3 certificate signing requests, 3 cd1.1 operation – Guralp Systems CD1.1 User Manual

Page 69


Operator's Guide

spyrus_util --getkey --index 3

On the web interface, a new key can be generated in the
section entitled “New key generation” with a single button
press. Keys can also be deleted through this interface: find the
corresponding slot in “Card certificates” and press “Delete
entry”.

10.2.3 Certificate signing requests

So that data signed by a private key can be verified, a
certificate signing request (CSR) must be generated and
forwarded to a certificate authority (CA) for signing.

By default the command outputs the PEM-encoded request to
stdout, so it may be convenient to supply the “--out file.pem”
option to write the output to a file:

spyrus_util --request --index 3 --out newreq.pem \
    commonName="Bob Dunlop"

Note also the override of the commonName request subject
component. To check the current subject options and values
you can use the command:

spyrus_util --request --help

or simply examine the file /etc/spyrus/reqparam.local.

On the web interface, find the corresponding slot in the “Card
certificates” section and press “Generate certificate request”.
This will let you modify the subject options (and the defaults)
before generating the request.
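
Before forwarding a request such as newreq.pem to the CA, it is worth confirming that its self-signature verifies and that the commonName override took effect. The script below is an added example, not part of the Guralp manual or tools; it assumes the openssl command-line tool is available where the request is checked, and the function names check_csr and make_sample_csr are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check a CSR before sending it to the CA.
# Usage: check_csr FILE EXPECTED_CN

check_csr() {
    csr=$1 want_cn=$2

    # 1. The request must parse and its self-signature must verify against
    #    the public key it carries (proof the requester holds the private key).
    #    Older openssl releases exit 0 even on a bad signature, so match the
    #    "verify OK" message instead of trusting the exit status alone.
    out=$(openssl req -in "$csr" -noout -verify 2>&1) || {
        echo "FAIL: $csr could not be read or verified" >&2; return 1; }
    case $out in
        *"verify OK"*) ;;
        *) echo "FAIL: self-signature does not verify" >&2; return 1 ;;
    esac

    # 2. The subject must carry the commonName that was requested.
    got_cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline |
             sed -n 's/^ *commonName *= //p')
    if [ "$got_cn" != "$want_cn" ]; then
        echo "FAIL: commonName is '$got_cn', expected '$want_cn'" >&2
        return 1
    fi
    echo "OK: $csr (commonName=$got_cn)"
}

# Constructed sample input: a throwaway software key stands in for the
# key held in the Spyrus card slot, so the check can be tried offline.
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1" -subj "/CN=$2" 2>/dev/null
}
```

For a request produced by the spyrus_util command above, the call would be check_csr newreq.pem "Bob Dunlop".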

10.3 CD1.1 operation

gdi2cd11 must be configured to use authentication (see section
5.2.1 on page 26 for details). Required options are a subframe
transformation that includes signing, a Spyrus slot holding a
valid keypair, and an authentication key ID.

data-out-cd11 must also be configured to use authentication
(see chapter 7.3.1 on page 40 for details). Required options are
the Spyrus slot holding a valid keypair and an authentication
key ID.

It is possible to use the digitiser's web or commandline
configuration engine to enable/disable authentication and to

June 2010
