SECUDE Sicherheitstechnologie Informationssysteme GmbH
Landwehrstraße 50a, D-64293 Darmstadt
World Wide Web: http://www.secude.com
Support: email@example.com

Copyright SECUDE GmbH 1997-1999
SECUDE Library Version 5.2
CA MANAGEMENT Version 2.0.12
Version 2.0 / Spring 1999
SECUDE CA MANAGEMENT

1 Introduction
  1.1 Functions of a CA  2
  1.2 Personal Security Environment (PSE)  3
  1.3 Issue Certificates for Users  4
  1.4 Security Guidelines for Operating a CA  6
  1.5 Distinguished Names  6
  1.6 Passwords  7
2 CA MANAGEMENT Installation
  2.1 Prepare the Installation  9
  2.2 How to install CA MANAGEMENT  10
    2.2.1 Installation via Internet  10
    2.2.2 Installation from CD ROM or Network  10
  2.3 Aborting the installation  15
3 Organisation of a Security Infrastructure
  3.1 Basic Information on the Organisation of a Security Infrastructure  16
  3.2 Create a Root Authority  18
    3.2.1 Create a CA-PSE as a File  19
    3.2.2 Creating a Smartcard CA-PSE  27
    3.2.3 Create a Cryptoboard based CA-PSE  30
  3.3 Create a Subordinate CA  32
4 [chapter title missing]
  4.1 User-specific Settings  34
    4.1.1 Program Options  34
    4.1.2 SECUDE  36
    4.1.3 X.500  38
    4.1.4 Warning Periods  38
  4.2 CA-specific Options  39
    4.2.1 Issuer  39
    4.2.2 PSE Options  40
    4.2.3 User Options  42
    4.2.4 Sphinx Pilot  43
5 Management of the CA
  5.1 CA MANAGEMENT Overview  44
  5.2 The Tool Bar  45
  5.3 The Menu Bar  46
    5.3.1 File  47
    5.3.2 View  48
    5.3.3 CA-PSE  49
    5.3.4 User  57
    5.3.5 Extras  61
    5.3.6 Smartcard  65
    5.3.7 Window  67
    5.3.8 Help – (?)  67
6 Management of User Data  69
  User List and User Form  69
    User List  69
    User Form  70
  Process User Entries  73
    Register a New User  73
    Enter PSE Data  73
    Register Certificate  75
    Create Further PSEs for Same User  76
    Delete a User Entry  76
    Delete a PSE Data Set  76
    Delete a Certificate Data Set  76
  Create User PSEs  76
    Create Individual PSEs  77
    Create Several PSEs  77
    Certification of Incoming Prototype Certificates  78
    Write Again User PSE  79
    Subsequent Inclusion of an Existing PSE in a Smartcard  79
7 Revocation List Management  81
  List Area  81
  Information on the Digital Signature  82
  Buttons  82
    Add  82
    Sign  83
    Verify  83
    Save in PSE  83
    Save in PEM File  83
    Save in Directory  83
    Save in ldif File  84
8 Import and Export of User Data  85
  Import of SAP R/3 User Data  85
  Import of SECUDE Data  86
  Inform of Transport Password: Export to Microsoft Word – Form Letter  87
9 Glossary  88
10 Figures and Tables  90
11 Bibliography  92
12 Appendix  93
  Fields in the User Form  93
  Data Base Specification CA.MDB  95
Preliminary Remarks

Target Group
System administrators.

Preview
Chapter 1 gives an overview of the tasks of a certification authority (CA). It describes the theoretical principles of key distribution and the security guidelines for operating a CA. Chapter 2 describes the installation. The installation program requests all user entries and guides through the installation. Chapters 3 to 8 explain how to use SECUDE CA MANAGEMENT. The organisation of a security infrastructure, the program options, the management of a CA-PSE, and user management are discussed. Key generation and import of external data are explained. Chapter 9 contains a glossary of the most important terminology, Chapter 10 the list of illustrations and the list of tables, Chapter 11 the bibliography. The Appendix is contained in Chapter 12. For quick information on the individual topics the chapters can be read separately. Cross-references to related topics are provided.

Copyright
Cryptoflex is a registered trademark of Schlumberger Industries. Microsoft is a registered trademark of Microsoft Corporation. R/3 is a registered trademark of SAP AG Walldorf. SECUDE is a registered trademark of GMD – German National Research Center for Information Technology. TCOS is a registered trademark of Deutsche Telekom AG.
1 Introduction

A certification authority (CA) has the task of issuing certificates for users. When issuing a certificate the CA ties a user's name to his public key. This is achieved by means of the so-called digital signature. The CA signs – with a digital signature – a data package consisting of the user's public key, a serial number issued by the CA, a period of validity, and the user's name. The combination of this data package and the CA's signature is called the certificate. This means that the CA guarantees that the name and public key in the certificate belong to one and the same person.

1.1 Functions of a CA

Operating a CA demands a number of organisational steps which at this point will not be further detailed. The following gives a short description of the technical resources that are required to run a CA.

Generate CA keys
For certification operations a CA needs its own asymmetric key pair. SECUDE deposits this key pair in a CA-PSE, which is protected by a password, the same as with a user's PSE. The CA key pair demands special protection. As all parties in the security infrastructure require the CA's key to be stored in their PSEs to check other certificates, a new CA key must be supplied to them all, and all the parties' certificates must be re-issued and distributed. The renewal of a CA key involves considerable time and money. It is therefore recommended that the CA key be given a long period of validity (e.g. 5 or 6 years) and that it be given protection by using a lengthy key (1536 bits usually). The CA's asymmetric keys should be at least 1024 bits long. Depending on the intended validity period longer keys should be used. SECUDE in the present version supports key lengths between 512 and 2048 bits. An RSA key with less than 512 bits is not advisable, as the probability of it being cracked within a short time (several hours) is very high.

Certify users
The function of the CA is to issue certificates for the participants of the security infrastructure, i.e. of making a connection between the user and his public key. This is achieved with the digital signature of the CA under the user's certificate. All partners in the communication to be safeguarded (not only persons, but also, for example, printers and application servers) have to be included. The CA has two ways of issuing a certificate. In the first, the user generates his own key pair and gives the public key, as a so-called prototype certificate, to the CA for certification. In this
case the CA must ensure that the name in the prototype certificate is correctly assigned before a signature is given. This may require that the person legitimizes himself with a national or company ID before the certificate is issued. Only in this way can abuse by attackers who obtain unauthorised possession of others' certificates and their private keys be prevented. Checking the name by phone or e-mail is not sufficient. The advantage of this version is that only the user is in possession of his private key and third parties are excluded. The user must now, however, take very good care of his private key so that, should a PSE be lost, it can be re-created. In the second, the CA generates the key pair for the user. With SECUDE this means that a complete PSE is created for the user. When the PSEs are handed over to the users, the CA is obliged to ensure that each PSE goes to the correct user. SECUDE's CA MANAGEMENT safeguards the newly issued PSEs with a transport password. The user is informed of the password by separate means.

Maintain revocation lists
The CA keeps a list of compromised certificates issued by the CA. This list, the revocation list, has to be maintained by the CA. A compromised certificate must remain on the revocation list until its expiry date. With SECUDE for SAP R/3 the updated revocation list must be put at the disposal of the application servers at regular intervals.

1.2 Personal Security Environment (PSE)

In SECUDE security relevant information is stored in the PSE. This is nothing more than a secure memory. All information required to participate in the security infrastructure is stored in it. All the participants in the security infrastructure have their own PSE.

Figure 1: Elements of a PSE (public root key, forward certification path, own certificate, private key, certification revocation lists)

SECUDE offers the options either to store the PSE on a smartcard or as an encrypted file on the hard disk of the computer. According to the version of the PSE (file or smartcard) it is more or less difficult to get possession of these sensitive data. An attacker who manages to spy out the password and copy the file PSE has all necessary information at his fingertips. With a file PSE it may even happen that the legitimate owner does not notice the loss. This is different when the PSE is on a smartcard. The loss of the card would normally be noticed by the owner very quickly (not when he is on holiday or in similar cases). Should a user notice that someone else has found out his file PSE password, the security administrator must be informed. The latter must decide whether a new PSE should be created or whether changing the password is sufficient. If it is suspected, for whatsoever reason, that the PSE password is known to third parties, the PSEs should, to be on the safe side, be changed, even without conclusive evidence. With smartcards only the card password need be changed. However, special terminals are required for smartcards.

1.3 Issue Certificates for Users

There are two methods of generating key pairs. With the first method, the CA generates key pairs for the users. With the second, the user generates the key pair himself and has his public key, or rather the prototype certificate, certified by the relevant CA. Both methods have their pros and cons.

CA creates PSE
When the CA generates the keys it is possible to leave either the certificate (i.e. the certified public key), or the whole PSE (i.e. the certified public key plus the private key), in the CA's safekeeping. If the user needs his PSE again in the future, he can have it handed out by the CA. This, however, has as a prerequisite a relationship
of trust between the infrastructure participants and the CA as the private key is also in the hands of the CA. A further advantage of this procedure is its simplicity. The CA can create the PSE in a single run. It generates the key pair and certifies the public key. The user is not responsible for any security measures and, should the PSE be lost, he can have it handed out again by the CA. When the CA creates the PSEs for the user of the security infrastructure, SECUDE CA MANAGEMENT generates a random password for the transport and thus encodes the PSE. The user is informed of the password by separate means.

Figure 2: CA creates PSE (Security Administrator: 1. Generation of PSE, 2. PSE storage (encrypted), 3. Information of Password (offline); User: 4. Installation of PSE and Change of Password)

In this way the CA ensures that only the user and the security administrator know the transport password.

User creates PSE
If the user generates his key pair and PSE himself, it is advisable that he keeps a copy of the PSE in a secure place, e.g. a safe, in case, for example in a disk crash, he needs it again. Otherwise he has to generate a new key pair and have the public key again certified by the CA.
The CA must only make sure that the prototype certificate actually belongs to the user. The transport of the prototype certificate from the user to the CA and the return of the certificate must also be dealt with. The user has then also to update the PSE with the certificate from the CA. The advantage of this procedure is that the information transmitted, such as the prototype certificate and the certificate, is not security sensitive. All information transported is public anyway. All sensitive data such as the password of the PSE or the private key remain with the user. The user himself must take care of jobs such as making a backup copy of his PSE.

Figure 3: User creates PSE (User: 1. Generate PSE, 2. Prototype Certificate; Security Administrator: 3. Certify User's Prototype Certificate, 4. Certificate to User; User: 5. Insert Certificate into PSE)

This procedure gives the user the certainty that nobody else is in possession of his private key.

1.4 Security Guidelines for Operating a CA

A CA is comparable to a passport office. Should an unauthorised person get the opportunity to issue documents, big trouble can result. As the security relevant information with which a CA deals is in electronic form, precautions must be taken to prevent its being compromised. The computer with which the CA operates should be in a safe environment. This can be a room or workplace to which only authorised persons have access. The computer should not be linked with a network. Access to this computer should be arranged so that only authorised and trained personnel can work with it. The personnel in charge of the CA must also maintain the necessary precautions. Backup copies of the CA may and should be made. They should be kept in a secure place, e.g. a safe.

1.5 Distinguished Names

When operating a security infrastructure the participants are identified by so-called Distinguished Names, abbreviated DN. This is a naming scheme in which persons are unambiguously named world-wide. DNs are defined in the standard ISO / ITU X.500. The certifying authority and its users need such unambiguous names. A Distinguished Name can be composed of several components. The following table gives an overview of the name components supported by SECUDE.
Abbreviation  Meaning
BC            Business Category
C             Country
CN            Common Name
D             Description
L             Location
O             Organisation
OU            Organisational Unit
S             Surname
SN            Serial Number
SP            State or Province
ST            Street Address
T             Title

Table 1: Categories of Distinguished Names
The most widely used name components are in bold print. A Distinguished Name is made up of a combination of the above abbreviations and corresponding values.
Examples of Distinguished Names:

CN=Bill Bo, OU=R3Administration, O=SECUDE GmbH, L=Darmstadt, C=DE
CN=Bill Bo, O=SECUDE GmbH, C=DE
O=SECUDE GmbH, C=DE
It is not necessary to use every name component in the name. What is important is the order of the components. First should come, if existent, the common name, then organisational unit, then organisation, location, and finally country. It is advisable to use a short, unambiguous name for a CA. A CA certifies the public key of a user's asymmetric key pair. It is standard procedure that with the certification the user's certificates receive the name of the CA as a suffix to their name. The second and third lines of the above example show how the name of a CA and one of its users can be composed: the participant Bill Bo has the name of the CA integrated – i.e. O = SECUDE GmbH, C = DE.
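As an added example (not code from the SECUDE manual), the following parser checks DN strings of the form used above against Table 1 and the component order the text prescribes, and verifies that a user's DN carries its CA's DN as a suffix. It assumes components are separated by commas and that values themselves contain no commas.

```python
# Added example, not part of the SECUDE manual. Checks DN strings such as
# "CN=Bill Bo, O=SECUDE GmbH, C=DE" against Table 1 and the stated ordering.
# Assumption: components are comma separated and values contain no commas.

SUPPORTED_COMPONENTS = {
    "BC": "Business Category", "C": "Country", "CN": "Common Name",
    "D": "Description", "L": "Location", "O": "Organisation",
    "OU": "Organisational Unit", "S": "Surname", "SN": "Serial Number",
    "SP": "State or Province", "ST": "Street Address", "T": "Title",
}

# Order the manual prescribes for the most widely used components:
# common name first, then organisational unit, organisation, location, country.
COMPONENT_ORDER = ["CN", "OU", "O", "L", "C"]


def parse_dn(dn):
    """Split a DN string into an ordered list of (abbreviation, value) pairs."""
    parts = []
    for item in dn.split(","):
        item = item.strip()
        if "=" not in item:
            raise ValueError("malformed DN component: %r" % item)
        abbr, value = item.split("=", 1)
        abbr, value = abbr.strip().upper(), value.strip()
        if abbr not in SUPPORTED_COMPONENTS:
            raise ValueError("unsupported name component: %r" % abbr)
        if not value:
            raise ValueError("empty value for component %r" % abbr)
        parts.append((abbr, value))
    if not parts:
        raise ValueError("empty DN")
    return parts


def is_valid_dn(dn):
    """True if every component is supported and well formed."""
    try:
        parse_dn(dn)
    except ValueError:
        return False
    return True


def order_is_valid(dn):
    """True if the common components appear in the prescribed order.

    Components outside COMPONENT_ORDER (e.g. T or SN) are not constrained,
    and repeated components of the same kind (e.g. two OUs) are allowed."""
    ranks = [COMPONENT_ORDER.index(abbr)
             for abbr, _ in parse_dn(dn) if abbr in COMPONENT_ORDER]
    return all(ranks[i] <= ranks[i + 1] for i in range(len(ranks) - 1))


def has_issuer_suffix(user_dn, ca_dn):
    """True if the user's DN ends with the CA's DN, i.e. the CA name is its suffix.

    Values are compared exactly, so the spelling of the CA name must match."""
    user, ca = parse_dn(user_dn), parse_dn(ca_dn)
    return len(user) > len(ca) and user[-len(ca):] == ca
```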
1.6 Passwords

A PSE password is comparable in its function to the PIN of an EC card. It is required for logging on and to allow other programs access to the PSE. It protects the PSE from unauthorized use by third parties. The password should be known only to the owner of the PSE. It should be made up of a combination of letters (upper and lower case), special characters (blanks may also be used) and numerals. The length of the password may be up to 50 places, the exception being that smartcards allow only a password length of eight places. To help users choose their passwords with care the CA can stipulate Password Rules which the users are obliged to observe. In any case, special care should be taken when choosing passwords. It is advisable not to use any common names or terms and nothing that is in any way personally related to the owner of the PSE (e.g. phone no., birthdates of family members, etc.).
Examples of poor passwords are: Bill, clinton, 1234, test, .... Examples of good passwords are: EbTiN97!, or ?d1X3h:Ijk5, ...
It is very difficult to remember a password like ?d1X3h:Ijk5, and even AbDiN97! is not much easier. It is, however, easy enough when, behind the apparently random series of letters and numerals, a sentence is hidden whose first letters are used, e.g. "A blue day in November 97!". With a memory jogger like this and a minimum length of 6 places the password is reasonably safe.
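The rules of this section, written out as a checker a CA could apply when stipulating Password Rules (an added example, not code from the SECUDE manual). It assumes the "eight places" limit for smartcards is a maximum and takes the minimum length of 6 from the memory-jogger advice; the list of common terms is a constructed sample.

```python
import string

# Added example, not part of the SECUDE manual. Assumptions: the smartcard
# limit of "eight places" is read as a maximum; minimum length 6 is taken from
# the memory-jogger advice; COMMON_WORDS is a constructed sample list.
FILE_PSE_MAX_LEN = 50
SMARTCARD_MAX_LEN = 8
MIN_LEN = 6
COMMON_WORDS = {"bill", "clinton", "1234", "test", "password", "secude"}


def check_password(password, smartcard=False, personal_data=()):
    """Return the list of rule violations; an empty list means the password passes.

    personal_data: strings related to the owner (name, phone number, birthdates
    of family members) that must not appear anywhere in the password."""
    problems = []
    max_len = SMARTCARD_MAX_LEN if smartcard else FILE_PSE_MAX_LEN
    if len(password) < MIN_LEN:
        problems.append("shorter than %d characters" % MIN_LEN)
    if len(password) > max_len:
        problems.append("longer than %d characters" % max_len)
    # The manual asks for upper and lower case letters, numerals and special
    # characters; blanks count as special characters.
    classes = {
        "upper-case letter": any(c.isupper() for c in password),
        "lower-case letter": any(c.islower() for c in password),
        "numeral": any(c.isdigit() for c in password),
        "special character": any(c in string.punctuation or c == " " for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing: " + ", ".join(missing))
    lowered = password.lower()
    if lowered in COMMON_WORDS:
        problems.append("common name or term")
    for item in personal_data:
        if item and item.lower() in lowered:
            problems.append("contains personal data %r" % item)
    return problems


def from_memory_jogger(sentence):
    """Build a password from the first letter of each word of a sentence.

    Words that do not start with a letter (e.g. '97!') are kept whole, so
    'A blue day in November 97!' becomes 'AbdiN97!'."""
    parts = []
    for word in sentence.split():
        parts.append(word[0] if word[0].isalpha() else word)
    return "".join(parts)
```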
2 CA MANAGEMENT Installation
When operating a CA it is advisable to use a computer that is not accessible to everybody. Firstly this means that the computer should not be directly linked to a network or should be provided with specific protective features (firewall or similar) to prevent unauthorized access through the network to this one special CA computer. Secondly the CA computer should be located in a secure room where no unauthorized persons can gain access to it. The private key of the CA must remain inviolable, otherwise all previously issued certificates become invalid.
2.1 Prepare the Installation
SECUDE CA MANAGEMENT is supplied on a CD-ROM. The CD-ROM contains all programs and libraries required for the installation. Installation of SECUDE CA MANAGEMENT is started from the CD-ROM. For Windows 95 and Windows NT the job is done by the installation program Setup.Exe. This can be found on the CD-ROM in the directory \CAManagement.
What is installed where

SECUDE CA MANAGEMENT consists of an executable program – CAManagement – and the dynamic link libraries (DLL) guihlp.dll, psegui.dll, psewiz.dll, scsctgui.dll, passwordgui.dll, v3extensionsgui.dll and secude.dll. When operating with smartcards further libraries, i.e. for the terminal and the smartcard being used, are required, e.g. ct32.dll, snsct.dll, tcos.dll. If an LDAP directory server is also to be addressed directly, then the library ldap32.dll is required too. All the above mentioned libraries are installed automatically with SECUDE CA MANAGEMENT. Standard procedure is for SECUDE CA MANAGEMENT to be installed in the directory \Programs\SECUDE. The program and the DLLs are installed in the directory \Programs\SECUDE\CA Management. To store configuration files, e.g. the ticket file and the sct_rc file, which configure the access to a possibly connected terminal, the directory %HOMEDRIVE%\%HOMEPATH%\secude is

To operate SECUDE CA MANAGEMENT a data base driver (DAO, consisting of several DLLs) is required. This driver is automatically installed by CA MANAGEMENT. SECUDE PSE MANAGEMENT and UPDATE CADB are also automatically installed with SECUDE CA MANAGEMENT.
2.2 How to install CA MANAGEMENT

The installation under both Windows NT and Windows 95 should be done by someone familiar with the operating system. With Windows NT only an administrator is authorized to carry out the installation.

2.2.1 Installation via Internet

If you are going to install from CD or via a network, skip this section and proceed with section 2.2.2. If you install via Internet, start SECUDE20CAManagement. The following dialog is displayed.

Figure 4: Internet Installation

Click Finish to unpack the actual installation program.

Figure 5: Unpacking

Wait until unpacking is done and proceed as described in section 2.2.2.

2.2.2 Installation from CD ROM or Network

The installation is started by double clicking the program Setup.exe. The installation program can alternatively be started via the Start menu and Run. To do this enter the CD ROM drive letter, the path and the program name in the field Open of the window Run. With a mouse click on the button OK the setup of CA MANAGEMENT is started.
In the Welcome window of the setup program you are requested to end all other active applications. This is required as, otherwise, the setup program may not be able to carry out all the necessary steps for an error-free installation of CA MANAGEMENT.

Figure 6: Welcome Window of the Installation

By clicking Next the installation is continued.

Figure 7: Software License Agreement

Please read the software license agreement. If all conditions of the agreement are acceptable, the button Yes is clicked, otherwise the button No. (Note that clicking No stops the installation.)
Figure 8: User Information

The names of the user and her/his company are required for the installation.

Figure 9: Set Destination Directory

Windows 95 and Windows NT from version 4.0 provide for the installation of application programs the directory Program Files. It is recommended for the installation of CA MANAGEMENT to make a subdirectory SECUDE there. A change in the destination of the installation can be made via the button Browse. If the path for the installation is accepted, the button Next can be clicked.
Figure 10: Select Program Folder

Here the name of the folder is entered under which the setup program creates the icon to call CA MANAGEMENT. SECUDE is used as the standard proposal. Next is clicked to confirm the entry.

Figure 11: Start of Installation

The directions of the installation program can be followed. After the button OK is clicked the installation program starts the setup.

Figure 12: Install SECUDE Ticket

To use secude.dll you need a valid license ticket. This generally comes with the software package.
After clicking Next, the progress of the installation is shown. When the setup is finished an information window appears showing the installed components.

Figure 13: Information on Installed Components

The window is closed by clicking on OK.

Figure 14: Setup complete

After CA MANAGEMENT is installed, it can be used immediately. The computer does not need rebooting. If you have already been working with an older version of CA MANAGEMENT, it may be necessary to update the database. From version 1.3.5 please run the installed program UpdateCADB.exe for all existing CAs. If it is an earlier version, please ask the SECUDE hotline.
2.3 Aborting the installation

The installation program can be aborted at any time by pressing the key Escape – ESC or with a mouse click on the button Cancel in any installation window.

Figure 15: Exit Setup

To abort the installation, Exit Setup in the above window must be clicked or the key ESC pressed.
3 Organisation of a Security Infrastructure

CA MANAGEMENT can be started from the icon on the left. In the Windows start menu the entry is under c:\Program Files\SECUDE\CA Management. After the program has been loaded the dialog box appears for log-on.

Figure 16: Log On

When CA MANAGEMENT is started for the first time, no CA-PSE is available for log-on. A new security infrastructure must be organised, i.e. a CA-PSE created. First the so-called root authority is created by clicking the button Create in the dialog box Log On (see Chapter 3.2 Create a Root Authority). The following sections lead the way through the Organization of a Security Infrastructure.

3.1 Basic Information on the Organisation of a Security Infrastructure

SECUDE CA MANAGEMENT allows the generation of several independent certification trees. A certification tree always begins with a CA which performs the functions of the root authority. A root authority is the top level certification authority, i.e. it is not certified by any other authority. Subordinate CAs can be inserted into a certification structure either by having them created by the appropriate higher CA (cf. Chapter 3.3 Create a Subordinate CA), or by generating themselves a so-called prototype certificate that is sent to the intended higher CA and is then certified by this (cf. Chapter 5.3.3 CA-PSE under the item Write Certification Request).
Personal Security Environment as File or Smartcard?

A CA has the function of issuing certificates for users. SECUDE CA MANAGEMENT stores these certificates in a personal security environment (PSE). The PSE is stored either in a file or on a smartcard (see Chapter 1.2 Personal Security Environment (PSE)). A smartcard PSE cannot be copied. From the security point of view this is an advantage; on the other hand it can lead to problems when a card is lost. A new PSE with a new key pair and a new certificate must then be created. It should be noted that smartcards have limited storage capacity. The size of a certificate is determined in part by the length of the key and the Distinguished Names of the owner and issuer. With a key length of 1024 bits and a DN of 70 characters the resultant PSE has a total size of approx. 1.5 Kbyte. One's own certificate and the certificate from the root authority can be comfortably accommodated on today's smartcards. SECUDE, however, stores further elements in the PSE. These elements are, therefore, stored externally in a file – the so-called software extension of a smartcard PSE. This, of course, puts limits on the interchangeability of workplaces when using a smartcard. Decisive for the choice between file and smartcard PSEs will be the individual evaluation of the pros and cons.

The CA PSE based on the RACAL Cryptoboard?

Besides storing the PSE as a file or on a smartcard CA MANAGEMENT also offers a third possibility. The CA can be created based on a cryptoboard. This version of SECUDE CA MANAGEMENT has integrated the RACAL cryptoboard RG700. The cryptoboard has various physical security features built in, so that the usual attacks on hardware components such as radioactive radiation, changing the input current or exposing the chip to an electronic microscope examination do not lead to the discovery of the private key. On the contrary, the chip self-destroys when the cryptoboard is opened. The use of the cryptoboard offers a CA the following two advantages: When the CA creates user PSEs (see Chapter 1.3 Issue Certificates for Users), it needs good random numbers for the generation of the keys. A good random number generator is integrated in the cryptoboard and this is used by secude.dll when the cryptoboard is properly installed. The second advantage is the secure storage of the CA's private key. This is generated on the cryptoboard, from where it cannot be read. When data requires signing with the private key, the data are sent to the cryptoboard, which carries out the signature. For more information on the cryptoboard please contact SECUDE GmbH.

Certification Structure

Before creating the root authority the structure of the certification process should have been planned. Is the root authority to certify all users (flat, simple structure) or is a hierarchic structure with several certification centers planned? In a hierarchic structure the root authority certifies CAs which then certify the users. The hierarchy can be organised on several levels. With a hierarchic structure it is possible, for example, to have the users certified by different authorities according to the work they are doing. When a company has branches in different locations, it would be possible to have one certification authority per branch, according to local requirements (see Chapter 3.3 Create a Subordinate CA).

3.2 Create a Root Authority

A root authority is the top level certification authority and can only be created by CA MANAGEMENT when logged off (no CA-PSE opened). Additionally, a directory must be selected in which there is no CA-PSE. A choice between a smartcard PSE, a file PSE on the hard disk or a PSE stored on a RACAL cryptoboard can be made. Pros and cons of the three versions can be found in Chapter 1.2 Personal Security Environment (PSE) and in Chapter 3.1 Basic Information on the Organisation of a Security Infrastructure. The following chapter describes the creation of a PSE as file. It should be read even if a smartcard PSE is to be created, since Chapter 3.2.2 Creating a Smartcard CA-PSE only deals with the differences that occur when creating PSEs on smartcards.

Create CA-PSE
A CA-PSE can be created either with the menu item File/Create root CA or with the button Create in the dialog box Log On. This calls the PSE Wizard. Here all parameters needed for the creation of the CA-PSE can be set. The parameters are valid for the whole life of the CA, which means that once the CA is created no changes can be made to the settings. It is therefore advisable to give the settings a great deal of forethought. While the parameters are being entered it is still possible to make changes. For this purpose each of the dialog boxes of the PSE Wizard described below is provided with three buttons. With the button Back the previous mask can be returned to (perhaps to look something up or to make a change), with Next the next dialog box is reached, and with Cancel the procedure can be cancelled.
3.2.1 Create a CA-PSE as a File

Type of PSE

Figure 17: PSE-Wizard – Type of PSE

The first PSE Wizard dialog box requests the type of CA-PSE. When a file PSE is to be created, File is chosen.

Distinguished Name

Figure 18: PSE-Wizard – Distinguished Name

A Distinguished Name is entered here. It is also called the Distinguished Name of the Owner and appears in every certificate issued by the CA. This DN identifies the CA unambiguously. Special care must be taken when entering the Distinguished Name. The structure of the Distinguished Name can be seen in Chapter 1.5 Distinguished Names. All characters from which the Distinguished Name is made up, such as blanks, commas, etc., are important for later operations.

Name of PSE

Figure 19: PSE-Wizard – Name of PSE

The complete data path, including the name under which the PSE is to be stored, is entered here. By clicking the drive button the required directory can be found in the dialog box Select PSE. If the directory selected does not yet exist, a query appears whether this directory is to be created. Each CA should be provided with its own directory. In the example it is the directory C:\Certification Authority, which also contains the file capse.cse. This file capse.cse (the suffix cse stands for CA Security Environment) contains all relevant information on and keys of the CA.

CA Data

Figure 20: PSE-Wizard – CA Data

In the field CA Directory the directory which has been entered in the dialog box PSE Name is shown again. All files concerning the CA are stored in this directory, especially the CA database. It should be noted that in a directory there exists only one database per CA, as it might otherwise come to undesirable side effects. Serial Number is a number automatically and uniquely assigned to a certificate by the CA, with which the CA unambiguously identifies its own created certificates. This number should not be changed.

Version of Certificate

Figure 21: PSE-Wizard – Version of Certificate

The standard which the certificate is to meet is entered here. Version X.509v1 is an older version from 1988 and is being replaced more and more by version 3 from 1996. Version 3 contains several additional fields in which, among other things, alternative names for the DN can be entered. It is advisable to create an X.509v3 certificate.
the key pair is used for both the signature and encryption. Hence the data in this dialog box are relevant for both tasks of the key pair that is to be generated.SECUDE CA MANAGEMENT Version 2.0 Number of Key Pairs Figure 22: PSE-Wizard – Number of Key Pairs Here the entry is made whether the same key pair is to be used for signing and encrypting – then One pair of keys is to be entered – or whether separate pairs are to be used for signing and encrypting – then Two pairs of keys is to be entered. If One pair of keys was selected. Signature Certificate Figure 23: PSE-Wizard – Signature The algorithm and key length for the signature key are determined here. 22 SECUDE GmbH . As the certificate of a CA is used mainly only to sign and not for encryption One pair of keys can be selected here.
The length of the key with which the CA signs the user certificates is defined here. SECUDE CA MANAGEMENT allows key lengths from 512 bits to 2048 bits. The longer the key is, the better it is. A key length of 1024 bits must be regarded as the minimum for a CA. The length of the key is also dependent on the validity period of the certificate and where it is to be used. In general it can be said that the longer the period is during which the CA issues certificates with this key, the longer the key must be. With a key length of 1024 bits it is realistic to perform certification work securely for at least two to three years. If the key pair is to be used for five years or more, the key should be at least 1280 bits long.

If you have selected X.509v3-1996, you reach, using the button V3 Extensions, another wizard where the certificate extensions specified in the X.509v3 standard (see [X.509 v3], Chapter 12, Certificate extension fields) can be entered. Additionally the V3 Extensions wizard allows the entry of Netscape specified certificate extensions (see also [Netscape Certificates]).

Encryption Certificate

This dialog box appears only when Two pairs of keys has been selected. The algorithm and key length for the encryption certificate are determined here. Entries are similar to those made in the signature dialog box.

Validity Period
Figure 24: PSE-Wizard – Validity Period

In the fields Valid from and Valid until the period is entered in which the CA's certificate is valid. The format for validity is determined by the Windows system settings. The standard format is MM.DD.YY (date) and hh:mm:ss (time). The abbreviations are as follows:
Abbreviation  Meaning
MM            Month, Range 1..12
DD            Day, Range 1..31
YY            Year, Range 80..38 (i.e. 1980 – 2038)
hh            Hour, Range 0..24
mm            Minute, Range 0..59
ss            Second, Range 0..59
Table 2: Format of the Validity Fields

The validity period of user certificates issued should lie within the validity period of the issuing CA.

Sign Own Prototype Certificate
Figure 25: PSE-Wizard – Sign Own Prototype Certificate

The algorithm with which the prototype certificate is signed is chosen here. Certificates are designated as prototype certificates when they are self signed. As a root certificate is the highest certificate in the hierarchy, it cannot be signed by any other superordinate certificate. It is advisable not to change the setting.
Password
Figure 26: PSE-Wizard – Password

The password which will be used in future for log-on is entered here. The PSE file and the CA database are encrypted with the password. In this way no unauthorized person can gain access to the private key of the CA or the database. Information on passwords can be found in Chapter 1.6 Passwords.

Log-on Profiles
Figure 27: PSE-Wizard – Log-on Profiles

You enter here a symbolic name with which you can later identify this PSE when logging on.
Settings – Overview
Figure 28: PSE-Wizard – Settings – Overview

An overview of the settings that have been made is given. If you wish to make any changes to them this can still be done by clicking Back to the appropriate dialog box. When all parameters are in order the button Finish is clicked to create the PSE. Then the key generation, the creation of the certificates and of the whole PSE begins. This process takes – depending on the length of the key and the speed of the computer – several seconds to several minutes. The following figure gives an overview of how long it takes to create a file PSE, depending on the selected key length. The times were taken, on the one hand, on a PC with an AMD K6-2 300 MHz processor, and on the other, with the key generation taking place in the RACAL cryptoboard.

Figure 29: Time Comparison (1) – creation time of one PSE (sec) against key length (bit), for the AMD K6-2 300 MHz and the RACAL RG 700
The increase in computing time for longer keys is not linear. In general a longer key means that the time taken for the generation increases overproportionately to the length of the key. The processor speed has no influence on this general behaviour.

The generation process is shown step by step. CA MANAGEMENT confirms its completion. This window can be closed by clicking OK.

After creating the CA-PSE all data should be checked again. If an error has slipped in and not been discovered before creating the CA-PSE, CA MANAGEMENT should be closed and the files created in the selected CA Directory deleted. Delete also, using the menu option Tools/Log-on profiles, the relevant log-on profiles. After this the CA can be re-created with the correct settings. If certificates have already been issued with the CA-PSE, this PSE must not be deleted. Only after all data has been checked for correctness can the certification of users be started. It is advisable, before starting to create user PSEs, to enter the general settings in the dialog box Options (see Chapter 4 Options).

3.2.2 Creating a Smartcard CA-PSE

Creating a PSE on a smartcard is, apart from a few settings, identical to creating a software PSE. For this reason only the differences will be treated in detail in the following description. Before creating a smartcard CA-PSE it is important to configure the smartcard terminal under the menu option Configure smartcard/terminal… (see Section 5.3.6 Smartcard).

Type of PSE
When a smartcard PSE is to be created, select Smartcard.

Distinguished Name
The Distinguished Name of the CA is entered here. For the structure of a Distinguished Name see Chapter 1.5 Distinguished Names.
Smartcard
Figure 30: PSE-Wizard – Smartcard

As a smartcard does not have very much memory it is necessary for large elements to have an extension of the PSE in the form of an external file. For this so-called software extension of the PSE the file must be established. By clicking the drive button in the dialog box Select PSE you can navigate to the required directory. When this dialog box is left by clicking on Next a check is made whether an empty smartcard has been inserted in the smartcard terminal.

CA Data
Enter the directory for the CA database and the first serial number for user certificates.

Version of the Certificate
The standard which the certificate is to meet is entered here.

Number of Key Pairs
Here the entry is made whether the same key pair is to be used for signing and encrypting (One pair of keys) or whether separate pairs are to be used (Two pairs of keys).

Signature Certificate
Algorithm and key length of the certificate signature.

Encryption Certificate
If you have selected Two pairs of keys, you determine here the algorithm and key length for the encryption certificate.
however. the number entered is checked for correctness. When exiting the dialog box. Password The password for future log-ons is entered here.YY (date) and hh:mm:ss (time).Version 2. its value is 3. This password protects the smartcard from access by unauthorized parties. As it is not displayed when typed it must be entered twice to ensure its correctness. Which values are permitted is dependent on the type of card used. Information on passwords can be found in Chapter 1. With the Error Limit the number of password tries is set after which the card is blocked.6 Passwords. Note: There also exists an error counter for the PUK – it is fixed. The standard format is MM. The abbreviations used can be found in Table 2: Format of the Validity Fields Sign Own Prototype Certificate The algorithm with which the root certificate is signed is chosen here. The format for validity is determined by Windows system settings. It is advisable not to change the setting.DD. Password Unblocking Key – PUK Figure 31: PSE-Wizard – Password Unblocking Key – PUK With the PUK a card which has been blocked because of too many false password entries can be unblocked. SECUDE GmbH 29 .0 SECUDE CA MANAGEMENT Validity Period In the fields Valid from and Valid until the period is entered in which the PSE is valid.
Take good note of your PUK. It allows you access to your smartcard when this is blocked after too many false entries of the password.

Log-on Profiles
You enter here a symbolic name with which you can later identify this PSE when logging on.

Settings – Overview
An overview of the settings that have been made is given. If changes are required, this can be done by clicking Back to the appropriate dialog box. When all parameters are in order the button Finish is clicked to create the PSE. Then the key generation for the PSE begins. The time taken to generate the key depends on its length. Older cards support a mere 512 bits (e.g. the TCOS 1.2 card), the newer ones (e.g. the TCOS 2.0 card) 1024 bits. The process can be followed in the window. After it is completed a confirmation comes from CA MANAGEMENT. This window can be closed by clicking OK.

3.2.3 Create a Cryptoboard based CA-PSE

Creating a CA-PSE on a RACAL cryptoboard is essentially identical to creating one on a smartcard. As only the private key of the CA is stored on the cryptoboard, a software extension, analogous to a smartcard, is necessary. To create a CA-PSE based on a RACAL cryptoboard it is important that the cryptoboard is installed and configured in your PC according to the manufacturer's instructions. Additionally the two SECUDE libraries ‘pcsm.dll’ and ‘pcsmgen.dll’ must be present in the installation directory. Normally these two libraries are installed automatically with SECUDE CA MANAGEMENT.

Type of PSE
If you want to create a cryptoboard based CA-PSE, select here RACAL RG 700.

Distinguished Name
The Distinguished Name of the CA is entered here. For the structure of a Distinguished Name see Chapter 1.5 Distinguished Names.
RACAL RG 700
Figure 32: PSE-Wizard – RACAL RG 700

Only the private key is stored in the RACAL cryptoboard; all other elements are stored in a file PSE. The file PSE has a reference to the relevant private key in the RACAL cryptoboard. For this so-called software extension of the PSE the file must be established. By clicking the drive button in the dialog box Select PSE you can navigate to the required directory.

CA Data
Enter the directory for the CA database and the first serial number for user certificates.

Version of the Certificate
The standard which the certificate is to meet is entered here.

Number of Key Pairs
Here the entry is made whether the same key pair is to be used for signing and encrypting (One pair of keys) or whether separate pairs are to be used (Two pairs of keys).

Signature Certificate
Algorithm and key length of the signature certificate.

Encryption Certificate
If you have selected Two pairs of keys, you determine here the algorithm and key length for the encryption certificate.
Validity Period
In the fields Valid from and Valid until the period is entered in which the PSE is valid. The format for validity is determined by the Windows system settings. The standard format is MM.DD.YY (date) and hh:mm:ss (time). The abbreviations used can be found in Table 2: Format of the Validity Fields.

Sign Own Prototype Certificate
The algorithm with which the root certificate is signed is chosen here. It is advisable not to change the setting.

Password
The password for future log-ons is entered here. This password protects the smartcard from unauthorized access. Information on passwords can be found in Chapter 1.6 Passwords.

Log-on Profiles
You enter here a symbolic name with which you can later identify this PSE when logging on.

Settings – Overview
An overview of the settings that have been made is given. If changes are required, this can be done by clicking Back to the appropriate dialog box. When all parameters are in order the button Finish is clicked to create the PSE. Then the key generation for the PSE begins. The time taken to generate the key depends on its length.

3.3 Create a Subordinate CA

A flat certification structure (i.e. one CA certifies all users) is not always appropriate. For such cases SECUDE CA MANAGEMENT offers the possibility of creating subordinate CAs. A subordinate CA can only be created after logging on as a CA-PSE. The subordinate CA is certified by the CA-PSE which is currently logged on. The dialog box Create CA-PSE is found under the menu item File/Create subordinate CA. The dialog box and the parameters for creating a subordinate CA are analogous to those in Chapter 3.2 Create a Root Authority. Please refer to this chapter if you want to create a subordinate CA. The only difference is that the issued CA does not certify itself (prototype certificate or root certificate), but that the certificate of the logged on CA-PSE is used.
Figure 33: PSE-Wizard – Issue PSE

Here you select the appropriate issuer algorithm for the logged on CA-PSE. When all settings have been made the OK button is clicked. Depending on the length of the key the creation of the subordinate CA-PSE may take a few minutes. After the CA-PSE has been created, it can be selected via the Log On dialog box in the same way as the root authority CA. Moving between various CAs can be done by logging on and off.
4 Options

With the menu item Tools/Options the Options dialog box can be opened. The options that can be set here concern the presettings for the creation of PSEs and general settings for CA MANAGEMENT. It is advisable to make these settings as early as possible. The dialog box Options is made up of a number of areas that are arranged as index cards. The settings under Program Settings, Secude, X.500 and Warning Times are common to all certification authorities operated by one user. The settings under Issuer, PSE Options and Sphinx Pilot [Sphinx] can be set individually for each certification authority and are therefore only shown when you are logged on to a CA-PSE.

Button Apply
When a change has been made in the Options dialog box, the change is saved by clicking the button Apply. When OK is clicked the change is executed and the Options dialog box is closed. With the button Cancel the change is rejected and the Options dialog box closed. The change can, of course, only be rejected if it has not previously been saved with Apply.

4.1 User-specific Settings

4.1.1 Program Options

With Program Options the following options can be set:
Figure 34: Options – Program Options

General Options
With the field Verbose Level the degree of detail of error messages is controlled. A 0 means a short text, a 3 causes the most detailed explanation to be shown. If problems occur in the execution of the program it is advisable to set the more detailed Verbose Level and then to re-run the function that has caused the error. The complete error message should be sent by e-mail to support@secude.com or by ordinary mail to SECUDE GmbH.

Import SAP Report
In the Import SAP-Report area the configuration can be made whether CA MANAGEMENT tests for duplicate names while importing the SAP report RSUSR402. With a tick in the check box No Duplicate User Names the function is activated. The crucial point is the user name entered in the field User in the user administration of SAP R/3. If, for example, a user Miller already exists, CA MANAGEMENT ignores all users with this name when importing the SAP report. If the option Random Password has been selected, the user entries imported get the attribute Random Password, and when the PSE is created, a random password is generated. When this option is not selected the Username from the SAP report is automatically taken as a password. The option User Distinguished Name Scheme determines how the data from the SAP report or the Distinguished Name of the CA is organized to create the Distinguished Names of the users. If, e.g., the CA has the Distinguished Name "O=SECUDE GmbH, C=DE" and the user
has the SAP user name "SMITH001", the setting "<SAPUsername>, <IssuerDName>" results in the following Distinguished Name of the user: CN=SMITH001, O=SECUDE GmbH, C=DE

Create PSE
When the option Add List of Public Keys is set, a file can be selected from the field below which contains a list of certificates, or rather the public keys (for example, in PEM format) included in them. With the drive button in the file dialog box a file can easily be selected. The list entered here is included as a further element in the PSE when PSEs are later created. This option is advisable when, for example, all users of one's own CA should trust an outside CA. By storing the outside CA's certificate in a user PSE, the former is considered trustworthy.

4.1.2 SECUDE

Presettings for the SECUDE security library are made here for CA MANAGEMENT. Their purpose is to define the parameters of the checks carried out on digital signatures.

Figure 35: Options – SECUDE

Trust your own Forward Certification Path
A CA-PSE can be embedded in a hierarchic certification structure (it is then called a subordinate CA). The path between the root authority and the CA-PSE is called the certification path. This path is checked when logging on or as soon as the button for checking the CA-PSE is clicked. The longer the path, the longer the check takes. By selecting this option the check is deactivated.
Verification includes Validity Verification
Checking the validity period of certificates is activated or deactivated here.

Verify Certificates against Revocation List
When a CA wishes to revoke a certificate, this latter is entered into a revocation list (see Chapter 5.3.3 CA-PSE under item Add Revocation List). A certificate posted in this list has thus become invalid. The CA is obliged to distribute the list to all its participants. When a certificate, in the course of checking the signature, is to be verified, this option can be used to control whether the revocation list is to be consulted to check the validity. SECUDE uses different methods to make the consultation of valid revocation lists possible: The first possibility is to include the revocation list as an element in your own PSE. If the check is to be made on an X.509v3 certificate, this may contain as an extension a URL, through which a search for revocation lists can be made. The third possibility is that access to an LDAP directory has been configured in CA MANAGEMENT. In this case a search for a valid revocation list is made in the directory. When no valid revocation list of the certificate issuer can be found, the verification fails.

Verify according to "PEM subordination rule"
The PEM subordination rule is defined in RFC 1422 ([RFC 1422], Ensuring the Uniqueness of Distinguished Names). The rule ensures that the name of the issuer is a component of the name of the person being certified.

Verify your own Certificate when Signing
Before generating a signature a check is made whether the certificate of the CA-PSE is still valid.

Use aliases
For the resolution or finding of certificates related to Distinguished Names the alias list is accessed.

ETC Directory
In the etc-directory you can store, for example, the smartcard configuration file. The setting depends on the PC and caution should be exercised when changing it.
4.1.3 X.500

With this index card the access to a directory service is determined. SECUDE supports two directory services: X.500 based on an LDAP server and AFDB (abbreviation for Authentication Framework Data Base, a SECUDE-developed substitute for an X.500 Directory). When both services are selected AFDB has the higher priority when reading. If access to LDAP is also required, the appropriate entries (ask your LDAP administrator for them) must be made in the fields Server, Port and Tailor. Your LDAP administrator will be able to inform you of the X.500 password. An entry in the field Library is only necessary when access to a library other than the standard library installed with SECUDE CA MANAGEMENT is required. With the button Test LDAP-LIB a check can be made whether the selected library exists. If, for example, when checking a certificate, one certificate out of the certification path is missing in the PSE, the automatic search for the missing certificate can be activated with this option.

Figure 36: Options – X.500

4.1.4 Warning Periods

You can specify with this index card how much warning the program gives you before an event occurs.
Figure 37: Options – Warning Periods

CA-PSE Warning Period in Days
The area CA-PSE Warning Period in days refers to the progress of the validity period of elements of the CA-PSE. When the program is started the PSE elements Certificate, Certification Path, Root Certificate and Revocation List (if existent) are checked for correctness and validity. When the remaining period of validity lies within the warning period the appropriate message is shown. The presetting here is 365 days, i.e. one year, and for revocation lists 30 days. When the CA certificate or that of a higher CA expires, all users of the CA must be informed and the elements updated.

User Certificate Warning Period in Days
In the field User Certificate Warning Period in Days you specify how many days prior to a user certificate's expiry you should receive a warning message. When the event occurs the corresponding symbol in the user list changes its appearance: the user entry is marked with a red exclamation mark (see 6.1.1 User List). The user might need a new certificate then.

4.2 CA-specific Options

4.2.1 Issuer

Issuer Options
In the area Issuer the issuer algorithm and the period of validity for certificates and revocation lists are entered. By entering the period of
validity in days it is possible to issue certificates for very short as well as long periods. The values set here are proposed as default values when signing, but can be changed.

Figure 38: Options – Issuer

Revocation List Directory
This is the default directory where revocation lists issued by the CA are stored. More information on the creation and distribution of revocation lists can be found in Chapter 7 Revocation List Management.

Store PSEs and Certificates in Database
When this option is selected, on creation of a file PSE for a user the complete PSE is saved in a database. Should the user lose his PSE, this backup can be handed over to him. This option is not provided for smartcard PSEs as the private key must not leave the smartcard.

4.2.2 PSE Options

The index card PSE Options shows options which are used as the basis for the creation of user PSEs. The index card is divided into the areas Owner Options, Password Options and PUK Options
and their functions.

Figure 39: Options – PSE Options

PSE Directory
Here the directory is entered in which the users' PSEs created by CA MANAGEMENT are stored. With the button a dialog box is opened to select a directory. The directory is selected by a mouse click. If a directory is entered that does not yet exist, it is created.

Owner Options
In the area Owner Options the type of PSE can be set, either a PSE with one key pair or a PSE with two key pairs. This refers to the number of asymmetric key pairs to be created. When a PSE is created with a single key pair this is used for both signature and encryption. With two key pairs each function has its own key pair. The value which is entered in the field Key length depends on the validity period given to the certificate. For certificates with a validity period of two to three years a 1024 bit key length is sufficient.

Password Options
In the area Password Options either a standard initial password can be entered or the generation of a password can be left to the program. If the check box is not ticked and the second field remains empty, this option has to be set or a password entered every time a PSE is created. That means every time a PSE is created it must be decided how the password is generated.
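The validity fields of Table 2 (Chapter 3.2), the rule that a user certificate's validity must lie within that of the issuing CA, and the warning periods of Chapter 4.1.4, worked through as an added Python example (this is not SECUDE code; the sample dates and element names are constructed for illustration):

```python
"""Added example (not SECUDE code): parsing the wizard's MM.DD.YY hh:mm:ss
validity fields, checking that a user certificate lies within the CA's
validity, and applying the warning periods of the Options dialog."""
from datetime import datetime, timedelta


def expand_year(yy):
    """Table 2: YY ranges 80..38, i.e. 1980-2038. Two-digit years outside
    that window are rejected rather than guessed."""
    if 80 <= yy <= 99:
        return 1900 + yy
    if 0 <= yy <= 38:
        return 2000 + yy
    raise ValueError("YY=%02d is outside the 80..38 window" % yy)


def parse_validity(field):
    """Parse 'MM.DD.YY hh:mm:ss' as shown by the wizard with the default
    Windows date format. Hour 24 (permitted by Table 2) is read as the end
    of the given day; out-of-range months or days raise ValueError."""
    date_part, time_part = field.split()
    mm, dd, yy = (int(x) for x in date_part.split("."))
    hh, mi, ss = (int(x) for x in time_part.split(":"))
    year = expand_year(yy)
    if hh == 24:
        if mi or ss:
            raise ValueError("hour 24 is only meaningful as 24:00:00")
        return datetime(year, mm, dd) + timedelta(days=1)
    return datetime(year, mm, dd, hh, mi, ss)


def field_ok(field):
    """True when the field is acceptable under Table 2."""
    try:
        parse_validity(field)
        return True
    except ValueError:
        return False


def within_issuer_period(user_from, user_until, ca_from, ca_until):
    """The validity period of a user certificate should lie within the
    validity period of the issuing CA (Validity Period, PSE wizard)."""
    return ca_from <= user_from < user_until <= ca_until


def days_until_warning(valid_until, today, warning_days):
    """Days left before the warning period starts; zero or negative means
    the remaining validity already lies within the warning period, which is
    when the program shows the warning (red exclamation mark in the list)."""
    return (valid_until - today).days - warning_days


def check_ca_pse(elements, today, ca_warning_days=365, crl_warning_days=30):
    """Apply the default warning periods (365 days for CA-PSE elements, 30
    for the revocation list) to the elements checked at program start.
    'elements' maps element name -> 'Valid until' field; returns the names
    of the elements whose remaining validity is inside the warning period."""
    due = []
    for name, until in elements.items():
        warning = crl_warning_days if name == "Revocation List" else ca_warning_days
        if days_until_warning(parse_validity(until), today, warning) <= 0:
            due.append(name)
    return due


if __name__ == "__main__":
    # Constructed sample values, not taken from the manual.
    today = parse_validity("06.01.99 00:00:00")
    ca_from, ca_until = parse_validity("01.01.99 00:00:00"), parse_validity("01.01.02 00:00:00")
    user_from, user_until = parse_validity("06.01.99 00:00:00"), parse_validity("06.01.01 00:00:00")
    print("user certificate inside CA period:", within_issuer_period(user_from, user_until, ca_from, ca_until))
    print("elements needing attention:", check_ca_pse(
        {"Certificate": "01.01.02 00:00:00", "Revocation List": "06.15.99 00:00:00"}, today))
```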
PUK Options
The area PUK Options is important when creating smartcard PSEs. The PUK is used to unblock a smartcard after too many retries have been made. For the PUK the same applies as for Password Options.

4.2.3 User Options

Here you can specify the defaults for the user form.

Figure 40: Options – User Form

Default User Distinguished Name
This determines how the Distinguished Name for the corresponding certificate is formed from the entries under User Data in the User Form. If e.g. in the user form the mail address firstname.lastname@example.org is entered, the setting <Mail Address> produces the default Distinguished Name CN=firstname.lastname@example.org for that user.

Distinguished Name is Prefix
If this checkbox is ticked, the issuing CA's Distinguished Name is added to the user's Distinguished Name. Thus it is possible to use the Distinguished Name for illustrating the certification hierarchy.

Default PSE Name
This determines how the PSE name for the corresponding PSE is formed from the entries under User Data in the User Form. If e.g. in the user form the identification (Id) jbond007 is entered, the setting <Id> produces the following default PSE name for the corresponding user: jbond007.pse.

4.2.4 Sphinx Pilot

These options have been introduced in connection with SECUDE GmbH's participation in the Sphinx project of the German Federal Office for Security Technology (see [Sphinx]). Before drawing up a revocation list a special format can be determined with this option so that the list is compatible with those of other participants in the Sphinx project. This option should not be set in any other case.

Figure 41: Options – Sphinx Pilot
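The Distinguished Name schemes of Program Options ("<SAPUsername>, <IssuerDName>") and User Options ("<Mail Address>", "Distinguished Name is Prefix") together with the PEM subordination rule from the SECUDE presettings, as an added Python example (not SECUDE's implementation; DN strings are handled in the manual's comma-separated form, and accepting equal names for a CA's self-signed prototype certificate is this example's assumption):

```python
"""Added example (not SECUDE code): forming user Distinguished Names from a
scheme string and checking the PEM subordination rule of RFC 1422."""
import re


def parse_dn(dn):
    """'CN=SMITH001, O=SECUDE GmbH, C=DE' -> [('CN', 'SMITH001'), ...].
    Only unescaped commas separate components, so a backslash-escaped comma
    inside a value is kept as part of that value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        if not part.strip():
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("component without '=': %r" % part)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def format_dn(rdns):
    return ", ".join("%s=%s" % (attr, value) for attr, value in rdns)


def build_dn_from_scheme(scheme, user_data, issuer_dn):
    """Expand a scheme such as "<SAPUsername>, <IssuerDName>" or
    "<Mail Address>". <IssuerDName> is replaced by the CA's DN; every other
    placeholder by a CN attribute taken from the user data, which is how the
    manual's example CN=SMITH001, O=SECUDE GmbH, C=DE arises."""
    def expand(match):
        key = match.group(1)
        if key == "IssuerDName":
            return issuer_dn
        if key not in user_data:
            raise KeyError("user form has no entry for <%s>" % key)
        return "CN=" + user_data[key]
    return format_dn(parse_dn(re.sub(r"<([^>]+)>", expand, scheme)))


def pem_subordinate(subject_dn, issuer_dn):
    """PEM subordination rule: the issuer's name must be a component of the
    subject's name, i.e. in the leaf-first string notation the issuer's RDNs
    form the tail of the subject's RDNs. Equal names (a CA's self-signed
    prototype certificate) are accepted here; that is this example's choice."""
    subj, iss = parse_dn(subject_dn), parse_dn(issuer_dn)
    return len(subj) >= len(iss) and subj[len(subj) - len(iss):] == iss


def default_user_dn(scheme, user_data, issuer_dn, dn_is_prefix=False):
    """User Options: with "Distinguished Name is Prefix" ticked the issuing
    CA's DN is appended, so the result satisfies the subordination rule and
    the hierarchy can be read off the name."""
    dn = build_dn_from_scheme(scheme, user_data, issuer_dn)
    if dn_is_prefix and not pem_subordinate(dn, issuer_dn):
        dn = format_dn(parse_dn(dn) + parse_dn(issuer_dn))
    return dn


if __name__ == "__main__":
    # Constructed sample values following the manual's examples.
    ca = "O=SECUDE GmbH, C=DE"
    print(build_dn_from_scheme("<SAPUsername>, <IssuerDName>", {"SAPUsername": "SMITH001"}, ca))
    print(default_user_dn("<Mail Address>", {"Mail Address": "firstname.lastname@example.org"},
                          ca, dn_is_prefix=True))
    # A certificate whose subject is not under the issuer fails the rule:
    print(pem_subordinate("CN=SMITH001, O=Other Org, C=DE", ca))
```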
5 Management of the CA

The program can be started from the icon on the left. In the Windows start menu the entry can be found under: \Program Files\SECUDE\CA Management

After the program has been loaded the dialog box for log-on appears. If SECUDE CA MANAGEMENT is being started for the first time, no CA-PSE is present with which log-on can be started. Chapter 3 Organisation of a Security Infrastructure describes how a new CA-PSE is created. If a CA-PSE has already been created, the symbolic name that you have given to address your CA-PSE is entered in the text bar Log-on Profiles of the Log-on dialog box (see Figure 27: PSE-Wizard – Log-on Profiles). With the button you reach the dialog box Log-on Profiles (see Chapter 5.3.5.3 Extras / Log-on Profiles…). The password is then entered in the text bar Password and OK is clicked.

5.1 CA MANAGEMENT Overview

The main window of CA MANAGEMENT displays some important items of information after log-on. The status bar at the bottom of the screen shows Ready, i.e. the program is ready for input. The Distinguished Name of the certification authority currently logged on also appears.
Figure 42: Empty User List

The two buttons on the left of the tool bar allow a fast log-on or log-off. Log-on and -off can also be made via the menu item File. Via the drop-down menu View the tool bar and status bar can be hidden or displayed.

Figure 43: Tool Bar Hidden
Figure 44: Tool Bar Active

By clicking the left mouse button on the side of the tool bar and holding, the bar can be dragged to another position in the main window, e.g. to the left side. It is also possible to drop it outside the main window. CA MANAGEMENT is designed according to the Windows Style Guide and can be operated accordingly, i.e. by clicking a button an action in the program is launched.

5.2 The Tool Bar

The tool bar consists of eight buttons. All buttons that are not greyed out are active. The greyed out buttons do not become active until certain actions have been taken. For example the button to change the password is not activated until after log-on.
Button – Function
- Log on to your CA-PSE. Only active when logged off. The Log-on dialog box is opened.
- Log off from the active CA-PSE. Only active when logged on.
- Change the CA-PSE Password. Only active when logged on. The Change Password dialog box is opened.
- Verification of the CA-PSE. Only active when logged on.
- View all elements stored in the CA-PSE such as revocation lists, root certificate, own certificates, etc. Only active when logged on. The PSE Contents dialog box is opened.
- Display Signature certificate. Only active when logged on. The Display Certificate dialog box is opened.
- Edit or create a User entry. Only active when logged on. The User form is opened.
- Create a list of user PSEs. Only active when entries in the user list have been selected. The PSE Creation dialog box is opened.
Table 3: Toolbar

5.3 The Menu Bar

This chapter explains the functions which can be carried out via the menu. All CA MANAGEMENT functions, including those from the tool bar, can be started from the menu.

Figure 45: Menu Bar

The menu consists of the standard components File, View, Tool, Window, and ? (for Help), and of CA MANAGEMENT-specific parts such as PSE, User, and Smartcard.
A menu item can be opened by a left mouse click or with the key combination Alt and the underlined letter in the menu item, e.g. the letter F in File. In the Status Bar of CA MANAGEMENT a short explanatory text for each menu item is displayed. For the menu item File/Log On the status bar (provided it is active) contains the explanatory text Log On as a CA.

5.3.1 File

The menu File contains functions for log-on and -off as a CA, for generating a CA-PSE, import functions for external data and for exiting CA MANAGEMENT.

5.3.1.1 File / Log On …
The menu item File/Log On is active only when not logged on. The dialog box Log On is opened. With this dialog box a CA-PSE can be chosen from a list of the existing CAs and the password entered. In this way the CA-PSE is opened and work with it can be started. Creation of a CA-PSE can also be started from the Log On dialog box. Note: Function exists as a button.

5.3.1.2 File / Log Off
The menu item File/Log Off is active only when logged on. Use this menu item to close the CA-PSE, i.e. to log off. Log-off does not involve exiting the program. Note: Function exists as a button.

5.3.1.3 File / Create CA …
The menu item File/Create CA is active when logged off. The dialog box for entering and generating a CA-PSE is opened with this menu item. For details see Chapter 3.2 Create a Root Authority.

5.3.1.4 File / Create Subordinate CA …
The menu item File/Create Subordinate CA… is active when logged on. The dialog box for entering and generating a subordinate CA is opened with this menu item. For details see Chapter 3.3 Create a Subordinate CA.
5.3.1.5 File / Import / SAP Report
The menu item for importing external data into an existing CA-PSE is active only when logged on. With this menu item, user data from SAP R/3 (from version 3.1G) can be imported. All data required for the creation of a PSE are transmitted from R/3 (see Chapter 8.1 Import of SAP R/3 User Data).

5.3.1.6 File / Import / SECUDE
The menu item for importing external data into an existing CA-PSE is active only when logged on. Existing CA-PSE data created with SECUDE command line tools can be imported with this menu item.

5.3.1.7 File / Recent Log List
When SECUDE CA MANAGEMENT is called up for the first time this line is empty. Later you can, with this menu item, circumvent the Log-on dialog box by logging on with a previously opened CA-PSE. You need only enter the password. If you are already logged on with a CA-PSE, you are logged off from this without any check-back.

5.3.1.8 File / Quit
The program is exited immediately with this menu item. If logged on as a CA-PSE, this will be closed first and then the program exited.

5.3.2 View

The drop-down menu View consists of the menu items to show or hide the tool bar and the status bar. The revocation lists of the CA and the user list can be displayed.

5.3.2.1 View / Tool Bar or Status Bar
When the tool bar or the status bar is active the respective menu item is marked by a tick. When there is no tick the bar is hidden.

5.3.2.2 View / User List or Revocation List
With the menu item View/User List the user list of the CA is displayed. Information on the CA revocation lists can be found under the menu item View/Revocation List. The revocation lists can also be processed here.
to bring up the user list choose View/User List. and the PSE can be processed. Figure 46: Revocation List The view User List is treated in Chapter 6 Management of User Data.0 SECUDE CA MANAGEMENT This menu item allows switching between User List and Revocation list. Furthermore it is used to write requests for certification of prototype certificates and to add revocation lists into the CA-PSE. The title bar of the program window of CA MANAGEMENT changes accordingly: or In the view Revocation List the displayed revocation list can be processed.3. SECUDE GmbH 49 . Note: Switching is also possible via the key combination <Ctrl+F6>. To bring up the Revocation list choose the option View/Revocation list.Version 2. 5. For details see Chapter 7 Revocation List Management.3 CA-PSE The menu CA-PSE displays information on the CA-PSE.
5.3.3.1 CA-PSE / Show Signature Certificate …
With the menu item CA-PSE/Show Signature Certificate, the signature certificate can be displayed. The certificate information is shown clearly in it. In the index card Owner the most important certificate data can be found: the Distinguished Name of the CA (owner), the Distinguished Name of the issuing CA (issuer), the period of validity, the serial number and the version number. If the CA is a root authority, the Distinguished Names of owner and issuer are identical.
Figure 47: Signature Certificate – Owner
On the other index cards the remaining information on the certificate can be found. The menu item is only active when logged on.
Note: Function exists as a button.

5.3.3.2 CA-PSE / Show Encryption Certificate …
If the PSE has two key pairs, the encryption certificate can be displayed with CA-PSE/Show Encryption Certificate. The encryption certificate window is structured analogously to the one for the signature certificate. This menu item is only active when logged on and with a PSE with two key pairs. When the PSE has one key pair the menu item is grayed out.

5.3.3.3 CA-PSE / Write Certificate Request …
With this menu item a request for certification can be written to the superior CA. In the dialog box Write Certification Request the name of the file (including the path) is entered in which the request is to be saved. The superior CA should have access to this file. If the file has been stored on a server accessible for other people, the issuing CA should be asked for an unambiguous file name, so that no confusion can occur. After asking the superior CA which formats it supports, you can determine in the field Type of File whether the file is to be saved in pem format or in PKCS#10 format [PKCS#10]. The superior CA must now be informed where the request for certification is to be found or whether it will be sent by e-mail or by floppy disk.
Figure 48: Write Certification Request
The menu item is only active when logged on.

5.3.3.4 CA-PSE / Read Certificate Response
After the request for certification has been processed by the superior CA the signed certificate can be inserted into your PSE with the menu item CA-PSE/Read Certificate Response. In the dialog box that is then opened the appropriate directory and file are selected where the response is located. The two formats pem and PKCS#7 (see [PKCS#7]) are supported.
Figure 49: Read Certification Response
If you have selected a certification response in pem format, you get information on it in the window Process Certification Response. You can read if the certification response fits your certificate. This means the response also includes your public key. In the following line you get information on the validity of the digital signature.
If you are being certified for the first time or if you have changed the CA, the certification response will contain a new root certificate not yet included in your PSE. It is therefore essential to check the checksum (fingerprint) of the root certificate's public key. Only in this way can you make certain that your certification response has been processed by the right CA. Checking the checksum (fingerprint) is an important measure. A potential attacker who tries to foist a false certificate (and thus his own public key) onto you can be identified by an incorrect checksum (fingerprint). The checksum (fingerprint) of the root certificate's public key should be published by the root authority; this can be done e.g. in a company publication or in the daily newspapers.
Only after the automatic verification of the certification response has turned out positive should you insert it by clicking on the button Add.
Figure 50: Process Certificate Response
Besides Add the dialog box has two other buttons. Print prints the contents of the window. Clicking on Message displays the pertaining (coded) PEM messages. If the certification response is in PKCS#7 format, the dialog box contains essentially the same information. Only the button Message is omitted because the response is not an ASCII file.

5.3.3.5 CA-PSE / Update Revocation List …
If new revocation lists (from superior CAs) are to be inserted into the PSE, this is done by selecting in the menu CA-PSE the item Update Revocation List. This opens the dialog box PSE Revocation Lists, which displays the revocation lists in the PSE.
Figure 51: PSE Revocation Lists
To insert a new revocation list in the CA-PSE, Insert from File is clicked and the file in which the new revocation list is located is selected from the window Read Revocation List from File. The administrator responsible for the revocation list will inform you which file it is.
Figure 52: Read Revocation List from File
It is also possible to request with Insert from Directory revocation lists from an LDAP/X.500 directory service. To do this the Distinguished Name of the CA from which the revocation list is requested must be entered into the dialog box. After a revocation list has been selected the following dialog box appears. In this dialog box you can check the validity of the revocation list before actually inserting it. For this the button Verify is clicked.
Figure 53: Insert Revocation Lists in PSE
When the check is positive the revocation list can be inserted into the PSE by clicking the button Insert. When revocation lists are used to verify a digital signature the check box "Verify Certificates against Revocation List" in the menu Tools/Options/SECUDE must be ticked. It must also be ensured that a valid revocation list from the superior CAs is available.

5.3.3.6 CA-PSE / Change Password
When creating the CA-PSE a password is established. For safety reasons it should be changed regularly. With the menu item CA-PSE/Change Password the dialog box Change Password is opened. In this box first the current password of the opened CA-PSE is entered. The new password must be entered in the field New Password and repeated in Re-enter Password. Then the OK button is clicked. When the CA-PSE is on a smartcard, the password length is restricted to eight characters. Otherwise it is restricted to 14 characters, as this is the maximum length for a Microsoft Access database.
Figure 54: Change Password
The old password is requested so that no unauthorised person can change it in the owner's absence. Great care should be taken when choosing the password. For details see Chapter 1.6 Passwords. This protects not only your CA-PSE, but also the CA database. Should a third party come into possession of the password, whether legitimately or not, he is able to work with the CA.
If the old password is entered incorrectly, the message on the left appears. If, when entering the new password, a typing error occurs in either of the fields, the message on the left is shown. The OK button must be clicked and the entries retyped. If no errors were made with either the old password or the entry and repetition of the new one, the program changes the password of the PSE and confirms it with the message on the left.
Note: Function exists as a button.

5.3.3.7 CA-PSE / Verify…
A CA-PSE consists of a number of elements such as one's own certificates, root certificate, certification path and revocation list. These elements are valid for a limited time and are subject to dependencies. CA MANAGEMENT automatically verifies the elements whenever the CA-PSE is opened. With the menu item CA-PSE/Verify all necessary verification checks for the CA-PSE are made.
Figure 55: Verify PSE
The following checks are made: current validity of the CA certificate, current validity of the root certificate, certificate path, revocation list, and all signatures. If a period of validity is about to expire, a warning is given. Warning periods are stipulated under Extras/Options/Warning Periods.
Note: Function exists as a button.

5.3.3.8 CA-PSE / Write Certification Path …
This menu item is used to make the certificate path of the CA available to other products (e.g. www-Server or Browser from Netscape or Microsoft). After clicking CA-PSE/Write Certification Path a dialog box appears in which the file name is entered under which the certificate path is to be saved, and the appropriate file format for the product is selected.
Figure 56: Save Certification Path
CA MANAGEMENT saves the certificates belonging to the certificate path each in its own file, which leads to a chain of related files, e.g. CApath.root.crt, CApath.path1.crt, ..., CApath.path5.crt. The last certificate in the chain is from one's own CA.
Note: Function exists as a button.

5.3.3.9 CA-PSE / Display Contents…
The PSE of a CA consists of several elements. All the elements are listed and displayed in the dialog box CA-PSE/Display Contents. The number of index cards varies according to the number of PSE elements included. The information shown varies according to the element. The display of a certificate contains the name of the issuer, the serial number, the period of validity, the checksum (fingerprint) of the public key, and data concerning the signature algorithm and the algorithm for which the key pair can be used. The key length is also shown. Under Revocation List the revocation lists received from the superior CAs are listed. Serial Number contains the serial number last issued by the CA.
Figure 57: PSE Contents

5.3.4 User
With the drop-down menu User the dialog box to enter and to change user data and to create PSEs is opened. Certificates in LDAP directories can also be made available and be deleted from them. The selection of a user is made with the left mouse button. Using the left mouse button together with the shift key a block of entries can be selected. Using the left mouse button together with the control key individual entries can be selected or deselected out of this block.

5.3.4.1 User / Create User Entry …
The menu item is active only when logged on. With User/Create User Entry the dialog box to enter and change user data is opened. This function is described in detail in Chapter 6 Management of User Data.
Note: Function exists as a button.

5.3.4.2 User / Create List of PSEs
The menu item is active only when logged on and when at least one user entry in the user list is selected. By clicking User/Create List of PSEs the selected PSEs are immediately created. Entries can also be selected for which a PSE has already been created. These entries are ignored when new PSEs are created. This function is described in detail in Chapter 6.3 Create User PSEs.
Note: Function exists as a button.

5.3.4.3 User / Write Certificates for LDAP …
The CA can put its certificates at the disposal of other users in an LDAP directory. To do this the certificates concerned are marked in the user list and the menu item User/Write Certificates for LDAP… clicked. This opens the window below:
Figure 58: Save LDIF File – Insert Certificates
The appropriate directory is selected and the name of an LDIF file is entered in the field File Name. CA MANAGEMENT then saves the marked certificates in this file. The LDAP administrator can now update his LDAP directory with this file.

5.3.4.4 User / Remove Certificates from LDAP …
Certificates can also be deleted from the LDAP directory. The certificates to be deleted are marked in the user list and the menu item User/Remove Certificate from LDAP clicked. The dialog box below is opened:
Figure 59: Save LDIF File – Delete Certificates
The appropriate directory is selected and the name of an LDIF file is entered in the field File Name. CA MANAGEMENT then saves the marked certificates in this file. The LDAP administrator can now update his LDAP directory with this file.

5.3.4.5 User / Write List of Public Keys …
This function is intended for users who cannot get certificates from the participants in the certification infrastructure through a directory service such as LDAP. In this case the CA writes all public keys into a file (pem format), which it also digitally signs. This file must be distributed to the users, who can then copy it into their PSE using SECUDE PSE MANAGEMENT.
Figure 60: Write PK List
A choice can be made whether all certificates that the CA has ever issued are copied into the file, or only the current ones. After clicking OK a dialog box opens in which directory and file name have to be entered.

5.3.4.6 User / Write Certificates as ASN.1…
With this function the CA can write issued certificates as an ASN.1 structure. To do this the required certificates are marked in the user list and the menu item User / Write Certificates as ASN.1… is clicked. The dialog box Write Certificates is opened.
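As an added illustration of the two LDIF functions in 5.3.4.3 and 5.3.4.4 above (example code, not part of CA MANAGEMENT), the following Python writes RFC 2849 change records that add or delete a certificate value under a user's Distinguished Name, and reads such a file back so it can be checked before the LDAP administrator applies it. The attribute name userCertificate;binary, the DNs and the certificate byte strings are assumptions constructed for the example.

```python
import base64

# Attribute under which LDAP directories normally hold X.509 certificates
# (an assumption of this example; the manual does not name the attribute).
CERT_ATTR = "userCertificate;binary"
LDIF_WIDTH = 76   # RFC 2849: fold long lines; continuation lines start with one space


def fold(line, width=LDIF_WIDTH):
    """Split one logical LDIF line into physical lines of at most `width` characters."""
    out = [line[:width]]
    rest = line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out


def dn_line(dn):
    """'dn: value' for a safe ASCII string, 'dn:: base64' when the DN is non-ASCII
    or starts with a character that LDIF does not allow unencoded."""
    safe = dn.isascii() and bool(dn) and dn[0] not in " :<" and "\n" not in dn and "\r" not in dn
    if safe:
        return "dn: " + dn
    return "dn:: " + base64.b64encode(dn.encode("utf-8")).decode("ascii")


def change_record(dn, cert_der, operation):
    """One LDIF change record; operation is 'add' (publish) or 'delete' (remove)."""
    if operation not in ("add", "delete"):
        raise ValueError("operation must be 'add' or 'delete'")
    logical = [
        dn_line(dn),
        "changetype: modify",
        f"{operation}: {CERT_ATTR}",
        f"{CERT_ATTR}:: " + base64.b64encode(cert_der).decode("ascii"),  # '::' marks base64
        "-",
    ]
    physical = []
    for line in logical:
        physical.extend(fold(line))
    return "\n".join(physical) + "\n"


def write_ldif(entries, operation):
    """entries: iterable of (dn, cert_der). Returns the complete LDIF text."""
    records = [change_record(dn, der, operation) for dn, der in entries]
    return "version: 1\n\n" + "\n".join(records)


def parse_ldif(text):
    """Unfold and parse LDIF as produced above.
    Returns a list of (dn, operation, cert_der) tuples."""
    unfolded = text.replace("\n ", "")          # undo line folding
    result = []
    for block in unfolded.strip().split("\n\n"):
        fields, operation = {}, None
        for line in block.split("\n"):
            if line == "-" or line.startswith("version:"):
                continue
            key, _, value = line.partition(":")
            if key in ("add", "delete"):
                operation = key
                continue
            if value.startswith(":"):            # base64-encoded value
                fields[key] = base64.b64decode(value[1:].strip())
            else:
                fields[key] = value.strip().encode("utf-8")
        if "dn" not in fields:
            continue                             # the leading version block
        result.append((fields["dn"].decode("utf-8"), operation, fields[CERT_ATTR]))
    return result


# Constructed sample data: the byte strings stand in for DER-encoded
# certificates and are not real certificates.
SAMPLE_ENTRIES = [
    ("cn=Alice Example,ou=Sales,o=Example Corp,c=DE", bytes(range(256)) * 2),
    ("cn=Bj\u00f8rn \u00d8rsted,o=Example Corp,c=DE", b"\x30\x82\x01\x00" + b"\xa5" * 300),
]

if __name__ == "__main__":
    print(write_ldif(SAMPLE_ENTRIES, "add"))
```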
Figure 61: Write Certificates
Each certificate is written as its own ASN.1 file. Under Directory the directory can be found in which the files are saved. With a click on the disk button a dialog box is opened in which you can navigate to the appropriate directory. The file names are composed of the value entered under Prefix and a unique number. In this version only the format ASN.1 can be set.

5.3.4.7 User / Generate Password Form Letter…
This function is used to select entries from the CA database for generating an export file which in turn is used as a database for the Microsoft Word form letter function (see section 8.3 Inform of Transport Password: Export to Microsoft Word – Form Letter). Thus it is very easy to inform the PSE recipients about their transport passwords via password form letters. Clicking User / Generate password form letter opens the following dialog.
Figure 62: Generate Password Form Letter
The list Available fields contains the fields that can be exported from the CA database. The list Export fields contains the fields actually to be exported. Using the left/right buttons, entries can be moved from one list to the other. Using the up/down buttons, the order of the fields within the list can be stipulated. With Delete the list is emptied. In most cases it is neither necessary nor useful to export all fields.
When the fields to be exported and their order are determined, click OK. A file dialog opens where directory and name for the export file are set. The export file is in CSV file format (i.e. a list with entries separated by semicolons). The first line of the CSV file contains the names of the exported fields. Each data set has its own line; fields within one data set are separated by semicolons. Often the export file will contain security sensitive data, e.g. the passwords of the generated PSE files. For this reason the export file must always be kept in a secure environment and deleted as soon as it is no longer needed.

5.3.5 Extras
In the menu Extras special functions concerning the CA can be found. Via the item Password Policy rules can be established which the CA can oblige the users to follow. Via the item Log-on Profiles the log-on profiles can be administered. With the menu item Options global settings for CA MANAGEMENT are made.

5.3.5.1 Extras / Password Rules…
To support the choice of good passwords (cf. Chapter 1.6 Passwords) by the users for whom the CA creates PSEs, the CA can prescribe Password Rules which the users' passwords have to meet. The dialog box for this is opened with the menu item Extras/Password Rules.
Figure 63: Password Rules – Rules Editor
In the Rules Editor norms can be set which the users' passwords must meet. With Length Restrictions the upper and lower limits for the length of the password are defined. In Character Set it is determined whether certain kinds of characters are required in the passwords. With Contents certain passwords are totally excluded, e.g. names known to the system such as user, group, computer and domain names, previous passwords, entries from a referential file (to which the user has reading rights but only the CA writing rights) containing undesirable passwords, or entries from a referential list to be compiled in this dialog box (one entry per line). Furthermore the validity period of the user password and how many times the user can log on after the validity has expired can be defined. The latter is necessary so that the password can be changed after its expiry. Before insertion in the CA database the rules can be checked with Preview.
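The following Python is an added example, not code from SECUDE, of how a rule set with the sections of the Rules Editor (Length Restrictions, Character Set, Contents, validity period and log-ons permitted after expiry) can be enforced on the user side. The concrete limits, the system names, the previous passwords and the referential file are constructed values; the decision to match system names as case-insensitive substrings and the other excluded entries as whole passwords is an assumption of the example.

```python
import re
from datetime import date, timedelta

# Constructed rule set; the values are assumptions for the example.
RULES = {
    "min_length": 8,
    "max_length": 50,          # the manual allows up to 50 places for a file PSE password
    "require_lower": True,
    "require_upper": True,
    "require_digit": True,
    "require_special": True,
    "validity_days": 90,       # validity period of the user password
    "logons_after_expiry": 3,  # log-ons still allowed so the password can be changed
}

# Contents section: names known to the system (user, group, computer, domain),
# previous passwords, and a referential file with one undesirable entry per line.
SYSTEM_NAMES = ["alice", "sales", "PC-047", "EXAMPLE"]
PREVIOUS_PASSWORDS = ["Winter1998!", "Spring1999!"]
REFERENTIAL_FILE = "secude\nsecret\n\npassword\n"


def load_referential_list(text):
    """One entry per line; blank lines are ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def check_password(candidate, rules=RULES, system_names=SYSTEM_NAMES,
                   previous=PREVIOUS_PASSWORDS, excluded=None):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    if excluded is None:
        excluded = load_referential_list(REFERENTIAL_FILE)
    problems = []
    n = len(candidate)
    if n < rules["min_length"]:
        problems.append(f"shorter than {rules['min_length']} characters")
    if n > rules["max_length"]:
        problems.append(f"longer than {rules['max_length']} characters")
    classes = {
        "require_lower": (r"[a-z]", "no lowercase letter"),
        "require_upper": (r"[A-Z]", "no uppercase letter"),
        "require_digit": (r"[0-9]", "no digit"),
        "require_special": (r"[^A-Za-z0-9]", "no special character"),
    }
    for key, (pattern, message) in classes.items():
        if rules[key] and not re.search(pattern, candidate):
            problems.append(message)
    low = candidate.lower()
    # System names must not occur anywhere in the password (substring, case-insensitive).
    for name in system_names:
        if name.lower() in low:
            problems.append(f"contains the system name '{name}'")
    # Previous passwords and referential entries are excluded as whole passwords.
    if low in (p.lower() for p in previous):
        problems.append("was used before")
    if low in (e.lower() for e in excluded):
        problems.append("appears in the list of undesirable passwords")
    return problems


def password_expiry(set_on, rules=RULES):
    """Last day on which a password set on `set_on` is still within its validity period."""
    return set_on + timedelta(days=rules["validity_days"])


def logon_permitted(set_on, today, logons_since_expiry, rules=RULES):
    """Within the validity period every log-on is allowed; after expiry only the
    configured number of further log-ons, so that the user can still change the password."""
    if today <= password_expiry(set_on, rules):
        return True
    return logons_since_expiry < rules["logons_after_expiry"]


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "alice1998", "Winter1998!", "Short1!"):
        print(pw, "->", check_password(pw) or "ok")
```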
Figure 64: Password Rules – Preview
With Insert the rules are entered into the CA database. Sets of rules already in the database can be modified with Change and deleted with Delete. New cancels all entries in the Rules Editor to allow a new set of rules to be entered. When creating user PSEs a definition for each individual user can be given in the user form as to which set of rules his password must meet (cf. Chapter 6.3 Create User PSEs). The password rules are only available to users working with the program SECUDE PSE MANAGEMENT.

5.3.5.2 Extras / Options…
The menu item Extras/Options is active both when logged on and off. The options that can be set with this item are the presettings for the creation of PSEs and general settings for CA MANAGEMENT. The settings in the dialog box Options have been treated in detail in Chapter 4 Options.

5.3.5.3 Extras / Log-on Profiles…
A CA is unambiguously addressed when a log-on profile is used. The name of the log-on profile appears in the log-on dialog box of CA MANAGEMENT. If you are operating the CA on the same PC on which you have created the log-on profile, you already have a log-on profile for this CA. If you want to operate the CA from another PC, however, you must first enter a log-on profile before you can log on. After selecting the menu item Extras/Log-on Profiles… the dialog box below opens:
Figure 65: Log-on Profiles
The list shows all known log-on profiles. When you click Add, the following dialog box opens:
Figure 66: Log-on Profile
Under Log-on Profile Name you enter the name by which you later want to address this profile. Under PSE Type you enter whether the PSE is saved in a file system, on a smartcard, or on a RACAL cryptoboard. If you click File, you must complete the text bars PSE Name and CA Directory; with Smartcard you must complete the text bars Card Type, Software Extension and CA Directory; and with RACAL RG 700 the text bars Software Extension and CA Directory. With a file PSE you must enter the complete path and the name of your PSE in the text bar PSE Name. With a smartcard PSE you must enter the operating system of the smartcard in the text bar Card Type. With smartcard and RACAL based PSEs you must enter the extension of the PSE in the file system in the text bar Software Extension. In the text bar CA Directory you must enter the directory in which the CA database is to be found. Each disk button opens a file dialog box where you can navigate to the appropriate directory.

5.3.6 Smartcard
With SECUDE CA MANAGEMENT smartcards can be used instead of a file PSE. Both the CA-PSE and the user PSEs can be stored on a smartcard. The required settings can be made with the drop-down menu item Smartcard.

5.3.6.1 Smartcard / Terminal Setup …
With the menu item Smartcard/Terminal Setup it is possible to configure smartcard terminals for both the CA and the user. The software supports the simultaneous operation of two terminals. The CA-PSE on a smartcard can be in the first terminal, whilst the user PSEs are being created on smartcards in the second terminal.
Figure 67: Smartcard Terminal Setup
Different types of smartcard terminals can be configured. It is important that the terminal in use be chosen from the list, otherwise no guarantee can be given for correct functioning. The settings can be tested with the button Test.
If the terminal is not correctly configured or cannot be accessed, the message on the left appears. There are various reasons why a smartcard terminal cannot be addressed:
• The terminal is not supported by the software.
• The terminal is not connected to the specified port.
• The terminal is not connected to a power supply.
• The terminal is defective.
If the test is successful, CA MANAGEMENT signals the successful installation. The settings can be saved with Apply or OK. With OK the window is also exited. The dialog box to set up smartcard terminals for user PSEs is identical to the one for CA-PSEs.

5.3.6.2 Smartcard / Info User Smartcard …
To get information on the smartcard plugin being used, the terminal, and the card, insert the user smartcard in the terminal and use the menu item Smartcard/Info User Card. The main point of interest is the entry under Card. If the entry is "…with application", a PSE already exists on the card; otherwise the entry is "…without application".
Figure 68: Info User Card

5.3.6.3 Smartcard / Unblock Password …
When a smartcard has been blocked because of too many retries it can be unblocked here by entering the PUK.
Figure 69: Unblock Password

5.3.6.4 Smartcard / Delete User Card …
A smartcard that has been personalised by SECUDE can be deleted using this dialog box. All information stored on the card is irrevocably deleted. A smartcard can thus be provided with new PSEs several times. Deleting a smartcard can only be done when the password or, depending on the type of card, the PUK is known. When the password has been entered the program ensures before deleting that this action is really desired. Only when the button Yes is clicked is the information on the card deleted.

5.3.7 Window
With the drop-down menu Window several windows within CA MANAGEMENT can be arranged. Switching between the user list and revocation list can also be made here. See also Chapter 5.3.2 View.

5.3.8 Help – (?)
With Help or the character ? the dialog boxes Info and Info about SECUDE can be opened.

5.3.8.1 ? / Info…
The dialog box Info shows among other things the current version number of CA MANAGEMENT. Additionally, all addresses of SECUDE GmbH can be found here.
Figure 70: Info on CA MANAGEMENT

5.3.8.2 ? / Info on SECUDE…
In the dialog box Info on SECUDE, information about the library used by SECUDE is shown. Included are the version number, the options that have been set in the SECUDE library, and the supported plugins.
Figure 71: Info on SECUDE
When making queries to SECUDE GmbH, the information from this dialog box should be included.
6 Management of User Data
This chapter explains how a CA using SECUDE CA MANAGEMENT fulfills its main task of maintaining user data and issuing certificates for the users. CA MANAGEMENT creates and administers its database using the interfaces Microsoft Data Access Objects (DAO) and Microsoft Jet Database Engine. This database can be opened with, for example, Microsoft Access. It is, however, not advisable to process the database outside CA MANAGEMENT.

6.1 User List and User Form
The user list is opened with the menu item View/User List. After log-on the user list (i.e. the user view in the CA database) is displayed automatically.

6.1.1 User List
The user list shows the most important fields of the user table from the CA data base. Using the scroll bar the fields and records not on the screen can be viewed.
Figure 72: User List
Sorting
After log-on the user list is automatically sorted by the column Distinguished Name. By clicking on the field buttons Distinguished Name, Valid from, Valid to, Serial number or Name the table can be sorted as required. Sorting is done in ascending order.
Column width
The width of a column can be changed by positioning the cursor between the field names. The cursor changes its appearance in this position. By double clicking the mouse here the optimum width is achieved. The width can also be changed by dragging and dropping the dividing line.
Symbols
The user list displays a number of symbols in different colors on the left of the window. The symbols are a quick way of showing the state of certificates already issued and those being processed.
(green tick) The certificate is still valid and will not expire within the set warning period (see Chapter 4.1.4 Warning Periods).
(red exclamation mark) The certificate is still valid but will expire within the set warning period (see Chapter 4.1.4 Warning Periods).
(red cross) The certificate has either already expired or its validity period has not yet begun.
(black lightning) The certificate is revoked (see Chapter 7 Revocation List Management).
(blue question mark) Data to issue a certificate have been transferred to the database but the certificate has not yet been issued or the PSE not yet created.
Behavior
Double clicking the left mouse button opens the user form (see Chapter 6.1.2 User Form). To select an entry with a double click, the field Distinguished Name must be visible in the CA MANAGEMENT window. Once the user form is open a single left mouse click displays the selected data set in the user form. When the view of the revocation list is also open, a selected certificate can be dragged and dropped into the revocation list.

6.1.2 User Form
The user form shows one user's complete user record. With the user form user data can be added, changed, or deleted. (An outline of the fields can be found in Chapter 12.1 Fields in the User Form.)
Open the User Form
The user form is opened either by a mouse click on the button shown on the left, or with the menu item User/Record, or simply by a double click on a record in the user form. Once the user form is open, user data records can be viewed by clicking on the required user entry in the user list. The window User List might well be hidden behind the window User Form. Both windows can be viewed simultaneously by repositioning the window User Form.
Figure 73: User List and User Form
The user form is closed by clicking the button Close.
The Fields of the User Form
The user form is divided into the areas User Data, and (as index cards) PSE, with the subordinate fields Signature Certificate and Encryption Certificate, and Certificate. According to which fields are required for the user being regarded, only some of these fields (with index cards it might be more than one) may be visible.
Figure 74: User Form
User Data
In the area User Data general information can be entered. These data are optional and have no significance for the creation of the PSE but can help to identify a user more quickly.
PSE
This index card shows a user PSE created or still to be created by the CA. When a date is shown in the title bar it means that the PSE was created at that time. When no date is shown it means that the PSE is not yet created. Details on the individual fields can be found in Chapter 6.2.2 Enter PSE Data.
Certificate
This index card is visible when it is a PSE created by the user himself and certified by the CA. The number behind the word "Certificate" in the title bar is the serial number issued on certification. For further details on the individual fields please see Chapter 6.4 Certification of Incoming Prototype Certificates.
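The five status symbols of the user list (6.1.1) and its default sort order, as an added Python example that is not part of CA MANAGEMENT. It classifies constructed user-list entries for a given day and warning period, returns the list in ascending Distinguished Name order, and picks out the entries an operator would re-issue. The entry layout, the sample data and the precedence (an issued certificate that is revoked shows black lightning regardless of its dates) are assumptions of the example.

```python
from datetime import date, timedelta
from enum import Enum


class CertState(Enum):
    """The symbols of the user list, with their meaning from the manual."""
    NOT_ISSUED = "blue question mark"    # data in the database, certificate/PSE not yet created
    REVOKED = "black lightning"          # certificate is on the revocation list
    OUTSIDE_VALIDITY = "red cross"       # expired, or validity period not yet begun
    EXPIRING = "red exclamation mark"    # valid, but expires within the warning period
    VALID = "green tick"                 # valid and not expiring within the warning period


def certificate_state(entry, today, warning_days, revoked_serials):
    """Classify one entry: a dict with 'serial' (None before issue), 'valid_from'
    and 'valid_to' (dates). Revocation is checked before the validity dates
    (an assumption of this example)."""
    if entry.get("serial") is None:
        return CertState.NOT_ISSUED
    if entry["serial"] in revoked_serials:
        return CertState.REVOKED
    if today < entry["valid_from"] or today > entry["valid_to"]:
        return CertState.OUTSIDE_VALIDITY
    if entry["valid_to"] - today <= timedelta(days=warning_days):
        return CertState.EXPIRING
    return CertState.VALID


def user_list_view(entries, today, warning_days, revoked_serials):
    """(Distinguished Name, symbol) pairs, sorted ascending by Distinguished Name
    as the user list is after log-on."""
    rows = [(e["dn"], certificate_state(e, today, warning_days, revoked_serials).value)
            for e in entries]
    return sorted(rows, key=lambda row: row[0])


def renewal_candidates(entries, today, warning_days, revoked_serials):
    """DNs whose certificate expires within the warning period or has already
    expired; certificates whose validity has not yet begun are not candidates."""
    out = []
    for e in entries:
        state = certificate_state(e, today, warning_days, revoked_serials)
        if state is CertState.EXPIRING or (
                state is CertState.OUTSIDE_VALIDITY and today > e["valid_to"]):
            out.append(e["dn"])
    return sorted(out)


# Constructed sample user list (not real CA data).
SAMPLE_TODAY = date(1999, 4, 15)
SAMPLE_WARNING_DAYS = 30
SAMPLE_REVOKED = {1003}
SAMPLE_ENTRIES = [
    {"dn": "cn=Alice Example,o=Example Corp,c=DE", "serial": 1001,
     "valid_from": date(1998, 6, 1), "valid_to": date(2000, 6, 1)},   # green tick
    {"dn": "cn=Bob Example,o=Example Corp,c=DE", "serial": 1002,
     "valid_from": date(1998, 5, 1), "valid_to": date(1999, 5, 1)},   # 16 days left: red exclamation mark
    {"dn": "cn=Carol Example,o=Example Corp,c=DE", "serial": 1003,
     "valid_from": date(1998, 5, 1), "valid_to": date(2000, 5, 1)},   # revoked: black lightning
    {"dn": "cn=Dave Example,o=Example Corp,c=DE", "serial": 1004,
     "valid_from": date(1999, 5, 1), "valid_to": date(2000, 5, 1)},   # not yet begun: red cross
    {"dn": "cn=Erin Example,o=Example Corp,c=DE", "serial": 1000,
     "valid_from": date(1998, 1, 1), "valid_to": date(1999, 1, 1)},   # expired: red cross
    {"dn": "cn=Frank Example,o=Example Corp,c=DE", "serial": None,
     "valid_from": None, "valid_to": None},                            # blue question mark
]

if __name__ == "__main__":
    for dn, symbol in user_list_view(SAMPLE_ENTRIES, SAMPLE_TODAY, SAMPLE_WARNING_DAYS, SAMPLE_REVOKED):
        print(f"{symbol:22} {dn}")
    print("to re-issue:", renewal_candidates(SAMPLE_ENTRIES, SAMPLE_TODAY, SAMPLE_WARNING_DAYS, SAMPLE_REVOKED))
```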
Signature / Encryption Certificate
This field contains all necessary certificate data. For a PSE with a single key pair there is only the field Signature Certificate, for a PSE with two key pairs there are the fields Signature Certificate and Encryption Certificate. Details on the individual fields can be found in Chapter 6.2.2 Enter PSE Data.
6.2 Process User Entries
The user form is used to enter the required data for each user and to create with these data the user's required certificate(s) or PSE. SECUDE CA MANAGEMENT allows the PSE to be created immediately after entering the user's data. It is also possible to enter first a number of user entries, then select all the new user entries in the user view and create the PSEs for these en bloc (see Chapter 6.3 Create User PSEs). Different criteria apply for user entries for which certificates already exist. The data can be processed only to a limited degree and cannot be deleted. A certificate once issued remains valid for the period defined in Valid from and Valid until (unless it must be revoked for some reason). A CA is obliged to give information on the validity of a certificate. Even deleting a user entry from the data base would have no effect on this. Therefore it is not possible to delete such a data entry. When in the user form a user entry is displayed for which no PSE has been created all fields can be processed. When a PSE has already been created for a user entry, all fields with the exception of User Data are blocked. This is shown by the gray-out of the inactive fields.
6.2.1 Register a New User
To register a new user click the menu item User/Register... or click on the appropriate button of the toolbar. An empty user form then appears. If the user form is already open and showing a user entry, a click on the button New will produce an empty form to register the new user. The individual text bars in the field User Data are self-explanatory.
6.2.2 Enter PSE Data
After a new user has been registered the message "No PSE or Certificate data available" can be found in the lower field of the user form. By clicking on New PSE the data set for the creation of a PSE for this user is set up. As more than one PSE can be issued for a single user, New PSE can still be used when PSE data are shown in the lower field of the user form. You
then get a new PSE index card. Please remember to give each new PSE a new PSE name. All fields should be filled with default values. These can be determined with Options (see chapters 4.2.1 Issuer and 4.2.2 PSE Options). The meaning of the individual fields in the area PSE will be dealt with in detail in the following section. When all entries have been made the button Update is clicked to enter the record into the data base.
Meaning of the PSE Fields
The field Profile is not supported in this version of CA MANAGEMENT; it is reserved for a later version. The fields PSE Name and PSE Directory are active when you want to create a File PSE; they contain the directory and file name of the file to be created. The field Card Type is active when you want to create a Smartcard PSE; you can select the required card type. With the field One Key Pair you control whether you want to create a PSE with one or two key pairs. In a PSE with two key pairs one pair is used to authenticate, i.e. to sign, the other pair to encrypt. In a PSE with only one key pair (one certificate) this pair is used for both tasks. In the field Password you can determine whether the PSE password is to be generated automatically. The password text bar is then blocked. The length of the automatically generated password is set in Options. If the password is not to be generated automatically the selection box is clicked to remove the tick and a password is entered. The password can be up to 50 places long. The exception is the smartcard password, which can only have eight places. If the user has to follow certain rules for passwords, the name of the relevant set of rules is entered in the field Rules. How password rules are entered can be seen in Chapter 5.3.5.1 Extras / Password Rules…. It is not possible to stipulate password rules for smartcard PSEs. However, an error limit for the smartcard password is required. The maximum value varies from card to card. The error limit details how often an incorrect password may be entered before the card blocks itself. In the area PUK the PUK (password unblocking key) is either generated automatically by ticking the selection box or is entered manually. The PUK is used to unblock smartcards after too many false password entries; the field is therefore grayed out for file PSEs. The PUK also has an error limit which is, however, preset at three by SECUDE CA MANAGEMENT.
Card Number is the serial number of the smartcard. This field is completed automatically after the creation of a smartcard PSE.
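The error limit, PUK and password length rules above describe a small state machine: wrong password entries count down to a block, the PUK lifts the block, and the PUK itself is blocked after three wrong entries. The following Python model is an added example written for this section; it is not code from SECUDE or CA MANAGEMENT. It assumes that a correct password entry resets the retry counter and that a successful unblock also resets the PUK counter (both are modelling assumptions, not statements from the manual), and it generates automatic passwords with the operating system CSPRNG via the `secrets` module, enforcing the page's length limits (eight places for smartcards, up to 50 for file PSEs).

```python
"""Model of the smartcard password / PUK retry counters for smartcard PSEs (constructed example)."""
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
SMARTCARD_PASSWORD_LENGTH = 8   # page: the smartcard password has exactly eight places
FILE_PSE_MAX_LENGTH = 50        # page: a file PSE password may be up to 50 places long
PUK_ERROR_LIMIT = 3             # page: preset by CA MANAGEMENT


def generate_password(length, smartcard=False):
    """Automatic password generation from a CSPRNG, with the page's length limits."""
    if smartcard and length != SMARTCARD_PASSWORD_LENGTH:
        raise ValueError("smartcard password must have exactly 8 places")
    if not smartcard and not 1 <= length <= FILE_PSE_MAX_LENGTH:
        raise ValueError("file PSE password must have 1..50 places")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class SmartcardPse:
    """Retry counters: too many wrong passwords block the card, the PUK unblocks it,
    and the PUK itself is blocked after PUK_ERROR_LIMIT wrong entries.
    Counter resets on success are an assumption of this model."""

    def __init__(self, password, puk, error_limit):
        self._password, self._puk = password, puk
        self.error_limit = error_limit          # card-specific maximum (page: varies per card)
        self.password_tries_left = error_limit
        self.puk_tries_left = PUK_ERROR_LIMIT

    @property
    def blocked(self):
        return self.password_tries_left == 0

    @property
    def puk_blocked(self):
        return self.puk_tries_left == 0

    def login(self, password):
        if self.blocked:
            return "blocked"
        # constant-time comparison so timing does not leak how many characters matched
        if hmac.compare_digest(password.encode(), self._password.encode()):
            self.password_tries_left = self.error_limit
            return "ok"
        self.password_tries_left -= 1
        return "blocked" if self.blocked else "wrong"

    def unblock(self, puk, new_password):
        if self.puk_blocked:
            return "puk-blocked"
        if not hmac.compare_digest(puk.encode(), self._puk.encode()):
            self.puk_tries_left -= 1
            return "puk-blocked" if self.puk_blocked else "wrong-puk"
        if len(new_password) != SMARTCARD_PASSWORD_LENGTH:
            return "bad-length"
        self._password = new_password
        self.password_tries_left = self.error_limit
        self.puk_tries_left = PUK_ERROR_LIMIT
        return "ok"


def demo():
    """Constructed run: three wrong passwords block the card, the PUK restores access."""
    card = SmartcardPse(password="Aa1Bb2Cc", puk="12345678", error_limit=3)
    events = [card.login("wrong001") for _ in range(3)]
    events.append(card.login("Aa1Bb2Cc"))            # correct, but the card is already blocked
    events.append(card.unblock("00000000", "Zz9Yy8Xx"))  # wrong PUK: one PUK try consumed
    events.append(card.unblock("12345678", "Zz9Yy8Xx"))  # correct PUK: new password set
    events.append(card.login("Zz9Yy8Xx"))
    return events
```

The point a CA operator should take from the model is that the PUK is the only way back from a blocked card, and that its own counter is much tighter than the password counter; a PUK that is not recorded by the administrator at creation time effectively turns a blocked card into a dead one.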
Meaning of the Certificate Fields
In the field Distinguished Name the Distinguished Name of the PSE owner (user) is entered. When a tick appears in the field Distinguished Name is Prefix, the Distinguished Name of the CA is added to the entry in the field Distinguished Name on issue of the certificate. By this means the certification hierarchy can be illustrated through the Distinguished Name. Under Valid from please enter the date from which the certificate is valid (default value is the current date) and under Valid until the end of the validity period. The format of the fields is defined by the settings in the system control. In the field Issuer Algorithm the algorithm is entered with which the CA should sign the certificate. The field Algorithm contains the algorithm the user uses for signing and encrypting. The field Key Size contains the length of the relevant keys. Version shows whether it is an X.509v1 or X.509v3 certificate. If you want to create an X.509v3 certificate, the button V3 Extensions opens the dialog box in which the certificate extensions supported by SECUDE CA MANAGEMENT can be set. If a PSE with two key pairs is required, the same entries are made in the area Encryption Certificate.
6.2.3 Register Certificate
As described in Chapter 1.3 Issue Certificates for Users under the item User creates PSE, it is possible that not the CA but the user himself creates the PSE. In this case the user must send his public key to the CA for certification. With the button Read Certificate a file dialog box can be opened where the certification request can be read in. The certificate is then displayed so that it can be checked whether the correct information has been read in. The correctness of the data is verified by clicking on the index card Checksums (Fingerprints) and comparing the contents of Checksum of the Public Key with the value the user has sent you by other means. The two values must be identical. If not, the suspicion arises that somebody is trying to falsify his identity. When you agree with the data click OK and you get a new certificate index card. All fields that are not blocked can be changed by the CA according to its requirements. The meaning of the individual fields can be found in Chapter 6.2.2 Enter PSE Data under the item Meaning of the Certificate Fields.
When updating, the relevant entry of the database is added again. Before it is added the entry can, of course, be changed. After a PSE has been created for a user only the general user data can be changed. All other fields are blocked.
6.2.4 Create Further PSEs for Same User
An entry can be amplified by further PSEs or certificates after clicking the record in the user list and thereby opening the user form. By clicking the button New PSE or Read Certificate a new index card for the additional PSE is created in the user form.
6.2.5 Delete a User Entry
As long as no PSE has been issued for a user, the complete entry can be deleted from CA MANAGEMENT with the button Delete in the field User Data. If a PSE has already been issued, the user entry cannot be deleted from the CA database as a protocol must be written.
6.2.6 Delete a PSE Data Set
As long as the PSE data set has been registered but the PSE not yet issued, the PSE data set can be deleted with the button Delete on the PSE index card. A certificate once issued cannot be changed. Should a certificate have to be declared invalid, it must be revoked through the revocation list.
6.2.7 Delete a Certificate Data Set
As long as the certification request has only been read in, but no certificate issued, the certificate data set can be deleted with the button Delete on the certificate index card. A certificate once issued cannot be changed. Should a certificate have to be declared invalid, it must be revoked through the revocation list.
6.3 Create User PSEs
SECUDE CA MANAGEMENT allows the creation of a PSE immediately after the user entry has been registered. Another possibility is to register a number of user entries, to select these in the user list, and to create PSEs for these collectively. Both possibilities will be discussed here.
6.3.1 Create Individual PSEs
After the PSE data have been registered (see Chapters 6.2.1 Register a New User and 6.2.2 Enter PSE Data), the PSE for the user can be issued. The PSE with the thus entered data is created by clicking the button Create in the relevant index card. CA MANAGEMENT then runs a check on the data entered. The PSE creation process can be followed step by step. Generation of the authentication key takes the longest time.
Figure 75: PSE is being created
After the PSE has been created the message on the left is shown. It is confirmed by clicking OK.
6.3.2 Create Several PSEs
Several PSEs can be generated in one go by marking in the user form those user entries for which a PSE is required. Several entries can be marked by mouse click in combination with the control or shift key. Then the menu item User/Create List of PSEs is selected or the toolbar button shown on the left. All the selected user PSEs are then created. If a user entry for which a PSE has already been created is selected, this entry is ignored by CA MANAGEMENT. Progress can be followed in the status bar.
Figure 76: PSE Creation
After the PSEs have been created the above dialog box must be quit with OK.
The certificates of the created PSEs can be regarded in detail by clicking the button Display Certificate which is located at the bottom of the relevant index card. The number of certificates depends on the number of key pairs – one certificate per key pair. In particular, the user's public key and the serial number of the certificate can be found there. The serial number now also appears in the title bar of the index card. Now no further changes can be made apart from to the user data – all fields are therefore grayed out.
6.4 Certification of Incoming Prototype Certificates
PSEs created by the user himself (or rather the relevant prototype certificates) can be certified by the CA to include them in the certification structure. To this end the user sends the prototype certificate he has created to the CA responsible for him. Once the CA has been informed by the user where the file containing the prototype certificate can be found, the certificate request is processed. Please read in Chapter 6.2.3 Register Certificate how the user's certificate request is read in. Further processing of the prototype certificate can be carried out in the user form. In addition to the user's key all parameters can be modified at this stage. Further, the field User Data can be completed. By clicking the button Issue the certificate is signed by the CA and becomes valid within the certification structure.
Once the certificate has been issued, it can be copied into a file accessible to the user with the button Export. The following dialog box opens:
Figure 77: Export Certificate
The user must then only be informed where to find this file. As all data in the prototype certificate and the certificate itself are public, this procedure constitutes no security risk. For this reason no encryption or password is required. Please note that the certificates can only be issued as PEM files if the certificate request was written in a PEM file.
6.5 Write Again User PSE
In cases where the user, for whatsoever reason, has failed to install the PSEs issued for him or where he has inadvertently deleted them, the same PSE can, using the button Write again on the PSE index card, be written into a file from which the user can call them. However, the following conditions must be fulfilled: The PSE must be of the file type and the option Save Created PSEs and Certificates in Database set (see Chapter 4.2.1 Issuer), as the PSE is otherwise not saved in the database.
6.6 Subsequent Inclusion of an Existing PSE in a Smartcard
An issued user PSE can be included in a smartcard at a later date. This function can only be used with file PSEs and the option Save Created PSEs and Certificates in Database (see Chapter 4.2.1 Issuer), as the PSE is otherwise not saved in the database. To do this click the button Smartcard on the PSE index card. The following dialog box opens:
Figure 78: Write PSE on Smartcard
The meaning of these fields can be seen in Chapter 6.2.3 Register Certificate. After clicking OK the PSE is written on the inserted empty smartcard. While this is happening you get a Wait message. Once the PSE has been written on the smartcard the user gets a new PSE index card with the corresponding entries.
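Sections 6.2.3 and 6.4 both rest on one manual check: the fingerprint of the public key read from the user's request must equal the value the user sent by a separate channel, otherwise the request must not be certified. The following Python is an added example written for this manual, not code from SECUDE. The key bytes are a constructed stand-in for the DER-encoded public key of a request, the digest algorithm (SHA-256 here) is the example's choice since the manual does not name one, and the comparison is written so that the value can arrive in whatever form the user sends it (lower case, spaces instead of colons, read out over the phone).

```python
"""Out-of-band fingerprint check for a public key received in a certification request."""
import hashlib
import hmac

# Constructed stand-in for the DER-encoded public key read from the user's request.
# A real key is several hundred bytes long; the procedure does not change.
RECEIVED_KEY = bytes.fromhex("30819f300d06092a864886f70d010101050003818d00")


def fingerprint(key_bytes, algorithm="sha256"):
    """Digest of the key bytes as colon-separated upper-case hex, the usual display form."""
    digest = hashlib.new(algorithm, key_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(text):
    """Keep only hex digits: separators, spaces and letter case vary between channels."""
    return "".join(ch for ch in text.upper() if ch in "0123456789ABCDEF")


def fingerprints_match(key_bytes, out_of_band_value, algorithm="sha256"):
    """True only if the computed fingerprint equals the independently received one.
    A truncated value is rejected rather than prefix-matched: an attacker who substituted
    a key would otherwise only need to match the few characters the user bothered to read."""
    computed = normalize(fingerprint(key_bytes, algorithm))
    received = normalize(out_of_band_value)
    if len(received) != len(computed):
        return False
    return hmac.compare_digest(computed, received)


def demo():
    """Constructed cases: genuine value, phone-style value, substituted key, truncated value."""
    good = fingerprint(RECEIVED_KEY)
    substituted = RECEIVED_KEY[:-1] + bytes([RECEIVED_KEY[-1] ^ 0x01])
    return {
        "matches": fingerprints_match(RECEIVED_KEY, good),
        "matches_phone_style": fingerprints_match(RECEIVED_KEY, good.lower().replace(":", " ")),
        "rejects_substituted_key": fingerprints_match(substituted, good),
        "rejects_truncated": fingerprints_match(RECEIVED_KEY, good[:20]),
    }
```

The check protects against exactly the case the manual names, a request whose key was swapped on the way to the CA; it does nothing against a user who lies about their identity to the registration process, which is why the out-of-band value has to come from a channel tied to the person and not to the same mailbox the request came from.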
7 Revocation List Management
One of the main functions of a CA is drawing up and maintaining revocation lists. The revocation list is a digitally signed list of all certificates a CA has issued and later revoked. The updated revocation lists must be regularly put at the disposal of the users. To process a revocation list, Revocation List in the menu View must be clicked. The dialog box below appears:
Figure 79: CA Revocation List
The dialog box is split up into three areas: the list with the revoked certificates, below that information on the last given digital signature, and on the right the buttons.
7.1 List Area
In the list area the serial number, the date the certificate was revoked, and the Distinguished Name of the certificate owner are shown. The actual structure, which later as the revocation list is put at the disposal of the users, does not contain the Distinguished Names any more, since the revoked certificate is unambiguously identified by the serial number. The first column contains symbols, either a tick or a lightning flash. The tick means that the certificate has been added to the revocation list after the last digital signature to this. It is thus not yet visible for the user – before the revocation list is distributed to the users it must be digitally signed. At this moment the certificate can be removed from the list by using the button Delete. The lightning shows that the certificate is in a valid signed list. It cannot be deleted from the list any more – a certificate once revoked cannot be made valid again.
7.2 Information on the Digital Signature
In the lower area of the dialog window you can find information on the revocation list's digital signature, i.e. the Distinguished Name of the Issuer of the revocation list (the CA), the Issuer Algorithm used, and the validity period. The bar Last Update shows the date the last signature was performed, the bar Next Update shows the expiry date of the list. When this date has been passed, the user may no longer use this list to verify a digital signature, or rather the verification fails because an invalid revocation list was used.
7.3 Buttons
With the buttons the revocation list can be processed.
7.3.1 Add
With Add… new entries can be made in the revocation list.
Figure 80: Add Entries to Revocation List
In the field Serial Number you can enter one or more (separate with commas) serial numbers of certificates to be revoked. After clicking Search CA MANAGEMENT searches for the relevant certificates in the certificate database and enters the corresponding Distinguished Names in the lower field. If the serial number does not originate from the CA or if the relevant certificate is already revoked, this is, of course, not entered in the field. You can now check the details you have entered. When you click Add the entries are included in the revocation list. In the view of the revocation list these entries are provided with a tick, as the amplified list has not been signed. At this point of time you can still delete certificates from the list that have been erroneously included.
7.3.2 Sign
Before a revocation list can be distributed to the users, it must be digitally signed so that the user is assured of its authenticity. By clicking Sign… the following dialog box is opened:
Figure 81: Sign Revocation List
Here the Issuer Algorithm and the date of the Next Update can be set. Further information on the bar Next Update can be found in Chapter 7.2 Information on the Digital Signature.
7.3.3 Verify
With Verify the validity of the revocation list signature can be verified.
7.3.4 Save in PSE
With the button Save in PSE the revocation list is saved in one's own CA-PSE.
7.3.5 Save in PEM File
This and the next two buttons are concerned with the distribution of the revocation list to the users. With Save in PEM file… you can save the list in PEM format. After clicking the button a file dialog box is opened in which the directory can be selected and the file name entered. The PEM file can then be distributed to the users by mail or by file server. Further information on revocation lists in PEM format can be found in [RFC 1422], in the chapter on the PEM CRL format.
7.3.6 Save in Directory
Under the Options index card X.500 (see Chapter 4.1.3) you have configured the directory service to be used. When you click on Save in Directory the revocation list is saved in the appropriate directory. The participants in the certification infrastructure can now retrieve the list there or it will be automatically applied during the verification process when the users have configured this correspondingly in PSE Management.
7.3.7 Save in ldif File
If no direct access to the LDAP directory is possible from CA MANAGEMENT, because, for example, CA MANAGEMENT is running on a PC not linked to a network, the revocation list can be saved as an ldif file. The ldif file is then given to the LDAP administrator who copies it into the LDAP directory.
8 Import and Export of User Data
SECUDE CA MANAGEMENT allows the import of data. Data from SAP R/3 (from Version 3.1G) and CA data created under Windows by the command line version of SECUDE can be imported. The dialog box for importing data is to be found in the menu File/Import.
8.1 Import of SAP R/3 User Data
The function File/Import/SAP-Report allows the transfer of user data from R/3 to CA MANAGEMENT. In R/3 the report RSUSR402 is produced which generates an ASCII file with the same name, a file that is readable with any text editor. The file RSUSR402 contains user data such as name, first name, or the validity period of the SAP R/3 account. A section of the contents of the file RSUSR402 can be seen below.
Figure 82: View of RSUSR402
Before importing external data it is advisable to make a backup copy of the current state of the CA database.
Options for Copying RSUSR402
Before copying the SAP report you should turn to the Program Options of CA MANAGEMENT and check the following settings and, if necessary, adapt them to your requirements:
• Copy SAP Report (see Chapter 4.1.1 Program Options)
• Issuer Options (see Chapter 4.2.1 Issuer)
• Owner Options (see Chapter 4.2.2 PSE Options)
Import/SAP-Report
After selecting SAP Report a dialog box appears with which the file to be imported can be selected.
Figure 83: Import SAP Report
The file RSUSR402 is selected and then the button Open clicked, which starts a check of the file contents. If the contents and structure of the file correspond with those of the report RSUSR402, the query on the left appears and is confirmed with OK. The data are then read into CA MANAGEMENT. The successful execution of the import is acknowledged. CA MANAGEMENT does not check whether the data sets that are to be loaded are already present in the database. Before carrying out this function, therefore, a backup should be made.
8.2 Import of SECUDE Data
In rare cases it might be necessary to import data from a CA generated by a previous version (command line version) of SECUDE. Before the actual import or transfer of CA data from a previous SECUDE version the related CA-PSE must be opened. To do this the Log On button is clicked and the CA-PSE selected (see Chapter 5 Management of the CA). When the menu item File/Import/SECUDE is selected the query appears whether the data are really to be imported. When the query is confirmed with Yes the data is read. For each certificate created with the previous SECUDE version a user entry is filed. CA MANAGEMENT does not distinguish between two certificates from two different PSEs or one PSE with two key pairs. In either case two user entries are created.
8.3 Inform of Transport Password: Export to Microsoft Word – Form Letter
When Microsoft Office 95 (or higher) is installed, the Microsoft Word Mail Merge function can be used, for example, to inform users of their transport password. After having generated an export file from the CA database via User / Generate Password Form Letter (see section 5.3.4.7) the password form letters can be written using the Mail Merge function of Microsoft Word. As an example we describe here how to proceed when using Microsoft Word 97. Details about writing form letters in Word can be read in the Word manual. All necessary information can be found under the term Mail Merge.
1. Open Microsoft Word and generate an empty document.
2. Click Tools / Mail Merge.
3. In the Mail Merge Helper dialog select Main document / Create / Form Letters and then click Active Window.
4. In the Mail Merge Helper dialog select Data source / Get Data / Open Data Source. In the file dialog set file type to All Files (*.*) and select your export file.
5. The toolbar for forms should now be displayed in the Word document window. If this is not the case, select View / Toolbars / Forms.
Figure 84: Form Letter Icon Bar of Word
With Insert Merge Field the merge fields can be inserted into the Word document. If you click the button, Word fills the merge fields with the corresponding data; after this, the form letters are ready for print. Help for Word is displayed after clicking the function key F1. If you want to modify the CSV file generated by CA Management, select in the Mail Merge Helper dialog the item Data source / Edit / <CSV file>. Never process the CA database via Access – it will become unusable for SECUDE. In particular, never change the CA password via Access!
9 Glossary
CA
See Certification Authority.
Certification Authority
A Certification Authority (CA) issues certificates for users of a security infrastructure and maintains revocation lists.
DES
DES stands for Data Encryption Standard and is an encryption procedure in which the same key is used both for encryption and decryption. (Such procedures are called symmetrical.)
GSS-API
Generic Security Service Application Programming Interface. An interface developed by the Internet Engineering Task Force (IETF) which allows applications to be provided with security functionality.
Hybrid Process
A combination of symmetric and asymmetric cryptography is called Hybrid process.
Password
A series of characters consisting of letters, signs and numerals with which protection, e.g. for a PSE, against unauthorised access is given.
PIN
Personal Identification Number. A password consisting of figures only, e.g. for card terminals with their own key pads.
Prototype Certificate
A prototype certificate is a certificate that has a signature created by its own private key. Only when the prototype certificate has been certified by a certification authority does it become a certificate.
PSE
The PSE is a personal security environment which every SECUDE user needs. In the PSE security relevant information is stored. This includes the certificate and the corresponding secret key. The PSE can be stored as a DES encrypted file or on a smartcard.
Revocation List
A revocation list is a list of certificates that have been declared invalid by the issuing certification authority before their expiry date. The certification authority maintains this list and must publish it, keep it up to date and at regular intervals make it available to all participants.
Root Authority
The root authority is a certification authority which is not certified by any other CA. Its certificate is signed by its own private key.
RSA
A cryptographic algorithm named after Rivest, Shamir, and Adleman. It is based on the presence of pairs of keys that have a special relationship to each other, i.e. anything that has been encrypted with one of the two keys can only be decrypted with the other. (Such procedures are called asymmetrical.)
SAPlpd
SAPlpd denotes software from SAP AG which allows spooling for print jobs in the R/3 environment.
SNC
Secure Network Communications denotes the module which deals with the communication to an external library in the SAP R/3 system. The library is addressed by means of GSS-API functions and allows R/3 access to security functions as realised by SECUDE.
Transport Password
A new PSE is encrypted by CA MANAGEMENT with a Transport Password. This password ensures the security of the PSE on its way from the CA to the user. The user is informed of the password by the CA (e.g. by post) and is advised to change it immediately.
10 Figures and Tables
Figure 1: Elements of a PSE (p. 4)
Figure 2: CA creates PSE (p. 5)
Figure 3: User creates PSE (p. 6)
Figure 4: Internet Installation (p. 10)
Figure 5: Unpacking (p. 10)
Figure 6: Welcome Window of the Installation (p. 11)
Figure 7: Software License Agreement (p. 11)
Figure 8: User Information (p. 12)
Figure 9: Set Destination Directory (p. 12)
Figure 10: Select Program Folder (p. 13)
Figure 11: Start of Installation (p. 13)
Figure 12: Install SECUDE Ticket (p. 13)
Figure 13: Information on Installed Components (p. 14)
Figure 14: Setup complete (p. 14)
Figure 15: Exit Setup (p. 15)
Figure 16: Log On (p. 16)
Figure 17: PSE-Wizard – Type of PSE (p. 19)
Figure 18: PSE-Wizard – Distinguished Name (p. 19)
Figure 19: PSE-Wizard – Name of PSE (p. 20)
Figure 20: PSE-Wizard – CA Data (p. 20)
Figure 21: PSE-Wizard – Version of Certificate (p. 21)
Figure 22: PSE-Wizard – Number of Key Pairs (p. 22)
Figure 23: PSE-Wizard – Signature (p. 22)
Figure 24: PSE-Wizard – Validity Period (p. 23)
Figure 25: PSE-Wizard – Sign Own Prototype Certificate (p. 24)
Figure 26: PSE-Wizard – Password (p. 25)
Figure 27: PSE-Wizard – Log-on Profiles (p. 25)
Figure 28: PSE-Wizard – Settings – Overview (p. 26)
Figure 29: Time Comparison (1) (p. 26)
Figure 30: PSE-Wizard – Smartcard (p. 28)
Figure 31: PSE-Wizard – Password Unblocking Key – PUK (p. 29)
Figure 32: PSE-Wizard – RACAL RG 700 (p. 31)
Figure 33: PSE-Wizard – Issue PSE (p. 33)
Figure 34: Options – Program Options (p. 35)
Figure 35: Options – SECUDE (p. 36)
Figure 36: Options – X.500 (p. 38)
Figure 37: Options – Warning Periods (p. 39)
Figure 38: Options – Issuer (p. 40)
Figure 39: Options – PSE Options (p. 41)
Figure 40: Options – User Form (p. 42)
Figure 41: Options – Sphinx Pilot (p. 43)
Figure 42: Empty User List (p. 45)
Figure 43: Tool Bar Hidden (p. 45)
Figure 44: Tool Bar Active (p. 45)
Figure 45: Menu Bar (p. 46)
Figure 46: Revocation List (p. 49)
Figure 47: Signature Certificate – Owner (p. 50)
Figure 48: Write Certification Request (p. 51)
Figure 49: Read Certification Response (p. 51)
Figure 50: Process Certificate Response (p. 52)
Figure 51: PSE Revocation Lists (p. 53)
Figure 52: Read Revocation List from File (p. 53)
Figure 53: Insert Revocation Lists in PSE (p. 54)
Figure 54: Change Password (p. 54)
Figure 55: Verify PSE (p. 55)
Figure 56: Save Certification Path (p. 56)
Figure 57: PSE Contents (p. 57)
Figure 58: Save LDIF File – Insert Certificates (p. 58)
Figure 59: Save LDIF File – Delete Certificates (p. 59)
Figure 60: Write PK List (p. 59)
Figure 61: Write Certificates (p. 60)
Figure 62: Generate Password Form Letter (p. 60)
Figure 63: Password Rules – Rules Editor (p. 62)
Figure 64: Password Rules – Preview (p. 63)
Figure 65: Log-on Profiles (p. 64)
Figure 66: Log-on Profile (p. 64)
Figure 67: Smartcard Terminal Setup (p. 65)
Figure 68: Info User Card (p. 66)
Figure 69: Unblock Password (p. 67)
Figure 70: Info on CA MANAGEMENT (p. 68)
Figure 71: Info on SECUDE (p. 68)
Figure 72: User List (p. 69)
Figure 73: User List and User Form (p. 71)
Figure 74: User Form (p. 72)
Figure 75: PSE is being created (p. 77)
Figure 76: PSE Creation (p. 78)
Figure 77: Export Certificate (p. 79)
Figure 78: Write PSE on Smartcard (p. 80)
Figure 79: CA Revocation List (p. 81)
Figure 80: Add Entries to Revocation List (p. 82)
Figure 81: Sign Revocation List (p. 83)
Figure 82: View of RSUSR402 (p. 85)
Figure 83: Import SAP Report (p. 86)
Figure 84: Form Letter Icon Bar of Word (p. 87)
Table 1: Categories of Distinguished Names (p. 7)
Table 2: Format of the Validity Fields (p. 24)
Table 3: Toolbar (p. 46)
Table 4: User Form – User Data (p. 93)
Table 5: User Form – PSE (p. 94)
Table 6: User Form – Signature / Encryption Certificates (p. 94)
11 Bibliography
[LDAP] http://www.umich.edu/~dirsvcs/ldap/index.html. Description and software downloads (development toolkit, client and server software) for LDAP (Lightweight Directory Access Protocol).
[Netscape Certificates] http://home.netscape.com/eng/security/comm4-cert-exts.html, where the certificate extensions introduced by Netscape Communicator are described.
[PKCS#7] PKCS#7: Cryptographic Message Syntax Standard. An RSA Laboratories Technical Note. Version 1.5, November 1, 1993.
[PKCS#10] PKCS#10: Certification Request Syntax Standard. An RSA Laboratories Technical Note. Version 1.0, November 1, 1993.
[RFC 1422] Privacy Enhancement for Internet Electronic Mail – Part II: Certificate-Based Key Management. S. Kent, BBN, IAB IRTF PSRG, IETF PEM, Network Working Group, Request for Comments: 1422, Obsoletes: 1114, February 1993.
[Sphinx] http://www.bsi.bund.de/aufgaben/projekte/sphinx/index.htm. Pilot project of the Federal Government's Coordination and Advisory Office for Information Technology in the Federal Administration, in cooperation with the Federal Office for Information Security. Its subject is the trial of cross-product interoperability between the security solutions of different vendors.
[X.509 v3] ITU-T Recommendation X.509. Draft from 13.8.1997. Information Technology, Open Systems Interconnection, The Directory: Authentication Framework. DATA NETWORKS AND OPEN SYSTEMS COMMUNICATIONS – DIRECTORY. (06/97)
12 Appendix

12.1 Fields in the User Form

The following user data are registered with the user form (cf. Chapter 6.2 User Form) and administered by CA MANAGEMENT in the database:

| User Data | Description |
| Name | Name of person to be certified |
| First name | First name of person to be certified |
| Mail address | E-mail address of person to be certified |
| Personnel number | Personnel number of person to be certified |
| Department | Name of the department in which the person to be certified works. |

Table 4: User Form – User Data

| User Form – PSE | Description |
| Profile | A preset profile can be selected. |
| PSE Name | Name of the file that the PSE is to receive. |
| PSE Directory | The directory in which the PSE is to be stored; with a smartcard PSE: the directory for a possible extension. |
| Smartcard/File | It is decided here whether the PSE is created as a file or on a smartcard. |
| Card Type | When a smartcard PSE is to be created the make of card is selected here. The options are the TCOS and Cryptoflex cards. |
| One key pair | If the box is ticked, one key pair is generated (signature certificate). When both signature and encryption certificates are to be created the box must remain unticked. |
| Automatic password generation | When this box is ticked an automatically generated password is given. If the box remains unticked, a transport password for the PSE to be created must be given manually in the field on the right. |
| Rules | If the user is to be obliged to follow certain password rules, the relevant set of rules is entered here (only for file PSEs). |
| Automatic PUK generation | When a smartcard PSE is created a PUK should be given which is known only to the administrator. The PUK is important for the unblocking of smartcards. If the option is activated, the PUK is generated automatically. Otherwise it should be entered in the field on the right. |
| Card number | When a smartcard PSE is created, the card number is contained here. |

Table 5: User Form – PSE

In the following table the explanation of the fields of the user form for signature and encryption certificates is continued.

| Signature / Encryption Certificates | Description |
| Distinguished Name | Distinguished Name for the user. |
| Distinguished Name is prefix | When this box is ticked, the user's Distinguished Name includes the issuing CA's Distinguished Name. |
| Valid from | From this point the certificate is valid. Date and time in the currently set format (e.g. MM.DD.YY hh.mm.ss). |
| Valid to | The certificate is valid up to this time. Date and time in the currently set format (e.g. MM.DD.YY hh.mm.ss). |
| Issuer algorithm | Algorithm the certificate is signed with. |
| Algorithm | Here the algorithm is determined that can be used with the key pair (for smartcards: depending on the card). |
| Key length | Selection of the key length (from 512 bits to 2048 bits; for smartcards: depending on the card). |
| Version | Selection between X.509v1 and X.509v3 certificates. |

Table 6: User Form – Signature / Encryption Certificates

The numbers in the third column have the following meanings:
- The field must be filled out when a PSE is to be created.
- The field is set by CA MANAGEMENT.
12.2 Data Base Specification CA.MDB

Table Users

In the table "Users" general user information is stored. Between the tables there are 1 to n relationships.

| Field name | Type | Size | Commentary |
| UserNo | dbLong, dbAutoIncrField | | Unique number of a user; is not displayed in CA MANAGEMENT. When a new user is certified the program fills the field with a value. An association takes place into the tables 'PSE' and 'Certificate'. |
| Name | dbText | 30 | Surname of user |
| Firstname | dbText | 30 | First name of user |
| Mailaddress | dbText | 50 | Mail address of user |
| Id | dbText | 10 | Personnel number of user |
| Division | dbText | 20 | Division (Dept.) of user. This field is completed only to provide information. |
| TransportPin | dbText | 50 | The field depends on the configuration. For the field Password, automatic password generation can be activated with the menu item Extras/Options and then PSE Options. This information is not relevant to creating a certificate. It can be used to print PIN letters with the form letter option of MS Word. |
| Middlename | dbText | 1 | Middle initial of user (taken from American usage). |
| Company | dbText | 50 | Company of user |

Table PSE

In the table "PSE" the data for creating PSEs is stored. Between the tables there is a 1 to 1 or a 1 to 2 relationship (a PSE can contain up to two certificates).

| Field name | Type | Size | Commentary |
| PSENo | dbLong, dbAutoIncrField | | Unique number of a PSE; is not displayed in CA MANAGEMENT. An association takes place into the table 'PSE'. |
| UserNo | dbLong | | Assigns the PSE to a user. |
| PSE | dbLongBinary | | Copy of a software PSE. |
| PSEName | dbText | 25 | File name of the PSE. |
| IsSC | dbBoolean | | TRUE if smartcard PSE, FALSE if software PSE. |
| IssueDate | dbDate | | Date when created. |
| NoOfKP | dbInteger | | Number of key pairs of the PSE (1 or 2). |
| TransportPin | dbText | 50 | Password with which the created PSE is encrypted. |
| PUK | dbText | 8 | Password Unblocking Key for smartcard PSEs. |
| Cardnumber | dbText | 20 | Card number of the smartcard. Is not used when no smartcard is created. When a user certificate is created for a smartcard the field Card number gets a 20-place number. On the card itself, however, 21 places are printed. The last place of the number on the smartcard does not appear in this field as it is a check digit and is not forwarded to CA MANAGEMENT when read. |
| PSEDir | dbText | 255 | Directory in which the PSE is stored. |
| RandomPin | dbBoolean | | TRUE if the password is generated randomly, otherwise FALSE. |
| RandomPUK | dbBoolean | | TRUE if the PUK is generated randomly, otherwise FALSE. |
| ProfileName | dbText | 20 | Reference to the table "Profile". Is not used. |
| PinPolicy | dbText | 30 | Reference to the table "PinPolicy". |
| Cardtype | dbInteger | | Make of the smartcard (0 for TCOS, 1 for Cryptoflex). |
| PinErrorLimit | dbInteger | | Number of tries for password entry. |
| PukErrorLimit | dbInteger | | Number of tries for PUK entry. |
| Created | dbBoolean | | TRUE if the PSE has been created, otherwise FALSE. |
| CreationDate | dbDate | | Creation date of the PSE. |

Table Certificate

In the table "Certificate" data for the issuing of certificates is stored.

| Field name | Type | Size | Commentary |
| CertificateNo | dbLong, dbAutoIncrField | | Unique number of a certificate; is not displayed in CA MANAGEMENT. |
| PSENo | dbLong | | Assigns the certificate to a PSE. |
| UserNo | dbLong | | Assigns the certificate to a user. |
| DN | dbText | 255 | Distinguished Name of the certificate. |
| ValidFrom | dbDate | | Start of the validity of the certificate. |
| ValidUntil | dbDate | | End of the validity of the certificate. |
| SerialNo | dbText | 32 | Serial number of the certificate; is given automatically. |
| Certificate | dbLongBinary | | Copy of the certificate or prototype certificate (for file PSEs only). |
| IsRevoked | dbBoolean | | TRUE if the certificate was revoked, otherwise FALSE. |
| Usage | dbInteger | | 1 if the certificate is used with two key pairs to encrypt PSEs, otherwise 0. |
| IssuerAlg | dbText | 30 | Issuer algorithm. |
| Algorithm | dbText | 30 | Signature/encryption algorithm. |
| Keysize | dbInteger | | Key length. |
| DNPrefix | dbBoolean | | TRUE if the Distinguished Name of the CA is to be appended to the Distinguished Name of the user when being certified, otherwise FALSE. |
| Version | dbText | 10 | X.509v1 or X.509v3. |
| RequestType | dbInteger | | Format of the request type. |
| Request | dbLongBinary | | Proprietary. Is used only when the CA generates the keys. |
| IsCA | dbBoolean | | TRUE if the certificate is issued for a CA, otherwise FALSE. |
| Base64 | dbBoolean | | Proprietary. |
| Boundary1 | dbLongBinary | | Proprietary. |
| Boundary2 | dbLongBinary | | Proprietary. |
| Extensions | dbLongBinary | | Is only used with Version = X.509v3. |
| Created | dbBoolean | | TRUE if the certificate has been issued, FALSE if still changeable. |
| CreationDate | dbDate | | Date of issue of the certificate. |
| CertifyState | dbInteger | | Reserved for later use. |
| CertifyDate | dbDate | | Reserved for later use. |
| VSsigEnrInfo | dbLongBinary | | Reserved for later use. |

Table CRL

In the table "CRL" revocation lists are stored.

| Field name | Type | Size | Commentary |
| StringDName | dbText | 255 | Readable depiction of the Distinguished Name of the CA from which the revocation list comes. |
| OctetStringDName | dbLongBinary | | Binary depiction of the Distinguished Name. |
| IsDelta | dbBoolean | | TRUE = current signed revocation list of the CA, FALSE = certificates added since the last signing. |
| LastUpdate | dbDate | | Date of the last signature of the revocation list. |
| CRLWithCerts | dbLongBinary | | The revocation list itself. |

Table Log

In the table "Log" protocol information is stored.

| Field name | Type | Size | Commentary |
| DateTime | dbDate | | Date and time of the protocol entry. |
| Type | dbInteger | | 0 = Log on, 1 = Log off, 2 = Create a CA, 3 = Create a PSE, 4 = Issue a certificate, 5 = Revoke a certificate, 6 = Issue a revocation list. |
| Data | dbText | 80 | PSE.PSENo if Type = 2 or Type = 3; Certificate.CertificateNo if Type = 4; Certificate.SerialNo if Type = 5. |
| SerialNo | dbText | 25 | |

Table PINPolicy

The table "PINPolicy" stores password rules.

| Field name | Type | Size | Commentary |
| Name | dbText | 30 | Reference to table "PSE". |
| PINPolicy | dbLongBinary | | |

Table Profiles

The table "Profiles" is not yet used.

| Field name | Type | Size | Commentary |
| ProfileNo | dbLong, dbAutoIncrField | | |
| ProfileName | dbText | 20 | |
| PSEDir | dbText | 255 | |
| NoOfKP | dbInteger | | |
| ValidFrom | dbDate | | |
| ValidUntil | dbDate | | |
| EncAlg | dbText | 30 | |
| EncKeysize | dbInteger | | |
| SignAlg | dbText | 30 | |
| SignKeysize | dbInteger | | |
| RandomPin | dbBoolean | | |
| PinLength | dbInteger | | |
| DefaultPin | dbText | 50 | |
| DNIsPrefix | dbBoolean | | |
| RandomPUK | dbBoolean | | |
| PUKLength | dbInteger | | |
| DefaultPUK | dbText | 8 | |

Table ACL

The table "ACL" is not yet used.

| Field name | Type | Size | Commentary |
| SerialNo | dbLongBinary | | |
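The relationships described above (1 to n from Users to PSE and Certificate, 1 to 1 or 1 to 2 from PSE to Certificate, and Log entries keyed by Type) can be checked mechanically. The following Python script is an added example and not part of the manual or of CA MANAGEMENT: it models a constructed, simplified subset of the PSE, Certificate and Log tables in SQLite (Access types mapped to SQLite types, Users omitted because the checks do not need it) and runs four integrity queries over constructed sample rows, reporting certificates assigned to the wrong user, PSEs holding more certificates than NoOfKP allows, and IsRevoked flags that disagree with the Type = 5 log entries.

```python
import sqlite3

# Constructed, simplified SQLite rendering of the PSE, Certificate and Log
# tables described above (dbLong -> INTEGER, dbText -> TEXT, dbBoolean -> 0/1);
# only the columns the checks use are modelled, Users is left out.
SCHEMA = """
CREATE TABLE PSE (PSENo INTEGER PRIMARY KEY, UserNo INTEGER, NoOfKP INTEGER);
CREATE TABLE Certificate (CertificateNo INTEGER PRIMARY KEY, PSENo INTEGER,
                          UserNo INTEGER, SerialNo TEXT, IsRevoked INTEGER);
CREATE TABLE Log (DateTime TEXT, Type INTEGER, Data TEXT);
"""

# Constructed sample rows with seeded faults: certificate 102 lies in PSE 11 (user 2)
# but is assigned to user 1; PSE 10 holds three certificates though NoOfKP = 2; serial
# A2 is revoked without a Type=5 log entry; the Type=5 entry for A1 matches no revoked cert.
SAMPLE = """
INSERT INTO PSE VALUES (10, 1, 2), (11, 2, 1);
INSERT INTO Certificate VALUES (100, 10, 1, 'A1', 0), (101, 10, 1, 'A2', 1),
                               (103, 10, 1, 'A3', 0), (102, 11, 1, 'B1', 0);
INSERT INTO Log VALUES ('1999-03-01 09:00', 4, '100'),
                       ('1999-03-01 09:01', 4, '101'), ('1999-03-02 10:00', 5, 'A1');
"""

CHECKS = {
    # Certificate.UserNo must agree with the UserNo of the PSE it belongs to.
    "cert_user_mismatch": """SELECT c.CertificateNo FROM Certificate c
        JOIN PSE p ON p.PSENo = c.PSENo WHERE c.UserNo <> p.UserNo""",
    # A PSE holds at most NoOfKP (1 or 2) certificates.
    "pse_over_key_pairs": """SELECT p.PSENo FROM PSE p JOIN Certificate c
        ON c.PSENo = p.PSENo GROUP BY p.PSENo, p.NoOfKP HAVING COUNT(*) > p.NoOfKP""",
    # A revoked certificate needs a Type=5 log entry carrying its serial number.
    "revoked_without_log": """SELECT c.SerialNo FROM Certificate c
        WHERE c.IsRevoked = 1 AND NOT EXISTS
        (SELECT 1 FROM Log l WHERE l.Type = 5 AND l.Data = c.SerialNo)""",
    # A Type=5 log entry must point at a certificate that is marked revoked.
    "log_without_revoked": """SELECT l.Data FROM Log l
        WHERE l.Type = 5 AND NOT EXISTS (SELECT 1 FROM Certificate c
        WHERE c.SerialNo = l.Data AND c.IsRevoked = 1)""",
}

def open_sample_db():
    """In-memory database loaded with the constructed schema and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def audit(conn):
    """Run every check; returns {check name: sorted list of offending keys}."""
    return {n: sorted(r[0] for r in conn.execute(q)) for n, q in CHECKS.items()}
```

Against a real CA.MDB the same queries would be run through an ODBC or DAO connection instead of the in-memory database; the sample data exists only to show each check firing once.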