Digi-Sign, The Certificate Corporation
Published on Digi-Sign, The Certificate Corporation (http://www2.digi-sign.com)

By Digi-Sign
Created Feb 18 2008 - 14:16

CSR Generation

Important Note:

Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]

How to generate a Certificate Signing Request [CSR] on a server

The first part of enrolling for your Digi-SSL™ [2] Certificate is to generate a Certificate Signing Request [CSR]. CSR generation is wholly dependent on the software you use on your webserver. Select your webserver software from the list below after reading the following general points:

General Points to remember before creating your CSR

The Common Name field should be the Fully Qualified Domain Name [FQDN] or the web address for which you plan to use your Certificate, e.g. the area of your site you wish customers to connect to using SSL. For example, a Digi-SSL™ Certificate issued for digi-sign.com will not be valid for secure.digi-sign.com. If the web address to be used for SSL is secure.digi-sign.com, ensure that the common name submitted in the CSR is secure.digi-sign.com

If your webserver software does not appear on the list, please contact support [3] with full details of your webserver software and we will contact you with further instructions.


Apache Mod_SSL

Instructions

Step-by-Step Instructions

A CSR is a file containing your certificate application information, including your Public Key. Generate your CSR and then copy and paste the CSR file into the web form in the enrollment process:

Generate keys and certificate:

To generate a private key and a Certificate Signing Request (CSR) for a webserver, run the following command, replacing "myserver" and "server" in the file names with the full hostname you are using:

    openssl req -new -newkey rsa:2048 -keyout myserver.key -nodes -out server.csr



This creates two files. The file myserver.key contains a private key; do not disclose this file to anyone. Carefully protect the private key.

In particular, be sure to back up the private key, as there is no means to recover it should it be lost. The private key is used as input in the command to generate a Certificate Signing Request (CSR).

You will now be asked to enter the details that go into your CSR.

What you are about to enter is what is called a Distinguished Name or a DN.

For some fields there will be a default value. If you enter '.', the field will be left blank.

    -----
    Country Name (2 letter code) [AU]: GB
    State or Province Name (full name) [Some-State]: York
    Locality Name (eg, city) []: York
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd
    Organizational Unit Name (eg, section) []: IT
    Common Name (eg, YOUR name) []: mysubdomain.mydomain.com
    Email Address []:

    Please enter the following 'extra' attributes to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    -----



Use the name of the web server as Common Name (CN). If the domain name is mydomain.com, append the domain to the hostname (use the fully qualified domain name).

The fields email address, optional company name and challenge password can be left blank for a web server certificate.

Your CSR will now have been created. Open the server.csr in a text editor and copy and paste the contents into the online enrollment form when requested.

OpenSSL

Instructions

Step-by-Step Instructions

A CSR is a file containing your certificate application information, including your Public Key. Generate your CSR and then copy and paste the CSR file into the web form in the enrollment process:

Generate keys and certificate:

To generate a private key and a Certificate Signing Request (CSR) for a web server, "server", use the following command:

256-bit Certificate:

    openssl req -new -newkey rsa:2048 -keyout myserver.key -nodes -out server.csr



This creates two files. The file myserver.key contains a private key; do not disclose this file to anyone. Carefully protect the private key.

In particular, be sure to back up the private key, as there is no means to recover it should it be lost. The private key is used as input in the command to generate a Certificate Signing Request (CSR).

You will now be asked to enter the details that go into your CSR.

What you are about to enter is what is called a Distinguished Name or a DN.

For some fields there will be a default value. If you enter '.', the field will be left blank.

    -----
    Country Name (2 letter code) [AU]: GB
    State or Province Name (full name) [Some-State]: York
    Locality Name (eg, city) []: York
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd
    Organizational Unit Name (eg, section) []: IT
    Common Name (eg, YOUR name) []: mysubdomain.mydomain.com
    Email Address []:

    Please enter the following 'extra' attributes to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    -----



Use the name of the web server as Common Name (CN). If the domain name is mydomain.com, append the domain to the hostname (use the fully qualified domain name).

The fields email address, optional company name and challenge password can be left blank for a webserver certificate.

Your CSR will now have been created. Open the server.csr in a text editor and copy and paste the contents into the online enrollment form when requested.
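
The points made in the Apache Mod_SSL and OpenSSL sections above (a key of at least 2048 bits, a Common Name equal to the FQDN, a protected private key that belongs to the request) can be checked before the CSR is pasted into the enrollment form. This is an added example, not part of the Digi-Sign instructions; the function names are its own, and `-subj` is used only to answer the Distinguished Name prompts non-interactively for a constructed sample.

```sh
#!/bin/sh
# Added example: pre-submission checks for a CSR produced by
#   openssl req -new -newkey rsa:2048 -keyout myserver.key -nodes -out server.csr
# Requires the openssl command-line tool.

MIN_BITS=2048   # CSRs generated with a 1024 bit key are no longer supported

# Print the public key size, in bits, of the CSR in file $1.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the subject Common Name of the CSR in file $1.
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

# check_csr CSR KEY FQDN: print one line per check, return 0 only if all pass.
check_csr() {
    cc_csr=$1; cc_key=$2; cc_fqdn=$3; cc_rc=0

    # 1. The request parses and is signed by the key it carries.
    if openssl req -in "$cc_csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "ok   self-signature verifies"
    else
        echo "FAIL self-signature does not verify"; cc_rc=1
    fi

    # 2. Key size meets the minimum.
    cc_bits=$(csr_key_bits "$cc_csr")
    if [ "${cc_bits:-0}" -ge "$MIN_BITS" ]; then
        echo "ok   key size ${cc_bits} bit"
    else
        echo "FAIL key size ${cc_bits:-unknown} bit, need ${MIN_BITS}"; cc_rc=1
    fi

    # 3. Common Name is exactly the host name the certificate is for.
    cc_cn=$(csr_common_name "$cc_csr")
    if [ "$cc_cn" = "$cc_fqdn" ]; then
        echo "ok   Common Name $cc_cn"
    else
        echo "FAIL Common Name '$cc_cn' is not '$cc_fqdn'"; cc_rc=1
    fi

    # 4. The private key on disk is the one the CSR was made from.
    cc_req_pub=$(openssl req -in "$cc_csr" -noout -pubkey 2>/dev/null) || cc_req_pub=
    cc_key_pub=$(openssl pkey -in "$cc_key" -pubout 2>/dev/null </dev/null) || cc_key_pub=
    if [ -n "$cc_req_pub" ] && [ "$cc_req_pub" = "$cc_key_pub" ]; then
        echo "ok   private key matches the request"
    else
        echo "FAIL private key does not match the request"; cc_rc=1
    fi

    # 5. -nodes leaves the key unencrypted, so only the owner may read it.
    cc_mode=$(ls -l "$cc_key" | cut -c5-10)
    if [ "$cc_mode" = "------" ]; then
        echo "ok   private key is not group/world accessible"
    else
        echo "FAIL private key permissions too open (chmod 600)"; cc_rc=1
    fi
    return "$cc_rc"
}

# make_sample_csr DIR BITS FQDN: constructed sample, same command as above
# with the Distinguished Name answers supplied through -subj.
make_sample_csr() {
    openssl req -new -newkey "rsa:$2" -nodes \
        -keyout "$1/myserver.key" -out "$1/server.csr" \
        -subj "/C=GB/ST=York/L=York/O=MyCompany Ltd/OU=IT/CN=$3" 2>/dev/null &&
    chmod 600 "$1/myserver.key"
}

# Demonstration on a throwaway key and CSR.
demo=$(mktemp -d)
if make_sample_csr "$demo" 2048 mysubdomain.mydomain.com; then
    check_csr "$demo/server.csr" "$demo/myserver.key" mysubdomain.mydomain.com ||
        echo "do not submit this CSR"
fi
rm -rf "$demo"
```
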

Cobalt RaQ4/XTR

Instructions

To enable SSL on a virtual site:

    Go to the Server Management screen.
    Click the green icon (Wrench for RaQ4, Pencil for XTR) next to the virtual site on which you want to enable SSL. The Site Management screen appears.
    Click Site Settings on the left side.
    (Then 'General' for XTR)
    Click the check box next to Enable SSL.
    Click Save Changes.
    The RaQ4/XTR saves the configuration of the virtual site.



Generate a self-signed certificate:

    Once SSL is enabled, the user must now create a self-signed certificate. An external authority will sign the self-signed certificate later.
    Go to the Server Management screen.
    Click the green icon (Wrench for RaQ4, Pencil for XTR) next to the SSL enabled virtual site

    Click SSL Settings on the left side.

    The Certificate Subject Information table appears.



Enter the following information:

    Country: Enter the two-letter country code
    State: Enter the name of the state or County
    Locality: Enter the city or locality
    Organization: Enter the name of the organization
    Organizational Unit: As an option, enter the name of a department

Select Generate self-signed certificate from the pull-down menu at the bottom.
Click Save Changes.

The RaQ4/XTR processes the information and regenerates the screen with the new self-signed certificate in the Certificate Request and Certificate windows.


Copy the entire contents of the certificate request, including:

    -----BEGIN CERTIFICATE REQUEST-----
    and
    -----END CERTIFICATE REQUEST-----
    for use during the purchasing process.



Cobalt User Guide available at:
http://www.sun.com/hardware/serverappliances/documentation/manuals.html [4]

Apache via Ensim Webppliance 3.1.x

Instructions

Login to the Site Administrator or Appliance Administrator and select the site to administer.


Select Services


Select the Actions box next to Apache Web Server and then select SSL Settings


Select Generate and fill in the required details. The site name will automatically be entered into the Common Name field; ensure this is correct and contains the Fully Qualified Domain Name (e.g. secure.digi-sign.com, www.digi-sign.com [5], support.digi-sign.net).


Select Save and you are presented with the RSA Key and the Certificate Request (CSR)


Copy the Certificate Request into a text editor; this will be required when you purchase your certificate. Do not delete this request, as it will be needed during the installation of your SSL certificate.

Stronghold Server

Instructions

NOTE: Keys and certificates are managed through three scripts: genkey, getca and genreq. These are part of the normal Stronghold distribution. Keys and certificates are stored in the directory $SSLTOP/private/, where SSLTOP is typically /usr/local/ssl.

To generate a key pair and CSR for your server:

  • Run genkey, specifying the name of the host or virtual host: genkey hostname. The genkey script displays the filenames and locations of the key file and CSR file it will generate:
    • Key file: /usr/local/www/sslhostname.key
    • CSR file: /usr/local/www/sslhostname.cert

    NOTE: If you already have a key for your server, run genreq [servername] to generate only the CSR.

  • Press Enter. The genkey script reminds you to be sure you are not overwriting an existing key pair and certificate.
  • When prompted, enter a key size in bits. It is recommended that you use the largest key size available: 2048.
  • When prompted, enter random keystrokes. Stop when the counter reaches zero and genkey beeps. This random data is used to create a unique public and private key pair.
  • When prompted, enter 'y' to create the key pair and CSR.
    • For your CA [6] select 'Other'.
    • Enter the two-letter country code for your country. You must use the correct ISO country code; other abbreviations will not be recognized. For example the correct code for the United Kingdom is GB, not UK.
    • Enter the full name of your state or province. Do not abbreviate.
    • Enter the name of your city, town, or other locality.
    • Enter the name of your organization.
    • Enter the name of your unit within the specified organization.
    • Enter your web site's fully qualified name. For example www.company.com [7]. This is also known as your site's common name.
    • When you have finished entering the CSR data, genkey automatically creates the CSR.

Back up your key file and CSR on a floppy disk and store the disk in a secure location. If you lose your private key or forget the password, you will not be able to install your certificate.

Hsphere

Instructions

1. Click SSL on your control panel home page.

2. Enable SSL for the domain in the list.

3. Click the link at the top of the form that appears.

4. On the page that appears, confirm your details by clicking the Submit button:


These data will be used to generate the certificate. Don't make changes to the data if you are not sure about the purpose of these changes.

5. Follow instructions that appear at the top of the next page.


  • SSL Certificate Signing request. It includes the details that you submitted on the previous step. Use this request to get an SSL certificate from Digi-Sign.

  • SSL Server Private Key. This is the secret key to decrypt messages from your visitors. It must be stored in a secure place where it is inaccessible to others. Don't lose this key; you will need it if you get a permanent certificate.

  • Temporary SSL Certificate. It validates your identity and confirms the public key to assure the visitors that they are communicating with your server, not any other party.

6. Copy the signing request and private key for later use.

IBM HTTP Server

Instructions

Using IKEYMAN for CSR Generation

NOTE: If you are starting IKEYMAN to create a new key database file, the file is stored in the directory where you start IKEYMAN.

To create a new Key Database:

  • A key database is a file that the server uses to store one or more key pairs and certificates. You can use one key database for all your key pairs and certificates, or create multiple databases.
  • Enter IKEYMAN on a command line on UNIX, or start the Key Management utility in the IBM HTTP Server folder, on Windows.
  • Select Key Database File from the main user interface, then select New.
  • In the New dialog box, enter your key database name. Click OK.
  • In the Password Prompt dialog box, enter a password, then enter it again to confirm it. Click OK.


Creating a New Key Pair and Certificate Request:

  • Enter IKEYMAN on a command line on UNIX, or start the Key Management utility in the IBM HTTP Server folder on Windows.
  • Select Key Database File from the main user interface, then select Open.
  • In the Open dialog box, select your key database name. Click OK.
  • In the Password Prompt dialog box, enter your correct password and click OK.
  • Select Create from the main user interface, then select New Certificate Request.
  • In the New Key and Certificate Request dialog box, enter:

    • Key Label: A descriptive comment to identify the key and certificate in the database.
    • Keysize:
    • Organization Name:
    • Organization Unit:
    • Locality:
    • State/Province:
    • Zipcode/Postcode:
    • Country: Enter a country code. Example: US or GB etc
    • Certificate request file name, or use the default name
  • Click OK.
  • In the Information dialog box, click OK.

Java Server

Instructions

Creating a New Key Pair

  • Use the keytool command to create the key file:

        keytool -genkey -keyalg RSA -keysize 2048 -keystore domain.key

  • The following questions will be asked if not known:
  • Enter keystore password: (NOTE:remember this for later use)

    • What is your first and last name? - This is the Common Name (Domain Name)
    • What is the name of your organizational unit?
    • What is the name of your organization?
    • What is the name of your City or Locality?
    • What is the name of your State or Province?
    • What is the two-letter country code for this unit?
  • You will then be asked if the information is correct:
  • Is CN=www.yourdomain.com, OU=Your Organizational Unit, O=Your Organization, L=Your City, ST=Your State, C=Your Country correct?

  • When you answer 'y' or 'yes' the password is then requested:
  • Enter key password for

    NOTE:Make a note of this password
    is the default alias for the certificate

  • Use the keytool command to create the CSR file (where yyy is the alias name you will need to remember):

        keytool -certreq -keyalg RSA -alias yyy -file domain.csr -keystore domain.key

  • You will be prompted to enter the password.
  • Enter keystore password:

    If the password is correct then the CSR is created.
    If the password is incorrect then a password error is displayed.

  • You will need the text from this CSR when requesting a certificate

Tomcat Server

Instructions

Creating a New Key Pair

  • Use the keytool command to create the key file:

        keytool -genkey -keyalg RSA -keysize 2048 -keystore domain.key

  • The following questions will be asked if not known:
  • Enter keystore password: (NOTE:remember this for later use)

    • What is your first and last name? - This is the Common Name (Domain Name)
    • What is the name of your organizational unit?
    • What is the name of your organization?
    • What is the name of your City or Locality?
    • What is the name of your State or Province?
    • What is the two-letter country code for this unit?
  • You will then be asked if the information is correct:
  • Is CN=www.yourdomain.com, OU=Your Organizational Unit, O=Your Organization, L=Your City, ST=Your State, C=Your Country correct?

  • When you answer 'y' or 'yes' the password is then requested:
  • Enter key password for

    NOTE:Make a note of this password
    is the default alias for the certificate

  • Use the keytool command to create the CSR file (where yyy is the alias name you will need to remember):

        keytool -certreq -keyalg RSA -alias yyy -file domain.csr -keystore domain.key

  • You will be prompted to enter the password.
  • Enter keystore password:

    If the password is correct then the CSR is created.
    If the password is incorrect then a password error is displayed.

  • You will need the text from this CSR when requesting a certificate

Lotus Domino Server versions 4.6x and 5.0x

Instructions

For version 4.6x:

  • From the administration panel, click System Databases and choose Open Domino Server Certificate Administration (CERTSRV.NSF) on the local machine. Click Create Key Ring.
  • Enter a name for the key ring file in the "Key Ring File Name" field.
  • Enter a password for the server key ring file in the "Key Ring Password" field.
      NOTE: The password is case sensitive.
  • Select a key size. This is the size Domino uses when creating the public and private key pairs.
      NOTE: If you are using the international version of Domino, only the 512 bit key size will work for you unless you have Release R5.04.
  • Specify the components of your server's distinguished name.
  • Click Create Key Ring. Click OK.
  • Click Create Certificate Request.

NOTE: You must select all the text in the second dialog box, including Begin Certificate and End Certificate when the CSR is requested.


For R5.0x:

  • Launch the Domino Administration client.
  • Select File-Open Server and select the Domino server you wish to administer. Click the file tab, then double-click the Server Certificate Administration database (certsrv.nsf).
  • From the administration panel, click System Databases and choose Open Domino Server Certificate Administration (CERTSRV.NSF) on the local machine.
  • Click Create Key Ring.
  • Enter a name for the key ring file in the "Key Ring File Name" field.
  • Enter a password for the server key ring file in the "Key Ring Password" field.
      NOTE: The password is case sensitive. If you are using the international version of Domino, only the 512 bit key size will work for you unless you have Release R5.04.
  • Specify the components of your server's distinguished name.
  • Click Create Key Ring. Click OK.
  • Click Create Certificate Request.



NOTE: You must select all the text in the second dialog box, including Begin Certificate and End Certificate when the CSR is requested.

Microsoft IIS 4.x

Instructions

A CSR is a file containing your certificate application information, including your Public Key. Generate your CSR and then copy and paste the CSR file into the web form in the enrolment process:

Generate keys and certificate:

  • Open the Microsoft Management Console (MMC) for IIS (available in the Windows NT 4.0 Option Pack > Microsoft Internet Information Server > Internet Service Manager).
  • In the MMC, Expand the Internet Information Server folder and expand the computer name
  • Open the properties window for the website the CSR is for. You can do this by right clicking on the website
  • Open Directory Security Folder
  • In the Secure Communications area of this Property Sheet, select the Key Manager button and select "Create New Key..."
  • Choose "Put the request in a file that you will send to an authority." Select an appropriate filename (or accept the default).
  • Fill in the appropriate details:
  • Fill in all the fields; do not use the following characters:
    ! @ # $ % ^ * ( ) ~ ? > < & / \
    Note: If your server is 256 bit enabled, you will generate a 2048 bit key
    If your server is 256 bit you can generate up to 2048 bit keys
  • Click Next until you finish
  • Click Finish
  • Key Manager will display a key icon under the WWW icon. The key will have an orange slash through it indicating it is not complete. Choose the "Computers" menu and select Exit. Select YES when asked to commit changes
  • When you make your application, make sure you include this file (this is your CSR) in its entirety in the appropriate section of the enrolment form, including the lines -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----

  • Click Next
  • Confirm your details in the enrolment form
  • Finish



We recommend that you make a note of your password and back up your key, as only you know these, so if you lose them we can't help! A floppy diskette or other removable media is recommended for your backup files.

Microsoft IIS 5.x / 6.x

Instructions
  • For instructions on generating a Certificate Signing Request (CSR) using Microsoft IIS 5.x / 6.x for certificate renewal, click here.

    A CSR is a file containing your certificate application information, including your Public Key. Generate your CSR and then copy and paste the CSR file into the web form in the enrollment process:

  • Generate keys and Certificate Signing Request:

    • Select Administrative Tools
    • Start Internet Services Manager



  • Open the properties window for the website the CSR is for. You can do this by right clicking on the Default Website and selecting Properties from the menu

  • Open Directory Security by right clicking on the Directory Security tab.


  • Click Server Certificate. The following Wizard will appear:


  • Click Create a new certificate and click Next.


  • Select Prepare the request and click Next.


  • Provide a name for the certificate; this needs to be easily identifiable if you are working with multiple domains. This is for your records only.
  • If your server is 256 bit enabled, you will generate a 2048 bit key. We recommend you stay with the default of 2048 bit key if the option is available. Click Next


  • Enter Organisation and Organisation Unit, these are your company name and department respectively. Click Next.


  • The Common Name field should be the Fully Qualified Domain Name (FQDN) or the web address for which you plan to use your Certificate, e.g. the area of your site you wish customers to connect to using SSL. For example, a Digi-Sign Certificate issued for digi-sign.com will not be valid for secure.digi-sign.com. If the web address to be used for SSL is secure.digi-sign.com, ensure that the common name submitted in the CSR is secure.digi-sign.com. Click Next.


  • Enter your country, state and city. Click Next.


  • Enter a filename and location to save your CSR. You will need this CSR to enroll for your Certificate. Click Next.


  • Check the details you have entered. If you have made a mistake click Back and amend the details. Be especially sure to check the domain name the Certificate is to be "Issued To". Your Certificate will only work on this domain. Click Next when you are happy the details are absolutely correct.
  • When you make your application, make sure you include the CSR in its entirety in the appropriate section of the enrollment form, including the lines -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----

    • Click Next
    • Confirm your details in the enrollment form
    • Finish

    To save your private key:

  • Go to: Certificates snap in the MMC
  • Select Requests
  • Select All tasks
  • Select Export



We recommend that you make a note of your password and back up your key as these are known only to you, so if you lose them we can't help! A floppy diskette or other removable media is recommended for your backup files.

Microsoft IIS 7 Server 2008

Instructions

Follow these instructions to generate a certificate request (CSR).

  • Open the Internet Information Services (IIS) Manager. From the Start button select Programs > Administrative Tools > Internet Information Services Manager

  • In the IIS Manager, select the server node on the top left under Connections

  • In the Features pane (the middle pane), double-click the Server Certificates option located under the IIS or Security heading (depending on your current group-by view)

  • From the Actions pane on the top right, select Create Certificate Request. The Distinguished Name Properties dialog box opens

  • You will be asked for several pieces of info which will be used by Digi-Sign to create your new SSL certificate. These fields include the Common Name (aka domain, FQDN), organization, country, key bit length, etc. Use the CSR Legend in the right-hand column of this page to guide you when asked for this information. The following characters should not be used when typing in your CSR input: < > ~ ! @ # $ % ^ / \ ( ) ? , &

  • THIS IS THE MOST IMPORTANT STEP! Enter your site's Common Name. The Common Name is the fully qualified domain name for your web site or mail server. Whatever your end user will see in their browser's address bar is what you should put in here. Do not include http:// or https://. Refer to the CSR legend in the right-hand column of this page for examples. If this is wrong, your certificate will not work properly

  • Enter your Organization (e.g., Gotham Books Inc) and Organizational Unit (e.g., Internet Sales). Click Next

  • Enter the rest of the fields using the CSR Legend in the right-hand column of this page for guidance and examples. Click Next to continue

  • The next screen of the wizard asks you to choose cryptography options. The default Microsoft RSA SChannel Cryptography Provider is fine; choose a key bit-length of at least 2048 bits. Click Next to continue

  • Finally, specify a file name for the certificate request. It doesn't matter what you call it or where you save it as long as you know where to find it. You'll need it in the next step. We recommend calling it certreq.txt

  • Click Finish to complete the certificate request (CSR) Wizard

  • Now, from a simple text editor such as Notepad (do not use Word), open the CSR file you just created at c:\certreq.txt (your path/filename may be different). You will need to copy and paste the contents of this file, including the top and bottom lines, into the relevant box during the online order process


Microsoft ISA 2000 Server

Instructions

Since Microsoft ISA 2000 Server does not have a direct interface for generating a Certificate Signing Request, you may need to follow the CSR generation instructions for Microsoft IIS4/IIS5/IIS6 web servers [8]

Microsoft Office Communications Server [OCS] 2007

Instructions

The best resource for Microsoft OCS 2007 is to go directly to the Microsoft TechNet site and follow the instructions for sub section 3.6 Configure Certificates for Front End, Web Conferencing and A/V Server Roles [9].

Once you have followed these instructions, then visit sub section 3.7 Configure the Web Components Server IIS Certificate [9].

Microsoft SMTP Server

Instructions

A CSR is a file containing your certificate application information, including your Public Key. Generate your CSR and then copy and paste the CSR file into the web form in the enrollment process or send it via email to your account manager in Digi-Sign:

Generate keys and Certificate Signing Request:

  • Select Administrative Tools
  • Start Internet Services Manager



  • Open the properties window for the SMTP Server the CSR is for. You can do this by right clicking on the Default SMTP Virtual Server and selecting Properties from the menu
  • Open Access by clicking the Access tab.


  • Click Certificate. The following Wizard will appear:


  • Click Create a new certificate and click Next.


  • Select Prepare the request and click Next.


  • Provide a name for the certificate; this needs to be easily identifiable if you are working with multiple domains. This is for your records only.

  • If your server is 256 bit enabled, you can generate keys of up to 2048 bits. We recommend you select the 2048 bit key if the option is available. Click Next.



  • Enter Organisation and Organisation Unit; these are your company name and department respectively. Click Next.



  • The Common Name field should be the Fully Qualified Domain Name (FQDN) of your Mail Exchange server, for which you plan to use your Certificate, e.g. mail.yourdomain.com. If the web address to be used for SSL is mail.yourdomain.com, ensure that the common name submitted in the CSR is mail.yourdomain.com. Click Next.



  • Enter your country, state and city. Click Next.



  • Enter a filename and location to save your CSR. You will need this CSR to enroll for your Certificate. Click Next.



  • Check the details you have entered. If you have made a mistake click Back and amend the details. Be especially sure to check the domain name the Certificate is to be "Issued To". Your Certificate will only work on this domain. Click Next when you are happy the details are absolutely correct.

  • When you make your application, make sure you include the CSR in its entirety in the appropriate section of the enrollment form, from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- inclusive.
  • Click Next
  • Confirm your details in the enrollment form
  • Finish

To save your private key:

  • Go to: the Certificates snap-in in the MMC
  • Select Requests
  • Select All tasks
  • Select Export

We recommend that you make a note of your password and back up your key, as these are known only to you, so if you lose them we can't help! A floppy diskette or other removable media is recommended for your backup files.

Ironport

Instructions

Ironport C100 is currently unable to create keys and certificate requests; however, below are some guidelines on how to generate a CSR and install an SSL certificate on your IronPort device:

*** Generate RSA Key and Certificate Request (CSR) ***

You can use the "openssl" toolkit on Linux/Windows to generate the CSR. Here are the commands you can use:

On a Linux/Windows computer with OpenSSL toolkit installed:

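# Generate a 2048 bit RSA private key, encrypted with a passphrase (Triple DES)
shell> openssl genrsa -des3 -out server.key 2048
# Create the CSR from that key
shell> openssl req -new -key server.key -out server.csr
# Write a passphrase-free copy of the key; restrict access to this file
shell> openssl rsa -in server.key -out server.key.PEMunsecure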

*** Request Certificate from Digi-Sign ***

Send the contents of the "server.csr" file to your account manager in Digi-Sign
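
One way to check a request before sending it, as an added example (not Digi-Sign's own tooling): the function confirms the BEGIN/END lines are intact, the self-signature verifies, the RSA key is at least 2048 bits, and the Common Name is the expected FQDN. The function names, the return codes and the mail.example.com subject are assumptions made for the illustration, and the requests it checks are throwaway ones constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: pre-submission checks for a CSR, using the openssl CLI.
# Function names, return codes and the example.com subject are assumptions.

# make_csr DIR BITS CN -> prints the path of a freshly generated CSR.
# Constructed test input only: the key is written unencrypted (-nodes)
# because it is a throwaway that never leaves the temporary directory.
make_csr() {
    mk_dir=$1 mk_bits=$2 mk_cn=$3
    openssl req -new -newkey "rsa:$mk_bits" -nodes \
        -keyout "$mk_dir/$mk_cn-$mk_bits.key" \
        -out "$mk_dir/$mk_cn-$mk_bits.csr" \
        -subj "/C=IE/O=Example Ltd/CN=$mk_cn" >/dev/null 2>&1 || return 1
    printf '%s\n' "$mk_dir/$mk_cn-$mk_bits.csr"
}

# check_csr FILE EXPECTED_CN [MIN_BITS]
# Returns 0 if the request is fit to submit, otherwise:
#   1 = BEGIN/END lines missing (truncated paste) or file unreadable
#   2 = self-signature does not verify
#   3 = public key smaller than MIN_BITS (default 2048)
#   4 = Common Name is not the expected FQDN
check_csr() {
    csr=$1 want_cn=$2 min_bits=${3:-2048}

    # 1. The request must be complete, armor lines included. Some Windows
    #    wizards write "NEW CERTIFICATE REQUEST"; openssl reads both forms.
    grep -q -e '-----BEGIN \(NEW \)\{0,1\}CERTIFICATE REQUEST-----' "$csr" 2>/dev/null &&
        grep -q -e '-----END \(NEW \)\{0,1\}CERTIFICATE REQUEST-----' "$csr" || return 1

    # 2. The self-signature shows the request was made with the matching
    #    private key and was not altered. Match on the message text: the
    #    exit status of "req -verify" differs between OpenSSL versions.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 2

    # 3. Key size, read from the "Public-Key: (N bit)" line of the text dump.
    key_bits=$(openssl req -in "$csr" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$key_bits" ] && [ "$key_bits" -ge "$min_bits" ] || return 3

    # 4. Common Name. RFC2253 output is comma separated (CN=...,O=...,C=...);
    #    this simple split assumes no escaped commas, true for host names.
    got_cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -e 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1)
    [ "$got_cn" = "$want_cn" ] || return 4

    return 0
}

# Demo on constructed input: one acceptable request, one with a 1024 bit key.
demo_dir=$(mktemp -d) || exit 1
trap 'rm -rf "$demo_dir"' EXIT
for demo_bits in 2048 1024; do
    demo_csr=$(make_csr "$demo_dir" "$demo_bits" mail.example.com) || continue
    check_csr "$demo_csr" mail.example.com
    echo "$demo_bits bit request for mail.example.com: check_csr returned $?"
done
```

To check the server.csr generated above, call check_csr with that file and the FQDN you entered as the Common Name.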

I-Planet Web Server

Instructions

1. Sign onto the Web server and select the server to manage



2. Select the Security tab and then Request a Certificate



3. Complete the required boxes and click OK

4. An email is then sent to the email address specified containing your CSR



5. The CSR will be required when requesting your certificate.

I-Planet Web Server 6.x

Instructions

1. Restart the administration server by typing the following commands:

    # /usr/iplanet/servers/https-admserv/stop
    # /usr/iplanet/servers/https-admserv/start

2. To request the server certificate, click the Security tab near the top of this page.

    The Create Trust Database window is displayed.

3. Select the Request a Certificate link on the left frame.



The screenshot depicts the following options:

    New certificate or Certificate renewal; View a list of available certificate authorities; Submit to Certificate Authority (CA [6]) via CA Email Address or CA URL; a drop-down menu to select the Cryptographic Module to use with this certificate ("nobody@engineering" is displayed as the default); a field for the Key Pair File Password; a link to an overview of the certificate process; fields for Requestor name, Telephone number, Common name, and Email address.

4. Fill out the form to generate a certificate request, using the following information:

    a. Select a New Certificate.

    If you can directly post your certificate request to a web-capable certificate authority or registration authority, select the CA URL link. Otherwise, choose CA Email Address and enter an email address where you would like the certificate request to be emailed to.

    b. Select the Cryptographic Module you want to use.

    Each realm has its own entry in this pull-down menu. Be sure that you select the correct realm. To use the Sun Crypto Accelerator 1000, you must select a module in the form of user@realm-name.

    c. In the Key Pair File Password dialog box, provide the password for the user@realm-name that will own the key.

    d. Provide the appropriate information for the following fields:

    • Requestor Name: Contact information for the requestor
    • Telephone Number: Contact information for the requestor
    • Common Name: Website domain that is typed in a visitor's browser (hostname.domain)
    • Email Address: Contact information for requestor
    • Organization: A value for the Organization to be asserted on the certificate
    • Organizational Unit: (Optional) A value for the Organizational Unit that will be asserted on the certificate
    • Locality: (Optional) City, county, principality, or country, which is also asserted on the certificate if provided
    • State: (Optional) The full name of the state in this field
    • Country: The two-letter ISO code for the country (for example, the United States is US)

    e. Click the OK button to submit the information.

5. Send the CSR to Digi-Sign.

  • If you choose to post your certificate request to a CA URL, the certificate request is automatically posted there.
  • If you choose the CA Email Address, copy the certificate request that was mailed to you with the headers and hand it off to your certificate authority.

6. Once the certificate is generated, copy it, along with the headers, to the clipboard.

NOTE that the certificate is different from the certificate request and is usually presented to you in text form.

Sun ONE 6.x

Instructions

Request a certificate

To request a certificate, perform the following steps:

1. For the Server Manager you must first select the server instance from the drop-down list.

    Click the Request a Certificate link.
    Select if this is a new certificate or a certificate renewal.

2. Perform the following steps to specify how you want to submit the request for the certificate:

    Digi-Sign usually expects to receive the request in an email message; therefore you need to enter the email address of your account manager in Digi-Sign or Digi-Sign Production Department.

    At the end of this process, you may also copy your request in a text format and apply for your certificate online through the Digi-Sign website at: http://www.digi-sign.com/product/digi-ssl/ [10] or through your Digi-CA™ [11] Service Account, if you are using the Digi-Sign certificate management system. When prompted, paste your request into a Certificate Signing Request (CSR) box.

3. Select the cryptographic module for the key-pair file you want to use when requesting the certificate from the drop-down list.

4. Enter the password for your key-pair file.

    This is the password you specified when you created the trust database, unless you selected a cryptographic module other than the internal module. The server uses the password to get your private key and encrypt a message to Digi-Sign. The server then sends both your public key and the encrypted message to Digi-Sign. Digi-Sign uses the public key to decrypt your message.

5. Enter your identification information.

    Required Information

    You need to provide the following information:
    Common Name must be the fully qualified hostname used in DNS lookups (for example, www.yourdomain.com [12]). This is the hostname in the URL that a browser uses to connect to your site. If these two names don't match, a client is notified that the certificate name doesn't match the site name, creating doubt about the authenticity of your certificate.

    Email Address is your business email address. This can be used for correspondence between you and Digi-Sign.

    Organization is the official, legal name of your company, educational institution, partnership, and so on. You need to verify this information with legal documents (such as a copy of a business license).

    Organizational Unit is an optional field that describes an organization within your company. This can also be used to note a less formal company name (without the Inc., Corp., and so on).

    Locality is a field that usually describes the city, principality, or country for the organization.

    State or Province is usually required, but can be optional.

    Country is a required, two-character abbreviation of your country name (in ISO format). The country code for the United States is US.

    All this information is combined as a series of attribute-value pairs called the distinguished name (DN), which uniquely identifies the subject of the certificate.

    Double-check your work to ensure accuracy. The more accurate the information, the faster your certificate is likely to be approved.

6. Click OK.

7. For the Server Manager, click Apply, and then Restart for changes to take effect.

    The server generates a certificate request that contains your information. The request has a digital signature [13] created with your private key. Digi-Sign uses a digital signature to verify that the request wasn't tampered with during routing from your server machine to Digi-Sign. In the rare event that the request is tampered with, Digi-Sign will usually contact you by phone.

    If you chose to email the request, the server composes an email message containing the request and sends the message to Digi-Sign. Typically, the certificate is then returned to you via email.

    If for any reason your network security settings or a firewall configuration prevent your server from sending the certificate request via email, copy the entire request string that should appear on the screen and send it manually to your account manager in Digi-Sign or to Digi-Sign Production Department from a PC that has access to Internet mail.

    Once you receive the certificate from Digi-Sign, you can install it. In the meantime, you can still use your server without SSL.

Oracle Web Server

Instructions

In this first step you generate a request for Digi-Sign to issue a certificate. It involves generating a public/private key-pair and identifying the server, the organization using it, and its Webmaster. The private key is encrypted and should never leave your server, except for backup purposes. The public key will become part of the certificate and is therefore sent to Digi-Sign, together with the rest of the information identifying your organization and your server.

To generate a certificate request, you will run the interactive utility genreq and enter the information for which it prompts you.

When the prompt specifies a default value, you can just press return to enter that value, or enter a different value if you prefer.

For an example of how to use genreq, see the following sample genreq session. Before you start, create a directory to store all SSL related files in, for example $ORACLE_HOME/ows2/ssl. To avoid typing long path names or moving files later, you can start genreq from this directory. To run genreq, do the following:

  • Start genreq, located in $ORACLE_HOME\OWS20\BIN on NT (typically c:\orant\ows20\bin) and $ORACLE_HOME/ows2/bin on UNIX:
  • Type G to begin creating a certificate request:
  • When prompted, type a password (minimum of 8 characters), used in encrypting your private key. Remember this password.
  • Retype the password for confirmation. If the password does not match, genreq will not warn you; it will just repeat step 3.
  • Choose the public exponent you want to use in generating the key pair. The only two recognized exponents are 3 and 65537, commonly called Fermat 4 or F4.
  • Enter the size in bits of the modulus you want to use in generating the key pair. For the version of genreq sold in the United States of America, the size may be from 1 to 2048. The default size is 768 bits and the maximum is 2048 bits. A modulus size of 2048 is recommended for most browsers and also by Digi-Sign. For versions of genreq sold outside the USA, the maximum (and default) modulus size is 512 bits. (NOTE: 2048 bits would be equal to a 256 bit encryption)
  • Choose one of three methods for generating a random seed to use in generating the key pair:
    • Random file: genreq prompts you to enter the full pathname of a file in your local file system. This can be any file that is at least 256 bytes in size, does not contain any secret information, and has contents that cannot easily be guessed (on UNIX, you can use /var/adm/messages, on NT you can use \WINNT\System32\config\AppEvent.Evt)
    • Random key sequences: genreq prompts you to enter random keystrokes. Genreq uses the variation in time between keystrokes to generate the seed. Do not use the keyboard's auto repeat capability, and do not wait longer than two seconds between keystrokes. Genreq prompts you when you have typed enough keystrokes. You must delete any unused characters typed after this prompt.
    • Both: genreq prompts you to enter both a file name and random keystrokes. This option is recommended.



    The next three steps will tell genreq where it should write certain files. If you have created an SSL directory and have started genreq from this directory, you can accept the defaults. Otherwise, you may want to include full pathnames, or plan to move the files that genreq created later.

  • Enter the name of a file in which to store your WebServer's distinguished name. You can choose the default, or enter any filename with a .der extension. Genreq creates this file in the current directory, though you may later move it to any convenient location.
  • Enter the name of a file in which to store your WebServer's private key. You can choose the default, or enter any filename with a .der extension. Genreq creates this file in the current directory, though you may later move it to any convenient location.
  • Enter the name of a file in which to store the certificate request. You can choose the default, or enter any filename with a .pkc extension.
  • Enter the requested identification information for your organization:
    • Common Name - The fully qualified host name of your organization's Internet point of presence as defined by the Domain Name Service (DNS). Example: www.yoursitename.com [14]
    • Organizational Unit (optional) - The name of the group, division, or other unit of your organization responsible for your Internet presence, or an informal or shortened name for your organization. Example: Marketing Department
    • Organization - The official, legal name of your company or organization. Most CAs [6] require you to verify this name by providing official documents, such as a business license. Example: My Company Inc.
    • Locality - (optional) The city, principality, or country where your organization is located. Example: Montreal
    • State or Province - The full name of the state or province where your organization is located. Digi-Sign does not accept abbreviations. Example: Quebec
    • Country - The two-character ISO-format abbreviation for the country where your organization is located. Example: the country code for Canada is CA
    • WebMaster's Name - The name of the Web Master responsible for the site. This person will serve as a technical contact. Example: Sergio Leunissen
    • WebMaster's Email Address - The email address where Digi-Sign can contact the Web Master. Example: sleuniss@yoursitename.com [15]
    • Server Software Version - The name and version number of the application for which you are getting the certificate (you should accept the default value).


Plesk Server Administrator 2.5

Instructions

A CSR is a file containing your certificate application information, including your Public Key. Generate your CSR and then copy and paste the CSR file into the web form in the enrollment process.

Important Notes on Certificates

  • In order to use SSL certificates for a given domain, the domain MUST be set-up for IP-Based hosting.

  • When an IP-based hosting account is created with SSL support, a default SSL certificate is uploaded automatically. However, this certificate will not be recognized by a browser as one that is signed by a certificate signing authority.

  • The default SSL certificate can be replaced by either a self-signed certificate or one signed by a recognized certificate-signing authority. The self-signed certificate is valid and secure, but many clients prefer to have a certificate signed by a known Certificate Signing Authority.

  • You can generate a certificate with the SSLeay utility and submit it to any valid certificate authority. This can be done using the CSR option within PSA.

  • If the given domain has the www prefix enabled, you must set-up your CSR or self-signed certificate with the www prefix included. If you do not, you will receive a warning message when trying to access the domain with the www prefix.

  • Remember to enter your certificate information in PEM format. PEM format means that the RSA Private Key text must be followed by the Certificate text.

  • All certificates are located in the ../vhosts/'domain name'/cert/httpsd.pem file. Where this directory reads "domain name", you must enter the domain name for which the certificate was created.



Generate a Self-signed Certificate or Certificate Signing Request

Access the domain management function by clicking on the Domains button at the top of the PSA interface. The Domain List page appears.

    1. Click the domain name that you want to work with. The Domain Administration page appears.

    2. If you have established an IP based hosting account with SSL support, the Certificate button will be enabled.

    3. Click the Certificate button. The SSL certificate setup page appears.

    4. The Certificate Information: section lists information needed for a certificate signing request, or a self-signed certificate. You must fill out these fields before generating your CSR or self-signed certificate.

    5. The Bits selection allows you to choose the level of encryption of your SSL certificate. Select the appropriate number from the drop down box next to Bits.

    6. To enter the information into the provided text input fields (State or Province, Locality, Organization Name and Organization Unit Name (optional)) click in the text boxes and enter the appropriate name.

    7. To enter the Domain Name for the certificate click in the text box next to Domain Name: and enter the appropriate domain.

    8. The domain name is a required field. This will be the only domain name that can be used to access the Control Panel without receiving a certificate warning in the browser. The expected format is www.domainname.com [16] or domainname.com.

    9. Click on the Request button.

    10. Selecting Request results in the sending of a certificate-signing request (CSR) to the email address you provided in the certificate fields discussed above. When a CSR (certificate signing request) is generated there are two different text sections, the RSA Private Key and the Certificate Request. Do not lose your RSA private key. You will need this during the certificate installation process. Losing it is likely to result in the need to purchase another certificate.

    11. Copy and paste the Certificate Request emailed to you into the InstantSSL web form where it requests a CSR (Certificate Signing Request).

    12. When you are satisfied that the SSL certificate has been generated or the SSL certificate

Plesk 5.0

Instructions

Follow these instructions to generate a CSR for your Web site. When you have completed this process, you will have a CSR ready to submit to your provider in order to be generated into a SSL Security Certificate.

Access the domain management function by clicking on the Domains button at the top of the PSA interface. The Domain List page appears.

    1. Click the domain name that you want to secure with SSL. The Domain Administration page then appears.

    2. If you have an IP based hosting account with SSL support, the Certificate button will be enabled. If you have a name based hosting account the Certificate button will be greyed out. You must have an IP based hosting account to continue.

    3. Click the Certificate button. The SSL certificate setup page appears.

    4. The Certificate Information: section asks for a number of fields to be completed to generate your CSR.



    5. The Bits selection allows you to choose the level of encryption of your SSL certificate. Select the appropriate number from the drop down box next to Bits.

    6. Enter your details into the State or Province, Locality, Organization Name and Organization Unit Name (optional) fields.

    7. Enter your domain name into the Domain Name: field.

    8. The domain name is a required field. This will be the only domain name that can be used to access the Control Panel without receiving a certificate warning in the browser. The expected format is www.domainname.com [16] or domainname.com

    9. Click on the Request button displayed to the right of your details.

    10. Plesk will now email your CSR to the email address provided when you signed up. You will see that the email contains two sections - the RSA Private Key and the Certificate Signing Request. Do not lose your RSA Private Key, you will need this later.

    11. Copy and paste the Certificate Request emailed to you into your SSL Provider's enrolment form where it requests a CSR (Certificate Signing Request).

    12. Click Up Level to return to the Domain Administration page.

Plesk 6.0

Instructions

Generating a certificate signing request

To generate a certificate signing request (CSR) follow these steps:

    1. At the Certificate repository page, click on the ADD button. The certificate creation page will open.

    2. Specify the certificate name.

    3. The Bits selection allows you to choose the level of encryption of your SSL certificate. Select the appropriate number from the drop-down list.

    4. Select a country from the drop-down list

    5. Specify the state or province, location (city).

    6. Enter the appropriate organization name and department/division in the field provided.

    7. Enter the Domain Name for which you wish to generate the certificate-signing request.

    8. Click the REQUEST button. A certificate-signing request will be generated and added to the repository. You will be able to add the other certificate parts later on.

NOTE: Do not lose your RSA Private Key, you will need this later.

Generating a CSR using an existing private key

In some cases you may have a certificate in the repository that has only the private key part, with the other parts missing for some reason. To generate a new Certificate Signing Request using the existing private key, follow these steps:

    1. At the certificate repository page, select from the list a certificate, which has the private key part only. You will be taken to the SSL certificate properties page.

    2. Click REQUEST.

Plesk 7.0

Instructions

Follow these instructions to generate a CSR for your Web site. When you have completed this process, you will have a CSR ready to submit to your provider in order to be generated into a SSL Security Certificate.

    1. Log in to the Plesk 7 Control Panel and select 'Domains' on the left hand menu.

    2. Click on the domain name that you wish to generate the CSR for.

    3. On the Certificate repository page click on the Add button.

    4. Specify a certificate name.

    5. Select the bit size from the drop-down list. 2048 is recommended.

    6. Select a country from the drop-down list.

    7. Specify the state or province, location (city).

    8. Enter the appropriate organization name and department in the field provided.

    9. Enter the Domain Name for which you wish to generate the certificate signing request.

    10. Click the Request button. A certificate signing request will be generated and added to the repository. When you return to the Certificates page, click on the certificate name that you just created in the list at the bottom of the page. Copy the content of the box labelled 'CSR'. It should look similar to the example below:

      -----BEGIN CERTIFICATE REQUEST-----
      MIIBSzCB9gIBADCBkDELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVRleGFzMQ4wDAYD
      ....
      HNX2uFXghrjBJw3mtZ36JhG7cLeWZK7B+4dmOL4f2ToreSW946wQMxK5ZYYOK68=
      -----END CERTIFICATE REQUEST-----

    11. Your CSR will now have been created. Copy and paste the contents into your SSL Provider's online enrolment form when requested.

Plesk 7.5

Instructions

Accessing the Domain SSL Certificates Repository

To access the Domain certificates repository page, click the Certificates icon at the Domain administration page. The certificates repository page will open displaying the list of available certificates:



The four icons preceding the certificate name in the list indicate which parts of a certificate are present. The icon displayed in the R column indicates that the Certificate Signing Request part is present in the certificate, the icon in the K column indicates that the private key is contained within the certificate, the icon in the C column indicates that the SSL certificate text part is present and the icon in the A column indicates that the CA [6] certificate part is present. The number in the Used column indicates the number of IP addresses the certificate is assigned to.

Adding a certificate to the repository

To add a certificate to the repository, click the Add Certificate icon at the Domain certificate repository page. The SSL certificate creation page will open. On this page you can generate a self-signed certificate, certificate-signing request, purchase a SSL certificate, and add the certificate parts to an existing certificate.

NOTE: When acquiring or generating new certificates, make sure that the values you enter into the fields 'domain name', 'email address', 'state or province', 'location', 'organization name', and 'department name' do not exceed the limit of 64 symbols.

Generating a Certificate Signing Request

To generate a certificate signing request (CSR) follow these steps:

    1. Specify the certificate name.

    2. The Bits selection allows you to choose the level of encryption of your SSL certificate. Select the appropriate number from the drop-down list.

    3. Select a country from the drop-down list.

    4. Specify the state or province, location (city).

    5. Enter the appropriate organization name and department/division in the field provided.

    6. Enter the Domain Name for which you wish to generate the certificate signing request.

    7. Specify the E-mail address.

    8. Click the Request button. A certificate-signing request will be generated and added to the repository. You will be able to add the other certificate parts later on.

Generating a CSR using an existing private key

In some cases you may have a certificate in the repository that has only the private key part, with the other parts missing for some reason. To generate a new Certificate Signing Request using the existing private key, follow these steps:

    1. At the certificate repository page, select from the list a certificate, which has the private key part only. You will be taken to the SSL certificate properties page.

    2. Click Request.


BEA Systems Weblogic

Instructions

Requesting a Private Key and Digital Certificate

You must submit your request in a particular format called a Certificate Signature Request (CSR). WebLogic Server includes a Certificate Request Generator servlet that creates a CSR. The Certificate Request Generator servlet collects information from you and generates a private key file and a certificate request file. You must then submit the CSR. Before you can use the Certificate Request Generator servlet, WebLogic Server must be installed and running.

Start the Certificate Request Generator servlet (certificate.war). The .war file is automatically installed when you start WebLogic Server. In a Web browser, enter the URL for the Certificate Request Generator servlet as follows:

https://hostname:port/Certificate [17]

Hostname is the DNS name of the machine running WebLogic Server. Port is the number of the port at which WebLogic Server listens for SSL connections.

For example, if WebLogic Server is running on a machine named 'server' and is configured to listen for SSL communications at the default port 7002, enter the following URL in your Web browser to run the Certificate Request Generator servlet:

https://server:7002/certificate [18]

The Certificate Request Generator servlet loads a form in your web browser. Complete the form displayed in your browser.

Click the Generate Request button. The Certificate Request Generator servlet displays messages informing you if any required fields are empty or if any fields contain invalid values. Click the Back button in your browser and correct any errors.

NOTE: Private Key Password. If you do not specify a password, you will get an unencrypted RSA private key. If you specify a password, you will get a PKCS-8 encrypted private key. When using PKCS-8 encrypted private keys, you need to enable the Use Encrypted Keys field on the SSL tab of the Server window in the Administration Console.

When all fields have been accepted, the Certificate Request Generator servlet generates the following files in the start-up directory of your WebLogic Server:

  • mydomain_com-key.der: The private key file. The name of this file should go into the Server Key File Name field on the SSL tab in the Administration Console.
  • mydomain_com-request.dem: The certificate request file, in binary format.
  • mydomain_com-request.pem: The CSR file that you submit... It contains the same data as the .dem file but is encoded in ASCII so that you can copy it into email or paste it into a Web form.
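
Before pasting a PEM request file such as mydomain_com-request.pem into the enrollment form, you can confirm that it verifies, that its key is larger than the 1024 bits this page says are no longer accepted, and that its Common Name is the exact FQDN. The script below is an added example, not code from Digi-Sign or BEA; it assumes the openssl command-line tool is installed. check_csr and make_sample_csr are hypothetical helper names, the 2048-bit default floor is an assumption, and secure.example.com is a constructed sample name.

```shell
#!/bin/sh
# Added example: pre-submission check of a PEM CSR with the openssl CLI.
# check_csr and make_sample_csr are hypothetical helper names; the 2048-bit
# default floor is an assumption based on the page rejecting 1024-bit keys.

# make_sample_csr DIR BITS CN: writes a constructed throwaway key and CSR
# (DIR/sample.key, DIR/sample.csr) so the check can be tried offline.
make_sample_csr() {
    openssl req -new -newkey "rsa:$2" -nodes -subj "/CN=$3" \
        -keyout "$1/sample.key" -out "$1/sample.csr" >/dev/null 2>&1
}

# check_csr FILE EXPECTED_CN [MIN_BITS]: returns 0 only if every check passes.
check_csr() {
    csr=$1; want_cn=$2; min_bits=${3:-2048}; rc=0

    # 1. A CSR is signed with its own private key. Match on the message text,
    #    because older openssl releases exit 0 even when verification fails.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "FAIL: self-signature does not verify (corrupt or altered CSR)"
        return 1
    fi

    # 2. Key size, printed as "RSA Public-Key: (N bit)" or "Public-Key: (N bit)".
    bits=$(openssl req -in "$csr" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL: key is ${bits:-unknown} bit, need at least $min_bits"
        rc=1
    fi

    # 3. Common Name must equal the exact host name the certificate is for.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p' | head -n 1)
    if [ "$cn" != "$want_cn" ]; then
        echo "FAIL: Common Name is '$cn', expected '$want_cn'"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $bits bit key, CN=$cn"
    return "$rc"
}

# Usage: check_csr mydomain_com-request.pem secure.example.com
```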

Website Pro 3.x

Instructions

A CSR is a file containing your certificate application information, including your Public Key. Generate your CSR and then copy and paste the CSR file into the web form in the enrollment process.

Generate keys and Certificate Signing Request:

  • Open Website Server Properties and select Key Ring

  • Select New Key Pair and follow the wizard:

  • Ensure all the details you enter are correct.
  • When you have completed the wizard, select Done. Do not select the box to choose a Certification Authority.

  • When enrolling for a Certificate, locate the CSR file and copy/paste the Certificate Request text into the CSR box. Complete the online enrolment process.


WS_FTP Server

Instructions

1. From WS_FTP Server, in the left pane, expand the FTP host and select SSL. The SSL Host Options appear in the right pane.

2. Click Certificate Management, then select the Certificate Creation tab.

3. Enter a name in the Certificate Set Name box. This will be the name of the certificate that is generated by WS_FTP Server.

4. Click the Browse (...) button in the Output Location box to select the folder you want the certificate created in.

5. Enter information in all of the Certificate Information boxes:

  • City/Town. City or town where you are located. (Ex. Augusta)
  • State/Province. State or Province where you are located. (Ex. Georgia)
  • Organization. Company or individual user name.
  • Common Name. This can be either the name of the person creating the certificate or the fully qualified domain name of the server associated with the host.
  • Pass Phrase. Pass phrase that is to be used to encrypt the private key. It is important to remember this pass phrase. The pass phrase can be any combination of words, symbols, spaces, or numbers.
  • Pass Phrase Confirmation. Re-enter the same pass phrase as above.
  • Country. The country you are in. This must be a valid two-letter country code. (Ex. US)
  • Email. E-mail address of the person the certificate belongs to.
  • Unit. Name of organizational unit. (Ex. Research and Development)


6. After all of the boxes are filled in correctly, click Create to generate the keys, certificate, and certificate-signing request. If any of the boxes are not filled in, you cannot create the certificate.

Zeus

Log in to the web server

  • Select SSL certificates

  • Against Creating a Certificate Set select Create

  • Select Buy a Certificate From Another Certifying Authority, then click OK

  • Complete the fields with your specific information, then click OK

  • Copy the Certificate Signing Request (CSR) text into a text editor for later use when requesting your certificate

Source URL: http://www2.digi-sign.com/support/digi-ssl/generate%20csr

Links:
[1] http://www2.digi-sign.com/about/announcements/2048
[2] http://www2.digi-sign.com/digi-ssl
[3] http://www2.digi-sign.com/en/node/add/forum/11
[4] http://www.sun.com/hardware/serverappliances/documentation/manuals.html
[5] http://www.digi-sign.com
[6] http://www2.digi-sign.com/certificate+authority
[7] http://www.company.com
[8] http://www2.digi-sign.com/support/digi-ssl/Microsoft+iis+5+iis+6
[9] http://www2.digi-sign.com/http
[10] http://www.digi-sign.com/product/digi-ssl/
[11] http://www2.digi-sign.com/digi-ca
[12] http://www.yourdomain.com
[13] http://www2.digi-sign.com/digital+certificate
[14] http://www.yoursitename.com
[15] mailto:sleuniss@yoursitename.com
[16] http://www.domainname.com
[17] https://hostname:port/Certificate
[18] https://server:7002/certificate