NetBurner 3.5.6

NetBurner On-board Certificate Generation - Advanced

Overview

This application demonstrates advanced on-board SSL certificate generation capabilities for NetBurner embedded devices. It provides interactive control over certificate lifecycle management, including creation, validation, expiration checking, and deletion of self-signed certificates.

Most applications use the simple auto-generated self-signed certificate example. This example provides advanced options, with interactive control to:

  • Generate the certificate
  • Delete the certificate
  • View certificate expiration date
  • Check for a valid certificate
  • Manually enter the system time

Features

Certificate Management

  • Automatic Certificate Generation: Creates self-signed certificates with configurable parameters
  • Certificate Validation: Verifies certificate and key pair validity
  • Expiration Monitoring: Checks certificate expiration status and displays expiration dates
  • Certificate Deletion: Removes existing certificates (requires reboot to take effect)

Time Management

  • NTP Time Synchronization: Automatically syncs system time with NTP servers
  • Manual Time Entry: Fallback option for manual time configuration
  • Timezone Support: Configurable timezone settings with automatic daylight savings

Network Connectivity

  • Dual Protocol Support: Serves both HTTP (port 80) and HTTPS (port 443)
  • Web Interface: Provides web-based access to the application
  • System Configuration: Access to NetBurner system configuration pages
  • Network Discovery: Integration with NetBurner discovery service

Application Structure

Main Components

main.cpp

The primary application file containing:

  • Certificate Generation Logic: createCertAndKey() function
  • Certificate Validation: certExpired() and printCertExpiration() functions
  • Interactive Menu System: Serial console interface for user interaction
  • Web Server Integration: HTTP/HTTPS server startup and link display
  • Network Configuration: IP address detection and interface management

TimeUtil.cpp / TimeUtil.h

Time management utilities including:

  • NTP Synchronization: Automatic time setting from network time servers
  • Manual Time Entry: Interactive time configuration via serial console
  • Timezone Management: Support for various timezones with DST calculation
  • Time Display Functions: Formatted time output utilities

CaCrt.cpp

Auto-generated certificate data file containing:

  • Certificate Array: Binary certificate data (501 bytes)
  • Certificate Length: Size definition for the embedded certificate

Certificate Configuration

The application generates certificates with the following default parameters:

Country: US
State: California
Locality: San Diego
Organization: NetBurner
Unit: CodeDemo
Common Name: MyNetburner
Validity Period: 1 year

Subject Alternative Names (SAN)

The certificate includes both IP address and DNS entries based on the device's network configuration.

Interactive Menu Options

The application provides a serial console menu with the following options:

  1. Check Certificate Expiration: Determines if the current certificate is expired
  2. Show Certificate Expiration Date: Displays the exact expiration timestamp
  3. Generate New Certificate: Creates a fresh certificate/key pair
  4. Erase Certificate: Removes the current certificate (requires reboot)
  5. Display System Time: Shows current system time and timezone
  6. Reboot: Restarts the device
  7. ? - Display Menu: Shows the menu options

Network Access Points

Once running, the device can be accessed through multiple endpoints:

Discovery Service

Application Pages

System Configuration

Security Features

Certificate Generation

  • ECC Key Generation: Uses Elliptic Curve Cryptography for key pairs
  • Self-Signed Certificates: Generates certificates signed by the device itself
  • Secure Storage: Certificates and keys are stored in device flash memory
  • Random Number Generation: Utilizes hardware random number generation

SSL/TLS Support

  • Dual Protocol: Supports both HTTP and HTTPS simultaneously
  • Certificate Validation: Built-in certificate and key validation
  • Secure Configuration: HTTPS access to system configuration pages

Prerequisites

Hardware Requirements

  • NetBurner embedded device with SSL/TLS capability
  • Network connectivity (Ethernet)
  • Sufficient flash memory for certificate storage

Software Requirements

  • NetBurner NNDK (NetBurner Network Development Kit)
  • Compatible compiler toolchain
  • Serial console access for interactive features

Network Requirements

  • Active network connection for NTP synchronization
  • Internet access (optional, for NTP and discovery service)

Build and Deployment

  1. Compile: Build the application using the NetBurner development environment
  2. Deploy: Upload the compiled application to the target device
  3. Network Setup: Ensure the device has network connectivity
  4. Time Synchronization: The application will attempt NTP sync on startup
  5. Certificate Generation: Certificates can be generated via the interactive menu

Usage Instructions

Initial Setup

  1. Connect to the device via serial console
  2. Wait for network initialization
  3. The application will attempt automatic time synchronization
  4. Use the interactive menu to manage certificates

Certificate Lifecycle

  1. Generate: Use menu option 3 to create a new certificate
  2. Validate: Use menu option 1 to check expiration status
  3. Monitor: Use menu option 2 to view expiration dates
  4. Refresh: Generate new certificates before expiration
  5. Clean: Use menu option 4 to remove certificates when needed

Web Access

  • Navigate to the device's IP address using HTTP or HTTPS
  • Use the secure configuration pages for advanced device management
  • The discovery service can help locate devices on the network

Troubleshooting

Common Issues

  • Time Synchronization Failures: Check network connectivity and DNS resolution
  • Certificate Generation Errors: Ensure sufficient entropy for random number generation
  • HTTPS Access Problems: Verify certificate validity and browser security settings
  • Menu Unresponsive: Check serial console connection and baud rate settings

Error Codes

The application provides specific error codes for certificate generation failures:

  • CERT_GEN_RETURN_INVALID_RANDOM: Insufficient random number generation

Advanced Features

Custom Certificate Parameters

The certificate generation structure can be modified to customize:

  • Subject distinguished name fields
  • Validity periods
  • Subject alternative names
  • Key algorithms and parameters

Integration Options

  • Web Server Customization: Modify HTTP/HTTPS server behavior
  • Certificate Storage: Custom certificate and key storage implementations
  • Time Sources: Alternative time synchronization methods
  • Network Interfaces: Multi-interface support and configuration