16.4 Generating a Certificate Signing Request

  1. Click Security > Certificates > New.

  2. To create a certificate signing request (CSR), select Use external certificate authority.

    This option generates a CSR for you to send to the CA for signing. A third-party CA is managed by a third party outside of the eDirectory tree. An example of a third-party CA is VeriSign. After the signed certificate is received, import the certificate.

  3. Specify a Certificate name.

    Pick a unique, system-wide name for the certificate that you can easily associate with the certificate’s purpose. The name must contain only alphanumeric characters and no spaces.

  4. Click Edit and add appropriate locality information types for the subject name.

    For more information, see Section 16.2, Editing the Subject Name.

  5. Click OK and specify the following details:

    Signature algorithm: The algorithm you want to use (SHA-256 or SHA-512).

    Valid from: The date from which the certificate is valid. For externally signed certificates, the external certificate authority sets the validity period.

    Months valid: The number of months that the certificate is valid.

    Key size: The size of the key. Select 512, 1024, 2048, or 4096.

  6. (Conditional) If you are creating a key for a certificate authority, click Advanced Options, then configure the following:

    This key is for a Certificate Authority: Select this option.

    Critical: Enforces the basic constraints you specify. Select one of the following:

    • Unlimited: Specifies no restriction on the number of subordinate certificates that the CA can verify.

    • Do not allow intermediate signing certificates in certificate chain: Prevents the CA from creating other CAs, but it can create server or user certificates.

    • Number of allowable intermediate signing certificates in signing chain: Specifies how many subordinate certificates are allowed in the certificate chain. Values must be 1 or more. Entering 0 creates only entity objects.

  7. Click OK.

  8. Click the certificate, copy the CSR data, and send it to the external CA.

    The certificate status is CSR Pending until you import the signed certificate.

  9. Click Close.

  10. Continue with Importing a Signed Certificate.
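
  Added example (not part of the product documentation): a check to run on the CSR data copied in Step 8, before it is sent to the external CA, confirming that the request parses, that its self-signature verifies, and that the key size and signature algorithm match what was selected in Step 5. It assumes the openssl command-line tool is installed and that the CSR was saved as a PEM file with an RSA key; the 2048-bit minimum and the function names are assumptions of this example, and the sample CSR is constructed locally.

```sh
#!/bin/sh
# Added example: pre-submission check for a CSR copied from the console.
MIN_BITS=2048   # assumption: policy floor for RSA keys, not a value from this guide

# Key size in bits, read from "Public-Key: (N bit)" in the decoded request.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Signature algorithm name, for example sha256WithRSAEncryption.
csr_sig_alg() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Signature Algorithm: *//p' | head -n 1
}

# Returns 0 only if the file is a CSR whose self-signature verifies, the key
# has at least MIN_BITS bits, and the digest is SHA-256 or SHA-512.
check_csr() {
    rc=0
    if ! openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "FAIL: not a valid CSR, or its self-signature does not verify"
        return 1
    fi
    bits=$(csr_key_bits "$1"); alg=$(csr_sig_alg "$1")
    if [ "${bits:-0}" -lt "$MIN_BITS" ]; then
        echo "FAIL: key size ${bits:-unknown} is below $MIN_BITS bits"; rc=1
    fi
    case "$alg" in
        sha256*|sha512*) ;;
        *) echo "FAIL: unexpected signature algorithm: ${alg:-unknown}"; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then echo "OK: $bits-bit key, $alg"; fi
    return "$rc"
}

# Constructed sample standing in for CSR data copied from the console.
make_sample_csr() {  # usage: make_sample_csr BITS DIGEST OUTFILE
    openssl req -new -newkey "rsa:$1" -nodes "-$2" -keyout /dev/null \
        -subj "/O=Constructed/CN=sample.example.test" -out "$3" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_csr 2048 sha256 "$demo_dir/sample.csr" && check_csr "$demo_dir/sample.csr"
rm -rf "$demo_dir"
```

  A CSR generated with the 512 or 1024 key size fails this check, which is the case most external CAs also reject.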