CSM. RAO Administrator Quick Start Guide (QSG) Version 1.05

Transcription

1 CSM RAO Administrator Quick Start Guide (QSG) Version 1.05

2 Disclaimer Copyright 2011 AusCERT Pty Ltd. All rights reserved. Guide version Software version Date issued V1.05 V Oct-2011 V1.04 V Oct-2011 V1.03 V Oct-2011 V1.02 V Oct-2011 V1.01 V Oct-2011 V1.0 V Sep-2011 Page 2-28 October 2011 RAO Administrator

3 Contents Guide conventions Different ways to access features Contacting support About this guide Who will use this Guide? Additional documents Prerequisite knowledge What's in this guide? Using the Certificate Service Manager (CSM) Your role as an administrator Introduction to certificates Accessing the CSM and logging in to your account Changing your administrator account password Using the CSM main window Searching for information Creating administrator accounts Setting your administrator account to authenticate using an S/MIME certificate Adding domains for your organisation Adding departments to your organisation Initialising master keys Working with certificates Identifying SSL certificates by scanning your network Requesting/adding an S/MIME client certificate Requesting/adding an SSL certificate Revoking SSL certificates Troubleshooting Fixing the Firefox certificate authentication issue CSM 28 October Page 3

4 GUIDE CONVENTIONS If accessing this guide electronically, this guide uses different fonts to indicate specific information as shown in the following table: Font Example Indicates... Bold Bold Menu option that you can select, or a button/icon that you can touch to activate. Double quotes Cross-reference to another section in the guide. For example, see Guide conventions on page 4. Bold italic Bold italic Reference to another different guide. For example, the CSM RAO Administrator Quick Start Guide (QSG). Blue underline Blue underline Hyperlink that shows additional information. To see the additional information, touch the hyperlink. After touching the hyperlink, you will see the additional information, and the colour of the original hyperlink will change to Purple underline to indicate you have used (or visited ) the hyperlink. Note NOTE: Important information that you should know. In this guide, menu selections appear as File» Print. This means that from the File menu, you should select the Print option. For more information, see the relevant documentation. DIFFERENT WAYS TO ACCESS FEATURES You can access most features via the mouse, menus and shortcut keys. This guide describes how to access features using the mouse. Alternate navigation tips (where available) are shown. CONTACTING SUPPORT For all CSM support issues, please AusCERT CS. Page 4-28 October 2011 RAO Administrator

5 ABOUT THIS GUIDE ABOUT THIS GUIDE This section provides information about this guide. WHO WILL USE THIS GUIDE? This guide is the CSM RAO Administrator Quick Start Guide (QSG) designed to show you how to use the AusCERT Certificate Service Manager (CSM) interface to manage certificates and other associated information. This guide details the key processes only. For more detailed information, please refer to the complete CSM RAO Administrator Guide. ADDITIONAL DOCUMENTS To assist with using the AusCERT CSM, Comodo has released two guides, which are available from the CSM RAO Admin Guide located at CSM End User Guide located at NOTE:As these documents are developed and maintained by Comodo, the links and example information in the documents will sometimes differ from the AusCERT CSM. In addition, it is important that all RAOs and DRAOs and certificate subscribers be familiar with their roles and responsibilities as outlined in the following key documents: AusCERT CS Certification Practice Statement (CPS) and Certificate Policy; AusCERT CS Relying Party Warranty; AusCERT CS Participant Organisation Agreement; and AusCERT CS Participant Organisation Schedule 1. NOTE:These documents are also found in the repository. PREREQUISITE KNOWLEDGE This guide assumes you: Are nominated as a RAO or DRAO representative for your organisation. AusCERT is only able to accept requests from nominated contacts. Understand your responsibilities as an RAO Administrator. CSM 28 October Page 5

