15.4 Generating a Certificate Signing Request

  1. Click Security > Certificates > New.

  2. To create a certificate signing request (CSR), select Use external certificate authority.

    This option generates a CSR for you to send to the CA for signing. A third-party CA is managed by a third party outside of the eDirectory tree. An example of a third-party CA is VeriSign. After the signed certificate is received, you need to import the certificate.

  3. Specify a Certificate name.

    Pick a unique, system-wide name for the certificate that you can easily associate with the certificate’s purpose. The name must contain only alphanumeric characters and no spaces.

  4. Click the Edit button to display a dialog box that lets you add appropriate locality information types for the subject name.

    For more information, see Section 15.2, Editing the Subject Name.

  5. Click OK, then fill in the following fields:

    Signature algorithm: The algorithm you want to use (SHA-256 or SHA-512).

    Valid from: The date from which the certificate is valid. For externally signed certificates, the external certificate authority sets the validity period.

    Months valid: The number of months that the certificate is valid.

    Key size: The size of the key. Select 512, 1024, 2048, or 4096.

  6. (Conditional) If you are creating a key for a certificate authority, click Advanced Options, then configure the following:

    This key is for a Certificate Authority: Select this option.

    Critical: Enforces the basic constraints you specify. Select one of the following:

    • Unlimited: Specifies no restriction on the number of subordinate certificates that the CA can verify.

    • Do not allow intermediate signing certificates in certificate chain: Prevents the CA from creating other CAs, but it can create server or user certificates.

    • Number of allowable intermediate signing certificates in signing chain: Specifies how many subordinate certificates are allowed in the certificate chain. Values must be 1 or more. Entering 0 creates only entity objects.

  7. Click OK.

  8. Click the name of the certificate, copy the CSR data, and send the information to the external CA.

    The certificate status is CSR Pending until you import the signed certificate.

  9. Click Close.

  10. When you receive the signed certificate and the trusted root (CA chain), continue with Importing a Signed Certificate.
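
Before sending the CSR in step 8, it is worth confirming that the copied text is intact and carries the subject, key size and signature algorithm chosen in steps 3 to 5. The script below is an added example, not part of the product or its documentation; it uses the openssl command-line tool, and the 2048-bit minimum, the function names and the sample subject are assumptions of this example.

```shell
#!/bin/sh
# Added example: sanity-check a CSR copied from the console before sending it to the CA.
MIN_BITS=2048   # assumed policy floor; the console also offers 512 and 1024

# check_csr FILE: prints findings, returns 0 only if every check passes.
check_csr() {
  local csr text bits sigalg rc
  csr=$1; rc=0
  # A truncated or mangled paste fails to parse at all.
  text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || {
    echo "FAIL: not a parseable PEM CSR"; return 1; }
  # The self-signature covers the subject and public key. Match the message
  # text rather than trusting the exit status alone.
  if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
    echo "FAIL: self-signature does not verify"; rc=1
  fi
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  if [ -z "$bits" ] || [ "$bits" -lt "$MIN_BITS" ]; then
    echo "FAIL: key size ${bits:-unknown} is below $MIN_BITS"; rc=1
  fi
  # Step 5 offers SHA-256 or SHA-512; anything else is unexpected.
  sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  case "$sigalg" in
    *[Ss][Hh][Aa]256*|*[Ss][Hh][Aa]512*) ;;
    *) echo "FAIL: signature algorithm ${sigalg:-unknown}"; rc=1 ;;
  esac
  # Shown so the operator can compare it with the subject name entered in step 4.
  openssl req -in "$csr" -noout -subject 2>/dev/null
  return "$rc"
}

# make_sample_csr BITS DIR: writes DIR/sample.csr, a constructed stand-in for
# the console's CSR text (hypothetical subject, throwaway key).
make_sample_csr() {
  openssl req -new -newkey "rsa:$1" -nodes -sha256 \
    -subj "/O=Example/CN=idp.example.com" \
    -keyout "$2/sample.key" -out "$2/sample.csr" 2>/dev/null
}

# Usage: sh check_csr.sh request.csr
if [ -n "${1:-}" ]; then check_csr "$1"; fi
```

Save the CSR text copied from the console to a file and pass its path as the only argument; a non-zero exit status means at least one check failed.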