FAQ:
Troubleshooting:
- F1. What is a PKI?
-
The term PKI stands for Public Key Infrastructure.
It is a technical and organizational infrastructure in charge of
issuing, distributing, and revoking
public-key certificates.
A PKI is composed of one or more entities:
Certification Authorities (CA),
Registration Authorities (RA),
and Revokation Authorities.
- F2. What is a "public-key certificate"?
-
A public-key certificate is a data structure (i.e. a sequence of bits, that can be stored in a file) that securely binds a
public-key to some attributes,
such as
distinguished name (DN)
of certificate holder in most cases.
- F3. What is a X.509?
-
X.509 certificate syntax is the standard by which all digital certificates are to adhere.
These certificates are an encrypted data file that contains at least the following information:
- version number & serial number
- the issuers name (CA)
- the users name
- the certificate purpose flag (allowed to act as CA or not)
- the users public key information:
- signature algorithm ID
- validity period
Later versions of this standard have added additional fields,
most notably version three, which allows for more generalized extensions
containing subject and issuer attributes.
The X.509 standard specifies a certificate using Abstract Syntax Notation (ASN.1),
a language used to describe data types in such a manner as to eliminate ties to
any particular platform.
- F4. What is a "Distinguished Name"?
-
A Distinguished Name (DN) is a name of certificate holder which describes
the belonging of certificate holder to some infrastructure covered by an CA.
- F5. What is a Certification Authority?
-
In X.509 the term "certification authority" is defined as "an authority trusted
by one or more users to create and assign certificates".
X.509 imposes few constraints on CAs, but practical implementation of
a worldwide certification system requires establishment of technical and
procedural conventions by which all CAs are expected to abide.
All CAs are required to maintain a database of the DNs which they have
certified and to take measures to ensure that they do not certify duplicate DNs,
either for users or for subordinate CAs.
In "Marconi's Glossary of Terms" is defined as
"a CA (certificate authority) is an authority in a network that issues
and manages security credentials and public keys for message encryption
and decryption. As part of a public key infrastructure (PKI), a CA checks
with a
registration authority (RA)
to verify information provided by the requestor of a digital certificate. If the RA verifies
the requestor's information, the CA can then issue a certificate. The actual contents of the certificate can vary between different CA's
and different applications".
- F6. What is a Registration Authority?
-
An RA (registration authority) is an authority in a network that verifies
user requests for a digital certificate and tells the certificate authority (CA)
to issue it. RAs are part of a public key infrastructure (PKI),
a networked system that enables companies and users to exchange information and
money safely and securely. The digital certificate contains a public key
that is used to encrypt and decrypt messages and digital signatures.
- F7. What is a Revocation Authority?
-
Revocation Key Problem
A CA must be able to revoke a certificate which is prior to its expiration time. There are many reasons for a CA to revoke a certificate:
- The user's secret key is assumed to be compromised whereby
the corresponding public key is invalidated.
- The CA's secret key is assumed to be compromised whereby all
the certified issued by the CA are invalidated.
- The user's affiliation has changed whereby the fully distinguished name
contained in the certificate's "subject" field is invalidated.
A CA can mark a certificate which is issued as invalid by adding it to
the list of revoked certificates. Information relative to
certificate revocation is propagated by means of revocation list.
The revocation of a user certificate or CA certificate shall be made known by
the CA, and a new certificate shall be made available if appropriate.
The CA may then inform the owner of the certificate about his revocation by
some off-line procedure. The CA shall maintain:
- a time stamped list of the certificates it issued which have been revoked:
the revocation list. The list shall exist even if empty.
A valid certificate remains valid until is expired or is placed into
the revocation list.
Revocation Authority
Who revokes the certificates ?
It is decided to separate issuing and the storage of the certificates from
revoking of the certificates. It can be done because
the revocation problem doesn't involve the use of the CA's secret key. And then
was designed a new entity called Revocation Authority (RA) that manage all
the procedure involved by the revocation certificate problem.
This entity is completely independent and separated by the CA. This choice has two advantages:
- Decentralization of the work.
