2. Generating certificates for IEM

Industrial Edge Platform Operation - APIs & References

Portfolio: Industrial Edge
Product: Industrial Edge
Product Version: v25.04
Edition: 04/2025
Language: de-DE

Before running the script, make sure you have the certificates required to onboard an IEM. You can either use your own TLS certificates, which are used to terminate the TLS traffic on the gateway, or you can create them with openssl commands.

Code example for generating the certificates:

Create the ca.conf file.

    # ca.conf: settings for the self-signed root CA certificate.
    # x509_extensions makes "openssl req -x509" stamp the [v3_ca] extensions onto the CA certificate.
    [req]
    distinguished_name = req_distinguished_name
    x509_extensions    = v3_ca
    prompt             = no

    [req_distinguished_name]
    C   = DE
    ST  = Dummy
    L   = Dummy
    CN  = My Personal Root CA

    [v3_ca]
    basicConstraints     = CA:TRUE
    keyUsage             = cRLSign, keyCertSign
    # The subject key identifier is what authorityKeyIdentifier=keyid in the server certificate refers to.
    subjectKeyIdentifier = hash

Create the cert.conf file.

    # cert.conf: settings for the certificate signing request (CSR) of the IEM server certificate.
    # gen_with_ca.sh appends an [alt_names] section (IP.1 = <IEM IP address>) to this file at run time.
    [req]
    default_md         = sha512
    default_keyfile    = myCert.key
    prompt             = no
    distinguished_name = req_distinguished_name
    req_extensions     = req_ext

    # Subject of the CSR; gen_with_ca.sh overrides it with its -subj argument.
    [req_distinguished_name]
    C  = DE
    ST = Dummy
    L  = Dummy
    O  = Dummy
    CN = localhost

    [req_ext]
    subjectAltName = @alt_names

Create the cert-ext.conf file.

    # cert-ext.conf: X.509v3 extensions that the CA stamps onto the signed server certificate.
    # gen_with_ca.sh appends an [alt_names] section (IP.1 = <IEM IP address>) to this file at run time.
    basicConstraints = CA:FALSE
    nsCertType = server
    nsComment = "My Certificate"
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer:always
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names

Create the gen_with_ca.sh file.

    #!/bin/bash

    # Copyright (c) 2018-2022, Siemens AG (http://www.siemens.com)
    # All rights reserved.
    # THIS IS PROPRIETARY SOFTWARE OWNED BY SIEMENS AG.
    # USE ONLY PERMITTED ACCORDING TO LICENSE AGREEMENT.
    # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
    # ARE DISCLAIMED. IN NO EVENT SHALL SIEMENS AG OR ITS CONTRIBUTORS BE LIABLE
    # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
    # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
    # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
    # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
    # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
    # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    # Abort on the first failing openssl command and on unset variables.
    set -eu

    path=$(dirname "$0")

    # The IEM IP address is the only argument; it becomes the IP.1 entry of the subjectAltName.
    if [ $# -ne 1 ]; then
        echo "usage: $0 <IEM_IP>" >&2
        exit 1
    fi
    IEM_IP=$1

    # Common Name of the server certificate. Unless IEM is set in the environment,
    # it defaults to the IEM IP address so that it matches the subjectAltName.
    IEM=${IEM:-$IEM_IP}

    mkdir -p "${path}"/out

    # Root CA: private key and self-signed certificate (extensions from ca.conf).
    openssl genrsa -out "${path}"/out/myCA.key 4096

    openssl req -x509 -new -nodes -key "${path}"/out/myCA.key -sha256 -days 825 -out "${path}"/out/myCA.crt -config "${path}"/ca.conf

    # Server certificate: private key, CSR carrying the IEM IP in its SAN, then signing by the CA.
    # The [alt_names] section is appended to cert.conf and cert-ext.conf via process substitution.
    openssl genrsa -out "${path}"/out/myCert.key 4096

    openssl req -new -key "${path}"/out/myCert.key -out "${path}"/out/myCert.csr -subj "/C=DE/ST=Dummy/L=Dummy/O=Dummy/CN=${IEM}" -config <(cat "${path}"/cert.conf <(printf "\n[alt_names]\nIP.1=%s\n" "${IEM_IP}"))

    openssl x509 -req -in "${path}"/out/myCert.csr -CA "${path}"/out/myCA.crt -CAkey "${path}"/out/myCA.key -CAcreateserial -out "${path}"/out/myCert.crt -days 825 -sha256 -extfile <(cat "${path}"/cert-ext.conf <(printf "\n[alt_names]\nIP.1=%s\n" "${IEM_IP}"))

    # Chain for the gateway: server certificate first, then the CA certificate.
    cat "${path}"/out/myCert.crt "${path}"/out/myCA.crt > "${path}"/out/certChain.crt

    # Remove the CSR and the serial file; copy the results to the current directory.
    rm "${path}"/out/myCert.csr "${path}"/out/myCA.srl
    cp "${path}"/out/myCert.crt "${path}"/out/certChain.crt "$(pwd)"/

Run the gen_with_ca.sh file with the following command, replacing the IP address with the IP address of your host:

bash +x gen_with_ca.sh 165.218.200.235