- A person must act as the certificate Subscriber for non-human entities (servers and other devices). These individuals are called PKI Sponsors. The PKI Sponsor for the device should be the System Administrator (or comparable role) for the device.
- The PKI Sponsor must be authorized, in writing, to obtain certificates for the organization (see the ACES Component/Server Certificate Authorization Letter).
- IMPORTANT: The PKI Sponsor who will be named in the certificate request must submit the online request themselves, in their own name. You may NOT make an online request on behalf of another individual.
- A workstation with a FIPS 140-1/2 Level 1 cryptographic compliant web browser is required. This includes Internet Explorer 5.5 and above and Firefox 1.5 and above. At this time, requests may only be made through Internet Explorer or Firefox. Do not attempt to make your request through other browsers, such as Google Chrome or Safari.
- The PKI Sponsor will create a CSR to generate certificate key pairs with the correct specifications.
- PKI Sponsors should create a back-up file of the key pair generated by the CSR to mitigate the risk of technical failure. The ACES Certificate Policy requires private keys to be protected with a password or PIN at a minimum. NOTE: Server certificate private keys are not usually password protected when installed and operational on the server, but all other instances of the private key (such as a back-up file) must be password protected.
Making a CSR
The procedure for generating the key pair and the CSR depends on your server. Your server may have its own procedure, or you may use a common tool such as OpenSSL. When creating the CSR, you will need the following information:
- Key Length or Key Size: 2048 bits
- Hash Algorithm: SHA2 or SHA256
- Subject values: C=US, O=Company/Organization Name, OU=Department, CN=domain name/hostname/IP address
- Exportable: yes or true (in most cases, you want the private key to be exportable)
- Request type or output: PKCS10
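The following is an added example, not part of the ACES guidance, showing the settings listed above carried out with OpenSSL: a 2048-bit RSA key, a SHA-256-signed PKCS#10 request with the required subject order, a check of the resulting CSR against those requirements, and a password-protected back-up copy of the private key. The function names and the subject values (www.example.com, Example Corp, IT) are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the ACES guidance). Generates a key pair and
# PKCS#10 CSR with OpenSSL, then checks the CSR before it is submitted.
set -eu

make_csr() {
    # $1 = output file prefix, $2 = CN (hostname), $3 = O, $4 = OU
    prefix=$1; cn=$2; org=$3; ou=$4
    # 2048-bit RSA key. This operational copy is left unencrypted, as the
    # note on server private keys above describes; restrict its permissions.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$prefix.key" 2>/dev/null
    chmod 600 "$prefix.key"
    # PKCS#10 request signed with SHA-256; subject in the order C, O, OU, CN.
    openssl req -new -sha256 -key "$prefix.key" \
        -subj "/C=US/O=$org/OU=$ou/CN=$cn" -out "$prefix.csr"
}

# Helpers that read the key size, signature algorithm and subject back out
# of a CSR so they can be compared with the requirements before submission.
csr_key_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
csr_sig_alg() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Signature Algorithm: \(.*\)/\1/p' | head -n1
}
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# The back-up copy of the private key must be password protected: wrap it
# as an encrypted PKCS#8 file (AES-256) so only the server copy is in clear.
backup_key() {
    # $1 = key file, $2 = back-up file, $3 = passphrase
    openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$1" -out "$2" -passout "pass:$3"
}

# Constructed sample values; replace with your organization and hostname.
make_csr aces-demo www.example.com "Example Corp" IT
csr_subject aces-demo.csr
backup_key aces-demo.key aces-demo.key.bak "use-a-strong-passphrase"
```

Compare the printed subject, key size and signature algorithm with the list above before submitting the request, and keep only the encrypted back-up outside the server.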
After reading the requirements above: