Step 2: Signing certificates

After you create a certificate signing request (CSR), it must be signed by a certificate authority (CA) to be transformed into a certificate that can be uploaded to License Metric Tool. You can use the OpenSSL cryptographic library to create a private CA and sign your request.

Before you begin

Using a private CA to sign your request is not the only option. You can also send the request to an internationally trusted CA, such as Entrust or VeriSign, or use the CA of your organization. The certificates of these CAs are often trusted by default and do not display any warnings in the browser. Warnings might be displayed if you use a private CA. This procedure describes an example way to create a signed certificate. It illustrates the steps that are needed to sign a certificate by using the OpenSSL cryptographic library. Adjust the procedure according to the specifics of your organization.

Procedure

  1. Create a private certificate authority (CA) and a certificate for it.
    1. Create a private CA. This step creates a private key (.key) and a request (.csr) similar to those that you created in Creating private keys and certificates.
      openssl req -new -newkey rsa:key_strength -nodes -out CA_csr_name.csr -keyout CA_key_name.key -sha256
      For example:
      openssl req -new -newkey rsa:2048 -nodes -out CA_CSR.csr -keyout CA_private_key.key -sha256
      Important: The certificate that is generated from the certificate signing request (CSR) produced by this command might not contain the SubjectAltName field. Some browsers can still treat a connection that is secured by such a certificate as untrusted. For more information, see the OpenSSL documentation.
      Where:
      key_strength
      Key strength, measured in bits. The maximum value that you can use for License Metric Tool is:
      • For application update 9.2.10 and higher: 16384 bits
      • For application update 9.2.9 and lower: 2048 bits.
      CA_csr_name
      File name for the certificate signing request (CSR). The certificate authority (CA) requires a separate request.
      CA_key_name
      File name for the private key. The certificate authority (CA) requires a separate private key.
    2. Create a certificate for your private CA. This step creates a certificate (.arm) that you can use to sign your CSR.
      openssl x509 -signkey path_to_CA_key.key -days number_of_days -req -in path_to_CA_csr.csr -out CA_certificate_name.arm -sha256
      For example:
      openssl x509 -signkey CA_private_key.key -days 90 -req -in CA_CSR.csr -out CA_certificate.arm -sha256
      Where:
      path_to_CA_csr
      File name for the certificate signing request (CSR) that you created for the certificate authority (CA).
      path_to_CA_key
      File name for the private key that you created for the certificate authority (CA).
      number_of_days
      Number of days for the new certificate to be valid.
      CA_certificate_name
      File name for the certificate of your CA. This certificate is used to sign your CSR.
  2. Use the CA certificate to sign the certificate signing request that you created in Creating private keys and certificates.
    openssl x509 -req -days number_of_days -in path_to_csr.csr -CA path_to_CA_certificate.arm -CAkey path_to_CA_key.key -out new_certificate.arm -set_serial 01 -sha256
    For example:
    openssl x509 -req -days 90 -in CSR.csr -CA CA_certificate.arm -CAkey CA_private_key.key -out certificate.arm -set_serial 01 -sha256
    Where:
    number_of_days
    Number of days for the new certificate to be valid.
    path_to_csr
    Path to the certificate signing request (CSR) that you want to sign.
    path_to_CA_certificate
    Path to the certificate that you created for the certificate authority (CA).
    path_to_CA_key
    Path to the private key that you created for the certificate authority (CA).
    new_certificate
    File name for the new certificate that is created from your certificate signing request (CSR). You upload this certificate together with your private key to License Metric Tool.
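
The whole procedure as one script, as an added example that is not part of the original documentation or IBM's code. It goes beyond the steps above in one respect: an extension file passed with -extfile and -extensions marks the CA certificate as a CA and puts a SubjectAltName into the signed certificate, which addresses the Important note in step 1. The host name, the subject fields, ext.cnf and private_key.key are constructed sample values.

```shell
#!/bin/sh
# Added example, not IBM's code. Host name, subject fields and the
# extension file are constructed sample values.

# issue_cert <workdir> <hostname>: steps 1.1, 1.2 and 2 of the procedure.
issue_cert() (
    umask 077                      # private keys readable by the owner only
    cd "$1" || exit 1
    # Extension sections applied at signing time (assumption: not in the page).
    cat > ext.cnf <<EOF
[ca_ext]
basicConstraints = critical, CA:TRUE
[server_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:$2
EOF
    # Step 1.1: key and CSR for the private CA (-subj avoids the prompts).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Private CA" \
        -out CA_CSR.csr -keyout CA_private_key.key -sha256 || exit 1
    # Step 1.2: self-signed CA certificate, explicitly marked as a CA.
    openssl x509 -signkey CA_private_key.key -days 90 -req -in CA_CSR.csr \
        -out CA_certificate.arm -sha256 \
        -extfile ext.cnf -extensions ca_ext || exit 1
    # Stand-in for the key and CSR from "Creating private keys and certificates".
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -out CSR.csr -keyout private_key.key -sha256 || exit 1
    # Step 2: sign the CSR; the SAN is taken from ext.cnf, not from the CSR.
    openssl x509 -req -days 90 -in CSR.csr -CA CA_certificate.arm \
        -CAkey CA_private_key.key -out certificate.arm -set_serial 01 \
        -sha256 -extfile ext.cnf -extensions server_ext
)

# check_cert <workdir> <hostname>: chain verifies and the SAN names the host.
check_cert() {
    openssl verify -CAfile "$1/CA_certificate.arm" "$1/certificate.arm" \
        >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/certificate.arm" -noout -text |
        grep -qF "DNS:$2"
}

# Usage: sh script.sh <existing empty directory> <hostname>
if [ "$#" -eq 2 ]; then
    issue_cert "$1" "$2" && check_cert "$1" "$2" && echo "certificate OK"
fi
```

The fixed -set_serial 01 is kept from the procedure; if you sign more than one certificate with the same CA, give each one a different serial number.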

Results

You signed your certificate signing request and obtained a new certificate.

What to do next

Enable encrypted communication in License Metric Tool and upload your private key and the certificate. These files replace the self-signed certificate that is already available in License Metric Tool, and thus ensure secure communication.