
Step by Step guide to create a X.509 certificate with extended properties using KMS

Created: 08 Apr 2011
Andreas Zengel

This step-by-step example shows you how to generate a new key and then request an X.509 certificate for a TLS/SSL server based on this key from PGP Key Management Server.
It creates an SKM key (private key material stored on PGP KMS), and the certificate is issued to a hostname.

After those steps are finished, the certificate is available as a PKCS#7 file (Machine1_0xFBEBEEE8.crt) and as a PKCS#12 file including the private key (Machine1_0xFBEBEEE8.pfx).
Use the PGP Universal Server Management console and go to Consumers - Users - Add Users - Internal User - Manual Creation.
Create a new device consumer named "Machine1" with passphrase "password".
Open the policy settings for this user's consumer policy, go to General - Edit Preferences and select "Consumer Policy General Options".
Now set the advanced preference named "autoIssueCerts" to boolean false.
Under Consumer Policy - Keys - Certificates you can set advanced certificate properties and attributes.
Assign the following permission to this consumer:
 Can create managed key
Steps to perform via PGP Command Line
1. Authenticate the consumer and cache authentication

 pgp --usp-server --auth-username Machine1 --auth-passphrase password --usp-cache-auth
 returns: cache auth (0:Authentication cached) 

2. Create a new key, without subkeys

 pgp --gen-key "SSL Certificate Key" --bits 2048 --key-type rsa-sign-only --passphrase ""
 0xFBEBEEE8:generate key (0:key successfully generated) 

3. Add additional key usages to this key

 pgp --set-key-flag --key-flag encrypt-and-sign 0xFBEBEEE8 --passphrase ""
 0xFBEBEEE8:set key flag (0:flags updated successfully) 

4. Export this key

 pgp --export-key-pair 0xFBEBEEE8 -o 0xFBEBEEE8.asc
 0xFBEBEEE8:export key pair (0:key exported to 0xFBEBEEE8.asc) 

5. Import the key as SKM in PGP Key Management Server

 pgp --usp-server --import-mak 0xFBEBEEE8.asc  
 SSL Certificate Key:import MAK (0:key imported as ca5282ba-3387-4c1a-9c37-3603b9785e99 SSL Certificate Key) 

6. Create an advanced certificate signing request

 pgp --export 0xFBEBEEE8 --export-format csr -o 0xFBEBEEE8.csr --passphrase "" --common-name "" --organization "Senderdomain" --city "Menlo Park" --state "California" --country "US" --organizational-unit "Sales Organization" --organizational-unit "Field Engineering"
 0xFBEBEEE8:export key (0:key exported to 0xFBEBEEE8.csr)

7. Send the certificate request to Universal Server (MAK UUID from step 5, CSR filename from step 6)

 pgp --usp-server  --request-cert ca5282ba-3387-4c1a-9c37-3603b9785e99 --cert-file 0xFBEBEEE8.csr
 SSL Certificate Key:MAK request certificate (0:CSR imported from 0xFBEBEEE8.csr) 

8. (optional) Issue the certificate on Universal Server (MAK UUID from step 5)

 pgp --usp-server --edit-mak ca5282ba-3387-4c1a-9c37-3603b9785e99 --import-certificates --passphrase ""

9. Download the modified MAK including the new cert (MAK UUID from step 5, new filename containing keyid from step 2)

 pgp --usp-server --export-mak ca5282ba-3387-4c1a-9c37-3603b9785e99 -o "0xFBEBEEE8_new.asc"
 0xFBEBEEE8:export MAK (0:key exported to 0xFBEBEEE8_new.asc) 

10. Import the updated MAK into the keyring (filename from step 9)

 pgp --import -i "0xFBEBEEE8_new.asc"
 0xFBEBEEE8_new.asc:import key (0:key imported as 0xFBEBEEE8 SSL Certificate Key) 

11. Export certificate (keyid from step 2, filename for exported certificate)

 pgp --export 0xFBEBEEE8 --export-format x509-cert -o "Machine1_0xFBEBEEE8.crt"
 0xFBEBEEE8:export key (0:key exported to Machine1_0xFBEBEEE8.crt) 

12. Export certificate as PKCS12 file (keyid from step 2, filename for exported pkcs12 file)

 pgp --export-key-pair 0xFBEBEEE8 --export-format pkcs12 --passphrase "" --export-passphrase "password" -o "Machine1_0xFBEBEEE8.pfx"
 0xFBEBEEE8:export key pair (0:key exported to Machine1_0xFBEBEEE8.pfx) 
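The twelve steps above chain values by hand: the key ID printed in step 2 and the MAK UUID printed in step 5 are retyped into every later command. The script below is an added example, not part of the original article, that parses those values from the status lines pgp prints (their format is taken from the outputs shown above) and then inspects the issued certificate with openssl. It assumes pgp and openssl are on PATH, that pgp writes its status line to stdout or stderr, and that the common name passed as the fourth argument is the hostname the certificate is for (the article leaves it empty).

```shell
#!/bin/sh
# Added example: drive steps 1-12 with the key ID and MAK UUID parsed from
# pgp's own status lines. Assumes the "pgp" and "openssl" binaries are on PATH.
set -eu

# Status lines look like "0xFBEBEEE8:generate key (0:key successfully generated)".
# Print the leading key ID; fail if the status code in parentheses is not 0.
extract_keyid() {
    printf '%s\n' "$1" |
      sed -n 's/^\(0x[0-9A-Fa-f]\{8\}\):.*(0:.*)[[:space:]]*$/\1/p' | grep .
}

# "...import MAK (0:key imported as <uuid> SSL Certificate Key)" -> the UUID.
extract_mak_uuid() {
    printf '%s\n' "$1" |
      sed -n 's/.*(0:key imported as \([0-9a-f-]\{36\}\) .*/\1/p' | grep .
}

# Usage: run_workflow <consumer> <passphrase> <key name> <hostname for CN>
run_workflow() {
    consumer=$1 pass=$2 keyname=$3 cn=$4
    pgp --usp-server --auth-username "$consumer" --auth-passphrase "$pass" --usp-cache-auth
    keyid=$(extract_keyid "$(pgp --gen-key "$keyname" --bits 2048 \
              --key-type rsa-sign-only --passphrase "" 2>&1)")
    pgp --set-key-flag --key-flag encrypt-and-sign "$keyid" --passphrase ""
    pgp --export-key-pair "$keyid" -o "$keyid.asc"
    mak=$(extract_mak_uuid "$(pgp --usp-server --import-mak "$keyid.asc" 2>&1)")
    pgp --export "$keyid" --export-format csr -o "$keyid.csr" --passphrase "" \
        --common-name "$cn" --organization "Senderdomain" --country "US"
    pgp --usp-server --request-cert "$mak" --cert-file "$keyid.csr"
    pgp --usp-server --edit-mak "$mak" --import-certificates --passphrase ""
    pgp --usp-server --export-mak "$mak" -o "${keyid}_new.asc"
    pgp --import -i "${keyid}_new.asc"
    pgp --export "$keyid" --export-format x509-cert -o "${consumer}_$keyid.crt"
    pgp --export-key-pair "$keyid" --export-format pkcs12 --passphrase "" \
        --export-passphrase "$pass" -o "${consumer}_$keyid.pfx"
    inspect_cert "${consumer}_$keyid.crt"
}

# Show what was actually issued: subject, validity and key usage of the
# certificate in the exported PKCS#7 file (tries PEM first, then DER; the
# article does not say which encoding pgp writes).
inspect_cert() {
    { openssl pkcs7 -print_certs -in "$1" 2>/dev/null ||
      openssl pkcs7 -inform DER -print_certs -in "$1"; } |
      openssl x509 -noout -text |
      grep -E -A1 'Subject:|Not (Before|After)|Key Usage'
}
```

Run it as `run_workflow Machine1 password "SSL Certificate Key" machine1.example.com` after sourcing the file; a non-zero pgp status code in any parsed line stops the script instead of feeding an empty ID into the next step.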

The attached file contains the same steps as a plain text file.