Obtaining certificates for client authentication
Certificates can be obtained from one of the following:
- Certificate Authority (CA)
Create a client certificate request and submit it to the CA. After receiving the certificate, export it to a password-protected JKS file and send the file and its password to the user, preferably by separate channels. Make sure the file is securely sent. If a non-secure protocol such as e-mail, HTTP, or FTP is used to send the file over the Internet, the certificate and the private key stored with it can be compromised.
- Self-signed certificate
You can use a self-signed certificate while you are waiting for the CA's certificate, which can take some time. If you decide that the self-signed certificate provides adequate security, you can use it permanently.
For performance reasons, limit the use of this option. Validation of self-signed certificates can significantly degrade a server's performance.
Any open source certificate management tool can be used that creates certificate requests and self-signed certificates, and stores certificates in a client key database.
- Browser certificate
Users who already have a certificate for their browsers can use it directly, or they can export the certificate into a JKS file and save it on their workstations to be used for client authentication. Optionally, the certificate can be stored on specialized external media, such as a smart card.
Certificates exported from an older browser are usually weakly encrypted, and the file's encryption is the only protection for the private key if the certificate is ever accessed over the Internet with a non-secure protocol such as HTTP or FTP. Re-encrypt such certificates with strong encryption. To change the encryption strength:
- Click Communication > Security.
- Click Show Client Certificate.
- Locate the certificate and enter the current password.
- Click View Certificate.
- Click Settings.
- Type the current password, and choose Strong for Encryption Strength.
- Click OK.
Sending the certificate request to the CA
Access the CA's Web site and then follow the instructions to request the certificate. Here are the URLs of two CAs:
- VeriSign: http://www.verisign.com/
- Thawte: http://www.thawte.com/
Depending on the CA you choose, you can either e-mail the certificate request or paste it into the form or file provided by the CA. If you need the CA's root certificate, you can often get it directly from the Web site; before adding it to a key database, verify its fingerprint against a value the CA publishes through another channel.
While you are waiting for the CA to process your certificate request, you can create a self-signed certificate to use.
Receiving the certificate
When you receive the certificate, make sure that it is in armored-64 (base64-encoded PEM) or binary DER format. Only certificates in these formats can be stored in the key database. The Certificate Management program accepts only simple certificates: it cannot accept certificate chains or PKCS7 data, so if the CA returns a chain or a PKCS7 file, extract the single certificate first. The armored-64 form of a simple certificate starts with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----" (five hyphens on each side), and the file contains exactly one such block.
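The format checks in the paragraph above can be automated before a received file is loaded into the key database. The following Python is an added example, not part of this documentation or of the Certificate Management program. It decides whether a received file is a simple armored-64 or binary DER certificate, a certificate chain, or PKCS7 data, and extracts the first certificate of a chain as a simple certificate. The two sample DER objects are constructed for the example (they have only the outer structure of an X.509 certificate and of a PKCS7 ContentInfo, not real contents), and the function names are chosen for the example.

```python
import base64
import re

# Constructed sample objects so the example runs offline. They are NOT real
# certificates, only DER structures with the outer shape of each format.
# X.509 Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { ... }, ... }
SAMPLE_CERT_DER = bytes.fromhex("30053003020101")
# PKCS#7 ContentInfo ::= SEQUENCE { contentType OID 1.2.840.113549.1.7.2, ... }
SAMPLE_PKCS7_DER = bytes.fromhex("300b06092a864886f70d010702")

# One armored block: five hyphens, a label, base64 body, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def to_pem(der, label="CERTIFICATE"):
    """Armored-64 (PEM) encoding of a DER object: base64 between BEGIN/END lines."""
    body = base64.encodebytes(der).decode("ascii")      # wrapped, ends with newline
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


def _der_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, offset of first content byte)."""
    first = buf[pos]
    if first < 0x80:                                    # short form
        return first, pos + 1
    n = first & 0x7F                                    # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_der(der):
    """'certificate', 'pkcs7' or 'unknown' for one binary DER object."""
    if len(der) < 3 or der[0] != 0x30:                  # both formats are an outer SEQUENCE
        return "unknown"
    try:
        length, content = _der_length(der, 1)
    except ValueError:
        return "unknown"
    if length == 0 or content + length != len(der):    # truncated, or more than one object
        return "unknown"
    if der[content] == 0x30:                            # first element is tbsCertificate
        return "certificate"
    if der[content] == 0x06:                            # first element is the contentType OID
        return "pkcs7"
    return "unknown"


def pem_blocks(text):
    """All PEM blocks in text as (label, der) pairs; the base64 is validated strictly."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        b64 = "".join(m.group(2).split())
        blocks.append((m.group(1), base64.b64decode(b64, validate=True)))
    return blocks


def classify(data):
    """Classify a received certificate file (bytes or str).

    'pem-certificate' and 'der-certificate' are simple certificates the key
    database can take; 'pem-chain', 'pem-pkcs7', 'der-pkcs7' and 'unknown'
    must be converted or rejected first.
    """
    raw = data.encode("utf-8") if isinstance(data, str) else data
    if b"-----BEGIN " in raw:
        try:
            blocks = pem_blocks(raw.decode("ascii"))
        except ValueError:                              # non-ASCII text or bad base64
            return "unknown"
        labels = [label for label, _ in blocks]
        if labels == ["CERTIFICATE"]:
            ok = classify_der(blocks[0][1]) == "certificate"
            return "pem-certificate" if ok else "unknown"
        if labels and all(label == "CERTIFICATE" for label in labels):
            return "pem-chain"
        if labels == ["PKCS7"]:
            return "pem-pkcs7"
        return "unknown"
    kind = classify_der(raw)
    return {"certificate": "der-certificate", "pkcs7": "der-pkcs7"}.get(kind, "unknown")


def leaf_certificate_pem(text):
    """Re-armor the first CERTIFICATE block of a chain as a simple certificate."""
    for label, der in pem_blocks(text):
        if label == "CERTIFICATE":
            return to_pem(der)
    raise ValueError("no CERTIFICATE block found")


if __name__ == "__main__":
    # constructed chain (leaf followed by issuer), the form the tool rejects
    chain = to_pem(SAMPLE_CERT_DER) + to_pem(SAMPLE_CERT_DER)
    print(classify(chain))                              # pem-chain
    print(classify(leaf_certificate_pem(chain)))        # pem-certificate
```

The DER check only confirms that the file holds exactly one top-level object of the right shape; it is a format gate, not a validation of the certificate's signature or chain, which the key database tooling still has to do after import.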
To receive the certificate:
- Add the certificate to the key database, ServerKeyStore.jks.
- Export the certificate into a password-protected JKS file and send the file and the password to the user, preferably by separate channels.
Make sure the certificate is securely sent. If a non-secure protocol such as e-mail, HTTP or FTP is used to send the file over the Internet, the certificate and the private key stored with it can be compromised.
A certificate can be stored anywhere on the client's computer, on a diskette, or on a Web server. If it is placed on a Web server, restrict who can download it and serve it only over HTTPS; otherwise the JKS password is the only protection for the private key.