Certificate Authority using OpenSSL and PKI implementation, Checkpoint FW-1 PKI

Last Updated: Jun/02/2003
Comments/Errors To: rajeev@rajeevnet.com

OpenSSL Based PKI Implementation in Real World :: A Cookbook

Keywords: Openssl, PKI, Checkpoint FW-1, Digital certificates, Public/private keys, SSL based web server, Browser Certificates, Securemote PKCS#12 certificates, Freeswan X.509 certificates, Certificate revocation list (CRL).

General Introduction:
PKI (Public Key Infrastructure) is widely accepted standard for encryption and authentication. Many applications such as SSL based webserver, Checkpoint FW-1 IKE setup, B2B applications, E-mails, S/MIME etc can use PKI based solutions. Actual discussion and generic implementation details are beyond the scope of this document. But a good overview can be found from Sun's Blueprint: Public Key Infrastructure Overview by Joel Weise and Open Source PKI Book.

For scalable encryption systems usually two kind of encryption keys are used. Symmetric keys such as DES, 3DES, AES those are used for bulk encryption and Asymmetric keys such as Diffie-Hallman, RSA keys for greater protection and perfect forward secrecy. Although asymmetric keys are better and scalable but they are slow for encrypt and decrypt process. Symmetric keys are fast for encrypt/decrypt process but if hacker was able to guess your symmetric keys than data stream can be deciphered. Most encryption system these days deploy hybrid of Asymmetric and Symmetric keys for encryption. First authentication and initial session is setup based on asymmetric keys and then symmetric keys are exchanged over this initial encrypted channel and used for bulk data encryption. Most implementation re-negotiate symmetric keys after some time to avoid any hack attempt. Example of such applications are ssh, SSL based browser/Server communication, Checkpoint FW-1, Freeswan etc.

Asymmetric keys (RSA, Diffie-Hellman [DH]) has two part, private key and public key. Any entity such as user, host etc can have asymmetric key pair (by using program like Openssl). It is user's responsibility to safeguard private key, this the basis for all security here. Public key can be distributed openly and anybody can have your public key. Encryption/Digital signature based on Asymmetric key uses one key (public/private) at a time to encrypt/sign and use other key (private/public respectively) to decrypt/sign verification. As these keys are correlated with mathematical function which can calculate one way hash of data using keys. See for more details RFC2631:: Diffie-Hellman Key agreement Method.
Since public keys are openly available hence there are chances that remote entity advertising its public key is a spoofed public key. A typical example is Alice and Bob wants to exchange secret message based on DH key. Alice can use Bob's public key to encrypt message which only Bob can decrypt since Bob has its corresponding private key. Similarly Bob can encrypt message with Alice's public key which only Alice can decrypt since Alice has its corresponding keys.

Alice --->(message)+Bob's Public Key---->[ENCRYPTED]====>Bob's private key --->(message)-->Bob

There are two issues in above.
1. What if Bob looses his private key?
==> All bets are off in this case. So it is very important to safeguard private key.
2. What if third person Joe, spoof as Bob and present his public key to Alice saying this is really Bob's public key
==> Since Joe has corresponding private key, so if Alice is convinced that public key given by Joe is really Bob's public key, Any message encrypted by this key can now be decrypted by Joe. (Man in the middle attack).

In order to solve this last issue, PKI (Public Key infrastructure) is used. Where public keys are Digitally signed and issued in form of Digital Certificates. Digital certificates are like Passport which typically includes Entity name (CN:), Organization(O:), Country(C:), public key, Certificate authority signature etc. in X509 format (ASN.1 DER{Abstract Syntax Notation #1 - Distinguished Encoding Rule} or PEM {Privacy Enhanced Mail} format). Digital certificate are issued and signed by Trusted Certificate Authority (CA) by using its (CA) private key.

In above example in order to avoid man in the middle attack. Alice and Bob can use PKI i.e use some Trusted CA roughly following process below.

