Use the PGP Universal Server management console and go to Consumers - Users - Add Users - Internal User - Manual Creation.

Create a new device consumer named "Machine1" with passphrase "password".

Open the policy settings for this user's consumer policy and go to General - Edit Preferences, select "Consumer Policy General Options".

Now set the advanced pref named "autoIssueCerts" to boolean false.

Under Consumer Policy - Keys - Certificates you can set advanced certificate properties and attributes.

Assign the following permissions for this consumer: Can create managed key

1. Authenticate the consumer and cache authentication

    pgp --usp-server keys.senderdomain.com --auth-username Machine1 --auth-passphrase password --usp-cache-auth

returns: keys.senderdomain.com:USP cache auth (0:Authentication cached)

2. Create a new key, without subkeys

    pgp --gen-key "SSL Certificate Key" --bits 2048 --key-type rsa-sign-only --passphrase ""

returns: 0xFBEBEEE8:generate key (0:key successfully generated)

3. Add additional key usages to this key

    pgp --set-key-flag --key-flag encrypt-and-sign 0xFBEBEEE8 --passphrase ""

returns: 0xFBEBEEE8:set key flag (0:flags updated successfully)

4. Export this key

    pgp --export-key-pair 0xFBEBEEE8 -o 0xFBEBEEE8.asc

returns: 0xFBEBEEE8:export key pair (0:key exported to 0xFBEBEEE8.asc)

5. Import the key as SKM in PGP Key Management Server

    pgp --usp-server keys.senderdomain.com --import-mak 0xFBEBEEE8.asc

returns: SSL Certificate Key:import MAK (0:key imported as ca5282ba-3387-4c1a-9c37-3603b9785e99 SSL Certificate Key)

6. Create an advanced certificate signing request

    pgp --export 0xFBEBEEE8 --export-format csr -o 0xFBEBEEE8.csr --passphrase "" --common-name "machine1.senderdomain.com" --organization "Senderdomain" --city "Menlo Park" --state "California" --country "US" --organizational-unit "Sales Organization" --organizational-unit "Field Engieering"

returns: 0xFBEBEEE8:export key (0:key exported to 0xFBEBEEE8.csr)

7. Send the certificate request to Universal Server (MAK UUID from step 5, CSR filename from step 6)

    pgp --usp-server keys.senderdomain.com --request-cert ca5282ba-3387-4c1a-9c37-3603b9785e99 --cert-file 0xFBEBEEE8.csr

returns: SSL Certificate Key:MAK request certificate (0:CSR imported from 0xFBEBEEE8.csr)

(optional start)

8. Issue the certificate on Universal Server (MAK UUID from step 5)

    pgp --usp-server keys.senderdomain.com --edit-mak ca5282ba-3387-4c1a-9c37-3603b9785e99 --import-certificates --passphrase ""

(optional end)

9. Download the modified MAK including the new cert (MAK UUID from step 5, new filename containing keyid from step 2)

    pgp --usp-server keys.senderdomain.com --export-mak ca5282ba-3387-4c1a-9c37-3603b9785e99 -o "0xFBEBEEE8_new.asc"

returns: 0xFBEBEEE8:export MAK (0:key exported to 0xFBEBEEE8_new.asc)

10. Import the updated MAK into the keyring (filename from step 9)

    pgp --import -i "0xFBEBEEE8_new.asc"

returns: 0xFBEBEEE8_new.asc:import key (0:key imported as 0xFBEBEEE8 SSL Certificate Key)

11. Export certificate (keyid from step 2, filename for exported certificate)

    pgp --export 0xFBEBEEE8 --export-format x509-cert -o "Machine1_0xFBEBEEE8.crt"

returns: 0xFBEBEEE8:export key (0:key exported to Machine1_0xFBEBEEE8.crt)

12. Export certificate as PKCS12 file (keyid from step 2, filename for exported pkcs12 file)

    pgp --export-key-pair 0xFBEBEEE8 --export-format pkcs12 --passphrase "" --export-passphrase "password" -o "Machine1_0xFBEBEEE8.pfx"

returns: 0xFBEBEEE8:export key pair (0:key exported to Machine1_0xFBEBEEE8.pfx)
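
Steps 7 to 12 reuse the key ID from step 2 and the MAK UUID from step 5. As an added example (not part of the original procedure), the shell helpers below extract those values from the "returns:" lines and refuse to continue unless the status code is 0. The function names are hypothetical, and the line format "subject:operation (code:message)" is assumed from the outputs quoted on this page.

```shell
#!/bin/sh
# Added example: helper names are hypothetical. The status-line format
#   <subject>:<operation> (<code>:<message>)
# is an assumption taken from the "returns:" lines of this procedure.

# pgp_status_code LINE -> prints the numeric code inside the parentheses
pgp_status_code() {
    printf '%s\n' "$1" | sed -n 's/^.*(\([0-9][0-9]*\):.*)$/\1/p'
}

# pgp_key_id LINE -> prints the 0x... key ID that starts the line (step 2)
pgp_key_id() {
    printf '%s\n' "$1" | sed -n 's/^\(0x[0-9A-Fa-f]\{8,16\}\):.*$/\1/p'
}

# pgp_mak_uuid LINE -> prints the UUID from the step 5 "import MAK" message
pgp_mak_uuid() {
    printf '%s\n' "$1" | sed -n \
      's/^.*key imported as \([0-9a-f]\{8\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{12\}\) .*$/\1/p'
}

# require_ok LINE -> succeeds only when the status code is exactly 0
require_ok() {
    [ "$(pgp_status_code "$1")" = "0" ]
}

# mak_uuid_checked LINE -> prints the UUID only if the import reported code 0
# and a well-formed UUID is present; otherwise returns non-zero, prints nothing
mak_uuid_checked() {
    require_ok "$1" || return 1
    uuid=$(pgp_mak_uuid "$1")
    [ -n "$uuid" ] || return 1
    printf '%s\n' "$uuid"
}

# Sample input: the step 5 output line quoted in the procedure above.
step5='SSL Certificate Key:import MAK (0:key imported as ca5282ba-3387-4c1a-9c37-3603b9785e99 SSL Certificate Key)'
MAK_UUID=$(mak_uuid_checked "$step5") && echo "MAK UUID for steps 7-9: $MAK_UUID"
```

In a scripted run, capture each pgp command's output into a variable and pass it to these helpers instead of the sample line.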