Configuring and Managing MPE/iX Internet Services (MPE/iX 6.5)

174 Chapter10
HP WebWise MPE/iX Secure Web Server
Server Keys and Certificates
19:02:9d:3e:9f:32:d0:be:9a:54:3d:bc:c0:ed:63:67:cd:a3:
eb:68:a1:2d:7a:0f:94:87:f0:a8:14:f6:45:cf:bd:a9:bc:13:
9a:4c:cc:fb:a7:ab:73:88:17:23:90:b3:49:58:7f:d5:02:55:
f1:85:81:f8:ea:48:d9:40:bc:29:de:f8:ed:e3:04:9c:b9:b1:
c2:ce:8d:c2:c8:43:e7:73:bc:e6:e5:9f:99:b5:73:98:dd:65:
38:ba
4. $ chmod 400 server.csr
You’re now ready to have your CSR signed by a Certificate Authority (CA). This results
in the creation of a server certificate. You have two options — you can either have an
external trusted CA sign your CSR, or you can create your own CA and use it to sign your
CSR. Choose one of these options which are explained in detail.
Submit Your CSR to an External Trusted CA For Signing...
All web browsers come preconfigured with a list of trusted CAs. Certificates signed by
these trusted CAs will in turn be trusted by the browsers. If your certificate is signed by a
CA unrecognized by the browser, each browser user will get a warning dialog window each
time they visit your web site. So if you’re doing an Internet e-commerce application where
you have no control over the customer’s browser configuration, you will want to obtain your
certificate from one of the default trusted CAs recognized by all browsers.
There are many trusted CAs; VeriSign (www.verisign.com) and Equifax
(www.equifaxsecure.com) are just two examples.By using your browser’s security-related
features, you can list all of the CAs trusted by that particular browser.
You can either purchase a real certificate at this point, or alternatively you can usually
obtain a free test certificate good for a limited time. In either case, the process is the same.
You typically visit the CA’s web site and submit a web registration form that includes a
cut/paste of your CSR, and then the CA e-mails the resulting certificate to you.
You need to cut/paste your CSR in its raw PEM format, which looks like this if you display
the contents of the conf/ssl.csr/server.csr file:
-----BEGIN CERTIFICATE REQUEST-----
MIIB4TCCAUoCAQAwgaAxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNeSBTdGF0ZTEQ
MA4GA1UEBxMHTXkgQ2l0eTETMBEGA1UEChMKTXkgQ29tcGFueTEPMA0GA1UECxMG
TXkgT3JnMRowGAYDVQQDExF3d3cubXljb21wYW55LmNvbTEqMCgGCSqGSIb3DQEJ
ARYbd2VibWFzdGVyQHd3dy5teWNvbXBhbnkuY29tMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQDS1iRItFKSDzOhDShFeoiWkfnc0yPGp7rkk17T05y6GCfsJdtb
H/Umn2uM/tSNOiguAPBYce8prLYjNqyXY4QBCzWQNGv/NbGDCoGhElrVzwBEYnBy
+TyPMF/dYdH+1oOaaTZ0ZE0WP0l6CimzzXjvwCupOpcQ82zfh2HTRpPYawIDAQAB
oAAwDQYJKoZIhvcNAQEEBQADgYEAj1vTRa5SamY2IwkLudFcK1ISAJh4lzlbnfaf
grIsPyS74PBHGQKdPp8y0L6aVD28wO1jZ82j62ihLXoPlIfwqBT2Rc+9qbwTmkzM
+6erc4gXI5CzSVh/1QJV8YWB+OpI2UC8Kd747eMEnLmxws6NwshD53O85uWfmbVz
mN1lOLo=
-----END CERTIFICATE REQUEST-----