6 ABOUT THIS GUIDE WHAT'S IN THIS GUIDE? This guide describes the main tasks that RAO/DRAO administrators need to perform: Task Description For more information, see. Introduction to the CSM and certificates Access the CSM and log in to your account Change your administrator account password Using the CSM main window Search for information Create RAO administrator accounts Set your administrator account to authenticate using an S/MIME certificate Provides an overview of the CSM system including your role and responsibilities as an administrator. To use the CSM, you must login to a secure website address using a unique username and password allocated by AusCERT. For security reasons, the CSM will automatically log you out after 20 minutes of inactivity. Lets you change your administrator account password at any time. NOTE: The first time you login, CSM will prompt you to change your password. The password selected must meet the password criteria to help ensure the security of your password. Describes the areas in the CSM main window. CSM lets you search for information on most pages. Although different pages will show different information, CSM uses the same process for searching for all pages. AusCERT will create the primary RAO administrator account for the Participant Organisation (PO). NOTE: This account will have the maximum privileges enabled. You are responsible for creating and managing any additional accounts that are required. To provide increased security, CSM lets you use S/MIME certificates to authenticate the administrator account when you login. In this situation, CSM will check the certificate store for a certificate that matches the administrator account. A matching certificate must be found in order to login to CSM. Using the Certificate Service Manager (CSM) on page 8. Accessing the CSM and logging in to your account on page 10. Changing your administrator account password on page 12. Using the CSM main window on page 13. Searching for information on page 14. Creating administrator accounts on page 15. Setting your administrator account to authenticate using an S/MIME certificate on page 18. Page 6-28 October 2011 RAO Administrator

7 ABOUT THIS GUIDE Task Description For more information, see. Add domains for your organisation Initialise master key pair Add departments to your organisation Work with certificates Troubleshooting Before you can issue certificates for a particular domain: The domain control/ownership must be validated by AusCERT; and You must add AT LEAST one domain for your organisation. NOTE: AusCERT has added the primary domain for your organisation as a wildcard domain (e.g. *.auscert.org.au). A wildcard domain will let you add multiple sub-domains (e.g. test.cybersecurityaustralia.org.au) without requiring approval from the AusCERT MRAO. Organisations wanting to use key escrow must also initialise the master key pair. NOTE: Organisations using key escrow must have documented processes for managing, storing, and accessing the private key. Lets you add departments to your organisation. Lets you perform certificate-related tasks including: Identifying certificates on your network; Requesting and managing S/MIME, SSL and Code Signing (CS) certificates; and Revoking certificates. This section contains solutions to the following specific issues: Mozilla Firefox Adding domains for your organisation on page 21. Initialising master keys on page 25. Adding departments to your organisation on page 23. Working with certificates on page 28. Troubleshooting on page 39. For more information, see the next sections. CSM 28 October Page 7

8 USING THE CERTIFICATE SERVICE MANAGER (CSM) The AusCERT Certificate Services Manager (CSM) centralises and streamlines the lifecycle management of web server, S/MIME and code signing certificates through a unified interface. The system features full integration with AusCERT Certificate Authority and enables nominated RAO/DRAO administrators to manage the lifespan, issuance, deployment, renewal and revocation of certificates on an Organization, Department and per-user basis. The CSM manages information using a uses a 3-tier hierarchical model to reflect the business practices of the Participant Organisations (POs). This model uses the following administrator account management roles to provide information segregation and help ensure only authorised people are permitted to view delegated information: MRAO - Master Registration Authority Officer - this is a "super user" role that is allocated to AusCERT staff to assist with managing the CSM. The MRAO accounts exist primarily to create authorised Participant Organisations (POs) and RAO accounts. MRAO accounts are able to view, edit, change and delete all administrator accounts and settings for all RAOs and DRAOs levels. RAO - Registration Authority Officer - these roles will be allocated to Participant Organisations (POs) responsible for managing their own organisations using the CSM without intervention from MRAOs and to issue certificates in accordance with their organisation's requirements. DRAO - Departmental Registration Authority - these roles will be allocated to individual internal departments within a participant organisation by the RAO and to issue certificates in accordance with their department's requirements YOUR ROLE AS AN ADMINISTRATOR As an administrator you have a key role in helping ensure the system works as designed and the integrity of the system is not compromised. You are responsible for ensuring the system is only used for the intended operations by: Ensuring that only valid information is requested and entered. Checking information in the CSM on a regular basis to confirm the accuracy of the information. Updating information as required. Ensuring that only authorised people and machines are permitted to access the system. Immediately complying with all requests from AusCERT in a timely manner. Complying with your legal requirements, roles and responsibilities as outlined in the CPS and AusCERT CS agreement. For more information, see Additional documents on page 5. Page 8-28 October 2011 RAO Administrator

