How to distribute root certificates as exe files

We start by creating a folder. We call it cer_as_exe and here we put our root certificate that we want to distribute and a small installation script.


Our installation script is not that big. ;)

@echo off
rem Add the root certificate to the Root store (computer and user) without prompting
certutil -addstore -f -enterprise -user root %tmp%\root_ca.cer > NUL
rem Clean up the files the installer unpacked into %tmp%
del /F %tmp%\root_ca.cer > NUL
del /F %tmp%\install.bat > NUL

This is a very small script that installs a root certificate from a file into the root certificate container of the certificate store for the computer and the user. Then it does a quick cleanup by removing the original root certificate file and the installation script, both of which were unpacked into the %tmp% folder by our installer. Now we need to pack everything as an .exe file that will install our root certificate automatically. ;)


Using an Aladdin eToken with firefox

A very easy method for importing (or removing) keys in your eToken is to add the eToken as a Security Device in Firefox. The procedure for Thunderbird and Mozilla/Seamonkey is nearly identical. To add your eToken as a security device, follow these steps:

  • Start Firefox
  • (Linux) Go to Edit->Preferences->Advanced->Tab "Encryption"
  • (Windows) Go to Tools->Options->Advanced->Tab "Encryption"
  • Click on 'Security Devices'

You should see a screen similar to



Setting up an Apache Web Server as a proxy in front of EJBCA

This section will show you how to use an Apache Web Server Proxy in front of EJBCA. The resulting server will

  • Display EJBCA public web at
  • Redirect all HTTP-requests to HTTPS, except for OCSP and CRL.
  • Require a client SSL certificate when accessing
  • Be able to load balance requests
  • Still answer to requests on*

This example was created on Ubuntu 64-bit Server 7.10 using the Apache Web Server 2.2 package, but should be easy to adapt to any system able to run Apache.

Start by installing EJBCA as normal. If you intend to have the CA on the same machine as the proxy, you should modify $EJBCA_HOME/conf/ to only listen to localhost
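As an added example that is not the original post's configuration, an Apache 2.2 virtual host pair that does what the list above describes. It assumes EJBCA is reachable on localhost:8080, the default EJBCA paths for OCSP (/ejbca/publicweb/status/ocsp), CRL download (/ejbca/publicweb/webdist/certdist) and the admin web (/ejbca/adminweb), the hostname ca.example.com, and certificate files under /etc/apache2/ssl/ (all assumptions).

```apache
# Added example; requires mod_ssl, mod_rewrite, mod_proxy, mod_proxy_http
# and mod_proxy_balancer to be enabled (a2enmod on Ubuntu).
ProxyRequests Off            # reverse proxy only, never a forward proxy

<VirtualHost *:80>
    ServerName ca.example.com
    RewriteEngine On
    # OCSP and CRL distribution stay on plain HTTP: clients fetch them
    # without a certificate, and the responses are signed anyway.
    RewriteCond %{REQUEST_URI} !^/ejbca/publicweb/status/ocsp
    RewriteCond %{REQUEST_URI} !^/ejbca/publicweb/webdist/certdist
    RewriteRule ^/(.*)$ https://%{SERVER_NAME}/$1 [R=301,L]
    ProxyPass        /ejbca/publicweb balancer://ejbca/ejbca/publicweb
    ProxyPassReverse /ejbca/publicweb balancer://ejbca/ejbca/publicweb
</VirtualHost>

<VirtualHost *:443>
    ServerName ca.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/proxy.crt
    SSLCertificateKeyFile /etc/apache2/ssl/proxy.key
    # CA chain used to verify client certificates
    SSLCACertificateFile  /etc/apache2/ssl/ca-chain.pem
    SSLVerifyDepth 2

    # Public web: server-authenticated TLS only
    ProxyPass        /ejbca balancer://ejbca/ejbca
    ProxyPassReverse /ejbca balancer://ejbca/ejbca

    # Admin web: a client certificate from our CA is mandatory at the proxy.
    # Caveat: TLS terminates here, so EJBCA itself does not see the client
    # certificate unless it is forwarded (e.g. over AJP); this example only
    # enforces the requirement at the proxy.
    <Location /ejbca/adminweb>
        SSLVerifyClient require
    </Location>
</VirtualHost>

# Load balancing: add one BalancerMember per EJBCA instance
<Proxy balancer://ejbca>
    BalancerMember http://localhost:8080
</Proxy>
```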


EJBCA Custom OID DN and altName oids

EJBCA supports custom (your own) OIDs in DN components.

In order to add such a DN you can simply call the DN for example:


Where is your custom OID.

Custom OIDs are always encoded as UTF8String in the DN.

To get support for custom OIDs in the Admin GUI you must edit the file src/java/ and add your new OID at the end. Just follow the example in the file, and you will get the possibility to add your OID in the End Entity Profile, and following that also when adding new users. If you edit it, you should also add an entry in src/adminweb/languages/ (where XX is your language). Otherwise your new field will be displayed as the key that you entered (which is probably ok also) in the admin GUI. The new field you must add in the language file is the last field in, i.e. the LanguageConstant.


Neighbour table overflow

If you have a big network with hundreds of hosts you can expect the “Neighbour table overflow” error, which occurs in large networks when there are too many ARP requests to which the server is not able to reply, for example when you are using the server as a DHCP server, for cable modem provisioning, etc.

Nov 10 03:18:17 myhost Neighbour table overflow.
Nov 10 03:18:23 myhost printk: 12 messages suppressed.

To check the present threshold level 1:

cat /proc/sys/net/ipv4/neigh/default/gc_thresh1

It will give a value such as 128, 256 or 512.

This can be increased to the next level. For example, if the value is 128, then make the thresh1 value 256, thresh2 512 and thresh3 1024.
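As an added example that is not from the original post, a small POSIX shell helper that derives the next threshold level from the current gc_thresh1, prints the matching sysctl.conf lines, and compares the live neighbour table with the current limits. The /proc paths are the ones named above; counting entries with `ip -4 neigh` is an assumption.

```shell
#!/bin/sh
# Added example: raise gc_thresh1/2/3 together to the next level and
# check how close the live IPv4 neighbour table is to those limits.

# Given the current gc_thresh1, print the next level as
# "thresh1 thresh2 thresh3" (e.g. 128 -> "256 512 1024").
next_thresholds() {
    t1=$(( $1 * 2 ))
    echo "$t1 $(( t1 * 2 )) $(( t1 * 4 ))"
}

# Print the /etc/sysctl.conf lines that make the new level persistent
# (apply with "sysctl -p" afterwards).
sysctl_lines() {
    set -- $(next_thresholds "$1")
    printf 'net.ipv4.neigh.default.gc_thresh1 = %s\n' "$1"
    printf 'net.ipv4.neigh.default.gc_thresh2 = %s\n' "$2"
    printf 'net.ipv4.neigh.default.gc_thresh3 = %s\n' "$3"
}

# Exit status 0: table is below gc_thresh1 (no garbage-collection
# pressure); 1: table is at or above gc_thresh1, so the thresholds
# should be raised before gc_thresh3 (the hard cap) is reached;
# 2: the /proc files are not readable (non-Linux or no permission).
check_neigh_table() {
    dir=/proc/sys/net/ipv4/neigh/default
    [ -r "$dir/gc_thresh1" ] || return 2
    t1=$(cat "$dir/gc_thresh1")
    t3=$(cat "$dir/gc_thresh3")
    entries=$(ip -4 neigh 2>/dev/null | wc -l)
    echo "neighbour entries: $entries (gc_thresh1=$t1, gc_thresh3=$t3)"
    [ "$entries" -lt "$t1" ]
}
```

Run `check_neigh_table` on the affected host; if it reports pressure, append the output of `sysctl_lines <current gc_thresh1>` to /etc/sysctl.conf.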


Connecting openvpn server using openvpn gui client for windows

This assumes that you have an OpenVPN server ready to allow VPN connectivity from its clients. It is also assumed that the CA certificate (.pem) has been obtained from a valid CA and that the OpenVPN server's certificate is signed by it.

Because of the large number of parameters you can define, either in the configuration file or on the command line, you could configure OpenVPN in many different ways. In any case, to obtain a connection with an OpenVPN server, you only need to define a small number of them in your client's configuration file. To further simplify the configuration of the OpenVPN client, you could use an example configuration as below:



Install Server Certificate for IIS 6 or 5

The following document is partly based on this Microsoft document: How to Import a Server Certificate for Use in Internet Information Services 5.0 (Q232137)

  1. Add Certificates snap-in to MMC
    1. Click Start, and then click Run.
    2. Type "MMC.EXE" (without the quotation marks) and click OK.
    3. Click Console in the new MMC you created, and then click Add/Remove Snap-in.
    4. In the new window, click Add.
    5. Highlight the Certificates snap-in, and then click Add.
    6. Choose the Computer account option and click Next.
    7. Select Local Computer on the next screen, and then click Finish.
    8. Click Close, and then click OK.
    9. You have now added the Certificates snap-in, which will allow you to work with any certificates in your computer's certificate store. You may want to save this MMC for later use.

Difference between CP and CPS

Definitions, Acronyms and Abbreviations

Certificate Policy (CP) – a document listing the rules to be abided by when issuing and managing Certificates.
Certificate Practice Statement (CPS) – lists the procedures to be followed when issuing and managing Certificates.

Certificate Policy (CP)

A Certificate Policy [ 4 ] describes the rules under which a particular certificate is issued. These include the rules governing generation, distribution, and administration of the Digital Certificates, and the policies to be followed in the event of any possible Key compromises.

A CA may define a different CP for each different type of Certificate it issues. This is quite common practice – especially where a CA applies different rules in checking the credentials of different classes of Certificate Holders.

Certificate Policies often make explicit statements on the CA’s liability to a Relying Party in the event that information in a certificate is shown to be wrong.

Relying Parties should check the CP before deciding whether or not to trust the Certificate.

It is important to note that many commercially available PKI-enabled products do not allow users to configure a list of trusted Certificate Policies in the same way that they allow users to configure a list of trusted CAs. For this reason some organisations such as Verisign typically use different sub-CAs to issue certificates under different policies (in effect having one sub-CA per policy).

Certification Practice Statement (CPS)

The CPS contains a more detailed description of the practices and procedures a CA follows when issuing and managing Digital Certificates. It is tailored to the organisation's PKI operating environment and organisational structure.

Where a CP defines what the rules are, the CPS describes how to implement those rules.

Appendix [ A.1 ] provides more information on the legal difference between a CP and a CPS.