Obtain CA-signed or self-signed TLS certificate

Once the TLS private key The secret key kept on the sender's computer that the sender uses to digitally sign messages to recipients and to decrypt messages from recipients. Private keys should be password protected. and Certificate Signing Request (CSR) A message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. have been created, you can register your certificate A digital means of proving your identity. When you send a digitally-signed message, you are sending your certificate and public key. Certificates are issued by a certification authority and can expire or be revoked. with a Certificate Authority (CA). You can either:

Use a third-party (commercial) CA to have your certificate signed and receive their signing certificate The certificate of the certificate authority that signed the key certificate. It contains the certificate authority's own public key. Also known as "root certificate"., or
Create a CA on Secure Email Gateway, generate its signing certificate, and self-sign the certificate

You can select the latter if you do not want to purchase a digital certificate from a third-party CA, or if you want to use digital signing immediately.

However, self-signed certificates are not recommended for production use.

Submit the CSR to a third-party CA

Before proceeding with the following instructions, ensure that you create the TLS private key and CSR first.

Submit the CSR to CA

Copy the CSR from Secure Email Gateway.
Submit the CSR to your third-party CA. (Consult the CA for instructions.)
The CA will return your signed certificate, along with their signing certificate.
When you have all your TLS keys and certificates, import them into the Gateway.

Create a CA on Secure Email Gateway and self-sign the certificate

Before proceeding with the following instructions, ensure that you create the TLS private key and CSR first.

Connect to Red Hat Cockpit

Log in to Red Hat Cockpit.

To access the Cockpit administration user interface, open a supported web browser and enter the IP address of your Secure Email Gateway, on port 9090:

https://<ip-address>:9090
Navigate to Terminal. Assume root user privileges using the following command:
```
sudo su
```

Create a CA on the Gateway

At the # prompt, create a subdirectory /tmp/CA by typing the following command:
```
mkdir /tmp/CA
```
Switch to the /tmp/CA subdirectory:
```
cd /tmp/CA
```
Use the OpenSSL utility to create the CA's private key:
```
openssl genrsa -out CA.key 4096
```
Create the CA's signing certificate:
```
openssl req -new -key CA.key -x509 -days 1095 -out CA.crt -sha256
```
This command prompts for the following X.509 attributes of the signing certificate:

List the files in the current directory (type ls) to confirm that the signing certificate (CA.crt) and CA private key (CA.key) files are present in the /tmp/CA directory.

If the files are present, you have successfully created the CA on Secure Email Gateway.

You can now self-sign your TLS certificate by using this CA to authorize the CSR that you previously created.

Self-sign the certificate

Copy the CSR file to the /tmp/CA directory by typing the following command:
```
cp /root/emailgateway.csr
```
Type ls to confirm that the CSR file is present in the /tmp/CA directory:

Authorize the CSR:

openssl x509 -req -days 365 -in emailgateway.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out emailgateway.crt

List the files in the current directory (type ls) to confirm that the signed certificate file (emailgateway.crt) is present in the /tmp/CA directory.

You now have three TLS certificate and private key files that you can import into the Gateway.

File name	Description	Directory
`emailgateway.key`	The private key file.	`/root`
`emailgateway.crt`	The self-signed TLS certificate file.	`/tmp/CA`
`CA.crt`	The signing certificate file by the Gateway CA.	`/tmp/CA`