We start by creating a folder. We call it cer_as_exe and here we put our root certificate that we want to distribute and a small installation script.
Our installation script is not that big.
certutil -addstore -f -enterprise -user root %tmp%\root_ca.cer > NUL
del /F %tmp%\root_ca.cer > NUL
del /F %tmp%\install.bat > NUL
This is a very small script that installs a root certificate from a file into the root certificate container of the certificate store for the computer and the user. It then does a quick cleanup by removing the original root certificate file and the installation script, both of which are unpacked into the %tmp% folder by our installer. Now we need to pack everything as an .exe file that will install our root certificate automatically. Continue reading “How to distribute root certificates as exe files” »
A very easy method for importing (or removing) keys in your eToken is to add the eToken as a Security Device in Firefox. The procedure for Thunderbird and Mozilla/Seamonkey is nearly identical. To add your eToken as a security device, follow these steps:
- Start Firefox
- (Linux) Go to Edit->Preferences->Advanced->Tab "Encryption"
- (Windows) Go to Tools->Options->Advanced->Tab "Encryption"
- Click on 'Security Devices'
You should see a screen similar to
This section will show you how to use an Apache Web Server Proxy in front of EJBCA. The resulting server will
- Display EJBCA public web at https://ca-server.company.local/
- Redirect all HTTP-requests to HTTPS, except for OCSP and CRL.
- Require a client SSL certificate when accessing https://ca-server.company.local/adminweb/
- Be able to load-balance requests
- Still answer to requests on https://ca-server.company.local/ejbca/*
This example was created on Ubuntu 64-bit Server 7.10 using the Apache Web Server 2.2 package, but should be easy to adapt to any system able to run Apache.
Start by installing EJBCA as normal. If you intend to have the CA on the same machine as the proxy, you should modify $EJBCA_HOME/conf/web.properties so that it only listens on localhost. Continue reading “Setting up an Apache Web Server as a proxy in front of EJBCA” »
EJBCA supports custom (your own) OIDs in DN components.
In order to add such a DN you can simply call the DN for example:
Where 18.104.22.168 is your custom OID.
Custom OIDs are always encoded as UTF8String in the DN.
To get support for custom OIDs in the Admin GUI you must edit the file src/java/profilemappings.properties and add your new OID at the end. Just follow the example in the file, and you will get the possibility to add your OID in the End Entity Profile, and after that also when adding new users. If you edit profilemappings.properties, you should also add an entry in src/adminweb/languages/languagefile.XX.properties (where XX is your language). Otherwise your new field will be displayed in the admin GUI as the key that you entered (which is probably fine as well). The key you must add in the language file is the last field in profilemappings.properties, i.e. the LanguageConstant. Continue reading “EJBCA Custom OID DN and altName oids” »
If you have a big network with hundreds of hosts you can expect the “Neighbour table overflow” error, which occurs in large networks when there are too many ARP requests for the server to reply to. This happens, for example, when the server is used as a DHCP server, for cable modem provisioning, etc.
Nov 10 03:18:17 myhost Neighbour table overflow.
Nov 10 03:18:23 myhost printk: 12 messages suppressed.
To check the present threshold level 1
It will give some value as 128 or 256 or 512.
This can be increased to the next level. For example, if the value is 128, then set thresh1 to 256, thresh2 to 512 and thresh3 to 1024. Continue reading “Neighbour table overflow” »
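The check-and-raise procedure above, as an added shell example (not code from the original post). It reads the three neighbour-table thresholds from the standard Linux sysctl path, computes the next level exactly as described (double each value), counts "Neighbour table overflow" messages in a log so you can confirm the symptom before changing anything, and applies a level with sysctl (which needs root; the apply step is only reached when you pass "apply"). The sample log lines are constructed from the two messages quoted above.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Path of the default neighbour-table tunables on Linux.
NEIGH_DIR=/proc/sys/net/ipv4/neigh/default

# Print the current gc_thresh1 gc_thresh2 gc_thresh3, space-separated.
current_thresholds() {
    cat "$NEIGH_DIR/gc_thresh1" "$NEIGH_DIR/gc_thresh2" "$NEIGH_DIR/gc_thresh3" \
        | tr '\n' ' ' | sed 's/ $//'
}

# Given the present thresh1, emit the next level for all three thresholds:
# the post's progression 128 -> "256 512 1024" (thresh2 = 2*thresh1, thresh3 = 4*thresh1).
next_level() {
    t1=$(( $1 * 2 ))
    echo "$t1 $(( t1 * 2 )) $(( t1 * 4 ))"
}

# Count overflow messages in a log fed on stdin (kernel suppresses repeats,
# so also count the "messages suppressed" lines to gauge the real rate).
overflow_count() {
    grep -c 'Neighbour table overflow' 
}
suppressed_count() {
    grep 'messages suppressed' | sed 's/.*printk: \([0-9]*\) messages suppressed.*/\1/' \
        | awk '{ s += $1 } END { print s + 0 }'
}

# Apply a level at runtime (root required). To persist across reboots, put the
# same three keys in /etc/sysctl.conf.
apply_level() {
    sysctl -w net.ipv4.neigh.default.gc_thresh1="$1" \
              net.ipv4.neigh.default.gc_thresh2="$2" \
              net.ipv4.neigh.default.gc_thresh3="$3"
}

# Constructed sample log, modelled on the two lines quoted in the post.
SAMPLE_LOG='Nov 10 03:18:17 myhost Neighbour table overflow.
Nov 10 03:18:23 myhost printk: 12 messages suppressed.
Nov 10 03:18:31 myhost Neighbour table overflow.'

case "${1:-}" in
    show)
        echo "overflows logged: $(printf '%s\n' "$SAMPLE_LOG" | overflow_count)"
        echo "suppressed:       $(printf '%s\n' "$SAMPLE_LOG" | suppressed_count)"
        cur=$(current_thresholds); set -- $cur
        echo "current: $cur  -> next level: $(next_level "$1")"
        ;;
    apply)
        cur=$(current_thresholds); set -- $cur
        apply_level $(next_level "$1")
        ;;
esac
```

Run it as `sh neigh.sh show` to see the current values and the proposed level, and only as root with `apply` once the log confirms the overflow is real; raising thresholds on a box that is not actually a gateway for hundreds of hosts just hides a misbehaving client.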
Assuming that you have an OpenVPN server ready to allow VPN connectivity from its clients. It is also assumed that the CA certificate (.pem) has been obtained from a valid CA and used to sign the OpenVPN server's certificate.
Because of the large number of parameters you can define, either in the configuration file or on the command line, you could configure OpenVPN in many different ways. In any case, to obtain a connection with an OpenVPN server you only need to define a small number of them in your client's configuration file. In order to further simplify the configuration of the OpenVPN client, you could use an example configuration such as the one below:
It's just a single command to execute:
openssl req -new -newkey rsa:2048 -nodes -keyout /tmp/csr/csr.mangoca.com.key -out /tmp/csr/csr.mangoca.com.csr
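The single openssl command above wrapped in a small added shell example (not from the original post), with the two checks a practitioner wants before sending the CSR anywhere: the private key is created with a restrictive umask, and the CSR's self-signature and public key are verified against that key. The hostname csr.mangoca.com and the directory are taken from the command above; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post.

# Generate a 2048-bit RSA key and a CSR for the given CN in the given directory.
# The subshell keeps the restrictive umask from leaking into the caller.
make_csr() {
    cn=$1; dir=$2
    mkdir -p "$dir"
    (
        umask 077   # the .key file must not be group/world readable
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$dir/$cn.key" -out "$dir/$cn.csr" \
            -subj "/CN=$cn" 2>/dev/null
    )
}

# Verify the CSR's self-signature and that its public key matches the key file.
verify_csr() {
    dir=$1; cn=$2
    openssl req -in "$dir/$cn.csr" -noout -verify >/dev/null 2>&1 || return 1
    csr_pub=$(openssl req -in "$dir/$cn.csr" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/$cn.key" -pubout 2>/dev/null)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Print the subject line of a CSR, for a last look before submission.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Stand-alone usage: sh make_csr.sh run  (writes under /tmp/csr as in the post)
if [ "${1:-}" = "run" ]; then
    make_csr csr.mangoca.com /tmp/csr
    verify_csr /tmp/csr csr.mangoca.com && csr_subject /tmp/csr/csr.mangoca.com.csr
fi
```

The -subj argument replaces the interactive prompts of the original command; drop it if you prefer to be asked for the DN fields. The key/CSR match check catches the common mistake of overwriting a key file after the CSR was generated.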
Definitions, Acronyms and Abbreviations
Certificate Policy (CP) – a document listing the rules to be abided by when issuing and managing Certificates.
Certificate Practice Statement (CPS) – lists the procedures to be followed when issuing and managing Certificates.
Certificate Policy (CP)
A Certificate Policy [ 4 ] describes the rules under which a particular certificate is issued. These include the rules governing generation, distribution, and administration of the Digital Certificates, and the policies to be followed in the event of any possible Key compromises.
A CA may define a different CP for each different type of Certificate it issues. This is quite common practice – especially where a CA applies different rules in checking the credentials of different classes of Certificate Holders.
Certificate Policies often make explicit statements on the CA’s liability to a Relying Party in the event that information in a certificate is shown to be wrong.
Relying Parties should check the CP before deciding whether or not to trust the Certificate.
It is important to note that many commercially available PKI-enabled products do not allow users to configure a list of trusted Certificate Policies in the same way that they allow users to configure a list of trusted CAs. For this reason some organisations such as Verisign typically use different sub-CAs to issue certificates under different policies (in effect having one sub-CA per policy).
Certification Practice Statement (CPS)
The CPS contains a more detailed description of the practices and procedures a CA follows when issuing and managing Digital Certificates. It is tailored to the organisation's PKI operating environment and organisational structure.
Where a CP defines what the rules are, the CPS describes how to implement those rules.
Appendix [ A.1 ] provides more information on the legal difference between a CP and a CPS. Continue reading “Difference between CP and CPS” »