Generating CSRs for SSL Certificates

To obtain an SSL certificate, you first need to generate a Certificate Signing Request. This request include the common name and contact information. This is presented to a certificated authority who isues the SSL Certificate.

The Common Name

NOTE: When asked for your Common Name, enter the exact FQDN (fully qualified domain name) of the server you want to secure (i.e. "www.example.com" or "secure.example.com"). The prompt on some standard SSL distributions asks for "YOUR name", this is the Common Name

Throughout this document we use "www.example.com" and "secure.example.com". Any place you see either of these host names you should expect to enter the FQDN of the the server you are creating the CSR for. Providing the wrong Common Name is the single most common cause of problems.

Generate CSR for Apache-SSL

Step 1. Go to your SSL directory

	# cd /usr/local/ssl/private

Step 2. Generate a private key 

	# openssl genrsa -des3 1024 > secure.example.com.key

Now PLEASE backup your secure.example.com.key and make a note of the passphrase.

Step 3. Go to your certs directory

# cd /usr/local/ssl/certs

Step 4. Generate a CSR from your key

# openssl req -new -key ../private/secure.example.com.key > secure.example.com.csr

Raven SSL

Please make sure that you backup the private key once it has been generated. Your certificate will not work without that private key.

For users of Raven 1.2, the certificate generation process is invoked with the following command typed at a shell prompt. 

# ./ravenctl -cert

The process first prompts for the name of the certificate. Please enter the server name you wish to generate for. 

Name of the server you are issuing certificate for? --> secure.example.com

##############################################
The key name chosen is secure.example.com.key.
The certificate name is secure.example.com.cert.
The key/certificate pairs will be stored in /usr/local/ssl.
##############################################

You are about to generate a new key and key request. The key request will be sent to the email address of your choice and the keyfile will reside in /usr/local/ssl/private/secure.example.com.key.

Choose the size of your key. Smaller key sizes provide faster server response but will provide diminished security. Keys sizes less than 512 bits are easily cracked. For high security applications you will probably want a key sized not less than 1024 bits.

The process first prompts for the name of the certificate. Input your choice of key size at the prompt. 

Number of bits in key (384 minimum, 1024 maximum)? -->  512

Generating random data
 ................................

Choose a pass phrase that is secure. Don't forget this password. 

Enter PEM pass phrase: ...................
Verifying password - Enter PEM pass phrase: ...................

Key successfully generated.

You'll be prompted as to whether you will be sending the Certificate Request to a CA. Answer Yes to this and No to question regarding the ASN1-Kludge 

Would you like to send a Certificate Request to a CA? [Y/n]: -->  y
Does your CA need the ASN1-Kludge? (VeriSign) [y/N]: -->  n

Generating certificate request. This process will also create a temporary certificate for testing until you receive the certificate from your CA. Please enter the following information:

Using configuration from /usr/local/ssl/lib/ssleay.cnf

The pass phrase entered here is the phrase that you chose above. 

Enter PEM pass phrase: ...................

You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank.

Country Name (2 letter code) [US]: US
State or Province Name (full name) [State]: Your State
Locality Name (eg, city) [City]: Your Town
Organization Name (eg, company) [Organization]: Your Company name
Organizational Unit Name (eg, section) [Division]: IT Department

It is important that your Common Name matches the name that the server will identify itself as when serving requests. Enter that server name below. For example, if you will be pointing people at https://secure.example.com/ then your server name would be secure.example.com. If your server has a real name ("adonis") and an alias ("secure" or "www") and you will be pointing people at the alias, then make sure you give the alias here, otherwise the browser will claim that the site name does not match the certificate.

It is also important that you give your State name, City name and two-letter UPPER CASE country code. The Organizational Unit field is optional. 

