Acquiring Certificates
Procedure
First, make the request (create the private key):
Generate the request on the server, where the secured service will be installed.
Prerequisites
-
Domain name that clients will use for connecting to the secured service. If you are using a public CA, the domain name must be registered as an internet DNS server.
-
Administrative access to the server, where the secured service will be installed.
-
Web access to the certification authority (CA) that will issue the certificate. The access does not need to be from the server where the secured service is located, but any access will do.
-
The certreq.exe command line administration tool is available and corresponds the server version.
Procedure
If the IIS Manager is available on the server, you can make the request with the wizard it provides. Otherwise, follow the procedure below.
-
Create the certificate request in a text editor, for example Notepad, as shown in the screenshot below.
For example, copy the text from the file Example_Internal_Server_Certificate.inf or Example_Client_Connection_Certificate.inf file in the Install folder Examples and Templates. Make sure there is no linefeed in the Subject line.
[NewRequest] Subject = "CN=<common name>,O=<organization>,OU=<organizational unit>,L=<location/city>,S=<state/province>,C=<country>" Exportable = TRUE KeySpec = 1 KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_ENCIPHERMENT_KEY_USAGE" KeyLength = 2048 MachineKeySet = TRUE HashAlgorithm = sha256 [EnhancedKeyUsageExtension] OID = 1.3.6.1.5.5.7.3.1 OID = 1.3.6.1.5.5.7.3.2
where:
-
[common name]: The address that the clients will use for connecting to the Connection Server. We recommend using domain name in the address, for example cos1.acme.com. This name must be a real existing domain.
If the certificate is used for ECF, the common name must be either IP address or Fully Qualified Domain Name (FQDN).
-
[organization]: Company name.
-
[organizational unit]: Department or division.
-
[location/city]: The city where your organization is physically located.
-
[state/province]: The area where your organization is physically located.
-
[country]: The country where your organization is physically located. Do not enter the country name but the two-character abbreviation defined in the ISO 3166 standard, for example Finland = FI, Sweden = SE, Germany = DE.
- KeyUsage: This must be defined for Java applications.
-
[EnhancedKeyUsageExtension]: use one of the following values, or both:
-
With the OID value 1.3.6.1.5.5.7.3.1 the certificate can be used as an SSL server certificate (Ensures the identity of a remote computer). Typically this value is used for client connection certificates, such as Connection Server sertificate.
-
The OID = 1.3.6.1.5.5.7.3.2 certificate can be used as an SSL client certificate. (Proves your identity to a remote computer) The term
client certificate
here does not mean the user authentication client certificate (SSO). -
Both values must be added if the certificate is used as an Internal Server Certificate.
-
-
If you need to secure with the same certificate different DNS addresses, consider using Subject Alternative Name (SAN). Enter in the newcert.inf file:
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "DNS=DNS name resolved to VU1 IP&"
_continue_ = "DNS=DNS name resolved to VU2 IP&"…
Note:Make sure that DNS names are resolved to IP addresses by the DNS server, or manually by adding resolving in the hosts file located under C:\Windows\System32\drivers\etc. For more information, see Microsoft documentation about creating SANs with certreq.exe.
For more information about parameters, see Microsoft documentation about certreq.exe syntax. For example, you can adjust the KeyLength according to your needs.
-
-
Save the file with the name newcert.inf.
-
Start the command prompt and change to the directory, where you saved the file above.
-
Execute the following command using the file name you have created above:
certreq -new newcert.inf newcert.req.
-
If everything goes as expected, the command does not write any response on screen, but a new file called newcert.req appears. You will need this file in the next phase. The request looks like the screenshot below:
Note:Make a backup copy of the request file in a secure place. If this private key is lost, for example by a hard-disk failure, the server cannot be recognized, and you must apply for a new certificate.
- Acquire the public key from a certification authority (CA).
- Install the certificate on your server and verify it.
- Configure the certificate for the service it is meant for.
For more information, see Installation Guide.