1. Certificate Request Generation using WebCert
If you already have a certificate request file (often identified with a .csr extension), you can skip to 2.
In order to generate a new certificate, we need to create a certificate signing request (CSR). The request will carry the name and possibly other details of its future owner. Using Create CSR from the top menu bar will call buildrequest.cgi, and the necessary form will be displayed. At a minimum, the Common Name (CN) of the future certificate must be provided there. You can also select the key type and size, or accept the displayed values as a standard.
2. External Certificate Generation
If you already have a certificate request, say its already generated for you by a smart network or firewall device (i.e. Cisco, Netscreen), you already got a key pair that stays in the system. Here you simply cut and paste the certificate request into the certrequest.cgi form using the Verify CSR menu item, and generate the certificate. Once done, simply import the certificate into your device.
A valid certificate request looks like this (example):
-----BEGIN CERTIFICATE REQUEST----- MIICGjCCAYMCAQAwgbQxCzAJBgNVBAgTAkNBMRMwEQYDVQQHEwpXaGVyZS1ldmVy MRMwEQYDVQQKEwpDdXN0b21lciBBMREwDwYDVQQLEwhOZXR3b3JrczEZMBcGA1UE AxMQMDA1MjA3MjAwMjAwMDI0NTEVMBMGA1UEAxMMMTExLTExMS0xMTExMRAwDgYD VQQDEwdyc2Eta2V5MQ8wDQYDVQQDEwZuczV4dC4xEzARBgNVBAMTCkZyYW5rcy01 WFQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPdC5s9c3ESCnrZ9YgSXYEW3 sT9yJmpxGJDNgI6SUZbNG4Sek5rbePusCHPtLESe2K2oEF5A0tSaY3pj2QMREs5R lC4TSPJY5VvJA+sR1wppU5w0ocOCLzxKe0KYGklpyGEvTPmmE+GIYcwCSHYir4kZ /iUKhx+exarH+m+CvZlxAgMBAAGgJTAjBgkqhkiG9w0BCQ4xFjAUMBIGA1UdEQQL MAmCB25zNXh0LgAwDQYJKoZIhvcNAQEFBQADgYEALQy5g2ntoVxO8AgQHPIpe3DD gUrhvYTm35G5SjfM9SiO841Wcta8tRkeOWaWh46T6uQaj+r4N8VhybF9gFZdsZGq 6S3uWY80eC0/MHo+yJcyyqjpl9s2yPLMlGR8MqM14mLO9vVqx+rdMRZFulNJ5YsD 9bSue4v0pECcZZMv6r8= -----END CERTIFICATE REQUEST-----
You need to paste such a request, including the "Begin" and "End" lines, into the certrequest.cgi form and press [verify].
3. Certificate Request Verification
After a external certificate request has been pasted into WebCert, or WebCerts certificate building form has been used, a verification will show you the certificate information that will be signed.
Here, several additional certificate extensions can be set such as the key usage, defining the type of the certificate. The extended key usage option can be be added to certificates who *really* need it. Please enable this option only if you are sure this is needed. For example, server certificates used with Microsoft Windows to enable the Active Directory ldaps:// function need the addition of the "SSL/TLS Web Server Authentication" extended key usage setting.
Note: An externally generated certificate request, that is pasted into Webcert could already carry certificate extensions. In that case, WebCert uses their requested values and does not provide the option to override that data.
Next, we need to define the start and end date the certificate should become valid for. The default selection will set it to become valid immediately, with a expiration date of 3 years. The expiration date can be changed, or specific time frames can be set to precisely define the time period.
Important: If Webcert was used to create the certificate request together with the key, we need to save the private key which is displayed only here. For security reasons, no other copy is kept on the server. Simply copy&paste the displayed PEM key data into a local text file.
4. Certificate Signing
Finally, we use Sign Request to generate the certificate, singing it with WebCerts root CA certificate. If the process is successful, you'll get a certificate displayed that looks like this:
-----BEGIN CERTIFICATE----- MIID7DCCA1WgAwIBAgIBDjANBgkqhkiG9w0BAQQFADCBmTELMAkGA1UEBhMCVVMx CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxSZWR3b29kIENpdHkxFTATBgNVBAoTDE9y YWNsZSBDb3JwLjEoMCYGA1UECxMfR2xvYmFsIElUIFNlY3VyaXR5IEFyY2hpdGVj dHVyZTElMCMGCSqGSIb3DQEJARYWZmlyZXdhbGxfdXNAb3JhY2xlLmNvbTAeFw0w MzA2MTgyMDM0MjBaFw0wNDA2MTcyMDM0MjBaMIG0MQswCQYDVQQIEwJDQTETMBEG A1UEBxMKV2hlcmUtZXZlcjETMBEGA1UEChMKQ3VzdG9tZXIgQTERMA8GA1UECxMI TmV0d29ya3MxGTAXBgNVBAMTEDAwNTIwNzIwMDIwMDAyNDUxFTATBgNVBAMTDDEx MS0xMTEtMTExMTEQMA4GA1UEAxMHcnNhLWtleTEPMA0GA1UEAxMGbnM1eHQuMRMw EQYDVQQDEwpGcmFua3MtNVhUMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD3 QubPXNxEgp62fWIEl2BFt7E/ciZqcRiQzYCOklGWzRuEnpOa23j7rAhz7SxEntit qBBeQNLUmmN6Y9kDERLOUZQuE0jyWOVbyQPrEdcKaVOcNKHDgi88SntCmBpJachh L0z5phPhiGHMAkh2Iq+JGf4lCocfnsWqx/pvgr2ZcQIDAQABo4IBJTCCASEwCQYD VR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlm aWNhdGUwHQYDVR0OBBYEFH23Br/vBZex2NWJLoqLa+mRPVUiMIHGBgNVHSMEgb4w gbuAFJlwj84ZPgPIfPHbDN3AZFMHR1twoYGfpIGcMIGZMQswCQYDVQQGEwJVUzEL MAkGA1UECBMCQ0ExFTATBgNVBAcTDFJlZHdvb2QgQ2l0eTEVMBMGA1UEChMMT3Jh Y2xlIENvcnAuMSgwJgYDVQQLEx9HbG9iYWwgSVQgU2VjdXJpdHkgQXJjaGl0ZWN0 dXJlMSUwIwYJKoZIhvcNAQkBFhZmaXJld2FsbF91c0BvcmFjbGUuY29tggEAMA0G CSqGSIb3DQEBBAUAA4GBAD2f9Lb+KJ3kqvKhyb7k+uLpvIvl13qxY+HyAF/DPqYx EXa3CYdy8IR8ulj703vLtPbZcKjXvtjyr/reGBgD8REKNK6bHcjBAjUa61vlg9dW pdsIsSEWBjqO93o2LAnJaZSXJ/axmLtErEh4tfUG0IlU2Ol38avGBtdZbGLYYYSc -----END CERTIFICATE-----
Now you can cut and paste it via an editor such as Windows Notepad
into a text file and save it locally. Alternatively, you can use
the Export functions to download the certificate as a file.
