
User Guide - TheGreenBow


Contents

1. TheGreenBow IPSec VPN Client User Guide: Using Certificates
WebSite: http://www.thegreenbow.com
Contact: support@thegreenbow.com
Certificates User Guide, Property of TheGreenBow Sistech SA, Sistech 2001-2005

Table of contents
1 Introduction
1.1 Goal of the document
1.2 Features
2 Managing certificates
2.1 Using certificates
2.2 Importing PKCS#12 certificate
2.3 Importing PEM files
2.4 Reading smart cards
2.5 Configuration options
3 Using Microsoft Certificates Server
3.1 Installing Microsoft Certificate Server
3.2 Generating Certificates
3.2.1 Generating a user certificate
3.2.2 Signing a Certificate Request
3.3 Certificate Export
4 Using OpenSSL
4.1 Generating Certificates
4.1.1 Generating a self signed Certificate
4.1.2 Generating a User Certificate
4.2 Additional TgbSmallPKI tools
4.2.1 Displaying Certificate information
2. TgbClient.p12
    User Certificate at TgbClient\TgbClient.pem
    User Private Key at TgbClient\local.key
    User Certificate Subject is
    subject=/C=FR/ST=France/L=Paris/O=TheGreenBow/OU=VPN/CN=TheGreenBow VPN Client/Email=TgbClient@thegreenbow.fr

The most relevant files in the TgbClient folder are:
- TgbClient.pem: the User Certificate
- Local.key: the User Certificate private key
- Subject.txt: the User Certificate subject
- TgbClient.p12: a PKCS12 format file containing the user and root Certificates and the user certificate private key

4.2 Additional TgbSmallPKI tools
In the following section we show how to display Certificate information and how to extract Certificates and private keys from a PKCS12 format file.
- Pkcs12.bat: converts a P12 file into PEM files.
- CAinfo.bat: displays the information of a PEM Certificate.

4.2.1 Displaying Certificate information
Displaying Certificate information can be useful to retrieve several fields such as the Issuer, the Validity date and the Subject. The CAinfo script displays the information of a User Certificate. It requires the Certificate file as a parameter. To display more information about TgbClient.pem (TheGreenBow User Certificate generated in section 4.1.2), run:
    CAinfo TgbClient\TgbClient.pem
    Certificate TgbClient\TgbClient.pem information
    Certificate:
    Data:
    Ver
3. 4 Using OpenSSL
OpenSSL is a free, non-commercial toolkit that provides a wide range of cryptographic operations. It also includes utilities for Certificate management. More details about building and using OpenSSL can be found at http://www.openssl.org

Since the openssl program is a command line tool, we have written several batch scripts for Certificate generation and management. Unzip TgbSmallPKI.zip into C:\TgbSmallPKI for instance; in the following sections we assume that this path is our working folder. The working folder contains:
- RootCA.bat: generates a self signed root Certificate.
- UserCA.bat: generates a user certificate signed by the root Certificate.
- Pkcs12.bat: converts a P12 file into PEM files.
- CAinfo.bat: displays the information of a PEM Certificate.
- CAsign.bat: signs a Certificate Request.
- The Bin folder contains:
  - openssl.cnf: a large part of what goes into a Certificate depends on the contents of this configuration file. It is divided into sections, which helps to make the configuration more modular. You can customize this file depending on your needs (see the OpenSSL documentation for more details).
  - openssl.exe, libeay32.dll and ssleay32.dll are the toolkit core for Windows platforms.
- ReadME.txt: a documentation file.

4.1 Generating Certificates
In the following section we show how to generate a self signed root Certificate, an User
4. Welcome page.
Certificates User Guide, Property of TheGreenBow Sistech SA, Sistech 2001-2005, 2 0 Nov 2006
- Click Advanced Certificate Request on the Request a Certificate page.
- Click Create and submit a request to this CA on the Advanced Certificate Request page.
- Fill the Advanced Certificate Request page (a sample is shown below). You must check Mark keys as exportable, as TheGreenBow VPN IPSec Client needs the Certificate private key to establish a tunnel. Click Submit.

