Configuring and Managing MPE/iX Internet Services (August 2002)

Chapter 9
HP WebWise MPE/iX Secure Web Server
Server Keys and Certificates
49:7a:0a:29:b3:cd:78:ef:c0:2b:a9:3a:97:10:f3:
6c:df:87:61:d3:46:93:d8:6b
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: md5WithRSAEncryption
4. $ chmod 400 server.csr
You're now ready to have your CSR signed by a Certificate Authority (CA). This results in the creation of a
server certificate. You have two options: you can either have an external trusted CA sign your CSR, or you
can create your own CA and use it to sign your CSR. Choose one of these options, which are explained in
detail.
Submit Your CSR to an External Trusted CA For Signing...
All web browsers come preconfigured with a list of trusted CAs. Certificates signed by these trusted CAs will
in turn be trusted by the browsers. If your certificate is signed by a CA unrecognized by the browser, each
browser user will get a warning dialog window each time they visit your web site. So if you're doing an
Internet e-commerce application where you have no control over the customers' browser configuration, you
will want to obtain your certificate from one of the default trusted CAs recognized by all browsers.
There are many trusted CAs; VeriSign (www.verisign.com) and Equifax (www.equifaxsecure.com) are
just two examples. By using your browser's security-related features, you can list all of the CAs trusted by
that particular browser.
You can either purchase a real certificate at this point, or alternatively you can usually obtain a free test
certificate good for a limited time. In either case, the process is the same. You typically visit the CA's web site
and submit a web registration form that includes a cut/paste of your CSR, and then the CA e-mails the
resulting certificate to you.
You need to cut/paste your CSR in its raw PEM format, which looks like this if you display the contents of the
conf/ssl.csr/server.csr file:
-----BEGIN CERTIFICATE REQUEST-----
[base64-encoded request data]
-----END CERTIFICATE REQUEST-----
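A truncated or padded paste is a common reason for a CA's web form to reject a request. The following shell functions are an added example, not part of the original manual or of OpenSSL: they check that a CSR file is one complete PEM request block and that its mode is still 400 from step 4. The function names and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-submission checks for a CSR file. Function names are
# hypothetical; they are not part of the manual or of OpenSSL.

# Succeeds only if the file is one complete PEM certificate request:
# BEGIN line first, END line last, base64 body lines in between.
csr_pem_ok() {
    awk '
        NR == 1 { if ($0 != "-----BEGIN CERTIFICATE REQUEST-----") bad = 1; next }
        $0 == "-----END CERTIFICATE REQUEST-----" { if (ended) bad = 1; ended = NR; next }
        # OpenSSL writes body lines of at most 64 base64 characters.
        $0 !~ "^[A-Za-z0-9+/]+=?=?$" || length($0) > 64 { bad = 1 }
        { body++ }
        END { exit !(!bad && body > 0 && ended == NR) }
    ' "$1"
}

# Succeeds only if the file is a regular file with mode 400 (owner read-only).
csr_mode_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-r--------" ]
}

# Returns 0 if ready to paste, 1 on a malformed PEM block, 2 on a wrong mode.
csr_ready() {
    csr_pem_ok "$1" || { echo "$1: not a complete PEM certificate request" >&2; return 1; }
    csr_mode_ok "$1" || { echo "$1: mode is not 400" >&2; return 2; }
}

# Constructed sample: the body is placeholder base64, not a real request.
sample=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' \
    'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE REQUEST-----' > "$sample"
chmod 400 "$sample"
csr_ready "$sample" && echo "sample: ready to paste"
rm -f "$sample"
```

On a real request, run `csr_ready conf/ssl.csr/server.csr` before copying the file contents into the CA's form. The check is structural only and does not verify the request's signature.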