Generating a CSR

To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made. 
 

Step 1: Generate a Key Pair

NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

The utility "openssl" is used to generate the key and CSR. This utility comes with the OpenSSL package and is usually installed under /usr/local/ssl/bin. If you have installed them elsewhere you will need to adjust these instructions appropriately.
 
Type the following command at the prompt for a non-encrypted key:

openssl genrsa -out www.yourdomain-example.com.key 2048 
 
For an encrypted key use the below command (Please note, windows version of openssl is not compatible with password protected keys)
 
openssl genrsa -des3 -out www.yourdomain-example.com.key 2048


 
 
This command generates a 2048-bit RSA private key and stores it in the file www.yourdomain-example.com.key.
 
When prompted for a pass phrase: enter a secure password and remember it, as this pass phrase is what protects the private key. Both the private key and the certificate are required to enable SSL.
 
NOTE: To bypass the pass phrase requirement, omit the -des3 option when generating the private key. If you leave the private key unprotected, Geotrust recommends access to the server be restricted so that only authorized server administrators can access or read the private key file.
 

Step 2: Generate the CSR

Type the following command at the prompt:
 
openssl req -new -key www.yourdomain-example.com.key -out www.yourdomain-example.com.csr 


 
This command will prompt for the following X.509 attributes of the certificate:


 
Country Name: Use the two-letter code without punctuation for country, for example: AY or UK.
 
State or Province: Spell out the state completely; do not abbreviate the state or province name, for example: Queensland
 
Locality or City: The Locality field is the city or town name, for example: Perth. Do not abbreviate. For example: Saint Louis, not St. Louis
 
Company: If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll. Example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
 
Organizational Unit: This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request. To skip the OU field, press Enter on your keyboard.
 
Common Name: The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com". For wildcard certificate the syntax should look like *.company.com
 
Geotrust certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "secure.domain.com", because "secure.domain.com" is different from "domain.com".
 
Please do not enter your email address, challenge password or an optional company name when generating the CSR.
 
A public/private key pair has now been created. The private key (www.yourdomain-example.com.key) is stored locally on the server machine and is used for decryption. The public portion, in the form of a Certificate Signing Request (certrequest.csr), will be for certificate enrollment.
 
To copy and paste the information into the enrollment form, open the file in a text editor such as Notepad or Vi and save it as a .txt file. Do not use Microsoft Word as it may insert extra hidden characters that will alter the contents of the CSR.
 
Once the CSR has been created, proceed to Enrollment.
 

Step 3: Backup your private key

It is recommended to back up the .key file and storing of the corresponding pass phrase. A good choice is to create a copy of this file onto a diskette or other removable media. While backing up the private key is not required, having one will be helpful in the instance of server failure. 

To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made.

Step 1: Generate a Key Pair

NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.

If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

The utility "openssl" is used to generate the key and CSR. This utility comes with the OpenSSL package and is usually installed under /usr/local/ssl/bin. If you have installed them elsewhere you will need to adjust these instructions appropriately.
 
Type the following command at the prompt for a non-encrypted key:

openssl genrsa -out www.yourdomain-example.com.key 2048 
 
For an encrypted key use the below command (Please note, windows version of openssl is not compatible with password protected keys)
 
openssl genrsa -des3 -out www.yourdomain-example.com.key 2048


 
 
This command generates a 2048 bit RSA private key and stores it in the file www.yourdomain-example.com.key.
 
When prompted for a pass phrase: enter a secure password and remember it, as this pass phrase is what protects the private key. Both the private key and the certificate are required to enable SSL.
 
NOTE: To bypass the pass phrase requirement, omit the -des3 option when generating the private key. If you leave the private key unprotected, it is recommended access to the server be restricted so that only authorized server administrators can access or read the private key file.
 

Step 2: Generate the CSR

Type the following command at the prompt:
 
openssl req -new -key www.yourdomain-example.com.key -out www.yourdomain-example.com.csr 


 
This command will prompt for the following X.509 attributes of the certificate:


 
Country Name: Use the two-letter code without punctuation for country, for example: AU or UK.
 
State or Province: Spell out the state completely; do not abbreviate the state or province name, for example: Tasmania
 
Locality or City: The Locality field is the city or town name, for example: Sydney. Do not abbreviate. For example: Saint Louis, not St. Louis
 
Company: If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll. Example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
 
Organizational Unit: This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request. To skip the OU field, press Enter on your keyboard.
 
Common Name: The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com". For wildcard certificate the syntax should look like *.company.com
 
Certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "secure.domain.com", because "secure.domain.com" is different from "domain.com".
 
Please do not enter your email address, challenge password or an optional company name when generating the CSR.
 
A public/private key pair has now been created. The private key (www.yourdomain-example.com.key) is stored locally on the server machine and is used for decryption. The public portion, in the form of a Certificate Signing Request (certrequest.csr), will be for certificate enrollment.
 
To copy and paste the information into the enrollment form, open the file in a text editor such as Notepad or Vi and save it as a .txt file. Do not use Microsoft Word as it may insert extra hidden characters that will alter the contents of the CSR.
 
Once the CSR has been created, proceed to Enrollment.
 

Step 3: Backup your private key

It is recommended to back up the .key file and storing of the corresponding pass phrase. A good choice is to create a copy of this file onto a diskette or other removable media. While backing up the private key is not required, having one will be helpful in the instance of server failure. 

Step 1: Create a Keystore and Private Key

1. Run the following command to create the keystore and private key:
   
   keytool -genkey -alias <your_alias_name> -keyalg RSA -keystore <your_keystore_filename> -keysize 2048
   
   For example:
   
   
   
   
2. Enter and re-enter a keystore password.  Tomcat uses a default password of changeit.  Hit Enter if you want to keep the default password. If you use a different password, you will need to specify a custom password in the server.xml configuration file.
    
3. This command will prompt for the following X.509 attributes of the certificate:
   
   
   
   
   • First and last name (Common Name (CN)): Enter the domain of your website (i.e. www.myside.org) in the "first- and lastname" field.. It looks like "www.company.com" or "company.com". For wildcard certificate the syntax should look like *.company.com
   • Organizational Unit (OU): This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request.
   • Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll.  Example: XY & Z Corporation would be XYZ Corporation  
   • Locality or City (L): The Locality field is the city or town name, for example: Mountain View. 
   • State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California 
   • Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA
     
     Note: Certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different from "domain.com".
      
4. When prompted for the password for the private key alias, press Enter.  The key password is set to the same password used for the keystore from the previous step.  Make note of the private key and the keystore password. If lost they cannot be retrieved.
   
    
    

Step 2: Generate a CSR

1. Run the following command to generate the CSR:
   
   keytool -certreq -keyalg RSA -alias <your_alias_name> -file certreq.csr -keystore <your_keystore_filename>
   
   For example:
   
   
   
    
2. Verify your CSR
    
3. To copy and paste the file certreq.csr into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).  Make sure to include the "BEGIN CERTIFICATE REQUEST" and "END CERTIFICATE REQUEST" header and footer.
   
   The text file should look like this:
   
   -----BEGIN CERTIFICATE REQUEST-----
   
   [encoded data]
   
   -----END CERTIFICATE REQUEST-----
   
   Note: When enrolling for your certificate, you will be prompted to select a server platform.  Please select Apache as the server platform to ensure that you receive the certificate in the correct format.

Generate a Private Key and Certificate Signing Request

1. Start the Certificate Request Generator servlet. The .war file for the servlet is located in the \wlserver6.0\config\mydomain\applications directory. The .war file is automatically installed when you start WebLogic Server.

2. In a Web browser, enter the URL for the Certificate Request Generator servlet as follows: https://hostname:port/Certificate  
    
   The components of this URL are defined as follows:  
    
   hostname: The DNS name of the machine running WebLogic Server 
   port: The number of the port at which WebLogic Server listens for SSL connections. The default is 7002. 

3. The Certificate Request Generator servlet loads a form in your web browser.

4. Complete the form displayed in your browser

5. Click the Generate Request button.

6. You have just created a key pair and a CSR.

7. To copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).

Step 1: Generate a Keystore and Private Key

1. Create a certificate keystore and private key by executing the following keytool command:
   
   Note: The keytool utility is located in your JDK’s “bin” directory
   Note: For Extended Validation certificates or a certificate with a validity period beyond December 31, 2013 the key bit length must be 2048, add in the below command:  -keysize 2048

2. Specify a password. The default value will be "changeit".

Step 2: Generate a CSR

1. The CSR is then created using the following command:

2. To copy and paste the file certreq.csr into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).

NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

1. Select Server Management > Security > SSL. The Certificate Information for Server Desktop screen appears along with its associated buttons

2. To create a new self-signed certificate, click Create Self-Signed Certificate and configure the selections as follows:

? City. The city in which the organization is located or registered. It is important that this information is correct and can be verified with a local, regional, or national government, or other official organization.

? State or Province. The state, province, or region in which the above city is located. It is important that this information is correct and can be verified with a local, regional, or national government or other official organization.

? Country. Select the country in which the organization that will use this certificate is located or registered. It is important that this information is correct and can be verified with a local, regional, or national government or other official organization.

? Organization. The official name of the organization owning this certificate. In order to obtain a signed certificate from a certificate authority, the organization name and location must be verifiable with a local, regional, or national government or other official organization. In addition, the certificate authority must be able to verify that the person requesting the certificate is the owner or employee of the named organization.

? Organization Unit. The division or unit of the organization that is using this certificate. This is optional, but may be useful if the person applying for a signed certificate is an employee of a subsidiary of a larger organization.

? Contact Email. The email address to be contacted for information about this certificate.

? Certificate Expiration Date. The date after which the certificate should no longer be considered valid by client software attempting to connect to this server.

3. Click Create Signing Request to create a certificate signing request.

Note: In some cases, the state and province information does not apply, depending on the country and how it is divided into different areas.

