---
title: Using a CA-signed certificate
description: To use a Certificate Authority (CA)-signed SSL certificates, follow the process shown below to create a private key, generate a certificate signing request (CSR), and request a certificate:
component: pingintelligence
version: 5.2
page_id: pingintelligence:installing_pingintelligence_for_apis:pingintelligence_using_ca_signed_certificate
canonical_url: https://docs.pingidentity.com/pingintelligence/5.2/installing_pingintelligence_for_apis/pingintelligence_using_ca_signed_certificate.html
revdate: April 3, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
  result: Result:
---

# Using a CA-signed certificate

## About this task

To use a Certificate Authority (CA)-signed SSL certificates, follow the process shown below to create a private key, generate a certificate signing request (CSR), and request a certificate:

![A diagram of the process for using a Certificate Authority-signed SSL certificate.](../_images/hth1564009151581.png)

|   |                                                                        |
| - | ---------------------------------------------------------------------- |
|   | ASE internally validates the authenticity of the imported certificate. |

## Steps

1. Create a private key.

   ```
   /optCDO:/content/authoring/nrc1651605112856.image/pingidentity/ase/bin/cli.sh create_key_pair -u admin -p
   Warning: create_key_pair will delete any existing key_pair, CSR and self-signed certificate
   Do you want to proceed [y/n]:y
   OK, creating new key pair. Creating DH parameter may take around 20 minutes. Please wait
   Key created in keystore
   dh param file created at /opt/pingidentity/ase/config/certs/dataplane/dh1024.pem
   ```

   |   |                                                                                                             |
   | - | ----------------------------------------------------------------------------------------------------------- |
   |   | ASE command-line interface (CLI) is used to create a 2048-bit private key and to store it in the key store. |

2. Create a CSR.

   ```
   /opt/pingidentity/ase/bin/cli.sh create_csr -u admin -p
   Warning: create_csr will delete any existing CSR and self-signed certificate
   Do you want to proceed [y/n]:y
   please provide following info
   Country Code >US
   State > Colorado
   Location >Denver
   Organization >Pingidentity
   Organization Unit >Pingintelligence
   Common Name >ase
   Generating CSR. Please wait...
   OK, csr created at /opt/pingidentity/ase/config/certs/dataplane/ase.csr
   ```

   ### Result:

   ASE takes you through a CLI-based interactive session to create a CSR.

3. Upload the CSR created in step 2 to the CA-signing authority's website to get a CA-signed certificate.

4. Download the CA-signed certificate from the CA-signing authority's website.

5. Use the CLI to import the signed CA certificate into ASE. The certificate is imported into the key store.

   ```
   /opt/pingidentity/ase/bin/cli.sh import_cert  <CA signed certificate path>  -u admin -p
   Warning: import_cert will overwrite any existing signed certificate
   Do you want to proceed [y/n]:y
   Exporting certificate to API Security Enforcer...
   OK, signed certificate added to keystore
   ```

6. Restart ASE by first stopping and then starting ASE.