Tài liệu Creating Applications with Mozilla-Chapter 12. Remote Applications-P3 ppt

To become a CA, you need to create two certificates for yourself: a "root certificate" and a "distribution certificate." Once you set up these certificates, you can issue signing certifi

Trang 1

Chapter 12 Remote Applications-P3

12.5.1 Mozilla Network Security Services (NSS)

The Mozilla Network Security Services tools, which are described in detail

at http://www.mozilla.org/projects/security/pki/nss/, allow you to become your own Netscape Object Signing CA By becoming your own Netscape Signing CA, you can distribute signing certificates to Mozilla application developers You can obtain the tools via a simplified distribution of NSS for Windows and Linux at http://certs.mozdev.org These tools allow you to become a CA and to package signed remote Mozilla applications Finally, the commands for CertUtil work the same way on Windows, Linux, and any other OS on which you run CertUtil

12.5.2 CA Certificates, Signing Certificates, and the Certificate Chain

A certificate represents an organization in a official digital form It provides fields for the organization's name, contact information, date of issue, and an expiration date There are also two keys: a private and a public key

To become a CA, you need to create two certificates for yourself: a "root certificate" and a "distribution certificate." Once you set up these

certificates, you can issue signing certificates, which create digital

signatures Figure 12-4 shows the chain of relationships between certificates

Figure 12-4 A Netscape Object Signing certificate chain

Trang 2

The distribution certificate is based on the root certificate's public key You can then create signing certificates from the distribution certificate, using its public key that it handles automatically by NSS Finally, the digital

signatures derived from the signing certificate can sign applications using NSS

12.5.3 Setting Up a Certificate Authority

Using the CertUtil tool that comes with NSS, you need to create a root

certificate and a distribution certificate for yourself to become a CA The CertUtil tool is located in the NSS installation's bin directory and can be run from anywhere in a console window In the next few sections, we walk through the steps necessary to accomplish this process

12.5.3.1 Creating a certificate database

Mozilla comes with a prefilled certificate database that contains information about certificates from Verisign and other CAs (found in the file cert7.db

in the user profile directory), which you can modify However, starting with

a blank database is better because it avoids the possibility of corruption

At the prompt, create a new database by using the -N and -d options for CertUtil:

Trang 3

C:\NSS\bin>certutil -N -d

Enter a password for the database You need to reenter this password every time you issue or change certificates CertUtil creates the files cert7.db, key3.db, and secmod.db in the same directory as CertUtil

12.5.3.2 Creating the root CA certificate

The root certificate is the foundation for the certificate chain and should not

be shared with anyone outside your organization You may want to consider storing the database or exported certificate on a floppy disk for safe keeping

If it gets lost or stolen, you need to make a new one and all your users will need to use new certificates and resign their applications

Once you create cert7.db, CertUtil can process the Root CA Certificate into it, using the following and substituting the name of your CA for

mozdev.org:

C:\NSS\bin>certutil -S -s "CN=mozdev.org,

O=mozdev.org" -n "mozdev.org"

-t ",,C" -x -d -1 -2 -5

Enter a password at the prompt and proceed by making the menu choices shown in Example 12-9

Example 12-9 Creating a root certificate

Generating key This may take a few moments

0 - Digital Signature

1 - Non-repudiation

2 - Key encipherment

Trang 4

3 - Data encipherment

4 - Key agreement

5 - Cert signing key

6 - CRL signing key

Other to finish

5

1 - Non-repudiation

4 - Key agreement

5 - Cert signing key

6 - CRL signing key

Other to finish

9

Is this a critical extension [y/n]?

n

Is this a CA certificate [y/n]?

y

Enter the path length constraint, enter to skip [<0 for unlimited path]:

Trang 5

n

0 - SSL Client

1 - SSL Server

2 - S/MIME

3 - Object Signing

4 - Reserved for futuer use

5 - SSL CA

6 - S/MIME CA

7 - Object Signing CA Other to finish

7

0 - SSL Client

1 - SSL Server

2 - S/MIME

3 - Object Signing

5 - SSL CA

6 - S/MIME CA

Trang 6

9

n

The mozdev.org Root CA Certificate resides in cert7.db You can export

it to a file for safekeeping as follows:

C:\NSS\bin>certutil -L -d -n "mozdev.org" -a -o

mozdev.cacert

This code will yield an ASCII representation of the certificate

12.5.3.3 Creating a distribution CA certificate

Next you must create a distribution certificate This certificate will be

installed into the user's Mozilla web browser so Mozilla can verify related signed remote Mozilla applications Start the certificate by typing the

following code at the prompt and substituting the name of your CA for

"mozdev.org":

