Chapter 3: Tutorial: Checking, Exporting and Importing Certificates

This tutorial walks through the certificates already installed on your machine, independently of the Micro Focus Security Pack.

Viewing Certificates

There are probably some certificates already installed on your machine. Applications that use SSL, such as a Web browser, usually come with certificates for well-known Web sites and CAs. New certificates for Web sites with newly established reputations are often included in the regular updates that are published for the applications.

With Internet Explorer

If your browser is Internet Explorer:

  1. Click Tools > Internet Options > Content.
  2. Click Certificates and then the Trusted Root Certification Authorities tab on the far right.

    This lists the root CAs known and trusted by your Web browser - that is, the CAs whose certificates have been installed in the SSL software in your Web browser. A default set of these, consisting of many of the world's best known ones, is installed when Internet Explorer is installed.

    The terminology used in Internet Explorer is slightly different from that used in this book, as follows:

    Internet Explorer        This book
    -----------------        ---------
    Personal certificate     Your client certificate
    Other people's           Client or server certificate of some other entity
    Intermediate CA          Subordinate CA
    Trusted root CA          Root CA
  3. Double-click any one of the certificates shown. This displays the certificate on the screen. In many cases the "Issued To" and "Issued by" names are the same, indicating a self-signed certificate - one issued by a root CA to itself.
  4. Click the Certification Path tab. This lists the chain of CAs from the certificate back to the root CA. Because this certificate is for a root CA, there is just one entry.
  5. Click OK to close the certificate.
  6. Click the Intermediate Certification Authorities tab. This shows a list of subordinate CAs whose certificates have been installed in your Internet Explorer.
  7. Double-click one of the certificates.
  8. Click Certification Path. You now see the chain of CAs, from the subordinate CA that issued this certificate, back up through the hierarchy to the root CA.
  9. Close the dialog boxes.

With Mozilla Firefox

If your browser is Mozilla Firefox:

  1. Click Tools > Options > Advanced. Then, depending on your version, either scroll down and click Manage Certificates, or click the Security tab and then View Certificates.
  2. Click the Authorities tab. This lists the CAs known and trusted by your Web browser - that is, whose certificates have been installed in the SSL software in your Web browser. A default set of these, consisting of many of the world's best known ones, is installed when Firefox is installed.
  3. Double-click any one of the certificates shown. This displays the certificate on the screen. In many cases the "Issued To" and "Issued by" names are the same, indicating a self-signed certificate - one issued by a root CA to itself.
  4. Click the Certification Path tab. This lists the chain of CAs from the certificate back to the root CA. If this certificate is for a root CA, there is just one entry.
  5. Click OK to close the certificate.
  6. Look at some other certificates in the same way. You may find that all the certificates are for root CAs. If you find one for a subordinate CA, you can see the chain of CAs, from the subordinate CA that issued this certificate, back up through the hierarchy to the root CA.
  7. Close the dialog boxes.

Checking a Certificate

Frauds have sometimes been perpetrated in which fake Web sites masquerade as genuine sites - when you think you are connecting to the genuine site, for example your online bank, you are in fact diverted to a fraudulent one designed to look like it, and trick you into revealing your confidential details. This kind of fraud is called "phishing".

As a safeguard against this, you can view the certificate of the site you are connecting to.

With Internet Explorer

If your browser is Internet Explorer:

  1. Go to the Web site for any online entity that needs secure communications, such as an online bank.
  2. Follow the links to the first logon page. You do not need to log on.
  3. Look at the URL. You should find that it begins with https instead of http. HTTPS is Secure HTTP, the version of HTTP that uses SSL.
  4. Look at your Web browser's status line. You should see a symbol like a padlock. This shows that communications on this page use SSL.

    Some pages contain both secure (that is, encrypted) and insecure (unencrypted) information. If you view such a page, your browser might display a warning to this effect, and ask you if you want to continue. If you choose to continue, the padlock symbol disappears, because Internet Explorer does not treat such pages as secure. You will need to try some other HTTPS page to continue with this tutorial.

  5. Double-click the padlock symbol. This displays the entity's certificate.

    Click the Certification Path to show the hierarchy of CAs from the one that issued the certificate up to the root CA.

    A Web site that was masquerading as the one you believe you've contacted could not fake a certificate, because no reputable CA, having checked up on them, would sign a certificate for them. And since the list of CAs in your browser includes only genuine, reputable CAs, there will be no match and your browser will reject their certificate.

    However, even for the most respectable organizations, you will sometimes find warning messages on the General tab saying that in some respects the certificate is faulty. This is because some detail on the certificate is incorrect - for example, the expiry date may have passed. It is up to you to look at the details on the certificate, and decide whether you trust the Web site despite this flaw.

With Mozilla Firefox

If your browser is Mozilla Firefox:

  1. Go to the Web site for any online entity that needs secure communications, such as an online bank.
  2. Follow the links to the first logon page. You do not need to log on.
  3. Look at the URL. You should find that it begins with https instead of http. HTTPS is Secure HTTP, the version of HTTP that uses SSL.
  4. Look at your Web browser's status line. You should see a symbol like a padlock. This shows that communications on this page use SSL.

    Some pages contain both secure (that is, encrypted) and insecure (unencrypted) information. If you view such a page, your browser should display a warning to this effect, and ask you if you want to continue. If you choose to continue, the padlock symbol appears with a line through it, because Firefox does not treat such pages as secure. You can still view the certificate though.

  5. Double-click the padlock symbol.
  6. On the Page Info dialog box that appears, click View. This displays the entity's certificate. If you click the Details tab, you will see the hierarchy of CAs from the one that issued the certificate up to the root CA.

    A Web site that was masquerading as the one you believe you've contacted could not fake a certificate, because no reputable CA, having checked up on them, would sign a certificate for them. And since the list of CAs in your browser includes only genuine, reputable CAs, there will be no match and your browser will reject their certificate.

    However, even for the most respectable organizations, you will sometimes find warning messages on the General tab saying that in some respects the certificate is faulty. This is because some detail on the certificate is incorrect - for example, the expiry date may have passed. It is up to you to look at the details on the certificate, and decide whether you trust the Web site despite this flaw.
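The checks this tutorial has you make by eye - whether "Issued To" and "Issued by" name the same entity, what the Certification Path tab shows from a certificate up to a trusted root, and the warning you get when an expiry date has passed or the issuer is not a known CA - are shown below in Go as an added example; it is not part of the Micro Focus tutorial or product. The root CA, subordinate CA and site certificate it builds are constructed in memory with placeholder names, and the DER bytes it produces are the same encoding the export wizard's "DER encoded binary X.509" option writes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent. With parent nil it is
// self-signed: a root CA whose "Issued To" and "Issued by" names are the same.
func issue(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-48 * time.Hour), NotAfter: notAfter,
		IsCA:         isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	// der is the "DER encoded binary X.509" form the export wizard writes to disk.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// isSelfSigned is the check the tutorial does by eye: issuer equals subject,
// and the signature verifies under the certificate's own public key.
func isSelfSigned(c *x509.Certificate) bool {
	return c.Subject.String() == c.Issuer.String() && c.CheckSignatureFrom(c) == nil
}

// certificationPath rebuilds what the Certification Path tab shows (names from the
// certificate up to the root) or returns why a browser would warn instead at time at.
func certificationPath(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, at time.Time) ([]string, error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	for _, c := range roots { opts.Roots.AddCert(c) }
	for _, c := range intermediates { opts.Intermediates.AddCert(c) }
	chains, err := leaf.Verify(opts)
	if err != nil { return nil, err }
	var names []string
	for _, c := range chains[0] { names = append(names, c.Subject.CommonName) }
	return names, nil
}
```

A root certificate verified against a store that already contains it yields a single-entry path, exactly as step 4 of the Internet Explorer walkthrough describes.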

Exporting a Certificate from Internet Explorer

To export a certificate from Internet Explorer in the appropriate format, ready for importing into Firefox:

  1. In Internet Explorer click Tools > Internet Options.
  2. Go to the Content tab and double-click Certificates.
  3. Go to the Trusted Root Certification Authorities tab and find the certificates marked Verisign Trust Network. There are several notable features of these certificates:
    1. There are multiple certificates and each one is unique.
    2. These different types of certificates are used to confirm the trust of different types of identification certificates.
    3. Some of these certificates have passed their expiry date. However, they are still valid and should be present to prove the trust path for certificates that were signed during their working life span.
    4. Some of these certificates are direct replacements for expired or about-to-expire certificates.
    5. The life of the replacement certificates is typically far longer than that of the original certificates. Replacing certificates is problematic because it involves a significant amount of manual work, so the distribution of replacements is not often undertaken. To avoid this distribution complication, it is in the interest of all identification certificate users to use certificates with a long life.
  4. Select a certificate and click Export.
  5. In Certificate Export Wizard, click Next.
  6. Choose the format required by your target browser. If you don't know the format required, you can generate a few of the most common formats and save them to different files, so that the correct format is available.

    Select DER encoded binary X.509 and click Next.

  7. Specify <path>\DemoCA\Verisign as the name of the file to export to and click Next.
  8. On the final screen notice:
  9. Click Finish > OK and the file appears in the chosen directory.
  10. Close all the open IE dialog boxes.

Importing a Certificate into Mozilla Firefox

  1. In Firefox, go to Tools > Options.
  2. Go to the Advanced tab and the Security sub-tab and click View Certificates.
  3. Go to the Authorities tab and click Import. Note that the different tabs show different files; a file without an extension indicates that it is in native format.

    This emphasises the value of understanding how the different types of certificate usage affect the type of file used to transport a certificate. Other certificate stores may have different rules about formats. It is worth investigating the destination location's requirements before attempting to create certificate files for its use.

  4. Specify the file that you exported from Internet Explorer.

    A message should pop up telling you that this certificate already exists. This confirms that the file was correctly formatted and read by the import tool.


Copyright © 2009 Micro Focus (IP) Ltd. All rights reserved.