Common Name (eg, YOUR name) [www.servername.com]: secure.example.com
Email Address [webmaster@servername.com]: webmaster@example.com

Using configuration from /usr/local/ssl/lib/ssleay.cnf

Certificate Request:

Data:

Version: 0 (0x0)
Subject: C=US, ST=NH, L=Your Town, O=Your Company Name
OU=IT Department, CN=secure.example.com/Email=webmaster@example.com

Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (512 bit)
        Modulus (512 bit):
            00:c0:34:7e:a5:02:f7:35:8e:42:7b:ce:69:e9:31:
            c0:4e:fd:d2:a7:6e:2f:ee:0b:09:84:00:b5:dc:49:
            3c:36:0b:82:74:7b:c8:65:3b:c4:85:b1:f8:71:86:
            78:71:39:7c:03:16:c0:2b:50:d4:f1:dd:2a:f2:ce:
            f3:68:35:d7:43
        Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
40:26:58:76:fe:a5:69:ab:fe:fd:f6:6e:0d:3b:f8:79:06:7e:
96:e3:1f:e0:44:12:c1:51:c6:58:f8:38:85:92:67:4e:99:ba:
3e:55:42:94:31:94:50:ba:96:19:4e:31:4a:d4:39:d6:91:12:
10:64:20:38:9c:df:df:ea:c8:72

Webmaster email:  webmaster@example.com

Webmaster phone:  +1.603.555.1212

Mailing the CSR to your personal email account will allow you to easily cut and paste the request into the submission form. Please enter that address below. 

Send CSR via Email to? -->  yourmail@example.com

Certificate request sent to yourmail@example.com.

SSLeay

These instructions assume that SSLeay is installed, and that you have the executable ssleay in your PATH. They also assume that you are using version 0.8.1 or later... ssleay version will tell you which version you are using. 

# which ssleay
# ssleay version

Generate your key:

ssleay genrsa -des3 1024 > secure.example.com.key

This command sequence will generate a private key and store it in the file secure.example.com.key. It will ask you for a pass phrase: use something secure and remember it.

Your certificate will be useless without the key.

If you don't want to protect your key with a pass phrase (only if you absolutely trust that server, and you make sure the permissions are carefully set so only you can read that key) you can leave out the -des3 option.

Generate your CSR:

ssleay req -new -key secure.example.com.key> secure.example.com.csr

This command sequence will prompt you for the attributes of your certificate.

Once completed, you will have a private key in secure.example.com.key and a CSR in secure.example.com.csr. Paste the CSR into our forms, and hold on to your key. You will need the key to operate your secure server when we issue your certificate.

Cobalt Raq and XTR

To generate the key and CSR for Cobalt Raq.

  1. Select Server Management > Security > SSL.

    The Certificate Information for Server Desktop screen appears along with its associated buttons

  2. To create a new self-signed certificate, click Create Self-Signed Certificateand configure the selections as follows:
    • City. The city in which the organization is located or registered.
    • State or Province. The state, province, or region in which the above city is located.
    • Country. Select the country in which the organization that will use this certificate is located or registered.
    • Organization. The official name of the organization owning this certificate.

      Note: In order to obtain a signed certificate from a certificate authority, the organization name and location must be verifiable with a local, regional, or national government or other official organization. In addition, the certificate authority must be able to verify that the person requesting the certificate is the owner or employee of the named organization.

    • Organization Unit. The division or unit of the organization that is using this certificate. This is optional, but may be useful if the person applying for a signed certificate is an employee of a subsidiary of a larger organization.
    • Contact Email. The email address to be contacted for information about this certificate.
    • Certificate Expiration Date. The date after which the certificate should no longer be considered valid by client software attempting to connect to this server.
  3. Click Create Signing Request to create a certificate signing request.
  4. After the fields are filled in, activate the Generate Self-Signed Certificate checkbox. This allows you to generate a self-signed certificate along with the signing request. The self-signed certificate can be used temporarily while you wait for the Certificate Authority to process your signing request. The certificate signing request can be submitted to a Certificate Authority to create a signed certificate that Web browsers can verify as authentic.
  5. Click Manage Certificate Authorities to add or remove secondary certificate authorities for this site. The Certificate Authority Management for Server Desktop screen appears.

    Note: Secondary certificate authorities are usually not needed, but certain authorities issue an extra certificate to be used for client authentication in addition to the usual server certificate that most certificate authorities issue.

  6. Configure the settings as follows:
    • Certificate Authority Name. Enter a unique name to identify this secondary certificate authority.
    • Select Certificate. Click Browse to select the file that contains the certificate authority's certificate. The certificate should be the only thing in the file.
  7. Click Import to import a signed certificate.
  8. Click Browse to select the text file containing the certificate to import.

