Digi-Sign, The Certificate Corporation
Published on Digi-Sign, The Certificate Corporation (http://www2.digi-sign.com)

By Digi-Sign
Created Feb 18 2008 - 14:38

Stronghold Server

Important Note:

Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024-bit key. This is because NIST, PKIX, WebTrust and other relevant security standards no longer consider the 1024-bit key size secure. Read more > [1]

Instructions

NOTE: Keys and certificates are managed through three scripts: genkey, getca and genreq. These are part of the normal Stronghold distribution. Keys and certificates are stored in the directory $SSLTOP/private/, where SSLTOP is typically /usr/local/ssl.

To generate a key pair and CSR for your server:

  • Run genkey, specifying the name of the host or virtual host: genkey hostname. The genkey script displays the filenames and locations of the key file and CSR file it will generate:
    • Key file: /usr/local/www/sslhostname.key
    • CSR file: /usr/local/www/sslhostname.cert

    NOTE: If you already have a key for your server, run genreq [servername] to generate only the CSR.

  • Press Enter. The genkey script reminds you to be sure you are not overwriting an existing key pair and certificate.
  • When prompted, enter a key size in bits. It is recommended that you use the largest key size available: 2048.
  • When prompted, enter random keystrokes. Stop when the counter reaches zero and genkey beeps. This random data is used to create a unique public and private key pair.
  • When prompted, enter 'y' to create the key pair and CSR.
    • For your CA [2] select 'Other'.
    • Enter the two-letter country code for your country. You must use the correct ISO country code; other abbreviations will not be recognized. For example, the correct code for the United Kingdom is GB, not UK.
    • Enter the full name of your state or province. Do not abbreviate.
    • Enter the name of your city, town, or other locality.
    • Enter the name of your organization.
    • Enter the name of your unit within the specified organization.
    • Enter your web site's fully qualified name, for example www.company.com [3]. This is also known as your site's common name.
    • When you have finished entering the CSR data, genkey automatically creates the CSR.

Back up your key file and CSR on a floppy disk and store the disk in a secure location. If you lose your private key or forget the password, you will not be able to install your certificate.
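
A pre-submission check for the key-size rule in the Important Note, as an added example that is not part of the original Digi-Sign instructions or the Stronghold scripts: it reads the RSA modulus size out of a PKCS#10 CSR with a small DER walker and applies the 2048-bit minimum. It assumes the CSR file is PEM-encoded; the function names and the unsigned sample CSRs built by sample_csr are constructed for illustration.

```python
import base64
MIN_BITS = 2048  # cut-off from the Important Note: 1024-bit CSRs are refused
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1, rsaEncryption

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into its member values."""
    out, pos = [], 0
    while pos < len(value):
        _, val, pos = read_tlv(value, pos)
        out.append(val)
    return out

def csr_rsa_bits(pem):
    """Return the RSA modulus size in bits of a PEM-encoded PKCS#10 CSR."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    info = children(children(read_tlv(base64.b64decode(body))[1])[0])
    alg, key_bits = children(info[2])  # info = version, subject, SPKI, attributes
    if children(alg)[0] != RSA_OID:
        raise ValueError("not an RSA key")
    modulus = children(read_tlv(key_bits[1:])[1])[0]  # skip unused-bits octet
    return int.from_bytes(modulus, "big").bit_length()

def acceptable(pem):
    return csr_rsa_bits(pem) >= MIN_BITS

def tlv(tag, body):
    """DER-encode one element; used only to build the constructed samples."""
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + body

def sample_csr(bits):
    """Constructed, unsigned CSR skeleton with a dummy modulus of `bits` bits."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    rsa = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + rsa))
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + spki + tlv(0xA0, b""))
    der = tlv(0x30, info + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE REQUEST-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE REQUEST-----\n"
```

Calling acceptable() on the text of a CSR file returns False for a 1024-bit key and True for 2048 bits or more; the check reads only the public key and does not verify the CSR's signature.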

Source URL: http://www2.digi-sign.com/support/digi-ssl/c2net

Links:
[1] http://www2.digi-sign.com/about/announcements/2048
[2] http://www2.digi-sign.com/certificate+authority
[3] http://www.company.com