Certificate Signing Requests
Monday, 7 May 2012 by Bill Welliver
How to generate a CSR
I had a bit of trouble generating a CSR that Verisign would accept for Caudium. Here is what it took.
Prerequisites
You will need the OpenSSL libraries installed. I did this with OpenSSL 0.9.6 and it worked. Pike was not compiled with the OpenSSL libraries. I used a Caudium 1.0.35 snapshot taken 6/1/2001 by kiwi to get this working. bja was instrumental in getting the OpenSSL stuff working properly.
Generating the CSR
If you use Thawte as your registrar, you can generate the CSR through the Caudium Configuration Interface.
Instructions for generating a CSR that Verisign will accept:
In the Caudium Configuration Interface, click on Actions, then Security, then Generate a new RSA Key Pair.
At the prompt where it asks for a key file name, put in a filename such as servername.key. I would suggest that you preface the filename with ../ so that if you ever upgrade Caudium you don't have to move the key file and certs from server.old to server.
At the shell prompt, change to the directory where you created the servername.key file and type:
openssl req -new -key servername.key > servername.csr
It will ask you for a number of parameters:
Valid character rule -- if you have to hit the Shift key to generate a punctuation mark, it's probably not a valid character.
Country Name (using the ISO 2 letter Country Code).
State (must be spelled out, no abbreviations).
Locality or City (you can use a . or , in this field, but most other punctuation will render the CSR invalid).
Organization Name (Again, . or , are acceptable, most other punctuation is not).
Organizational Unit (put a . here to leave this field blank. If you are clustering servers, you can use this field as an identifier if the common name is the same for each of the keys you generate).
Common Name (this is your host name, such as www.servername.com. If you generate the key with just servername.com, your users will need to type http://servername.com, and http://www.servername.com will present them with a server name mismatch when they browse).
Email address.
__Challenge password__ -- Verisign does in fact use this when revoking certificates or asking for replacement certificates when you move servers.
Optional Company Name (put a . here to leave it blank).
After you finish, it will create a file called servername.csr. View that file, cut and paste the results into the window on Verisign's site that asks for the CSR.
Depending on what you use to Cut & Paste, you might want to make sure there are no trailing spaces at the end of the lines when you paste the CSR into Verisign's page.
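The two checks above (the valid-character rule for each field, and trailing spaces in the pasted CSR) can be automated. This is an added example, not Caudium or Verisign code: build_subject() validates the answers by the page's rules and turns them into a string for OpenSSL's -subj option, an alternative to answering the prompts interactively, and clean_csr() tidies a pasted PEM block before it goes into the web form. The field names, the sample answers and the sample PEM body are constructed for the example.

```python
import re
import base64
import binascii

# Characters the page calls safe in Distinguished Name fields: letters,
# digits, space, "." and ",". Anything that needs the Shift key is rejected.
SAFE_FIELD = re.compile(r"^[A-Za-z0-9 .,]+$")

# openssl -subj keys, in the order the req prompts ask for them (constructed names)
FIELD_KEYS = [("country", "C"), ("state", "ST"), ("locality", "L"),
              ("organization", "O"), ("unit", "OU"),
              ("common_name", "CN"), ("email", "emailAddress")]

def build_subject(fields):
    """Validate the prompt answers and return an `openssl req -subj` string.
    A lone "." leaves the field out, matching the interactive prompt convention."""
    parts = []
    for name, key in FIELD_KEYS:
        value = fields.get(name, "").strip()
        if value in ("", "."):
            continue  # "." means "leave blank" (Organizational Unit etc.)
        if name == "country" and not re.fullmatch(r"[A-Z]{2}", value):
            raise ValueError("country must be an ISO two-letter code")
        if name == "state" and len(value) <= 2:
            raise ValueError("state must be spelled out, no abbreviations")
        if name == "email":
            if not re.fullmatch(r"[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", value):
                raise ValueError("email address looks invalid")
        elif not SAFE_FIELD.match(value):
            raise ValueError(f"{name}: only letters, digits, space, '.' and ',' allowed")
        parts.append(f"/{key}={value}")
    return "".join(parts)

def clean_csr(pasted):
    """Strip trailing whitespace from a pasted PEM CSR and check the body decodes."""
    lines = [ln.rstrip() for ln in pasted.strip().splitlines() if ln.strip()]
    if (lines[0] != "-----BEGIN CERTIFICATE REQUEST-----"
            or lines[-1] != "-----END CERTIFICATE REQUEST-----"):
        raise ValueError("missing PEM CSR header or footer")
    try:
        base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error:
        raise ValueError("CSR body is not valid base64")
    return "\n".join(lines) + "\n"

# Constructed sample: a PEM wrapper around arbitrary base64 (NOT a real CSR),
# with the trailing spaces a terminal copy-and-paste can leave behind.
_BODY = base64.b64encode(b"constructed sample body, not a real CSR").decode()
SAMPLE_PASTE = ("-----BEGIN CERTIFICATE REQUEST-----   \n"
                + _BODY[:32] + "  \n" + _BODY[32:] + " \n"
                + "-----END CERTIFICATE REQUEST-----  \n")
```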
After Verisign accepts the CSR, make sure you enter the information on the Technical contact screen carefully. That information is used to let you know when a new certificate is generated (if you purchase 2 years in advance). It also is the only contact information that can request a new certificate, revoke a certificate or move a certificate from one server to another.
After you fill in that page, Verisign will send you an email with the Server ID. It generally takes a few minutes, but can take up to an hour.
Once you've received your certificate (the Server ID) via email, create a file called servername.cert in the /usr/local/caudium directory. Then follow these steps:
Create a new server (or modify an existing server).
Go into the Server Variables, click on Listen ports, change the Port to 443 and the protocol to SSL3, then click Use these values.
You will then be prompted for the Certificate and Key file names. If you generated them in the directory above the server directory, make sure to preface the filenames for the Certificate and Key files with ../ or put in the full path.
Click Use these values again. Then click Save. You will then be prompted for the URL -- make sure it says https://servername.com rather than http://servername.com if you copied the configuration to mirror a non-secure server.
After hitting Save the second time, it should activate the server; you should then be able to go into the Config Interface for the server, click on the Server URL, and it should pop up.
IE will NOT consider a page that loads graphics from a non-secure server as secure and will not present the little lock icon. If you are loading images with absolute references, you will need to adjust this.
After you get done with this, modify any code that you have that refers to id->remoteaddr to understand that it COULD be presented with "" as an IP number. It appears that somewhere in the socket communication process, when a machine is behind some firewalls, the IP address returned is "". It's pretty tough to consistently reproduce this because access logging doesn't work for the ones where the IP address returned is "" -- so unless you have something that generates a backtrace, you'll probably never notice this.
Helpful pages
http://www.verisign.com/products/site/index.html - the page to start the process of creating a Verisign ID
http://www.verisign.com/support/tlc/csr/ssleay/v01.html - the page that contained most of the information to create the key
http://www.verisign.com/support/tlc/csr/intro.html - describes some of the character requirements