Just a comment: if you have followed the steps in the installation manual, you may have come across this issue, like I had, and the fix is to generate the certificates with CRL.
So, in order to start this you will first need the Win32 OpenSSL package (you can get the light package, or the complete one). I used in my generation the Win32OpenSSL_Light-1_0_2d.exe.
Next, after you install the OpenSSL for Windows, you have to create some folders / files; I presume you will did not touch any of the installed files (openssl.cfg in particular), so go and create a new demoCA folder in the already existing bin folder, and then in it two files: clrnumber and index.txt.
Also, in the bin folder create a new file called cidRetail247CRLSetup.cfg and append this content:
crlDistributionPoints = URI:http://hostname/cidRetail247CRL.crl
authorityInfoAccess = OCSP;URI:http://hostname
(hostname variable must be replaced with the actual machine name you are going to install the certificates on). Also, one important note: all the names that start with cid can be replaced with whatever name you wish, as long as you keep the names properly throughout all the commands.
Now, open up a cmd and run each of the following commands:
set OPENSSL_CONF=C:\OpenSSL-Win32\bin\OpenSSL.cfg
openssl genrsa -out cidRetailCA.key 4096
openssl req -new -x509 -days 1826 -key cidRetailCA.key -out cidRetailCA.crt
openssl genrsa -out cidRetail247.key 4096
openssl req -new -key cidRetail247.key -out cidRetail247.csr
openssl x509 -req -days 730 -in cidRetail247.csr -CA cidRetailCA.crt -CAkey cidRetailCA.key -set_serial 01 -out cidRetail247.crt -extfile cidRetail247CRLSetup.cfg
openssl ca -gencrl -keyfile cidRetailCA.key -cert cidRetailCA.crt -out cidRetail247CRL.pem
openssl crl -inform PEM -in cidRetail247CRL.pem -outform DER -out cidRetail247CRL.crl
openssl pkcs12 -export -out cidRetail247.pfx -inkey cidRetail247.key -in cidRetail247.crt -chain -CAfile cidRetailCA.crt
So, now you can go ahead and install the two files you need on your MPOS machine: the CA .crt file in the Trusted Root Certification Authorities and the .pfx file in Personal.
I have also copied the cidRetail247CRL.crl file in the inetpub\wwwroot folder on the machine for which I generated the certificates (I suppose you have a web site on port 80 that is running, otherwise just change the address in your cfg file) - although I must admit I haven't tested if this step is actually required, or you can skip it.
Also, I did not mention anything about what you should enter as the data for your certificates at steps 3 and 6, but I believe you are familiar with that.
And, finally you will get the thumbprints for the certificate very easy using Powershell like:
get-childitem -path cert:\LocalMachine\My
No comments:
Post a Comment