How I may help
LinkedIn Profile Email me!
Call me using Skype client on your machine

Reload this page Certificates Authorities PKI

Here is how to create and use digital certificates to protect software application data. This is a companion page on private key architecture kerberos using Cryptography, a superset of what Amazon AWS uses.

wav sound “Badges? We don't need no stinking badges!” —from "BLAZING SADDLES" movie


Topics this page:

  • Who Needs It?
  • PKI Infrastructure
  • PKI Flowchart
  • Cert. Authorities
  • Cert. Stores
  • S/MIME Setup Steps
  • Crypto Service Providers
  • Limitations
  • Database Certs
  • Your comments???

    Site Map List all pages on this site 
    About this site About this site 
    Go to first topic Go to Bottom of this page

    Go to top of page Who Needs Digital Certificates?


    Go to Top of this page.
    Previous topic this page
    Next topic this page

    Set screen Setup Email Encryption with S/MIME Certificate - Step 1

      How do I encrpyt an email?

      First, Who's Your Certificate Authority?

      Each CA presents its own Certification Practice Statement (CPS). Make sure you reference the correct version and update:

      Exchange of Bodily Information

      The first step in Thawte's process was to create an ID number containing a country code and the national identifcation code (a Social Security Number in the US).

      I hesitated about giving out my social security number to yet another organization. I thought about what I was trusting:

      • I trust that, enroute to the CA, HTTPS is protecting my data.

      • I trust that the CA isn't a front for the Russian mafia or other nefarious organization. I trust that the CA won't distribute the list or let it fall in enemy hands (like our FBI and CIA manage to do).

        It turns out Thawte is owned by VeriSign, the “big daddy” of Certificate Authories. Thawte is one of only two global Certificate Authorities trusted by all leading S/MIME X.509 secure messaging software, such as Microsoft Outlook Express and Netscape Communicator. (Talk about monopolies!)

      • I trust that someone can't somehow derive the number from the digital signature (a hash of my private key) or the public key.

      So I opted to give them my drivers license instead of my social security number. That's actually a state identity number, not a national number. But that didn't occur to me until after I pressed the send button.

      I'll use a real number the next time.

      Email Identity & Client

      What ever identity number I gave Thawte, that number is associated with the email account in the certificate.

      This can't be a web-based mail account such as hotmail or Yahoo mail. The email I use must be a POP3 mail account such as Earthlink. (I don't know about AOL)

      The bottom line is that I must use a mail client which does S/MIME processing, such as Outlook or Eudora Pro. I don't like Outlook 2000 because it's too slow and (by default) makes me go down 3 levels of pull down menus to select the action I use 99% of the time.

    Go to Top of this page.
    Previous topic this page
    Next topic this page

      Set screen Choice of Strong Passwords

      Example of passphrases in movies:

      • In “Aladdin“, to get into the castle, say "open sesame".
      • In “Tron”, to get into the MCP, say “raindeer flotilla”.

      I think that one of the weakest aspect of consumer password security is that people habitually use the same passwords everywhere. As a creatures of habit, many get used to simply incrementing numbers or letters when they are required to change their password. If someone ever gets my password (reading a database at the many websites where I've given it out), ALL of my accounts would be compromised. (This, by the way, is the problem with Microsoft's Passport authentication service).

      So I keep a list of where I've signed up, and encrypt it with a password I haven't used on anything else.

      I've gone to using programs to generate password generation passwords and passphrases.

      Copy of Certificate In a Safe Place

      In case I'm hit by that perverbial truck, I printed out a screen image, wrote down the password, and filed the paper in the portable box where I keep unused credit cards, my passport, birth certificate, diplomas, Prometric score reports, and other valuables.

      BTW, I should keep originals in a bank safe deposit box in case my home burns down, and only keep copies in the house.

    Step 2: First Time Entry Into Personal Certification Home Page

      After Thawte made sure that no one else was using the identity information I supplied, they made sure that I could remember what I entered.

      I could use this link from Thawte to access my account (given that I can remember my email address and password).

      To access a Windows 2000 server (for example, “Certx”) hosting Web Enrollment Support:


    Step 3: Confirm Ownership with Email Pong

      I waited a few minutes and checked my email. I then clicked the “pong.exe" with a single-use magic number. This proves to Thawte that I am really in control of the email account I supplied them.

    Step 4: Request Certificate

      Now that Thawte considers my email address "trusted", I could request, view, and revoke my certificates from Thawte's Certificate Manager page at

      A different X.509 certificate is needed for each email client. The options:

      • Netscape Communicator or Messenger
      • Microsoft Internet Explorer, Outlook and Outlook Express
      • Lotus Notes R5
      • OperaSoftware Browser
      • C2Net SafePassage Web Proxy

      Cryptographic Service Provider

      I had to choose a CSP (Cryptographic Service Provider):
      • Microsoft Base Cryptographic Provider v1.0 (the default)
      • Gemplus GemSAFE Card CSP v1.0
      • Schlumberger Cryptographic Service Provider
      • Microsoft Base DSS Cryptographic Provider
      • Microsoft Exchange Cryptographic Provider v1.0
      • Microsoft RSA SChannel Cryptographic Provider
      • Microsoft Base DSS and Diffie-Hellman Cryptographic Provider

      By US export regulations webpage article U.S. Department of Justice FAQ on Encryption Policy April 24, 1998 the “Base DSS and Diffie-Hellman Cryptographic Provider” and Microsoft Enhanced Cryptographic Provider can only be used in the United States. In the US, export controls on commercial encryption products are administered by the Bureau of Export Administration (BXA) in the U.S. Department of Commerce.

      Next, I clicked OK to this pop-up window:

    Step 5: Install Certificates

      After I clicked OK, an email from Thawte notified me:

      “You need to be running the same browser, on the same machine, logged in as the same user, as you were when you made the request."

      To confirm that the certificate was really installed in MSIE 5, select Tools -> Internet Options... -> Content tab -> Certificates... button.

      Clicking on the "View" button, I notice in the Details section that the Public key is 1024 bits and the thumbprint (hash) algorithm is SHA1another page on this site.

    Step 6: Backup, Export, and Restore PFX file via CER DER

      If (when) my computer (eventually) crashes, I will need to be able to restore the keys. I also want to prevent access to my private key by deleting the .pfx file from the computer's hard disk, and importing the keys to the recovery agent account from a USB thumb drive or diskette I can take away with me.

      Key Export Formats

      But first I must export the certificate to that a removeable media and store it somewhere safe (in my lockbox or on a physically secure stand-alone computer for recovery operations) so that I don't have to go through the hassle of requesting another from the CA (Thawte).

      Different export formats can be specified during drag-and-drop copy (in the MSIE "Advanced Options" window):

      Importing Certificates

      Importing a certificate into my certificate store is easy. (Maybe too easy?) On my Windows machine, I just double click on (or a link to) a .cer file, such as download GlobalSign's root CA certificate for this pop-up to select type of Trust. (When prompted, click "Open this file from its current location", then the "Install Certificate..." button)

      Root CA on Microsoft IE7 browsers include:

    • Secure Server Certification Authority
    • Equifax Secure Global eBusiness CA-1
    • Go Daddy Class 2 Certification Authority
    • Microsoft Authenticode(tm)
    • Network Solutions
    • Starfield Class 2
    • Symantec Root CA
    • Thawte
    • UTN - DataCorp User Trust Network
    • VeriSign Commercial Software Publishers, VeriSign Trust Network,
    • Root CA on Firefox browsers include:

    • America OnLine
    • AOL Time Warner
    • Baltimore
    • beTRUSTed
    • CertPlus
    • DigiCert
    • Digital Signature Trust
    • Earthlink
    • GeoTrust
    • GlobalSign
    • GTE
    • IPS Internet Publishing
    • QuoVadis
    • RSA
    • SECOM
    • VISA
    • Wells Fargo
    • XRamp Security Services
    • Note: Windows 2000 SP2 added several CA root certificates.

        .cer files have MIME type of

      Import the Certificate as a Trusted Certificate from a Java .jar file.

    Step 7: Configure Email Client

      Next, I went into Outlook 2000 client Tools -> Options -> "Security" tab -> Secure email settings.

      Notice that I left the default selections of SHA and DES based on my earlier observations.

      I chose not to sign all my emails. That would seem rather pretentious and a bit too nerdly for internet dating emails.

    Step 8: Send Signed Email to someone

      As a test, I signed a message to my mom's hotmail account. A few days later, I got a call from her. "Part of your message was all scrambled. Did you send me a virus? Are you practicing high-risk activities?"

      "No. Now you can tell whether a email is really from me." I explained.

