• No results found

e-cert (Server) User Guide For Microsoft IIS 7.0

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "e-cert (Server) User Guide For Microsoft IIS 7.0"

Copied!
40
0
0

Loading.... (view fulltext now)

Download now ( 40 Page )

Full text

(1)

e-Cert (Server) User Guide

For Microsoft IIS 7.0

(2)

Table of Content

A.  Guidelines for e-Cert (Server) Applicant ... 3 

New and Renew Application ... 4 

B.  Generating Certificate Signing Request (CSR) ... 5 

C.  Submitting Certificate Signing Request (CSR) ... 10 

D.  Installing Hongkong Post Root CA Certificate ... 15 

Installing the Sub CA Certificate ... 17 

Installing the “Hongkong Post Root CA 1” Certificate ... 22 

E.  Installing Server Certificate ... 26 

Bind the Certificate to a website ... 27 

F.  Backing up the Private Key ... 29 

G.  Restoring the Private key ... 37 

(3)

Page 3

A. Guidelines for e-Cert (Server) Applicant

After receipt and approval of an e-Cert (Server) application, Hongkong Post Certification Authority will send an e-mail with subject “Submission of Certificate Signing Request (CSR)” to request the applicant (i.e. the Authorized Representative) to submit the CSR at the Hongkong Post CA web site.

This user guide is for reference by applicants of e-Cert (Server) in generating their key pair and Certificate Signing Request (CSR) using Microsoft IIS 7.0 on Windows 2008. The CSR containing the public key will then be submitted to Hongkong Post Certification Authority for certificate signing.

If you lose the private key after the certificate is issued, you will be unable to install or use the certificate. Therefore, it is strongly recommended that you should backup the private key before the submission of the Certificate Signing Request (CSR) and after the installation of the server certificate. To learn the backup and restore procedures of the private key, please follow the instructions as described in the following sections:

(4)

New and Renew Application

Please follow the instructions as described in the following sections for a new or renew application for e-Cert (Server):

B.  Generating Certificate Signing Request (CSR) ... 5 

C.  Submitting Certificate Signing Request (CSR) ... 10 

D.  Installing Hongkong Post Root CA Certificate ... 15 

Installing the Sub CA Certificate ... 17 

Installing the “Hongkong Post Root CA 1” Certificate ... 22 

E.  Installing Server Certificate ... 26 

(5)

Page 5

B. Generating Certificate Signing Request (CSR)

1 Start menu, “Administrative Tools”, and click on “Internet Information Services (IIS) Manager”.

(6)

3 At the right column "Actions" , select “Create Certificate Request”

Note : For renew of e-Cert (Server) application, please do not click “Renew” option to renew the certificate. Please click “Create Certificate Request” as the same

procedures as new application for e-Cert

(7)

Page 7

4 Type the common name (i.e. server name) for your site, organization’s name and your organizational unit, select “HK” for the “Country/Region”. Type “Hong Kong” for both “State/province” and “City/locality”, and then click “Next”.

Note: Please make sure that the correct domain name (i.e. server name) is shown in the “Issued To” field and “HK” in the “Country/Region” field.

Note: For application of e-Cert (Server) with “Multi-domain” feature, please input the “Common Name” field with “Server name used as Subject Name in the Certificate” being filled in the application form. It is not necessary to specify any “Additional Server Name(s)” in the Subject Alternative Name of the CSR to be generated. It will be assigned by the Hongkong Post CA system automatically based on the information applied in the application form when the certificate is issued.

(8)

5 Choose the Cryptographic service provider, “Microsoft RSA SChannel Cryptographic Provider” and 2048 for the “Bit length”, and then click “Next”.

(9)

Page 9

(10)

C. Submitting Certificate Signing Request (CSR)

1. Click on the hyperlink in the e-mail with subject “Submission of Certificate Signing Request (CSR)” sent from Hongkong Post Certification Authority to access the Hongkong Post CA web site.

(11)

Page 11

3. Click “Submit” to confirm the application information. (If the information is incorrect, please contact Hongkong Post Certification Authority.)

(12)

5. Paste the content to the text box, and then click “Submit”.

(13)

Page 13

7. Click to download the Hongkong Post e-Cert (Server)

Note:

1. You can also download your e-Cert (Server) from the Search and Download Certificate web page.

http://www.hongkongpost.gov.hk/en/sc

2. e-Cert (Server) supporting OCSP will be issued by default starting from 1 September 2015. For e-Cert (Server) supporting OCSP, Hongkong Post e-Cert CA 1 - 15 should be installed on your server instead of "Hongkong Post e-Cert CA 1 - 10" or "Hongkong Post e-Cert CA 1 - 14". Click following link to download:

http://www1.hongkongpost.gov.hk/root/ecert_ca_1-15_pem.crt

3. If SHA-1 e-Cert (Server) with 1-year validity period is issued upon your written request, the “Hongkong Post e-Cert CA 1 - 10” certificate should be installed on your server instead of “Hongkong Post e-Cert CA 1 - 14” or “Hongkong Post e-Cert CA 1 - 15”. Click following link to download:

http://www1.hongkongpost.gov.hk/root/ecert_ca_1-10_pem.crt 4. If SHA-256 e-Cert (Server) not supporting OCSP with 1-year validity

period is issued upon your written request, the “Hongkong Post e-Cert CA 1 - 14” certificate should be installed on your server instead of “Hongkong Post e-Cert CA 1 - 10” or “Hongkong Post e-Cert CA 1 - 15”. Click following link to download:

http://www1.hongkongpost.gov.hk/root/ecert_ca_1-14_pem.crt

5. HongKong Post e-Cert Root CA 1 can be downloaded from Hong Kong Post web site:

(14)
(15)

Page 15

D. Installing Hongkong Post Root CA Certificate

1. Start Microsoft Management Console (MMC) by clicking “Start” > “Run”, type “mmc” and click OK, and then select “Add/Remove Snap-in” from the “File” menu.

