eTrust PKI™ Administrator Guide 2.0

This documentation and related computer software program (hereinafter referred to as the “Documentation”) is for the end user’s informational purposes only and is subject to change or withdrawal by Computer Associates International, Inc. (“CA”) at any time.

This documentation may not be copied, transferred, reproduced, disclosed or duplicated, in whole or in part, without the prior written consent of CA. This documentation is proprietary information of CA and protected by the copyright laws of the United States and international treaties.

Notwithstanding the foregoing, licensed users may print a reasonable number of copies of this documentation for their own internal use, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the confidentiality provisions of the license for the software are permitted to have access to such copies.

This right to print copies is limited to the period during which the license for the product remains in full force and effect. Should the license terminate for any reason, it shall be the user’s responsibility to return to CA the reproduced copies or to certify to CA that same have been destroyed.

To the extent permitted by applicable law, CA provides this documentation “as is” without warranty of any kind, including without limitation, any implied warranties of merchantability, fitness for a particular purpose or noninfringement. In no event will CA be liable to the end user or any third party for any loss or damage, direct or indirect, from the use of this documentation, including without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised of such loss or damage.

The use of any product referenced in this documentation and this documentation is governed by the end user’s applicable license agreement.
The manufacturer of this documentation is Computer Associates International, Inc.

Provided with “Restricted Rights” as set forth in 48 C.F.R. Section 12.212, 48 C.F.R. Sections 52.227-19(c)(1) and (2) or DFARS Section 252.227-7013(c)(1)(ii) or applicable successor provisions.

© 2002 Computer Associates International, Inc. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Contents

Chapter 1: Introduction
  PKI Capabilities  1-1
  Hardware Support  1-2
  PKI Components  1-2
    Certificate Authority (CA) Server  1-2
    Registration Authority (RA) Server  1-2
    Web Enrolment Server  1-3
    Registration Authority (RA) Client  1-3
    End Entity Software  1-3
    Certificate Database  1-4
    Certificate Repository  1-4
    CA Configuration Repository  1-4
    Configuration Manager  1-5

Chapter 2: Setting Up eTrust PKI
  Scaling eTrust PKI—the Tiered CA Approach  2-1
    Advantages of Scaling  2-2
  Setting Up a CA/RA Host  2-2
  Starting the CA/RA Servers  2-3
    Setting Up the Servers to Start Automatically  2-4
  Setting Up a Distributed RA Client  2-5
    Task 1—Creating Remote RA Client Configuration Information  2-5
    Task 2—Deploying the RAC Operators  2-6
    Task 3—Installing the Remote RA Client  2-6
    Task 4—Loading the Remote RA Client onto a Machine  2-7
  Installing a Distributed End Entity Client  2-8
    Task 1—Creating End Entity Configuration Information  2-8
    Task 2—Deployment of the End Entity Tier  2-9
    Task 3—Installing the End Entity Client on the Distributed Machine  2-9
    Task 4—Loading the End Entity Configuration onto the Target Machine  2-10
  Installing a Subordinate CA/RA Tier  2-11
    Task 1—Creating Subordinate CA/RA Tier Configuration Information  2-11
    Task 2—Deploying the Subordinate CA/RA Tier  2-12
    Task 3—Installing the Subordinate CA/RA Tier  2-12
    Task 4—Loading the Configuration onto the Target Machine  2-13

Chapter 3: Using eTrust PKI
  Logging In
  Starting the RA Client
  Issuing Certificates
    Certificate Issuing Methods
    Creating a Certificate Request
  Revoking a Certificate
  Renewing Certificates
  Recovering a Private Key
  Reporting on the Archived Data
    Standard Reports
    Creating and Saving a Customized Report
  Using Certificate Profiles
    Viewing Profiles
    Editing Profiles
  Backing Up Private Keys
  Backing Up Your Configuration
  Recovering Your Configuration Data

Chapter 4: Certification Authority Rollover
  Background
  CA Key Rollover
  Setting Up Rollover
  Further Information

Chapter 5: Web Enrolment
  Configuring Web Enrolment
  Starting the Web Enrolment Server
  Issuing a Certificate—Workflow
  User Tasks
    Requesting a New Certificate
    Requesting that a Certificate be Renewed
    Requesting that a Private Key be Recovered
    Requesting that a Certificate be Revoked
  Web Enrolment RA Operator Tasks
    Creating a Certificate
    Recovering a Private Key
    Revoking a Certificate
    Renewing a Certificate
    Viewing Web Enrolment Activity
  Customizing the Web Enrolment Interface
    Customizing the eTrust PKI Workflow Home Screen
    Customizing the eTrust PKI Workflow Logo
    Customizing the eTrust PKI Workflow Style Sheet
    Customizing the Group Drop Down List

Chapter 6: Batch Processing
  Using the PKI Batch Tool
  Creating Certificates in Batch Mode
  Renewing Certificates in Batch Mode
  Revoking Certificates in Batch Mode
  Creating a CRL on Demand
  Specifying the File Name and Path

Chapter 7: Software Development Kit (SDK)
  Central Concepts
    Keys
    Certificates
  Core Functionality
    Cryptographic Providers
    Signing/Verifying
    Encrypting/Decrypting
    Validating Certificates
    Extracting Certificate Details
  Setting Properties
    The ETCER Configuration Object
    The Default Section
    The Provider Sections
    The OCSP Section

Chapter 8: Setting Up HSMs
  Setting Up Eracom CSA7000 and CSA8000 HSMs
    Saving a Certificate in the Adapter
  Setting Up GemPlus GemPKCS SDKv3 Smartcards
    Saving a Certificate on the Smart Card
    Saving the Root Certificate on the Smart Card
  Setting Up Rainbow iKey 2000 – USB Key Tokens
    Saving the Root Certificate in the Token
  Setting Up Datakey Smartcards
    Saving the Root Certificate to a Token
  Setting up a Chrysalis HSM
    Task 1—Install Software
    Task 2—Installing the Hardware
    Task 3—Testing the Install
    Task 4—Enabling the Token and Setting Up the PED Keys
    Saving the Root Certificate
  Setting Up GemPlus GemSAFE Smartcards
    Saving a Certificate Through the RA Client
    Saving the Root Certificate
  Setting Up a GemPlus GemSAFE 3.0 Smartcard
    Saving a Certificate Through the RA Client
    Saving the Root Certificate

Chapter 9: Cross Certification
  Cross Certification Theory
  Cross Certifying with Another CA
    Task 1—Copying the Public Key
    Task 2—Cross Certifying
  Cross Certification Options
  Publishing Cross Certificates
  Possible Problems with Cross Certification

Glossary

Chapter 1: Introduction

eTrust™ PKI issues and maintains digital certificates. Digital certificates provide an assured binding of the name of a person or system to a public key; they are a critical part of a public key infrastructure (PKI).

eTrust PKI supports the important PKI public standards, including X.509, PKIX standards, and PKCS standards. This provides interoperability for PKI implementations.

eTrust PKI publishes completed digital certificates and certificate revocation lists (CRLs) in a directory. eTrust™ Directory is the recommended directory, but eTrust PKI will work with any fully LDAP-compliant directory. eTrust PKI can publish CRLs. It can also update the directory whenever a certificate is revoked—this allows the use of eTrust™ OCSPro for true online certificate status reporting.

The administrator can use the Configuration Manager to set up the eTrust PKI security controls to be:
- Extremely secure
- Relaxed for less stringent environments

eTrust PKI can be scaled for large environments through the establishing of tiers of Certificate Authority/Registration Authority pairs.
PKI Capabilities

eTrust PKI includes eTrust Directory and eTrust OCSPro, but it does not rely on them entirely, providing flexibility of configuration.

Hardware Support

eTrust PKI supports key generation and certificate storage on a range of hardware devices by a range of different vendors. Hardware support is by way of PKCS#11, the accepted hardware interface standard.

Hardware support includes:
- Chrysalis-ITS Luna CA3
- Datakey
- Eracom CSA 7000/8000 HSM
- GemPlus GPK8000 Smartcard & GEMSAFE smartcards
- Rainbow iKey 2000 – USB key token

PKI Components

eTrust PKI has several components. These can be installed on different machines, or on the same machine.

Certificate Authority (CA) Server

The CA server signs the certificates. It is literally the “key” to everything—it holds the key used in signing. You must make the CA server physically secure.

Registration Authority (RA) Server

This component is the central server. The RA server:
- Holds the database describing the certificates that are currently in progress
- Publishes certificates and CRLs to a directory
- Communicates with:
  - The CA server to get signatures
  - RA clients to issue and revoke certificates
  - End entity software to accept certificate requests
  - Third party RA servers to chain requests and relay responses to requests

Web Enrolment Server

This component provides a web interface between the users and the RA server. The web enrolment server allows the RA operator to issue and maintain certificates for the users without the users being physically present. There are many web scripting techniques (for example CGI).

Tip: For a completely web based certificate issuance, tie the batch processes of an RA client to a Windows based web server.

Registration Authority (RA) Client

Operators use the RA client to issue and revoke certificates. The RA client communicates with the RA server to:
- Obtain profiles
- Obtain data to produce reports
- Submit certificate issuances
- Submit certificate revocations

The RA client supports both background batch processes and a foreground wizard-based GUI. The GUI provides direct control; the batch processes are provided for bulk and automated processing. The RA client is a Java GUI that requires the Java Run Time Libraries to be installed on the client machine. It is a GUI designed to be used by a minimally trained operator. Use the Configuration Manager policy controls to customize the functionality of the RA client.

End Entity Software

When issuing a certificate request, the RA operator provides the end entity client software to the user. This software can generate a key-pair, bundle the public key with the rest of the certificate request, and interact with the RA server to get the certificate signed. The end entity client is a Java GUI that requires that the Java Run Time Libraries are installed on the client machine.

Certificate Database

The certificate database:
- Stores requests that are in progress (the user has requested the certificate and received the package, but has yet to return the request with the public key)
- Contains information on the revoked certificates
- Stores information from the tiers

This information can be used to generate reports.

Certificate Repository

The certificate repository is a directory service used to publish certificates and CRLs. The interface to the directory uses LDAP connecting to eTrust Directory. This allows access to any directory that offers a fully compliant LDAP interface.

CA Configuration Repository

The CA configuration repository is a directory service used to store distributed configuration settings for all PKI components within a defined infrastructure. The only directory supported as the administrative repository is eTrust Directory. This is for reasons of security and distribution. The administrative repository is separated from the publication directory. This allows you to choose eTrust Directory, or a third party directory, as the directory used to publish certificates.

Configuration Manager

The configuration manager allows the administrator to control the servers, and the general operation of the system. This includes stopping the servers, and changing the key-pairs available for signing certificates. The Configuration Manager also provides a GUI for controlling the configuration of subordinate tiers.

The Configuration Manager communicates locally or remotely with any component by altering the configuration settings in the configuration directory. This allows the central rollout, administration, and maintenance of any component in the infrastructure.

Chapter 2: Setting Up eTrust PKI

This chapter discusses how to set up eTrust PKI. eTrust PKI can be set up:
- On a single host machine
- In a tier to handle large configurations

Scaling eTrust PKI—the Tiered CA Approach

A system that will handle extremely large numbers must be designed to accommodate scaling. The approach we advocate is to replicate the CA/RA cluster. There are two principles to this approach:
- The CA/RA pair are treated as a unit (they run on the same machine), and are replicated as such
- Every pair that is not a root node has its signing certificate signed by a parent

This requires only one modification to the existing design—the signing certificate is not necessarily self-signed. This is not a modification to the software, but rather to the setup process—the signing certificate is installed rather than generated.

Advantages of Scaling

The advantages of scaling are:
- You can continue to build on a working design, one that has excellent scalability already.
- You can test the software more readily—it will not have different modes of operation depending on the scale of operations.
- There is no limit to the scaling, because there is no requirement for on-going connection between the replicated systems—the connection is one of issuing certificates.
- There is no communications load (except for the OCSP traffic).
- The load is split. Performance problems can be addressed by upgrading or splitting the node. This does not impact other areas.
- Failure of any node does not affect any other node. It is possible for a failing node to be ‘covered’ by another node—the RA clients can fail over from one RA server to another without loss of functionality.
- Each CA/RA node is capable of independent operation, and can operate off-line. The only commonality required is in the eTrust OCSPro responder.
- The impact of a compromised CA key is limited to those certificates that include the compromised CA in their chain. To minimize exposure even further, the root CA can be restricted to issuing certificates for subordinate CAs.
- A single root CA can issue signing certificates to a vast number of subordinate CAs. One subordinate CA can have its signing certificate signed by another subordinate CA, which in turn might have its certificate signed by the root CA, or even by another level of subordinate CA.
- Signing chains are supported for certificates generated by other systems.
- This design does not complicate the SDK component.

Setting Up a CA/RA Host

The CA/RA host was set up in the standard installation procedure. For details see the eTrust PKI Getting Started.

Starting the CA/RA Servers

To start up the CA/RA servers:

1. Select Start, Programs, Computer Associates, eTrust PKI, Foreground CA/RA Servers. The Server Status Monitor dialog is displayed.
2. Click the Start button. The CA and RA servers start.
Server Administrative Tools. Press Enter to complete installation. 2.Starting the CA/RA Servers Setting Up the Servers to Start Automatically To set up the CA/RA servers to start automatically: 1. Select Services and Applications. Important! If the servers are running as services. Services. 4. Computer Associates. Select eTrust PKI Services and click the Start Services button to enable the services. 3. Programs. 5. The next time the computer is restarted. The Command dialog is displayed. Select Start. eTrust PKI. they cannot start in the foreground. Right click My Computer and select Manage. Install CA and RA Servers as Services. eTrust PKI Services will start automatically. Programs. Configuration Manager. 11. 10. Task 1—Creating Remote RA Client Configuration Information This task is performed on the CA/RA host. Select the RAC Operators node under the Root CA node and click on the Registration Authority Clients tab in the right window. then enter the following data: § § 4. 6.Setting Up a Distributed RA Client Setting Up a Distributed RA Client To set up remote RA clients to run with the root CA/RA tier. 7. Enter a key alias for the key and click Next. Click the Add New User button. Enter the location of the default RAC key (the name of the key will reflect the name of the new RAC operator you entered) and click Next. 8. New RA and click Next. 12. 2. 5. Select Start. for example. Connect. Select the Root Tier node under the eTrust PKI node. Enter a name for the new RA User. Configuration Manager. Select File. HOST: localhost PORT: 15389 Select Security Level SSL + SASL + Keystore Password from the drop down list. 1. Enter a passphrase to protect the private key and click Finish. Setting Up eTrust PKI 2–5 . eTrust PKI. complete the following tasks. 3. Ensure that the foreground CA/RA servers are running. Computer Associates. Enter the client keystore passphrase then click OK. 9. is deployed. 3. Create a new folder. 
A prompt is displayed asking where to save the new RAC. The RAC Operator deployment is completed. 6. 2–6 eTrust PKI Administrator Guide . 1. 2. Click Deploy Existing Users. Select eTrust PKI from the Product Explorer and click Install. 5. Select the new folder without opening it and press Save. Task 3—Installing the Remote RA Client This task is done on the remote RA client. Separately select the CA and RA servers and EE client and choose 'This feature will not be available' so that only the RA client is available for install. Load the Product Explorer from the eTrust PKI CD onto the computer that the remote RA client will be installed on. 6. 4. Click Next and then Install. Select the RAC Operators node in the Configuration Manager tree structure. 8. 5. 1. Note the location of the files and click OK.Setting Up a Distributed RA Client Task 2—Deploying the RAC Operators This task is done on the CA/RA host. for example. The new RAC. 2. New RA. The default path for eTrust PKI installations is: C:\Progra~1\CA\eTrust PKI\. Install the Java Runtime Environment from the supporting products folder. 4. 3. Ensure that the foreground CA/RA servers are running. Choose Custom Install. Select the Registration Authority Clients tab. A dialog is displayed asking you to enter the directory where your eTrust PKI files are installed on the computer that houses the remote RA Client. along with any existing RAC. 7. 1. Run MyConfig. You can now run the RA client of the remote machine with the servers running on the root machine. for example New RA. for example via floppy disk. 2. Setting Up eTrust PKI 2–7 .bat. This is located in the folder you saved the new configuration data into. Access the saved RAC data files created in task 2.Setting Up a Distributed RA Client Task 4—Loading the Remote RA Client onto a Machine This task is done on the remote RA client. Example Host Name COMPUTER1 COMPUTER1 Port Number 2001 2001 3. and click on the CA-RA Tier Container tab in the right window. 2. 9. 
Enter a passphrase to protect all the client keys generated. Select File. 2–8 eTrust PKI Administrator Guide . Enter a DN for the computer the end entity client will be installed on. The Configuration Manager dialog is displayed. Select Start. Click the Add New Tier button. Configuration Manager. 6. Enter the information needed to generate a new distributed end entity client. Configuration Manager. Enter the host's computer name (for example COMPUTER1) and the following port numbers: Screen CA Server RA Server 8. Connect. then enter the following data: HOST: localhost PORT: 15389 4. 10. Computer Associates. 1.Installing a Distributed End Entity Client Installing a Distributed End Entity Client To install a distributed end entity client complete the following tasks. Select the Root Tier Node. Programs. 5. eTrust PKI. Ensure that foreground CA/RA servers on the host computer are running. Enter a unique name for the CA/RA tier and click Finish. 7. Select security level SSL + SASL + Keystore password and enter the client keystore passphrase then select OK. Task 1—Creating End Entity Configuration Information This task is completed on the CA/RA host. 3. 1. 5. Note the location of the files click OK. Separately select the CA and RA servers and RA client and choose ‘This feature will not be available' so that only the end entity client is available for install. A dialog appears asking you to enter the folder on the machine with the remote RA client that you will install the eTrust PKI files in. 4. 6. 3. Click Next and then Install. 7. Select the new CA tier node in the Configuration Manager tree structure. Ensure that the foreground CA/RA servers are running.Installing a Distributed End Entity Client Task 2—Deployment of the End Entity Tier This task is done on the CA/RA host. Setting Up eTrust PKI 2–9 . Install the Java Runtime Environment from the Supporting products folder. The End Entity Tier is deployed. 4. 
Select eTrust PKI from the Product Explorer and click Install. A dialog appears prompting for the folder to save the new tier in. 5. The default path for PKI installations is: C:\Progra~1\CA\eTrust PKI\. 6. Choose Custom Install. Select the second folder without opening it and press save. Create a new folder and another folder within the new folder. 2. This is in the CA/RA tier just created. 8. Task 3—Installing the End Entity Client on the Distributed Machine 1. Load the Product Explorer from the eTrust PKI CD onto the computer the end entity client will be installed on. Click Deploy. Select the CA/RA Tier tab. 2. 2. Access the folders created in task 2. 2–10 eTrust PKI Administrator Guide . The existing certificate structure is replaced with the subordinate certificates. Important: The following step must be done from the local hard drive. Do not try to do this over a network because the subordinate tier may not load properly. Run MyConfig.Installing a Distributed End Entity Client Task 4—Loading the End Entity Configuration onto the Target Machine 1.bat located in the root of the Configuration folder. Copy the main end entity folder and sub-folders onto the machine where you installed the end entity client. Do this via floppy disk or network connection. 3. Programs. 9. Click the Add New Tier button. Ensure that the Foreground CA/RA Servers on the host computer have been started. Host Name REMOTEMACHINENAME REMOTEMACHINENAME Port Number 2001 2001 Enter a DN for the computer you will install the subordinate CA/RA tier on. enter the information needed to generate a subordinate CA/RA tier. Enter the remote machine name as the CA and RA servers. Select SSL + SASL + Keystore Password and enter the default_administrator passphrase then click OK. The Configuration Manager is displayed. Screen CA Server RA Server 8. Configuration Manager. 6. Select File. 
3.Installing a Subordinate CA/RA Tier Installing a Subordinate CA/RA Tier To install a subordinate CA/RA tier complete the following tasks. Task 1—Creating Subordinate CA/RA Tier Configuration Information The task is done on the CA/RA host. 5. Enter a unique name for the CA/RA tier an click Finish. 1. 2. eTrust PKI. Connect. Select the Root Tier node. Computer Associates. Setting Up eTrust PKI 2–11 . Configuration Manager. then enter the following data: HOST: localhost PORT: 15389 4. Enter a passphrase to protect the client keys generated. On the CA-RA Tier tab. 10. and click on the CA-RA Tier Container tab in the right window. 7. Select Start. 4. 5. A dialog is displayed asking for the folder on the machine the subordinate tier eTrust PKI files will be installed in. When the certificates are generated and saved. After the reboot. 3. 2–12 eTrust PKI Administrator Guide . 4. Load the Product Explorer from the eTrust PKI CD onto the computer the subordinate CA/RA tier will be installed on. then create a second folder within that one. Select the CA Tier node. Select the CA/RA tier tab in the right hand window and click the Deploy button. Select eTrust PKI from the Product Explorer and click Install. 5. Important: If you choose a custom install you must install all products for the Subordinate CA/RA Tier to work. 6. run the PKI configuration.Installing a Subordinate CA/RA Tier Task 2—Deploying the Subordinate CA/RA Tier In this task you will deploy the configuration files and certificates (from the CA/RA host with the CA/RA Servers running) to run on the subordinate machine 1. Create a folder to save the configuration data in. Task 3—Installing the Subordinate CA/RA Tier 1. Done! appears next to the Deploy button. Select the Configuration Manager tree structure and expand the tier created in Task 1. Choose Complete Install. 2. Click Next and then Install. Selected the second folder created in Step 1 without opening it and press Save. 
6. Install the Java Runtime Environment from the supporting products folder. A dialog box appears prompting for a directory to save into. The default is: C:\PROGRA~1\CA\eTrust PKI\.

Task 4—Loading the Configuration onto the Target Machine
1. Access the folders created in Task 2.
2. Copy the main subordinate tier folder and sub-folders onto the machine where you installed eTrust PKI as a subordinate CA/RA Tier. Do this via floppy disk or network connection.
Important: The following step must be done from the local hard drive. Do not try to do this over a network because the subordinate tier may not load properly.
3. Run MyConfig.bat located in the root of the Configuration folder. This replaces your existing certificate structure with the subordinate certificates.

Chapter 3 Using eTrust PKI
This chapter describes the main functions of eTrust PKI.

Logging In
You must log in before using eTrust PKI. The only commands accepted are Login and Cancel if:
- The program is first started
- The operator has logged out
- A defined time interval without operator activity has elapsed
The form of the login is determined by the policy set by the administrator. It consists of a:
- Certificate
- User ID
- Passphrase

Starting the RA Client
The RA client is the interface used to access:
- The day-to-day PKI functionality
- The administration of user certificates
The CA/RA services must be started before the RA client can run. If these services have not been set to automatically load when the computer is started, select Start, Programs, Computer Associates, eTrust PKI, Foreground CA/RA Services, then click Start to launch the services.
To start the RA client:
1. Log onto the computer that has the RA client loaded.
2. Select Start, Programs, Computer Associates, eTrust PKI, RA Client. The RA Client Logon Information dialog is displayed.
3. Click Browse. The Load Key Store File dialog is displayed.
4. Select the RA client operator p12 certificate (the default is defaultRAC_crt.p12) and click Open.
5. Enter the RA client operator's passphrase and click Login.
6. The RA client interface is displayed.

Issuing Certificates
Certificates are issued according to editable profiles set up by the CA administrator. Certificates can be issued:
- In DER, PEM, and PKCS#12 format. If required, certificates can be converted from PKCS#12 format to PEM format using SSL.
- For hardware such as: Smartcards, USB tokens, Cryptographic boards, HSMs
Use the web enrolment interface to process certificate requests from remote users.
Tip: Use the batch tools provided with eTrust PKI to automatically process a large number of certificates.

Certificate Issuing Methods
There are two main methods of issuing certificates:
- In a single step at the RA client. This allows private encryption keys to be backed up to allow recovery of encrypted material.
- In stages:
  - The user registers with an RA client
  - They complete the generation of the keys at their own computer
  - The generated public key is securely sent back to the RA server for inclusion into a certificate
  - The completed certificate is returned to the user

Creating a Certificate Request
When a user requires a certificate the process starts at the RA client. PKI allows users that have an entry in the associated directory to have certificates created for them. It is expected that the RA client operator will also be able to add users to the directory. Any user can approach the RA client operator if they do not have an entry in the directory. The RA client operator can do one of the following:
- Create a new entry in the directory and issue a certificate.
- Search the directory for an existing user to use in certificate generation.
The directory browser illustrated allows the RA client operator to search the directory and locate the user and their certificates.
Tip: Locating the user in the directory ensures that a valid distinguished name for the user is captured. It is simpler, and less error-prone, for the operator to locate the user in a directory than to type in the distinguished name.
When you request a certificate for the user you are guided through the data capture process by a wizard. This provides a structured process for handling the request. The following tasks describe the capture process.

Task 1—Processing a User Certificate Request
Different organizations have different processes—the steps below are given as a guide. For a typical RA client operator to create a certificate for a user:
1. The RA client operator checks the user's credentials.
2. The RA client copies the user's distinguished name (DN) from the directory.
3. The RA client operator chooses the certificate profile and signing key-pair. The operator must select a certificate profile for the request. The list of available certificate profiles is obtained from the RA server when the operator logs in. The certificate profile:
   - Dictates the list of attributes assigned to the certificate
   - Specifies fixed values for some fields
   - Specifies default values for some fields—where default values are blank
   - Enforces the fields that must be populated before the certificate process can proceed
   For further information on the profile attributes, click Help.
4. The RA client operator issues the user with a certificate request package after the user's details are captured.
Task 2—Generating Certificate Items
After the RA client operator has requested a certificate, the RA client generates the following list of items needed to complete the certificate request:
- A key-pair (if the encryption key-pair is to be generated by the PKI). The key-pair is optionally backed up.
- A session key (used to send the certificate request back to the RA client).
- A message authentication code (if the user is to finish creating the certificate on their own machine).
- An incomplete certificate that contains:
  - The user's identity
  - The specification of choice of CA signing key-pair

Task 3—Creating an RA Client's Package
The RA client creates a package for the user that contains:
- End entity client software—on the eTrust PKI CD-ROM
- An incomplete certificate—on a floppy disk
- Configuration files—on a floppy disk
- Instructions for how the user is to complete the generation of the keys
The floppy contains the information needed by the end entity client software to complete the certificate request and submit it. The information on the floppy includes:
- The incomplete certificate
- The MAC session key
- The address of the RA server
The information is stored on the floppy by default. This default can be changed to transport the files via another medium, for example, email the files to the user.
One floppy can hold the information for more than one certificate request. This simplifies matters when generating multiple certificates for a single user. The end entity client software picks up all the certificate requests on the floppy disk, and will act on each of them.
Important! A different floppy must be used for each user.

Task 4—Setting Up the End Entity Client
If the user plans to store the certificate on a smart card, they will need to install the software for the smartcard reader before generating their key-pair. The end entity client:
1. Generates a signing key-pair.
2. Generates an encryption key-pair (if applicable).
3. Stores the private keys:
   - In software using PKCS#12
   - In smartcard or token or HSM
4. Places the public keys in an incomplete certificate.
5. Constructs a PKCS#10 request for the certificate.
6. Transmits a request to the RA server, encrypted using the unique session key issued by the RA client.
7. The RA server validates the request, submits the complete certificate to the CA server for signing using the selected signing key, publishes the certificate in the directory using LDAP, and sends the signed certificate to the end entity client software.
8. Saves the certificate, making it available for use with certificate enabled applications.

Revoking a Certificate
There are many reasons why a certificate may be revoked. It may be due to a user becoming concerned that their certificate has been compromised, or because a person is no longer in the organization.
Once the revocation is confirmed, the RA client notifies the RA server. The RA server marks the certificate as revoked in both the internal database and in the directory. The details of the revoked certificates are published in a generally accessible CRL and in the certificate status field held in the directory that contains the user details.
Use the web enrolment interface to revoke certificates from remote users.
Tip: Use the batch tools provided with eTrust PKI to automatically revoke a large number of certificates.
To revoke a certificate:
1. Select the Revoke a Certificate option from the RA client interface.
2. Browse the Directory Information Tree (DIT) to locate the certificate to be revoked. You will need to select the specific certificate if multiple certificates have been issued to the user.
3. Confirm both the identity of the certificate's subject and the exact certificate to be revoked. The interface displays the details of the certificate to be revoked. This is to confirm that you have selected the correct certificate.
4. Under Revocation settings select the reason for revoking a certificate as well as how the administrator has been contacted.
Tip: Select certificateHold as the revocation reason to revoke the certificate and provide a recovery option.
5. After the revocation is completed a dialog giving the option to update the CRL is displayed. If your PKI uses certificate revocation lists, the lists are updated by this option. Do one of the following:
   - Click Yes to update the CRL immediately
   - Click No to continue working without updating the CRL. You can update the CRL later with the RA Client's Generate CRL option.
Depending on the importance of the certificates being revoked, it may be better to wait until all the certificates have been revoked before updating the CRL.

Renewing Certificates
A certificate must contain an expiry date. If a certificate expires and the private key has not been compromised, the certificate owner can apply to have the certificate renewed. The renewal process involves changing the expiry date and having the certificate signed again. This option allows a customer to keep their existing set of keys and issue a new certificate for the next period. The new expiry date of the certificate cannot be later than the expiry of the CA root certificate.
The level of ID required is determined by the profile issued. Profiles for higher levels of security are likely to require the user to provide more ID.
Use the web enrolment interface to renew certificates for remote users.
Tip: Use the batch tools provided with eTrust PKI to automatically renew a large number of certificates.
To renew a certificate:
1. From the RA client interface, select Renew a Certificate. The Renew a Certificate dialog is displayed.
2. Use the Explore tab and the DIT to find the customer record.
3. Open the customer folder and select certificateSerialNumber.
4. Check that the certificate details match the ID presented by the user.
5. In Renewal Settings enter the date the new certificate expires. The date is in MM/DD/YYYY format.
6. Click the Renew button. A dialog to confirm the renewal is displayed.
7. Click Yes to proceed with the renewal. The RA server creates and signs a new version of the certificate.
8. Save the new certificate onto a floppy disk and pass it to the user along with instructions on how to install it.
9. The user can now install the new certificate onto their computer.

Recovering a Private Key
This task can only be performed if the private key is backed up on the CA server. The profile selected for certificate creation sets this option. Check with the CA Administrator for further details. If the user was given a partially completed certificate, which they then completed on their own computer, there was no opportunity for the private key to be backed up by the RA server.
WARNING: This task could potentially allow an attacker to impersonate a legitimate user. As such, the use of this task should be limited to the eTrust PKI Administrator.
The ID requirements for this task may be higher than for other tasks; this is because an attacker may attempt to impersonate the certificate owner to gain the private key. Extra forms of ID may be required to verify the identity of the end user.
1. From the RA Client click Recover a Private Key. The Recover a Private Key dialog is displayed.
2. Click the Refresh button to connect and update the directory information tree.
3. Find the certificate to be recovered. Use the DIT with the Explore tab or enter the required name in the search box and click Search to do this.
4. Open the folder and select certificateSerialNumber.
5. Check that the certificate details match the ID presented by the user requesting the recovery.
6. Click the Recover button to continue. A confirmation dialog is displayed.
7. Click Yes to proceed.
8. Save the private key to a floppy disk and pass it to the user with instructions on how to install it.
9. The private key can now be installed onto the certificate owner's computer.

Reporting on the Archived Data
This option allows you to run standard reports on the current status of the PKI users. You are also able to create your own reports by using SQL commands on the Ingres database.

Standard Reports
There are a number of standard reports installed with the default installation of the RA client. These include:
- The details for any certificates that have been revoked.
- The details for any unsigned certificates that have been given to end entities.
- Systems activity reports for the RA client, RA server, and CA server log. By default, the log files record warnings, information, and debug events. You can change the events recorded to suit your requirements.
To run a standard report, open the RA Client and click Report on the Archived Data.

Creating and Saving a Customized Report
To create customized reports:
1. Click the Edit Reports button.
2. Enter the name of the report, a name to be displayed on the button on the reporting interface, a short description of the report, and the SQL query required to extract the information from the database.
3. Click Save. The report can be run by you or another RA client operator at a later date.

Using Certificate Profiles
The fully formed and usable certificate profile templates which are installed by default include:
- Generic Utility Certificate
- Signing Certificate
- Subordinate CA Certificate
- Encrypting Certificate
- Self Signed CA Certificate
- SSL Server Certificate
- Blank Certificate
You can select a profile that suits each applicant.
To create a certificate profile, select an existing template, edit it (optional), and save it as a new profile. The certificate profile determines:
- What fields are compulsory
- Default values
- The list of possible valid entries
- Whether the private / public key-pair is generated by the end entity client or by the RA client
- Whether the RA server is to retain a copy of the private key for backup purposes
Each profile has common attributes as well as a set of attributes that are personalized for that particular customer profile. Check with the eTrust PKI administrator before editing or creating new profiles. For information on any of the V1, V2, or V3 certificate versions see RFC2459 on www.ietf.org.

Viewing Profiles
The RA client operator can see the attributes available for each type of customer profile. To view a profile:
1. From the RA Client interface click View Profiles.
2. Select a profile from the drop down box.
Tip: Use the Edit and Delete buttons to maintain your profiles while in view mode.

Editing Profiles
To edit a profile:
1. From the RA Client select View Profiles.
2. Select the profile to be edited.
3. Click the Edit button.
4. To make the required changes expand the tree and:
   - Edit the fields that have changed
   - Add new fields
   - Delete any fields not needed
For more information on editing profiles see the online help.
To keep previous versions of the profile, modify the version number each time a profile is modified. You can only select the latest version of a profile when issuing a certificate, but all versions are kept for auditing and rollback purposes.

Backing Up Private Keys
If certificate profiles are created with the attribute of 'archive', then when the key-pairs are created at the RA client, the root CA encrypts a copy of the private key. This enables the recovery of encrypted files in the case of key loss. Private encrypting keys should be backed up. Private signing keys should not be backed up; however, some companies back them up for mobility reasons.
To recover a key backed up via the RA client:
1. Open the RA client and select Recover Private Key.
2. Navigate to the certificate to be recovered and select the serial number.
3. Select the file name and path for the recovered key.
4. Enter a passphrase to protect the key.
5. Select Recover and confirm when prompted.

Backing Up Your Configuration
Before making changes to your eTrust PKI configuration, make a backup of your original configuration. To back up your configuration:
1. Select Start, Programs, Computer Associates, eTrust PKI, Server Administrative Tools, Backup & Recover. The Backup/Recover Tool dialog is displayed.
2. Select Backup PKI configuration and click Next.
3. Specify where the original PKI components are installed and where to save the configuration data.
4. Click Next twice. The backup process starts.
5. When the backup is complete, click Finish.

Recovering Your Configuration Data
Important! If you are recovering from a backup, reinstall PKI with the original path. If you are moving your PKI installation to a new machine, install PKI to the original path and copy the backup directory (pkiconfig) to the original path.
To recover the original configuration:
1. Select Start, Programs, Computer Associates, eTrust PKI, Server Administrative Tools, Backup & Recover. The Backup/Recover Tool dialog is displayed.
2. Select Recover PKI configuration and click Next.
3. Specify where the original PKI configuration data is backed up and where to restore it.
4. Click Next twice. The recovery process starts.
5. When the recovery is completed, click Finish.
Chapter 4 Certification Authority Rollover
eTrust PKI provides a mechanism for replacing an expired certification authority signing certificate. This process is referred to as rollover. Rollover is needed because certificates have a limited life span. The life span of the issued customer certificates is controlled by the life span of the root certificates. For example, if the life span of certificates issued to customers is one year, then the root certificate must be valid for at least the end of that year. As the root certificate approaches the limit of its life span it needs to be replaced. The rollover tool creates a new certificate with the old. This allows the certificates issued by the old CA certificate to continue to be validated until their expiry.

Setting Up Rollover
Rolling over requires that a new certificate be published to the directory. Stop and restart the servers after rolling over the root certificate.
To set up rollover:
1. Ensure that the CA/RA servers are running.
2. From a computer with a full PKI installation, choose Start, Programs, Computer Associates, eTrust PKI, Server Administrative Tools, Rollover tool. The Rollover Tool Logon Information dialog is displayed.
3. Click Browse. The Load Key Store File dialog is displayed.
4. Select the RA client operator p12 certificate (the default is defaultRAC_crt.p12) and click Open.
5. Enter the RA client operator's passphrase and click Login. The Rollover Tool dialog is displayed.
6. Enter the fields on the dialog:
   - Valid From—the initial date from which the root certificate will be valid. A calendar is available to ensure that the correct date is selected. This helps to ensure that leap years and short months are taken into account.
   - Valid To—the final date that the certificate will be valid. A calendar is available to ensure that the correct date is selected. This helps to ensure that leap years and short months are taken into account.
   - Public Key Encryption Strength—the strength of encryption used for the public certificate. There is a trade-off between higher encryption and faster processing. 1024 or 2048 is recommended.
   - Enter a Passphrase—protects the use of the CA private key. You will need to enter the passphrase used to create the original CA private key.
7. When you have collected all of the information select Next to complete the rest of the steps required to rollover the old certificate to the new. The Rollover Progress dialog displays the progress of the rollover process.
Make CA certificates last for at least one year beyond the life span of the certificates issued to the end entities. Rollover the new certificate as soon as the validity period of the certificates it issues outlasts its own.

Background
X.509 section 7 lists the CA certificate types:
- Self issued—the issuer and the subject are the same CA, but has a different serial number. A CA might use self issued certificates, for example, during a key rollover operation to provide trust from the old key to the new key.
- Self signed—a special case of self issued certificates where the private key used by the CA to sign the certificate corresponds to the public key that is certified within the certificate. A CA might use a self signed certificate, for example, to advertise their public key or other information about their operations.
- Cross certificate—the issuer and the subject are different CAs. CAs issue certificates to other CAs:
  - As a mechanism to authorize the existence of the subject CA (for example in a strict hierarchy)
  - To recognize the existence of the subject CA (for example in a distributed trust model)
RFC 2510 describes how cross certificates can be used in validation.

CA Key Rollover
When a new root certificate is created it has the same name as the old one. It appears to be technically feasible to reuse the same key pair; however, X.509 section 8.2.2.5 says: "With digital signature keys, the usage period for the signing private key is typically shorter than that for the verifying public key." The CA private key is a signing key, so it should follow the same rules. It is possible to specify a private key usage period for the CA key that implies that it will not be used for signing certificates after a certain date. X.509 section 7, for example, implies that the keys would be distinct.
When a new key pair is used, if self signed cross certificates are created (the old key, signed with the new, and the new signed with the old) in addition to the new certificate, a path of trust between the new key and the old key is provided. Note that this relies on issued certificates containing the authority key identifier extension so that the root certificates can be distinguished from each other.
The IETF's RFC2510 states:
"2.4 Root CA key update. This discussion only applies to CAs that are a root CA for some end entity. The basis of the procedure described here is that the CA protects its new public key using its previous private key and vice versa. Thus when a CA updates its key pair it must generate two extra CACertificate attribute values if certificates are made available using an X.500 directory (for a total of four: OldWithOld, OldWithNew, NewWithOld, and NewWithNew). When a CA changes its key pair those entities which have acquired the old CA public key via "out-of-band" means are most affected. It is these end entities who will need access to the new CA public key protected with the old CA private key. However, they will only require this for a limited period (until they have acquired the new CA public key via the "out-of-band" mechanism). This will typically be easily achieved when these end entities' certificates expire. The data structure used to protect the new and old CA public keys is a standard certificate (which may also contain extensions). There are no new data structures required."

Further Information
Information on the IETF can be found at www.ietf.org
Information on X.509: http://www.nci.ac.cn/os/linux/security/x509/X.509_4thEditionDraftV5.pdf
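The four-certificate key update quoted above from RFC 2510, and the authority key identifier point made under CA Key Rollover, as an added example in Go. This is not eTrust PKI's rollover tool or any of its code: it builds OldWithOld, NewWithOld, OldWithNew and NewWithNew for a constructed CA named "Demo Root CA" using the Go standard library, issues one end-entity certificate under each CA key, and uses the standard library's chain builder to show that a relying party holding only the old root accepts new-key issuance once NewWithOld is available, and that one holding only the new root accepts old-key issuance via OldWithNew. The subject names, serial numbers, validity periods and the truncated-SHA-256 key identifier are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// rolloverSet: the four CA certificates of RFC 2510 section 2.4 plus one end-entity
// certificate issued under each CA key. All names and keys are constructed in memory.
type rolloverSet struct {
	OldWithOld, OldWithNew, NewWithOld, NewWithNew *x509.Certificate
	LeafUnderOld, LeafUnderNew                     *x509.Certificate
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// keyID derives a key identifier from the public key bytes, so every certificate
// carrying the same key gets the same SKID (truncated SHA-256 here; RFC 5280 uses SHA-1).
func keyID(pub *ecdsa.PublicKey) []byte {
	sum := sha256.Sum256(must(x509.MarshalPKIXPublicKey(pub)))
	return sum[:20]
}

// caTemplate: the subject name is the same before and after rollover; only the key changes.
func caTemplate(serial int64, pub *ecdsa.PublicKey, from, to time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: from, NotAfter: to, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, SubjectKeyId: keyID(pub),
	}
}

// issue signs tmpl (certifying pub) with signer, whose own certificate is parent.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// buildRollover creates old and new CA keys, the four cross-signed CA certificates
// and one end-entity certificate issued under each key.
func buildRollover() *rolloverSet {
	oldKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	newKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	oldEnd := now.Add(365 * 24 * time.Hour)     // the old CA has a year left
	newEnd := now.Add(3 * 365 * 24 * time.Hour) // the new CA outlives what it signs
	s := &rolloverSet{}
	oldTmpl := caTemplate(1, &oldKey.PublicKey, now.Add(-2*365*24*time.Hour), oldEnd)
	s.OldWithOld = issue(oldTmpl, oldTmpl, &oldKey.PublicKey, oldKey)
	newTmpl := caTemplate(2, &newKey.PublicKey, now.Add(-time.Hour), newEnd)
	s.NewWithNew = issue(newTmpl, newTmpl, &newKey.PublicKey, newKey)
	// NewWithOld: the new public key certified by the old private key. Its AKID names
	// the old key and its SKID the new one; that is how two roots with one name differ.
	nwo := caTemplate(3, &newKey.PublicKey, now.Add(-time.Hour), oldEnd)
	nwo.AuthorityKeyId = s.OldWithOld.SubjectKeyId
	s.NewWithOld = issue(nwo, s.OldWithOld, &newKey.PublicKey, oldKey)
	// OldWithNew: the old public key certified by the new private key.
	own := caTemplate(4, &oldKey.PublicKey, now.Add(-time.Hour), oldEnd)
	own.AuthorityKeyId = s.NewWithNew.SubjectKeyId
	s.OldWithNew = issue(own, s.NewWithNew, &oldKey.PublicKey, newKey)
	leaf := func(serial int64) *x509.Certificate { // constructed end-entity template
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "user@example.test"},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(180 * 24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature,
		}
	}
	s.LeafUnderOld = issue(leaf(10), s.OldWithOld, &leafKey.PublicKey, oldKey)
	s.LeafUnderNew = issue(leaf(11), s.NewWithNew, &leafKey.PublicKey, newKey)
	return s
}

// verifyWith chains leaf to one trusted root, offering cross as intermediates;
// a nil error means the relying party accepts the certificate.
func verifyWith(leaf, root *x509.Certificate, cross ...*x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range cross {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	s := buildRollover()
	// A relying party that still trusts only OldWithOld rejects a certificate signed by
	// the new key until NewWithOld is supplied; one on NewWithNew needs OldWithNew.
	fmt.Println("old trust, new issuance, alone:     ", verifyWith(s.LeafUnderNew, s.OldWithOld))
	fmt.Println("old trust, new issuance, NewWithOld:", verifyWith(s.LeafUnderNew, s.OldWithOld, s.NewWithOld))
	fmt.Println("new trust, old issuance, OldWithNew:", verifyWith(s.LeafUnderOld, s.NewWithNew, s.OldWithNew))
	fmt.Println("leaf AKID names the new key:", bytes.Equal(s.LeafUnderNew.AuthorityKeyId, s.NewWithOld.SubjectKeyId))
}
```

Both roots carry the same subject name, so a verifier can only tell them apart through the subject and authority key identifiers; that is the extension the manual says issued certificates must contain. The cross certificates are given the old key's remaining lifetime, matching the RFC's point that they are only needed until relying parties have obtained the new key out of band.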
Chapter 5 Web Enrolment
Web enrolment enables local and remote users and the RA operator to conduct their certificate issuance and maintenance activities via a web server. Web enrolment removes the need for users to be physically present with the RA operator when requesting that a certificate be:
- Issued
- Revoked
- Renewed
- Recovered
The web enrolment server must be the same machine as the RA server.

Configuring Web Enrolment
To configure web enrolment:
1. Select Start, Programs, Computer Associates, eTrust PKI, Web Enrolment, Configuration. The Web Enrolment Configuration dialog is displayed with the current settings.
2. Edit the configuration and default approvers fields.
3. To access the advanced configuration settings, click Advanced.
4. Edit the specified DNs and approver Emails for specified DNs fields.
5. Click Save.
Tip: For information on the configuration fields and procedures click Help.

Starting the Web Enrolment Server
To start the web enrolment server:
1. Select Start, Programs, Computer Associates, eTrust PKI, Web Enrolment, Start Web Enrolment Server.
2. Enter the path to the client keystore filename, the .p12 file that contains your public key certificate and private key.
3. Enter the path to the trust store.
4. Enter your RA client logon passphrase and hit Enter.
5. Select "Start the servers". The web enrolment server connects with the RA server.

Issuing a Certificate—Workflow
The workflow involved to request, issue, and receive a new certificate is:
1. The user accesses the web enrolment web server via a web browser, enters their details, and submits the request.
2. The RA operator receives an email from the web enrolment server detailing the request.
3. The RA operator confirms the validity of the request then processes it.
4. The web enrolment server generates a request to the RA server to create a certificate.
5. The RA server generates a certificate and notifies the web enrolment server.
6. The web enrolment server notifies the RA operator and the user that the certificate has been generated. The user receives a notification email.
7. The user accesses the web enrolment web server via a web browser, downloads the certificate, and installs it.
(Figure: workflow between Users, RA Operator, Web Enrollment Server and RA Server.)

User Tasks
All of the user tasks are performed from the eTrust PKI Workflow interface page of the web enrolment server. The user can issue a request to:
- Create a certificate
- Recover a private key
- Renew a certificate
- Revoke a certificate

Requesting a New Certificate
To request a new certificate via the web interface:
1. Open Internet Explorer and enter the address of the web enrolment web server (https://webservercomputername.domain.com:8443/user/index.html). The eTrust PKI Workflow home page is displayed.
2. Select Create a Certificate. The Create a Certificate page is displayed.
3. Enter details into the fields. For information on the fields click Help.
4. Click Submit. An email containing the details of the request is generated and sent to the RA operator.
5. Wait for the RA operator to process the request and respond via email. The email is sent to the address specified in step 3.
6. Open the notification email from the RA operator.
7. Click on the hyperlink.
8. Enter the passphrase you used in step 3 and click Download. The File Download dialog is displayed.
9. Specify a location to save the file to and click Save. The filename.p12 certificate downloads.
10. Locate the file and double-click it. A wizard is displayed.
11. Follow the steps in the wizard to extract and save the certificate in the Microsoft Certificate key store.

Requesting that a Certificate be Renewed
To request that a certificate be renewed via the web interface:
1. Open Internet Explorer and select Tools, Internet Options. The Internet Options dialog is displayed.
2. Select the Contents tab and click Certificates.
3. Double click on the certificate to be renewed. The Certificate dialog is displayed.
4. Select the Details tab and record the Serial Number of the certificate.
5. Close the dialog and return to the Internet Explorer home screen.
6. Enter the address of the web enrolment web server (https://webservercomputername.domain.com:8443/user/). The eTrust PKI Workflow home page is displayed.
7. Select Renew a Certificate. The Renew a Certificate page is displayed.
8. Enter details into the fields using the serial number recorded in step 4 and the certificate passphrase. For information on the fields click Help.
9. Click Submit. An email containing the details of the request is generated and sent to the RA operator.
10. Wait for the RA operator to process the request and respond via email. The email is sent to the address specified in step 8.
11. Open the notification email from the RA operator and click on the hyperlink. The Collect a Certificate page is displayed.
12. Click Download. The File Download dialog is displayed.
13. Specify a location to save the file to and click Save. The filename.p12 certificate downloads.
14. Locate the file and double click it. A wizard is displayed.
15. Follow the steps in the wizard to extract and save the certificate in the Microsoft Certificate key store.

Requesting that a Private Key be Recovered
To request that a private key be recovered via the web interface:
1. Open Internet Explorer and select Tools, Internet Options. The Internet Options dialog is displayed.
2. Select the Contents tab and click Certificates.
3. Double click on the certificate of the key to be recovered. The Certificate dialog is displayed.
4. Select the Details tab and record the Serial Number of the certificate.
5. Return to the Internet Explorer home screen.
6. Enter the address of the web enrolment web server (https://webservercomputername.domain.com:8443/user/). The eTrust PKI Workflow home page is displayed.
7. Select Recover a Private Key. The Recover a Private Key page is displayed.
8. Enter details into the fields using the serial number recorded in step 4, and the passphrase you used when requesting the certificate. For information on the fields click Help.
9. Click Submit. An email containing the details of the request is generated and sent to the RA operator.
10. Wait for the RA operator to process the request and respond via email. The email is sent to the address specified in step 8.
11. Open the notification email from the RA operator and click on the hyperlink. The Certificate Collection page is displayed.
12. Click Download. The File Download dialog is displayed.
13. Specify a location and click Save. The name.p12 certificate downloads.
14. Locate the file and double click it. A wizard is displayed.
15. Follow the steps in the wizard to extract and save the certificate in the Microsoft Certificate key store.

Requesting that a Certificate be Revoked
To request that a certificate be revoked via the web interface:
1. Open Internet Explorer and select Tools, Internet Options. The Internet Options dialog is displayed.
2. Select the Contents tab and click Certificates.
3. Double click on the certificate to be revoked. The Certificate dialog is displayed.
4. Select the Details tab and record the Serial Number of the certificate.
5. Return to the Internet Explorer home screen.
6. Enter the address of the web enrolment web server (https://webservercomputername.domain.com:8443/user/). The eTrust PKI Workflow home page is displayed.
7. Select Revoke a Certificate. The Revoke a Certificate page is displayed.
8. Enter details into the fields using the serial number recorded in step 4, and the passphrase entered when requesting the certificate. For information on the fields click Help.
9. Click Submit. An email containing the details of the request is generated and sent to the RA operator.
10. Wait for the RA operator to process the request and respond via email. The email is sent to the address specified in step 8.
11. The certificate is revoked and a notification email is sent to the RA operator and the user.

Web Enrolment RA Operator Tasks
The RA Operator:
- Responds to email requests from the users
- Views the status and history of the tasks performed

Creating a Certificate
To process a certificate request from the web:
1. Open the email that arrived from the user and click on the hyperlink. The Client Authentication dialog is displayed.
2. Confirm your identity by selecting your certificate (the RAC operator certificate) and clicking OK. The eTrust PKI Web Enrolment Operator home page is displayed.
3. Examine the request details and perform the required verification checks.
4. Tick the Approve Request or Deny Request radio button.
Tip: If you reject a request, add a comment explaining why it was rejected. This is included in the notification email to the user.
5. Click Submit. If you approved the request, the web enrolment server:
   - Sends a request to the RA server for the certificate to be generated
   - Sends an email containing a hyperlink to the certificate to the user
   - Sends an email confirming that the certificate was generated to your email address

Recovering a Private Key
To recover a private key with the web enrolment server:
1. Open the email that arrived from the user and click on the hyperlink. The Client Authentication dialog is displayed.
2. Confirm your identity by selecting your certificate and clicking OK. The eTrust PKI Web Enrolment dialog is displayed.
3. Examine the request details and perform the required verification checks.
4. Tick the Approve Request or Deny Request radio button.
Tip: If you reject a request, add a comment explaining why it was rejected. This is included in the notification email to the user.
5. Click Submit. If you approved the request, the web enrolment server:
   - Sends a request to the RA server for the private key to be recovered
   - Sends an email containing a hyperlink to the recovered private key to the user
   - Sends an email confirming that the private key was recovered to your email address

Revoking a Certificate
To revoke a certificate with the web enrolment server:
1. Open the email that arrived from the user and click on the hyperlink. The Client Authentication dialog is displayed.
2. Confirm your identity by selecting your certificate and clicking OK. The eTrust PKI Web Enrolment dialog is displayed.
3. Examine the request details and perform the required verification checks.
4. Tick the Approve Request or Deny Request radio button.
Tip: If you reject a request, add a comment explaining why it was rejected. This is included in the notification email to the user.
5. Click Submit. If you approved the request, the web enrolment server:
   - Sends a request to the RA server for the certificate to be revoked
   - Sends an email confirming that the certificate was revoked to the user
   - Sends an email confirming that the certificate was revoked to your email address

Renewing a Certificate
To renew a certificate with the web enrolment server:
1. Open the email that arrived from the user and click on the hyperlink. The Client Authentication dialog is displayed.
2. Confirm your identity by selecting your certificate and clicking OK. The eTrust PKI Web Enrolment dialog is displayed.
3. Examine the request details and perform the required verification checks.
4. Tick the Approve Request or Deny Request radio button.
Tip: If you reject a request, add a comment explaining why it was rejected. This is included in the notification email to the user.
5. Click Submit. If you approved the request.
the web enrolment server: § § § Sends a request to the RA server for the certificate to be renewed Sends an email containing a hyperlink to the renewed certificate to the user Sends an email confirming that the certificate was renewed to your email address Tip: If you reject a request. Confirm your identity by selecting your certificate and clicking OK. 2. Examine the request details and perform the required verification checks. 3. 4. Tick the Approve Request or Deny Request radio button Click Submit. The Client Authentication dialog is displayed. The eTrust PKI Web Enrolment dialog is displayed. 5–12 eTrust PKI Administrator Guide . Open the email that arrived from the user and click on the hyperlink. 5. add a comment explaining why it was rejected. Select See all Certificate Requests. The eTrust PKI Workflow Operator home page is displayed. 4. Open Internet Explorer and enter the address of the web enrolment operator web server (https://webservercomputername. You can: § § View the status of certificate requests Process open certificate requests Viewing and Processing Certificate Requests To view all certificate requests: 1.domain. 2. Web Enrolment 5–13 . Open requests have their ID displayed as a hyperlink. 3. To process an open request select the ID hyperlink. Approve or deny the request. The Certificate Requests page is displayed.html).Web Enrolment RA Operator Tasks Viewing Web Enrolment Activity The eTrust PKI Workflow Operator home page displays the status of the web enrolment tasks. The Approve a Request page is displayed.com:8444/operator/index. Viewing and Processing Recovery Requests To view all recovery requests: 1. Approve or deny the request. The Recovery Requests page is displayed. 3.domain.html). Open Internet Explorer and enter the address of the web enrolment operator web server (https://webservercomputername.Web Enrolment RA Operator Tasks Viewing and Processing Revocation Requests To view all revocation requests: 1. Approve or deny the request. 
Viewing and Processing Renewal Requests To view all renewal requests: 1. The Approve a Request page is displayed. The Revocation Requests page is displayed. 4. 2. 2. The Renewal Requests page is displayed.html).com:8444/operator/index. The Approve a Request page is displayed.com:8444/operator/index. 2. 3.domain. The eTrust PKI Workflow Operator home page is displayed. Approve or deny the request. 3. Select See all Revocation Requests. The eTrust PKI Workflow Operator home page is displayed. 4. Select See all Revocation Requests. Open requests have their ID displayed as a hyperlink To process a request select the ID hyperlink. 5–14 eTrust PKI Administrator Guide . Open Internet Explorer and enter the address of the web enrolment operator web server (https://webservercomputername.html). Open requests have their ID displayed as a hyperlink To process a request select the ID hyperlink. Select See all Renewal Requests.domain. Open Internet Explorer and enter the address of the web enrolment operator web server (https://webservercomputername. The eTrust PKI Workflow Operator home page is displayed. Open renewals have their ID displayed as a hyperlink To process a request select the ID hyperlink. 4.com:8444/operator/index. The Approve a Request page is displayed. 3. Navigate to %PKIHOME%\tomcat\user\images. 3. 6.gif.css files with your new one. 2. Navigate to %PKIHOME%\tomcat\operator\images.gif.Customizing the Web Enrolment Interface Customizing the Web Enrolment Interface Important! You must have write privileges to the web enrolment server to complete these tasks. To change the logo on the eTrust Workflow pages: 1. Make a backup of the original logo.gif with your new logo. Replace the original logo.gif. Customizing the eTrust PKI Workflow Logo The logo displayed in the top left hand corner of each eTrust PKI Workflow Dialog can be replaced with your company logo. Replace the original stylesheet. 2. 
The style sheet determines things such as the types of font and background colors. To change the style of the eTrust Workflow pages: 1.gif with your new logo. 5. Replace the original logo.css and %PKIHOME%\tomcat\user\stylesheet. Make a backup of the files: %PKIHOME%\tomcat\operator\stylesheet.gif.css that reflects your corporate font/color scheme. 7. 4. Create a gif file with the same dimensions as logo. Create a new stylesheet.gif. Web Enrolment 5–15 . Customizing the eTrust PKI Workflow Style Sheet The general appearance of the eTrust PKI Workflow Dialogs is controlled by a cascading style sheet. Make a backup of the original logo.css. CountryValue.gif. Make a backup of the original splashscreen.gif with your new splashscreen. Navigate to %PKIHOME%\tomcat\user\images.gif.Customizing the Web Enrolment Interface Customizing the eTrust PKI Workflow Home Screen You can replace the home screen picture displayed in the eTrust PKI Workflow Dialog with a picture of your choice. Organization and Org Unit fields of the distinguished name.Testing SecondGroup. 4.gif. Make a backup of the original splashscreen.US. Each value is separated by a comma.AU. To change the splash screen on the eTrust Workflow pages: 1.HR 5–16 eTrust PKI Administrator Guide . Replace the original splashscreen. Customizing the Group Drop Down List The group drop down list pre-populates the Country.Marketing ThirdGroup. The structure of this file is: Groupname. Org UnitValue.AU. for example: FirstGroup.gif. 7.txt. 6. 2. Each new line represents a new group. The options the user can select from are in the: %PKIHOME%\tomcat\user\web-inf\classes\groups.gif.Acme. OrganizationValue. Replace the original splashscreen. Navigate to %PKIHOME%\tomcat\operator\images.gif with your new splashscreen. 5. 3. Create a gif file with the same dimensions as splashscreen.Acme.Acme. HR FourthGroup.Acme. Navigate to Create a Certificate Request.Acme.Customizing the Web Enrolment Interface To add a group to the list: 1. 4. 
Select the new group.UK. 3.US. Reboot the user web server. The DN fields are populated.Acme.Marketing ThirdGroup. Web Enrolment 5–17 . Save the file. For example: FirstGroup. 5. The new group is displayed in the list.Finance 2. Open the file and add the new group.Testing SecondGroup. 6.AU.AU.WidgetCo. Select the drop down list. Use the batch processor to: § § § § § Create certificates (using a GUI or as a command line tool) Revoke certificates Renew certificates Create reports Generate CRLs on demand Batch Processing 6–1 .Chapter 6 Batch Processing The batch processor enables you to process a large number of transactions. and renew certificates are in %PKIHOME%\doc\samples. When specifying command line parameters. The batch file batchc. there must be one or more spaces after the switch. This example will work: batchc –p “Generic Utility Certificate version 1. Examples of the text files used to create.log. It can be executed from any directory when using the command line.0” § Delimiters chosen must be unique. revoked.Using the PKI Batch Tool Using the PKI Batch Tool Important points to remember when using the PKI batch tool are: § Syntax is paramount. This is made easy by the fact that delimiters can be multiple characters in length. or renewed by the batch client is logged to the text file %PKIHOME%\lib\batchc_retry.bat is located in %PKIHOME%\lib directory. Values for basic key usage and extended key usage are separated by a pipe symbol (|). revoke. A certificate that is not created.0” This example will not work: batchc –p“Generic Utility Certificate version 1. and should not occur naturally within the text file. Use this file to correct any errors and retry the process. § § § § 6–2 eTrust PKI Administrator Guide . for example: ZZZZ9999. c om.com . Create a text file that contains the details of the certificates to be produced.10/15/2003.OU=Users.10/15/2003. 
Creating Certificates in Batch Mode

To create certificates in batch mode:

1. Open the RA client and select View Profiles.
2. Examine the profile and note all profile attributes marked 'editable'.
3. Create a text file that contains the details of the certificates to be produced. The text file needs to include an entry for every editable field for every entity being issued a certificate. The fields required for the text file are determined by the certificate profile selected for the type of certificate to be issued to the user. The entries must be in the same order as they appear in the profile. Typical input may look like:

   C=US,OU=Users,O=CAI Example,CN=Andrew Bumblebee,email:[email protected],10/15/1999,10/15/2003,nonRepudiation|digitalSignature,clientAuth|serverAuth
   C=US,OU=Users,O=CAI Example,CN=Bart Cummins,email:[email protected],10/15/1999,10/15/2003,nonRepudiation|digitalSignature,clientAuth|serverAuth

   Or:

   _password_secret01_password_C=US,OU=Users,O=CAI Example,CN=Andrew Bumblebee,email:[email protected],10/15/1999,10/15/2003,nonRepudiation|digitalSignature,clientAuth|serverAuth
   _password_secret02_password_C=US,OU=Users,O=CAI Example,CN=Bart Cummins,email:[email protected],10/15/1999,10/15/2003,nonRepudiation|digitalSignature,clientAuth|serverAuth

   This makes the passphrase to the certificate issued to Andrew Bumblebee secret01 and the passphrase to the certificate issued to Bart Cummins secret02. Otherwise, the default passphrase "secret" is used.
4. To use the GUI to facilitate the production of the batch certificates type one of the following on the command line:

   batchc -genCert -gui

   or

   batchc -genCert -gui -certPassword secret4all

   This makes "secret4all" the passphrase for all the certificates created by the job. The RAC batch client logon information is displayed.
5. Click Browse and select the client keystore to log onto the batchc application.
6. Enter your passphrase and click Login.
7. Select the profile for the type of certificate to be issued. A profile is the full name of the certificate template used to create certificates.
8. Select the file containing the input data and the delimiter used to define the end of each entity.
9. Select the output directory the certificates will be saved in.
10. To run the entire process from the command line use the command:

   batchc -genCert -profile "<Profile>" -datafile "<datafile>" -delimiter "<delimiter>" -outputDir "<output directory>" -keystore "<keystore location>" -keypassword "<password>"

   Tip: Keystore details can be optionally entered with the certificate creation command. This reduces the command entry to one from three (creation, keystore location, and passphrase). If these are not entered the program prompts for their input.

Revoking Certificates in Batch Mode

To revoke certificates in batch mode:

1. Create a data file that contains the DN, Serial Number, and revocation reason of the certificate to be revoked. For example:

   C=US,OU=Users,O=CAI Example,CN=Andrew Bumblebee,21,keyCompromise

2. From the command line, enter the command:

   batchc -revokeCert -dataFile "<dataFile>" -delimiter "<delimiter>"

Renewing Certificates in Batch Mode

To renew certificates in batch mode:

1. Create a data file that contains the DN, Serial Number, and a new 'valid to:' date of the certificate to be renewed. For example:

   C=US,OU=Users,O=CAI Example,CN=Andrew Bumblebee,28,10/10/2007

2. From the command line, enter the command:

   batchc -renewCert -datafile "<datafile>" -delimiter "<Delimiter>" -outputDir "<output directory>"
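The three data-file layouts above (create, revoke, renew) share one shape: an optional _password_…_password_ prefix, a comma-separated distinguished name, then the remaining fields in profile order, with entities separated by a delimiter of the operator's choosing. The following Go program, an added example that is not part of the eTrust PKI batch tool, parses that shape and applies the checks an operator would want before running batchc: a non-empty delimiter that cannot collide with the field separators, a terminated passphrase prefix, a DN on every record, and the same field count on every record (batchc maps fields by position, so a short record silently shifts every later field). It treats any leading "key=value" tokens as the DN and "email:" as an ordinary field, which matches the page's samples but is an assumption; the ParseDataFile, Entry and Usage names and the example.com addresses are the author's of this example, not the product's.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Added example, not eTrust PKI code: a parser for batchc data files as
// shown in the guide's samples. Assumptions: leading "X=value" tokens form
// the DN, the _password_<pass>_password_ prefix is optional, and the
// default passphrase is "secret" when the prefix is absent.

const (
	passwordMarker    = "_password_"
	defaultPassphrase = "secret"
)

// Entry is one entity record from a create, revoke or renew data file.
type Entry struct {
	Passphrase string   // PKCS#12 passphrase for the issued certificate
	DN         string   // distinguished name, comma-joined RDNs
	Fields     []string // remaining fields, mapped by position onto the profile
}

// Usage splits a key-usage field ("nonRepudiation|digitalSignature") on the
// pipe symbol the batch tool uses for basic and extended key usage.
func Usage(field string) []string {
	return strings.Split(field, "|")
}

// isRDN reports whether a token looks like a DN component such as C=US.
// "email:user@host" has no '=' and so is treated as an ordinary field.
func isRDN(tok string) bool {
	i := strings.Index(tok, "=")
	return i > 0 && !strings.ContainsAny(tok[:i], ":/| ")
}

// ParseDataFile splits data on delimiter and parses every record. Each
// error names the record so the file can be corrected before batchc runs
// rather than after an entry lands in batchc_retry.log.
func ParseDataFile(data, delimiter string) ([]Entry, error) {
	if delimiter == "" || strings.ContainsAny(delimiter, ",|") {
		return nil, errors.New("delimiter must be non-empty and must not contain ',' or '|'")
	}
	var entries []Entry
	for n, rec := range strings.Split(data, delimiter) {
		rec = strings.TrimSpace(rec)
		if rec == "" {
			continue // blank record or trailing delimiter
		}
		e := Entry{Passphrase: defaultPassphrase}
		if strings.HasPrefix(rec, passwordMarker) {
			rest := rec[len(passwordMarker):]
			end := strings.Index(rest, passwordMarker)
			if end < 0 {
				return nil, fmt.Errorf("record %d: unterminated %s prefix", n+1, passwordMarker)
			}
			e.Passphrase = rest[:end]
			rec = rest[end+len(passwordMarker):]
		}
		toks := strings.Split(rec, ",")
		var rdns []string
		for len(toks) > 0 && isRDN(toks[0]) {
			rdns = append(rdns, toks[0])
			toks = toks[1:]
		}
		if len(rdns) == 0 {
			return nil, fmt.Errorf("record %d: no distinguished name", n+1)
		}
		e.DN = strings.Join(rdns, ",")
		e.Fields = toks
		if len(entries) > 0 && len(e.Fields) != len(entries[0].Fields) {
			return nil, fmt.Errorf("record %d: %d fields, record 1 has %d", n+1, len(e.Fields), len(entries[0].Fields))
		}
		entries = append(entries, e)
	}
	return entries, nil
}

// Constructed sample files using the delimiter ZZZZ9999; the e-mail
// addresses are placeholders, not the ones from the guide.
const (
	Delimiter  = "ZZZZ9999"
	CreateData = "_password_secret01_password_C=US,OU=Users,O=CAI Example,CN=Andrew Bumblebee," +
		"email:andrew@example.com,10/15/1999,10/15/2003,nonRepudiation|digitalSignature,clientAuth|serverAuth" +
		Delimiter + "\n" +
		"C=US,OU=Users,O=CAI Example,CN=Bart Cummins," +
		"email:bart@example.com,10/15/1999,10/15/2003,nonRepudiation|digitalSignature,clientAuth|serverAuth" +
		Delimiter + "\n"
	RevokeData = "C=US,OU=Users,O=CAI Example,CN=Andrew Bumblebee,21,keyCompromise" + Delimiter
)

func main() {
	entries, err := ParseDataFile(CreateData, Delimiter)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, e := range entries {
		fmt.Printf("%s passphrase=%s keyUsage=%v\n", e.DN, e.Passphrase, Usage(e.Fields[3]))
	}
}
```

Running the check before the job means a malformed file is rejected as a whole instead of producing a partial run plus a retry log; the same parser accepts the revoke and renew files because they differ from the create file only in what follows the DN.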
Creating a CRL on Demand

The genCrl command creates a new CRL. This command is case sensitive. Use it with the scheduling software built into most operating systems to schedule regular CRL production for auditing and legal purposes.

From the command line, enter the command:

batchc -genCrl

Specifying the File Name and Path

This option allows the report logs to be created and stored in the path\filename of your choice. From the command line, enter the command:

batchc -report -query "<Query Name>" -outputFile "<Output Path and Filename>"

Note: The query must already be configured and saved using the Reporting option from the RAC before it can be run from the command line.

Chapter 7 Software Development Kit (SDK)

This chapter describes the key eTrust PKI SDK concepts.

Central Concepts

The SDK provides functionality that enables the use of public key cryptography in applications. Central concepts for the use of the eTrust PKI SDK are:

• Keys
• Certificates
• Cryptographic providers

Most of the API functions take handles representing these types of objects.

Keys

Keys are used for encrypting/decrypting data. Both symmetric keys and asymmetric keys (public/private key pairs) are available. Symmetric keys complement public key/private key pairs by providing a less computationally intensive encryption operation. Each key is associated with a specific encryption algorithm. To use a key it must be associated with a cryptographic provider. A key should not be used after its associated provider has been closed.

Certificates

A certificate is a signed electronic document that asserts that a particular entity is the holder of the private key that corresponds to a particular public key. The certificate specifies the name of the entity, the name of the authority that makes this assertion, and the public key. Although certificates are frequently stored within cryptographic providers, they can exist independently and can be used even if the providers they have been loaded from are offline.

Cryptographic Providers

A cryptographic provider represents a device that can store certificates and keys. This may be a hardware device such as a smart card, or it may be implemented entirely in software. When communicating with hardware providers the ETCER API uses the PKCS#11 Cryptographic Token Interface Standard. Users of the ETCER API should be aware that not all hardware providers implement all algorithms detailed in this standard and not all hardware providers implement the standard in the same way. Although efforts have been made to ensure that the ETCER API will handle such variations in a robust fashion, it cannot be guaranteed that the ETCER API will be able to perform exactly as described for all such devices on the market.

A default provider is created when the API is initialized, using information specified in a configuration file. The default provider holds all of the trusted certificates. After initialization, it is not possible to add more certificates to the default provider. To use the default provider NULL should be passed instead of a provider handle.

Core Functionality

The ETCER API is designed to provide simple access to common cryptographic functions. The functions that are available with this version include:

• Encrypting/Decrypting
• Signing/Verifying
• Certificate validation
• Extracting certificate details

Encrypting/Decrypting

There are two types of encryption/decryption supported by the ETCER API:

• Symmetric—encrypts and decrypts using the same key. Symmetric is better suited to large amounts of data than asymmetric encryption/decryption and is usually faster. The biggest drawback with this method is finding a secure way for the sender of a message to inform the intended recipient of the symmetric key used. This method also fails to scale well as each individual that wishes to secretly communicate needs to have a shared secret with each other party.
• Asymmetric—requires a key pair. Data encrypted with either one of the keys must be decrypted using the other key. Usually one of these keys will be designated the private key and kept secret; the other will be designated the public key and may be freely distributed. The sender of a message can encrypt the message with the desired recipient's public key. The recipient can then decrypt the message using the associated private (secret) key. This allows systems that use asymmetric encryption to scale far better than systems that use symmetric keys. This form of encryption is not well suited to large amounts of data.
To get the best from both forms of encryption the following method is used:

• The sender of a message generates a symmetric key
• The sender uses the symmetric key to encrypt the message
• The sender uses the recipient's public key to encrypt the symmetric key—this is because the public key is usually very short compared to the actual message
• The sender sends both the encrypted message and the encrypted symmetric key to the recipient
• The recipient decrypts the symmetric key using their private key
• The recipient uses the decrypted symmetric key to decrypt the message

This combination of symmetric/asymmetric encryption has a secondary benefit. When sending the same document to multiple recipients the document only needs to be encrypted once. The symmetric key used to encrypt the document can then be asymmetrically encrypted for each recipient using the recipient's public key.

Sample code that illustrates encryption and decryption is provided within the samples folder of the ETCER SDK installation. See the appropriate readme files for further details.
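The six-step method above, and its multiple-recipient benefit, in working code. This is an added example written against the Go standard library; it is not the ETCER SDK sample code and uses none of the ETCER API. The algorithm choices (AES-256-GCM for the message, RSA-OAEP with SHA-256 to wrap the content key) and the Envelope, Seal and Open names are this example's, not the product's; the guide does not name the ciphers its SDK uses. Each recipient's name is used as the OAEP label so that a wrapped key can only be unwrapped under the name it was wrapped for, and the GCM tag turns any change to the ciphertext into a decryption failure.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Added example, not ETCER SDK code: the symmetric/asymmetric combination
// described in the guide. The message is encrypted once under a fresh
// content key; that key is wrapped once per recipient with RSA-OAEP.

// Envelope is what the sender transmits.
type Envelope struct {
	Nonce      []byte            // GCM nonce, unique per message
	Ciphertext []byte            // message encrypted under the content key
	WrappedKey map[string][]byte // recipient name -> RSA-OAEP(content key)
}

// Seal generates a content key, encrypts msg with it and wraps the key for
// every recipient's public key (steps 1 to 3 of the method above).
func Seal(msg []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	if len(recipients) == 0 {
		return nil, errors.New("no recipients")
	}
	key := make([]byte, 32) // AES-256 content key
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, msg, nil),
		WrappedKey: make(map[string][]byte, len(recipients)),
	}
	for name, pub := range recipients {
		// The recipient name is the OAEP label: a key wrapped for "alice"
		// does not unwrap as "bob" even with the right private key.
		wk, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(name))
		if err != nil {
			return nil, fmt.Errorf("wrap key for %s: %w", name, err)
		}
		env.WrappedKey[name] = wk
	}
	return env, nil
}

// Open unwraps the content key with the named recipient's private key and
// decrypts the message (steps 5 and 6). Tampering fails the GCM tag check.
func Open(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	wk, ok := env.WrappedKey[name]
	if !ok {
		return nil, fmt.Errorf("%s is not a recipient of this envelope", name)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wk, []byte(name))
	if err != nil {
		return nil, fmt.Errorf("unwrap key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, err := Seal([]byte("constructed sample message"), map[string]*rsa.PublicKey{
		"alice": &alice.PublicKey, "bob": &bob.PublicKey,
	})
	if err != nil {
		fmt.Println("seal:", err)
		return
	}
	pt, err := Open(env, "bob", bob)
	fmt.Printf("bob reads: %q (err=%v)\n", pt, err)
}
```

The envelope carries one ciphertext however many recipients there are; only the small wrapped-key table grows, which is exactly the scaling benefit the section describes.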
Signing/Verifying

Digital signing and verifying of data can be used to ensure that the data has come from a particular source and that the data has not been tampered with. Signing is the process of generating a digital signature for a piece of data (often a document or a certificate). Signatures are a fixed length and are generated by first generating a digital hash or 'fingerprint' of the document and then encrypting that 'fingerprint' using the signing entity's private key.

Verifying is the process of testing that a digital signature and a piece of data match. Verification is performed using the public key associated with the private key used during signing. If the data being checked is not the same as the data that was signed, the signature will be invalid. If the public key used is not valid for the private key used during signing, the signature will also be invalid. It is not possible to distinguish between a signature being found invalid because of tampering with the document content, or because the private key used during signing is not the pair of the public key used during verification.

Sample code is provided in the samples folder of the ETCER SDK installation that illustrates signing and verification. See the appropriate readme files for further details.

Validating Certificates

Certificates provide a means of associating a public key with a particular entity, so that those using the public key can feel secure in the knowledge that the key really does belong to the entity that they think it belongs to. Certification authorities issue certificates. These authorities sign the certificates they issue. The certificate authority will provide a certificate that can be used to verify this signature. This certificate will either be signed by another certificate authority or, if the authority in question is a root certificate authority, it may be self-signed. This is said to occur when a certificate authority signs its own certificate. It is up to the relying party to decide for themselves whether or not to trust a self-signed certificate. The chain of certificate signing that results is called a certification path.

Before using a certificate it is vital to check that it is valid. A certificate may be deemed invalid if:

• It is out of date, either being used before or after its valid date range
• The issuing certificate authority has revoked it
• No certificate in the certification path is trusted by the entity performing the validation

The ETCER API supports all of the above aspects of certificate authentication. Sample code is provided in the samples folder of the ETCER SDK installation that illustrates validation. See the appropriate readme files for further details.

Extracting Certificate Details

X.509 type certificates can contain a wealth of information, such as the certificate serial number, who issued the certificate, and who is the subject of the certificate. It is often important to be able to extract this information in a portable, human-readable form. For example, a user who possesses a number of certificates for different aspects of their business can browse through these certificates so that they can identify the one they wish to use to sign a document. The ETCER API provides such access to various certificate fields, returning the values as null terminated strings. Sample code is provided in the samples folder of the ETCER SDK installation that illustrates the extracting and printing of certificate details. See the appropriate readme files for further details.
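The signing, verification and certification-path rules from the two sections above, carried through in working code. This is an added example built on the Go standard library; it is not the ETCER SDK sample code and does not use the ETCER API. A self-signed root issues an end-entity certificate, the end entity signs a document with its private key, and a relying party verifies the signature with the certificate's public key and then validates the certificate against the root it trusts at a chosen time, so that an out-of-date certificate and an untrusted path are both rejected. The Identity, NewRootCA, Issue, Sign, Verify and Validate names, the 2048-bit RSA keys and the PKCS#1 v1.5/SHA-256 signature scheme are this example's choices, not the product's; revocation checking (the second invalidity reason in the list) is not shown.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Added example, not ETCER SDK code: signing, verification and
// certification-path validation with the Go standard library.

// Identity pairs a private key with its certificate.
type Identity struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// issue creates a 2048-bit RSA key and a certificate for tmpl signed by
// signer. With signer == nil the new key signs its own certificate, which
// is what "self-signed" means in the text.
func issue(tmpl, parent *x509.Certificate, signer *rsa.PrivateKey) (*Identity, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	if signer == nil {
		signer, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Key: key, Cert: cert}, nil
}

// NewRootCA creates a self-signed certificate authority valid for one day.
func NewRootCA(name string, now time.Time) (*Identity, error) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// Issue signs an end-entity certificate with the CA's key. The validity
// window is a parameter so that an expired certificate can be produced.
func (ca *Identity) Issue(name string, serial int64, notBefore, notAfter time.Time) (*Identity, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca.Cert, ca.Key)
}

// Sign hashes the document and signs the fixed-length digest with the
// signer's private key (RSA PKCS#1 v1.5 with SHA-256).
func Sign(signer *Identity, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, signer.Key, crypto.SHA256, digest[:])
}

// Verify checks sig over doc with the public key in cert. A tampered
// document and a key that is not the signer's pair fail the same way.
func Verify(cert *x509.Certificate, doc, sig []byte) error {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return rsa.ErrVerification
	}
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// Validate builds the certification path from cert to one of roots as of
// time at. An empty root set trusts nothing, so an untrusted path and an
// out-of-date certificate are both reported as errors.
func Validate(cert *x509.Certificate, roots []*x509.Certificate, at time.Time) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

Validate takes the evaluation time as a parameter rather than reading the clock, which is what lets a relying party check a signature made in the past against the certificate's validity at that time, and what makes the expiry rule testable without waiting.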
The ETCER Configuration Object

The ETCER configuration object stores configuration information grouped into various sections. None of these sections is mandatory; however, some properties within a section may be mandatory should that section exist. Missing mandatory properties or incorrect values may cause some functionality to be unavailable, or may cause the API initialization to fail.

Setting Properties

Properties and sections within a configuration object can be created and/or updated directly using the ETCER API function calls:

Etcer_OpenConfigSection
Etcer_CloseConfigSection
Etcer_SetConfigString

Configuration information can also be imported from a file using the ETCER API function call:

Etcer_ImportConfigFile

The file is structured as a Microsoft Windows initialization file. For example, to set the 'initpem' property of the 'default' section the file would look like:

[default]
initpem=root.pem

The Default Section

This section is used to set properties for the default provider and has the supported property:

• initpem—used to specify the name of a PEM format file containing one or more trusted certificates. If a file is specified but not found, initialization of the API fails.

The OCSP Section

This section is used to specify details of an OCSP responder to use during validation. The following properties are supported:

• library—the client library to load for OCSP support. If the value of this property is not a fully qualified path name then the default system rules for locating dynamic link libraries are used to locate the library.
• responder—set this property to the URL where the OCSP responder can be located.
• timeout—set this property to the maximum time to wait for a response from the OCSP responder. The time is specified in milliseconds. A timeout of zero indicates that there is no timeout for requests.
• httpproxy—(optional) set this property to the URL of the http proxy server used to connect to the OCSP responder. If this property is not set, connection will be attempted directly to the URL specified by the responder property.
• trustedcert—(optional) set this property to the name of a PEM format file containing a trusted certificate that can be used to verify the responder's response.

The Provider Sections

Zero or more sections can be supplied to specify providers. Each section must be given a unique name that does not clash with one of the reserved section names, these being 'default' and 'ocsp'. Each provider section must include the properties:

• type—the type of interface used when communicating with this provider. The only value accepted in the current version is pkcs11.
• library—the driver library to load when using this provider. If the value of this property does not include a fully qualified path name then the default system rules for locating driver libraries will be used to locate the library. Under Windows the most common form this driver library will take is a DLL.
• slot—the number of the slot that is managed by the specified library.
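The section rules above (optional sections, reserved names, mandatory properties per section, pkcs11 as the only provider type) are the kind of thing worth checking before a file reaches Etcer_ImportConfigFile, because the text says a bad file can fail initialization outright. The following Go program is an added example that reads the initialization-file layout and reports every rule violation at once; it is not ETCER SDK code and does not call the ETCER API. It compares section and property names in lower case, which is an assumption (the guide does not say how ETCER compares them), and the ParseINI, Validate and Providers names and the sample library and responder values are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Added example, not ETCER SDK code: a reader and checker for the Windows
// initialization-file layout the configuration object imports. Assumption:
// names are compared in lower case; the guide does not state ETCER's rule.

// Config maps a section name to its properties.
type Config map[string]map[string]string

// ParseINI reads [section] headers and key=value lines, ignoring blank
// lines and ';' comments. A property before any header is rejected because
// the ETCER file has no global properties.
func ParseINI(text string) (Config, error) {
	cfg := Config{}
	section := ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, ";"):
			continue
		case strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]"):
			section = strings.ToLower(strings.TrimSpace(line[1 : len(line)-1]))
			if _, dup := cfg[section]; dup || section == "" {
				return nil, fmt.Errorf("line %d: bad or duplicate section header %q", n, line)
			}
			cfg[section] = map[string]string{}
		default:
			kv := strings.SplitN(line, "=", 2)
			if len(kv) != 2 || section == "" {
				return nil, fmt.Errorf("line %d: expected key=value inside a section", n)
			}
			cfg[section][strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
		}
	}
	return cfg, sc.Err()
}

// Validate returns one message per rule violation; an empty result means
// the file satisfies every rule the guide states.
func Validate(cfg Config) []string {
	var problems []string
	report := func(format string, args ...interface{}) {
		problems = append(problems, fmt.Sprintf(format, args...))
	}
	require := func(section string, keys ...string) {
		for _, k := range keys {
			if cfg[section][k] == "" {
				report("[%s] missing mandatory property %q", section, k)
			}
		}
	}
	for name, props := range cfg {
		switch name {
		case "default": // initpem is optional; a missing file shows up only at init
		case "ocsp":
			require(name, "library", "responder", "timeout")
			if t, ok := props["timeout"]; ok {
				if ms, err := strconv.Atoi(t); err != nil || ms < 0 {
					report("[ocsp] timeout %q must be a non-negative millisecond count", t)
				}
			}
		default: // every other section describes a provider
			require(name, "type", "library", "slot")
			if typ, ok := props["type"]; ok && typ != "pkcs11" {
				report("[%s] type %q is not supported; only pkcs11 is accepted", name, typ)
			}
			if s, ok := props["slot"]; ok {
				if _, err := strconv.Atoi(s); err != nil {
					report("[%s] slot %q is not a number", name, s)
				}
			}
		}
	}
	return problems
}

// Providers lists the non-reserved section names.
func Providers(cfg Config) []string {
	var names []string
	for name := range cfg {
		if name != "default" && name != "ocsp" {
			names = append(names, name)
		}
	}
	return names
}

// Constructed sample files; library and responder values are placeholders.
const (
	GoodINI = "[default]\ninitpem=root.pem\n\n[ocsp]\nlibrary=ocspclient\nresponder=http://ocsp.example.com/\ntimeout=5000\n\n[smartcard]\ntype=pkcs11\nlibrary=cryptoki\nslot=0\n"
	BadINI  = "[ocsp]\nlibrary=ocspclient\ntimeout=-1\n\n[token]\ntype=cryptoapi\nlibrary=dkck201\nslot=zero\n"
)
```

Collecting every problem rather than stopping at the first one matters for a file that is usually edited by hand on the server: one pass tells the administrator everything to fix before the API is restarted.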
Chapter 8 Setting Up HSMs

eTrust PKI supports key generation and certificate storage on a range of HSMs. This chapter describes how to use eTrust PKI with:

• Eracom CSA7000 and CSA8000 HSMs
• GemPlus GemPKCS SDKv3—Smartcard and GemSAFE Smartcard
• Rainbow iKey 2000 USB key token
• Datakey Smartcard
• Chrysalis-ITS Luna CA3
• GemPlus GemSAFE Smartcard

Setting Up Eracom CSA7000 and CSA8000 HSMs

To set up a CSA7000 or CSA8000 HSM:

1. Install the Eracom CSA7000 or CSA8000 adapter.
2. Install the drivers for the adapter. Use Windows Explorer to navigate to E:\cprov_3_0_cdv1_10\Win32\Driver_8000\ (where E: is the CD drive).
3. Double click csa8k_driver.exe and add csa8000 to the path.
4. Use Windows Explorer to navigate to E:\cprov_3_0_cdv1_10\Win32\CPROV_Runtim\ (where E: is the CD drive).
5. Double click cprov_rt.exe.
6. Follow the instructions in the custom install wizard.
7. Include the CSA8000 and GUI tools.

Saving a Certificate in the Adapter

To save certificates on the Eracom CSA Adapter, first save the root on the Eracom CSA Adapter:

1. Follow the configuration as normal until you reach Step 7 (Select keystore media).
2. Choose the Via Smartcard option and ensure that your setup matches the configuration:

   Field        Value              Notes
   Vendor:      Eracom_CSA_7000_0  This is the vendor for Eracom drivers
   DLL:         cryptoki           Leave as default
   Slot:        0                  Leave as default
   Pin number:  ****               Default – if this has been changed, change it here also
   Alias:       rsa1               Leave as default

To save a certificate to the Eracom CSA adapter through the RA client:

1. Click Issue a Certificate.
2. Choose Profile of Certificate.
3. Follow the Issue a Certificate instructions until Step 7.
4. Choose Via Smartcard and the Eracom CSA7000 Vendor.
5. Change the PIN field to your Eracom CSA Adapter passphrase.

Setting Up GemPlus GemPKCS SDKv3 Smartcards

The GemSAFE GemPKCS SDKv3 can only be used on WinNT systems.

To install the GemPKCS SDKv3 drivers:

1. Navigate to E:\GemPlus\GemPCKSv3\GemPlus\ (where E: is the CD drive).
2. Double click setup.exe.
3. Follow the install wizard through a custom install, choosing the correct reader and port number.
4. Reboot your PC.
5. Insert a GemPKCS card into the reader.
6. Select Start, Programs, GemPKCS, Card Details Tool. The Card Details panel is displayed.
7. Select Card, Read the card.
8. Examine the card contents; if it is not empty select Card, Reinitialize.

Saving a Certificate on the Smart Card

To save the root certificate on the smart card:

1. Follow the configuration until you reach Step 4 (Choose a key size).
2. Choose 512 or 1024 for the key size. (1024 is the maximum key length for the card.)
3. Follow the configuration until you reach Step 7 (Select keystore media).
4. Deselect the In Software option and choose the Via Smartcard option.
5. Ensure that your setup matches the configuration:

   Field        Value              Notes
   Vendor:      GEMPLUS_SmartCard  This is the vendor for GemPKCS SDKv3 drivers
   DLL:         ck2priv            Default
   Slot:        0                  Default
   Pin number:  ****               Default – if this has been changed, change it here also
   Alias:       rsa1               Default

After you have saved the root on the smart card, do not save any more certificates on that card.

To save a certificate to the smart card through the RA Client:

1. Click Issue a Certificate.
2. Choose Profile of Certificate.
3. Follow the Issue a Certificate instructions until Step 7.
4. Choose Via Smartcard and the GEMPLUS_SmartCard Vendor.
5. Change the PIN field to your Smart Card passphrase.

Setting Up GemPlus GemSAFE Smartcards

When installing the GemPlus drivers, the GemSAFE logon must not be installed.

Important! When installing the drivers for Windows 2000 do not use the complete installation – the typical installation provides the correct functionality.

To install on Windows NT:

1. Follow the wizard for a typical install and deselect the GemSAFE logon.
2. Choose the correct reader and port number.
3. Insert a GemSAFE smart card into the card reader.
4. Use the card details tool to check that you can talk to the card:
   NT: Start, Programs, GemSAFE, GemSAFE Card Details Tool
   2000: Start, Programs, GemSAFE, GEMSAFE Card Details Tool
5. Enter the card passphrase.
6. Select Card, Information and check that the card is empty.
7. If you encounter any difficulties reading the card, reboot the PC and try again.

Saving the Root Certificate on the Smart Card

To save the root certificate on the smart card:

1. Follow the configuration as normal until you reach Step 4 (Choose a key size).
2. Choose a key size of 512 or 1024. (1024 is the maximum key length for the card.)
3. Continue to follow the configuration as normal until you reach Step 7 (Select keystore media).
4. Deselect the In Software option and choose the Via Smartcard option.
5. Ensure that your setup matches the configuration:

   Field        Value              Notes
   Vendor:      GEMPLUS_SmartCard  This is the vendor for GemPLUS drivers
   DLL:         ck2priv            Default
   Slot:        0                  Default
   Pin number:  ****               Default – if this has been changed, change it here also
   Alias:       rsa1               Default

After you save the root on the smart card, do not save any more certificates on that card.

To save a certificate to the smart card through the RA Client:

1. Click on Issue a Certificate.
2. Choose Profile of Certificate.
3. Follow the Create a Certificate instructions until Step 7.
4. Choose Via Smartcard and the GEMPLUS_SmartCard Vendor.
5. Change the PIN field to your Smart Card passphrase.

Setting Up Rainbow iKey 2000 – USB Key Tokens

Important! You may encounter problems if you have a Rainbow iKey Token and a Datakey smart card installed on the same computer. Only have one or the other plugged in when using eTrust PKI.

To install the Rainbow iKey drivers:

1. Double click on E:\Rainbow setup.exe, where E: is the CD drive.
2. Follow the install wizard through a typical installation.
3. Select Start, Programs, Rainbow Technologies, Token Manager. The Token Manager dialog is displayed.
4. Use the Token Manager to check that the USB Reader is displayed as the current reader.
5. Open the Token drop down menu and select Initialize Token. The card is initialized.
6. Click Display Token Objects to see the information on the token. Ensure that you can view the token.

Saving the Root Certificate in the Token

To save the root certificate to the token:

1. Follow the configuration as normal until you reach Step 4 (Choose a key size).
2. Choose the key size as 512 or 1024. (2048 is too large for the token.)
3. Continue to follow the configuration as normal until you reach Step 7 (Select keystore media).
4. Uncheck the In Software option and choose the Via Smartcard option, ensuring that your setup matches the configuration:

   Field        Value         Notes
   Vendor:      Rainbow_iKey  This is the vendor for Rainbow iKey drivers
   DLL:         dkck201       Default
   Slot:        0             Default
   Pin number:  *******       Default – if this has been changed, change it here also
   Alias:       rsa1          Default

After you have saved the root on the token, do not save any more certificates on that token.

To save a certificate to the token through the RA Client:

1. Click Create a Certificate Request.
2. Choose Profile of Certificate.
3. Follow the Create a Certificate instructions until Step 7.
4. Choose Via Smartcard and the Rainbow_iKey Vendor.
5. Change the PIN field to your token's passphrase.

The readers that can be used with the Datakey smart card are:

• DKR610 Serial Reader
• iKey 2000/2032
• Datakey 10SR Serial
• DKR 630 USB Reader

When using the Datakey with eTrust PKI ensure that you have the right drivers for the reader you are using.

To install the Datakey drivers:

1. Follow the install wizard and choose the correct reader and port number.
2. Insert a Datakey smartcard into the card reader.
3. Select Start, Programs, Datakey, Token Utility. The Token Utility dialog is displayed.
4. Enter the card passphrase.
5. Click Display Objects.
6. Check the card for previous information and make sure that it is empty.
7. The card is initialized.
3.Setting Up Datakey Smartcards Setting Up Datakey Smartcards Important! You may encounter problems if you have a Rainbow iKey Token and a Datakey smart card installed on the same computer. Opening the Token drop down menu and select Initialize Token. Only have one or the other plugged in when using eTrust PKI. Programs. The card information is displayed. Check that you can talk to the card. change it here also Default Field Vendor: DLL: Slot: Pin number: Alias: After saving the root on the smart card. Choose Profile of Certificate. To save a certificate to the smart card through the RA Client: 1. 5. do not save any more certificates on that card. 3. Choose the Via Smartcard option and ensure that your setup matches the configuration: Value Datakey dkck201 0 ******* rsa1 Notes This is the vendor for Datakey drivers Default Default Default – if this has been changed. Follow the configuration as normal until you reach Step 7 (Select keystore media). 8–10 eTrust PKI Administrator Guide . Follow the Create a Certificate instructions to Step 7. Click on Create a Certificate Request. 2. Change the PIN field to your smart card passphrase. 4. 2.Setting Up Datakey Smartcards Saving the Root Certificate to a Token To save the root certificate to the token: 1. Choose Via Smartcard and the Datakey vendor. dll [Luna] DefaultTimeOut=500000 PEDTimeout1=100000 PEDTimeout2=100000 [CardReader] RemoteCommand=1 [LBLib2] L-ibNT=C:\Program Files\Luna\cryst201.Setting up a Chrysalis HSM Setting up a Chrysalis HSM Important! Install the software before inserting the controller card.dll Enabled=1 Setting Up HSMs 8–11 . Change the data to: [Chrystoki2] L-ibNT=C:\Program Files\Luna\cryst201.dll L-ibNT=C:\Program Files\Luna\lblib201. Restart the PC.ini. 3. Insert the Chrysalis CD-ROM and select the Luna CA3/Xplus install option.dll [Luna] DefaultTimeOut=500000 PEDTimeout1=100000 PEDTimeout2=100000 [CardReader] RemoteCommand=1 [LBLib2] LibNT=C:\Program Files\Luna\cryst201. 
Task 1—Installing the Software To install the Chrysalis software: 1.dll LibNT=C:\Program Files\Luna\lblib201. The file contains the data: [Chrystoki2] LibNT=C:\Program Files\Luna\cryst201. Open C:\WINNT\crystoki.dll E-nabled=1 4. 2. Task 3—Testing the Install 1. 4. 9. Uncheck Floppy disk drives and CD-ROM drive and check Specify a location. then Finish.Setting up a Chrysalis HSM Task 2—Installing the Hardware 1. Browse to C:\Program Files\Luna\oemsetup and click Open. 8–12 eTrust PKI Administrator Guide . 2. 10. Turn off the PC and insert the controller card. The Found new hardware wizard appears.exe Run menu options 2 . When the window finds the driver click Next. 6. 2. Use the MDR-26 cable to connect card port A to the dock reader. Check the Search for a suitable driver. 3.. Run C:\Program Files\Luna\lunadiag. Connect the power cord to the controller. 5. 8. option and click Next. 7.. Select Next. If no errors are returned the installation is successful. Click OK. Turn on the PC.3 and 4. Enter a PIN to protect the key. Setting Up HSMs 8–13 . Type N when asked if this is a group PED key. 8. 6. Insert the red PED key and press Enter. 10.) 15. 11. 4. Run C:\Program Files\Luna\Enabler. The initialization completes. Insert the gray PED key into the reader and press Enter. 14.exe. 3. 5. Enter a PIN to protect the key.) Type N when asked if this is a duplicate PED key. 9. Insert the blue PED key into the reader and press Enter. Insert the blue and black PED keys. (This can be left blank.Setting up a Chrysalis HSM Task 4—Enabling the Token and Setting Up the PED Keys 1. (This can be left blank. 13. 2. Select Initialize a Token. 12. Type N for the M of N option. Select No when asked if this is a duplicate PED key. Type N when asked if this is a duplicate PED key. Select No when asked to create a domain. 7. Enter the slot ID of the token and a label for the token. Select keystore media. 
3.Setting up a Chrysalis HSM Saving the Root Certificate To save the root certificate in the HSM: 1. 3. Follow the configuration as normal until you reach step 7. Ensure that your setup matches the configuration: Value Chrysalis-ITS lblib201 0 **** rsa1 Notes This is the vendor for Chrysalis-ITS Luna CA3 Default Default Default – if this has been changed. Click Issue a Certificate. Change the PIN field to your HSM passphrase. Select Via Smartcard and the Chrysalis-ITS Vendor. change it here also Default Field Vendor: DLL: Slot: Pin number: Alias: Saving a Certificate Through the RA Client To save a certificate on the HSM through the RA client: 1. Select Profile of certificate Follow the Create a Certificate instructions until step 7. Deselect the In Software option and choose the Via Smartcard option. 2. 5. 4. 8–14 eTrust PKI Administrator Guide . 2. choose a key size.0 Smartcard Important! To install the GemPlus 3. 3. 6. The card is unblocked. 1. 5. Insert the GemSAFE smart card into the card reader. Setting Up HSMs 8–15 . 2. Follow the configuration as normal until you reach step 4.0 Smartcard Setting Up a GemPlus GemSAFE 3. Deselect the GemSafe Logon. Enter the card PIN. Saving the Root Certificate To save a root certificate on the Smartcard. Deselect the In Software option and choose the Via Smartcard option. Follow the configuration until you reach Step 7 (Select keystore media). Card Maintenance Tool to check that you can access the card. Programs. Choose a key length of 512 or 1024 (1024 is the maximum key length for the card). Select Start. Check the card for previous information such as certificates. 7. To set up the Smartcard: 1.0 drivers you must have Windows NT with service pack 6 applied or Windows 2000 with service pack 1 or higher applied. 4. Start the wizard and select a typical installation. 4. GemSAFE enterprise. 3. The card must be clear before saving any certificates. Select your reader and port number.Setting Up a GemPlus GemSAFE 3. 2. 5. 
   Field        Value                 Notes
   Vendor:      GemPLUS3.0_SmartCard  This is the vendor for GemPLUS 3.0 drivers
   DLL:         GCLib                 Default
   Slot:        0                     Default
   Pin number:  ****                  Default – if this has been changed, change it here also
   Alias:       rsa1                  Default

Note: Do not save any other certificates on the card with the root certificate.

Saving a Certificate Through the RA Client

To save a certificate on the Smartcard through the RA client:

1. Select Profile of Certificate.
2. Follow the Create a Certificate instructions until step 7.
3. Choose Via Smartcard and the GemPLUS3.0_SmartCard vendor.
4. Change the PIN field to your Smartcard passphrase.

Chapter 9: Cross Certification

Cross certification occurs where one CA certifies that another CA can be trusted. Cross certification can be used to verify third party CAs and their certificates. This can be important when you want your certificates to work with third party hardware or software that has fixed trusted root certificate stores.

Cross Certification Theory

CA1 generates a new certificate X that contains the subject name of the CA2 root certificate. The issuer is listed as CA1, and it is signed using the CA1 private key. Users of CA1 consider CA2 to be an intermediate CA subordinate to CA1. This is the minimum requirement to implement cross certification. It may be required that additional constraints be placed on the certificates issued from CA2 that are to be trusted with the CA1 framework.

Publishing Cross Certificates

X.509 section 11.2.3 (and RFC 2587 section 3.2) describes how cross certificates should be published. It has provision for publishing cross certificates within other CA domains, for example publishing the above cross certificate in CA2’s directory.

Cross Certification Options

It is possible to specify policy mappings in the cross certificate. If CA2 has policies used in issued certificates, then the cross certificate should use the policy mapping extension to map the CA2 policies to equivalent policies. Use the basic constraints to specify a maximum path length and mark the certificate as a CA certificate.

Possible Problems with Cross Certification

PKCS#12 files often contain all of the certificates in the path, including the root certificate. If a PKCS#12 file is provided by a CA2 user, it will include the CA2 root certificate. If a CA1 user is given the PKCS#12 file, it is possible that validation will fail, because the root certificate in the file may be used in preference to the cross certificate.
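The theory and options above can be exercised end to end with the Go standard library. The following program is an added example and is not code from this guide or from eTrust PKI: it builds two constructed roots (CA1 Root and CA2 Root), has CA1 issue the cross certificate X over CA2's subject name and public key, and then validates certificates from the CA2 domain as a relying party that trusts CA1 alone. The pathLen parameter is the X.509 pathLenConstraint placed in X's basic constraints; the certificate names, serials and the one-hour validity skew are constructed values, and the policy mapping extension mentioned above is not added.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CrossPKI is a constructed two-domain PKI: CA1 is our root, CA2 is the third
// party root, Cross is the certificate X that CA1 issues over CA2's name and
// key, and the remaining certificates are issued inside the CA2 domain.
type CrossPKI struct {
	CA1, CA2, Cross *x509.Certificate
	EE              *x509.Certificate // leaf issued directly by CA2
	SubCA, SubEE    *x509.Certificate // a CA2 subordinate CA and a leaf it issued
}

var nextSerial int64 // constructed serial counter; a production CA uses unique random serials

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with signer (the parent's private key) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	nextSerial++
	tmpl.SerialNumber = big.NewInt(nextSerial)
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(365 * 24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		Subject:               pkix.Name{Organization: []string{name}, CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildCrossPKI creates both CA domains and the cross certificate. pathLen is
// the X.509 pathLenConstraint written into the cross certificate: 0 admits
// only end-entity certificates issued by CA2, 1 also admits one subordinate
// CA below CA2.
func BuildCrossPKI(pathLen int) *CrossPKI {
	ca1Key, ca2Key, subKey := mustKey(), mustKey(), mustKey()
	eeKey, subEEKey := mustKey(), mustKey()

	ca1T, ca2T := caTemplate("CA1 Root"), caTemplate("CA2 Root")
	ca1 := issue(ca1T, ca1T, &ca1Key.PublicKey, ca1Key) // self-signed
	ca2 := issue(ca2T, ca2T, &ca2Key.PublicKey, ca2Key) // self-signed

	// The cross certificate X carries CA2's subject name and public key,
	// names CA1 as issuer, and is signed with CA1's private key.
	crossT := caTemplate("")
	crossT.Subject, crossT.RawSubject = ca2.Subject, ca2.RawSubject
	crossT.MaxPathLen, crossT.MaxPathLenZero = pathLen, pathLen == 0
	cross := issue(crossT, ca1, &ca2Key.PublicKey, ca1Key)

	ee := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "user1 (CA2 domain)"}}, ca2, &eeKey.PublicKey, ca2Key)
	subCA := issue(caTemplate("CA2 Issuing CA"), ca2, &subKey.PublicKey, ca2Key)
	subEE := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "user2 (CA2 domain)"}}, subCA, &subEEKey.PublicKey, subKey)

	return &CrossPKI{CA1: ca1, CA2: ca2, Cross: cross, EE: ee, SubCA: subCA, SubEE: subEE}
}

// VerifyUnder builds a path from leaf to root using only the supplied
// intermediates, as a relying party that trusts root alone would.
func VerifyUnder(root, leaf *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	pool := x509.NewCertPool()
	for _, c := range intermediates {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: pool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() {
	p := BuildCrossPKI(0)
	fmt.Println("CA2 leaf, no cross certificate available:", VerifyUnder(p.CA1, p.EE))
	fmt.Println("CA2 leaf via cross certificate:          ", VerifyUnder(p.CA1, p.EE, p.Cross))
	fmt.Println("leaf below a CA2 sub-CA, pathLen 0:      ", VerifyUnder(p.CA1, p.SubEE, p.Cross, p.SubCA))
	q := BuildCrossPKI(1)
	fmt.Println("leaf below a CA2 sub-CA, pathLen 1:      ", VerifyUnder(q.CA1, q.SubEE, q.Cross, q.SubCA))
}
```

Run it as a normal Go program. The first check fails because CA1's relying party has no path to CA2 at all; supplying X makes the direct CA2-issued leaf validate; a leaf under a CA2 subordinate is rejected while X carries pathLenConstraint 0 and accepted once it carries 1, which is the bound the Cross Certification Options paragraph asks you to set deliberately. Go's path builder tries every candidate issuer, so it does not by itself reproduce the PKCS#12 root-preference problem described above; that failure depends on the client that consumes the file.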
Cross Certifying with Another CA

Important! This procedure allows your CA to accept a third party’s public certificate as legitimate. A user of your PKI will be able to verify that a certificate was generated by the third party CA. This will only allow end users to check that the certificate was originally created by the third party CA. This process will verify, but not allow end users to validate.

Task 1—Copying the Public Key

To cross certify with another CA, you need a copy of its public key. You can:

- Apply to the CA for a copy
- Extract a copy from Internet Explorer if the CA is one of the CAs accepted by the MS certificate store

To copy a public key from the MS certificate store:

1. Open Internet Explorer.
2. Select Tools, Internet Options. The Internet Options dialog is displayed.
3. Select the Contents tab and click Certificates. The Certificates Manager dialog is displayed.
4. Select the Trusted Root Certification Authorities tab.
5. Select the CA to cross certify with.
6. Select Export. The Certificate Manager Export Wizard is displayed.
7. Click Next twice, then enter the path and file name where the certificate is stored.
8. Click Next. The completed dialog is displayed.
9. Click Finish, then click OK and close Internet Explorer.

Task 2—Cross Certifying

To cross certify to another CA:

1. If the CA/RA services are not running, select Start, Programs, Computer Associates, eTrust PKI, Server Administrative Tools, Foreground CA/RA Services and click Start.
2. Select Start, Programs, eTrust PKI, Cross Certification Tool. The Cross Certification Logon Information dialog is displayed.
3. Click Browse. The Load Key Store File dialog is displayed.
4. Select the client keystore p12 certificate (the default is defaultRAC_crt.p12) and click Open. The Cross CA Certification Generation wizard is displayed.
5. Select Load Cert and pick the certificate for the cross certification.
   Tip: Set Files of Type to All files. You may need to do this because some applications do not store certificates with a .DER extension.
6. Select View Cert and check the details of the certificate. Note the Issued By field, as this will be changed when cross certification is finished.
7. From the Cross CA Certificate Generation wizard, select Next to start updating the certificate details:
   Name: The distinguished name (DN) of the CA root server
   Non-standard DN: The DN of the CA root server
   Ordered DN: This allows a DN to be specified in a structured manner
   Country: The two letter country code where the subject CA root server is located
   Organization: The organization that owns the subject CA root server
   Organization Unit: The office or group that controls the CA root server
   Name: The name of the CA root server
   E-mail: The e-mail address of the CA root server
8. Click Next to continue.
9. Enter the field Basic Constraints. These allow you to specify if the certificate being cross certified to is for a user or for a CA. This may be useful if you want to certify a single user: select Type = EE and Path Length Constraint = None. In practice, it would be unusual to cross certify to an individual’s certificate. It is expected that you would normally cross certify to another CA.
10. Enter the field Path Length. This specifies the number of certificates that can be chained from your cross certified CA. The options are:
    None—You do not trust any certificates that were issued by the cross certificate CA. You will only trust the exact certificate that is being cross certified.
    1—You only trust the certificates that were issued by the CA that you are cross certifying to.
    2—You trust the CA that you are cross certifying with, and also trust a certificate issued by a third CA who is trusted by the CA that you are cross certifying with.
    Tip: You may not be fully aware of the issuance policies that are used by third parties. For this reason a path length of 1 is recommended.
11. Enter the details for Authority Info Access—the host name and port number for the OCSP responder. Users of your new cross certificate will know where to check its online status.
12. Enter the details for Valid From—the first date that the root CA certificate will be valid from.
13. Enter the details for Valid To—the last day that the root CA certificate will be valid.
14. Enter where to save copies of the new certificate.
15. Click Next to confirm your wizard selections. The new certificate is created.

Glossary

Attribute Authority (AA)
An authority trusted by one or more users to create and sign attribute certificates. It is important to note that the AA is responsible for the attribute certificates during their whole lifetime, not just for issuing them.*

Attribute Certificate (AC)
A data structure containing a set of attributes for an end-entity and some other information, which is digitally signed with the private key of the AA which issued it.*

Certificate
Can refer to either an AC or a public key certificate.*

Certificate Policy (CP)
A named set of rules that indicates the applicability of a public key certificate to a particular community and/or class of application with common security requirements. For example, a particular certificate policy might indicate applicability of a type of public key certificate to the authentication of electronic data interchange transactions for the trading of goods within a given price range.*

Certification Authority (CA)
An authority trusted by one or more users to create and assign public key certificates. Optionally the CA may create the user’s keys. It is important to note that the CA is responsible for the public key certificates during their whole lifetime, not just for issuing them.*

Certification Practice Statement (CPS)
A statement of the practices which a CA employs in issuing public key certificates.

Certificate Revocation Lists (CRL)
A list of certificates that have been revoked before their scheduled expiration date.

DER
Distinguished Encoding Rules. It defines the format used to transfer data across a network. DER is a component of the Abstract Syntax Notation (ASN.1) standard as defined by the International Standards Organization (ISO).

Directory Information Tree (DIT)
The collection of entries within a directory organized in hierarchical fashion that reflects their inter-relationship.*

End-entity (EE)
A subject of a certificate who is not a CA in the PKIX or an AA in the PMI. (An EE from the PKI can be an AA in the PMI.)

HSM
Hardware Security Module. HSMs are used to securely store private keys. When a document is to be signed, the document is sent to the HSM which then generates the signature. The important feature is that the private key never leaves the HSM. HSMs may be certified as resistant to various forms of electronic and physical attack, e.g. FIPS 140-1 Level 3.

Lightweight Directory Access Protocol (LDAP)
A communications protocol that allows access to a directory service. Supports lightweight access to static directory services, allowing relatively fast search and update.

Lightweight Directory Interchange Format (LDIF)
An ASCII file format used to exchange data and enable the synchronization of that data between LDAP servers.

Method
Each policy consists of one or more methods, each of which performs a well-defined unit of work, for example, set the status of the response, set the signature of the response, etc.

OCSP
Online Certificate Status Protocol.

PEM
Privacy Enhanced Mail. The PEM application defines a file format for storing certificates, CRLs and private keys. This format has become popular and is now used by several other applications.

PKCS
Public Key Cryptography Standards. This is a series of standards defined by RSA Laboratories (http://www.rsasecurity.com). eTrust OCSPro uses PKCS #11: Cryptographic Token Interface to access Hardware Security Modules (HSMs).

Policy
Each policy represents a personality or role that the responder takes on. Example roles in the Identris model are Relying Customer Role and Inter-participant Role.

Privilege Management Infrastructure (PMI)
A collection of AC’s, with their issuing AA’s, subjects, relying parties and repositories, is referred to as a Privilege Management Infrastructure.*

Public Key Certificate (PKC)
A data structure containing the public key of an end-entity and some other information, which is digitally signed with the private key of the CA which issued it.*

Public Key Infrastructure (PKI)
The set of hardware, software, people, policies and procedures needed to create, manage, store, distribute and revoke PKC’s based on public-key cryptography.*

Registration Authority (RA)
An optional entity given responsibility for performing some of the administrative tasks necessary in the registration of subjects, such as: confirming the subject’s identity, validating that the subject is entitled to have the values requested in the PKC and verifying that the subject has possession of the private key associated with the public key requested for a PKC.*

Relative Distinguished Name (RDN)
A name component that identifies an entry with respect to the entry just above in the hierarchy.

Relying Party (RP)
A user or agent (for example, a client or server) who relies on the data in a certificate when making decisions.*

Resco
Responder Configuration. This is the tool which configures the OCSPro Responder.

Root CA
A CA that is directly trusted by an EE; that is, securely acquiring the value of a Root CA public key requires some out-of-band steps. This term is not meant to imply that a Root CA is necessarily at the top of any hierarchy, simply that the CA in question is trusted directly.*

Selection Criteria
Selection criteria are evaluated prior to the execution of each policy and method to determine whether the policy/method should be evaluated. Selection criteria are based on attributes of the request, the current state of the response and information stored in the directory.

Subject Certificate
The certificate identified in the CertId field of the OCSP request.

Subordinate CA
A "subordinate CA" is one that is not a Root CA for the EE in question. Often a subordinate CA will not be a Root CA for any entity, but this is not mandatory.*

Top CA
A CA that is at the top of a PKI hierarchy.*

* Denotes that this definition has come from the IETF PKIX Roadmap, draft-ietf-pkix-roadmap-04.txt, available from http://www.ietf.org.