Frequently Asked Questions about the CERT Public Key Infrastructure (PKI)

Contents:

General Information

CERT Registration Authority

CERT Certification Authorities

CERT-issued digital certificates

Digital Certificates issued by other Certification Authorities

Troubleshooting


General Information

What is the CERT Public Key Infrastructure (PKI)?

The CERT Public Key Infrastructure (PKI) is a set of components designed to administer and manage issuance of digital certificates to authorized individuals and to manage authorization of such credentials for a given set of restricted resources. The CERT PKI provides a public-facing user interface by which applicants are able to initiate the application process, generate a personal certificate, and activate their user account.

What services and resources are supported by the CERT PKI?

The CERT PKI supports the restricted components of the CERT Knowledgebase. This includes the Special Communications database and the Vulnerability Card Catalog. In order to obtain access to these resources, a user must have an active user account containing a digital certificate that has been authorized to access the given resource.

Who is eligible to submit an application to the CERT PKI?

Access to restricted CERT resources is granted only to approved researchers and collaborators. Accordingly, preliminary measures are taken to ensure that a prospective applicant 1) belongs to an authorized organization or agency and 2) has a legitimate need for access to the data contained in these resources. The CERT PKI also takes certain technical measures to ensure the legitimacy of applications received, thereby mitigating the risk of rogue or bogus requests.

CERT Registration Authority (RA)

What is the CERT Registration Authority?

The CERT Registration Authority is a component of the CERT PKI, comprising both staff and web-based tools. The RA manages the lifecycle of the application process.

What functions/role does the CERT RA serve?

The CERT RA is primarily responsible for managing the registration function, the initial authentication/verification of applicants, approving/denying applicants for certification, and processing user account activation requests.

The CERT RA provides an application web form used by applicants to initiate the application process. In circumstances where the CERT PKI will be issuing the applicant a digital certificate, certain information provided by the applicant in this form will be used for generating the associated personal digital certificate.

The CERT RA also provides applicants with the ability to activate their user account via an account activation web form. Completion of this form requires data provided to the applicant during the process that is unique to their request. Once the applicant successfully completes the activation web form, their user account is activated and access to the restricted CERT resources is granted.

CERT Certification Authorities

What is a Certification Authority (CA)?

The Certification Authority is a trusted authority that implements procedures to verify the identity of an applicant registering for a digital certificate and issues digital certificates that can then be used for accessing the CERT Knowledgebase. The CA also has the ability to revoke the certificate under the terms of its Certificate Policy.

What CAs are managed within the CERT PKI?

The CERT PKI comprises the CERT Root Certification Authority (CERT Root CA) and the CERT Certification Authority (CERT CA). The CERT Root Certification Authority certificate and intermediary CERT Certification Authority certificate have the following attributes:

CERT Root Certification Authority:
CN = CERT Root Certification Authority
OU = CERT Coordination Center
OU = Software Engineering Institute
O = Carnegie Mellon University

Expiration Date: 7/15/2017
Fingerprints:
SHA1: D1:AA:5C:6A:A5:95:B4:35:EC:16:63:AF:96:0A:5E:D4:92:96:A2:E5
MD5: F6:67:8E:75:7A:30:73:AE:F9:CF:73:6C:A9:09:FE:1F

Intermediary CERT Certification Authority:
CN = CERT Certification Authority
OU = CERT Coordination Center
OU = Software Engineering Institute
O = Carnegie Mellon University

Expiration Date: 7/15/2017
Fingerprints:
SHA1: 18:F4:82:20:80:20:E6:4D:03:48:AF:C4:0C:72:9F:1D:9D:A2:46:3F
MD5: 85:E7:35:45:51:05:4E:4F:44:22:AE:BA:4F:FF:80:46

What is the purpose of the two Certification Authorities?

The CERT Root Certification Authority is the top-level CA. This CA has the sole function of issuing intermediary CA certificates. The CERT Root Certification Authority has been created by VeriSign, Inc.

The CERT Certification Authority is an intermediary CA. This CA issues end-user certificates. Authorized individuals with these certificates are able to access the restricted components of the CERT Knowledgebase.

When you access the SSL/TLS-secured links at https://www.kb.cert.org/, the server first presents a certificate to your browser to prove its identity. Your browser then presents your personal certificate to our server to prove your identity.

Should I install both of these CA certificates now?

You do not need to install the certificates until you are obtaining or renewing your CERT-issued digital certificate. As part of that process, you will need to accept the certificates for both the CERT Root CA and the CERT CA into your browser.

Why must I install the CERT CA certificates into my browser?

When you accept the CERT CA into your browser, you are installing a copy of the CA's public key. By accepting the CERT CA, you acknowledge the CERT/CC as an organization that generates and signs certificates. This is necessary to ensure that your end-user certificate is successfully installed and used to authenticate you to our servers.

How do I install the CERT CA certificates into my browser?

Instructions for installing the CERT Root CA certificate are provided within the first step of the application process. The CERT intermediary CA certificate is automatically downloaded during the second step of the process (assuming the applicant has properly set the CERT Root CA as instructed).

For individuals needing to manually download these certificates, follow these steps:

Step 1. Install the CERT Root Certification Authority certificate.

The process for installing the CA certificate is browser dependent. Please refer to the browser instructions below that pertain to you.

Select the link: CERT Root Certification Authority

Microsoft Internet Explorer

  • Select Open from the File Download box.
  • From the Certificate window, select the Details tab.
  • Scroll to the Thumbprint field and compare it with the SHA-1 value listed below.
  • If the values DO NOT match, please contact the CERT Hotline at +1.412.268.7090.
  • If the values DO match, go to the General tab and select Install Certificate.
  • The Certificate Import Wizard will appear. Select Next.
  • Select the radio button for IE's automatic certificate store, then select Next.
  • Select Finish.

Mozilla Firefox

  • Select View from the Downloading Certificate dialog box.
  • Compare the fingerprint values with those listed below.
  • If the values DO NOT match, please contact the CERT Hotline listed below.
  • If the values DO match, select Close to return to the Downloading Certificate dialog box. Select the following options:
      • Trust this CA to identify web sites
      • Trust this CA to identify email users
  • Select OK.

Step 2. Install the CERT Certification Authority certificate.

The process for installing the CA certificate is browser dependent. Please refer to the browser instructions below that pertain to you.

Select the link: CERT Certification Authority

Microsoft Internet Explorer

  • Select Open from the File Download box.
  • From the Certificate window, select the Details tab.
  • Scroll to the Thumbprint field and compare it with the SHA-1 value listed below.
  • If the values DO NOT match, please contact the CERT Hotline at +1.412.268.7090.
  • If the values DO match, go to the General tab and select Install Certificate.
  • The Certificate Import Wizard will appear. Select Next.
  • Select the radio button for IE's automatic certificate store, then select Next.
  • Select Finish.

Mozilla Firefox

  • Select View from the Downloading Certificate dialog box.
  • Compare the fingerprint values with those listed below.
  • If the values DO NOT match, please contact the CERT Hotline at +1.412.268.7090.
  • If the values DO match, select Close to return to the Downloading Certificate dialog box.
  • Select OK.

Be sure to download the CERT Root Certification Authority certificate first. Please verify the fingerprints on the certificates before accepting them into your browser.
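The fingerprint comparison that the steps above ask you to perform in the browser can also be done on the downloaded file before it is imported. The following script is an added example, not part of this FAQ or of the CERT PKI tools; it assumes the CA certificate was saved as a PEM (Base64) file and uses the fingerprint values published above for the CERT Root CA.

```python
import base64
import hashlib
import re

# Fingerprints published in this FAQ for the CERT Root Certification Authority.
CERT_ROOT_CA_SHA1 = "D1:AA:5C:6A:A5:95:B4:35:EC:16:63:AF:96:0A:5E:D4:92:96:A2:E5"
CERT_ROOT_CA_MD5 = "F6:67:8E:75:7A:30:73:AE:F9:CF:73:6C:A9:09:FE:1F"

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM file.

    A browser's 'Thumbprint' / 'Fingerprint' field is a hash of exactly
    these DER bytes, not of the PEM text, so the Base64 wrapper must be
    stripped first. Raises ValueError if no certificate block is present.
    """
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der, algo="sha1"):
    """Hash DER bytes and render colon-separated uppercase hex, as browsers display it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Reduce any display form (colons, spaces, lower case) to bare uppercase hex."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def fingerprint_matches(der, expected, algo="sha1"):
    """True only when the computed fingerprint equals the published one."""
    return normalize(fingerprint(der, algo)) == normalize(expected)


def check_downloaded_ca(pem_text, expected_sha1, expected_md5=None):
    """Verify a downloaded CA file against the published fingerprints.

    SHA-1 must match; MD5 is checked as well when given, since the FAQ lists
    both, but a SHA-1 mismatch is never rescued by a matching MD5.
    """
    der = pem_to_der(pem_text)
    ok = fingerprint_matches(der, expected_sha1, "sha1")
    if expected_md5 is not None:
        ok = ok and fingerprint_matches(der, expected_md5, "md5")
    return ok


if __name__ == "__main__":
    # Constructed stand-in: these bytes are not a real certificate, so the
    # check against the published CERT Root CA fingerprint must fail.
    fake_pem = ("-----BEGIN CERTIFICATE-----\n"
                + base64.b64encode(b"constructed placeholder").decode()
                + "\n-----END CERTIFICATE-----\n")
    print("SHA1:", fingerprint(pem_to_der(fake_pem)))
    print("matches published CERT Root CA:",
          check_downloaded_ca(fake_pem, CERT_ROOT_CA_SHA1, CERT_ROOT_CA_MD5))
```

Replace `fake_pem` with the contents of the file you downloaded from the CERT Root Certification Authority link; a mismatch on either hash means the file should not be imported.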

My IT department does not allow us to install root certificates. What should I do?

Call the CERT hotline at +1 412 268-7090 for assistance.

How do I remove the CERT CA certificates from my browser?

Certification Authority certificates are stored in your web browser, usually under the title of "signers" or "authorities." Most browsers have a command you can use to delete unwanted Certification Authorities. If you are not sure how to use the delete Certification Authority command for your browser, you will need to check your browser's online help.

What do I need to know about the August 21, 2007 rollover of the CERT Certification Authority (CA)?

Beginning August 21, 2007, at 5:00 p.m. EDT, UTC-0400, the CERT Coordination Center will use a new Certification Authority (CA) to issue end-user certificates. VeriSign, Inc. created the new root CA certificate, which issued the intermediary CA certificate. All new CERT-issued personal certificates will be issued by the intermediary CA.

CERT-issued digital certificates

What is a CERT-issued certificate?

This certificate is an X.509 certificate that can be used to access restricted components of the CERT Knowledgebase. The certificate is issued by the CERT Certification Authority.

CERT-issued certificates are not transferable and may not be lent to or shared with others.

Do I need a CERT-issued certificate to access the supported resources?

If you do not have a certificate from a supported Certification Authority, you will need to obtain a certificate from the CERT CA. However, if you have a certificate from a supported CA, you may register this certificate with the CERT RA for use in accessing the CERT Knowledgebase.

For information on our support for external PKIs, please read "Digital Certificates issued by other Certification Authorities".

What hardware and software do I need to generate a certificate?

To create and install your X.509 certificate, your web browser must

  • be either Mozilla Firefox 2.0.0.12 (or greater) or Internet Explorer 6.0 (or greater)
  • support 128-bit encryption and SSL 3.0
  • have the CERT Root Certification Authority and CERT Certification Authority certificates installed in your browser's certificate storage facility (see "How do I install the CERT CA certificates?")

Please note that if you are using a Macintosh computer, you must use Mozilla Firefox to correctly create and use your CERT-issued certificate.

The digital certificate created is specifically configured for the web browser you are using. So, if you create your certificate using Mozilla Firefox, you must continue to use that software to perform any action with your certificate. The same is true for Internet Explorer. The only way to use a certificate in a browser other than the one in which it was created is to create a backup certificate and then import it into the desired browser. Please see "How do I move my certificate to another computer."

What hardware and software do I need to use my certificate?

You will need a web browser that supports

  • X.509 certificates
  • 128-bit encryption
  • SSL 3.0 (Secure Sockets Layer)

Where is my certificate stored?

Once you have requested a certificate, a public and private key are generated. The private key is automatically installed on your personal computer. The public key is sent to the CERT Certification Authority for signing. The CERT CA then signs your public key, and installs the resulting certificate into the Personal certificate storage facility of your browser.

Certificates also have passphrases attached to them.

  • In Internet Explorer, you can set a passphrase on each certificate you create. Each time you use your certificate you must enter the certificate passphrase.
  • In Mozilla Firefox, there is one certificate database on which you set a passphrase. Each time you use your certificate, you must enter the certificate database passphrase.

The CERT/CC has a copy of your public key only. If you lose your private key or passphrase, it cannot be retrieved. You have to request a new certificate.

What happens to the private key I generate?

Your private key is installed on the computer you are using to submit the request. You can use the private key to access the restricted CERT resources for which you have been authorized. Each time you use your private key, you will be prompted to enter the passphrase for your certificate.

What does the key size signify?

The key size is the number of bits in the key; the larger the number of bits the stronger the key. The CERT/CC recommends choosing a key size of at least 1024.

How do I use my CERT-issued certificate?

You need to present your certificate for authentication whenever you connect to any of the CERT resources that require secure access, such as the Vulnerability Card Catalog.

Generally, once you enter the web address (URL) for any secure page, your browser will present you with a dialog screen to select a certificate to be used for this authentication. Make sure you select the certificate you used when activating your CERT account. You will then be prompted to enter the passphrase of your certificate (or certificate database).

This sequence of actions usually happens once per web session. However, if you leave these restricted CERT resources to visit other web sites and then return, you may be prompted to re-authenticate.

Remember, you need to use a browser that has a copy of your certificate installed to access any secure data. If you are using a browser on a different computer, you need to make sure that you have copied your certificate to that computer and installed it in the browser, as described in the question "How do I move my certificate to another computer" listed below.

What are my responsibilities regarding my CERT-issued certificate?

During the application process, you are required to agree to the terms and conditions of the CERT Knowledgebase Usage Agreement. This document defines what you can and cannot do with the information contained in the CERT Knowledgebase.

If you are obtaining a digital certificate from the CERT Certification Authority, you will also be required to agree to the terms and conditions of the CERT Digital Certificate Usage Agreement. This document states what you can and cannot do with the digital certificate issued to you by the CERT Certification Authority.

How do I make a backup of my certificate?

You can make another copy of your certificate by using the Export Certificate command in your web browser. Your browser will save the certificate into a file. Be prepared to select a location where this file can be saved. For example, you could save it to portable media so that you can store a copy of the certificate in a safe.

Different browsers, and even versions of the same browser, may have a different procedure for exporting a certificate. If you are not sure how to use the export command for your browser, please check your browser's online help.

Some browsers will prompt you to create a backup of your certificate during the certificate creation process. If you receive this prompt, we encourage you to follow the instructions and create the backup at that time. Store your backup in a secure area.

How do I move my certificate to another computer?

You may need to use your certificate on more than one computer. To do this, you need to make a copy of the certificate and install the copy into the web browser of any other computer you will be using to access the CERT Knowledgebase.

Follow the instructions in the previous section to export your certificate to a file on portable media. Insert the media into the computer where you would like to install the certificate. Use your browser's Import Certificate command to copy the certificate into the browser.

If you are not sure how to use the import command for your browser, please check your browser's online Help.

CERT-issued certificates are not transferable and may not be shared with anyone else.

What security precautions should I take to protect my certificate?

Make sure that the computer your certificate is installed on is secure. If possible, use a computer that you have continued and preferably sole access to. Do not use a computer that is in a public location or has multiple users. This will help you protect the security of your certificate at all times.

Use a password to prevent access to the computer that houses your certificate. You should also ensure the physical safety of the computer by shutting down or locking the computer when you are away from it and physically locking the room where the computer is located.

Don't let anyone else use your certificate. Always protect certificate passphrases and never share them.

How long will my certificate grant me access to the CERT Knowledgebase?

Your certificate will grant you access to the CERT Knowledgebase until either the expiration date on your certificate passes or the term of your contract ends. You can view the expiration date of your certificate in your browser. For information about the term of your contract, please contact the POC (point of contact) in your organization. If you do not have or do not know who your POC is, please contact us for information regarding your access status.

If your certificate expires and you would like to retain access to the CERT Knowledgebase, please contact cert@cert.org. If we determine that your access should be extended, we will ask you to request a new certificate.

What do I do when my CERT-issued certificate expires?

If you need to continue accessing the restricted components of the CERT Knowledgebase after your certificate expires, you will need to request a new certificate. You do this by sending your request in an email to cert@cert.org. You should identify yourself as a previous CERT-issued certificate owner.

Once the CERT/CC receives your request, we will verify that you are still an appropriate candidate. If your request is approved, you will receive a new set of instructions on how to create a new certificate.

Digital Certificates issued by other Certification Authorities

Can I use the certificate that my own organization has issued to me instead of getting another one from the CERT Certification Authority?

If your certificate has been issued from a Certification Authority within an authorized PKI, then you are eligible to enlist your certificate with the CERT PKI.

What external Certification Authorities does CERT support?

The CERT PKI supports the use of digital certificates from a select collection of external PKIs. The following PKIs are supported:

  • U.S. Federal Civilian PKI
  • U.S. Department of Defense PKI
  • Select Certification Authorities operated by CSIRTs with National Responsibility (CNR)

This means that individuals with certificates that have been issued from Certification Authorities within one of these PKIs may submit their certificates to CERT for use in accessing the CERT Knowledgebase. Individuals within one of these PKIs should consult their Certificate Policy or PKI Administrator prior to enlisting their certificate with the CERT PKI.

What do I need to do to enlist the certificate I have from my organization?

After you have confirmed that your certificate is supported and that your Certificate Policy does not define any constraints, you will be able to enlist your certificate with the CERT PKI.

The application process is slightly different for individuals enlisting a certificate.

My organization meets the criteria defined above. What are the requirements and procedures for establishing our CA as one of the CAs supported by the CERT PKI?

After you have confirmed that your certificate is supported and that your Certificate Policy does not define any constraints, you will be able to enlist your certificate with the CERT PKI. Because individuals who desire to use their certificates from

Troubleshooting

My computer was rebuilt and I lost my certificate.

The certificate you use to access the CERT Knowledgebase is stored on your personal computer; the CERT/CC does not have a copy. If your computer is rebuilt and you do not have a backup copy of your certificate, you will need to request a new one.

You may want to store a backup copy of your certificate in a secure location such as a safe.

I forgot my passphrase.

The passphrase you use to access your CERT-issued certificate is stored on your personal computer. The CERT/CC has no access to your private key or passphrase. If you forget your passphrase, you will not be able to use your certificate or access any web site that requires the certificate. You will need to request a new certificate. It is vitally important that you remember your passphrase.

I have a certificate, but am unable to access the CERT Knowledgebase.

Make sure you are using the same browser that you created your certificate with. You cannot create a certificate in Internet Explorer and then use Mozilla Firefox to access the CERT Knowledgebase without first transferring the certificate into Mozilla Firefox.

Check your browser to be sure that it supports 128-bit encryption. If it does not, you will need to upgrade your browser.

Verify that SSL 3.0 is enabled.

CERT Contact Point: CERT PKI Administrator
CERT Hotline: +1-412-268-7090
CERT Email: cert@cert.org