4. After the fields are filled in, activate the Generate Self-Signed Certificate checkbox. This allows you to generate a self-signed certificate along with the signing request. The self-signed certificate can be used temporarily while you wait for the Certificate Authority to process your signing request. The certificate signing request can be submitted to a Certificate Authority to create a signed certificate that Web browsers can verify as authentic.

5. Click Manage Certificate Authorities to add or remove secondary certificate authorities for this site. The Certificate Authority Management for Server Desktop screen appears. Note: Secondary certificate authorities are usually not needed, but certain authorities issue an extra certificate to be used for client authentication in addition to the usual server certificate that most certificate authorities issue.

6. Configure the settings as follows:

? Select Certificate. Click Browse to select the file that contains the certificate authority's certificate. The certificate should be the only thing in the file.

7. Click Import to import a signed certificate

8. Click Browse to select the text file containing the certificate to import.

The certificate file must contain both the private key and certificate sections if you are transferring it from another server. If the certificate is from a certificate authority to which you submitted a certificate signing request generated by this server, only the certificate is necessary, but it is okay if a private key is included with the signed certificate.

9. Click Export to download the current private key and certificate, so the certificate can be transferred to another server.

NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.

If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

To generate the key and CSR for Cobalt XTR please follow the steps below:

Enable SSL on a virtual site:

1. Select the Server Management tab at the top. The ?Virtual Site List? table appears.

2. Click the green pencil icon next to the virtual site on which you want to enable SSL. The ?User List? table appears.

3. Select Site Settings > General on the left side.

4. Click to enable the check box Enable SSL.

5. Click Save Changes.

The server appliance saves the configuration of the virtual site.

Generate a self-signed certificate

Once the Server Administrator has enabled SSL, the Site Administrator must now create a self-signed certificate. The self-signed certificate can be signed later by an external authority.

1. Under the Site Management (<sitename>) tab, select Site Settings > SSL on the left side. The ?Certificate Subject Information? table appears.

2. Enter the following information:

Country?Enter the two-letter country code (for example, AU for Australia or US for United States).

State?Enter the name of the state (for example, New South Wales or California).

Locality?Enter the city or locality (for example, Sydney or Toronto).

Organization?Enter the name of the organization (for example, The Widgets Corporation).

Organizational Unit?As an option, enter the name of a department (for example, Hardware Engineering).

3. Select Generate self-signed certificate from the pull-down menu at the bottom.

4. Click Save Changes.

The server appliance processes the information and regenerates the screen with the new self-signed certificate in the Certificate Request and Certificate windows.

Links to Cobalt Manuals can be found below:

http://www.sun.com/hardware/serverappliances/

http://www.sun.com/hardware/serverappliances/documentation/

To generate a CSR, you first need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made.

Step 1: Generate a Private Key and Server Certificate

Step 2: Generate a CSR.

To generate a CSR, you first need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match your private key. You will have to request a new SSL Certificate and may be charged.  
 
eWAY recommends that you contact Covalent for additional information.
 

Step 1: Generate a Key Pair

Retail customers Note: The recommended key bit size is 2048-bit. All certificates that will expire after October, 2013 must have a 2048-bit key size.

MPKI for SSL customers Note: The recommended key bit size is 2048-bit. All certificates that will expire after December, 2013 must have a 2048-bit key size.

Use the utility “openssl” to generate the key and CSR. This utility comes with the OpenSSL package. You usually install it under/usr/local/ssl/bin. If it is installed elsewhere, adjust the directory used in these instructions.

• Change directory to your SSL Key directory: cd /usr/local/ssl/private
• Generate a Private key using the following command: openssl genrsa -des3 2048 > privatekeyfilename.key

Note: For Extended Validation certificates the key bit length must be 2048.
 

Step 2: Generate a CSR

1. Change directory to your SSL Certificate directory: cd /usr/local/ssl/crt

2. Generate a CSR using the following command:  
 
openssl req -new -key ../private/ privatekeyfilename.key > csrfilename.csr

This step will create the X.509 attributes of the certificate:

3. Verify your CSR

4. Open the file in a text editor that does not add extra characters (Notepad or vi are recommended).

5. Copy all of the text.

6. Go to the enrollment and paste the information into the  form when prompted for the CSR.

Contact Information

During the verification process, you may be contacted. Be sure to provide an email address, phone number, and fax number that will be checked and responded to quickly. These fields are not part of the certificate.

1. A Security Alert dialog box appears, click Yes
2. The authentication dialog box appears
3. Enter user name and password
4. Click OK
5. The Welcome screen opens.
6. In the navigation pane, click Proxies > Create SSL Certificate Request tab
7. In the Key Information section, select a key length and key file name
8. In the Certificate Information section, enter the following information 
   • Country Name (C): Use the two-letter code without punctuation for country, for example: UK or NZ. 
   • State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: Victoria
   • Locality or City (L): The Locality field is the city or town name, for example: Sydney. 
   • Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll. 
     Example: XYZ Corporation 
   • Organizational Unit (OU): This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request. 
   • Common Name (CN): The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com". For wildcard certificate the syntax should look like *.company.com
     
     Certificates can only be used on web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different from "domain.com".Please do not enter your email address, challenge password or an optional company name when generating the CSR.
      
9. Click Generate Certificate Request

To generate a CSR, you first need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made.

Use the utility "openssl" to generate the key and CSR.

1. This utility comes with the OpenSSL package. You usually install it under /usr/local/ssl/bin. (If you have installed openssl elsewhere you will need to adjust these instructions appropriately)

2. Generate a private key using the following command:

    openssl genrsa -des3 2048 > csrname.key

Note: To create a private key that is not encrypted with a passphrase, simply remove -des3 from the command
 

Step 2: Generate a Certificate Signing Request (CSR)

1. Change directory to your SSL Certificate directory: cd /usr/local/ssl/crt

3 . To copy and paste the information into the enrollment form, open the file csrname.csr in a text editor that does not add extra characters (Notepad or vi are recommended).

4 . Paste the information into the enrollment form when prompted for the CSR.

To generate the key and CSR for IBM through IKEYMAN please follow the instructions below:

First, a Key Database File(.kdb) using IKEYMAN needs to be generated. Please follow these steps :

1. Open the IKEYMAN Utility (From Windows NT click Start -> Programs -> IBM HTTP Server -> Start Key Management Utility
2. From the Menu Bar select "Key Database File"
3. Click on NEW
4. File Name= (The name of new Key Database file)
5. Location= (The location on the harddrive where the .kdb file will be stored)
6. After saving the file to the location specified, a password must be entered
Note: This is the password that will be used to open the .kdb file in IKEYMAN in the future

7. Make sure to click the box that states "Stash the password to a file?"
Note: This will encrypt the password and save the file as a .sth file in the same directory as the .kdb file.
8. Click OK

Generating the CSR

1. Open the Key Database File(.kdb) using the IKEYMAN utility
2. In the middle of the IKEYMAN GUI, there will be a section called "Key database content"
3. Click on the "down arrow" to the right, to display a list of three choices
4. Select "Personal Certificate Requests"
5. Key Label= (Name used to identify certificate in IKEYMAN)
Note: Using the SiteName (ex. www.robo.com) as the label is a good practice

6. Key Size= (2048)
7. Common Name= (SiteName, ex. www.robo.com)
8. Organization= (Company Name)
9. Enter the name of a file in which to store the certificate request
*Saving this file(.arm) in the same directory as the (.kdb) file is recommended.
10. Once the (.arm) file is saved, this completes the CSR generation process

For more information please refer to the IBM technical support link below:
http://www-1.ibm.com/support/docview.wss?rs=0&q=+ikeyman+and+ssl+certificate&uid=swg21006430&loc=en_US&cs=utf8&cc=us&lang=en

For more information on IKEYMAN please refer to the link below:
http://www-306.ibm.com/software/webservers/httpservers/doc/v1312/ibm/9atikeyu.htm#Header_9

To generate a CSR, you first need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, one, your SSL Certificate will no longer match and a replacement has to be made.

eWAY recommends that you contact IBM for additional information.

Step 1: Preparing your system to use the iKeyman utility.

1. Start the iKeyman graphical user interface (GUI) using either the gsk7ikm command (UNIX) or the strmqikm command (Windows).  
   Note: To use the iKeyman GUI, be sure that your machine can run the X Windows system.  
2. Be sure to set the following:
   • Set the DISPLAY environment variable. For example: export DISPLAY=mypc:0.
   • Ensure that the user's path contains /usr/bin.
   • Set the JAVA_HOME environment variable:

                          1. AIX: export JAVA_HOME =/usr/mqm/ssl/jre 
                          2. HP-UX: export JAVA_HOME =/opt/mqm/ssl 
                          3. Linux: export JAVA_HOME =/opt/mqm/ssl/jre 
                          4. Solaris: export JAVA_HOME =/opt/mqm/ssl
 

Step 2: Setting up a key repository.

1. Open the iKeyman GUI, or use the UNIX or Windows command line to do one of the following:  
    
   Using the iKeyman GUI: 
   Choose New from the Key Database File menu. Click Key database type, and select CMS. Type values forFile Name and Location, and set a password. 
    
   Using iKeycmd (UNIX command line): 
   Use these commands:   
   gsk7cmd -keydb -create -db filename -pw password -type cms -expire days –stash 
    
   Using iKeycmd (Windows command line): 
   Use these commands: 
   runmqckm -keydb -create -db filename -pw password -type cms -expire days –stash where:
   • -db filename is the fully qualified name of a CMS key database, with an extension .kdb.
   • -pw password is the password for the CMS key database, with an extension .cms.
   • -type cms is the type of database.
   • -expire days is the expiration time in days of the database password. The default is 60 days.
   • -stash tells iKeycmd to stash the key database password to a file.

On Windows, the key database file (.kdb) is created with read permission for all user IDs, so it is not necessary to change permissions. On UNIX, .kdb and .sth files are created. Access permissions for the key database file are set to give access only to the user ID from which you used iKeyman or iKeycmd.

