SunScreen 3.2 Administration Guide

Working With Certificates

Each SKIP certificate object requires a particular Name Space ID (NSID) and the Master Key ID (certificate ID) of the certificate. NSIDs and certificate IDs are described in "Common Objects" in SunScreen 3.2 Administrator's Overview.

You can add SKIP X.509 keys and certificates from a diskette or file, or from a directory that contains only one set of private key and certificate files.

To Add Private Screen Certificates From a Diskette

Note -

You cannot add Screen certificates remotely. To add Screen certificates to Screens that are administered remotely, go to each Screen in turn and follow the steps to add Screen certificates from a diskette or a file.


  1. Insert the diskette that contains the private certificate into the diskette drive of the Administration Station.

  2. Mount the diskette by typing:


    # volcheck
    

  3. Type the following command, including the path to the directory where the private key and certificate are stored:


    # install_skip_keys -icg /floppy/diskette_name
    

  4. Eject the diskette.


    # eject diskette_name
    


    Note -

    Store the diskette that contains the private key and public certificate safely and securely. It contains sensitive information that is not encrypted.


  5. Type the following to restart the SKIP key manager to update the certificate database:


    # skipd_restart
    

  6. Type the following to name the private key and certificate you have just added, and an optional comment if desired:


    edit> add certificate sales-home SINGLE NSID 1 MKID "0xA00050E" 
    COMMENT "Use this cert for tunnelling to home from NY"
    
    where sales-home is the name that you are giving the certificate; 1 is the NSID; A00050E is the certificate ID.

To Add Private Screen Certificates From a Directory
  1. Type the following command, including the path to the directory where the private key and certificate are stored:


    # install_skip_keys -icg /directory_name
    

  2. Type the following to restart the SKIP key manager to update the certificate database:


    # skipd_restart
    

  3. Type the following to name the private key and certificate you have just added, and an optional comment if desired:


    edit> add certificate sales-home SINGLE NSID 1 MKID "0xA00050E" 
    COMMENT "Use this cert for tunnelling to home from NY"
    
    where sales-home is the name that you are giving the certificate; 1 is the NSID; A00050E is the certificate ID.

To Add Screen Local Identities

You can add Screen local identities only with local administration; therefore, for a remotely administrated Screen, you must gain access to the Screen's shell prompt, for instance with the rlogin command.


Note -

To use the rlogin command, you must first save the local identity and the secret key to separate files. For example, you may have extracted the self-generated certificate ID keys that you generated on a Screen to a diskette (because it is impossible to generate the same key later, should you have to reinstall the SunScreen software). Once you have swapped certificate IDs with a number of peer systems, it becomes difficult to fix things in a timely manner. If this seems cumbersome, use telnet, which is more secure than rlogin.

SunScreen installation programs re-key the Screen being installed, so you have to add your old keys back into the database before configuring the Screen for virtual private networks (see "Encryption, Tunneling, and Virtual Private Networks" in SunScreen 3.2 Administrator's Overview for more information about VPNs).


  1. Type the following to use the skiplocal command to add the Screen's local identity.


    # skiplocal -a -T soft -t x509 -n 1 -c certificate_filename -s secret_filename
    

    This example shows adding a CA key and certificate. If you are adding a self-generated key and certificate, the value for -t is dhpublic and the value for -n is 8.

  2. Type the following to restart the SKIP key manager to update the certificate database:


    # skipd_restart
    

  3. Type the following to name the private key and certificate you have just added, for example:


    edit> add certificate sales-home SINGLE NSID 1 MKID "0xA00050E"
    COMMENT "certificate for home sales"
    
    where:
    • sales-home is the name that you are giving the certificate

    • 1 is the NSID

    • A00050E is the MKID (certificate ID)

To Add Self-Generated Screen Certificates for Local Administration

The following example illustrates how to generate a global (512-bit) key.

  1. Use the skiplocal command to create a self-generated Screen certificate.

    For example:


    # skiplocal -k -m 512
    


    Note -

    If you have installed more than one encryption strength, use the -m flag followed by the modulus size, in bits, of the encryption for which you want to create a new certificate. The modulus sizes are:

    • Global (1024 bits)

    • U.S. and Canada Only (2048, 3072, or 4096 bits)

    The highest modulus size that works with PC-SKIP in the U.S. and Canada is 2048.


    You see the following message on the Screen:


    generating local secret with 512 modulus size
    It would help the quality of the random numbers if you would 
    type 50-100 random keys on the keyboard. Hit return when 
    you are done.

  2. Type 50 to 100 random keys.

    As you type the random keys, the number of keys appears on the screen.

  3. Press the Return key.

    The continuation of the message appears on the screen:


    100
    Format: Hashed Public Key (MD5)
    Name/Hash: 3f 3c f9 d0 52 85 a3 be 1e 6d 4e cb e4 9e 49 e7 
    Not valid Before: Fri Apr 17 17:00:00 1998
    Not valid After: Thu Apr 17 17:00:00 2003
    g: 2
    p: f52aff3ce1b1294018118d7c84a70a72d686c40319c807297aca950cd9969
    fabd00a509b0246d3083d66a45d419f9c7cbd894b221926baaba25ec355e92a055f
    public key: 
    9945eb0a204efd9643a3aeb42f80d18a22a194232ef6e18809b4b80ac62271000
    b24fbd0a01608a6b3fe92a3ab107efd1970c398cdc2d0f73effea55c1cb0565
    Added local identity slot 12

  4. Type the following to restart the SKIP key manager to update the certificate database:


    # skipd_restart
    

  5. Type the following to add the new certificate and its name to the certificate database, for example:


    edit> add certificate sales-home SINGLE NSID 8 MKID 
    "0x3f3cf9d05285a3be1e6d4ecbe49e49e7"
    COMMENT "This is the Screen's key for the home sales network."
    

    Because this is a self-generated UDH certificate, the NSID is 8.

  6. Type the certificate ID:

    1. Run the skiplocal -l command.

    2. Copy the Name (certificate ID) from the local ID slot whose number matches the slot number you noted above.

    3. Paste it into the add certificate command above.

To Add Self-Generated Screen Certificates Using Remote Administration

The following example illustrates how to generate a global (1024-bit) key.

  1. Use the ssadm -r command to create a self-generated Screen certificate.

    For example:


    # ssadm -r Screen_name lib/skiplocal -k -m 1024 -f
    


    Note -

    You must use the -f flag with remote administration. This flag suppresses the prompt to type random keys on the keyboard.

    If you have installed more than one encryption strength, use the -m flag followed by the modulus size, in bits, of the encryption for which you want to create a new certificate. The modulus sizes are:

    • Global (1024 bits)

    • U.S. and Canada Only (2048, 3072, or 4096 bits)

    The highest modulus size that works with PC-SKIP in the U.S. and Canada is 2048.


    The following message appears on the screen:


    generating local secret with 1024 modulus size
    Format: Hashed Public Key (MD5)
    Name/Hash: 3f 3c f9 d0 52 85 a3 be 1e 6d 4e cb e4 9e 49 e7 
    Not valid Before: Fri Apr 17 17:00:00 1998
    Not valid After: Thu Apr 17 17:00:00 2003
    g: 2
    p: 
    f52aff3ce1b1294018118d7c84a70a72d686c40319c807297aca950cd9969fabd
    00a509b0246d3083d66a45d419f9c7cbd894b221926baaba25ec355e92a055f
    public key: 
    9945eb0a204efd9643a3aeb42f80d18a22a194232ef6e18809b4b80ac622710
    00b24fbd0a01608a6b3fe92a3ab107efd1970c398cdc2d0f73effea55c1cb0565
    Added local identity slot 12

  2. Type the following to restart the SKIP key manager to update the certificate database:


    # ssadm -r Screen_name lib/skipd_restart
    

  3. Start the editor on the remote Screen.

  4. Type the following to add the new certificate and its name to the certificate database.

    For example:


    edit> add certificate sales-home SINGLE NSID 8 MKID 
    "0x3f3cf9d05285a3be1e6d4ecbe49e49e7" 
    COMMENT "This is the Screen's key for the home sales network."
    

    Because this is a self-generated UDH certificate, the NSID is 8.

  5. Type the certificate ID:

    1. Run the skiplocal -l command.

    2. Copy the Name (certificate ID) from the local ID slot whose number matches the slot number you noted above, and paste it into the add certificate command above.

For tunnelling with a remote Administration Station, see the editor command accessremote. For tunnelling with encrypted packet filtering, see "Working With Policies". Tunnelling is also described in "Encryption, Tunneling, and Virtual Private Networks" in SunScreen 3.2 Administrator's Overview.

To Add Public Certificates from a Diskette or a File

You can do this only with local administration; therefore, for a remotely administered Screen, you must go to the Screen to add Screen certificates from a diskette or a file.

  1. Insert the diskette that contains the public certificate, if you are using issued certificates, into the diskette drive of the Administration Station.

    You also can add new private keys from a directory that contains only one set of certificate files. If you are adding a private certificate from a directory, you do not need this step or step 2.

  2. Mount the diskette by typing:


    # volcheck
    

  3. Type the install_skip_keys command, giving the path to the directory where the public certificates are stored, followed by the certificate ID of the public certificate to add, for example:


    # /floppy/floppy0/install_skip_keys A00050B
    

    This example shows adding a public certificate ID.

  4. If you are using issued certificates, type the following in the terminal window to eject the diskette:


    # eject floppy0
    

    If you are adding a public certificate from a directory, you do not need this step.

  5. Type the following to name the public certificate you have just added, for example:


    edit> add certificate NYcert SINGLE NSID 1 MKID "0xA00050B"
    COMMENT "NY office public cert"
    
    Where NYcert is the name that you are giving the certificate, 1 is the NSID, and A00050B is the certificate ID. NSIDs and certificate IDs are described in "Common Objects" in SunScreen 3.2 Administrator's Overview.

Each SKIP certificate requires a particular Name Space ID (NSID) and the Master Key ID (certificate ID) of the certificate.


Note -

The tunnel address can be specified as an option in the rule that uses the certificate or in the remote administration rule.


Using Certificate Groups

These procedures describe how to create and work with certificate groups. The examples in these tasks use a list of U.S. sales offices (sales-list) as the certificate group and individual sales offices (such as sales-il for the Illinois office).

To Add Certificate Groups

After you have named certificate IDs in the rule, you can group them into logical groups so that you can use a group instead of single names in a rule.

    Use the GROUP option to group named certificate IDs.

    For example:


    edit> add certificate sales-list GROUP 
    {sales-co sales-il sales-tx sales-sca sales-nca} {} 
    COMMENT "list of U.S. sales offices"
    

To Add a New Member to a Certificate Group

    Use the add_member subcommand to add a new member to a certificate group.

    For example:


    edit> add_member certificate sales-list sales-wy
    

To Remove a Member From a Certificate Group

    Use the del_member subcommand to remove a member from a certificate group.

    For example:


    edit> del_member certificate sales-list sales-wy
    

To Rename a Certificate or Certificate Group

Note -

To make troubleshooting easier, do not rename the certificates that were created when you installed SunScreen.


    Use the renamereference subcommand to rename a certificate or certificate group.

    For example:


    edit> renamereference certificate sales-ny sales-northeast
    

When you rename a certificate group using this command, SunScreen checks for all instances in the certificate policy object for the old name and changes them to the new name. It does not rename references in other places, such as administrative rules and policy rules.

To Delete a Certificate or Certificate Group

Note -

To make troubleshooting easier, do not delete the certificates that were created when you installed a remotely administered SunScreen.


This command does not check for references to the certificate or certificate group that you are deleting.

    Use the del subcommand to delete a certificate or certificate group.

    For example:


    edit> del certificate sales-la
    

To Check References to a Deleted Certificate

    Use the refer subcommand to find references to a certificate or certificate group that you want to delete or have deleted.

    For example:


    edit> refer certificate sales-la
    

To Check References to a Deleted Certificate Group

    Use the referlist subcommand to find references to a certificate or certificate group that you want to delete or have deleted, for example:


    edit> referlist certificate sales-west
    

    This displays a list of all the instances in the certificate database where the certificate group is used. You can remove it from the access entries in which it is used and edit any policy rule in which it is used to remove it.

IKE Policy Rule Syntax

For tunneling mode, pre-shared key usage:


[SCREEN scrn] svc srcaddr dstaddr \
 IPSEC { AH(authalg1) | ESP(encralg1[, authalg2]) }+ \
IKE(encralg2, authalg3, oakleygroup, PRE-SHARED, pskey) \
 [SOURCE_SCREEN srcscrn] [DESTINATION_SCREEN dstscrn] \
[SOURCE_TUNNEL srctunaddr] [DESTINATION_TUNNEL dsttunaddr] \
ALLOW

For tunneling mode, certificate usage:


[SCREEN scrn] svc srcaddr dstaddr \
IPSEC { AH(authalg1) | ESP(encralg1[, authalg2]) }+ \
IKE(encralg2, authalg3, oakleygroup, authmethod, \
srccert, dstcert) \
[SOURCE_SCREEN srcscrn] [DESTINATION_SCREEN dstscrn] \
[SOURCE_TUNNEL srctunaddr] [DESTINATION_TUNNEL dsttunaddr] \
ALLOW

For tunneling mode, manual key usage:


[SCREEN scrn] svc srcaddr dstaddr \
IPSEC { AH(spi1, authalg, key1) \
| ESP(spi2, encralg2, key2 [, spi3, authalg3, key3]) } \
[SOURCE_SCREEN srcscrn] [DESTINATION_SCREEN dstscrn] \
[SOURCE_TUNNEL srctunaddr] [DESTINATION_TUNNEL dsttunaddr] \
ALLOW

An alternative syntax follows:


[SCREEN scrn] svc srcaddr dstaddr \
IPSEC { AH(spi1, authalg, key1) | ESP(spi2, encralg2, \
key2 [,

edit> add key "key_des" SINGLE "1234567812345678"
edit> add key "key_ah" SINGLE "1234567890abcdef1234567890abcdef"

To Add Rules Using Keys Added on Both Screens

Note -

See the SunScreen 3.2 Configuration Examples manual for an example of how to use the GUI to perform this same function.


  1. On Screen 1:


    1 "telnet" "screen1_host" "screen2_host" IPSEC ESP(0x123, "DES", "key_des") \
      AH(0x345, "MD5", "key_ah") SOURCE_SCREEN "screen1" ALLOW
    2 "telnet" "screen2_host" "screen1_host" IPSEC ESP(0x123, "DES", "key_des") \
      AH(0x345, "MD5", "key_ah") DESTINATION_SCREEN "screen1" ALLOW

  2. On Screen 2:


    1 "telnet" "screen2_host" "screen1_host" IPSEC ESP(0x123, "DES", "key_des") \
      AH(0x345, "MD5", "key_ah") SOURCE_SCREEN "screen2" ALLOW
    2 "telnet" "screen1_host" "screen2_host" IPSEC ESP(0x123, "DES", "key_des") \
      AH(0x345, "MD5", "key_ah") DESTINATION_SCREEN "screen2" ALLOW

    Note -

    The hex values 0x123, 0x345 are SPI values and must be between 0x000 and 0xFFF.


  3. If you choose different algorithms, such as 3DES or SHA1, define manual keys of the proper length.

    The required key lengths, in hex digits, are:

    • CBC 16

    • 3DES 48

    • MD5 32

    • SHA1 40

  4. Save and activate the policy.
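As an added example (not part of the guide or of SunScreen itself), the following Python checker applies the two constraints above, SPI values within 0x000 to 0xFFF and manual keys of the right hex length per algorithm, to a set of add key definitions and manual-key rules. The algorithm names DES, 3DES, MD5 and SHA1, the reading of the guide's "CBC 16" entry as the DES-CBC key length, and the sample lines are assumptions constructed here.

```python
import re

# Required hex-string lengths for manual keys, taken from the guide's list.
# Assumption: the guide's "CBC 16" entry is the DES-CBC key length.
KEY_HEX_LEN = {"DES": 16, "3DES": 48, "MD5": 32, "SHA1": 40}
SPI_MIN, SPI_MAX = 0x000, 0xFFF

# Matches: add key "name" SINGLE "<hex digits>"
ADD_KEY_RE = re.compile(r'add key\s+"([^"]+)"\s+SINGLE\s+"([0-9A-Fa-f]*)"')
# Matches AH(spi, "alg", "keyname") or ESP(spi, "alg", "keyname") in a manual-key rule.
SA_RE = re.compile(
    r'(AH|ESP)\(\s*(0x[0-9A-Fa-f]+)\s*,\s*"([^"]+)"\s*,\s*"([^"]+)"\s*\)')


def parse_keys(edit_lines):
    """Collect the manual keys defined with 'add key ... SINGLE "<hex>"'."""
    keys = {}
    for line in edit_lines:
        m = ADD_KEY_RE.search(line)
        if m:
            keys[m.group(1)] = m.group(2)
    return keys


def check_rule(rule, keys):
    """Return a list of problems found in one manual-key IPSEC rule."""
    problems = []
    sas = SA_RE.findall(rule)
    if not sas:
        return ["no AH(...)/ESP(...) manual-key transform found"]
    for proto, spi_text, alg, key_name in sas:
        spi = int(spi_text, 16)
        if not SPI_MIN <= spi <= SPI_MAX:
            problems.append(f"{proto}: SPI {spi_text} outside 0x000-0xFFF")
        hexkey = keys.get(key_name)
        if hexkey is None:
            problems.append(f"{proto}: key {key_name!r} was not added with 'add key'")
            continue
        want = KEY_HEX_LEN.get(alg.upper())
        if want is None:
            problems.append(f"{proto}: unknown algorithm {alg!r}")
        elif len(hexkey) != want:
            problems.append(
                f"{proto}: key {key_name!r} has {len(hexkey)} hex digits, {alg} needs {want}")
    return problems


def check_policy(edit_lines, rules):
    """Check every rule; return {rule_number: [problems]} for rules with findings."""
    keys = parse_keys(edit_lines)
    findings = {}
    for number, rule in enumerate(rules, start=1):
        problems = check_rule(rule, keys)
        if problems:
            findings[number] = problems
    return findings


# Constructed sample input modelled on the guide's examples (not real keys).
EDIT_LINES = [
    'edit> add key "key_des" SINGLE "1234567812345678"',
    'edit> add key "key_ah" SINGLE "1234567890abcdef1234567890abcdef"',
    'edit> add key "key_short_sha" SINGLE "0123456789abcdef"',
]
RULES = [
    '"telnet" "screen1_host" "screen2_host" IPSEC ESP(0x123, "DES", "key_des") '
    'AH(0x345, "MD5", "key_ah") SOURCE_SCREEN "screen1" ALLOW',
    '"telnet" "screen2_host" "screen1_host" IPSEC ESP(0x1234, "DES", "key_des") '
    'AH(0x345, "SHA1", "key_short_sha") DESTINATION_SCREEN "screen1" ALLOW',
]

if __name__ == "__main__":
    for num, probs in check_policy(EDIT_LINES, RULES).items():
        for p in probs:
            print(f"rule {num}: {p}")
```

Rule 1 passes both checks; rule 2 is flagged for an SPI above 0xFFF and a SHA1 key that is only 16 hex digits long.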

To Work with IKE Rules with Pre-Shared Key

Note -

See the SunScreen 3.2 Configuration Examples manual for an example of how to use the GUI to perform this same function.


  1. Add the pre-shared secret key on both Screens:


    edit> add key "shared-secret" SINGLE "shared_secret"
    
  2. Add rules like the following using keys added on both Screens.

    1. On Screen1:


      1 "telnet" "screen1_host" "screen2_host" IPSEC ESP("DES") \
        IKE("DES", "MD5", 2, PRE-SHARED, "shared-secret") \
        SOURCE_SCREEN "screen1" ALLOW
      2 "telnet" "screen2_host" "screen1_host" IPSEC ESP("DES") \
        IKE("DES", "MD5", 2, PRE-SHARED, "shared-secret") \
        DESTINATION_SCREEN "screen1" ALLOW
      
    2. On Screen2:


      1 "telnet" "screen2_host" "screen1_host" IPSEC ESP("DES") \
        IKE("DES", "MD5", 2, PRE-SHARED, "shared-secret") \
        SOURCE_SCREEN "screen2" ALLOW
      2 "telnet" "screen1_host" "screen2_host" IPSEC ESP("DES") \
        IKE("DES", "MD5", 2, PRE-SHARED, "shared-secret") \
        DESTINATION_SCREEN "screen2" ALLOW
      
  3. Save and activate policy.

To Work with IKE Rules with Self-Signed Certificates

Note -

See the SunScreen 3.2 Configuration Examples manual for an example of how to use the GUI to perform this same function.


  1. Generate certificates or private keys on both Screens using ssadm certlocal:

    1. On Screen1:


      # ssadm certlocal -Iks -m 512 -t rsa-md5 -D "C=US,\
      O=YourOrg, CN=screen1_name"
      
    2. On Screen2:


      # ssadm certlocal -Iks -m 512 -t rsa-md5 -D "C=US,\
      O=YourOrg, CN=screen2_name"
      
  2. Export the certificates to the other Screen.

    1. On Screen1:


      # ssadm certdb -I -e "SUBJECT=C=US, \
      O=YourOrg, CN=screen1_name" > /tmp/cert1
      
    2. On Screen2:


      # ssadm certdb -I -e "SUBJECT=C=US, \
      O=YourOrg, CN=screen2_name" > /tmp/cert2
      
  3. Securely transport the file /tmp/cert1 to Screen2 and /tmp/cert2 to Screen1.

  4. Import the exported certificate to the Screen certificate database.

    1. On Screen2:


      # ssadm certdb -I -a < /tmp/cert1
      
    2. On Screen1:


      # ssadm certdb -I -a < /tmp/cert2
      
  5. Add certificate objects on both systems:


    edit> add certificate "screen1_cert" SINGLE IKE "C=US, 
    O=YourOrg,CN=screen1_name" 
    edit> add certificate "screen2_cert" SINGLE IKE "C=US, 
    O=YourOrg,CN=screen2_name"
  6. Mark the certificate you imported in Steps 3 and 4 as trusted on both systems using ssadm edit:

    1. On Screen 1:


      edit> add_member certificate "IKE manually verified 
      certificates" "screen2_cert"
      
    2. On Screen 2:


      edit> add_member certificate "IKE manually verified 
      certificates" "screen1_cert"
      

      The group name "IKE manually verified certificates" is reserved for a trusted Certificate Group.

  7. Add packet filtering rules on both Screens.

    1. On Screen1:


      1 "telnet" "screen1_host" "screen2_host" IPSEC ESP("DES") \
        IKE("DES", "MD5", 2, RSA-SIGNATURES, "screen1_cert", \
        "screen2_cert") ALLOW
      2 "telnet" "screen2_host" "screen1_host" IPSEC ESP("DES") \
        IKE("DES", "MD5", 2, RSA-SIGNATURES, "screen2_cert", \
        "screen1_cert") ALLOW
      
    2. On Screen2:


      1 "telnet" "screen2_host" "screen1_host" IPSEC ESP("DES") \
        IKE("DES", "MD5", 2, RSA-SIGNATURES, "screen2_cert", \
        "screen1_cert") ALLOW
      2 "telnet" "screen1_host" "screen2_host" IPSEC ESP("DES") \
        IKE("DES", "MD5", 2, RSA-SIGNATURES, "screen1_cert", \
        "screen2_cert") ALLOW
      
  8. Refer to the ssadm-certlocal(1M) and ssadm-certdb(1M) man pages for more information.

  9. Save and activate the policy.

To Work with IKE Rules with Issued Certificates

Note -

See the SunScreen 3.2 Configuration Examples manual for an example of how to use the GUI to perform this same function.


  1. Generate keys and certificate requests on each Screen.

    1. On Screen1:


      # ssadm certlocal -Ikc -m 512 -t rsa-md5 -D "C=US, \
      O=YourOrg,CN=screen1_issued"
      
    2. On Screen2:


      # ssadm certlocal -Ikc -m 512 -t rsa-md5 -D "C=US, \
      O=YourOrg,CN=screen2_issued"
      
  2. Bring the requests to a certificate server and have them signed. You should get three files back from the CA:


    screen1_issued.cert: screen1's certificate
    screen2_issued.cert: screen2's certificate
    root.cert: the CA's certificate

    The details of this step depend on your certificate server.

  3. Securely transport the files to each system under /tmp and import them.

  4. Import three certificates on each Screen:


    # ssadm certdb -I -a < /tmp/screen1_issued.cert
    # ssadm certdb -I -a < /tmp/screen2_issued.cert
    # ssadm certdb -I -a < /tmp/root.cert
    

    This example assumes that you are using a certificate server whose CA subject DN is:


    DN = "C=US, O=YourOrg.com, OU=sunscreen, CN=Certificate Manager"
    
  5. Add certificate objects for each Screen and mark the root CA as trusted. On each Screen:


    edit> add certificate root_cert SINGLE IKE "C=US, 
    O=YourOrg.com, OU=sunscreen, CN=Certificate Manager"
    edit> add certificate screen2_issued_cert SINGLE IKE "C=US, 
    O=YourOrg, CN=screen2_issued" 
    edit> add certificate screen1_issued_cert SINGLE IKE "C=US, 
    O=YourOrg, CN=screen1_issued" 
    edit> add_member certificate "IKE root CA certificates" root_cert
    

    The group name "IKE root CA certificates" is reserved for a trusted Certificate Group.

  6. Add packet filtering rules on both Screens.

    1. On Screen1:


      1 "telnet" "screen1_host" "screen2_host" IPSEC ESP("DES") \
        IKE("DES", "MD5", 2, RSA-SIGNATURES, "screen1_issued_cert", \
        "screen2_issued_cert") ALLOW
      2 "telnet" "screen2_host" "screen1_host" IPSEC ESP("DES") \
        IKE("DES", "MD5", 2, RSA-SIGNATURES, "screen2_issued_cert", \
        "screen1_issued_cert") ALLOW
      
    2. On Screen2:


      1 "telnet" "screen2_host" "screen1_host" IPSEC ESP("DES") \
        IKE("DES", "MD5", 2, RSA-SIGNATURES, "screen1_issued_cert", \
        "screen2_issued_cert") ALLOW
      2 "telnet" "screen1_host" "screen2_host" IPSEC ESP("DES") \
        IKE("DES", "MD5", 2, RSA-SIGNATURES, "screen2_issued_cert", \
        "screen1_issued_cert") ALLOW
      
  7. Save and activate the policy.