Ask a Question

Advanced Search

Solution ID : SO2615

Last Modified : 05/22/2018

Generate a CSR for Oracle Web Server

Problem

How to generate a csr for Oracle Web Server
How do I generate a csr on an Oracle Web Server

Solution

Please note that you should be using at least version 4.0.8 of Oracle Application Server (OAS) . 
Version 4.0.7.x does not accept our certificates, despite that fact that the Linux version of OAS 4.0.7.1 experienced no problems when we tested it.

 

To generate a CSR on an Oracle Web Server, perform the following steps:

Note: A key length of 1024 bit is the default, but Thawte requires a minimum 2048 bit key.

In this first step you generate a request for Thawte to issue a certificate. It involves generating a public/private key-pair and identifying the server, the organization using it, and its webmaster. The private key is encrypted and should never leave your server, except for backup purposes.
The public key will become part of the certificate and is therefore sent to Thawte, together with the rest of the information identifying your organization and your server.

To generate a certificate request, you will run the interactive utility genreq and enter the information for which it prompts you.
When the prompt specifies a default value, you can just press return to enter that value, or enter a different value if you prefer.

For an example of how to use genreq, see the following sample genreq session.
Note: Before you start, create a directory to store all SSL related files in, for example $ORACLE_HOME/ows2/ssl. To avoid typing long path names or moving files later, you can start genreq from this directory.

 

To run genreq, do the following:

  1. Start genreq, located in $ORACLE_HOME\OWS20\BIN on NT (typically c:\orant\ows20\bin) and $ORACLE_HOME/ows2/bin on UNIX:
  2. Type G to begin creating a certificate request:
  3. When prompted, type a password (minimum of 8 characters), used in encrypting your private key.
    Note: Remember this password.
  4. Retype the password for confirmation. If the password do not match, genreq will not warn you, it will just repeat step 3.
  5. Choose the public exponent you want to use one in generating the key pair. The only two recognized exponents are 3 and 65537, commonly called Fermat 4 or F4.
  6. Enter the size in bits of the modulus you want to use in generating the key pair. For the version of genreq sold in the United States of America, the size may be from 1 to 1024. The default size is 768 bits and the maximum is 1024 bits. A modulus size of 1024 is recommended for most browsers and also by Thawte. For versions of genreq sold outside the USA, the maximum (and default) modulus size is 512 bits. (NOTE: 1024 bits would be equal to a 128 bit encryption)
  7. Choose one of three methods for generating a random seed to use in generating the key pair:
  • Random file: genreq prompts you to enter the full pathname of a file in your local file system. This can be any file that is at least 256 bytes in size, does not contain any secret information, and has contents that cannot easily be guessed (on UNIX, you can use /var/adm/messages, on NT you can use \WINNT\System32\config\AppEvent.Evt)
  • Random key sequences: genreq prompts you to enter random keystrokes. genreq uses the variation in time between keystrokes to generate the seed. Don't use the keyboard's autorepeat capability, and don't wait longer than two seconds between keystrokes. genreq prompts you when you have typed enough keystrokes. You must delete any unused characters typed after this prompt.
  • Both: genreq prompts you to enter both a file name and random keystrokes. This option is recommended.

 

Certificate Signing Request content

The next steps will tell genreq where it should write certain files. If you've created an ssl directory and have started genreq from this directory, you can accept the defaults. Otherwise, you may want to include full pathnames, or plan to move the files that genreq created later.

  1. Enter the name of a file in which to store your WebServer's distinguished name. You can choose the default, or enter any filename with a .der extension. genreq creates this file in the current directory, though you may later move it to any convenient location.
  2. Enter the name of a file in which to store your WebServer's private key. You can choose the default, or enter any filename with a .der extension. genreq creates this file in the current directory, though you may later move it to any convenient location.
  3. Enter the name of a file in which to store the certificate request. You can choose the default, or enter any filename with a .pkc extension.
  4. Enter the requested identification information for your organization:

Common Name - The fully qualified host name of your organization's Internet point of presence as defined by the Domain Name Service (DNS).
Example: thawte.com

Organizational Unit - The name of the group, division, or other unit of your organization responsible for your Internet presence, or an informal or shortened name for your organization.
Example: Oracle Government

Organization - The official, legal name of your company or organization. Most CAs require you to verify this name by providing official documents, such as a business license.
Example: Thawte Corporation

Locality - The city, principality, or country where your organization is located.
Example: Mountain View

State or Province - The full name of the state or province where your organization is located. Thawte does not accept abbreviations.
Example: California

Country - The two-character ISO-format abbreviation for the country where your organization is located. The country code for the
Example: US

WebMaster's Name - The name of the Web Master responsible for the site. This person will serve as a technical contact.
Example: <leave it empty>

WebMaster's Email Address - The email address where Thawte can contact the Web Master.
Example: <leave it empty>

Server Software Version - The name and version number of the application for which you are getting the certificate (you should accept the default value).

 

Once you submit the CSR and your documentation and receive your certificate, you can follow these instructions to install the certificate on your server: SO2616