Creating a server certificate signing request for the AE Services server

About this task

Use this procedure to create a server certificate request (also referred to as a certificate signing request, or CSR) for the AE Services server. This procedure generates a certificate signing request which includes a private key.

Procedure

  1. From the AE Services Management Console main menu, select Security > Certificate Management > Server Certificates.
  2. On the Server Certificates page, click Add.
  3. Complete the Add Server Certificate page, as follows:
    1. In the Certificate Alias field, select the appropriate alias for the certificate.
      • Select cmtls for the Transport Service certificate

      • Select aeservices for the CVLAN, DLG, DMCC and TSAPI certificates. If cmtls is not specified, and the switch connection Provide AE Services certificate to switch option is enabled, this certificate will be used for the Transport Service.

      • Select web for the Apache and Tomcat certificates.

      • Select ldap for the LDAP certificate.

      • Select server to include all certificates (cmtls, aeservices, web, and ldap).

      • Select rsyslog for remote logging.

    2. Leave the Create Self-Signed Certificate check box unchecked (the default).
    3. In the Enrollment Method field, select the appropriate setting.
    4. In the Encryption Algorithm field, select 3DES.
    5. In the Password field, type the password of your choice.
    6. In the Re-enter Password field, type the password of your choice.
    7. In the Key Size field, accept the value 2048 or higher.
    8. In the Certificate Validity field, accept the default 1825.
    9. In the Distinguished Name field, type the LDAP entries required by your CA.

      These entries must be in LDAP format and they must match the values required by your CA. If you are not sure what the required entries are, contact your CA.

      Among the required entries will be the FQDN (fully qualified domain name) of the AE Server in LDAP format. Additionally you might need to provide your company name, your organization name and so on. Separate each LDAP entry with a comma, and do not use blank spaces, for example:

      cn=aeserver.example.com,ou=myOrganizationalUnit,o=Examplecorp,L=Springfield,ST=Illinois,C=US

      Note

      Currently the Add Server Certificate page in the AE Services Management Console does not support using commas within a DN attribute (for example o=Examplecorp, Inc).

    10. In the Challenge Password field, type the challenge password of your choice.
    11. In the Re-enter Challenge Password field, type the challenge password of your choice.
    12. (Optional) From the Key Usage list, select the setting that is appropriate for your certificate:
      • Digital Signature

      • Non-repudiation

      • Key encipherment

      • Data encipherment

      • Key agreement

      • Key certificate sign

      • CRL sign

      • Encipher Only

      • Decipher Only

    13. (Optional) From the Extended Key Usage list, select the setting appropriate for your certificate.
    14. (Optional - applies to auto-enrollment) Complete the SCEP Parameters that apply to your certificate:
      • SCEP Server URL — specify the CA URL.

        An example of a Microsoft CA URL is http://ca.example.com/certsrv/mscep/mscep.dll. An example of an Enterprise Java Beans Certificate Authority (EJBCA) URL is http://ca.example.com:8080/ejbca/publicweb/apply/scep/pkiclient.exe.

      • CA Certificate Alias — enter the CA Alias to be used.

        The CA Certificate Alias refers to the name used to identify the CA Certificate.

      • CA Identifier — enter the CA ID to be used.

        The CA Identifier is used by CAs to identify which CA you are referring to in your SCEP request. Many CAs strictly match the CA Identifier string, while some ignore it. For example, with EJBCA you need to match the CA Identifier string. This is used when the CA server acts as multiple CAs. This string is set by the CA Admin.

    15. Click Apply.

      AE Services displays the Server Certificate Manual Enrollment Request page, which displays the certificate alias and the certificate request itself in PEM (Privacy Enhanced Mail) format. The certificate request consists of all the text in the box, including the header (-----BEGIN CERTIFICATE REQUEST-----) and the trailer (-----END CERTIFICATE REQUEST-----).

  4. Copy the entire contents of the server certificate, including the header and the trailer. Keep the contents available in the clipboard for the next procedure.
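
A pre-check for the Distinguished Name string entered in step 9, given here as an added example that is not part of the original procedure or of AE Services. It flags blank spaces next to a comma, fragments that are not attribute=value entries (which is what a comma inside a value such as o=Examplecorp, Inc produces), and a missing or non-FQDN cn. The function name check_dn, the FQDN pattern, and the reading of "do not use blank spaces" as "no spaces around the separators" are assumptions; your CA may require further entries.

```python
import re

# One entry: attribute name, '=', then a value with no ',' or '=' in it.
_ENTRY = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=([^=,]+)$")
# Conservative FQDN shape (assumption): two or more dot-separated labels.
_FQDN = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


def check_dn(dn):
    """Return a list of problems in a DN string; an empty list means it passed."""
    if not dn:
        return ["DN is empty"]
    problems = []
    attrs = {}
    for raw in dn.split(","):
        if raw != raw.strip():
            problems.append(f"blank space next to a comma: {raw!r}")
        entry = raw.strip()
        match = _ENTRY.match(entry)
        if not match:
            # A comma inside a value leaves a fragment with no "attribute=" prefix.
            problems.append(f"not an attribute=value entry: {entry!r}")
            continue
        attrs.setdefault(match.group(1).lower(), []).append(match.group(2))
    cns = attrs.get("cn", [])
    if not cns:
        problems.append("no cn entry (the FQDN of the AE Server is required)")
    elif not any(_FQDN.match(value) for value in cns):
        problems.append(f"cn is not a fully qualified domain name: {cns[0]!r}")
    return problems


if __name__ == "__main__":
    # Constructed samples: the DN from step 9, then variants that break the rules.
    samples = [
        "cn=aeserver.example.com,ou=myOrganizationalUnit,o=Examplecorp,"
        "L=Springfield,ST=Illinois,C=US",
        "cn=aeserver.example.com,o=Examplecorp, Inc,C=US",
        "cn=aeserver,o=Examplecorp,C=US",
    ]
    for sample in samples:
        found = check_dn(sample)
        print(sample)
        for problem in found or ["ok"]:
            print("   ", problem)
```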