After you create a certificate signing request (CSR), it must be signed by a certificate
authority (CA) to be transformed into a certificate that can be uploaded to License Metric Tool. You can use the OpenSSL
cryptographic library to create a private CA and sign your request.
Before you begin
Using a private CA to sign your request is not the only way. You can also send the request
to internationally trusted CAs, such as Entrust or VeriSign, or use the CA of your organization. The
certificates of these CAs are often trusted by default and do not display any warnings in the
browser. Warnings might be displayed if you use a private CA. This procedure describes an example
way to create a signed certificate. It illustrates the steps that are needed to sign a certificate
by using the OpenSSL cryptographic library. Adjust the procedure according to the specifics of your
organization.
Procedure
- Create a private certificate authority (CA) and a certificate for it.
- Create a private CA. This step creates a private key (.key) and a
request (.csr) similar to those that you created in Creating private keys and
certificates.
openssl req -new -newkey rsa:key_strength -nodes -out CA_csr_name.csr -keyout CA_key_name.key -sha256
For example:
openssl req -new -newkey rsa:2048 -nodes -out CA_CSR.csr -keyout CA_private_key.key -sha256
Important: The certificate that is generated from the certificate signing request (CSR)
produced by this command might not contain the SubjectAltName field. Some browsers can still
treat a connection that is secured by such a certificate as untrusted. For more information,
see the OpenSSL documentation.
Where:
- key_strength
- Key strength, measured in bits. The maximum value that you can use for License Metric Tool is:
- For application update 9.2.10 and higher: 16384 bits
- For application update 9.2.9 and lower: 2048 bits.
- CA_csr_name
- File name for the certificate signing request (CSR). The certificate authority (CA) requires a
separate request.
- CA_key_name
- File name for the private key. The certificate authority (CA) requires a separate private
key.
- Create a certificate for your private CA. This step creates a certificate
(.arm) that you can use to sign your
CSR.
openssl x509 -signkey path_to_CA_key.key -days number_of_days -req -in path_to_CA_csr.csr -out CA_certificate_name.arm -sha256
For example:
openssl x509 -signkey CA_private_key.key -days 90 -req -in CA_CSR.csr -out CA_certificate.arm -sha256
Where:
- key_strength
- Key strength, measured in bits. The maximum value that you can use for License Metric Tool is:
- For application update 9.2.10 and higher: 16384 bits
- For application update 9.2.9 and lower: 2048 bits.
- path_to_CA_csr
- File name for the certificate signing request (CSR) that you created for the certificate
authority (CA).
- path_to_CA_key
- File name for the private key that you created for the certificate authority (CA).
- number_of_days
- Number of days for the new certificate to be valid.
- CA_certificate_name
- File name for the certificate of your CA. This certificate is used to sign your CSR.
- Use the CA certificate to sign the certificate signing request that you created in Creating private keys and
certificates.
openssl x509 -req -days number_of_days -in path_to_csr.csr -CA path_to_CA_certificate.arm -CAkey path_to_CA_key.key -out new_certificate.arm -set_serial 01 -sha256
For example:
openssl x509 -req -days 90 -in CSR.csr -CA CA_certificate.arm -CAkey CA_private_key.key -out certificate.arm -set_serial 01 -sha256
Where:
- number_of_days
- Number of days for the new certificate to be valid.
- path_to_csr
- Path to the certificate signing request (CSR) that you want to sign.
- path_to_CA_certificate
- Path to the certificate that you created for the certificate authority (CA).
- path_to_CA_key
- Path to the private key that you created for the certificate authority (CA).
- new_certificate
- File name for the new certificate that is created from your certificate signing request (CSR).
You upload this certificate together with your private key to License Metric Tool.
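The following script is an added example, not part of the original procedure or the product's own code. It runs the steps above end to end and then checks the result before upload: the chain verifies against the private CA, the SubjectAltName mentioned in the Important note is present, and the certificate matches the private key. The host name lmt.example.com, the subject names, and the files server.key, ca.ext and san.ext are assumptions, as is the use of -extfile to add basicConstraints to the CA certificate and subjectAltName to the signed certificate.

```shell
#!/bin/sh
# Added example, not IBM's code. Assumed names: lmt.example.com, server.key,
# ca.ext, san.ext, "Example Private CA". All files are constructed in a temp dir.

# Steps 1a/1b: CA key + CSR, then the self-signed CA certificate. Assumption:
# basicConstraints/keyUsage are added so that verifiers accept it as a CA.
make_ca() {  # $1 = working directory
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Private CA" \
        -out "$1/CA_CSR.csr" -keyout "$1/CA_private_key.key" -sha256 2>/dev/null &&
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$1/ca.ext" &&
    openssl x509 -signkey "$1/CA_private_key.key" -days 90 -req -in "$1/CA_CSR.csr" \
        -out "$1/CA_certificate.arm" -extfile "$1/ca.ext" -sha256 2>/dev/null
}

# Constructed stand-in for the server CSR and private key that you already created.
make_csr() {  # $1 = working directory, $2 = server host name
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -out "$1/CSR.csr" -keyout "$1/server.key" -sha256 2>/dev/null
}

# Step 2: sign CSR.csr with the CA; the SAN is supplied at signing time.
sign_csr() {  # $1 = working directory, $2 = server host name
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.ext" &&
    openssl x509 -req -days 90 -in "$1/CSR.csr" -CA "$1/CA_certificate.arm" \
        -CAkey "$1/CA_private_key.key" -out "$1/certificate.arm" -set_serial 01 \
        -extfile "$1/san.ext" -sha256 2>/dev/null
}

# Pre-upload checks: prints "ok" or the first failed check and returns non-zero.
check_cert() {  # $1 = working directory, $2 = server host name
    openssl verify -CAfile "$1/CA_certificate.arm" "$1/certificate.arm" \
        >/dev/null 2>&1 || { echo "chain does not verify"; return 1; }
    openssl x509 -in "$1/certificate.arm" -noout -text | grep -qF "DNS:$2" ||
        { echo "missing SAN"; return 1; }
    cert_pub=$(openssl x509 -in "$1/certificate.arm" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$1/server.key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "key mismatch"; return 1; }
    echo "ok"
}

run_demo() {  # $1 = server host name
    dir=$(mktemp -d) && make_ca "$dir" && make_csr "$dir" "$1" &&
        sign_csr "$dir" "$1" && check_cert "$dir" "$1"
    status=$?; rm -rf "$dir"; return $status
}

run_demo lmt.example.com
```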
Results
You signed your certificate signing request and obtained a new certificate.
What to do next
Enable encrypted communication in License Metric Tool and upload your private key and the
certificate. These files replace the self-signed certificate that is already available in
License Metric Tool, and thus ensure secure
communication.