SSL functionality can be installed with a new package, or with an update, or it can be added to an existing non-SSL enabled site. The following steps give a quick outline for support of SSL. (NUMBERED) If using the HP SSL for OpenVMS Alpha/Itanium/VAX product or an already installed OpenSSL toolkit go directly to step 2. To install the WASD OpenSSL package the ZIP archive needs to be restored. (UNNUMBERED) The ZIP archive will contain brief installation instructions. Use the following command to read this and any other information provided. $ UNZIP -z device:[dir]archive.ZIP (Either) UNZIP the WASD SSL package into a new installation $ SET DEFAULT [.WASD_ROOT] $ UNZIP device:[dir]archive.ZIP (OR) into an existing installation $ SET DEFAULT WASD_ROOT:[000000] $ UNZIP device:[dir]archive.ZIP It is then necessary to build the HTTPd SSL executables. This can be done in either of two ways. (UNNUMBERED) During an original INSTALL or subsequent UPDATE of the entire package. As of v8.1 these procedures detect a suitable SSL toolkit and prompt the user whether an SSL enabled server should be built. To to add SSL functionality to an existing but non-SSL site just the SSL components can be built using the following procedure. $ @WASD_ROOT:[INSTALL]UPDATE SSL Once linked the UPDATE.COM procedure will prompt for permission to execute the demonstration/check procedure.

It is also possible to check the SSL package at any other time using the server demonstration procedure. It is necessary to specify that it is to use the SSL executable. Follow the displayed instructions. $ @WASD_ROOT:[INSTALL]DEMO.COM SSL Modification of server startup procedures should not be necessary. If an SSL image is detected during startup it will be used in preference to the standard image. Modify the WASD_CONFIG_global configuration file to specify an SSL service. For example the following creates both a standard HTTP service on the default port 80 and an SSL service on the default port 443 [Service] the.example.com https://the.example.com Shutdown the server completely, then restart. $ HTTPD /DO=EXIT $ @WASD_ROOT:[STARTUP]STARTUP To check the functionality (on default ports) access the server via (SIMPLE) Standard HTTP http://the.example.com/

SSL HTTP https://the.example.com/ Once the server has been proved functional with the example certificate it is recommended that a server-specific certificate be created using the tools described in (hd_ssl_cert). This may then be used by placing it in the appropriate local directory, assigning the WASD_SSL_CERT symbol appropriately before startup. (--------------------------------------------------------------------) (SSL Version Support\hd_ssl_version)

As WASD uses the OpenSSL package in one distribution or another it largely supports all of the capability of that underlying package. By default the server supports the SSLv3 and TLSv1 version variants of the protocol. The older, vulnerable and deprecated SSLv2 is no longer accepted by default.

Some older clients employing SSL(v2) may fail. Symptoms are dropped connection establishment and WATCH [x]SSL showing (SSL routines SSL3_GET_RECORD wrong version number). It is generally considered SSL best-practice not to have SSLv2 enabled but if required may be supported using the /SSL=(SSLv2,SSLv3) command line parameter during server startup. (--------------------------------------------------------------------) (SSL Configuration\hd_ssl_config)

The example HTTPd startup procedure already contains support for the SSL executable. If this has been used as the basis for startup then an SSL executable will be started automatically, rather than the standard executable. The SSL executable supports both standard HTTP services (ports) and HTTPS services (ports). These must be configured using the [service] parameter. SSL services are distinguished by specifying (https:) in the parameter. The default port for an SSL service is 443.

WASD can configure services using the WASD_CONFIG_global [service] directive, the WASD_CONFIG_SERVICE configuration file, or even the /SERVICE= qualifier. (WASD_CONFIG_SERVICE\hd_ssl_config_service)

SSL service configuration using the WASD_CONFIG_SERVICE configuration is slightly simpler, with a specific configuration directive for each aspect. (see (HREF=[-.config]config.sdml!../config/#cr_service_directives)([-.CONFIG]DOC_config.sdml)). This example illustrates configuring the same services as used in the previous section. [[http://alpha.example.com:80]] [[https://alpha.example.com:443]] [ServiceSSLcert] WASD_ROOT:[local]alpha.pem [[https://beta.example.com:443]] [ServiceSSLcert] WASD_ROOT:[local]beta.pem (SSL Server Certificate\hd_ssl_server_cert)

The server certificate is used by the browser to authenticate the server against the server certificate Certificate Authority (CA), in making a secure connection, and in establishing a trust relationship between the browser and server. By default this is located using the WASD_CONFIG_SSL_CERT logical name during startup, however if required, each SSL service can have an individual certificate configured against it as shown above.

WASD SSL implements (Server Name Indication\BOLD) (SNI), an extension to the TLS protocol that indicates what hostname the client is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and port number and hence allows multiple secure (HTTPS) websites (or any other Service over TLS) to be served off the same IP address without requiring all those sites to use the same certificate.

When the client presents an SNI server name during SSL connection establishment, WASD searches the list of services it is offering for an SSL service (the first hit) operating with a name matching the SNI server name. If matched, the SSL context (certificate, etc.) of that service is used to establish the connection. If not matched, the service the TCP/IP connection originally arrived at is used. (SSL Private key\hd_ssl_private_key)

The (private key) is used to validate and enable the server certificate. A private key is enabled using a (secret), a password. It is common practice to embed this (encrypted) password within the private key data. This private key can be appended to the server certificate file, or it can be supplied separately. If provided separately it is by default located using the WASD_CONFIG_SSL_KEY logical, though can be specified on a per-service basis. When the password is embedded in the private key information it becomes vulnerable to being stolen as an enabled key. For this reason it is possible to provide the password separately and manually.

If the password key is not found with the key during startup the server will request that it be entered at the command-line. This request is made via the HTTPDMON (STATUS:) line (see (HREF=[-.config]config.sdml!../config/#hd_opcom)([-.CONFIG]DOC_config.sdml)), and if any OPCOM category is enabled via an operator message. If the private key password is not available with the key it is recommended that OPCOM be configured, enabled and monitored at all times.

When a private key password is requested by the server it is supplied using the /DO=SSL=KEY=PASSWORD directive ((hd_admin_do_cli)). This must be used at the command line on the same system as the server is executing. The server then prompts for the password. Enter private key password []: The password is not echoed. When entered the password is securely supplied to the server and startup progresses. An incorrect password will be reprompted for twice (i.e. up to three attempts are allowed) before the startup continues with the particular service not configured and unavailable. Entering a password consisting of all spaces will cause the server to abort the full startup and exit from the system. (SSL Virtual Services\hd_ssl_config_virtual)

Multiple virtual SSL services (https:) sharing the same certificate (and other characteristics) can essentially be configured against any host name (unique IP address or host name alias) and/or port in the same way as standard services (http:). Services requiring unique certificates can only be configured for the same port number against individual and unique IP addresses (i.e. not against aliases).

This is not a WASD restriction, it applies to all servers for significant technical reasons. Secure Sockets Layer is designed to (wrap) an entire application protocol (in this case HTTP). HTTP virtual services use the (Host:) field of the request header to determine which service the client intended to use. This requires the network connection established and at least the request header transfered and processed. For an SSL service establishing the connection requires a complex transaction involving, amongst other things, certificate exchange. Hence, the certificate (and all other SSL parameters) must be determined at the time the server accepts the initial connection request. At that point the only defining characteristics can be IP address and port, and therefore services requiring unique certificates must be unique either by address or port. Services sharing certificates do not have this restriction and so may be configured against host name aliases.

