Generate the SSL certificate that CA Gateway will use to authenticate enrollment operations with the ECS-managed CA.
You can run the commands below on the machine hosting CA Gateway or on any machine with OpenSSL installed.
Generating the key pair
Run the following command to generate the key pair.
openssl genrsa -out key.pem 2048
Generating the certificate signing request
Run the following command to generate the certificate signing request.
openssl req -new -key key.pem -out csr.pem
When prompted for the Common Name, enter a domain or subdomain verified in your account.
Issuing the certificate
Process the certificate signing request to issue a certificate.
To issue the certificate
- As a Super Admin user, log in to the ECS Portal.
- Navigate to Create > SSL/TLS.
- In the create wizard, paste the generated PEM request contents.
- Select one of the following extended key usages:
  - Client Authentication
  - Client and Server Authentication
- Complete the wizard steps.
- Navigate to Certificates > Managed Certificates > ECS Certificates.
- Record the Tracking ID value for future use.
- Go to Actions > Pickup.
- Type the password, if required.
- Select the WS_FTP server type.
- Download a Zip file containing the issued certificate, the certification chain, and the root certificate.
Generating the SSL PKCS#12
Generate a PKCS#12 containing the SSL keys and certificates – for example:
openssl pkcs12 -export -in ServerCertificate.crt -certfile chain.pem -inkey key.pem -out restapi.p12
You will later set this PKCS#12 as either a file path or a base64 encoding. To encode the PKCS#12 in Base64, run:
base64 restapi.p12 -w 0 > restapi.txt
The -w 0 option formats the output as one line without line breaks.
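Before configuring CA Gateway with these files, it is worth confirming that the issued certificate matches key.pem, that it carries the Client Authentication extended key usage, and that restapi.p12 and restapi.txt are intact. The following shell functions are an added example, not part of the product documentation; the function names and the P12_PASS environment variable are assumptions, and the demo certificate is a constructed self-signed stand-in for the ECS-issued one.

```shell
#!/bin/sh
# Added example: sanity checks on the files produced by the procedure above.
# File names follow the page. P12_PASS and the function names are assumptions.

# Succeeds only if the certificate ($2) carries the public key of key ($1).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds if the certificate ($1) lists the Client Authentication EKU.
has_client_auth() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'TLS Web Client Authentication'
}

# Succeeds if the PKCS#12 ($1) holds the private key for certificate ($2).
# The password is read from the P12_PASS environment variable so it does
# not appear on the command line.
p12_key_matches_cert() {
    k=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes \
            2>/dev/null | openssl pkey -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds if the one-line Base64 file ($1) decodes back to the PKCS#12 ($2).
b64_matches_p12() {
    [ $(wc -l < "$1") -eq 0 ] && base64 -d "$1" | cmp -s - "$2"
}

# Constructed demo input: a throwaway self-signed certificate stands in for
# the ECS-issued one (so there is no chain.pem). Files are written to $1.
make_demo_files() {
    ( cd "$1" &&
      openssl genrsa -out key.pem 2048 2>/dev/null &&
      openssl req -x509 -new -key key.pem -days 1 -subj "/CN=demo.example.test" \
          -addext "extendedKeyUsage=clientAuth" -out ServerCertificate.crt &&
      openssl pkcs12 -export -in ServerCertificate.crt -inkey key.pem \
          -passout env:P12_PASS -out restapi.p12 &&
      base64 restapi.p12 -w 0 > restapi.txt )
}
```

With the real files, export P12_PASS with the export password chosen in the openssl pkcs12 step and call each check with key.pem, ServerCertificate.crt, restapi.p12 and restapi.txt; a non-zero exit status means the check failed.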