How To Request A Free Certificate
We have an account with CAcert.org, the open certificate community. This is a new organization, and because it is free, recognition of the certificate authority is still low: almost no web browsers ship with the CAcert root certificate installed. In addition, all host names will have to end in imorgon.net, which obviously will not be entered in the customer's DNS. These issues will cause a certificate warning in most browsers.
Nevertheless, it can be used to install an SSL certificate so that the web browser uses encryption over HTTPS.
- Use this Certificate Authority if you want a free SSL certificate for the purpose of testing or internal use.
- If you are giving access to a customer, warn them that they will get a security warning when they access the site.
- If they do not want the warning, they either need to purchase a commercial certificate (which we normally cannot do, since we do not own the customer's domain) or they can manually install the CAcert root certificate from http://www.cacert.org/index.php?id=3 by clicking the first line for Microsoft IE, or by downloading the PEM or DER format certificate for other browsers.
To Request a Certificate from CACert
Note that at most locations outgoing HTTP requests are allowed, so you can do all of the below right on the customer's server if that is the case.
- First go to IIS on the target system and request a new certificate; the procedure is listed below, with the following differences. Because certificates are based on the domain and we do not control the customer's domain, all free certificate requests must have a host name ending in imorgon.net. Come up with any reasonable name for the purpose of creating a temporary free certificate. It will never match the real host name, so it will always generate a certificate error, but it will still encrypt HTTPS properly. If they absolutely cannot live with that, they can put the "fake" host name in their own machines' C:\windows\system32\drivers\etc\Hosts file and also import the root certificate into their own machines.
- Open the Internet Services Manager (or your custom MMC containing the IIS snap-in).
- Browse to the site where you want to enable secure communications.
- Right-click the friendly name of the site and go to properties.
- Click the Directory Security tab.
- Under the Secure Communications section, click Server Certificate.
- This starts the new Web Site Certificate Wizard.
- Click Next.
- Choose the Create a New Certificate option and click Next (there should be a slight pause before the next screen appears).
- Choose the Prepare a New Request but Send it Later option and click Next.
NOTE: The Send the request immediately to an online certification authority option is unavailable unless IIS has access to an Enterprise CA, which requires Certificate Server 2.0 to be installed in Microsoft Windows 2000 with Active Directory.
- Choose a Friendly Name for the site (this can be anything you want it to be, for example, the friendly name of the site in the MMC, or the name of the customer the Web site belongs to).
- Choose the bit length of the key you want to use and whether you want to use SGC (Server Gated Cryptography), and then click Next.
NOTE: For more information on bit length and SGC, see the IIS Help that is located on the server at the following address:
http://<servername>/iishelp/iis/htm/core/iistesc.htm
Note that for this URL to work, you must replace <servername> with the name of your IIS server.
- Input your Organization (O) and your Organizational Unit (OU). For example, if your company is called Widgets and you are setting up a Web server for the Sales department, you would enter Widgets for the Organization and Sales for your Organizational Unit. Click Next when complete.
- Input the common name (CN) for your site. This must be the same name that the user will type when requesting your Web site. For example, if a user enters https://imorgon.st-joseph-hospital.imorgon.net to access your Web site, then your Common Name would be imorgon.st-joseph-hospital.imorgon.net. Note: If you are requesting a free certificate from CACert, all host names must end with imorgon.net. When you are complete, click Next.
- Input your Country/Region, City, and State. It is very important that you do not abbreviate the names of the state or city. When complete, click Next.
- Enter the contact information for the person responsible for this certificate or Web site. This is usually how the Certificate Authority contacts you, and then click Next.
- Choose a name for the certificate request file you are about to create. This file will contain all the information you entered here, as well as the public key for your site. You can browse for the file name if you want. The result is a .txt file; the default name is Certreq.txt. When you have finished this step, click Next.
- You will now be presented with a summary screen of all the information you entered. Make sure all this information is correct, and then click Next.
- You have now created your certificate request file.
- Open this file in Notepad and copy its contents so that you can paste it in the next steps.
- Go to: https://www.cacert.org/index.php?id=4
- User: firstname.lastname@example.org, Password: Series 1
- Click "Server Certificates"
- Paste in the Request
- Back in the right-hand menu on the web site, click View and then download the certificate.
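The browser alert described above has two independent causes: the CAcert root is not trusted, and the imorgon.net common name never matches the host the customer actually types. The following added example (not part of this page or of any IIS/CAcert tooling) models the browser's name check with a simplified RFC 6125 matcher, including the single-label wildcard case, and shows why the Hosts-file workaround makes the name part pass; the certificate names and customer host name are constructed.

```python
# Simplified model of the browser-side checks behind the "certificate error"
# described above. Names below are constructed for illustration.

def hostname_matches(cert_names, requested_host):
    """RFC 6125 style matching: exact case-insensitive match, or a wildcard
    in the leftmost label only, covering exactly one label (*.imorgon.net
    matches demo.imorgon.net but not a.b.imorgon.net or imorgon.net)."""
    host_labels = requested_host.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if labels[0] == "*":
            if (len(labels) >= 3 and len(host_labels) == len(labels)
                    and host_labels[1:] == labels[1:]):
                return True
        elif labels == host_labels:
            return True
    return False


def browser_will_warn(cert_names, requested_host, root_trusted):
    """Return the list of reasons a browser would show the certificate alert
    (empty list means no warning)."""
    reasons = []
    if not root_trusted:
        reasons.append("issuer root certificate is not in the trusted store")
    if not hostname_matches(cert_names, requested_host):
        reasons.append("certificate name does not match the requested host")
    return reasons


# Constructed sample: the "fake" name we put in the CSR, and the customer's
# real host name, which we cannot get a certificate for.
CERT_NAMES = ["imorgon.st-joseph-hospital.imorgon.net"]
CUSTOMER_HOST = "imaging.st-joseph-hospital.example"

if __name__ == "__main__":
    # Out of the box: untrusted root and name mismatch.
    print(browser_will_warn(CERT_NAMES, CUSTOMER_HOST, root_trusted=False))
    # After importing the CAcert root and adding the fake name to the Hosts
    # file so the customer browses by the imorgon.net name: no warning.
    print(browser_will_warn(CERT_NAMES, CERT_NAMES[0], root_trusted=True))
```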
How To Install The Same Certificate for The Mirrored System
Since we point the web site at the Virtual IP, we request a single certificate and then install that one server certificate on both servers. This is done by exporting the server certificate installed on one machine together with its private key.
First off, yes you can do this. The procedure is very clearly explained in this Microsoft article:
In case the article above disappears, here is the gist of how it is done.
- Request and install the certificate on the first server as you normally would. Do not make the request from the other servers; if you already have, remove any pending certificate requests there.
- Open the MMC and add the Certificate module.
- Open the Computer Account then Personal certificate folder.
- Navigate down to the Web Certificate you want to export.
- Right-click the certificate, choose All Tasks, and then Export.
- In the wizard select to include the Private Key and include all certificates in the path in the next page.
- Copy the exported file to the other server.
- Open the same MMC with the Certificates snap-in on that server.
- Import the file you exported into the Personal store.
- In the IIS certificate section of the Directory Security tab, choose "Assign an Existing Certificate".
That's basically all you need to do.
Chain Certificate Installation Steps
1. You will get the chain certificate from your certificate authority. Please contact your CA.
2. The CA will provide the certificate in text format.
3. Copy the Entrust chain certificate to your clipboard. You must include the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.
4. Paste the certificate into a text editor such as Notepad, and ensure that the entire text is flush left with no leading or trailing white space.
If there are any extra spaces the server will not recognize the format of the file and you will not be able to install the certificate.
5. Save the file.
6. Rename the text file. Because you are installing the certificate in a Microsoft Windows-based web server the filename should have the extension .crt (for example, "entrustchaincert.crt").
7. Open the file that contains the chain certificate in Windows Explorer (for example, double-click the file). The Certificate dialog box appears.
8. In the General tab, click Install Certificate. The Certificate Manager Import Wizard appears.
9. Select Next
10. Select Place all certificates into the following store.
11. Select Browse... The Select Certificate Store dialog box appears.
12. Select Show Physical Stores.
13. Expand Intermediate Certification Authorities by clicking the "+" sign beside the item in the dialog box.
14. Select Local Computer and click the OK button.
15. Select Next
16. Select Finish. A confirmation dialog appears.
17. Select OK
You must restart the computer to ensure that the registry settings take effect.
You have just installed the Entrust Chain Certificate in the correct location in your registry.
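Step 4 above is where most chain-certificate installs fail: a stray space or tab in the pasted text, or a truncated body, and Windows no longer recognises the file. The following added example (not from this page, the CA, or Microsoft) normalises a pasted PEM block so every line is flush left, checks the BEGIN/END markers and base64 body, and verifies that the decoded DER SEQUENCE's declared length matches what was actually pasted; the sample input is a constructed 5-byte DER blob, not a real certificate.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_declared_length(der: bytes) -> int:
    """Total size an ASN.1 DER SEQUENCE claims (tag + length bytes + content)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded body does not start with an ASN.1 SEQUENCE (0x30)")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def normalize_pem(text: str) -> str:
    """Strip whitespace from every line, verify markers and base64 body, check
    the DER length against the decoded size, and re-wrap at 64 columns."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("file must start with %s and end with %s" % (BEGIN, END))
    body = "".join(lines[1:-1])
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid base64: %s" % exc)
    if der_declared_length(der) != len(der):
        raise ValueError("DER length does not match decoded size (truncated paste?)")
    wrapped = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([BEGIN, *wrapped, END]) + "\n"


def is_valid_pem(text: str) -> bool:
    """True when normalize_pem accepts the text."""
    try:
        normalize_pem(text)
        return True
    except ValueError:
        return False


# Constructed sample: a DER SEQUENCE holding INTEGER 5 (not a certificate),
# pasted with the indentation and trailing spaces Notepad or mail clients add.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PASTED = "   " + BEGIN + "  \n\t" + SAMPLE_B64 + "  \n  " + END + " \n"
```

Running `normalize_pem(SAMPLE_PASTED)` returns the cleaned block; a missing END line, a body cut short mid-paste, or a tab inside the base64 all raise ValueError instead of silently producing a .crt that Windows rejects.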