Chapter 11. Acting as a certification authority for a private Web network

To conduct commercial business on the Internet, you will want to get a secure server certificate from a widely known certification authority (CA), such as VeriSign.

You may, however, have a project for your company, university, or group where you want to act as your own CA for a private Web network. The Internet Connection Secure Server allows you to be your own CA. As a CA, you will use a utility called certutil, which is provided with the Internet Connection Secure Server, to create signed certificates. However, clients must have browsers, such as Secure WebExplorer or Netscape Navigator, that can receive your CA certificate and designate it as a trusted root.

Note: Your use of this utility is limited to directly certifying end user to end user exchange of data. You are not authorized to issue certificates to third parties or allow others to do so, or to use this utility for any other purpose.

This chapter tells you how to become your own CA and then how to process certificate requests as a CA.

Becoming a CA

Your job as CA is to verify that a certificate should be issued for a client or server. You need to make sure that the person making the request has a legitimate claim to the name in the request. For example, if your company is working on a top secret project, your issuance of a certificate can give a person access to top secret information.

After you have verified a person's claim, you will use the certutil command to process the certificate request. The output from the certutil command is a certificate signed with your CA private key.

After you verify that the information in the certificate created by certutil is correct, you will:

Send your CA certificate to the client or server for whom you're acting as CA. The client or server needs to receive your CA certificate and designate it as a trusted root.
Send the client or server its certificate, which you processed as a CA. The client or server needs to receive its certificate into its key ring after it has received the CA certificate and designated it as a trusted root.

Before you can process certificate requests as a CA, you need to do the following to become a CA:

Create your CA public-private key pair and request a CA certificate
Receive your CA certificate (which is the same as the CA certificate request) into your CA key ring
Designate your CA key as a trusted root

You must carefully protect your CA private key. If it is compromised, then all the certificates you've issued will also be compromised.

Create CA's public-private key pair and request CA's certificate

This chapter describes how to use the Create Key and Request Certificate form to create your CA public-private key pair and request your CA certificate.

Choose Other.
Click Apply to process this part of the Create Key and Request Certificate form. The Other Certificate form appears.
Use Create Key to create your CA key pair.

Specify Key name: Specify a meaningful, unique name to identify your CA key pair. The key name is the label that identifies the key pair and certificate in the key ring. You may use non-alphanumeric characters in key names; however, keep in mind that some platforms have special uses for some of these characters.
Specify Key ring: Specify the fully qualified path and file name for the key ring file. It's best to use a separate key ring to keep your CA key pair. If you specify a file that doesn't exist for key ring, the server creates the file for you.
Specify the Size of the Key Pair: Your private CA key will be used to sign the server and client certificates you process as CA. Your CA public key will be used by those clients and servers to verify your CA signature. The larger the CA key pair, the more secure the key pair will be. If the CA private key is compromised, then all the certificates issued by the CA are also compromised.
Specify a Password: Use this part of the form to specify the password that protects your CA key ring. You should keep your CA keys in a separate key ring with its own password. If your CA private key is compromised, then all the certificates you've issued as a CA are also compromised.
The password must be from the U.S. English character set.

The security of your CA private key, which is used to sign the client and server certificates you process as a CA, depends upon this password. Here are some commonly accepted rules for specifying passwords:
- Make the password at least six characters.
- Make sure the password doesn't spell a word.
- Make sure the password doesn't consist of publicly obtainable information about you; for example, the initials and birth date for you, your spouse, or children.
- Include at least two, nonconsecutive numbers in the password.
Type the password twice to ensure that you have typed it correctly.
If you must record the password, make sure it is stored in a well-secured place.
If, as recommended, you put your CA key pair on a separate key ring, do not check Automatic Login to stash the password for the CA key ring.
Specify Distinguished Name: Specify the Distinguished Name you want associated with your CA certificate and used to identify your CA public key.

Provide the following information for Distinguished Name:
- Server Name: Usually the X.509 common name of the server, which is usually the TCP/IP fully qualified host name; for example, www.ibm.com.
- Optionally, Organizational Unit
- Organization
- Optionally, Locality or City
- At least three characters for State or Province
- Postal code or zip code.
- The two-character country code for the country in which the server resides
Don't specify User's e-mail address.
Specify Mailing Option: Choose Don't mail.
Save Your Certificate Request: Save your CA certificate request in a unique file. The server creates the file for you.
Check your form and make sure you entered each item correctly.
Click Apply to process the form. You receive a Confirmation that the form was successfully processed.
The server:
- Stores the key pair in an encrypted format on the key ring.
- Creates the certificate request and stores it in the file you specified.

