Generating a Certificate Signing Request for Use with TN3270 Server

What Is a Certificate Signing Request? 
A certificate signing request (CSR) is a special file with encoded information necessary to request a digital certificate from a certificate authority (CA). 

If you have a secure TN3270 server running Secure Sockets Layer (SSL) security code, you need a server certificate. The server certificate is installed on the router. Without the certificate, clients cannot establish secure sessions to the router. 

Cisco does not provide digital certificates. Digital certificates must be obtained from a CA such as Entrust, Verisign, or thawte. CAs normally require you to submit your request for a server certificate as a CSR. 

What Is the Private Key File?
The private key file contains your private encryption keys. It is important to save this file and not allow it to be compromised. If its contents become public, your secure certificate cannot be trusted. After obtaining the signed digital certificate from the CA, you will need the private key file as described later in this document. 

Supplied Applications

As mentioned previously, Cisco does not provide digital certificates. A number of open-source Windows- and UNIX-based programs can be used to create the CSR and private key files. You are welcome to use any of these. 
To help you create a CSR and a private key file, we have provided two sample applications:
  • The CERTREQ.EXE application runs in Windows 95/98. It is very easy to use and generates a private key file and a CSR from the information that is entered. 
  • For maximum flexibility, we have also included the SSLCCERT.EXE application. This program is based on the SSLeay open-source program created by E. A. Young. Please see the copyright information included with the application. This DOS-based, line-mode application is more difficult to use, but it offers more options for the certificates and private keys. 
Please refer to the following links for information on downloading the application files and for documentation on their use:
  • Using Windows-based CERTREQ.EXE
  • Using DOS-based SSLCCERT.EXE

Getting a Certificate

After you have generated the CSR and private key files, you can apply to a CA for a certificate. For example, on Verisign's Web site at www.verisign.com, you are asked to paste your CSR into the Web page. Use only PEM format when asked to paste a CSR into a Web page. You do not need the private key during the CSR process. Do not give the private key file to anyone outside of your trusted administrators.

Making the Complete Certificate File

When you receive the certificate file back from the CA, copy this file to the same directory where the private key is stored.

The Cisco TN3270 Server takes a single file containing both the certificate and private key. Concatenate these two files together. The concatenated file should be stored on the flash on the Cisco router according to the TN3270 Server SSL installation instructions.

For example, suppose that you have the following files saved in a directory on your Windows machine:
  • certreq-csr.pem (CSR file)
  • certreq-key.pem (private key file)
  • certificate.pem (certificate from CA)

At this point you will no longer use the CSR file. To join the private key file and the certificate together, issue the following commands from the DOS command prompt:

    type certificate.pem > certfinal.pem
    type certreq-key.pem >> certfinal.pem

This will concatenate both files into the file certfinal.pem, which can then be copied to the flash card on the Cisco router.
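
A check worth running on certfinal.pem before copying it to the router, shown here as an added example (not part of the original document or of Cisco's tools): if certificate.pem does not end with a newline, the two `type` commands leave the certificate's END marker and the key's BEGIN marker on the same line. The function names and the sample blocks are constructed for illustration.

```python
import base64
import re
# A PEM boundary marker must occupy a whole line by itself.
BOUNDARY = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")

def check_combined_pem(text):
    """Return (labels, problems) for the text of a certificate + key file."""
    labels, problems, current, body = [], [], None, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = BOUNDARY.match(line)
        if m is None:
            if "-----BEGIN" in line or "-----END" in line:
                problems.append(f"line {n}: boundary marker shares a line with other text")
            elif current and line and ":" not in line:  # skip Proc-Type/DEK-Info headers
                body.append(line)
            continue
        kind, label = m.groups()
        if kind == "BEGIN":
            current, body = label, []
            continue
        if label != current:
            problems.append(f"line {n}: END {label} does not close {current}")
        else:
            try:
                base64.b64decode("".join(body), validate=True)
                labels.append(label)
            except ValueError:
                problems.append(f"line {n}: {label} body is not valid base64")
        current = None
    if current:
        problems.append(f"{current} block is never closed")
    if labels.count("CERTIFICATE") != 1:
        problems.append("expected exactly one CERTIFICATE block")
    if sum(label.endswith("PRIVATE KEY") for label in labels) != 1:
        problems.append("expected exactly one PRIVATE KEY block")
    if any(label.endswith("CERTIFICATE REQUEST") for label in labels):
        problems.append("CSR block present; the CSR is not used in the final file")
    return labels, problems

def sample_block(label, payload):  # constructed PEM-shaped block, placeholder bytes
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----"

if __name__ == "__main__":
    cert = sample_block("CERTIFICATE", b"constructed certificate bytes")
    key = sample_block("RSA PRIVATE KEY", b"constructed key bytes")
    print(check_combined_pem(cert + "\n" + key + "\n"))  # clean file
    print(check_combined_pem(cert + key + "\n"))  # certificate.pem lacked a final newline
```

To check a real file, pass its contents, for example `check_combined_pem(open("certfinal.pem").read())`; an empty problems list means both blocks are present and intact.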