2. If you are running UNIX, run chmod to give access to an MCA. For example:

• chmod g+r /var/mqm/qmgrs/QM1/ssl/key.kdb
• chmod g+r /var/mqm/qmgrs/QM1/ssl/key.sth

3. If you are running a queue manager, change the key repository location. For example:

• ALTER QMGR SSLKEYR ('/var/mqm/qmgrs/QM1/ssl/MyKey')

Step 3: Generating a CSR.Using the iKeyman GUI

1. Start the iKeyman graphical user interface (GUI) using either the gsk7ikm command (UNIX) or the strmqikm command (Windows).
2. In the iKeyman GUI, choose Open from the Key Database File menu. Click Key database type, and selectCMS.
3. Click Browse to navigate to the directory containing the key database files.
4. Select the appropriate key database file, for example key.kdb.
5. Click Open.
6. Type the key database password and click OK.
7. Click New Certificate Request from the Create menu.
8. Type the following in the Key Label field:

• For a queue manager, ibmwebspheremq followed by the name of your queue manager (in lowercase). For example, for QM1, type ibmwebspheremqqm1.
• For a WebSphere MQ client, ibmwebspheremq followed by your logon user ID (in lowercase). For example, ibmwebspheremqmyuserid.

9. Type values for Common Name, Organization, Organizational Unit, City/Locality, State/Province and select a Country from the list.

10. For Enter the name of a file in which to store the certificate request, either accept the default certreq.arm, or type a new pathname.
11. Click OK. When the confirmation window displays, click OK again.
12. The file you created contains the CSR. Submit the CSR to Geotrust.

Using iKeycmd (command line interface)

1. To generate a CSR in iKeycmd (using UNIX command line), use these commands:

• gsk7cmd -certreq -create -db filename -pw password -label label -dn distinguished_name -size key_size-filefilename

To generate a CSR in iKeycmd (using Windows command line), use these commands:

• runmqckm -certreq -create -db filename -pw password -label label -dn distinguished_name -size key_size-filefilename

         where:

• -db filename is the fully qualified name of a CMS key database, with an extension .kdb.
• -pw password is the password for the CMS key database, with an extension .cms.
• -label label is the key label attached to the certificate.
• -dn distinguished_name is the X.500 distinguished name enclosed in double quotes. Note that only the CN, O, and C attributes are required, and that you can supply only one OU attribute.
• -size key_size is the key size. We recommend that you make this value 2048 
• -file filename is the filename for the certificate request.

2. The file you created contains the CSR. Submit the CSR to eWAY.

NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

1. Select the HTTP server that you want to be secure.

2. Select the SSL tab on the main screen.

3. The next thing you need to do is name the secure server with the following information:

Common Name: usually www.registered domain name.com

E-Mail address: i.e. webmaster@registered domain name.com

Organization: Company Name

Organizational Unit: i.e. Research & Development

State or Province: i.e. California

Country: i.e. US

4. Next you must generate the certificate request. Select the certificate request button and you will be prompted to enter the following information:

Organization

Organizational Unit

Common Name

Locality - usually being the city

State

Country

5. Select the generate button after all the above information is entered and the server will take a minute or so to generate the request. You will get back a confirmation screen informing you that the certificate has been generated.

6. Select the view certificate information button and click on the certificate request tab and there will be a CSR in the text area below the tabs. Select the copy button so that the request can be pasted into the request form.

You will now have a valid CSR which can be pasted into the certificate request form.

NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

To generate a CSR for Infinite InterChange follow the instructions below:

Before you obtain a Certificate, you must generate a Certificate Signing Request (CSR) and a private encryption key. The SSL Module installation program prompts you to generate a server certificate after installing the SSL Module files.

If you generated a server certificate during the installation, you also created a CSR and a private encryption key. Go to the Infinite InterChange or WebMail SSL subdirectory. This directory contains your private key and CSR. Copy the contents of the SERVER.CSR file into the appropriate field of the online certification request form.

If you did not generate a server certificate during SSL Module installation, use the procedure that follows to generate a CSR

1. From the Configure menu, select System Services. The Configure System Services dialog box displays.

2. From the list of system services, select SSL and use the Configure button. The SSL Module displays a dialog box explaining why you need an SSL server certificate and how to obtain a Certificate of Authority.

3. Read all of the information on this dialog box and use the OK button. A Server Information dialog box displays.

4. Enter the appropriate information for your Infinite InterChange or WebMail server in each field on the server information dialog box. (If you need more information on filling out any of the fields, press the Help button in that dialog.) The SSL Module includes this information in the server certificate that verifies your server's identity to remote clients

5. Use the Generate Server Certificate button. The SSL module generates a server certificate, CSR, and a private key.

6. Use the OK button to exit the installation program.

7. Go to the Infinite InterChange or WebMail SSL subdirectory. This directory contains your private key and CSR. Copy the contents of the SERVER.CSR file into the appropriate field of the online certification request form.

Back up the contents of the SSL subdirectory to protect your CSR and private key.  

NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

A utility is provided to generate a public key pair and a certificate request. Its output includes three files:

* a file containing the private key, (for testing purposes you may call the file anything you like, but for live operation the file must be named server-priv.pem and stored in the PMDF table directory and it must be protected against world access---this is your private key!),

* a certificate request file containing the public key,

* and a self-signed certificate (which may be used while awaiting signing by a Certificate Authority of the certificate request) also containing the public key.

To use the utility, on OpenVMS, issue the command:

$ RUN PMDF_EXE:tls_certreq

Or on UNIX, issue the command:

% /pmdf/bin/tls_certreq

Or on NT, issue the command:

C:\> \pmdf\bin\tls_certreq

If you wish to write live files to the PMDF table directory, make sure that you are privileged to write to the PMDF table directory before invoking the utility. Otherwise, if you are going to do testing writing test files to some other directory, the utility itself does not require that you be privileged.

This utility invokes an interactive script that will prompt you for answers to a number of questions, including:

How many bits of encryption you would like to use.¹

The name of the file in which to store the private key part of the RSA key pair.

Your e-mail address (as the person responsible for the certificate request).

The two character ISO country code² for the country in which the PMDF system is located.

The state or province in which the PMDF system is located.

The city in which the PMDF system is located.

The official name of your organization.

Optional additional organization information.

The name of the file in which to store the generated certificate request.

The number of days for which you would like your temporary self-signed certificate to be valid.

The name of the file in which to store the self-signed certificate. When prompted for information, if there is a default value available, it will be shown within square brackets. Some questions do not require answers and will be presented displaying (optional) if you can simply press RETURN to skip that question.

A sample execution on OpenVMS of PMDF_EXE:tls_certreq is shown in the example below; execution is analogous on UNIX and NT, modulo only different file name syntax.Example 16-1 Sample execution of the tls_certreq utility on OpenVMS

To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made.

It is recommended that you contact the Domino vendor for additional information. 

To generate a Certificate Signing Request (CSR) file using Apple Mac OS X 10.6, snow leopard, perform the following steps:

1. Launch the Server Admin tool and connect to the server where you want to install the certificate.
   1. Applications > Server > Server Admin
      
2. Double click the server name in the SERVERS list.
3. Enter the password, click Connect
4. From the toolbar select Certificates
5. Click + (add) button
6. Select Create a Certificate Identity to open Certificate Assistant
   • Name: Your certificate name (e.g. www.verisign.com)
   • Identity Type: Self Signed Root
   • Certificate Type: SSL Server
   • Override the defaults by selecting the option “Let me override defaults”
     
7. Click Continue
8. Changes to the Serial Number or Validity Period is not required, click Continue
9. Enter the Certificate Information:
   • Email Address - An email address of the responsible party for certificates
   • Common Name - The fully-qualified domain name for which you plan to use your certificate (e.g., - "www.example.com").
   • Organization - The full legal name of your organization. The listed organization must be the legal registrant of the domain name in the certificate request.
   • Organizational Unit (Optional) - Enter the name of a business unit or group. If applicable, you may enter the DBA (doing business as) name in this field.
   • City (Locality) - Name of the city in which your organization is registered/located. Please spell out the name of the city. Note: Do not abbreviate.
   • State/Province - Name of state or province where your organization is located. Please enter the full name. Note: Do not abbreviate.
   • Country - The two-letter International Organization for Standardization (ISO) format country code for the country in which your organization is legally registered.
10. Click Continue
11. Key Pair Information:
    • Key Size: 2048 bits
    • Algorithm: RSA
12. Click Continue
13. Proceed through the following screens, accept the defaults for each of the following:
    
    
    1. Key Usage Extension
    2. Extended Key Usage Extension
    3. Basic Constraints Extension
    4. Subject Alternative Name Extension
14. After the last screen, the Certificate Assistant will save the Certificate and quit. You will be returned to Server Admin, and the self signed certificate should be displayed in the Certificates pane.
15. Select the new certificate.
16. Below the certificate name, click the Action menu (looks like a gear) and choose Generate Certificate Signing Request (CSR).
17. Click Save to save the CSR.
     

For additional information please see the following Apple Support article:

http://support.apple.com/kb/HT3976

To generate a CSR for Apple Mac OS X Server, perform the following steps:

Note: Using the Server Admin utility to create certificate requests for new certificates and renewals is not recommended, as it can lead to issues when installing the new SSL certificate.

To create a CSR for the SSL certificate enrollment or renewal, the administrator (root) password will be required, along with access to the servers' command line - either via Terminal.app or SSH.

Connect to your server and run the following three commands at the command line:

cd /etc/httpd/ sudo openssl req -new -newkey rsa:2048 -nodes 
-keyout ssl.key/private.key -out certreq.txt sudo chmod 640 
ssl.key/private.key 

When the second command is run, the administrator password will be requested and a short wizard will run to specify the information that will appear in the SSL certificate - see below for details:

• Country Name: The uppercase two-letter code for the country where your organization operates.
• State or Province Name: The state in which your organization operates - must NOT be abbreviated.
• Locality Name: The city or suburb where your organization is located - must NOT be abbreviated.
• Organization Name: The full, legal entity name for your organization - must NOT be abbreviated.
• Organizational Unit Name: The department of your organization that will be using the SSL certificate.
• Common Name: The website address or FQDN that will be secured by the SSL certificate. For wildcard certificate the syntax should look like *.company.com
• Email Address: Leave blank.
• A challenge password: Leave blank.
• An optional company name: Leave blank.

