Creating Certificate Signing Requests
Wednesday, January 17, 2007 at 22:21
OK, the title might sound a little weird, but trust me...
I work on a daily basis with digital certificates (end-user and SSL certificates). These things get more and more common these days. More and more web services are being 'secured' by SSL certificates. The only problem is that the technicians who run the services don't know shit (well, most of them do) about SSL and/or PKI. I don't blame them, because it tends to be a little complex.
SSL certificates can be generated as self-signed certificates, or you might wanna get a commercial SSL certificate from Certificate Authorities like VeriSign, Thawte, GeoTrust, etc. Anyway, in every case, you need to generate a certificate signing request (CSR) and submit it to the Certificate Authority.
The problem is that there are some applications that stay in a pending mode if you generate a CSR, and wait for the resulting certificate to come back from the CA. This might take a couple of days. It would be a lot nicer if you could request the certificate on another platform, and import it in the application when you get the thing.
There are several ways to generate a CSR on the different platforms:
- OpenSSL - equivalent to rocket science for most people, since it's a command-line tool
- Via webserver tooling (IIS, Java keytool, etc.)
- XCA - Not very user friendly if you're requesting just one or two certificates a year.
- And probably some other 'obscure' ways
But what if your application needs an SSL certificate, or your webserver is located on the other side of the world (and you have no way of accessing it directly)? How the hell do you generate a CSR? The Windows platform itself doesn't have any tools for creating certificates (only if you use IIS or have a CA running on the platform).
I hope to solve this by creating an application (cross-platform, of course) which creates these CSRs, and creates PKCS#12 (or .pfx) files when you import the resulting certificate in the tool. This PKCS#12 file can be installed on the server as needed.
Finally, a challenge for me to start programming again.
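The workflow described above (create the key and CSR away from the server, wait for the CA, then bundle the reply into a PKCS#12 file), written out with OpenSSL as an added example that is not the author's tool. The file names, the `PFX_PASS` variable and the self-signing `standin_ca_reply` helper are assumptions made for this example.

```shell
#!/bin/sh
# Added example: CSR created off the server, CA reply bundled into PKCS#12.
# File names, PFX_PASS and standin_ca_reply are assumptions of this example.

# make_csr DIR CN: new 2048-bit RSA key (owner-only permissions) plus a CSR.
make_csr() {
    ( umask 077 && openssl genrsa -out "$1/server.key" 2048 ) 2>/dev/null || return 1
    openssl req -new -key "$1/server.key" -subj "/CN=$2" -out "$1/server.csr"
}

# standin_ca_reply DIR: self-signs the CSR so the flow runs offline.
# With a real CA you would save its reply as DIR/server.crt instead.
standin_ca_reply() {
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
        -days 30 -out "$1/server.crt" 2>/dev/null
}

# key_matches_cert KEY CERT: true only if both carry the same public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# make_pfx DIR: bundle key + certificate. The passphrase is read from the
# exported PFX_PASS variable so it never appears in the process list.
make_pfx() {
    [ -n "${PFX_PASS:-}" ] || { echo "PFX_PASS is not set" >&2; return 1; }
    key_matches_cert "$1/server.key" "$1/server.crt" || {
        echo "certificate does not belong to this key" >&2; return 1; }
    ( umask 077 && openssl pkcs12 -export -inkey "$1/server.key" \
        -in "$1/server.crt" -name server -passout env:PFX_PASS \
        -out "$1/server.pfx" )
}

# Usage: make_csr ./work www.example.test, send ./work/server.csr to the CA,
# save its reply as ./work/server.crt, export PFX_PASS, then make_pfx ./work
```

The private key never leaves the machine where the CSR was made until it is wrapped in the passphrase-protected `.pfx`, and the public-key comparison catches the common mistake of pairing the CA's reply with the wrong key.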
Willem