      "I can always tell it's from you. It's got your name at the top." she said rather impatiently.

      "But what if someone forged my name?"

      "I'll still know because no one is as disrespectful to his mother as you are." ;)

      Anyway, Hotmail and other web-based email cannot accept certificates. A client program such as Microsoft Outlook, Outlook Express, or Eudora is required. Gmail can accept certs.

    Step 9: What Was Your Name Again?

      I noticed on Thawte page that the trust level is marked "Freemail" and the Certificate Distinguished Name (formal notation describing the holder of a particular certificate) contains my email address, not my name. That's because the CA can't confirm whether someone was impersonating me or not.

      So in order for Thawte to really associate my name with the email address, I have to physically present my picture ID's to someone trusted by Thawte.

      Thawte uses a "web of trust" -- a transitive trust based on the reputation of individuals.

      Thawte required that I get at least 2 notaries to verify my ID. I could use two highly trusted notaries or several less trusted ones. Thawte uses a point system based on the number of identities a notary verifies.

    Step 10: Add Another Email

      I also wanted to get a certificate for my work email. Certificates could be issued containing multiple emails, but Thawte provides this caution:
      "many mail clients will only recognize the FIRST email address in the certificate. The best strategy is thus to obtain different certificates for your different email accounts."

    Step 11: Employment and Extranet Membership Verification

      Now I can "graduate" from username/password access control to certificate-based access control on Apache and Netscape. Web applications (such as corporate extranets) must be programmed to look for client certificates. Perhaps by using certificate extensions such as this.

      This would allow single sign-on capability to access several websites with mutual trusts.

      Signing Documents

      tool With an X.509, I could use the PrivaSeal product from or to sign an entire document or paragraphs in a document. Multiple users can sign the same paragraph (to provide non-repudiation of them personally reading it). The product can also maintain an extensive audit log. To validate a document signed by PrivaSeal, double-click on the signature to evoke a green "Valid" or a red "Invalid" notation. A right-button mouse click leads to the signer's digital certificate information for identity verification purposes.

      Organizational Membership

      To access corporate extranets, I need to positively identify myself and obtain a certificate from a Corporate CA.

    Go to Top of this page.
    Previous topic this page
    Next topic this page

    Set screen PKI Data/Work Flow

    Go to Top of this page.
    Previous topic this page
    Next topic this page

    Set screen Root Certificate Authorities

      Clients can trust a CA only if a copy of the CA root certificate is in the trusted root certificate store.

      Import DoD Root Certificates from

      • Class 3 PKI Root CA Certificate.
      • Root CA 2 Certificate.
      • External Certification Authority (ECA) Root CA Certificate.

      These are by default created in the more common PEM (Privacy Enhanced Mail) format or between these two lines:

        -----BEGIN RSA PRIVATE KEY-----
        -----END RSA PRIVATE KEY-----
      Alternately, output in the base64-encoded ASN.1 DER (Distinguished Encoding Rule) format. for compatibility with PKCS#1 RSAPriaveKey or SubjectPublicKeyInfo format.

      NOTE: There is also a NET format for older Netscape and IIS servers which uses unsalted ARC4 for its encryption, which is not secure. So its used is avoided.

      To convert a PEM-format key to a DER-format one within Unix:

        # openssl rsa -in host.key -outform DER -out host.der

      DoD Configuration Firefox3 add-on does all this for you.

      Import DoD Certificate Revocation Lists (in binary form) from

      CA Signature

      In order to establish whether the CA behind a certificate is genuine, a hash of that CA's own Private Key -- the CA Signature -- accompanies the cipher text as part of encrypted envelopes sent.

      CA Signature Hash

    • But before you accept a CA's signature, make sure that it's legitimate by getting the CA fingerprints (hash) from your security administrator (preferrably using a different communication channel than the one you used to obtain the cert) and compare it by clicking "View Cert". Examples in hex and binary formats:
      • SHA1: 135CEC36 F49CB8E9 3B1AB270 CD808846 76CE8F33
        MD5:  A61B375E 390D9C36 54EEBD20 31461F6B
        SHA1: BC:89:78:19:8C:3D:2B:2D:3B:58:5F:0C:A3:A5:86:3C:5C:E3:AE:18
        MD5:  52:A5:D3:C9:19:84:FE:CF:A4:AD:AE:69:33:36:95:6D

      Set screen CA Signature Verification

        The receiver of a CA Signature can verify its authenticity by going to that CA's public website.

