Certificate Signing Request Generation

The generation of a Certificate Signing Request (CSR) is required for the Keysafe 5 Agent and optionally for using the internal MongoDB database with other Entrust products, such as the nShield Web Services product.

Keysafe 5 Agent CSR Generation

These steps are provided as an example. Entrust recommends that you adjust the values to your organization’s needs.

  1. Generate a private key.

    openssl genrsa -out tls.key 4096

    Entrust recommends that the private key is created on the machine where you are installing the Keysafe 5 Agent and that access to the file is restricted.

  2. Generate a CSR.

    1. Create a file called agent_csr.cnf with the following contents. keysafe5-agent must be the DNS.1 entry, and DNS.1 must be the first entry in the [alt_names] section. IP.1 is the IP address of the KeySafe 5 agent host.

      [req]
      distinguished_name = req_distinguished_name
      req_extensions = req_ext
      prompt = no
      
      [req_distinguished_name]
      C   = UK
      ST  = Cambs
      L   = Cambridge
      O   = Entrust
      OU  = nShield
      CN  = www.entrust.com
      
      [req_ext]
      subjectAltName = @alt_names
      
      [alt_names]
      DNS.1 = keysafe5-agent
      # Placeholder, not a valid address: replace with the IP address of the agent host.
      IP.1 = 111.222.333.444

    2. Generate the CSR.

      openssl req -new -key tls.key -out tls.csr -config agent_csr.cnf

The CSR generated can then be supplied during the Obtaining the Keysafe 5 Agent Certificates procedure.

MongoDB CSR Generation

These steps are provided as an example. Entrust recommends that you adjust the values to your organization’s needs.

  1. Generate a private key.

    openssl genrsa -out tls.key 4096

    Entrust recommends that access to the private key file is restricted.

  2. Generate a CSR.

    1. Create a file called mongo_csr.cnf with the following contents. The subject of the CSR must match the value "OU = mongodb, CN = keysafe5-mongo".

      [req]
      distinguished_name = req_distinguished_name
      req_extensions = req_ext
      prompt = no
      
      [req_distinguished_name]
      OU = mongodb
      CN = keysafe5-mongo
      
      [req_ext]
      subjectAltName = @alt_names
      
      [alt_names]
      DNS.1 = wsop.ncipher.com
      # Placeholder, not a valid address: replace with the address used in your deployment.
      IP.1 = 111.222.333.444

    2. Generate the CSR.

      openssl req -new -key tls.key -out tls.csr -config mongo_csr.cnf

The CSR generated can then be supplied during the MongoDB Database: Internal Database procedure.
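
One way to check a generated CSR against the requirements stated in both procedures above (first SAN entry for the agent, subject for MongoDB, restricted key file) before submitting it. This is an added example, not Entrust tooling: the function names are hypothetical, the sample generator uses constructed values, and the MongoDB subject is compared in RFC 2253 order (CN first).

```shell
#!/bin/sh
# Added example, not Entrust code; all function names are hypothetical.

# Subject in RFC 2253 order (last RDN first), e.g. CN=keysafe5-mongo,OU=mongodb
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# First subjectAltName entry as openssl prints it, e.g. DNS:keysafe5-agent
csr_first_san() {
    openssl req -in "$1" -noout -text | awk '
        /Subject Alternative Name/ { getline; gsub(/^[ \t]+/, ""); sub(/,.*/, ""); print; exit }'
}

# True when group and other have no permission bits on the key file
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

check_agent_csr() {  # args: CSR file, key file
    [ "$(csr_first_san "$1")" = "DNS:keysafe5-agent" ] ||
        { echo "first SAN entry must be DNS:keysafe5-agent" >&2; return 1; }
    key_is_private "$2" || { echo "restrict access to $2, e.g. chmod 600" >&2; return 1; }
}

check_mongo_csr() {  # args: CSR file, key file
    [ "$(csr_subject "$1")" = "CN=keysafe5-mongo,OU=mongodb" ] ||
        { echo "subject must be OU = mongodb, CN = keysafe5-mongo" >&2; return 1; }
    key_is_private "$2" || { echo "restrict access to $2, e.g. chmod 600" >&2; return 1; }
}

# Constructed sample input: writes tls.key and tls.csr into directory $1 with DN
# lines $2 and first SAN name $3. Uses a 2048-bit key for speed and 192.0.2.10,
# a documentation address (RFC 5737).
make_sample_csr() {
    ( umask 077; cd "$1" || exit 1
      printf '%s\n' '[req]' 'distinguished_name = dn' 'req_extensions = ext' \
          'prompt = no' '[dn]' "$2" '[ext]' 'subjectAltName = @alt' \
          '[alt]' "DNS.1 = $3" 'IP.1 = 192.0.2.10' > csr.cnf
      openssl genrsa -out tls.key 2048 2>/dev/null
      openssl req -new -key tls.key -out tls.csr -config csr.cnf )
}

# Usage: sh check_csr.sh agent|mongo tls.csr tls.key
case "${1:-}" in
    agent) check_agent_csr "$2" "$3" ;;
    mongo) check_mongo_csr "$2" "$3" ;;
esac
```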