SunScreen SKIP User's Guide, Release 1.1

Installing SKIP Unsigned Diffie-Hellman (UDH) Certificates

Once the SunScreen SKIP software has been installed, you must install at least one local identity (public-private key pair) for this host.

The procedure below creates a SKIP UDH certificate, which is the one you will most likely use. For a more detailed discussion of SKIP UDH certificates, see Appendix C.

Chapter 2 discusses keys, certificates, and hashes in greater detail. If you are installing other kinds of keys and certificates, see the documentation that is supplied with them or contact the vendor. If you are installing keys and certificates from Sun Microsystems' Internet Commerce Group (ICG), see Chapter 3.

The skiplocal command creates and manages all local key types, including UDH certificates, on your system. You can have more than one UDH certificate on your system. Your local identities can also be of different lengths (moduli), depending on the version of SunScreen SKIP that you have. The default will always be the largest modulus you can generate.


Note -

Local secret is the term used for an encryption certificate and key.


    To generate a UDH key pair locally, type


    skiplocal keygen
    

Note -

If you have local identities of different strengths, such as 512 (Global), 1024 (Export), and 2048 (U.S. and Canada Only), use the argument -m followed immediately by the bit size of the modulus, without an intervening space (for example, -m2048); see Figure 1-1.


When generating an unsigned certificate, no authority exists to certify the identities. This means that each party must verify the name of the certificate over the telephone or some other trusted channel. Without verification through a secure channel, you have no way of knowing if the certificate belongs to the correct party or not.

In Figure 1-1 the skiplocal keygen command was used to generate a local key pair, in this case with a 512-bit modulus.

Figure 1-1 512-bit Modulus (graphic not reproduced)

In Figure 1-2 the skiplocal export command is used to print out the local system's current information in a form that can be sent (for example, via e-mail) to other users who wish to communicate with you.


Caution -

The defaults proposed by skiplocal export work well if you and the party with whom you wish to communicate have one key and one network interface. If you have some other configuration, you should not use skiplocal export.


A safer solution than using skiplocal export is to have each user run skiptool, then call the other party on the telephone and type the other person's key ID in the Remote Key ID field of the add window (see Chapter 3).

Figure 1-2 Sending and Loading an ACL Entry (graphic not reproduced)


Caution -

Even when using skiplocal export, both parties should verify the key ID over the telephone to make sure no one is impersonating the other party.
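The check described in the two cautions above, and in the earlier paragraph on unsigned certificates, can be shown in code. The following is an added example and is not part of the SunScreen SKIP guide or software: because the guide does not state SKIP's actual Diffie-Hellman parameters or how the key ID is derived from the public value, it uses a toy group (the prime 2**255 - 19 with generator 2) and SHA-256 over the public value as a stand-in key ID, and the names keygen, key_id, normalize_key_id, verify_peer, shared_secret and demo are chosen for the example. It shows that a public value received over an untrusted channel (such as e-mail) is indistinguishable from one an impostor substituted until its fingerprint is compared with the key ID the other party read aloud over the telephone.

```python
"""Added example: why an unsigned DH key ID must be checked out of band.

Not SunScreen SKIP code. The group, the key-ID hash and all function names
below are assumptions made for illustration.
"""
import hashlib
import hmac
import secrets

# Toy group (assumption): the prime 2**255 - 19 with generator 2. SKIP's real
# moduli (512/1024/2048 bits) and parameters are not reproduced here.
P = 2**255 - 19
G = 2
NBYTES = (P.bit_length() + 7) // 8


def keygen(private=None):
    """Create a local identity (private, public), in the role of
    'skiplocal keygen'. A fixed private value may be passed to make the
    result reproducible; otherwise one is drawn from the system CSPRNG."""
    if private is None:
        private = secrets.randbelow(P - 2) + 1
    return private, pow(G, private, P)


def key_id(public):
    """Fingerprint of a public value. SKIP derives its key ID by hashing the
    public value, but the exact hash and encoding are not on the page, so
    SHA-256 over the big-endian value is used as a stand-in."""
    return hashlib.sha256(public.to_bytes(NBYTES, "big")).hexdigest()


def normalize_key_id(text):
    """Canonicalise a key ID as it might be typed from a phone call: any
    case, with or without ':' or spaces between the hex digits."""
    return "".join(ch for ch in text.lower() if ch in "0123456789abcdef")


def verify_peer(received_public, id_read_over_phone):
    """Accept a remote public value (e.g. one that arrived by e-mail) only if
    its fingerprint equals the key ID the other party read over a trusted
    channel. A constant-time comparison avoids leaking how much matched."""
    return hmac.compare_digest(key_id(received_public),
                               normalize_key_id(id_read_over_phone))


def shared_secret(private, peer_public):
    """Plain DH agreement; both sides obtain the same value."""
    return pow(peer_public, private, P)


def demo():
    """Honest exchange versus a substituted public value.

    Without the phone check Alice cannot tell Bob's public value from one an
    impostor put in the e-mail; with it, the substitution is rejected."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    _, substituted_pub = keygen()          # an impostor's public value
    id_bob_read_aloud = key_id(b_pub)      # what Bob tells Alice by phone

    return {
        "honest_accepted": verify_peer(b_pub, id_bob_read_aloud),
        "substituted_accepted": verify_peer(substituted_pub, id_bob_read_aloud),
        "secrets_agree": shared_secret(a_priv, b_pub) == shared_secret(b_priv, a_pub),
    }


if __name__ == "__main__":
    print(demo())
```

The normalisation step matters in practice: a value read aloud and typed into a field like Remote Key ID will not match byte for byte if it carries separators or capital letters, so canonicalising before the constant-time compare keeps a formatting slip from looking like an impersonation attempt, while a genuinely different public value still fails the check.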


In Figure 1-3, the skiplocal list command is used to list the current local identities.

Figure 1-3 Listing All Local Identities (graphic not reproduced)

For more information on the skiplocal command, refer to the man pages for SunScreen SKIP.


Note -

If you installed a UDH certificate during installation, the information in Chapter 2 will not apply to you unless you also plan to install SunCA keys and certificates. You may use SKIP UDH certificates and SunCA keys and certificates at the same time on SunScreen SKIP.