Obtain Certificates Directly Through a Certificate Authority (CA)
The steps that are explained in this section are specific to Microsoft Certificate Authority 2008. If you are using any other Certificate Authority, see the documentation of that Certificate Authority.
To generate a CA-issued certificate:
- Access the link to the Certificate Authority of your choice. For a Microsoft Certificate Authority, it is as follows: http://<IP_Address_of_the_CA>/certsrv/
- Navigate to the link to create and submit the certificate request.
- For the MSCA, click the following items:
  - Locate the Select a task section.
  - Click Request a certificate.
  - Click advanced certificate request.
  - Click Create and submit a request to this CA.
- Specify the details on the certificate request form that appears. Use the values in the following table as a guide.
Certificate Attribute | Required Information |
Common Name (Name) | The fully qualified domain name (FQDN) of your server. Important! When prompted for Common Name, specify the Fully Qualified Domain Name (FQDN) of the server that you want to protect. For example, an SSL certificate that is issued for login.example.com does not work for online.example.com. |
Email Address | The email ID of the contact person in your organization. Note: Use the email address of the certificate administrator or an administrator in the IT department. |
Organization (Company) | The name of your organization. Important! Ensure that this entry is not abbreviated. Ensure that you do not specify any suffixes, such as Inc., Corp., or LLC. |
Organizational Unit (Department) | The division (for example, IT) of your Organization handling the certificate. |
City (Locality) | The city (for example, Brisbane) where your Organizational Unit is located. |
State | The state or region (for example, Queensland) where your Organizational Unit is located. Important! Ensure that this entry is not abbreviated. |
Country (Region) | The ISO code (for example, AU) for the country where your organization is headquartered. |
Specify the details of the certificate, using the values in the following table as a guide.
Certificate Attribute | Required Information |
Certificate Type | Server Authentication Certificate, if you are generating a server certificate; Client Authentication Certificate, if you are generating a client certificate |
CSP | CSP of your choice |
Key Usage | Exchange |
Key Size | The key size in bytes. |
Key Exportability | Mark keys as exportable Export keys to file Full path name (*.pvk) |
Request Format | PKCS#12 File |
- Click Submit.
- Click Install the Certificate.
Download the Certificates
The certificates that you requested through Microsoft Certificate Authority 2008 are installed in the browser store. Download them to your respective systems. The format in which you have to download the certificate depends on the encryption mode:
- If software encryption is used, then certificates must be in PKCS#12 format.
- If hardware encryption is used, then certificates must be in PEM format.
PKCS#12 Format
To download the certificate and private key to a PKCS#12 file by using Microsoft CA 2008:
- Open an Internet Explorer window.
- Navigate to Tools and then Internet Options. The Internet Options dialog appears.
- Activate the Content tab and, in the Certificates section, click Certificates. The Certificates dialog appears.
- Select the certificate that you want to download and click Export. The Certificate Export Wizard appears.
- Click Next on the Welcome screen.
- Choose the Yes, export the private key option, and click Next.
- Ensure that the Personal Information Exchange - PKCS # 12 (.PFX) option is selected.
- Click Enable Strong Protection, and click Next.
- Enter the password for the PKCS#12 (.PFX) file in the Password and Confirm password fields, and click Next.
- Enter the File name with which you want to download the PKCS#12 (.PFX) file and click Next.
- Click Finish to complete the wizard. The certificate and private key are now available on your system in the specified location.
PEM Format
You cannot directly export the certificate in .PEM format from the browser certificate store. Download it in .DER format first (with the Microsoft Certificate Authority 2008) and then convert to .PEM as follows:
- Open an Internet Explorer window.
- Navigate to Tools and then Internet Options. The Internet Options dialog appears.
- Activate the Content tab and, in the Certificates section, click Certificates. The Certificates dialog appears.
- Select the certificate that you want to download and click Export. The Certificate Export Wizard appears.
- Click Next on the Welcome screen.
- Choose the No, do not export the private key option, and then click Next.
- Ensure that the DER encoded binary X.509 (.CER) option is selected.
- Click Next.
- Enter the File name with which you want to download the certificate, and click Next.
- Click Finish to complete the wizard. The certificate is now available on your system in the specified location.
- Convert DER to PEM format. To convert the certificate from DER to PEM format, you can use open source tools such as OpenSSL. Use the following command to convert using the OpenSSL tool: openssl x509 -inform der -in <certificate>.cer -out <certificate>.pem
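Added example (not part of the original documentation): shell functions that wrap the OpenSSL conversion command above, confirm that the PEM output holds the same certificate as the DER export, and check the Common Name rule from the request table. The function names, file names, and the self-signed sample certificate for login.example.com are constructed for illustration; the -checkhost option assumes OpenSSL 1.0.2 or later.

```sh
#!/bin/sh
# Added example. Function and file names are hypothetical; the sample
# certificate is a constructed, self-signed stand-in for a CA-issued one.

# der_to_pem <in.cer> <out.pem>
# Converts a DER export to PEM and succeeds only if both files carry the
# same certificate (SHA-256 fingerprints are equal).
der_to_pem() {
    in=$1; out=$2
    # The export wizard also offers a Base-64 encoded .CER, which is
    # already PEM; copy it instead of failing on the DER parse.
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$in"; then
        cp "$in" "$out"
        return 0
    fi
    openssl x509 -inform der -in "$in" -out "$out" || return 1
    fp_in=$(openssl x509 -inform der -in "$in" -noout -fingerprint -sha256)
    fp_out=$(openssl x509 -in "$out" -noout -fingerprint -sha256)
    [ -n "$fp_in" ] && [ "$fp_in" = "$fp_out" ]
}

# cert_matches_host <cert.pem> <fqdn>
# Succeeds only if the certificate is valid for the given FQDN.
# -checkhost prints "does match" or "does NOT match", so test the text.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# make_sample_der <dir>
# Writes a constructed self-signed certificate (CN=login.example.com)
# to <dir>/sample.cer in DER form, standing in for the wizard's export.
make_sample_der() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=login.example.com" \
        -keyout "$1/sample.key" -outform der -out "$1/sample.cer" 2>/dev/null
}

# Demonstration on the constructed sample.
tmp=$(mktemp -d)
make_sample_der "$tmp"
der_to_pem "$tmp/sample.cer" "$tmp/sample.pem" && echo "converted, fingerprints match"
cert_matches_host "$tmp/sample.pem" login.example.com && echo "login.example.com: match"
cert_matches_host "$tmp/sample.pem" online.example.com || echo "online.example.com: no match"
rm -rf "$tmp"
```

Running the same two checks against the certificate exported from the browser store catches a wrong Common Name before the PEM file is deployed.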