The new private key (private.key) and CSR (certreq.txt) files will be created. The third command prevents the private key from being world readable - the private key should be protected at all times to prevent compromise of the SSL certificate.

During enrollment or renewal, you will need the contents of the certreq.txt file from the above openssl command; open the file in a text editor and copy the entire contents in to the enrollment form where requested.

NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

To generate a CSR for Marimba follow the instructions below:

To request a certificate for a Marimba Transmitter, run Marimba's Certificate Manager Channel from a Marimba Tuner.

The Certificate Manager provides a certificate request wizard to help with the request process.

Click on the Request Button on the Certificate Manager GUI to start the wizard.

The first window of the wizard contains a check box for ordering test certificates.

Leave this box unchecked, and click the Next button proceed with the ordering process.

The instructions will lead you through the following steps:

Step 1 - Digital ID information

Enter the host name and company information for the Transmitter.

Step 2 - Passwords

Enter a password for storing your certificate on your local disk, then click the Next button

Step 3 - Key Generation

Enter the 256 key strokes required to generate a key pair then click the Next button

Step 4 - Choosing a Certificate Authority

Select the Vendor enrollment entry in the drop down menu then click the Next button. 

To generate a CSR, use the Exchange Management Shell. To access the Exchange Management Shell perform the following steps: 

Retail customers Note: The recommended key bit size is 2048-bit. All certificates that will expire after October, 2013 must have a 2048-bit key size.

MPKI for SSL customers Note: The recommended key bit size is 2048-bit. All certificates that will expire after December, 2013 must have a 2048-bit key size.

1. Click Start
    
2. Click All Programs
    
3. Click Microsoft Exchange Server 2007
   
   
4. Click Exchange Management Shell
   
   
5. From the Exchange Management Shell enter the following command:
   
   New-ExchangeCertificate -GenerateRequest -SubjectName "C=US, S=State, L=City, O=Organization, OU=Organizational Unit, CN=www.website.com" -privatekeyexportable:$true -keysize 2048 -Path c:\certificate_request.txt
   
   The CSR needs to contain the following attributes:
   
   Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.
   State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California.
   Locality or City (L): The Locality field is the city or town name, for example: Berkeley.
   Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll, for example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
   Organizational Unit (OU): This field is the name of the department or organization unit making the request.
   Common Name (CN): The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com". For wildcard certificate the syntax should look like *.company.com
   Subject Alternative Names (SANs): During enrollment for the SSL certificate, SANs can be entered into the enrollment fields.
   
    
6. Verify your CSR
    
7. Proceed to enrollment.
         

To generate a CSR for Microsoft Exchange 2010, use the Exchange Certificate Wizard.  Please perform the following steps:

1. Open the Exchange Management Console by going to Start > Programs > Microsoft Exchange 2010 > Exchange Management Console.
    
2. Select Manage Databases
    
3. Select Server Configuration in the left menu, and then New Exchange Certificate from the actions menu on the right.
    
4. When prompted for a friendly name, enter a name by which you can easily remember and identify this certificate. This name is used for identification only and does not form part of the CSR.
    
5. Under Domain Scope, leave the option to Enable wild card certificate unchecked and click Next.
   Note: If you are requesting a Wildcard Certificate, select this option, click Next, and proceed to Step 8.
    
6. In the Exchange Configuration menu, select the services that will be secured, and enter the URLs used to connect to those services.  
    
7. Click Next.
    
8. In the Certificate Domains section, Exchange 2010 will provide a list of domains to include in your certificate request.  
   Note: eWAY enrollment pages will only recognize the URL that you Set as common name.  It is recommended that you delete / remove the other URLs in this list.  You will need to manually enter these URLs as Subject Alternative Names (SANs) when enrolling for the certificate (at Step 16).
    
9. Click Next.
    
10. In the Organization and Location section, please provide the following information:
     
    • Organization: If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll, for example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
    • Organizational unit: This field is the name of the department or organization unit making the request.
    • Country/region: Use the two-letter code without punctuation for country, for example: US or CA.
    • City/locality: The Locality field is the city or town name, for example: Berkeley.
    • State/province: Spell out the state completely; do not abbreviate the state or province name, for example: California.
11. Click Next.
     
12. Click Browse to save the CSR to your computer as a .req file, then click Save. 
     
13. Click Next > New > Finish.
     
14. You will now be able to open the CSR with notepad. Copy everything from the first - of the BEGIN line right through to the last - of the END line into the online order form.
     
15. Verify your CSR
     
16. Proceed to Enrollment.

 

1. Open the Internet Services Manager. Click Start > All Programs > Administrative Tools > Internet Services Manager.

2. In the IIS Manager, choose your server name

3. In the Features pane (the middle pane), double-click the Server Certificates option located under the Security heading.

4. To begin the process of requesting a new certificate, from the Actions pane, choose the Create Certificate Request option.

5. The first screen of the wizard asks for details regarding the new site. The common name should match the fully-qualified domain name for the site. Otherwise, provide information about your site, making sure to spell out the name of your state and locality.

6. Click Next to continue.

7. The next screen of the wizard asks you to choose cryptography options. The default, Microsoft RSA SChannel Cryptography Provider is fine. Select 2048 bit length.

8. Click Next to continue.

9. Provide a filename to which to save the certificate request. You will need the contents of this file in the enrollment, so make sure you know where to find it.

NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

1. After you have installed Netscape Commerce server, start up the admin server and connect to it.

2. Select the server you want to run in secure mode and you will be presented with a page entitled "Netscape Server Manager - Commerce Server".

3. Under "Security Configuration" there is a link called "generate a key".

4. Select it and follow the instructions. This creates your private key. Next, select "request a certificate" to generate a CSR.

5. In the space where it asks for a Certificate authority enter your own email address.

6. A copy of the CSR will be mailed to you by the server - you can keep this for future reference.

When you have completed the form, submit it. The resulting page gives you your CSR. It looks like this:

-----BEGIN CERTIFICATE REQUEST-----

MIIBujCCASMCAQAwejELMAkGA1UEBhMCQ0ExEzARBgNVBAgTClRFc3QgU3RhdGUx

ETAPBgNVBAcTCENvbG9yYWR0MRswGQYDVQQKExJDYW5hZGlhbiBUZXN0IE9yZy4x

EjAQBgNVBAsTCU9VIE9mZmljZTESMBAGA1UEAxMJd3d3LmV4LmNhMIGfMA0GCSqG

SIb3DQEBAQUAA4GNADCBiQKBgQD5PIij2FNa+Zfk1OHtptspcSBkfkfZ3jFxYA6y

po3+YbQhO3PLTvNfQj9mhb0xWyvoNvL8Gnp1GUPgiw9GvRao603yHebgc2bioAKo

TkWTmW+C8+Ka42wMVrgcW32rNYmDnDWOSBWWR1L1j1YkQBK1nQnQzV3U/h0mr+AS

E/nV7wIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEAAAhxY1dcw6P8cDEDG4UiwB0D

OoQnFb3WYVl7d4+6lfOtKfuL/Ep0blLWXQoVpOICF3gfAF6wcAbeg5MtiWwTwvXR

tJ2jszsZbpOuIt0WU1+cCYivxuTi18CQNQrsrD4s2ZJytkzDTAcz1Nmiuh93eqYw

+kydUyRYlOMEIomNFIQ=

-----END CERTIFICATE REQUEST-----

Copy your CSR from that page, and save it for future reference.

NOTE: A key length of 1024 bit is the default, but it is recommended to use a 2048 bit key.
If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048 bit key length will need to be selected.

Key generation under the Netscape Enterprise series of servers is accomplished as follows:

    * Generating a Key Pair and Certificate Signing Request Using Netscape Enterprise Server

    * Generating a key-pair file on Unix platforms

    * Generating a key-pair file on Windows NT platforms

    * Generate A Certificate Signing Request

    * Back up your Key Pair File

Generating a Key Pair and Certificate Signing Request Using Netscape Enterprise Server 

You will now use your Netscape Enterprise Server to create a key-pair file and a Certificate Signing Request

A key-pair file contains both the public and private keys used for SSL encryption. You use the key-pair file when you request and install a certificate. The key-pair file is stored encrypted in the directory <server_root>/alias/<alias>-key.db. When you create the key, you specify a password that you later use when you start a server that is using encrypted communications.

 Generating a key-pair file on Unix platforms

From the Unix command line:

1. Log in as root and change to the server root directory.
    
2. Run the key-pair file generation program by changing to the directory bin/admin/admin/bin and typing ./sec-key.
    
3. When prompted, type an alias for the new key-pair file. You might choose an alias that matches your server (for example, web or mail). The alias cannot contain spaces, but it can use symbols that your operating system allows in filenames (such as underscores). By default, the key-pair file is stored in <server_root>/alias/<alias> -key.db, where <alias> is the alias you typed. If you used the alias mail, your key-pair file would be <server_root> /alias/mail-key.db.
    
4. A screen with a progress meter appears. Type any random keys at different speeds until the progress meter is full. The time between each of your keystrokes will be used to generate a random number for the unique key-pair file.
    
5. When prompted, type a password of eight characters or more for your key-pair file. The password must have at least one non-alphabetical character (a number or punctuation mark). Make sure you memorize this password. The security of your server is only as good as the security of the key-pair file and its password.
    
6. After you enable SSL for a server (either the administration server or another Netscape server), you must type the key-pair file password when you start the server.
    
