How to Create Certificates from an Existing Root Certificate
This article describes how to create ICG certificates from an existing root certificate in the IGEL Universal Management Suite (UMS) starting from UMS version 6.02.
Required Certificate Files
The following files are required:
CA certificate
CA private key
If you need to export the CA signing root certificate and key from a Microsoft CA server, you can follow this document from Cisco: How do I export and convert a pfx CA root certificate and key from a Microsoft CA server
Importing Your Existing Private CA Files into the UMS
In UMS Console go to UMS Administration > Global Configuration > Cloud Gateway Options.
In the Certificates section, click to import the root certificate.
Choose the CA's root certificate file (PEM format) and click Open.
The CA's root certificate appears in the list.
Right-click the CA's root certificate and select Import decrypted private key.
If the private key is protected with a passphrase, you need to decrypt it using the OpenSSL command line tool:
openssl rsa -in encrypted.key -out decrypted.key
Choose the decrypted private key file and click Open.
If everything went well, a success message is shown.
The CA is now ready to use.
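The import only succeeds if the certificate is a CA certificate, the key is decrypted, and the key belongs to that certificate, so it helps to check the two files before opening the dialog. The following shell functions are an added example, not part of the IGEL documentation; the function names, file names and the throwaway CA produced by make_demo_ca are assumptions constructed here for illustration.

```shell
# Pre-import checks for the two files the UMS asks for: the CA certificate
# (PEM) and the decrypted CA private key. Names and paths are placeholders.

# Succeeds if the certificate parses as PEM and is marked as a CA.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Succeeds if the key file has no PEM encryption marker (the decrypted form).
key_is_decrypted() {
    [ -s "$1" ] && ! grep -q 'ENCRYPTED' "$1"
}

# Succeeds if the private key belongs to the certificate: both must yield the
# same public key. "-passin pass:" keeps openssl from prompting.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Runs all checks; the return code says which one failed (1, 2 or 3).
check_ca_files() {
    cert_is_ca "$1" || { echo "not a CA certificate: $1"; return 1; }
    key_is_decrypted "$2" || { echo "key is still encrypted: $2"; return 2; }
    key_matches_cert "$1" "$2" || { echo "key does not match: $2"; return 3; }
    echo "ok: $1 and $2 belong together"
}

# Constructed sample input: writes a throwaway CA (ca.pem, ca.key) to dir $1.
make_demo_ca() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}
```

Run check_ca_files with your own certificate and decrypted key before the import. The decrypted key is unprotected on disk, so keep it readable only by your account and remove it once the UMS reports success.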
Creating a Signed Certificate
Right-click the CA's root certificate and select Create signed certificate.
Fill in the certificate fields:
Display name: Name of the certificate
Your first and last name: Name of the certificate holder
Your organization: Organization or company name
Your city or locality: Location
Your two-letter country code: ISO 3166 country code, e.g. US, UK or ES
Hostname and/or IP address of certificate target server: Host name(s) or IP address(es) for which the certificate is valid. Multiple entries are allowed, separated by semicolons.
All IP addresses and host names by which the ICG will be reachable from within the company network or from outside must be provided here.
Valid until: Local date on which this certificate expires. (Default: one year from now)
Certificate Type: Select "End Entity".
Click OK.
A key pair and a certificate are generated.
Generating keys may take substantial time on virtual machines (VMs), as these do not have a powerful (pseudo) random number source. On Linux VMs this can be improved by installing the haveged package.
The signed certificate appears in the list.
Continue with Installing the IGEL Cloud Gateway.