To acquire a CA-signed certificate, you must first generate a self-signed user certificate. This will implicitly generate or import a public-private key pair.
- In the web UI, go to . In the native UI, go to or click the Certificates button in the tool bar.
- Right-click the Users store in the tree pane and select .
The Generate Certificate dialog box appears. - Enter information about the certificate you want to generate.
See User certificate reference for information about the fields in the dialog box. - After you finish entering required information, click OK.
After the key-pair and certificate are created, the certificate is added under Users in the tree pane.Note: Because generating a self-signed certificate might take some time because it could involve public-private key pair generation.
Generating a new self-signed user certificate based on an existing certificate
You can use the Certificate Manager to generate a new self-signed certificate based on the contents of an existing certificate. This is useful in situations where a self-signed certificate has expired and needs to be regenerated, or you want to generate a new self-signed certificate using the same information as an existing certificate.
- In the web UI, go to . In the native UI, go to or click the Certificates button in the tool bar.
- Right-click the existing certificate in the Users store and select .
- A new Generate User X.509 Certificate dialog is displayed with all the information from the original certificate except the User Alias and Private Key Password.
- Enter new values in the User Alias, Private Key Password and Confirm Password fields, and then click OK.
For information about these fields, see User certificate reference.
- The new self-signed certificate is created and added to the Users store.
User certificate reference
User Information and Usage Information
| Field | Description |
|---|---|
| User Alias | An arbitrary name for the certificate (for example, CLEO) |
| Common Name | A user name for client-style certificates; a fully qualified computer name (or registered IP address) for server-style certificates (for example, cleo.com). This field may be completed when importing OpenPGP or SSH FTP keys. |
| Administrator email address, for example, user@cleo.com. This field may be completed when importing OpenPGP or SSH FTP keys. | |
| Organization Unit | This could be a company department (for example, Cleo Engineering, or Cleo Production) |
| Organization | Official company name (for example, Cleo Communications, Inc.) |
| City | Complete city name (for example, Loves Park) |
| State | State name (for example, Illinois) |
| Country | Two characters (for example, US). Select from pull-down menu. |
| Signature Algorithm |
SHA-256 is recommended for RSA certificates. SHA-1 is the only valid signature algorithm for DSA certificates. The appropriate algorithm is configured and this is field is disabled after importing OpenPGP or SSH FTP keys. |
| DigitalSignature | Set if certificate is to be used for SSL client or signing. This field should generally be checked for AS2, AS3, or ebMS. |
| KeyEncipherment | Set if certificate is to be used for SSL server or encryption. This field should generally be checked for AS2, AS3, or ebMS. |
| clientAuth | Set if certificate is to be used for TLS client. Not applicable to AS2, AS3, or ebMS. |
| serverAuth | Set if certificate is to be used for TLS server. Not applicable to AS2, AS3, or ebMS. |
| Subject Key Identifier | Set if the Subject Key Identifier extension is to be generated. This extension is used as a means of identifying the particular public key being used. |
| Valid For | The number of months that this certificate will be valid. By default, it is set to 24 months, but may be increased up to 96 months. |
Generate Private
Used to generate a new public/private key pair.
| Field | Description |
|---|---|
| Private Key Size | 512, 1024, 2048, 3072 or 4096 for RSA certificates. 512 or 1024 for DSA certificates. 256, 384 or 521 for ECDSA certificates. 256 for ED25519 certificates. The larger the key size, the stronger the encryption; however, depending on your platform and/or CPU speed, generating certificates with private key sizes greater than 2048 bits may take several minutes. (2048 is the default for RSA certificates. 1024 is the default for DSA certificates. 256 is the default for ECDSA certificates.) |
| Algorithm | Defaults to RSA, which is the de facto standard. DSA is also available. ECDSA and ED25519 are also available, but are only valid for SSH FTP usage. Note: ED25519 is not supported in FIPS mode. |
| Private Key Password | This is an arbitrary password. This password can be any combination of letters, numbers, or special characters. |
| Confirm Password | Re-enter the private key password. |
| Encryption Sub-key Size | 1024, 2048, or 4096-bit OpenPGP encryption sub-key size. Enabled when the Generate OpenPGP checkbox is selected. This is only necessary if you wish to generate a certificate to be used for OpenPGP encryption and an encryption sub-key is required. |
| OpenPGP Key Does Not Expire | When selected, the generated OpenPGP key will never expire. Otherwise, the OpenPGP key will expire when the User Certificate expires. Enabled when the Generate OpenPGP checkbox is selected. |
Import OpenPGP
Used for OpenPGP encryption for an existing key.
| Field | Description |
|---|---|
| OpenPGP Key | OpenPGP secret key. Browse/type for the OpenPGP filename. |
| Private Key Password | This must be the same password as the existing key. |
SSH FTP Key
SSH FTP Key - to use an existing key for SSH FTP authentication. Enter the following information and click Import to read the key information. The Common Name and Email fields will be completed using the key information.
| Field | Description |
|---|---|
| SSH FTP Key | SSH FTP private key. Browse/type for the SSH filename. |
| Private Key Password | This must be the same password as the existing key. |
Comments
0 comments
Please sign in to leave a comment.