Chapter 12 Managing Keys and Certificates

Managing keys and certificates on EAServer

Security Manager allows you to manage keys and certificates used by EAServer.

• "Security Manager management"
• "Test CA management"
• "Key management"
• "Certificate management"

Security Manager management

This section describes the tasks involved in accessing and managing the Sybase Security Manager.

You can install and use the standalone Security Manager on a client machine to manage client keys, certificates, and trust information in a local database. The client Security Manager is completely independent of Jaguar Manager and EAServer. Except for the login screen, the standalone Security Manager is identical to the version used to manage server keys and certificates.

The client's Security Manager allows C++ CORBA clients and Java applications to access servers using SSL features over IIOPS connections. For more information, see these chapters:

• Chapter 5, "Using SSL in Java Clients"
• Chapter 6, "Using SSL in C++ Clients"
• Chapter 7, "Using SSL in ActiveX Clients"

To start Security Manager, see the EAServer System Administration guide.

Changing the user PIN

The initial PIN for the PKCS #11 token is "sybase". You can also use the same PIN to log in to Security Manager and, if installed, the Sybase PKCS #11 token in Netscape. To change to a more secure PIN:

1. Select the Private Keys folder.
2. Select File | Change PIN.
3. Enter and verify the new PIN.

Restart Netscape for the new PIN to propagate to the Sybase PKCS #11 token.

Displaying PKCS #11 module information

1. Select the Private Keys folder.
2. To view information about the Sybase PKCS #11 module, including the library version and the Cryptoki version, select File | Module Information.
   
   To view information about the Sybase PKCS #11 token that manages your key and certificate information, including status and version information, select File | Token Information.

Logging out of the PKCS #11 module

1. Select the Private Keys folder.
2. Select File | Logout.

You are still logged in to Jaguar Manager but can no longer access keys or certificates.

Test CA management

The test CA is a signing authority that signs user certificate requests. These certificates can be used by clients and EAServer to test the security features of your applications. Certificates signed by the test CA are not intended for commercial applications. If you already have an in-house CA or other signing authority, you may not need to use the test CA.

   The test CA must exist before you can access the Process Certificate Request and Generate User Test Certificate options.

Creating a test CA

To verify that the test CA is available, highlight the CA Certificates folder. You should see the Sybase Jaguar User Test CA on the right side of the window. If not, you must generate the test CA.

1. Select the CA Certificates folder.
2. Select File | Generate Test CA.

The Sybase Jaguar User Test CA displays on the right side of the window. You can now generate test certificates signed by the test CA and process certificate requests.

Generating a user certificate signed by the test CA

1. Select the CA Certificates folder.
2. Select File | Generate User Test Certificate. The Generate User Test Certificate wizard displays.
3. Supply the required information described in Table 12-1. Click Back and Next to review and modify information.
4. You can use any of the following characters for the label:
   • Letters A - Z and a - z
   • Numeric values 0 - 9
   • (space) ' ( ) + , - . / : = ?
5. Click Finish to exit the wizard and generate the certificate.
6. Click OK in the Info dialog. The certificate displays when you highlight the User Certificates folder.

Table 12-1: User test certificate information

Property	Description	Comments/example
Key Strength	Select the authentication key strength. The greater the number, the stronger the encryption. Your options are: 512 bits 768 bits 1024 bits	For international users, key strength is 512.
Key Label	The name that identifies the certificate.	Required field. The label must be unique among all labels used for all certificates.
Validity Period	From the drop-down list, select the length of time that the certificate is valid.	When a client (or server) presents a certificate for authentication, EAServer (or the browser) checks to see if the certificate has expired.
Cert Usage	Click the check box for either or both: SSL Client SSL Server	The same certificate can be used by a client and/or EAServer.
Common Name	Your first and last name.	Required field.
User ID	Any ID that would further identify you.
Organization	The name of your company, university, or other organization.	Required field.
Organization Unit	The name of a department within your organization.
Locality	The location of your organization.	You must supply at least one of: Locality State/Province Country
State/Province	State or province name.
Country	Your two-digit country code; for example, "U.S."
Requester Name	The person requesting the certificate.
Server Admin	The name, if any, of the server administrator.
E-Mail	Your e-mail address.
Mark Private Key Exportable	Checked by default, this property allows you to export this certificate along with its private key.	See "Installing and exporting certificates" for more information.    If checked, you can later uncheck this property. Once unchecked, you cannot change this property. If unchecked, you cannot export this certificate and private key.

Processing a certificate request

Security Manager can process a certificate request generated from elsewhere. The test CA signs the request and generates the certificate.

