15.3 Obtaining a Certificate from an External CA

15.3.1 Requesting the CSR

  1. In the browser-based management tool, click Home, click Certificate Maintenance, then click Create.

    The Create Certificate screen is displayed.

  2. Specify an appropriate name for the certificate as explained in Section 15.1, Naming Certificates.

  3. Type an appropriate subject name as explained in Section 15.1, Naming Certificates.

  4. Click the Signature Algorithm drop-down list, then select the algorithm you want to use (SHA-1 or MD-5).

  5. Click the RSA Key Size drop-down list, then select the RSA key size that you want to use.

    You cannot select a key size larger than the maximum key size on the appliance.

  6. (Optional) Select PrivateKey.

    This flag is disabled by default. For added security, when it is enabled, you cannot back up the certificate.

  7. Click Use External Certificate Authority.

    The external certificate authority sets the validity period. You cannot set it using the Validity period option.

  8. Type a name for the Organizational Unit.

    This is used to describe departments or divisions.

  9. Type a name for the Organization.

    This is used to differentiate between organizational divisions.

  10. Type the city or town where your organization does business.

    This is commonly referred to as the Locality.

  11. Type the non-abbreviated name of the state or province where the organization does business.

    This is commonly referred to as the State.

  12. Type the International Standards Organization (ISO) country code for the country where the organization does business.

    This is commonly referred to as the Country and must be a valid, two-character ISO country code.

  13. Click OK.

  14. Look at the Action and Status fields.

    The Action field should have red arrows on the left and the word Request displayed on a green background. The Status should be Building.

    The red arrows and green background indicate that you need to click Apply.

  15. Click Apply.

    If any errors occur during the certificate request process, they are displayed in the Error field on a red background.

  16. If an error occurs, click Modify.

  17. In the Modify Certificate dialog box, make the changes necessary to resolve the errors, then click OK.

  18. Click Apply and repeat the modification process until the Status field displays the words CSR in Progress on a yellow background.

    NOTE: As an added precaution, Update Clone can be used to help safeguard the private key of the certificate until the certificate is returned and stored. After the certificate is returned and stored, it can then be backed up. Update Clone is found in the iChain Proxy Server browser-based administration tool under System > Actions.

15.3.2 Sending the CSR

  1. Click View CSR to open a new browser window that displays the CSR contents.

  2. Select and copy the complete CSR text into your computer’s Clipboard. After you have copied the text you can close that browser window.

  3. Paste the CSR text from the Clipboard to the e-mail message or HTML form as required by your CA.

    The method for sending the CSR varies depending on the authority. VeriSign, for example, uses a Web page interface.

    IMPORTANT: The header and trailer must be on lines separate from the body of the CSR.

    The header line will be similar to the following:

    -----BEGIN NEW CERTIFICATE REQUEST-----

    The trailer line will be similar to the following:

    -----END NEW CERTIFICATE REQUEST-----

    If required, you must use hard returns to separate these two lines from the body of the CSR.

  4. Wait for the certificate to be returned from the external CA.
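A check worth running on the CSR text before it is pasted into the CA's form, covering the subject fields chosen in 15.3.1 and the header/trailer rule of 15.3.2. This is an added example and is not part of the iChain documentation or the product: it parses a PEM-framed PKCS #10 request with a small handwritten DER walker (no third-party library), confirms that the BEGIN and END lines stand on their own, decodes the base64 body, and reports the subject attributes and the signature algorithm. The sample request is constructed inline by a minimal DER encoder with a placeholder public key and signature, so it is not a real CSR; the attribute abbreviations, the `check_csr` function and its warning rules are this example's own conventions.

```python
# Added example, not from the iChain documentation: validate a PEM-framed CSR
# before sending it to a CA, then report subject fields and signature algorithm.
# The sample CSR is constructed below with placeholder key/signature bytes.
import base64
import re

SEQ, SET, INT, BITSTR, OID, PRINTABLE = 0x30, 0x31, 0x02, 0x03, 0x06, 0x13
ATTR_OID = {"CN": b"\x55\x04\x03", "C": b"\x55\x04\x06", "L": b"\x55\x04\x07",
            "ST": b"\x55\x04\x08", "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b"}
OID_ATTR = {v: k for k, v in ATTR_OID.items()}
RSA_PKCS1 = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01"            # 1.2.840.113549.1.1
SIG_ALG = {RSA_PKCS1 + b"\x04": "md5WithRSAEncryption",
           RSA_PKCS1 + b"\x05": "sha1WithRSAEncryption",
           RSA_PKCS1 + b"\x0b": "sha256WithRSAEncryption"}
LABEL = "NEW CERTIFICATE REQUEST"

def der(tag, body):
    """Encode one DER TLV with a definite length (up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def encode_name(rdns):
    """X.501 Name: SEQUENCE of SET of (attribute OID, PrintableString)."""
    return der(SEQ, b"".join(
        der(SET, der(SEQ, der(OID, ATTR_OID[k]) + der(PRINTABLE, v.encode("ascii"))))
        for k, v in rdns))

def build_sample_csr(rdns, sig_oid):
    """Constructed PKCS #10 shell: correct structure, placeholder key and signature."""
    info = der(SEQ, der(INT, b"\x00") + encode_name(rdns)
               + der(SEQ, b"")             # subjectPKInfo placeholder (no real key)
               + b"\xa0\x00")              # attributes [0] IMPLICIT, empty
    sig_alg = der(SEQ, der(OID, sig_oid) + b"\x05\x00")
    return der(SEQ, info + sig_alg + der(BITSTR, b"\x00" + bytes(16)))

def to_pem(der_bytes, label):
    b64 = base64.b64encode(der_bytes).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"

def pem_to_der(text, label):
    """Enforce the 15.3.2 rule: header and trailer on their own lines, base64 body."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    header, trailer = f"-----BEGIN {label}-----", f"-----END {label}-----"
    if len(lines) < 3 or lines[0] != header or lines[-1] != trailer:
        raise ValueError("header and trailer must each be on a line of their own")
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("CSR body contains characters outside base64")
    return base64.b64decode(body, validate=True)

def read_tlv(buf, pos):
    """Decode one TLV at pos; return (tag, value bytes, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split a constructed value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out

def decode_name(name_body):
    """Flatten a Name into [(attr, value)] pairs, e.g. [('C', 'US'), ('O', ...)]."""
    pairs = []
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            pairs.append((OID_ATTR.get(oid, oid.hex()), value.decode("ascii")))
    return pairs

def parse_csr(der_bytes):
    tag, body, end = read_tlv(der_bytes, 0)
    if tag != SEQ or end != len(der_bytes):
        raise ValueError("CSR is not a single DER SEQUENCE")
    (_, info), (_, sig_alg), _ = children(body)[:3]
    _, name = children(info)[1]                 # version, subject, key, attrs
    sig_oid = children(sig_alg)[0][1]
    return {"subject": decode_name(name), "sig_alg": SIG_ALG.get(sig_oid, sig_oid.hex())}

def check_csr(pem_text):
    """Return (parsed, warnings); an empty warning list means the CSR is ready to send."""
    parsed = parse_csr(pem_to_der(pem_text, LABEL))
    fields, warnings = dict(parsed["subject"]), []
    country = fields.get("C", "")
    if len(country) != 2 or not (country.isalpha() and country.isupper()):
        warnings.append("Country must be a two-letter upper-case ISO code")
    if parsed["sig_alg"] in ("md5WithRSAEncryption", "sha1WithRSAEncryption"):
        warnings.append(parsed["sig_alg"] + ": public CAs no longer accept MD5/SHA-1 signatures")
    return parsed, warnings

# Constructed sample: the fields a 15.3.1 run would produce, signed (in name only) with SHA-1.
SAMPLE_RDNS = [("C", "US"), ("ST", "Utah"), ("L", "Provo"), ("O", "Example Corp"),
               ("OU", "IT"), ("CN", "www.example.com")]
SAMPLE_CSR = to_pem(build_sample_csr(SAMPLE_RDNS, RSA_PKCS1 + b"\x05"), LABEL)

if __name__ == "__main__":
    parsed, warnings = check_csr(SAMPLE_CSR)
    print(parsed["subject"], parsed["sig_alg"], warnings, sep="\n")
```

Run it as a script to see the parsed fields; for a request exported from the appliance, pass the pasted text to `check_csr` and hold the submission while the warning list is non-empty. The MD5/SHA-1 warning reflects current public CA practice, which the signature menu in 15.3.1 predates.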

15.3.3 Storing the Certificate

After the external CA responds with the certificate:

  1. In the browser-based tool, click Home > Certificate Maintenance > the name of the certificate you want to store > Store Certificate.

  2. In the Store Certificates dialog box, paste the CA certificate into the CA Certificate Contents box.

  3. Paste your newly issued certificate in the Server Certificate Contents box.

  4. Click Create.

  5. Look at the Action and Status fields.

    The Action field should have red arrows on the left and the word Create displayed on a green background. The Status should be CSR in Process.

    The red arrows and green background indicate that you need to click Apply.

  6. Click Apply.

    If any errors occur during the certificate creation process, they are displayed in the Error field on a red background.

  7. If an error occurs, click Store Certificate.

  8. In the Store Certificate dialog box, make sure the correct certificates are pasted in the boxes, then click OK.

  9. Click Apply.

15.3.4 Importing a CSR Signed by Intermediates

  1. Convert the response file into PKCS #7 format using a current, patched version of Internet Explorer*.

    1. Save the response file (certificate) sent from Verisign* using WordPad as a .cer file.

    2. Open Tools, select Internet Options, select Content, then select Certificates.

    3. Click Import, click Next, then browse to the response file sent from Verisign.

    4. Choose “Automatically select the certificate based on the type of certificate”.

    5. Click Next, then click Finish.

    6. Open Tools, select Internet Options, click Content, click Certificates, then click Other People.

    7. Highlight the imported certificate, click Export, then click Next.

    8. Select Cryptographic message syntax standard - PKCS #7 (.P7b) and select Include all certificates in the certification path if possible.

    9. Select Next, then save and export the file.

  2. Enable NCP on the iChain box and login to the ICS_tree.

    1. Either load c:\nwserver\ncpip.old directly, or rename it to c:\nwserver\ncpip.nlm and then load ncpip.nlm.

    2. Follow the editing instructions in the Tune.ncf file or specify the following set parameters at the server console:

      • SET NCP include IP addresses = All
      • SET NCP exclude IP addresses = None
      • SET NCP over UDP = On

    3. Log in to the ICS_Tree using the IP address of the iChain box.

      NOTE: For security reasons, NCP should be disabled when you finish.

  3. Import the certificate.

    1. Launch ConsoleOne and right-click on the Key Material Object for the respective certificate in the ICS_tree.

      The Key Material Object has the same name that was given when you created the CSR in the iChain browser-based administrative tool.

    2. Select Properties, select Public Key Certificate on the drop-down of the Certificate tab.

    3. Click Import, select the “No Trusted Root Certificate Available” check box, then click Next.

      NOTE: The trusted root was included in the PKCS #7 file that was created in Step 1.

    4. At the “Paste your Server Certificate here or read it from a file” screen, select Read from file, browse to the .p7b file and finish importing the file.

      NOTE: An informational message might appear when finishing the import, stating that the issuer or subject does not match. Click Continue.

  4. Restart the server and back up the certificate using the iChain browser-based administration tool.

    When the certificate is successfully imported, restart the server, open the iChain browser-based wizard, and back up the certificate.

    1. Open the browser-based administration utility, click Home, then click Certificate Maintenance.

    2. Highlight the certificate.

    3. Click Backup.