
Appendix C: Generating a Private Key and CSR

IEEE 2030.5 requires that the Elliptic Curve Cryptography (ECC) key pair behind a device certificate be generated on one specific curve, secp256r1, also known as prime256v1 or NIST P-256 (all three names refer to the same curve; OpenSSL accepts either P-256 or prime256v1). Note that a cipher suite does not generate keys: the curve is a property of the key itself, and the ECDHE-ECDSA cipher suites used by IEEE 2030.5 require the certificate's key to be on this curve. Here is how to generate such a key with OpenSSL.

C.1 Create a new openssl.cnf file and enter the following:

[ req ]
distinguished_name = req_dn
req_extensions = req_ext

[ req_dn ]
# Intentionally empty: IEEE 2030.5 device certificates carry no Subject. OpenSSL still
# expects this section to exist; the blank Subject fields are supplied when the CSR is created.

[ req_ext ]
subjectAltName = otherName:1.3.6.1.5.5.7.8.4;SEQ:hwmodulename

[ hwmodulename ]
# hwType: the manufacturer's device type/model OID, e.g. 1.3.6.1.4.1.<PEN> (see below).
# The directive must be on its own line; a value written on the same line as a comment is ignored.
hwType = OID:1.3.6.1.4.1

# hwSerialNum: the device's unique serial number as an OCTET STRING, e.g. 4444.
# The value must have an even number of digits (see below). OpenSSL's default OctetString
# format is ASCII, so 4444 is encoded as the four characters '4','4','4','4'; to encode hex
# digits as raw bytes (two bytes here) write FORMAT:HEX,OctetString:4444 instead.
hwSerialNum = OctetString:4444


OIDs (Object Identifiers) for hwType:

• OEMs may use their IANA-assigned Private Enterprise Number (PEN) as the basis of the OID.

• IANA OID prefix: all IANA PEN OIDs share the common prefix 1.3.6.1.4.1.

• Full OID for hwType: to identify your device type using your IANA PEN, construct the OID as:

1.3.6.1.4.1.<your_iana_pen>

(Replace <your_iana_pen> with your actual PEN number.)

• Optional child suffix: you can append one or more child arcs under your PEN to distinguish device models or versions within your organization:

1.3.6.1.4.1.<your_iana_pen>.<child_suffix>

(Each arc of <child_suffix> must be a non-negative integer, separated from the others by dots. OIDs cannot contain letters, so a model name such as "v1" has to be mapped to a number you assign.)

Example: if your PEN is 123 and you want to identify a specific model with version 1.1.1, the OID would be:

1.3.6.1.4.1.123.1.1.1

• Relevance for aggregator solution providers: the child-suffix approach is less relevant if you provide aggregation solutions for devices from various vendors; there, each device's own vendor PEN is the more appropriate hwType.


hwSerialNum:

• This field uniquely identifies a particular device instance, so no two devices from the same manufacturer should share a value.

• Ideal data: the best value for hwSerialNum is the manufacturer-assigned serial number of the unit. A model or version number on its own does not distinguish individual units.

• Alternative options: if a dedicated serial number isn't available, you can:

- Reuse PEN: use your IANA PEN as the hwSerialNum (every device then carries the same hwSerialNum, which gives up per-device uniqueness).

- Subset of device SFDI: if you have a longer identifier such as a Short Form Device Identifier (SFDI), you can use a relevant portion of it for hwSerialNum.

• Even-length requirement: the hwSerialNum value must have an even number of characters (e.g. "1234", "ABCDEF"), which is what allows it to be read as a sequence of whole bytes in hexadecimal.

• Odd-length handling: if your source identifier (PEN or SFDI subset) has an odd number of characters, add a leading zero (e.g. "0123" for a PEN of "123"). Pad on the left so the numeric value is unchanged.
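As an added worked example that is not part of the original appendix, the following Python 3 script (standard library only) builds the exact DER bytes that the openssl.cnf above asks OpenSSL to place in the subjectAltName: a GeneralName of type otherName whose type-id is 1.3.6.1.5.5.7.8.4 and whose value is the RFC 4108 HardwareModuleName SEQUENCE of hwType and hwSerialNum. It applies the rules from the two lists above (integer-only OID arcs under 1.3.6.1.4.1, even-length hex serial with a leading zero added when the length is odd) and decodes the result again so it can be compared with the output of openssl asn1parse on a real CSR. The PEN 123, model arcs 1.1.1 and serials 4444 and 123 are the page's own illustrative values; treating the serial as hex digits encoded to raw bytes (FORMAT:HEX in OpenSSL terms) is this example's assumption, not something the page states.

```python
"""Build and decode the IEEE 2030.5 device identity carried in subjectAltName:
otherName { type-id id-on-hardwareModuleName, value HardwareModuleName } (RFC 4108).
Standard library only. Assumption (this example's, not the page's): hwSerialNum is
given as hex digits and encoded as raw bytes, i.e. OpenSSL's FORMAT:HEX,OctetString."""

ID_ON_HARDWARE_MODULE_NAME = "1.3.6.1.5.5.7.8.4"  # otherName type-id from RFC 4108
IANA_PEN_PREFIX = "1.3.6.1.4.1."                  # prefix of all IANA Private Enterprise Numbers


def _der_length(n: int) -> bytes:
    """DER definite-length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(content)) + content


def _base128(value: int) -> bytes:
    """Encode one OID sub-identifier, 7 bits per byte, high bit set on all but the last byte."""
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER. Every arc must be a non-negative integer: 'v1' is not an OID arc."""
    arcs = dotted.split(".")
    if len(arcs) < 2 or not all(a.isdigit() for a in arcs):
        raise ValueError(f"invalid OID {dotted!r}: arcs must be dot-separated non-negative integers")
    nums = [int(a) for a in arcs]
    if nums[0] > 2 or (nums[0] < 2 and nums[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}: first arcs out of range")
    subids = [nums[0] * 40 + nums[1]] + nums[2:]  # first two arcs share one sub-identifier
    return _tlv(0x06, b"".join(_base128(s) for s in subids))


def is_valid_hw_type_oid(dotted: str) -> bool:
    """True for a well-formed OID under the IANA PEN prefix, as the page recommends for hwType."""
    try:
        encode_oid(dotted)
    except ValueError:
        return False
    return dotted.startswith(IANA_PEN_PREFIX)


def normalize_serial_hex(serial: str) -> str:
    """Even-length rule: an odd-length hex serial gets one leading zero (PEN 123 -> '0123')."""
    s = serial.strip().upper()
    if not s or any(c not in "0123456789ABCDEF" for c in s):
        raise ValueError("hwSerialNum must be non-empty hexadecimal digits")
    return "0" + s if len(s) % 2 else s


def encode_hardware_module_name(hw_type_oid: str, serial_hex: str) -> bytes:
    """HardwareModuleName ::= SEQUENCE { hwType OBJECT IDENTIFIER, hwSerialNum OCTET STRING }"""
    hw_serial = bytes.fromhex(normalize_serial_hex(serial_hex))
    return _tlv(0x30, encode_oid(hw_type_oid) + _tlv(0x04, hw_serial))


def encode_san_hardware_module_name(hw_type_oid: str, serial_hex: str) -> bytes:
    """GeneralNames ::= SEQUENCE OF GeneralName, holding one otherName ([0] IMPLICIT OtherName);
    OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }."""
    value = _tlv(0xA0, encode_hardware_module_name(hw_type_oid, serial_hex))
    other_name = encode_oid(ID_ON_HARDWARE_MODULE_NAME) + value
    return _tlv(0x30, _tlv(0xA0, other_name))


def _read_tlv(buf: bytes, pos: int, expect: int):
    """Read one DER TLV at pos, check its tag, return (content, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if tag != expect:
        raise ValueError(f"expected tag 0x{expect:02X}, found 0x{tag:02X}")
    return buf[pos:pos + ln], pos + ln


def decode_oid(content: bytes) -> str:
    subids, val = [], 0
    for b in content:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(val)
            val = 0
    first = subids[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def decode_san_hardware_module_name(der: bytes) -> dict:
    """Inverse of encode_san_hardware_module_name; raises ValueError on any structural mismatch."""
    names, _ = _read_tlv(der, 0, 0x30)
    other, _ = _read_tlv(names, 0, 0xA0)
    type_id, pos = _read_tlv(other, 0, 0x06)
    if decode_oid(type_id) != ID_ON_HARDWARE_MODULE_NAME:
        raise ValueError("otherName is not a HardwareModuleName")
    explicit, _ = _read_tlv(other, pos, 0xA0)
    hmn, _ = _read_tlv(explicit, 0, 0x30)
    hw_type, pos = _read_tlv(hmn, 0, 0x06)
    serial, _ = _read_tlv(hmn, pos, 0x04)
    return {"hwType": decode_oid(hw_type), "hwSerialNum": serial.hex().upper()}


if __name__ == "__main__":
    san = encode_san_hardware_module_name("1.3.6.1.4.1.123.1.1.1", "4444")
    print(san.hex())  # compare with `openssl asn1parse` on your CSR
    print(decode_san_hardware_module_name(san))
```

The hex printed by the script is the full subjectAltName extension value; running openssl asn1parse on a CSR made with the configuration above and walking into its extensions should show the same nested SEQUENCE, the OID 1.3.6.1.5.5.7.8.4, the hwType OID and a two-byte OCTET STRING for a serial written as FORMAT:HEX (four bytes if you leave OpenSSL in its default ASCII mode).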

C.2 Create the key pair using the OpenSSL command:

openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve -out cppalue-test-key.pem

Do not add -genparam to this command: that flag writes only EC domain parameters, not a key pair. You can confirm the result with openssl pkey -in cppalue-test-key.pem -noout -text, which should report "ASN1 OID: prime256v1" and "NIST CURVE: P-256".


The private key you generate is extremely sensitive: anyone who holds it can impersonate your device, so treat it with the utmost care. Never share it with anyone, including the certificate authority, which only needs the CSR (the CSR carries the public key). Keep the file readable only by the account that uses it (for example, chmod 600 on a Unix host), and where possible generate it on the device or secure element where it will be used so it never leaves that hardware.

Once you've created your private key, you can generate a Certificate Signing Request (CSR). Unlike typical internet (TLS server) certificates, whose Subject carries fields such as the website's domain name, IEEE 2030.5 device certificates have an empty Subject: the device is identified only by the HardwareModuleName in the subjectAltName extension configured above (RFC 5280 requires a certificate with an empty Subject to mark that extension critical). Leave all Subject fields blank when creating the CSR. To stop OpenSSL from prompting for them, pass them up front as blank values when generating the CSR.


Create CSR file using OpenSSL command: