You
have been granted a Public Key Infrastructure (PKI) certificate
from the Treasury Operational Certificate Authority (TOCA) for the
purpose of non-classified authentication to Treasury’s systems.
This certificate is not suitable to protect National Security
Systems and National Security Information.
This certificate shall not be used to conceal an unauthorized act
as specified in Federal law or Department of the Treasury
regulations. Examples of such actions include, but are not limited
to, the following:
- Use of PKI
certificates to gain unauthorized access to a Federal
facility, information system, or electronic data (e.g.,
privacy information), or to enable others to gain such access.
- Use of PKI
certificates to facilitate and/or hide an unauthorized action,
such as:
- Transfer
information to an unauthorized individual.
- Generate income
for oneself or for an organization.
- View sexually
explicit material, gamble, or conduct unlawful or malicious
activities.
- Negatively affect
the integrity, accessibility, and/or confidentiality of the
Department’s cyber infrastructure.
To generate a certificate request and install the issued certificate on
Microsoft IIS 6.0, IIS 7.0, or IBM HTTP Server, follow the steps for your server:
Generating a Certificate
for Microsoft IIS v6.0
Note: The production Entrust Web Connector for TOCA referenced below
is located at https://wc.treas.gov.
1. Request a device certificate
from your Registration Authority (RA or LRA) using the Application
for Certificate form.
2. The RA will deliver the
activation codes (Reference Number and Authorization Code). These
codes are valid for 30 calendar days. If the codes are not used within
that time frame, the RA can reissue them.
3. Log on to the Web server
and open Internet Information Services (IIS) Manager.
4. Right-click Default
Web Site > select Properties in the pop-up menu.
5. Click Directory
Security in the dialog box that opens.
6. Under Secure
Communications, click Server Certificate. The Web
Server Certificate Wizard appears.
7. Click Next.
8. Click Create a new
certificate.
9. Click Next.
10. Ensure that Prepare
request now, but send it later is selected.
11. Click Next.
12. Note: The reference number goes in the Common Name field (next
step). The DN of the issued certificate is the one registered with your
RA, not the fields typed into the wizard (the IIS 7 procedure below makes
the same point), so make sure the name your RA registered is the Web site
name that users type; otherwise users connecting to your Web site will
receive a warning stating the certificate name does not match the name of
the Web server.
13. In the bit length
list, select a bit length of 2048 bits.
14. In the Common Name
field, enter the reference number obtained for your
certificate.
15. Click Next.
16. Ensure that the time
zone is correct.
17. Click Next.
18. In the File name
field, use the default, or enter a new path and file name for the
file that will contain the Web server certificate request.
19. Click Next.
20. The File Summary
dialog box opens.
21. Click Next >
Finish > OK to generate the CSR.
Open the file. The certificate request should look similar to this
(a real request for a 2048-bit key is considerably longer than this sample):
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBEzCBzgIBADB7MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
YTEQMA4GA1UEBxMHT2FrbGFuZDEbMBkGA1UEChMSQzJOZXQgU29mdHdhcmUg
SW5jMRAwDgYDVQQLEwdUZXN0aW5nMRYwFAYDVQQDEw1nYWJiZXIuYzIubmV0
MEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxAJukoQhq4LanG2k+LnRTGJAcgv9L
JPsdfCsjqRs8ygoyaw4ucOEdx+WdnM0x36NcQIDAQABMA0GCSqGSIb3DQEBB
AUAAzEABRLR6IkG70oNG1MnvuMDeWou4kIvc98ysjssCNKsDKsHAXBSEbfsI
Qs5JRNagVBW
-----END NEW CERTIFICATE REQUEST-----
22. Retrieve the certificate
using Entrust Web Connector, https://wc.treas.gov.
o Access Enrollment Server
for Web.
o Click Web server.
o Enter the reference
number and authorization code.
o Paste the certificate
request into the large text box including the BEGIN and END lines.
o In the Options
field, choose the format "displayed as PEM encoding of
certificate in raw DER".
o Click Submit Request.
o Security Manager
generates a certificate and sends it to Enrollment Server. Copy the
entire certificate to the clipboard box including the BEGIN and END
lines.
o Paste the certificate
into a text file in the same directory as the private key and
certificate request.
23. Import the Web server
certificate into Microsoft IIS.
o Open Internet Information Services (IIS) Manager: Start > Programs > Administrative
Tools > Internet Information Services (IIS) Manager.
o In the tree view,
right-click Default Web Site and click Properties in
the pop-up menu. Click the Directory Security tab.
o Under Secure
Communications, click Server Certificate. The Web
Server Certificate Wizard opens.
o Click Next.
o Select Process the
pending request and install the certificate.
o Click Next.
o Click Browse to find
the file that contains the certificate.
o Click Next.
o Click Next >
Finish.
Installing SSL Certificates in
Microsoft IIS 7
Obtain and complete a certificate
request form and send it to your RA. The RA will return to you a
set of activation codes consisting of a reference number and an
authorization code.
1. Generate a Certificate Signing Request (CSR) in Microsoft
IIS 7
·
Click Start, Administrative Tools, and then Internet Information Services (IIS) Manager.
·
In the left panel, click
the server name where you want to generate the CSR.
·
Double click Server Certificates.
·
In the Actions panel on the right,
click Create Certificate Request... .
·
Enter the Distinguished Name Properties, and then click Next.
Note: Use the reference number for the Common Name (CN) field.
Other fields can be completed, but will be ignored in the
generation of the certificate; the DN on the issued certificate
comes from your RA's records.
·
Common Name — <reference number>
·
On the Cryptographic Service Provider Properties page, select a bit
length of 2048, click Next, and then save the request to a file.
Access https://wc.treas.gov and click Web Server.
Copy the CSR from that file and paste it into the Entrust Web
Connector. Paste all of the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines.
Retrieve your certificate from the
Entrust Web Connector site using the reference number, authorization
code, and CSR. Download the
intermediate (issuer) and root certificates as well.
2. Install the root and issuer certificates in Microsoft IIS 7
·
To
install the root certificate, click Start, and then click Run....
·
Type
mmc, and then click OK. The Microsoft
Management Console (Console) window opens.
·
In
the Console1 window, click the File menu, and then select Add/Remove Snap-in.
·
In
the Add or Remove Snap-in
window, select Certificates,
and then click Add.
·
In
the Certificates snap-in window, select Computer Account, and then click Next.
·
In
the Select Computer
window, select Local
Computer, and then click Finish.
·
In
the Add or Remove Snap-in
window, click OK.
·
In
the Console1 window, expand Certificates (Local Computer).
·
Right-click
Trusted Root Certification
Authorities, mouse-over All
Tasks, and then click Import.
·
In
the Certificate Import Wizard window, click Next.
·
Click
Browse to find the root
certificate file.
·
In
the Certificate Import
Wizard window, click Next.
·
Select
Place all certificates in
the following store, and then click Browse.
·
In
the Select Certificate Store
window, select Trusted Root
Certification Authorities, and then click OK.
·
In
the Certificate Import
Wizard window, click Next.
·
Click
Finish.
·
Click OK.
Repeat this process for the issuer
certificate, placing it in the Intermediate Certification Authorities store in place
of the Trusted Root store. Before importing either file, confirm its
thumbprint with your RA out of band: anything placed in Trusted Root
Certification Authorities is trusted by every application on the server,
not just IIS.
Close the Console1 window, and then
click No to discard the
console settings.
3. Install the Web server certificate in Microsoft IIS 7
·
Click Start,
mouse-over Administrative Tools, and then click Internet Information Services (IIS) Manager.
·
In the Internet
Information Services (IIS) Manager window, select your server.
·
Double-click Server
Certificates.
·
From the Actions panel on the right, click Complete Certificate Request....
·
To locate your certificate file, click the ... (browse) button.
·
In the Open
window, select *.* as your file name extension, select your
certificate and click Open.
·
In the Complete
Certificate Request window, enter a Friendly name for the certificate file, and then click OK.
·
In the Internet Information Services (IIS) Manager window, select the
name of the server where you installed the certificate.
·
Click + beside Sites,
select the site to secure with the SSL certificate.
·
In the Actions
panel on the right, click Bindings....
·
Click Add....
·
In the Add Site
Binding window:
·
For Type, select https.
·
For Port, type 443. (Or the port selected
for SSL)
·
For SSL Certificate,
select the SSL certificate you just installed, and then click OK.
·
Close the Site
Bindings window.
·
Close the Internet
Information Services (IIS) Manager
window.
Generating a Certificate
for IBM HTTP Server
1. Request a device
certificate from your Registration Authority (RA or LRA) using the Application
for Certificate form.
2. The RA will deliver the
activation codes (Reference Number and Authorization Code). These
codes are valid for 30 calendar days. If the codes are not used
within that time frame, the RA can reissue them.
3. Generate a certificate
signing request (CSR) using OpenSSL. Enter the reference number when
prompted for the CN (Common Name); the other DN fields are ignored by
the CA. The -nodes option writes key.pem unencrypted, so restrict its
permissions (for example, chmod 600 key.pem) as soon as it is created
and keep it off shared storage. The -config option is only needed if
you are not using the system's default openssl.cnf.
openssl req -config openssl.cnf -new -newkey rsa:2048 -nodes -keyout key.pem -out request.pem
The certificate request will look similar to this (OpenSSL writes the
header as CERTIFICATE REQUEST rather than NEW CERTIFICATE REQUEST, and
a real request for a 2048-bit key is considerably longer than this sample):
-----BEGIN CERTIFICATE REQUEST-----
MIIBEzCBzgIBADB7MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
YTEQMA4GA1UEBxMHT2FrbGFuZDEbMBkGA1UEChMSQzJOZXQgU29mdHdhcmUg
SW5jMRAwDgYDVQQLEwdUZXN0aW5nMRYwFAYDVQQDEw1nYWJiZXIuYzIubmV0
MEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxAJukoQhq4LanG2k+LnRTGJAcgv9L
JPsdfCsjqRs8ygoyaw4ucOEdx+WdnM0x36NcQIDAQABMA0GCSqGSIb3DQEBB
AUAAzEABRLR6IkG70oNG1MnvuMDeWou4kIvc98ysjssCNKsDKsHAXBSEbfsI
Qs5JRNagVBW
-----END CERTIFICATE REQUEST-----
4. Obtain copies of the
appropriate root and issuer certificates naming them root.cer and
issuer.cer.
5. Retrieve the certificate
from Entrust using Entrust Web Connector, https://wc.treas.gov.
o Access Enrollment Server
for Web.
o Click Web server.
o Enter the reference
number and authorization code.
o Paste the certificate
request into the large text box including the BEGIN and END lines.
o In the Options
field, choose the format "displayed as PEM encoding of
certificate in raw DER".
o Click Submit Request.
o Security Manager
generates a certificate and sends it to Enrollment Server. Copy the
entire certificate to the clipboard box including the BEGIN and END
lines.
o Paste the certificate
into a text file in the same directory as the private key and
certificate request.
6. Combine the certificate
and private key into a PKCS#12 file using OpenSSL. The value given to
-name becomes the certificate label inside the KDB and must match the
label referenced in httpd.conf (step 10). OpenSSL prompts for an export
password; keep it, since the conversion in step 7 needs it to open the file.
openssl pkcs12 -export -inkey key.pem -in web_server.cer -out web_server.p12 -name cert_label
7. Create a CMS database
from the PKCS#12 file using GSKit:
gsk7cmd -keydb -convert -db web_server.p12 -old_format pkcs12 -new_format cms
gsk7cmd -keydb -stashpw -db web_server.kdb
The stash file (web_server.sth) holds the KDB password in a merely
obfuscated form so that IBM HTTP Server can open the KDB unattended;
restrict it and the .kdb file to the user the server runs as.
8. Add the root CA to the
KDB file:
gsk7cmd -cert -add -file root.cer -db web_server.kdb -format ascii -label rootca -trust enable
9. Add the intermediate CA
to the KDB file:
gsk7cmd -cert -add -file issuer.cer -db web_server.kdb -format ascii -label issuer -trust enable
10. Edit the httpd.conf file. Find the SSL virtual host stanza in
httpd.conf and point KeyFile at web_server.kdb. The SSLServerCert
directive must match the label of the certificate in the KDB file
(cert_label, the -name given in step 6); if the two differ, IBM HTTP
Server cannot find the certificate to present to clients.
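The stanza that step 10 refers to, written out as an added example that is not part of the original guidance. The directive names are IBM HTTP Server's; the key directory under /opt/IBM/HTTPServer, the server name www.example.gov, and the listening port are assumptions.

```apache
# Added example: SSL stanza for the KDB built in steps 7-9 (paths assumed).
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost *:443>
    ServerName www.example.gov
    SSLEnable
    # KDB from step 7; the .sth stash file lets the server open it unattended
    KeyFile      /opt/IBM/HTTPServer/keys/web_server.kdb
    SSLStashFile /opt/IBM/HTTPServer/keys/web_server.sth
    # Must equal the -name given to "openssl pkcs12 -export" in step 6
    SSLServerCert cert_label
    # Do not offer the legacy protocols
    SSLProtocolDisable SSLv2 SSLv3
</VirtualHost>
```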
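The OpenSSL side of steps 3 and 6, together with the checks worth running on the certificate the Web Connector hands back before it goes into the KDB, as an added example that is not part of the original guidance or of any Entrust or IBM tool. The same checks (CSR contents, chain to root through issuer, key matches, DN is the site name) apply equally to a CSR exported by the IIS 6 or IIS 7 wizard and the certificate returned for it. Everything beyond the openssl commands already on the page is assumed or constructed: the reference number REF-1234567, the RA-assigned site name www.example.gov, a fixed demo export password, and a throwaway root and issuer CA created locally to stand in for root.cer and issuer.cer.

```shell
#!/bin/sh
# Added example, not from the original Treasury guidance or any vendor tool.
# Walks the openssl side of the IHS procedure (step 3, step 6) and checks the
# certificate that comes back before steps 7-9. Constructed values: reference
# number REF-1234567, RA-assigned DN www.example.gov, and a throwaway root and
# issuer CA generated here to stand in for TOCA's real root.cer and issuer.cer.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Step 3: 2048-bit key and CSR with CN = reference number. -nodes writes the
# private key unencrypted, so restrict the file the moment it exists.
make_csr() {   # $1 = reference number
  openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out request.pem \
      -subj "/CN=$1" 2>/dev/null
  chmod 600 key.pem
}

# Look at the CSR before pasting it into the Web Connector: self-signature
# verifies, CN really is the reference number, key really is 2048 bits.
check_csr() {   # $1 = reference number; prints "ok" or the first failure
  openssl req -in request.pem -noout -verify >/dev/null 2>&1 \
      || { echo "bad-signature"; return 1; }
  subj=$(openssl req -in request.pem -noout -subject)
  case "$subj" in *"CN=$1"*|*"CN = $1"*) ;; *) echo "bad-cn"; return 1 ;; esac
  bits=$(openssl req -in request.pem -noout -text \
      | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "$bits" = "2048" ] || { echo "bad-keysize:$bits"; return 1; }
  echo ok
}

# Constructed stand-in for what Security Manager does (NOT TOCA): a local
# root and issuer CA sign a certificate for the CSR's public key carrying the
# DN the RA assigned, not the reference number that was in the CSR's CN.
stand_in_ca_issue() {   # $1 = RA-assigned DN (the Web site name)
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
      -subj "/O=Test/CN=Test Root CA" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
      -out root.cer 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout issuer.key -out issuer.csr \
      -subj "/O=Test/CN=Test Issuing CA" 2>/dev/null
  openssl x509 -req -in issuer.csr -CA root.cer -CAkey root.key -CAcreateserial \
      -days 2 -extfile ca.ext -out issuer.cer 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" > leaf.ext
  # Same public key as request.pem, DN replaced by the RA's
  openssl req -new -key key.pem -subj "/O=Test/CN=$1" -out issue.csr 2>/dev/null
  openssl x509 -req -in issue.csr -CA issuer.cer -CAkey issuer.key -CAcreateserial \
      -days 2 -extfile leaf.ext -out web_server.cer 2>/dev/null
}

# Checks for the returned certificate, before step 6: it chains to root.cer
# through issuer.cer, its public key is the one in key.pem, and its DN is
# the Web site name users type (the reference number is not carried over).
check_issued() {   # $1 = expected site name; prints "ok" or the first failure
  openssl verify -CAfile root.cer -untrusted issuer.cer web_server.cer >/dev/null 2>&1 \
      || { echo "chain-fail"; return 1; }
  k1=$(openssl pkey -in key.pem -pubout 2>/dev/null | openssl md5)
  k2=$(openssl x509 -in web_server.cer -noout -pubkey | openssl md5)
  [ "$k1" = "$k2" ] || { echo "key-mismatch"; return 1; }
  subj=$(openssl x509 -in web_server.cer -noout -subject)
  case "$subj" in *"CN=$1"*|*"CN = $1"*) ;; *) echo "dn-mismatch"; return 1 ;; esac
  echo ok
}

# Step 6 as on the page, plus -certfile so the issuer travels with the key
# pair. The password is fixed only so the demo runs unattended; at a real
# terminal omit -passout and type it at the prompt.
make_p12() {   # prints "ok" if the bundle reads back with the same password
  openssl pkcs12 -export -inkey key.pem -in web_server.cer -certfile issuer.cer \
      -name cert_label -out web_server.p12 -passout pass:demo-only
  chmod 600 web_server.p12
  openssl pkcs12 -in web_server.p12 -passin pass:demo-only -noout 2>/dev/null && echo ok
}

run_demo() {
  make_csr "REF-1234567" && check_csr "REF-1234567"
  stand_in_ca_issue "www.example.gov" && check_issued "www.example.gov"
  make_p12 && echo "artifacts in $WORK"
}

if [ "${1:-}" = "--demo" ]; then run_demo; fi
```

Run it as `sh check_cert.sh --demo` (file name assumed) to see the whole flow against the stand-in CA. For a real request, skip stand_in_ca_issue: copy the real root.cer, issuer.cer and the returned web_server.cer into the working directory next to key.pem and run check_issued with the site name before converting anything with gsk7cmd. If gsk7cmd refuses the resulting .p12, re-export with OpenSSL 3's -legacy option, which selects the older PKCS#12 algorithms that older tools often require.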