Generating a CSR

In order to accept credit cards on your eCommerce site, you will need an SSL certificate to encrypt card data before it is transmitted to the eWAY® payment gateway. eWAY offers a range of the world’s most trusted certificates at heavily discounted prices, and detailed instructions for installing them.

  • 4D Webstar 4.x

    To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made. 
     

    Step 1: Generate a Key Pair

    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

    The utility "openssl" is used to generate the key and CSR. This utility comes with the OpenSSL package and is usually installed under /usr/local/ssl/bin. If you have installed them elsewhere you will need to adjust these instructions appropriately.
     
    Type the following command at the prompt for a non-encrypted key:

    openssl genrsa -out www.yourdomain-example.com.key 2048 
     
    For an encrypted key, use the command below (please note that the Windows version of OpenSSL is not compatible with password-protected keys):
     
    openssl genrsa -des3 -out www.yourdomain-example.com.key 2048


     
     
    This command generates a 2048-bit RSA private key and stores it in the file www.yourdomain-example.com.key.
     
    When prompted for a pass phrase: enter a secure password and remember it, as this pass phrase is what protects the private key. Both the private key and the certificate are required to enable SSL.
     
    NOTE: To bypass the pass phrase requirement, omit the -des3 option when generating the private key. If you leave the private key unprotected, Geotrust recommends access to the server be restricted so that only authorized server administrators can access or read the private key file.
     

    Step 2: Generate the CSR

    Type the following command at the prompt:
     
    openssl req -new -key www.yourdomain-example.com.key -out www.yourdomain-example.com.csr 


     
    This command will prompt for the following X.509 attributes of the certificate:


     
    Country Name: Use the two-letter code without punctuation for country, for example: AU or UK.
     
    State or Province: Spell out the state completely; do not abbreviate the state or province name, for example: Queensland
     
    Locality or City: The Locality field is the city or town name, for example: Perth. Do not abbreviate. For example: Saint Louis, not St. Louis
     
    Company: If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll. Example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
     
    Organizational Unit: This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request. To skip the OU field, press Enter on your keyboard.
     
    Common Name: The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com". For a wildcard certificate, the syntax should look like *.company.com
     
    Geotrust certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "secure.domain.com", because "secure.domain.com" is different from "domain.com".
     
    Please do not enter your email address, challenge password or an optional company name when generating the CSR.
     
    A public/private key pair has now been created. The private key (www.yourdomain-example.com.key) is stored locally on the server machine and is used for decryption. The public portion, in the form of a Certificate Signing Request (certrequest.csr), will be for certificate enrollment.
     
    To copy and paste the information into the enrollment form, open the file in a text editor such as Notepad or Vi and save it as a .txt file. Do not use Microsoft Word as it may insert extra hidden characters that will alter the contents of the CSR.
     
    Once the CSR has been created, proceed to Enrollment.
     

    Step 3: Backup your private key

    It is recommended to back up the .key file and store the corresponding pass phrase. A good choice is to create a copy of this file on a diskette or other removable media. While backing up the private key is not required, having a backup will be helpful in the event of server failure.
  • ApacheSSL

    To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made.

    Step 1: Generate a Key Pair

    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.

    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

    The utility "openssl" is used to generate the key and CSR. This utility comes with the OpenSSL package and is usually installed under /usr/local/ssl/bin. If you have installed them elsewhere you will need to adjust these instructions appropriately.
     
    Type the following command at the prompt for a non-encrypted key:

    openssl genrsa -out www.yourdomain-example.com.key 2048 
     
    For an encrypted key, use the command below (please note that the Windows version of OpenSSL is not compatible with password-protected keys):
     
    openssl genrsa -des3 -out www.yourdomain-example.com.key 2048


     
     
    This command generates a 2048 bit RSA private key and stores it in the file www.yourdomain-example.com.key.
     
    When prompted for a pass phrase: enter a secure password and remember it, as this pass phrase is what protects the private key. Both the private key and the certificate are required to enable SSL.
     
    NOTE: To bypass the pass phrase requirement, omit the -des3 option when generating the private key. If you leave the private key unprotected, it is recommended access to the server be restricted so that only authorized server administrators can access or read the private key file.
     

    Step 2: Generate the CSR

    Type the following command at the prompt:
     
    openssl req -new -key www.yourdomain-example.com.key -out www.yourdomain-example.com.csr 


     
    This command will prompt for the following X.509 attributes of the certificate:


     
    Country Name: Use the two-letter code without punctuation for country, for example: AU or UK.
     
    State or Province: Spell out the state completely; do not abbreviate the state or province name, for example: Tasmania
     
    Locality or City: The Locality field is the city or town name, for example: Sydney. Do not abbreviate. For example: Saint Louis, not St. Louis
     
    Company: If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll. Example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
     
    Organizational Unit: This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request. To skip the OU field, press Enter on your keyboard.
     
    Common Name: The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com". For a wildcard certificate, the syntax should look like *.company.com
     
    Certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "secure.domain.com", because "secure.domain.com" is different from "domain.com".
     
    Please do not enter your email address, challenge password or an optional company name when generating the CSR.
     
    A public/private key pair has now been created. The private key (www.yourdomain-example.com.key) is stored locally on the server machine and is used for decryption. The public portion, in the form of a Certificate Signing Request (certrequest.csr), will be for certificate enrollment.
     
    To copy and paste the information into the enrollment form, open the file in a text editor such as Notepad or Vi and save it as a .txt file. Do not use Microsoft Word as it may insert extra hidden characters that will alter the contents of the CSR.
     
    Once the CSR has been created, proceed to Enrollment.
     

    Step 3: Backup your private key

    It is recommended to back up the .key file and store the corresponding pass phrase. A good choice is to create a copy of this file on a diskette or other removable media. While backing up the private key is not required, having a backup will be helpful in the event of server failure.
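
The two OpenSSL procedures above (4D Webstar and ApacheSSL) end with a CSR that is pasted into an enrollment form. The script below is an added example, not part of the original instructions: it runs Steps 1 and 2 without prompts, then checks the CSR against the rules stated above (2048-bit key, exact Common Name, no e-mail address, challenge password or optional company name) and against the private key it must stay paired with. The function names, return codes and subject values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Function names, return codes and
# the subject values are illustrative assumptions.

# make_csr KEYFILE CSRFILE SUBJECT
# Steps 1 and 2 without prompts: -subj supplies the X.509 attributes that
# "openssl req -new" would otherwise ask for, so no e-mail address or
# challenge password can slip in.
make_csr() {
    # umask 077 keeps the unencrypted key readable by its owner only.
    ( umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$1" -out "$2" -subj "$3"
}

# check_csr KEYFILE CSRFILE EXPECTED_CN
# Returns 0 when the CSR is fit to submit, otherwise:
#   1 CSR damaged (self-signature fails)   2 CSR was not made from KEYFILE
#   3 key shorter than 2048 bits           4 Common Name is not EXPECTED_CN
#   5 e-mail address, challenge password or optional company name present
# An encrypted (-des3) key makes openssl ask for its pass phrase in check 2.
check_csr() {
    ck_key=$1 ck_csr=$2 ck_want=$3

    # 1. A CSR is signed with its own private key; hidden characters added by
    #    a word processor break either the PEM decoding or this signature.
    if ! openssl req -in "$ck_csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "CSR is damaged or is not a CSR"; return 1
    fi

    # 2. The public key in the CSR must be the public half of KEYFILE. After
    #    a key is regenerated, an old CSR (or certificate) no longer matches.
    ck_a=$(openssl req -in "$ck_csr" -noout -pubkey 2>/dev/null) || ck_a=
    ck_b=$(openssl pkey -in "$ck_key" -pubout 2>/dev/null) || ck_b=
    if [ -z "$ck_a" ] || [ "$ck_a" != "$ck_b" ]; then
        echo "CSR does not belong to $ck_key"; return 2
    fi

    # 3. Key length as recorded in the CSR itself.
    ck_bits=$(openssl req -in "$ck_csr" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ "${ck_bits:-0}" -lt 2048 ]; then
        echo "key is ${ck_bits:-0} bits, 2048 required"; return 3
    fi

    # 4. The certificate is only valid for the exact Common Name requested.
    ck_cn=$(openssl req -in "$ck_csr" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1)
    if [ "$ck_cn" != "$ck_want" ]; then
        echo "Common Name is '$ck_cn', expected '$ck_want'"; return 4
    fi

    # 5. Fields the instructions say to leave empty. unstructuredName is the
    #    attribute behind OpenSSL's "An optional company name" prompt.
    if openssl req -in "$ck_csr" -noout -text |
        grep -Eq 'emailAddress|challengePassword|unstructuredName'; then
        echo "CSR contains an e-mail address, challenge password or company name"
        return 5
    fi
    return 0
}

# Demo in a throw-away directory; the subject values are constructed.
demo_dir=$(mktemp -d)
demo_cn=www.yourdomain-example.com
make_csr "$demo_dir/$demo_cn.key" "$demo_dir/$demo_cn.csr" \
    "/C=AU/ST=New South Wales/L=Sydney/O=XYZ Corporation/CN=$demo_cn"
if check_csr "$demo_dir/$demo_cn.key" "$demo_dir/$demo_cn.csr" "$demo_cn"; then
    echo "CSR for $demo_cn is ready for enrollment"
fi
rm -rf "$demo_dir"
```

check_csr accepts any PEM-encoded CSR and key pair, so it can also be run on the backup copy of the .key file to confirm that the backup is the key the CSR was made from.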
  • BEA WebLogic 10

    To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match. You will have to request a new SSL Certificate and may be charged.
     

    Step 1: Create a Keystore and Private Key

    Note: The recommended key bit size is 2048-bit. All certificates that will expire after October, 2013 must have a 2048-bit key size.
     
    Use the keytool utility from Sun Microsystems to create the certificate keystore and private key.
     
    1. Run the following command to create the keystore and private key:

      keytool -genkey -alias <your_alias_name> -keyalg RSA -keystore <your_keystore_filename> -keysize 2048

      For example:



    2. Enter and re-enter a keystore password.  Tomcat uses a default password of changeit.  Hit Enter if you want to keep the default password. If you use a different password, you will need to specify a custom password in the server.xml configuration file.
       
    3. This command will prompt for the following X.509 attributes of the certificate:



      • First and last name (Common Name (CN)): Enter the domain of your website (i.e. www.myside.org) in the "first- and lastname" field. It looks like "www.company.com" or "company.com". For a wildcard certificate, the syntax should look like *.company.com
      • Organizational Unit (OU): This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request.
      • Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll.  Example: XY & Z Corporation would be XYZ Corporation  
      • Locality or City (L): The Locality field is the city or town name, for example: Mountain View. 
      • State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California 
      • Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA

        Note: Certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different from "domain.com".
         
    4. When prompted for the password for the private key alias, press Enter.  The key password is set to the same password used for the keystore from the previous step.  Make note of the private key and the keystore password. If lost they cannot be retrieved.

       
       

    Step 2: Generate a CSR

    1. Run the following command to generate the CSR:

      keytool -certreq -keyalg RSA -alias <your_alias_name> -file certreq.csr -keystore <your_keystore_filename>

      For example:



       
    2. Verify your CSR
       
    3. To copy and paste the file certreq.csr into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).  Make sure to include the "BEGIN CERTIFICATE REQUEST" and "END CERTIFICATE REQUEST" header and footer.

      The text file should look like this:

      -----BEGIN CERTIFICATE REQUEST-----

      [encoded data]

      -----END CERTIFICATE REQUEST-----

      Note: 
      When enrolling for your certificate, you will be prompted to select a server platform.  Please select Apache as the server platform to ensure that you receive the certificate in the correct format.
     
    Contact Information
     
    During the verification process, your organization may be contacted. Be sure to provide an email address, phone number, and fax number that will be checked and responded to quickly. These fields are not part of the certificate.
  • BEA WebLogic 6.0

    To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made.
     
    It is recommended that you contact the Weblogic vendor for additional information.

    Generate a Private Key and Certificate Signing Request

    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.
     
    1. Start the Certificate Request Generator servlet. The .war file for the servlet is located in the \wlserver6.0\config\mydomain\applications directory. The .war file is automatically installed when you start WebLogic Server.

    2. In a Web browser, enter the URL for the Certificate Request Generator servlet as follows: https://hostname:port/Certificate  
       
      The components of this URL are defined as follows:  
       
      hostname: The DNS name of the machine running WebLogic Server 
      port: The number of the port at which WebLogic Server listens for SSL connections. The default is 7002. 

    3. The Certificate Request Generator servlet loads a form in your web browser.

    4. Complete the form displayed in your browser

    This command will prompt for the following X.509 attributes of the certificate:
     
    Country Name: Use the two-letter code without punctuation for country, for example: AU or UK.
     
    State or Province: Spell out the state completely; do not abbreviate the state or province name, for example: Tasmania.
     
    Locality or City: The Locality field is the city or town name, for example: Sydney. 

    Company: If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll. 
    Example: XYZ Corporation.

    Organizational Unit: This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request.

    Common Name: The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com". For a wildcard certificate, the syntax should look like *.company.com
     
    Geotrust certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different from "domain.com".
     
    Please do not enter your email address, challenge password or an optional company name when generating the CSR.
    5. Click the Generate Request button.

    6. You have just created a key pair and a CSR.

    7. To copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).

  • BEA WebLogic 8.1

    To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made.
     
    BEA Weblogic 8.1 utilizes the Java keytool command line utility to create the CSR and install the SSL certificate. Geotrust recommends that you contact BEA directly for additional information.
     

    Step 1: Generate a Keystore and Private Key

    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.
     
    1. Create a certificate keystore and private key by executing the following keytool command:

      Note: The keytool utility is located in your JDK’s “bin” directory.
      Note: For Extended Validation certificates or a certificate with a validity period beyond December 31, 2013, the key bit length must be 2048; add the following to the command below: -keysize 2048

      keytool -genkey -alias <your_alias_name> -keyalg RSA -keystore <your_keystore_filename>

    2. Specify a password. The default value will be "changeit".
    For more information, view the Oracle Support Resources.
     

    Step 2: Generate a CSR

    1. The CSR is then created using the following command:
    keytool -certreq -keyalg RSA -alias <your_alias_name> -file certreq.csr -keystore <your_keystore_filename>
     
    Note: When generating a CSR, enter the domain of your website (i.e. www.myside.org) in the "first- and lastname" field.
    2. To copy and paste the file certreq.csr into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).
  • Cisco ACS 3.2

    To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made.

    NOTE: 
    A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.
     
     
    1. In the navigation bar, click System Configuration.
     
    2. Click ACS Certificate Setup.
     
    3. Click Generate Certificate Signing Request. CiscoSecure ACS displays the Generate new request table on the Generate Certificate Signing Request page. Fill out all of the requested fields.
     
    4. In the Certificate subject box, type the values required by the CA you will submit the CSR to. Cisco Secure ACS requires that one of the values be CN, such as CN=acs01primary. You can specify multiple values. To do so, separate the values with commas. For example:  
     
    CN=www.eway.com.au, O=eWAY, C=AU, S=Australian Capital Territory, L=Phillip.  
     
    Certificates require Common Name, Organization, Country, State, & Locality (City). An Organization Unit (OU) is optional.
     
    This command will prompt for the following X.509 attributes of the certificate:
     
    Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA. 

    State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: South Australia

    Locality or City (L): The Locality field is the city or town name, for example: Albury. 

    Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll.  Example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.

    Organizational Unit (OU): This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request. 

    Common Name (CN): The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com". For a wildcard certificate, the syntax should look like *.company.com
     
    Certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different from "domain.com".
     
    Please do not enter your email address, challenge password or an optional company name when generating the CSR.
     
    5. In the Private key file box, type the full directory path and name of the file in which the private key is saved, for example, c:privateKeyFile.pem.
     
    6. In the Private key password box, type the private key password that you would like to use. We do not have access to this password and cannot recover it.
     
    7. In the Retype private key password box, retype the private key password.
     
    8. In the Key length list, select the correct one.
     
    Note: For an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013 choose 2048 bits.
     
    9. From the Digest to sign with list, select SHA1.
     
    10. Click Submit. CiscoSecure ACS displays a CSR in the display area, on the right, under a banner that reads: Now your certificate signing request is ready. You can copy and paste it into any certification authority enrollment tool. You have just created a key pair and a CSR.
  • Cobalt Raq

    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

    1. Select Server Management > Security > SSL. The Certificate Information for Server Desktop screen appears along with its associated buttons

    2. To create a new self-signed certificate, click Create Self-Signed Certificate and configure the selections as follows:

    • City. The city in which the organization is located or registered. It is important that this information is correct and can be verified with a local, regional, or national government, or other official organization.

    • State or Province. The state, province, or region in which the above city is located. It is important that this information is correct and can be verified with a local, regional, or national government or other official organization.

    • Country. Select the country in which the organization that will use this certificate is located or registered. It is important that this information is correct and can be verified with a local, regional, or national government or other official organization.

    • Organization. The official name of the organization owning this certificate. In order to obtain a signed certificate from a certificate authority, the organization name and location must be verifiable with a local, regional, or national government or other official organization. In addition, the certificate authority must be able to verify that the person requesting the certificate is the owner or employee of the named organization.

    • Organization Unit. The division or unit of the organization that is using this certificate. This is optional, but may be useful if the person applying for a signed certificate is an employee of a subsidiary of a larger organization.

    • Contact Email. The email address to be contacted for information about this certificate.

    • Certificate Expiration Date. The date after which the certificate should no longer be considered valid by client software attempting to connect to this server.

    3. Click Create Signing Request to create a certificate signing request.

    Note: In some cases, the state and province information does not apply, depending on the country and how it is divided into different areas.

    4. After the fields are filled in, activate the Generate Self-Signed Certificate checkbox. This allows you to generate a self-signed certificate along with the signing request. The self-signed certificate can be used temporarily while you wait for the Certificate Authority to process your signing request. The certificate signing request can be submitted to a Certificate Authority to create a signed certificate that Web browsers can verify as authentic.

    5. Click Manage Certificate Authorities to add or remove secondary certificate authorities for this site. The Certificate Authority Management for Server Desktop screen appears. Note: Secondary certificate authorities are usually not needed, but certain authorities issue an extra certificate to be used for client authentication in addition to the usual server certificate that most certificate authorities issue.

    6. Configure the settings as follows:

    • Select Certificate. Click Browse to select the file that contains the certificate authority's certificate. The certificate should be the only thing in the file.

    7. Click Import to import a signed certificate

    8. Click Browse to select the text file containing the certificate to import.

    The certificate file must contain both the private key and certificate sections if you are transferring it from another server. If the certificate is from a certificate authority to which you submitted a certificate signing request generated by this server, only the certificate is necessary, but it is okay if a private key is included with the signed certificate.

    9. Click Export to download the current private key and certificate, so the certificate can be transferred to another server.

    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.

    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

    To generate the key and CSR for Cobalt XTR please follow the steps below:

    Enable SSL on a virtual site:

    1. Select the Server Management tab at the top. The "Virtual Site List" table appears.

    2. Click the green pencil icon next to the virtual site on which you want to enable SSL. The "User List" table appears.

    3. Select Site Settings > General on the left side.

    4. Click to enable the check box Enable SSL.

    5. Click Save Changes.

    The server appliance saves the configuration of the virtual site.

    Generate a self-signed certificate

    Once the Server Administrator has enabled SSL, the Site Administrator must now create a self-signed certificate. The self-signed certificate can be signed later by an external authority.

    1. Under the Site Management (<sitename>) tab, select Site Settings > SSL on the left side. The "Certificate Subject Information" table appears.

    2. Enter the following information:

    Country: Enter the two-letter country code (for example, AU for Australia or US for United States).

    State: Enter the name of the state (for example, New South Wales or California).

    Locality: Enter the city or locality (for example, Sydney or Toronto).

    Organization: Enter the name of the organization (for example, The Widgets Corporation).

    Organizational Unit: As an option, enter the name of a department (for example, Hardware Engineering).

    3. Select Generate self-signed certificate from the pull-down menu at the bottom.

    4. Click Save Changes.

    The server appliance processes the information and regenerates the screen with the new self-signed certificate in the Certificate Request and Certificate windows.

    Links to Cobalt Manuals can be found below:

    http://www.sun.com/hardware/serverappliances/

    http://www.sun.com/hardware/serverappliances/documentation/

  • Covalent Apache ERS 2.4

    To generate a CSR, you first need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made.
     
    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.
     

    Step 1: Generate a Private Key and Server Certificate

    1. Change to the /path/to/ssl1.5/bin directory.
     
    2. Start the Covalent SSL Certificate and Key Management Tool.
     
    3. For the graphical interface, execute: ./sslctl. For the text interface, execute: ./sslctl --textmode.  The main screen displays.
     
    4. Select Generate Certificate and Key.
     
    5. Enter the name of the server you want to certify.
     
    6. Select the size of your private key. It is recommended to use a key size of 2048 bits.
     
    7. Enter and confirm a pass phrase for your private key.
     
    8. Define and enter the information for your server certificate.  
     
    The server certificate is stored in the directory /path/to/ssl1.5/certs and is named yourserver.domain.cert (for example, www.covalent.net.cert).
     
    The key is stored in the directory /path/to/ssl1.5/keys and is named yourserver.domain.key (for example, www.covalent.net.key).
     
    This step will create the X.509 attributes of the certificate:
     
    Country Name (C): Use the two-letter code without punctuation for country, for example: UK or NZ. 

    State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: Western Australia

    Locality or City (L): The Locality field is the city or town name, for example: Berkeley. Do not abbreviate. For example: Saint Louis, not St. Louis.

    Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll. Example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.

    Organizational Unit (OU): This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request. 

    Common Name (CN): The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com".
     
    Geotrust certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different from "domain.com".
     
    Please do not enter your email address, challenge password or an optional company name when generating the CSR.
     
    9. Modify the Apache configuration file if necessary.  
     
    If you are securing the main server and using the included httpsd.conf, the file is configured correctly by default. No modifications are necessary. If you are securing an additional virtual host, you must include two containers for the secure site in the configuration file: 
     
    Include a virtual host for HTTP requests listening on port 80.
     
    Include an SSL virtual host for HTTPS requests listening on port 443. The HTTPS server must use an IP-based address and should include the SSLCertificateFile and SSLCertificateKeyFile directives. 
     
    10. Run the server with the key and temporary server certificate.  

    If your server is running, stop the server by executing:  /path/to/apache1.3/bin/covalent-faststart-ctl stop
     
    11. Start the server with Covalent SSL by executing: /path/to/apache1.3/bin/covalent-faststart-ctl startssl 
     
    During server start-up, you will be prompted to enter the pass phrase for the server certificate.
     
    12. Make a backup of your server certificate and private key.
     

    Step 2: Generate a CSR.

    1. Select Generate Certificate Signing Request from the Covalent SSL Certificate and Key Management Tool. You are prompted to select a server certificate to be signed. Select the certificate vendor.  
     
    2. Covalent SSL automatically generates the correct format CSR.
     
    3. Enter the pass phrase you used to encrypt the key that corresponds to this server certificate.
     
    4. Define and enter the information for your CSR.
     
    5. Select a directory and filename for the generated CSR, for example /root/cert-2507. Covalent SSL saves the CSR to the file you designated.
     
    6. Go to the enrollment and enter the information requested in the enrollment form.
  • Covalent Apache ERS v 3.0 and above

    To generate a CSR, you first need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match your private key. You will have to request a new SSL Certificate and may be charged.  
     
    eWAY recommends that you contact Covalent for additional information.
     

    Step 1: Generate a Key Pair

    Retail customers Note: The recommended key bit size is 2048-bit. All certificates that will expire after October, 2013 must have a 2048-bit key size.

    MPKI for SSL customers Note: The recommended key bit size is 2048-bit. All certificates that will expire after December, 2013 must have a 2048-bit key size.

    Use the utility “openssl” to generate the key and CSR. This utility comes with the OpenSSL package. You usually install it under /usr/local/ssl/bin. If it is installed elsewhere, adjust the directory used in these instructions.

    • Change directory to your SSL Key directory: cd /usr/local/ssl/private
    • Generate a Private key using the following command: openssl genrsa -des3 2048 > privatekeyfilename.key

    Note: For Extended Validation certificates the key bit length must be 2048.
     

    Step 2: Generate a CSR

    1. Change directory to your SSL Certificate directory: cd /usr/local/ssl/crt

    2. Generate a CSR using the following command:  
     
    openssl req -new -key ../private/privatekeyfilename.key > csrfilename.csr

    This step will create the X.509 attributes of the certificate:

    Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA. 

    State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California 

    Locality or City (L): The Locality field is the city or town name, for example: Berkeley. Do not abbreviate. For example: Saint Louis, not St. Louis.

    Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll. Example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.

    Organizational Unit (OU): This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request. 

    Common Name (CN): The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com". For wildcard certificate the syntax should look like *.company.com
     
    Note: Certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different from "domain.com".
     
    Please do not enter your email address, challenge password or an optional company name when generating the CSR.
     

    3. Verify your CSR

    4. Open the file in a text editor that does not add extra characters (Notepad or vi are recommended).

    5. Copy all of the text.

    6. Go to the enrollment and paste the information into the form when prompted for the CSR.
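
    Step 3 above says to verify the CSR but does not show how. The script below is an added example, not part of the original instructions: it checks that an RSA CSR is correctly self-signed, meets the 2048-bit minimum, matches the private key, and leaves blank the fields the page says to leave blank. The names check_csr, make_sample and MIN_RSA_BITS are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-submission checks for an RSA CSR created with openssl.
# check_csr, make_sample and MIN_RSA_BITS are hypothetical names.

MIN_RSA_BITS=${MIN_RSA_BITS:-2048}

# check_csr CSR_FILE KEY_FILE [PASSIN]
#   PASSIN is an openssl pass phrase source ("file:/path", "env:VAR"), needed
#   only for a key created with -des3. Without it an encrypted key fails the
#   match check instead of prompting on the terminal.
# Prints one line per check; returns 0 only when every check passes.
check_csr() {
    csr=$1; key=$2; passin=${3:-pass:}
    failed=0

    # 1. The request must parse and its self-signature must verify. The exit
    #    status of "req -verify" differs between OpenSSL releases, so match
    #    the "verify OK" message instead of trusting the status.
    if openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "PASS signature"
    else
        echo "FAIL signature: CSR is unreadable or its self-signature is invalid"
        return 1
    fi
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || text=

    # 2. Key length, read from the "Public-Key: (N bit)" line.
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -n "$bits" ] && [ "$bits" -ge "$MIN_RSA_BITS" ]; then
        echo "PASS keysize: $bits bits"
    else
        echo "FAIL keysize: ${bits:-unknown} bits, need at least $MIN_RSA_BITS"
        failed=1
    fi

    # 3. The CSR must carry the public half of KEY_FILE; otherwise the issued
    #    certificate will not match the key installed on the server.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || csr_pub=
    key_pub=$(openssl pkey -in "$key" -pubout -passin "$passin" 2>/dev/null) || key_pub=
    if [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]; then
        echo "PASS keymatch"
    else
        echo "FAIL keymatch: CSR was not made from this key (or key unreadable)"
        failed=1
    fi

    # 4. Email address, challenge password and optional company name
    #    (unstructuredName) are to be left blank when generating the CSR.
    if printf '%s\n' "$text" |
        grep -Eq 'emailAddress|challengePassword|unstructuredName'; then
        echo "FAIL blankfields: email, challenge password or company name present"
        failed=1
    else
        echo "PASS blankfields"
    fi

    return "$failed"
}

# make_sample DIR: writes a constructed, throwaway key and CSR (sample.key,
# sample.csr) for www.example.com so the checks can be tried offline.
make_sample() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
C = AU
ST = Victoria
L = Melbourne
O = Example Pty Ltd
CN = www.example.com
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -keyout "$1/sample.key" -out "$1/sample.csr" >/dev/null 2>&1
}

# Usage: sh check_csr.sh csrfilename.csr privatekeyfilename.key [PASSIN]
#        sh check_csr.sh --demo
case "${1:-}" in
    "") ;;
    --demo)
        demo_dir=$(mktemp -d) && make_sample "$demo_dir" &&
            check_csr "$demo_dir/sample.csr" "$demo_dir/sample.key"
        rm -rf "$demo_dir" ;;
    *) check_csr "$@" ;;
esac
```

    A "FAIL keymatch" result means the certificate issued from this CSR would not work with the key on the server, which is the mismatch the introduction to this section warns about.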

    Contact Information

    During the verification process, you may be contacted. Be sure to provide an email address, phone number, and fax number that will be checked and responded to quickly. These fields are not part of the certificate.

  • F5 Big-IP

    To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made.
    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.
     
    Create a new certificate request using the Configuration utility.
    To connect to the Configuration Utility: in a browser, enter the administrative IP address of the BIG-IP device:  https://<IP-Address>
    1. A Security Alert dialog box appears, click Yes
    2. The authentication dialog box appears
    3. Enter user name and password
    4. Click OK
    5. The Welcome screen opens.
    6. In the navigation pane, click Proxies Create SSL Certificate Request tab
    7. In the Key Information section, select a key length and key file name
    8. In the Certificate Information section, enter the following information 
      • Country Name (C): Use the two-letter code without punctuation for country, for example: UK or NZ. 
      • State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: Victoria
      • Locality or City (L): The Locality field is the city or town name, for example: Sydney. 
      • Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll. 
        Example: XYZ Corporation 
      • Organizational Unit (OU): This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request. 
      • Common Name (CN): The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com". For wildcard certificate the syntax should look like *.company.com

        Certificates can only be used on web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different from "domain.com". Please do not enter your email address, challenge password or an optional company name when generating the CSR.
         
    9. Click Generate Certificate Request
  • IBM HTTP Server

    To generate a CSR, you first need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made.

    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.
     

    Step 1: Generate a keypair

    Note: For Extended Validation certificates the key bit length must be 2048.

    Use the utility "openssl" to generate the key and CSR.

    1. This utility comes with the OpenSSL package. You usually install it under /usr/local/ssl/bin. (If you have installed openssl elsewhere you will need to adjust these instructions appropriately)

    2. Generate a private key using the following command:

        openssl genrsa -des3 2048 > csrname.key

    Note: To create a private key that is not encrypted with a passphrase, simply remove -des3 from the command
     

    Step 2: Generate a Certificate Signing Request (CSR)

    1. Change directory to your SSL Certificate directory: cd /usr/local/ssl/crt

    2. Generate a CSR using the following command: 
     
        openssl req -new -key ./csrname.key > csrname.csr

    You have just created a key pair and a CSR.

    3. To copy and paste the information into the enrollment form, open the file csrname.csr in a text editor that does not add extra characters (Notepad or vi are recommended).

    4. Paste the information into the enrollment form when prompted for the CSR.

    To generate the key and CSR for IBM through IKEYMAN please follow the instructions below:

    First, a Key Database File(.kdb) using IKEYMAN needs to be generated. Please follow these steps :

    1. Open the IKEYMAN Utility (From Windows NT click Start -> Programs -> IBM HTTP Server -> Start Key Management Utility)
    2. From the Menu Bar select "Key Database File"
    3. Click on NEW
    4. File Name= (The name of new Key Database file)
    5. Location= (The location on the harddrive where the .kdb file will be stored)
    6. After saving the file to the location specified, a password must be entered
    Note: This is the password that will be used to open the .kdb file in IKEYMAN in the future

    7. Make sure to click the box that states "Stash the password to a file?"
    Note: This will encrypt the password and save the file as a .sth file in the same directory as the .kdb file.
    8. Click OK

    Generating the CSR

    1. Open the Key Database File(.kdb) using the IKEYMAN utility
    2. In the middle of the IKEYMAN GUI, there will be a section called "Key database content"
    3. Click on the "down arrow" to the right, to display a list of three choices
    4. Select "Personal Certificate Requests"
    5. Key Label= (Name used to identify certificate in IKEYMAN)
    Note: Using the SiteName (ex. www.robo.com) as the label is a good practice

    6. Key Size= (2048)
    7. Common Name= (SiteName, eg. www.robo.com)
    8. Organization= (Company Name)
    9. Enter the name of a file in which to store the certificate request
    *Saving this file(.arm) in the same directory as the (.kdb) file is recommended.
    10. Once the (.arm) file is saved, this completes the CSR generation process

    For more information please refer to IBM technical support.

    For more information on IKEYMAN please refer to IBM server help.

  • IBM Websphere MQ

    To generate a CSR, you first need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made.

    eWAY recommends that you contact IBM for additional information.

    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.
     

    Step 1: Preparing your system to use the iKeyman utility.

    1. Start the iKeyman graphical user interface (GUI) using either the gsk7ikm command (UNIX) or the strmqikm command (Windows).  
      Note: To use the iKeyman GUI, be sure that your machine can run the X Windows system.  
    2. Be sure to set the following:
      • Set the DISPLAY environment variable. For example: export DISPLAY=mypc:0.
      • Ensure that the user's path contains /usr/bin.
      • Set the JAVA_HOME environment variable:

        1. AIX: export JAVA_HOME=/usr/mqm/ssl/jre
        2. HP-UX: export JAVA_HOME=/opt/mqm/ssl
        3. Linux: export JAVA_HOME=/opt/mqm/ssl/jre
        4. Solaris: export JAVA_HOME=/opt/mqm/ssl
     

    Step 2: Setting up a key repository.

    1. Open the iKeyman GUI, or use the UNIX or Windows command line to do one of the following:  
       
      Using the iKeyman GUI
      Choose New from the Key Database File menu. Click Key database type, and select CMS. Type values for File Name and Location, and set a password.
       
      Using iKeycmd (UNIX command line)
      Use these commands:   
      gsk7cmd -keydb -create -db filename -pw password -type cms -expire days -stash
       
      Using iKeycmd (Windows command line)
      Use these commands: 
      runmqckm -keydb -create -db filename -pw password -type cms -expire days -stash
      where:
      • -db filename is the fully qualified name of a CMS key database, with an extension .kdb.
      • -pw password is the password for the CMS key database, with an extension .cms.
      • -type cms is the type of database.
      • -expire days is the expiration time in days of the database password. The default is 60 days.
      • -stash tells iKeycmd to stash the key database password to a file.

    On Windows, the key database file (.kdb) is created with read permission for all user IDs, so it is not necessary to change permissions. On UNIX, .kdb and .sth files are created. Access permissions for the key database file are set to give access only to the user ID from which you used iKeyman or iKeycmd.

    2. If you are running UNIX, run chmod to give access to an MCA. For example:
      • chmod g+r /var/mqm/qmgrs/QM1/ssl/key.kdb
      • chmod g+r /var/mqm/qmgrs/QM1/ssl/key.sth
    3. If you are running a queue manager, change the key repository location. For example:
      • ALTER QMGR SSLKEYR ('/var/mqm/qmgrs/QM1/ssl/MyKey')

    Step 3: Generating a CSR.

    Using the iKeyman GUI

    1. Start the iKeyman graphical user interface (GUI) using either the gsk7ikm command (UNIX) or the strmqikm command (Windows).
    2. In the iKeyman GUI, choose Open from the Key Database File menu. Click Key database type, and select CMS.
    3. Click Browse to navigate to the directory containing the key database files.
    4. Select the appropriate key database file, for example key.kdb.
    5. Click Open.
    6. Type the key database password and click OK.
    7. Click New Certificate Request from the Create menu.
    8. Type the following in the Key Label field:
      • For a queue manager, ibmwebspheremq followed by the name of your queue manager (in lowercase). For example, for QM1, type ibmwebspheremqqm1.
      • For a WebSphere MQ client, ibmwebspheremq followed by your logon user ID (in lowercase). For example, ibmwebspheremqmyuserid.
    9. Type values for Common Name, Organization, Organizational Unit, City/Locality, State/Province and select a Country from the list.
    10. For Enter the name of a file in which to store the certificate request, either accept the default certreq.arm, or type a new pathname.
    11. Click OK. When the confirmation window displays, click OK again.
    12. The file you created contains the CSR. Submit the CSR to Geotrust.

    Using iKeycmd (command line interface)

    1. To generate a CSR in iKeycmd (using UNIX command line), use these commands:
      • gsk7cmd -certreq -create -db filename -pw password -label label -dn distinguished_name -size key_size -file filename

    To generate a CSR in iKeycmd (using Windows command line), use these commands:

      • runmqckm -certreq -create -db filename -pw password -label label -dn distinguished_name -size key_size -file filename

             where:

      • -db filename is the fully qualified name of a CMS key database, with an extension .kdb.
      • -pw password is the password for the CMS key database, with an extension .cms.
      • -label label is the key label attached to the certificate.
      • -dn distinguished_name is the X.500 distinguished name enclosed in double quotes. Note that only the CN, O, and C attributes are required, and that you can supply only one OU attribute.
      • -size key_size is the key size. We recommend that you make this value 2048 
      • -file filename is the filename for the certificate request.
    2. The file you created contains the CSR. Submit the CSR to eWAY.
  • IFactory Commerce Builder

    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

    1. Select the HTTP server that you want to be secure.

    2. Select the SSL tab on the main screen.

    3. The next thing you need to do is name the secure server with the following information:

    Common Name: usually www.registered domain name.com

    E-Mail address: i.e. webmaster@registered domain name.com

    Organization: Company Name

    Organizational Unit: i.e. Research & Development

    State or Province: i.e. California

    Country: i.e. US

    4. Next you must generate the certificate request. Select the certificate request button and you will be prompted to enter the following information:

    Organization

    Organizational Unit

    Common Name

    Locality - usually being the city

    State

    Country

    5. Select the generate button after all the above information is entered and the server will take a minute or so to generate the request. You will get back a confirmation screen informing you that the certificate has been generated.

    6. Select the view certificate information button and click on the certificate request tab and there will be a CSR in the text area below the tabs. Select the copy button so that the request can be pasted into the request form.

    You will now have a valid CSR which can be pasted into the certificate request form.

  • Infinite InterChange

    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

    To generate a CSR for Infinite InterChange follow the instructions below:

    Before you obtain a Certificate, you must generate a Certificate Signing Request (CSR) and a private encryption key. The SSL Module installation program prompts you to generate a server certificate after installing the SSL Module files.

    If you generated a server certificate during the installation, you also created a CSR and a private encryption key. Go to the Infinite InterChange or WebMail SSL subdirectory. This directory contains your private key and CSR. Copy the contents of the SERVER.CSR file into the appropriate field of the online certification request form.

    If you did not generate a server certificate during SSL Module installation, use the procedure that follows to generate a CSR:

    1. From the Configure menu, select System Services. The Configure System Services dialog box displays.

    2. From the list of system services, select SSL and use the Configure button. The SSL Module displays a dialog box explaining why you need an SSL server certificate and how to obtain a Certificate of Authority.

    3. Read all of the information on this dialog box and use the OK button. A Server Information dialog box displays.

    4. Enter the appropriate information for your Infinite InterChange or WebMail server in each field on the server information dialog box. (If you need more information on filling out any of the fields, press the Help button in that dialog.) The SSL Module includes this information in the server certificate that verifies your server's identity to remote clients.

    5. Use the Generate Server Certificate button. The SSL module generates a server certificate, CSR, and a private key.

    6. Use the OK button to exit the installation program.

    7. Go to the Infinite InterChange or WebMail SSL subdirectory. This directory contains your private key and CSR. Copy the contents of the SERVER.CSR file into the appropriate field of the online certification request form.

    Back up the contents of the SSL subdirectory to protect your CSR and private key.  

  • Innosoft PMDF-TLS

    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

    A utility is provided to generate a public key pair and a certificate request. Its output includes three files:

    * a file containing the private key, (for testing purposes you may call the file anything you like, but for live operation the file must be named server-priv.pem and stored in the PMDF table directory and it must be protected against world access---this is your private key!),

    * a certificate request file containing the public key,

    * and a self-signed certificate (which may be used while awaiting signing by a Certificate Authority of the certificate request) also containing the public key.

    To use the utility, on OpenVMS, issue the command:

    $ RUN PMDF_EXE:tls_certreq

    Or on UNIX, issue the command:

    % /pmdf/bin/tls_certreq

    Or on NT, issue the command:

    C:\> \pmdf\bin\tls_certreq

    If you wish to write live files to the PMDF table directory, make sure that you are privileged to write to the PMDF table directory before invoking the utility. Otherwise, if you are going to do testing writing test files to some other directory, the utility itself does not require that you be privileged.

    This utility invokes an interactive script that will prompt you for answers to a number of questions, including:

    How many bits of encryption you would like to use.¹

    The name of the file in which to store the private key part of the RSA key pair.

    Your e-mail address (as the person responsible for the certificate request).

    The two character ISO country code² for the country in which the PMDF system is located.

    The state or province in which the PMDF system is located.

    The city in which the PMDF system is located.

    The official name of your organization.

    Optional additional organization information.

    The name of the file in which to store the generated certificate request.

    The number of days for which you would like your temporary self-signed certificate to be valid.

    The name of the file in which to store the self-signed certificate. When prompted for information, if there is a default value available, it will be shown within square brackets. Some questions do not require answers and will be presented displaying (optional) if you can simply press RETURN to skip that question.

    A sample execution on OpenVMS of PMDF_EXE:tls_certreq is shown in the example below; execution is analogous on UNIX and NT, modulo only different file name syntax.

    Example 16-1 Sample execution of the tls_certreq utility on OpenVMS

  • Lotus Domino 5.0 - 8.0

    To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made.

    It is recommended that you contact the Domino vendor for additional information. 

    NOTE: A key length of 1024 bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.
     
    1. Launch the Domino Administration client.
     
    2. Select File-Open Server and select the Domino server you wish to administer
     
    3. Click the File tab
     
    4. Double click on Server Certificate Administration database (certsrv.nsf)
     
    5. From the administration panel, click System Databases and choose Open Domino Server Certificate Administration (CERTSRV.NSF) on the local machine.
     
    6. Click Create Key Ring.
     
    7. Enter a name for the key ring file in the "Key Ring File Name" field.
     
    8. Enter a password for the server key ring file in the "Key Ring Password" field.
     
    Note: Password is an alphanumeric set of characters that protects the key ring from unauthorized use. The password is case sensitive. You should specify at least 12 alphanumeric characters for the password.
     
    9. Specify the components of your server's distinguished name.
     
    10. Click Create Key Ring.
     
    11. After you read the information about the key ring file and distinguished server name, click OK.
     
    12. Click Create Certificate Request.
     
    13. If you want to log information about this request in the Server Certificate Administration application, select Yes in the "Log Certificate Request" field. Otherwise, select No.
     
    14. Click Create Certificate Request.
     
    15. Enter the password of the key ring file that you specified in step 4.
     
    You have just created a key pair and a CSR.
     
    16. To copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).
     
    17. Copy and paste the CSR into the enrollment pages on the request website.
  • Mac OS X 10.6 (snow leopard)

    To generate a Certificate Signing Request (CSR) file using Apple Mac OS X 10.6, snow leopard, perform the following steps:

    1. Launch the Server Admin tool and connect to the server where you want to install the certificate.
      1. Applications > Server > Server Admin
    2. Double click the server name in the SERVERS list.
    3. Enter the password, click Connect
    4. From the toolbar select Certificates
    5. Click + (add) button
    6. Select Create a Certificate Identity to open Certificate Assistant
      • Name: Your certificate name (e.g. www.verisign.com)
      • Identity Type: Self Signed Root
      • Certificate Type: SSL Server
      • Override the defaults by selecting the option “Let me override defaults”
    7. Click Continue
    8. Changes to the Serial Number or Validity Period are not required; click Continue
    9. Enter the Certificate Information:
      • Email Address - An email address of the responsible party for certificates
      • Common Name - The fully-qualified domain name for which you plan to use your certificate (e.g., "www.example.com").
      • Organization - The full legal name of your organization. The listed organization must be the legal registrant of the domain name in the certificate request.
      • Organizational Unit (Optional) - Enter the name of a business unit or group. If applicable, you may enter the DBA (doing business as) name in this field.
      • City (Locality) - Name of the city in which your organization is registered/located. Please spell out the name of the city. Note: Do not abbreviate.
      • State/Province - Name of state or province where your organization is located. Please enter the full name. Note: Do not abbreviate.
      • Country - The two-letter International Organization for Standardization (ISO) format country code for the country in which your organization is legally registered.
    10. Click Continue
    11. Key Pair Information:
      • Key Size: 2048 bits
      • Algorithm: RSA
    12. Click Continue
    13. Proceed through the following screens, accept the defaults for each of the following:

      1. Key Usage Extension
      2. Extended Key Usage Extension
      3. Basic Constraints Extension
      4. Subject Alternative Name Extension
    14. After the last screen, the Certificate Assistant will save the Certificate and quit. You will be returned to Server Admin, and the self signed certificate should be displayed in the Certificates pane.
    15. Select the new certificate.
    16. Below the certificate name, click the Action menu (looks like a gear) and choose Generate Certificate Signing Request (CSR).
    17. Click Save to save the CSR.
       

    For additional information please see the following Apple Support article:

    http://support.apple.com/kb/HT3976

  • Mac OS X Server

    To generate a CSR for Apple Mac OS X Server, perform the following steps:

    Note: Using the Server Admin utility to create certificate requests for new certificates and renewals is not recommended, as it can lead to issues when installing the new SSL certificate.

    To create a CSR for the SSL certificate enrollment or renewal, the administrator (root) password will be required, along with access to the server's command line - either via Terminal.app or SSH.

    Connect to your server and run the following three commands at the command line:

        cd /etc/httpd/
        sudo openssl req -new -newkey rsa:2048 -nodes -keyout ssl.key/private.key -out certreq.txt
        sudo chmod 640 ssl.key/private.key

    When the second command is run, the administrator password will be requested and a short wizard will run to specify the information that will appear in the SSL certificate - see below for details:

    • Country Name: The uppercase two-letter code for the country where your organization operates.
    • State or Province Name: The state in which your organization operates - must NOT be abbreviated.
    • Locality Name: The city or suburb where your organization is located - must NOT be abbreviated.
    • Organization Name: The full, legal entity name for your organization - must NOT be abbreviated.
    • Organizational Unit Name: The department of your organization that will be using the SSL certificate.
    • Common Name: The website address or FQDN that will be secured by the SSL certificate. For a wildcard certificate the syntax should look like *.company.com
    • Email Address: Leave blank.
    • A challenge password: Leave blank.
    • An optional company name: Leave blank.

    The new private key (private.key) and CSR (certreq.txt) files will be created. The third command prevents the private key from being world readable - the private key should be protected at all times to prevent compromise of the SSL certificate.

    During enrollment or renewal, you will need the contents of the certreq.txt file from the above openssl command; open the file in a text editor and copy the entire contents in to the enrollment form where requested.

  • Marimba

    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

    To generate a CSR for Marimba follow the instructions below:

    To request a certificate for a Marimba Transmitter, run Marimba's Certificate Manager Channel from a Marimba Tuner.

    The Certificate Manager provides a certificate request wizard to help with the request process.

    Click on the Request Button on the Certificate Manager GUI to start the wizard.

    The first window of the wizard contains a check box for ordering test certificates.

    Leave this box unchecked, and click the Next button to proceed with the ordering process.

    The instructions will lead you through the following steps:

    Step 1 - Digital ID information

    Enter the host name and company information for the Transmitter.

    Step 2 - Passwords

    Enter a password for storing your certificate on your local disk, then click the Next button.

    Step 3 - Key Generation

    Enter the 256 key strokes required to generate a key pair, then click the Next button.

    Step 4 - Choosing a Certificate Authority

    Select the Vendor enrollment entry in the drop down menu, then click the Next button.

  • Microsoft Exchange 2007

    To generate a CSR, use the Exchange Management Shell. To access the Exchange Management Shell perform the following steps: 

    Retail customers Note: The recommended key bit size is 2048-bit. All certificates that will expire after October, 2013 must have a 2048-bit key size.

    MPKI for SSL customers Note: The recommended key bit size is 2048-bit. All certificates that will expire after December, 2013 must have a 2048-bit key size.

    1. Click Start
       
    2. Click All Programs
       
    3. Click Microsoft Exchange Server 2007

    4. Click Exchange Management Shell

    5. From the Exchange Management Shell enter the following command:

      New-ExchangeCertificate -GenerateRequest -SubjectName "C=US, S=State, L=City, O=Organization, OU=Organizational Unit, CN=www.website.com" -privatekeyexportable:$true -keysize 2048 -Path c:\certificate_request.txt


      The CSR needs to contain the following attributes:

      Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.
      State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California.
      Locality or City (L): The Locality field is the city or town name, for example: Berkeley.
      Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll, for example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
      Organizational Unit (OU): This field is the name of the department or organization unit making the request.
      Common Name (CN): The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com". For a wildcard certificate the syntax should look like *.company.com
      Subject Alternative Names (SANs): During enrollment for the SSL certificate, SANs can be entered into the enrollment fields.

       
    6. Verify your CSR
       
    7. Proceed to enrollment.
            
  • Microsoft Exchange 2010

    To generate a CSR for Microsoft Exchange 2010, use the Exchange Certificate Wizard.  Please perform the following steps:

    1. Open the Exchange Management Console by going to Start > Programs > Microsoft Exchange 2010 > Exchange Management Console.
       
    2. Select Manage Databases
       
    3. Select Server Configuration in the left menu, and then New Exchange Certificate from the actions menu on the right.
       
    4. When prompted for a friendly name, enter a name by which you can easily remember and identify this certificate. This name is used for identification only and does not form part of the CSR.
       
    5. Under Domain Scope, leave the option to Enable wild card certificate unchecked and click Next.
      Note: If you are requesting a Wildcard Certificate, select this option, click Next, and proceed to Step 8.
       
    6. In the Exchange Configuration menu, select the services that will be secured, and enter the URLs used to connect to those services.  
       
    7. Click Next.
       
    8. In the Certificate Domains section, Exchange 2010 will provide a list of domains to include in your certificate request.  
      Note: eWAY enrollment pages will only recognize the URL that you Set as common name.  It is recommended that you delete / remove the other URLs in this list.  You will need to manually enter these URLs as Subject Alternative Names (SANs) when enrolling for the certificate (at Step 16).
       
    9. Click Next.
       
    10. In the Organization and Location section, please provide the following information:
       
      • Organization: If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll, for example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
      • Organizational unit: This field is the name of the department or organization unit making the request.
      • Country/region: Use the two-letter code without punctuation for country, for example: US or CA.
      • City/locality: The Locality field is the city or town name, for example: Berkeley.
      • State/province: Spell out the state completely; do not abbreviate the state or province name, for example: California.
    11. Click Next.
       
    12. Click Browse to save the CSR to your computer as a .req file, then click Save. 
       
    13. Click Next > New > Finish.
       
    14. You will now be able to open the CSR with Notepad. Copy everything from the first hyphen (-) of the BEGIN line right through to the last hyphen (-) of the END line into the online order form.
       
    15. Verify your CSR
       
    16. Proceed to Enrollment.
  • Microsoft IIS 5.0

    To generate a CSR, you will need to create a key pair for your server.
     
    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.
     
    Generate a Private Key Pair

    Note: 
    For Extended Validation certificates the key bit-length must be 2048.
     
    1. Open the Internet Services Manager. Click Start > All Programs > Administrative Tools > Internet Services Manager.
     
    2. Open the Properties window by right-clicking on the name of the Web site you wish to secure.

    3. Click the Directory Security tab.
     
    4. Click Server Certificate in the Secure communications section. If you have not used this option before the Edit button will not be active.

    5. Select Create a new certificate

    Note: If you are renewing an SSL certificate, select Renew the Current Certificate. This will generate a CSR based on the information of the certificate currently installed on the server.
     
    6. Select Prepare the request now, but send it later. GeoTrust only accepts CSRs through the enrollment process forms. We do not accept CSRs via email.

    7. Enter a Name for the certificate. Please note that this is not the Common Name of the certificate request.  Select the bit length of 2048 for the certificate.

    8. Provide the Organization and the Organizational Unit information and click Next.

    Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll, for example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.

    Organizational Unit (OU): This field is the name of the department or organization unit making the request.

    9. Provide the Common Name and click Next.

    Common Name (CN): The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com". For a wildcard certificate the syntax should look like *.company.com


    10. Provide the Geographical Information for your Organization and Click Next.

    Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.
    State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California.
    Locality or City (L): The Locality field is the city or town name.
     
    11. Provide a file name and location to save your CSR.  You will need this CSR in order to enroll for your SSL certificate.  Click Next.

    12. Confirm the CSR Summary Information.  Click Next > Finish.

     
    A CSR file has been generated.  To copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).

     

  • Microsoft IIS 6.0

    To generate a CSR, you will need to create a key pair for your server.
     
    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.
     

    1. Open the Internet Services Manager. Click Start > All Programs > Administrative Tools > Internet Services Manager.

    2. Open the Properties window by right-clicking on the name of the Web site you wish to secure.

    3. Click the Directory Security tab.
     
    4. Click Server Certificate in the Secure communications section. If you have not used this option before the Edit button will not be active.

    5. Select Create a new certificate

    Note: If you are renewing an SSL certificate, select Renew the Current Certificate. This will generate a CSR based on the information of the certificate currently installed on the server.
     
    6. Select Prepare the request now, but send it later. GeoTrust only accepts CSRs through the enrollment process forms. We do not accept CSRs via email.

    7. Enter a Name for the certificate. Please note that this is not the Common Name of the certificate request.  Select the bit length of 2048 for the certificate.

    8. Provide the Organization and the Organizational Unit information and click Next.

    Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll, for example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.

    Organizational Unit (OU): This field is the name of the department or organization unit making the request.

    9. Provide the Common Name and click Next.

    Common Name (CN): The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com". For a wildcard certificate the syntax should look like *.company.com

    10. Provide the Geographical Information for your Organization and Click Next.

    Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.
    State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California.
    Locality or City (L): The Locality field is the city or town name.
     
    11. Provide a file name and location to save your CSR.  You will need this CSR in order to enroll for your SSL certificate.  Click Next.

    12. Confirm the CSR Summary Information.  Click Next > Finish.

    A CSR file has been generated.  To copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).
  • Microsoft IIS 7.0

    To generate a CSR for Microsoft IIS 7.0, perform the following steps:
     
     
    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.
     
     
    1. Choose Start > Administrative Tools > Internet Information Services (IIS) Manager.

    2. In the IIS Manager, choose your server name

    3. In the Features pane (the middle pane), double-click the Server Certificates option located under the Security heading.

    4. To begin the process of requesting a new certificate, from the Actions pane, choose the Create Certificate Request option.

    5. The first screen of the wizard asks for details regarding the new site. The common name should match the fully-qualified domain name for the site. Otherwise, provide information about your site, making sure to spell out the name of your state and locality.

    6. Click Next to continue.

    7. The next screen of the wizard asks you to choose cryptography options. The default, Microsoft RSA SChannel Cryptographic Provider, is fine. Select a bit length of 2048.

    8. Click Next to continue.

    9. Provide a filename to which to save the certificate request. You will need the contents of this file in the enrollment, so make sure you know where to find it.

  • Netscape Commerce

    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

    1. After you have installed Netscape Commerce server, start up the admin server and connect to it.

    2. Select the server you want to run in secure mode and you will be presented with a page entitled "Netscape Server Manager - Commerce Server".

    3. Under "Security Configuration" there is a link called "generate a key".

    4. Select it and follow the instructions. This creates your private key. Next, select "request a certificate" to generate a CSR.

    5. In the space where it asks for a Certificate authority enter your own email address.

    6. A copy of the CSR will be mailed to you by the server - you can keep this for future reference.

    When you have completed the form, submit it. The resulting page gives you your CSR. It looks like this:

    -----BEGIN CERTIFICATE REQUEST-----
    MIIBujCCASMCAQAwejELMAkGA1UEBhMCQ0ExEzARBgNVBAgTClRFc3QgU3RhdGUx
    ETAPBgNVBAcTCENvbG9yYWR0MRswGQYDVQQKExJDYW5hZGlhbiBUZXN0IE9yZy4x
    EjAQBgNVBAsTCU9VIE9mZmljZTESMBAGA1UEAxMJd3d3LmV4LmNhMIGfMA0GCSqG
    SIb3DQEBAQUAA4GNADCBiQKBgQD5PIij2FNa+Zfk1OHtptspcSBkfkfZ3jFxYA6y
    po3+YbQhO3PLTvNfQj9mhb0xWyvoNvL8Gnp1GUPgiw9GvRao603yHebgc2bioAKo
    TkWTmW+C8+Ka42wMVrgcW32rNYmDnDWOSBWWR1L1j1YkQBK1nQnQzV3U/h0mr+AS
    E/nV7wIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEAAAhxY1dcw6P8cDEDG4UiwB0D
    OoQnFb3WYVl7d4+6lfOtKfuL/Ep0blLWXQoVpOICF3gfAF6wcAbeg5MtiWwTwvXR
    tJ2jszsZbpOuIt0WU1+cCYivxuTi18CQNQrsrD4s2ZJytkzDTAcz1Nmiuh93eqYw
    +kydUyRYlOMEIomNFIQ=
    -----END CERTIFICATE REQUEST-----

    Copy your CSR from that page, and save it for future reference.
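
    Before a request is pasted into the enrollment form, it can be checked against the rules this page repeats for each server: a 2048-bit key, a two-letter country code, unabbreviated state and locality, no shift-key symbols in the organization, and a host name or *.domain Common Name. The following is an added example, not part of the original page or any vendor tool; it uses only the Python standard library, and its function names and the abbreviation heuristic are assumptions. Run on the sample request above, it reports the 1024-bit key.

```python
import base64
import re

# Sample request shown on this page (Netscape Commerce section).
SAMPLE_CSR = """\
-----BEGIN CERTIFICATE REQUEST-----
MIIBujCCASMCAQAwejELMAkGA1UEBhMCQ0ExEzARBgNVBAgTClRFc3QgU3RhdGUx
ETAPBgNVBAcTCENvbG9yYWR0MRswGQYDVQQKExJDYW5hZGlhbiBUZXN0IE9yZy4x
EjAQBgNVBAsTCU9VIE9mZmljZTESMBAGA1UEAxMJd3d3LmV4LmNhMIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQD5PIij2FNa+Zfk1OHtptspcSBkfkfZ3jFxYA6y
po3+YbQhO3PLTvNfQj9mhb0xWyvoNvL8Gnp1GUPgiw9GvRao603yHebgc2bioAKo
TkWTmW+C8+Ka42wMVrgcW32rNYmDnDWOSBWWR1L1j1YkQBK1nQnQzV3U/h0mr+AS
E/nV7wIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEAAAhxY1dcw6P8cDEDG4UiwB0D
OoQnFb3WYVl7d4+6lfOtKfuL/Ep0blLWXQoVpOICF3gfAF6wcAbeg5MtiWwTwvXR
tJ2jszsZbpOuIt0WU1+cCYivxuTi18CQNQrsrD4s2ZJytkzDTAcz1Nmiuh93eqYw
+kydUyRYlOMEIomNFIQ=
-----END CERTIFICATE REQUEST-----
"""

# Subject attribute OIDs (DER content bytes) mapped to the labels this page uses.
ATTR_NAMES = {b"\x55\x04\x06": "C", b"\x55\x04\x08": "S", b"\x55\x04\x07": "L",
              b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x03": "CN"}
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption
SHIFT_SYMBOLS = r'[~!@#$%^&*()_+{}|:"<>?]'     # assumption: US keyboard layout
HOSTNAME = r"(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+"


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        items.append((tag, val))
    return items


def parse_csr(pem):
    """Return (subject dict, RSA key bits or None) for a PEM PKCS#10 request."""
    m = re.search(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.+?)-----END", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate request found")
    der = base64.b64decode("".join(m.group(1).split()))
    info = children(children(read_tlv(der, 0)[1])[0][1])  # CertificationRequestInfo
    subject = {}
    for _, rdn in children(info[1][1]):       # subject: SEQUENCE of SETs
        for _, pair in children(rdn):         # each SET holds SEQUENCE {OID, value}
            (_, oid), (vtag, val) = children(pair)[:2]
            codec = "utf-16-be" if vtag == 0x1E else "utf-8"  # 0x1E = BMPString
            subject[ATTR_NAMES.get(oid, oid.hex())] = val.decode(codec, "replace")
    (_, alg), (_, bitstring) = children(info[2][1])[:2]
    key_bits = None
    if children(alg)[0][1] == RSA_OID:
        # Skip the BIT STRING's unused-bits byte, then read RSAPublicKey {n, e}.
        modulus = children(children(bitstring[1:])[0][1])[0][1]
        key_bits = int.from_bytes(modulus, "big").bit_length()
    return subject, key_bits


def check_fields(subject, key_bits, min_bits=2048):
    """Apply the enrollment rules stated on this page; return a list of problems."""
    problems = []
    if key_bits is None:
        problems.append("public key is not RSA; key size not checked")
    elif key_bits < min_bits:
        problems.append(f"key is {key_bits}-bit; {min_bits}-bit or larger is required")
    if not re.fullmatch(r"[A-Z]{2}", subject.get("C", "")):
        problems.append("C must be an uppercase two-letter country code")
    for field in ("S", "L"):
        # Heuristic (assumption): two or three capitals, e.g. "CA", is an abbreviation.
        if re.fullmatch(r"[A-Z]{2,3}\.?", subject.get(field, "")):
            problems.append(f"{field} looks abbreviated; spell it out in full")
    if re.search(SHIFT_SYMBOLS, subject.get("O", "")):
        problems.append("O contains a symbol; spell it out or omit it")
    if not re.fullmatch(HOSTNAME, subject.get("CN", "")):
        problems.append("CN must look like www.company.com or *.company.com")
    return problems


def check_csr(pem):
    """Parse a PEM request and run check_fields on it."""
    return check_fields(*parse_csr(pem))


if __name__ == "__main__":
    for problem in check_csr(SAMPLE_CSR):
        print("PROBLEM:", problem)
```

    The parser also accepts the "NEW CERTIFICATE REQUEST" header that IIS writes; it does not verify the request's signature.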

  • Netscape Enterprise 3.x

    NOTE: A key length of 1024 bit is the default, but it is recommended to use a 2048 bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048 bit key length will need to be selected.

    Key generation under the Netscape Enterprise series of servers is accomplished as follows:

        * Generating a Key Pair and Certificate Signing Request Using Netscape Enterprise Server

        * Generating a key-pair file on Unix platforms

        * Generating a key-pair file on Windows NT platforms

        * Generate A Certificate Signing Request

        * Back up your Key Pair File

    Generating a Key Pair and Certificate Signing Request Using Netscape Enterprise Server 

    You will now use your Netscape Enterprise Server to create a key-pair file and a Certificate Signing Request.

    A key-pair file contains both the public and private keys used for SSL encryption. You use the key-pair file when you request and install a certificate. The key-pair file is stored encrypted in the directory <server_root>/alias/<alias>-key.db. When you create the key, you specify a password that you later use when you start a server that is using encrypted communications.

     Generating a key-pair file on Unix platforms

    From the Unix command line:

    1. Log in as root and change to the server root directory.
       
    2. Run the key-pair file generation program by changing to the directory bin/admin/admin/bin and typing ./sec-key.
       
    3. When prompted, type an alias for the new key-pair file. You might choose an alias that matches your server (for example, web or mail). The alias cannot contain spaces, but it can use symbols that your operating system allows in filenames (such as underscores). By default, the key-pair file is stored in <server_root>/alias/<alias>-key.db, where <alias> is the alias you typed. If you used the alias mail, your key-pair file would be <server_root>/alias/mail-key.db.
       
    4. A screen with a progress meter appears. Type any random keys at different speeds until the progress meter is full. The time between each of your keystrokes will be used to generate a random number for the unique key-pair file.
       
    5. When prompted, type a password of eight characters or more for your key-pair file. The password must have at least one non-alphabetical character (a number or punctuation mark). Make sure you memorize this password. The security of your server is only as good as the security of the key-pair file and its password.
       
    6. After you enable SSL for a server (either the administration server or another Netscape server), you must type the key-pair file password when you start the server.
       
    7. Retype the password and click OK. The file is created and stored.      

     Generating a key-pair file on Windows NT platforms

    From the Windows NT command prompt:

    1. Go to the <server root>/bin/admin/admin/bin directory.
       
    2. Run the sec-key.exe application. The key-pair file generation program appears.
       
    3. When prompted, type an alias for the new key-pair file. You might choose an alias that matches your server (for example, web or mail). The alias cannot contain spaces, but it can use symbols that your operating system allows in filenames (such as hyphens and underscores). By default, the key-pair file is stored in the directory C:/<server_root>/alias/<alias>-key.db where <alias> is the alias you typed. If you used the alias mail, your key-pair file would be C:/<server_root>/alias/mail-key.db.
       
    4. A screen with a progress meter appears. Move your mouse in random motions at random speeds. These random movements are used to generate a random number for the unique key-pair file.
       
    5. When prompted, type a password of eight characters or more for your key-pair file. The password must have at least one non-alphabetical character (a number or punctuation mark). Make sure you memorize this password. The security of your server is only as good as the security of the key-pair file and its password.
       
    6. After you turn on SSL for a server (either the administration server or another Netscape server), you must type the key-pair file password when you start the server.
       
    7. Retype the password and click OK. The file is created and stored.

     Generate a Certificate Signing Request

    After you generate the key-pair file, you must create a special file called a Certificate Signing Request.

    1. In the Server Administration page, choose Keys & Certificates|Request Certificate.
       
    2. In the form that appears, specify that this is a new certificate.
       
    3. Specify that you want to submit the request for the certificate via e-mail. Put YOUR OWN e-mail address in the space specified for the e-mail address of the CA.
       
    4. From the drop-down list, select the alias for the key-pair file you want to use when requesting the certificate.
       
    5. Type the password for your key-pair file.
       
    6. Type the information that will appear in your Digital ID. This should be as follows:

      • Common Name is the fully qualified hostname used in DNS lookups (for example, www.netscape.com). This is the hostname in the URL that a browser uses to connect to your site. It's important that these two names are the same, otherwise a client is notified that the certificate name doesn't match the site name, which will make people doubt the authenticity of your certificate. Please make sure that the common name ends in the domain name whose ownership you established in step 2. For a wildcard certificate the syntax should look like *.company.com
         
      • Email Address is your business email address. This is used for correspondence between you and the issuer.
         
      • Organization is the official, legal name of your company, educational institution, partnership, and so on. This should be the name of the company associated with the Dun & Bradstreet number you generated in step 6.
         
      • Organizational Unit is an optional field that describes an organization within your company. This can also be used to note a less formal company name (without the Inc., Corp., and so on).
         
      • Locality is an optional field that usually describes the city, principality, or country for the organization.
         
      • State or Province should be spelled out in full (e.g. use California instead of CA).
         
      • Country is a required, two-character abbreviation of your country name (in ISO format). The country code for the United States is US.
         
      • Double-check your work to ensure accuracy. The more accurate the information, the faster the approval and issue of your certificate
         
      • Click OK when the information is correct.
         
      • The server generates a certificate signing request that contains your information and your public key. This information is e-mailed to you.

     Back up your Key Pair File

    It is imperative that you back up your key pair file. Please save this information on a floppy disk, or other removable media, and store it in a secure place, such as a safe or safe-deposit box.

  • Netscape iPlanet Server

    To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match. You will have to request a new SSL Certificate and may be charged.

    It is recommended that you contact the iPlanet vendor for additional information. 

    Retail customers Note: The recommended key bit size is 2048-bit. All certificates that will expire after October, 2013 must have a 2048-bit key size.

    MPKI for SSL customers Note: The recommended key bit size is 2048-bit. All certificates that will expire after December, 2013 must have a 2048-bit key size.
     

    Step 1: Create a Key Database

    1. Select the server instance to manage and click Manage.
    2. Click Security
    3. Click Create Database
    4. Enter and confirm a password to protect this database.

     

    Step 2: Generate a CSR

    1. Click Request a Certificate
      1. Enter your email address as the CA Email address. VeriSign does not use this email for accepting certificates, so a copy will be emailed to you.
      2. Enter a key pair file password to protect your keys. This can be the same password as the key database.
      3. Fill out all of the CSR information, and click OK.

    This step will prompt for the following X.509 attributes of the certificate:

    Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA. 
    State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California 
    Locality or City (L): The Locality field is the city or town name, for example: Berkeley. 
    Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll. 
    Example: XYZ Corporation 
    Organizational Unit (OU): This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request. 
    Common Name (CN): The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com". For a wildcard certificate the syntax should look like *.company.com

    Certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different from "domain.com".

    1. The server will generate the CSR and display it on the page. To copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).
    2. Click Apply to commit the changes. You have just created a key pair and a CSR.
    3. Verify your CSR
    4. Go to Enrollment.

    Contact Information

    During the verification process, you may need to be contacted. Be sure to provide an email address, phone number, and fax number that will be checked and responded to quickly. These fields are not part of the certificate.

  • NetScreen Screen OS

    To generate a CSR, you will need to create a key pair for your server.
     
    Generating a Key Pair and CSR
     
    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.
     
    1. Open the WebUI.
     
    2. From the Options menu, click Configuration,  then Date/Time.
     
    3. From the Date/Time page, click Sync Clock with Client. Ensure that 'Automatically adjust clock for daylight savings changes' is selected.
     
    4. From the Options menu, click Network, then click DNS.
     
    5. Enter the Hostname of the device in the Hostname textbox. Enter the Domain name of the device in the Domain name textbox. These two together will become the Common Name.
     
    6. From the Options menu, click Objects, click Certificates, and then click New.
     
    7. Fill out all of the necessary fields and then click Generate.
     
    You have just created a key pair and a CSR.
     
    8. To copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).
     
    9. Copy and paste the CSR into the enrollment pages.
  • Nortel SSL Accelerator

    To generate a CSR, you will need to create a key pair for your server.
     
    Generate a Key Pair and Certificate Signing Request
     
    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.
     
    1. Click SSL > Certificates > Generate > Request.

    2. Select your newly created certificate identifier in the drop-down menu at the top.

    3. Fill out the fields, including the common name, organization and location information. Common Name: for a wildcard certificate the syntax should look like *.company.com

    4. Select the bit length.

    5. Click Update.

    6. Click Apply button on the top of the screen.

    7. To copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).

    8. Click Apply Changes.

    9. Copy and paste the CSR into the enrollment pages.

  • Oracle Wallet Manager

    Step 1: Create a new wallet for Oracle Wallet Manager

    Note to Retail customers: The recommended key bit size is 2048-bit. All certificates that will expire after October, 2013 must have a 2048-bit key size.

    Note to MPKI for SSL customers: The recommended key bit size is 2048-bit. All certificates that will expire after December, 2013 must have a 2048-bit key size.
     
    1. From the menu bar, select Wallet > New
    2. Enter the password twice > click OK
      Note: The password must contain eight alphanumeric characters and special characters
    3. Select Add a certificate request. If not, select Cancel, then select Wallet > Save in the system default to save the new wallet

     

    1. Select Operations > Add Certificate Request
    2. A dialog box will appear to enter your certificate information. Common Name: For a wildcard certificate the syntax should look like *.company.com
    3. Select OK

    Step 3: Export a Certificate Signing Request (CSR) as a file

    1. In the left panel, select the Certificate Signing Request you want to export
    2. From the menu bar, select Operations > Export Certificate Request
    3. Enter a file name and directory you want to save your file to > select OK
  • Oracle Web Server

    To generate a CSR on an Oracle Web Server, perform the following steps:

    NOTE: A key length of 1024-bit is the default, but Thawte recommends the use of a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

    In this first step you generate a request for the certificate issuer. It involves generating a public/private key-pair and identifying the server, the organization using it, and its webmaster. The private key is encrypted and should never leave your server, except for backup purposes.

    The public key will become part of the certificate and is therefore sent to the issuer, together with the rest of the information identifying your organization and your server.

    To generate a certificate request, you will run the interactive utility genreq and enter the information for which it prompts you.

    When the prompt specifies a default value, you can just press return to enter that value, or enter a different value if you prefer.

    For an example of how to use genreq, see the following sample genreq session. Before you start, create a directory to store all SSL related files in, for example $ORACLE_HOME/ows2/ssl. To avoid typing long path names or moving files later, you can start genreq from this directory.

    To run genreq, do the following:

    - Start genreq, located in $ORACLE_HOME\OWS20\BIN on NT (typically c:\orant\ows20\bin) and $ORACLE_HOME/ows2/bin on UNIX:

    - Type G to begin creating a certificate request:

    - When prompted, type a password (minimum of 8 characters), used in encrypting your private key. Remember this password.

    - Retype the password for confirmation. If the passwords do not match, genreq will not warn you; it will just repeat step 3.

    - Choose the public exponent you want to use in generating the key pair. The only two recognized exponents are 3 and 65537 (the latter commonly called Fermat 4 or F4).

    - Enter the size in bits of the modulus you want to use in generating the key pair. For the version of genreq sold in the United States of America, the size may be from 1 to 1024. The default size is 768 bits and the maximum is 1024 bits. A modulus size of 1024 is recommended for most browsers and also by Thawte. For versions of genreq sold outside the USA, the maximum (and default) modulus size is 512 bits. (NOTE: 1024 bits would be equal to a 128-bit encryption)

    - Choose one of three methods for generating a random seed to use in generating the key pair:

    - Random file: genreq prompts you to enter the full pathname of a file in your local file system. This can be any file that is at least 256 bytes in size, does not contain any secret information, and has contents that cannot easily be guessed (on UNIX, you can use /var/adm/messages, on NT you can use \WINNT\System32\config\AppEvent.Evt)

    - Random key sequences: genreq prompts you to enter random keystrokes. genreq uses the variation in time between keystrokes to generate the seed. Don't use the keyboard's autorepeat capability, and don't wait longer than two seconds between keystrokes. genreq prompts you when you have typed enough keystrokes. You must delete any unused characters typed after this prompt.

    - Both: genreq prompts you to enter both a file name and random keystrokes. This option is recommended.

    The next three steps will tell genreq where it should write certain files. If you've created an ssl directory and have started genreq from this directory, you can accept the defaults. Otherwise, you may want to include full pathnames, or plan to move the files that genreq created later.

    - Enter the name of a file in which to store your WebServer's distinguished name. You can choose the default, or enter any filename with a .der extension. genreq creates this file in the current directory, though you may later move it to any convenient location.

    - Enter the name of a file in which to store your WebServer's private key. You can choose the default, or enter any filename with a .der extension. genreq creates this file in the current directory, though you may later move it to any convenient location.

    - Enter the name of a file in which to store the certificate request. You can choose the default, or enter any filename with a .pkc extension.

    - Enter the requested identification information for your organization:

    Common Name - The fully qualified host name of your organization's Internet point of presence as defined by the Domain Name Service (DNS).

    Example: govt.us.oracle.com

    Organizational Unit (optional) - The name of the group, division, or other unit of your organization responsible for your Internet presence, or an informal or shortened name for your organization.

    Example: Oracle Government

    Organization - The official, legal name of your company or organization. Most CAs require you to verify this name by providing official documents, such as a business license.

    Example: Oracle Corporation

    Locality - (optional) The city, principality, or country where your organization is located.

    Example: Bethesda

    State or Province - The full name of the state or province where your organization is located. eWAY does not accept abbreviations.

    Example: Victoria

    Country - The two-character ISO-format abbreviation for the country where your organization is located. The country code for the

    Example: United Kingdom is UK.

    WebMaster's Name - The name of the Web Master responsible for the site. This person will serve as a technical contact.

    Example: Milla Jovovich

    WebMaster's Email Address - The email address where Thawte can contact the Web Master.

    Example: mj@us.oracle.com

    Server Software Version - The name and version number of the application for which you are getting the certificate (you should accept the default value).

  • O'Reilly WebSite Professional Server

    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.
      
    1. Open Server Properties (enter the Key Ring password if requested) and click "Key Ring". If this is a new Website Pro installation and you have not previously opened Server Properties, you will be prompted to create a password for the Key Ring at this time.

    2. Click New Key Pair or right click in the window and select New Key Pair from the context menu. The first page of the New Key Pair Wizard appears.

    3. Click Next to start building the Distinguished Name (DN), which consists of several pieces of information collected by the wizard.

    4. Go through the wizard and enter all the information you will need for the CSR (Certificate Signing Request)

    5. You can save the request file as a .txt file, then click Next.

    6. When the process is complete, the Congratulations page appears. Click Done to exit the wizard. The Key Ring page adds the certificate request to the list of certificates and trusted roots. The request is identified by the key-question mark icon.

    7. Make a backup copy of the Key Ring database file, located in \WebSite\Admin\website-key.

    8. Make a backup copy of the Certificate Signing Request just created by the wizard (by default, request files are located in the \WebSite\Admin directory).

    9. Store the backup copies on a removable disk.

    10. You can now Request your Certificate online.
  • Orion Web Server

    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.
     

    Creating a keystore with a certificate: 

    1. keytool -genkey -keyalg "RSA" -keystore keystore -storepass 123456 -validity 360 

    2. keytool -certreq -keyalg "RSA" -file my.host.com.csr -keystore keystore 

    3. Submit your CSR in enrollment.

    4. Once the certificate is issued, paste it into my.host.com.cer 

    5. keytool -keystore keystore -keyalg "RSA" -import -trustcacerts -file my.host.com.cer  
     
    You should now have a keystore file in your current directory
     

    Creating a secure site: 

    1. Copy the default-web-site.xml config in the /config directory to secure-web-site.xml and edit it. 

    2. Add secure="true" as an attribute to the <web-site ...> tag.

    3. Add the keystore to the main body: <ssl-config keystore="../my/keystore" keystore-password="123456" />

    4. Install the site: this is done by adding the site to server.xml: <web-site path="./secure-web-site.xml" />
  • Plesk 8.1

    To generate a CSR for Plesk 8.1, perform the following steps:

    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

    1. Click the Domains shortcut in the navigation pane. 
    2. Click the required domain name in the list. 
    3. Click Certificates in the Services group. A list of SSL certificates that you have in your repository will be displayed.
    4. Click Add New Certificate.
      Specify the certificate properties: 
    • Certificate name. This will help you identify this certificate in the repository. 
    • Encryption level. Choose the encryption level of your SSL certificate. We recommend that you choose a value more than 1024-bit.
    • Specify your location and organisation name and organisation unit, eg sales or IT etc. The values you enter should not exceed the length of 64 symbols. 
    • Specify the domain name for the SSL certificate. This should be a fully qualified domain name. Example: www.your-domain.com. For a wildcard certificate the syntax should look like *.company.com 
    • Make sure that all the provided information is correct and accurate, as it will be used to generate your private key.

    5. Click Request. Your private key and certificate signing request will be generated and stored in the repository. 
    6. Download the certificate signing request (CSR) file and save it on your machine. To do this, click the respective  icon. 
    7. Open the file in a text editor, copy the text enclosed in lines -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- to the clipboard. 
    You can then use the CSR to purchase a certificate from eWAY.

  • Qpopper

    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected. 
     
    Create or choose a directory for the certificates and your private key.  Because the private key is stored unencrypted, it is very important that only user root has access to this directory.  For example, the following three commands:

    mkdir -p -m700 /etc/mail/certs

    chown root:mail /etc/mail/certs

    chmod 700 /etc/mail/certs
     
     
    Use openssl to create a public-private key pair and a Certificate Signing Request (CSR).  For example, the following command (this text should be entered at a command prompt as one long line):

    /usr/local/ssl/bin/openssl req -new -nodes -out req.pem -keyout /etc/mail/certs/cert.pem

    When you run openssl it prompts you for items of information.  It is very important that you properly answer these prompts; the default explanation may not be accurate.  It asks you:

    Country Name:   Supply the ISO-standard two-letter code for your country.

    State or Province Name:   Type the full name of your state or province.

    Locality Name:   Type the full name of your city or municipal area.

    Organization Name:   Type the legal name of your company or organization.

    Organizational Unit Name:   Type the name of your division or section of your company.

    Common Name:   Type the fully-qualified host name of the mail server host.  Do not type your personal name, even if the openssl prompt sounds like that is what you should do.  This must be the same name that a client enters to get to your server. For a wildcard certificate the syntax should look like *.company.com

    Email Address:   This should be your email address, or that of an institutional role (such as postmaster). 
     
    Ensure that the file which now contains the private key (and will later contain the signed certificate) is owned by and only accessible by root.  For example, the following two commands:
     
    chmod 600 /etc/mail/certs/cert.pem

    chown root:0 /etc/mail/certs/cert.pem

    Send the CSR (file req.pem) to eWAY for signing.  You will receive back a signed request.
  • Quid Pro Quo Secure

    Note: In the interest of better security and the enablement of greater trust, we have decided that 1024-bit keys will now be the minimum strength used in the issuance of digital certificates.


    To request a certificate do the following:


    1. Launch Quid Pro Quo Secure, and select "Request Certificate..." from the Control menu.

    You will be presented with the Certificate Request dialog. 

    To create your request, you must fill out the required information, and generate a private key.

    2. Generate your private key. If you are using a US-only version of Quid Pro Quo Secure, you will have three options for private key sizes: 512, 768, and 1024 bits. 

    The recommended key size is 1024 bits. 

    It is the most secure key available, and there is little reason for choosing a smaller key size. If you are using an exportable version of Quid Pro Quo Secure, you will only have the 512-bit key size available.

    3. Click the "Generate" button. After a few seconds (or more, depending on the size of the key selected and the speed of your computer's processor), you will be asked to save your private key.

    4. Save the file in your Quid Pro Quo Secure application folder, giving the file whatever descriptive name you would like, such as "Server Private Key".

    5. Enter information for all requested information fields. In order to generate your request, you must fill out all of the fields:

    Webmaster (This is either your name or the name of the person that will be the contact point for the certificate authority.

    If the certificate authority needs to verify information or otherwise contact your organization, this is the person they will contact.)

    Common Name (This is the domain name of your server exactly as users will type it into their browsers, for instance "www.socialeng.com"). For a wildcard certificate the syntax should look like *.company.com

    Wildcard characters, such as "*.socialeng.com" are not allowed. It is important to get the domain name correct; if it's not, users will get a warning dialog each time they connect to your site.

    Contact Email Address (This is the email address of the person listed in the Webmaster field)

    Organization  (This is the name of your organization as you would like it to appear in your certificate.

    Certificate authorities will verify your right to use the name that appears in this field, so it should be the full legal name of your organization, for instance "Social Engineering Incorporated".)

    Organization Unit (This field is used to describe the sub-group of your organization for

    Locality (This is the city in which your organization is located, for instance "Berkeley")

    State (This is the non-abbreviated name of the state or province in which your organization is located, for instance "California" )

    Country Code (This is the two character ISO country code for the country in which your server is located, for instance in the United States, "US", and in Canada, "CA")

    Telephone Number (This is the telephone number of the person listed as your contact in the Webmaster field.)

    When you have all of the fields filled out and your private key has been generated, click the "OK" button.

    Your certificate request will be generated and you will be asked to save the request. Save the file.

    Quid Pro Quo Secure certificate requests are created in standard PKCS #10 format.

    This is the format accepted by eWAY.

    The certificate request you have created is saved as a SimpleText file with a plain-text description of the certificate request and the PKCS-encoded certificate request.

    The request will look something like:

    -----BEGIN NEW CERTIFICATE REQUEST-----

    MIIB1DCCAT0CAQAwgZUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh

    MREwDwYDVQQHEwhCZXJrZWxleTEoMCYGA1UEChQfU29jaWFsIEVuZ2luZWVyaW5n

    IEluY29ycG9yYXRlZDEYMBYGA1UECxQPV2lkZ2V0IERpdmlzaW9uMRowGAYDVQQD

    FBF3d3cuc29jaWFsZW5nLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA

    u4/YSMVdCDEwPraIMIg5CpOXLREoF3CPQLHUF48XJiGBROxFOKcp5vkAqSRionVD

    tbUFVGXFzc4dB8Ofsul1ryZRIbgAU2gkOsoKC+qzOS8wl/3Eqd6h7IDG1VjdfJ5A

    oPvAE4l73PjaKfL3o1T3/FW/iMbCsA3Fx6rM0ti6jWMCAwEAATANBgkqhkiG9w0B

    AQQFAAOBgQBULi2DAHKpUwXM66imT/SqYa5E1GJZan5lpyVbf3LFdHw3BtlOapGM

    WuVEODtWOSTkbaqxBz4VthcnH/5gpfVIeH2pU1NYsGtwF2zW2tWTjRadZ2od2S12

    SxPzPYe4k6+QWJHrFrvd12nLV38QiVvsW2TPPPTI2vZ1FOqe2ZklhA==

    -----END NEW CERTIFICATE REQUEST-----

    Copy your newly generated request (including the "-----BEGIN..." and "-----END..." tags) to the clipboard.

    This is the CSR that you have to paste into the enrollment form. 
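
A PKCS #10 request like the one above can be checked before it is pasted into an enrollment form. The following is an added example, not part of the original instructions or of any vendor tool: a standard-library Python parser that reads a PEM request and flags an RSA key below the 2048 bits recommended elsewhere on this page, a public exponent below 65537, an MD5 or SHA-1 request signature, and a malformed Common Name. The thresholds, function names and the constructed sample (placeholder modulus, all-zero signature) are assumptions of the example; it handles RSA requests only and does not verify the signature.

```python
import base64
import re

# OID tables hold only what this demo needs; other OIDs are reported as dotted strings.
WEAK_SIG_ALGS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                 "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}
DN_OIDS = {"2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L",
           "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.3": "CN"}
PEM_RE = re.compile(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
                    r"-----END (?:NEW )?CERTIFICATE REQUEST-----", re.S)

def read_tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(val):
    """Turn DER OID content bytes into dotted notation."""
    parts, acc = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        acc = (acc << 7) | (b & 0x7F)      # base-128 digits, high bit marks continuation
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def parse_csr(pem):
    """Return subject, RSA key size, public exponent and signature algorithm of a PEM CSR."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no PKCS #10 PEM block found")
    der = base64.b64decode("".join(match.group(1).split()))
    info, sig_alg = [val for _, val in children(read_tlv(der)[1])[:2]]
    fields = children(info)                # version, subject, subjectPKInfo, [attributes]
    subject = {}
    for _, rdn in children(fields[1][1]):  # Name -> SET -> SEQUENCE(type, value)
        for _, atv in children(rdn):
            (_, oid), (_, text) = children(atv)
            oid = decode_oid(oid)
            subject[DN_OIDS.get(oid, oid)] = text.decode("latin-1")
    bit_string = children(fields[2][1])[1][1]          # first byte = unused-bit count
    modulus, exponent = [int.from_bytes(v, "big")
                         for _, v in children(read_tlv(bit_string[1:])[1])[:2]]
    sig_oid = decode_oid(children(sig_alg)[0][1])
    return {"subject": subject, "key_bits": modulus.bit_length(), "exponent": exponent,
            "sig_alg": WEAK_SIG_ALGS.get(sig_oid, sig_oid)}

def lint_csr(pem, min_bits=2048):
    """Return (parsed, findings); findings is a list of (code, message) tuples."""
    csr, findings = parse_csr(pem), []
    if csr["key_bits"] < min_bits:
        findings.append(("key-size", f"{csr['key_bits']}-bit RSA key, need >= {min_bits}"))
    if csr["exponent"] < 65537:
        findings.append(("small-exponent", f"public exponent {csr['exponent']}"))
    if csr["sig_alg"] in WEAK_SIG_ALGS.values():
        findings.append(("weak-signature-hash", csr["sig_alg"]))
    cn = csr["subject"].get("CN", "")
    # Accept a fully qualified host name or the *.company.com wildcard form only.
    if not re.fullmatch(r"(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", cn):
        findings.append(("bad-common-name", f"{cn!r} is not a host name or *.company.com"))
    return csr, findings

def _tlv(tag, content):
    """DER-encode one element (used only to build the constructed sample below)."""
    n, size = len(content), (len(content).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def constructed_sample(cn=b"*.company.com"):
    """Constructed, unsigned PKCS #10 structure: placeholder modulus, not a real key."""
    pkcs1 = bytes.fromhex("2a864886f70d0101")          # 1.2.840.113549.1.1 prefix
    rdns = (("550406", b"AU"), ("55040a", b"Example Pty Ltd"), ("550403", cn))
    name = b"".join(_tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex(oid)) + _tlv(0x13, val)))
                    for oid, val in rdns)
    rsa = _tlv(0x30, _tlv(0x02, b"\x00" + b"\xc3" * 128) + _tlv(0x02, b"\x03"))
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, pkcs1 + b"\x01") + _tlv(0x05, b""))
                + _tlv(0x03, b"\x00" + rsa))
    info = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x30, name) + spki + _tlv(0xA0, b""))
    sig_alg = _tlv(0x30, _tlv(0x06, pkcs1 + b"\x04") + _tlv(0x05, b""))
    der = _tlv(0x30, info + sig_alg + _tlv(0x03, b"\x00" * 129))
    return ("-----BEGIN NEW CERTIFICATE REQUEST-----\n" + base64.encodebytes(der).decode()
            + "-----END NEW CERTIFICATE REQUEST-----\n")
```

Call lint_csr() with the text of a request file; an empty findings list means none of the four checks fired.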

  • Raven SSL

    Note: In the interest of better security and the enablement of greater trust, we have decided that 2048-bit keys will now be the minimum strength used in the issuance of digital certificates.

    These instructions were provided by Covalent, and at this stage Covalent will provide all technical support for Raven SSL. 

    Please make sure that you are especially careful to backup the private key once it has been generated.  Your certificate will not work without that private key.

    For users of Raven 1.2, the certificate generation process is invoked with the following command typed at a shell prompt. 

    # ./ravenctl -cert

    The process first prompts for the name of the certificate.

    Please enter the server name you wish to generate for. 

    # ./ravenctl -cert

    Name of the server you are issuing certificate for? -->

    example.covalent.net

    ######################################################################

    The key name chosen is example.covalent.net.key.

    The certificate name is example.covalent.net.cert.

    The key/certificate pairs will be stored in /usr/local/ssl.

    ######################################################################

    You are about to generate a new key and key request. The key request will be sent to the email address of your choice and the keyfile will reside in /usr/local/ssl/private/example.covalent.net.key.

    Choose the size of your key. Select 2048 bits

    The process first prompts for the name of the certificate.

    Input your choice of key size at the prompt. 

    # ./ravenctl -cert

    Number of bits in key (384 minimum, 2048 maximum)? -->  2048 

    Generating random data, using the truerand library developed by Matt Blaze, Jim Reeds, and Jack Lacy at AT&T. This may take some time.

    Generating 2048 bits of randomness: ................................

    Generating 2048 random bits based on measuring the time interval between your keystrokes.  Please enter random text on your keyboard.

    Generating the key. This may also take some time. Be patient.

    The passphrase you enter here is very important. Do not lose it.

    640 semi-random bytes loaded

    Generating RSA private key ,512 bit long modulus

    ...+++++

    ....+++++

    e is 65537 (0x10001)

    Choose a pass phrase that is secure. Don't forget this password. 

     Enter PEM pass phrase: ...................

    Verifying password - Enter PEM pass phrase: ...................

    Key successfully generated.

    You must respond below with "Y" to generate a signing request. 

    # ./ravenctl -cert

    Would you like to send a Certificate Request to a CA? [Y/n]: -->  y

    A Thawte CSR does *not* require the following options. Answer "N". 

    Does your CA need the ASN1-Kludge? (VeriSign) [y/N]: -->  n

    Generating certificate request. This process will also create a temporary certificate for testing until you receive the certificate from your CA. Please enter the following information:

    Using configuration from /usr/local/ssl/lib/ssleay.cnf

    The pass phrase entered here is the phrase that you chose above. 

    Enter PEM pass phrase: ...................

    You are about to be asked to enter information that will be incorporated into your certificate request.

    What you are about to enter is what is called a Distinguished Name or a DN.

    There are quite a few fields but you can leave some blank For some fields there will be a default value,

    If you enter '.', the field will be left blank.

    -----

    Country Name (2 letter code) [US]: AU

    State or Province Name (full name) [State]: Victoria

    Locality Name (eg, city) [City]: Melbourne

    Organization Name (eg, company) [Organization]: Umbrella Pharmaceuticals PTY LTD.

    Organizational Unit Name (eg, section) [Division]: Secure Services

    It is important that your Common Name matches the name that the server will identify itself as when serving requests. Enter that server name below. For example, if you will be pointing people at https://www.bob.com/ then your server name would be www.bob.com. If your server has a real name ("adonis") and an alias ("secure" or "www") and you will be pointing people at the alias, then make sure you give the alias here, otherwise the browser will claim that the site name does not match the certificate.

    It is also important that you give your State name, City name and two-letter UPPER CASE country code.  The Organizational Unit field is optional.

    Common Name (eg, YOUR name) [www.servername.com]: example.covalent.net

    Email Address [webmaster@servername.com]: webmaster@covalent.net

    Using configuration from /usr/local/ssl/lib/ssleay.cnf

    Certificate Request:

    Data:

    Version: 0 (0x0)

    Subject: C=AU, ST=Victoria, L=Melbourne, O=Umbrella Pharmaceuticals PTY LTD.

    OU=Secure Services, CN=example.covalent.net/Email=webmaster@umbrella.com

    Subject Public Key Info:

        Public Key Algorithm: rsaEncryption

        RSA Public Key: (512 bit)

            Modulus (512 bit):

                00:c0:34:7e:a5:02:f7:35:8e:42:7b:ce:69:e9:31:

                c0:4e:fd:d2:a7:6e:2f:ee:0b:09:84:00:b5:dc:49:

                3c:36:0b:82:74:7b:c8:65:3b:c4:85:b1:f8:71:86:

                78:71:39:7c:03:16:c0:2b:50:d4:f1:dd:2a:f2:ce:

                f3:68:35:d7:43

            Exponent: 65537 (0x10001)

    Signature Algorithm: md5WithRSAEncryption

    40:26:58:76:fe:a5:69:ab:fe:fd:f6:6e:0d:3b:f8:79:06:7e:

    96:e3:1f:e0:44:12:c1:51:c6:58:f8:38:85:92:67:4e:99:ba:

    3e:55:42:94:31:94:50:ba:96:19:4e:31:4a:d4:39:d6:91:12:

    10:64:20:38:9c:df:df:ea:c8:72

    Webmaster email:  webmaster@umbrella.com

    Webmaster phone:  +1.402.441.5710

    Mailing the CSR to your personal email account will allow you to easily cut and paste the request into the Thawte submission form. Please enter that address below. 

    Send CSR via Email to? -->  yourmail@umbrella.com

    Certificate request sent to yourmail@umbrella.com.

    Creating a self-signed certificate for use until your chosen CA delivers your signed certificate.

    Using configuration from /usr/local/ssl/lib/ssleay.cnf

    The pass phrase entered here is the phrase that you chose above. 

    Enter PEM pass phrase: ...................

    The following questions should match the information previously provided above. 

    You are about to be asked to enter information that will be incorporated into your certificate request.

    What you are about to enter is what is called a Distinguished Name or a DN.

    There are quite a few fields but you can leave some blank

    For some fields there will be a default value,

    If you enter '.', the field will be left blank.

    -----

    Country Name (2 letter code) [US]: AU

    State or Province Name (full name) [State]: Victoria

    Locality Name (eg, city) []:Melbourne

    Organization Name (eg, company) [Organization]: Umbrella Pharmaceuticals PTY LTD.

    Organizational Unit Name (eg, section) [Division]: Secure Services

    Common Name (eg, YOUR name) [www.servername.com]: example.umbrella.com

    Email Address [webmaster@servername.com]: webmaster@umbrella.com

    Key and certificate have been successfully installed.

    CSR generation process is complete. Check your email to obtain the CSR. Cut and paste this request into the certificate request forms. 

    Again, please backup the contents of /usr/local/ssl/private so that you are sure you have backup copies of your private key.  

  • Raven SSL CTL Interface

    Note: In the interest of better security and the enablement of greater trust, we have decided that 1024-bit keys will now be the minimum strength used in the issuance of thawte digital certificates.

    The RavenCTL Management Interface

    The following procedure shows the process required to generate a key file and CSR (certificate signing request) for your SSL server.

    Generate the Private Key

    Name of the file to store certificate/key?

               [server.domain.com] --> www.domain.com

    At the prompt above, enter the name of the file that you wish to store the certificate and key file in. This is typically the Common Name of the server or the Apache configured ServerName.

    The key file name you have chosen is www.domain.com.key.

    The certificate file name will be www.domain.com.cert.

    Press [ENTER] to continue:

    The prompt above indicates the file names in which you have chosen to store this certificate and key. These file names will be stored in /usr/local/raven/module/pki/keys and /usr/local/raven/module/pki/certs respectively.

    Choose the size of your key. Smaller key sizes provide faster server response but will provide diminished security.

    Key sizes less than 512 bits are easily cracked. For high security applications you will want a key size not less than 1024 bits.

    Number of bits in key (512 minimum, 1024 maximum)? [1024] --> 512

    Deciding how strong the key pair should be

    At the prompt above, enter the number of bits that you want your key file to contain. More bits means that the key will be harder to crack but there will be more server overhead required to encrypt the data. Fewer bits means less overhead for the server to encrypt the data, but makes the key easier to crack. Enter values divisible by 128, i.e. 512, 640, 768, 896 or 1024.

    Generating random data, using the truerand library developed by Matt Blaze, Jim Reeds, and Jack Lacy at AT&T. This may take some time.

    Generating 1024 bits of randomness: ...............................

    Generating 1024 random bits based on measuring the time interval between your keystrokes.  Please enter random text on your keyboard.

    1024 <- remaining

    The key generation process provides an internal random entropy generator. The process will create twice the number of random bits that you have chosen for your key size. After the internal random data generator completes its process, you will be prompted to enter keystrokes to create yet another random entropy pool. This process helps assure that your key is difficult to predict and thereby crack.

    Generating the key. This will take some time. Be patient. The passphrase you enter here is very important. Do not lose it.

    192 semi-random bytes loaded

    Generating RSA private key, 512 bit long modulus

    ..........+++++

    ...+++++

    e is 65537 (0x10001)

    Enter PEM pass phrase:

    Verifying password - Enter PEM pass phrase:

    Entering a Passphrase for the encryption of the private key

    After the key is created, you will be prompted to enter a pass phrase to use to encrypt your key as it is stored on disk. It is not necessary to keep keys encrypted on disk and this adds to difficulty in automating the startup process for the server since an encrypted key will require you to enter a pass phrase during the server startup phase.

    You should make note of the passphrase at this point. If you forget it you will not be able to access your private key and the certificate that corresponds to that private key will be effectively useless and you will have to buy a new one.


    Backing up the Private Key

    You should also make a backup of your private key. If you lose your private key you will not be able to use your certificate and you will have to buy a new one. Read our tough Key Loss Policy.

    I'll say it again -- back up your Private Key!
     

    Generate the CSR and temporary self-signed certificate

    Self-signing certificate for temporary internal use.

    Using configuration from /usr/local/raven/module/pki/lib/certtool.conf

    Enter PEM pass phrase:

    Enter the pass phrase that you have chosen for this certificate in the generation process above.

    You are about to be asked to enter information that will be incorporated into your certificate request.

    What you are about to enter is what is called a Distinguished Name or a DN.

    There are quite a few fields but you can leave some blank

    For some fields there will be a default value,

    If you enter '.', the field will be left blank.

    -----

    Country Name (2 letter code) [US]:

    State or Province Name (full name) [Some-State]:

    Enter the State or Province for the company being represented by this certificate.

    Locality Name (eg, city) [Some-City]:

    Enter the City for the company being represented by this certificate.

    Organization Name (eg, company) [Some-Company/Organization]:

    Enter the Company Name being represented by this certificate.

    Organizational Unit Name (eg, section) [Secure Services Division]:

    Enter the division of the company being represented by this certificate.

    Common Name (eg, server name) [www.servername.com]:

    Enter the Apache ServerName being represented by this certificate.

    Email Address [webmaster@servername.com]:

    Enter the email contact for the person representing this company.

    Key and certificate have been successfully installed.

    Thanks for choosing Raven. Press [ENTER] to continue:

  • Red Hat Secure Web Server

    To generate a CSR, you will need to create a key pair for your server.
    You will also need to create a password.  If you lose your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made.
     

    Step 1: Generating the Private Key

    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.
     
     
    1. Use the cd command to move to the /etc/httpd/conf directory.
     
    2. As root, type in one of the following three commands to generate your key:
     
    A. If you're using Official Red Hat Linux Professional and you want to use the included password feature, type in the following command:
     
    make genkey

    Your key will be generated and you will be asked to enter and confirm a password. Your password should be at least eight characters, should include numbers or punctuation and should not be a word in a dictionary. Also, remember that your password is case sensitive.
     
    Please note that you will need to remember and enter this password every time you start your secure Web server, so don't forget it.
     
    B. If you're using Official Red Hat Linux Professional and you don't want to be required to type in a password every time you start your secure Web server, type the following command, all on one line,  instead of "make genkey" to create your key:
     
    /usr/sbin/sslgenrsa -rand /dev/urandom -out ssl.key/server.key 2048

    Then use the following command to set the correct permissions on your key:

    chmod go-rwx ssl.key/server.key
     
    If you use the above commands to create your key, you will not need to use a password to start your secure Web server. However, we don't recommend that you disable the password feature for your secure Web server, since it decreases the level of security for your server.
     
    C. If you're using Official Red Hat Linux Professional International Edition, type in the following single command, all on one line:
     
    /usr/bin/openssl genrsa -rand /dev/urandom -out /etc/httpd/conf/server.key 2048

     You will not be required to enter a password if you're using Official Red Hat Linux Professional International Edition.

    3. Your key will be created and saved to a file named server.key.
     
    If you're using Official Red Hat Linux Professional, server.key will be located in the /etc/httpd/conf/ssl.key directory.
     
    If you're using Official Red Hat Linux Professional International Edition, server.key will be located in /etc/httpd/conf.

    The server.key file should be owned by root and should not be accessible to any other user. Make a backup copy of this file and keep the backup copy in a safe, secure place. You need the backup copy because if you lose the server.key file after using it to create your CSR and purchase a certificate, your certificate will no longer work and we will not be able to help you. Your only option would be to apply for a new certificate.
     

    Step 2: Create the Certificate Signing Request

    1. In the /etc/httpd/conf directory, become root and type in one of the following two commands:
     
    A. If you're using Official Red Hat Linux Professional, type in the following command: 
     
    make certreq
     
    B. If you're using Official Red Hat Linux Professional International Edition, type in the following single command (all on one line): 
     
    /usr/bin/openssl req -new -key /etc/httpd/conf/server.key -out /etc/httpd/conf/server.csr

    2. You will be prompted for your password (if you used a password when you generated your key). Type in the password, if necessary.

    3. You'll see some instructions and you will be prompted for responses. Your inputs will be incorporated into the CSR.

    4. When you've finished entering your information, a file named server.csr will be created. If you're using Official Red Hat Linux Professional, server.csr will be located in the /etc/httpd/conf/ssl.csr directory.

    5. You have just created a key pair and a CSR.

    6. The server.csr file contains your certificate request. To copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).
  • Roxen

    For Roxen Challenger Key and CSR Generation, perform the following steps:
     
    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.
     
    Versions 1.0, 1.1 and 1.1.1 of the Roxen Challenger web server use the free SSLeay library for secure web browsing. We also use the tools distributed with SSLeay for managing keys and certificates. 
     
    Instructions:

    1. First, install SSLeay, version 0.6.4 or later. (Make sure that the ssleay program is in your PATH. It is usually installed in /usr/local/ssl/bin).

    You probably want to set your umask to 077, and perhaps also log in as root, to ensure that no one else can read any of the files created below. 
     
    To generate a new random RSA key pair, it is recommended that you first find some large relatively random files. If you are lucky, your system has a random device, and you can create such a file (named randomness) with dd if=/dev/random of=randomness bs=500 count=1. If not, log files and current process status, compressed and encrypted with a random password will do, depending on how paranoid you are. You should destroy these files when you are done. 
     
    Then type ssleay genrsa -rand randomness 1024 >my_key.rsa. This generates your private key, which must be kept secret. Note that we do not protect it with a password, as Roxen needs to read it, and there is usually no one there to type in the password each time you start it.
      
    2. The next step is to create a Certificate Signing Request (CSR).
     
    First you will have to enter the components of your distinguished name (X.509). When you are asked about your Common Name, you should enter your domain name or a wild card, for example www.infovav.se or *.infovav.se.
     
    When you have all that information ready, type ssleay req -new -key my_key.rsa >my_csr.csr and fill in the information.
     
    Of the resulting files, use my_csr.csr in enrollment, and keep your secret key my_key.rsa some place safe and secret. 
     
  • Sambar

    To generate a CSR for Sambar, perform the following steps:
     
    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.
     
     
    To generate a key, type: openssl genrsa -rand randfile -out key.pem 1024
     
    This command sequence will generate a 1024-bit RSA private key and store it in the file key.pem. This key file should be copied to the config directory of the Sambar Server. The key should look like: 
     
    -----BEGIN RSA PRIVATE KEY-----
    MIIBOwIBAAJBALtv55QyzG6i2PlwZ1pah7++Gv8L5j6Hnyr/uTZE1NLG0ABDDexm
    q/R4KedLjFEIYjocDui+IXs62NNtXrT8odkCAwEAAQJAbwXq0vJ/+uyEvsNgxLko
    nWmM1KvqnAo5uQIhALqEADu5U1Wvt8UN8UDGBRPQulHWNycuNV45d3nnskWPAiAw
    ueTyr6WsZ5+SD8g/Hy3xuvF3nPmJRH+rwvVihlcFOg==
    -----END RSA PRIVATE KEY-----


    Obtaining a certificate (Digital ID)

    Next you must generate a Certificate Signing Request (CSR). The CSR is what contains the name information for the certificate (Country, State/Province, City, Organization, Division, Web Server Domain Name, etc). It also contains your public key. 
     
    The formats of certificate and CSR used by the Sambar Server are the same as those used by Apache-SSL (both servers use SSLeay for their SSL implementations).
     
    To generate your CSR, run: openssl req -new -key key.pem -out req.pem -config ..\config\openssl.cnf

    This command sequence will prompt you for the attributes of your certificate. Remember to give the secure server domain name when you are prompted for "Common Name". The request should look like:
     
    -----BEGIN CERTIFICATE REQUEST-----
    MIIBGzCBxgIBADBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEa
    MBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGkNsaWVudCB0ZXN0
    2NNtXrT8odkCAwEAATANBgkqhkiG9w0BAQQFAANBAC5JBTeji7RosqMaUIDzIW13
    oO6+kPhx9fXSpMFHIsY3aH92Milkov/2A4SuZTcnv/P6+8klmS0EaiUKcRzak4E=
    -----END CERTIFICATE REQUEST-----
     
    You will now have a private key file (key.pem) and a CSR file (req.pem). 
  • Silverstream webserver

    Note: In the interest of better security and the enablement of greater trust, we have decided that 2048-bit keys will now be the minimum strength used in the issuance of digital certificates.

    1. Run the SilverStream AgDigitalIDStep1 program to generate a CSR and private key (PKCS8 password protected). 

    2. Go to a CA and submit the CSR.

    3. Get the X.509 Certificate in Base64 encoded format from the CA.

    4. Run the SilverStream AgDigitalIDStep2 program to upload the Certificate and the private key to SilverServer. 

    5. Restart SilverServer to make SSL port active.

    There is a configuration (httpd.props) setting that will allow you to change which CN (certificate domain name) the server will look for. You are allowed multiple certificates (with different CN) to be uploaded to the server, since they are stored in the master dB that all servers in a SilverStream Cluster use. Each server will then use the CN that matches it.

    Generating a CSR using Novell SilverStream

    A CSR is a file containing your certificate application information, including your Public Key. Generate your CSR and then copy and paste the CSR file into the webform in the enrollment process:

    Generate keys and Certificate Signing Request:

    • Start the SMC and select the Security icon from the toolbar
       
    • Select Certificates
       
    • Select the RSA tab
       
    • Choose Generate Request
       
    • Complete the items on the panel
       
    • The Server DNS Name field should be the Fully Qualified Domain Name (FQDN) or the web address for which you plan to use your Certificate, e.g. the area of your site you wish customers to connect to using SSL. For example, an SSL Certificate issued for domain.com will not be valid for secure.domain.com. If the web address to be used for SSL is secure.domain.com, ensure that the common name submitted in the CSR is secure.domain.com
       
    • Click Next
       
    • The following panel allows you to specify the size of the key pair to generate - Select 2048 and click Next
    • If prompted, specify the size of the key pair to generate
       
    • Click Next
       
    • The following panel shows the paths for the CSR (Certificate Signing Request). You may edit these paths if you choose. You will use this information later when installing the certificate
    • Click Next 
       
    • You may click Copy CSR to Clipboard to copy the contents of the CSR and paste into our web form
       
    • Click Finish
  • SonicWall SSL Offloaders

    To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made.

    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.
     
    1. Create a directory called ‘C:\test’.


    2. Launch “OpenSSL”.

    3. Enter the following command to create a private key.

        genrsa -des3 -out c:\test\key.pem 2048

    4. Enter in a passphrase to protect the key (at least six characters).

    5. Enter the following command to create a certificate request:

        req -new -key c:\test\key.pem -out c:\test\req.pem -config openssl_config.txt

    6. Enter in all the required fields for the certificate you want to generate.

    7. You have just created a key pair and a CSR.

    8. To copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).

    9. Copy and paste the CSR into the enrollment page.

  • SSLeay

    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

    For SSLeay Key and CSR Generation, perform the following steps:

    More and more secure web servers and value-added cryptographic applications are using the SSLeay free cryptographic toolkit, which includes a variety of libraries and utilities to manage secure sockets and public key cryptography.

    These servers by and large use the same key and certificate format, and generate Certificate Signing Requests (CSR's) that are compatible with the eWAY Certification System.

    Examples are Sioux, Stronghold, ApacheSSL, Alibaba (which is linked against a very old version of SSLeay) and secure versions of WN.

    In all of these servers you can use the following procedure to generate your CSR:

    Locate ssleay

    These instructions assume that SSLeay is installed, and that you have the executable ssleay in your PATH.

    They also assume that you are using version 0.8.1 or later. Running ssleay version will tell you which version you are using.

    Generate your key:

    ssleay genrsa -des3 1024 > www.myserver.com.key 
    This command sequence will generate a private key and store it in the file www.myserver.com.key. It will ask you for a pass phrase: use something secure and remember it.

    Your certificate will be useless without the key.

    If you don't want to protect your key with a pass phrase (only if you absolutely trust that server, and you make sure the permissions are carefully set so only you can read that key) you can leave out the -des3 option.

    Generate your CSR:

    ssleay req -new -key www.myserver.com.key > www.myserver.com.csr

    This command sequence will prompt you for the attributes of your certificate.

    You will now have a private key in www.myserver.com.key and a CSR in www.myserver.com.csr.

    Paste the CSR into our forms, and hold on to your key. You will need the key to operate your secure server when we issue your certificate. 
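
The key and CSR procedures above (Red Hat, Roxen, Sambar, SonicWall, SSLeay) all end with a request pasted into the enrollment form. The script below is an added example, not part of the original instructions: it creates a throw-away pair with openssl and checks the points these sections warn about (a key under 2048 bits, a Common Name that is not the host name, a key file readable by other users, a CSR that does not belong to the key). The host name, DN values and file names are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Host name, DN values and file
# names are constructed placeholders.

MIN_BITS=2048   # minimum RSA key size the page requires for new certificates

# make_pair PREFIX BITS CN: write PREFIX.key, PREFIX.cnf and PREFIX.csr.
make_pair() {
    (
        umask 077                       # files are created owner-only
        openssl genrsa -out "$1.key" "$2" 2>/dev/null || exit 1
        # Minimal request config so the DN is supplied without prompts.
        printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
            '[dn]' 'C = AU' 'ST = Queensland' 'L = Brisbane' \
            'O = Example Pty Ltd' "CN = $3" > "$1.cnf"
        openssl req -new -key "$1.key" -config "$1.cnf" -out "$1.csr" 2>/dev/null
    )
}

# check_csr CSR KEY EXPECTED_CN
# Returns 0 if the request is fit to submit, otherwise:
#   1 self-signature invalid or file unreadable   2 key shorter than MIN_BITS
#   3 Common Name differs from EXPECTED_CN         4 key file open to group/other
#   5 CSR was not generated from KEY
check_csr() {
    csr=$1 key=$2 want_cn=$3

    # 1. A CSR is signed with its own private key; failure here usually means
    #    the file was truncated or altered, for example by a text editor.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || {
        echo "FAIL: self-signature does not verify" >&2; return 1; }

    # 2. Key size as recorded in the request.
    bits=$(openssl req -in "$csr" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge "$MIN_BITS" ] || {
        echo "FAIL: ${bits:-unknown}-bit key, need $MIN_BITS" >&2; return 2; }

    # 3. Common Name must be exactly the host name the site is served on.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$want_cn" ] || {
        echo "FAIL: CN is '$cn', expected '$want_cn'" >&2; return 3; }

    # 4. Same effect as "chmod go-rwx": no group or other permission bits.
    [ "$(ls -ldL "$key" | cut -c5-10)" = "------" ] || {
        echo "FAIL: $key is accessible to group or other users" >&2; return 4; }

    # 5. The public key in the CSR must be the public half of the key on disk.
    #    A key created with -des3 prompts for its pass phrase at this step.
    [ "$(openssl req -in "$csr" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] || {
        echo "FAIL: CSR does not match $key" >&2; return 5; }

    echo "OK: $bits-bit key, CN=$cn"
}

# Demo on a throw-away pair in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    make_pair "$d/www.example.com" 2048 www.example.com &&
        check_csr "$d/www.example.com.csr" "$d/www.example.com.key" www.example.com
    rc=$?
    rm -rf "$d"
    return "$rc"
}
demo
```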

  • Stronghold Server

    To generate a CSR, you will need to create a key pair for your server.

    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.
     
    Stronghold keys and certificates are managed through three scripts: genkey, getca and genreq. These are part of the normal Stronghold distribution. Keys and certificates are stored in the directory $SSLTOP/private/, where SSLTOP is typically /usr/local/ssl.
     
    To generate a key pair and CSR for your server:

    1. Run genkey, specifying the name of the host or virtual host: genkey hostname. The genkey script displays the filenames and locations of the key file and CSR file it will generate:  
     
        Key file: /usr/local/www/sslhostname.key  
        CSR file: /usr/local/www/sslhostname.cert  
     
    Note: If you already have a key for your server, run genreq [servername] to generate only the CSR.

    2. Press Enter. The genkey script reminds you to be sure you are not overwriting an existing key pair and certificate.

    3. When prompted, enter a key size in bits. We recommend using the largest key size available: 2048 bits.

    4. When prompted, enter random key strokes. Stop when the counter reaches zero and genkey beeps. This random data is used to create a unique public and private key pair.

    5. When prompted, enter to create the key pair and CSR.

    6. Select your CA.

    7. Enter all of the information requested and press Enter. Back up your key file and CSR on a USB stick and store the disk in a secure location. If you lose your private key or forget the password, you will not be able to install your Secure Server ID and will need to request and purchase a new one.

    You have just created a key pair and a CSR.

    8. To copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).

    9. Copy and paste the CSR into the enrollment page.

  • Sun Java Web Server 6.x

    To generate a CSR, you first need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made.

    It is recommended that you contact Sun for additional information on Java System Web Server 6.x.
     
    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.
     

    Step 1: Create a Key Database

    1. Select the server instance to manage and click Manage.
     
    2. Click Security.
     
    3. Click Create Database.
     
    4. Enter and confirm a password to protect this database.
     

    Step 2: Generate a CSR

     
    1. Click Request a Certificate.
     
    2. Enter your own email address as the CA Email address. Although your Sun server supports the use of email for sending certificate requests, Geotrust requires you to paste the certificate request into the enrollment form.
     
    3. Enter a key pair file password to protect your keys. This can be the same password as the key database.
     
    4. Fill out all of the CSR information, and click OK.
     
    The server will generate the CSR and display it on the page.
     
    5. To copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or vi are recommended).

    6. Click Apply to commit the changes. You have just created a key pair and a CSR.

    Paste the information into the enrollment form when prompted for the CSR.
  • Sun ONE (Using IIS 4.0)

    To generate a CSR, you first need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made.

    NOTE: 
    A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.
     

    Step 1: Create a Key Database

    1. Select the server instance to manage and click Manage.
     
    2. Click Security.
     
    3. Click Create Database.
     
    4. Enter and confirm a password to protect this database.
     

    Step 2: Generate a CSR.

    1. Click Request a Certificate.
    • Enter your own email address as the CA Email address. Although your Sun server supports the use of email for sending certificate requests, Geotrust requires you to paste the certificate request into the enrollment form.
    • Enter a key pair file password to protect your keys.
    • Fill out all of the CSR information, and click OK.

    2. The server will generate the CSR and display it on the page. Copy and paste the CSR into a text editor that does not add extra characters (Notepad or Vi are recommended).  

    You have just created a key pair and a CSR.

    3. Go to the Enrollment URL.

    4. Paste the information into the enrollment form when prompted for the CSR.

    Note: You must copy the entire CSR, including every character in the Begin New Certificate Request and End New Certificate Request lines.

  • Sybase EA Server

    To generate a CSR, you first need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made.  
     
    It is recommended that you contact Sybase for additional information.

    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

    1. Run the Security Manager application.

    2. Select the Private Keys folder.

    3. Select File > Key/Cert Wizard.

    4. Supply the required information. Use Back and Next to review or change any information.

    5. Click Finish to exit the wizard. Security Manager generates the key pair and saves the certificate request to a file that you specify.

    6. Go to the enrollment form and paste the information into the form when prompted for the CSR.

    The new private key appears on the right side of the window when you highlight the Private Keys folder. Once the certificate is received and installed, the private key is removed from the private key list.

  • Sybase Manage Anywhere Studio (Using IIS 5.0)

    To generate a CSR, you first need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made.

    It is recommended that you contact Sybase for additional information.
     
    Generate a Private Key Pair

    NOTE: 
    A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

    1. Under Administrative Tools, open Internet Services Manager.

    2. Open the Properties window by right-clicking on the name of the Web site you wish to secure.

    3. Click the Directory Security tab.

    4. Click Server Certificate in the Secure communications section. If you have not used this option before, the Edit button will not be active.

    5. Select Create a new certificate.

    6. Select Prepare the request now, but send it later.

    7. Complete the information requested by the IIS Certificate Wizard to create a private key that is stored locally on your server and a public key (the Certificate Signing Request) that you will use during the enrollment process. You have successfully generated a CSR file.

    8. Click Finish to exit the IIS Certificate Wizard. A CSR file has been generated.

    9. Go to the enrollment form and paste the information into the form when prompted for the CSR.

  • Sybase Manage Anywhere Studio (Using Microsoft IIS 4.0)

    To generate a CSR, you first need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match your private key. You will have to request a new SSL Certificate and may be charged. 

    The CSR needs to contain the following attributes:

    Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.
    State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California.
    Locality or City (L): The Locality field is the city or town name, for example: Berkeley.
    Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll, for example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
    Organizational Unit (OU): This field is the name of the department or organization unit making the request.
    Common Name (CN): The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com".

    Note: VeriSign certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different from "domain.com".

    eWAY recommends that you contact Sybase for additional information.

    Note: The recommended key bit size is 2048-bit. All certificates that will expire after December 31, 2013 must have a 2048-bit key size.

    Generate a Key Pair and Certificate Signing Request

    1. Open the Microsoft Management Console (MMC) for IIS. This is normally reached by selecting Start -> Programs -> Windows NT 4.0 Option Pack -> Microsoft Internet Information Server -> Internet Service Manager.
    2. Expand the Internet Information Server folder by selecting the + sign and then select the + sign next to the computer name.
    3. Locate the website that is going to be using the SSL Certificate. This is usually the Default Web Site. Right click the website and choose Properties.
    4. In the Properties window, click the Directory Security tab.
    5. Click Edit and then click Key Manager.
    6. In Key Manager window, right click WWW and select Create New Key.
    7. Choose Put the request in a file that you will send to an authority. Select an appropriate filename (or accept the default).
    8. Enter values in the next window. Key lengths available will depend on the version and Service Packs installed. Remember the password you enter. Without it, you will not be able to install or back up the certificate.  
      Note: You must install a certificate for every website using SSL that has a distinct DNS name. Each website for SSL must also have a distinct IP address.
    9. You must specify a bit length for the CSR. Choose 2048.
      Note: For Extended Validation certificates the key bit length must be 2048.
    10. Fill out the appropriate contact information and click Finish. This information can be whatever you like as it will not show on the certificate.
    11. Key Manager displays a key icon under the WWW icon with a red slash through it indicating it is not complete.
    12. Choose Exit from the Computers menu. When asked to commit changes, click Yes. You have just created a key pair and a CSR.
    13. Verify your CSR
    14. To copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters (Notepad is recommended).
    15. Go to the enrollment form and paste the information into the form when prompted for the CSR.

    Contact Information

    During the verification process, the certificate issuer may need to contact your organization. Be sure to provide an email address, phone number, and fax number that will be checked and responded to quickly. These fields are not part of the certificate.

  • Tenon WebTen

    Note: In the interest of better security and the enablement of greater trust, we have decided that 2048-bit keys will now be the minimum strength used in the issuance of digital certificates.

    WebTen Key and CSR Generation

    In order to obtain a server certificate, a Certificate Signing Request (CSR) must be sent to the Certificate Authority, along with other proof of identity documents.

    1. Fill out the SSL Settings form within the WebTen Administration Server.

    2. Submit the completed CSR to the Certificate Authority. Cut and paste the CSR from the SSL Settings form into the eWAY online form.

    Your official certificate will be digitally signed and e-mailed to you by the CA.

    Rename the certificate to "xx.xx.xx.xx.crt" (where <xx.xx.xx.xx> is the IP address of the virtual host for which the certificate was generated),

    and place the official certificate in the tenon/ssl/private folder.

    The official certificate will replace the temporary self-signed certificate generated by WebTen for use prior to receipt of the official certificate.

    SSL Settings
    To generate a certificate request, click on the Certificate button beside the SSLSecurity entry in the WebTen Virtual Host Configuration table found here:

    http://www.tenon.com/products/webten/UserGuide2.0/8_VirtualHosts.html#11497

    The SSL Settings page is a form for generating a Certificate Signing Request (CSR).

    SSL Certificate Request Form

    Common Name: The Common Name is the domain name of the Web server or of an IP-based virtual host. For a wildcard certificate the syntax should look like *.company.com

    This must be a fully qualified domain name, not an IP address or a DNS alias.

    Organization Name: The Organization Name is the legal organization name.

    Organizational Unit: The Organizational Unit is the department name or the name of a unit within an organization. This field is optional.

    Locality: The Locality is the name of the city in which the organization resides. This field is optional.

    State or Province: The State or Province is the name of the state or province in which the organization resides.

    Country Code: The Country Code is a two-character country code for the country in which the organization resides.

    Email Address: The Email Address is the email address of a contact or representative within this organization.

    Generating a CSR

    To generate a Certificate Signing Request (CSR) save the SSL Settings via the Save CSR button. This action has several effects.

    If a private key for this virtual host does not exist, such a key is created and saved in a secure area in WebTen's internal file system.

    The actual Certificate Signing Request information is displayed in the WebTen Administration Server.

    This CSR is a X.509 formatted document which can be copied and pasted directly into Thawte's online request form.

    This CSR is also saved in the tenon/ssl/certs folder in a file named xx.xx.xx.xx.csr (where <xx.xx.xx.xx> is the IP address of the virtual host for which the CSR was generated).

    A temporary, self-signed certificate is created for use while your CSR is being processed by the CA.

    The self-signed certificate will allow your virtual server to perform secure transactions while your official certificate request is being processed. 

    Instructions can also be found at the website:

    http://www.tenon.com/products/webten/UserGuide2.0/8_VirtualHosts.html#11497

  • Tomcat

    To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made.
     

    Step 1: Create a Keystore and Private Key

    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

    Please use JDK 1.3.1 or later.
     
    1. Create a certificate keystore and private key by executing the following command:
     
    Unix: $JAVA_HOME/bin/keytool -genkey -alias <your_alias_name> -keyalg RSA -keystore <your_keystore_filename> -keysize 2048
     
    Note: For Extended Validation certificates the key bit length must be 2048; add -keysize 2048 to the command above.
     
    This command will prompt for the following X.509 attributes of the certificate:
     
    Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA. 

    State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California 

    Locality or City (L): The Locality field is the city or town name, for example: Berkeley. 

    Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll. Example: XY & Z Corporation would be XYZ Corporation

    Organizational Unit (OU): This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request. 

    Common Name (CN): The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com".  

    NOTE: When prompted for your "first- and lastname", enter the desired Common Name.
     
    Geotrust certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different from "domain.com".
     
    2. Specify a password. The default value will be "changeit".
     
    For further information, please refer to the Tomcat Web site.
     

    Step 2: Generate a CSR

    1. The CSR is then created using the following command:
     
    keytool -certreq -keyalg RSA -alias <your_alias_name> -file certreq.csr -keystore <your_keystore_filename>
     
    2. To copy and paste the file certreq.csr into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).
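
A pre-submission check for the certreq.csr produced above, as an added example that is not part of eWAY's instructions. It uses the openssl utility (an assumption; the steps in this section use keytool) to confirm the request's self-signature, its 2048-bit key length, and that the Common Name is exactly the host name the site will be served under. The function names and the throwaway sample request are constructed for illustration.

```shell
#!/bin/sh
# Pre-submission check for a PKCS#10 request such as certreq.csr.
# Usage: check_csr FILE EXPECTED_HOSTNAME [MIN_BITS]   (MIN_BITS defaults to 2048)
check_csr() {
    csr=$1; want_cn=$2; min_bits=${3:-2048}; rc=0

    # The request must parse and its self-signature must verify. The message
    # text is matched instead of relying on the exit status alone.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "FAIL: unreadable request or bad self-signature"; return 1
    fi

    # Key length appears in the text dump as "Public-Key: (2048 bit)".
    bits=$(openssl req -in "$csr" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ "${bits:-0}" -lt "$min_bits" ]; then
        echo "FAIL: key is ${bits:-unknown} bits, need at least $min_bits"; rc=1
    fi

    # The Common Name must be exactly the host name the site is served under.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p' | head -n 1)
    if [ "$cn" != "$want_cn" ]; then
        echo "FAIL: CN is '$cn', site will be served as '$want_cn'"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $bits-bit key, CN=$cn"
    return "$rc"
}

# Constructed sample: a throwaway key and request using the page's example values.
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/sample.key" \
        -out "$1/sample.csr" \
        -subj "/C=US/ST=California/L=Berkeley/O=XYZ Corporation/CN=www.company.com" \
        2>/dev/null
}

demo=$(mktemp -d)
make_sample_csr "$demo"
check_csr "$demo/sample.csr" www.company.com          # passes
check_csr "$demo/sample.csr" company.com || true      # CN mismatch is reported
rm -rf "$demo"
```

Run it against the real request as `check_csr certreq.csr www.company.com`, substituting the host name you will enroll.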
  • Windows NT - IIS 4.0

    To generate a CSR, you will need to create a key pair for your server.

    Generate a Key Pair and Certificate Signing Request

    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

    1. Open the Microsoft Management Console (MMC) for IIS. This is normally reached by selecting Start -> Programs -> Windows NT 4.0 Option Pack -> Microsoft Internet Information Server -> Internet Service Manager.
    2. Expand the Internet Information Server folder by selecting the + sign and then select the + sign next to the computer name.
    3. Locate the website that is going to be using the SSL Certificate. This is usually the Default Web Site. Right click the website and choose Properties.
    4. In the Properties window, click the Directory Security tab.
    5. Click Edit and then click Key Manager.
    6. In Key Manager window, right click WWW and select Create New Key.
    7. Choose Put the request in a file that you will send to an authority. Select an appropriate filename (or accept the default).
    8. Enter values in the next window. Key lengths available will depend on the version and Service Packs installed. Remember the password you enter. Without it, you will not be able to install or back up the certificate.
      Note: For every website using SSL that has a distinct DNS name, there must be a certificate installed. Each SSL website MUST also have a distinct IP address. SSL does not support the use of host headers.
    9. You must specify a bit length for the CSR. Choose 2048.
    10. Fill out the appropriate contact information and click Finish. This information can be whatever you like as it will not show on the certificate.
    11. Key Manager displays a key icon under the WWW icon with a red slash through it indicating it is not complete.
    12. Choose Exit from the Computers menu. When asked to commit changes, click Yes. You have just created a key pair and a CSR.
    13. To copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters (Notepad is recommended).
    14. Go to the Enrollment.
    15. Paste the information into the enrollment form when prompted for the CSR.
  • Zeus Web Server

    To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made.

    NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
    If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.
    1. Open the Zeus Web Controller. For example: http://server:9090
    2. Click SSL Certificates > Certificates > Create
    3. Choose the option: Buy a certificate from another certifying authority.
    4. Fill out all fields for the Certificate Signing Request.
    5. Click OK.
    6. Save the CSR file to a safe location.
    7. Copy and paste the CSR into the online purchase process on eWAY's website.