iPlanet Trustbase Transaction Manager 2.2.1 Utility Guide



Chapter 2   Using CertManager


Generally, the objectives of this chapter are to cover:


Introduction

iPlanet Trustbase Transaction Manager's CertManager provides the user with information about which certificates are currently active, together with their certificate hierarchy. Indications of whether they are still trusted or whether they have expired are also supplied within the view.

Figure 2-1    Certificate Manager Overview


The user can also use this tool to view other people's certificates that have been authenticated, usually in the course of an SSL connection. Certstore Management options are also available to vary how certificate information is displayed. Different Certstores with unique passwords can also be constructed so that different users can view only the CertStores that they have passwords to.

Figure 2-2    CertManager Main Menu


CertManager allows you to view all certificates that have either been generated locally or from a CA that is the guarantor of issued certificates. If a chain of trust can be built between a specific certificate and a trusted CA, the certificate can be trusted (by inference).

CertManager comes with the following main features:

  • Three Frame views:

    • Certstore Database Management Features

    • Certificate Hierarchical Overview

    • Certificate Detailed View

  • General housekeeping functions including the facility to move certificates into different views and Certstores by attaching attributes to certificates

  • The ability to obtain a Certificate from a Certificate Authority

  • Exporting and Importing Certificates from CertManager to other application software

  • Generating Certificates internally

Each feature is now described in the subsequent sections.


CertManager Functionality



The following options are available with CertManager:

  • Open Certificate Store

  • Remove Certificate Store (from viewer only)

  • Create New Certificate

  • Import Certificate

  • Export Certificate

  • Remove Certificate (from store and viewer)

  • Certificate

  • Certificate and Private Key

  • Opens a Certificate hierarchy

  • Closes a Certificate hierarchy

  • Arrow keys to move from one field to the next

  • Delete key to remove a store <Delete>

  • Edit field <Mouse Double left click>

  • To display Certificate <Mouse Left click>

  • To paste certificate or refresh view <Right click> on store

  • To Add, remove, copy or edit certificate <Right click> on certificate

  • CertManager Copy and Paste <Ctrl><C><Ctrl><V>

  • Solaris Netscape Copy and Paste <Alt><C><Alt><V>


Frame Views

The CertManager screen is split into three frames:

  • CertStore that allows you to structure your certificates into different directories.

  • CertView that allows you to display the certificate hierarchy for each directory store. By defining certificate Attributes one is able to split certificates into different views.

  • CertDetails that displays the X509 certificate details.


CertView

Certview displays and organises the certificate hierarchy using the following features:

  • <Expired> indicates that the certificate has now expired

  • indicates a certificate without a private key

  • indicates a certificate with a private key

  • opens the certificate hierarchy

  • closes the certificate hierarchy

  • <Mouse left click> on a certificate within Certview displays the certificate details listed below:

Figure 2-3    CertManager Certificate Hierarchy View


The significance of the numbers attached to this diagram is made clearer later in this section.

The diagram on the previous page has been constructed to test the following situations:

  • Any Certificate Hierarchy that can be generated internally

  • Any x509 compliant Certificate Authority

  • Imported Browser Certificates using Netscape 4.7 or 4.5, IE4 and IE5 from the following Certificate Authorities:

    • Baltimore

    • Interclear

    • Verisign

    • BT Trustwise

    • Entrust

    • Thawte

    • Cybertrust

This is not intended to be an exhaustive list of hierarchy structures. CertManager supports other kinds of hierarchies within a particular hierarchy. Thus, if a chain of trust can be built between a specific certificate and a trusted CA, the certificate can be trusted (by inference). This means that operations such as <remove certificate>, for instance, will semantically remove all leaves below the selected certificate in the hierarchy. Similarly, <copy certificate> will semantically add all guarantors above the selected certificate in the hierarchy.
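The hierarchy rules just described (the <Expired> marker, trust by inference along the chain of guarantors, <remove certificate> taking every leaf below the selection and <copy certificate> taking every guarantor above it) as an added, runnable model; this is illustration code, not CertManager's own, and the certificate names, dates and the trusted CA are constructed samples.

```python
# Added example, not CertManager code: a model of the CertView hierarchy rules
# described above (the <Expired> marker, trust by inference along the guarantor
# chain, <remove certificate> taking every leaf below, <copy certificate> taking
# every guarantor above). Certificate and CA names are constructed samples.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

TODAY = date(2001, 4, 18)   # constructed "today" for the sample store below


@dataclass
class Cert:
    name: str                  # Common Name as shown in CertView
    issuer: Optional[str]      # guarantor's name, or None when self-signed
    not_after: date            # validity end date
    has_private_key: bool = False


class CertStore:
    """Certificates keyed by name; the hierarchy is implied by issuer links."""

    def __init__(self, certs: List[Cert], trusted_cas: List[str]):
        self.certs: Dict[str, Cert] = {c.name: c for c in certs}
        self.trusted_cas = set(trusted_cas)

    def label(self, name: str, today: date) -> str:
        """CertView label, with the <Expired> marker once not_after has passed."""
        c = self.certs[name]
        return c.name + (" <Expired>" if c.not_after < today else "")

    def guarantors(self, name: str) -> List[str]:
        """Guarantors from the certificate's issuer up to the root of its chain."""
        chain, seen, cur = [], {name}, self.certs[name].issuer
        while cur in self.certs and cur not in seen:   # stops at a root or a cycle
            chain.append(cur)
            seen.add(cur)
            cur = self.certs[cur].issuer
        return chain

    def is_trusted(self, name: str, today: date) -> bool:
        """Trusted by inference: a trusted CA sits on the chain and no link on
        the path, the selected certificate included, has expired."""
        path = [name] + self.guarantors(name)
        if any(self.certs[n].not_after < today for n in path):
            return False
        return any(n in self.trusted_cas for n in path)

    def remove(self, name: str) -> List[str]:
        """<Remove certificate>: the selection and every leaf below it are removed."""
        gone = [name] + [c.name for c in self.certs.values()
                         if c.name != name and name in self.guarantors(c.name)]
        for n in gone:
            del self.certs[n]
        return gone

    def copy(self, name: str) -> List[Cert]:
        """<Copy certificate>: the selection plus all guarantors above it."""
        return [self.certs[n] for n in [name] + self.guarantors(name)]


def sample_store() -> CertStore:
    """Constructed sample (not real certificates) shaped like Figure 2-3."""
    return CertStore([
        Cert("Root CA", None, date(2010, 1, 1)),
        Cert("Intermediate CA", "Root CA", date(2005, 1, 1), has_private_key=True),
        Cert("charles1", "Intermediate CA", date(2002, 6, 30), has_private_key=True),
        Cert("old-server", "Intermediate CA", date(2000, 12, 31)),
        Cert("Standalone", None, date(2003, 1, 1), has_private_key=True),
    ], trusted_cas=["Root CA"])
```

Removing "Intermediate CA" from the sample store takes "charles1" and "old-server" with it, while copying "charles1" yields the certificate together with both guarantors above it.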

How each certificate hierarchy in the diagram was obtained is now described:

  1. 3-tier certificate chain from Cybertrust.

  2. 3-tier certificate chain from Verisign.

  3. 2-tier certificate chain from Entrust.

  4. Internally Generated certificates (To obtain these certificates see Section "Create New Certificate").

    1. Standalone certificate. Internally Generated certificate.

    2. 5-tier Chain. Internally generated certificate (2).

    3. 2-tier independent users. Internally Generated certificate (3).

  5. InterClear User Certificate.

  6. 3-tier Certificate Chain from Thawte.

  7. PKCS7/10 request/response Thawte Server certificate


Certstore View

The database can hold multiple views of certificates/keys. For instance, in the example below, the directory "PKCS10 certificates" contains server certificates that have been imported from a Certificate Authority. The store can, in fact, be split into any number of folders; for purposes of illustration this Certstore database has been designed to split the certificates into three categories. "PKCS10 certificates" defines server certificates that have been obtained from a Certificate Authority by means of a PKCS10 request; "Internally Generated Certificates" defines certificates that have been generated from iPlanet Trustbase Transaction Manager; and "Certificate Authorities" defines certificates that have been obtained as browser certificates from a Certificate Authority, by exporting from the browser and then importing into CertManager. Using CertManager in standalone mode it is possible to change how you group certificates.

  • User Name defines the name of the store and in this case is "charles1".

  • Location defines the name of the server on which the CertStore resides. In this case it is "sunstorm.jcp.co.uk".

Figure 2-4    Certstore Database Hierarchy


There is no reason to suppose that certificate views could not be arranged in other ways. For instance, certificates could be arranged in terms of those certificates that represent internal corporate users and those that represent external customers.


X509 Certificate View

  • Left click on the certificate that you wish to view:

Figure 2-5    Viewing X509 Certificate details


  • The fields Finger Print and Public Key are not supplied by the user but are generated by iPlanet Trustbase Transaction Manager and associated with the details entered by the user, which together constitute a certificate, with a public and private key.


Selecting a Certificate

  • Before removing, creating, exporting or importing a certificate you must decide where you want to put it or where it came from. Before this happens, menu options are shaded out. Thus, left click on the folder (to select a store) or the certificate icon (to select a certificate) where the certificate is to be placed, or selected from.

Figure 2-6    Positioning/Selecting a Certificate within a hierarchy



Certificate Storage



Figure 2-7    Certificate Storage


Certificate Storage provides the ability to:

  • Remove from CertManagers view.

  • Open existing stores.

  • Exit CertManager.



    Note Certificate Storage is available for Certificates, Keys and CRL (revocation) hierarchies. However, CRLs are not presently stored within CertManager but are kept by the appropriate certificate authority.




Remove Certificate Store

The remove feature allows you to remove the selected CertStore from CertManager's view. It does not, however, delete it from the Oracle database. If you need to do this you should consult your Oracle Database Administrator.

  • Select <Certificate Storage> or its symbol.

  • Select <Remove>.

Figure 2-8    Remove Certstore


  • The Store can no longer be seen.

Figure 2-9    Confirm to Delete CertStore


  • Select <Yes> to remove this store from the viewer.


Open Certificate Store

You can bring the store back again by:

  • Select <Certificate storage>, then <Open>, or its symbol.

Figure 2-10    Open CertStore


  • The following Certstore appears. The views "Certificate Authorities", "PKCS10 Certificates" and "Internally Generated Certificates" have been defined by right clicking on "Views (All)" and selecting "Add New View".

Figure 2-11    New CertStore Opened




Note For security reasons no validation takes place. Store names and passwords must be 100% correct; if a store name or password is misspelled, CertManager does not load the store at all. Attributes or views that do not already exist within the view are appended as part of the new view. Note also, for security reasons, that when reloading CertManager only the original view will load. Developers can, however, change which certificate views are loaded by default. If you forget your password, the Certstore becomes inoperable and in extreme cases recovery may involve deleting the entire Certstore directory and starting again.




Certificate View



Sometimes it's useful to group certificates in a way that lets you see them more easily. This is achieved by defining an attribute that is attached to the certificate, so that by selecting from the view only certificates with a particular attribute are shown within the hierarchy. The copy and paste feature within CertManager allows you to manage the overall certificate hierarchy, and so to group certificates into different views with little effort.


Creating a New View

  • Right Click on <Views (All)>.

Figure 2-12    Creating a new view


  • Select <Add New View>.

Figure 2-13    Defining a View Name


  • The new view <External Customers> is now successfully created.

Figure 2-14    New View Name



Defining a view

This is achieved by:

  • Right clicking on the certificate of interest within Certview and selecting <edit view attribute> as illustrated below:

Figure 2-15    Edit View Attribute


  • Defining a certificate attribute to be used within Certview.

Figure 2-16    View Attributes


  • To view the attribute, right click on the view of interest within Certstore, select <refresh>, then select the attribute to view.

Figure 2-17    Refresh and change view



Copying from one view to another

As an alternative to attaching view attributes to certificates, they can simply be copied from one view to another:

  • Position the cursor over certificate to copy from and select <copy certificate>.

Figure 2-18    CertView Right Click Options


  • Position the cursor over the new view you wish the certificate to appear in and select <paste>.

Figure 2-19    Paste a Certificate into a new view



Moving a certificate from one view to another

Collections of certificates can be moved from one view to another.

  • Right click on the certificate you wish to move.

  • Select <Copy certificate>.

  • Select <Remove certificate>.

Figure 2-20    Moving a certificate from one view to another


  • Right click on new view.

  • Select <Paste>.

Figure 2-21    Right click on new view and paste


  • Your certificate can be found in a new location and at the same time deleted from the old view.


Creating a new view from a different store

  • Select <Certificate Storage> and open a new store. Right Click on Views (All).

Figure 2-22    Defining a new view from a different store


  • Select <Add a New View>. Entering a new view name is illustrated below:

Figure 2-23    Defining a new view in a new store


  • Select <Show All Views>.


Copying from one store to another store

Copying from one store to another is achieved in the same way as copying from one view to another:

  • Open new store. Select or create a new view as defined in the previous section.

  • Select the view that you wish to copy certificates from.

  • Right click on the certificate you wish to copy.

  • Select <Copy Certificate>.

Figure 2-24    Copying a certificate from one store to another


  • Right click on new view <External Customers> in the other store.

  • Select <Paste>.

Figure 2-25    Pasting from one store to another


  • Your certificate can be found in the new location in the other Certstore.


Refreshing the screen

From time to time a <Refresh> may be needed, when CertManager has been left idle for some time and iPlanet Trustbase Transaction Manager has meanwhile updated some certificates.

Figure 2-26    Refresh



Certificate Access



Figure 2-27    Certificate Access


The following features are available with this option:

  • The ability to generate new certificates and keys.

  • A facility to remove specified certificates from the database.

  • A facility to import and export certificates in several different formats. See the section on import/export for details of the formats currently supported.

  • The "Generate PKCS10 certificate Request (CSR)" function for generating PKCS-10 certificate requests, and the "Add Requested Certificate Response" facility for pasting in the corresponding response from the Certificate Authority (sometimes referred to as a PKCS7 Response).


Import Certificates

Figure 2-28    Import Certificate Dialog


  • Select <Import Certificates> or its symbol. This opens a standard file open dialog, from where the user can select the file.

Figure 2-29    Selecting a Certificate to be imported


  • In the drop down box displayed below, the user selects the import type that corresponds to the selected file:

    • Microsoft PKCS12 (IE 4.xx) - this represents certificate(s) and key that have been exported from Microsoft's Internet Explorer browser, version 4.xx, and are in Microsoft's interpretation of the PKCS12 standard.

    • Microsoft PKCS12 (IE 5.xx) - this represents certificate(s) and key that have been exported from Microsoft's Internet Explorer browser, version 5, and are in Microsoft's interpretation of the PKCS12 standard.

    • PKCS7 - represents certificate(s) that are stored in the PKCS7 standard.

    • PKCS12 - represents certificate(s) and key(s) that are stored in the PKCS12 standard.

    • Netscape Certificate Chain - represents certificate(s) that are stored in BER and Base64 encoded format.

    • Netscape PKCS12 (v4.xx) - this represents certificate(s) and key(s) that have been exported from Netscape's Communicator browser, version 4, and are in Netscape's interpretation of the PKCS12 standard.

Figure 2-30    Certificate formats available for Import

  • Certificates that are stored in any of the PKCS12 certificate formats listed above (i.e. Microsoft, Netscape, standard) can only be decrypted with a password entered by the user.



    Note Whenever the Netscape Certificate Chain or PKCS7 file formats are selected the password input field is disabled, as these formats do not require the user to provide a password to import the files.



  • If the certificate(s) selected for exporting do not possess a private key, then <Netscape Certificate chain> is the only export option.


Export Certificate(s)

Figure 2-31    Export Certificates


  • Select the certificate (see Section "Selecting a Certificate") that you wish to export. In the diagram above, the certificate called "Internally Generated Certificate (2)" would be exported.

  • Select <Export Certificates> or

    symbol and the following dialog will be displayed:

Figure 2-32    Export Certificates / Keys Dialog


  • This button will only be enabled if there is a selected certificate.

  • There are two choices for export. Either to select all certificate guarantors or simply the certificate itself.

  • The certificate selected from the database view in the CertManager GUI screen will be exported to the file specified.

  • The format of this export file is decided by the user's selected choice from the drop down box, the contents of which have previously been described in the "Import Certificates" section of this document.



    Note As with importing certificates, Netscape Certificate Chain or PKCS7 formats do not require the user to supply a password with which to encrypt the certificates.





    Note Netscape Certificate Chain and PKCS7 formats store certificates only, whereas all the PKCS12 formats provided can store certificates and private keys.





    Note When the user selects a certificate from the view, all its guarantor certificates in the chain will be exported along with the selected certificate.



Figure 2-33    Export format Options




Note The number of export options is reduced if the certificate selected does not contain its private key.




Create New Certificate

  • Before creating a new certificate, you need to consider where you want to position your certificate and what kind of Certificate Hierarchy you wish to construct.

  • Mouse left click on the certificate and store to indicate where you want to position your new certificate (see section "Selecting a Certificate").

  • Select <Create New Certificate> or its symbol.

  • Enter an internally Generated Certificate from CertManager as illustrated below.

Figure 2-34    Create New Certificate


  • The following screen appears (in this case it deals with the Distinguished Name only).

Figure 2-35    Entering X509 Details


  • If you want to, you can also change the X509 fields that you wish to enter. To do this, select <Options> to specify which fields you wish to enter.

Figure 2-36    Select X509 fields to enter


  • The screen above displays all fields that constitute a distinguished Name.

  • At least one of these must be selected in order to create a Distinguished Name.

  • Certificate Details:

    • Guarantor. Drop down box which allows the user to either make the certificate "self signed" or to set the guarantor to the currently selected certificate from the database view, provided the selected certificate also has a private key associated with it.

    • Common Name. Name to give the certificate.

    • Serial Number. Digits only.

    • Organisation Unit. Represents the department or subsidiary of the organisation to which the user/entity belongs.

    • Organisation. Represents the organisation to which the entity/user creating the certificate belongs.

    • Locality. Name of the place where the user is based.

    • Country. The country in which the user is based, as defined by the ISO standard (http://www.iso.ch) and the X.500 standard (http://www.itu.int/itudoc/itu-t/rec/x/x500up/x500.html), or as listed in http://docs.iplanet.com/docs/manuals/directory/schema/contents.htm

    • E-mail. Email address to contact for queries relating to the certificate.

    • Validity start date. The date from which the certificate is valid (format: dd / mm / yyyy). Only dates in the past are acceptable.

    • Validity end date. The date until which the certificate is valid (format: dd / mm / yyyy). Only dates in the future are acceptable.

Figure 2-37    Select Signatures, Algorithms and Key sizes


  • MD5 with RSA Encryption is the most commonly used here and is used to create your unique digital signature.

  • Select your Key size from the drop down menu. Options are illustrated below:

Figure 2-38    Key Size Options


  • Once all these fields have had meaningful data entered, the <generate> button will become enabled.

Figure 2-39    Enter valid date range and serial number


  • The user can then press the <generate> button, which will create the certificate and generate the public and private key pair that will be associated with the certificate along with the certificate's individual fingerprint.

Figure 2-40    Certificate created


  • Select one of <Add To Store>, <Cancel> or <back>. Once the process has been completed the new certificate will be added to the database view, from where it can be selected and its details viewed in the panel where the information was entered, as shown above.

  • The fields Public Key Algorithm, Public Key, Signature algorithm and Signature are not supplied by the user but are generated by iPlanet Trustbase Transaction Manager and associated with the details entered by the user, which together constitute a certificate, with a public and private key.


Remove Certificate

Figure 2-41    Removing a Certificate


  • The user selects the certificate they wish to remove, then presses <Remove certificate>. Pressing the <delete> key or its symbol has the same effect. (In the diagram above the certificate "Internally Generated Certificate (1)" would be removed.)



    Note The certificate selected for removal can be a 'leaf' certificate, that is, the last certificate in the chain, one that does not guarantee any other certificates. Selecting the certificate at the top of the chain will delete all certificates below it.



  • When a certificate eligible for removal has been selected the <Remove Certificate> button will be enabled.

  • The user can then press this button, which will display a dialog confirming the user's choice.

  • The user must then press the <Ok> button to confirm and the certificate and any associated private key will be removed from the database view.


Management Options

Figure 2-42    Management Options


There are two kinds of Management options available:

  • The <Default Cryptographic provider Selection> that allows you to select how much detail from an X509 certificate you wish to view. There are currently two options here: JCP, and JSAFE, which enables the Hardware Security Module.

Figure 2-43    Selecting a display of X509 Certificate details


  • The <Look and feel> option that allows you to express how you want the screen to appear.

Figure 2-44    Selecting the overall appearance of CertManager



Obtaining Certificates from a CA



Certificates can be obtained from external CAs, with the private and public key generated from within CertManager.


Using a CA for certificate Generation

Certificates can be obtained from Certificate Authorities such as self-run CMS or Baltimore installations, or centralised CAs such as Verisign, Trustwise, Entrust, Thawte, CyberTrust and Interclear. This is not an exhaustive list, but is intended as a guideline as to which CAs have been tested with iPlanet Trustbase Transaction Manager software.

Certificates can be obtained by selecting the "generate certificate request" option within CertManager as a Certificate Signing Request (CSR).

  1. Generate a PKCS10 request for a certificate (CSR).



    Note In this case it is not necessary to position this certificate since CertManager positions this certificate as a new chain.



Figure 2-45    Select Generate new certificate


Figure 2-46    Create PKCS10 Certificate Request


  2. Cut & paste the resulting PKCS10 request from the window below. When copying and pasting certificates, <Ctrl> C / <Ctrl> V and <Alt> C / <Alt> V must be used correctly: CertManager uses <Ctrl> C and <Ctrl> V, whereas Netscape on Solaris uses <Alt> C and <Alt> V.

Figure 2-47    PKCS10 Request Generated


  3. Go to the CA website, find the section for creating a certificate from a PKCS10 request, and paste in this request as appropriate.

Figure 2-48    Paste PKCS10 Request into CA Website


  4. Collect the corresponding certificate response using cut and paste, observing the same <Ctrl>/<Alt> distinction as in step 2.

Figure 2-49    Copy certificate response from CA


  5. Collect your certificate by selecting <Certificate Access> and pasting the certificate response into the box indicated as follows:

Figure 2-50    Collect Response Certificate


    Select <Add Requested Certificate Response>.

Figure 2-51    Pasting a Certificate response into certmanager


  6. Finally, paste the response to the CertStore.

Figure 2-52    Add Pasted Certificate Response to Store.
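The request/response cycle of the steps above, as an added example that is not CertManager's own code: Python drives the openssl command line, with a locally generated self-signed CA standing in for the CA website, and checks the response against the CA and against the key pair from step 1 before it would be added to the store. The subject names and file names are constructed for the example, and the openssl binary is assumed to be on the PATH.

```python
# Added example, not CertManager code: the PKCS10 request / PKCS7 response
# cycle of the steps above, driven through the openssl command line from
# Python, with a locally generated self-signed CA standing in for the CA
# website. Before the response would be added to the store it is checked
# against the CA and against the key pair the request was generated with.
# Subject names and file names are constructed for the example.
import subprocess
import tempfile
from pathlib import Path
from typing import Dict


def ssl(*args: str, cwd: Path) -> str:
    """Run one openssl command inside cwd and return its standard output."""
    done = subprocess.run(["openssl", *args], cwd=cwd, check=True,
                          capture_output=True, text=True)
    return done.stdout


def csr_roundtrip(subject: str = "/C=GB/O=Example Org/CN=charles1") -> Dict[str, object]:
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Stand-in for the external CA: a self-signed certificate and its key.
        ssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "365",
            "-subj", "/CN=Stand-in CA", "-keyout", "ca.key", "-out", "ca.crt", cwd=d)
        # Step 1: generate the key pair and the PKCS10 request (CSR). The
        # private key never leaves this directory; only user.csr is sent.
        ssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", subject,
            "-keyout", "user.key", "-out", "user.csr", cwd=d)
        # Steps 2-4 (normally done on the CA website): the CA signs the request
        # and returns the certificate bundled with its issuer as a PKCS7 response.
        ssl("x509", "-req", "-in", "user.csr", "-CA", "ca.crt", "-CAkey", "ca.key",
            "-CAcreateserial", "-days", "90", "-out", "user.crt", cwd=d)
        ssl("crl2pkcs7", "-nocrl", "-certfile", "user.crt", "-certfile", "ca.crt",
            "-out", "response.p7b", cwd=d)
        # Step 5: collect the response and unpack the PKCS7 into plain certificates.
        ssl("pkcs7", "-in", "response.p7b", "-print_certs", "-out", "response.pem", cwd=d)
        # Checks before "Add Requested Certificate Response":
        # (a) the issued certificate chains to the CA the request was sent to ...
        verify = ssl("verify", "-CAfile", "ca.crt", "user.crt", cwd=d).strip()
        # (b) ... and carries the public key of the pair generated in step 1, so
        # it will pair with the private key held in the store.
        csr_pub = ssl("pkey", "-in", "user.key", "-pubout", cwd=d)
        cert_pub = ssl("x509", "-in", "user.crt", "-pubkey", "-noout", cwd=d)
        subj = ssl("x509", "-in", "user.crt", "-subject", "-noout", cwd=d).strip()
        return {
            "chains_to_ca": verify.endswith(": OK"),
            "key_matches": csr_pub == cert_pub,
            "subject": subj,
            "certs_in_response": (d / "response.pem").read_text().count("BEGIN CERTIFICATE"),
        }
```

Calling `csr_roundtrip()` returns both checks as True and reports two certificates in the response (the issued certificate and its issuer); a response failing either check should not be added to the store.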



Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated April 18, 2001