- Certification authority on the Internet
Many CAs are available on the Internet; most of them offer trusted certificates issued for a domain name. Many of these CAs are already included among the trusted root CAs in your web browser.
- Your own certification authority
You can create your own CA, but you then need to import the certificate of that CA into the web browser.
The following example uses the OpenSSL certificate toolkit on a Linux-based system (e.g. Ubuntu).
More information can be found here:
https://ubuntu.com/server/docs/openssl
https://jamielinux.com/docs/openssl-certificate-authority/introduction.html
- Open a linux command line (terminal)
- Create a Certification Authority
- Start the procedure by this command
admin@ubuntu:~$ openssl req -out ca.crt -new -x509
- During command processing you will be prompted to create and verify a password. This password protects your private key, so that the key file cannot be used to issue unauthorised certificates with your private key.
Enter PEM pass phrase: YourPassword123
Verifying - Enter PEM pass phrase: YourPassword123
- Now fill in data about your CA
(use your own data, below is just an example)
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: CZ
State or Province Name (full name) [Some-State]: Prague
Locality Name (eg, city) [ ]: Prague
Organization Name (eg, company) [Internet Widgits Pty Ltd]: 2N
Organizational Unit Name (eg, section) [ ]: Techsupport
Common Name (e.g. server FQDN or YOUR name) [ ]: TestUser
Email Address [ ]: (we left this blank)
- Two files have been created (you can find them in /home)
- ca.crt
containing certificate of our CA
- privkey.pem
containing private key of our CA,
needed to sign and issue new certificates by this CA
- Create a CSR (Certificate Signing Request) with an RSA (cryptographic algorithm) private key
- Start the procedure by this command
(name IPINTERCOM can be changed)
admin@ubuntu:~$ openssl req -newkey rsa:2048 -noenc -keyout IPINTERCOM.key -out IPINTERCOM.csr
- This file has been created (you can find it in /home)
- IPINTERCOM.key
RSA (cryptographic algorithm) Private Key
- Now fill in data about the certificate and its owner.
(use your own data, below is just an example)
A very important item is the Common Name, which must contain the IP address or domain name under which the 2N device can be accessed. Without this parameter set correctly, authentication will not work correctly and the web browser will inform you that the web page is untrustworthy.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: CZ
State or Province Name (full name) [Some-State]: Prague
Locality Name (eg, city) [ ]: Prague
Organization Name (eg, company) [Internet Widgits Pty Ltd]: 2N
Organizational Unit Name (eg, section) []: Techsupport
Common Name (e.g. server FQDN or YOUR name) [ ]: intercom.local
Email Address [ ]: (we left this blank)
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password [ ]: (we left this blank)
An optional company name [ ]: (we left this blank)
- This file has been created (you can find it in /home)
- IPINTERCOM.csr
containing new certificate request
- Create configuration file containing the DNS entries
- Open a text editor and insert this content (these are not terminal commands), then save it as "Cert.conf".
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
subjectAltName=@alt_names
[alt_names]
DNS.1=intercom.local
If you are generating the certificate for an IP address, make sure to change "DNS.1" to "IP.1" instead.
- Sign the CSR (Certificate Signing Request) with your CA (Certification Authority)
- Start the procedure by this command
(use the files from the previous steps)
admin@ubuntu:~$ openssl x509 -req -sha256 -CA ca.crt -CAkey privkey.pem -in IPINTERCOM.csr -out CERT.crt -days 365 -CAcreateserial -extfile Cert.conf
- Now just enter the pass phrase for the privkey.pem
Certificate request self-signature ok
subject=C = CZ, ST = Prague, L = Prague, O = 2N, OU = Techsupport, CN = intercom.local
Enter pass phrase for privkey.pem: YourPassword123
- This file has been created (you can find it in /home)
- CERT.crt
containing the certificate for the device
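
The script below is an added example, not part of the original 2N guide: it checks that CERT.crt chains to ca.crt, contains the name the device is reached under, and matches IPINTERCOM.key before the files are uploaded. The function names check_device_cert and make_demo_pki, the script name check.sh, the pass phrase demo-only and the shortened subjects are assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Added example, not 2N's code. Function names are hypothetical.

# check_device_cert CA_CERT DEVICE_CERT DEVICE_KEY HOSTNAME
# Prints "ok" and returns 0 only if chain, name and key all match.
check_device_cert() {
  local ca=$1 cert=$2 key=$3 host=$4
  # 1. The certificate must chain to the CA the browser will trust.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "chain: FAIL"; return 1; }
  # 2. The name typed into the browser must be in the certificate.
  #    (For an IP.1 entry use -checkip instead of -checkhost.)
  openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match" \
    || { echo "name: FAIL ($host)"; return 1; }
  # 3. The private key must belong to the certificate: compare public keys.
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
    || { echo "key: FAIL"; return 1; }
  echo "ok"
}

# make_demo_pki DIR
# Non-interactive rerun of the page's commands in DIR, with constructed
# throwaway subjects and pass phrase, so the check can be tried offline.
make_demo_pki() {
  ( cd "$1" || exit 1
    # -keyout is given explicitly; the page relies on the default privkey.pem.
    openssl req -new -x509 -out ca.crt -keyout privkey.pem \
      -passout pass:demo-only -subj "/C=CZ/O=2N/CN=TestUser" 2>/dev/null
    # -nodes is the older spelling of -noenc, accepted by OpenSSL 1.1.1 and 3.x.
    openssl req -newkey rsa:2048 -nodes -keyout IPINTERCOM.key \
      -out IPINTERCOM.csr -subj "/C=CZ/O=2N/CN=intercom.local" 2>/dev/null
    printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' \
      'basicConstraints=CA:FALSE' 'subjectAltName=@alt_names' \
      '[alt_names]' 'DNS.1=intercom.local' > Cert.conf
    openssl x509 -req -sha256 -CA ca.crt -CAkey privkey.pem \
      -passin pass:demo-only -in IPINTERCOM.csr -out CERT.crt -days 365 \
      -CAcreateserial -extfile Cert.conf 2>/dev/null
  )
}

# Direct use: ./check.sh ca.crt CERT.crt IPINTERCOM.key intercom.local
if [ "$#" -eq 4 ]; then check_device_cert "$@"; fi
```

Run against the files created above, a "name: FAIL" result means the entry in Cert.conf does not match the address used to reach the device, and a "key: FAIL" result means the key file does not belong to the certificate.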
Loading CA certificate into browser
This step is needed for certificates created by your own CA (e.g. by OpenSSL);
if you use a trustworthy CA from the Internet, you can skip this section.
- In the browser, go to Settings - Privacy - Security and import the certificate authority file (in our case ca.crt).
Here is an example for Firefox:

Loading device certificate into the device
- Please go to section System - Certificates - User Certificates and upload a new certificate.
You will need the device certificate file CERT.crt, intercom RSA private key IPINTERCOM.key and the private key password.
Some Internet Certification Authorities may give you just one file containing both the certificate and the private key. This file must then be uploaded in both the User Certificate and Private Key boxes.
- Please go to section Services - Web Server and assign this certificate for web interface.

- Finally, please go to section System - Maintenance and restart the device.
After the restart, the new certificate and key will be used for HTTPS communication.