- While the revocation authority must be on-line, the CA doesn't need to be always on-line,
consequently it will be much more difficult for an outside attacker
to find a security breach in the CA. The CA will be on-line just to accept
user certificate requests and to reply them with the issued certificate.
- F8. Why is a PKI needed?
- As far as we have a digital certificate, certification, registration and
revocation authorities, they should be organized into some infrastructure for
flexibility and manageability of whole trust three with one root (top-level)
CA and subordinated leaves. In other words we need an infrastructure. So as we
are speaking about asymmetric nature of a cryptographic model using for
certificate generation, where one key called "public key" can be
known to others, we can speak about the Public Key Infrastructure.
A Public Key Infrastructure (PKI), or trusted network, as it is known, is a formalised set of:
- security services
- digital certificates that provide electronic identification of parties on the Internet (trust)
- rules and processes that determine how the PKI is operated and who can participate in it.
A PKI can be used to secure information transferred over the Internet as well as authenticate the identity of the parties involved in electronic transaction. A PKI enables organisations to carry out real business over the Internet by seamlessly and transparently duplicating the values, and processes that have been the pre-requisites for business for centuries in the physical world - trust, authentication, security and legal status.
- F9. OK, I got my wonderful public-key certificate from EuroPKI. What now?
- Secure connections via SSL or TLS. It is possible to use the personal
certificate to make telnet, ftp, http and other connections to the computers
provided by SSL (Secure Socket Layer) means, they can be established only by
providing some security properties such as non repudiation, authenticity,
integrity of transmitted data.
- Secure messages via S/MIME. It is possibly to use the personal certificate
for e-mail messages signing and encryption. In this case the security
properties mentioned above will be provided by strong cryptographic mechanisms
included into E-Mail (S/MIME enabled) software.
- Secure networking via IPsec. The use of digital certificates enables the
creation of Virtual Private Networks that are governed by PKI and protected by
strong cryptographic algorithms. It is difficult to get the clear data from
such data exchange and to make any attacks on such networks.
- T1. Microsoft Exchange Server 5.5: An user cannot receive the signed part of email message and so is unable to verify the sender's digital signature and sender's certificate
-
Set the checkbox "Client support S/MIME signatures" up for the Internet Mail Connector (IMS) of server Exchange.
- T2. CheckPoint FireWall-1 for WinNT Ver. 4.0 ServicePack 5 and another similar firewall: An external of firewall user loose TCP connection with server located inside of virtual network protected by firewall
-
Increment the TCP Session timeout in Property section of Security Polices to the right value (in seconds).
- T3. Netscape Navigator/Communicator: The Netscape Navigator and Messanger crash on receiving of an signed e-mail or on downloading of a digital certificate
-
Probably you try to use or download an certificate with GeneralizedTime
representation of certificate's
Validity Time instead of UTCTime representation. So use please other software
such as Microsoft's ones or avoid of such certificates.
- T4. Any FireWall: An internal of FireWall user cannot establish a SSL-FTP connection to SSL-FTP sever outside of the FireWall but has no problems with the SSL Telnet
-
So far as the SSL-FTP server after the positive negoziation with the client tries to open other port for dataflow
to an internal of FireWall station the FireWall will block any such request.
So abilitate the passive mode of the SSL-FTP client when the server will communicate
to the client the data port number on negoziation step and after the client will open
the port and establish the connection outgoing from private network protected by the FareWall.
Or, if it is not possible to turn the client in passive mode,
abilitate the FareWall to bypass any requests from the external SSL-FTP server to
the internal client, providing other security means such as IP fileters, access rules and so on.
- T5. Internet Explorer 5 (4.5, 4.01, 4.0) for Macintosh: Error Message: Security Failure. Personal Certificate Required
-
SYMPTOMS:
If you visit a Web site that requests a personal certificate, you may receive the following error message:
Security failure. Personal certificate required.
After you receive this error message, the Web page does not appear. This problem occurs even if the Web site permits but does not require a personal certificate.
Get more information
