--- title: Using a CA-signed certificate description: To use a CA-signed SSL certificates, follow the process to create a private key, generate a certificate signing request (CSR), and request a certificate as shown in the following diagram. component: pingintelligence version: 5.2 page_id: pingintelligence:pingintelligence_reference_guide:yxi1661459964318 canonical_url: https://docs.pingidentity.com/pingintelligence/5.2/pingintelligence_reference_guide/yxi1661459964318.html revdate: April 3, 2024 section_ids: about-this-task: About this task steps: Steps example: Example: example-2: Example: example-3: Example: result: Result: --- # Using a CA-signed certificate ## About this task To use a CA-signed SSL certificates, follow the process to create a private key, generate a certificate signing request (CSR), and request a certificate as shown in the following diagram. ![Diagram showing CA-signed certificate process](../_images/wrh1564009007993.png) | | | | - | ---------------------------------------------------------------------- | | | ASE internally validates the authenticity of the imported certificate. | To use a CA-signed certificate: ## Steps 1. Create a private key. The ASE command-line interface (CLI) is used to create a 2048-bit private key and to store it in the key store. ### Example: ``` /opt/pingidentity/ase/bin/cli.sh create_key_pair -u admin -p Warning: create_key_pair will delete any existing key_pair, CSR and self-signed certificate Do you want to proceed [y/n]:y Ok, creating new key pair. Creating DH parameter may take around 20 minutes. Please wait Key created in keystore dh param file created at /opt/pingidentity/ase/config/certs/dataplane/dh1024.pem ``` 2. Create a CSR. ASE takes you through a CLI-based interactive session to create a CSR. ### Example: ``` /opt/pingidentity/ase/bin/cli.sh create_csr -u admin -p Warning: create_csr will delete any existing CSR and self-signed certificate Do you want to proceed [y/n]:y please provide following info Country Code >US State > Colorado Location >Denver Organization >Pingidentity Organization Unit >Pingintelligence Common Name >ase Generating CSR. Please wait... OK, csr created at /opt/pingidentity/ase/config/certs/dataplane/ase.csr ``` 3. Upload the CSR that you created in step 2 to the CA signing authority's website to get a CA-signed certificate. 4. Download the CA-signed certificate from the CA signing authority's website. 5. Use the CLI to import the signed CA certificate into ASE. ### Example: ``` /opt/pingidentity/ase/bin/cli.sh import_cert -u admin -p Warning: import_cert will overwrite any existing signed certificate Do you want to proceed [y/n]:y Exporting certificate to API Security Enforcer... OK, signed certificate added to keystore ``` ### Result: The certificate is imported into the key store. 6. Restart ASE. For more information, see [Starting and stopping ASE](pingintelligence_starting_and_stopping_ase.html).