Generating a Certificate Signing Request, suitable for use with CoSign on Windows
CoSign uses SSL (TLS) to protect the integrity of authentication requests between
the cosign server and the application server. The application server identifies itself with the
certificate obtained by the steps below, and checks the cosign server against the Lancaster University CA certificates.
The following instructions cover generation of a Certificate Signing Request (CSR) on a Windows server.
If you want to learn how to install and configure CoSign, you should read the instructions on installing CoSign:
Generating the CSR (for IIS6 and IIS7)
Notation
In these instructions the following notation is used:
- domainname - this is the DNS name of your web server without the ".lancs.ac.uk" suffix; the suffix is appended, giving for example "mydomain.lancs.ac.uk". This full name is the Common Name the SSL certificate will be issued for, so it must be the name clients and the cosign server use to reach the web server.
- servername - this is the name of the web server. For example "MIS-SPRING".
Create a file called "luconfig.cfg" in your "C:\Program Files\IISCosign" folder. The contents of this file are given below.
Amend the commonName_value and emailAddress_value lines to give your web server name and a contact email.
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# v3_ca is only used when req is run with -x509 (a self-signed certificate);
# it is ignored for the CSR generated below, so CA:true is never sent to the CA.
x509_extensions = v3_ca
dirstring_type = nobmp
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_value = GB
stateOrProvinceName = State or Province name (full name)
stateOrProvinceName_value = Lancashire
localityName = Locality name (e.g., city)
localityName_value = Lancaster
organizationName = Organization Name (e.g., company)
organizationName_value = Lancaster University
organizationalUnitName = Organization Unit Name (e.g., ITCS, LSA)
organizationalUnitName_value = Information Systems Services
commonName = Common Name (e.g., web server's hostname)
commonName_value = domainname.lancs.ac.uk
emailAddress = contact e-mail for cert:
emailAddress_value = contact@lancaster.ac.uk
[req_attributes]
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
Open a command prompt and cd to your "C:\Program Files\IISCosign" folder.
Run the following commands:
openssl genrsa -out domainname.key 2048
openssl req -new -config luconfig.cfg -key domainname.key -out domainname.csr
The first command writes the server's private key, unencrypted, to domainname.key. Keep that file on the server and never send it anywhere; only the domainname.csr file leaves the machine.
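The same two commands wrapped in a script that also checks the CSR before it is sent. This is an added example, not part of the original instructions: it assumes openssl.exe is on the PATH, that it is run from the "C:\Program Files\IISCosign" folder where luconfig.cfg lives, and that $domain is replaced with your own domainname.

```powershell
# Added example (not from the original CoSign instructions).
# Assumes: openssl.exe on PATH, current folder is C:\Program Files\IISCosign,
# $domain is your own "domainname" (placeholder, as in the instructions).
$domain  = "domainname"
$keyFile = "$domain.key"
$csrFile = "$domain.csr"

# 1. Private key and CSR, exactly as the instructions do it.
& openssl genrsa -out $keyFile 2048
if ($LASTEXITCODE -ne 0) { throw "genrsa failed" }
& openssl req -new -config luconfig.cfg -key $keyFile -out $csrFile
if ($LASTEXITCODE -ne 0) { throw "req failed" }

# 2. The key file is unencrypted: restrict it to Administrators and SYSTEM.
#    Nothing else needs to read it until the .p12 is built later.
& icacls $keyFile /inheritance:r /grant:r "BUILTIN\Administrators:(F)" "NT AUTHORITY\SYSTEM:(F)" | Out-Null

# 3. Check the CSR: its self-signature verifies, the subject carries the
#    expected Common Name, and the key really is 2048 bits.
& openssl req -in $csrFile -noout -verify
if ($LASTEXITCODE -ne 0) { throw "CSR signature does not verify" }

$subject = (& openssl req -in $csrFile -noout -subject) -join ""
if ($subject -notmatch "CN\s*=\s*$domain\.lancs\.ac\.uk") {
    throw "CSR subject is wrong: $subject (check commonName_value in luconfig.cfg)"
}

$text = (& openssl req -in $csrFile -noout -text) -join "`n"
if ($text -notmatch "Public-Key: \(2048 bit\)") { throw "key is not 2048 bits" }

# 4. The public key in the CSR must belong to the private key you are keeping.
$csrMod = (& openssl req -in $csrFile -noout -modulus) -join ""
$keyMod = (& openssl rsa -in $keyFile -noout -modulus) -join ""
if ($csrMod -ne $keyMod) { throw "CSR does not match $keyFile" }

Write-Host "OK: send $csrFile; keep $keyFile on this server."
```

If the subject check fails, fix luconfig.cfg and regenerate the CSR with the same key rather than sending a request the CA will reject.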
Send an e-mail to Steve Bennett, attaching the domainname.csr file.
In reply, you should receive the following files:
- LUcosignCA.pem
- LUrootCA.pem
- domainname-cert.pem
Place these files in the "C:\Program Files\IISCosign\SSL" sub-folder.
Take the 'cert' part of the domainname-cert.pem
file and put it into a new file called domainname.cert.
The cert part is the data between and including the lines:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Make sure the -----BEGIN CERTIFICATE----- line is the very first line of the domainname.cert
file, and that nothing but a single line break follows the -----END CERTIFICATE----- line (no blank lines, no other text).
Copy the domainname.cert file into the "C:\Program Files\IISCosign\SSL" sub-folder.
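The extraction above can be done with openssl rather than by hand, which also gives the chance to check the issued certificate before it goes anywhere near the certificate store. This is an added example, not part of the original instructions: it assumes openssl.exe is on the PATH, the three .pem files from the CA are in the SSL sub-folder, domainname.key is in the current folder, and $domain is your own domainname. The chain.pem file it writes is a scratch file of this example only.

```powershell
# Added example (not from the original CoSign instructions).
# Assumes: openssl.exe on PATH, current folder C:\Program Files\IISCosign,
# CA files in .\SSL, $domain is your own "domainname" (placeholder).
$domain   = "domainname"
$keyFile  = "$domain.key"
$certPem  = "SSL\$domain-cert.pem"
$certFile = "SSL\$domain.cert"
$chain    = "SSL\chain.pem"      # scratch file created by this example

# 1. openssl x509 re-emits only the BEGIN/END CERTIFICATE block, so the output
#    starts with the BEGIN line and ends with a single line break after END.
& openssl x509 -in $certPem -out $certFile
if ($LASTEXITCODE -ne 0) { throw "could not read a certificate from $certPem" }

# 2. The issued certificate must belong to the key generated for the CSR.
$certMod = (& openssl x509 -in $certFile -noout -modulus) -join ""
$keyMod  = (& openssl rsa  -in $keyFile  -noout -modulus) -join ""
if ($certMod -ne $keyMod) { throw "$certFile was not issued for $keyFile" }

# 3. It must chain to the two CA files we were sent.
Get-Content "SSL\LUrootCA.pem", "SSL\LUcosignCA.pem" | Set-Content $chain
& openssl verify -CAfile $chain $certFile
if ($LASTEXITCODE -ne 0) { throw "$certFile does not verify against LUrootCA.pem + LUcosignCA.pem" }

# 4. Right name, not a CA certificate (luconfig.cfg carries CA:true in a
#    section the CSR does not use, but check the CA did not add it anyway),
#    and not about to expire.
$text = (& openssl x509 -in $certFile -noout -text) -join "`n"
if ($text -notmatch "CN\s*=\s*$domain\.lancs\.ac\.uk") { throw "$certFile is for the wrong name" }
if ($text -match "CA:TRUE") { throw "$certFile is a CA certificate; ask for it to be reissued" }
& openssl x509 -in $certFile -noout -checkend 2592000     # 30 days in seconds
if ($LASTEXITCODE -ne 0) { throw "$certFile expires within 30 days" }

& openssl x509 -in $certFile -noout -subject -issuer -enddate
```

The last line prints the subject, issuer and expiry date; the issuer should be the Lancaster University Cosign CA, and the expiry date is the one to diarise for the yearly renewal mentioned below.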
For Windows Server2008/IIS7 only
If you are deploying the Cosign Module on Windows Server 2008/IIS7 you will need to complete all
the steps above before attempting the steps below. These are required because the
Cosign Module retrieves the certificate from the Windows certificate store.
Open a command prompt and cd to your "C:\Program Files\IISCosign" folder.
Run the following commands. You will be prompted for a password. Remember this password! You will need it later.
openssl pkcs12 -export -in domainname.cert -inkey domainname.key -out domainname.p12
On the server complete the following instructions:
- Start -> Run
- Type "mmc". If you want the 64 bit version type "mmc /64". If you are asked to confirm the request click Yes.
- In the mmc console go to File -> Add/Remove Snap-ins (or press Ctrl+m)
- Select Certificates and click on "Add >"
- Select Computer account and click on "Next >"
- Select Local computer and click on "Finish"
- Click on "OK" in the Add/Remove Snap-ins dialog.
Firstly, cosign needs a certificate authority file to verify the identity of the weblogin server it is talking to. This stage only needs to be done during installation.
- In the mmc console go to Action -> All Tasks -> Import to run the certificate import wizard.
- Click on "Next >"
- Click on "Browse", navigate to "C:\Program Files\IISCosign\SSL" and select "LUcosignCA.pem".
If you can't see the file make sure "Files of Type" is set to (*.*)
- Click on "Next >"
- Make sure the .pem file will be placed in "Trusted Root Certification Authorities" (this should be the default setting)
- Click on "Next >" then "Finish". You should get a dialog telling you the import was successful.
- Go through the steps again and import the "LUrootCA.pem" file.
- In the left of the console expand Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates.
There should be an entry for Lancaster University Cosign CA and Lancaster University Root CA.
Next, import the Personal Information Exchange File (domainname.p12). This must be done every year before the certificate expires.
- In the left of the console expand Certificates (Local Computer) -> Personal -> Certificates.
If there is no Certificates folder under Personal, the server's existing IIS SSL certificate has not been installed correctly; that certificate should already be listed in this folder.
- Right-hand mouse button click on Certificates in the tree hierarchy and select All Tasks -> Import to run the certificate import wizard.
- Click on "Next >"
- Click on "Browse", navigate to "C:\Program Files\IISCosign" and select "domainname.p12".
If you can't see the file make sure "Files of Type" is set to (*.pfx, *.p12)
- Click on "Next >"
- Enter the password you used when you created the .p12 file earlier.
- Click on "Next >", (all certs to be placed in "Personal") "Next >" then "Finish". You should get a dialog telling you the import was successful.
- In the left of the console expand Certificates (Local Computer) -> Personal -> Certificates.
There should be an entry for "domainname" issued by Lancaster University Cosign CA.
- Right-hand mouse button click on the "domainname" certificate and select All Tasks -> Manage Private Keys
- Give IIS_IUSRS "Read" permission. Read is enough for the Cosign Module to use the key for SSL; "Full Control" would also let the worker process account delete or re-permission the key, so only grant it if the module will not start with Read alone.
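The .p12 export and the whole certificate-store procedure above (CA import, .p12 import, private key permissions) can be done from an elevated PowerShell prompt and checked afterwards. This is an added example, not part of the original instructions: it assumes openssl.exe is on the PATH, the files are where the instructions put them, $domain is your own domainname, that certutil.exe accepts the NoExport modifier (an assumption; drop it if your build rejects it), and that the imported key is a CryptoAPI key so that $cert.PrivateKey exposes its container name (true for keys imported from an openssl .p12 on Windows PowerShell). Like the mmc steps, it puts both CA certificates in Trusted Root Certification Authorities.

```powershell
# Added example (not from the original CoSign instructions).
# Assumes: elevated Windows PowerShell, openssl.exe on PATH, files laid out as the
# instructions describe, $domain is your own "domainname" (placeholder),
# certutil supports the NoExport modifier (assumption), CryptoAPI key (assumption).
$domain = "domainname"
Set-Location "C:\Program Files\IISCosign"

# 1. Build the PKCS#12 file. The password is read interactively and passed to
#    openssl through an environment variable, not on the command line where
#    every process on the machine could read it.
$pw = Read-Host "Password for $domain.p12 (you will need it again for import)"
$env:P12PASS = $pw
& openssl pkcs12 -export -in "SSL\$domain.cert" -inkey "$domain.key" `
    -certfile "SSL\LUcosignCA.pem" -name $domain `
    -out "$domain.p12" -passout env:P12PASS
if ($LASTEXITCODE -ne 0) { throw "pkcs12 export failed" }

# 2. Trust the two CA certificates in the machine Root store (installation only).
foreach ($ca in "SSL\LUrootCA.pem", "SSL\LUcosignCA.pem") {
    & certutil -f -addstore Root $ca | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "could not add $ca to Root" }
}

# 3. Import the .p12 into the machine Personal store, key marked non-exportable.
& certutil -f -p $pw -importPFX "$domain.p12" NoExport | Out-Null
if ($LASTEXITCODE -ne 0) { throw "importPFX failed" }
Remove-Item Env:\P12PASS

# 4. Check what the mmc instructions tell you to look for: a certificate for
#    domainname issued by the Cosign CA, with its private key, whose chain builds.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match "CN=$domain\.lancs\.ac\.uk" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert)                        { throw "no certificate for $domain in Personal" }
if (-not $cert.HasPrivateKey)          { throw "certificate imported without its private key" }
if ($cert.Issuer -notmatch "Cosign CA") { throw "unexpected issuer: $($cert.Issuer)" }
if (-not $cert.Verify())               { throw "chain does not build; check the Root store" }

# 5. Let the IIS worker processes use the key. Read is all the module needs.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
& icacls $keyPath /grant "IIS_IUSRS:(R)" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "could not grant IIS_IUSRS read on $keyPath" }

"Installed {0} (thumbprint {1}), valid until {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
```

Passing -certfile puts the issuing CA into the .p12 alongside the server certificate, so the import carries its own chain; the yearly renewal repeats steps 1, 3, 4 and 5 only.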