Verifying fields in certificate chains  Using transport-layer security for web services

Chapter 13: Transport-Layer Security

Using a globally-signed certificate as an enterprise certificate

Instead of using a global certificate as a server certificate, it is possible to instead use it to sign other certificates, as you would an enterprise certificate. This setup lets you combine the benefits of a global certificate and an enterprise certificate. The most important advantage is that you need not store the private key for your global certificate on the computer running the Sybase IQ server.

To create such a setup, generate a unique certificate for each Sybase IQ server. When you do so, sign them with your global certificate.

The following example displays how two server certificates can be generated and signed by the global certificate:

>gencert -s Certificate Generation Tool Choose certificate type ((R)SA or (E)CC): E Generating key pair... Country: CA State/Province: Ontario Locality: Waterloo Organization: Sybase Organizational Unit: IAS Common Name: MobiLink Serial Number: 2003.07.29.06 Certificate valid for how many years: 1 Enter file path of signer's certificate: global.crt Enter file path of signer's private key: global.pri Enter password for signer's private key: password5 Enter password to protect private key: password6 Enter file path to save server identity: serv6.crt >gencert -s Certificate Generation Tool Choose certificate type ((R)SA or (E)CC): E Generating key pair... Country: CA State/Province: Ontario Locality: Waterloo Organization: Sybase Organizational Unit: IAS Common Name: MobiLink Serial Number: 2003.07.29.07 Certificate valid for how many years: 1 Enter file path of signer's certificate: global.crt Enter file path of signer's private key: global.pri Enter password for signer's private key: password5 Enter password to protect private key: password7 Enter file path to save server identity: serv7.crt

The above commands generate two server identity certificates, intended for use with two Sybase IQ servers.

Both certificates are signed by global.crt, which in turn is signed by your certificate authority’s root certificate.

You can start these two Sybase IQ servers with the following commands, entered one command per line.

start_asiq -c "dsn=Adaptive Server IQ Demo;uid=DBA;pwd=SQL" -x tcpip ( port=3333;security=rsa_tls ( certificate=serv6.crt; certificate_password=password6 ) ) start_asiq -c "dsn=Adaptive Server IQ Demo;uid=DBA;pwd=SQL" -x tcpip ( port=4444;security=rsa_tls ( certificate=serv7.crt; certificate_password=password7 ) )

You can hide the contents of the command line using the File Hiding utility, dbfhide. For more information, see the Adaptive Server Anywhere Database Administration Guide.

In addition, you must ensure that each client trusts your certificate authority’s root certificate.




Copyright © 2006. Sybase Inc. All rights reserved. Using transport-layer security for web services

View this document as PDF