
SSL Certificate Signing Request (CSR) Generation Guide - iPlanet 4.x

An Important Note Before You Start

Your private key is generated at the same time as the CSR file. If you lose the private key or forget its password, the certificate issued to you cannot be installed; you will have to regenerate the private key and the CSR and have a new certificate reissued free of charge. To avoid this, back up the private key file and make a note of its password as soon as the CSR has been generated, and ideally do not touch the server again until you have received the certificate.

By far the most common problem users have when going through this process is related to private keys. If you lose or cannot access a private key, you cannot use the certificate we issue to you and will need to request a free reissue. To ensure this never happens, we advise that a backup of the private key file is made and that a note is made of the password that is used to protect the export of the private key.

Generate a CSR for iPlanet 4.x

Solution ID: vs26895

Answer:

Note: In the interest of better security and the enablement of greater trust, we have decided that 1024-bit keys will now be the minimum strength used in the issuance of thawte digital certificates.

To activate the SSL protocol for your server, you will need to perform the procedures outlined in the following sections:

Create a New Server Instance

Create a Certificate Trust Database

Requesting a Certificate

Installing and Managing Certificates

1. To add another server instance, perform the following steps:

1.1. Access the Enterprise Administration Server and choose the Servers tab.

1.2. Click the Add Server link.

1.3. Enter the desired information for the specified fields.

2. To create a Certificate Trust Database:

A certificate database is a key-pair and certificate database installed on the local host. When you use an internal token, the certificate database is the database into which you install the key and certificate. In Enterprise Server 4.0, each server instance (including the Enterprise Administration Server) has its own certificate/key pair, which is referred to as a trust database.

A key-pair file contains both the public and private keys used for SSL encryption. You use the key-pair file when you request and install a certificate.

The key-pair file is stored encrypted in the following directory:

server_root/alias/-key.db

When you create the key, you specify a password that you later use when you request the certificate and when you start a server that is using encrypted communications.

To create the certificate trust database, perform the following steps:

2.1. Access the Enterprise Administration Server and choose the Security tab.

2.2. Select the desired cryptographic module (the PKCS#11 cryptographic module is the default).

2.3. Type the password in Database Password.

2.4. Re-type the password in Password (again).

2.5. Click OK.

If no database exists, Enterprise Server creates the proper key and certificate database files and stores them in the alias/ directory (otherwise, Enterprise Server displays an error message).

3. Requesting a Certificate:

3.1. Access the Enterprise Administration Server and choose the Security tab.

3.2. Click the Request Certificate link.

3.3. In the form that Enterprise Server displays, specify whether this is a new certificate or a renewal.

3.4. Perform the following steps to specify how you want to submit the request for the certificate:

3.4.1. If the CA expects to receive the request in an email message, check CA Email and enter the email address of the CA.

For a list of CAs, click List of available certificate authorities.

3.4.2. If you are requesting the certificate from an internal CA that is using Netscape Certificate Server, click CA URL and enter the URL for the Certificate Server. This URL should point to the Certificate Server's program that handles certificate requests. A sample URL might be: https://CA.mozilla.com:444/cms .

3.5. From the drop-down list, select the cryptographic module for the key-pair file you want to use when requesting the certificate.

3.6. Type the password for your key-pair file.

This is the same password you specified when you created the trust database in Creating a Certificate Trust Database.

The server uses the password to get your private key and encrypt a message to the CA. The server then sends both your public key and the encrypted message to the CA. The CA uses the public key to decrypt your message.

3.7. Type your identification information. The information required is listed as follows:

Common Name must be the fully qualified hostname used in DNS lookups (for example, www.netscape.com ). This is the hostname in the URL that a browser uses to connect to your site. It's important that these two names are the same; otherwise a client is notified that the certificate name doesn't match the site name, which will make people doubt the authenticity of your certificate. However, some CAs might require different information, so it's important to contact them. Note that you cannot use wildcards in a common name.

Organization is the official, legal name of your company, educational institution, partnership, and so on. Most CAs require that you verify this information with legal documents (such as a copy of a business license).


Organizational Unit is a field that describes an organization within your company. This can also be used to note a less formal company name (without the Inc., Corp., and so on).

Locality is a field that usually describes the city, principality, or country for the organization.

State or Province is usually required, but can be optional for some CAs. Note that most CAs won't accept abbreviations, but check with them to be sure.

Country is a required, two-character abbreviation of your country name (in ISO format).

The country code for the United States is US.

All this information is combined as a series of attribute-value pairs called the distinguished name (DN), which uniquely identifies the subject of the certificate.

3.8. Double-check your work to ensure accuracy. The more accurate the information, the faster your certificate is likely to be approved.

3.9. Click OK once you've checked that the information is correct.
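As an added example (not code from the original page or from iPlanet), here is a small Python pre-check of the DN fields against the rules in step 3.7 before you click OK: the Common Name must be a fully qualified hostname with no wildcard and must match the hostname in the site URL, Organization and State are required, State should not be abbreviated, and Country must be a two-letter ISO code. The sample field values and site URL are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample: the values a user would type into the iPlanet request form.
SAMPLE_FIELDS = {
    "CN": "www.example.com",
    "O": "Example Corporation Ltd.",
    "OU": "Web Services",
    "L": "Springfield",
    "ST": "Illinois",
    "C": "US",
}

def check_subject(fields, site_url):
    """Return a list of problems found in the DN fields (empty list means OK)."""
    problems = []
    cn = fields.get("CN", "")
    host = urlsplit(site_url).hostname or ""   # hostname a browser would use
    if "*" in cn:
        problems.append("CN must not contain a wildcard")
    if "." not in cn:
        problems.append("CN must be a fully qualified hostname")
    if cn.lower() != host.lower():
        problems.append("CN %r does not match site hostname %r" % (cn, host))
    if not fields.get("O"):
        problems.append("Organization is required")
    if not fields.get("ST"):
        problems.append("State or Province is required")
    elif len(fields["ST"]) <= 2:
        problems.append("State or Province looks abbreviated; most CAs want the full name")
    c = fields.get("C", "")
    if len(c) != 2 or not c.isalpha() or not c.isupper():
        problems.append("Country must be a two-letter ISO code such as US")
    return problems

def build_dn(fields):
    """Combine the fields into the attribute-value string form of the DN."""
    parts = []
    for key in ("CN", "OU", "O", "L", "ST", "C"):
        value = fields.get(key)
        if value:
            # Escape characters that would otherwise split the DN.
            escaped = value.replace("\\", "\\\\").replace(",", "\\,")
            parts.append("%s=%s" % (key, escaped))
    return ", ".join(parts)

if __name__ == "__main__":
    print(build_dn(SAMPLE_FIELDS))
    print(check_subject(SAMPLE_FIELDS, "https://www.example.com/"))
```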

Test the CSR and send it to WoSign: Start the certificate request process

After generating the CSR, we recommend that you test whether the generated CSR file is correct; click here to test your CSR file. Send the CSR file that passes the test to WoSign. Do not make any further changes to your server while you wait for the certificate to be issued.

To submit the CSR to WoSign for processing you should start the certificate enrollment process.