Certificate authorities
A certificate authority (CA) is used to sign other server and client certificates. Different CAs can be used for different domains or certificates. For example, if your organization is international you may have a CA for each country, or smaller organizations might have a different CA for each department. The benefits of multiple CAs include redundancy, in case there are problems with one of the well-known trusted authorities.
Once you have created a CA certificate, you can export it to your local computer.
Local CAs
The FortiAuthenticator device can act as a self-signed, or local, CA.
To view the certificate information, go to Certificate Management > Certificate Authorities > Local CAs.
The following information is shown:
Create New | Create a new CA certificate. |
Import | Import a CA certificate. See Importing CA certificates and signing requests. |
Revoke | Revoke the selected CA certificate. |
Delete | Delete the selected CA certificate. |
Export Certificate | Save the selected CA certificate to your computer. |
Export Key and Cert | Save the selected intermediate CA certificate and private key to your computer. |
Search | Enter a search term in the search field, then press Enter to search the CA certificate list. The search will return certificates that match either the subject or issuer. |
Filter | Select to filter the displayed CAs by status. The available selections are: All, Pending, Expired, Revoked, and Active. |
Certificate ID | The CA certificate ID. |
Subject | The CA certificate subject. |
Issuer | The issuer of the CA certificate. |
Status | The status of the CA certificate. |
CA Type | The CA type of the CA certificate. |
To create a CA certificate:
- From the local CA certificate list, select Create New. The Create New Local CA Certificate window opens.
- Enter the following information:
Certificate ID | Enter a unique ID for the CA certificate. |
Certificate Authority Type |
Certificate type | Select one of the following options: |
- Root CA certificate: A self-signed CA certificate.
- Intermediate CA certificate: A CA certificate that refers to a different root CA as the authority.
- Intermediate CA certificate signing request (CSR)
Certificate authority | Select one of the available CAs from the dropdown menu. This field is only available when the certificate type is Intermediate CA certificate. |
Subject Information |
Subject input method | Select the subject input method, either Fully distinguished name or Field-by-field. |
Subject DN | If the subject input method is Fully distinguished name, enter the full distinguished name of the subject. There should be no spaces between attributes. Valid DN attributes are DC, C, ST, L, O, OU, CN, and emailAddress. They are case-sensitive. |
Name (CN) | If the subject input method is Field-by-field, enter the subject name in the Name (CN) field, and optionally enter the following fields: |
- Department (OU)
- Company (O)
- City (L)
- State/Province (ST)
- Country (C) (select from dropdown menu)
- Email address
Key and Signing Options |
Validity period | Select the amount of time before this certificate expires. Select Set length of time to enter a specific number of days, or select Set an expiry date and enter the specific date on which the certificate expires. This option is not available when the certificate type is set to Intermediate CA certificate signing request (CSR). |
Key type | The key type is set to RSA. |
Key size | Select the key size from the dropdown menu: 1024, 2048 (set by default), or 4096 bits. |
Hash algorithm | Select the hash algorithm from the dropdown menu, either SHA-256 (set by default) or SHA-1. |
Subject Alternative Name | SANs allow you to protect multiple host names with a single SSL certificate. SAN is part of the X.509 certificate standard. This section is not available when the certificate type is Intermediate CA certificate signing request (CSR). |
Enter the email address of a user to map to this certificate. |
User Principal Name (UPN) | Enter the UPN used to find the user’s account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique for the Windows Server domain. This is a form of one-to-one mapping. |
Advanced Options: Key Usages | Some certificates require the explicit presence of extended key usage attributes before the certificate can be accepted for use. For detailed information about these attributes, see End entities. |
Key Usages |
- Digital Signature
- Non Repudiation
- Key Encipherment
- Data Encipherment
- Key Agreement
- Certificate Sign
- CRL Sign
- Encipher Only
- Decipher Only
Extended Key Usages |
- Server Authentication
- Client Authentication
- Code Signing
- Secure Email
- OCSP Signing
- IPSec End System
- IPSec Tunnel Termination
- IPSec User
- IPSec IKE Intermediate (end entity)
- Time Stamping
- Microsoft Individual Code Signing
- Microsoft Commercial Code Signing
- Microsoft Trust List Signing
- Microsoft Server Gated Crypto
- Netscape Server Gated Crypto
- Microsoft Encrypted File System
- Microsoft EFS File Recovery
- Smart Card Logon
- EAP over PPP
- EAP over LAN
- KDC Authentication
Certificate Revocation List (CRL) | Determine the certificate's lifetime before the CA certificate is revoked. |
Lifetime | Enter the lifetime of the certificate in days, between 1-365 (maximum of one year). The default is 30. |
Re-generate every | Enter how often the certificate will regenerate. |
- Select OK to create the new CA certificate.
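The Subject DN rules and the key, hash and CRL lifetime options above can be checked before the form is submitted. The following is an added example, not Fortinet code: the function names, the profile dictionary and the sample values are constructed, backslash-escaped commas are assumed to follow RFC 4514, "no spaces between attributes" is read as no whitespace around the separators, and flagging 1024-bit RSA and SHA-1 is this example's own policy rather than a FortiAuthenticator rule.

```python
import re

# Attribute types the page lists as valid; matching is case-sensitive.
VALID_ATTRS = {"DC", "C", "ST", "L", "O", "OU", "CN", "emailAddress"}
KEY_SIZES = {1024, 2048, 4096}      # choices offered in the Key size dropdown
HASHES = {"SHA-256", "SHA-1"}       # choices offered in the Hash algorithm dropdown

def check_subject_dn(dn):
    """Return a list of problems with a 'Fully distinguished name' string."""
    problems = []
    # Split on commas that are not backslash-escaped (RFC 4514 escaping, assumed).
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not value.strip():
            problems.append(f"{rdn!r}: expected ATTR=value")
        elif attr != attr.strip() or value != value.strip():
            problems.append(f"{rdn!r}: whitespace between attributes")
        elif attr not in VALID_ATTRS:
            problems.append(f"{rdn!r}: unknown attribute type {attr!r}")
    return problems

def check_ca_profile(profile):
    """Check a planned local CA profile (hypothetical dict) before creating it."""
    problems = check_subject_dn(profile["subject_dn"])
    if profile["key_size"] not in KEY_SIZES:
        problems.append(f"key size {profile['key_size']} is not offered")
    elif profile["key_size"] < 2048:
        problems.append("1024-bit RSA is too weak for a CA key (example policy)")
    if profile["hash"] not in HASHES:
        problems.append(f"hash {profile['hash']} is not offered")
    elif profile["hash"] == "SHA-1":
        problems.append("SHA-1 signatures are deprecated (example policy)")
    if not 1 <= profile["crl_lifetime_days"] <= 365:
        problems.append("CRL lifetime must be between 1 and 365 days")
    return problems

# Constructed sample profiles.
GOOD = {"subject_dn": "CN=Example Root CA,OU=PKI,O=Example Corp,C=US",
        "key_size": 4096, "hash": "SHA-256", "crl_lifetime_days": 30}
WEAK = {"subject_dn": "CN=Legacy CA, o=Example",
        "key_size": 1024, "hash": "SHA-1", "crl_lifetime_days": 400}

if __name__ == "__main__":
    for name, profile in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, check_ca_profile(profile) or "no problems")
```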
Importing CA certificates and signing requests
Four options are available when importing a certificate or signing request: PKCS12 Certificate, Certificate and Private Key, CSR to sign, and Local certificate.
To import a PKCS12 certificate:
- From the local CA certificate list, select Import. The Import Signing Request or Local CA Certificate window opens.
- Select PKCS12 Certificate in the type field.
- Enter the following:
Certificate ID | Enter a unique ID for the certificate. |
PKCS12 certificate file (.p12) | Select Choose File to locate the certificate file on your computer. |
Passphrase | Enter the certificate passphrase. |
Initial Serial Number | Select the serial number radix, either Decimal or Hex, and enter the initial serial number in the Initial serial number field. |
- Select OK to import the certificate.
To import a certificate with a private key:
- From the local CA certificate list, select Import. The Import Signing Request or Local CA Certificate window opens.
- Select Certificate and Private Key in the type field.
- Enter the following:
Certificate ID | Enter a unique ID for the certificate. |
Certificate file (.cer) | Select Choose File to locate the certificate file on your computer. |
Private key file | Select Choose File to locate the private key file on your computer. |
Passphrase | Enter the certificate passphrase. |
Initial Serial Number | Select the serial number radix, either Decimal or Hex, and enter the initial serial number in the Initial serial number field. |
- Select OK to import the certificate.
To import a CSR to sign:
- From the local CA certificate list, select Import. The Import Signing Request or Local CA Certificate window opens.
- Select CSR to sign in the type field.
- Enter the following:
Certificate ID | Enter a unique ID for the certificate. |
CSR file (.csr, .req) | Select Choose File to locate the CSR file on your computer. |
Certificate Signing Options |
Certificate authority | Select one of the available CAs from the dropdown menu. |
Validity period | Select the amount of time before this certificate expires. Select Set length of time to enter a specific number of days, or select Set an expiry date and enter the specific date on which the certificate expires. |
Hash algorithm | Select the hash algorithm from the dropdown menu, either SHA-256 or SHA-1. |
Subject Alternative Name | SANs allow you to protect multiple host names with a single SSL certificate. SAN is part of the X.509 certificate standard. |
Enter the email address of a user to map to this certificate. |
User Principal Name (UPN) | Enter the UPN used to find the user’s account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique for the Windows Server domain. This is a form of one-to-one mapping. |
Advanced Options: Key Usages | Some certificates require the explicit presence of extended key usage attributes before the certificate can be accepted for use. For detailed information about these attributes, see End entities. |
- Select OK to import the CSR.
To import a local CA certificate:
- From the local CA certificate list, select Import. The Import Signing Request or Local CA Certificate window opens.
- Select Local certificate in the type field.
- Select Choose File to locate the certificate file on your computer.
- Select OK to import the local CA certificate.
Certificate revocation lists
A certificate revocation list (CRL) is a file that contains a list of revoked certificates, their serial numbers, and their revocation dates. The file also contains the name of the issuer of the CRL, the effective date, and the next update date. By default, the shortest validity period of a CRL is one hour.
Some potential reasons for certificates to be revoked include:
- A CA server was hacked and its certificates are no longer trusted.
- A single certificate was compromised and is no longer trusted.
- A certificate has expired and is not supposed to be used past its lifetime.
Go to Certificate Management > Certificate Authorities > CRLs to view the CRL list.
The following information is shown:
Import | Import a CRL. |
Automatic Downloads | Select to view automatically downloaded CRLs. Select View CRLs to switch back to the regular CRL view. |
Export | Save the selected CRL to your computer. |
CA Type | The CA type of CRL. |
Issuer name | The name of the issuer of the CRL. |
Subject | The CRL’s subject. |
Revoked Certificates | The number of revoked certificates in the CRL. |
To import a CRL:
- Download the most recent CRL from a CRL distribution point (CDP). One or more CDPs are usually listed in a certificate under the Details tab.
- From the CRL list, select Import.
- Select Choose File to locate the file on your computer, then select OK to import the list.
Note: Before importing a CRL file, make sure that either a local CA certificate or a trusted CA certificate for this CRL has first been imported.
When successful, the CRL will be displayed in the CRL list on the FortiAuthenticator. You can select it to see the details (see To view certificate details:).
Locally created CRLs
When you import a CRL, it is from another authority. If you are creating your own CA certificates, you can also create your own CRL to accompany them.
As a CA, you sign user certificates. If for any reason you need to revoke one of those certificates, it will go on a local CRL. When this happens you must export the CRL to all your certificate users so they are aware of the revoked certificate.
To create a local CRL:
- Create a local CA certificate. See Local CAs.
- Create one or more user certificates. See End entities.
- Go to Certificate Management > End Entities > Users, select one or more certificates, and select Revoke. See To revoke a certificate:.
The selected certificates will be removed from the user certificate list and a CRL will be created with those certificates as entries in the list. If there is already a CRL for the CA that signed the user certificates, the certificates will be added to the current CRL.
If later one or more CAs are deleted, their corresponding CRLs will also be deleted, along with any user certificates that they signed.
Configuring OCSP
FortiAuthenticator also supports Online Certificate Status Protocol (OCSP), defined in RFC 2560. To use OCSP, configure the FortiGate unit to use TCP port 2560 on the FortiAuthenticator IP address.
For example, enter the following to configure OCSP on the FortiGate's CLI Console, where the url is the IP address of the FortiAuthenticator:
config vpn certificate ocsp-server
edit FortiAuthenticator_ocsp
set cert "REMOTE_Cert_1"
set url "http://172.20.120.16:2560"
end
Trusted CAs
Trusted CA certificates can be used to validate certificates signed by an external CA.
To view the trusted CA certificate list, go to Certificate Management > Certificate Authorities > Trusted CAs.
The certificate ID, subject, issuer, and status are shown. Certificates can be imported, exported, deleted, and searched.
To import a trusted CA certificate:
- From the trusted CA certificate list, select Import.
- Enter a certificate ID in the Certificate ID field.
- Select Choose File to locate the certificate file on your computer, and select OK to import the list.
When successful, the trusted CA certificate will be displayed in the list on the FortiAuthenticator device. You can select it to see the details (see To view certificate details:).
EJBCADS
EJBCA has support for several Hardware Security Modules (HSMs) and each HSM has its own specific interface for key generation and maintenance, independent of EJBCA. Make sure you are familiar with how your HSM works.
You can manage crypto tokens fully in the EJBCA Admin GUI or CLI, and the Admin GUI automatically displays the HSMs available in your system.
When creating a new Crypto Token (Crypto Tokens>Create New) you can select between Soft and PKCS#11 crypto tokens.
The PKCS#11 option is only available if EJBCA is able to find any known PKCS#11 modules in the file system.
If EJBCA finds known PKCS#11 modules in the file system, you can select PKCS#11 as Type. The PKCS#11 Library field then lists the known HSMs found in the file system.
If the PKCS#11 option is not available or your desired HSM is not in the list of available Libraries, there are a few options to configure:
- If you are using JBoss 7, you must make the Java PKCS#11 classes exportable. For more information, see Application Servers.
- You can configure PKCS#11 modules that are not already known to EJBCA in conf/web.properties. See conf/web.properties.sample for how to add new known modules and override existing ones (overriding should not be needed, since you can add new locations with the same name).
For more information on creating and using Crypto Tokens for HSMs, see Managing Crypto Tokens and Managing CAs.
The following sections describe the underlying operations and technical features of using HSMs and PKCS#11.
The GUI configuration of CAs is backed by a properties field where properties unique to a particular CA's usage of the HSM are specified. All implemented HSM modules use the same property keywords to define the identity and the purpose of the keys to be used. These keywords are:
- certSignKey: Key used when signing certificates, can be RSA or ECDSA.
- crlSignKey: Key used when signing CRLs, can be RSA or ECDSA.
- keyEncryptKey: Key used for key encryption and decryption, this must be an RSA key.
- testKey: Key used by HSM status checks, can be RSA or ECDSA.
- hardTokenEncrypt: Key used for hardtoken encryption and decryption. PUK will be decrypted by this key.
- defaultKey: Key used when no other key is defined for a purpose. If this is the only definition, then this key will be used for all purposes.
- pin: Optional pin code used for auto-activation of CA token, see below. Not recommended for high security set-ups, but very useful in some cases.
You may omit defaultKey if you want to be sure that the right key is used, but then all the other keys must be specified. It is recommended that the certificate and CRL signing keys are linked to the same key since different keys are rarely supported by verifying applications.
When implementing support for a new HSM, the KeyStrings class can be used to manage the key properties described above. When the HSM provides a JCA/JCE API, it can also be wise to extend the BaseCAToken class.
The same activation code must be used for all keys used by a CA.
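The defaultKey fallback and the per-purpose constraints described above can be audited before a CA is activated. The following is an added example, not EJBCA code: the parser is a simplified reading of the properties field, and the key aliases, the pin value and the alias-to-algorithm inventory are constructed. It shows one failure mode the text implies: a defaultKey-only configuration silently assigns an ECDSA key to keyEncryptKey, which must be RSA.

```python
# Added example (not EJBCA code): resolve which key alias serves each purpose.
PURPOSES = ("certSignKey", "crlSignKey", "keyEncryptKey", "testKey", "hardTokenEncrypt")
RSA_ONLY = {"keyEncryptKey"}  # the page requires an RSA key for this purpose

def parse_properties(text):
    """Simplified properties parser: 'key=value' or 'key value', '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, _, value = line.partition(" ")
        props[key.strip()] = value.strip()
    return props

def resolve_keys(props, key_algs):
    """Return ({purpose: alias}, [findings]); key_algs maps alias -> 'RSA'/'ECDSA'."""
    default = props.get("defaultKey")
    resolved, findings = {}, []
    for purpose in PURPOSES:
        alias = props.get(purpose) or default
        if alias is None:
            findings.append(f"ERROR {purpose}: not set and no defaultKey to fall back on")
            continue
        resolved[purpose] = alias
        alg = key_algs.get(alias)
        if alg is None:
            findings.append(f"ERROR {purpose}: alias '{alias}' not found on the token")
        elif purpose in RSA_ONLY and alg != "RSA":
            findings.append(f"ERROR {purpose}: '{alias}' is {alg}, must be RSA")
    if resolved.get("certSignKey") != resolved.get("crlSignKey"):
        findings.append("WARN certSignKey and crlSignKey differ; verifiers rarely support that")
    if "pin" in props:
        findings.append("WARN pin is set: auto-activation, not recommended for high security")
    return resolved, findings

# Constructed sample inputs (aliases, pin and algorithms are made up).
TOKEN_KEYS = {"signKey": "ECDSA", "encKey": "RSA", "crlKey": "RSA"}
EXPLICIT = ("certSignKey signKey\ncrlSignKey signKey\nkeyEncryptKey encKey\n"
            "testKey signKey\nhardTokenEncrypt encKey\n")
DEFAULT_ONLY = "# one key for everything\ndefaultKey=signKey\npin=constructed-pin\n"

if __name__ == "__main__":
    for name, text in (("explicit", EXPLICIT), ("default-only", DEFAULT_ONLY)):
        resolved, findings = resolve_keys(parse_properties(text), TOKEN_KEYS)
        print(name, resolved)
        for finding in findings:
            print("  ", finding)
```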
There are four additional key properties that can (optionally) be used when renewing CA keys and to produce roll-over certificates. Some of these (in particular the next