Internet certificates

The Internet uses certificates to authenticate servers and users.

Company Certificate Authority (CA certificate)
Server certificates
User certificates
How to manage user certificates

Company Certificate Authority (CA certificate).

Intranet certificates are digitally signed by a Company Certificate Authority (CA), which may be internal or external. Like a passport, a certificate is accepted only if the signing authority (CA) is recognized, so your browser must know the CA. This authority signs most of the certificates presented by the company servers (including e-Sentry). We suggest installing the CA certificate in your browser using the link 'CA certificate' located at the top of the authentication page.

Installation under Netscape Communicator.
With Netscape Navigator you will go through a sequence of windows which may depend on your country, navigator release, and so on, so here are the principles for answering the questions:

Installation under MS-Explorer.
The operation is currently more complex. We suggest validating individually each certificate presented by an application server. This operation is detailed in the next paragraph.


Server certificates.

On an SSL connection, servers are authenticated by the browser. Each server must present a certificate, which guarantees the identity of the server. The browser can check this certificate in two ways:

  1. Either check that the certificate has been signed by a well-known Certificate Authority (the case already explained).
  2. Or ask the user whether to accept the certificate (and the server).

Server certificate acceptance.
Netscape and Microsoft present several windows of options and information before the server certificate is accepted. You will be asked to accept the e-Sentry certificate by clicking several times on "Next" and once on "Finish". If you want to accept the certificate permanently, you can make this choice in one of the windows.
Click "Continue" on the permanent or temporary certificate panel presented by your browser.
Again, we suggest that you install the CA certificate in your browser (see Company Certificate Authority).
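
The first check described above (was the server certificate signed by a known CA?) can be reproduced outside the browser with the OpenSSL command-line tool. This is an added example, not part of the original e-Sentry documentation; the CA name, host name and file names are constructed, and the fingerprint helper assumes the administrator publishes a reference value to compare against when a certificate is accepted by hand.

```shell
#!/bin/sh
# Added example: all names, keys and certificates below are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway company CA, a server certificate signed by it, and an
# unrelated self-signed certificate that claims the same server name.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Company CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=portal.example.internal" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/srv.csr" -days 1 \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/srv.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=portal.example.internal" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
}

# Method 1: succeeds only if CERT chains to the CA certificate in CAFILE.
signed_by_ca() {   # usage: signed_by_ca CAFILE CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Method 2 support: SHA-256 fingerprint to compare with a reference value
# (assumed here to be published by the administrator) before accepting.
fingerprint() {    # usage: fingerprint CERT
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

make_demo_pki
for cert in srv other; do
    if signed_by_ca "$WORK/ca.pem" "$WORK/$cert.pem"; then
        echo "$cert.pem: signed by the company CA"
    else
        echo "$cert.pem: NOT signed by the company CA, fingerprint:" \
             "$(fingerprint "$WORK/$cert.pem")"
    fi
done
```

Both certificates carry the same server name; only the one issued by the installed CA passes the first check, which is why installing the CA certificate is preferable to accepting certificates one by one.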

User certificates.

Users can also use certificates to authenticate to a server, thanks to the SSL mechanism. This mode of authentication is supported by e-Sentry. See the full explanation in the chapter Login.

How to manage user certificates.

The certificates database.
The certificates database stores the user certificates and secret keys. This database MUST therefore be protected.
Warning: protecting your private key and your certificate (in fact, this database) is your responsibility.
With Netscape, the database must be protected by a password that is at least 5 characters long and not too easy to guess.
With Microsoft, protect your workstation with a password that has the same characteristics.

Netscape Communicator.
The certificates database is protected by a local password. If you forget this password, you must clear the database by deleting the key3.db file corresponding to your entry. This reinitialization deletes all your certificates and secret private keys. With Communicator 4.7, the file is located under c:/Users/Netscape/default/. If you have defined user profiles, it is located under c:/Users/Netscape/
When a workstation is shared by different users, you must create a specific access profile for each user. A specific password is associated with each user, and each user administers (replaces) his own password. A Netscape profile is created or deleted using the 'Profile manager': follow "Start", "Programs", "Netscape communicator", "Utilities", "User profile manager".

MS-Explorer.
Access to the database is not protected. In the Windows 95 or 98 environment it is necessary to protect access to the workstation: workstation password, screen saver with password, ...
If the workstation is shared between different users, it is impossible to create separate certificates databases. All secret private keys and certificates are located in the same database. Don't forget to remove your private keys and certificates when you leave the workstation.


Save your secret private keys and certificates.
It is strongly suggested that you save (export) your permanent certificate to a floppy disk and keep this floppy with you. This will allow you to install the private key and certificate on another station (home, another office, ...), or when you must update your workstation.
This operation is done using the certificate export/import function offered by your browser.

Netscape Communicator.
Click "Security", "Your certificates". To export, select a certificate and click "Export". To import, click "Import a certificate".

MS-Explorer.
Click "Tools", "Internet options", "Content", "Certificates". To export, select a certificate and click "Export". To import, click "Import".
Warning: it seems that exporting certificates from Explorer to Communicator does not work.


Temporary user certificates.
They must be authorized by your administrator. They are requested by the user on the authentication form, but only when the permanent certificate is not available. Temporary user certificates are delivered by e-Sentry through authentication with Id and password, plus the option 'I need a temporary user certificate'.
The validity period of a temporary certificate is 24 hours.
Only the last delivered temporary certificate is valid for authentication.
If your database contains more than one certificate, check that the browser presents the last delivered certificate. If not, remove the old certificates from the certificates database and retain only the certificate with the highest serial number.

Netscape Communicator.
Click "Security", "Your certificates", then select and remove the oldest.

MS-Explorer.
Click "Tools", "Internet Options", "Content", "Certificates", select a certificate, then "Display", "Detail". After checking the serial numbers, select and 'Delete' the old certificates.


Automation of certificate presentation.

Netscape Communicator.
You can automatically present a specific certificate to web servers (e-Sentry or others) when this mode of authentication is supported. Click "Security", "Navigator", and in "Certificate for authentication on Web sites" select "Automatic selection".

MS-Explorer.
In releases up to 5.5, there is no option for automatic certificate presentation. It is only necessary, however, to click 'OK' in the 'Client authentication' window used to select the certificate from the list. This selection remains active for the whole Explorer session.