CSR Exchange

The CSR Exchange page allows you to:

submit a certificate signing request (CSR) to the Hub to request that your TLS client certificate be signed by the Hub’s Certificate Authority (CA)
view the status of sent CSRs, and view or download the CSR or the signed certificate itself

Figure 1. CSR Exchange

CSR

Figure 2. CSR

To share a CSR with the Hub, complete the following steps:

Go to the CSR tab.
In the CSR field, click the Auto generate button and Connection Wizard will automatically create a CSR for you in the backend.
Alternatively, if you wish to use a CSR that you created yourself, click Choose File, select the CSR file saved on your computer, and click Submit to send the CSR to the Hub.

If you need help creating a client CSR, see:

Create a keystore for instructions on how to create a keystore to hold your client key pair and CSR.
Create server key pair and client key pair for instructions on how to create a client key pair.
Create the client CSR for instructions on how to create the CSR from the client key pair.

On uploading your CSR, Connection Wizard renames the file so that the file name includes information about the name of the DFSP. This means that you will see the original file name of your CSR change to a value assigned by Connection Wizard.

If you have accidentally uploaded the wrong CSR, you can re-upload a new CSR and that will replace the old one.

Sent CSRs

Figure 3. Sent CSRs

The Status indicator displays the status of your sent CSR/client certificate:

CSR created: The CSR has been sent.
Certificate created: The CSR has been signed.

To view a CSR, click View CSR. A dialog box pops up displaying your CSR.

To download a CSR, click Download CSR, and open or save the file when prompted.

To view a certificate, click View Certificate. A dialog box pops up displaying your certificate.

To retrieve a TLS client certificate signed by the Hub, complete the following steps:

Go to the Sent CSRs tab. You can search for a sent CSR by typing a keyword in the Search DFSP CSRs search box and pressing Enter.
Click Download Certificate to download your signed certificate. A dialog box pops up prompting you to open or save your certificate.

Information about the validity of CSRs and certificates is also displayed. Click View Details for information on possible validity issues.

The following details are validated for a sent CSR:

The CSR’s signature algorithm must be "sha256WithRSAEncryption". Note that the validation also accepts "sha512WithRSAEncryption".
The CSR public key length must be 4096 bits.
The CSR must have all mandatory Distinguished Name attributes. These are: Common Name (CN), Organizational Unit (OU), Organization (O), Locality (L), State (ST), Country (C), and Email Address (E).

The following details are validated for a signed CSR:

The CSR’s signature must match the public key.
The CSR’s signature algorithm must be "sha256WithRSAEncryption". Note that the validation also accepts "sha512WithRSAEncryption".
The CSR public key length must be 4096 bits.
The CSR must have all mandatory Distinguished Name attributes. These are: Common Name (CN), Organizational Unit (OU), Organization (O), Locality (L), State (ST), Country (C), and Email Address (E).
The CSR and certificate must have the same public key.
The CSR and certificate must have the same Subject information.
The CSR and certificate must have the same Common Name (CN) information.
The certificate must be valid at the present time according to the certificate validity period.
The certificate’s signature algorithm must be "sha256WithRSAEncryption".
The certificate public key must match the private key used to sign the CSR. Only available if the CSR was manually created (Connection Wizard has the private key) instead of uploaded.