# Self signing CA certificate

To secure communication between the gateway and your server, you will need SSL/TLS certificates. **The most robust approach is to use a certificate signed by a trusted Certification Authority.** However, for demonstration purposes, we will generate and use self-signed certificates.

## Before you start

* Ensure that OpenSSL is installed on your computer (it is included with Git, so you likely have it already).
* Register a domain name and point it to the IP address of the server that will receive data from the gateway.

## Set up

{% stepper %}
{% step %}

### **Generate a private key**

Open the command line and navigate to the folder where OpenSSL is installed (e.g., `Git\usr\bin`). Then run:

```bash
openssl genrsa -out rootCA.key 2048
```

This command generates a 2048-bit private key and saves it in a file named **rootCA.key** in the current directory. This key will later be used to sign all certificates.
{% endstep %}

{% step %}

### **Create a certificate signing request (CSR)**

Run the following command:

```bash
openssl req -new -nodes -key rootCA.key -out signing_request.csr
```

You will be prompted to enter several optional fields, which form the certificate's *Distinguished Name (DN)*. These fields may be left blank.

<figure><img src="/files/P1oRgFxOs0hGjNfXDmLT" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### **Generate and sign the root certificate**

Create a self-signed root certificate using:

```bash
openssl x509 -in signing_request.csr -out rootCA.pem -req -signkey rootCA.key -days 365
```

The `-days` parameter sets the certificate's validity period (default is 30 days if omitted).
{% endstep %}

{% step %}

### **Upload the certificate to the gateway**

Log in to the Efento Gateway via a web browser and navigate to:\
**Settings → CA certificates**

Select **rootCA.pem** and upload it. Confirm the change by clicking **Save**.

<figure><img src="/files/x145D0nvItyg6arY2xrv" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### **Generate the server certificate and key pair**

Generate the server’s key pair and certificate signing request:

```bash
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
```

**Important:** When prompted, make sure to enter the correct domain name or IP address of your server.

<figure><img src="/files/tRXmWX6LvnECpwJoglEw" alt=""><figcaption></figcaption></figure>

Next, sign the server certificate with the root certificate:

```bash
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 365
```

{% endstep %}

{% step %}

### **Update the server application to support HTTPS**

Your server application must support HTTPS communication. How you enable this depends on the programming language and framework you are using.

For example, Python’s Flask framework supports HTTPS natively. Copy **server.crt** and **server.key** into your project folder, then update your `app.run()` call:

```python
app.run(host='0.0.0.0', port=5000, ssl_context=('server.crt', 'server.key'))
```

This enables encrypted HTTPS communication.
{% endstep %}

{% step %}

### **Configure the Efento Gateway to use HTTPS**

#### Ethernet gateway

1. Log in to the gateway and go to: **Settings → Server**
2. Enter your server’s domain in **Server address**, specify the port number, enable **TLS**, and click **Save**.

<figure><img src="/files/95ZgzVOMtzbp93qdchOE" alt=""><figcaption></figcaption></figure>

#### LTE gateway

From this point on, the gateway will send all data using secure HTTPS communication.
{% endstep %}
{% endstepper %}
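
Before uploading **rootCA.pem** and enabling **TLS**, it is worth confirming that the files produced by the steps above actually fit together. The script below is an added example, not part of the Efento documentation; `check_gateway_tls` is a hypothetical helper name, and the 30-day expiry margin is an assumed default.

```bash
#!/bin/sh
# Added example: sanity-check the files created in the steps above.
# Usage: check_gateway_tls rootCA.pem server.crt server.key your.server.domain [min_days]
# Exit codes: 0 ok, 1 chain, 2 key mismatch, 3 hostname mismatch, 4 expiring.
check_gateway_tls() (
    ca=$1 cert=$2 key=$3 host=$4 days=${5:-30}   # 30 days is an assumed margin

    # 1. The server certificate must chain to the root the gateway will trust.
    #    This also fails if OpenSSL does not accept the root as a CA.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca" >&2
        exit 1
    fi

    # 2. The key the server loads must belong to that certificate: compare
    #    the public key in the cert with the one derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert" >&2
        exit 2
    fi

    # 3. The name entered in the CSR must match the gateway's "Server address".
    #    -checkhost only prints a verdict, so test the printed text.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
            grep -q 'does match certificate'; then
        echo "FAIL: $cert is not valid for host $host" >&2
        exit 3
    fi

    # 4. Warn early: -checkend fails if the cert expires within N seconds.
    for f in "$ca" "$cert"; do
        if ! openssl x509 -in "$f" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
            echo "FAIL: $f expires within $days days" >&2
            exit 4
        fi
    done

    echo "OK: $cert chains to $ca, matches $key, and is valid for $host"
)

# Run the check when the script is called with its arguments.
if [ "$#" -ge 4 ]; then
    check_gateway_tls "$@"
fi
```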


