Certificate Signing Request (CSR) - Metasys - LIT-1201519 - MS-NAE35xx-2 - MS-NAE45xx-2 - MS-NAE5510-2U - MS-NAE5510-3U - MS-NAE551S-2 - MS-NAE55xx-3 - MS-NCE25xx-0 - MS-NXE85SW-x - Supervisory Device - NAE35 Network Automation Engine - NAE45 Network Automation Engine - NAE55 Network Automation Engine - NAE85 Network Automation Engine - NCE25 Network Control Engine - 11.0

NAE Commissioning Guide

Brand: Metasys
Product name: NAE35 Network Automation Engine, NAE45 Network Automation Engine, NAE55 Network Automation Engine, NAE85 Network Automation Engine, NCE25 Network Control Engine
Document type: Commissioning Guide
Document number: LIT-1201519
Version: 11.0
Revision date: 2022-02-09
Language: English

SCT can generate a certificate signing request (CSR) on behalf of a network engine. However, SCT cannot act as a certificate authority (CA) for signing certificates. Requesting a certificate is a multi-step process that involves specifying the following information:

  • common name
  • email address
  • name of organization
  • name of organizational unit
  • city
  • state or province
  • name of country

Summary of steps for Network Engine:

  1. Verify that the device name in the SCT archive and the subject common name for the device match.
  2. Use SCT to create a CSR and an associated private key for each network engine. See Requesting a certificate.
  3. Send the CSR for each engine to the internal IT department or CA for signing. The internal IT department or CA returns the signed certificate files.
  4. Import the signed certificate files for each network engine into the SCT archive. See Importing a certificate.
    Note: You need to import the root certificate, the server certificate, and an intermediate certificate file (if provided). The combination of one root certificate, one or more intermediate certificates, and one server certificate is known as a certificate chain. The certificate chain must be complete for both the server and each network engine to successfully configure a site.

    After the import, the CSR is complete and SCT removes the certificate request from the Requests table. SCT pairs the private key that it previously created with the imported certificate.

  5. Export all certificate files and store them in a safe and secure location in case you need to re-import them. See Exporting a certificate.

Note: You cannot request a CSR for a device if an existing CSR is still pending. You must delete the existing CSR first.

Important: The private key that is generated when the CSR is created can be associated with the new certificate only if the device name in the SCT archive and the subject common name for the device match. Therefore, before requesting a device CSR, verify that the device name is correct. If not, the newly purchased certificate could be worthless because of the device name mismatch. A common mistake is to forget to include the company domain name with the CSR. No workaround is available that can recover the use of the new certificate.
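
The two conditions above (a complete certificate chain, and a subject common name that matches the device name) can be checked by name before importing. The following is an added example, not part of SCT or of this guide; it assumes an exact name match, identifies certificates by common name only, and does not verify signatures. The function name and all sample names are hypothetical.

```python
# Added example: name-level pre-import check. It does not verify signatures
# or validity dates, and it identifies certificates by common name only.

def check_certificate_set(device_name, certs):
    """Return a list of problems; an empty list means the set passes.

    device_name: device name as it appears in the SCT archive.
    certs: dicts with 'cn' (subject CN) and 'issuer_cn', e.g. copied from
           `openssl x509 -noout -subject -issuer` output for each file.
    """
    problems = []
    by_cn = {c["cn"]: c for c in certs}
    issuer_cns = {c["issuer_cn"] for c in certs}

    # A root certificate is issued by itself.
    roots = [c for c in certs if c["cn"] == c["issuer_cn"]]
    if len(roots) != 1:
        problems.append(f"expected one root certificate, found {len(roots)}")

    # The server certificate is the one that issued nothing else in the set.
    leaves = [c for c in certs if c["cn"] not in issuer_cns]
    if len(leaves) != 1:
        problems.append(f"expected one server certificate, found {len(leaves)}")
        return problems
    leaf = leaves[0]

    if leaf["cn"] != device_name:
        if device_name.startswith(leaf["cn"] + "."):
            problems.append(f"subject CN '{leaf['cn']}' lacks the domain name in '{device_name}'")
        else:
            problems.append(f"subject CN '{leaf['cn']}' does not match device name '{device_name}'")

    # Walk issuer links from the server certificate up to the root.
    current, seen = leaf, set()
    while current["cn"] != current["issuer_cn"]:
        seen.add(current["cn"])
        parent = by_cn.get(current["issuer_cn"])
        if parent is None or parent["cn"] in seen:
            problems.append(f"chain incomplete at '{current['cn']}': issuer '{current['issuer_cn']}' missing or looped")
            break
        current = parent
    return problems

# Constructed sample data; all names are hypothetical.
ROOT = {"cn": "Example Root CA", "issuer_cn": "Example Root CA"}
INTERMEDIATE = {"cn": "Example Issuing CA", "issuer_cn": "Example Root CA"}
SERVER = {"cn": "NAE-01.example.com", "issuer_cn": "Example Issuing CA"}
```

An empty list means the name checks pass; it does not replace the CA's own validation of the certificate files.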