Certificate Enrollment Gateway requires a TLS certificate to secure incoming connections over HTTPS. This TLS certificate must be issued and installed into Entrust PKI Hub 1.0 before Certificate Enrollment Gateway can accept any enrollment requests over HTTPS.

The following procedure describes how to create a private key and certificate signing request (CSR) using OpenSSL. A CSR contains information that the issuing CA will use to create the certificate. You will need the private key later when installing the certificate into Entrust PKI Hub 1.0. Entrust PKI as a Service or an on-premises CA can process the CSR and issue the certificate.

To generate a private key and CSR for the Certificate Enrollment Gateway certificate using OpenSSL

  1. Log in to any node in the Entrust PKI Hub 1.0 cluster as the user account that owns Entrust PKI Hub 1.0.
  2. Enter the following command to check if OpenSSL is installed:

    openssl version

    If OpenSSL is installed, the currently installed version of OpenSSL is displayed.

  3. If OpenSSL is not installed, install OpenSSL by entering the following command:

    sudo dnf install openssl

  4. Enter the following command to create a CSR and private key for the Certificate Enrollment Gateway certificate:

    openssl req -nodes -newkey rsa:2048 -keyout <private key> -out <csr> -subj "<subject>"

    The following table describes the command parameters.

    | Parameter | Description |
    |---|---|
    | -nodes | This parameter will prevent the private key from being encrypted. Entrust PKI Hub 1.0 does not support encrypted private keys. |
    | -newkey rsa:2048 | This parameter will create a new certificate request and a new private key. The private key will be generated using RSA-2048. |
    | -keyout <private key> | This parameter specifies a path and file name for the private key. Do not delete this file. You will need this file later to install the certificate in Entrust PKI Hub 1.0. |
    | -out <csr> | This parameter specifies a path and file name for the CSR. |
    | -subj "<subject>" | This parameter specifies a subject for the CSR. |

    For example:

    openssl req -nodes -newkey rsa:2048 -keyout /home/user/ceg/private.key -out /home/user/ceg/csr.txt -subj "/CN=example.com"
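The script below is an added example, not part of the Entrust documentation or product, that wraps the command above and then checks the result before the CSR is submitted: it confirms the private key was written unencrypted (the only form Entrust PKI Hub 1.0 accepts), that the CSR's self-signature verifies, and that the public key inside the CSR belongs to the key file that will be needed at installation time. The file paths, the subject /CN=ceg.example.com, and the function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not Entrust code): generate and check the Certificate
# Enrollment Gateway key and CSR with OpenSSL. Paths and subject are assumed.

KEY_FILE="${KEY_FILE:-./ceg-private.key}"
CSR_FILE="${CSR_FILE:-./ceg-csr.txt}"
SUBJECT="${SUBJECT:-/CN=ceg.example.com}"

# Run the documented command, then restrict the key file to its owner, since
# the unencrypted key is the only thing protecting the gateway's TLS identity.
generate_csr() {
    key="$1"; csr="$2"; subj="$3"
    openssl req -nodes -newkey rsa:2048 -keyout "$key" -out "$csr" \
        -subj "$subj" >/dev/null 2>&1 || return 1
    chmod 600 "$key"
}

# Succeeds when the PEM file carries no encryption marker. An encrypted key
# would show either "BEGIN ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED".
key_is_unencrypted() {
    ! grep -q "ENCRYPTED" "$1"
}

# Succeeds when the CSR parses and its self-signature verifies.
csr_is_valid() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Prints the subject recorded in the CSR for comparison with what was requested.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Succeeds when the public key embedded in the CSR matches the private key
# file, i.e. the key kept for installation is the one the CA will certify.
key_matches_csr() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

main() {
    generate_csr "$KEY_FILE" "$CSR_FILE" "$SUBJECT" \
        || { echo "CSR generation failed" >&2; return 1; }
    key_is_unencrypted "$KEY_FILE" \
        || { echo "private key is encrypted; Entrust PKI Hub 1.0 will not accept it" >&2; return 1; }
    csr_is_valid "$CSR_FILE" \
        || { echo "CSR failed verification" >&2; return 1; }
    key_matches_csr "$KEY_FILE" "$CSR_FILE" \
        || { echo "CSR public key does not match $KEY_FILE" >&2; return 1; }
    echo "CSR ready: $CSR_FILE ($(csr_subject "$CSR_FILE"))"
    echo "Keep $KEY_FILE; it is needed when installing the issued certificate."
}

# Run the whole procedure only when invoked as:  sh ceg-csr.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Set KEY_FILE, CSR_FILE and SUBJECT in the environment to match the paths and subject you intend to use, then run the script with the run argument; the checks are the same ones worth repeating on the CSR file just before handing it to Entrust PKI as a Service or the on-premises CA.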