A detailed description for generating a S/Mime certificate to enable e-mail encryption is here: http://fm4dd.com/howto/openssl/webcert-smime-howto.htm
5. Certificate Export
Certificates can be exported for easy download in either DER, PEM or PKCS12 format. When requested for the first time, the selected format is written to the /export directory on the WebCert server, and a download link is provided to save the file locally.
To create a PKCS12 container for easy use with Windows S/MIME you will need the previously generated private key in PEM format for pasting it into the export form. The PKCS12 container will be secured with the supplied passphrase in the export form. This passphrase is needed when the .p12 file is imported by Windows.
6. Certificate Installation
Certificates can be installed/loaded from the cut&paste text files or from the downloaded certificate files which were exported. For some applications, the filename must have a certain extension such as [certfile].pem for PEM files - try to rename it if that is the case. Sometimes it is also necessary to co-install the CA Root certificate to enable the verification of the generated certificate. WebCerts singing Root CA certificate is available for download through the Root CA Cert menu item.
7. Certificate Management
All certificates are stored in the /cert directory on the WebCert server. They can be viewed with the List Certs menu option. WebCert conveniently displays the certificate subject, along with the remaining time each certificate is valid.
The Detail button displays the certificate data including its PEM format, convenient for importing it into various certificate stores. The Renew button creates a new CSR from the existing certificate data for simple renewal.
8. Certificate Search
To find a particular certificate, the Search Cert menu option brings up a selection of filters that will extract the applicable certs from the cert store per subject field, serial number, validation or expiration date. For example, this helps to identify certificates that are about to expire, and let us renew them before they become invalid.
9. Certificate Validation
The Verify Certs menu option is a powerful way to identify issues around certificates. A crucial part of using certificates lies in the validation through a chain of "signing" certificates. With this function, the chain can be constructed and verified, similar to the way applications, such as a web browser would do. This works with all certificates, not just the ones created with WebCert.
This function can upload local certificate files, or it can connect directly to a remote SSL server and extract the certificate data from there. It is very convenient to verify if a servers SSL setup is correct.
10. Certificate Revocation
The certificate detail view has the action item "Revoke". This option asks for the certificate private key as authorization, and if successful it adds the certificate serial number into the revoked certs database file.
Webcert maintains a certificate revocation list (CRL) file. The CRL can be found by displaying the CA cert information, and its location can also be embedded into newly created certs.
11. Common Errors
Not including the "Begin" or "End" lines, or having an additional empty line before or after the "Begin" or "End" lines when pasting the request into the form will result in a "Error invalid request format, no BEGIN/END lines".
Accidentially hitting [return] somewhere in the paste window, generating a newline in the request data, will result in a "Error cant read request content with PEM function".
In short, CAREFULLY pasting the request resolves most errors.
Trying to generate a certificate from a request that has been already processed works just fine.
12. Browser Complaints
Browser constantly asks if this certificate can be trusted and complains about various things:
Importing the Root CA "parent" certificate can help resolve this issue. Thats what the "Get Root CA cert" is for. Loading the Root CA into your browser enables the automatic verification of the certificate every time you connect. No questions asked.
If there is still the window popping up asking if you want to accept this certificate, then its mostly a missmatch between the certificate common name (CN) and the device name/server name/device IP/server IP. Either the certificate was requested wrongly, or the device changed its name/IP recently. Ask the device owner to generate a new certificate (request) with the valid device name/IP entry.
Certificates are signed to be valid for a time range and "expire". The expiration defaults to 3 years. This should give plenty of time to regenerate a new certificate when the time comes. Certificates still can work when when expired, but the browser comes up with and error message. Re- certification of devices is a good way to enforce inventory updates.
OpenSSL on 32-bit systems may encounter the year-2038 bug. WebCert can restrict the certificate generation prior to the critical date.
last update 1/11/2016 @2003-2016 Frank4DD