    The certificate file must contain both the private key and certificate sections if you are transferring it from another server. If the certificate is from a certificate authority to which you submitted a certificate signing request generated by this server, only the certificate is necessary, but it is okay if a private key is included with the signed certificate.

  9. Click Export to download the current private key and certificate, so the certificate can be transferred to another server.

To generate the key and CSR for Cobalt XTR.

  • Enable SSL on a virtual site:
    1. Select the Server Management tab at the top. The "Virtual Site List" table appears.
    2. Click the green pencil icon next to the virtual site on which you want to enable SSL. The "User List" table appears.
    3. Select Site Settings > General on the left side.
    4. Click to enable the check box Enable SSL.
    5. Click Save Changes.

    The server appliance saves the configuration of the virtual site.

  • Generate a self-signed certificate

    Once the Server Administrator has enabled SSL, the Site Administrator must now create a self-signed certificate. The self-signed certificate can be signed later by an external authority.

    1. Under the Site Management (<sitename>) tab, select Site Settings > SSL on the left side. The "Certificate Subject Information" table appears.
    2. Enter the following information:
      • Country - Enter the two-letter country code (for example, AU for Australia or US for United States).
      • State - Enter the name of the state (for example, New South Wales or California).
      • Locality - Enter the city or locality (for example, Sydney or Toronto).
      • Organization - Enter the name of the organization (for example, The Widgets Corporation).
      • Organizational Unit - As an option, enter the name of a department (for example, Hardware Engineering).
    3. Select Generate self-signed certificate from the pull-down menu at the bottom.
    4. Click Save Changes.

    The server appliance processes the information and regenerates the screen with the new self-signed certificate in the Certificate Request and Certificate windows.

C2Net Stronghold Web Server

  1. Enter the Stronghold Configuration Manager.
  2. Select New Key Generation to create a new key file.
  3. Enter key size (either 512 or 1024 bits) and follow instructions for generating the random data. 1024 bits is the recommended key size.

    Note: The encryption key size (512 bit, 1024 bit) has nothing to do with the actual session key (128 bit, 40 bit)

  4. Enter the DN (Distinguished Name) Field information.

    The following characters can not be accepted: < > ~ ! @ # $ % ^ * / \ ( ) ? . &

    DN Field Explanation Example
    Country Name The two-letter ISO abbreviation for your country US = United States
    State or Province Name The state or province where your organization is located. Cannot be abbreviated. New Hampshire
    City or Locality The city where your organization is located. Manchester
    Organization The exact legal name of your organization. Do not abbreviate your organization name. My Great Company, Inc.
    Organizational Unit Optional for additional organizational information. Marketing
    Common Name The FQDN (fully qualified domain name) for your web server. You will get a certificate name check warning if this is not an exact match. secure.example.com
    SA E-mail Address The e-mail address for the Server Administrator (optional) admin@example.com
  5. The key pair will be generated and saved in the file: strongholdserverroot/private/hostname.key. 
    example: /usr/local/stronghold/private/secure.example.com.key
  6. Edit this file to extract the CSR data to paste into the form. This is the text beginning with "-----BEGIN NEW CERTIFICATE REQUEST-----" up to and including the text "-----END NEW CERTIFICATE REQUEST-----".

Note: See also C2Net's documentation on key generation and installation instructions for both STRONGHOLD 2.3 and STRONGHOLD 2.4.x .

IBM HTTP Server

  • Firstly a Key Database File(.kdb) using IKEYMAN needs to be generated. Please follow these steps:
    1. Open the IKEYMAN Utility (From Windows NT click Start -> Programs -> IBM HTTP Server -> Start Key Management Utility
    2. From the Menu Bar select "Key Database File"
    3. Click on NEW
    4. File Name= (The name you want to give the new Key Database file you are creating)
    5. Location= (the location on the harddrive you wish to store the .kdb file)

      Note: On NT this is usually the /IBM Http Server/ssl directory

    6. After Saving the file to the location specified you will be prompted to enter a password

      Note: This is the password that will be used to open the .kdb file in IKEYMAN in the future

    7. Make sure to click the box that states "stash the password to a file?"

      Note: This will encrypt the password and save the file as a .sth file in the same directory as the .kdb file.

