Manually Creating Certificates
Use the following instructions to manually create certificates for use with ICE Agents and clients.
To manually create certificates
1. Create a CA cert and private key
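# Generate the CA's 2048-bit RSA private key. genrsa writes it unencrypted
# here (no cipher option is given), so limit the file to its owner: whoever
# holds ice-ca.key can sign certificates that chain to ice-ca.pem.
openssl genrsa -out ice-ca.key 2048
chmod 600 ice-ca.key
# Self-sign the CA certificate with SHA-256, valid for 3650 days.
# req prompts for the subject fields unless a config or -subj supplies them.
openssl req -x509 -new -nodes -key ice-ca.key -sha256 -days 3650 -out ice-ca.pem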
2. Create client-side cert and key, signed by CA
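# Generate the client's RSA private key. The size is given explicitly
# (matching the CA key) because genrsa's default depends on the OpenSSL
# version. The key is unencrypted, so limit the file to its owner.
openssl genrsa -out ice-client.key 2048
chmod 600 ice-client.key
# Build the certificate signing request; req prompts for the subject fields.
openssl req -new -key ice-client.key -out ice-client.csr
# Sign the CSR with the CA. -sha256 pins the signature digest instead of
# relying on the build's default. -CAcreateserial creates the CA serial file
# if it does not exist yet.
# NOTE(review): no -days is given, so the certificate gets openssl's default
# validity of 30 days; add -days N for the lifetime your deployment needs.
openssl x509 -req -sha256 -in ice-client.csr -CA ice-ca.pem -CAkey ice-ca.key -CAcreateserial -out ice-client.pem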
3. Create server-side cert and key, signed by CA
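# Generate the server's RSA private key. The size is given explicitly
# (matching the CA key) because genrsa's default depends on the OpenSSL
# version. The key is unencrypted, so limit the file to its owner.
openssl genrsa -out ice-server.key 2048
chmod 600 ice-server.key
# Build the certificate signing request; req prompts for the subject fields.
openssl req -new -key ice-server.key -out ice-server.csr
# Sign the CSR with the CA. -sha256 pins the signature digest instead of
# relying on the build's default.
# NOTE(review): no -days is given, so the certificate gets openssl's default
# validity of 30 days; add -days N for the lifetime your deployment needs.
# NOTE(review): extensions requested in the CSR (e.g. subjectAltName) are not
# copied into the certificate by default; if peers verify the server name,
# supply them with -extfile. Confirm what the ICE components require.
openssl x509 -req -sha256 -in ice-server.csr -CA ice-ca.pem -CAkey ice-ca.key -CAcreateserial -out ice-server.pem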
To manually create certstores
1. Create the Infra certstore
# Create the infra.certstore file.
./ecstool infra.certstore create
# Add the client certificate and its private key as entry iceDefaultClientCert.
# NOTE(review): the --tags values look like default-role markers for each
# entry; confirm their meaning in the ecstool documentation.
./ecstool infra.certstore --tags:-enginedefault add iceDefaultClientCert ice-client.pem ice-client.key
# Add the server certificate and its private key as entry iceDefaultRpCert.
./ecstool infra.certstore --tags:-rpwsdefault,-rpdefault add iceDefaultRpCert ice-server.pem ice-server.key
# Add the CA certificate only; the CA private key (ice-ca.key) is not stored.
# This store now holds both the client and the server private key, so handle
# the file like the keys themselves unless ecstool is known to encrypt it
# (TODO confirm).
./ecstool infra.certstore --tags:-cadefault add iceDefaultCA ice-ca.pem
2. Create the Rallypoint certstore
# Create the RallyPoint.certstore file.
./ecstool RallyPoint.certstore create
# Add the server certificate and its private key as entry iceDefaultRpCert.
# NOTE(review): the --tags values look like default-role markers for each
# entry; confirm their meaning in the ecstool documentation.
./ecstool RallyPoint.certstore --tags:-rpwsdefault,-rpdefault add iceDefaultRpCert ice-server.pem ice-server.key
# Add the CA certificate only; the CA private key (ice-ca.key) is not stored.
# The store contains ice-server.key, so restrict access to the file.
./ecstool RallyPoint.certstore --tags:-cadefault add iceDefaultCA ice-ca.pem
3. Create the Client certstore
# Create the client.certstore file.
./ecstool client.certstore create
# Add the client certificate and its private key as entry iceDefaultClientCert.
# NOTE(review): the --tags values look like default-role markers for each
# entry; confirm their meaning in the ecstool documentation.
./ecstool client.certstore --tags:-enginedefault add iceDefaultClientCert ice-client.pem ice-client.key
# Add the CA certificate only; the CA private key (ice-ca.key) is not stored.
# The store contains ice-client.key, so restrict access to the file wherever
# it is deployed.
./ecstool client.certstore --tags:-cadefault add iceDefaultCA ice-ca.pem