Sign the CSR with OpenSSL

Before you begin

  • Generate a certificate signing request
  • In the openssl.cnf file, make sure the [ v3_ca ] section of the file includes this field and value:

    basicConstraints = CA:TRUE

    This value indicates that the certificate is a CA.

Complete this procedure to use OpenSSL to sign the CSR that you generated in ETP. Your CA must be configured with an OpenSSL configuration file and must include a generated public certificate and private key pair for CA operations.

How to

  1. On the CA system that contains OpenSSL, open a command line interface and go to the location where CA certificates are located.
  2. To generate a private key, enter this command:
    openssl genrsa -out <CA_private_key>.key 2048 

    where <CA_private_key> is the name of the private key.

  3. To generate a public certificate that is used to sign the CSR, enter this command:
    openssl req -new -x509 -days 10000 -key <CA_private_key>.key -out <CA_public>.crt 
    where:
    • <CA_private_key> is the name of your private key.
    • <CA_public> is the name of the CA’s public certificate.
  4. Enter this command to sign the CSR and generate a signed certificate:
    openssl x509 -req -in <ETP_CSR> -days 365 -CA <CA_public>.crt -CAkey <CA_private_key>.key -set_serial <#> -out <filename>.crt -extfile /<path>/<path>/openssl.cnf -extensions v3_ca
    where:
    • <ETP_CSR> is the certificate signing request you generated in ETP.
    • <CA_public> is the CA’s public certificate.
    • <CA_private_key> is the CA’s private key.
    • <#> is the serial number that you set for the signed certificate. You can use a decimal number (1, 2, 3, and so on).
    • <filename> is the file name that you want to assign to the certificate.
    • <path> is the path to the openssl.cnf file.

    The CA creates a certificate and signs it with the private key.

  5. Open the certificate and copy the contents of the certificate.
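
The procedure above run end to end against a throwaway CA, followed by checks on the result. This is an added example, not part of the original page. The file names (demo_ca, etp_demo, etp_signed), the subject names and the minimal openssl.cnf are constructed, and the CSR is generated locally to stand in for the one from ETP.

```shell
#!/bin/sh
# Added example. All file and subject names are constructed for the demo.
set -eu

# Build a throwaway CA and sign a stand-in CSR (steps 2-4), writing into $1.
sign_demo() (
    cd "$1"
    # Minimal config: [ v3_ca ] carries the field the page requires.
    cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = CA:TRUE
EOF
    openssl genrsa -out demo_ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 10000 -key demo_ca.key -out demo_ca.crt \
        -subj "/CN=Demo Signing CA" -config openssl.cnf
    # Stand-in for the CSR that ETP generates (constructed here).
    openssl req -new -newkey rsa:2048 -nodes -keyout etp_demo.key \
        -out etp_demo.csr -subj "/CN=etp-demo.example" \
        -config openssl.cnf 2>/dev/null
    openssl x509 -req -in etp_demo.csr -days 365 -CA demo_ca.crt \
        -CAkey demo_ca.key -set_serial 1 -out etp_signed.crt \
        -extfile openssl.cnf -extensions v3_ca
)

# Return 0 only if the signed certificate passes every check.
check_signed() (
    cd "$1" &&
    # 1. The certificate chains to the CA certificate.
    openssl verify -CAfile demo_ca.crt etp_signed.crt >/dev/null &&
    # 2. It carries basicConstraints CA:TRUE from [ v3_ca ].
    openssl x509 -in etp_signed.crt -noout -text | grep -q 'CA:TRUE' &&
    # 3. It contains the public key from the CSR, not some other key.
    [ "$(openssl req -in etp_demo.csr -noout -pubkey -config openssl.cnf)" = \
      "$(openssl x509 -in etp_signed.crt -noout -pubkey)" ]
)

dir=$(mktemp -d)
sign_demo "$dir"
check_signed "$dir" && echo "signed certificate OK"
rm -rf "$dir"
```

Running the same three checks against the real signed certificate before you copy its contents catches a wrong CA file, a missing -extensions argument, or a mismatched CSR.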

Next steps

Upload and deploy signed certificate to ETP