Certificates Authorities PKI

Here is how to create and use digital certificates to protect software application data. This is a companion page on private key architecture kerberos using Cryptography, a superset of what Amazon AWS uses.

“Badges? We don't need no stinking badges!” —from "BLAZING SADDLES" movie

Topics this page:

Site Map  
About this site  

Who Needs Digital Certificates?

More and more organizations require that communication with them be protected in several ways:

1. People are who they say they are and software come from where they say they come from (they are "authentic").
2. Contents of communications are "secure" -- read only by those authorized to read them.

So skill at dealing with digital certificates is becoming a common part of working software programs.

IETF's PKIX, based on X.509 [RFC 2459], a directory method involving Certification Authorities. has become the preferred approach over PGP (Pretty Good Privacy), a "referral" method.

Uses for digital certificates are specified by the Extended Key Usage (EKU) and OID (object ID) numbers used by Microsoft:

EKU/OID

Use	EKU	OID
SSL/TLS Web Server Authentication	serverAuth	1.3.6.1.5.5.7.3.1
SSL/TLS Web Client Authentication	clientAuth	1.3.6.1.5.5.7.3.2
Code signing	codeSigning	1.3.6.1.5.5.7.3.3
E-mail Protection (S/MIME)	emailProtection	1.3.6.1.5.5.7.3.4
Trusted Timestamping	timeStamping	1.3.6.1.5.5.7.3.8
Microsoft Individual Code Signing (authenticode)	msCodeInd	1.3.6.1.4.1.311.2.1.21
Microsoft Commercial Code Signing (authenticode)	msCodeCom	1.3.6.1.4.1.311.2.1.22
Microsoft Trust List Signing	msCTLSign	1.3.6.1.4.1.311.10.3.1
Microsoft Server Gated Crypto	msSGC	1.3.6.1.4.1.311.10.3.3
Microsoft Encrypted File System	msEFS	1.3.6.1.4.1.311.10.3.4
Netscape Server Gated Crypto	nsSGC	2.16.840.1.113730.4.1

• Internet browsers issue a warning message even after you install a website's SSL certificate issued by a CA not among Microsoft or Firefox's default list.
• Email text need to be encrypted
• VBA macros in Excel and other apps in Microsoft Office need to be code signed
• Data files in databases require controlled access by multiple people

Setup Email Encryption with S/MIME Certificate - Step 1

How do I encrpyt an email?

First, Who's Your Certificate Authority?

Each CA presents its own Certification Practice Statement (CPS). Make sure you reference the correct version and update:
• Thawte, a CA in South Africa (purchased by VeriSign) offers free keys for personal use.
• Verisign Practices Updates and Notices
• GoDaddy
• Baltimore Technologies PLC (based in London:BLM, with a development center in Ireland) acquired GTE's CyberTrust Jan. 2000 and dissolved after the stock market crash of March 2000.

Exchange of Bodily Information

The first step in Thawte's process was to create an ID number containing a country code and the national identifcation code (a Social Security Number in the US).

I hesitated about giving out my social security number to yet another organization. I thought about what I was trusting:

• I trust that, enroute to the CA, HTTPS is protecting my data.

• I trust that the CA isn't a front for the Russian mafia or other nefarious organization. I trust that the CA won't distribute the list or let it fall in enemy hands (like our FBI and CIA manage to do).

  It turns out Thawte is owned by VeriSign, the “big daddy” of Certificate Authories. Thawte is one of only two global Certificate Authorities trusted by all leading S/MIME X.509 secure messaging software, such as Microsoft Outlook Express and Netscape Communicator. (Talk about monopolies!)

• I trust that someone can't somehow derive the number from the digital signature (a hash of my private key) or the public key.

So I opted to give them my drivers license instead of my social security number. That's actually a state identity number, not a national number. But that didn't occur to me until after I pressed the send button.

I'll use a real number the next time.

Email Identity & Client

What ever identity number I gave Thawte, that number is associated with the email account in the certificate.

This can't be a web-based mail account such as hotmail or Yahoo mail. The email I use must be a POP3 mail account such as Earthlink. (I don't know about AOL)

The bottom line is that I must use a mail client which does S/MIME processing, such as Outlook or Eudora Pro. I don't like Outlook 2000 because it's too slow and (by default) makes me go down 3 levels of pull down menus to select the action I use 99% of the time.

Choice of Strong Passwords

Example of passphrases in movies: In “Aladdin“, to get into the castle, say "open sesame". In “Tron”, to get into the MCP, say “raindeer flotilla”.

I think that one of the weakest aspect of consumer password security is that people habitually use the same passwords everywhere. As a creatures of habit, many get used to simply incrementing numbers or letters when they are required to change their password. If someone ever gets my password (reading a database at the many websites where I've given it out), ALL of my accounts would be compromised. (This, by the way, is the problem with Microsoft's Passport authentication service).

So I keep a list of where I've signed up, and encrypt it with a password I haven't used on anything else.