For example, unique certificates for https://www.company1.com:443/ and (HTML/OFF) (HTML/ON) https://www.company2.com:443/ can be configured only if COMPANY1 and COMPANY2 have unique IP addresses. If COMPANY2 is an host name alias for COMPANY1 they must share the same certificate. During startup service configuration the server checks for such conditions, forces subsequent services to use the same SSL characteristsics as the first configured, and issues a warning about this (sharing). (SSL Access Control\hd_ssl_access_control)

When authorization is in place ((cr_authorization)) access to username/password controlled data/functionality benefits enormously from the privacy of an authorization environment inherently secured via the encrypted communications of SSL. In addition there is the possibility of authentication via client X.509 certification ((hd_ssl_x509_auth)). SSL may be used as part of the site's access control policy, as whole-of-site, see (hd_auth_policy), or on a per-path basis (see (HREF=[-.config]config.sdml!../config/#cr_mapping_rule)([-.CONFIG]DOC_config.sdml)). (--------------------------------------------------------------------) (Authorization Using X.509 Certification\hd_ssl_x509_auth)

The server access control functionality (authentication and authorization) allows the use of (public key infrastructure) (PKI) X.509 v3 client certificates for establishing identity and based on that apply authorization constraints. See (cr_authorization) for general information on WASD authorization and (hd_auth_file) for configuring a X509 realm. (hd_ssl_ref) provides introductory references on public-key cryptography and PKI.

A client certificate is stored by the browser. During an SSL transaction the server can request that such a certificate be provided. For the initial instance of such a request the browser activates a dialog requesting the user select one of any certificates it has installed. If selected it is transmitted securely to the server which will usually (though optionally not) authenticate its Certificate Authority to establish its integrity. If accepted it can then be used as an authenticated identity. This obviates the use of username/password dialogs. (Important) Neither username/password nor certificate-based authentication addresses security issues related to access to individual machines and stored certificates, or to password confidentiality. Public-key cryptography only verifies that a private key used to sign some data corresponds to the public key in a certificate. It is a user responsibility to protect a machine's physical security and to keep private-key passwords secret.

The initial negotiation and verification of a client certificate is a relatively resource intensive process. Once established however, OpenSSL sessions are stored in a cache, reducing subsequent request overheads significantly. Each cache entry has a specified expiry period after which the client is forced to negotiate a new session. This period is adjustable using the ([LT:integer]) and ([TO:integer]) directives described below. (Features\hd_ssl_x509_features)

WASD provides a range of capabilities when using X.509 client certificates. (UNNUMBERED) (By Service - \BOLD) all SSL connections to such a service will be requested to supply a client certificate during the initial SSL handshake. This is more efficient than requesting later in the transaction, as happens with per-resource authorization. A client cannot connect successfully to this type of service without supplying an acceptable certificate. (By Resource - \BOLD) using authorization rules in the WASD_CONFIG_AUTH file specifying a path against an [X509] realm causes the server to suspend request processing and renegotiate with the client to supply a certificate. If a suitable certificate is supplied the request authorization continues with normal processing. This obviously incurs an additional network transaction. (Optional access control - \BOLD) once an acceptable certificate is supplied it can be subject to further access control by matching against its contents. The (Issuer) (CA) and the (Subject) (client) (Distinguished Name) (DN) has various components including the name of the organization providing the certificate (e.g. (VeriSign), (Thawte)), location, common name, email address, etc. Those certificates matching or not matching the parameters are allowed or denied access. (Certificate verification - \BOLD) by default supplied certificates have their CA verified by comparing to a list of recognised CA certificates stored in a server configuration file. If the CA component of the client certificate cannot be verified the connection is terminated before the HTTP request can begin. Although this is obviously required behaviour for authentication there may be other circumstances where verification is not required, a certificate content display service for instance. WASD optionally allows non-verified certificates to be used on a per-resource basis. ((Fingerprint) REMOTE_USER - \BOLD) when a certificate is accepted by the server it generates a unique (fingerprint) of the certificate. By default, this 32 digit hexadecimal number is used by the server as an (effective username), one that would normally be supplied via a username/password dialog (as an alternative see the section immediately below). This effective username becomes that available via the CGI variable REMOTE_USER. Although a 32 digit number is not particularly site-administrator friendly it is a (unique) representation (MD5 digest) of the individual certificate and can be used in WASD_CONFIG_AUTH access-restriction directives and included in group lists and databases for full WASD authorization control. (CN/DN record REMOTE_USER - \BOLD) provides an alternative to using a (fingerprint) REMOTE_USER. Using the [RU:/(record)=] conditional (see below) is becomes possible to specify that the remote-user string be obtained from the specified record of the client certificate subject field. Note that there is a (fairly generous) size limitation on the user name and that any white-space in such a record is converted to underscores. Although any record can be used the more obvious candidates are /O=, /OU=, /CN=, /S=, /UID= and /EMAIL=. Note that (even with the default CA verfication) the certificate CAs that this is possible against should be further constrained through the use of a [IS:/(record)=(string)] conditional (see example below). (X509 Configuration\hd_ssl_x509_config)

Of course, the WASD SSL component must be installed and in use to apply client X.509 certificate authorization. There is general server setup, then per-service and per-resource configuration. (General Setup\hd_ssl_x509_config_general)

Client certificate authorization has reasonable defaults. If some aspect requires site refinement the following /SSL= qualifier parameters can provide per-server defaults. (UNNUMBERED) (CACHE=integer) sets the session size (128 entries by default) (CAFILE=file-name) sets the location of the CA verification store file (also can be set via WASD_CONFIG_SSL_CAFILE logical). (TIMEOUT=integer) sets the session expiry period in minutes (5 by default) (VERIFY=integer) sets the depth to which client certificate CAs are verified (default is 2)

The location of the CA verification file can also be determined using the logical name WASD_CONFIG_SSL_CAFILE. The order of precedence for using these specifications is (NUMBERED) per-service configuration using WASD_CONFIG_SERVICE or WASD_CONFIG_global per-server using /SSL=CAFILE=filename per-server using WASD_CONFIG_SSL_CAFILE (By Service\hd_ssl_x509_config_service)

To enable client certification for all requests on a per-service basis the following WASD_CONFIG_global directive may be used. A non-default CA verification file can also optionally be supplied. [Service] https://the.example.com;verify https://the.example.com;cafile=WASD_ROOT:[LOCAL]CA_THE_HOST_NAME.TXT

When WASD_CONFIG_SERVICE is in use a service-specific directive is provided for both per-service verification and per-service CA file specification (allowing different services to accept a different mix of CAs). [[https://the.example.com:443]] [ServiceSSLclientVerifyRequired] enabled [ServiceSSLclientVerifyCAfile] WASD_ROOT:[LOCAL]CA_THE_HOST_NAME.TXT (By Resource\hd_ssl_x509_config_resource)

Client certificate authorization is probably most usefully applied on a per-resource (per-request-path) basis using WASD_CONFIG_AUTH configuration file rules. Of course, per-resource control also applies to services that always require a client certificate (the only difference is the certificate has already been negotiated for during the initial connection handshake). The reserved realm name (X509) activates client certificate authentication when a rule belonging to that realm is triggered. The following example shows such a rule providing read access to those possessing any verified certificate. [X509] /path/requiring/cert/* r

Optional directives may be supplied to the X.509 authenticator controlling what mode the certificate is accepted in, as well a further access-restriction rules on specifically which certificates may or may not be accepted for authorization. Such directives are passed via the (param=) mechanism. The following real-life example shows a script path requiring a mandatory certificate, but not necessarily having the CA verified. This would allow a certificate display service to be established, the ([to:EXPIRED]) directive forcing the client to explicitly select a certificate with each access. [X509] /cgi-bin/client_cert_details r,param="[vf:OPTIONAL][to:EXPIRED]"

A number of such directives are available controlling some aspects of the certificate negotiation and verification. The ([LT:integer]) directive causes a verified certificate selection to continue to be valid for the specified period as long as requests continue during that period (lifetime is reset with each access). (UNNUMBERED) [DP:integer] verify certificate CA chain to this depth (default 10) [LT:integer] verified certificate lifetime in minutes (disabled by default) [RU:/record=] derive the remote-user name from the specified certificate subject field DN record [TO:integer] session cache entry timeout in minutes (default 5) [TO:EXPIRED] session cache entry is forced to expire (initating renegotiation) [VF:NONE] no certificate is required (any existing is cancelled) [VF:OPTIONAL] certificate is required, CA verification is not required [VF:REQUIRED] the certificate must pass CA verification (the default)

Optional (param=) passed conditionals may also be used to provide additional filtering on which certificates may or may not be used against the particular path. This is based on pattern matching against client certificate components. (UNNUMBERED) [CI:string] transaction cipher [IS:/record=string] specified Issuer (CA) DN record only [IS:string] entire Issuer (CA) DN [KS:integer] minimum key size [SU:/record=string] specified Subject (client) DN record only [SU:string] entire Subject (client) DN

These function and can be used in a similar fashion to mapping rule conditionals (see ([-.CONFIG]DOC_config.sdml) document, (Conditional Configuration) section). This includes the logical ORing, ANDing and negating of conditionals. Asterisk wildcards match any zero or more characters, percent characters any single character. Matching is case-insensitive.

