5.5.4.2: Getting a production certificate from a certificate authority
To obtain a certificate from a certificate authority, you
must create a file containing a certificate signing request (CSR).
You then send the file to the CA. The procedure for getting
the file to the CA varies with the CA and with the type of
certificate, test or production, being requested.
This file describes how to get a production certificate from a specific
commercial CA, VeriSign. Getting a production certificate can be
expensive, depending on the type of certificate and its strength.
It is often instructive to request a test certificate from a CA
before requesting a production certificate.
After you have created a file containing a certificate signing request,
request a production certificate by following these steps:
- Start your Web browser and link to VeriSign's home page at
http://www.verisign.com.
- Choose Web Server Certificates --> Buy Now --> [Buy] Global Site
Services. This begins a series of pages that collect the
information VeriSign needs to process your certificate request.
Read each page carefully. When you complete a page, display
the next page by clicking the Continue button.
The page titled Before You Start lists the things you should do before
beginning this process, including installing web server software,
setting up your Internet proxies, determining how you will pay for the
certificate, reviewing the legal agreement and, if necessary, printing
the enrollment guide. You should treat any references to "web server
software" as references to the WebSphere software.
- The page titled Step 1: Obtain Proof of Right provides
instructions on one of the authentication steps that VeriSign
performs. In this case, you must prove that your enterprise
has the right to operate under the Organization name that you
specified in your CSR. The VeriSign process is optimized
for using D-U-N-S numbers for this purpose. If you take this
approach, you must provide your D-U-N-S number or, if you are
a U.S. company, VeriSign can look it up for you.
If you don't have a D-U-N-S number, or if you don't want to use
this to prove your right to the Organization name, you can provide
alternate proof of right. For example, if you have a letter of
incorporation or similar article, you can fax a copy to VeriSign.
Using an alternate proof of right will slow the process down,
because you will not be able to continue until VeriSign has received
and processed the alternative proof.
- The page titled Step 2: Confirm Domain Name informs you that
you (your enterprise) must own the domain name indicated in
the common name of your certificate. These domain names are
registered with NIC, and VeriSign will verify that the domain
name you specified belongs to your enterprise; this is part
of the authentication process completed by certificate
authorities.
- The page titled Step 3: Generate CSR instructs you to create your
CSR. If you have already created a CSR file, you can skip this
step.
- The page titled Step 4: Submit CSR provides you with an edit box.
This is where you will insert the CSR.
  - Open the file containing the CSR; use any text editor that
    supports cut-and-paste actions.
  - In your editor window, select all of the text, including the header
    -----BEGIN NEW CERTIFICATE REQUEST-----
    and the corresponding trailer.
  - Paste the text into the edit box on the Submit CSR page in your
    browser.
- The page titled Step 5: Complete Application requires you
to enter a lot of information. Verify your distinguished name
and enter the following:
  - Server information
    - Vendor of the server software: Click the pull-down
      button and select IBM.
    - A challenge phrase: A text string. This can be anything
      you like, and you should treat it like a password. You
      will be asked to present this same challenge phrase when
      you submit a renewal request or if you ask to have the
      certificate revoked (for example, if the certificate is
      compromised). You may also be asked to supply this
      challenge phrase when speaking with VeriSign.
  - Technical contact information: This should identify you.
    Your e-mail address is particularly important; VeriSign will
    e-mail the certificate to this address.
  - Organizational contact information: This should be someone
    other than yourself who is a member of your enterprise.
    VeriSign will contact this person during the authentication
    process, to verify the legitimacy of your request.
  - Billing contact information: Enter the person in your
    organization who is responsible for payment.
  - The type of Secure Server ID that you are requesting
  - Payment information
  - Organizational information (your D-U-N-S number): If you use
    an alternate proof of right, then VeriSign will instruct you
    on how to fill out this information.
- Review the Server Certificate Agreement. To accept the conditions
and submit your request, click the Accept button. If you reject the
conditions, click the Decline button.
VeriSign will send you an e-mail message containing your signed
production certificate. The certificate must be installed in
a keyring class.
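
A pre-submission check for the CSR text pasted in Step 4, as an added example that is not part of the original page or of any IBM or VeriSign tool. It confirms that the header and trailer are both present and match and that the encoded body is complete, then reports the Organization (O) and common name (CN) that the CA will authenticate in Steps 1 and 2. It assumes the file holds a PEM-wrapped PKCS #10 request; the function names are this example's own.

```python
import base64
import re
import sys

# The page's tool writes the "NEW CERTIFICATE REQUEST" label; others omit "NEW".
PEM_RE = re.compile(r"-----BEGIN (NEW )?CERTIFICATE REQUEST-----(.*?)"
                    r"-----END (NEW )?CERTIFICATE REQUEST-----", re.S)
ATTRS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O"}  # OIDs 2.5.4.3, 2.5.4.10

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER: the CSR text is incomplete")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER: the CSR text is incomplete")
    return tag, buf[pos:pos + length], pos + length

def children(content):  # yields the (tag, content) elements of a constructed value
    pos = 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        yield tag, body

def csr_subject(text):
    """Check header, trailer and encoding; return the subject's O and CN."""
    m = PEM_RE.search(text)
    if not m or m.group(1) != m.group(3):
        raise ValueError("header or trailer is missing or does not match")
    der = base64.b64decode("".join(m.group(2).split()), validate=True)
    tag, request, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    info = list(children(request))[0][1]  # CertificationRequestInfo
    name = list(children(info))[1][1]     # subject follows the version INTEGER
    subject = {}
    for _, rdn in children(name):       # each RDN is a SET ...
        for _, atv in children(rdn):    # ... of (OID, value) SEQUENCEs
            (_, oid), (_, value) = list(children(atv))[:2]
            if oid in ATTRS:
                subject[ATTRS[oid]] = value.decode("utf-8", "replace")
    return subject

if __name__ == "__main__":
    for path in sys.argv[1:]:  # the CSR file(s) you are about to paste
        print(path, csr_subject(open(path).read()))
```

A `ValueError` here means the text would be rejected or misread if pasted as is; the check does not verify the request's signature.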