Generate certificates with CRL for Modern POS

If you are working with the Modern POS (MPOS) and run into a problem right at device activation (if I recall right, because I haven't saved the error, the message error code was something like DC10031 or DC10032), one possible reason is that the certificates you generated do not carry a CRL distribution point, so the client has no way to check revocation. A short note: the process described below is strictly for a DEV, maybe a TEST machine, never for a PROD instance (the CA private key is generated and left unprotected on the same machine, and the whole chain is self-signed).
Just a comment: if you have followed the steps in the installation manual, you may have come across this issue, as I did, and the fix is to generate the certificates with a CRL distribution point and a matching CRL.

To start, you will first need the Win32 OpenSSL package (the Light package is enough; the complete one works too). I used Win32OpenSSL_Light-1_0_2d.exe for my generation. Note that the 1.0.2 line is no longer supported; the commands below are the same on any current OpenSSL build, only the installer name and path differ.

Next, after you install OpenSSL for Windows, you have to create a folder and two files. I assume you did not modify any of the installed files (openssl.cfg in particular), because the stock config tells openssl ca to look for its database under ./demoCA. Create a new demoCA folder inside the existing bin folder, and in it two files: crlnumber (note the spelling; it is the CRL counter and must already contain a starting number, a single line with 01 is enough) and an empty index.txt (the CA database). If either file is missing, the openssl ca -gencrl step below fails.

Also, in the bin folder create a new file called cidRetail247CRLSetup.cfg with this content:


crlDistributionPoints = URI:http://hostname/cidRetail247CRL.crl
authorityInfoAccess = OCSP;URI:http://hostname



(Replace hostname with the actual machine name you are going to install the certificates on; it must be the name by which the MPOS machine will reach the CRL over HTTP, and it should also be the Common Name you enter for the second certificate, since that is the name clients will validate.) Also, one important note: all the names that start with cid can be replaced with whatever name you wish, as long as you use them consistently throughout all the commands.



Now open a command prompt in the bin folder (openssl ca resolves demoCA relative to the current directory, so this matters) and run each of the following commands in order:

set OPENSSL_CONF=C:\OpenSSL-Win32\bin\OpenSSL.cfg

openssl genrsa -out cidRetailCA.key 4096


openssl req -new -x509 -days 1826 -key cidRetailCA.key -out cidRetailCA.crt


openssl genrsa -out cidRetail247.key 4096


openssl req -new -key cidRetail247.key -out cidRetail247.csr


openssl x509 -req -days 730 -in cidRetail247.csr -CA cidRetailCA.crt -CAkey cidRetailCA.key -set_serial 01 -out cidRetail247.crt -extfile cidRetail247CRLSetup.cfg


openssl ca -gencrl -keyfile cidRetailCA.key -cert cidRetailCA.crt -out cidRetail247CRL.pem


openssl crl -inform PEM -in cidRetail247CRL.pem -outform DER -out cidRetail247CRL.crl


openssl pkcs12 -export -out cidRetail247.pfx -inkey cidRetail247.key -in cidRetail247.crt -chain -CAfile cidRetailCA.crt



Now you can go ahead and install the two files you need on your MPOS machine, both in the Local Computer store: the CA .crt file under Trusted Root Certification Authorities and the .pfx file (which carries the private key) under Personal. To confirm that Windows can actually build the chain and fetch the CRL from the URI you configured, run certutil -verify -urlfetch cidRetail247.crt on that machine and look at the revocation section of its output.

I have also copied the cidRetail247CRL.crl file to the inetpub\wwwroot folder on the machine for which I generated the certificates (I assume you have a web site running on port 80; otherwise just change the address in your cfg file), although I must admit I haven't tested whether this step is actually required or can be skipped.

Also, I did not mention anything about what you should enter as the data for your certificates at the two openssl req steps (the ones that prompt for the subject), but I believe you are familiar with that.

And finally, you can get the thumbprint of the installed certificate very easily with PowerShell:

get-childitem -path cert:\LocalMachine\My
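The whole sequence above as a non-interactive script, followed by the checks a practitioner would want before copying anything to the MPOS machine. This is an added example and not code from the original post: it runs the same openssl commands (on Linux, macOS, Git Bash or WSL; the commands themselves are identical to the cmd versions), ships its own minimal ca.cnf instead of relying on the stock openssl.cfg, and adds subjectAltName, extendedKeyUsage and keyUsage to the leaf, CA:TRUE and cRLSign to the CA, SHA-256 signatures and a 30-day CRL lifetime. Those additions, the subject names, the PFX password and the work directory are my assumptions, not the post's. After issuing, it validates the leaf against the CA and the CRL the way a relying party would, then revokes the leaf, re-issues the CRL and confirms that validation now fails; that round trip is the only way to know the CRL is really consulted. The last function prints the same SHA-1 thumbprint the PowerShell listing shows.

```shell
#!/bin/sh
# Added example (not from the original post): the certificate/CRL procedure as a
# script, plus verification. Subject names, work directory, PFX password and the
# extra extensions marked below are assumptions.
set -eu

# make_pos_certs WORKDIR HOSTNAME: issue CA, leaf, CRL and PFX under WORKDIR.
# Body runs in a subshell so the cd does not leak into the caller.
make_pos_certs() (
    mkdir -p "$1" && cd "$1"; host=$2
    mkdir -p demoCA
    : > demoCA/index.txt        # empty CA database
    echo 01 > demoCA/crlnumber  # next CRL number ('crlnumber', not 'clrnumber')

    # Self-contained config so the script does not depend on the system openssl.cnf.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
crlnumber = $dir/crlnumber
new_certs_dir = $dir
serial = $dir/serial
default_md = sha256
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # Leaf extensions: the two lines from the post, plus SAN/EKU/KU (assumed
    # additions; modern TLS stacks match the SAN rather than the CN).
    cat > cidRetail247CRLSetup.cfg <<EOF
crlDistributionPoints = URI:http://$host/cidRetail247CRL.crl
authorityInfoAccess = OCSP;URI:http://$host
subjectAltName = DNS:$host
extendedKeyUsage = serverAuth, clientAuth
keyUsage = digitalSignature, keyEncipherment
EOF

    openssl genrsa -out cidRetailCA.key 4096 2>/dev/null
    openssl req -new -x509 -config ca.cnf -extensions v3_ca -sha256 -days 1826 \
        -key cidRetailCA.key -subj "/CN=cidRetailCA" -out cidRetailCA.crt
    openssl genrsa -out cidRetail247.key 4096 2>/dev/null
    openssl req -new -config ca.cnf -sha256 -key cidRetail247.key -subj "/CN=$host" \
        -out cidRetail247.csr
    openssl x509 -req -sha256 -days 730 -in cidRetail247.csr -CA cidRetailCA.crt \
        -CAkey cidRetailCA.key -set_serial 01 -extfile cidRetail247CRLSetup.cfg \
        -out cidRetail247.crt 2>/dev/null
    openssl ca -config ca.cnf -gencrl -crldays 30 -keyfile cidRetailCA.key \
        -cert cidRetailCA.crt -out cidRetail247CRL.pem 2>/dev/null
    openssl crl -in cidRetail247CRL.pem -outform DER -out cidRetail247CRL.crl
    # On OpenSSL 3 add -legacy if an older Windows refuses to import the PFX.
    openssl pkcs12 -export -passout pass:changeit -out cidRetail247.pfx \
        -inkey cidRetail247.key -in cidRetail247.crt -chain -CAfile cidRetailCA.crt
)

# check_pos_cert WORKDIR: validate the leaf with CRL checking, as a relying party
# would. Prints "no-crldp", "valid", "revoked" or "invalid".
check_pos_cert() (
    cd "$1"
    if ! openssl x509 -in cidRetail247.crt -noout -text | grep -q 'CRL Distribution Points'; then
        echo no-crldp; exit 0
    fi
    out=$(openssl verify -crl_check -CAfile cidRetailCA.crt -CRLfile cidRetail247CRL.pem \
        cidRetail247.crt 2>&1) && { echo valid; exit 0; }
    case "$out" in *"certificate revoked"*) echo revoked ;; *) echo invalid ;; esac
)

# revoke_pos_cert WORKDIR: mark the leaf revoked in the CA database and re-issue the CRL.
revoke_pos_cert() (
    cd "$1"
    openssl ca -config ca.cnf -revoke cidRetail247.crt -keyfile cidRetailCA.key \
        -cert cidRetailCA.crt 2>/dev/null
    openssl ca -config ca.cnf -gencrl -crldays 30 -keyfile cidRetailCA.key \
        -cert cidRetailCA.crt -out cidRetail247CRL.pem 2>/dev/null
    openssl crl -in cidRetail247CRL.pem -outform DER -out cidRetail247CRL.crl
)

# pos_thumbprint WORKDIR: SHA-1 thumbprint in the form the Windows store displays it.
pos_thumbprint() {
    openssl x509 -in "$1/cidRetail247.crt" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'
}
```

Typical use is make_pos_certs ./pos pos01.example.test followed by check_pos_cert ./pos, which must print valid; after revoke_pos_cert ./pos the same check must print revoked, otherwise the CRL is not being applied. Every CRL has a nextUpdate, here 30 days out, so a DEV box that outlives it will start failing activation again until you re-run the gencrl and crl steps and republish the .crl file.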
