The CSR (Certificate Signing Request) is essential for the issuing of the certificate, as it contains the public key. The public key will be generated by your web host or the administrators of the servers, on which the domain runs that you wish to secure with the SSL certificate. Generating the Private Key - Linux 1. Open the Terminal. Navigate to the folder with the ListManager directory. Type the following: openssl genrsa -out rsa.private 1024 4. The private key is generated and saved in a file named 'rsa.private' located in the same folder. Generating the Public Key - Linux 1. Open the Terminal. I need to create a public/private key pair for a certificate request. I would like to use IIS. Once the certificate is signed I will be distributing it to multiple servers and therefor will need the private key.
How to generate a CSR in Microsoft IIS 7
1. Click Start, then Administrative Tools, then Internet Information Services (IIS) Manager. 2. Click on the server name. 3. From the center menu, double-click the 'Server Certificates' button in the 'Security' section (it is near the bottom of the menu).
4. Next, from the 'Actions' menu (on the right), click on 'Create Certificate Request.' This will open the Request Certificate wizard.
5. In the 'Distinguished Name Properties' window, enter the information as follows:
Common Name - The name through which the certificate will be accessed (usually the fully-qualified domain name, e.g., www.domain.com or mail.domain.com).
Organization - The legally registered name of your organization/company.
Organizational unit - The name of your department within the organization (frequently this entry will be listed as 'IT,' 'Web Security,' or is simply left blank).
City/locality - The city in which your organization is located.
State/province - The state in which your organization is located.
In the Number of bits in a generated key box, enter 2048. Click Generate to generate a public/private key pair. As the key is being generated, move the mouse around the blank area as directed. (Optional) Enter a passphrase for the private key in the Key passphrase box and reenter it in the Confirm passphrase box. Set up SSH public key authentication This guide contains description of setting up public key authentication for use with WinSCP. You may want to learn more about public key authentication or SSH keys instead.
6. Click Next. 7. In the 'Cryptographic Service Provider Properties' window, leave both settings at their defaults (Microsoft RSA SChannel and 2048) and then click next.
8. Enter a filename for your CSR file.
9. Remember the filename that you choose and the location to which you save it. You will need to open this file as a text file and copy the entire body of it (including the Begin and End Certificate Request tags) into the online order process when prompted
2. Back Up Private Key
To backup a private key on Microsoft IIS 6.0 follow these instructions:
1. From your server, go to Start > Run and enter mmc in the text box. Click on the OK button. 2. From the Microsoft Management Console (MMC) menu bar, select Console > Add/Remove Snap-in. 3. Click on the Add button. Select Certificates from the list of snap-ins and then click on the Add button.
4. Select the Computer account option. Click on the Next button.
5. Select the Local computer (the computer this console is running on) option. Click on the Finish button. 6. Click on the Close button on the snap-in list window. Click on the OK button on the Add/Remove Snap-in window. 7. Click on Certificates from the left pane. Look for a folder called REQUEST or 'Certificate Enrollment Request> Certificates
8. Select the private key that you wish to backup. Right click on the file and choose > All Tasks > Export
9. The certificate export wizard will start, please click Next to continue. In the next window select Yes, export the private key and click Next
10. Leave the default settings selected and click Next.
11. Set a password on the private key backup file and click Next 12. Click on Browse and select a location where you want to save the private key Backup file to and then click Next to continue. By default the file will be saved with a .pfx extension. 13. Click Finish, to complete the export process
3. Convert to RSA Private Key Format
The private key is backed up as a ‘.pfx’ file, which stands for Personal Information Exchange.
To convert it to RSA Private Key format supported by inSync:
1. Download and install latest version of OpenSSL for windows from http://www.slproweb.com/products/Win32OpenSSL.html.
Note: OpenSSL requires Visual C++ 2008 Redistributables which can be downloaded from the same website.
2. Open command prompt, navigate to C:OpenSSL-Win32bin>, and run the following commands.
3. The private key will be saved as ‘myserver.key’.
4. Carefully protect the private key. Be sure to backup the private key, as there is no means to recover it, should it be lost.
-->
Certificate Services is one foundation for the Public Key Infrastructure (PKI) that provides the means for safeguarding and authenticating information. The relationship between a certificate holder, the certificate holder's identity, and the certificate holder's public key is a critical portion of PKI. This infrastructure is made up of the following parts:
The Public/Private Key Pair
PKI requires the use of public/private key pairs. The mathematics of public/private key pairs is beyond the scope of this documentation, but it is important to note the functional relationship between a public and a private key. PKI cryptographic algorithms use the public key of the receiver of an encrypted message to encrypt data, and the related private key and only the related private key to decrypt the encrypted message.
Similarly, a digital signature of the content, described in greater detail below, is created with the signer's private key. The corresponding public key, which is available to everyone, is used to verify this signature. The secrecy of the private key must be maintained because the framework falls apart after the private key is compromised.
Given enough time and resources, a public/private key pair can be compromised, that is, the private key can be discovered. The longer the key, the more difficult it is to use brute force to discover the private key. In practice, sufficiently strong keys can be used to make it unfeasible to determine the private key in a timely manner, making the Public Key Infrastructure a viable security mechanism.
A private key can be stored, in protected format, on a disk, in which case it can only be used with that specific computer unless it is physically moved to another computer. An alternative is to have a key on a smart card that can be used on a different computer provided it has a smart card reader and supporting software.
The public key, but not the private key, of the subject of a digital certificate is included as part of the certificate request. (Hence, a public/private key pair must exist before making the certificate request.) That public key becomes part of the issued certificate.
The Certificate Request
Before a certificate is issued, a certificate request must be generated. This request applies to one entity, for example, an end-user, a computer, or an application. For discussion, assume that the entity is yourself. Details of your identity are included in the certificate request. After the request is generated, it is submitted to a certification authority (CA). The CA then uses your identity information to determine whether the request meets the CA's criteria for issuing a certificate. If the CA approves the request, it issues a certificate to you, as the entity named in the request.
The Certification Authority
Before issuing your certificate, the CA verifies your identity. When the certificate is issued, your identity is bound to the certificate, which contains your public key. Your certificate also contains the CA's digital signature (which can be verified by anyone who receives your certificate).
Because your certificate contains the identity of the issuing CA, an interested party that trusts this CA can extend that trust to your certificate. The issuance of a certificate does not establish trust, but transfers trust. If the certificate consumer does not trust the issuing CA, it will not (or at least should not) trust your certificate.
Generate Public Certificate From Private Key Code
A chain of signed certificates allows trust to be transferred to other CAs as well. This allows parties who use different CAs to still be able to trust certificates (provided there is a common CA in the chain, that is, a CA that is trusted by both parties).
The Certificate
In addition to your public key and the identity of the issuing CA, the issued certificate contains information about the purposes of your key and certificate. Furthermore, it includes the path to the CA's list of revoked certificates, and it specifies the certificate validity period (beginning and ending dates).
Assuming the certificate consumer trusts the issuing CA for your certificate, the certificate consumer must determine whether the certificate is still valid by comparing the certificate's beginning and ending dates with the current time and by checking that your certificate in not on the CA's list of revoked certificates.
The Certificate Revocation List
Openssl Generate Public Certificate From Private Key
Assuming the certificate is being used in a valid time period and the certificate consumer trusts the issuing CA, there is one more item for the certificate consumer to check before using the certificate: the certificate revocation list (CRL). The certificate consumer checks the CA's CRL (the path to which is included as an extension in your certificate) to ensure your certificate is not on the list of certificates that have been revoked. CRLs exist because there are times when a certificate has not expired, but it can no longer be trusted. Periodically, the CA will publish an updated CRL. Certificate consumers are responsible for comparing certificates to the current CRL before considering the certificate trustworthy.
Your Public Key Used for Encryption
If a sender wants to encrypt a message before sending it to you, the sender first retrieves your certificate. After the sender determines that the CA is trusted and your certificate is valid and not revoked, the sender uses your public key (recall it is part of the certificate) with cryptographic algorithms to encrypt the plaintext message into ciphertext. When you receive the ciphertext, you use your private key to decrypt the ciphertext.
If a third party intercepts the ciphertext email message, the third party will not be able to decrypt it without access to your private key.
Note that the bulk of the activities listed here are handled by software, not directly by the user.
Your Public Key Used for Signature Verification
A digital signature is used as confirmation that a message has not been altered and as confirmation of the message sender's identity. This digital signature is dependent on your private key and the message contents. Using the message as input and your private key, cryptographic algorithms create the digital signature. The contents of the message are not changed by the signing process. A recipient can use your public key (after checking your certificate's validity, issuing CA, and revocation status) to determine whether the signature corresponds to the message contents and to determine whether the message was sent by you.
If a third party intercepts the intended message, alters it (even slightly), and forwards it and the original signature to the recipient, the recipient, upon examination of the message and signature, will be able to determine that the message is suspect. Similarly, if a third party creates a message and sends it with a bogus digital signature under the guise that it originated from you, the recipient will be able to use your public key to determine that the message and signature do not correspond to each other.
Nonrepudiation is also supported by digital signatures. If the sender of a signed message denies sending the message, the recipient can use the signature to refute that claim.
Certificate And Private Key
Note that the bulk of the activities listed here are also handled by software, not directly by the user.
Microsoft Certificate Services Role
Cert Public Key
Microsoft Certificate Services has the role of issuing certificates or denying requests for certificates, as directed by policy modules, which are responsible for ensuring the identity of the certificate requester. Certificate Services also provides the ability to revoke a certificate, as well as publish the CRL. Certificate Services can also centrally distribute (for example, to a directory service) issued certificates. The ability to issue, distribute, revoke, and manage certificates, along with the publication of CRLs, provides the necessary capabilities for public key infrastructure.