Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

crypto_certs(4) [opensolaris man page]

crypto_certs(4) 						   File Formats 						   crypto_certs(4)

NAME

       crypto_certs - directory for certificate files for Solaris Cryptographic Framework

SYNOPSIS

       /etc/crypto/certs/CA

       /etc/crypto/certs/SUNWobjectCA

       /etc/crypto/certs/*

DESCRIPTION

       The /etc/crypto/certs directory contains ASN.1 BER or PEM encoded certificate files for use by the Solaris Cryptographic Framework.

       A  default  installation contains root anchors and signing certificates. The CA and SUNWobjectCA certificates are the trust anchors for all
       other certificates. Other certificates contain the certificates used to sign and verify the Solaris user and kernel cryptographic plug-ins

       Additional signing certificates may be installed by third-party cryptographic providers. They should either be copied to  /etc/crypto/certs
       or included in the package that delivers the provider.

       Only  certificates  that  are issued by the CA or SUNWobjectCA certificates and include the organization unit "Solaris Cryptographic Frame-
       work" in their subject distinguished names are accepted by the Solaris Cryptographic Framework. This restriction is  in	place  due  to	US
       Export Law on the export of open cryptographic interfaces at the time of shipping this revision of the product.

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Availability		     |SUNWcsr			   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |Evolving			   |
       +-----------------------------+-----------------------------+

SEE ALSO

       elfsign(1), libpkcs11(3LIB), attributes(5)

SunOS 5.11							    23 Feb 2007 						   crypto_certs(4)

Check Out this Related Man Page

elfsign(1)                                                         User Commands                                                        elfsign(1)

NAME

       elfsign - sign binaries for the Solaris Cryptographic Framework

SYNOPSIS

       /usr/bin/elfsign sign [-a] -k private_key -c certificate_file -e elf_object

       /usr/bin/elfsign verify [-c certificate_file] -e elf_object

       /usr/bin/elfsign request -k private_key -r certificate_request_file

DESCRIPTION

       sign            Signs the elf object for use with the Solaris Cryptographic Framework, using the given private key and certificate file.

       verify          Verifies  an  existing  signed  object.  Uses  the  certificate  given  or  searches  for  an  appropriate  certificate  in
                       /etc/crypto/certs if -c is not given.

       request         Generates a private key and a PKCS#10 certificate request. The PKCS#10 certificate request should  be  sent  to  the  email
                       address solaris-crypto-req@sun.com to obtain a Certificate.

                       Users of elfsign must first generate a certificate request and obtain a certificate before using the other sub-commands.

OPTIONS

       The following options are supported:

       -a

           Generates a signed ELF Sign Activation (.esa) file. This option is used when a cryptographic provider has nonretail export approval for
           unrestricted use and desires retail approval by restricting which export sensitive callers (for example, IPsec) may use  the  provider.
           This option assumes that the provider binary has previously been signed with a restricted certificate.

       -c certificate_file

           Specifies the path to an X.509 certificate in PEM/PKCS#7 or ASN.1 BER format.

       -e elf_object

           Specifies the path to the object to be signed or verified.

       -k private_key

           Specifies  the  location of the private key file when not using a PKCS#11 token. This file is an RSA Private key file in a Solaris spe-
           cific format. When used with the request subcommand, this is the ouput file for the newly generated key.

       -r certificate_request_file

           Specifies the path to the certificate request file, which is in PKCS#10 format.

EXAMPLES

       Example 1: Signing an ELF object using a key/certificate in a file

       example$ elfsign sign -k myprivatekey -c mycert -e lib/libmylib.so.1

       Example 2: Verifying an elf object's signature

       example$ elfsign verify -c mycert -e lib/libmylib.so.1
       elfsign: verification of lib/libmylib.so.1 passed

       Example 3: Generating a certificate request

       example$ elfsign request -k mykey -r req.pkcs10
       Enter Company Name / Stock Symbol or some other globally unique identifier.
       This will be the prefix of the Certificate DN: SUNW

       The government of the United States of America restricts the export of
       "open cryptographic interfaces", also known as "crypto-with-a-hole".
       Due to this restriction, all providers for the Solaris cryptographic
       framework must be signed, regardless of the country of origin.

       The terms "retail" and "non-retail" refer to export classifications for
       products manufactured in the USA. These terms define the portion of the
       world where the product may be shipped.) Roughly speaking, "retail" is
       worldwide (minus certain excluded nations) and "non-retail" is domestic
       only (plus some highly favored nations). If your provider is subject to USA
       export control, then you must obtain an export approval (classification)
       from the government of the USA before exporting your provider. It is
       critical that you specify the obtained (or expected, when used during
       development) classification to the following questions so that your provider
       will be appropriately signed.

       Do you have retail export approval for use without restrictions based
       on the caller (for example, IPsec)? [Yes/No] No

       If you have non-retail export approval for unrestricted use of your
       provider by callers, are you also planning to receive retail approval by
       restricting which export sensitive callers (for example, IPsec) may
       use your provider? [Yes/No] No

       [...]

EXIT STATUS

       The following exit values are returned:

       VALUE        MEANING                          SUB-COMMAND
       0            Operation successful             sign/verify/request
       1            Invalid arguments
       2            Failed to verify ELF object      verify
       3            Unable to open ELF object        sign/verify
       4            Unable to load or invalid cer-   sign/verify
                    tificate
       5            Unable to load or invalid pri-   sign
                    vate key
       6            Failed to add signature          sign
       7            Attempt  to  verify   unsigned   verify
                    object  or  object  not an ELF
                    file

FILES

       /etc/crypto/certs       The /etc/crypto/certs directory is searched for the verify subcommand if the -c flag is not used.

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE         |      ATTRIBUTE VALUE        |
       +-----------------------------+-----------------------------+
       |Availability                 |SUNWtoo                      |
       +-----------------------------+-----------------------------+
       |Interface Stability          |Evolving                     |
       +-----------------------------+-----------------------------+

SEE ALSO

       libpkcs11(3LIB), attributes(5)

SunOS 5.10                                                          19 Mar 2004                                                         elfsign(1)
Man Page