Public-key cryptography

Generating custom certificates with OpenSSL

You can generate DLMS certificates with OpenSSL. The certificates must be saved in the correct format, because the DLMS standard defines only the PKCS 8, PKCS 10 and x509 certificate formats.

Printing the certificates in readable format

PKCS 8 Private key.
openssl ec -in rootCA.pem -text -noout
PKCS 10 certificate request.
openssl req -in client1.csr -text -noout
x509 certificate
openssl x509 -in guruxCA.pem -text

Create root CA

You can create custom certificates yourself. First you need to create a root CA. The root CA is used to sign your custom certificates.
For that you need to create a ca.ext file where you define the key usage and other settings.
Content of the ca.ext file:
authorityKeyIdentifier=keyid,issuer
basicConstraints=critical, CA:TRUE
keyUsage=critical, keyCertSign, cRLSign
Create the root CA private key:
openssl ecparam -out rootCA.key -name prime256v1 -genkey
Create the certificate request for the custom root CA:
openssl req -new -nodes -key rootCA.key > rootCA.csr
Enter the CA settings when prompted, for example:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FI
State or Province Name (full name) [Some-State]:Pirkanmaa
Locality Name (eg, city) []:Tampere
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Gurux Security
Organizational Unit Name (eg, section) []:Gurux
Common Name (e.g. server FQDN or YOUR name) []:Root CA 256
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:Gurux.Ltd
Self-sign the root CA certificate:
openssl x509 -extfile ca.ext -in rootCA.csr -out rootCA.crt -req -signkey rootCA.key -days 1001

Create certificate for the client

First you need to create a cl.ext file where you define the key usage.
Content of the cl.ext file:
keyUsage=critical,digitalSignature,keyAgreement
Generate an ECDSA private key. Each client has its own private key.
openssl ecparam -out client1pk.key -name prime256v1 -genkey
You can print the private and public key in textual format:
openssl ec -in client1pk.key -text -noout
Save the private key in PKCS 8 format. This is important because the DLMS standard uses only PKCS formatted keys.
openssl pkcs8 -topk8 -outform PEM -in client1pk.key -out client1pk.pem -nocrypt
Generate the client application or meter certificate request. The Common Name must be the same as the system title.
openssl req -new -key client1pk.key -nodes > client1cert.csr
Enter the client settings when prompted, for example:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FI
State or Province Name (full name) [Some-State]:Pirkanmaa
Locality Name (eg, city) []:Tampere
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Gurux Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:'4758436C69656E74'
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:Gurux Ltd
Sign the client application or meter certificate request with the root CA to create the certificate:
openssl x509 -extfile cl.ext -in client1cert.csr -out client1.pem -req -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -days 1001
You can print the content of the x509 file in textual format:
openssl x509 -in client1.pem -text
You can generate a meter certificate in the same way you generated the client certificate. The only difference is that the Common Name is changed to the meter system title.
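
The steps above as an unattended script, followed by checks that the result has the properties this page calls for. This is an added example, not Gurux's own code: the function names and the -subj values are assumptions, and the file names follow the page.

```bash
#!/usr/bin/env bash
# Added example: unattended form of the steps above plus checks on the result.
# File names follow the page; function names and -subj values are assumptions.

# make_root_ca DIR: root CA key and self-signed certificate using ca.ext.
make_root_ca() {
  ( cd "$1" &&
    printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' \
      'basicConstraints=critical, CA:TRUE' \
      'keyUsage=critical, keyCertSign, cRLSign' > ca.ext &&
    openssl ecparam -out rootCA.key -name prime256v1 -genkey &&
    openssl req -new -nodes -key rootCA.key -out rootCA.csr \
      -subj '/C=FI/O=Gurux Security/CN=Root CA 256' &&
    openssl x509 -extfile ca.ext -in rootCA.csr -out rootCA.crt -req \
      -signkey rootCA.key -days 1001 ) >/dev/null 2>&1
}

# make_client_cert DIR NAME TITLE: key, PKCS 8 copy, request and signed
# certificate for a client or meter whose system title is TITLE (hex).
make_client_cert() {
  ( cd "$1" &&
    echo 'keyUsage=critical,digitalSignature,keyAgreement' > cl.ext &&
    openssl ecparam -out "$2pk.key" -name prime256v1 -genkey &&
    openssl pkcs8 -topk8 -outform PEM -in "$2pk.key" -out "$2pk.pem" -nocrypt &&
    openssl req -new -key "$2pk.key" -nodes -out "$2cert.csr" \
      -subj "/C=FI/O=Gurux Ltd/CN=$3" &&
    openssl x509 -extfile cl.ext -in "$2cert.csr" -out "$2.pem" -req \
      -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -days 1001
  ) >/dev/null 2>&1
}

# check_dlms_cert DIR NAME TITLE: returns 0 when all checks pass, otherwise
# the number of the first failed check.
check_dlms_cert() {
  ( cd "$1" || exit 1
    # 2: a system title is 8 bytes, so the Common Name is 16 hex digits
    printf '%s' "$3" | grep -Eq '^[0-9A-Fa-f]{16}$' || exit 2
    text=$(openssl x509 -in "$2.pem" -noout -text 2>/dev/null) || exit 3
    # 4: Common Name equals the system title
    openssl x509 -in "$2.pem" -noout -subject | grep -Eq "CN ?= ?$3\$" || exit 4
    # 5 and 6: key usage from cl.ext, key on prime256v1
    printf '%s\n' "$text" | grep -q 'Digital Signature, Key Agreement' || exit 5
    printf '%s\n' "$text" | grep -q 'prime256v1' || exit 6
    # 7: private key file is PKCS 8, not the traditional EC format
    head -n 1 "$2pk.pem" | grep -q '^-----BEGIN PRIVATE KEY-----$' || exit 7
    # 8: certificate chains to the root CA
    openssl verify -CAfile rootCA.crt "$2.pem" >/dev/null 2>&1 || exit 8 )
}
# Usage: d=$(mktemp -d); make_root_ca "$d" && make_client_cert "$d" client1 \
#   4758436C69656E74 && check_dlms_cert "$d" client1 4758436C69656E74
```

The demo keys are written unencrypted, as on this page, so run it in a directory only you can read and remove the directory afterwards.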