1. Alice create her public/private key pair. Safeguard private key.
2. Alice send Certificate creation request (CSR) to Trusted Certificate Authority (CA), sending public key etc. usually in PKCS#10 {Public Key Cryptography Standard #10} format.
3. CA will sign and issue digital certificate and send back to Alice. Like public key Alice can share this digital certificate to public.
4. Bob will download Trusted CA's digital certificate, which include public key information of Trusted CA for verification of signed certificates issued by CA to others (example: Alice's certificate)
5. Alice first present her Digital certificate to Bob containing Alice's public key. This digital certificate has been signed by trusted CA (using CA's private key) which can only be verified by CA's corresponding public key. Bob will verify public key (certificate) of Alice using CA's Digital certificate obtained earlier (which contained CA's public key).
6. In a similar way Bob sends his Digital certificate and verified by Alice.
7. Once agreed Alice can now use Bob's public key to encrypt data and send it to Bob which only Bob can decipher as he is the only owner of corresponding private key and vice versa.
8. In this case Joe can not spoof Bob's entity since Alice can always verify (Using Trusted CA's Certificate) whose public key Joe is presenting in form of certificate. So if Joe is trying to present fake certificate not signed by trusted CA, then Alice can always discard those.

In this document we will setup our own Certificate Authority (CA) and then sign certificates using that. Which can be used for Checkpoint FW-1, Freeswan, Securemote, SSL based web server etc. There are many Trusted CA available from where you can get digital certificates such Baltimore , RSA , VeriSign and, Thawte These CA will probably change money to issue certificates.

Setting up Openssl based CA using CSP:
Openssl is a command based utility available on most UNIX based machines we will be using Linux (RedHat 7.x) with opessl-0.9.6. Command line based perl package CSP can be downloaded from http://devel.it.su.se/projects/CSP and read its document http://devel.it.su.se/projects/CSP/cspguide.pdf about how to setup. Here quick setup hints as we setup.
Using plain Openssl commands are too arcane and difficult to manage. Package like CSP eases the management of certificate authority. For your reference Openssl commands used in background are also shown in this document also.

Entities used in this setup example:
caserver.mydomain.com: Certificate Authority Public Server
myCA: Name for Trusted Certificate Authority (CA)
checkpoint-fw: Checkpoint FW-1 firewall
freeswan-fw: Linux based Freeswan IPSec server.

Installation of CSP:

Pickup any Redhat 7.x (or any Linux/Unix box) with perl installed.
Make sure you have following Perl module

Date::Calc
Term::Prompt
Most perl distribution has CPAN module so you can directly install these module. As a root type and install module.

perl -MCPAN -e shell
>install Date::Calc
>install Term::Prompt

Create unix user 'ca' with /home/ca as $HOME
su - ca
cd $HOME; mkdir CSP
cd CSP; mkdir src;
cd src; Download latest version CSP (as of this writing CSP-0.26.tar.gz) in src/ area.
tar zxvf CSP-0.26.tar.gz ; cd CSP-0.26
perl Makefile.PL; make
(As a root): make install (This will install perl module CSP.pm in perl distribution and script csp in /usr/bin area)
Type csp --help to verify its installation.

Configuring CSP for Trusted CA: (Version 0.26, replace 0.26 with your version number of CSP-<version> )

Login as user 'ca'
cd $HOME/CSP/; mkdir 0.26
cd 0.26
cp -r $HOME/CSP/src/CSP-0.26/ca ca
cd ca; (pwd will show: /home/ca/CSP/0.26/ca here)
Define following ENV variable: (in your .cshrc if using csh)

setenv CSPHOME $HOME/CSP/0.26/ca
setenv OPENSSL /usr/bin/openssl

Logout and login as user 'ca' again so that these ENV variables are available.
Before you proceed. Edit all configuration templates in $CSPHOME/etc directory. We modified following file for our setup

extensions.conf: (Below is diff patch which shows what is modified as compared to original). Note we have added additional type TYPE_FIREWALL (for Firewalls {Checkpoint, Freeswan etc.} certificates), and changes in URI/URLs. Mainly we kept all URI/URLs going to public caserver.mydomain.com (actual caserver) for CA certificate download and CRL (Certification Revocation List) publication.

