How to create certificate signing request


This document describes how to:

create a certificate signing request (CSR) on the Secure Socket Layer Module (SSLM)

import the certificate using cut and paste in privacy-enhanced mail (PEM) format


Before you begin, you need to know the domain name that is assigned to the certificate. You also need the Certificates Authorities (CA) root certificate, and possibly the CA intermediate certificate.


Components Used


Main Task


This section details each step needed to create the CSR, from the creation of the key pair to importing the server certificate.

Step-by-Step Instructions

Complete the instructions in this section.

Create the key pair.

nov10-key is the name of the key pair.

Note: Be sure to specify exportable ; otherwise, you are not able to export the key pair from the SSLM.

Create the trustpoint .

The name of the trustpoint is yoursite. You need to enter the subject name in X.509 format and your domain name. This information is used to create the CSR.

Use copy and paste to send the CSR to your CA. If your CA asks for a server type, select Apache.

Load the CA root certificate

Before you can load the server certificate, you must load any CA certificates. At a minimum, this is the CA root certificate, and possibly a CA intermediate certificate. Your CA

is able to provide you with the necessary certificates.

Intermediate Certificates

If you have an intermediate certificate, you need to configure two trustpoints. One trustpoint contains the CA root certificate only. You only need to configure enrollment terminal PEM and Certificate Revocation List (CRL) optional. The second trustpoint contains the intermediate certificate and the server certificate. The second trustpoint is configured similar to the first trustpoint, however, instead of the root certificate, use the intermediate certificate.


There is currently no verification procedure available for this configuration.


This section provides troubleshooting information relevant to this configuration.

If you run into problems loading the certificates, enable debugging with the debug crypto pki transactions command.

Make sure you have the complete certificate chain. You can determine this by viewing the certificates on a PC. Save the certificates with a .cer extension, then double click to open them.

The root certificate is shown in Figure 1. You can determine this by looking at the Issued to and Issued by sections. Both sections are the same. Also, note that the certificate is showing up as not trusted because it a test certificate.

Figure 1

The server certificate is shown in Figure 2. You call determine that it matches the root certificate because the Issued by section matches the Issued by section on the root certificate.

Figure 2


Category: Insurance

Similar articles: