CERT
 
Vulnerability Notes Vulnerability Card Catalog Special Communications
 

Frequently Asked Questions about Accessing the CERT Knowledgebase



Contents:

General Information
Obtaining a CERT-issued certificate
Using a CERT-issued certificate
Troubleshooting

General Information

What is the CERT Knowledgebase?
The CERT Knowledgebase (KB) is a collection of Internet security information compiled by the CERTŪ Coordination Center (CERT/CC). The CERT/CC has become a major reporting center for incidents and vulnerabilities since its inception in 1988. The CERT/CC collects information related to network survivability and security. The KB is a subset of this information that has been extracted and structured in a manner that will allow information to be easily searched, analyzed, and shared.

Many components within the KB are available to the public with little or no access restrictions. However, some of these components contain sensitive data and therefore require strict access controls. To view these restricted-access components, you must install a CERT-issued certificate into your web browser. This certificate is used to authenticate you, thereby granting you access to specific information in the KB.

The certificate will give you access to the following restricted components of the CERT Knowledgebase:
    • Vulnerability Card Catalog - This restricted-access catalog contains descriptive and referential information regarding vulnerabilities reported to the CERT Coordination Center. Vulnerability reports are handled according to our Vulnerability Disclosure Policy. Access to this component requires prior approval and a certificate from a trusted Certification Authority.
    • Special Communications Database - This restricted-access database contains briefs providing important information about vulnerabilities, intruder activity, or other security problems. The briefs give network and security managers advance warning of critical security threats. Access to this component requires prior approval and a certificate from a trusted Certification Authority.
Who is eligible for access to the secure components of the CERT Knowledgebase?
Access to the restricted, secure components of the CERT Knowledgebase can be given to approved researchers and collaborators.

If you are interested in obtaining access to the restricted portions of the CERT Knowledgebase, please send mail to cert@cert.org. Please include your organization and proposed use of the knowledgebase. A CERT/CC staff member will contact you to discuss your request.

If approved, you will receive a set of instructions from the CERT/CC explaining the process for creating and picking up your CERT-issued certificate. Once you install the certificate in your browser, you will be able to access the restricted part of the knowledgebase.

What is a CERT-issued certificate?
This certificate is an X.509 certificate that can be used to access restricted components of the CERT Knowledgebase. The certificate is issued by the CERT Certification Authority.

CERT-issued certificates are not transferable and may not be lent to or shared with others.

What do I need to know about the August 21, 2007 rollover of the CERT Certification Authority (CA)?
Beginning August 21, 2007, at 5:00 p.m. EDT, UTC-0400, the CERT Coordination Center will use a new Certification Authority (CA) to issue end-user certificates. VeriSign, Inc. created the new root CA certificate, which issued the intermediary CA certificate. All new CERT-issued personal certificates will be issued by the intermediary CA. For more information, please read our Frequently Asked Questions about the New CERT Certification Authority.




Obtaining a CERT-issued certificate

What hardware and software do I need to use my certificate?

    You will need a web browser that supports
    • X.509 certificates
    • 128-bit encryption
    • SSL 3.0 (Secure Sockets Layer)

What hardware and software do I need to generate a certificate?

    To create your X.509 certificate, your web browser must
    • be either Mozilla 1.7.12 (or greater), Mozilla Firefox 2.0.0.4 (or greater) or Internet Explorer 5.5 (or greater)
    • support 128-bit encryption and SSL 3.0
    • have scripting enabled
      • For Mozilla and Mozilla Firefox, you must enable JavaScript
      • For Internet Explorer, you must enable Active scripting and allow the scripting of ActiveX controls that are marked safe-for-scripting
    The scripting configurations can be disabled after you have created and picked up your certificate.

    Please note that if you are using a Macintosh computer, you must use Netscape Communicator to correctly create and use your CERT/CC Knowledgebase Certificate.

    The digital certificate created is specifically configured for the web browser you are using. So, if you create your certificate using Netscape Communicator, you must continue to use that software to perform any action with your certificate. The same is true for Internet Explorer. The only way to use a certificate in a browser other than the one it was created in, is to export it and import it into that browser. Please see "How do I move my certificate to another computer".

    NOTE: You should check your organization's security policies before enabling JavaScript or Active scripting to ensure such a change does not violate your site's policies. The CERT/CC encourages you to be aware of the risks associated with enabling scripting in web browsers before activating this preference. You can read more about some of these risks in "CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests" and the corresponding FAQ for Web Users.

    More information on the risks associated with enabling scripting in web browsers can be read in the document "Results of the Security in ActiveX Workshop". Please note this document is a .pdf file.

