CA MANAGEMENT
Version 2.0
SECUDE Sicherheitstechnologie Informationssysteme GmbH, Landwehrstraße 50a, D-64293 Darmstadt. World Wide Web: http://www.secude.com. Support: camanagement@secude.com
Copyright SECUDE GmbH 1997-1999. SECUDE Library Version 5.2, CA MANAGEMENT Version 2.0.12. Version 2.0 / Spring 1999
Contents

1 Introduction
1.1 Functions of a CA
1.2 Personal Security Environment (PSE)
1.3 Issue Certificates for Users
1.4 Security Guidelines for Operating a CA
1.5 Distinguished Names
1.6 Passwords

2 CA MANAGEMENT Installation
2.1 Prepare the Installation
2.2 How to install CA MANAGEMENT
2.2.1 Installation via Internet
2.2.2 Installation from CD ROM or Network
2.3 Aborting the installation

4 Options
4.1 User-specific Settings
4.1.1 Program Options
4.1.2 SECUDE
4.1.3 X.500
4.1.4 Warning Periods
4.2 CA-specific Options
4.2.1 Issuer
4.2.2 PSE Options
4.2.3 User Options
4.2.4 Sphinx Pilot

5 Management of the CA
5.1 CA MANAGEMENT Overview
5.2 The Tool Bar
5.3 The Menu Bar
5.3.1 File
5.3.2 View
5.3.3 CA-PSE
5.3.4 User
5.3.5 Extras
5.3.6 Smartcard
5.3.7 Window
5.3.8 Help (?)
Preliminary Remarks
Target Group
System administrators.
Preview
Chapter 1 gives an overview of the tasks of a certification authority (CA). It describes the theoretical principles of key distribution and the security guidelines for operating a CA. Chapter 2 describes the installation. The installation program requests all user entries and guides you through the installation. Chapters 3 to 8 explain how to use SECUDE CA MANAGEMENT. The organisation of a security infrastructure, the program options, the management of a CA-PSE, and user management are discussed. Key generation and import of external data are explained. Chapter 9 contains a glossary of the most important terminology, Chapter 10 the list of illustrations and the list of tables, Chapter 11 the bibliography. The Appendix is contained in Chapter 12. For quick information on the individual topics the chapters can be read separately. Cross-references to related topics are provided.
Copyright: Cryptoflex is a registered trademark of Schlumberger Industries. Microsoft is a registered trademark of Microsoft Corporation. R/3 is a registered trademark of SAP AG Walldorf. SECUDE is a registered trademark of GMD German National Research Center for Information Technology. TCOS is a registered trademark of Deutsche Telekom AG.
1 Introduction
A certification authority (CA) has the task of issuing certificates for users, i.e. of making a connection between the user and his public key. This is achieved by means of the so-called digital signature. The CA signs with a digital signature a data package consisting of the user's public key, a serial number issued by the CA, a period of validity, and the user's name. The combination of this data package and the CA's signature is called the certificate.
1.1 Functions of a CA
Operating a CA demands a number of organisational steps which at this point will not be further detailed. The following gives a short description of the technical resources that are required to run a CA.
Generate CA keys
For certification operations a CA needs its own asymmetric key pair. SECUDE deposits this key pair in a CA-PSE, which is protected by a password, the same as with a user's PSE. The CA key pair demands special protection. The CA's asymmetric keys should be at least 1024 bits long. Depending on the intended validity period longer keys should be used. SECUDE in the present version supports key lengths between 512 and 2048 bits. An RSA key with less than 512 bits is not advisable, as the probability of it being cracked within a short time (several hours) is very high. The renewal of a CA key involves considerable time and money. As all parties in the security infrastructure require the CA's key to be stored in their PSEs to check other certificates, a new CA key must be supplied to them all, and all the parties' certificates must be re-issued and distributed. It is therefore recommended that the CA key be given a long period of validity (e.g. 5 or 6 years) and that it be given protection by using a lengthy key (1536 bits usually).
Certify users
The function of the CA is to issue certificates for the participants of the security infrastructure. All partners in the communication to be safeguarded (not only persons, but also, for example, printers and application servers) have to be included. When issuing a certificate the CA ties a user's name to his public key. This is achieved with the digital signature of the CA under the user's certificate. This means that the CA guarantees that the name and public key in the certificate belong to one and the same person. The CA has two ways of issuing a certificate. In the first, the user generates his own key pair and gives the public key, as a so-called prototype certificate, to the CA for certification. In this case the CA must ensure that the name in the prototype certificate is correctly assigned before a signature is given, i.e. before the certificate is issued. This may require that the person identifies himself with a national or company ID. Checking the name by phone or e-mail is not sufficient. The advantage of this version is that only the user is in possession of his private key and third parties are excluded. The user must now, however, take very good care of his private key so that, should a PSE be lost, it can be re-created. In the second, the CA generates the key pair for the user. With SECUDE this means that a complete PSE is created for the user. When the PSEs are handed over to the users, the CA is obliged to ensure that each PSE goes to the correct user. SECUDE's CA MANAGEMENT safeguards the newly issued PSEs with a transport password. The user is informed of the password by separate means.
[Figure: contents of a PSE for user "Smith": Signature Certificate, Private Key, Certification, Revocation Lists]
SECUDE offers the options either to store the PSE on a smartcard or as an encrypted file on the hard disk of the computer. According to the version of the PSE (file or smartcard) it is more or less difficult to get possession of these sensitive data. With a file PSE it may even happen that the legitimate owner does not notice the loss. An attacker who manages to spy out the password and copy the file PSE has all necessary information at his fingertips. This is different when the PSE is on a smartcard. The loss of the card would normally be noticed by the owner very quickly (not when he is on holiday or in similar cases). However, special terminals are required for smartcards. Should a user notice that someone else has found out his file PSE password, the security administrator must be informed. The latter must decide whether a new PSE should be created or whether changing the password is sufficient. If it is suspected, even without conclusive evidence, that the PSE password is known to third parties, the PSEs should, to be on the safe side, be changed. With smartcards only the card password need be changed.
CA creates PSE
When the CA generates the keys it is possible to leave either the certificate (i.e. the certified public key), or the whole PSE (i.e. the certified public key plus the private key), in the CA's safekeeping. If the user needs his PSE again in the future, for whatsoever reason, he can have it handed out by the CA. This, however, has as a prerequisite a relationship of trust between the infrastructure participants and the CA, as the private key is also in the hands of the CA. When the CA creates the PSEs for the users of the security infrastructure, the user is not responsible for any security measures. A further advantage of this procedure is its simplicity. The CA can create the PSE in a single run. It generates the key pair and certifies the public key. SECUDE CA MANAGEMENT generates a random transport password and encrypts the PSE with it. The user is informed of the password by separate means.
[Figure: CA creates PSE. Parties: Security Administrator, User. Step 1: Generation of PSE]
In this way the CA ensures that only the user and the security administrator know the transport password.
[Figure: user creates PSE. Parties: Security Administrator, User. Step 1: Generate PSE. Step 2: Prototype Certificate]
This procedure gives the user the certainty that nobody else is in possession of his private key. The user himself must take care of jobs such as making a backup copy of his PSE. The transport of the prototype certificate from the user to the CA and the return of the certificate must also be dealt with. The user has then also to update the PSE with the certificate from the CA. The advantage of this procedure is that the information transmitted, such as the prototype certificate and the certificate, is not security sensitive. All information transported is public anyway. The CA must only make sure that the prototype certificate actually belongs to the user. All sensitive data such as the password of the PSE or the private key remain with the user.
in which persons are unambiguously named world-wide. DNs are defined in the standard ISO / ITU X.500. The certifying authority and its users need such unambiguous names. A Distinguished Name can be composed of several components. The following table gives an overview of the name components supported by SECUDE.
Abbreviation  Meaning
BC            Business Category
C             Country
CN            Common Name
D             Description
L             Location
O             Organisation
OU            Organisational Unit
S             Surname
SN            Serial Number
SP            State or Province
ST            Street Address
T             Title
The most widely used name components are in bold print. A Distinguished Name is made up of a combination of the above abbreviations and corresponding values.
Examples of Distinguished Names:
CN=Bill Bo, OU=R3Administration, O=SECUDE GmbH, L=Darmstadt, C=DE
CN=Bill Bo, O=SECUDE GmbH, C=DE
O=SECUDE GmbH, C=DE
It is not necessary to use every name component in the name. What is important is the order of the components. First should come, if existent, the common name, then organisational unit, then organisation, location, and finally country. It is advisable to use a short, unambiguous name for a CA. A CA certifies the public key of a user's asymmetric key pair. It is standard procedure that with the certification the user's certificates receive the name of the CA as a suffix to their name. The second and third lines of the above example show how the name of a CA and one of its users can be composed: the participant Bill Bo has the name of the CA integrated i.e. O = SECUDE GmbH, C = DE.
1.6 Passwords
A PSE password is comparable in its function to the PIN of an EC card. It is required for logging on and to allow other programs access to the PSE. It protects the PSE from unauthorized use by third parties. The password should be known only to the owner of the PSE. It should be made up of a combination of letters (upper and lower case), special characters (blanks may also be used) and numerals. The length of the password may be up to 50 places, the exception being that smartcards allow only a password length of eight places. To help users choose their passwords with care the CA can stipulate Password Rules which the users are obliged to observe. In any case, special care should be taken when choosing passwords. It is advisable not to use any common names or terms and nothing that is in any way personally related to the owner of the PSE (e.g. phone no., birthdates of family members, etc.).
Examples of poor passwords are: Bill, clinton, 1234, test, ... Examples of good passwords are: EbTiN97! or ?d1X3h:Ijk5, ...
It is very difficult to remember a password like ?d1X3h:Ijk5; even AbDiN97! is not much easier. It becomes easy enough, however, when a sentence is hidden behind the apparently random series of letters and numerals and its first letters are used, e.g. A blue day in November 97! With a memory jogger like this and a minimum length of 6 places the password is reasonably safe.
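The rules of this chapter expressed as a checker, as an added example that is not part of the SECUDE manual: mixed letter case, numerals and special characters (blanks allowed), at least 6 and at most 50 places for a file PSE, at most 8 for a smartcard, and no common or owner-related terms. The list of common terms and the owner terms are constructed sample data, not a SECUDE rule set.

```python
# Added example: a checker for the password guidance of Chapter 1.6.
# Limits (6 .. 50 places, 8 for smartcards) are taken from the manual; the
# term lists below are constructed for illustration.
import string

MIN_LEN = 6            # memory-jogger minimum given in the manual
MAX_LEN_FILE = 50      # file PSE
MAX_LEN_SMARTCARD = 8  # smartcard PSE

# Constructed sample of "common names or terms" (includes the manual's poor
# examples); a real CA would maintain its own list.
COMMON_TERMS = {"bill", "clinton", "1234", "test"}


def check_password(pw, smartcard=False, owner_terms=()):
    """Return a list of rule violations; an empty list means the password passes.

    owner_terms: constructed per-user data such as surname, phone number or
    family birthdates that must not appear in the password.
    """
    problems = []
    max_len = MAX_LEN_SMARTCARD if smartcard else MAX_LEN_FILE
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} places")
    if len(pw) > max_len:
        problems.append(f"longer than {max_len} places")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeral")
    # Blanks count as special characters, as the manual allows them.
    if not any(c in string.punctuation or c == " " for c in pw):
        problems.append("no special character")
    lowered = pw.lower()
    banned = COMMON_TERMS | {t.lower() for t in owner_terms if t}
    for term in sorted(banned):
        if term in lowered:
            problems.append(f"contains banned term {term!r}")
    return problems
```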
2 CA MANAGEMENT Installation
When operating a CA it is advisable to use a computer that is not accessible to everybody. Firstly this means that the computer should not be directly linked to a network or should be provided with specific protective features (firewall or similar) to prevent unauthorized access through the network to this one special CA computer. Secondly the CA computer should be located in a secure room where no unauthorized persons can gain access to it. The private key of the CA must remain inviolable, otherwise all previously issued certificates become invalid.
used.
To operate SECUDE CA MANAGEMENT a data base driver (DAO, consisting of several DLLs) is required. This driver is automatically installed by CA MANAGEMENT. SECUDE PSE MANAGEMENT and UPDATE CADB are also automatically installed with SECUDE CA MANAGEMENT.
Figure 5: Unpacking
In the Welcome window of the setup program you are requested to end all other active applications. This is required as, otherwise, the setup program may not be able to carry out all the necessary steps for an error-free installation of CA MANAGEMENT.
Please read the software license agreement. If all conditions of the agreement are acceptable, the button Yes is clicked, otherwise the button No. (Note that clicking No stops the installation.)
The names of the user and her/his company are required for the installation.
Windows 95 and Windows NT from version 4.0 provide for the installation of application programs the directory Program Files. It is recommended for the installation of CA MANAGEMENT to make a subdirectory SECUDE there. A change in the destination of the installation can be made via the button Browse. If the path for the installation is accepted, the button Next can be clicked.
Here the name of the folder is entered under which the setup program creates the icon to call CA MANAGEMENT. SECUDE is used as the standard proposal. Next is clicked to confirm the entry.
The directions of the installation program can be followed. After the button OK is clicked the installation program starts the setup.
To use secude.dll you need a valid license ticket. This generally comes with the software package.
When the setup is finished an information window appears showing the installed components.
After CA MANAGEMENT is installed, it can be used immediately. The computer does not need rebooting. If you have already been working with an older version of CA MANAGEMENT, it may be necessary to update the database. From version 1.3.5 please run the installed program UpdateCADB.exe for all existing CAs. If it is an earlier version, please ask the SECUDE hotline.
To abort the installation, Exit Setup in the above window must be clicked or the key ESC pressed.
After the program has been loaded the dialog box appears for log-on. When CA MANAGEMENT is started for the first time, no CA-PSE is available for log-on.
A new security infrastructure must be organised, i.e. a CA-PSE created. First the so-called root authority is created by clicking the button Create in the dialog box Log On (see Chapter 3.2 Create a Root Authority).
The following sections lead the way through the Organization of a Security Infrastructure.
Certification Structure
Before creating the root authority the structure of the certification process should have been planned. Is the root authority to certify all users (flat, simple structure) or is a hierarchic structure with several certification centers planned? With a hierarchic structure it is possible, for example, to have the users certified by different authorities according to the work they are doing. When a company has branches in different locations, it would be possible to have one certification authority per branch. In a hierarchic structure the root authority certifies CAs which then certify the users. The hierarchy can be organised on several levels, according to local requirements (see Chapter 3.3 Create a Subordinate CA).
Create CA-PSE
A CA-PSE can be created either with the menu item File/Create root CA or with the button Log On... and the button Create....
This calls the PSE Wizard. Here all parameters needed for the creation of the CA-PSE can be set. The parameters are valid for the whole life of the CA, which means that once the CA is created no changes can be made to the settings. It is therefore advisable to give the settings a great deal of forethought. While the parameters are being entered it is still possible to make changes. For this purpose each of the dialog boxes of the PSE Wizard described below is provided with three buttons. With the button Back the previous mask can be returned to (perhaps to look something up or to make a change), with Next the next dialog box is reached, and with Cancel the procedure can be cancelled. A choice between a smartcard PSE, a file PSE on the hard disk or a PSE stored on a RACAL cryptoboard can be made. Pros and cons of the three versions can be found in Chapter 1.2 Personal Security Environment (PSE) and in Chapter 3.1 Basic Information on the Organisation of a Security Infrastructure. The following chapter describes the creation of a PSE as file. It should be read even if a smartcard PSE is to be created, since Chapter 3.2.2 Creating a Smartcard CA-PSE only deals with the differences that occur when creating PSEs on smartcards.
Type of PSE
Distinguished Name
A Distinguished Name is entered here. This DN identifies the CA unambiguously. It is also called the Distinguished Name of the Owner and appears in every certificate issued by the CA. The structure of the Distinguished Name can be seen in Chapter 1.5 Distinguished Names. Special care must be taken when entering the Distinguished Name. All characters from which the Distinguished Name is made up, such as blanks, commas, etc., are important for later operations.
Name of PSE
The complete data path, including the name under which the PSE is to be stored, is entered here. By clicking the drive button the required directory can be found in the dialog box Select PSE. If the directory selected does not yet exist, a query appears whether this directory is to be created. Each CA should be provided with its own directory. In the example it is the directory C:\Certification Authority, which also contains the file capse.cse. This file capse.cse (the suffix cse stands for CA Security Environment) contains all relevant information on and keys of the CA.
CA Data
In the field CA Directory the directory which has been entered in the dialog box PSE Name is shown again. All files concerning the CA are stored in this directory, especially the CA database. It should be noted that only one CA database may exist per directory, as otherwise undesirable side effects may occur. Serial Number is a number automatically and uniquely assigned to a certificate by the CA, with which the CA unambiguously identifies the certificates it has created. This number should not be changed.
Version of Certificate
The standard which the certificate is to meet is entered here. It is advisable to create an X.509v3 certificate. Version X.509v1 is an older version from 1988 and is being replaced more and more by version 3 from 1996. Version 3 contains several additional fields in which, among other things, alternative names for the DN can be entered.
Here you specify whether the same key pair is to be used for signing and encrypting (select One pair of keys) or whether separate pairs are to be used for signing and encrypting (select Two pairs of keys). As the certificate of a CA is used mainly for signing and not for encryption, One pair of keys can be selected here.
Signature Certificate
The algorithm and key length for the signature key are determined here. If One pair of keys was selected, the key pair is used for both the signature and encryption. Hence the data in this dialog box are relevant for both tasks of the key pair that is to be generated.
The longer the key is, the better it is. SECUDE CA MANAGEMENT allows key lengths from 512 bits to 2048 bits. A key length of 1024 bits must be regarded as the minimum for a CA. The length of the key with which the CA signs the user certificates is defined here. The length of the key is also dependent on the validity period of the certificate and where it is to be used. In general it can be said that the longer the period is during which the CA issues certificates with this key, the longer the key must be. With a key length of 1024 bits it is realistic to perform certification work securely for at least two to three years. If the key pair is to be used for five years or more, the key should be at least 1280 bits long. If you have selected X.509v3-1996, you reach, using the button V3 Extensions, another wizard where the certificate extensions specified in the X.509v3 standard (see [X.509 v3] Chapter 12.4.2, Certificate extension fields) can be entered. Additionally the V3 Extensions wizard allows the entry of Netscape specified certificate extensions (see also [Netscape Certificates]).
Encryption Certificate
This dialog box appears only when Two pairs of keys has been selected. The algorithm and key length for the encryption certificate are determined here. Entries are similar to those made in the signature dialog box.
Validity Period
In the fields Valid from and Valid until the period is entered in which the CA's certificate is valid. The format for validity is determined by the Windows system settings. The standard format is MM.DD.YY (date) and hh:mm:ss (time). The abbreviations are as follows:
Table 2: Format of the Validity Fields

Abbreviation  Meaning
MM            Month, range 1 .. 12
DD            Day, range 1 .. 31
YY            Year, range 80 .. 38 (i.e. 1980 .. 2038)
hh            Hour, range 0 .. 24
mm            Minute, range 0 .. 59
ss            Second, range 0 .. 59
The validity period of user certificates issued should lie within the validity period of the issuing CA.
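The validity format of the table and the containment rule of the sentence above, as an added example that is not part of the SECUDE manual: a parser for MM.DD.YY and hh:mm:ss (two-digit years 80 .. 38 mapped to 1980 .. 2038) and a check that a user certificate's period lies within its CA's. The handling of hour 24 as end of day is an assumption made here; the manual only gives the range.

```python
# Added example: parse the Validity Period fields in the format of Table 2 and
# check that a user certificate's validity lies within the issuing CA's.
from datetime import datetime, timedelta
import re

_DATE = re.compile(r"^(\d{2})\.(\d{2})\.(\d{2})$")   # MM.DD.YY
_TIME = re.compile(r"^(\d{2}):(\d{2}):(\d{2})$")     # hh:mm:ss


def expand_year(yy: int) -> int:
    """Map a two-digit year to the 1980 .. 2038 window of Table 2."""
    if 80 <= yy <= 99:
        return 1900 + yy
    if 0 <= yy <= 38:
        return 2000 + yy
    raise ValueError(f"two-digit year {yy:02d} outside range 80 .. 38")


def parse_validity(date: str, time: str = "00:00:00") -> datetime:
    """Parse 'MM.DD.YY' plus 'hh:mm:ss' into a datetime.

    datetime() rejects out-of-range months, days, minutes and seconds itself.
    Hour 24 (the table's upper bound) is treated here as the end of the day,
    i.e. 00:00:00 of the following day; this interpretation is an assumption.
    """
    md, mt = _DATE.match(date), _TIME.match(time)
    if not md or not mt:
        raise ValueError(f"bad validity field: {date!r} {time!r}")
    mm, dd, yy = (int(x) for x in md.groups())
    hh, mi, ss = (int(x) for x in mt.groups())
    day = datetime(expand_year(yy), mm, dd)
    if hh == 24:
        if mi or ss:
            raise ValueError("hour 24 is only valid as 24:00:00")
        return day + timedelta(days=1)
    return day.replace(hour=hh, minute=mi, second=ss)


def within_ca_period(user_from, user_until, ca_from, ca_until) -> bool:
    """True if [user_from, user_until] lies inside [ca_from, ca_until].

    Each argument is a (date, time) pair in the Table 2 format.
    """
    uf, uu = parse_validity(*user_from), parse_validity(*user_until)
    cf, cu = parse_validity(*ca_from), parse_validity(*ca_until)
    if uf >= uu or cf >= cu:
        raise ValueError("Valid from must precede Valid until")
    return cf <= uf and uu <= cu
```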
The algorithm with which the prototype certificate is signed is chosen here. It is advisable not to change the setting. Certificates are designated as prototype certificates when they are self signed. As a root certificate is the highest certificate in the hierarchy, it cannot be signed by any other superordinate certificate.
Password
The password which will be used in future for log-on is entered here. The PSE file and the CA database are encrypted with the password. In this way no unauthorized person can gain access to the private key of the CA or the database. Information on passwords can be found in Chapter 1.6 Passwords.
Log-on Profiles
You enter here a symbolic name with which you can later identify this PSE when logging on.
Settings Overview
An overview of the settings that have been made is given. If you wish to make any changes to them this can still be done by clicking Back to the appropriate dialog box. When all parameters are in order the button Finish is clicked to create the PSE. Then the key generation, the creation of the certificates and of the whole PSE begins. This process takes, depending on the length of the key and the speed of the computer, several seconds to several minutes. The following figure gives an overview of how long it takes to create a file PSE, depending on the selected key length. The times were taken, on the one hand, on a PC with an AMD K6-2 300 MHz processor and, on the other, with the key generation taking place in the RACAL cryptoboard.
[Figure: PSE creation time against key length (bit): 768, 896, 1024, 1280, 1536, 1792, 2048; time axis 0 .. 45]
The increase in computing time for longer keys is not linear. In general a longer key means that the time taken for the generation increases more than proportionally to the length of the key. The processor speed has no influence on this general behaviour. The generation process is shown step by step. CA MANAGEMENT confirms its completion. This window can be closed by clicking OK.
After creating the CA-PSE all data should be checked again. If an error has slipped in and not been discovered before creating the CA-PSE, CA MANAGEMENT should be closed and the files created in the selected CA Directory deleted. Delete also, using the menu option Tools/Log-on profiles... the relevant log-on profiles. After this the CA can be re-created with the correct settings. Only after all data has been checked for correctness, can the certification of users be started. If certificates have already been issued with the CA-PSE, this PSE must not be deleted. It is advisable, before starting to create user PSEs, to enter the general settings in the dialog box Options (see Chapter 4 Options).
Type of PSE
When a smartcard PSE is to be created, select Smartcard.
Distinguished Name
The Distinguished Name of the CA is entered here. For the structure of a Distinguished Name see Chapter 1.5 Distinguished Names.
Smartcard
As a smartcard does not have very much memory it is necessary for large elements to have an extension of the PSE in form of an external file. For this so-called software extension of the PSE the file must be established. By clicking the drive button in the dialog box Select PSE you can navigate to the required directory. When this dialog box is left by clicking on Next a check is made whether an empty smartcard has been inserted in the smartcard terminal.
CA Data
Enter the directory for the CA database and the first serial number for user certificates.
Signature Certificate
Algorithm and key length of the certificate signature.
Encryption Certificate
If you have selected Two pairs of keys, you determine here the algorithm and key length for the encryption certificate.
Validity Period
In the fields Valid from and Valid until the period is entered in which the PSE is valid. The format for validity is determined by Windows system settings. The standard format is MM.DD.YY (date) and hh:mm:ss (time). The abbreviations used can be found in Table 2: Format of the Validity Fields
Password
The password for future log-ons is entered here. This password protects the smartcard from access by unauthorized parties. Information on passwords can be found in Chapter 1.6 Passwords.
With the PUK a card which has been blocked because of too many false password entries can be unblocked. As it is not displayed when typed, it must be entered twice to ensure its correctness. With the Error Limit the number of password tries is set after which the card is blocked. Which values are permitted depends on the type of card used. When exiting the dialog box the number entered is checked for correctness. Note: there is also an error counter for the PUK; it is fixed at 3.
Take good note of your PUK. It allows you access to your smartcard when this is blocked after too many false entries of the password.
Log-on Profiles
You enter here a symbolic name with which you can later identify this PSE when logging on.
Settings Overview
An overview of the settings that have been made is given. If changes are required, this can be done by clicking Back to the appropriate dialog box. When all parameters are in order the button Finish is clicked to create the PSE. Then the key generation for the PSE begins. The time taken to generate the key depends on its length. Older cards support a mere 512 bits (e.g. the TCOS 1.2 card), the newer ones (e.g. the TCOS 2.0 card) 1024 bits. The process can be followed in the window. After it is completed a confirmation comes from CA MANAGEMENT. This window can be closed by clicking OK.
Type of PSE
If you want to create a cryptoboard based CA-PSE, select here RACAL RG 700.
Distinguished Name
The Distinguished Name of the CA is entered here. For the structure of a Distinguished Name see Chapter 1.5 Distinguished Names.
RACAL RG 700
Only the private key is stored in the RACAL cryptoboard, all other elements are stored in a file PSE. The file PSE has a reference to the relevant private key in the RACAL cryptoboard. For this so-called software extension of the PSE the file must be established. By clicking the drive button in the dialog box Select PSE you can navigate to the required directory.
CA Data
Enter the directory for the CA database and the first serial number for user certificates.
Signature Certificate
Algorithm and key length of the signature certificate.
Encryption Certificate
If you have selected Two pairs of keys, you determine here the algorithm and key length for the encryption certificate.
Validity Period
In the fields Valid from and Valid until the period is entered in which the PSE is valid. The format for validity is determined by the Windows system settings. The standard format is MM.DD.YY (date) and hh:mm:ss (time). The abbreviations used can be found in Table 2: Format of the Validity Fields
Password
The password for future log-ons is entered here. This password protects the smartcard from unauthorized access. Information on passwords can be found in Chapter 1.6 Passwords.
Log-on Profiles
You enter here a symbolic name with which you can later identify this PSE when logging on.
Settings Overview
An overview of the settings that have been made is given. If changes are required, this can be done by clicking Back to the appropriate dialog box. When all parameters are in order the button Finish is clicked to create the PSE. Then the key generation for the PSE begins. The time taken to generate the key depends on its length.
Here you select the appropriate issuer algorithm for the logged-on CA-PSE. When all settings have been made the OK button is clicked. Depending on the length of the key the creation of the subordinate CA-PSE may take a few minutes. After the CA-PSE has been created, it can be selected via the Log On dialog box in the same way as the root authority CA. Moving between various CAs is done by logging off and on.
4 Options
With the menu item Tools/Options the Options dialog box can be opened. The options that can be set here concern the presettings for the creation of PSEs and general settings for CA MANAGEMENT. It is advisable to make these settings as early as possible. The dialog box Options is made up of a number of areas that are arranged as index cards. The settings under Program Settings, Secude, X.500 and Warning Times are common to all certification authorities operated by one user. The settings under Issuer, PSE Options and Sphinx Pilot [Sphinx] can be set individually for each certification authority and are therefore only shown when you are logged on to a CA-PSE.
Button Apply
When a change has been made in the Options dialog box, the change is saved by clicking the button Apply. When OK is clicked the change is executed and the Options dialog box is closed. With the button Cancel the change is rejected and the Options dialog box closed. The change can, of course, only be rejected if it has not previously been saved with Apply.
General Options
The field Verbose Level controls the degree of detail of error messages: 0 gives a short text, 3 the most detailed explanation. If problems occur in the execution of the program, set a more detailed Verbose Level and then re-run the function that caused the error. The complete error message should be sent by e-mail to support@secude.com or by ordinary mail to SECUDE GmbH.
the SAP user name "SMITH001", the setting "<SAPUsername>, <IssuerDName>" results in the following Distinguished Name of the user:
CN=SMITH001, O=SECUDE GmbH, C=DE
Create PSE
When the option Add List of Public Keys is set, a file can be selected in the field below which contains a list of certificates, or rather the public keys (for example, in PEM format) included in them. With the drive button in the file dialog box a file can easily be selected. The list entered here is included as a further element in the PSE when PSEs are later created. This option is advisable when, for example, all users of one's own CA should trust an outside CA: by storing the outside CA's certificate in a user PSE, that CA is considered trustworthy.
4.1.2 SECUDE
Presettings for the SECUDE security library are made here for CA MANAGEMENT. Their purpose is to define the parameters of the checks carried out on digital signatures.
Use aliases
When certificates are looked up by Distinguished Name, the alias list is consulted to resolve the name.
ETC Directory
In the etc-directory you can store, for example, the smartcard configuration file. The setting depends on the PC and caution should be exercised when changing it.
4.1.3 X.500
This index card determines the access to a directory service. If, for example, when checking a certificate, one certificate of the certification path is missing in the PSE, the automatic search for the missing certificate can be activated here. SECUDE supports two directory services: X.500 via an LDAP server, and AFDB (Authentication Framework Data Base, a SECUDE-developed substitute for an X.500 directory). When both services are selected, AFDB has the higher priority when reading. If access to LDAP is also required, the appropriate entries (ask your LDAP administrator for them) must be made in the fields Server, Port and Tailor. An entry in the field Library is only necessary when a library other than the standard library installed with SECUDE CA MANAGEMENT is to be used. With the button Test LDAP-LIB you can check whether the selected library exists. Your LDAP administrator will be able to inform you of the X.500 password.
validity in days it is possible to issue certificates for very short as well as long periods. The values set here are proposed as default values when signing, but can be changed.
PSE Directory
Here the directory is entered in which the users' PSEs created by CA MANAGEMENT are stored. With the button a dialog box is opened to select a directory. The directory is selected by a mouse click. If a directory is entered that does not yet exist, it is created.
Owner Options
In the area Owner Options the type of PSE can be set, either a PSE with one key pair or a PSE with two key pairs. This refers to the number of asymmetric key pairs to be created, and their functions. When a PSE is created with a single key pair this is used for both signature and encryption. With two key pairs each function has its own key pair. The value which is entered in the field Key length depends on the validity period given to the certificate. For certificates with a validity period of two to three years a 1024 bit key length is sufficient.
Password Options
In the area Password Options either a standard initial password can be entered or the generation of a password can be left to the program. If the check box is not ticked and the second field remains empty, one of these options has to be chosen, or a password entered, every time a PSE is created.
PUK Options
The area PUK Options is important when creating smartcard PSEs. The PUK is used to unblock a smartcard after too many retries have been made. For the PUK the same applies as for Password Options.
duces the following default PSE name for the corresponding user: jbond007.pse.
Management of the CA
The program can be started from the icon on the left. In the Windows start menu the entry can be found under:
\Program Files\SECUDE\CA Management
After the program has been loaded the dialog box for log-on appears. If SECUDE CA MANAGEMENT is started for the first time, no CA-PSE is present with which to log on. Chapter 3 Organisation of a Security Infrastructure describes how a new CA-PSE is created. If a CA-PSE has already been created, the symbolic name you have given to address your CA-PSE is entered in the text bar Log-on Profiles of the Log-on dialog box (see Figure 27: PSE-Wizard Log-on Profiles). The password is then entered in the text bar Password and OK is clicked.
With the button you reach the dialog box Log-on Profiles (see Chapter 5.3.5.3 Extras / Log-on Profiles).
The two buttons on the left of the tool bar allow a fast log-on or log-off. Log-on and -off can also be made via the menu item File. Via the drop-down menu View the tool bar and status bar can be hidden or displayed.
CA MANAGEMENT is designed according to the Windows Style Guide and is operated accordingly.
By clicking the left mouse button on the edge of the tool bar and holding it, the bar can be dragged to another position in the main window, e.g. to the left side. It is also possible to drop it outside the main window.
Button / Function
Log on to your CA-PSE. The Log-on dialog box is opened. Only active when logged off.
Log off from the active CA-PSE. Only active when logged on.
Edit or create a User entry. The User form is opened. Only active when logged on.
Create a list of user PSEs. The PSE Creation dialog box is opened. Only active when entries in the user list have been selected.
Change the CA-PSE Password. The Change Password dialog box is opened. Only active when logged on.
Verification of the CA-PSE. Only active when logged on.
Display Signature certificate. The Display Certificate dialog box is opened. Only active when logged on.
View all elements stored in the CA-PSE such as revocation lists, root certificate, own certificates, etc. The PSE Contents dialog box is opened. Only active when logged on.
Table 3: Toolbar
The menu consists of the standard components File, View, Tool, Window, and ? (for Help), and of CA MANAGEMENT-specific parts such as PSE, User, and Smartcard.
A menu item can be opened by a left mouse click or with the key combination Alt and the underlined letter in the menu item, e.g. the letter F in File. In the Status Bar of CA MANAGEMENT a short explanatory text for each menu item is displayed. For the menu item File/Log On the status bar (provided it is active) contains the explanatory text Log On as a CA.
5.3.1 File
The menu File contains functions for log-on and -off as a CA, for generating a CA-PSE, import functions for external data and for exiting CA MANAGEMENT, plus a list of the existing CAs.
5.3.1.1 File / Log On
The menu item File/Log On is active only when not logged on. The dialog box Log On is opened. With this dialog box a CA-PSE can be chosen and the password entered. In this way the CA-PSE is opened and work with it can be started. Creation of a CA-PSE can also be started from the Log On dialog box.
5.3.1.2 File / Log Off
The menu item File/Log Off is active only when logged on. Use this menu item to close the CA-PSE, i.e. to log off. Logging off does not exit the program.
5.3.1.3 File / Create CA
The menu item File/Create CA is active when logged off. The dialog box for entering and generating a CA-PSE is opened with this menu item. For details see Chapter 3.2 Create a Root Authority.
5.3.1.4 File / Create Subordinate CA
The menu item File/Create Subordinate CA is active when logged on. The dialog box for entering and generating a subordinate CA is opened with this menu item. For details see Chapter 3.3 Create a Subordinate CA.
5.3.1.5 File / Import / SAP Report
The menu item for importing external data into an existing CA-PSE is active only when logged on. With this menu item, user data from SAP R/3 (from version 3.1G) can be imported. All data required for the creation of a PSE are transmitted from R/3 (see Chapter 8.1 Import of SAP R/3 User Data).
5.3.1.6 File / Import / SECUDE
The menu item for importing external data into an existing CA-PSE is active only when logged on. Existing CA-PSE data created with the SECUDE command line tools can be imported with this menu item.
5.3.1.7 File / Recent Log List
When SECUDE CA MANAGEMENT is called up for the first time this list is empty. Later you can use this menu item to bypass the Log-on dialog box by logging on with a previously opened CA-PSE; you need only enter the password. If you are already logged on with a CA-PSE, you are logged off from it without any confirmation prompt.
5.3.1.8 File / Quit
The program is exited immediately with this menu item. If logged on to a CA-PSE, this is closed first and then the program is exited.
5.3.2 View
The drop-down menu View consists of the menu items to show or hide the tool bar and the status bar. The revocation lists of the CA and the user list can be displayed.
5.3.2.1 View / Tool Bar or Status Bar
When the tool bar or the status bar is active the respective menu item is marked by a tick. When there is no tick the bar is hidden.
5.3.2.2 View / User List or Revocation List
With the menu item View/User List the user list of the CA is displayed. Information on the CA revocation lists can be found under the menu item View/Revocation List. The revocation lists can also be processed here.
This menu item allows switching between User List and Revocation List. To bring up the revocation list choose View/Revocation List, to bring up the user list choose View/User List. Note: Switching is also possible via the key combination <Ctrl+F6>. The title bar of the program window of CA MANAGEMENT changes accordingly. In the view Revocation List the displayed revocation list can be processed. For details see Chapter 7 Revocation List Management.
5.3.3 CA-PSE
The menu CA-PSE displays information on the CA-PSE, and the PSE can be processed. Furthermore it is used to write requests for certification of prototype certificates and to add revocation lists into the CA-PSE.
5.3.3.1 CA-PSE / Show Signature Certificate
With the menu item CA-PSE/Show Signature Certificate... the signature certificate can be displayed. The certificate information is shown clearly in it. In the index card Owner the most important certificate data can be found: the Distinguished Name of the CA (owner), the Distinguished Name of the issuing CA (issuer), the period of validity, the serial number and the version number. If the CA is a root authority, the Distinguished Names of owner and issuer are identical.
On the other index cards the remaining information on the certificate can be found.
Note: The menu item is only active when logged on.
5.3.3.2 CA-PSE / Show Encryption Certificate
If the PSE has two key pairs, the encryption certificate can be displayed with CA-PSE/Show Encryption Certificate... The encryption certificate window is structured analogously to the one for the signature certificate. This menu item is only active when logged on and with a PSE with two key pairs. When the PSE has one key pair the menu item is grayed out.
5.3.3.3 CA-PSE / Write Certificate Request
With this menu item a request for certification can be written to the superior CA. In the dialog box Write Certification Request the name of the file (including the path) is entered in which the request is to be saved. The superior CA should have access to this file. After asking the superior CA which formats it supports, you can determine in the field Type of File whether the file is to be saved in pem format or in PKCS#10 format
[PKCS#10]. If the file has been stored on a server accessible for other people, the issuing CA should be asked for an unambiguous file name, so that no confusion can occur. The superior CA must now be informed where the request for certification is to be found or whether it will be sent by e-mail or by floppy disk.
Note: The menu item is only active when logged on.
5.3.3.4 CA-PSE / Read Certificate Response
After the request for certification has been processed by the superior CA, the signed certificate can be inserted into your PSE with the menu item CA-PSE/Read Certificate Response. In the dialog box that is then opened, the directory and file where the response is located are selected. The two formats pem and PKCS#7 (see [PKCS#7]) are supported.
If you have selected a certification response in pem format, you get information on it in the window Process Certification Response. You can read whether the certification response fits your certificate, that is, whether the response contains your public key. The following line gives information on the validity of the digital signature. If you are being certified for the first time or if you have changed the CA, the certification response will contain a new root certificate not yet
included in your PSE. It is therefore essential to check the checksum (fingerprint) of the root certificate's public key. Only in this way can you make certain that your certification response has been processed by the right CA. The checksum (fingerprint) of the root certificate's public key should be published by the root authority; this can be done, e.g., in a company publication or in the daily newspapers. Checking the checksum (fingerprint) is an important measure: a potential attacker who tries to foist a false certificate (and thus his own public key) onto you is revealed by an incorrect checksum (fingerprint). Only after the automatic verification of the certification response has turned out positive should you insert it by clicking the button Add.
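The fingerprint check described above, as an added example that is not part of the manual or of SECUDE's code: it parses a PEM certificate, computes the fingerprint of the root certificate's public key and compares it with the published value. The manual does not say how SECUDE computes or displays its checksum; the example assumes SHA-1 over the DER-encoded SubjectPublicKeyInfo shown as colon-separated hex, and the sample certificate is a constructed, unsigned placeholder.

```python
"""Added example, not SECUDE code: check a root certificate's public-key
fingerprint against the value the root authority has published out of band.
Assumed, because the manual does not say: SHA-1 over the DER-encoded
SubjectPublicKeyInfo, displayed as colon-separated hex. Standard library only,
so a minimal DER walker is included.
"""
import base64
import hashlib
import hmac
import re


def der_read(buf, pos):
    """Return (tag, tlv_start, value_start, value_end) of the element at buf[pos]."""
    tag, length, vstart = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[vstart:vstart + n], "big")
        vstart += n
    return tag, pos, vstart, vstart + length


def der_children(buf, start, end):
    """Yield the elements inside a constructed value occupying buf[start:end]."""
    pos = start
    while pos < end:
        elem = der_read(buf, pos)
        yield elem
        pos = elem[3]


def pem_to_der(pem_text):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def subject_public_key_info(cert_der):
    """Return the DER bytes of subjectPublicKeyInfo.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, _, cstart, _ = der_read(cert_der, 0)
    tbs_tag, _, tstart, tend = der_read(cert_der, cstart)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not an X.509 Certificate SEQUENCE")
    fields = list(der_children(cert_der, tstart, tend))
    if fields and fields[0][0] == 0xA0:     # explicit [0] version is optional
        fields = fields[1:]
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("tbsCertificate has no subjectPublicKeyInfo")
    _, tlv_start, _, vend = fields[5]
    return cert_der[tlv_start:vend]


def fingerprint(spki_der):
    """SHA-1 of the public key info, shown the way a printed fingerprint would be."""
    digest = hashlib.sha1(spki_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_published(cert_pem, published):
    """True if the certificate's fingerprint equals the published value.

    Colons, spaces and letter case in the published value are ignored; the
    comparison is constant-time.
    """
    def norm(s):
        return re.sub(r"[^0-9A-Fa-f]", "", s).upper()
    computed = fingerprint(subject_public_key_info(pem_to_der(cert_pem)))
    return hmac.compare_digest(norm(computed), norm(published))


def der_tlv(tag, value):
    """Tiny DER encoder, used only to build the constructed sample below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_sample():
    """Constructed placeholder certificate: structurally valid, dummy key, unsigned."""
    alg = der_tlv(0x30, bytes.fromhex("06092A864886F70D010101") + b"\x05\x00")    # rsaEncryption
    country = der_tlv(0x30, bytes.fromhex("0603550406") + der_tlv(0x13, b"DE"))   # C=DE
    name = der_tlv(0x30, der_tlv(0x31, country))
    validity = der_tlv(0x30, der_tlv(0x17, b"990101000000Z") + der_tlv(0x17, b"011231235959Z"))
    rsa_key = der_tlv(0x30, der_tlv(0x02, b"\x00\xC1") + der_tlv(0x02, b"\x01\x00\x01"))
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_key))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + alg + name + validity + name + spki)
    cert = der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" * 9))
    pem = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode("ascii")
           + "-----END CERTIFICATE-----\n")
    return pem, spki


SAMPLE_PEM, SAMPLE_SPKI = build_sample()
PUBLISHED = fingerprint(SAMPLE_SPKI)    # what the root authority would publish
```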
Besides Add the dialog box has two other buttons. Clicking Message displays the pertaining (encoded) PEM messages; Print... prints the contents of the window. If the certification response is in PKCS#7 format, the dialog box contains essentially the same information; only the button Message is omitted because the response is not an ASCII file.
5.3.3.5 CA-PSE / Update Revocation List
If new revocation lists (from superior CAs) are to be inserted into the PSE, this is done by selecting in the menu CA-PSE the item Update Revocation List. This opens the dialog box PSE Revocation Lists, which displays the revocation lists in the PSE.
To insert a new revocation list in the CA-PSE Insert from File is clicked and the file in which the new revocation list is located is selected from the window Read Revocation List from File. The administrator responsible for the revocation list will inform you which file it is.
It is also possible to request with Insert from Directory revocation lists from an LDAP/X.500 directory service. To do this the Distinguished Name of the CA from which the revocation list is requested must be entered into the dialog box.
After a revocation list has been selected the following dialog box appears. In this dialog box you can check the validity of the revocation list before actually inserting it. For this the button Verify is clicked.
When the check is positive the revocation list can be inserted into the PSE by clicking the button Insert. For revocation lists to be used when verifying a digital signature, the check box "Verify Certificates against Revocation List" in the menu Tools/Options/SECUDE must be ticked. It must also be ensured that a valid revocation list from the superior CAs is available.
5.3.3.6 CA-PSE / Change Password
When creating the CA-PSE a password is established. This protects not only your CA-PSE, but also the CA database. For security reasons it should be changed regularly. Should a third party come into possession of the password, he is able to work with the CA, whether legitimately or not. Great care should be taken when choosing the password. For details see Chapter 1.6 Passwords. With the menu item CA-PSE/Change Password the dialog box Change Password is opened. In this box first the current password of the opened CA-PSE is entered.
The old password is requested so that no unauthorised person can change it in the owner's absence. The new password must be entered in the field New Password and repeated in Re-enter Password. When the CA-PSE is on a smartcard, the password length is restricted to eight characters. Otherwise it is restricted to 14 characters, as this is the maximum length for a Microsoft Access database. Then the OK button is clicked.
If the old password is entered incorrectly, the message on the left is shown.
If, when entering the new password, a typing error occurs in either of the fields, the message on the left appears. The OK button must be clicked and the entries retyped. If no errors were made with either the old password or the entry and repetition of the new one the program changes the password of the PSE and confirms it with the message on the left.
5.3.3.7 CA-PSE / Verify
A CA-PSE consists of a number of elements such as one's own certificates, root certificate, certification path, or revocation list. These elements are valid for a limited time and are subject to dependencies. With the menu item CA-PSE/Verify all necessary verification checks for the CA-PSE are made.
The following checks are made: current validity of the CA certificate, certificate path, current validity of the root certificate, revocation list, and all signatures. CA MANAGEMENT automatically verifies the elements whenever the CA-PSE is opened. If a period of validity is about to expire, a warning is given. Warning periods are stipulated under Extras/Options/Warning Periods.
5.3.3.8 CA-PSE / Write Certification Path
This menu item is used to make the certificate path of the CA available to other products (e.g. web servers or browsers from Netscape or Microsoft). After clicking CA-PSE/Write Certification Path a dialog box appears in which the file name is entered under which the certificate path is to be saved, and the appropriate file format for the product is selected.
CA MANAGEMENT saves each certificate belonging to the certificate path in its own file, which leads to a chain of related files, e.g. CApath.root.crt, CApath.path1.crt, ..., CApath.path5.crt. The last certificate in the chain is that of one's own CA.
5.3.3.9 CA-PSE / Display Contents
The PSE of a CA consists of several elements. All the elements are listed and displayed in the dialog box CA-PSE/Display Contents. The number of index cards varies according to the number of PSE elements included. Note: Function exists as a button.
The information shown varies according to the element. The display of a certificate contains the name of the issuer, the serial number, the period of validity, the checksum (fingerprint) of the public key, and data concerning the signature algorithm and the algorithm for which the key pair can be used. The key length is also shown. Under Revocation List the revocation lists received from the superior CAs are listed. Serial Number contains the serial number last issued by the CA.
5.3.4 User
With the drop-down menu User the dialog box to enter and to change user data and to create PSEs is opened. Certificates in LDAP directories can also be made available and be deleted from them.
5.3.4.1 User / Create User Entry
The menu item is active only when logged on. With User/Create User Entry the dialog box to enter and change user data is opened. This function is described in detail in Chapter 6 Management of User Data. Note: Function exists as a button.
5.3.4.2 User / Create List of PSEs
The menu item is active only when logged on and when at least one user entry in the user list is selected. The selection of a user is made with the left mouse button. Using the left mouse button together with the Shift key a block of entries can be selected. Using the left mouse button together with the Ctrl key individual entries can be selected or deselected within this block. By clicking User/Create
List of PSEs the selected PSEs are immediately created. Entries can also be selected for which a PSE has already been created; these entries are ignored when new PSEs are created. This function is described in detail in Chapter 6.3 Create User PSEs.
5.3.4.3 User / Write Certificates for LDAP The CA can put its certificates at the disposal of other users in an LDAP directory. To do this the certificates concerned are marked in the user list and the menu item User/Write Certificates for LDAP... clicked. This opens the window below:
The appropriate directory is selected and the name of an LDIF file is entered in the field File Name. CA MANAGEMENT then saves the marked certificates in this file. The LDAP administrator can now update his LDAP directory with this file.
5.3.4.4 User / Remove Certificates from LDAP
Certificates can also be deleted from the LDAP directory. The certificates to be deleted are marked in the user list and the menu item User/Remove Certificate from LDAP clicked. The dialog box below is opened:
The appropriate directory is selected and the name of an LDIF file is entered in the field File Name. CA MANAGEMENT then saves the marked certificates in this file. The LDAP administrator can now update his LDAP directory with this file.
5.3.4.5 User / Write List of Public Keys
This function is intended for users who cannot obtain the certificates of the participants in the certification infrastructure through a directory service such as LDAP. In this case the CA writes all public keys into a file (pem format), which it also digitally signs. This file must be distributed to the users, who can then copy it into their PSE using SECUDE PSE MANAGEMENT.
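The LDIF files produced by User/Write Certificates for LDAP and User/Remove Certificates from LDAP above, as an added example that is not part of the manual or of SECUDE's code. The manual does not show the file contents; the example assumes the directory attribute userCertificate;binary, the RFC 2849 LDIF layout (base64 values after "::", lines folded at 76 columns), and uses constructed placeholder bytes in place of real certificates.

```python
"""Added example, not SECUDE code: build the LDIF an LDAP administrator would
apply to publish or withdraw user certificates, corresponding to the menu
items Write Certificates for LDAP and Remove Certificates from LDAP.
Assumed, because the page does not say: the attribute is userCertificate;binary
and the file follows RFC 2849 (base64 values after '::', 76-column folding).
"""
import base64

ATTR = "userCertificate;binary"
LINE_MAX = 76


def fold(line):
    """Fold one logical line; continuation lines begin with a single space."""
    if len(line) <= LINE_MAX:
        return line
    parts, rest = [line[:LINE_MAX]], line[LINE_MAX:]
    while rest:
        parts.append(" " + rest[:LINE_MAX - 1])
        rest = rest[LINE_MAX - 1:]
    return "\n".join(parts)


def dn_line(dn):
    """A DN that is not an RFC 2849 SAFE-STRING must itself be base64-encoded."""
    safe = dn.isascii() and not dn.startswith((" ", ":", "<")) and not set("\0\r\n") & set(dn)
    if safe:
        return "dn: " + dn
    return "dn:: " + base64.b64encode(dn.encode("utf-8")).decode("ascii")


def _record(dn, op, certs):
    """One changetype: modify record that adds or deletes the given certificate values."""
    lines = [dn_line(dn), "changetype: modify", f"{op}: {ATTR}"]
    for cert in certs:
        lines.append(fold(f"{ATTR}:: " + base64.b64encode(cert).decode("ascii")))
    lines.append("-")
    return "\n".join(lines) + "\n\n"


def publish_ldif(entries):
    """entries: {dn: [certificate DER bytes, ...]} -> LDIF that adds the values."""
    return "".join(_record(dn, "add", certs) for dn, certs in entries.items())


def withdraw_ldif(entries):
    """LDIF that deletes exactly the listed certificate values from each entry."""
    return "".join(_record(dn, "delete", certs) for dn, certs in entries.items())


def unfold(text):
    """Undo line folding so each logical line can be inspected."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def certificates_in(ldif_text):
    """Decode every certificate value in a generated file (useful for checking it)."""
    prefix = f"{ATTR}:: "
    return [base64.b64decode(l[len(prefix):]) for l in unfold(ldif_text) if l.startswith(prefix)]


# Constructed sample input: placeholder bytes stand in for DER certificates.
SAMPLE_ENTRIES = {
    "CN=SMITH001, O=SECUDE GmbH, C=DE": [bytes(range(256)) * 2],
    "CN=Jürgen Müller, O=SECUDE GmbH, C=DE": [b"\x30\x82\x01\x00" + b"\xAB" * 40],
}
```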
A choice can be made whether all certificates that the CA has ever issued are copied into the file, or only the current ones. After clicking OK a dialog box opens in which directory and file name have to be entered.
5.3.4.6 User / Write Certificates as ASN.1
With this function the CA can write issued certificates as an ASN.1 structure. To do this the required certificates are marked in the user list and the menu item User/Write Certificates as ASN.1 is clicked. The dialog box below is opened:
Each certificate is written to its own ASN.1 file. Under Directory the directory is given in which the files are saved. With a click on the disk button a dialog box is opened in which you can navigate to the appropriate directory. The file names are composed of the value entered under Prefix and a unique number. In this version only the format ASN.1 can be set.
5.3.4.7 User / Generate Password Form Letter
This function is used to select entries from the CA database for generating an export file which in turn is used as a database for the Microsoft Word form letter function (see Section 8.3 Inform of Transport Password: Export to Microsoft Word Form Letter). In this way the PSE recipients can easily be informed about their transport passwords via password form letters. To do this, the respective certificates in the user list are selected and marked. Clicking User/Generate Password Form Letter opens the following dialog.
The list Available fields contains the fields that can be exported from the CA database. The list Export fields contains the fields actually to be exported. Using the left/right buttons, entries can be moved from one list to the other. In most cases it is neither necessary nor useful to export all fields. Using the up/down buttons, the order of the fields within the list can be stipulated. With Delete the list is emptied.
Once the fields to be exported and their order have been determined, click OK. A file dialog opens where directory and name for the export file are set. The export file is in CSV format (a list with entries separated by semicolons): each data set has its own line, and fields within one data set are separated by semicolons. The first line of the CSV file contains the names of the exported fields. The export file will often contain security-sensitive data, e.g. the passwords of the generated PSE files. For this reason the export file must always be kept in a secure environment and deleted as soon as it is no longer needed.
5.3.5 Extras
In the menu Extras special functions concerning the CA can be found. Via the item Password Policy rules can be established which the CA can oblige the users to follow. With the menu item Options global settings for CA MANAGEMENT are made. Via the item Log-on Profiles... the log-on profiles can be administered.
5.3.5.1 Extras / Password Rules
To support the choice of good passwords (cf. Chapter 1.6 Passwords) by the users for whom the CA creates PSEs, the CA can prescribe Password Rules which the users' passwords have to meet. The dialog box for this is opened with the menu item Extras/Password Rules.
In the Rules Editor norms can be set which the users' passwords must meet. With Length Restrictions the upper and lower limits for the length of the password are defined. In Character Set it is determined whether certain kinds of characters are required in the passwords. With Contents certain passwords are totally excluded, e.g. names known to the system such as user, group, computer and domain names, previous passwords, entries from a referential file (to which the user has read access but only the CA write access) containing undesirable passwords, or entries from a referential list compiled in this dialog box (one entry per line). Furthermore the validity period of the user password can be defined, together with how many times the user can still log on after the validity has expired; the latter is necessary so that the password can be changed after its expiry. Before insertion in the CA database the rules can be checked with Preview.
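The rule categories of the Rules Editor above (length restrictions, character set, excluded contents, validity period with a limited number of log-ons after expiry) applied to candidate passwords, as an added example that is not part of the manual or of SECUDE's code. The rule representation, the storing of previous passwords as hashes and the sample names and word list are assumptions.

```python
"""Added example, not SECUDE code: a checker for the kinds of rules the Rules
Editor can impose on user passwords: length limits, required character
classes, excluded contents (names known to the system, previous passwords,
a referential file of undesirable passwords, the dialog list) and the
validity period with a limited number of log-ons after expiry.
The rule representation and the hashing of previous passwords are assumptions.
"""
from dataclasses import dataclass, field
import hashlib
import string


def pw_hash(password):
    """Previous passwords are kept only as hashes (a salted password hash would be used in practice)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def load_reference_list(text):
    """Referential file or dialog list: one undesirable password per line, blanks ignored."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


@dataclass
class PasswordRules:
    min_length: int = 8
    max_length: int = 14                  # a file PSE password is limited to 14 characters
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_special: bool = False
    known_names: set = field(default_factory=set)        # user, group, computer, domain names
    previous_hashes: set = field(default_factory=set)
    undesirable: set = field(default_factory=set)        # referential file + dialog list
    validity_days: int = 90
    logons_after_expiry: int = 3


def check_password(pw, rules):
    """Return the rules the password violates; an empty list means it is acceptable."""
    problems = []
    if len(pw) < rules.min_length:
        problems.append(f"shorter than {rules.min_length} characters")
    if len(pw) > rules.max_length:
        problems.append(f"longer than {rules.max_length} characters")
    classes = [
        (rules.require_lower, string.ascii_lowercase, "no lower-case letter"),
        (rules.require_upper, string.ascii_uppercase, "no upper-case letter"),
        (rules.require_digit, string.digits, "no digit"),
        (rules.require_special, string.punctuation, "no special character"),
    ]
    for required, charset, message in classes:
        if required and not any(c in charset for c in pw):
            problems.append(message)
    low = pw.lower()
    if low in {n.lower() for n in rules.known_names}:
        problems.append("is a name known to the system")
    if pw_hash(pw) in rules.previous_hashes:
        problems.append("was used before")
    if low in rules.undesirable:
        problems.append("is on the list of undesirable passwords")
    return problems


def logon_permitted(rules, days_since_set, logons_since_expiry):
    """An expired password may still be used for a limited number of log-ons,
    so that the user can change it; after that, log-on is refused."""
    if days_since_set <= rules.validity_days:
        return True
    return logons_since_expiry < rules.logons_after_expiry


# Constructed sample rule set using names that appear in this manual.
SAMPLE_RULES = PasswordRules(
    known_names={"SMITH001", "jbond007", "SECUDE"},
    previous_hashes={pw_hash("Winter98!")},
    undesirable=load_reference_list("password\nsecret\n\nqwertz\n"),
)
```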
With Insert the rules are entered into the CA database. Sets of rules already in the database can be modified with Change and deleted with Delete. New clears all entries in the Rules Editor so that a new set of rules can be entered. When creating user PSEs it can be specified for each individual user in the user form which set of rules his password must meet (cf. Chapter 6.3 Create User PSEs). The password rules are only available to users working with the program SECUDE PSE MANAGEMENT.
5.3.5.2 Extras / Options
The menu item Extras/Options is active both when logged on and when logged off. The options that can be set with this item are the presettings for the creation of PSEs and general settings for CA MANAGEMENT. The settings in the dialog box Options have been treated in detail in Chapter 4 Options.
5.3.5.3 Extras / Log-on Profiles
A CA is unambiguously addressed when a log-on profile is used. The name of the log-on profile appears in the log-on dialog box of CA MANAGEMENT. If you are operating the CA on the same PC on which
you have created the log-on profile, you already have a log-on profile for this CA. If you want to operate the CA from another PC, however, you must first enter a log-on profile before you can log on. After selecting the menu item Extras/Log-on Profiles the dialog box below opens:
The list shows all known log-on profiles. When you click Add, the following dialog box opens:
Under Log-on Profile Name you enter the name by which you later want to address this profile. Under PSE Type you enter whether the PSE is saved in a file system, on a smartcard, or on a RACAL cryptoboard. If you click File, you must complete the text bars PSE Name and CA Directory; with Smartcard you must complete the text bars Card Type, Software Extension and CA Directory; and with RACAL RG 700 the text bars Software Extension and CA Directory.
With a file PSE you must enter the complete path and the name of your PSE in the text bar PSE Name. With a smartcard PSE you must enter the operating system of the smartcard in the text bar Card Type. With smartcard and RACAL based PSEs you must enter the extension of the PSE in the file system in the text bar Software Extension. In the text bar CA Directory you must enter the directory in which the CA database is to be found. Each disk button opens a file dialog box where you can navigate to the appropriate directory.
5.3.6 Smartcard
With SECUDE CA MANAGEMENT smartcards can be used instead of a file PSE. Both the CA-PSE and the user PSEs can be stored on a smartcard. The required settings can be made with the drop-down menu item Smartcard.
5.3.6.1 Smartcard / Terminal Setup
With the menu item Smartcard/Terminal Setup it is possible to configure smartcard terminals for both the CA and the user. The software supports the simultaneous operation of two terminals: the CA-PSE on a smartcard can be in the first terminal, whilst the user PSEs are being created on smartcards in the second terminal.
Different types of smartcard terminals can be configured. It is important that the terminal in use be chosen from the list, otherwise no guarantee can be given for correct functioning. The settings can be tested with the button Test.
If the terminal is not correctly configured or cannot be accessed, the message on the left appears. There are various reasons why a smartcard terminal cannot be addressed:
The terminal is not supported by the software.
The terminal is not connected to a power supply.
The terminal is not connected to the specified port.
The terminal is defective.
If the test is successful, the settings can be saved with Apply or OK. With OK the window is also closed. CA MANAGEMENT signals the successful installation. The dialog box to set up smartcard terminals for user PSEs is identical to the one for CA-PSEs.
5.3.6.2 Smartcard / Info User Smartcard
To get information on the smartcard plugin being used, the terminal, and the card, insert the user smartcard in the terminal and use the menu item Smartcard/Info User Card... The main point of interest is the entry under Card. If the entry is "with application", a PSE already exists on the card; otherwise the entry is "without application".
5.3.6.3 Smartcard / Unblock Password
When a smartcard has been blocked because of too many retries it can be unblocked here by entering the PUK.
5.3.6.4 Smartcard / Delete User Card
A smartcard that has been personalised by SECUDE can be deleted using this dialog box. All information stored on the card is irrevocably deleted. Deleting a smartcard is only possible when the password (or, depending on the type of card, the PUK) is known. When the password has been entered, the program asks for confirmation before deleting. Only when the button Yes is clicked is the information on the card deleted. A smartcard can thus be provided with new PSEs several times.
5.3.7 Window
With the drop-down menu Window several windows within CA MANAGEMENT can be arranged. You can also switch between the user list and the revocation list here. See also Chapter 5.3.2 View.
5.3.8.1 ? / Info
The dialog box Info shows among other things the current version number of CA MANAGEMENT. Additionally, all addresses of SECUDE GmbH can be found here.
5.3.8.2 ? / Info on SECUDE
In the dialog box Info on SECUDE, information about the library used by SECUDE is shown. Included are the version number, the options that have been set in the SECUDE library, and the supported plugins.
When making queries to SECUDE GmbH, the information from this dialog box should be included.
Column width
The width of a column can be changed by positioning the cursor between the field names. The cursor changes its appearance in this position. By double clicking the mouse here the optimum width is achieved. The width can also be changed by dragging and dropping the dividing line.
Sorting
After log-on the user list is automatically sorted by the column Distinguished Name. By clicking on the field buttons Distinguished Name, Valid from, Valid to, Serial number or Name the table can be sorted as required. Sorting is done in ascending order.
Symbols
The user list displays a number of symbols in different colors on the left of the window. The symbols are a quick way of showing the state of certificates already issued and those being processed.
(blue question mark) Data to issue a certificate have been transferred to the database but the certificate has not yet been issued or the PSE not yet created.
(green tick) The certificate is still valid and will not expire within the set warning period (see Chapter 4.1.4 Warning Periods).
(red exclamation mark) The certificate is still valid but will expire within the set warning period (see Chapter 4.1.4 Warning Periods).
(red cross) The certificate has either already expired or its validity period has not yet begun.
(black lightning) The certificate is revoked (see Chapter 7 Revocation List Management).
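As an added illustration that is not part of the SECUDE manual, the following Python sketch derives the same five states from a certificate record and builds the list of users an administrator should attend to; the record fields, the warning period in days, and the rule that "revoked" takes precedence over "expired" are assumptions made here.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Added example, not part of the SECUDE manual: derives the user-list symbol
# from a certificate record. The record fields follow the appendix tables
# (IsRevoked, ValidFrom/ValidUntil); the warning period is the CA option of
# Chapter 4.1.4, taken here in days. Names, dates and the rule that "revoked"
# wins over "expired" are assumptions made for this example.

SYMBOLS = {
    "pending": "blue question mark",
    "valid": "green tick",
    "expiring": "red exclamation mark",
    "invalid": "red cross",
    "revoked": "black lightning",
}
TODAY = date(1999, 4, 15)  # constructed reference date


@dataclass
class CertRecord:
    dname: str
    issued: bool = False  # certificate issued / PSE created
    valid_from: Optional[date] = None
    valid_to: Optional[date] = None
    is_revoked: bool = False


def cert_state(rec: CertRecord, today: date, warning_days: int) -> str:
    """Return the state key shown in the user list for one record."""
    if rec.is_revoked:
        return "revoked"
    if not rec.issued or rec.valid_from is None or rec.valid_to is None:
        return "pending"  # data transferred, certificate not yet issued
    if today < rec.valid_from or today > rec.valid_to:
        return "invalid"  # not yet valid, or already expired
    if rec.valid_to - today <= timedelta(days=warning_days):
        return "expiring"  # still valid but inside the warning period
    return "valid"


def cert_symbol(rec: CertRecord, today: date, warning_days: int) -> str:
    return SYMBOLS[cert_state(rec, today, warning_days)]


def renewal_report(records: List[CertRecord], today: date, warning_days: int) -> List[str]:
    """Distinguished Names whose certificates need attention (expiring or
    invalid): the list an administrator works through after logging on."""
    return [r.dname for r in records
            if cert_state(r, today, warning_days) in ("expiring", "invalid")]


def sample_records() -> List[CertRecord]:
    # Constructed sample data, one record per symbol plus a not-yet-valid one.
    return [
        CertRecord("CN=Pending User"),
        CertRecord("CN=Valid User", True, date(1999, 1, 1), date(2000, 12, 31)),
        CertRecord("CN=Expiring User", True, date(1998, 5, 1), date(1999, 5, 1)),
        CertRecord("CN=Expired User", True, date(1998, 1, 1), date(1999, 3, 31)),
        CertRecord("CN=Future User", True, date(1999, 6, 1), date(2000, 6, 1)),
        CertRecord("CN=Revoked User", True, date(1999, 1, 1), date(2000, 1, 1), True),
    ]
```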
Behavior
Double clicking the left mouse button opens the user form (see Chapter 6.1.2 User Form). Once the user form is open a single left mouse click displays the selected data set in the user form. When the view of the revocation list is also open, a selected certificate can be dragged and dropped into the revocation list.
well be hidden behind the window User Form. Both windows can be viewed simultaneously by repositioning the window User Form.
User Data
In the area User Data general information can be entered. These data are optional and have no significance for the creation of the PSE but can help to identify a user more quickly.
Certificate
This index card is visible when the PSE was created by the user and certified by the CA. The number behind the word "Certificate" in the title bar is the serial number issued on certification. For further details on the individual fields please see Chapter 6.4 Certification of Incoming Prototype Certificates.
PSE
This index card shows a user PSE created or still to be created by the CA. When a date is shown in the title bar it means that the PSE was created at that time. When no date is shown it means that the PSE is not yet created. Details on the individual fields can be found in Chapter 6.2.2 Enter PSE Data.
then get a new PSE index card. Please remember to give each new PSE a new PSE name. All fields should be pre-filled with default values; these can be set with Options (see chapters 4.2.1 Issuer and 4.2.2 PSE Options). The meaning of the individual fields in the area PSE is dealt with in detail in the following section. When all entries have been made, the button Update is clicked to enter the record into the database.
After the PSE has been created the message on the left is shown. It is confirmed by clicking OK.
After the PSEs have been created the above dialog box must be closed with OK. If a user entry for which a PSE has already been created is selected, this entry is ignored by CA MANAGEMENT. The certificates of the created PSEs can be viewed in detail by clicking the button Display Certificate, which is located at the bottom of the relevant index card. In particular, the user's public key and the serial number of the certificate can be found there.
Once the certificate has been issued, it can be copied into a file accessible to the user with the button Export. Please note that the certificates can only be issued as PEM files if the certificate request was written in a PEM file.
The user then only needs to be told where to find this file. As all data in the prototype certificate and the certificate itself are public, this procedure constitutes no security risk. For this reason no encryption or password is required.
The meaning of these fields can be seen in Chapter 6.2.3 Register Certificate. After clicking OK the PSE is written on the inserted empty smartcard. While this is happening you get a Wait message. Once the PSE has been written on the smartcard the user gets a new PSE index card with the corresponding entries.
The dialog box is split up into three areas: the list of revoked certificates; below it, information on the most recent digital signature; and on the right, the buttons.
7.3 Buttons
With the buttons the revocation list can be processed.
7.3.1 Add
With Add new entries can be made in the revocation list.
In the field Serial Number you can enter one or more serial numbers (separated by commas) of certificates to be revoked. After clicking Search, CA MANAGEMENT searches for the relevant certificates in the certificate database and enters the corresponding Distinguished Names in the lower field. If the serial number does not originate from the CA, or if the relevant certificate is already revoked, it is, of course, not entered in the field. You can now check the details you have entered. When you click Add the entries are included in the revocation list. In the view of the revocation list these entries are marked with a tick, as the extended list has not yet been signed. At this point you can still delete certificates from the list that have been included by mistake.
7.3.2 Sign
Before a revocation list can be distributed to the users, it must be digitally signed so that the user is assured of its authenticity. By clicking Sign... the following dialog box is opened:
Here the Issuer Algorithm and the date of the Next Update can be set. Further information on the field Next Update can be found in Chapter 7.2 Information on the Digital Signature.
7.3.3 Verify
With Verify the validity of the revocation list signature can be verified.
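The Add, Sign and Verify steps of this section, as an added Python example that is not SECUDE's own code: it models the certificate database and the revocation list after the appendix tables (SerialNo, IsRevoked, LastUpdate), the serial numbers, names and issuer key are constructed, and an HMAC stands in for the CA's digital signature.

```python
import hmac
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple
# Added example, not SECUDE's own code: it models the Add / Sign / Verify steps
# of Chapter 7.3 over the appendix tables Certificate (SerialNo, IsRevoked) and
# CRL (LastUpdate). Serials, names and ISSUER_KEY are constructed values; an
# HMAC stands in for the CA's digital signature (the product signs with the
# issuer algorithm chosen in the Sign dialog).
ISSUER_KEY = b"constructed-issuer-key"

@dataclass
class Certificate:
    serial_no: str
    dname: str
    is_revoked: bool = False

@dataclass
class RevocationList:
    issuer: str
    revoked: List[str] = field(default_factory=list)  # covered by the signature
    pending: List[str] = field(default_factory=list)  # added since last signing
    last_update: Optional[date] = None
    next_update: Optional[date] = None
    signature: Optional[str] = None

def search(db: Dict[str, Certificate], field_text: str) -> Tuple[List[Certificate], List[str]]:
    # Search button: split the comma-separated Serial Number field; serials this
    # CA did not issue, or that are already revoked, are not entered.
    found, rejected = [], []
    for serial in (s.strip() for s in field_text.split(",") if s.strip()):
        cert = db.get(serial)
        if cert is None or cert.is_revoked:
            rejected.append(serial)
        else:
            found.append(cert)
    return found, rejected

def add_entries(crl: RevocationList, db: Dict[str, Certificate], field_text: str) -> List[str]:
    # Add button: accepted serials join the unsigned part of the list (tick) and
    # can still be removed from crl.pending until the list is signed.
    found, rejected = search(db, field_text)
    for cert in found:
        if cert.serial_no not in crl.pending:
            crl.pending.append(cert.serial_no)
    return rejected

def _payload(crl: RevocationList) -> bytes:
    parts = [crl.issuer, ",".join(crl.revoked),
             crl.last_update.isoformat(), crl.next_update.isoformat()]
    return "\n".join(parts).encode()

def sign(crl: RevocationList, db: Dict[str, Certificate], signed_on: date, next_update: date) -> None:
    # Sign button: merge pending entries, flag them revoked in the database,
    # record Last/Next Update and sign the resulting list.
    crl.revoked = sorted(set(crl.revoked) | set(crl.pending))
    for serial in crl.pending:
        db[serial].is_revoked = True
    crl.pending = []
    crl.last_update, crl.next_update = signed_on, next_update
    crl.signature = hmac.new(ISSUER_KEY, _payload(crl), "sha256").hexdigest()

def verify(crl: RevocationList) -> bool:
    # Verify button: True only while the signed list is unchanged since signing.
    if crl.signature is None or crl.last_update is None:
        return False
    expected = hmac.new(ISSUER_KEY, _payload(crl), "sha256").hexdigest()
    return hmac.compare_digest(expected, crl.signature)

def run_sample() -> Tuple[RevocationList, Dict[str, Certificate]]:
    # Constructed sample: three certificates, one revoked on an earlier list.
    certs = [Certificate("1001", "CN=Alice, O=Example, C=DE"),
             Certificate("1002", "CN=Bob, O=Example, C=DE"),
             Certificate("1003", "CN=Carol, O=Example, C=DE", is_revoked=True)]
    db = {c.serial_no: c for c in certs}
    crl = RevocationList(issuer="CN=Example CA, O=Example, C=DE")
    add_entries(crl, db, "1001, 1003, 9999")  # 1003 already revoked, 9999 unknown
    sign(crl, db, date(1999, 4, 15), date(1999, 5, 15))
    return crl, db
```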
be automatically applied during the verification process when the users have configured this correspondingly in PSE Management.
Before importing external data it is advisable to make a backup copy of the current state of the CA data base.
Import/SAP-Report
After selecting SAP Report a dialog box appears with which the file to be imported can be selected.
The file RSUSR402 is selected and then the button Open is clicked, which starts a check of the file contents. If the contents and structure of the file correspond with those of the report RSUSR402, the query on the left appears and is confirmed with OK. The data are then read into CA MANAGEMENT.
With Insert Merge Field the merge fields can be inserted into the Word document. If you click the button, Word fills the merge fields with the corresponding data; after this, the form letters are ready to print. If you want to modify the CSV file generated by CA Management, select in the Mail Merge Helper dialog the item Data source / Edit / <CSV file>. Details about writing form letters in Word can be found in the Word manual. Help for Word is displayed after pressing the function key F1. All necessary information can be found under the term Mail Merge. Never edit the CA database with Access; it will become unusable for SECUDE. In particular, never change the CA password via Access!
9 Glossary
CA
See Certification Authority.
Certification Authority
A Certification Authority (CA) issues certificates for users of a security infrastructure and maintains revocation lists.
DES
DES stands for Data Encryption Standard and is an encryption procedure in which the same key is used both for encryption and decryption. (Such procedures are called symmetrical.)
GSS-API
Generic Security Service Application Programming Interface. An interface developed by the Internet Engineering Task Force (IETF) which allows applications to be provided with security functionality.
Hybrid Process
A combination of symmetric and asymmetric cryptography is called a hybrid process.
Password
A string of letters, special characters and numerals that protects, e.g., a PSE against unauthorised access.
PIN
Personal Identification Number; a password consisting of figures only, e.g. for card terminals with their own key pads.
Prototype Certificate
A prototype certificate is a certificate that has a signature created by its own private key. Only when the prototype certificate has been certified by a certification authority does it become a certificate.
PSE
The PSE is a personal security environment which every SECUDE user needs. In the PSE security relevant information is stored. This includes the certificate and the corresponding secret key. The PSE can be stored as a DES encrypted file or on a smartcard.
Revocation List
A revocation list is a list of certificates that have been declared invalid by the issuing certification authority before their expiry date. The certification authority maintains this list and must publish it, i.e. keep it up to date and at regular intervals make it available to all participants.
Root Authority
The root authority is a certification authority which is not certified by any other CA. Its certificate is signed by its own private key.
RSA
A cryptographic algorithm named after Rivest, Shamir, and Adleman. It is based on pairs of keys that have a special relationship to each other: anything that has been encrypted with one of the two keys can only be decrypted with the other. (Such procedures are called asymmetrical.)
SAPlpd
SAPlpd denotes software from SAP AG which allows spooling for print jobs in the R/3 environment.
SNC
Secure Network Communications denotes the module which deals with the communication to an external library in the SAP R/3 system. The library is addressed by means of GSS-API functions and allows R/3 access to security functions as realised by SECUDE.
Transport Password
A new PSE is encrypted by CA MANAGEMENT with a Transport Password. This password ensures the security of the PSE on its way from the CA to the user. The user is informed of the password by the CA (e.g. by post) and is advised to change it immediately.
Figure 56: Save Certification Path, p. 56
Figure 57: PSE Contents, p. 57
Figure 58: Save LDIF File - Insert Certificates, p. 58
Figure 59: Save LDIF File - Delete Certificates, p. 59
Figure 60: Write PK List, p. 59
Figure 61: Write Certificates, p. 60
Figure 62: Generate Password Form Letter, p. 60
Figure 63: Password Rules - Rules Editor, p. 62
Figure 64: Password Rules - Preview, p. 63
Figure 65: Log-on Profiles, p. 64
Figure 66: Log-on Profile, p. 64
Figure 67: Smartcard Terminal Setup, p. 65
Figure 68: Info User Card, p. 66
Figure 69: Unblock Password, p. 67
Figure 70: Info on CA MANAGEMENT, p. 68
Figure 71: Info on SECUDE, p. 68
Figure 72: User List, p. 69
Figure 73: User List and User Form, p. 71
Figure 74: User Form, p. 72
Figure 75: PSE is being created, p. 77
Figure 76: PSE Creation, p. 78
Figure 77: Export Certificate, p. 79
Figure 78: Write PSE on Smartcard, p. 80
Figure 79: CA Revocation List, p. 81
Figure 80: Add Entries to Revocation List, p. 82
Figure 81: Sign Revocation List, p. 83
Figure 82: View of RSUSR402, p. 85
Figure 83: Import SAP Report, p. 86
Figure 84: Form Letter Icon Bar of Word, p. 87
Table 1: Categories of Distinguished Names, p. 7
Table 2: Format of the Validity Fields, p. 24
Table 3: Toolbar, p. 46
Table 4: User Form - User Data, p. 93
Table 5: User Form - PSE, p. 94
Table 6: User Form - Signature / Encryption Certificates, p. 94
12 Appendix
12.1 Fields in the User Form
The following user data are registered with the user form (cf. Chapter 6.1.2 User Form) and administered by CA MANAGEMENT in the database:
Rules
Card number
Description entered here (only for file PSEs). The PUK is important for the unblocking of smartcards. When a smartcard PSE is created a PUK should be given which is known only to the administrator. If the option is activated, the PUK is generated automatically. Otherwise it should be entered in the field on the right. When a smartcard PSE is created, the card number is contained here.
Valid to
Key length
Version
The numbers in the third column have the following meanings:
The field must be filled out when a PSE is to be created.
The field is set by CA MANAGEMENT.
The field depends on the configuration.
For the field Password, automatic password generation can be activated with the menu item Extras/Options and then PSE Options. When a new user is certified the program fills the field with a value. When a user certificate is created for a smartcard, the field Card number receives a 20-digit number. On the card itself, however, 21 digits are printed. The last digit of the number on the smartcard does not appear in this field, as it is a check digit and is not forwarded to CA MANAGEMENT when read.
Type
dbLong, dbAutoIncrField
Size
Commentary
Unique number of a user; not displayed in CA MANAGEMENT. It links to the tables 'PSE' and 'Certificate'; between the tables there are 1 to n relationships.
30 30 50 10 20 50
Surname of user. First name of user. Mail address of user. Personnel number of user. Division (Dept.) of user. This field is completed only to provide information; it can be used to print PIN letters with the form letter (mail merge) option of MS Word. Middle initial of user (American usage). Company of user.
Middlename Company
dbText dbText
1 50
Table PSE
In the table "PSE" the data for creating PSEs is stored.
Field name | Type | Size | Commentary
PSENo | dbLong, dbAutoIncrField | | Unique number of a PSE; not displayed in CA Management. An association takes place into the table 'PSE'. Between the tables there is a 1 to 1 or a 1 to 2 relationship (a PSE can contain up to two certificates).
UserNo | dbLong | | Assigns the PSE to a user.
PSE | dbLongBinary | | Copy of a software PSE.
PSEName | dbText | 25 | File name of the PSE.
IsSC | dbBoolean | | TRUE if smartcard PSE, FALSE if software PSE.
IssueDate | dbDate | | Date when created.
NoOfKP | dbInteger | | Number of key pairs of the PSE (1 or 2).
TransportPin | dbText | 50 | Password with which the created PSE is encrypted.
PUK | dbText | 8 | Password Unblocking Key for smartcard PSEs.
Cardnumber | dbText | 20 | Card number of the smartcard.
PSEDir | dbText | 255 | Directory in which the PSE is stored.
RandomPin | dbBoolean | | TRUE if the password is generated randomly, otherwise FALSE.
RandomPUK | dbBoolean | | TRUE if the PUK is generated randomly, otherwise FALSE.
ProfileName | dbText | 20 | Reference to the table Profile. Is not used.
PinPolicy | dbText | 30 | Reference to the table PinPolicy.
Cardtype | dbInteger | | Make of a smartcard (0 for TCOS, 1 for Cryptoflex). Is not used when no smartcard is created.
The commentary column lists four further fields for which the page gives neither name nor type:
Number of tries for password entry
Number of tries for PUK entry
TRUE if PSE created, otherwise FALSE
Creation date of PSE
Table Certificate
In the table "Certificate" data for the issuing of certificates is stored.
Field name
CertificateNo
Type
dbLong, dbAutoIncrField dbLong dbLong dbText dbDate dbDate dbText dbLongBinary
Size
Commentary
Unambiguous number of a certificate: is not displayed in CA Management. Assigns the certificate to a PSE. Assigns the certificate to a user.
255
Distinguished Name of the certificate. Validity of the certificate. Validity of the certificate
32
Serial number of the certificate, is given automatically. Copy of the certificate or prototype certificate (for file PSEs only).
Field name
IsRevoked Usage
Type
dbBoole an dbInteger
Size
Commentary
TRUE if certificate was revoked, otherwise FALSE. 1 if the certificate is used with two key pairs to encrypt PSEs, otherwise 0. Is used only when the CA generates the keys.
30 30
Issuer algorithm. Signature/Encryption algorithm Key length TRUE if the Distinguished Name of the CA is to be appended to the Distinguished Name of the user when being certified, otherwise FALSE.
dbText dbInteger dbLong Binary dbBoole an dbBoole an dbLong Binary dbLong Binary dbLongBinary dbBoole an dbDate dbInteger dbDate dbLongBinary
10
X.509v1 or X.509v3. Format of the request type; proprietary. Proprietary. TRUE if the certificate is issued for a CA, otherwise FALSE. Is only used with version=X.509v3. Proprietary. Proprietary. Proprietary Proprietary TRUE if certificate issue, FALSE if still changeable. Date of issue of certificate Reserved for later use Reserved for later use Reserved for later use.
Table CRL
In the table "CRL" revocation lists are stored.
Field name | Type | Size | Commentary
StringDName | dbText | 255 | Readable depiction of the Distinguished Name of the CA from which the revocation list comes.
OctetStringDName | | | Binary depiction of the Distinguished Name.
IsDelta | dbBoolean | | TRUE = current signed revocation list of the CA; FALSE = certificates added since the last signing.
LastUpdate | | | Date of the last signature in the revocation list.
CRLWithCerts | | | The revocation list itself.
Table Log
In the table "Log" protocol information is stored.
Field name | Type | Size | Commentary
DateTime | dbDate | | Date and time of the protocol entry.
Type | dbInteger | | 0 = Log on; 1 = Log off; 2 = Create a CA; 3 = Create a PSE; 4 = Issue a certificate; 5 = Revoke a certificate; 6 = Issue a revocation list
Data | dbText | 80 |
SerialNo | dbText | 25 |
Table PINPolicy
The table "PINPolicy" stores password rules.
Field name | Type | Size | Commentary
Name | dbText | 30 | Reference to table PSE.
PINPolicy | dbLongBinary | | Proprietary.
Table Profiles
The table "Profiles" is not yet used.
Field name | Type | Size
ProfileNo | dbLong, dbAutoIncrField |
ProfileName | dbText | 20
PSEDir | dbText | 255
NoOfKP | dbInteger |
ValidFrom | dbDate |
ValidUntil | dbDate |
EncAlg | dbText | 30
EncKeysize | dbInteger |
SignAlg | dbText | 30
SignKeysize | dbInteger |
RandomPin | dbBoolean |
PinLength | dbInteger |
DefaultPin | dbText |
DNIsPrefix | dbBoolean |
RandomPUK | dbBoolean |
PUKLength | dbInteger |
DefaultPUK | dbText |
The page gives a single size of 50 for the text fields DefaultPin and DefaultPUK without stating which of the two it belongs to.
Table ACL
The table "ACL" is not yet used.
Field name | Type | Size | Commentary
SerialNo | dbLongBinary | |