I've gone to using programs to generate password generation passwords and passphrases.

Copy of Certificate In a Safe Place

In case I'm hit by that perverbial truck, I printed out a screen image, wrote down the password, and filed the paper in the portable box where I keep unused credit cards, my passport, birth certificate, diplomas, Prometric score reports, and other valuables.

BTW, I should keep originals in a bank safe deposit box in case my home burns down, and only keep copies in the house.

Step 2: First Time Entry Into Personal Certification Home Page

After Thawte made sure that no one else was using the identity information I supplied, they made sure that I could remember what I entered.

I could use this link from Thawte to access my account (given that I can remember my email address and password).

To access a Windows 2000 server (for example, “Certx”) hosting Web Enrollment Support:

http://Certx/certsrv

Step 3: Confirm Ownership with Email Pong

I waited a few minutes and checked my email. I then clicked the “pong.exe" with a single-use magic number. This proves to Thawte that I am really in control of the email account I supplied them.

Step 4: Request Certificate

Now that Thawte considers my email address "trusted", I could request, view, and revoke my certificates from Thawte's Certificate Manager page at https://www.thawte.com/cgi/personal/cert/contents.exe

A different X.509 certificate is needed for each email client. The options:

• Netscape Communicator or Messenger
• Microsoft Internet Explorer, Outlook and Outlook Express
• Lotus Notes R5
• OperaSoftware Browser
• C2Net SafePassage Web Proxy

Cryptographic Service Provider

I had to choose a CSP (Cryptographic Service Provider):
• Microsoft Base Cryptographic Provider v1.0 (the default)
• Gemplus GemSAFE Card CSP v1.0
• Schlumberger Cryptographic Service Provider
• Microsoft Base DSS Cryptographic Provider
• Microsoft Exchange Cryptographic Provider v1.0
• Microsoft RSA SChannel Cryptographic Provider
• Microsoft Base DSS and Diffie-Hellman Cryptographic Provider

By US export regulations U.S. Department of Justice FAQ on Encryption Policy April 24, 1998 the “Base DSS and Diffie-Hellman Cryptographic Provider” and Microsoft Enhanced Cryptographic Provider can only be used in the United States. In the US, export controls on commercial encryption products are administered by the Bureau of Export Administration (BXA) in the U.S. Department of Commerce.

Next, I clicked OK to this pop-up window:

Step 5: Install Certificates

After I clicked OK, an email from Thawte notified me:

“You need to be running the same browser, on the same machine, logged in as the same user, as you were when you made the request."

To confirm that the certificate was really installed in MSIE 5, select Tools -> Internet Options... -> Content tab -> Certificates... button.

Clicking on the "View" button, I notice in the Details section that the Public key is 1024 bits and the thumbprint (hash) algorithm is SHA1.

Step 6: Backup, Export, and Restore PFX file via CER DER

If (when) my computer (eventually) crashes, I will need to be able to restore the keys. I also want to prevent access to my private key by deleting the .pfx file from the computer's hard disk, and importing the keys to the recovery agent account from a USB thumb drive or diskette I can take away with me.

Key Export Formats

But first I must export the certificate to that a removeable media and store it somewhere safe (in my lockbox or on a physically secure stand-alone computer for recovery operations) so that I don't have to go through the hassle of requesting another from the CA (Thawte).

Different export formats can be specified during drag-and-drop copy (in the MSIE "Advanced Options" window):

• DER (Distinguished Encoding Rules) Encoded Binary X.509 (*.cer) certificate file — the default for Windows machines.

• Base 64 [RFC 1521] Encoded X.509 (*.cer file) for text-based (e-mail) transmission and for “interoperability” with non-Windows servers.

• PKCS #7 Certificates (*.p7b file) are in the Cryptographic Message Syntax Standard, a binary format using passphrase-based encryption. It enables the transfer of all certificates in the computer's certification path.

Importing Certificates

Importing a certificate into my certificate store is easy. (Maybe too easy?) On my Windows machine, I just double click on (or a link to) a .cer file, such as GlobalSign's root CA certificate for this pop-up to select type of Trust. (When prompted, click "Open this file from its current location", then the "Install Certificate..." button)

Root CA on Microsoft IE7 browsers include:

• Entrust.net Secure Server Certification Authority
• Equifax Secure Global eBusiness CA-1
• Go Daddy Class 2 Certification Authority
• Microsoft Authenticode(tm)
• Network Solutions
• Starfield Class 2
• Symantec Root CA
• Thawte
• UTN - DataCorp User Trust Network
• VeriSign Commercial Software Publishers, VeriSign Trust Network,
• Valicert.com

Root CA on Firefox browsers include:

• America OnLine
• AOL Time Warner
• Baltimore
• beTRUSTed
• CertPlus
• COMODO CA
• DigiCert
• Digital Signature Trust
• Earthlink
• GeoTrust
• GlobalSign
• GTE
• IPS Internet Publishing
• QuoVadis
• RSA
• SECOM Trust.net
• VISA
• Wells Fargo
• XRamp Security Services

Note: Windows 2000 SP2 added several CA root certificates.

.cer files have MIME type of
application/x-x509-ca-cert
application/pkix-cert
application/keychain_access

Import the Certificate as a Trusted Certificate from a Java .jar file.

Step 7: Configure Email Client

Next, I went into Outlook 2000 client Tools -> Options -> "Security" tab -> Secure email settings.

Notice that I left the default selections of SHA and DES based on my earlier observations.

I chose not to sign all my emails. That would seem rather pretentious and a bit too nerdly for internet dating emails.

Step 8: Send Signed Email to someone

As a test, I signed a message to my mom's hotmail account. A few days later, I got a call from her. "Part of your message was all scrambled. Did you send me a virus? Are you practicing high-risk activities?"

"No. Now you can tell whether a email is really from me." I explained.

"I can always tell it's from you. It's got your name at the top." she said rather impatiently.

"But what if someone forged my name?"

"I'll still know because no one is as disrespectful to his mother as you are." ;)

Anyway, Hotmail and other web-based email cannot accept certificates. A client program such as Microsoft Outlook, Outlook Express, or Eudora is required. Gmail can accept certs.

Step 9: What Was Your Name Again?

I noticed on Thawte page that the trust level is marked "Freemail" and the Certificate Distinguished Name (formal notation describing the holder of a particular certificate) contains my email address, not my name. That's because the CA can't confirm whether someone was impersonating me or not.

So in order for Thawte to really associate my name with the email address, I have to physically present my picture ID's to someone trusted by Thawte.

Thawte uses a "web of trust" -- a transitive trust based on the reputation of individuals.

Thawte required that I get at least 2 notaries to verify my ID. I could use two highly trusted notaries or several less trusted ones. Thawte uses a point system based on the number of identities a notary verifies.

Step 10: Add Another Email

I also wanted to get a certificate for my work email. Certificates could be issued containing multiple emails, but Thawte provides this caution:

"many mail clients will only recognize the FIRST email address in the certificate. The best strategy is thus to obtain different certificates for your different email accounts."

Step 11: Employment and Extranet Membership Verification

Now I can "graduate" from username/password access control to certificate-based access control on Apache and Netscape. Web applications (such as corporate extranets) must be programmed to look for client certificates. Perhaps by using certificate extensions such as this.

This would allow single sign-on capability to access several websites with mutual trusts.

Signing Documents

With an X.509, I could use the PrivaSeal product from Aliroo.com or Docutouch.com to sign an entire document or paragraphs in a document. Multiple users can sign the same paragraph (to provide non-repudiation of them personally reading it). The product can also maintain an extensive audit log. To validate a document signed by PrivaSeal, double-click on the signature to evoke a green "Valid" or a red "Invalid" notation. A right-button mouse click leads to the signer's digital certificate information for identity verification purposes.

Organizational Membership

To access corporate extranets, I need to positively identify myself and obtain a certificate from a Corporate CA.

PKI Data/Work Flow

Root Certificate Authorities

Clients can trust a CA only if a copy of the CA root certificate is in the trusted root certificate store.

Import DoD Root Certificates from dodpki.c3pki.chamb.disa.mil

• Class 3 PKI Root CA Certificate.
• Root CA 2 Certificate.
• External Certification Authority (ECA) Root CA Certificate.

These are by default created in the more common PEM (Privacy Enhanced Mail) format or between these two lines:

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Alternately, output in the base64-encoded ASN.1 DER (Distinguished Encoding Rule) format. for compatibility with PKCS#1 RSAPriaveKey or SubjectPublicKeyInfo format.

NOTE: There is also a NET format for older Netscape and IIS servers which uses unsalted ARC4 for its encryption, which is not secure. So its used is avoided.

To convert a PEM-format key to a DER-format one within Unix:

# openssl rsa -in host.key -outform DER -out host.der

DoD Configuration Firefox3 add-on does all this for you.

Import DoD Certificate Revocation Lists (in binary form) from
ca-10.c3pki.den.disa.mil/ca

CA Signature

In order to establish whether the CA behind a certificate is genuine, a hash of that CA's own Private Key -- the CA Signature -- accompanies the cipher text as part of encrypted envelopes sent.

CA Signature Hash

• But before you accept a CA's signature, make sure that it's legitimate by getting the CA fingerprints (hash) from your security administrator (preferrably using a different communication channel than the one you used to obtain the cert) and compare it by clicking "View Cert". Examples in hex and binary formats:

SHA1: 135CEC36 F49CB8E9 3B1AB270 CD808846 76CE8F33
MD5:  A61B375E 390D9C36 54EEBD20 31461F6B

SHA1: BC:89:78:19:8C:3D:2B:2D:3B:58:5F:0C:A3:A5:86:3C:5C:E3:AE:18
MD5:  52:A5:D3:C9:19:84:FE:CF:A4:AD:AE:69:33:36:95:6D

CA Signature Verification

The receiver of a CA Signature can verify its authenticity by going to that CA's public website.

