
VeriSign
Server OnSite FAQs
--------------------------------------------------------------------------------
TABLE OF CONTENTS
How do I enroll for additional domains?
How do I Add Server Certs?
Cert count clarification
Where do my end users enroll? What is the lifecycle services URL?
Why do I get an error "this certificate has failed to verify for all of its intended purposes" when viewing my Global ID?
How do I generate a Certificate Signing Request (CSR) for my web server?
What server vendors are supported by SafeScrypt Servers for OnSite and Global Server OnSite?
How do I renew a certificate that was issued through SafeScrypt's Retail product group last year, into my OnSite account this year?
How many Server OnSite IDs do I need for a load balancing or clustering environment?
----------------------------------------------------------------
Q. How do I enroll for additional domains?
A. Go to either of the following URLs to enroll for more domain names.
Secure Server OnSite account:
https://onsite.safescrypt.com/OnSiteMoreDomainNames.html
Global Server OnSite account:
https://onsite.safescrypt.com/OnSiteMoreDomainNamesGlobal.html
To avoid enrollment complications, enter the following information where the enrollment page asks for it. It must be entered exactly as shown on your administrator ID.
Company = Your Company, Inc.
Department = Department One
Common Name = Your Name
Email Address = your.name@yourcompany.com
Domain name processing typically takes 1-2 business days. If you are not sure how many active domains you have, you can check as follows:
Go to the Control Center, open the Certificate Management tab, and click on User Services on the left. Select the link to your company's Lifecycle Pages, and then click on Display Registered Domain Names.
Your first four domains are included with the OnSite package. After that, additional domains are $150.00 each. Please also note that replacing an unused domain name counts as adding an additional domain. For further pricing questions or discussion of these points, please contact your SafeScrypt salesperson, or call 91-44-22540863 if you do not have one.
--------------------------------------------------------------------------------
Q. How do I Add Server Certs?
A. To purchase additional server
certificates, please click on the following URL:
https://onsite.safescrypt.com/OnSiteAddlServerCerts.html
To purchase additional Global
server certificates, please click on this URL:
https://onsite.safescrypt.com/OnSiteAddlGlobalServerCerts.html
To avoid enrollment complications, enter the following information on the enrollment page. It must be entered exactly as shown on your administrator ID.
Company = Your Company, Inc.
Department = Department One
Common Name = Your Name
Email Address = your.name@yourcompany.com
For other accounts not listed above
and for any pricing information, please contact your SafeScrypt salesperson or
call (650) 426-5115.
--------------------------------------------------------------------------------
Q. Cert count clarification:
A. For Secure Server and Global Server OnSite accounts, any certificate revoked within 30 days of issuance is credited back to the account automatically within 24 hours.
Any certificate you revoke after the 30-day grace period counts as an issued certificate and is deducted from the total number of certificates purchased.
For Client and IPSec OnSite accounts there is no crediting, regardless of when in the certificate's lifecycle it is revoked.
If you need to purchase more
certificates, please consult this FAQ section for instructions. You may also
contact your SafeScrypt Salesperson or call 91-44-22540863.
--------------------------------------------------------------------------------
Q. Where do my end users enroll?
What is the lifecycle services URL?
A. To find the Lifecycle URL used to enroll, search for, revoke, or renew certificates (and to install a CA or look up registered domain names, if applicable):
Access your Control Center at https://onsite-admin.safescrypt.com/OnSiteHome.html. Once in the Control Center, click on Certificate Management in the top navigation bar. On the left side, select User Services. Once the page loads, you will see the Lifecycle Services URL toward the bottom of the page. Clicking on this URL opens a new window that presents the Lifecycle options to you. You may also distribute this URL to end users.
If you do not see this URL, please
contact OnSite Support at 800-579-2848 or email support at
onsite_support@safescrypt.com with a description of the problem and steps taken
to achieve your end-goal.
--------------------------------------------------------------------------------
Q. Why do I get an error "this
certificate has failed to verify for all of its intended purposes" when viewing
my Global ID?
A. When connecting to a secure Web site that has a SafeScrypt Global Server ID installed, Microsoft Internet Explorer (IE) 5.0 returns the error "this certificate has failed to verify for all of its intended purposes" when the certificate is viewed.
Users of IE 5.0 are able to connect successfully to a server that uses a Global ID. A 128-bit Secure Sockets Layer (SSL) session is established automatically, with no special action needed on the part of the client. When the client clicks on the padlock icon in IE 5.0, they will see the message "this certificate has failed to verify for all of its intended purposes". VeriSign and Microsoft have determined that this is a minor user interface error between IE 5.0 and VeriSign Global Server IDs. It does not affect the basic functionality or security of either product and should be invisible to most users. Global IDs are intended to enable 128-bit strong encryption sessions with both domestic and export versions of browsers connecting to a server that has a Global Server ID.
Note: Your security is NOT
compromised in any way.
This error is due to IE 5.0 not recognizing a specific object identifier (OID) that describes one of the purposes the certificate is intended for. The effect is limited to the user interface: the certificate chain still validates, and the user still connects at 128 bits. If the user clicks on the 'Certificate Path' tab in the same dialog box, a message will be displayed indicating that the Digital ID is verified and is OK. You can also refer to Microsoft's article about this error at: http://support.microsoft.com/support/kb/articles/Q233/4/79.ASP
Microsoft and VeriSign take this user interface error seriously. At this time Microsoft does not have a fix for this issue; VeriSign is working to develop a solution and will update this Knowledge Base as soon as one is available.
The Secure Site Service is not
affected by this bug and is available as an alternative if this interface error
is not acceptable.
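What the viewer is actually stumbling over can be shown with a small decoder. The extendedKeyUsage extension is a DER SEQUENCE OF OBJECT IDENTIFIER; a viewer that has no name for one of those OIDs can only report that the certificate failed to verify "for all of its intended purposes", even though path validation does not depend on recognizing every purpose OID. The following is an added example, not code from the FAQ, VeriSign or SafeScrypt. The FAQ does not name the OID involved; treating the two Server Gated Cryptography OIDs as that case, and the set of OIDs an old viewer knows, are assumptions made here, and the sample bytes are hand-encoded for this example.

```python
"""Decode an X.509 extendedKeyUsage value and list the OIDs a viewer cannot name.

Added example, not code from the FAQ or from VeriSign/SafeScrypt. The FAQ only
says IE 5.0 does not recognize "a specific OID"; treating the two Server Gated
Cryptography (SGC) OIDs as that case, and the set of OIDs an old viewer knows,
are assumptions made here.
"""
from typing import List, Set, Tuple

# Names for OIDs that may appear in an EKU extension.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.4.1.311.10.3.3": "Microsoft Server Gated Cryptography",
    "2.16.840.1.113730.4.1": "Netscape Server Gated Cryptography",
}

# Assumption: a viewer that predates SGC only has names for these two.
OLD_VIEWER_KNOWS: Set[str] = {"1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"}


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated DER")
    return tag, data[pos:end], end


def decode_oid(content: bytes) -> str:
    """Convert the content octets of an OBJECT IDENTIFIER to dotted-decimal form."""
    if not content or content[-1] & 0x80:
        raise ValueError("empty or unterminated OID")
    arcs: List[int] = []
    value = 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if byte & 0x80:
            continue  # continuation bit set: this arc has more septets
        if not arcs:
            # The first sub-identifier packs the first two arcs as X*40 + Y.
            first = 2 if value >= 80 else value // 40
            arcs.extend([first, value - first * 40])
        else:
            arcs.append(value)
        value = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(der: bytes) -> List[str]:
    """Parse an extendedKeyUsage value (SEQUENCE OF OBJECT IDENTIFIER) into dotted OIDs."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value must be a single SEQUENCE")
    oids: List[str] = []
    pos = 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE may only contain OBJECT IDENTIFIERs")
        oids.append(decode_oid(content))
    return oids


def unrecognized_purposes(der: bytes, viewer_knows: Set[str]) -> List[str]:
    """OIDs in the certificate's EKU for which the viewer has no name.

    This is the situation the FAQ describes: a display problem only. Path
    validation does not require the viewer to understand every EKU OID.
    """
    return [oid for oid in parse_eku(der) if oid not in viewer_knows]


# Constructed sample: serverAuth plus both SGC OIDs, hand-encoded in DER.
SAMPLE_EKU = bytes.fromhex(
    "3021"                        # SEQUENCE, 33 bytes of content
    "06082b06010505070301"        # 1.3.6.1.5.5.7.3.1      serverAuth
    "060a2b0601040182370a0303"    # 1.3.6.1.4.1.311.10.3.3 Microsoft SGC
    "06096086480186f8420401"      # 2.16.840.1.113730.4.1  Netscape SGC
)

if __name__ == "__main__":
    for oid in parse_eku(SAMPLE_EKU):
        print(oid, EKU_NAMES.get(oid, "(no name)"))
    print("old viewer cannot name:", unrecognized_purposes(SAMPLE_EKU, OLD_VIEWER_KNOWS))
```

Running it lists each OID with its name and then the two SGC OIDs that the assumed old viewer cannot name. To look at a real certificate, `openssl x509 -in cert.pem -noout -text` prints the extension under "X509v3 Extended Key Usage"; the decoder above can be pointed at the raw extension value the same way.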
--------------------------------------------------------------------------------
Q. How do I generate a Certificate
Signing Request (CSR) for my web server?
A. For detailed instructions on the different web servers and how to create Certificate Signing Requests (CSRs) for server certificates, please proceed to the following URL:
http://www.verisign.com/support/csr/index.html
Select your Server Software Vendor
to view detailed instructions for generating a CSR. If your server is not listed
or you need additional information, refer to your server documentation or
contact your server vendor.
Important points to remember when generating the CSR:
Do not include shift characters in the enrollment fields. During enrollment for a SafeScrypt Server ID, you may receive error "105" after you submit your Certificate Signing Request (CSR). The error is due to an invalid attribute or character in the CSR you are trying to submit: the Web server software used to generate the CSR has used a tag or encoding scheme that prevents our system from reading the information contained in the CSR. The most common cause of this error is shift characters such as (, ), @, #, &, ! and so on (most non-alphanumerics). For example, if you have an "&" in your organization name, you will need to spell out the word "and" or leave out the "&". When creating the CSR, the following fields are to be entered: Organization, Organizational Unit, Country, State, Locality, and Common Name. Ensure that the Organization and the Organizational Unit match exactly what you requested when signing up for the Server OnSite product.
The Common Name is typically composed of host + domain name and looks like "www.company.com" or "company.com". SafeScrypt Server IDs are specific to the Common Name they have been issued to, down to the host level. The Common Name must be the same as the Web address users will enter when connecting to the secure site. For example, a browser will show a warning if a Server ID issued to "domain.com" is installed on a site reached as "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different names from "domain.com". You would need to create a CSR for the correct Common Name. When the Server ID will be used on an intranet (or internal network), the Common Name may be one word, and it can also be the name of the server.
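The rules above can be checked before the CSR is ever built. The following is an added example (not the FAQ's, VeriSign's or SafeScrypt's code, and not part of the original page): it rejects the shift characters that trigger error 105, confirms the Common Name is the exact host users will type, and assembles the `openssl req` command line for a fresh key and CSR, which is also the path the FAQ requires when moving a retail certificate into OnSite (see the renewal question later on this page). The accepted character set, the two-letter country check, and the sample subject values are assumptions.

```python
"""Check a Server ID Distinguished Name before generating the CSR with openssl.

Added example, not code from the FAQ or from VeriSign/SafeScrypt. The FAQ lists
( ) @ # & ! as examples of characters that cause error 105 and says most
non-alphanumerics do; the exact accepted set below (letters, digits, space,
period, comma, hyphen) and the two-letter country check are assumptions.
"""
import re
from typing import Dict, List

# Country, State, Locality, Organization, Organizational Unit, Common Name.
REQUIRED = ("C", "ST", "L", "O", "OU", "CN")
_SAFE = re.compile(r"[A-Za-z0-9 .,-]")   # assumption: what counts as "safe" here
_LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def shift_characters(value: str) -> List[str]:
    """Characters in value that the FAQ says will make enrollment fail with error 105."""
    return sorted({ch for ch in value if not _SAFE.fullmatch(ch)})


def validate_subject(subject: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the DN is safe to submit."""
    problems: List[str] = []
    for field in REQUIRED:
        value = subject.get(field, "")
        if not value.strip():
            problems.append(f"{field}: missing")
            continue
        bad = shift_characters(value)
        if bad:
            joined = "".join(bad)
            problems.append(f"{field}: contains {joined!r}; spell them out or leave them out")
    country = subject.get("C", "")
    if country and not re.fullmatch(r"[A-Z]{2}", country):
        problems.append("C: must be the two-letter ISO 3166 country code")
    cn = subject.get("CN", "")
    # A single label is allowed because the FAQ permits a one-word intranet name.
    if cn and not all(_LABEL.fullmatch(label) for label in cn.split(".")):
        problems.append("CN: must be a host name such as www.company.com")
    return problems


def common_name_matches(cn: str, url_host: str) -> bool:
    """Server IDs are host-specific: an ID for 'domain.com' does not cover 'www.domain.com'."""
    return cn.lower() == url_host.lower()


def openssl_subj(subject: Dict[str, str]) -> str:
    """Build the /C=../CN=.. argument for 'openssl req -subj'."""
    return "".join(f"/{field}={subject[field]}" for field in REQUIRED)


def openssl_csr_command(subject: Dict[str, str], key_file: str, csr_file: str) -> List[str]:
    """argv that generates a fresh RSA key and a CSR for a validated subject.

    A new key and CSR is also what the FAQ requires when moving a retail
    certificate into OnSite (the server's "create renewal key" option is not
    accepted). -nodes leaves the key unencrypted on disk; protect the file.
    """
    problems = validate_subject(subject)
    if problems:
        raise ValueError("; ".join(problems))
    return ["openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
            "-keyout", key_file, "-out", csr_file, "-subj", openssl_subj(subject)]


# Constructed sample using the FAQ's placeholder company and department.
SAMPLE_SUBJECT = {
    "C": "IN", "ST": "Tamil Nadu", "L": "Chennai",
    "O": "Your Company, Inc.", "OU": "Department One", "CN": "www.yourcompany.com",
}

if __name__ == "__main__":
    print(validate_subject(SAMPLE_SUBJECT))                                 # []
    print(validate_subject(dict(SAMPLE_SUBJECT, O="Smith & Jones (Pvt)")))
    print(common_name_matches(SAMPLE_SUBJECT["CN"], "yourcompany.com"))     # False
    print(" ".join(openssl_csr_command(SAMPLE_SUBJECT, "server.key", "server.csr")))
```

The script only builds the command; run it, then paste the resulting CSR into the OnSite enrollment form. One caveat for anyone reading this today: browsers have long since required the host name to appear in a subjectAltName extension as well, which an invocation like this one does not add; the FAQ predates that requirement.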
If you do not currently have a
needed domain registered to your account, you will need to follow the process to
do so. Please see S0230 for further details.
Note to non-administrators for the
SafeScrypt OnSite account: Your OnSite administrator will approve, deny, or
expedite approval of the certificate request. SafeScrypt Ltd. does not handle
this responsibility, and we have validated your OnSite administrator to
facilitate these duties through their Control Center.
Please email or contact the support
line at 91-44-22540863 or onsite_support@safescrypt.com if further technical
assistance is required.
--------------------------------------------------------------------------------
Q. What server vendors are
supported by SafeScrypt Servers for OnSite and Global Server OnSite?
A. Solution S1790 contains a
current list of supported vendors. These servers are known to work with the
OnSite product to successfully generate compliant certificates.
http://www.verisign.com/cgi-bin/kb/clearexp_cgi/solution.html?probdesc.objid=268508373
The contents of S1790 are also listed below for your convenience. Please note that we are continually monitoring and updating this list as compatibility extends to more vendors and versions of server software. We will do the best we can to accommodate your request should you make one to add a vendor not listed below. Requests can be made to the Enterprise Support group at onsite_support@safescrypt.com or by calling 91-44-22540863.
--------------------------------------------------------------------------------
Q. How do I renew a certificate
that was issued through SafeScrypt's Retail product group last year, into my
OnSite account this year?
A. This applies only to Secure Server and Global Server IDs, where the OnSite product accepts them. As Class 1 client IDs are not issued through OnSite, the customer may renew those through Retail, or consider purchasing OnSite if they have a large-scale need for Class 2 client IDs.
In order to renew a certificate that was previously issued through SafeScrypt's retail channel, you will need to create a new CSR. You will not be able to use your server software's "create renewal key" option, as the formatting of the headers differs from a new enrollment. You can, however, use exactly the same Distinguished Name information (i.e. Common Name, Organization, Organizational Unit, etc.). Submit this request as a new request on your company's OnSite enrollment URL. This allows the new certificate to be issued and the ID to be migrated into your account.
You may not renew an OnSite-issued
certificate through Retail. A new CSR will need to be created and submitted at
the Retail pages if you choose not to use the OnSite account.
Another situation where you may not
renew through OnSite occurs when the products differ. For instance, your company
has a Secure Server OnSite account but a Global Server certificate obtained
through Retail is expiring. As the OnSite product is specific to the type of
certificate it issues, a decision will need to be made as to whether you enroll
for a Secure Server certificate through the company's OnSite account or renew at
the Retail pages for another Global Server certificate.
For end-users, not OnSite
administrators: Please consult your OnSite administrator for the necessary URL,
or check within your organization whether an OnSite account exists. More
information can be obtained about the OnSite product from our Sales department
at 91-44-22540863.
--------------------------------------------------------------------------------
Q. How many Server OnSite IDs do I
need for a load balancing or clustering environment?
A. SafeScrypt recommends that one SSL Server or Global Server ID be used to secure each domain name on every server in a multi-server environment, and that the corresponding private key be generated on the hosting server itself.
Some enterprises or ISPs practice certificate sharing (using a single SSL Server ID to secure multiple servers) in order to secure back-up servers or to ensure high-quality service on high-traffic sites by balancing traffic among several servers. However, certificate sharing means copying the private key to every server, so a compromise of any one of them exposes the key for all, and it does not satisfy the fundamentals of trust that SSL was designed to instill. SafeScrypt recommends that organizations accomplish load balancing using the following methods:
Multiple sites with different common names on multiple servers: To prevent browsers from detecting that the URL of the site visited differs from the common name in the certificate, and to protect the security of the private keys, use a different certificate for each server/domain name combination.
Multiple sites with the same common name on multiple servers: Instead of jeopardizing the private key by copying it to multiple servers, use a different certificate for each server. Each certificate may have the same common name and organizational name, but a slightly different organizational unit value. This variation can be either a completely different OU or something as simple as a change of case somewhere in the OU (for example: "Services" to "services").
Additional Terms and Conditions can
be found at the following URL:
http://www.safescrypt.com/repository/subscriber/server.html
Please proceed to your OnSite
Lifecycle URL to enroll for additional certificates. Upon submission, your
OnSite administrator will evaluate your request. For any questions or concerns
regarding certificate generation or installation, we would like to direct you to
first contact your OnSite administrator. If the issue cannot be resolved, you
may conference the administrator in on a phone call to (650) 426-3535 or
carbon-copy them in an email to onsite_support@safescrypt.com.