
Certificates, Getting started, Certificate management in mac os x – equinux VPN Tracker 6.4.6 User Manual

Page 70


Certificates

This chapter describes how VPN Tracker can be integrated in
a PKI (Public Key Infrastructure) using digital certificates or
smart cards.

Getting Started

To use certificates with VPN Tracker, you will need certificates and a VPN gateway that can authenticate users through X.509 certificates (RSA signatures).

Obtaining Certificates

If you have an existing Public Key Infrastructure (PKI) that uses certificates:
‣ Certificates (and private keys for the client/user certificates) need to be available in a format supported by the Mac OS X keychain. If your users already have their certificates in their Mac OS X keychain, there’s nothing that needs to be done.

If you have an existing Public Key Infrastructure (PKI) that uses smart cards:
‣ Software is required to make your smart card certificates available in Mac OS X through the keychain. If you have already installed your vendor’s driver or software, you can easily determine if it satisfies this requirement by checking if your smart card appears as a keychain in the Mac OS X Keychain Access application (Applications > Utilities > Keychain Access).
‣ If your vendor does not provide the necessary software, there may be a third party solution available.

If you do not have an existing Public Key Infrastructure (PKI) in place:
‣ Use the Certificate Assistant built into the Mac OS X Keychain Access application to create certificates (Keychain Access > Certificate Assistant). Some VPN gateways can also create and export certificates.

VPN Gateway Prerequisites

‣ Your VPN gateway must support authentication based on digital certificates (X.509 certificates).
‣ Configure your VPN gateway for certificate-based authentication. Refer to your vendor’s documentation for details.

What about Tokens?

We are using the term “smart card” to describe both an actual smart card that is placed into a card reader, and a USB token with a non-removable smart card chip that plugs directly into your Mac. From VPN Tracker’s perspective, there is no difference whether the smart card chip is accessed through a card reader or built into a USB token.

There is also another type of token on the market: these tokens generate a one-time code (e.g. RSA SecurID). When using such tokens, the VPN gateway usually requests the code through Extended Authentication (XAUTH). To use such tokens in VPN Tracker, simply set up your VPN gateway according to your vendor’s instructions and enable XAUTH in VPN Tracker.

Certificate Management in Mac OS X

To use certificates with VPN Tracker, the certificates must be available in a keychain. This chapter will therefore first cover the basics of certificate management using the keychain on Mac OS X, before showing how to include certificates in VPN Tracker.

In Mac OS X, certificates (and their private keys) are stored in keychains. Keychains are managed using the Keychain Access application (found in Applications > Utilities).

A keychain protects the private key by only permitting access if the keychain has been unlocked using the appropriate password. Also, if an application attempts to access a private key in a keychain for the first time, the user is asked to permit access, even if the keychain is unlocked. By default, a user has a single keychain, the login keychain, protected with their password. It is possible to change the login keychain’s password to a different one, and to create additional keychains.
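The prerequisite under “Obtaining Certificates” is that the client certificate and its private key are both in a keychain. The following script, added here as an example and not part of the VPN Tracker manual or equinux software, checks that with Apple’s `security` command-line tool, which lists only certificates that have a matching private key (an identity) and are valid for the chosen policy. It assumes the `ipsec` policy of `security find-identity` and parses constructed sample output in the same shape; the fingerprints and names in the sample are made up.

```python
"""Check the macOS keychain for client identities (certificate + private key)
that are valid for IPsec, the authentication VPN Tracker needs."""
import re
import shutil
import subprocess
from typing import List, Optional, Tuple

# Constructed sample mirroring `security find-identity -v -p ipsec` output
# (fingerprints and names are made up for this example).
SAMPLE_OUTPUT = """\
  1) 0000000000000000000000000000000000000001 "vpn-user@example.com"
  2) 0000000000000000000000000000000000000002 "Alice Example (VPN)"
     2 valid identities found
"""

# One identity per line: "  N) <40 hex SHA-1 fingerprint> "<subject name>""
IDENTITY_LINE = re.compile(r'^\s*\d+\)\s+([0-9A-F]{40})\s+"(.*)"\s*$')


def parse_identities(output: str) -> List[Tuple[str, str]]:
    """Return (fingerprint, subject name) pairs found in find-identity output."""
    found = []
    for line in output.splitlines():
        match = IDENTITY_LINE.match(line)
        if match:
            found.append((match.group(1), match.group(2)))
    return found


def identity_for(subject_name: str, output: str) -> Optional[str]:
    """Fingerprint of the valid identity with this subject name, or None.
    None means either the certificate is missing, has no private key in
    the keychain, or is not valid for the policy (e.g. expired)."""
    for fingerprint, name in parse_identities(output):
        if name == subject_name:
            return fingerprint
    return None


def query_keychain(policy: str = "ipsec") -> Optional[List[Tuple[str, str]]]:
    """Run `security find-identity -v -p <policy>` on macOS; None elsewhere."""
    if shutil.which("security") is None:
        return None  # assumption: the tool only exists on macOS
    result = subprocess.run(["security", "find-identity", "-v", "-p", policy],
                            capture_output=True, text=True)
    return parse_identities(result.stdout)


if __name__ == "__main__":
    identities = query_keychain()
    if identities is None:  # not on macOS: show the constructed sample instead
        identities = parse_identities(SAMPLE_OUTPUT)
    for fingerprint, name in identities:
        print(f"{name}: {fingerprint}")
```

Pass a keychain path as a further argument to `security find-identity` to restrict the check to a specific keychain, such as a smart card that appears in Keychain Access.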