Why must I enable scripting to generate and pickup my certificate?

    You must enable scripting in your browser because the commands used to generate the certificate request are handled by your browser. The interface your browser uses to perform these commands requires scripting to be enabled.

What is a Certification Authority?

    The organization issuing the certificate to you is called a Certification Authority. Each Certification Authority has its own process for issuing the certificate and for verifying the authenticity of the person to whom they are giving the certificate. A Certification Authority basically generates and distributes certificates. It signs these certificates with its own private key.

Why must I accept the CERT Certification Authority into my browser?

    By accepting the CERT Certification Authority, you acknowledge the CERT/CC as an organization that generates and signs certificates. This enables your browser to recognize other certificates signed by the CERT Certification Authority.

    When you accept the CERT Certification Authority into your browser, you are installing a copy of the Certification Authority's public key. This public key will be used to recognize the CERT Knowledgebase server when you connect to it. If you do not install the Certification Authority, then your browser will not be able to validate the public key (site certificate) sent to you by the knowledgebase server as part of the authentication process.

How do I delete this CERT Certification Authority from my browser?

    Certificate Authorities are stored in your web browser, usually under the title of "signers" or "authorities". Most browsers have a command that you can use to delete unwanted Certificate Authorities. If you are not sure how to use the delete Certification Authority command for your browser, you will need to check your browser's online help.

What happens to the private key I generate?

    Your private key is installed on the computer you are using to submit the request. You can use the private key to digitally sign documents, encrypt information, and decrypt information sent by others who encrypted it using your public key. Each time you use your private key, you will be prompted to enter the passphrase for your certificate.

What does the key size signify?

    The key size is the number of bits in the key; the larger the number of bits the stronger the key. The CERT/CC recommends choosing a key size of at least 1024.




Using a CERT-issued certificate

How do I use my CERT-issued certificate?

    You need to present your certificate for authentication whenever you connect to any part of the CERT Knowledgebase that requires secure access, such as the Vulnerability Reports Catalog.

    Generally, once you type in the web address (URL) for any secure page in the knowledgebase, your browser will present you with a dialog screen to select a certificate to be used for this authentication. Make sure you select your CERT-issued certificate. You will then be prompted to enter the passphrase of your certificate (or certificate database).

    This sequence of actions usually happens once per web session. However, if you leave the knowledgbase and go to other web sites and then return to the knowledgebase, you may be prompted to re-authenticate. Sometimes, you may even be prompted to re-select your certificate as you navigate through the knowledgebase, but you will not be prompted to enter your certificate passphrase.

    Remember that you need to use a browser that has a copy of your certificate installed to access any secure data in the CERT Knowledgebase. If you are using a browser on a different computer, you need to make sure that you have copied your certificate to that computer and installed it in the browser, as described in the question "How do I move my certificate to another computer" listed below.

Where is my certificate stored?

    Once you have requested a certificate, a public and private key are generated. The private key is automatically installed on your personal computer. The public key is sent to the CERT Certification Authority for signing. When you pick up your signed public key, it will contain your certificate, which will also need to be installed on your personal computer.

    To pick up your approved certificate and successfully install it in your browser, you must connect to the pickup site using a browser that has your private key installed in it. You should normally use the same computer/browser that you used to request the certificate to also pick up the certificate. If you want to use another computer, you need to ensure that the private key has been moved to this other computer.

    Certificates also have passphrases attached to them.
    • In Internet Explorer, you can set a passphrase on each certificate you create. Each time you use your certificate you must enter the certificate passphrase.
    • In Mozilla, there is one certificate database, and you set a passphrase on that database. Each time you use your certificate, you must enter the certificate database passphrase.
    The CERT/CC has a copy of your public key only. If you lose your private key or passphrase, it cannot be retrieved. You have to request a new certificate.

How do I make a backup of my certificate?

    You can make another copy of your certificate by using the Export Certificate command in your web browser. Your browser will save the certificate into a file. Be prepared to select a location where this file can be saved. For example, you could save it to a diskette so that you can store a copy of the certificate in a safe.

    Different browsers, and even versions of the same browser, may have a different procedure for exporting a certificate. If you are not sure how to use the export command for your browser, please check your browser's online help.

    Some browsers will prompt you to create a backup of your certificate during the certificate creation process. If you receive this prompt, we encourage you to follow the instructions and create the backup at that time. Store your backup in a secure area.

How do I move my certificate to another computer?

