Environment
Situation
Resolution
Use OpenSSL to create a certificate as described below:
1) Collect all needed data. Use your own values in place of the example data below:
• Country (2 letter Abbrev): US
• State: California
• Locality (or City): San Diego
• Organizational Name: MicroFocus
• Organization Unit: NetIQ
• Common Name (i.e. domain): ssprdemo.com
• Email Address: admin@ssprdemo.com
• Public-Private Key file: ssprdemo_com_privkey.pem
• CSR file: ssprdemo_com.csr
• Server Certificate (End-Entity) file: ssprdemo_com_ee.crt
• Intermediate Certificate file: ssprdemo_com_i1.crt
• PKCS12 (PFX) file: ssprdemo_com.pfx
Notes:
A) Vendors will have different default names for their certificate files. The names are not important; you just need to be able to identify each certificate.
B) I have not seen a case where more than one intermediate certificate is needed. However, if you have this case, you can copy all the intermediate certificates into a single file, being sure to preserve everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----; in other words, just paste the contents of the second file at the end of the first file.
2) Generate a 2048-bit (or greater) RSA Public-Private Key pair.
• IMPORTANT: You should perform this process on a secured machine. (This does not need to be done on the SSPR server; it can be done on any machine where OpenSSL is installed.) For higher security this machine should not have internet/network capabilities. In this case, internet functions will need to be performed on a different machine, and the CSR and certificate files moved between machines by hand.
• Type the following:
  openssl genrsa -out ssprdemo_com_privkey.pem 2048
3) Generate the CSR. Type the following:
  openssl req -new -sha256 -key ssprdemo_com_privkey.pem -out ssprdemo_com.csr
• When prompted, enter the location data collected in step 1 above.
• You can skip the non-required fields, “challenge password” and “optional company name”, by just pressing [Enter], or you can supply appropriate data for those fields.
4) Submit the CSR to your Certificate Vendor.
• You will need to be able to prove that you are the administrator for the domain you are securing. Typically this is done by validating a specific account email address (ex. admin@ssprdemo.com).
• Depending on the type of certificate, you may need further interaction with the Certificate Vendor to provide detailed proof of domain ownership and company affiliation.
• The exact steps to accomplish this task, as well as the next task, will vary between vendors.
5) Acquire the X.509 certificate and any intermediate certificates from your Certificate Vendor.
• The server certificate (AKA End-Entity Certificate) (ex. ssprdemo_com_ee.crt).
• Any intermediate certificate(s). Make sure to acquire the one(s) that match your server certificate (ex. ssprdemo_com_i1.crt).
• For the purpose of these instructions, save each certificate in its own file.
• Each file must be PEM encoded. Your vendor may provide multiple file formats; make sure that the one you acquire is the format whose content begins with: -----BEGIN CERTIFICATE-----
Note: Most Certificate Vendors offer several different levels of certificates. In addition, with the current security vulnerabilities around the SHA-1 algorithm, vendors are offering a choice of the root certificate in the chain, either SHA-1 or SHA256.
In other words, although your server certificate and any intermediate certificates will always be signed using SHA256, the root certificate can be either a SHA-1 (older) or SHA256 (newer) signed root. The reason for choosing the SHA-1 root would be if you need to support older clients that have not been upgraded to include the newer SHA256 root; otherwise choose the SHA256 root.
6) Create the PKCS12 (PFX) file. Type the following (openssl will prompt for an export password; this is the password you will enter in step 7):
  openssl pkcs12 -export -inkey ssprdemo_com_privkey.pem -in ssprdemo_com_ee.crt -certfile ssprdemo_com_i1.crt -out ssprdemo_com.pfx
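The following script is an added worked example, not part of the original article: it runs steps 2, 3 and 6 non-interactively (the step 1 values are passed with -subj instead of being typed at prompts), and because a real vendor cannot be reached offline it stands in for steps 4 and 5 with a constructed throwaway root and intermediate CA that sign the CSR and produce files with the article's names. Between the steps it performs the checks worth running before importing the PFX: that the server certificate's public key belongs to the private key, that the certificate chains to the root through the supplied intermediate, that the server certificate is SHA-256 signed, and that the PFX contains both certificates. The password `changeit`, the `WORK` directory, and the test CA names are assumptions of this example.

```shell
#!/bin/sh
# Added worked example (not from the original article): steps 2, 3 and 6 run
# non-interactively, with a constructed local CA standing in for the vendor
# (steps 4 and 5), plus the checks you would run before importing the PFX.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Subject values from step 1 of the article, passed with -subj so there are no prompts.
SUBJ="/C=US/ST=California/L=San Diego/O=MicroFocus/OU=NetIQ/CN=ssprdemo.com/emailAddress=admin@ssprdemo.com"

# Step 2: 2048-bit RSA public-private key pair.
make_key() {
    openssl genrsa -out ssprdemo_com_privkey.pem 2048 2>/dev/null
}

# Step 3: SHA-256 signed CSR from that key.
make_csr() {
    openssl req -new -sha256 -key ssprdemo_com_privkey.pem -subj "$SUBJ" -out ssprdemo_com.csr
}

# Steps 4-5 stand-in: a throwaway root and intermediate CA (constructed here,
# never to be trusted outside this demo) sign the CSR and produce files with
# the article's names. A real vendor does this part.
fake_vendor_sign() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Constructed Test Root" -keyout root.key -out root.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Constructed Test Intermediate" -keyout i1.key -out i1.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in i1.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 30 -sha256 -extfile ca.ext -out ssprdemo_com_i1.crt 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ssprdemo.com\nextendedKeyUsage=serverAuth\n' > ee.ext
    openssl x509 -req -in ssprdemo_com.csr -CA ssprdemo_com_i1.crt -CAkey i1.key \
        -CAcreateserial -days 30 -sha256 -extfile ee.ext -out ssprdemo_com_ee.crt 2>/dev/null
}

# Check 1: the public key inside the server certificate is the one derived from
# our private key (a mix-up here is the usual cause of a failed PFX export).
key_matches_cert() {
    k=$(openssl pkey -in ssprdemo_com_privkey.pem -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in ssprdemo_com_ee.crt -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

# Check 2: the server certificate chains to the root through the intermediate
# we were given (catches the "wrong intermediate" problem from step 5).
verify_chain() {
    openssl verify -CAfile root.crt -untrusted ssprdemo_com_i1.crt ssprdemo_com_ee.crt >/dev/null
}

# Check 3 (step 5 note): the server certificate's signature algorithm.
ee_sig_alg() {
    openssl x509 -in ssprdemo_com_ee.crt -noout -text | sed -n 's/.*Signature Algorithm: //p' | head -n 1
}

# Step 6: bundle private key, server certificate and intermediate into a PKCS12.
# -passout is used only to keep the demo non-interactive; normally let openssl prompt.
make_pfx() {
    openssl pkcs12 -export -inkey ssprdemo_com_privkey.pem -in ssprdemo_com_ee.crt \
        -certfile ssprdemo_com_i1.crt -out ssprdemo_com.pfx -passout pass:changeit
}

# Check 4: the PFX carries both certificates (server + intermediate), so the
# server will send a complete chain after the import in step 7.
pfx_cert_count() {
    openssl pkcs12 -in ssprdemo_com.pfx -passin pass:changeit -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

run_all() {
    make_key && make_csr && fake_vendor_sign && key_matches_cert && verify_chain \
        && make_pfx && [ "$(pfx_cert_count)" = "2" ]
}

run_all && echo "key, CSR, chain and ssprdemo_com.pfx built and verified in $WORK"
```

When following the article with a real vendor, keep the four check functions and drop `fake_vendor_sign`: point `-CAfile` at the vendor's root certificate, and run `key_matches_cert` and `verify_chain` against the files the vendor returned before creating the PFX.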
7) Import the PKCS12 file into your SSPR configuration.
• Log in to your SSPR application as an SSPR administrator.
• Open the SSPR Configuration Editor.
• Browse to Settings ⇨ HTTP Server.
• Click the Import Private Key & Certificate button.
• Specify the password, and use the Choose File button to select the PKCS12 file previously created (ex. ssprdemo_com.pfx).
• Click the Upload button.
• Click the Save changes button in the upper right corner.
• Confirm the change by selecting OK in the pop-up.
NOTE: You must restart Tomcat in order for the change to take effect.
• Windows: Restart the service or reboot Windows.
• Appliance: Reboot the appliance.
8) Back up and secure the key files.
• Make sure to create one or more backups of all the files used in this process, and keep them in a secure place (ex. a fire-proof safe, or secure off-site storage). If/when you want to renew a certificate, your vendor will probably require them. Note: renewal usually costs less than getting a new certificate.
• If the machine you created the key on will not be secure at all times, you should delete the public-private key file and the PKCS12 file using a tool designed to permanently delete sensitive data, but only after creating one or more backups and securely storing the backups.