Finding Your Way

How Do I ... Generate a certificate signing request and have it signed by Thawte Certification for Apache Web Servers with SSL

Contents

Introduction

This document outlines the steps involved to generate a certificate signing request for Apache Web Servers with SSL and get it signed by Thawte Certification.

Generate a Private key and certificate request.

Apache provides a good set of instructions for doing this at http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#realcert

Please follow these instruction. Below are brief descriptions of what should be filled into the blanks during this process. Anything that is in bold must be filled in exactly as given right down to the capitals.

Note that the information you include in the certificate request must be exact and correct. Some data names are misleading. If you are not 100% sure of how to fill in a blank during this process please ask us as it will save a lot of time later. Also note that this process creates a Private Key with a password. If you lose the Private Key or forgets its password your certificate will be useless and you will have to start over and pay again. Note also that the Key must be kept safe as if it gets into public hands then all encryption efforts are lost and your system can be spoofed by others.

 

You must use a 2048 key
openssl genrsa -des3 -out server.key 2048  

 

Field Name Description of what to enter
Generate a Key
Enter PEM pass phrase
Verifying password - Enter PEM pass phrase 		If you used the -des3 option you will be asked for a password. This password will protect your key from being used if stolen. This is not necessary if you feel your system is secure. Note that the key should only be readable on the system by root and the web server be started as root.


Generate a CSR
Enter PEM pass phrase If you used the -des3 option when generating your key the password will be asked for here. 
Country Name (2 letter code) CA
State or Province Name (full name) Ontario
Locality Name (eg, city) London
Organization Name (eg, company) The University of Western Ontario
Organizational Unit Name (eg, section) Your Department or Faculty name. Please use its full name and not a short form or acronym.
Common Name (eg, YOUR name) This is the DNS name of you web server. This should be what appears in the URL when you access the secure area of your server. (ie. www.dept.uwo.ca)
E-mail Address This should be the e-mail address of the technical contact for the web server. Note if you have a webmaster@dept.uwo.ca then this can be used instead of the person's personal e-mail account.
A challenge password
An optional company name 		These fields are not necessary but can be used if required.


Generate Certificate Note: This step is not required unless you are in a rush to get things up and running.
Enter PEM pass phrase If you used the -des3 option in when generating your key the password will be asked for here.

 

Send the Certificate request for signing.

During this process please read all information on these pages and if you have any questions stop the process and send them to web-certificates@uwo.ca.

  • Email address:

  • Server domain Name

    This is the DNS name of your web server. This should be what appears in the URL when you access the secure area of your server. (ie. www.dept.uwo.ca)
    Server domain Name:

  • Paste your certificate signing request

    From the certificate request file generated above cut the Certificate Signing Request (CSR).
    This is the part of the file between and including the begin and end lines. Paste this into the web form in the provided scroll box.

    • CSR example: 


      -----BEGIN NEW CERTIFICATE REQUEST-----
      MIIB4DCCAUkCAQAwgZ8xCzAJBgasdfe3AkNBMRAwDgYDVQQIEwdPbnRhcmlvMQ8w
      DQYDVQQHEwZMb25kb24xKjAoBgNVBAoTIVRoZSBVbml22gJzaXR5IG9mIFdlc3Rl
      cm4gT250YXJpbzEoMCYGA1UECxMfSW5mb3JtYXRpb24gVGVjaG5vbG9neSBTZXJ2
      aWNlczEXMB13A1UEAxMOa2ltLml0cy51d28uY2EwgZ8wDQYJKoZIhvcNAQEBBQAD
      gY0AMIGJAoGBALOJ4G4XO4xDSvTudh0tPpLC56Lhw/icO118/ujsbKG3yuUZvzp9
      RIqFR8NRcbN8DQxYT64B9BGXkFO0anpAZ2eCeh23RDzzmDim7RW8LTXLo0VCOojo
      0+6JXMRbFnzEUzE9D7j3Un70Pyx6N40XHXyCLD7cW5bDZBh6nC13pNpzAgMBAAGg
      ADANBgkqhkiG9w0BAQQFAAOBgQB+wL8e10d9liaHvGjzHeePVP7HtMNz3bnn6Gq0
      uFeLIo2y5DIKsAiZI4GEQH7Eu5S3UPh15gsvxI0JQpis/AqmekmMkxasKJJfhpJ3
      9p14Ocfw/G1TcabOXBd0xpHau63LbMrhZRaQOs6z/gbVgIznPXIK+PKgV2Wuqx1W
      6Og5kw==
      -----END NEW CERTIFICATE REQUEST-----

