HP 250m Print Server for Fast Ethernet manual SSL/TLS Client Understanding Certificate Chains

Page 77

SSL/TLS Client: Understanding Certificate Chains

In the previous section, we described a situation where the wrong CA certificate was configured on Jetdirect. Let’s explain this more thoroughly because it is a common issue reported on Jetdirect. Remember, Jetdirect is an embedded system and has limited flash space. Therefore, it cannot store a multitude of certificates on its flash file system. What Jetdirect needs to do is “Walk the Certificate Chain”. Let’s explain by reviewing our CA Hierarchy.

Figure 31 - CA Hierarchy

In this example, RootCA is the top level CA, which is also called the Root. What usually happens at customer sites is that the Root CA is created and it issues one or more certificates to Subordinate CAs, also known as Intermediate CAs, and they do the dirty work of issuing certificates to various entities in the customer’s network. The Root CA is then shutdown and locked up in a secure room with this information backed up in several places. The Root CA establishes the trust of the whole environment and is very well protected.

We can see that RootCA issues a certificate to R2, which grants R2 the capability to issue certificates to other entities. R2’s certificate is signed by the Root CA. R2 then can issue certificates to other devices.

77

Image 77

Contents Introduction WhitepaperHttp Application What is SSL/TLS?Application Changes Https DecodedHttp Session More Info Https Session Lock Icon Certificate Details IE6 Security Alert Digital CertificatesIE7 Certificate Error IE7 Certificate Error Certificate Information Public Key Infrastructure and Public Key Certificate BasicsSymmetric Cryptography Asymmetric Cryptography Digital Signature Digital Signature Verification Certificate Authority Public Key Certificates Self-Signed Certificate SSL/TLS Protocol Structures SSL/TLS Protocol BasicsClient Hello Server Hello Server Certificate Verification Keying Material Client Finished Server Finished Using Https with HP JetdirectCA Heirarchy Network Diagram Page Page Under the heading Jetdirect Certificate, press Configure… Page Page Page Page Page Page Page Page Page Page Page Save it Go to Tools and click Internet Options Click Certificates Click Import… Click Next Select the file Click Next Page Page Page Page Page Detailed Look at the SSL/TLS Connection Page Page Page Page Check for server certificate revocation is not selected Page Page SSL/TLS Server Settings HP Jetdirect as an SSL/TLS Client Page Page Page Page Select R2 and hit Export… Click Next Select DER. Click Next Save it Save it Click Finish Page Select the file. Click Finish Click OK Page Same message. What did we do wrong? Page Page We use the DNS name and try again Success Page CA Hierarchy SSL/TLS Client Understanding Certificate ChainsPage RootCA Incorrect HP Jetdirect CA Configuration Correct HP Jetdirect CA Configuration Walking the Chain SSL/TLS Client Certificates and Name Verification Subject SubjectAltName Page Page Page IPP over SSL/TLS Click Next Select a network printer… Page Page Print a test Yep we have our print data protected by SSL/TLS Embedded Devices and Digital Certificates HP Jetdirect Certificate GuidelinesSummary Which HP Jetdirect Products Support SSL/TLS?