Streamline Certificate Request Processes. Certificate Enrollment

Transcription

1 Streamline Certificate Request Processes Certificate Enrollment

2 Contents At the end of this section, you will be able to: Configure TPP to allow users to request new certificates through Aperture Policy Settings CA Templates Workflows Notifications Request, approve, and download a certificate from the Venafi TPP Aperture interface

3 Configure Certificate Policies 1 Best Practice: Configure and lock policies for certificates at the highest level of the policy tree possible Note: Set and Lock defaults for Contact / Approver at the top-level (\VED\Policy) Note: Each Line of Business assumes responsibility and authority over certificates at the LOB level of the policy tree Note: Each Line of Business can configure and lock unique policies at the LOB level of the policy tree

4 Configure Certificate Policies 2 Set and Lock policies such as Key Strength, Allow Private Key Reuse, CSR Signature Algorithm, Key Generation, Encryption Key, Allowed Domains, etc. at the top-level Set and Lock Subject DN information (except OU) at the top level City and Locality must reflect the headquarters of the organization (not server location) Organization, City and Locality must be exact to satisfy external CAs

5 Certificate Policies Best Practices Configuration Item Key Strength Allow Private Key Reuse CSR Signature Algorithm Recommended Configuration 2048 No SHA-256 Notes Locked at the highest policy level possible. All RSA key lengths should be 2048 or higher in accordance with NIST guidance Lock at the highest policy level possible. Best practice is to rotate cryptographic key material on a regular basis; for SSL certificates with a 1-3 year lifetime rotating private keys when the certificate is renewed is sufficient Locked at the top level policy. All secure hash algorithms ( signature algorithms ) used with RSA keys should be a minimum of 256 bits in length. Key Generation Method DPAPI Locked at the top level policy Encryption Key Allowed Domains DPAPI (or HSM if installed) Enterprise Domains Locked at the highest policy level possible. Lock policy to allow issuance of approved enterprise domains per policy if required.

6 Configure CA Template(s) The CA Template object defines the information TPP needs to connect to a CA to: Define the template used to post the certificate CSR. Submit a certificate signing request (CSR) Retrieve certificates from the CA during enrollment and installation operations. It s common for TPP to issue several types of certificates. For example: Internal CA 1 Year Server Certificate External CA EV High Assurance External CA Standard SSL/TLS A unique CA Template is required for each type of certificate to be issued

7 Set CA Template Set and lock the CA Template appropriate for each type of certificate to be issued

8 Create CA Specific Policies Separate by individual CA if either: Internal and External Cas are managed by different groups TPP will be used for chargeback logs Permissions View, Read, Write, Create, Associate, Read Private Key, Write Private Key

9 Policy Tree Structure Create a policy folder for each group that owns certificates Repeat for each CA Permissions: View, Read, Write, Create, Associate, Read Private Key, Write Private Key

10 Best Practice: Permissions Place Permissions at the lowest possible folder in the policy tree. Restrict access to ensure that certificates are created in the desired folders only.

11 Configure TrustAuthority Workflow Distributed Management deployment model: Configure Stage 500 Workflow for approval by the Security / PKI team Stage 500 Stage 1400 Registration Authority (RA) Process (Stage 500): This workflow is sent to the PKI administrator or designated RA for additional vetting of the CSR to ensure that the certificates are in keeping with current policies prior to issuance. Certificate Revocation (Stage 1400): This workflow prevents the systematic revocation of certificates. Send these workflow notifications to the certificate owner or trusted administrator for further review and approval before revocation actually occurs.

12 Configure TrustForce Workflow Workflows to be set up with TrustForce all deployment models Stage 800 Certificate Installation (Stage 800): This workflow pauses the process to allow the installation team to schedule the start of the Provisioning process. When this workflow is approved, TPP will begin installation of the certificate and private key onto the system at the scheduled time Stage 1100 Command Injection (Stage 1100): This workflow pauses the process to allow cleanup tasks or application restarts after a certificate renewal event. Venafi TPP can be called on to perform restarts, SSH or even CLI via the MS CAPI driver.

13 Configure Alternate Workflows Alternate workflows: Stage 0 Budgetary Approval (Stage 0): This workflow sends an notification requesting approval to (re)issue a specific Certificate object. The message is sent to the Contact identities assigned to the corresponding Certificate object and the applications that consume the certificate. If Stage 0 is approved, TPP continues processing the certificate renewal. If Stage 0 is rejected, TPP stops processing the certificate. Since it is applied at the Policy level, approval will be required for new certificates as well. Stage 1500 Command Injection (Stage 1500): This workflow can be called to perform cleanup tasks or application restarts after a whitelisting event. It is used for application restarts, SSH or even CLI via the MS CAPI driver.

14 Required Enrollment Notifications Certificate Ready to Download Workflow Approval Pending Workflow Ticket Rejected

15 Testing TrustAuthority (Enrollment) Use a user account that has the same permissions as the requestor Create a local account and assign permissions if necessary Ensure naming conventions used for policy folders are user friendly Look for opportunities to lock policy values to simplify the enrollment process

16 Lab Complete Lab VTIS Configure Enrollment Time: 30 Minutes View labs, slides, and other resources: