Generating a certificate signing request (CSR)

A certificate signing request (CSR) is a file that contains the encoded information needed to request a certificate from a certificate authority. After you generate the CSR, you can submit it to the authority.

To generate a CSR:

Procedure

  1. SSH in to the SMU as user manager, enter su -, and enter the root password.

  2. Enter cert-gencsr.sh.

  3. Copy and paste the CSR that is displayed into the website of the certificate authority.

    Alternatively, copy the CSR from the following file on the SMU: /etc/opt/mercury-papi/ssl/certreq.csr

Installing certificates (on an external SMU)

After obtaining the signed certificate from the certificate authority (CA):

Procedure

  1. Copy the certificate provided by the CA to the SMU (for example, use the scp command to copy the certificate to /home/manager/signedcert-der.p7).

  2. If necessary, provide the certificate authority’s trusted certificate chain as a file (for example, /home/manager/veritas.pem). The SMU already includes popular certificate authority trust chains, so this step can typically be skipped.

    Note: The content of the certificate and trust chain files should only start with -----BEGIN and end with -----END CERTIFICATE-----.
  3. Log in to the SMU as user manager, enter su -, and enter the root password.

  4. If you are using your own private/corporate CA, you will probably need to import that CA certificate.

    • If the root CA certificate and your signed certificate are bundled into a single file (usually a .p7b file): Enter cert-import.sh -p <path to> to import your signed certificate and the certificate authority certificate.
    • If the root CA certificate is in a separate file from your certificate: Enter cert-importtrustchain.sh -p <path to root CA cert file> -a <unique alias> to import the certificate authority certificate (usually a .cer file). This is optional and is only required if the Java keystore does not already trust the root CA. This might require multiple files or chains, so repeat as necessary. Then enter cert-import.sh -p <path to cert file> to import your signed certificate reply (usually a .p7b file).

      The default SMU SSL certificate is now replaced by your CA-signed certificate.

    • If you already have a certificate with a private key, you do not need to generate a new signing request. Instead, concatenate all your certificates into a single file in PEM or DER format, starting with the end-entity/leaf certificate, followed by any intermediate certificates. Append the private key to this file as well, and then enter cert-importprivatekey.sh -p /path/to/certs_with_key.pem to import your signed leaf and intermediate certificates and your private key.

    Note: Any unique alias may be used. If the alias already exists in the SMU’s keystore, you will be prompted to replace the old certificate or cancel the import.
  5. When prompted to overwrite the existing certificate, enter y.

  6. Restart the web server when prompted so that it can start to use the new SSL certificate.

  7. Close and restart any browsers used to connect to the SMU.

    Restarting the browser is required to purge the browser of any previously negotiated SSL session values. When logging into the SMU after restarting the browser, the new SSL certificate is provided.
  8. As needed, enter cert-showall.sh to display and verify the contents (SSL certificate and trust chain) of the keystore.
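
The note in step 2 (certificate and trust chain files should contain only -----BEGIN ... -----END CERTIFICATE----- blocks) can be checked before running the import scripts. The following is an added example, not part of the SMU scripts or the original documentation: check_pem is a hypothetical helper that assumes awk is available, applies to PEM certificate files only (not a file with a private key appended), and is shown with constructed sample files.

```sh
#!/bin/sh
# check_pem FILE: succeed only if FILE holds nothing but CERTIFICATE PEM blocks.
# Prints the number of blocks found. Blank lines between blocks are tolerated
# (an assumption of this sketch); any other stray text is rejected.
check_pem() {
    awk '
    function fail(msg) { print FILENAME ": " msg > "/dev/stderr"; bad = 1; exit 1 }
    { sub(/\r$/, "") }                          # accept CRLF line endings
    /^-----BEGIN / {
        if (inblk) fail("BEGIN inside a block, line " NR)
        if ($0 != "-----BEGIN CERTIFICATE-----") fail("not a certificate block, line " NR)
        inblk = 1; body = 0; next
    }
    /^-----END / {
        if (!inblk || $0 != "-----END CERTIFICATE-----") fail("unexpected END, line " NR)
        if (body == 0) fail("empty block, line " NR)
        inblk = 0; certs++; next
    }
    inblk {
        if ($0 !~ "^[A-Za-z0-9+/=]+$") fail("non-base64 data, line " NR)
        body++; next
    }
    /[^ \t]/ { fail("text outside a certificate block, line " NR) }
    END {
        if (bad) exit 1
        if (inblk) { print FILENAME ": missing END line" > "/dev/stderr"; exit 1 }
        if (certs == 0) { print FILENAME ": no certificate found" > "/dev/stderr"; exit 1 }
        print certs
    }' "$1"
}

# Constructed sample files (placeholder base64, not real certificates).
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'TUlJQ2xlYWY=' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'TUlJQ2ludGVy' '-----END CERTIFICATE-----' > "$demo/chain.pem"
# The same chain with attribute text in front of the first block.
{ printf '%s\n' 'Bag Attributes' '    friendlyName: smu'; cat "$demo/chain.pem"; } > "$demo/bag.pem"

check_pem "$demo/chain.pem"                     # prints 2
check_pem "$demo/bag.pem" || echo "bag.pem rejected: remove the extra text before importing"
rm -rf "$demo"
```

The helper checks file layout only; it does not validate signatures, expiry, or chain order.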

Recreating the default SMU certificate

If there are problems when trying to create/import an SSL certificate, the SMU's default certificate may be recreated.

To recreate the default certificate:

Procedure

  1. Log in to the SMU as the user manager, enter su -, and enter the root password.

  2. Enter cert-gendefault.sh.

  3. When prompted to overwrite the existing certificate, enter y.

  4. Restart the web server when prompted so that it can use the new SSL certificate.

  5. Close and restart any browsers that are connected to the SMU.

    Restarting the browser is required to purge the browser of any previously negotiated SSL session values. When logging into SMU after restarting the browser, the new SSL certificate will be provided.
