24.1 Creating Certificates

This task involves creating a certificate to be signed locally, or creating one that generates the CSR to be signed externally, which you later import after signing.

24.1.1 Creating a Locally Signed Certificate

By default, the Access Manager installation process creates the local CA for you. eDirectory contains a CA that can issue and sign certificates, and a certificate server that generates or imports certificates and keys, and generates CSRs.

  1. In the Administration Console, click Certificates.

    Certificates page
  2. Click New.

    Creating a new certificate
  3. Select the following option:

    Use local certificate authority: Creates a certificate signed by the local CA (or Organizational CA), and creates the private key. For information about creating a CSR, see Section 24.1.2, Generating a Certificate Signing Request.

  4. Fill in the following fields:

    Certificate name: The name of the certificate. Pick a unique, system-wide name for the certificate that you can easily associate with the certificate’s purpose. The name must contain only alphanumeric characters and no spaces.

    1. For Subject, click the Edit button to display a dialog box that lets you add the appropriate locality information types for the subject name.

      Edit subject

      The subject is an X.500 formatted distinguished name that identifies the entity that is bound to the public key in an X.509 certificate. Choose the subject name that the browser expects to find in the certificate. The name you enter must be fully distinguished. Completing all the fields creates a fully distinguished name that includes the appropriate types (such as C for country, ST for state, L for location, O for organization, OU for organizational unit, and CN for common name). For example, cn=AcmeWebServer.ou=Sales.o=Acme.c=US.

      The following attributes are the most common ones used in certificate subjects:

      Common name: The name or IP of the Web server.

      Enter just the value, for example AcmeWebServer. Do not include the type (cn=). The UI adds that for you.

      For the Identity Server, this is the domain name of the base URL of the Identity Server configuration. This value cannot be an IP address or begin with a number, in order to ensure that trust does not fail between providers.

      Organizational unit: Describes departments or divisions.

      Organization: Differentiates between organizational divisions.

      City or town: Commonly referred to as the Locality.

      State or province: Commonly referred to as the State.

      Country: The country, such as US.

      Use the Additional Attributes drop-down menus to add additional attributes. For more information about these attributes, see Additional Attributes.

  5. Click OK, then fill in the following fields:

    Signature algorithm: The algorithm you want to use (SHA-1, MD-2, or MD-5). SHA-1 is currently recommended.

    Valid from: The date from which the certificate is valid. For externally signed certificates, the external certificate authority sets the validity period.

    Months valid: The number of months that the certificate is valid.

    Key size: The size of the key. Select 512, 1024, or 2048. A 2048-bit key is recommended. For 4096-bit key information, see Section 24.8, Enabling 4096k Keys.

  6. (Optional) To configure advanced options, click Advanced Options.

    Certificate advanced settings
  7. Configure the following options as necessary for your organization:

    Critical: Specifies that an application should reject the certificate if the application does not understand the key usage extensions.

    Encrypt other keys: Specifies that the certificate is used to encrypt keys.

    Encrypt data directly: Encrypts data for private transmission to the key pair owner. Only the intended receiver can read the data.

    Create digital signatures: Specifies that the certificate is used to create digital signatures.

    Non-repudiation: Links a digital signature to the signer and the data. This prevents others from duplicating the signature because no one else has the signer’s private key. Additionally, the signer cannot deny having signed the data.

  8. If you are creating a key for a Certificate Authority, configure the following options:

    This key is for a Certificate Authority: Specifies that this certificate is for the local configuration (eDirectory) certificate authority.

    If you create a new CA, all the keys signed by the CA being replaced no longer have a trusted CA. Thus, you might also need to reassign the new CA to all the trust stores that contained the old CA.

    Critical: Enforces the basic constraints you specify. Select one of the following:

    • Unlimited: Specifies no restriction on the number of subordinate certificates that the CA can verify.

    • Do not allow intermediate signing certificates in certificate chain: Prevents the CA from creating other CAs, but it can create server or user certificates.

    • Number of allowable intermediate signing certificates in signing chain: Specifies how many subordinate certificates are allowed in the certificate chain. Values must be 1 or more. Entering 0 creates only entity objects.

  9. (Optional) To create subject alternative names used by the certificate, click the Edit Subject Alternate Names button.

    Alternate names can represent the entity identified by the certificate. For example, the certificate can identify the subject CN=www.OU=novell.O=com, but the subject can also be known by an IP address, such as 222.111.100.101, or a URI, such as www.novell.com.

    Critical: Specifies that if an application does not understand the alternate name extensions, it should reject the certificate.

  10. Click New.

    Subject alternative names

    Name Type: Names as specified by RFC 2459. Use the drop-down list to specify a name type, such as:

    • Directory name: An X.500 directory name. The required format for the name is .<attribute name>=<attribute value>. For example:

      .O=novell.C=US

      Access Manager supports the following attributes:

      • Country (C)
      • Organization (O)
      • Organizational Unit (OU)
      • State or Province (S or ST)
      • Locality (L)
      • Common Name (CN)

    • IP Address: An IP address such as 222.123.123.123

    • URI: A URI such as www.novell.com.

    • Registered ID: An ASN.1 object identifier.

    • DNS Name: A domain name such as novell.com.

    • RFC822 Name: An e-mail address.

    • X400 Name: The messaging and e-mail standard specified by the ITU-TS (International Telecommunications Union - Telecommunication Standard Sector). It is an alternative to the more prevalent Simple Mail Transfer Protocol (SMTP) e-mail protocol. X.400 is common in Europe and Canada.

    • EDI Party: EDI (Electronic Data Interchange) is a standard format for exchanging business data.

    • Other: A user-defined name.

    Name: The display alternative name.

  11. Click OK.
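The subject and directory-name fields above use eDirectory's dotted notation (cn=AcmeWebServer.ou=Sales.o=Acme.c=US, or .O=novell.C=US with a leading dot), while most external tools and CAs expect the comma-separated RFC 4514 form. The following Python is an added helper, not Access Manager code: it converts between the two, restricts types to the ones the page lists, and applies the page's rules for certificate names and for the Identity Server common name. Escaping a literal dot inside a value as a backslash-dot is an assumption about the notation.

```python
import ipaddress
import re

# Attribute types the page accepts in subjects and directory-name SANs,
# with the OIDs from the Additional Attributes table.
SUBJECT_TYPES = {
    "CN": "2.5.4.3", "C": "2.5.4.6", "ST": "2.5.4.8", "S": "2.5.4.8",
    "L": "2.5.4.7", "O": "2.5.4.10", "OU": "2.5.4.11",
}


def parse_dotted_dn(dn):
    """Parse dotted notation into a leaf-first list of (TYPE, value) pairs.
    A leading dot (as in '.O=novell.C=US') is allowed; an escaped dot
    ('\\.') inside a value is kept as a literal dot (assumed convention)."""
    parts = [p for p in re.split(r"(?<!\\)\.", dn.strip()) if p]
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"component {part!r} is missing '='; use type=value")
        typ, value = part.split("=", 1)
        typ = typ.strip().upper()
        if typ not in SUBJECT_TYPES:
            raise ValueError(f"unsupported attribute type {typ!r}")
        rdns.append((typ, value.strip().replace("\\.", ".")))
    return rdns


def to_rfc4514(rdns):
    """Render the pairs as 'CN=...,OU=...,O=...,C=...' for OpenSSL-style tools."""
    def esc(value):
        # Backslash-escape the characters RFC 4514 reserves inside a value.
        return re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    return ",".join(f"{typ}={esc(value)}" for typ, value in rdns)


def check_certificate_name(name):
    """Page rule: the certificate name is alphanumeric only, with no spaces."""
    return bool(re.fullmatch(r"[A-Za-z0-9]+", name))


def check_identity_server_cn(cn):
    """Page rule: the Identity Server CN is a host name, never an IP address,
    and never begins with a digit."""
    try:
        ipaddress.ip_address(cn)
        return False          # parses as an IP address: rejected
    except ValueError:
        pass
    return bool(cn) and not cn[0].isdigit()
```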

Additional Attributes

Use the drop-down menus to add additional attributes. These values allow you to specify additional fields that are supported by eDirectory, and you can include them as part of the subject to further identify the entity represented by the certificate.

CN: The Common name attribute in the list of Commonly used attributes (OID: 2.5.4.3)

C: The Country attribute in the list of Commonly used attributes (OID: 2.5.4.6)

SN: The surname attribute (OID: 2.5.4.4)

L: The locality attribute, which is the City or town attribute in the list of Commonly used attributes (OID: 2.5.4.7)

ST: The State or province attribute in the list of Commonly used attributes (OID: 2.5.4.8)

S: The State or province attribute in the list of Commonly used attributes (OID: 2.5.4.8)

O: The Organization attribute in the list of Commonly used attributes (OID: 2.5.4.10)

OU: The Organizational unit attribute in the list of Commonly used attributes (OID: 2.5.4.11)

street: Text that describes the street address (OID: 2.5.4.9)

serialNumber: Text that specifies the serial number of a device (OID: 2.5.4.5)

title: Text that describes the position or function of an object (OID: 2.5.4.12)

description: Text that describes the associated object (OID: 2.5.4.13)

searchGuide: Specifies a search filter (OID: 2.5.4.14)

businessCategory: Text that describes the kind of business performed by an organization (OID: 2.5.4.15)

postalAddress: Specifies address information required for the physical delivery of postal messages (OID: 2.5.4.16)

postalCode: Text that specifies the postal code of an object (OID: 2.5.4.17)

postOfficeBox: Text that specifies the post office box for the physical delivery of mail (OID: 2.5.4.18)

physicalDeliveryOfficeName: Text that specifies the name of the city or place where a physical delivery office is located (OID: 2.5.4.19)

telephoneNumber: Specifies a telephone number (OID: 2.5.4.20)

telexNumber: Specifies a telex number (OID: 2.5.4.21)

teletexTerminalIdentifier: Specifies an identifier for a telex terminal (OID: 2.5.4.22)

facsimileTelephoneNumber: Specifies the telephone number for a facsimile terminal (OID: 2.5.4.23)

x121Address: Specifies the address used in electronic data exchange (OID: 2.5.4.24)

internationalISDNNumber: Specifies an international ISDN number used in voice, video, and data transmission (OID: 2.5.4.25)

registeredAddress: Text that specifies the postal address for the delivery of telegrams or expedited documents (OID: 2.5.4.26)

destinationIndicator: Specifies an attribute used in telegram services (OID: 2.5.4.27)

preferredDeliveryMethod: Specifies the preferred delivery method for a message (OID: 2.5.4.28)

presentationAddress: Specifies an OSI presentation layer address (OID: 2.5.4.29)

supportedApplicationContext: Text that specifies the identifiers for the OSI application contexts in the application layer (OID: 2.5.4.30)

member: Specifies the distinguished name of an object associated with a group or a list (OID: 2.5.4.31)

owner: Text that specifies the name of an object that has responsibility for another object (OID: 2.5.4.32)

roleOccupant: Specifies the distinguished name of an object that fulfills an organizational role (OID: 2.5.4.33)

seeAlso: Specifies the distinguished name of an object that contains additional information about the same real world object (OID: 2.5.4.34)

userPassword: Specifies the object's password (OID: 2.5.4.35)

name: Text that specifies a name that is in the UTF-8 form of the ISO 10646 character set (OID: 2.5.4.41)

givenName: Text that specifies the given, or first name of an object (OID: 2.5.4.42)

initials: Text that specifies the initials of an object (OID: 2.5.4.43)

generationQualifier: Text that specifies the generation of an object, which is usually a suffix (OID: 2.5.4.44)

x500UniqueIdentifier: Specifies an identifier which distinguishes between objects when a DN has been reused (OID: 2.5.4.45)

dnQualifier: Specifies information which makes an object unique when information is being merged from multiple sources and objects could have the same RDNs (OID: 2.5.4.46)

enhancedSearchGuide: Specifies a search filter used by X.500 users (OID: 2.5.4.47)

protocolInformation: Specifies information which is used with the presentationAddress attribute (OID: 2.5.4.48)

distinguishedName: Specifies the distinguished name of an object (OID: 2.5.4.49)

uniqueMember: Specifies the distinguished name of an object associated with a group or a list (OID: 2.5.4.50)

houseIdentifier: Text that identifies a building within a location (OID: 2.5.4.51)

dmdName: Text that specifies a directory management domain (OID: 2.5.4.54)

E: Text that specifies an email address.

EM: Text that specifies an email address.

DC: Text that specifies the domain name for an object (OID: 0.9.2342.19200300.100.1.25)

uniqueID: Text that contains an RDN-type name that can be used to create a unique name in the tree (OID: 0.9.2342.19200300.100.1.1)

T: Text that specifies the name of the tree root object (OID: 2.16.840.1.113719.1.1.4.1.181)

OID: Text that specifies an object identifier in dot notation.

24.1.2 Generating a Certificate Signing Request

  1. In the Administration Console, click Certificates, then click New.

  2. Select the following option:

    Use external certificate authority: Generates a Certificate Signing Request (CSR) for you to send to the CA for signing. A third-party CA is managed by a third party outside of the eDirectory tree. An example of a third party CA is VeriSign*. After the signed certificate is received, you need to import the certificate. See Section 24.1.3, Importing a Signed Certificate.

  3. Fill in the following fields:

    Certificate name: The name of the certificate. Pick a unique, system-wide name for the certificate that you can easily associate with the certificate’s purpose. The name must contain only alphanumeric characters and no spaces.

    Subject: An X.500 formatted distinguished name that identifies the entity that is bound to the public key in an X.509 certificate. Choose the subject name that the browser expects to find in the certificate. The name you enter must be fully distinguished. Completing all the fields creates a fully distinguished name that includes the appropriate types (such as C for country, ST for state, L for location, O for organization, OU for organizational unit, and CN for common name). For example, cn=AcmeWebServer.ou=Sales.o=Acme.c=US.

  4. Click the Edit button to display a dialog box that lets you add appropriate locality information types for the subject name.

    The following attributes are the most common ones used in certificate subjects:

    Common name: The name or IP of the Web server. Enter just the value. Do not enter the type (cn=). The UI adds it for you.

    Organizational unit: Describes departments or divisions.

    Organization: Differentiates between organizational divisions.

    City or town: Commonly referred to as the Locality.

    State or province: Commonly referred to as the State.

    Country: The country, such as US.

    Use the Additional Attributes drop-down lists to add additional attributes. These values allow you to specify additional fields that are supported by eDirectory, and you can include them as part of the subject to further identify the entity represented by the certificate.

  5. Click OK, then fill in the following fields:

    Signature algorithm: The algorithm you want to use (SHA-1, MD-2, or MD-5). SHA-1 is currently recommended.

    Valid from: The date from which the certificate is valid. For externally signed certificates, the external certificate authority sets the validity period.

    Months valid: The number of months that the certificate is valid.

    Key size: The size of the key. Select 512, 1024, or 2048. A 2048-bit key is recommended. For 4096-bit key information, see Section 24.8, Enabling 4096k Keys.

  6. If necessary, fill in the certificate fields, which are described in Section 24.1.1, Creating a Locally Signed Certificate.

  7. Click OK.

  8. On the Certificate Details page, copy the CSR data and send the information to the external CA.

    The certificate status is CSR Pending until you import the signed certificate.

  9. Click Close.

Continue with Section 24.1.3, Importing a Signed Certificate after you receive the signed certificate and the trusted root (CA chain).

24.1.3 Importing a Signed Certificate

After you receive the signed certificate and the CA chain, you must import it. There are several ways in which the CA can return the certificate. Typically, the CA either returns one or more files each containing one certificate, or returns a file with multiple certificates in it.

  1. In the Administration Console, click Certificates, then click the certificate name.

  2. Click Import Signed Certificate.

  3. In the Import Signed Certificate dialog box, browse to locate the certificate data file, or paste the certificate data text into the Certificate data text field.

  4. To import the CA chain, click Add trusted root, then locate the certificate data.

  5. Click Add intermediate certificate if you need to continue adding certificates to the chain.

  6. Click OK, then click Close on the Certificate Details page.

The certificate is now available for use by Access Manager devices.

If you receive an error when attempting to import the certificate, see Section 44.0, Troubleshooting Certificate Issues.