Generating a Certificate Signing Request - BlueCat Integrity - 9.4.0

Address Manager Administration Guide


Generate a Certificate Signing Request (CSR) that you will use to obtain a signed server certificate from a Certificate Authority. You can choose to have Address Manager generate a private key to sign the CSR, or use an existing private key.

Note: You must submit the generated CSR to the Certificate Authority to obtain the custom certificate.

To generate a CSR:

  1. Select the Administration tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Administration page.
  2. Under User Management, click Secure Access.
  3. Under General, complete the following:
    • Select Server—by default, this is the IP address of a standalone Address Manager server. If running Address Manager in replication, use the drop-down menu to select the IP address of Primary or Standby Address Manager servers.
    • HTTP—from the drop-down menu, select either Enable, Disable, or Redirect to HTTPS.
      Note: Redirect to HTTPS
      Selecting Redirect to HTTPS will redirect users to HTTPS if they attempt to access Address Manager using HTTP. You must have HTTPS enabled to use Redirect to HTTPS.
      • If the Address Manager domain name is configured to resolve to an IPv6 address, enabling Redirect to HTTPS will redirect the domain name in the URL to an IPv6 address, resulting in an unknown certificate warning in your browser. For more information, refer to knowledge base article 5978 on BlueCat Customer Care.
    • HTTPS—from the drop-down menu, select Enable.
      Important: Disabling HTTPS

      You can't disable HTTPS if HTTP is configured to redirect to HTTPS.

  4. Under Server Certificate Settings, select Custom.
  5. Under Self-Signed Certificate, complete the following:
    • Common Name—enter the DNS hostname of the Address Manager server.
    • Organization—enter the name of your organization.
    • Department—enter the name of your department or division.
    • City—enter the name of your city or municipality.
    • State/province (full name)—enter the full name of your state or province. Abbreviations won't be accepted.
    • Country Code (two letter code)—enter your country’s two letter country code according to the ISO 3166-1 alpha-2 standard. For example, US=United States, CA=Canada, GB=Great Britain, DE=Germany. The Country code must use capital letters.
    • Email Address—(optional) enter an email address.
    • Comment—(optional) enter necessary comments on the certificate or its parameters.
    • Key Size—from the drop-down menu, select either 1024, 2048 (default), 4096, or 8192 bits. The greater the bit key size, the greater the complexity of encryption.
      Note: Key bit sizes

      As a best practice, BlueCat recommends using the default key size of 2048 bits. 1024-bit keys are no longer accepted for digital signatures by the National Institute of Standards and Technology (NIST) and shouldn't be used for new self-signed or custom certificates. The 1024-bit option is in place only to support legacy certificates for customers upgrading from earlier versions of Address Manager.

    • Generate Private Key—select to have Address Manager generate a private key on your behalf (default). Deselect the check box if you will use a previously configured private key. If deselected, the Private Key upload option appears.
      • Private Key—click Choose File to select a private key file on your local machine or workstation.
        Attention: The private key must comply with PKCS #8 standards.

  6. Click Generate. Allow a few moments for Address Manager to generate the CSR. Once completed, the CSR appears in the CSR Generated field.
  7. Click Download CSR and Download Private Key to save these files to your local machine or workstation. By default, Address Manager saves the CSR as <common_name>.csr and the private key as <common_name>.key.
  8. Click Update.
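
The following is an added example, not part of the BlueCat documentation: a shell function that uses the OpenSSL command line to check a saved CSR and its private key against the requirements listed above before the CSR goes to the Certificate Authority. The function name `check_csr` and its arguments are assumptions, and it expects the key to be a PKCS #8 PEM file, as the page requires for uploaded keys.

```shell
#!/bin/sh
# Added example: pre-submission checks for a CSR and its private key.
# Usage: check_csr CSR_FILE KEY_FILE  (returns 0 only if every check passes)
check_csr() {
    csr=$1 key=$2 rc=0

    # 1. The CSR's self-signature must verify. Match on the message text,
    #    because the exit status of "req -verify" differs between versions.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "FAIL: CSR signature does not verify"; rc=1
    fi

    # 2. Key size: reject anything under 2048 bits (see the Key Size note).
    bits=$(openssl req -in "$csr" -noout -text 2>/dev/null |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "FAIL: key size is ${bits:-unknown} bits, expected 2048 or more"; rc=1
    fi

    # 3. Country must be a two-letter, upper-case ISO 3166-1 alpha-2 code.
    country=$(openssl req -in "$csr" -noout -subject -nameopt multiline 2>/dev/null |
              sed -n 's/^ *countryName *= *//p')
    if ! printf '%s' "$country" | LC_ALL=C grep -Eq '^[A-Z]{2}$'; then
        echo "FAIL: country code '$country' is not two capital letters"; rc=1
    fi

    # 4. The key file must be PKCS #8 PEM, not the traditional
    #    "BEGIN RSA PRIVATE KEY" format.
    case $(head -n 1 "$key") in
        '-----BEGIN PRIVATE KEY-----'|'-----BEGIN ENCRYPTED PRIVATE KEY-----') ;;
        *) echo "FAIL: private key is not PKCS #8 PEM"; rc=1 ;;
    esac

    # 5. The CSR must carry the public half of this private key.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$csr_pub" ] || [ "$csr_pub" != "$key_pub" ]; then
        echo "FAIL: CSR public key does not match the private key"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $csr passed all checks"
    return "$rc"
}
```

Run it as `check_csr <common_name>.csr <common_name>.key`; a password-protected key causes OpenSSL to prompt for the passphrase during check 5.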