How can I create a CSR (Certificate Signing Request)?
Applicable products
SNS appliances
Description
If you want to get an SSL certificate from a valid organisation (such as Verisign or Thawte), you have to generate a CSR for the machine where the certificate will be installed and submit it to one of those organisations. The organisation will then generate the real certificate that you will use during secure communications. This SSL certificate is used, for example, to move a website from http to https or to use pop3s, imaps or smtps. The certificate assures people that they are dealing with the right organisation.
Procedure
Here is how you can create a CSR on the UTM:
- Connect to your Stormshield product through SSH
- Execute the command:
cli
- Enter the password for the admin user.
- Enter the command:
MODIFY ON FORCE
- To get a list of option arguments, type:
PKI REQUEST CREATE help
- This is the minimal set of arguments to create the request. Modify the next command to suit your needs:
PKI REQUEST CREATE type=server CN=stormshield.com C=FR ST=HDF L=VDA O=Stormshield OU=TAC shortname=mycertname
If you want to protect the private key of the future certificate with the TPM, you can use the token "tpm=ondisk":
PKI REQUEST CREATE type=server CN=stormshield.com C=FR ST=HDF L=VDA O=Stormshield OU=TAC shortname=mycertname tpm=ondisk
- Enter command:
quit
to leave the nsrpc mode.
- In the ~/ConfigFiles/Certificates directory you will find:
  - the CSR file (e.g. mycertname.req.pem)
  - the private key (e.g. mycertname.req.pkey.pem)
Once you retrieve the certificate signed by your external authority (most likely a .pem file), you will be able to:
- Import the certificate file through the PKI panel in GUI
- Move the private key to the right path in SSH, e.g.:
cd ~/ConfigFiles/Certificates
mv mycertname.req.pkey.pem CAFOLDER/mycertname.pkey.pem
In this example, CAFOLDER will be the folder containing the external CA.
Notice that in the file name mycertname.pkey.pem, the term "req" specific to a CSR has been removed.
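Before importing the signed certificate and renaming the key, it is worth confirming that the file returned by the authority carries the same public key as the CSR you submitted. The script below is an added example, not part of the original article or of Stormshield tooling; it assumes OpenSSL on an administration workstation and only reads the CSR and the certificate (both public). The function names and the file name signed.pem are hypothetical.

```shell
#!/bin/sh
# Added example (not Stormshield code). Works on public files only:
# the CSR and the certificate returned by the authority.

# Succeeds (0) only if the certificate carries the same public key as the
# CSR, so it pairs with the private key created alongside that CSR.
# Returns 2 if either file cannot be parsed.
csr_matches_cert() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$crt_pub" ]
}

# Prints the key file name to use after import: the ".req" marker is dropped.
final_key_name() {
    printf '%s\n' "$1" | sed 's/\.req\.pkey\.pem$/.pkey.pem/'
}

# Constructed demo: throwaway key and CSR, plus a self-signed certificate
# standing in for the authority's reply (signed.pem is a hypothetical name).
demo() {
    d=$(mktemp -d) || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/C=FR/O=Example/CN=test.example" \
        -keyout "$d/mycertname.req.pkey.pem" -out "$d/mycertname.req.pem" 2>/dev/null
    openssl x509 -req -in "$d/mycertname.req.pem" -days 1 \
        -signkey "$d/mycertname.req.pkey.pem" -out "$d/signed.pem" 2>/dev/null
    # Review the subject that was actually requested.
    openssl req -in "$d/mycertname.req.pem" -noout -subject
    if csr_matches_cert "$d/mycertname.req.pem" "$d/signed.pem"; then
        echo "certificate matches CSR; key file becomes:" \
             "$(final_key_name mycertname.req.pkey.pem)"
    else
        echo "certificate does NOT match this CSR; do not import" >&2
    fi
    rm -rf "$d"
}
demo
```

A mismatch means the authority signed a different request, and the private key on the appliance will not work with that certificate.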
