5.5.4.2: Getting a production certificate from a certificate authority

To obtain a certificate from a certificate authority, you must create a file containing a certificate signing request (CSR). You then send the file to the CA. The procedure for getting the file to the CA varies with the CA and with the type of certificate, test or production, being requested.

This file describes how to get a production certificate from a specific commercial CA, VeriSign. Getting a production certificate can be expensive, depending on the type of certificate and its strength. It is often instructive to request a test certificate from a CA before requesting a production certificate.

After you have created a file containing a certificate signing request, request a production certificate by following these steps:

  1. Start your Web browser and link to VeriSign's home page at http://www.verisign.com.
  2. Choose Web Server Certificates --> Buy Now --> [Buy] Global Site Services. This begins a series of pages that collect the information VeriSign needs to process your certificate request. Read each page carefully. When you complete a page, display the next page by clicking the Continue button.

    The page titled Before You Start lists the things you should do before beginning this process, including installing web server software, setting up your Internet proxies, determining how you will pay for the certificate, reviewing the legal agreement and, if necessary, printing the enrollment guide. You should treat any references to "web server software" as references to the WebSphere software.
  3. The page titled Step 1: Obtain Proof of Right provides instructions on one of the authentication steps that VeriSign performs. In this case, you must prove that your enterprise has the right to operate under the Organization name that you specified in your CSR. The VeriSign process is optimized for using D-U-N-S numbers for this purpose. If you take this approach, you must provide your D-U-N-S number or, if you are a U.S. company, VeriSign can look it up for you.

    If you don't have a D-U-N-S number, or if you don't want to use this to prove your right to the Organization name, you can provide alternate proof of right. For example, if you have a letter of incorporation or similar article, you can fax a copy to VeriSign. Using an alternate proof of right will slow the process down, because you will not be able to continue until VeriSign has received and processed the alternative proof.
  4. The page titled Step 2: Confirm Domain Name informs you that you (your enterprise) must own the domain name indicated in the common name of your certificate. These domain names are registered with NIC, and VeriSign will verify that the domain name you specified belongs to your enterprise; this is part of the authentication process completed by certificate authorities.
  5. The page titled Step 3: Generate CSR instructs you to create your CSR. If you have already created a CSR file, you can skip this step.
  6. The page titled Step 4: Submit CSR provides you with an edit box. This is where you will insert the CSR.
  7. Open the file containing the CSR; use any text editor that supports cut-and-paste actions.
  8. In your editor window, select all of the text, including the header
    -----BEGIN NEW CERTIFICATE REQUEST-----
    and the corresponding trailer.
  9. Paste the text into the edit box on the Submit CSR page in your browser.
  10. The page titled Step 5: Complete Application requires you to enter a lot of information. Verify your distinguished name and enter the following:
    • Server information
      • Vendor of the server software: Click the pull-down button and select IBM.
      • A challenge phrase: A text string. This can be anything you like, and you should treat it like a password. You will be asked to present this same challenge phrase when you submit a renewal request or if you ask to have the certificate revoked (for example, if the certificate is compromised). You may also be asked to supply this challenge phrase when speaking with VeriSign.
    • Technical contact information: This should identify you. Your e-mail address is particularly important; VeriSign will e-mail the certificate to this address.
    • Organizational contact information: This should be someone other than yourself who is a member of your enterprise. VeriSign will contact this person during the authentication process, to verify the legitimacy of your request.
    • Billing contact information: Enter the person in your organization who is responsible for payment.
    • The type of Secure Server ID that you are requesting
    • Payment information
    • Organizational information (your D-U-N-S number): If you use an alternate proof of right, then VeriSign will instruct you on how to fill out this information.
  11. Review the Server Certificate Agreement. To accept the conditions and submit your request, click the Accept button. If you reject the conditions, click the Decline button.

VeriSign will send you an e-mail message containing your signed production certificate. The certificate must be installed in a keyring class.
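
Steps 7 through 9 depend on the CSR text reaching the edit box complete, with its header, body and trailer. The following pre-submission check is an added example, not part of the original documentation or of WebSphere; the function names and the sample (a constructed stand-in, not a real CSR) are assumptions made for illustration.

```python
import base64
import binascii
import re

# PEM labels for a PKCS #10 request: the page shows the "NEW" form.
LABELS = ("NEW CERTIFICATE REQUEST", "CERTIFICATE REQUEST")


def check_csr_text(text):
    """Return a list of problems in pasted CSR text; an empty list means intact."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return ["empty input"]
    begin = re.fullmatch(r"-----BEGIN (.+)-----", lines[0])
    if not begin or begin.group(1) not in LABELS:
        return ["missing or unrecognized BEGIN header"]
    if len(lines) < 2 or lines[-1] != "-----END %s-----" % begin.group(1):
        return ["missing or mismatched END trailer"]
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except (binascii.Error, ValueError):
        return ["body is not valid base64 (characters lost or altered)"]
    # The request is a single DER SEQUENCE whose declared length must cover
    # every decoded byte; a shortfall means part of the body was dropped.
    if len(der) < 2 or der[0] != 0x30:
        return ["body does not start with a DER SEQUENCE"]
    if der[1] < 0x80:                       # short-form length
        header_len, body_len = 2, der[1]
    else:                                   # long-form length
        n = der[1] & 0x7F
        header_len, body_len = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header_len + body_len != len(der):
        return ["DER length mismatch: declared %d bytes, decoded %d"
                % (header_len + body_len, len(der))]
    return []


def make_sample():
    """Constructed stand-in, not a real CSR: a DER SEQUENCE around filler bytes."""
    der = b"\x30\x81\xc8" + bytes(range(200))
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN NEW CERTIFICATE REQUEST-----\n" + body +
            "\n-----END NEW CERTIFICATE REQUEST-----\n")


SAMPLE = make_sample()

if __name__ == "__main__":
    print(check_csr_text(SAMPLE) or "CSR text is intact")
```

This checks only the envelope of the pasted text. Where OpenSSL is available, `openssl req -in <file> -noout -verify -subject` additionally verifies the request's self-signature and prints the subject, which can be compared against the Organization name and domain name that VeriSign will authenticate.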
