This document describes how to create a certificate signing request (CSR) on an Email Security Appliance (ESA).
Create a CSR on an ESA
As of AsyncOS 7.1.1, the ESA can create a self-signed certificate for your own use and generate a CSR to submit to a certificate authority and obtain the public certificate. The certificate authority returns a trusted public certificate signed by a private key. Use the Network > Certificates page in the GUI or the certconfig command in the CLI in order to create the self-signed certificate, generate the CSR, and install the trusted public certificate.
If you acquire or create a certificate for the first time, search the Internet for "certificate authority services SSL Server Certificates" and choose the service that best meets the needs of your organization. Follow the service's instructions in order to obtain a certificate.
Configuration Steps on the GUI
In order to create a self-signed certificate, click Add Certificate on the Network > Certificates page in the GUI (or use the certconfig command in the CLI). On the Add Certificate page, choose Create Self-Signed Certificate.
Enter this information for the self-signed certificate:
Common Name - The fully qualified domain name.
Organization - The exact legal name of the organization.
Organizational Unit - Section of the organization.
City (Locality) - The city where the organization is legally located.
State (Province) - The state, county, or region where the organization is legally located.
Country - The two-letter International Organization for Standardization (ISO) abbreviation of the country where the organization is legally located.
Duration before expiration - The number of days before the certificate expires.
Private Key Size - Size of the private key to generate for the CSR. Only 2048-bit and 1024-bit are supported.
Click Next in order to view the certificate and signature information.
Enter a name for the certificate. AsyncOS assigns the common name by default.
If you want to submit a CSR for the self-signed certificate to a certificate authority, click Download Certificate Signing Request in order to save the CSR in Privacy Enhanced Mail (PEM) format to a local or network machine.
Click Submit in order to save the certificate and commit your changes. If you leave the changes uncommitted, the private key is lost and the signed certificate cannot be installed.
When the certificate authority returns the trusted public certificate signed by a private key, click the certificate's name on the Certificates page and enter the path to the file on your local machine or network in order to upload the certificate. Make sure that the trusted public certificate that you receive is in PEM format or a format that you can convert to PEM before it is uploaded to the appliance. Tools to complete this are included with OpenSSL, free software available at http://www.openssl.org.
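The checks below are an added example, not Cisco's or the appliance's own code: they use OpenSSL to build a CSR with the same subject fields the Add Certificate form asks for (constructed values such as mail.example.com and Example Corp), to verify the downloaded CSR, to convert a DER certificate to PEM, and to confirm that the certificate the authority returns belongs to the private key before it is uploaded. The hypothetical helper names (make_csr, check_csr, der_to_pem, cert_matches_key) and the WORK directory are this example's own.

```shell
#!/bin/sh
# Added example: OpenSSL checks around an ESA CSR. Not part of AsyncOS.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the key, CSR and certificate

# Build a 2048-bit key and CSR with the form's subject fields (constructed values).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/esa.key" -out "$WORK/esa.csr" \
    -subj "/CN=mail.example.com/O=Example Corp/OUIT/L=San Jose/ST=California/C=US" \
    2>/dev/null
}

# Return 0 if a CSR file is valid PEM, self-consistent, has the expected CN and a 2048-bit key.
check_csr() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$1" -noout -subject | grep -q "CN *= *mail.example.com" || return 1
  openssl req -in "$1" -noout -text | grep -q "Public-Key: (2048 bit)" || return 1
}

# Convert a DER-encoded certificate ($1) to the PEM file ($2) the appliance expects.
der_to_pem() {
  openssl x509 -inform DER -in "$1" -out "$2"
}

# Return 0 if the public key in certificate $1 matches private key $2.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone run: create the CSR and report where it was written.
make_csr && check_csr "$WORK/esa.csr" && echo "CSR ready: $WORK/esa.csr"
```

Run cert_matches_key against the file the certificate authority returns (after der_to_pem if it arrived as DER); a mismatch usually means the CSR was generated from a different key than the one committed on the appliance.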
If you upload the certificate from the certificate authority, the existing certificate is overwritten. You can also upload an intermediate certificate related to the self-signed certificate. You can use the certificate with a public or private listener, an IP interface's HTTPS services, the Lightweight Directory Access Protocol (LDAP) interface, or all outgoing Transport Layer Security (TLS) connections to destination domains.