[ca@dolphin etc]$ diff -uNr extensions.conf.ORIG extensions.conf

--- extensions.conf.ORIG        Fri Nov 1 13:43:25 2002
+++ extensions.conf     Fri Nov 1 13:50:47 2002
@@ -36,17 +36,24 @@
extendedKeyUsage        = serverAuth
%endif

+## Good for Firewalls (FW-1{Checkpoint}, Freeswan etc.)
+%ifdef TYPE_FIREWALL
+nsCertType              = client, server, email, objsign
+keyUsage                = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
+extendedKeyUsage        = clientAuth,emailProtection,codeSigning,serverAuth
+%endif
+
##
## These extensions are always present
##

-nsCaRevocationUrl      = http://ca.example.com/crl-v1.crl
+nsCaRevocationUrl      = http://caserver.mydomain.com/myCA/crl-v1.crl
subjectKeyIdentifier    = hash
authorityKeyIdentifier = keyid,issuer:always
-authorityInfoAccess    = caIssuers;URI:http://ca.example.com/ca.crt
-crlDistributionPoints   = URI:http://ca.example.com/crl-v2.crl
+authorityInfoAccess    = caIssuers;URI:http://caserver.mydomain.com/myCA/ca.crt
+crlDistributionPoints   = URI:http://caserver.mydomain.com/myCA/crl-v2.crl
certificatePolicies     = ia5org,@certpolicy
-issuerAltName          = email:ca@example.com,URI:http://ca.example.com
+issuerAltName          = email:ca@Mycompany.com,URI:http://caserver.mydomain.com/myCA
subjectAltName          = @altnames

[ altnames ]
@@ -68,10 +75,10 @@

policyIdentifier       = 1.1.1.1.1
## Map this to a real document in your webserver configuration
-CPS.1                  = http://ca.example.com/CPS
+CPS.1                  = http://caserver.mydomain.com/myCA/CPS
userNotice.1           = @notice

[notice]

-explicitText="Limited Liability, see http://ca.example.com/CP"
+explicitText="Limited Liability, see http://caserver.mydomain.com/myCA/CP"

types.txt: Corresponding entry for TYPE_FIREWALL are defined in this file. diff shown below .

[ca@dolphin etc]$ diff -uNr types.txt.ORIG types.txt
--- types.txt.ORIG Wed Mar 13 16:44:34 2002
+++ types.txt Wed Mar 13 16:44:53 2002
@@ -3,3 +3,4 @@
objsign:Object Signing Certificate
ca:CA Certificate
root:Self-Signed Root Certificate
+cpfw1:Firewall Certificate

public_html/: Change all template files here to reflect your site.
All these file are base template files, in next step we will create CA and these files will be copied over there. Those are the real files used for CA operations.

Creating Certificate Authority (You can create multiple here. But use one at a time only:

Note: CSP will run all openSSL command based on selected --type (by creating appropriate configuration file for openssl -config option) entry for you automatically in background. For only reference purpose corresponding openSSL commands are listed here. You need not run those commands for CA operations. They are just shown here for example.

myCA: Certificate Authority name.

cd $CSPHOME
csp myCA create (Will create CA name myCA now. directory $CSPHOME/csp/myCA created here)
cd $CSPHOME/csp/myCA; mkdir csr (Create directory for storing certificate requests)

csp myCA init --keysize=2048 --days=7300 'CN=caserver.mydomain.com,O=Mycompany Inc., C=US'

(Create CA keys{$CSPHOME/csp/myCA/private/ca.key, and CA certificate {$CSPHOME/csp/myCA/ca.crt} here, for given DN: , 2048 size and 20 years, remember password given here, This will create ca.crt (CA certificate) and private/ca.key is private CA key ). You can also setup subordinate CA which is defined in CSP package document.Below is corresponding openSSL command for above csp command (only for reference)

/usr/bin/openssl genrsa -des3 -passout stdin -out /home/ca/CSP/0.25/ca/csp/myCA/private/ca.key 2048

/usr/bin/openssl req -config /home/ca/CSP/0.25/ca/csp/myCA/tmp/csp-21098.conf -x509 -sha1 -days 7300 -key /home/ca/CSP/0.25/ca/csp/myCA/private/ca.key -passin stdin -new -out /home/ca/CSP/0.25/ca/csp/myCA/ca.crt

This is it. Your CA is now ready to issue certificates. Whenever you issue/sign certificates they will be serial numbered (<nn>.pem, where nn is serial number) and put in $CSPHOME/csp/myCA/certs/ directory.

