How do I generate a certificate request for a 3rd party cert

Post by FTP » Thu Dec 10, 2009 9:55 am

Step 1 - Create a new SSL certificate using Wing FTP
You can create a new SSL certificate at "Server->Settings->SSL Certificate Manager". Wing FTP will automatically generate three files in your directory, with the extensions ".crt", ".key" and ".csr". For example, if you name the SSL certificate file "yoursite", you will find:
"yoursite.crt": the certificate file signed by Wing FTP.
"yoursite.key": the private key file. Keep it secret: anyone who obtains it can impersonate your server. Only the .csr file is sent to the CA.
"yoursite.csr": the Certificate Signing Request file, which must be sent to a certificate authority (CA) to apply for a digital identity certificate.

Step 2 - Send the Certificate Signing Request file to CA
If your request is successful, you will get a digitally signed identity certificate from the CA. Replace your previous certificate file with the new .crt file from the CA.

Please note that if your SSL certificate was issued by an intermediate certificate authority, you may need to take some further steps to make it work. Create a new file with the extension ".crt" and build a certificate chain in it. The site certificate comes first, and each following certificate is the issuer of the one before it. The basic format of the certificate chain is:
-----BEGIN CERTIFICATE-----
your site certificate signed by CA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate CA 1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate CA 2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate CA n
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root CA
-----END CERTIFICATE-----

Step 3 - Configure your domain with the certificate signed by the CA
After your certificate has been signed and it is displayed correctly in the "SSL Certificate Manager", select it for the specific domain at "domains->settings->General settings->Miscellaneous->SSL certificate".


What is the intermediate certificate?
There are two types of certificate authorities (CAs), root CAs and intermediate CAs. In order for a certificate to be trusted, and often for a secure connection to be established at all, that certificate must have been issued by a CA that is included in the trusted store of the device that is connecting.
If the certificate was not issued by a trusted CA, the connecting device (e.g., a web browser) will then check to see if the issuing CA of the certificate was issued by a trusted CA, and so on until either a trusted CA is found (at which point a trusted, secure connection will be established) or no trusted CA can be found (at which point the device will usually display an error).
To facilitate this process of verifying a "chain" of trust, every certificate includes the fields "Issued To" and "Issued By". An intermediate CA will show different information in these two fields, showing a connecting device where to continue checking, if necessary, in order to establish trust.
Root CAs, on the other hand, are "Issued To" and "Issued By" themselves, so no further checking is possible or necessary in order to establish trust (or lack thereof).
For example, if I have a certificate issued to "mysite.com" and issued by "Intermediate CA 1", and my web browser trusts "Root CA", trust may be established in the following manner.
Certificate 1 - Issued To: mysite.com; Issued By: Intermediate CA 1
Certificate 2 - Issued To: Intermediate CA 1; Issued By: Intermediate CA 2
Certificate 3 - Issued To: Intermediate CA 2; Issued By: Intermediate CA 3
Certificate 4 - Issued To: Intermediate CA 3; Issued By: Root CA

My browser trusts "Root CA", and a secure connection can now be established. Since this process is often called "certificate chaining," intermediate CA certs are sometimes called "chained certificates". For enhanced security purposes, most end user certificates today are issued by intermediate certificate authorities.
Installing an intermediate CA signed certificate on a web server or load balancer usually requires installing a bundle of certificates.

Note: When you create the self-signed certificate in the first step, the "Domain Name/Common Name" field must match the fully qualified domain name or IP address of your server, or clients will encounter a "Certificate Mismatch" error.
FTP
Site Admin