Obtain Certificate from CA
This section describes the steps for obtaining a certificate from a Certificate Authority (CA). In order to enable SSL encryption for LicenseServer, you will need the following files:
•Private Key file: generated by you, by using: (i) an application that may already exist on your operating system (such as Keychain Access on macOS or OpenSSL on Linux), or (ii) third party applications (such as OpenSSL).
•Certificate file: This is the public key certificate that is based on your private key, and which you purchase from a recognized Certificate Authority (CA) such as VeriSign or Thawte. For the purchase, you will need: (i) the Private Key file you generated (it is used to create the CSR and is not itself sent to the CA), and (ii) a Certificate Signing Request (CSR), which can also be generated by your SSL application.
•Certificate Chain files (or Intermediate Certificate files): provided by the CA along with the public key certificate file.
The steps to obtain these three files are listed below.
Since OpenSSL typically comes pre-installed on most Linux distributions and on macOS machines, and can also be installed on Windows computers, the steps listed below are explained with OpenSSL commands. For download links to OpenSSL installer binaries, see the OpenSSL Wiki.
Steps for generating private key and obtaining certificates from CA
1.Generate a private key
SSL requires that a private key is installed on the server. To create the private key, use the following OpenSSL command:
openssl genrsa -out private.key 2048
This creates a file called private.key, which contains your private key. The private key must be in PEM (Privacy Enhanced Mail) format. The file extension is usually .pem, but can also be .key, .cert, .cer, or .crt. The private key must not be password-protected. Save the file in a secure location and make a note of the location. (See the topic Private Key Requirements for details.) You will need the private key to generate the Certificate Signing Request (CSR) in the next step.
2.Generate a Certificate Signing Request (CSR)
A Certificate Signing Request (CSR) is sent to a certificate authority (CA) to request a public key certificate. The CSR is based on your private key and contains information about your organization. Create a CSR with the following OpenSSL command (which provides the private-key file, private.key, that was created in Step 1, as one of its parameters):
openssl req -new -nodes -key private.key -out my.csr
During generation of the CSR you will need to give information about your organization, such as that listed below. This information will be used by the certificate authority to verify your company's identity.
•Country
•Locality (the city where your business is located)
•Organization (your company name). Do not use special characters; these will invalidate your certificate
•Common Name (the DNS name of your server). This must exactly match the fully qualified domain name (FQDN) of the host machine on which the server runs
•A challenge password. Keep this entry blank!
3.Purchase an SSL certificate
Purchase an SSL certificate from a recognized certificate authority (CA) such as VeriSign or Thawte. For the rest of these instructions, we follow the VeriSign procedure. The procedure with other CAs is similar.
•Go to the VeriSign website.
•Click Buy SSL Certificates.
•Different types of SSL certificates are available. For LicenseServer, Secure Site or Secure Site Pro certificates are sufficient. EV (extended verification) is not necessary, since there is no "green address bar" for users to see.
•Proceed through the sign-up process, and fill in the information required to place your order.
•When prompted for the CSR (created in Step 2), copy and paste the content of the my.csr file into the order form.
•Pay for the certificate with your credit card.
4.Receive public key and intermediate files from CA
Your certificate authority will complete the enrollment process over the next two to three business days. During this time you might get emails or phone calls to check whether you are authorized to request an SSL certificate for your DNS domain. Please work with the authority to complete the process.
After the authorization and enrollment process has been completed, you will get an email containing the public key of your SSL certificate. The public key will be in plain text form or attached as a .cer file.
You will also receive two intermediate certificate files (primary and secondary), either as text or in files. In some cases, your certificate authority (CA) will list the content of intermediate certificates on its website.
•VeriSign's intermediate certificates: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR657&actp=LIST&viewlocale=en_US
•VeriSign's intermediate certificates for its Secure Site product: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR1735
Copy-paste both intermediate certificates (primary and secondary) into separate text files and save them on your computer.
5.Save public key to file
For use with LicenseServer, the public key must be saved in PEM (Privacy Enhanced Mail) format. The file extension is usually .pem, but can also be .key, .cert, .cer, or .crt. If the public key was supplied as text, copy-paste all the lines from
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
into a text file that we will call certificate.cer. Both marker lines are part of the certificate and consist of exactly five hyphens on either side of the text.
6.Save CA's intermediate certificates to a single file
To enable SSL encryption for LicenseServer, you must combine the primary and secondary intermediate certificates into a single file. The intermediate files were received from the CA (see Step 4 above).
Copy-paste both intermediate certificates into one file so that they are in sequence. The order of the sequence is important: (i) secondary intermediate certificate, (ii) primary intermediate certificate. Ensure that there are no lines between certificates.
-----BEGIN CERTIFICATE-----
secondary intermediate certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
primary intermediate certificate
-----END CERTIFICATE-----
Save the resulting combined certificate text to a file named intermediates.cer. (The file extension can be any of: .pem, .key, .cert, .cer, or .crt.) This file contains the complete chain of trust in the form of the intermediate certificates that were used by the CA to sign your certificate.
Result files
After you have carried out the steps listed above, you should have the following files:
•Private Key file: named private.key in the steps above (see Step 1)
•Certificate file: named certificate.cer in the steps above (see Steps 2 to 5)
•Certificate Chain files (or Intermediate Certificate files): named intermediates.cer in the steps above (see Steps 4 and 6)
Save these files to a suitable location. You will need to enter their filepaths when enabling SSL encryption in the Web UI settings of the Settings tab.
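The requirements stated in the steps above (unprotected PEM private key, Common Name equal to the FQDN, certificate belonging to the private key, two intermediates with no lines between them) can be checked before the file paths are entered in the Web UI. The shell functions below are an added example, not part of the LicenseServer documentation or product; the function names are hypothetical, the file names are those used on this page, and the openssl command-line tool is assumed to be installed.

```sh
#!/bin/sh
# Added example: pre-flight checks on the files from Steps 1-6.
# File names follow the page; function names are illustrative.

# Step 1: the private key must not be password-protected. Both PEM forms
# of an encrypted key contain the word ENCRYPTED ("Proc-Type: 4,ENCRYPTED"
# or "BEGIN ENCRYPTED PRIVATE KEY").
key_is_unencrypted() {
    grep -q 'PRIVATE KEY-----' "$1" && ! grep -q 'ENCRYPTED' "$1"
}

# Step 2: print the CSR's Common Name so it can be compared with the FQDN.
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
        awk -F' *= *' '/^ *commonName/ { print $2 }'
}

# Print the public key (PEM) held in a key, CSR or certificate file.
pubkey_of() {   # $1 = key|csr|cert   $2 = file
    case "$1" in
        key)  openssl pkey -in "$2" -passin pass: -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null
}

# Steps 2 and 5: the CSR and the issued certificate must carry the public
# key that belongs to private.key. Fails if either file cannot be parsed.
same_keypair() {   # $1 = csr|cert   $2 = file   $3 = private key file
    a=$(pubkey_of "$1" "$2") && b=$(pubkey_of key "$3") &&
        [ -n "$a" ] && [ "$a" = "$b" ]
}

# Step 6: exactly two PEM blocks in sequence with no lines between them.
chain_is_well_formed() {
    awk '
        /^-----BEGIN CERTIFICATE-----\r?$/ { if (inside || gap) bad = 1
                                             inside = 1; n++; next }
        /^-----END CERTIFICATE-----\r?$/   { if (!inside) bad = 1
                                             inside = 0; next }
        !inside && n > 0                   { gap = 1 }
        END { exit !(n == 2 && !inside && !bad) }
    ' "$1"
}
```

After sourcing the file, a typical check is `key_is_unencrypted private.key && same_keypair cert certificate.cer private.key && chain_is_well_formed intermediates.cer`. The chain check is structural only; it does not confirm which block is the primary and which the secondary intermediate.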