Create TLS private key and CSR

In order to obtain a signed certificate A digital means of proving your identity. When you send a digitally-signed message, you are sending your certificate and public key. Certificates are issued by a certification authority and can expire or be revoked., you must first create the following private key The secret key kept on the sender's computer that the sender uses to digitally sign messages to recipients and to decrypt messages from recipients. Private keys should be password protected. and Certificate Signing Request (CSR) A message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. using Red Hat Cockpit on Secure Email Gateway.

File name	Description	Directory
emailgateway.key	The private key file.	/root
emailgateway.csr	The Certificate Signing Request (CSR) file: it contains your public key The key a sender gives to a recipient so that the recipient can verify the sender's signature and confirm that the message was not altered. Recipients also use the public key to encrypt email messages to the sender..	/root

Create the TLS private key and CSR

Connect to Red Hat Cockpit

• Log in to Red Hat Cockpit.

  To access the Cockpit administration user interface, open a supported web browser and enter the IP address of your Secure Email Gateway, on port 9090:

  https://<ip-address>:9090

• Navigate to Terminal. Assume root user privileges using the following command:

  sudo su

Create the TLS private key

Use the OpenSSL utility on Secure Email Gateway to create the TLS private key.

• At the # prompt, type the following command:

  openssl genrsa -out emailgateway.key 4096 -sha256

  This command creates an RSA 4096-bit private key and stores it in the PEM-format file: emailgateway.key.

  You must protect the private key file by storing it in a secure location. We recommend that you restrict access to the server so that only authorized server administrators have access to the private key file.

Create the TLS Certificate Signing Request (CSR)

Use the OpenSSL utility on Secure Email Gateway to create the Certificate Signing Request (CSR).

• At the # prompt, type the following command:

  openssl req -new -key emailgateway.key -out emailgateway.csr

  This command prompts for the following X.509 attributes of your digital certificate:

  

  The command has created the CSR and stores it in the PEM-format file: emailgateway.csr.

You have now created a public/private key pair.

The private key is used for decryption and must be stored locally on Secure Email Gateway. The public key (in the form of the CSR file), is used to register the certificate with your Certificate Authority (CA).

When you have finished

Move the CSR file to home directory

• Use the mv command and move the CSR file to your home directory on the Secure Email Gateway server.

  mv emailgateway.csr /home

• Copy the CSR file securely from the Gateway server to a desktop computer.

Save the CSR file to local machine

Use the OpenSSH session to copy your CSR for submission to the CA.

• Create a text (.txt) file named emailgateway.txt on your computer.

• At the # prompt, type the following command:

  cat emailgateway.csr

  This outputs the CSR, starting with "begin certificate request" and ending with "end certificate request".

• Copy the output, including the begin and end markers, and paste it into the emailgateway.txt file.

• Save and close the text file, and then rename it to emailgateway.csr.

See also...

• Red Hat Cockpit
• SSH Access
• Required TLS certificates and keys
• Obtain CA-signed or self-signed TLS certificate
• Import TLS certificates and private keys