NAME
     ccreds - create key packages and certificates for users and hosts

SYNOPSIS
     ccreds [-k] [-v] [-c config_file]

AVAILABILITY
     SUNWskica

DESCRIPTION
     The ccreds utility can be used by a Certification Authority (CA) to create key packages and certificates for users, hosts, or subordinate CAs in batch mode. The skistore(1) utility can then be used by a system administrator to transfer the key packages and certificates to a name service such as NIS or NIS+.

     If the -k option is specified, only key packages are created; no certificates are issued. The -k option is useful if certificates will be requested from an "external" or "third-party" CA.

     When running ccreds, the CA can supply the configuration parameters for key package and certificate generation in two different modes: through a configuration file or interactively. If the -c option is not specified, the user is prompted to select a mode.

     If a configuration file, config_file, is used to supply the key package and certificate parameters, it should contain the following keywords, each followed by a colon and its value. Separate configuration files should be maintained for users and hosts. If config_file is not provided, the user is prompted for each of the values.

     SKI_ENTITIES_TYPE
          Type of entities for which credentials are generated. Must be set to either "user" (for users and CAs) or "host" (for hosts). Defaults to "user".

     SKI_DN_SUFFIX
          X.500 Distinguished Name suffix. This suffix, which should be quoted, is appended to the user's (or host's) common name (see SKI_ENTITIES_FILE below) to form the user's (or host's) X.500 Distinguished Name. This field must be specified for "users", and is optional for "hosts".

     SKI_HOST_DOMAIN
          DNS domain name of the host(s) for which credentials are to be generated. This field is only relevant if SKI_ENTITIES_TYPE is set to "host". It is used to build the distinguished name of the host(s).
     SKI_VALIDITY
          Certificate validity period, in days from the current date. Defaults to 3 years (3 * 365 days). This field is relevant for both "users" and "hosts", and is evaluated only if the -k option has not been specified.

     SKI_KEYSIZE
          RSA key size in bits. Defaults to 768. The security of RSA depends on the difficulty of factoring large numbers that are the product of two large primes. The larger the key size, the greater the security, but also the slower the RSA operations. To determine how long your key should be, consider both the intended security and lifetime of the key and the current state of the art in factoring. Currently, the following RSA key sizes are supported: 512, 768, and 1024 bits. CAs should choose the highest available key size when generating keys for subordinate CAs, since the validity of so many other key pairs depends on the security of a CA key. A key size of 768 or 1024 bits is recommended for users. Note that a larger key size has a performance cost: doubling the key size increases, on average, the time required for public-key operations (encryption and signature verification) by a factor of about 4, the time taken by private-key operations (decryption and signing) by a factor of about 8, and key generation time by a factor of about 16, although key generation is a relatively infrequent operation. This field is relevant for both "users" and "hosts". All three supported sizes are below current minimum recommendations: 512-bit RSA moduli are routinely factored, and a 768-bit modulus (RSA-768) was factored in 2009, so keys produced by this utility should be treated as legacy credentials.

     SKI_PASSWORD
          Generation mode of the key package encryption password. The key package encryption password is used to derive an encryption key, under which the private key in the key package is encrypted (using triple-DES). If the value is "RANDOM", a random password is generated for each principal. If the value is any other string, all principals receive that string as their password.
          A list containing the principal/password pairs is stored encrypted in the file ski_passwords in the /etc/ski directory (see FILES below). The /etc/ski directory and the ski_passwords file are created if they do not exist. The password generation mode defaults to "RANDOM". This field is relevant for both "users" and "hosts".

     SKI_CRED_DIR
          Directory under which the generated key packages and certificates are stored, as files in the subdirectories keypkgs and certs, respectively. This field is relevant for both "users" and "hosts". No default value is provided. The value "/etc/ski" is not allowed.

     SKI_ENTITIES_FILE
          File containing a list of users (or hosts) for which a key package and certificate shall be generated. This file has the same format as the system /etc/passwd or /etc/hosts file, respectively, and is supplied to the CA by a system administrator. If a list of users is provided, the username field of each password file entry is appended to its gecos field to form the user's X.500 common name (CN) attribute; brackets ([]) surround the username to separate it from the gecos information. The user's CN attribute is concatenated with the SKI_DN_SUFFIX specified by the CA to form the user's X.500 Distinguished Name (DN). If a list of hosts is provided, the hostname, suffixed by the domain name specified under SKI_HOST_DOMAIN, is used as the value of the host's X.500 common name (CN) attribute, which is concatenated with the SKI_DN_SUFFIX to form the host's DN. An entity's DN appears in its key package and certificate. No default value is provided. Only one list of users (or hosts) can be processed at a time. This field is relevant for both "users" and "hosts".

     SKI_ROOT_CA_DN
          The Root Certification Authority's (Root CA's) Distinguished Name (DN). No default value is provided. This field is relevant for both "users" and "hosts".
     SKI_TRUSTED_KEYS
          File containing a list of certificates whose public keys will be added as trusted public keys to the key packages being generated. This file must not contain any duplicate public keys. Each certificate must be provided in the printable encoding format defined by Internet RFC 1421, and may be created using the skicert(1) utility. Each certificate must be bounded at the beginning by "-----BEGIN CERTIFICATE-----" and at the end by "-----END CERTIFICATE-----", and each boundary must be followed by a NEWLINE. See the example below. This field is relevant for both "users" and "hosts". Every public key in this file becomes a trust anchor of each generated key package, so the file should be prepared on the CA machine and its contents verified before ccreds is run.

     If a configuration file is not provided, the CA is prompted to enter the above information. When prompted, the CA has the option to provide values for SKI_DN_SUFFIX (or SKI_HOST_DOMAIN) and SKI_ENTITIES_FILE; in this case, ccreds generates key packages and certificates for all users (or hosts) listed in SKI_ENTITIES_FILE. If no value for SKI_ENTITIES_FILE is provided, the CA is prompted for a Distinguished Name and username for each user, or a hostname and IP address for each host, depending on the mode of operation.

     If SKI_TRUSTED_KEYS is provided, the trusted key list of each newly generated key package is initialized with the public key of the key package owner and the trusted public keys contained in SKI_TRUSTED_KEYS. Otherwise, the trusted key list of each newly generated key package is initialized with the public keys of the key package owner, the issuing CA, and the Root CA (SKI_ROOT_CA_DN). If the issuing CA is the same as the Root CA, its public key appears in each trusted key list only once.

     Upon completion, the newly generated key packages and certificates in the keypkgs and certs subdirectories must be transferred to a system administrator for storage in a name service such as NIS/NIS+. See skistore(1) for more details.
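     The configuration and entity-list rules above, modelled in Python as an added example (this is not SKI code and not the ccreds binary): it parses a KEYWORD:value file, applies the documented defaults and constraints (entity type, required fields, the 512/768/1024 key sizes, the ban on SKI_CRED_DIR being /etc/ski) and derives each principal's DN from a passwd- or hosts-format list. Two details the page does not spell out are assumed: the CN is joined to SKI_DN_SUFFIX with ", ", and a single space separates the gecos field from the bracketed username. SAMPLE_CONFIG is the page's own EXAMPLES file; the user and host lists are constructed sample input.

```python
"""Model the ccreds(1) configuration rules from the DESCRIPTION section.

Added example, not SKI code.  Assumptions not stated on the page: the CN
and SKI_DN_SUFFIX are joined with ", ", and one space separates the gecos
field from the bracketed username.
"""

ALLOWED_KEYSIZES = (512, 768, 1024)
DEFAULTS = {"SKI_ENTITIES_TYPE": "user", "SKI_VALIDITY": "1095",
            "SKI_KEYSIZE": "768", "SKI_PASSWORD": "RANDOM"}

# The sample CA configuration file from the EXAMPLES section of this page.
SAMPLE_CONFIG = """SKI_ENTITIES_TYPE:user
SKI_DN_SUFFIX:"O=Sun, C=US"
SKI_VALIDITY:300
SKI_KEYSIZE:1024
SKI_PASSWORD:RANDOM
SKI_ENTITIES_FILE:/CA/userlist
SKI_CRED_DIR:/CA
SKI_ROOT_CA_DN:"O=Sun, C=US"
SKI_TRUSTED_KEYS:/CA/certlist
"""

# Constructed sample entity lists in /etc/passwd and /etc/hosts format.
SAMPLE_USERLIST = """charlie:x:1001:10:Charlie Lai:/home/charlie:/bin/sh
dummy1:x:1002:10:Dummy One:/home/dummy1:/bin/sh
"""
SAMPLE_HOSTS = """# constructed hosts(4) sample
192.0.2.10  alpha   alpha-eth0
192.0.2.11  beta    # file server
"""


def parse_config(text):
    """Return the keyword/value map; surrounding double quotes are removed."""
    cfg = dict(DEFAULTS)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected KEYWORD:value")
        key, value = (part.strip() for part in line.split(":", 1))
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        cfg[key] = value
    return cfg


def validate_config(cfg):
    """Enforce the constraints ccreds(1) documents; normalizes numeric fields."""
    etype = cfg["SKI_ENTITIES_TYPE"]
    if etype not in ("user", "host"):
        raise ValueError('SKI_ENTITIES_TYPE must be "user" or "host"')
    if etype == "user" and not cfg.get("SKI_DN_SUFFIX"):
        raise ValueError("SKI_DN_SUFFIX must be specified for users")
    cfg["SKI_KEYSIZE"] = int(cfg["SKI_KEYSIZE"])
    if cfg["SKI_KEYSIZE"] not in ALLOWED_KEYSIZES:
        raise ValueError("SKI_KEYSIZE must be one of 512, 768, 1024")
    cfg["SKI_VALIDITY"] = int(cfg["SKI_VALIDITY"])
    if cfg["SKI_VALIDITY"] <= 0:
        raise ValueError("SKI_VALIDITY must be a positive number of days")
    for key in ("SKI_CRED_DIR", "SKI_ENTITIES_FILE", "SKI_ROOT_CA_DN"):
        if not cfg.get(key):
            raise ValueError(f"{key} has no default and must be set")
    if cfg["SKI_CRED_DIR"].rstrip("/") == "/etc/ski":
        raise ValueError('SKI_CRED_DIR may not be "/etc/ski"')
    return cfg


def user_dns(passwd_text, dn_suffix):
    """passwd(4) entries -> [(username, DN)]; the CN is "gecos [username]"."""
    result = []
    for raw in passwd_text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd entry: {raw!r}")
        username, gecos = fields[0], fields[4]
        result.append((username, f"CN={gecos} [{username}], {dn_suffix}"))
    return result


def host_dns(hosts_text, host_domain, dn_suffix=""):
    """hosts(4) entries -> [(hostname, DN)]; the CN is hostname.SKI_HOST_DOMAIN."""
    result = []
    for raw in hosts_text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # drop hosts(4) comments
        if not tokens:
            continue
        if len(tokens) < 2:
            raise ValueError(f"malformed hosts entry: {raw!r}")
        hostname = tokens[1]                        # canonical name after the IP
        cn = f"{hostname}.{host_domain}" if host_domain else hostname  # assumption: bare name if no domain
        dn = f"CN={cn}, {dn_suffix}" if dn_suffix else f"CN={cn}"      # suffix is optional for hosts
        result.append((hostname, dn))
    return result


def plan_credentials(config_text, entities_text):
    """Validate a configuration and return (cfg, [(name, DN), ...])."""
    cfg = validate_config(parse_config(config_text))
    if cfg["SKI_ENTITIES_TYPE"] == "user":
        return cfg, user_dns(entities_text, cfg["SKI_DN_SUFFIX"])
    return cfg, host_dns(entities_text, cfg.get("SKI_HOST_DOMAIN", ""),
                         cfg.get("SKI_DN_SUFFIX", ""))
```

     The (name, DN) pairs returned by plan_credentials correspond to what SKI_CRED_DIR/new_cred_list records for skistore(1); running the same checks before invoking ccreds catches a misplaced SKI_CRED_DIR or an unsupported key size without touching the CA machine.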
  Certification Authority Operations
     Operations performed by a CA, including the execution of ccreds, are sensitive and should be performed on a standalone machine without any network access. Security is important because of the sensitivity of the CA's private key: a compromised CA private key allows others to impersonate that CA, that is, to issue certificates in its name.

OPTIONS
     -k   Create key packages only. Do not create any certificates.

     -v   Give verbose output.

     -c config_file
          File containing key package and certificate configuration parameters.

FILES
     SKI_CRED_DIR/keypkgs/*
          Newly created key packages.

     SKI_CRED_DIR/certs/*
          Newly created certificates.

     SKI_CRED_DIR/new_cred_list
          List of new users (or hosts) and their associated Distinguished Names. This file is read by skistore(1).

     /etc/ski/ski_passwords
          List of new users (or hosts) and their associated key package passwords. This file is created each time ccreds is run, even if the same password has been assigned to every user (or host). The CA uses it to notify its users about their key package encryption password so that they can access their private key (see skilogin(1)). The file is encrypted under the CA's public key, so that only the CA has access to it. The CA can decrypt it by running

               % skidecrypt -i /etc/ski/ski_passwords

          It is recommended that the decrypted output not be kept in cleartext. It is strongly recommended that users change the password assigned to them by the CA (see keypkg(1)). A system administrator should change the key package passwords assigned to hosts.

     Each time ccreds is run, new SKI_CRED_DIR/keypkgs and SKI_CRED_DIR/certs directories, and new SKI_CRED_DIR/new_cred_list and /etc/ski/ski_passwords files, are created. If any of these directories or files already exist, ccreds informs the CA that the existing directories/files should be archived to another location so that a new version can be stored in the current location.
     The CA can either exit from ccreds, or archive the specified directories/files (from a different shell) and then continue with ccreds.

EXAMPLES
     The following is a sample CA configuration file:

          SKI_ENTITIES_TYPE:user
          SKI_DN_SUFFIX:"O=Sun, C=US"
          SKI_VALIDITY:300
          SKI_KEYSIZE:1024
          SKI_PASSWORD:RANDOM
          SKI_ENTITIES_FILE:/CA/userlist
          SKI_CRED_DIR:/CA
          SKI_ROOT_CA_DN:"O=Sun, C=US"
          SKI_TRUSTED_KEYS:/CA/certlist

     In the above example, the file referenced by "/CA/certlist" should have the following format:

          -----BEGIN CERTIFICATE-----
          MIIBRDCB7wIEMe0zZzANBgkqhkiG9w0BAQQFADAbMQswCQYDVQQGEwJVUzEMMAoG
          A1UEChQDU1VOMB4XDTk2MDcxNzE4MzkzNVoXDTk5MDcxNzE4MzkzNVowPTELMAkG
          A1UEBhMCVVMxDDAKBgNVBAoUA1NVTjEPMA0GA1UEDRQGZHVtbXkxMQ8wDQYDVQQD
          FAZkdW1teTEwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAt9LgN5oT1WtlCJFXLmhc
          SY4kN7OcNkBYq9iT4R8K0uZIrgp9/hSe0DFgQaAZkIUjqB0YkeIFPmy6/K3bp0l9
          1QIDAQABMA0GCSqGSIb3DQEBBAUAA0EAdolKCynL2WjOxHmmsRbEg51dwB2u/ExM
          2ZMaZvLMXHX5VIsjxfLSCXu3iI/RdMIi5dGfZhrp2XBkg0gkii+Mkw==
          -----END CERTIFICATE-----
          -----BEGIN CERTIFICATE-----
          MIIBSjCB9QIEMe0zYTANBgkqhkiG9w0BAQQFADAbMQswCQYDVQQGEwJVUzEMMAoG
          A1UEChQDU1VOMB4XDTk2MDcxNzE4MzkyOVoXDTk5MDcxNzE4MzkyOVowQzELMAkG
          A1UEBhMCVVMxDDAKBgNVBAoUA1NVTjEQMA4GA1UEDRQHY2hhcmxpZTEUMBIGA1UE
          AxQLY2hhcmxpZSBsYWkwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxQzeNvx72Dkp
          GI9r6hALR3nVBG13PA/2wKrsT25xQGoSp104klnVgRfp4mbeiHEIfKG7Q9Z0bOei
          luT4fG5EQQIDAQABMA0GCSqGSIb3DQEBBAUAA0EAUahDuBR5ONKIGvV4wvk2ZfVi
          ms2TwKEDhtAkdQe0B3xeZk7e1/h6iK8QrXz2VtSCXde4onRr84Afj8je5gAkoQ==
          -----END CERTIFICATE-----

NOTES
     For software shipped outside North America, only 512-bit RSA key sizes are supported.

SEE ALSO
     certify(1), certreq(1), crca(1), keypkg(1), skidecrypt(1), skistore(1)
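     The SKI_TRUSTED_KEYS rules from DESCRIPTION (RFC 1421 boundaries, each followed by a NEWLINE; no duplicate public keys), applied to the sample /CA/certlist shown above. This is an added example, not SKI code: it decodes just enough DER to compare each certificate's SubjectPublicKeyInfo, so the same key under two different subjects is still reported as a duplicate, and it reports each RSA modulus size so it can be compared with the 512/768/1024-bit sizes this utility supports. It assumes RSA keys, the only kind this page describes; PAGE_CERTLIST is the page's own example file.

```python
"""Check a SKI_TRUSTED_KEYS file the way ccreds(1) requires.

Added example, not SKI code.  Splits the RFC 1421 printable encoding on the
BEGIN/END CERTIFICATE boundaries, decodes each certificate, and rejects
duplicate public keys by comparing the DER subjectPublicKeyInfo.  Assumes
RSA keys, as on this page.  PAGE_CERTLIST is the sample /CA/certlist.
"""
import base64
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

PAGE_CERTLIST = """-----BEGIN CERTIFICATE-----
MIIBRDCB7wIEMe0zZzANBgkqhkiG9w0BAQQFADAbMQswCQYDVQQGEwJVUzEMMAoG
A1UEChQDU1VOMB4XDTk2MDcxNzE4MzkzNVoXDTk5MDcxNzE4MzkzNVowPTELMAkG
A1UEBhMCVVMxDDAKBgNVBAoUA1NVTjEPMA0GA1UEDRQGZHVtbXkxMQ8wDQYDVQQD
FAZkdW1teTEwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAt9LgN5oT1WtlCJFXLmhc
SY4kN7OcNkBYq9iT4R8K0uZIrgp9/hSe0DFgQaAZkIUjqB0YkeIFPmy6/K3bp0l9
1QIDAQABMA0GCSqGSIb3DQEBBAUAA0EAdolKCynL2WjOxHmmsRbEg51dwB2u/ExM
2ZMaZvLMXHX5VIsjxfLSCXu3iI/RdMIi5dGfZhrp2XBkg0gkii+Mkw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBSjCB9QIEMe0zYTANBgkqhkiG9w0BAQQFADAbMQswCQYDVQQGEwJVUzEMMAoG
A1UEChQDU1VOMB4XDTk2MDcxNzE4MzkyOVoXDTk5MDcxNzE4MzkyOVowQzELMAkG
A1UEBhMCVVMxDDAKBgNVBAoUA1NVTjEQMA4GA1UEDRQHY2hhcmxpZTEUMBIGA1UE
AxQLY2hhcmxpZSBsYWkwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxQzeNvx72Dkp
GI9r6hALR3nVBG13PA/2wKrsT25xQGoSp104klnVgRfp4mbeiHEIfKG7Q9Z0bOei
luT4fG5EQQIDAQABMA0GCSqGSIb3DQEBBAUAA0EAUahDuBR5ONKIGvV4wvk2ZfVi
ms2TwKEDhtAkdQe0B3xeZk7e1/h6iK8QrXz2VtSCXde4onRr84Afj8je5gAkoQ==
-----END CERTIFICATE-----
"""


def _tlv(buf, pos):
    """Decode one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    return tag, buf[pos + hdr:pos + hdr + length], pos + hdr + length


def _children(value):
    """Split the contents of a constructed DER element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def public_key_info(der):
    """Return (subjectPublicKeyInfo contents, RSA modulus bits) of an X.509 cert."""
    tag, cert, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER-encoded certificate")
    tbs = _children(_children(cert)[0][1])   # tbsCertificate fields
    if tbs[0][0] == 0xA0:                    # explicit [0] version; absent in v1 certs
        tbs = tbs[1:]
    # order: serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki = tbs[5][1]
    _alg, (_tag, bits) = _children(spki)
    rsa_key = _children(bits[1:])[0][1]     # skip the unused-bits octet of the BIT STRING
    modulus = int.from_bytes(_children(rsa_key)[0][1], "big")
    return spki, modulus.bit_length()


def split_pem_bundle(text):
    """Return the DER certificates in text, enforcing the boundary rules."""
    certs, body = [], None
    for lineno, raw in enumerate(text.splitlines(keepends=True), 1):
        line = raw.rstrip("\r\n")
        if line in (BEGIN, END) and not raw.endswith("\n"):
            raise ValueError(f"line {lineno}: boundary must be followed by a NEWLINE")
        if line == BEGIN:
            if body is not None:
                raise ValueError(f"line {lineno}: BEGIN inside an open certificate")
            body = []
        elif line == END:
            if body is None:
                raise ValueError(f"line {lineno}: END without BEGIN")
            certs.append(base64.b64decode("".join(body), validate=True))
            body = None
        elif body is not None:
            body.append(line.strip())
        elif line.strip():
            raise ValueError(f"line {lineno}: text outside certificate boundaries")
    if body is not None:
        raise ValueError("last certificate has no END boundary")
    return certs


def check_trusted_keys(text):
    """Return [(index, modulus_bits, key_fingerprint)]; raise on a duplicate key."""
    seen, report = {}, []
    for idx, der in enumerate(split_pem_bundle(text), 1):
        spki, bits = public_key_info(der)
        fingerprint = hashlib.sha256(spki).hexdigest()
        if fingerprint in seen:
            raise ValueError(f"certificate {idx} repeats the public key of certificate {seen[fingerprint]}")
        seen[fingerprint] = idx
        report.append((idx, bits, fingerprint))
    return report
```

     check_trusted_keys(PAGE_CERTLIST) returns two entries, both 512-bit keys with distinct fingerprints; appending either certificate a second time, dropping the NEWLINE after the final END boundary, or leaving stray text between certificates all raise ValueError, which is the outcome a CA wants before those keys are written into every key package.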