Marriott Enrollment Server for Web
User Guide
Table of Contents
Prerequisites
    Administrative Access
    RNACs
    Supported Browsers
Downloading Using Internet Explorer
    SSL Browser Certificate Request - IE
    SSL PKCS#10 Certificate Request - IE
Downloading Using Firefox
    SSL Browser Certificate Request - Using Firefox
    SSL PKCS#10 Certificate Request - Using Firefox
Downloading CA Signer Certificates
    Download Subordinate CA Certificate
Exporting Certificates via Internet Explorer
Exporting Certificates via Firefox
Troubleshooting FAQ
Common SSL Conversion Commands
    Convert PFX/P12 to PEM
    Convert PEM to DER
    Import P12 into JKS using Keytool
Prerequisites
Administrative access
The user who will be downloading the certificates must be logged into a machine with an account that has administrative privileges on that machine.
NOTE: Please do not attempt to download certificates while logged into a Terminal Server session. The default group policies on the terminal server do NOT allow you to download certificates.
RNACs
All Marriott issued certificates are downloaded using RNACs (Reference Number and Authorization Codes). These are one-time-use codes, are provided by a PKI Administrator and are valid for 30 days after issuance. Should the RNACs expire before you have attempted to download your certificate, new RNACs will need to be requested.
All RNACs are requested through Marriott's Request Center PKI Certificate Request service.
Supported Browsers
Entrust Authority Enrollment Server for Web is supported on the following Web browsers.
Microsoft Internet Explorer 7.x, 8.x, 9.x and 10.x
Mozilla® Firefox 2.x, 3.x, 4.x, 5.x, 6.x, 7.x, 8.x, 9.x, 10.x, 11.x, 12.x and 13.x
Downloading using Internet Explorer
SSL Browser Certificate Request – IE
This section goes over how to download and activate your (Unmanaged) SSL Browser certificate using Internet Explorer. Should you need to download an (Unmanaged) SSL PKCS#10 certificate using Internet Explorer, please proceed to the next section, SSL PKCS#10 Certificate Request - IE.
Please ensure that you use the correct ESWeb site based on the environment, otherwise your request will fail.
For Production Certificates, please go to:
https://esweb.marriott.com
For Development/Test/Perf Certificates, please go to:
https://eswebdev.marriott.com
Follow the steps below to activate and download your SSL certificate:
1. Click Create SSL Browser Certificate (unmanaged).
2. Enter your Reference Number and your Authorization Code provided from Request Center.
3. Leave the next two fields at their default values:
   o CSP Type: RSA full
   o CSP: Microsoft Enhanced Cryptographic Provider v1.0
4. Choose Submit Request.
5. At the prompts that follow, choose YES, then OK, then YES, then YES.
You will then see the message: "You have successfully retrieved your browser certificate into Internet Explorer. This certificate can be used to securely identify yourself to our web servers, and to conduct private, encrypted communication over the internet."
SSL PKCS#10 Certificate Request - IE
This section goes over how to download and activate your (Unmanaged) SSL PKCS#10 certificate. Should you need to download an (Unmanaged) SSL Browser certificate, please proceed to the previous section, SSL Browser Certificate Request - IE.
Please ensure that you use the correct ESWeb site based on the environment, otherwise your request will fail.
For Production Certificates, please go to:
https://esweb.marriott.com
For Development/Test/Perf Certificates, please go to:
https://eswebdev.marriott.com
Follow the steps below to activate and download your SSL PKCS#10 SERVER certificate. This is a two part process.
Part 1
1. Click "Create a SSL Certificate from a PKCS#10 Request".
2. Enter your Reference Number and your Authorization Code provided or noted from Request Center.
3. Minimize this window for now (you will need to paste the actual CSR into the bottom half of this screen to complete the request).
Part 2
1. Generate your CSR (Certificate Signing Request) on your web server.
NOTE: When you create your CSR, you must put the REFERENCE NUMBER given to you in Request Center in the CN (Common Name) field when prompted. Failure to do this will result in the certificate download failing.
2. Once the CSR is completed, open the CSR file and copy the actual CSR request, including the BEGIN and END lines (see below), and paste it into the bottom half of the original request form.
It should look similar to this (the sample only illustrates the format; your own request will carry your Reference Number as the CN):
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBEzCBzgIBADB7MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
YTEQMA4GA1UEBxMHT2FrbGFuZDEbMBkGA1UEChMSQzJOZXQgU29mdHdhcmUg
SW5jMRAwDgYDVQQLEwdUZXN0aW5nMRYwFAYDVQQDEw1nYWJiZXIuYzIubmV0
MEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxAJukoQhq4LanG2k+LnRTGJAcgv9L
JPsdfCsjqRs8ygoyaw4ucOEdx+WdnM0x36NcQIDAQABMA0GCSqGSIb3DQEBB
AUAAzEABRLR6IkG70oNG1MnvuMDeWou4kIvc98ysjssCNKsDKsHAXBSEbfsI
Qs5JRNagVBW
-----END NEW CERTIFICATE REQUEST-----
3. With the CSR pasted into the form, leave the OPTIONS set to display in raw DER, then choose SUBMIT REQUEST to complete the activation and retrieval of your SSL WEB SERVER certificate.
At this point you have two options:
1. Save the .bin file and then copy it to your web server. The file is DER encoded and can be safely renamed to .der, .cer, or .crt before you install the certificate on your web server.
2. Your certificate is also displayed on the web page in PEM format. Copy it (including the BEGIN and END CERTIFICATE lines) into Notepad, save it with a .pem extension, then copy it to your server to be installed.
Downloading using Firefox
SSL Browser Certificate Request – Using Firefox
This section goes over how to download and activate your (Unmanaged) SSL Browser certificate using Firefox.
Please ensure that you use the correct ESWeb site based on the environment, otherwise your request will fail.
For Production Certificates, please go to:
https://esweb.marriott.com
For Development/Test/Perf Certificates, please go to:
https://eswebdev.marriott.com
Follow the steps below to activate and download your SSL certificate:
1. Click Create SSL Browser Certificate.
2. Enter your Reference Number and your Authorization Code provided or noted from Request Center.
3. Choose Submit Request.
4. Choose the desired Key Length. Choose 2048 (High Grade) unless you have a specific reason not to; shorter RSA keys are no longer considered adequate.
5. Lastly, choose Submit Request.
NOTE: If this is the first time you've downloaded certificates from this website into your terminal server session or local profile, you will need to set a new Software Security Device password. This password protects the private key inside the Firefox key store, so choose a strong one.
Once you've entered your designated password, choose OK to continue. Please keep this password somewhere safe but accessible.
A "Generating a Private Key" window will appear temporarily.
Within the Downloading Certificate window, check all three boxes (these set the purposes for which Firefox will trust the signer certificate) and then choose OK to continue.
Choose OK.
You will now be presented with the successful retrieval message. Your client certificate and the MarriottSubCA1 signer certificate are now in your Firefox certificate store.
SSL PKCS#10 Certificate Request - Using Firefox
This section goes over how to download and activate your (Unmanaged) SSL PKCS#10 certificate using Firefox.
Please ensure that you use the correct ESWeb site based on the environment, otherwise your request will fail.
For Production Certificates, please go to:
https://esweb.marriott.com
For Development/Test/Perf Certificates, please go to:
https://eswebdev.marriott.com
Follow the steps below to activate and download your SSL WEB SERVER certificate. This is a two part process.
Part 1
1. Click "Create a SSL Certificate from a PKCS#10 Request".
2. Enter your Reference Number and your Authorization Code provided or noted from Request Center.
3. Minimize this window for now (you will need to paste the actual CSR into the bottom half of this screen to complete the request).
Part 2
1. Generate your CSR (Certificate Signing Request) on your web server.
NOTE: When you create your CSR, you must put the REFERENCE NUMBER given to you in Request Center in the CN (Common Name) field when prompted. Failure to do this will result in the certificate download failing.
2. Once the CSR is completed, open the CSR file and copy the actual CSR request, including the BEGIN and END lines (see below), and paste it into the bottom half of the original request form.
It should look similar to this (the sample only illustrates the format; your own request will carry your Reference Number as the CN):
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBEzCBzgIBADB7MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
YTEQMA4GA1UEBxMHT2FrbGFuZDEbMBkGA1UEChMSQzJOZXQgU29mdHdhcmUg
SW5jMRAwDgYDVQQLEwdUZXN0aW5nMRYwFAYDVQQDEw1nYWJiZXIuYzIubmV0
MEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxAJukoQhq4LanG2k+LnRTGJAcgv9L
JPsdfCsjqRs8ygoyaw4ucOEdx+WdnM0x36NcQIDAQABMA0GCSqGSIb3DQEBB
AUAAzEABRLR6IkG70oNG1MnvuMDeWou4kIvc98ysjssCNKsDKsHAXBSEbfsI
Qs5JRNagVBW
-----END NEW CERTIFICATE REQUEST-----
3. With the CSR pasted into the form, leave the OPTIONS set to display in raw DER, then choose SUBMIT REQUEST.
You will now see a screen that contains your web server certificate in PEM format.
1. Copy this PEM certificate (including the BEGIN and END CERTIFICATE lines) into Notepad and save it with a .pem extension. This can then be copied to your server to be installed, OR
2. Choose the DOWNLOAD button, then choose Save to Disk, then OK.
Your servercert.bin file is now on your desktop and ready for you to transfer to your web server.
NOTE: The file is DER encoded; you can safely rename it to .der, .cer, or .crt and then install the certificate on your web server.
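The Part 2 CSR step above, and the same step in the Internet Explorer PKCS#10 section, can be done with the OpenSSL command-line tool. The script below is an added example and is not part of the Marriott guide: it generates a 2048-bit RSA key and a PKCS#10 request whose CN is the ESWeb Reference Number, then checks the CN and the request's self-signature before you paste the PEM block into the bottom half of the ESWeb form. The reference number 33498201 and the output directory are constructed placeholders, not a real RNAC.

```shell
#!/bin/sh
# Added example (not from the Marriott guide): build the PKCS#10 request for
# the "Create a SSL Certificate from a PKCS#10 Request" form with OpenSSL.
# Requires the openssl command-line tool.
set -eu

# make_csr REFNUM OUTDIR
#   Writes OUTDIR/server.key (private key, mode 0600) and OUTDIR/server.csr.
#   REFNUM is the ESWeb Reference Number; it goes into the CN, as the guide
#   requires, rather than the server hostname.
make_csr() {
    refnum=$1
    outdir=$2
    mkdir -p "$outdir"
    umask 077   # the private key must not be readable by other users
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$outdir/server.key" 2>/dev/null
    openssl req -new -key "$outdir/server.key" -subj "/CN=$refnum" \
        -out "$outdir/server.csr"
}

# csr_cn CSRFILE
#   Prints the CN of the request so you can confirm it is the Reference
#   Number before submitting.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_verify CSRFILE
#   Exit status 0 when the request's self-signature checks out, i.e. the CSR
#   really was produced with the key you are about to install.
csr_verify() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Demo run with a constructed reference number (not a real RNAC).
demo=$(mktemp -d)
make_csr 33498201 "$demo"
echo "CSR CN: $(csr_cn "$demo/server.csr")"
csr_verify "$demo/server.csr" && echo "CSR self-signature OK"
echo "Paste the block below into the bottom half of the ESWeb form:"
cat "$demo/server.csr"
rm -rf "$demo"
```

OpenSSL writes the header as BEGIN CERTIFICATE REQUEST, while the Windows tools that produced the guide's sample write BEGIN NEW CERTIFICATE REQUEST; both wrap the same PKCS#10 body. Keep server.key on the server that will use it and never paste it into the form; only the CSR leaves the machine.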
Downloading CA Signer Certificates
Download Subordinate CA Certificate
Since our environment is set up with an online Subordinate CA and an offline Root CA, you will also need to download the Subordinate CA's certificate. To do this, on the left hand side of the website, under CA Certificates, click on Install SubCA x509.
NOTE: During the certificate download process, the Root CA signer certificate should automatically be downloaded into your browser store. If you don't see it there, you can manually download it by choosing Install RootCA x509.
Choose Open, then Next, Next and Finish to complete the import.
A CA certificate you install is trusted for everything it has signed, so confirm its fingerprint with the PKI Administrator before installing it on a server.
Exporting Certificates via Internet Explorer
ONLY APPLIES TO UNMANAGED CERTIFICATES
1. Go to TOOLS > INTERNET OPTIONS in your Internet Explorer browser, then open the Content tab and choose CERTIFICATES.
2. Select the appropriate certificate, and then EXPORT.
3. Choose NEXT.
4. Select Include all certificates in the certification path if possible and Enable strong protection.
5. Enter a password for the private key twice and choose NEXT to continue.
NOTE: Please make sure to remember this password; otherwise you will have to repeat the export process out of Internet Explorer again. The exported .pfx file contains your private key and the password is its only protection, so choose a strong one, keep the file in a restricted location, and delete any copies once the key has been imported on the server.
6. Confirm the information is correct, and select Finish (or Back if changes are necessary).
7. Select OK.
Exporting Certificates via Firefox
ONLY APPLIES TO UNMANAGED CERTIFICATES
1. Open your Firefox browser, then go to TOOLS > OPTIONS > ADVANCED.
2. Choose VIEW CERTIFICATES to open your Certificate Manager.
3. Under CERTIFICATE NAME, locate the certificate you wish to export, select it and choose BACKUP.
4. Choose a file name and location to save your exported .pkcs12 file, then choose SAVE.
5. You will now be prompted for the Software Security Device password that you created when you downloaded the certificate. Enter the password and choose OK to continue.
6. You will now need to assign a new password for the private key that you are backing up or exporting. Enter the password twice and choose OK to continue. Please keep this password somewhere safe but accessible, as you will need it in order to IMPORT the file into the key store on your server.
NOTE: The password quality meter shows how strong your password is: the fuller the bar, the stronger the password. The exported file contains your private key and this password is its only protection, so take the meter seriously when choosing one.
Troubleshooting FAQ
Problem: When attempting to download the certificate, you get the following error:
"The error '80090024' occurred. Your certificate request could not be generated. No key pair has been created by the CSP. Please make sure that you have the latest patches for this browser. See your administrator for details."
Reason(s):
o You are logged into a machine on which your account does not have administrative access
o You are logged into a terminal server that does not allow certificate downloads
(0x80090024 is the Windows CryptoAPI error NTE_TEMPORARY_PROFILE: the CSP could not create a persistent key container because the user profile is temporary, which is what a terminal server session with the default policies gives you.)
Solution:
Log into a local machine with an administrator account and retry your download.

Problem: When attempting to download the certificate, you get the following error:
"CMS-API call failure. Please contact your administrator for details"
Reason(s):
o You are using the wrong ESWeb site
o You've entered your RNACs incorrectly
o Your RNACs have expired or have already been used
Solution:
For production certificates, go to: https://esweb.marriott.com
For dev, test and perf certificates, go to: https://eswebdev.marriott.com
Confirm that your RNACs are correct (make sure there are no extra spaces before or after the codes).

Problem: When attempting to download the certificate, you get the following error:
"An error has occurred: (-3274) Security protocol failure. Please contact your administrator for details"
Reason:
The RNACs issued to you have become corrupted.
Solution:
Request new RNACs.

Problem: When attempting to download the certificate, you get the following error:
"An error has occurred: Invalid reference number was provided. Please contact your administrator for details"
Reason:
The Reference Number you have entered is not valid or has already been used.
Solution:
o Verify that your RNACs are correct
o Request new RNACs in the event your previous RNACs were already used

Problem: When attempting to download the certificate, you observe the following scenario:
Instead of seeing a certificate in your browser keystore (client certificate) or being prompted to save a .bin file (server certificate), you are prompted to save a client.cgi file.
Reason:
You have attempted to download your certificate using an unsupported browser.
Solution:
Request new RNACs via the PKI Request Center service and download your certificate using a supported browser.

Problem: When attempting to download the certificate, you get the following error:
"Server certificate request not specified or invalid. Please contact your administrator for details"
Reason:
You have attempted to download your certificate using an unsupported browser.
Solution:
Request new RNACs via the PKI Request Center service and download your certificate using a supported browser. Also check that the complete CSR, including the BEGIN and END lines, was pasted into the bottom half of the form, since that is the request the message refers to.
Common SSL Conversion Commands
Convert PFX/P12 to PEM
Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM:
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
You can add -nocerts to only output the private key, or add -nokeys to only output the certificates:
openssl pkcs12 -in keyStore.pfx -out privatekey.pem -nodes -nocerts
openssl pkcs12 -in keyStore.pfx -out cert.pem -nodes -nokeys
NOTE: -nodes writes the private key unencrypted, so create the output file with restrictive permissions (for example run umask 077 first) and remove it once the key has been installed.
Convert PEM to DER
Convert a PEM file to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
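The script below is an added example, not part of the Marriott guide, that runs the conversion commands above on a locally constructed key store and adds the two checks worth doing before installing a certificate: that the private key matches the certificate, and that the certificate chains to the CA signer (the Subordinate CA certificate from the Downloading CA Signer Certificates section). The CA, server key, certificate, keyStore.pfx and export password are all generated on the spot as stand-ins; the CA is not MarriottSubCA1 and nothing here talks to ESWeb. It requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the Marriott guide): exercise the PFX -> PEM and
# PEM -> DER conversions on a constructed key store and verify the result.
set -eu

# make_fixtures DIR PASS
#   Creates a constructed CA, a server key and certificate signed by it, and
#   DIR/keyStore.pfx holding key + cert + CA, which is what the IE/Firefox
#   export produces with "Include all certificates in the certification path".
make_fixtures() {
    dir=$1; pass=$2
    mkdir -p "$dir"
    umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -subj "/CN=Example Sub CA (constructed)" -days 30 \
        -out "$dir/ca.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/server.key" 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=www.example.test" \
        -out "$dir/server.csr"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 30 \
        -out "$dir/server.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.pem" \
        -certfile "$dir/ca.pem" -passout "pass:$pass" -out "$dir/keyStore.pfx"
}

# split_pkcs12 DIR PASS
#   The guide's two commands: private key only, then certificates only.
#   -nodes writes the key unencrypted, so the file is created under umask 077.
#   -clcerts / -cacerts separate the server certificate from the signer.
split_pkcs12() {
    dir=$1; pass=$2
    umask 077
    openssl pkcs12 -in "$dir/keyStore.pfx" -passin "pass:$pass" \
        -nodes -nocerts -out "$dir/privatekey.pem"
    openssl pkcs12 -in "$dir/keyStore.pfx" -passin "pass:$pass" \
        -nokeys -clcerts -out "$dir/cert.pem"
    openssl pkcs12 -in "$dir/keyStore.pfx" -passin "pass:$pass" \
        -nokeys -cacerts -out "$dir/chain.pem"
}

# key_matches_cert KEY CERT
#   Exit 0 when the public key inside CERT is the one derived from KEY.
#   A mismatch here is the usual cause of key errors when the server starts.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# chain_verifies CACERT CERT
#   Exit 0 when CERT chains to CACERT (the Subordinate CA you downloaded).
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# pem_to_der PEMCERT DERCERT
#   The guide's PEM -> DER command; prints the SHA-256 fingerprint of the
#   DER file so it can be compared with the PEM original.
pem_to_der() {
    openssl x509 -outform der -in "$1" -out "$2"
    openssl x509 -inform der -in "$2" -noout -fingerprint -sha256
}

# cert_fingerprint PEMCERT
#   Prints the SHA-256 fingerprint of a PEM certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Demo run with a constructed export password.
demo=$(mktemp -d)
make_fixtures "$demo" 'constructed-export-password'
split_pkcs12 "$demo" 'constructed-export-password'
key_matches_cert "$demo/privatekey.pem" "$demo/cert.pem" && echo "key matches certificate"
chain_verifies "$demo/chain.pem" "$demo/cert.pem" && echo "certificate chains to the CA"
echo "DER: $(pem_to_der "$demo/cert.pem" "$demo/cert.der")"
echo "PEM: $(cert_fingerprint "$demo/cert.pem")"
rm -rf "$demo"
```

With a real export, replace make_fixtures with the .pfx/.p12 you saved from the browser and the chain with the Subordinate CA certificate you downloaded; the same key_matches_cert and chain_verifies checks apply. Passing the password with -passin pass:... leaves it in the shell history, so on a shared machine omit -passin and let openssl prompt.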
Import P12 into JKS using Keytool
The command keytool -pkcs12 lists options to import a PKCS#12 key. The keystore password for the (*.jks) file should be the one used for the J2EE keystore. The command for the conversion is:
keytool -pkcs12 -pkcsFile fileName -pkcsKeyStorePass password -pkcsKeyPass password -jksFile outputFileName -jksKeyStorePass password
This will result in a JKS file that has the key (the private key and the certificate chain) in the file.
NOTE: The -pkcs12 form above is not accepted by the standard JDK keytool, which does the same import (JDK 6 and later) with -importkeystore:
keytool -importkeystore -srckeystore keyStore.pfx -srcstoretype PKCS12 -destkeystore keyStore.jks -deststoretype JKS
Passwords given on the command line end up in your shell history; leave the password options out and keytool will prompt for them.