How Do I ... Generate a certificate signing request and have it signed by Thawte Certification for MS IIS Version 4.0, 5.0, 6.0 and 7
- Generate a Private key and certificate request
- Send the Certificate request to Thawte for signing
- Verification process and Payment
- Retrieving the certificate
- Install your certificate
- Getting Help
SHA-1 certificates will trigger a warning in the new edition of Chrome; see http://www.uwo.ca/its/pki/thawte/SHA-1_certificates.html
To check your certificate request, see https://ssltools.thawte.com/checker/views/csrCheck.jsp
This document outlines the steps involved to generate a certificate signing request for Microsoft Internet Information Server (IIS) 4.0, 5.0 and 6 and get it signed by Thawte Certification.
Thawte provides instructions for doing this for:
- Microsoft Internet Information Server 4.0 http://support.microsoft.com/default.aspx?scid=kb;EN-US;228991
- Microsoft Internet Information Server 5 http://support.microsoft.com/default.aspx?scid=kb;en-us;277891
- Microsoft Internet Information Server 6 http://support.microsoft.com/default.aspx?scid=kb;en-us;299875
- Microsoft Internet Information Server 7+ http://technet.microsoft.com/en-us/library/cc732906%28v=ws.10%29.aspx
- A server certificate renewal request that is created in Internet Information Services 7.0 is invalid
The error occurs because the renewal CSR created in IIS 7.0 is too large to be accepted by Thawte.
This is a known Microsoft IIS 7.0 issue. For more information, please see the following Microsoft Knowledge Base article: http://support.microsoft.com/kb/971832/EN-US
Resolution: To resolve this issue, select the option to Create Certificate Request as opposed to Renew. This will generate a new, shorter CSR that will be accepted by the enrollment page.
- How To Renew or Create New Certificate Signing Request While Another Certificate Is Currently Installed
Please look up the instructions from this site for your brand of web server and follow them. Below are brief descriptions of what may be requested during this process. Anything that is in bold must be filled in exactly as given, right down to the capitals.
Note that the information you include in the certificate request must be exact and correct. Some data names are misleading. If you are not 100% sure of how to fill in a blank during this process, please ask us, as it will save a lot of time later. Also note that this process creates a Private Key with a password. If you lose the Private Key or forget its password, your certificate will be useless and you will have to start over and pay again. Note also that the Key must be kept safe: if it gets into public hands, all encryption efforts are lost and your system can be spoofed by others.
| Field Name | Description of what to enter |
|---|---|
| Password and Confirm Password | This is the password for your private key. This should be something that can be remembered but nothing obvious like the server name. WRITE THIS DOWN NOW. |
| Bit Length | This is the bit length of the key. This must be 2048. |
| Organization | The University of Western Ontario |
| Organizational Unit | Your Department or Faculty name. Please use its full name and not a short form or acronym. |
| Common Name | This is the DNS name of your web server. This should be what appears in the URL when you access the secure area of your server (i.e. www.dept.uwo.ca). |
| Your Name | This should be the name of the technical contact for the web server. Most likely this will be you. |
| E-mail Address | This should be the e-mail address of the technical contact for the web server. Note if you have a firstname.lastname@example.org then this can be used instead of the person's personal e-mail account. |
| Phone Number | This should be the phone number of the technical contact for the web server. Note if there is a help line for this server it can be used here. Whoever answers this line should know what to do with questions regarding the secure web server. |
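A local check of the generated request against the field table above, as an added example that is not part of the original page or of Thawte's tooling: it parses the PEM request file and lists every field that departs from the table. The function names and command-line arguments are illustrative; it assumes an RSA key and does not verify the request's signature.

```python
import base64, re, sys

# DER bodies of the attribute OIDs 2.5.4.3 (CN), 2.5.4.10 (O), 2.5.4.11 (OU).
ATTRS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}
REQUIRED_ORG = "The University of Western Ontario"

def tlvs(buf):
    """Yield (tag, value) for each DER element found back to back in buf."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                          # long-form length: next k bytes
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def parse_csr(pem):
    """Return (subject dict, RSA modulus bit length) from a PEM PKCS#10 request."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    ((_, request),) = tlvs(der)
    (_, info), _sigalg, _sig = tlvs(request)
    _version, (_, name), (_, spki), *_attrs = tlvs(info)
    subject = {}
    for _, rdn in tlvs(name):
        for _, pair in tlvs(rdn):
            (_, oid), (vtag, value) = tlvs(pair)
            enc = "utf-16-be" if vtag == 0x1E else "utf-8"   # 0x1E = BMPString
            subject[ATTRS.get(oid, oid.hex())] = value.decode(enc, "replace")
    _alg, (_, bitstring) = tlvs(spki)
    ((_, rsa_key),) = tlvs(bitstring[1:])     # skip the unused-bits octet
    (_, modulus), _exponent = tlvs(rsa_key)
    return subject, int.from_bytes(modulus, "big").bit_length()

def check_csr(pem, host):
    subject, bits = parse_csr(pem)
    problems = []
    if bits != 2048:
        problems.append(f"key is {bits} bits, must be 2048")
    if subject.get("O") != REQUIRED_ORG:      # exact match, capitals included
        problems.append(f"Organization is {subject.get('O')!r}")
    if subject.get("CN") != host:
        problems.append(f"Common Name is {subject.get('CN')!r}, expected {host!r}")
    if not subject.get("OU"):
        problems.append("Organizational Unit is missing")
    return problems

if __name__ == "__main__":   # usage: check_csr.py request.txt www.dept.uwo.ca
    with open(sys.argv[1]) as f:
        print(check_csr(f.read(), sys.argv[2]) or "CSR matches the table")
```

An empty list means the key length, Organization, Organizational Unit and Common Name all match; the contact fields in the table are entered on the enrollment pages and are not part of the request file.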
During this process, please read all information on these pages, and if you have any questions, stop the process and send them to email@example.com.
Three e-mails will be sent by Thawte, one each to the Authorizing Contact, the Technical Contact and a member of ITS. The ITS representative will then contact the Authorizing Contact and Technical Contact to verify the request. Payment for the certificate will be finalized. Once payment has been received, ITS will approve the certificate signing and Thawte will issue the certificate.
When the certificate has been approved and signed, Thawte will send another email to the Technical Contact. This email will contain a URL which will allow you to download your certificate. Go to this URL and enter your password. This is the password you gave on the third page of sending your certificate signing request to Thawte. On the next screen you will be asked what format you want to download the certificate in. Select 'Standard Certificate Format' and use the 'Fetch Certificate' button to retrieve your certificate. It will look a lot like the CSR. Copy it off this page into a text file. This file will be used to install the certificate into your web server. Back up this file along with the Private Key and keep them safe.
The required steps to install the certificate into your web server are at the end of the instructions from Thawte that were used above to generate the CSR.