CA Operations (Creating/issuing Digital Certificates):

Case [1] : Issuing Certificate for Checkpoint FW-1 network objects :
(As if this writing latest released version is Checkpoint FW-1 NG FP2)

IMPORTANT NOTE: While writing this document and playing with Checkpoint FW-, I found important observation for FW-1(module) certificates. When Checkpoint FW-1 module present certificate to its peer (Another Checkpoint FW-1, Freeswan Gateway (X509 patched), PIX firewall etc) with which IKE to be established. FW-1 always present firewall module external IP address as its Certificate ID method instead of DER_ASN1 DN(Distinguished Name) ID such as (CN=checkpoint-fw,O=Mycompany Inc.,U=US). Even if you issue/sign FW-1 certificate without "subjectAltName: of type(:IP address)". Hence it is *MUST* to sign/issue FW-1 certificate using "subjectAltName: <IP address of FW-1 module>". If you fail to do so, FW-1 to FW-1 IKE may work, but FW-1 to others(Freeswan{X509 patched}, Cisco PIX) etc will fail. So to be safe always sign FW-1 module certificate using "subjectAltName: <IP address of FW-1 module>" as shown below.

Let's say we have firewall(FW-1) module named 'checkpoint-fw' Network Object for which certificate is to be created. These certificates can be used in IKE setup for site to site and client to site (Securemote) encryption.

First define your CA server in FW-1 management gui. Servers->New->CA-> [Name: caserver.mydomain.com], [CA Type: OPSEC PKI], Under (OPSEC PKI) button select [HTTP SERVER] for CRLs. Refer Checkpoint's document for how to create CA server.
Obtain ca.crt file from your trusted CA (myCA). ($CSPHOME/csp/myCA/ca.crt) and Supply this file after pressing [Get] button under (OPSEC PKI). This will load Certificate for Certificate Authority defined in FW-1 GUI.
Now you can attach certificate to network objects/firewall objects those are distributed by this management station. Let's say we need to create certificate for firewall object 'checkpoint-fw'
Click 'checkpoint-fw' network object, click on Certificate -> Add -> [Give any Nick Name: lebabon-fw-crt] , select CA server as 'caserver.mydomain.com'. Click on [Generate], that will generate key pairs and Certificate Creation request (CSR). Give DN:(Distinguished name): (example: CN=checkpoint-fw,O=Mycompany Inc.,C=US).
Click on [VIEW] that will show PEM encoded csr. Cut and paste that PEM text on CA server (myCA) under directory $CSPHOME/csp/myCA/csr/checkpoint-fw.csr (Typical .csr looks like)

-----BEGIN CERTIFICATE REQUEST-----
MIIBdzCB4QIBADA4MQswCQYDVQQGEwJVUzEUMBIGA1UEChMLRmx1ZW50IEluYy4x
EzARBgNVBAMTCmxlYmFub24tZncwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
AM6LYFwWYRMkdZPeRpYKe70Ds3KnbE9cyGKca7TK7N0MZ4WkdHCUhHRNP5L4vQIs
++Yt37VI8FZ7OlgbXC0ZEoOPzoJVh0MpqJblV9Y9Lm4Dl5pgYma18JNoiV4fgF2F
P2g/mCATkv+qJSybV9/zupZ1LFRh2ARP7YboocdMGlIDAgMBAAGgADANBgkqhkiG
9w0BAQUFAAOBgQC39TTsVgZ5RLh30V5Um6XmrvPZ/whl9p2j7FpsNswChlAqw7FC
PN+vRwXiDHImn+fUb8BMsN6MtD3IjJGtDAf2TrFYHXjGv2coH3fsj7Lygg4OEDbq
Xw7N0hmHh8ITonwZOU0eEfBuQxrZxDsa2qrL9ZDCWtyAYR9ltY9kvjyVQg==
-----END CERTIFICATE REQUEST-----