    8. Once you click OK, you are done.
  • Generating the CSR
    1. Open the Key Database File(.kdb) using the IKEYMAN utility
    2. In the middle of the IKEYMAN GUI you will see a section called "Key database content"
    3. Click on the "down arrow" to the right, to display a list of three choices
    4. Select "Personal Certificate Requests"
    5. Key Label= (The name you want to give the certificate to identify it in IKEYMAN)

      Note: Using the SiteName (ex. www.robo.com) as the label is a good practice

    6. Key Size= (1024 for 128bit, 512 for 56bit)
    7. Common Name= (SiteName, ex. www.robo.com)

      Note: This is the name that the GeoTrust will register, so it is important it matches the actual SiteName

    8. Organization= (Company Name)
    9. Enter the name of a file in which to store the certificate request

      Note: This is the file (.arm) that will contain your request. It is a simple text file that can be opened in any text editor. The information contained in this file is what GeoTrust needs you to provide us.

      *Saving this file(.arm) in the same directory as the (.kdb) file is recommended.

    10. Once you save the file (.arm) you are done with creating the request

More Info:

iPlanet 4.x

To activate the SSL protocol for your server, you will need to perform the procedures outlined in the following sections:

Create a New Server Instance

  1. Access the Enterprise Administration Server and choose the Servers tab.
  2. Click the Add Server link.
  3. Enter the desired information for the specified fields.

Create a Certificate Trust Database

A certificate database is a key-pair and certificate database installed on the local host. When you use an internal token, the certificate database is the database into which you install the key and certificate. In Enterprise Server 4.0, each server instance (including the Enterprise Administration Server) has its own certificate/key pair which is referred to as a trust database.

A key-pair file contains both the public and private keys used for SSL encryption. You use the key-pair file when you request and install a certificate. The key-pair file is stored encrypted in the following directory: 

server_root/alias/<alias>-key.db

When you create the key, you specify a password that you later use when you request the certificate and when you start a server that is using encrypted communications.

To create the certificate trust database, perform the following steps:

  1. Access the Enterprise Administration Server and choose the Security tab.
  2. Select the desired cryptographic module (the PKCS#11 cryptographic module is the default).
  3. Type the password in Database Password.
  4. Re-type the password in Password (again).
  5. Click OK.

If no database exists, Enterprise Server creates the proper key and certificate database files and stores them in the alias/ directory (otherwise, Enterprise Server displays an error message).

Requesting a Certificate

  1. Access the Enterprise Administration Server and choose the Security tab.
  2. Click the Request Certificate link.
  3. In the form that Enterprise Server displays, specify if this is a new certificate or a renewal.
  4. Perform the following steps to specify how you want to submit the request for the certificate:
    1. If the CA expects to receive the request in an email message, check CA Email and enter the email address of the CA. For a list of CAs, click List of available certificate authorities.
    2. If you are requesting the certificate from an internal CA that is using Netscape Certificate Server, click CA URL and enter the URL for the Certificate Server. This URL should point to the certificate servers' program that handles certificate requests. A sample URL might be: https://CA.mozilla.com:444/cms.
  5. From the drop-down list, select the cryptographic module for the key-pair file you want to use when requesting the certificate.
  6. Type the password for your key-pair file. This is the same password you specified when you created the trust database in Creating a Certificate Trust Database. The server uses the password to get your private key and encrypt a message to the CA. The server then sends both your public key and the encrypted message to the CA. The CA uses the public key to decrypt your message.
  7. Type your identification information. The information required is listed as follows:
    • Common Name must be the fully qualified hostname used in DNS lookups (for example, secure.example.com). This is the hostname in the URL that a browser uses to connect to your site. It's important that these two names are the same, otherwise a client is notified that the certificate name doesn't match the site name, which will make people doubt the authenticity of your certificate.
    • Organizational Unit is field that describes an organization within your company. This can also be used to note a less formal company name (without the Inc., Corp., and so on).
    • Locality is an field that usually describes the city, principality, or country for the organization.
    • State or Province is usually required, but can be optional for some CAs. Note that most CAs won't accept abbreviations, but check with them to be sure.
    • Country is a required, two-character abbreviation of your country name (in ISO format). The country code for the United States is US.

