Creating a server certificate signing request for the AE Services server
About this task
Use this procedure to create a server certificate request (also referred to as a certificate signing request, or CSR) for the AE Services server. This procedure generates a certificate signing request which includes a private key.
Procedure
From the AE Services Management Console main menu, select Security > Certificate Management > Server Certificates.
On the Server Certificates page, click Add.
Complete the Add Server Certificate page, as follows:
In the Certificate Alias field, select the appropriate alias for the certificate.
Select cmtls for the Transport Service certificate.
Select aeservices for the CVLAN, DLG, DMCC and TSAPI certificates. If cmtls is not specified, and the switch connection Provide AE Services certificate to switch option is enabled, this certificate will be used for the Transport Service.
Select web for the Apache and Tomcat certificates.
Select ldap for the LDAP certificate.
Select server to include all certificates (cmtls, aeservices, web, and ldap).
Select rsyslog for remote logging.
Leave the Create Self-Signed Certificate check box unchecked (the default).
In the Enrollment Method field, select the appropriate setting.
In the Encryption Algorithm field, select 3DES.
In the Password field, type the password of your choice.
In the Re-enter Password field, type the password of your choice.
In the Key Size field, accept the value 2048 or higher.
In the Certificate Validity field, accept the default 1825.
In the Distinguished Name field, type the LDAP entries required by your CA.
These entries must be in LDAP format and they must match the values required by your CA. If you are not sure what the required entries are, contact your CA.
Among the required entries will be the FQDN (fully qualified domain name) of the AE Server in LDAP format. Additionally you might need to provide your company name, your organization name and so on. Separate each LDAP entry with a comma, and do not use blank spaces, for example:
Currently the Add Server Certificate page in the AE Services Management Console does not support using commas within a DN attribute (for example o=Examplecorp, Inc).
In the Challenge Password field, type the challenge password of your choice.
In the Re-enter Challenge Password field, type the challenge password of your choice.
(Optional) From the Key Usage list, select the setting that is appropriate for your certificate:
Digital Signature
Non-repudiation
Key encipherment
Data encipherment
Key agreement
Key certificate sign
CRL sign
Encipher Only
Decipher Only
(Optional) From the Extended Key Usage list, select the setting appropriate for your certificate.
(Optional - applies to auto-enrollment) Complete the SCEP Parameters that apply to your certificate:
SCEP Server URL — specify the CA URL.
An example of a Microsoft CA URL is http://ca.example.com/certsrv/mscep/mscep.dll. An example of an Enterprise Java Beans Certificate Authority (EJBCA) URL is http://ca.example.com:8080/ejbca/publicweb/apply/scep/pkiclient.exe.
CA Certificate Alias — enter the CA Alias to be used.
The CA Certificate Alias refers to the name used to identify the CA Certificate.
CA Identifier — enter the CA ID to be used.
The CA Identifier is used by CAs to identify which CA you are referring to in your SCEP request. Many CAs strictly match the CA Identifier string, while some ignore it. For example, with EJBCA you need to match the CA Identifier string. This is used when the CA server acts as multiple CAs. This string is set by the CA Admin.
Click Apply.
AE Services displays the Server Certificate Manual Enrollment Request page, which displays the certificate alias and the certificate request itself in PEM (Privacy Enhanced Mail) format. The certificate request consists of all the text in the box, including the header (-----BEGIN CERTIFICATE REQUEST-----) and the trailer (-----END CERTIFICATE REQUEST-----).
Copy the entire contents of the server certificate, including the header and the trailer. Keep the contents available in the clipboard for the next procedure.
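A pre-flight check for the value typed into the Distinguished Name field in the procedure above, added here as an example (it is not Avaya code): it flags blank spaces and commas inside an attribute value, the two input problems the procedure warns about. It assumes the FQDN is carried in the cn attribute and reads "do not use blank spaces" literally; the sample DNs are constructed.

```python
import re

# Assumption: the server FQDN is carried in the cn attribute; the page only
# says the FQDN must be present "in LDAP format".
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def check_dn(dn):
    """Return a list of problems found in a DN meant for the console field."""
    problems = []
    if re.search(r"\s", dn):
        # Literal reading of the page: "do not use blank spaces".
        problems.append("contains blank space")
    if "\\" in dn or '"' in dn:
        # Escaping or quoting is how a comma is normally kept inside a value;
        # the page says the console does not support commas in a DN attribute.
        problems.append("escaped or quoted value is not supported")
    entries = {}
    for piece in dn.split(","):
        attr, sep, value = piece.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep:
            # A piece with no '=' is the tail of a value that held a comma.
            problems.append(f"comma inside an attribute value near {piece.strip()!r}")
        elif not ATTR_RE.match(attr) or not value:
            problems.append(f"malformed entry {piece.strip()!r}")
        else:
            entries.setdefault(attr.lower(), value)
    cn = entries.get("cn")
    if cn is None:
        problems.append("no cn entry")
    elif not FQDN_RE.match(cn):
        problems.append(f"cn {cn!r} is not a fully qualified domain name")
    return problems


# Constructed sample values, not taken from the page or from any CA.
SAMPLES = [
    "cn=aeserver.example.com,ou=it,o=examplecorp,c=us",
    "cn=aeserver.example.com,o=Examplecorp, Inc",
    "cn=aeserver,o=examplecorp",
]

if __name__ == "__main__":
    for dn in SAMPLES:
        print(dn, "->", check_dn(dn) or "ok")
```

The attributes your CA actually requires still have to be confirmed with the CA; this check covers only the input format.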