Secure Connect Gateway: How to generate a Certificate Signing Request (CSR)

A Certificate Signing Request (CSR) cannot be generated from the Certificate Import page on the Secure Connect Gateway (SCG) user interface.

If your Certificate Signing Authority requires the use of a CSR, follow the steps outlined below:

• Log in to SCG/PM using SSH
• If on Policy Manager (PM), enter the container with the following command (skip this step on SCG):

  • PM=$(docker ps --format '{{.Names}}');\
    docker exec -it $PM bash

• Run the following command (do not insert spaces before trailing backslashes in lines between -subj and /CN): 

  • openssl req -newkey rsa:4096 \
    -subj "/C=<Country>\
    /ST=<State/Province>\
    /L=<City>\
    /O=<Comapny>\
    /OU=<Department>\
    /CN=<Hostname/FQDN>" \
    -addext "subjectAltName = DNS:<FQDN>, IP:<IP>" \
    -keyout private.key -out csr.csr

  • Any space in the subject field must be escaped with a leading \, see example image.
• Copy the files to outside the container (required only on Policy Manager):
  • Exit the container with Ctrl+D: 

  • PM=$(docker ps --format '{{.Names}}');\
    docker cp $PM:/csr.csr /root/csr.csr;\
    docker cp $PM:/private.key /root/private.key

• 
• Two files are generated under /root:
  • Pass the .csr to Cert Authority for signing; ask for a Base-64 encoded X.509.
  • Leave private.key as is to import later with the signed certificate.
• Once you receive the signed certificate, upload the certificate to SCG/PM:
  • 
  • Issue the following command to convert the Cert and Key to compatible format with SCG/PM:

    • openssl pkcs12 -export -in pmcert.cer -inkey private.key -out pmcert.p12

      
      
    • Save the .p12 file to your PC and import the p12 on the SCG/PM UI.
    • After SCG/PM reboots, verify that the Certificate Information is correct:
      •