Marriott Enrollment Server for Web User Guide V1.4 Page 1 of 26
Table of Contents

  Prerequisites ... 3
    Administrative Access ... 3
    RNACs ... 3
    Supported Browsers ... 3
  Downloading Using Internet Explorer ... 4
    SSL Browser Certificate Request - IE ... 4
    SSL PKCS#10 Certificate Request - IE ... 6
  Downloading Using Firefox ... 8
    SSL Browser Certificate Request Using Firefox ... 8
    SSL PKCS#10 Certificate Request - Using Firefox ... 11
  Downloading CA Signer Certificates ... 14
    Download Subordinate CA Certificate ... 14
  Exporting Certificates via Internet Explorer ... 16
  Exporting Certificates via Firefox ... 20
  Troubleshooting FAQ ... 23
  Common SSL Conversion Commands ... 26
    Convert PFX/P12 to PEM ... 26
    Convert PEM to DER ... 26
    Import P12 into JKS using Keytool ... 26
Prerequisites

Administrative Access

The user who will be downloading the certificates must be logged into a machine with an account that has administrative privileges on that machine.

NOTE: Please do not attempt to download certificates while logged into a Terminal Server session. The default group policies on the terminal server do NOT allow you to download certificates.

RNACs

All Marriott-issued certificates are downloaded using RNACs (Reference Number and Authorization Codes). These are one-time-use codes, are provided by a PKI Administrator and are valid for 30 days after issuance. Should the RNACs expire before you have attempted to download your certificate, new RNACs will need to be requested. All RNACs are requested through Marriott's Request Center PKI Certificate Request service.

Supported Browsers

Entrust Authority Enrollment Server for Web is supported on the following Web browsers:
  - Microsoft Internet Explorer 7.x, 8.x, 9.x and 10.x
  - Mozilla Firefox 2.x, 3.x, 4.x, 5.x, 6.x, 7.x, 8.x, 9.x, 10.x, 11.x, 12.x and 13.x
Downloading using Internet Explorer

SSL Browser Certificate Request - IE

This section goes over how to download and activate your (Unmanaged) SSL Browser certificate using Internet Explorer. Should you need to download a (Unmanaged) SSL PKCS#10 certificate using Internet Explorer 6, please proceed to the next section, SSL PKCS#10 Certificate Request - IE.

Please ensure that you use the correct ESWeb site based on the environment, otherwise your request will fail.
  - For Production certificates, please go to: https://esweb.marriott.com
  - For Development/Test/Perf certificates, please go to: https://eswebdev.marriott.com

Follow the steps below to activate and download your SSL certificate:
  1. Click Create SSL Browser Certificate (unmanaged).
  2. Enter your Reference Number and your Authorization Code provided from Request Center.
  3. Leave the next two fields at their default values:
       o CSP Type: RSA full
       o CSP: Microsoft Enhanced Cryptographic Provider v1.0
  4. Choose Submit Request.
  5. Choose YES.
  6. Choose OK.
  7. Choose YES.
  8. Choose YES.

You have successfully retrieved your browser certificate into Internet Explorer. This certificate can be used to securely identify yourself to our web servers, and to conduct private, encrypted communication over the internet.

Exit out of your browser session.
SSL PKCS#10 Certificate Request - IE

This section goes over how to download and activate your (Unmanaged) SSL PKCS#10 certificate. Should you need to download a (Unmanaged) SSL Browser certificate, please proceed to the previous section, SSL Browser Certificate Request - IE.

Please ensure that you use the correct ESWeb site based on the environment, otherwise your request will fail.
  - For Production certificates, please go to: https://esweb.marriott.com
  - For Development/Test/Perf certificates, please go to: https://eswebdev.marriott.com

Follow the steps below to activate and download your SSL PKCS#10 SERVER certificate. This is a two-part process.

Part 1
  1. Click "Create a SSL Certificate from a PKCS#10 Request".
  2. Enter your Reference Number and your Authorization Code provided or noted from Request Center.
  3. Minimize this window for now (you will need to copy the actual CSR request into the bottom half of this screen to complete the request).

Part 2
  1. Generate your CSR (Certificate Signing Request) on your web server.

     NOTE: When you create your CSR, you will need to put your REFERENCE NUMBER given to you in Request Center in the CN (Common Name) field when prompted. Failure to do this will result in the certificate download failing.

  2. Once the CSR is completed, open the CSR file and copy the actual CSR request, including the BEGIN and END lines (see below), and paste it into the bottom half of the original request form. It should look similar to this:

     -----BEGIN NEW CERTIFICATE REQUEST-----
     MIIBEzCBzgIBADB7MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
     YTEQMA4GA1UEBxMHT2FrbGFuZDEbMBkGA1UEChMSQzJOZXQgU29mdHdhcmUg
     SW5jMRAwDgYDVQQLEwdUZXN0aW5nMRYwFAYDVQQDEw1nYWJiZXIuYzIubmv0
     MEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxAJukoQhq4LanG2k+LnRTGJAcgv9L
     JPsdfCsjqRs8ygoyaw4ucOEdx+WdnM0x36NcQIDAQABMA0GCSqGSIb3DQEBB
     AUAAzEABRLR6IkG70oNG1MnvuMDeWou4kIvc98ysjssCNKsDKsHAXBSEbfsI
     Qs5JRNagVBW
     -----END NEW CERTIFICATE REQUEST-----

     Your request should look similar to the one shown below.

  3. Leave your OPTIONS set to display the certificate in raw DER. Then choose SUBMIT REQUEST to complete your activation and retrieval of your SSL WEB SERVER certificate.

At this point you have two options:
  1. Save the .bin file and then copy it to your web server. You can then rename the file (it can be safely renamed to .der, .cer, or .crt) and install the certificate on your web server.
  2. Your certificate will be displayed on the web page in PEM format. You can copy this into Notepad, save it as .pem, then copy it to your server to be installed.

Congratulations!! You're done.
Downloading using Firefox

SSL Browser Certificate Request Using Firefox

This section goes over how to download and activate your (Unmanaged) SSL Browser certificate using Firefox.

Please ensure that you use the correct ESWeb site based on the environment, otherwise your request will fail.
  - For Production certificates, please go to: https://esweb.marriott.com
  - For Development/Test/Perf certificates, please go to: https://eswebdev.marriott.com

Follow the steps below to activate and download your SSL certificate:
  1. Click Create SSL Browser Certificate.
  2. Enter your Reference Number and your Authorization Code provided or noted from Request Center.
  3. Choose Submit Request.
  4. Choose the desired Key Length. 1024 (Medium Grade) is the default; should you desire, you can choose 2048 (High Grade).
  5. Lastly, choose Submit Request.

     NOTE: If this is the first time you've downloaded certificates from this website to your terminal server session or local profile, you will need to enter a new Software Security Device password. Once you've entered your designated password, choose OK to continue. Please keep this password somewhere safe but accessible.

  6. A "Generating A Private Key" window will appear temporarily.
  7. Within the Downloading Certificate window, check all three boxes and then choose OK to continue.
  8. Choose OK.

You will now be presented with the successful retrieval message. Your client certificate and the MarriottSubCA1 signer certificate are now in your Firefox certificate/browser store.
SSL PKCS#10 Certificate Request - Using Firefox

This section goes over how to download and activate your (Unmanaged) SSL PKCS#10 certificate using Firefox 2.0.

Please ensure that you use the correct ESWeb site based on the environment, otherwise your request will fail.
  - For Production certificates, please go to: https://esweb.marriott.com
  - For Development/Test/Perf certificates, please go to: https://eswebdev.marriott.com

Follow the steps below to activate and download your SSL WEB SERVER certificate. This is a two-part process.

Part 1
  1. Click "Create a SSL Certificate from a PKCS#10 Request".
  2. Enter your Reference Number and your Authorization Code provided or noted from Request Center.
  3. Minimize this window for now (you will need to copy the actual CSR request into the bottom half of this screen to complete the request).

Part 2
  1. Generate your CSR (Certificate Signing Request) on your web server.

     NOTE: When you create your CSR, you will need to put your REFERENCE NUMBER given to you in Request Center in the CN (Common Name) field when prompted. Failure to do this will result in the certificate download failing.

  2. Once the CSR is completed, open the CSR file and copy the actual CSR request, including the BEGIN and END lines (see below), and paste it into the bottom half of the original request form. It should look similar to this:

     -----BEGIN NEW CERTIFICATE REQUEST-----
     MIIBEzCBzgIBADB7MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
     YTEQMA4GA1UEBxMHT2FrbGFuZDEbMBkGA1UEChMSQzJOZXQgU29mdHdhcmUg
     SW5jMRAwDgYDVQQLEwdUZXN0aW5nMRYwFAYDVQQDEw1nYWJiZXIuYzIubmv0
     MEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxAJukoQhq4LanG2k+LnRTGJAcgv9L
     JPsdfCsjqRs8ygoyaw4ucOEdx+WdnM0x36NcQIDAQABMA0GCSqGSIb3DQEBB
     AUAAzEABRLR6IkG70oNG1MnvuMDeWou4kIvc98ysjssCNKsDKsHAXBSEbfsI
     Qs5JRNagVBW
     -----END NEW CERTIFICATE REQUEST-----

     Your request should look similar to the one shown below.

  3. Leave your OPTIONS set to display the certificate in raw DER. Then choose SUBMIT REQUEST.

You will now see a screen that contains your web server certificate in PEM format. At this point you have two options:
  1. Copy this PEM certificate (including the BEGIN and END CERTIFICATE lines) into Notepad and save it as .pem. This can then be copied to your server to be installed, OR
  2. Choose the DOWNLOAD button.
       a. Choose Save to Disk, then OK.

     Your servercert.bin file is now on your desktop and ready for you to transfer to your web server.

     NOTE: You can safely rename it to .der, .cer, or .crt, then install the certificate on your web server.

Congratulations!! You're done.
Downloading CA Signer Certificates

Download Subordinate CA Certificate

Since our environment is set up with an online Subordinate CA and an offline Root CA, you will also need to download the Subordinate CA's certificate. To do this, on the left-hand side of the website, under CA Certificates, click on Install SubCA x509.

NOTE: During the certificate download process, the Root CA Signer certificate should automatically be downloaded into your browser store. If you don't see it there, you can manually download it by choosing Install RootCA x509.

  1. Choose Open.
  2. Choose Install Certificate.
  3. Choose Next.
  4. Choose Next.
  5. Choose Finish.
  6. Choose OK.
Exporting Certificates via Internet Explorer

ONLY APPLIES TO UNMANAGED CERTIFICATES

  1. Go to TOOLS > INTERNET OPTIONS in your Internet Explorer browser.
  2. Select the CONTENT tab, and then CERTIFICATES.
  3. Select the appropriate certificate, and then EXPORT.
  4. Choose NEXT.
  5. Choose "Yes, export the private key".
  6. Select "Include all certificates in the certification path if possible" and "Enable strong protection".
  7. Enter a password for the private key twice and choose NEXT to continue.

     NOTE: Please make sure to remember this password; otherwise, you will have to repeat the export process out of Internet Explorer again.

  8. Type in a file name or browse to a specific directory on your system.
  9. Confirm the information is correct, and select Finish (or Back if changes are necessary).
  10. Select OK.

Finally, a successful export message should appear.
Exporting Certificates via Firefox

ONLY APPLIES TO UNMANAGED CERTIFICATES

  1. Open your Firefox browser, then go to TOOLS > OPTIONS > ADVANCED.
  2. Choose VIEW CERTIFICATES to open your Certificate Manager.
  3. Under CERTIFICATE NAME, locate the certificate you wish to export, highlight it, then choose BACKUP.
  4. Choose a file name and location to save your exported .pkcs12 file, then choose SAVE.
  5. You will now be prompted for the Software Security Device password that you created in the previous step. Enter the password and choose OK to continue.
  6. You will now need to assign a new password for the private key that you are backing up or exporting. Enter the password twice and choose OK to continue. Please keep this password somewhere safe but accessible, as you will need it in order to IMPORT the file into your respective end key store on your server.

     NOTE: The password quality meter will tell you how strong your password is. The fuller the bar, the stronger the password and the less likely it is to be compromised. Please take this into consideration when choosing a password.

  7. You have now successfully exported your certificate. Choose OK to exit.
Troubleshooting FAQ

Problem: When attempting to download the certificate, you get the following error:
  The error 80090024 occurred. Your certificate request could not be generated. No key pair has been created by the CSP. Please make sure that you have the latest patches for this browser. See your administrator for details. Please contact your administrator for details.
Reason(s):
  - You are logged into a machine on which you do not have administrative access.
  - You are logged into a terminal server that does not allow certificate downloads.
Solution:
  - Log into a local machine with an administrator account and retry your download.

Problem: When attempting to download the certificate, you get the following error:
  CMS-API call failure. Please contact your administrator for details.
Reason(s):
  - You are using the wrong ESWeb site.
  - You've entered your RNACs incorrectly.
  - Your RNACs have expired or have already been used.
Solution:
  - For production certificates, go to: https://esweb.marriott.com
  - For dev, test and perf certificates, go to: https://eswebdev.marriott.com
  - Confirm that your RNACs are correct (make sure there are no extra spaces before or after the codes).
  - Check to ensure your RNACs are still valid. If not, request new RNACs.

Problem: When attempting to download the certificate, you get the following error:
  An error has occurred: (-3274) Security protocol failure. Please contact your administrator for details.
Reason:
  - The RNACs issued to you have become corrupted.
Solution:
  - Request new RNACs.

Problem: When attempting to download the certificate, you get the following error:
  An error has occurred: Invalid reference number was provided. Please contact your administrator for details.
Reason:
  - The Reference Number you have entered is not valid or has already been used.
Solution:
  - Verify that your RNACs are correct.
  - Request new RNACs in the event your previous RNACs were already used.

Problem: When attempting to download the certificate, you observe the following scenario:
  Instead of seeing a certificate in your browser keystore (client certificate) or being prompted to save a .bin file (server certificate), you are prompted to save a client.cgi file.
Reason:
  - You have attempted to download your certificate using an unsupported browser.
Solution:
  - Request new RNACs via the PKI Request Center service and download your certificate using a supported browser.

Problem: When attempting to download the certificate, you observe the following error:
  Server certificate request not specified or invalid. Please contact your administrator for details.
Reason:
  - You have attempted to download your certificate using an unsupported browser.
Solution:
  - Request new RNACs via the PKI Request Center service and download your certificate using a supported browser.
Common SSL Conversion Commands

Convert PFX/P12 to PEM

Convert a PKCS#12 file (.pfx, .p12) containing a private key and certificates to PEM:

  openssl pkcs12 -in keystore.pfx -out keystore.pem -nodes

You can add -nocerts to output only the private key, or add -nokeys to output only the certificates. Note that -nodes writes the private key unencrypted, so restrict access to the output file.

  openssl pkcs12 -in keystore.pfx -out privatekey.pem -nodes -nocerts
  openssl pkcs12 -in keystore.pfx -out cert.pem -nodes -nokeys

Convert PEM to DER

Convert a PEM file to DER:

  openssl x509 -outform der -in certificate.pem -out certificate.der

Import P12 into JKS using Keytool

The command keytool -pkcs12 lists options to import a PKCS12 key. The keystore password for the (*.jks) file should be the one used for the J2EE keystore. The command for the conversion is:

  keytool -pkcs12 -pkcsfile filename -pkcskeystorepass password -pkcskeypass password -jksfile outputfilename -jkskeystorepass password

This will result in a JKS file that holds the key (the private key and the certificate chain).
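The PKCS#10 sections above ask you to paste a CSR or save a certificate "including the BEGIN and END lines", and this section converts between the PEM and raw DER (.bin/.der/.cer) forms. The following is an added example, not part of the Marriott guide, that does the same PEM/DER conversion in standard-library Python and rejects the common copy-and-paste failures (missing END line, mismatched labels, truncated body) by checking that the decoded bytes form exactly one DER SEQUENCE. The function names and the sample DER blob are constructed for this example.

```python
import base64
import re
from typing import Tuple

# One PEM block: BEGIN line, base64 body (possibly wrapped), END line.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S
)

def check_der_sequence(der: bytes) -> int:
    """Verify that der is exactly one DER SEQUENCE; return its content length."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (first byte must be 0x30)")
    first = der[1]
    if first < 0x80:              # short form: the byte is the length
        hdr, length = 2, first
    else:                         # long form: 0x80|n, then n big-endian length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("malformed DER length field")
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if hdr + length != len(der):
        raise ValueError(f"DER declares {length} content bytes, {len(der) - hdr} present")
    return length

def pem_to_der(pem: str) -> Tuple[str, bytes]:
    """Return (label, der) for a pasted PEM block, rejecting incomplete copies."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no complete PEM block: BEGIN or END line is missing")
    begin, body, end = m.groups()
    if begin != end:
        raise ValueError(f"BEGIN/END labels differ: {begin!r} vs {end!r}")
    # Drop line wrapping; validate=True rejects any stray non-base64 character.
    der = base64.b64decode("".join(body.split()), validate=True)
    check_der_sequence(der)
    return begin, der

def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap a raw DER file (the guide's .bin/.der/.cer) as a PEM block."""
    check_der_sequence(der)
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample, not a real certificate: a 131-byte SEQUENCE with a
# long-form length (0x81 0x80) wrapping a 126-byte OCTET STRING.
SAMPLE_DER = b"\x30\x81\x80" + b"\x04\x7e" + b"A" * 126
```

Round-tripping `SAMPLE_DER` through `der_to_pem` and `pem_to_der` returns the identical bytes; feeding `pem_to_der` a paste that lacks its END line raises ValueError instead of silently producing a truncated file.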