
Manual

CA MANAGEMENT
Version 2.0

SECUDE Sicherheitstechnologie Informationssysteme GmbH
Landwehrstraße 50a
D-64293 Darmstadt
World Wide Web: http://www.secude.com
Support: camanagement@secude.com

Copyright SECUDE GmbH 1997-1999
SECUDE Library Version 5.2
CA MANAGEMENT Version 2.0.12
Version 2.0 / Spring 1999

Version 2.0

SECUDE CA MANAGEMENT

Contents

1 INTRODUCTION .... 2
1.1 Functions of a CA .... 2
1.2 Personal Security Environment (PSE) .... 3
1.3 Issue Certificates for Users .... 4
1.4 Security Guidelines for Operating a CA .... 6
1.5 Distinguished Names .... 6
1.6 Passwords .... 7

2 CA MANAGEMENT INSTALLATION .... 9
2.1 Prepare the Installation .... 9
2.2 How to install CA MANAGEMENT .... 10
2.2.1 Installation via Internet .... 10
2.2.2 Installation from CD ROM or Network .... 10
2.3 Aborting the installation .... 15

3 ORGANISATION OF A SECURITY INFRASTRUCTURE .... 16
3.1 Basic Information on the Organisation of a Security Infrastructure .... 16
3.2 Create a Root Authority .... 18
3.2.1 Create a CA-PSE as a File .... 19
3.2.2 Creating a Smartcard CA-PSE .... 27
3.2.3 Create a Cryptoboard based CA-PSE .... 30
3.3 Create a Subordinate CA .... 32

4 OPTIONS .... 34
4.1 User-specific Settings .... 34
4.1.1 Program Options .... 34
4.1.2 SECUDE .... 36
4.1.3 X.500 .... 38
4.1.4 Warning Periods .... 38
4.2 CA-specific Options .... 39
4.2.1 Issuer .... 39
4.2.2 PSE Options .... 40
4.2.3 User Options .... 42
4.2.4 Sphinx Pilot .... 43

5 MANAGEMENT OF THE CA .... 44
5.1 CA MANAGEMENT Overview .... 44
5.2 The Tool Bar .... 45
5.3 The Menu Bar .... 46
5.3.1 File .... 47
5.3.2 View .... 48
5.3.3 CA-PSE .... 49
5.3.4 User .... 57
5.3.5 Extras .... 61
5.3.6 Smartcard .... 65
5.3.7 Window .... 67
5.3.8 Help (?) .... 67

6 MANAGEMENT OF USER DATA .... 69
6.1 User List and User Form .... 69
6.1.1 User List .... 69
6.1.2 User Form .... 70
6.2 Process User Entries .... 73
6.2.1 Register a New User .... 73
6.2.2 Enter PSE Data .... 73
6.2.3 Register Certificate .... 75
6.2.4 Create Further PSEs for Same User .... 76
6.2.5 Delete a User Entry .... 76
6.2.6 Delete a PSE Data Set .... 76
6.2.7 Delete a Certificate Data Set .... 76
6.3 Create User PSEs .... 76
6.3.1 Create Individual PSEs .... 77
6.3.2 Create Several PSEs .... 77
6.4 Certification of Incoming Prototype Certificates .... 78
6.5 Write Again User PSE .... 79
6.6 Subsequent Inclusion of an Existing PSE in a Smartcard .... 79

7 REVOCATION LIST MANAGEMENT .... 81
7.1 List Area .... 81
7.2 Information on the Digital Signature .... 82
7.3 Buttons .... 82
7.3.1 Add .... 82
7.3.2 Sign .... 83
7.3.3 Verify .... 83
7.3.4 Save in PSE .... 83
7.3.5 Save in PEM File .... 83
7.3.6 Save in Directory .... 83
7.3.7 Save in ldif File .... 84

8 IMPORT AND EXPORT OF USER DATA .... 85
8.1 Import of SAP R/3 User Data .... 85
8.2 Import of SECUDE Data .... 86
8.3 Inform of Transport Password: Export to Microsoft Word Form Letter .... 87

9 GLOSSARY .... 88
10 FIGURES AND TABLES .... 90
11 BIBLIOGRAPHY .... 92
12 APPENDIX .... 93
12.1 Fields in the User Form .... 93
12.2 Data Base Specification CA.MDB .... 95

Preliminary Remarks
Target Group
System administrators.

Preview
Chapter 1 gives an overview of the tasks of a certification authority (CA). It describes the theoretical principles of key distribution and the security guidelines for operating a CA. Chapter 2 describes the installation. The installation program requests all user entries and guides the user through the installation. Chapters 3 to 8 explain how to use SECUDE CA MANAGEMENT. The organisation of a security infrastructure, the program options, the management of a CA-PSE, and user management are discussed. Key generation and import of external data are explained. Chapter 9 contains a glossary of the most important terminology, Chapter 10 the list of illustrations and the list of tables, Chapter 11 the bibliography. The Appendix is contained in Chapter 12. For quick information on the individual topics the chapters can be read separately. Cross-references to related topics are provided.

Copyright
Cryptoflex is a registered trademark of Schlumberger Industries.
Microsoft is a registered trademark of Microsoft Corporation.
R/3 is a registered trademark of SAP AG, Walldorf.
SECUDE is a registered trademark of GMD German National Research Center for Information Technology.
TCOS is a registered trademark of Deutsche Telekom AG.


1 Introduction
A certification authority (CA) has the task of issuing certificates for users, i.e. of making a connection between the user and his public key. This is achieved by means of the so-called digital signature. The CA signs with a digital signature a data package consisting of the user's public key, a serial number issued by the CA, a period of validity, and the user's name. The combination of this data package and the CA's signature is called the certificate.

1.1 Functions of a CA
Operating a CA demands a number of organisational steps which at this point will not be further detailed. The following gives a short description of the technical resources that are required to run a CA.

Generate CA keys
For certification operations a CA needs its own asymmetric key pair. SECUDE deposits this key pair in a CA-PSE, which is protected by a password, the same as with a user's PSE. The CA key pair demands special protection. The CA's asymmetric keys should be at least 1024 bits long. Depending on the intended validity period longer keys should be used. SECUDE in the present version supports key lengths between 512 and 2048 bits. An RSA key with less than 512 bits is not advisable, as the probability of it being cracked within a short time (several hours) is very high. The renewal of a CA key involves considerable time and money. As all parties in the security infrastructure require the CA's key to be stored in their PSEs to check other certificates, a new CA key must be supplied to them all, and all the parties' certificates must be re-issued and distributed. It is therefore recommended that the CA key be given a long period of validity (e.g. 5 or 6 years) and that it be given protection by using a lengthy key (1536 bits usually).

Certify users
The function of the CA is to issue certificates for the participants of the security infrastructure. All partners in the communication to be safeguarded (not only persons, but also, for example, printers and application servers) have to be included. When issuing a certificate the CA ties a user's name to his public key. This is achieved with the digital signature of the CA under the user's certificate. This means that the CA guarantees that the name and public key in the certificate belong to one and the same person. The CA has two ways of issuing a certificate. In the first, the user generates his own key pair and gives the public key, as a so-called prototype certificate, to the CA for certification. In this case the CA must ensure that the name in the prototype certificate is correctly assigned before a signature is given, i.e. before the certificate is issued. This may require that the person legitimizes himself with a national or company ID. Checking the name by phone or e-mail is not sufficient. The advantage of this version is that only the user is in possession of his private key and third parties are excluded. The user must now, however, take very good care of his private key so that, should a PSE be lost, it can be re-created. In the second, the CA generates the key pair for the user. With SECUDE this means that a complete PSE is created for the user. When the PSEs are handed over to the users, the CA is obliged to ensure that each PSE goes to the correct user. SECUDE's CA MANAGEMENT safeguards the newly issued PSEs with a transport password. The user is informed of the password by separate means.

Maintain revocation lists


The CA keeps a list of compromised certificates issued by the CA. This list, the revocation list, has to be maintained by the CA. A compromised certificate must remain on the revocation list until its expiry date. With SECUDE for SAP R/3 the updated revocation list must be put at the disposal of the application servers at regular intervals. Only in this way can abuse by attackers who obtain unauthorised possession of others' certificates and their private keys be prevented.

1.2 Personal Security Environment (PSE)


In SECUDE security relevant information is stored in the PSE. This is nothing more than a secure memory. All the participants in the security infrastructure have their own PSE. All information required to participate in the security infrastructure is stored in it.

Figure 1: Elements of a PSE (the figure shows the public root key, a forward certification path made up of names and signatures ending at the owner, Smith, the owner's signature certificate and private key, and the certificate revocation lists)

SECUDE offers the options either to store the PSE on a smartcard or as an encrypted file on the hard disk of the computer. According to the version of the PSE (file or smartcard) it is more or less difficult to get possession of these sensitive data. With a file PSE it may even happen that the legitimate owner does not notice the loss. An attacker who manages to spy out the password and copy the file PSE has all necessary information at his fingertips. This is different when the PSE is on a smartcard. The loss of the card would normally be noticed by the owner very quickly (not when he is on holiday or in similar cases). However, special terminals are required for smartcards. Should a user notice that someone else has found out his file PSE password, the security administrator must be informed. The latter must decide whether a new PSE should be created or whether changing the password is sufficient. If it is suspected, even without conclusive evidence, that the PSE password is known to third parties, the PSEs should, to be on the safe side, be changed. With smartcards only the card password need be changed.

1.3 Issue Certificates for Users


There are two methods of generating key pairs. With the first method, the CA generates key pairs for the users. With the second, the user generates the key pair himself and has his public key, or rather the prototype certificate, certified by the relevant CA. Both methods have their pros and cons.

CA creates PSE
When the CA generates the keys it is possible to leave either the certificate (i.e. the certified public key), or the whole PSE (i.e. the certified public key plus the private key), in the CA's safekeeping. If the user needs his PSE again in the future, for whatsoever reason, he can have it handed out by the CA. This, however, has as a prerequisite a relationship of trust between the infrastructure participants and the CA, as the private key is also in the hands of the CA. When the CA creates the PSEs for the users of the security infrastructure, the user is not responsible for any security measures. A further advantage of this procedure is its simplicity. The CA can create the PSE in a single run. It generates the key pair and certifies the public key. SECUDE CA MANAGEMENT generates a random password for the transport and encrypts the PSE with it. The user is informed of the password by separate means.
Figure 2: CA creates PSE (steps between the Security Administrator and the User: 1. Generation of PSE; 2. PSE storage (encrypted) in the PSE memory; 3. Information of password (offline); 4. Installation of PSE and change of password)

In this way the CA ensures that only the user and the security administrator know the transport password.

User creates PSE


If the user generates his key pair and PSE himself, it is advisable that he keeps a copy of the PSE in a secure place, e.g. a safe, in case, should it be lost, for example in a disk crash, he needs it again. Otherwise he has to generate a new key pair and have the public key again certified by the CA.

Figure 3: User creates PSE (steps between the User and the Security Administrator: 1. Generate PSE; 2. Prototype certificate to the CA; 3. Certify user's prototype certificate; 4. Certificate to user; 5. Insert certificate into PSE)

This procedure gives the user the certainty that nobody else is in possession of his private key. The user himself must take care of jobs such as making a backup copy of his PSE. The transport of the prototype certificate from the user to the CA and the return of the certificate must also be dealt with. The user has then also to update the PSE with the certificate from the CA. The advantage of this procedure is that the information transmitted, such as the prototype certificate and the certificate, is not security sensitive. All information transported is public anyway. The CA must only make sure that the prototype certificate actually belongs to the user. All sensitive data such as the password of the PSE or the private key remain with the user.

1.4 Security Guidelines for Operating a CA


A CA is comparable to a passport office. Should an unauthorised person get the opportunity to issue documents, big trouble can result. As the security relevant information with which a CA deals is in electronic form precautions must be taken to prevent its being compromised. The computer with which the CA operates should be in a safe environment. This can be a room or workplace to which only authorised persons have access. The computer should not be linked with a network. Access to this computer should be arranged so that only authorised and trained personnel can work with it. The personnel in charge of the CA must also maintain the necessary precautions. Backup copies of the CA may and should be made. They should be kept in a secure place, e.g. a safe.

1.5 Distinguished Names


When operating a security infrastructure the participants are identified by so-called Distinguished Names, abbreviated DN. This is a naming scheme in which persons are unambiguously named world-wide. DNs are defined in the standard ISO / ITU X.500. The certifying authority and its users need such unambiguous names. A Distinguished Name can be composed of several components. The following table gives an overview of the name components supported by SECUDE.
Abbreviation   Meaning
BC             Business Category
C              Country
CN             Common Name
D              Description
L              Location
O              Organisation
OU             Organisational Unit
S              Surname
SN             Serial Number
SP             State or Province
ST             Street Address
T              Title

Table 1: Categories of Distinguished Names

The most widely used name components are in bold print. A Distinguished Name is made up of a combination of the above abbreviations and corresponding values.
Examples of Distinguished Names:
CN=Bill Bo, OU=R3Administration, O=SECUDE GmbH, L=Darmstadt, C=DE
CN=Bill Bo, O=SECUDE GmbH, C=DE
O=SECUDE GmbH, C=DE

It is not necessary to use every name component in the name. What is important is the order of the components. First should come, if existent, the common name, then organisational unit, then organisation, location, and finally country. It is advisable to use a short, unambiguous name for a CA. A CA certifies the public key of a user's asymmetric key pair. It is standard procedure that with the certification the user's certificates receive the name of the CA as a suffix to their name. The second and third lines of the above example show how the name of a CA and one of its users can be composed: the participant Bill Bo has the name of the CA integrated i.e. O = SECUDE GmbH, C = DE.
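The following added example (not part of the SECUDE manual or its software) makes the DN conventions of this section checkable: it parses a DN into the components of Table 1, warns when the recommended order CN, OU, O, L, C is violated, and tests whether a user's DN carries the CA's DN as a suffix. The component dictionary, the order list and the function names are this example's own choices.

```python
# Added example (not part of the SECUDE manual): a checker for the
# Distinguished Name conventions of section 1.5. It knows the component
# abbreviations of Table 1, warns when the recommended order
# (CN, OU, O, L, C) is violated, and tests whether a user's DN carries the
# CA's DN as a suffix, as the manual says certified names do.
from typing import List, Tuple

# Name components supported by SECUDE (Table 1 of the manual).
COMPONENTS = {
    "BC": "Business Category", "C": "Country", "CN": "Common Name",
    "D": "Description", "L": "Location", "O": "Organisation",
    "OU": "Organisational Unit", "S": "Surname", "SN": "Serial Number",
    "SP": "State or Province", "ST": "Street Address", "T": "Title",
}

# Recommended order of the most common components, most specific first.
ORDER = ["CN", "OU", "O", "L", "C"]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'CN=Bill Bo, O=SECUDE GmbH, C=DE' into [(abbr, value), ...].

    Commas separate components, so a comma inside a value is not supported
    by this simple splitter. Values keep their inner blanks, because the
    manual warns that every character of a DN matters for later operations.
    """
    parts = []
    for item in dn.split(","):
        item = item.strip()
        if "=" not in item:
            raise ValueError("malformed DN component: %r" % item)
        abbr, value = item.split("=", 1)
        abbr, value = abbr.strip().upper(), value.strip()
        if abbr not in COMPONENTS:
            raise ValueError("unsupported name component: %r" % abbr)
        if not value:
            raise ValueError("empty value for component %s" % abbr)
        parts.append((abbr, value))
    return parts


def check_order(parts: List[Tuple[str, str]]) -> List[str]:
    """Warn about components that appear out of the CN, OU, O, L, C order.

    Components outside that list (e.g. T or SN) are ignored.
    """
    warnings = []
    ranks = [ORDER.index(abbr) for abbr, _ in parts if abbr in ORDER]
    for prev, cur in zip(ranks, ranks[1:]):
        if cur < prev:
            warnings.append("%s should precede %s" % (ORDER[cur], ORDER[prev]))
    return warnings


def is_issued_by(user_dn: str, ca_dn: str) -> bool:
    """True if the user's DN is the CA's DN with further components in front,
    i.e. the CA's name is integrated into the user's name as a suffix."""
    user, ca = parse_dn(user_dn), parse_dn(ca_dn)
    return len(user) > len(ca) and user[-len(ca):] == ca


if __name__ == "__main__":
    ca = "O=SECUDE GmbH, C=DE"
    for dn in ["CN=Bill Bo, O=SECUDE GmbH, C=DE",
               "CN=Bill Bo, OU=R3Administration, O=SECUDE GmbH, L=Darmstadt, C=DE",
               "C=DE, O=SECUDE GmbH, CN=Bill Bo"]:
        parts = parse_dn(dn)
        print(dn, "->", [COMPONENTS[a] for a, _ in parts],
              "| order warnings:", check_order(parts),
              "| issued by %s: %s" % (ca, is_issued_by(dn, ca)))
```

Note that the first example DN of the manual, which places L=Darmstadt between O and C, is not a name issued by the CA O=SECUDE GmbH, C=DE under the suffix rule, while it is one under L=Darmstadt, C=DE.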

1.6 Passwords
A PSE password is comparable in its function to the PIN of an EC card. It is required for logging on and to allow other programs access to the PSE. It protects the PSE from unauthorized use by third parties. The password should be known only to the owner of the PSE. It should be made up of a combination of letters (upper and lower case), special characters (blanks may also be used) and numerals. The length of the password may be up to 50 places, the exception being that smartcards allow only a password length of eight places. To help users choose their passwords with care the CA can stipulate Password Rules which the users are obliged to observe. In any case, special care should be taken when choosing passwords. It is advisable not to use any common names or terms and nothing that is in any way personally related to the owner of the PSE (e.g. phone no., birthdates of family members, etc.).
Examples of poor passwords are: Bill, clinton, 1234, test, ...
Examples of good passwords are: EbTiN97!, ?d1X3h:Ijk5, ...

It is very difficult to remember a password like ?d1X3h:Ijk5, even AbDiN97! is not much easier. It is, however, easy enough, when behind the apparent random series of letters and numerals, a sentence is hidden, whose first letters are used, e.g. A blue day in November 97! With a memory jogger like this and a minimum length of 6 places the password is reasonably safe.
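As an added example (not the manual's own code, and not the Password Rules feature of CA MANAGEMENT), the following encodes the guidelines of this section as a check: length limits of 50 places for a file PSE and eight for a smartcard, the four character classes, the minimum of six places, and a constructed list of owner-related terms; it also tests whether a candidate is the initial-letter form of a memory jogger sentence. The constants and function names are this example's own.

```python
# Added example (not the manual's own code): a checker for the password
# guidelines of section 1.6, and a check that a candidate password is the
# "memory jogger" form the text describes, i.e. the initial letters of a
# sentence such as "A blue day in November 97!" giving "AbDiN97!".
import string

MAX_LEN_FILE_PSE = 50   # a PSE password may have up to 50 places
MAX_LEN_SMARTCARD = 8   # smartcards allow only eight places
MIN_LEN = 6             # minimum the text calls reasonably safe with a memory jogger


def check_password(pw, smartcard=False, personal_terms=()):
    """Return the list of guideline violations; an empty list means acceptable.

    personal_terms is a constructed list of words related to the PSE owner
    (name, phone number, family birthdates) that must not occur in the
    password; in practice the CA's Password Rules would supply them.
    """
    problems = []
    limit = MAX_LEN_SMARTCARD if smartcard else MAX_LEN_FILE_PSE
    if len(pw) < MIN_LEN:
        problems.append("shorter than %d places" % MIN_LEN)
    if len(pw) > limit:
        problems.append("longer than %d places" % limit)
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeral")
    # Blanks count as special characters according to the manual.
    if not any(c == " " or c in string.punctuation for c in pw):
        problems.append("no special character")
    lowered = pw.lower()
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append("contains personal term %r" % term)
    return problems


def matches_memory_jogger(pw, sentence):
    """True if pw is built from the first letter of each word of sentence.

    Tokens that do not start with a letter (e.g. '97!') are taken whole.
    Letter case is ignored, since the manual's own example capitalises the
    'D' of 'day' when it derives 'AbDiN97!' from 'A blue day in November 97!'.
    """
    derived = "".join(w[0] if w[0].isalpha() else w for w in sentence.split())
    return derived.lower() == pw.lower()


if __name__ == "__main__":
    for candidate in ["Bill", "clinton", "1234", "test", "EbTiN97!", "?d1X3h:Ijk5"]:
        print("%-12s file PSE: %s" % (candidate, check_password(candidate) or "ok"),
              "| smartcard: %s" % (check_password(candidate, smartcard=True) or "ok"))
    print(matches_memory_jogger("AbDiN97!", "A blue day in November 97!"))
```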


2 CA MANAGEMENT Installation
When operating a CA it is advisable to use a computer that is not accessible to everybody. Firstly this means that the computer should not be directly linked to a network or should be provided with specific protective features (firewall or similar) to prevent unauthorized access through the network to this one special CA computer. Secondly the CA computer should be located in a secure room where no unauthorized persons can gain access to it. The private key of the CA must remain inviolable, otherwise all previously issued certificates become invalid.

2.1 Prepare the Installation


SECUDE CA MANAGEMENT is supplied on a CD-ROM. The CD-ROM contains all programs and libraries required for the installation. Installation of SECUDE CA MANAGEMENT is started from the CD-ROM. For Windows 95 and Windows NT the job is done by the installation program Setup.Exe. This can be found on the CD-ROM in the directory \CAManagement.

What is installed where


SECUDE CA MANAGEMENT consists of an executable program CAManagement and the dynamic link libraries (DLL) guihlp.dll, psegui.dll, psewiz.dll, scsctgui.dll, passwordgui.dll, v3extensionsgui.dll and secude.dll. When operating with smartcards further libraries, i.e. for the terminal and the smartcard being used, are required, e.g. ct32.dll, snsct.dll, tcos.dll. If an LDAP directory server is also to be addressed directly, then the library ldap32.dll is required too. All the above mentioned libraries are installed automatically with SECUDE CA MANAGEMENT. Standard procedure is for SECUDE CA MANAGEMENT to be installed in the directory \Programs\SECUDE. The program and the DLLs are installed in the directory \Programs\SECUDE\CA Management. To store configuration files, e.g. the ticket file and the sct_rc file, which configure the access to a possibly connected terminal, the directory %HOMEDRIVE%\%HOMEPATH%\secude is used.

To operate SECUDE CA MANAGEMENT a data base driver (DAO, consisting of several DLLs) is required. This driver is automatically installed by CA MANAGEMENT. SECUDE PSE MANAGEMENT and UPDATE CADB are also automatically installed with SECUDE CA MANAGEMENT.


2.2 How to install CA MANAGEMENT


The installation under both Windows NT and Windows 95 should be done by someone familiar with the operating system. With Windows NT only an administrator is authorized to carry out the installation.

2.2.1 Installation via Internet


If you are going to install from CD or via a network, skip this section and proceed with section 2.2.2. If you install via Internet, start SECUDE20CAManagement.exe. The following dialog is displayed.

Figure 4: Internet Installation

Click Finish to unpack the actual installation program.

Figure 5: Unpacking

Wait until unpacking is done and proceed as described in section 2.2.2.

2.2.2 Installation from CD ROM or Network


The installation is started by double clicking the program Setup. The installation program can alternatively be started via the Start menu and Run. To do this enter the CD ROM drive letter, the path and the program name in the field Open of the window Run. With a mouse click on the button OK the setup of CA MANAGEMENT is started.


In the Welcome window of the setup program you are requested to end all other active applications. This is required as, otherwise, the setup program may not be able to carry out all the necessary steps for an error-free installation of CA MANAGEMENT.

Figure 6: Welcome Window of the Installation

By clicking Next the installation is continued.

Figure 7: Software License Agreement

Please read the software license agreement. If all conditions of the agreement are acceptable, the button Yes is clicked, otherwise the button No. (Note that clicking No stops the installation.)


Figure 8: User Information

The names of the user and her/his company are required for the installation.

Figure 9: Set Destination Directory

Windows 95 and Windows NT from version 4.0 provide for the installation of application programs the directory Program Files. It is recommended for the installation of CA MANAGEMENT to make a subdirectory SECUDE there. A change in the destination of the installation can be made via the button Browse. If the path for the installation is accepted, the button Next can be clicked.


Figure 10: Select Program Folder

Here the name of the folder is entered under which the setup program creates the icon to call CA MANAGEMENT. SECUDE is used as the standard proposal. Next is clicked to confirm the entry.

Figure 11: Start of Installation

The directions of the installation program can be followed. After the button OK is clicked the installation program starts the setup.

Figure 12: Install SECUDE Ticket

To use secude.dll you need a valid license ticket. This generally comes with the software package.


After clicking Next, the progress of the installation is shown.

When the setup is finished an information window appears showing the installed components.

Figure 13: Information on Installed Components

The window is closed by clicking on OK.

Figure 14: Setup complete

After CA MANAGEMENT is installed, it can be used immediately. The computer does not need rebooting. If you have already been working with an older version of CA MANAGEMENT, it may be necessary to update the database. From version 1.3.5 please run the installed program UpdateCADB.exe for all existing CAs. If it is an earlier version, please ask the SECUDE hotline.


2.3 Aborting the installation


The installation program can be aborted at any time by pressing the Escape key (ESC) or with a mouse click on the button Cancel in any installation window.

Figure 15: Exit Setup

To abort the installation, Exit Setup in the above window must be clicked or the key ESC pressed.


3 Organisation of a Security Infrastructure


CA MANAGEMENT can be started from its program icon. In the Windows start menu the entry is under
c:\Program Files\SECUDE\CA Management

After the program has been loaded the dialog box appears for log-on. When CA MANAGEMENT is started for the first time, no CA-PSE is available for log-on.

A new security infrastructure must be organised, i.e. a CA-PSE created. First the so-called root authority is created by clicking the button Create in the dialog box Log On (see Chapter 3.2 Create a Root Authority).

Figure 16: Log On

The following sections lead the way through the Organization of a Security Infrastructure.

3.1 Basic Information on the Organisation of a Security Infrastructure


SECUDE CA MANAGEMENT allows the generation of several independent certification trees. A certification tree always begins with a CA which performs the functions of the root authority. A root authority is the top level certification authority, it is not certified by any other authority. Subordinate CAs can be inserted into a certification structure either by having them created by the appropriate higher CA (cf. Chapter 3.3 Create a Subordinate CA), or by generating themselves a so-called prototype certificate that is sent to the intended higher CA and is then certified by this (cf. Chapter 5.3.3 CA-PSE under the item Write Certification Request).


Personal Security Environment as File or Smartcard?


A CA has the function of issuing certificates for users. SECUDE CA MANAGEMENT stores these certificates in a personal security environment (PSE). The PSE is stored either in a file or on a smartcard (see Chapter 1.2 Personal Security Environment (PSE)). It should be noted that smartcards have limited storage capacity. One's own certificate and the certificate from the root authority can be comfortably accommodated on today's smartcards. SECUDE, however, stores further elements in the PSE. These elements are, therefore, stored externally in a file, the so-called software extension of a smartcard PSE. This, of course, puts limits on the interchangeability of workplaces when using a smartcard. The size of a certificate is determined in part by the length of the key and the Distinguished Names of the owner and issuer. With a key length of 1024 bits and a DN of 70 characters the resultant PSE has a total size of approx. 1.5 Kbyte. A smartcard PSE cannot be copied. From the security point of view this is an advantage; on the other hand it can lead to problems when a card is lost. A new PSE with a new key pair and a new certificate must then be created. Decisive for the choice between file and smartcard PSEs will be the individual evaluation of the pros and cons.

The CA PSE based on the RACAL Cryptoboard?


Besides storing the PSE as a file or on a smartcard, CA MANAGEMENT also offers a third possibility: the CA can be created based on a cryptoboard. This version of SECUDE CA MANAGEMENT has integrated the RACAL cryptoboard RG700. The use of the cryptoboard offers a CA the following two advantages. When the CA creates user PSEs (see Chapter 1.3 Issue Certificates for Users), it needs good random numbers for the generation of the keys. A good random number generator is integrated in the cryptoboard, and this is used by secude.dll when the cryptoboard is properly installed. The second advantage is the secure storage of the CA's private key. This is generated on the cryptoboard, from where it cannot be read. When data require signing with the private key, the data are sent to the cryptoboard, which carries out the signature. The cryptoboard has various physical security features built in, so that the usual attacks on hardware components, such as radioactive radiation, changing the input current or examining the chip under an electron microscope, do not lead to the discovery of the private key. Moreover, the chip destroys itself when the cryptoboard is opened. For more information on the cryptoboard please contact SECUDE GmbH.


Certification Structure
Before creating the root authority the structure of the certification process should have been planned. Is the root authority to certify all users (flat, simple structure) or is a hierarchic structure with several certification centers planned? With a hierarchic structure it is possible, for example, to have the users certified by different authorities according to the work they are doing. When a company has branches in different locations, it would be possible to have one certification authority per branch. In a hierarchic structure the root authority certifies CAs which then certify the users. The hierarchy can be organised on several levels, according to local requirements (see Chapter 3.3 Create a Subordinate CA).

3.2 Create a Root Authority


A root authority is the top level certification authority and can only be created by CA MANAGEMENT when logged off (no CA-PSE opened). Additionally, a directory must be selected in which there is no CA-PSE.

Create CA-PSE
A CA-PSE can be created either with the menu item File/Create root CA or with the button Log On... and the button Create....

This calls the PSE Wizard. Here all parameters needed for the creation of the CA-PSE can be set. The parameters are valid for the whole life of the CA, which means that once the CA is created no changes can be made to the settings. It is therefore advisable to give the settings a great deal of forethought. While the parameters are being entered it is still possible to make changes. For this purpose each of the dialog boxes of the PSE Wizard described below is provided with three buttons. With the button Back the previous mask can be returned to (perhaps to look something up or to make a change), with Next the next dialog box is reached, and with Cancel the procedure can be cancelled. A choice between a smartcard PSE, a file PSE on the hard disk or a PSE stored on a RACAL cryptoboard can be made. Pros and cons of the three versions can be found in Chapter 1.2 Personal Security Environment (PSE) and in Chapter 3.1 Basic Information on the Organisation of a Security Infrastructure. The following chapter describes the creation of a PSE as file. It should be read even if a smartcard PSE is to be created, since Chapter 3.2.2 Creating a Smartcard CA-PSE only deals with the differences that occur when creating PSEs on smartcards.


3.2.1 Create a CA-PSE as a File


The first PSE Wizard dialog box requests the type of CA-PSE.

Type of PSE

Figure 17: PSE-Wizard Type of PSE

When a file PSE is to be created, File is chosen.

Distinguished Name

Figure 18: PSE-Wizard Distinguished Name

A Distinguished Name is entered here. This DN identifies the CA unambiguously. It is also called the Distinguished Name of the Owner and appears in every certificate issued by the CA. The structure of the Distinguished Name can be seen in Chapter 1.5 Distinguished Names. Special care must be taken when entering the Distinguished Name. All characters from which the Distinguished Name is made up, such as blanks, commas, etc., are important for later operations.

Name of PSE

Figure 19: PSE-Wizard Name of PSE

The complete data path, including the name under which the PSE is to be stored, is entered here. By clicking the drive button the required directory can be found in the dialog box Select PSE. If the directory selected does not yet exist, a query appears whether this directory is to be created. Each CA should be provided with its own directory. In the example it is the directory C:\Certification Authority, which also contains the file capse.cse. This file (the suffix cse stands for CA Security Environment) contains all relevant information on and keys of the CA.

CA Data

Figure 20: PSE-Wizard CA Data


In the field CA Directory the directory which has been entered in the dialog box PSE Name is shown again. All files concerning the CA are stored in this directory, especially the CA database. It should be noted that in a directory there exists only one database per CA, as it might otherwise come to undesirable side effects. Serial Number is a number automatically and uniquely assigned to a certificate by the CA, with which the CA unambiguously identifies its own created certificates. This number should not be changed.

Version of Certificate

Figure 21: PSE-Wizard Version of Certificate

The standard which the certificate is to meet is entered here. It is advisable to create an X.509v3 certificate. Version X.509v1 is an older version from 1988 and is being replaced more and more by version 3 from 1996. Version 3 contains several additional fields in which, among other things, alternative names for the DN can be entered.


Number of Key Pairs

Figure 22: PSE-Wizard Number of Key Pairs

Here you specify whether the same key pair is to be used for signing and encrypting (One pair of keys) or whether separate pairs are to be used (Two pairs of keys). As the certificate of a CA is used mainly to sign and hardly ever to encrypt, One pair of keys can be selected here. Where a PSE is used for both purposes, separate key pairs are preferable: an encryption key may have to be backed up so that stored data remain readable, whereas a signature key should never exist in more than one place.

Signature Certificate

Figure 23: PSE-Wizard Signature

The algorithm and key length for the signature key are determined here. If One pair of keys was selected, the key pair is used for both the signature and encryption. Hence the data in this dialog box are relevant for both tasks of the key pair that is to be generated.


The longer the key, the better. SECUDE CA MANAGEMENT allows key lengths from 512 bits to 2048 bits. A key length of 1024 bits must be regarded as the minimum for a CA. The length of the key with which the CA signs the user certificates is defined here. The required length also depends on the validity period of the certificate and on where it is to be used: the longer the period during which the CA issues certificates with this key, the longer the key must be. With a key length of 1024 bits it is realistic to perform certification work securely for at least two to three years. If the key pair is to be used for five years or more, the key should be at least 1280 bits long. (These figures reflect the state of 1999; current guidance such as NIST SP 800-131A no longer permits 1024-bit RSA keys for signing, so a CA key created today should use the full 2048 bits the program offers.) If you have selected X.509v3-1996, the button V3 Extensions leads to another wizard where the certificate extensions specified in the X.509v3 standard (see [X.509 v3] Chapter 12.4.2, Certificate extension fields) can be entered. The V3 Extensions wizard additionally allows the entry of Netscape-specific certificate extensions (see also [Netscape Certificates]).

Encryption Certificate
This dialog box appears only when Two pairs of keys has been selected. The algorithm and key length for the encryption certificate are determined here. Entries are similar to those made in the signature dialog box.

Validity Period

Figure 24: PSE-Wizard Validity Period

In the fields Valid from and Valid until the period is entered in which the CA's certificate is valid. The format for validity is determined by the Windows system settings. The standard format is MM.DD.YY (date) and hh:mm:ss (time). The abbreviations are as follows:

Abbreviation  Meaning
MM            Month, range 1 .. 12
DD            Day, range 1 .. 31
YY            Year, range 80 .. 38 (i.e. 1980 to 2038: 80 .. 99 stand for 1980 .. 1999, 00 .. 38 for 2000 .. 2038)
hh            Hour, range 0 .. 23
mm            Minute, range 0 .. 59
ss            Second, range 0 .. 59

Table 2: Format of the Validity Fields

The validity period of user certificates issued should lie within the validity period of the issuing CA, since a user certificate that outlives its issuer's certificate can no longer be verified once the CA certificate has expired.
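The following Python functions, added to this manual as an example (they are not code from SECUDE CA MANAGEMENT), parse the validity fields in the format of Table 2 and check that a user certificate's validity lies inside that of its issuer. The two-digit year is resolved with the table's 80 .. 38 window, and years outside it are rejected rather than silently wrapped, because a wrong century turns an expired certificate into a valid one. The function names are the example's own.

```python
"""Validity fields in the format of Table 2 (MM.DD.YY hh:mm:ss).

Added example, not part of SECUDE CA MANAGEMENT.  Only the date format
and the 80..38 year window are taken from the manual; the function
names are assumptions of this example.
"""
from datetime import datetime


def parse_validity(text: str) -> datetime:
    """Parse 'MM.DD.YY hh:mm:ss' into a datetime.

    Two-digit years are mapped with the window of Table 2:
    80..99 -> 1980..1999 and 00..38 -> 2000..2038.  A year outside the
    window raises ValueError instead of being guessed.  datetime() itself
    rejects impossible values such as month 13, day 32 or hour 24.
    """
    date_part, time_part = text.strip().split()
    mm, dd, yy = (int(x) for x in date_part.split("."))
    hh, mi, ss = (int(x) for x in time_part.split(":"))
    if 80 <= yy <= 99:
        year = 1900 + yy
    elif 0 <= yy <= 38:
        year = 2000 + yy
    else:
        raise ValueError(f"year {yy:02d} lies outside the 80..38 window")
    return datetime(year, mm, dd, hh, mi, ss)


def within_issuer_validity(user_from: str, user_until: str,
                           ca_from: str, ca_until: str) -> bool:
    """True if the user period lies completely inside the CA period.

    The four arguments are validity fields as typed into the wizard.
    An empty or inverted user period is an input error, not 'inside'.
    """
    uf, uu = parse_validity(user_from), parse_validity(user_until)
    cf, cu = parse_validity(ca_from), parse_validity(ca_until)
    if uf >= uu:
        raise ValueError("Valid from must precede Valid until")
    return cf <= uf and uu <= cu


if __name__ == "__main__":
    # Constructed sample: CA valid 1 March 1999 to 1 March 2002.
    print(within_issuer_validity("04.01.99 00:00:00", "04.01.00 00:00:00",
                                 "03.01.99 00:00:00", "03.01.02 00:00:00"))
```

The check belongs at the point where the user certificate's validity is entered (Chapter 6); a CA that issues beyond its own expiry produces certificates that will fail verification without any error at issuing time.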

Sign Own Prototype Certificate

Figure 25: PSE-Wizard Sign Own Prototype Certificate

The algorithm with which the prototype certificate is signed is chosen here. It is advisable not to change the setting. A certificate is called a prototype certificate when it is self-signed. As the root certificate is the highest certificate in the hierarchy, there is no superordinate certificate that could sign it; its trustworthiness therefore rests on how it is distributed to the users, not on its signature.


Password

Figure 26: PSE-Wizard Password

The password which will be used in future for log-on is entered here. The PSE file and the CA database are encrypted with this password, so that nobody can gain access to the private key of the CA or to the database without it. As the PSE file can be copied, the strength of this password is the only protection of the CA's private key in a file PSE. Information on passwords can be found in Chapter 1.6 Passwords.

Log-on Profiles

Figure 27: PSE-Wizard Log-on Profiles

You enter here a symbolic name with which you can later identify this PSE when logging on.


Settings Overview

Figure 28: PSE-Wizard Settings Overview

An overview of the settings that have been made is given. If you wish to change any of them, click Back to return to the appropriate dialog box. When all parameters are in order, click Finish to create the PSE. Key generation and the creation of the certificates and of the whole PSE then begin. Depending on the length of the key and the speed of the computer this process takes from several seconds to several minutes. The following figure gives an overview of how long the creation of a file PSE takes for each key length. One series of times was measured on a PC with an AMD K6 2 processor at 300 MHz, the other with the key generation performed in the RACAL cryptoboard.

Figure 29: Time Comparison (1). Bar chart of the creation time of one PSE (sec, 0 to 45) against the key length (bit: 768, 896, 1024, 1280, 1536, 1792, 2048) for the AMD K6 2 at 300 MHz and for the RACAL RG 700.


The increase in computing time for longer keys is not linear: the time taken for the generation grows more than proportionally to the length of the key, and the processor speed does not change this general behaviour. The generation process is shown step by step, and CA MANAGEMENT confirms its completion. This window can be closed by clicking OK.

After creating the CA-PSE all data should be checked again. If an error has slipped in and was not discovered before the CA-PSE was created, close CA MANAGEMENT and delete the files created in the selected CA Directory. Delete also the relevant log-on profiles using the menu option Tools/Log-on profiles... . After this the CA can be re-created with the correct settings. Only after all data have been checked for correctness should the certification of users be started: once certificates have been issued with the CA-PSE, this PSE must not be deleted. It is advisable, before starting to create user PSEs, to enter the general settings in the dialog box Options (see Chapter 4 Options).

3.2.2 Creating a Smartcard CA-PSE


Creating a PSE on a smartcard is, apart from a few settings, identical to creating a software PSE. For this reason only the differences will be treated in detail in the following description. Before creating a smartcard CA-PSE it is important to configure the smartcard terminal under the menu option Configure smartcard/terminal (see Section 5.3.6 Smartcard).

Type of PSE
When a smartcard PSE is to be created, select Smartcard.

Distinguished Name
The Distinguished Name of the CA is entered here. For the structure of a Distinguished Name see Chapter 1.5 Distinguished Names.


Smartcard

Figure 30: PSE-Wizard Smartcard

As a smartcard has very little memory, large elements of the PSE must be kept in an extension of the PSE in the form of an external file. A file must be created for this so-called software extension of the PSE; by clicking the drive button in the dialog box Select PSE you can navigate to the required directory. When this dialog box is left by clicking Next, a check is made whether an empty smartcard has been inserted in the smartcard terminal.

CA Data
Enter the directory for the CA database and the first serial number for user certificates.

Version of the Certificate


The standard which the certificate is to meet is entered here.

Number of Key Pairs


Here the entry is made whether the same key pair is to be used for signing and encrypting (One pair of keys) or whether separate pairs are to be used (Two pairs of keys).

Signature Certificate
Algorithm and key length of the certificate signature.

Encryption Certificate
If you have selected Two pairs of keys, you determine here the algorithm and key length for the encryption certificate.


Validity Period
In the fields Valid from and Valid until the period is entered in which the PSE is valid. The format for validity is determined by Windows system settings. The standard format is MM.DD.YY (date) and hh:mm:ss (time). The abbreviations used can be found in Table 2: Format of the Validity Fields

Sign Own Prototype Certificate


The algorithm with which the root certificate is signed is chosen here. It is advisable not to change the setting.

Password
The password for future log-ons is entered here. This password protects the smartcard from access by unauthorized parties. Information on passwords can be found in Chapter 1.6 Passwords.

Password Unblocking Key PUK

Figure 31: PSE-Wizard Password Unblocking Key PUK

With the PUK a card that has been blocked because of too many false password entries can be unblocked. As the PUK is not displayed when typed, it must be entered twice to ensure its correctness. With Error Limit the number of password tries after which the card is blocked is set. Which values are permitted depends on the type of card used; the number entered is checked for correctness when the dialog box is left. Note: there is also an error counter for the PUK; it is fixed, and its value is 3.


Take good note of your PUK. It allows you access to your smartcard when this is blocked after too many false entries of the password.

Log-on Profiles
You enter here a symbolic name with which you can later identify this PSE when logging on.

Settings Overview
An overview of the settings that have been made is given. If changes are required, click Back to return to the appropriate dialog box. When all parameters are in order, click Finish to create the PSE. Key generation for the PSE then begins. The time taken to generate the key depends on its length. Older cards support only 512 bits (e.g. the TCOS 1.2 card), newer ones (e.g. the TCOS 2.0 card) 1024 bits; a card limited to 512 bits does not meet the minimum key length for a CA given in Chapter 3.2.1 and should not be used for a CA-PSE. The process can be followed in the window. After it is completed, CA MANAGEMENT shows a confirmation. This window can be closed by clicking OK.

3.2.3 Create a Cryptoboard based CA-PSE


Creating a CA-PSE on a RACAL cryptoboard is essentially identical to creating one on a smartcard. As only the private key of the CA is stored on the cryptoboard, a software extension is necessary, as with a smartcard. To create a CA-PSE based on a RACAL cryptoboard, the cryptoboard must be installed and configured in your PC according to the manufacturer's instructions. Additionally the two SECUDE libraries pcsm.dll and pcsmgen.dll must be present in the installation directory; normally these two libraries are installed automatically with SECUDE CA MANAGEMENT.

Type of PSE
If you want to create a cryptoboard based CA-PSE, select here RACAL RG 700.

Distinguished Name
The Distinguished Name of the CA is entered here. For the structure of a Distinguished Name see Chapter 1.5 Distinguished Names.


RACAL RG 700

Figure 32: PSE-Wizard RACAL RG 700

Only the private key is stored in the RACAL cryptoboard, all other elements are stored in a file PSE. The file PSE has a reference to the relevant private key in the RACAL cryptoboard. For this so-called software extension of the PSE the file must be established. By clicking the drive button in the dialog box Select PSE you can navigate to the required directory.

CA Data
Enter the directory for the CA database and the first serial number for user certificates.

Version of the Certificate


The standard which the certificate is to meet is entered here.

Number of Key Pairs


Here the entry is made whether the same key pair is to be used for signing and encrypting (One pair of keys) or whether separate pairs are to be used (Two pairs of keys).

Signature Certificate
Algorithm and key length of the signature certificate.

Encryption Certificate
If you have selected Two pairs of keys, you determine here the algorithm and key length for the encryption certificate.


Validity Period
In the fields Valid from and Valid until the period is entered in which the PSE is valid. The format for validity is determined by the Windows system settings. The standard format is MM.DD.YY (date) and hh:mm:ss (time). The abbreviations used can be found in Table 2: Format of the Validity Fields

Sign Own Prototype Certificate


The algorithm with which the root certificate is signed is chosen here. It is advisable not to change the setting.

Password
The password for future log-ons is entered here. This password protects the CA-PSE from unauthorized access. Information on passwords can be found in Chapter 1.6 Passwords.

Log-on Profiles
You enter here a symbolic name with which you can later identify this PSE when logging on.

Settings Overview
An overview of the settings that have been made is given. If changes are required, this can be done by clicking Back to the appropriate dialog box. When all parameters are in order the button Finish is clicked to create the PSE. Then the key generation for the PSE begins. The time taken to generate the key depends on its length.

3.3 Create a Subordinate CA


A flat certification structure (i.e. one CA certifies all users) is not always appropriate. For such cases SECUDE CA MANAGEMENT offers the possibility of creating subordinate CAs. A subordinate CA can only be created after logging on with a CA-PSE; the subordinate CA is certified by the CA-PSE currently logged on. The dialog box Create CA-PSE is found under the menu item File/Create subordinate CA... . The dialog box and its parameters are the same as for a root authority, see Chapter 3.2 Create a Root Authority. The only difference is that the new CA does not certify itself with a prototype (root) certificate; instead its certificate is signed with the key of the logged-on CA-PSE, whose certificate thereby becomes part of the subordinate CA's certification path.


Figure 33: PSE-Wizard Issue PSE

Here you select the issuer algorithm to be used by the logged-on CA-PSE. When all settings have been made, click OK. Depending on the length of the key the creation of the subordinate CA-PSE may take a few minutes. After the CA-PSE has been created, it can be selected via the Log On dialog box in the same way as the root authority CA. Moving between the various CAs is done by logging off and on.


4 Options
With the menu item Tools/Options the Options dialog box can be opened. The options that can be set here concern the presettings for the creation of PSEs and general settings for CA MANAGEMENT. It is advisable to make these settings as early as possible. The dialog box Options is made up of a number of areas that are arranged as index cards. The settings under Program Settings, Secude, X.500 and Warning Times are common to all certification authorities operated by one user. The settings under Issuer, PSE Options and Sphinx Pilot [Sphinx] can be set individually for each certification authority and are therefore only shown when you are logged on to a CA-PSE.

Button Apply
When a change has been made in the Options dialog box, the change is saved by clicking the button Apply. When OK is clicked the change is executed and the Options dialog box is closed. With the button Cancel the change is rejected and the Options dialog box closed. The change can, of course, only be rejected if it has not previously been saved with Apply.

4.1 User-specific Settings


4.1.1 Program Options
With Program Options the following options can be set:


Figure 34: Options Program Options

General Options
With the field Verbose Level the degree of detail of error messages is controlled. A 0 means a short text, a 3 causes the most detailed explanation to be shown. If problems occur in the execution of the program it is advisable to set the more detailed Verbose Level and then to re-run the function that has caused the error. The complete error message should be sent by e-mail to support@secude.com or by ordinary mail to SECUDE GmbH.

Import SAP Report


In the Import SAP Report area you configure whether CA MANAGEMENT checks for duplicate names while importing the SAP report RSUSR402. With a tick in the check box No Duplicate User Names the check is activated: if, e.g., a user Miller already exists, CA MANAGEMENT ignores all further users with this name when importing the SAP report. The decisive value is the user name entered in the field User in the user administration of SAP R/3. If the option Random Password has been selected, the imported user entries get the attribute Random Password, and when the PSE is created a random password is generated. When this option is not selected, the user name from the SAP report is taken as the initial password. Note that a password equal to the user name is known to anyone who knows the user name; the option Random Password should therefore be used, and the generated password handed to the user separately from the PSE. The option User Distinguished Name Scheme determines how the data from the SAP report and the Distinguished Name of the CA are combined to form the Distinguished Names of the users. If, for example, the CA has the Distinguished Name "O=SECUDE GmbH, C=DE" and the user has the SAP user name "SMITH001", the setting "<SAPUsername>, <IssuerDName>" results in the following Distinguished Name of the user:
CN=SMITH001, O=SECUDE GmbH, C=DE

Create PSE
When the option Add List of Public Keys is set, a file can be selected from the field below which contains a list of certificates, or rather the public keys (for example, in PEM format) included in them. With the drive button in the file dialog box a file can easily be selected. The list entered here is included as a further element in the PSE when PSEs are later created. This option is advisable when, for example, all users of one's own CA should trust an outside CA. By storing the outside CA's certificate in a user PSE, the former is considered trustworthy.

4.1.2 SECUDE
Presettings for the SECUDE security library are made here for CA MANAGEMENT. Their purpose is to define the parameters of the checks carried out on digital signatures.

Figure 35: Options SECUDE

Trust your own Forward Certification Path


A CA-PSE can be embedded in a hierarchic certification structure (it is then called a subordinate CA). The path between the root authority and the CA-PSE is called the certification path. This path is checked when logging on or as soon as the button for checking the CA-PSE is clicked. The longer the path, the longer the check takes. By selecting this option the check is skipped. This saves time with long paths, but a CA-PSE whose certification path has become invalid (for example because a superordinate certificate has expired or been revoked) is then no longer noticed at log-on; the option should only be set if the path is verified in some other way.


Verification includes Validity Verification


Checking the validity period of certificates is activated or deactivated here.

Verify Certificates against Revocation List


When a CA wishes to revoke a certificate, the certificate is entered into a revocation list (see Chapter 5.3.3 CA-PSE under item Add Revocation List). A certificate posted in this list has thus become invalid. The CA is obliged to distribute the list to all its participants. With this option you control whether the revocation list is consulted when a certificate is verified in the course of checking a signature. SECUDE uses three methods to obtain a valid revocation list: the revocation list can be included as an element in your own PSE; if the certificate being checked is an X.509v3 certificate, it may contain as an extension a URL through which revocation lists can be searched for; and if access to an LDAP directory has been configured in CA MANAGEMENT, a valid revocation list is searched for in the directory. When no valid revocation list of the certificate issuer can be found, the verification fails. This fail-closed behaviour is what makes the check meaningful: a missing or expired list must not be treated like an empty one.

Verify your own Certificate when Signing


Before generating a signature a check is made whether the certificate of the CA-PSE is still valid.

Use aliases
For the resolution or finding of certificates related to Distinguished Names the alias list is accessed.

Verify according to "PEM subordination rule"


The PEM subordination rule is defined in RFC 1422 ([RFC 1422], Chapter 3.4.2.2 Ensuring the Uniqueness of Distinguished Names). It requires that the issuer's Distinguished Name be a prefix, in the X.500 sense, of the Distinguished Name of the entity being certified; in the comma-separated written form used in this manual the issuer's name then appears at the end of the user's name, e.g. CN=SMITH001, O=SECUDE GmbH, C=DE for the issuer O=SECUDE GmbH, C=DE. With this option set, a certificate whose subject name does not lie below its issuer's name in this way fails verification.

ETC Directory
In the etc-directory you can store, for example, the smartcard configuration file. The setting depends on the PC and caution should be exercised when changing it.


4.1.3 X.500
With this index card the access to a directory service is determined. If, for example, when checking a certificate, one certificate out of the certification path is missing in the PSE, the automatic search for the missing certificate can be activated with this option. SECUDE supports two directory services: X.500 based on an LDAP server and AFDB (abbreviation for Authentication Framework Data Base; a SECUDE-developed substitute for an X.500 Directory). When both services are selected AFDB has the higher priority when reading. If access to LDAP is also required, the appropriate entries (ask your LDAP administrator for them) must be made in the fields Server, Port and Tailor. An entry in the field Library is only necessary when access to a library other than the standard library installed with SECUDE CA MANAGEMENT is required. With the button Test LDAP-LIB a check can be made whether the selected library exists. Your LDAP administrator will be able to inform you of the X.500 password.

Figure 36: Options X.500

4.1.4 Warning Periods


You can specify with this index card how much warning the program gives you before an event occurs.


Figure 37: Options Warning Periods

CA-PSE Warning Period in Days


The area CA-PSE Warning Period in days refers to the progress of the validity period of elements of the CA-PSE. When the program is started the PSE elements Certificate, Certification Path, Root Certificate and Revocation List (if existent) are checked for correctness and validity. When the remaining period of validity lies within the warning period the appropriate message is shown. When the CA certificate or that of a higher CA expires, all users of the CA must be informed and the elements updated.

User Certificate Warning Period in Days


In the field User Certificate Warning Period in Days you specify how many days prior to a user certificate's expiry you should receive a warning message. The user might need a new certificate then. When the event occurs the corresponding symbol in the user list changes its appearance: the user entry is marked with a red exclamation mark (see 6.1.1 User List).
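The following Python example, added here and not code from SECUDE CA MANAGEMENT, models the checks behind the options of Chapter 4.1.2 (validity verification and verification against a revocation list, including the fail-closed behaviour when no valid list of the issuer is found) and the warning periods of this chapter. Certificates and revocation lists are plain dictionaries constructed in the example; a real implementation decodes the X.509 structures and obtains the revocation list from the PSE, the URL in the v3 extension or the LDAP directory. All names and the sample data are the example's own.

```python
"""Certificate checks corresponding to the SECUDE options in 4.1.2
(Verification includes Validity Verification, Verify Certificates
against Revocation List) and the warning periods of 4.1.4.

Added example; not code from SECUDE CA MANAGEMENT.  Certificates and
revocation lists are modelled as plain dicts constructed below.
"""
from datetime import datetime, timedelta


class VerifyError(Exception):
    """Raised when a certificate must not be accepted."""


def find_current_crl(issuer, crls, now):
    """Return a revocation list of 'issuer' that is current at 'now'
    (this_update <= now < next_update), or None if there is none.
    'crls' is the merged set of lists found in the PSE, via URL and via LDAP."""
    for crl in crls:
        if crl["issuer"] == issuer and crl["this_update"] <= now < crl["next_update"]:
            return crl
    return None


def verify_certificate(cert, crls, now, check_validity=True, check_crl=True):
    """Accept 'cert' (return True) or raise VerifyError.

    Mirrors the two option switches of 4.1.2: the validity period check and
    the revocation list check can each be turned off.  The revocation check
    fails closed: without a current list of the issuer nothing is accepted,
    because a revoked certificate must never pass merely because the list
    could not be found or has expired."""
    if check_validity and not (cert["valid_from"] <= now <= cert["valid_until"]):
        raise VerifyError("certificate is outside its validity period")
    if check_crl:
        crl = find_current_crl(cert["issuer"], crls, now)
        if crl is None:
            raise VerifyError("no valid revocation list of the issuer found")
        if cert["serial"] in crl["revoked"]:
            raise VerifyError(f"certificate with serial number {cert['serial']} is revoked")
    return True


def expiry_warnings(elements, now, warning_days):
    """Names of PSE elements whose validity ends within 'warning_days' of
    'now'; elements that have already expired are included.  'elements'
    maps an element name to the end of its validity."""
    limit = now + timedelta(days=warning_days)
    return [name for name, valid_until in elements.items() if valid_until <= limit]


# Constructed sample data (not taken from a real CA).
CA_DN = "O=SECUDE GmbH, C=DE"
NOW = datetime(1999, 6, 1, 12, 0, 0)
LATER = datetime(2000, 3, 1, 12, 0, 0)
SAMPLE_CRL = {
    "issuer": CA_DN,
    "this_update": datetime(1999, 5, 20),
    "next_update": datetime(1999, 6, 19),   # 30-day list validity as preset in 4.2.1
    "revoked": {7},
}
USER_CERT = {"issuer": CA_DN, "serial": 5,
             "valid_from": datetime(1999, 1, 1), "valid_until": datetime(1999, 12, 31)}
REVOKED_CERT = dict(USER_CERT, serial=7)
# Validity ends of the CA-PSE elements checked at program start (4.1.4).
SAMPLE_ELEMENTS = {
    "Certificate": datetime(1999, 12, 31),
    "Root Certificate": datetime(2004, 1, 1),
    "Revocation List": SAMPLE_CRL["next_update"],
}

if __name__ == "__main__":
    print(verify_certificate(USER_CERT, [SAMPLE_CRL], NOW))
    print(expiry_warnings(SAMPLE_ELEMENTS, NOW, 30))
```

Note that with a 30-day warning period the sample revocation list is reported before the certificates are, which matches how the program behaves: the element with the shortest remaining validity in a CA-PSE is normally the revocation list, and letting it lapse makes every verification with the option of 4.1.2 fail.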

4.2 CA-specific Options


4.2.1 Issuer
In the area Issuer the issuer algorithm and the periods of validity for certificates and revocation lists are entered. The presetting is 365 days, i.e. one year, for certificates and 30 days for revocation lists. By entering the period of validity in days it is possible to issue certificates for very short as well as long periods. The values set here are proposed as default values when signing, but can be changed. The validity period of a revocation list is also the longest time for which a participant may rely on an already fetched list; a shorter period means more frequent distribution, a longer one a larger window in which a newly revoked certificate is still accepted.

Figure 38: Options Issuer

Revocation List Directory


This is the default directory where revocation lists issued by the CA are stored. More information on the creation and distribution of revocation lists can be found in Chapter 7 Revocation List Management.

Store PSEs and Certificates in Database


When this option is selected, on creation of a file PSE for a user the complete PSE is saved in the CA database. Should the user lose his PSE, this backup can be handed over to him. This option is not provided for smartcard PSEs as the private key must not leave the smartcard. Note that the stored copy contains the user's private key: the CA database then holds key material with which signatures in the user's name can be produced, which weakens the evidential value of those signatures, and the database (encrypted with the CA password, see Chapter 3.2.1) must be protected accordingly.

4.2.2 PSE Options


The index card PSE Options shows options which are used as the basis for the creation of user PSEs. The index card is divided into the areas Owner Options, Password Options and PUK Options.


Figure 39: Options PSE Options

PSE Directory
Here the directory is entered in which the users' PSEs created by CA MANAGEMENT are stored. With the button a dialog box is opened to select a directory. The directory is selected by a mouse click. If a directory is entered that does not yet exist, it is created.

Owner Options
In the area Owner Options the type of PSE can be set, either a PSE with one key pair or a PSE with two key pairs. This refers to the number of asymmetric key pairs to be created, and their functions. When a PSE is created with a single key pair this is used for both signature and encryption. With two key pairs each function has its own key pair. The value which is entered in the field Key length depends on the validity period given to the certificate. For certificates with a validity period of two to three years a 1024 bit key length is sufficient.

Password Options
In the area Password Options either a standard initial password can be entered or the generation of a password can be left to the program. If the check box is not ticked and the second field remains empty, the choice must be made every time a PSE is created, i.e. either random generation is selected or a password is entered. A standard initial password that is the same for all users is known to every user and should be replaced by each user immediately; generated random passwords handed over separately from the PSE are preferable.


PUK Options
The area PUK Options is important when creating smartcard PSEs. The PUK is used to unblock a smartcard after too many retries have been made. For the PUK the same applies as for Password Options.

4.2.3 User Options


Here you can specify the defaults for the user form.

Figure 40: Options User Form

Default User Distinguished Name


This determines how from the entries under User Data in the User Form the Distinguished Name for the corresponding certificate is formed. If e.g. in the user form the mail address smith@company.com is entered, the setting <Mail Address> produces the default Distinguished Name CN=smith@company.com for that user.

Distinguished Name is Prefix


If this check box is ticked, the issuing CA's Distinguished Name is appended to the user's Distinguished Name (the CA name is the prefix in the X.500 sense, i.e. the user's name lies below it in the name tree). The Distinguished Name then reflects the certification hierarchy, which is also what the PEM subordination rule (see Chapter 4.1.2) requires.
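The following Python example, added here and not part of SECUDE CA MANAGEMENT, builds user Distinguished Names from a scheme such as "<SAPUsername>, <IssuerDName>" (Chapter 4.1.1) or "<Mail Address>" with the option Distinguished Name is Prefix (this section), and checks the PEM subordination rule of Chapter 4.1.2 on the result. Distinguished Names are handled in the comma-separated written form used in this manual; a real implementation compares the ASN.1 Name structures. The placeholder names are taken from the manual, everything else (function names, the escaping of commas in values) is the example's own.

```python
"""User Distinguished Names from a scheme, and the PEM subordination rule.

Added example, not code from SECUDE CA MANAGEMENT.  DNs are strings of
the form 'CN=x, O=y, C=DE' as printed in the manual; a comma inside a
value is written as '\\,'.  Placeholder names (<SAPUsername>,
<IssuerDName>, <Mail Address>, <Id>) are those of the manual.
"""
import re

PLACEHOLDER = re.compile(r"<([^<>]+)>")


def parse_dn(dn):
    """Split 'CN=x, O=y, C=DE' into [('CN', 'x'), ('O', 'y'), ('C', 'DE')].
    Only a backslash-escaped comma is treated as part of a value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"not a type=value pair: {part!r}")
        attr_type, value = part.split("=", 1)
        rdns.append((attr_type.strip().upper(), value.strip().replace("\\,", ",")))
    return rdns


def format_dn(rdns):
    """Inverse of parse_dn; commas in values are escaped again."""
    return ", ".join(f"{t}={v.replace(',', chr(92) + ',')}" for t, v in rdns)


def build_user_dn(scheme, fields, issuer_dn, dn_is_prefix=False):
    """Form a user DN from 'scheme'.  'fields' holds the user-form data
    keyed by placeholder name.  <IssuerDName> is replaced by the CA's DN;
    any other placeholder becomes a CN with the field's value.  With
    dn_is_prefix the CA's DN is appended unless the scheme already names it."""
    def substitute(match):
        key = match.group(1)
        if key == "IssuerDName":
            return issuer_dn
        if not fields.get(key):
            raise ValueError(f"user form has no value for <{key}>")
        return f"CN={fields[key]}"
    dn = PLACEHOLDER.sub(substitute, scheme)
    if dn_is_prefix and "<IssuerDName>" not in scheme:
        dn = f"{dn}, {issuer_dn}"
    return format_dn(parse_dn(dn))          # normalise spacing and escaping


def pem_subordinate(issuer_dn, subject_dn):
    """RFC 1422 subordination: the issuer's RDN sequence must be a proper
    suffix (in written order) of the subject's, i.e. the subject lies
    strictly below the issuer in the name tree."""
    issuer, subject = parse_dn(issuer_dn), parse_dn(subject_dn)
    return len(subject) > len(issuer) and subject[len(subject) - len(issuer):] == issuer


if __name__ == "__main__":
    ca = "O=SECUDE GmbH, C=DE"
    user = build_user_dn("<SAPUsername>, <IssuerDName>", {"SAPUsername": "SMITH001"}, ca)
    print(user, pem_subordinate(ca, user))
```

A scheme without <IssuerDName> and without the prefix option yields a name such as CN=smith@company.com, which is rejected by the subordination rule; the two options should therefore be set consistently with the verification settings of Chapter 4.1.2.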

Default PSE Name


This determines how the name of the corresponding PSE is formed from the entries under User Data in the User Form. If e.g. in the user form the identification (Id) jbond007 is entered, the setting <Id> produces the following default PSE name for the corresponding user: jbond007.pse.

4.2.4 Sphinx Pilot


These options have been introduced in connection with SECUDE GmbH's participation in the Sphinx project of the German Federal Office for Security Technology (see [Sphinx]). Before drawing up a revocation list a special format can be determined with this option so that the list is compatible with those of other participants in the Sphinx project. This option should not be set in any other case.

Figure 41: Options Sphinx Pilot


5 Management of the CA
The program can be started from the icon on the left. In the Windows start menu the entry can be found under:
\Program Files\SECUDE\CA Management

After the program has been loaded the dialog box for log-on appears. If SECUDE CA MANAGEMENT is being started for the first time, no CA-PSE is present with which log-on can be started. Chapter 3 Organisation of a Security Infrastructure describes how a new CA-PSE is created. If a CA-PSE has already been created, the symbolic name that you have given to address your CA-PSE is entered in the text bar Log-on Profiles of the Log-on dialog box (see Figure 27: PSE-Wizard Log-on Profiles). The password is then entered in the text bar Password and OK is clicked.

With the button you reach the dialog box Log-on Profiles (see Chapter 5.3.5.3 Extras / Log-on Profiles).

5.1 CA MANAGEMENT Overview


The main window of CA MANAGEMENT displays some important items of information after log-on. The status bar at the bottom of the screen shows Ready, i.e. the program is ready for input. The Distinguished Name of the certification authority currently logged on also appears.


Figure 42: Empty User List

The two buttons on the left of the tool bar allow a fast log-on or log-off. Log-on and -off can also be made via the menu item File. Via the drop-down menu View the tool bar and status bar can be hidden or displayed.

Figure 43: Tool Bar Hidden

CA MANAGEMENT is designed according to Windows Style Guide and can be operated accordingly.

5.2 The Tool Bar


The tool bar consists of eight buttons. All buttons that are not greyed out are active, i.e. by clicking a button an action in the program is launched. The greyed out buttons do not become active until certain actions have been taken. For example the button to change the password is not activated until after log-on.

Figure 44: Tool Bar Active

By clicking the left mouse button on the side of the tool bar and holding, the bar can be dragged to another position in the main window, e.g. to the left side. It is also possible to drop it outside the main window.


Button (from left)  Function
1  Log on to your CA-PSE. The Log-on dialog box is opened. Only active when logged off.
2  Log off from the active CA-PSE. Only active when logged on.
3  Edit or create a user entry. The User Form is opened. Only active when logged on.
4  Create a list of user PSEs. The PSE Creation dialog box is opened. Only active when entries in the user list have been selected.
5  Change the CA-PSE password. The Change Password dialog box is opened. Only active when logged on.
6  Verification of the CA-PSE. Only active when logged on.
7  Display the signature certificate. The Display Certificate dialog box is opened. Only active when logged on.
8  View all elements stored in the CA-PSE, such as revocation lists, root certificate, own certificates, etc. The PSE Contents dialog box is opened. Only active when logged on.

Table 3: Toolbar

5.3 The Menu Bar


This chapter explains the functions which can be carried out via the menu. All CA MANAGEMENT functions, including those from the tool bar, can be started from the menu.

Figure 45: Menu Bar

The menu consists of the standard components File, View, Tool, Window, and ? (for Help), and of CA MANAGEMENT-specific parts such as PSE, User, and Smartcard.


A menu item can be opened by a left mouse click or with the key combination Alt and the underlined letter in the menu item, e.g. the letter F in File. In the Status Bar of CA MANAGEMENT a short explanatory text for each menu item is displayed. For the menu item File/Log On the status bar (provided it is active) contains the explanatory text Log On as a CA.

5.3.1 File
The menu File contains functions for log-on and -off as a CA, for generating a CA-PSE, import functions for external data and for exiting CA MANAGEMENT, plus a list of the existing CAs.

5.3.1.1 File / Log On The menu item File/Log On is active only when not logged on. The dialog box Log On is opened. With this dialog box a CA-PSE can be chosen and the password entered. In this way the CA-PSE is opened and work with it can be started. Creation of a CA-PSE can be started too with the Log on dialog box.

Note:

Function exists as a button.

5.3.1.2 File / Log Off The menu item File/Log Off is active only when logged on. Use this menu item to close the CA-PSE, to log off. Log-off does not involve exiting the program.

Note:

Function exists as button.

5.3.1.3 File / Create CA
The menu item File/Create CA is active when logged off. The dialog box for entering and generating a CA-PSE is opened with this menu item. For details see Chapter 3.2 Create a Root Authority.

5.3.1.4 File / Create Subordinate CA
The menu item File/Create Subordinate CA is active when logged on. The dialog box for entering and generating a subordinate CA is opened with this menu item. For details see Chapter 3.3 Create a Subordinate CA.

SECUDE GmbH

47

SECUDE CA MANAGEMENT

Version 2.0

5.3.1.5 File / Import / SAP Report
The menu item for importing external data into an existing CA-PSE is active only when logged on. With this menu item, user data from SAP R/3 (from version 3.1G) can be imported. All data required for the creation of a PSE are transmitted from R/3 (see Chapter 8.1 Import of SAP R/3 User Data).

5.3.1.6 File / Import / SECUDE
The menu item for importing external data into an existing CA-PSE is active only when logged on. Existing CA-PSE data created with SECUDE command line tools can be imported with this menu item.

5.3.1.7 File / Recent Log List
When SECUDE CA MANAGEMENT is called up for the first time this list is empty. Later you can use this menu item to bypass the Log On dialog box by logging on with a previously opened CA-PSE; you need only enter the password. If you are already logged on with a CA-PSE, you are logged off from it without any confirmation prompt.

5.3.1.8 File / Quit
The program is exited immediately with this menu item. If logged on with a CA-PSE, this is closed first and then the program is exited.

5.3.2 View
The drop-down menu View consists of the menu items to show or hide the tool bar and the status bar. The revocation lists of the CA and the user list can be displayed.

5.3.2.1 View / Tool Bar or Status Bar
When the tool bar or the status bar is active, the respective menu item is marked by a tick. When there is no tick the bar is hidden.

5.3.2.2 View / User List or Revocation List
With the menu item View/User List the user list of the CA is displayed. Information on the CA revocation lists can be found under the menu item View/Revocation List. The revocation lists can also be processed there.

This menu item allows switching between User List and Revocation List. To bring up the revocation list choose View/Revocation List; to bring up the user list choose View/User List. The title bar of the program window of CA MANAGEMENT changes accordingly.

Note: Switching is also possible via the key combination <Ctrl+F6>.

In the view Revocation List the displayed revocation list can be processed. For details see Chapter 7 Revocation List Management.

Figure 46: Revocation List

The view User List is treated in Chapter 6 Management of User Data.

5.3.3 CA-PSE
The menu CA-PSE displays information on the CA-PSE and allows the PSE to be processed. Furthermore it is used to write requests for certification of prototype certificates and to add revocation lists to the CA-PSE.

5.3.3.1 CA-PSE / Show Signature Certificate
With the menu item CA-PSE/Show Signature Certificate... the signature certificate can be displayed. The certificate information is shown clearly in it. On the index card Owner the most important certificate data can be found: the Distinguished Name of the CA (owner), the Distinguished Name of the issuing CA (issuer), the period of validity, the serial number and the version number. If the CA is a root authority, the Distinguished Names of owner and issuer are identical.

Figure 47: Signature Certificate Owner

On the other index cards the remaining information on the certificate can be found.

Note:

Function exists as a button.

The menu item is only active when logged on.

5.3.3.2 CA-PSE / Show Encryption Certificate
If the PSE has two key pairs, the encryption certificate can be displayed with CA-PSE/Show Encryption Certificate... The encryption certificate window is structured analogously to the one for the signature certificate. This menu item is only active when logged on with a PSE that has two key pairs; when the PSE has one key pair the menu item is grayed out.

5.3.3.3 CA-PSE / Write Certificate Request
With this menu item a request for certification can be written to the superior CA. In the dialog box Write Certification Request the name of the file (including the path) in which the request is to be saved is entered. The superior CA should have access to this file. After asking the superior CA which formats it supports, you can determine in the field Type of File whether the file is to be saved in pem format or in PKCS#10 format [PKCS#10]. If the file is stored on a server accessible to other people, the issuing CA should be asked for an unambiguous file name, so that no confusion can occur. The superior CA must then be informed where the request for certification is to be found, or whether it will be sent by e-mail or on a floppy disk.

Figure 48: Write Certification Request

The menu item is only active when logged on.

5.3.3.4 CA-PSE / Read Certificate Response
After the request for certification has been processed by the superior CA, the signed certificate can be inserted into your PSE with the menu item CA-PSE/Read Certificate Response. In the dialog box that is then opened the directory and file where the response is located are selected. The two formats pem and PKCS#7 (see [PKCS#7]) are supported.

Figure 49: Read Certification Response

If you have selected a certification response in pem format, you get information on it in the window Process Certification Response. You can read whether the certification response fits your certificate, i.e. whether the response contains your public key. The following line gives information on the validity of the digital signature. If you are being certified for the first time or if you have changed the CA, the certification response will contain a new root certificate not yet included in your PSE. It is therefore essential to check the checksum (fingerprint) of the root certificate's public key. Only in this way can you make certain that your certification response has been processed by the right CA. The checksum (fingerprint) of the root certificate's public key should be published by the root authority; this can be done e.g. in a company publication or in the daily newspapers. Checking the checksum (fingerprint) is an important measure: a potential attacker who tries to foist a false certificate (and thus his own public key) onto you can be identified by an incorrect checksum (fingerprint). Only after the automatic verification of the certification response has turned out positive should you insert it by clicking on the button Add.
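The three checks described above (does the response carry your public key, is the signature valid, does a newly introduced root match the fingerprint published out of band), worked through as an added Python example that is not code from SECUDE or from this manual. Certificates are modelled as plain dicts of byte fields because no ASN.1 parser is included; the field names, the SHA-1 checksum algorithm and all key bytes are assumptions constructed for the example.

```python
import hashlib
import hmac


def fingerprint(public_key_der: bytes, algorithm: str = "sha1") -> str:
    """Checksum of a public key as colon-separated upper-case hex, e.g. 'A1:B2:...'.
    The algorithm is an assumption; use whatever the root authority publishes."""
    digest = hashlib.new(algorithm, public_key_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(printed: str) -> str:
    """Reduce a fingerprint copied from a publication to bare hex: drop colons,
    spaces and line breaks and ignore case, so formatting alone never causes a
    false mismatch (and never hides a real one)."""
    return "".join(ch for ch in printed.upper() if ch in "0123456789ABCDEF")


def evaluate_response(response: dict, my_public_key: bytes, pse_roots: list,
                      published_root_fingerprint: str) -> dict:
    """Return the results the Process Certification Response window shows and the
    decision whether Add may be clicked.

    response = {"certificate": {"public_key": bytes, "signature_valid": bool},
                "root": {"public_key": bytes} or None}   (constructed layout)
    pse_roots: public keys of the root certificates already in the PSE.
    """
    cert = response["certificate"]
    result = {
        # "Fits your certificate": the certified key must be the key in your PSE.
        "key_matches": hmac.compare_digest(cert["public_key"], my_public_key),
        "signature_valid": bool(cert["signature_valid"]),
        "root_check": "not needed",
    }
    root = response.get("root")
    if root is not None and root["public_key"] not in pse_roots:
        # A root not yet in the PSE is being introduced: only the fingerprint
        # published out of band tells the genuine root from a substituted key.
        computed = normalize_fingerprint(fingerprint(root["public_key"]))
        expected = normalize_fingerprint(published_root_fingerprint)
        ok = len(expected) == len(computed) and hmac.compare_digest(computed, expected)
        result["root_check"] = "ok" if ok else "mismatch"
    result["may_add"] = (result["key_matches"] and result["signature_valid"]
                         and result["root_check"] != "mismatch")
    return result


# Constructed sample data; these are not real keys.
MY_KEY = b"\x30\x22" + b"\x01" * 34
GENUINE_ROOT_KEY = b"\x30\x22" + b"\x02" * 34
ROGUE_ROOT_KEY = b"\x30\x22" + b"\x03" * 34
# The value the root authority published, deliberately in a different formatting.
PUBLISHED = fingerprint(GENUINE_ROOT_KEY).lower().replace(":", " ")


def demo(root_key: bytes) -> dict:
    """Evaluate a first-time certification response that introduces `root_key`."""
    response = {"certificate": {"public_key": MY_KEY, "signature_valid": True},
                "root": {"public_key": root_key}}
    return evaluate_response(response, MY_KEY, pse_roots=[],
                             published_root_fingerprint=PUBLISHED)
```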

Figure 50: Process Certificate Response

Besides Add the dialog box has two other buttons. Clicking on Message displays the pertaining (encoded) PEM messages; Print... prints the contents of the window. If the certification response is in PKCS#7 format, the dialog box contains essentially the same information; only the button Message is omitted, because the response is not an ASCII file.

5.3.3.5 CA-PSE / Update Revocation List
If new revocation lists (from superior CAs) are to be inserted into the PSE, this is done by selecting the item Update Revocation List in the menu CA-PSE. This opens the dialog box PSE Revocation Lists, which displays the revocation lists in the PSE.


Figure 51: PSE Revocation Lists

To insert a new revocation list in the CA-PSE Insert from File is clicked and the file in which the new revocation list is located is selected from the window Read Revocation List from File. The administrator responsible for the revocation list will inform you which file it is.

Figure 52: Read Revocation List from File

It is also possible to request with Insert from Directory revocation lists from an LDAP/X.500 directory service. To do this the Distinguished Name of the CA from which the revocation list is requested must be entered into the dialog box.

After a revocation list has been selected the following dialog box appears. In this dialog box you can check the validity of the revocation list before actually inserting it. For this the button Verify is clicked.


Figure 53: Insert Revocation Lists in PSE

When the check is positive the revocation list can be inserted into the PSE by clicking the button Insert. If revocation lists are to be used when verifying a digital signature, the check box "Verify Certificates against Revocation List" under Tools/Options/SECUDE must be ticked. It must also be ensured that a valid revocation list from the superior CAs is available.

5.3.3.6 CA-PSE / Change Password
When the CA-PSE is created a password is established. This protects not only your CA-PSE but also the CA database. For security reasons it should be changed regularly. Should a third party come into possession of the password, he is able to work with the CA, whether legitimately or not. Great care should therefore be taken when choosing the password; for details see Chapter 1.6 Passwords. The menu item CA-PSE/Change Password opens the dialog box Change Password. In this box the current password of the opened CA-PSE is entered first.

Figure 54: Change Password

The old password is requested so that no unauthorised person can change it in the owner's absence. The new password must be entered in the field New Password and repeated in Re-enter Password. When the CA-PSE is on a smartcard, the password length is restricted to eight characters. Otherwise it is restricted to 14 characters, as this is the maximum length for a Microsoft Access database. Then the OK button is clicked.


If the old password is entered incorrectly, the message on the left is shown.

If, when entering the new password, a typing error occurs in either of the fields, the message on the left appears. The OK button must be clicked and the entries retyped. If no errors were made with either the old password or the entry and repetition of the new one the program changes the password of the PSE and confirms it with the message on the left.

Note:

Function exists as a button.

5.3.3.7 CA-PSE / Verify
A CA-PSE consists of a number of elements such as one's own certificates, the root certificate, the certification path, or revocation lists. These elements are valid for a limited time and are subject to dependencies. With the menu item CA-PSE/Verify all necessary verification checks for the CA-PSE are made.

Figure 55: Verify PSE

The following checks are made: current validity of the CA certificate, certificate path, current validity of the root certificate, revocation list, and all signatures. CA MANAGEMENT automatically verifies these elements whenever the CA-PSE is opened. If a period of validity is about to expire, a warning is given. Warning periods are stipulated under Extras/Options/Warning Periods.

Note:

Function exists as a button.

5.3.3.8 CA-PSE / Write Certification Path
This menu item is used to make the certificate path of the CA available to other products (e.g. web servers or browsers from Netscape or Microsoft). After clicking CA-PSE/Write Certification Path a dialog box appears in which the file name under which the certificate path is to be saved is entered and the file format appropriate for the product is selected.

Figure 56: Save Certification Path

CA MANAGEMENT saves each certificate belonging to the certificate path in its own file, which leads to a chain of related files, e.g. CApath.root.crt, CApath.path1.crt, ..., CApath.path5.crt. The last certificate in the chain is that of one's own CA.

5.3.3.9 CA-PSE / Display Contents
The PSE of a CA consists of several elements. All the elements are listed and displayed in the dialog box CA-PSE/Display Contents. The number of index cards varies according to the number of PSE elements included.

Note:

Function exists as a button.

The information shown varies according to the element. The display of a certificate contains the name of the issuer, the serial number, the period of validity, the checksum (fingerprint) of the public key, and data concerning the signature algorithm and the algorithm for which the key pair can be used. The key length is also shown. Under Revocation List the revocation lists received from the superior CAs are listed. Serial Number contains the serial number last issued by the CA.


Figure 57: PSE Contents

5.3.4 User
With the drop-down menu User the dialog box to enter and to change user data and to create PSEs is opened. Certificates in LDAP directories can also be made available and be deleted from them.

5.3.4.1 User / Create User Entry
The menu item is active only when logged on. With User/Create User Entry the dialog box to enter and change user data is opened. This function is described in detail in Chapter 6 Management of User Data.

Note:

Function exists as a button.

5.3.4.2 User / Create List of PSEs
The menu item is active only when logged on and when at least one user entry in the user list is selected. A user is selected with the left mouse button. Using the left mouse button together with the Shift key a block of entries can be selected; using the left mouse button together with the Ctrl key individual entries can be selected or deselected within this block. By clicking User/Create List of PSEs the PSEs for the selected entries are immediately created. Entries for which a PSE has already been created can also be selected; these entries are ignored when new PSEs are created. This function is described in detail in Chapter 6.3 Create User PSEs.

Note:

Function exists as a button.

5.3.4.3 User / Write Certificates for LDAP
The CA can put its certificates at the disposal of other users in an LDAP directory. To do this the certificates concerned are marked in the user list and the menu item User/Write Certificates for LDAP... is clicked. This opens the window below:

Figure 58: Save LDIF File (Insert Certificates)

The appropriate directory is selected and the name of an LDIF file is entered in the field File Name. CA MANAGEMENT then saves the marked certificates in this file. The LDAP administrator can now update his LDAP directory with this file.

5.3.4.4 User / Remove Certificates from LDAP
Certificates can also be deleted from the LDAP directory. The certificates to be deleted are marked in the user list and the menu item User/Remove Certificate from LDAP is clicked. The dialog box below is opened:

Figure 59: Save LDIF File (Delete Certificates)

The appropriate directory is selected and the name of an LDIF file is entered in the field File Name. CA MANAGEMENT then saves the marked certificates in this file. The LDAP administrator can now update his LDAP directory with this file.

5.3.4.5 User / Write List of Public Keys
This function is intended for users who cannot obtain the certificates of the participants in the certification infrastructure through a directory service such as LDAP. In this case the CA writes all public keys into a file (pem format), which it also digitally signs. This file must be distributed to the users, who can then copy it into their PSE using SECUDE PSE MANAGEMENT.
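The two LDIF files of sections 5.3.4.3 and 5.3.4.4 (one inserting certificates, one deleting them), as an added Python example that is not code from SECUDE; the manual does not state which LDIF change records CA MANAGEMENT writes. The records use the standard LDIF change format (RFC 2849) and the attribute userCertificate;binary, the usual attribute for X.509 certificates in LDAP; both are assumptions, and the DN and certificate bytes are constructed.

```python
import base64
from typing import Iterable, List, Optional, Tuple

LINE_WIDTH = 76                      # RFC 2849: fold lines longer than 76 characters
ATTRIBUTE = "userCertificate;binary"  # assumed attribute for the certificate value


def _fold(line: str) -> str:
    """Fold one logical LDIF line; continuation lines start with a single space."""
    chunks = [line[:LINE_WIDTH]]
    rest = line[LINE_WIDTH:]
    while rest:
        chunks.append(" " + rest[:LINE_WIDTH - 1])
        rest = rest[LINE_WIDTH - 1:]
    return "\n".join(chunks)


def _dn_line(dn: str) -> str:
    """A DN that is not safe ASCII must be base64-encoded and written as 'dn:: ...'."""
    if dn.isascii() and not dn.startswith((" ", ":", "<")):
        return f"dn: {dn}"
    return f"dn:: {base64.b64encode(dn.encode('utf-8')).decode('ascii')}"


def certificate_ldif(entries: Iterable[Tuple[str, Optional[bytes]]],
                     remove: bool = False) -> str:
    """Build one 'changetype: modify' record per marked user.

    entries: (Distinguished Name, DER-encoded certificate). With remove=True the
    certificate may be None, which deletes every value of the attribute.
    """
    records = []
    for dn, der in entries:
        lines = [_dn_line(dn), "changetype: modify",
                 f"{'delete' if remove else 'add'}: {ATTRIBUTE}"]
        if der is not None:
            # Binary values are written base64-encoded after a double colon.
            lines.append(_fold(f"{ATTRIBUTE}:: {base64.b64encode(der).decode('ascii')}"))
        lines.append("-")
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


def certificates_in_ldif(text: str) -> List[bytes]:
    """Unfold the file and decode the certificate values, so the export can be
    checked against the user list before it is handed to the LDAP administrator."""
    unfolded = text.replace("\n ", "")
    return [base64.b64decode(line[len(ATTRIBUTE) + 3:])
            for line in unfolded.splitlines() if line.startswith(ATTRIBUTE + ":: ")]


# Constructed sample: one user and 260 bytes standing in for a DER certificate.
SAMPLE_DN = "cn=Alice Example,o=Example Corp,c=DE"
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
```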

Figure 60: Write PK List

A choice can be made whether all certificates that the CA has ever issued are copied into the file, or only the current ones. After clicking OK a dialog box opens in which directory and file name have to be entered.

5.3.4.6 User / Write Certificates as ASN.1
With this function the CA can write issued certificates as an ASN.1 structure. To do this the required certificates are marked in the user list and the menu item User/Write Certificates as ASN.1 is clicked. The dialog box below is opened:


Figure 61: Write Certificates

Each certificate is written to its own ASN.1 file. Under Directory the directory in which the files are saved is shown. A click on the disk button opens a dialog box in which you can navigate to the appropriate directory. The file names are composed of the value entered under Prefix and a unique number. In this version only the format ASN.1 can be set.

5.3.4.7 User / Generate Password Form Letter
This function is used to select entries from the CA database for generating an export file, which in turn is used as the data source for the Microsoft Word form letter function (see Chapter 8.3 Inform of Transport Password: Export to Microsoft Word Form Letter). In this way the PSE recipients can easily be informed of their transport passwords by password form letters. To do this, the respective certificates are selected and marked in the user list. Clicking User/Generate Password Form Letter opens the following dialog box.

Figure 62: Generate Password Form Letter

The list Available fields contains the fields that can be exported from the CA database. The list Export fields contains the fields actually to be exported. Using the left/right buttons, entries can be moved from one list to the other. In most cases it is neither necessary nor useful to export all fields. Using the up/down buttons, the order of the fields within the list can be stipulated. With Delete the list is emptied.


Once the fields to be exported and their order have been determined, click OK. A file dialog opens in which directory and name for the export file are set. The export file is in CSV format: each data set has its own line, fields within a data set are separated by semicolons, and the first line of the file contains the names of the exported fields. The export file will often contain security-sensitive data, e.g. the passwords of the generated PSE files. For this reason the export file must always be kept in a secure environment and deleted as soon as it is no longer needed.

5.3.5 Extras
In the menu Extras special functions concerning the CA can be found. Via the item Password Rules a password policy can be established which the CA can oblige the users to follow. With the menu item Options global settings for CA MANAGEMENT are made. Via the item Log-on Profiles... the log-on profiles can be administered.

5.3.5.1 Extras / Password Rules
To support the users for whom the CA creates PSEs in choosing good passwords (cf. Chapter 1.6 Passwords), the CA can prescribe Password Rules which the users' passwords have to meet. The dialog box for this is opened with the menu item Extras/Password Rules.

Figure 63: Password Rules: Rules Editor

In the Rules Editor the norms which the users' passwords must meet are set. With Length Restrictions the upper and lower limits for the length of the password are defined. In Character Set it is determined whether certain kinds of characters are required in the password. With Contents certain passwords are excluded outright, e.g. names known to the system such as user, group, computer and domain names; previous passwords; entries from a referential file containing undesirable passwords (to which the user has read access but only the CA write access); or entries from a referential list compiled in this dialog box (one entry per line). Furthermore the validity period of the user password and the number of times the user can still log on after the validity has expired can be defined. The latter is necessary so that the password can be changed after its expiry. Before insertion in the CA database the rules can be checked with Preview.
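The rule categories of the Rules Editor (Length Restrictions, Character Set, Contents, validity period with grace log-ons) as a checker, added here as a Python example; it is not SECUDE code, and the rule-set layout, the grace-log-on logic and the sample rules and passwords are assumptions constructed for the illustration.

```python
from __future__ import annotations

import string
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Set, Tuple


@dataclass
class PasswordRules:
    """One set of rules as the CA would store it in its database (assumed layout)."""
    # Length Restrictions
    min_length: int = 8
    max_length: int = 50
    # Character Set: classes that must each occur at least once
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_special: bool = False
    # Contents: passwords excluded outright
    system_names: Set[str] = field(default_factory=set)    # user, group, computer, domain names
    previous_passwords: Set[str] = field(default_factory=set)
    forbidden_list: Set[str] = field(default_factory=set)  # referential file / list entries
    # Validity period and number of log-ons still allowed after expiry
    validity_days: int = 90
    grace_logins: int = 3


def load_forbidden_list(text: str) -> Set[str]:
    """Parse a referential list: one entry per line, blank lines ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def check_password(pw: str, rules: PasswordRules) -> List[str]:
    """Return the violated rules; an empty list means the password is acceptable."""
    problems = []
    if not rules.min_length <= len(pw) <= rules.max_length:
        problems.append(f"length must be {rules.min_length}-{rules.max_length} characters")
    classes = {
        "lowercase letter": (rules.require_lower, string.ascii_lowercase),
        "uppercase letter": (rules.require_upper, string.ascii_uppercase),
        "digit": (rules.require_digit, string.digits),
        "special character": (rules.require_special, string.punctuation),
    }
    for name, (required, alphabet) in classes.items():
        if required and not any(c in alphabet for c in pw):
            problems.append(f"missing {name}")
    lowered = pw.lower()
    # Contents checks are case-insensitive; a password that merely contains a
    # system name (e.g. the user name plus a year) is rejected as well.
    if any(name.lower() in lowered for name in rules.system_names if name):
        problems.append("contains a name known to the system")
    if pw in rules.previous_passwords:
        problems.append("password was used before")
    if lowered in {entry.lower() for entry in rules.forbidden_list}:
        problems.append("password is on the forbidden list")
    return problems


def login_permitted(set_on: date, today: date, logins_since_expiry: int,
                    rules: PasswordRules) -> Tuple[bool, bool]:
    """Return (log-on allowed, password change required).

    Before expiry a log-on is always allowed. After expiry the user may still log
    on `grace_logins` times so that the password can be changed; then the PSE is
    locked until the CA intervenes.
    """
    expired = today > set_on + timedelta(days=rules.validity_days)
    if not expired:
        return True, False
    return logins_since_expiry < rules.grace_logins, True
```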


Figure 64: Password Rules: Preview

With Insert the rules are entered into the CA database. Sets of rules already in the database can be modified with Change and deleted with Delete. New cancels all entries in the Rules Editor to allow a new set of rules to be entered. When creating user PSEs it can be defined in the user form for each individual user which set of rules his password must meet (cf. Chapter 6.3 Create User PSEs). The password rules are only available to users working with the program SECUDE PSE MANAGEMENT.

5.3.5.2 Extras / Options
The menu item Extras/Options is active both when logged on and when logged off. The options that can be set with this item are the presettings for the creation of PSEs and general settings for CA MANAGEMENT. The settings in the dialog box Options are treated in detail in Chapter 4 Options.

5.3.5.3 Extras / Log-on Profiles
A CA is unambiguously addressed when a log-on profile is used. The name of the log-on profile appears in the log-on dialog box of CA MANAGEMENT. If you are operating the CA on the same PC on which the log-on profile was created, you already have a log-on profile for this CA. If you want to operate the CA from another PC, however, you must first enter a log-on profile before you can log on. After selecting the menu item Extras/Log-on Profiles the dialog box below opens:

Figure 65: Log-on Profiles

The list shows all known log-on profiles. When you click Add, the following dialog box opens:

Figure 66: Log-on Profile

Under Log-on Profile Name you enter the name by which you later want to address this profile. Under PSE Type you enter whether the PSE is saved in a file system, on a smartcard, or on a RACAL cryptoboard. If you click File, you must complete the text fields PSE Name and CA Directory; with Smartcard you must complete the text fields Card Type, Software Extension and CA Directory; and with RACAL RG 700 the text fields Software Extension and CA Directory.


With a file PSE you must enter the complete path and the name of your PSE in the text field PSE Name. With a smartcard PSE you must enter the operating system of the smartcard in the text field Card Type. With smartcard and RACAL based PSEs you must enter the extension of the PSE in the file system in the text field Software Extension. In the text field CA Directory you must enter the directory in which the CA database is to be found. Each disk button opens a file dialog box where you can navigate to the appropriate directory.

5.3.6 Smartcard
With SECUDE CA MANAGEMENT smartcards can be used instead of a file PSE. Both the CA-PSE and the user PSEs can be stored on a smartcard. The required settings can be made with the drop-down menu item Smartcard.

5.3.6.1 Smartcard / Terminal Setup With the menu item Smartcard/ Terminal Setup it is possible to configure smartcard terminals for both the CA and the user. The software supports the simultaneous operation of two terminals. The CA-PSE on a smartcard can be in the first terminal, whilst the user PSEs are being created on smartcards in the second terminal.

Figure 67: Smartcard Terminal Setup

Different types of smartcard terminals can be configured. It is important that the terminal in use be chosen from the list, otherwise no guarantee can be given for correct functioning. The settings can be tested with the button Test.


If the terminal is not correctly configured or cannot be accessed, the message on the left appears. There are various reasons why a smartcard terminal cannot be addressed:
The terminal is not supported by the software.
The terminal is not connected to a power supply.
The terminal is not connected to the specified port.
The terminal is defective.

If the test is successful, the settings can be saved with Apply or OK; with OK the window is also closed. CA MANAGEMENT signals the successful installation. The dialog box to set up smartcard terminals for user PSEs is identical to the one for CA-PSEs.

5.3.6.2 Smartcard / Info User Smartcard
To get information on the smartcard plugin being used, the terminal, and the card, insert the user smartcard in the terminal and use the menu item Smartcard/Info User Card... . The main point of interest is the entry under Card. If the entry is "with application", a PSE already exists on the card; otherwise the entry is "without application".

Figure 68: Info User Card

5.3.6.3 Smartcard / Unblock Password
When a smartcard has been blocked because of too many retries it can be unblocked here by entering the PUK.


Figure 69: Unblock Password

5.3.6.4 Smartcard / Delete User Card
A smartcard that has been personalised by SECUDE can be deleted using this dialog box. All information stored on the card is irrevocably deleted. Deleting a smartcard is only possible when the password or, depending on the type of card, the PUK is known. When the password has been entered the program asks for confirmation before deleting. Only when the button Yes is clicked is the information on the card deleted. A smartcard can thus be provided with new PSEs several times.

5.3.7 Window
With the drop-down menu Window several windows within CA MANAGEMENT can be arranged. Switching between the user list and revocation list can also be made here. See also Chapter 5.3.2 View.

5.3.8 Help (?)


With Help or the character ? the dialog boxes Info and Info about SECUDE can be opened.

5.3.8.1 ? / Info
The dialog box Info shows among other things the current version number of CA MANAGEMENT. Additionally, all addresses of SECUDE GmbH can be found here.


Figure 70: Info on CA MANAGEMENT

5.3.8.2 ? / Info on SECUDE
In the dialog box Info on SECUDE, information about the library used by SECUDE is shown. Included are the version number, the options that have been set in the SECUDE library, and the supported plugins.

Figure 71: Info on SECUDE

When making queries to SECUDE GmbH, the information from this dialog box should be included.


6 Management of User Data


This chapter explains how a CA using SECUDE CA MANAGEMENT fulfills its main task of maintaining user data and issuing certificates for the users. CA MANAGEMENT creates and administers its database using the interfaces Microsoft Data Access Objects (DAO) and Microsoft Jet Database Engine. This database can be opened with, for example, Microsoft Access. It is, however, not advisable to process the database outside CA MANAGEMENT.

6.1 User List and User Form


The user list is opened with the menu item View/User List. After log-on the user list (i.e. the user view in the CA database) is displayed automatically.

6.1.1 User List


The user list shows the most important fields of the user table from the CA data base. Using the scroll bar the fields and records not on the screen can be viewed.

Column width
The width of a column can be changed by positioning the cursor between the field names. The cursor changes its appearance in this position. By double clicking the mouse here the optimum width is achieved. The width can also be changed by dragging and dropping the dividing line.

Sorting
After log-on the user list is automatically sorted by the column Distinguished Name. By clicking on the field buttons Distinguished Name, Valid from, Valid to, Serial number or Name the table can be sorted as required. Sorting is done in ascending order.

Figure 72: User List


Symbols
The user list displays a number of symbols in different colors on the left of the window. The symbols are a quick way of showing the state of certificates already issued and those being processed:

(blue question mark) Data to issue a certificate have been transferred to the database but the certificate has not yet been issued or the PSE not yet created.
(green tick) The certificate is still valid and will not expire within the set warning period (see Chapter 4.1.4 Warning Periods).
(red exclamation mark) The certificate is still valid but will expire within the set warning period (see Chapter 4.1.4 Warning Periods).
(red cross) The certificate has either already expired or its validity period has not yet begun.
(black lightning) The certificate is revoked (see Chapter 7 Revocation List Management).
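The classification behind these five symbols, as an added Python example (not code from SECUDE CA MANAGEMENT); the record layout, the precedence of revocation over the validity dates, and the sample user list are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, Iterable, Optional


class Symbol(Enum):
    BLUE_QUESTION_MARK = "data registered, certificate or PSE not yet created"
    GREEN_TICK = "valid, expires outside the warning period"
    RED_EXCLAMATION_MARK = "valid, expires within the warning period"
    RED_CROSS = "expired or not yet valid"
    BLACK_LIGHTNING = "revoked"


@dataclass
class UserRecord:
    """The user-list columns the classification needs (assumed layout)."""
    distinguished_name: str
    valid_from: Optional[datetime] = None   # None until the certificate is issued
    valid_to: Optional[datetime] = None
    serial_number: Optional[int] = None
    revoked: bool = False


def symbol_for(record: UserRecord, now: datetime, warning_days: int) -> Symbol:
    """Pick the symbol for one record; `warning_days` is the value set under
    Warning Periods (Chapter 4.1.4)."""
    if record.serial_number is None or record.valid_from is None or record.valid_to is None:
        return Symbol.BLUE_QUESTION_MARK
    if record.revoked:   # assumption: a revoked certificate shows as revoked whatever its dates
        return Symbol.BLACK_LIGHTNING
    if now < record.valid_from or now > record.valid_to:
        return Symbol.RED_CROSS
    if record.valid_to - now <= timedelta(days=warning_days):
        return Symbol.RED_EXCLAMATION_MARK
    return Symbol.GREEN_TICK


def summarize(records: Iterable[UserRecord], now: datetime,
              warning_days: int) -> Dict[Symbol, int]:
    """Count records per symbol, e.g. to see how many PSEs are due for renewal."""
    counts = {s: 0 for s in Symbol}
    for record in records:
        counts[symbol_for(record, now, warning_days)] += 1
    return counts


# Constructed sample user list viewed on 15 April 1999 with a 30-day warning period.
NOW = datetime(1999, 4, 15)
SAMPLE = [
    UserRecord("cn=Pending User,o=Example,c=DE"),
    UserRecord("cn=Alice,o=Example,c=DE", datetime(1998, 4, 1), datetime(2000, 4, 1), 101),
    UserRecord("cn=Bob,o=Example,c=DE", datetime(1998, 5, 1), datetime(1999, 5, 1), 102),
    UserRecord("cn=Carol,o=Example,c=DE", datetime(1997, 1, 1), datetime(1999, 1, 1), 103),
    UserRecord("cn=Dave,o=Example,c=DE", datetime(1999, 5, 1), datetime(2001, 5, 1), 104),
    UserRecord("cn=Eve,o=Example,c=DE", datetime(1998, 1, 1), datetime(2000, 1, 1), 105,
               revoked=True),
]
```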

Behavior
Double clicking the left mouse button opens the user form (see Chapter 6.1.2 User Form). Once the user form is open a single left mouse click displays the selected data set in the user form. When the view of the revocation list is also open, a selected certificate can be dragged and dropped into the revocation list.

6.1.2 User Form


The user form shows one user's complete user record. With the user form user data can be added, changed, or deleted. (An outline of the fields can be found in Chapter 12.1 Fields in the User Form.)

Open the User Form


The user form is opened either by a mouse click on the button shown on the left, or with the menu item User/Record, or simply by a double click on a record in the user form. To select an entry with a double click, the field Distinguished Name must be visible in the CA MANAGEMENT window. Once the user form is open, user data records can be viewed by clicking on the required user entry in the user list. The window User List might well be hidden behind the window User Form. Both windows can be viewed simultaneously by repositioning the window User Form.

Figure 73: User List and User Form

The user form is closed by clicking the button Close.

The Fields of the User Form


The user form is divided into the areas User Data and (as index cards) PSE, with the subordinate fields Signature Certificate and Encryption Certificate, and Certificate. Depending on which fields are required for the user being regarded, only some of these fields (with index cards there may be more than one) may be visible.


Figure 74: User Form

User Data
In the area User Data general information can be entered. These data are optional and have no significance for the creation of the PSE but can help to identify a user more quickly.

Certificate
This index card is visible when it is a PSE created by the user himself and certified by the CA. The number behind the word "Certificate" in the title bar is the serial number issued on certification. For further details on the individual field please see Chapter 6.4 Certification of Incoming Prototype Certificates.

PSE
This index card shows a user PSE created or still to be created by the CA. When a date is shown in the title bar it means that the PSE was created at that time. When no date is shown it means that the PSE is not yet created. Details on the individual fields can be found in Chapter 6.2.2 Enter PSE Data.


Signature / Encryption Certificate


This field contains all necessary certificate data. For a PSE with a single key pair there is only the field Signature Certificate, for a PSE with two key pairs there are the fields Signature Certificate and Encryption Certificate. Details on the individual fields can be found in Chapter 6.2.2 Enter PSE Data.

6.2 Process User Entries


The user form is used to enter the required data for each user and to create with these data the user's required certificate(s) or PSE. SECUDE CA MANAGEMENT allows the PSE to be created immediately after entering the user's data. It is also possible to enter a number of user entries first, then select all the new user entries in the user view and create the PSEs for them en bloc (see Chapter 6.3 Create User PSEs).

Different criteria apply to user entries for which certificates already exist. Their data can be processed only to a limited degree and cannot be deleted. A certificate once issued remains valid for the period defined in Valid from and Valid until (unless it must be revoked for some reason). A CA is obliged to give information on the validity of a certificate, and deleting a user entry from the database would have no effect on this. Therefore it is not possible to delete such a data entry.

When a user entry for which no PSE has been created is displayed in the user form, all fields can be processed. When a PSE has already been created for a user entry, all fields with the exception of User Data are blocked. This is shown by the graying out of the inactive fields.

6.2.1 Register a New User


To register a new user click the menu item User/Register... or the corresponding button of the toolbar. An empty user form appears. If the user form is already open and showing a user entry, a click on the button New produces an empty form for the new user. The individual text fields in the area User Data are self-explanatory.

6.2.2 Enter PSE Data


After a new user has been registered, the message "No PSE or Certificate data available" is shown in the lower area of the user form. Clicking New PSE sets up the data set for creating a PSE for this user. As more than one PSE can be issued for a single user, New PSE can also be used when PSE data are already shown in the lower area of the user form; you then get a further PSE index card. Give each new PSE a distinct PSE name. All fields are pre-filled with default values, which are set under Options (see Chapters 4.2.1 Issuer and 4.2.2 PSE Options). The meaning of the individual fields in the area PSE is explained in the following section. When all entries have been made, click Update to write the record to the database.

Meaning of the PSE Fields


The field Profile is not supported in this version of CA MANAGEMENT; it is reserved for a later version.

The fields PSE Name and PSE Directory are active when a file PSE is to be created; they contain the file name and the directory of the file to be created. The field Card Type is active when a smartcard PSE is to be created; select the required card type here.

With the field One Key Pair you control whether the PSE gets one or two key pairs. In a PSE with two key pairs one pair is used for authentication, i.e. for signing, and the other for encryption. In a PSE with only one key pair (one certificate) that pair is used for both purposes.

In the field Password you determine whether the PSE password is generated automatically; the password text field is then blocked, and the length of the generated password is set under Options. If the password is not to be generated automatically, remove the tick from the selection box and enter a password. A password can be up to 50 characters long; the exception is the smartcard password, which has exactly eight characters. If the user has to follow certain password rules, the name of the relevant rule set is entered in the field Rules; how password rules are defined is described in Chapter 5.3.5.1 Extras / Password Rules. Password rules cannot be stipulated for smartcard PSEs. Instead, an error limit is required for the smartcard password. It states how often an incorrect password may be entered before the card blocks itself; the maximum value varies from card to card.

In the area PUK the PUK (password unblocking key) is either generated automatically by ticking the selection box or entered manually. The PUK is used to unblock a smartcard after too many wrong password entries; the field is therefore grayed out for file PSEs. The PUK also has an error limit, which SECUDE CA MANAGEMENT presets to three.

Card Number is the serial number of the smartcard. This field is completed automatically after the creation of a smartcard PSE.
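The password handling described above, as an added example in Python that is not part of this manual or of SECUDE's software: a generator for transport passwords that draws from the operating system's random source, re-draws file PSE passwords until they satisfy a rule set, and a small model of the smartcard's retry counters (the password error limit and the PUK error limit of three). The rule set, the minimum length of 8 for file PSE passwords and the purely numeric smartcard PIN are assumptions made for the example.

```python
import hmac
import secrets
import string

# Limits taken from the manual: a file PSE password has up to 50 characters,
# a smartcard password exactly 8, and the PUK error limit is preset to three.
# The minimum of 8 characters for file PSE passwords is an assumption.
FILE_PSE_MIN_LEN = 8
FILE_PSE_MAX_LEN = 50
SMARTCARD_PIN_LEN = 8
PUK_ERROR_LIMIT = 3


def password_meets_rules(password):
    """Hypothetical rule set standing in for an entry of the Password Rules
    editor: at least one letter, one digit, and no character three times in a row."""
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    no_runs = all(password[i:i + 3] != password[i] * 3
                  for i in range(len(password) - 2))
    return has_alpha and has_digit and no_runs


def generate_transport_password(length, smartcard=False):
    """Generate the transport password the CA puts on a new PSE.

    Uses the OS CSPRNG (secrets), never random(). For smartcards a numeric PIN
    is produced (assumption: keypad terminals accept digits only). For file
    PSEs the candidate is re-drawn until it satisfies the rule set, so that an
    automatically generated password is never weaker than a manual one.
    """
    if smartcard:
        if length != SMARTCARD_PIN_LEN:
            raise ValueError("smartcard passwords have exactly %d characters" % SMARTCARD_PIN_LEN)
        return "".join(secrets.choice(string.digits) for _ in range(length))
    if not FILE_PSE_MIN_LEN <= length <= FILE_PSE_MAX_LEN:
        raise ValueError("file PSE password length must be %d..%d"
                         % (FILE_PSE_MIN_LEN, FILE_PSE_MAX_LEN))
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if password_meets_rules(candidate):
            return candidate


class SmartcardPinState:
    """Model of the card-side retry counters described for smartcard PSEs.

    After error_limit wrong PINs the card blocks itself; the PUK unblocks it
    and sets a new PIN; after PUK_ERROR_LIMIT wrong PUKs the card is blocked
    for good. A real card enforces this in hardware; the model only shows the
    semantics the operator configures.
    """

    def __init__(self, pin, puk, error_limit):
        self._pin = pin
        self._puk = puk
        self.error_limit = error_limit
        self.pin_tries_left = error_limit
        self.puk_tries_left = PUK_ERROR_LIMIT

    @property
    def blocked(self):
        return self.pin_tries_left == 0

    @property
    def permanently_blocked(self):
        return self.puk_tries_left == 0

    def verify_pin(self, pin):
        if self.blocked:
            return False
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.pin_tries_left = self.error_limit   # a correct PIN resets the counter
            return True
        self.pin_tries_left -= 1
        return False

    def unblock(self, puk, new_pin):
        if self.permanently_blocked:
            return False
        if hmac.compare_digest(puk.encode(), self._puk.encode()):
            self._pin = new_pin
            self.pin_tries_left = self.error_limit
            self.puk_tries_left = PUK_ERROR_LIMIT
            return True
        self.puk_tries_left -= 1
        return False
```

The rejection loop terminates quickly for any length of 8 or more, since a random 8-character string from this alphabet almost always contains both a letter and a digit; it simply guarantees that the Options setting "generate automatically" never produces something the user's own rule set would reject.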


Meaning of the Certificate Fields


In the field Distinguished Name the Distinguished Name of the PSE owner (user) is entered. When the box Distinguished Name is Prefix is ticked, the Distinguished Name of the CA is appended to the entry in the field Distinguished Name when the certificate is issued. In this way the certification hierarchy is visible in the Distinguished Name itself.

Under Valid from enter the date from which the certificate is valid (the default is the current date) and under Valid until the end of the validity period. The format of these fields follows the date settings of the Windows Control Panel.

In the field Issuer Algorithm the algorithm with which the CA signs the certificate is entered. The field Algorithm contains the algorithm the user employs for signing and encrypting, and the field Key Size the length of the corresponding keys. Version shows whether an X.509v1 or X.509v3 certificate is created. For an X.509v3 certificate the button V3 Extensions opens the dialog box in which the certificate extensions supported by SECUDE CA MANAGEMENT can be set.

If a PSE with two key pairs is required, the same entries are made in the area Encryption Certificate.
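The effect of the option Distinguished Name is Prefix, as an added example in Python that is not code from this manual or from SECUDE: the user's RDNs are composed in front of the CA's Distinguished Name, attribute values are escaped according to RFC 2253 so that a user-supplied name containing a comma cannot smuggle in an additional RDN, and a check tests whether the issuer's DN is a suffix of the subject's DN, i.e. whether the hierarchy is visible in the name as the manual describes. All DN strings are constructed for the example.

```python
# Characters that RFC 2253 requires to be escaped inside an attribute value.
_SPECIAL = ',+"\\<>;'


def escape_rdn_value(value):
    """Escape an attribute value so it cannot be parsed as further RDNs."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def _trim(rdn):
    """Drop the whitespace around an RDN but keep an escaped trailing space."""
    rdn = rdn.lstrip()
    return rdn if rdn.endswith("\\ ") else rdn.rstrip()


def split_dn(dn):
    """Split a DN string into its RDN strings, honouring backslash escapes."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append(_trim("".join(current)))
            current = []
        else:
            current.append(ch)
    rdns.append(_trim("".join(current)))
    return rdns


def build_subject_dn(user_rdns, ca_dn, dn_is_prefix=True):
    """Compose the subject DN the way 'Distinguished Name is Prefix' does:
    the user's (attribute, value) pairs first, the CA's DN appended."""
    user_part = ", ".join("%s=%s" % (attr, escape_rdn_value(value))
                          for attr, value in user_rdns)
    return "%s, %s" % (user_part, ca_dn) if dn_is_prefix else user_part


def issued_under(subject_dn, issuer_dn):
    """True if issuer_dn is a proper suffix of subject_dn, i.e. the
    certification hierarchy can be read off the subject's name."""
    subject, issuer = split_dn(subject_dn), split_dn(issuer_dn)
    return len(subject) > len(issuer) and subject[-len(issuer):] == issuer
```

The escaping matters because the user, not the CA, supplies the text of the Distinguished Name field: without it an entry such as "Eve, OU=Admins" would be certified as two RDNs and would place the user in an organizational unit the CA never intended.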

6.2.3 Register Certificate


As described in Chapter 1.3 Issue Certificates for Users under the item User creates PSE, the PSE may be created not by the CA but by the user himself. In this case the user must send his public key (as a prototype certificate) to the CA for certification. The button Read Certificate opens a file dialog box in which the certification request is read in. The certificate is then displayed so that you can check whether the correct information has been read in.

The data are verified by clicking the index card Checksums (Fingerprints) and comparing the value Checksum of the Public Key with the value the user has communicated to you by a separate channel (in person, by telephone or by letter, never in the same message as the request itself). The two values must be identical. If they differ, reject the request: somebody may be trying to have a key certified under another person's name. When you agree with the data, click OK and a new certificate index card is created. All fields that are not blocked can be adjusted by the CA as required. The meaning of the individual fields is described in Chapter 6.2.2 Enter PSE Data under Meaning of the Certificate Fields.
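The fingerprint comparison described above, as an added example in Python that is not part of this manual or of SECUDE's software: the PEM-armored request is decoded, the subjectPublicKey BIT STRING is located with a minimal DER walker (it is the first BIT STRING in document order of an X.509 certificate; the signature BIT STRING comes later), its fingerprint is computed, and the value the user sent over a separate channel is normalized and compared in constant time. The sample prototype certificate is a constructed skeleton built by the block's own tiny DER encoder, not a real certificate, and hashing the BIT STRING contents is an assumption about what the product's Checksum of the Public Key covers.

```python
import base64
import hashlib
import hmac
import re


def _tlv(tag, content):
    """Minimal DER encoder (tag, length, value); only used to build the sample."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def seq(*items):
    return _tlv(0x30, b"".join(items))


def integer(value):
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def bit_string(data):
    return _tlv(0x03, b"\x00" + data)   # first octet: number of unused bits


# Constructed stand-in for a prototype certificate. The X.509 field order is
# kept (tbsCertificate, signatureAlgorithm, signatureValue) but the contents
# are placeholders; only the key bits matter for the fingerprint check.
SAMPLE_PUBLIC_KEY_BITS = b"abc"
SAMPLE_DER = seq(
    seq(
        _tlv(0xA0, integer(2)),                                   # [0] version v3
        integer(4711),                                            # serialNumber
        seq(_tlv(0x06, bytes.fromhex("2a864886f70d010105"))),     # sha1WithRSAEncryption
        seq(),                                                    # issuer (placeholder)
        seq(),                                                    # validity (placeholder)
        seq(),                                                    # subject (placeholder)
        seq(seq(), bit_string(SAMPLE_PUBLIC_KEY_BITS)),           # subjectPublicKeyInfo
    ),
    seq(),                                                        # signatureAlgorithm
    bit_string(b"self-signature placeholder"),                    # signatureValue
)
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


def pem_to_der(pem):
    """Strip the PEM boundaries and any RFC 1421 header lines, decode base64."""
    lines = [line.strip() for line in pem.splitlines()]
    body = [l for l in lines if l and not l.startswith("-----") and ":" not in l]
    return base64.b64decode("".join(body), validate=True)


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, pos, pos + length


def first_bit_string(der, start=0, end=None):
    """Depth-first search for the first BIT STRING (tag 0x03). Returns its
    contents without the unused-bits octet, or None if there is none."""
    end = len(der) if end is None else end
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(der, pos)
        if tag == 0x03:
            return der[vstart + 1:vend]
        if tag & 0x20:                    # constructed type: descend before moving on
            found = first_bit_string(der, vstart, vend)
            if found is not None:
                return found
        pos = vend
    return None


def fingerprint(data, algorithm="sha1"):
    """Colon-separated hex digest, the way fingerprints are usually displayed."""
    digest = hashlib.new(algorithm, data).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp):
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def public_key_matches(request_pem, fingerprint_from_user, algorithm="sha1"):
    """The check of 6.2.3: the fingerprint computed from the request must equal
    the one the user communicated out of band; any mismatch rejects the request."""
    key_bits = first_bit_string(pem_to_der(request_pem))
    if key_bits is None:
        return False
    computed = _normalize(fingerprint(key_bits, algorithm))
    return hmac.compare_digest(computed, _normalize(fingerprint_from_user))
```

Normalizing both sides (case, colons, spaces) before the comparison avoids false rejections when the user reads the value over the telephone, while the constant-time comparison is simply good habit for anything that decides whether a request is accepted.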


6.2.4 Create Further PSEs for Same User


An entry can be extended with further PSEs or certificates by clicking the record in the user list, which opens the user form. Clicking the button New PSE or Read Certificate creates a new index card for the additional PSE in the user form. On Update the corresponding record is added to the database; before that, the entry can, of course, still be changed.

6.2.5 Delete a User Entry


As long as no PSE has been issued for a user, the complete entry can be deleted from CA MANAGEMENT with the button Delete in the area User Data. If a PSE has already been issued, the user entry cannot be deleted from the CA database, because a record of every issued certificate must be kept.

6.2.6 Delete a PSE Data Set


As long as the PSE data set has been registered but the PSE not yet issued, the PSE data set can be deleted with the button Delete on the PSE index card. After a PSE has been created for a user only the general user data can be changed. All other fields are blocked. A certificate once issued cannot be changed. Should a certificate have to be declared invalid, it must be revoked through the revocation list.

6.2.7 Delete a Certificate Data Set


As long as the certification request has only been read in, but no certificate issued, the certificate data set can be deleted with the button Delete on the certificate index card. A certificate once issued cannot be changed. Should a certificate have to be declared invalid, it must be revoked through the revocation list.

6.3 Create User PSEs


SECUDE CA MANAGEMENT allows the creation of a PSE immediately after the user entry has been registered. Another possibility is to register a number of user entries, to select these in the user list, and to create PSEs for these collectively. Both possibilities will be discussed here.


6.3.1 Create Individual PSEs


After the PSE data have been registered (see Chapters 6.2.1 Register a New User and 6.2.2 Enter PSE Data), the PSE for the user can be issued. The PSE is created from the entered data by clicking the button Create on the relevant index card. CA MANAGEMENT first checks the data entered. The PSE creation process can be followed step by step; generating the authentication key pair takes the longest time.

Figure 75: PSE is being created

After the PSE has been created the message on the left is shown. It is confirmed by clicking OK.

6.3.2 Create Several PSEs


Several PSEs can be generated in one go by marking in the user list those user entries for which a PSE is required. Several entries are marked by mouse click in combination with the Ctrl or Shift key. Then the menu item User/Create List of PSEs is selected or the toolbar button shown on the left is clicked. All the selected user PSEs are then created; progress can be followed in the status bar.


Figure 76: PSE Creation

After the PSEs have been created the above dialog box is closed with OK. If a user entry for which a PSE has already been created is selected, CA MANAGEMENT ignores this entry. The certificates of the created PSEs can be inspected in detail by clicking the button Display Certificate at the bottom of the relevant index card; in particular, the user's public key and the serial number of the certificate are shown there.

6.4 Certification of Incoming Prototype Certificates


PSEs created by the user himself (or rather their prototype certificates) can be certified by the CA to include them in the certification structure. To this end the user sends the prototype certificate he has created to the CA responsible for him. Once the CA knows where the file containing the prototype certificate can be found, the certificate request is processed; how the request is read in is described in Chapter 6.2.3 Register Certificate.

Further processing of the prototype certificate takes place in the user form. The number of certificates depends on the number of key pairs: one certificate per key pair. At this stage all parameters except the user's public key can be modified, and the area User Data can be completed. Clicking the button Issue signs the certificate with the CA key, making it valid within the certification structure. From then on nothing but the user data can be changed; all other fields are grayed out, and the serial number appears in the title bar of the index card.


Once the certificate has been issued, it can be copied into a file accessible to the user with the button Export. Please note that the certificates can only be issued as PEM files if the certificate request was written in a PEM file.

Figure 77: Export Certificate

The user then only has to be told where to find this file. The prototype certificate and the issued certificate contain only public data, so this transfer needs no confidentiality protection: no encryption and no password are required. The integrity of the certificate is protected by the CA's signature on it.

6.5 Write Again User PSE


If the user, for whatever reason, has failed to install the PSE issued for him or has inadvertently deleted it, the same PSE can be written again into a file from which the user can fetch it, using the button Write again on the PSE index card. This function is only available for file PSEs and only if the option Save Created PSEs and Certificates in Database (see Chapter 4.2.1 Issuer) is set, as the PSE is otherwise not stored in the database.

6.6 Subsequent Inclusion of an Existing PSE in a Smartcard


An issued user PSE can be transferred to a smartcard at a later date. To do this click the button Smartcard on the PSE index card. The following conditions must be fulfilled: the PSE must be a file PSE, and the option Save Created PSEs and Certificates in Database (see Chapter 4.2.1 Issuer) must be set, as the PSE is otherwise not stored in the database. The following dialog box opens:


Figure 78: Write PSE on Smartcard

The meaning of these fields (card type, error limit, PUK) is explained in Chapter 6.2.2 Enter PSE Data under Meaning of the PSE Fields. After clicking OK the PSE is written to the inserted empty smartcard; while this is happening a Wait message is shown. Once the PSE has been written to the smartcard, the user gets a new PSE index card with the corresponding entries.


7 Revocation List Management


One of the main functions of a CA is drawing up and maintaining revocation lists. A revocation list is a digitally signed list of all certificates the CA has issued and subsequently revoked before their expiry date. Up-to-date revocation lists must be made available to the users at regular intervals. To process the revocation list, click Revocation List in the menu View. The dialog box below appears:

Figure 79: CA Revocation List

The dialog box is split up into three areas. The list with the revoked certificates, below that information on the last given digital signature, and on the right the buttons.

7.1 List Area


In the list area the serial number, the date the certificate was revoked, and the Distinguished Name of the certificate owner are shown. The structure that is later distributed to the users as the revocation list no longer contains the Distinguished Names, since a revoked certificate is unambiguously identified by its serial number.

The first column contains a symbol, either a tick or a lightning flash. The tick means that the certificate was added to the revocation list after the list was last signed. It is therefore not yet visible to the users: before the revocation list can be distributed it must be digitally signed. At this stage the certificate can still be removed from the list with the button Delete. The lightning flash means that the certificate is part of a validly signed list. It can no longer be deleted: a certificate once revoked cannot be made valid again.


7.2 Information on the Digital Signature


In the lower area of the dialog window you find information on the revocation list's digital signature: the Distinguished Name of the issuer of the revocation list (the CA), the Issuer Algorithm used and the validity period. The field Last Update shows the date on which the list was last signed, the field Next Update the date on which the list expires. Once this date has passed the list may no longer be used to verify digital signatures; a verification that relies on an expired revocation list fails. Choose the Next Update date so that a freshly signed list is always distributed before the current one expires.

7.3 Buttons
With the buttons the revocation list can be processed.

7.3.1 Add
With Add new entries can be made in the revocation list.

Figure 80: Add Entries to Revocation List

In the field Serial Number you can enter one or more serial numbers (separated by commas) of certificates to be revoked. After clicking Search, CA MANAGEMENT looks up the certificates in the certificate database and enters the corresponding Distinguished Names in the lower field. A serial number that was not issued by this CA, or whose certificate is already revoked, is, of course, not entered. You can now check the details you have entered. When you click Add the entries are included in the revocation list. In the revocation list view these entries carry a tick, because the extended list has not yet been signed. At this point you can still delete certificates that were included by mistake.


7.3.2 Sign
Before a revocation list can be distributed to the users, it must be digitally signed so that the users can verify its authenticity. Clicking Sign... opens the following dialog box:

Figure 81: Sign Revocation List

Here the Issuer Algorithm and the date of the Next Update can be set. Further information on the field Next Update can be found in Chapter 7.2 Information on the Digital Signature.

7.3.3 Verify
With Verify the validity of the revocation list signature can be verified.
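The revocation list workflow of Chapters 7.1 and 7.3.1 to 7.3.3 (add, delete only while still pending, sign, verify), as an added example in Python that is not part of this manual or of SECUDE's software. The certificate database, the CA name and the signing key are constructed for the example; HMAC-SHA256 stands in for the CA's RSA signature because the Python standard library has no RSA, and the structure that is authenticated carries serial numbers and revocation dates only, not Distinguished Names, as the manual describes for the distributed list.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed certificate database of this CA: serial number -> owner DN.
# A serial that is not in here was not issued by this CA and is ignored on Add.
SAMPLE_CERT_DB = {
    1001: "CN=Alice Example, O=Example Corp, C=DE",
    1002: "CN=Bob Example, O=Example Corp, C=DE",
    1003: "CN=Carol Example, O=Example Corp, C=DE",
}
CA_DN = "CN=Example CA, O=Example Corp, C=DE"
CA_SIGNING_KEY = b"constructed stand-in for the signing key in the CA-PSE"
T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)


def at(days):
    """Clock helper for the example: T0 plus a number of days."""
    return T0 + timedelta(days=days)


class RevocationList:
    """State behind the Revocation List view. Every entry is either pending
    (the tick: added since the last signature, may still be deleted) or
    signed (the lightning flash: part of a published list, final)."""

    def __init__(self, issuer_dn, cert_db):
        self.issuer_dn = issuer_dn
        self.cert_db = cert_db
        self.entries = {}        # serial -> {"revoked": datetime, "dn": str, "signed": bool}
        self.last_update = None
        self.next_update = None
        self.signature = None

    def add(self, serials, now):
        """Add serials; unknown or already revoked ones are skipped (7.3.1)."""
        added = []
        for serial in serials:
            if serial not in self.cert_db or serial in self.entries:
                continue
            self.entries[serial] = {"revoked": now, "dn": self.cert_db[serial], "signed": False}
            added.append(serial)
        return added

    def status(self, serial):
        return "signed" if self.entries[serial]["signed"] else "pending"

    def can_delete(self, serial):
        entry = self.entries.get(serial)
        return entry is not None and not entry["signed"]

    def delete(self, serial):
        """Only a pending entry can be removed; a published revocation is final."""
        if not self.can_delete(serial):
            raise ValueError("serial %r is not a pending entry" % serial)
        del self.entries[serial]

    def _to_be_signed(self):
        """Canonical encoding of what is distributed: issuer, dates and the
        signed (serial, revocation date) pairs, without Distinguished Names."""
        revoked = sorted((s, e["revoked"].isoformat())
                         for s, e in self.entries.items() if e["signed"])
        body = {"issuer": self.issuer_dn,
                "lastUpdate": self.last_update.isoformat(),
                "nextUpdate": self.next_update.isoformat(),
                "revoked": revoked}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def sign(self, key, now, validity_days=7):
        """Publish (7.3.2): pending entries become signed, Last Update and
        Next Update are set, and the structure is authenticated. HMAC-SHA256
        stands in for the CA's RSA signature."""
        self.last_update = now
        self.next_update = now + timedelta(days=validity_days)
        for entry in self.entries.values():
            entry["signed"] = True
        self.signature = hmac.new(key, self._to_be_signed(), hashlib.sha256).digest()

    def verify(self, key, now):
        """What a user checks (7.3.3 and 7.2): authentic, and Next Update not passed."""
        if self.signature is None:
            return False
        expected = hmac.new(key, self._to_be_signed(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, self.signature) and now <= self.next_update

    def is_revoked(self, serial):
        """Relying-party view: only entries of the signed list count."""
        entry = self.entries.get(serial)
        return entry is not None and entry["signed"]
```

Two details are worth noticing: an entry added after the last signature does not change the outcome of verify, because it is not yet part of the authenticated structure (it is invisible to users until the next Sign), and any change to a signed entry, even to its revocation date, invalidates the signature.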

7.3.4 Save in PSE


With the button Save in PSE the revocation list is saved in one's own CA-PSE.

7.3.5 Save in PEM File


This and the next two buttons are concerned with the distribution of the revocation list to the users. With Save in PEM file you save the list in PEM format: a file dialog box opens in which the directory can be selected and the file name entered. The PEM file can then be distributed to the users by e-mail or via a file server. Further information on revocation lists in PEM format can be found in [RFC 1422], Chapter 3.5.2 PEM CRL Format.

7.3.6 Save in Directory


Under the Options index card X.500 (see Chapter 4.1.3) you have configured the directory service to be used. When you click Save in Directory the revocation list is stored in that directory. The participants in the certification infrastructure can now retrieve the list there, or it is applied automatically during verification if the users have configured this in PSE Management.

7.3.7 Save in ldif File


If CA MANAGEMENT has no direct access to the LDAP directory, for example because it runs on a PC that is not connected to a network, the revocation list can be saved as an ldif file. The ldif file is then handed to the LDAP administrator, who loads it into the LDAP directory.
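The two distribution formats of Chapters 7.3.5 and 7.3.7, as an added example in Python that is not from this manual or from SECUDE: PEM armoring of a DER-encoded revocation list, and an LDIF change record that replaces the certificateRevocationList;binary attribute of the CA's directory entry, with the base64 value and line folding that RFC 2849 requires, plus the reverse step so that the file can be checked before it is handed to the LDAP administrator. The PEM label "X509 CRL" is the OpenSSL convention and an assumption here; the DER bytes and the directory DN are constructed placeholders.

```python
import base64

LDIF_LINE_MAX = 76   # RFC 2849: longer lines are folded onto continuation lines


def pem_encode(der, label="X509 CRL"):
    """Wrap DER bytes in a PEM envelope with 64-character base64 lines.
    "X509 CRL" is the OpenSSL label for a CRL (assumption: check what the
    users' PSE Management accepts)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def pem_decode(pem, label="X509 CRL"):
    """Inverse of pem_encode; refuses a file whose boundary carries another label."""
    begin, end = "-----BEGIN %s-----" % label, "-----END %s-----" % label
    lines = [line.strip() for line in pem.splitlines()]
    if begin not in lines or end not in lines:
        raise ValueError("missing PEM boundary for %s" % label)
    body = lines[lines.index(begin) + 1:lines.index(end)]
    return base64.b64decode("".join(body), validate=True)


def _fold(line):
    """Fold one LDIF line; continuation lines start with a single space."""
    if len(line) <= LDIF_LINE_MAX:
        return [line]
    out = [line[:LDIF_LINE_MAX]]
    rest = line[LDIF_LINE_MAX:]
    while rest:
        out.append(" " + rest[:LDIF_LINE_MAX - 1])
        rest = rest[LDIF_LINE_MAX - 1:]
    return out


def crl_ldif(ca_entry_dn, der):
    """LDIF change record that replaces certificateRevocationList;binary on
    the CA's directory entry. '::' marks a base64-encoded value (RFC 2849)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = ["dn: " + ca_entry_dn,
             "changetype: modify",
             "replace: certificateRevocationList;binary"]
    lines += _fold("certificateRevocationList;binary:: " + b64)
    lines += ["-", ""]
    return "\n".join(lines) + "\n"


def ldif_binary_values(ldif):
    """Unfold an LDIF record and decode its '::' attributes, returning
    attribute name -> bytes. Used to check the file before it is handed on."""
    unfolded = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    values = {}
    for line in unfolded:
        if ":: " in line:
            attr, b64 = line.split(":: ", 1)
            values[attr] = base64.b64decode(b64, validate=True)
    return values
```

The "changetype: modify / replace" form matters in practice: an "add" record would fail once the attribute already exists on the CA entry, whereas replace installs the new list whether or not an old one is present.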


8 Import and Export of User Data


SECUDE CA MANAGEMENT allows user data to be imported. The dialog box for importing is found under the menu File/Import. Data from SAP R/3 (from Version 3.1G) and CA data created under Windows with the command line version of SECUDE can be imported.

8.1 Import of SAP R/3 User Data


The function File/Import/SAP-Report transfers user data from R/3 to CA MANAGEMENT. In R/3 the report RSUSR402 is run; it generates an ASCII file of the same name that can be read with any text editor. The file RSUSR402 contains user data such as surname, first name and the validity period of the SAP R/3 account. A section of the contents of the file RSUSR402 is shown below.

Figure 82: View of RSUSR402

Before importing external data it is advisable to make a backup copy of the current state of the CA data base.

Options for Copying RSUSR402


Before importing the SAP report, open the Program Options of CA MANAGEMENT and check the following settings, adapting them to your requirements if necessary:
Copy SAP Report (see Chapter 4.1.1 Program Options)
Issuer Options (see Chapter 4.2.1 Issuer)
Owner Options (see Chapter 4.2.2 PSE Options)

Import/SAP-Report
After selecting SAP Report a dialog box appears with which the file to be imported can be selected.


Figure 83: Import SAP Report

The file RSUSR402 is selected and the button Open clicked, which starts a check of the file contents. If the contents and structure of the file correspond to those of the report RSUSR402, the query on the left appears and is confirmed with OK. The data are then read into CA MANAGEMENT.

8.2 Import of SECUDE Data


In rare cases it may be necessary to import data from a CA that was set up with a previous (command line) version of SECUDE. Before the import, the related CA-PSE must be opened: click the Log On button and select the CA-PSE (see Chapter 5 Management of the CA). When the menu item File/Import/SECUDE is selected, you are asked whether the data are really to be imported; confirm with Yes and the data are read.

For each certificate created with the previous SECUDE version a user entry is filed. CA MANAGEMENT does not distinguish between two certificates from two different PSEs and one PSE with two key pairs; in either case two user entries are created. Successful execution of the import is acknowledged.

CA MANAGEMENT does not check whether the data sets to be loaded are already present in the database, so importing the same data twice produces duplicate entries. Make a backup before carrying out this function.


8.3 Inform of Transport Password: Export to Microsoft Word Form Letter


When Microsoft Office 95 (or higher) is installed, the Microsoft Word Mail Merge function can be used, for example, to inform users of their transport password. After an export file has been generated from the CA database via User / Generate Password Form Letter (see section 5.3.4.7), the password form letters can be written with the Mail Merge function of Microsoft Word. As an example we describe here how to proceed with Microsoft Word 97.

1. Open Microsoft Word and generate an empty document.
2. Click Tools / Mail Merge.
3. In the Mail Merge Helper dialog select Main document / Create / Form Letters and then click Active Window.
4. In the Mail Merge Helper dialog select Data source / Get Data / Open Data Source. In the file dialog set the file type to All Files (*.*) and select your export file.
5. The toolbar for forms should now be displayed in the Word document window. If this is not the case, select View / Toolbars / Forms.

Figure 84: Form Letter Icon Bar of Word

With Insert Merge Field the merge fields are inserted into the Word document. When you click the merge button of the icon bar, Word fills the merge fields with the corresponding data, and the form letters are ready for printing. If you want to modify the CSV file generated by CA MANAGEMENT, select Data source / Edit / <CSV file> in the Mail Merge Helper dialog. Details on writing form letters can be found in the Word manual or in the Word help (function key F1) under the term Mail Merge.

Never edit the CA database with Access: it would become unusable for SECUDE. In particular, never change the CA password with Access!

Note that the export file contains the transport passwords in clear text. Delete it as soon as the form letters have been printed and do not leave it on a shared drive.


9 Glossary

CA
See Certification Authority.

Certification Authority
A Certification Authority (CA) issues certificates for users of a security infrastructure and maintains revocation lists.

DES
DES stands for Data Encryption Standard and is an encryption procedure in which the same key is used both for encryption and decryption. (Such procedures are called symmetrical.)

GSS-API
Generic Security Service Application Programming Interface. An interface developed by the Internet Engineering Task Force (IETF) which allows applications to be provided with security functionality.

Hybrid Process
A combination of symmetric and asymmetric cryptography is called Hybrid process.

Password
A string of letters, digits and special characters with which something, e.g. a PSE, is protected against unauthorised access.

PIN
Personal Identification Number; a password consisting of figures only, e.g. for card terminals with their own key pads.

Prototype Certificate
A prototype certificate is a self-signed certificate, i.e. its signature was created with the private key belonging to the public key it contains. Only when the prototype certificate has been certified by a certification authority does it become a certificate.

PSE
The PSE is the personal security environment which every SECUDE user needs. Security-relevant information is stored in the PSE: the certificate and the corresponding private key. The PSE can be stored as a DES-encrypted file or on a smartcard.


Revocation List
A revocation list is a list of certificates that have been declared invalid by the issuing certification authority before their expiry date. The certification authority maintains this list and must publish it, i.e. keep it up to date and at regular intervals make it available to all participants.

Root Authority
The root authority is a certification authority which is not certified by any other CA. Its certificate is signed by its own private key.

RSA
A cryptographic algorithm named after Rivest, Shamir, and Adleman. It is based on the presence of pairs of keys that have a special relationship to each other. Anything that has been encrypted with one of the two keys can only be decrypted with the other. (Such procedures are called asymmetrical.)

SAPlpd
SAPlpd denotes software from SAP AG which allows spooling for print jobs in the R/3 environment.

SNC
Secure Network Communications denotes the module which deals with the communication to an external library in the SAP R/3 system. The library is addressed by means of GSS-API functions and allows R/3 access to security functions as realised by SECUDE.

Transport Password
A new PSE is encrypted by CA MANAGEMENT with a Transport Password. This password ensures the security of the PSE on its way from the CA to the user. The user is informed of the password by the CA (e.g. by post) and is advised to change it immediately.


10 Figures and Tables


Figure 1: Elements of a PSE ...........................................................................4 Figure 2: CA creates PSE................................................................................5 Figure 3: User creates PSE.............................................................................6 Figure 4: Internet Installation .........................................................................10 Figure 5: Unpacking ......................................................................................10 Figure 6: Welcome Window of the Installation ..............................................11 Figure 7: Software License Agreement .........................................................11 Figure 8: User Information.............................................................................12 Figure 9: Set Destination Directory................................................................12 Figure 10: Select Program Folder .................................................................13 Figure 11: Start of Installation........................................................................13 Figure 12: Install SECUDE Ticket .................................................................13 Figure 13: Information on Installed Components...........................................14 Figure 14: Setup complete ............................................................................14 Figure 15: Exit Setup .....................................................................................15 Figure 16: Log On..........................................................................................16 Figure 17: PSE-Wizard Type of PSE..........................................................19 Figure 18: PSE-Wizard Distinguished Name..............................................19 Figure 19: PSE-Wizard Name of PSE ........................................................20 Figure 20: PSE-Wizard CA Data 
................................................................20 Figure 21: PSE-Wizard Version of Certificate ............................................21 Figure 22: PSE-Wizard Number of Key Pairs.............................................22 Figure 23: PSE-Wizard Signature ..............................................................22 Figure 24: PSE-Wizard Validity Period .......................................................23 Figure 25: PSE-Wizard Sign Own Prototype Certificate.............................24 Figure 26: PSE-Wizard Password ..............................................................25 Figure 27: PSE-Wizard Log-on Profiles......................................................25 Figure 28: PSE-Wizard Settings Overview..............................................26 Figure 29: Time Comparison (1) ...................................................................26 Figure 30: PSE-Wizard Smartcard .............................................................28 Figure 31: PSE-Wizard Password Unblocking Key PUK.........................29 Figure 32: PSE-Wizard RACAL RG 700 ....................................................31 Figure 33: PSE-Wizard Issue PSE .............................................................33 Figure 34: Options Program Options..........................................................35 Figure 35: Options SECUDE ......................................................................36 Figure 36: Options X.500............................................................................38 Figure 37: Options Warning Periods ..........................................................39 Figure 38: Options Issuer ...........................................................................40 Figure 39: Options PSE Options.................................................................41 Figure 40: Options User Form ....................................................................42 Figure 41: Options Sphinx Pilot 
..................................................................43 Figure 42: Empty User List ............................................................................45 Figure 43: Tool Bar Hidden............................................................................45 Figure 44: Tool Bar Active .............................................................................45 Figure 45: Menu Bar ......................................................................................46 Figure 46: Revocation List .............................................................................49 Figure 47: Signature Certificate Owner ......................................................50 Figure 48: Write Certification Request ..........................................................51 Figure 49: Read Certification Response........................................................51 Figure 50: Process Certificate Response ......................................................52 Figure 51: PSE Revocation Lists ...................................................................53 Figure 52: Read Revocation List from File ....................................................53 Figure 53: Insert Revocation Lists in PSE .....................................................54 Figure 54: Change Password ........................................................................54 Figure 55: Verify PSE ....................................................................................55

90

SECUDE GmbH

Version 2.0

SECUDE CA MANAGEMENT

Figure 56: Save Certification Path ........................ 56
Figure 57: PSE Contents ................................... 57
Figure 58: Save LDIF File - Insert Certificates ........... 58
Figure 59: Save LDIF File - Delete Certificates ........... 59
Figure 60: Write PK List .................................. 59
Figure 61: Write Certificates ............................. 60
Figure 62: Generate Password Form Letter .................. 60
Figure 63: Password Rules - Rules Editor .................. 62
Figure 64: Password Rules - Preview ....................... 63
Figure 65: Log-on Profiles ................................ 64
Figure 66: Log-on Profile ................................. 64
Figure 67: Smartcard Terminal Setup ....................... 65
Figure 68: Info User Card ................................. 66
Figure 69: Unblock Password ............................... 67
Figure 70: Info on CA MANAGEMENT .......................... 68
Figure 71: Info on SECUDE ................................. 68
Figure 72: User List ...................................... 69
Figure 73: User List and User Form ........................ 71
Figure 74: User Form ...................................... 72
Figure 75: PSE is being created ........................... 77
Figure 76: PSE Creation ................................... 78
Figure 77: Export Certificate ............................. 79
Figure 78: Write PSE on Smartcard ......................... 80
Figure 79: CA Revocation List ............................. 81
Figure 80: Add Entries to Revocation List ................. 82
Figure 81: Sign Revocation List ........................... 83
Figure 82: View of RSUSR402 ............................... 85
Figure 83: Import SAP Report .............................. 86
Figure 84: Form Letter Icon Bar of Word ................... 87

Table 1: Categories of Distinguished Names ................ 7
Table 2: Format of the Validity Fields .................... 24
Table 3: Toolbar .......................................... 46
Table 4: User Form - User Data ............................ 93
Table 5: User Form - PSE .................................. 94
Table 6: User Form - Signature / Encryption Certificates .. 94


11 Bibliography
[LDAP]
http://www.umich.edu/~dirsvcs/ldap/index.html; description and software downloads (development toolkit, client and server software) for LDAP (Lightweight Directory Access Protocol).

[Netscape Certificates]
http://home.netscape.com/eng/security/comm4-cert-exts.html; draft of 13 August 1997 describing the certificate extensions introduced by Netscape Communicator.

[PKCS#7]
PKCS#7: Cryptographic Message Syntax Standard; An RSA Laboratories Technical Note; Version 1.5; November 1, 1993.

[PKCS#10]
PKCS#10: Certification Request Syntax Standard; An RSA Laboratories Technical Note; Version 1.0; November 1, 1993.

[RFC 1422]
Privacy Enhancement for Internet Electronic Mail - Part II: Certificate-Based Key Management; Network Working Group, Request for Comments 1422 (obsoletes RFC 1114); S. Kent, BBN; IAB IRTF PSRG, IETF PEM; February 1993.

[Sphinx]
http://www.bsi.bund.de/aufgaben/projekte/sphinx/index.htm; pilot project of the Federal Government's coordination and advisory office for information technology in the federal administration (Koordinierungs- und Beratungsstelle der Bundesregierung für Informationstechnik in der Bundesverwaltung) in cooperation with the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik). Its subject is the trial of cross-product interoperability between the security solutions of different vendors.

[X.509 v3]
ITU-T Recommendation X.509 (06/97); Data Networks and Open Systems Communications, Directory; Information Technology, Open Systems Interconnection, The Directory: Authentication Framework.


12 Appendix
12.1 Fields in the User Form
The following user data are registered with the user form (cf. Chapter 6.1.2 User Form) and administered by CA MANAGEMENT in the database:

User Form - User Data

Field               Description
Name                Name of the person to be certified.
First name          First name of the person to be certified.
Mail address        E-mail address of the person to be certified.
Personnel number    Personnel number of the person to be certified.
Department          Name of the department in which the person to be certified works.

Table 4: User Form - User Data

User Form - PSE

Field                          Description
Profile                        A preset profile can be selected.
PSE Name                       Name of the file that the PSE is to receive.
PSE Directory                  The directory in which the PSE is to be stored; for a smartcard PSE, the directory for a possible extension.
Smartcard/File                 Decides whether the PSE is created as a file or on a smartcard.
Card Type                      When a smartcard PSE is to be created, the make of card is selected here. The options are TCOS and Cryptoflex.
One key pair                   If the box is ticked, one key pair is generated and a signature certificate is issued. When both signature and encryption certificates are to be created, the box must remain unticked.
Automatic password generation  If the box is ticked, a transport password is generated automatically. If it remains unticked, a transport password for the PSE to be created must be entered manually in the field on the right.
Rules                          If the user is to be obliged to follow certain password rules, the relevant set of rules is entered here (file PSEs only).
Automatic PUK generation       The PUK is needed for unblocking smartcards. When a smartcard PSE is created, a PUK should be given which is known only to the administrator. If the option is activated, the PUK is generated automatically; otherwise it must be entered in the field on the right.
Card number                    When a smartcard PSE is created, the card number is shown here.

Table 5: User Form - PSE

User Form - Signature / Encryption Certificates

In the following table the explanation of the fields of the user form is continued with the fields for signature and encryption certificates.

Field                           Description
Distinguished Name              Distinguished Name of the user.
Distinguished Name is prefix    When this box is ticked, the issuing CA's Distinguished Name is used as the prefix of the user's Distinguished Name.
Valid from                      Date and time in the currently set format (e.g. MM.DD.YY hh.mm.ss) from which the certificate is valid.
Valid to                        Date and time in the currently set format (e.g. MM.DD.YY hh.mm.ss) up to which the certificate is valid.
Issuer algorithm                Algorithm with which the certificate is signed.
Algorithm                       Algorithm that can be used with the key pair (for smartcards: depending on the card).
Key length                      Key length, from 512 bits to 2048 bits (for smartcards: depending on the card).
Version                         Selection between X.509v1 and X.509v3 certificates.

Table 6: User Form - Signature / Encryption Certificates

The numbers in the third column have the following meanings:

- The field must be filled out when a PSE is to be created.
- The field is set by CA MANAGEMENT.
- The field depends on the configuration. For the field Password, automatic password generation can be activated with the menu item Extras/Options and then PSE Options; when a new user is certified, the program then fills the field with a value.

When a user certificate is created for a smartcard, the field Card number receives a 20-digit number. On the card itself, however, 21 digits are printed. The last digit is a check digit; it is not forwarded to CA MANAGEMENT when the card is read and therefore does not appear in this field.

12.2 Data Base Specification CA.MDB

Table Users
In the table "Users" general user information is stored. This information is not relevant to creating a certificate.

Field name     Type                     Size  Commentary
UserNo         dbLong, dbAutoIncrField        Unambiguous number of a user; not displayed in CA MANAGEMENT. It links the user to the tables 'PSE' and 'Certificate'; between the tables there are 1 to n relationships.
Name           dbText                   30    Surname of user.
Firstname      dbText                   30    First name of user.
Mailaddress    dbText                   50    Mail address of user.
Id             dbText                   10    Personnel number of user.
Division       dbText                   20    Division (department) of user.
TransportPin   dbText                   50    Completed only for information. It can be used to print PIN letters with the form-letter option of MS Word.
Middlename     dbText                   1     Middle initial of user (American usage).
Company        dbText                   50    Company of user.

Table PSE
In the table "PSE" the data for creating PSEs is stored. Note that the fields TransportPin and PUK hold the transport password and the PUK as plain text (dbText), and the field PSE holds a copy of each software PSE. The CA.MDB file therefore contains the secrets protecting every PSE the CA has created and must be protected at least as carefully as the CA-PSE itself (cf. Chapter 1.4 Security Guidelines for Operating a CA).

Field name      Type                     Size  Commentary
PSENo           dbLong, dbAutoIncrField        Unambiguous number of a PSE; not displayed in CA MANAGEMENT. It links the PSE to the table 'Certificate'; between the tables there is a 1 to 1 or a 1 to 2 relationship (a PSE can contain up to two certificates).
UserNo          dbLong                         Assigns the PSE to a user.
PSE             dbLongBinary                   Copy of a software PSE.
PSEName         dbText                   25    File name of the PSE.
IsSC            dbBoolean                      TRUE if smartcard PSE, FALSE if software PSE.
IssueDate       dbDate                         Date when created.
NoOfKP          dbInteger                      Number of key pairs of the PSE (1 or 2).
TransportPin    dbText                   50    Password with which the created PSE is encrypted.
PUK             dbText                   8     Password Unblocking Key for smartcard PSEs.
Cardnumber      dbText                   20    Card number of the smartcard.
PSEDir          dbText                   255   Directory in which the PSE is stored.
RandomPin       dbBoolean                      TRUE if the password is generated randomly, otherwise FALSE.
RandomPUK       dbBoolean                      TRUE if the PUK is generated randomly, otherwise FALSE.
ProfileName     dbText                   20    Reference to the table Profiles. Not used.
PinPolicy       dbText                   30    Reference to the table PINPolicy.
Cardtype        dbInteger                      Make of smartcard (0 for TCOS, 1 for Cryptoflex). Not used when no smartcard PSE is created.
PinErrorLimit   dbInteger                      Number of tries for password entry.
PukErrorLimit   dbInteger                      Number of tries for PUK entry.
Created         dbBoolean                      TRUE if the PSE has been created, otherwise FALSE.
CreationDate    dbDate                         Creation date of the PSE.

Table Certificate
In the table "Certificate" data for the issuing of certificates is stored.

Field name      Type                     Size  Commentary
CertificateNo   dbLong, dbAutoIncrField        Unambiguous number of a certificate; not displayed in CA MANAGEMENT.
PSENo           dbLong                         Assigns the certificate to a PSE.
UserNo          dbLong                         Assigns the certificate to a user.
DN              dbText                   255   Distinguished Name of the certificate.
ValidFrom       dbDate                         Start of the certificate's validity period.
ValidUntil      dbDate                         End of the certificate's validity period.
SerialNo        dbText                   32    Serial number of the certificate; assigned automatically.
Certificate     dbLongBinary                   Copy of the certificate or prototype certificate (file PSEs only).
IsRevoked       dbBoolean                      TRUE if the certificate was revoked, otherwise FALSE.
Usage           dbInteger                      1 if, in a PSE with two key pairs, this is the certificate used for encryption; otherwise 0. Used only when the CA generates the keys.
IssuerAlg       dbText                   30    Issuer algorithm.
Algorithm       dbText                   30    Signature/encryption algorithm.
Keysize         dbInteger                      Key length.
DNPrefix        dbBoolean                      TRUE if the Distinguished Name of the CA is to be used as the prefix of the user's Distinguished Name when certifying, otherwise FALSE.
Version         dbText                   10    X.509v1 or X.509v3.
RequestType     dbInteger                      Format of the request; proprietary.
Request         dbLongBinary                   Proprietary.
IsCA            dbBoolean                      TRUE if the certificate is issued for a CA, otherwise FALSE. Only used with Version = X.509v3.
Base64          dbBoolean                      Proprietary.
Boundary1       dbLongBinary                   Proprietary.
Boundary2       dbLongBinary                   Proprietary.
Extensions      dbLongBinary                   Proprietary.
Created         dbBoolean                      TRUE if the certificate has been issued, FALSE if it is still changeable.
CreationDate    dbDate                         Date of issue of the certificate.
CertifyState    dbInteger                      Reserved for later use.
CertifyDate     dbDate                         Reserved for later use.
VSsigEnrInfo    dbLongBinary                   Reserved for later use.

Table CRL
In the table "CRL" revocation lists are stored.

Field name         Type           Size  Commentary
StringDName        dbText         255   Readable form of the Distinguished Name of the CA from which the revocation list comes.
OctetStringDName   dbLongBinary         Binary form of the Distinguished Name.
IsDelta            dbBoolean            TRUE = current signed revocation list of the CA; FALSE = certificates added since the last signing.
LastUpdate         dbDate               Date of the last signature of the revocation list.
CRLWithCerts       dbLongBinary         The revocation list itself.

Table Log
In the table "Log" protocol (audit log) information is stored.

Field name   Type        Size  Commentary
DateTime     dbDate            Date and time of the log entry.
Type         dbInteger         0 = Log on; 1 = Log off; 2 = Create a CA; 3 = Create a PSE; 4 = Issue a certificate; 5 = Revoke a certificate; 6 = Issue a revocation list.
Data         dbText      80    PSE.PSENo if Type = 2 or Type = 3; Certificate.CertificateNo if Type = 4; Certificate.SerialNo if Type = 5.
SerialNo     dbText      25    Not used.
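The relationships documented for the PSE, Certificate and Log tables (a PSE holds at most NoOfKP certificates and never more than two, Certificate.UserNo must agree with the owning PSE, Log.Data carries PSE.PSENo, Certificate.CertificateNo or Certificate.SerialNo depending on Type, IsCA is only meaningful for X.509v3, and transport PINs and PUKs are stored as readable text) lend themselves to a consistency audit of an exported CA.MDB. The following Python script is an added example and is not part of the manual or of SECUDE's own code. It reproduces the relevant columns of the Users, PSE, Certificate and Log tables in SQLite, which stands in here for the Access/Jet file (columns not needed for the checks are omitted), loads constructed sample rows that each contain one defect, and runs the checks a CA operator would want before trusting the database. Table and column names are the manual's; all data values are invented.

```python
import sqlite3

# Log.Type codes as documented for the Log table of CA.MDB
LOG_TYPES = {0: "Log on", 1: "Log off", 2: "Create a CA", 3: "Create a PSE",
             4: "Issue a certificate", 5: "Revoke a certificate",
             6: "Issue a revocation list"}

# Subset of the documented columns; SQLite stands in for the Access/Jet file.
SCHEMA = """
CREATE TABLE Users (UserNo INTEGER PRIMARY KEY AUTOINCREMENT, Name TEXT,
    Firstname TEXT, Mailaddress TEXT, Id TEXT, Division TEXT, TransportPin TEXT);
CREATE TABLE PSE (PSENo INTEGER PRIMARY KEY AUTOINCREMENT, UserNo INTEGER,
    PSEName TEXT, IsSC INTEGER, NoOfKP INTEGER, TransportPin TEXT, PUK TEXT,
    Cardnumber TEXT, Created INTEGER);
CREATE TABLE Certificate (CertificateNo INTEGER PRIMARY KEY AUTOINCREMENT,
    PSENo INTEGER, UserNo INTEGER, DN TEXT, SerialNo TEXT, IsRevoked INTEGER,
    Usage INTEGER, Version TEXT, IsCA INTEGER, Created INTEGER);
CREATE TABLE Log (DateTime TEXT, Type INTEGER, Data TEXT, SerialNo TEXT);
"""


def build_sample_db():
    """In-memory database with constructed rows; each audit below finds one defect."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany(
        "INSERT INTO Users (Name, Firstname, Mailaddress, Id, Division, TransportPin)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        [("Muster", "Erika", "erika@example.org", "4711", "IT", "ab12cd34"),
         ("Beispiel", "Max", "max@example.org", "4712", "HR", "")])
    con.executemany(
        "INSERT INTO PSE (UserNo, PSEName, IsSC, NoOfKP, TransportPin, PUK, Cardnumber,"
        " Created) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        [(1, "muster.pse", 0, 2, "ab12cd34", "", "", 1),  # file PSE, two key pairs
         (2, "beispiel", 1, 1, "zz99yy88", "87654321", "12345678901234567890", 1)])
    con.executemany(
        "INSERT INTO Certificate (PSENo, UserNo, DN, SerialNo, IsRevoked, Usage, Version,"
        " IsCA, Created) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
        [(1, 1, "CN=Erika Muster", "1001", 0, 1, "X.509v3", 0, 1),  # encryption cert
         (1, 1, "CN=Erika Muster", "1002", 1, 0, "X.509v3", 0, 1),  # revoked and logged
         (2, 2, "CN=Max Beispiel", "2001", 1, 0, "X.509v1", 1, 1),  # revoked, unlogged; IsCA on v1
         (2, 1, "CN=Max Beispiel", "2002", 0, 0, "X.509v3", 0, 1)])  # 2nd cert on 1-key PSE, wrong user
    con.executemany(
        "INSERT INTO Log (DateTime, Type, Data) VALUES (?, ?, ?)",
        [("1999-03-01 09:00:00", 0, ""),
         ("1999-03-01 09:05:00", 3, "1"),     # Data = PSE.PSENo
         ("1999-03-01 09:06:00", 4, "1"),     # Data = Certificate.CertificateNo
         ("1999-03-01 09:06:30", 4, "2"),
         ("1999-03-02 10:00:00", 5, "1002"),  # Data = Certificate.SerialNo
         ("1999-03-02 10:01:00", 6, "")])
    con.commit()
    return con


def _col(con, sql):
    return [row[0] for row in con.execute(sql)]


def pses_over_key_pair_limit(con):
    """PSEs holding more certificates than NoOfKP (never more than 2) allows."""
    return _col(con, """SELECT p.PSENo FROM PSE p JOIN Certificate c ON c.PSENo = p.PSENo
        GROUP BY p.PSENo, p.NoOfKP HAVING COUNT(*) > MIN(p.NoOfKP, 2) ORDER BY p.PSENo""")


def certificates_with_user_mismatch(con):
    """Certificates whose UserNo differs from the UserNo of their PSE."""
    return _col(con, """SELECT c.CertificateNo FROM Certificate c JOIN PSE p ON p.PSENo = c.PSENo
        WHERE c.UserNo <> p.UserNo ORDER BY c.CertificateNo""")


def revocations_without_log_entry(con):
    """Revoked serial numbers with no Log row of Type 5 whose Data is that serial."""
    return _col(con, """SELECT c.SerialNo FROM Certificate c WHERE c.IsRevoked = 1
        AND NOT EXISTS (SELECT 1 FROM Log l WHERE l.Type = 5 AND l.Data = c.SerialNo)
        ORDER BY c.SerialNo""")


def ca_flag_on_v1_certificates(con):
    """IsCA is only meaningful with Version = X.509v3; report v1 rows that set it."""
    return _col(con, """SELECT CertificateNo FROM Certificate
        WHERE IsCA = 1 AND Version <> 'X.509v3' ORDER BY CertificateNo""")


def rows_holding_cleartext_secrets(con):
    """How many rows carry a transport PIN or PUK as readable text."""
    return {"Users": _col(con, "SELECT COUNT(*) FROM Users WHERE TransportPin <> ''")[0],
            "PSE": _col(con, "SELECT COUNT(*) FROM PSE WHERE TransportPin <> '' OR PUK <> ''")[0]}


def decode_log(con):
    """Log rows with the numeric Type replaced by its documented meaning."""
    return [(ts, LOG_TYPES.get(typ, "unknown(%d)" % typ), data) for ts, typ, data in
            con.execute("SELECT DateTime, Type, Data FROM Log ORDER BY DateTime")]


if __name__ == "__main__":
    db = build_sample_db()
    for name, fn in [("PSEs over key-pair limit", pses_over_key_pair_limit),
                     ("certificate/PSE user mismatch", certificates_with_user_mismatch),
                     ("revoked but not logged", revocations_without_log_entry),
                     ("IsCA on X.509v1", ca_flag_on_v1_certificates),
                     ("rows with cleartext PIN/PUK", rows_holding_cleartext_secrets)]:
        print("%-30s %s" % (name + ":", fn(db)))
    for entry in decode_log(db):
        print("%s  %-24s %s" % entry)
```

Against a real CA.MDB the same queries can be run after exporting the four tables (e.g. via ODBC) into SQLite; the revocation check is the one worth scheduling, since a certificate flagged IsRevoked without a matching Type 5 log entry means the CA.MDB was changed outside CA MANAGEMENT.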

Table PINPolicy
The table "PINPolicy" stores password rules.

Field name   Type           Size  Commentary
Name         dbText         30    Name of the rule set; referenced by the field PinPolicy of the table PSE.
PINPolicy    dbLongBinary         Proprietary.

Table Profiles
The table "Profiles" is not yet used.

Field name    Type                     Size
ProfileNo     dbLong, dbAutoIncrField
ProfileName   dbText                   20
PSEDir        dbText                   255
NoOfKP        dbInteger
ValidFrom     dbDate
ValidUntil    dbDate
EncAlg        dbText                   30
EncKeysize    dbInteger
SignAlg       dbText                   30
SignKeysize   dbInteger
RandomPin     dbBoolean
PinLength     dbInteger
DefaultPin    dbText                   50
DNIsPrefix    dbBoolean
RandomPUK     dbBoolean
PUKLength     dbInteger
DefaultPUK    dbText

Table ACL
The table "ACL" is not yet used.

Field name   Type
SerialNo     dbLongBinary
