CertAgent. Certificate Authority Guide


CertAgent Certificate Authority Guide Version December 12, 2013

Information in this document is subject to change without notice and does not represent a commitment on the part of Information Security Corporation. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of the agreement. No part of this manual may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, for any purpose other than the purchaser's personal use without the prior written permission of Information Security Corp.

CertAgent is commercial computer software and, together with any related documentation, is subject to the restrictions on U.S. Government use as set forth below.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software Clause at DFARS Contractor/manufacturer is Information Security Corporation, 1011 W. Lake Street, Suite 425, Oak Park, IL

The U.S. International Traffic in Arms Regulations (ITARs) (22 CFR ) prohibits the dissemination of certain types of technical data to foreign nationals.

Protected by U.S. Patent No. 5,699,431.

CertAgent is a trademark of Information Security Corp. Other product and company names mentioned in this document may be the trademarks of their respective owners.

The cryptographic functionality of CertAgent is provided by CDK 7.0, ISC's FIPS validated cryptographic module, via a Java JNI and/or an RMI interface. In addition, CertAgent uses code extracted or derived from the following open source software packages redistributable under the terms of the GPL: Log4j, Version : Copyright The Apache Software Foundation. All rights reserved.

CertAgent Certificate Authority Guide, Version (December 2013) Information Security Corporation. All rights reserved.

Information Security Corporation
1011 W. Lake Street, Suite 425
Oak Park, IL
Phone:
Fax:
Website: sales@infoseccorp.com

Table of Contents

1 Introduction
CertAgent Architecture
About this Guide
Technical Support
Certificate Authorities
Overview
Communicating with the Server
Access Control and Permissions
Using a Master Account
Logging In
Using a Profile
Creating Credential for a CA
Generating Credential for a Root CA
Generating Credential for Subordinate CA
Using Existing Credentials
Installing Credentials
Installing a Certificate Issued by an Internal CA
Installing a Certificate Issued by an External CA
Exporting Credentials
Renewing Certificates
Renewing a Root Certificate
Renewing Subordinate CA Certificates
Publishing CA Certificates
Publishing Certificates to a Remote LDAP Directory
Viewing Account Status
Managing Certificate Requests
Searching Certificate Requests
Issuing Certificates
Rejecting a Certificate Request
Reinstating Rejected Certificate Requests
Viewing Processed Certificate Requests
Changing the Assigned Profile
Updating a User's Contact Address
Exporting Certificate Requests
Managing Certificates
Searching Certificates
Viewing Certificates
Revoking Certificates
Changing the Revocation Status of a Certificate
Viewing Revoked Certificates
Viewing Expired Certificates
Changing the Assigned CA Account

Sending Certificate Retrieval Notifications
Managing Certificates in an External LDAP Repository
Updating a User's Contact Address
Viewing Certificate Properties
Managing CRLs
Issuing a CRL
Viewing CRLs
Setting Account Preferences
Managing Credentials
Managing Certificate Enrollment
Managing Certificate Profiles
Managing Certificate Issuance
Managing Revocation Policy
Managing CRL Issuance
Managing LDAP Repository Settings
Managing Notifications
Managing Public Site Configuration Settings
Viewing the Audit Trail
Using Help
Logging Out
Administrative Site
Logging In As the Site Administrator
Public Site
Viewing the Public Site
Glossary
References

1 Introduction

CertAgent is an easily managed, web-based certificate authority (CA) intended to be used as the core component of an enterprise's public key infrastructure (PKI). Designed to meet the needs of a wide variety of organizations, the current release offers:

- enhanced enrollment services (browser-, and file-based, as well as a remotely accessible RA Management Interface (RAMI) for the support of one or more properly authorized registration authorities (RAs))
- remote administration capabilities (HSM-based protection of critical system keys)

CertAgent supports an unlimited number of root and intermediate CAs, providing support for as complex a certificate hierarchy as the size of your enterprise warrants.

[Figure: The CertAgent 6 System Architecture. Labels recoverable from the diagram: HSM; External LDAP Repository (optional); ISC CDK (FIPS 140-2); JNI; CertAgent Server; Database; RMI; DBAccess; Report Generator; CACLI; Admin Interface; Java Servlet/JSP Container; Administration Module; Certificate Authority Interface; RA Management Interface; Public Module (enrollment, certificate retrieval, etc.); TLS w/ auth. (ACL); TLS w/ client auth. (ACL); TLS w/o client auth.; SQL query (via secure RMI); Administrator; CAs; RAs; End-users.]

1.1 CertAgent Architecture

The diagram on the preceding page illustrates the basic layout of the CertAgent system.

1.2 About this Guide

This guide explains how to configure, manage, and use CertAgent from the point of view of a certificate authority (CA) on the system. CA accounts are used to:

- implement and enforce one or more (formal or informal) certificate practice statement profiles
- issue certificates and CRLs conformant with those profiles
- view audit trail logs, and
- perform other critical tasks in the process of certificate lifecycle management.

This guide is divided into chapters as follows:

- Chapter 1 provides an overview of the organization and contents of this guide and explains its stylistic conventions.
- Chapter 2 explains how to configure, manage, and use CA accounts and profiles.
- Chapters 3 and 4 briefly discuss the system administrator role and use of the public site (for details, consult the separate CertAgent guides on those topics).
- Chapters 5 and 6 provide a glossary and list of useful references.

The remainder of this introduction provides an overview of the organization of the CertAgent system, provides contact information for technical support, and explains the stylistic conventions used in this manual.

1.3 Technical Support

Information Security Corporation provides technical support for CertAgent during the following business hours: 8:30 a.m. to 5:00 p.m. Central Time

Please contact us in one of the following ways:

Voice: (708)
Fax: (708)
Web: techsupport@infoseccorp.com

2 Certificate Authorities

2.1 Overview

An X.509 certificate authority issues certificates to various entities, revokes those certificates when the situation warrants, and periodically issues certificate revocation lists (CRLs) that can be used by client applications to determine if a given certificate has been revoked or placed on hold.

CertAgent supports a hierarchical organization of CAs, having one or more root CAs at the top level with any number of subordinate CAs underneath one of the roots. Each subordinate CA can, in turn, have additional subordinate CAs underneath it. End-users are typically leaf nodes in these (inverted) trees. Each node in a tree has its certificate signed by the CA immediately above it, while a root CA, having no CA above it, has a self-signed certificate. A complete certificate validation path is a path in one of these trees starting at an end-user certificate and chaining up to the self-signed certificate at its root.

Normally any CertAgent CA has the ability to process certificate requests passed to it by individual end-users and potential subordinate CAs. Certificate requests can either be rejected or processed by issuing a certificate.

A CertAgent CA, if permitted by the key usage extensions in its certificate, can also issue Certificate Revocation Lists (CRLs). A CRL consists of a list of serial numbers of those certificates issued by that CA that are not currently to be considered as valid, either because they have been permanently revoked or because they have been put on hold for one reason or another. Client applications that employ certificates typically check each individual certificate in a certificate path against the CRL of its respective issuer to verify that they are indeed to be considered valid at time of use.

2.2 Communicating with the Server

The CA account pages of the CertAgent website are secured. Your web browser must communicate with the CertAgent server over a TLS connection using strong, certificate-based, client authentication. In particular, this means that all command processes and data transfers between your computer and the web server are encrypted.

2.3 Access Control and Permissions

The following table describes the administrative permissions available for a CA account and the corresponding responsibilities:

Permission    Description of Role
admin         manage CA accounts and jobs
certify       issue certificates and reject invalid certificate requests
revoke        revoke certificates and issue CRLs
audit         view and export audit trails
RAMI          submit requests via the RA management interface (RAMI)

2.4 Using a Master Account

Every master CA account hosted by a particular CertAgent website has its account ID and access control list (ACL) managed by the site administrator. To log in to such an account, your personal certificate must appear in its ACL directory. The master account supports all the permissions.

Logging In

To log in to a CA account:

1. Launch Internet Explorer and enter the following URL in its address bar: port]/certagentadmin/ca/login.jsp
   Be sure to replace [host] and [SSL port] with the appropriate system name (or IP address) and SSL port of your CertAgent webserver.
2. Select your certificate in the Windows Security dialog to authenticate yourself to the webserver, and then click OK.
   Note: If your certificate does not appear in the Windows Security dialog, make sure that the appropriate administrative credentials have been imported into the Internet Explorer Personal certificates store and the trust anchor (root certificate) for your certificate has been imported into the Java trust store of your servlet container. Use the Java Key Tool to manage the Java trust store; then restart the servlet container.
3. Once you have been successfully authenticated to the server, the following login page will appear:

If you are authorized to access multiple accounts, select an account from the dropdown list. Otherwise, you will be logged in to your account automatically. The set of pages and tasks available is limited according to the permissions of the authorized user.

2.4.2 Using a Profile

A master CA account can have one or more profiles with their own account IDs and access control lists (which can only be modified by an authorized user of the master account). All profiles share the master account's signing key, but each can have a different stored profile, i.e., default settings for certificate and CRL management. Using profiles, a master CA can easily issue certificates complying with different pre-configured settings, but using the same signing key. (For example, a master CA may wish to establish one profile for issuing end-user S/MIME encryption and signing certificates and another profile for SSL server certificates. These profiles would have different certificate issuance settings, but would share the same signing key.)

Logging into a profile is similar to logging into a master account. A profile account only supports certify and revoke permissions.

2.5 Creating Credential for a CA [1]

[1] Requires the admin permission.

Log in to a master CA account, navigate to the Account Status page, and follow the link labeled "Click here to obtain a certificate". Alternatively, you can click Preferences, Credentials, then click New Credential.

CertAgent's New Credential wizard guides you through the process of establishing the X.509 credentials for your CA account. The first page of the wizard asks if you wish to generate a new key pair or import an existing one. You must also indicate whether this account will be operating as a root or subordinate CA and where the credentials for the account will be stored. Enter the required HSM access settings. To view the slots and labels available on your HSM, enter the path of the vendor-provided access library and click View Slots/Labels.

The remainder of this section explains in greater detail how to use the wizard.

Generating Credential for a Root CA

To create new credential for a root CA:

1. In the New Credential page, select "Generate a new key pair" and "A Root CA, with a self-signed certificate". Then, click Next. You will be presented with the following form:

Specify the RDNs. If necessary, change the validity period, key type, message digest, or certificate extensions, and then click Generate. Click OK to confirm your intentions. CertAgent will generate a new key pair of the type you specified. Once your new certificate has been installed, its properties will be displayed.

Generating Credential for Subordinate CA

To create new credential for a subordinate CA:

1. In the New Credential page, select "Generate a new key pair" and "A subordinate CA, with a PKCS#10 certificate request". Then, click Next.
2. If the superior CA that is to issue your certificate resides on the same system, select "to be submitted to a CA on this system" and click Next; otherwise skip to step 3.

   a. Select the superior CA who is to issue your certificate and complete the Certificate Request Information part of the form.
   b. Enter your address so that the issuing CA can notify you once your request has been processed, then click Generate.
   c. Click OK in the confirmation dialog. CertAgent will:
      - generate a new key pair of the type you specified,
      - create a certificate request containing the public key, and
      - store the HSM access information (with the HSM PIN encrypted under the system certificate) and the certificate request into the database.
      Your request will then be forwarded to the specified superior CA and confirmation of the success of this process will be displayed to you on a Results page.
3. If the superior CA that is to issue your certificate does not reside on the same system, select "to be submitted to an external CA" and click Next.
   a. Enter the required Certificate Request Information and click Generate.
   b. Click OK in the confirmation dialog. CertAgent will:
      - generate a new key pair of the type you specified,
      - create a certificate request containing the public key, and
      - store the HSM access information (with the HSM PIN encrypted under the system certificate) and the certificate request into the database.
      It will then display the properties of the certificate request.
   c. Click Export Request (and select either the Binary or Base64-encoded output formats) to save your certificate request to a file that you may manually submit to a superior CA.
   d. Once the superior CA has issued your certificate, click Install Certificate to install it in place of your certificate request. See the next section for details.

2.6 Using Existing Credentials [2]

[2] Requires the admin permission.

If you would like to install an existing key pair as your CA credentials or migrate an external certificate authority account to this CertAgent account, follow the instructions below.

1. In the New Credential page, enter the required HSM access information and select "Use an existing key pair". Then click Next. All available CA credentials on the HSM will be listed (certificates that either have the cA bit asserted in their basicConstraints extension or have no basicConstraints extension).
2. Select the CA certificate you wish to use. (To view detailed information about any of the available certificates, click its DN.) If you are acting as a subordinate CA, you must import the certificates of your superior CA and its chain. Click Browse and select the certificate file for your superior CA and its chain. Then, click Next.
3. Click OK in the confirmation dialog.
4. Properties of the new credentials will be displayed to confirm that they have been successfully imported and assigned to your account.

2.7 Installing Credentials [3]

[3] Requires the admin permission.

Every CA account must have its certificate and private key installed before it can be used to issue certificates or CRLs. If you are setting up an account for a subordinate CA and you just generated a new certificate request, you should replace the request with an actual certificate as soon as you receive it from the superior CA.

Installing a Certificate Issued by an Internal CA

Once an internal CA has issued your certificate, you may install it as the credentials for your account as follows:

1. Log in to your account, navigate to the Account Status page, and follow the link labeled "Click here to check status of your certificate request". Alternatively, you can click Preferences, Credentials, then click Check Status. If your certificate has not yet been issued, you will need to try again later. Contact your superior CA if necessary. If your certificate has been issued, its properties will be displayed. Click Install to install your certificate in place of the certificate request.

Installing a Certificate Issued by an External CA

To install a certificate issued by an external CA:

1. Log in to your account and follow the link "Click here to install your certificate and remove the request" on the Account Status page. Alternatively, you can click Preferences, Credentials, then click Install Certificate.
2. Click Browse and locate the appropriate PKCS#7 certificate file that includes the issued CA certificate and its chain, then click Install. Once your certificate has been installed, a confirmation message and your certificate properties will be displayed.

2.8 Exporting Credentials [4]

[4] Requires the admin permission.

Once your CA credentials have been installed, you can export them to a file. To export the CA credentials:

1. Click Preferences, Credentials, then click Export.
2. Click one of the available certificate file formats: binary, base64-encoded X.509 certificate (.der), or PKCS#7 certificates (.p7b). For cross certification, select binary or base64-encoded PKCS#10 format. Submit the saved certificate request to a desired Certificate Authority for cross certification.
3. Click [X] to close this dialog.

2.9 Renewing Certificates [5]

[5] Requires the admin permission.

CertAgent makes the renewal of CA credentials quite straightforward. Even after a particular CA certificate has expired, the renewal process can produce a new certificate for that CA's existing key pair. However, before performing any of the tasks described in this section, you should be sure that your organization's security policy permits it.

WARNING: There is a known issue regarding the use of renewed CA certificates with browsers (other than Internet Explorer) and other applications that build certificate validation paths by matching the authority key identifier extension in a subject's certificate with the subject key identifier in the issuer's certificate. Such applications may regard as invalid any certificate issued by a CertAgent CA whose certificate has been renewed, since the authority key identifier value in the issuer certificate will have changed. While recent releases of Internet Explorer do not suffer from this problem, it may be best to avoid using the certificate renewal process for CAs issuing certificates that may be used with other browsers.

Renewing a Root Certificate

To renew the self-signed certificate for a root CA:

1. Click Preferences, Credentials, then click Renew. You will be presented with the Identifying Information for Renewed Root CA form.
2. Change the validity period and certificate extensions, if needed, then click Generate.

   CertAgent will generate a new self-signed certificate containing the current certificate's public key signed with the corresponding private key.
3. Once the new certificate has been created, its properties will be displayed.

Renewing Subordinate CA Certificates

To renew the certificate of a subordinate CA:

1. Click Preferences, Credentials, then click Renew to launch the Renew Certificate wizard.
2. If the superior CA that is to process your renewal request resides on the same system, select "a CA on the same system" and click Next; otherwise skip to step 3.
   a. Select the superior CA who is to issue your certificate and complete the form.
   b. Enter your address (so that the issuing CA can notify you once your request has been processed), then click Next. CertAgent will generate a certificate request from your current certificate. Your request will then be forwarded to the specified superior CA and confirmation of the success of this process will be displayed to you on a Results page.
   c. To check the status of your request, click Check Status. If your certificate has not yet been issued, you will need to try again later. Contact your superior CA if necessary. If your certificate has been issued, its properties will be displayed.
   d. Click Install to install this certificate in place of your certificate request.
3. If the superior CA that is to issue your certificate does not reside on the same system, select "an external CA manually". Then, click Next. CertAgent will generate a certificate request from your current certificate. It will then display the properties of the certificate request.
   a. Click Export Request (and select either the Binary or Base64-encoded output formats) to save your certificate request to a file that you may manually submit to a superior CA.
   b. Once the superior CA has issued your certificate, click Install Certificate to install it in place of your certificate request.
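The path-building behaviour behind the WARNING in section 2.9, as an added example (not code from this guide or from CertAgent): it models issuer lookup with and without key identifier matching and lists the previously issued certificates that stop chaining once the renewed CA certificate replaces the old one. Certificates are plain records rather than parsed X.509, all names, keys and identifier values are constructed, and the renewed root is assumed to carry a different key identifier, as the warning states.

```python
"""Model of issuer lookup during certificate path building (added example).

Certificates are plain records, not parsed X.509. Every name, key and
identifier value below is constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    public_key: str        # stand-in for the subject's public key
    signing_key: str       # stand-in for "the signature verifies under this key"
    ski: Optional[str]     # subject key identifier value
    aki: Optional[str]     # authority key identifier value


def is_self_signed(cert: Cert) -> bool:
    return cert.issuer == cert.subject and cert.signing_key == cert.public_key


def issuer_candidates(cert: Cert, pool: List[Cert], match_key_ids: bool) -> List[Cert]:
    """Return certificates in pool that could have issued cert.

    Name chaining and the signing key are always checked. With
    match_key_ids=True the child's AKI must also equal the issuer's SKI
    whenever both values are present.
    """
    found = []
    for ca in pool:
        if ca.subject != cert.issuer or ca.public_key != cert.signing_key:
            continue
        if (match_key_ids and cert.aki is not None and ca.ski is not None
                and cert.aki != ca.ski):
            continue
        found.append(ca)
    return found


def build_path(leaf: Cert, pool: List[Cert], match_key_ids: bool) -> Optional[List[str]]:
    """Chain from leaf up to a self-signed root; None if no path exists."""
    path = [leaf]
    current = leaf
    while not is_self_signed(current):
        candidates = [c for c in issuer_candidates(current, pool, match_key_ids)
                      if c not in path]          # guards against loops
        if not candidates:
            return None
        current = candidates[0]
        path.append(current)
    return [c.subject for c in path]


def broken_by_renewal(issued: List[Cert], old_pool: List[Cert],
                      new_pool: List[Cert]) -> List[str]:
    """Subjects that validated with the old CA certificate but no longer do
    when a key-identifier-matching client only has the renewed one."""
    broken = []
    for cert in issued:
        ok_before = build_path(cert, old_pool, True) is not None
        ok_after = build_path(cert, new_pool, True) is not None
        if ok_before and not ok_after:
            broken.append(cert.subject)
    return broken


# Constructed sample hierarchy: the root is renewed with the SAME key pair,
# but its key identifier value differs (assumption taken from the warning).
ROOT_OLD = Cert("CN=Example Root", "CN=Example Root", "root-key", "root-key", "A1", "A1")
ROOT_RENEWED = Cert("CN=Example Root", "CN=Example Root", "root-key", "root-key", "B2", "B2")
SUB_CA = Cert("CN=Example Sub CA", "CN=Example Root", "sub-key", "root-key", "C3", "A1")
SERVER_OLD = Cert("CN=old-server.example", "CN=Example Root", "srv1-key", "root-key", None, "A1")
SERVER_NEW = Cert("CN=new-server.example", "CN=Example Root", "srv2-key", "root-key", None, "B2")
USER = Cert("CN=user", "CN=Example Sub CA", "user-key", "sub-key", None, "C3")

ISSUED = [SERVER_OLD, SERVER_NEW, USER]
OLD_POOL = [ROOT_OLD, SUB_CA]
NEW_POOL = [ROOT_RENEWED, SUB_CA]

if __name__ == "__main__":
    for cert in ISSUED:
        print(cert.subject,
              "| key-id matching:", build_path(cert, NEW_POOL, True),
              "| name and key only:", build_path(cert, NEW_POOL, False))
    print("broken by renewal:", broken_by_renewal(ISSUED, OLD_POOL, NEW_POOL))
```

Running the same comparison against an inventory of issued certificates before a renewal shows which relying parties would need the old CA certificate kept available or their certificates reissued.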

2.10 Publishing CA Certificates

Publishing Certificates to a Remote LDAP Directory

To manually publish a CA certificate to an external LDAP repository, you must have the "publish CA certificate" option set to "manually" on the Preferences, LDAP Repositories configuration page and have entered the appropriate access information for the remote LDAP repository. (For details on the configuration of this option, see Managing LDAP Repository Settings.) Assuming that this is the case:

1. Click Preferences, Credentials, then click Publish.
2. If needed, edit the DN and certificate attribute in the form, then click Publish. The CA certificate will be published as requested to the external LDAP directory and the status message will be displayed.
3. Click Close to close this page.

Viewing Account Status

To view the status of your account:

1. Click Account Status to display the following page of information about your account. Critical error messages and warnings, as well as reminders to issue a CRL, may appear here.

Managing Certificate Requests

Searching Certificate Requests

To view the pending certificate requests matching some search criteria:

1. Click Search in the Certificate Requests section of the navigation panel for your account:

[6] Requires the admin permission.
[7] Requires the certify permission.

2. Specify the desired search criteria (request ID, RDN, status, contact address, requests assigned to any profiles, last modified date and sort order) to be matched. You may use an asterisk (*) as a wildcard in the search string. If there are additional profiles associated with your master account, you may allow the query to include all the profiles by checking "Requests assigned to any profile". Otherwise, only certificate requests assigned to the active profile will be returned.
3. Check the fields to include in the report in the right-hand column, and then click Search. Once the system has listed the certificate requests matching your search criteria, you may click one to open an Advanced functions page; the functions you may perform on a given request will depend upon its current status.
4. To refine your search, select the link labeled "Click here to modify your search".
5. Optionally, check the "Save result to" option to export the results to a CSV or text file.

Issuing Certificates

To issue certificates for one or more pending certificate requests:

1. First view the pending certificate requests that have been submitted to your account by clicking Pending in the Certificate Requests section of the navigation panel.

   If there are additional profiles associated with your master account, you may filter the pending requests by profile using the Active Profile drop-down list at the top of the page. To view the properties of any request, click the certificate request icon immediately to the right of the corresponding check box. Check Show details to view the properties of all displayed requests.
2. If you wish to process one or more certificate requests using the default certificate issuance settings for your account, check the selection boxes next to those you wish to process and click Issue Selected at the bottom of the page. To process a single request, click the Issue button adjacent to that request.

To issue a certificate with customized properties:

1. If you wish to customize the properties of the certificate that will be issued for a given request, click on the DN link for the request to open the Advanced page.
2. (Optional) To view the certificate request's properties and extensions, click [View Request]. (Note: this feature is only available if the request is in a PKCS#10 format. Displaying the properties of CRMF requests and those of requests generated by browsers other than Internet Explorer is not supported.)
3. The properties and extensions displayed on this page are populated using the default extension and certificate request rules. To add more extensions, select "Issue certificate with customized settings" in the Action drop-down list, and click Add Extensions.

   Select the desired extensions and click Add Checked. The selected extensions will be added. Fill in all the required information for each newly added extension. For details on the configuration of each extension, see the Managing Certificate Issuance section.
4. To remove an extension, simply click the [x] to the right of the extension name.
5. Click Submit to issue the request. (If you change your mind about settings changes you have made, just select the "Issue certificate with default settings" option in the Action drop-down list.)
6. Click OK to confirm your desire to process the selected certificate requests. Once the results of the request processing have been displayed, you may click the link "View certificate details" on the Results page to view the properties of that certificate.

Rejecting a Certificate Request

To reject a pending certificate request:

1. View the pending certificate requests that have been submitted to your account by clicking Pending in the Certificate Requests section of the navigation panel.

   If there are additional profiles associated with your master account, you may view the pending requests for them by selecting the appropriate profile name in the Active Profile drop-down list at the top of the page. To view the properties of any request, click the certificate request icon immediately to the right of the corresponding check box. Click Show details to view the properties of all displayed requests.
2. You can reject multiple requests simultaneously by checking the boxes next to those requests and clicking the Reject Selected button at the bottom of the page. To reject a single request, click the Reject button adjacent to that request. Alternatively, you can click on the request's DN link to open the Advanced page. In this dialog, select "Reject request" from the drop-down list and enter a Reason code. Then, click Submit. Click OK to confirm the operation, then click Close to close the Advanced page. If you're not using the Advanced page, enter the reason for rejecting the selected request(s) and click OK.
3. The selected certificate request(s) will be processed and the results will be displayed. Notification will be sent to the submitter if the "notify submitter after rejecting a certificate request" option is enabled in Preferences, Settings and a contact address is provided by the submitter.

Note that rejected certificate requests are not discarded; they are simply moved to the Rejected requests list. If necessary, they may be reinstated as explained in the next section.

Reinstating Rejected Certificate Requests

To reinstate one or more rejected certificate requests:

1. View the certificate requests that have been rejected by clicking Rejected in the Certificate Requests section of the navigation panel for your account. A list of all rejected certificate requests will be displayed.
   If there are additional profiles associated with your master account, you may view the rejected requests for them by selecting the appropriate profile name in the Active Profile drop-down list at the top of the page. To view the properties of any request, click the certificate request icon immediately to the right of the corresponding check box. Click Show details to view the properties of all displayed requests.

2. You can reinstate multiple requests simultaneously by checking the boxes next to those requests and clicking the Reconsider Selected button at the bottom of the page. To reconsider a single request, click the Reconsider button adjacent to that request. Alternatively, you can click on a request's DN link to open the Advanced page. In this dialog, select "Reconsider request" from the drop-down list, then click Submit. Click OK to confirm the operation, then click Close to close the Advanced page. If you are not using the Advanced page, click OK in the confirmation dialog.
3. The selected request(s) will be reinstated (i.e., moved back to the Pending certificate request list for your account) and the results will be displayed.

Viewing Processed Certificate Requests

To view processed requests:

1. Click Processed in the Certificate Requests section of the navigation panel for your account. A list of all processed certificate requests will be displayed.
2. You may click on any request's DN link to open the Advanced page.

Changing the Assigned Profile

If there are additional profiles associated with your master account, you can change the account to which a request is assigned as follows:

1. Open the Advanced page by clicking the pending certificate request's DN.
2. Select "Assign to another profile" as the Action.
3. Specify the account to which you wish to assign this request by selecting it in the "Assign this request to" drop-down list.
4. Click Submit, and then click OK to confirm your intentions.
5. Finally, click Close to close the Advanced page.

Updating a User's Contact Address

To update a user's contact address:

1. Open the Advanced page by clicking the pending certificate request's DN.
2. Select "Update contact address" as the Action and modify the data in the address field. To remove the address, leave the field blank.
3. Click Submit, and then click OK to confirm your intentions.
4. Finally, click Close to close the Advanced page.

Exporting Certificate Requests

To export a certificate request:

1. Open the Advanced page by clicking the pending certificate request's DN.
2. Select "Export certificate request" as the Action.
3. Click Submit, then click Save.
4. Enter a filename and click Save in the Save As dialog.
5. Finally, click Close to close the Advanced page.

Managing Certificates

Searching Certificates

To search the local database for certificates matching certain criteria:

1. Click Search in the Certificates section of the navigation panel for your account:

[8] Requires the certify or revoke permission.

2. Specify the desired search criteria (serial number, request ID, RDN, status, contact address, certificates assigned to any profile, revocation date, not before date, not after date, retrieval status, and sort order). You may use an asterisk (*) as a wildcard in the search string. If there are additional profiles associated with your master account, you may allow the query to include all the profiles by checking the Certificates assigned to any profile option. Otherwise, only the certificates assigned to the active profile will be returned.
3. Check the fields to include in the report in the right-hand column, and then click Search. Once the system has listed the certificates matching your search criteria, you may click one of them to open the Advanced page and perform various functions with that certificate; which functions are available will depend on the certificate's current status.
4. To refine your search, select Click here to modify your search.
5. Optionally, check the Save result to option to export the results to a CSV or text file.

Viewing Certificates

To view valid certificates:
1. Click Valid in the Certificates section of the navigation panel for your account. A list of all valid certificates issued by the current account will be displayed. If there are additional profiles associated with your master account, you may view the certificates issued by them by selecting the appropriate profile name in the Active Profile drop-down list at the top of the page.

2. Click the small certificate icon immediately to the right of a certificate's selection box to view its properties. Alternatively, click Show details to view all certificate details.

Revoking Certificates [9]

To place a certificate on hold or to revoke it:
1. Start by viewing the valid certificates that you have issued by clicking Valid in the Certificates section of the navigation panel for your account.
2. You can revoke multiple certificates simultaneously by checking the boxes next to those certificates and clicking the Revoke Selected button at the bottom of the page. To revoke a single certificate, click the Revoke button adjacent to it. Alternatively, you can click on a certificate's DN link to open the Advanced page. In this dialog, select Revoke as the Action, specify a Status and Reason code (see below), then click Submit. If you are not using the Advanced page, specify a Status and Reason code (see below), then click Revoke.

To place the selected certificate(s) on hold, select the On Hold option and choose one of the following reasons:

None: No reason specified. (Subject's certificate should be rejected until it is removed from this issuer's CRL.)
Call Issuer: This value has application-dependent semantics. (Subject's certificate should be rejected until it is removed from this issuer's CRL.)
Reject: Subject's certificate should be rejected until it is removed from this issuer's CRL.
Pick-up Token: Physically seize the token containing the private key for this certificate, if possible. (Subject's certificate should be rejected and is probably pending permanent revocation.)

[9] Requires the revoke permission.

To revoke the selected certificate(s), select Revoke and choose one of the following reasons:

Unspecified: No reason specified. Use of this value is deprecated; choosing No Reason to omit a reason code is preferred in most applications.
Key Compromise: The subject's private key is known, or suspected, to have been compromised.
CA Compromise: The subject CA's private key is known, or suspected, to have been compromised.
Affiliation Changed: Some subject information in the certificate has changed.
Superseded: The certificate has been superseded, perhaps by another certificate containing the same public key, but with a later expiration date.
Cessation of Operation: The certificate is no longer needed for the purpose for which it was originally issued.
Remove from CRL: The entry appears on a previous CRL with reason certificatehold but is now valid.
Privilege Withdrawn: The privilege contained in the certificate has been withdrawn.
AA Compromise: Aspects of the AA validated in the attribute certificate have been compromised.

3. The certificate(s) will be placed on hold, revoked, or merely marked for revocation, and the results displayed.

If the Support pending revocation as a separate certificate status value option is disabled (as it is by default), certificates, when initially designated as revoked by a CA, are immediately moved to a revoked certificates list. If, however, Support pending revocation as a separate certificate status value is enabled, certificates are first moved to a list of certificates pending revocation. Certificates pending revocation can be reinstated at any time prior to issuance of a CRL (in which they appear), but once such a CRL has been issued, they are moved to the revoked certificates list.

NOTE: Only certificates with a status of on hold can be reinstated from the revoked certificates list.
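The status rules above can be checked against a small model. The following Python sketch is an added example, not CertAgent code: the class and method names are hypothetical, the serial numbers are constructed, and it assumes that an on hold certificate stays reinstatable after it has appeared on a CRL while a certificate marked for revocation does not.

```python
from enum import Enum


class Status(Enum):
    VALID = "valid"
    ON_HOLD = "on hold"
    PENDING = "pending revocation"
    REVOKED = "revoked"


class RevocationModel:
    """Toy model of the certificate status transitions described in the guide."""

    def __init__(self, support_pending_revocation=False):
        # Mirrors the "Support pending revocation as a separate certificate
        # status value" option, which the guide says is disabled by default.
        self.support_pending = support_pending_revocation
        self.status = {}  # serial -> Status

    def issue(self, serial):
        self.status[serial] = Status.VALID

    def hold(self, serial):
        if self.status[serial] is not Status.VALID:
            raise ValueError(f"{serial}: only valid certificates can be put on hold")
        self.status[serial] = Status.ON_HOLD

    def revoke(self, serial):
        if self.status[serial] not in (Status.VALID, Status.ON_HOLD):
            raise ValueError(f"{serial}: already marked for revocation or revoked")
        # With the option enabled the certificate is only *marked* for
        # revocation until the next CRL; otherwise it is revoked immediately.
        self.status[serial] = (
            Status.PENDING if self.support_pending else Status.REVOKED
        )

    def reinstate(self, serial):
        # On hold certificates can always be reinstated; certificates pending
        # revocation only until a CRL listing them has been issued.
        if self.status[serial] not in (Status.ON_HOLD, Status.PENDING):
            raise ValueError(f"{serial}: cannot be reinstated")
        self.status[serial] = Status.VALID

    def issue_crl(self):
        """Return the serials on the new CRL and finalize pending revocations."""
        for serial, state in self.status.items():
            if state is Status.PENDING:
                self.status[serial] = Status.REVOKED
        # The CRL lists on hold certificates and all revoked certificates.
        return sorted(
            serial
            for serial, state in self.status.items()
            if state in (Status.ON_HOLD, Status.REVOKED)
        )


def demo():
    """Walk three constructed serial numbers through hold, revoke and CRL issuance."""
    ca = RevocationModel(support_pending_revocation=True)
    for serial in ("A1", "B2", "C3"):
        ca.issue(serial)
    ca.hold("A1")
    ca.revoke("B2")
    ca.revoke("C3")
    ca.reinstate("C3")           # allowed: no CRL lists C3 yet
    first_crl = ca.issue_crl()   # B2 becomes permanently revoked here
    ca.reinstate("A1")           # allowed: A1 was only on hold
    second_crl = ca.issue_crl()
    return first_crl, second_crl


if __name__ == "__main__":
    print(demo())
```

The window in which a mistaken revocation can be undone closes at CRL issuance, so operators who rely on the pending revocation option should review the pending list before each CRL is issued.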

Changing the Revocation Status of a Certificate [10]

If the Support pending revocation as a separate certificate status value option is disabled, only certificates with on hold status can be reinstated. To change the status of such certificates:
1. Start by viewing the revoked certificates: click Revoked in the Certificates section of the navigation panel for your account.

If the Support pending revocation as a separate certificate status value option is enabled, a certificate that has been placed on hold, or one that has been marked for revocation but has not yet appeared on a CRL, is considered to be pending revocation. The status of such certificates may be changed as follows:
1. Start by viewing the certificates pending revocation by clicking Pending Revocation in the Certificates section of the navigation panel for your account.
2. If there are additional profiles associated with your master account, you may filter the certificates pending revocation by profile using the Active Profile drop-down list at the top of the page.
3. To simultaneously change the status of several certificates, check the box next to the selected certificates and click the Change Status button at the bottom of the page. To change the status of a single certificate, click the Change Status button adjacent to it. Alternatively, you can click on a DN link to open the Advanced page.
4. If you are using the Advanced page, select Revoke as the Action, specify the new Status and a Reason code, then click Submit. Otherwise, select Reinstate as the Action to reinstate the certificate. Click OK to confirm your intentions.
5. If you aren't using the Advanced page, select a new status (On Hold, Revoked, Valid), and choose a Reason code, then click OK.
6. The status of the selected certificate(s) will be changed and results will be displayed.

Viewing Revoked Certificates

To view the certificates that have been revoked, click Revoked in the Certificates section of the navigation panel for your account. You may view the properties of a particular certificate in this list by clicking its DN link to open the Advanced properties page.

[10] Requires the revoke permission.

Viewing Expired Certificates

To view expired certificates, click Expired in the Certificates section of the navigation panel for your account. You may view the properties of a particular certificate in this list by clicking its DN link to open the Advanced properties page.

Changing the Assigned CA Account

If there are additional profiles associated with your master account, you may change the profile to which a certificate is assigned:
1. Locate the certificate you wish to assign to a different account and click its DN link to open the Advanced page.
2. Select Assign to another profile from the Action drop-down list and select the new account. Click Submit, then click OK to confirm your intentions.
3. Click Close when you are ready to close the Advanced page.

Sending Certificate Retrieval Notifications

If the notify submitter after issuing a certificate request option is enabled in Preferences, Settings and a contact address is provided by the submitter, a certificate retrieval notice can be resent to a user. To send a certificate retrieval notice to a user:
1. In any of the certificate pages, click on a certificate's DN link to open the Advanced page.
2. If the certificate has not yet been retrieved by its owner, Send retrieve certificate notification to user will appear in the Action drop-down list. Select this action, click Submit, then click OK to confirm your intentions.
3. Click Close when you are ready to close the Advanced page.

Managing Certificates in an External LDAP Repository

To manually publish a certificate to, or remove a certificate from, an external LDAP repository, you must have the publish issued certificates option set to manually on the Preferences, LDAP Repositories configuration page and have entered the appropriate access information for the remote LDAP repository.

(For details on the relevant configuration settings, see section Managing LDAP Repository Settings.) Assuming this is the case:
1. Open the Advanced function page by clicking the DN for the certificate you wish to manage wherever it might appear.
2. In the Action list, select either Publish to an external LDAP repository or Remove from an external LDAP repository depending on which action you wish to perform. If necessary, modify the DN of the corresponding LDAP entry. Click Submit and then click OK to confirm your intentions.
3. Click Close when you are ready to close the Advanced page.

Updating a User's Contact Address

To update a user's contact address:
1. In any of the certificate pages, click on a certificate's DN link to open the Advanced page.
2. Select Update contact address as the Action and modify the data in the address field. To remove the address, leave the field blank.
3. Click Submit, then click OK to confirm your intentions.
4. Click Close when you are ready to close the Advanced page.

Viewing Certificate Properties

To inspect a certificate:
1. In any of the certificate pages, click on a certificate's DN link to open the Advanced page.
2. Click the link containing the certificate's Subject DN to view detailed properties of the certificate. The Certificate Inspection dialog displays the current status of the certificate along with its most important attributes and extensions.
3. You can save the certificate to a local disk file by clicking one of the download links.
4. Click Close to close the detailed properties dialog.

2.14 Managing CRLs

Issuing a CRL

To issue a new CRL:
1. Click Issue in the CRLs section of the navigation panel for your account. Only certificates with a status of on hold or pending revocation (if that option is enabled) will be displayed; previously revoked certificates will be included in the CRL but not displayed.
2. Click Issue CRL.
3. (Optional) Select Customize to modify the CRL settings; otherwise, your default settings will be used.
4. Click Yes to confirm this operation. A CRL that includes all certificates pending revocation, all on hold certificates, and all previously revoked certificates will be created.

Once the operation has been completed, you will be informed of its status. You may click the new CRL's Effective Date to view its properties in detail, or click Download to save the new CRL to a local disk file on your computer. If the publish CRLs configuration option is enabled and set to manual, click Publish to publish the new CRL to the LDAP repository.

Viewing CRLs

To view, inspect, or download an issued CRL:
1. Click View in the CRLs section of the navigation panel for your account. At first only the most recent CRL will be displayed. If you wish to display a list of all CRLs for your account, click Show All CRLs.
2. Click Download to save one of the CRLs to a local disk file on your computer. (Optional) If the publish CRL option is enabled, you may click Publish to publish the latest CRL to the appropriate LDAP directory.

[11] Requires the revoke permission.

3. You may also click a CRL's Effective Date to view its properties in detail. Click Close when you are ready to close the properties dialog.

Setting Account Preferences

Managing Credentials

To manage the credentials for your account, click Credentials in the Preferences section of the navigation panel. To generate and install new credentials, click the New Credentials button and follow the directions in the Creating Credential for a CA section. You may export your existing credentials to a file by clicking the Export button and following the directions in the Exporting Credentials section. To renew your current certificate, click the Renew button and follow the directions in the Renewing Certificates section.

Managing Certificate Enrollment

CertAgent supports enrollment of users via a web browser, and from RAs through the Registration Authority Management Interface (RAMI). To manage certificate enrollment settings, click Enrollment in the Preferences section of the navigation panel. Select one of the following tabs to configure its settings and click Apply to save your changes.

Configuration Tab

Acceptable key types and sizes can be configured on this page. By default, only RSA and DSA 2048 or above, and elliptic curves NIST P-256 and NIST P-384 are accepted. If a received certificate request does not meet the specified requirements, it is automatically rejected.

Note: As per the NSA Suite B Fact Sheet (and CNSSP-15), use of the 256-bit elliptic curve and SHA-256 are appropriate for protecting classified information up to the SECRET level; use of the 384-bit elliptic curve and SHA-384 are necessary for the protection of TOP SECRET information. Hence for Suite B compliance, the acceptance of RSA and DSA certificate requests should be disabled and the list of acceptable elliptic curves restricted as appropriate.

Note: Settings in this page are profile-based. If there are additional profiles associated with your master account, you may manage the profile's settings using the Active Profile drop-down list at the top of the page.

[12] Requires the admin permission.

Web Tab

This page controls the settings on the public site's Upload Request and Enroll using Browser pages. The settings you can control on this page are:

Enable this profile in enrollment page: If checked, user can generate a key pair in a browser and submit a certificate request to this account or profile.
Internet Explorer options: You can set and/or enforce the choice of CSP, as well as the Strong private key protection and Mark keys as exportable options so that they are suggested to (or forced on) users when they use Internet Explorer to generate and submit a certificate request.
Enable this profile in upload page: If checked, user can submit PKCS#10 request to this account or profile.
Comment Field: If enabled, a user comment field will appear on the certificate enrollment or upload form.

Note: Settings in this page are profile-based. If there are additional profiles associated with your master account, you may manage the profile's settings using the Active Profile drop-down list at the top of the page.

RAMI (Registration Authority Management Interface) Tab

The CertAgent Registration Authority Management Interface (RAMI) allows a remote or automated client process (acting on behalf of an authorized registration authority) to perform the following operations over a TLS-secured connection (with client authentication):
- submit a certificate request for immediate processing and obtain an issued certificate
- revoke a certificate
- reinstate a certificate with a status of on-hold or pending revocation
- issue a CRL

The settings you can control on this page are:

Allow key enrollment: Enabling this option allows an authorized registration authority (RA), possibly an automated process acting on behalf of the CA, to submit certificate requests and obtain certificates over an SSL connection with client authentication.
Allow POST to override default settings: If checked, authorized RAs may use POST parameters to override or append to the default certificate issuance settings.
Allow certificate revocation and reinstatement: Permits certificate revocation and reinstatement via RAMI when checked.

Allow CRL issuance: Permits CRL issuance via RAMI when checked.

For details on submitting RAMI requests, see CertAgent Installation Guide.

Note: The access control list for RAMI is managed by the authorized administrator of the System Administrative site. For details, see CertAgent Administrator Guide.

Managing Certificate Profiles

A master CA account can have one or more profiles with their own account IDs and access control lists (administered by a user of the master account with admin permission). While each profile shares its credentials with the master CA account, each profile can have its own default settings for certificate issuance, etc. In this way, a master CA can delegate to subordinates the issuance of certificates (and possibly CRLs) with varying default attributes and extensions, but the same issuer keys.

To create a new profile:
1. Click Certificate Profiles in the Preferences section of the navigation panel, then click Create.
2. Enter the Profile ID and display name, then click Create.

Profile ID: A unique identifier for this profile; may only contain the characters A-Z, a-z, and 0-9.
Display Name: The friendly name of the profile; may only contain the characters A-Z, a-z, 0-9, and space.
Copy Setting from: If (none) is selected, default configuration will be assigned to the new profile. Otherwise, configuration of the selected profile will be copied to the new profile.

Click OK to confirm the operation. A profile will be created with the specified profile ID. This profile will share credentials with its master account (i.e., the master account and all profiles use the same key pair for issuing certificates and CRLs). However, each profile has its own certificate issuance, enrollment, and settings, and a separate access control list.

To remove a profile from the system:
1. Click Certificate Profiles in the Preferences section of the navigation panel.
2. Select the master profile from the Active Profile drop-down list at the top of the page.
3. Check one or more profiles you wish to delete from the list, then click Remove.

4. Click OK to confirm the operation.

To modify the settings for a profile:
1. Click Certificate Profiles in the Preferences section of the navigation panel.
2. Select the profile you wish to modify from the Active Profile drop-down list at the top of the page.
3. To change the display name:
a. Select the Display Name tab to change the profile name and rights as desired.
b. Click Apply to save your changes.
4. To manage the profile access control list:
a. Select the Access Control List tab. The certificates of all users authorized to use this profile are displayed.
b. To add a certificate to the list, click Add. Then upload the certificate by clicking Browse, locating the appropriate certificate file, selecting the desired permissions, and clicking Upload. A confirmation message will be displayed and the certificate will appear in the access control list if the operation is successful.
c. To remove one or more certificates from the ACL, check the box before the certificate you wish to delete and click Remove. Click OK in the confirmation dialog to confirm your intentions to remove the selected certificate from the account ACL.

Managing settings for profile enrollment, certificate issuance, and operations is similar to managing these settings for the master account. Select the profile from the Active Profile drop-down list and continue following the steps in the appropriate section below:
Managing Certificate Enrollment
Managing Certificate Issuance
Managing Notifications

Managing Certificate Issuance

To change the certificate issuance options for an account:

1. Click Certificate Issuance in the Preferences section of the navigation bar.
2. The Properties tab displays the default settings for issuing certificates. The options you can control on this page are:

Class 1 Assurance: For e-mail-based end-user identity proofing. If checked, every certificate request must contain the submitter's address; otherwise, it will be rejected. The requester will not receive a Request ID after enrollment; rather, an e-mail notification containing a retrieval URL will be sent to him once the certificate request has been processed. Certificates are only considered valid once they have been retrieved via these e-mailed links.
Automatically issue certificates upon request: To enable automatic certificate issuance, check this box.
Message Digest: One or more of the following message digest algorithms are available: MD5, SHA1, SHA-224, SHA-256, SHA-384 and SHA. Certificates will be signed using the specified message digest. The most appropriate choice depends on the size and type of the CA's credentials. Note: This setting is managed by the master account only and will apply to all profiles.

RDNs: Each specified RDN has a default value and an inclusion setting:
Require: Use the value found in the request; the user must enter a value for this RDN on the public Enrollment page.
Allow: Use the value found in the request; the specified default value is displayed on the public Enrollment page, but the user is allowed to change it.
Force: Always use the specified value; it displays on the public Enrollment page, and the user cannot change it.
When issuing certificates for this account, CertAgent will include the available RDNs in the specified order. Use the corresponding buttons to add an RDN component below the current RDN, to delete the current RDN, to move the current RDN up, or to move the current RDN down.
If the internal LDAP repository for your CA account is enabled by the site administrator, make sure your default RDN settings agree with the configured LDAP search base. For example, if the search base is set to O=ISC, C=US, the default settings for certificate issuance should include the forced RDNs O=ISC and C=US. All issued certificates must have subject DNs ending with the search base criteria to be returned in response to queries to the internal LDAP server.
Set next serial number: Serial numbers are generated sequentially (with an increment of one and a specified starting value). To set the value of the next serial number, check this option and specify the serial number in hexadecimal format. Note: This setting is managed by the master account only and will apply to all profiles.
Validity Period: Specify the default validity period for issued certificates.
Encoding: Encoding of DNs: PrintableString or UTF8String (default).

3. The Extensions tab displays the default certificate extension settings.

To add extensions:
a. Click Add Extensions. A list of supported extensions will be displayed.

b. To add a single extension and close this dialog, just click on its link. To add multiple extensions, check them and click Add Checked.

To remove extensions:
a. Click the [X] to the right of the extension name.

Brief descriptions of all supported extensions are given in the following table. Each of these extensions is flagged as critical if the associated Critical checkbox is set.

Extension: Description
Authority Information Access: This extension indicates how to access CA information and services for the issuer of the certificate in which the extension appears. Available access methods are CA Issuer, CA OCSP and user specified OID.
Authority Key Identifier: This extension provides a means of identifying the public key corresponding to the private key used to sign a certificate. Available identifier types: key ID, CA issuer DN, and issuer serial number.

Basic Constraints: This extension indicates whether the subject can act as a CA or is only an end-user entity. It is added to every certificate issued by CertAgent. This extension is flagged as critical if the Critical checkbox is set. If you are a root CA whose sole (or principal) role is to certify the public keys of subordinate CAs (as opposed to end-users), you should set the CA certificate checkbox (and optionally select a default pathlength value). On the other hand, if you typically issue end-user certificates, leave this box unchecked. The Path length setting, if one is selected, indicates to consumers of the certificate that they should not accept a certificate path whose length exceeds the specified value by more than one. For example, if the pathlength attribute is set to 2, users should not accept as valid chains containing more than three certificates.
Certificate Policies: This extension contains a sequence of one or more policy information terms, each of which consists of an object identifier (OID) and optional policy qualifiers (CPS and user notice).
Certificate Template Name: This extension contains the certificate template name.
CRL Distribution Points: This extension identifies how CRL information is obtained. URL (e.g., LDAP and HTTP URL) and DN forms are accepted.
Custom Extension: To add an extension that is not explicitly supported by CertAgent, enter the base64-encoded extension data into the text box.
Extended Key Usage: This extension indicates one or more purposes for which the certified public key may be used in addition to, or in place of, the basic purposes indicated in the key usage extension. See the following table for details.
Inhibit Any-Policy: This extension indicates that the special anypolicy OID is not considered an explicit match for other certificate policies. The value indicates the number of additional certificates that may appear in the path before anypolicy is no longer permitted.
Issuer Alternative Name: This extension allows alternative names to be bound to the issuer of the certificate. Supported name forms include: rfc822name, othername, dnsname, DN, URL, IPAddress, edipartyname, registeredid, and x400address. If Octet String type is selected for othername, its value can be a text string or hex-encoded string starting with 0x; otherwise, the value can be a text string or UTF8 string. To include an x400address value, enter the desired base64-encoded value into the supplied text box.

Key Usage: An extension that indicates the intended purpose of the subject public key inside the certificate. Select usage settings in accordance with your current certificate authority policy, taking into account the type of the public keys you will most likely be asked to certify. (See definitions below.) The recommended keyusage setting for end-user certificates is digital signature + non-repudiation + key encipherment + key agreement. For CA certificates it is certificate signing (mandatory) + CRL signing (mandatory). If the Critical checkbox in this section is set, and this extension is to be added to a certificate, it will be flagged as critical. Turn criticality on if use of the subject's public key for a purpose other than that indicated by the selected keyusage bits would constitute a violation of your certificate authority policy.
Name Constraints: This extension is used only in CA certificates. It indicates a name space within which all subject names in subsequent certificates in a certification path must be located.
Netscape Certificate Type: This is a Netscape specific extension that can be used to limit the applications for a certificate. Available types are: SSL client certificate, SSL CA certificate, SSL server certificate, S/MIME user certificate, S/MIME CA certificate, object signing certificate and object signing CA certificate.
OCSP No Revocation Checking: This extension is used only in an OCSP signing certificate. If this extension is included, no revocation checking is to be performed on the OCSP signing certificate during OCSP operations.
Policy Constraints: This extension can be used to prohibit policy mapping or require that each certificate in a path contain an acceptable policy identifier. If require explicit policy is set, the value indicates the number of additional certificates that may appear in the path before an explicit policy is required for the entire path. If inhibit policy mapping is set, the value indicates the number of additional certificates that may appear in the path before policy mapping is no longer permitted.
Policy Mapping: This extension is used only in CA certificates. It lists one or more pairs of OIDs; each pair includes an issuerdomainpolicy and a subjectdomainpolicy. The pairing indicates that the issuing CA considers its issuerdomainpolicy equivalent to the subject CA's subjectdomainpolicy.
Qualified Certificate Statements: This extension is the inclusion of statements defining explicit properties of the certificate. Available statements are: Financial limit clause (id-etsi-qcs-qclimitvalue), ETSI TS authentic certificate clause (id-etsi-qcs-qccompliance), NES telecommunication agency authentic certificate clause and retention period (id-etsi-qcs-qcretentionperiod).

Subject Alternative Name: This extension allows alternative names to be bound to the subject of the certificate. Supported name forms include: rfc822name, othername, dnsname, DN, URL, IPAddress, edipartyname, registeredid, and x400address. If the appropriate RFC822 name options are checked and address in the subject DN is set and/or contact addresses are specified, they will be included in this extension. If Octet String type is selected for othername, its value can be a text string or hex-encoded string starting with 0x; otherwise, the value can be a text string or UTF8 string. To include an x400address value, enter the desired base64-encoded value into the supplied text box.
Subject Directory Attribute: This extension is used to convey identification attributes of the subject. Available attributes are country of citizenship (US DOD), country of citizenship (RFC 3739), employee type and nationality.
Subject Key Identifier: This extension provides a means of identifying certificates that contain a particular public key.

Brief descriptions of the options in the keyusage extension and the X.509 ASN.1 variables to which they correspond are given in the following table:

CertAgent Option (ASN.1 Variable): Description
digital signature (digitalsignature): The subject public key may be used to validate signatures used for purposes other than non-repudiation and signing certificates/CRLs.
nonrepudiation (nonrepudiation): The subject public key may be used to validate signatures used in non-repudiation services.
key encipherment (keyencipherment): The subject public key may be used to wrap a (symmetric) session key for the purpose of key transport.
data encipherment (dataencipherment): The subject public key may be used for bulk data encryption.
key agreement (KeyAgreement): The subject public key may be used in a key agreement protocol.
certificate signing (KeyCertSign): The subject key may be used to validate signatures on certificates. This bit cannot be set for end-user certificates and must be set for CA certificates.
CRL signing (CRLSign): The subject public key can be used to validate the signature on a certificate revocation list (CRL). This bit can only be set for CA certificates.

encipher only (encipheronly): (Rarely used) The subject key can only be used for encryption as part of a key agreement protocol. (Should be used only in conjunction with the key agreement option.)
decipheronly: Not supported in this release of CertAgent. (The subject key can only be used for decryption as part of a key agreement protocol. Should be used only in conjunction with the key agreement option.)

Brief descriptions of the key purpose identifiers and other attributes that may be included in the Extended Key Usage (EKU) extension are given in the following table:

Identifier: Description
server authentication: The subject public key may be used for TLS WWW server authentication.
client authentication: The subject public key may be used for TLS WWW client authentication.
code signing: The subject public key may be used for signing of downloadable executable code.
e-mail protection: The subject public key may be used for e-mail protection.
time stamping: The subject public key may be used for binding the hash of an object to a time.
Microsoft: encrypted file system: The subject public key may be used for Microsoft's encrypted file system.
PIV Card Authorization: This subject public key may be used for PIV Card authorization.
Microsoft Smart Card Logon: This subject public key may be used for Microsoft's smart card logon.
OCSP signing: This subject public key may be used for signing by an OCSP responder; see RFC
IPSec IKE: This subject public key may be used for IPSec IKE (old OIDs have been deprecated).
IPSec end system: This subject public key may be used for an IPSec end system.
IPSec tunnel: This subject public key may be used for IPSec tunnelling.
IPSec user: This subject public key may be used for an IPSec user.

42 extensible authentication protocol over LAN extensible authentication protocol over PPP SCVP responder SCVP server SCVP client data validation and certification server user-defined OIDs This subject public key may be used for EAP over LAN. This subject public key may be used for EAP over PPP; see RFC This subject public key may be used for an SCVP responder. This subject public key may be used for an SCVP server. This subject public key may be used for an SCVP client. This subject public key may be used for a data validation and certification server. One or more user-defined OIDs (specified in standard dot notation may be included in a certificate s extendkeyusage extension. 4. The Filter tab displays the rules for processing certificate requests. By default, all extensions in submitted certificate requests are omitted from the issued certificates. To accept and pass through certain extensions, rules for their handling must be explicitly defined. To add rules: a. Click Add Rules. A list of extensions will be displayed. 42

43 b. To add a single extension and close the dialog, click on its link. To add multiple extensions, check them and click Add Checked. To add extensions that are not explicitly supported, check the OIDs checkbox and enter a list of extensions in the text box. c. Modify the handling of each newly added extension by appropriately setting the corresponding action value. Brief descriptions of the available action values appear in the following table: Action Require Allow Omit Flag Reject Description This extension is required. If a submitted request doesn t contain this extension, it is automatically rejected. By default, this extension is included in the certificate and the default value specified in the Extension tab is ignored. This extension is optional. If it appears in a request, it is included in the certificate. Otherwise, the default value specified in the Extension tab is applied. This extension, if present in a request, is ignored. The default value specified in the Extension tab is applied. If this extension is found in a request, the request is flagged with a warning notation. Manual issuance of the certificate is required. If this extension is found in a request, the request is automatically rejected. 43
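The action table above can be read as a small decision procedure. The following Python model is an added illustration, not CertAgent code: the function name, extension labels and sample requests are constructed, and two behaviours are assumptions where the guide is silent (an extension with no rule is treated like Omit, and a flagged extension's requested value is left to the operator).

```python
from dataclasses import dataclass, field

ACTIONS = ("require", "allow", "omit", "flag", "reject")


@dataclass
class Decision:
    status: str                          # "issue", "manual" or "rejected"
    extensions: dict = field(default_factory=dict)
    notes: list = field(default_factory=list)


def apply_filter(request_exts, rules, defaults):
    """Model of the Filter-tab actions for one certificate request.

    request_exts: extensions found in the submitted request (name -> value)
    rules:        action configured per extension (name -> one of ACTIONS)
    defaults:     values configured on the Extension tab (name -> value)
    """
    for name, action in rules.items():
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r} for {name}")

    notes, rejected, flagged = [], False, False

    # Pass 1: anything that stops automatic issuance.
    for name in sorted(rules):
        action, present = rules[name], name in request_exts
        if action == "require" and not present:
            rejected = True
            notes.append(f"reject: required extension {name} is missing")
        elif action == "reject" and present:
            rejected = True
            notes.append(f"reject: request contains {name}")
        elif action == "flag" and present:
            flagged = True
            notes.append(f"flag: request contains {name}, manual issuance required")
    if rejected:
        return Decision("rejected", {}, notes)

    # Pass 2: start from the Extension-tab defaults, then let the request
    # override only where a Require or Allow rule passes the value through.
    issued = dict(defaults)
    for name in sorted(request_exts):
        action = rules.get(name, "omit")   # assumption: no rule behaves like Omit
        if action in ("require", "allow"):
            issued[name] = request_exts[name]
        elif action == "omit":
            notes.append(f"omit: ignored requested {name}")
        # "flag": the requested value is left for the operator (assumption)
    return Decision("manual" if flagged else "issue", issued, notes)


# Constructed profile and requests (illustrative values only).
DEFAULTS = {"keyUsage": "digitalSignature, keyEncipherment",
            "extendedKeyUsage": "serverAuth"}
RULES = {"subjectAltName": "require",
         "extendedKeyUsage": "allow",
         "keyUsage": "omit",
         "basicConstraints": "reject",
         "certificatePolicies": "flag"}
SAN = {"subjectAltName": "DNS:app.example.test"}
REQUESTS = {
    "clean": {**SAN, "extendedKeyUsage": "clientAuth"},
    "ku_override": {**SAN, "keyUsage": "keyCertSign, cRLSign"},
    "no_san": {"extendedKeyUsage": "clientAuth"},
    "wants_ca": {**SAN, "basicConstraints": "CA:TRUE"},
    "policy": {**SAN, "certificatePolicies": "1.2.3.4"},
    "unlisted": {**SAN, "nameConstraints": "permitted;DNS:.example.test"},
}

if __name__ == "__main__":
    for label, req in REQUESTS.items():
        d = apply_filter(req, RULES, DEFAULTS)
        print(f"{label:12} {d.status:9} {d.extensions} {d.notes}")
```

The "ku_override" and "wants_ca" requests show why pass-through is opt-in: a requester-supplied keyUsage is replaced by the profile default, and a request carrying basicConstraints never reaches issuance.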
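The keyusage constraints in the table earlier in this section (certificate signing required for CA certificates and forbidden for end-user certificates, CRL signing only for CA certificates, encipher only and decipher only paired with key agreement) can be checked on an issued certificate. This added Python example, not taken from the guide, goes one step further than the table by decoding the DER-encoded extension value; bit positions and names follow RFC 5280, and the function names and sample byte strings are constructed.

```python
# Named bits of the X.509 KeyUsage BIT STRING, in RFC 5280 order (bit 0 first).
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
)


def decode_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING (tag 0x03) holding a KeyUsage value."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unexpected length encoding")
    unused, content = der[2], der[3:]
    if unused > 7 or (not content and unused):
        raise ValueError("invalid unused-bits count")
    if content and content[-1] & ((1 << unused) - 1):
        raise ValueError("padding bits must be zero in DER")
    total_bits = len(content) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        # Bit 0 is the most significant bit of the first content byte.
        if content[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names


def check_key_usage(bits: set, is_ca: bool) -> list:
    """Return the violations of the constraints stated in the keyusage table."""
    problems = []
    if is_ca and "keyCertSign" not in bits:
        problems.append("CA certificate must set keyCertSign")
    if not is_ca and "keyCertSign" in bits:
        problems.append("end-user certificate must not set keyCertSign")
    if not is_ca and "cRLSign" in bits:
        problems.append("cRLSign can only be set for CA certificates")
    for only in ("encipherOnly", "decipherOnly"):
        if only in bits and "keyAgreement" not in bits:
            problems.append(f"{only} should be used only with keyAgreement")
    return problems


# Constructed sample values: (DER bytes of the extension value, is_ca).
SAMPLES = {
    "tls_server": (bytes.fromhex("030205a0"), False),    # digitalSignature, keyEncipherment
    "issuing_ca": (bytes.fromhex("03020106"), True),     # keyCertSign, cRLSign
    "bad_leaf": (bytes.fromhex("03020106"), False),      # CA bits on an end-user cert
    "ka_decipher": (bytes.fromhex("0303070880"), False), # keyAgreement, decipherOnly
}

if __name__ == "__main__":
    for label, (der, is_ca) in SAMPLES.items():
        bits = decode_key_usage(der)
        print(label, sorted(bits), check_key_usage(bits, is_ca) or "ok")
```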


HPE Security Fortify WebInspect Enterprise Software Version: Windows operating systems. Installation and Implementation Guide HPE Security Fortify WebInspect Enterprise Software Version: 17.10 Windows operating systems Installation and Implementation Guide Document Release Date: May 2017 Software Release Date: April 2017 Legal

More information

Evaluation Guide Host Access Management and Security Server 12.4

Evaluation Guide Host Access Management and Security Server 12.4 Evaluation Guide Host Access Management and Security Server 12.4 Copyrights and Notices Copyright 2017 Attachmate Corporation, a Micro Focus company. All rights reserved. No part of the documentation materials

More information

MITEL. Live Content Suite. Mitel Live Content Suite Installation and Administrator Guide Release 1.1

MITEL. Live Content Suite. Mitel Live Content Suite Installation and Administrator Guide Release 1.1 MITEL Live Content Suite Mitel Live Content Suite Installation and Administrator Guide Release 1.1 NOTICE The information contained in this document is believed to be accurate in all respects but is not

More information

Axway Validation Authority Suite

Axway Validation Authority Suite Axway Validation Authority Suite PKI safeguards for secure applications Around the world, banks, healthcare organizations, governments, and defense agencies rely on public key infrastructures (PKIs) to

More information

Evaluation Guide Host Access Management and Security Server 12.4 SP1 ( )

Evaluation Guide Host Access Management and Security Server 12.4 SP1 ( ) Evaluation Guide Host Access Management and Security Server 12.4 SP1 (12.4.10) Legal Notice For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions,

More information

Managed Access Gateway. User Guide

Managed Access Gateway. User Guide Managed Access Gateway User Guide Version 3.0 Exostar, LLC April 20, 2013 Table of Contents Table of Contents...ii Purpose... 1 Log-in to your MAG Account... 2 Additional MAG Login Options... 2 First Time

More information

Integrating Microsoft Forefront Threat Management Gateway (TMG)

Integrating Microsoft Forefront Threat Management Gateway (TMG) Integrating Microsoft Forefront Threat Management Gateway (TMG) EventTracker v7.x Publication Date: Sep 16, 2014 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract This

More information