Generating a Certificate Signing Request - BlueCat Integrity - 26.1.0

Address Manager Administration Guide

Generate a Certificate Signing Request that you will use to obtain a signed server certificate from a Certificate Authority. You can choose to generate a private key to encrypt and authenticate the CSR, or use an existing private key.

Note: You must submit the generated CSR to the Certificate Authority to obtain the custom certificate.

To generate a CSR:

  1. Select the Settings tab in the sidebar.
  2. Under System security, select Web access.
  3. Set the following parameters:
    Note: When replication is configured between Address Manager servers, web access settings for primary and standby servers are represented on separate tabs.
    • HTTP enabled—select the checkbox to enable HTTP. Deselect the checkbox to disable HTTP.
    • HTTPS enabled—select the checkbox to enable HTTPS.
    • HTTP to HTTPS redirection enabled—select the checkbox to enable HTTP to HTTPS redirection. The HTTP enabled checkbox must be selected to select this option.
      Important: You can't disable HTTPS if HTTP is configured to redirect to HTTPS.
      Note: HTTP to HTTPS redirection
      Selecting HTTP to HTTPS redirection enabled will redirect users to HTTPS if they attempt to access Address Manager using HTTP. You must have HTTP and HTTPS enabled to use HTTP to HTTPS redirection.
      • If the Address Manager domain name is configured to resolve to an IPv6 address, HTTP to HTTPS redirection enabled will redirect the domain name in the URL to an IPv6 address, resulting in an unknown certificate warning in your browser. For more information, refer to knowledge base article 5978 on BlueCat Customer Care.
    • X509 authenticator—select an X.509 authenticator previously added to Address Manager. For more information, refer to X.509 authentication.
  4. Under Server certificate settings, complete the following:
    • Certificate method—select Generate certificate signing request.
    • Common name—enter the DNS hostname of the Address Manager server.
    • Organization—enter the name of your organization.
    • Department—enter the name of your department or division.
    • City—enter the name of your city or municipality.
    • State or province—enter the full name of your state or province. Abbreviations won't be accepted.
    • Country code (two letter)—enter your country’s two letter country code according to the ISO 3166-1 alpha-2 standard. For example, US=United States, CA=Canada, GB=Great Britain, DE=Germany. The country code must use capital letters.
    • Email address—(optional) enter an email address.
    • Comment—(optional) enter necessary comments on the certificate or its parameters.
    • Generate private key—select the checkbox to have Address Manager generate a private key on your behalf. Deselect the checkbox if you will use a previously configured private key.
      • If selected, the Key size field appears.
        • Key size—from the drop-down menu, select either 2048 (default), 4096, or 8192 bits. The greater the bit key size, the greater the complexity of encryption.
      • If deselected, the Upload private key field appears.
        • Upload private key—use the upload box to select or drag and drop the private key file on your local machine or workstation.
          Attention:
          • The private key must comply with PKCS #8 standards.
          • The private key must be an RSA private key. The following cipher suites are supported for Address Manager HTTPS configurations (TLS 1.2):
            • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
            • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
            • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
          • The private key must be in PEM format and must only contain one key. It can't contain multiple keys or certificates. You can validate the key using openssl and the following command (if there's no password, omit the -passin pass:<password> parameter):
            openssl rsa -noout -modulus -in <private key file> -passin pass:<password>

            If the beginning of the output contains Modulus=, the key is valid.

  5. Select Generate CSR. Allow a few moments for Address Manager to generate the CSR. Once completed, the CSR appears in the Generated CSR field.
  6. Select Download CSR and Download private key to save these files to your local machine or workstation. By default, Address Manager saves the CSR as <common_name>.csr and the private key as <common_name>.key.
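
An added example, not BlueCat code: a Python pre-check of the structural requirements from the Upload private key attention list in step 4 (one PEM block, PKCS #8 framing, RSA algorithm), run before uploading a key. The function names and sample PEM blocks are constructed for illustration; the samples wrap an empty key body and are not usable keys.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")   # DER of 1.2.840.113549.1.1.1 (rsaEncryption)
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def read_tlv(buf, pos):                          # one DER tag-length-value -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def check_private_key_pem(text):
    """Return a list of problems; an empty list means the structural checks pass."""
    blocks = PEM_BLOCK.findall(text)
    if len(blocks) != 1:
        return [f"expected exactly one PEM block, found {len(blocks)}"]
    label, body = blocks[0]
    if label == "ENCRYPTED PRIVATE KEY":         # PKCS #8, algorithm hidden until decrypted
        return []
    if label != "PRIVATE KEY":
        return [f"'{label}' is not a PKCS #8 block (expected 'PRIVATE KEY')"]
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
        tag, info, _ = read_tlv(der, 0)          # PrivateKeyInfo SEQUENCE
        vtag, _, pos = read_tlv(info, 0)         # version INTEGER
        atag, alg, _ = read_tlv(info, pos)       # AlgorithmIdentifier SEQUENCE
        otag, oid, _ = read_tlv(alg, 0)          # algorithm OID
    except (ValueError, IndexError) as exc:
        return [f"not valid base64/DER: {exc}"]
    if (tag, vtag, atag, otag) != (0x30, 0x02, 0x30, 0x06):
        return ["not a PKCS #8 PrivateKeyInfo structure"]
    return [] if oid == RSA_OID else ["key algorithm is not RSA"]

# Constructed samples: PKCS #8 framing around an empty key body, not usable keys.
RSA_ALG = "300d06092a864886f70d0101010500"              # AlgorithmIdentifier: rsaEncryption
EC_ALG = "301306072a8648ce3d020106082a8648ce3d030107"   # id-ecPublicKey, prime256v1

def constructed_pem(label, alg_hex):
    body = bytes.fromhex("020100" + alg_hex + "04023000")
    der = base64.b64encode(bytes([0x30, len(body)]) + body).decode()
    return f"-----BEGIN {label}-----\n{der}\n-----END {label}-----\n"

if __name__ == "__main__":
    for label, alg in (("PRIVATE KEY", RSA_ALG), ("PRIVATE KEY", EC_ALG), ("RSA PRIVATE KEY", RSA_ALG)):
        print(label, "RSA" if alg is RSA_ALG else "EC", check_private_key_pem(constructed_pem(label, alg)) or "ok")
```

This checks structure only; the openssl modulus command in step 4 still confirms that the key itself parses as RSA.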