Before running the script, make sure you have the certificates needed to onboard an IEM. You can either use your own TLS certificates (the ones that terminate TLS traffic on the gateway), or you can create them with the openssl commands shown below.
Code example: generating the certificates
Create the ca.conf file:
basicConstraints = CA:TRUE
keyUsage = cRLSign, keyCertSign
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = DE
ST = Dummy
L = Dummy
CN = My Personal Root CA
Create the cert.conf file:
IEM = ""
[req]
default_md = sha512
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
default_keyfile = myCert.key
x509_extensions = v3_ca
prompt = no
authorityKeyIdentifier=keyid,issuer
distinguished_name = req_distinguished_name
req_extensions = req_ext
[req_distinguished_name]
C=DE
ST=Dummy
L=Dummy
O=Dummy
CN=localhost
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
Create the cert-ext.conf file:
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "My Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
Create the gen_with_ca.sh file:
#!/bin/bash
# Copyright (c) 2018-2022, Siemens AG (http://www.siemens.com)
# All rights reserved.
# THIS IS PROPRIETARY SOFTWARE OWNED BY SIEMENS AG.
# USE ONLY PERMITTED ACCORDING TO LICENSE AGREEMENT.
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL SIEMENS AG OR ITS CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
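set -euo pipefail

# Usage: gen_with_ca.sh <iem-ip-or-hostname>
#
# Creates a private root CA and a server certificate for the IEM gateway in
# ./out next to this script, then copies the server certificate and the
# certificate chain into the current working directory.
#
# Required files next to the script: ca.conf, cert.conf, cert-ext.conf.
# Environment:
#   IEM  optional Common Name for the server certificate; defaults to $1.
#        NOTE(review): the original script referenced $IEM without ever
#        assigning it, so the CN was empty unless the caller exported it —
#        presumably the IEM host name was intended; confirm.

usage() {
  printf 'Usage: %s <iem-ip-or-hostname>\n' "${0##*/}" >&2
  exit 2
}

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print an [alt_names] config fragment for the target.
# A literal IPv4 (dotted quad) or IPv6 (contains ':') address becomes IP.1;
# anything else becomes DNS.1, because openssl rejects a host name in IP.*.
# Arguments: $1 - IP address or host name
# Outputs:   config fragment on stdout
#######################################
alt_names() {
  local host=$1
  if [[ "$host" =~ ^[0-9]+(\.[0-9]+){3}$ || "$host" == *:* ]]; then
    printf '\n[alt_names]\nIP.1=%s\n' "$host"
  else
    printf '\n[alt_names]\nDNS.1=%s\n' "$host"
  fi
}

#######################################
# Generate CA + server certificate and publish the certs to $PWD.
# Arguments: $1 - IEM IP address or host name (goes into the SAN)
# Globals:   IEM (read, optional CN override)
# Returns:   exits non-zero on any failing step
#######################################
main() {
  (( $# == 1 )) || usage
  local iem_ip=$1
  local cn=${IEM:-$iem_ip}
  local path out
  path=$(dirname "$0")
  out="${path}/out"

  command -v openssl >/dev/null || die "openssl not found in PATH"
  [[ -f "${path}/ca.conf" && -f "${path}/cert.conf" && -f "${path}/cert-ext.conf" ]] \
    || die "ca.conf, cert.conf and cert-ext.conf must be located next to ${0##*/}"

  mkdir -p -- "$out"

  # Root CA: private key plus self-signed certificate.
  openssl genrsa -out "${out}/myCA.key" 4096
  openssl req -x509 -new -nodes -key "${out}/myCA.key" -sha256 -days 825 \
    -out "${out}/myCA.crt" -config "${path}/ca.conf"

  # Server key and CSR. -subj overrides the DN in cert.conf; the SAN section
  # is appended to the config on the fly so the target ends up in the request.
  openssl genrsa -out "${out}/myCert.key" 4096
  openssl req -new -key "${out}/myCert.key" -out "${out}/myCert.csr" \
    -subj "/C=DE/ST=Dummy/L=Dummy/O=Dummy/CN=${cn}" \
    -config <(cat "${path}/cert.conf" <(alt_names "$iem_ip"))

  # Sign the CSR with the CA; cert-ext.conf supplies the leaf extensions.
  openssl x509 -req -in "${out}/myCert.csr" -CA "${out}/myCA.crt" -CAkey "${out}/myCA.key" \
    -CAcreateserial -out "${out}/myCert.crt" -days 825 -sha256 \
    -extfile <(cat "${path}/cert-ext.conf" <(alt_names "$iem_ip"))

  # Leaf first, issuer second: the order TLS servers expect in a chain file.
  cat "${out}/myCert.crt" "${out}/myCA.crt" > "${out}/certChain.crt"

  # Keys are written with the default umask; restrict them to the owner.
  # myCA.key in particular can sign further certificates the IEM will trust.
  chmod 600 "${out}/myCA.key" "${out}/myCert.key"

  # -f: a missing serial file (e.g. on a re-run) must not abort the script.
  rm -f -- "${out}/myCert.csr" "${out}/myCA.srl"
  cp -- "${out}/myCert.crt" "${out}/certChain.crt" "$PWD"/
}

main "$@"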
Execute the gen_with_ca.sh file with the following command.
Replace the example IP address with your host's IP address:
bash +x gen_with_ca.sh 165.218.200.235