Introduction: 

When certificates have expired, it will be required to create private key and certificate signing request (CSR) to request for a new certificate.

Question: 

How to generate private key and CSR when an HSM is being used?

Environment:  

In-House or On-Premise CA Transaction Manager customers.

Answer: 

The steps to generate private key and CSR is as follows:

1. Navigate to the following directory: /opt/arcot/bin

This directory contains the pk11util command line utility.

2. Run the pk11 utility to generate a private key and the certificate request by using the following command:

pk11util -module nfast -slot 1 -label <acssignkeyname> -genrsa -genreq <X500 File path> -out <certrequestname>.pem

Example:

pk11util -module nfast -slot 1 -label testlb1 -genrsa -genreq x500test1.txt -out certreq1.pem

Create and have an “X500” file in below format for creating a distinguished name.

Following are few examples of X500 fields:

C=US, S=New York, L=Syracuse, O=Dart, OU=Development, CN=My Machine

C=US, S=Georgia, L=Atlanta, O=MyOrg, OU=Toy Department, CN=John Doe

3. Upload/Send the generated certificate request file to the CA (Certification Authority). The CA returns a signing certificate.

Additional Information:

Tips to create X500 file:

1.    Have all the fields in the same row separated by comma.

2.    If this does not work, have the fields one below the other.

3.    Example fields and their meaning:

Ø  C – Name of the Country

Ø  S – Name of the State

Ø  L – Name of the Locality or City

Ø  O – Name of the Organization

Ø  OU – Organizational unit

Ø  CN – Common Name; typically the name of the system or user

4.    You can have only the required fields in your X500 file based on the requirement.

5.    Save all the fields in a text file and save it in *.txt format.