        The SignTool utility verify command determines whether the signing certificate was issued by a trusted authority, whether the signing certificate has been revoked, and, optionally, whether the signing certificate is valid for a specific policy.

    Go to Top of this page.
    Previous topic this page
    Next topic this page

    Set screen Certificate Stores

      Microsoft Windows stores each user's certificates in its Windows system registry with Name Blob (REG_BINARY data type) under the keys

        HKEY_CURRENT_USER \Software\Microsoft\SystemCertificates and

          The ROOT store contains certificates of the most trusted certification authorities.
          The CA store contains less frequently used certification authorities.
          The My store contains the CURRENT USER's personal certificates.
          The AddressBook store contains Trusted People and Trusted Publisher (other people's) certificates.

      PKI provides for five standard certificate stores:

      • CA,
      • MY (user's personal certificates),
      • ROOT which store intermediate CA certs,
      • TRUSTS which store CTLs (Certificate Trust Lists) to control which certificates will be accepted; and
      • UserDS - a logical view of the certificate respository in the AD.

      Windows Server by default store certificates provided by CAAuths in folder

      OpenBSD machine by default store SSL private keys in a directory readable only by root:

        /etc/ssl containing public keys should theoretically be world readable (but writeable only by root)


    Go to Top of this page.
    Previous topic this page
    Next topic this page

    Go to top of page PKI (Public Key Infrastructure)

      Passwords are stored in a digital certificate, which is a container for one or more digital signatures -- forms of ID such as a birth certificate, drivers license, or passport -- bound to a public key. Extensible fields in the certificate delineate group memberships and object permissions.

      A digital signature which meets ITU (International Telecommunications Union) Telecommunication Standardization (ITU-T) PKIX X.509 version 3 [RFC 2459] standard is generated based on

      • detailed information about the key holder
      • an expiration date, after which the certificate is expired
      • (with v3), a Compromised Key List (CKL)

      PKI automates the process of verifying whether certificates are valid. It provides the capability to easily publish, manage, and use public keys.

      Digital certificates are usually from, Thawte, or other Certifying Authority (CA) which vouches for the authenticity of their public keys.

      Getting a digital certificate from a trusted CA is like getting a passport, drivers license, or identification card from a governmental entity or some trusted third party (TTP). Like a Notary Public, the CA verifies that you are who you say you are.

      Each CA has its own CA Public Key which is used to determine the CA's own identity.


    Go to Top of this page.
    Previous topic this page
    Next topic this page

    Go to top of page Make a Digital Signature for Code Signing

      Microsoft Office applications such as Excel by default operates in "Medium" setting for Tools -> Macros -> Security. A setting of "Low" trusts all macros and add-ins, which is not recommended but useful during initial development of macros.

      In shared production usage of a macro, scripts should be signed. We don't want anyone getting access to the scripts and altering them, so the execution policy is set to Allsigned so that whenever a signed script is changed it will not be allowed to be executed until it is signed again.

      An authenticode is a digital signature that verify software origin, authenticity, and integrity for "code signing".

      To digitally sign Excel macros (to keep them from triggering security messages), Microsoft provides its

    • SignTool.exe is used for the .NET platform (with CAPICOM 2.0 redistributable installed on the local computer).
      1. From Start -> Run -> type CMD and click OK to open a command prompt
      2. Change directory to the \bin folder where signtool.exe is located.
      3. Run SIGNTOOL signwizard
      4. Click Next when the wizard appears.
      5. Browse to find the file you would like to digitally sign and click Next.
      6. Click Typical > Next for use of PFX files (selected from the certificate store) for Vista/Windows 2008
        Click Custom > Next for use of SPC/PVK files with SHA1 for Windows 2003/2000/XP

      7. Optionally, enter a description of your file and a web site address where more information can be located, then click Next.
      8. Select "Add a timestamp to the data"
      9. On the Timestamp Service URL field enter
        (Note: "timstamp.dll" does not contain the letter "e")
      10. Click Next
      11. Click Finish after verifying that all of the information is correct.
      12. Test Your Signature: At the command prompt,
      13. Enter the directory where signtool exists
      14. Run signtool verify /pa /v <your-file-name>

      makecert.exe, Microsoft's Certificate Creation Tool (invoked from Windows console command utility) should be used to code sign executable files larger than 300 megabytes. This is according to KB 922225.