Next, you need to receive your CA certificate request.

Receive CA's certificate

Use the Receive Certificate form to receive the CA certificate request that you saved. The CA's certificate is the same as the certificate request.

Provide:
Name of file containing certificate: The fully qualified path and file name of the file in which you saved the CA certificate request (Save certificate request to file on the Create Key and Request Certificate form).
Key ring: The fully qualified path and file name of the key ring you specified on the Create Key and Request Certificate form for your CA certificate.
Key ring password: The password you specified on the Create Key and Request Certificate form for your CA key ring.
Check your form and make sure you entered each item correctly.
Click Apply to process the form. You receive a Confirmation that the form was successfully processed.
The server stores your CA certificate in the CA key ring. It is referenced in the key ring with the key name you specified on the Create Key and Request Certificate form.

You now have your CA certificate (also known as a self-signed certificate) signed with your CA private key in your CA key ring.

Next, the CA key needs to be a trusted root on the server.

Designate the CA key as a trusted root

Use the Key Management form.

Check the key ring file name shown on this form. If it is not the key ring that contains your CA key, go to the Security Configuration form and designate your CA key ring as the current key ring. After you receive your confirmation message, come back to the Key Management form, which should show the CA key ring as the current key ring.
Specify the key ring password for the CA key.
Choose the option Designate Trusted Root Keys.
Click Apply to process the form. The Designate Trusted Root Keys form appears.

On the Designate Trusted Root Keys form:

Select the name of the CA key.
Click Apply to process the form. You receive a Confirmation that the form was successfully processed.
If you have a key ring that contains keys the server uses for secure network communications, it should be the current key ring. You can use the Security Configuration form to designate the server's key ring as the current key ring.

Now, you are ready to process the certificate request for clients and servers.

Processing certificates as a CA

After you have created your CA key pair, obtained your CA certificate, and designated your CA public key as a trusted root, you are ready to act as a CA and process certificates for this server and for other servers and clients.

Servers can use the Configuration and Administration forms to create their public-private key pair and request their certificate. They should use the Other Certificate form. If you provide them with your e-mail address, they can specify it on the form and have the certificate request electronically mailed to you. Or, they can save the certificate request in a file and electronically mail it to you later.

Some browsers, such as Secure WebExplorer and Netscape Navigator, allow clients to create their public-private key pair and request their certificate. Clients can electronically mail their certificate requests to you.

Some e-mail programs may alter files and should not be used to send or receive certificate requests or certificates. For example, some programs may pad the lines of the certificate request or certificate with blanks and invalidate it.

To process certificates for clients and servers, you will:

Receive certificate requests from clients and servers and verify that the person making the request has a legitimate claim to the name in the request.
Use the certutil command to process the certificate request. The output from the certutil command is a certificate signed with your CA private key.
Check the information printed in the output file and verify to whom the certificate is being issued before sending it to the client or server.
Send the client or server:
- Your CA certificate. This certificate must be received into the key ring of the client or server and then designated as a trusted root.
- The client or server certificate that was processed by you as CA. After the client or server has received the CA certificate into its key ring and designated it as a trusted root, the client or server can receive its certificate into the key ring.

Then, the client or server can use the certificate you created as a CA to communicate securely with other clients and servers within your private Web network.

Use certutil command to process client and server certificates

Use the certutil command to process certificate requests for the clients and servers for whom you're acting as CA. The output of the certutil command is a client or server certificate that has been signed with your private CA key.

Before using the certutil command, verify that the person making the request has a valid claim to the name in the request.

