5.5.4: Requesting certificates

When you request a certificate from a certificate authority, you need to take into account the following:
Time requirements

Because of the diligence expected of a commercial CA, the authentication process for principals can take a significant amount of time. Commercial CAs often require up to a week to complete their authentication process. Even on-site CAs can take anywhere from minutes to days. As a result, when planning to add a new application server or host (such as a name server) to your enterprise, you must take into account the time it takes to get a certificate. Although this is primarily a concern for production certificates, it can also affect getting test certificates. Note that if your server's certificate is compromised, or if some other server in its trust base is compromised, you must acquire a replacement certificate, which involves similar time requirements.

Requirements on the format of information

When you create a certificate request, you need to provide information about the owner of the certificate. The required information and its format vary across certificate authorities. Also, the WebSphere Application Server graphical tool and command-line tools vary in the way they represent the name.

Certificates use names in the X.500 format. A name in this style consists of many components. The entire name is called a distinguished name (DN). It consists of a set of components, which often include a common name (CN), an organization (O), an organizational unit (OU), a country (C), a locality (L), and many others. For example, an X.500 name for a server called PolicyServer1 in the Accounting division of the US-based AccountingCorp can look like this:

"CN=PolicyServer1, OU=Accounting, O=AccountingCorp, C=US"

Certificates are often used to represent server principals, so a typical convention is to create CNs of the form host_name/server_name. For example, for the server PolicyServer1 on the host centralops.acctcorp.com, the common name is centralops.acctcorp.com/PolicyServer1.
Some CAs require the use of fully qualified host names in common names. For example, VeriSign does not sign your certificate unless the domain portion of the host name is owned by your organization. Check with the CA for any requirements on common-name fields. The distinguished name can include other information as well. Some certificate authorities, including VeriSign, require that you spell out the state or province field completely. For example, you need to specify "New York" rather than "NY". Check with the CA for any such requirements before generating your certificate requests.
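The following Python script is an added example, not code from this InfoCenter page or from the WebSphere tools. It performs the kind of pre-flight check on a distinguished name that the format requirements above call for before a request is sent to a CA: it splits the DN into its components (handling quoted and backslash-escaped values, and treating attribute types as case-insensitive, so "c=US" and "C=US" are the same attribute), then flags the problems the text describes: a common name whose host part is not fully qualified or is not under a domain the organization owns, and an abbreviated state or province. The required-attribute set, the abbreviation table, the owned-domain parameter, and the sample DNs are illustrative assumptions; the actual rules are whatever your CA publishes.

```python
"""Pre-flight checks on an X.500 distinguished name before it goes into a
certificate request.  Added example, not WebSphere code: the required
attributes, the abbreviation table and the owned-domain list are assumptions."""
from __future__ import annotations

# Attribute types this checker recognizes (short name -> description).
KNOWN_TYPES = {"CN": "common name", "OU": "organizational unit", "O": "organization",
               "L": "locality", "ST": "state or province", "C": "country"}

# Abbreviations a strict CA would reject in ST.  Constructed for this example;
# a real checker would carry the full ISO 3166-2 list.
STATE_ABBREVIATIONS = {"NY": "New York", "CA": "California", "TX": "Texas", "ON": "Ontario"}


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 2253-style DN string into (TYPE, value) pairs.

    Commas inside double quotes or preceded by a backslash belong to the value,
    so O="Smith, Jones & Co." is one component.  Types are upper-cased because
    X.500 attribute types are case-insensitive ("c=US" == "C=US")."""
    pairs: list[tuple[str, str]] = []
    buf: list[str] = []
    in_quotes = False
    i = 0
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else ","   # sentinel comma flushes the last component
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])             # escaped character, taken literally
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes         # quotes delimit; they are not part of the value
        elif ch == "," and not in_quotes:
            component = "".join(buf).strip()
            buf = []
            if component:
                if "=" not in component:
                    raise ValueError(f"DN component without '=': {component!r}")
                typ, _, value = component.partition("=")
                pairs.append((typ.strip().upper(), value.strip()))
        else:
            buf.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unterminated double quote in DN")
    return pairs


def check_dn(dn: str, owned_domains: set[str]) -> list[str]:
    """Return the problems a strict CA would likely reject; an empty list means OK.

    owned_domains: lower-case DNS domains the requester owns (caller-supplied
    assumption), for the rule that the CN host must belong to the requester."""
    problems: list[str] = []
    attrs: dict[str, list[str]] = {}
    for typ, value in parse_dn(dn):
        if typ not in KNOWN_TYPES:
            problems.append(f"unknown attribute type {typ}")
        attrs.setdefault(typ, []).append(value)

    for required in ("CN", "O", "C"):        # assumed minimum for a server certificate
        if required not in attrs:
            problems.append(f"missing {required} ({KNOWN_TYPES[required]})")

    if "CN" in attrs:
        # The text's convention is CN = host_name/server_name; host is the part before '/'.
        host = attrs["CN"][0].split("/", 1)[0]
        h = host.lower()
        if "." not in h:                      # heuristic for "not fully qualified"
            problems.append(f"CN host part {host!r} is not a fully qualified host name")
        elif not any(h == d or h.endswith("." + d) for d in owned_domains):
            problems.append(f"CN host {host!r} is not under a domain owned by the organization")

    for st in attrs.get("ST", []):
        if st.upper() in STATE_ABBREVIATIONS:
            problems.append(f"ST={st!r} is abbreviated; spell it out as "
                            f"{STATE_ABBREVIATIONS[st.upper()]!r}")

    for country in attrs.get("C", []):
        if len(country) != 2 or not country.isalpha():
            problems.append(f"C={country!r} must be a two-letter country code")
    return problems


if __name__ == "__main__":
    # Sample DNs constructed for this example; acctcorp.com is the fictitious domain from the text.
    samples = [
        "CN=centralops.acctcorp.com/PolicyServer1, OU=Accounting, O=AccountingCorp, C=US",
        "CN=PolicyServer1, OU=Accounting, O=AccountingCorp, ST=NY, c=US",
    ]
    for sample in samples:
        print(sample, "->", check_dn(sample, {"acctcorp.com"}) or "OK")
```

Running the script as-is reports the first sample as acceptable and rejects the second for a non-qualified host in the CN and an abbreviated ST, which is the kind of rejection that would otherwise cost another round trip through the CA's authentication process. Extend the rule table with whatever your CA's published requirements say before relying on it.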