9 INTRODUCTION TO CERTIFICATES The CSM lets you manage the certificate lifecycle for the following different types of certificates: If you want to... Identify network infrastructure (e.g. web servers, etc.). Authenticate a person Show ownership of code Use the following certificate type SSL certificate S/MIME certificate (also called client certificates or personal certificates) Code Signing (CS) certificate NOTE: You must ensure you request the correct certificate type. All certificates pass through a number of different stages called the certificate lifecycle. This identifies the current status of the certificate: Status Requested Approved Issued Description Certificate has been requested. A request for a certificate has been received and approved; and the request has been forwarded for action. A request for a certificate has been approved and the certificate has been issued. Declined A request for a certificate has not be approved. Revoked Invalid Rejected The certificate has been revoked (i.e. cancelled) prior to its normal expiration date/time. The certificate request was not processed due to an error (e.g.incorrect information in the CSR). The Certificate Authority rejected the request. For example, the certificate request may contain invalid information. CSM 28 October Page 9

10 ACCESSING THE CSM AND LOGGING IN TO YOUR ACCOUNT To use the CSM, you must login to a secure website address using a unique username and password allocated by AusCERT. NOTE:The first time you login, CSM will prompt you to change your password. For security reasons, the CSM will automatically log you out after 20 minutes of inactivity. You can also change your administrator account password at any time. For more information on changing your administrator account password, see Changing your administrator account password on page 12. To login: 1. Open a web browser and enter the secure website address 2. Enter your username and password and click Submit: NOTE: AusCERT recommends that RAO/DRAO administrators set the username to be their primary address. 3. The first time you login, CSM will prompt you to change your password. Enter your new password and click OK to save the password: CSM checks the password against the password criteria set for your account. Click Help password requirements. NOTE:Your password cannot contain your username. to show the Page October 2011 RAO Administrator

11 4. CSM changes the password: 5. If your site is using key escrow and you have not initialised encryption, CSM shows a warning message: This warning message does not appear for organisations that are not using key escrow. For more information on key escrow, see Initialising master keys on page Click OK to acknowledge the message. NOTE:This message will continue to appear each time you login until you initialise encryption. 7. You can now work with the CSM. CSM 28 October Page 11

12 CHANGING YOUR ADMINISTRATOR ACCOUNT PASSWORD CSM lets you change your administrator account password at any time. NOTE:The first time you login, CSM will prompt you to change your password. The password selected must meet the password criteria to help ensure the security of your password. To change your administrator account password: 1. Select Settings» My Profile. 2. CSM shows information about your administrator account: 3. Click Change to change the password: 4. CSM prompts you to enter your old password, new password and re-enter the new password again to confirm: 5. Enter the password information and click OK to change the password or click Cancel to quit without changing the password. CSM checks the password against the password criteria set for your account. Click Help password requirements: to show the NOTE:Your password cannot contain your username. 6. CSM changes the password. 7. You can now continue working. Page October 2011 RAO Administrator

13 USING THE CSM MAIN WINDOW The CSM main window contains the following areas: Area Lets you... Tabs Access key functionality Subtabs Search area Information area Action buttons Access sub-areas of functionality Search for information using pre-defined and user-defined information Shows results based on the search criteria and lets you access associated functionality Access the main tasks CSM 28 October Page 13

14 SEARCHING FOR INFORMATION CSM lets you search for information on most pages. Although different pages will show different information, the process for searching is the same for all pages. To search for information: 1. Select the tabs and sub-tabs where you want to search. 2. Select the pre-defined search options and enter the user-defined search options in the search area. 3. Click Search. 4. CSM shows the matching search results in the information area: 5. You can clear the search at any time by clicking Clear to show all matching information in the information area. Page October 2011 RAO Administrator

15 CREATING ADMINISTRATOR ACCOUNTS AusCERT will create the primary RAO administrator account for the Participant Organisation (PO). NOTE:This account has the maximum privileges enabled. You are responsible for creating and managing any additional accounts that are required. For example, you can create additional administrator accounts to help distribute the workload and to be a backup when other RAOs are on leave, etc. When creating accounts, CSM lets you specify two levels of permissions: Role-based permissions - that let you specify the role of the administrator account and relate to the different certificate functions that can be created.; and Peer account permissions - that let you specify permissions for peer accounts. You are permitted to create departmental administrator (i.e. DRAO) accounts and peer administrator accounts that have the same (or lesser) privileges than your current account. NOTE:AusCERT recommends that you create all subsequent RAO accounts without privileges to create, edit or delete other RAOs. All requests for other accounts (e.g. accounts with privileges greater than your current account) will be automatically forwarded to the AusCERT MRAO for approval. NOTE:If you require an account to be approved urgently, please advise AusCERT in advance or immediately after you submit the account request. CSM uses different colours to indicate the account status: Black - indicates an approved account; Red - indicates an account awaiting approval. You can set the status of an administrator account to Inactive at any time by selecting the tick next to the administrator name. You can also set administrator accounts to authenticate using a certificate when logging in.for more information, see Setting your administrator account to authenticate using an S/MIME certificate on page 18. CSM 28 October Page 15

16 To create an administrator account: NOTE:This process lets you create peer RAO accounts as well as create DRAO accounts. 1. Select Admin Management. 2. CSM shows all current administrator accounts: 3. Click Add. 4. CSM prompts you to enter information about the administrator: Page October 2011 RAO Administrator

17 5. Set the administrator information as required: NOTE: AusCERT recommends against enabling subsequent accounts to have create, edit or delete privileges for RAO/DRAO admin users. 6. Click OK to create the administrator: 7. CSM creates the RAO accounts depending on the privileges set. In some situations, RAO accounts may require AusCERT MRAO approval before being created. CSM uses different colours to indicate the account status: Black - indicates an approved account that is available for immediate use; Red - indicates an account awaiting approval: 8. After the MRAO approves the account request, CSM will automatically change the colour from red to black and the account will be available for use. CSM 28 October Page 17

18 SETTING YOUR ADMINISTRATOR ACCOUNT TO AUTHENTICATE USING AN S/MIME CERTIFICATE NOTE:AusCERT strongly recommends that all RAO/DRAOs implement this feature to provide 2 Factor Authentication for access to the CSM, to minimise risks of unauthorised access. To provide increased security, CSM lets you use S/MIME certificates to authenticate the administrator account when you login. In this situation, CSM will check the certificate store for a certificate that matches the administrator account. A matching certificate must be found in order to login to CSM. NOTE:This step cannot be completed until each RAO/DRAO administrator who will use the "Certificate Auth" feature for logging into the CSM, applies for and receives an SMIME certificate, which can also be requested through the CSM. For more information, see Requesting/adding an S/MIME client certificate on page 32. To use certificates, you must: 1. Create the administrator account. 2. Request and download a client certificate. For more information, see Requesting/adding an S/MIME client certificate on page Load the certificate into the local computer certificate store; and 4. Set the account to use certificate authentication. NOTE:You must perform these processes as separate steps; it is not possible to set the account to use certificate authentication at the same time that you create the administrator account. If enabling "Cert Auth" for another RAO or DRAO administrator account (i.e. other than your account), you must first import the S/MIME certificate for the other administrator into your own certificate store. If using Outlook, the simplest way to do this is to have the other administrator to send you an that is digitally signed using their S/MIME certificate. This process imports the administrator's S/MIME certificate into your computer. Once the certificate has been loaded, you can now continue with the following steps. Page October 2011 RAO Administrator

