Virginia Tech Certification Authority

Technical PKI FAQ

General Technical Information

Certificate Signing Request (CSR)Creation Information

Server Information

How to's


What is OpenSSL?

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.

Can I setup a simple client and server to test my new certificates?

Yes, OpenSSL provides simple server and client services to test the use of SSL using certificates. S-server provides basic server facilities that can be used by s-client to connect (via TCP/IP). Once the server and client are connected and have successfully opened a socket, both the client and server can pass characters to each other forming a primitive talk session. View for the OpenSSL toolkit documentation.

What is PKCS #12?

PKCS #12 or Public Key Cryptography Standard #12 is a standard for securely storing private keys and certificates. It is often used by browsers including Netscape and Microsoft Internet Explorer for transporting keys when using import and export functions. View for PKCS #12 documentation.

How are certificates stored?

Certificates are kept in special repositories called keystores and can be distributed in several different formats:
1. X509 format (.cer and .crt file-extension for Windows) certificate is widely supported. This file represents the individual certificate.
2. Cryptographic Message Syntax -PKCS #7 Format (.p7b file extension for Windows) This format is used for exporting complete chain.
3. Personal Information Exchange syntax -PKCS #12 Format (.pfx and .p12 file extensions for Windows). This format is used for exporting the public/private key pair. Very helpful in importing key pairs to the browsers.
4. Certificate Signing Request (CSR) Syntax -PKCS #10 Format. This format is used for generating signing requests to trusted certificate signing authorities.



What's the MAC, it keeps saying it is OK?

This is an integrity check. When used with the correct password it can be used to verify that the file has not been corrupted. My PKCS #12 application (and NS/MSIE) currently uses the same password for integrity (MAC) and privacy (encryption) by default. If you use the two pass option you can set and input separate passwords: such files cannot be imported into current versions of MSIE or NS.



What are iteration counts?

The algorithm used to generate keys from passwords and the MAC has an optional iteration count. This determines how many times part of the algorithm is repeated. It's a way of slowing down the key derivation process to make it harder to make dictionary attacks on the password. The OpenSSL PKCS #12 "-info" option now prints information about iteration counts.



What iteration counts are used in OpenSSL PKCS #12?

By default, both iteration counts are set to 2048. If you use the -nomaciter option the MAC iteration count is also set to 1. Some software such as MSIE4 need this option because they do not support mac iteration counts. If you use the -noiter option the iteration count is set to 1; since this makes dictionary attacks on the password easier. This is not recommended.



How can I display the content of a certificate using OpenSSL?

$openssl x509 -in cert.pem -noout -text



How can I display the certificate MD5 fingerprint using OpenSSL?

$openssl x509 -in cert.pem -noout -fingerprint



How can I convert a certificate from PEM to DER format using OpenSSL?

$openssl x509 -in cert.pem - inform PEM -out cert.der -outform DER



How can I tell PEM format from DER?

You can start by editing the file, If the file starts with "------begin ------" and the file contains data that looks like this:

UVMFfq342wkq9Yo/g+4tIWsrA23om5xVhXmMtnS+ACl0YUDcotkYJMnb+dr MWO+am

"-----end ------"

then it is a PEM format. If the file looks like a binary file where there is nothing understandable, then it is DER



Can I use the IIS Certificate Wizard to make a CSR for the VTCA?

Yes, however, you must remove the current server certificate before the the option to create a CSR is available. You may want to backup or export your current certificate before removing it. Your certificate must have at least a 2048 key.

Follow the directions at



Can I use Certificates issued by Virginia Tech on IIS 5.0 and 6.0, if so how?

Yes, you can use certificates issued by Virginia Tech CA's with IIS version 5.0 and 6.0. You can follow these steps to do so:

  1. Generate a Certificate Signing Request (CSR) using OpenSSL as outlined in this FAQ
  2. Read and do the procedures for the type of subscription you need:
  3. After You received an email notice instructing you how to retrieve your signed certificate you will need to do the following:
    1. Make a PKCS #12 file using your certificate and the corresponding private key.
    2. Import the PKCS #12 or .p12 file into your certificate store.
  4. Import the Global Qualified Server chain into your certificate store. Navigate to and in the CA: Virginia_Tech_Global_Qualified_Server_CA section click on the "Download to Internet Explorer" link on the following two CA certificates: CN= Trusted Root CA SHA256 G2; CN=Virginia Tech Global Qualified Server CA.
  5. Enable SSL on your server using the procedure at How can I configure SSL on IIS web server?



How can I generate RSA key pair and make a PKCS #10 request using OpenSSL?

  1. Generate the RSA key pair and certificate signing request (CSR) as follows (use the default file names key.pem and req.pem or substitute your own file names):
    $openssl req -newkey rsa:2048 -keyout key.pem -out req.pem -nodes

    If you wish to encrypt your private key then do not include the -nodes option.

  2. Detailed directions are at OpenSSL + Related



How can I package my certificate and its corresponding private key into a PKCS #12 file?

You will receive your certificate from IMS in DER format. You must convert it to PEM format.
$openssl x509 -inform DER -in download.cer -outform PEM -out download.pem

Then you can package your certificate to a PKCS #12 file using the below OpenSSL command:

openssl pkcs12 -export -inkey key.pem -in download.pem -out myserver.p12 -name "my test cert"

download.cer is: The certificate you received from IMS
key.pem: The key you created when you made your CSR request
myserver.p12:is the output file where the PKCS #12 file will be stored
my test cert: just a friendly name that can be anything you like



How to Import a Server Certificate for Use in Internet Information Services 5.0 or 6.0?

  1. Open the Certificates (Local Computer) snap-in and navigate to Personal, and then Certificates.
    Note: Certificates may not be listed. If it is not, that is because there are no certificates installed.
  2. Right-click Certificates (or Personal if that option does not exist.)
  3. Choose All Tasks, and then click Import.
  4. When the wizard starts, click Next. Browse to the PFX or p12 file you created containing your server certificate and private key. Click Next.
  5. Enter the password you gave the PFX or p12 file when you created it. Be sure the Mark the key as exportable option is selected if you want to be able to export the key pair again from this computer. As an added security measure, you may want to leave this option unchecked to ensure that no one can make a backup of your private key.
  6. Click Next, and then choose the Certificate Store you want to save the certificate to. You should select Personal because it is a Web server certificate. If you included the certificates in the certification hierarchy, it will also be added to this store.
  7. Click Next. You should see a summary of screen showing what the wizard is about to do. If this information is correct, click Finish.
  8. You will now see the server certificate for your Web server in the list of Personal Certificates. It will be denoted by the common name of the server (found in the subject section of the certificate).
  9. To complete the installation and configuration of the server certificate, the CA certificates chain MUST also be installed on the server. Please refer to your server documentation on how to configure your server to use trusted CA chains. You can save the VTGlobalQualifiedServerSHA256_chain to a local file by right clicking on the preceding link.



How to Export a Server Certificate stored in Internet Information Services 5.0 or 6.0?

  1. Open a blank Microsoft Management Console (MMC).
  2. Add the Certificates snap-in.
  3. When you are prompted, select Computer Account and Local Computer.
  4. Expand Personal, and then expand Certificates. A certificate with the name of your Web site appears in the "Issued To " column.
  5. Right-click your certificate, click All Tasks, and then click Export.
  6. In the Export window, click Next.
  7. Click Yes, export the private key, and then click Next.
    NOTE: If you do not have the option to click Yes in the Export Private Keys window, the private key has already been exported to another computer or the key never existed on this computer. You cannot use this certificate on ISA Server. You must request a new certificate for this site for ISA Server.
  8. Select Personal Information Exchange, and then click to select the check boxes for all three options.
  9. Assign a password and confirm it.
  10. Assign a file name and location.
  11. Click Finish. Make sure that you safeguard the file that you just created, because your ability to use the SSL protocol depends upon this file.
  12. Copy the file that you created to ISA Server.