(16)

3. Select “Computer account”, and then click “Next”.

(17)

Page 17 Installing the Sub CA Certificate

The following example use “Hongkong Post e-Cert CA 1 – 15”.

5. Expand “Intermediate Certification Authorities” and right-click “Certificates”, and then select “All Tasks” > “Import”.

6. In the “Certificate Import Wizard”, click “Next” to continue. Note:

For installation of SHA-256 e-Cert (Server) supporting OCSP, please use “Hongkong Post e-Cert CA 1 – 15”

(http://www1.hongkongpost.gov.hk/root/ecert_ca_1-15_pem.crt)

For installation of SHA-256 e-Cert (Server) not supporting OCSP, please use “Hongkong Post e-Cert CA 1 – 14”

(http://www1.hongkongpost.gov.hk/root/ecert_ca_1-14_pem.crt)

For installation of SHA-1 e-Cert (Server), please use “Hongkong Post e-Cert CA 1 – 10”

(18)
(19)

Page 19

7. Click “Browse” to locate the “Hongkong Post e-Cert CA 1 - 15” certificate that you downloaded in Part C Step 7 (ecert_ca_1-15_pem.crt ), and then click “Next”.

(Hongkong Post e-Cert CA 1-15 can also be downloaded from Hongkong Post web site: http://www1.hongkongpost.gov.hk/root/ecert_ca_1-15_pem.crt )

(20)

9. Click “Finish” to close the wizard.

(21)

Page 21

(22)

Installing the “Hongkong Post Root CA 1” Certificate

11. Expand “Trusted Root Certification Authorities” and right-click “Certificates”, and then select “All Tasks” > “Import”.

(23)

Page 23

13. Click “Browse” to locate the “Hongkong Post Root CA 1” certificate that you downloaded in Part C Step 7 (root_ca_1_pem.crt), and then click “Next”.

(24)

14. Select “Place all certificates in the following store”, and then click “Next”.

(25)

Page 25 16. Click “OK” to complete.

(26)

E. Installing

Server

Certificate

1. In “Internet Information Services (IIS) Manager”, select your web site, and then double-click “Server Certificates”. At the right column "Actions", select “Complete Certificate Request”.

(27)

Page 27

3. “Hongkong Post e-Cert (Server)” certificate has been successfully installed

Bind the Certificate to a website

(28)

2 click “Add…”

(29)

Page 29 F. Backing up the Private Key

1. Start Microsoft Management Console (MMC) by clicking “Start” > “Run”, type “mmc” and click OK, and then select “Add/Remove Snap-in” from the “File” menu.

(30)

3. Select “Computer account”, and then click “Next”.

(31)

Page 31 5 Backup the private key

(32)
(33)

Page 33 6 In Certificate Export Wizard , choose “Next

(34)

8 Select “Personal Information Exchange - PKCS #12 (.PFX)” and check the box “Include all certificates in the certificate path if possible”, and then click “Next”

9 Type and confirm a password for the private key, and then click “Next”.

(35)

Page 35

10 Specify the name of the file you want to export, and then click “Next”. (By default, the file will be saved with a .PFX extension.)

11 Click “Finish” to close the wizard.

(36)
(37)

Page 37 G. Restoring the Private key

1 Start menu, “Administrative Tools”, and click on “Internet Information Services (IIS) Manager”.

(38)

4 Enter the path and file name of the file containing the certificate , and password, then click “OK”.

Note: You may uncheck the box “Allow this certificate to be exported” to not allow the certificate to be exported. Or to allow you to back up or transport your

certificate at a later time, you may check the box “Allow this certificate to be exported”.

(39)

Page 39 Bind the Certificate to a website

6 Click on the website that you want to bind the certificate to. Click “Bindings”

(40)

References

Download now ( PDF - 40 Page - 1.91 MB )

Related documents

Globe Hosting Certification Authority Globe Hosting, Inc. 501 Silverside Road, Suite 105, Wilmington, DE 19809, County of New Castle, United States

applicant submits the required information: Certificate Signing Request (CSR), e-mail address, common name, organizational information, country code, verification method and

The Media, Implementation of the Nigerian National Communication Policy, and Citizens’ Participation in Development

information, and bring development closer to the people, especially those in rural areas, the federal government in 2006 set up a committee chaired by renowned scholar

Enterprise Random Password Manager

The configuration of the e-mail server (including enabling SSL and establishing a certificate trust) is done outside ERPM. 6) A Web server (IIS 7.5 or later) with ASP (Active

Cisco TelePresence VCS Certificate Creation and Use

The default "Web Server" certificate template used by the Microsoft Certification Authority application will only create a certificate for Server Authentication. The

This document uses the following conventions for items that may need to be modified:

Creating a Certificate Signing Request (CSR) To create a Certificate Signing Request (CSR): 1) Stop the Contract Management Web server. 2) Run the following command to create

e-cert (Server) User Guide For Apache Web Server

Change to the Apache server directory containing the certificate files (e.g. /usr/local/apache/conf/ssl.crt/), and then type the following command at the prompt to create a

>copy openssl.cfg openssl.conf (use the example configuration to create a new configuration)

Generating a CSR (Certificate Signing Request) The following contains information and instructions on generating a Certificate Signing Request (CSR) which you are required to send

SharePoint Services: Using Workflows

instructions. After a workflow starts, the server assigns tasks to all participants.. If e-mail alerts are enabled for the server, the server also sends e-mail alerts to