[Screenshot: Microsoft Certificate Services, Advanced Certificate Request form]
Identifying Information: Name: TheGreenBow VPN Client; E-Mail: TgbClient@thegreenbow.fr; Company: TheGreenBow; Department: VPN; City: Paris; State: France; Country/Region: FR
Type of Certificate Needed: Client Authentication Certificate
Key Options: Create new key set / Use existing key set; CSP: Microsoft Enhanced Cryptographic Provider v1.0; Key Usage: Exchange / Signature / Both; Key Size: 1024 (common key sizes: 512, 1024, 2048, 4096, 8192, 16384); Automatic key container name / User specified key container name; Mark keys as exportable; Export keys to file; Enable strong private key protection; Store certificate in the local computer certificate store: Stores the certificate in the local computer store instead of in the user's certificate
5. store. Does not install the root CA's certificate. You must be an administrator to generate or use a key in the local machine store.
Additional Options: Request Format: CMC / PKCS10; Hash Algorithm: SHA-1 (only used to sign request); Save request to a file; Attributes; Friendly Name: TgbClient

After processing, the Certificate Pending page appears. You have to wait until your request is accepted and validated by your Microsoft Certificate Server administrator.

[Screenshot: Certification Authority console with the Revoked Certificates, Issued Certificates, Pending Requests and Failed Requests folders]

- To retrieve your Certificate, return to Microsoft Certificate Server's home page and click View the status of a pending Certificate Request.
- In the View the Status of a Pending Certificate Request page, select the request you want to view.
- The Certificate Issued page appears as shown below.

[Screenshot: Microsoft Certificate Services, Certificate Issued page: "The certificate you requested was issued to you."]

To add the current Certificate to your local Certificates Store, click the Install this Certificate
6. [Screenshot: Certificate Issued page: "The certificate you requested was issued to you." Options: DER encoded or Base 64 encoded; Download certificate; Download certificate chain]
- Click Download Certificate. A file download dialog pops up; press the Save button. The default file name is certnew.cer.

3.3 Certificate Export
Certificates installed in the Internet Explorer Certificate store can be exported using the PKCS12 file format. To export Certificates from the Internet Explorer Certificate store:
- Run Internet Explorer.
- Open Internet Options in the Tools menu.
- Select the Content tab, then click the Certificates button.
- In the Certificates dialog box, open the Personal tab. Select the Certificate to export as shown below.

[Screenshot: Certificates dialog, Personal tab, with the certificate to export selected (friendly name TgbClient; certificate intended purposes: Client Authentication)]

- Click Export.
- In the Certificate Export Wizard, click Next.
- In the Export Private Key page, select Yes, export the private key, as needed by TheGreenBow VPN IPSec Client.

[Screenshot: Certificate Export Wizard, Export Private Key page] You can choose to export the private key with the certificate. Private keys are password pro
7. 5 Troubleshooting
You will be able to find all troubleshooting issues listed in a TroubleShooting Document (pdf) on our website. The document is available at www thegreenbow com vpn doc html

6 Contacts
Information and updates are available at http://www.thegreenbow.com
Technical support by email at support@thegreenbow.com
Sales at 33 1 43 12 39 37 or by email at sales@thegreenbow.com
8. Certificate and sign a Certificate Request using OpenSSL for Windows.

