Obtaining a Trusted Server Certificate

To obtain a server certificate from a CA that is trusted by the client operating system, consult the documentation from the CA of your choice using the following information as a guide. The CA will require a Certificate Signing Request (CSR).

To generate a CSR

  1. Download the latest version of OpenSSL from https://www.openssl.org/source/.
  2. Install OpenSSL on the Webspace Server.
  3. Click Start, and then Run.
  4. Type cmd, and press Enter.
  5. Type the following command to generate a private key for the server:
[OPENSSL_DIR]\bin\openssl genrsa -out server.key 2048
where OPENSSL_DIR is the path to the directory in which OpenSSL is installed (e.g., C:\OpenSSL).
  6. Type the following command:
[OPENSSL_DIR]\bin\openssl req -sha256 -new -key server.key -out server.csr

Running this command will prompt you for the attributes to be included in your certificate, as follows:

  Country Name: US
  State: your state
  Locality: your city
  Organization: your company name
  Organizational Unit: your department
  Common Name: your server’s name
  E-mail Address: your e-mail address

Unless you are using a wildcard SSL Certificate, the Common Name must match the host name of the Webspace host (the name that users will specify when connecting to the host). Any variation in the name will cause the client to issue a warning when connecting. The output of the above command will be a file named server.csr, which can be sent to your CA. Since Webspace’s SSL implementation is based on the OpenSSL toolkit, the tools used are the same as those used in other OpenSSL-based products, such as the Apache mod_ssl package. Follow instructions provided by your CA for the mod_ssl package to obtain a certificate for your server.

When your CA sends you the signed server certificate file, save it as server.crt. Copy this file and the server.key file (generated in step 5 above) to a directory on the Webspace host that can be accessed from the System account and accounts that belong to the Administrator group but that cannot be accessed from normal user accounts. Finally, select the signed certificate file in the Webspace Admin Console, as described below.

To select the server certificate

  1. From the Webspace Admin Console, click Tools and then Host Options.
  2. Click the Security tab.
  3. In the Transport list, select SSL.
  4. Type or browse to the path to the server's certificate (e.g., server.crt) file in the SSL Certificate box.
  5. Click OK.

Webspace requires that the certificate and its key be in PEM format. When requesting a certificate from a third-party CA, GE recommends requesting it in PEM format. If this is not possible and the certificate can only be delivered in DER format, it can be converted to PEM format using the following command:
openssl x509 -inform der -in MYCERT.cer -out MYCERT.pem

The resulting MYCERT.pem file can then be renamed to MYCERT.crt for use in Webspace.
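
The script below is an added example, not part of the original documentation or vendor code. It checks the files before the certificate is selected in the Admin Console: both files are PEM, the key, CSR and certificate carry the same public key, the Common Name matches the host name, and the key's ACL lists only System and Administrators. The OpenSSL path C:\OpenSSL, the file locations and the host name webspace.example.com are assumptions.

```powershell
# Added example (not vendor code). Assumed values: OpenSSL in C:\OpenSSL, the
# three files in the current directory, and a placeholder host name.
param(
    [string]$OpenSslDir = 'C:\OpenSSL',
    [string]$HostName   = 'webspace.example.com',
    [string]$Key = 'server.key', [string]$Csr = 'server.csr', [string]$Crt = 'server.crt'
)
$openssl = Join-Path $OpenSslDir 'bin\openssl.exe'

function Invoke-OpenSsl([string[]]$A) {
    # Run openssl with the given arguments and return stdout as one string.
    $out = & $openssl $A
    if ($LASTEXITCODE -ne 0) { throw "openssl $($A -join ' ') failed" }
    $out -join "`n"
}

function Test-CommonName([string]$Cn, [string]$Name) {
    # Exact match, or a wildcard CN (*.example.com) covering one leading label.
    if ($Cn -ieq $Name) { return $true }
    $dot = $Name.IndexOf('.')
    return ($Cn.StartsWith('*.') -and $dot -gt 0 -and ($Name.Substring($dot) -ieq $Cn.Substring(1)))
}

# 1. Webspace needs PEM: both files must contain a PEM header line.
if (-not (Select-String -Path $Crt -Pattern '^-----BEGIN CERTIFICATE-----' -Quiet)) { throw "$Crt is not PEM; convert it from DER first" }
if (-not (Select-String -Path $Key -Pattern '^-----BEGIN .*PRIVATE KEY-----' -Quiet)) { throw "$Key is not a PEM private key" }

# 2. Key, CSR and issued certificate must all carry the same public key.
$keyPub = Invoke-OpenSsl 'pkey','-in',$Key,'-pubout'
$csrPub = Invoke-OpenSsl 'req','-in',$Csr,'-noout','-pubkey'
$crtPub = Invoke-OpenSsl 'x509','-in',$Crt,'-noout','-pubkey'

# 3. Common Name must match the name users specify when connecting.
$subject = Invoke-OpenSsl 'x509','-in',$Crt,'-noout','-subject'
$cn = if ($subject -cmatch '\bCN\s*=\s*([^,/\r\n]+)') { $Matches[1].Trim() } else { '' }

# 4. Key ACL: flag entries other than SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544).
$sid = [System.Security.Principal.SecurityIdentifier]
$extra = (Get-Acl $Key).Access | Where-Object {
    $_.IdentityReference.Translate($sid).Value -notin 'S-1-5-18','S-1-5-32-544' }

[pscustomobject]@{
    CsrMatchesKey  = ($csrPub -eq $keyPub)
    CertMatchesKey = ($crtPub -eq $keyPub)
    CommonName     = $cn
    CnMatchesHost  = (Test-CommonName $cn $HostName)
    UnexpectedAcl  = @($extra | ForEach-Object { $_.IdentityReference.Value })
}
```

Run it from the directory that holds the three files. Resolve any False value or any account listed under UnexpectedAcl before selecting the certificate.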