Creating a New Server Certificate (CLI)

Use this procedure to create a new server certificate.

1. Go to configuration settings certificates system.
2. Create a new Certificate Signing Request (CSR).

   Either add a new CSR or copy an existing CSR.

   • To add a new CSR, enter the create command.

   • To create a new CSR based on an existing CSR or certificate, do the following:

     1. Enter the list command to view the certificates table.

     2. Enter the clone cert command, where cert is a value from the CERT column of the table.

        hostname:configuration settings certificates system> clone cert-001

3. Complete the CSR form.

   hostname:configuration settings certificates system (uncommitted)> get   
               subject_commonname = hostname.us.example.com
         subject_organizationname = (unset)
   subject_organizationalunitname = (unset)
             subject_localityname = (unset)
      subject_stateorprovincename = (unset)
              subject_countryname = (unset)
             subject_emailaddress = (unset)
                              dns = hostname.us.example.com
                               ip = 192.0.2.174
                              uri = (unset)
                          dirname = (unset)
                          comment = (unset)
                         key_type = RSA
                         key_bits = 2048
                        key_curve = prime256v1 / P-256 (unused)                       
   hostname:configuration settings certificates system (uncommitted)> set comment="test"
                          comment = test (uncommitted)
   hostname:configuration settings certificates system (uncommitted)> commit

4. View the CSR.
   1. Enter the list command to see your new CSR in the table.

      hostname:configuration settings certificates system> list
      CERT     TYPE SUBJECT COMMON NAME       ISSUER COMMON NAME        NOT AFTER
      cert-002 req  hostname.us.example.com
      cert-001 cert hostname.us.example.com   CA                        2023-1-25
      cert-000 cert 3ebff8d2-58f6-4de4-a2c... 3ebff8d2-58f6-4de4-a2c... 2038-1-19

   2. Enter the dump cert command, where cert is your new CSR in the table.

      hostname:configuration settings certificates system> dump cert-002
      -----BEGIN CERTIFICATE REQUEST-----
      ...
      -----END CERTIFICATE REQUEST-----

5. Copy the CSR and transfer it to your CA in the prescribed manner.
6. Import the signed certificate.

   After you receive the signed certificate from the CA, do the following:

   1. Go to configuration settings certificates system.
   2. Enter the import command.
   3. At the prompt, paste the signed certificate.

      hostname:configuration settings certificates system> import
      ("." to end)> 
                        -----BEGIN CERTIFICATE-----
      ...
      ("." to end)> 
                        -----END CERTIFICATE-----
      ("." to end)> 
                        .

      The certificate replaces the CSR.

7. Verify the imported certificate.
   1. Enter the list command to see your new signed certificate in the table.
   2. Enter select cert and then enter get to view the properties of the certificate.
   3. Enter done and then enter dump cert to view the certificate.