MobiLink Synchronization User's Guide
Transport-Layer Security
Enterprise root certificates
The first step in setting up an enterprise-level system is to generate the common self-signed certificate. To generate this root certificate, start gencert with the -r option.
>gencert -r
Certificate Generation Tool
Choose certificate type ((R)SA or (E)CC): E
Generating key pair...
Country: CA
State/Province: Ontario
Locality: Waterloo
Organization: Sybase, Inc.
Organizational Unit: IAS
Common Name: MobiLink
Serial Number: 2003.07.29.02
Certificate valid for how many years: 2
Enter password to protect private key: password2
Enter file path to save certificate: ent_root.crt
Enter file path to save private key: ent_root.pri
Enter file path to save server identity: ent_serv.crt
The utility creates three files, which in this example are called ent_root.crt, ent_root.pri, and ent_serv.crt.
ent_root.crt: This file contains the new root certificate. Publish it, because every client needs a trustworthy copy of it to verify the servers' certificates.
ent_root.pri: This file contains the private key that matches the public key encoded in the certificate.
ent_serv.crt: This file contains the contents of the above two files combined (certificate plus private key). It is intended for use with a MobiLink synchronization server.
The first two of these three files can be used to sign additional, new certificates. To generate a signed certificate, start gencert with the -s option. Enter the name of the signing certificate file, the name of the signing private-key file, and the password for the signing private key.
>gencert -s
Certificate Generation Tool
Choose certificate type ((R)SA or (E)CC): E
Generating key pair...
Country: CA
State/Province: Ontario
Locality: Waterloo
Organization: Sybase, Inc.
Organizational Unit: IAS
Common Name: MobiLink
Serial Number: 2003.07.29.03
Certificate valid for how many years: 1
Enter file path of signer's certificate: ent_root.crt
Enter file path of signer's private key: ent_root.pri
Enter password for signer's private key: password2
Enter password to protect private key: password3
Enter file path to save server identity: serv1.crt
This time, gencert creates only one file. It contains the signed certificate together with the new private key, and it is intended for use with a MobiLink synchronization server.
Repeat this last step as many times as necessary to create a signed certificate for each MobiLink synchronization server.
>gencert -s
Certificate Generation Tool
Choose certificate type ((R)SA or (E)CC): E
Generating key pair...
Country: CA
State/Province: Ontario
Locality: Waterloo
Organization: Sybase, Inc.
Organizational Unit: IAS
Common Name: MobiLink
Serial Number: 2003.07.29.04
Certificate valid for how many years: 2
Enter file path of signer's certificate: ent_root.crt
Enter file path of signer's private key: ent_root.pri
Enter password for signer's private key: password2
Enter password to protect private key: password4
Enter file path to save server identity: serv2.crt
You now have the following files:
ent_root.crt: The root certificate.
ent_root.pri: The root private key.
ent_serv.crt: The root combined certificate (certificate plus private key).
serv1.crt: The combined certificate for the first MobiLink synchronization server.
serv2.crt: The combined certificate for the second MobiLink synchronization server.
You do not need the combined root certificate (ent_serv.crt), because no MobiLink synchronization server uses it directly. Instead, you created a separate signed certificate for each MobiLink synchronization server, and the root private key is used only to sign those server certificates.
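The following shell script is an added example, not part of the MobiLink guide and not the gencert tool itself. It reproduces the same two-step hierarchy with OpenSSL so that the relationship between the files can be checked: gen_root plays the role of gencert -r (a self-signed ECC root, a password-protected root private key, and a combined root identity file), sign_server plays the role of gencert -s (a server key and certificate signed by the root, written as one combined identity file), and verify_identity confirms that a server identity chains to a given root certificate. The function names, the ext.cnf extension profile and the prime256v1 curve are assumptions of this example; the subject fields, file names and passwords mirror the transcripts above.

```shell
#!/bin/sh
# Added example: rebuild the gencert -r / gencert -s hierarchy with OpenSSL.
# Hypothetical helper names; file names and passwords follow the guide's transcripts.
set -eu

SUBJ_BASE="/C=CA/ST=Ontario/L=Waterloo/O=Sybase, Inc./OU=IAS"

# write_extensions DIR: X.509 v3 profiles for the root (CA) and the servers (leaf).
write_extensions() {
    cat > "$1/ext.cnf" <<'EOF'
[ ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# gen_root DIR ROOT_PASSWORD: equivalent of "gencert -r".
# Produces ent_root.crt, ent_root.pri (encrypted with ROOT_PASSWORD) and ent_serv.crt.
gen_root() {
    dir=$1; pw=$2
    write_extensions "$dir"
    openssl ecparam -name prime256v1 -genkey -noout \
        | openssl ec -aes256 -passout "pass:$pw" -out "$dir/ent_root.pri" 2>/dev/null
    openssl req -new -key "$dir/ent_root.pri" -passin "pass:$pw" \
        -subj "$SUBJ_BASE/CN=MobiLink" -out "$dir/root.csr"
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/ent_root.pri" -passin "pass:$pw" \
        -days 730 -sha256 -extfile "$dir/ext.cnf" -extensions ca -out "$dir/ent_root.crt" 2>/dev/null
    # The combined root identity: certificate followed by the protected private key.
    cat "$dir/ent_root.crt" "$dir/ent_root.pri" > "$dir/ent_serv.crt"
}

# sign_server DIR NAME SERVER_PASSWORD ROOT_PASSWORD: equivalent of "gencert -s".
# Produces NAME.crt, a combined identity (signed certificate + encrypted private key).
sign_server() {
    dir=$1; name=$2; pw=$3; rootpw=$4
    openssl ecparam -name prime256v1 -genkey -noout \
        | openssl ec -aes256 -passout "pass:$pw" -out "$dir/$name.pri" 2>/dev/null
    openssl req -new -key "$dir/$name.pri" -passin "pass:$pw" \
        -subj "$SUBJ_BASE/CN=$name" -out "$dir/$name.csr"
    openssl x509 -req -in "$dir/$name.csr" \
        -CA "$dir/ent_root.crt" -CAkey "$dir/ent_root.pri" -passin "pass:$rootpw" \
        -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/ext.cnf" -extensions server -out "$dir/$name.cert" 2>/dev/null
    cat "$dir/$name.cert" "$dir/$name.pri" > "$dir/$name.crt"
}

# verify_identity ROOT_CRT IDENTITY_CRT: exit 0 if the certificate inside the
# combined identity file chains to ROOT_CRT, non-zero otherwise. This is the
# check a client performs with its published copy of ent_root.crt.
verify_identity() {
    openssl x509 -in "$2" | openssl verify -CAfile "$1" >/dev/null 2>&1
}

# Stand-alone demo: run as "sh script.sh --demo".
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    gen_root "$d" password2
    sign_server "$d" serv1 password3 password2
    sign_server "$d" serv2 password4 password2
    for s in serv1 serv2; do
        if verify_identity "$d/ent_root.crt" "$d/$s.crt"; then
            echo "$s.crt chains to ent_root.crt"
        else
            echo "$s.crt does NOT chain to ent_root.crt"
        fi
    done
    echo "files written to $d"
fi
```

Two details worth noticing: a server identity only verifies against the root that signed it, so a client holding a different root rejects it, which is why the guide says every client needs a reliable copy of ent_root.crt; and the root private key is the only secret that can mint new server identities, which is why ent_serv.crt (which bundles that key) should stay off the synchronization servers. Passing passwords as pass: on the command line is done here only for readability; in a real deployment use -passin file: or an environment variable so the password does not appear in the process list.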