vtl createCSR

Create a Certificate Signing Request (CSR)—a private key and unsigned client certificate. The certificate must be signed by a third party before being used to authenticate the Luna HSM Client.

CAUTION!   If the key and certificate are re-created, existing NTLS connections are broken and the client must be removed and re-registered on each HSM server.

NOTE   The client hostname/IP (-n) is the only mandatory field for certificate creation. All other fields of the certificate are used simply for display and visual confirmation purposes. The NTLA never displays certificate data fields to the user, so the content in these fields is irrelevant.

This feature requires minimum Luna HSM Client version 10.1. See Version Dependencies by Feature for more information.

Syntax

vtl createCSR -n <IP/hostname> [-c <country_code>] [-s <state>] [-l <locality>] [-o <organization>] [-u <organization_unit>] [-e <email_address>] [-P <private_key_filename>] [-C <cert_filename>] [-d <certificate_validity_period>] [-v]

Argument(s) Description
-c <country> The country where the client computer resides.
-C <filename>

The specified filename (*CSR.pem) for the unsigned certificate.

Default: <IP/hostname>CSR.pem

NOTE   Thales recommends using the default filename to avoid losing track of keys and certificates.

-d <validity_period>

Specifies the validity period for the client certificate, in days.

Default: 3650 (10 years)

-e <email_address> An email address to contact the certificate creator.
-l <locality> The locality where the client computer resides.
-n <IP/hostname> The client hostname or IP address. This becomes the certificate Common Name (CN).
-o <organization> The name of the organization that owns the client computer.
-P <filename>

The specified filename (*Key.pem) for the private key.

Default: <IP/hostname>Key.pem

NOTE   Thales recommends using the default filename to avoid losing track of keys and certificates.

-s <state> The state where the client computer resides.
-u <unit> The business unit or department that owns the client computer.
-v Verbose mode. Output extra information while creating the certificate and private key.
-x Deprecated option to encrypt the private key -- the private key is always encrypted by default.

Example

>vtl createCSR -n 192.168.10.12
vtl (64-bit) v10.1.0. Copyright (c) 2019 SafeNet. All rights reserved.

Private Key created and written to: C:\Program Files\SafeNet\LunaClient\cert\client\192.168.10.12Key.pem
Certificate CSR created and written to: C:\Program Files\SafeNet\LunaClient\cert\client\192.168.10.12CSR.pem