Credential files format - eclipse-leshan/leshan GitHub Wiki
To use RPK or X.509 certificates with the Leshan demos you need to provide credential files :lock:.
This page explains how to generate such files.
## RPK :key:

To use RPK you need a private and a public key.

### Using OpenSSL

Create EC keys (private and public) using the default OpenSSL PEM encoding
(prime256v1, also known as secp256r1, is the default curve):

```sh
openssl ecparam -out keys.pem -name prime256v1 -genkey
```

Now we will convert those keys into the formats used by the Security
(id 0) object of the LWM2M specification, which are also well supported by the JVM.

Convert the private key to PKCS#8 format (DER encoding):

```sh
openssl pkcs8 -topk8 -inform PEM -outform DER -in keys.pem -out cprik.der -nocrypt
```

Output the public key portion in SubjectPublicKeyInfo format (DER encoding):

```sh
openssl ec -in keys.pem -pubout -outform DER -out cpubk.der
```

For further information about elliptic curves and OpenSSL, refer to the OpenSSL wiki.
To find the coordinates (x, y) of an elliptic curve public key, you can look at this post.
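As an added example (it is not part of this wiki page nor of the Leshan code base), the following pure-Python script reads a DER or PEM SubjectPublicKeyInfo such as the `cpubk.der` produced above, checks that it declares an id-ecPublicKey key on prime256v1, extracts the (x, y) coordinates of the public point, and verifies that the point really lies on the curve, which is the check a server should perform before trusting a raw public key it was configured with. It also produces the same hex string that `xxd -p -c 512` prints for the Security object. The embedded sample SPKI bytes are constructed for this example and wrap the P-256 generator point; all function names are my own.

```python
"""Extract and validate the (x, y) point of a prime256v1 SubjectPublicKeyInfo.

Pure Python, no third-party dependencies: a minimal DER TLV reader is enough
for the fixed structure that `openssl ec -pubout -outform DER` produces.
"""
import base64
import re

# DER-encoded OIDs (tag and length stripped), as found inside AlgorithmIdentifier
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # 1.2.840.10045.2.1
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")    # 1.2.840.10045.3.1.7

# prime256v1 / secp256r1 domain parameters (FIPS 186-4)
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B

# Constructed sample (not from the wiki): a SubjectPublicKeyInfo holding the
# P-256 generator point, in the exact layout openssl writes into cpubk.der.
SAMPLE_SPKI_HEX = (
    "3059301306072a8648ce3d020106082a8648ce3d030107034200"
    "046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"
    "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5"
)


def read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def load_der(data):
    """Accept raw DER bytes or a PEM 'PUBLIC KEY' block and return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return bytes(data)


def is_on_p256(x, y):
    """True iff (x, y) satisfies y^2 = x^3 + ax + b over GF(p) for P-256."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def parse_p256_spki(data):
    """Return (x, y) from a prime256v1 SubjectPublicKeyInfo, validating the point."""
    der = load_der(data)
    tag, spki, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single DER SEQUENCE")
    tag, alg, pos = read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag1, oid1, apos = read_tlv(alg, 0)
    tag2, oid2, _ = read_tlv(alg, apos)
    if tag1 != 0x06 or oid1 != OID_EC_PUBLIC_KEY:
        raise ValueError("not an id-ecPublicKey key")
    if tag2 != 0x06 or oid2 != OID_PRIME256V1:
        raise ValueError("curve is not prime256v1")
    tag, bits, _ = read_tlv(spki, pos)
    if tag != 0x03 or not bits or bits[0] != 0:
        raise ValueError("expected BIT STRING with 0 unused bits")
    point = bits[1:]
    if len(point) != 65 or point[0] != 0x04:
        raise ValueError("expected uncompressed SEC1 point (0x04 || X || Y)")
    x = int.from_bytes(point[1:33], "big")
    y = int.from_bytes(point[33:], "big")
    if not is_on_p256(x, y):
        raise ValueError("public key point is not on prime256v1")
    return x, y


def to_hex_string(data):
    """Lower-case hex with no line breaks, like `xxd -p -c 512 credential.der`."""
    return load_der(data).hex()


def to_base64_string(data):
    """Base64 of the DER bytes, like `base64 credential.der` (without line wrapping)."""
    return base64.b64encode(load_der(data)).decode("ascii")


if __name__ == "__main__":
    x, y = parse_p256_spki(bytes.fromhex(SAMPLE_SPKI_HEX))
    print("x =", format(x, "064x"))
    print("y =", format(y, "064x"))
```

Run it against a real file with `parse_p256_spki(open("cpubk.der", "rb").read())`; the PEM output of `openssl ec -pubout` (without `-outform DER`) is accepted as well. The on-curve check matters because DER parsing alone says nothing about the point: a key file with a valid structure but an off-curve point is the classic input for invalid-curve attacks, so rejecting it at load time is cheap insurance.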
## X509 :scroll:

### Using OpenSSL to create a self-signed certificate

Create EC keys (private and public) using the default OpenSSL PEM encoding (prime256v1, also known as secp256r1, is the default curve):

```sh
openssl ecparam -out keys.pem -name prime256v1 -genkey
```

Now we will convert those keys into the formats used by the Security (id 0) object of the LWM2M specification, which are also well supported by the JVM. Convert the private key to PKCS#8 format (DER encoding):

```sh
openssl pkcs8 -topk8 -inform PEM -outform DER -in keys.pem -out cprik.der -nocrypt
```

Final step, create a self-signed certificate:

```sh
# YOUR_COMMON_NAME must be replaced by
# - the endpoint name for a client
# - the server domain name or IP address for a server
openssl req -x509 -new -key keys.pem -sha256 -days 36500 \
    -subj '/CN=YOUR_COMMON_NAME' \
    -outform DER -out self_signed_cert.der
```

You may want to generate a more advanced certificate with keyUsage and extendedKeyUsage, like this:

```sh
openssl req -x509 -new -key keys.pem -sha256 -days 36500 \
    -subj '/CN=YOUR_COMMON_NAME/C=FR' \
    -addext "keyUsage = digitalSignature,keyAgreement" \
    -addext "extendedKeyUsage = serverAuth, clientAuth" \
    -outform DER -out self_signed_cert.der
```
### Using OpenSSL to create a CA-signed certificate

First you need a CA certificate and its private key.
To do that you can create your own self-signed root CA certificate (like above, but here we need the certificate in PEM encoding):

```sh
# create keys
openssl ecparam -out root_keys.pem -name prime256v1 -genkey

# create certificate without keyUsage
openssl req -x509 -new -key root_keys.pem -sha256 -days 36500 \
    -outform PEM -out root_cert.pem

# OR with keyUsage:
openssl req -x509 -new -key root_keys.pem -sha256 -days 36500 \
    -subj '/CN=root' \
    -addext "keyUsage = keyCertSign,cRLSign" \
    -outform PEM -out root_cert.pem
```

If you want to use this root certificate as the truststore for the Leshan demos, you need to convert it into a DER-encoded file:

```sh
openssl x509 -inform PEM -in root_cert.pem -outform DER -out root_cert.der
```

Now that we have a CA certificate (root_cert.pem) and its key (root_keys.pem), we are able to create a CA-signed certificate for our keys.
To do that we need to create a CSR (Certificate Signing Request) for our keys.

So create your keys:

```sh
openssl ecparam -out keys.pem -name prime256v1 -genkey
```

Then create a CSR for this key:

```sh
# YOUR_COMMON_NAME must be replaced by
# - the endpoint name for a client
# - the server domain name or IP address for a server
openssl req -new -key keys.pem \
    -subj '/CN=YOUR_COMMON_NAME/C=FR' \
    -out csr.pem

# OR if you want to use keyUsage and extendedKeyUsage
openssl req -new -key keys.pem \
    -subj '/CN=YOUR_COMMON_NAME/C=FR' \
    -addext "keyUsage = digitalSignature,keyAgreement" \
    -addext "extendedKeyUsage = serverAuth, clientAuth" \
    -out csr.pem
```

Now use the CSR, the CA certificate and the CA key to create your CA-signed certificate:

```sh
openssl x509 -req -in csr.pem -CA root_cert.pem -CAkey root_keys.pem -CAcreateserial -days 36500 \
    -outform DER -out ccert.der
```

You probably need the private key too:

```sh
openssl pkcs8 -topk8 -inform PEM -outform DER -in keys.pem -out cprik.der -nocrypt
```
## Get string value from file

### On Linux

To get a hex string:

```sh
xxd -p -c 512 credential.der
```

To get a base64 string:

```sh
base64 credential.der
```

To display PEM keys:

```sh
openssl ec -text -noout -in keys.pem
```

To display a DER public key:

```sh
openssl ec -text -noout -inform DER -pubin -in cpubk.der
```

To display a DER private key:

```sh
# We didn't find a better way to do that ...
openssl asn1parse -inform DER -in cprik.der
```

To display a DER certificate:

```sh
openssl x509 -noout -text -inform DER -in self_signed_cert.der
```

To display a PEM certificate:

```sh
openssl x509 -noout -text -in self_signed_cert.pem
```

To display a PEM Certificate Signing Request (CSR):

```sh
openssl req -noout -text -in csr.pem
```
## About Java Keystore

leshan-server-demo allows credentials to be provided in a Java Keystore thanks to the `-ks`, `-ksp`, `[-kst]`, `[-ksa]`, `-ksap`
options, but this is a deprecated way for leshan-server-demo.
To be clear, a Java Keystore is a good way to store credentials and can be used with the Leshan library, but for our demo we want to keep it simple and so propose only one way.
That's why those options will probably be removed in the short term.

If you want to use a Java keystore, you should have a look at the Java keytool documentation.
Here are some usage examples from leshan-integration-tests.
Here is the demo code, to better understand how the keystore is expected to be set up for leshan-server-demo.
## Credential file formats

To find your way in the jungle of credential file formats you could have a look at:

- https://embeddedinn.xyz/articles/tutorial/understanding-X.509-certificate-structure/
- https://tls.mbed.org/kb/cryptography/asn1-key-structures-in-der-and-pem
- https://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file
- https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them