This tutorial walks through the certificates already installed on your machine; it does not depend on the Micro Focus Security Pack.
Viewing Certificates
There are probably some certificates already installed on your machine. Applications that use SSL, such as a Web browser, usually come with certificates for well-known Web sites and CAs. New certificates for Web sites with newly established reputations are often included in the regular updates that are published for the applications.
With Internet Explorer
If your browser is Internet Explorer:
- Click Tools > Internet Options > Content.
- Click Certificates and then the Trusted Root Certification Authorities tab on the far right.
This lists the root CAs known and trusted by your Web browser, that is, the CAs whose certificates have been installed in the SSL software your Web browser uses. Internet Explorer reads this list from the Windows certificate store, so the same list is shared with other Windows applications. A default set of these, consisting of many of the world's best known root CAs, is installed with Internet Explorer.
The terminology used in Internet Explorer is slightly different from that used in this book, as follows:
Internet Explorer        This book
Personal certificate     Your client certificate
Other people's           Client or server certificate of some other entity
Intermediate CA          Subordinate CA
Trusted root CA          Root CA
- Double-click one of the certificates. This displays the certificate. Notice that the "Issued To" and "Issued by" names are the same. This is what you would expect from a self-signed certificate, one issued by a root CA to itself.
- Click the Certification Path tab. This lists the chain of CAs from the certificate back to the root CA. Because this certificate is for a root CA, there is just one entry.
- Click OK to close the certificate.
- Click the Intermediate Certification Authorities tab. This shows a list of subordinate CAs whose certificates have been installed in the store used by your Internet Explorer.
- Double-click one of the certificates.
- Click Certification Path. You now see the chain of CAs, from the subordinate CA that issued this certificate, back up through the hierarchy to the root CA.
- Close the dialog boxes.
With Mozilla Firefox
If your browser is Mozilla Firefox:
- Click Tools > Options > Advanced. Then, depending on your version, either scroll down and click Manage Certificates, or click the Security tab and then View Certificates.
- Click the Authorities tab. This lists the CAs known and trusted by your Web browser, that is, those whose certificates have been installed in the SSL software in your Web browser. A default set of these, consisting of many of the world's best known ones, is installed when Firefox is installed. Unlike Internet Explorer, Firefox keeps its own certificate store, separate from the one Windows uses, so a CA trusted by one browser is not automatically trusted by the other.
- Double-click any one of the certificates shown. This displays the certificate on the screen. In many cases the "Issued To" and "Issued by" names are the same, indicating a self-signed certificate, one issued by a root CA to itself.
- Click the Details tab. The Certificate Hierarchy pane at the top lists the chain of CAs from the certificate back to the root CA. If this certificate is for a root CA, there is just one entry.
- Click Close to close the certificate viewer.
- Look at some other certificates in the same way. You may find that all the certificates are for root CAs. If you find one for a subordinate CA, you can see the chain of CAs, from the subordinate CA that issued this certificate, back up through the hierarchy to the root CA.
- Close the dialog boxes.
Checking a Certificate
Frauds have sometimes been perpetrated in which fake Web sites masquerade as genuine sites: when you think you are connecting to the genuine site, for example your online bank, you are in fact diverted to a fraudulent one designed to look like it and trick you into revealing your confidential details. This kind of fraud is called "phishing".
As a safeguard against this, you can view the certificate of the site you are connecting to, and check which name it was issued to and who issued it.
With Internet Explorer
If your browser is Internet Explorer:
- Go to the Web site for any online entity that needs secure communications, such as an online bank.
- Follow the links to the first logon page. You do not need to logon.
- Look at the URL. You should find that it begins with https instead of http. HTTPS is HTTP carried over an SSL connection.
- Look at your Web browser's status line. You should see a symbol like a padlock. This shows that communications on this page use SSL.
Some pages contain both secure (that is, encrypted) and insecure (unencrypted) content. If you view such a page, your browser might display a warning to this effect and ask whether you want to continue. If you choose to continue, the padlock symbol disappears, because Internet Explorer does not treat such pages as secure. You will need to try some other HTTPS page to continue with this tutorial.
- Double-click the padlock symbol. This displays the entity's certificate. Check that the "Issued To" name is the site you meant to visit.
- Click the Certification Path tab to show the hierarchy of CAs from the one that issued the certificate up to the root CA.
A Web site masquerading as the one you believe you have contacted could not present a convincing certificate, because no reputable CA, having checked up on the applicant, would sign a certificate in the genuine site's name for them. Your browser accepts a certificate only if it chains back to one of the genuine, reputable CAs in its list and the name in the certificate matches the address you asked for; an impostor's certificate fails one or both of these tests, and your browser will reject it or warn you.
However, even for the most respectable organizations, you will sometimes find warning messages on the General tab saying that in some respects the certificate is faulty. This is because some detail on the certificate is incorrect; for example, the expiry date may have passed. It is up to you to look at the details on the certificate and decide whether you trust the Web site despite this flaw. Bear in mind that an expired certificate from the expected issuer is a very different matter from a certificate whose issuer is unknown or whose name does not match the site: those are exactly the symptoms of the fraud described above.
With Mozilla Firefox
If your browser is Mozilla Firefox:
- Go to the Web site for any online entity that needs secure communications, such as an online bank.
- Follow the links to the first logon page. You do not need to logon.
- Look at the URL. You should find that it begins with https instead of http. HTTPS is HTTP carried over an SSL connection.
- Look at your Web browser's status line. You should see a symbol like a padlock. This shows that communications on this page use SSL.
Some pages contain both secure (that is, encrypted) and insecure (unencrypted) content. If you view such a page, your browser should display a warning to this effect and ask whether you want to continue. If you choose to continue, the padlock symbol appears with a line through it, because Firefox does not treat such pages as secure. You can still view the certificate, though.
- Double-click the padlock symbol.
- On the Page Info dialog box that appears, click View. This displays the entity's certificate. Check that the "Issued To" name is the site you meant to visit. If you click the Details tab, you will see the hierarchy of CAs from the one that issued the certificate up to the root CA.
A Web site masquerading as the one you believe you have contacted could not present a convincing certificate, because no reputable CA, having checked up on the applicant, would sign a certificate in the genuine site's name for them. Your browser accepts a certificate only if it chains back to one of the genuine, reputable CAs in its list and the name in the certificate matches the address you asked for; an impostor's certificate fails one or both of these tests, and your browser will reject it or warn you.
However, even for the most respectable organizations, you will sometimes find warning messages on the General tab saying that in some respects the certificate is faulty. This is because some detail on the certificate is incorrect; for example, the expiry date may have passed. It is up to you to look at the details on the certificate and decide whether you trust the Web site despite this flaw. Bear in mind that an expired certificate from the expected issuer is a very different matter from a certificate whose issuer is unknown or whose name does not match the site: those are exactly the symptoms of the fraud described above.
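What both browsers display in the Viewing and Checking sections above is a handful of fields decoded from the certificate's DER encoding, plus the issuer-to-subject links that form the certification path. The Python below is an illustration added to this page; it is not code from the original tutorial or from any Micro Focus product. It builds a small, unsigned sample store (a root CA, a subordinate CA, a bank site and an impostor; all names are invented) and reproduces the structural checks behind the padlock: "Issued To" and "Issued by", self-signed detection, walking the chain to a trusted root, validity dates, and a name match against the address you asked for. Signature verification, which a real browser also performs, is deliberately left out: the impostor is rejected here only because no trusted issuer for it exists.

```python
import datetime as dt

UTC = dt.timezone.utc

# ---- minimal DER encoder, used only to construct the sample certificates ----
def tlv(tag, body):
    n = len(body)
    if n >= 0x80:                                        # long-form length
        size = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(size)]) + size + body
    return bytes([tag, n]) + body
def oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        while p >> 7:
            p >>= 7
            chunk.insert(0, 0x80 | (p & 0x7F))
        out.extend(chunk)
    return tlv(0x06, bytes(out))
CN_OID = oid("2.5.4.3")                                   # id-at-commonName
def name(cn):                                             # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    return tlv(0x30, tlv(0x31, tlv(0x30, CN_OID + tlv(0x0C, cn.encode()))))
def utctime(d):                                           # UTCTime "YYMMDDHHMMSSZ"
    return tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
def make_cert(subject_cn, issuer_cn, not_before, not_after):
    """Constructed, UNSIGNED certificate: key and signature fields are placeholders."""
    alg = tlv(0x30, oid("1.2.840.113549.1.1.11"))                 # sha256WithRSAEncryption
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))                  # [0] version v3
                    + tlv(0x02, b"\x01") + alg + name(issuer_cn)   # serial, sig alg, issuer
                    + tlv(0x30, utctime(not_before) + utctime(not_after))
                    + name(subject_cn) + tlv(0x30, alg + tlv(0x03, b"\x00")))  # subject, placeholder SPKI
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))               # placeholder signature

# ---- decoder: the fields the certificate dialog displays ----
def read_tlv(buf, pos=0):
    """(tag, content, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out
def common_name(name_body):
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, attr_oid), (_, value) = children(atv)
            if attr_oid == CN_OID[2:]:                            # compare OID content bytes
                return value.decode()
    return "?"
def parse_time(b):
    s = b.decode()
    year = (1900 if int(s[:2]) >= 50 else 2000) + int(s[:2])     # RFC 5280 UTCTime century rule
    return dt.datetime(year, *(int(s[i:i + 2]) for i in range(2, 12, 2)), tzinfo=UTC)
def parse_cert(der):
    """The fields the browser labels Issued To, Issued By and Valid from/to."""
    fields = children(children(read_tlv(der)[1])[0][1])          # tbsCertificate
    if fields[0][0] == 0xA0:                                      # skip optional [0] version
        fields = fields[1:]
    # fields: serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo, ...
    not_before, not_after = [parse_time(v) for _, v in children(fields[3][1])]
    return {"subject": common_name(fields[4][1]), "issuer": common_name(fields[2][1]),
            "not_before": not_before, "not_after": not_after}

# ---- the checks behind the padlock (signature verification deliberately omitted) ----
def is_self_signed(cert):                                         # "Issued To" == "Issued By"
    return cert["subject"] == cert["issuer"]
def certification_path(leaf, store):
    """Follow issuer -> subject links through store to a self-signed CA, as the Certification
    Path tab does. Returns [leaf, ..., root], or None if the chain breaks."""
    path, cur = [leaf], leaf
    while not is_self_signed(cur):
        cur = next((c for c in store if c["subject"] == cur["issuer"]), None)
        if cur is None or cur in path:
            return None
        path.append(cur)
    return path
def check_site_certificate(leaf, intermediates, trusted_roots, hostname, now):
    """Warnings a browser would raise: untrusted issuer, expiry, name mismatch."""
    problems = []
    path = certification_path(leaf, intermediates + trusted_roots)
    if path is None or path[-1] not in trusted_roots:
        problems.append("issuer chain does not end at a trusted root CA")
    for c in path or [leaf]:
        if not c["not_before"] <= now <= c["not_after"]:
            problems.append(f"{c['subject']}: outside validity period")
    if leaf["subject"].lower() != hostname.lower():
        problems.append(f"name mismatch: certificate is for {leaf['subject']}, not {hostname}")
    return problems

# ---- constructed sample store: root CA, subordinate CA, a bank site and an impostor ----
VALID_FROM, VALID_TO = dt.datetime(2005, 1, 1, tzinfo=UTC), dt.datetime(2010, 1, 1, tzinfo=UTC)
TODAY, AFTER_EXPIRY = dt.datetime(2007, 6, 1, tzinfo=UTC), dt.datetime(2011, 1, 1, tzinfo=UTC)
ROOT = parse_cert(make_cert("Demo Root CA", "Demo Root CA", VALID_FROM, VALID_TO))
SUB = parse_cert(make_cert("Demo Subordinate CA", "Demo Root CA", VALID_FROM, VALID_TO))
BANK = parse_cert(make_cert("www.bank.example", "Demo Subordinate CA", VALID_FROM, VALID_TO))
IMPOSTOR = parse_cert(make_cert("www.bank.example", "Phish CA", VALID_FROM, VALID_TO))
```

Calling certification_path(BANK, [SUB, ROOT]) yields the three-entry path the Certification Path tab would show, and check_site_certificate(IMPOSTOR, [SUB], [ROOT], "www.bank.example", TODAY) yields the "untrusted root" warning; run against AFTER_EXPIRY, every certificate in the bank's chain is reported as outside its validity period, which is the milder warning the text describes. A real check would additionally verify each signature with the issuer's public key and match the host against the subjectAltName extension rather than the CN alone; both need a cryptography library and are outside what this demo constructs.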
Exporting a Certificate from Internet Explorer
To export a certificate from Internet Explorer in the appropriate format, ready for importing into Firefox:
- In Internet Explorer click Tools > Internet Options.
- Go to the Content tab and click Certificates.
- Go to the Trusted Root Certification Authorities tab and find the certificates marked Verisign Trust Network. There are several notable features of these certificates:
- There are multiple certificates, and each one is unique.
- The different certificates are used to confirm trust in different types of identification certificate.
- Some of these certificates have passed their expiry date. They are kept, rather than deleted, so that the trust path of certificates signed during their working life span can still be traced.
- Some of these certificates are direct replacements for expired or about-to-expire certificates.
- The life of a replacement certificate is typically far longer than that of the original. Replacing a root certificate means distributing the new one to every client that must trust it, which is a significant amount of manual work and is therefore seldom undertaken. To avoid repeating that distribution, it is in the interest of everyone relying on identification certificates that root certificates have a long life.
- Select a certificate and click Export.
- In Certificate Export Wizard, click Next.
- Choose the format required by your target browser. If you don't know which format is required, you can generate a few of the most common formats and save them to different files, so that the correct one is available. For this tutorial, select DER encoded binary X.509 and click Next.
- Specify <path>\DemoCA\Verisign as the name of the file to export to and click Next.
- On the final screen notice:
- Export Keys is always "No" when handling CA root certificates: you hold only the CA's certificate, never its private key.
- Include all certificates in the certification path is always "No" when using file formats that cannot hold more than one certificate. When exporting a server certificate signed by an intermediate CA you would usually export the complete chain of trust back to the trusted root CA; in that case you would have chosen a multi-certificate format, such as Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B), at the format step above.
- File Format should match the filename extension in most cases, although sub-formats such as .p7b and .p7c are sometimes interchanged to aid portability of the generated output file.
- Click Finish > OK and the file appears in the chosen directory.
- Close all the open IE dialog boxes.
Importing a Certificate into Mozilla Firefox
- In Firefox, go to Tools > Options.
- Go to the Advanced tab and the Security sub-tab and click View Certificates.
- Go to the Authorities tab and click Import. Note that the different tabs expect different file types; a file shown without an extension is assumed to be in the native format for that tab:
- Files with a .p12 extension are shown without the extension when you import from the Your Certificates tab.
- Files with a .cer extension are shown without the extension when you import from the other certificate type tabs.
This emphasises the value of understanding how a certificate's intended use determines the type of file used to transport it. Other certificate stores may have different rules about formats, so it is worth checking what the destination store expects before creating certificate files for it.
- Specify the file that you exported from Internet Explorer.
A message should pop up telling you that this certificate already exists, because Firefox ships with its own copy of this root. This confirms that the file was correctly formatted and read by the import tool.
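Because the export wizard lets you pick a format independently of the file name, and the file above was saved with no extension at all, it is useful to be able to tell the formats apart from their contents before importing. The Python below is an illustration added to this page, not code from the tutorial or from Micro Focus. It sniffs the outer ASN.1 structure of the three binary formats the wizard offers (DER .cer, PKCS #7 .p7b and PKCS #12 .pfx/.p12) and recognises the Base-64 (PEM) form; the sample inputs are constructed headers, not real exports, and the DER/PEM conversion uses the standard library's ssl helpers, which re-wrap bytes without validating them.

```python
import ssl

# Outer ASN.1 structure of the three binary formats in the Certificate Export Wizard:
#   Certificate ::= SEQUENCE { tbsCertificate SEQUENCE ... }       inner tag 0x30  (.cer, DER)
#   ContentInfo ::= SEQUENCE { contentType OBJECT IDENTIFIER ... }  inner tag 0x06  (.p7b, PKCS #7)
#   PFX         ::= SEQUENCE { version INTEGER, ... }               inner tag 0x02  (.pfx/.p12, PKCS #12)
SEQUENCE, OBJECT_ID, INTEGER = 0x30, 0x06, 0x02
FORMATS = {SEQUENCE: "DER encoded binary X.509 (.cer)",
           OBJECT_ID: "PKCS #7 certificate bundle (.p7b)",
           INTEGER: "PKCS #12 key and certificate store (.pfx/.p12)"}

def _content_start(data, pos):
    """Offset of the first content byte of the DER element whose tag sits at data[pos]."""
    first = data[pos + 1]
    return pos + 2 + ((first & 0x7F) if first & 0x80 else 0)    # skip long-form length bytes

def sniff_certificate_file(data: bytes) -> str:
    """Name the export format from the file's structure, not its (possibly missing) extension."""
    head = data.lstrip()
    if head.startswith(b"-----BEGIN "):                          # Base-64 encoded X.509 and friends
        label = head.split(b"\n", 1)[0].rstrip(b"\r")[11:-5].decode()
        return f"Base-64 encoded {label} (PEM)"
    if len(data) < 4 or data[0] != SEQUENCE:
        return "unknown"
    return FORMATS.get(data[_content_start(data, 0)], "unknown DER structure")

def der_to_pem(der: bytes) -> str:
    """Re-wrap DER as the Base-64 .cer flavour; no parsing or validation happens here."""
    return ssl.DER_cert_to_PEM_cert(der)

def pem_to_der(pem: str) -> bytes:
    return ssl.PEM_cert_to_DER_cert(pem)

# Constructed sample headers, not real exports: only the leading bytes matter to the sniffer.
X509_DER = b"\x30\x05\x30\x03\x02\x01\x01"                      # SEQUENCE { SEQUENCE { INTEGER 1 } }
P7B = b"\x30\x0b\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"  # SEQUENCE { OID pkcs7-signedData }
P12 = b"\x30\x03\x02\x01\x03"                                  # SEQUENCE { INTEGER 3 } (PFX version)
```

Feed it the bytes of the exported Verisign file and it reports the DER form chosen above regardless of the missing extension; a .p7b exported with the chain included is distinguished by the PKCS #7 content-type OID that follows the outer SEQUENCE, and a .p12 by its leading version INTEGER. The sniffer reads only the outer header, so it tells you what kind of file you have, not whether the certificates inside are well-formed or trusted.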
Copyright © 2007 Micro Focus (IP) Ltd. All rights reserved.