ODSGenerateX509Certificate Generating WebID-watermarked X.509 Certificates for Use with ODS Generating WebID-watermarked X.509 Certificates for Use with ODS Why use X.509 Certificates for Authentication? Password-based authentication is inherently difficult to maintain, and presents an awkward option in the context of RESTful client/server interactions over local and wide area networks (LANs and WANs). X.509 Certificates provide an elegant alternative which is more easily maintained, with a more streamlined user experience overall. How are X.509 Certificates generated? Thanks to its Virtuoso underpinnings, ODS possesses built-in functionality for generating X.509 Certificates with WebID watermarks. With ODS, certificate generation is typically done through a web browser. The specific process varies because each browser vendor has chosen their own approach to manage Certificates and their associated Private Keys. Below, we cover certificate generation for several browsers, with keystore persistence handled variously by the host operating system or the Browser. Certificate Generation & Keystore Management <tgroup><thead /><tbody> <row /> <row><entry> <emphasis>Chrome</emphasis> </entry><entry> <keygen/> </entry><entry> Y </entry><entry> N </entry><entry> </entry></row> <row><entry> <emphasis>Firefox</emphasis> </entry><entry> .NET-based browser plug-in </entry><entry> Y </entry><entry> N </entry><entry> </entry></row> <row><entry> <emphasis>Firefox</emphasis> </entry><entry> <keygen/> </entry><entry> N </entry><entry> Y </entry><entry> </entry></row> <row><entry> <emphasis>IE</emphasis> </entry><entry> OpenLink X.509 Certificate Generator plug-in </entry><entry> Y </entry><entry> N </entry><entry> When using the user-friendly, Wizard-style interface of this plug-in, you (the issuer) must create a root CA certificate before generating any <ulink url="WebID">WebID</ulink>-watermarked certificates. </entry></row> <row><entry> <emphasis>IE</emphasis> </entry><entry> Windows-native generator </entry><entry> Y (Windows only) </entry><entry> N </entry><entry> Best reserved for advanced users. </entry></row> <row><entry> <emphasis>Opera</emphasis> </entry><entry> <keygen/> </entry><entry> N </entry><entry> Y </entry><entry> </entry></row> <row><entry> <emphasis>Safari</emphasis> </entry><entry> <keygen/> </entry><entry> Y </entry><entry> N </entry><entry> </entry></row> </tbody></tgroup></table> <bridgehead class="http://www.w3.org/1999/xhtml:h2"> X.509 Certificate Generation Methods</bridgehead> <bridgehead class="http://www.w3.org/1999/xhtml:h3"> Using ODS</bridgehead> <itemizedlist mark="bullet" spacing="compact"><listitem><ulink url="ODSGenerateWebIDX509CertBrsKeystore">Generate an X.509 Certificate with a WebID watermark that's stored by browser keystore</ulink></listitem> </itemizedlist><bridgehead class="http://www.w3.org/1999/xhtml:h3"> Using Virtuoso Certificate Generation Wizard (Windows only)</bridgehead> <itemizedlist mark="bullet" spacing="compact"><listitem><ulink url="ODSGenerateWebIDX509CertOSKeystore">Generate an X.509 Certificate with a WebID watermark that's stored by OS keystore</ulink></listitem> </itemizedlist><bridgehead class="http://www.w3.org/1999/xhtml:h3"> Using Windows-Native Keystore</bridgehead> <orderedlist spacing="compact"><listitem><ulink url="http://swimmingpooldotnet.wordpress.com/2009/12/15/how-to-view-local-machine-keystore-windows-xp/">View Local Machine KeyStore and enable a snap-in</ulink>. </listitem> <listitem><ulink url="http://technet.microsoft.com/en-us/library/bb727068.aspx">Generate Certificate Guide</ulink>. </listitem> <listitem>Import the generated Cert in ODS by pasting its content in the X.509 Certificate text-area presented at <emphasis><emphasis>User Profile -> Edit -> Security -> X.509 Certificates</emphasis></emphasis> tab page.</listitem> </orderedlist><bridgehead class="http://www.w3.org/1999/xhtml:h3"> Using openssl</bridgehead> <para>You can manually use <ulink url="OpenSSL">OpenSSL</ulink> to generate the certificate, and then import that Certificate to ODS through its PEM Import UI. Then, both Certificate and Private Key must be imported into the OS- and/or browser-based keystore. Finally, the Cert results in Public Key and <ulink url="WebID">WebID</ulink> relation in Profile Graph.