
Chapter 14: Managing Keys and Certificates

Managing keys and certificates on EAServer

EAServer Manager | Certificates folder allows you to manage keys and certificates used by EAServer.


EAServer Manager | Certificates folder management

This section describes the tasks involved in accessing and managing the server certificate database, or the certificate database used by client applications. To manage the server certificate database, use the top-level Certificates folder in EAServer Manager while connected to the server. To manage the client certificate database, run the standalone Security Manager. Apart from the tool used, the management tasks are identical for the client and server certificate databases.

You can install and use the standalone Security Manager on a client machine to manage client keys, certificates, and trust information in a local database. The standalone Security Manager is completely independent of EAServer Manager and server installations. Except for the login screen, the standalone Security Manager is identical to EAServer Manager | Certificates folder used to manage server keys and certificates.

The Standalone Security Manager allows C++ CORBA clients and Java applications to access servers using SSL features over IIOPS connections. For more information, see these chapters:

Steps: Accessing the server certificate database in EAServer Manager

To begin managing the server certificate database:

  1. Start EAServer Manager as described in “Using EAServer Manager” in the EAServer System Administration Guide.

  2. Expand the top-level Certificates folder. The first time you put the focus on this folder in your session, you must enter the PIN for the PKCS #11 token. The default for new installations is “sybase”.

Steps: Starting the standalone Security Manager

  1. Change to the EAServer bin subdirectory.

  2. Run sasecmgr to start Sybase Central.

  3. In Sybase Central, choose Tools | Connect.

  4. Choose Security Manager.

  5. Enter the PIN for the PKCS #11 token. The default for new installations is “sybase”. Make sure the Client Root setting matches the installation you want to configure; this field should match the value of the JAGUAR or JAGUAR_CLIENT_ROOT environment variable as set for the installation to be configured.

Steps: Changing the user PIN

The initial PIN for the PKCS #11 token is “sybase”. You can also use the same PIN to log in to EAServer Manager | Certificates folder and, if installed, the Sybase PKCS #11 token in Netscape. To change to a more secure PIN:

  1. Select the Private Keys folder.

  2. Select File | Change PIN.

  3. Enter and verify the new PIN.

Restart Netscape for the new PIN to propagate to the Sybase PKCS #11 token.

Steps: Displaying PKCS #11 module information

  1. Select the Private Keys folder.

  2. To view information about the Sybase PKCS #11 module, including the library version and the Cryptoki version, select File | Module Information.

    To view information about the Sybase PKCS #11 token that manages your key and certificate information, including status and version information, select File | Token Information.

Steps: Logging out of the PKCS #11 module

  1. Select the Private Keys folder.

  2. Select File | Logout.

You are still logged in to EAServer Manager but can no longer access keys or certificates.


Test CA management

The test CA is a signing authority that signs user certificate requests. These certificates can be used by clients and EAServer to test the security features of your applications. Certificates signed by the test CA are not intended for commercial applications. If you already have an in-house CA or other signing authority, you may not need to use the test CA.

Note: The test CA must exist before you can access the Process Certificate Request and Generate User Test Certificate options.

Steps: Creating a test CA

To verify that the test CA is available, highlight the CA Certificates folder. You should see the Sybase Jaguar User Test CA on the right side of the window. If not, you must generate the test CA.

  1. Select the CA Certificates folder.

  2. Select File | Generate Test CA.

The Sybase Jaguar User Test CA displays on the right side of the window. You can now generate test certificates signed by the test CA and process certificate requests.

Steps: Generating a user certificate signed by the test CA

  1. Select the CA Certificates folder.

  2. Select File | Generate User Test Certificate. The Generate User Test Certificate wizard displays.

  3. Supply the required information described in Table 14-1. Click Back and Next to review and modify information.

  4. You can use any of the following characters for the label:

  5. Click Finish to exit the wizard and generate the certificate.

  6. Click OK in the Info dialog. The certificate displays when you highlight the User Certificates folder.

Table 14-1: User test certificate information

Key Strength
  Description: Select the authentication key strength. The greater the number, the stronger the encryption. Your options are:
    • 512 bits
    • 768 bits
    • 1024 bits
  Comments/example: For international users, key strength is 512.

Key Label
  Description: The name that identifies the certificate.
  Comments/example: Required field. The label must be unique among all labels used for all certificates.

Validity Period
  Description: From the drop-down list, select the length of time that the certificate is valid.
  Comments/example: When a client (or server) presents a certificate for authentication, EAServer (or the browser) checks to see if the certificate has expired.

Cert Usage
  Description: Click the check box for either or both:
    • SSL Client
    • SSL Server
  Comments/example: The same certificate can be used by a client and/or EAServer.

Common Name
  Description: Your first and last name.
  Comments/example: Required field.

User ID
  Description: Any ID that would further identify you.

Organization
  Description: The name of your company, university, or other organization.
  Comments/example: Required field.

Organization Unit
  Description: The name of a department within your organization.

Locality
  Description: The location of your organization.
  Comments/example: You must supply at least one of:
    • Locality
    • State/Province
    • Country

State/Province
  Description: State or province name.

Country
  Description: Your two-letter country code; for example, “U.S.”

Requester Name
  Description: The person requesting the certificate.

Server Admin
  Description: The name, if any, of the server administrator.

E-Mail
  Description: Your e-mail address.

Mark Private Key Exportable
  Description: Checked by default, this property allows you to export this certificate along with its private key.
  Comments/example: See “Installing and exporting certificates” for more information.
  Note: If checked, you can later uncheck this property. Once unchecked, you cannot change this property. If unchecked, you cannot export this certificate and private key.

Steps: Processing a certificate request

EAServer Manager | Certificates folder can process a certificate request generated from elsewhere. The test CA signs the request and generates the certificate.

  1. Select the CA Certificates folder.

  2. Select File | Process Certificate Request.

  3. Paste the certificate request into the window as indicated. Here is an example of a base64 certificate request. You must include the entire contents, including the BEGIN and END lines:

    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIH4MIGjAgEAMD4xCjAIBgNVBAMTAWExCjAIBgNVBAoTAWExCjAIBgNVBAcTAWEx
    CzAJBgNVBAgTAmNhMQswCQYDVQQGEwJ1czBcMA0GCSqGSIb3DQEBAQUAA0sAMEgC
    QQC9Yn9AOzflqIarPCC7eRdr3C0wrIG+3B2T+pEs9sdgEjnc/bw1GfxcZKYamWXg
    G1KQycFqkdrFNP79fgRCOd3xAgMBAAGgADANBgkqhkiG9w0BAQQFAANBAIEljmCB
    HbFdNj0MtFDa002f/Trl6FtGCh7Gs23pZlWIUzDlGFowiuJY6iMDzd/1bJz5yYB+
    IvlM9Ath/zTF2eY=
    -----END NEW CERTIFICATE REQUEST-----
    
  4. Set the following certificate properties:

  5. Click Next. The certificate is generated and displays in the dialog. Here is the signed base64 certificate:

    -----BEGIN CERTIFICATE-----
    MIICYTCCAcqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADCBgjEzMDEGA1UEAxMqU3li
    YXNlIEphZ3VhciBVc2VyIFRlc3QgQ0EgKFRFU1QgVVNFIE9OTFkpMSAwHgYDVQQK
    ExdTeWJhc2UgSmFndWFyIFVzZXIgVGVzdDEpMCcGA1UEBxMgU3liYXNlIEphZ3Vh
    ciBVc2VyIFRlc3QgTG9jYWxpdHkwHhcNOTgwNzAyMDIzOTEzWhcNOTgwOTAyMDIz
    OTEzWjBHMQ0wCwYDVQQDEwR0ZXN0MQ0wCwYDVQQKEwR0ZXN0MQ0wCwYDVQQHEwR0
    ZXN0MQswCQYDVQQIEwJjYTELMAkGA1UEBhMCdXMwXDANBgkqhkiG9w0BAQEFAANL
    ADBIAkEAvzvqs9yjW/PDCt/Rotp9x9PHrULLeGOLlVSubo9poY1f5OYwsrjfaOtT
    bkhWDrakuwJJk8smDNSAl93tdP9r8wIDAQABo2UwYzAMBgNVHRMEBTADAQEAMB0G
    A1UdDgQWBBTAT0n9qsvdfqc9NzGPA5oLKsMzJjAhBgNVHSMEGjAYoBYEFGLT8qZb
    3LtGjw84nxna9YBHb7q6MBEGCWCGSAGG+EIBAQQEAwIAwDANBgkqhkiG9w0BAQQF
    AAOBgQB3OStVqhoWT66yXNsrznCg9t8yNClobnKGOJTqt+VbhV7BUgBH+fVSjf7v
    xJyV4twwlBvU08PsKYQGj4sJ1Ao3lsOXWrr6YZIHZZ6p9P8JXjY016Vg9g5SDmEV
    jgGbwy6ZOZYx27npp4X31WXY27KDZrV/FrwvF6/Pv6mZY7ijUw==
    -----END CERTIFICATE-----
    
  6. Select Save to File and enter the full path name to save the generated certificate as a file. You can also select Browse to specify the location for the file.

    If you want to use this certificate for authentication, you must install the certificate on the same machine that generated the certificate request, since this is where the private key is stored.

Note: Certificates signed by the test CA are intended for testing only. In a real-life situation, the CA would verify user information to establish identity.
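To see what the wizard fields from Table 14-1 become inside the signed certificate shown above, here is an added example (not part of the EAServer documentation or product) that walks the DER structure of that test-CA certificate with a minimal parser, pulls out the issuer and subject names and the validity window, and applies the expiration check described under Validity Period and “Verifying a certificate”. It uses only the Python standard library; the helper names (read_tlv, parse_cert, is_expired) are the example's own.

```python
import base64
import re
from datetime import datetime, timezone

# Subject attributes the wizards collect (Tables 14-1 and 14-2), keyed by DER-encoded OID.
DN_OIDS = {b"\x55\x04\x03": "Common Name", b"\x55\x04\x0a": "Organization",
           b"\x55\x04\x0b": "Organization Unit", b"\x55\x04\x07": "Locality",
           b"\x55\x04\x08": "State/Province", b"\x55\x04\x06": "Country"}

def read_tlv(buf, pos=0):
    """One DER tag-length-value at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """All (tag, value) pairs inside the body of a SEQUENCE or SET."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_name(name):
    """X.501 Name (SEQUENCE OF SET OF {OID, value}) -> {wizard field: text}."""
    fields = {}
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, text) = children(atv)[:2]
            fields[DN_OIDS.get(oid, oid.hex())] = text.decode()
    return fields

def utc_time(raw):
    """UTCTime b'YYMMDDhhmmssZ' -> aware datetime; YY below 50 means 20YY."""
    yy = int(raw[:2])
    stamp = str(yy + (1900 if yy >= 50 else 2000)) + raw[2:].decode()
    return datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_cert(pem):
    """Serial, issuer, subject and validity window of a base64 (PEM) X.509 certificate."""
    der = base64.b64decode("".join(re.sub(r"-----[^-]+-----", "", pem).split()))
    _, tbs, _ = read_tlv(read_tlv(der)[1])             # Certificate -> tbsCertificate
    parts = children(tbs)
    if parts[0][0] == 0xA0:                             # [0] EXPLICIT version, present in v3 certs
        parts = parts[1:]
    serial, _alg, issuer, validity, subject = parts[:5]
    before, after = (utc_time(v) for _, v in children(validity[1]))
    return {"serial": int.from_bytes(serial[1], "big"), "issuer": parse_name(issuer[1]),
            "subject": parse_name(subject[1]), "not_before": before, "not_after": after}

def is_expired(info, now=None):
    """The expiry check a peer's certificate gets when it is presented for authentication."""
    now = now or datetime.now(timezone.utc)
    return not (info["not_before"] <= now <= info["not_after"])

# The signed certificate produced by the test CA in the procedure above (copied from the page).
TEST_CERT = """-----BEGIN CERTIFICATE-----
MIICYTCCAcqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADCBgjEzMDEGA1UEAxMqU3li
YXNlIEphZ3VhciBVc2VyIFRlc3QgQ0EgKFRFU1QgVVNFIE9OTFkpMSAwHgYDVQQK
ExdTeWJhc2UgSmFndWFyIFVzZXIgVGVzdDEpMCcGA1UEBxMgU3liYXNlIEphZ3Vh
ciBVc2VyIFRlc3QgTG9jYWxpdHkwHhcNOTgwNzAyMDIzOTEzWhcNOTgwOTAyMDIz
OTEzWjBHMQ0wCwYDVQQDEwR0ZXN0MQ0wCwYDVQQKEwR0ZXN0MQ0wCwYDVQQHEwR0
ZXN0MQswCQYDVQQIEwJjYTELMAkGA1UEBhMCdXMwXDANBgkqhkiG9w0BAQEFAANL
ADBIAkEAvzvqs9yjW/PDCt/Rotp9x9PHrULLeGOLlVSubo9poY1f5OYwsrjfaOtT
bkhWDrakuwJJk8smDNSAl93tdP9r8wIDAQABo2UwYzAMBgNVHRMEBTADAQEAMB0G
A1UdDgQWBBTAT0n9qsvdfqc9NzGPA5oLKsMzJjAhBgNVHSMEGjAYoBYEFGLT8qZb
3LtGjw84nxna9YBHb7q6MBEGCWCGSAGG+EIBAQQEAwIAwDANBgkqhkiG9w0BAQQF
AAOBgQB3OStVqhoWT66yXNsrznCg9t8yNClobnKGOJTqt+VbhV7BUgBH+fVSjf7v
xJyV4twwlBvU08PsKYQGj4sJ1Ao3lsOXWrr6YZIHZZ6p9P8JXjY016Vg9g5SDmEV
jgGbwy6ZOZYx27npp4X31WXY27KDZrV/FrwvF6/Pv6mZY7ijUw==
-----END CERTIFICATE-----"""

if __name__ == "__main__":
    info = parse_cert(TEST_CERT)
    print(info["issuer"]["Common Name"], info["subject"], info["not_after"], is_expired(info))
```

The block checks structure and dates only; it does not verify the certificate's signature, which is part of what File | Verify does.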

Steps: Exporting the test CA certificate

You can export certificates, including the test CA certificate. Exporting the test CA certificate allows you to load it into Netscape 4.0x browsers and mark it trusted. This prevents Netscape from displaying warnings about untrusted certificate authorities when you use listeners that use certificates signed by the test CA.

  1. Select the CA Certificates folder.

  2. Highlight the Sybase Jaguar User Test CA.

  3. Select File | Export Certificate.

  4. From the Export Certificate wizard, select the format type for the exported certificate. For the Test CA, select Binary Encode X509 Certificate. Click Next.

  5. Select Save to File and enter the full path name to a file that will contain the test CA.

    Do not add any extension to the file name. A .crt extension is automatically added to the exported certificate. Netscape 4.0x recognizes this extension as an X.509 certificate and handles it accordingly.

  6. Click Finish to export the certificate to the file you specified.

For general information about the Export Certificate wizard and certificate types, see “Installing and exporting certificates”.

Steps: Loading the test CA’s certificate into Netscape 4.0x

You must be logged in to the Netscape token.

  1. Enter the full path of the file that contains the exported test CA’s certificate in Netscape’s URL/Netsite field.

  2. Select Open and click OK.

  3. Click Install Certificate. Netscape recognizes the .crt extension as belonging to a certificate authority and displays a series of dialogs asking if you want to accept the CA.

    If Netscape does not recognize the .crt file extension, perform these steps and restart Netscape before trying to load the test CA:

    1. From Netscape, select Edit | Preferences.

    2. Under Category, click Applications.

    3. Under Description, scroll down and select “Internet Security Certificate.” Click Edit.

    4. Verify that the Mime Type field contains:

      application/x-x509-ca-cert
      
    5. Click OK.

    Note: If you are using UNIX, make sure the following line is in your ~/.mime.types file before you start Netscape:

    application/x-x509-ca-cert      crt cer ber der

    This line ensures that Netscape recognizes the .crt file extension.

  4. Follow the instructions in the dialogs to accept this certificate.

Netscape now allows you to connect to EAServer ports that require authentication, and accepts the certificates signed by the test CA without displaying warnings.


Key management

This section describes the tasks involved in key management.

To view the private keys installed in the security module, select the Private Keys folder. The private keys display on the right side of the window.

EAServer Manager | Certificates folder displays any private key that does not have a certificate associated with it, including private keys that have an outstanding certificate request. For example, you may generate a key pair and request a certificate from a CA at the same time. It may take several days to receive your certificate. In the meantime, the private key displays when you highlight the Private Keys folder.

Sybase recommends that you delete any private key that does not have an outstanding certificate request associated with it.

Steps: Viewing information about a private key

  1. Select the Private Keys folder.

  2. Highlight the key whose information you want to view.

  3. Select File | Key Information. The Key Information dialog box displays the length of the key.

Steps: Deleting a private key

  1. Select the Private Keys folder. The private keys display on the right side of the window.

  2. Select the key that you want to delete.

  3. Select File | Delete Key.


Certificate management

EAServer Manager | Certificates folder comes with several preinstalled CA certificates. EAServer accepts client certificates only if they have been signed by a trusted CA. You can modify the trust attribute for any of the preinstalled certificates. See “Viewing certificate, trust, and export information” for more information.

Steps: Generating a key pair and requesting a certificate

You can generate a key pair and send the certificate request to a CA to be signed. Once the CA has signed and returned the request, you can install the certificate.

  1. Select the Private Keys folder.

  2. Select File | Key/Cert Wizard.

  3. Supply the required information, described in Table 14-2. Use Back and Next to review or change any information.

    You can use any of the following characters:

    In Asian-language editions of EAServer, you can enter an Asian-language date in the Certificate Signing Request wizard in Security Manager. Before generating requests that contain UTF-8 characters, check with your certificate authority (CA) whether UTF-8 data is supported.

  4. Click Finish to exit the wizard. EAServer Manager | Certificates folder generates the key pair and saves the certificate request to a file that you specify, or installs a certificate if you have pasted one into the certificate dialog.

  5. Send your certificate request to a CA for signing. Depending on the CA, this could be through e-mail or by attaching to the CA’s URL.

  6. When you receive it, install the certificate. See “Installing and exporting certificates”.

The new private key appears on the right side of the window when you highlight the Private Keys folder. Once the certificate is received and installed, the private key is removed from the private key list.

Table 14-2: Certificate request information

Key Strength
  Description: Select the authentication key strength. The greater the number, the stronger the encryption. Your options are:
    • 512 bits
    • 768 bits
    • 1024 bits
  Comments/example: For international users, key strength is 512.

Key Label
  Description: The name that identifies the private key/certificate.
  Comments/example: Required field. The label must be unique among all labels used for certificates.

Mark Private Key Exportable
  Description: Check this box to allow the export of this certificate along with its private key.
  Comments/example: See “Installing and exporting certificates” for more information.
  Note: If checked, you can later uncheck this property. Once unchecked, you cannot change this property. If unchecked, you cannot export this certificate and private key.

UTF-8 Encoding
  Description: Check this box to allow entry of UTF-8 encoded characters.
  Comments/example: Allows entry of Asian-language text. Before generating requests that contain UTF-8 characters, check with your certificate authority (CA) whether UTF-8 data is supported.

Common Name
  Description: This could be your first and last name, the name of a university, or the EAServer host name.
  Comments/example: Required field.

User ID
  Description: Any user ID that would further identify you.

Organization
  Description: The name of your company, university, or other organization.
  Comments/example: Required field.

Organization Unit
  Description: The name of a department within your organization.

Locality
  Description: The location of your organization.
  Comments/example: You must supply at least one of:
    • Locality
    • State/Province
    • Country

State/Province
  Description: The name of your state or province.

Country
  Description: Your two-letter country code; for example, “U.S.”

Requester Name
  Description: The person requesting the certificate.

Server Admin
  Description: The name, if any, of the server administrator.

E-Mail
  Description: Your e-mail address.

Server Certificate Request
  Description: Displays the request information along with the generated public key.
  Comments/example: Depending on the CA, you might be able to copy and paste the certificate request from this window into an e-mail and forward it for signing.

Save to File
  Description: Select this option and enter the full path name to save the generated certificate request as a text file.
  Comments/example: You can also use the browse feature to locate and save the file. If you do not immediately send the certificate request to be signed, save the certificate request to a file and send it for signature later.

Cut and Paste the Certificate
  Description: If available, paste the signed certificate in this window for installation.
  Comments/example: If you do not install the signed certificate now, you can use the Install Certificate option when you receive your signed certificate.

Format Type
  Description: Identifies the format of the certificate request. Your options are “base64” or “binary.”
  Comments/example: For server certificates, you would normally use a base64 format.


Certificate file extensions and types

When installing or exporting a certificate, EAServer Manager | Certificates folder determines the type of certificate based on the file extension. The extensions and the type of certificates they represent are:

Note: Transferring versus importing and exporting: Transferring user certificates and private keys allows you to use the certificate and private key in the target security environment. Exporting, installing, and marking a CA certificate trusted in the target security environment simply allows you to accept certificates that have been signed by that CA.

Steps: Installing and exporting certificates

EAServer Manager | Certificates folder allows you to export or import (install):

  1. Certificates signed by the test CA.

  2. Certificates signed by another CA.

  3. Certificate chains – a certificate chain is a certificate that has been signed by a CA, which in turn has been signed by a CA, and so on. The certificate contains information that traces the path of the certificate back to the root CA (the original signer).

  4. A signer’s (CA) certificate. You need to install a signer’s certificate and mark it as trusted so that EAServer accepts certificates signed by that CA.

  5. User certificates and their corresponding private key using the PKCS #12 standard.

    PKCS #12 is an RSA standard that specifies a transfer syntax for personal identity information. EAServer’s support of the PKCS #12 standard allows you to move user certificates and private keys between systems and programs that support the PKCS #12 standard, such as Netscape Communicator and Microsoft’s Internet Explorer.

    Sybase’s PKCS #12 implementation allows you to transfer certificates and private keys in either a domestic format (128-bit encryption) or international format (40-bit encryption). You can find more information about domestic and international support in “Configuring security profiles”.

Steps: Installing a certificate

  1. Select the folder that corresponds to the type of certificate you are installing.

  2. Select File | Install Certificate.

  3. Either paste the entire contents of the certificate into the box (base64 encoded certificates only), or click the Import from File box.

    If you select Import from File, the cut and paste area is dimmed. Use the browse feature to locate the certificate.

  4. Click Install. If the certificate is of type .crt or .p7c, it is installed. If the file is a PKCS #12 type (has either a .p12 or .pfx extension) the PKCS #12 Certificate/Private Key window displays:

    1. Enter the password that allows access to the file. This is the password you entered when you exported the certificate and private key.

    2. To export the certificate and its private key at a later time you must check the Mark private key as exportable check box, which is, by default, already selected.

    3. Click Done.

    The certificate is assigned to a folder based on its type:

Once installed, you can assign a user certificate to a security profile. For more information, see “Configuring security profiles”.

After installing a signer’s certificate, mark it as trusted if you want to accept certificates signed by that signer. See “Viewing certificate, trust, and export information” for more information.

Steps: Exporting a certificate

  1. Select the Certificates folder that contains the certificate to be exported.

  2. Highlight the certificate to be exported.

  3. Select File | Export Certificate.

  4. From the Export Certificate wizard, select the format type of the certificate to be exported.

    If you have chosen Export Certificate from the User Certificate folder, and you selected “Mark Private Key Exportable” when you generated the key pair and requested a certificate, the PKCS #12 option is available.

  5. Depending on the type of certificate you select, one of two windows appears:

  6. Click Finish to export the certificate to the file you specified.

Advanced PKCS #12 options

The advanced screen allows you to modify the PKCS #12 options listed below. The default settings are appropriate in most cases and should only be modified by experienced users:

Steps: Viewing certificate, trust, and export information

You can view the information about the certificates that you have installed and your own certificates, including identifying, trust, and usage information. To view certificate information:

  1. Select the folder for the type of certificate you want to view:

  2. Select the certificate you want to view.

  3. Select File | Certificate Info.

The Certificate Information dialog appears. Use the scroll bar to view all of the information.

The Certificate dialog includes a Trusted Certificate check box. Based on the policies of your organization, trustworthiness of the certificate signer, and other considerations, specify whether or not to mark a certificate as trusted. Only CA certificates can be marked as trusted or untrusted.

Certificates that are marked as trusted display when you select the Trusted folder.

For user certificates, an Exportable Private Key check box is provided. If this box is checked, you can export the certificate, along with its private key. To prevent future exports, you can uncheck the box. Once unchecked, the private key can never be exported. See “Installing and exporting certificates” for more information.

Steps: Verifying a certificate

EAServer Manager | Certificates folder verifies the signature, expiration date, and validity of a certificate. If the certificate is part of a chain of certificates, it verifies each certificate in the chain.

A chain involves more than one certificate. Each certificate in the chain is signed by the preceding certificate. For the certificate to be verified, the entire chain must be verified. If a peer offers a certificate for authentication that belongs to a chain, at least one CA within the chain must be trusted for the certificate to be accepted.

To verify a certificate:

  1. Select the folder for the type of certificate you want to verify.

  2. Highlight the certificate you want to verify.

  3. Select File | Verify.

A dialog appears that either verifies the certificate or informs you that verification was unsuccessful. Do not use certificates that fail verification.

Steps: Renaming a certificate

Only the label of the certificate is changed. The content of the certificate remains the same.

  1. Select the folder type for the certificate you want to rename.

  2. Highlight the certificate to rename.

  3. Select File | Rename Certificate.

  4. Enter the new name of the certificate. Click Done.

Steps: Deleting a certificate and its associated private key

EAServer Manager | Certificates folder allows you to delete your own certificates and associated private keys, the test CA, and certificates that you have obtained from others.

  1. Select the folder for the type of certificate you want to delete.

  2. Highlight the certificate you want to delete.

  3. Select File | Delete Certificate.

Note: If you delete the test CA, certificates that were signed by the test CA are no longer useful. In this case, you need to generate a new test CA and new certificates signed by the new test CA to test your security scenarios.





Copyright © 2005. Sybase Inc. All rights reserved.