The SRĀ OS supports two certificate enrollment methods:
off-line method via PKCS#10
on-line method via CMPv2
The off-line method works as follows:
Generate a key pair via the command admin certificate gen-keypair
For example:
admin certificate gen-keypair cf3:/segw.key size 2048 type rsa
Generate a PKCS#10 certificate signing request with the key generated in the step mentioned above via the admin certificate gen-local-cert-req command.
For example:
admin certificate gen-local-cert-req keypair cf3:/segw.key subject-dn
C=US,ST=CA,O=ALU,CN=SeGW domain-name segw-1.alu.com file cf3:/segw.pkcs10
The user specifies the subject of certificate request and optionally can also specify a FQDN or an IP address as SubjectAltName.
Import the key file via the admin certificate import command.
For example:
admin certificate import type key input cf3:/segw.key output segw.key format de
Because the key is imported, remove the key file generated in the first step for security reasons.
Send the PKCS#10 file to CA via an offline method such as e-mail.
CA signs the request, and returns the certificate.
Import the result certificate the admin certificate import command.
For example:
admin certificate import type cert input cf3:/segw.cert output segw.cert format pem
For CMPv2-based enrollment, see CMPv2.