      To use Makecert to create a self-signed certificate for development:

       makecert -r -pe -n "CN=Wilson Mar" -eku -ss My

        Version Bytes Location
        - 34,576
        - 39,936
        (VS 2008) 42,256 C:\Program Files\Microsoft Visual Studio 9.0\SmartDevices\SDK\SDKTools
        (.NET 3.5) 57,704 C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin
        -r = Create a self-signed certificate.
        • A self-signed certificate is a public key that has been signed by its own private key.
        • Self-signed certs are only recognized on the machine on which it was created.

        -pe = Mark generated private key as exportable
        • The -pe option is supported since .NET Framework SDK 2.0 and the October 2002 version of the Platform SDK (build 3718.1). It is not supported by older versions such as the 5.131 version distributed with .NET Framework SDKs 1.0 and 1.1.

        -n "CN=Wilson Mar" = Issuer's certificate common name
        -eku = enhanced key usage OIDs that enable programs to determine whether a certificate is valid for a particular use. The set of numbers here is for a self-signed cert.
        -ss My = The MY Certificate Store

      The example above assumes these defaults:

        -b = Start of the [NotBefore] validity period; default to now.
        -e 01/01/2039 = End of [NotAfter] validity period; defaults to 2039
        -a <algorithm> = The signature algorithm <md5|sha1> defaults to 'md5'

      Set screen Self-Sign Unix Using openssl

      On Unix platforms, self-signing can be accomplished by using a command such as:

      # openssl x509 -req -days 365         -in /etc/ssl/private/host.csr \
        -signkey /etc/ssl/private/host.key -out /etc/ssl/host.crt

      x509 is the type of output (a signed X.509 public-key certificate)
      -days 365 specifies the number of days the cert is valid.
      -in is the certificate request csr file.
      -signkey specifies self-signing using the server's own private key as the signing (RSA) key in place of the production CA's private key.
      -out is the signed X.509 public-key certificate crt file.

      Set screen Using Certs on Windows

      Either way, to start Excel and open the Excel workbook that contains a VBA macro. Press Alt-F11 or click menu item "Tools" -> "Macro" -> "Visual Basic Editor".

      In the Project Explorer window (by default on the upper right), select the VBA macro project that you want to digitally sign.

      In the VBA menu bar, open menu item "Tools" --> "Digital Signature"

      Simply select your own certificate and sign your macro.

      Close Excel. When Excel opens again, choose "Always trust this publisher".

      To export your certificate from your first computer and import it onto each of the other computers. Save the file to your other computers (email it maybe). Then on the other computers, go to the control panel, same location, and select "Import certificate".

    Go to Top of this page.
    Previous topic this page
    Next topic this page

    Set screen Web Client Certificates

      On Firfox browsers, select menu Tools > Options > Advanced > Encryption tab > View Certificates. On IE7 browsers, select menu Tools > Internet Options > Content tab > Certificates.

    Go to Top of this page.
    Previous topic this page
    Next topic this page

    Set screen SSL Server Certificates

    Go to Top of this page.
    Previous topic this page
    Next topic this page

    Set screen IIS Certificates

    • Only Commercial CAs are known by internet browsersanother page on this site Browsers who encounter an Enterprise CA would require user acceptance.
    • Do this! To create or change a Certificate Trust List:

      1. Log on to a Web server with Administrator Privileges.
      2. In the Internet Information Services snap-in, open the Web site's Properties sheet.
      3. On the Directory Security property sheet, under Secure Communications, click Edit.
      4. In the Secure Communications dialog box, select the CTL you want to modify and click Edit. The CTL Wizard will begin and guide you through the process of modifying a CTL.

        tool Alternately, use MakeCTL (from the Windows Platform SDK CryptoAPI Tools).

      Set screen Hierarchy of Certificates on Microsoft Certificate Service CAAuth

      Subbordinate CAs are under (certified by) root CAs or another subordinate CA.

      • Self-signed Enterprise root CAAuth (at the top) issues certs for smart cards. Enterprise root CAs use (require) Active Directory servicesanother page on this site because they request identification from requestors and then publish their certificates (and CRLs) in the Active Directory.
      • Enterprise Subbordinate Intermediate CAAuth (in the middle of the hierarchy do not issue certs to users)
      • Enterprise Subbordinate Issuing CAAuth
      • Stand-alone CAAuth issue certs to other organizations (perhaps over the Internet). They don't require Active Directoryanother page on this site because stand-alone CAs publish their certificates and CRLs to folder
        By default, Administrators have to approve all requests.

