Tip

This is the documentation for the 24.06 version.

Generate a Certificate Signing Request

The Certificate Signing Request (CSR) contains a public key derived from the key pair generated in the previous step, plus attributes that uniquely identify the requester. A CSR is signed by a Certificate Authority to generate a certificate.

To generate a CSR, first set values which identify this TNSR instance:

tnsr# pki signing-request settings clear
tnsr# pki signing-request set common-name tnsr-example.netgate.com
tnsr# pki signing-request set subject-alt-names add hostname tnsr-example.netgate.com
tnsr# pki signing-request set country US
tnsr# pki signing-request set state Texas
tnsr# pki signing-request set city Austin
tnsr# pki signing-request set org Netgate
tnsr# pki signing-request set org-unit Engineering Testing 1 2 3

For the Common Name, the best practice is to enter the fully qualified domain name or IP address of the TNSR instance.

Note

This does not have to be a valid public hostname or IP address, but ideally it should uniquely identify this TNSR installation.

For the other fields, enter information about the name and location of the organization controlling this TNSR instance.

A Digest Algorithm is also required to sign the request:

tnsr# pki signing-request set digest sha256

View the values that have been set before generating the request:

tnsr# pki signing-request settings show
Certificate signing request fields:
      common-name: tnsr-example.netgate.com
          country: US
            state: Texas
             city: Austin
              org: Netgate
         org-unit: Engineering Testing 1 2 3
           digest: sha256
subject-alt-names:
         hostname: tnsr-example.netgate.com

Any typos can be corrected by re-running the appropriate set commands.

When all values are correct, generate the request:

Warning

As with the key pair, the request must have the name tnsr-updates.

tnsr# pki signing-request tnsr-updates generate
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

TNSR will print the CSR data to the terminal, as shown above. Copy the text, including the lines containing BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST, and save it to a file.
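
Before the saved file goes to the CA, it can be checked on a workstation to confirm the pasted text is intact and carries the values set above. This is an added example, not part of the TNSR documentation: it assumes the OpenSSL command-line tool is installed, and the helper names, the file name tnsr-updates.csr and the locally generated sample CSR (a constructed stand-in for the text copied from TNSR) are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check a saved CSR before submitting it to a CA.
# check_csr FILE HOSTNAME: returns 0 only if every check passes.
check_csr() {
    csr=$1; want=$2; rc=0
    # 1. Self-signature: shows the request was signed by the matching private
    #    key and that the pasted text was not truncated or altered.
    if openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "ok:   self-signature verifies"
    else
        echo "FAIL: self-signature does not verify"; rc=1
    fi
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null)
    # 2. Digest: the request must be signed with the sha256 digest set on TNSR.
    if printf '%s\n' "$text" | grep -iq 'Signature Algorithm:.*sha256'; then
        echo "ok:   signed with sha256"
    else
        echo "FAIL: digest is not sha256"; rc=1
    fi
    # 3. Common Name, read from the RFC 2253 form of the subject.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 2>/dev/null |
         sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p')
    if [ "$cn" = "$want" ]; then
        echo "ok:   CN=$cn"
    else
        echo "FAIL: CN is '$cn', expected '$want'"; rc=1
    fi
    # 4. subjectAltName must list the same hostname as an exact DNS entry.
    if printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' |
         tail -n 1 | tr -d ' ' | tr ',' '\n' | grep -Fxq "DNS:$want"; then
        echo "ok:   SAN contains DNS:$want"
    else
        echo "FAIL: SAN lacks DNS:$want"; rc=1
    fi
    return "$rc"
}

# make_sample_csr OUTFILE: constructed sample, NOT output from TNSR. Built with
# a throwaway key (written to OUTFILE.key) and the field values from this page.
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$1.key" -out "$1" \
        -subj '/C=US/ST=Texas/L=Austin/O=Netgate/OU=Engineering Testing 1 2 3/CN=tnsr-example.netgate.com' \
        -addext 'subjectAltName=DNS:tnsr-example.netgate.com' 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_csr "$tmp/tnsr-updates.csr"
check_csr "$tmp/tnsr-updates.csr" tnsr-example.netgate.com
```

To check the real request, call check_csr on the file saved from the TNSR terminal with the hostname that was set as the common name.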