- 07 Jan 2025
- 2 minute read
Creating Secure Auditing Certificate Files Manually
Manually created Secure Auditing certificate files must be generated from supported elliptic curve keys. Secure Auditing for OneSpan Authentication Server only supports elliptic curve keys that are:
- ECDSA
- NIST P-256 compliant
- Stored in PKCS #12 format
- Password-protected (i.e. empty password is not valid)
Additionally, the certificate file must meet the following requirements:
- It must be in the correct file format:
  - If you are installing the certificate file via the Configuration Wizard during installation, it should be in .pem file format.
  - If you are installing the certificate file via the Configuration Utility, it should be in .p12 file format.
- The elliptic curve key must be password-protected (i.e. an empty password is not valid).
- The certificate must be generated from the elliptic curve key.
- The elliptic curve key must be placed in the certificate file.
To manually generate your own secure auditing certificate file, you can use openssl.
OneSpan Authentication Server ships with a specific version of the OpenSSL utility. We recommend that you use this version for any procedures involving the openssl command.
By default, this specific version of OpenSSL is located in %PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\bin on Windows and in /opt/vasco/ias/bin on Linux, respectively.
Typical steps to manually generate a secure auditing certificate file
- Open a command-line terminal.
- Create an elliptic curve key file (in this case, named tmp.pem) via the following command:
  openssl ecparam -out tmp.pem -name prime256v1 -genkey
- Set the elliptic curve key file as password-protected. To do so, run the following command in a different command-line terminal:
  openssl ec -in tmp.pem -des3 -out key.pem -passout pass:password
  The output of this command is a valid, password-protected elliptic curve key file named key.pem.
- Generate a certificate file (in this case, named cert.pem) from the password-protected elliptic curve key:
  openssl req -new -x509 -key key.pem -sha256 -out cert.pem -days 3650
- The next step depends on how you plan to install the certificate file:
  - If you plan to install the certificate file via the Maintenance Wizard (e.g. during installation), merge the contents of both the password-protected elliptic curve key and the generated certificate file into a third PEM file. On Linux, you can do so via the cat command:
    cat key.pem cert.pem > audit.pem
    This command outputs the contents of key.pem and cert.pem into audit.pem, which you can install via the Maintenance Wizard.
  - If you plan to install the certificate file via the Configuration Utility, import the password-protected elliptic curve key and the generated certificate file into a PKCS #12-formatted certificate file. To do so, use the following command:
    openssl pkcs12 -export -in cert.pem -inkey key.pem -name "Test Certificate" -out testaudit.p12
    This command outputs a certificate file named testaudit.p12, which you can then install via the Configuration Utility.
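The following script is an added example, not OneSpan's own tooling. It runs the steps above end to end non-interactively (adding -subj and -passin/-passout so no prompts appear) and then checks the resulting files against the requirements listed at the top of this page: the key is prime256v1 (NIST P-256), it is stored encrypted, the certificate was generated from that key, the PEM bundle carries both key and certificate, and the PKCS #12 file opens with the chosen password but not with an empty one. It assumes an openssl binary on PATH; the directory, file names, subject and password are constructed placeholders.

```shell
#!/bin/sh
# Added example (not OneSpan's own tooling): runs the page's openssl steps end to end
# and then checks the resulting files against the stated Secure Auditing requirements.
# Assumes an 'openssl' binary on PATH; file names, subject and password are constructed.
set -eu

# Generate tmp.pem, key.pem, cert.pem, audit.pem and audit.p12 inside $1,
# using $2 as the key and export password. Returns 0 on success.
make_audit_files() {
    dir=$1
    pw=$2
    mkdir -p "$dir"
    # 1. unprotected NIST P-256 (prime256v1) ECDSA key
    openssl ecparam -name prime256v1 -genkey -out "$dir/tmp.pem" 2>/dev/null
    # 2. password-protect it (the page uses -des3; a non-empty password is mandatory)
    openssl ec -in "$dir/tmp.pem" -des3 -out "$dir/key.pem" -passout "pass:$pw" 2>/dev/null
    # 3. self-signed certificate generated from that key (-subj keeps it non-interactive)
    openssl req -new -x509 -key "$dir/key.pem" -passin "pass:$pw" -sha256 \
        -subj "/CN=Secure Auditing Example" -days 3650 -out "$dir/cert.pem" 2>/dev/null
    # 4a. PEM bundle (key + certificate) for the wizard-based install
    cat "$dir/key.pem" "$dir/cert.pem" > "$dir/audit.pem"
    # 4b. PKCS #12 bundle for the Configuration Utility install
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -passin "pass:$pw" -passout "pass:$pw" -name "Test Certificate" \
        -out "$dir/audit.p12" 2>/dev/null
}

# Check the generated files in $1 (password $2) against the requirements.
# Prints one line per check and returns 1 if any check fails.
check_audit_files() {
    dir=$1
    pw=$2
    rc=0
    # key must be prime256v1 (NIST P-256)
    if openssl ec -in "$dir/key.pem" -passin "pass:$pw" -text -noout 2>/dev/null | grep -q 'prime256v1'; then
        echo "ok   curve is prime256v1 (NIST P-256)"
    else
        echo "FAIL key is not a prime256v1 key"; rc=1
    fi
    # key must be stored encrypted, never in the clear
    if grep -q 'ENCRYPTED' "$dir/key.pem"; then
        echo "ok   key.pem is password-protected"
    else
        echo "FAIL key.pem is stored unencrypted"; rc=1
    fi
    # certificate must have been generated from this key: public keys must match
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey)
    key_pub=$(openssl ec -in "$dir/key.pem" -passin "pass:$pw" -pubout 2>/dev/null)
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "ok   cert.pem matches key.pem"
    else
        echo "FAIL cert.pem was not generated from key.pem"; rc=1
    fi
    # PEM bundle must carry both the key and the certificate
    if grep -q 'PRIVATE KEY' "$dir/audit.pem" && grep -q 'BEGIN CERTIFICATE' "$dir/audit.pem"; then
        echo "ok   audit.pem contains key and certificate"
    else
        echo "FAIL audit.pem is incomplete"; rc=1
    fi
    # PKCS #12 must open with the password and must NOT open with an empty one
    if openssl pkcs12 -in "$dir/audit.p12" -nokeys -noout -passin "pass:$pw" 2>/dev/null \
       && ! openssl pkcs12 -in "$dir/audit.p12" -nokeys -noout -passin "pass:" 2>/dev/null; then
        echo "ok   audit.p12 requires the non-empty password"
    else
        echo "FAIL audit.p12 password protection is wrong"; rc=1
    fi
    return $rc
}

# Stand-alone run: build and check the files in a scratch directory.
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    make_audit_files "$work" "CHANGE-ME-example-password"
    check_audit_files "$work" "CHANGE-ME-example-password"
fi
```

Run it as `sh make_audit.sh run`; a non-zero exit from check_audit_files means one of the requirements is not met and the files should not be installed. The public-key comparison is the check worth keeping in any variant of this procedure, since a certificate issued from a different key than the one placed in the bundle is the mistake the manual steps make easiest.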