Generating a Web or Device Certificate Using Entrust Enrollment Server for Web

These are the detailed steps to generate a certificate using Microsoft IIS and IBM HTTP Server.

Generating a Certificate for Microsoft IIS
1. Request a device certificate from your Registration Authority (RA or LRA) using a Sponsor Acknowledgement Agreement form.
2. The RA will deliver activation codes (Reference Number and Authorization Code). These codes have a shelf life of 14 calendar days. If you fail to use them within that time frame, you will have to repeat the process.
3. Log into the Web Server and open the web configuration.
4. Right-click Default Web Site and click Properties in the pop-up menu.
5. Click Directory Security in the dialog box that opens.
6. Under Secure Communications, click Server Certificate. The Web Server Certificate Wizard appears.
7. Click Next.
8. Click Create a new certificate and then click Next.
9. Ensure that Prepare request now, but send it later is selected and click Next.
10. Note: Use the web site name as the certificate DN, or users connecting to your Web site will receive a warning stating that the certificate name does not match the name of the Web server.
11. In the bit length list, select 2048 bits.
12. In the Common Name field, enter the reference number obtained for your certificate and click Next.
13. Ensure that the time zone is correct and click Next.
14. In the File name field, use the default, or enter a new path and file name for the file that will contain the Web server certificate request. Click Next.
15. The File Summary dialog box opens.
16. Click Next, Finish, and OK to generate the CSR.
17. Open the file. It should look similar to this:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBEzCBzgIBADB7MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
YTEQMA4GA1UEBxMHT2FrbGFuZDEbMBkGA1UEChMSQzJOZXQgU29mdHdhcmUg
SW5jMRAwDgYDVQQLEwdUZXN0aW5nMRYwFAYDVQQDEw1nYWJiZXIuYzIubmV0
MEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxAJukoQhq4LanG2k+LnRTGJAcgv9L
JPsdfCsjqRs8ygoyaw4ucOEdx+WdnM0x36NcQIDAQABMA0GCSqGSIb3DQEBB
AUAAzEABRLR6IkG70oNG1MnvuMDeWou4kIvc98ysjssCNKsDKsHAXBSEbfsI
Qs5JRNagVBW
-----END NEW CERTIFICATE REQUEST-----

Copy the CSR to the clipboard, including the BEGIN and END lines.
18. Retrieve the certificate using Entrust Web Connector:
    a. Access Enrollment Server for Web.
    b. Click Web server.
    c. Enter the reference number and authorization code.
    d. Paste the certificate request into the large text box.
    e. In the Options field, choose the format "displayed as PEM encoding of certificate in raw DER".
    f. Click Submit Request. Security Manager generates a certificate and sends it to Enrollment Server.
    g. Copy the entire certificate to the clipboard. Paste the certificate into a text file in the same directory as the private key and certificate request.
19. Import the Web server certificate into Microsoft IIS:
    a. Open the Internet Services Manager (click Start > Programs > Administrative Tools > Internet Service Manager).
    b. In the tree view, right-click Default Web Site and click Properties in the pop-up menu. Click the Directory Security tab.
    c. Under Secure Communications, click Server Certificate. The Web Server Certificate Wizard opens. Click Next.
    d. Select Process the pending request and install the certificate and click Next.
    e. Click Browse to find the file that contains the certificate and click Next.
    f. Click Next and Finish.
Generating a Certificate for IBM HTTP Server
1. Request a device certificate from your Registration Authority (RA or LRA) using a Sponsor Acknowledgement Agreement form.
2. The RA will deliver activation codes (Reference Number and Authorization Code).
3. Generate a certificate signing request (CSR) using OpenSSL. Enter the reference number when prompted for the CN.

openssl req -config openssl.cnf -new -newkey rsa:2048 -nodes -keyout key.pem -out request.pem

The certificate request will look similar to this:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBEzCBzgIBADB7MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
YTEQMA4GA1UEBxMHT2FrbGFuZDEbMBkGA1UEChMSQzJOZXQgU29mdHdhcmUg
SW5jMRAwDgYDVQQLEwdUZXN0aW5nMRYwFAYDVQQDEw1nYWJiZXIuYzIubmV0
MEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxAJukoQhq4LanG2k+LnRTGJAcgv9L
JPsdfCsjqRs8ygoyaw4ucOEdx+WdnM0x36NcQIDAQABMA0GCSqGSIb3DQEBB
AUAAzEABRLR6IkG70oNG1MnvuMDeWou4kIvc98ysjssCNKsDKsHAXBSEbfsI
Qs5JRNagVBW
-----END NEW CERTIFICATE REQUEST-----

4. Obtain copies of the appropriate root and issuer certificates, naming them root.cer and issuer.cer.
5. Retrieve the certificate from Entrust using Entrust Web Connector:
    a. Access Enrollment Server for Web.
    b. Click Web server.
    c. Enter the reference number and authorization code.
    d. Paste the certificate request into the large text box.
    e. In the Options field, choose the format "displayed as PEM encoding of certificate in raw DER".
    f. Click Submit Request. Security Manager generates a certificate and sends it to Enrollment Server.
    g. Copy the entire certificate to the clipboard. Paste the certificate into a text file in the same directory as the private key and certificate request.
6. Combine the certificate and private key into a PKCS#12 file using OpenSSL:

openssl pkcs12 -export -inkey key.pem -in web_server.cer -out web_server.p12 -name cert_label

7. Create a CMS database from the PKCS#12 file using GSK:

gsk7cmd -keydb -convert -db web_server.p12 -old_format pkcs12 -new_format cms
gsk7cmd -keydb -stashpw -db web_server.kdb

8. Add the root CA to the KDB file:

gsk7cmd -cert -add -file root.cer -db web_server.kdb -format ascii -label rootca -trust enable

9. Add the intermediate CA to the KDB file:

gsk7cmd -cert -add -file issuer.cer -db web_server.kdb -format ascii -label issuer -trust enable

10. Edit the httpd.conf file. Find the appropriate stanza in the httpd.conf file. The SSLEnableCert parameter must match the label of the certificate in the KDB file.
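The following shell helpers are an added example, not part of the Entrust or IBM instructions above. They wrap the OpenSSL parts of the IBM HTTP Server procedure (the CSR of step 3 and the PKCS#12 export of step 6) and add two checks a practitioner wants before handing the file to gsk7cmd: that the CSR's CN really carries the reference number (this check also applies to the request file produced by the IIS wizard in step 17 of the first procedure), and that the certificate returned by Enrollment Server matches the private key that signed the request, which is the usual cause of a PKCS#12 file that GSK cannot use. Assumptions: openssl is on PATH with a usable default configuration (the page's openssl.cnf is not required here), the reference number 12345678, the file names, the label cert_label and the export password are placeholders, and because the example must run offline, a self-signed certificate on the same CSR stands in for the certificate Entrust would issue.

```shell
# Added example; not Entrust's or IBM's code. Requires openssl on PATH.
set -eu

# Step 3: 2048-bit key plus a CSR whose CN is the Entrust reference number.
# $1 = reference number (placeholder in this example), $2 = output directory
make_csr() {
    ref="$1"; dir="$2"
    mkdir -p "$dir"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$ref" \
        -keyout "$dir/key.pem" -out "$dir/request.pem" 2>/dev/null
}

# Read the CN back out of a CSR. The sed handles both the older "subject=/CN=x"
# and the newer "subject=CN = x" output styles; CN is the last RDN, as on the page.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Does the certificate's public key belong to this private key? A mismatch means
# the wrong request was pasted into Enrollment Server; the PKCS#12 export in
# step 6 would then produce a file IHS cannot use. Returns 0 on a match.
key_matches_cert() {
    key="$1"; cert="$2"
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Step 6: combine key and certificate into a PKCS#12 file under the label that
# httpd.conf will later reference. Refuses to build the file on a key mismatch.
# $1 key, $2 certificate, $3 output .p12, $4 label, $5 export password (placeholder)
build_p12() {
    key="$1"; cert="$2"; out="$3"; label="$4"; pw="$5"
    key_matches_cert "$key" "$cert" || { echo "key/certificate mismatch" >&2; return 1; }
    openssl pkcs12 -export -inkey "$key" -in "$cert" -out "$out" \
        -name "$label" -passout "pass:$pw"
}

# Confirm the PKCS#12 opens with the password and carries the expected label
# (OpenSSL prints it as the friendlyName bag attribute).
p12_label() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
        | sed -n 's/^ *friendlyName: *//p'
}

# Constructed stand-in for the CA-issued certificate so the workflow can be run
# offline: a one-day self-signed certificate on the same CSR. In real use the
# file is the one pasted from Enrollment Server (web_server.cer on the page).
selfsign_for_demo() {
    openssl x509 -req -in "$1/request.pem" -signkey "$1/key.pem" -days 1 \
        -out "$1/web_server.cer" 2>/dev/null
}
```

Run make_csr first, replace the self-signed stand-in with the certificate from Enrollment Server, then build_p12; if p12_label prints cert_label, the gsk7cmd conversion in step 7 will find the same label that SSLEnableCert must name.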