4.1.1 Generating a self signed Certificate
A self signed Certificate is a Certificate that is not signed by a recognized Certificate Authority. A self signed Certificate can be used to act as a Certificate Authority: issuing, renewing and revoking Certificates. To create a self signed Certificate, run RootCA. Below is a sample output:
    Creating Root CA folders
    Root CA folder set to RootCA
    Root CA key length is 1024 bits
    Root CA validity is 3650 days
    The system cannot find the file specified.
    Creating CA private key 1024 bits 3650 days
    Loading 'screen' into random state - done
    Generating RSA private key, 1024 bit long modulus
    e is 65537 (0x10001)
    CA autosigning 1024 bits 3650 days
    Using configuration from .\Bin\openssl.cnf
    You are about to be asked to enter information that will be incorporated
    into your Certificate Request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) FR FR
    State or Province Name (full name) France France
    Locality Name (eg, city) Paris
    Organization Name (eg, compa
9.  Creating User CA private key 1024 bits
    Loading 'screen' into random state - done
    Generating RSA private key, 1024 bit long modulus
    e is 65537 (0x10001)
    Signing User CA
    Using configuration from .\Bin\openssl.cnf
    You are about to be asked to enter information that will be incorporated
    into your Certificate Request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) FR FR
    State or Province Name (full name) France France
    Locality Name (eg, city) Paris
    Organization Name (eg, company) TheGreenBow TheGreenBow
    Organizational Unit Name (eg, section) VPN
    Common Name (eg, YOUR name) TheGreenBow VPN Client
    Email Address TgbClient@thegreenbow.fr
    Please enter the following 'extra' attributes
    to be sent with your Certificate Request
    A challenge password tgobcapwd
    An optional company name TheGreenBow
    Loading 'screen' into random state - done
    Signature ok
    subject=/C=FR/ST=France/L=Paris/O=TheGreenBow/OU=VPN/CN=TheGreenBow VPN Client/Email=TgbClient@thegreenbow.fr
    Getting CA Private Key
    User CA in P12 Format
    Loading 'screen' into random state - done
    Enter Export Password:
    Verifying password - Enter Export Password:
    TgbClient.p12 created in
10. 2.4 Reading smart cards
In the certificate management window, select Certificate from a smart card.
[Screenshot: Certificates import window with Certificate from a SmartCard selected and a Select a Smart Card Reader list]
Select the smart card reader in the smart card list.
[Screenshot: Smartcard PIN code dialog: "Please enter the Smart Card PIN code"]
Enter the smart card PIN code.
[Screenshot: Certificates import window showing the Root Certificate and User Certificate subjects, the card ATR and the PKCS#11 middleware found]
If the PIN is correct, the subject of the certificate is displayed in the window.
If the smart card is not supported, an error message is displayed.
[Screenshot: Root Certificate, User Certificate, User Private Key] Choose below the Certificate location and t
11. [Screenshot: Windows Components Wizard, CA Type: "Select the type of CA you want to set up": Enterprise root CA, Enterprise subordinate CA, Stand-alone subordinate CA. Description of CA type: "The most trusted CA in a CA hierarchy. To install an enterprise CA, Active Directory is required; you must also be a member of the Enterprise Admins group." Checkbox: Use custom settings to generate the key pair and CA certificate]
- Update/customize the Public and Private Key Pair page as shown below. Click Next.
[Screenshot: Windows Components Wizard, Public and Private Key Pair: "Select a cryptographic service provider (CSP), hash algorithm, and settings for the key pair." CSP list: Microsoft Base DSS Cryptographic Provider, Microsoft Enhanced Cryptographic Provider v1.0, Microsoft Strong Cryptographic Provider, Schlumberger Cryptographic Service Provider; Hash algorithm; Allow this CSP to interact with the desktop; Key length: 1024; Use an existing key]
- Update/customize the CA Identifying Information page as shown below. Click Next.
[Screenshot: Windows Components Wizard, CA Identifying Information: "Enter information to identify this CA." Common name for this CA: TgbCA] Distinguishe
12. 2 Managing certificates
2.1 Using certificates
X509 certificates and smart cards are managed in the phase 1 settings. A phase 1 must be created.
[Screenshot: TheGreenBow VPN Client, Phase 1 settings: Name, Interface, Remote Gateway, Preshared Key, Certificate, Certificates Import, Encryption, Authentication, Key Group]
Click on Certificate and then on Certificates Import.
In the Certificates import window, the user can import certificate files into the VPN configuration or read them from a smart card.
[Screenshot: Certificates import window showing Root Certificate, User Certificate and User Private Key, with a drop-down list: Certificate from a PKCS#12 file, Certificate from a PEM file, Certificate from a SmartCard]
TheGreenBow VPN client supports the following certificate file formats:
- PKCS#12 files
- PEM files
- CRT files
13. d name suffix. Preview of distinguished name: CN=TgbCA, DC=TheGreenBow, DC=fr. Validity period, expiration date: 20/04/2015 14:48 [screenshot text]
- On the Certificate Database Settings page, use the default locations for the Certificate Database and Certificate Database Log. You do not need to specify a shared folder to store configuration information because this information will be stored in the Active Directory. Click Next.
- Click Yes on the Microsoft Certificate Services dialog box that informs you that Internet Information Services must be stopped temporarily.
- Click Yes on the Microsoft Certificate Services dialog box that informs you that Active Server Pages must be enabled on IIS if you wish to use the Certificate Services Web enrollment site.
- Click Finish on the Completing the Windows Components Wizard page.
- Close the Add or Remove Programs window.

