Sign a Certificate

Once you generate a Certificate Signing Request (CSR), you can sign it with a private key.
To sign a CSR using a private key:
  1. In the Policy Manager, select Tasks > Certificates, Keys, and Secrets > Manage Private Keys from the Main Menu. The Manage Private Keys dialog appears.
  2. Select the private key to be used for the signing. Eligible keys are indicated by the CA-capable certificate icon. It is possible to use a key that is not flagged as eligible for signing, but be aware that certain software systems may reject certificates signed by that key.
  3. Click Sign Cert and then select the Certificate Signing Request to open. If you chose an ineligible key, you must acknowledge the consequences.
  4. Locate the .pem file that contains the CSR that you are accepting. This creates a new signing certificate using the private key that was selected in step 2.
  5. The properties for the newly created signing certificate are displayed. Modify any settings as necessary:

     Subject DN: The subject DN of the certificate signing request.

     Subject Alternative Names: The Subject Alternative Names of the CSR that is to be signed. This information was entered in Generate a Certificate Signing Request (CSR) and cannot be modified here. If any of the Subject Alternative Names are incorrect, you must generate a new CSR.

     Expiry Age: The number of days before the certificate expires. By default, this is 730 days. You can change the default using the pkix.csr.defaultExpiryAge cluster property.

     Hash Algorithm: Choose the hash algorithm to use: Automatic, SHA-1, SHA-256, SHA-384, SHA-512, SHA-256 (RSASSA-PSS), SHA-384 (RSASSA-PSS), or SHA-512 (RSASSA-PSS).
       • Ensure that you select a signature hash size that is at least as large as the private key size.
       • RSASSA-PSS algorithms apply to RSA key types only; selecting an RSASSA-PSS hash for an EC key type yields an error.
     The default <Automatic> setting selects the algorithm as follows:
       • If the system property com.l7tech.security.cert.alwaysSignWithSha1 is defined, or if the issuer public key is a short key, then SHA-1 is used.
       • Otherwise, SHA-384 is used.

     Public Key: Displays brief details about the public key. Click the details icon to view the full public key details.
  6. Click [OK] to close and save the certificate properties. You are prompted to save the resulting certificate chain. Note that the destination file also uses the .pem extension, since the file is PEM-encoded.
  7. Enter a name for the signed certificate chain and then click [Save].
A new certificate chain is created. You can see this chain in the Private Key Properties.

The new certificate chain belongs to the client and is not kept by the Layer7 API Gateway. You can make the Gateway trust the newly signed certificate by doing one of the following:
  • To trust the certificate as a client certificate, import it as an Internal or LDAP user's client certificate. For information on importing it for an internal user, see Creating an Internal User.
  • To trust the certificate for some other purpose, import it using the Manage Certificates task.
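The same signing flow as an added OpenSSL command-line example (not Layer7 code): the issuer key and the CSR are constructed locally, the SANs are carried over from the CSR rather than typed by the signer, the hash follows the Automatic rule with an assumed 1024-bit "short key" threshold, the default 730-day expiry is applied, and the leaf plus issuer is saved as a PEM chain. The subjects and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Layer7 code: the OpenSSL equivalent of the Policy
# Manager "Sign Cert" flow. File names and subjects are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Issuer: RSA-3072 key and self-signed CA cert, standing in for the
# Gateway private key chosen in step 2.
make_issuer() {
  openssl req -x509 -newkey rsa:3072 -nodes -sha384 -days 3650 \
    -subj "/CN=Example Issuing CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}
# Requester: key plus CSR carrying SANs (SANs only change by issuing a new CSR).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=client.example.test" \
    -addext "subjectAltName=DNS:client.example.test,DNS:alt.example.test" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
}
# SANs are read from the CSR, never typed in by the signer.
csr_san() {
  openssl req -in "$WORK/client.csr" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}
# Mirror of "Automatic": SHA-1 only for a short issuer key, else SHA-384.
# The 1024-bit threshold is an assumption; the page does not define "short".
auto_hash() {
  bits=$(openssl pkey -in "$WORK/ca.key" -noout -text | sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -n1)
  if [ "${bits:-0}" -lt 1024 ]; then echo sha1; else echo sha384; fi
}
# Steps 4-6: sign with the default 730-day expiry, then save leaf + issuer
# as a PEM-encoded chain.
sign_csr() {
  printf 'subjectAltName=%s\nextendedKeyUsage=clientAuth\n' "$(csr_san)" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 730 -"$(auto_hash)" -extfile "$WORK/ext.cnf" \
    -out "$WORK/client.crt" 2>/dev/null
  cat "$WORK/client.crt" "$WORK/ca.pem" > "$WORK/chain.pem"
}
# Signature algorithm actually used (expected: sha384WithRSAEncryption).
sig_alg() {
  openssl x509 -in "$WORK/client.crt" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n1
}
# Relying-party check: the leaf chains to the issuer and is valid for ~730 days.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/client.crt" >/dev/null 2>&1 \
    && openssl x509 -in "$WORK/client.crt" -noout -checkend $((729 * 86400)) >/dev/null
}
make_issuer && make_csr && sign_csr && verify_chain \
  && echo "signed with $(sig_alg); chain written to $WORK/chain.pem"
```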