IBM Endpoint Manager, Version 9.0

Generating a new private key and CSR for a certificate signed by a CA

The server ships with a private key and a certificate authority (CA) signed certificate. If you want to replace them, you can generate a new private key and a certificate signing request (CSR), and have the CSR signed by a CA.

About this task

The CSR can either be sent to an external CA for signing, or you can create a private CA and use it to sign the CSR. A private CA can be created on any computer that has OpenSSL installed.

The advantage of using an external CA is that the root certificates of well-known public CAs are already trusted by modern web browsers. The advantage of using a private CA is that there is no dependency on an external entity for certificates, and no cost; the trade-off is that the root certificate of the private CA must be imported into every browser or client that connects to the server, otherwise those clients show certificate warnings.

Procedure

  1. Generate a new private key and a certificate signing request (CSR), by opening a command line console and entering the following commands:
    openssl genrsa -out key_name.key key_strength
    Note: Add the -des3 option to have a password-protected key, for example: openssl genrsa -des3 -out key_name.key key_strength
    openssl req -new -key key_name.key -out csr_name.csr -sha256
    Note: Key generation does not involve a hash algorithm, so -sha256 is not a genrsa option (recent OpenSSL versions reject it). The hash algorithm is chosen when the CSR and, later, the certificate are signed.
    Where:
    csr_name
    Is the name of the CSR file you want to create.
    key_name
    Is the name of the new key.
    key_strength
    Is the strength of the key, measured in bits. Use at least 2048.
    sha256
    Is the signature hash algorithm used to sign the CSR. Specify it again when the certificate itself is signed; older OpenSSL versions otherwise default to SHA-1, which is no longer considered secure.

    For example:

    openssl genrsa -out privateKey.key 2048
    openssl req -new -key privateKey.key -out csr.csr -sha256
    The certificate request is created. The CSR functions as a temporary placeholder for the signed certificate until you import the signed certificate into the keystore in the Server Settings panel. The CSR must now be signed by a CA to complete the process of generating a signed certificate for the server: either send it to an external CA, or create a private CA as described in the next step. Keep the private key file safe; it is imported together with the signed certificate, and anyone who obtains it can impersonate the server.
  2. Optional: Create a private CA and sign the CSR. Use this procedure if you intend to create and use a private CA, and not an external CA.
    1. Create a private CA, by running the following commands:
      openssl req -new -newkey rsa:key_strength -nodes -out path_to_csr.csr -keyout path_to_keyfile.key -sha256
      Note: The -nodes option writes the CA private key unencrypted. Anyone who can read this file can issue certificates that your clients trust, so restrict its file permissions and keep it off the server if possible.
      Where:
      key_strength
      Is the strength of the key that is measured in the number of bits.
      path_to_csr
      Is the path to the CSR.
      path_to_keyfile
      Is the path to the CA key file.

      For example:

      mkdir ca
      
      openssl req -new -newkey rsa:2048 -nodes -out ca/ca.csr -keyout ca/ca.key -sha256
    2. Create a certificate for your new private CA:
      openssl x509 -signkey path_to_keyfile.key -days number_of_days -req -in path_to_csr.csr -out path_to_ca_cert.arm -sha256
      Note: Without an -extfile option, openssl x509 writes a certificate with no extensions, so this root carries no basicConstraints CA:TRUE marker. Some validators require that marker on CA certificates; to produce a standard CA certificate, supply an extensions file with -extfile.
      Where:
      path_to_keyfile
      Is the path to the CA key file.
      number_of_days
      Is the number of days the certificate is to be valid.
      path_to_csr
      Is the path to the CSR.
      path_to_ca_cert
      Is the path to CA certificate file.

      For example:

      openssl x509 -signkey ca/ca.key -days 7300 -req -in ca/ca.csr -out ca/ca.arm -sha256
    3. Sign the CSR:
      openssl x509 -req -days number_of_days -in path_to_csr.csr -CA path_to_ca_cert.arm -CAkey path_to_keyfile.key -out cert.arm -set_serial serial_number -sha256
      Note: The serial number must be different for every certificate that the CA signs. Browsers such as Firefox reject a certificate whose issuer and serial number match a certificate they have already seen, so either increment serial_number for each signed CSR or replace -set_serial with -CAcreateserial, which keeps a serial file next to the CA certificate. Like the CA certificate, a certificate produced this way has no extensions; current browsers require the server host name in a subjectAltName extension and ignore the Common Name, so add one with -extfile if browsers connect to this certificate directly.
      Where:
      path_to_csr
      Is the path to the CSR file that you created in step 1.
      path_to_ca_cert
      Is the path to the CA certificate (ca.arm in the example) that you must use to sign the CSR.
      path_to_keyfile
      Is the path to the CA key file that you created.
      number_of_days
      Is the number of days the server certificate is to be valid.
      serial_number
      Is the serial number of the certificate (01 in the example).
      cert.arm
      Is the produced server certificate.

      For example:

      openssl x509 -req -days 7300 -in csr.csr -CA ca/ca.arm -CAkey ca/ca.key -out cert.arm -set_serial 01 -sha256
      The file ca.arm created in step 2 contains the root certificate of your private CA; import it into the browsers and clients that connect to the server. The certificate cert.arm and the private key privateKey.key can now be imported in the Server Settings panel.
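The whole procedure as one script, followed by the checks a practitioner would run before importing the files in the Server Settings panel. This is an added example, not IBM's own tooling or text from this page. The host name bes.example.com, the directory layout, the CA name, the lifetimes and the two extension files are assumptions, and the script goes beyond the page in two places: it adds basicConstraints, keyUsage and subjectAltName extensions with -extfile, and it uses -CAcreateserial instead of the fixed -set_serial 01.

```sh
#!/bin/sh
# Added example (not from the IBM page): server key + CSR, private CA, signed
# server certificate, then verification. Paths, names and lifetimes are assumed.

# Usage: make_server_cert <work_dir> <server_fqdn>
make_server_cert() {
    work="$1"; fqdn="$2"
    mkdir -p "$work/ca" || return 1

    # Step 1: server private key and CSR. Key generation involves no hash;
    # the digest (-sha256) belongs to the CSR and certificate signatures.
    openssl genrsa -out "$work/privateKey.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$work/privateKey.key" -out "$work/csr.csr" \
        -subj "/CN=$fqdn" -sha256 -batch 2>/dev/null || return 1

    # Step 2a/2b: CA key, CA CSR and self-signed root. The extension file marks
    # the root as a CA (the page's commands produce a v1 certificate without it).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$work/ca/ca_ext.cnf"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$work/ca/ca.key" \
        -out "$work/ca/ca.csr" -subj "/CN=Example Private CA" -sha256 -batch 2>/dev/null || return 1
    openssl x509 -signkey "$work/ca/ca.key" -days 3650 -req -in "$work/ca/ca.csr" \
        -out "$work/ca/ca.arm" -sha256 -extfile "$work/ca/ca_ext.cnf" 2>/dev/null || return 1

    # Step 2c: sign the server CSR. subjectAltName carries the host name that
    # browsers check (CN alone is ignored); -CAcreateserial gives every issued
    # certificate a unique serial instead of the page's fixed -set_serial 01.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$fqdn" \
        > "$work/server_ext.cnf"
    openssl x509 -req -days 825 -in "$work/csr.csr" -CA "$work/ca/ca.arm" \
        -CAkey "$work/ca/ca.key" -CAcreateserial -out "$work/cert.arm" -sha256 \
        -extfile "$work/server_ext.cnf" 2>/dev/null || return 1

    check_server_cert "$work" "$fqdn"
}

# Checks to run before importing cert.arm and privateKey.key: returns 0 only
# if the chain validates, the key matches the certificate, and the SAN is right.
check_server_cert() {
    work="$1"; fqdn="$2"
    # The server certificate chains to the private root.
    openssl verify -CAfile "$work/ca/ca.arm" "$work/cert.arm" >/dev/null 2>&1 || return 1
    # The certificate's public key belongs to the private key imported with it.
    cert_mod=$(openssl x509 -noout -modulus -in "$work/cert.arm" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$work/privateKey.key" 2>/dev/null) || return 1
    [ "$cert_mod" = "$key_mod" ] || return 1
    # The subjectAltName names the host clients will connect to.
    openssl x509 -noout -text -in "$work/cert.arm" 2>/dev/null | grep -q "DNS:$fqdn" || return 1
}

# Stand-alone usage: sh make_cert.sh /path/to/workdir bes.example.com
if [ "$#" -ge 2 ]; then
    make_server_cert "$1" "$2" && echo "cert.arm, privateKey.key and ca/ca.arm are ready in $1"
fi
```

After a successful run, cert.arm and privateKey.key go into the Server Settings panel and ca/ca.arm is distributed to the browsers and clients that connect to the server; ca/ca.key and ca/ca.srl stay with whoever operates the private CA.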

