Creating a Certificate Signing Request (CSR) and key for each of your AE Services servers

Last Updated: Sep 22, 2020

Procedure

  1. Log in to the AE Services Management console of the server for which you need to create the certificate.
  2. Navigate to Security > Certificate Management > Server Certificate > Add
    1. To select the Certificate Alias, select the appropriate alias for the certificate.
      • Select cmtls for the Transport Service certificate

      • Select aeservices for the CVLAN, DLG, DMCC and TSAPI certificates. If cmtls is not specified, and the switch connection Provide AE Services certificate to switch option is enabled, this certificate will be used for the Transport Service.

      • Select web for the Apache and Tomcat certificates.

      • Select ldap for the LDAP certificate.

      • Select rsyslog for remote logging.

      • Select server to include all certificates (cmtls, aeservices, web, and ldap) as a second preference.

    2. To select the Enrollment Method, select Manual from the drop-down menu.
    3. To select the Encryption Algorithm, select 3DES from the drop-down menu.
    4. Enter a password in the Password field. This password will be used to encrypt the private key associated with the certificate. The encrypted private key will be kept on the AE Services server. Re-enter the password for verification.
    5. To select the Key Size, select 2048 from the drop-down menu.
    6. Under Signature Algorithm, select sha256 from the drop-down menu. If your client does not support sha256, select sha1.
    7. For the Certificate Validity, enter the number of days you want this certificate to be valid. For example, for 5 years, it would be 1825 days.
    8. To set the Distinguished Name (DN), enter values following the hints below:
      • C=US

      • ST=CO

      • L=yourCity

      • O=YourCompanyName

      • OU=yourOrg

      • CN=aeshostname

      Note:

      The C value (US), the ST value (CO) and the O value (YourCompanyName) must match the country name, state name and company name of the CA certificate for the CA certificate to be able to sign the CSR.

      The Distinguished Name (DN) field must not contain any wildcard character, that is, an asterisk (*), double dots (..) or a question mark (?).

    9. Modify the Key Usage by holding down the Ctrl key on the keyboard. Select the Digital Signature, Non-repudiation, Key encipherment, and Data encipherment options.
    10. To set the Extended Key Usage, hold down the Ctrl key on the keyboard. Select the SSL/TLS Web Server Authentication and SSL/TLS Web Client Authentication options. Leave all other fields empty.
    11. Click Apply
  3. From the Server Certificate Manual Enrollment Request page, copy the CSR in the window, starting with -----BEGIN CERTIFICATE REQUEST----- and ending with -----END CERTIFICATE REQUEST-----. Save the CSR to a file named myserver.req in the /certificate directory on the server where the CA certificate was created.
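Before signing, the two DN rules from the Note in step 8 can be checked on the CA server. The script below is an added example, not part of the AE Services documentation; it assumes `openssl` is installed there, and the function names and the CA file name `ca.crt` are hypothetical.

```shell
#!/bin/sh
# Subjects are RFC 2253 strings, for example from:
#   openssl req  -in myserver.req -noout -subject -nameopt RFC2253
#   openssl x509 -in ca.crt -noout -subject -nameopt RFC2253  (ca.crt: assumed name)
# Limitation: the simple comma split does not handle escaped commas (\,) in values.

# dn_attr DN ATTR: print the value of the first ATTR= component of DN.
dn_attr() {
    printf '%s\n' "$1" | sed 's/^subject= *//' | tr ',' '\n' |
        sed -n "s/^ *$2=//p" | head -n 1
}

# dn_has_wildcard DN: return 0 if DN contains *, ? or a double dot.
dn_has_wildcard() {
    case "$1" in
        *'*'*|*'?'*|*..*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_csr_dn CSR_DN CA_DN: return 0 only if the CSR subject has no wildcard
# characters, a non-empty CN, and the same C, ST and O as the CA subject.
check_csr_dn() {
    csr_dn=$1 ca_dn=$2 rc=0
    if dn_has_wildcard "$csr_dn"; then
        echo "FAIL: DN contains a wildcard character (*, .. or ?)" >&2
        rc=1
    fi
    for attr in C ST O; do
        if [ "$(dn_attr "$csr_dn" "$attr")" != "$(dn_attr "$ca_dn" "$attr")" ]; then
            echo "FAIL: $attr differs from the CA certificate" >&2
            rc=1
        fi
    done
    [ -n "$(dn_attr "$csr_dn" CN)" ] || { echo "FAIL: CN is empty" >&2; rc=1; }
    return $rc
}

# Run as: sh check_dn.sh myserver.req ca.crt   (script name is an assumption)
if [ "$#" -eq 2 ]; then
    check_csr_dn "$(openssl req -in "$1" -noout -subject -nameopt RFC2253)" \
                 "$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253)" &&
        echo "DN checks passed"
fi
```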