Note that the (IS:) and (SU:) conditionals each have a (specific-record) and an (entire-field) mode. If the conditional string begins with a slash then it is considered to be a match against a specified record contents within the field. If it begins with a wildcard then it is matched against the entire field contents. Certificate DN records recognised by WASD, (SIMPLE) (/C=\BOLD) countryName (/ST=\BOLD) stateOrProvinceName (/SP=\BOLD) stateOrProvinceName (/L=\BOLD) localityName (/O=\BOLD) organizationName (/OU=\BOLD) organizationalUnitName (/CN=\BOLD) commonName (/T=\BOLD) title (/I=\BOLD) initials (/G=\BOLD) givenName (/S=\BOLD) surname (/D=\BOLD) description (/UID=\BOLD) uniqueIdentifier (/Email=\BOLD) pkcs9_emailAddress

The following (fairly contrived) examples provide an illustration of the basics of X509 conditionals. When matching against Issuer and Subject DNs some knowlege of their contents and structure is required (see (hd_ssl_ref) for some basic resources). [X509] # only give (VeriSign)ed ones access /controlled/path1/* r+w,param="[IS:/O=VeriSign\ Inc.]" # only give non-(VeriSign)ed ones access /controlled/path2/* r+w,param="[!IS:/O=VeriSign\ Inc.]" # only allow 128 bit keys using RC4-MD5 access /controlled/path3/* r+w,param="[KS:128][CI:RC4-MD5]" # only give a (Thawte)-signed client based in Australia # with the following email address access /controlled/path4/* r+w,param="\ [IS:*/O=Thawte\ Consulting\ cc/*]\ [SU:*/C=AU/*/Email=mark.daniel@wasd.vsm.com.au*]" # use the subject DN common-name record as the remote-user name # furthermore, restrict the CA's allowed to be used this way /VMS/* r+w,param="[RU:/CN=][IS:/O=WASD\ HTTPd\ CA\ Cert]"

Of course, access control via group membership is also available. The (effective username) for the list is the 32 digit fingerprint of the client certificate (shown as REMOTE_USER IN the first example of (hd_ssl_x509_cgi)), or the Subject DN record as specified using the [RU:/(record)=] directive. This may be entered into simple lists as part of a group of which membership then controls access to the resource. The following examples show the contents of simple list files containing the X.509 fingerprints, derived remote-user names, and the required WASD_CONFIG_AUTH realm entries. # FINGERPRINTS.$HTL # (a file of X.509 fingerprints for access to "/path/requiring/cert/") 106C8342890A1703AAA517317B145BF7 mark.daniel@wasd.vsm.com.au 6ADA07108C20338ADDC3613D6D8B159D just.another@where.ever.com # CERT_CN.$HTL # (a file of X.509 remote-user names derived using [RU:/CN=] Mark_Daniel mark.daniel@wasd.vsm.com.au Just_Another just.another@where.ever.com [X509;FINGERPRINTS=list] /path/requiring/cert/* r+w [X509;CERT_CN=list] /path/requiring/cn/* r+w

In a similar fashion the effective username can be placed in an access restriction list. The following configuration would only allow the user of the certificate access to the specified resources. Other verified certificate holders would be denied access. [X509] /httpd/-/admin/* ~106C8342890A1703AAA517317B145BF7,r+w /wasd_root/local/* ~106C8342890A1703AAA517317B145BF7,r+w /other/path/* ~Mark_Daniel,r+w,param="[ru:/cn=]" /yet/another/path/* ~Just_Another,r+w,param="[ru:/cn=]" (Certificate Authority Verification File\hd_ssl_x509_cafile)

For the CA certificate component of the client certificate to be verified as being what it claims to be (and thus establishing the integrity of the client certificate) a list of such certificates must be provided for comparison purposes. For WASD this list is contained in a single, plain-text file variously specified using either the WASD_CONFIG_SSL_CAFILE logical or per-service (;cafile=) or ([ServiceSSLclientCAfile]) directives.

