The System Security Officer installs server certificates and private keys for Adaptive Server by:
Using third-party tools provided with existing public-key infrastructure already deployed in the customer environment.
Using the Adaptive Server certificate request tool in conjunction with a trusted third-party CA.
To obtain a certificate, you must request a certificate from a CA. If you request a certificate from a third party and that certificate is in PKCS #12 format, use the certpk12 utility to convert the certificate into a format that is understood by Adaptive Server.
To test the Adaptive Server certificate request tool and to verify that the authentication methods are working on your server, Adaptive Server provides a tool, for testing purposes, that allows you to function as a CA and issue CA-signed certificate to yourself.
The main steps to creating a certificate for use with Adaptive Server are:
Generate the public and private key pair.
Securely store the private key.
Generate the certificate request.
Send the certificate request to the CA.
After the CA signs and returns the certificate, store it in a file and append the private key to the certificate.
Store the certificate in the Adaptive Server installation directory.
Most third-party PKI vendors and some browsers have utilities to generate certificates and private keys. These utilities are typically graphical wizards that prompt you through a series of questions to define a distinguished name and a common name for the certificate.
Follow the instructions provided by the wizard to create certificate requests. Once you receive the signed PKCS #12-format certificate, use certpk12 to generate a certificate file and a private key file. Concatenate the two files into a servername.crt file, where servername is the name of the server, and place it in the certificates directory under $SYBASE/$SYBASE_ASE. See the Utility Guide.
Adaptive Server provides two tools for requesting and authorizing certificates. certreq generates public and private key pairs and certificate requests. certauth converts a server certificate request to a CA-signed certificate.
WARNING! Use certauth only for testing purposes. Sybase recommends that you use the services of a commercial CA because it provides protection for the integrity of the root certificate, and because a certificate that is signed by a widely accepted CA facilitates the migration to the use of client certificates for authentication.
Preparing the server’s trusted root certificate is a five-step process. Perform the first two steps to create a test trusted root certificate so you can verify that you are able to create server certificates. Once you have a test CA certificate (trusted roots certificate) repeat steps three through five to sign server certificates.
Use certreq to request a certificate.
Use certauth to convert the certificate request to a CA self-signed certificate (trusted root certificate).
Use certreq to request a server certificate and private key.
Use certauth to convert the certificate request to a CA-signed server certificate.
Append the private key text to the server certificate and store the certificate in the server’s installation directory.
For information about Sybase utilities, certauth, certreq, and certpk12 for requesting, authorizing and converting third-party certificates, see the Utility Guide.
certauth and certreq are dependent on RSA and DSA algorithms. These tools only work with crypto modules that use RSA and DSA algorithms to construct the certificate request.
Adaptive Server supports the Certicom Corp. cryptographic engine, Security Builder™, which supports RSA and DSA algorithms to construct the certificate requests.
Copyright © 2005. Sybase Inc. All rights reserved. |