C:\NSS\bin>certutil -S -n "certs.mozdev.org"

-s "CN=certs.mozdev.org, O=certs.mozdev.org" -c

"mozdev.org" -v 96

-t ",,C" -d -1 -2 -5

Enter a password at the prompt and make the menu choices shown in

Example 12-10

Example 12-10 Creating a distribution certificate

Trang 7

1 - Non-repudiation

4 - Key agreement

5 - Cert signning key

6 - CRL signning key Other to finish

5

1 - Non-repudiation

4 - Key agreement

6 - CRL signning key Other to finish

9

n

y

Trang 8

n

0 - SSL Client

1 - SSL Server

2 - S/MIME

3 - Object Signing

5 - SSL CA

6 - S/MIME CA

7

0 - SSL Client

1 - SSL Server

2 - S/MIME

3 - Object Signing

5 - SSL CA

Trang 9

6 - S/MIME CA

9

n

Note the differences between this process and that used to create the root certificate The distribution certificate is not self-signed, so to create it, you must reference the mozdev.org Root CA Certificate in the initial command Also, the -v 96 option indicates that the certificate is good for 96 months Once you've created the distribution certificate, export it using the following command (for which "certs.mozdev.org" is the name of your CA):

C:\NSS\bin>certutil L d n "certs.mozdev.org"

-a -o certs_mozdev.c-acert

Keep track of the resulting file because you will need to upload it to your web site later so browsers can install it

12.5.4 Issuing Signing Certificates

Once you create the two root and distribution certificates for your

organization, you are a certificate authority, much like VeriSign You decide who gets the privilege of a signing certificate and issue them accordingly Signing certificates should not be reused for different people When you want to give out a signing certificate, you should create a new one by using CertUtil and make a copy of the exported certificate for yourself to keep and catalog

Trang 10

To create a signing certificate, use the following command and substitute the name of your CA for "mozdev.org":

C:\NSS\bin>certutil -S -n

"certs.mozdev.org/signing"

-s "CN=certs.mozdev.org/signing,

O=certs.mozdev.org" -c "certs.mozdev.org" -v 96 -t

",,C" -d -1 -2 -5

Enter a password at the prompt and make the menu choices shown in

Example 12-11

Example 12-11 Create a signing certificate

1 - Non-repudiation

4 - Key agreement

6 - CRL signning key

Other to finish

0

1 - Non-repudiation

Trang 11

4 - Key agreement

Other to finish

5

1 - Non-repudiation

4 - Key agreement

Other to finish

9

n

Trang 12

n

0 - SSL Client

1 - SSL Server

2 - S/MIME

3 - Object Signing

5 - SSL CA

6 - S/MIME CA

3

0 - SSL Client

1 - SSL Server

2 - S/MIME

3 - Object Signing

5 - SSL CA

6 - S/MIME CA

Trang 13

9

n

In Example 12-11, the certs.mozdev.org/signing certificate

references the certs.mozdev.org CA certificate The Digital Signature option is also set so a signed remote Mozilla application can be compiled from the certificate

Export the signing certificate with the following command:

C:\NSS\bin>certutil -L -d -n

"certs.mozdev.org/signing" -a

-o eric.cacert

You can send the resulting file to the person who requested the Signing Certificate That person can then use it to create signed remote applications,

as described later in this chapter in the Section 12.6.3.1 section

12.5.5 Distributing Distribution Certificates

The distribution certificate (certs_mozdev.cacert in Example 12-10) must be installed into a user's Mozilla web browser before she can use

signed applications that come from certificates you've distributed It's best to state clearly on the web site hosting these signed remote Mozilla

applications that the distribution certificate is needed If you distribute many different signing certificates, and they are used by all signed remote Mozilla applications, then all applications can use that same distribution certificate (as they do with Verisign's and other certificate authorities)

Trang 14

To allow users to install the distribution certificate, create a link to the

certificate file on your web page:

<a href="certs_mozdev.cacert">Install the MozDev CA Certificate</a>

Also make sure that your web server uses the MIME type

application/x-x509-ca-cert for cacert files

If the web server is set up correctly, the user will get a dialog box that looks like Figure 12-5 Tell the user to select the options for "web sites" and

"software developers."

Tiêu đề	Remote Applications
Trường học	Mozilla University
Chuyên ngành	Network Security Services
Thể loại	Tài liệu
Năm xuất bản	2025
Thành phố	Mountain View

Định dạng
Số trang	14
Dung lượng	37,15 KB