Create a Signed Certificate Signing Request (CSR)
A signed Certificate Signing Request (CSR) includes information about your organization and public key and is signed with the corresponding private key to ensure its authenticity. The following steps will guide you through generating a CSR using a CSR configuration file and signing it with either an RSA or ECC private key.
Before you begin
Before performing certificate request operations using the TrustEdge certificate tool, make sure you set up your Certificate Signing Request (CSR) configuration file.
Create a sample_csr.cnf Certificate Signing Request (CSR) configuration file in the /etc/digicert/keystore/conf directory.
touch /etc/digicert/keystore/conf/sample_csr.cnf
Add the following sample CSR content to the sample_csr.cnf file.
##Subject
countryName=US
commonName=iot-device101
stateOrProvinceName=California
localityName=San Francisco
organizationName=DBA
organizationalUnitName=BU
##Requested Extensions
hasBasicConstraints=true
isCA=true
certPathLen=-1
keyUsage=keyEncipherment, digitalSignature, keyCertSign
subjectAltNames=2; *.mydomain.com, 2; *.mydomain.net, 2
Step 1: Prepare the CSR configuration file
If you haven’t already done so, create a CSR configuration file in the /etc/digicert/keystore directory.
Check the contents of the CSR configuration file to ensure it contains the correct information.
cat /etc/digicert/keystore/sample_csr.cnf
Step 2: Generate the CSR
Once the CSR configuration file is ready, you can generate the CSR by specifying the configuration file and signing it with a private key.
Important
Make sure your keystore folder contains the private key (RSA_2048.pem or ECC_P256.pem) being used to sign the CSR. See Generate a software-based private key.
For an RSA private key:
trustedge certificate --cert-sign-req --output-file CSR_RSA_2048.pem --signing-key RSA_2048.pem --csr-conf sample_csr.cnf --digest SHA256
For an ECC private key:
trustedge certificate --cert-sign-req --output-file CSR_ECC_P256.pem --signing-key ECC_P256.pem --csr-conf sample_csr.cnf --digest SHA256
Step 3 (optional): Include a signing certificate
If you need to include a signing certificate with your CSR, you can include the --signing-cert option. Make sure the specified signing certificate filename is located in the /etc/digicert/keystore/cert directory.
For RSA keys with a signing certificate:
trustedge certificate --cert-sign-req --output-file CSR_RSA_2048.pem --signing-key RSA_2048.pem --signing-cert RSA_CERT_2048.pem --digest SHA256
For ECC keys with a signing certificate:
trustedge certificate --cert-sign-req --output-file CSR_ECC_P256.pem --signing-key ECC_P256.pem --signing-cert ECC_CERT_P256.pem --digest SHA256
Step 4: Verify the CSR
After generating the CSR, you can verify that the file was created by listing the contents of the directory:
ls -l -R /etc/digicert/keystore
This command will display all directories and files in the keystore directory, including the newly created CSR.
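Listing the directory only shows that a file exists. The following added example (not part of the TrustEdge tooling or the original page) uses the openssl CLI as an independent check that the CSR's self-signature verifies, that it carries the public key of the intended private key, and whether it requests CA:TRUE as the sample configuration above does. It assumes the CSR and private key are standard PEM files that openssl can read; the function names check_csr and csr_requests_ca are hypothetical.

```shell
#!/bin/sh
# Added example: independent checks on a generated CSR using the openssl CLI.
# Assumption: the CSR and private key are standard PEM files readable by openssl.

# check_csr CSR KEY
# Returns 0 = OK, 1 = self-signature does not verify, 2 = CSR holds a different public key.
check_csr() {
    csr=$1
    key=$2
    # Proof of possession: the CSR must be signed by the key whose public half it carries.
    # Match on the message rather than the exit status, which some openssl
    # versions leave at 0 when verification fails.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK"; then
        echo "FAIL: CSR self-signature does not verify"
        return 1
    fi
    # Key binding: the public key inside the CSR must be the one derived from KEY.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$csr_pub" ] || [ "$csr_pub" != "$key_pub" ]; then
        echo "FAIL: CSR public key does not match $key"
        return 2
    fi
    echo "OK: $csr is signed by $key"
    return 0
}

# csr_requests_ca CSR
# Returns 0 when the CSR's requested extensions ask for CA:TRUE.
csr_requests_ca() {
    openssl req -in "$1" -noout -text 2>/dev/null | grep -q "CA:TRUE"
}

# Stand-alone use: sh check_csr.sh <csr-file> <private-key-file>
if [ "$#" -eq 2 ]; then
    check_csr "$1" "$2" || exit $?
    if csr_requests_ca "$1"; then
        echo "NOTE: CSR requests CA:TRUE; confirm this identity is meant to issue certificates"
    fi
fi
```

A CSR generated from a configuration with isCA=true and keyCertSign asks the issuing CA for a certificate that can itself sign certificates, so confirm that is intended before submitting it.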