The procedure below helps you to create a TLS certificate signed by a certificate authority for your ZixGateway.
1. Log in to your ZixGateway appliance as zixadmin.
2. Use sudo to become the root user:
    sudo -i
3. Change to the /tmp directory:
    cd /tmp
4. Run the following command to generate the certificate request. It creates two PEM files, privKey.pem and certreq.pem. These certificates have a one-year expiration.
    /usr/bin/openssl req -new -nodes -keyout privKey.pem -out certreq.pem -days 365 -config /etc/pki/tls/openssl.cnf -sha256
5. Follow the prompts displayed by the command. Ensure that the Common Name (CN) that you specify is the Fully Qualified Domain Name (FQDN) of your ZixGateway appliance as seen from the internet.
6. Change the permissions on the PEM files with the following command:
    chmod 777 *.pem
7. Use WinSCP to download the two PEM files from the ZixGateway. They are located in the directory where the command was run (/tmp).
8. Submit the certificate request, certreq.pem, by following your certificate authority's submission procedures.
When the Certificate Authority returns the signed certificate and its public certificate, store them in a location where the ZixGateway Manager can access them, such as your desktop.
1. Access the ZixGateway Manager and select Configure Server > TLS.
2. Enter your private key (privKey.pem) into the Private Key field of the TLS section.
3. Enter the new certificate returned from the certificate authority into the Server Certificate field of the TLS section.
4. Enter the certificate authority's public (root) certificate into the Server Certificate Signing CA field of the TLS section.
Note: If there is no certificate chain (only this server's certificate and the root certificate), the root certificate is entered into the Server Certificate Signing CA field. This is the Certificate Authority's public certificate.
5. Deploy and Cycle the cluster from the Configure Server tab.
All keys and certificates should be kept in a secure location where they can be backed up. If you need additional assistance, contact ZixCorp Customer Support at support@zixcorp.com.
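The following is an added example, not ZixCorp's script or a command from the procedure above. It produces the same key-plus-CSR pair as step 4 without interactive prompts and checks it before step 8: that the CSR's self-signature verifies, that its CN is the FQDN you intended, and that the CSR's public key belongs to privKey.pem, which the Private Key and Server Certificate fields of the TLS section must agree on. It assumes openssl is on PATH; the output directory and FQDN (gateway.example.com is a constructed placeholder) are passed as arguments.

```shell
#!/bin/sh
# Added example (not ZixCorp's create_cert_req.sh): generate and check a CSR
# of the kind the procedure above produces. Assumes openssl is on PATH.
set -eu

# Generate a 2048-bit RSA key and a SHA-256 CSR without prompts.
# -days is ignored when producing a CSR: the CA sets the signed cert's validity.
# $1 = output directory, $2 = FQDN to use as the Common Name
gen_csr() {
    dir=$1; fqdn=$2
    # subshell so the restrictive umask does not leak into the caller's shell
    ( umask 077
      openssl req -new -nodes -newkey rsa:2048 -sha256 \
          -keyout "$dir/privKey.pem" -out "$dir/certreq.pem" \
          -subj "/CN=$fqdn" 2>/dev/null )
}

# Print the CN the CSR actually carries (what the CA will put in the cert).
# $1 = path to the CSR
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Return 0 if the CSR's self-signature verifies and the CSR's public key is
# the one derived from privKey.pem; a mismatch here means the pair pasted
# into the TLS section would not work together. $1 = directory
check_pair() {
    dir=$1
    openssl req -in "$dir/certreq.pem" -noout -verify >/dev/null 2>&1 || return 1
    csr_pub=$(openssl req -in "$dir/certreq.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/privKey.pem" -pubout)
    [ "$csr_pub" = "$key_pub" ]
}

# File mode of the private key as octal digits (600 expected). $1 = key path
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage (constructed FQDN):
#   gen_csr /tmp gateway.example.com && check_pair /tmp && csr_cn /tmp/certreq.pem
```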
To create a certificate, you start with a certificate request. Follow the procedures below to create a certificate request; the process also creates the private key for you. The certificate request can then be sent to a Certificate Authority (for example, Verisign) to be signed into an authorized certificate.
When the Certificate Authority returns the authorized certificate and its public certificate, store them in a location where ZixGateway Manager can browse to them.
The installed script, create_cert_req.sh, which generates your private key and certificate request for this server, has several options.
For usage information only, type "help" after the command. This does not create a certificate request.
    $ sudo ./create_cert_req.sh help
There is also a recommended option to create a unique name for this server certificate. After the command, enter a short identifier:
    $ sudo ./create_cert_req.sh vpm01
Two files are created in the /tmp directory: privKeyvpm01.pem and certreqvpm01.pem.
If you choose not to use an identifier:
    $ sudo ./create_cert_req.sh
Two files are created in the /tmp directory: privKey.pem and certreq.pem.
Note: The certificates have a one-year expiration.
To create an authority-signed certificate:
1. Upload the createCAreq.tar file to the /tmp directory on the ZixGateway system:
    pscp createCAreq.tar <putty session name>:/tmp
2. Log in to your ZixGateway system as zixadmin using a serial connection, the console (KVM) or an SSH connection.
3. On your ZixGateway system, change to the /tmp directory:
    cd /tmp
4. Extract the file uploaded in step 1:
    $ sudo tar -xvpPf createCAreq.tar
5. Run the create_cert_req.sh script as described above.
Follow the instructions displayed to provide the information prompted for the certificate request. Ensure that the Common Name (CN) that you specify in the certificate request is the Fully Qualified Domain Name (FQDN) of your ZixGateway server as seen from the internet.
6. Use WinSCP or pscp to download the two PEM files which were just created. The following pscp commands download the PEM files to c:\
    pscp zixvpm01:/tmp/privKey.pem c:\
    pscp zixvpm01:/tmp/certreq.pem c:\
Store them in a location where the ZixGateway Manager can browse to them.
7. You may now submit the certificate request, certreq.pem (or certreqvpm01.pem), by following your certificate authority's submission procedures.