BMU CA signed certificate generate guide
1.1 Generate private key file
1.2 generate certificate application bmu_cert.csr
1.3 apply signed certificate in CA
1.4 import signed certificate and private key to certificate library
1.5 reason why BMU still display alarm after import the signed certificate
1.6 appendix
1.6.1 install openssl in Windows
1.6.2 CA generate signed certificate depend on certificate application file
1.6.3 how to get CA root certificate
1.6.4 how to get CSR self-signed certificate by certificate application
1.1 Generate private key file
Prerequisite: the OpenSSL tool is installed (refer to 1.6.1 install openssl in Windows).
Step1. Go to the bin directory under the openssl installation path and double-click openssl.exe.
Step2. Use the following command to generate the private key:
genrsa -aes256 -out bmu_private.key 2048
Step3. When prompted for the private key password, enter a password. For example, here it is bmu123456.
Step4. bmu_private.key is generated in the same directory as openssl.exe.
1.2 generate certificate application bmu_cert.csr
Step1. At the openssl.exe command line, run:
req -new -key bmu_private.key -config D:\tools\openssl\share\openssl.cnf -days 3650 -sha256 -out bmu_cert.csr
The path after -config is the actual path of openssl.cnf: openssl installation path/share/openssl.cnf.
The signature algorithm must be SHA-256 or stronger; otherwise Chrome will show a warning.
Step2. When prompted for the private key password, enter bmu123456.
1. The Common Name option must be the same as the IP address or domain name you visit in the browser.
2. Leave Email Address, the challenge password and the optional company name empty; just press Enter.
Step3. For the other fields, refer to the screenshot.
The certificate application file bmu_cert.csr (the CSR file includes the public key) is then generated in the same directory as openssl.exe.
1.3 apply signed certificate in CA
Step1. Submit the bmu_cert.csr file to the customer to apply for a signed certificate; refer to appendix 1.6.2.
Step2. Request the .cer file, named bmu_cert.cer.
Step3. Request the CA root certificate, named CA.cer.
Refer to appendix 1.6.3.
1.4 import signed certificate and private key to certificate library
Step1. The files obtained so far:
CA root certificate: CA.cer
Server private key: bmu_private.key
Private key password: the password used when generating bmu_private.key (for example: bmu123456)
Step2. If all these files are in place, refer to the "eSpace UC V200R003 product document", sections Converting the BMU Digital Certificate and Replacing the BMU Digital Certificate.
Note: if the root certificate is already installed on the customer's laptops, step 7 of Replacing the BMU Digital Certificate does not need to be done.
1.5 reason why BMU still display alarm after import the signed certificate
When the browser receives the certificate sent by the BMU server, it verifies it as follows:
Step1. Get the issuer information from the BMU certificate.
Step2. Look up the issuer in the system's trusted list. If it is found, the certificate is considered valid; otherwise the issuer, and therefore the certificate, is considered invalid.
Handling: this depends on the CA root certificate. Follow step 7 of Replacing the BMU Digital Certificate:
Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities, click Import, and select the root certificate that has been applied for, such as root_cert.cer.
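The browser check described above, together with the SHA-256 and Common Name requirements from section 1.2, can be run locally before the files from section 1.4 are imported. This is an added example, not part of the original guide: it assumes a POSIX shell with openssl on the PATH, and the function names, the throwaway CA, the host 192.0.2.10 and the file bmu_self.crt are constructed for the demo.

```shell
# check_bmu_cert CERT CA KEY KEYPASS HOST (hypothetical helper, added example)
# Prints each failed check; returns 0 only when all four pass.
check_bmu_cert() {
    cert=$1 ca=$2 key=$3 pass=$4 host=$5 rc=0
    # 1. The browser's test from section 1.5: is the issuer in the trusted list?
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: issuer of $cert is not trusted via $ca"; rc=1; }
    # 2. The signature algorithm must be SHA-256 or stronger (section 1.2).
    alg=$(openssl x509 -in "$cert" -noout -text |
          sed -n 's/^ *Signature Algorithm: *//p' | head -n 1 | tr A-Z a-z)
    case $alg in
        *sha256*|*sha384*|*sha512*) ;;
        *) echo "FAIL: weak signature algorithm: $alg"; rc=1 ;;
    esac
    # 3. The Common Name must equal the IP or domain typed into the browser.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$host" ] || { echo "FAIL: CN '$cn' does not match '$host'"; rc=1; }
    # 4. The certificate must carry the public key of the private key file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null)
    { [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]; } ||
        { echo "FAIL: $cert does not match $key"; rc=1; }
    return $rc
}

# Constructed demo data: a throwaway root CA, then key and CSR made with the
# guide's commands, a CA-signed certificate and the self-signed one from 1.6.4.
make_demo() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Demo Root CA" -keyout "$dir/ca.key" -out "$dir/CA.cer" 2>/dev/null
    openssl genrsa -aes256 -passout pass:bmu123456 \
        -out "$dir/bmu_private.key" 2048 2>/dev/null
    openssl req -new -key "$dir/bmu_private.key" -passin pass:bmu123456 -sha256 \
        -subj "/CN=192.0.2.10" -out "$dir/bmu_cert.csr"
    openssl x509 -req -in "$dir/bmu_cert.csr" -CA "$dir/CA.cer" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 1 -out "$dir/bmu_cert.cer" 2>/dev/null
    openssl x509 -req -in "$dir/bmu_cert.csr" -signkey "$dir/bmu_private.key" \
        -passin pass:bmu123456 -sha256 -days 1 -out "$dir/bmu_self.crt" 2>/dev/null
}

# Demo run: the CA-signed certificate passes, the self-signed one fails check 1.
d=$(mktemp -d) && make_demo "$d"
check_bmu_cert "$d/bmu_cert.cer" "$d/CA.cer" "$d/bmu_private.key" bmu123456 192.0.2.10 &&
    echo "CA-signed certificate: all checks passed"
check_bmu_cert "$d/bmu_self.crt" "$d/CA.cer" "$d/bmu_private.key" bmu123456 192.0.2.10 ||
    echo "self-signed certificate: rejected"
```

Current Chrome versions match the host name against the subjectAltName extension rather than the Common Name, so a certificate that passes check 3 can still raise a warning if the CA issues it without a SAN entry.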
1.6.1 install openssl in Windows
1. Click the Setup link for "Complete package, except sources".
3. The installation path may include only English letters and digits.
4. In the installation path \bin, double-click openssl.exe.
1.6.2 CA generate signed certificate depend on certificate application file
Step1. Copy the certificate request file “bmu_cert.csr” to your CA server.
Step2. Open this URL in Internet Explorer: https://127.0.0.1/certsrv
Step3. Select Request a certificate.
Step4. Select advanced certificate request.
Step5. Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
Step6. Using a text editor such as Notepad, open “bmu_cert.csr”.
Paste the content of the CSR into the Certificate Request text box.
Certificate template: Web Server
Step7. Download the signed certificate from the CA server.
In Administrative Tools, open the Certification Authority. The Certificate Request that you have just issued will be displayed in Issued Requests.
Right click the request and select Open.
Select the Details tab.
Select “Copy to File”.
Save the certificate to the local disk.
Step8. Continue with the steps listed below for each wizard window.
Export File Format window: select Base-64 encoded X.509.
File to Export window: enter the location where you want to store the certificate and use cert.cer for the certificate name, for example, c:\cert.cer
Certificate Export Wizard Completion window: review the summary information and verify that the export was successful.
1.6.3 how to get CA root certificate
Step9. Open the URL specific to your CA Windows platform type:
Step10. Select Download a CA certificate, certificate chain, or CRL.
Step11. For the Encoding Method, select Base 64, then Download CA Certificate.
Step12. Save the certificate to the local disk.
1.6.4 how to get CSR self-signed certificate by certificate application
Use the openssl x509 command with your own private key to generate it. When prompted for the private key password, enter it.
x509 -req -in bmu_cert.csr -out bmu_cert.crt -signkey bmu_private.key -days 3650