How can I configure SSL on IIS web server?

This procedure assumes that your site has already has a certificate assigned to it.

  1. Log on to the Web server computer as an administrator.
  2. Click Start, point to Settings, and then click Control Panel.
  3. Double-click Administrative Tools, and then double click Internet Services Manager.
  4. Select the Web site from the list of different served sites in the left pane.
  5. Right-click the Web site, folder, or file for which you want to configure SSL communication, and then click Properties.
  6. Click the Directory Security tab.
  7. Click Edit.
  8. Click Require secure-channel (SSL) if you want the Web site, folder, or file to require SSL communications.
  9. Click Require 128-bit encryption to configure 128-bit (instead of 40-bit) encryption support.
  10. To allow users to connect without supplying their own certificate, click Ignore client certificates.

    Alternatively, to allow a user to supply their own certificate, use Accept client certificates.
  11. To configure client mapping, click Enable client certificate mapping, and then click Edit to map client certificates to users.

    If you configure this functionality, you can map client certificates to individual users in Active Directory. You can use this functionality to automatically identify a user according to the certificate they supplied when they access the Web site. You can map users to certificates on a one-to-one basis (one certificate identifies one user) or you can map many certificates to one user (a list of certificates is matched against a specific user according to specific rules. The first valid match becomes the mapping).
  12. Click OK.



How can I configure SSL to use 128-bit encryption or better using mod_SSL on Apache web server?

This facility is called Server Gated Cryptography (SGC) and details you can find in the README.GlobalID document in the mod_ssl distribution. In short: The server has a Global ID server certificate, signed by a special CA certificate from Verisign which enables strong encryption in export browsers. This works as following: the browser connects with an export cipher, the server sends its Global ID certificate, the browser verifies it and subsequently upgrades the cipher suite before any HTTP communication takes place. The question now is: How can we allow this upgrade, but enforce strong encryption. Or in other words: Browsers either have to initially connect with strong encryption or have to upgrade to strong encryption, but are not allowed to keep the export ciphers. Although VTCA does not issue certificates with SGC, the following does the trick:

# allow all ciphers for the initial handshake,
# so export browsers can upgrade via SGC facility
< Directory /usr/local/apache/htdocs>
# but finally deny all browsers which haven't upgraded
< /Directory>



How can I configure TLS/SSL for OpenLDAP server?

Referance for the latest information on configuring TLS/SSL for OpenLDAP servers.



How can I use certificates with servers like Tomcat and Jboss?

Note: download the file and instructions at:

  1. Generate a RSA key pair using the directions at How can I generate RSA key pair and make a PKCS #10 request using OpenSSL? and submit to IMS, save the private key as key.pem.
  2. Receive signed cert via IMS's email and save as cert.pem.
  3. Convert both private key and cert into DER format via these commands on the server:
    • openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER
    • openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
  4. Create a password protected keystore with the keytool utility and place the Trusted Root CA SHA256 G2 and VT Global Qualified Server CA certificates in it.
  5. Edit to suit your environment, updating it with the password of the previously created keystore should be sufficient.
  6. Run javac ImportKey.Java.
  7. Run "java -Dkeystore=<keystore_filename> ImportKey <key_filename> <cert_filename> <key_alias>".
  8. Modify your server configuration file to take new keystore and new password.



How do I create and install VT SSL Server cert for Windows 2008 Server using IIS Certificate Wizard?

Follow the directions provided at Create and install VT Server certificate using IIS wizard


How can I find my certificate by certificate serial number on the EJBCA website?

The serial number given for a cert in Mac keychain, doesn't work correctly for search for certificate on the EJBCA website, use the serial number that is called "other name" instead.







Last updated on February 19, 2015