Creating a CSR Using Expressway
To generate a CSR:
Procedure
Step 1: Go to .
Step 2: Click Generate CSR to go to the Generate CSR page.
Step 3: Enter the required properties for the certificate:
Step 4: Click Generate CSR. The system produces a signing request and an associated private key. The private key is stored securely on the Expressway and cannot be viewed or downloaded. You must never disclose your private key, not even to the certificate authority.
Step 5: You are returned to the Server certificate page. From here you can:
You must now use the CSR to generate a signed PEM certificate file. You can pass it to a third-party or internal certification authority, or use it in conjunction with an application such as Microsoft Certification Authority (see Appendix 6: Authorize a Request and Generate a Certificate using Microsoft Certification Authority) or OpenSSL (see Operate as a Certificate Authority Using OpenSSL).
If you have multiple entries or FQDNs in the SAN (such as for MRA deployments), ensure that you ask for a multi-domain / multi-SAN certificate from your certificate authority, not a single certificate. Some authorities do not suggest this option unless you specifically request it.
When the signed server certificate is received back from the certificate authority, upload it to the Expressway as described in Load Certificates and Keys Onto Expressway.
Server Certificates and Clustered Systems
When a CSR is generated, a single request and private key combination is generated for that peer only.
If you have a cluster of Expressways, you must generate a separate signing request on each peer. Those requests must then be sent to the certificate authority and the returned server certificates uploaded to each relevant peer.
You must ensure that the correct server certificate is uploaded to the appropriate peer; otherwise, the stored private key on that peer will not correspond to the uploaded certificate.
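A pre-upload check for the two pitfalls described above (a certificate returned without all requested SANs, and a certificate uploaded to the wrong cluster peer), as an added example that is not Cisco's own tooling. It assumes the openssl CLI and that you kept each peer's CSR file; the function names, file names and example.com hosts are hypothetical, and `make_demo` only builds throwaway sample data.

```shell
# Added example: checks to run on a CA-returned certificate before upload.
# Needs the openssl CLI (1.1.1 or later, for -addext in the demo data).

# Succeeds only if CERT carries the same public key as CSR, i.e. it was
# issued for the peer whose stored private key pairs with that CSR.
cert_matches_csr() {  # usage: cert_matches_csr CSR CERT
  csr_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
  cert_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ -n "$csr_key" ] && [ "$csr_key" = "$cert_key" ]
}

# Print the DNS SAN entries of a CSR (kind "req") or certificate ("x509").
san_list() {  # usage: san_list req|x509 FILE
  openssl "$1" -in "$2" -noout -text 2>/dev/null |
    grep -A1 'Subject Alternative Name' | grep -o 'DNS:[^,[:space:]]*' | sort -u
}

# Print every DNS SAN requested in CSR that is absent from CERT.
missing_sans() {  # usage: missing_sans CSR CERT
  cert_sans=$(san_list x509 "$2")
  for name in $(san_list req "$1"); do
    printf '%s\n' "$cert_sans" | grep -qxF "$name" || printf '%s\n' "$name"
  done
}

# Constructed sample data: a throwaway CA and two peers' CSRs in DIR.
# peer1.pem is issued with both SANs, peer2.pem with only the first one.
make_demo() {  # usage: make_demo DIR
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo CA' \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  for p in peer1 peer2; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$p.example.com" \
      -addext "subjectAltName=DNS:$p.example.com,DNS:cluster.example.com" \
      -keyout "$d/$p.key" -out "$d/$p.csr" 2>/dev/null
  done
  printf 'subjectAltName=DNS:peer1.example.com,DNS:cluster.example.com\n' >"$d/p1.ext"
  printf 'subjectAltName=DNS:peer2.example.com\n' >"$d/p2.ext"
  openssl x509 -req -in "$d/peer1.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/p1.ext" -out "$d/peer1.pem" 2>/dev/null
  openssl x509 -req -in "$d/peer2.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/p2.ext" -out "$d/peer2.pem" 2>/dev/null
}

# Real use: sh check_cert.sh PEER.csr PEER.pem
if [ $# -eq 2 ]; then
  cert_matches_csr "$1" "$2" && echo "public key matches CSR" || echo "KEY MISMATCH"
  missing_sans "$1" "$2" | sed 's/^/missing SAN: /'
fi
```

Run it once per peer, pairing each returned certificate with the CSR generated on that same peer; a key mismatch means the certificate belongs to a different peer's request.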