Managing VIP Certificates

Certificate Enrollment Overview

You need a VIP certificate to secure communications and identify yourself to the VIP service. In communications with the VIP service, the certificate is used as a TLS/SSL client certificate.

VIP Manager can automatically create a private key for you when you request a VIP certificate. Instructions for requesting and downloading a VIP certificate are provided below. However, if you wish to use your own private key to request a VIP certificate, you need to generate a Certificate Signing Request (CSR). Instructions for generating a CSR are provided below. Refer to Using Your Own Private Key to Request a Certificate for details.

Once you have downloaded your VIP certificate, you can install it for use with any application that communicates with VIP Services. For example:

Install it for use with VIP Web Services
Install it for use with VIP Enterprise Gateway
Install it for use with a Cisco® Router for VPN

Follow these steps to request a certificate and to download the VIP certificate:

Select Account in the navigation bar at the top of the page.

Click Manage VIP Certificates in the Links pane on the right side of the page.

You see the Manage VIP Certificates page.

On the Manage VIP Certificates page, click Request a Certificate.

You see the Certificate Instructions page.

Read the instructions on the Certificate Instructions page, and click Continue.

You see the Request a Certificate page.

Type a name for the certificate in the Certificate Name field. You may want to include "VIP" in the name, so that you'll remember that this is the certificate you use to access VIP Services.

Read the text in the Important Service Requirements area, and click Submit Request.

You see the Your Certificate Request has been Approved page.

Provide the required information, and then click the link to download your certificate.
VIP Manager supplies a VIP certificate that you can download to your hard drive.

Important: Do not change the certificate name.

Follow these steps to generate a VIP certificate using your own private key:

Generating a Key and Certificate Signing Request (CSR)
Requesting a Certificate and Downloading the VIP Certificate (PKCS#7 File)
Combining the Key and Certificate Chain

Generating a Key Pair and Certificate Signing Request (CSR)

Generate a key pair and PKCS#10-compliant CSR using the tool of your choice. You will need to generate a key and CSR outside of VIP Manager.

Symantec provides detailed instructions for generating a CSR using openSSL or using Java Keytool.

You can generate a CSR using one of the above tools, or you can generate one using a different tool of your choice. If you use a tool other than the ones documented in Help and Support, see the documentation that came with the tool you are using.

Generating a Key Pair and CSR Using openSSL

This section provides the steps for generating a CSR using openSSL. You can obtain openSSL at http://www.openssl.org.

Use openSSL to create a Certificate Signing Request (CSR) for certificate enrollment. Use this command:

openssl req -newkey rsa:<key size> -keyout <key file> -out <csr file>

Where key size is 2048 (bits), key file is the file containing your key pair, and csr file is the file containing the CSR.

For example:

openssl req -newkey rsa:2048 -keyout vipKey.pem -out vipCSR.pem

Note: You are prompted to enter additional information, including your pass phrase, country name, state, locality, organization, organizational unit, and email address. (Not all of this information is required.) OpenSSL combines the first and last name data and uses it as the Common Name in the CSR. VIP Manager overrides the Common Name and replaces it with the Certificate Name you entered on the Request a Certificate page in VIP Manager.

Go to VIP Manager and submit the CSR file (vipCSR.pem), as documented in Requesting a Certificate and Downloading the VIP Certificate (PKCS#7 File).

Generating a Key and CSR Using Java Keytool

This section provides the steps for generating a CSR using Java Keytool.

Use Java Keytool to generate a key for certificate enrollment. Use this command:

keytool -genkey -alias <key alias> -keyalg RSA -keysize <key size> -sigalg SHA1withRSA -dname "O=<company>, OU=<department>, CN=<common name>" -keypass <key password> -keystore <key store file> -storepass <store password>

Where key alias is the name of the key in the key store, key size is 2048 (bits), company is your company name, department is your department or division in the company, common name is a unique name for the certificate, key password is the password to protect the key, key store file is the file storing your key pair, and store password is the password to protect the key store. The key and key store passwords can be the same value if you prefer.

For example:

keytool -genkey -alias vip -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -dname "O=My Company, OU=My Department, CN=VIP Cert" -keypass Password1 -keystore vip.ks -storepass Password1

Note: VIP Manager overrides what you enter for the dname option with the Organization, Organizational Unit, Company, and Department from your VIP Manager account. VIP Manager overrides the Common Name with the Certificate Name you entered on the VIP Manager Request a Certificate page.

Create a Certificate Signing Request (CSR) for certificate enrollment as follows:

keytool -certreq -alias <key alias> -sigalg SHA1withRSA -file <csr file> -keypass <key password> -keystore <key store file> -storepass <store password>

Where key alias is the name of the key in the key store, csr file is the file containing the CSR, key password is the password to protect the key, key store file is the file storing your key pair, and store password is the password to protect the key store. The key and key store passwords in this step are the same passwords as in Step 1. The key and store passwords can be the same value if you prefer.

For example:

keytool -certreq -alias vip -sigalg SHA1withRSA -file vipCSR.pem -keypass Password1 -keystore vip.ks -storepass Password1

Go to VIP Manager and submit the CSR file (vipCSR.pem), as documented in Requesting a Certificate and Downloading the VIP Certificate (PKCS#7 File).


Requesting a Certificate and Downloading the VIP Certificate (PKCS#7 File)

Once you have a CSR, go to VIP Manager and follow these steps to request a certificate and to download the VIP certificate (PKCS#7 file).

Select Account in the navigation bar at the top of the page.

Click Manage VIP Certificates in the Links pane on the right side of the page.

You see the Manage VIP Certificates page.

On the Manage VIP Certificates page, click Request a Certificate.

You see the Certificate Instructions page.

Read the instructions on the Certificate Instructions page, and click Continue.

On the Request a Certificate page, click the link at the top of the page to enter the CSR you have generated.

You see the field to enter the CSR.

Type a name for the certificate in the Certificate Name field. You may want to include "VIP" in the name, so that you'll remember that this is the certificate you use to access VIP Services.

Copy all of the CSR text, including the words "BEGIN CERTIFICATE REQUEST," "END CERTIFICATE REQUEST," and all of the dashes and spaces, and paste the text in the CSR field.

Read the text in the Important Service Requirements area, and click Submit Request.

You see the Your Certificate Request has been Approved page.

Read all of the instructions on the page, and then click the link to download your certificate.

VIP Manager supplies a VIP certificate (PKCS#7 file) that you can download to your hard drive.

If you are using Internet Explorer, browse to the location where you created the key and CSR, and click Save. If you are using Firefox, after downloading the certificate, copy the file to the location where you created the key and CSR.

Important: Do not change the certificate name. The rest of the instructions for the VIP certificate enrollment process use the default certificate name, vip_cert.p7b.

Combining the Key and Certificate Chain

After you have downloaded the VIP certificate, you need to combine the key and certificate chain outside of VIP Manager. You should perform this step using the same tool that you used to generate the key and CSR.

Combining the Key and Certificate Chain Using openSSL

If you used openSSL to generate the key and CSR, follow these steps to combine the key and certificate chain.

Use openSSL to convert the VIP certificate (PKCS#7 file) to PEM format:

openssl pkcs7 -inform DER -outform PEM -in vip_cert.p7b -print_certs -out <certificate pem file>

Where certificate pem file is the PEM format version of the PKCS#7 certificate chain downloaded from VIP Manager.

For example:

openssl pkcs7 -inform DER -outform PEM -in vip_cert.p7b -print_certs -out vipCert.pem

Type the following command to combine the PEM key and PEM certificate file to create a PKCS#12 file:

openssl pkcs12 -export -out <p12 file> -inkey <key file> -in <p7 pem file>

Where p12 file is the PKCS#12 file, key file is the file containing your key pair, and p7 pem file is the PEM certificate file you created in the previous step. (The key file is the same one you used to generate the key pair and CSR.)

For example:

openssl pkcs12 -export -out vip.p12 -inkey vipKey.pem -in vipCert.pem

Use the PKCS#12 file in the application you are developing.
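
The openSSL steps above (key and CSR generation, PKCS#7 conversion, PKCS#12 export) run end to end with two checks added: the CSR is verified before submission, and the certificate is confirmed to match the private key before the two are combined. This is an added example, not part of the original documentation. The function names, the VIP_PASS variable, the -subj value and the self-signed stand-in for the certificate that VIP Manager would issue are all assumptions made so the flow runs offline.

```shell
#!/bin/sh
# Added example: checks around the page's openSSL steps. File names follow the
# page; the pass phrase, subject and stand-in certificate are constructed.

# csr_ok CSR: the CSR's self-signature verifies and its key is 2048 bits.
csr_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    openssl req -in "$1" -noout -text 2>/dev/null | grep -q '(2048 bit)'
}

# key_matches_cert KEY CERT: the first certificate in CERT carries the public
# key of KEY. The key's pass phrase is read from $VIP_PASS (assumed name).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin env:VIP_PASS -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# vip_demo: run the whole flow in a throwaway directory and print the number
# of certificates found in the resulting vip.p12.
vip_demo() (
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    cd "$dir" || exit 1
    export VIP_PASS='constructed-demo-pass-phrase'
    # Page step, made non-interactive; env: keeps the phrase off the command line.
    openssl req -newkey rsa:2048 -keyout vipKey.pem -out vipCSR.pem \
        -subj '/O=Example Org/CN=VIP Cert' -passout env:VIP_PASS 2>/dev/null &&
    csr_ok vipCSR.pem &&
    # Stand-in for VIP Manager: self-sign the CSR, wrap it as DER PKCS#7.
    openssl x509 -req -in vipCSR.pem -signkey vipKey.pem -passin env:VIP_PASS \
        -days 1 -out issued.pem 2>/dev/null &&
    openssl crl2pkcs7 -nocrl -certfile issued.pem -outform DER -out vip_cert.p7b &&
    # Page steps: PKCS#7 to PEM, check the pair, then build the PKCS#12 file.
    openssl pkcs7 -inform DER -outform PEM -in vip_cert.p7b -print_certs \
        -out vipCert.pem &&
    key_matches_cert vipKey.pem vipCert.pem &&
    openssl pkcs12 -export -out vip.p12 -inkey vipKey.pem -in vipCert.pem \
        -passin env:VIP_PASS -passout env:VIP_PASS &&
    openssl pkcs12 -in vip.p12 -passin env:VIP_PASS -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
)

vip_demo
```

With a real chain from VIP Manager, vipCert.pem may hold several certificates; openssl x509 reads only the first one, so confirm that the first entry is your client certificate before relying on the match.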


Combining the Key and Certificate Chain Using Java Keytool

If you used Java Keytool to generate the key and CSR, follow these steps to combine the key and certificate chain.

Use Java Keytool to import the PKCS#7 certificate chain into the keystore:

keytool -import -alias <key alias> -file vip_cert.p7b -noprompt -keypass <key password> -keystore <key store file> -storepass <store password>

Where key alias is the name of the key in the key store, key password is the password to protect the key, key store file is the file storing your key pair, and store password is the password to protect the key store.

For example:

keytool -import -alias vip -file vip_cert.p7b -noprompt -keypass Password1 -keystore vip.ks -storepass Password1

Note: You should use the same key and store passwords you used to generate the key and CSR.

Use the Java keystore in the application you are developing.

After downloading your VIP certificate, copy and save it to the appropriate location for your application. You can then use the certificate in your own application to communicate with VIP Web services. If you use a Java keystore to manage your certificates, you do not need to import the VIP certificate.

For details on using your VIP certificate with your Web application, refer to the VIP Authentication Service Web Services Developer's Guide or VIP User Services Developer's Guide, as appropriate.

After downloading your VIP certificate, copy and save it to a location on your VIP Enterprise Gateway Configuration Console host. You can then import the certificate into the Configuration Console to securely communicate with the VIP Validation Service:

Access the VIP Enterprise Gateway Configuration Console and select the Configuration -> Required tab.

Click Add a VIP Certificate to view the Add VIP Certificate page.

Enter the path and file name of the VIP certificate in the FileName text box, or click Browse to locate the VIP certificate you downloaded.

Type the password you selected when downloading the certificate.

Click Submit.

After downloading your VIP certificate, use the Cisco® Small Business Pro Security Appliance Configuration Utility to enable VIP authentication to your virtual private network (VPN):

Log in to the Cisco Small Business Pro Security Appliance Configuration Utility.

From the Getting Started (Basic) page, select VPN at the top of the screen.

Select VeriSign ID Protection from the left navigation panel.

Select VIP Configuration to display the VIP Configuration page.
  • Select the checkbox to Enable VIP.
  • Select VIP Production from the Service Type drop-down menu.
  • Click Apply.

Load the VIP certificate you downloaded using VIP Manager.
  • Browse to the location where you stored the VIP certificate you downloaded.
  • Enter the password you selected when downloading the certificate.
  • Click Upload.