Solaris Developer's Security Guide

Procedure: How to Request a Certificate for Signing a Provider

Typically, the developer of the provider requests the certificate. However, as part of the site security policy, a system administrator can be assigned to handle this request.

  1. Use the elfsign request command to request a certificate from Sun.

    This command generates a private key at the same time as it generates the certificate request.

    % elfsign request -k private-keyfile -r certificate-request

    private-keyfile

    Path to the location of the private key. The system administrator later needs this key to sign the provider for the Solaris cryptographic framework. The directory should be secure. Use a directory that is different from the directory that holds the Sun certificate.

    certificate-request

    Path for the certificate request.

    The following example shows how a typical request is submitted to Sun:


    % elfsign request \
    -k /securecrypt/private/MyCompany.private.key \
    -r /reqcrypt/MyCompany.certrequest

    Enter Company Name / Stock Symbol or some other globally unique identifier.
    This will be the prefix of the Certificate DN:MYCORP

    The government of the United States of America restricts the export of
    "open cryptographic interfaces", also known as "crypto-with-a-hole".
    Due to this restriction, all providers for the Solaris cryptographic
    framework must be signed, regardless of the country of origin.

    The terms "retail" and "non-retail" refer to export classifications
    for products manufactured in the USA.  These terms define the portion of the
    world where the product may be shipped.  Roughly speaking, "retail" is
    worldwide (minus certain excluded nations) and "non-retail" is domestic
    only (plus some highly favored nations).  If your provider is subject to
    USA export control, then you must obtain an export approval (classification)
    from the government of the USA before exporting your provider.  It is
    critical that you specify the obtained (or expected, when used during
    development) classification to the following questions so that your provider
    will be appropriately signed.

    Do you have retail export approval for use without restrictions based
    on the caller (for example, IPsec)? [Yes/No] N

    If you have non-retail export approval for unrestricted use of your
    provider by callers, are you also planning to receive retail approval
    restricting which export sensitive callers (for example, IPsec) may
    use your provider? [Y/N] Y

    The private key is placed in the specified file (for example, the /etc/crypto/private/MyCompany.private.key file). The certificate request is also placed in the specified file (for example, the /reqcrypt/MyCompany.certrequest file).

  2. Submit the certificate request to Sun.

    Send the certificate request to the following email address: solaris-crypto-req@sun.com

    Sun generates a certificate from the certificate request file, then sends a copy of the certificate back to you.

  3. Store the certificate that you receive from Sun in the /etc/crypto/certs directory.

    For security, store the private key and the certificate request in a separate directory.
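    The procedure above leaves two properties to the operator: the private key must live in a secured directory, and that directory must not be the one that holds the Sun certificate (/etc/crypto/certs). The following wrapper script is an added example, not part of the Solaris guide or of the elfsign tool, that enforces both before and after running elfsign request. The paths /securecrypt/private and /reqcrypt are the ones used in the example session; the function names and the mode checks (0700 on the key directory, 0600 on the key file) are this example's own assumptions about what "secure" should mean.

```shell
#!/bin/sh
# Added example (not from the Solaris guide): prepare and verify the locations
# that elfsign request writes to. Directory modes are this script's own policy.

# Where the Sun-issued certificate will be stored (step 3 of the procedure).
CERT_DIR=${CERT_DIR:-/etc/crypto/certs}

# Create a private-key directory that only its owner can enter or list (0700).
make_private_dir() {
    dir=$1
    mkdir -p "$dir" && chmod 0700 "$dir"
}

# Return 0 if the private key path is acceptable:
#   - it must not sit under the certificate directory, and
#   - if the key file already exists, it must be mode 0600 exactly.
check_private_key() {
    key=$1
    case "$key" in
        "$CERT_DIR"/*)
            echo "private key must not live under $CERT_DIR" >&2
            return 1 ;;
    esac
    if [ -e "$key" ]; then
        # find -perm with an octal mode matches only that exact mode.
        [ -n "$(find "$key" -prune -perm 0600 -print)" ] || {
            echo "$key is not mode 0600" >&2
            return 1
        }
    fi
    return 0
}

# Run the request step: lock down the key directory, generate key and request,
# then restrict the key file and re-check it.
request_cert() {
    key=$1
    req=$2
    make_private_dir "$(dirname "$key")" || return 1
    mkdir -p "$(dirname "$req")" || return 1
    check_private_key "$key" || return 1
    elfsign request -k "$key" -r "$req" || return 1
    chmod 0600 "$key" || return 1
    check_private_key "$key"
}

# Usage: sh request-cert.sh /securecrypt/private/MyCompany.private.key /reqcrypt/MyCompany.certrequest
if [ "$#" -eq 2 ]; then
    request_cert "$1" "$2"
fi
```

elfsign itself still prompts interactively for the DN prefix and the export-classification answers, exactly as in the session shown above; the script only guarantees that the key never lands beside the certificate and is unreadable by other users once written.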