7. Retype the password and click OK. The file is created and stored.      

 Generating a key-pair file on Windows NT platforms

From the Windows NT command prompt:

1. Go to the <server root>/bin/admin/admin/bin directory.
    
2. Run the sec-key.exe application. The key-pair file generation program appears.
    
3. When prompted, type an alias for the new key-pair file. You might choose an alias that matches your server (for example, web or mail). The alias cannot contain spaces, but it can use symbols that your operating system allows in filenames (such as hyphens and underscores). By default, the key-pair file is stored in the directory C:/<server_root>/alias/<alias>-key.db where <alias> is the alias you typed. If you used the alias mail, your key-pair file would be C:/<server_root>/alias/mail-key.db.
    
4. A screen with a progress meter appears. Move your mouse in random motions at random speeds. These random movements are used to generate a random number for the unique key-pair file.
    
5. When prompted, type a password of eight characters or more for your key-pair file. The password must have at least one non-alphabetical character (a number or punctuation mark). Make sure you memorize this password. The security of your server is only as good as the security of the key-pair file and its password.
    
6. After you turn on SSL for a server (either the administration server or another Netscape server), you must type the key-pair file password when you start the server.
    
7. Retype the password and click OK. The file is created and stored.

 Generate a Certificate Signing Request

After you generate the key-pair file, you must create a Special File called a Certificate Signing Request

1. In the Server Administration page, choose Keys & Certificates|Request Certificate.
    
2. In the form that appears, specify that this is a new certificate.
    
3. Specify that you want to submit the request for the certificate via e-mail Put YOUR OWN e-mail address in the space specified for the e-mail address of the CA.
    
4. From the drop-down list, select the alias for the key-pair file you want to use when requesting the certificate.
    
5. Type the password for your key-pair file.
    
6. Type the information that will appear in your Digital ID. This should be as follows:
   
   
   
   • Common Name is the fully qualified hostname used in DNS lookups (for example, www.netscape.com). This is the hostname in the URL that a browser uses to connect to your site. It's important that these two names are the same, otherwise a client is notified that the certificate name doesn't match the site name, which will make people doubt the authenticity of your certificate. Please make sure that the common name ends in the domain name whose ownership you established in step 2. For a wildcard certificate the syntax should look like *.company.com
      
   • Email Address is your business email address. This is used for correspondence between you and the issuer.
      
   • Organization is the official, legal name of your company, educational institution, partnership, and so on. This should be the name of the company associated with the Dun & Bradstreet number your generated in step 6
      
   • Organizational Unit is an optional field that describes an organization within your company. This can also be used to note a less formal company name (without the Inc., Corp., and so on).
      
   • Locality is an optional field that usually describes the city, principality, or country for the organization.
      
   • State or Province Spell out in full (e.g. use California instead of CA)
      
   • Country is a required, two-character abbreviation of your country name (in ISO format). The country code for the United States is US.
      
   • Double-check your work to ensure accuracy. The more accurate the information, the faster the approval and issue of your certificate
      
   • Click OK when the information is correct.
      
   • The server generates a certificate signing request that contains your information and your public key. This information is e-mailed to you.

 Back up your Key Pair File

It is imperative that you back up your key pair file. Please save this information on a floppy disk, or other removable media, and store it in a secure place, such as a safe or safe-deposit box.

To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match. You will have to request a new SSL Certificate and may be charged.

It is recommended that you contact the iPlanet vendor for additional information. 

Retail customers Note: The recommended key bit size is 2048-bit. All certificates that will expire after October, 2013 must have a 2048-bit key size.

MPKI for SSL customers Note: The recommended key bit size is 2048-bit. All certificates that will expire after December, 2013 must have a 2048-bit key size.
 

Step 1: Create a Key Database

1. Select the server instance to manage and click Manage.
2. Click Security
3. Click Create Database
4. Enter and confirm a password to protect this database.

 

Step 2: Generate a CSR

1. Click Request a Certificate
   1. Enter your email address as the CA Email address. VeriSign does not use this email for accepting certificates, so a copy will be emailed to you.
   2. Enter a key pair file password to protect your keys. This can be the same password as the key database.
   3. Fill out all of the CSR information, and click OK.

This step will prompt for the following X.509 attributes of the certificate:

Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA. 
State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California 
Locality or City (L): The Locality field is the city or town name, for example: Berkeley. 
Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll. 
Example: XYZ Corporation 
Organizational Unit (OU): This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request. 
Common Name (CN): The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com". For a wildcard certificate the syntax should look like *.company.com

Certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different from "domain.com".

2. The server will generate the CSR and display it on the page. To copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).
3. Click Apply to commit the changes. You have just created a key pair and a CSR.
4. Verify your CSR
5. Go to Enrollment.

Contact Information

During the verification process, You may need to be contacted. Be sure to provide an email address, phone number, and fax number that will be checked and responded to quickly. These fields are not part of the certificate.

2. Select your newly created certificate identifier in the drop-down menu at the top.

3. Fill out the fields including the common name, organization and location information. Common Name: for a wildcard certificate the syntax should look like *.company.com

4. Select the bit length.

5. Click Update.

6. Click Apply button on the top of the screen.

7. To copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).

8. Click Apply Changes.

9. Copy and past the CSR into the enrollment pages

Step 1: Create a new wallet for Oracle Wallet Manager

1. From the menu bar, select Wallet > New
2. Enter the password twice > click OK
   Note: The password must contain eight alphanumeric characters and special characters
3. Select Add a certificate request.  If not, select Cancel > select Wallet > Save in the system default to save the new wallet

 

1. Select Operations > Add Certificate Request
   
2. A dialog box will appear to enter your certificate information. Common Name: For a wildcard certificate the syntax should look like *.company.com
3. Select OK

Step 3: Export a Certificate Signing Request (CSR) as a file

1. In the left panel, select the Certificate Signing Request you want to export
2. From the menu bar, select Operations > Export Certificate Request
3. Enter a file name and directory you want to save your file to > select OK

To generate a CSR on an Oracle Web Server, perform the following steps:

NOTE: A key length of 1024-bit is the default, but Thawte recommends the use of a 2048-bit key.
If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

In this first step you generate a request for the certificate issuer. It involves generating a public/private key-pair and identifying the server, the organization using it, and its webmaster. The private key is encrypted and should never leave your server, except for backup purposes.

The public key will become part of the certificate and is therefore sent to the issuer, together with the rest of the information identifying your organization and your server.

To generate a certificate request, you will run the interactive utility genreq and enter the information for which it prompts you.

When the prompt specifies a default value, you can just press return to enter that value, or enter a different value if you prefer.

For an example of how to use genreq, see the following sample genreq session. Before you start, create a directory to store all SSL related files in, for example $ORACLE_HOME/ows2/ssl. To avoid typing long path names or moving files later, you can start genreq from this directory.

To run genreq, do the following:

- Start genreq, located in $ORACLE_HOME\OWS20\BIN on NT (typically c:\orant\ows20\bin) and $ORACLE_HOME/ows2/bin on UNIX:

- Type G to begin creating a certificate request:

- When prompted, type a password (minimum of 8 characters), used in encrypting your private key. Remember this password.

- Retype the password for confirmation. If the password do not match, genreq will not warn you, it will just repeat step 3.

- Choose the public exponent you want to use one in generating the key pair. The only two recognized exponents are 3 and 65537, commonly called Fermat 4 or F4.

- Enter the size in bits of the modulus you want to use in generating the key pair. For the version of genreq sold in the United States of America, the size may be from 1 to 1024. The default size is 768 bits and the maximum is 1024 bits. A modulus size of 1024 is recommended for most browsers and also by Thawte. For versions of genreq sold outside the USA, the maximum (and default) modulus size is 512 bits. (NOTE: 1024 bits would be equal to a 128-bit encryption)

- Choose one of three methods for generating a random seed to use in generating the key pair:

- Random file: genreq prompts you to enter the full pathname of a file in your local file system. This can be any file that is at least 256 bytes in size, does not contain any secret information, and has contents that cannot easily be guessed (on UNIX, you can use /var/adm/messages, on NT you can use \WINNT\System32\config\AppEvent.Evt)

- Random key sequences: genreq prompts you to enter random keystrokes. genreq uses the variation in time between keystrokes to generate the seed. Don't use the keyboard's autorepeat capability, and don't wait longer than two seconds between keystrokes. genreq prompts you when you have typed enough keystrokes. You must delete any unused characters typed after this prompt.

- Both: genreq prompts you to enter both a file name and random keystrokes. This option is recommended.

The next three steps will tell genreq where it should write certain files. If you've created an ssl directory and have started genreq from this directory, you can accept the defaults. Otherwise, you may want to include full pathnames, or plan to move the files that genreq created later.

- Enter the name of a file in which to store your WebServer's distinguished name. You can choose the default, or enter any filename with a .der extension. genreq creates this file in the current directory, though you may later move it to any convenient location.

- Enter the name of a file in which to store your WebServer's private key. You can choose the default, or enter any filename with a .der extension. genreq creates this file in the current directory, though you may later move it to any convenient location.

- Enter the name of a file in which to store the certificate request. You can choose the default, or enter any filename with a .pkc extension.

- Enter the requested identification information for your organization:

Common Name - The fully qualified host name of your organization's Internet point of presence as defined by the Domain Name Service (DNS).

Example: govt.us.oracle.com

Organizational Unit (optional) - The name of the group, division, or other unit of your organization responsible for your Internet presence, or an informal or shortened name for your organization.

Example: Oracle Government

Organization - The official, legal name of your company or organization. Most CAs require you to verify this name by providing official documents, such as a business license.

Example: Oracle Corporation

Locality - (optional) The city, principality, or country where your organization is located.

Example: Bethesda

State or Province - The full name of the state or province where your organization is located. eWAY does not accept abbreviations.

Example: Victoria

Country - The two-character ISO-format abbreviation for the country where your organization is located. The country code for the

Example: United Kingdom is UK.

WebMaster's Name - The name of the Web Master responsible for the site. This person will serve as a technical contact.

Example: Milla Jovovich

WebMaster's Email Address - The email address where Thawte can contact the Web Master.

Example: mj@us.oracle.com

Server Software Version - The name and version number of the application for which you are getting the certificate (you should accept the default value).

