Certificates and private keys

X.509 certificates and their corresponding private keys are central to TLS. If you are involved in Enterprise Server administration, it is important that you understand at least the basics of certificates and private keys.

There are official standards for certificates and keys. The major ones are described here. Many of these (the RFCs and the CA/BF Baseline Requirements) are freely available online. ITU standards such as X.509 typically must be purchased from a standards organization, but summaries and discussions can generally be found online to answer most questions.

X.509
This is the ITU standard for the digital certificates used with TLS. The current version is 3, and all modern systems should use X.509v3 certificates, which provide a number of important features for security and interoperability. X.509 draws on a number of other standards, such as X.400 (which defines the distinguished name syntax used for subject and issuer names in certificates); X.500 (online directories, the precursor of LDAP); and ASN.1 (data representation and encoding). Regarding the last, you might see references to certificates in DER encoding; this stands for Distinguished Encoding Representation, a serialization format for ASN.1. Sometimes you might see a file described as being in "DER format". This typically means the file is the raw binary DER, as opposed to the Base64-encoded DER found in PEM-formatted certificate files.
PEM
The Privacy-Enhanced Mail standards were an early specification for encrypted email. While PEM as an email system was eclipsed by PGP and S/MIME, the PEM file and data formats (including Base64 encoding) are often used with certificates and private keys. PEM is defined in various RFCs, and the PEM file format in particular was most recently updated by RFC 7468.
PKCS
The Public Key Cryptography Standards, PKCS#1 through PKCS#15, were published by RSA Security. For users and administrators working with TLS, the PKCS standards most commonly encountered are PKCS#7, sometimes used as a certificate file format (typically with a .p7 or .p7b extension); PKCS#8, a format for private-key files (.p8 or .p8b); PKCS#10, used for Certificate Signing Requests to a CA, among other things; and PKCS#12, a file format for holding multiple pieces of information. PKCS#12 is the standardized version of Microsoft's PFX format, and most .pfx files are actually PKCS#12. (The .p12 extension is also used.) PKCS#12 files can hold multiple certificates and keys, and can be partly or entirely encrypted, so they are often used to carry both a certificate (or certificate chain) and its associated private key.
PKIX
The Public Key Infrastructure (X.509) specification, RFC 5280 (as updated by its errata and some succeeding RFCs), is the Internet standard for using X.509 certificates with TCP/IP protocols, including TLS. PKIX imposes a number of requirements on the contents and use of certificates. Some of these are noted below.
CA/BF Baseline Requirements
The CA / Browser Forum is an industry group of representatives from commercial CAs and browser makers who meet to discuss and specify additional requirements for the use of TLS on the public Internet. The Baseline Requirements (at version 1.7.3 as of this writing) documents their standard. In principle, the Baseline Requirements do not apply to organizational CAs and TLS used within an organization, or between private parties; but since browsers typically enforce the requirements, even in private use some of them might need to be observed at least for HTTPS. Below we note some of the consequences of the Baseline Requirements for certificates.

Certificate Authorities

Do not use the DemoCA certificate authority shipped with Enterprise Server in production. DemoCA is not supported for production use. Use an organizational or commercial CA.

For organizational CAs, Microsoft Windows Server includes a CA role which can be used to create suitable certificates and to distribute the required root and intermediate certificates to Windows client systems using Group Policy. This is a straightforward choice for organizations using Windows extensively, though configuring it to create suitable certificates takes some research. For Linux and UNIX, there are various open-source CA packages available.

Certificate validation types

When certificates are issued by a CA, the identity of the party requesting the certificate can be validated in one of three ways:

Organization Validation (OV)
An OV certificate is issued either within an organization, so (in theory) the request is authenticated using organizational channels; or it is issued by a commercial CA based on an official statement from the requesting organization that offers some proof of identity and authorization.
Domain Validation (DV)
A DV certificate is generated, usually through an automated process, for a specific fully-qualified domain name, and the request is validated by checking for certain DNS entries in the domain. The theory of DV certificates is that if someone controls DNS for a domain, they effectively own that domain and so it is appropriate to grant them DV certificates for systems in it. This is the approach used by Let's Encrypt.
Extended Validation (EV)
An EV certificate implies additional steps were taken to validate the certificate request. Typically these include additional paperwork and confirmation by staff at the issuing CA. EV certificates are also substantially more expensive, and are controversial in the industry, with some commentators suggesting they add little additional security. Browsers used to indicate to users when a site offered an EV certificate, but Chrome at least has stopped doing so.

The type of certificate validation does not matter to any Enterprise Server component. There is probably no significant benefit to using EV certificates with Enterprise Server.

Certificate properties

If an organization is generating its own certificates, it is important to ensure they follow best practices for their contents and options. Even with an external CA, the Certificate Signing Request (CSR) or other material provided to the CA should be sure to specify the appropriate parameters. Micro Focus recommends:

Names
Server certificates, and other certificates which identify computers by their network names — such as hostnames, fully-qualified domain names (FQDNs), and IP addresses — should list those names in Subject Alternative Name (SAN) extensions. Certificates which identify other entities such as people and applications should use a Subject Distinguished Name (Subject DN) with appropriate components.