</para> <bridgehead class="http://www.w3.org/1999/xhtml:h4">Basic Steps</bridgehead> <orderedlist spacing="compact"><listitem><ulink url="http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtGenerateX509Cert">Generate x.509 Certificate</ulink>. </listitem> <listitem><ulink url="http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSetupSSLFileSystem">Set up HTTPS Support in Virtuoso</ulink>. </listitem> <listitem><ulink url="http://ods.openlinksw.com/wiki/ODS/VirtODSSecurityWebID#Configure%20your%20ODS%20Account%20to%20use%20the%20WebID%20Protocol">Configure your ODS Account to use the WebID Protocol</ulink>. </listitem> <listitem><ulink url="http://ods.openlinksw.com/wiki/ODS/VirtODSSecurityWebID#Test%20the%20setup">Test the setup</ulink>.</listitem> </orderedlist><bridgehead class="http://www.w3.org/1999/xhtml:h4"> Browser-Specific Notes</bridgehead> <itemizedlist mark="bullet" spacing="compact"><listitem><emphasis>Firefox:</emphasis> You must import the Private Key into the OS- and/or Browser-based keystore(s) using the relevant import mechanism. </listitem> <listitem><emphasis>Opera:</emphasis> You must import the Private Key into the OS- and/or Browser-based keystore(s) using the relevant import mechanism.</listitem> </itemizedlist><bridgehead class="http://www.w3.org/1999/xhtml:h4"> OS-Specific Notes</bridgehead> <itemizedlist mark="bullet" spacing="compact"><listitem><emphasis>Mac OS X:</emphasis> <ulink url="OpenSSL">OpenSSL</ulink> is not needed. The Mac-native keystore lets you create certificates, based on Apple's root CA. </listitem> <listitem><emphasis>Windows:</emphasis> <ulink url="OpenSSL">OpenSSL</ulink> is not needed. The Windows-native keystore lets you create certificates, based on Microsoft's root CA.</listitem> </itemizedlist><para> </para> <bridgehead class="http://www.w3.org/1999/xhtml:h2">Related</bridgehead> <itemizedlist mark="bullet" spacing="compact"><listitem><ulink url="http://www.youtube.com/watch?v=gzqHVUb3qrw&feature=share">Power of WebID + OpenID Hybrid Protocol via Internet Explorer & Windows</ulink> </listitem> <listitem><ulink url="http://www.youtube.com/watch?v=eXoxUo7Py4M&feature=share">Using Safari to Demonstrate WebID + OpenID Hybrid Protocol Power!</ulink> </listitem> <listitem><ulink url="http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSPARQLEndpointProtection">Safeguarding your Virtuoso-hosted SPARQL Endpoint</ulink> </listitem> <listitem><ulink url="http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtTipsAndTricksGuideSPARQLEndpointProtection">SPARQL Endpoint Protection Methods Collection</ulink> </listitem> <listitem><ulink url="http://docs.openlinksw.com/virtuoso/">Virtuoso documentation</ulink> <itemizedlist mark="bullet" spacing="compact"><listitem><ulink url="http://docs.openlinksw.com/virtuoso/rdfsparql.html#rdfsupportedprotocolendpoint">SPARQL Service Endpoint</ulink> </listitem> <listitem><ulink url="http://docs.openlinksw.com/virtuoso/rdfsparql.html#rdfsupportedprotocolendpointuri">Service Endpoint Security</ulink> </listitem> <listitem><ulink url="http://docs.openlinksw.com/virtuoso/rdfsparql.html#sparqwebservicetbl">Managing a SPARQL Web Service Endpoint</ulink> </listitem> <listitem><ulink url="http://docs.openlinksw.com/virtuoso/rdfsparql.html">SPARQL</ulink> </listitem> </itemizedlist></listitem> <listitem><ulink url="http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtTipsAndTricksGuide">Virtuoso Tips and Tricks Collection</ulink> <itemizedlist mark="bullet" spacing="compact"><listitem><ulink url="http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSPARQLDET">SPARQL Endpoint DET Configuration Guide</ulink> </listitem> <listitem><ulink url="http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSPARQLSecurityWebID">WebID Protocol & SPARQL Endpoint ACLs Tutorial</ulink> </listitem> <listitem><ulink url="http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtOAuthSPARQL">SPARQL OAuth Tutorial</ulink> </listitem> <listitem><ulink url="http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtTipsAndTricksGuideSPARQLEndpoints">Securing SPARQL endpoints</ulink> </listitem> </itemizedlist></listitem> <listitem><ulink url="OdsSPARQLAuth">SPARUL over SPARQL using the http://cname:port/sparql-auth endpoint</ulink> </listitem> <listitem><ulink url="http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtAuthServerUI">Virtuoso Authentication Server UI</ulink> </listitem> <listitem><ulink url="http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSPARQLSSL">Manage a SPARQL-WebID based Endpoint</ulink> </listitem> <listitem><ulink url="VirtODSSecurityWebID">WebID Protocol Support in OpenLink Data Spaces</ulink>. </listitem> <listitem>Manage ODS Datadspaces Objects <ulink url="WebID">WebID</ulink> Access Control