Certificates can be obtained from one of the following:
|For performance reasons, limit the use of this option. Validation of self-signed certificates can significantly degrade a server's performance.|
A certificate management tool is provided that creates certificate requests and self-signed certificates, and stores certificates in a client key database. Certificate requests can be made on the Host On-Demand server or locally-installed clients.
Users who currently have a certificate for their browsers can use it directly, or they can export the certificate into a PKCS12 (.p12 or .pfx file type) file format and save it on their workstations to be used for client authentication. Optionally, the certificate can be stored on specialized external media, such as a smart card.
Certificates exported from an older browser are usually weakly encrypted. Use strong encryption when accessing certificates over the Internet with an unsecure protocol, such as http or ftp. To change the encryption strength:
Some CAs have Web pages that you can access for requesting certificates. That is the easiest way to obtain a client certificate.
To create a request in Certificate Management:
Access the CA's Web site and then follow the instructions to request the certificate. Here are the URLs of two CAs:
Depending on the CA you choose, you can either e-mail the certificate request or incorporate the request into the form or file provided by the CA. If you need the CA's root certificate, you can often get it directly from the Web site.
While you are waiting for the CA to process your certificate request, you can create a self-signed certificate to use.
When you receive the certificate, make sure that it is in armored-64 or binary DER format. Only certificates in these formats can be stored in the key database. The Certificate Management program can only accept simple certificates. It cannot accept certificate chains or PKCS7 data. The armored-64 form of a simple certificate starts with "----BEGIN CERTIFICATE----" and ends with "----END CERTIFICATE----".
To receive the certificate:
Make sure the certificate is securely sent. If a non-secure protocol such as e-mail, http or ftp is used to send the file over the Internet, the certificate's security can be compromised.
A certificate can be stored anywhere on the client's computer, on a diskette, or on a Web server.