HP NonStop SSL Reference Manual, SSL Reference, page 102
If you want to secure access to an application for internal users only, you would probably prefer using your own root CA
to issue the server certificate. As your users know your organization already, they can choose to trust your root CA that
issued the server certificate.
The Public/Private Key Pair
Regardless of how you choose to obtain a certificate, you will need to generate a private/public key pair. The private key
is stored in encrypted form, protected by a pass phrase, in a file that complies with the PKCS#8 standard. This file is later
passed to a secure HP NonStop SSL process with the SERVKEY/CLIENTKEY parameter. For HP NonStop SSL to be
able to decrypt the private key, the pass phrase must be supplied with the SERVKEYPASS/CLIENTKEYPASS parameter.
Warning: Do not give other users access to your private key! In general, private keys should be stored encrypted. The
longer your pass phrase is, the better the protection of your key.
The public key matching the private key is incorporated into the certificate along with your identification data (the
server's X.509 "distinguished name").
The Certificate Signing Request
To obtain a certificate you submit your public key along with some identification data to a Certificate Authority. This
so-called Certificate Signing Request (CSR) is used by the CA to generate your certificate and sign it with the CA's own
private key. The CSR itself is signed with your private key, which lets the CA check that you actually hold the key
matching the public key you submit. CAs expect the CSR to adhere to a certain format. The most widely used format is
specified by the PKCS#10 standard.
Obtaining a Certificate from a Third Party CA
If you choose to obtain a certificate from an internal or external (commercial) CA, you would generate a private key
and a PKCS#10 CSR. You then submit the CSR to the CA, typically by pasting it in BASE64-encoded (PEM) format into
the CA's web site, or by sending it via email. The CA will then return the signed certificate to you, typically also in
BASE64-encoded format attached to an email. The BASE64-encoded certificate can then be converted to a binary (DER)
certificate file, which is passed to HP NonStop SSL with the SERVCERT/CLIENTCERT parameter.
HP NonStop SSL needs to send the root CA certificate along with the server/client certificate to SSL clients/servers for
validation. Typically, the third party CA will provide the public root certificate that was used to sign your certificate. To
be able to pass the root CA certificate to HP NonStop SSL with the CACERTS parameter, the root CA certificate file
needs to be uploaded to the system on which HP NonStop SSL is installed. If you received the root CA certificate in
BASE64-encoded format, you can convert it for HP NonStop SSL usage just like the BASE64-encoded server certificate.
Acting As Your Own CA
If you choose to issue a certificate as your own CA, you would need to generate a root CA certificate and private key.
The root CA certificate is a "self-signed" certificate as it is signed with the root CA's own private key.
Warning: Do not give other users access to your root CA private key! If this key is compromised, malicious users can
create certificates that will appear to be signed by your CA certificate, and every client that trusts your root CA will accept
them. In general, private keys should be stored encrypted. The longer your pass phrase is, the better the protection of your
key. The root CA's private key should also be kept in a secure place. For example, you could store it on a removable disk
that you can lock away, and only mount it when a certificate has to be signed.
Using the root CA private key and certificate you would then generate a certificate from a previously created CSR. In
other words, you would perform the same task as a third party CA.
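The whole procedure described above (encrypted PKCS#8 key pair, PKCS#10 CSR, self-signed root CA, signing the CSR as your own CA, and converting the BASE64/PEM certificates to the binary DER files used with SERVCERT and CACERTS), carried through with the openssl command-line tool. This is an added example, not code from the HP NonStop SSL manual or product; the working directory, pass phrases, subject names, the host name nonstop.example.com, the key sizes and all file names are assumptions for illustration. The pass phrases are handed to openssl through environment variables (env:) rather than on the command line, so they do not show up in process listings.

```shell
#!/bin/sh
# Added example, not from the HP NonStop SSL manual: produce the files that the
# SERVKEY/SERVKEYPASS, SERVCERT and CACERTS parameters expect, using the openssl
# command-line tool, and check them before uploading. Everything below is an
# assumption for illustration: the directory, the pass phrases, the subject
# names, the host name nonstop.example.com and the file names.
set -eu
umask 077                                   # every file created here is owner-only

WORK="${WORK:-$(mktemp -d)}"
KEYPASS='a long pass phrase for the server key'          # constructed; the SERVKEYPASS value
CAPASS='an even longer pass phrase for the root CA key'  # constructed
export KEYPASS CAPASS                       # read by openssl via env:, never on a command line

# Minimal openssl config: a distinguished_name section (req insists on one) plus
# the extension sets for a root CA and for an end-entity server certificate.
write_config() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:nonstop.example.com
EOF
}

# 1. Server key pair: RSA-2048, written as pass-phrase-encrypted PKCS#8
#    ("BEGIN ENCRYPTED PRIVATE KEY"), which is the format SERVKEY takes.
gen_server_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -aes-256-cbc -pass env:KEYPASS -out "$WORK/server.key.pem" 2>/dev/null
}

# 2. PKCS#10 certificate signing request carrying the public key and the DN,
#    signed with the server's private key. server.csr.pem is the BASE64 text
#    you would paste into a CA's web form.
gen_csr() {
  openssl req -new -config "$WORK/req.cnf" \
    -key "$WORK/server.key.pem" -passin env:KEYPASS \
    -subj "/O=Example Corp/CN=nonstop.example.com" -out "$WORK/server.csr.pem"
}

# 3. Acting as your own CA: a root key and a self-signed root certificate.
gen_root_ca() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
    -aes-256-cbc -pass env:CAPASS -out "$WORK/ca.key.pem" 2>/dev/null
  openssl req -x509 -new -config "$WORK/req.cnf" -extensions v3_ca \
    -key "$WORK/ca.key.pem" -passin env:CAPASS \
    -subj "/O=Example Corp/CN=Example Corp Root CA" -days 3650 -out "$WORK/ca.cert.pem"
}

# 4. Sign the CSR with the root key: the same step a third-party CA performs.
sign_csr() {
  openssl x509 -req -in "$WORK/server.csr.pem" \
    -CA "$WORK/ca.cert.pem" -CAkey "$WORK/ca.key.pem" -passin env:CAPASS \
    -CAcreateserial -days 365 -extfile "$WORK/req.cnf" -extensions v3_server \
    -out "$WORK/server.cert.pem" 2>/dev/null
}

# 5. Convert the BASE64 (PEM) certificates to binary (DER) files for
#    SERVCERT and CACERTS.
to_der() {
  openssl x509 -in "$WORK/server.cert.pem" -outform DER -out "$WORK/server.cert.der"
  openssl x509 -in "$WORK/ca.cert.pem"     -outform DER -out "$WORK/ca.cert.der"
}

# Checks worth running before uploading: the certificate validates against the
# root, the private key really belongs to the certificate, and the DER parses.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.cert.pem" "$WORK/server.cert.pem" >/dev/null
}
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/server.key.pem" -passin env:KEYPASS -pubout | openssl sha256)
  c=$(openssl x509 -in "$WORK/server.cert.pem" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ]
}
der_subject() {
  openssl x509 -inform DER -in "$WORK/server.cert.der" -noout -subject
}

write_config; gen_server_key; gen_csr; gen_root_ca; sign_csr; to_der
verify_chain
key_matches_cert
echo "ok: key, CSR, root CA and certificates are in $WORK"
```

For a certificate from a third-party CA you would stop after gen_csr, submit server.csr.pem, save the returned certificate as server.cert.pem and the CA's root as ca.cert.pem, and then run to_der and the two checks unchanged. Keep ca.key.pem off the HP NonStop system altogether; only ca.cert.der (for CACERTS), server.cert.der (for SERVCERT) and server.key.pem (for SERVKEY) need to be uploaded.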