iX 6.5)

ManualsBrandsHP ManualsSoftwareMPE/iX 6.0 Operating System

171

172

173

174

175

176

177

178

179

180

174 Chapter10

HP WebWise MPE/iX Secure Web Server

Server Keys and Certiﬁcates

19:02:9d:3e:9f:32:d0:be:9a:54:3d:bc:c0:ed:63:67:cd:a3:

eb:68:a1:2d:7a:0f:94:87:f0:a8:14:f6:45:cf:bd:a9:bc:13:

9a:4c:cc:fb:a7:ab:73:88:17:23:90:b3:49:58:7f:d5:02:55:

f1:85:81:f8:ea:48:d9:40:bc:29:de:f8:ed:e3:04:9c:b9:b1:

c2:ce:8d:c2:c8:43:e7:73:bc:e6:e5:9f:99:b5:73:98:dd:65:

38:ba

4. $ chmod 400 server.csr

You’re now ready to have your CSR signed by a Certiﬁcate Authority (CA). This results

in the creation of a server certiﬁcate. You have two options — you can either have an

external trusted CA sign your CSR, or you can create your own CA and use it to sign your

CSR. Choose one of these options which are explained in detail.

Submit Your CSR to an External Trusted CA For Signing...

All web browsers come preconﬁgured with a list of trusted CAs. Certiﬁcates signed by

these trusted CAs will in turn be trusted by the browsers. If your certiﬁcate is signed by a

CA unrecognized by the browser, each browser user will get a warning dialog window each

time they visit your web site. So if you’re doing an Internet e-commerce application where

you have no control over the customer’s browser conﬁguration, you will want to obtain your

certiﬁcate from one of the default trusted CAs recognized by all browsers.

There are many trusted CAs; VeriSign (www.verisign.com) and Equifax

(www.equifaxsecure.com) are just two examples.By using your browser’s security-related

features, you can list all of the CAs trusted by that particular browser.

You can either purchase a real certiﬁcate at this point, or alternatively you can usually

obtain a free test certiﬁcate good for a limited time. In either case, the process is the same.

You typically visit the CA’s web site and submit a web registration form that includes a

cut/paste of your CSR, and then the CA e-mails the resulting certiﬁcate to you.

You need to cut/paste your CSR in its raw PEM format, which looks like this if you display

the contents of the conf/ssl.csr/server.csr ﬁle:

-----BEGIN CERTIFICATE REQUEST-----

MIIB4TCCAUoCAQAwgaAxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNeSBTdGF0ZTEQ

MA4GA1UEBxMHTXkgQ2l0eTETMBEGA1UEChMKTXkgQ29tcGFueTEPMA0GA1UECxMG

TXkgT3JnMRowGAYDVQQDExF3d3cubXljb21wYW55LmNvbTEqMCgGCSqGSIb3DQEJ

ARYbd2VibWFzdGVyQHd3dy5teWNvbXBhbnkuY29tMIGfMA0GCSqGSIb3DQEBAQUA

A4GNADCBiQKBgQDS1iRItFKSDzOhDShFeoiWkfnc0yPGp7rkk17T05y6GCfsJdtb

H/Umn2uM/tSNOiguAPBYce8prLYjNqyXY4QBCzWQNGv/NbGDCoGhElrVzwBEYnBy

+TyPMF/dYdH+1oOaaTZ0ZE0WP0l6CimzzXjvwCupOpcQ82zfh2HTRpPYawIDAQAB

oAAwDQYJKoZIhvcNAQEEBQADgYEAj1vTRa5SamY2IwkLudFcK1ISAJh4lzlbnfaf

grIsPyS74PBHGQKdPp8y0L6aVD28wO1jZ82j62ihLXoPlIfwqBT2Rc+9qbwTmkzM

+6erc4gXI5CzSVh/1QJV8YWB+OpI2UC8Kd747eMEnLmxws6NwshD53O85uWfmbVz

mN1lOLo=

-----END CERTIFICATE REQUEST-----