on CA server, cd $CSPHOME/csp/myCA/csr and run command below. Note we are using --type=cpfw1, which will add all attributes and key extension mentioned in config files before for TYPE_CPFW1. Here you can also define Subject-Alt-Names (such as --ip=<ip address of FW-1 module> etc. (THIS IS VERY IMPORTANT if you planning to setup IKE between FW-1 and other type of VPN devices such as Freeswan (X509 patched), PIX etc.)

csp myCA sign --type=cpfw1 --days=3650 --ip=192.168.0.1 --csrfile=checkpoint-fw.csr

This will create/sign certificate for checkpoint-fw for 10 years, with [subjectAltname: (IP:192.169.0.1) ] certs are placed in certs/<nn>.pem file where <nn> is serial number. Corresponding openSSL command here (only for reference)

/usr/bin/openssl ca -config /home/ca/CSP/0.26/ca/csp/myCA/tmp/csp-21131.conf -batch -md sha1 -days 3650 -passin stdin -preserveDN -outdir /home/ca/CSP/0.26/ca/csp/myCA/certs -in checkpoint-fw.csr

So suppose we get this cert as certs/01.pem copy this on Firewall management GUI (say checkpoint-fw.crt) and for network object 'checkpoint-fw', Certificates -> [GET] read this file now. Firewall validate this certificate against caserver.mydomain.com and Accept this certificate now. Click on [View] which will show this certificate. Typical Certificate view in FW gui reads like: (Depending upon FW-1 version this may look different)

Subject: CN=checkpoint-fw,O=Mycompany Inc.,C=US
Issuer: C=US,O=Mycompany Inc.,CN=caserver.mydomain.com
Not Valid Before: Wed Mar 13 18:37:01 2002 Local Time
Not Valid After: Sat Mar 10 18:37:01 2012 Local Time
Serial No.: 1
Subject Alternate Names -
CRL distribution points::
    http://caserver.Mycompany.com/myCA/crl-v2.crl
Key Usage:
    digitalSignature
    nonRepudiation
    keyEncipherment
    dataEncipherment
Fingerprint: FE:28:45:2F:39:F4:5E:E7:3E:DE:C2:79:93:DF:25:88

Once certificate is defined for checkpoint-fw, click on [VPN] tab and define IKE properties. Make sure you define following VERY CAREFULLY:

[Support Key Exchange Encryption with]: (DES, CAST, 3DES). Select only what is supported by this firewall module. Uncheck any options if this Firewall doesn't support or have license for. Suppose 'checkpoint-fw' is a DES version (not 3DES or strong) then check only [DES] option and uncheck all others. THIS IS VERY IMPORTANT OTHERWISE IKE MAY FAIL TO ESTABLISH.
[Support Authentication Method]: If [Pre Shared Secrets] and [Public Key signatures] both are defined then Pre-Shared Secrets are tried first. For [Public Key Signature], select [configure] and attach certificate nickname which you have created earlier as checkpoint-fw-crt. (You may have more than one certificate per object with different Nick names and DN:)
Define other options as per your needs.