Format

certutil [-p validity-period] [-k ca-key-ring] < cert-req-file > cert-file-name

validity-period can be 1 to 9999 for the number of days the certificate is valid. If you don't specify validity-period, the default is 365 days.
ca-key-ring is the fully qualified path and file name you specified for the CA Key ring on the Create Key and Request Certificate form. If you don't specify ca-key-ring, the default is keyfile.kyr.
cert-req-file is the fully qualified path and file name of the file that contains the client or server certificate you are processing. For clients or servers who mail their certificate request to you through e-mail, it is the file into which you received the certificate request with your e-mail program. For a certificate for this server, it is the file you specified for Save certificate request to file on the Create Key and Request Certificate form when you were requesting the server certificate.
cert-file-name is the unique, fully qualified path and file name of the output file where you want to put the signed certificate created by the certutil command.

Example

certutil -p 730 -k D:/WWW/BIN/cakeyfil.kyr < D:/WWW/BIN/CertReq.txt
> D:/WWW/BIN/Cert.txt

Note: The certutil command should be on one line. It is shown on more than one line because of formatting.

After you enter the command, you are prompted for the password of the key ring that has the CA key.

If certutil cannot create the signed certificate, you will get an error message.

It's a good idea to check the output file and verify that the certificate correctly states to whom it is being issued.

What you do next depends on whose certificate you are processing:

If you are processing this server's certificate, go to "Receive certificate for this server".
If you are processing certificates for other servers or clients, go to "Send clients and other servers their processed certificates".

Receive certificate for this server

If you are processing this server's certificate, you need to:

Use the Receive Certificate form to receive the CA certificate into the server's key ring.

Provide:
- Name of file containing certificate: Specify the file name of the file into which you saved the CA certificate request. The request is the same as the CA's certificate.
- Key ring: The key ring you specified on the Create Key and Request Certificate form when you created this server's keys and requested its certificate.
- Key ring password: The password you specified on the Create Key and Request Certificate form for this server's key ring.
Check your form and make sure you entered each item correctly.
Click Apply to process the form. You receive a Confirmation that the form was successfully processed.
The server stores the certificate in its key ring. It is referenced in the key ring with the key name you specified on the Create Key and Request Certificate form for the server's certificate.
Go to the Key Management form. Make sure that the server's key ring is the current key ring. If it is not the current key ring, go to the Security Configuration form and make the server's key ring the current key ring. After you receive the confirmation message, come back to the Key Management form.
On the Key Management form, specify the key ring password for the server's key ring.
Choose the option Designate Trusted Root Keys and click Apply to process the form. The Designate Trusted Root Keys form appears.
On the Designate Trusted Root Keys form, select the CA certificate. For the CA certificate, you will see the Distinguished Name (DN) of the CA rather than the key name.
Click Apply to process the form. You receive a Confirmation that the form was successfully processed.
Use the Receive Certificate form to receive the server's certificate into its key ring.

Provide:
- Name of file containing certificate: Specify the file name you provided for cert-file-name when you used the certutil command.
- Key ring: The key ring you specified on the Create Key and Request Certificate form when you created this server's keys and requested its certificate.
- Key ring password: The password you specified on the Create Key and Request Certificate form for this server's key ring.
Check your form and make sure you entered each item correctly.
Click Apply to process the form. You receive a Confirmation that the form was successfully processed.
The server stores the certificate in its key ring. It is referenced in the key ring with the key name you specified on the Create Key and Request Certificate form for the server's certificate.
After you receive your Confirmation for the Receive Certificate form, you can make changes to other Configuration and Administration forms. However, when you are ready to use the server's keys for secure network communications, you must stop the server and then start it again. The server will not pick up the changes you've made to the key ring if you only restart it.

Send clients and other servers their processed certificates

You need to send the clients and other servers for whom you are acting as CA:

Your CA certificate. Clients and other servers need to receive this certificate and designate it as a trusted root. You can send clients and servers your CA certificate request. It is your signed CA certificate.
The client or server certificate you processed as CA. After the client or server has received the CA certificate and designated it as a trusted root, the client or server can receive its certificate into the key ring.

Note: Some e-mail programs may alter files and should not be used to send or receive certificate requests or certificates. For example, some programs may pad the lines of the certificate request or certificate with blanks and invalidate it.

After a client or server receives the CA certificate, designates it as a trusted root, and receives the client or server certificate, the client or server certificate can be used for secure network communications. Before a server's keys are used for secure network communications, the server must be stopped and then started again. The server will not pick up the changes you made to the server's key ring if you only restart it.

[ Top of Page | Previous Page | Next Page | Table of Contents ]