To enable Hybrid Cloud on your ALMS account you will need to generate certificates for your routers (root certificate) and your users (client or intermediary certificates). As these certificates are generated by you from your IT environment, the process for creating them will vary. Consider this documentation as general guidance, and contact Semtech Customer Support for any clarification.
In the Hybrid Cloud infrastructure, the root certificate is installed in every router in your account, and unique client certificates are installed in each hardware key (YubiKey) used by ALMS authorizers to verify operations in Hybrid Cloud. Every client certificate is linked to the root certificate and can thereby verify the router’s identity and validate operations sent from the router.
This page provides requirements and guidance for creating root and client certificates.
If your organization does not have a PKI team or consultant, you should generate your certificates using any Certificate Authority that can generate self-signed Root Certificates. You can contact third-party vendors such as Venafi, GoDaddy, or DigiCert, who can provide access to a Certificate Authority. If you do not have access to a Certificate Authority, you can use OpenSSL (an open-source command-line tool) to generate the Root certificate locally and sign client certificates with it. OpenSSL guide to create Root certificate / Client certificate: https://confluence.sierrawireless.com/display/AVENG/Creating+chained+ECDSA+certificates
Methods of generating the root certificate will vary depending on your Certificate Authority. To obtain the correct certificate from your Certificate Authority, you must specify an algorithm supported by Hybrid Cloud. Use one of the algorithm combinations below to create a root certificate.
ALGORITHM | HASH FUNCTION | DESCRIPTION |
---|---|---|
ECDSA | SHA384 | ECDSA with SHA-384 hash function. Curve: P-384 (secp384r1) |
ECDSA | SHA256 | ECDSA with SHA-256 hash function. Curve: P-256 (secp256r1, prime256v1) |
RSA | SHA256 | RSASSA-PSS with SHA-256 hash function. 2048-bit keys are preferred. |
The first step for generating a client certificate is to generate a CSR (Certificate Signing Request) using YubiKey Manager, as documented on this page. Steps for generating a client certificate from the Certificate Signing Request will vary with your Certificate Authority and the tools used to generate the root certificate. With YubiKey Manager, you can create the CSR with the algorithms below, and you must ensure that the Certificate Authority creates the client certificate using the same algorithm as the CSR.
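As an added example that is not part of this ALMS documentation, the following OpenSSL script builds a root certificate with one of the supported ECDSA/hash combinations from the table above, creates a client key and CSR, signs the CSR with the root using the same hash, and checks that the client certificate chains to the root. File names, subject names and the file-based client key are placeholders; in a real deployment the client key is generated on the YubiKey and the CSR is exported by YubiKey Manager.

```shell
#!/bin/sh
# Added example (not from the ALMS documentation): build a root certificate with one of
# the supported ECDSA/hash combinations, issue a client certificate from a CSR, verify.
set -e

# make_chain <dir> [curve] [hash]
# Defaults to ECDSA on P-384 (secp384r1) with SHA-384; pass "prime256v1 sha256" for
# the P-256/SHA-256 combination. File and subject names are placeholders.
make_chain() {
  dir="$1"; curve="${2:-secp384r1}"; hash="${3:-sha384}"
  mkdir -p "$dir"
  # Root: self-signed CA certificate, valid 10 years. OpenSSL's default req
  # configuration marks a -x509 certificate as a CA (basicConstraints CA:TRUE).
  openssl ecparam -name "$curve" -genkey -noout -out "$dir/root.key"
  openssl req -new -x509 "-$hash" -key "$dir/root.key" -days 3650 \
    -subj "/CN=Example Hybrid Cloud Root" -out "$dir/root.crt"
  # Client: in production the key is generated on the YubiKey and the CSR is
  # exported by YubiKey Manager; a file-based key stands in for it here.
  openssl ecparam -name "$curve" -genkey -noout -out "$dir/client.key"
  openssl req -new "-$hash" -key "$dir/client.key" \
    -subj "/CN=Example Authorizer" -out "$dir/client.csr"
  # Issue the client certificate with the same hash the CSR used, signed by the root.
  openssl x509 -req "-$hash" -days 730 -in "$dir/client.csr" \
    -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
    -out "$dir/client.crt"
}

# sig_alg <cert>: prints the certificate's signature algorithm, e.g. ecdsa-with-SHA384
sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# verify_chain <dir>: exit 0 only if client.crt validates against root.crt
verify_chain() {
  openssl verify -CAfile "$1/root.crt" "$1/client.crt" >/dev/null 2>&1
}

# Usage: sh make_chain.sh <output-dir> [curve] [hash]
if [ -n "${1:-}" ]; then
  make_chain "$1" "${2:-secp384r1}" "${3:-sha384}"
  verify_chain "$1" && echo "client.crt chains to root.crt ($(sig_alg "$1/client.crt"))"
fi
```

Run it with an output directory to produce root.key/root.crt and client.csr/client.crt; the printed signature algorithm is what to confirm against the table before installing the root on routers.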