Creating a Certificate Signing Request

A certificate signing request (CSR) tells an external Certificate Authority (CA) that you want an SSL certificate generated and signed by that CA. The SSL certificate can then be uploaded to KeyControl Vault and used in place of the default self-signed certificate.

When you use KeyControl Vault to create the CSR, KeyControl Vault creates a key pair and uses that key pair in conjunction with the information you specify to create the CSR. KeyControl Vault then encrypts the key pair and stores it for later use.

You can use the resulting CSR to generate an SSL certificate from the external CA you want to use. After you receive the SSL certificate from that external CA, you can upload it to KeyControl Vault. Because the key pair already exists on the system, you do not need to upload anything else.

If you create the CSR to generate an SSL certificate to be installed for internal web server, you must include the IP address of the KeyControl Vault node in Subject Alternative Name.

If you create the CSR outside of KeyControl Vault, you need to upload both the SSL certificate and the matching private key file when you install the certificate on KeyControl Vault.

  1. Log into the KeyControl webGUI using an account with Domain Admin privileges.
  2. In the top menu bar, click Cluster.
  3. Click the Servers tab and select a KeyControl Vault node.
  4. Select Actions > Create CSR.

  5. In the Generate Certificate Signing Request dialog box, specify the options you want to use.

    Field

    Description
    Common Name The name to associate with this request. By default, KeyControl Vault enters the selected server name in this field. You can edit the default name as needed.

    Locality

    The locale to associate with this request.
    State The state to associate with this request.

    Subject Alternative Names

    The host names that will be protected by this certificate. If you want to use the same certificate on multiple KeyControl Vault nodes in the system for the external web server, add all of the KeyControl Vault URLs to this list.

    By default, KeyControl Vault adds the URL of the selected KeyControl Vault node. You can change or delete the default URL as long as you end up specifying at least one KeyControl Vault node in this field.

    Key Size

    Select the key size that you want to use. The default is 4096 bytes.

    Country

    The ISO 3166-1 alpha-2 code of country to associate with this request. The default is US.
    Organization

    The organization to associate with this request.

    Organization Unit

    		 The organizational unit associate with this request.
  6. Click Generate.
  7. When you receive the message that KeyControl Vault has created the CSR, click Download to save a copy of the CSR to your browser's default download directory or click Preview to view the CSR in a pop-up window. You can copy the CSR from the Preview window to the clipboard if desired.
  8. Use the CSR to request an SSL certificate from the external Certificate Authority you want to use. How you do this depends on the CA you are using.

What to Do Next 

After you receive the SSL certificate from the external CA, install it on KeyControl Vault as described in Installing External Certificates for Internal and External Webservers.