The SignTool utility verify command determines whether the signing certificate was issued by a trusted authority, whether the signing certificate has been revoked, and, optionally, whether the signing certificate is valid for a specific policy.

Certificate Stores

Microsoft Windows stores each user's certificates in its Windows system registry with Name Blob (REG_BINARY data type) under the keys

HKEY_CURRENT_USER \Software\Microsoft\SystemCertificates and
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates
The ROOT store contains certificates of the most trusted certification authorities.
The CA store contains less frequently used certification authorities.
The My store contains the CURRENT USER's personal certificates.
The AddressBook store contains Trusted People and Trusted Publisher (other people's) certificates.

PKI provides for five standard certificate stores:

• CA,
• MY (user's personal certificates),
• ROOT which store intermediate CA certs,
• TRUSTS which store CTLs (Certificate Trust Lists) to control which certificates will be accepted; and
• UserDS - a logical view of the certificate respository in the AD.

Windows Server by default store certificates provided by CAAuths in folder

%systemroot%\system32\certlog\

OpenBSD machine by default store SSL private keys in a directory readable only by root:

/etc/ssl/private
/etc/ssl containing public keys should theoretically be world readable (but writeable only by root)

PKI (Public Key Infrastructure)

Passwords are stored in a digital certificate, which is a container for one or more digital signatures -- forms of ID such as a birth certificate, drivers license, or passport -- bound to a public key. Extensible fields in the certificate delineate group memberships and object permissions.

A digital signature which meets ITU (International Telecommunications Union) Telecommunication Standardization (ITU-T) PKIX X.509 version 3 [RFC 2459] standard is generated based on

• detailed information about the key holder
• an expiration date, after which the certificate is expired
• (with v3), a Compromised Key List (CKL)

PKI automates the process of verifying whether certificates are valid. It provides the capability to easily publish, manage, and use public keys.

Digital certificates are usually from Entrust.com, Thawte, or other Certifying Authority (CA) which vouches for the authenticity of their public keys.

Getting a digital certificate from a trusted CA is like getting a passport, drivers license, or identification card from a governmental entity or some trusted third party (TTP). Like a Notary Public, the CA verifies that you are who you say you are.

Each CA has its own CA Public Key which is used to determine the CA's own identity.

Glossary of Security Terms from the SANS Institute

Mathematicians use

• S to represent the plaintext to be protected.
• T to represent the ciphertext coming out
• f_k to represent the enciphering function (algorithm)
• f_g to represent the deciphering function (algorithm)
• k to represent the enciphering key and
• k' to represent the deciphering key.

The terms "encipher" and "encrypt" are synonymous, as are the terms "decipher" and "decrypt".

Hear Microsoft Seminar audio on Fundamental Cryptography and Certificates on the Internet

CIO.org Briefing on PKI

Intro to What Is PKI?

Windows 2000 Public Key Infrastructure Overview

Make a Digital Signature for Code Signing

Microsoft Office applications such as Excel by default operates in "Medium" setting for Tools -> Macros -> Security. A setting of "Low" trusts all macros and add-ins, which is not recommended but useful during initial development of macros.

In shared production usage of a macro, scripts should be signed. We don't want anyone getting access to the scripts and altering them, so the execution policy is set to Allsigned so that whenever a signed script is changed it will not be allowed to be executed until it is signed again.

An authenticode is a digital signature that verify software origin, authenticity, and integrity for "code signing".

To digitally sign Excel macros (to keep them from triggering security messages), Microsoft provides its

• SignTool.exe is used for the .NET platform (with CAPICOM 2.0 redistributable installed on the local computer).
1. From Start -> Run -> type CMD and click OK to open a command prompt
2. Change directory to the \bin folder where signtool.exe is located.
   • The Windows Platform SDK for 32 & 64-bit Windows Server 2008/2003, Vista SP1/XP and .NET Framework 3.5 (Setup.exe dated 2/5/2008, which retrieves the 1,394,618,368 contents of the ISO CD) This obsoletes:
   • Windows 2003/XP/2000 R2 Platform SDK Web Install - March 2006 Edition which installs to folder
     C:\Program Files\Microsoft Platform SDK for Windows Server 2003 R2\Bin
   • Windows Vista Platform SDK does not support use of the Digital ID file (generally called MyCredentials.spc) and private key (MyPrivateKey.pvk). This is explained in KB SO5820. This is installed to
     C:\Program Files\Microsoft SDKs\Windows\v6.0\Bin
3. Run SIGNTOOL signwizard
4. Click Next when the wizard appears.
5. Browse to find the file you would like to digitally sign and click Next.
6. Click Typical > Next for use of PFX files (selected from the certificate store) for Vista/Windows 2008
   Click Custom > Next for use of SPC/PVK files with SHA1 for Windows 2003/2000/XP

7. Optionally, enter a description of your file and a web site address where more information can be located, then click Next.
8. Select "Add a timestamp to the data"
9. On the Timestamp Service URL field enter http://timestamp.verisign.com/scripts/timstamp.dll
   (Note: "timstamp.dll" does not contain the letter "e")
10. Click Next
11. Click Finish after verifying that all of the information is correct.
12. Test Your Signature: At the command prompt,
13. Enter the directory where signtool exists
14. Run signtool verify /pa /v <your-file-name>

makecert.exe, Microsoft's Certificate Creation Tool (invoked from Windows console command utility) should be used to code sign executable files larger than 300 megabytes. This is according to KB 922225.