Creating a keystore with a certificate: 

Creating a secure site: 

To generate a CSR for Plesk 8.1, perform the following steps:

NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

1. Click the Domains shortcut in the navigation pane. 
2. Click the required domain name in the list. 
3. Click  Certificates in the Services group. A list of SSL certificates that you have in your repository will be displayed. 
4. Click  Add New Certificate. 
  Specify the certificate properties: 

• Certificate name. This will help you identify this certificate in the repository. 
• Encryption level. Choose the encryption level of your SSL certificate. We recommend that you choose a value more than 1024-bit.
• Specify your location and organization name and organisation unit, eg sales or IT etc. The values you enter should not exceed the length of 64 symbols. 
• Specify the domain name for the SSL certificate. This should be a fully qualified domain name. Example:www.your-domain.com. For a wildcard certificate the syntax should look like *.company.com 
• Make sure that all the provided information is correct and accurate, as it will be used to generate your private key.

5. Click Request. Your private key and certificate signing request will be generated and stored in the repository. 
6. Download the certificate signing request (CSR) file and save it on your machine. To do this, click the respective  icon. 
7. Open the file in a text editor, copy the text enclosed in lines -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- to the clipboard. 
You can then use the CSR to purchase a certificate from eWAY.

Note: In the interest of better security and the enablement of greater trust, we have decided that 1024-bit keys will now be the minimum strength used in the issuance of digital certificates.

To request a certificate do the following:

1. Launch Quid Pro Quo Secure, and select "Request Certificate..." from the Control menu.

You will be presented with the Certificate Request dialog. 

To create your request, you must fill out the required information, and generate a private key.

2. Generate your private key. If you are using a US-only version of Quid Pro Quo Secure, you will have three options for private key sizes: 512, 768, and 1024 bits. 

The recommended key size is 1024 bits. 

It is the most secure key available, and there is little reason for choosing a smaller key size. If you are using an exportable version of Quid Pro Quo Secure, you will only have the 512-bit key size available.

3. Click the "Generate" button. After a few seconds (or more, depending on the size of the key selected and the speed of your computer's processor), you be asked to save your private key.

4. Save the file in your Quid Pro Quo Secure application folder, giving the file whatever descriptive name you would like, such as "Server Private Key".

5. Enter information for all requested information fields. In order to generate your request, you must fill out all of the fields:

Webmaster (This is either your name or the name of the person that will be the contact point for the certificate authority.

If the certificate authority needs to verify information or otherwise contact your organization, this is the person they will contact.)

Common Name (This is the domain name of your server exactly as users will type it into their browsers, for instance "www.socialeng.com"). For a wildcard certificate the syntax should look like *.company.com

Wildcard characters, such as "*.socialeng.com" are not allowed. It is important to get the domain name correct; if its not, users will get a warning dialog each time they connect to your site.

Contact Email Address (This is the email address of the person listed in the Webmaster field)

Organization  (This is the name of your organization as you would like it to appear in your certificate.

Certificate authorities will verify your right to use the name that appears in this field, so it should be the full legal name of your organization, for instance "Social Engineering Incorporated".)

Organization Unit (This field is used to describe the sub-group of your organization for

Locality This is the city in which your organization is located, for instance "Berkeley" )

State (This is the non-abbreviated name of the state or province in which your organization is located, for instance "California" )

Country Code (This is the two character ISO country code for the country in which your server is located, for instance in the United Stated, "US", and in Canada, "CA" )

Telephone Number (This is the telephone number of the person listed as your contact in the Webmaster field.)

When you have all of the fields filled out and your private key has been generated, click the "OK" button.

Your certificate request will be generated and you will be asked to save the request. Save the file.

Quid Pro Quo Secure certificate requests are created in standard PKCS #10 format.

This is the format accepted by eWAY.

The certificate request you have created is saved as a SimpleText file with a plain-text description of the certificate request and the PKCS-encoded certificate request.

The request will look something like:

-----BEGIN NEW CERTIFICATE REQUEST-----

MIIB1DCCAT0CAQAwgZUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh

MREwDwYDVQQHEwhCZXJrZWxleTEoMCYGA1UEChQfU29jaWFsIEVuZ2luZWVyaW5n

IEluY29ycG9yYXRlZDEYMBYGA1UECxQPV2lkZ2V0IERpdmlzaW9uMRowGAYDVQQD

FBF3d3cuc29jaWFsZW5nLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA

u4/YSMVdCDEwPraIMIg5CpOXLREoF3CPQLHUF48XJiGBROxFOKcp5vkAqSRionVD

tbUFVGXFzc4dB8Ofsul1ryZRIbgAU2gkOsoKC+qzOS8wl/3Eqd6h7IDG1VjdfJ5A

oPvAE4l73PjaKfL3o1T3/FW/iMbCsA3Fx6rM0ti6jWMCAwEAATANBgkqhkiG9w0B

AQQFAAOBgQBULi2DAHKpUwXM66imT/SqYa5E1GJZan5lpyVbf3LFdHw3BtlOapGM

WuVEODtWOSTkbaqxBz4VthcnH/5gpfVIeH2pU1NYsGtwF2zW2tWTjRadZ2od2S12

SxPzPYe4k6+QWJHrFrvd12nLV38QiVvsW2TPPPTI2vZ1FOqe2ZklhA==

-----END NEW CERTIFICATE REQUEST-----

Copy your newly generated request (including the "-----BEGIN..." and "-----END..." tags) to the clipboard.

This is the CSR that you have to paste into the enrollment form. 

Note: In the interest of better security and the enablement of greater trust, we have decided that 2048-bit keys will now be the minimum strength used in the issuance of digital certificates.

These instructions were provided by Covalent, and at this stage Covalent will provide all technical support for Raven SSL. 

Please make sure that you are especially careful to backup the private key once it has been generated.  Your certificate will not work without that private key.

For users of Raven 1.2, the certificate generation process is invoked with the following command typed at a shell prompt. 

# ./ravenctl -cert

The process first prompts for the name of the certificate.

Please enter the server name you wish to generate for. 

# ./ravenctl -cert

Name of the server you are issuing certificate for? -->

example.covalent.net

######################################################################

The key name chosen is example.covalent.net.key.

The certificate name is example.covalent.net.cert.

The key/certificate pairs will be stored in /usr/local/ssl.

######################################################################

You are about to generate a new key and key request. The key request will be sent to the email address of your choice and the keyfile will reside in /usr/local/ssl/private/example.covalent.net.key.

Choose the size of your key. Select 2048 bits

The process first prompts for the name of the certificate.

Input your choice of key size at the prompt. 

# ./ravenctl -cert

Number of bits in key (384 minimum, 2048 maximum)? -->  2048 

Generating random data, using the truerand library developed by Matt Blaze, Jim Reeds, and Jack Lacy at AT&T. This may take some time.

Generating 2048 bits of randomness: ................................

Generating 2048 random bits based on measuring the time interval between your keystrokes.  Please enter random text on your keyboard.

Generating the key. This may also take some time. Be patient.

The passphrase you enter here is very important. Do not lose it.

640 semi-random bytes loaded

Generating RSA private key ,512 bit long modulus

...+++++

....+++++

e is 65537 (0x10001)

Choose a pass phrase that is secure. Don't forget this password. 

 Enter PEM pass phrase: ...................

Verifying password - Enter PEM pass phrase: ...................

Key successfully generated.

You must respond below with "Y" to generate a signing request. 

# ./ravenctl -cert

Would you like to send a Certificate Request to a CA? [Y/n]: -->  y

A Thawte CSR does *not* require the following options. Answer "N". 

Does your CA need the ASN1-Kludge? (VeriSign) [y/N]: -->  n

Generating certificate request. This process will also create a temporary certificate for testing until you receive the certificate from your CA. Please enter the following information:

Using configuration from /usr/local/ssl/lib/ssleay.cnf

The pass phrase entered here is the phrase that you chose above. 

Enter PEM pass phrase: ...................

You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [US]: AU

State or Province Name (full name) [State]: Victoria

Locality Name (eg, city) [City]: Melbourne

Organization Name (eg, company) [Organization]: Umbrella Pharmaceuticals PTY LTD.

Organizational Unit Name (eg, section) [Division]: Secure Services

It is important that your Common Name matches the name that the server will identify itself as when serving requests. Enter that server name below. For example, if you will be pointing people at https://www.bob.com/ then your server name would be www.bob.com. If your server has a real name ("adonis") and an alias ("secure" or "www") and you will be pointing people at the alias, then make sure you give the alias here, otherwise the browser will claim that the site name does not match the certificate.

It is also important that you give your State name, City name and two-letter UPPER CASE country code.  The Organizational Unit field is optional.

Common Name (eg, YOUR name) [www.servername.com]: example.covalent.net

Email Address [webmaster@servername.com]: webmaster@covalent.net

Using configuration from /usr/local/ssl/lib/ssleay.cnf

Certificate Request:

Data:

Version: 0 (0x0)

Subject: C=AU, ST=Victoria, L=Melbourne, O=Umbrella Pharmaceuticals PTY LTD.

OU=Secure Services, CN=example.covalent.net/Email=webmaster@umbrella.com

Subject Public Key Info:

    Public Key Algorithm: rsaEncryption

    RSA Public Key: (512 bit)

        Modulus (512 bit):

            00:c0:34:7e:a5:02:f7:35:8e:42:7b:ce:69:e9:31:

            c0:4e:fd:d2:a7:6e:2f:ee:0b:09:84:00:b5:dc:49:

            3c:36:0b:82:74:7b:c8:65:3b:c4:85:b1:f8:71:86:

            78:71:39:7c:03:16:c0:2b:50:d4:f1:dd:2a:f2:ce:

            f3:68:35:d7:43

        Exponent: 65537 (0x10001)

Signature Algorithm: md5WithRSAEncryption

40:26:58:76:fe:a5:69:ab:fe:fd:f6:6e:0d:3b:f8:79:06:7e:

96:e3:1f:e0:44:12:c1:51:c6:58:f8:38:85:92:67:4e:99:ba:

3e:55:42:94:31:94:50:ba:96:19:4e:31:4a:d4:39:d6:91:12:

10:64:20:38:9c:df:df:ea:c8:72

Webmaster email:  webmaster@umbrella.com

Webmaster phone:  +1.402.441.5710

Mailing the CSR to your personal email account will allow you to easily cut and paste the request into the Thawte submission form. Please enter that address below. 

