How to Generate a Certificate on a Hardware Device
Generate a Certificate using Certificate Manager (certmgr.msc)
This option can be used to generate a Certificate Signing Request (CSR) on a hardware device like SafeNet/Aladdin eToken, Safenet iKey, Luna HSM. The resulting CSR is signed by the Root Certificate and the .CER response file is imported on the hardware device. The certificate hierarchy will be as follows:
Open certmgr.msc and select Create Custom Request, as below:
Select Custom Request.
Select Legacy Key.
Important: Most third-party applications and the Secure Soft products (CA Server, TSA Server, PDF Signer, P7S Signer) cannot use CNG (Cryptographic Next Generation) keys, so a Legacy key must be created.
Customize the CSR by adding Common Name, extensions and other attributes.
Select the Private Key container, which can be an HSM device or a cryptographic smart card device:
After the certificate request is customized and the private key container is selected, it can be created.
If the CSR is created on a smart card device, the device PIN must be entered.
If the CSR is created on an HSM device (like Luna HSM), the HSM credentials must be entered on the PED or console. More details about this can be found in the manuals offered by the HSM vendor.
When the process is finished, the resulting CSR file must be saved.
The CSR must be passed to the Certification Authority in order to be digitally signed by the Root CA.
The CA will digitally sign the CSR, producing the .CER file. This .CER file must be copied to the same computer where the CSR was created, under the same user account.
Open the .CER file and click the install button.
If the CSR is created on a smart card device, the device PIN must be entered.
If the CSR is created on an HSM device (like Luna HSM), the HSM credentials must be entered on the PED or console. More details about this can be found in the manuals offered by the HSM vendor.
After the .CER certificate (public part) is installed on the device, the private key is bound to the public part of the certificate, resulting in a fully functional certificate, as below.
If the private key does not bind correctly to the public part (the message “You have a private key that corresponds to this certificate” does not appear in the certificate window), you must do this manually. More information can be found in the product manual, but a good start is to use certutil -repairstore (more details in this article or this article).
The certificate appears on the smart card device.
The certificate is ready to be used.
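The same request, install and repair sequence can be driven from PowerShell with certreq and certutil. This is an added example, not part of the original guide; the provider name, subject and file names are assumptions, and the serial number is a placeholder.

```powershell
# Assumption: a legacy CSP (not a CNG key storage provider) installed by the
# device vendor. Naming a CSP here is what makes the key a "Legacy key".
$provider = 'Microsoft Base Smart Card Crypto Provider'

# Request definition for certreq; subject and key size are sample values.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=Example Signer"
RequestType = PKCS10
ProviderName = "$provider"
ProviderType = 1
KeySpec = 2
KeyLength = 2048
Exportable = FALSE
MachineKeySet = FALSE
"@
Set-Content -Path .\request.inf -Value $inf -Encoding ASCII

# Generate the key pair on the device and write the PKCS#10 request.
# The smart card PIN or HSM credentials are requested at this point.
certreq -new .\request.inf .\request.csr

# Review subject, key length and attributes before sending the CSR to the CA.
certutil -dump .\request.csr

# After the CA returns the signed certificate (response.cer, assumed name),
# install it as the same user on the same computer that created the CSR.
certreq -accept .\response.cer

# List the user's Personal store; the entry should show the hardware provider
# and key container, which confirms the private key is bound.
certutil -user -store My

# If the key did not bind, repair the association. Replace the placeholder
# with the certificate's serial number from the listing above.
certutil -user -repairstore My "<certificate serial number>"
```

Setting `Exportable = FALSE` and `MachineKeySet = FALSE` keeps the key non-exportable and in the current user's context, which matches the requirement to install the response under the same user account.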
Generate a Certificate using Smart Card Generator
Download X.509 Digital Certificate Generator from here: http://www.signfiles.com/x509-certificate-generator/
Smart Card Generator can be used to generate a Certificate Signing Request (CSR) on a hardware device like SafeNet/Aladdin eToken, Safenet iKey, Luna HSM. The resulting CSR is signed by the Root Certificate and the .CER response file is imported on the hardware device. The certificate hierarchy will be as follows:
If the certificate is created on a smart card device, the device PIN must be entered.
If the certificate is created on an HSM device (like Luna HSM), the HSM credentials must be entered on the PED or console. More details about this can be found in the manuals offered by the HSM vendor.
Note that this product will not work for all types of hardware devices and HSMs.
Choose the Generate PKCS#10 Certificate Request (CSR) option:
If the certificate is created on a smart card device, the device PIN must be entered, as below:
The CSR is now issued and ready to be passed to the Certification Authority in order to be digitally signed.
The CSR must be passed to the Certification Authority in order to be digitally signed by the Root CA.
The CA will digitally sign the CSR, producing the .CER file. This .CER file must be copied to the same computer where the CSR was created, under the same user account.
If the CSR is created on a smart card device, the device PIN must be entered.
If the CSR is created on an HSM device (like Luna HSM), the HSM credentials must be entered on the PED or console. More details about this can be found in the manuals offered by the HSM vendor.
Install the .CER file using the Install PKCS#10 CA Response option.
After the .CER certificate (public part) is installed on the device, the private key is bound to the public part of the certificate, resulting in a fully functional certificate, as below.
If the private key does not bind correctly to the public part (the message “You have a private key that corresponds to this certificate” does not appear in the certificate window), you must do this manually. More information can be found in the product manual, but a good start is to use certutil -repairstore (more details in this article or this article).
The certificate appears on the smart card device.
The certificate is ready to be used.
Generate a Self-Signed Certificate using Smart Card Generator
Download X.509 Digital Certificate Generator from here: http://www.signfiles.com/x509-certificate-generator/
Start Smart Card Generator and make all necessary customizations.
This section is useful when you want to generate a Root CA Certificate directly on a hardware device.
If the certificate is created on a smart card device, the device PIN must be entered.
If the certificate is created on an HSM device (like Luna HSM), the HSM credentials must be entered on the PED or console. More details about this can be found in the manuals offered by the HSM vendor.
Note that this product will not work for all types of hardware devices and HSMs.
If the certificate is created on a smart card device, the device PIN must be entered, as below:
The certificate is successfully created and ready to be used.