IIS Registry EPP Information
IIS EPP v3
Create Certificate for IIS EPP v3
Last saved: November 17, 2015
List of contents

1 Introduction
1.1 This document
1.2 Abbreviations & Definition of words
1.3 References
1.4 About IIS
2 Certificates
2.1 Valid Certificate
2.2 Problems during upload
2.3 Browser
2.4 Master password
2.5 Sensitive information
3 Acquiring a Verisign/Symantec Email Certificate
4 Acquiring a GeoTrust Email Certificate
5 Acquiring a GlobalSign Email Certificate
6 Acquiring a CACert Email Certificate
6.1 Create user and verify email
6.2 Create Certificate
7 Acquiring a Thawte Email Certificate
8 Export and create a certificate file from Firefox
9 Export and create a certificate file from IE
10 Convert the file to pem format
11 Acquiring a Verisign SecureSite SSL Certificate
12 Acquiring a GeoTrust QuickSSL Premium SSL Certificate
13 Acquiring a GlobalSign DomainSSL SSL Certificate
14 Acquiring a Thawte SSL123 SSL Certificate
15 Acquiring a Comodo SSL Certificate
16 Test connection to IIS EPP test server
16.1 Remove root certificate from pem file
16.2 Test connection email certificate
16.3 Test connection SSL certificate

List of figures

Figure 1: Firefox Security Preferences
Figure 2: Firefox Password
Figure 3: Firefox password require window
Figure 4: VeriSign main page
Figure 5: Verisign Product Page
Figure 6: VeriSign Digital Ids for Secure Email page
Figure 7: VeriSign enrolment page
Figure 8: GlobalSign main page
Figure 9: GlobalSign Products page
Figure 10: GlobalSign - Personal Digital ID's page
Figure 11: GlobalSign Select region page
Figure 12: GlobalSign Select category page
Figure 13: GlobalSign Select product Page
Figure 14: FireFox Advanced Preferences
Figure 15: FireFox View Certificate page
Figure 16: FireFox Master Password question
Figure 17: FireFox pkcs12 password page
Figure 18: successfully backed up
Figure 19: IE Internet Options page
Figure 20: Certificate page
Figure 21: Certificate Export Wizard
Figure 22: Export file format
Figure 23: Password page
Figure 24: IE File name
Figure 25: IE Completing the Certificate Export Wizard
Figure 26: VeriSign/Symantec main page
Figure 27: VeriSign/Symantec SSL page
Figure 28: VeriSign/Symantec SSL Product page
Figure 29: VeriSign/Symantec Level of Security page
Figure 30: VeriSign/Symantec SSL signup page
Figure 31: Geotrust main page
Figure 32: Geotrust SSL page
Figure 33: Globalsign main page
Figure 34: GlobalSign SSL page
Figure 35: GlobalSign Select Region page
Figure 36: Thawte main page
Figure 37: Thawte buy certificate page
Figure 38: Thawte Certificate Center options page
Figure 39: Comodo main page, products
Figure 40: Comodo SSL Certificate Page
Figure 41: Comodo Select SSL terms page
1 Introduction

1.1 This document

This document is meant to give a brief overview of how to order, convert and use a certificate for the EPP communication with the IIS EPP Servers, both .nu and .se. The document also describes how to use this certificate to make a test connection to the EPP Server. Some of the examples talk about the IIS EPP server, but the same procedure and certificates can be used for both EPP Servers (.se and .nu). Please note that the images and the described order procedures in this document may vary from the actual ones on each provider's website. This document is only supposed to be a guidance on how to proceed.

1.2 Abbreviations & Definition of words

EPP: Extensible Provisioning Protocol, an XML text protocol that permits multiple service providers to perform object provisioning operations using a shared central object repository [1].

1.3 References

[1] Extensible Provisioning Protocol (EPP), IETF RFC 5730.

1.4 About IIS

IIS (The Internet Foundation in Sweden) is responsible for the Internet top-level domain for Sweden. As the central registry, IIS manages domain name registrations and the administrative and technical operation of the national domain name system for .se and .nu. IIS is an independent non-profit organisation, supporting the positive development of the Internet in Sweden. Through the IIS Internet Fund, the Foundation annually donates means to projects supporting the development and utilisation of the Internet. For more information, please see: www.iis.se/english/
2 Certificates

2.1 Valid Certificate

As of EPP Server Version 3 the user is required to use a certificate for logging in and performing EPP commands. For the new system we will support the following certificate issuers:

- VeriSign (Secure Site SSL certificates)
- Symantec Email Certificate (previously Verisign Email certificate)
- GeoTrust (e-mail and Quick SSL and Quick SSL Premium certificates. Certificates issued by RapidSSL are not supported, although they are owned by GeoTrust)
- GlobalSign (e-mail and Domain SSL certificates)
- Thawte (only SSL123 SSL certificates)
- CACert (www.cacert.org)
- Comodo SSL Certificate

The cheapest certificate you can use is an Email or Digital Signing Certificate. This is not easily found at the different issuers, so we will try to guide you through the procedure later in this document.

Observe! We do support the Comodo SSL certificate, but Comodo's email certificate will not work, as it is not designed to be used for an SSL connection, only for email signing and verification.

2.2 Problems during upload

If you have a certificate issued by one of the companies above but still can't upload the certificate through the web interface, it might be due to problems with root certificates. In this case please send an e-mail to registry@iis.se with the following information:

- Name of the certificate issuer
- Type of certificate you are using (SSL or e-mail certificate) and the name of the certificate you are using, for instance Quick SSL, Domain SSL, SSL 123 or any other name if that's the case
- The certificate you have tried to upload, in .pem format
- Your technical contact person
- Phone number of your technical contact person
2.3 Browser

As there are some problems with installing and handling certificates in Microsoft Internet Explorer, the strong recommendation is that you use the Mozilla Firefox browser to acquire and upload your certificate.

2.4 Master password

To protect your sensitive information and to enable you to install S/MIME Certificates, you can use a master password to encrypt and protect the sensitive information stored in Firefox. This is also required to install an S/MIME certificate. If you have not done this before you should enable it now.

2.4.1 Setting a master password

Using a master password is not selected by default; you will need to set one. You do this via Edit, then Preferences, then Security:

Figure 1: Firefox Security Preferences

You then click on Use a Master Password. Firefox will then pop up a password window:
Figure 2: Firefox Password

Make sure that you are able to remember or otherwise retrieve the master password you choose.

2.4.2 Using Master Password

When you have set a master password you will get a password popup when you start Firefox and it has to do something with the protected information, like logging in to a website with stored passwords or using one of your Certificates.

Figure 3: Firefox password require window

2.5 Sensitive information

Note that the certificate files are sensitive information: they contain security information, should be treated as such and should be stored in a secure way. The examples in this document talk about /tmp, but that is just used as an example and should never be used in a production environment.
3 Acquiring a Verisign/Symantec Email Certificate

To get a certificate from VeriSign (now labelled Symantec) to use with the IIS EPP server you start by going to the VeriSign main page (http://verisign.com).

Figure 4: VeriSign main page

Then select Products:

Figure 5: Verisign Product Page
Then select (from Products) Digital IDs for Secure Email.

Figure 6: VeriSign Digital Ids for Secure Email page

Here you can click on the Buy Online link. A window will then pop up where you fill in the necessary information to purchase a certificate. The first part is to select browser:

Figure 7: VeriSign enrolment page

You go through the enrolment process here and fill in all the information, including the payment information. When this is done you will get an email to the email address you specified.
IMPORTANT - INSTALLATION INSTRUCTIONS FOR YOUR NEW VERISIGN DIGITAL ID
------------------------------------

Dear VeriSign Digital ID Holder:

Thank you again for choosing a Digital ID from VeriSign designed to provide the best S/MIME email security for encrypting and digitally signing documents online.

To complete setup and installation of your VeriSign Digital ID, please follow the instructions below. You must use the same computer you used to begin the process.

1. Please copy your Digital ID PIN number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

2. Go to VeriSign's secure Digital ID Center https://digitalid.verisign.com/enrollment/nspickup.htm

3. Paste (or enter) your Digital ID PIN where requested, then select the Submit button to install your Digital ID.

Your VeriSign Digital ID is now installed on your machine and is ready for use to encrypt and digitally sign documents online.

Please feel free to visit our Frequently Asked Questions (FAQs) if you have additional questions at https://knowledge.verisign.com/support/digital-id-support/index.html or contact us at idsupport@verisign.com

Thank you again for choosing the VeriSign Digital ID, the best in class PKI for secured encryption and signing.

VeriSign Customer Support
ID-support@verisign.com

You then follow the link to download and install your certificate.
4 Acquiring a GeoTrust Email Certificate

GeoTrust doesn't provide an email certificate anymore, so how to acquire this kind of certificate cannot be described. However, you may be able to use the GeoTrust QuickSSL Premium SSL certificate, see chapter 12 in this document.
5 Acquiring a GlobalSign Email Certificate

To get a certificate from GlobalSign to use with the IIS EPP server you start by going to the GlobalSign main page (http://www.globalsign.com).

Figure 8: GlobalSign main page

Then select Products.

Figure 9: GlobalSign Products page

Then click on the link S/MIME Certificates.
Figure 10: GlobalSign - Personal Digital ID's page

Then click on the How to Buy link for the Secure Email (the first button).

Figure 11: GlobalSign Select region page

Then you need to select the region for your purchase.
Figure 12: GlobalSign Select category page

Then select the category (Consumer).

Figure 13: GlobalSign Select product Page

Select the PersonalSign 1 certificate (you can select multiple years later if you like). This will now take you through the ordering process.
When you have created your request for a certificate you will receive an email with instructions on how to approve the order. This is to verify that the email address is okay.

Dear Customer,

An application for a PersonalSign 1 Certificate has been placed with GlobalSign for xxx@xxx.com (-) and Order ID XXXXXXXXXX.

In order for GlobalSign to issue the Certificate, the email address must be validated. Please follow the below link to choose to APPROVE or NOT APPROVE the application. Only if you approve the application will the Certificate be issued.

https://regist.globalsign.com/ra/arrivalmailapproval/arrivalmailapproval/arrivalmailapproval.do?r=xxxxx&e=7xxx112233&c=8dd69xxxxx261489bad8fad411aaf7d8b8bb3

Make sure your browser address bar contains the complete unbroken URL.

For your information, the Applicant has provided the following details:
ContactName : XXX XXX
Applicant Email Address : xxx@xxx.com

If you have any questions about this application, please contact us using the details below.

Kind Regards,
GlobalSign Support Team

When you have approved the order you will receive a new email with the download instructions.

--------------------------------------------------
Please note that this e-mail is automatically sent from a noreply mailbox. To contact GlobalSign please use the Contact Details at the foot of this email.
--------------------------------------------------

Dear Xxx Xxxx,

Your PersonalSign 1 Certificate is now ready for collection. Please follow the Pickup & Install instructions below. This email includes details about your order, your account and also how to contact us should you need assistance. We suggest that you keep a copy for future reference.
YOUR ORDER INFORMATION
--------------------------------------------------
Order Number: PC201011011xx3
Product Type: PersonalSign 1 Cert
Common Name: xxx@xxxxx.com
Validity Period: 1 year
Placed by User ID: PAR3xxxx_xxxxxxxx
--------------------------------------------------

HOW TO PICK UP & INSTALL YOUR CERTIFICATE
--------------------------------------------------
You must complete this process on the machine from which you intend to use the Certificate.

* Windows 2000 & XP Users: We recommend you use the Internet Explorer or Firefox browsers.
* Windows Vista Users: We recommend you do NOT use Internet Explorer. Please use Firefox (available free of charge from www.mozilla.com) to complete the process. If you have to use Internet Explorer, please click on the link below for detailed instructions on preparing the browser: www.globalsign.com/support/keygen/microsoft.php

Click on the link below to initiate the Certificate generation and installation process.

https://system.globalsign.com/pc/public/certificate/install.do?p=d46xxxdxccxc73x4x8xb530xbx4x156xxexd5xxc

Make sure the above link is unbroken and complete. Copy and Paste the entire link into your browser if necessary.
You then follow the link to download and install your certificate.
6 Acquiring a CACert Email Certificate

6.1 Create user and verify email

Connect to WWW.CACERT.ORG and click on the "Join the CAcert community" link. You will have to fill in the form with your information. When clicking on the Next button the cacert.org system will send an email to the address you specified. This email contains a link for verification. You have to click/follow that link to verify that you have control over that email address.
Click on the "Yes, verify this email" button. When this is done you have successfully created the user and verified the mail for the cacert.org site.

6.2 Create Certificate

Connect to WWW.CACERT.ORG and click on the Password Login link. Log in using the email address and password you just created. When logged in, click on the Client Certificate link, and then the New link.
Click on the Add checkbox for the email address you just created, and then click on the Next button.
Click on the Create Certificate Request button. This will create the certificate and you can now install it into Mozilla Firefox. Click on the "Click here" link to install the certificate into Mozilla Firefox. When this is done you will get a popup confirmation that the certificate is installed.
7 Acquiring a Thawte Email Certificate

Thawte doesn't provide an Email or Digital Signing Certificate anymore, so how to acquire this kind of certificate cannot be described. However, you may be able to use Thawte's SSL certificate, see chapter 14 in this document.
8 Export and create a certificate file from Firefox

To be able to use the certificate with the V3 EPP server we first need to export it (backup) from Firefox to an external file. This is done by clicking on Edit and then the Preferences menu. Then click on Advanced and then the Encryption tab.

Figure 14: FireFox Advanced Preferences

Then click on the View Certificates button.

Figure 15: FireFox View Certificate page

Select the certificate you just installed (you will probably only have one here), and click on the Backup button. The system will ask for the file name to store the file in. The file suffix .p12 will be added by default. You will be asked for the Master password before you can export the file.
Figure 16: FireFox Master Password question

As the export will export your private key, you will need to set a password for the pkcs12 file.

Figure 17: FireFox pkcs12 password page

When this is done you will get a popup confirmation that the certificate is backed up.

Figure 18: successfully backed up

This is now done and we can go on and convert the file to .pem format.
9 Export and create a certificate file from IE

To be able to use the certificate with the V3 EPP server we first need to export it (backup) from the Internet Explorer Certificate Store to an external file. The export format is pkcs12, but the normal extension for IE is pfx. You can use openssl to convert it to a pem file in the same way as we describe for converting from pkcs12 to pem.

Start by opening up the Internet Options from the menu Tools, Internet Options. Then select the Content tab.

Figure 19: IE Internet Options page

Then click on the Certificates... button.
Figure 20: Certificate page

Select the certificate you just installed (you will probably only have one here), and click on the Export (backup) button.

Figure 21: Certificate Export Wizard

Click on Next.
Figure 22: Export file format

Make sure you have the PKCS #12 option selected, as well as "Include all certificates" and "Enable strong protection".

Figure 23: Password page

As we are exporting the private part as well, we need to specify a password.
Figure 24: IE File name

Select the file name you want to export the file to.

Figure 25: IE Completing the Certificate Export Wizard

If all things are ok, press Finish and the system will create the pfx file for you. You can now convert it to a pem file and upload it to the IIS EPP Server.
10 Convert the file to pem format

To be able to upload the certificate to the EPP server you need to convert the certificate from pkcs12 format to .pem format. We also need to extract only the public key part of it. This is done with the openssl program. The pem file should not contain the root certificate when you send it in to us.

For this example the original file exported/backed up from Firefox is in /tmp/verisign.p12 and the pem file is created in the /tmp/verisign.pem file.

    $ openssl pkcs12 -nokeys -clcerts -in /tmp/verisign.p12 -out /tmp/verisign.pem
    Enter Import Password: XXXXXXXXXXXX
    MAC verified OK
    $

The Import password is the password you used when exporting the pkcs12 file from Firefox. You will now be able to send in the certificate to us. Please send in the pem file and fill in the form so that we can verify the certificate with you.

There are a number of other options for the openssl command. As an example, if you need a pem file with the private part to connect to our EPP server, you could use the following command to create a pem file from the p12 file exported from Firefox:

    $ openssl pkcs12 -clcerts -in /tmp/verisign.p12 -out /tmp/verisign.pem
    Enter Import Password: XXXXXXXXXXXX
    MAC verified OK
    Enter PEM pass phrase: YYYYYYYYYYYY
    Verifying - Enter PEM pass phrase: YYYYYYYYYYYY
    $

If you need to have the certificate in other formats, please consult the man page for openssl.
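As an added example (not part of the IIS guide), the two conversions above wrapped in shell functions that read the PKCS#12 password from a file instead of an interactive prompt or a "pass:..." argument on the command line (the form used in chapter 16.2, which other users of the same machine can read from the process list), followed by the check that matters before the file is mailed to the registry: it must contain exactly one certificate and no private key. The file names and the password-file convention are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the IIS guide. Wraps "openssl pkcs12" so that the
# import password and PEM pass phrase come from files (create them with
# umask 077 so only the owner can read them) rather than from the terminal or
# the command line. File names below are assumptions.

# Public part only: this is the file you send to the registry.
# $1 = exported .p12 file, $2 = file holding its import password, $3 = output .pem
p12_to_cert_pem() {
    openssl pkcs12 -nokeys -clcerts -in "$1" -passin "file:$2" -out "$3"
}

# Certificate plus encrypted private key, the file used for connecting with s_client.
# $1 = .p12, $2 = import password file, $3 = PEM pass phrase file, $4 = output .pem
p12_to_keypair_pem() {
    openssl pkcs12 -clcerts -in "$1" -passin "file:$2" -passout "file:$3" -out "$4"
}

# Returns 0 if the PEM file contains a private key block of any kind
# (RSA PRIVATE KEY, PRIVATE KEY or ENCRYPTED PRIVATE KEY).
pem_has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Number of certificate blocks in a PEM file (prints 0 when there are none).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Run this on the file before sending it to registry@iis.se: refuse anything
# that carries a private key or more than one certificate, then print the
# subject and validity so you can confirm it is the certificate you ordered.
check_upload_pem() {
    if pem_has_private_key "$1"; then
        echo "refusing: $1 contains a private key" >&2
        return 1
    fi
    if [ "$(pem_cert_count "$1")" -ne 1 ]; then
        echo "expected exactly one certificate in $1" >&2
        return 1
    fi
    openssl x509 -in "$1" -noout -subject -dates
}

# Stand-alone use, with the paths from chapter 10 (run with --demo):
#   umask 077; printf '%s' 'XXXXXXXXXXXX' > /tmp/p12.pass
#   p12_to_cert_pem /tmp/verisign.p12 /tmp/p12.pass /tmp/verisign.pem
#   check_upload_pem /tmp/verisign.pem
if [ "${1:-}" = "--demo" ]; then
    p12_to_cert_pem /tmp/verisign.p12 /tmp/p12.pass /tmp/verisign.pem \
        && check_upload_pem /tmp/verisign.pem
fi
```

Keep the pass phrase files in the same protected location as the key material itself; they are as sensitive as the .p12 file, which is why the guide's warning about /tmp in chapter 2.5 applies to them too.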
11 Acquiring a Verisign SecureSite SSL Certificate

To get an SSL certificate from Verisign (now owned by Symantec) to use with the IIS EPP server you start by going to the Verisign main page (http://www.verisign.com).

Figure 26: VeriSign/Symantec main page

Then click on Buy SSL Certificate.

Figure 27: VeriSign/Symantec SSL page

Then select Buy Online in the Next Step frame.
Figure 28: VeriSign/Symantec SSL Product page

Then select the Buy Now button in the Secure Site frame under Individual certificate.

Figure 29: VeriSign/Symantec Level of Security page

Then click on Buy Now for a Secure Site SSL Certificate.
Figure 30: VeriSign/Symantec SSL signup page

Now you need to fill in all the technical details, including payment options. This is done on multiple pages. When you are asked for the CSR, you need to generate one.

Generate a key file:

    openssl genrsa -out mycert.key 2048

Create the csr file:

    openssl req -new -key mycert.key -out mycert.csr

Then cut and paste the content of the mycert.csr file into the CSR field when asked for it. Once the certificate has been signed for you, you will get an Order Confirmation email and then an approved message with the csr file. Alternatively you can log in to the Verisign Trust Center and pick up your certificate from there.
12 Acquiring a GeoTrust QuickSSL Premium SSL Certificate

The GeoTrust certificate we have tested with and know is working is the GeoTrust QuickSSL Premium SSL certificate. To get an SSL certificate from GeoTrust to use with the IIS EPP server you start by going to the GeoTrust main page (http://www.geotrust.com/).

Figure 31: Geotrust main page

Then select (from Buy SSL Certificate) SSL Certificate.
Figure 32: Geotrust SSL page

Then select BUY $149 in the QuickSSL Premium Certificate frame. This will pop up the QuickSSL Premium page. Now you need to fill in all the technical details, including payment options. This is done on multiple pages. When you are asked for the CSR, you need to generate one.

Generate a key file:

    openssl genrsa -out mycert.key 2048

Create the csr file:

    openssl req -new -key mycert.key -out mycert.csr

Then cut and paste the content of the mycert.csr file into the CSR field, and click on Continue. After you have filled in all the information, you will get a confirmation email to the addresses you specified. Once you have approved the certificate request, you will get the email with the signed certificate.
13 Acquiring a GlobalSign DomainSSL SSL Certificate

The GlobalSign certificate we have tested with and know is working is the GlobalSign DomainSSL SSL certificate. To get a certificate from GlobalSign to use with .se's EPP server you start by going to the GlobalSign main page (http://www.globalsign.com/).

Figure 33: Globalsign main page

Then select (from SSL) DOMAIN SSL.

Figure 34: GlobalSign SSL page

Then select BUY NOW in the Domain SSL Certificate frame.
Figure 35: GlobalSign Select Region page

Then select the area (or currency) you want to pay in and press the Select and Continue button. Now you need to fill in all the technical details, including payment options. This is done on multiple pages. When you are asked for the CSR, you need to generate one.

Generate a key file:

    openssl genrsa -out mycert.key 2048

Create the csr file:

    openssl req -new -key mycert.key -out mycert.csr

Then cut and paste the content of the mycert.csr file into the CSR field, and click on Continue. After you have filled in all the information, you will get a confirmation email to the addresses you specified. Once you have approved the certificate request, you will get the email with the signed certificate.
14 Acquiring a Thawte SSL123 SSL Certificate

The Thawte certificate we have tested with and know is working is the Thawte SSL123 SSL certificate. To get a certificate from Thawte to use with the IIS EPP server you start by going to the Thawte main page (http://www.thawte.com/).

Figure 36: Thawte main page

Then select (from BUY CERTIFICATE) Buy SSL Certificate.
Figure 37: Thawte buy certificate page

Then select BUY in the SSL123 column on the Buy Certificate page.

Figure 38: Thawte Certificate Center options page

Then click on the Continue button. Now you need to fill in all the technical details, including payment options. This is done on multiple pages. When you are asked for the CSR, you need to generate one.
Generate a key file:

    openssl genrsa -out mycert.key 2048

Create the csr file:

    openssl req -new -key mycert.key -out mycert.csr

Then cut and paste the content of the mycert.csr file into the CSR field, and click on Continue. After you have filled in all the information, you will get a confirmation email to the addresses you specified. You will have to approve the email by following a link so that Thawte will know you have control over the email and domain. You will then get an email with the signed certificate that you can use.
15 Acquiring a Comodo SSL Certificate

The Comodo certificate we have tested with and know is working is the Comodo SSL certificate. To get a certificate from Comodo to use with the IIS EPP server you start by going to Comodo's main page (http://www.comodo.com/).

Figure 39: Comodo main page, products

Then select (from Products -> SSL Certificate) Comodo SSL.
Figure 40: Comodo SSL Certificate Page

Then select the Get Now Comodo SSL button.

Figure 41: Comodo Select SSL terms page

Then click on the Continue to Step 2 button. Now you need to fill in all the technical details, including payment options. This is done on multiple pages. When you are asked for the CSR, you need to generate one.
Generate a key file:

    openssl genrsa -out mycert.key 2048

Create the csr file:

    openssl req -new -key mycert.key -out mycert.csr

Then cut and paste the content of the mycert.csr file into the CSR field, and click on Continue. After you have filled in all the information, you will get a confirmation email to the addresses you specified. You will have to approve the email by following a link so that Thawte will know you have control over the email and domain. You will then get an email with the signed certificate that you can use.
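The key and CSR steps are the same in chapters 11 to 15. As an added example (not part of the IIS guide), here they are run non-interactively, with the two checks worth doing before the CSR is pasted into an issuer's order form: that the request verifies, and that the public key inside it really belongs to the private key you keep, since that is the key the EPP connection will later be made with. The subject string, directory and file names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the IIS guide. Same two openssl commands as in the
# chapters above, with the subject given on the command line instead of at the
# prompts. Paths and the example subject are assumptions.

# $1 = directory for the key pair
# $2 = X.509 subject, for example "/C=SE/O=Example Registrar AB/CN=epp.example.se"
make_csr() {
    umask 077                      # the key file is sensitive: owner-readable only
    openssl genrsa -out "$1/mycert.key" 2048 2>/dev/null
    openssl req -new -key "$1/mycert.key" -subj "$2" -out "$1/mycert.csr"
}

# Returns 0 when the CSR's self-signature verifies and the public key in the
# CSR matches the private key in mycert.key (same RSA modulus).
check_csr() {
    openssl req -in "$1/mycert.csr" -noout -verify >/dev/null 2>&1 || return 1
    key_mod=$(openssl rsa -in "$1/mycert.key" -noout -modulus)
    csr_mod=$(openssl req -in "$1/mycert.csr" -noout -modulus)
    [ -n "$key_mod" ] && [ "$key_mod" = "$csr_mod" ]
}

# The subject as the issuer will see it; compare it with the order form before paying.
csr_subject() {
    openssl req -in "$1/mycert.csr" -noout -subject
}

# Stand-alone run (./make-csr.sh --demo): generate into a temporary directory,
# check the request and print what will be submitted.
if [ "${1:-}" = "--demo" ]; then
    workdir=$(mktemp -d)
    make_csr "$workdir" "/C=SE/O=Example Registrar AB/CN=epp.example.se"
    check_csr "$workdir" && csr_subject "$workdir"
    cat "$workdir/mycert.csr"
    echo "key and CSR written to $workdir; move the key somewhere permanent and protected"
fi
```

Only mycert.csr is pasted into the issuer's form; mycert.key never leaves the machine, and the signed certificate the issuer returns is only useful together with it, which is why the guide's chapter 16.3 connects with both a .crt and a .key file.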
16 Test connection to IIS EPP test server

This chapter describes how to make a test connection to the IIS EPP test server. In this example we use a certificate from CACert, but it is basically the same procedure for a certificate from any of the other issuers.

16.1 Remove root certificate from pem file

The pem file created contains your private key, your public key and usually the root certificate. To be able to use this for testing against the IIS EPP server with openssl, you will need to edit the file and remove the root certificate. You must have a file with your private key and the public part of your certificate to be able to connect to the EPP server. The file looks something like this ([deleted] means deleted lines):

    Bag Attributes
        friendlyName: CAcert WoT User's Root CA ID #2
        localKeyID: 4E 12 F7 48 75 8B EB 3D F0 50 01 E1 BC 3D 98 80 62 F3 D9 31
    Key Attributes: <No Attributes>
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,F2597A05E925EB79

    GwgsrKG+1fsoUnKDLOVp4w8Xz3FrmU9NqlPnURhhIIQ/Ae0Hr4F7WcWv9/fc/iQG
    NgI5kKSMiPdl39+8+wVT9wGXsszNoXnaCfUfpJrZ7Ej3ijTWhiJ9leQAhTa7pOGz
    -----END RSA PRIVATE KEY-----
    [deleted]
    Bag Attributes
        friendlyName: CA Cert Signing Authority - Root CA
    subject=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
    issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
    -----BEGIN CERTIFICATE-----
    MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290
    omtxjbzcotwcfbluvfuufqb1na5v9frwk9p2rsvztmvd
    -----END CERTIFICATE-----
    [deleted]
    Bag Attributes
        friendlyName: CAcert WoT User's Root CA ID #2
        localKeyID: 4E 12 F7 48 75 8B EB 3D F0 50 01 E1 BC 3D 98 80 62 F3 D9 31
    subject=/CN=CAcert WoT User/emailAddress=jansaell@hotmail.com
    issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
    -----BEGIN CERTIFICATE-----
    MIIFNzCCAx+gAwIBAgIDB5zlMA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jv
    [deleted]
    Q0cVn34ZrqZT5WKHXPKxFSC6TTqNPlat1chk9bacuGztQb226bPOPmL9uw==
    -----END CERTIFICATE-----

The part that needs to be edited out is the middle block, i.e. the following lines:

    Bag Attributes
        friendlyName: CA Cert Signing Authority - Root CA
    subject=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
    issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
    -----BEGIN CERTIFICATE-----
    MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290
    omtxjbzcotwcfbluvfuufqb1na5v9frwk9p2rsvztmvd
    -----END CERTIFICATE-----

Use your preferred editor and remove these lines (the root certificate), save the .pem file and use it to connect to the EPP server.

16.2 Test connection email certificate

You can now use this file and the openssl command to make a test connection. Please note that the example below is for an email certificate issued by CACert.

    openssl s_client -crlf -connect epptestv3.iis.se:700 -key /tmp/cacert.pem -pass 'pass:xxxxxx' -cert /tmp/cacert.pem

16.3 Test connection SSL certificate

To test the connection if you are using an SSL certificate, the openssl command is slightly different, as you normally have a separate crt file and a key file. Below is another example, for an SSL certificate issued by Thawte. In both this and the previous example you must change the path to the file where you have stored your certificate. Cert/thawte/thawte.crt is the crt file you get back from the SSL certificate issuer and Cert/thawte/thawte.key is your key file.

    openssl s_client -connect epptestv3.iis.se:700 -cert Cert/thawte/thawte.crt -key Cert/thawte/thawte.key

You should now get the greeting back from the EPP test server.
The system will reply with the following answer if all works well:

    CONNECTED(00000003)
    depth=0 /C=SE/ST=Stockholm/L=Stockholm/O=Stiftelsen for Internetinfrastrucktur/CN=epptest.iis.se
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /C=SE/ST=Stockholm/L=Stockholm/O=Stiftelsen for Internetinfrastrucktur/CN=epptest.iis.se
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 /C=SE/ST=Stockholm/L=Stockholm/O=Stiftelsen for Internetinfrastrucktur/CN=epptest.iis.se
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/C=SE/ST=Stockholm/L=Stockholm/O=Stiftelsen for Internetinfrastrucktur/CN=epptest.iis.se
       i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIDeTCCAuKgAwIBAgIQMLF0bbTsGDPfu/bWE+CZLzANBgkqhkiG9w0BAQUFADCB
    zjelmakga1uebhmcwkexftatbgnvbagtdfdlc3rlcm4gq2fwztesmbaga1ueBxMJ
    Q2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UE
    CxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhh
    d3rlifbyzw1pdw0gu2vydmvyienbmsgwjgyjkozihvcnaqkbfhlwcmvtaxvtlxnl
    cnzlckb0agf3dguuy29tmb4xdta5mdixmzawmdawmfoxdtewmdixmzizntk1ovow
    fjelmakga1uebhmcu0uxejaqbgnvbagmcvn0b2nrag9sbtesmbaga1uebwwjU3Rv
    Y2tob2xtMS4wLAYDVQQKDCVTdGlmdGVsc2VuIGZvciBJbnRlcm5ldGluZnJhc3Ry
    dwnrdhvymrcwfqydvqqdda5lchb0zxn0lmlpcy5zztcbnzanbgkqhkig9w0baqEF
    AAOBjQAwgYkCgYEAxw0d+/pqrBexKuN6UaK7gySf1RK/mVpfvWZJRg/jx1irvISj
    hdr1qjryv+gznvffvm0r4xotjrzp8tev58jsfqygna8qq6xrt6uq9ah7izberq4r
    j8gxszyv+q4sqbtkqphj4qycq2zpo4pd+owgokgan9jwdlalrdnio7kqzfmcaweA
    AaOBpjCBozAMBgNVHRMBAf8EAjAAMEAGA1UdHwQ5MDcwNaAzoDGGL2h0dHA6Ly9j
    cmwudghhd3rllmnvbs9uagf3dgvtzxj2zxjqcmvtaxvtq0euy3jsmb0ga1udjqQW
    MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUH
    MAGGFmh0dHA6Ly9vY3NwLnRoYXd0ZS5jb20wDQYJKoZIhvcNAQEFBQADgYEAkkjl
    71NM6iwITIsCjh/HDw5pIbWh5MDKCuhgBLdH+Wv+VWeL4kLVsHT66S9f6qaVIVUh
    bihmcvu+dtbmbbqfhv7bxn7h95thau1llzcwk+pxyum0yzamzjzjwah/59qgq2wo
    nukuffbiwseo58wkdi6bfhq9fyvzgd1uc6k48vu=
    -----END CERTIFICATE-----
    subject=/C=SE/ST=Stockholm/L=Stockholm/O=Stiftelsen for Internetinfrastrucktur/CN=epptest.iis.se
    issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1065 bytes and written 1937 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 1024 bit
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES256-SHA
        Session-ID: 8082DD8F41A189006D635CC8CB0CC842480FC13799CB44A9F9D224D290CEE3C8
        Session-ID-ctx:
        Master-Key: 4E9A7C4BE3E754AD058AC3D031D3DF129BADC8FEEC534816C4D99C6A894FDA0CAE22BDACB542A86213DEAFC8EF17A759
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1255955125
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    ---
    <?xml version="1.0" encoding="utf-8" standalone="no"?>
    <epp xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd" xmlns="urn:ietf:params:xml:ns:epp-1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <greeting>
        <svID>epp.iis.se</svID>
        <svDate>2009-10-19T12:11:44.0Z</svDate>
        <svcMenu>
          <version>1.0</version>
          <lang>en</lang>
          <objURI>urn:ietf:params:xml:ns:domain-1.0</objURI>
          <objURI>urn:ietf:params:xml:ns:contact-1.0</objURI>
          <objURI>urn:ietf:params:xml:ns:host-1.0</objURI>
          <svcExtension>
            <extURI>urn:ietf:params:xml:ns:secDNS-1.0</extURI>
            <extURI>urn:se:iis:xml:epp:iis-1.1</extURI>
          </svcExtension>
        </svcMenu>
        <dcp>
          <access>
            <all />
          </access>
          <statement>
            <purpose>
              <prov />
            </purpose>
            <recipient>
              <ours />
              <public />
            </recipient>
            <retention>
              <stated />
            </retention>
          </statement>
        </dcp>
      </greeting>
    </epp>

Please use Ctrl+D to disconnect, as you cannot send EPP frames in this way. This is only to test that the certificate and connection work. The end of the connection reply is the normal EPP server greeting.
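Removing the root certificate as described in chapter 16.1 can be done without hand-editing. As an added example (not part of the IIS guide), the script below uses the "subject=" and "issuer=" lines that openssl pkcs12 writes in front of each certificate: a certificate whose subject equals its issuer is self-signed, which is what the root is, so only that block is dropped while the private key (which has no subject line) and the user certificate are kept. The sample bundle it ships with is constructed in the layout of chapter 16.1 with placeholder bodies, not real key or certificate data; file names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the IIS guide: strip the self-signed root
# certificate from a PEM bundle written by "openssl pkcs12". File names are
# assumptions; the sample bundle is constructed and carries no real key data.

# $1 = bundle as written by "openssl pkcs12"; the cleaned bundle goes to stdout
strip_root_cert() {
    awk '
        /^Bag Attributes/ { buf = ""; subj = ""; iss = "" }   # new bag: start buffering
        /^subject=/       { subj = substr($0, 9) }
        /^issuer=/        { iss  = substr($0, 8) }
        { buf = buf $0 "\n" }
        /^-----END /      {                                   # end of a key or certificate
            if (subj == "" || subj != iss) printf "%s", buf   # keep unless self-signed
            buf = ""; subj = ""; iss = ""
        }
    ' "$1"
}

# Constructed sample in the layout of chapter 16.1: encrypted key, root
# certificate (subject == issuer) and user certificate. Written to file $1.
write_sample_bundle() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: Example User
    localKeyID: 01 02 03 04
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

PLACEHOLDERKEYDATA
-----END RSA PRIVATE KEY-----
Bag Attributes
    friendlyName: Example Root CA
subject=/O=Example Root CA/CN=Example Root
issuer=/O=Example Root CA/CN=Example Root
-----BEGIN CERTIFICATE-----
PLACEHOLDERROOTCERT
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: Example User
    localKeyID: 01 02 03 04
subject=/CN=Example User/emailAddress=user@example.com
issuer=/O=Example Root CA/CN=Example Root
-----BEGIN CERTIFICATE-----
PLACEHOLDERUSERCERT
-----END CERTIFICATE-----
EOF
}

# Number of "-----BEGIN <type>-----" blocks in file $1; $2 is the type,
# e.g. CERTIFICATE or "RSA PRIVATE KEY". Prints 0 when there are none.
count_blocks() {
    grep -c -- "-----BEGIN $2-----" "$1" || true
}

# Stand-alone run (./strip-root.sh --demo): build the sample, strip it, report.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_bundle "$tmp/cacert.pem"
    strip_root_cert "$tmp/cacert.pem" > "$tmp/cacert-noroot.pem"
    echo "certificates before: $(count_blocks "$tmp/cacert.pem" CERTIFICATE)," \
         "after: $(count_blocks "$tmp/cacert-noroot.pem" CERTIFICATE)," \
         "keys kept: $(count_blocks "$tmp/cacert-noroot.pem" 'RSA PRIVATE KEY')"
fi
```

To use it on the file from chapter 16.1, run strip_root_cert /tmp/cacert.pem > /tmp/cacert-noroot.pem and pass the new file to the openssl s_client command in chapter 16.2; check that the output still has exactly one certificate and one key before connecting. Bundles exported by Internet Explorer may label the key block PRIVATE KEY or ENCRYPTED PRIVATE KEY instead of RSA PRIVATE KEY; the stripping itself does not depend on that label, only the count in the demo does.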