Apache SSL Certificate Request

SSL Certificate request for MSIIS 4.0

This document outlines the steps involved in getting a signed certificate from Thawte for Apache-SSL on Unix.

Step 1. Generate a Private key and certificate request.

Thawte provides a good set of instructions for doing this at http://www.thawte.com/certs/server/keygen/apachessl.html. Please follow these instruction. Below are brief descriptions of what should be filled into the blanks during this process. Anything that is in bold must be filled in exactly as given right down to the capitals.

Note that the information you include in the certificate request must be exact and correct. Some data names are misleading. If you are not 100% sure of how to fill in a blank during this process please ask us as it will save a lot of time later. Also note that this process creates a Private Key with a password. If you lose the Private Key or forgets its password your certificate will be useless and you will have to start over and pay again. Note also that the Key must be kept safe as if it gets into public hands then all encryption efforts are lost and your system can be spoofed by others.

Field Name Description of what to enter

Generate a Key

Enter PEM pass phrase
Verifying password - Enter PEM pass phrase If you used the -des3 option you will be asked for a password. This password will protect your key from being used if stolen. This is not nessicary if you feel your system is secure. Note that the key should only be readable on the system by root and the web server be started as root.

Generate a CSR

Enter PEM pass phrase If you used the -des3 option when generating your key the password will be asked for here.

Country Name (2 letter code) CA

State or Province Name (full name) Ontario

Locality Name (eg, city) London

Organization Name (eg, company) The University of Western Ontario

Organizational Unit Name (eg, section) Your Department or Faculty name. Please use its full name and not a short form or acronym.

Common Name (eg, YOUR name) This is the dns name of you web server. This should be what appears in the URL when you access the secure area of your server. (ie. www.dept.uwo.ca)

E-mail Address This should be the e-mail address of the technical contact for the web server. Note if you have a webmaster@dept.uwo.ca then this can be used instead of the person's personal e-mail account.

A challenge password
An optional company name These fields are not nessicary but can be used if required.

STEP 3 - Generate Certificate Note: This step is not required unless you are in a rush to get things up and running.

Enter PEM pass phrase If you used the -des3 option in when generating your key the password will be asked for here.

Step 2. Send the Certificate request to Thawte for signing.

During this process please read all information on these pages and if you have any questions stop the process and send them to web-certificates@julian.uwo.ca.

Open a web browser and goto URL https://www.thawte.com/cgi/server/step1.exe?zone=ssl&theent=UWO
In the first page:

From the certificate request file generated in Step 1 cut the Certificate Signing Request (CSR). This is the part of the file between and including the begin and end lines. Paste this into the web form in the provided scroll box. CSR example:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIB4DCCAUkCAQAwgZ8xCzAJBgasdfe3AkNBMRAwDgYDVQQIEwdPbnRhcmlvMQ8w
DQYDVQQHEwZMb25kb24xKjAoBgNVBAoTIVRoZSBVbml22gJzaXR5IG9mIFdlc3Rl
cm4gT250YXJpbzEoMCYGA1UECxMfSW5mb3JtYXRpb24gVGVjaG5vbG9neSBTZXJ2
aWNlczEXMB13A1UEAxMOa2ltLml0cy51d28uY2EwgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBALOJ4G4XO4xDSvTudh0tPpLC56Lhw/icO118/ujsbKG3yuUZvzp9
RIqFR8NRcbN8DQxYT64B9BGXkFO0anpAZ2eCeh23RDzzmDim7RW8LTXLo0VCOojo
0+6JXMRbFnzEUzE9D7j3Un70Pyx6N40XHXyCLD7cW5bDZBh6nC13pNpzAgMBAAGg
ADANBgkqhkiG9w0BAQQFAAOBgQB+wL8e10d9liaHvGjzHeePVP7HtMNz3bnn6Gq0
uFeLIo2y5DIKsAiZI4GEQH7Eu5S3UPh15gsvxI0JQpis/AqmekmMkxasKJJfhpJ3
9p14Ocfw/G1TcabOXBd0xpHau63LbMrhZRaQOs6z/gbVgIznPXIK+PKgV2Wuqx1W
6Og5kw==
-----END NEW CERTIFICATE REQUEST-----

Select your web server type from the drop down list.
Click on 'Next' at the bottom.

