000027230 - Can RCM issue Cookie encryption key (CEK) certificates?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000027230
Applies To: RSA Certificate Manager 6.7
            Microsoft Windows 2003 Server SP1
Issue: Can RCM issue Cookie encryption key (CEK) certificates?

This topic covers the process involved in obtaining the cookie encryption key (CEK) and data encryption key (DEK) digital certificates. For more information about the types of certificates that Relying Party Suite (RPS) uses, see Introduction to Certificates.

Determining the types of certificates your site needs depends on the following factors:

  • Sites that have to write authentication cookies need a cookie encryption key (CEK) to encrypt those cookies. Sites in the Live.com domain do not have to have a CEK because the login server writes the cookies directly.
  • Sites that use HTTP for the return URL from the login server need a data encryption key (DEK). The DEK is used to encrypt tickets from the login server when they are passed over nonsecure channels. Sites that use the Low Business Impact (LBI) and Medium Business Impact (MBI) authentication policies and use HTTP for the return URL must use a DEK. For more information, see Choosing an Authentication Policy.
  • When multiple RPS-enabled sites exist within the same domain, they can also choose to share the CEK and DEK. This lets the sites behave as a single site with regard to authentication and eliminates the need for each site to obtain its own certificates. For more information, see Sharing Authentication State.
  • Sites in the LBI and MBI categories which also reside in the Live.com and MSN.com domains will share common encryption certificates. If your site falls into this category, you can request the shared certificate by using the Shared Encryption Key Request form at the internal Windows Live ID Partner Portal. To determine certificate requirements for your site, see the following table.

Certificate Requirements

Authentication Policy: LBI / MBI
    Live.com:  DEK: Windows Live Shared DEK**
    MSN.com:   CEK: MSN Shared CEK
               DEK: MSN Shared DEK**
    Others:    CEK: Generate New Certificate
               DEK: Generate New Certificate

Authentication Policy: LBI / MBI, overriding to LBI_SSL / MBI_SSL
    Live.com:  CEK: Windows Live Shared CEK
               DEK: Windows Live Shared DEK**
    MSN.com:   CEK: MSN Shared CEK
               DEK: MSN Shared DEK**
    Others:    CEK: Generate New Certificate
               DEK: Generate New Certificate

Authentication Policy: HBI
    Live.com:  CEK: Generate New Certificate*
               DEK: Not Applicable
    MSN.com:   CEK: Generate New Certificate*
               DEK: Not Applicable
    Others:    CEK: Generate New Certificate*
               DEK: Not Applicable

* When using your own private CEK (not shared), make sure that your cookies are scoped to your own application's fully qualified domain name and that your cookie names are unique (MySiteRPSAuth, MySiteRPSSecAuth).
** To obtain shared certificates for MSN.com or Live.com sites, use the Shared Encryption Key Request form at the internal Windows Live ID Partner Portal. After obtaining the shared DEK certificate, you must upload the public key to the Microsoft Services Manager (https://msm.live.com) Web site.

Important: Private keys that are used for authentication in the Production environment have a high value and should be handled and stored by using appropriate security measures.

Certificate Requirements

Certificates to be used with RPS must meet the following requirements. The certificate:

  • Must be an RSA key pair. RPS does not read Digital Signature Algorithm (DSA) key pairs.
  • Can be either Distinguished Encoding Rules (DER) or base64 encoded.
  • Must have a Subject Key Identifier (SKI) property.
  • Must have a minimum key length of 1,024 bits. We recommend 2,048 bit keys.
  • Both a CEK and DEK may be self-signed certificates. They do not have to be issued by a publicly recognized certification authority (CA).

The CEK and DEK certificates are both obtained in the following ways:

Resolution

Based on the "Certificate Requirements" section above, cookie encryption key (CEK) and data encryption key (DEK) certificates are ordinary X.509 certificates: an RSA key pair (not DSA), a Subject Key Identifier extension, a key of at least 1,024 bits (2,048 bits recommended; 1,024-bit RSA is the documented minimum but is no longer considered adequate for new keys), delivered as DER or base64 encoding. They can be self-signed or issued by a CA.

With RCM, you are able to generate these certificates: issue an RSA certificate that includes the Subject Key Identifier extension and export it in DER or base64 encoding for RPS.
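The following is an added example, not RCM, RPS or RSA code, showing what "generate these certificates" amounts to for a self-signed CEK and how to verify that any certificate file meets the requirements listed above (RSA key pair, Subject Key Identifier present, minimum key length, DER or base64 encoding). It assumes the openssl command-line tool (1.1.1 or later, for `-addext`) is available; the subject name and the file names are placeholders.

```shell
#!/bin/sh
# Added example (not RCM or RPS code): create a self-signed cookie encryption
# key (CEK) certificate that satisfies the RPS requirements listed above, then
# check any certificate file against those requirements.
# Assumes the openssl command-line tool (1.1.1 or later, for -addext) is available.
set -e

# make_cek NAME [BITS]: writes NAME.key (private key), NAME.pem (base64 encoded
# certificate) and NAME.der (DER encoded certificate). The subject name is a
# placeholder; use your site's own fully qualified domain name.
make_cek() {
    name="$1"
    bits="${2:-2048}"          # the document recommends 2,048-bit keys
    openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 -days 730 \
        -keyout "$name.key" -out "$name.pem" \
        -subj "/CN=$name.example.test/O=Example CEK" \
        -addext "subjectKeyIdentifier=hash" >/dev/null 2>&1
    # Production private keys are high value (see the Important note above):
    # restrict the key file to its owner.
    chmod 600 "$name.key"
    openssl x509 -in "$name.pem" -outform DER -out "$name.der"
}

# check_rps_cert FILE [MINBITS]: accepts a DER or base64 (PEM) certificate and
# reports each requirement; returns 0 only if all of them hold.
check_rps_cert() {
    file="$1"
    minbits="${2:-2048}"
    # Either encoding is acceptable to RPS, so try PEM first and fall back to DER.
    if ! text=$(openssl x509 -in "$file" -inform PEM -noout -text 2>/dev/null); then
        if ! text=$(openssl x509 -in "$file" -inform DER -noout -text 2>/dev/null); then
            echo "FAIL: $file is neither a PEM nor a DER certificate"
            return 1
        fi
    fi
    status=0
    # Requirement: RSA key pair (RPS does not read DSA key pairs).
    case "$text" in
        *"Public Key Algorithm: rsaEncryption"*) echo "ok:   RSA key pair" ;;
        *) echo "FAIL: public key is not RSA"; status=1 ;;
    esac
    # Requirement: minimum key length (1,024 bits allowed, 2,048 recommended).
    # Matches both "RSA Public-Key: (2048 bit)" (1.1.1) and "Public-Key: (2048 bit)" (3.x).
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -n "$bits" ] && [ "$bits" -ge "$minbits" ]; then
        echo "ok:   key length $bits bits (minimum $minbits)"
    else
        echo "FAIL: key length ${bits:-unknown} bits is below $minbits"
        status=1
    fi
    # Requirement: Subject Key Identifier extension present.
    case "$text" in
        *"X509v3 Subject Key Identifier"*) echo "ok:   Subject Key Identifier present" ;;
        *) echo "FAIL: no Subject Key Identifier extension"; status=1 ;;
    esac
    return "$status"
}

# Usage (hypothetical site name "mysite"):
#   make_cek mysite 2048
#   check_rps_cert mysite.der
```

The check reads the certificate with openssl in either encoding rather than trusting the file extension, so the same function can be run against a certificate exported from RCM, a shared MSN or Live.com certificate, or a self-signed one before it is installed for RPS.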

Legacy Article ID: a42918
