When installing or exporting a certificate, EAServer Manager | Certificates folder determines the type of certificate based on the file extension. The extensions and the type of certificates they represent are:
.crt – Belongs to X.509 certificates, including CA certificates. In addition, Netscape certificate chains end with a .crt extension.
.p12 and .pfx – Belong to transferred user certificates. Sybase’s PKCS #12 implementation generates PKCS #12 files with a .p12 file extension. This extension is recognized by both Netscape and Internet Explorer. The earlier PKCS #12 standard specified a .pfx file extension. You can install a PKCS #12 file that uses either extension into Sybase’s PKCS #11 token.
Binary and base64 – Certificates can be encoded using either a binary or a base64 scheme. Base64 is an ASCII format; certificates of this type can be installed from a file or pasted into the appropriate window. Binary certificates must be read from a file. The encoding scheme has no effect on a certificate’s file extension.
Transferring versus importing and exporting – Transferring user certificates and private keys allows you to use the certificate and private key in the target security environment. Exporting, installing, and marking a CA certificate trusted in the target security environment simply allows you to accept certificates that have been signed by that CA.
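Because EAServer Manager types a file by its extension while the encoding is only visible in the content, an administrator may want to check what a file actually holds before installing it. The following is an added example (not Sybase code) using only the Python standard library; it assumes the constructed minimal ASN.1 shapes at the bottom stand in for real certificate files, and it reports the encoding (base64 or binary), whether the content is X.509- or PKCS #12-shaped, and whether the extension agrees.

```python
import base64
import re
# Extension EAServer Manager expects for each content kind (from the page).
EXPECTED_KIND = {".crt": "x509", ".p12": "pkcs12", ".pfx": "pkcs12"}
PEM_RE = re.compile(rb"-----BEGIN [A-Z0-9 ]+-----(.*?)-----END [A-Z0-9 ]+-----", re.S)

def read_tlv(data, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low seven bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def to_der(data):
    """Return (encoding, der); base64 input may be PEM-armored or bare."""
    m = PEM_RE.search(data)
    stripped = re.sub(rb"\s+", b"", m.group(1) if m else data)
    if stripped and len(stripped) % 4 == 0 and re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", stripped):
        return "base64", base64.b64decode(stripped)
    return "binary", data

def der_kind(der):
    """Tell X.509 (first child is tbsCertificate SEQUENCE) from PKCS #12 PFX (first child is version INTEGER 3)."""
    if len(der) < 2 or der[0] != 0x30:
        return "unknown"
    _, start, end = read_tlv(der, 0)
    if end > len(der) or start + 2 > end:
        return "unknown"  # truncated or empty outer SEQUENCE
    tag, vs, ve = read_tlv(der, start)
    if tag == 0x30:
        return "x509"
    if tag == 0x02 and der[vs:ve] == b"\x03":
        return "pkcs12"
    return "unknown"

def classify(filename, data):
    """Report encoding, content kind, and whether the extension agrees with it."""
    encoding, der = to_der(data)
    kind = der_kind(der)
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    return {"encoding": encoding, "kind": kind, "extension_ok": EXPECTED_KIND.get(ext) == kind}

# Constructed minimal ASN.1 shapes standing in for real files (not certificates).
X509_DER = bytes.fromhex("300430020500")      # SEQUENCE { SEQUENCE { NULL } }
PKCS12_DER = bytes.fromhex("30050201033000")  # SEQUENCE { INTEGER 3, SEQUENCE {} }
X509_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(X509_DER)
            + b"-----END CERTIFICATE-----\n")
```

A result with extension_ok set to False means the folder EAServer Manager would file the certificate under does not match its content, which is worth resolving before installing.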
Installing and exporting certificates
EAServer Manager | Certificates folder allows you to export or import (install):
Certificates signed by the test CA.
Certificates signed by another CA.
Certificate chains – a certificate chain is a certificate that has been signed by a CA, which in turn has been signed by a CA, and so on. The certificate contains information that traces the path of the certificate back to the root CA (the original signer).
A signer’s (CA) certificate. You need to install a signer’s certificate and mark it as trusted so that EAServer accepts certificates signed by that CA.
User certificates and their corresponding private key using the PKCS #12 standard.
PKCS #12 is an RSA standard that specifies a transfer syntax for personal identity information. EAServer’s support of the PKCS #12 standard allows you to move user certificates and private keys between systems and programs that support the PKCS #12 standard, such as Netscape Communicator and Microsoft’s Internet Explorer.
Sybase’s PKCS #12 implementation allows you to transfer certificates and private keys in either a domestic format (128-bit encryption) or international format (40-bit encryption). You can find more information about domestic and international support in “Configuring security profiles”.
Installing a certificate
Select the folder that corresponds to the type of certificate you are installing.
Select File | Install Certificate.
Either paste the entire contents of the certificate into the box (base64-encoded certificates only), or click the Import from File box.
If you select Import from File, the cut-and-paste area is dimmed. Use the browse feature to locate the certificate.
Click Install. If the certificate is of type .crt or .p7c, it is installed. If the file is a PKCS #12 type (has either a .p12 or .pfx extension), the PKCS #12 Certificate/Private Key window displays:
Enter the password that allows access to the file. This is the password you entered when you exported the certificate and private key.
To be able to export the certificate and its private key at a later time, leave the Mark private key as exportable check box selected; it is selected by default.
Click Done.
The certificate is assigned to a folder based on its type:
User – Your certificates and other user certificates, including certificates signed by the test CA used to authenticate EAServer. These are the certificates that have a matching private key stored in the PKCS #11 token.
CA – Certificates obtained from CAs. These identify the signers of certificates that EAServer recognizes.
Trusted – A subset of the CA certificates. These are the signers of certificates that EAServer trusts. EAServer accepts the certificates from clients that have been signed by trusted CAs. You must mark a CA as trusted before it appears in the Trusted folder. See “Viewing certificate, trust, and export information” for more information.
Other – Certificates obtained from other users or organizations that cannot be identified as User or CA.
Once installed, you can assign a user certificate to a security profile. For more information, see “Configuring security profiles”.
After installing a signer’s certificate, mark it as trusted if you want to accept certificates signed by that signer. See “Viewing certificate, trust, and export information” for more information.
Exporting a certificate
Select the Certificates folder that contains the certificate to be exported.
Highlight the certificate to be exported.
Select File | Export Certificate.
From the Export Certificate wizard, select the format type of the certificate to be exported.
If you chose Export Certificate from the User Certificate folder, and you selected “Mark Private Key Exportable” when you generated the key pair and requested a certificate, the PKCS #12 option is available.
Depending on the type of certificate you select, one of two windows appears:
If you have selected a certificate format that is not PKCS #12, select Save to File and enter the full path name of a file to contain the certificate.
Do not add any extension to the file name. The appropriate extension is automatically added to the exported certificate.
If you have selected PKCS #12, enter and confirm a password used to protect access to the exported certificate and its private key; you are prompted for this password when you install the certificate. Several advanced options also affect the exported certificate; see “Advanced PKCS #12 options”. When you are finished, click Next.
Select Save to File and enter the full path name of a file to contain the certificate.
Do not add any extension to the file name. The appropriate extension is automatically added to the exported certificate.
Click Finish to export the certificate to the file you specified.
The advanced screen allows you to modify the PKCS #12 options listed below. The default settings are appropriate in most cases and should only be modified by experienced users:
Include certificate trust chain – If the certificate is part of a chain, clicking this box adds information about the CAs in the certificate’s chain. See “Verifying a certificate” for additional information about certificate chains.
Private key encoding algorithm – The password-based algorithm used to protect the contents of the exported private key. The default algorithm is 40BitRC2, which is accepted by most browsers. If you want to export the private key using stronger or weaker encryption, select an algorithm from the drop-down list, but be sure that the target browser accepts the stronger encryption. EAServer Manager | Certificates folder can export or import private keys that are shrouded with any of the listed algorithms.
Certificate encoding algorithm – The password-based algorithm used to protect the contents of the exported user certificate. The default algorithm is 40BitRC2, which is accepted by most browsers. If you want to export the certificate using stronger or weaker encryption, select an algorithm from the drop-down list, but be sure that the target browser accepts the stronger encryption. EAServer Manager | Certificates folder can export or import user certificates that are shrouded with any of the listed algorithms. See “Configuring security profiles” for a description of the various encryption methods and terms.
Viewing certificate, trust, and export information
You can view the information about the certificates that you have installed and your own certificates, including identifying, trust, and usage information. To view certificate information:
Select the folder for the type of certificate you want to view:
User
CA
Trusted
Other
Select the certificate you want to view.
Select File | Certificate Info.
The Certificate Information dialog appears. Use the scroll bar to view all of the information.
The Certificate dialog includes a Trusted Certificate check box. Based on the policies of your organization, trustworthiness of the certificate signer, and other considerations, specify whether or not to mark a certificate as trusted. Only CA certificates can be marked as trusted or untrusted.
Certificates that are marked as trusted display when you select the Trusted folder.
For user certificates, an Exportable Private Key check box is provided. If this box is checked, you can export the certificate, along with its private key. To prevent future exports, you can uncheck the box. Once unchecked, the private key can never be exported. See “Installing and exporting certificates” for more information.
Verifying a certificate
EAServer Manager | Certificates folder verifies the signature, expiration date, and validity of a certificate. If the certificate is part of a chain of certificates, it verifies each certificate in the chain.
A chain involves more than one certificate. Each certificate in the chain is signed by the preceding certificate. For the certificate to be verified, the entire chain must be verified. If a peer offers a certificate for authentication that belongs to a chain, at least one CA within the chain must be trusted for the certificate to be accepted.
To verify a certificate:
Select the folder for the type of certificate you want to verify.
Highlight the certificate you want to verify.
Select File | Verify.
A dialog appears that either verifies the certificate or informs you that verification was unsuccessful. Do not use certificates that fail verification.
Renaming a certificate
Only the label of the certificate is changed. The content of the certificate remains the same.
Select the folder type for the certificate you want to rename.
Highlight the certificate to rename.
Select File | Rename Certificate.
Enter the new name of the certificate. Click Done.
Deleting a certificate and its associated private key
EAServer Manager | Certificates folder allows you to delete your own certificates and associated private keys, the test CA, and certificates that you have obtained from others.
Select the folder for the type of certificate you want to delete.
Highlight the certificate you want to delete.
Select File | Delete Certificate.
If you delete the test CA, certificates that were signed by the test CA are no longer useful. In this case, you need to generate a new test CA and new certificates signed by the new test CA to test your security scenarios.
Copyright © 2005. Sybase Inc. All rights reserved.