Loading Known Certificates
The FWD server uses two kinds of certificate: the root certificates of certificate authorities (CAs) and peer certificates. Each peer certificate is associated with a specific account (a user, process or server). When that entity connects to the FWD server, the certificate it presents is matched against the known peer certificates; if it matches and is valid, a FWD session is started with the security context set to the associated account. The root CA certificates are used to verify and establish trust for the peer certificates, since every peer certificate must have been issued and signed by a trusted CA.
The directory holds a list of each type of certificate. The root CA certificates are enumerated as child elements of the /security/certificates/cas/ branch, and the peer certificates as child elements of the /security/certificates/peers/ branch.
The administration client has a simple interface to load (import) certificates into the proper location in the directory. This avoids using the LoadCert class documented in the Certificate Authority and Key-Stores and Trust-Stores chapters of Part 2.
Note: if the FWD cryptography tool is used to automatically generate the root CA and the associated peer certificates, the instructions in this chapter are needed only when additional peer certificates must be added later. Details on automatically generating the self-signed root CA and the peer certificates can be found in the Cryptography Setup Helper chapter of this book.
To access this interface, choose Accounts, then Certificates, from the main menu.
This will bring up the main Certificates Management screen similar to the following:
By default, the CA Certificates radio button is selected, meaning the screen is currently managing root CA certificates. To switch to managing peer certificates, select the Peer Certificates radio button. The Defined Certificates and Certificate Hierarchy portions of the screen change to show the corresponding list of certificates each time one of these radio buttons is selected.
The following image depicts the selection of the Peer Certificates radio button:
Once the proper list of certificates is selected, press the Add Certificate button to bring up the following Certificate Definition dialog:
Enter the name of the certificate in the Alias field. Use the clipboard to copy and paste the entire contents of the certificate into the PEM data field. The following is an example of the certificate contents to be pasted:
-----BEGIN CERTIFICATE-----
MIID6zCCA1SgAwIBAgIBFzANBgkqhkiG9w0BAQUFADCBpDELMAkGA1UEBhMCVVMx
FzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRMwEQYDVQQHEwpHcmVlbnNib3JvMSYw
JAYDVQQKEx1UaW1jbyBBdmlhdGlvbiBTZXJ2aWNlcywgSW5jLjEfMB0GA1UECxMW
SW5mb3JtYXRpb24gVGVjaG5vbG9neTEeMBasdaDHF/fpo2VydGlmaWNhdGUgQXV0
c8MeJtaDLp8tNlwWx3hvsQIDAQABo4IBMDCCASwwCQYDVR0TBAIwADAsBglghkgB
hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
Ym9ybzEmMCQGA1UEChMdVGltY28gQXZpYXRpb24gU2VydmljZXMsIEluYy4xHzAd
BQADgYEATS+EFiNhdU3o26a7JGp2aPAblexWDfhQ1J+qCTwdbTJkMFRafsOKZeyT
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDx9E66DgEzZUZESyDP5sEYDNnFuTUW
B5PN9QTPI5WDOAasQ8zVAGHf/XCiFZOBHXvyIffpc+QCsmJU+H7jJ20UFt/IbbVv
kxnYZ1lKaPip4KiSDqD6MBCCjMQDlkCu20tMg4THZPYKLBq57rpXHGFDgixK6Cfj
DEIgX3IN2gGQFwIDAQABo4IBMDCCASwwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0E
HxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFFjt1sPC
xRtnYxLIuPkHCJ+R+RQiMIHRBgNVHSMEgckwgcaAFGWanckVijMSIU0g/7rMA2q+
SdS6oYGqpIGnMIGkMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp
bmExEzARBgNVBAcTCkdyZWVuc2Jvcm8xJjAkBgNVBAoTHVRpbWNvIEF2aWF0aW9u
IFNlcnZpY2VzLCBJbmMuMR8wHQYDVQQLExZJbmZvcm1hdGlvbiBUZWNobm9sb2d5
MR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHmCAQAwDQYJKoZIhvcNAQEF
BQADgYEAU5cMjCVHsMgaPz9jMnRf5bjd1TvAISGY22fYa8A7OhjZFdIxWiyozcnm
ltuCj/9y/BlakjciahucasaxNHGKBCLAHbgvyjeZ+f7e6BpNQH2KOhbdw8auvvay
jLYKnQE1GjogerYKQiaLEGqKk8V9+KPVA3T7tgal/y9WGc+qvPE=
-----END CERTIFICATE-----
Make sure to paste everything, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Use any text editor to copy the text directly from the .pem certificate file (see the Certificate Authority and Key-Stores and Trust-Stores chapters of Part 2 for details on how to create both types of certificate). The PEM data field expects a certificate only: paste one certificate per alias, and never the associated private key.
If the CA Certificates radio button was selected when the Add Certificate button was pressed, the certificate is added as an additional root CA certificate and stored in the /security/certificates/cas/ branch of the directory. If the Peer Certificates radio button was selected, the certificate is added to the /security/certificates/peers/ branch of the directory. Either way, the list is visible on the administration client screen and can be managed from there.
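The procedure above relies on two things being true of the pasted text: it is one intact CERTIFICATE block headed for the right branch, and, for a peer, the certificate chains to a root CA that has been loaded. Both can be checked offline before touching the directory. The following Go program is an added example written for this page; it is not FWD code and does not use the FWD directory or the LoadCert class. The two branch paths are the ones named above; the certificate names, the throwaway Ed25519 keys and the rejection cases (a self-signed peer nobody issued, a truncated paste, two certificates pasted together, a private key, a peer offered as a root CA) are constructed for the example. The same answers can be had from the shell with openssl x509 -in file.pem -noout -text and openssl verify -CAfile ca.pem peer.pem.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Directory branches named on this page.
const (
	BranchCAs   = "/security/certificates/cas/"
	BranchPeers = "/security/certificates/peers/"
)

// classifyPEM checks text destined for the "PEM data" field and says which branch it belongs in.
func classifyPEM(pemText string) (string, *x509.Certificate, error) {
	block, rest := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "CERTIFICATE" {
		return "", nil, fmt.Errorf("expected one CERTIFICATE block: paste everything from BEGIN to END, never a private key")
	}
	if strings.TrimSpace(string(rest)) != "" {
		return "", nil, fmt.Errorf("trailing data after the certificate: load one certificate per alias")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", nil, fmt.Errorf("PEM body is not an X.509 certificate (truncated or corrupted paste?): %w", err)
	}
	if cert.BasicConstraintsValid && cert.IsCA {
		return BranchCAs, cert, nil // root CA: goes under cas/
	}
	return BranchPeers, cert, nil // anything else is a peer certificate: peers/
}

// verifyPeerPEM is the trust check the page describes: the peer must chain to a loaded root CA.
func verifyPeerPEM(peerPEM string, caPEMs ...string) error {
	_, peer, err := classifyPEM(peerPEM)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	for _, caPEM := range caPEMs {
		branch, ca, err := classifyPEM(caPEM)
		if err != nil {
			return err
		}
		if branch != BranchCAs {
			return fmt.Errorf("%q is a peer certificate, not a root CA", ca.Subject.CommonName)
		}
		roots.AddCert(ca)
	}
	_, err = peer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Below: a throwaway PKI (names and lifetimes constructed for this example) so the checks run offline.
func newKey() ed25519.PrivateKey {
	_, k, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail on a healthy host
	return k
}

func template(cn string, isCA bool, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, // key-usage extensions omitted for brevity
	}
}

// issue signs tmpl with signer (the parent's key, or the new key itself when self-signed).
func issue(tmpl, parent *x509.Certificate, pub interface{}, signer ed25519.PrivateKey) (*x509.Certificate, string) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

// buildTestPKI returns PEM for a self-signed root, a peer it issued, and a self-signed peer
// that no loaded CA issued (the kind of certificate the server must reject).
func buildTestPKI() (caPEM, peerPEM, selfSignedPEM string) {
	caKey, oddKey := newKey(), newKey()
	caTmpl, oddTmpl := template("FWD Test Root CA", true, 1), template("self_signed_user", false, 3)
	ca, caPEM := issue(caTmpl, caTmpl, caKey.Public(), caKey)
	_, peerPEM = issue(template("bogus_user", false, 2), ca, newKey().Public(), caKey)
	_, selfSignedPEM = issue(oddTmpl, oddTmpl, oddKey.Public(), oddKey)
	return caPEM, peerPEM, selfSignedPEM
}

func main() {
	caPEM, peerPEM, selfSignedPEM := buildTestPKI()
	fmt.Println(verifyPeerPEM(peerPEM, caPEM), "|", verifyPeerPEM(selfSignedPEM, caPEM)) // <nil> | unknown authority error
}
```

The classification rule is the one the page implies: a certificate carrying CA:TRUE in its basic constraints belongs under cas/, everything else under peers/. verifyPeerPEM refuses to treat a peer certificate as a root, which is the mistake the two radio buttons make easy, and rejects a peer that no loaded CA signed, which is what the server does at connect time.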
© 2004-2021 Golden Code Development Corporation. ALL RIGHTS RESERVED.