19 To set the account to use certificate authentication: 1. Select Admin Management. 2. Select the administrator account you want to update and click Edit. 3. CSM shows the administrator account information: 4. Click to set the Certificate Auth(entication) flag and click OK: CSM 28 October Page 19

20 5. CSM shows a message indicating the implications of using the flag: 6. Click OK to continue using certificate authentication or click Cancel to quit without using certificate authentication. 7. CSM checks the certificate store and displays details of the matching certificate: 8. If you are enabling Cert Auth on behalf of another administrator, check that the serial number of the certificate displayed as a 'match' by the CSM, matches the serial number for the certificate, sent with the digitally signed from the administrator. Similarly, if you are enabling Cert Auth for your own administrator account, check that the serial number of the certificate displayed as a 'match' by the CSM, is for the correct certificate. If the serial numbers match, click OK to acknowledge the message. 9. You can now continue working. Page October 2011 RAO Administrator

21 ADDING DOMAINS FOR YOUR ORGANISATION Before you can issue certificates for a particular domain: The domain control/ownership must be validated by AusCERT; and You must add AT LEAST one domain for your organisation. NOTE:AusCERT has added the primary domain for your organisation as a wildcard domain (e.g. *.auscert.org.au). A wildcard domain will let you add multiple sub-domains (e.g. test.cybersecurityaustralia.org.au) without requiring approval from the AusCERT MRAO. You must add additional specific domains if you want to issue certificates. CSM lets you add multiple domains for your organisations; however you are responsible for ensuring that only valid domains (or sub-domains of valid domains) are added. A valid domain is a domain that you have registered for use with AusCERT. To add domains: 1. Select Settings» Domains to show the domains page: 2. Click Add. 3. CSM prompts you to enter information for the domain: 4. You must select the appropriate checkboxes for the different certificate types that you want to be able to issue for the domain. CSM 28 October Page 21

22 5. CSM uses different colours to show the domain approval status: Red - indicates the domain requires approval from the AusCERT MRAO; and Black - indicates the domain is available for use: Colour Example Red You can hover the cursor over a domain awaiting approval to show additional information: Black 6. You can now use the domain. Page October 2011 RAO Administrator

23 ADDING DEPARTMENTS TO YOUR ORGANISATION CSM lets you add departments to your organisation. NOTE: The process for adding departments requires you to set information regarding key escrow for S/MIME certificates. The decision your organisation makes in relation to whether or not it chooses to permit S/MIME private key escrow affects every S/MIME certificate issued by your organisation for this department in the future. The decision your organisation makes now is permanent and irrevocable. Organisations using key escrow must also have documented processes for managing, storing, and accessing the private key. To add departments to your organisation: 1. Select Settings» Organisations. 2. Select the organisation where you want to add the department and click Departments: 3. CSM shows the list of departments currently allocated to the organisation: 4. Click Add to add a new department. 5. CSM prompts you to enter information about the department: CSM 28 October Page 23

24 6. Enter the required information. For example: 7. Select the Client cert tab and set the key escrow information as required: NOTE:You must understand the implications of the settings that you select. For more information, consult the CSM RAO Administrator Guide link in Additional documents on page 5. For more information on initialising master keys, see Initialising master keys on page 25. If you still require further assistance, please contact AusCERT CS as detailed in Contacting support on page 4. For most organisations, the default settings for SSL should be sufficient, however if the department requires code signing, you must enable this on the Code Signing Certificate tab. For more inforamtion, refer to section 2.5 of the CSM manual. If your organisation has not enabled key recovery by Organisation Administrators, you will not be able to select it. AusCERT does not support key recovery by Master Administrators, so this should be deselected. 8. Click OK to add the new department or click Cancel to quit without adding the new department. 9. CSM adds the new department. Page October 2011 RAO Administrator