1. Select the CA Certificates folder.
2. Select File | Process Certificate Request.
3. Paste the certificate request into the window as indicated. Here is an example of a base64 certificate request. You must include the entire contents, including the BEGIN and END lines:

   -----BEGIN NEW CERTIFICATE REQUEST-----
   

   MIH4MIGjAgEAMD4xCjAIBgNVBAMTAWExCjAIBgNVBAoTAWExCjAIBgNVBAcTAWEx
   CzAJBgNVBAgTAmNhMQswCQYDVQQGEwJ1czBcMA0GCSqGSIb3DQEBAQUAA0sAMEgC
   QQC9Yn9AOzflqIarPCC7eRdr3C0wrIG+3B2T+pEs9sdgEjnc/bw1GfxcZKYamWXg
   G1KQycFqkdrFNP79fgRCOd3xAgMBAAGgADANBgkqhkiG9w0BAQQFAANBAIEljmCB
   HbFdNj0MtFDa002f/Trl6FtGCh7Gs23pZlWIUzDlGFowiuJY6iMDzd/1bJz5yYB+
   IvlM9Ath/zTF2eY=
   

   -----END NEW CERTIFICATE REQUEST-----
   

4. Set the following certificate properties:
   • Format Type Identifies the format type of the request, either "base64" or "binary."
   • Cert Usage Depending on how you will use the certificate, select SSL Client, SSL Server, or both.
   • Validity Period Select the length of time that the certificate is valid.
5. Click Next. The certificate is generated and displays in the dialog. Here is the signed base64 certificate:

   -----BEGIN CERTIFICATE-----
   

   MIICYTCCAcqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADCBgjEzMDEGA1UEAxMqU3li
   YXNlIEphZ3VhciBVc2VyIFRlc3QgQ0EgKFRFU1QgVVNFIE9OTFkpMSAwHgYDVQQK
   ExdTeWJhc2UgSmFndWFyIFVzZXIgVGVzdDEpMCcGA1UEBxMgU3liYXNlIEphZ3Vh
   ciBVc2VyIFRlc3QgTG9jYWxpdHkwHhcNOTgwNzAyMDIzOTEzWhcNOTgwOTAyMDIz
   OTEzWjBHMQ0wCwYDVQQDEwR0ZXN0MQ0wCwYDVQQKEwR0ZXN0MQ0wCwYDVQQHEwR0
   ZXN0MQswCQYDVQQIEwJjYTELMAkGA1UEBhMCdXMwXDANBgkqhkiG9w0BAQEFAANL
   ADBIAkEAvzvqs9yjW/PDCt/Rotp9x9PHrULLeGOLlVSubo9poY1f5OYwsrjfaOtT
   bkhWDrakuwJJk8smDNSAl93tdP9r8wIDAQABo2UwYzAMBgNVHRMEBTADAQEAMB0G
   A1UdDgQWBBTAT0n9qsvdfqc9NzGPA5oLKsMzJjAhBgNVHSMEGjAYoBYEFGLT8qZb
   3LtGjw84nxna9YBHb7q6MBEGCWCGSAGG+EIBAQQEAwIAwDANBgkqhkiG9w0BAQQF
   AAOBgQB3OStVqhoWT66yXNsrznCg9t8yNClobnKGOJTqt+VbhV7BUgBH+fVSjf7v
   xJyV4twwlBvU08PsKYQGj4sJ1Ao3lsOXWrr6YZIHZZ6p9P8JXjY016Vg9g5SDmEV
   jgGbwy6ZOZYx27npp4X31WXY27KDZrV/FrwvF6/Pv6mZY7ijUw==
   

   -----END CERTIFICATE-----
   

6. Select Save to File and enter the full path name to save the generated certificate as a file. You can also select Browse to specify the location for the file.
   
   If you want to use this certificate for authentication, you must install the certificate on the same machine that generated the certificate request, since this is where the private key is stored.

   Certificates signed by the test CA are intended for testing only. In a real-life situation, the CA would verify user information to establish identity.

Exporting the test CA certificate

You can export certificates, including the test CA certificate. Exporting the test CA certificate allows you to load it into Netscape 4.0x browsers and mark it trusted. This prevents Netscape from displaying warnings about untrusted certificate authorities when you use listeners that use certificates signed by the test CA.

1. Select the CA Certificates folder.
2. Highlight the Sybase Jaguar User Test CA.
3. Select File | Export Certificate.
4. From the Export Certificate wizard, select the format type for the exported certificate. For the Test CA, select Binary Encode X509 Certificate. Click Next.
5. Select Save to File and enter the full path name to a file that will contain the test CA.
   
