SSL uses a "trusted signed certificate" concept to secure the connection and conversation between an SSL server and an SSL client. If you are unfamiliar with trusted signed certificates, the following discussion will give you a basic understanding.
Example Situation:
Let's use a web browser for this discussion; however, keep in mind that the same ideas apply to all other types of SSL client/server connections, such as FTP, POP3 or SMTP clients.
When a user uses a web browser to connect to a web site in "SSL mode", the web server will send a "signed certificate" to the web browser.
Next, the web browser analyzes the certificate to see whether it is valid, whether it has expired, and whether it was signed by a trusted Certificate Authority (CA).
If the certificate is valid and has not expired but was signed by someone other than a trusted CA, the browser informs the user of this situation and gives the user the opportunity to accept the certificate as is.
So, to keep users from seeing this warning on your web site, you must obtain (purchase) a signed certificate from a trusted CA vendor such as Thawte, Verisign or others. Wildcat! allows you to create a self-signed certificate which you can use temporarily while you await the receipt of a trusted certificate from a CA vendor.
Getting a trusted signed certificate:
Obtaining a trusted signed certificate from a CA vendor is typically a five (5) step process:
Wildcat! SSL Configuration Manager makes the above process easy using the Certificate Wizard.
Step 1 Details:
You select your CA and apply for a certificate, typically through the CA's web site. The customer information the CA typically asks you to provide is:
The most important item is the "common name." The CA will typically require this to be the domain name of the server you wish to secure. For example, if you are securing your web site, the common name will probably be www.yourdomain.com. Talk to your CA about using a single certificate common name for all services (Web, FTP, POP3, SMTP, etc.). This might be a matter of CA cost policy.
After you provide this information on their web site, they will ask you to provide a "certificate request", which is a block of text containing the above information in encrypted format. This block will typically look like this:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
Why is the CA asking you for this block if you have already provided the information during the application?
This is part of the verification process. The certificate request you provide will be encrypted using the private key that only you know, not the CA.
So when they finally ask you to provide this funny-looking certificate request block, you will use the Wildcat! Certificate Wizard to create it using the same information you already provided to them.
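The request and trust check described above (the certificate request in Step 1 and the browser's CA check in the example situation), as an added example that is not Wildcat! code or part of this page: it builds a key and certificate request with openssl (the subject values and file names are constructed assumptions), verifies the request's own signature the way a CA does before issuing, and then shows how a client's trust store decides between "trusted" and "signed by someone other than a trusted CA" for a temporary self-signed certificate.

```shell
#!/bin/sh
# Added example (not Wildcat! code): reproduce the key/request pair the
# wizard creates, prove the request is signed by the private key, then
# show why a client treats a self-signed certificate as untrusted.
# The subject below and all file names are constructed for this demo.
set -e
WORK=$(mktemp -d)
SUBJ="/C=US/ST=Florida/L=Homestead/O=Example Org/CN=www.example.com"

# Step 2 equivalent: one private key plus a request carrying the subject.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
        -keyout "$WORK/server.key" -out "$WORK/request.csr" 2>/dev/null
    # The request is signed with server.key; -verify checks that
    # signature, which is exactly what the CA checks on receipt.
    openssl req -in "$WORK/request.csr" -noout -verify 2>&1
}

# The common name the CA reads out of the request (must match the form).
csr_common_name() {
    openssl req -in "$WORK/request.csr" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Temporary self-signed certificate: same request, signed by our own key.
make_self_signed() {
    openssl x509 -req -in "$WORK/request.csr" -signkey "$WORK/server.key" \
        -days 30 -out "$WORK/selfsigned.crt" 2>/dev/null
}

# What the browser does: validate the chain against its trust store.
# With no trusted roots the self-signed certificate is rejected; once the
# same certificate is installed as a trusted root (the "accept as is"
# choice), the check passes.
verify_against_trust_store() {
    if [ -z "$1" ]; then
        openssl verify -no-CAfile -no-CApath "$WORK/selfsigned.crt" 2>&1 || true
    else
        openssl verify -CAfile "$1" "$WORK/selfsigned.crt" 2>&1
    fi
}
```

A CA-issued certificate chains to a root the client already trusts, so the second check passes without the user having to accept anything.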
Step 2 Details:
Use the wizard to create a new key and certificate request. You must provide the same information you already provided to the CA. It is especially important that the common names match. In the final stage of the wizard, it will show you the certificate request block.
Also in this step, the wizard creates a temporary self-signed certificate which you can use while you wait for the trusted certificate request to be processed.
Step 3 Details:
In step 2, the wizard displays the certificate request block, which you can copy/paste into the CA's certificate request input form. Once the CA has the certificate request block, they will begin processing your request, which may take 1 day or more. Talk to your CA about the turnaround time.
Step 4 Details:
When the CA has completed your application, the CA will contact you (probably via email) with instructions on how to get your new trusted certificate. Depending on the CA, they might email it to you or they might instruct you to get it from their web site. In either case, it will look something like this:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
You should save this information to a file with an extension of .crt, for example "mycert.crt". It is highly recommended that you keep a backup on diskette.
Step 5 Details:
Finally, you need to add the trusted certificate block or *.crt file to the pending request created in step 2. Use the Wildcat! Certificate Wizard option, "Add trusted certificate to pending request".