3.2 Generating Certificates
In this section we provide the full steps to generate a user certificate and sign a Certificate Request.

3.2.1 Generating a user certificate
This section describes the generation of a User certificate for TheGreenBow VPN IPSec Client. It also applies to any other VPN IPSec end point, like a VPN router. To generate a user certificate:
- Connect to your Certificate Server, http://ServerName/CertSrv, where ServerName is the name of the CA issuing machine.
- Click Request a Certificate on the
14. k Add or Remove Programs.
- Click the Add/Remove Windows Components button in the Add or Remove Programs window.
- On the Windows Components window, click on the Application Server entry and click the Details button.
- On the Application Server page, click on the Internet Information Services (IIS) entry and click the Details button.
- In the Internet Information Service (IIS) dialog box, put a checkmark in the World Wide Web Service checkbox and click OK.
- Click OK on the Application Server dialog box.
- Click Next on the Windows Components dialog box.
- Click Finish on the Completing the Windows Components Wizard page.

Microsoft Certificate Server (with a stand-alone root CA) installation steps:
- Click Start, point to Control Panel and click Add/Remove Programs.
- In the Add or Remove Programs window, click the Add/Remove Windows Components button.
- In the Windows Components dialog box, click on the Certificate Services entry and click the Details button.
- In the Certificate Services dialog box, put a checkmark in the Certificate Services CA checkbox.
- Both the Certificate Services CA and Certificate Services Web Enrollment Support checkboxes are checked. Click OK in the Certificate Services dialog box.
- Click Next in the Windows Components dialog box.
- Update the CA Type page as shown below. Click Next.
15. le.
- Click Browse for a file to insert and browse to the certificate request file, then click the Read button. The Submit a Certificate Request or Renewal Request page looks like:
[Screenshot: Microsoft Certificate Services, TgbCA, Submit a Certificate Request or Renewal Request: "To submit a saved request to the CA, paste a base-64-encoded CMC or PKCS #10 certificate request or PKCS #7 renewal request generated by an external source (such as a Web server) in the Saved Request box." Saved Request box containing a base-64-encoded certificate request; Browse for a file to insert; Additional Attributes]
- Click Submit. After processing, the Certificate Pending page appears. You have to wait until your request is accepted and validated by your Microsoft Certificate Server administrator.
- To retrieve your Certificate, return to Microsoft Certificate Server's home page and click View the status of a pending Certificate Request.
- In the View the Status of a Pending Certificate Request page, select the request you want to view.
- The Certificate Issued page appears as shown below.
16. ny) TheGreenBow TheGreenBow
    Organizational Unit Name (eg, section) Authority Certificate
    Common Name (eg, YOUR name) TheGreenBow CA
    Email Address TgbCA@thegreenbow.fr
    Please enter the following 'extra' attributes
    to be sent with your Certificate Request
    A challenge password capassword
    An optional company name TheGreenBow
    Loading 'screen' into random state - done
    Signature ok
    subject=/C=FR/ST=France/L=Paris/O=TheGreenBow/OU=Authority Certificate/CN=TheGreenBow CA/Email=TgbCA@thegreenbow.fr
    Getting Private key
    Root Certificate at RootCA\RootCA.pem
    Root Private Key at RootCA\CAKey.key

The root Certificate (RootCA.pem) and its private key (CAKey.key) are located in the RootCA folder.