To use Makecert to create a self-signed certificate for development:

 makecert -r -pe -n "CN=Wilson Mar" -eku 1.3.6.1.5.5.7.3.3 -ss My

Version	Bytes	Location
-	34,576
-	39,936
(VS 2008)	42,256	C:\Program Files\Microsoft Visual Studio 9.0\SmartDevices\SDK\SDKTools
(.NET 3.5)	57,704	C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin

-r = Create a self-signed certificate.
• A self-signed certificate is a public key that has been signed by its own private key.
• Self-signed certs are only recognized on the machine on which it was created.

-pe = Mark generated private key as exportable
• The -pe option is supported since .NET Framework SDK 2.0 and the October 2002 version of the Platform SDK (build 3718.1). It is not supported by older versions such as the 5.131 version distributed with .NET Framework SDKs 1.0 and 1.1.

-n "CN=Wilson Mar" = Issuer's certificate common name
-eku 1.3.6.1.5.5.7.3.3 = enhanced key usage OIDs that enable programs to determine whether a certificate is valid for a particular use. The set of numbers here is for a self-signed cert.
-ss My = The MY Certificate Store

The example above assumes these defaults:

-b = Start of the [NotBefore] validity period; default to now.
-e 01/01/2039 = End of [NotAfter] validity period; defaults to 2039
-a <algorithm> = The signature algorithm <md5|sha1> defaults to 'md5'

Self-Sign Unix Using openssl

On Unix platforms, self-signing can be accomplished by using a command such as:

# openssl x509 -req -days 365         -in /etc/ssl/private/host.csr \
  -signkey /etc/ssl/private/host.key -out /etc/ssl/host.crt

x509 is the type of output (a signed X.509 public-key certificate)
-days 365 specifies the number of days the cert is valid.
-in is the certificate request csr file.
-signkey specifies self-signing using the server's own private key as the signing (RSA) key in place of the production CA's private key.
-out is the signed X.509 public-key certificate crt file.

Using Certs on Windows

Either way, to start Excel and open the Excel workbook that contains a VBA macro. Press Alt-F11 or click menu item "Tools" -> "Macro" -> "Visual Basic Editor".

In the Project Explorer window (by default on the upper right), select the VBA macro project that you want to digitally sign.

In the VBA menu bar, open menu item "Tools" --> "Digital Signature"

Simply select your own certificate and sign your macro.

Close Excel. When Excel opens again, choose "Always trust this publisher".

To export your certificate from your first computer and import it onto each of the other computers. Save the file to your other computers (email it maybe). Then on the other computers, go to the control panel, same location, and select "Import certificate".

Web Client Certificates

On Firfox browsers, select menu Tools > Options > Advanced > Encryption tab > View Certificates. On IE7 browsers, select menu Tools > Internet Options > Content tab > Certificates.

SSL Server Certificates

SSL Certificates

IIS Certificates

• Only Commercial CAs are known by internet browsers Browsers who encounter an Enterprise CA would require user acceptance.

To create or change a Certificate Trust List:

1. Log on to a Web server with Administrator Privileges.
2. In the Internet Information Services snap-in, open the Web site's Properties sheet.
3. On the Directory Security property sheet, under Secure Communications, click Edit.
4. In the Secure Communications dialog box, select the CTL you want to modify and click Edit. The CTL Wizard will begin and guide you through the process of modifying a CTL.

   Alternately, use MakeCTL (from the Windows Platform SDK CryptoAPI Tools).

Hierarchy of Certificates on Microsoft Certificate Service CAAuth

Subbordinate CAs are under (certified by) root CAs or another subordinate CA.

• Self-signed Enterprise root CAAuth (at the top) issues certs for smart cards. Enterprise root CAs use (require) Active Directory services because they request identification from requestors and then publish their certificates (and CRLs) in the Active Directory.
• Enterprise Subbordinate Intermediate CAAuth (in the middle of the hierarchy do not issue certs to users)
• Enterprise Subbordinate Issuing CAAuth
• Stand-alone CAAuth issue certs to other organizations (perhaps over the Internet). They don't require Active Directory because stand-alone CAs publish their certificates and CRLs to folder
  %systemroot%\System32\CertSrv\Certenroll
  By default, Administrators have to approve all requests.

