How to do a CA Request and Get a Certificate
As a reminder, here is the certification process explained. This process can be done either in the Portecle add-on we provide, or with another generator such as openssl, IIS, online sites, or the CA provider's own application.
1. Reminder - Certification process
Certificates are delivered by Certificate Authorities (CA). This is a 3-step process.
a) The generation of a key pair (private key) using standard RSA 2048 bits. This key is then used to generate the CA request.
b) The generated CA request is transmitted to the Certificate Authority (CA). It contains all the information the provider needs to deliver a certificate: Country Name (2-letter code), State or Province Full Name, Locality Name, Organization Name (e.g. the company), a valid email address and the Common Name (CN), e.g. MyDomainName.com.
The main task is creating the request by correctly filling in a form that asks for all the information listed above.
c) The Certificate Authority verifies the information you transmitted and returns the certificate. The returned certificate certifies your domain name and possibly also includes the intermediate certificates that are required. The certificate also contains the CA reply (the validated private key). Once you have the certificate, the CA reply, its key pair (private key) and the intermediate certificates, they must be imported into the keystore handled by TS2log.
2. How to generate a CSR (Certificate Signing Request)
You will need Microsoft IIS installed on a server, or even on your desktop.
Simply turn on the Internet Information Services features (except FTP); they can be removed later.
1) Open Internet Information Services (IIS) Manager
1. From Start, select Administrative Tools, and then select Internet Information Services (IIS) Manager.
2. In the Connections panel on the left, click on the server name for which you want to generate the CSR.
3. In the middle panel, double-click Server Certificates.
4. In the Actions panel on the right, click Create Certificate Request.
5. Enter the following Distinguished Name Properties, and then click Next:
The following characters are not accepted when entering information: < > ~ ! @ # $ % ^ * / \ ( ) ? &
- Common Name — The fully-qualified domain name (FQDN) — or URL — for which you plan to use your certificate (the area of your site you want customers to connect to using SSL).
- An SSL certificate issued for www.coolexample.com is not valid for secure.coolexample.com. If you want your SSL to cover secure.coolexample.com, make sure the common name submitted in the CSR is secure.coolexample.com.
- If you are requesting a wildcard certificate, add an asterisk (*) on the left side of the Common Name (e.g. *.coolexample.com or *.secure.coolexample.com).
- Organization — The name in which your business is legally registered. The organization must be the legal registrant of the domain name in the certificate request. If you are enrolling as an individual, enter the certificate requester’s name in the Organization field, and the Doing Business As (DBA) name in the Organizational Unit field.
- Organizational Unit — Use this field to differentiate between divisions within an organization (such as “Engineering” or “Human Resources”).
- City/Locality — The full name of the city in which your organization is registered/located. Do not abbreviate.
- State/Province — The full name of state or province where your organization is located. Do not abbreviate.
- Country — The two-letter International Organization for Standardization (ISO) code for the country in which your organization is legally registered.
6. For Cryptographic service provider, select Microsoft RSA SChannel Cryptographic Provider.
7. For Bit length, select 2048 or higher, and then click Next.
8. Click …, enter the location and file name for your CSR, and then click Finish.
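The same key pair and CSR can be produced with openssl instead of the IIS wizard. The script below is an added example, not part of the original page; it assumes openssl is on PATH, and every Distinguished Name value passed in is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original page: the openssl equivalent of the IIS
# "Create Certificate Request" wizard above. Assumes openssl is on PATH; every DN
# value passed in is a constructed sample.
set -eu

# make_csr OUTDIR CN ORG OU CITY STATE COUNTRY EMAIL
# Writes OUTDIR/server.key (keep it private) and OUTDIR/server.csr (send to the CA).
make_csr() {
    dir=$1; cn=$2; org=$3; ou=$4; city=$5; state=$6; country=$7; email=$8
    mkdir -p "$dir"
    # Generates the RSA 2048-bit key and the CSR in one step. -nodes leaves the key
    # unencrypted on disk, like the IIS machine key store, so restrict its permissions.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=$country/ST=$state/L=$city/O=$org/OU=$ou/CN=$cn/emailAddress=$email" \
        2>/dev/null
    chmod 600 "$dir/server.key"
}

# csr_subject FILE: checks the CSR's self-signature (the first thing a CA does with
# a request) and prints its subject, so you can review the DN before submitting.
csr_subject() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$1" -noout -subject
}

# csr_key_bits FILE: prints the RSA modulus size carried by the CSR (expect 2048).
csr_key_bits() {
    openssl req -in "$1" -noout -pubkey 2>/dev/null \
        | openssl rsa -pubin -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Usage with constructed values; run as: sh csr.sh run
if [ "${1:-}" = "run" ]; then
    make_csr ./csr-demo secure.coolexample.com "Cool Example Inc" IT \
        "San Francisco" California US admin@coolexample.com
    csr_subject ./csr-demo/server.csr
    csr_key_bits ./csr-demo/server.csr
fi
```

The resulting server.csr is what you paste into the vendor's form in the next section; server.key never leaves the machine.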
3. How to get a SSL Cert
1) Open the CSR you have just saved with Notepad. Copy all of the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines.
2) Log into your preferred SSL certificate vendor and create or re-key an SSL certificate.
Paste all of the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines.
Complete your vendor's instructions and wait until the certificate is ready. When you download it, use the IIS option. The download will be a .zip file; unzip it after downloading.
Now that you have the cert what do you do?
1. Click Start, mouse over Administrative Tools, and then click Internet Services Manager.
2. In the Internet Information Services (IIS) Manager window, select your server.
3. Scroll to the bottom, and then double-click Server Certificates.
4. From the Actions panel on the right, click Complete Certificate Request....
5. To locate your certificate file, click ….
6. In the Open window, select "*.*" as your file name extension, select your certificate (it might be saved as a .txt, .cer, or .crt), and then click Open.
7. In the Complete Certificate Request window, enter a Friendly name for the certificate file, and then click OK.
For Wildcard SSL certificates, make sure your Friendly Name matches your Common Name (i.e. *.coolexample.com).
4. How do I generate what I need for TS2log?
1) Download and install a certificate utility, for example the DigiCert Certificate Utility (https://www.digicert.com/util/)
a) Click on SSL
b) Click on Refresh
You will now see the certificate that you have installed. Highlight your certificate:
Click on the bottom button "Export Certificate":
Ensure that "Yes, export the private key and pfx file" and "Include all certificates in the certification path if possible" are checked.
Next, save the file in the folder with the certificates that you have unzipped.
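The export above produces a .pfx (PKCS#12) file holding the certificate, its private key and the certification path. The script below is an added example, not part of the original page or the DigiCert utility: it performs the same bundling with openssl and then checks that the chain inside the .pfx validates. It assumes openssl is on PATH; since no vendor CA is reachable offline, a constructed root and intermediate CA stand in for the issuer.

```shell
#!/bin/sh
# Added example, not part of the original page: the openssl equivalent of the
# "Export Certificate" step above, bundling the server certificate, its private key
# and the intermediate certificate into one .pfx (PKCS#12) file and checking that
# the bundled chain validates. Assumes openssl is on PATH. No vendor CA is reachable
# offline, so a constructed root and intermediate CA stand in for the issuer.
set -eu

# issue_demo_chain DIR CN: constructed stand-in for the vendor; writes root.pem,
# intermediate.pem, server.key and server.pem into DIR (valid for 30 days).
issue_demo_chain() {
    d=$1; cn=$2; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate" \
        -keyout "$d/intermediate.key" -out "$d/intermediate.csr" 2>/dev/null
    # Without CA:TRUE the intermediate could not sign the server certificate.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$d/ca.ext" -out "$d/intermediate.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.pem" -CAkey "$d/intermediate.key" \
        -CAcreateserial -days 30 -sha256 -out "$d/server.pem" 2>/dev/null
}

# export_pfx DIR PASSWORD: the "export the private key and pfx file" step.
# -certfile adds the intermediate so the certification path travels with the cert.
export_pfx() {
    openssl pkcs12 -export -inkey "$1/server.key" -in "$1/server.pem" \
        -certfile "$1/intermediate.pem" -passout "pass:$2" -out "$1/server.pfx"
}

# pfx_cert_count FILE PASSWORD: number of certificates in the .pfx
# (expect 2: server + intermediate; the root is not normally bundled).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# pfx_chain_ok FILE PASSWORD ROOT: extracts leaf and CA certs from the .pfx and
# verifies that the leaf chains to the trusted root through the bundled intermediate.
pfx_chain_ok() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null > "$1.leaf.pem"
    openssl pkcs12 -in "$1" -nokeys -cacerts -passin "pass:$2" 2>/dev/null > "$1.chain.pem"
    openssl verify -CAfile "$3" -untrusted "$1.chain.pem" "$1.leaf.pem" >/dev/null 2>&1
}
```

With a real vendor certificate, replace issue_demo_chain by the server.key from your CSR, the downloaded certificate and the intermediate from the unzipped bundle; the pfx_cert_count and pfx_chain_ok checks then tell you whether the file is complete before importing it into the TS2log keystore.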
To import your SSL certificate, see this documentation.