This article explains how to create a Certificate Signing Request (CSR) for an SSL certificate and then import the certificate to Symantec Encryption Management Server.
Services such as clustering and web messenger use the SSL/TLS protocol and require a server-side SSL/TLS certificate that contains the host name of the server on which the service runs (the name that resolves to the server's IP address). To issue a certificate, the Certificate Authority needs the information contained in a certificate request. The steps below show how to create the CSR and how to import the signed certificate to the network interface of Encryption Management Server.
Generating a Certificate Signing Request (CSR)
- Log into the admin console.
- Navigate to System > Network and click on the Certificates button at the bottom of the page.
- Click Generate CSR.
NOTE: You can also choose to generate a Self Signed Certificate if you do not intend to use an external Certificate Authority.
- Type in the Fully Qualified Domain Name (FQDN) for the server. For example, keys.example.com.
- Type an email address in the Contact Email field.
- Type your organization's name in the Organization Name field.
- Type your organization's unit designation in the Organization Unit field.
- Type a city or locality, as appropriate, in the City/Locality field.
- Type a state or province, as appropriate, in the Province/State field.
- Type a country in the Country field.
- To generate a Certificate Signing Request (CSR), click Generate CSR. If you choose this option, the certificate appears on the Certificates page labeled Pending.
- The New SSL/TLS Certificate dialog box closes and the certificate request is created with the settings you specified. The CSR dialog box then appears, showing the certificate request.
- Copy the contents of the CSR dialog box to a file, then click OK.
- Submit this file to your Certificate Authority (CA).
- The CA will send a server certificate back to you. The CA will also send you the root certificate and any intermediate certificates.
Importing the Certificate Chain
Before you import the server certificate, you must ensure that Encryption Management Server trusts the certificates in the server certificate's issuing chain. Every signed certificate has an issuing chain of certificates. Generally, the Certificate Authority will send you these certificates or direct you to a web site from which you can download them. There is always a root certificate in the signing chain and at least one intermediate certificate. To ensure that Encryption Management Server trusts them, do the following:
- From the admin console, click on Keys / Trusted Keys.
- Click on the Add Trusted Key button.
- Click on the Choose File button, browse to the location of the root certificate and click Open. Note that the certificate must be in Base-64 encoded format, not DER encoded binary format.
- At a minimum, click to enable the option Trust key for verifying SSL/TLS certificates.
- If Encryption Management Server processes email, enable the option Trust key for verifying mail encryption keys.
- Click the Save button.
- Repeat the above steps to import all intermediate certificates.
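As an added example (not part of the original article), the following Python helper prepares the files a CA sends you for the steps above: it converts a DER-encoded binary file to the Base-64 (PEM) form that the Add Trusted Key page requires, and splits a combined bundle into one certificate per entry so that the root and each intermediate can be imported one at a time. The sample bytes at the bottom are constructed stand-ins, not a real certificate.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def der_length(data: bytes):
    """Total encoded length of a DER SEQUENCE, or None if the header is malformed."""
    if len(data) < 2 or data[0] != 0x30:   # X.509 Certificate ::= SEQUENCE
        return None
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def is_der_certificate(data: bytes) -> bool:
    """True when the bytes are exactly one well-formed DER SEQUENCE (binary cert)."""
    return der_length(data) == len(data)

def der_to_pem(data: bytes) -> str:
    """Re-encode DER as the Base-64 (PEM) form the Add Trusted Key page accepts."""
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)

def split_pem_certificates(text: str) -> list:
    """Split a PEM bundle (root + intermediates) into one normalized PEM block each."""
    certs = []
    for b64 in PEM_BLOCK.findall(text):
        raw = base64.b64decode("".join(b64.split()), validate=True)
        if not is_der_certificate(raw):
            raise ValueError("PEM block does not decode to a DER SEQUENCE")
        certs.append(der_to_pem(raw))
    return certs

def prepare_for_import(data: bytes) -> list:
    """One PEM certificate per list entry: converts DER input and splits PEM bundles."""
    if is_der_certificate(data):
        return [der_to_pem(data)]
    certs = split_pem_certificates(data.decode("ascii", errors="replace"))
    if not certs:
        raise ValueError("input is neither a DER certificate nor a PEM certificate bundle")
    return certs

# Constructed sample: a 5-byte DER SEQUENCE standing in for a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_BUNDLE = der_to_pem(SAMPLE_DER) * 2   # root + one intermediate in one file
```

Write each entry returned by prepare_for_import to its own file and import them one at a time with Add Trusted Key.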
Importing the Server SSL Certificate
- Open the server certificate that the Certificate Authority sent you in a text editor and copy all the text to the clipboard.
- From the admin console, click on System / Network and then click the Certificates button.
- Click the plus sign icon in the Import column of the pending certificate you are adding. The Add Certificate to Key dialog box appears.
- Paste the text from the clipboard into the Certificate Block box.
- Click Save.
- Click on System / Network.
- Select the correct Interface from the drop down list.
- Select the new certificate from the Assigned Certificate drop down list.
- Click Save.