25 INITIALISING MASTER KEYS Organisations wanting to use key escrow must initialise the master key pair. If enabled for the organisation, the RAO will be prompted to generate a master key; if key recovery is enabled for a department, the DRAO will be prompted. NOTE: The process for adding departments requires you to set information regarding key escrow for S/MIME certificates. The decision your organisation makes in relation to whether or not it chooses to permit S/MIME private key escrow affects every S/MIME certificate issued by your organisation in the future. RAO Administrators can check if recovery is enabled for a specific organisation by selecting Settings» Organization and editing the specific organization and viewing the Client Cert tab. DRAO Administrators cannot access this information and will need to confirm the information with their RAO Administrator if required. To view the client certificate settings and optionally initialise encryption: 1. Login as RAO Administrator. 2. Click Edit for the specific organization and select the Client Cert tab to show the current settings: Key escrow Example Enabled Not enabled CSM 28 October Page 25

26 3. RAO Administrators can inspect the department escrow configuration by selecting Departments» Edit: 4. If the key has not been initialised then the organisation will not be able to issue client certificates. The RAO Administrator must generate a key for RAO and/or each and every department for which escrow is desired. 5. To check initialization status for your organisation (or department if performing this step as a DRAO Administrator), select the Encryption tab: 6. Click Initialize Encryption. Page October 2011 RAO Administrator

27 7. CSM starts the process and generates the master key: NOTE:You must copy the private key and paste it in a.txt file and store the file in a secure location. This master private key is NOT stored in the CSM. You MUST save the private key in a secure, password protected location if you want to reencryption the keys or download a user's client certificate. 8. Click Done to indicate you have saved the key in a secure location or click Cancel to quit the process. 9. After the keys have been initialised, CSM changes state to indicate that the public key is loaded: 10. CSM will now encrypt the private keys for S/MIME certificates issued at the RAO level using the master public key. Decryption will require the private key that was saved earlier. You can also reencypt the master key if required. 11. The generation process described in steps 3-8 must be repeated for each department that has key recovery enabled. CSM 28 October Page 27

28 WORKING WITH CERTIFICATES CSM lets you perform the certificate-related tasks: Task Description For more information, see. Identify SSL certificates on your network Request/add S/MIME client certificates Request/add SSL certificates Request/add Code Signing (CS) certificates Revoking SSL certificates Lets you perform a network scan to identify SSL certificates on your network and their current status. Lets you request/add S/MIME certificates for authenticating users. Lets you request/add SSL certificates for identifying computer infrastructure (e.g. web servers, etc.). Lets you request/add Code Signing (CS) certificates that show ownership of code. Lets you cancel an SSL certificate prior to its normal expiration date/time. Identifying SSL certificates by scanning your network on page 29. Requesting/adding an S/ MIME client certificate on page 32. Requesting/adding an SSL certificate on page 34. Revoking SSL certificates on page 38. For more information, see the next sections. Page October 2011 RAO Administrator

29 IDENTIFYING SSL CERTIFICATES BY SCANNING YOUR NETWORK CSM lets you perform a network scan to identify SSL certificates on your network and their current status. When you run the scan, CSM runs a scan for information purposes only; CSM does not change the status of any identified certificates. NOTE:You should only run scans on your own network. For more information on your network ranges, see your IT systems administrator. The process to scan a network uses the following two steps: Setup the network scan; and Run the network scan. To scan your network for certificates: 1. Select Settings» Certificate Discovery to open the Certificate Discovery page: 2. Enter the information for the network where you want to run the certificate scan: 3. Click Add to save the network information. CSM adds the network information to the list network scans. CSM 28 October Page 29

30 4. To perform a network scan, click to select the network scan you want to run, the organization and department where you want to assign any unmanaged certificates and select the scan frequency (e.g. Manual indicates that you want to run the scan immediately). 5. Click Scan Now to start the scan. CSM starts the scan and indicates the progress of the scan: NOTE:You can cancel the scan at any time by clicking Cancel. 6. CSM runs the scan and assigns any unmanaged certificates to the selected organisation/department: Page October 2011 RAO Administrator