    All this information is combined as a series of attribute-value pairs called the distinguished name (DN), which uniquely identifies the subject of the certificate.

  8. Double-check your work to ensure accuracy. The more accurate the information, the faster your certificate is likely to be approved.
  9. Click OK once you've checked that the information is correct.

Installing and Managing Certificates

To install the issued Certificate, please refer to the following solution: vs26896

iPlanet 6.x

  1. Launch the Administration HTML interface: 
       Select Start > Programs > iPlanet Web Server > Administer Web Server
  2. Select the server instance you wish to administer by selecting the correct server name from the drop down list.
  3. Select Manage
  4. Select the Security tab
  5. Select Create Database from the menu options available in the left frame.
  6. Supply a password for your new Trust Database.
  7. Supply your password again for verification.

    It is very important that you remember this password. If you forget it you will not be able to gain access to your Private Key.

  8. Select 'OK' to continue
  9. Select 'OK' to complete Trust Database creation.
  10. Select 'Request a Certificate' from the menu options available in the left frame to generate your Certificate Signing Request.
  11. Select the 'New Certificate' radio button.
  12. Select the 'CA Email address' radio button, and supply your own email address in the space provided.
  13. Supply the password for your Key pair File in the space provided.
  14. Supply your name, telephone number, and email address in the spaces provided.
  15. Enter the distinguished name (DN) of your server, keeping the following example in mind:
    • "CN" - Common Name = secure.example.com (this is the URL of your website)
    • "O" - Organization = Company Name Pty Ltd
    • "OU" - Organizational Unit = Internet Department
    • "L" - Locality = Your Town
    • "St" - State/Province = Your State
    • "C" - Country/Region = US

    If the Web server name does not match the common name in the certificate, some browsers will refuse to establish a secure connection with your site. Do not specify the protocol (http://), any port numbers or pathnames in the Common Name (CN). Do not use wildcards such as * or ?.

  16. Select 'OK' once you have entered the necessary information.
  17. Copy the Certificate Signing Request (including the "-----BEGIN NEW CERTIFICATE REQUEST-----" and "-----END NEW CERTIFICATE REQUEST-----" lines) and paste into a text document for later retrieval.

You have successfully created your Private Key and Certificate Signing Request (CSR).

Lotus Domino Go server

  • Go the the "Create Keys" link on the Admin page under "Security".
  • Choose "Other" as your CA.
  • On the next page, DO NOT GIVE A POSTAL CODE.
  • Specify your country as the two-letter code in UPPER CASE.
  • Give your full state name if you are in the USA. Don't mail the certificate request to the CA, you are going to save it to a file instead.
  • Make a note where you saved it (the default is C:\WWW\Bin\CertReq.txt). That file is what you paste into our forms - it is your CSR.

Ensim server

Open the Apache web server manager

  1. Select SSL settings
  2. At the bottom of the form select Generate
  3. Enter the CSR information

    When creating a CSR you must follow these convention. Ente rthe inforamtion to be displayed in the certificate. The following characters cannot be accepted: < > ~ ! @ # $ % ^ * / \ ( ) ? . , &

    • Common Name - the FQDN of your server (secure.example.com)
    • Organization - your company name (Your Company, Inc.)
    • Organization Unit - an optional internal unit name (IT Department)
    • City or Locality - your city (Manchester)
    • State or Province - your state (New Hampshire)
    • Country - the ISO two character code for your country (US)
  4. Click Save
  5. The SSL window will then display the certificate request in an encrypted format.
  6. Submit your CSR

Microsoft IIS 4.0

WARNING: Microsoft IIS 4.0 has serious issues with CSRs for SSL certificates. Please refer to the thawt article on SSL and IIS 4

  1. Create your key pair
    • Open the Microsoft Management Console (MMC) for IIS (available in the Windows NT 4.0 Option Pack > Microsoft Internet Information Server > Internet Service Manager.)
    • In the MMC, Expand the Internet Information Server folder and expand the computer name.
    • Open the properties window for the website the CSR is for. You can do this by right clicking on the website.
    • Open Directory Security Folder.
    • Go to the Secure Communications area of this Property Sheet.
    • Open Key Manager. Select WWW. Go to "Key", then select "Create New Key"
  2. Create the CSR
    • Select "Put the request in a file that you will send to an authority" and give you file a path and a name that you will remember.
    • Then click "Next"
  3. Enter a Password for the Private Key

    Note: if you forget this password you will not be able to install your certificate. This password is kept locally and we have nothing to do with it. If you forget it, we cannot tell you what it is and you will have to buy another certificate.

