Sign in
< Back to User Guide Top

Generating self-signed user certificates

To acquire a CA-signed certificate, you must first generate a self-signed user certificate.  This will implicitly generate or import a public-private key pair.

  1. In the web UI, go to Administration > Certificate Management > Certificates. In the native UI, go to Tools > Certificate Manager or click the Certificates button in the tool bar.
  2. Right-click the Users store in the tree pane and select Generate > Self-signed User Certificate.
    The Generate Certificate dialog box appears.
  3. Enter information about the certificate you want to generate.
    See User certificate reference for information about the fields in the dialog box.
  4. After you finish entering required information, click OK.
    After the key-pair and certificate are created, the certificate is added under Users in the tree pane.
    Note: Because generating a self-signed certificate might take some time because it could involve public-private key pair generation.

Generating a new self-signed user certificate based on an existing certificate

You can use the Certificate Manager to generate a new self-signed certificate based on the contents of an existing certificate. This is useful in situations where a self-signed certificate has expired and needs to be regenerated, or you want to generate a new self-signed certificate using the same information as an existing certificate.  

  1. In the web UI, go to Administration > Certificate Management > Certificates. In the native UI, go to Tools > Certificate Manager or click the Certificates button in the tool bar.
  2. Right-click the existing certificate in the Users store and select Generate > New Self-signed User Certificate.
  3. A new Generate User X.509 Certificate dialog is displayed with all the information from the original certificate except the User Alias and Private Key Password.
  4. Enter new values in the User AliasPrivate Key Password and Confirm Password fields, and then click OK.
    For information about these fields, see User certificate reference.
  5. The new self-signed certificate is created and added to the Users store.

User certificate reference

 User Information and Usage Information

User Alias
An arbitrary name for the certificate (for example, CLEO)
Common Name
A user name for client-style certificates; a fully qualified computer name (or registered IP address) for server-style certificates (for example, cleo.com). This field may be completed when importing OpenPGP or SSH FTP keys.
Email
Administrator email address, for example, user@cleo.com. This field may be completed when importing OpenPGP or SSH FTP keys.
Organization Unit
This could be a company department (for example, Cleo Engineering, or Cleo Production)
Organization
Official company name (for example, Cleo Communications, Inc.)
City
Complete city name (for example, Loves Park)
State
State name (for example, Illinois)
Country
Two characters (for example, US).  Select from pull-down menu.
Signature Algorithm
Either MD5, SHA-1, SHA-256, SHA-384, or SHA-512.
SHA-256 is recommended for RSA certificates.
SHA-1 is the only valid signature algorithm for DSA certificates.
The appropriate algorithm is configured and this is field is disabled after importing OpenPGP or SSH FTP keys.
DigitalSignature
Set if certificate is to be used for SSL client or signing.  This field should generally be checked for AS2, AS3, or ebMS.
KeyEncipherment
Set if certificate is to be used for SSL server or encryption.  This field should generally be checked for AS2, AS3, or ebMS.
clientAuth
Set if certificate is to be used for TLS client.  Not applicable to AS2, AS3, or ebMS.
serverAuth
Set if certificate is to be used for TLS server.  Not applicable to AS2, AS3, or ebMS.
Subject Key Identifier
Set if the Subject Key Identifier extension is to be generated.  This extension is used as a means of identifying the particular public key being used.
Valid For
The number of months that this certificate will be valid.  By default, it is set to 24 months, but may be increased up to 96 months.

Generate Private

Used to generate a new public/private key pair.

Private Key Size
512, 1024, 2048, 3072 or 4096 for RSA certificates.

512 or 1024 for DSA certificates. 

The larger the key size, the stronger the encryption; however, depending on your platform and/or CPU speed, generating certificates with private key sizes greater than 2048 bits may take several minutes. (2048 is the default for RSA certificates. 1024 is the default for DSA certificates.)

Algorithm
Defaults to RSA, which is the de facto standard.  DSA is also available.
Private Key Password
This is an arbitrary password. This password can be any combination of letters, numbers, or special characters.
Confirm Password
Re-enter the private key password.
Encryption Sub-key Size
1024, 2048, or 4096-bit OpenPGP encryption sub-key size. Enabled when the Generate OpenPGP checkbox is selected. This is only necessary if you wish to generate a certificate to be used for OpenPGP encryption and an encryption sub-key is required.
OpenPGP Key Does Not Expire
When selected, the generated OpenPGP key will never expire. Otherwise, the OpenPGP key will expire when the User Certificate expires. Enabled when the Generate OpenPGP checkbox is selected.

Import OpenPGP

Used for OpenPGP encryption for an existing key.

OpenPGP Key
OpenPGP secret key. Browse/type for the OpenPGP filename.
Private Key Password
This must be the same password as the existing key.

SSH FTP Key

SSH FTP Key - to use an existing key for SSH FTP authentication. Enter the following information and click Import to read the key information. The Common Name and Email fields will be completed using the key information.

SSH FTP Key
SSH FTP private key. Browse/type for the SSH filename.
Private Key Password
This must be the same password as the existing key.
 

Related articles

Comments

0 comments

Please sign in to leave a comment.