    You may need to use your certificate on more than one computer. To do this, you need to make a copy of the certificate and install the copy into the web browser of any other computer you will be using to access the CERT Knowledgebase.

    Follow the instructions in the previous section to export your certificate to file on a diskette. Insert the diskette into the drive of the computer where you would like to install the certificate. Use your browser's Import Certificate command to copy the certificate into the browser.

    If you are not sure how to use the import command for your browser, please check your browser's online Help.

    CERT-issued certificates are not transferable and may not be shared with anyone else.

What security precautions should I take to protect my certificate?

    Make sure that the computer your certificate is installed on is secure. If possible, use a computer that you have continued and possibly sole access to. Do not use a computer that is in a public location or has multiple users. This will help you protect the security of your certificate at all times.

    Use a password to prevent access to the computer that houses your certificate. You should also ensure the physical safety of the computer by shutting down or locking the computer when you are away from it and physically locking the room where the computer is located.
    Don't let anyone else use your certificate. Always protect certificate passphrases and never share them.

How long will my certificate grant me access to the CERT Knowledgebase?

    Your certificate will grant you access to the CERT Knowledgebase until either the expiration date on your certificate passes or the term of your contract ends. You can view the expiration date of your certificate in your browser. For information about the term of your contract, please contact the POC (point of contact) in your organization. If you do not have or do not know who your POC is, please contact us for information regarding your access status.

    If your certificate expires and you would like to retain access to the CERT Knowledgebase, please contact cert@cert.org. If we determine that your access should be extended, we will ask you to request a new certificate.

What do I do when my CERT-issued certificate expires?

    If you need to continue accessing the restricted components of the CERT Knowledgebase after your certificate expires, you will need to request a new certificate. You do this by sending your request in an email to cert@cert.org. You should identify yourself as a previous CERT-issued certificate owner.
    Once the CERT/CC receives your request, we will verify that you are still an appropriate candidate. If your request is approved, you will receive a new set of instructions on how to create a new certificate.

What are my responsibilities regarding any CERT-issued certificate I may generate?

    The following are legal responsibilities and agreements that you are to abide by as a user of the CERT Knowledgebase:

    1. You will not share or lend your CERT-issued certificate.
    2. You will use the certificate only for the purpose of accessing the CERT Knowledgebase.
    3. You will use appropriately licensed software to access the CERT Knowledgebase.
    4. You will abide by the terms of the SEI CERT Knowledgebase non-disclosure agreement signed by you or your authorized organizational signature entity (if you were required to sign a non-disclosure to get approval for a certificate). Sometimes a non-disclosure is part of a broader agreement between your organization and the SEI.
    5. You will immediately notify the CERT/CC of any suspected or actual loss, theft, disclosure, modification, compromise, or unauthorized use of the certificate or its associated private key.
    6. Remember - the CERT/CC has the right to revoke access to the CERT Knowledgebase and to publish a revocation for your certificate for any reason whatsoever, including, but not limited to, breach of this agreement, or any loss, theft, disclosure, modification, compromise, or unauthorized use of the certificate and corresponding private key. Revocation of your certificate and access does not affect your obligations under item #4 above.




Troubleshooting


My computer was rebuilt and I lost my certificate.
    The certificate you use to access the CERT Knowledgebase is stored on your personal computer the CERT/CC does not have a copy. If your computer is rebuilt, and you do not have a backup copy of your certificate, you will need to request a new one.
    You may want to store a backup copy of your certificate in a secure location such as a safe.

I forgot my passphrase.

    The passphrase you use to access your CERT-issued certificate is stored on your personal computer. The CERT/CC has no access to your private key or passphrase. If you forget your passphrase, you will not be able to use your certificate or access any web site that requires the certificate. You will need to request a new certificate.
    It is vitally important that you remember your passphrase. You may want to store a backup copy in a secure location such as a safe, along with a copy of your certificate.

After I hit the submit button on the Form in step 2, I receive the error message: “The string contains an invalid X500 name attribute key, oid, value or delimiter.

    Please verify that you are not using any punctuation, special characters, or foreign letters in your submission.

I have a certificate, but am unable to access the CERT Knowledgebase.

    Make sure you are using the same browser that you created your certificate with. You cannot create a certificate in Internet Explorer and then use Mozilla Firefox to access the CERT Knowledgebase without first transferring the certificate into Mozilla Firefox.

    Check your browser to be sure that it supports 128-bit encryption. If it does not, you will need to upgrade your browser.
    Verify that SSL 3.0 is enabled.

    For assistance, send email to cert@cert.org or call the hotline: +1 412 268-7090.