Skip to main content


IPsec certificate generation for base stations traffic

If you need to set your own PKI, you can generate the certificate and its key using the following procedure:


Do not set any passphrase when generating your own certificate; ThingPark Enterprise does not handle this feature.

  1. Connect to the server's console.

  2. Create a configuration file for OpenSSL:

    $ cd /home/support
    $ vi openssl.cnf.CA

    Copy and paste the content of this configuration example: openssl.cnf.CA

  3. Go to /home/support/ and execute the following commands:

    $ openssl genrsa -out CA_PKI_Root.key 2048
    $ openssl req -new -extensions v3_ca_root -key CA_PKI_Root.key -out CA_PKI_Root.csr -subj '/C=FR/ST=/L=Paris/O=Actility/OU=/CN=CA_RCA_Root' -config openssl.cnf.CA
    $ openssl x509 -req -extensions v3_ca_root -days 9125 -in CA_PKI_Root.csr -signkey CA_PKI_Root.key -out CA_PKI_Root.crt -extfile openssl.cnf.CA
  4. Retrieve the CA_PKI_Root.crt file (certificate) and the CA_PKI_Root.key file (key) with a SFTP client on port 2222 with the «support» user.

Sample: File openssl.cnf.CA

dir = /etc/pki/CA

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
database = $dir/cert.idx
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 3650
crl = $dir/crl/crl.pem
crlnumber = $dir/crl/crl_serial
default_crl_days = 365
default_md = sha256
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
copy_extensions = copy

[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048
default_keyfile = key.pem
default_md = sha256
string_mask = nombstr
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
countryName_default = FR

############ Profiles AC ############
[ v3_ca_root ]
basicConstraints = CA:TRUE, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier= hash
authorityKeyIdentifier= keyid:always,issuer:always

Generation of a local media on USB key

The local media package is available as a 5.4GB ISO file (tpe-localmedia-<version>.iso). To create a USB key that can be used during the Local Repository Installation phase, you must directly burn the ISO file on the USB key.

Create a USB key on Windows

You can use a tool like isotousb ( that can directly flash the iso file on the USB key (select FAT32)

Create USB key on Windows

Or you can just format your USB key in FAT32, open the ISO file using Explorer and copy the content of the ISO file to the USB key.

Create a USB key on Linux

On Linux, you can directly use the dd command to burn the ISO file to the USBkey :

$ dd if=./tpe-localmedia-6.1-x.y.iso of=/dev/<your device>

When using that USB key on cockpit, it will be referenced as CDROM (media type iso9660) and the mount point will be /run/media/support/CDROM