------
PKI requests
------
Landais Gabriel

Certificate signing request

A certificate signing request (CSR) contains the public key of the requester together with its identifying information (name, organisation, ...). The first step to obtain a certificate is therefore to generate a key pair: a private key and a public key.

As our PKI is a tool for testing, it is useful for us to know the private keys of the certificates it issues. We can then use any certificate in our tests, to diagnose problems or to run a man-in-the-middle proxy.

The certificate type should be TLS client (consumer) or TLS server (provider). The PKI can manage several CAs, so make sure you know which one should be used. Some sub-CAs may exist, but they should not be used in the general case.

Enter the FQDN (Fully Qualified Domain Name) of your system as the Common Name. Note that for IHE testing we use the name of the system, and we ask that you do not check the CN when verifying certificates.

Request - Request without CSR

In the general case, a request should be made without a CSR. The PKI then generates the key pair and a CSR matching the data you entered.

Request - Request with CSR

For educational purposes, it is also possible to request a certificate from a CSR you generate yourself. A requester may also prefer not to share the private key with the PKI. In that case the CSR must be provided in PEM format.

This tutorial assumes you have {{{http://www.openssl.org/}OpenSSL}} installed on your system; it is available for most platforms.

* Key generation

The following command generates an RSA private key and stores it PEM-encoded, in the traditional format and without encryption (OpenSSL 3.x writes PKCS#8 by default; add -traditional if a consumer insists on the legacy "RSA PRIVATE KEY" layout):

+---------------------------------------------------------------------------------------------------------+
openssl genrsa -out privkey.pem 2048
+---------------------------------------------------------------------------------------------------------+

Be sure to back up the private key (file privkey.pem): there is no way to recover it should it be lost.
The private key is then used as input to the command that generates the Certificate Signing Request (CSR).

* CSR generation

Generate the certificate signing request:

+---------------------------------------------------------------------------------------------------------+
openssl req -new -key privkey.pem -out cert.csr
+---------------------------------------------------------------------------------------------------------+

You will be asked to answer some questions. Use the FQDN of your system as the Common Name; the challenge password and the optional company name can be left blank, as in the transcript below.

+---------------------------------------------------------------------------------------------------------+
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Brittany
Locality Name (eg, city) []:Rennes
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IHE Europe
Organizational Unit Name (eg, section) []:Development Team
Common Name (eg, YOUR name) []:name.system.org
Email Address []:eric.poiseau@inria.fr

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
+---------------------------------------------------------------------------------------------------------+

Request issuing

Your request will be processed by the administrator shortly and will then appear in the certificates list. Once your certificate has been generated, you can download it in various formats. If the PKI holds your private key (because you provided it, or because you did not supply a CSR and let the PKI generate the key pair), keystores in PKCS#12 (p12) and JKS formats can be downloaded directly. Otherwise you can still have keystores generated by providing your private key.
This feature is available in the detailed view of a certificate, in Downloads section.
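The whole "Request with CSR" procedure, carried through as an added example that is not part of the Gazelle PKI documentation or its tooling: key and CSR generation done non-interactively, the two checks a requester should run before uploading cert.csr, and, for the "Request issuing" step, building the PKCS#12 keystore locally from the downloaded certificate so that the private key never has to be handed to the PKI. It assumes OpenSSL 1.1.1 or newer (for -addext); the file names, the DN values and the FQDN name.system.org are illustrative.

```shell
#!/bin/sh
# Added example, not part of the Gazelle PKI documentation or its tooling.
# Covers key + CSR generation with pre-upload checks, and local PKCS#12
# keystore creation once the PKI has returned the certificate.
# Assumes OpenSSL >= 1.1.1. File names, DN values and the FQDN are illustrative.
set -eu

# SHA-256 fingerprint of a PEM public key read on stdin; used to pair keys,
# CSRs and certificates without comparing moduli by hand.
pubkey_fp() { openssl pkey -pubin -outform DER | openssl sha256; }

# Unencrypted RSA private key, PEM-encoded, readable only by its owner.
# OpenSSL 3 writes PKCS#8 ("BEGIN PRIVATE KEY"); add -traditional if a
# consumer insists on the legacy "BEGIN RSA PRIVATE KEY" layout.
gen_key() {
    ( umask 077; openssl genrsa -out "$1" 2048 2>/dev/null )
}

# Non-interactive CSR. The CN is the system FQDN; the same name is also put
# in a subjectAltName because most TLS stacks ignore the CN when validating.
gen_csr() {
    key="$1"; csr="$2"; fqdn="$3"
    openssl req -new -key "$key" -out "$csr" \
        -subj "/C=FR/ST=Brittany/L=Rennes/O=IHE Europe/OU=Development Team/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn"
}

# A CSR is self-signed with the requester's private key; -verify checks that
# signature, i.e. proves possession of the key matching the embedded public key.
csr_signature_ok() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# Guard against uploading a CSR that was built from some other key.
csr_matches_key() {
    k=$(openssl pkey -in "$1" -pubout | pubkey_fp)
    c=$(openssl req -in "$2" -noout -pubkey | pubkey_fp)
    [ "$k" = "$c" ]
}

# Same check for the certificate the PKI hands back.
cert_matches_key() {
    k=$(openssl pkey -in "$1" -pubout | pubkey_fp)
    c=$(openssl x509 -in "$2" -noout -pubkey | pubkey_fp)
    [ "$k" = "$c" ]
}

# Extract the CN from an RFC 2253 subject line ("subject=CN=...,OU=...").
cn_from_subject() { sed -n 's/.*CN=\([^,]*\).*/\1/p'; }

# CN of a CSR ("req") or certificate ("x509"), for comparison with the FQDN.
subject_cn() {
    openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 | cn_from_subject
}

# Package key + certificate (+ optional CA chain file) into a .p12. The export
# password is read from $PKCS12_PASS so it never appears on the command line.
build_p12() {
    key="$1"; cert="$2"; out="$3"; chain="${4:-}"
    cert_matches_key "$key" "$cert"   # refuse to package a mismatched pair
    set -- -export -inkey "$key" -in "$cert" -name "$(subject_cn x509 "$cert")" \
           -passout env:PKCS12_PASS -out "$out"
    if [ -n "$chain" ]; then set -- "$@" -certfile "$chain"; fi
    openssl pkcs12 "$@"
}

# Read the keystore back and return the CN of the end-entity certificate.
p12_cn() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:PKCS12_PASS 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 | cn_from_subject
}
```

The functions are meant to be run in order: gen_key and gen_csr, then csr_signature_ok and csr_matches_key before uploading cert.csr; once the PKI has issued the certificate and you have downloaded it as cert.pem, cert_matches_key and build_p12 (with PKCS12_PASS exported) produce the keystore, and p12_cn confirms what went into it. Recent Java runtimes read PKCS#12 directly; if an older JVM needs a JKS, keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -destkeystore keystore.jks converts it, and if it rejects the .p12 itself, OpenSSL 3 users can add -legacy to the pkcs12 export.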