Chapter 3: Tutorial: Requesting and Issuing Server Certificates

This tutorial shows how to request and issue server certificates, using the scripts supplied with the demonstration CA.

Introduction

In this tutorial, you first take the role of a Web site owner requesting a server certificate from the CA. Then you take the role of the CA and issue the requested certificate. To do this, you use the following scripts:

These scripts are supplied with Micro Focus Demo CA and are installed by default in C:\Program Files\Micro Focus\DemoCA. To find the actual directory on your machine, look up the registry key HKLM\Software\Micro Focus\DemoCA\1.0\Setup\DemoCAFolder.

Requesting a Server Certificate

In this section, you take the role of a Web site owner running a server and asking the CA for a server certificate. As the server owner you create for yourself a private key and a public key, the latter in a certificate request (usually called a Certificate Signing Request, CSR) to send to the CA.

Most CAs are commercial ventures. With a commercial CA, you would typically contact them first, learn about what types of certificates they supply, and find out their prices, terms and conditions.

  1. Run the batch utility create_srv_req.cmd, in the DemoCA installation directory.

    The batch file creates a public/private key pair for your server, and creates a certificate request with the public key, to send to the CA.

    The private key is generated first and is stored in srvkey.pem.

  2. At the prompt, enter a pass phrase. Use a pass phrase that is easy for you to remember and yet hard for others to guess, for example open sesame. You must supply this pass phrase whenever your server's private key is accessed. You are prompted to confirm the pass phrase.
  3. The utility prompts you for the following details. These default to the values that you entered when you installed Micro Focus Demo CA:

    For example, you can enter something like:

    Country Name: US
    State or Province Name: California
    Locality: Palo Alto
    Organization Name: Bloggs Widgets Inc
    Organizational Unit Name: Marketing
    Common Name: [Press Enter to accept the server name value configured on installation.]
    Email Address: bloggs@widgets.com

    The details you enter are included in your server certificate to identify you.

  4. At the Enter an additional challenge password prompt, press Enter to ignore it. You can specify a pass phrase to protect your public certificate, but since it is a public certificate, it is seldom appropriate to protect it in this way.
  5. At the Unstructured Name prompt, press Enter to ignore.
  6. When the batch file finishes, confirm that the following were created in the installation directory:
  7. In a real case you would now send srvcertreq.csr to the CA.

Issuing a Server Certificate

In this section, you take the role of the CA and you issue the server certificate.

  1. Run the batch file sign_srv.cmd, which is in the DemoCA installation directory. When the batch file asks if you are ready, press any key.

    The batch file calls the ca command of the openssl utility to create a signed certificate, srvcert.pem, containing the public key from the certificate request.

  2. When you are prompted for the pass phrase, enter the CA pass phrase srvrootpwd. This pass phrase unlocks the CA private key file cakey.pem; the utility then displays the certificate request read from the CSR file srvcertreq.csr.
  3. When asked whether to sign the certificate, reply y twice.

    The certificate is then created and signed with the CA private key from cakey.pem (not the server key in srvkey.pem). It is in PEM format. It is saved in srvcert.pem, with a copy in newcerts\01.pem. If this tutorial has been run before, and 01.pem already exists, the copy will be called 02.pem and so on.

  4. As before, view the certificate using the openssl x509 command:
    openssl x509 -in 01.pem -text

    Notice that the Issuer is shown as the Distinguished Name of your Demo CA, while the Subject - the entity to whom the certificate has been issued - is the Distinguished Name of your server.

  5. Copy 01.pem from the newcerts directory to the certs directory, which is your Demo CA's database of the certificates it has issued.
  6. In a real case the CA would now send srvcert.pem to the server owner to install it in their SSL software so that Web users can download it.
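The two procedures above, requesting (create_srv_req.cmd) and issuing (sign_srv.cmd), as one added shell script. This is not part of the Demo CA and not its batch files; it drives openssl directly, keeping the tutorial's file names (srvkey.pem, srvcertreq.csr, cakey.pem, srvcert.pem, newcerts/01.pem, certs/) and pass phrases (open sesame, srvrootpwd). Assumptions: openssl on the PATH, a POSIX shell, a scratch directory the script creates, the constructed server name server.example and e-mail address from step 3, a self-signed CA certificate cacert.pem that the script generates in place of the one the installer creates, and a minimal configuration file ca.cnf that stands in for the Demo CA's own openssl configuration.

```shell
#!/bin/sh
# Added example (not the Micro Focus Demo CA scripts): the request-then-issue
# flow of create_srv_req.cmd and sign_srv.cmd, run with openssl directly.
# Assumptions: openssl on PATH; DEMO_DIR writable; server.example and ca.cnf
# are constructed stand-ins for the installer's server name and configuration.
set -eu

DEMO_DIR="${DEMO_DIR:-$(mktemp -d)}"
CA_PASS="srvrootpwd"      # CA pass phrase used in the tutorial
SRV_PASS="open sesame"    # server key pass phrase used in the tutorial

# Minimal openssl.cnf giving `openssl ca` the database layout the tutorial
# describes: newcerts/ for issued copies, a serial counter and an index file.
write_config() {
  mkdir -p "$DEMO_DIR/newcerts" "$DEMO_DIR/certs"
  : > "$DEMO_DIR/index.txt"
  echo 01 > "$DEMO_DIR/serial"
  cat > "$DEMO_DIR/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir             = $DEMO_DIR
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
private_key     = \$dir/cakey.pem
serial          = \$dir/serial
default_md      = sha256
default_days    = 365
policy          = loose_policy
x509_extensions = server_ext
[ loose_policy ]
commonName             = supplied
emailAddress           = optional
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
authorityKeyIdentifier = keyid
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
}

# Stand-in for the CA material the Demo CA installer creates (cakey.pem, cacert.pem).
init_ca() {
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$DEMO_DIR/cakey.pem" 2048 2>/dev/null
  openssl req -x509 -new -config "$DEMO_DIR/ca.cnf" -extensions v3_ca -days 365 \
    -key "$DEMO_DIR/cakey.pem" -passin "pass:$CA_PASS" \
    -subj "/O=Demo CA/CN=Demo CA Root" -out "$DEMO_DIR/cacert.pem"
}

# What create_srv_req.cmd does: private key first (pass-phrase protected), then a
# CSR carrying the public key and the identifying details entered in step 3.
create_srv_req() {
  openssl genrsa -aes256 -passout "pass:$SRV_PASS" -out "$DEMO_DIR/srvkey.pem" 2048 2>/dev/null
  openssl req -new -config "$DEMO_DIR/ca.cnf" \
    -key "$DEMO_DIR/srvkey.pem" -passin "pass:$SRV_PASS" \
    -subj "/C=US/ST=California/L=Palo Alto/O=Bloggs Widgets Inc/OU=Marketing/CN=server.example/emailAddress=bloggs@widgets.com" \
    -out "$DEMO_DIR/srvcertreq.csr"
}

# What sign_srv.cmd does: `openssl ca` signs the CSR with cakey.pem and writes
# srvcert.pem plus a copy under newcerts/<serial>.pem; -batch replaces the y/y prompts.
sign_srv() {
  openssl ca -batch -notext -config "$DEMO_DIR/ca.cnf" -passin "pass:$CA_PASS" \
    -in "$DEMO_DIR/srvcertreq.csr" -out "$DEMO_DIR/srvcert.pem" 2>/dev/null
  cp "$DEMO_DIR/newcerts/01.pem" "$DEMO_DIR/certs/"   # step 5 of the issuing section
}

# CN of the subject or issuer ($1 = subject|issuer) of certificate $2: the step 4 check.
cert_cn() {
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Exit status 0 only if the certificate chains to the CA certificate.
verify_chain() {
  openssl verify -CAfile "$DEMO_DIR/cacert.pem" "$1" >/dev/null 2>&1
}

write_config; init_ca; create_srv_req; sign_srv
echo "issued by: $(cert_cn issuer "$DEMO_DIR/srvcert.pem")"   # the Demo CA's DN
echo "issued to: $(cert_cn subject "$DEMO_DIR/srvcert.pem")"  # the server's DN
```

Running the script prints the issuer and subject common names, which is the same Issuer/Subject relationship step 4 asks you to notice in the openssl x509 -text output. The -batch flag is what removes the two y answers of step 3; the policy section lists every DN field because openssl ca silently drops fields the policy does not mention, so a too-short policy would issue a certificate missing the details from step 3 of the request.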

Copyright © 2009 Micro Focus (IP) Ltd. All rights reserved.