Chapter 5. eAIP Security - How to sign an eAIP with x509

Introduction

This chapter describes the procedure to sign an eAIP package using x509. See also the eAIP Security Risks and Mitigation Strategies in the eAIP Specification.

Necessary software and prerequisites

You need software to create Zip packages. The most widely used is WinZip.

You also need to have a CA set up, as described in How to setup up a x509 signing environment.

Procedure

The steps are:

Set up the signing environment

The eAIP Signing tool is provided by EUROCONTROL and is part of the full eAIP package (in the tools\Security\Sign directory), also available on the eAIP Web site. It is also available as a separate download package; in this case, download this package and unpack it in the [eAIP package directory]\tools\Security\Sign directory.

Export the private key and certificate from XCA and import them into eAIPSign

Open the XCA application.

Click on the Certificate tab on top, then expand the certificate list in order to display the signer's certificate.

Right-click on the signer's certificate and choose the Export / File option.

In the Filename field, type [eAIP package directory]\tools\Security\Sign\Certificate, followed by the certificate filename. The name must not contain spaces and should end with the suffix .crt.

Select PEM as Export Format. Click OK to export the certificate.

Click on the RSA Keys tab on top. Right-click on the signer's private key and choose the Export option.

In the Filename field, type [eAIP package directory]\tools\Security\Sign\PrivateKey, followed by the private key filename. The name must not contain spaces and should end with the suffix .pem.

Select PEM as Export Format.

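Make sure "Export the private part of the Key too" is checked, and "Encrypt the key with a password" is not checked. The exported file then holds the signing key unencrypted, so limit access to it to the person who signs the package.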

Click OK to export the private key.
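A pre-flight check for the two exported files, as an added example that is not part of the eAIP toolset: it verifies the filename rules and PEM export settings described above by inspecting file names and PEM headers only. It assumes Certificate and PrivateKey are subdirectories of the Sign directory; the function names are hypothetical.

```python
import re
import sys
from pathlib import Path

# Added example: inspects file names and PEM headers only; key and
# certificate bodies are not parsed or validated.
CERT_BEGIN = "-----BEGIN CERTIFICATE-----"
KEY_BEGIN = re.compile(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----")
ENCRYPTED = ("-----BEGIN ENCRYPTED PRIVATE KEY-----", "Proc-Type: 4,ENCRYPTED")

def check_name(path, suffix):
    """Filename rules from the export steps: no spaces, fixed suffix."""
    problems = []
    if " " in path.name:
        problems.append(f"{path.name}: name contains spaces")
    if path.suffix.lower() != suffix:
        problems.append(f"{path.name}: name should end with {suffix}")
    return problems

def check_certificate(path):
    problems = check_name(path, ".crt")
    text = path.read_text(encoding="latin-1")
    if CERT_BEGIN not in text:
        problems.append(f"{path.name}: not a PEM certificate")
    if "PRIVATE KEY-----" in text:
        problems.append(f"{path.name}: contains a private key; export the certificate only")
    return problems

def check_private_key(path):
    problems = check_name(path, ".pem")
    text = path.read_text(encoding="latin-1")
    if any(marker in text for marker in ENCRYPTED):
        problems.append(f"{path.name}: key is password-encrypted")
    elif not KEY_BEGIN.search(text):
        problems.append(f"{path.name}: no PEM private key found")
    return problems

def preflight(sign_dir):
    """Check every file under the assumed Certificate and PrivateKey subdirectories."""
    problems = []
    for sub, check in (("Certificate", check_certificate), ("PrivateKey", check_private_key)):
        files = [p for p in sorted((Path(sign_dir) / sub).glob("*")) if p.is_file()]
        if not files:
            problems.append(f"{sub}: no exported file found")
        for path in files:
            problems.extend(check(path))
    return problems

if __name__ == "__main__":
    for problem in preflight(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("PROBLEM:", problem)
```

An empty result means both exports match the settings in the steps above; it does not confirm that the key and certificate belong together.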

Generate a Zip package containing the eAIP

Generate a single Zip package containing the eAIP. Save this file in the [eAIP package directory]\tools\Security\Sign directory. For example, name this file EC-eAIP.zip.

Sign the Zip package

Open a command-prompt window and change the current directory to [eAIP package directory]\tools\Security\Sign.

Type sign EC-eAIP.zip. You will find, in the same directory, a new file EC-eAIP.zip.sig, which is the signed package you can distribute.

Distribute the signed Zip package to end-users

Steps for distribution

  1. Send the CA certificate to end-users who request it. Steps to export the certificate are described in How to setup up a x509 signing environment.

  2. Send the signed package