Generate the SSL certificate that CA Gateway will use to authenticate enrollment operations with the ECS-managed CA.

Generating the key pair

Generate the key pair. 

openssl genrsa -out key.pem 2048

Generating the certificate signing request

Generate the certificate signing request.

openssl req -new -key key.pem -out csr.pem

When prompted for the Common Name, enter a domain or subdomain verified in your account.

Issuing the certificate

Process the certificate signing request to issue a certificate.

To issue the certificate

  1. As a Super Admin user, log in to the ECS Portal.
  2. Navigate to Create > SSL/TLS.
  3. In the create wizard, paste the generated PEM request contents.
  4. Select one of the following extended key usages:
    • Client Authentication
    • Client and Server Authentication
  5. Complete the wizard steps.
  6. Navigate to Certificates > Managed Certificates > ECS Certificates.
  7. Record the Tracking ID value for future use.
  8. Go to Actions > Pickup.
  9. Type the password, if required.
  10. Select the WS_FTP server type.
  11. Download a Zip file containing the issued certificate, the certification chain, and the root certificate.

Generating the SSL PKCS#12

Generate a PKCS#12 containing the SSL keys and certificates. For example:

openssl pkcs12 -export -in ServerCertificate.crt -certfile chain.pem -inkey key.pem -out restapi.p12

You will later set this PKCS#12 as either a file path or a base64 encoding. To encode the PKCS#12 in Base64, run:

base64 restapi.p12 -w 0 > restapi.txt

The -w 0 option formats the output as one line without line breaks.
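
A preflight check for the files produced by the steps above, as an added example that is not part of the original page or the product's own tooling. The function names, the CN gateway.example.test, the password changeit and the throwaway self-signed certificate standing in for the ECS-issued one are assumptions; it expects GNU base64 and OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: preflight for key.pem, ServerCertificate.crt, restapi.p12, restapi.txt.

# Succeeds only if the certificate's public key belongs to the private key.
key_matches_cert() {  # key_matches_cert <key.pem> <cert>
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Succeeds only if the certificate carries the Client Authentication EKU
# (OpenSSL prints it as "TLS Web Client Authentication").
has_client_auth() {  # has_client_auth <cert>
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'TLS Web Client Authentication'
}

# Succeeds only if the Base64 file is a single line and decodes to the exact PKCS#12.
b64_roundtrips() {  # b64_roundtrips <restapi.p12> <restapi.txt>
    [ $(wc -l < "$2") -le 1 ] || return 1
    base64 -d "$2" | cmp -s - "$1"
}

# Runs every check against one directory and names the first failure.
preflight() {  # preflight <dir>
    key_matches_cert "$1/key.pem" "$1/ServerCertificate.crt" || { echo "key/cert mismatch"; return 1; }
    has_client_auth "$1/ServerCertificate.crt" || { echo "no Client Authentication EKU"; return 1; }
    b64_roundtrips "$1/restapi.p12" "$1/restapi.txt" || { echo "bad Base64 encoding"; return 1; }
    echo "ok"
}

# Constructed sample: a throwaway self-signed certificate stands in for the ECS-issued one.
make_sample() {  # make_sample <dir> <eku: clientAuth|serverAuth>
    openssl genrsa -out "$1/key.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/key.pem" -subj "/CN=gateway.example.test" -days 1 \
        -addext "extendedKeyUsage=$2" -out "$1/ServerCertificate.crt" 2>/dev/null
    openssl pkcs12 -export -in "$1/ServerCertificate.crt" -inkey "$1/key.pem" \
        -passout pass:changeit -out "$1/restapi.p12" 2>/dev/null
    base64 -w 0 "$1/restapi.p12" > "$1/restapi.txt"
}

# Demo on constructed files; point preflight at your own directory for real use.
d=$(mktemp -d) && make_sample "$d" clientAuth && preflight "$d"; rm -rf "$d"
```

The checks read only the certificate, the public half of the key and the encoded file, so they can run before the PKCS#12 is handed to CA Gateway without needing its password.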