WebCert Help
============
1. Certificate Generation
Fill out the form in buildrequest.cgi and a certificate
request along with the public/private key pair will be
generated. You will see the subject information of the
generated request and the corresponding private key.
Copy and paste the private key into a local file; you
will need it in order to use the certificate. Since the
private key is private for a reason, no copy is left on
the server, so if you miss this step you won't be able to
use the generated certificate.
If you already have a certificate request, say it's already
been generated for you by a smart network or firewall device
(e.g. Cisco, Netscreen), you already have a key pair
that stays on that device. In that case simply cut and paste
the certificate request into the certrequest.cgi form
and generate the certificate. Once done, simply import
the certificate into your device.
A valid certificate request looks like this (example):
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
You need to paste such a request, including the "Begin" and
"End" lines, into the certrequest.cgi form and press [verify].
If you pasted a valid certificate request, the verification screen
will show you the subject information that will be signed. Select
the certificate type from the list and set an expiration date
counted in days from now (365 = 1 yr, 730 = 2 yrs, 1460 = 4 yrs).
Hit [Sign Request] and the certificate will be generated. If
successful, you'll get a certificate displayed that looks like
this:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Now you can cut and paste it via an editor such as Windows Notepad
into a text file and save it locally. Alternatively, you can use
the [Export] functions to download the certificate as a file.
A detailed how-to for generating an S/MIME certificate is here:
http://www.frank4dd.com/howto/openssl/webcert-smime-howto.htm
2. Certificate Export
Certificates can be exported for easy download in either DER, PEM
or PKCS12 format. They are written to the webcert export directory
and a link is provided to save the file locally.
To create a PKCS12 container for easy use with Windows S/MIME you
will need the previously generated private key in PEM format for
pasting it into the export form. The PKCS12 container will be
secured with the supplied passphrase in the export form. This
passphrase is needed when the .p12 file is imported by Windows.
3. Certificate Installation
Certificates can be installed/loaded from the cut-and-paste text files
or from the downloaded certificate files which were exported.
For some applications, the filename must have a certain extension,
such as .pem for PEM files; try renaming it if that is
the case. Sometimes it is also necessary to co-install the CA Root
certificate to enable the verification of the generated certificate.
4. Certificate Management
All certificates are stored in a directory on this server. They
can be viewed with the "list certificates" item (certstore.cgi).
It conveniently displays the subject along with the remaining
time for the certificate to be valid.
The "ViewPEM" button displays the certificate in PEM format,
convenient for importing it into various certificate stores.
The "ViewTXT" button shows the certificate data readable in
ASCII text format.
5. Certificate Search
To find particular certificates, the certsearch CGI can filter
the cert store by subject field, serial number, validation or
expiration date. This helps to identify certificates that are
about to expire, and renew them before they become invalid.
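As an added Python example (not WebCert's own code) of what the certstore listing and the certsearch filters compute: it parses a constructed text dump in the layout the "ViewTXT" button shows, reports the remaining validity per certificate, and filters by subject, serial number or days to expiry; the certificates, names and the fixed "now" date are made up.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of an OpenSSL text dump (what the
# "ViewTXT" button shows); two made-up certificates, not real ones.
CERT_TEXT = """\
Certificate:
    Data:
        Serial Number: 4660 (0x1234)
        Validity
            Not After : Dec 19 23:59:59 2010 GMT
        Subject: O=Example Corp, CN=vpn-gw.example.test
Certificate:
    Data:
        Serial Number: 4661 (0x1235)
        Validity
            Not After : Jan  4 23:59:59 2009 GMT
        Subject: O=Example Corp, CN=mail.example.test
"""
DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # OpenSSL's date layout (day space-padded)
NOW = datetime(2010, 12, 1, tzinfo=timezone.utc)  # fixed "now" for the demo

def parse_store(text):
    """Return one dict (serial, subject, not_after) per certificate."""
    certs = []
    for chunk in re.split(r"^Certificate:\s*$", text, flags=re.M)[1:]:
        serial = re.search(r"Serial Number:\s*(\d+)", chunk).group(1)
        subject = re.search(r"^\s*Subject:\s*(.+)$", chunk, re.M).group(1)
        date = re.search(r"Not After\s*:\s*(.+GMT)", chunk).group(1)
        expiry = datetime.strptime(date, DATE_FMT).replace(tzinfo=timezone.utc)
        certs.append({"serial": int(serial), "subject": subject,
                      "not_after": expiry})
    return certs

def remaining_days(cert, now):
    """Days of validity left, as certstore.cgi lists; negative once expired."""
    return (cert["not_after"] - now).days

def search(certs, now, subject=None, serial=None, expires_within=None):
    """Filter like certsearch: substring on the subject, exact serial,
    and/or everything expiring within N days (already expired included)."""
    return [c for c in certs
            if (subject is None or subject in c["subject"])
            and (serial is None or c["serial"] == serial)
            and (expires_within is None
                 or remaining_days(c, now) <= expires_within)]
```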
6. Most Common Errors
Hitting "Generate" with no certificate in the paste cert form will
result in an "Error getting request from certrequest.cgi form".
Not including the "Begin" or "End" lines, or having an additional
empty line before or after the "Begin" or "End" lines when
pasting the request into the form will result in an "Error invalid
request format, no BEGIN/END lines".
Accidentally clicking somewhere in the paste window, which
generates a newline in the request data, will result in an
"Error cant read request content with PEM function".
In short, CAREFULLY pasting the request resolves most errors.
Trying to generate a certificate from a request that has already
been processed works just fine.
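The checks behind these three error messages, as an added Python example that is not WebCert's own code: it reproduces the failures above on constructed input (a minimal DER blob stands in for a real request) and also applies the expiration-day limits from section 7; the 64-character line rule and the rejection of 0 days are this example's own assumptions.

```python
import base64
import binascii
import textwrap

BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
END = "-----END CERTIFICATE REQUEST-----"
MAX_DAYS = 11663  # upper limit for the expiration field (section 7)

def check_request(text):
    """Return None if the pasted request passes, else the error string the
    certrequest.cgi form shows (wording from section 6). The line rules are
    this example's own and stricter than a PEM reader: 64-character base64
    lines, only the last one may be shorter, no empty lines."""
    if not text.strip():
        return "Error getting request from certrequest.cgi form"
    lines = text.splitlines()  # a single trailing newline is tolerated
    # An extra empty line before BEGIN or after END fails this test too.
    if lines[0] != BEGIN or lines[-1] != END:
        return "Error invalid request format, no BEGIN/END lines"
    body = lines[1:-1]
    pem_error = "Error cant read request content with PEM function"
    for i, line in enumerate(body):
        # A stray newline in the body leaves an empty line, or a short
        # line that is not the last one.
        if len(line) == 0 or (len(line) != 64 and i != len(body) - 1):
            return pem_error
    try:
        der = base64.b64decode("".join(body), validate=True)
    except binascii.Error:
        return pem_error
    if not der or der[0] != 0x30:  # DER requests start with a SEQUENCE tag
        return pem_error
    return None

def check_days(days):
    """Validate the 'days from now' field: negatives and values above
    MAX_DAYS are errors on this page; 0 is rejected here as an assumption."""
    if days < 1 or days > MAX_DAYS:
        return "Error invalid expiration, must be 1..%d days" % MAX_DAYS
    return None

# Constructed sample: a minimal DER SEQUENCE{OCTET STRING} of 96 bytes,
# not a real CSR, wrapped at 64 characters the way OpenSSL writes PEM.
_DER = b"\x30\x5e\x04\x5c" + b"A" * 92
_B64 = base64.b64encode(_DER).decode()
SAMPLE_REQUEST = "\n".join([BEGIN] + textwrap.wrap(_B64, 64) + [END])
# The same request with a newline accidentally inserted into its body.
BROKEN_REQUEST = SAMPLE_REQUEST.replace(_B64[:64], _B64[:10] + "\n" + _B64[10:64])
```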
7. Browser Complaints
Browser constantly asks if this certificate can be trusted and
complains about various things:
Importing the Root CA "parent" certificate can help resolve
this issue. That's what the "Get Root CA cert" item is for. Loading
the Root CA into your browser enables the automatic
verification of the certificate every time you connect. No
questions asked.
If there is still a window popping up asking if you want
to accept this certificate, then it's mostly a mismatch between
the certificate common name (CN) and the device name/server
name/device IP/server IP. Either the certificate was requested
wrongly, or the device changed its name/IP recently. Ask the
device owner to generate a new certificate (request) with the
valid device name/IP entry.
Certificates are signed to be valid for a time range and
"expire". The expiration defaults to 3 years. This should
give plenty of time to regenerate a new certificate when
the time comes. Certificates can still work when expired,
but the browser comes up with an error message. Re-certification
of devices is a good way to enforce inventory updates. Setting the
expiration date too far into the future (>11663 days = >32 years)
or trying negative values will result in an error.
last update 12/20/2007 (c) 2003-2007 Frank4DD