Send CSR via Email to? -->  yourmail@umbrella.com

Certificate request sent to yourmail@umbrella.com.

Creating a self-signed certificate for use until your chosen CA delivers your signed certificate.

Using configuration from /usr/local/ssl/lib/ssleay.cnf

The pass phrase entered here is the phrase that you chose above. 

Enter PEM pass phrase: ...................

The following questions should match the information previously provided above. 

You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [US]: AU

State or Province Name (full name) [State]: Victoria

Locality Name (eg, city) []:Melbourne

Organization Name (eg, company) [Organization]: Umbrella Pharmaceuticals PTY LTD.

Organizational Unit Name (eg, section) [Division]: Secure Services

Common Name (eg, YOUR name) [www.servername.com]: example.umbrella.com

Email Address [webmaster@servername.com]: webmaster@umbrella.com

Key and certificate have been successfully installed.

CSR generation process is complete. Check your email to obtain the CSR. Cut and paste this request into the certificate request forms. 

Again, please backup the contents of /usr/local/ssl/private so that you are sure you have backup copies of your private key.  

Note: In the interest of better security and the enablement of greater trust, we have decided that 1024-bit keys will now be the minimum strength used in the issuance of thawte digital certificates.

The RavenCTL Management Interface

The following procedure shows the process required to generate a key file and CSR (certificate signing request) for your SSL server.

Generate the Private Key

Name of the file to store certificate/key?

           [server.domain.com] --> www.domain.com

At the prompt above, enter the name of the file that you wish to store the certificate and key file in. This is typically the Common Name of the server or the Apache configured ServerName.

The key file name you have chosen is www.domain.com.key.

The certificate file name will be www.domain.com.cert.

Press [ENTER] to continue:

The prompt above indicates the file names in which you have chosen to store this certificate and key. These file names will be stored in /usr/local/raven/module/pki/keys and /usr/local/raven/module/pki/certs respectively.

Choose the size of your key. Smaller key sizes provide faster server response but will provide diminished security.

Key sizes less than 512 bits are easily cracked. For high security applications you will want a key size not less than 1024 bits.

Number of bits in key (512 minimum, 1024 maximum)? [1024] --> 512

Deciding how strong the key pair should be

At the prompt above, enter the number of bits that you want your key file to contain. More bits means that the key will be harder to crack but there will be more server overhead required to encrypt the data. Fewer bits means less overhead for the server to encrypt the data, but makes the key easier to crack. Enter values divisible by 128. ie (512, 640, 768, 896, 1024).

Generating random data, using the truerand library developed by Matt Blaze, Jim Reeds, and Jack Lacy at AT&T. This may take some time.

Generating 1024 bits of randomness: ...............................

Generating 1024 random bits based on measuring the time interval between your keystrokes.  Please enter random text on your keyboard.

1024 <- remaining

The key generation process provides an internal random entropy generator. The process will create twice the number of random bits that you have chosen for you key size. After the internal random data generator completes it's process, you will be prompted to enter key strokes to create yet another random entropy pool. This process helps assure that your key is difficult to predict and thereby crack.

Generating the key. This will take some time. Be patient. The passphrase you enter here is very important. Do not lose it.

192 semi-random bytes loaded

Generating RSA private key, 512 bit long modulus

..........+++++

...+++++

e is 65537 (0x10001)

Enter PEM pass phrase:

Verifying password - Enter PEM pass phrase:

Entering a Passphrase for the encryption of the private key

After the key is created, you will be prompted to enter a pass phrase to use to encrypt your key as it is stored on disk. It is not necessary to keep keys encrypted on disk and this adds to difficulty in automating the startup process for the server since an encrypted key will require you to enter a pass phrase during the server startup phase.

You should make note of the passphrase at this point. If you forget it you will not be able to access your private key and the certificate that corresponds to that private key will be effectively useless and you will have to buy a new one.


Backing up the Private Key

You should also make a backup of your private key as well. If you lose your private key you will not be able to use your certificate and you will have to buy a new one. Read our tough Key Loss Policy.

I'll say it again -- back up your Private Key!
 

Generate the CSR and temporary self-signed certificate

Self-signing certificate for temporary internal use.

Using configuration from /usr/local/raven/module/pki/lib/certtool.conf

Enter PEM pass phrase:

Enter the pass phrase that you have chosen for this certificate in the generation process above.

You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [US]:

State or Province Name (full name) [Some-State]:

Enter the State or Province for the company being represented by this certificate.

Locality Name (eg, city) [Some-City]:

Enter the City for the company being represented by this certificate.

Organization Name (eg, company) [Some-Company/Organization]:

Enter the Company Name being represented by this certificate.

Organizational Unit Name (eg, section) [Secure Services Division]:

Enter the division of the company being represented by this certificate.

Common Name (eg, server name) [www.servername.com]:

Enter the Apache ServerName being represented by this certificate.

Email Address [webmaster@servername.com]:

Enter the email contact for the person representing this company.

Key and certificate have been successfully installed.

Thanks for choosing Raven. Press [ENTER] to continue:

Step 1: Generating the Private Key

Step 2: Create the Certificate Signing Request

Note: In the interest of better security and the enablement of greater trust, we have decided that 2048-bit keys will now be the minimum strength used in the issuance of digital certificates.

1. Run the SilverStream AgDigitalIDStep1 program to generate a CSR and private key (PKCS8 password protected). 

2. Goto a CA and submit the CSR. 

3. Get the X.509 Certificate in Base64 encoded format from the CA

4. Run the SilverStream AgDigitalIDStep2 program to upload the Certificate and the private key to SilverServer. 

5. Restart SilverServer to make SSL port active.

There is a configuration (httpd.props) setting that will allow you to change which CN (certificate domain name) the server will look for. You are allowed multiple certificates (with different CN) to be uploaded to the server, since they are stored in the master dB that all servers in a SilverStream Cluster use. Each server will then use the CN that matches it.

Generating a CSR using Novel Silverstream

A CSR is a file containing your certificate application information, including your Public Key. Generate your CSR and then copy and paste the CSR file into the webform in the enrollment process:

Generate keys and Certificate Signing Request:

• Start the SMC and select the Security icon from the toolbar
   
• Select Certificates
   
• Select the RSA tab
   
• Choose Generate Request
   
• Complete the items on the panel
   
• The Server DNS Name field should be the Fully Qualified  Name(FQDN) or the web address for which you plan to use your Certificate, e.g. the area of your site you wish customers to connect to using SSL. For example, an SSL Certificate issued for domain.com will not be valid forsecure.domain.com. If the web address to be used for SSL is secure.domain.com, ensure that the common name submitted in the CSR is secure.domain.com. 
   
• Click Next
   
• The following panel allows you to specify the size of the key pair to generate - Select 2048 and click Next

• If prompted, specify the size of the key pair to generate
   
• Click Next
   
• The following panel shows the paths for the CSR (Certificate Signing Request). You may edit these paths if you choose. You will use this information later when installing the certificate

• Click Next 
   
• You may click Copy CSR to Clipboard to copy the contents of the CSR and paste into our web form
   
• Click Finish

2. Launch “OpenSSL”.

3. Enter the following command to create a private key.

    genrsa -des3 -out c:\test\key.pem 2048

4. Enter in a passphrase to protect the key (at least six characters).

5. Enter the following command to create a certificate request:

    req –new –key c:\test\key.pem –out c:\test\req.pem –config openssl_config.txt 

6. Enter in all the required fields for the certificate you want to generate.

7. You have just created a key pair and a CSR.

8. To copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).

9. Copy and paste the CSR into the enrollment page.

NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

For SSLeay Key and CSR Generation, perform the following steps:

More and more secure web servers and value-added cryptographic applications are using the SSLeay free cryptographic toolkit, which includes a variety of libraries and utilities to manage secure sockets and public key cryptography.

SSLeay can be found at ftp://psych.uq.edu.au/pub/Crypto/SSL/.

These servers by and large use the same key and certificate format, and generate Certificate Signing Requests (CSR's) that are compatible with the eWAY Certification System.

Examples are Sioux, Stronghold, ApacheSSL, Alibaba (which is linked against a very old version of SSLeay) and secure versions of WN.

In all of these servers you can use the following procedure to generate your CSR:

Locate ssleay

These instructions assume that SSLeay is installed, and that you have the executable ssleay in your PATH.

They also assume that you are using version 0.8.1 or later... ssleay version will tell you which version you are using.

Generate your key:

ssleay genrsa -des3 1024 > www.myserver.com.key 
This command sequence will generate a private key and store it in the file www.myserver.com.key. It will ask you for a pass phrase: use something secure and remember it.

Your certificate will be useless without the key.

If you don't want to protect your key with a pass phrase (only if you absolutely trust that server, and you make sure the permissions are carefully set so only you can read that key) you can leave out the -des3 option.

Generate your CSR:

ssleay req -new -key www.myserver.com.key> www.myserver.com.csr

This command sequence will prompt you for the attributes of your certificate.

You will now have a private key in www.myserver.com.key and a CSR in www.myserver.com.csr.

Paste the CSR into our forms, and hold on to your key. You will need the key to operate your secure server when we issue your certificate. 

To generate a CSR, you will need to create a key pair for your server.

1. Run genkey, specifying the name of the host or virtual host: genkey hostname. The genkey script displays the filenames and locations of the key file and CSR file it will generate:  
 
    Key file: /usr/local/www/sslhostname.key  
    CSR file: /usr/local/www/sslhostname.cert  
 
Note: If you already have a key for your server, run genreq [servername] to generate only the CSR.

