Obtain Certificates Directly Through a Certificate Authority (CA)

The steps that are explained in this section are specific to Microsoft Certificate Authority 2008. If you are using any other Certificate Authority, see the documentation of that Certificate Authority.
To generate a CA-issued certificate:
  1. Access the link to the Certificate Authority of your choice. For a Microsoft Certificate Authority, it is as follows:
    http://<IP_Address_of_the_CA>/certsrv/
  2. Navigate to the link to create and submit the certificate request.
  3. For the MSCA, click the following items:
    1. Locate the Select a task section.
    2. Click Request a certificate.
    3. Click advanced certificate request.
    4. Click Create and submit a request to this CA.
  4. Specify the details on the certificate request form that appears. Use the values in the following table as a guide.
| Certificate Attribute | Required Information |
| --- | --- |
| Common Name (Name) | The fully qualified domain name (FQDN) of your server. Important! When prompted for Common Name, specify the Fully Qualified Domain Name (FQDN) of the server that you want to protect. For example, an SSL certificate that is issued for login.example.com does not work for online.example.com. |
| Email Address | The email ID of the contact person in your organization. Note: The email address of the certificate administrator or an administrator in the IT department. |
| Organization (Company) | The name of your organization. Important! Ensure that this entry is not abbreviated. Ensure that you do not specify any suffixes, such as Inc., Corp., or LLC. |
| Organizational Unit (Department) | The division (for example, IT) of your Organization handling the certificate. |
| City (Locality) | The city (for example, Brisbane) where your Organizational Unit is located. |
| State | The state or region (for example, Queensland) where your Organizational Unit is located. Important! Ensure that this entry is not abbreviated. |
| Country (Region) | The ISO code (for example, AU) for the country where your organization is headquartered. |
Specify the details of the certificate. Use the values in the following table as a guide.
| Certificate Attribute | Required Information |
| --- | --- |
| Certificate Type | Server Authentication Certificate, if you are generating a server certificate. Client Authentication Certificate, if you are generating a client certificate. |
| CSP | CSP of your choice |
| Key Usage | Exchange |
| Key Size | The key size in bytes. |
| Key Exportability | Mark keys as exportable |
| Export keys to file | Full path name (*.pvk) |
| Request Format | PKCS#12 File |
  5. Click Submit.
  6. Click Install the Certificate.
Download the Certificates
The certificates that you requested through Microsoft Certificate Authority 2008 are installed in the browser store. Download them to your respective systems. The format in which you have to download the certificate depends on the encryption mode:
  • If software encryption is used, then certificates must be in PKCS#12 format.
  • If hardware encryption is used, then certificates must be in PEM format.
PKCS#12 Format
To download the certificate and private key to a PKCS#12 file by using Microsoft CA 2008:
  1. Open an Internet Explorer window.
  2. Navigate to Tools and then Internet Options.
    The Internet Options dialog appears.
  3. Activate the Content tab, and in the Certificates section click Certificates.
    The Certificates dialog appears.
  4. Select the certificate that you want to download and click Export.
    The Certificate Export Wizard appears.
  5. Click Next on the Welcome screen.
  6. Choose the Yes, export the private key option, and click Next.
  7. Ensure that the Personal Information Exchange - PKCS # 12 (.PFX) option is selected.
  8. Click Enable Strong Protection, and click Next.
  9. Enter the password for the PKCS#12 (.PFX) file in the Password and Confirm password fields, and click Next.
  10. Enter the File name with which you want to download the PKCS#12 (.PFX) file and click Next.
  11. Click Finish to complete the wizard.
    The certificate and private key are now available on your system in the specified location.
PEM Format
You cannot directly export the certificate in .PEM format from the browser certificate store. Download it in .DER format first (with the Microsoft Certificate Authority 2008) and then convert to .PEM as follows:
  1. Open an Internet Explorer window.
  2. Navigate to Tools and then Internet Options.
    The Internet Options dialog appears.
  3. Activate the Content tab, and in the Certificates section click Certificates.
    The Certificates dialog appears.
  4. Select the certificate that you want to download and click Export.
    The Certificate Export Wizard appears.
  5. Click Next on the Welcome screen.
  6. Choose the No, do not export the private key option and then click Next.
  7. Ensure that the DER encoded binary X.509 (.CER) option is selected.
  8. Click Next.
  9. Enter the File name with which you want to download the certificate, and click Next.
  10. Click Finish to complete the wizard.
    The certificate is now available on your system in the specified location.
  11. Convert DER to PEM format.
    To convert the certificate from DER to PEM format, you can use open source tools such as OpenSSL. Use the following command to convert using the OpenSSL tool:
    openssl x509 -inform der -in <certificate>.cer -out <certificate>.pem
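
A checked version of the conversion in step 11, as an added example that is not part of the original documentation: it converts the DER export, confirms that the PEM file holds the same certificate and no private key, and tests the Common Name rule from the attribute table. The function names, file names, the organization name and the throwaway self-signed sample certificate are constructed assumptions; login.example.com and online.example.com are the host names used in the Common Name note.

```shell
#!/bin/sh
# Added example: checked DER-to-PEM conversion. Function names, file names
# and the sample certificate are constructed for illustration.

# Print the SHA-256 fingerprint of certificate $1 stored in encoding $2.
cert_fingerprint() {
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256
}

# Convert $1 (DER) to $2 (PEM). Returns 0 only if the PEM file holds the
# same certificate and no private key.
der_to_pem_checked() {
    der=$1; pem=$2
    # Reject input that does not parse as a certificate (truncated download).
    openssl x509 -inform der -in "$der" -noout 2>/dev/null || return 2
    openssl x509 -inform der -in "$der" -out "$pem" || return 3
    # The fingerprint must be identical before and after conversion.
    [ "$(cert_fingerprint "$der" der)" = "$(cert_fingerprint "$pem" pem)" ] || return 4
    # This export path is certificate-only; a key here means the wrong file.
    if grep -q 'PRIVATE KEY' "$pem"; then return 5; fi
    return 0
}

# Return 0 if the PEM certificate $1 is valid for host name $2.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# Constructed sample input: a throwaway self-signed DER certificate written
# to directory $1, using the example values from the attribute table.
make_sample_der() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=AU/ST=Queensland/L=Brisbane/O=Example Organization/OU=IT/CN=login.example.com" \
        -keyout "$1/sample.key" -outform der -out "$1/sample.cer" 2>/dev/null
}

# Demonstration run on the constructed sample.
demo_dir=$(mktemp -d)
if make_sample_der "$demo_dir" &&
   der_to_pem_checked "$demo_dir/sample.cer" "$demo_dir/sample.pem"; then
    echo "conversion verified"
    cert_matches_host "$demo_dir/sample.pem" online.example.com ||
        echo "online.example.com: not covered by this certificate"
fi
rm -rf "$demo_dir"
```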