Purpose:

The purpose of this document is to describe the steps to generate an internal kki.org SSL certificate using the XCA program. XCA is a front end for OpenSSL that makes it easier to create and manage SSL certificate requests, private keys, and a database of SSL certificates. It also allows the certificates, keys, and requests to be exported in various formats.


This document assumes that you have already downloaded and installed the XCA software. The Windows and macOS builds can be obtained from https://hohnstaedt.de/xca/index.php/download; on Linux, install the package through the distribution's package manager.


  1. Launch the XCA program.
  2. Open the certificate database.
    1. Click “File” in the menu.
    2. Click “Open Database”.
    3. Navigate to the following database location:
      1. https://hohnstaedt.de/xca/index.php/download
    4. Open the file KKI.xdb by double clicking it in the file dialog box.
    5. Enter the KKI Admin password.
  3. Once the database is loaded the various tabs will show the Keys, Requests, and Certificates in the database.
  4. Create a private key if one does not exist.
    1. Click the “Private Keys” tab.
    2. Search for an existing key.
      1. Keys are named using the FQDN of the certificate they are used on unless they are a wildcard or MEGA Certificate that contains multiple domain names.
    3. If the key exists continue to step 5.
    4. Click “New Key” to start the process of generating a new Private Key.
    5. Set the “Name” field to match the FQDN of the site the SSL certificate will be created for.
    6. Click the “Create” button to generate the new key.
    7. A dialog box will pop up notifying you that the key was successfully created, or that there was an error. Click the “OK” button to continue.
  5. Create a new certificate request if one does not exist.
    1. Click the “Certificate signing requests” tab.
    2. Check the list of Certificate requests to see if one exists. If there was an existing Private Key there is a good chance there is an existing certificate request.
    3. If there is an existing Certificate Request, continue to step 6.
    4. Click the “New Request” button to start a new certificate request.
    5. On the “Source” tab set the following values:
      1. Unstructured Name: The main FQDN for the site.
      2. Template for the new certificate: [default] TLS_server
    6. Click the “Subject” Tab and fill in the following values.
      1. Internal Name: The FQDN of the site the certificate is being created for.
      2. countryName: US
      3. stateOrProvinceName: MD
      4. localityName: BALTIMORE
      5. organizationName: KENNEDY KRIEGER INSTITUTE
      6. organizationalUnitName: INFORMATION SYSTEMS
      7. commonName: The FQDN of the site the certificate is being created for.
      8. emailAddress: ENGINEERING@KENNEDYKRIEGER.ORG
      9. Private Key: Select the private key that matches the FQDN for the site from the drop-down. If one isn’t there you will need to go back and create it.
    7. Click the “Extensions” tab.
    8. Click the “Edit” button next to the “X509v3 Subject Alternative Name” field.
    9. A window will open allowing you to add SAN entries for the certificate.
    10. For each FQDN in the certificate you will need two entries: one with the FQDN itself and one with just the hostname. This allows things like https://gsp-tableau to work without a certificate error when people use only the hostname in a URL for an internal resource. IP address entries can also be specified here if needed.
    11. When you finish adding the entries, click the “Validate” button.
    12. If you get a successful validation dialog click “OK” to close it and then click the “Apply” Button.
    13. The “X509v3 Subject Alternative Name” field will be populated and a green check box will appear.
    14. Click the “OK” button to create the Certificate Request.
    15. A confirmation dialog will appear. Click “OK” to close the dialog window.
  6. Export the new certificate request to the clip board.
    1. Find the certificate request in the list under the “Certificate signing requests” tab.
    2. Right-click the certificate request you want to export.
    3. On the pop-up menu, click the “Export” option.
    4. Under the “Export” option click “Clipboard” to export the request to the clipboard.
  7. Use a web browser to open the internal KKI.ORG CA server.
    1. Browse to https://gsp-ca.kki.org/certsrv
    2. Enter the credentials for your admin account with rights to create certificates.
    3. Click on the “Request a certificate” link on the main page.
    4. Click the “advanced certificate request” link.
    5. Paste the contents of your clipboard into the first box, named “Saved Request”.
    6. Select the “Certificate Template” of “1YR Web Server” from the drop-down menu.
    7. Click the “Submit” button.
  8. On the final page, titled “Certificate Issued”, download the certificate that has been issued.
    1. Select the radio button “Base 64 encoded”.
    2. Click the “Download certificate” link to save the new certificate as certnew.cer.
      1. If certnew.cer exists then most browsers will add a number to the first part of the filename which makes it certnew(1).cer etc.
  9. The certificate can now be imported into XCA so that we can export it with the private key in whatever format is required by the webserver or device.
    1. Go back to XCA or re-open it if it was closed.
    2. Click on the “Certificates” Tab.
    3. Click the “Import” button to open the import file dialog.
    4. Browse your downloads folder and open the newly created certificate.
    5. A dialog will appear telling you that the certificate was successfully imported.
    6. Click the “OK” button to close the dialog.
  10. Export the certificate from XCA in the format the server or device needs.
    1. Open XCA if it is not already.
    2. Click on the “Certificates” tab.
    3. Click the > symbol next to kki-KKI-GSPDC-CA in the list to expand the list of certificates for the internal CA.
    4. Scroll down and find the certificate you wish to export.
    5. Right-click the certificate.
    6. On the pop-up menu click “Export”.
    7. Under “Export” click “File”.
    8. Verify the “Name” field shows the correct certificate to be exported.
    9. Click the … button to select the location where the file is to be saved.
    10. Select the appropriate “Export Format” from the dropdown.
      1. PKCS#12 creates a .pfx / .p12 file that is typically used for Windows and requires a password, which you will be asked for when you click the “OK” button.
      2. PEM + KEY exports the certificate and private key into a single PEM file that is typically used on Apache servers or other Linux-based web servers. This does not require a password, but you will need to manually separate the entries into separate files: one for the certificate, one for the private key, and then you will also need a copy of the CA ROOT certificate.
    11. Click OK to export the Certificate.
    12. If prompted for a password, enter a simple password, confirm it and click “Ok”.
      1. This password may need to be given to the site / server owner, so it should be a dedicated password that is not used anywhere else and is simple enough to relay to others if necessary.
    13. The certificate file should be located in the location you specified. XCA does not give a success message when exporting a certificate.
    14. You can now close XCA, upload your certificate file or files to the server and install them.
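The same procedure expressed with the openssl command line that XCA wraps, as an added example that is not part of this document and not XCA's or KKI's code. It uses a constructed site name (web01.example.internal), the subject values from step 5, and a throwaway “Example Test CA” that stands in for the gsp-ca.kki.org certsrv step, which cannot be scripted here; the file names, the WORK directory and the password relay-me are made up for illustration. It builds the key and the SAN-bearing CSR (steps 4 and 5), checks the SAN entries the way the “Validate” button does, signs the CSR, writes a PKCS#12 export and splits a PEM + KEY export into the three files step 10 describes, then verifies that the private key matches the issued certificate and that the certificate chains to the root.

```shell
#!/bin/sh
# Added example, not code from the KKI procedure or from XCA: the key, CSR, sign,
# import and export steps done with the openssl CLI. All names are constructed
# for illustration; "Example Test CA" stands in for the internal CA server.
set -eu

WORK="${WORK:-$(mktemp -d)}"       # hypothetical scratch directory
FQDN="web01.example.internal"      # hypothetical site FQDN
SHORT="${FQDN%%.*}"                # bare hostname -> web01

# Steps 4 and 5: private key, then a CSR with the procedure's subject fields
# and a SAN list holding both the FQDN and the bare hostname.
make_csr() {
  openssl genrsa -out "$WORK/$FQDN.key" 2048 2>/dev/null
  cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
C = US
ST = MD
L = BALTIMORE
O = KENNEDY KRIEGER INSTITUTE
OU = INFORMATION SYSTEMS
CN = $FQDN
emailAddress = ENGINEERING@KENNEDYKRIEGER.ORG
[ext]
subjectAltName = DNS:$FQDN, DNS:$SHORT
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -new -key "$WORK/$FQDN.key" -config "$WORK/req.cnf" -out "$WORK/$FQDN.csr"
}

# Step 5.11 "Validate": confirm the CSR really carries the given SAN entry.
csr_has_san() {
  openssl req -in "$WORK/$FQDN.csr" -noout -text | grep -Eq "DNS:$1(,|\$)"
}

# Step 7 stand-in: a throwaway CA signs the CSR and keeps its SAN extension.
# Against the real CA you paste the CSR into certsrv and download certnew.cer.
sign_with_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -config "$WORK/req.cnf" -extensions ca_ext -subj "/CN=Example Test CA" -days 1 2>/dev/null
  openssl x509 -req -in "$WORK/$FQDN.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/req.cnf" -extensions ext \
    -out "$WORK/certnew.cer" 2>/dev/null
}

# Step 10.10.1: PKCS#12 for Windows, password protected, with the CA chain inside.
export_pkcs12() {
  openssl pkcs12 -export -inkey "$WORK/$FQDN.key" -in "$WORK/certnew.cer" \
    -certfile "$WORK/ca.crt" -passout "pass:$1" -out "$WORK/$FQDN.pfx"
}

# Step 10.10.2: the manual split after a "PEM + KEY" export, one file per entry,
# plus a copy of the CA root certificate.
split_pem() {
  cat "$WORK/certnew.cer" "$WORK/$FQDN.key" > "$WORK/$FQDN.pem"
  awk -v dir="$WORK" '
    /^-----BEGIN CERTIFICATE-----/        { out = dir "/cert.pem" }
    /^-----BEGIN (RSA )?PRIVATE KEY-----/ { out = dir "/key.pem" }
    out != ""                            { print > out }
    /^-----END/                          { out = "" }' "$WORK/$FQDN.pem"
  cp "$WORK/ca.crt" "$WORK/ca-root.pem"
}

# Checks worth running before handing the files to a server owner.
key_matches_cert() {   # public key in the certificate equals the one derived from the key
  [ "$(openssl x509 -in "$WORK/cert.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/key.pem" -pubout)" ]
}
cert_chains_to_root() {
  openssl verify -CAfile "$WORK/ca-root.pem" "$WORK/cert.pem" >/dev/null
}
pfx_opens_with() {     # the .pfx password you will relay to the site owner actually works
  openssl pkcs12 -in "$WORK/$FQDN.pfx" -passin "pass:$1" -nokeys -noout 2>/dev/null
}

make_csr && sign_with_test_ca && export_pkcs12 'relay-me' && split_pem
csr_has_san "$FQDN" && csr_has_san "$SHORT" && key_matches_cert && cert_chains_to_root \
  && echo "all checks passed; files are in $WORK"
```

Run it with `sh` on any machine that has openssl; set WORK to a directory of your choice to keep the generated files. The key_matches_cert and cert_chains_to_root checks are the ones to run on a real export too, since XCA gives no success message when it writes the file.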