MQSeries.net Forum Index » IBM MQ Security » Why do IBM call a Signer Certificate a "CA" certif

Why do IBM call a Signer Certificate a "CA" certif
sjclark1
PostPosted: Tue Jun 28, 2011 6:33 am    Post subject: Why do IBM call a Signer Certificate a "CA" certif

From this redbook:

http://www.redbooks.ibm.com/redpapers/pdfs/redp4140.pdf

Section 2.5
Code:

To set up client authentication, we need to perform the following steps:
1. Create a self-signed certificate for the client.
2. Add the certification authority certificate to the queue manager.
3. Change the server connection channel to request client authentication.
4. Re-test.



Then 2.5.1:

Code:

Now the WebSphere MQ client has a certificate, which it presents to the queue manager when the client connects. To validate the client's certificate, the queue manager needs the certification authority (CA) certificate.


Then 2.5.2:

Code:

2.5.2 Installing the CA part in the queue manager's key repository
This task consists of the following steps, executed on the queue manager
machine:
1. Copy or transfer the CA (<user ID>.arm) file to the client.
2. Add the CA file to the queue manager's key repository.


I assume I have misunderstood 'CA' which I took to mean a certificate from some external third party like Verisign. Does CA therefore mean any 'signer' certificate containing a public key? I'm a little confused.

mqjeff
PostPosted: Tue Jun 28, 2011 6:38 am

There's a difference between CA signed certificates and self-signed certificates.

In general, the signer of a certificate is the entity that asserts that the certificate is valid and represents a known trusted entity.

sjclark1
PostPosted: Tue Jun 28, 2011 6:43 am

In the example above:

1. Create a self-signed certificate for the client.
2. Add the certification authority certificate to the queue manager.

Are the certificates in #1 and #2 based on the same thing, i.e. the CA version is just the public key part of #1?

mqjeff
PostPosted: Tue Jun 28, 2011 6:47 am

sjclark1 wrote:
In the example above:

1. Create a self-signed certificate for the client.
2. Add the certification authority certificate to the queue manager.

Are the certificates in #1 and #2 based on the same thing, i.e. the CA version is just the public key part of #1?


Yes.

That's what self-signed means.

Vitor
PostPosted: Tue Jun 28, 2011 6:47 am    Post subject: Re: Why do IBM call a Signer Certificate a "CA" ce

sjclark1 wrote:
I assume I have misunderstood 'CA' which I took to mean a certificate from some external third party like Verisign.


You can use an external 3rd party; many sites use an internal CA as well as, or instead of, an external one to produce certificates for internal use cheaply.

Basically a CA is someone you trust that signs a certificate saying they believe the owner of the certificate is who they are. If all you're trying to prove is that the Billing application really is what's trying to connect to the Ledger system, a certificate signed by a CA under the control of Mr. Smith in the Security department is probably good enough.

If you're trying to prove to the NYSE that it's your Trading application trying to sell $1,000,000 of IBM stock, they may not trust Mr. Smith.

sjclark1
PostPosted: Tue Jun 28, 2011 6:48 am


mqjeff wrote:

Yes.

That's what self-signed means.


Great, thanks. Another question answered by the MQ Jedi Council.

sjclark1
PostPosted: Tue Jun 28, 2011 7:00 am    Post subject: Re: Why do IBM call a Signer Certificate a "CA" ce

Vitor wrote:

Basically a CA is someone you trust that signs a certificate saying they believe the owner of the certificate is who they are.


Got it, thanks. So anyone can be a CA in theory. I do think the name "Certification Authority" is a little bit misleading as it implies they are some important "authority" but who am I to argue with 15 years of MQ SSL convention?

Thanks all!

Last edited by sjclark1 on Tue Jun 28, 2011 11:21 am; edited 1 time in total

exerk
PostPosted: Tue Jun 28, 2011 7:09 am

A self-signed certificate is its own "CA". IBM documentation has a bit of a reputation on this site for being sometimes a little...confusing?

mqjeff
PostPosted: Tue Jun 28, 2011 7:11 am

A certificate authority is not an MQ term. It's an SSL term.

It represents a specific entity that issues certificates, and is presumed to have taken steps to validate the identity of the person that the certificate represents.

SSL is all about a web of trust - I don't know you, but you have a certificate that was signed by someone I do trust, so I trust you. This is where the phrase "trust store" comes from - it's the container for certificates that are trusted, rather than the holder for certificates that represents a personal identity.

In the case of a self-signed certificate, the entity that signs the certificate is the same entity that the certificate represents. In the web-of-trust, it's "I do know you and I trust you, so when you present a certificate that you say belongs to you, I believe you."

In the case of a CA-signed certificate, the entity that signs the certificate is a different entity than the certificate represents.

And, again, Vitor's fine analogy about the trustworthiness of the entity that is acting as a CA applies.

bruce2359
PostPosted: Tue Jun 28, 2011 7:36 am    Post subject: Re: Why do IBM call a Signer Certificate a "CA" ce

sjclark1 wrote:
So anyone can be a CA in theory.

As described by my colleagues, in practice (as opposed to theory), there is a big difference between internally-generated certificates, and those from a trusted 3rd-party CA (like VeriSign, for example). The big difference is one of trust.

Please use the terms carefully when working with your security folks, management, and auditors.

Vitor
PostPosted: Tue Jun 28, 2011 7:49 am

mqjeff wrote:
A certificate authority is not an MQ term. It's an SSL term.

http://en.wikipedia.org/wiki/Certificate_authority

Which I was amused to note comes with a tag "This article may be confusing or unclear to readers".

zpat
PostPosted: Tue Jun 28, 2011 8:12 am

What could possibly be confusing about security? I forced myself to pass the CISSP exam (6 hours) but it's not an experience I am keen to repeat.

sjclark1
PostPosted: Tue Jun 28, 2011 9:43 am

Update -- I know where my confusion came from! This blog which I read last week:

http://hursleyonwmq.wordpress.com/2007/02/05/an-introduction-to-ssl-configuration/

While I have found that blog useful for various things and I don't like criticising anyone who does a blog to help others, it describes a CA as being the alternative path to an everyone-knows-everyone approach to certificate distribution:

Code:

“The way to solve this problem is by using a ‘certificate authority’ (CA). Every queue manager has a copy of the public key of that certificate authority in it’s key repository, and every new queue manager’s certificate is signed by that CA."


If you read the blog you’ll get what I mean. Now I fully understand the point being made – it is easier if you get one single trusted signer to sign all future certificates. But the issue is the term ‘certificate authority’ is introduced and implied to mean a signer who signs multiple different certificates, whereas the discussion on this forum confirms that is not necessarily the case.

mqjeff
PostPosted: Tue Jun 28, 2011 9:57 am

sjclark1 wrote:
If you read the blog you’ll get what I mean. Now I fully understand the point being made – it is easier if you get one single trusted signer to sign all future certificates. But the issue is the term ‘certificate authority’ is introduced and implied to mean a signer who signs multiple different certificates, whereas the discussion on this forum confirms that is not necessarily the case.


No, again. CA has a specific, non-MQ standard meaning, and MQ uses that meaning.

But you should not think of the trust store as having anything to do with CAs.

It's merely the place that you put the certificates you trust.

Some of those certificates may well be from a CA. Some of them may not be.

When you create a self-signed certificate, you are not creating a CA-signed certificate where the CA happens to also be you. (despite that I said something that implied that earlier).

When you create a self-signed certificate, you are creating a cert and then signing it. If you do this, then the same key is put into both the client keystore and the server trust store.

You can create a CA, for internal or external use, and use that to sign certificates (one or more). If you do this, then the CA signer certificate is put into the server trust store and the signed certificate is put into the client key store.

Again, this is all "standard nomenclature" for SSL in general.
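The two trust-store layouts mqjeff describes in this post and in his 7:11 am post (self-signed: the same certificate sits in the client key store and the server trust store; CA-signed: the CA signer certificate sits in the trust store and the issued certificate in the client key store) can be checked with a throw-away PKI. The script below is an added example, not from the thread, the redbook or the blog it cites, and it uses openssl rather than the GSKit tools (runmqckm/ikeyman) an MQ installation would use; the subject names "Internal Test CA", "billing-client" and "selfsigned-client", the file names and the config sections are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from IBM documentation: a throw-away PKI
# built with openssl to show which certificate has to be in the trust store for
# the queue manager's validation of a presented certificate to succeed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# Minimal request config (constructed for the demo) so the run does not depend
# on whatever system openssl.cnf happens to be installed.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
EOF

make_pki() {
    # An internal CA: a self-signed root marked CA:TRUE so it may issue other certs.
    openssl req -x509 -config "$CNF" -extensions ca_ext -newkey rsa:2048 -nodes \
        -days 1 -subj "/CN=Internal Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    # A client certificate issued by that CA: signer and subject are different entities.
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
        -subj "/CN=billing-client" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$CNF" -extensions leaf_ext \
        -out "$WORK/client.crt" >/dev/null 2>&1
    # A self-signed client certificate: signed with the subject's own key.
    openssl req -x509 -config "$CNF" -extensions leaf_ext -newkey rsa:2048 -nodes \
        -days 1 -subj "/CN=selfsigned-client" \
        -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" >/dev/null 2>&1
}

# verify_against TRUSTSTORE_CERT PRESENTED_CERT
# The first file plays the queue manager's trust store, the second is what the
# client presents. Prints "trusted" or "rejected" and always returns 0 so callers
# can compare the word rather than the exit status.
verify_against() {
    if openssl verify -CAfile "$WORK/$1" "$WORK/$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

make_pki
echo "CA cert in trust store, CA-signed client cert presented:   $(verify_against ca.crt client.crt)"
echo "CA cert in trust store, self-signed client cert presented: $(verify_against ca.crt selfsigned.crt)"
echo "Self-signed cert itself in trust store, presented again:   $(verify_against selfsigned.crt selfsigned.crt)"
```

The first line is the CA-signed layout: the trust store holds only the CA's signer certificate, and the client certificate validates through it. The second line shows why the redbook's step 2 is needed for a self-signed client certificate: a trust store holding an unrelated CA rejects it. The third line is the self-signed layout: the only thing that can vouch for a self-signed certificate is a copy of that same certificate in the trust store, which is the "CA part" the redbook extracts to the .arm file.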
sjclark1
PostPosted: Tue Jun 28, 2011 11:38 am

In general I get the principles being discussed here, but some doubts remain -- for example, are the two statements below not contradictory?

exerk wrote:

A self-signed certificate is its own "CA".


mqjeff wrote:

When you create a self-signed certificate, you are not creating a CA-signed certificate where the CA happens to also be you.