add self-signed cert guidance #5

32 changes: 32 additions & 0 deletions README.md
Expand Up @@ -45,3 +45,35 @@ The path to the unsigned module.

### module-out
The path the signed module will be written to.

## Usage Tips For Self-Signed Certs

These steps assume that you have a JDK and OpenSSL installed. Done on OS X, but should be cross platform. You will also need Keystore Explorer. When you run
Keystore Explorer for the first time, you may be prompted to upgrade to unlimited strength Java crypto.

To create a cert for self-signed modules, the process is roughly:

1. Make a module and create a .modl file
2. Create a keystore and certificate
3. Open a command prompt, Change to the directory where you would like your keystore.jks file to be saved
4. Type `keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore keystore.jks`. You will be prompted for other information needed to complete the cert. The start date of the certificate will always be today, but the end date can be changed with the -validity flag. -validity 20 will make it valid for 20 days.
5. Open your newly created keystore.jks file with Keystore Explorer. Right-click on the server alias, and choose Export > Export Certificate Chain. In the Export dialog, change Certificate Length to Entire Chain. The export format should be PKCS#7 and PEM should be checked.

The certificate chain can be exported using keytool from the command prompt instead of manually using Keystore Explorer:

keytool -exportcert -keystore keystore.jks -alias server -storepass <keystore password> -rfc -file <pathToMyp7b>/cert.p7b


With a certificate to sign with, you can now sign your module using the invocation above.

### Signing a Module in Intellij using Module Signer from Source Code

To sign a module using this Module-Signer project in Intellij:

Within an IDE, set the _main_ program to com.inductiveautomation.ignitionsdk.ModuleSigner.Main. The output will be the self-signed module. For the example above, the program arguments to configure in the IDE Run Configuration's VM Options are:

```shell
-keystore=<pathToMyJKS>/keystore.jks
-keystore-pwd=<password>
-alias=server
-alias-pwd=<password>
-chain=<pathToMyp7b>/cert.p7b
-module-in=<pathToMyModule>/MyModule_unsigned.modl
-module-out=<pathToMyModule>/MyModule.modl
```
This self-signed module can now be installed in Ignition.
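
Review bot: The IntelliJ paragraph calls these "program arguments" but tells the reader to enter them in the Run Configuration's VM Options; entered there, `-keystore=...` and the rest are handed to the JVM instead of to `com.inductiveautomation.ignitionsdk.ModuleSigner.Main`, so the text should point at the Program arguments field. The `-keystore-pwd=<password>` and `-alias-pwd=<password>` values are also saved in clear text with the run configuration, which deserves a sentence telling readers to keep that configuration out of version control. In the numbered list, step 2 reads as a heading for steps 3 to 5 rather than a step of its own, and the fence is tagged `shell` although its content is an argument list, not shell commands.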