Create TLS private key and CSR

Before you can begin the process of obtaining a signed certificate, you must first create a private key, then a Certificate Signing Request (CSR) using Red Hat Cockpit on the Email Gateway.

  1. Connect to the Email Gateway

    1. Log in to Red Hat Cockpit.
    2. Navigate to the Terminal tab.
    3. Assume root privileges using the sudo su command.

  2. Create the TLS private key.

    You now use the OpenSSL utility on the Email Gateway to create the TLS private key.

    • At the # prompt, type the following command:

      openssl genrsa -out emailgateway.key 4096 -sha256

    This command creates an RSA 4096-bit private key and stores it in the PEM-format file PEM (Privacy-Enhanced Mail) emailgateway.key.

     

    You must protect the private key file by storing it in a secure location.

    We recommend that you restrict access to the server so that only authorized server administrators have access to the private key file.

  3. Create the TLS Certificate Signing Request (CSR).

    You now use the OpenSSL utility on the Email Gateway to create the Certificate Signing Request (CSR).

    • At the # prompt, type the following command:

      openssl req -new -key emailgateway.key -out emailgateway.csr

    This command prompts for the following X.509 attributes of your digital certificate:

    This command creates a Certificate Signing Request and stores it in the PEM-format file emailgateway.csr.

    4. ClosedWhen you have finished

    You have now created a public/private key pair. The private key is used for decryption and must be stored locally on the Email Gateway. The public key (in the form of the Certificate Signing Request file), is used to register the certificate with the CA.

    File name Description
    emailgateway.key The private key file.
    emailgateway.csr The Certificate Signing Request file: it contains your public key.
    1. Move the CSR file to your home directory on the Email Gateway server using the mv command:

      mv emailgateway.csr /home

    2. Copy the CSR file securely from the Email Gateway server to a desktop computer.
  4. Save the CSR to your local machine.

    You can now use the open SSH session to copy your CSR for submission to your certificate authority (CA).

    1. Create a .txt file named emailgateway.txt on your computer.
    2. At the # prompt, type the following command:
      cat emailgateway.csr
      This outputs the CSR, starting with "begin certificate request" and ending with "end certificate request".
    3. Copy the output, including the begin and end markers, and paste it into the emailgateway.txt file.
    4. Save the .txt file, close it, and rename it to emailgateway.csr.

    5. See also...