Certificate signing requests (CSRs)

To acquire a server certificate from a Certificate Authority (CA), a certificate signing request (CSR) has to be created and submitted to the CA. You can generate a CSR from within Pexip Infinity, and then upload the returned certificate associated with that request.

You can create a new CSR for any subject name / node. If a certificate is already installed on a Pexip Infinity node and needs to be replaced (for example because it is due to expire), you can instead create a CSR based on the existing certificate data.

CSRs generated via Pexip Infinity always request both the server authentication and client authentication extended key usages (serverAuth and clientAuth), so the resulting certificate can be used whether the node acts as a TLS server or as a TLS client.

This topic covers:

  • Requesting a certificate signing request (CSR) for an existing certificate / subject name
  • Creating a new certificate signing request
  • Uploading the signed certificate associated with a certificate signing request
  • Troubleshooting
  • Modifying a CSR

Requesting a certificate signing request (CSR) for an existing certificate / subject name

You can generate a certificate signing request (CSR) for an existing certificate / subject name, for example if your current certificate is soon due to expire and you want to replace it. Before generating the CSR you can change the certificate data to be included in the new request, such as adding extra subject alternative names (SANs) to those already present in the existing certificate.

To generate a CSR for an existing certificate / subject name:

  1. Go to Platform configuration > TLS certificates.
  2. Select the subject name of the certificate for which you want to generate a CSR.

    The certificate data is shown.

  3. Go to the bottom of the page and select Create certificate signing request.

    You are taken to the Add Certificate signing request page, and the CSR data is defaulted to the contents of the certificate you selected.

  4. If required you can change the certificate data, such as the subject alternative names (SANs) and subject fields.

    Note that you cannot change the private key: the CSR uses the same private key as the original certificate. If that key may have been compromised, or you want a different key type or size, create a new CSR instead (see Creating a new certificate signing request below) so that a fresh key is generated.

  5. Select Save.

    The CSR is generated and you are taken to the Change Certificate signing request page.

  6. Select Download.

    This downloads the CSR to your local file system, with a filename in the format <subject-name>.csr.

    Note that the private key is not downloaded and is not included within the CSR. The CSR carries only the public key; it is signed with the private key to prove possession.

  7. You can now submit this CSR file to your chosen CA for signing.

    The CA will then send you a signed certificate which you can upload into Pexip Infinity (see Uploading the signed certificate associated with a certificate signing request).

Note that you cannot generate a CSR for an existing temporary / self-signed certificate.

If the CSR generation fails with an "It was not possible to automatically create a certificate signing request from this certificate" message, there was a problem validating the original certificate data, most likely an invalid subject name or an invalid country code. In this case you have to create the CSR manually (see Creating a new certificate signing request below).

Creating a new certificate signing request

To generate a CSR within Pexip Infinity:

  1. Go to Utilities > Certificate signing requests.
  2. Select Add Certificate signing request.
  3. Complete the following fields:

    TLS Certificate

    Create non-renewal CSR is selected by default. This lets you create a new CSR.

    To create a renewal CSR based on an existing certificate, choose a different subject name / issuer from the list (in which case the subject name and private key fields below are not displayed).

    Subject name

    Select the name to be specified as the Common Name field of the requested certificate's subject. This is typically set to the FQDN of the node on which the certificate is to be installed.

    The available options are prepopulated with the FQDNs (hostname plus domain) of the Management Node and each currently deployed Conferencing Node. The list also includes any SIP TLS FQDN names of your Conferencing Nodes, if such names have been configured and are different from the node's FQDN.

    If you want to specify a custom Common Name instead, select User-provided custom Common Name.

    Custom subject name

    Enter the name that you want to use as the Common Name field of the requested certificate's subject, if you have selected User-provided custom Common Name above.

    Private key type

    Select the type of private key to generate, or select Upload user-provided private key if you want to provide your own private key.

    Default: RSA (2048-bit)

    Private key

    Only applies if you have selected Upload user-provided private key above.

    Enter the PEM formatted RSA or ECC private key to use when generating your CSR. You can either paste the key into the input field or upload the private key file from your local file system.

    Private key passphrase

    Only applies if you have selected Upload user-provided private key above.

    If the private key is encrypted, you must also supply the associated passphrase.

    Subject alternative names

    Select the subject alternative names (SANs) to be included in the CSR. This allows the certificate to be used to secure a server with multiple names (such as a different DNS name), or to secure multiple servers using the same certificate.

    You can choose from the same list of names presented in the Subject name field. Note that the name you choose as the Common Name is automatically included in the generated CSR's list of SANs (even if you remove it from the Subject alternative names list shown here).

    In some deployments it may be more practical to generate a single CSR in which all of your Conferencing Node FQDNs are included in the list of SANs. This means that the same single server certificate returned by the CA can then be assigned to every Conferencing Node.

    When integrating with Microsoft Skype for Business / Lync, SAN entries must be included for every individual Conferencing Node in the public DMZ (public DMZ deployments) or in the trusted application pool (on-prem deployments). See Certificate creation and requirements for Skype for Business / Lync integrations for more information.

    Additional subject alternative names

    Optionally, enter a comma-separated list of additional subject alternative names to include in the CSR. For example:

    • When receiving SIP or Skype for Business / Lync (MS-SIP) calls, the certificate on the Conferencing Node receiving the call should include the domain names (e.g. vc.example.com) that appear in any DNS SRV records used to route calls to those Conferencing Nodes, because that is the name the calling system validates the certificate against.
    • When integrating with on-prem Skype for Business / Lync deployments you would typically need to add the trusted application pool FQDN.
    Additional subject fields

    If required you can enter the following additional CSR attributes; these are all blank by default.

    • Organization name: the name of your organization.
    • Department: the department within your organization (the Organizational Unit).
    • City: the city where your organization is located.
    • State or Province: the state or province where your organization is located.
    • Country: the 2-letter ISO 3166-1 code of the country where your organization is located. An invalid code here is one of the reasons a CSR cannot be created automatically from an existing certificate.

    Advanced

    In most scenarios you should leave the advanced options at their default settings.

    Include Microsoft certificate template extension

    Select this option to specify a (Microsoft-specific) certificate template in the CSR. This is needed when using the Certification Authority MMC snap-in to request a certificate from an enterprise CA. Selecting this option adds the Microsoft certificate template name extension (OID 1.3.6.1.4.1.311.20.2) with the value 'WebServer' to the CSR.

    Default: disabled.

    Include Common Name in Subject Alternative Names

    Specifies whether to include the requested subject Common Name in the Subject Alternative Name field of the CSR. Most current TLS clients match the presented hostname against the SAN list only and ignore the Common Name, so leave this enabled unless your CA requires otherwise.

    Default: enabled.

  4. Select Save.

    You are taken to the Change Certificate signing request page.

  5. Select Download.

    This downloads the CSR to your local file system, with a filename in the format <subject-name>.csr.

    Note that the private key is not downloaded, or included within the CSR.

  6. You can now submit this CSR file to your chosen CA for signing.

    The CA will then send you a signed certificate which you can upload into Pexip Infinity (see below).
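The following is an added example, written for this page with Go's standard crypto/x509 library; it is not Pexip's own code and does not reflect how Pexip Infinity builds its CSRs internally. BuildCSR produces what the form above describes: a Common Name, a SAN list with the Common Name placed first when "Include Common Name in Subject Alternative Names" is enabled, and the serverAuth and clientAuth extended key usages that every Pexip-generated CSR requests. InspectCSR is the check worth running on the downloaded .csr before it goes to the CA: it confirms the self-signature, the names, the key type and the requested usages. The same builder covers the renewal case in the previous section, where the Subject and DNSNames come from the parsed existing certificate and the signer is the key you already hold. The node name conf01.example.com, the SAN vc.example.com and the P-256 key are illustrative.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"fmt"
)

// extendedKeyUsage (2.5.29.37) with serverAuth and clientAuth: the page says
// every Pexip-generated CSR requests both, so the builder always adds them.
var (
	oidExtKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}
	oidServerAuth  = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1}
	oidClientAuth  = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2}
)

// BuildCSR mirrors the Add Certificate signing request form: cn is the Common
// Name, sans the selected plus additional DNS names, includeCN the "Include
// Common Name in Subject Alternative Names" option (CN first, never duplicated).
// Only the request is serialised; the private key stays with the caller.
func BuildCSR(cn string, sans []string, includeCN bool, key crypto.Signer) ([]byte, error) {
	var names []string
	if includeCN {
		names = append(names, cn)
	}
	for _, n := range sans {
		if !(includeCN && n == cn) {
			names = append(names, n)
		}
	}
	eku, _ := asn1.Marshal([]asn1.ObjectIdentifier{oidServerAuth, oidClientAuth}) // fixed OIDs, cannot fail
	tmpl := &x509.CertificateRequest{
		Subject:         pkix.Name{CommonName: cn},
		DNSNames:        names,
		ExtraExtensions: []pkix.Extension{{Id: oidExtKeyUsage, Value: eku}},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// CSRSummary holds the fields worth checking before the .csr goes to the CA.
type CSRSummary struct {
	CommonName string
	SANs       []string
	KeyType    string // Go type of the public key, e.g. "*ecdsa.PublicKey"
	ServerAuth bool
	ClientAuth bool
}

// InspectCSR parses a PEM CSR, verifies its self-signature (proof that the
// requester holds the matching private key) and summarises it.
func InspectCSR(pemBytes []byte) (CSRSummary, error) {
	var s CSRSummary
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return s, errors.New("input is not a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return s, err
	}
	if err := csr.CheckSignature(); err != nil {
		return s, fmt.Errorf("CSR signature invalid: %w", err)
	}
	s.CommonName, s.SANs = csr.Subject.CommonName, csr.DNSNames
	s.KeyType = fmt.Sprintf("%T", csr.PublicKey)
	for _, ext := range csr.Extensions {
		if !ext.Id.Equal(oidExtKeyUsage) {
			continue
		}
		var usages []asn1.ObjectIdentifier
		if _, err := asn1.Unmarshal(ext.Value, &usages); err != nil {
			return s, fmt.Errorf("bad extendedKeyUsage: %w", err)
		}
		for _, u := range usages {
			s.ServerAuth = s.ServerAuth || u.Equal(oidServerAuth)
			s.ClientAuth = s.ClientAuth || u.Equal(oidClientAuth)
		}
	}
	return s, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // hypothetical node key
	csr, _ := BuildCSR("conf01.example.com", []string{"vc.example.com"}, true, key)
	s, err := InspectCSR(csr)
	fmt.Printf("%s%+v %v\n", csr, s, err)
}
```

The summary is what to compare against the form you filled in: the Common Name, every Conferencing Node FQDN and SRV domain you expect in the SAN list, the key type you selected, and both extended key usages. A CSR whose self-signature fails to verify should never be sent on; it means the request and the key do not belong together.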

Uploading the signed certificate associated with a certificate signing request

When the Certificate Authority sends you a signed certificate in response to your CSR, you can upload that certificate into Pexip Infinity and assign it to one or more of your nodes. Make sure that you upload it via the Certificate signing requests page as this ensures that it is linked with the private key associated with your original CSR.

To upload the signed certificate:

  1. Go to Utilities > Certificate signing requests.
  2. Select the original CSR that is associated with the signed certificate.

    You are taken to the Change Certificate signing request page.

  3. In the Certificate field either paste the PEM-formatted certificate into the input field or upload the certificate file from your local file system.

    The certificate file that you have obtained from the Certificate Authority typically has a .CRT or .PEM extension. Do not upload your certificate signing request (.CSR file).

  4. Select Complete.

    Providing it is a valid certificate and is based on the original CSR:

    • the certificate is uploaded and automatically linked with the private key associated with your original CSR.
    • if you are uploading a replacement certificate (same subject name and private key) it will replace the existing certificate and maintain any existing node assignments.
    • the original CSR is deleted.
    • you are taken to the Change TLS certificate page.
  5. You can now assign that certificate to the Management Node or one or more Conferencing Nodes as required:

    1. From within the Change TLS certificate page go to the Nodes field and from the Available Nodes list, select the nodes to which you want to assign the certificate and move them into the Chosen Nodes list.
    2. Go to the bottom of the page and select Save.

For more information about assigning certificates to nodes, see Viewing or modifying existing TLS certificates and changing node assignments.

Troubleshooting

This section describes some of the error messages you may see when attempting to upload a signed certificate.

Error message: Certificate and private key do not appear to be part of the same key pair
Possible cause: This most likely means that you have tried to upload the certificate against the wrong CSR.
Resolution: Select the correct CSR and try again.
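The check behind that error, as an added example written for this page in Go (not Pexip's code, and not a description of how Pexip Infinity implements it): KeyMatchesCert compares the SubjectPublicKeyInfo of the uploaded certificate with the public half of the private key held for the selected CSR. It also rejects a PEM block that is not a CERTIFICATE, which is what happens when the .csr file is uploaded in place of the signed .crt/.pem. The self-signed certificate and the P-256 keys are constructed stand-ins for the CA-returned certificate and the keys behind two different CSRs.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// KeyMatchesCert reports whether certPEM's public key is the public half of
// keyPEM, the check behind "Certificate and private key do not appear to be
// part of the same key pair". Accepts RSA PKCS#1, SEC 1 EC or PKCS#8 key PEM.
func KeyMatchesCert(certPEM, keyPEM []byte) (bool, error) {
	cb, _ := pem.Decode(certPEM)
	if cb == nil || cb.Type != "CERTIFICATE" {
		// Also catches the .csr being uploaded in place of the .crt/.pem.
		return false, errors.New("certificate input is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return false, err
	}
	kb, _ := pem.Decode(keyPEM)
	if kb == nil {
		return false, errors.New("private key input is not PEM")
	}
	var priv crypto.Signer
	switch kb.Type {
	case "RSA PRIVATE KEY":
		priv, err = x509.ParsePKCS1PrivateKey(kb.Bytes)
	case "EC PRIVATE KEY":
		priv, err = x509.ParseECPrivateKey(kb.Bytes)
	case "PRIVATE KEY": // PKCS#8, either algorithm
		var k interface{}
		if k, err = x509.ParsePKCS8PrivateKey(kb.Bytes); err == nil {
			priv, _ = k.(crypto.Signer)
		}
	default:
		return false, fmt.Errorf("unsupported private key block %q", kb.Type)
	}
	if err != nil || priv == nil {
		return false, fmt.Errorf("cannot use private key: %v", err)
	}
	// Same SubjectPublicKeyInfo bytes means same key pair, for RSA or ECC alike.
	want, err := x509.MarshalPKIXPublicKey(priv.Public())
	if err != nil {
		return false, err
	}
	got, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
	if err != nil {
		return false, err
	}
	return bytes.Equal(want, got), nil
}

// SelfSignedCertPEM stands in for the certificate a CA would return for key;
// a throwaway self-signed one is enough to exercise the check.
func SelfSignedCertPEM(cn string, key *ecdsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// ECKeyPEM serialises key as a SEC 1 "EC PRIVATE KEY" block.
func ECKeyPEM(key *ecdsa.PrivateKey) []byte {
	der, _ := x509.MarshalECPrivateKey(key) // cannot fail for a P-256 key
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})
}

func main() {
	csrKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)   // key behind the CSR we sent
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key behind some other CSR
	cert, _ := SelfSignedCertPEM("conf01.example.com", csrKey)
	fmt.Println(KeyMatchesCert(cert, ECKeyPEM(csrKey)))   // true <nil>
	fmt.Println(KeyMatchesCert(cert, ECKeyPEM(otherKey))) // false <nil>
}
```

Comparing the DER-encoded public keys rather than individual fields keeps the test algorithm-agnostic, so the same routine serves an RSA CSR and an ECC CSR. When the comparison fails against the CSR you believe is correct, look for a second CSR with the same subject name: renewing and re-creating a request for the same node leaves two entries, each with its own key.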

Modifying a CSR

After a CSR has been created it cannot be modified — the only available actions are to download it (for sending to a CA), or to apply the returned, signed certificate that is associated with that request.

If you need to change the content of a CSR, you should delete the original CSR and create a new CSR with the correct content.

Note that a CSR is automatically deleted when the resulting signed certificate is uploaded.