Copies of CA certificates are available for such purposes. The PEM copies (base-64 encoded versions of the binary certificate) can be placed into this file using any desired text editor. Comments may be inserted by prefixing with the (#) or (!) characters. For WASD this would be best stored in the WASD_ROOT:[LOCAL] directory, or site equivalent.

An example of how such a file appears is provided below (ellipses inserted to reduce the bulk of example). There is one of these per certificate authority. ################################################################ Verisign Class 1 Public Primary Certification Authority ======================================================= MD5 Fingerprint: 97:60:E8:57:5F:D3:50:47:E5:43:0C:94:36:8A:B0:62 PEM Data: -----BEGIN CERTIFICATE----- MIICPTCCAaYCEQDNun9W8N/kvFT+IqyzcqpVMA0GCSqGSIb3DQEBAgUAMF8xCzAJ BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xh c3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05 FvjqBUuUfx3CHMjjt/QQQDwTw18fU+hI5Ia0e6E1sHslurjTjqs/OJ0ANACY89Fx lA== -----END CERTIFICATE----- Certificate Ingredients: Data: Version: 1 (0x0) Serial Number: cd:ba:7f:56:f0:df:e4:bc:54:fe:22:ac:b3:72:aa:55 Signature Algorithm: md2WithRSAEncryption Issuer: C=US, O=VeriSign, Inc., OU=Class 1 Public Primary 35:b0:7b:25:ba:b8:d3:8e:ab:3f:38:9d:00:34:00:98:f3:d1: 71:94 ################################################################

The WASD SSL package provides an example CA verification file constructed from all the certificates provided in Netscape Navigator CERT7.DB file. This has been generated for and obtained from the Apache (mod_ssl) package, being used for the same purpose with that. The WASD file name is CA-BUNDLE_CRT.TXT and is usually located in WASD_ROOT:[LOCAL]. The exact date and (mod_ssl) version it was obtained from can be found in the opening commentary of the file itself. The contents of this file can easily be pared down to the minimum certificates required for any given site. The more certificates in the file the greater the overhead in verifying any given client. (--------------------------------------------------------------------) (X.509 Authorization CGI Variables\hd_ssl_x509_cgi)

CGI variables specific to client certificate authorization are always generated for use by scripts and SSI documents. These along with the general WASD authorization variables are shown in the example below. Note, that due to length of particular items some in this example are displayed wrapped. WWW_AUTH_ACCESS == "READ+WRITE" WWW_AUTH_GROUP == "" WWW_AUTH_REALM == "X509" WWW_AUTH_REALM_DESCRIPTION == "X509 Client Certs" WWW_AUTH_TYPE == "X509" WWW_AUTH_USER == "Mark Daniel, mark.daniel@wasd.vsm.com.au" WWW_AUTH_X509_CIPHER == "RC4-MD5" WWW_AUTH_X509_FINGERPRINT == "10:6C:83:42:89:0A:17:03:AA:A5:17:31:7B:14:5B:F7" WWW_AUTH_X509_ISSUER == "/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98/CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated" WWW_AUTH_X509_KEYSIZE == "128" WWW_AUTH_X509_SUBJECT == "/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98/OU=Persona Not Validated/OU=Digital ID Class 1 - Netscape /CN=Mark Daniel/Email=mark.daniel@wasd.vsm.com.au" WWW_REMOTE_USER == "106C8342890A1703AAA517317B145BF7"