At one time certificates for computers put the hostname or FQDN in the Common Name (CN) component of the Subject DN, but PKIX and CA/BF Baseline Requirements now require the use of SANs, and conforming implementations are not permitted to use the CN when validating a certificate they receive from a peer. The use of CN in a Subject or Issuer name is deprecated by CA/BF.

When generating a certificate or CSR for a server, specify a SAN for each name you might use to contact the server. Often that means a SAN for both the FQDN and bare-hostname forms of the server's canonical name, and if the server has aliases that clients might use, SANs for those (in both FQDN and bare-hostname forms) as well. If the system has a fixed IP address and clients can contact it using that address directly rather than resolving a hostname, you might want to have a SAN for the address as well.

For example, assume an enterprise server instance running on a system named corpserv, in the domain corpdom.com. For convenience, the organization has given this system the alias esserv. It has been permanently assigned the IPv4 address 10.2.5.18 and the IPv6 address fd0f:14d7:e62c:1234::0005:0012. For such a server we might want to request a certificate with the following Subject Alternative Names:
  • DNS:corpserv
  • DNS:corpserv.corpdom.com
  • DNS:esserv
  • DNS:esserv.corpdom.com
  • IP:10.2.5.18
  • IP:fd0f:14d7:e62c:1234::0005:0012
The idea is to create a certificate which adequately and uniquely identifies this computer, but accommodates all the names that a client might reasonably use in trying to connect to it using TLS.
Note: Some clients, such as the Chrome browser, now require a SAN when validating a server certificate.
Wildcards
Micro Focus recommends against the use of wildcard certificates for use with Enterprise Server, because of the risks associated with losing control of the private key for such a certificate.
Algorithms and key sizes
Each certificate has a signing algorithm and a public key. The signing algorithm must be a modern, strong algorithm; for example, signing algorithms using the MD5 hash are no longer allowed by many implementations. Keys should be adequately strong. The CA/BF requirements currently specify a minimum of 2048 bits for an RSA key, for example.
Validity dates
Every certificate contains two validity date-and-time fields: a not-valid-before and a not-valid-after. Currently the CA/BF requirements limit the total validity period for entity (server, client, user, and so forth) certificates to 398 days. Some browsers and other peers might enforce this. Currently, Chrome ignores this requirement for certificates which are issued by organizational CAs, but best practice is probably to issue certificates good for slightly more than one year, and schedule renewing them annually.
Serial number
Every certificate issued by a CA should have a unique serial number. CA/BF requires the serial number be positive and have at least 64 bits, which is why serial numbers for certificates issued by commercial CAs are very long (for example, 09:4a:51:9b:32:a5:b4:00:38:14:c5:ef:29:bf:8d:48 for the current certificate for www.microfocus.com). Sufficiently recent CA software should be able to generate serial numbers of this form. Some browsers and other peers may insist on serial numbers that meet this requirement.
Basic constraints
All entity certificates (server certificates, and other certificates which are not CA root or intermediate certificates) should have the Basic Constraints extension with the CA flag set to false. This is optional under the standards but good practice.
Key usage and extended key usage
Best practice is to issue each certificate for as narrow a use case as is feasible, and to set these appropriately for that use case. For example, a server certificate should have its Key Usage set to Digital Signature and Key Encipherment, and its Extended Key Usage to TLS Web Server Authentication.

Under the CA/BF rules, key usage is optional and extended key usage is required.

CRL distribution points and authority information access
These extensions deal with certificate revocation information. Certificate revocation is a fraught practice with numerous problems, and neither of the available mechanisms (Certificate Revocation Lists or CRLs, and the Online Certificate Status Protocol or OCSP) work very well, so many organizational CAs do not implement or make use of revocation, and many applications skip revocation checks. Currently no Enterprise Server components make revocation checks.

However, revocation still has a role in the industry, and the CA/BF have certain requirements regarding it.

CA/BF baseline requirements make the CRL Distribution Points extension optional, so it can be omitted.

CA/BF baseline requirements make the Authority Information Access extension mandatory, and require that it include an OCSP responder URL. They also note that the AIA extension should include a URL for retrieving the root certificate of the certificate chain. Currently it seems all browsers will ignore violations of this requirement, at least for organizational CAs, but that could change.

Authority key identifier (AKID) and subject key identifier (SKID)
The AKID and SKID extensions uniquely identify the public key of the certificate (SKID) and the certificate that signed it (AKID). They make it easier for an application which is validating a certificate to construct the certificate chain back to a trust anchor (typically a root certificate). CA/BF requires the AKID extension; best practice is to provide both.
Certificate policies extension
CA/BF requires the Certificate Policies extension. Micro Focus is unaware of any browsers or other clients which currently enforce this requirement.