31 7. CSM runs the scan and reports any unmanaged certificates on the selected network: NOTE:You can also hover the cursor over the certificate to show additional information. 8. You can manage the certificates by selecting the required operation next to a certificate (e.g. Renew). CSM opens the SSL certificate renewal page and pre-populates the information based on the discovered certificate: 9. You can now complete the certificate renewal process. For more information, see Requesting/adding an SSL certificate on page 34. CSM 28 October Page 31

32 REQUESTING/ADDING AN S/MIME CLIENT CERTIFICATE CSM lets you request/add S/MIME certificates for authenticating users. S/MIME certificates are also called client certificates or personal certificates. This can be done by RAO/DRAO administrators either: Manually - by entering inforamtion for a specific certificate; Via bulk upload - using comma separated variable (CSV) files; or Via the self-provisioning system - that lets users self-enrol for S/MIME certificates. NOTE:this example shows the process for manually requesting/adding an S/MIME client certificate. To request/add an S/MIME client certificate: 1. Select Certificate Management» Client Certificates to show the client certificates page: 2. Click Add to show the Add New Person page: NOTE:The SECRET ID field is used if you add a person who you want to self-enrol for a certificate. This functionality is not covered in this guide. For more information on self-enrolment, see Section in the CSM RAO Admin Guide. By default, AusCERT has enabled all client certificates to be only "standard" assurance. In this situation, changing the Validation Type setting will not change the certificate type (i.e. changing the Validation Type to High will have no effect). Organisations that require high assurance client certificates must: Follow the validation steps - outlined in the AusCERT Certification Practice and Policy Statement (CPS). For more information, see Additional documents on page 5; and Contact AusCERT - and request their CSM account be modified to permit the organisation to issue High assurance client certificates. Page October 2011 RAO Administrator

33 3. Enter the information and click OK to create the new person or click Cancel to quit without creating the new person. 4. CSM adds the new person. You can then manage the certificates for the person by clicking Certs: 5. In this example, the person does not have any existing certificates. 6. Click Send Invitation to send a certificate enrolment message: 7. CSM prompts you to confirm you want to send the certificate enrolment invitation: 8. Click OK to confirm the certificate enrolment invitation or click Cancel to quit. 9. CSM shows a message indicating the certificate enrolment message was sent to the person: 10. The final step in this process is for the end user to download their client certificate by following the instructions in the that is automatically sent to them. For more information on this process, see the CSM End User Guide detailed in Additional documents on page After the end user has downloaded and installed their client certificate, you can activate 2 factor authentication for the administrator account as detailed in Setting your administrator account to authenticate using an S/MIME certificate on page 18. CSM 28 October Page 33

34 REQUESTING/ADDING AN SSL CERTIFICATE CSM lets you request/add SSL certificates for identifying network infrastructure (e.g. web servers, etc.). To request/add an SSL certificate you must have the following information: Certificate Signing Request (CSR); and (Ideally) Server Software information - for the server that will use the certificate (e.g. Microsoft IIS, Apache, etc.). When adding an SSL certificate, CSM populates most field with default information; however you can change the information as required. To request/add an SSL certificate: 1. Select Certificates Management» SSL Certificates to show the SSL certificates page: 2. Click Add to show the SSL certificates request page: Page October 2011 RAO Administrator

35 3. To enter the CSR information, open the CSR and copy/paste the information into the field. 4. Select the appropriate SSL certificate type (e.g. AusCERT SSL Certificate, etc.). 5. Click Get CN from CSR to populate the Common Name field. NOTE:There is a direct relationship between the Certificate Type and the Common Name. For example, if you want to request a Common Name that contains a wildcard you must select the Wildcard certificate type. If you do not select the correct certificate type/common name combination, the CSM will show an error. 6. The certificate request page also shows the licence agreement: NOTE:To submit the certificate request, you must scroll to the bottom of the licence agreement and then click I Agree to activate the OK button at the bottom of the page. 7. Click OK to submit the certificate request. 8. The CSM submits the certificate request and sets the state of the certificate to Requested: CSM 28 October Page 35

