
LANSA Integrator

7.18.6 PKI Editor Configuration

Select the encryption algorithm and key size

Your selection really depends on your application:

  • How long does the data need to be secure?
  • How much does it cost and how much is it worth?

Recent standards currently recommend RSA key sizes of 1024 bits for corporate use and 2048 bits for extremely valuable keys like the root key pair used by a certifying authority.

Longer key sizes are more secure but this increased security comes at the cost of performance.

Doubling the RSA modulus size increases processing time by a factor of about 4 for public key operations (signature verification, encryption) and about 8 for private key operations (signature generation, decryption).
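The slowdown figures above can be checked empirically. The following Python script is an added example, not part of the LANSA documentation or the PKI Editor: it times one public-key and one private-key modular exponentiation at 1024 and 2048 bits using only the standard library. It assumes that a random odd modulus and a random full-size private exponent cost the same as real RSA parameters of that size, which holds because the running time of pow() depends only on operand sizes; no real key is generated and nothing is actually encrypted.

```python
import secrets
import timeit

# The usual RSA public exponent; its small size is why public-key
# operations (verification, encryption) are so much cheaper than private ones.
PUBLIC_EXPONENT = 65537
ITERATIONS = 20


def _random_odd(bits):
    """Random odd integer with exactly `bits` bits (top bit set).

    Assumption: for cost measurement a random odd modulus stands in for a
    real RSA modulus of the same size; no primality is needed here.
    """
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1


def rsa_op_cost(bits, repeats=3):
    """Best-of-`repeats` time in seconds for one public and one private
    modular exponentiation with a `bits`-bit modulus."""
    n = _random_odd(bits)
    m = secrets.randbelow(n)
    d = _random_odd(bits)  # full-size private exponent, as in real RSA
    public = timeit.repeat(lambda: pow(m, PUBLIC_EXPONENT, n),
                           number=ITERATIONS, repeat=repeats)
    private = timeit.repeat(lambda: pow(m, d, n),
                            number=ITERATIONS, repeat=repeats)
    return {"public": min(public) / ITERATIONS,
            "private": min(private) / ITERATIONS}


def scaling_factors(small_bits=1024, large_bits=2048):
    """How much slower each operation gets when the modulus grows from
    `small_bits` to `large_bits` (doubling by default)."""
    small = rsa_op_cost(small_bits)
    large = rsa_op_cost(large_bits)
    return {"public": large["public"] / small["public"],
            "private": large["private"] / small["private"]}


if __name__ == "__main__":
    f = scaling_factors()
    print(f"1024 -> 2048 bits: public-key ops ~{f['public']:.1f}x slower, "
          f"private-key ops ~{f['private']:.1f}x slower")
```

On CPython the private-key ratio comes out near the factor of 8 quoted above (the exponent doubles in length and each multiplication is four times as expensive), while the public-key ratio stays close to 4 because the exponent length is fixed. The absolute numbers are what matter when sizing a certificate authority: the verification cost is paid by every client, the signing cost only by the issuer.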

Set the encryption algorithm and key size

Edit the project file and modify the algorithm and strength properties.

strength=1024
algorithm=*RSA | *DSA
certificate.signing.algorithm=*MD5RSA | *SHA1RSA | *SHA1DSA

When the algorithm is *RSA, choose certificate signing algorithm *MD5RSA or *SHA1RSA.

When the algorithm is *DSA, choose certificate signing algorithm *SHA1DSA.

The default key algorithm is *RSA.

The default signature algorithm is *SHA1RSA or *SHA1DSA depending on the key algorithm.

Set extended key usage

Additional key usage extensions can be added to the certificate request and client certificate by including 'extended.purpose' properties. Up to 20 properties can be included, numbered consecutively from 1 to 20.

To add the following extended key usages:

  • Server Authentication (1.3.6.1.5.5.7.3.1)
  • Client Authentication (1.3.6.1.5.5.7.3.2)
  • Code Signing (1.3.6.1.5.5.7.3.3)
  • Secure Email (1.3.6.1.5.5.7.3.4)
  • Time Stamping (1.3.6.1.5.5.7.3.8)
  • OCSP Signing (1.3.6.1.5.5.7.3.9)

extended.purpose.1=1.3.6.1.5.5.7.3.1
extended.purpose.2=1.3.6.1.5.5.7.3.2
extended.purpose.3=1.3.6.1.5.5.7.3.3
extended.purpose.4=1.3.6.1.5.5.7.3.4
extended.purpose.5=1.3.6.1.5.5.7.3.8
extended.purpose.6=1.3.6.1.5.5.7.3.9

Set CRL distribution

A CRL distribution extension can be included with each certificate.

crl.distribution=http://www.mycompany.com/CRLList.crl
crl.distribution=http://www.mycompany.com/crllist.html

Set Subject Alternative Names for SSL authentication

A list of SSL authentication Subject Alternative Names can be included with each certificate.

As part of the SSL trust process, an SSL client program can compare the host name it connected to against the names listed in the Subject Alternative Name extension of the certificate it received.

Use the 'ssl.addresses' property to specify a list of IP addresses.

Use the 'ssl.domains' property to specify a list of host domain names.

ssl.addresses=10.2.0.173,10.2.0.174
ssl.domains=*.mycompany.com,support.mycompany.com,account.mycompany.com
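The rules in the sections above (the key algorithm and signing algorithm pairing and their defaults, the numbering and OID format of extended.purpose entries, the crl.distribution URL, and the ssl.addresses and ssl.domains lists) are easy to get wrong when the project file is edited by hand. The following Python script is an added example, not part of the LANSA documentation or the PKI Editor: it parses a project file and reports violations of those rules. It assumes the file is plain key=value lines with '#' comments, as in the example project file shown in the next section, a trimmed copy of which is embedded as sample input. The two warnings it raises about 1024-bit keys and MD5/SHA-1 signatures reflect current NIST and CA/Browser Forum guidance, not anything stated on this page.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Algorithm pairings, defaults and limits as stated on the page.
SIGNING_FOR_ALGORITHM = {"*RSA": {"*MD5RSA", "*SHA1RSA"}, "*DSA": {"*SHA1DSA"}}
DEFAULT_SIGNING = {"*RSA": "*SHA1RSA", "*DSA": "*SHA1DSA"}
MAX_EXTENDED_PURPOSES = 20
KNOWN_EKU_OIDS = {
    "1.3.6.1.5.5.7.3.1": "Server Authentication",
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.5.7.3.3": "Code Signing",
    "1.3.6.1.5.5.7.3.4": "Secure Email",
    "1.3.6.1.5.5.7.3.8": "Time Stamping",
    "1.3.6.1.5.5.7.3.9": "OCSP Signing",
}
OID_RE = re.compile(r"^\d+(\.\d+)+$")
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
DOMAIN_RE = re.compile(rf"^(\*\.)?(?:{LABEL}\.)*{LABEL}$", re.I)  # optional *. wildcard

# Current guidance (NIST SP 800-57, CA/Browser Forum), not from the page: warnings only.
MIN_RECOMMENDED_STRENGTH = 2048
DEPRECATED_SIGNING = {"*MD5RSA", "*SHA1RSA", "*SHA1DSA"}

# Sample input: a trimmed copy of the page's example project file.
SAMPLE_PROJECT_FILE = """\
#JSFPKIEditor last values
blank.password=*yes
algorithm=*RSA
strength=1024
certificate.signing.algorithm=*SHA1RSA
serial=75
days=365
location.organization=ACME Corporation
extended.purpose.1=1.3.6.1.5.5.7.3.2
extended.purpose.2=1.3.6.1.5.5.7.3.1
"""


def parse_properties(text):
    """Minimal key=value parser; '#' lines are comments, as in the example file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        props[key.strip()] = value.strip()
    return props


def validate(text):
    """Return (errors, warnings): errors break the page's rules, warnings flag weak choices."""
    p = parse_properties(text)
    errors, warnings = [], []

    algorithm = p.get("algorithm", "*RSA")  # page: default key algorithm is *RSA
    if algorithm not in SIGNING_FOR_ALGORITHM:
        errors.append(f"algorithm must be *RSA or *DSA, got {algorithm!r}")
        algorithm = "*RSA"
    signing = p.get("certificate.signing.algorithm", DEFAULT_SIGNING[algorithm])
    if signing not in SIGNING_FOR_ALGORITHM[algorithm]:
        errors.append(f"{signing} cannot be used to sign with a {algorithm} key")
    elif signing in DEPRECATED_SIGNING:
        warnings.append(f"{signing} uses MD5/SHA-1; SHA-256 or stronger is current practice")

    strength = p.get("strength")
    if strength is not None and not strength.isdigit():
        errors.append(f"strength must be an integer, got {strength!r}")
    elif strength is not None and int(strength) < MIN_RECOMMENDED_STRENGTH:
        warnings.append(f"strength={strength} is below today's {MIN_RECOMMENDED_STRENGTH}-bit minimum")

    if p.get("blank.password", "*NO").upper() not in {"*YES", "*NO"}:
        errors.append("blank.password must be *YES or *NO")

    # extended.purpose.N: N runs from 1 with no gaps, at most 20; each value is an OID.
    seqs = []
    for key, value in p.items():
        if not key.startswith("extended.purpose."):
            continue
        suffix = key[len("extended.purpose."):]
        if not suffix.isdigit() or not 1 <= int(suffix) <= MAX_EXTENDED_PURPOSES:
            errors.append(f"{key}: sequence number must be 1..{MAX_EXTENDED_PURPOSES}")
            continue
        seqs.append(int(suffix))
        if not OID_RE.match(value):
            errors.append(f"{key}: {value!r} is not an OID")
        elif value not in KNOWN_EKU_OIDS:
            warnings.append(f"{key}: {value} is not a documented extended key usage OID")
    if sorted(seqs) != list(range(1, len(seqs) + 1)):
        errors.append("extended.purpose numbers must start at 1 and be contiguous")

    crl = p.get("crl.distribution")
    if crl is not None:
        u = urlparse(crl)
        if u.scheme not in {"http", "https"} or not u.netloc:
            errors.append(f"crl.distribution must be an http(s) URL, got {crl!r}")

    for addr in filter(None, p.get("ssl.addresses", "").split(",")):
        try:
            ipaddress.ip_address(addr.strip())
        except ValueError:
            errors.append(f"ssl.addresses: {addr!r} is not an IP address")

    for dom in filter(None, p.get("ssl.domains", "").split(",")):
        if not DOMAIN_RE.match(dom.strip()):
            errors.append(f"ssl.domains: {dom!r} is not a host name or *.domain pattern")

    return errors, warnings


if __name__ == "__main__":
    for level, msgs in zip(("ERROR", "WARN"), validate(SAMPLE_PROJECT_FILE)):
        for msg in msgs:
            print(level, msg)
```

Run against the page's example file the script reports no errors and two warnings (1024-bit key, *SHA1RSA signature). A mismatched pairing such as algorithm=*DSA with certificate.signing.algorithm=*MD5RSA, a gap in the extended.purpose numbering, a non-http CRL URL or a malformed IP address in ssl.addresses each produce an error before the file reaches the PKI Editor.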

Example PKI Editor project file

#JSFPKIEditor last values
#Sun Nov 02 22:34:20 GMT 2003
ca.keystore=ca-key.der
ca.keystore.password=
ca.certificate=ca-cert.der
ca.expiry=1/1/2005
request.keystore=request-key.der
request.keystore.password=
request.certificate=request-cert.der
certificate=certificate.der
blank.password=*yes
algorithm=*RSA
strength=1024
certificate.signing.algorithm=*SHA1RSA
serial=75
days=365
location.organization=ACME Corporation
location.unit=Rocket Powered Systems
location.locality=Nevada Desert
location.state=NV
location.country=US
location.name=Road Runner
[email protected]
extended.purpose.1=1.3.6.1.5.5.7.3.2
extended.purpose.2=1.3.6.1.5.5.7.3.1

You need to use a text editor to set the following properties:

strength=1024
algorithm=*RSA | *DSA
certificate.signing.algorithm=*MD5RSA | *SHA1RSA | *SHA1DSA
blank.password=*YES | *NO