This firewall 'checkpoint-fw' object is now ready to use IKE with PKI based Certificates.
YOU MUST CREATE CRL LIST AND PUBLISH ON WEBSERVER AS MENTIONED IN CONFIGURATION FILE ( http://caserver.mydomain.com/myCA/crl-v2.crl and http://caserver.mydomain.com/myCA/crl-v1.crl ). Make sure your firewall module will be able to access these files. OTHERWISE FW-1 IKE WON'T BE ABLE TO START ANY COMMUNICATION. Obtaining correct CRL is very crucial for IKE operation in FW-1 module. Even if there is no revoked certificates you *MUST* create CRL list and publish to the web. See section below for creating and publishing CRL list.
When you load Firewall policy from GUI or fwstop;fwstart from FW-1 module, it may try to download CRL list from mentioned CRL location. You can verify this in your Web server access log files. If you don't see any such logs make sure FW-1 is actually able to get to this webserver. There may be DNS issues, FW-1 rulebase issue etc if you don't see logs. You *MUST* fix this before you proceed for any IKE operation in FW-1. Once CRL successfully downloaded firewall may try to download again after CRL expiration period (typically 30 days or so)
Special Note for FW-1: For firewall object VPN IKE properties as well as Encryption properties in any firewall rule using IKE as encryption protocol, Select only those encryption that is supported (licensed) on this FW-1 module. So if FW-1 module supports only DES, uncheck all 3DES, AES, CAST etc options. If you fail to do so Firewall may not setup IKE encryption.

Case [2]: Issuing Certificate for Apache SSL server:
If you setup mod_ssl based apache server, apache will do most job for you like key pair creation, Certificate request generation. Simply obtain certificate request in PKCS#10 format from apache server say 'apache-server.csr' file and sign using command below.

csp myCA sign --type=server --days=3650 --csrfile=apache-server.csr

copy resultant certificate from $CSPHOME/csp/myCA/certs/<nn>.pem to apache server and optionally send your CA key $CSPHOME/csp/myCA/ca.key if server intends to do client authentication based on certificates signed by this CA.
Corresponding openSSL command (just for reference)

/usr/bin/openssl ca -config /home/ca/CSP/0.26/ca/csp/myCA/tmp/csp-21140.conf -batch -md sha1 -days 3650 -passin stdin -preserveDN -outdir /home/ca/CSP/0.26/ca/csp/myCA/certs -in apache-server.csr

Case [3]: Creating Freeswan certificate:
Freeswan (http://www.freeswan.org) won't have X509 certificate support out of the box. Rather it uses secureDNS and opportunistic encryption to verify public keys. If you want to inter operate Freeswan with firewalls such as FW-1 either you can use "Pre Shared Secret" which is easy to setup, otherwise you need to patch Freeswan distribution with X509 patch (as of this writing Freeswan-1.97 and X509 patch 0.9.9) from http://www.strongsec.com/freeswan/. Read site document on how to setup Freeswan with X509 support, this is beyond the scope of this document. This section quickly explain about how to create Digital Certificate for Freeswan gateway.

Generate private key and issue digital certificate on CA (myCA) itself. This is easier to follow. (You can generate key pair of Freeswan gateway also, send CSR to myCA and sign, it is your choice). Let's say Freeswan gateway is 'freeswan-fw'. Command below will generate private key for 'freeswan-fw' in $CSPHOME/csp/myCA/private/keys/<nn.key> and digital certificate in $CSPHOME/csp/myCA/certs/<nn.pem>. It is good idea to protect private keys with password here. Note --type=freeswan used here, which is defined earlier in CA setup steps.

csp myCA issue --type=freeswan --days=3650 'CN=freeswan-fw,O=Mycompany Inc.,C=US'

READ Freeswan(X509) patch document for detailed instruction. Below is specific case study.

copy private key $CSPHOME/csp/myCA/private/keys/<nn.key> to Freeswan(X509 patched) gateway as file /etc/ipsec.d/private/freeswan-fw.key
copy certificate $CSPHOME/csp/myCA/certs/<nn.pem> to Freeswan(X509 patched) gateway as file /etc/ipsec.d/certs/freeswan-fw. pem
If freeswan(X509 patched) gateway is also expecting certificate in DER format. Convert it using following command, on Freeswan(X509patched) gateway.

openssl x509 -in /etc/ipsec.d/certs/freeswan-fw.pem -outform DER -out /etc/x509cert.der

Copy CA certificate $CSPHOME/csp/myCA/ca.crt to Freeswan(X509 patched) gateway as file /etc/ipsec.d/cacerts/ca.crt
Copy CRLs $CSPHOME/csp/myCA/{crl-v1.crl,crl-v2.crl} to Freeswan(X509 patched) gateway in directory /etc/ipsec.d/crls/
Copy certificates for all Gateways/Firewalls with which Freeswan(X509 patched) gateway wants to establish IKE(IPSEC) in directory /etc/ipsec.d/* (including its own certificate)
Edit /etc/ipsec.conf to define authentication by certificates. See another documents.
Define RSA private key location in /etc/ipsec.secrets.