4.1.2 Generating a user certificate
When X.509 Certificate authentication is chosen within IKE, a User certificate is used to identify a VPN IPSec end point and to perform signature verification operations. The UserCA script generates a user Certificate, its private key and a PKCS12 file. It requires an intermediate folder as a parameter. It can be used to generate Certificates for all VPN IPSec end points. To generate all required files for TheGreenBow VPN IPSec Client, run:
    UserCA TgbClient
    Creating User CA folder
    Creating User Certificate folder at .\TgbClient
    User CA key length is 1024 bits
    User CA validity is 3650 days
17. rtificates using Microsoft Certificate Server.

3.1 Installing Microsoft Certificate Server
Microsoft Certificate server comes as a part of the Windows NT/2000/2003 server option packs. The Certificate server needs Microsoft Internet Information Server (IIS) and Microsoft Internet Explorer (IE) before it can be used. The enrollment Web pages provided by Certificate Services allow you to connect to the service with a Web browser and to do common tasks, such as requesting the certification authority, processing a Certificate Request file, or processing a Smart Card enrollment file. The Web pages will be located at http://ServerName/CertSrv, where ServerName is the name of the CA issuing machine. For information on configuring Microsoft Certificate Services on Windows 2000 server, see the following URLs:
- On Setting up a Certificate Authority: http://www.microsoft.com/windows2000/techinfo/planning/security/casetupsteps.asp
- On Microsoft Certificate Services Web Pages: http://www.microsoft.com/windows2000/techinfo/planning/security/cawebsteps.asp
- On Administering Microsoft Certificate Services: http://www.microsoft.com/windows2000/techinfo/planning/security/adminca.asp

Below we provide the required steps to install Internet Information Server (IIS 6.0) and Microsoft Certificate Server (MCS) with a stand-alone root CA on Windows 2003 Server.

Microsoft Internet Information Server installation steps:
- Click Start, point to Control Panel and clic
18. s indicate that the data is now stored in TheGreenBow VPN Client configuration file.

2.3 Importing PEM files
In the certificate management window, select Certificate from a PEM file in the drop-down list.
[Screenshot: Certificates import window with buttons Import a PEM Root Certificate, Import a PEM User Certificate, Import a Private Key]
Click on each Import button to import the Certificate Authority (CA) public key, the user public key and the user private key.
[Screenshot: file selection dialog, files of type Certificates PEM]
Select the file and click on Open.
[Screenshot: Certificates import window showing the Root Certificate and User Certificate subjects]
Once the files are imported, the subjects of the user certificate and its issuer are displayed.
19. sion: 1 (0x0)
    Serial Number: 1 (0x1)
    Signature Algorithm: md5WithRSAEncryption
    Issuer: C=FR, ST=France, L=Paris, O=TheGreenBow, OU=Authority Certificate, CN=TheGreenBow CA, Email=TgbCA@thegreenbow.fr
    Validity
        Not Before: Apr 19 12:44:03 2005 GMT
        Not After : Apr 17 12:44:03 2015 GMT
    Subject: C=FR, ST=France, L=Paris, O=TheGreenBow, OU=VPN, CN=TheGreenBow VPN Client, Email=TgbClient@thegreenbow.fr
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
        RSA Public Key: (1024 bit)
            Modulus (1024 bit):
            Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
20. 1 Introduction
1.1 Goal of the document
This document explains how to use certificates with TheGreenBow IPSec VPN Client. These certificates can be stored on a smart card or imported from a PKCS#12 file. This document also explains how to use a third-party Certification Authority in order to generate X509 Certificates and to open a VPN tunnel securely. There are many options to generate Certificates, like using Microsoft Certificates server (i.e. Microsoft Certificate Service, available under Windows 2000/2003 Server), OpenSSL, or some VPN Routers themselves.

