Security Certificates
What are they?
What does that Mean?
Some Definitions
Browser Compatibility of Our SSL Certificates.
How to Generate a Certificate Signing Request (CSR) - Apache
Installing your Web Server Certificate - Apache
How to Generate a Certificate Signing Request (CSR) - IIS
Installing your Web Server Certificate - IIS
What are they?
The SSL Protocol is designed, first, to provide privacy between two
communicating applications (a client and a server) and, second, to
authenticate the server and optionally the client. SSL requires a
reliable transport protocol (e.g. TCP) for data transmission and
reception.
The advantage of the SSL Protocol is that it is application protocol
independent. A "higher level" application protocol (e.g. HTTP, FTP,
TELNET, etc.) can layer on top of the SSL Protocol transparently. The
SSL Protocol can negotiate an encryption algorithm and session key as
well as authenticate a server before the application protocol
transmits or receives its first byte of data. All of the application
protocol data is transmitted encrypted, ensuring privacy.
The SSL protocol provides "channel security" which has three basic
properties:
- The channel is private. Encryption is used for all messages after
a simple handshake is used to define a secret key.
- The channel is authenticated. The server endpoint of the
conversation is always authenticated, while the client endpoint is
optionally authenticated.
- The channel is reliable. The message transport includes a message
integrity check.
What does that Mean?
An SSL digital security certificate is meant to verify to the web
browser that you (represented by your website) are who you say you
are.
When SSL is enabled for a web directory, communication between the web
browser and the server is encrypted. The physical sign that this is
happening is the lock symbol located at the lower right-hand corner of
the web browser.
An SSL digital security certificate is a Web server certificate that allows consumers and Web sites to conduct safe eCommerce with encrypted SSL connections.
Why is Authentication & Validation so Important?
Shopping on the Internet has gone mainstream, and a big part of the
trust that your consumers place in you is the security of knowing that
strong SSL encryption is protecting their personal information. The
lock in your consumer's browser has become one of the most trusted
symbols of online security, but for more than just the protection
afforded by an SSL certificate: equally important is the validation
that you are a legal and legitimate entity.
Some Definitions
Root Certificate:
A self-signed Certificate Authority (CA) certificate that identifies a CA. "Trusted" roots are preloaded
into the browsers so that their certificates work with no user intervention.
Certificate Signing Request:
The CSR contains the identity of the organization requesting the certificate, as well as
the public key of the server on which the certificate will be installed.
Secure your site with an SSL Certificate. SSL is an encrypted link
between your site and your customer's browser. Once the link is
established, all communication between your site and your customer's
browser will remain confidential.
This is also essential for your employees logging into your site and
sending information in encrypted format, so that important information
is protected from being hacked!
Please note: You must have a unique IP for your website in order to install a security certificate!
Browser Compatibility of Our SSL Certificates.
Web Browsers (SSL enabled)
- Microsoft IE 5.01+
- Netscape Communicator 4.7+
- Mozilla 1.0+
- AOL 5+
- Opera 7+
- Apple Safari 1.0+
- Red Hat Linux Konqueror
Email Clients (S/Mime)
- Microsoft Outlook 99+
- Netscape Communicator 4.51+
- Mozilla 1.0+
- Qualcomm Eudora 6.2+
Application Clients and Servers
- Sun J2SE 1.4.2_02
- Sun J2EE 1.4.2_02
- IBM Web Sphere Micro Environment (WME)
- IBM Web Sphere Custom Environment (WCE)
How to Generate a Certificate Signing Request (CSR) - Apache
If you are hosting with Reg.Ca just ask us and we'll do it for you!
If you are hosting elsewhere you may ask us for help.
Apache + ModSSL + OpenSSL (contact us at
if your server is different.)
Follow these instructions to generate a CSR for your Web site. OpenSSL
is the open source project that replaced SSLeay. If you are using
SSLeay on your system instead of OpenSSL, use ssleay in place of
openssl in the commands below.
1. Install OpenSSL, if it is not already on your server.
2. Create an RSA key for your Apache server. If your server keeps its
private keys in a different path, cd to your server's private key
directory first.
3. Type the following command to generate a private key that is file
encrypted (DES3). You will be prompted for the passphrase to access the
file, and again whenever you start your web server. Warning: If you
lose or forget the passphrase, you must purchase another certificate.
openssl genrsa -des3 -out domainname.key 1024
You could also create a private key without file encryption:
openssl genrsa -out domainname.key 1024
Note: We recommend that you name the private key after the domain name
you are purchasing the certificate for, i.e. domainname.key.
4. Type the following command to create a CSR with the RSA private key
(the output will be in PEM format):
openssl req -new -key domainname.key -out domainname.csr
Note: You will be prompted for your PEM passphrase if you included the
"-des3" switch in step 3.
5. When creating a CSR you must follow these conventions. Enter the
information to be displayed in the certificate. The following
characters cannot be accepted:
< > ~ ! @ # $ % ^ * / \ ( ) ? . , &
DN Field          | Explanation                                                                          | Example
------------------+--------------------------------------------------------------------------------------+------------------
Common Name       | The fully qualified domain name for your web server. This must be an exact match.   | If you intend to secure the URL https://www.reg.ca, then your CSR's common name must be www.reg.ca.
Organization      | The exact legal name of your organization. Do not abbreviate your organization name. | RegCA
Organization Unit | Section of the organization.                                                         | Internet Services
City or Locality  | The city where your organization is legally located.                                 | Vancouver
Province or State | The province or state where your organization is legally located. Cannot be abbreviated. | British Columbia
Country           | The two-letter ISO abbreviation for your country.                                    | CA
6. Do not enter extra attributes at the prompt.
Warning: Leave the challenge password blank (press ).
Note: If you would like to verify the contents of the CSR, use the
following command:
openssl req -noout -text -in domainname.csr
7. Submit your CSR to RegCA: http://www.reg.ca/certificate.html
Create a backup of your private key!
Make a copy of the private key file (domainname.key) generated in step 3
and store it in a safe place! If you lose this file, you must purchase a
new certificate.
* When opened in a text editor, the private key file should begin with
-----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----.
To view the contents of the private key, use the following command:
openssl rsa -noout -text -in domainname.key
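The key and CSR steps above, run non-interactively and then checked, as an added example that is not part of the Reg.Ca instructions. It assumes openssl is on the PATH, uses a constructed domain (www.example.com) and the DN values from the table as placeholders, and generates a 2048-bit key rather than the 1024 shown above (an assumption: 2048 is the smallest size public CAs accept today). Besides the page's own `openssl req -noout -text` check, it confirms that the CSR was really built from the key you are about to back up, by comparing the RSA modulus of both files. Note that OpenSSL 3 writes the key with a `-----BEGIN PRIVATE KEY-----` header (PKCS#8) instead of the `RSA PRIVATE KEY` header the page mentions; both are accepted by Apache.

```shell
#!/bin/sh
# Added example (not from the Reg.Ca page): the key-and-CSR steps above run
# non-interactively, then verified before the CSR is submitted.
# Assumptions: openssl on PATH; DOMAIN and the DN fields are constructed values;
# key size 2048 instead of the page's 1024.
set -eu

DOMAIN="www.example.com"                 # constructed domain name
WORKDIR="${WORKDIR:-$(mktemp -d)}"       # where domainname.key / domainname.csr land

# Step 3 (unencrypted variant): generate the RSA private key.
gen_key() {
    openssl genrsa -out "$WORKDIR/$DOMAIN.key" 2048 2>/dev/null
}

# Steps 4 and 5: build the CSR, passing the DN fields with -subj instead of
# answering prompts. No challenge password or extra attributes (step 6).
gen_csr() {
    openssl req -new -key "$WORKDIR/$DOMAIN.key" -out "$WORKDIR/$DOMAIN.csr" \
        -subj "/C=CA/ST=British Columbia/L=Vancouver/O=RegCA/OU=Internet Services/CN=$DOMAIN"
}

# Pull the CN out of the CSR so a script can confirm it is the exact host name
# the certificate will be served from (works with 1.x "/CN=" and 3.x "CN = " output).
csr_cn() {
    openssl req -noout -subject -in "$WORKDIR/$DOMAIN.csr" \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Prove the CSR and the private key belong together: both carry the same RSA
# modulus. A mismatch means the wrong .key file is about to be backed up.
key_matches_csr() {
    k=$(openssl rsa -noout -modulus -in "$WORKDIR/$DOMAIN.key" | openssl md5)
    c=$(openssl req -noout -modulus -in "$WORKDIR/$DOMAIN.csr" | openssl md5)
    [ "$k" = "$c" ]
}

# Does the key file carry the PEM armour the page says to look for?
# Matches both "RSA PRIVATE KEY" (OpenSSL 1.x) and "PRIVATE KEY" (OpenSSL 3 PKCS#8).
key_has_armour() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$WORKDIR/$DOMAIN.key" \
        && grep -q -- '-----END .*PRIVATE KEY-----' "$WORKDIR/$DOMAIN.key"
}

# Run the whole procedure and show the page's own CSR inspection.
main() {
    gen_key && gen_csr
    echo "CSR CN: $(csr_cn)"
    key_matches_csr && echo "key and CSR match"
    key_has_armour && echo "private key is PEM; back up $WORKDIR/$DOMAIN.key now"
    openssl req -noout -text -in "$WORKDIR/$DOMAIN.csr" | head -n 12
}

# Set RUN_CSR_EXAMPLE=1 to execute; left off so the file can also be sourced.
if [ "${RUN_CSR_EXAMPLE:-0}" = 1 ]; then main; fi
```

Run it with `RUN_CSR_EXAMPLE=1 sh csr.sh` (csr.sh is a hypothetical file name). The modulus comparison is the check worth keeping in a deployment script: it catches the common mistake of sending a CSR built from one key and backing up another.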
Installing your Web Server Certificate - Apache
Apache + ModSSL + OpenSSL
If you are hosting with Reg.Ca just ask us and we'll do it for you!
If you are hosting elsewhere you may ask us for help.
Your certificate will be sent to you by email. The body of the email
message includes the web server certificate that you purchased. Copy
the certificate from the body of the email and paste it into a text
editor (such as Notepad) to create a text file.
If you have not already set up a secure virtual host or would like to
learn more about installing SSL, refer to the following link for more
information:
http://www.linuxdoc.org/HOWTO/SSL-RedHat-HOWTO.html#toc4
Note: The examples below use the following naming conventions: "Your
Private Key" = "domainname.key"; "Your Web Server Certificate" =
"domainname.crt".
- Copy the certificate to the Apache server directory in which you plan
to store your certificates (by default /usr/local/apache/conf/ssl.crt/
or /etc/httpd/conf/ssl.crt/).
Note: Copy the entire contents of the certificate, from (and including)
the -----BEGIN CERTIFICATE----- line to the -----END CERTIFICATE----- line.
- Open the httpd.conf file in a text editor.
- Locate the secure virtual host pertaining to your order. You should
have the following directives within this virtual host. Please add them
if they are not present:
SSLCertificateFile /usr/local/apache/conf/ssl.crt/domainname.crt (or server.crt)
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/domainname.key (or server.key)
- Save the changes and exit the editor.
- Start or restart your Apache web server using one of the following
commands:
By default:
/usr/local/apache/bin/apachectl startssl
or
/usr/local/apache/bin/apachectl restart
Other commands:
/usr/sbin/httpd startssl (or restart)
/usr/sbin/httpsd startssl (or restart)
Note: You may refer to the original ModSSL instructions at:
http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL
Test your certificate by using a browser to connect to your server. Use
the https protocol directive (e.g. https://your server/) to indicate
that you wish to use secure HTTP.
Note: The padlock icon on your browser will be displayed in the locked
position if your certificates are installed correctly and the server is
properly configured for SSL.
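A pre-restart check for the SSLCertificateFile / SSLCertificateKeyFile pair, added here as an example and not part of the Reg.Ca instructions. It assumes openssl is on the PATH; the file paths and host name are whatever you pass in. It verifies the three things that most often go wrong before the padlock test in a browser: the pasted certificate is missing its PEM armour, the certificate was issued for a different key than the one named in httpd.conf, or its CN is not the host users will type. The `make_fixture` helper builds a throwaway self-signed certificate (a constructed fixture for trying the script offline); a real deployment runs `precheck` against the CA-issued domainname.crt from the email instead.

```shell
#!/bin/sh
# Added example (not from the Reg.Ca page): sanity checks to run on the
# certificate and key files named in httpd.conf before apachectl restart.
# Assumption: openssl on PATH. Paths and host names are caller-supplied.
set -eu

# The page says to copy everything from BEGIN to END CERTIFICATE; a partial
# paste is the usual cause of "unable to load certificate" on restart.
has_pem_armour() {   # $1 = certificate file
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
        && grep -q -- '-----END CERTIFICATE-----' "$1"
}

# The certificate must have been issued for the key Apache will load: same modulus.
cert_matches_key() {  # $1 = certificate file, $2 = private key file
    cm=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
    km=$(openssl rsa  -noout -modulus -in "$2" | openssl md5)
    [ "$cm" = "$km" ]
}

# CN as embedded in the certificate (handles 1.x "/CN=" and 3.x "CN = " output).
cert_cn() {  # $1 = certificate file
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Still valid in N days? -checkend takes seconds.
cert_valid_for_days() {  # $1 = certificate file, $2 = days
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# All checks in order; returns non-zero on the first failure so a deploy
# script can stop before restarting Apache with a broken pair.
precheck() {  # $1 = certificate file, $2 = key file, $3 = expected CN
    has_pem_armour "$1"        || { echo "missing PEM armour: $1"; return 1; }
    cert_matches_key "$1" "$2" || { echo "certificate does not match key $2"; return 1; }
    [ "$(cert_cn "$1")" = "$3" ] \
        || { echo "CN mismatch: got '$(cert_cn "$1")', want '$3'"; return 1; }
    cert_valid_for_days "$1" 30 || { echo "certificate expires within 30 days"; return 1; }
    echo "ok: $1 and $2 are ready for SSLCertificateFile / SSLCertificateKeyFile"
}

# Constructed fixture: a self-signed certificate and key for offline testing.
# Replace with the CA-issued domainname.crt in real use.
make_fixture() {  # $1 = output directory, $2 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Usage with the page's default paths (hypothetical host name):
#   precheck /usr/local/apache/conf/ssl.crt/domainname.crt \
#            /usr/local/apache/conf/ssl.key/domainname.key www.example.com
```

The modulus comparison is the same test `openssl` performs implicitly when Apache starts; doing it up front turns a failed restart into a readable message. The 30-day expiry threshold is an arbitrary choice for the example.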
How to Generate a Certificate Signing Request (CSR) - IIS
IIS 5.0/6.0
Go to Start -> All Programs -> Administrative Tools -> Internet Services Manager (IIS) Manager
Right-click the name of the website you wish to secure, then click Properties. Go to the Directory Security tab.
Click Create a new certificate (or Renew the current certificate if that's what you're doing)
Select Prepare the request now, but send it later, and 1024 as the bit length.
Country Name (C): Use your two-letter country code such as CA or US.
State or Province (S): Spell out the full province or state name, such as: British Columbia
Locality or City (L): Your city or town name
Organization (O): Your full company name, without punctuation, such as: DotAlliance Inc
Organizational Unit (OU): The name of the department or organization unit making the request, such as: Secure Services
Common Name (CN): The full domain name of the certificate such as www.my-domain.ca or secure.my-domain.ca or my-domain.ca. The domain should be an exact match for what you want to be in the URL bar (ex: https://www.my-domain.ca/) - your users will get a security warning if a user goes to a domain different from the Common Name. (Such as if they go to https://www.my-domain.ca/ when their certificate specified my-domain.ca).
Click Finish to generate the CSR.
Send us the completed CSR.
IIS 7.0
Go to Start -> All Programs -> Administrative Tools -> Internet Services Manager (IIS) Manager
Under the left-hand Connections panel, click on your server name (the upper-level server name, not your website under Sites)
In the middle panel, double click Server Certificates
Click Create Certificate Request...
Common Name: The full domain name of the certificate such as www.my-domain.ca or secure.my-domain.ca or my-domain.ca. The domain should be an exact match for what you want to be in the URL bar (ex: https://www.my-domain.ca/) - your users will get a security warning if a user goes to a domain different from the Common Name. (Such as if they go to https://www.my-domain.ca/ when their certificate specified my-domain.ca).
Organization: Your full company name, without punctuation, such as: DotAlliance Inc
Organizational unit: The name of the department or organization unit making the request, such as: Secure Services
City/locality: Your city or town name
State/province: Spell out the full province or state name, such as: British Columbia
Country/region: Use your two-letter country code such as CA or US.
Click Next
Select Microsoft RSA SChannel Cryptography Provider, and 1024 as the bit length. Click Next
Select a location and file to save the CSR, then click Finish
Send us the completed CSR.
Installing your Web Server Certificate - IIS
IIS 5.0/6.0
You should have an email with a section like this:
-----BEGIN CERTIFICATE-----
[encoded data]
-----END CERTIFICATE-----
Copy-and-paste this entire section into notepad (make sure you have all the dashes), then save it as a .txt file.
Go to Start -> All Programs -> Administrative Tools -> Internet Services Manager (IIS) Manager
Right-click the name of the website you wish to secure, then click Properties. Go to the Directory Security tab.
Click Server Certificate
Select Process the Pending Request, then Install the Certificate, then click Next
Select the certificate file, then click Next
Make sure this is the correct certificate, then click Next
At the confirmation screen, click Next
Stop and start the web server to make sure the change takes effect. Make sure the site is using port 443 and that it is correctly assigned to your site's IP. (You can only host one security certificate per IP.)
IIS 7.0
You should have an email with a section like this:
-----BEGIN CERTIFICATE-----
[encoded data]
-----END CERTIFICATE-----
Copy-and-paste this entire section into notepad (make sure you have all the dashes), then save it as a .txt file.
Go to Start -> All Programs -> Administrative Tools -> Internet Services Manager (IIS) Manager
Under the left-hand Connections panel, click on your server name (the upper-level server name, not your website under Sites)
In the middle panel, under IIS double click Server Certificates
In the right-hand Actions panel, click Complete Certificate Request...
Select the certificate file (just put in the domain name for the friendly name), then click OK
Go back to your server name (as above), then open Sites, then click on your server entry.
Under the right-hand Actions panel, click Bindings...
Click Add...
For binding Type, specify https, and make sure Port is set to 443.
For SSL certificate, select the friendly name you entered above (likely your domain name)
Click OK.