6.8.4. Procedure – Generating TSA certificate with Windows Certificate Authority on Windows Server 2012
To generate a TSA certificate with Windows Certificate Authority (CA) that works with PSM, generate a CSR (certificate signing request) on a computer running OpenSSL and sign it with Windows CA, then import this certificate into PSM for timestamping.
Prerequisites:
A valid configuration file for OpenSSL with the following extensions:
[ tsa_cert ] extendedKeyUsage = critical,timeStamping
Tip |
---|
You can copy |
The TSA certificate is considered valid, in terms of compatibility with PSM, if the following conditions are met:
The following X509v3 extensions are supported:
Steps:
Create CSR using the new configuration file: openssl req -set_serial 0 -config openssl-temp.cnf -reqexts tsa_cert -new -newkey rsa:2048 -keyout timestamp.key -out timestamp.csr -nodes
Complete the required fields according to your environment:
Generating a 2048 bit RSA private key ........................+++ ......................................+++ writing new private key to 'timestamp.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:HU State or Province Name (full name) []:Budapest Locality Name (eg, city) []:Budapest Organization Name (eg, company) [Internet Widgits Pty Ltd]:BalaBit IT Security Organizational Unit Name (eg, section) []:Service Delivery Common Name (eg, YOUR name) []:scb35-1-i1.tohuvabohu.balabit Email Address []:[email protected]
Create and configure a time stamping web server template in the Certificate Authority, and use that to generate the TSA certificate.
Start the Certification Authority Microsoft Management Console, and select the CA server.
Right-click on
, and choose .The Certificate Templates Console opens.
Right-click on the
template, and choose .The Properties of New Template window is displayed.
Make the following changes to the new template:
On the General tab, change the to TSA.
On the Request Handling tab, enable the option.
On the Extensions tab, make the following changes:
Edit Application Policies:
Select
and click below the list of extensions.Remove Server Authentication:
Select
and click .Add Time Stamping:
Click
, select and click .Make Time Stamping critical:
Select
and enable the option, then click .and are listed in the .
Edit Key Usage:
Select
, click . Enable the option.Select
.Click
.The following are listed in the
.On the Security tab, select , and set to .
Click
. Click . The new TSA template is now displayed in the list of templates.Close this window and return to the Certification Authority main screen, and select the
folder.Right-click under the list, and choose
.The Enable Certificate Templates window is displayed.
Select the TSA certificate template, and choose
. Close this window.Open the command line, and issue the following command:
certreq -submit -attrib "CertificateTemplate:TSA" <CSR>
Replace <CSR> with the full path of the CSR created earlier (in the second step).
The Certification Authority List is displayed. Select the CA.
The Save Certificate window is displayed. Choose an output folder.
The certificate is generated to the specified folder.
In PSM, navigate to .
Click
next to , browse for the previously generated certificate, and click .
Click
next to , browse for the previously generated key, and click .
Published on March 12, 2018
© 2007-2017 Balabit SA
Send your comments to [email protected]