17.4 Obtaining a Certificate from a Commercial CA

17.4 Obtaining a Certificate from a Commercial CA

The self-signed certificates created earlier in this chapter allow you to take advantage of the capabilities of any SSL-enabled client or server. These certificates are sufficient for the overwhelming majority of uses. However, many organizations choose to purchase a certificate from a certification authority such as VeriSign. There are several advantages to using a certificate that is signed by a commercial CA in preference to a key that is self-signed:

• Because VeriSign and other CAs have their keys distributed with Internet Explorer and Netscape, your users will not have to manually add your internal CA's key to their web browser.

• Because VeriSign and other CAs attempt to verify the identity of an organization before signing that organization's key, your users may have some assurance that your web server actually belongs to the organization whose name is on the certificate. This can be useful in e-commerce applications where you are asking users to divulge personal information such as their names, addresses, Social Security numbers, or credit card numbers.

If you wish to use a certificate from a commercial CA, you will need to create a certificate signing request, send the CSR to the organization, convince the CA to sign your key, and install the certificate that you get back from the CA. The process of convincing the CA to sign your key usually involves presenting the organization with some sort of tangible proof that you represent the organization whose key is being signed and then paying the CA some amount of money.

VeriSign now offers a 14-day "trial" certificate that companies can use to get up and running immediately. Like the certificates created earlier in this chapter, the VeriSign trial certificate is signed with a "test CA root" rather than the actual VeriSign production root. This test root allows VeriSign to hand out test certificates automatically from its web site, before the bona fides of an organization are verified. Once the bona fides are verified and VeriSign's fee is paid, VeriSign will send you a new certificate that can be installed on top of the trial certificate. No new CSR needs to be produced because both certificates handle the same key.

The steps to obtaining a trial certificate are:

1. Generate a certificate signing request (CSR). This request can be signed by any CA. In the previous pages, it was signed by the Nitroba CA. But it can also be signed by a commercial CA such as VeriSign (see Example 17-3).

2. Submit the CSR.

3. Complete VeriSign's application.

4. Install the test CA root.

5. Install the test server ID.

Generating a CSR with OpenSSL is quite easy: if you followed these steps, a CSR was automatically generated when you created your self-signed key. In fact, OpenSSL generated two CSRs: one for the Nitroba CA, and one for the Unix server. Both of these requests were then signed with the Nitroba CA's private key. If you want to have VeriSign sign your server's public key, all you need to do is to paste the server's CSR into the form on the VeriSign web site (see Figure 17-11). Be careful not to paste in the CSR for your private CA.

Example 17-3. The unix.vineyard.net server certificate signing request (CSR)

unix# cat server.csr  -----BEGIN CERTIFICATE REQUEST----- MIIB5zCCAVACAQAwgaYxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNQTEXMBUGA1UE BxMOVmluZXlhcmQgSGF2ZW4xGzAZBgNVBAoTElZpbmV5YXJkLk5FVCwgSW5jLjEW MBQGA1UECxMNVU5JWCBEaXZpc2lvbjEaMBgGA1UEAxMRdW5peC52aW5leWFyZC5u ZXQxIDAeBgkqhkiG9w0BCQEWEXVuaXhAdmluZXlhcmQubmV0MIGfMA0GCSqGSIb3 DQEBAQUAA4GNADCBiQKBgQCnbsBwyd+cuEhMBjhFkCYSjKXWC3QPCP1GPtxfdCeI Czrp8j5S0oR4B85M9iDFQST81tgmbEvJox0kOgehzhlzTLhwUhdVtlTJgChp0+AK MnA5Hy8TexSWbNA7lktZkZZRSFbWSlk8q6y4CUQGOXOmwOxxf+Kx0rGm8bQDbe2m QQIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEAOFvLUdhMkXEE61hNNnbimHgMCfve tFF0jxJvJJd3S2ufDV4Gp5HQBNPRd4JXFoMVdaRzB9ysDLgX98IzwbktTn9W1dEd 1D8z3TtFttbB2pQ/FRg7Sst+Ix+zk1BOjhFGnCPubr/VZPfUGAYqiFRinRXIBe4j 1iCQDrLZyUxZJ3A= -----END CERTIFICATE REQUEST-----

Figure 17-11. To get a VeriSign certificate, you must paste your CSR into VeriSign's web site.

It is important to be sure that your CSR has the two-letter ISO abbreviation for your country and not the full, spelled-out name, and that the CSR has the full, spelled-out name of your state, and not a postal abbreviation. VeriSign will not process your request if there is a problem with your CSR. If there are no problems, VeriSign will send you the completed certificate by email. Copy this certificate into a file and place it in the location on your web server, as indicated by the Apache configuration file or by the IIS configuration.