Usually, the developer of the provider requests the certificate. However, as part of a site's security policy, a system administrator may be designated to handle the request.
Use the elfsign request command to request a certificate from Sun.
The command generates a private key at the same time as it generates the certificate request.
% elfsign request -k private-keyfile -r certificate-request
-k private-keyfile
    Path to the location of the private key. The system administrator later needs this key to sign the provider for the Solaris cryptographic framework. The directory should be secure; use a directory different from the one that holds the Sun certificate.
-r certificate-request
    Path to the certificate request.
The following example shows a typical request submitted to Sun:
% elfsign request \
-k /securecrypt/private/MyCompany.private.key \
-r /reqcrypt/MyCompany.certrequest
Enter Company Name / Stock Symbol or some other globally unique identifier.
This will be the prefix of the Certificate DN:MYCORP
The government of the United States of America restricts the export of
"open cryptographic interfaces", also known as "crypto-with-a-hole".
Due to this restriction, all providers for the Solaris cryptographic
framework must be signed, regardless of the country of origin.
The terms "retail" and "non-retail" refer to export classifications
for products manufactured in the USA. These terms define the portion
of the world where the product may be shipped.
Roughly speaking, "retail" is worldwide (minus certain excluded nations)
and "non-retail" is domestic only (plus some highly favored nations).
If your provider is subject to USA export control, then you must obtain
an export approval (classification) from the government of the USA
before exporting your provider. It is critical that you specify the
obtained (or expected, when used during development) classification to
the following questions so that your provider will be appropriately signed.
Do you have retail export approval for use without restrictions based
on the caller (for example, IPsec)? [Yes/No] N
If you have non-retail export approval for unrestricted use of your
provider by callers, are you also planning to receive retail approval
restricting which export sensitive callers (for example, IPsec) may use
your provider? [Y/N] Y
The private key is placed in the file name that you specified (for example, the /etc/crypto/private/MyCompany.private.key file). The certificate request is also placed in the file name that you specified (for example, the /reqcrypt/MyCompany.certrequest file).
Submit the certificate request to Sun.
Send the certificate request to the following e-mail address: solaris-crypto-req@sun.com
Sun generates a certificate from the certificate request file and then sends a copy of the certificate back to you.
Store the certificate that you receive from Sun in the /etc/crypto/certs directory.
For security, store the private key and the certificate request in a separate directory.
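As an added check, not part of the Sun documentation or of the elfsign tool itself, the following POSIX shell function verifies the layout this procedure asks for: the private key and the certificate request are kept outside the certificate directory, and the key and its directory are readable only by their owner. The function name check_key_layout and the sample paths are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check where the elfsign signing material lives.
# Not from the Solaris documentation; the paths below are hypothetical.

# Canonical directory containing a path (resolves symlinks in the dir part).
dir_of() {
    ( cd "$(dirname "$1")" 2>/dev/null && pwd -P )
}

# Group and other permission bits as shown by ls -l (columns 5 to 10).
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# check_key_layout KEYFILE REQUESTFILE [CERTDIR]
# Returns 0 when the layout follows the guide's advice, 1 otherwise,
# printing one line per finding. CERTDIR defaults to /etc/crypto/certs.
check_key_layout() {
    key=$1 req=$2 certdir=${3:-/etc/crypto/certs} rc=0
    [ -f "$key" ] || { echo "private key missing: $key"; return 1; }
    keydir=$(dir_of "$key")
    certdir_real=$( cd "$certdir" 2>/dev/null && pwd -P )

    # The private key must not sit next to the Sun-issued certificates.
    if [ -n "$certdir_real" ] && [ "$keydir" = "$certdir_real" ]; then
        echo "private key is stored in the certificate directory $certdir"; rc=1
    fi
    # Only the owner may read the key or list its directory.
    if [ "$(group_other_bits "$key")" != "------" ]; then
        echo "private key is accessible to group/other: $key"; rc=1
    fi
    if [ "$(group_other_bits "$keydir")" != "------" ]; then
        echo "key directory is accessible to group/other: $keydir"; rc=1
    fi
    # The certificate request is likewise kept apart from the certificates.
    if [ -n "$certdir_real" ] && [ "$(dir_of "$req")" = "$certdir_real" ]; then
        echo "certificate request is stored in the certificate directory"; rc=1
    fi
    return $rc
}

# Stand-alone usage: check_key_layout.sh KEYFILE REQUESTFILE [CERTDIR]
if [ "$#" -ge 2 ]; then
    check_key_layout "$@"
fi
```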