...
Before you begin, you must have the following:
...
a. Generate an RSA key for an application certificate
    openssl genrsa 2048 > appname-key.pem

where appname matches the name the final certificate will apply to (e.g. if the application certificate CN is going to be foo.app.mit.edu, then this file would be foo-key.pem).

appname-key.pem is the certificate's private key. Do not lose this key. Store it in a safe and secure location.
...
After a few days, you will receive an email that has your Application Certificate as an attachment. Save the Application Certificate to the directory you created in 1a above. You can change the name of the certificate file to something that is meaningful to you. In this document, the Application Certificate is assumed to be saved as appname.cer, where appname is as in section 1 above.

appname.cer is the actual application certificate. Do not lose this certificate. Store the certificate (along with its private key generated in 1. above) in a safe and secure location.

View the Application Certificate to verify that you have the correct certificate. To view the certificate, execute the following command line:

    openssl x509 -in appname*.cer -text

Find the line that says: Netscape Cert Type. The line immediately following this line should say: SSL Client, SSL Server, S/MIME, Object Signing. If this is not the case, then you have the wrong type of certificate.

Also verify that the issuer of the certificate is the MIT client certificate authority by finding the following line (either of these is fine):

    Issuer: C=US, ST=Massachusetts, O=Massachusetts Institute of Technology, OU=Client CA V1
    Issuer: C=US, O=Internet2, OU=InCommon, CN=InCommon Server CA

Also verify that the certificate is for your machine by finding your application certificate name in the certificate's Subject: line. It will be the CN entry and will be of the form appname.app.mit.edu.

Finally, verify the certificate's activation and expiration dates by looking at the two lines following Validity.
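The certificate checks described above can be scripted so they are repeatable. This is an added example, not part of the original page: the function name check_app_cert is an assumption, and the final key-pairing check goes beyond the page's list. It reads names with -nameopt RFC2253, which prints the same issuer fields in reverse order and in a form that does not vary between OpenSSL versions.

```shell
#!/bin/sh
# Added example: automates the manual certificate checks from the text.
# Usage: check_app_cert CERT KEY APPNAME   (e.g. foo.cer foo-key.pem foo)
check_app_cert() {
    cert=$1 key=$2 cn="$3.app.mit.edu" rc=0
    fail() { echo "FAIL: $1" >&2; rc=1; }

    # Netscape Cert Type: the line after the header must list all four uses.
    nstype=$(openssl x509 -in "$cert" -noout -text |
        awk '/Netscape Cert Type/ { getline; gsub(/^[ \t]+|[ \t]+$/, ""); print }')
    [ "$nstype" = "SSL Client, SSL Server, S/MIME, Object Signing" ] ||
        fail "Netscape Cert Type is '$nstype'"

    # Issuer: must be one of the two issuers named in the text
    # (written here in RFC2253 order, most specific field first).
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 |
        sed 's/^issuer= *//')
    case $issuer in
        "OU=Client CA V1,O=Massachusetts Institute of Technology,ST=Massachusetts,C=US") ;;
        "CN=InCommon Server CA,OU=InCommon,O=Internet2,C=US") ;;
        *) fail "unexpected issuer: $issuer" ;;
    esac

    # Subject: one component must be exactly CN=appname.app.mit.edu.
    openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | grep -qx "CN=$cn" ||
        fail "subject CN is not $cn"

    # Validity: print both dates for review; -checkend 0 fails if expired.
    openssl x509 -in "$cert" -noout -dates
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        fail "certificate has expired"

    # Key pairing: the certificate's public key must match the private key.
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        fail "private key does not match certificate"

    return $rc
}
```

The function returns 0 only when every check passes, so it can gate a deployment step.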