Courses Academic Links Functional Stuff and Widgets Cool Stuff

CACert for Footprints

Process for Getting Certificate Upgraded for Web Server

I use CACert for my web server certificates. My servers are very low priority/security, so I'm not willing to pay real money for a certificate from Verisign or someone else. CACert offers free web server certificates. The only real downside to it is that the certificates expire in six months.

I use the IIS Cosign filter for Penn State's WebAccess. I have that tied to my installation of Footprints for our department's internal IT trouble reporting system. So, every six months, I need to put a new certificate on the webserver.

I created these instructions for myself because I botched up the installation of the certificate into the web server twice in the previous year. So, I figured that if I wrote up some notes this last time, I would have a better chance of remembering how to do it. These instructions are mostly for me - but if someone else gets benefit out of them - so much the better.

  • Go to CACertís website
  • Log in with the email address you originally used to get the 1st certificate
  • Request a new certificate for the web server (donít try to upgrade the certificate, just get a new one)
  • Paste the CSR from the text file above into the CSR field of the web form
  • Get the key (from email or web)
  • Copy the block of text and save on the web server as cert.key
  • Return to ISM! Do not attempt to import through the MMC.
  • Import the certificate through ISM to match the CSR
  • Now, you can go to the MMC Certificates snap-in and follow these instructions to export the key for WebAccess: http://aset.its.psu.edu/docs/webaccess/exporting.html
  • Make sure that you name the files the names that are in the Cosign filter config file in C:\Program Files\IISCosign\cosign.dll.config
  • The PEM file is referred to in the ChainFilePath tag

    The key file is referred to in the PrivateKeyFilePath tag

    Make sure that the filenames match what is in those tags Ė like you didnít do correctly in June 2007, you idiot.

    To confirm that the filter is working properly, go to the ISM, right click on the website, go to properties, ISAPI filter tab. Make sure that the Status Arrow is green!