Certificate signing requests (CSRs)

To acquire a server certificate from a Certificate Authority (CA), a certificate signing request (CSR) has to be created and submitted to the CA. You can generate a CSR from within Pexip Infinity, and then upload the returned certificate associated with that request.

CSRs generated via Pexip Infinity always request client certificate and server certificate capabilities.

Creating a certificate signing request

To generate a CSR within Pexip Infinity:

  1. Go to Utilities > Certificate signing requests.
  2. Select Add Certificate signing request.

  3. Complete the following fields:

    Subject name

    Select the name to be specified as the Common Name field of the requested certificate's subject. This is typically set to the FQDN of the node on which the certificate is to be installed.

    The available options are prepopulated with the FQDNs (hostname plus domain) of the Management Node and each currently deployed Conferencing Node. The list also includes any SIP TLS FQDN names of your Conferencing Nodes, if such names have been configured and are different from the node's FQDN.

    If you want to specify a custom Common Name instead, select User-provided custom Common Name.
    Custom subject name Enter the name that you want to use as the Common Name field of the requested certificate's subject, if you have selected User-provided custom Common Name above.
    Private key type

    Select the type of private key to generate, or select Upload user-provided private key if you want to provide your own private key.

    Default: RSA (2048bit)
    Private key

    Only applies if you have selected Upload user-provided private key above.

    Enter the PEM formatted RSA or ECC private key to use when generating your CSR. You can either paste the key into the input field or upload the private key file from your local file system.
    Subject alternative names

    Select the subject alternative names (SANs) to be included in the CSR. This allows the certificate to be used to secure a server with multiple names (such as a different DNS name), or to secure multiple servers using the same certificate.

    You can choose from the same list of names presented in the Subject name field. Note that the name you choose as the Common Name is automatically included in the generated CSR's list of SANs (even if you remove it from the Subject alternative names list shown here).

    In some deployments it may be more practical to generate single CSR in which all of your Conferencing Node FQDNs are included in the list of SANs. This means that the same single server certificate returned by the CA can then be assigned to every Conferencing Node.

    When integrating with Microsoft Lync / Skype for Business, SAN entries must be included for every individual Conferencing Node in the public DMZ (public DMZ deployments) or in the trusted application pool (on-prem deployments). See Certificate creation and requirements for Lync / Skype for Business integrations more information.
    Additional subject alternative names

    Optionally, enter a comma-separated list of additional subject alternative names to include in the CSR.

    For example, when integrating with on-prem Lync / Skype for Business deployments you would typically need to add the trusted application pool FQDN.
    Additional subject fields
    (if required you can enter the following additional CSR attributes; these are all blank by default)
    Organization name The name of your organization.
    Department The department within your organization.
    City The city where your organization is located.
    State or Province The state or province where your organization is located.
    Country The 2 letter code of the country where your organization is located.
    Advanced
    (in most scenarios you should leave the advanced options to their default settings)
    Include Microsoft certificate template extension

    Select this option to specify a (Microsoft-specific) certificate template in the CSR. This is needed when using the Certification Authority MMC snap-in to request a certificate from an enterprise CA. Selecting this option causes the 'WebServer' certificate template to be specified.

    Default: disabled.
    Include Common Name in Subject Alternative Names

    Specifies whether to include the requested subject Common Name in the Subject Alternative Name field of the CSR.

    Default: enabled.

  4. Select Save.

    You are returned to the list of certificate signing requests.

  5. Select the CSR you have just created.

    You are shown the decoded certificate data.

  6. Scroll to the bottom of the page and select Download.

    This downloads the CSR to your local file system, with a filename in the format <subject-name>.csr.

    Note that the private key is not downloaded, or included within the CSR.

  7. You can now submit this CSR file to your chosen CA for signing.

    The CA will then send you a signed certificate which you can upload into Pexip Infinity (see below).

Uploading the signed certificate associated with a certificate signing request

When the Certificate Authority sends you a signed certificate in response to your CSR, you can upload that certificate into Pexip Infinity and assign it to one or more of your nodes. Make sure that you upload it via the Certificate signing requests page as this ensures that it is linked with the private key associated with your original CSR.

To upload the signed certificate:

  1. Go to Utilities > Certificate signing requests.

  2. Select the original CSR that is associated with the signed certificate.

    You are shown the decoded certificate data.

  3. Scroll down the page and in the Certificate field either paste the PEM-formatted certificate into the input field or upload the certificate file from your local file system.

    The certificate file that you have obtained from the Certificate Authority typically has a .CRT or .PEM extension. Do not upload your certificate signing request (.CSR file).

  4. Select Complete.

    Providing it is a valid certificate and is based on the original CSR:

    • the certificate is uploaded and automatically linked with the private key associated with your original CSR
    • the original CSR is deleted
    • you are taken to the Change TLS certificate page.
  5. You can now assign that certificate to the Management Node or one of more Conferencing Nodes as required:
    1. From within the Change TLS certificate page go to the Nodes field and from the Available Nodes list, select the nodes to which you want to assign the certificate and move them into the Chosen Nodes list.
    2. Go to the bottom of the page and select Save.

For more information about assigning certificates to nodes, see Viewing or modifying existing TLS certificates and changing node assignments.

Troubleshooting

If you receive an error message "Certificate and private key do not appear to be part of the same key pair" when attempting to upload a signed certificate, this most likely means that you have tried to upload the certificate against the wrong CSR.

Modifying a CSR

After a CSR has been created it cannot be modified — the only available actions are to download it (for sending to a CA), or to apply the returned, signed certificate that is associated with that request.

If you need to change the content of a CSR, you should delete the original CSR and create a new CSR with the correct content.

Note that a CSR is automatically deleted when the resulting signed certificate is uploaded.

© 2017 Pexip AS v15.1