To generate a custom Private Key and Certificate Signing Request:
NOTE: The following instructions are for the Linux command-line OpenSSL tool. They also assume the presence of an openssl.cnf file, in the OpenSSL executable directory or on the system path, containing the configuration details needed to gather the required fields. For information about how to use a GUI-based CSR or key generation tool, see the tool manufacturer's instructions.
For information about creating the openssl.cnf file, see the OpenSSL documentation at openssl.org.
NOTE: The following instructions generate a PEM-formatted RSA private key and CSR without a password to secure the private key. Make sure to secure the private key file against unauthorized access, as it can be used to impersonate your server. For instructions on how to create a PKCS#12-formatted private key, see openssl.org. The instructions to create an elliptic-curve private key are similar to these and are available at openssl.org.
- Open a command-line window into a folder where the private key can be created.
- Run the following command to create the private key and CSR:
openssl req -newkey rsa:2048 -nodes -keyout private_key.pem -out your_domain.csr
This command generates two files in the current directory. First, it creates a 2048-bit RSA private key and writes it to private_key.pem. It then prompts for the data needed to create the certificate signing request and writes the CSR to your_domain.csr.
IMPORTANT: The file private_key.pem is the private key for your certificate. Anyone with access to this key can impersonate your server/domain. We recommend that you run these commands on the command line of the appliance so that the key never actually leaves the secure environment. If you run these commands outside the appliance, make sure to protect this file from unauthorized access. Remember that the appliance has no way to provide a password to unlock the private key, so a password can't be used to encrypt the file.
- Provide the Certificate Signing Request (the file named 'your_domain.csr') to your domain registrar for signing.
- See the instructions in Solution 1 to concatenate the files together and upload them to the appliance.
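
The steps above as a scripted sketch with pre-submission checks. This is an added example, not part of the original instructions. It assumes non-interactive use, so -subj replaces the prompts, and the function names, output directory and subject value are hypothetical.

```shell
# Added example (not from the original article). The output directory and
# subject string passed by the caller are placeholders.

# Generate the key and CSR as in the step above, but under a restrictive umask
# so the unencrypted key is never group- or world-readable, and with -subj
# (assumption: non-interactive use) instead of the interactive prompts.
make_key_and_csr() {
    outdir=$1
    subject=$2
    (
        umask 077
        mkdir -p "$outdir" && cd "$outdir" || exit 1
        openssl req -newkey rsa:2048 -nodes \
            -keyout private_key.pem -out your_domain.csr \
            -subj "$subject" 2>/dev/null
    )
}

# Succeeds only if group and others have no permission bits on the file.
key_is_owner_only() {
    perms=$(ls -l "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Succeeds only if the CSR's self-signature verifies and its public key is
# the one derived from the given private key.
csr_matches_key() {
    key_file=$1
    csr_file=$2
    openssl req -in "$csr_file" -noout -verify >/dev/null 2>&1 || return 1
    key_pub=$(openssl pkey -in "$key_file" -pubout 2>/dev/null) || return 1
    csr_pub=$(openssl req -in "$csr_file" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}
```

Call make_key_and_csr with an output directory and a subject such as /CN=your_domain, then run both checks before sending the CSR for signing.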