Eureka OL-8880-01 Server User Manual

WLSE Express AAA Server Certificate Configuration Guide, OL-8880-01 (page 2-1)

Chapter 2: Generating Certificates
Revised: March 27, 2006, OL-8880-01
Overview
This chapter provides a general overview of the steps involved in generating RSA keys and certificates
without reference to specific tools. Following the overview, the sections "Generating Certificates with
OpenSSL" (page 2-2) and "Certificate Generation with Windows CA" (page 2-6) provide examples based on
OpenSSL and Windows Certificate Authority.
The actual mechanics of certificate generation are highly dependent on the tools used as well as the local
security policies in effect. Some tools and policies might condense the three steps shown below into
fewer (possibly one) steps or expand them into more steps. The degree of automation and direct user
involvement also varies greatly and can range from a simple web form-based model with automatic
certificate distribution to a more complicated procedure with multiple user interactions. Some CAs are
set up to support online operations including certificate production while others might operate strictly
offline and require more manual involvement.
RSA Key Generation
RSA keys have certain mathematical and cryptographic properties that require special software tools for
their generation. Some tools ask you to type on the keyboard during generation to supply a source of
randomness, because RSA keys are derived from large random numbers.
RSA key pairs have two essential parameters that must be specified during creation. The first parameter
is the key type, which is always RSA. The second parameter is the key length in bits, which can vary from
512 to 4096 bits (or even more). The key length is usually specified as part of the customer's security
policy, and it is difficult to give a generally applicable recommendation for it.
Certificate Request Creation
A Certificate Request (CR) is information packaged with the public key that specifies the type and
general content of the desired certificate. It is usually packaged in a format based on PKCS#10 (one of
the PKCS standards documented by RFC 2986) or Certificate Request Message Format (CRMF), an
emerging standard from the IETF. The format of the CR is usually not important as long as the tools used
to create and process it are compatible.
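The two steps above (RSA key generation and PKCS#10 request creation), plus the check a CA operator would run on a received request, as an added example using only the Go standard library; it is not code from the guide or from the OpenSSL or Windows CA procedures it describes. The 2048-bit policy minimum and the subject values are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// MinKeyBits is an assumed local-policy minimum; the guide itself gives no recommendation.
const MinKeyBits = 2048

// GenerateKey makes an RSA key pair of the requested length (the key type is always RSA);
// crypto/rand supplies the large random numbers the text says RSA keys are based on.
func GenerateKey(bits int) (*rsa.PrivateKey, error) {
	if bits < MinKeyBits {
		return nil, fmt.Errorf("key length %d bits is below the policy minimum of %d", bits, MinKeyBits)
	}
	return rsa.GenerateKey(rand.Reader, bits)
}

// CreateCSR packages the public key with the desired subject and server DNS name into a
// DER-encoded PKCS#10 request, signed with the private key (RFC 2986 proof of possession).
func CreateCSR(key *rsa.PrivateKey, cn, org, dnsName string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: cn, Organization: []string{org}},
		DNSNames: []string{dnsName},
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// VerifyCSR is the check a CA operator can run before signing: parse the request, confirm
// its self-signature, confirm the key type is RSA, and report the subject CN and key length.
func VerifyCSR(der []byte) (cn string, bits int, err error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err == nil {
		err = csr.CheckSignature() // fails if the request was altered or the signer lacks the private key
	}
	if err != nil {
		return "", 0, err
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", 0, fmt.Errorf("key type is %T, not RSA", csr.PublicKey)
	}
	return csr.Subject.CommonName, pub.N.BitLen(), nil
}
```

OpenSSL and Windows CA normally hand the request around PEM-wrapped ("-----BEGIN CERTIFICATE REQUEST-----"); the DER bytes produced here are what that wrapper carries.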