Digital certificates have been getting a lot of attention in the press recently, as have extranets. There are lots of good reasons to be excited about these technologies individually. More exciting is the fact that when we bring them together, we have a platform for secure, distributed collaborative commerce. Organizations around the world are going to learn to use that platform to reduce their costs, increase security and productivity, and enhance the quality of life for their employees and partners. Let's start with the basics about digital certificates. A digital certificate, or cert for short, is like an identity document that contains a name and a cryptographic key. It can be used in three ways.
- First, it allows the owner to sign documents and data transmissions. The certificate is attached to the document or data along with the signature. A recipient or reader of the transmission can verify the validity of the signature using the cryptographic key in the cert, and establish the identity of the sender by looking at the name information in the cert.
- Second, a cert can be used to send somebody confidential information. If you hold the certificate for a person to whom you wish to send an encrypted transmission, you simply use the cryptographic key embedded in that certificate when you do the data encryption. The owner of the certificate, who holds a counterpart to the key embedded in the certificate, uses that counterpart key to decrypt the data that you have sent. I have a list of people's certificates in my electronic address book, and when I need to send confidential e-mail I simply tell Outlook Express or Netscape Communicator Messenger to use the appropriate certificate when it encrypts and sends that e-mail.
- Third, a cert can be used to authenticate somebody, just as a username and password can be used for authentication purposes. Authentication means that a cert could be used to control access to different portions of a Web site, or even different portions of an extranet.
So how can we combine certificates and extranet technologies? We can use the digital certificate to authenticate someone when they want to log in to a server, and we can use the cert to establish encrypted communications with the other party. Most companies are already looking at issuing digital certificates to their employees to encrypt their e-mail, using the S/MIME standard for secure messaging. Wouldn't it be great if the same certificates could control their access to corporate information on the extranet? At Thawte, we think it's only a matter of time before we see convergence in the use of certificates for multiple purposes.
Issuing and managing certificates used to be a black art. Five years ago there were probably fewer than a few hundred people worldwide with a good understanding of digital certificate technology and international standards. If you wanted to use certificates, you paid a fortune for the technology to understand them, and you paid even more for somebody to issue them on your behalf. Fortunately, today the technology is widely available at low cost, and any corporation can act as its own certifying authority (a certifying authority, or CA, is a company that specializes in issuing digital certificates). You can set up a certificate server free of charge if you run Windows NT and install the Option Pack from Microsoft. Netscape will sell you an excellent certificate server that integrates with their suite of server products. Independent vendors such as Xcert and Certco specialize in the certification technology marketplace. Whichever platform you choose, you will be assured of compliance with the basic standards and complete control of your certification requirements.
If you do have to choose such a platform, there are a number of things you should look for. Most important is support for hardware cryptographic devices, so that you can have confidence that your own corporate keys are physically protected. Next, look for full support for X.509 version 3, the standard that defines current practices in the certification industry. If the IETF has ratified its certificate profiles, called PKIX, by the time you read this, then look for support for PKIX. Make sure that your certification platform can deliver certificates to Netscape and Microsoft browsers for client authentication and mail encryption functionality, and that the certificates inter-operate across those platforms. Next, look for support for chained certificates, so that you can get a public CA such as Thawte to certify your own operation and thereby make your certificates recognized globally. Last, be price conscious. The emergence of strong standards such as PKIX makes it much less important to pay a fortune. That said: penny wise, pound foolish. The certification technology industry is well enough diversified that you'll be able to find a perfect match for your requirements.
At this stage, I don't believe it's possible to use the same certificate for Web access control, extranet authentication, and e-mail encryption. But there is hope on the horizon! Microsoft's CryptoAPI 2.0 gives users of Windows 95 and Windows 98, along with Windows NT 4.0 and later, a stable platform for managing keys and certificates. Applications can share certificates, which is going to become very important. I picture a world where one obtains a set of certificates from a public CA or one's employer, and then uses those certificates from multiple applications for e-mail, Web and extranet access.
Are digital certificates perfect? No. They can be brittle, highly dependent on the management of cryptographic keys, and ultimately dependent upon pass phrases and PINs used to lock up private keys. But they are the best technology around today, and there is a tremendous momentum behind them to make them easier to use. Technology like the Thawte Strong Extranet continues to bring us closer to a common platform for mail and extranet authentication through a single digital certificate. The consensus opinion among all leading vendors is that certificates hold the key to secure electronic commerce. If you plan to be part of the global secure workplace, now is the time to be gaining the necessary experience for your own certification requirements.
Reprinted with permission from The Aventail Corporation
How to Obtain a Server SSL Certificate from VeriSign (November 1999)
VeriSign is a leading vendor of digital certificates, which are used to secure the Web servers that companies use to sell products or services online or to support an intranet or extranet. Digital certificates provide proof of identity, activate encryption, and ensure peace of mind through a protection plan. For server certificates, VeriSign issues a unique Secure Server ID that a company can use to assure its visitors that the company is who it says it is.
SSL certificates can be obtained from several vendors for use with a secure extranet. Many vendors, including VeriSign, can generate a test certificate, which can be used while evaluating an extranet solution.
The following is a typical step-by-step process to create a certified server certificate from VeriSign:
1. Generate a key pair using the extranet's built-in wizard, if there is one.
2. Go to VeriSign's homepage at www.verisign.com.
3. Go to the Server IDs page at digitalid.verisign.com/server/index.html.
4. Choose the desired extranet vendor.
5. Submit a certificate request.
6. Enter the portion "Begin Certificate .... End Certificate" into the online certificate request form. (This is taken from the Certificate Request file generated in step 1.)
7. Wait for a response from VeriSign. (Note: you will get a PIN from them immediately, which can be used to check the status of the certificate processing.)
8. Once the response is received, restart the extranet's key generation process.
9. The Certificate Authority will send an e-mail message from which you should copy the portion that runs from "Begin Certificate" to "End Certificate".
10. Continue to follow the directions as specified by the particular extranet solution you are using.
11. VeriSign will send a trusted roots file that shows VeriSign as the CA.
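The procedure above, replayed offline in Go with only the standard library, as an added example that is not part of the original article or of any vendor's software: the server generates a key pair and a certificate request (steps 1 and 6), a constructed test CA standing in for VeriSign checks the request and signs the certificate (steps 7 to 9), and the trusted-roots file (step 11) is what lets a visitor verify the result. The host name, the CA name and the validity window are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IssueServerCert: server makes key pair + request, CA checks the request and signs the certificate,
// and hands back its root for the trusted-roots file. The CA is a throwaway stand-in, not VeriSign.
func IssueServerCert(host string) (srv, root *x509.Certificate, srvKey *ecdsa.PrivateKey, err error) {
	srvKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // step 1: the server's key pair
	if err != nil { return }
	// Step 6: this DER, PEM-encoded, is the "Begin ... End" request blob pasted into the form.
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}, srvKey)
	if err != nil { return }
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return }
	if err = csr.CheckSignature(); err != nil { return } // CA side: the requester really holds the private key
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed CA root key (assumption)
	if err != nil { return }
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	rootDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	if err != nil { return }
	if root, err = x509.ParseCertificate(rootDER); err != nil { return }
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, NotBefore: caTmpl.NotBefore, NotAfter: caTmpl.NotAfter}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, root, csr.PublicKey, caKey) // steps 7-9: CA signs the requested name and key
	if err != nil { return }
	srv, err = x509.ParseCertificate(srvDER)
	return
}

// VerifyServerCert is what a visitor's browser does with the trusted-roots file (step 11): accept the
// certificate only if it chains to a trusted root, is within its validity period and names the host.
func VerifyServerCert(cert, root *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	srv, root, _, err := IssueServerCert("extranet.example.com")
	if err != nil { panic(err) }
	fmt.Println("issued to", srv.Subject.CommonName, "by", srv.Issuer.CommonName, "- chain verifies:", VerifyServerCert(srv, root, "extranet.example.com") == nil)
}
```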
Reprinted with permission from The Aventail Corporation