Acknowledgement: Thanks to Scott Rea for suggesting the 'Personal CA' idea and encouraging me to build this tool.
· set MOZ_NO_REMOTE=1
· firefox -P
When the profile manager comes up, click "Create Profile" to create a new profile with the name AvLabsCAProfile.
Select the new profile 'AvLabsCAProfile' and then click 'Start Firefox'.
Go to https://addons.mozilla.org/en-US/firefox/addon/4471, download and install the KeyManager add-on.
Restart the Firefox browser.
· Create Self-Signed Cert for
· Create Self-Signed Cert for Signing CA (Intermediate CA)
· Sign Intermediate (Signing) CA's cert by
· Sign Server's cert using
· Open the Key Manager dialog window (Tools --> Key Manager Tool Box --> KeyManager)
· Select the "Your Key" tab
· Click on the "Generate Self-Signed Cert" button to open the dialog window for creating a self-signed certificate
The dialog window has four tabs; click 'Advance' at the top of the window to display all of them:
For the "Basic certificate profile" tab:
· Select "Generic CA Cert Profile" from the "Default Certificate Profile" menu list.
· Enter the common name for
· Enter org unit: Avaya Labs Research CA
· Enter org: Avaya
· Enter Locality: Baskin Ridge
· Enter State: NJ
· Enter country: US
· Use the default values for key type, key size and signing algorithm
For the "X.509 v1 Attributes" tab:
· Validity: use the default value
· Serial number: use the default value, 'auto generate'
For the "X.509 v3 Standard Extensions" tab:
· Use the default values
For the "X.509 v3 Netscape Extensions" tab:
· Use the default values
Finally, click the 'Generate Self-Signed Cert' button; the dialog window closes automatically once the cert has been generated. Key generation takes a while, at least 30 seconds. The new cert is displayed in the "Your Keys" and "Your Certificates" tabs.
· Open the Key Manager dialog window (Tools --> Key Manager Tool Box --> KeyManager)
· Select the "Your Key" tab
· Click on the "Generate Self-Signed Cert" button to open the dialog window for creating a self-signed certificate
The dialog window has four tabs; click 'Advance' at the top of the window to display all of them:
For the "Basic certificate profile" tab:
· Select "Generic CA Cert Profile" from the "Default Certificate Profile" menu list.
· Enter the common name for
· Enter org unit: Avaya Labs Research CA
· Enter org: Avaya
· Enter Locality: Baskin Ridge
· Enter State: NJ
· Enter country: US
· Use the default values for key type, key size and signing algorithm
For the "X.509 v1 Attributes" tab:
· Validity: use the default value
· Serial number: use the default value, 'auto generate'
For the "X.509 v3 Standard Extensions" tab:
· Use the default values
For the "X.509 v3 Netscape Extensions" tab:
· Use the default values
Finally, click the 'Generate Self-Signed Cert' button; the dialog window closes automatically once the cert has been generated. Key generation takes a while, at least 30 seconds. The new cert is displayed in the "Your Keys" and "Your Certificates" tabs.
· Open the Key Manager dialog window (Tools --> Key Manager Tool Box --> KeyManager)
· Select the "Your Key" tab
· Select the cert for
Click 'Ok' at the prompt; the certificate signing dialog window opens with the signer's cert already set.
Select the Signing CA's cert as follows:
· Click the "Cert" radio button for 'CSR Source'; a certificate picker widget is displayed
· Select 'Self-signed User Cert' in the certificate type menu list
· Select the Signing CA's cert from the menu list
· Click the 'Sign Cert' button at the bottom of the dialog window
· Then click the 'Close' button; the dialog window closes.
The newly created signed cert is displayed in the "Your Keys" and "Your Certificates" tabs. You can delete the self-signed cert for the Signing CA now.
· Open the Key Manager dialog window (Tools --> Key Manager Tool Box --> KeyManager)
· Select the "Your Key" tab
· Select the cert for
Click 'Ok' at the prompt; the certificate signing dialog window opens with the signer's cert already set.
Select the server's cert as follows:
· Click the "File" radio button for 'CSR Source'; a file picker widget is displayed
· Select the previously generated CSR file for the server
· Click the 'Sign Cert' button at the bottom of the dialog window
· Then click the 'Close' button; the dialog window closes.
· The newly created signed cert is displayed in the "Server Certificates" tab. Export the server cert in X.509 or PKCS#7 format as follows:
· Select the "Server" tab
· Select the newly signed server's certificate
· Click the 'Export' button. A dialog window opens for choosing the type of file and the encoding. You can choose either X.509 or PKCS#7 as the data type. Select the file name for the exported certificate.
Note: Since the PKCS#7 export does not place the server cert first in the PKCS#7 cert-only package, choose the X.509 format. If you choose the X.509 format, make sure that you also export the Signing CA's cert chain in PKCS#7 or X.509 format (as described below).
Finally, go to the Firefox window for the server profile and import the exported certificate file.
Instructions for exporting the CA's cert in various formats can be found as follows: "Tools --> Key Manager Tool Box --> Key Manager Usage Document" opens the usage document in a new tab; click on "Instructions for PKI Related Tasks" and then scroll down to the "Exporting of X.509 Certificates" section.
Here are the steps that you have to follow to export keys/certificates:
1. Open the Key Manager dialog window (Tools --> Key Manager Tool Box --> KeyManager)
2. Select the "Your Key" tab
3. Select the desired Signing CA's certificate in the tab
4. Click on the "Export" button; it opens the dialog for choosing the data and encoding format
5. Select one of the following data formats: X.509 or PKCS#7
6. For PKCS#7, check the "include cert-chain" box.
7. The browser prompts you for the output file path to save the exported data; select the file name and directory.
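The export steps above give you either a single X.509 file or a PKCS#7 bundle, and the note earlier warns that the server cert is not necessarily first in that bundle. The script below is an added example, not part of the KeyManager add-on: it rebuilds the same Root CA -> Signing CA -> server hierarchy with the OpenSSL command line in a temporary directory, verifies the server cert against the chain, packs the three certs into a cert-only PKCS#7 file, and then locates the server cert in the unpacked bundle by matching its public key rather than by position. The CA names, the host name inside.example.test and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the add-on's code): root -> signing CA -> server chain
# built with openssl, then checks on the exported bundles. All names and
# paths below are constructed for the demo.

# Generate a key and CSR for common name $2 into $1/$3.key and $1/$3.csr.
keypair_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
}

# Build the three-level hierarchy in directory $1.
build_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:inside.example.test\n' > "$d/srv.ext"
    # Root CA: self-signed and explicitly marked as a CA (the "Generic CA Cert Profile" role)
    keypair_csr "$d" "Demo Root CA" root
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    # Signing (intermediate) CA: its CSR is signed by the root
    keypair_csr "$d" "Demo Signing CA" inter
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 1000 -days 1 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    # Server: its CSR is signed by the signing CA, with the DNS name as SAN
    keypair_csr "$d" inside.example.test server
    openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -set_serial 2000 -days 1 -extfile "$d/srv.ext" -out "$d/server.pem" 2>/dev/null
}

# Exit 0 if cert $3 chains to trusted root $1 through the untrusted signing CA $2.
verify_leaf() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Exit 0 if the FIRST certificate in PEM bundle $1 belongs to private key $2,
# which is what an application that simply reads "the first cert" relies on.
first_cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Print the certificate in PEM bundle $1 whose public key matches key $2,
# whatever its position in the bundle; exit 1 if none matches.
cert_for_key() {
    want=$(openssl pkey -in "$2" -pubout)
    n=$(grep -c 'BEGIN CERTIFICATE' "$1")
    i=1
    while [ "$i" -le "$n" ]; do
        one=$(awk -v k="$i" '/BEGIN CERTIFICATE/{c++} c==k{print} /END CERTIFICATE/{if(c==k)exit}' "$1")
        if [ "$(printf '%s\n' "$one" | openssl x509 -noout -pubkey)" = "$want" ]; then
            printf '%s\n' "$one"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Demo: build the chain, produce a cert-only PKCS#7 (what the add-on's PKCS#7
# export gives you), unpack it to PEM and pick the server cert by key.
W=$(mktemp -d)
build_chain "$W"
verify_leaf "$W/root.pem" "$W/inter.pem" "$W/server.pem" && echo "server cert chains to root: OK"
openssl crl2pkcs7 -nocrl -certfile "$W/server.pem" -certfile "$W/inter.pem" \
    -certfile "$W/root.pem" -out "$W/bundle.p7b"
openssl pkcs7 -in "$W/bundle.p7b" -print_certs -out "$W/bundle.pem"
cert_for_key "$W/bundle.pem" "$W/server.key" | openssl x509 -noout -subject
```

The PKCS#7 certificate list is a DER SET OF, so the order in which the certificates come out is not the order they went in; that is why the add-on's note says not to assume the server cert is first. Selecting by public key, as `cert_for_key` does, is the check that survives any ordering, and `first_cert_matches_key` is the check to run on a file you intend to hand to software that reads only the first cert.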
Here are the steps that you have to follow to revoke a certificate:
1. Open the Key Manager dialog window (Tools --> Key Manager Tool Box --> KeyManager)
2. Select the "Your Key" tab
3. Click on the "CRL Manager" button. It opens the browser's CRL manager dialog window. The CRL signing tool overlays a set of buttons on top of the browser's existing CRL Manager: in the CRL manager dialog window you will see a set of buttons within a red rectangular box. These buttons can be used to create, view, modify, export and load CRLs.
4. Click the "Create" button to create a new CRL. It opens another dialog window for creating the CRL for the cert to be revoked. The "Create" dialog filters and presents only those CA certificates that have a private key in the browser's cert DB.
5. Select the certificate issuer of the cert to be revoked using the menu list
6. Enter the serial number of the cert to be revoked, or choose the certificate using the browse button. You can add more than one serial number.
7. Pick a revocation reason code from the list
8. Choose the defaults for the rest
9. Click the "Create" button. A CRL is added to the certificate database and the dialog window closes. The newly created CRL is displayed as a row in the CRL manager window.
10. You can now use the "Export" button to export the newly created CRL.
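The same revoke-and-export step done with the OpenSSL `ca` tool, added here as an example (it is not the add-on's CRL Manager): a throwaway issuing CA and one server cert are created in a temporary directory, the cert is revoked with a reason code, a CRL is generated, and the script then checks both that the serial number appears on the CRL and that path validation with CRL checking rejects the cert. The CA name, host name and file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the add-on's CRL Manager): revoke a cert and issue a CRL
# with "openssl ca", then check the result. All names/paths are constructed.

# Issuing CA plus the minimal database "openssl ca" needs for revocations.
setup_ca() {
    d=$1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" \
        -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/ca.pem" 2>/dev/null
    : > "$d/index.txt"          # certificate database, initially empty
    echo 01 > "$d/crlnumber"    # next CRL number
    printf '[ ca ]\ndefault_ca = demo\n[ demo ]\ndatabase = %s/index.txt\ncrlnumber = %s/crlnumber\ndefault_md = sha256\ndefault_crl_days = 1\n' \
        "$d" "$d" > "$d/ca.cnf"
}

# Server cert issued by the CA in $1 with serial 4096 (0x1000).
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=inside.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -set_serial 4096 -days 1 -out "$1/server.pem" 2>/dev/null
}

# Mark cert $2 as revoked (reason: keyCompromise) and write a fresh CRL to $1/crl.pem.
revoke_and_gencrl() {
    openssl ca -config "$1/ca.cnf" -cert "$1/ca.pem" -keyfile "$1/ca.key" \
        -revoke "$2" -crl_reason keyCompromise 2>/dev/null
    openssl ca -config "$1/ca.cnf" -cert "$1/ca.pem" -keyfile "$1/ca.key" \
        -gencrl -out "$1/crl.pem" 2>/dev/null
}

# Exit 0 if CRL $1 lists the serial number of certificate $2.
serial_in_crl() {
    s=$(openssl x509 -in "$2" -noout -serial | cut -d= -f2)
    openssl crl -in "$1" -noout -text | grep -q "Serial Number: $s"
}

# Exit 0 if path validation against CA $1 with CRL $2 rejects cert $3 as revoked.
rejected_as_revoked() {
    openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" 2>&1 | grep -q 'certificate revoked'
}

W=$(mktemp -d)
setup_ca "$W"
issue_cert "$W"
openssl verify -CAfile "$W/ca.pem" "$W/server.pem"      # valid before revocation
revoke_and_gencrl "$W" "$W/server.pem"
rejected_as_revoked "$W/ca.pem" "$W/crl.pem" "$W/server.pem" && echo "revoked cert rejected: OK"
```

Exporting the CRL (the add-on's step 10) only helps if relying parties actually load it: `rejected_as_revoked` is the check from the relying party's side, and it is the one to run after every CRL refresh, since a stale CRL on the server side silently accepts the revoked cert again.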
· set MOZ_NO_REMOTE=1
· firefox -P
When the profile manager comes up, click "Create Profile" to create a new profile with the name AvLabsServerProfile.
Select the new profile AvLabsServerProfile and then click 'Start Firefox'.
Go to https://addons.mozilla.org/en-US/firefox/addon/4471, download and install the KeyManager add-on.
Restart the Firefox browser.
· Create Self-Signed Cert for Server
· Generate PKCS#10 CSR
· Open the Key Manager dialog window (Tools --> Key Manager Tool Box --> KeyManager)
· Select the "Your Key" tab
· Click on the "Generate Self-Signed Cert" button to open the dialog window for creating a self-signed certificate
The dialog window has four tabs; click 'Advance' at the top of the window to display all of them:
For the "Basic certificate profile" tab:
· Select "Generic Server Cert Profile" from the "Default Certificate Profile" menu list.
· Enter the common name for the server: inside.research.avayalabs.com (use the DNS name)
· Enter org unit: Avaya Labs Research
· Enter org: Avaya
· Enter Locality: Baskin Ridge
· Enter State: NJ
· Enter country: US
· Use the default values for key type, key size and signing algorithm
· For "Subject Alternative Name":
  · Use the DNS name of the server; you can add more DNS names or IP addresses in the "X.509 Cert Standard Extension" tab
  · Optionally, enter the IP address
For the "X.509 v1 Attributes" tab:
· Validity: use the default value
· Serial number: use the default value, 'auto generate'
For the "X.509 v3 Standard Extensions" tab:
· Use the default values
For the "X.509 v3 Netscape Extensions" tab:
· Use the default values
Finally, click the 'Generate Self-Signed Cert' button; the dialog window closes automatically once the cert has been generated. Key generation takes a while, at least 30 seconds. The new cert is displayed in the "Your Keys" and "Your Certificates" tabs.
· Open the Key Manager dialog window (Tools --> Key Manager Tool Box --> KeyManager)
· Select the "Authorities" tab
· Click on the "Import" button. When the file selector dialog window opens, select the X.509 or PKCS#7 file for the cert and click OK. The browser prompts you to set the trust for the certificates; select the checkboxes and click OK.

· Open the Key Manager dialog window (Tools --> Key Manager Tool Box --> KeyManager)
· Select the "Your Key" tab
· Select the desired certificate in the tab
· Click on the "Generate CSR" button and follow the newly opened dialog window to generate the PKCS#10 CSR
· Alternatively, you can click on the "Export" button, select the "PKCS#10" radio button in the newly opened dialog window, click OK, and finally select the file to save the generated CSR.
· Now go to the Firefox window for the CA profile and create a signed X.509 cert using the generated PKCS#10 CSR.

· Open the Key Manager dialog window (Tools --> Key Manager Tool Box --> KeyManager)
· Select the "Your Key" tab
· Click on the "Import Cert" button. When the file selector dialog window opens, select the CA-signed certificate file and click OK.
· You can now delete the self-signed cert that was used to generate the PKCS#10 CSR.
Typically, an OpenSSL-based application or server uses server.key for the private key and server.cert for the public-key certificate. Sometimes they are named hostkey.pem and hostcert.pem respectively. The server.key file can be either encrypted or unencrypted.
Mozilla NSS, the crypto library underlying Firefox, does not support exporting an unencrypted private key. Also, the OpenSSL-specific encrypted private key file generated by KeyManager is incompatible with the OpenSSL command line tool. Note that neither of these OpenSSL formats follows any standard. The best way to handle this is to use a standards-compliant key file, such as PKCS#12 or PKCS#8, if the OpenSSL-based application supports those formats.
I would suggest first checking whether the OpenSSL-based application can use a PKCS#12 file (which is encrypted) as server.key. If not, check whether server.key can be in PKCS#8 format. If neither works, generate/export the key file in PKCS#12 or PKCS#8 format and then use the OpenSSL command line tool to convert it to either an unencrypted or an OpenSSL-specific encrypted key file, as required by the OpenSSL-based application.
server.cert is just a Base64 X.509 file. You can generate it easily by exporting the cert as an X.509 file.
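The conversion recommended above, as an added example that is not part of the add-on: a PKCS#12 file stands in for the one exported from the browser (it is constructed here with openssl rather than by KeyManager), and the script turns it into the unencrypted server.key / server.cert pair, round-trips the key through password-protected PKCS#8, and checks that the key and the certificate carry the same public key. The export password, the on-disk password and the host name inside.example.test are made up for the demo.

```shell
#!/bin/sh
# Added example (not the add-on's code): from a PKCS#12 export to the
# server.key / server.cert pair an OpenSSL-based server expects, with checks.
# The PKCS#12 file is constructed here as a stand-in for the browser export.

P12_PASS=exportpw     # assumed: the password chosen in the export dialog

# Self-signed key+cert wrapped into $1/server.p12, standing in for
# Export -> PKCS#12 from the "Your Key" tab.
make_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=inside.example.test" \
        -keyout "$1/orig.key" -out "$1/orig.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/orig.pem" \
        -passout "pass:$P12_PASS" -out "$1/server.p12"
}

# PKCS#12 -> unencrypted server.key (PKCS#8 PEM) and server.cert (X.509 PEM).
# Piping through "openssl pkey"/"openssl x509" drops the Bag Attributes lines.
p12_to_openssl_files() {
    openssl pkcs12 -in "$1/server.p12" -passin "pass:$P12_PASS" -nocerts -nodes 2>/dev/null \
        | openssl pkey -out "$1/server.key"
    openssl pkcs12 -in "$1/server.p12" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -out "$1/server.cert"
}

# Unencrypted key $1 -> password-protected PKCS#8 file $2 (password $3) ...
to_pkcs8_encrypted() {
    openssl pkcs8 -topk8 -in "$1" -out "$2" -passout "pass:$3"
}
# ... and back to an unencrypted key when the application cannot load PKCS#8.
from_pkcs8_encrypted() {
    openssl pkey -in "$1" -passin "pass:$3" -out "$2"
}

# Exit 0 if the PEM key file $1 is password protected (PKCS#8 or legacy
# DEK-Info style), 1 if it is stored in the clear.
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# Exit 0 if unencrypted key $1 and certificate $2 carry the same public key.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

W=$(mktemp -d)
make_p12 "$W"
p12_to_openssl_files "$W"
to_pkcs8_encrypted "$W/server.key" "$W/server.p8" diskpw
key_matches_cert "$W/server.key" "$W/server.cert" && echo "server.key matches server.cert"
key_is_encrypted "$W/server.key" || echo "server.key is stored unencrypted: protect the file permissions"
```

`key_matches_cert` is the check to run before restarting the server: a mismatched key and cert is the usual outcome of exporting the wrong entry from the "Your Key" tab, and the server will only report it at the first TLS handshake. `key_is_encrypted` makes the clear-text result of the conversion explicit, since the application then relies on file permissions alone to protect the key.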
You can export the server's private key/cert in one of the following ways:
Option 1: Use the Export button
· Open the Key Manager dialog window (Tools --> Key Manager Tool Box --> KeyManager)
· Select the "Your Key" tab
· Select the server's certificate that you want to export for the OpenSSL application
· Export the private key as follows:
  · Click the 'Export' button.
  · A dialog window opens for choosing the data format and encoding type of the private key
  · Select one of the following data formats for the key: PKCS#8, OpenSSL EPK, PKCS#12
  · Choose Base64 for PKCS#8. PKCS#12 files are always exported in DER format. OpenSSL EPK files are exported in Base64.
  · For the encryption parameters for PKCS#8 or OpenSSL EPK, use the default values
  · Click OK; a file selector for the private key file opens. Provide a file name using the file selector and click Save.
· Export the public key cert as follows:
  · Click the 'Export' button.
  · A dialog window opens for choosing the data format and encoding type of the public key certificate
  · Select one of the following data formats: X.509 or PKCS#7
  · Choose Base64 for the encoding format.
  · Click OK; a file selector for the output file opens. Provide a file name using the file selector and click Save.
Option 2: Use the OpenSSL Key Configurator tool
· Tools --> Key Manager Tool Box --> OpenSSL Key Configurator
· Select the "Export from Browser cert DB" radio button
· Select the key/cert you want to export
· Select the base directory to which you want to export the key/cert
· Select the key type: PKCS#12 or "Private key"
· Ignore the CA section
· Click "Export"
Option 3: Use the NSS/OpenSSL Synchronization Tool
· Tools --> Key Manager Tool Box --> OpenSSL Key/Cert Sync Tool
· Select the directory for the exported key/cert in the "Key Store" dir row
· Select either PKCS#12 or PKCS#8 in the Soft-token row
· Select the key/cert you want to export in the "NSS to OpenSSL Sync" row
· Leave everything else as is
· Click the "Export" button next to the selected cert; a customized version of the "OpenSSL Key Configurator" dialog window opens. Click its Export button, then close the window.
Option 4: Use the Backup button
· Open the Key Manager dialog window (Tools --> Key Manager Tool Box --> KeyManager)
· Select the "Your Key" tab
· Select the server's certificate that you want to export for the OpenSSL application
· Export the private key as follows:
  · Click the 'Backup' button.
  · A dialog window opens for choosing the password for the PKCS#12 file
If you already have keys/certificates for OpenSSL, you can also sign with your:
· "Generate CSR" --> "Save CSR" as file (a self-signed cert is created automatically), or
· "Generate Self-signed Cert" --> select the newly created cert --> click the "Generate CSR" or "Export" button to create a PKCS#10 CSR file
- During generation of the CSR or self-signed cert, you will be prompted to select the token associated with the smart card
· The CA-signed cert file can be an X.509 cert or a PKCS#7 file containing the signed cert as well as the full CA cert chain
· Use "Import User cert" to import the CA-signed cert; do not forget to import the CA cert chain if your signed cert file does not contain the CA cert chain along with the X.509 cert.
· Delete the previously created self-signed cert if you do not want it.
Note: The self-signed cert is created as a marker for the key generated for the CSR (as in Java keytool, which requires a self-signed cert to generate a CSR); otherwise the key would not be visible until you import a signed cert.
If your smart card does not allow more than one cert per private key, generate the keys and the self-signed cert on the "Internal Security Device", not on the "Smart Card". Then export the CSR and sign it using the CA. Once the signed cert is imported into the soft-token, select the signed cert on the "Your Key" tab and do as follows:
This section describes how to use Key Manager to sign certificates in Java key stores. The tool lets you select the key/certificate in a Java key store by its alias and does everything necessary to sign the certificate using the CA's key in the browser's certificate DB: it extracts a PKCS#10 CSR, signs the certificate using Key Manager's certificate signing tool, and then imports the result back into the Java key store.
Note: This feature is only supported on Linux/Mac OS X platforms.
Here are the steps that you have to follow:
Enable the Java Keystore manager tool options:
Tools --> Add-on --> Select the "Key Manager" add-on --> Click "Options/Preferences" --> select the "Key Manager Tool" tab --> check the "Enable Java Keystore Cert Management" check-box
Select the "JKS Manage Cert Tool" tab and provide the path to a shell command, JAVA_HOME, and the Java version. If the SHELL and JAVA_HOME environment variables are already set, the preferences are automatically set to those values.
Open the Java Key Store Manager Wizard:
Tools --> Key Manager Tool Box --> Manage Certs in Java Key store
Alternatively: Toolbar for KeyManager --> Open the menu in "Security Devices" --> select the "Manage certs in JKS" menu item
Specify the key store parameters using the browse button:
· "Key Store" file path (use the browse button to select an existing file or the location of a new file; if you want to create a new key store, check the "New" checkbox and then use browse to select the location and name of the file)
· Key store type
· Key store password
· Type of task: generate a new key pair and then sign it, sign a certificate for an existing key pair, or import an X.509 certificate
Click Next (you may have to select a different field or click the window after entering a value for the Next button to be activated).
Select the key using the alias and provide the path to the PKCS#10 CSR:
· Select the certificate to be signed from the "Cert Alias" list
· Enter/select the file path for the PKCS#10 CSR; the tool automatically generates a path for the PKCS#10 CSR.
Finally click Next to generate the CSR.
Note: If the Next button is not activated, move the cursor to a different part of the wizard and click the left button.
Select the signer cert from the browser's certificate DB and provide the path for the signed X.509 cert:
· Select the signer cert using the menu provided in the "Signer X.509 Cert" row
· Use the "Browse" button to select the path for the "Signed X.509 cert" to be generated. The tool automatically generates a file path.
Click Next; the Certificate Signer dialog window is displayed.
Use the certificate signer dialog window to sign the certificate:
· Click the Advanced button to modify the certificate extensions in the PKCS#10 CSR or to add new certificate extensions
· Click "Sign Cert"
Import the signed cert into the Java key store:
The tool provides the alias for the newly generated cert and the certificate chain for importing into the Java key store. The Java key store does not allow importing a certificate without the signer cert chain.
Finally, the imported signed cert will be displayed as shown below.