2. Press Enter. The genkey script reminds you to be sure you are not overwriting an existing key pair and certificate.

3. When prompted, enter a key size in bits. We recommend using the largest key size available: 2048 bits.

4. When prompted, enter random key strokes. Stop when the counter reaches zero and genkey beeps. This random data to create a unique public and private key pair.

5. When prompted, enter y to create the key pair and CSR.

6. Select your CA.

7. Enter all of the information requested and press Enter. Back up your key file and CSR on a USB stick and store the disk in a secure location. If you lose your private key or forget the password, you will not be able to install your Secure Server ID and will need to request and purchase a new one.

You have just created a key pair and a CSR.

8. To copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).

9. Copy and past the CSR into the enrollment page.

Step 1: Create a Key Database

Step 2: Generate a CSR

6. Click Apply to commit the changes. You have just created a key pair and a CSR.

Step 1: Create a Key Database

Step 2: Generate a CSR.

• Enter your own email address as the CA Email address. Although your Sun server supports the use of email for sending certificate requests, Geotrust requires you to paste the certificate request into the enrollment form.
• Enter a key pair file password to protect your keys.
• Fill out all of the CSR information, and click OK.

2. The server will generate the CSR and display it on the page. Copy and paste the CSR into a text editor that does not add extra characters (Notepad or Vi are recommended).  

You have just created a key pair and a CSR.

3. Go to the Enrollment URL.

4. Paste the information into the enrollment form when prompted for the CSR.

Note: You must copy the entire CSR, including every character in the Begin New Certificate Request and End New Certificate Request lines.

To generate a CSR, you first need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made.  
 
It is recommended that you contact Sybase for additional information.

NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

1. Run the Security Manager application.

2. Select the Private Keys folder.

3. Select File > Key/Cert Wizard.

4. Supply the required information. Use Back and Next to review or change any information.

5. Click Finish to exit the wizard. Security Manager generates the key pair and saves the certificate request to a file that you specify.

6. Go to the enrollment form and paste the information into the form when prompted for the CSR.

The new private key appears on the right side of the window when you highlight the Private Keys folder. Once the certificate is received and installed, the private key is removed from the private key list.

1. Under Administrative Tools, open Internet Services Manager.

2. Open the Properties window by right-clicking on the name of the Web site you wish to secure.

3. Click the Directory Security tab.

4. Click Server Certificate in the Secure communications section. If you have not used this option before the Editbutton will not be active.

5. Select Create a new certificate

6. Select Prepare the request now, but send it later.

7. Complete the information requested by the IIS Certificate Wizard to create a private key that is stored locally on your server and a public key (the Certificate Signing Request) that you will use during the enrollment process. You have successfully generated a CSR file.

8. Click Finish to exit the IIS Certificate Wizard. A CSR file has been generated.

9. Go to the enrollment form and paste the information into the form when prompted for the CSR.

To generate a CSR, you first need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match your private key. You will have to request a new SSL Certificate and may be charged. 

The CSR needs to contain the following attributes:

- Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.
- State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California.
- Locality or City (L): The Locality field is the city or town name, for example: Berkeley.
- Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll, for example: XY & Z Corporation would be XYZ Corportation or XY and Z Corportation.
- Organizational Unit (OU): This field is the name of the department or organization unit making the request.
- Common Name (CN): The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com".

Note: VeriSign certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different from "domain.com".

eWAY recommends that you contact Sybase for additional information.

Note: The recommended key bit size is 2048-bit. All certificates that will expire after December 31, 2013 must have a 2048-bit key size

Generate a Key Pair and Certificate Signing Request

1. Open the Microsoft Management Console (MMC) for IIS. This is normally reached by selecting Start -> Programs -> Windows NT 4.0 Option Pack -> Microsoft Internet Information Server -> Internet Service Manager.
2. Expand the Internet Information Server folder by selecting the + sign and then select the + sign next to the computer name.
3. Locate the website that is going to be using the SSL Certificate. This is usually the Default Web Site. Right click the website and choose Properties.
4. In the Properties window, click the Directory Security tab.
5. Click Edit and then click Key Manager.
6. In Key Manager window, right click WWW and select Create New Key.
7. Choose Put the request in a file that you will send to an authority. Select an appropriate filename (or accept the default).
8. Enter values in the next window. Key lengths available will depend on the version and Service Packs installed. Remember the password you enter. Without it, you will not be able to install or back up the certificate.  
   Note: You must install a certificate for every website using SSL that has a distinct DNS name. Each website for SSL must also have a distinct IP address.
9. You must specify a bit length for the CSR. Choose 2048.
   Note: For Extended Validation certificates the key bit length must be 2048.
10. Fill out the appropriate contact information and click Finish. This information can be whatever you like as it will not show on the certificate.
11. Key Manager displays a key icon under the WWW icon with a red slash through it indicating it is not complete.
12. Choose Exit from the Computers menu. When asked to commit changes, click Yes. You have just created a key pair and a CSR.
13. Verify your CSR
14. To copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters (Notepad is recommended).
15. Go to the enrollment form and paste the information into the form when prompted for the CSR.

Contact Information

During the verification process, the certificate issuer may need to contact your organization. Be sure to provide an email address, phone number, and fax number that will be checked and responded to quickly. These fields are not part of the certificate.

Note: In the interest of better security and the enablement of greater trust, we have decided that 2048-bit keys will now be the minimum strength used in the issuance of digital certificates.

WebTen Key and CSR Generation

In order to obtain a server certificate, a Certificate Signing Request (CSR) must be sent to the Certificate Authority, along with other proof of identity documents.

1. Fill out the SSL Settings form within the WebTen Administration Server.

2. Submit the completed CSR to the Certificate Authority. Cut and paste the CSR from the SSL Settings form into the eWAY online form.

Your official certificate will be digitally signed and e-mailed to you by the CA.

Rename the certificate to "xx.xx.xx.xx.crt" (where <xx.xx.xx.xx> is the IP address of the virtual host for which the certificate was generated),

and place the official certificate in the tenon/ssl/private folder.

The official certificate will replace the temporary self-signed certificate generated by WebTen for use prior to receipt of the official certificate.

SSL Settings
To generate a certificate request, click on the Certificate button beside the SSLSecurity entry in the WebTen Virtual Host Configuration table found here:

http://www.tenon.com/products/webten/UserGuide2.0/8_VirtualHosts.html#11497

The SSL Settings page is a form for generating a Certificate Signing Request (CSR).

SSL Certificate Request Form

Common Name: The Common Name is the domain name of the Web server or of an IP-based virtual host.For a wildcard certificate the syntax should look like *.company.com

This must be a fully qualified domain name, not an IP address or a DNS alias.

Organization Name: The Organization Name is the legal organization name.

Organizational Unit: The Organizational Unit is the department name or the name of a unit within an organization. This field is optional.

Locality:The Locality is the name of the city in which the organization resides. This field is optional.

State or Province: The State or Province is the name of the state or province in which the organization resides.

Country Code: The Country Code is a two-character country code for the country in which the organization resides.

Email Address: The Email Address is the email address of a contact or representative within this organization.

Generating a CSR

To generate a Certificate Signing Request (CSR) save the SSL Settings via the Save CSR button. This action has several effects.

If a private key for this virtual host does not exist, such a key is created and saved in a secure area in WebTen's internal file system.

The actual Certificate Signing Request information is displayed in the WebTen Administration Server.

This CSR is a X.509 formatted document which can be copied and pasted directly into Thawte's online request form.

This CSR is also saved in the tenon/ssl/certs folder in a file named xx.xx.xx.xx.csr (where <xx.xx.xx.xx> is the IP address of the virtual host for which the CSR was generated).

Certificate Signing Request A temporary, self-signed certificate is created for use while your CSR is being processed by the CA.

The self-signed certificate will allow your virtual server to perform secure transactions while your official certificate request is being processed. 

Instructions can also be found at the website:

http://www.tenon.com/products/webten/UserGuide2.0/8_VirtualHosts.html#11497

To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made.
 

Step 1: Create a Keystore and Private Key

Step 2: Generate a CSR

To generate a CSR, you will need to create a key pair for your server.

Generate a Key Pair and Certificate Signing Request

NOTE: A key length of 1024-bit is the default, but it is recommended to use a 2048-bit key.
If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected

1. Open the Microsoft Management Console (MMC) for IIS. This is normally reached by selecting Start -> Programs -> Windows NT 4.0 Option Pack -> Microsoft Internet Information Server -> Internet Service Manager.
2. Expand the Internet Information Server folder by selecting the + sign and then select the + sign next to the computer name.
3. Locate the website that is going to be using the SSL Certificate. This is usually the Default Web Site. Right click the website and choose Properties.
4. In the Properties window, click the Directory Security tab.
5. Click Edit and then click Key Manager.
6. In Key Manager window, right click WWW and select Create New Key.
7. Choose Put the request in a file that you will send to an authority. Select an appropriate filename (or accept the default).
8. Enter values in the next window. Key lengths available will depend on the version and Service Packs installed. Remember the password you enter. Without it, you will not be able to install or backup the certificate.  
   Note: For every website using SSL that has a distinct DNS name, there must be a certificate installed. Each website for SSL MUST also have a distinct IP address as well. SSL does not support the use of host headers.
9. You must specify a bit length for the CSR. Choose 2048
10. Fill out the appropriate contact information and click Finish. This information can be whatever you like as it will not show on the certificate.
11. Key Manager displays a key icon under the WWW icon with a red slash through it indicating it is not complete.
12. Choose Exit from the Computers menu. When asked to commit changes, click Yes. You have just created a key pair and a CSR.
13. To copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters (Notepad is recommended).
14. Go to the Enrollment.
15. Paste the information into the enrollment form when prompted for the CSR.

To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made.

1. Open the Zeus Web Controller. For example: http://server:9090
2. Click SSL Certificates > Certificates > Create
3. Choose the option: Buy a certificate from another certifying authority.
4. Fill out all fields for the Certificate Signing Request.
5. Click OK.
6. Save the CSR file to a safe location.
7. Copy and paste the CSR into the online purchase process on eWAY's website.