Novell ichain
Guide to Installing Root Certificates, Generating CSR and Installing SSL Certificate

Copyright. All rights reserved.

Trustis Limited
Building 273, New Greenham Park, Greenham Common, Thatcham RG19 6HN
E: info@trustis.com
W: www.trustis.com
Registered in England No: 03613613
Table of Contents

1 Introduction
2 Install Root and Intermediate CA (AND SSL SERVER) Certificates
3 Certificate Signing Request (CSR) Generation
4 Installing your SSL Server Certificate

T-0104-003-AP-012 Novell i-chain - V0.1.docx
1 Introduction

This document gives instructions for installing the Root and Intermediate certificates, generating your CSR, and installing your certificate.

2 Install Root and Intermediate CA (AND SSL SERVER) Certificates

Before you proceed with this section, you need to have obtained your SSL Server certificate, because the same install process handles both the CA certificates and the SSL Server certificate. Therefore complete sections 3 and 4 and then return here to complete the certificate install process.

1. Download the PEM format Bundled CA certificate file (full CA chain) found at http://www.trustis.com/pki/healthcare/ops/healthcarett-chain-pem.txt
2. Open ConsoleOne and open the ICS container for the ichain server.
3. Open the certificate.
4. Select the 'Certificates' tab and press the "Import" button.
5. Click 'Read from file' and browse to the PEM format Bundled CA certificate file (full CA chain) downloaded previously. Press 'Next'.
6. Click 'Read from file' and browse to the new SSL server certificate file created earlier (e.g. myserver.cert) or paste its contents into the window supplied.
7. Click 'Finish' to install the certificate.

You may get an error stating that the subject in the certificate does not match the subject in the object (CSR). This may be due to additional OUs in the certificate. Accept the certificate anyway.

If a validation is attempted on the certificate in ConsoleOne it will produce an error stating 'Unable to validate the certificate chain to a root certificate'.

1. On the ichain server click 'Apply'. The certificate will be installed but will display an error stating '-1240 Certificate failed parsing - may need external certificate'.
2. Open the accelerator for the web site. The 'Certificate' drop down item in the Secure Exchange portion will now have the certificate available. Select the new certificate, click OK and then press 'Apply'.

When the Management display is refreshed the website will be secured with the new certificate.
3 Certificate Signing Request (CSR) Generation

Start the ichain Management: http://yourichain:1959/appliance/config.html

Select the Home-Certificate Maintenance panel.

Select Create to create the CSR.

Enter the following fields:

Certificate name - Any alphanumeric name as long as it is unique
Subject name - The fully qualified domain name of the site that is to be secured
Signature algorithm - select RSA encryption with SHA-1 hash
RSA Key size - use 2048 bits ONLY
Select 'Use external certificate authority'
Organization - The organisation that owns the web site
    Note: Entering spaces may cause problems
City - enter your city
    Note: Entering spaces may cause problems
State/Province - UK based installations can use a County
    Note: Entering spaces may cause problems
Country - enter GB

Select OK. The Certificate Maintenance panel will now look like this:

[Screenshot: Certificate Maintenance panel]

Select Apply to generate the CSR. When it is ready the Status will indicate "CSR in Progress".
When you select 'View the CSR', you should see the full certificate request in a browser window. Select and save all text in a file (e.g. mycsr.txt) that you will later use in the enrolment web form.
4 Installing your SSL Server Certificate

The first part of the installation of your SSL certificate is below. Once this is complete, you need to go to Section 2 of this guide and install the certificate as part of the installation of the Root and Intermediate CA Certificates.

You will receive an email from the Registration Authority when your certificate request has been approved that contains a link to a location where your certificate may be obtained. Clicking on this link will bring up a browser window that contains the details of your issued certificate and includes a section that looks something like the following:

-----BEGIN CERTIFICATE-----
MIAGCSqGSIb3DQEHAqCAMIACAQExADALBgkqhkiG9w0BBwGggDCCAmowggHXAhaf
UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAUAMF8xCzAJBgNVBAYTAlVTMSAw
(...)
E+cFEpf0WForA+eRP6XraWw8rTN8102zGrcJgg4P6XVS4l39+l5aCEGGbauLP5W6
K99c42ku3QrlX2+KeDi+xBG2cEIsdSiXeQS/16S36ITclu4AADEAAAAAAAAA
-----END CERTIFICATE-----

Copy everything you see between and including the lines that look like -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and paste it into an appropriately named text file, e.g. myserver.cert

Now to complete the installation, go to SECTION 2 and install the certificate as part of the installation procedure for the Root and Intermediate CA Certificates.
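An added example, not part of the Trustis guide: a Python check for the file saved in this step (or for the downloaded CA chain bundle) that catches copy-and-paste damage before the import in Section 2. It confirms that each BEGIN/END block decodes as base64 and that the outer ASN.1 length matches the decoded size, accepting the indefinite-length BER form that the sample block above begins with. The function names and the sample input are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def outer_length_ok(der):
    """Compare the outer ASN.1 SEQUENCE header with the decoded byte count."""
    if len(der) < 4 or der[0] != 0x30:
        return False
    first = der[1]
    if first == 0x80:                    # BER indefinite length
        return der[-2:] == b"\x00\x00"   # must close with end-of-contents
    if first < 0x80:                     # short form: length in one byte
        return len(der) == 2 + first
    n = first & 0x7F                     # long form: n length bytes follow
    if n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pem(text):
    """Return one report per BEGIN/END CERTIFICATE block found in text."""
    reports = []
    for body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            reports.append({"ok": False, "reason": "invalid base64"})
            continue
        if not outer_length_ok(der):
            reports.append({"ok": False, "reason": "truncated or not ASN.1"})
            continue
        reports.append({"ok": True, "reason": "",
                        "sha256": hashlib.sha256(der).hexdigest()})
    if text.count("-----BEGIN CERTIFICATE-----") != len(reports):
        reports.append({"ok": False, "reason": "BEGIN without matching END"})
    return reports

def to_pem(der):
    """Wrap bytes in certificate PEM armour (used for the sample below)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

# Constructed sample: a well-formed outer SEQUENCE, not a real certificate.
SAMPLE = to_pem(b"\x30\x82\x01\x00" + bytes(256))

if __name__ == "__main__":
    for report in check_pem(SAMPLE):
        print(report)
```

The SHA-256 value in each report can be compared with a fingerprint obtained from the CA through a separate channel, which is worth doing here because the chain bundle is downloaded over plain HTTP.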