Generating a Certificate Signing Request, suitable for use with CoSign on Windows

CoSign uses SSL to ensure the integrity of authentication requests between the cosign server and the application server.

The following instructions cover generation of a Certificate Signing Request (CSR) on a Windows server.

If you want to learn how to install and configure CoSign, you should read the instructions on installing CoSign:

Generating the CSR (for IIS6 and IIS7)

Notation

In these instructions the following notation is used:

domainname - this is the root domain name for your web server which will be followed by ".lancs.ac.uk". For example "mydomain.lancs.ac.uk". The domain name must have the SSL certificat associated with it.
servername - this is the name of the web server. For example "MIS-SPRING".

Create a file called "luconfig.cfg" in your "C:\Program Files\IISCosign" folder. The contents of this file are given below. Amend this file to include your web server name and contact email.

[ req ] default_bits = 2048 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca dirstring_type = nobmp [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_value = GB stateOrProvinceName = State or Province name (full name) stateOrProvinceName_value = Lancashire localityName = Locality name (e.g., city) localityName_value = Lancaster organizationName = Organization Name (e.g., company) organizationName_value = Lancaster University organizationalUnitName = Organization Unit Name (e.g., ITCS, LSA) organizationalUnitName_value = Information Systems Services commonName = cp (e.g., web server\'s hostname) commonName_value = domainname.lancs.ac.uk emailAddress = contact e-mail for cert: emailAddress_value = contact@lancaster.ac.uk [req_attributes] [ v3_ca ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always basicConstraints = CA:true

Open a command prompt and cd to your "C:\Program Files\IISCosign" folder. Run the following commands:

openssl genrsa 2048 > domainname.key openssl req -new -config luconfig.cfg -key domainname.key -out domainname.csr

Send an e-mail to Steve Bennett, attaching the domainname.csr file.

In reply, you should receive the following files:

LUcosignCA.pem
LUrootCA.pem
domainname-cert.pem

Place these files in the "C:\Program Files\IISCosign\SSL" sub-folder.

Take the 'cert' part of the domainname-cert.pem file and put it into a new file called domainname.cert. The cert part is the data between and including the lines:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Be sure the line with BEGIN CERTIFICATE is the very first line of the domainname.cert file and there should be no extra lines or line breaks after the END CERTIFICATE

Copy the domainname.cert file into the "C:\Program Files\IISCosign\SSL" sub-folder.

For Windows Server2008/IIS7 only

If you are deploying the Cosign Module on Windows Server 2008/IIS7 you will need to complete all the steps above before attempting the steps below. These are required because the Cosign Module retrieves the certificate from the Windows certificate store.

Open a command prompt and cd to your "C:\Program Files\IISCosign" folder. Run the following commands. You will be prompted for a password. Remember this password! You will need it later.

openssl pkcs12 -in domainname.cert -inkey domainname.key -export -out domainname.p12

On the server complete the following instructions (during installation only).

Start -> Run
Type "regedit" and navigate to the following registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY
Give IIS_IUSRS (or the process IIS7 runs as) "Full Control" and "Read" permissions on the registry key

On the server complete the following instructions:

Start -> Run
Type "mmc". If you want the 64 bit version type "mmc /64". If you are asked to confirm the request click Yes.
In the mmc console go to File -> Add/Remove Snap-ins (or press Ctrl+m)
Select Certificates and click on "Add >"
Select Computer account and click on "Next >"
Select Local computer and click on "Finish"
Click on "OK" in the Add/Remove Snap-ins dialog.

Firstly, cosign needs a certificate authority file to verify the identity of the weblogin server it is talking to. This stage only needs to be done during installation.

In the mmc console go to Action -> All Tasks -> Import to run the certificate import wizard.
Click on "Next >"
Click on "Browse", navigate to "C:\Program Files\IISCosign\SSL" and select "LUcosignCA.pem". If you can't see the file make sure "Files of Type" is set to (*.*)
Click on "Next >"
Make sure the .pem file will be placed in the Trusted Root Certificate Authorities" (this should be the default setting)
Click on "Next >" then "Finish". You should get a dialog telling you the import was successful.
Go through the steps again and import the "LUrootCA.pem" file.
In the left of the console expand Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates. There should be an entry for Lancaster University Cosign CA and Lancaster University Root CA.

Next, import the Personal Information Exchange File (domainname.p12). This must be done every year before the certificate expires.

In the left of the console expand Certificates (Local Computer) -> Personal -> Certificates. If there is no folder or entry for Certificates then the SSL has not been added correctly. The SSL certificate should already be in the folder.
Right-hand mouse button click on Certificates in the tree hiearchy and select All Tasks -> Import to run the certificate import wizard.
Click on "Next >"
Click on "Browse", navigate to "C:\Program Files\IISCosign" and select "domainname.p12". If you can't see the file make sure "Files of Type" is set to (*.pfx, *.p12)
Click on "Next >"
Enter the password you used when you created the .p12 file earlier.
Click on "Next >", (all certs to be placed in "Personal") "Next >" then "Finish". You should get a dialog telling you the import was successful.
In the left of the console expand Certificates (Local Computer) -> Personal -> Certificates. There should be an entry for "domainname" issued by Lancaster University Cosign CA.
Right-hand mouse button click on the "domainname" certificate and select All Tasks -> Manage Private Keys
Give IIS_IUSRS "Full Control" and "Read" permissions.