Other CGI variables optionally may be enabled using WASD_CONFIG_MAP mapping rules. See (hd_ssl_cgi). Specific client certificate variables providing the details of such certificates are available with SSLCGI=apache_mod_ssl. These are of course in addition to the more general apache_mod_ssl variables described in the above section. Note that where some ASN.1 records are duplicated (as in SSL_CLIENT_S_DN) some variables will contain newline characters (0x10) between those elements (e.g. SSL_CLIENT_S_DN_OU). The line breaks in this example do not necesarily reflect those characters. WWW_SSL_CLIENT_A_KEY == "rsaEncryption" WWW_SSL_CLIENT_A_SIG == "md5WithRSAEncryption" WWW_SSL_CLIENT_I_DN == "/O=VeriSign, Inc./OU=VeriSign Trust Network /OU=www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98 /CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated" WWW_SSL_CLIENT_I_DN_CN == "VeriSign Class 1 CA Individual Subscriber-Persona Not Validated" WWW_SSL_CLIENT_I_DN_O == "VeriSign, Inc." WWW_SSL_CLIENT_I_DN_OU == "VeriSign Trust Network www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98" WWW_SSL_CLIENT_M_SERIAL == "0BF233D4FE232A90F3F98B2CE0D7DADA" WWW_SSL_CLIENT_M_VERSION == "3" WWW_SSL_CLIENT_S_DN == "/O=VeriSign, Inc./OU=VeriSign Trust Network /OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98 /OU=Persona Not Validated/OU=Digital ID Class 1 - Netscape /CN=Mark Daniel/Email=mark.daniel@wasd.vsm.com.au" WWW_SSL_CLIENT_S_DN_CN == "Mark Daniel" WWW_SSL_CLIENT_S_DN_EMAIL == "mark.daniel@wasd.vsm.com.au" WWW_SSL_CLIENT_S_DN_O == "VeriSign, Inc." WWW_SSL_CLIENT_S_DN_OU == "VeriSign Trust Network www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98 Persona Not Validated.Digital ID Class 1 - Netscape" WWW_SSL_CLIENT_V_END == "Feb 10 23:59:59 2001 GMT" WWW_SSL_CLIENT_V_START == "Dec 12 00:00:00 2000 GMT" (--------------------------------------------------------------------) (Certificate Management\hd_ssl_cert)

This is not a tutorial on X.509 certificates and their management. Refer to the listed references, (hd_ssl_ref), for further information on this aspect. It does provide some basic guidelines.

Certificates identify something or someone, associating a public cryptographic key with the identity of the certificate holder. It includes a distinguished name, identification and signature of the certificate authority (CA, the issuer and guarantor of the certificate), and the period for which the certificate is valid, possibly with other, additional information.

The three types of certificates of interest here should not be confused. (UNNUMBERED) (CA - \BOLD) The Certificate Authority identifies the (authority), or organization, that issues a certificate. (Server - \BOLD) Identifies a particular end-service. Its value as an guarantee of identity is founded in the (authority) of the organization that issues the certificate. It is the certificate specified to the server at startup. (Client - \BOLD) Identifies a particular client to a server via SSL (client authentication). Typically, the identity of the client is assumed to be the same as the identity of a human being. Again, its value as an guarantee of identity is founded in the (authority) of the organization that issues the certificate.

The various OpenSSL tools are available for management of all of these certificate types in each of the three SSL environments. (UNNUMBERED) The HP SSL for OpenVMS Alpha/Itanium/VAX product provides the (SSL Certificate Tool) procedure can be used to perform most required certificate management tasks from a menu-driven interface. $ @SSL$COM:SSL$CERT_TOOL.COM (S S L C e r t i f i c a t e T o o l\BOLD) Main Menu 1. View a Certificate 2. View a Certificate Signing Request 3. Create a Certificate Signing Request 4. Create a Self-Signed Certificate 5. Create a CA (Certification Authority) Certificate 6. Sign a Certificate Signing Request 7. Revoke a Certificate 8. Create a Certificate Revocation List 9. Hash Certificates 10. Hash Certificate Revocations 11. Exit Enter Option: The WASD OpenSSL kit provides elementary DCL procedures and brief notes in the (....................................................................) (HTML=

WASD_ROOT:[SRC.OPENSSL-n_n_n.WASD]   (look for it here)