Anonymous_User Absent Member.

CSR Generation

All,

We have purchased a Verisign certificate and I'm trying to get a CSR generated for my Mobility server. I've got Mobility installed and running but just need to SSL-ize it.

I tried using 'gwcsrgen' as the documentation states. However, 'gwcsrgen' does not work on SLES11 (OpenMotif libraries not on SLES11). Can this be run from a different machine? Then I started looking around Novell's site and Verisign's site for CSR generation information. Verisign has nothing (despite many listings) and most of the Novell docs want me to drop it into Apache. I found some information about using the 'openssl' command but I wasn't sure if that applied to what I was trying to do (as to whether the commands were specific to Apache or would work for GMS too).

Does anyone have any information on how I can get the CSR generated or can at least point me in the right direction?


Thanks,
Aaron
dzanre1 Absent Member.

Re: CSR Generation

I don't really see any reason to use gwcsrgen other than gw admins seem
to like GUIs. Here's an excerpt from my book.

Run

openssl genrsa -des3 -out mobility.key 2048

Because we are using the -des3 command, we are putting a passkey on our
private key, which we are naming “mobility.key” with a 2048 bit key
name. We find that this is sufficient for most sites. You will be
asked for a pass phrase for your key. You will need to know this pass
phrase in a few minutes when we generate the CSR, and also after you
receive the certificate for further use. In other words, use a pass
phrase that you will not readily forget! Once our private key has been
created (we named ours mobility.key), we will create the CSR. To do so,
type the following in the terminal window:

openssl req -new -key mobility.key -out mobility.csr

We are requesting that a new CSR be generated, using our private key of
mobility.key, and naming the CSR mobility.csr.

You will be asked for the following information:
• Pass Phrase: This is the pass phrase that you just used for creating
your private key.
• Country Name 2 letter code: For example, AU, US, DE
• State or Province Name (full name): For example, Colorado
• Locality Name (eg, city): Put in your city name
• Organization Name (eg, company): For example, Caledonia
• Organizational Unit Name: For example, IS
• Common Name: This is actually the host name, so for example,
gw.company.com
• Email Address: This should be a domain contact person

You will then be presented with some optional information; you can
simply press ENTER at those prompts if you do not wish to include the
information in the request. You will now have a CSR file (in our case
mobility.csr) that can be sent to the Certificate Authority for
generation. Most CAs do all of this over the Internet now, having you
simply copy and paste the information from your CSR directly into a box
on their website, or ask you to upload the CSR file to their servers.

Once you receive the certificate from your Certificate Authority, you
will need to prepare the certificate file for use by the Mobility
Server. When you go to retrieve your certificate, if asked what server
you are using, you can simply choose the “Apache2” download. The
Mobility Server runs on CherryPy, but we've found no issues with using
the “Apache2” formatted certificate. First, in order to use the private
key that you created above for the Mobility Server certificate, we will
need to remove the passphrase. In a terminal window, change to the
directory where you created your private key and run the following:

openssl rsa -in mobility.key -out mobilitynew.key

You will be asked for the pass phrase for your private key. In our
case we have taken our mobility.key and created a new key called
mobilitynew.key that has no passphrase.

Now on to the certificates received from your Certificate Authority.
Typically you receive your certificate in a file that ends with .crt.
You may also receive one or more files that are “intermediate”
certificates. For example, GoDaddy generally sends a file called
gd_bundle.crt, Comodo sends ca_bundle.crt, and so on. For use with the
Mobility Server, you must create a single file that contains the private
key, server certificate and intermediate certificate all in one file.
It will look like this:

-----BEGIN RSA PRIVATE KEY-----
key text
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
certificate text
-----END CERTIFICATE-----
-----BEGIN INTERMEDIATE CERTIFICATE-----
intermediate certificate text
-----END INTERMEDIATE CERTIFICATE-----

While you could use a text editor to do this, you can also just use the
Linux “cat” command to manage it all. Since you need a safe place to put
your files anyway, create a directory on your new SLES 11 server, and
place your unpassworded key file (ours is called mobilitynew.key), and
your certificate files in the same directory. If you only have two
files (for example, your CA sends you only a single crt file), you would
have perhaps:

mobilitynew.key

gw.company.com.crt

So you could run the following command in this directory to create your
mobility.pem file:

cat mobilitynew.key gw.company.com.crt > mobility.pem

This will create a mobility.pem file containing both the private key and
the certificate file. If your CA sends you multiple files, chain them
together in the order of private key, server certificate, intermediate.

For example

cat mobilitynew.key gw.company.com.crt intermediate.crt > mobility.pem


--
Danita - http://www.caledonia.net/gw-mobility.html
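
Added example, not part of the original post or the book excerpt: a shell helper that checks the private key really matches the CSR or certificate before the combined mobility.pem is written, and creates that file owner-only because it contains the passphrase-free key. The function names are hypothetical; the file names follow the post.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# file names (mobilitynew.key, gw.company.com.crt, mobility.pem) follow the post.

# Print a SHA-256 digest of the RSA modulus found in a key, CSR or certificate.
# Two files belong together only if their digests are identical.
modulus_digest() {  # $1 = key|csr|cert   $2 = file
    case "$1" in
        key)  m=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null) || return 1 ;;
        csr)  m=$(openssl req  -noout -modulus -in "$2" 2>/dev/null) || return 1 ;;
        cert) m=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    # An empty result must never compare equal to another empty result.
    [ -n "$m" ] || return 1
    printf '%s\n' "$m" | openssl sha256
}

# Concatenate key + server certificate (+ intermediates) into one PEM file,
# refusing to write anything if the key does not match the certificate.
build_pem() {  # $1 = unencrypted key  $2 = server cert  $3 = output  $4... = intermediates
    key=$1; cert=$2; out=$3; shift 3
    k=$(modulus_digest key "$key")   || { echo "cannot read key: $key" >&2; return 1; }
    c=$(modulus_digest cert "$cert") || { echo "cannot read certificate: $cert" >&2; return 1; }
    [ "$k" = "$c" ] || { echo "key and certificate do not match" >&2; return 1; }
    # The file holds an unencrypted private key: create it owner-only.
    ( umask 077; cat "$key" "$cert" "$@" > "$out" ) || return 1
    chmod 600 "$out"
}

# Usage with the post's file names:
#   [ "$(modulus_digest key mobilitynew.key)" = "$(modulus_digest csr mobility.csr)" ]
#   build_pem mobilitynew.key gw.company.com.crt mobility.pem intermediate.crt
```
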
Anonymous_User Absent Member.

Re: CSR Generation

Awesome! Got the CSR generated and will talk to Verisign tomorrow. Thanks, Danita!


Aaron


dzanre;2036401 wrote:
I don't really see any reason to use gwcsrgen other than gw admins seem
to like GUIs. Here's an excerpt from my book.....
--
Danita - Shopping Cart