Sign the CSR with OpenSSL
Before you begin
- Generate a certificate signing request
- In the openssl.cnf file, make sure the [ v3_ca ] section of the file includes this field and value:
basicConstraints = CA:TRUE
This value indicates that the certificate is a CA.
Complete this procedure to use OpenSSL to sign the CSR that you generated in ETP. Your CA must be configured with an OpenSSL configuration file and must have a generated public certificate and private key pair for CA operations.
- On the CA system that contains OpenSSL, open a command line interface and go to the location where CA certificates are located.
- To generate a private key, enter this command:
openssl genrsa -out <CA_private_key>.key 2048
where <CA_private_key> is the name of the private key.
- To generate a public certificate that is used to sign the CSR, enter this command:
openssl req -new -x509 -days 10000 -key <CA_private_key>.key -out <CA_public>.crt
where:
- <CA_private_key> is the name of your private key.
- <CA_public> is the name of the CA’s public certificate.
- Enter this command to sign the CSR and generate a signed certificate:
openssl x509 -req -in <ETP_CSR> -days 365 -CA <CA_public>.crt -CAkey <CA_private_key>.key -set_serial <#> -out <filename>.crt -extfile /<path>/<path>/openssl.cnf -extensions v3_ca
where:
- <ETP_CSR> is the certificate signing request you generated in ETP.
- <CA_public> is the CA’s public certificate.
- <CA_private_key> is the CA’s private key.
- <#> is the serial number that you set for the generated self-signed certificate. You can use a decimal number (1, 2, 3, and so on).
- <filename> is the file name that you want to assign to the certificate.
- <path> is the path to the openssl.cnf file.
The CA creates a certificate and signs it with the private key.
- Open the certificate and copy the contents of the certificate.
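The following script is an added example, not part of the original documentation: it runs the commands above non-interactively in a scratch directory, then checks that the signed certificate chains to the CA and carries CA:TRUE. It also signs the same CSR without -extfile and -extensions to show that the CA flag is then missing. File names, subject names, the -config and -subj options, and the stand-in CSR are assumptions made for the demonstration; a real CSR comes from ETP.

```shell
#!/bin/sh
# Added example. File names, subjects and the stand-in CSR are constructed.
# -config/-subj are added only so the commands run without prompts.

setup() {   # $1 = scratch dir: writes config, CA key + cert, stand-in CSR
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = CA:TRUE
EOF
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 10000 -key "$1/ca.key" -out "$1/ca.crt" \
        -config "$1/openssl.cnf" -extensions v3_ca -subj "/CN=Demo Signing CA" &&
    openssl genrsa -out "$1/etp.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/etp.key" -out "$1/etp.csr" \
        -config "$1/openssl.cnf" -subj "/CN=Demo ETP CSR"
}

sign() {    # $1 = dir, $2 = output name, remaining args = extra x509 options
    dir=$1; out=$2; shift 2
    openssl x509 -req -in "$dir/etp.csr" -days 365 -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -set_serial 1 -out "$dir/$out" "$@" 2>/dev/null
}

is_ca() {   # succeeds only if the certificate carries basicConstraints CA:TRUE
    openssl x509 -in "$1" -noout -text | grep -q "CA:TRUE"
}

chains() {  # $1 = dir, $2 = cert name: succeeds if it verifies against the CA
    openssl verify -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    setup "$d" || return 1
    sign "$d" with_ext.crt -extfile "$d/openssl.cnf" -extensions v3_ca || return 1
    sign "$d" no_ext.crt || return 1
    is_ca "$d/with_ext.crt" && echo "with -extensions v3_ca: CA:TRUE present"
    is_ca "$d/no_ext.crt"   || echo "without -extensions:    CA:TRUE missing"
    rm -rf "$d"
}
demo
```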
Upload and deploy signed certificate to ETP