Tuesday Jan 12, 2010

Request an Object Signing certificate from SunPKI Store with an Aladdin eToken Pro on Windows OS

Hardware Security Module (HSM): Aladdin eToken Pro 72K
Software environment: Windows XP SP2 + eToken PKI Client 5.1 + JDK 1.6

Part 1: select Aladdin eToken Pro as the HSM device

An Object Signing certificate request can only be approved if the request was submitted using an HSM device. An HSM device is a specialized piece of cryptographic hardware that generates the private key and protects it during every operation that uses that key.

For object signing, especially for signing objects in the form of JAR files (using jarsigner), the cryptographic hardware devices of choice are:
(i) Sun Crypto Accelerator 6000 PCIe Adapter (SCA 6000), and
(ii) SafeNet/Aladdin eToken (USB connected cryptographic device).

Since the first one is too expensive (about $1300), we chose the Aladdin eToken Pro 72K (about $60).

Part 2: Prepare the Aladdin eToken Pro

2.1 Install the Aladdin eToken PKI Client, which can be downloaded from the Aladdin web site or requested from your Aladdin agent.

2.2 Plug the eToken into a USB slot of the system and select the "Initialization" function of the PKI Client to initialize the eToken.

2.3 Set a personal password for the eToken (referred to as <pin> below).

Part 3: Request an Object Signing Certificate from SunPKI Store

3.1 Create the file 'eToken-pkcs11.cfg' in the current directory with the following two lines:

name = eToken
library = c:\\WINDOWS\\system32\\eTPKCS11.dll

3.2 Generate the key pair with the following command:

keytool -genkey -alias <alias> -validity 365 -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken-pkcs11.cfg -storepass <pin>

What is your first and last name?
  [Unknown]:  <your object name & version> (e.g. Sun Device Detection Tool)
What is the name of your organizational unit?
  [Unknown]:  <whatever> (e.g. Sun Microsystems Inc System)
What is the name of your organization?
  [Unknown]:  Sun Microsystems Inc (e.g. Sun Microsystems Inc)
What is the name of your City or Locality?
  [Unknown]:  <whatever> (e.g. Menlo Park)
What is the name of your State or Province?
  [Unknown]:  <whatever> (e.g. California)
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=..., OU=..., O="Sun Microsystems Inc", L=..., ST=..., C=US correct?
  [no]:  yes

NOTE:

[1] Make sure JDK 1.6 is installed.

[2] In Special Publication SP 800-57 Part 1 [SP800-57], NIST recommends using at least 2048-bit public keys for securing information beyond 2010 (and 3072-bit keys for securing information beyond 2030). So we use '-keysize 2048' to generate the key pair.

[3] The country code must be "US". Otherwise the next step would fail.

[4] The generated key pair can be checked with the following command:

keytool -list -v -alias <alias> -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken-pkcs11.cfg -storepass <pin>


3.3 Generate the CSR with the following command:

keytool -certreq -alias <alias> -file ./certreq.csr -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken-pkcs11.cfg -storepass <pin>

3.4 Submit CSR

Refer to https://wikis.sun.com/display/SunPKIstore/Corp+Object+Signing

3.5 Receive the certificate

You will receive an email from pkiadm@sun.com containing the certificate chain. The email contains the certificates in two forms, ASCII/Base64 encoded and a binary PKCS7 attachment. Import the ASCII/Base64 encoded form (not the PKCS7), because importing the PKCS7 chain may not work due to bug 6731685 (fixed in JDK 7, but not in earlier releases).

The ASCII/Base64 encoded form is a block of ASCII characters enclosed between
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----

Copy the ASCII/Base64 encoded certificate (all of those ASCII characters, including the two lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) and paste it into a single text file saved as 'cert.ascii'.

3.6 Import the certificate with the following command:

keytool -importcert -v -trustcacerts -file cert.ascii -alias <alias> -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken-pkcs11.cfg -storepass <pin>

3.7 Verify the installed certificate chain with the following command:

keytool -list -v -alias <alias> -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken-pkcs11.cfg -storepass <pin>

3.8 Sign JAR files with the following command:

jarsigner -verbose -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken-pkcs11.cfg -storepass <pin> <a jarfile name> <alias>

NOTE:

In steps 2, 3, 6, 7 and 8 of Part 3, the eToken must be plugged in.
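Steps 3.5 and 3.6 are done by hand above. As an added example that is not part of the original post, the following Python script does the copy-and-paste mechanically: it pulls every -----BEGIN CERTIFICATE----- block out of the saved mail body, checks that each payload is valid Base64 DER, skips the PKCS7 block that triggers the import problem the post describes, and writes 'cert.ascii' for keytool -importcert. The sender address and bug number come from the post; the sample mail text and the tiny DER stand-ins are constructed for the demonstration.

```python
import base64
import re

# Added example, not from the original post: pull the ASCII/Base64 certificate
# chain out of the pkiadm@sun.com mail body and save it as 'cert.ascii' for
# step 3.6. PKCS7 blocks are skipped on purpose (the path affected by bug 6731685).
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)

def extract_certificate_chain(mail_text):
    """Return the PEM CERTIFICATE blocks in mail_text, in order, each with its
    Base64 payload validated and re-wrapped at 64 columns."""
    certs = []
    for match in PEM_BLOCK.finditer(mail_text):
        if match.group("label") != "CERTIFICATE":  # ignore PKCS7 and anything else
            continue
        body = "".join(match.group("body").split())  # drop CR/LF and stray spaces
        der = base64.b64decode(body, validate=True)  # raises on non-Base64 characters
        if not der or der[0] != 0x30:  # a DER X.509 certificate starts with SEQUENCE
            raise ValueError("block %d is not an ASN.1 SEQUENCE" % (len(certs) + 1))
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        certs.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % wrapped)
    if not certs:
        raise ValueError("no CERTIFICATE block found in the mail text")
    return certs

def write_cert_ascii(mail_text, path="cert.ascii"):
    """Write the extracted chain to 'path' and return the number of certificates."""
    certs = extract_certificate_chain(mail_text)
    with open(path, "w") as out:
        out.write("".join(certs))
    return len(certs)

# Constructed stand-in for the mail body: two tiny DER SEQUENCEs play the leaf and
# CA certificates, plus a PKCS7 block that must stay out of cert.ascii.
_FAKE_DER = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE_MAIL = """Your Object Signing certificate has been issued.

-----BEGIN CERTIFICATE-----
%s
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
%s
-----END CERTIFICATE-----
-----BEGIN PKCS7-----
AAAA
-----END PKCS7-----
""" % (_FAKE_DER, _FAKE_DER)
```

Run write_cert_ascii(open("mail.txt").read()) against the saved mail body, then continue with step 3.6 using the generated cert.ascii.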


References:

PKI Store for Object Signing certificates
PKI Store FAQs


About

Ye Julia Li
