Skip to content

TLS Certificates

This section is about generating TLS certificates for an instance of Plaid.

OpenADR requires connections to use TLS 1.2 with client side certificates. Both the client (the VEN, Plaid in this case) and the server (VTN) must have a certificate. Certificates are generated by a certificate authority (CA). The OpenADR alliance has selected Eonti as the certificate provider.

Many programs will have a test VTN for which you can quickly generate test certificates for free, from Eonti. When you are ready to connect to their live production VTN, you will need to go through the process with Eonti to generate live certificates. This takes more time and money but is important to ensure a secure VEN authentication process.

Test certificates

You can use free test certificates from Eonti in order to connect to test VTN instances.

Generate Certificate from Eonti

Request for a Test certificate at https://www.eonti.com/openadr/.

You will see the following screen.

Eonti Start Page

Click on the button 'Test Certificate Request'. You will see the following page with a form.

Eonti modal form

The only things you must update are:

  • Device type VEN
  • Device type RSA
  • Company Name Your company name
  • Country Code Your country (US is default)
  • DNS Name or MAC Address Name of your certificate. Enter something descriptive (this will not be used)

Eonti modal form filled

Click Get Certificates to submit request for your certificates. Your download should begin immediately. The downloaded content should look similar to the following.

Eonti Certificate files

Here's a description of each file:

  • DemoCertsRoot.pem: CA certificate file
  • DemoCertsICA.pem: CA certificate file
  • DemoCertsEE.pem: Certificate file
  • PrivateKey.txt: Certificate private key

The first two files are certificate authority files and are the same in every certificate bundle generated from Eonti. The next two files - the private key and certificate file - contain the RSA private/public key pair and some information that was signed by Eonti. The certificate file can be verified using the two CA certificate files.

Before these files can be used by Plaid, a little prep work must be done.

Add certificate to Plaid instance

You will need to create two files based on contents of the folder that you just downloaded. See next section for example command line commands to execute the following steps

  1. The file named PrivateKey.txt rename it to privkey.pem (Remember to change file extension)
  2. In a plain text editor, concatenate together the contents of three other files and save it as certchain.pem, in this order:
    1. DemoCertsEE.pem
    2. DemoCertsICA.pem
    3. DempCertsRoot.pem

Create a new folder in the root directory /certs and add those two files in there.

Finally, in the config file, make sure that the certificate file path parameters point to the correct files (you may want to move the certs folder into the same folder structure as your Plaid executable):

  • keypath points to the privkey file
  • certpath points to the certchain file
  • capath points to the ca file that is provided with Plaid. In the source code, this is in the cacerts/ folder. When connecting to a test instance, it should use the test file (ven_cacerts_test.pem).

In the binaries, only the test cacerts file is given.

Production certificates

The test certificates will not work with most production VTNs. Production certificates will be generated either via Eonti or directly from the VTN provider. The files need to be organized in the same way as described above, and make sure that you are using the prod ca file!

If Eonti production certificates are required, and you have gone through OpenADR certification process, you may contract directly with Eonti to obtain the certificates

You will need to generate a private key and a CSR for every production certificate that you request.

Using Production Certificates

The process to use production certificates is similar to test certificates, but they need to be prepared differently.

For cacerts, if the VTN is using an existing cert from Kyrio, then you can use the ven_cacerts_prod.pem file that’s included in your source code (or download here). If the VTN is using Eonti certificate then you will need to request the cacerts from them.

For the key, you use the private key that you generated when you created a CSR.

For the certificate, use the signed certificate received back from Eonti after the certificate signing process. To be safe, it is worth chaining a couple intermediate certificates to make sure that the VTN can trace it back to a well known certificate authority.

You’ll need to create a certificate chain out of:

  • 1st – your signed certificate from Eonti
  • 2nd – append the contents of the intermediate certificate
  • 3rd – append the contents of production root certificate

If the files get downloaded as .csr files, before appending you need to convert them into .pem. You should be able to do so using openssl – if using openssl with the command line: 

openssl x509 -in mycert.crt -out mycert.pem -outform PEM -inform DER

(you need to add -inform DER because the certificates you get are in binary format).

Once you have the proper files in pem format, concatenate the contents of these 3 files into a single file in the order specified above, and that becomes your certificate file.

Add the path to these files in the Plaid Config File.

CA Certificates for the Plugin

If you would like the plugin messages to use https (configured in the config file under the plugin>tls section):

  • On Linux, there is no need to specify a CA file unless the endpoint is not using a certificate from a wellknown CA - Plaid will use the default system CA files
  • On Windows, use the ffcacert.pem file in the cacerts folder (or download here)