Lists (ACLs): <itemizedlist mark="bullet" spacing="compact"><listitem><ulink url="ODSBriefcaseWebID">ODS Briefcase WebID based ACL Guide</ulink> <itemizedlist mark="bullet" spacing="compact"><listitem><ulink url="ODSBriefcaseWebIDPerson">Person Entity WebID based ACL Guide</ulink> </listitem> <listitem><ulink url="ODSBriefcaseWebIDGroup">Group Entity WebID based ACL Guide</ulink> </listitem> <listitem><ulink url="ODSBriefcaseWebIDPublic">Public WebID based ACL Guide</ulink> </listitem> </itemizedlist></listitem> <listitem><ulink url="ODSFeedManagerWebIDACL">ODS Feed Manager WebID based ACL Guide</ulink> <itemizedlist mark="bullet" spacing="compact"><listitem><ulink url="ODSFeedManagerWebIDACLPerson">Person Entity Specific ACL</ulink> </listitem> <listitem><ulink url="ODSFeedManagerWebIDACLGroup">Group Entity Specific ACL</ulink> </listitem> <listitem><ulink url="ODSFeedManagerWebIDACLPublic">Public Specific ACL for anyone with a WebID</ulink> </listitem> </itemizedlist></listitem> <listitem><ulink url="ODSCalendarWebIDACL">ODS Calendar WebID based ACL Guide</ulink> <itemizedlist mark="bullet" spacing="compact"><listitem><ulink url="ODSCalendarWebIDACLPerson">Person Entity Specific ACL</ulink> </listitem> <listitem><ulink url="ODSCalendarWebIDACLGroup">Group Entity Specific ACL</ulink> </listitem> <listitem><ulink url="ODSCalendarWebIDACLPublic">Public Specific ACL for anyone with a WebID</ulink> </listitem> </itemizedlist></listitem> <listitem><ulink url="ODSBookmarksWebIDACL">ODS Bookmark Manager WebID based ACL Guide</ulink> <itemizedlist mark="bullet" spacing="compact"><listitem><ulink url="ODSBookmarksWebIDACLPerson">Person Entity Specific ACL</ulink> </listitem> <listitem><ulink url="ODSBookmarksWebIDACLGroup">Group Entity Specific ACL</ulink> </listitem> <listitem><ulink url="ODSBookmarksWebIDACLPublic">Public Specific ACL for anyone with a WebID</ulink> </listitem> </itemizedlist></listitem> <listitem><ulink url="ODSAddressBookWebIDACL">ODS Addressbook WebID based ACL Guide</ulink> <itemizedlist mark="bullet" spacing="compact"><listitem><ulink url="ODSAddressBookWebIDACLPerson">Person Entity Specific ACL</ulink> </listitem> <listitem><ulink url="ODSAddressBookWebIDACLGroup">Group Entity Specific ACL</ulink> </listitem> <listitem><ulink url="ODSAddressBookWebIDACLPublic">Public Specific ACL for anyone with a WebID</ulink> </listitem> </itemizedlist></listitem> </itemizedlist></listitem> <listitem><ulink url="ODSPkiSetup">Guide for Set up a X.509 certificate issuer and HTTPS listener and generate ODS user certificates</ulink> </listitem> <listitem><ulink url="ODSSetupSSL">Configure Virtuoso+ODS instance as an X.509 Certificate Authority and HTTPS listener</ulink> </listitem> <listitem><ulink url="http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSetupSSL">Configure Virtuoso instance as an X.509 Certificate Authority and HTTPS listener</ulink> </listitem> <listitem><ulink url="VirtODSPubSubHub">Setting up PubSubHub in ODS</ulink> </listitem> <listitem><ulink url="VirtPubSubHub">PubSubHubBub Demo Client Example</ulink> </listitem> <listitem><ulink url="VirtFeedPubSubHub">Feed subscription via PubSubHub protocol Example</ulink> </listitem> <listitem><ulink url="VirtPubSubHubACL">Setting Up PubSubHub to use WebID Protocol or IP based control lists</ulink> </listitem> <listitem><ulink url="OdsKeyImport">CA Keys Import using Conductor</ulink> </listitem> <listitem><ulink url="ODSGenerateWebIDX509CertOSKeystore">Generate an X.509 Certificate (with a WebID watermark) to be managed by host operating system keystore</ulink> </listitem> <listitem><ulink url="ODSGenerateWebIDX509CertBrsKeystore">Generate an X.509 Certificate (with a WebID watermark) to be managed by a browser-based keystore</ulink> </listitem> <listitem><ulink url="ODSWebIDIdP">Using Virtuoso's WebID Verification Proxy Service with a WebID-bearing X.509 certificate</ulink> </listitem> <listitem><ulink url="ODSWebIDIdpProxy">Using Virtuoso's WebID Identity Provider (IdP) Proxy Service with an X.509 certificate</ulink> </listitem> <listitem><ulink url="ODSBriefcaseWebIDShareFile">ODS Briefcase WebID Protocol Share File Guide</ulink> </listitem> <listitem><ulink url="http://esw.w3.org/topic/foaf+ssl">WebID Protocol Specification</ulink> </listitem> <listitem><ulink url="https://foaf.me/simpleLogin.php">Test WebID Protocol Certificate page</ulink> </listitem> <listitem><ulink url="http://test.foafssl.org/cert/">WebID Protocol Certificate Generation page</ulink> </listitem> </itemizedlist></section></docbook>