: RSA /etc/ipsec.d/private/freeswan-fw.key "<optional-pass phrase>"

You may prefer to remove password on private key by running following command on Freeswan(X509 patched) gateway.

openssl rsa -in passworded-key.pem -out /etc/ipsec.d/private/freeswan-fw.key

Case [4]: Creating PKCS#12 object (For use of client authentication in netscape, Internet Explorer, Microsoft Outlook etc.)

Netscape and Internet explorer can accept PKCS#12 object. PKCS#12 contains private keys and certificates generated on CA itself. This is useful for browser's client authentication with SSL based web server. For example if you want to protect directory DocumentRoot/protect such that client who can verify themselves based on certificates are allowed in, then under apache you can define config files (under SSL section)

<Location /protect>
     SSLVerifyClient require
     SSLVerifyDepth  1
</Location>

In this case client will use Digital certificate and private key to authenticate with SSL based web server. PKCS#12 object can be created by using following command. Since PKCS#12 contains private keys so if possible transfer this object to user using out of band method such as floppy etc and atleast protect password and PKCS#12 object itself by password.

First issue certificate, i.e create private key and sign certificate on CA itself. Let's say it creates Certificate serial number 01. If you are planning to use such certs for S/MIME based mailers then use Subject-Alt-Name --email also as mentioned below.

csp myCA issue --type=user --days=365 --email='myemail@mydomain' 'CN=userid,O=Mycompany Inc.,C=US'

Corresponding openSSL command (only for reference)

/usr/bin/openssl genrsa -des3 -passout stdin -out /home/ca/CSP/0.26/ca/csp/myCA/tmp/request-21148.key 1024

|/usr/bin/openssl req -config /home/ca/CSP/0.26/ca/csp/myCA/tmp/csp-21148.conf -new -sha1 -key /home/ca/CSP/0.26/ca/csp/myCA/tmp/request-21148.key -out /home/ca/CSP/0.26/ca/csp/myCA/tmp/request-21148.csr -passin stdin

|/usr/bin/openssl ca -config /home/ca/CSP/0.26/ca/csp/myCA/tmp/csp-21158.conf -batch -md sha1 -days 365 -passin stdin -preserveDN -outdir /home/ca/CSP/0.26/ca/csp/myCA/certs -in /home/ca/CSP/0.26/ca/csp/myCA/tmp/request-21158.csr

Now bundle both private key and certificate in PKCS#12 object using command below for Certificate serial # 01 as created in last step.

csp myCA p12 01

This will put PKCS#12 object in $CSPHOME/csp/myCA/p12/ directory, send this file to client now and import in netscape, Internet explorer or Microsoft outlook etc. Make sure you protect private keys with password. Corresponding openSSL command (only for reference)

/usr/bin/openssl pkcs12 -export -des3 -certfile /home/ca/CSP/0.26/ca/csp/myCA/ca.crt -inkey /home/ca/CSP/0.26/ca/csp/myCA/private/keys/01.key -in /home/ca/CSP/0.26/ca/csp/myCA/certs/01.pem -out /home/ca/CSP/0.26/ca/csp/myCA/p12/01.p12 -passout stdin -passin stdin

Case [5]: Generating/Issuing Certificate for Checkpoint's Securemote/Secureclient (SR/SC) Users as PKCS#12 object.
If you are using Checkpoint's VPN client (Securemote/Secureclient) on PC. You can use authentication method as Public Key/Certificate for IKE method. For which you need to generate and send PKCS#12 object to Securemote/Secureclient user. Generate PKCS#12 object as described in above step (Case 1D) and send it to SR/SC user. So on CA, Run these two commands.

csp myCA issue --type=user --days=365 'CN=userid,O=Mycompany Inc.,C=US'

See Case[4] for sample openSSL commands for above. Do not give private key password here. SR/SC user will setup this password later on SR/SC desktop.

csp myCA p12 01

Give password here which will protect PKCS#12 object itself. Let this password know to end user also by some out of band method.

