CSR Generation Instruction - Innosoft PMDF-TLS
An Important Note Before You Start
By far the most common problem users have when going through this process is related to private keys. If you lose or cannot access a private key, you cannot use the certificate we issue to you and will need to request a free reissue. To ensure this never happens, we advise that a backup of the private key file is made and that a note is made of the password that is used to protect the export of the private key.
To generate a CSR for Innosoft PMDF-TLS follow the instructions below:
A utility is provided to generate a public key pair and a certificate request. Its output includes three files:
* a file containing the private key, (for testing purposes you may call the file anything you like, but for live operation the file must be named server-priv.pem and stored in the PMDF table directory and it must be protected against world access---this is your private key!),
* a certificate request file containing the public key,
* and a self-signed certificate (which may be used while awaiting signing by a Certificate Authority of the certificate request) also containing the public key.
To use the utility, on OpenVMS, issue the command:
$ RUN PMDF_EXE:tls_certreq
Or on UNIX, issue the command:
Or on NT, issue the command:
If you wish to write live files to the PMDF table directory, make sure that you are privileged to write to the PMDF table directory before invoking the utility. Otherwise, if you are going to do testing writing test files to some other directory, the utility itself does not require that you be privileged.
This utility invokes an interactive script that will prompt you for answers to a number of questions, including:
How many bits of encryption you would like to use.1
The name of the file in which to store the private key part of the RSA key pair.
Your e-mail address (as the person responsible for the certificate request).
The two character ISO country code2 for the country in which the PMDF system is located.
The state or province in which the PMDF system is located.
The city in which the PMDF system is located.
The official name of your organization.
Optional additional organization information.
The name of the file in which to store the generated certificate request.
The number of days for which you would like your temporary self-signed certificate to be valid.
The name of the file in which to store the self-signed certificate. When prompted for information, if there is a default value available, it will be shown within square brackets. Some questions do not require answers and will be presented displaying (optional) if you can simply press RETURN to skip that question.
A sample execution on OpenVMS of PMDF_EXE:tls_certreq is shown in the example below; execution is analogous on UNIX and NT, modulo only different file name syntax.Example 16-1 Sample execution of the tls_certreq utility on OpenVMS
Generating RSA Private Key
How many bits of encryption would you like for your certificate?
512 is used for export-grade encryption, 1024 is typical for domestic certificates :
Generating a 1024 bit RSA private key
Enter a filename where the PRIVATE part of the RSA key pair will be saved. (Note that this file must be protected against public access as doing otherwise would compromise the security offered by
PMDF-TLS. Ensure that the file has a protection like "(RWED,RWED,,)".
Generating Certificate Request
Please enter the Distinguished Name information for your certificate request...
This e-mail address will be used as the contact for this certificate.
You should enter your e-mail address where the Certificate Authority can contact you regarding this certificate request.
E-Mail address of person submitting the request: Joe.Manager@Domain.Com
The domain name entered here will be the "common name" used for the certificate. Clients will verify that the system to which they connected matches this domain name, so you'll want to ensure that you choose the appropriate name for the server. For example, if a system is really named frodo.domain.com, but people will be accessing it as mail.domain.com, the domain name chosen here should be mail.domain.com
Domain name of TLS/SSL server for which request is being generated: *.domain.com
Enter the appropriate two letter code here (US for United States, CA for Canada, etc.).
Two character ISO country code for server's location: US
Enter your state/province name here. Most Certificate Authorities will require that this field be filled in.
State or Province (not abbreviated) where server is located
(optional) : California
Also if desired, enter the name of your city here. Again, most Certificate Authorities will require this to be in your certificate.
City where server is located (optional) : West Covina
This is the full name of the company or organization that will be the official owner of the certificate. The Certificate Authority will probably require that this EXACTLY match the organization's name as officially registered in the organization's local authority.
Official name of organization responsible for server: Domains R Us
Some organizations may have extra distinguishing information that they wish to have included in their certificate.
Extra company name information (optional) : RETURN
If this certificate will be used solely within a particular department, you may wish to include that in the distinguished name on the certificate.
Name of the department within organization responsible for server (optional) : RETURN
This file will contain the certificate request that will be given to a Certificate Authority to sign and generate your certificate.
Enter a filename where the certificate request will be saved
Certificate request has been generated. Follow the instructions provided by the Certificate Authority to obtain your certificate.
Generating Self-Signed Certificate
Since it will typically take some period of time to obtain a signed certificate from a Certificate Authority, the Certificate Request tool also generates a self-signed certificate that can be used temporarily in place of one signed by a Certificate Authority.
Since all certificates have built-in expiration dates, you should choose how long before this self-signed certificate will expire. If you will be proceeding with obtaining a certificate signed by a recognized Certificate Authority, then the default of 365 days will provide ample time. If you intend on using the self-signed certificate permanently, you may wish to choose a longer validity period.
How many days would you like the self-signed certificate to be valid for? : RETURN
Enter a filename where the self-signed certificate will be saved [PMDF_TABLE:SERVER-SELFSIGN.PEM]: RETURN
Self-signed certificate has been generated. You may use this certificate in lieu of one signed by a well-known Certificate Authority if you wish.
Please see the PMDF TLS installation documentation for more information about certificate usage and installation.
Start the certificate request process
To submit the CSR to WoSign for processing you should start the certificate enrollment process.