Obtaining a certificate

The system security officer installs server certificates and private keys for Adaptive Server by:

• Using third-party tools provided with existing public-key infrastructure already deployed in the customer environment.

• Using the Adaptive Server certificate request tool in conjunction with a trusted third-party CA.

To obtain a certificate, you must request a certificate from a certificate authority (CA). Adaptive Server requires SSL certificates to use the PEM format. However, the certificate authority may deliver certificates in a format other than PEM. You must convert the certificate to the PEM format If you request a certificate from a third party and that certificate is in PKCS #12 format, use the certpk12 utility to convert the certificate into a format that is understood by Adaptive Server (see the Utility Guide).

To test the Adaptive Server certificate request tool and to verify that the authentication methods are working on your server, Adaptive Server provides a tool, for testing purposes, that allows you to function as a CA and issue CA-signed certificate to yourself.

The main steps to creating a certificate for use with Adaptive Server are:

1. Generate the public and private key pair.

2. Securely store the private key.

3. Generate the certificate request.

4. Send the certificate request to the CA.

5. After the CA signs and returns the certificate, store it in a file and append the private key to the certificate.

6. Store the certificate in the Adaptive Server installation directory.

Most third-party PKI vendors and some browsers have utilities to generate certificates and private keys. These utilities are typically graphical wizards that prompt you through a series of questions to define a distinguished name and a common name for the certificate.

Follow the instructions provided by the wizard to create certificate requests. Once you receive the signed PKCS #12-format certificate, use certpk12 to generate a certificate file and a private key file. Concatenate the two files into a servername.crt file, where servername is the name of the server, and place it in the certificates directory under $SYBASE/$SYBASE_ASE. See the Utility Guide.

Adaptive Server provides two tools for requesting and authorizing certificates. certreq generates public and private key pairs and certificate requests. certauth converts a server certificate request to a CA-signed certificate.

Preparing the server’s trusted root certificate is a five-step process. Perform the first two steps to create a test trusted root certificate so you can verify that you are able to create server certificates. Once you have a test CA certificate (trusted roots certificate) repeat steps three through five to sign server certificates.

1. Use certreq to request a certificate.

2. Use certauth to convert the certificate request to a CA self-signed certificate (trusted root certificate).

3. Use certreq to request a server certificate and private key.

4. Use certauth to convert the certificate request to a CA-signed server certificate.

5. Append the private key text to the server certificate and store the certificate in the server’s installation directory.

For information about Sybase utilities, certauth, certreq, and certpk12 for requesting, authorizing and converting third-party certificates, see the Utility Guide.