Key hygiene

Key hygiene refers to good practices with private keys. Private keys are highly sensitive data, even when they are only used for testing purposes.

Consider the following scenario:

  • An organization creates a key pair for a test system, and a certificate for the system, so they can test with TLS.
  • For convenience, they use their organizational CA to issue the certificate. This way browsers within the organization (which have the appropriate trust anchors) will trust this certificate.
  • An attacker penetrates the internal network, obtains the certificate (from the server), and obtains the private key (because it was not adequately protected).
  • The attacker sets up a hostile server, and uses DNS cache poisoning or another technique to redirect traffic to the hostile server.
  • Now the attacker can use social engineering or other techniques to trick employees into connecting to the hostile server and submitting sensitive data such as credentials. Because the certificate is signed by the organizational CA, the browsers will not show any warnings.

Currently, Enterprise Server only supports storing private keys in key files, so protecting the private key is a matter of protecting the contents of those files and the files themselves.

Micro Focus recommends using an encrypted key file. Most key file formats, including PEM, PKCS#8, and PKCS#12 support encrypting the key data. Encrypting the file means the attacker must guess (including by brute force) the passphrase needed to unlock the key, or get the passphrase from another source. That increases the attacker's work factor.

Set permissions on the key file restrictively. Ideally, as discussed in the topic on filesystem permissions, Enterprise Server should run under a dedicated user account, and only that account should have read access to the private-key file. This is particularly important if the key is not encrypted, but a good practice in any case.

Restrict access to the private key to only those employees who have a business requirement for it. Do not share it with Micro Focus. Micro Focus Support, Professional Services, or Pre-Sales might ask for copies of your certificates; providing those is safe. Do not include the private keys. Micro Focus might occasionally ask for information about the private key, such as the modulus of an RSA key, in order to confirm that a private key matches the public key in a certificate; providing that is safe. Micro Focus will not ask for the private key itself.

Private keys corresponding to CA root and intermediate certificates are particularly sensitive. Industry best practice is to never store the private key for a CA root on non-removable media; keep it only on removable media or in a Hardware Security Module (HSM) and attach it only in order to generate new root or intermediate certificates.

Managing keys and supplying passphrases

If a private key is compromised, all certificates which use that key pair must immediately be revoked. A new key pair should be generated and the certificates re-issued and replaced.

A given key pair can be used for more than one certificate. Each customer will have to determine whether they prefer to manage a larger set of keys, or risk having to revoke and re-issue more certificates if a key is compromised.

In the previous section, Micro Focus recommended encrypting keys in key files. The disadvantage of encrypting the key is that the passphrase to unlock the key must be supplied when the key is first used by a process. For Enterprise Server that typically means supplying it at region startup. MFDS, ESCWA, and other cases are discussed below.

Note: Currently Enterprise Server also requests a certificate passphrase. In practice certificates are almost never encrypted, and so this passphrase is usually empty, but it needs to be supplied. Certificate passphrases can be provided in the same manner as key passphrases. See your product Help for more information.

There are various ways of providing the key passphrase:

  • Enter it manually after the enterprise server region has started. When a TLS-enabled listener is asked to start but the keyfile passphrase is not supplied in any other manner, the listener is put into a "start pending" state. Then a web form, linked to by ESCWA and MFDS, can be used to enter the passphrases and complete startup. This avoids having the passphrase stored for an attacker to find, but means that server startup requires this manual step.
  • Put it in the mf-server.dat file. In this case it is important to set restrictive file permissions on mf-server.dat. Beginning with release 8.0, the mf-server.dat file can also be used to specify passphrases contained in the Enterprise Server Vault facility.
    Note: You can use the Micro Focus Vault Facility to store a secret for the certificate and keyfile pass phrases. This can be specified in the mf-server.dat file and takes the following form:
    mfsecret:configuration-name:secret-path

    or:

    mfsecret::secret-path

    or:

    mfsecret:secret-path
  • Use the ESCERTPAS user exit to supply the passphrase. ESCERTPAS is documented for supplying passphrases for the CICS Web Interface feature, but it can also be used for regular Enterprise Server listeners. An advantage of ESCERTPAS is that the exit can, in principle, do anything to get the passphrase. The sample exit program just hard-codes passphrases, but an implementation could retrieve them using some more-secure mechanism.

In future releases, Enterprise Server will likely support other passphrase and key storage options, such as the increased use of the Enterprise Server Vault facility, the Windows certificate and key store, and HSMs using the OpenSSL PKCS#11 interface.

For MFDS and ESCWA, the key passphrase is specified in the configuration or kept in the Vault Facility.

For clients using MFCC, key passphrases can be supplied programmatically, but few clients support this option. Instead, keys can be specified in mf-client.dat files, either directly or using the Vault.

Clients and servers that use CCI directly, such as Fileshare and the Mainframe Access client, can supply passphrases as part of the CCI machinename string.

See your product Help for more information.