XTR: Generating a Certificate Signed by a Certificate Authority
To generate a certificate signed by a certificate authority, you must first create a Certificate Request.
The steps below assume that the XYGATETR installation is located at $SYSTEM.XYGATETR
1. Edit SSLTRCFG. SSLTRCFG is located in the XYGATETR subvolume. Make sure the following lines are set to the proper values for your
state/country/organization (customizations in red)
Example:
key=rsa
key_length=2048
country=ZZ
state=State
locality=Internet
organization=World Technology Corporation
organizational_unit=World Technology Corporation Root CA
common_name=World Technology Corporation Root CA
days=730
CA_cert=$SYSTEM.XYGATETR.SSLCACRT
CA_key=$SYSTEM.XYGATETR.SSLCAKEY
2. Create a Certificate Request (CSR). From the XYGATETR subvolume:
RUN XYCERT -cfg:<file> <option> <option> <option> <option>
Where the command line options are:
| -cfg:<file> | This is the configuration file that contains a set of parameters used when creating a certificate request. Refer to the table below for the configuration (-cfg) file contents. |
| -new | Create a new public/private-key pair and a certificate request. |
| -passout:<pass> | Specifies the password being used to protect the private-key file. |
| -out:<file> | Specifies the name of the file that will contain the certificate request. |
| -keyout:<file> | Specifies the name of the output file that will contain the private key. |
| -outform:<form> | Specifies the name the format for the -out file. The options are der (distinguished encoding rules) or pem (privacy-enhanced mail). |
| -q | Quiet (optional), means do not print messages. |
| -pklab:<label> | This (optional) entry specifies the Private Key Label. |
| -keyset | Store the new private key in the existing keyout file. |
Appendix D, Creating and Managing SSL Certificates in the XYGATE Transaction Router v2.28 manual contains more information on these options, as well as information on valid configuration file information for both certificates signed by a certificate authority or self-signed certificates.
Example:
Run xycert -cfg:ssltrcfg -new -passout:12345678 -out:ssltrcsr -keyout:ssltrkey -outform:pem
Where -cfg: is the configuration file
-new means create a new public/private-key pair and a certificate request.
-passout is the password being used to protect the private-key file
-out is the name of the file that will contain the certificate request
-keyout is the name of the file that will contain the private key
-outform specifies the format for the -out file, e.g. der or pem
3. Download the -out file (in binary format) to send to the Certificate Authority.
4. Once the Certificate Authority returns the signed certificate, upload to the XYGATETR subvolume (in binary format) as SSLTRCRT.
If this article did not provide a solution, please open a case with our support team by sending an email message to support@xypro.com.