Generating a certificate signing request

To generate a new private encryption key and certificate-signing request, complete the following steps:

  1. In the navigation pane, click MM Control → Security.
  2. In the SSL Server Configuration for Web Server section, make sure that the SSL server is disabled. If it is not disabled, select Disabled in the SSL Server field; then, click Save.
  3. In the SSL Server Certificate Management section, select Generate a New Key and a Certificate Signing Request. A page similar to the one in the following illustration is displayed.
    Graphic illustrating the SSL Certificate Signing Request page.
  4. Type the information in the required fields and any optional fields that apply to your configuration. The fields are the same as for a self-signed certificate, with some additional fields. The following sections describe each of the common fields.
    • Required certificate data

      The following user-input fields are required for generating a self-signed certificate or a certificate-signing request:

      Country
      Use this field to indicate the country in which the management module is located. This field must contain the 2-character country code.
      State or Province
      Use this field to indicate the state or province in which the management module is located. This field can contain a maximum of 30 characters.
      City or Locality
      Use this field to indicate the city or locality in which the management module is located. This field can contain a maximum of 50 characters.
      Organization Name
      Use this field to indicate the company or organization that controls the management module. When this information is used to generate a certificate-signing request, the issuing certificate authority can verify that the organization that is requesting the certificate is legally entitled to claim ownership of the given company or organization name. This field can contain a maximum of 60 characters.
      MM Host Name
      Use this field to indicate the management-module host name that appears in the browser Web address field.

      Make sure that the value that you typed in the MM host name field exactly matches the host name as it is known by the Web browser. The browser compares the host name in the resolved Web address to the name in the certificate. To prevent certificate warnings from the browser, the value that is used in this field must match the host name that is used by the browser to connect to the management module. For example, if the Web address in the address field is http://mm11.xyz.com/private/main.ssi, the value that is used for the MM Host Name field must be mm11.xyz.com. If the Web address is http://mm11/private/main.ssi, the value that is used must be mm11. If the Web address is http://192.168.70.2/private/main.ssi, the value that is used must be 192.168.70.2.

      This certificate attribute is generally referred to as the common name.

      This field can contain a maximum of 60 characters.

    • Optional certificate data

      The following user-input fields are optional for generating a self-signed certificate or a certificate-signing request:

      Contact Person
      Use this field to indicate the name of a contact person who is responsible for the management module. This field can contain a maximum of 60 characters.
      Email Address
      Use this field to indicate the email address of a contact person who is responsible for the management module. This field can contain a maximum of 60 characters.
      Organizational Unit
      Use this field to indicate the unit within the company or organization that controls the management module. This field can contain a maximum of 60 characters.
      Surname
      Use this field for additional information, such as the surname of a person who is responsible for the management module. This field can contain a maximum of 60 characters
      Given Name
      Use this field for additional information, such as the given name of a person who is responsible for the management module. This field can contain a maximum of 60 characters.
      Initials
      Use this field for additional information, such as the initials of a person who is responsible for the management module. This field can contain a maximum of 20 characters.
      DN Qualifier
      Use this field for additional information, such as a distinguished name qualifier for the management module. This field can contain a maximum of 60 characters.
      Years Valid
      This field is present onlyfor an SSL server; it is not shown for an SSL client.
    • Certificate-signing request attributes

      The following fields are optional unless they are required by your selected certificate authority:

      Challenge Password
      Use this field to assign a password to the certificate-signing request. This field can contain a maximum of 30 characters.
      Unstructured Name
      Use this field for additional information, such as an unstructured name that is assigned to the management module. This field can contain a maximum of 60 characters.
  5. After you complete the information, click Generate CSR. The new encryption keys and CSR are generated. This process might take several minutes. A page similar to the one in the following illustration is displayed when the process is completed.
    Graphic illustrating the Download CSR page.
  6. Click Download CSR; then, click Save to save the file to your computer. The file that is produced when you create a certificate-signing request is in DER format. If your certificate authority expects the data in some other format, such as PEM, you can convert the file by using a tool such as OpenSSL (http://www.openssl.org). If the certificate authority asks you to copy the contents of the certificate-signing request file into a Web page, PEM format is usually expected. The command for converting a certificate-signing request from DER to PEM format through OpenSSL is similar to the following command:
                      openssl req -in csr.der -inform DER -out csr.pem -outform PEM
                   
  7. Send the certificate signing request to your certificate authority. When the certificate authority returns your signed certificate, you might need to convert the certificate to DER format. (If you received the certificate as text in an e-mail or a Web page, it is probably in PEM format.) You can change the format by using a tool that is provided by your certificate authority or by using a tool such as OpenSSL (http://www.openssl.org). The command for converting a certificate from PEM to DER format is similar to the following command
                      openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER 
                   

    Go to step 8 after the signed certificate is returned from the certificate authority.

  8. In the navigation pane, click MM Control → Security. Scroll to the SSL Server Certificate Management section, which looks similar to the page in the following illustration.
    Graphic illustrating the SSL Server Certificate Management page.
  9. Select Import a Signed Certificate. A page similar to the one in the following illustration is displayed.
    Graphic illustrating the Import a Signed Certificate page.
  10. Click Browse.
  11. Click the certificate file that you want; then, click Open. The file name (including the full path) is displayed in the field next to the Browse push button.
  12. Click Import Server Certificate to begin the process. A progress indicator is displayed as the file is transferred to storage on the management module. Continue displaying this page until the transfer is completed.