How to Use KeyManager as a Tool for Setting up a Personal CA

Subrata Mazumdar (mazum@avaya.com), Avaya Labs Research

Acknowledgement: Thanks to Scott Rea for suggesting the 'Personal CA' idea and encouraging me to do this tool.

 

Setup Firefox Profile for CAs:

 

·   set MOZ_NO_REMOTE=1

·   firefox -P

When the profile manager comes up, click "Create Profile" to create a new profile named AvLabsCAProfile.

Select the new profile 'AvLabsCAProfile' and then click 'Start Firefox'.

 

Install KeyManager Add-on:

Go to https://addons.mozilla.org/en-US/firefox/addon/4471, then download and install the KeyManager add-on.

Restart the Firefox browser.

 

Use Cases:

·         Create Self-Signed Cert for Root CA

·         Create Self-Signed Cert for Signing CA (Intermediate CA)

·         Sign Intermediate (Signing) CA's cert with Root CA's cert

·         Sign Server's cert using Signing CA's cert

Create Self-Signed Cert for Root CA:

 

·         Open Key Manager Dialog Window (Tools --> Key Manager Tool Box --> KeyManager)

·         Select the "Your Key" tab

·         Click on the "Generate Self-Signed Cert" button to open the dialog window for creating a self-signed certificate

       The dialog window has four tabs; click 'Advance' at the top of the window to display all of them:

      

For "Basic certificate profile" tab:

·   Select "Generic CA Cert Profile" from the "Default Certificate Profile" menu list.

·   Enter the common name for the Root CA (AvLabsRootCA)

·   Enter org unit: Avaya Labs Research CA

·   Enter org: Avaya

·   Enter Locality: Basking Ridge

·   Enter State: NJ

·   Enter country: US

·   Use the default value for key type, key size and signing algorithm

      

For "X.509 v1 Attributes" tab: 

·   Validity: use the default value

·   Serial number: use the default value ('auto generate')

  

For "X.509 v3 Standard Extensions" tab: 

·    use the default values

 

For "X.509 v3 Netscape Extensions" tab: 

·   use the default values

 

Finally, click the 'Generate Self-Signed Cert' button; the dialog window will close automatically after the cert has been generated. It takes a while (at least 30 seconds) to complete the key-generation task. The new cert will be displayed in the "Your Keys" and "Your Certificates" tabs.

 

Create Self-Signed Cert for Signing CA (Intermediate CA):

 

·         Open Key Manager Dialog Window (Tools --> Key Manager Tool Box --> KeyManager)

·         Select the "Your Key" tab

·         Click on the "Generate Self-Signed Cert" button to open the dialog window for creating a self-signed certificate

       The dialog window has four tabs; click 'Advance' at the top of the window to display all of them:

       

For "Basic certificate profile" tab:

·   Select "Generic CA Cert Profile" from the "Default Certificate Profile" menu list.

·   Enter the common name for the Signing CA for server certs (AvLabsServerCA)

·   Enter org unit: Avaya Labs Research CA

·   Enter org: Avaya

·   Enter Locality: Basking Ridge

·   Enter State: NJ

·   Enter country: US

·   Use the default value for key type, key size and signing algorithm

     

For "X.509 v1 Attributes" tab: 

·   Validity: use the default value

·   Serial number: use the default value ('auto generate')

  

For "X.509 v3 Standard Extensions" tab: 

·    use the default values

 

For "X.509 v3 Netscape Extensions" tab: 

·   use the default values

 

Finally, click the 'Generate Self-Signed Cert' button; the dialog window will close automatically after the cert has been generated. It takes a while (at least 30 seconds) to complete the key-generation task. The new cert will be displayed in the "Your Keys" and "Your Certificates" tabs.

 

Sign Intermediate (Signing) CA's Cert with the Root CA's Cert:

·         Open the Key Manager dialog window (Tools --> Key Manager Tool Box --> KeyManager)

·         Select the "Your Key" tab

·         Select the Root CA's cert and then click the 'Sign (Proxy) cert' button

Click 'OK' at the prompt; the certificate signing dialog window opens with the signer cert already set.

Select the Signing CA's cert as follows:

·         Click the "Cert" radio button for "CSR Source"; a certificate picker widget will be displayed

·         Select 'Self-signed User Cert' in the certificate type menu list

·         Select the Signing CA's cert from the menu list

·         Click the 'Sign Cert' button at the bottom of the dialog window

·         Then click the 'Close' button; the dialog window will close.

The newly created signed cert will be displayed in the "Your Keys" and "Your Certificates" tabs. You can delete the self-signed cert for the Signing CA now.

Sign Server's Cert Using Signing CA's Cert:

·         Open the Key Manager dialog window (Tools --> Key Manager Tool Box --> KeyManager)

·         Select the "Your Key" tab

·         Select the Signing CA's cert and then click the 'Sign (Proxy) cert' button

Click 'OK' at the prompt; the certificate signing dialog window opens with the signer cert already set.

Select the server's cert as follows:

·         Click the "File" radio button for "CSR Source"; a file picker widget will be displayed

·         Select the previously generated CSR file for the server

·         Click the 'Sign Cert' button at the bottom of the dialog window

·         Then click the 'Close' button; the dialog window will close.

The newly created signed cert will be displayed in the "Server Certificates" tab. Export the server cert in X.509 or PKCS#7 format as follows:

·         Select the "Server" tab

·         Select the newly signed server's certificate

·         Click the 'Export' button. A dialog window opens for choosing the type of file and encoding. You can choose either X.509 or PKCS#7 as the data type. Select the file name for the exported certificate.

Note: Since the PKCS#7 export does not place the server cert first in the PKCS#7 cert-only package, choose the X.509 format. If you choose the X.509 format, make sure that you also export the Signing CA's cert chain in PKCS#7 or X.509 format (as described below).

·         Finally, go to the Firefox window for the server profile and import the exported certificate file.

 

Exporting the Signing CA's Cert Chain:

   The instructions for exporting a CA's cert in various formats can be found as follows: "Tools --> Key Manager Tool Box --> Key Manager Usage Document" opens the usage document in a new tab. Click on "Instructions for PKI Related Tasks" and then scroll down to the "Exporting of X.509 Certificates" section.

Here are the steps to follow to export keys/certificates:

1.      Open the Key Manager dialog window (Tools --> Key Manager Tool Box --> KeyManager)

2.      Select the "Your Key" tab

3.      Select the desired Signing CA's certificate in the tab

4.      Click on the "Export" button, which opens the dialog for choosing the data and encoding format

5.      Select one of the following data formats: X.509 or PKCS#7

6.      For PKCS#7, check the 'include cert-chain' box.

7.      The browser prompts you for the "output file path" to save the exported data; select the file name and directory.

 

Revoke Server's Certificate:

Here are the steps to follow to revoke a certificate:

1.      Open the Key Manager dialog window (Tools --> Key Manager Tool Box --> KeyManager)

2.      Select the "Your Key" tab

3.      Click on the "CRL Manager" button.

It will open the browser's CRL manager dialog window. The CRL signing tool overlays a set of buttons on top of the browser's existing CRL Manager. In the CRL manager dialog window, you will see a set of buttons within a red rectangular box. These buttons can be used to create, view, modify, export and load CRLs.

4.      Click the "Create" button to create a new CRL. It will open another dialog window for creating the CRL for the cert to be revoked. The "Create" dialog filters and presents only those CA certificates that have a private key in the browser's Cert-DB.

5.      Select the Certificate Issuer of the cert to be revoked using the menu list

6.      Enter the serial number of the cert to be revoked, or choose the certificate using the browse button. You can add more than one serial number.

7.      Pick a revocation reason code from the list

8.      Choose the defaults for the others

9.      Click the "Create" button. A CRL will be added to the certificate database and the dialog window will close. The newly created CRL will be displayed as a row in the CRL manager window.

10.  You can now use the "Export" button to export the newly created CRL.
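The following is an added example and is not part of this document or of the KeyManager add-on. It reproduces the Root CA --> Signing CA --> server cert hierarchy that the GUI sections above build, using only the OpenSSL command-line tool, verifies the resulting chain the way a client would (only the root trusted, the Signing CA supplied as an untrusted intermediate), and then revokes the server cert and issues a CRL from the Signing CA as the "Revoke Server's Certificate" section does, checking that verification now reports the cert as revoked. Subject names mirror the document; the file names, the working directory, the minimal "openssl ca" configuration and the choice of keyCompromise as the reason code are assumptions of this script. The same "openssl x509 -req" step is what the later smart-card section means by signing a CSR with OpenSSL.

```shell
#!/bin/sh
# Added example (not from the KeyManager document): build the Root CA -> Signing CA
# -> server chain with the OpenSSL CLI, verify it, then revoke the server cert and
# issue a CRL from the Signing CA. File names, the working directory and the
# minimal "openssl ca" configuration below are assumptions of this script.
set -e

DN_BASE="/C=US/ST=NJ/L=Basking Ridge/O=Avaya"   # subject fields used in the document

# new_csr <dir> <name> <subject-suffix>: fresh RSA key pair plus a PKCS#10 CSR.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/$2.key" -out "$1/$2.csr" -subj "$DN_BASE$3" 2>/dev/null
}

# build_chain <dir>: writes root.crt, signing.crt, server.crt and server-chain.pem.
build_chain() {
    dir="$1"; mkdir -p "$dir"

    # Root CA: self-signed; CA:TRUE and key usage limited to signing certs and CRLs.
    new_csr "$dir" root "/OU=Avaya Labs Research CA/CN=AvLabsRootCA"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/root.ext"
    openssl x509 -req -sha256 -days 3650 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/root.ext" -out "$dir/root.crt" 2>/dev/null

    # Signing (intermediate) CA, issued by the root; pathlen:0 means it may sign
    # end-entity certs but cannot create further sub-CAs.
    new_csr "$dir" signing "/OU=Avaya Labs Research CA/CN=AvLabsServerCA"
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$dir/signing.ext"
    openssl x509 -req -sha256 -days 1825 -in "$dir/signing.csr" -CA "$dir/root.crt" \
        -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/signing.ext" -out "$dir/signing.crt" 2>/dev/null

    # Server cert, issued by the Signing CA (never directly by the root), with the
    # DNS name in subjectAltName as the document's server profile does.
    new_csr "$dir" server "/OU=Avaya Labs Research/CN=inside.research.avayalabs.com"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:inside.research.avayalabs.com\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$dir/server.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" -CA "$dir/signing.crt" \
        -CAkey "$dir/signing.key" -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null

    # Chain file in the order a TLS server needs: server cert first, then the Signing CA
    # (the document warns that the PKCS#7 export does not put the server cert first).
    cat "$dir/server.crt" "$dir/signing.crt" > "$dir/server-chain.pem"
}

# verify_server <dir> [crl-file]: prints "ok", "revoked" or "fail". Only root.crt is
# trusted; signing.crt is supplied as an untrusted intermediate, as a client would.
# (Paths are passed unquoted to openssl here, so they must not contain spaces.)
verify_server() {
    dir="$1"; crlopts=""
    [ -n "$2" ] && crlopts="-crl_check -CRLfile $2"
    out=$(openssl verify $crlopts -CAfile "$dir/root.crt" -untrusted "$dir/signing.crt" "$dir/server.crt" 2>&1) \
        && { echo ok; return 0; }
    case "$out" in *revoked*) echo revoked ;; *) echo fail ;; esac
    return 1
}

# revoke_server <dir>: revoke server.crt with the Signing CA and write signing.crl,
# using a minimal "openssl ca" database (empty index.txt plus a CRL number counter).
# Prints the path of the CRL file.
revoke_server() {
    dir="$1"
    : > "$dir/index.txt"; echo 01 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = signing_ca
[ signing_ca ]
database = $dir/index.txt
certificate = $dir/signing.crt
private_key = $dir/signing.key
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 30
EOF
    openssl ca -config "$dir/ca.cnf" -revoke "$dir/server.crt" -crl_reason keyCompromise >/dev/null 2>&1
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/signing.crl" >/dev/null 2>&1
    echo "$dir/signing.crl"
}
```

Usage: build_chain /tmp/avlabs-ca; verify_server /tmp/avlabs-ca (prints ok); then CRL=$(revoke_server /tmp/avlabs-ca) and verify_server /tmp/avlabs-ca "$CRL" (prints revoked). The point of the second verification is that a relying party only sees the revocation if it actually fetches and checks the CRL (here via -crl_check); exporting the CRL from KeyManager is only useful once clients are configured to consume it.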

 

Setup Firefox Profile for Servers:

·   set MOZ_NO_REMOTE=1

·   firefox -P

When the profile manager comes up, click "Create Profile" to create a new profile named AvLabsServerProfile.

Select the new profile 'AvLabsServerProfile' and then click 'Start Firefox'.

Install KeyManager Add-on:

Go to https://addons.mozilla.org/en-US/firefox/addon/4471, then download and install the KeyManager add-on.

Restart the Firefox browser.

 

Use Cases:

·         Create Self-Signed Cert for Server

·         Generate PKCS#10 CSR

·         Import CA Signed Cert

 

Create Self-Signed Cert for Server:

·         Open Key Manager Dialog Window (Tools --> Key Manager Tool Box --> KeyManager)

·         Select the "Your Key" tab

·         Click on the "Generate Self-Signed Cert" button to open the dialog window for creating a self-signed certificate

       The dialog window has four tabs; click 'Advance' at the top of the window to display all of them:

      

For "Basic certificate profile" tab:

·   Select "Generic Server Cert Profile" from the "Default Certificate Profile" menu list.

·   Enter the common name for the server: inside.research.avayalabs.com (use the DNS name)

·   Enter org unit: Avaya Labs Research

·   Enter org: Avaya

·   Enter Locality: Basking Ridge

·   Enter State: NJ

·   Enter country: US

·   Use the default values for key type, key size and signing algorithm

·   For "Subject Alternative Name", use the DNS name of the server; you can add more DNS names or IP addresses in the "X.509 v3 Standard Extensions" tab

·   Optionally, enter the IP address

     

For "X.509 v1 Attributes" tab: 

·   Validity: use the default value

·   Serial number: use the default value ('auto generate')

  

For "X.509 v3 Standard Extensions" tab: 

·    use the default values

 

For "X.509 v3 Netscape Extensions" tab:  

·   use the default values

 

Finally, click the 'Generate Self-Signed Cert' button; the dialog window will close automatically after the cert has been generated. It takes a while (at least 30 seconds) to complete the key-generation task. The new cert will be displayed in the "Your Keys" and "Your Certificates" tabs.

Import CA Certificates:

·   Open Key Manager Dialog Window (Tools --> Key Manager Tool Box --> KeyManager)

·   Select  the "Authorities" tab

·   Click on the "Import" button. When the file selector dialog window opens, select the X.509 or PKCS#7 certificate file and then click OK. The browser will prompt you to set the trust for the certificates. Select the checkboxes and click OK.

 

Generate PKCS#10 Certificate Signing Request (CSR):

·   Open Key Manager Dialog Window (Tools --> Key Manager Tool Box --> KeyManager)

·   Select  the "Your Key" tab

·   Select the desired certificate in the tab

·   Click on the "Generate CSR" button and follow the newly opened dialog window to generate the PKCS#10 CSR

·   Alternatively, you can click on the "Export" button, select the "PKCS#10" radio button in the newly opened dialog window, click OK, and finally select the file to save the generated CSR.

·   Now, go to the Firefox window for the CA profile and create a signed X.509 cert using the generated PKCS#10 CSR.

 

Import CA-Signed Server Certificates:

·   Open Key Manager Dialog Window (Tools --> Key Manager Tool Box --> KeyManager)

·   Select  the "Your Key" tab

·   Click on the "Import Cert" button. When the file selector dialog window opens, select the CA-signed certificate file and then click OK.

·   You can now delete the self-signed cert that was used to generate the PKCS#10 CSR.

 

Export Server Private Key and Certificate for OpenSSL-Based Applications:

Typically, an OpenSSL-based application/server uses server.key for the private key and server.cert for the public key certificate. Sometimes they are also named hostkey.pem and hostcert.pem respectively. The server.key file could be in either encrypted or unencrypted format.

Mozilla NSS, the underlying crypto library for Firefox, does not support exporting an unencrypted private key. Also, the OpenSSL-specific encrypted private key file that KeyManager generates is incompatible with the OpenSSL command-line tool. Note that neither of these OpenSSL formats follows any standard. The best way to do this is to use a standards-compliant key file, such as PKCS#12 or PKCS#8, if the OpenSSL-based application supports those formats.

 

I would suggest first checking whether the OpenSSL-based application can use a PKCS#12 file (which is encrypted) as server.key. If not, check whether the server.key file can be in PKCS#8 format. If neither works, generate/export the key file as either PKCS#12 or PKCS#8 and then use the OpenSSL command-line tool to convert it to either an unencrypted or an OpenSSL-specific encrypted key file, as needed by the OpenSSL-based application.

 

Server.cert is simply a base-64 X.509 file. You can generate it easily by exporting the cert as an X.509 file.
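The conversion described above, as an added example that is not part of this document or of the KeyManager add-on: it takes a PKCS#12 or an encrypted PKCS#8 export and produces the server.key and server.cert files with the OpenSSL command-line tool, then checks that the key and the certificate actually belong together before they are handed to the application. The browser export itself is simulated by generating a key pair and self-signed cert inside the script; the password, the file names and the working directory are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the KeyManager document): turning a standards-compliant
# export (PKCS#12 or encrypted PKCS#8) into the server.key / server.cert pair that
# OpenSSL-based servers read, and checking that the key matches the cert. The
# "exported" material is a key pair and self-signed cert generated here; the
# password is a constructed sample, not one KeyManager uses.
set -e

EXPORT_PASS="pass:example-export-password"   # constructed sample password

# make_sample_export <dir>: stand-in for the browser export, leaving only
# exported.p12, exported.p8 and exported.crt behind (no plaintext key), as a
# browser export would.
make_sample_export() {
    dir="$1"; mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$dir/tmp.key" -out "$dir/exported.crt" \
        -subj "/C=US/O=Avaya/CN=inside.research.avayalabs.com" 2>/dev/null
    openssl pkcs12 -export -in "$dir/exported.crt" -inkey "$dir/tmp.key" \
        -out "$dir/exported.p12" -passout "$EXPORT_PASS" 2>/dev/null
    openssl pkcs8 -topk8 -in "$dir/tmp.key" -out "$dir/exported.p8" -passout "$EXPORT_PASS" 2>/dev/null
    rm "$dir/tmp.key"
}

# p12_to_openssl_files <dir>: PKCS#12 -> unencrypted server.key and base-64 server.cert.
# Piping through "openssl pkey" / "openssl x509" strips the PKCS#12 bag attributes
# so the files contain nothing but the PEM blocks.
p12_to_openssl_files() {
    dir="$1"
    openssl pkcs12 -in "$dir/exported.p12" -passin "$EXPORT_PASS" -nocerts -nodes 2>/dev/null \
        | openssl pkey -out "$dir/server.key" 2>/dev/null
    openssl pkcs12 -in "$dir/exported.p12" -passin "$EXPORT_PASS" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -out "$dir/server.cert" 2>/dev/null
    chmod 600 "$dir/server.key"   # an unencrypted key must be readable only by the server user
}

# pkcs8_to_openssl_key <dir>: encrypted PKCS#8 -> unencrypted server.key. Use this
# path when the application accepts neither PKCS#12 nor PKCS#8 directly.
pkcs8_to_openssl_key() {
    dir="$1"
    openssl pkcs8 -in "$dir/exported.p8" -passin "$EXPORT_PASS" -out "$dir/server.key" 2>/dev/null
    chmod 600 "$dir/server.key"
}

# key_matches_cert <dir>: prints "match" when the public key derived from server.key
# equals the one inside server.cert, otherwise "mismatch".
key_matches_cert() {
    dir="$1"
    a=$(openssl x509 -in "$dir/server.cert" -noout -pubkey 2>/dev/null)
    b=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)
    if [ -n "$a" ] && [ "$a" = "$b" ]; then echo match; else echo mismatch; fi
}

# key_is_encrypted <dir>: prints "yes"/"no" based on the PEM header of server.key.
key_is_encrypted() {
    if grep -q ENCRYPTED "$1/server.key"; then echo yes; else echo no; fi
}
```

Usage: make_sample_export /tmp/avlabs-srv; p12_to_openssl_files /tmp/avlabs-srv (or pkcs8_to_openssl_key /tmp/avlabs-srv); key_matches_cert /tmp/avlabs-srv should print match. If the application insists on the OpenSSL-specific encrypted key, run the unencrypted server.key through "openssl rsa -aes256" with a passphrase afterwards; the key-match check applies to that file in the same way.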

 

You can export the server's private key/cert in one of the following ways:

Option 1: Use the Export button

·         Open the Key Manager dialog window (Tools --> Key Manager Tool Box --> KeyManager)

·         Select the "Your Key" tab

·         Select the server's certificate that you want to export for the OpenSSL application

·         Export the private key as follows:

·         Click the 'Export' button.

·         A dialog window opens for choosing the data format and encoding type of the private key

·         Select one of the following data formats for the key: PKCS#8, OpenSSL EPK, PKCS#12

·         Choose Base64 for PKCS#8. PKCS#12 files are always exported in DER format. OpenSSL EPK files are exported in Base64.

·         For the encryption parameters for PKCS#8 or OpenSSL EPK, use the default values

·         Click OK; a file selector for the private key file will open. Provide a file name using the file selector and click Save.

·         Export the public key cert as follows:

·         Click the 'Export' button.

·         A dialog window opens for choosing the data format and encoding type of the public key certificate

·         Select one of the following data formats: X.509 or PKCS#7

·         Choose Base64 for the encoding format.

·         Click OK; a file selector for the output file will open. Provide a file name using the file selector and click Save.

Option 2: Use the OpenSSL Key Configurator tool

·         Tools --> Key Manager Tool Box --> OpenSSL Key Configurator

·         Select the "Export from Browser cert DB" radio button

·         Select the key/cert you want to export

·         Select the base directory where you want to export the key/cert

·         Select the key type: PKCS#12 or "Private key"

·         Ignore the CA section

·         Click "Export"

Option 3: Use the NSS/OpenSSL Synchronization Tool

·         Tools --> Key Manager Tool Box --> OpenSSL Key/Cert Sync Tool

·         Select the directory for the exported key/cert in the "Key Store" dir row

·         Select either PKCS#12 or PKCS#8 in the Soft-token row

·         Select the key/cert you want to export in the "NSS to OpenSSL Sync" row

·         Leave everything else as is

·         Click the "Export" button next to the selected cert; a customized version of the "OpenSSL Key Configurator" dialog window will open. Click the Export button, then close the window.

Option 4: Use the Backup button

·         Open the Key Manager dialog window (Tools --> Key Manager Tool Box --> KeyManager)

·         Select the "Your Key" tab

·         Select the server's certificate that you want to export for the OpenSSL application

·         Export the private key as follows:

·         Click the 'Backup' button.

·         A dialog window opens for choosing the password for the PKCS#12 file

Sign Using OpenSSL-Generated Keys and Certificates:

If you already have keys/certificates for OpenSSL, you can also sign with your OpenSSL CA keys as follows:

  1. Mount the OpenSSL key/certs as a soft-token
    • Enable mounting of external keys/certs as a temporary "Security device" (soft-token)
    • Set the preference for mounting a soft-token first: "Tools" --> "Add-on" --> select Key Manager --> select the "Key Manager Tool" tab
    • Check the "Enable External NSS Soft-Token Manager" checkbox --> click OK
    • Click the "Security Device" button on the "Your Key" tab
    • Select "NSS Internal PKCS#11 Module" or any node under it; the buttons for mounting a soft-token will be displayed on the right
    • Click the "Mount External NSS Soft-Token" button; a dialog window will open for specifying the file path for the keys/cert, depending on the type of key/cert file you are using. The mounted certs will be displayed on the "Your Key" and "Your Certificates" tabs of KeyManager.
  2. Use the mounted CA cert like any other cert to sign the certificate

How to Generate a PKCS#10 CSR for a Smart Card for Signing with an External CA:

  1. On the "Your Key" tab of Key Manager, do as follows to generate the PKCS#10 CSR file:

·        "Generate CSR" --> "Save CSR" as File (a self-signed cert will be automatically created), or

·        "Generate Self-signed Cert" --> select the newly created cert --> click the "Generate CSR" or "Export" button to create the PKCS#10 CSR file

-         During generation of the CSR or self-signed cert, you will be prompted to select the token associated with the smart card

  2. Use the PKCS#10 CSR file to create a CA-signed cert using OpenSSL

·        The CA-signed cert file can be an X.509 cert or a PKCS#7 file with the signed cert as well as the full CA cert chain

  3. On the "Your Key" tab, do as follows:

·        Use "Import User cert" to import the CA-signed cert; do not forget to import the CA cert chain if your signed cert file does not contain the CA cert chain along with the X.509 cert.

·        Delete the previously created self-signed cert if you do not want it.

Note: The self-signed cert is created as a marker for the key generated for the CSR (as in Java keytool, which requires a self-signed cert to generate a CSR); otherwise the key won't be visible until you import a signed cert.

 

If your smart card does not allow more than one cert for each private key, generate the keys and self-signed cert on the "Internal Security device", not on the "Smart Card". Then export the CSR and sign it using the CA. Once the signed cert is imported into the soft-token, select the signed cert on the "Your Key" tab and do as follows:

  • Click the "Backup"/"Export" button to export the selected CA-signed cert as a PKCS#12 file
  • Delete the selected CA-signed cert and also the self-signed cert (the generated key pair will be automatically deleted when all the certs associated with the key pair are deleted)
  • Click the "Import" button (not "Import Cert") to import the exported PKCS#12 file. Select the token associated with the smart card when prompted for the selection of the security device

Sign Certificates in a Java Key Store Using the CA Profile in Firefox:

This section describes how to use Key Manager to sign certificates in Java key stores. The tool lets you select the key/certificate in the Java key store by its alias and does everything necessary to sign the certificate using the CA's key in the browser's certificate DB: it extracts a PKCS#10 CSR from the key store, signs the certificate using Key Manager's certificate signing tool, and then imports the result back into the Java key store.

Note: This feature is only supported on Linux/Mac OS X platforms.

Here are the steps to follow:

  1. Enable the Java Keystore Manager tool options:

    Tools --> Add-on --> select the "Key Manager" add-on --> click "Options/Preferences" --> select the "Key Manager Tool" tab --> check the "Enable Java Keystore Cert Management" checkbox

    • Select the "JKS Manage Cert Tool" tab and provide the path to a shell command, JAVA_HOME, and the Java version. If the SHELL and JAVA_HOME environment variables are already set, the preferences will be set to those values automatically.

  2. Open the Java Key Store Manager Wizard:

    Tools --> Key Manager Tool Box --> Manage Certs in Java Key store

    Alternatively,

    Toolbar for KeyManager --> open the menu in "Security Devices" --> select the "Manage certs in JKS" menu item

  3. Specify the key store parameters using the browse button:

    • "Key Store" file path (use the browse button to select an existing file or the location of a new file); if you want to create a new keystore, check the "New" checkbox and then click browse to select the location and name of the file

    • Key store type

    • Key store password

    • Type of task: generate a new key pair and then sign it, sign a certificate for an existing key pair, or import an X.509 certificate

    • Click Next (you may have to select a different field or click in the window after entering the values before the Next button becomes active)

  4. Select the key using the alias and provide the path to the PKCS#10 CSR:

    • Select the certificate to be signed from the "Cert Alias" list

    • Enter/select the file path for the PKCS#10 CSR; the tool will automatically generate a path for the PKCS#10 CSR.

    • Finally, click Next to generate the CSR.

    • Note: If the Next button is not activated, move the cursor to a different part of the wizard and click the left button.

  5. Select the signer cert from the browser's certificate DB and provide the path for the signed X.509 cert:

    • Select the signer cert using the menu provided in the "Signer X.509 Cert" row

    • Use the "Browse" button to select the path for the "Signed X.509 cert" to be generated. The tool will automatically generate a file path.

    • Click Next; the Certificate Signer dialog window will be displayed

  6. Use the certificate signer dialog window to sign the certificate:

    • Click the Advanced button to modify the certificate extensions in the PKCS#10 CSR or add new certificate extensions

    • Click 'Sign Cert'

  7. Import the signed cert into the Java key store:

    • The tool will provide the alias for the newly generated cert and the certificate chain for importing into the Java keystore. The Java keystore does not allow importing a certificate without the signer cert chain.

  8. Finally, the imported signed cert will be displayed as shown below.