Solaris 9 12/03 Installation Guide

Using Digital Certificates for Server and Client Authentication

The WAN boot installation method can use PKCS#12 files to perform an installation over HTTPS with server or both client and server authentication. For requirements and guidelines about using PKCS#12 files, see Digital Certificate Requirements.

To use a PKCS#12 file in a WAN boot installation, you split the file into separate certificate and private key files, insert the trusted certificate in the client's truststore file in the /etc/netboot hierarchy, and, if you require client authentication, also insert the client certificate in the client's certstore and the client's private key in the client's keystore.

The wanbootutil command provides options to perform each of these tasks.

Before you split a PKCS#12 file, create the appropriate subdirectories of the /etc/netboot hierarchy on the WAN boot server.

Creating a Trusted Certificate and Client Private Key
  1. Assume the same user role as the web server user on the WAN boot server.

  2. Extract the trusted certificate from the PKCS#12 file. Insert the certificate in the client's truststore file in the /etc/netboot hierarchy.


    # wanbootutil p12split -i p12cert \
      -t /etc/netboot/net-ip/client-ID/truststore
    
    p12split

    Option to wanbootutil command that splits a PKCS#12 file into separate private key and certificate files.

    -i p12cert

    Specifies the name of the PKCS#12 file to split.

    -t /etc/netboot/net-ip/client-ID/truststore

    Inserts the certificate in the client's truststore file. net-ip is the IP address of the client's subnet. client-ID can be a user-defined ID or the DHCP client ID.

  3. (Optional) If you want to require client authentication, perform the following steps.

    1. Insert the client certificate in the client's certstore.


      # wanbootutil p12split -i p12cert -c \
        /etc/netboot/net-ip/client-ID/certstore -k keyfile
      
      p12split

      Option to wanbootutil command that splits a PKCS#12 file into separate private key and certificate files.

      -i p12cert

      Specifies the name of the PKCS#12 file to split.

      -c /etc/netboot/net-ip/client-ID/certstore

      Inserts the client's certificate in the client's certstore. net-ip is the IP address of the client's subnet. client-ID can be a user-defined ID or the DHCP client ID.

      -k keyfile

      Specifies the name of the client's SSL private key file to create from the split PKCS#12 file.

    2. Insert the private key in the client's keystore.


      # wanbootutil keymgmt -i -k keyfile \
         -s /etc/netboot/net-ip/client-ID/keystore -o type=rsa
      
      keymgmt -i

      Inserts an SSL private key in the client's keystore

      -k keyfile

      Specifies the name of the client's private key file that was created in the previous step

      -s /etc/netboot/net-ip/client-ID/keystore

      Specifies the path to the client's keystore

      -o type=rsa

      Specifies the key type as RSA


Example 40–2 Creating a Trusted Certificate for Server Authentication

In the following example, you use a PKCS#12 file to install client 010003BA152A42 on subnet 192.168.255.0. This command sample extracts a certificate from a PKCS#12 file that is named client.p12. The command then places the contents of the trusted certificate in the client's truststore file.


# wanbootutil p12split -i client.p12 \
   -t /etc/netboot/192.168.255.0/010003BA152A42/truststore
# chmod 600 /etc/netboot/192.168.255.0/010003BA152A42/truststore
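The following script is an added example and is not part of the Solaris guide. It carries the whole procedure above through in one place: it creates the client's subdirectory of the /etc/netboot hierarchy (the prerequisite stated before step 1), fills the truststore for server authentication, and, when asked, performs the optional client authentication steps and removes the intermediate key file that p12split writes. The wanbootutil options are those shown on this page; NETBOOT_ROOT, DRY_RUN, the .clientkey file name and the trailing "client" argument are assumptions introduced here so that the script can be exercised on a host without wanbootutil.

```shell
#!/bin/sh
# Added example, not from the Solaris guide: populate a WAN boot client's
# truststore, certstore and keystore under /etc/netboot from one PKCS#12 file.
# Assumptions (not stated on the page): the PKCS#12 file holds the trusted
# certificate plus the client certificate and its RSA private key; NETBOOT_ROOT
# and DRY_RUN are knobs added here so the script can be tried on a host that has
# no wanbootutil. The wanbootutil options are exactly those shown on the page.

NETBOOT_ROOT="${NETBOOT_ROOT:-/etc/netboot}"
DRY_RUN="${DRY_RUN:-0}"

# run CMD... : execute the command, or with DRY_RUN=1 only print the command line
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# client_dir NET_IP CLIENT_ID : the client's subdirectory of the hierarchy
client_dir() {
    printf '%s/%s/%s\n' "$NETBOOT_ROOT" "$1" "$2"
}

# Server authentication (required): create the client subdirectory first
# (the page's prerequisite), then extract the trusted certificate into the
# truststore and restrict it as in Example 40-2.
install_server_auth() {
    p12=$1; dir=$(client_dir "$2" "$3")
    [ -f "$p12" ] || { echo "PKCS#12 file not found: $p12" >&2; return 1; }
    mkdir -p "$dir" || return 1
    run wanbootutil p12split -i "$p12" -t "$dir/truststore" || return 1
    run chmod 600 "$dir/truststore"
}

# Client authentication (optional): split out the client certificate and the
# private key, load the key into the keystore, then delete the intermediate
# key file, which holds the client's private key outside the keystore.
install_client_auth() {
    p12=$1; dir=$(client_dir "$2" "$3")
    keyfile="$dir/.clientkey.$$"          # hypothetical temporary key file name
    [ -d "$dir" ] || { echo "run install_server_auth first: $dir" >&2; return 1; }
    # umask in a subshell so the key file is created mode 0600 without
    # changing the caller's umask
    ( umask 077; run wanbootutil p12split -i "$p12" -c "$dir/certstore" -k "$keyfile" ) || return 1
    run wanbootutil keymgmt -i -k "$keyfile" -s "$dir/keystore" -o type=rsa
    rc=$?
    rm -f "$keyfile"
    run chmod 600 "$dir/certstore" "$dir/keystore"
    return $rc
}

# Usage: sh wanboot-certs.sh client.p12 192.168.255.0 010003BA152A42 [client]
# The fourth argument "client" also performs the client authentication steps.
if [ $# -ge 3 ]; then
    install_server_auth "$1" "$2" "$3" || exit 1
    if [ "$4" = client ]; then
        install_client_auth "$1" "$2" "$3" || exit 1
    fi
fi
```

Run it as the web server user on the WAN boot server, as step 1 requires; with DRY_RUN=1 it only prints the wanbootutil and chmod command lines it would execute, which is a convenient way to review the paths before touching /etc/netboot.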