How do I generate a Certificate Signing Request and import a signed certificate?
03/26/2020
The process for generating a Certificate Signing Request (CSR) and importing the Certificate Authority (CA) signed certificate is very straightforward, but it allows no flexibility.
File names are required to be exact.
The server.key file created with the server.csr is required to install the resulting CA signed certificate.
If a password is used in creating the CSR it will be required to import the certificate.
This is a security appliance and the integrity of the certificate is critical to that security.
To generate a Certificate Signing Request (CSR):
Select System in the left-hand menu. Then select Certificates.
Click on the 'Generate CSR' button.
Fill out the form. The country is a two-letter code (e.g. US for the United States of America).
If you enter a Private Key Password, that password will be required to import the resulting certificate.
Please read carefully. This is simple but it must be exactly as described to allow a certificate to be imported.
When generating a CSR, the system outputs a zip file containing two files: server.csr and server.key.
To import a CA signed certificate, you must have a zip file containing two files named server.crt and server.key.
The server.key file required to import the certificate is the same server.key file that was generated with the CSR.
When pulling the CA signed certificate, the format of the certificate should be the one for an Apache server.
The CA will typically provide two certificate files. One will contain the word 'bundle' in the name. This file contains the CA intermediate and root certificates. That certificate bundle is imported by clicking on the 'Import Ca Certificate' button under System > Certificates.
The second .crt file the CA provides will be the CA signed certificate. It may be named <FQDN>.crt or <random character string>.crt. Rename this file to server.crt.
Create a zip file containing the server.key and server.crt files and nothing else. The zip file name must end in .zip but otherwise may be named whatever you wish.
When your certificate is about to expire and you need a new CA signed certificate, the CA can generate a new one from the previous CSR. If they do that, you will still require the server.key file originally generated with the CSR and the private key password that was entered when the CSR was generated.
The server.key file can be recovered by exporting the soon-to-expire certificate. That zip file will contain the server.crt file and the server.key file.
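The packaging rules above can be checked before uploading. The following Python sketch is an added example, not part of the original article or the appliance's software: it builds the import zip and verifies that it holds exactly server.crt and server.key with no folders or extra files. The function names are hypothetical, and PEM encoding is assumed because that is the usual Apache download format.

```python
import io
import zipfile

REQUIRED = {"server.crt", "server.key"}  # exact member names the article requires

def build_import_zip(crt_pem, key_pem):
    """Return zip bytes holding only server.crt and server.key, no folders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("server.crt", crt_pem)
        zf.writestr("server.key", key_pem)
    return buf.getvalue()

def check_import_zip(data):
    """Return a list of problems; an empty list means the layout is as described."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if len(names) != 2 or set(names) != REQUIRED:
            return ["zip must hold exactly server.crt and server.key, found %s" % sorted(names)]
        crt, key = zf.read("server.crt"), zf.read("server.key")
    problems = []
    # Assumption: PEM encoding, which is what a CA's Apache download normally is.
    certs = crt.count(b"-----BEGIN CERTIFICATE-----")
    if certs == 0:
        problems.append("server.crt is not a PEM certificate")
    elif certs > 1:
        problems.append("server.crt holds %d certificates; the bundle is imported separately" % certs)
    if b"PRIVATE KEY-----" not in key:
        problems.append("server.key is not a PEM private key")
    return problems

def key_needs_password(key_pem):
    """True if the PEM key is encrypted (PKCS#8 or legacy OpenSSL header)."""
    return b"BEGIN ENCRYPTED PRIVATE KEY" in key_pem or b"Proc-Type: 4,ENCRYPTED" in key_pem

if __name__ == "__main__":
    # Constructed placeholders, not real key material.
    crt = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    key = b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END ENCRYPTED PRIVATE KEY-----\n"
    archive = build_import_zip(crt, key)
    print(check_import_zip(archive), key_needs_password(key))
```

This checks the archive layout and file types only; it does not prove that server.crt was issued for the CSR that belongs to this server.key.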