Below are quick steps to import PKCS#12 in SR/SC.

Obtain PKCS#12 object from certificate authority, which contains private key and digital certificate. This object may be password protected itself. Let's say this object is 'userid.p12'
Open SR/SC window. Certificate -> Import . Browse and select 'userid.p12' file. If this file (PKCS#12 object) is protected by password, enter password here. (Note: PKCS#12 object password and private key password with in PKCS#12 object are two different thing)
Click on "Save As" save as Entrust profile (.epf). (example userid.epf) Enter new password. This is the password protecting private key/profile now. Tell SR/SC users not to share this password given here with anybody else.
Create a site, download topology and set password as 'using certificate' and point to this userid.epf file for authentication.

CA Operations (Certificate Revocation List):
Case [1]: Revoking Certificate and creating CRL list and Publishing to Web:
Often times you need to revoke certificate. Which can be done by using command.

csp myCA list (Will list Valid certificates under CA: myCA)

csp myCA revoke 01

Will revoke Certificate with Serial# 01, Use correct serial number for you. Corresponding openSSL command here (only for reference).

/usr/bin/openssl ca -config /home/ca/CSP/0.26/ca/csp/myCA/tmp/csp-21205.conf -passin stdin -batch -revoke /home/ca/CSP/0.26/ca/csp/myCA/certs/01.pem

csp myCA list --all (Certificates: Valid, Expired and Revoked)

csp myCA gencrl

(Will generate CRL list. It is always good idea to generate CRL list after every certificate creation/sign/issue request.) Corresponding openSSL commands here (only for reference)

/usr/bin/openssl ca -config /home/ca/CSP/0.26/ca/csp/myCA/tmp/csp-21216.conf -batch -passin stdin -gencrl -crldays 30 -out /home/ca/CSP/0.26/ca/csp/myCA/crl-v1.pem

/usr/bin/openssl crl -outform DER -out /home/ca/CSP/0.26/ca/csp/myCA/crl-v1.crl -in /home/ca/CSP/0.26/ca/csp/myCA/crl-v1.pem

|/usr/bin/openssl ca -config /home/ca/CSP/0.26/ca/csp/myCA/tmp/csp-21216.conf -batch -passin stdin -gencrl -crldays 30 -crlexts crl_extensions -out /home/ca/CSP/0.26/ca/csp/myCA/crl-v2.pem

/usr/bin/openssl crl -outform DER -out /home/ca/CSP/0.26/ca/csp/myCA/crl-v2.crl -in /home/ca/CSP/0.26/ca/csp/myCA/crl-v2.pem

csp myCA genpublic --export=/dev/fd0 (Will generate public website content which contains CA certs, CRL list etc. and put it on floppy /dev/fd0, assuming CA server is disconnected from network) You can export to any directory --export=/home/WWW/htdocs/csp . If you are choosing so then transfer content of /home/WWW/htdocs/csp/* to public webserver. Especially make sure files /home/WWW/htdocs/csp/crl-v1.crl & /home/WWW/htdocs/csp/crl-v2.crl will be copied to caserver.mydomain.com such that they can be accessed as http://caserver.mydomain.com/myCA/crl-v2.crl. Rest can be copied to caserver.mydomain.com where you can see certificate authority status by typing http://caserver.mydomain.com/myCA/index.html

Reference:
[1] Sun's Blueprint: Public Key Infrastructure Overview
[1a]Open Source PKI Book.
[2] RFC2631:: Diffie-Hellman Key agreement Method.
[3] Verisign
[4] CSP: (Certificate Service Provider) web site.
[5] Freeswan: IPSec Solution for Linux.
[6] X509 patch for Freeswan.
[7] OpenSSL :: Secure Socket Layer project.
[8] PKI Resources