  • Web Server Software

    Select your web server type from the drop down list

  • Authorizing Contact Person

    For the Authorizing Contact Person fill in the information for the head of the department or faculty requesting this certificate. Note, that this person must be the director or Dean and have signing authority for the department/faculty and verify that the department/faculty is requesting this certificate for its web server. This person must also indicate they have appointed the technical contact as the person responsible for the server. This person will be contacted by an ITS representative to verify this certificate request. An independent search for the head of the department/faculty will be completed and if the result of this search do not match the data given here then the authenticity of this request may be questioned. Please note that if the certificate is for a larger department/Faculty than you belong to then the signing authority should be that of the larger department/Faculty (example. I work for the department of technical services inside the faculty of science. The department maintains the faculty's web server which the certificate is for. Therefor the dean of science is the Authorizing Contact person for this request.)

     

    Full name:
    Job title:
    Telephone:
    (include area code and extension) E.g. (519)661-2111x84737
    Email address:
    E.g. name@uwo.ca

     

     

  • Technical Contact Person

    For the Technical Contact/Webmaster fill in the information for the person responsible for maintaining the web server. Note that this should not be a generic name or email address like webmaster.

    Full name:
    Job title:
    Telephone:
    (include area code and extension) E.g. (519)661-2111x84737
    Email address:
    E.g. name@uwo.ca
    Peoplesoft #:

     

  • Department
    Select your department from the drop down list

     

     

Verification process and Payment.

Three e-mails will be sent by Thawte. One each to the Authorizing Contact, Technical Contact and to a member of ITS. The ITS representative will then contact the Authorizing Contact and Technical Contact to verify the request. Payment for the certificate will be finalized. Once payment has been received ITS will approve the certificate signing and Thawte will issue the certificate.

Retrieving the certificate.

When the certificate has been approved and signed Thawte will send another email to the Technical Contact. This email will contain a URL which will allow you to download your certificate. Goto this URL and enter in your password. This is the password you gave on the third page of sending your certificate signing request to thawte. On the next screen you will be asked what format you want to download the certificate in. Select 'Standard Certificate Format' and use the 'Fetch Certificate' button to retrieve your certificate. It will look a lot like the CSR. Copy it off this page into a text file. This file will be used to install the certificate into your web server. Backup this file along with the Private Key and keep them safe.

Install your certificate.

The instructions from Apache are the required steps to install the certificate into your web server.

Getting Help

If you require assistance during any of this process please send an e-mail to web-certificates@uwo.ca . More info on the PKI environment at UWO is available at http://www.uwo.ca/its/pki

 

Disclaimer: The provided instructions are for information purposes only. Neither The University of Western Ontario nor the Division of Information Technology Services assume any responsibility for loss of use or damage to a computer system (including any data or software contained within the computer system) which is the result (directly or indirectly) of the application of these instructions. Any problems, questions or concerns not addressed by these instructions should be directed to the vendor and/or the manufacturer and not to The University of Western Ontario or any of its employees or incumbents.

©2010, The University of Western Ontario. Permission is granted to copy in whole or in part provided that due credit is given to the authors, Information Technology Services, and The University of Western Ontario.

Western provides the best student experience among Canada's leading research-intensive universities.