SSL证书请求文件(CSR)生成指南 - Oracle Web Server(OAS)
重要注意事项 An Important Note Before You Start
By far the most common problem users have when going through this process is related to private keys. If you lose or cannot access a private key, you cannot use the certificate we issue to you and will need to request a free reissue. To ensure this never happens, we advise that a backup of the private key file is made and that a note is made of the password that is used to protect the export of the private key.
Please note that you should be using at least version 4.0.8 of Oracle Application Server (OAS) .
Version 4.0.7.x does not accept our certificates, despite that fact that the Linux version of OAS 220.127.116.11 experienced no problems when we tested it.
Generating a CSR (Certificate Signing Request)
Note: In the interest of better security and the enablement of greater trust, we have decided that 1024-bit keys will now be the minimum strength used in the issuance of thawte digital certificates.
In this first step you generate a request for Thawte to issue a certificate. It involves generating a public/private key-pair and identifying the server,
the organization using it, and its webmaster. The private key is encrypted and should never leave your server, except for backup purposes.
The public key will become part of the certificate and is therefore sent to Thawte, together with the rest of the information identifying your organization and your server.
To generate a certificate request, you will run the interactive utility genreq and enter the information for which it prompts you.
When the prompt specifies a default value, you can just press return to enter that value, or enter a different value if you prefer.
For an example of how to use genreq, see the following sample genreq session. Before you start, create a directory to store all SSL related files in, for example $ORACLE_HOME/ows2/ssl. To avoid typing long path names or moving files later, you can start genreq from this directory.
To run genreq, do the following:
- Start genreq, located in $ORACLE_HOME\OWS20\BIN on NT (typically c:\orant\ows20\bin) and $ORACLE_HOME/ows2/bin on UNIX:
- Type G to begin creating a certificate request:
- When prompted, type a password (minimum of 8 characters), used in encrypting your private key. Remember this password.
- Retype the password for confirmation. If the password do not match, genreq will not warn you, it will just repeat step 3.
- Choose the public exponent you want to use one in generating the key pair. The only two recognized exponents are 3 and 65537, commonly called Fermat 4 or F4.
- Enter the size in bits of the modulus you want to use in generating the key pair. For the version of genreq sold in the United States of America, the size may be from 1 to 1024. The default size is 768 bits and the maximum is 1024 bits. A modulus size of 1024 is recommended for most browsers and also by Thawte. For versions of genreq sold outside the USA, the maximum (and default) modulus size is 512 bits. (NOTE: 1024 bits would be equal to a 128 bit encryption)
- Choose one of three methods for generating a random seed to use in generating the key pair:
- Random file: genreq prompts you to enter the full pathname of a file in your local file system. This can be any file that is at least 256 bytes in size, does not contain any secret information, and has contents that cannot easily be guessed (on UNIX, you can use /var/adm/messages, on NT you can use \WINNT\System32\config\AppEvent.Evt)
- Random key sequences: genreq prompts you to enter random keystrokes. genreq uses the variation in time between keystrokes to generate the seed. Don't use the keyboard's autorepeat capability, and don't wait longer than two seconds between keystrokes. genreq prompts you when you have typed enough keystrokes. You must delete any unused characters typed after this prompt.
- Both: genreq prompts you to enter both a file name and random keystrokes. This option is recommended.
The next three steps will tell genreq where it should write certain files. If you've created an ssl directory and have started genreq from this directory, you can accept the defaults. Otherwise, you may want to include full pathnames, or plan to move the files that genreq created later.
- Enter the name of a file in which to store your WebServer's distinguished name. You can choose the default, or enter any filename with a .der extension. genreq creates this file in the current directory, though you may later move it to any convenient location.
- Enter the name of a file in which to store your WebServer's private key. You can choose the default, or enter any filename with a .der extension. genreq creates this file in the current directory, though you may later move it to any convenient location.
- Enter the name of a file in which to store the certificate request. You can choose the default, or enter any filename with a .pkc extension.
- Enter the requested identification information for your organization:
Common Name - The fully qualified host name of your organization's Internet point of presence as defined by the Domain Name Service (DNS).
Organizational Unit (optional) - The name of the group, division, or other unit of your organization responsible for your Internet presence, or an informal or shortened name for your organization.
Example: Oracle Government
Organization - The official, legal name of your company or organization. Most CAs require you to verify this name by providing official documents, such as a business license.
Example: Oracle Corporation
Locality - (optional) The city, principality, or country where your organization is located.
State or Province - The full name of the state or province where your organization is located. Thawte does not accept abbreviations.
Country - The two-character ISO-format abbreviation for the country where your organization is located. The country code for the
Example: United States is US.
WebMaster's Name - The name of the Web Master responsible for the site. This person will serve as a technical contact.
Example: Sergio Leunissen
WebMaster's Email Address - The email address where Thawte can contact the Web Master.
Server Software Version - The name and version number of the application for which you are getting the certificate (you should accept the default value).
测试CSR和把CSR发给WoSign, Start the certificate request process
生成CSR后，建议您自己测试一下生成的CSR文件是否正确，请点击 这里 测试您的CSR文件。请把测试成功的CSR文件发给WoSign即可。请一定不要再动您的服务器，等待证书的颁发。
To submit the CSR to WoSign for processing you should start the certificate enrollment process.