NCSA CyberSecurity

Author: Terry Fleury (tfleury@ncsa.uiuc.edu)
Last Update: March 8, 2006

Implementation

This document gives specific configuration instructions for using Windows XP's Internet Explorer with proxy certificates. This will allow you to verify that your server is correctly set up to perform both server and client verification with the appropriate certificates.

Client Setup

Most web browsers can be configured to handle 'normal' user certificates, but from the testing we have done so far, only Windows XP's "Internet Options" control panel correctly handles proxy certificates. We hope to continue testing various clients to find other proxy certificate compatible solutions.

Creating and installing (proxy) user certificates is more difficult than creating a server certificate because the user must generate a key-pair, keep the private key to himself, and send the public key to a Certificate Authority (CA) to be incorporated into a certificate request. Once a signed user certificate has been created using a CA, the certificate must be installed in a client application so that the client may present it when needed. As the proxy certificate is based on the user certificate, the first step is obtaining a user certificate.

  1. Obtain a user certificate.
    Similar to a server certificate, a user certificate is issued by a Certificate Authority, but is for use by an individual to verify his identity to the server. If the server is configured with a self-signed certificate, then there is no CA involved and thus creating a user certificate is difficult. If the server is configured with its own local CA (which is beyond the scope of this document), then it could authorize user certificate requests. Instead, let's assume that the server was configured with a third-party CA. You need to obtain a client (user) certificate from the same CA.
    Instructions For NCSA's CA...
    Instructions For CAcert.org...
    Instructions For Commercial CAs...

  2. Create a proxy certificate based on your user certificate.
    A proxy certificate is similar to a user certificate. It is in fact a client certificate; however, rather than having a Certificate Authority (CA) sign the Certificate Signing Request (CSR), YOU become the CA and use your user certificate to sign the CSR. At NCSA and at other sites using the CoG Kit or Globus Toolkit, this process is simplified by some provided utilities. In other circumstances, you will need to use OpenSSL to create and sign the CSR.
    Instructions For NCSA And CoG Kit/Globus Installations...
    Instructions Using OpenSSL For Other Situations...

  3. Convert the proxy certificate into PKCS12 form.
    Many applications, including Java KeyStore and Internet Explorer, require that client certificates (which include proxy certificates) be in the PKCS12 format rather than the X509 PEM format. Since the proxy certificate you just created is in PEM format, you need to convert your PEM formatted proxy certificate to PKCS12 format. Note that your proxy certificate file contains both the certificate AND the key, so you will use the same filename for the command line options for "input certificate" (-in) and "input key" (-inkey).

  4. Import the Root Certificate Authority file into Windows Internet Options.
    For Internet Explorer to connect to the server via SSL without any warning messages, the server's root certificate must be in the list of trusted CAs.
    Step By Step Instructions With Screen Captures...

  5. Import your PKCS12 User Credential into Windows Internet Options.
    For the server to allow Internet Explorer to connect, the proxy certificate must be in the list of Personal certificates.
    Step By Step Instructions With Screen Captures...

  6. Disable the use of SSL2 in Windows Internet Options.
    This step is important if you are connecting to Tomcat. By default, Tomcat will attempt to connect using SSL2 protocols first and Internet Explorer will fail to connect since SSL2 doesn't support proxy certificates. Fortunately, you can disable SSL2 in Internet Options.
    Step By Step Instructions With Screen Captures...

  7. Test your https connection.
    Now when you use any browser that uses Windows' Internet Options (Internet Explorer, Avant Browser, Slim Browser) and connect to your https://... site, it will present your proxy certificate correctly.

Note that the proxy certificate has a short life, so you'll have to remove/import a new proxy certificate every time the old one expires.
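Steps 2 and 3 above carried out with OpenSSL, as an added example that is not part of the original page: it builds a proxy credential, converts it to PKCS12 using the same file for -in and -inkey, and then goes one step further by checking that a verifier accepts the chain only when told to allow proxy certificates. The file names, the subject /O=Example Grid/CN=Jane Doe, the password and the self-signed stand-in for the CA-issued user certificate are assumptions made for the demo.

```shell
# Steps 2 and 3 with OpenSSL. Assumed names: usercert.pem/userkey.pem (the
# user credential from step 1), proxy.pem (combined), proxy.p12 (for IE).
set -e
WORK="${WORK:-$(mktemp -d)}"        # scratch directory for all files
P12PASS="${P12PASS:-changeit}"      # export password IE will prompt for
# Constructed stand-in for step 1: a self-signed, non-CA user certificate;
# a real CA-issued user certificate has the same shape (CA:FALSE).
make_test_user_credential() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Grid/CN=Jane Doe" \
    -keyout "$WORK/userkey.pem" -out "$WORK/user.csr" 2>/dev/null
  echo 'basicConstraints=CA:FALSE' > "$WORK/user.ext"
  openssl x509 -req -in "$WORK/user.csr" -signkey "$WORK/userkey.pem" -days 365 \
    -extfile "$WORK/user.ext" -out "$WORK/usercert.pem" 2>/dev/null
}
# Step 2: YOU are the CA. Fresh key pair + CSR whose subject is the user's
# subject plus one extra CN (RFC 3820), signed with the USER key and carrying
# the critical proxyCertInfo extension; lifetime is short (one day here).
make_proxy_credential() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=Example Grid/CN=Jane Doe/CN=12345678" \
    -keyout "$WORK/proxykey.pem" -out "$WORK/proxy.csr" 2>/dev/null
  echo 'proxyCertInfo=critical,language:id-ppl-inheritAll,pathlen:0' \
    > "$WORK/proxy.ext"
  openssl x509 -req -in "$WORK/proxy.csr" -days 1 -CA "$WORK/usercert.pem" \
    -CAkey "$WORK/userkey.pem" -CAcreateserial -extfile "$WORK/proxy.ext" \
    -out "$WORK/proxycert.pem" 2>/dev/null
  # Globus-style credential file: proxy cert, proxy key, then the user cert.
  cat "$WORK/proxycert.pem" "$WORK/proxykey.pem" "$WORK/usercert.pem" \
    > "$WORK/proxy.pem" && chmod 600 "$WORK/proxy.pem"
  # Step 3: the same file serves -in and -inkey, as the page says; the user
  # cert rides along as the chain so the browser can present both.
  openssl pkcs12 -export -in "$WORK/proxy.pem" -inkey "$WORK/proxy.pem" \
    -name proxy -passout "pass:$P12PASS" -out "$WORK/proxy.p12"
}
# Checks. A verifier accepts the chain only when told to allow proxy
# certificates ($1 = -allow_proxy_certs); without that flag it must reject it.
verify_proxy_chain() {
  openssl verify ${1:-} -CAfile "$WORK/usercert.pem" "$WORK/proxycert.pem" \
    >/dev/null 2>&1
}
p12_cert_count() {   # expect 2: proxy cert + user cert
  openssl pkcs12 -in "$WORK/proxy.p12" -passin "pass:$P12PASS" -nokeys \
    2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
p12_key_count() {    # expect 1: the proxy private key
  openssl pkcs12 -in "$WORK/proxy.p12" -passin "pass:$P12PASS" -nocerts -nodes \
    2>/dev/null | grep -c 'BEGIN .*PRIVATE KEY'
}
# PROXY_DEMO_RUN=1 sh thisfile  -> builds everything and checks the chain
[ "${PROXY_DEMO_RUN:-0}" = 1 ] && { make_test_user_credential; make_proxy_credential; verify_proxy_chain -allow_proxy_certs; }
```

With OpenSSL 3 the resulting .p12 uses AES/PBKDF2 by default, which very old importers may not read.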