Test CA management

The test CA is a signing authority that signs user certificate requests. These certificates can be used by clients and EAServer to test the security features of your applications. Certificates signed by the test CA are not intended for commercial applications. If you already have an in-house CA or other signing authority, you may not need to use the test CA.

Note: The test CA must exist before you can access the Process Certificate Request and Generate User Test Certificate options.

Creating a test CA

To verify that the test CA is available, highlight the CA Certificates folder. You should see the Sybase Jaguar User Test CA on the right side of the window. If not, you must generate the test CA.

  1. Select the CA Certificates folder.

  2. Select File | Generate Test CA.

The Sybase Jaguar User Test CA displays on the right side of the window. You can now generate test certificates signed by the test CA and process certificate requests.

Generating a user certificate signed by the test CA

  1. Select the CA Certificates folder.

  2. Select File | Generate User Test Certificate. The Generate User Test Certificate wizard displays.

  3. Supply the required information described in Table 14-1. Click Back and Next to review and modify information.

  4. You can use any of the following characters for the label:

  5. Click Finish to exit the wizard and generate the certificate.

  6. Click OK in the Info dialog. The certificate displays when you highlight the User Certificates folder.

Table 14-1: User test certificate information

| Property | Description | Comments/example |
|---|---|---|
| Key Strength | Select the authentication key strength. The greater the number, the stronger the encryption. Your options are: 512 bits, 768 bits, 1024 bits. | For international users, key strength is 512. |
| Key Label | The name that identifies the certificate. | Required field. The label must be unique among all labels used for all certificates. |
| Validity Period | From the drop-down list, select the length of time that the certificate is valid. | When a client (or server) presents a certificate for authentication, EAServer (or the browser) checks to see if the certificate has expired. |
| Cert Usage | Click the check box for either or both: SSL Client, SSL Server. | The same certificate can be used by a client and/or EAServer. |
| Common Name | Your first and last name. | Required field. |
| User ID | Any ID that would further identify you. | |
| Organization | The name of your company, university, or other organization. | Required field. |
| Organization Unit | The name of a department within your organization. | |
| Locality | The location of your organization. | You must supply at least one of: Locality, State/Province, Country. |
| State/Province | State or province name. | |
| Country | Your two-digit country code; for example, “U.S.” | |
| Requester Name | The person requesting the certificate. | |
| Server Admin | The name, if any, of the server administrator. | |
| E-Mail | Your e-mail address. | |
| Mark Private Key Exportable | Checked by default, this property allows you to export this certificate along with its private key. | See “Installing and exporting certificates” for more information. Note: If checked, you can later uncheck this property. Once unchecked, you cannot change this property. If unchecked, you cannot export this certificate and private key. |

Processing a certificate request

The EAServer Manager | Certificates folder can process a certificate request that was generated elsewhere. The test CA signs the request and generates the certificate.

  1. Select the CA Certificates folder.

  2. Select File | Process Certificate Request.

  3. Paste the certificate request into the window as indicated. Here is an example of a base64 certificate request. You must include the entire contents, including the BEGIN and END lines:

    -----BEGIN NEW CERTIFICATE REQUEST-----
    
    MIH4MIGjAgEAMD4xCjAIBgNVBAMTAWExCjAIBgNVBAoTAWExCjAIBgNVBAcTAWEx
    CzAJBgNVBAgTAmNhMQswCQYDVQQGEwJ1czBcMA0GCSqGSIb3DQEBAQUAA0sAMEgC
    QQC9Yn9AOzflqIarPCC7eRdr3C0wrIG+3B2T+pEs9sdgEjnc/bw1GfxcZKYamWXg
    G1KQycFqkdrFNP79fgRCOd3xAgMBAAGgADANBgkqhkiG9w0BAQQFAANBAIEljmCB
    HbFdNj0MtFDa002f/Trl6FtGCh7Gs23pZlWIUzDlGFowiuJY6iMDzd/1bJz5yYB+
    IvlM9Ath/zTF2eY=
    
    -----END NEW CERTIFICATE REQUEST-----
    
  4. Set the following certificate properties:

  5. Click Next. The certificate is generated and displays in the dialog. Here is the signed base64 certificate:

    -----BEGIN CERTIFICATE-----
    
    MIICYTCCAcqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADCBgjEzMDEGA1UEAxMqU3li
    YXNlIEphZ3VhciBVc2VyIFRlc3QgQ0EgKFRFU1QgVVNFIE9OTFkpMSAwHgYDVQQK
    ExdTeWJhc2UgSmFndWFyIFVzZXIgVGVzdDEpMCcGA1UEBxMgU3liYXNlIEphZ3Vh
    ciBVc2VyIFRlc3QgTG9jYWxpdHkwHhcNOTgwNzAyMDIzOTEzWhcNOTgwOTAyMDIz
    OTEzWjBHMQ0wCwYDVQQDEwR0ZXN0MQ0wCwYDVQQKEwR0ZXN0MQ0wCwYDVQQHEwR0
    ZXN0MQswCQYDVQQIEwJjYTELMAkGA1UEBhMCdXMwXDANBgkqhkiG9w0BAQEFAANL
    ADBIAkEAvzvqs9yjW/PDCt/Rotp9x9PHrULLeGOLlVSubo9poY1f5OYwsrjfaOtT
    bkhWDrakuwJJk8smDNSAl93tdP9r8wIDAQABo2UwYzAMBgNVHRMEBTADAQEAMB0G
    A1UdDgQWBBTAT0n9qsvdfqc9NzGPA5oLKsMzJjAhBgNVHSMEGjAYoBYEFGLT8qZb
    3LtGjw84nxna9YBHb7q6MBEGCWCGSAGG+EIBAQQEAwIAwDANBgkqhkiG9w0BAQQF
    AAOBgQB3OStVqhoWT66yXNsrznCg9t8yNClobnKGOJTqt+VbhV7BUgBH+fVSjf7v
    xJyV4twwlBvU08PsKYQGj4sJ1Ao3lsOXWrr6YZIHZZ6p9P8JXjY016Vg9g5SDmEV
    jgGbwy6ZOZYx27npp4X31WXY27KDZrV/FrwvF6/Pv6mZY7ijUw==
    
    -----END CERTIFICATE-----
    
  6. Select Save to File and enter the full path name to save the generated certificate as a file. You can also select Browse to specify the location for the file.

    If you want to use this certificate for authentication, you must install the certificate on the same machine that generated the certificate request, since this is where the private key is stored.

Note: Certificates signed by the test CA are intended for testing only. In a real-life situation, the CA would verify user information to establish identity.
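A request can be checked before it is pasted into the Process Certificate Request window. The following is an added example, not EAServer code and not part of the original documentation: it parses the sample request from step 3, rejects input whose BEGIN/END lines or body are incomplete, and reports the RSA key size and an MD5-based request signature. The function names and the 2048-bit floor are assumptions of this example.

```python
import base64
import re

# Sample input: the request printed in step 3 above (blank lines dropped).
PAGE_CSR = """-----BEGIN NEW CERTIFICATE REQUEST-----
MIH4MIGjAgEAMD4xCjAIBgNVBAMTAWExCjAIBgNVBAoTAWExCjAIBgNVBAcTAWEx
CzAJBgNVBAgTAmNhMQswCQYDVQQGEwJ1czBcMA0GCSqGSIb3DQEBAQUAA0sAMEgC
QQC9Yn9AOzflqIarPCC7eRdr3C0wrIG+3B2T+pEs9sdgEjnc/bw1GfxcZKYamWXg
G1KQycFqkdrFNP79fgRCOd3xAgMBAAGgADANBgkqhkiG9w0BAQQFAANBAIEljmCB
HbFdNj0MtFDa002f/Trl6FtGCh7Gs23pZlWIUzDlGFowiuJY6iMDzd/1bJz5yYB+
IvlM9Ath/zTF2eY=
-----END NEW CERTIFICATE REQUEST-----"""
MD5_WITH_RSA = bytes.fromhex("2a864886f70d010104")  # OID 1.2.840.113549.1.1.4

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER: request was not pasted in full")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # child values of a constructed DER element
    out, pos = [], 0
    while pos < len(value):
        _tag, val, pos = read_tlv(value, pos)
        out.append(val)
    return out

def inspect_csr(pem_text, min_rsa_bits=2048):  # 2048 is an assumed policy floor
    m = re.search(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
                  r"-----END (?:NEW )?CERTIFICATE REQUEST-----", pem_text, re.S)
    if not m:
        raise ValueError("BEGIN/END lines missing from pasted request")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    info, sig_alg, _signature = children(read_tlv(der, 0)[1])
    spki = children(info)[2]                  # version, subject, public key, attrs
    key_bits = children(spki)[1]              # BIT STRING wrapping RSAPublicKey
    modulus = children(children(key_bits[1:])[0])[0]
    bits = int.from_bytes(modulus, "big").bit_length()
    findings = []
    if bits < min_rsa_bits:
        findings.append(f"RSA key is {bits} bits, below {min_rsa_bits}")
    if children(sig_alg)[0] == MD5_WITH_RSA:
        findings.append("request is signed with md5WithRSAEncryption")
    return {"rsa_bits": bits, "findings": findings}
```

Calling `inspect_csr(PAGE_CSR)` reports a 512-bit RSA key and an MD5 request signature. The parser assumes an RSA public key, as in the sample request.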

Exporting the test CA certificate

You can export certificates, including the test CA certificate. Exporting the test CA certificate allows you to load it into Netscape 4.0x browsers and mark it trusted. This prevents Netscape from displaying warnings about untrusted certificate authorities when you use listeners that use certificates signed by the test CA.

  1. Select the CA Certificates folder.

  2. Highlight the Sybase Jaguar User Test CA.

  3. Select File | Export Certificate.

  4. From the Export Certificate wizard, select the format type for the exported certificate. For the Test CA, select Binary Encode X509 Certificate. Click Next.

  5. Select Save to File and enter the full path name to a file that will contain the test CA.

    Do not add any extension to the file name. A .crt extension is automatically added to the exported certificate. Netscape 4.0x recognizes this extension as an X.509 certificate and handles it accordingly.

  6. Click Finish to export the certificate to the file you specified.

For general information about the Export Certificate wizard and certificate types, see “Installing and exporting certificates”.

Loading the test CA’s certificate into Netscape 4.0x

You must be logged in to the Netscape token.

  1. Enter the full path of the file that contains the exported test CA’s certificate in Netscape’s URL/Netsite field.

  2. Select Open and click OK.

  3. Click Install Certificate. Netscape recognizes the .crt extension as belonging to a certificate authority and displays a series of dialogs asking if you want to accept the CA.

    If Netscape does not recognize the .crt file extension, perform these steps and restart Netscape before trying to load the test CA:

    1. From Netscape, select Edit | Preferences.

    2. Under Category, click Applications.

    3. Under Description, scroll down and select “Internet Security Certificate.” Click Edit.

    4. Verify that the Mime Type field contains:

      application/x-x509-ca-cert
      
    5. Click OK.

    Note: If you are using UNIX, make sure the following line is in your ~/.mime.types file before you start Netscape:

    application/x-x509-ca-cert      crt cer ber der
    

    This line ensures that Netscape recognizes the .crt file extension.

  4. Follow the instructions in the dialogs to accept this certificate.

Netscape now allows you to connect to EAServer ports that require authentication, and accepts the certificates signed by the test CA without displaying warnings.