A. Upload CSR and Sign Certificate

Overview

Transfer the CSR to cont16059, elevate to the appropriate account, and sign the CSR with the internal CA to produce CRT output plus signing details for audit.

  1. Download CSR from JIRA and place it in the CyberArk Downloads folder.
  2. Upload CSR to cont16059:
    scp Downloads/<ATTACHED-CSR-FILE-NAME> cont16059:/tmp
  3. SSH into cont16059:
    ssh cont16059
  4. Switch to apizone:
    su - apizone
    Credentials (restricted)
    ! Retrieve the password from the enterprise secrets vault or CyberArk; avoid embedding plaintext secrets in documentation.
    <PASSWORD-REDACTED—FETCH-FROM-VAULT>
  5. Gain root privileges:
    sudo su -
  6. Go to module CSR directory:
    cd /home/apizone/CSR/<COUNTRY>/<MODULE-DIRECTORY>
  7. Move CSR from /tmp:
    mv /tmp/<ATTACHED-CSR-FILE-NAME> .
  8. Sign CSR and write details to a text file:
    openssl ca -policy policy_anything -in <ATTACHED-CSR-FILE-NAME> \
      -cert /home/apizone/CSR/<COUNTRY>/DTBRootCACert.pem \
      -keyfile /home/apizone/CSR/<COUNTRY>/DTBRootCA.key \
      -out <CERT-OUTPUT-FILE-NAME.crt> > "certificate_name&date.txt"
    CA key passphrase prompt
    ! Enter the CA key passphrase from the vault; do not store secrets in shell history or in plaintext files.
    <CA-KEY-PASSPHRASE-REDACTED>
    CSR example screenshot (replace with hosted path)
  9. Copy the contents of certificate_name&date.txt into a note and attach to the JIRA ticket for audit traceability.

B. Create and Retrieve P7B

  1. Convert CRT to P7B with root and root CA:
    openssl crl2pkcs7 -nocrl -certfile <CERT-OUTPUT-FILE-NAME.crt> \
      -certfile /home/apizone/CSR/<COUNTRY>/DTBRootCACert.pem \
      -out <P7B-OUTPUT-FILE-NAME.p7b>
  2. Copy the P7B to /tmp:
    cp <P7B-OUTPUT-FILE-NAME.p7b> /tmp/
  3. Download the P7B to workstation:
    scp cont16059:/tmp/<P7B-OUTPUT-FILE-NAME.p7b> ~/Downloads/
  4. Attach the P7B file to the related JIRA item.
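
The following is an added example, not part of the original runbook: two checks an operator can run around sections A and B, one on the CSR before signing and one on the P7B before it is attached. The function names, the 2048-bit RSA minimum and the sample subjects are assumptions, and the throwaway sample data is signed with `openssl x509 -req` rather than `openssl ca` so that no CA configuration is needed.

```shell
#!/bin/sh
# Added example (not from the runbook). Function names, the 2048-bit RSA
# minimum and all sample subjects are assumptions.

# check_csr FILE [MIN_BITS]: pass only if the CSR self-signature verifies
# and the public key is at least MIN_BITS. Run before `openssl ca`.
check_csr() {
  local csr="$1" min="${2:-2048}" bits
  # Match the text, not the exit code: some OpenSSL versions exit 0 on a failed verify.
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
  bits=$(openssl req -in "$csr" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p')
  [ -n "$bits" ] && [ "$bits" -ge "$min" ]
}

# check_bundle P7B CRT CA: pass only if CRT chains to CA and the P7B holds
# exactly two certificates (leaf plus CA), as the conversion step intends.
check_bundle() {
  local p7b="$1" crt="$2" ca="$3" n
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
  n=$(openssl pkcs7 -in "$p7b" -print_certs | grep -c 'BEGIN CERTIFICATE')
  [ "$n" -eq 2 ]
}

# Constructed sample data: throwaway CA, CSR, certificate and P7B in DIR.
# Uses `openssl x509 -req` to sign, to avoid needing an `openssl ca` config.
make_sample() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=module.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/leaf.crt" 2>/dev/null &&
  openssl crl2pkcs7 -nocrl -certfile "$d/leaf.crt" -certfile "$d/ca.pem" \
    -out "$d/leaf.p7b"
}

demo=$(mktemp -d) && make_sample "$demo" &&
  check_csr "$demo/leaf.csr" &&
  check_bundle "$demo/leaf.p7b" "$demo/leaf.crt" "$demo/ca.pem" &&
  echo "CSR and bundle checks passed"
rm -rf "$demo"
```

Because the signing step uses `policy_anything`, the CA does not constrain subject fields, so a pre-sign check like `check_csr` is a natural place to also compare the CSR subject against the approved request.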

C. Generate Token (UAT)

  1. Generate user token and write to file:
    cert-gen-<COUNTRY>-uat <USERNAME> > "token_username&date.txt"
    Token details screenshot (replace with hosted path)
    i Replace placeholders with actual country code and username from the approved spreadsheet.
  2. Exit the server after token generation and store artifacts per policy.

Email Format and Attachments

  1. Generate an email draft to share the certificate with the bank team using the internal tool “cert-mail” in the TOOL section, and fill all required fields.
    Mail format tool (replace with hosted path)
    Required fields (replace with hosted path)
  2. Attach the generated P7B file copied from CyberArk to the email to share with the bank team.
    P7B attachment example (replace with hosted path)
  3. Verify certificate/token details and recipients before sending to ensure accuracy and confidentiality.
    Certificate details preview (replace with hosted path)

Maintainer Notes

Images and assets

i Replace local Windows paths in img src with repo-relative or hosted URLs to ensure images render in CI/CD and docs portals.

Credentials handling

! Never embed real passwords or passphrases; fetch from CyberArk or the enterprise vault and rotate per policy.

Accessibility

i Keep <summary> text concise and meaningful so the disclosure control has a clear accessible name.