Generate a Certificate Signing Request (CSR)
You can use a private key to generate a new PKCS#10 certificate signing request (CSR). This CSR is saved to the local hard disk of the machine running the Policy Manager, in either binary (.p10) or Base64 PEM (.pem) format. You then send this CSR to a Certificate Authority (CA) to apply for an actual certificate.
Many CAs allow you to apply for a certificate by uploading a CSR file to their web site.
To generate a certificate signing request:
- In the Policy Manager, select Tasks > Certificates, Keys, and Secrets > Manage Private Keys from the Main Menu. The Manage Private Keys dialog appears.
- Select the private key to be used to generate the CSR and then click Properties. The Private Keys Properties dialog appears.
- Click Generate CSR in the Other Actions section. Provide a subject DN for the CSR. The current subject DN is offered as a default.
- Enter the CSR Subject (DN). This is presented to the requestor and it specifies the owner of the initial self-signed certificate. It should be in the form of an X.509 subject. For example:
  CN=ssl.ca.com, O="CA Technologies, Inc", L=Vancouver, ST=British Columbia, C=CA
  Note that fields with commas must be enclosed in quotes.
  Some certificate authorities require specifically formatted subject DN attributes to be present in the CSR. This may include attributes such as “Country,” “State,” “Locality,” or “Organization.” Verify which subject DN attributes are necessary from the issuing organization.
- If you need to add a Subject Alternative Name to the CSR, click Add and complete the dialog box. The Subject Alternative Name can be one of the following types:
  - DNS Name
  - Directory Name
  - IP Address
- Choose the Signature hash to use from the drop-down list. The following options are available:
  - Auto (default)
  - SHA-256 (RSASSA-PSS)
  - SHA-384 (RSASSA-PSS)
  - SHA-512 (RSASSA-PSS)
  - Ensure that you select a signature hash size that is at least the same as the Private Key size.
  - RSASSA-PSS algorithms apply to RSA key types only. Selecting an RSASSA-PSS hash for an EC key type will yield an error.
- Click [OK].
- Navigate to the destination and then click [Save]. Note that by default, the file is saved as a Base64 PEM file. You can change this to PKCS #10 format if necessary.
- Deliver the CSR to the certificate authority.
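
The DN rules from the CSR Subject step (quoted commas, CA-required attributes) can be checked before the value is typed into the dialog. This Python check is an added example, not part of the Policy Manager or its documentation; the function names and the REQUIRED attribute set are assumptions to adapt to the issuing CA's rules, and multi-valued RDNs joined with "+" are not handled.

```python
# Added example: pre-flight check of a CSR subject DN string.
# REQUIRED is an assumed CA policy, not something the Policy Manager enforces.
REQUIRED = {"CN", "O", "L", "ST", "C"}


def split_dn(dn):
    """Split a DN on commas, honouring double quotes and backslash escapes."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if quoted or escaped:
        raise ValueError("unbalanced quote or trailing backslash in DN")
    parts.append("".join(buf).strip())
    return parts


def check_dn(dn, required=REQUIRED):
    """Return (attributes, problems) for a subject DN string."""
    attrs, problems = {}, []
    for part in split_dn(dn):
        key, sep, value = part.partition("=")
        key = key.strip().upper()
        if not sep or not key or not value.strip():
            problems.append(f"not an attribute=value pair: {part!r} (unquoted comma?)")
            continue
        attrs.setdefault(key, []).append(value.strip())
    for missing in sorted(set(required) - set(attrs)):
        problems.append(f"missing required attribute {missing}")
    country = attrs.get("C", [""])[0]
    if "C" in attrs and not (len(country) == 2 and country.isalpha()):
        problems.append(f"C should be a two-letter country code, got {country!r}")
    return attrs, problems


if __name__ == "__main__":
    # The example DN from the step above, with the quotes left off O.
    print(check_dn("CN=ssl.ca.com, O=CA Technologies, Inc, L=Vancouver, C=CA"))
```

An empty problem list means the string splits cleanly and carries every attribute in REQUIRED; it does not confirm that the CA will accept the values.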