
Certification Authorities with the release of NetWare 5

Articles and Tips: qna

01 May 1998


Q.

What kinds of Certification Authorities will Novell support with the release of NetWare 5?

A.

The Public Key Infrastructure Services (PKIS) component of NetWare 5 will include (for free!) the capability of acting as a Certification Authority (CA) and issuing certificates. This will be for servers only in the first release; support for end-user certificates will be made available in a subsequent update.

The PKIS certificate generation process is controlled by the network administrator, using NWAdmin. If a certificate is issued by PKIS, the public/private key pair is generated by the Novell International Cryptographic Infrastructure (NICI) component of NetWare. The wrapped (encrypted) private key and the certificate are stored in Novell Directory Services (NDS), ready for use by a NICI-enabled application such as our LDAP/SSL server. Since NICI ensures that the proper international cryptography is available, developers do not need to learn cryptography or deal with import-export issues such as "crypto-with-a-hole." Novell has solved those problems.

Because we recognize that other applications (especially client software such as browsers) consume public key certificates, PKIS is capable of exporting the resulting certificate to a file so that applications such as the Netscape browser can import them. This allows applications that are not yet NICI-enabled and/or NDS-aware to use PKIS-generated certificates.

The primary intent of the initial PKIS offering is to support the use of digital signatures and encryption in an enterprise-wide NetWare environment. However, Novell also recognizes that companies that do business with external users or other companies may require a public CA to issue a certificate, so that the external relying party can have confidence in the organizational name assigned in the certificate. While the various Digital Signature laws are still evolving, we expect that this may soon be a requirement in some cases.

Because of this need, PKIS can also create a certificate signing request instead of generating the certificate itself. This PKCS #10 certificate signing request can be written to a file or cut and pasted into some other session, so it can be sent to any external public CA that accepts a standard PKCS #10 certificate signing request, such as VeriSign or (presumably) even GTE CyberTrust.

However, external CAs currently have rather specialized ways of supporting certificate requests, including clicking on specific sections of their own web page in order to generate certain features that may be needed for a particular browser (Netscape vs. Microsoft Internet Explorer, for example). Right now there are probably about 40 public CAs throughout the world, each with its own unique way of operating. Since Novell does not have the time to test them all for PKIS 1.0, testing for this initial release will be limited to interfacing with VeriSign.
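The flow the answer describes (generate a key pair, keep the private key wrapped at rest, build a PKCS #10 request, have a CA sign it, export the certificate for an application that cannot read it from the directory) is shown below as an added example using the openssl command line. This is not PKIS, NICI or NWAdmin code and it does not touch NDS; the organization name, host name, file names and the "changeit" passphrase are placeholders. It adds two checks the text does not spell out: the CSR's own signature is verified before anything is issued, and the public key in the issued certificate is compared against the key in the request, so a swapped key would be caught before the certificate is trusted.

```shell
#!/bin/sh
# Added example (not Novell/PKIS code): the PKIS certificate flow reproduced
# with openssl. All names, subjects and the passphrase are placeholders.
set -eu
WORK="$(mktemp -d)"

# Step 1: generate the server key pair (in PKIS this is done by NICI).
gen_server_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/server.key" 2>/dev/null
    # Also keep a wrapped (passphrase-encrypted) copy, the form in which PKIS
    # stores the private key in NDS. "changeit" is a placeholder passphrase.
    openssl pkey -in "$WORK/server.key" -aes-256-cbc -passout pass:changeit \
        -out "$WORK/server.key.enc" 2>/dev/null
}

# Step 2: build the PKCS #10 certificate signing request for the server.
# This file is what would be sent to an external CA such as VeriSign.
make_csr() {
    openssl req -new -key "$WORK/server.key" \
        -subj "/O=Example Org/CN=ldap.example.test" \
        -out "$WORK/server.csr" 2>/dev/null
}

# A PKCS #10 request is self-signed with the requester's key; any CA checks
# that signature before issuing. Returns 0 when it verifies.
verify_csr() {
    openssl req -in "$WORK/server.csr" -noout -verify >/dev/null 2>&1
}

# Step 3: act as the organization's own CA (the "PKIS issues it" path).
# -nodes leaves the CA key unencrypted purely to keep the demo non-interactive.
make_internal_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -subj "/O=Example Org/CN=Example Org Internal CA" -days 365 \
        -out "$WORK/ca.crt" 2>/dev/null
}
sign_with_internal_ca() {
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
        -out "$WORK/server.crt" 2>/dev/null
}

# Step 4: export the issued certificate as a DER file, the form a browser or
# other application that is not NDS-aware can import.
export_der() {
    openssl x509 -in "$WORK/server.crt" -outform DER \
        -out "$WORK/server.der" 2>/dev/null
}

# What a relying party does: check that the certificate chains to a CA it
# trusts. $1 is the trust anchor file. Returns 0 on success.
verify_against() {
    openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# The public key in the issued certificate must be the key from the request;
# a CA (or a tampered file) that substituted a key is detectable here.
cert_key_matches_csr() {
    csr_pub="$(openssl req -in "$WORK/server.csr" -noout -pubkey 2>/dev/null)"
    crt_pub="$(openssl x509 -in "$WORK/server.crt" -noout -pubkey 2>/dev/null)"
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$crt_pub" ]
}

run_demo() {
    gen_server_key
    make_csr
    verify_csr
    make_internal_ca
    sign_with_internal_ca
    export_der
    verify_against "$WORK/ca.crt"
    cert_key_matches_csr
    echo "issued $WORK/server.crt; CSR at $WORK/server.csr for an external CA"
}

run_demo
```

The external-CA path in the text is the same `server.csr` file handed to the public CA instead of `sign_with_internal_ca`; the returned certificate is then checked with `cert_key_matches_csr` and `verify_against` using that CA's root, which is exactly the check an outside relying party performs and the reason an externally issued certificate is worth having for an external audience.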

* Originally published in Novell AppNotes