      Set screen Request Certificate from Microsoft IIS

      My annotations on generating a PKCS #10 compliant Certificate Request File Using the Certificate Wizard in IIS 5.0:

      1. Select the Internet Information Services console from within the Administrative Tools menu.
      2. Expand the list and right mouse-click to select Properties for the computer and web site (host) to be secured (such as "Default Web Site").
      3. Click the Directory Security tab.
      4. Click the "Server Certificate..." button in the "Secure Communications" section.
      5. Click Next to "Welcome to the Web Server Certificate Wizard".
      6. Select "Create a new certificate", then click Next.
      7. Click Next to select "Prepare the request now, but send it later"
      8. At the "Name and Security Settings" screen, change the default [friendly] name field for the new certificate. When selecting bit length, 1024 is recommended. Click Next. Reminder Do not use commas or these characters: < > ~ ! @ # $ % ^ * / \ ( ) ? &.
      9. At "Your Site's Common Name", replace the default NETBIOS machine name with a fully qualified domain name. For example, ""
      10. In the "State/province" field, avoid using abbreviations (such as AZ for Arizona) because some CAs don't recognize them.
      11. Enter your Administrator contact information.
      12. Change the default output file path and name from "c:\certreq.txt" holding the CSR. This file (the CSR) essentially public key and the distinguished name (DN) of your Web server.
      13. At the "Request File Summary" screen, remember that you can't make changes, only resubmit (and pay for another cert).
      14. At the "Completing the Web Server" screen, select Finish. The "Click here" sends you to Microsoft's Security home page maze which you're left on your own to navigate to Microsoft "Secure Network Connectivity" pages.
        To use Microsoft's ActiveX Xenroll.dll on Microsoft browsers to automate certificate generation and digital certificate status validation in real time, you need to first download and run the August 28, 2002 (Q323172) patch for the "Microsoft Certificate Enrollment CAB".

      15. If you are applying as a company, have your company's Dun & Bradstreet identification number, which is used to trace the identity of actual corporations. Most CAs also request a copy of the company's Articles of Incorporation submitted with a letter on company letterhead.

      Certificate requests can also be created and installed using Microsoft's

    • Certreq.exe command-line utility in Windows/syste32. Different versions for Windows 2000 & Windows XP & 2003).
      The version in Windows 2003 is 123,904 bytes.
      The version in Vista 32 is 215,040 bytes.
      The version in C:\Windows\winsxs\x86_microsoft-windows-certificaterequesttool_31bf3856ad364e35_6.0.6001.18000_none_6810938417684464 is 215,040 bytes.

      Installing a New Certificate with Certificate Wizard for Use in SSL/TLS

      MS article

      Set screen Certificate Administration

      To view all CA names in the Windows 2000 Active Directory:

        cerutil.exe -v -ds

      To enable revocation-checking through web browsers executing .Asp tasks, go to a CLI command prompt on the CA and use this:

        certutil -SetReg Policy\RevocationType +AspEnable

      tool Windows 200x uses xenroll.dll for certificate enrollment.

      CA enrollment uses transport-independent message formats that support PKCS (Public Key Cryptographic Standards):

      1. CA accepts PCKS #10 request package
      2. CA issues a X.509v3 certificate (signed public key) in a PKCS #7 digital envelope
      3. An exported certificate and key pair is encrypted as a PKCS #12 blob in a .pfx file, which is supported by Vista and Win2008.

      Legal information about certificates from a CA is described in that CA's Issuer Policy statement.
      Windows servers store them in a CAPolicy.inf file.

      In Windows 200x, Kerberos is the default SSP and SNEGO (IETF's Security Negotiation Mechanism) for GSS-API [RFC 2478] extend SSP interoperability. SSPI uses the Negotiate SSP to match security levels within a security provider exchange.

      Windows 200x uses Active Directory to map information about users to digital certificates based on X.500.

      Updating CA root cert on IBM Workplace Collaboration Services makes use of keytool.


    Go to Top of this page.
    Previous topic this page
    Next topic this page

    Set screen Server Gated Cryptography Protocol

      To enable any browser to (without local configuration) use 128-bit encryption, use the SGC protocol, which is an extension of SSL. So, to enable SGC on a web server, the Schannel.dll file on IIS5 needs to be updated.

