Applying for a Private Certificate

Prerequisites

You have created and activated a private CA. For details, see Creating a Private CA and Activating a Private CA.

Procedure

1. Log in to the management console.
2. Click in the upper left corner of the page and choose Security & Compliance > Cloud Certificate Management Service. In the navigation pane on the left, choose Private Certificate Management > Private Certificate. The Private Certificate page is displayed.
3. In the upper right corner of the private certificate list, click Apply for Certificate.
   Figure 1 System generated CSR
   
   Figure 2 Upload a CSR
   
   1. Select the CSR file generation method.

      Table 1 Certificate signing request (CSR)

      Parameter	Description
      System generated CSR	The system automatically generates a certificate private key. Once the certificate is issued, you can download your certificate and private key on the certificate management page.
      Upload a CSR	You can use an existing CSR. The procedure is as follows: You need to manually generate a CSR file and paste the content of the CSR file into the text box. Click Parse.
      NOTE: To obtain a certificate, a CSR file needs to be submitted to the CA for review. A CSR file contains a public key and a distinguished name (DN). Typically, a CSR file is generated by a web server, and a pair of public and private keys are created along with the CSR file. You are advised to select System generated CSR to avoid approval failure caused by incorrect content. A private key file will be generated when the CSR file is generated manually. Keep and back up your private key properly. A private key maps to a certificate. If a private key is lost, the corresponding certificate becomes invalid. Huawei Cloud is not responsible for keeping your private key. You need to purchase a new certificate if the private key is lost. CCM has strict requirements on the key length of a CSR file. The key length must be 2,048 bits and the key type must be RSA.

   2. Configure certificate details.

      Perform this step only when you select System generated CSR for CSR.

      Common Name: You can customize the name of the private certificate.

   3. Click on the right of Advanced Configuration.

      Perform this step only when you select System generated CSR for CSR.

      Table 2 Advanced settings

      Parameter	Description	Example Value
      Key Algorithm	Key Algorithm: Select the key algorithm and key size for the private certificate. The value can be RSA2048, RSA4096, EC256, or EC384.	RSA2048
      Signature Algorithm	Select the signature hash algorithm for the private certificate. The value can be SHA256, SHA384, or SHA512.	SHA256
      Key Usage	Select the key usage of the certificate. You can select more than one option. digitalSignature: The key is used as a digital signature. nonRepudiation: The key can be used for non-repudiation. keyEncipherment: The key can be used for key encryption. dataEncipherment: The key can be used for data encryption. keyAgreement: The key can be used as a key-agreement protocol. keyCertSign: The key can be used to issue certificates. cRLSign: The key can be used for signing blacklists. encipherOnly: The key can be used for encryption only. decipherOnly: The key can be used for decryption only.	digitalSignature
      Enhanced Key Usage	Select the enhanced key usage for the certificate. You can select more than one option. Server identity authentication Client identity authentication Code signature Secure email Timestamp	Server identity authentication
      Customized Extension Field	Enter customized information.	None
      Configure Certificate AltName	This field is optional. If you want to use the private certificate to multiple subjects, you can add more AltName records. You can configure IP address, DNS, Email, or URI for AltName. When you configure AltName, enter the value according to the value type you select. IP address: Enter an IP address. DNS: Enter the domain name. Email: Enter an email address. URI: Enter the network address. A maximum of five AltName records can be configured.	None

   4. Select a CA.

      Table 3 Parameters for selecting a CA

      Parameter	Description
      Common Name	Select a common name of the private CA you want.
      Type	The CA type is autofilled after you specify Common Name.
      CA ID	The CA ID is autofilled after you specify Common Name.
      Validity Period	Configure the validity period of the private certificate. NOTE: You can customize the validity period of a private certificate. The validity period cannot outlive the validity period of the activated private CA. A private CA can be valid for up to 30 years.

4. Confirm the information and click OK.

   After you submit your application, the system will return to the private certificate list page. Message "Certificate xxx applied for successfully." is displayed in the upper right corner of the page, indicating that the private certificate application is successful.

Follow-up Operations

When a private certificate is issued, you can download it and distribute it to the certificate subject for installation. For details, see Downloading a Private Certificate.