Request Certificate from Microsoft IIS

My annotations on generating a PKCS #10 compliant Certificate Request File Using the Certificate Wizard in IIS 5.0:

1. Select the Internet Information Services console from within the Administrative Tools menu.
2. Expand the list and right mouse-click to select Properties for the computer and web site (host) to be secured (such as "Default Web Site").
3. Click the Directory Security tab.
4. Click the "Server Certificate..." button in the "Secure Communications" section.
5. Click Next to "Welcome to the Web Server Certificate Wizard".
6. Select "Create a new certificate", then click Next.
7. Click Next to select "Prepare the request now, but send it later"
8. At the "Name and Security Settings" screen, change the default [friendly] name field for the new certificate. When selecting bit length, 1024 is recommended. Click Next. Do not use commas or these characters: < > ~ ! @ # $ % ^ * / \ ( ) ? &.
9. At "Your Site's Common Name", replace the default NETBIOS machine name with a fully qualified domain name. For example, "www.amazon.com"
10. In the "State/province" field, avoid using abbreviations (such as AZ for Arizona) because some CAs don't recognize them.
11. Enter your Administrator contact information.
12. Change the default output file path and name from "c:\certreq.txt" holding the CSR. This file (the CSR) essentially public key and the distinguished name (DN) of your Web server.
13. At the "Request File Summary" screen, remember that you can't make changes, only resubmit (and pay for another cert).
14. At the "Completing the Web Server" screen, select Finish. The "Click here" sends you to Microsoft's Security home page maze which you're left on your own to navigate to Microsoft "Secure Network Connectivity" pages.
    To use Microsoft's ActiveX Xenroll.dll on Microsoft browsers to automate certificate generation and digital certificate status validation in real time, you need to first download and run the August 28, 2002 (Q323172) patch for the "Microsoft Certificate Enrollment CAB".

15. If you are applying as a company, have your company's Dun & Bradstreet identification number, which is used to trace the identity of actual corporations. Most CAs also request a copy of the company's Articles of Incorporation submitted with a letter on company letterhead.

Certificate requests can also be created and installed using Microsoft's

• Certreq.exe command-line utility in Windows/syste32. Different versions for Windows 2000 & Windows XP & 2003).
  The version in Windows 2003 is 123,904 bytes.
  The version in Vista 32 is 215,040 bytes.
  The version in C:\Windows\winsxs\x86_microsoft-windows-certificaterequesttool_31bf3856ad364e35_6.0.6001.18000_none_6810938417684464 is 215,040 bytes.

  Installing a New Certificate with Certificate Wizard for Use in SSL/TLS

  MS article

  Certificate Administration

  To view all CA names in the Windows 2000 Active Directory:
  cerutil.exe -v -ds

  To enable revocation-checking through web browsers executing .Asp tasks, go to a CLI command prompt on the CA and use this:

  certutil -SetReg Policy\RevocationType +AspEnable

  Windows 200x uses xenroll.dll for certificate enrollment.

  CA enrollment uses transport-independent message formats that support PKCS (Public Key Cryptographic Standards):

  1. CA accepts PCKS #10 request package
  2. CA issues a X.509v3 certificate (signed public key) in a PKCS #7 digital envelope
  3. An exported certificate and key pair is encrypted as a PKCS #12 blob in a .pfx file, which is supported by Vista and Win2008.

  Legal information about certificates from a CA is described in that CA's Issuer Policy statement.
  Windows servers store them in a CAPolicy.inf file.

  In Windows 200x, Kerberos is the default SSP and SNEGO (IETF's Security Negotiation Mechanism) for GSS-API [RFC 2478] extend SSP interoperability. SSPI uses the Negotiate SSP to match security levels within a security provider exchange.

  Windows 200x uses Active Directory to map information about users to digital certificates based on X.500.

  Updating CA root cert on IBM Workplace Collaboration Services makes use of keytool.

Microsoft [Q292569] on Importing and exporting certificates on Windows 2000.

You can import a trusted root certificate from several types of files:

• PKCS #12 file (.pfx, .p12),
• PKCS #7 file (.spc, .p7b),
• certificate file (.cer, .crt), or
• a Microsoft Serialized Certificate Store file (.sst).

  Windows 2000 Exchange Server and X.509 Key Mangement Server Interoperability March 14, 2000

  dsstore.exe
  Directory Services Store CLI [from the Resource Kit] is used to -display enterprise key roots or to add certificate revocation list (.crl) file, a Certificate Authority name (with the -addcrl or -addroot parameters).

  All this is a more complicated encryption approach to the “Secret Decoder Ring” that swaps individual characters. Use this Funcatize webpage to translate text back and forth!

  To verify a digital signature, download the chktrust.exe tool from WMSoftware.com

  X.509v3 added additional data:

• internet email address
• internet domain name
• web url
• IP address
• X.400 emal address
• X.500 directory name
• Registered Identifier
• other name

  X.509v3 also added mechanism to include standard and special extensions in the certificate which specify certificate policies from CAs and key usage constraints on the certificate to limit CA liability. A critical constraint is mandatory. A non-critical constraint is an advisory that is optionally followed.