   Do not add any extension to the file name. A .crt extension is automatically added to the exported certificate by Security Manager. Netscape 4.0x recognizes this extension as a X.509 certificate and handles it accordingly.
6. Click Finish to export the certificate to the file you specified.

For general information about the Export Certificate wizard and certificate types, see "Installing and exporting certificates".

Loading the test CA's certificate into Netscape 4.0x

You must be logged in to the Netscape token.

1. Enter the full path of the file that contains the exported test CA's certificate in Netscape's URL/Netsite field.
2. Select Open and click OK.
3. Click Install Certificate. Netscape recognizes the .crt extension as belonging to a certificate authority and displays a series of dialogs asking if you want to accept the CA.
   
   If Netscape does not recognize the .crt file extension, perform these steps and restart Netscape before trying to load the test CA:
   1. From Netscape, select Edit | Preferences.
   2. Under Category, click Applications.
   3. Under Description, scroll down and select "Internet Security Certificate." Click Edit.
   4. Verify that the Mime Type field contains:

      application/x-x509-ca-cert
      

   5. Click OK.
   
   
      If you are using UNIX, make sure the following line is in your ~/.mime.types file before you start Netscape:

   application/x-x509-ca-cert      crt cer ber der
   

   This line ensures that Netscape recognizes the .crt file extension.
   
4. Follow the instructions in the dialogs to accept this certificate.

Netscape now allows you to connect to EAServer ports that require authentication, and accepts the certificates signed by the test CA without displaying warnings.

Key management

This section describes the tasks involved in key management.

To view the private keys installed in the security module, select the Private Keys folder. The private keys display on the right side of the window.

Security Manager displays any private key that does not have a certificate associated with it, including private keys that have an outstanding certificate request. For example, you may generate a key pair and request a certificate from a CA at the same time. It may take several days to receive your certificate. In the meantime, the private key displays when you highlight the Private Keys folder.

Sybase recommends that you delete any private key that does not have an outstanding certificate request associated with it.

Viewing information about a private-key

1. Select the Private Keys folder.
2. Highlight the key whose information you want to view.
3. Select File | Key Information. The Key Information dialog box displays the length of the key.

Deleting a private key

1. Select the Private Keys folder. The private keys display on the right side of the window.
2. Select the key that you want to delete.
3. Select File | Delete Key.

Certificate management

Security Manager comes with several preinstalled CA certificates. EAServer accepts client certificates only if they have been signed by a trusted CA. You can modify the trust attribute for any of the preinstalled certificates. See "Viewing certificate, trust, and export information" for more information.

Generating a key pair and requesting a certificate

You can generate a key pair and send the certificate request to a CA to be signed. Once the CA has signed and returned the request, you can install the certificate.

1. Select the Private Keys folder.
2. Select File | Key/Cert Wizard.
3. Supply the required information, described in Table 12-2. Use Back and Next to review or change any information.
   
   You can use any of the following characters:
   • Letters A - Z and a - z
   • Numeric values 0 - 9
   • (space) ' ( ) + , - . / : = ?
4. Click Finish to exit the wizard. Security Manager generates the key pair and saves the certificate request to a file that you specify, or installs a certificate if you have pasted one into the certificate dialog.
5. Send your certificate request to a CA for signing. Depending on the CA, this could be through e-mail or by attaching to the CA's URL.
6. When you receive it, install the certificate. See "Installing and exporting certificates".

The new private key appears on the right side of the window when you highlight the Private Keys folder. Once the certificate is received and installed, the private key is removed from the private key list.

Table 12-2: Certificate request information

Property	Description	Comments/example
Key Strength	Select the authentication key strength. The greater the number, the stronger the encryption. Your options are: 512 bits 768 bits 1024 bits	For international users, key strength is 512.
Key Label	The name that identifies the private key/certificate.	Required field. The label must be unique among all labels used for certificates.
Common Name	This could be your first and last name or name of a university or EAServer host name.	Required field.
User ID	Any user ID that would further identify you.
Organization	The name of your company, university, or other organization.	Required field.
Organization Unit	The name of a department within your organization.
Locality	The location of your organization.	You must supply at least one of: Locality State/Province Country
State/Province	The name of your state or province.
Country	Your two-digit country code; for example, "U.S."
Requester Name	The person requesting the certificate.
Server Admin	The name, if any, of the server administrator.
E-Mail	Your e-mail address.
Server Certificate Request	Displays the request information along with the generated public key.	Depending on the CA, you might be able to copy and paste the certificate request from this window into an e-mail and forward it for signing.
Save to File	Select this option and enter the full path name to save the generated certificate request as a text file. You can also use the browse feature to locate and save the file.	If you do not immediately send the certificate request to be signed, save the certificate request to a file and send it for signature later.
Cut and Paste the Certificate	If available, paste the signed certificate in this window for installation.	If you do not install the signed certificate now, you can use the Install Certificate option when you receive your signed certificate.
Format Type	Identifies the format of the certificate request. Your options are "base64" or "binary."	For server certificates, you would normally use a base64 format.
Mark Private Key Exportable	Check this box to allow the export of this certificate along with its private key.	See "Installing and exporting certificates" for more information.    If checked, you can later uncheck this property. Once unchecked, you cannot change this property. If unchecked, you cannot export this certificate and private key.

