Configuring your server to use SSL is a straightforward process. However, if you are planning to use a server certificate from a third-party certificate authority, you should be warned that it can be a long process. Receiving a server certificate can take several weeks. This process also can be expensive. Verisign, for example, currently charges $349 for a server certificate, and you must pay $249 each additional year the certificate is renewed.
Three main steps are involved in installing SSL. First, you must generate a certificate request file and an encryption key pair file using the Web Server Certificate Wizard. Next, you must apply for a server certificate at a third-party certificate authority by providing it with your certificate request file. Finally, after you receive your server certificate, you must install it by using the Web Server Certificate Wizard.
Generating a Certificate Request File
To create a certificate request file, also called a certificate signing request (CSR), open the Web Server Certificate Wizard by completing the following steps:
The Web Server Certificate Wizard guides you through the task of creating the certificate request file (see Figure 21.2).
Figure 21.2. The Web Server Certificate Wizard.
To create the certificate request file, supply the following information:
After you supply this information to the wizard, a certificate request file is saved to your hard drive. At this point, the certificate request file has been generated, but the certificate has not been installed. If you're curious, here's an example of a certificate request file:
Applying for a Server Certificate
After you generate a certificate request file, you can apply for a server certificate from a certificate authority. These three are the more popular ones:
To apply for a Verisign server certificate, for example, go to http://www.verisign.com and choose Secure Server ID. You need to provide Verisign with identifying information about your organization, such as your Dun and Bradstreet DUNS number, your articles of incorporation, or your business license. After you provide this information, you can submit your certificate request file through an online form. After your information is verified, you receive an e-mail message that contains instructions for downloading your new server certificate.
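Because issuance is slow and costly, it is worth confirming what a request file actually contains before you submit it. The following is an added example, not part of the original text: it decodes a PKCS#10 request file using only the Python standard library and reports the subject common name and RSA key size. The function names are assumptions of this example, it assumes an RSA key, and the sample request is constructed with a dummy key and an all-zero signature.

```python
import base64, re

def pem_to_der(pem):  # IIS armor reads "NEW CERTIFICATE REQUEST"; other tools omit "NEW"
    body = re.sub(r"-----(BEGIN|END) (NEW )?CERTIFICATE REQUEST-----", "", pem)
    return base64.b64decode("".join(body.split()), validate=True)

def tlv(buf, pos):  # read one DER element; return (tag, content_start, content_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):  # list the elements packed inside buf[start:end]
    out = []
    while start < end:
        out.append(tlv(buf, start))
        start = out[-1][2]
    return out

def inspect_csr(der):
    """Return the subject common name and RSA modulus size of a PKCS#10 request."""
    _, s, e = children(der, *tlv(der, 0)[1:])[0]  # CertificationRequest -> ...Info
    _version, subject, spki = children(der, s, e)[:3]
    cn = None
    for _, rs, re_ in children(der, subject[1], subject[2]):  # each RDN (a SET)
        for _, a, b in children(der, rs, re_):                # each type/value pair
            oid, val = children(der, a, b)[:2]
            if der[oid[1]:oid[2]] == b"\x55\x04\x03":         # OID 2.5.4.3, commonName
                cn = der[val[1]:val[2]].decode("latin-1")
    bits = children(der, spki[1], spki[2])[1]                # subjectPublicKey BIT STRING
    _, s, e = tlv(der, bits[1] + 1)                          # skip the unused-bits byte
    m = children(der, s, e)[0]                               # modulus, first INTEGER
    return {"common_name": cn, "rsa_bits": int.from_bytes(der[m[1]:m[2]], "big").bit_length()}

def enc(tag, content):  # DER-encode one element; used only to build the sample below
    n, k = len(content), (len(content).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + content

def sample_csr_pem(cn, bits):  # constructed sample: dummy key, all-zero signature
    name = enc(0x30, enc(0x31, enc(0x30, enc(0x06, b"\x55\x04\x03") + enc(0x13, cn.encode()))))
    mod = b"\x00" + (1 << (bits - 1) | 1).to_bytes(bits // 8, "big")
    key = enc(0x30, enc(0x02, mod) + enc(0x02, b"\x01\x00\x01"))
    alg = lambda oid: enc(0x30, enc(0x06, bytes.fromhex(oid)) + enc(0x05, b""))
    spki = enc(0x30, alg("2a864886f70d010101") + enc(0x03, b"\x00" + key))
    info = enc(0x30, enc(0x02, b"\x00") + name + spki + enc(0xA0, b""))
    der = enc(0x30, info + alg("2a864886f70d01010b") + enc(0x03, b"\x00" * (1 + bits // 8)))
    return f"-----BEGIN NEW CERTIFICATE REQUEST-----\n{base64.encodebytes(der).decode()}-----END NEW CERTIFICATE REQUEST-----\n"
```

To check a real request, pass the text of the file the wizard saved to `pem_to_der` and compare the reported common name with the domain name the site will be served under.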
Installing Your Server Certificate
The last step in preparing your server to use SSL is to actually install the server certificate. To do so, launch the Web Server Certificate Wizard once again and choose the option labeled Process the Pending Request and Install the Certificate. Then open the server certificate file from your hard drive. The server certificate should now be installed on your server.
If you must transfer your certificate to a new server, you can use the Web Server Certificate Wizard to create a backup copy of your certificate. You can then load the certificate on the new server by launching the Web Server Certificate Wizard and selecting the option labeled Import a Certificate from a Key Manager Backup File. The new server must have exactly the same Internet domain name as the original server (the IP address can be different).