This document addresses only how to acquire and verify an M.I.T. Application Certificate. This is not a tutorial on X.509 certificates.
PREREQUISITES
Before you begin, you must have the following:
1. How to acquire an Application Certificate
a. Generate an RSA key for an application certificate
To generate the key, execute the following command line:

    openssl genrsa 2048 > appname-key.pem

where appname matches the name of the server that the final certificate will apply to (e.g. if the application certificate CN is going to be foo.app.mit.edu, then this file would be foo-key.pem).

appname-key.pem is the server certificate's private key. Do not lose this key. Store it in a safe and secure location.
b. Generate a request for an application certificate
To generate a request for an application certificate, execute the following command line:

    openssl req -key appname-key.pem -new > appname-req.pem

where appname is as in a. above.

When prompted for input, use these answers (or use the default answers for all but Common name and challenge password):

    Country Name (2 letter code): US

The file, appname-req.pem, contains the information for your certificate. Cut and paste the contents of this file into an email and send it to mitcert@mit.edu. When you paste the contents of the appname-req.pem file into the email, be sure to include the BEGIN and END lines.

The Subject line of the email should read: Request for an Application Certificate. Also include in the body of the email a short line stating that you are requesting an Application Certificate. Stating that you want an Application Certificate is important.
c. Verify the Application Certificate
After a few days, you will receive an email that has your Application Certificate as an attachment. Save the Application Certificate to the directory you created in 1a above. You can change the name of the certificate file to something that is meaningful to you. In this document, the Application Certificate was assumed to be saved as appname.cer, where appname is as in section 1 above.

appname.cer is the actual application certificate. Do not lose this certificate. Store the certificate (along with its private key generated in 1. above) in a safe and secure location.

View the Application Certificate to verify that you have the correct certificate. To view the certificate, execute the following command line:

    openssl x509 -in appname.cer -text

Find the line that says: Netscape Cert Type. The line immediately following this line should say: SSL Client, SSL Server, S/MIME, Object Signing. If this is not the case, then you may have the wrong type of certificate.

Also verify that the issuer of the certificate is the MIT client certificate authority by finding the following line (either of these is fine):

    Issuer: C=US, ST=Massachusetts, O=Massachusetts Institute of Technology, OU=Client CA V1
    Issuer: C=US, O=Internet2, OU=InCommon, CN=InCommon Server CA

Also verify that the certificate is for your machine by finding your application certificate name in the certificate's Subject: line. It will be the CN entry and will be of the form appname.app.mit.edu.

Finally, verify the certificate's activation and expiration dates by looking at the two lines following Validity.
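Steps 1a to 1c can also be run without prompts, with the manual checks of 1c turned into exit codes plus a check that the returned certificate belongs to the key from 1a. The following is an added example, not part of the original instructions; the function names, the `ISSUER_RE` override and the two-field subject (C and CN only) are assumptions.

```sh
#!/bin/sh
# Added example. Assumptions: a subject holding only C and CN, the ISSUER_RE
# override, and the function names. Not taken from the original page.

# Steps 1a and 1b: write appname-key.pem (mode 0600) and appname-req.pem.
make_key_and_csr() {
    app=$1
    # umask in a subshell so only the key file gets the restrictive mode
    ( umask 077; openssl genrsa 2048 > "$app-key.pem" 2>/dev/null ) || return 1
    # -subj answers the prompts up front; other DN fields are left out here
    openssl req -new -key "$app-key.pem" \
        -subj "/C=US/CN=$app.app.mit.edu" > "$app-req.pem"
}

# Step 1c as exit codes: 0 ok, 1 unreadable input, 2 certificate does not
# belong to this key, 3 unexpected issuer, 4 wrong CN, 5 already expired.
check_cert() {
    cert=$1 key=$2 want_cn=$3
    # Default pattern: the two issuer lines the page accepts
    issuer_re=${ISSUER_RE:-'OU=Client CA V1|CN=InCommon Server CA'}

    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 2

    openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 |
        grep -Eq "$issuer_re" || return 3

    # RFC2253 prints comma-separated RDNs; pick out the CN value
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p')
    [ "$cn" = "$want_cn" ] || return 4

    # -checkend 0 fails if notAfter has passed; notBefore is not checked
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || return 5
}
```

The issuer test compares the printed name only; it does not validate the signature chain, which needs `openssl verify` with the issuing CA's certificate. The Netscape Cert Type line is still checked by eye in the `-text` output.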