Certificate file extensions and types

When installing or exporting a certificate, Security Manager determines the type of certificate based on the file extension. The extensions and the type of certificates they represent are:

• .p7c Belongs to a PKCS #7 certificate chain.
• .crt Belongs to X.509 certificates, including CA certificates. In addition, Netscape certificate chains end with a .crt extension.
• .p12 and .pfx Belong to transferred user certificates. Sybase's PKCS #12 implementation generates PKCS #12 files with a .p12 file extension. This extension is recognized by both Netscape and Internet Explorer. The earlier PKCS #12 standard specified a .pfx file extension. You can install a PKCS #12 file that uses either extension into Sybase's PKCS #11 token.
• Binary and base64 Certificates can either be encoded/decoded using a binary or base64 scheme. Base64 is based on an ASCII format and certificates of this type can be installed from a file or pasted into the appropriate window. Binary certificates, on the other hand, must be read from a file. The encoding scheme has no effect on a certificate's file extension.

Installing and exporting certificates

Security Manager allows you to export or import (install):

1. Certificates signed by the test CA.
2. Certificates signed by another CA.
3. Certificate chains - a certificate chain is a certificate that has been signed by a CA, which in turn has been signed by a CA, and so on. The certificate contains information that traces the path of the certificate back to the root CA (the original signer).
4. A signer's (CA) certificate. You need to install a signer's certificate and mark it as trusted so that EAServer accepts certificates signed by that CA.
5. User certificates and their corresponding private key using the PKCS #12 standard.
   
   PKCS #12 is an RSA standard that specifies a transfer syntax for personal identity information. EAServer's support of the PKCS #12 standard allows you to move user certificates and private keys between systems and programs that support the PKCS #12 standard, such as Netscape Communicator and Microsoft's Internet Explorer.
   
      Transferring versus importing and exporting: Transferring user certificates and private keys allows you to use the certificate and private key in the target security environment. Exporting, installing, and marking a CA certificate trusted in the target security environment simply allows you to accept certificates that have been signed by that CA.
   
   
   Sybase's PKCS #12 implementation allows you to transfer certificates and private keys in either a domestic format (128-bit encryption) or international format (40-bit encryption). You can find more information about domestic and international support in "Configuring security profiles".

Installing a certificate

1. Select the folder that corresponds to the type of certificate you are installing.
2. Select File | Install Certificate.
3. Either paste the entire contents of the certificate into the box (base64 encoded certificates only), or click the Import from File box.
   
   If you select Import from File, the cut and paste area is dimmed. Use the browse feature to locate the certificate.
4. Click Install. If the certificate is of type .crt or .p7c, it is installed. If the file is a PKCS #12 type (has either a .p12 or .pfx extension) the PKCS #12 Certificate/Private Key window displays:
   
   
   1. Enter the password that allows access to the file. This is the password you entered when you exported the certificate and private key.
   2. To export the certificate and its private key at a later time you must check the Mark private key as exportable check box, which is, by default, already selected.
   3. Click Done.
   
   
   The certificate is assigned to a folder based on its type:
   • User Your certificates and other user certificates, including certificates signed by the test CA used to authenticate EAServer. These are the certificates that have a matching private key stored in the PKCS #11 token.
   • CA Certificates obtained from CAs. These identify the signers of certificates that EAServer recognizes.
   • Trusted A subset of the CA certificates. These are the signers of certificates that EAServer trusts. EAServer accepts the certificates from clients that have been signed by trusted CAs. You must mark a CA as trusted before it appears in the Trusted folder. See "Viewing certificate, trust, and export information" for more information.
   • Other Certificates obtained from other users or organizations that cannot be identified as User or CA.

Once installed, you can assign a user certificate to a security profile. For more information, see "Configuring security profiles".

After installing a signer's certificate, mark it as trusted if you want to accept certificates signed by that signer. See "Viewing certificate, trust, and export information" for more information.

