Generating custom certificates with OpenSSL
You can generate DLMS certificates with OpenSSL. It is important that the certificates are saved in the correct format, because the DLMS standard defines only the PKCS 8, PKCS 10 and X.509 certificate formats.

Convert pfx to PEM format
If the certificates are in pfx format, they can be converted to PEM with OpenSSL like this (with -nocerts only the private key is written; -nodes leaves it unencrypted):

openssl pkcs12 -in YOUR_CERTIFICATE.pfx -nocerts -nodes -out YOUR_CERTIFICATE.pem
Printing the certificates in readable format
PKCS 8 private key:

openssl ec -in rootCA.pem -text -noout

PKCS 10 certificate request:

openssl req -in client1.csr -text -noout

X.509 certificate:

openssl x509 -in guruxCA.pem -text -noout
Create root CA
You can make custom certificates yourself. First you need to create a Root CA; the Root CA is used to sign your custom certificates. For that you need to create a ca.ext file where you define the key usage and other settings.

Content of ca.ext file:

authorityKeyIdentifier=keyid,issuer
basicConstraints=critical, CA:TRUE
keyUsage=critical, keyCertSign, cRLSign

Create the Root CA private key:

openssl ecparam -out rootCA.key -name prime256v1 -genkey

Or for P-384:

openssl ecparam -out rootCA.key -name secp384r1 -genkey

Create the custom Root CA certificate request:

openssl req -new -nodes -key rootCA.key > rootCA.csr

You must apply CA settings something like this:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FI
State or Province Name (full name) [Some-State]:Pirkanmaa
Locality Name (eg, city) []:Tampere
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Gurux Security
Organizational Unit Name (eg, section) []:Gurux
Common Name (e.g. server FQDN or YOUR name) []:Root CA 256
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:Gurux.Ltd

Self-sign the Root CA certificate:

openssl x509 -extfile ca.ext -in rootCA.csr -out rootCA.crt -req -signkey rootCA.key -days 1001
Create certificate for the client
First you need to create a cl.ext file where you define the key usage.

Content of cl.ext file for digitalSignature:

keyUsage=critical,digitalSignature

Content of cl.ext file for keyAgreement:

keyUsage=critical,keyAgreement

Generate an ECDSA private key. Each client has its own private key.

openssl ecparam -out client1pk.key -name prime256v1 -genkey

Or for P-384:

openssl ecparam -out client1pk.key -name secp384r1 -genkey

You can print the private and public key in textual format:

openssl ec -in client1pk.key -text -noout

Save the private key in PKCS 8 format. This is important because the DLMS standard uses only PKCS formatted keys.

openssl pkcs8 -topk8 -outform PEM -in client1pk.key -out client1pk.pem -nocrypt

Generate the client application or meter certificate request. The Common Name must be the same as the system title.

openssl req -new -key client1pk.key -nodes > client1cert.csr

You must apply client settings something like this:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FI
State or Province Name (full name) [Some-State]:Pirkanmaa
Locality Name (eg, city) []:Tampere
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Gurux Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:'4758436C69656E74'
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:Gurux Ltd

Sign the certificate request with the Root CA:

openssl x509 -extfile cl.ext -in client1cert.csr -out client1.pem -req -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -days 1001

You can print the content of the x509 file in textual format:

openssl x509 -in client1.pem -text

You can generate the meter certificate in the same way you generated the client certificate. The only difference is to change the Common Name to the meter's system title.
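The whole procedure above, Root CA and client certificate, as one non-interactive script. This is an added example, not a script from the Gurux page; it replaces the interactive DN prompts with -subj, writes the same ca.ext and cl.ext contents the page shows, and ends with the checks a practitioner would run before loading the files into a DLMS client or meter: the chain verifies against the Root CA, the Common Name equals the system title, the key usage is the one cl.ext asked for, and the PKCS 8 file carries the generic PRIVATE KEY header instead of the SEC1 EC PRIVATE KEY one. The work directory, the DN values and the default system title 4758436C69656E74 (taken from the page's prompt) are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the Gurux page): non-interactive version of the
# Root CA + client certificate procedure, followed by sanity checks.
# WORK, CURVE, SYSTEM_TITLE and the DN values are assumptions of this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"                        # assumed scratch directory
CURVE="${CURVE:-prime256v1}"                         # P-256; secp384r1 for P-384
SYSTEM_TITLE="${SYSTEM_TITLE:-4758436C69656E74}"     # hex system title used as CN

# Extension files with exactly the contents shown on the page.
write_ext_files() {
  cat > "$WORK/ca.ext" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=critical, CA:TRUE
keyUsage=critical, keyCertSign, cRLSign
EOF
  cat > "$WORK/cl.ext" <<'EOF'
keyUsage=critical,digitalSignature
EOF
}

# Root CA: EC private key, CSR, self-signed certificate with the CA extensions.
make_root_ca() {
  openssl ecparam -name "$CURVE" -genkey -noout -out "$WORK/rootCA.key"
  openssl req -new -nodes -key "$WORK/rootCA.key" \
    -subj "/C=FI/O=Example CA/CN=Root CA 256" -out "$WORK/rootCA.csr"
  openssl x509 -req -extfile "$WORK/ca.ext" -in "$WORK/rootCA.csr" \
    -signkey "$WORK/rootCA.key" -days 1001 -out "$WORK/rootCA.crt"
}

# Client: EC private key, PKCS 8 copy of it, CSR whose CN is the system title,
# certificate signed by the Root CA with the client key usage.
make_client_cert() {
  openssl ecparam -name "$CURVE" -genkey -noout -out "$WORK/client1pk.key"
  openssl pkcs8 -topk8 -nocrypt -outform PEM \
    -in "$WORK/client1pk.key" -out "$WORK/client1pk.pem"
  openssl req -new -nodes -key "$WORK/client1pk.key" \
    -subj "/C=FI/O=Example Client/CN=$SYSTEM_TITLE" -out "$WORK/client1cert.csr"
  openssl x509 -req -extfile "$WORK/cl.ext" -in "$WORK/client1cert.csr" \
    -CA "$WORK/rootCA.crt" -CAkey "$WORK/rootCA.key" -CAcreateserial \
    -days 1001 -out "$WORK/client1.pem"
}

# Checks before the files are handed to a DLMS client or meter. Each command
# fails (and, under set -e, aborts) if the expectation does not hold.
verify_client_cert() {
  # 1. The client certificate chains to the Root CA.
  openssl verify -CAfile "$WORK/rootCA.crt" "$WORK/client1.pem" >/dev/null
  # 2. The Common Name is the system title (works with "CN = x" and "CN=x" output).
  openssl x509 -in "$WORK/client1.pem" -noout -subject | grep -q "CN *= *$SYSTEM_TITLE"
  # 3. The key usage requested in cl.ext made it into the certificate.
  openssl x509 -in "$WORK/client1.pem" -noout -text \
    | grep -A1 "Key Usage" | grep -q "Digital Signature"
  # 4. The PKCS 8 file has the generic header, not the SEC1 "EC PRIVATE KEY" one.
  head -n 1 "$WORK/client1pk.pem" | grep -q '^-----BEGIN PRIVATE KEY-----$'
}

run_all() {
  write_ext_files
  make_root_ca
  make_client_cert
  verify_client_cert
  echo "certificates written to $WORK"
}

# Run the whole procedure only when invoked as: WORK=./out sh thisscript.sh run
if [ "${1:-}" = "run" ]; then
  run_all
fi
```

Switching to the keyAgreement variant only means changing the cl.ext heredoc to the page's other one-line content; everything else stays the same. Note that -CAcreateserial writes a rootCA.srl file next to rootCA.crt, which later signings reuse.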