Obtaining and importing a CA-signed certificate
You may provide your own Certificate Authority (CA) signed certificates, instead of the default "self-signed" certificate.
Use these steps to obtain and import a CA-signed certificate into the server.
Before you begin
Supported certificate encodings are PEM and DER.
The trust chain certificates must be in X.509 format.
The signed certificate must be in X.509 format or a PKCS #7 bundle that includes the trust chain certificates.
Procedure
Create a new certificate. Customize the server's private key to set the required validity period and correct location information.
$ tls-certificate-create-custom --confirm
Generate a CSR (Certificate Signing Request) and send it to the chosen CA. If you already have a certificate with a private key, go to Step 4.
$ tls-certificate-generate-csr
Note: The CA will check the sender's identity. This may take some time.
Depending on what you are provided, perform the appropriate steps:
- If you are given a single X.509 signed certificate and multiple X.509
trust chains:
- Import each certificate of the trust chain provided.
$ tls-certificate-import-trust-chain --confirm --path tc1.cer --alias tc1
$ tls-certificate-import-trust-chain --confirm --path tcn.cer --alias tcn
- Import the signed certificate.
$ tls-certificate-import-signed --confirm --path signed.cer
- If you are given a single PKCS #7 certificate bundle:
Depending on the format of the trust chain and signed certificate, you may import them both at once.
$ tls-certificate-import-signed --confirm --path signed_and_trust_chain
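A pre-import check for the formats listed under "Before you begin", as an added example that is not part of the product or its documentation: it reports whether a file is PEM or DER and whether it holds an X.509 certificate or a PKCS #7 bundle, which decides the import branch above. It inspects only the outer ASN.1 structure and verifies nothing; the function names and sample bytes are constructed for illustration.

```python
import base64
import re

# DER bytes (tag, length, value) of OID 1.2.840.113549.1.7.2, PKCS #7 signedData.
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# Constructed sample inputs: minimal ASN.1 shells, not real certificates.
SAMPLE_X509 = bytes.fromhex("30053003020100")
SAMPLE_PKCS7 = bytes.fromhex("300d06092a864886f70d010702a000")


def der_kind(der):
    """Classify DER bytes by outer ASN.1 shape only; nothing is verified."""
    if len(der) < 4 or der[0] != 0x30:      # both formats open with SEQUENCE
        return "unknown"
    n = der[1]                              # short-form length, or 0x80 | byte count
    body = 2 if n < 0x80 else 2 + (n & 0x7F)
    if der[body:body + len(SIGNED_DATA_OID)] == SIGNED_DATA_OID:
        return "pkcs7"                      # ContentInfo starts with its contentType
    if der[body:body + 1] == b"\x30":
        return "x509"                       # Certificate starts with tbsCertificate
    return "unknown"


def classify(data):
    """Return (encoding, kind, count) for the bytes of a file sent by the CA."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        kinds = {der_kind(base64.b64decode(body)) for _, body in blocks}
        return ("PEM", kinds.pop() if len(kinds) == 1 else "mixed", len(blocks))
    kind = der_kind(data)
    return ("DER" if kind != "unknown" else "unknown", kind, 1)


def branch(data):
    """Name the matching branch of the procedure (hypothetical helper)."""
    _, kind, count = classify(data)
    if kind == "pkcs7":
        return "PKCS #7 bundle"
    if kind == "x509":
        return "single X.509 certificate" if count == 1 else "%d X.509 certificates" % count
    return "unsupported"


if __name__ == "__main__":
    pem = b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_X509) + b"\n-----END CERTIFICATE-----\n"
    for name, data in [("der", SAMPLE_X509), ("p7b", SAMPLE_PKCS7), ("pem x2", pem * 2)]:
        print(name, classify(data), branch(data))
```

A file reported as "unsupported" or "mixed" is worth resolving with the CA before running any import command.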
Results