Santronics Software, Inc.,
How to obtain a certificate for Wildcat! SSL operations
SSL uses a "trusted signed certificate" concept to secure the connection and conversation between an SSL server and an SSL client. If you are unfamiliar with trusted signed certificates, the following discussion will help give you a simple understanding.
Let's use a web browser for this discussion; however, please keep in mind that the same ideas discussed here apply to all other types of SSL client/server options such as FTP, POP3 or SMTP clients.
When a user uses a web browser to connect to a web site in "SSL mode", the web server will send a "signed certificate" to the web browser.
Next, the web browser will analyze the certificate to see if it's valid, whether it has expired and whether it was signed by a trusted Certificate Authority (CA).
If the certificate is valid and has not expired, but was signed by someone other than a trusted CA, the browser will inform the user of this situation and give the user the opportunity to accept the certificate as is.
So in order to make everyone happy about the security of a web site, you must obtain (purchase) a signed certificate from a trusted CA vendor such as Thawte, Verisign or others. Wildcat! allows you to create a self signed certificate which you can use temporarily while you await the receipt of a trusted certificate from a CA vendor.
Getting a trusted signed certificate:
Obtaining a trusted signed certificate from a CA vendor is typically a five (5) step process:
- Select one of the trusted CA vendors in the marketplace to purchase a trusted signed certificate. Thawte (http://www.thawte.com) and Verisign (http://www.verisign.com) are popular CA vendors. Follow their specific instructions to apply for a trusted certificate. At some point during the application the CA will ask you to provide a "certificate request" that will contain specific customer information. It is at this point that you will use the Wildcat! Certificate Wizard to create this certificate request.
- Using the Wildcat! Certificate Wizard, create a new private key and a certificate request using specific information you provide, including domain name information (common name) for the server you wish to secure. In this step, a temporary self signed certificate will also be created which can be used for SSL operations while you wait for your request to be processed by the CA.
- Send the certificate request information to the CA vendor for processing. How this information is sent depends on the vendor; typically the application is done via the web, and at some point they will ask you to cut and paste the certificate request information into a web page. This is the method used by Thawte.
- Receive the trusted signed certificate from the CA vendor. The CA might email the trusted signed certificate to you and/or they might show it to you on a web site, from which you copy and paste it into a local file (*.crt).
- Finally, add the trusted signed certificate to the pending certificate request.
Wildcat! SSL Configuration Manager makes the above process easy using the
Step 1 Details:
When you select your CA and begin the process of applying for a certificate, this is typically done using their web site. The typical customer information the CA will ask you to provide is:
- Common Name
- Country Code
- Locality (City)
- Organization Name (company)
- Organization Unit (i.e. division/department/etc)
- Email Address (optional)
The most important item is the "common name." The CA will typically enforce this to be the domain name of the server you wish to secure. For example, if you are securing your web site, the common name will probably be www.yourdomain.com. Talk to your CA about using a certificate common name for all services (Web, FTP, POP3, SMTP, etc). This might be a matter of CA cost policy.
After you provide this information on their web site, they will ask you to provide a "certificate request" which is basically a block of information containing the above information in encrypted format. This block will typically look like this:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
Why is the CA asking you for this block if you have already provided the information during the application?
This is part of the verification process. The certificate request you provide will be encrypted using the private key only you will know, not the CA.
So when they finally ask you to provide this funny looking certificate request block, you will use the Wildcat! Certificate Wizard to create it using the same information you already provided to them.
Step 2 Details:
Use the wizard to create a new key and certificate request. You must provide the same information you already provided to the CA. It is especially important that the common names match. In the final stage in the wizard, it will show you the certificate request block.
Also in this step, the wizard will create a temporary self signed certificate which you can use while you wait for the trusted certificate request to be processed.
Step 3 Details:
In step 2, the wizard displays the certificate request block, which you can copy/paste into the CA's certificate request input form. Once the CA has the certificate request block, they will begin processing your request, which may take 1 day or more. Talk to your CA about the turnaround time.
Step 4 Details:
When the CA has completed your application, the CA will contact you (probably via email) instructing you on how to get your new trusted certificate. Depending on the CA, they might email it to you or they might instruct you to get it from their web site. In either case, it will look something like this:
Step 5 Details:
Finally, you need to add the trusted certificate block or *.crt file to the pending request created in step 2. Use the Wildcat! Certificate Wizard option, "Add trusted certificate to pending request".
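The same five steps, as an added example that is not code from Santronics or the Wildcat! Certificate Wizard, driven with the openssl command-line tool instead of the wizard. It assumes only that openssl is installed; the subject values and the throwaway CA that stands in for Thawte or Verisign are constructed for the demo. It also shows the two checks worth making along the way: before pasting the request block (step 3), that it verifies under its own key and carries the common name you typed into the CA's form; and before adding the returned *.crt to the pending request (step 5), that its public key is the one from the request and that it chains to the CA you applied to. The block the page shows between the BEGIN/END lines is a signed, Base64-encoded request rather than an encrypted one: the private key never leaves your server, and the CA checks the signature to confirm the request came from whoever holds that key.

```shell
#!/bin/sh
# Added example (not Santronics' or the Wildcat! wizard's code): the page's
# five-step flow driven with the openssl CLI. The subject values and the
# stand-in CA are constructed for this demo; only the openssl CLI is assumed.
set -eu

WORK="${TMPDIR:-/tmp}/wildcat-csr-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Step 1: the customer information the CA's form asks for (constructed values).
# The common name must be the exact host name the server will be reached as.
COMMON_NAME="www.example.com"
SUBJECT="/C=US/L=Springfield/O=Example Corp/OU=Hosting/CN=$COMMON_NAME/emailAddress=admin@example.com"

# Step 2: new private key, certificate request, and a temporary self signed
# certificate to run SSL with until the CA's certificate arrives.
make_request() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/server.key" 2>/dev/null
    # The request is the subject fields plus the public key, signed with
    # server.key and Base64 encoded between the BEGIN/END lines. It is not
    # encrypted: the CA verifies the signature to prove you hold the key.
    openssl req -new -key "$WORK/server.key" -subj "$SUBJECT" \
        -out "$WORK/server.csr"
    openssl req -new -x509 -key "$WORK/server.key" -subj "$SUBJECT" \
        -days 30 -out "$WORK/temp-selfsigned.crt"
}

# Step 3 checks, done before pasting the block into the CA's form: the
# request must verify under its own public key and its CN must be the
# name typed into the application, or the CA will reject or mis-issue it.
csr_signature_ok() {
    openssl req -in "$WORK/server.csr" -noout -verify >/dev/null 2>&1 \
        && echo yes || echo no
}
csr_common_name() {
    openssl req -in "$WORK/server.csr" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,/]*\).*/\1/p'
}

# Step 4: a throwaway CA standing in for the vendor (constructed; a real
# CA only ever sees server.csr, never server.key).
issue_from_stand_in_ca() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -subj "/CN=Demo CA (constructed)" -days 30 -out "$WORK/ca.crt" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
        -out "$WORK/server.crt" 2>/dev/null
}

# Step 5 checks, done before adding the received *.crt to the pending
# request: its public key must be the one in the request (same private
# key), and it must chain to the CA you applied to.
cert_matches_pending_key() {   # $1 = certificate file to check
    key_fp=$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null | openssl sha256)
    crt_fp=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    [ "$key_fp" = "$crt_fp" ] && echo match || echo mismatch
}
cert_chain_ok() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1 \
        && echo yes || echo no
}

make_request
echo "--- certificate request block to paste into the CA's form ---"
cat "$WORK/server.csr"
echo "request verifies: $(csr_signature_ok), CN: $(csr_common_name)"
issue_from_stand_in_ca
echo "received cert matches pending key: $(cert_matches_pending_key "$WORK/server.crt")"
echo "wrong cert (the CA's own) matches pending key: $(cert_matches_pending_key "$WORK/ca.crt")"
echo "received cert chains to CA: $(cert_chain_ok)"
```

The public-key comparison is the one that catches the common mistake of re-running the wizard (and so generating a new key) between steps 2 and 5: the CA's certificate still matches the old request, and a server configured with it and the new key will fail its SSL handshake.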