You configure server authentication by creating a client keyring, importing the server's signer certificate, creating a server keyring and certificate, and exporting the server's signer certificate.

For information about configuring server authentication from the command line, see Configuring your SSL server.
Creating a server keyring

The key ring contains your server certificate, with its associated private key, and several signer certificates. SSL uses the certificate to identify the server to connecting clients.

- Start iKeyMan.
- Select Key Database File -> New.
- From Key Database Type, select JKS.
- In File name, type a name for your key ring, such as MyServerkeyring.jks.
- In Location, type a suitable location in which to store your server key ring.
- Select OK.
- Type a password for the key ring file. iKeyMan indicates the "strength" of your password. A mixture of letters and numbers makes the password more resistant to "brute force" dictionary attacks.
- Select OK.
The generated file MyServerkeyring.jks contains, by default, a selection of popular signer certificates, as follows:

- VeriSign Class 3 Public Primary Certificate Authority
- VeriSign Class 2 Public Primary Certificate Authority
- VeriSign Class 1 Public Primary Certificate Authority
- RSA Secure Server Certificate Authority
- Thawte Personal Basic CA
- VeriSign Test CA Root Certificate
- Thawte Personal Premium CA
- Thawte Premium Server CA
- Thawte Server CA
- Thawte Personal Freemail CA

The server can verify clients with the VeriSign Class 1 through 3 Public Primary Certificate Authority signer certificates.
Creating a server certificate

Now you are ready to create the self-signed Server Certificate and store it, along with its private key, in your server key ring:

- In iKeyMan, select Create -> New Self-Signed Certificate.
- Complete the certificate request. Some fields are optional, but you must fill in at least the following (examples are shown):
  - Key Label: exampleServerCert
  - Version: select X509 V3
  - Key Size: select 1024
  - Common Name: this defaults to the name of the machine you are using
  - Validity Period: the default is 365 days
- Select OK. iKeyMan generates a public/private key pair.
- The self-signed Server Certificate appears in the Personal Certificates window. The certificate has the name you typed in the Key Label field, in this example exampleServerCert.
- With exampleServerCert highlighted, select View/Edit. Notice that the information in the issued to (certificate requester) textbox is the same as that in the issued by (signer) textbox. To establish SSL connections with a server presenting this certificate, the client must trust the signer. For a self-signed certificate, the signer is the certificate itself, so the client key repository must contain the signer certificate of the server presenting exampleServerCert.
Exporting the server's signer certificate

- With exampleServerCert highlighted, select Extract Certificate...
- In the Data type pull-down menu, select Base64-encoded ASCII.
- Type the name and location of the text file that will contain your Server Certificate data. Our example uses exampleServercert.arm.
- Select OK.

Store the exported certificate in a safe place. Import it into any client repository that needs to communicate with this SSL server.
Creating a client keyring

A client key ring contains, as a minimum, the signer certificate of the SSL server, and a client X.509 certificate if client authentication is required. The process for creating a client key ring is similar to that for a server:

- Start iKeyMan.
- Select Key Database File -> New.
- From Key Database Type, select JKS.
- In File name, type a name for your key ring, such as MyClientkeyring.jks.
- In Location, type a suitable location in which to store your client key ring.
- Select OK.
- Type a password for the key ring file.
- Select OK.

Like the server key ring, the client key ring contains a default selection of popular signer certificates.
Importing the server's signer certificate

- In iKeyMan, select Signer Certificates.
- Select Add.
- Locate the stored Server Base64-encoded ASCII certificate file. In our example, this is exampleServercert.arm.
- Give this signer certificate a unique label, for example, My Self-Signed Server Authority.
- Select OK.

This new signer certificate is added to the list of default signers.
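The same four steps (server keyring with a self-signed certificate, Base64 export, client keyring, signer import) carried out with the JDK's keytool instead of the iKeyMan GUI, as an added example that is not part of the original page. It assumes keytool is on the PATH; the file names and labels follow the page, while the passwords and the Common Name are constructed placeholders, and the key size is 2048 bits rather than the 1024 shown above.

```shell
#!/bin/sh
# Added example, not from the original page: the iKeyMan procedure done with the
# JDK's keytool. Assumes keytool on PATH; passwords and CN are placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"
SERVER_KS="$WORK/MyServerkeyring.jks"
CLIENT_KS="$WORK/MyClientkeyring.jks"
CERT_FILE="$WORK/exampleServercert.arm"         # the Base64-encoded ASCII export
SERVER_PW="${SERVER_PW:-server-keyring-pw}"      # constructed placeholder
CLIENT_PW="${CLIENT_PW:-client-keyring-pw}"      # constructed placeholder
SERVER_CN="${SERVER_CN:-myserver.example.com}"   # iKeyMan defaults to the host name

# Server keyring plus self-signed certificate under Key Label exampleServerCert
# (2048-bit RSA instead of the page's 1024, which is too small today).
create_server_keyring() {
    keytool -genkeypair -keystore "$SERVER_KS" -storetype JKS \
        -storepass "$SERVER_PW" -keypass "$SERVER_PW" -alias exampleServerCert \
        -keyalg RSA -keysize 2048 -validity 365 -dname "CN=$SERVER_CN,O=Example" >/dev/null
}

# Extract Certificate... as Base64-encoded ASCII (-rfc writes PEM text).
export_signer_cert() {
    keytool -exportcert -rfc -keystore "$SERVER_KS" -storepass "$SERVER_PW" \
        -alias exampleServerCert -file "$CERT_FILE" >/dev/null
}

# Client keyring: keytool creates the JKS file on the first import, so creating
# the keyring and adding the server's signer certificate is one command.
import_signer_cert() {
    keytool -importcert -noprompt -keystore "$CLIENT_KS" -storetype JKS \
        -storepass "$CLIENT_PW" -alias "My Self-Signed Server Authority" \
        -file "$CERT_FILE" >/dev/null
}

# Entry type of an alias: PrivateKeyEntry (server) or trustedCertEntry (client).
entry_type() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null |
        grep -oE 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# SHA-256 fingerprint of an alias's certificate; the client's trusted signer must
# be the very certificate the server presents (issued to equals issued by).
cert_fingerprint() {
    keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null |
        sed -n 's/.*SHA256: *//p' | head -n 1
}
run_example() {
    create_server_keyring; export_signer_cert; import_signer_cert
    cert_fingerprint "$SERVER_KS" "$SERVER_PW" exampleServerCert   # fingerprint of the server cert
}
if command -v keytool >/dev/null 2>&1; then run_example; else echo "keytool not on PATH" >&2; fi
```

Comparing the fingerprint printed for the server keyring with the one in the client keyring (cert_fingerprint on "My Self-Signed Server Authority") is the command-line equivalent of the issued-to / issued-by check in View/Edit.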