36 9. The next step is to approve the certificate request by clicking Approve. 10. CSM prompts you to enter the reason for approving the certificate: NOTE:Regardless of whether the RAO/DRAO requested the SSL certificate, the RAO/DRAO may still be required to approve the request for the certificate. 11. Enter the reason and click OK. 12. CSM changes the state of the certificate request to Applied and forwards the certificate request for action 13. The CSM will issue the certificate and then change the certificate state to Issued. 14. You can view the certificate information at any time by clicking View. Page October 2011 RAO Administrator

37 15. When the certificate is issued, CSM automatically updates the certificate state to Issued and you can click View to download the certificate: CSM 28 October Page 37

38 REVOKING SSL CERTIFICATES CSM lets you cancel an SSL certificate prior to its normal expiration date/time. To revoke a certificate: 1. Select Certificates Management and select the tab for the certificate you want to revoke (i.e. SSL Certificates). 2. CSM shows the certificates: 3. Select the certificate you want to revoke and click Revoke. 4. CSM prompts you to enter a reason for the certificate revocation: 5. Enter the reason for revoking the certificate and click OK to revoke the certificate or click Cancel to quit without revoking the certificate. 6. CSM revokes the certificate and updates the information on the certificates page. Page October 2011 RAO Administrator

39 TROUBLESHOOTING TROUBLESHOOTING This section contains solutions to the following specific problems: Fixing Firefox certificate authentication issue. FIXING THE FIREFOX CERTIFICATE AUTHENTICATION ISSUE Issue: This information summarises security issue CVE (a man-in-the-middle vulnerability in the TLS/SSL protocol) which applies to SSL/TLS/https/etc. and describes the action to take in Mozilla. Information source: Mozilla have published official information and advice for this issue at Background: In 2009, a flaw was discovered in the SSL/TLS protocol which is widely used in Internet applications, for example when accessing web content via an address prefixed with https. This flaw could allow a man-in-the-middle (MITM), to be able to inject data into a connection between an Internet client and an Internet server, and potentially allow an attacker to execute commands using the credentials of an authorised user, or to even collect authentication credentials of authorised users. NOTE:The flaw is not limited to any specific software implementation, but is rather a fundamental protocol design flaw, a lot of software using SSL/TLS is vulnerable. When a RAO/DRAO administrator attempts to login to the CSM using the default Firefox web browser (including current versions) and where Cert Auth is enabled for the administrator account, the following error appears: CSM 28 October Page 39

40 TROUBLESHOOTING Additional information: There are two solutions to this issue: Recommended solution - add cert-manager.com as an allowed host for SSL renegotiation as detailed in By default this value is Empty; however you can set the string preference as a list of host names separated by a comma. Wildcards are not permitted. For example: Negotiation may be performed on these hosts when using the old vulnerable protocol. Alternate (not recommended solution) - allow unrestricted renegotioation as detailed in Security:Renegotiation#security.ssl.allow_unrestricted_renego_everywhere_temporarily_available_pref Note that this approach is not recommended as it completely disables specific protection mechanisms. The following images detail the recommended solution: 1. Open Mozilla and show the configuration information by opening about_config: 2. Read the displayed warning and acknowledge the warning by clicking I ll be careful I promise. 3. Set the filter to security.ssl.renego_unrestricted_hosts: NOTE:The status is currently set to Default and there is no value which indicates that the preference has not been set. Page October 2011 RAO Administrator

41 TROUBLESHOOTING 4. Right click and from the shortcut menu select Modify: 5. The system prompts you to enter the new preference value: 6. Enter cert-manager as the new preference value and click OK to set the information or click Cancel to quit without setting the information. 7. The system updates the preference information: NOTE:The status is now set to user set and shows the new preference value which indicates that the preference has now been set. CSM 28 October Page 41

42 TROUBLESHOOTING Page October 2011 RAO Administrator