Entrust Certificate Services Support Knowledge Base
Audience: Administrator
Last Modified: 2009-09-17 11:41:29.0
TN 5927 - How do I create a keypair/CSR and install an Entrust SSL Certificate with Sybase EAServer?
Sybase EAServer 4.2.2 on Windows 2000 Server
Before You Begin
It is strongly recommended that you take the following precautions to ensure that you will be able to install your Entrust SSL Certificate:
- If you are renewing your certificate, you MUST create a new key pair and CSR; you cannot use the existing key pair and CSR.
- Do not use commas in any of the fields when creating your Certificate Signing Request (CSR). Commas are interpreted as the end of the field and will cause an invalid CSR to be generated.
- Do not use any of the following characters in the Web server Distinguished Name: ! @ # $ % ^ * ( ) ~ ? > < & / \.,/;’!
- When you generate your Certificate Signing Request, make sure you are logged in as an Administrator to the computer that hosts your Web server.
- The default SSL ports that Sybase EAServer uses are 8081 and 8082.
- The SSL management application that you will be using is incorporated into Jaguar Manager and Security Manager, and is found by launching the Sybase Central Java console.
Generating the Key pair and Certificate Signing Request (CSR)
During the online enrollment process you will be required to provide Entrust with a Certificate Signing Request (CSR).
This encrypted data is generated from your web server, and contains information about your company and web server.
It is important to review this guideline, as Entrust will use this information to generate your certificate.
If you are renewing your certificate, you MUST create a new key pair; you cannot use the existing key pair.

Using Security Manager:
The default password is "sybase".
1. Right-click on Private Keys and select Key/Cert Wizard.
2. Select 1024 and give the key pair a label. This label is later used to identify this certificate for your security profile setup.
3. Enter your Distinguished Name information as shown in the Certificate Information screenshot below.
Attention: Do not use the following fields: UserID, Server Admin, Email.
The code produced is your Certificate Signing Request (PKCS#10).
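The following Python check is an added example, not Entrust or Sybase code: it decodes the PKCS#10 request produced in step 3 and reports the RSA key size and subject fields, so a field cut short at a comma is visible before the CSR is submitted. The function names are hypothetical, and the sample request is constructed inside the script (dummy 1024-bit modulus, placeholder signature, and an Organization value that simulates truncation at a comma). It assumes an RSA key and DN values stored as single-byte string types.

```python
import base64

OIDS = {"550406": "C", "55040a": "O", "55040b": "OU", "550403": "CN"}  # hex of DER OID bodies

def children(body):
    """Return the bodies of the DER elements directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        n, pos = body[pos + 1], pos + 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            n, pos = int.from_bytes(body[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        out.append(body[pos:pos + n])
        pos += n
    return out

def inspect_csr(pem):
    """Return (rsa_modulus_bits, {attribute: value}) for a PEM PKCS#10 request."""
    b64 = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    req = children(base64.b64decode(b64))[0]           # CertificationRequest
    _ver, name, spki = children(children(req)[0])[:3]  # CertificationRequestInfo
    subject = {}
    for rdn in children(name):                         # one SET per RDN
        for atv in children(rdn):                      # SEQUENCE {OID, value}
            oid, value = children(atv)
            subject[OIDS.get(oid.hex(), oid.hex())] = value.decode("utf-8", "replace")
    key = children(spki)[1][1:]              # BIT STRING minus unused-bits byte
    modulus = children(children(key)[0])[0]  # RSAPublicKey {modulus, exponent}
    return int.from_bytes(modulus, "big").bit_length(), subject

def differences(subject, intended):
    """List DN fields whose decoded value differs from what was typed."""
    return [k for k, v in intended.items() if subject.get(k) != v]

def tlv(tag, body):
    """Encode one DER element; only used to build the constructed sample."""
    n = len(body)
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(ln)]) + ln) + body

def sample_csr(org):
    """Constructed request: dummy 1024-bit modulus, placeholder signature."""
    # AlgorithmIdentifiers: rsaEncryption, sha1WithRSAEncryption
    key_alg, sig_alg = (bytes.fromhex("300d06092a864886f70d0101%s0500" % x) for x in ("01", "05"))
    attrs = (("550406", "US"), ("55040a", org), ("550403", "www.example.com"))
    name = b"".join(tlv(0x31, tlv(0x30, tlv(6, bytes.fromhex(o)) + tlv(0x13, v.encode()))) for o, v in attrs)
    rsa = tlv(0x30, tlv(2, b"\x00" + b"\xc3" * 128) + tlv(2, b"\x01\x00\x01"))
    spki = tlv(0x30, key_alg + tlv(3, b"\x00" + rsa))
    info = tlv(0x30, tlv(2, b"\x00") + tlv(0x30, name) + spki + tlv(0xA0, b""))
    b64 = base64.encodebytes(tlv(0x30, info + sig_alg + tlv(3, b"\x00" * 129))).decode()
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{b64}-----END CERTIFICATE REQUEST-----\n"
```

Calling `inspect_csr` on the text copied from the wizard and passing the result to `differences` together with the values you intended to enter lists any DN field that did not survive as typed.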




Installing the Server Certificate
To install a certificate:
1. Select the folder (Private Keys) that corresponds to the type of certificate you are installing.
2. Select File > Install Certificate.
Either paste the entire contents of the certificate into the box (base64 encoded certificates only), or click Import from File. If you select Import from File, the cut and paste area is grayed out. Click Browse to locate the certificate.
3. Click Install. If the certificate is of type .crt or .p7c it is installed. If the file is a PKCS #12 type (has either a .p12 or .pfx extension) the PKCS #12 Certificate/Private Key window appears.
4. Enter the password that allows access to the file. This is the password that you entered when you exported the certificate and private key.
5. To export the certificate and its private key at a later time, select Mark private key as exportable (selected by default).
6. Click Done.
The certificate is assigned to a folder based on its type:
User - Your certificates and other user certificates, including certificates signed by the test CA used to authenticate EAServer. These are the certificates that have a matching private key stored in the PKCS #11 token.
Once installed, you can assign a user certificate to an EAServer security profile. For more information, refer to Security Profiles in the Sybase EAServer help section or Assigning the Certificate section in this document.


Installing the Entrust CA certificate
1. Right-click on the folder for CA certificates.
2. Select Install.
3. Import the Entrust root CA from a file. This root is provided either from the pickup URL or from http://www.entrust.net/downloads/root_index.cfm.
CA - Certificates obtained from CAs. These identify the signers of certificates that EAServer recognizes.
Trusted - A subset of the CA certificates. These are the signers of certificates that EAServer trusts. EAServer accepts the certificates from clients that have been signed by trusted CAs. You must mark a CA as trusted before it appears in the Trusted folder. See Trust information in the Sybase EAServer help files for more information.
4. After installing a signer's certificate, mark it as trusted if you want to accept certificates signed by that signer. Refer to Trust information in the Sybase EAServer help files for more information.



5. To trust the Entrust CA certificate, right-click on the certificate and select Certificate Info. Ensure that Trusted Certificate is selected.
Once the Root is trusted, it will automatically appear in the Trusted folder.
For further information regarding SSL management, see the application help files accessed by launching the product and selecting Help.
Assigning the Certificate
Using Security Profiles:
Security profiles define the security characteristics of a client-EAServer session. You assign a security profile to a listener, which is a port that accepts client connection requests of various protocols. EAServer supports multiple listeners. Clients that support the same characteristics can communicate to EAServer via the port defined in the listener.
EAServer comes with preconfigured security profiles. You can modify these predefined profiles or create new ones to meet your specific security needs.
Refer to the Listeners for information about assigning security profiles to listeners.
EAServer comes with two predefined security profiles:
Sample1 - Uses the sybpks_intl security characteristic.
Sample1 is used here in our Entrust SSL Server certificate demo guide.
You can create or edit a security profile and assign the certificate to it.
Then make sure your Listener for HTTPS (one-way SSL) uses that specific security profile.


As in the screenshot below, you can edit the information and choose an existing or new security profile, if desired.



Disaster recovery
It is highly recommended that you back up the Private Key for your Web Server and store the file in a secure location.
1. Navigate to the Users folder, and locate the certificate key pair.
2. Right-click on the certificate, and select Export Certificate.
3. Select PKCS12 and proceed through the wizard to export and save your file.
Affected Products:
- Entrust Certificate Services 1 Year SSL Certificate (Version: Not Applicable; Language: Not Applicable; Platform: Not Applicable)
- Entrust Certificate Services 2 Year SSL Certificate (Version: Not Applicable; Language: Not Applicable; Platform: Not Applicable)
- Entrust Certificate Services Enhanced Service Account (Version: Not Applicable; Language: Not Applicable; Platform: Not Applicable)
- Entrust Certificate Services Web Hoster Service Account (Version: Not Applicable; Language: English; Platform: Not Applicable)