To get a certificate from a CA, you need to generate a certificate request first.
Note
A key generated from a third-party must be in base-64 format.
Procedure
-
To associate keys to the KeySecure user, perform the following settings in the CryptoGraphic Key Server Properties of the KMIP protocol:
-
Select Used for SSL session and username for the parameter Client Certificate Authentication.
-
Select UID for the parameter User name filed in Client Certificate.
For more information, refer to KeySecure documentation.
-
-
To create a certificate request, execute the following command on any computer that has OpenSSL:
openssl req -out clientreq -newkey rsa:2048 -keyout clientkeyNote: The certificate request and private key both are created in the working directory by default. You can generate them in another directory by including the location and key name in the request. For example, to create the request and key in the C:\certs folder, use the following command:
openssl req -out C:\certs\clientreq -newkey rsa:2048 –keyout C:\certs\clientkey -
The key generation process will then request the following data:
-
A PEM passphrase to encode the private key. The passphrase that encodes the private key is the first passphrase you provide after issuing the command above.
-
The distinguished name. The distinguished name is a series of fields whose values are incorporated into the certificate request. These fields include country name, state or province name, locality name, organization name, organizational unit name, common name, email address, surname, userID, and IP address.
Note: The userId field must be the username of a valid SafeNet KeySecure user account with appropriate permissions.
-
An optional challenge password.
-
An optional company name.
The files clientkey and clientrequest are generated. The clientkey contains the key and the clientrequest contains the certificate.
-
-
Copy the clientkey file to CommServe machine.