X.509 Certificate Management
Use this window to create, import, or reuse a web certificate for Server Administrator.
User Privileges
Selection | View | Manage |
---|---|---|
X.509 Certificate Management | Administrator | Administrator |
X.509 Certificate Management
Web certificates ensure the identity of a remote system and ensure that information exchanged with the remote system cannot be viewed or changed by others. To ensure system security for Server Administrator, it is strongly recommended that you either generate a new X.509 certificate, reuse an existing X.509 certificate, or import a certificate chain from a Certificate Authority (CA).
You can apply for a certificate to authenticate user privileges for access to the system over a network, or for accessing a storage device attached to the system.
X.509 Certificate Option Menu
Generate a new certificate | Generates a new self-signed certificate used for the SSL communication between the server running Server Administrator and the browser. NOTE: Most web browsers generate an untrusted warning as this certificate is not signed by a Certificate Authority (CA) trusted by the operating system. Some secure browser settings block the self-signed SSL certificates. So, Server Administrator web GUI requires a CA-signed certificate for such secure browsers. |
---|---|
Certificate Maintenance | Allows you to generate a Certificate Signing Request (CSR) containing all the certificate information about the host for the CA to automate the creation of a trusted SSL web certificate. You can retrieve the necessary CSR file either from the specified path at the top of the page or by copying the entire text in the text box and pasting it in the CA submit form. The text must be in Base 64-encoded format. NOTE: You also have an option to view the certificate information and to export the certificate that is being used to universal Base 64-encoded format, which can be imported to other web services. |
Import certificate chain | Allows you to import the certificate chain (in PKCS#7 format) signed by a trusted CA. The certificate can be in DER or Base 64-encoded format. |
Import a PKCS12 Keystore | Allows you to import a PKCS#12 keystore that replaces the key and certificate used in Server Administrator Webserver. NOTE: An error message is displayed if you select an invalid PKCS file or when an incorrect password is typed. |
X.509 Certificate Generation Menu: Generate a New Certificate
Alias | An alias is a shortened, keystore-specific name for an entity that has a certificate in the keystore. A user can assign any alias name for the public and the private key in the keystore. |
---|---|
Key Signing Algorithm | Displays the supported signing algorithms. Select an algorithm from the drop-down list. NOTE: If you select either SHA 512 or SHA 256, ensure that the operating system/browser supports this algorithm. If you select one of these options without the requisite operating system/browser support, Server Administrator displays a "cannot display the webpage" error. |
Key Generation Algorithm | Describes the algorithm to be used to generate the certificate. Commonly used algorithms are RSA and DSA. |
Key Size | Encryption strength for the private key. The default value is 2048. |
Validity Period | Length of time the certificate is to be valid, expressed in days. |
Common Name (CN) | Exact name of the host or domain to be secured, for example, xyzcompany.com . |
Organization (O) | Full company name as it appears in the company's certificate of incorporation, or as it is registered with the state government. |
Organization Unit (OU) | Division of this company applying for the certificate, for example, E-Commerce Department. |
Locality (L) | The city or place name where the organization is registered or incorporated. |
State (ST) | The state or province where the organization is registered or incorporated. Spell out the name. |
Country (C) | Two-letter country code, for example, US for United States and UK for United Kingdom. |
X.509 Certificate Generation Menu: Certificate Maintenance
Certificates | This is the name of the X.509 certificate that is currently being used. |
---|---|
Select appropriate action |
|
When you select CSR, Server Administrator makes a .csr file. Server Administrator displays the path where you can retrieve the .csr file.
Server Administrator also prompts you to copy and save the text of the certificate.
When you select Export, Server Administrator enables you to download the certificate as a .cer file and save the file to a directory that you select.
X.509 Self-Signed Certificate Contents
Values for the following fields are collected at the time that the certificate is first created:
Alias | An alias is a shortened, keystore-specific name for an entity that has a certificate in the keystore. A user can assign any alias name for the public and the private key in the keystore. |
---|---|
Creation Date | Date the existing certificate was originally created. |
Provider | The default certificate provider is the Sun Microsystems security provider. Sun has one certificate factory that works with certificates of type X509. |
Certificate Chain | Complete certificate which has the root certificate as well as the response associated with it. |
Chain Element 1:
If a user views the certificate contents and finds Chain Element 1: but not Chain Element 2: in the description, the existing certificate is a self-signed certificate. If the certificate contents refer to Chain Element 2:, the certificate has one or more CAs associated with it.
Type | X.509. |
---|---|
Version | Version of X.509. |
IsValid | Whether Server Administrator considers the certificate to be valid (Yes or No). |
Subject | Name of the entity for whom the certificate has been issued. This entity is referred to as the subject of the certificate. |
Issuer | Name of the certificate authority who signed the certificate. |
Valid From | First date on which the certificate is valid for use. |
Valid To | Last date the certificate is good for use. |
Serial Number | Unique number that identifies this certificate. |
Public Key | Public Key of the certificate, that is, the key that belongs to the subject the certificate vouches for. |
Public Key Algorithm | RSA or DSA. |
Key Usage | Key usage extension, which defines the purpose of the key. You can use a key for digital signing, key agreement, certificate signing, and more. The key usage is an extension to the X.509 specification and need not be present in all X.509 certificates. |
Signature | Certificate authority's identifying digest that confers validity on a certificate. |
Signature Algorithm Name | Algorithm used to generate the signature. |
Signature Algorithm OID | Object ID of the signature algorithm. |
Signature Algorithm Parameters | Algorithm used to generate the signature that uses the TBS certificate as input. |
TBS Certificate | Body of the actual certificate. It contains all the naming and the key information held in the certificate. The TBS certificate is used as an input data to the signature algorithm when the certificate is signed or verified. |
Basic Constraints | An X.509 certificate may contain an optional extension that identifies whether the subject of the certificate is a certificate authority (CA). If the subject is a CA, this extension returns the number of certificates that may follow this certificate in a certification chain. |
Subject Unique ID | String that identifies the applicant for the certificate. |
Issuer Unique ID | String that identifies the issuer of the certificate. |
MD5 Fingerprints | Digital signature algorithm that verifies data integrity by creating a 128-bit message digest or fingerprint. The fingerprint is as unique to the input data as a person's fingerprint is to only one individual person. |
SHA1 Fingerprints | Secure hashing algorithm, a cryptographic message digest algorithm used to verify data integrity by making replication of the digest or fingerprint computationally expensive, that is, not worth the effort. |
Encoded Certificate | Content of the certificate in binary form. |
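The fields above can be checked outside the GUI on an exported .cer file. The following is an added example, not Server Administrator code: it walks the DER structure to reach the TBS Certificate, compares the Issuer and Subject names (equal names mean the certificate is self-issued, the case the page describes as having only Chain Element 1:), and computes fingerprints over the encoded certificate. The host names, the helper names, and the SHA-256 fingerprint are assumptions of this example, and the sample certificate is constructed with a dummy key and signature, so no signature is verified.

```python
import base64, hashlib

def read_tlv(buf, pos=0):
    """Return (tag, content, raw element, next offset) for the DER element at pos."""
    start, tag, first = pos, buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                       # long form: low 7 bits count the length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], buf[start:pos + length], pos + length

def pem_to_der(cert):
    """Accept DER bytes or Base 64 (PEM) text and return DER bytes."""
    if isinstance(cert, bytes):
        return cert
    lines = [ln for ln in cert.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(lines))

def inspect_cert(cert):
    der = pem_to_der(cert)
    _, body, _, _ = read_tlv(der)          # outer Certificate SEQUENCE
    _, tbs, _, _ = read_tlv(body)          # TBS Certificate
    fields, pos = [], 0
    while pos < len(tbs):
        tag, _, raw, pos = read_tlv(tbs, pos)
        if tag != 0xA0:                    # skip the optional [0] version wrapper
            fields.append(raw)
    _serial, _sig_alg, issuer, _validity, subject = fields[:5]
    return {"self_issued": issuer == subject,   # same DER name in Issuer and Subject
            "sha1": hashlib.sha1(der).hexdigest(),
            "sha256": hashlib.sha256(der).hexdigest()}

# --- constructed sample input: structurally valid DER, dummy key and signature ---
def tlv(tag, content):
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (lb if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + content

def name(cn):                              # Name with a single CN attribute (OID 2.5.4.3)
    return tlv(0x30, tlv(0x31, tlv(0x30, bytes.fromhex("0603550403") + tlv(0x0C, cn.encode()))))

def sample_cert(subject_cn, issuer_cn):
    alg = tlv(0x30, bytes.fromhex("06092a864886f70d01010b0500"))   # sha256WithRSAEncryption
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, b"\x02\x01\x02") + tlv(0x02, b"\x01") + alg
              + name(issuer_cn) + validity + name(subject_cn) + tlv(0x30, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, bytes(17)))
```

Because the fingerprint is taken over the DER bytes, the DER and Base 64-encoded exports of the same certificate give the same value.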
Certificate Import: Import certificate chain
To import a certificate chain that you obtain from a CA:
- Type the name of the certificate file you want to import, or click Browse to search for the file.
- Select the file and click Import.
Import PKCS#12
To import the PKCS#12 certificate:
- Browse to the PKCS#12 file that contains the key and certificate of the web server.
- Enter the key store password.
- Click Import.