Certificate Signing Request Generation
The generation of a Certificate Signing Request (CSR) is required for the KeySafe 5 Agent and optionally for using the internal MongoDB database with other Entrust products, such as the nShield Web Services product.
KeySafe 5 Agent CSR Generation
These steps are provided as an example. Entrust recommends that the values are adjusted to your organization’s needs.
- Generate a private key.

    openssl genrsa -out tls.key 4096

  Entrust recommends that the private key is created on the machine where you are installing the KeySafe 5 Agent and that access to the file is restricted.

- Generate a CSR.

  - Create a file called agent_csr.cnf with the following. The DNS.1 entry must match the hostname that the KeySafe 5 Agent identifies as and must be the first entry in the [alt_names] section. IP.1 is the IP address of the KeySafe 5 Agent host.

      [req]
      distinguished_name = req_distinguished_name
      req_extensions = req_ext
      prompt = no

      [req_distinguished_name]
      C = UK
      ST = Cambs
      L = Cambridge
      O = Entrust
      OU = nShield
      CN = www.entrust.com

      [req_ext]
      subjectAltName = @alt_names

      [alt_names]
      DNS.1 = keysafe5.ncipher.com
      IP.1 = 111.222.333.444

  - Generate the CSR request.

      openssl req -new -key tls.key -out tls.csr -config agent_csr.cnf

The CSR generated can then be supplied during the Obtaining the KeySafe 5 Agent Certificates procedure.
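
The agent steps above can be scripted together with a pre-submission check of the result. This is an added example, not part of the Entrust procedure; the function names, the directory argument and the O/CN subject values are assumptions, and the hostname and IP address are supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example. Function names and the subject values in the config are hypothetical.

make_agent_csr() {   # usage: make_agent_csr <dir> <agent-hostname> <agent-ip>
  local dir="$1" host="$2" ip="$3"
  # umask 077 in a subshell: tls.key is created readable by its owner only
  ( umask 077; openssl genrsa -out "$dir/tls.key" 4096 2>/dev/null ) || return 1
  cat > "$dir/agent_csr.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
O = Example Org
CN = $host
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $host
IP.1 = $ip
EOF
  openssl req -new -key "$dir/tls.key" -out "$dir/tls.csr" -config "$dir/agent_csr.cnf"
}

check_agent_csr() {  # usage: check_agent_csr <dir> <agent-hostname>; returns 0 when all checks pass
  local dir="$1" host="$2" first_san
  # 1. No group/other permission bits on the private key
  [ "$(ls -l "$dir/tls.key" | cut -c5-10)" = "------" ] ||
    { echo "tls.key is accessible to group/other" >&2; return 1; }
  # 2. CSR self-signature is intact (match on the message; exit status differs by OpenSSL version)
  openssl req -in "$dir/tls.csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
    { echo "CSR self-signature did not verify" >&2; return 1; }
  # 3. CSR carries the public half of this tls.key
  [ "$(openssl req -in "$dir/tls.csr" -noout -pubkey)" = "$(openssl pkey -in "$dir/tls.key" -pubout)" ] ||
    { echo "CSR public key does not match tls.key" >&2; return 1; }
  # 4. First subjectAltName entry is the DNS name the agent identifies as
  first_san=$(openssl req -in "$dir/tls.csr" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//; s/,.*//')
  [ "$first_san" = "DNS:$host" ] ||
    { echo "first SAN is '$first_san', expected DNS:$host" >&2; return 1; }
}
```

Run check_agent_csr on the agent host before sending tls.csr for signing; a non-zero return names the failed check on stderr.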
MongoDB CSR Generation
These steps are provided as an example. Entrust recommends that the values are adjusted to your organization’s needs.
- Generate a private key.

    openssl genrsa -out tls.key 4096

  Entrust recommends that access to the private key file is restricted.

- Generate a CSR.

  - Create a file called mongo_csr.cnf with the following. The "subject" of the CSR must match the value "OU = mongodb, CN = keysafe5-mongo".

      [req]
      distinguished_name = req_distinguished_name
      req_extensions = req_ext
      prompt = no

      [req_distinguished_name]
      OU = mongodb
      CN = keysafe5-mongo

      [req_ext]
      subjectAltName = @alt_names

      [alt_names]
      DNS.1 = keysafe5.ncipher.com
      IP.1 = 111.222.333.444

  - Generate the CSR request.

      openssl req -new -key tls.key -out tls.csr -config mongo_csr.cnf

The CSR generated can then be supplied during the MongoDB Database: Internal Database procedure.