Certificate Signing Request Generation

The generation of a Certificate Signing Request (CSR) is required for the KeySafe 5 Agent and optionally for using the internal MongoDB database with other Entrust products, such as the nShield Web Services product.

KeySafe 5 Agent CSR Generation

These steps are provided as an example, Entrust recommends that the values are adjusted to your organization’s needs.

  1. Generate a private key

    openssl genrsa -out tls.key 4096

    Entrust recommends that the private key is created on the machine where you are installing the KeySafe 5 Agent and that access to the file is restricted.

  2. Generate a CSR.

    1. Create a file called agent_csr.cnf with the following. The DNS.1 entry must match the hostname that the KeySafe 5 agent identifies as and must be the first entry in the [alt_names] section. IP.1 is the IP address of the KeySafe 5 agent host.

      [req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
C   = UK
ST  = Cambs
L   = Cambridge
O   = Entrust
OU  = nShield
CN  = www.entrust.com

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = keysafe5.ncipher.com
IP.1 = 111.222.333.444

    2. Generate the CSR request.

      openssl req -new -key tls.key -out tls.csr -config agent_csr.cnf

The CSR generated can then be supplied during the Obtaining the KeySafe 5 Agent Certificates procedure.

MongoDB CSR Generation

These steps are provided as an example, Entrust recommends that the values are adjusted to your organization’s needs.

  1. Generate a private key

    openssl genrsa -out tls.key 4096

    Entrust recommends that access to the private key file is restricted.

  2. Generate a CSR.

    1. Create a file called mongo_csr.cnf with the following. The "subject" of the CSR must match the value "OU = mongodb, CN = keysafe5-mongo".

      [req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
OU = mongodb
CN = keysafe5-mongo

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = keysafe5.ncipher.com
IP.1 = 111.222.333.444

    2. Generate the CSR request.

      openssl req -new -key tls.key -out tls.csr -config mongo_csr.cnf

The CSR generated can then be supplied during the MongoDB Database: Internal Database procedure.