iTP Secure WebServer System Administrator's Guide (iTPWebSvr 6.0+)

Integrating the WebSafe2 Internet Security Processor (WISP)
iTP Secure WebServer System Administrator’s Guide 523346-002
Generating the Public/Private Key Pair and Obtaining the Certificate
Step 3. Requesting a Certificate From a Certificate Authority (CA)
To request a certificate, e-mail the file cert-req.txt to a CA. For more information
about this process, see Requesting a Certificate on page 4-10.
Step 4. Obtaining a KEK Pair Using Variant 31
You obtain a KEK pair using variant 31 by performing the following steps:
a. Select Encryption Key MFK1.
b. Define Key Under MFK1.
c. Select 1 for a single length (8-byte) key.
d. Enter 1 as the number of key parts.
e. Select the MFK.
f. Enter input variant 310.
g. Create and record the left portion of the clear text. You can enter your own
clear KEK or have the SCT generate one for you.
h. Record the left portion of the cryptogram.
i. Create and record the right portion of the clear text. You can enter your own
clear KEK or have the SCT generate one for you.
j. Record the right portion of the cryptogram.
When you finish the procedure, the SCT displays the check digits for the whole
cryptogram.
The KEK pair you obtain will be used to encrypt data the WISP sends to the iTP
Secure WebServer during runtime. Make a note of the keys, because you will need to
enter them when installing the certificate.
Step 5. Installing the Certificate
Once a certificate from a CA has been received and a KEK pair has been generated
using variant 31, the certificate can be installed through the keyadmin command using
the -websafeadd and -kek_mfk31 arguments.
You can add certificates that have DNs that are different from the DN used during key
generation. A typical case where this occurs is when a DN is changed by an issuing
CA.
When you install such a certificate for the first time, the iTP Secure WebServer creates
a file called newdn.txt (in the root directory) that contains the new DN. If you install
any certificates subsequently that have DNs that are different from those used during
key generation or those installed previously, those certificates’ DNs are appended to