    If your server is 40 bit enabled, you will generate a 512 bit key only. 128 bit versions can generate up to 1024 bit keys. We suggest you select 1024 bit.

  4. Fill in the details that you want in the certificate
    • Organisation name
    • Organisation unit
    • The common name is the web address that the certificate will be securing (secure.example.com)
    • Then click "Next"

    Do not use any of the following characters in the CSR fields: [! @ # $ % ^ * ( ) ~ ? > < & / \ , . " ']

  5. Then choose your Country Code, enter your State and City and then click "Next"
  6. Enter your Name, email address and phone number and then click "Next"
  7. Finish the Key Generation process
    • Now you have created your CSR. You can now click "Finish" to complete the process.
  8. Commit Changes

    This is possibly the most important step in the process. Do not forget to Commit Changes before you exit.

    If you don't click on the YES button your private key will not be saved to the registry and the certificate you ultimately receive from us will not install and you will have to buy another one. Make very sure you Commit all changes.

Microsoft IIS 5.0

WARNING: Microsoft IIS 4.0 has serious issues with CSRs for SSL certificates. Please refer to the thawt article on SSL and IIS 5

Start the Key/CSR Generation Process

  1. Open the Internet Services Manager 
    Start > Programs > Administrative Tools
  2. Right-click on the Web site you would like to create the Key/CSR pair for.
  3. Select "Properties".
  4. Click the "Directory Security" tab.
  5. Under the "Secure Communications" section, click "Server Certificate".
  6. This will start the "Web Site Certificate Wizard". Click "Next".
  7. From the "Web Site Certificate Wizard", select the "Create a new Certificate" option.
  8. Select the "Prepare the request now, but send it later" option from the list.

    You will need to prepare the request now but will only submit the request (CSR) via our online request forms. We do not accept CSR's via email.

  9. Enter a name for the Certificate and select a bit length of the Key file.

    At this point you will decide what encryption strength your Private Key and CSR will be set at. It is advised to choose a 1024-bit key size and please note that you cannot have a bigger key size than 1024-bit, as browsers will not make a session with a bigger key size.

    Note: You will now create the Certificate Signing Request (CSR). This information will be displayed on your Certificate, and identifies the owner of the key to users. The CSR is only used to request the certificate. Certain characters must be excluded from your CSR fields, or your certificate may not work. Do not use any of the following characters: [! @ # $ % ^ * ( ) ~ ? > < & / \ , " ']

  10. Enter your Organization Information.
  11. Enter your Common Name

    The term "common name" is X.509 speak for the name that distinguishes the Certificate best, and ties it to your Organization. In the case of SSL Web Server Certificates, enter your exact host and domain name that you wish to secure. Example: If you wish to secure secure.example.com, then you will need to enter the exact host (secure) and domain name in this field. If you enter example.com then the Certificate issued to you will only work error free on that exact domain name. It will cause an error when you or your users access the domain name as secure.example.com

  12. Enter the geographical details of your Organization.
  13. Enter the file name for the certificate request (CSR) and the location of where you would like to save the file.
  14. The next page will display the summary of the Certificate you want to install.
  15. Click on 'Finish' to complete the "Web Server Certificate wizard".

Finish up and exit IIS Certificate Wizard

Backup your private key.

Netscape Commerce

  1. After you have installed Netscape Commerce server, start up the admin server and connect to it.
  2. Select the server you want to run in secure mode and you will be presented with a page entitled "Netscape Server Manager - Commerce Server".
  3. Under "Security Configuration" there is a link called "generate a key".
  4. Select it and follow the instructions. This creates your private key. Next, select "request a certificate" to generate a CSR.
  5. In the space where it asks for a Certificate authority enter your own email address.
  6. A copy of the CSR will be mailed to you by the server - you can keep this for future reference.