      SGC certificates are obtained only from a commercial CA (such as Verisign), not from an Enterprise CA or stand-alone CA.

      After the SGC certificate has been installed, select the IIS 5.0 SSL “Secure Communications” dialog box.

    Go to Top of this page.
    Previous topic this page
    Next topic this page

    Set screen Limitations and Extensions

      To request a certificate using a command line utility:


      Certificate Traceability

      A certificate is only as good as the Certificate Authority behind it. A certificate could be issued by a rogue Certificate Authority (e.g.,

      Certificate Expiration and Revocation

      The life expectancy of the certificate issued to a Windows 2000 machine is stored in its registry key
        HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ CertSvc\ Configuration\ MAIN

      Recipients of signed documents should check if the certificate has been revoked by its CA after issuance. This could occur if a certificate was found to have been issued to an imposter. This has occured even with certificates issued to Microsoft.

      To revoke a certificate use the Certification Authority console GUI or a command line utility specify the serial number:

        certutil -revoke 06E472BA000000000023

      To prevent the CA certificate from expiring, you must manually renew the certificate. Stop the Certificate Services service. Enter the Certification Authority console and select the Renew CA Certificate option.

      Additional Decryption Keys (ADKs)

      Pressure from government bodies led to the creation of Additional Decryption Keys (ADKs), which are added to the public key certificate and allow a third party to also decrypt emails that were encrypted by the public key. If a user agrees to an ADK being added to his public key, it is placed within the secure area of the certificate.

    Go to Top of this page.
    Previous topic this page
    Next topic this page

    Set screen SSL Coprocessors

      A server accelerator card is also known as an SSL card because it is used to generate encryption keys for secure transactions on e-commerce Web sites.

      webpage article Microsoft TechNet article: Helping to Secure Communication: Client to Front-End Server

      When a secure transaction is initiated, the Web site's server sends its certificate, which has been provided by a certifying authority, to the client machine to verify the Web site's authenticity. After this exchange, a secret key is used to encrypt all data transferred between sender and receiver so that all personal and credit card information is protected. This process can severely overload a server resulting in fewer transactions processed per second, which means fewer sales. The server accelerator card takes over this process, thus reducing the load on the server. Server accelerator cards support a number of security protocols including Secure Sockets Layer (SSL) and Secure Electronic Transaction (set).

      The server accelerator card is installed into a (PCI) slot of a server. A software driver is loaded, and the server is ready to receive orders. This is much easier and more cost-effective than buying additional servers. Additional cards can be installed as the server's secure transactions increase.

      VeriSign charges for a Licensed Certificate Option when a certificate is shared.

      SSL acceleration appliances are external units that have server accelerator cards installed inside them. The unit is then plugged into the server. When a secure transaction is detected, the transaction is routed to the SSL acceleration unit for processing. SSL accelerator appliances can be added together as needed by clustering them together.

      On Sun Solaris 8 machines, Sun offers its Crypto Accelerator 500 Daughterboard, the Crypto Crypto Accelerator 1000 PCI board, and Crypto Accelerator 4000 Board.

      tool The F5 Networks offers its Big-IP FIPS SSL Accelerator.

      Check Point's VPN-1 Accelerator Card III delivers over 400 Mbps 3DES VPN throughput.

      The QuickSafe SSL Accelerator from Cryptographic Appliances outscales any dedicated SSL accelerator on the market with (1024 bit) SSL operations a second. Their appliance is situated behind web servers (and thus less open to attacks). This allows the maintainance of a session cache (for "true" load balancing) and only a single certificate rather than distributing certificate keys on multiple encryption devices.

      tool The HP/Atalla AXL600L SSL Accelerator Card is only for HP's Proliant servers run by Windows or Linux. This 33-MHz 32-bit device incorporates a dual voltage signal bus.

      tool The nCipher's nFast accelerater card

      The CacheFlow card caches what flows through it — a speed-enhancing feature other products do not offer.

      The Alteon Switch Alteon iSD-SSL Accelerator.

      AEP Systems

      SonicWALL SSL Accelerator PCI Card

    Go to Top of this page.
    Previous topic this page
    Next topic this page

    Set screen Microsoft Server Database Certs

      -- 1. (done one time) is:

      USE Northwind;
      ALTER TABLE Orders ADD cc_enc nvarchar(40); -- to hold encrypted credit card key.
      ALTER TABLE Orders ADD decrypted_cc nvarchar(40); -- to hold decrypted credit card numbers.
      ALTER TABLE Orders ADD cc nvarchar(40); -- to hold actual credit card number

      -- 2. (done one time) To create a symmetric (open) key (symm_1) -- in MS-SQL's sys.openkeys system table.

