Cryptzone Support

 

Using openssl on AppGate (classic) to make a Certificate Request for SSL


Article Number: 000001075

There are various ways to generate a Certificate Request (CSR) for enrollment with a Certificate Authority (CA). One method is to use the openssl software that is already part of the AppGate (classic).

To generate the .csr file you first need a configuration file. Here is an example: fill in the entries of the req_distinguished_name section and save everything in a file named ssl.cnf in /var/opt/appgate/local. If the directory /var/opt/appgate/local doesn't exist, create it.

See below for example with SANs.

# OpenSSL config file

 [ req ]
 default_bits                    = 2048
 default_keyfile                 = privkey.pem
 distinguished_name              = req_distinguished_name
 attributes                      = req_attributes
 x509_extensions                 = self_extensions
 req_extensions                  = req_extensions
 string_mask                     = nombstr
 prompt                          = no

 [ req_distinguished_name ]
 # countryName must be the two-letter ISO 3166-1 code (GB for the United Kingdom)
 countryName                     = GB
 stateOrProvinceName             = Far Out Province
 localityName                    = London

 # The 0.organizationName is the company name
 # You should enter the company name as it appears on your official company
 # registration documents.
 0.organizationName              = Example Corp Inc
 # The commonName should be the host name used in the URL
 commonName                      = example-corp-ssl.example.com

 [ req_attributes ]

 [ req_extensions ]
 basicConstraints                = CA:FALSE
 nsCertType                      = server
 nsComment                       = "OpenSSL Generated Certificate"
 subjectKeyIdentifier            = hash
 keyUsage                        = critical,digitalSignature,keyEncipherment

 [ self_extensions ]
 basicConstraints                = CA:FALSE
 nsCertType                      = server
 nsComment                       = "OpenSSL Generated Certificate"
 subjectKeyIdentifier            = hash
 authorityKeyIdentifier          = keyid,issuer:always
 keyUsage                        = critical,digitalSignature,keyEncipherment

SAN example

# OpenSSL config file

 [ req ]
 default_bits                    = 2048
 default_keyfile                 = privkey.pem
 distinguished_name              = req_distinguished_name
 attributes                      = req_attributes
 x509_extensions                 = self_extensions
 # v3_req carries the subjectAltName entries into the request
 req_extensions                  = v3_req
 string_mask                     = nombstr
 prompt                          = no


 [ req_distinguished_name ]
 countryName                     = SE
 stateOrProvinceName             = VGR
 localityName                    = Gothenburg

 # The 0.organizationName is the company name
 # You should enter the company name as it appears on your official company
 # registration documents.
 # 0.organizationName             = Cryptzone
 # The commonName should be the host name used in the URL
 # (it should also appear as a DNS entry in [ alt_names ])
 commonName                      = asdemo3.cryptzone.com

 [ req_attributes ]

 [ v3_req ]
 # Extensions to add to a certificate request
 basicConstraints                = CA:FALSE
 keyUsage                        = nonRepudiation, digitalSignature, keyEncipherment
 subjectAltName                  = @alt_names

 [ alt_names ]
 DNS.1                           = asdemo3.cryptzone.com
 DNS.2                           = asdemo4.cryptzone.com
 DNS.3                           = systems.example.net
 IP.1                            = 212.16.176.156
 IP.2                            = 212.16.176.157

 [ req_extensions ]
 basicConstraints                = CA:FALSE
 nsCertType                      = server
 nsComment                       = "OpenSSL Generated Certificate"
 subjectKeyIdentifier            = hash
 keyUsage                        = critical,digitalSignature,keyEncipherment

 [ self_extensions ]
 basicConstraints                = CA:FALSE
 nsCertType                      = server
 nsComment                       = "OpenSSL Generated Certificate"
 subjectKeyIdentifier            = hash
 authorityKeyIdentifier          = keyid,issuer:always
 keyUsage                        = critical,digitalSignature,keyEncipherment

Create CSR

1. Run the following as root:

cd /var/opt/appgate/local
openssl req -config ssl.cnf -new -newkey rsa:2048 -sha256 -nodes -out example-corp.csr -keyout example-corp.key

Note: Ignore the warning about the missing /usr/local/ssl/openssl.conf file.

2. Verify the CSR:
openssl req -in example-corp.csr -noout -text

3. Transfer the resulting .csr file and the .key file to your PC.

4. Use the .csr file to make your Certificate Request. When you have received the Certificate file, upload it in the AppGate Console -> System Settings -> SSL -> Upload. The upload will also ask you to supply the .key file.

Keep the .key file safe: it contains the private key for your SSL certificate. Because the command in step 1 uses -nodes, the key is written to disk unencrypted.
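Checks worth running between steps 2 and 3, before the request goes to the CA. This is an added example, not part of the original article or of AppGate: it confirms that the CSR's self-signature verifies, that the .key file really belongs to the CSR, and that every expected SAN entry made it into the request. The function names, the demo config and its SAN values are assumptions made for illustration.

```shell
#!/bin/sh
# Print the SAN entries of a CSR one per line, e.g. "DNS:host" or "IP Address:192.0.2.10".
csr_sans() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        awk '/Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# Return 0 only if the CSR self-signature verifies, its public key matches the
# private key file, and every expected SAN entry (remaining arguments) is present.
check_csr() {
    csr=$1; key=$2; shift 2
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "self-signature check failed" >&2; return 1; }
    [ "$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        { echo "private key does not match CSR" >&2; return 2; }
    sans=$(csr_sans "$csr")
    for want in "$@"; do
        printf '%s\n' "$sans" | grep -Fxq -- "$want" ||
            { echo "missing SAN: $want" >&2; return 3; }
    done
}

# Constructed sample input: a throwaway key and CSR written to directory $1.
make_demo_csr() {
    cat > "$1/ssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no
[ req_distinguished_name ]
commonName         = systems.example.net
[ v3_req ]
subjectAltName     = @alt_names
[ alt_names ]
DNS.1              = systems.example.net
IP.1               = 192.0.2.10
EOF
    openssl req -config "$1/ssl.cnf" -new -newkey rsa:2048 -sha256 -nodes \
        -out "$1/demo.csr" -keyout "$1/demo.key" 2>/dev/null
}

tmp=$(mktemp -d)
make_demo_csr "$tmp" && check_csr "$tmp/demo.csr" "$tmp/demo.key" \
    "DNS:systems.example.net" "IP Address:192.0.2.10" && echo "CSR checks passed"
```

For the article's files the call would be check_csr example-corp.csr example-corp.key followed by the DNS: and IP Address: entries from your [ alt_names ] section.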