Server Certificates and SSL Encryption

If desired, you can enhance native GroupWise encryption with Secure Sockets Layer (SSL) communication between servers where GroupWise agents are installed. If you have not already set up SSL on your system, you must complete the following tasks:

If you have already set up SSL on your system and are using it with applications other than GroupWise, skip to Configuring the Agents to Use SSL.


Generating a Certificate Signing Request and Private Key

Before the GroupWise agents can use SSL, you must create a Certificate Signing Request (CSR) and obtain a public certificate file. The CSR includes the hostname of the server where the agents run. Therefore, you must create a CSR for every server where you want the GroupWise agents to use SSL. However, all GroupWise agents running on the same server can use the same resulting certificate, so you do not need separate CSRs for different agents. The CSR also includes your choice of name and password for the private key file that must be used with each certificate. This information is needed when configuring the agents to use SSL.

One way to create a CSR is to use the GWCSRGEN utility. This utility takes the information you provide and creates a .csr file from which a public certificate file can be generated.

  1. Start the GroupWise Generate CSR utility.

    On Linux, the utility (gwcsrgen) is installed to the /opt/novell/groupwise/agents/bin directory. You must be logged in as root to start the utility.

    On Windows, the utility (gwcsrgen.exe) is located in the \admin\utility\gwcsrgen directory either on the GroupWise 6.5 Administrator CD or in the GroupWise software distribution directory.


    GroupWise Generate CSR utility
  2. Fill in the fields in the Private Key box. The private key information is used to create both the Private Key file and the Certificate Signing Request file.

    Key Filename: Enter a name for the Private Key file (for example, server1.key). If you don't want the file stored in the same directory as the GWCSRGEN utility, specify a full path with the filename (for example, c:\server1.key or /opt/novell/groupwise/certs/server1.key).

    Key Password: Enter the password for the private key. The password can be up to 256 characters (single-byte environments).

    Verify Password: Enter the password again.

  3. Fill in the fields in the Certificate Signing Request box.

    CSR Filename: Enter a name for the Certificate Signing Request file (for example, server1.csr). If you don't want the file stored in the same directory as the GWCSRGEN utility, specify a full path with the filename (for example, c:\server1.csr or /opt/novell/groupwise/certs/server1.csr).

  4. Fill in the fields in the Required Information box. This information is used to create the Certificate Signing Request file. You must fill in all fields to generate a valid CSR file.

    Country: Enter the two-letter abbreviation for your country (for example, US).

    State/Province: Enter the name of your state or province (for example, Utah). Enter the full name. Do not abbreviate it.

    City: Enter the name of your city (for example, Provo).

    Organization: Enter the name of your organization (for example, Novell, Inc.).

    Division: Enter your organization's division that this certificate is being issued to (for example, Novell Product Development).

    Hostname of Server: Enter the DNS hostname of the server where the server certificate will be used (for example, dev.provo.novell.com).

  5. Click Create to generate the CSR file and Private Key file.

    The CSR and Private Key files are created with the names and in the locations you specified in the Key Filename and CSR Filename fields.


Submitting the Certificate Signing Request to a Certificate Authority

To obtain a server certificate, you can submit the Certificate Signing Request (server_name.csr file) to a Certificate Authority. If you have not previously used a Certificate Authority, you can use the keywords "Certificate Authority" to search the Web for Certificate Authority companies. The Certificate Authority must be able to provide the certificate in Base64/PEM or PFX format.

The process of submitting the CSR varies from company to company. Most provide online submission of the request. Please follow their instructions for submitting the request.


Creating Your Own Certificate

The Novell® Certificate Server™, which runs on a NetWare® server with Novell eDirectory™, enables you to establish your own Certificate Authority and issue server certificates for yourself. For complete information, see the Novell Certificate Server Web site.

To quickly create your own public certificate in ConsoleOne:

  1. Click Help > About Snap-ins to see if the Certificate Server snap-in to ConsoleOne is installed.

    If it is not installed, you can obtain it from Novell Product Downloads. If you are using eDirectory on Linux, the Certificate Server snap-in is installed by default.

    NOTE:  You can create a server certificate in Novell iManager, as well as in ConsoleOne, using steps similar to those provided below.

  2. Browse to and select the container where your Server object is located.

  3. Click Tools > Issue Certificate.


    CSR Filename page
  4. Browse to and select the CSR file created by GWCSRGEN in Generating a Certificate Signing Request and Private Key, then click Next.

    By default, your own organizational certificate authority signs the request.

  5. Click Next.


    Key Information page
  6. In the Type box, select Custom.

  7. In the Key Usage box, select all three usage options.

  8. Click Next.

  9. In the Validity Period field, select the length of time you want the certificate to be valid.

    You might want to change the setting to a longer period of time to best meet the needs of your organization.

  10. Click Next, view the summary information, then click Finish.


    Save Certificate page
  11. Select File in Base64 Format.

  12. Specify the path and filename for the certificate.

    Limit the filename to 8 characters. Retain the .b64 extension.

  13. Click Save.


Installing the Certificate on the Server

After processing your CSRs, the Certificate Authority returns to you a public certificate (server_name.crt) file and a private key (server_name.key) file for each CSR. The certificate file might have a different suffix, such as .pem or .pfx. The suffix is unimportant as long as the file format is correct.

If you used the Issue Certificate feature in ConsoleOne, the public certificate file has the .b64 extension and you use the private key file generated by GWCSRGEN in Generating a Certificate Signing Request and Private Key.

Copy the files to any convenient location on each server. The location must be accessible to the GroupWise agents that run on the server.
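
One way to check the files on a Linux server before the agents are configured to use them, as an added example (not part of the original documentation or of Novell's tooling): it uses the openssl command to confirm that the private key, the CSR, and the certificate carry the same public key, that the hostname matches, and that the key file is not readable by other accounts. It assumes Base64/PEM files, that GWCSRGEN writes the Hostname of Server value to the subject common name, and that the key password is supplied in a KEY_PASSWORD environment variable; all function names are illustrative.

```sh
#!/bin/sh
# Added example (not Novell code). The key password is read from the
# KEY_PASSWORD environment variable so it never appears in the process list.

# Emit the public key (PEM) held in a CSR, certificate, or private key file.
pubkey_pem() {  # $1 = csr|cert|key, $2 = file
    case "$1" in
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout -passin env:KEY_PASSWORD ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# SHA-256 of that public key; fails if the file cannot be parsed or decrypted.
pubkey_digest() {
    pem=$(pubkey_pem "$1" "$2") || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Common name from the subject. Assumption: "Hostname of Server" ends up here.
subject_cn() {  # $1 = csr|cert, $2 = file
    case "$1" in
        csr)  openssl req  -in "$2" -noout -subject -nameopt multiline ;;
        cert) openssl x509 -in "$2" -noout -subject -nameopt multiline ;;
    esac | sed -n 's/^ *commonName *= *//p'
}

# True when group and others have no permissions on the key file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

check_agent_cert() {  # usage: check_agent_cert HOSTNAME KEY CSR CERT
    key_is_private "$2" || { echo "key file is open to group or others"; return 1; }
    k=$(pubkey_digest key  "$2") || { echo "cannot read key (wrong password?)"; return 1; }
    r=$(pubkey_digest csr  "$3") || { echo "cannot read CSR"; return 1; }
    c=$(pubkey_digest cert "$4") || { echo "cannot read certificate"; return 1; }
    [ "$k" = "$r" ] || { echo "CSR was not generated from this key"; return 1; }
    [ "$k" = "$c" ] || { echo "certificate does not match this key"; return 1; }
    [ "$(subject_cn csr  "$3")" = "$1" ] || { echo "CSR hostname is not $1"; return 1; }
    [ "$(subject_cn cert "$4")" = "$1" ] || { echo "certificate hostname is not $1"; return 1; }
    echo "ok"
}

if [ $# -eq 4 ]; then check_agent_cert "$@"; fi
```

A certificate delivered in PFX format would first have to be converted to PEM before these checks apply.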


Configuring the Agents to Use SSL

To configure the agents to use SSL, you must first enable them for SSL and then provide certificate and key file information. For detailed instructions, see the following sections: