Federation Manager Guide › Keys and Certificates for Secure Federated Communication › Import Trusted Certificates and Key/Certificate Pairs › Generate a Key/Certificate Pair › Generate a Certificate Request

Generate a Certificate Request

If you do not have a cert/key pair in the key database, you can request a certificate from a trusted Certificate Authority, then import the signed certificate response from that authority.

When you generate a certificate request, Federation Manager generates a private key and a self-signed certificate pair and stores this pair in the key database. Using the generated request, you contact a Certificate Authority and fill out the CA certificate request form, pasting the contents of the generated request into the form.

The CA issues a signed certificate response, usually in PKCS #7 format, which you can import into the key database. After the signed certificate response is imported, the existing self-signed certificate entry of the same alias is replaced.

To determine which entries in the key database are self-signed certificates and which are CA-signed certificates, look at the Signing Status column in the Certificates and Private Keys List in the UI.

This column displays one of the following values for each entry:

• Self-signed
• CA-signed
• N/A—displayed only for trusted certificates

  Signing status is relevant for key pair entries so that you can determine which ones have been fully signed and which ones have not. For a trusted certificate, which does not have a corresponding private key, the status does not apply because they have been imported as trusted certificates. These certificates can be self-signed or CA-signed.

To generate a certificate request

1. From the Certs & Keys tab, select Certificate and Private Keys.

   The View Certificates and Private Keys dialog opens.

2. Click Request Certificate.

   The Request Certificate dialog opens.

3. Complete the required fields.

   Note: Click Help for a description of fields, controls, and their respective requirements.

4. Click Save.

A file that conforms to the PKCS #10 specification is generated.

The browser prompts you to save or open the file, which contains the certificate request. If you do not save this file (or at least open it and extract the text), Federation Manager still generates the private key and self-signed certificate pair. However, you must generate a new certificate signing request, using the Federation Manager Generate CSR feature, to get a new request file for the private key.