GSA External Certificate Requests

External Certificate Request

Important notes:
1. Dev and Test applications cannot be publicly accessible per GSA policy
2. Wildcard certificates are not allowed for external apps per GSA policy
3. FCS tracks the certificate's expiration after it's loaded into Netscaler and notifies you 30-60 days prior

Generate the CSR

1. Copy and paste the following into a new file. Ensure the CN and DNS.1 fields are filled out with the desired FQDN. Additional SANs can be added as further entries (DNS.2, DNS.3, etc.).

[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[dn]
C = US
ST = District of Columbia
L = Washington
O = General Services Administration
OU = General Services Administration
CN = <FQDN>

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = <FQDN>

2. Save the file, e.g. my-subdomain-gsa-gov.cnf
3. In the following command, replace my-subdomain-gsa-gov in the filenames with the name you chose. Run the command to create the CSR and private key:

openssl req -new -newkey rsa:2048 -sha256 -nodes \
-config my-subdomain-gsa-gov.cnf \
-keyout my-subdomain-gsa-gov.key \
-out my-subdomain-gsa-gov.csr

4. Make a copy of the .csr file with a .txt file extension, e.g. my-subdomain-gsa-gov.csr.txt. This copy will be attached to the request.
5. Put all 4 files in a safe place that you can find easily later. Do not lose the private key, or this entire process will have to be redone. Do not share the private key with anyone except FCS Networking.
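
A pre-flight check for the config file from step 1, as an added example that is not part of the original page or of GSA tooling: it flags an unreplaced <FQDN> placeholder, a wildcard name (important note 2), a CN that is missing from the SANs, and changed digest or key-size values. The function names are hypothetical, and the expectation that the CN also appears as a SAN is taken from the template, where CN and DNS.1 hold the same FQDN.

```shell
#!/bin/sh
# Added example: lint the CSR config file before running `openssl req`.
# cnf_value, cnf_sans and check_csr_cnf are hypothetical helper names.

# Print the value of key $2 (e.g. CN, default_md) from config file $1.
cnf_value() {
    awk -F= -v key="$2" '
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; gsub(/^[ \t]+|[ \t\r]+$/, "", v); print v; exit }
    ' "$1"
}

# Print every DNS.n value from config file $1, one per line.
cnf_sans() {
    awk -F= '
        { k = $1; gsub(/[ \t]/, "", k) }
        k ~ /^DNS\.[0-9]+$/ { v = $2; gsub(/^[ \t]+|[ \t\r]+$/, "", v); print v }
    ' "$1"
}

# Return 0 if config file $1 is ready for `openssl req`, 1 otherwise.
# Every problem found is reported on stderr, not just the first one.
check_csr_cnf() {
    cnf=$1; rc=0
    cn=$(cnf_value "$cnf" CN)
    sans=$(cnf_sans "$cnf")
    fail() { echo "FAIL: $1" >&2; rc=1; }

    [ -n "$cn" ] || fail "CN is empty"
    [ -n "$sans" ] || fail "no DNS.n entries under [alt_names]"
    # Template placeholder left in place
    case "$cn $sans" in *"<"*|*">"*) fail "<FQDN> placeholder not replaced" ;; esac
    # Wildcard certificates are not allowed for external apps (important note 2)
    case "$cn $sans" in *"*"*) fail "wildcard name present" ;; esac
    # Assumption from the template: the CN is also listed as a SAN
    printf '%s\n' "$sans" | grep -Fxq -- "$cn" || fail "CN '$cn' is not among the SANs"
    # Template values that should stay as published on the page
    [ "$(cnf_value "$cnf" default_md)" = "sha256" ] || fail "default_md is not sha256"
    [ "$(cnf_value "$cnf" default_bits)" = "2048" ] || fail "default_bits is not 2048"
    return $rc
}

# Usage: sh check-cnf.sh my-subdomain-gsa-gov.cnf  (the script name is arbitrary)
if [ $# -gt 0 ]; then
    check_csr_cnf "$1" && echo "OK: $1"
fi
```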

Filling out the Form

1. Go to the GSA IT Self Service Portal
2. Select Self Catalog.
3. Select Enterprise Services
4. Select External Certificate Request
5. Attach the CSR .txt file (the form does not accept .csr file extensions)
6. Fill in the required fields as follows:

  • Supervisor: < your GSA supervisor >
  • What is this request for: < New Certificate or Replacement Certificate >
  • Hostname: < FQDN >
  • Group Email/Backup POC: < your GSA email >
  • Fully Qualified Domain Name: < FQDN >
  • Current Certificate Expiration Date: < today's date >
  • Organization: GSA
  • Organization Unit: FAS
  • Country/Region: US
  • Operating System: Linux/Unix
  • Did you attach the CSR: Yes
  • Responsible SSO: GSA IT - Office of Acquisition IT Services (IQ)
  • FISMA System: FAS Cloud Services (FCS)
  • Subject Alternative Name (SAN): < FQDN and any additional SANs >

Submitting the Request

A single request item (RITM) can be submitted by clicking on "Order Now". This will generate a REQ number for your records. You'll receive emails when the Change Request (CHG) is created and assigned to the implementation team.

Multiple request items can be bundled into one request by clicking on "Add to cart" for each completed form. After adding all items, click on "View Cart" at the top of the form (or "Cart" at the top right of the page), then "Checkout".

External Routing

To make an endpoint publicly accessible, follow the steps outlined in External/Public Traffic.