On the second page:

Verify the data in the certificate is correct and that the following fields match exactly down to the Capitals:

ISO Country Code: CA
State or Province: Ontario
City or Town: London
Organization: The University of Western Ontario

DO NOT select 'Please enable 128-bit security on our web server' as we are not vetted for it.
For the Authorizing Contact Person fill in the information for the head of the department or faculty requesting this certificate. Note that this person must be the director or dean and have signing authority for the department/faculty and verify that the department/faculty is requesting this certificate for its web server. This person must also indicate they have appointed the technical contact as the person responsible for the server. This person will be contacted by an ITS representative to verify this certificate request. An independent search for the head of the department/faculty will be completed and if the result of this search do not match the data given here then the authenticity of this request may be questioned. Please note that if the certificate is for a larger department/Faculty than you belong to then the signing authority should be that of the larger department/Faculty (example. I work for the department of technical services inside the faculty of science. The department maintains the faculty's web server which the certificate is for. Therefor the dean of science is the Authorizing Contact person for this request.)
For the Technical Contact/Webmaster fill in the information for the person responsible for maintaining the web server. Note that this should not be a generic name and email address like webmaster.
Click on 'Next' at the bottom.

On the third page:

Enter in a password. This will protect your signing request from being monitored by other people. Please do not use the same password that you used to sign your private key.
This is your last chance. Click 'Next' only if all is correct.

On the Results page:

a code like CATHEU# will be given. Write this code down as you may be required to use this code to retrieve your certificate once it has been issued. This code should be given in any correspondence with Thawte or ITS in reguards to this certificate.

Step 3. Verification process and Payment.

Three e-mails will be sent by Thawte. One each to the Authorizing Contact, Technical Contact and to a member of ITS. The ITS representative will then contact the Authorizing Contact and Technical Contact to verify the request. Payment for the certificate of $100 US will be finalized. Once payment has been received ITS will approve the certificate signing and Thawte will issue the certificate.

Step 4. Retrieving the certificate.

When the certificate has been approved and signed Thawte will send another email to the Technical Contact. This email will contain a URL which will allow you to download your certificate. Goto this URL and enter in your password. This is the password you gave on the third page of Step 2. On the next screen you will be asked what format you want to download the certificate in. Select 'Standard Certificate Format' and use the 'Fetch Certificate' button to retrieve your certificate.
It will look a lot like the CSR. Copy it off this page into a text file. This file will be used to install the certificate into your web server. Backup this file along with the Private Key and keep them safe.

Step 5. Install your certificate.

At the end of the instructions from Thawte to generate a CSR used in step 1 are the required steps to install the certificate into your web server.

Getting Help

If you require assistance during any of this process please send an e-mail to web-certificates@julian.uwo.ca.

Field Name	Description of what to enter
Generate a Key
Enter PEM pass phrase Verifying password - Enter PEM pass phrase	If you used the -des3 option you will be asked for a password. This password will protect your key from being used if stolen. This is not nessicary if you feel your system is secure. Note that the key should only be readable on the system by root and the web server be started as root.

Generate a CSR
Enter PEM pass phrase	If you used the -des3 option when generating your key the password will be asked for here.
Country Name (2 letter code)	CA
State or Province Name (full name)	Ontario
Locality Name (eg, city)	London
Organization Name (eg, company)	The University of Western Ontario
Organizational Unit Name (eg, section)	Your Department or Faculty name. Please use its full name and not a short form or acronym.
Common Name (eg, YOUR name)	This is the dns name of you web server. This should be what appears in the URL when you access the secure area of your server. (ie. www.dept.uwo.ca)
E-mail Address	This should be the e-mail address of the technical contact for the web server. Note if you have a webmaster@dept.uwo.ca then this can be used instead of the person's personal e-mail account.
A challenge password An optional company name	These fields are not nessicary but can be used if required.

STEP 3 - Generate Certificate	Note: This step is not required unless you are in a rush to get things up and running.
Enter PEM pass phrase	If you used the -des3 option in when generating your key the password will be asked for here.