Sign a Certificate

Once you generate a Certificate Signing Request (CSR), you can sign it with a private key.
To sign a CSR using a private key:
  1. In the Policy Manager, select [Tasks] > Manage Private Keys from the Main Menu. The Manage Private Keys dialog appears.
  2. Select the private key to be used for the signing. Eligible keys are indicated by the CA-capable icon.
    It is possible to use a key that is not flagged as being eligible for signing, but be aware that certain software systems may reject certificates signed by that key.
  3. Click [Sign Cert]. You are prompted to select the Certificate Signing Request to open. If you chose an ineligible key, you must acknowledge the consequences.
  4. Locate the .pem file that contains the CSR that you are accepting. This creates a new signing certificate using the private key that was selected in step 2.
  5. The properties for the newly created signing certificate are displayed. Modify any settings as necessary.
     Setting: Description
     Subject DN: The subject DN of the certificate signing request.
     Expiry Age: The number of days before the certificate expires. By default, this is 730 days. You can change the default using the pkix.csr.defaultExpiryAge cluster property.
     Hash Algorithm: Choose the hash algorithm to use: Automatic, SHA-1, SHA-256, SHA-384, or SHA-512. The default "<Automatic>" setting selects the algorithm as follows:
       • If the system property com.l7tech.security.cert.alwaysSignWithSha1 is defined, or if the issuer public key is a short key, then SHA-1 is used.
       • Otherwise, SHA-384 is used.
     Public Key: Displays details about the public key in brief. Click the icon next to it to view the full public key details.
  6. Click [OK] to close and save the certificate properties. You are prompted to save the resulting certificate chain. Note that the destination file also uses the .pem extension, since the file is PEM-encoded.
  7. Enter a name for the signed certificate chain and then click [Save].
A new certificate chain is created. You can see this chain in the Private Key Properties
The new certificate chain belongs to the client and is not kept by the CA API Gateway. You can make the Gateway trust the newly signed certificate by doing one of the following:
  • To trust the certificate as a client certificate, import it as an Internal or LDAP user's client certificate. For information on importing it for an internal user, see Creating an Internal User.
  • To trust the certificate for some other purpose, import it using the Manage Certificates task.
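The same signing step reproduced from the command line with OpenSSL, as an added example that is not part of the Gateway's tooling: it applies the "<Automatic>" digest rule and the 730-day default described above, then checks the saved chain for the two things a reviewer would want to know (does it verify against the CA, and was it signed with SHA-1). It assumes openssl is installed and takes "short key" to mean an RSA key shorter than 2048 bits, which the page does not define.

```shell
#!/bin/sh
# Added example, not the Gateway's own tooling. Assumptions: openssl is on PATH;
# a "short" issuer key is one shorter than 2048 bits (the page leaves this undefined).
set -eu

WORK=$(mktemp -d)

# Hypothetical helper mirroring the dialog's "<Automatic>" rule.
# $1 = issuer key size in bits, $2 = "1" if alwaysSignWithSha1 is defined.
auto_digest() {
    if [ "$2" = "1" ] || [ "$1" -lt 2048 ]; then
        echo sha1
    else
        echo sha384
    fi
}

# Constructed test material: a throw-away CA key/cert and a client CSR.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=Example-CA \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=client \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
}

# Sign the CSR with the CA key. $1 = digest, $2 = expiry age in days
# (the dialog's default is 730). Writes the PEM chain the way step 7 saves it.
sign_csr() {
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days "$2" "-$1" -out "$WORK/client.crt" 2>/dev/null
    cat "$WORK/client.crt" "$WORK/ca.crt" > "$WORK/chain.pem"
}

# Print the signature algorithm recorded in the signed certificate.
sig_alg() {
    openssl x509 -in "$WORK/client.crt" -noout -text \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n1
}

# Return 0 only if the certificate verifies against the CA and is not SHA-1 signed.
check_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1 || return 1
    case "$(sig_alg)" in sha1*) return 1 ;; esac
    return 0
}
```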