Creating a Certificate Signing Request
A certificate signing request (CSR) tells an external Certificate Authority (CA) that you want an SSL certificate generated and signed by that CA. The SSL certificate can then be uploaded to Cryptographic Security Platform Vault and used in place of the default self-signed certificate.
When you use Cryptographic Security Platform Vault to create the CSR, Cryptographic Security Platform Vault creates a key pair and uses that key pair in conjunction with the information you specify to create the CSR. Cryptographic Security Platform Vault then encrypts the key pair and stores it for later use.
You can use the resulting CSR to generate an SSL certificate from the external CA you want to use. After you receive the SSL certificate from that external CA, you can upload it to Cryptographic Security Platform Vault. Because the key pair already exists on the system, you do not need to upload anything else.
If you create the CSR to generate an SSL certificate that will be installed for the internal web server, you must include the IP address of the Cryptographic Security Platform Vault node in the Subject Alternative Names field.
If you create the CSR outside of Cryptographic Security Platform Vault, you need to upload both the SSL certificate and the matching private key file when you install the certificate on Cryptographic Security Platform Vault.
- Log in to the Cryptographic Security Platform Vault Management webGUI using an account with Domain Admin privileges.
- In the top right, click the Switch to Appliance Management link.
- In the top menu bar, click Cluster.
- Click the Servers tab and select a Cryptographic Security Platform Vault node.
- Select Actions > Create CSR.
- In the Generate Certificate Signing Request dialog box, specify the options you want to use.

  Options

  | Field | Description |
  | --- | --- |
  | Common Name | The name to associate with this request. By default, Cryptographic Security Platform Vault enters the selected server name in this field. You can edit the default name as needed. |
  | Locality | The locale to associate with this request. |
  | State | The state to associate with this request. |
  | Subject Alternative Names | The host names that will be protected by this certificate. If you want to use the same certificate on multiple Cryptographic Security Platform Vault nodes in the system for the external web server, add all of the Cryptographic Security Platform Vault URLs to this list. By default, Cryptographic Security Platform Vault adds the URL of the selected Cryptographic Security Platform Vault node. You can change or delete the default URL as long as you end up specifying at least one Cryptographic Security Platform Vault node in this field. |
  | Key Size | Select the key size that you want to use. The default is 4096 bytes. |
  | Country | The ISO 3166-1 alpha-2 code of the country to associate with this request. The default is US. |
  | Organization | The organization to associate with this request. |
  | Organization Unit | The organizational unit to associate with this request. |

- Click Generate.
- When you receive the message that Cryptographic Security Platform Vault has created the CSR, click Download to save a copy of the CSR to your browser's default download directory or click Preview to view the CSR in a pop-up window. You can copy the CSR from the Preview window to the clipboard if desired.
- Use the CSR to request an SSL certificate from the external Certificate Authority you want to use. How you do this depends on the CA you are using.
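
Before you send the CSR to the CA, you can confirm locally that it carries the Subject Alternative Names you intended, including the node IP address required for the internal web server. The script below is an added example, not part of the product documentation; it assumes the openssl command-line tool (1.1.1 or later), and the file names, host name and 192.0.2.10 address are constructed placeholders.

```shell
#!/bin/sh
# Added example: checks on a CSR before it goes to the CA.
# All names and the 192.0.2.10 address are constructed placeholders.

# Print the CSR's Subject Alternative Name entries, one per line.
csr_san_list() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//'
}

# Succeed only if the exact entry (e.g. "IP Address:192.0.2.10") is present.
csr_has_san() {
    csr_san_list "$1" | grep -Fxq -- "$2"
}

# Print the public key size in bits as reported by openssl.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeed only if the CSR's self-signature verifies (request not corrupted).
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Constructed stand-in for the CSR downloaded from the vault.
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/sample.key" -out "$1/sample.csr" \
        -subj "/C=US/O=Example Org/CN=vault1.example.com" \
        -addext "subjectAltName=DNS:vault1.example.com,IP:192.0.2.10" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_csr "$tmp"
csr_san_list "$tmp/sample.csr"
csr_signature_ok "$tmp/sample.csr" && echo "self-signature: OK"
csr_has_san "$tmp/sample.csr" "IP Address:192.0.2.10" && echo "node IP present in SAN"
csr_has_san "$tmp/sample.csr" "IP Address:192.0.2.99" || echo "192.0.2.99 missing from SAN"
echo "key size: $(csr_key_bits "$tmp/sample.csr") bits"
rm -rf "$tmp"
```

To check a real request, call the same functions on the CSR file you downloaded instead of the constructed sample.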
What to Do Next
After you receive the SSL certificate from the external CA, install it on Cryptographic Security Platform Vault as described in Installing External Certificates for Internal and External Webservers.