1.2 Features
Two kinds of certificates can be imported to TheGreenBow VPN Client: PKCS#12, PEM certificates. Certificates can be stored in a smart card whose access is protected by a PIN code. TheGreenBow VPN Client uses them dynamically while establishing a tunnel.
A certificate has three parts:
- certificate authority public key
- user certificate public key
- user certificate private key
Once imported, these keys are stored in the configuration file. One certificate is bound to one tunnel. All configuration elements can be easily exported to another computer. In the case of a smart card, the configuration file contains none of the three keys.
21. 2.2 Importing PKCS#12 certificate
From the drop-down list, select Certificate from a PKCS#12 file.
[Screenshot: Certificates import window with Certificate from a PKCS#12 file selected and the button Import Certificates from a PKCS#12 file]
And click on Import.
[Screenshot: file selection dialog, files of type Certificates P12]
Select the PKCS#12 file and click on Open.
[Screenshot: PKCS12 file password dialog: "Please enter the file password below"]
The file can be protected by a password. If not, the edit box can be left empty. Click on OK to import the file.
[Screenshot: Certificates import window showing the Root Certificate and User Certificate subjects]
If the password is correct and the file is not corrupted, the subject of the certificate and the subject of the issuer of the certificate are displayed. The key icon
22. tected. If you want to export the private key with the certificate, you must type a password on a later page. Do you want to export the private key with the certificate? Yes, export the private key / No, do not export the private key [screenshot text]
- In the Export File Format page, select Include all Certificates in the certification path if possible. The Root CA is also exported, as needed by TheGreenBow VPN IPSec Client.
[Screenshot: Certificate Export Wizard, Export File Format: "Certificates can be exported in a variety of file formats. Select the format you want to use": DER encoded binary X.509 (.CER); Base-64 encoded X.509 (.CER); Cryptographic Message Syntax Standard, PKCS #7 Certificates (.P7B), with Include all certificates in the certification path if possible; Personal Information Exchange, PKCS #12 (.PFX), with Include all certificates in the certification path if possible, Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above), Delete the private key if the export is successful]
- Click Next.
- In the Password page, type and confirm your password, then click Next.
- In the File to Export page, specify the destination file path, then click Next.
- In the Completing the Certificate Export Wizard page, click Finish.
23. [Screenshot: Certificate Issued page: "The certificate you requested was issued to you." Install this certificate]
[Screenshot: Root Certificate Store dialog: "Do you want to ADD the following certificate to the Root Store?" Subject: TgbCA, TheGreenBow, fr; Issuer: Self Issued; Time Validity: Wednesday, April 20, 2005 through Monday, April 20, 2015; Serial Number: 744F234C 526E4484 471E41B5 F0949521; Thumbprint (sha1): DBADC900 7C741292 E0837DF0 EE18B26D D5D97F21; Thumbprint (md5): E418FC22 A00B2FFF 19F8FBF5 71A97FF8]
After processing, the Certificate Installed page appears, confirming the successful installation of the Certificate in the Internet Explorer Certificate store.
[Screenshot: Microsoft Certificate Services, TgbCA, Certificate Installed: "Your new certificate has been successfully installed."]
To export a Certificate from the Internet Explorer Certificate store, see section 3.3.

3.2.2 Signing a Certificate Request
To sign the Certificate Request using Microsoft Certificate Server:
- Connect to your Certificate Server, http://ServerName/CertSrv, where ServerName is the name of the CA issuing machine.
- Click Request a Certificate on the Welcome page.
- Click Advanced Certificate Request on the Request a Certificate page.
- Click Submit a Certificate Request by using a base 64 encoded CMC or PKCS 10 file, or submit a renewal request by using a base 64 encoded PKCS 7 fi
24. ype: Certificate from a SmartCard. Select a Smart Card Reader. [Screenshot error text: "Unknown ATR, this smart card may not be supported. No PKCS#11 middleware for this smart card was found. You can set PKCS#11 middleware with the command line: vpnconf.exe addmiddleware path to the d"]
Read the next section for details about making your smart card supported.

2.5 Configuration options
Several smart card options are available for IT managers. It is possible to force the use of a specific PKCS#11 middleware, for example. Administrative rights are required for using these options.
- addmiddleware path_to_middleware.dll: manually sets the path to the PKCS#11 DLL that must be used by the client.
- checkkeyusage yes no: by default, TheGreenBow VPN client does not check X509 key usage extensions. If yes is used, the VPN client will only look for certificates that have the digital signature (DIGITAL_SIGNATURE) key usage. This parameter is only used for certificates read from smart cards.

3 Using Microsoft Certificates Server
In this section we provide the full steps to generate a user certificate, sign a Certificate Request and export Ce