      SELECT * FROM sys.openkeys
      	UPDATE Orders
      	SET cc_enc = ENCRYPTBYKEY(cc_enc)) as decrypted_cc;
      SELECT *,
      	CONVERT( nvarchar, DECRYPTBYKEY(cc_enc)) as decrypted_cc
      	FROM Orders;
      SELECT * FROM Orders -- to verify

      -- 3. (done one time) To create an asymmetric_keys pair to encrypt the symmetric key -- in MS-SQL's asymmetric_keys system table.

      CREATE ASYMMETRIC KEY asymn_2 WITH ALGORITHM=RAS_1024 -- or RSA_512, RSA_2048
      SELECT * FROM sys.asymmetric_keys;
      CREATE  SYMMETRIC KEY symm_2  
      SELECT * FROM sys.symmetric_keys
      SELECT * FROM Orders; -- to verify

      -- 4. When updating with asymmetric key with one-way password:

      UPDATE Orders -- do one or the other SET:
      	-- SET cc_enc = NULL -- to clear
      	SET cc_enc = ENCRYPTSYSKEY(KEY_GUID('asymn_1'),cc)
      SELECT * FROM Orders; -- to verify

      -- 5. When starting to read symmetric key:

      SELECT * FROM sys.openkeys;

      -- 6. When reading:

      UPDATE Orders
      SET cc_enc = ENCRYPTBYKEY(cc_enc)) as decrypted_cc;

      -- 7. When done with the:


      -- 8. To verify whether sys.openkeys and sys.asymmetric_keys were properly closed:


      -- 9. To create digital certificates "cert_1" in sys.certificates system table:

      SELECT * FROM sys.certificates; -- before picture
      	ENCRYPTION BY PASSWORD = 'P@ssword123'
      	WITH SUBJECT = 'ms sql server certificate test', -- remember the comma here!
      	EXPIRY_DATE = '12/31/2011' -- or one year is default.
      -- OR 
      -- CREATE cert_1 FROM FILE='' -- from VeriSign, Thawte, etc.
      SELECT * FROM sys.certificates; -- after picture

      -- 10. To use certificate during update:

      SELECT * FROM Orders WHERE EmployeeID=5; -- before
      UPDATE Orders
      	SET cc_enc = NULL;
      UPDATE Orders
      	SET cc_enc = ENCRYPTBYCERT( CERT_ID('cert_1',cc) );
      SELECT *,
      	CONVERT( nvarchar, DECRYPTBYCERT(CERT_ID('cert_1',cc_enc,N'P@ssword123')) as decrypted_cc
      	FROM Orders;
      SELECT * FROM Orders WHERE EmployeeID=5; -- after

      -- 9. To re-open, then remove keys in sys.openkeys and sys.asymmetric_keys:

      SELECT * FROM sys.certificates

    Go to Top of this page.
    Previous topic this page
    Next topic this page

    Set screen KeyTool for Key Stores

      The keystore is created one time using a command such as:

        keytool -genkey -keystore keystorename -storepass keystorepassword

      To display the complete contents of the keystore, use the command:

        keytool -list -keystore keystorename

      Private certificates are imported into the keystore using this command:

        keytool -alias aliasforprivatekey
        -import -file privatekeyfile.pem -keypass privatekeypassword
        -keystore keystorename -storepass keystorepassword

      CA Certificates are imported into the keystore using this command:

        keytool -alias aliasfortrustedca -trustcacerts
        -import -file privatekeyfile.pem -keypass privatekeypassword
        -keystore keystorename -storepass keystorepassword


    Go to Top of this page.
    Previous topic this page
    Next topic this page

    Related Topics:

  • Emails
  • Security Vulnerabilities
  • Countermeasures
  • Cryptography

  • Go to Top of this page.
    Previous topic this page
    Next topic this page

    Portions ©Copyright 1996-2014 Wilson Mar. All rights reserved. | Privacy Policy |

    How I may help

    Send a message with your email client program

    Your rating of this page:
    Low High

    Your first name:

    Your family name:

    Your location (city, country):

    Your Email address: 

      Top of Page Go to top of page

    Thank you!