Server Registration - Secure your server with a free GlobalSign Certificate

Notice: If you are looking for resources on HyFlex teaching, please visit our Teach HyFlex Page

Generate a Certificate Signing Request (CSR) and install a certificate for your server

Generate a Certificate Signing Request (CSR) and install a certificate for your server. Send the generated CSR file to NDSU IT Security through Secure FileTransfer at filetransfer.ndsu.edu/filedrop/ndsu.itso@ndsu.edu.

Windows

  1. Create inf file C:\software\certs\reqInstructionFile.inf that contains:
    [Version] 
    Signature="$Windows NT$"
    [NewRequest]
    Subject = "CN=SERVERNAME.ndsu.edu, O=North Dakota University
    System, OU=NDSU, L=Fargo, S=North Dakota, C=US, E=cert-
    YOUREMAILADDRESS@ndsu.edu
    KeySpec = 1
    KeyLength = 2048
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0
    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1 ;this is for Server Authentication
  2. Generate the CSR
    1. Open an elevated command Prompt
    2. cd \software\certs
    3. certreq -new reqInstructionFile.inf nameofserverYYYYMMDD.req
  3. Send the CSR to the IT Security Office through Secure FileTransfer
  4. The Security Office will process your request and GlobalSign will send you a certificate
  5. Install the certificate
    1. Copy the certificate to c:\software\certs\nameofserverYYYYMMDD.crt
    2. Open an elevated command prompt
    3. cd \software\certs
    4. certreq -accept nameofserverYYYYMMDD.crt
  6. The new certificate should now be installed on the computer

Linux/MacOS

Unix-based hosts can use OpenSSL to generate a CSR request.

Before you run the openssl command to generate the certificate signing request (CSR), you should choose a good, long passphrase to use for securing the SSL secret key. You should store the passphrase in a secure location as there is no way to retrieve it.

  1. In a terminal, run:
    $ openssl req -sha256 -newkey rsa:2048 -keyout nameofserver.ndsu.edu.key.enc -out nameofserver.ndsu.edu.csr
    When prompted, enter the strong PEM passphrase and following data points:
    • Country Code: US
    • State: North Dakota
    • Locality: Fargo
    • Organization Name: North Dakota State University
    • Organizational Unit Name: Department Name
    • Common Name: nameofserver.ndsu.edu
    • Email Address: your.email@ndsu.edu
    • Challenge password: leave blank
  2. You now have a Secret Key, which should stay on the server, and a CSR. Send the CSR to the IT Security Office through Secure FileTransfer
  3. The Security Office will process your request and GlobalSign will send you a certificate
  4. Install the certificate according to the directions for the application server that you are installing.

    When you get the signed certificate back from the certificate authority, and you put it and the secret key in place on the application server, you will still need to decrypt the secret key and store the decrypted secret key in a file so that the application server doesn't require the passphrase every time the application server is started, such as:
    openssl rsa -in secure.key.enc -out secure.key
  • Be certain you specify -sha256, as all new certificates should use SHA256 as the signing algorithm
  • Be certain you specify rsa:2048, as 1024 bit keys are no longer supported
  • You may omit the -days 1065 or change it to some other value, as appropriate. GlobalSign ignores days setting
  • Both generated files will be in PEM format
  • In the rare occasion the server doesn't have /dev/random or equivalent, you should use the openssl -rand option

It is essential that you store the key passphrase and the secret key securely. File permissions for the secret key should be 600 and the file should be owned by root.

Other

Other hosts you will need to research the CSR procedure on your own.

  1. Generate the CSR
  2. Send the CSR to the IT Security Office through Secure FileTransfer
  3. The Security Office will process your request and GlobalSign will send you a certificate
  4. Install the certificate according to the directions for the application server that you are installing