Reg.CA Security Certificates / FAQs

Security Certificates

What are they?
What does that Mean?
Some Definitions
Browser Compatibility of Our SSL Certificates.
How to Generate a Certificate Signing Request (CSR) - Apache
Installing your Web Server Certificate - Apache
How to Generate a Certificate Signing Request (CSR) - IIS
Installing your Web Server Certificate - IIS

What are they?

The SSL Protocol is designed, first, to provide privacy between two communicating applications (a client and a server). Second, the protocol is designed to authenticate the server, and optionally the client. SSL requires a reliable transport protocol (e.g. TCP) for data transmission and reception.

The advantage of the SSL Protocol is that it is application protocol independent. A "higher level" application protocol (e.g. HTTP, FTP, TELNET, etc.) can layer on top of the SSL Protocol transparently. The SSL Protocol can negotiate an encryption algorithm and session key as well as authenticate a server before the application protocol transmits or receives its first byte of data. All of the application protocol data is transmitted encrypted, ensuring privacy.

The SSL protocol provides "channel security" which has three basic properties:

  • The channel is private. Encryption is used for all messages after a simple handshake is used to define a secret key.

  • The channel is authenticated. The server endpoint of the conversation is always authenticated, while the client endpoint is optionally authenticated.

  • The channel is reliable. The message transport includes a message integrity check.

What does that Mean?

An SSL digital security certificate is meant to verify to the web browser that you (represented by your website) are who you say you are.
When SSL is enabled for a web directory, communication between the web browser and the server is encrypted.
The physical sign that this is happening is the lock symbol located at the lower right hand corner of the web browser.

An SSL digital security certificate is a Web server certificate that allows consumers and Web sites to conduct safe eCommerce with encrypted SSL connections.

Why is Authentication & Validation so Important?

Shopping on the Internet has gone mainstream and a big part of the Trust that your consumers place in You is the security of knowing that Strong SSL Encryption is protecting their personal information. The Lock in your consumer's browser has become one of the most Trusted Symbols regarding online security, but it stands for more than just the protection afforded by an SSL Certificate! Equally important is the Validation that you are a Legal and Legitimate Entity.

Some Definitions

Root Certificate: A self-signed Certificate Authority (CA) certificate that identifies a CA. "Trusted" roots are preloaded into the browsers so that their certificates work with no user intervention.
Certificate Signing Request: The CSR contains the identity of the organization requesting the certificate, as well as the public key of the server on which the certificate will be installed.
Secure your site with an SSL Certificate. SSL is an encrypted link between your site and your customer's browser.
Once the link is established all communication between your site and your customer's browser will remain confidential.
This is also essential for your employees logging into your site and sending information in encrypted format, to protect important information from being hacked!

Please note: You must have a unique IP for your website in order to install a security certificate!

Browser Compatibility of Our SSL Certificates.

Web Browsers (SSL enabled)

  • Microsoft IE 5.01+
  • Netscape Communicator 4.7+
  • Mozilla 1.0+
  • AOL 5+
  • Opera 7+
  • Apple Safari 1.0+
  • Red Hat Linux Konqueror

Email Clients (S/Mime)

  • Microsoft Outlook 99+
  • Netscape Communicator 4.51+
  • Mozilla 1.0+
  • Qualcomm Eudora 6.2+

Application Clients and Servers

  • Sun J2SE 1.4.2_02
  • Sun J2EE 1.4.2_02
  • IBM Web Sphere Micro Environment (WME)
  • IBM Web Sphere Custom Environment (WCE)

How to Generate a Certificate Signing Request (CSR) - Apache

If you are hosting with Reg.Ca just ask us and we'll do it for you!
If you are hosting elsewhere you may ask us for help.

Apache + ModSSL + OpenSSL (contact us at if your server is different.)

Follow these instructions to generate a CSR for your Web site. OpenSSL is the open source project that replaced SSLeay. If you are using SSLeay on your system instead of OpenSSL, substitute ssleay for openssl in the commands.

  1. Install OpenSSL, if not found on your server.
  2. Create a RSA key for your Apache server:

    If you have a different path, cd to your server’s private key directory

  3. Type the following command to generate a private key that is file encrypted. You will be prompted for the password to access the file and also when starting your webserver:

    openssl genrsa -des3 -out domainname.key 1024

    Warning: If you lose or forget the passphrase, you must purchase another certificate.

    You could also create a private key without file encryption:

    openssl genrsa -out domainname.key 1024

    Note: We recommend that you name the private key using the domain name that you are purchasing the certificate for, i.e. domainname.key

  4. Type the following command to create a CSR with the RSA private key (output will be PEM format):

    openssl req -new -key domainname.key -out domainname.csr

    Note: You will be prompted for your PEM passphrase if you included the "-des3" switch in step 3.

  5. When creating a CSR you must follow these conventions. Enter the information to be displayed in the certificate. The following characters cannot be accepted: < > ~ ! @ # $ % ^ * / \ ( ) ?.,&

    DN Field: Explanation. Example

      • Common Name: The fully qualified domain name for your web server. This must be an exact match. Example: If you intend to secure the URL https://www.reg.ca, then your CSR's common name must be www.reg.ca.
      • Organization: The exact legal name of your organization. Do not abbreviate your organization name. Example: RegCA
      • Organization Unit: Section of the organization. Example: Internet Services
      • City or Locality: The city where your organization is legally located. Example: Vancouver
      • Province or State: The province or state where your organization is legally located. Cannot be abbreviated. Example: British Columbia
      • Country: The two-letter ISO abbreviation for your country. Example: CA

  6. Do not enter extra attributes at the prompt.
  7. Warning: Leave the challenge password blank (press )

    Note: If you would like to verify the contents of the CSR, use the following command:

    openssl req -noout -text -in domainname.csr

  8. Submit your CSR to RegCA: http://www.reg.ca/certificate.html

Create a backup of your private key!

Make a copy of the private key file (domainname.key) generated in step 3 and store it in a safe place! If you lose this file, you must purchase a new certificate.

* The private key file should begin with (when using a text editor)

-----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----.

To view the contents of the private key, use the following command:

    openssl rsa -noout -text -in domainname.key


Installing your Web Server Certificate

Apache + ModSSL + OpenSSL

If you are hosting with Reg.Ca just ask us and we'll do it for you!
If you are hosting elsewhere you may ask us for help.

Your certificate will be sent to you by email. The email message includes the web server certificate that you purchased in the body of the email message.

Copy the certificate from the body of the email and paste it into a text editor (such as notepad) to create text files.

If you have not already set up a secure virtual host or would like to learn more about installing SSL, refer to the following link for more information:
http://www.linuxdoc.org/HOWTO/SSL-RedHat-HOWTO.html#toc4

Note: The examples below use the following naming conventions: "Your Private Key" = "domainname.key"; "Your Web Server Certificate" = "domainname.crt"

  1. Copy the certificate to the Apache server directory in which you plan to store your certificates (by default: /usr/local/apache/conf/ssl.crt/ or /etc/httpd/conf/ssl.crt/).

    Note: Copy the entire contents of the certificate from (and including) the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.


  2. Open the httpd.conf file in a text editor.


  3. Locate the secure virtual host pertaining to your order. You should have the following directives within this virtual host. Please add them if they are not present:

    SSLCertificateFile /usr/local/apache/conf/ssl.crt/domainname.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/domainname.key

    (The files may be named server.crt and server.key instead.)

  4. Save the changes and exit the editor.


  5. Start or Restart your apache web server using one of the following commands:
    By default:
    /usr/local/apache/bin/apachectl startssl
    or
    /usr/local/apache/bin/apachectl restart

    Other commands:
    /usr/sbin/httpd startssl or restart
    /usr/sbin/httpsd startssl or restart

Note: You may refer to the original ModSSL instructions at:

http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL

Test your certificate by using a browser to connect to your server. Use the https protocol directive (e.g. https://your server/) to indicate you wish to use secure HTTP.

Note: The padlock icon on your browser will be displayed in the locked position if your certificates are installed correctly and the server is properly configured for SSL.
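
The checks behind the Apache CSR and installation steps above, as an added shell example (not Reg.CA's own script): it builds the key and CSR without prompts, enforces the DN conventions from the table, and confirms that a CSR or an issued certificate carries the same public key as the private key before Apache is restarted. The function names, file names and DN values are constructed for illustration, and the 2048-bit key size is an assumption that differs from the 1024 on this page, since publicly trusted CAs no longer accept 1024-bit RSA keys.

```shell
# Added example, not Reg.CA's script. File names and DN values are constructed.
KEY_BITS=2048   # assumption: the page's own commands use 1024

# True if a DN value is non-empty and has none of the characters the page says
# are not accepted. Applied to ST/L/O/OU only: a Common Name needs its dots.
dn_field_ok() {
    [ -n "$1" ] || return 1
    ! printf '%s' "$1" | grep -q '[<>~!@#$%^*/\()?.,&]'
}

# make_csr <base> <C> <ST> <L> <O> <OU> <CN>: writes <base>.key and <base>.csr, no prompts.
make_csr() {
    base=$1 c=$2 st=$3 l=$4 o=$5 ou=$6 cn=$7
    for v in "$st" "$l" "$o" "$ou"; do
        dn_field_ok "$v" || { echo "rejected DN value: $v" >&2; return 1; }
    done
    [ "${#c}" -eq 2 ] || { echo "country must be a two-letter code" >&2; return 1; }
    ( umask 077; openssl genrsa -out "$base.key" "$KEY_BITS" 2>/dev/null ) || return 1
    openssl req -new -key "$base.key" -out "$base.csr" \
        -subj "/C=$c/ST=$st/L=$l/O=$o/OU=$ou/CN=$cn"
}

# Digest of the public key inside a PEM private key, CSR or certificate.
pubkey_digest() {
    if grep -q 'CERTIFICATE REQUEST-----' "$1" 2>/dev/null; then
        pem=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
    elif grep -q 'BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    else
        pem=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    fi || return 1
    printf '%s\n' "$pem" | openssl sha256
}

# same_key <a> <b>: true when both files carry the same public key.
same_key() {
    a=$(pubkey_digest "$1") && b=$(pubkey_digest "$2") && [ "$a" = "$b" ]
}

# csr_ok <csr> <key> <host>: signature OK, key matches and is big enough, CN is <host>.
csr_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    same_key "$1" "$2" || return 1
    bits=$(openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge "$KEY_BITS" ] || return 1
    case "$(openssl req -in "$1" -noout -subject -nameopt RFC2253)" in
        *"CN=$3",*) return 0 ;; *) return 1 ;; esac
}
```

Run `same_key domainname.crt domainname.key` before restarting Apache; a mismatch means the certificate was issued for a different CSR. For a key created with -des3, openssl asks for the passphrase when reading it.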

How to Generate a Certificate Signing Request (CSR) - IIS

IIS 5.0/6.0

  • Go to Start -> All Programs -> Administrative Tools -> Internet Services Manager (IIS) Manager
  • Right-click the name of the website you wish to secure, then click Properties. Go to the Directory Security tab.
  • Click Create a new certificate (or Renew the current certificate if that's what you're doing)
  • Select Prepare the request now, but send it later, and 1024 as the bit length.
  • Country Name (C): Use your two-letter country code such as CA or US.
  • State or Province (S): Spell out the full province or state name, such as: British Columbia
  • Locality or City (L): Your city or town name
  • Organization (O): Your full company name, without punctuation, such as: DotAlliance Inc
  • Organizational Unit (OU): The name of the department or organization unit making the request, such as: Secure Services
  • Common Name (CN): The full domain name of the certificate such as www.my-domain.ca or secure.my-domain.ca or my-domain.ca. The domain should be an exact match for what you want to be in the URL bar (ex: https://www.my-domain.ca/) - your users will get a security warning if a user goes to a domain different from the Common Name. (Such as if they go to https://www.my-domain.ca/ when their certificate specified my-domain.ca).
  • Click Finish to generate the CSR.
  • Send us the completed CSR.

IIS 7.0

  • Go to Start -> All Programs -> Administrative Tools -> Internet Services Manager (IIS) Manager
  • Under the left-hand Connections panel, click on your server name (the upper-level server name, not your website under Sites)
  • In the middle panel, double click Server Certificates
  • Click Create Certificate Request...
  • Common Name: The full domain name of the certificate such as www.my-domain.ca or secure.my-domain.ca or my-domain.ca. The domain should be an exact match for what you want to be in the URL bar (ex: https://www.my-domain.ca/) - your users will get a security warning if a user goes to a domain different from the Common Name. (Such as if they go to https://www.my-domain.ca/ when their certificate specified my-domain.ca).
  • Organization: Your full company name, without punctuation, such as: DotAlliance Inc
  • Organizational unit: The name of the department or organization unit making the request, such as: Secure Services
  • City/locality: Your city or town name
  • State/province: Spell out the full province or state name, such as: British Columbia
  • Country/region: Use your two-letter country code such as CA or US.
  • Click Next
  • Select Microsoft RSA SChannel Cryptography Provider, and 1024 as the bit length. Click Next
  • Select a location and file to save the CSR, then click Finish
  • Send us the completed CSR.

Installing your Web Server Certificate - IIS

IIS 5.0/6.0

  • You should have an email with a section like this:
    -----BEGIN CERTIFICATE-----
    [encoded data]
    -----END CERTIFICATE-----
    Copy-and-paste this entire section into notepad (make sure you have all the dashes), then save it as a .txt file.
  • Go to Start -> All Programs -> Administrative Tools -> Internet Services Manager (IIS) Manager
  • Right-click the name of the website you wish to secure, then click Properties. Go to the Directory Security tab.
  • Click Server Certificate
  • Select Process the Pending Request, then Install the Certificate, then click Next
  • Select the certificate file, then click Next
  • Make sure this is the correct certificate, then click Next
  • At the confirmation screen, click Next
  • Start and stop the webserver to make sure it takes effect. Make sure the site is using Port 443, and it is correctly assigned to your site's IP. (You can only host one security certificate per IP).

IIS 7.0

  • You should have an email with a section like this:
    -----BEGIN CERTIFICATE-----
    [encoded data]
    -----END CERTIFICATE-----
    Copy-and-paste this entire section into notepad (make sure you have all the dashes), then save it as a .txt file.
  • Go to Start -> All Programs -> Administrative Tools -> Internet Services Manager (IIS) Manager
  • Under the left-hand Connections panel, click on your server name (the upper-level server name, not your website under Sites)
  • In the middle panel, under IIS double click Server Certificates
  • In the right-hand Actions panel, click Complete Certificate Request...
  • Select the certificate file (just put in the domain name for the friendly name), then click OK
  • Go back to your server name (as above), then open Sites, then click on your server entry.
  • Under the right-hand Actions panel, click Bindings...
  • Click Add...
  • For binding Type, specify https, and make sure Port is set to 443.
  • For SSL certificate, select the friendly name you entered above (likely your domain name)
  • Click OK.