  On Microsoft .NET servers, use the MakeCert.exe Certificate Creation Tool from .NET Framework Tools to create X.50 public and private digital signature key pairs for certificate testing.

  FreeSSL

  Microsoft How To: Set Up SSL on a Web Server

  A description of the SSL_RSA_WITH_RC4_128_MD5 cipher suite to encrypt web apps use with SSL version 3, or with TLS (RFC2246) with a server digital certificate private key of at least 1024 bits.

  Tumbleweed Desktop Validator enables CA-specific digital certificate validation to client or server applications enabled with MS-CAPI (Microsoft Windows Cryptographic API). It uses native CAPI calls after accessing its proprietary VA server with multiple sources of revocation information.

Server Gated Cryptography Protocol

To enable any browser to (without local configuration) use 128-bit encryption, use the SGC protocol, which is an extension of SSL. So, to enable SGC on a web server, the Schannel.dll file on IIS5 needs to be updated.

SGC certificates are obtained only from a commercial CA (such as Verisign), not from an Enterprise CA or stand-alone CA.

After the SGC certificate has been installed, select the IIS 5.0 SSL “Secure Communications” dialog box.

Limitations and Extensions

To request a certificate using a command line utility:

CERTREQ.EXE

Certificate Traceability

A certificate is only as good as the Certificate Authority behind it. A certificate could be issued by a rogue Certificate Authority (e.g., citibank.biz).

Certificate Expiration and Revocation

The life expectancy of the certificate issued to a Windows 2000 machine is stored in its registry key
HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ CertSvc\ Configuration\ MAIN

Recipients of signed documents should check if the certificate has been revoked by its CA after issuance. This could occur if a certificate was found to have been issued to an imposter. This has occured even with certificates issued to Microsoft.

To revoke a certificate use the Certification Authority console GUI or a command line utility specify the serial number:

certutil -revoke 06E472BA000000000023

To prevent the CA certificate from expiring, you must manually renew the certificate. Stop the Certificate Services service. Enter the Certification Authority console and select the Renew CA Certificate option.

Additional Decryption Keys (ADKs)

Pressure from government bodies led to the creation of Additional Decryption Keys (ADKs), which are added to the public key certificate and allow a third party to also decrypt emails that were encrypted by the public key. If a user agrees to an ADK being added to his public key, it is placed within the secure area of the certificate.

SSL Coprocessors

A server accelerator card is also known as an SSL card because it is used to generate encryption keys for secure transactions on e-commerce Web sites.

Microsoft TechNet article: Helping to Secure Communication: Client to Front-End Server

When a secure transaction is initiated, the Web site's server sends its certificate, which has been provided by a certifying authority, to the client machine to verify the Web site's authenticity. After this exchange, a secret key is used to encrypt all data transferred between sender and receiver so that all personal and credit card information is protected. This process can severely overload a server resulting in fewer transactions processed per second, which means fewer sales. The server accelerator card takes over this process, thus reducing the load on the server. Server accelerator cards support a number of security protocols including Secure Sockets Layer (SSL) and Secure Electronic Transaction (set).

The server accelerator card is installed into a (PCI) slot of a server. A software driver is loaded, and the server is ready to receive orders. This is much easier and more cost-effective than buying additional servers. Additional cards can be installed as the server's secure transactions increase.

VeriSign charges for a Licensed Certificate Option when a certificate is shared.

SSL acceleration appliances are external units that have server accelerator cards installed inside them. The unit is then plugged into the server. When a secure transaction is detected, the transaction is routed to the SSL acceleration unit for processing. SSL accelerator appliances can be added together as needed by clustering them together.

On Sun Solaris 8 machines, Sun offers its Crypto Accelerator 500 Daughterboard, the Crypto Crypto Accelerator 1000 PCI board, and Crypto Accelerator 4000 Board.

The F5 Networks offers its Big-IP FIPS SSL Accelerator.

Check Point's VPN-1 Accelerator Card III delivers over 400 Mbps 3DES VPN throughput.

The QuickSafe SSL Accelerator from Cryptographic Appliances outscales any dedicated SSL accelerator on the market with (1024 bit) SSL operations a second. Their appliance is situated behind web servers (and thus less open to attacks). This allows the maintainance of a session cache (for "true" load balancing) and only a single certificate rather than distributing certificate keys on multiple encryption devices.

The HP/Atalla AXL600L SSL Accelerator Card is only for HP's Proliant servers run by Windows or Linux. This 33-MHz 32-bit device incorporates a dual voltage signal bus.

The nCipher's nFast accelerater card

The CacheFlow card caches what flows through it — a speed-enhancing feature other products do not offer.

The Alteon Switch Alteon iSD-SSL Accelerator.

