Home  Contents

pki:getSelfSignedCertData()

Cipher/PKI Core4 Lua Commands
Platform Core4 Filesystem Core4 Lua
Core4 Manager Core4 Manager Downloads Getting started Installation Development
Application Notes Lua TCP/IP
Core4 Lua Commands Audio Cipher Cipher/Hash Cipher/MPI Cipher/PKI Cipher/SSL Ctype Date/Time Debug Filer Graphics JSON Kconfig Math Mtd16 OS Sql String Table Tr
Core4 Lua Event System Bis Event Finger Gpio Httpd Httpd/CGI Keyboard Magstripe Mtd16io Rawio Touch V4kf Websocket
Lua Commands Coroutine Debug File Global IO OS Package String Table
Credits Credits

SYNOPSIS

  1. data = pki:getSelfSignedCertData(param)
  2. result = pki:saveSelfSignedCertFile(filename, param)

DESCRIPTION

This generates a self-signed SSL/TLS certificate. To use this function, a private key must have been loaded or generated into the object previously.

The required table param is used to fill the typical certificate data fields.

param = { subject = "CN=..., O=..., C=..., S=..., OU=..., L=..., C=..., R=...", [hash = "...",] [format = "PEM" | "DER",] [serial = "...",] [not_before = "..." | DateTime,] [not_after = "..." | DateTime,] [usage = { ...=true, ...=false, ... },] [cert_type = { ...=true, ...=false, ... },] }

The subject may also be specified as a table like this:

subject = { CN=..., O=..., C=..., S=..., OU=..., L=..., C=..., R=... }

Please see the SSL/TLS specification for documentation on the supported subject fields. For a typical webserver usage, it is customary to set the field CN to the IP-Address of the webserver.

The field hash allows selection of the one-way-hash function that is used to sign the certificate. The default is SHA256. Supported algorithms are: MD2, MD4, MD5, SHA1, SHA224, SHA256, SHA384, SHA512, RIPEMD160.

The field format selects the output data format, PEM or DER. Default is PEM.

The field serial is copied into the certificate as the certificate serial number. When not given, a 64-bit value is generated by mixing the board serial number with the current date/time.

The fields not_before and not_after can be used to limit the validity of the certificate between certain dates. The defaults are the current date/time for not_before and 30 years for not_after.
The fields can be given as a date/time object or a string in X509 format (YYYYMMDDHHMMSS).

The usage map is a table of true/false keys that map directly to mbedtls flags as listed. See mbedtls documentation for details.

digital_signature MBEDTLS_X509_KU_DIGITAL_SIGNATURE
non_repudiation MBEDTLS_X509_KU_NON_REPUDIATION
key_encipherment MBEDTLS_X509_KU_KEY_ENCIPHERMENT
data_encipherment MBEDTLS_X509_KU_DATA_ENCIPHERMENT
key_agreement MBEDTLS_X509_KU_KEY_AGREEMENT
key_cert_sign MBEDTLS_X509_KU_KEY_CERT_SIGN
crl_sign MBEDTLS_X509_KU_CRL_SIGN
encipher_only MBEDTLS_X509_KU_ENCIPHER_ONLY
decipher_only MBEDTLS_X509_KU_DECIPHER_ONLY

The cert_type map is a table of true/false keys that map directly to mbedtls flags as listed. See mbedtls documentation for details.

ssl_client MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT
ssl_server MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER
email MBEDTLS_X509_NS_CERT_TYPE_EMAIL
object_signing MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING
reserved MBEDTLS_X509_NS_CERT_TYPE_RESERVED
ssl_ca MBEDTLS_X509_NS_CERT_TYPE_SSL_CA
email_ca MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA
object_signing_ca MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA

RETURN VALUE

On success, the first form returns the certificate as a string, while the second form saves the certificate to a file.

In case of an error returns three values: nil, a string describing the error and a negative error code from the underlying mbed TLS implementation.

SEE ALSO

pki:generateKeyPair()

Core4 SDK 2.114.0#7929 © Teratronik elektronische Systeme GmbH © mbed TLS   2024-04-25