3.2 Creating Certificates

Access Manager comes with certificates for testing purposes. The test certificates are called test-signing, test-encryption, test-provider, test-consumer, and test-connector. At a minimum, you must create two SSL certificates: one for the Identity Server test-connector and one for the Access Gateway reverse proxy. Then you replace the predefined certificates with the new ones.

If you install a secondary Administration Console, the certificate authority (CA) is installed with the first instance of eDirectory, and the secondary consoles have eDirectory replicas and therefore no CA software. All certificate management must be done from the primary Administration Console. Certificate management commands issued from a secondary Administration Console can work only if the primary console is also running properly. Other commands can work independently of the primary console.

IMPORTANT: Before generating any certificates with the Administration Console CA, make sure time is synchronized within one minute among all of your Access Manager devices. If the time of the Administration Console is ahead of the device for which you are creating the certificate, the device rejects the certificate.

  1. In the Administration Console, click Security > Certificates.

    Certificates page
  2. Select from the following actions:

    New: To create a new certificate, click New. For information about the fields you need to fill in, see Section 3.2.1, Creating a Locally Signed Certificate and Section 3.2.4, Generating a Certificate Signing Request.

    Delete: To delete a certificate, select the certificate, then click Delete. If the certificate is assigned to a keystore, a warning message appears. You must remove a certificate from all keystores before it can be deleted.

    Import Private/Public Keypair: To import a key pair, click Actions > Import Private/Public Keypair. For more information, see Section 3.3.6, Importing a Private/Public Key Pair.

    Add Certificate to Keystores: To add a certificate to a keystore, click Actions > Add Certificate to Keystore. For more information, see Section 3.3.2, Adding a Certificate to a Keystore.

    View Certificate Details: To view certificate details, renew a certificate, or export keys, click the name of the certificate. For more information, see Section 3.3.1, Viewing Certificate Details.

3.2.1 Creating a Locally Signed Certificate

By default, the Access Manager installation process creates the local CA that can issue and sign certificates and installs a certificate server that generates certificates, keys, and CSRs (certificate signing requests) and imports certificates and keys.

  1. In the Administration Console, click Security > Certificates.

    Certificates page
  2. Click New.

    Creating a new certificate
  3. Select the following option:

    Use local certificate authority: Creates a certificate signed by the local CA (or Organizational CA), and creates the private key. For information about creating a CSR, see Generating a Certificate Signing Request.

  4. Provide a certificate name:

    Certificate name: The name of the certificate. Pick a unique, system-wide name for the certificate that you can easily associate with the certificate’s purpose. The name must contain only alphanumeric characters and no spaces.

  5. For Subject, click the Edit button to display a dialog box that lets you add the appropriate attributes for the subject name.

    Edit subject

    The subject is an X.500 formatted distinguished name that identifies the entity that is bound to the public key in an X.509 certificate. Choose the subject name that the browser expects to find in the certificate. The name you enter must be fully distinguished. Completing all the fields creates a fully distinguished name that includes the appropriate types (such as C for country, ST for state, L for location, O for organization, OU for organizational unit, and CN for common name). For example, cn=AcmeWebServer.ou=Sales.o=Acme.c=US.

    Common name: If you are creating a certificate for an Identity Server, specify the DNS name of the Identity Server. If you are creating a certificate for an Access Gateway, specify the published DNS name of the proxy service. Specifying values for the other attributes is optional.

    For more information about the other attributes, see Section 3.2.2, Editing the Subject Name.

  6. Click OK, then fill in the following fields:

    Signature algorithm: The algorithm you want to use (SHA-1, MD-2, or MD-5). SHA-1 is currently recommended.

    Valid from: The date from which the certificate is valid. For externally signed certificates, the external certificate authority sets the validity period.

    Months valid: The number of months that the certificate is valid.

    Key size: The size of the key. Select 512, 1024, 2048, or 4096.

  7. (Optional) To configure advanced options, click Advanced Options.

    Certificate advanced settings
  8. Configure the following options as necessary for your organization:

    Critical: Specifies that an application should reject the certificate if the application does not understand the key usage extensions.

    Encrypt other keys: Specifies that the certificate is used to encrypt keys.

    Encrypt data directly: Encrypts data for private transmission to the key pair owner. Only the intended receiver can read the data.

    Create digital signatures: Specifies that the certificate is used to create digital signatures.

    Non-repudiation: Links a digital signature to the signer and the data. This prevents others from duplicating the signature because no one else has the signer’s private key. Additionally, the signer cannot deny having signed the data.

  9. (Conditional) If you are creating a key for a certificate authority, configure the following options:

    This key is for a Certificate Authority: Specifies that this certificate is for the local configuration (eDirectory) certificate authority.

    If you create a new CA, all the keys signed by the CA being replaced no longer have a trusted CA. You might also need to reassign the new CA to all the trust stores that contained the old CA.

    Critical: Enforces the basic constraints you specify. Select one of the following:

    • Unlimited: Specifies no restriction on the number of subordinate certificates that the CA can verify.

    • Do not allow intermediate signing certificates in certificate chain: Prevents the CA from creating other CAs, but it can create server or user certificates.

    • Number of allowable intermediate signing certificates in signing chain: Specifies how many subordinate certificates are allowed in the certificate chain. Values must be 1 or more. Entering 0 creates only entity objects.

  10. (Optional) To create subject alternative names used by the certificate, click the Edit Subject Alternate Names button, then click New.

    Subject alternative names

    Alternate names can represent the entity identified by the certificate. The certificate can identify the subject CN=www.OU=novell.O=com, but the subject can also be known by an IP address, such as 222.111.100.101, or a URI, such as www.novell.com, for example. For more information, see Section 3.2.3, Assigning Alternate Subject Names.

  11. Click OK.

  12. (Conditional) If you assigned alternate names, determine how you want applications to handle the alternate names. Select Critical if you want an application that does not understand the alternate name extensions to reject the certificate.

  13. Click OK.

3.2.2 Editing the Subject Name

  1. Fill in one or more of the following attributes.

    The following attributes are the most common ones used in certificate subjects:

    Common name: The DNS name of the server.

    Specify the value, for example AcmeWebServer.provo.com. Do not include the type (cn=). The UI adds that for you.

    For the Identity Server, this is the domain name of the base URL of the Identity Server configuration. This value cannot be an IP address or begin with a number, in order to ensure that trust does not fail between providers.

    For the Access Gateway, this is the published DNS name of the proxy service.

    Organizational unit: Describes departments or divisions.

    Organization: Differentiates between organizational divisions.

    City or town: Commonly referred to as the Locality.

    State or province: Commonly referred to as the State. Do not abbreviate the name.

    Country: The country, such as US.

  2. Use the drop-down menus to add additional attributes.

    These values allow you to specify additional fields that are supported by eDirectory, and you can include them as part of the subject to further identify the entity represented by the certificate.

    CN: The Common name attribute in the list of Commonly used attributes (OID: 2.5.4.3)

    C: The Country attribute in the list of Commonly used attributes (OID: 2.5.4.6)

    SN: The surname attribute (OID: 2.5.4.4)

    L: The locality attribute, which is the City or town attribute in the list of Commonly used attributes (OID: 2.5.4.7)

    ST: The State or province attribute in the list of Commonly used attributes (OID: 2.5.4.8)

    S: The State or province attribute in the list of Commonly used attributes (OID: 2.5.4.8)

    O: The Organization attribute in the list of Commonly used attributes (OID: 2.5.4.10)

    OU: The Organizational unit attribute in the list of Commonly used attributes (OID: 2.5.4.11)

    street: Describes the street address (OID: 2.5.4.9)

    serialNumber: Specifies the serial number of a device (OID: 2.5.4.5)

    title: Describes the position or function of an object (OID: 2.5.4.12)

    description: Describes the associated object (OID: 2.5.4.13)

    searchGuide: Specifies a search filter (OID: 2.5.4.14)

    businessCategory: Describes the kind of business performed by an organization (OID: 2.5.4.15)

    postalAddress: Specifies address information required for the physical delivery of postal messages (OID: 2.5.4.16)

    postalCode: Specifies the postal code of an object (OID: 2.5.4.17)

    postOfficeBox: Specifies the post office box for the physical delivery of mail (OID: 2.5.4.18)

    physicalDeliveryOfficeName: Specifies the name of the city or place where a physical delivery office is located (OID: 2.5.4.19)

    telephoneNumber: Specifies a telephone number (OID: 2.5.4.20)

    telexNumber: Specifies a telex number (OID: 2.5.4.21)

    teletexTerminalIdentifier: Specifies an identifier for a telex terminal (OID: 2.5.4.22)

    facsimileTelephoneNumber: Specifies the telephone number for a facsimile terminal (OID: 2.5.4.23)

    x121Address: Specifies the address used in electronic data exchange (OID: 2.5.4.24)

    internationalISDNNumber: Specifies an international ISDN number used in voice, video, and data transmission (OID: 2.5.4.25)

    registeredAddress: Specifies the postal address for the delivery of telegrams or expedited documents (OID: 2.5.4.26)

    destinationIndicator: Specifies an attribute used in telegram services (OID: 2.5.4.27)

    preferredDeliveryMethod: Specifies the preferred delivery method for a message (OID: 2.5.4.28)

    presentationAddress: Specifies an OSI presentation layer address (OID: 2.5.4.29)

    supportedApplicationContext: Specifies the identifiers for the OSI application contexts in the application layer (OID: 2.5.4.30)

    member: Specifies the distinguished name of an object associated with a group or a list (OID: 2.5.4.31)

    owner: Specifies the name of an object that has responsibility for another object (OID: 2.5.4.32)

    roleOccupant: Specifies the distinguished name of an object that fulfills an organizational role (OID: 2.5.4.33)

    seeAlso: Specifies the distinguished name of an object that contains additional information about the same real-world object (OID: 2.5.4.34)

    userPassword: Specifies the object's password (OID: 2.5.4.35)

    name: Specifies a name that is in the UTF-8 form of the ISO 10646 character set (OID: 2.5.4.41)

    givenName: Specifies the given or first name of an object (OID: 2.5.4.42)

    initials: Specifies the initials of an object (OID: 2.5.4.43)

    generationQualifier: Specifies the generation of an object, which is usually a suffix (OID: 2.5.4.44)

    x500UniqueIdentifier: Specifies an identifier that distinguishes between objects when a DN has been reused (OID: 2.5.4.45)

    dnQualifier: Specifies information that makes an object unique when information is being merged from multiple sources and objects could have the same RDNs (OID: 2.5.4.46)

    enhancedSearchGuide: Specifies a search filter used by X.500 users (OID: 2.5.4.47)

    protocolInformation: Specifies information that is used with the presentationAddress attribute (OID: 2.5.4.48)

    distinguishedName: Specifies the distinguished name of an object (OID: 2.5.4.49)

    uniqueMember: Specifies the distinguished name of an object associated with a group or a list (OID: 2.5.4.50)

    houseIdentifier: Identifies a building within a location (OID: 2.5.4.51)

    dmdName: Specifies a directory management domain (OID: 2.5.4.54)

    E: Specifies an e-mail address.

    EM: Specifies an e-mail address.

    DC: Specifies the domain name for an object (OID: 0.9.2342.19200300.100.1.25)

    uniqueID: Contains an RDN-type name that can be used to create a unique name in the tree (OID: 0.9.2342.19200300.100.1.1)

    T: Specifies the name of the tree root object (OID: 2.16.840.1.113719.1.1.4.1.181)

    OID: Specifies an object identifier in dot notation.

  3. To create a certificate, continue with Step 6, or to create a signing request, continue with Step 5.

3.2.3 Assigning Alternate Subject Names

  1. Fill in the following fields:

    Name Type: Names as specified by RFC 2459. Use the drop-down list to specify a name type, such as:

    • Directory name: An X.500 directory name. The required format for the name is .<attribute name>=<attribute value>. For example:

      .O=novell.C=US

      Access Manager supports the following attributes:

      • Country (C)
      • Organization (O)
      • Organizational Unit (OU)
      • State or Province (S or ST)
      • Locality (L)
      • Common Name (CN)
    • IP Address: An IP address such as 222.123.123.123

    • URI: A URI such as www.novell.com.

    • Registered ID: An ASN.1 object identifier.

    • DNS Name: A domain name such as novell.com.

    • Email Address (RFC 822 name): An e-mail address such as ca@novell.com.

    • X400 Name: The messaging and e-mail standard specified by the ITU-TS (International Telecommunications Union - Telecommunication Standard Sector). It is an alternative to the more prevalent Simple Mail Transfer Protocol (SMTP) e-mail protocol. X.400 is common in Europe and Canada.

    • EDI Party: EDI (Electronic Data Interchange) is a standard format for exchanging business data.

    • Other: A user-defined name.

    Name: The display alternative name.

  2. Continue with Step 11.
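Taken together, Sections 3.2.1 through 3.2.3 describe standard X.509 content: a CA certificate with basic constraints, an end-entity certificate whose subject is built from X.520 attributes, the key-usage bits, and subject alternative names. The following Go program is an added example, not Access Manager code and not how the Administration Console implements the wizard; it uses only Go's standard library to build the same artifacts and then checks the server certificate the way a device would, once with a clock in sync with the issuing console and once five minutes behind it, which produces the rejection the IMPORTANT note at the top of this section warns about. The host name, organization values, e-mail address, and the 192.0.2.10 address are constructed sample values. It signs with SHA-256 rather than the SHA-1 named in the field descriptions, because current Go and current browsers reject SHA-1 signed certificates. The Directory name and Registered ID alternate-name types the wizard also offers have no template field in Go's x509 package and are left out.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

const proxyName = "www.example.com" // constructed: the published DNS name of the proxy service

// NewLocalCA builds a self-signed CA standing in for the local (eDirectory) CA. maxPathLen encodes
// the step 9 choice: -1 Unlimited, 0 no intermediate signing certificates, N allowable intermediates.
func NewLocalCA(now time.Time, maxPathLen int) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // "Key size"
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Local CA", Organization: []string{"Acme"}, Country: []string{"US"}},
		NotBefore:             now,                    // "Valid from"
		NotAfter:              now.AddDate(0, 120, 0), // "Months valid"
		IsCA:                  true,
		BasicConstraintsValid: true, // "Critical": the basic constraints are enforced
		MaxPathLen:            maxPathLen,
		MaxPathLenZero:        maxPathLen == 0, // Go needs this to emit pathLenConstraint=0
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SignatureAlgorithm:    x509.SHA256WithRSA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// IssueServerCert is the "Use local certificate authority" path: subject from the Section 3.2.2
// attributes, key usage bits from step 8, alternate names from Section 3.2.3.
func IssueServerCert(ca *x509.Certificate, caKey *rsa.PrivateKey, now time.Time, months int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject: pkix.Name{
			CommonName: proxyName, OrganizationalUnit: []string{"Sales"}, Organization: []string{"Acme"},
			Locality: []string{"Provo"}, Province: []string{"Utah"}, Country: []string{"US"},
			// Any further attribute goes in by OID, as the drop-down list does; 2.5.4.12 is title.
			ExtraNames: []pkix.AttributeTypeAndValue{{Type: asn1.ObjectIdentifier{2, 5, 4, 12}, Value: "Web Server"}},
		},
		NotBefore: now,
		NotAfter:  now.AddDate(0, months, 0),
		// "Create digital signatures", "Non-repudiation", "Encrypt other keys", "Encrypt data directly"
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment |
			x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment,
		DNSNames:           []string{proxyName}, // SANs of the DNS Name, IP Address, URI and Email Address types
		IPAddresses:        []net.IP{net.ParseIP("192.0.2.10")},
		URIs:               []*url.URL{{Scheme: "https", Host: proxyName}},
		EmailAddresses:     []string{"ca@example.com"},
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyAt checks the certificate against the local CA as a device would at the given clock reading;
// notYetValid flags the failure the IMPORTANT note warns about: the device clock is behind NotBefore.
func VerifyAt(cert, ca *x509.Certificate, deviceClock time.Time) (ok, notYetValid bool) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: deviceClock, DNSName: proxyName})
	var inv x509.CertificateInvalidError
	return err == nil, errors.As(err, &inv) && inv.Reason == x509.Expired
}

func main() {
	now := time.Now()
	ca, caKey, err := NewLocalCA(now, 0)
	if err != nil {
		panic(err)
	}
	srv, err := IssueServerCert(ca, caKey, now, 12)
	if err != nil {
		panic(err)
	}
	fmt.Println(VerifyAt(srv, ca, now.Add(30*time.Second))) // true false: clock within a minute
	fmt.Println(VerifyAt(srv, ca, now.Add(-5*time.Minute))) // false true: device clock behind
}
```

The CA here is created with pathLenConstraint 0, the equivalent of "Do not allow intermediate signing certificates in certificate chain"; passing -1 gives the Unlimited case and a positive number the counted case. The second verification fails only because the device's clock precedes the certificate's NotBefore, which is exactly what happens when the Administration Console's time runs ahead of the device.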

3.2.4 Generating a Certificate Signing Request

  1. In the Administration Console, click Security > Certificates, then click New.

  2. To create a certificate signing request (CSR), select Use external certificate authority.

    This option generates a CSR for you to send to the CA for signing. A third-party CA is managed by a third party outside of the eDirectory tree. An example of a third party CA is VeriSign. After the signed certificate is received, you need to import the certificate.

  3. Specify a Certificate name.

    Pick a unique, system-wide name for the certificate that you can easily associate with the certificate’s purpose. The name must contain only alphanumeric characters and no spaces.

  4. Click the Edit button to display a dialog box that lets you add appropriate locality information types for the subject name.

    For more information, see Section 3.2.2, Editing the Subject Name.

  5. Click OK, then fill in the following fields:

    Signature algorithm: The algorithm you want to use (SHA-1, MD-2, or MD-5). SHA-1 is currently recommended.

    Valid from: The date from which the certificate is valid. For externally signed certificates, the external certificate authority sets the validity period.

    Months valid: The number of months that the certificate is valid.

    Key size: The size of the key. Select 512, 1024, 2048, or 4096.

  6. (Conditional) If you are creating a key for a certificate authority, click Advanced Options, then configure the following:

    This key is for a Certificate Authority: Select this option.

    Critical: Enforces the basic constraints you specify. Select one of the following:

    • Unlimited: Specifies no restriction on the number of subordinate certificates that the CA can verify.

    • Do not allow intermediate signing certificates in certificate chain: Prevents the CA from creating other CAs, but it can create server or user certificates.

    • Number of allowable intermediate signing certificates in signing chain: Specifies how many subordinate certificates are allowed in the certificate chain. Values must be 1 or more. Entering 0 creates only entity objects.

  7. Click OK.

  8. Click the name of the certificate, copy the CSR data and send the information to the external CA.

    The certificate status is CSR Pending until you import the signed certificate.

  9. Click Close.

  10. When you receive the signed certificate and the trusted root (CA chain), continue with Importing a Signed Certificate.
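Before the CSR data from step 8 is sent out, it is worth checking what it contains, because the external CA signs exactly what it receives. The following Go program is an added example, not Access Manager code: it generates a key pair and a PKCS #10 request the way "Use external certificate authority" does, encodes it as the PEM text that is copied from the certificate's details page, then parses that text back and checks the proof-of-possession signature, that the common name and the DNS alternate name are the expected published name, and that the RSA key is at least 2048 bits (512 and 1024 appear in the Key size list, but publicly trusted CAs no longer accept them). It also applies the Section 3.2.2 rule for the Identity Server common name, which must not be an IP address or begin with a number. The published name and subject values are constructed samples, and the request is signed with SHA-256 rather than SHA-1.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"net"
)

const publishedName = "www.example.com" // constructed: the published DNS name the certificate is for

// NewCSR does what "Use external certificate authority" does: generate the key pair and a
// PKCS #10 request carrying the subject name, returned as the PEM text to send to the CA.
func NewCSR(keyBits int, commonName string) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, keyBits) // "Key size"
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{
			CommonName: commonName, OrganizationalUnit: []string{"Sales"}, Organization: []string{"Acme"},
			Locality: []string{"Provo"}, Province: []string{"Utah"}, Country: []string{"US"},
		},
		DNSNames:           []string{commonName}, // alternate name, as in Section 3.2.3
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// ValidIdentityServerName applies the Section 3.2.2 rule for the Identity Server
// common name: not an IP address and not beginning with a number.
func ValidIdentityServerName(cn string) bool {
	if cn == "" || net.ParseIP(cn) != nil {
		return false
	}
	return cn[0] < '0' || cn[0] > '9'
}

// CheckCSR parses the CSR data as copied from the certificate details page and
// checks it before it leaves for the CA: a PEM block of the right type, a
// proof-of-possession signature that verifies, the expected name in both CN and
// SAN, and an RSA key of at least 2048 bits.
func CheckCSR(pemText []byte, wantName string) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(pemText)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("CSR data has no CERTIFICATE REQUEST block")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature does not verify: %w", err)
	}
	if csr.Subject.CommonName != wantName {
		return nil, fmt.Errorf("CN %q is not the expected name %q", csr.Subject.CommonName, wantName)
	}
	if len(csr.DNSNames) != 1 || csr.DNSNames[0] != wantName {
		return nil, fmt.Errorf("DNS alternate name %v does not match %q", csr.DNSNames, wantName)
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok || pub.N.BitLen() < 2048 {
		return nil, errors.New("key is not RSA of at least 2048 bits")
	}
	return csr, nil
}

func main() {
	key, csrPEM, err := NewCSR(2048, publishedName)
	if err != nil {
		panic(err)
	}
	fmt.Print(string(csrPEM)) // the text you would paste into the CA's request form
	csr, err := CheckCSR(csrPEM, publishedName)
	fmt.Println("CSR ok:", err == nil, "key matches:", csr != nil && key.PublicKey.Equal(csr.PublicKey))
}
```

Keep the private key from NewCSR with the pending request: the certificate the CA returns is only usable if its public key is the one in the request, and the same key comparison made in main is the check to run on the signed certificate before importing it.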

3.2.5 Importing a Signed Certificate

After you receive the signed certificate and the CA chain, you must import it. There are several ways in which the CA can return the certificate. Typically, the CA either returns one or more files each containing one certificate, or returns a file with multiple certificates in it.

  1. In the Administration Console, click Security > Certificates, then click the name of a certificate that is in a CSR Pending state.

  2. Click Import Signed Certificate.

  3. In the Import Signed Certificate dialog box, browse to locate the certificate data file, or paste the certificate data text into the Certificate data text field.

  4. To import the CA chain, click Add trusted root, then locate the certificate data.

  5. Click Add intermediate certificate if you need to continue adding certificates to the chain.

  6. Click OK, then click Close on the Certificate Details page.

The certificate is now available for use by Access Manager devices.

If you receive an error when attempting to import the certificate, see Section 7.0, Troubleshooting Certificate Issues.