When you have completed the form, submit it. The resulting page gives you your CSR. It looks like this: 

-----BEGIN CERTIFICATE REQUEST-----
MIIBujCCASMCAQAwejELMAkGA1UEBhMCQ0ExEzARBgNVBAgTClRFc3QgU3RhdGUx
ETAPBgNVBAcTCENvbG9yYWR0MRswGQYDVQQKExJDYW5hZGlhbiBUZXN0IE9yZy4x
EjAQBgNVBAsTCU9VIE9mZmljZTESMBAGA1UEAxMJd3d3LmV4LmNhMIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQD5PIij2FNa+Zfk1OHtptspcSBkfkfZ3jFxYA6y
po3+YbQhO3PLTvNfQj9mhb0xWyvoNvL8Gnp1GUPgiw9GvRao603yHebgc2bioAKo
TkWTmW+C8+Ka42wMVrgcW32rNYmDnDWOSBWWR1L1j1YkQBK1nQnQzV3U/h0mr+AS
E/nV7wIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEAAAhxY1dcw6P8cDEDG4UiwB0D
OoQnFb3WYVl7d4+6lfOtKfuL/Ep0blLWXQoVpOICF3gfAF6wcAbeg5MtiWwTwvXR
tJ2jszsZbpOuIt0WU1+cCYivxuTi18CQNQrsrD4s2ZJytkzDTAcz1Nmiuh93eqYw
+kydUyRYlOMEIomNFIQ=
-----END CERTIFICATE REQUEST-----

Copy your CSR from that page, and save it for future reference.

O'Reilly Website Professional

  1. Open the Server Properties console
  2. Select KEY RING tab
  3. Click on NEW KEY PAIR to open the Certificate wizard, and then enter your web site information in the forms provided. You will also need to generate your Private Key and Request.
  4. Your new certificate request will be in a new .pern file or your Windows clipboard. copy the contents of this file from the "-----BEGIN CERTIFICATE REQUEST-----" up to and including the "-----END CERTIFICATE REQUEST-----"

    Note: Do not "click here to choose certificate authority".

4D Webstar Server Suite

Generate a Key Pair

Use the 4D WebSTAR Server Suite Key Generator application that comes with your 4D WebSTAR Server Suite/SSL server to generate a key file containing a public/private key pair for use with your secure server.

  1. Launch the Key Generator application by double clicking its icon.
  2. Enter a password to protect the use of your key pair. 4D WebSTAR Server Suite will ask for this password when you initially launch the server.

    Do not forget this password! You'll need it later to authorize 4D WebSTAR Server Suite to use your public/private key pair. We recommend that you write it down and store it in a safe place. If you lose the password, you will have to purchase a new Digital ID.

  3. Click the Create Key button to generate your public/private key pair.

    Generating a key can take a few minutes.

  4. The Public/Private Key file is stored in an encrypted file.

    The file must be named "Public/Private Key" and must be stored in the same folder as the 4D WebSTAR Server Suite server.

  5. If necessary, move the Public/Private Key file to the 4D WebSTAR Server Suite folder.

Generate a CSR

Use the Certificate Request application to enter the Certificate Signing Request information for your site. A Certificate Signing Request includes identifiers such as the name of your organization, department within the organization, and where the organization is located. It also includes the public key for your site.

Your Certificate Signing Request may be rejected if the information is not properly formatted. Be sure to closely follow the conventions outlined in the instructions. If any of the information is improperly formatted, you will be asked to correct it and send the request again.

The Certificate Signing Request process requires that you supply an email address and certain identifying information. All the fields except Organizational Unit are required.

  • Common Name (CN): the server's fully qualified host name (such as: secure.example.com)
  • Organization (O): legal, registered organization name
  • Organizational Unit (OU): optional department name
  • Locality (L): city the organization resides or is registered in
  • State or Province (ST): unabbreviated state/province name
  • Country (C): two-character country code

Follow these steps:

  1. Launch the Certificate Request application by double clicking its icon.
  2. Type the name of your Web site in the Common Name field, for example: secure.example.com

    Make sure that the Common Name you specify will be the actual domain name of your 4D WebSTAR Server - it will be encoded into the server certificate and cannot be changed later without purchasing a new certificate.

