This step-by-step example shows how to generate a new key and then request an X.509 certificate for a TLS/SSL server, based on that key, from PGP Key Management Server.
It creates an SKM key (private key material stored on PGP KMS), and the certificate is issued to a hostname.
After these steps are finished, the certificate is available as a PKCS#7 file (Machine1_0xFBEBEEE8.crt) and as a PKCS#12 file that includes the private key (Machine1_0xFBEBEEE8.pfx).
Preparation
Use PGP Universal Server Management console and go to Consumers-Users-Add Users-Internal User-Manual Creation
Create a new device consumer named "Machine1" with passphrase "password".
Open the policy settings for this user's consumer policy, go to General - Edit Preferences and select "Consumer Policy General Options".
Now set the advanced preference named "autoIssueCerts" to boolean false.
Under Consumer Policy - Keys - Certificates you can set advanced certificate properties and attributes.
Assign the following permissions for this consumer:
Can create managed key
Steps to perform via PGP Command Line
1. Authenticate the consumer and cache authentication
pgp --usp-server keys.senderdomain.com --auth-username Machine1 --auth-passphrase password --usp-cache-auth
returns:
keys.senderdomain.com:USP cache auth (0:Authentication cached)
2. Create a new key, without subkeys
pgp --gen-key "SSL Certificate Key" --bits 2048 --key-type rsa-sign-only --passphrase ""
returns:
0xFBEBEEE8:generate key (0:key successfully generated)
3. Add additional key usages to this key
pgp --set-key-flag --key-flag encrypt-and-sign 0xFBEBEEE8 --passphrase ""
returns:
0xFBEBEEE8:set key flag (0:flags updated successfully)
4. Export this key
pgp --export-key-pair 0xFBEBEEE8 -o 0xFBEBEEE8.asc
returns:
0xFBEBEEE8:export key pair (0:key exported to 0xFBEBEEE8.asc)
5. Import the key as SKM in PGP Key Management Server
pgp --usp-server keys.senderdomain.com --import-mak 0xFBEBEEE8.asc
returns:
SSL Certificate Key:import MAK (0:key imported as ca5282ba-3387-4c1a-9c37-3603b9785e99 SSL Certificate Key)
6. Create an advanced certificate signing request
pgp --export 0xFBEBEEE8 --export-format csr -o 0xFBEBEEE8.csr --passphrase "" --common-name "machine1.senderdomain.com" --organization "Senderdomain" --city "Menlo Park" --state "California" --country "US" --organizational-unit "Sales Organization" --organizational-unit "Field Engineering"
returns:
0xFBEBEEE8:export key (0:key exported to 0xFBEBEEE8.csr)
7. Send the certificate request to Universal Server (MAK UUID from step 5, CSR filename from step 6)
pgp --usp-server keys.senderdomain.com --request-cert ca5282ba-3387-4c1a-9c37-3603b9785e99 --cert-file 0xFBEBEEE8.csr
returns:
SSL Certificate Key:MAK request certificate (0:CSR imported from 0xFBEBEEE8.csr)
8. (optional) Issue the certificate on Universal Server (MAK UUID from step 5)
pgp --usp-server keys.senderdomain.com --edit-mak ca5282ba-3387-4c1a-9c37-3603b9785e99 --import-certificates --passphrase ""
9. Download the modified MAK including the new cert (MAK UUID from step 5, new filename containing keyid from step 2)
pgp --usp-server keys.senderdomain.com --export-mak ca5282ba-3387-4c1a-9c37-3603b9785e99 -o "0xFBEBEEE8_new.asc"
returns:
0xFBEBEEE8:export MAK (0:key exported to 0xFBEBEEE8_new.asc)
10. Import the updated MAK into the keyring (filename from step 9)
pgp --import -i "0xFBEBEEE8_new.asc"
returns:
0xFBEBEEE8_new.asc:import key (0:key imported as 0xFBEBEEE8 SSL Certificate Key)
11. Export certificate (keyid from step 2, filename for exported certificate)
pgp --export 0xFBEBEEE8 --export-format x509-cert -o "Machine1_0xFBEBEEE8.crt"
returns:
0xFBEBEEE8:export key (0:key exported to Machine1_0xFBEBEEE8.crt)
12. Export certificate as PKCS12 file (keyid from step 2, filename for exported pkcs12 file)
pgp --export-key-pair 0xFBEBEEE8 --export-format pkcs12 --passphrase "" --export-passphrase "password" -o "Machine1_0xFBEBEEE8.pfx"
returns:
0xFBEBEEE8:export key pair (0:key exported to Machine1_0xFBEBEEE8.pfx)
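The twelve steps chained in one POSIX shell script, as an added example that is not part of the original article: it parses the result lines pgp prints so that the key ID from step 2 and the MAK UUID from step 5 carry forward automatically, and it stops at the first step whose result code is not 0. Server name, consumer name, passphrases and the (shortened) CSR subject are the walkthrough's sample values.

```shell
#!/bin/sh
# Added example, not from the original article: drives the twelve steps above from one
# script. The key ID (step 2) and MAK UUID (step 5) are read from the "<name>:<operation>
# (<code>:<message>)" lines pgp prints, instead of being copied by hand. Server name,
# consumer name, passphrases and the CSR subject are the walkthrough's sample values.

# True only when the number before the colon in "(N:...)" is 0.
pgp_status() {
  code=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9]*\):.*/\1/p')
  [ "$code" = "0" ]
}
# Key ID from "0xFBEBEEE8:generate key (0:key successfully generated)".
parse_keyid() { printf '%s\n' "$1" | sed -n 's/^\(0x[0-9A-Fa-f]\{8\}\):generate key.*/\1/p'; }
# MAK UUID from "...:import MAK (0:key imported as <uuid> <key name>)".
parse_mak_uuid() { printf '%s\n' "$1" | sed -n 's/.*key imported as \([0-9a-f-]\{36\}\) .*/\1/p'; }
# Run one pgp command, echo its result line, fail unless the result code is 0.
step() { out=$("$@" 2>&1); printf '%s\n' "$out"; pgp_status "$out"; }

run_steps() {
  srv=keys.senderdomain.com
  step pgp --usp-server "$srv" --auth-username Machine1 --auth-passphrase password --usp-cache-auth || return 1
  out=$(step pgp --gen-key "SSL Certificate Key" --bits 2048 --key-type rsa-sign-only --passphrase "") || return 1
  keyid=$(parse_keyid "$out"); [ -n "$keyid" ] || return 1
  step pgp --set-key-flag --key-flag encrypt-and-sign "$keyid" --passphrase "" || return 1
  step pgp --export-key-pair "$keyid" -o "$keyid.asc" || return 1
  out=$(step pgp --usp-server "$srv" --import-mak "$keyid.asc") || return 1
  mak=$(parse_mak_uuid "$out"); [ -n "$mak" ] || return 1
  step pgp --export "$keyid" --export-format csr -o "$keyid.csr" --passphrase "" \
    --common-name machine1.senderdomain.com --organization Senderdomain --country US || return 1
  step pgp --usp-server "$srv" --request-cert "$mak" --cert-file "$keyid.csr" || return 1
  # Step 8 is optional and the article shows no result line for it, so it is not status-checked.
  pgp --usp-server "$srv" --edit-mak "$mak" --import-certificates --passphrase ""
  step pgp --usp-server "$srv" --export-mak "$mak" -o "${keyid}_new.asc" || return 1
  step pgp --import -i "${keyid}_new.asc" || return 1
  step pgp --export "$keyid" --export-format x509-cert -o "Machine1_$keyid.crt" || return 1
  step pgp --export-key-pair "$keyid" --export-format pkcs12 --passphrase "" \
    --export-passphrase password -o "Machine1_$keyid.pfx"
}

# Only touch the real pgp binary when invoked as: sh request_cert.sh run
if [ "${1:-}" = run ]; then run_steps; fi
```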