Generating keys and certificates

A certificate consists of a public key, used to encrypt data, and a private key, used to decipher data. Certificates are issued by a Certificate Authority (CA). You can generate a certificate from an internal certificate server, or obtain a client certificate from any third-party CA, such as VeriSign.

The CA issuing the client certificate must be trusted by web protection software. Typically, this is determined by a browser setting.

There are many tools that you can use to generate a self-signed certificate, including the OpenSSL toolkit (available from openssl.org).

Regardless of the method you choose for generating the certificate, use the following general steps.

Steps

  1. Generate a private key (server.key).

    For the best browser compatibility, an Elliptic Curve key should be generated using either the secp256r1 (aka P-256) or secp384r1 (aka P-384) named curves.

  2. Generate a Certificate Signing Request (CSR) with the private key.
    Important:

    When prompted for the CommonName, enter the IP address of the Filtering Service machine. If you skip this step, client browsers will display a security certificate error.

    A separate certificate must be generated for each Filtering Service.

  3. Submit the CSR to a CA to be signed or use the CSR to create a self-signed certificate (server.crt).

    The certificate should be signed using SHA-256 or a similar algorithm in the SHA-2 family.

  4. Save the server.crt and server.key files in a location that your software can access, and where they can be read by Filtering Service.
    1. If OpenSSL is used to generate a certificate, use the following commands:

      openssl ecparam -name secp384r1 -genkey -out <name>.key

      openssl req -new -key <name>.key -out <name>.csr

      You will be prompted to enter the required data fields for the certificate.

    2. To create a self-signed certificate from the CSR, use the command

      openssl x509 -req -in <name>.csr -out <name>.crt -signkey <name>.key -days <days before expiration> -sha256
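The following POSIX shell script is an added example, not part of the original page or of the Filtering Service product, that runs the four steps above end to end with the openssl CLI and then checks the result: the key is on P-384, the signature digest is SHA-256, and the CommonName holds the service IP. The IP 192.0.2.10 and the file name prefix are constructed placeholders. One addition beyond the page's commands: the certificate also carries the IP as a subjectAltName via -extfile, because current browsers match the host against SAN entries and ignore the CommonName, so a CN-only certificate still produces a certificate error in practice.

```shell
#!/bin/sh
# Added example (not the page's own procedure): EC P-384 key -> CSR with the
# Filtering Service IP as CN -> SHA-256 self-signed certificate -> checks.
# Requires the openssl CLI. 192.0.2.10 is a constructed TEST-NET-1 address.
set -eu

# gen_key DIR NAME : private key on secp384r1 (P-384); -noout drops the
# separate EC PARAMETERS block so the file holds only the key
gen_key() {
    openssl ecparam -name secp384r1 -genkey -noout -out "$1/$2.key"
}

# gen_csr DIR NAME IP : CSR whose CommonName is the service IP; -subj
# supplies the fields non-interactively instead of answering the prompts
gen_csr() {
    openssl req -new -key "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$3"
}

# self_sign DIR NAME IP DAYS : self-signed certificate signed with SHA-256.
# The extfile adds an IP subjectAltName (assumption: the page only sets CN;
# browsers validate the SAN, so it is added here as well).
self_sign() {
    printf 'subjectAltName=IP:%s\n' "$3" > "$1/san.ext"
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days "$4" -sha256 \
        -extfile "$1/san.ext" -out "$1/$2.crt"
}

# check_cert DIR NAME IP : returns 0 only if the certificate uses the P-384
# curve, an ECDSA-with-SHA256 signature, the IP as CN and the IP as a SAN
check_cert() {
    text=$(openssl x509 -in "$1/$2.crt" -noout -text)
    echo "$text" | grep -Eq 'secp384r1|P-384' || return 1
    echo "$text" | grep -q 'ecdsa-with-SHA256' || return 1
    echo "$text" | grep -q "CN *= *$3" || return 1
    echo "$text" | grep -q "IP Address:$3" || return 1
    return 0
}

# make_cert DIR NAME IP DAYS : the whole procedure, steps 1 to 4
make_cert() {
    gen_key "$1" "$2"
    gen_csr "$1" "$2" "$3"
    self_sign "$1" "$2" "$3" "$4"
    check_cert "$1" "$2" "$3"
}

# Stand-alone run: build server.key / server.crt in a temporary directory
if command -v openssl >/dev/null 2>&1; then
    workdir=$(mktemp -d)
    make_cert "$workdir" server 192.0.2.10 365
    echo "certificate OK: $workdir/server.crt (key: $workdir/server.key)"
fi
```

Copy the resulting server.crt and server.key to the location Filtering Service reads from, as step 4 describes; the check_cert function is the same inspection an administrator would run by hand with `openssl x509 -in server.crt -noout -text` before deploying.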