Guidelines on Securing Public Web Servers
Signature algorithm identifier
Digital signature over the certification request information.
Although the specific steps to generate a CSR may differ somewhat for each Web server,
Figure 7.2 shows a sample CSR.
Figure 7.2: Sample CSR  
Web servers that are SSL/TLS enabled provide specific instructions for the generation of a
CSR.[29]
 There are two major types of CSRs.  The most popular is the encoded Public Key 
Cryptography Standard (PKCS) #10, Certification Request Syntax Standard, which is used by 
newer Web servers [RSA00].  The other CSR type, based on the Privacy Enhanced Mail 
(PEM) specification, is called either PEM Message Header or Web site Professional format.  
The use of this CSR is generally limited to older Web servers. 
Many of the more recent Web servers generate PKCS #10 compliant CSRs similar to the
example CSR shown previously.  Beyond the DN and public key, a CSR can carry additional
information about the entity, such as a challenge password by which the entity may later
request certificate revocation, as well as attributes for inclusion in the X.509 certificate [RSA00].
Spelling and punctuation should be checked when information is provided during the CSR
generation process.  The URL that is supplied must exactly match the URL for which the
certificate will be used; otherwise SSL/TLS clients are configured to generate an error.  In some
instances, a user may acknowledge this error in an alert box and proceed despite it.
Once the CSR has been generated, it must be submitted to a CA.  The CA's role is to fulfill the
CSR by authenticating the requesting entity and verifying the entity's signature.  If the request
is valid, the CA constructs an X.509 certificate from the DN and public key, the issuer name
(more commonly referred to as the common name [CN]), and the CA's choice of serial
number, validity period, and signature algorithm.
Upon receiving a submitted CSR, the CA must verify the CSR and create a signed X.509
certificate.  At this point, most CAs will then alert the applicant by phone, e-mail, etc., that the
X.509 certificate is available.  Once notified, applicants will be able to download their
certificates through an SSL/TLS protected Web-based interface.  Figure 7.3 shows an X.509
29 For CSR generation methods of Web servers, see: http://www.thawte.com/getinfo/products/keygen/contents.html.