Exporting a certificate

1. Select the Certificates folder that contains the certificate to be exported.
2. Highlight the certificate to be exported.
3. Select File | Export Certificate.
4. From the Export Certificate wizard, select the format type of the certificate to be exported.
   
   If you have chosen Export Certificate from the User Certificate folder, and you selected "Mark Private Key Exportable" when you generated the key pair and requested a certificate, the PKCS #12 option is available.
5. Depending on the type of certificate you select, one of two windows appears:
   
   
   • If you have selected a certificate format that is not PKCS #12, select Save to File and enter the full path name to a file that contains the certificate.
     
     Do not add any extension to the file name. The appropriate extension is automatically added to the exported certificate by Security Manager.
   • If you have selected PKCS #12, enter and confirm a password used to protect access to the exported certificate and its private key. When you try to install the certificate, you are prompted for this password; there are also several advanced options you can configure that affect the exported certificate. See "Advanced PKCS #12 options". When you are finished, click Next.
     
     Select Save to File and enter the full path name to a file to contain the certificate.
     
     Do not add any extension to the file name. The appropriate extension is automatically added to the exported certificate by Security Manager.
6. Click Finish to export the certificate to the file you specified.

Advanced PKCS #12 options

The advanced screen allows you to modify the PKCS #12 options listed below. The default settings are appropriate in most cases and should only be modified by experienced users:

• Include certificate trust chain If the certificate is part of a chain, clicking this box adds information about the CAs in the certificate's chain. See "Verifying a certificate" for additional information about certificate chains.
• Private key encoding algorithm The password-based algorithm used to protect the contents of the exported private key. The default algorithm is 40BitRC2, which is accepted by most browsers. If you want to export the private key using stronger or weaker encryption, select an algorithm from the drop-down list, but be sure that the target browser accepts the stronger encryption. Security Manager can export or import private keys that are shrouded with any of the listed algorithms.
• Certificate encoding algorithm The password-based algorithm used to protect the contents of the exported user certificate. The default algorithm is 40BitRC2, which is accepted by most browsers. If you want to export the certificate using stronger or weaker encryption, select an algorithm from the drop-down list, but be sure that the target browser accepts the stronger encryption. Security Manager can export or import user certificates that are shrouded with any of the listed algorithms. See "Configuring security profiles" for a description of the various encryption methods and terms.

Viewing certificate, trust, and export information

You can view the information about the certificates that you have installed and your own certificates, including identifying, trust, and usage information. To view certificate information:

1. Select the folder for the type of certificate you want to view:
   • User
   • CA
   • Trusted
   • Other
2. Select the certificate you want to view.
3. Select File | Certificate Info.

The Certificate Information dialog appears. Use the scroll bar to view all of the information.

The Certificate dialog includes a Trusted Certificate check box. Based on the policies of your organization, trustworthiness of the certificate signer, and other considerations, specify whether or not to mark a certificate as trusted. Only CA certificates can be marked as trusted or untrusted.

Certificates that are marked as trusted display when you select the Trusted folder.

For user certificates, an Exportable Private Key check box is provided. If this box is checked, you can export the certificate, along with its private key. To prevent future exports, you can uncheck the box. Once unchecked, the private key can never be exported. See "Installing and exporting certificates" for more information.

Verifying a certificate

Security Manager verifies the signature, expiration date, and validity of a certificate. If the certificate is part of a chain of certificates, it verifies each certificate in the chain.

A chain involves more than one certificate. Each certificate in the chain is signed by the preceding certificate. For the certificate to be verified, the entire chain must be verified. If a peer offers a certificate for authentication that belongs to a chain, at least one CA within the chain must be trusted for the certificate to be accepted.

To verify a certificate:

1. Select the folder for the type of certificate you want to verify.
2. Highlight the certificate you want to verify.
3. Select File | Verify.

A dialog appears that either verifies the certificate or informs you that verification was unsuccessful. Do not use certificates that fail verification.

Renaming a certificate

Only the label of the certificate is changed. The content of the certificate remains the same.

1. Select the folder type for the certificate you want to rename.
2. Highlight the certificate to rename.
3. Select File | Rename Certificate.
4. Enter the new name of the certificate. Click Done.

Deleting a certificate and its associated private key

Security Manager allows you to delete your own certificates and associated private keys, the test CA, and certificates that you have obtained from others.

1. Select the folder for the type of certificate you want to delete.
2. Highlight the certificate you want to delete.
3. Select File | Delete Certificate.

   If you delete the test CA, certificates that were signed by the test CA are no longer useful. In this case, you need to generate a new test CA and new certificates signed by the new test CA to test your security scenarios.

Copyright © 2002 Sybase, Inc. All rights reserved.