Creating a CSR

Creating a CSR (Certificate Signing Request) produces a .csr file for each intermediate, server, and code-signing certificate. This file can be signed by a root or intermediate CA certificate.

Before you begin: to create a CSR for an intermediate or code-signing certificate, you must be viewing the Workbench stores. To create a CSR for a server certificate, you must be viewing the platform/station stores.
  1. Select the certificate to sign, and click Cert Request.
    The Certificate Request Info window opens.
  2. Confirm that the certificate properties are correct and click OK.
    One of the following happens:
    • If you are preparing a CSR for a server certificate, the system displays the certManagement folder for you to choose the location to store the CSR.

    • If you are creating a CSR for a CA certificate (root or intermediate) or a code-signing certificate, the Certificate Manager prompts you for the private key password. Enter the password and click OK. The system displays the certManagement folder for you to choose the location to store the CSR.

    The Alias for the certificate is used as the file name of the CSR.

  3. Use the default folder, or select a different folder in which to store the CSR and click Save.
    The system displays the message: CSR generation complete.
  4. To confirm completion, click OK.
    Note: Once you create a CSR, do not delete the original certificate from which you created the CSR. Later in the process you will import a signed certificate back into the User Key Store where its public key must match the private key of the original certificate. Creating a new certificate with the same name does not generate the same key pair and results in errors when you try to import the signed certificate. If it is absolutely necessary (for example, if the computer on which the certificate is stored is vulnerable), you may export the original certificate with its private key and import it into the User Key Store when you receive the signed certificate. But, ideally, you should leave the original certificate in the User Key Store of the original secure host.
  5. If an external CA, such as VeriSign or Thawte, will sign your server certificates, follow the CSR submission procedure as required by the CA.
    The CA verifies that you are who you claim to be, that each certificate is for a server your organization actually maintains, and other important information. The CA then returns the signed server certificates (one for each server).

    The CA may compress both the new signed certificate and a copy of the root CA certificate (containing only the public key) into password-protected files, put both files on a website, email the links to you, and phone you with the password. The root CA certificate with its public key does not have to be protected and can be sent via email.
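
The note in step 4 says the signed certificate's public key must match the key pair of the original certificate. The script below is an added example (not part of the product documentation) that checks this with the OpenSSL command line before you import a returned certificate. It assumes the .csr and the signed certificate are PEM-encoded and that `openssl` is installed; every file name, subject name, and the demo CA are constructed for illustration.

```shell
#!/bin/sh
# Added example: all file names, subjects and the demo CA are constructed.
# Assumes the openssl CLI and PEM-encoded CSR and certificate files.

# Succeeds (0) only when the certificate carries the same public key as the CSR.
# Returns 2 when either file cannot be parsed, so a read error never looks like a match.
cert_matches_csr() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$crt_pub" ]
}

# Build constructed demo material in directory $1:
#   orig.csr   - CSR from the original key pair
#   new.csr    - CSR from a regenerated key pair with the SAME subject name
#   signed.pem - orig.csr signed by a throwaway demo CA
make_demo_files() {
    dir=$1
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/orig.key" \
        -out "$dir/orig.csr" -subj "/CN=station1.example" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/new.key" \
        -out "$dir/new.csr" -subj "/CN=station1.example" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.pem" -subj "/CN=Demo Root CA" -days 1 2>/dev/null &&
    openssl x509 -req -in "$dir/orig.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/signed.pem" -days 1 2>/dev/null
}

# Demo run: the signed certificate matches the original CSR, but not a CSR
# created from a new certificate that merely reuses the same name.
d=$(mktemp -d)
if make_demo_files "$d"; then
    cert_matches_csr "$d/orig.csr" "$d/signed.pem" &&
        echo "orig.csr: public keys match"
    cert_matches_csr "$d/new.csr" "$d/signed.pem" ||
        echo "new.csr: public key mismatch (same name, different key pair)"
fi
rm -rf "$d"
```

Keep a copy of each .csr you submit so that the returned certificate can be compared against it before the import.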