Introduction:
When a certificate has expired, a new private key and certificate signing request (CSR) must be created in order to request a new certificate.
Question:
How do I generate a private key and CSR when an HSM is being used?
Environment:
In-House or On-Premise CA Transaction Manager customers.
Answer:
The steps to generate the private key and CSR are as follows:
1. Navigate to the following directory: /opt/arcot/bin
This directory contains the pk11util command line utility.
2. Run the pk11util utility to generate a private key on the HSM and the certificate request by using the following command:
pk11util -module nfast -slot 1 -label <acssignkeyname> -genrsa -genreq <X500 File path> -out <certrequestname>.pem
Example:
pk11util -module nfast -slot 1 -label testlb1 -genrsa -genreq x500test1.txt -out certreq1.pem
Before running the command, create an "X500" file in the format below; it supplies the distinguished name for the request and is passed to the -genreq option.
The following are two example X500 lines:
C=US, S=New York, L=Syracuse, O=Dart, OU=Development, CN=My Machine
C=US, S=Georgia, L=Atlanta, O=MyOrg, OU=Toy Department, CN=John Doe
3. Upload or send the generated certificate request file to the CA (Certification Authority). The CA returns the signing certificate.
Additional Information:
Tips for creating the X500 file:
1. Put all the fields on the same row, separated by commas.
2. If this does not work, put each field on its own line.
3. Example fields and their meaning:
- C – Name of the Country
- S – Name of the State
- L – Name of the Locality or City
- O – Name of the Organization
- OU – Organizational unit
- CN – Common Name; typically the name of the system or user
4. Include only the fields you need in the X500 file.
5. Save the fields in a plain-text file with a .txt extension.
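The following Python script is added here as an example and is not part of the product or of this article. It validates the X500 file in either layout described above (one comma-separated row, or one field per line) and then checks that the subject of the generated CSR, as reported by openssl req -noout -subject (openssl assumed to be on PATH), matches the X500 file field for field before the request is sent to the CA. The sample X500 line is constructed; the mapping of the S field to the ST name that openssl prints is an assumption of the example.

```python
"""Check a pk11util X500 file and compare it with the subject of the generated CSR."""
import re
import subprocess

# Fields the X500 file may carry; openssl reports the State field as "ST", not "S".
KNOWN_FIELDS = {"C", "S", "L", "O", "OU", "CN"}
OPENSSL_NAME = {"S": "ST"}

# Constructed sample in the single-row layout.
SAMPLE_X500 = "C=US, S=New York, L=Syracuse, O=Dart, OU=Development, CN=My Machine\n"


def parse_x500(text):
    """Return (field, value) pairs from an X500 file in either layout:
    one comma-separated row, or one field per line. Unknown or malformed
    fields and a missing CN raise ValueError, so mistakes surface before
    a key is generated on the HSM and a request is sent to the CA."""
    pairs = []
    for part in re.split(r"[,\n]", text):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed entry: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        if key not in KNOWN_FIELDS or not value:
            raise ValueError(f"bad field: {part!r}")
        pairs.append((key, value))
    if "CN" not in dict(pairs):
        raise ValueError("CN is required")
    return pairs


def parse_openssl_subject(line):
    """Parse the line printed by 'openssl req -noout -subject'. Handles the
    'subject=C = US, ST = ...' form (OpenSSL 1.1+) and '/C=US/ST=...' (1.0)."""
    body = line.strip()
    if body.startswith("subject="):
        body = body[len("subject="):].strip()
    parts = body.lstrip("/").split("/") if body.startswith("/") else body.split(",")
    return [tuple(s.strip() for s in p.split("=", 1)) for p in parts]


def csr_matches_x500(x500_text, subject_line):
    """True when the CSR subject reported by openssl equals the X500 file, field for field."""
    want = [(OPENSSL_NAME.get(k, k), v) for k, v in parse_x500(x500_text)]
    return want == parse_openssl_subject(subject_line)


def csr_subject(csr_path):
    """Subject line of a CSR on disk, e.g. certreq1.pem (assumes openssl on PATH)."""
    cmd = ["openssl", "req", "-noout", "-subject", "-in", csr_path]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
```

Run csr_matches_x500(open("x500test1.txt").read(), csr_subject("certreq1.pem")) after step 2; a False result means the request does not carry the distinguished name you intended and should not be sent to the CA.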