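SSL Certificate Signing Request (CSR) Generation Guide - Netscape Enterprise 3.x
An Important Note Before You Start
Your private key is generated at the same time as the CSR file. If you lose the private key or forget its password, the certificate issued to you cannot be installed! You will have to generate a new private key and CSR file, and a new certificate will be reissued free of charge. To avoid this, be sure to back up the private key file and remember the private key password after generating the CSR; ideally, do not touch the server again until you have received the certificate.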
By far the most common problem users have when going through this process is related to private keys. If you lose or cannot access a private key, you cannot use the certificate we issue to you and will need to request a free reissue. To ensure this never happens, we advise that a backup of the private key file is made and that a note is made of the password that is used to protect the export of the private key.
Key generation under the Netscape Enterprise series of servers is accomplished as follows:
* Generating a Key Pair and Certificate Signing Request Using Netscape Enterprise Server
* Generating a key-pair file on Unix platforms
* Generating a key-pair file on Windows NT platforms
* Generate A Certificate Signing Request
* Back up your Key Pair File
Generate a CSR for Netscape Enterprise 3.x
Solution ID: vs27653
Answer:
Note: In the interest of better security and the enablement of greater trust, we have decided that 1024-bit keys will now be the minimum strength used in the issuance of thawte digital certificates.
Generating a Key Pair and Certificate Signing Request Using Netscape Enterprise Server
You will now use your Netscape Enterprise Server to create a key-pair file and a Certificate Signing Request.
A key-pair file contains both the public and private keys used for SSL encryption. You use the key-pair file when you request and install a certificate. The key-pair file is stored encrypted in the directory
Generating a key-pair file on Unix platforms
From the Unix command line:
Log in as root and change to the server root directory.
Run the key-pair file generation program by changing to the directory bin/admin/admin/bin and typing ./sec-key.
When prompted, type an alias for the new key-pair file. You might choose an alias that matches your server (for example, web or mail). The alias cannot contain spaces, but it can use symbols that your operating system allows in filenames (such as underscores). By default, the key-pair file is stored in
A screen with a progress meter appears. Type any random keys at different speeds until the progress meter is full. The time between each of your keystrokes will be used to generate a random number for the unique key-pair file.
When prompted, type a password of eight characters or more for your key-pair file. The password must have at least one non-alphabetical character (a number or punctuation mark). Make sure you memorize this password. The security of your server is only as good as the security of the key-pair file and its password.
After you enable SSL for a server (either the administration server or another Netscape server), you must type the key-pair file password when you start the server.
Retype the password and click OK. The file is created and stored.
Generating a key-pair file on Windows NT platforms
From the Windows NT command prompt:
Go to the
Run the sec-key.exe application. The key-pair file generation program appears.
When prompted, type an alias for the new key-pair file. You might choose an alias that matches your server (for example, web or mail). The alias cannot contain spaces, but it can use symbols that your operating system allows in filenames (such as hyphens and underscores). By default, the key-pair file is stored in the directory C:/
A screen with a progress meter appears. Move your mouse in random motions at random speeds. These random movements are used to generate a random number for the unique key-pair file.
When prompted, type a password of eight characters or more for your key-pair file. The password must have at least one non-alphabetical character (a number or punctuation mark). Make sure you memorize this password. The security of your server is only as good as the security of the key-pair file and its password.
After you turn on SSL for a server (either the administration server or another Netscape server), you must type the key-pair file password when you start the server.
Retype the password and click OK. The file is created and stored.
Generate a Certificate Signing Request
After you generate the key-pair file, you must create a special file called a Certificate Signing Request.
In the Server Administration page, choose Keys & Certificates|Request Certificate.
In the form that appears, specify that this is a new certificate.
Specify that you want to submit the request for the certificate via e-mail. Put YOUR OWN e-mail address in the space specified for the e-mail address of the CA.
From the drop-down list, select the alias for the key-pair file you want to use when requesting the certificate.
Type the password for your key-pair file.
Type the information that will appear in your Digital ID. This should be as follows:
Common Name is the fully qualified hostname used in DNS lookups (for example, www.netscape.com). This is the hostname in the URL that a browser uses to connect to your site. It's important that these two names are the same, otherwise a client is notified that the certificate name doesn't match the site name, which will make people doubt the authenticity of your certificate. Please make sure that the common name ends in the domain name whose ownership you established in step 2.
Email Address is your business email address. This is used for correspondence between you and VeriSign.
Organization is the official, legal name of your company, educational institution, partnership, and so on. This should be the name of the company associated with the Dun & Bradstreet number you generated in step 6.
Organizational Unit is an optional field that describes an organization within your company. This can also be used to note a less formal company name (without the Inc., Corp., and so on).
Locality is an optional field that usually describes the city, principality, or country for the organization.
State or Province should be spelled out in full (e.g. use California instead of CA).
Country is a required, two-character abbreviation of your country name (in ISO format). The country code for the United States is US.
Double-check your work to ensure accuracy. The more accurate the information, the faster VeriSign can approve and issue your certificate.
Click OK when the information is correct.
The server generates a certificate signing request that contains your information and your public key. This information is e-mailed to you.
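The Digital ID field rules listed above can be checked before the form is submitted. The following Python check is an added example, not part of the original guide or of any Netscape or CA tool; the function name, the `verified_domain` parameter and the sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample values, not taken from the guide.
SAMPLE = {
    "Common Name": "www.example.com",
    "Email Address": "admin@example.com",
    "Organization": "Example Widgets Inc.",
    "Organizational Unit": "Web Operations",
    "Locality": "San Jose",
    "State or Province": "California",
    "Country": "US",
}

def check_digital_id(fields, site_url, verified_domain):
    """Return a list of problems found in the CSR subject fields."""
    problems = []
    cn = fields.get("Common Name", "").strip().lower().rstrip(".")
    labels = cn.split(".")
    if len(labels) < 2 or not all(LABEL.match(part) for part in labels):
        problems.append("Common Name is not a fully qualified hostname")
    # A browser compares the certificate name with the host part of the URL.
    url_host = (urlsplit(site_url).hostname or "").lower()
    if cn != url_host:
        problems.append(f"Common Name {cn!r} does not match URL host {url_host!r}")
    # The name must be the verified domain or a host beneath it; a plain
    # suffix test would wrongly accept 'notexample.com' for 'example.com'.
    domain = verified_domain.lower()
    if cn != domain and not cn.endswith("." + domain):
        problems.append(f"Common Name is not under {domain}")
    if not fields.get("Organization", "").strip():
        problems.append("Organization is empty")
    if "@" not in fields.get("Email Address", ""):
        problems.append("Email Address is missing or malformed")
    # Two characters or fewer is treated as an abbreviation such as 'CA'.
    if len(fields.get("State or Province", "").strip()) <= 2:
        problems.append("State or Province must be spelled out in full")
    if not re.fullmatch(r"[A-Z]{2}", fields.get("Country", "")):
        problems.append("Country must be a two-letter ISO code")
    return problems

if __name__ == "__main__":
    print(check_digital_id(SAMPLE, "https://www.example.com/", "example.com"))
```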
Back up your Key Pair File
It is imperative that you back up your key pair file. Please save this information on a floppy disk, or other removable media, and store it in a secure place, such as a safe or safe-deposit box.
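Test the CSR and Send It to WoSign: Start the certificate request process
After generating the CSR, we recommend that you test the generated CSR file yourself to confirm that it is correct; click here to test your CSR file. Then send the successfully tested CSR file to WoSign. Be sure not to touch your server again while you wait for the certificate to be issued.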
To submit the CSR to WoSign for processing you should start the certificate enrollment process.