
MobiLink Synchronization User's Guide
  Transport-Layer Security
    Verifying certificate fields

Using a globally-signed certificate as an enterprise certificate


Instead of using a global certificate as a server certificate, you can use it to sign other certificates, as you would an enterprise certificate. This setup combines the benefits of a global certificate and an enterprise certificate. The most important advantage is that you need not store the private key for your global certificate on the computer running the MobiLink synchronization server.

To create such a setup, generate a unique certificate for each MobiLink synchronization server and sign each one with your global certificate.

The following example shows how two server certificates can be generated and signed by the global certificate:

>gencert -s
Certificate Generation Tool
Choose certificate type ((R)SA or (E)CC): E
Generating key pair...
Country: CA
State/Province: Ontario
Locality: Waterloo
Organization: Sybase
Organizational Unit: IAS
Common Name: MobiLink
Serial Number: 2003.07.29.06
Certificate valid for how many years: 1
Enter file path of signer's certificate: global.crt
Enter file path of signer's private key: global.pri
Enter password for signer's private key: password5
Enter password to protect private key: password6
Enter file path to save server identity: serv6.crt
>gencert -s
Certificate Generation Tool
Choose certificate type ((R)SA or (E)CC): E
Generating key pair...
Country: CA
State/Province: Ontario
Locality: Waterloo
Organization: Sybase
Organizational Unit: IAS
Common Name: MobiLink
Serial Number: 2003.07.29.07
Certificate valid for how many years: 1
Enter file path of signer's certificate: global.crt
Enter file path of signer's private key: global.pri
Enter password for signer's private key: password5
Enter password to protect private key: password7
Enter file path to save server identity: serv7.crt

The above commands generate two server identity certificates, intended for use with two MobiLink synchronization servers.

Both certificates are signed by global.crt, which in turn is signed by your certificate authority's root certificate.

You can start these two MobiLink synchronization servers with the following commands, entered one command per line.

dbmlsrv9 -c "dsn=UltraLite 9.0 Sample;uid=DBA;pwd=SQL" -x tcpip ( port=3333;security=ecc_tls ( certificate=serv6.crt;certificate_password=password6 ) )
dbmlsrv9 -c "dsn=UltraLite 9.0 Sample;uid=DBA;pwd=SQL" -x tcpip ( port=4444;security=ecc_tls ( certificate=serv7.crt;certificate_password=password7 ) )

You can hide the contents of the command line using the File Hiding utility, dbfhide. For more information, see The File Hiding utility.

In addition, you must ensure that each client trusts your certificate authority's root certificate.
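
The chain described above (root, then global.crt, then serv6.crt and serv7.crt) can be rebuilt and checked with the OpenSSL command line. This is an added example, not gencert output and not part of the original guide. It assumes openssl 1.1.1 or later on the PATH, uses constructed subjects and file names in a temporary directory, and marks the global certificate as a CA certificate (basicConstraints CA:TRUE), an assumption the page does not state.

```shell
#!/bin/sh
# Added example: OpenSSL analogue of the root -> global -> server chain above.
# Subjects, file names and the 30-day lifetime are constructed for the demo.
set -eu

# Minimal config so the script does not depend on a system openssl.cnf.
write_cnf() {
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
        '[ca]' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign' \
        '[leaf]' 'basicConstraints=CA:FALSE' > "$1/c.cnf"
}

# new_key DIR NAME: generate an ECC private key.
new_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key"; }

# issue DIR SIGNER NAME CN EXT: sign NAME's request with SIGNER's private key.
issue() {
    openssl req -new -config "$1/c.cnf" -key "$1/$3.key" \
        -subj "/O=Example/CN=$4" -out "$1/$3.csr"
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 30 -extfile "$1/c.cnf" -extensions "$5" \
        -out "$1/$3.crt" 2>/dev/null
}

build_chain() {   # DIR
    write_cnf "$1"
    for n in root global serv6 serv7; do new_key "$1" "$n"; done
    openssl req -x509 -new -config "$1/c.cnf" -extensions ca -key "$1/root.key" \
        -subj "/O=Example CA/CN=Root" -days 30 -out "$1/root.crt"
    issue "$1" root global Global ca        # CA's root signs the global certificate
    issue "$1" global serv6 MobiLink leaf   # global certificate signs each server
    issue "$1" global serv7 MobiLink leaf
}

# A client trusting only root.crt; the server presents NAME.crt plus global.crt.
verify_server() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/global.crt" "$1/$2.crt" >/dev/null 2>&1
}
# Same client, but the intermediate global.crt is not supplied.
verify_without_intermediate() {
    openssl verify -CAfile "$1/root.crt" "$1/$2.crt" >/dev/null 2>&1
}

d=$(mktemp -d)
build_chain "$d"
verify_server "$d" serv6 && echo "serv6 chains to the root through global.crt"
verify_without_intermediate "$d" serv6 || echo "serv6 does not chain without global.crt"
rm -rf "$d"
```

Only the serv6 and serv7 key files are needed where the servers run; global.key is used at signing time and can stay on a separate machine.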

