Generate a Certificate Signing Request (CSR) and install a certificate for your server. Send the generated CSR file to NDSU IT Security through Secure FileTransfer at filetransfer.ndsu.edu/filedrop/ndsu.itso@ndsu.edu.

• Windows
• Linux/MacOS
• Other

Windows

1. Create inf file C:\software\certs\reqInstructionFile.inf that contains:
   

   [Version] 
   Signature="$Windows NT$" 
   [NewRequest] 
   Subject = "CN=SERVERNAME.ndsu.edu, O=North Dakota University 
   System, OU=NDSU, L=Fargo, S=North Dakota, C=US, E=cert- 
   YOUREMAILADDRESS@ndsu.edu" 
   KeySpec = 1 
   KeyLength = 2048 
   Exportable = TRUE 
   MachineKeySet = TRUE 
   SMIME = False 
   PrivateKeyArchive = FALSE 
   UserProtected = FALSE 
   UseExistingKeySet = FALSE 
   ProviderName = "Microsoft RSA SChannel Cryptographic Provider" 
   ProviderType = 12 
   RequestType = PKCS10 
   KeyUsage = 0xa0 
   [EnhancedKeyUsageExtension] 
   OID=1.3.6.1.5.5.7.3.1 ;this is for Server Authentication

2. Generate the CSR
   1. Open an elevated command Prompt
   2. cd \software\certs
   3. certreq -new reqInstructionFile.inf nameofserverYYYYMMDD.req
3. Send the CSR to the IT Security Office through Secure FileTransfer
4. The Security Office will process your request and GlobalSign will send you a certificate
5. Install the certificate
   1. Copy the certificate to c:\software\certs\nameofserverYYYYMMDD.crt
   2. Open an elevated command prompt
   3. cd \software\certs
   4. certreq -accept nameofserverYYYYMMDD.crt
6. The new certificate should now be installed on the computer

Linux/MacOS

Unix-based hosts can use OpenSSL to generate a CSR request.

Before you run the openssl command to generate the certificate signing request (CSR), you should choose a good, long passphrase to use for securing the SSL secret key. You should store the passphrase in a secure location as there is no way to retrieve it.

1. In a terminal, run:

   $ openssl req -sha256 -newkey rsa:2048 -keyout nameofserver.ndsu.edu.key.enc -out nameofserver.ndsu.edu.csr

   When prompted, enter the strong PEM passphrase and following data points:
   • Country Code: US
   • State: North Dakota
   • Locality: Fargo
   • Organization Name: North Dakota State University
   • Organizational Unit Name: Department Name
   • Common Name: nameofserver.ndsu.edu
   • Email Address: your.email@ndsu.edu
   • Challenge password: leave blank
2. You now have a Secret Key, which should stay on the server, and a CSR. Send the CSR to the IT Security Office through Secure FileTransfer
3. The Security Office will process your request and GlobalSign will send you a certificate
4. Install the certificate according to the directions for the application server that you are installing.
   
   When you get the signed certificate back from the certificate authority, and you put it and the secret key in place on the application server, you will still need to decrypt the secret key and store the decrypted secret key in a file so that the application server doesn't require the passphrase every time the application server is started, such as:

   openssl rsa -in secure.key.enc -out secure.key

It is essential that you store the key passphrase and the secret key securely. File permissions for the secret key should be 600 and the file should be owned by root.

Other

For other hosts or integrated system you will need to research the CSR procedure on your own.

1. Generate the CSR
2. Send the CSR to the IT Security Office through Secure FileTransfer
3. The Security Office will process your request and GlobalSign will send you a certificate
4. Install the certificate according to the directions for the application server that you are installing