Server Registration - Secure your server with a free GlobalSign Certificate
Generate a Certificate Signing Request (CSR) and install a certificate for your server. Send the generated CSR file to NDSU IT Security through Secure FileTransfer at filetransfer.ndsu.edu/filedrop/ndsu.itso@ndsu.edu.
Windows
- Create inf file C:\software\certs\reqInstructionFile.inf that contains:
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=SERVERNAME.ndsu.edu, O=North Dakota University System, OU=NDSU, L=Fargo, S=North Dakota, C=US, E=cert-YOUREMAILADDRESS@ndsu.edu"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
- Generate the CSR
  - Open an elevated command prompt
    cd \software\certs
    certreq -new reqInstructionFile.inf nameofserverYYYYMMDD.req
- Send the CSR to the IT Security Office through Secure FileTransfer
- The Security Office will process your request and GlobalSign will send you a certificate
- Install the certificate
  - Copy the certificate to c:\software\certs\nameofserverYYYYMMDD.crt
  - Open an elevated command prompt
    cd \software\certs
    certreq -accept nameofserverYYYYMMDD.crt
  - The new certificate should now be installed on the computer
Linux/MacOS
Unix-based hosts can use OpenSSL to generate a CSR.
Before you run the openssl command to generate the certificate signing request (CSR), you should choose a good, long passphrase to use for securing the SSL secret key. You should store the passphrase in a secure location as there is no way to retrieve it.
- In a terminal, run:
$ openssl req -sha256 -newkey rsa:2048 -keyout nameofserver.ndsu.edu.key.enc -out nameofserver.ndsu.edu.csr
When prompted, enter the strong PEM passphrase and the following data points:
- Country Code: US
- State: North Dakota
- Locality: Fargo
- Organization Name: North Dakota State University
- Organizational Unit Name: Department Name
- Common Name: nameofserver.ndsu.edu
- Email Address: your.email@ndsu.edu
- Challenge password: leave blank
- You now have a Secret Key, which should stay on the server, and a CSR. Send the CSR to the IT Security Office through Secure FileTransfer
- The Security Office will process your request and GlobalSign will send you a certificate
- Install the certificate according to the directions for the application server that you are installing.
When you get the signed certificate back from the certificate authority and put it and the secret key in place on the application server, you will still need to decrypt the secret key and store the decrypted secret key in a file so that the application server doesn't require the passphrase every time it is started, such as:
openssl rsa -in secure.key.enc -out secure.key
- Be certain you specify -sha256, as all new certificates should use SHA256 as the signing algorithm
- Be certain you specify rsa:2048, as 1024 bit keys are no longer supported
- You may omit the -days 1065 or change it to some other value, as appropriate. GlobalSign ignores the days setting
- Both generated files will be in PEM format
- On the rare occasion the server doesn't have /dev/random or equivalent, you should use the openssl -rand option
It is essential that you store the key passphrase and the secret key securely. File permissions for the secret key should be 600 and the file should be owned by root.
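A check to run before sending the CSR from the Linux/MacOS procedure above, added here as an example and not part of the original instructions: it confirms that the CSR's self-signature verifies, that it is signed with SHA-256, that the key is at least 2048 bits, and that the key file is mode 600. The function names check_csr and make_sample, the sample passphrase, and the temporary directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not NDSU's code): check a CSR and its key file before sending the CSR.
# check_csr CSR KEYFILE prints one line per problem and returns the problem count.
check_csr() {
    csr=$1 key=$2 problems=0
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || {
        echo "FAIL: $csr is not a readable PEM CSR"; return 1; }

    # The CSR is signed with the new private key; that self-signature must verify.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || {
        echo "FAIL: CSR self-signature does not verify"; problems=$((problems + 1)); }

    # -sha256: the signing algorithm must be SHA-256.
    echo "$text" | grep 'Signature Algorithm:' | grep -qi 'sha256' || {
        echo "FAIL: CSR is not signed with SHA-256"; problems=$((problems + 1)); }

    # rsa:2048: the key must be at least 2048 bits.
    bits=$(echo "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || {
        echo "FAIL: key is ${bits:-unknown} bits, need 2048 or more"; problems=$((problems + 1)); }

    # The key file must be mode 600 (GNU stat first, then BSD/macOS stat).
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    [ "$mode" = 600 ] || {
        echo "FAIL: $key has mode $mode, expected 600"; problems=$((problems + 1)); }

    [ "$problems" -eq 0 ] && echo "OK: $csr (${bits}-bit key, SHA-256), key file mode $mode"
    return "$problems"
}

# make_sample DIR writes a constructed sample key and CSR into DIR. The passphrase is
# given on the command line only because this is throwaway sample data; for a real
# key, let openssl prompt for it as in the procedure above.
make_sample() {
    openssl req -sha256 -newkey rsa:2048 -passout pass:constructed-sample-passphrase \
        -subj "/C=US/ST=North Dakota/L=Fargo/O=North Dakota State University/CN=nameofserver.ndsu.edu" \
        -keyout "$1/nameofserver.ndsu.edu.key.enc" -out "$1/nameofserver.ndsu.edu.csr" 2>/dev/null
    chmod 600 "$1/nameofserver.ndsu.edu.key.enc"
}

demo=$(mktemp -d)
make_sample "$demo"
check_csr "$demo/nameofserver.ndsu.edu.csr" "$demo/nameofserver.ndsu.edu.key.enc"
rm -rf "$demo"
```

Run the same check against the decrypted key file as well, since that is the file the application server reads at startup.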
Other
For other hosts or integrated systems you will need to research the CSR procedure on your own.
- Generate the CSR
- Send the CSR to the IT Security Office through Secure FileTransfer
- The Security Office will process your request and GlobalSign will send you a certificate
- Install the certificate according to the directions for the application server that you are installing