Obtaining a certificate

The System Security Officer installs signed server certificates and private keys in the server. You can get a server certificate by:

To obtain a certificate, you must request a certificate from a CA. If you request a certificate from a third party and that certificate is in PKCS #12 format, use the certpk12 utility to convert it into a format that Open Client and Open Server understand.

To test the certificate request tool and to verify that the authentication methods are working on your server, Open Client and Open Server provide the certreq and certauth tools. For testing purposes, these tools let you function as a CA and issue a CA-signed certificate to yourself.

The main steps for creating a certificate for use with a server are:

  1. Generate the certificate request.

  2. Generate the public and private key pair.

  3. Securely store the private key.

  4. Send the certificate request to the CA.

  5. After the CA signs and returns the certificate, append the private key to the certificate.

  6. Store the certificate in the server’s installation directory.


Third-party tools to request certificates

Most third-party PKI vendors and some browsers have utilities to generate certificates and private keys. These utilities are typically graphical wizards that prompt you through a series of questions to define a distinguished name and a common name for the certificate.

Follow the instructions provided by the wizard to create certificate requests. Once you receive the signed PKCS #12-format certificate, use certpk12 to generate a certificate file and a private key file. Concatenate the two files into a servername.crt file, where servername is the name of the server, and place it in the server’s installation directory. By default, the certificates for Adaptive Server are stored in $SYBASE/$SYBASE_ASE/certificates.


Using Sybase tools to request and authorize certificates

Sybase provides tools for requesting and authorizing certificates. certreq generates public and private key pairs and certificate requests. certauth converts a server certificate request to a CA-signed certificate.

WARNING! Use certauth only for testing purposes. Sybase recommends that you use the services of a commercial CA because it provides protection for the integrity of the root certificate, and because a certificate that is signed by a widely accepted CA facilitates the migration to the use of client certificates for authentication.

Preparing a server’s trusted root certificate is a five-step process. Perform all five steps to create a test trusted root certificate so you can verify that you are able to create server certificates. Once you have a test CA certificate (trusted roots certificate), repeat steps 3 through 5 to sign server certificates.

  1. Use certreq to request a certificate.

  2. Use certauth to convert the certificate request to a CA self-signed certificate (trusted root certificate).

  3. Use certreq to request a server certificate and private key.

  4. Use certauth to convert the certificate request to a CA-signed server certificate.

  5. Append the private key text to the server certificate and store the certificate in the server’s installation directory.

See “Using Sybase tools to request and authorize certificates” for more information.
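The last step of both procedures above (appending the private key to the signed certificate and storing the result as servername.crt) is shown here as an added shell example; it is not part of the Sybase documentation or tools. It assumes both input files are PEM text; the function names, the input file names, and the owner-only (600) file mode are choices of this example.

```shell
#!/bin/sh
# Added example, not a Sybase tool. File names passed in are hypothetical.

# Print how many PEM blocks of one kind a file holds. "CERTIFICATE" does not
# match "CERTIFICATE REQUEST", so an unsigned request is not counted.
count_pem() {
    grep -c -e "^-----BEGIN .*$1-----" -- "$2" || true
}

# build_server_crt SERVERNAME CERT_FILE KEY_FILE DEST_DIR
# Writes DEST_DIR/SERVERNAME.crt: the signed certificate, then the private key.
build_server_crt() {
    name=$1; cert=$2; key=$3; dest=$4

    [ -r "$cert" ] && [ -r "$key" ] && [ -d "$dest" ] || {
        echo "missing input file or destination directory" >&2; return 2; }

    [ "$(count_pem 'CERTIFICATE' "$cert")" -eq 1 ] || {
        echo "$cert: expected exactly one signed certificate" >&2; return 3; }
    [ "$(count_pem 'PRIVATE KEY' "$cert")" -eq 0 ] || {
        echo "$cert: already contains a private key" >&2; return 3; }
    [ "$(count_pem 'PRIVATE KEY' "$key")" -eq 1 ] || {
        echo "$key: expected exactly one private key" >&2; return 3; }

    # mktemp creates the file readable by its owner only, so the key is never
    # exposed while the combined file is being written.
    tmp=$(mktemp "$dest/.$name.XXXXXX") || return 4

    # Certificate first, key appended. If the certificate lacks a final
    # newline, add one so the two PEM headers do not end up on one line.
    if { cat -- "$cert"
         [ -z "$(tail -c 1 -- "$cert")" ] || echo
         cat -- "$key"; } > "$tmp" &&
       chmod 600 "$tmp" && mv -f -- "$tmp" "$dest/$name.crt"
    then
        return 0
    fi
    rm -f -- "$tmp"
    return 4
}

# Example call using the default Adaptive Server location named above:
# build_server_crt myserver ./myserver_cert.pem ./myserver_key.pem \
#     "$SYBASE/$SYBASE_ASE/certificates"
```

The function returns 3 without writing anything when the certificate file is still an unsigned request or when either file does not hold exactly the expected PEM block.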

Note: certauth and certreq are dependent on RSA and DSA algorithms. These tools only work with vendor-supplied crypto modules that use RSA and DSA algorithms to construct the certificate request.

For information on adding, deleting, or viewing server certificates on Adaptive Server, see the System Administration Guide.