The System Security Officer installs signed server certificates and private keys in the server. You can get a server certificate by:
- Using third-party tools provided with existing public-key infrastructure already deployed in the customer environment.
- Using the Sybase certificate request tool in conjunction with a trusted third-party CA.
To obtain a certificate, you must request a certificate from a CA. If you request a certificate from a third party and that certificate is in PKCS #12 format, use the certpk12 utility to convert the certificate into a format that is understood by Open Client/Open Server.
To test the certificate request tool and to verify that the authentication methods are working on your server, Open Client/Open Server provides the certreq and certauth tools. For testing purposes, these tools allow you to function as a CA and issue a CA-signed certificate to yourself.
The main steps to creating a certificate for use with a server are:
1. Generate the certificate request.
2. Generate the public and private key pair.
3. Securely store the private key.
4. Send the certificate request to the CA.
5. After the CA signs and returns the certificate, append the private key to the certificate.
6. Store the certificate in the server’s installation directory.
Most third-party PKI vendors and some browsers have utilities to generate certificates and private keys. These utilities are typically graphical wizards that prompt you through a series of questions to define a distinguished name and a common name for the certificate.
Follow the instructions provided by the wizard to create certificate requests. Once you receive the signed PKCS #12-format certificate, use certpk12 to generate a certificate file and a private key file. Concatenate the two files into a servername.crt file, where servername is the name of the server, and place it in the server’s installation directory. By default, the certificates for Adaptive Server are stored in $SYBASE/$SYBASE_ASE/certificates.
Sybase provides tools for requesting and authorizing certificates. certreq generates public and private key pairs and certificate requests. certauth converts a server certificate request to a CA-signed certificate. The tools are located in:
- UNIX – $SYBASE/$SYBASE_OCS/bin
- Windows – %SYBASE%\%SYBASE_OCS%\bin
WARNING! Use certauth only for testing purposes. Sybase recommends that you use the services of a commercial CA because it provides protection for the integrity of the root certificate, and because a certificate that is signed by a widely accepted CA facilitates the migration to the use of client certificates for authentication.
Preparing a server’s trusted root certificate is a five-step process. Perform all five steps to create a test trusted root certificate so you can verify that you are able to create server certificates. Once you have a test CA certificate (trusted root certificate), repeat steps three through five to sign server certificates.
1. Use certreq to request a certificate.
2. Use certauth to convert the certificate request to a CA self-signed certificate (trusted root certificate).
3. Use certreq to request a server certificate and private key.
4. Use certauth to convert the certificate request to a CA-signed server certificate.
5. Append the private key text to the server certificate and store the certificate in the server’s installation directory.
See “Using Sybase tools to request and authorize certificates” for more information.
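Both procedures above end the same way: the private key is appended to the signed certificate and the result is stored as servername.crt. The following added example (not Sybase-supplied code) scripts that step so the combined file is owner-only from the moment it is created; it assumes both inputs are PEM text files, and the function names build_server_crt and check_server_crt are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: certificate and key are PEM text files.
# build_server_crt and check_server_crt are hypothetical helper names.

# build_server_crt CERT KEY OUT: write CERT followed by KEY to OUT, mode 0600.
build_server_crt() {
    cert=$1; key=$2; out=$3
    [ -r "$cert" ] && [ -r "$key" ] || { echo "input not readable" >&2; return 1; }
    # Catch swapped or wrong inputs before anything is written.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" ||
        { echo "$cert: no certificate block" >&2; return 1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "$key: no private key block" >&2; return 1; }
    if grep -q -e 'PRIVATE KEY-----' "$cert"; then
        echo "$cert: already contains a private key" >&2; return 1
    fi
    # Never silently replace a certificate file that is already installed.
    if [ -e "$out" ]; then
        echo "$out: exists, not overwriting" >&2; return 1
    fi
    # Subshell keeps the umask change local; the file is owner-only from creation.
    (
        umask 077
        tmp="$out.tmp.$$"
        cat "$cert" "$key" > "$tmp" && mv "$tmp" "$out" || { rm -f "$tmp"; exit 1; }
    ) || { echo "$out: write failed" >&2; return 1; }
}

# check_server_crt FILE: succeed only if FILE holds a certificate followed by a
# private key and grants no access to group or others.
check_server_crt() {
    f=$1
    c=$(grep -n -e '-----BEGIN CERTIFICATE-----' "$f" | head -n 1 | cut -d: -f1)
    k=$(grep -n -e '-----BEGIN .*PRIVATE KEY-----' "$f" | head -n 1 | cut -d: -f1)
    [ -n "$c" ] && [ -n "$k" ] && [ "$c" -lt "$k" ] || return 1
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ]
}
```

For an Adaptive Server, OUT would be the servername.crt file under $SYBASE/$SYBASE_ASE/certificates, the default location given above.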
certauth and certreq depend on the RSA and DSA algorithms. These tools work only with vendor-supplied crypto modules that use RSA and DSA algorithms to construct the certificate request.
For information on adding, deleting, or viewing server certificates on Adaptive Server, see the System Administration Guide.