Certificate signing requests (CSRs)

To acquire a server certificate from a Certificate Authority (CA), a certificate signing request (CSR) has to be created and submitted to the CA. You can generate a CSR from within Pexip Infinity, and then upload the returned certificate associated with that request.

You can create a new CSR for any given subject name / node, or if you have an existing certificate already installed on a Pexip Infinity node that you need to replace (for example if it is due to expire) you can create a CSR based on the existing certificate data.

CSRs generated via Pexip Infinity always request client certificate and server certificate capabilities.

This topic covers:

  • Requesting a certificate signing request (CSR) for an existing certificate / subject name
  • Creating a new certificate signing request
  • Uploading the signed certificate associated with a certificate signing request
  • Troubleshooting
  • Modifying a CSR

Requesting a certificate signing request (CSR) for an existing certificate / subject name

You can generate a certificate signing request (CSR) for an existing certificate / subject name, for example if your current certificate is soon due to expire and you want to replace it.

Note that this will generate a CSR containing the same certificate data, common names, subject alternative names (SANs), private key and so on as the current certificate. If you want to change any of this existing data, such as adding a new SAN, you must generate a new CSR via Utilities > Certificate signing requests (see Creating a new certificate signing request).

To generate a CSR for an existing certificate / subject name:

  1. Go to Platform configuration > TLS certificates.
  2. Select the subject name of the certificate for which you want to generate a CSR.

    The certificate data is shown.

  3. Go to the bottom of the page and select Create certificate signing request.

    The CSR is generated and you are taken to the Certificate signing request page.

  4. Scroll to the bottom of the page and select Download.

    This downloads the CSR to your local file system, with a filename in the format <subject-name>.csr.

    Note that the private key is not downloaded, or included within the CSR.

  5. You can now submit this CSR file to your chosen CA for signing.

    The CA will then send you a signed certificate which you can upload into Pexip Infinity (see Uploading the signed certificate associated with a certificate signing request).

Note that you cannot generate a CSR for an existing temporary / self-signed certificate.

If the CSR generation fails with an "It was not possible to automatically create a certificate signing request from this certificate" message, then there was a problem with validating the original certificate data, most likely an invalid subject name or an invalid country code. In this case you will have to create the CSR manually.

Creating a new certificate signing request

To generate a CSR within Pexip Infinity:

  1. Go to Utilities > Certificate signing requests.
  2. Select Add Certificate signing request.
  3. Complete the following fields:

    Subject name

    Select the name to be specified as the Common Name field of the requested certificate's subject. This is typically set to the FQDN of the node on which the certificate is to be installed.

    The available options are prepopulated with the FQDNs (hostname plus domain) of the Management Node and each currently deployed Conferencing Node. The list also includes any SIP TLS FQDN names of your Conferencing Nodes, if such names have been configured and are different from the node's FQDN.

    If you want to specify a custom Common Name instead, select User-provided custom Common Name.

    Custom subject name

    Enter the name that you want to use as the Common Name field of the requested certificate's subject, if you have selected User-provided custom Common Name above.

    Private key type

    Select the type of private key to generate, or select Upload user-provided private key if you want to provide your own private key.

    Default: RSA (2048bit)

    Private key

    Only applies if you have selected Upload user-provided private key above.

    Enter the PEM formatted RSA or ECC private key to use when generating your CSR. You can either paste the key into the input field or upload the private key file from your local file system.

    Subject alternative names

    Select the subject alternative names (SANs) to be included in the CSR. This allows the certificate to be used to secure a server with multiple names (such as a different DNS name), or to secure multiple servers using the same certificate.

    You can choose from the same list of names presented in the Subject name field. Note that the name you choose as the Common Name is automatically included in the generated CSR's list of SANs (even if you remove it from the Subject alternative names list shown here).

    In some deployments it may be more practical to generate a single CSR in which all of your Conferencing Node FQDNs are included in the list of SANs. This means that the same single server certificate returned by the CA can then be assigned to every Conferencing Node.

    When integrating with Microsoft Lync / Skype for Business, SAN entries must be included for every individual Conferencing Node in the public DMZ (public DMZ deployments) or in the trusted application pool (on-prem deployments). See Certificate creation and requirements for Lync / Skype for Business integrations for more information.

    Additional subject alternative names

    Optionally, enter a comma-separated list of additional subject alternative names to include in the CSR.

    For example, when integrating with on-prem Lync / Skype for Business deployments you would typically need to add the trusted application pool FQDN.

    Additional subject fields

    If required you can enter the following additional CSR attributes; these are all blank by default.

    Organization name: the name of your organization.
    Department: the department within your organization.
    City: the city where your organization is located.
    State or Province: the state or province where your organization is located.
    Country: the 2-letter code of the country where your organization is located.

    Advanced

    In most scenarios you should leave the advanced options at their default settings.

    Include Microsoft certificate template extension

    Select this option to specify a (Microsoft-specific) certificate template in the CSR. This is needed when using the Certification Authority MMC snap-in to request a certificate from an enterprise CA. Selecting this option causes the 'WebServer' certificate template to be specified.

    Default: disabled.

    Include Common Name in Subject Alternative Names

    Specifies whether to include the requested subject Common Name in the Subject Alternative Name field of the CSR.

    Default: enabled.

  4. Select Save.

    You are returned to the list of certificate signing requests.

  5. Select the CSR you have just created.

    You are shown the decoded certificate data.

  6. Scroll to the bottom of the page and select Download.

    This downloads the CSR to your local file system, with a filename in the format <subject-name>.csr.

    Note that the private key is not downloaded, or included within the CSR.

  7. You can now submit this CSR file to your chosen CA for signing.

    The CA will then send you a signed certificate which you can upload into Pexip Infinity (see below).
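As an added example (not Pexip code), the openssl equivalent of the fields above, which also shows how to decode a downloaded <subject-name>.csr before submitting it: the Common Name, the SAN list (with the Common Name included, as Pexip adds it automatically), the subject fields, and the absence of any private key. The node FQDNs, the Lync pool name and the subject values are assumed, hypothetical values.

```shell
#!/bin/sh
# Added example (not Pexip code): build a CSR with the same field set as the
# Certificate signing requests page, then decode it the way a CA would see it.
# conf01/conf02.example.com and lyncpool.example.com are hypothetical names.
set -eu
WORK=$(mktemp -d)
CN="conf01.example.com"
# Subject alternative names: the Common Name first (Pexip includes it by default),
# then the other node FQDNs and any "Additional subject alternative names".
SANS="DNS:conf01.example.com,DNS:conf02.example.com,DNS:lyncpool.example.com"

# Private key type: RSA (2048bit), the page's default. The key stays local and is
# never part of the CSR, which is why the .csr file alone is what goes to the CA.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$CN.key" 2>/dev/null

# Additional subject fields map onto the subject DN; Country must be a 2-letter code.
openssl req -new -key "$WORK/$CN.key" -out "$WORK/$CN.csr" \
  -subj "/C=GB/ST=Oxfordshire/L=Oxford/O=Example Org/OU=IT/CN=$CN" \
  -addext "subjectAltName=$SANS"

# Checks worth running on a downloaded CSR: Common Name, SAN list, no key material.
csr_cn()      { openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'; }
csr_sans()    { openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -1 | tr -d ' '; }
csr_has_key() { grep -q 'PRIVATE KEY' "$1" && echo yes || echo no; }

echo "CN:   $(csr_cn "$WORK/$CN.csr")"
echo "SANs: $(csr_sans "$WORK/$CN.csr")"
echo "private key inside CSR: $(csr_has_key "$WORK/$CN.csr")"
```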

Uploading the signed certificate associated with a certificate signing request

When the Certificate Authority sends you a signed certificate in response to your CSR, you can upload that certificate into Pexip Infinity and assign it to one or more of your nodes. Make sure that you upload it via the Certificate signing requests page as this ensures that it is linked with the private key associated with your original CSR.

To upload the signed certificate:

  1. Go to Utilities > Certificate signing requests.
  2. Select the original CSR that is associated with the signed certificate.

    You are shown the decoded certificate data.

  3. Scroll down the page and in the Certificate field either paste the PEM-formatted certificate into the input field or upload the certificate file from your local file system.

    The certificate file that you have obtained from the Certificate Authority typically has a .CRT or .PEM extension. Do not upload your certificate signing request (.CSR file).

  4. Select Complete.

    Providing it is a valid certificate and is based on the original CSR:

    • the certificate is uploaded and automatically linked with the private key associated with your original CSR.
    • if you are uploading a replacement certificate (same subject name and private key) it will replace the existing certificate and maintain any existing node assignments.
    • the original CSR is deleted.
    • you are taken to the Change TLS certificate page.
  5. You can now assign that certificate to the Management Node or one or more Conferencing Nodes as required:

    1. From within the Change TLS certificate page go to the Nodes field and from the Available Nodes list, select the nodes to which you want to assign the certificate and move them into the Chosen Nodes list.
    2. Go to the bottom of the page and select Save.

For more information about assigning certificates to nodes, see Viewing or modifying existing TLS certificates and changing node assignments.

Troubleshooting

This section describes some of the error messages you may see when attempting to upload a signed certificate.

Error message: Certificate and private key do not appear to be part of the same key pair
Possible cause: This most likely means that you have tried to upload the certificate against the wrong CSR.
Resolution: Select the correct CSR and try again.

Error message: Certificate for <subject name> not uploaded. There is already a certificate with this subject, but it uses a different key.
Possible cause: You are trying to upload a replacement for an existing certificate (same subject name), but the CSR for the new certificate was generated using a different private key to that associated with the existing certificate.
Resolution:
  1. Make a note of which nodes are using the existing certificate and then delete that certificate (via Platform configuration > TLS certificates).
  2. Upload the new/replacement certificate (via Utilities > Certificate signing requests).
  3. Assign the uploaded certificate to the appropriate nodes.
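Both errors above come down to the certificate's public key not matching the key behind the selected CSR. Since the downloaded .csr carries the public key, this can be checked locally against the returned .crt before uploading, without the private key. Added example, not Pexip code; the subject name is hypothetical and the "CA-issued" certificate is a self-signed stand-in so the script runs offline.

```shell
#!/bin/sh
# Added example (not Pexip code): confirm a CA-returned certificate carries the
# same public key as the CSR it will be uploaded against. A mismatch is what the
# "do not appear to be part of the same key pair" / "uses a different key"
# errors report. Only the .csr and .crt files are needed, not the private key.
set -eu
WORK=$(mktemp -d)
SUBJ="/C=GB/O=Example Org/CN=conf01.example.com"   # hypothetical node FQDN

# SHA-256 of the DER-encoded public key inside a CSR ($1=csr) or certificate ($1=crt).
pubkey_fp() {
  if [ "$1" = csr ]; then cmd=req; else cmd=x509; fi
  openssl "$cmd" -in "$2" -noout -pubkey \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
# Exit 0 when the certificate matches the CSR it is being uploaded against.
same_key_pair() { [ "$(pubkey_fp csr "$1")" = "$(pubkey_fp crt "$2")" ]; }

# Two CSRs from two different private keys (constructed stand-ins for an original
# CSR "a" and a replacement CSR "b" generated with a new key).
for n in a b; do
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$n.key" 2>/dev/null
  openssl req -new -key "$WORK/$n.key" -subj "$SUBJ" -out "$WORK/$n.csr"
done
# Stand-in for the CA's answer to CSR "a". Self-signed here so the example runs
# offline; a real CA signs with its own key but certifies the CSR's public key.
openssl x509 -req -in "$WORK/a.csr" -signkey "$WORK/a.key" -days 1 -out "$WORK/a.crt" 2>/dev/null

if same_key_pair "$WORK/a.csr" "$WORK/a.crt"; then
  echo "a.crt matches a.csr: upload it against CSR a"
fi
if ! same_key_pair "$WORK/b.csr" "$WORK/a.crt"; then
  echo "a.crt does not match b.csr: wrong CSR selected, or CSR b used a new key"
fi
```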

Modifying a CSR

After a CSR has been created it cannot be modified — the only available actions are to download it (for sending to a CA), or to apply the returned, signed certificate that is associated with that request.

If you need to change the content of a CSR, you should delete the original CSR and create a new CSR with the correct content.

Note that a CSR is automatically deleted when the resulting signed certificate is uploaded.