
This document addresses only how to acquire and verify an M.I.T. Server Certificate. It is not a tutorial on X.509 certificates.

WARNING: Many systems that accept certificates treat the information within the certificate as case sensitive. Please make sure that all of your requests use lower case server names. In particular, if your certificate has an upper case server name in it, it will fail when used with MIT Touchstone.

PREREQUISITES

    Before you begin, you must have the following:

...

    a. Generate a private key

* Create a directory which will be used for generating the certificate request.
* cd to the newly created directory.
* Execute the following command:

    openssl genrsa 2048 > servername-key.pem

where servername matches the name of the server that the final certificate will apply to (e.g. if the server is going to be foo.mit.edu, then this file would be foo-key.pem).

servername-key.pem is the server certificate's private key. Do not lose this key. Store it in a safe and secure location.

    b. Generate a request for a server certificate

To generate a request for a server certificate, execute the following command line:

    openssl req -key servername-key.pem -new > servername-req.pem

where servername is as in a. above.

When prompted for input, use these answers:

Country Name (2 letter code): US
State or Province Name (full name): Massachusetts
Locality Name (eg, city): Cambridge
Organization Name (eg, company): Massachusetts Institute of Technology
Organizational Unit Name (eg, section): (e.g. Information Services & Technology)
Common Name (eg, YOUR name): servername.mit.edu (i.e. the lower case server name)
Email Address: enter a valid email address.
A challenge password: anything you choose - keep a record. You may be asked for this password at a later date.
An optional company name: no entry required

The file servername-req.pem contains the information for the server certificate. Cut and paste the contents of this file into an email and send it to mitcert@mit.edu. When you paste the contents of the servername-req.pem file into the email, be sure to include the BEGIN and END lines.

The Subject line of the email should read: Request for a Server Certificate.

Also include in the body of the email, a short line stating that you are requesting a Server Certificate.  Stating that you want a Server Certificate is important.
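Steps a and b done non-interactively, as an added example that is not part of the original MIT page. The prompts are answered through -subj instead of the interactive dialogue, and the request is re-read afterwards to confirm that the Common Name is the lower case server name, since an upper case name is the failure mode the warning at the top of this page describes. It assumes openssl is on the PATH; the OU and e-mail values are placeholders to replace with your own, and no challenge password is set.

```shell
#!/bin/sh
# Added example, not the MIT page's own procedure: generate the key and the
# certificate request for one lower case server name and check the result.
# Assumptions: openssl on PATH; OU and emailAddress below are placeholders.

set -u

# Return 1 if the name contains any upper case letter (the Touchstone failure mode).
check_lowercase() {
    case "$1" in
        *[[:upper:]]*) echo "refusing '$1': server names must be lower case" >&2; return 1 ;;
        *) return 0 ;;
    esac
}

# Step a: 2048-bit RSA private key, written to <servername>-key.pem in the current directory.
gen_key() {
    check_lowercase "$1" || return 1
    openssl genrsa -out "$1-key.pem" 2048 2>/dev/null
}

# Step b: the certificate request, with the page's prompt answers supplied via -subj.
# OU and emailAddress are placeholder values; replace them with your own.
gen_csr() {
    check_lowercase "$1" || return 1
    openssl req -new -key "$1-key.pem" -out "$1-req.pem" \
        -subj "/C=US/ST=Massachusetts/L=Cambridge/O=Massachusetts Institute of Technology/OU=Example Department/CN=$1.mit.edu/emailAddress=admin@example.invalid"
}

# Print the Common Name embedded in a request file (works with old and new subject formats).
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Return 0 only if the request's CN is exactly <servername>.mit.edu with no upper case letters.
csr_cn_is_lowercase() {
    cn=$(csr_cn "$1")
    [ "$cn" = "$2.mit.edu" ] || return 1
    check_lowercase "$cn"
}
```

Run it from the fresh directory of step a as `gen_key foo && gen_csr foo && csr_cn_is_lowercase foo-req.pem foo` before mailing foo-req.pem; a non-zero exit means the request should not be sent.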

    c. Verify the Server Certificate


When you receive an email that contains your Server Certificate, save the Server Certificate to the directory you created in a. above.

You can change the name of the certificate file to something that is meaningful to you. In this document, the Server Certificate was assumed to be saved as servername.cer.

servername.cer is the actual server certificate. Do not lose this certificate. Store the certificate (along with its private key generated in a. above) in a safe and secure location.

View the Server Certificate to verify that you have the correct certificate. To view the certificate, execute the following command line:

       openssl x509 -in servername.cer -text

Find the line that says: Netscape Cert Type. The line immediately following this line should say: SSL Client, SSL Server, S/MIME, Object Signing.  If this is not the case, then you may have the wrong type of certificate.

Also verify that the issuer of the certificate is the MIT client certificate authority by finding the following line:

      Issuer: C=US, ST=Massachusetts, O=Massachusetts Institute of Technology, OU=MIT Certification Authority

Also verify that the certificate is for your machine by finding your server certificate name in the certificate's Subject: line.

Finally verify the certificate's activation and expiration dates by looking at the two lines following Validity.
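The four checks of step c as a script, added here as an example that is not part of the original MIT page. It reads the Netscape Cert Type, Issuer, Subject and Validity fields with openssl x509 and fails if any of them differs from what the text above says to expect. It assumes openssl is on the PATH and that the certificate was saved as described; the issuer check looks for the O and OU values quoted above rather than comparing the whole line, so that the different name formats printed by old and new openssl releases both pass.

```shell
#!/bin/sh
# Added example, not the MIT page's own procedure: automate the verification
# steps in c. against a received certificate file.
# Assumptions: openssl on PATH; certificate in PEM form as saved from the e-mail.

set -u

# The line that follows "Netscape Cert Type:" in the text dump, leading blanks removed.
cert_type() {
    openssl x509 -in "$1" -noout -text | awk '/Netscape Cert Type/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# Expected type list from the page; anything else may be the wrong kind of certificate.
cert_type_ok() {
    [ "$(cert_type "$1")" = "SSL Client, SSL Server, S/MIME, Object Signing" ]
}

# Issuer and subject normalised to "C=US, ST=..." so old "/C=US/..." and new "C = US, ..." formats compare alike.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//; s/ *= */=/g'
}
cert_subject() {
    openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//; s/ *= */=/g'
}

# The issuer must carry the O and OU of the MIT Certification Authority quoted in the text.
cert_issuer_ok() {
    case "$(cert_issuer "$1")" in
        *"O=Massachusetts Institute of Technology"*"OU=MIT Certification Authority"*) return 0 ;;
        *) return 1 ;;
    esac
}

# The Subject CN must be exactly <servername>.mit.edu (not merely a prefix of it).
cert_matches_host() {
    case "$(cert_subject "$1")" in
        *"CN=$2.mit.edu"|*"CN=$2.mit.edu,"*|*"CN=$2.mit.edu/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Activation and expiration dates (the two lines after Validity), and an expiry check.
cert_dates() {
    openssl x509 -in "$1" -noout -dates
}
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Run every check; report each failure on stderr and return non-zero if any failed.
verify_server_cert() {
    rc=0
    cert_type_ok "$1"           || { echo "type: unexpected Netscape Cert Type '$(cert_type "$1")'" >&2; rc=1; }
    cert_issuer_ok "$1"         || { echo "issuer: not the MIT CA: $(cert_issuer "$1")" >&2; rc=1; }
    cert_matches_host "$1" "$2" || { echo "subject: CN is not $2.mit.edu: $(cert_subject "$1")" >&2; rc=1; }
    cert_not_expired "$1"       || { echo "validity: certificate has expired" >&2; rc=1; }
    cert_dates "$1"
    return $rc
}
```

Usage: `verify_server_cert servername.cer servername` prints the two validity dates and exits non-zero, with a reason on stderr, if the type, issuer or subject does not match what step c describes or the certificate has already expired.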