CertAgent. Certificate Authority Guide


CertAgent Certificate Authority Guide, Version 7.0, July 5, 2018

Information in this document is subject to change without notice and does not represent a commitment on the part of Information Security Corporation. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of the agreement. No part of this manual may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, for any purpose other than the purchaser's personal use without the prior written permission of Information Security Corporation.

CertAgent is commercial computer software and, together with any related documentation, is subject to the restrictions on U.S. Government use as set forth below.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software Clause at DFARS. Contractor/manufacturer is Information Security Corporation, 1011 W. Lake Street, Suite 425, Oak Park, IL 6030.

The U.S. International Traffic in Arms Regulations (ITARs) (22 CFR) prohibits the dissemination of certain types of technical data to foreign nationals.

Protected by U.S. Patent No. 5,699,43.

CertAgent is a trademark of Information Security Corporation. Other product and company names mentioned in this document may be the trademarks of their respective owners.

The cryptographic functionality of CertAgent is provided by CDK 7.0, ISC's FIPS validated cryptographic module, via a Java JNI and/or an RMI interface. In addition, CertAgent uses code extracted or derived from the following open source software packages redistributable under the terms of the GPL:

    Log4j, Version 16: Copyright The Apache Software Foundation. All Rights Reserved.
    jquery, Version 10: Copyright The jquery Foundation, Inc.
    JSON-RPC, Version 0: Copyright by the JSON-RPC Working Group

CertAgent Certificate Authority Guide, Version 7.0 (Revision 6, July 2018)
Information Security Corporation. All Rights Reserved.

Information Security Corporation
1011 W. Lake Street, Suite 425
Oak Park, IL
Phone:
Fax:
Website:
tech@infoseccorp.com

Table of Contents

1 Introduction
    CertAgent Architecture
    About this Guide
    Technical Support
2 Certificate Authorities (CAs)
    Overview
        Communicating with the Server
        Access Control and Permissions
        Using a Master Account
        Using a Profile
    Logging in as an Authorized User
        Importing Administrator Credentials into Browsers
        Logging In
    Viewing Account Status
    Manage CA Credentials
        Creating Credential for a CA
        Using Existing Credentials
        Installing Credentials
        Exporting Credentials
        Renewing Certificates
        Publishing CA Certificates
    Managing Certificate Requests
        Searching Certificate Requests
        Issuing Certificates
        Rejecting a Certificate Request
        Reinstating Rejected Certificate Requests
        Viewing Processed Certificate Requests
        Changing the Assigned Profile
        Updating a User's Contact Address
        Exporting Certificate Requests
    Managing Certificates
        Searching Certificates
        Viewing Certificates
        Revoking Certificates
        Changing the Revocation Status of a Certificate
        Viewing Revoked Certificates
        Viewing Expired Certificates
        Changing the Assigned CA Account
        Sending Certificate Retrieval Notifications
        Managing Certificates in External LDAP Repositories
        Updating a User's Contact Address
        Viewing Certificate Properties
    Managing CRLs
        Issuing a CRL
        Viewing CRLs
    Setting Account Preferences
        Managing Credentials
        Managing Certificate Enrollment
        Managing RAMI (Registration Authority Management Interface)
        Managing Certificate Profiles
        Managing Certificate Issuance
        Managing Revocation Policy
        Managing CRL Issuance
        Managing OCSP Responder Settings
        Managing LDAP Repository Settings
        Managing Notifications
        Managing Public Site Configuration Settings
        Managing Self-Service Settings
    Managing the Audit Trail
        Audit Table Format and Description
        Searching the Audit Trail
    Viewing the About Page
    Using Help
    Logging Out
3 Administrative Site
    Logging In As the Site Administrator
4 Public Site
    Viewing the Public Site
5 Glossary
6 References

1 Introduction

CertAgent is an X.509-compliant certificate authority (CA). It is an easily managed, web-based CA intended to be used as the core component of an enterprise public key infrastructure (PKI). Designed to meet the needs of a wide variety of organizations, the current release offers enhanced enrollment services (EST), remote administration, integrated certificate and CRL databases, and an OCSP responder. It supports an unlimited number of root and intermediate CAs, providing support for as complex a certificate hierarchy as the size of your enterprise warrants.

1.1 CertAgent Architecture

The following diagram illustrates the basic layout of the CertAgent system.

[Figure: The CertAgent 7 System Architecture. Labels in the diagram: HSM; Database; External LDAP Repository (optional); CertAgent Server; ISC CDK (FIPS 140-2); JNI; RMI; CACLI; Report Generator; Java Servlet/JSP Container; Administration Web App; Public Web App; EST Web App; PIN Entry Interface; Admin Site; CA Account Site; RA Management Interface; DBAccess Interface; Public Site; OCSP Responder. Connection types: TLS; TLS with client authentication (ACL); TLS with basic/client authentication. Actors: Local admin (from localhost or an authorized IP address); Authorized Admin; RA; Audit Server or Certificate Query Users; OCSP Client; EST Client.]

1.2 About this Guide

This guide explains how to configure, manage, and use CertAgent from the point of view of a certificate authority (CA) on the system. CA accounts are used to:

    implement and enforce one or more (formal or informal) certificate practice statement profiles;
    issue certificates and CRLs conformant with those profiles;
    view audit trail logs, and perform other critical tasks in the process of certificate lifecycle management.

This guide is divided into chapters as follows:

    Chapter 1 provides an overview of the organization and contents of this guide and explains its stylistic conventions.
    Chapter 2 explains how to configure, manage, and use CA accounts and profiles.
    Chapters 3 and 4 briefly discuss the system administrator role and use of the public site (for details, consult the separate CertAgent guides on those topics).
    Chapters 5 and 6 provide a glossary and list of useful references.

The remainder of this introduction provides an overview of the organization of the CertAgent system, provides contact information for technical support, and explains the stylistic conventions used in this manual.

1.3 Technical Support

Information Security Corporation provides technical support for CertAgent during normal business working days, Monday through Friday, 8:00 a.m. to 5:00 p.m. Central Standard Time.

Phone: (708)
Fax: (708)
Web:
tech@infoseccorp.com

2 Certificate Authorities (CAs)

2.1 Overview

An X.509 certificate authority issues certificates to various entities, revokes those certificates when the situation warrants, and periodically issues certificate revocation lists (CRLs) that can be used by client applications to determine if a given certificate has been revoked or placed on hold.

CertAgent supports a hierarchical organization of CAs, having one or more root CAs at the top level with any number of subordinate CAs underneath one of the roots. Each subordinate CA can, in turn, have additional subordinate CAs underneath it. End-users are typically leaf nodes in these (inverted) trees. Each node in a tree has its certificate signed by the CA immediately above it, while a root CA (having no CA above it) has a self-signed certificate. A complete certificate validation path is a path in one of these trees starting at an end-user certificate and chaining up to the self-signed certificate at its root.

Normally any CertAgent CA has the ability to process certificate requests passed to it by individual end-users and potential subordinate CAs. Certificate requests can either be rejected or processed by issuing a certificate. A CertAgent CA, if permitted by the key usage extensions in its certificate, can also issue Certificate Revocation Lists (CRLs). A CRL consists of a list of serial numbers of those certificates issued by that CA that are not currently considered valid, either because they have been permanently revoked or because they have been put on hold for one reason or another. Client applications that employ certificates typically check each individual certificate in a certificate path against the CRL of its respective issuer to verify that they are indeed to be considered valid at time of use.

2.1.1 Communicating with the Server

The CA account pages of the CertAgent website are secured. Your web browser must communicate with the CertAgent server over a TLS connection using strong, certificate-based client authentication. In particular, this means that all command processes and data transfers between your computer and the web server are encrypted.

2.1.2 Access Control and Permissions

The following table describes the administrative permissions available for a CA account and the corresponding responsibilities:

    Role                  Permission   Responsibility
    administrator         admin        manage account configurations
    auditor               audit        view and export audit trails
    CA operations staff   certify      issue certificates and reject invalid certificate requests
                          revoke       revoke certificates and issue CRLs
                          RAMI         submit requests via the RA management interface (RAMI)
                          DBAccess     submit queries via the DBAccess service

2.1.3 Using a Master Account

Every master CA account hosted by a particular CertAgent website has its account ID and access control list (ACL) managed by the site administrator. To log in to such an account, your personal certificate must appear in its ACL directory. The master account supports all the permissions.

2.1.4 Using a Profile

A master CA account can have one or more profiles with their own account IDs and access control lists (which can only be modified by an authorized user of the master account). All profiles share the master account's signing key, but each can have a different stored profile, i.e., default settings for certificate and CRL management. Using profiles, a master CA can easily issue certificates complying with different pre-configured settings, but using the same signing key. (For example, a master CA may wish to establish one profile for issuing end-user S/MIME encryption and signing certificates and another profile for SSL server certificates. These profiles would have different certificate issuance settings, but would share the same signing key.) Logging into a profile is similar to logging into a master account. A profile account only supports the certify, revoke and RAMI permissions.

2.2 Logging in as an Authorized User

In order for a user to access the CA Account Site, the user's certificate must be added to the CA account's access control list (ACL) with at least one permission (admin, audit, certify, or revoke). The ACL is managed by the administrator of the Admin Site.

An initial CA account named ca7 is automatically created during installation. The administrator, CA operations staff, and auditor certificates (<ca home>/keystore/ca-admin.der, ca-operations-staff.der, and ca-auditor.der) are added to the account's ACL with the administrator, CA operations staff, and auditor roles respectively. You can import these temporary credentials (<ca home>/keystore/ca-admin.p12, ca-operations-staff.p12 and ca-auditor.p12, with password <p12 pass>) into your web browser's certificate store in order to gain access to the ca7 account of the CA Account Site.

2.2.1 Importing Administrator Credentials into Browsers

If you have selected the NIAP compliance option during the installation, AES-256 will be used to encrypt your private key. The PKCS#12 files generated by the installer can only be imported into compatible browsers (e.g., Firefox 56+ and Internet Explorer on Windows 10).

2.2.1.1 Firefox

To import the administrator's credentials into Firefox 45 ESR:

    1. Select the Menu button.
    2. Select Preferences on UNIX or Options on Windows.
    3. From the left-side menu, select Advanced.
    4. Select the Certificates tab and click View Certificates.
    5. In the Certificate Manager dialog, select the Your Certificates tab and click Import.
    6. Browse to the PKCS#12 file (e.g., <ca home>/keystore/ca-admin.p12) and click Open.
    7. Enter the password that was used to encrypt the private key and click OK. Firefox will alert you when the certificate has been installed successfully.
    8. Select the Authorities tab, then select the root certificate (e.g., CertAgent Root CA) listed under the organization you entered during the installation.
    9. Click Edit Trust, check all three checkboxes in the Edit CA certificate trust settings dialog and click OK.
    10. Click OK to close the Certificate Manager dialog.

2.2.1.2 Internet Explorer

To import the administrator's credentials into Internet Explorer 11:

    1. Select Tools, Internet Options from the menu bar.
    2. Select the Content tab and click Certificates.
    3. Select the Personal tab and click Import.
    4. In the Certificate Import Wizard:
        a. Click Next.
        b. Click Browse..., locate the PKCS#12 file (e.g., <ca home>/keystore/ca-admin.p12) and click Open.
        c. Click Next, enter the password that was used to encrypt the private key and click Next.
        d. Select the Automatically select the certificate store based on the type of certificate option, browse the store to Personal and click Next. Then, click Finish.
        e. When the Security Warning dialog appears with the Root CA information (e.g., CertAgent Root CA), click Yes to trust this certificate.
        f. It will alert you when the certificate has been installed successfully.

2.2.2 Logging In [1]

To log in to a CA account:

    1. Launch Internet Explorer and enter the following URL in its address bar:

           https://<host>:<admin port>/certagentadmin/ca/login.jsp

       Be sure to replace <host> and <admin port> with the appropriate system name (or IP address) and SSL port of your CertAgent webserver.
    2. Select your certificate in the Windows Security dialog to authenticate yourself to the webserver, and then click OK.

       NOTE: If your certificate does not appear in the Windows Security dialog, make sure that the appropriate administrative credentials have been imported into the Internet Explorer Personal certificate store and that the trust anchor (root certificate) for your certificate has been imported into the trust store of your servlet container.

    3. Once you have been successfully authenticated to the server, the login page will appear.

       NOTE: If the access banner is enabled from the Admin site, a page with an advisory notice and consent warning message will appear first. Click the Login button to continue to the login page.

    4. If you are authorized to access multiple accounts, select an account from the drop-down list. Otherwise, you will be logged in to your account automatically.

[1] Requires the admin, audit, certify, or revoke permission.

Depending on the permissions of an authorized user, the set of pages and tasks available is appropriately limited.

2.3 Viewing Account Status [2]

To view the status of your account, click Account Status to display a page of information about your account. Critical error messages and warnings, as well as reminders to issue a CRL, may appear here.

[2] Requires the admin, audit, certify, or revoke permission.

2.4 Manage CA Credentials [3]

[3] Requires the admin permission.

2.4.1 Creating Credential for a CA

Log in to a master CA account, navigate to the Account Status page, and follow the link labeled Click here to obtain a certificate. Alternatively, you can click Preferences, Credentials, then click New Credential.

CertAgent's New Credential wizard guides you through the process of establishing the X.509 credentials for your CA account. The first page of the wizard asks if you wish to generate a new key pair or use an existing one. You must also indicate whether this account will be operating as a root or subordinate CA and where the credentials for the account will be stored. Select Use default to use the existing HSM access settings. Otherwise, select Use custom and specify the required HSM access settings. To view the slots and labels available on your HSM, enter the path of the vendor-provided access library and click View Slots/Labels.

The remainder of this section explains in greater detail how to use the wizard.

2.4.1.1 Generating Credential for a Root CA

To create new credential for a root CA:

    1. In the New Credential page, select Generate a new key pair and A Root CA, with a self-signed certificate. Then, click Next.
    2. You will be presented with the credential form. Specify the RDNs. If necessary, change the validity period, key type and size, message digest, or certificate extensions, and then click Generate.
    3. Click OK to confirm your intentions.

    NOTE: The available key types and sizes are determined by the selected HSM provider. If the ISC Tara Software HSM is used, the available key types and sizes are RSA 1024, 1536, 2048, 3072, 4096, and 8192; NIST B-163, 233, 283, 409, and 571; and NIST P-192, 224, 256, 384, and 521.

    NOTE: CertAgent supports SHA1, SHA-224, SHA-256, SHA-384, and SHA-512. The available message digest is determined by the selected key type and size.

CertAgent will generate a new key pair of the type you specified. Once your new certificate has been installed, its properties will be displayed.

2.4.1.2 Generating Credential for a Subordinate CA

To create new credential for a subordinate CA:

    1. In the New Credential page, select Generate a new key pair and A subordinate CA, with a PKCS#10 certificate request. Then, click Next.
    2. If the superior CA that is to issue your certificate resides on the same system, select to be submitted to a CA on this system and click Next; otherwise skip to step 4.
    3. Select the superior CA who is to issue your certificate and complete the Certificate Request Information part of the form.
        a. Specify the RDNs. If necessary, change the key type and size, and message digest.

           NOTE: The available key types and sizes are determined by the selected HSM provider and the acceptable key type and size settings configured by the superior CA.

           NOTE: CertAgent supports SHA1, SHA-224, SHA-256, SHA-384, and SHA-512. The available message digest is determined by the selected key type and size.

        b. Enter your e-mail address so that the issuing CA can notify you once your request has been processed, then click Generate.
        c. Click OK in the confirmation dialog.

       CertAgent will:
           generate a new key pair of the type you specified,
           create a certificate request containing the public key, and
           store the HSM access information (with the HSM PIN encrypted under the system certificate) and the certificate request in the database.

       Your request will then be forwarded to the specified superior CA and confirmation of the success of this process will be displayed to you on a Results page.

    4. If the superior CA that is to issue your certificate does not reside on the same system, select to be submitted to an external CA and click Next.
        a. Enter the required Certificate Request Information and click Generate.
        b. Click OK in the confirmation dialog.

       CertAgent will:
           generate a new key pair of the type you specified,
           create a certificate request containing the public key, and
           store the HSM access information (with the HSM PIN encrypted under the system certificate) and the certificate request in the database.

       It will then display the properties of the certificate request.

        c. Click Export Request (and select either the Binary or Base64-encoded output format) to save your certificate request to a file that you may manually submit to a superior CA.
        d. Once the superior CA has issued your certificate, click Install Certificate to install it in place of your certificate request. See the next section for details.

2.4.2 Using Existing Credentials

If you would like to install an existing key pair as your CA credentials or migrate an external certificate authority account to this CertAgent account, follow the instructions below.

    1. In the New Credential page, enter the required HSM access information and select Use an existing key pair.
    2. Click Next.
    3. All available CA credentials (certificates with either the ca bit asserted in their basicConstraints extension or those without a basicConstraints extension) on the HSM will be listed.
    4. Select the CA certificate you wish to use. (To view detailed information about any of the available certificates, click its DN.)
    5. If you are acting as a subordinate CA, you must import the certificates of your superior CA and its chain. Click Browse and select the certificate file for your superior CA and its chain. Then, click Next.
    6. Click OK in the confirmation dialog.

Properties of the new credentials will be displayed to confirm that they have been successfully imported and assigned to your account.

2.4.3 Installing Credentials

Every CA account must have its certificate and private key installed before it can be used to issue certificates or CRLs. If you are setting up an account for a subordinate CA and you just generated a new certificate request, you should replace the request with an actual certificate as soon as you receive it from the superior CA.

2.4.3.1 Installing a Certificate Issued by an Internal CA

Once an internal CA has issued your certificate, you may install it as the credentials for your account as follows:

    1. Log in to your account, navigate to the Account Status page, and follow the link labeled Click here to check status of your certificate request. Alternatively, you can click Preferences, Credentials, then click Check Status.
    2. If your certificate has not yet been issued, you will need to try again later. Contact your superior CA if necessary.
    3. If your certificate has been issued, its properties will be displayed. Click Install to install your certificate in place of the certificate request.

2.4.3.2 Installing a Certificate Issued by an External CA

To install a certificate issued by an external CA:

    1. Log in to your account and follow the link Click here to install your certificate and remove the request on the Account Status page. Alternatively, you can click Preferences, Credentials, then click Install Certificate.
    2. Click Browse and locate the appropriate PKCS#7 certificate file that includes the issued CA certificate and its chain, then click Install.
    3. Once your certificate has been installed, a confirmation message and your certificate properties will be displayed.
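The following script is an added example, not CertAgent code or any interface it exposes. It uses OpenSSL to reproduce the model described in the Overview and relied on by the install steps above: a self-signed root, a subordinate CA issued from a PKCS#10 request, the PKCS#7 bundle of the issued CA certificate and its chain that the external-CA install step expects, and an end-entity certificate that passes path validation but is rejected once its issuer's CRL is consulted. All DNs, file names and the working directory are constructed for the demo; OpenSSL 1.1.1 or later must be on PATH.

```shell
#!/bin/sh
# Added demo, not CertAgent code: a root -> subordinate -> end-entity hierarchy
# built with OpenSSL. All names, DNs and paths below are constructed.
set -eu
WORK="${DEMO_WORK:-$(mktemp -d)}"; export WORK        # everything lands here
mkdir -p "$WORK/subca/newcerts"
: > "$WORK/subca/index.txt"                            # 'openssl ca' database
echo 1000 > "$WORK/subca/serial"; echo 01 > "$WORK/subca/crlnumber"

# One config file: extension profiles per tier, plus the 'openssl ca' settings
# the subordinate CA uses to issue certificates, revoke them and generate CRLs.
cat > "$WORK/pki.cnf" <<'EOF'
[ca]
default_ca = sub_ca
[sub_ca]
dir = ${ENV::WORK}/subca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = ${ENV::WORK}/sub.crt
private_key = ${ENV::WORK}/sub.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = pol
[pol]
organizationName = supplied
commonName = supplied
[root_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[sub_ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

new_csr() {   # $1 = file stem, $2 = subject DN; fresh RSA key + PKCS#10 request
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

build_demo_pki() {
  # Root CA: self-signed, no CA above it.
  new_csr root "/O=Demo PKI/CN=Demo Root CA"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -set_serial 1 \
    -days 3650 -extfile "$WORK/pki.cnf" -extensions root_ext \
    -out "$WORK/root.crt" 2>/dev/null
  # Subordinate CA: its PKCS#10 request is signed by the CA immediately above it.
  new_csr sub "/O=Demo PKI/CN=Demo Issuing CA"
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -set_serial 2 -days 1825 -extfile "$WORK/pki.cnf" -extensions sub_ca_ext \
    -out "$WORK/sub.crt" 2>/dev/null
  # PKCS#7 bundle of the issued CA certificate plus its chain: the file format
  # that an "install a certificate issued by an external CA" step asks for.
  openssl crl2pkcs7 -nocrl -certfile "$WORK/sub.crt" -certfile "$WORK/root.crt" \
    -out "$WORK/sub-chain.p7b"
  # End-entity (leaf) certificate issued by the subordinate CA.
  new_csr leaf "/O=Demo PKI/CN=web.example.test"
  openssl ca -config "$WORK/pki.cnf" -batch -notext -extensions leaf_ext \
    -in "$WORK/leaf.csr" -out "$WORK/leaf.crt" 2>/dev/null
}

revoke_leaf() {   # permanently revoke the leaf, then publish the issuer's CRL
  openssl ca -config "$WORK/pki.cnf" -revoke "$WORK/leaf.crt" \
    -crl_reason keyCompromise 2>/dev/null
  openssl ca -config "$WORK/pki.cnf" -gencrl -out "$WORK/sub.crl" 2>/dev/null
}

chain_cert_count() {   # certificates carried by the PKCS#7 bundle (expect 2)
  openssl pkcs7 -in "$WORK/sub-chain.p7b" -print_certs -noout | grep -c '^subject='
}

verify_leaf_chain() {   # path validation only: leaf -> subordinate -> root
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/sub.crt" \
       "$WORK/leaf.crt" >/dev/null 2>&1; then echo OK; else echo invalid; fi
}

verify_leaf_with_crl() {   # same path, plus a CRL lookup for the leaf's issuer
  out=$(openssl verify -crl_check -CAfile "$WORK/root.crt" -CRLfile "$WORK/sub.crl" \
        -untrusted "$WORK/sub.crt" "$WORK/leaf.crt" 2>&1) && { echo OK; return 0; }
  case "$out" in *"certificate revoked"*) echo revoked ;; *) echo invalid ;; esac
}

build_demo_pki
BEFORE=$(verify_leaf_chain)       # OK: the path builds up to the self-signed root
revoke_leaf
AFTER=$(verify_leaf_with_crl)     # revoked: the issuer's CRL now lists the leaf
echo "bundle certs: $(chain_cert_count); no CRL check: $BEFORE; with CRL check: $AFTER"
```

Note that after revocation verify_leaf_chain still reports OK: a relying party that skips the CRL lookup cannot tell a revoked certificate from a valid one.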

16 4.4 Exporting Credentials Once your CA credentials have been installed, you can export them to a file. To export the CA credentials: Click Preferences, Credentials, then click Export. Click one of the available certificate file formats: binary, base64-encoded X.509 certificate (.der), or PKCS#7 certificates (.p7b). For cross certification, select binary or base64-encoded PKCS#10 format. Submit the saved certificate request to a desired Certificate Authority for cross certification. Click [X] to close this dialog. 4.5 Renewing Certificates CertAgent makes the renewal of CA credentials quite straightforward. Even after a particular CA certificate has expired, the renewal process can produce a new certificate for that CA s existing key pair. However, before performing any of the tasks described in this section, you should be sure that your organization s security policy permits it. WARNING: There is a known issue regarding the use of renewed CA certificates with browsers (other than Internet Explorer) and other applications that build certificate validation paths by matching the authority key identifier extension in a subject s certificate with the subject key identifier in the issuer s certificate. Such applications may regard as invalid any certificate issued by a CertAgent CA whose certificate has been renewed since the authority key identifier value in the issuer certificate will have changed. While recent releases of Internet Explorer do not suffer from this problem, it may be best to avoid using the certificate renewal process for CAs issuing certificates that may be used with other browsers Renewing a Root Certificate To renew the self-signed certificate for a root CA: Click Preferences, Credentials, then click Renew. You will be presented with the Identifying Information for Renewed Root CA form. Change the validity period and certificate extensions, if needed, then click Generate. 
CertAgent will generate a new self-signed certificate containing the current certificate s public key signed with the corresponding private key. Once the new certificate has been created, its properties will be displayed Renewing Subordinate CA Certificates To renew the certificate of a subordinate CA: Click Preferences, Credentials, then click Renew to launch the Renew Certificate wizard. 16

17 If the superior CA that is to process your renewal request resides on the same system, select a CA on the same system and click Next; otherwise skip to step a. Select the superior CA who is to issue your certificate and complete the form. b. Enter your address (so that the issuing CA can notify you once your request has been processed), then click Next. c. CertAgent will generate a certificate request from your current certificate. Your request will then be forwarded to the specified superior CA and confirmation of the success of this process will be displayed to you on a Results page. d. To check the status of your request, click Check Status. If your certificate has not yet been issued, you will need to try again later. Contact your superior CA if necessary. If your certificate has been issued, its properties will be displayed. e. Click Install to install this certificate in place of your certificate request. If the superior CA that is to issue your certificate does not reside on the same system, select an external CA manually. Then, click Next. CertAgent will generate a certificate request from your current certificate. It will then display the properties of the certificate request. a. Click Export Request (and select either the Binary or Base64-encoded output formats) to save your certificate request to a file that you may manually submit to a superior CA. b. Once the superior CA has issued your certificate, click Install Certificate to install it in place of your certificate request. 4.6 Publishing CA Certificates Publishing Certificates to a Remote LDAP Directory To manually publish a CA certificate to an external LDAP repository, you must have the publish CA certificate option set to manually on the Preferences, LDAP Repositories configuration page and have entered the appropriate access information for the remote LDAP repository. 
(For details on the configuration of this option, see the section entitled Managing LDAP Repository Settings) Assuming that this is the case: Click Preferences, Credentials, then click Publish. If needed, edit the DN and certificate attribute in the form, then click Publish. The CA certificate will be published as requested to the external LDAP directory and the status message will be displayed. Click Close to close this page. 17

18 5 Managing Certificate Requests Searching Certificate Requests 5.1 Searching Pending Certificate Requests To view the pending certificate requests matching some search criteria. Click Search in the Certificate Requests section of the navigation panel for your account: a. Specify the desired search criteria (request ID, RDN, status, contact address, requests assigned to any profiles, and last modified date) to be matched. You may use an asterisk (*) as a wildcard in the search string. b. If there are additional profiles associated with your master account, you may allow the query to include all the profiles by checking the Requests assigned to any profile. Otherwise, only certificate requests assigned to the active profile will be returned. c. Check the fields to include in the report in the right-hand column. d. Specify the report format (sort order, and save option). Click Search. Once the system has listed the certificate requests matching your search criteria, you may click one to open an Advanced functions page; the functions you may perform on a given request will depend upon its current status. To refine your search, select the Search tab. 5.2 Tracing a Submitted Request to an Issued Certificate Each certificate request is identified by a unique request ID which is linked to the issued certificate. To trace a request to an issued certificate: 4 Requires the certify permission. 18

19 4. Click Search in the Certificate Requests section of the navigation panel for your account. Check the Request ID matches checkbox, specify a request ID in the associated field, uncheck the Status checkbox, and click Search. If a matching certificate request is found, its information will be displayed. Click the certificate icon to open an Advanced function page. If a certificate has been issued for your certificate request, click the Subject DN of the certificate in the Details section. Your certificate details will be displayed in a pop-up page. 5.2 Issuing Certificates To issue certificates for one or more pending certificate requests: First view the pending certificate requests that have been submitted to your account by clicking Pending in the Certificate Requests section of the navigation panel. If there are additional profiles associated with your master account, you may filter the pending requests by profile using the Active Profile drop-down list at the top of the page. To view the properties of any request, click the certificate request icon immediately to the right of the corresponding check box. Check Show details to view the properties of all displayed requests. If you wish to process one or more certificate requests using the default certificate issuance settings for your account, check the selection boxes next to those you wish to process and click Issue Selected at the bottom of the page. To process a single request, click the Issue button adjacent to that request. NOTE: If subject alternative names are submitted by the user in the public enrollment page, these values will automatically be included in the issued certificate. To issue a certificate with customized properties: If you wish to customize the properties of the certificate that will be issued for a given request, click on the DN link for the request to open the Advanced page. 19

20 4. (Optional) To view the certificate request s properties and extensions, click View Request. NOTE: This feature is only available if the request is in a PKCS#10 format. Displaying the properties of CRMF requests and those of requests generated by browsers other than Internet Explorer are not supported.) (Optional) If user has submitted subject alternative names from the enrollment page, Submitted Subject Alternative Names section will appear. Click View to view the submitted information. These names will automatically be included in subject alternative name extension of the issued certificate. The properties and extensions displayed on this page are populated using the default extension and certificate request rules. To add more extensions, select Issue certificate with customized settings in the Action drop-down list, and click Add Extensions. 20

21 Select the desired extensions and click Add Checked. The selected extensions will be added. Fill in all the required information for each newly added extension. For details on the configuration of each extension, see Managing Certificate Issuance section To remove an extension, simply click the [x] to the right of the extension name. Click Submit to issue the request. (If you change your mind about settings changes you have made, just select the Issue certificate with default settings option in the Action drop-down list.) Click OK to confirm your desire to process the selected certificate requests. Once the results of the request processing have been displayed, you may click the link View certificate details on the Results page to view the properties of that certificate. 5.3 Rejecting a Certificate Request To reject a pending certificate request: View the pending certificate requests that have been submitted to your account by clicking Pending in the Certificate Requests section of the navigation panel. If there are additional profiles associated with your master account, you may view the pending requests for them by selecting the appropriate profile name in the Active Profile drop-down list at the top of the page. To view the properties of any request, click the certificate request icon immediately to the right of the corresponding check box. Click Show details to view the properties of all displayed requests. 21

3. You can reject multiple requests simultaneously by checking the boxes next to those requests and clicking the Reject Selected button at the bottom of the page. To reject a single request, click the Reject button adjacent to that request. Alternatively, you can click on the request's DN link to open the Advanced page. In this dialog, select Reject request from the drop-down list and enter a Reason code. Then click Submit. Click OK to confirm the operation, then click Close to close the Advanced page.
4. If you're not using the Advanced page, enter the reason for rejecting the selected request(s) and click OK.

The selected certificate request(s) will be processed and the results will be displayed. Notification will be sent to the submitter if the notify submitter after rejecting a certificate request option is enabled in Preferences, Settings and a contact address is provided by the submitter.

Note that rejected certificate requests are not discarded; they are simply moved to the Rejected requests list. If necessary, they may be reinstated as explained in the next section.

5.4 Reinstating Rejected Certificate Requests

To reinstate one or more rejected certificate requests:

1. View the certificate requests that have been rejected by clicking Rejected in the Certificate Requests section of the navigation panel for your account. A list of all rejected certificate requests will be displayed. If there are additional profiles associated with your master account, you may view the rejected requests for them by selecting the appropriate profile name in the Active Profile drop-down list at the top of the page.
2. To view the properties of any request, click the certificate request icon immediately to the right of the corresponding check box. Click Show details to view the properties of all displayed requests.
3. You can reinstate multiple requests simultaneously by checking the boxes next to those requests and clicking the Reconsider Selected button at the bottom of the page. To reconsider a single request, click the Reconsider button adjacent to that request. Alternatively, you can click on a request's DN link to open the Advanced page. In this dialog, select Reconsider request from the drop-down list, then click Submit. Click OK to confirm the operation, then click Close to close the Advanced page.
4. If you are not using the Advanced page, click OK in the confirmation dialog.

The selected request(s) will be reinstated (i.e., moved back to the Pending certificate request list for your account) and the results will be displayed.

5.5 Viewing Processed Certificate Requests

To view processed requests:

1. Click Processed in the Certificate Requests section of the navigation panel for your account. A list of all processed certificate requests will be displayed.
2. You may click on any request's DN link to open the Advanced page.

5.6 Changing the Assigned Profile

If there are additional profiles associated with your master account, you can change the account to which a request is assigned as follows:

1. Open the Advanced page by clicking the pending certificate request's DN.
2. Select Assign to another profile as the Action.
3. Specify the account to which you wish to assign this request by selecting it in the Assign this request to drop-down list.
4. Click Submit, and then click OK to confirm your intentions. Finally, click Close to close the Advanced page.

5.7 Updating a User's Contact Address

To update a user's contact address:

1. Open the Advanced page by clicking the pending certificate request's DN.
2. Select Update contact address as the Action and modify the data in the address field. To remove the address, leave the field blank.
3. Click Submit, and then click OK to confirm your intentions. Finally, click Close to close the Advanced page.

5.8 Exporting Certificate Requests

To export a certificate request:

1. Open the Advanced page by clicking the pending certificate request's DN.
2. Select Export certificate request as the Action.
3. Click Submit, then click Save. Enter a filename and click Save in the Save As dialog.
4. Finally, click Close to close the Advanced page.

6 Managing Certificates

6.1 Searching Certificates [5]
[5] Requires the certify or revoke permission.

To search the database for certificates matching certain criteria:

1. Click Search in the Certificates section of the navigation panel for your account.
2. Specify the desired search criteria (serial number, request ID, RDN, status, contact address, certificates assigned to any profile, revocation date, not before date, not after date, and admin DN). You may use an asterisk (*) as a wildcard in the search string. If there are additional profiles associated with your master account, you may allow the query to include all the profiles by checking Certificates assigned to any profile. Otherwise, only the certificates assigned to the active profile will be returned.
3. Check the fields to include in the report in the right-hand column. To count the number of certificates matching the search criteria, check the Count only checkbox and optionally select the group by option to group the result by not before or not after date.
4. Specify the report format (sort order, group by, and save option), and then click Search.
5. Once the system has listed the certificates matching your search criteria, you may click one of them to open the Advanced page and perform various functions with that certificate; which functions are available will depend on the certificate's current status. To refine your search, select the Search tab. Optionally, check the Save result to option to export the results to a CSV or text file.

To trace an issued certificate to a request: check the Serial number matches checkbox, specify a serial number in the associated field, uncheck the Status checkbox, check the Request ID checkbox in the right column to include the request ID in the report, and click Search. If a matching certificate is found, its request ID along with the selected information will be displayed. You can use the returned request ID to search for the request details in the Search Certificate Requests page.

6.2 Viewing Certificates

To view valid certificates:

1. Click Valid in the Certificates section of the navigation panel for your account. A list of all valid certificates issued by the current account will be displayed. If there are additional profiles associated with your master account, you may view the certificates issued by them by selecting the appropriate profile name in the Active Profile drop-down list at the top of the page.
2. Click the small certificate icon immediately to the right of a certificate's selection box to view its properties. Alternatively, click Show details to view all certificate details.

6.3 Revoking Certificates [6]
[6] Requires the revoke permission.

To place a certificate on hold or to revoke it:

1. Start by viewing the valid certificates that you have issued by clicking Valid in the Certificates section of the navigation panel for your account.
2. You can revoke multiple certificates simultaneously by checking the boxes next to those certificates and clicking the Revoke Selected button at the bottom of the page. To revoke a single certificate, click the Revoke button adjacent to it. Alternatively, you can click on a certificate's DN link to open the Advanced page. In this dialog, select Revoke as the Action, specify a Status and Reason code (see below), then click Submit.
3. If you are not using the Advanced page, specify a Status and Reason code (see below), then click Revoke.

To place the selected certificate(s) on hold, select the On Hold option and choose one of the following reasons:

None           No reason specified. (Subject's certificate should be rejected until it is removed from this issuer's CRL.)
Call Issuer    This value has application-dependent semantics. (Subject's certificate should be rejected until it is removed from this issuer's CRL.)
Reject         Subject's certificate should be rejected until it is removed from this issuer's CRL.
Pick-up Token  Physically seize the token containing the private key for this certificate, if possible. (Subject's certificate should be rejected and is probably pending permanent revocation.)

To revoke the selected certificate(s), select Revoke and choose one of the following reasons:

Unspecified             No reason specified. Use of this value is deprecated; choosing No Reason to omit a reason code is preferred in most applications.
Key Compromise          The subject's private key is known, or suspected, to have been compromised.
CA Compromise           The subject CA's private key is known, or suspected, to have been compromised.
Affiliation Changed     Some subject information in the certificate has changed.
Superseded              The certificate has been superseded, perhaps by another certificate containing the same public key, but with a later expiration date.
Cessation of Operation  The certificate is no longer needed for the purpose for which it was originally issued.
Remove from CRL         The entry appears on a previous CRL with reason certificateHold but is now valid.
Privilege Withdrawn     The privilege contained in the certificate has been withdrawn.
AA Compromise           Aspects of the AA validated in the attribute certificate have been compromised.

The certificate(s) will be placed on hold, revoked, or merely marked for revocation, and the results displayed. If the Support pending revocation as a separate certificate status value option is disabled (as it is by default), certificates, when initially designated as revoked by a CA, are immediately moved to a revoked certificates list.
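The reason selected above is what a relying party later reads back from the CRL this account issues, as the RFC 5280 reasonCode entry extension. The following is an added example (not CertAgent code) that decodes that extension from DER and maps the value to the reason names listed above; the DER bytes it works on are constructed for the example, and the helper names are its own.

```python
"""Decode the CRLReason carried in a CRL entry's reasonCode extension.

Added example, not CertAgent code. The reason chosen when a certificate is
revoked or placed on hold is carried on the issued CRL as the RFC 5280
reasonCode entry extension (OID 2.5.29.21) holding an ENUMERATED value. This
module parses that extension from DER and maps it back to the reason names
used in the guide. The sample DER bytes are constructed for the example.
"""
from typing import Tuple

REASON_CODE_OID = "2.5.29.21"

# RFC 5280 CRLReason values (7 is unused) mapped to the guide's reason names.
# The on-hold sub-reasons (None, Call Issuer, Reject, Pick-up Token) travel in
# the separate holdInstructionCode extension, which this example does not decode.
CRL_REASONS = {
    0: "Unspecified",
    1: "Key Compromise",
    2: "CA Compromise",
    3: "Affiliation Changed",
    4: "Superseded",
    5: "Cessation of Operation",
    6: "On Hold",  # certificateHold
    8: "Remove from CRL",
    9: "Privilege Withdrawn",
    10: "AA Compromise",
}


def read_tlv(data: bytes, offset: int = 0) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at offset; return (tag, value, next_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        nbytes = length & 0x7F
        length = int.from_bytes(data[offset:offset + nbytes], "big")
        offset += nbytes
    value = data[offset:offset + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, offset + length


def decode_oid(value: bytes) -> str:
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_reason_code(extension_der: bytes) -> Tuple[int, str]:
    """Parse a DER Extension holding reasonCode; return (CRLReason, guide name)."""
    tag, ext, _ = read_tlv(extension_der)
    if tag != 0x30:
        raise ValueError("extension must be a SEQUENCE")
    tag, oid_bytes, pos = read_tlv(ext)
    if tag != 0x06 or decode_oid(oid_bytes) != REASON_CODE_OID:
        raise ValueError("not a reasonCode extension")
    tag, inner, pos = read_tlv(ext, pos)
    if tag == 0x01:  # optional critical BOOLEAN; reasonCode is normally non-critical
        tag, inner, pos = read_tlv(ext, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    tag, enum, _ = read_tlv(inner)
    if tag != 0x0A or len(enum) != 1:
        raise ValueError("reasonCode must be a one-byte ENUMERATED")
    code = enum[0]
    if code not in CRL_REASONS:
        raise ValueError(f"unknown CRLReason {code}")
    return code, CRL_REASONS[code]


def encode_reason_code(code: int) -> bytes:
    """Build the DER Extension for a reasonCode; used here to construct samples."""
    enum = bytes([0x0A, 0x01, code])
    octet = bytes([0x04, len(enum)]) + enum
    oid = bytes([0x06, 0x03, 0x55, 0x1D, 0x15])  # 2.5.29.21
    body = oid + octet
    return bytes([0x30, len(body)]) + body


if __name__ == "__main__":
    # Constructed samples: key compromise, on hold, and removal from the CRL.
    for sample in (encode_reason_code(1), encode_reason_code(6), encode_reason_code(8)):
        print(sample.hex(), "->", decode_reason_code(sample))
```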
If, however, Support pending revocation as a separate certificate status value is enabled, certificates are first moved to a list of certificates pending revocation. Certificates pending revocation can be reinstated at any time prior to issuance of a CRL (in which they appear), but once such a CRL has been issued, they are moved to the revoked certificates list. NOTE: Only certificates with a status of on hold can be reinstated from the revoked certificates list.

6.4 Changing the Revocation Status of a Certificate [7]
[7] Requires the revoke permission.

If the Support pending revocation as a separate certificate status value option is disabled, only certificates with on hold status can be reinstated. To change the status of such certificates, start by

viewing the revoked certificates: click Revoked in the Certificates section of the navigation panel for your account.

If the Support pending revocation as a separate certificate status value option is enabled, a certificate that has been placed on hold, or one that has been marked for revocation but has not yet appeared on a CRL, is considered to be pending revocation. The status of such certificates may be changed as follows:

1. Start by viewing the certificates pending revocation by clicking Pending Revocation in the Certificates section of the navigation panel for your account. If there are additional profiles associated with your master account, you may filter the certificates pending revocation by profile using the Active Profile drop-down list at the top of the page.
2. To simultaneously change the status of several certificates, check the box next to the selected certificates and click the Change Status button at the bottom of the page. To change the status of a single certificate, click the Change Status button adjacent to it. Alternatively, you can click on a DN link to open the Advanced page.
3. If you are using the Advanced page, select Revoke as the Action, specify the new Status and a Reason code, then click Submit. Otherwise, select Reinstate as the Action to reinstate the certificate. Click OK.
4. If you aren't using the Advanced page, select a new status (On Hold, Revoked, Valid), choose a Reason code, then click OK.

The status of the selected certificate(s) will be changed and the results will be displayed.

6.5 Viewing Revoked Certificates

To view the certificates that have been revoked, click Revoked in the Certificates section of the navigation panel for your account. You may view the properties of a particular certificate in this list by clicking its DN link to open the Advanced properties page.

6.6 Viewing Expired Certificates

To view expired certificates, click Expired in the Certificates section of the navigation panel for your account. You may view the properties of a particular certificate in this list by clicking its DN link to open the Advanced properties page.

6.7 Changing the Assigned CA Account

If there are additional profiles associated with your master account, you may change the profile to which a certificate is assigned:

1. Locate the certificate you wish to assign to a different account and click its DN link to open the Advanced page.
2. Select Assign to another profile from the Action drop-down list and select the new account.
3. Click Submit, then click OK.
4. Click Close when you are ready to close the Advanced page.

6.8 Sending Certificate Retrieval Notifications

If the notify submitter after issuing a certificate request option is enabled in Preferences, Settings and a contact address is provided by the submitter, a certificate retrieval notice can be resent to a user. To send a certificate retrieval notice to a user:

1. In any of the certificate pages, click on a certificate's DN link to open the Advanced page.
2. If the certificate has not yet been retrieved by its owner, Send retrieve certificate notification to user will appear in the Action drop-down list. Select this action, click Submit, then click OK.
3. Click Close when you are ready to close the Advanced page.

6.9 Managing Certificates in External LDAP Repositories

To manually publish a certificate to, or remove a certificate from, external LDAP repositories, you must have the publish issued certificates option set to either manually or automatically upon certificate issuance on the Preferences, LDAP Repositories configuration page, and have entered the appropriate access information for the remote LDAP repository. (For details on the relevant configuration settings, see the section entitled Managing LDAP Repository Settings.) Assuming this is the case:

1. Open the Advanced function page by clicking the DN of the certificate you wish to manage, wherever it might appear.
2. In the Action list, select either Publish to LDAP repositories or Remove from LDAP repositories, depending on which action you wish to perform.
3. Select the desired LDAP repository. If necessary, modify the DN of the corresponding LDAP entry.
4. Click Submit and then click OK.
5. Click Close when you are ready to close the Advanced page.

6.10 Updating a User's Contact Address

To update a user's contact address:

1. In any of the certificate pages, click on a certificate's DN link to open the Advanced page.
2. Select Update contact address as the Action and modify the data in the address field. To remove the address, leave the field blank.

3. Click Submit, then click OK.
4. Click Close when you are ready to close the Advanced page.

6.11 Viewing Certificate Properties

To inspect a certificate:

1. In any of the certificate pages, click on a certificate's DN link to open the Advanced page.
2. Click the link containing the certificate's Subject DN to view the detailed properties of the certificate. The Certificate Inspection dialog displays the current status of the certificate along with its most important attributes and extensions.
3. You can save the certificate to a local disk file by clicking one of the download links.
4. Click Close to close the detailed properties dialog.

7 Managing CRLs

7.1 Issuing a CRL [8]
[8] Requires the revoke permission.

To issue a new CRL:

1. Click Issue in the CRLs section of the navigation panel for your account. Only newly revoked certificates which have not been included in a CRL will be displayed; previously revoked certificates will be included in the CRL but not displayed.
2. Click Issue CRL.
3. Click OK to confirm this operation. A CRL that includes all certificates pending revocation, all on hold certificates, and all previously revoked certificates will be created.
4. Once the operation has been completed, you will be informed of its status. You may click the new CRL's Effective Date to view its properties in detail, or click Download to save the new CRL to a local disk file on your computer. If the publish CRLs configuration option is enabled and set to manual, click Publish to publish the new CRL to the LDAP repository.

7.2 Viewing CRLs

To view, inspect, or download an issued CRL:

1. Click View in the CRLs section of the navigation panel for your account. At first only the most recent CRL will be displayed. If you wish to display a list of all CRLs for your account, click Show All CRLs.
2. Click Download to save one of the CRLs to a local disk file on your computer.
3. (Optional) If the publish CRL option is enabled, you may click Publish to publish the latest CRL to the appropriate LDAP directory.
4. You may also click a CRL's Effective Date to view its properties in detail. Click Close when you are ready to close the properties dialog.

8 Setting Account Preferences [9]
[9] Requires the admin permission.

8.1 Managing Credentials [10]
[10] Requires the admin permission.

To manage the credentials for your account, click Credentials in the Preferences section of the navigation panel. To generate and install new credentials, click the New Credentials button and follow the directions in the Creating Credential for a CA section. You may export your existing credentials to a file by clicking the Export button and following the directions in the Exporting Credentials section. To renew your current certificate, click the Renew button and follow the directions in the Renewing Certificates section.

8.2 Managing Certificate Enrollment [11]
[11] Requires the admin permission.

CertAgent supports enrollment of users via a web browser, Enrollment over Secure Transport (EST), and from Registration Authorities (RAs) through the Registration Authority Management Interface (RAMI). To manage certificate enrollment settings, click Enrollment in the Preferences section of the navigation panel. Select one of the following tabs to configure its settings and click Apply to save your changes.

8.2.1 Configuration

Acceptable key types and sizes can be configured on this page. For CertAgent operating in NIAP compliant mode, only RSA 3072 or above and the elliptic curves NIST P-256, NIST P-384, and NIST P-521 are supported. Otherwise, DSA and other elliptic curves are also supported. Select the acceptable key types and sizes as appropriate for your requirements. If a received certificate request does not meet the specified requirements, it will be automatically rejected.

NOTE: As per the NSA Suite B Fact Sheet (and CNSSP-15), use of the 256-bit elliptic curve and SHA-256 is appropriate for protecting classified information up to the SECRET level; use of the 384-bit elliptic curve and SHA-384 is necessary for the protection of TOP SECRET information. Hence, for Suite B compliance, the acceptance of RSA and DSA certificate requests should be disabled and the list of acceptable elliptic curves restricted as appropriate.

NOTE: Settings in this page are profile-based. If there are additional profiles associated with your master account, you may manage the profile's settings using the Active Profile drop-down list at the top of the page.

8.2.2 Web

This page controls the settings on the public site's Upload Request and Enroll using Browser pages. The settings you can control on this page are:

Enable this profile in enrollment page  If checked, users can generate a key pair in a browser and submit a certificate request to this account or profile.
Internet Explorer options               You can set and/or enforce the choice of CSP, as well as the Strong private key protection and Mark keys as exportable options, so that they are suggested to (or forced on) users when they use Internet Explorer to generate and submit a certificate request.
Enable this profile in upload page      If checked, users can submit a PKCS#10 request to this account or profile.
Comment Field                           If enabled, a user comment field will appear on the certificate enrollment or upload form.
Contact                                 You can specify the number of address fields to display on the form and the number of addresses required to be specified by users.

NOTE: Settings in this page are profile-based. If there are additional profiles associated with your master account, you may manage the profile's settings using the Active Profile drop-down list at the top of the page.

8.2.3 Enrollment over Secure Transport (EST)

CertAgent supports Enrollment over Secure Transport (EST) with either certificate-based authentication or basic authentication (common name/password over HTTPS) in cases where the requester does not have a valid certificate. CertAgent supports the following EST operations, authentications, and URLs:

Operation                        Authentication     URL Format
Distribution of CA certificates  None               https://<host>:<port>/.well-known/est/certagent/<ca>/cacerts
Enrollment of clients            Certificate-based  https://<host>:<port>/.well-known/est/certagent/<ca>/simpleenroll
                                 Basic              https://<host>:<port>/.well-known/est/certagent/<ca>/simpleenroll
Re-enrollment of clients         Certificate-based  https://<host>:<port>/.well-known/est/certagent/<ca>/simplereenroll
                                 Basic              https://<host>:<port>/.well-known/est/certagent/<ca>/simplereenroll

For basic authentication, the user name must match the common name in the subject DN, or the RFC822 name or DNS name in the subject alternative name, of the certificate request. NOTE: Authorized EST users are managed by CA Operations Staff. For details, see the section entitled Enrollment over Secure Transport (EST).

For certificate-based authentication, the client's certificate must pass path validation and be trusted by the web server. If the client's certificate is issued by the EST CA and includes the id-kp-cmcRA ( ) purpose in the extended key usage extension, the client is a Registration Authority (RA). An RA can submit any certificate request via EST. If the client is not an RA, the common name in the subject DN and the subject alternative name included in the client certificate must match the ones in the certificate request.

CertAgent treats the EST re-enrollment operation the same as enrollment. Authorized users or RAs can submit their EST requests to either operation.

To enable EST: check the Enable EST checkbox and click Apply. The URLs to access the EST interface will be displayed.

CertAgent supports both the POST and GET HTTP methods for EST operations. EST requests can be submitted from an EST client or any program that can submit POST and/or GET requests (e.g., browsers and curl).

To submit a CA certificate request: submit either a POST or a GET request to the following URL from your EST client:

    https://<host>:<port>/.well-known/est/certagent/<ca>/cacerts

A base64-encoded CA certificate and its chain in PKCS#7 format will be returned in the response with an HTTP 200 response code and the headers Content-Type: application/pkcs7-mime and Content-Transfer-Encoding: base64.

To submit a certificate enrollment request: submit a POST request with a Content-Type: application/pkcs10 header and the base64-encoded certificate request as the content to one of the enrollment URLs from an EST client. To submit a POST request using curl, run one of the following commands as appropriate for your authentication:

    # use basic authentication
    # --data-binary "@<file>" sends the file contents unchanged as the request body
    curl <url> --basic -u "<username>:<password>" -v -o <out p7 file> --cacert <SSL trust root> --data-binary "@<base64 PKCS#10 file>" -H "Content-Type: application/pkcs10" --tlsv1

    # use client authentication
    # convert the user's PKCS#12 to PEM format and don't encrypt the private key
    openssl pkcs12 -in <p12 file> -out <out pem file> -nodes
    curl <url> --cert <out pem file> -v -o <out p7 file> --cacert <SSL trust root> --data-binary "@<base64 PKCS#10 file>" -H "Content-Type: application/pkcs10" --tlsv1

If the enrollment is successful, the issued certificate in PKCS#7 format will be returned in the response with an HTTP 200 response code and the headers Content-Type: application/pkcs7-mime and Content-Transfer-Encoding: base64. Otherwise, one of the HTTP response codes 400 (bad request), 404 (page not found), or 500 (internal server error) will be returned along with a detailed error message in the response.

8.3 Managing RAMI (Registration Authority Management Interface) [12]
[12] Requires the admin, certify, or revoke permission.

The CertAgent Registration Authority Management Interface (RAMI) allows a remote or automated client process (acting on behalf of an authorized registration authority) to do the following over a TLS-secured connection (with client authentication):

- submit a certificate request for immediate processing and obtain an issued certificate;
- revoke a certificate;
- reinstate a certificate with a status of on-hold or pending revocation;
- issue a CRL.

To manage the RAMI settings, click RA Management in the Preferences section of the navigation panel. Depending on the permissions of an authorized user, the options available in this page are appropriately limited.

The settings a user with certify permission can control on this page are:

Allow certificate enrollment                       Enabling this option allows an authorized registration authority (RA), possibly an automated process acting on behalf of the CA, to submit certificate requests and obtain certificates over an SSL connection with client authentication. This option applies to all profiles.
Allow certificate request and certificate queries  Permits certificate request and certificate queries via RAMI when checked. This option applies to all profiles.

The settings a user with revoke permission can control on this page are:

Allow CRL issuance                                 Permits CRL issuance via RAMI when checked. This option applies to all profiles.

Allow certificate revocation and reinstatement     Permits certificate revocation and reinstatement via RAMI when checked. This option applies to all profiles.

The settings a user with admin permission can control on this page are:

Allow POST to override default CRL settings  If checked, authorized RAs may use POST parameters to override the CRL issuance settings. This option is available if Allow CRL issuance is enabled and applies to all profiles.
Add Rules                                    If set, authorized RAs may use POST parameters to override or append to the default certificate issuance settings. This option is profile-based and is available if NIAP conformance: Enforce profile settings on issuance options is disabled and Allow certificate enrollment is enabled.

To add certificate issuance rules:

1. Click Add Rules.
2. Check the desired posted options and click Add Checked.
3. The selected options will be added to the page.
4. To configure posted extended key usage:
   a. The settings you can control in the Posted Extended Key Usage section are:

      override default or append to default drop-down  If override default is selected, the extended key usage specified in the RAMI post will override the default extended key usage setting; otherwise, the specified extended key usage will be appended to the default extended key usage setting.
      allow or require drop-down                       If allow is selected, the RAMI post can optionally include the associated extended key usage. If require is selected, the RAMI post must include the associated extended key usage; otherwise, the RAMI request will be rejected.
      extended key usage drop-down                     This drop-down lists the extended key usages: server authentication, client authentication, code signing, e-mail protection, time stamping, Microsoft: encrypted file system, PIV Card Authorization, Microsoft Smart Card Logon, OCSP signing, IPSec IKE, IPSec end system, IPSec tunnel, IPSec user, extensible authentication protocol over LAN, extensible authentication protocol over PPP, SCVP responder, SCVP server, SCVP client, data validation and certification server, accept any, and custom OID.
      OID field                                        This field appears if Custom OID is selected in the extended key usage drop-down.

   b. Select the override default or append to default option from the drop-down.
   c. For each desired extended key usage, select the allow or require option and the extended key usage from the drop-down.
   d. To add a custom OID, select Custom OID from the drop-down and enter the OID in the text field.
   e. To add a new extended key usage, click [+].

   NOTE: Any extended key usage not defined in this section will be treated as not allowed. Any RAMI request containing an undefined extended key usage will be rejected.

5. To configure posted key usage:
   a. The settings you can control in the Posted Key Usage section are:

      override default or append to default drop-down  If override default is selected, the key usage specified in the RAMI post will override the default key usage setting; otherwise, the specified key usage will be appended to the default key usage setting.
      allow or require drop-down                       If allow is selected, the RAMI post can optionally include the associated key usage. If require is selected, the RAMI post must include the associated key usage; otherwise, the RAMI request will be rejected.
      key usage drop-down                              This drop-down lists the key usages: digital signature, non-repudiation, key encipherment, data encipherment, key agreement, certificate signing, CRL signing, encipher-only, and decipher-only.

   b. Select the override default or append to default option from the drop-down.
   c. For each desired key usage, select the allow or require option and the key usage from the drop-down.
   d. To add a new key usage, click [+].

   NOTE: Any key usage not defined in this section will be treated as not allowed. Any RAMI request containing an undefined key usage will be rejected.

6. To configure posted subject alternative name:
   a. The settings you can control in the Posted Subject Alternative Name section are:

      override default or append to default drop-down  If override default is selected, the subject alternative name specified in the RAMI post will override the default subject alternative name setting; otherwise, the specified subject alternative name will be appended to the default subject alternative name setting.
      allow or require drop-down                       If allow is selected, the RAMI post can optionally include the associated subject alternative name. If require is selected, the RAMI post must include the associated subject alternative name; otherwise, the RAMI request will be rejected.
      subject alternative name drop-down               This drop-down lists the subject alternative name types: RFC822 name, URL, DNS name, DN, IP address, other name, EDI party name, registered ID, and X400 address.

   b. Select the override default or append to default option from the drop-down.
   c. For each desired subject alternative name, select the allow or require option and the subject alternative name from the drop-down.
   d. To add a new subject alternative name, click [+].

   NOTE: Any subject alternative name which is not defined in this section will be treated as not allowed. Any RAMI request containing such an undefined subject alternative name will be rejected.

7. If Any POST values is allowed, any POST extensions that are not defined in the above posted rules will override or append to the default certificate issuance settings.

NOTE: Add Rules settings in this page are profile-based. If there are additional profiles associated with your master account, you may manage the profile's settings using the Active Profile drop-down list at the top of the page.

For details on submitting RAMI requests, see the CertAgent Installation Guide.
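The three posted-rule sections above (extended key usage, key usage, subject alternative name) share one decision procedure: reject any posted value that is not listed as allow or require, reject a request missing a required value, then either override or append to the profile default. The following added example (not CertAgent's own code) models that procedure for all three sections at once, plus the Any POST values option, so a profile owner can check what a given RAMI POST would yield before enabling rules; the function names, the data shapes, and the treatment of a section the POST leaves empty are this example's assumptions.

```python
"""Model of the RAMI posted rules for certificate issuance options.

Added example, not CertAgent's own code. It encodes the semantics shared by
the Posted Extended Key Usage, Posted Key Usage and Posted Subject Alternative
Name sections: override default vs append to default, allow vs require,
rejection of any posted value not defined in the rules, and the Any POST
values option. Function names, data shapes, and the treatment of a section
the POST leaves empty are this example's assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Tuple, Union

OVERRIDE = "override default"
APPEND = "append to default"


class RamiRejected(Exception):
    """The posted request violates the profile's posted rules."""


@dataclass(frozen=True)
class PostedRule:
    """One Posted ... section: its mode and the values marked allow or require."""
    mode: str
    allow: FrozenSet[str] = frozenset()    # may appear in the POST
    require: FrozenSet[str] = frozenset()  # must appear in the POST


@dataclass
class Profile:
    """Default issuance settings and posted rules of one CA profile."""
    defaults: Dict[str, FrozenSet[str]]
    rules: Dict[str, PostedRule] = field(default_factory=dict)
    any_post_values: bool = False


def apply_rule(section: str, rule: PostedRule, default: FrozenSet[str],
               posted: Iterable[str]) -> List[str]:
    """Resolve one section of a POST against its rule; raise RamiRejected on a violation."""
    posted_set = frozenset(posted)
    undefined = posted_set - (rule.allow | rule.require)
    if undefined:  # anything not listed as allow or require is "not allowed"
        raise RamiRejected(f"{section}: undefined value(s) posted: {sorted(undefined)}")
    missing = rule.require - posted_set
    if missing:  # every "require" value must be present in the POST
        raise RamiRejected(f"{section}: required value(s) missing: {sorted(missing)}")
    if rule.mode == OVERRIDE:
        # Assumption: a POST carrying nothing for this section leaves the default in place.
        return sorted(posted_set) if posted_set else sorted(default)
    if rule.mode == APPEND:
        return sorted(default | posted_set)
    raise ValueError(f"unknown mode {rule.mode!r}")


def resolve_issuance(profile: Profile, post: Dict[str, Iterable[str]]) -> Dict[str, List[str]]:
    """Compute the issuance settings a RAMI POST would produce under this profile."""
    sections = list(profile.defaults) + [s for s in post if s not in profile.defaults]
    result: Dict[str, List[str]] = {}
    for section in sections:
        default = profile.defaults.get(section, frozenset())
        posted = list(post.get(section, ()))
        rule = profile.rules.get(section)
        if rule is not None:
            result[section] = apply_rule(section, rule, default, posted)
        elif posted and not profile.any_post_values:
            raise RamiRejected(f"{section}: no posted rule defined for this section")
        else:
            # Assumption: with Any POST values on, an unruled section appends to its default.
            result[section] = sorted(default | frozenset(posted))
    return result


def try_resolve(profile: Profile, post: Dict[str, Iterable[str]]
                ) -> Tuple[bool, Union[Dict[str, List[str]], str]]:
    """Return (True, settings) when the POST is accepted, else (False, reason)."""
    try:
        return True, resolve_issuance(profile, post)
    except RamiRejected as err:
        return False, str(err)


def sample_profile() -> Profile:
    """Constructed profile: EKU overrides with one required value, KU appends, SAN has no rule."""
    return Profile(
        defaults={
            "extended key usage": frozenset({"server authentication"}),
            "key usage": frozenset({"digital signature"}),
            "subject alternative name": frozenset(),
        },
        rules={
            "extended key usage": PostedRule(OVERRIDE, allow=frozenset({"client authentication"}),
                                             require=frozenset({"server authentication"})),
            "key usage": PostedRule(APPEND, allow=frozenset({"key encipherment"})),
        },
    )


if __name__ == "__main__":
    profile = sample_profile()
    print(try_resolve(profile, {"extended key usage": ["server authentication", "client authentication"],
                                "key usage": ["key encipherment"]}))
    print(try_resolve(profile, {"extended key usage": ["code signing"]}))  # undefined EKU: rejected
    print(try_resolve(profile, {}))  # required server authentication missing: rejected
```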

NOTE: The access control list for RAMI is managed by the authorized administrator of the System Administrative site. For details, see the CertAgent Administrator Guide.

8.4 Managing Certificate Profiles [13]
[13] Requires the admin permission.

A master CA account can have one or more profiles with their own account IDs and access control lists (administered by a user of the master account with admin permission). While each profile shares its credentials with the master CA account, each profile can have its own default settings for certificate issuance, etc. In this way, a master CA can delegate to subordinates the issuance of certificates (and possibly CRLs) with varying default attributes and extensions, but the same issuer keys.

To create a new profile:

1. Click Certificate Profiles in the Preferences section of the navigation panel, then click Create.
2. Enter the Profile ID and display name, then click Create.

   Profile ID         A unique identifier for this profile; may only contain the characters A-Z, a-z, and 0-9.
   Display Name       The friendly name of the profile; may only contain the characters A-Z, a-z, 0-9, and space.
   Copy Setting from  If (none) is selected, the default configuration will be assigned to the new profile. Otherwise, the configuration of the selected profile will be copied to the new profile.

3. Click OK to confirm the operation. A profile will be created with the specified profile ID. This profile will share credentials with its master account (i.e., the master account and all profiles use the same key pair for issuing certificates and CRLs). However, each profile has its own certificate issuance, enrollment, and settings, and a separate access control list.

To remove a profile from the system:

1. Click Certificate Profiles in the Preferences section of the navigation panel.
2. Select the master profile from the Active Profile drop-down list at the top of the page.
3. Check one or more profiles you wish to delete from the list, then click Remove.
4. Click OK to confirm the operation.

To modify the settings for a profile:

1. Click Certificate Profiles in the Preferences section of the navigation panel.
2. Select the profile you wish to modify from the Active Profile drop-down list at the top of the page.

37 4. To change the display name: a. Select the Display Name tab to change the profile name and rights as desired b. Click Apply to save your changes. To manage the profile access control list: a. Select the Access Control List tab. The certificates of all users authorized to use this profile are displayed. b. To add a certificate to the list, click Add. Then upload the certificate by clicking Browse, locating the appropriate certificate file, selecting the desired permissions, and clicking Upload. A confirmation message will be displayed and the certificate will appear in the access control list if the operation is successful. c. To remove one or more certificates from the ACL, check the box before each certificate you wish to delete and click Remove. Click OK in the confirmation dialog to remove the selected certificate(s) from the account ACL. Managing settings for profile enrollment, certificate issuance, and operations are similar to managing these settings for the master account. Select the profile from the Active Profile dropdown list and continue following the steps in the appropriate section below: Managing Certificate Enrollment Managing Certificate Issuance Managing Notifications 8.5 Managing Certificate Issuance 14 To change the certificate issuance options for an account, click Certificate Issuance in the Preferences section of the navigation bar. If you are logged in as an authorized user with certify permission only, the option you can control on this page is: Automatically issue certificates upon request To enable automatic certificate issuance, check this box. If you are logged in as an authorized user with admin permission, you will be presented with a page containing the Properties, Extension, Filter, and Serial No. tabs. The sections below describe the settings on each tab Properties 15 The Properties tab displays the default settings for issuing certificates. 
The options you can control on this page are: 14 Requires the admin or certify permission. 15 Requires the admin permission. 37

Class 1 Assurance: For e-mail-based end-user identity proofing. If checked, every certificate request must contain the submitter's e-mail address; otherwise, it will be rejected. The requester will not receive a Request ID after enrollment; rather, an e-mail notification containing a retrieval URL will be sent once the certificate request has been processed. Certificates are only considered valid once they have been retrieved via these e-mailed links.

Automatically issue certificates upon request: To enable automatic certificate issuance, check this box.

RDNs: Each specified RDN has a default value and an inclusion setting:
   Require: Use the value found in the request; the user must enter a value for this RDN on the public Enrollment page.
   Allow: Use the value found in the request; the specified default value is displayed on the public Enrollment page, but the user is allowed to change it.
   Force: Always use the specified value; it displays on the public Enrollment page, and the user cannot change it.
   When issuing certificates for this account, CertAgent will include the available RDNs in the specified order. Use the corresponding buttons to add an RDN component below the current RDN, delete the current RDN, move the current RDN up, or move the current RDN down.
   If the internal LDAP repository for your CA account is enabled by the site administrator, make sure your default RDN settings agree with the configured LDAP search base. For example, if the search base is set to O=ISC, C=US, the default settings for certificate issuance should include the forced RDNs O=ISC and C=US. All issued certificates must have subject DNs ending with the search base criteria to be returned in response to queries to the internal LDAP server.

Encoding: Encoding of DNs: PrintableString or UTF8String (default).

Validity Period: Specify the default validity period for issued certificates.

Message Digest: One or more of the following message digest algorithms are available: SHA1, SHA-224, SHA-256, SHA-384 and SHA-512. Certificates will be signed using the specified message digest. The most appropriate choice depends on the size and type of the CA's credentials.

Modify any settings you wish to change on the Properties page, then click Apply.

Extensions (requires the admin permission)

The Extensions tab displays the default certificate extension settings.

To add extensions: Click Add Extensions. A list of supported extensions will be displayed:

To add a single extension and close this dialog, just click on its link. To add multiple extensions, check them and click Add Checked.

To remove extensions: Click the [X] to the right of the extension name.

Brief descriptions of all supported extensions are given in the following table. Each of these extensions is flagged as critical if the associated Critical checkbox is set.

Authority Information Access: This extension indicates how to access CA information and services for the issuer of the certificate in which the extension appears. Available access methods are CA Issuer, CA OCSP and user-specified OID.

Authority Key Identifier: This extension provides a means of identifying the public key corresponding to the private key used to sign a certificate. Available identifier types: key ID, CA issuer DN, and issuer serial number. NOTE: If the Require authorityKeyIdentifier extension option is enabled in the Admin Site, this extension cannot be removed from the default extension list and all certificates to be issued must include this extension.

Basic Constraints: This extension indicates whether the subject can act as a CA or is only an end-user entity. It is added to every certificate issued by CertAgent. This extension is flagged as critical if the Critical checkbox is set. If you are a root CA whose sole (or principal) role is to certify the public keys of subordinate CAs (as opposed to end-users), you should set the CA certificate checkbox (and optionally select a default path length value). On the other hand, if you typically issue end-user certificates, leave this box unchecked. The Path length setting, if one is selected, indicates to consumers of the certificate that they should not accept a certificate path whose length exceeds the specified value by more than one. For example, if the pathlength attribute is set to 2, users should not accept as valid chains containing more than three certificates.

Certificate Policies: This extension contains a sequence of one or more policy information terms, each of which consists of an object identifier (OID) and optional policy qualifiers (CPS and user notice).

Certificate Template Name: This extension contains the certificate template name.

CRL Distribution Points: This extension identifies how CRL information is obtained. URL (e.g., LDAP and HTTP URL) and DN forms are accepted.

Custom Extension: To add an extension that is not explicitly supported by CertAgent, enter the base64-encoded extension data into the text box.

Extended Key Usage: This extension indicates one or more purposes for which the certified public key may be used in addition to, or in place of, the basic purposes indicated in the key usage extension. See the following table for details.

Inhibit Any-Policy: This extension indicates that the special anyPolicy OID is not considered an explicit match for other certificate policies. The value indicates the number of additional certificates that may appear in the path before anyPolicy is no longer permitted.

Issuer Alternative Name: This extension allows alternative names to be bound to the issuer of the certificate. Supported name forms include: rfc822name, othername, dnsname, DN, URL, IPAddress, edipartyname, registeredid, and x400address. If the Octet String type is selected for othername, its value can be a text string or a hex-encoded string starting with 0x; otherwise, the value can be a text string or UTF8 string. To include an x400address value, enter the desired base64-encoded value into the supplied text box.

Key Usage: An extension that indicates the intended purpose of the subject public key inside the certificate. Select usage settings in accordance with your current certificate authority policy, taking into account the type of the public keys you will most likely be asked to certify. (See definitions below.) The recommended keyusage setting for end-user certificates is digital signature + non-repudiation + key encipherment + key agreement. For CA certificates it is certificate signing (mandatory) + CRL signing (mandatory). If the Critical checkbox in this section is set, and this extension is to be added to a certificate, it will be flagged as critical. Turn criticality on if use of the subject's public key for a purpose other than that indicated by the selected keyusage bits would constitute a violation of your certificate authority policy.

Name Constraints: This extension is used only in CA certificates. It indicates a name space within which all subject names in subsequent certificates in a certification path must be located.

Netscape Certificate Type: This is a Netscape-specific extension that can be used to limit the applications for a certificate. Available types are: SSL client certificate, SSL CA certificate, SSL server certificate, S/MIME user certificate, S/MIME CA certificate, object signing certificate and object signing CA certificate.

OCSP No Revocation Checking: This extension is used only in an OCSP signing certificate. If this extension is included, no revocation checking is to be performed on the OCSP signing certificate during OCSP operations.

Policy Constraints: This extension can be used to prohibit policy mapping or require that each certificate in a path contain an acceptable policy identifier. If require explicit policy is set, the value indicates the number of additional certificates that may appear in the path before an explicit policy is required for the entire path. If inhibit policy mapping is set, the value indicates the number of additional certificates that may appear in the path before policy mapping is no longer permitted.

Policy Mapping: This extension is used only in CA certificates. It lists one or more pairs of OIDs; each pair includes an issuerDomainPolicy and a subjectDomainPolicy. The pairing indicates that the issuing CA considers its issuerDomainPolicy equivalent to the subject CA's subjectDomainPolicy.

Qualified Certificate Statements: This extension contains statements defining explicit properties of the certificate. Available statements are: Financial limit clause (id-etsi-qcs-QcLimitValue), ETSI TS authentic certificate clause (id-etsi-qcs-QcCompliance), NES telecommunication agency authentic certificate clause and retention period (id-etsi-qcs-QcRetentionPeriod).

Subject Alternative Name: This extension allows alternative names to be bound to the subject of the certificate. Supported name forms include: rfc822name, othername, dnsname, DN, URL, IPAddress, edipartyname, registeredid, and x400address. If the appropriate RFC822 name options are checked and an e-mail address in the subject DN is set and/or contact e-mail addresses are specified, they will be included in this extension. If the Octet String type is selected for othername, its value can be a text string or a hex-encoded string starting with 0x; otherwise, the value can be a text string or UTF8 string. To include an x400address value, enter the desired base64-encoded value into the supplied text box. If the Accept values from the public enrollment page checkbox is checked, select one or more of the supported names. The selected names will appear on the public enrollment page and the user can specify their values if needed.

Subject Directory Attribute: This extension is used to convey identification attributes of the subject. Available attributes are country of citizenship (US DOD), country of citizenship (RFC 3739), employee type and nationality.

Subject Key Identifier: This extension provides a means of identifying certificates that contain a particular public key.

Brief descriptions of the options in the keyusage extension and the X.509 ASN.1 variables to which they correspond are given in the following table:

digital signature (digitalSignature): The subject public key may be used to validate signatures used for purposes other than non-repudiation and signing certificates/CRLs.
non-repudiation (nonRepudiation): The subject public key may be used to validate signatures used in non-repudiation services.
key encipherment (keyEncipherment): The subject public key may be used to wrap a (symmetric) session key for the purpose of key transport.
data encipherment (dataEncipherment): The subject public key may be used for bulk data encryption.
key agreement (keyAgreement): The subject public key may be used in a key agreement protocol.
certificate signing (keyCertSign): The subject key may be used to validate signatures on certificates. This bit cannot be set for end-user certificates and must be set for CA certificates.
CRL signing (cRLSign): The subject public key can be used to validate the signature on a certificate revocation list (CRL). This bit can only be set for CA certificates.
encipher-only (encipherOnly): (Rarely used) The subject key can only be used for encryption as part of a key agreement protocol. Should be used only in conjunction with the key agreement option.
decipher-only (decipherOnly): The subject key can only be used for decryption as part of a key agreement protocol. Should be used only in conjunction with the key agreement option.

Brief descriptions of the key purpose identifiers and other attributes that may be included in the Extended Key Usage (EKU) extension are given in the following table:

server authentication: The subject public key may be used for TLS WWW server authentication.
client authentication: The subject public key may be used for TLS WWW client authentication.
code signing: The subject public key may be used for signing of downloadable executable code.
e-mail protection: The subject public key may be used for e-mail protection.
time stamping: The subject public key may be used for binding the hash of an object to a time.
Microsoft encrypted file system: The subject public key may be used for Microsoft's encrypted file system.
PIV Card Authorization: The subject public key may be used for PIV Card authorization.
Microsoft Smart Card Logon: The subject public key may be used for Microsoft's smart card logon.
OCSP signing: The subject public key may be used for signing by an OCSP responder; see RFC
IPSec IKE: The subject public key may be used for IPSec IKE (old OIDs have been deprecated).
IPSec end system: The subject public key may be used for an IPSec end system.
IPSec tunnel: The subject public key may be used for IPSec tunneling.
IPSec user: The subject public key may be used for an IPSec user.
extensible authentication protocol over LAN: The subject public key may be used for EAP over LAN.
extensible authentication protocol over PPP: The subject public key may be used for EAP over PPP; see RFC
SCVP responder: The subject public key may be used for an SCVP responder.
SCVP server: The subject public key may be used for an SCVP server.
SCVP client: The subject public key may be used for an SCVP client.
data validation and certification server: The subject public key may be used for a data validation and certification server.
accept any: The subject public key may be used for any usage.
user-defined OIDs: One or more user-defined OIDs (specified in standard dot notation) may be included in a certificate's extendedKeyUsage extension.

If the Require consistent values in keyusage and extendedkeyusage option is enabled in the Admin site, the following purposes in the extended key usage extension must be set together with the specified purpose in the key usage extension:

   Server authentication ( ) must be set with digital signature, key encipherment or key agreement
   Client Authentication ( ) must be set with digital signature and/or key agreement
   Code signing ( ) must be set with digital signature
   E-mail protection ( ) must be set with digital signature, non-repudiation, and/or (key encipherment or key agreement)
   Time stamping ( ) must be set with digital signature and/or non-repudiation
   OCSP signing ( ) must be set with digital signature and/or non-repudiation
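The key-usage constraints in the table above (which bits belong only to CA certificates, and which only make sense with key agreement) and the consistency rules just listed, as an added example that is not part of this guide or of CertAgent's own code: a small Python checker for a planned profile. The bit and purpose names are the CertAgent UI labels; the functions are hypothetical and not a CertAgent API.

```python
"""Sanity checks for a planned key-usage / extended-key-usage profile.

Added example, not CertAgent code. It encodes three constraints stated in
this guide so that a profile can be checked before it is applied:
  * certificate signing and CRL signing belong to CA certificates only,
    and the recommended CA setting treats both as mandatory;
  * encipher-only and decipher-only are only meaningful with key agreement;
  * with "Require consistent values in keyusage and extendedkeyusage"
    enabled, each listed EKU purpose needs at least one of a set of KU bits.
Names are the labels used in the CertAgent UI; the functions are hypothetical.
"""
from typing import Dict, FrozenSet, Iterable, List

DIGITAL_SIGNATURE = "digital signature"
NON_REPUDIATION = "non-repudiation"
KEY_ENCIPHERMENT = "key encipherment"
DATA_ENCIPHERMENT = "data encipherment"
KEY_AGREEMENT = "key agreement"
CERTIFICATE_SIGNING = "certificate signing"
CRL_SIGNING = "CRL signing"
ENCIPHER_ONLY = "encipher-only"
DECIPHER_ONLY = "decipher-only"

# EKU purpose -> key-usage bits of which at least one must be present.
# Every rule in the guide reduces to "at least one of"; the wording
# "and/or (key encipherment or key agreement)" for e-mail protection is
# satisfied by any single listed bit. Purposes absent from this table
# (e.g. smart card logon) are not constrained by the option.
KU_REQUIRED_FOR_EKU: Dict[str, FrozenSet[str]] = {
    "server authentication": frozenset({DIGITAL_SIGNATURE, KEY_ENCIPHERMENT, KEY_AGREEMENT}),
    "client authentication": frozenset({DIGITAL_SIGNATURE, KEY_AGREEMENT}),
    "code signing": frozenset({DIGITAL_SIGNATURE}),
    "e-mail protection": frozenset({DIGITAL_SIGNATURE, NON_REPUDIATION,
                                    KEY_ENCIPHERMENT, KEY_AGREEMENT}),
    "time stamping": frozenset({DIGITAL_SIGNATURE, NON_REPUDIATION}),
    "OCSP signing": frozenset({DIGITAL_SIGNATURE, NON_REPUDIATION}),
}

# The settings this guide recommends, usable as starting points.
RECOMMENDED_END_USER_KU = frozenset({DIGITAL_SIGNATURE, NON_REPUDIATION,
                                     KEY_ENCIPHERMENT, KEY_AGREEMENT})
RECOMMENDED_CA_KU = frozenset({CERTIFICATE_SIGNING, CRL_SIGNING})


def key_usage_problems(key_usage: Iterable[str], is_ca: bool) -> List[str]:
    """Return the key-usage bits that conflict with the certificate type."""
    ku = set(key_usage)
    problems: List[str] = []
    if is_ca:
        for bit in (CERTIFICATE_SIGNING, CRL_SIGNING):
            if bit not in ku:
                problems.append(f"{bit} must be set for CA certificates")
    else:
        for bit in (CERTIFICATE_SIGNING, CRL_SIGNING):
            if bit in ku:
                problems.append(f"{bit} cannot be set for end-user certificates")
    for bit in (ENCIPHER_ONLY, DECIPHER_ONLY):
        if bit in ku and KEY_AGREEMENT not in ku:
            problems.append(f"{bit} should only be used with key agreement")
    return problems


def eku_consistency_problems(key_usage: Iterable[str],
                             extended_key_usage: Iterable[str]) -> List[str]:
    """Return EKU purposes whose required key-usage bits are all absent."""
    ku = set(key_usage)
    problems: List[str] = []
    for purpose in extended_key_usage:
        needed = KU_REQUIRED_FOR_EKU.get(purpose)
        if needed is not None and not (ku & needed):
            problems.append(f"{purpose} requires at least one of: "
                            + ", ".join(sorted(needed)))
    return problems


def validate_profile(key_usage: Iterable[str], extended_key_usage: Iterable[str],
                     is_ca: bool) -> List[str]:
    """All problems found in a profile; an empty list means it passes."""
    ku = list(key_usage)
    return key_usage_problems(ku, is_ca) + eku_consistency_problems(ku, extended_key_usage)


if __name__ == "__main__":
    # Constructed sample profiles: the recommended end-user set, and a mis-set one.
    print(validate_profile(RECOMMENDED_END_USER_KU,
                           ["server authentication", "client authentication", "e-mail protection"],
                           is_ca=False))
    print(validate_profile({KEY_ENCIPHERMENT, CERTIFICATE_SIGNING}, ["code signing"],
                           is_ca=False))
```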

Modify any settings you wish to change on the Extensions page, then click Apply.

Filter (requires the admin permission)

The Filter tab displays the rules for processing certificate requests. By default, all extensions in submitted certificate requests are omitted from the issued certificates. To accept and pass through certain extensions, rules for their handling must be explicitly defined.

To add rules: Click Add Rules. A list of extensions will be displayed. To add a single extension and close the dialog, click on its link. To add multiple extensions, check them and click Add Checked. To add extensions that are not explicitly supported, check the OIDs checkbox and enter a list of extension OIDs in the text box.

Modify the handling of each newly added extension by appropriately setting the corresponding action value. Brief descriptions of the available action values appear in the following table:

Require: This extension is required. If a submitted request doesn't contain this extension, it is automatically rejected. By default, this extension is included in the certificate and the default value specified in the Extension tab is ignored.

Allow: This extension is optional. If it appears in a request, it is included in the certificate. Otherwise, the default value specified in the Extension tab is applied.
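The Require and Allow semantics above, together with the default omission of unlisted request extensions, as an added example (not CertAgent code): a Python model of which request extensions reach the issued certificate under a given set of Filter rules and Extensions-tab defaults. The extension names and values are constructed sample data, and the functions are hypothetical.

```python
"""Filter-tab semantics for extensions found in a certificate request.

Added example, not CertAgent code. It models the rules described in the
Filter section: a request extension with no rule is omitted, Require
rejects a request that lacks the extension and takes the request's value
in place of the default, and Allow takes the request's value when present
and the Extensions-tab default otherwise. Extension names and values are
constructed sample data, not CertAgent's internal representation.
"""
from dataclasses import dataclass, field
from typing import Dict, List

REQUIRE = "Require"
ALLOW = "Allow"


class RequestRejected(Exception):
    """A Require rule was not satisfied by the submitted request."""


@dataclass
class FilterResult:
    issued: Dict[str, str]                              # extensions the certificate will carry
    dropped: List[str] = field(default_factory=list)    # request extensions with no rule


def apply_filter_rules(request_extensions: Dict[str, str],
                       rules: Dict[str, str],
                       defaults: Dict[str, str]) -> FilterResult:
    """Decide which extensions the issued certificate carries.

    request_extensions: extension name -> value found in the request
    rules:              extension name -> REQUIRE or ALLOW (Filter tab)
    defaults:           extension name -> default value (Extensions tab)
    """
    issued = dict(defaults)   # defaults apply unless a rule overrides them
    for name, action in rules.items():
        if action == REQUIRE:
            if name not in request_extensions:
                raise RequestRejected(f"request lacks required extension: {name}")
            issued[name] = request_extensions[name]   # default value is ignored
        elif action == ALLOW:
            if name in request_extensions:
                issued[name] = request_extensions[name]
            # otherwise the default already in `issued` (if any) is applied
        else:
            raise ValueError(f"unsupported action {action!r} for {name}")
    # Everything else the requester asked for never reaches the certificate.
    dropped = [name for name in request_extensions if name not in rules]
    return FilterResult(issued=issued, dropped=dropped)


def is_rejected(request_extensions: Dict[str, str],
                rules: Dict[str, str], defaults: Dict[str, str]) -> bool:
    """True when the request would be rejected by a Require rule."""
    try:
        apply_filter_rules(request_extensions, rules, defaults)
    except RequestRejected:
        return True
    return False


# Constructed sample profile: Extensions-tab defaults and Filter-tab rules.
DEFAULTS = {
    "Key Usage": "digital signature, key encipherment",
    "Extended Key Usage": "client authentication",
}
RULES = {
    "Subject Alternative Name": ALLOW,
    "Extended Key Usage": REQUIRE,
}
# Constructed request. Its Key Usage has no rule, so the profile default
# stands no matter what the requester put there.
REQUEST = {
    "Subject Alternative Name": "dnsname=www.example.com",
    "Key Usage": "certificate signing, CRL signing",
    "Extended Key Usage": "server authentication",
}

if __name__ == "__main__":
    result = apply_filter_rules(REQUEST, RULES, DEFAULTS)
    print("issued:", result.issued)
    print("omitted from request:", result.dropped)
    print("rejected without EKU:",
          is_rejected({"Subject Alternative Name": "dnsname=www.example.com"}, RULES, DEFAULTS))
```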


More information

National Information Assurance Partnership

National Information Assurance Partnership National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report Information Security Corporation (ISC) CertAgent v 7.0 Report Number: CCEVS-VR-10815-2018

More information

CertAgent. Installation, Configuration, and Management Guide

CertAgent. Installation, Configuration, and Management Guide CertAgent Installation, Configuration, and Management Guide Version 6.0.0 April 2, 2013 Information in this document is subject to change without notice and does not represent a commitment on the part

More information

S/MIME on Good for Enterprise MS Online Certificate Status Protocol. Installation and Configuration Notes. Updated: November 10, 2011

S/MIME on Good for Enterprise MS Online Certificate Status Protocol. Installation and Configuration Notes. Updated: November 10, 2011 S/MIME on Good for Enterprise MS Online Certificate Status Protocol Installation and Configuration Notes Updated: November 10, 2011 Installing the Online Responder service... 1 Preparing the environment...

More information

Software Version 5.0. Administrator Guide Release Date: 7th April, InCommon c/o Internet Oakbrook Drive, Suite 300 Ann Arbor MI, 48104

Software Version 5.0. Administrator Guide Release Date: 7th April, InCommon c/o Internet Oakbrook Drive, Suite 300 Ann Arbor MI, 48104 Software Version 5.0 Administrator Guide Release Date: 7th April, 2015 InCommon c/o Internet2 1000 Oakbrook Drive, Suite 300 Ann Arbor MI, 48104 Table of Contents 1 Introduction to InCommon Certificate

More information

ONE ID Identity and Access Management System

ONE ID Identity and Access Management System ONE ID Identity and Access Management System Local Registration Authority User Guide Document Identifier: 2274 Version: 1.8 Page 1 Copyright Notice Copyright 2011, ehealth Ontario All rights reserved No

More information

Nimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book]

Nimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book] Nimsoft Service Desk Single Sign-On Configuration Guide [assign the version number for your book] Legal Notices Copyright 2012, CA. All rights reserved. Warranty The material contained in this document

More information

Integrating Microsoft Forefront Threat Management Gateway (TMG)

Integrating Microsoft Forefront Threat Management Gateway (TMG) Integrating Microsoft Forefront Threat Management Gateway (TMG) EventTracker v7.x Publication Date: Sep 16, 2014 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract This

More information

AT&T Business Messaging Account Management

AT&T Business Messaging Account Management Account Management Administrator User Guide July 2016 1 Copyright 2016 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T

More information

Axway Validation Authority Suite

Axway Validation Authority Suite Axway Validation Authority Suite PKI safeguards for secure applications Around the world, banks, healthcare organizations, governments, and defense agencies rely on public key infrastructures (PKIs) to

More information

VMware AirWatch Integration with RSA PKI Guide

VMware AirWatch Integration with RSA PKI Guide VMware AirWatch Integration with RSA PKI Guide For VMware AirWatch Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com. This product

More information

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Primavera Portfolio Management 9.0 What s New Copyright 1999-2011, Oracle and/or its affiliates. The Programs (which include both the software and documentation) contain proprietary information; they are

More information

Sophos Mobile. startup guide. Product Version: 8.1

Sophos Mobile. startup guide. Product Version: 8.1 Sophos Mobile startup guide Product Version: 8.1 Contents About this guide... 1 Sophos Mobile licenses... 2 Trial licenses...2 Upgrade trial licenses to full licenses... 2 Update licenses... 2 What are

More information

AirWatch Mobile Device Management

AirWatch Mobile Device Management RSA Ready Implementation Guide for 3rd Party PKI Applications Last Modified: November 26 th, 2014 Partner Information Product Information Partner Name Web Site Product Name Version & Platform Product Description

More information

Microsoft Office Groove Server Groove Manager. Domain Administrator s Guide

Microsoft Office Groove Server Groove Manager. Domain Administrator s Guide Microsoft Office Groove Server 2007 Groove Manager Domain Administrator s Guide Copyright Information in this document, including URL and other Internet Web site references, is subject to change without

More information

ForeScout Extended Module for Qualys VM

ForeScout Extended Module for Qualys VM ForeScout Extended Module for Qualys VM Version 1.2.1 Table of Contents About the Qualys VM Integration... 3 Additional Qualys VM Documentation... 3 About This Module... 3 Components... 4 Considerations...

More information

Configuring the Cisco APIC-EM Settings

Configuring the Cisco APIC-EM Settings Logging into the Cisco APIC-EM, page 1 Quick Tour of the APIC-EM Graphical User Interface (GUI), page 2 Configuring the Prime Infrastructure Settings, page 3 Discovery Credentials, page 4 Security, page

More information

bbc Migrating and Sharing Secuity Settings: Using Security Settings Import/Export and FDF Files Acrobat and Adobe Reader PDF Creation Date:

bbc Migrating and Sharing Secuity Settings: Using Security Settings Import/Export and FDF Files Acrobat and Adobe Reader PDF Creation Date: bbc PDF Creation Date: September 5, 2008 Migrating and Sharing Secuity Settings: Using Security Settings Import/Export and FDF Files Acrobat and Adobe Reader Version 9.0 2008 Adobe Systems Incorporated.

More information

Workspace ONE UEM Integration with RSA PKI. VMware Workspace ONE UEM 1810

Workspace ONE UEM Integration with RSA PKI. VMware Workspace ONE UEM 1810 Workspace ONE UEM Integration with RSA PKI VMware Workspace ONE UEM 1810 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

ER/Studio Enterprise Portal 1.1 Installation Guide

ER/Studio Enterprise Portal 1.1 Installation Guide ER/Studio Enterprise Portal 1.1 Installation Guide 2nd Edition, April 16/2009 Copyright 1994-2009 Embarcadero Technologies, Inc. Embarcadero Technologies, Inc. 100 California Street, 12th Floor San Francisco,

More information

VMware AirWatch Certificate Authentication for EAS with ADCS

VMware AirWatch Certificate Authentication for EAS with ADCS VMware AirWatch Certificate Authentication for EAS with ADCS For VMware AirWatch Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

Security Guide Release 4.0

Security Guide Release 4.0 [1]Oracle Communications Session Monitor Security Guide Release 4.0 E89197-01 November 2017 Oracle Communications Session Monitor Security Guide, Release 4.0 E89197-01 Copyright 2017, Oracle and/or its

More information

ER/Studio Enterprise Portal User Guide

ER/Studio Enterprise Portal User Guide ER/Studio Enterprise Portal 1.0.3 User Guide Copyright 1994-2009 Embarcadero Technologies, Inc. Embarcadero Technologies, Inc. 100 California Street, 12th Floor San Francisco, CA 94111 U.S.A. All rights

More information

Managed Access Gateway. User Guide

Managed Access Gateway. User Guide Managed Access Gateway User Guide Version 2.2 Exostar, LLC November 3, 2011 Table of Contents Table of Contents... ii Purpose... 1 Log-in to your MAG Account... 2 Additional MAG Login Options... 2 First

More information

Forescout. eyeextend for IBM BigFix. Configuration Guide. Version 1.2

Forescout. eyeextend for IBM BigFix. Configuration Guide. Version 1.2 Forescout Version 1.2 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Evaluation Guide Host Access Management and Security Server 12.4

Evaluation Guide Host Access Management and Security Server 12.4 Evaluation Guide Host Access Management and Security Server 12.4 Copyrights and Notices Copyright 2017 Attachmate Corporation, a Micro Focus company. All rights reserved. No part of the documentation materials

More information

VSP18 Venafi Security Professional

VSP18 Venafi Security Professional VSP18 Venafi Security Professional 13 April 2018 2018 Venafi. All Rights Reserved. 1 VSP18 Prerequisites Course intended for: IT Professionals who interact with Digital Certificates Also appropriate for:

More information

Embarcadero All-Access Server Installation Guide

Embarcadero All-Access Server Installation Guide Embarcadero All-Access Server 1.0.1 Installation Guide Copyright 1994-2009 Embarcadero Technologies, Inc. Embarcadero Technologies, Inc. 100 California Street, 12th Floor San Francisco, CA 94111 U.S.A.

More information

Product Documentation. ER/Studio Portal. Installation Guide. Version 1.5 Published October 8, 2009

Product Documentation. ER/Studio Portal. Installation Guide. Version 1.5 Published October 8, 2009 Product Documentation ER/Studio Portal Installation Guide Version 1.5 Published October 8, 2009 2nd Edition Copyright 1994-2009 Embarcadero Technologies, Inc. Embarcadero Technologies, Inc. 100 California

More information

CA GovernanceMinder. CA IdentityMinder Integration Guide

CA GovernanceMinder. CA IdentityMinder Integration Guide CA GovernanceMinder CA IdentityMinder Integration Guide 12.6.00 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

CertDigital Certification Services Policy

CertDigital Certification Services Policy CertDigital Certification Services Policy Page: 2 ISSUED BY : DEPARTAMENT NAME DATE ELECTRONIC SERVICES COMPARTMENT COMPARTMENT CHIEF 19.03.2011 APPROVED BY : DEPARTMENT NAME DATE MANAGEMENT OF POLICIES

More information

Manage Certificates. Certificates Overview

Manage Certificates. Certificates Overview Certificates Overview, page 1 Show Certificates, page 3 Download Certificates, page 4 Install Intermediate Certificates, page 4 Delete a Trust Certificate, page 5 Regenerate a Certificate, page 6 Upload

More information

ORACLE USER PRODUCTIVITY KIT USAGE TRACKING ADMINISTRATION & REPORTING RELEASE SERVICE PACK 1 PART NO. E

ORACLE USER PRODUCTIVITY KIT USAGE TRACKING ADMINISTRATION & REPORTING RELEASE SERVICE PACK 1 PART NO. E ORACLE USER PRODUCTIVITY KIT USAGE TRACKING ADMINISTRATION & REPORTING RELEASE 3.6.1 SERVICE PACK 1 PART NO. E17383-01 MARCH 2010 COPYRIGHT Copyright 1998, 2010, Oracle and/or its affiliates. All rights

More information

Using ZENworks with Novell Service Desk

Using ZENworks with Novell Service Desk www.novell.com/documentation Using ZENworks with Novell Service Desk Novell Service Desk 7.1 April 2015 Legal Notices Novell, Inc. makes no representations or warranties with respect to the contents or

More information

Digital Certificates Demystified

Digital Certificates Demystified Digital Certificates Demystified Ross Cooper, CISSP IBM Corporation RACF/PKI Development Poughkeepsie, NY Email: rdc@us.ibm.com August 9 th, 2012 Session 11622 Agenda Cryptography What are Digital Certificates

More information

HPE Security Fortify WebInspect Enterprise Software Version: Windows operating systems. Installation and Implementation Guide

HPE Security Fortify WebInspect Enterprise Software Version: Windows operating systems. Installation and Implementation Guide HPE Security Fortify WebInspect Enterprise Software Version: 17.10 Windows operating systems Installation and Implementation Guide Document Release Date: May 2017 Software Release Date: April 2017 Legal

More information

DSS User Guide. End User Guide. - i -

DSS User Guide. End User Guide. - i - DSS User Guide End User Guide - i - DSS User Guide Table of Contents End User Guide... 1 Table of Contents... 2 Part 1: Getting Started... 1 How to Log in to the Web Portal... 1 How to Manage Account Settings...

More information

Hypertext Transfer Protocol Over Secure Sockets Layer (HTTPS)

Hypertext Transfer Protocol Over Secure Sockets Layer (HTTPS) Hypertext Transfer Protocol Over Secure Sockets Layer (HTTPS) This chapter provides information about Hypertext Transfer Protocol over Secure Sockets Layer. HTTPS, page 1 HTTPS for Cisco Unified IP Phone

More information

Certificate Management in Cisco ISE-PIC

Certificate Management in Cisco ISE-PIC A certificate is an electronic document that identifies an individual, a server, a company, or other entity and associates that entity with a public key. Public Key Infrastructure (PKI) is a cryptographic

More information

Managed Access Gateway. User Guide

Managed Access Gateway. User Guide Managed Access Gateway User Guide Version 3.0 Exostar, LLC April 20, 2013 Table of Contents Table of Contents...ii Purpose... 1 Log-in to your MAG Account... 2 Additional MAG Login Options... 2 First Time

More information

Xceedium Xsuite. Secured by RSA Implementation Guide for 3rd Party PKI Applications. Partner Information. Last Modified: February 10 th, 2014

Xceedium Xsuite. Secured by RSA Implementation Guide for 3rd Party PKI Applications. Partner Information. Last Modified: February 10 th, 2014 Secured by RSA Implementation Guide for 3rd Party PKI Applications Last Modified: February 10 th, 2014 Partner Information Product Information Partner Name Xceedium Web Site www.xceedium.com Product Name

More information

SecuRemote for Windows 32-bit/64-bit

SecuRemote for Windows 32-bit/64-bit SecuRemote for Windows 32-bit/64-bit E75.20 User Guide 13 September 2011 2011 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright

More information

PKI Contacts PKI for Fraunhofer Contacts

PKI Contacts PKI for Fraunhofer Contacts Fraunhofer Competence Center PKI PKI Contacts PKI for Fraunhofer Contacts User manual for communication partners of the Fraunhofer-Gesellschaft Author[s]: Uwe Bendisch, Maximilian Gottwald As at: 03.02.2017

More information

VeriSign Managed PKI for SSL and Symantec Protection Center Integration Guide

VeriSign Managed PKI for SSL and Symantec Protection Center Integration Guide VeriSign Managed PKI for SSL and Symantec Protection Center Integration Guide VeriSign Managed PKI for SSL and Symantec Protection Center Integration Guide The software described in this book is furnished

More information

Notification Template Limitations. Bridge Limitations

Notification Template Limitations. Bridge Limitations Oracle Cloud Known Issues for Oracle Identity Cloud Service Release 18.1.2 E55915-17 February 2018 Notification Template Limitations Note the following limitations with Oracle Identity Cloud Service notification

More information

VSP16. Venafi Security Professional 16 Course 04 April 2016

VSP16. Venafi Security Professional 16 Course 04 April 2016 VSP16 Venafi Security Professional 16 Course 04 April 2016 VSP16 Prerequisites Course intended for: IT Professionals who interact with Digital Certificates Also appropriate for: Enterprise Security Officers

More information

Symantec Managed PKI. Integration Guide for AirWatch MDM Solution

Symantec Managed PKI. Integration Guide for AirWatch MDM Solution Symantec Managed PKI Integration Guide for AirWatch MDM Solution ii Symantec Managed PKI Integration Guide for AirWatch MDM Solution The software described in this book is furnished under a license agreement

More information

ORC ACES Subscriber Instructions. Component/Server Certificates

ORC ACES Subscriber Instructions. Component/Server Certificates ORC ACES Subscriber Instructions Component/Server Certificates 1 Getting Prepared What do I need to have on hand in order to complete the certifi cate process? Print these instruction for easy reference.

More information

Sophos Mobile Control startup guide. Product version: 7

Sophos Mobile Control startup guide. Product version: 7 Sophos Mobile Control startup guide Product version: 7 Contents 1 About this guide...4 2 About Sophos Mobile Control...5 3 Sophos Mobile Control licenses...7 3.1 Trial licenses...7 3.2 Upgrade trial licenses

More information

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006 PKI-An Operational Perspective NANOG 38 ARIN XVIII October 10, 2006 Briefing Contents PKI Usage Benefits Constituency Acceptance Specific Discussion of Requirements Certificate Policy Certificate Policy

More information

Sophos Mobile as a Service

Sophos Mobile as a Service startup guide Product Version: 8 Contents About this guide... 1 What are the key steps?... 2 Change your password... 3 Change your login name... 4 Activate Mobile Advanced licenses...5 Check your licenses...6

More information

Installation and Configuration Last updated: May 2010

Installation and Configuration Last updated: May 2010 PKIF OCSP Plug-in for Microsoft Windows Installation and Configuration Last updated: May 2010 This page intentionally mostly blank Table of Contents 1 Introduction... 4 2 Installation... 4 3 Configuration...

More information

FedLine Web Certificate Retrieval Procedures

FedLine Web Certificate Retrieval Procedures Version 2.0 Contents Federal Reserve Bank Certificate Retrieval Overview and Preparation Procedures... 2 Certificate Creation Procedures... 3 Installing the Federal Reserve Banks Certificate Authority

More information

RealPresence Access Director System Administrator s Guide

RealPresence Access Director System Administrator s Guide [Type the document title] Polycom RealPresence Access Director System Administrator s Guide 2.1.0 March 2013 3725-78703-001A Polycom Document Title 1 Trademark Information POLYCOM and the names and marks

More information