Generate a Certificate Signing Request that you will use to obtain a signed server certificate from a Certificate Authority. You can choose to generate a private key to encrypt and authenticate the CSR, or use an existing private key.
To generate a CSR:
- Select the Administration tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Administration page.
- Under User Management, click Secure Access.
- Under General, complete the following:
- Select Server—by default, this is the IP address of a standalone Address Manager server. If running Address Manager in replication, use the drop-down menu to select the IP address of Primary or Standby Address Manager servers.
- HTTP—from the drop-down menu, select either Enable, Disable, or Redirect to HTTPS.
Note: Redirect to HTTPS
Selecting Redirect to HTTPS will redirect users to HTTPS if they attempt to access Address Manager using HTTP. You must have HTTPS enabled to use Redirect to HTTPS.
- If the Address Manager domain name is configured to resolve to an IPv6 address, enabling Redirect to HTTPS will redirect the domain name in the URL to an IPv6 address, resulting in an unknown certificate warning in your browser. For more information, refer to knowledge base article 5978 on BlueCat Customer Care.
- HTTPS—from the drop-down menu, select Enable.
Important: Disabling HTTPS
You can't disable HTTPS if HTTP is configured to redirect to HTTPS.
- Under Server Certificate Settings, select Custom.
- Under Self-Signed Certificate, complete the following:
- Common Name—enter the DNS hostname of the Address Manager server.
- Organization—enter the name of your organization.
- Department—enter the name of your department or division.
- City—enter the name of your city or municipality.
- State/province (full name)—enter the full name of your state or province. Abbreviations won't be accepted.
- Country Code (two letter code)—enter your country’s two letter country code according to the ISO 3166-1 alpha-2 standard. For example, US=United States, CA=Canada, GB=Great Britain, DE=Germany. The Country code must use capital letters.
- Email Address—(optional) enter an email address.
- Comment—(optional) enter necessary comments on the certificate or its parameters.
- Key Size—from the drop-down menu, select either 1024, 2048 (default), 4096, or 8192 bits. The greater the bit key size, the greater the complexity of encryption.
Note: Key bit sizes
As a best practice, BlueCat recommends using the default key size of 2048 bits. 1024 bit keys are no longer accepted for digital signatures by the National Institute of Standards and Technology (NIST) and shouldn't be used to encrypt new self-signed or custom certificates. 1024 bit keys are in place only to support legacy certificates for customers upgrading from earlier versions of Address Manager.
- Generate Private Key—select to have Address Manager generate a private key on your behalf (default). Deselect the check box if you will use a previously configured private key. If deselected, the Private Key upload option appears.
- Private Key—click Choose File to select a private key file on your local machine or workstation.
Attention: The private key must comply with PKCS #8 standards.
- Click Generate. Allow a few moments for Address Manager to generate the CSR. Once completed, the CSR appears in the CSR Generated field.
- Click Download CSR and Download Private Key to save these files to your local machine or workstation. By default, Address Manager saves the CSR as <common_name>.csr and the private key as <common_name>.key.
- Click Update.
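One way to check an existing private key against the PKCS #8 requirement and the key-size note above before uploading it (an added example, not BlueCat code). It reads the PEM file's ASN.1 structure to tell PKCS #8 from the traditional PKCS #1 RSA layout and reports the RSA modulus size. The function names are this example's own, and it assumes a PEM file without legacy `Proc-Type` encryption headers.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(buf):
    """Modulus bit length of an RSAPrivateKey: SEQUENCE {version, n, ...}."""
    _, start, _ = tlv(buf, 0)
    _, _, ver_end = tlv(buf, start)
    _, n_start, n_end = tlv(buf, ver_end)
    return int.from_bytes(buf[n_start:n_end], "big").bit_length()

def inspect_key(pem):
    """Classify a PEM private key by ASN.1 structure rather than by its label."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.+?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    der = base64.b64decode(m.group(2))
    if not der or der[0] != 0x30:
        raise ValueError("PEM body is not a DER SEQUENCE")
    _, start, _ = tlv(der, 0)
    tag, _, first_end = tlv(der, start)
    if tag == 0x30:  # AlgorithmIdentifier comes first: EncryptedPrivateKeyInfo
        return {"format": "PKCS#8 encrypted", "rsa_bits": None}
    tag, v_start, v_end = tlv(der, first_end)  # element after the version
    if tag == 0x02:  # modulus right after version: traditional PKCS #1 RSA key
        return {"format": "PKCS#1", "rsa_bits": rsa_bits(der)}
    if tag != 0x30:
        raise ValueError("unrecognised private key structure")
    _, oid_start, oid_end = tlv(der, v_start)  # OID inside AlgorithmIdentifier
    _, key_start, key_end = tlv(der, v_end)  # OCTET STRING wrapping the key
    is_rsa = der[oid_start:oid_end] == RSA_OID
    bits = rsa_bits(der[key_start:key_end]) if is_rsa else None
    return {"format": "PKCS#8", "rsa_bits": bits}

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # pass one or more key file paths
        with open(path) as fh:
            print(path, inspect_key(fh.read()))
```

A key reported as PKCS#1 can be converted to PKCS #8 with `openssl pkcs8 -topk8`.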