  3. Type the name of your organization in the Organization field, for example: Foo Corporation
  4. Type the name of the department or other organization unit in the Org Unit field (this is compulsory - the CSR will not be accepted without it), for example: Support
  5. Type the name of the city or town in which your organization is located in the Locality field, for example: San Jose
  6. Type the name of the state or province in which the organization is located in the State/Province field, for example: California
  7. Type a two-letter code for the country in which you are located in the Country Code field, for example: US
  8. Type the email address of the site's Webmaster in the email Address field, for example: webmaster@foo.com
  9. In the Phone Number field, type a phone number where GeoTrust can reach you. Type your fax number in the FAX Number field.

    The email Address, Phone Number, and FAX Number fields are not part of the certificate. They are used these fields to contact you if it finds a problem with the certificate request.

  10. Click Select Key File and select the Public/Private Key File you created.
  11. Enter the password required to access your public/private key pair (the password you entered when generating the key pair, as described in "Generate a Public/Private Key" on page 24).
  12. Click the Create button to generate your encrypted certificate request form.

    The application creates a file named "Certificate Request" and then quits.

See the 4D WebSTAR Server Suite Installation Guide for further information about installing and setting up your 4D WebSTAR Server.

Zeus Server

Zeus Server allows each of your virtual servers to have their own SSL certificates. This allows multiple secure sites to run on the same Zeus server. Each virtual server requires its own public and private certificates for secure communication. Secure certificates are added to a virtual server by clicking on the SSL Configuration link from the Edit Server page. The easiest way to configure SSL on your virtual server is to use the 'SSL Quick Setup' wizard. Click the 'SSL Quick Setup' button and fill in the form

You can configure your SSL server manually. You can use the certificate tool ($ZEUSHOME/admin/bin/cert) or an equivalent tool like openssl to generate the keys and certificates.

Generating a private key

# $ZEUSHOME/admin/bin/cert -new -type private -keysize 1024 -out private.key
Generating keys, this may take a few seconds
Your new private key has been written to 'private.key'

Generating a certificate request

# $ZEUSHOME/admin/bin/cert -new -type request -key private.key -out cert.csr
The following information is required to make up the certificate.
Optional fields can be left blank by entering a '.'
Country: GB
State/Province (optional outside US): .
Locality (town/city): Cambridge
Organisation: Zeus
Organisational Unit (optional): .
Common Name (full DNS name of the machine): secure.example.com
Your certificate request has been written to the file 'cert.csr'.

Generating a public certificate

# $ZEUSHOME/admin/bin/cert -new -type public -key private.key -out public.cert
The following information is required to make up the certificate.
Optional fields can be left blank by entering a '.'
Country: GB
State/Province (optional outside US): .
Locality (town/city): Cambridge
Organisation: Zeus
Organisational Unit (optional): .
Common Name (full DNS name of the machine): secure.example.com
Your new public certificate has been written to the file 'public.cert'.

Displaying the public certificate

# $ZEUSHOME/admin/bin/cert -in public.cert -text
X509 Certificate:
Certificate Info:
Version: 00
Serial Number: 00
Signature Algorithm: md5withRSAEncryption
Issuer:
C=UK, L=Cambridge, O=Zeus, CN=atlas
Validity:
Not Before: Mon, 15 May 2000 17:40:11 GMT
Not After: Tue, 15 May 2001 17:40:11 GMT
Subject:
C=GB, L=Cambridge, O=Zeus, CN=www.zeus.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryptionPublic Key:
Modulus:
c4:84:c7:63:36:e0:d4:52:fb:41:44:31:38:9b:91:5e:62:
....
Exponent:
01:00:01
Signature Algorithm:
md5withRSAEncryption
Signature:
29:eb:c2:62:73:b8:b7:82:94:33:1f:da:9b:83:39:8b:75:1c:47:f5:41: ....

Verifying Key/Certificate pairs

# $ZEUSHOME/admin/bin/cert -check -key private.key -in public.cert