SunScreen 3.1 Administration Guide

Certificates

Each type of certificate requires a particular Name Space ID (NSID) and the Master Key ID (certificate ID) of the certificate. The NSID and certificate-ID conventions for each type are listed under "To Add Certificates from a Diskette or a File" below.

NSIDs and certificate IDs are described in the SunScreen Reference Manual.

To Add Screen Certificates From a Diskette or a File

Presently, you can only do this with local administration. Therefore, for a remotely administered Screen, you must go to the Screen itself to add Screen certificates from a diskette or a file.

This example shows adding a private key and its certificate.

  1. Insert the diskette that contains the private certificate, if you are using Sun CA X.509 keys and certificates, into the diskette drive of the Administration Station.

    You can also add a new private key and certificate from a directory that contains only one set of private key and certificate files.

    If you are adding a private key and certificate from a directory, you do not need this step and step 2.

  2. Mount the diskette by typing:


    # volcheck
    

  3. Run install_skip_keys with the path of the directory that contains the private key and certificate, for example:


    # install_skip_keys -icg /floppy/unnamed_floppy
    

  4. Type the following to eject the diskette, if you are using Sun CA X.509 keys and certificates:


    # eject unnamed_floppy
    

    If you are adding a private certificate from a directory, you do not need this step.


    Note -

    Store the diskette that contains the private key and public certificate safely and securely. It contains sensitive information that is not encrypted.


  5. Type the following to restart the SKIP key manager to update the certificate database:


    # skipd_restart
    

  6. Type the following to name the private key and certificate you have just added, for example:


    edit> add certificate sales-home SINGLE NSID 1 MKID "0xA0050E"
      COMMENT "Use this cert for tunnelling to home from NY"
    

    Where sales-home is the name that you are giving the certificate; 1 is the NSID; A0050E is the certificate ID, written with a 0x prefix in the command.

To Add Screen Local Identities

Presently, you can only do this with local administration; therefore, for a remotely administered Screen, you must first gain access to the Screen's crt.file, after which the commands below will work. One way to gain access is an rlogin session to the Screen, if a policy rule allows it; because rlogin carries its traffic unencrypted, do not transfer the secret key file over such a session in the clear.

To use this command you must first have saved the local identity and the secret key to separate files. For example, you may have extracted the self-generated certificate ID and key that you generated on a Screen to a diskette. You do this because the same key cannot be generated again later, should you have to reinstall the SunScreen software, and once you have exchanged certificate IDs with a number of peer systems it becomes difficult to repair the configuration quickly.

The SunScreen installation programs all rekey the Screen being installed. This is not a serious problem in itself, but it means that you have to add your old keys back into the database before configuring the Screen for any virtual private networks (VPNs) that existed. See the SunScreen Reference Manual for information about VPNs.

  1. Type the following to add the Screen's local identity.


    # skiplocal -a -T soft -t x509 -n 1 -c certificate_filename -s secret_filename
    

    This example shows adding a CA key and certificate. If you are adding a self-generated key and certificate, the value for -t is dhpublic and the value for -n is 8.

  2. Type the following to restart the SKIP key manager to update the certificate database:


    # skipd_restart
    

  3. Type the following to name the private key and certificate you have just added, for example:


    edit> add certificate sales-home SINGLE NSID 1 MKID "0xA000050E"
      COMMENT "certificate for home sales"
    

    where sales-home is the name that you are giving the certificate; 1 is the NSID; A000050E is the MKID (certificate ID), written with a 0x prefix in the command.
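The files that skiplocal -a reads hold the secret key unencrypted (see the note under "To Add Screen Certificates From a Diskette or a File"), so a short pre-flight check is worthwhile before re-adding an identity. The following POSIX sh script is an added example, not part of the SunScreen guide or product: it selects the -t/-n pair the guide gives for CA-issued (x509, NSID 1) and self-generated (dhpublic, NSID 8) identities, refuses a secret-key file that is group- or world-accessible, refuses a certificate file that is the same as the secret file, and prints the skiplocal command it would run rather than running it. The kind names "ca" and "self", the function names, and the constructed demonstration files are this example's own.

```shell
#!/bin/sh
# Added example, not part of the SunScreen guide: check the saved
# certificate and secret-key files and build the `skiplocal -a` command
# line used to re-add a Screen local identity. Nothing is executed.

# identity_type_args KIND: print the -t/-n pair the guide gives for KIND,
# where "ca" is a CA-issued identity and "self" a self-generated one
# (these kind names are this example's own).
identity_type_args() {
    case "$1" in
        ca)   echo "-t x509 -n 1" ;;
        self) echo "-t dhpublic -n 8" ;;
        *)    echo "unknown identity kind: $1" >&2; return 1 ;;
    esac
}

# secret_file_ok FILE: succeed only if FILE is a readable regular file whose
# group and other permission bits are all clear (mode 0600 or 0400), since
# the secret key inside it is stored unencrypted.
secret_file_ok() {
    f=$1
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
    # columns 5-10 of `ls -l` output are the group and other permission bits
    go_bits=$(ls -ld "$f" | cut -c5-10)
    [ "$go_bits" = "------" ] || {
        echo "$f: group/other permissions '$go_bits' are too permissive; use chmod 600" >&2
        return 1
    }
}

# skiplocal_add_command KIND CERT_FILE SECRET_FILE: print the command from
# step 1 of the procedure above, after checking both files.
skiplocal_add_command() {
    kind=$1 cert=$2 secret=$3
    args=$(identity_type_args "$kind") || return 1
    [ -f "$cert" ] && [ -r "$cert" ] || {
        echo "$cert: missing or unreadable certificate file" >&2
        return 1
    }
    [ "$cert" != "$secret" ] || { echo "certificate and secret files must differ" >&2; return 1; }
    secret_file_ok "$secret" || return 1
    echo "skiplocal -a -T soft $args -c $cert -s $secret"
}

# Demonstration on constructed files in a temporary directory.
demo_dir=$(mktemp -d)
printf 'constructed certificate\n' > "$demo_dir/screen.crt"
printf 'constructed secret\n' > "$demo_dir/screen.key"
chmod 600 "$demo_dir/screen.key"
skiplocal_add_command ca "$demo_dir/screen.crt" "$demo_dir/screen.key"
rm -rf "$demo_dir"
```

Run the printed command by hand once it looks right; keeping the check separate from the execution means a rejected file never reaches skiplocal, and the skipd_restart and add certificate steps that follow are unchanged.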

To Add Self-Generated Screen Certificates
  1. Type the following to create a self-generated Screen certificate, for example:


    # skiplocal -k -m 512
    

    The example generates a key with a 512-bit modulus.

    Use -m followed by the modulus size, in bits, of the encryption strength for which you want to create a new certificate, if you have installed more than one encryption strength. The modulus sizes are:

    • Global (1024 bits)

    • U.S. and Canada Only (4096 bits)

    You see the following message on the screen:


    generating local secret with 512 modulus size
    It would help the quality of the random numbers if you would 
    type 50-100 random keys on the keyboard. Hit return when 
    you are done.

  2. Type 50 to 100 random keystrokes.

    As you type, the count of keystrokes appears on the screen.

    After you press the Return key, you see the continuation of the message on the screen:


    100
    Format: Hashed Public Key (MD5)
    Name/Hash: 3f 3c f9 d0 52 85 a3 be 1e 6d 4e cb e4 9e 49 e7 
    Not valid Before: Fri Apr 17 17:00:00 1998
    Not valid After: Thu Apr 17 17:00:00 2003
    g: 2
    p: 
    f52aff3ce1b1294018118d7c84a70a72d686c40319c807297aca950cd9969fab
    d00a509b0246d3083d66a45d419f9c7cbd894b221926baaba25ec355e92a055f
    public key: 
    9945eb0a204efd9643a3aeb42f80d18a22a194232ef6e18809b4b80ac6227100
    0b24fbd0a01608a6b3fe92a3ab107efd1970c398cdc2d0f73effea55c1cb0565
    Added local identity slot 12

  3. Type the following to restart the SKIP key manager to update the certificate database:


    # skipd_restart
    

  4. Type the following to add the new certificate and its name to the certificate database, for example:


    edit> add certificate sales-home SINGLE NSID 8 MKID
      "0x3f3cf9d05285a3be1e6d4ecbe49e49e7"
      COMMENT "This is the Screen's key for the home sales network."
    

    Because this is a self-generated UDH certificate, the NSID is 8.

    To enter the certificate ID:

    1. Run the skiplocal list command.

    2. Copy the Name (certificate ID) of the local identity slot whose number matches the slot number reported above (slot 12 in this example).

    3. Paste it as the MKID value in the add certificate command above.

To Add Self-Generated Screen Certificates Using Remote Administration

  1. Type the following to create a self-generated Screen certificate, for example:


    # ssadm -r Screen_name lib/skiplocal keygen -k -m 1024 -f
    


    Note -

    You must use the -f flag with remote administration. This flag suppresses the prompt to type random keys on the keyboard.


    The example shows generating a global (1024-bit) key.

    Use -m followed by the modulus size, in bits, of the encryption strength for which you want to create a new certificate, if you have installed more than one encryption strength. The modulus sizes are:

    • Global (1024 bits)

    • U.S. and Canada Only (4096 bits)

    You see the following message on the screen:


    generating local secret with 1024 modulus size
    Format: Hashed Public Key (MD5)
    Name/Hash: 3f 3c f9 d0 52 85 a3 be 1e 6d 4e cb e4 9e 49 e7 
    Not valid Before: Fri Apr 17 17:00:00 1998
    Not valid After: Thu Apr 17 17:00:00 2003
    g: 2
    p: 
    f52aff3ce1b1294018118d7c84a70a72d686c40319c807297aca950cd9969fab
    d00a509b0246d3083d66a45d419f9c7cbd894b221926baaba25ec355e92a055f
    public key: 
    9945eb0a204efd9643a3aeb42f80d18a22a194232ef6e18809b4b80ac6227100
    0b24fbd0a01608a6b3fe92a3ab107efd1970c398cdc2d0f73effea55c1cb0565
    Added local identity slot 12

  2. Type the following to restart the SKIP key manager to update the certificate database:


    # ssadm -r Screen_name lib/skipd_restart
    

  3. After entering the editor over the remote administration connection, type the following to add the new certificate and its name to the certificate database, for example:


    edit> add certificate sales-home NSID 8 MKID
      "0x3f3cf9d05285a3be1e6d4ecbe49e49e7"
      COMMENT "This is the Screen's key for the home sales network."
    

    Because this is a self-generated UDH certificate, the NSID is 8.

    To enter the certificate ID:

    1. Run the skiplocal list command.

    2. Copy the Name (certificate ID) of the local identity slot whose number matches the slot number reported above (slot 12 in this example), and paste it as the MKID value in the add certificate command above.
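The last steps of this procedure, and the same steps under "To Add Self-Generated Screen Certificates", have you transcribe the Name/Hash bytes by hand into the MKID argument. The following POSIX sh script is an added example, not part of the SunScreen guide or product, that does the transcription mechanically: it reads the keygen output shown on this page (embedded here as a constructed, abbreviated sample), joins the Name/Hash bytes into the 0x-prefixed MKID string that add certificate expects, picks up the slot number, checks the MKID length against the NSID conventions given under "To Add Certificates from a Diskette or a File" (8 hex digits for NSID 1, 32 for NSID 8), and prints the editor command. The output format of skiplocal list is not shown on this page, so the parser is written against the keygen output above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the SunScreen guide: turn the Name/Hash line
# printed by `skiplocal -k` into the MKID string that `add certificate`
# expects, and check an NSID/MKID pair against the digit counts the guide
# gives (NSID 1: 8 hex digits, NSID 8: 32 hex digits).

# Constructed sample: the keygen output shown in the guide, with the long
# p and public key lines omitted.
SAMPLE_KEYGEN_OUTPUT='100
Format: Hashed Public Key (MD5)
Name/Hash: 3f 3c f9 d0 52 85 a3 be 1e 6d 4e cb e4 9e 49 e7 
Not valid Before: Fri Apr 17 17:00:00 1998
Not valid After: Thu Apr 17 17:00:00 2003
g: 2
Added local identity slot 12'

# mkid_from_keygen_output: read keygen output on stdin and print "0x"
# followed by the Name/Hash bytes joined without spaces.
mkid_from_keygen_output() {
    awk '/^Name\/Hash:/ {
        out = "0x"
        for (i = 2; i <= NF; i++) out = out $i
        print out
        exit
    }'
}

# slot_from_keygen_output: read keygen output on stdin and print the slot
# number from the "Added local identity slot N" line.
slot_from_keygen_output() {
    awk '/^Added local identity slot/ { print $NF; exit }'
}

# check_mkid NSID MKID: succeed only if MKID is hexadecimal (optionally
# 0x-prefixed) and has the digit count the guide gives for that NSID.
check_mkid() {
    nsid=$1
    hex=${2#0x}
    case "$nsid" in
        1) want=8 ;;
        8) want=32 ;;
        *) echo "unknown NSID $nsid" >&2; return 1 ;;
    esac
    case "$hex" in
        *[!0-9a-fA-F]*|"") echo "MKID is not hexadecimal: $2" >&2; return 1 ;;
    esac
    [ ${#hex} -eq "$want" ] || {
        echo "NSID $nsid needs $want hex digits, got ${#hex}: $2" >&2
        return 1
    }
}

# add_certificate_command NAME NSID MKID COMMENT: print the editor command.
add_certificate_command() {
    printf 'add certificate %s SINGLE NSID %s MKID "%s" COMMENT "%s"\n' "$1" "$2" "$3" "$4"
}

# Demonstration on the constructed sample: a self-generated key uses NSID 8.
mkid=$(printf '%s\n' "$SAMPLE_KEYGEN_OUTPUT" | mkid_from_keygen_output)
slot=$(printf '%s\n' "$SAMPLE_KEYGEN_OUTPUT" | slot_from_keygen_output)
check_mkid 8 "$mkid" &&
    add_certificate_command sales-home 8 "$mkid" "self-generated key from slot $slot"
```

In practice you would pipe the real keygen output into mkid_from_keygen_output instead of the embedded sample; the length check catches the case where a digit is dropped during a hand copy, which would otherwise produce a certificate entry that never matches the key in the slot.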


Note -

For tunnelling with a remote administration station, see the editor command accessremote. For tunnelling with encrypted packet filtering, see "Policy Rules." Tunnelling is also described in the SunScreen Reference Manual.


To Add Certificates from a Diskette or a File

Presently, you can only do this with local administration; therefore, for a remotely administered Screen, you must go to the Screen itself to add certificates from a diskette or a file.

  1. Insert the diskette that contains the public certificate, if you are using issued certificates, into the diskette drive of the Administration Station.

    You can also add a public certificate from a directory that contains only one set of certificate files. If you are adding a public certificate from a directory, you do not need this step or step 2.

  2. Mount the diskette by typing:


    # volcheck
    

  3. Run the install_skip_keys script from the directory where the public certificate is stored, giving the certificate ID of the certificate to add, for example:


    # /floppy/floppy0/install_skip_keys A00050B
    

    This example shows adding the public certificate with certificate ID A00050B.

  4. Type the following in the terminal window to eject the diskette, if you are using issued certificates:


    # eject floppy0
    

    If you are adding a public certificate from a directory, you do not need this step.

  5. Type the following to name the public certificate you have just added, for example:


    edit> add certificate NYcert NSID 1 "0xA00050B" 
    COMMENT "NY office public cert"
    

    Where NYcert is the name that you are giving the certificate; 1 is the NSID; A00050B is the certificate ID.

    Each type of certificate requires a particular Name Space ID (NSID) and the Master Key ID (certificate ID) of the certificate.

    • Issued certificates use the NSID 1 convention with a certificate ID of 8 hexadecimal digits (32 bits).

    • Diffie-Hellman certificates use the NSID 8 convention with a certificate ID of 32 hexadecimal digits (128 bits).

    NSIDs and certificate IDs are described in the SunScreen Reference Manual.


    Note -

    The tunnelling address is specified as an option in the rule that uses the key, or in the remote administration rule.


To Add Certificate Groups

    After you have named certificates, you can collect them into logical groups, so that a rule can use the group instead of listing single names:


    edit> add certificate sales-list GROUP sales-co sales-il sales-tx
      sales-sca sales-nca COMMENT "list of U.S. sales offices"
    

To Add a New Member to a Certificate Group

    Type the following to add a new member to a certificate group, for example:


    edit> add_member certificate sales-list sales-wy
    

To Remove a Member From a Certificate Group

    Type the following to remove a member from a certificate group, for example:


    edit> del_member certificate sales-list sales-wy
    

To Rename a Certificate or Certificate Group

Note -

To make troubleshooting easier, do not rename the certificates that were created when you installed a remotely administered SunScreen.


When you rename a certificate or certificate group using this command, SunScreen checks the certificate policy object for all instances of the old name and changes them to the new name. It does not rename references in other places, such as administrative rules and policy rules.

    Type the following to rename a certificate or certificate group, for example:


    edit> renamereference certificate sales-ny sales-northeast
    

To Delete a Certificate or Certificate Group

Note -

To make troubleshooting easier, do not delete the certificates that were created when you installed a remotely administered SunScreen.


This command does not check for any references to the certificate or certificate group that you are deleting.

    Type the following to delete a certificate or certificate group, for example:


    edit> del certificate sales-la
    

To Check References to a Deleted Certificate

If you want to check references to a certificate that you want to delete or have already deleted,

    Type the following to find the references to the certificate, for example:


    edit> refer certificate sales-la
    

    You see a list of all the places in the certificate database where the certificate is used. You can then remove it from the access entries in which it is used, and edit any policy rule in which it is used to remove it.

To Check References to a Deleted Certificate Group

If you want to check references to a certificate group that you want to delete or have already deleted,

    Type the following to find the references to the certificate group, for example:


    edit> referlist certificate sales-west
    

    You see a list of all the places in the certificate database where the certificate group is used. You can then remove it from the access entries in which it is used, and edit any policy rule in which it is used to remove it.