Generate a Certificate Signing Request (CSR)

You can use a private key to generate a new PKCS#10 certificate signing request (CSR). This CSR is saved to the local hard disk of the machine running the Policy Manager, in either binary (.p10) or Base64 PEM (.pem) format. You then send this CSR to a Certificate Authority (CA) to apply for an actual certificate.
Many CAs allow you to apply for a certificate by uploading a CSR file to their web site.
To generate a certificate signing request:
  1. In the Policy Manager, select Tasks > Certificates, Keys, and Secrets > Manage Private Keys from the Main Menu. The Manage Private Keys dialog appears.
  2. Select the private key to be used to generate the CSR and then click Properties. The Private Keys Properties dialog appears.
  3. Click Generate CSR in the Other Actions section. Provide a subject DN for the CSR. The current subject DN is offered as a default.
  4. Enter the CSR Subject (DN). This is presented to the requestor and it specifies the owner of the initial self-signed certificate. It should be in the form of an X.509 subject. For example:
    CN=ssl.ca.com, O="CA Technologies, Inc", L=Vancouver, ST=British Columbia, C=CA
    Note that fields with commas must be enclosed in quotes.
    Some certificate authorities require specifically formatted subject DN attributes to be present in the CSR. This may include attributes such as “Country,” “State,” “Locality,” or “Organization.” Verify with the issuing organization which subject DN attributes are necessary.
  5. If you need to add a Subject Alternative Name to the CSR, click Add and complete the dialog box. The Subject Alternative Name can be one of the following types:
    • Email
    • DNS Name
    • Directory Name
    • URI
    • IP Address
  6. Choose the Signature hash to use from the drop-down list. The following options are available:
    • Auto (default)
    • SHA-1
    • SHA-256
    • SHA-384
    • SHA-512
    • SHA-256 (RSASSA-PSS)
    • SHA-384 (RSASSA-PSS)
    • SHA-512 (RSASSA-PSS)
    Ensure that you select a signature hash size that is at least the same as the Private Key size.
    RSASSA-PSS algorithms apply to RSA key types only; selecting an RSASSA-PSS hash for an EC key type will yield an error.
  7. Click [OK].
  8. Navigate to the destination and then click [Save]. Note that by default, the file is saved as a Base64 PEM file. You can change this to PKCS #10 format if necessary.
  9. Deliver the CSR to the certificate authority.
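
The quoting rule and the CA-required attributes from step 4 can be checked before the subject DN is entered in the dialog. The following is an added example, not part of Policy Manager or the original page; the function names and the REQUIRED_ATTRS list are assumptions to be replaced with the issuing CA's actual requirements.

```python
# Added example, not Policy Manager code: check a subject DN string before
# entering it in the Generate CSR dialog.

# Assumption: the attributes the issuing CA requires; replace with its list.
REQUIRED_ATTRS = ("CN", "O", "L", "ST", "C")

PAGE_DN = 'CN=ssl.ca.com, O="CA Technologies, Inc", L=Vancouver, ST=British Columbia, C=CA'
UNQUOTED_DN = PAGE_DN.replace('"', "")  # constructed: same DN, quotes left off


def split_dn(dn):
    """Split a DN on the commas that sit outside double quotes."""
    parts, buf, quoted = [], [], False
    for ch in dn:
        if ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
            continue
        if ch == '"':
            quoted = not quoted
        buf.append(ch)
    if quoted:
        raise ValueError("unbalanced double quote in DN")
    parts.append("".join(buf).strip())
    return parts


def check_dn(dn, required=REQUIRED_ATTRS):
    """Return (attrs, problems) for a subject DN string."""
    attrs, problems = {}, []
    try:
        parts = split_dn(dn)
    except ValueError as exc:
        return attrs, [str(exc)]
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep or not name.strip():
            # Usual symptom of an unquoted comma inside a value.
            problems.append(f"{part!r} is not attr=value; quote values containing commas")
            continue
        attrs[name.strip().upper()] = value.strip().strip('"')
    problems += [f"missing required attribute {n}" for n in required if not attrs.get(n)]
    country = attrs.get("C", "")
    if country and not (len(country) == 2 and country.isalpha()):
        problems.append("C must be a two-letter country code")
    return attrs, problems


if __name__ == "__main__":
    for dn in (PAGE_DN, UNQUOTED_DN):
        print(check_dn(dn)[1] or "OK")
```

With the quotes left off, the organization value is cut at the comma and the stray fragment is reported, which is the mistake the quoting note in step 4 guards against.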