Creating a Certificate
Before ProtectToolkit-M and the HSM can be used for SSL processing, a server certificate must be set up for the ProtectToolkit-M machine. In each of the methods below the key pair is generated through the SafeNet CSP, so that the private key is created and protected by the HSM rather than held in software.
There are three methods of creating a certificate for the machine:
>Using IIS
>Creating a Certificate Using the Microsoft CA server
>Using the createcert utility. Note that self-signed certificates created by the utility are only of use for testing purposes.
Using IIS
When using IIS to install a certificate on the host machine, the following steps have to be performed:
>Creating a certificate request
>Sending the certificate request to be signed by a CA
>Installing the signed certificate into IIS
To create a certificate request using IIS
1.Start the Internet Services Manager from the Administrative Tools menu.
2.Highlight the Default Web Site entry, and right-click to open a context menu. Select Properties. The default web site properties dialog opens. Select the Directory Security tab.
3.Click on the Server Certificate button. This will start the IIS Certificate Wizard.
4.Choose Create a new certificate from the available options and press Next to continue.
5.Choose Prepare the request now, but send it later from the available options and press Next to continue.
6.On the Name and Security Settings page that now displays, check the Select cryptographic service provider (CSP) for this certificate checkbox and click Next. On the provider selection page that follows, select the SafeNet provider (SafeNet RSA SChannel Cryptographic Provider) as the CSP so that the key pair is generated in the HSM, and click Next to continue.
7.Continue to follow the on-screen prompts until the certificate request is completed.
The IIS Certificate Wizard writes the certificate request to a file. Forward this file to your CA to have it signed; only the request leaves the machine, the private key stays with the HSM. The CA returns a new file containing the signed certificate.
Refer to Installing a Certificate for use with IIS for details on how to install the signed certificate.
Creating a Certificate Using the Microsoft CA server
The Microsoft CA server provides a standard internet browser interface for the creation of certificates.
NOTE Before starting the following procedure, ensure that the currently logged-on user has Windows administrator privileges and a valid keyset.
To create a certificate using MS CA server
1.Start the MS CA services interface by opening your web browser and specifying the Microsoft CA server URL. For example:
http://hostname/certsrv
The opening dialog for CA services appears.
2.Select the Request a certificate option and press Next to continue. You are prompted to select the request type.
3.Choose, Advanced request and press Next to continue. You will be presented with the Advanced Certificate Requests screen.
4.Select Submit a certificate request to this CA using a form, and press Next to continue. You will be presented with a form to input the certificate details.
5.Enter the details for the certificate into the fields provided:
a.Certificate Name: enter the host machine's name, as printed by the standard Windows command hostname at a command prompt. Clients check this name against the name they connect to, so it must be the name under which the server is reached.
b.Intended Purpose: choose Server Authentication Certificate.
c.Key Options: choose SafeNet RSA SChannel Cryptographic Provider as the CSP.
d.Key Usage: choose Exchange.
e.Key Size: enter as required, e.g. “2048”. Use at least 2048 bits; 1024-bit RSA keys are no longer considered secure for server certificates.
f.Select Create new key set.
g.If you want to be able to back up the keys associated with the certificate at a later date, choose Mark keys as exportable. Leave this unchecked if the private key must never leave the HSM.
h.Choose Use local machine store.
i.Additional Options: choose a Hash Algorithm. Prefer SHA-256 where the CSP offers it; MD5 (and SHA-1) are no longer acceptable for certificate signatures.
NOTE If the currently logged-on user’s keyset does not exist when the SafeNet CSP is selected, the Hash Algorithm list box at the bottom of the screen will be empty. Should this be the case, abort this operation and create a keyset for the currently logged-on user before attempting this task again.
6.Press the Submit button when you have confirmed your inputs. If the Microsoft CA was configured to “Auto Issue” certificates, you are presented with the Certificate Issued dialog.
Click Install this certificate to complete the certificate request and installation.
If CA Services is not configured to auto-issue certificates, the dialog will state that your certificate request is pending. Check on the status of the request using the CA services at a later time; when the certificate has been issued, you are presented with the Certificate Issued dialog and can install it as above.
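The same request can also be produced from the command line with the standard Windows certreq tool, which the procedure above does not mention. The following is an added example written for this page, not ProtectToolkit-M or Microsoft CA code: it writes a certreq INF carrying the same choices as the web form (Server Authentication, the SafeNet CSP, key-exchange usage, local machine store), submits the request, and then checks the installed certificate. The $caConfig value, the file names and Windows PowerShell 5.1 are assumptions; the Test-HsmServerCert function applies equally to certificates installed through the IIS wizard or the createcert utility.

```powershell
# Added example for this page (not ProtectToolkit-M or Microsoft CA code).
# Assumes Windows PowerShell 5.1 on the ProtectToolkit-M host, the SafeNet CSP
# installed under the name used on this page, and a CA reachable by certreq.
$cn       = $env:COMPUTERNAME.ToLower()     # the value the hostname command prints
$caConfig = 'caserver\Example Issuing CA'   # ASSUMPTION: your CA in "host\CA name" form
$inf = Join-Path $env:TEMP "$cn.inf"
$csr = Join-Path $env:TEMP "$cn.req"
$cer = Join-Path $env:TEMP "$cn.cer"

# certreq INF mirroring the web-form fields. KeyLength 2048 and sha256 are used
# in place of the 1024/MD5 values the form shows as examples.
$infText = @"
[NewRequest]
; Certificate Name (must match the name clients connect to)
Subject = "CN=$cn"
; Key Options: generate the key pair inside the HSM through the SafeNet CSP
ProviderName = "SafeNet RSA SChannel Cryptographic Provider"
; Key Usage: Exchange
KeySpec = 1
KeyLength = 2048
; Mark keys as exportable: FALSE keeps the private key inside the HSM
Exportable = FALSE
; Use local machine store
MachineKeySet = TRUE
HashAlgorithm = sha256
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Intended Purpose: Server Authentication
OID = 1.3.6.1.5.5.7.3.1
"@
Set-Content -Path $inf -Value $infText -Encoding ASCII

certreq -new $inf $csr                       # key pair is created in the CSP; only the PKCS#10 request leaves the host
certreq -submit -config $caConfig $csr $cer  # if the CA does not auto-issue, note the RequestId and later run:
                                             #   certreq -retrieve -config $caConfig <RequestId> $cer
certreq -accept $cer                         # installs the issued certificate into LocalMachine\My, bound to the HSM key

function Test-HsmServerCert {
    # Checks the newest LocalMachine\My certificate for the given CN. Works for
    # certificates installed by the IIS wizard, the MS CA form, or createcert.
    param([string]$CommonName = $env:COMPUTERNAME.ToLower())
    $pattern = 'CN=' + [regex]::Escape($CommonName) + '(,|$)'
    $c = Get-ChildItem Cert:\LocalMachine\My |
         Where-Object { $_.Subject -match $pattern } |
         Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $c) { throw "No certificate for CN=$CommonName in LocalMachine\My" }
    # For CSP-backed keys PrivateKey is an RSACryptoServiceProvider and names its provider
    # (reading it needs the administrator privileges the procedure requires).
    $provider = if ($c.HasPrivateKey -and $c.PrivateKey) {
        $c.PrivateKey.CspKeyContainerInfo.ProviderName } else { $null }
    [pscustomobject]@{
        Thumbprint    = $c.Thumbprint
        Provider      = $provider
        KeyInHsmCsp   = ($provider -like 'SafeNet*')
        KeySizeOk     = ($c.PublicKey.Key.KeySize -ge 2048)
        SigAlgOk      = ($c.SignatureAlgorithm.FriendlyName -notmatch '^(md5|sha1)')
        ServerAuthEku = (@($c.EnhancedKeyUsageList.ObjectId) -contains '1.3.6.1.5.5.7.3.1')
        SelfSigned    = ($c.Subject -eq $c.Issuer)   # true for createcert output: testing only
        NotAfter      = $c.NotAfter
    }
}

Test-HsmServerCert -CommonName $cn
```

A KeyInHsmCsp value of False means the key was generated by a software CSP and the HSM is not protecting it; a True SelfSigned value identifies a createcert certificate, which should not be used outside testing.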
Using the createcert utility
The createcert utility is provided as a simple means to create a self-signed certificate for the ProtectToolkit-M host machine.
NOTE These certificates are intended for development and testing purposes only. Also ensure that the currently logged-on user has Windows administrator privileges and a valid keyset.
You will need to know the machine name of the ProtectToolkit-M system; run the standard Windows command hostname from a command prompt to obtain it.
To create a self-signed certificate using createcert utility
From a command prompt, run the createcert utility, specifying the machine name as the certificate's common name. For example, if the machine name is “betaone”, the command and its output are as follows:
C:\>createcert CN=betaone
File called SelfSigned.cer has been saved. Certificate created successfully and installed
Successful execution results in an RSA key pair being created, together with a self-signed certificate which is saved in the file “SelfSigned.cer” and automatically installed ready for IIS use. Because the certificate is self-signed, browsers will not trust it without manual intervention; use it for testing only.