AEP Systems

SonicWALL SSL Accelerator PCI Card

Microsoft Server Database Certs

-- 1. (done one time) is:

CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'p@$$WORD1';
GO
USE Northwind;
ALTER TABLE Orders ADD cc_enc nvarchar(40); -- to hold encrypted credit card key.
ALTER TABLE Orders ADD decrypted_cc nvarchar(40); -- to hold decrypted credit card numbers.
ALTER TABLE Orders ADD cc nvarchar(40); -- to hold actual credit card number

-- 2. (done one time) To create a symmetric (open) key (symm_1) -- in MS-SQL's sys.openkeys system table.

CREATE SYMMETRIC KEY symm_1 WITH ALGORITHM=DES ENCRYPTION BY PASSWORD='Test1234'
SELECT * FROM sys.openkeys
	OPEN SYMMETRIC KEY symm_1 DECRYPTION BY PASSWORD='Test1234'
	UPDATE Orders
	SET cc_enc = ENCRYPTBYKEY(cc_enc)) as decrypted_cc;
SELECT *,
	CONVERT( nvarchar, DECRYPTBYKEY(cc_enc)) as decrypted_cc
	FROM Orders;
SELECT * FROM Orders -- to verify

-- 3. (done one time) To create an asymmetric_keys pair to encrypt the symmetric key -- in MS-SQL's asymmetric_keys system table.

CREATE ASYMMETRIC KEY asymn_2 WITH ALGORITHM=RAS_1024 -- or RSA_512, RSA_2048
SELECT * FROM sys.asymmetric_keys;
CREATE  SYMMETRIC KEY symm_2  
	WITH ALGORITHM=DES ENCRYPTION BY ASSYMMETRIC KEY asymm_2
SELECT * FROM sys.symmetric_keys
SELECT * FROM Orders; -- to verify

-- 4. When updating with asymmetric key with one-way password:

UPDATE Orders -- do one or the other SET:
	-- SET cc_enc = NULL -- to clear
	SET cc_enc = ENCRYPTSYSKEY(KEY_GUID('asymn_1'),cc)
SELECT * FROM Orders; -- to verify

-- 5. When starting to read symmetric key:

OPEN SYMMETRIC KEY asymm_2 DECRYPTION BY ASYMMETRIC KEY asymm_2;
SELECT * FROM sys.openkeys;

-- 6. When reading:

UPDATE Orders
SET cc_enc = ENCRYPTBYKEY(cc_enc)) as decrypted_cc;

-- 7. When done with the:

CLOSE SYMMETRIC KEY symm_2;
CLOSE ASYMMETRIC KEY asymn_2;

-- 8. To verify whether sys.openkeys and sys.asymmetric_keys were properly closed:

???

-- 9. To create digital certificates "cert_1" in sys.certificates system table:

SELECT * FROM sys.certificates; -- before picture

CREATE CERTIFICATE cert_2
	ENCRYPTION BY PASSWORD = 'P@ssword123'
	WITH SUBJECT = 'ms sql server certificate test', -- remember the comma here!
	EXPIRY_DATE = '12/31/2011' -- or one year is default.
-- OR 
-- CREATE cert_1 FROM FILE='' -- from VeriSign, Thawte, etc.
SELECT * FROM sys.certificates; -- after picture

-- 10. To use certificate during update:

SELECT * FROM Orders WHERE EmployeeID=5; -- before
UPDATE Orders
	SET cc_enc = NULL;
UPDATE Orders
	SET cc_enc = ENCRYPTBYCERT( CERT_ID('cert_1',cc) );
SELECT *,
	CONVERT( nvarchar, DECRYPTBYCERT(CERT_ID('cert_1',cc_enc,N'P@ssword123')) as decrypted_cc
	FROM Orders;
SELECT * FROM Orders WHERE EmployeeID=5; -- after

-- 9. To re-open, then remove keys in sys.openkeys and sys.asymmetric_keys:

SELECT * FROM sys.certificates

KeyTool for Key Stores

The keystore is created one time using a command such as:

keytool -genkey -keystore keystorename -storepass keystorepassword

To display the complete contents of the keystore, use the command:
keytool -list -keystore keystorename

Private certificates are imported into the keystore using this command:

keytool -alias aliasforprivatekey
-import -file privatekeyfile.pem -keypass privatekeypassword
-keystore keystorename -storepass keystorepassword

CA Certificates are imported into the keystore using this command:
keytool -alias aliasfortrustedca -trustcacerts
-import -file privatekeyfile.pem -keypass privatekeypassword
-keystore keystorename -storepass keystorepassword

Introduction to Cryptography With Java Applets (Jones & Bartlett Publishers, Inc., 2003) by David Bishop (a professor Grinnell College) offers online Java applets to demonstrate important concepts to help undergrads learn to program cryptography algorithms from the ground up. Topics include large integer computing, linear cyphers, matrix cyphers, primality testing, and establishing keys and message exchange.

Java Cryptography Extensions : Practical Guide for Programmers (Morgan Kaufmann February 27, 2004) by Jason Weiss

Java Cryptography Extensions : Practical Guide for Programmers by Jason Weiss

Related Topics: