1. Download and install OpenSSL-Win32 here: https://slproweb.com/download/Win64OpenSSL-1_1_1g.exe
2. Run the command from in an elevated dos prompt (Run As Administrator):
openssl req –new –nodes –newkey rsa:2048 –keyout myserver.key –out server.csr -config openssl.cfg
Example output fields:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NH
Locality Name (eg, city) :Salem
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Extreme Networks
Organizational Unit Name (eg, section) :IT-DEPT
Common Name (e.g. server FQDN or YOUR name) :controller1.extremenetworks.com
Email Address :email@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :password123
An optional company name :
3. Fill out the fields for the certificate request including the common name, which is the DNS record hostname of the interface this will be applied to.
4. Send the CSR to the Certificate Authority (CA) that you are purchasing the certificate from, and choose “Apache” as your web server.
5. The CA will send you back a certificate file that is chained to their Root CA certificate. Usually the CA has both a Root and Intermediate certificate that is in the cert path.
6. They can usually be downloaded together but on occasion may need to be combined.
7. If you open up the certificates, you can verify that the certificate path of the Root/Intermediate certificate matches the path of the CA signed certificate.
8. When you have the certificate and the Root CA bundle, navigate to:
9. VNS > Topologies > Certificates > Select correct topology > “Replace/Install selected Topology’s certificate and key from separate files”
Browse to the correct files and enter the private key password if generated during CSR process.
- First file is the topology certificate (created by the CA)
- Private key file that was created in OpenSSL process
- Root/Intermediate CA certificate. This states it is optional, but the cert will not be trusted if this is not uploaded.
10. After the certificate is installed, it should show the new date and also a “Yes” indicating it is a CA certificate.