Introduction
From version 6.8 support has been added to allow the issuance of certificate credentials from EverTrust Certificate Authority (CA). This article will describe how you can configure and use a EverTrust CA to issue a certificate to a credential managed by vSEC:CMS.
In this article we will show you:
- How to setup a connection to EverTrust CA;
- Configure a template to issue a certificate to a managed credential;
- Issue a credential from Admin console.
It will be required that at minimum you have already successfully completed the configuration steps described in the article Setup Evaluation Version of vSEC:CMS. The instructions in this document are applicable regardless of whether you are running the evaluation version or a production version.
It will be required to have an EverTrust CA available and it is expected that the reader of this article has knowledge in using/configuring EverTrust CA.
Configure EverTrust Connection
From Options - Connections - Certificate Authorities click Add. Enter a template name and from the drop-down list select EverTrustHorizon. In the URL enter the connection URL to your EverTrust CA. Enter the user name and password into the User Name and Password fields that you will connect with.
Click the Test button to check that you can connect to the CA.
Click the Templates button and from the dialog enable Show all and select Update to list all available certificate templates. You can select and hide a template if required which will result in the template not being available from Templates - Card Templates when configuring later.
Click the Request fields button. Depending on how your certificate templates are configured and need to be used you may have different requirements here. In this example we will use below fields that we want vSEC:CMS to provide the data for.
It will be necessary to assign values/variables that will be used to populate values to these fields and used when generating the certificate request.
vSEC:CMS uses the horizon API interface when sending the certificate request to the CA.
Additionally, the key type by default is AT_SIGNATURE. If this is not the required key type then you can change this using a configuration file. See the section below Advanced Settings for more details on this.
Click the Fields button to do this. Click the whitespace (as circled below) to open a configuration dialog for the field you want to configure.
You can use variable mapping which will map a variable to an attribute in your user directory, AD for example. See the article Using Variables which describes how you can perform variable mapping to an attribute in your user directory.
Additionally you can use static values and/or combined with variables. Enter the static value into Use free test field and click Get variable to paste the variable value you wish.
You can click Templates and select Show all followed by Update to see all available certificate templates from your EverTrust CA.
It is recommended to enable Proxy through server checkbox which will mean that all client certificate requests will be proxied through the server.
Configure Credential Template
The next step is to configure an actual credential template where the certificate that is to be issued to the credential token will be set.
1. From Templates - Card Templates click the Add button.
Click the Edit link beside General. Enter a template name. Presuming that you are using one of the minidriver credentials that is supported by vSEC:CMS select Minidriver (Generic minidriver card) for Card type. Leave all other settings as default and click Ok to close and save.
2. Click the Edit link beside Issue Card. In the User ID Options section enable Assign user ID and select the AD connection configured earlier in the drop-down list. In the Enroll Certificate Options section enable Enroll certificate(s) checkbox and click the Add button. Select the EverTrust CA template from the Certificate authority drop-down list and select which CA certificate template you want to use and click Ok. Leave all other settings as is and scroll down to the bottom of the dialog and click Ok to save and close.
3. Click Ok to save and close the template configuration dialog.
Issue Credential
From the Lifecycle page attach a blank credential to your host. If it is a credential that is supported by vSEC:CMS you should see the reader and the credential similar to below.
Depending on the credential that you are testing with it will be necessary to have the appropriate credential drivers installed on your host. Please check with the credential provider that you have the correct credential drivers installed.
Click the Issued oval and select the template from Select card template drop-down list and click Execute.
You will be prompted to enter your operator token passcode before the issuance will begin. Then you will be prompted to select the user from AD that the credential will be issued to. Select the user and at the end of the process you will get a short summary dialog of what operations were performed.
The credential will now show as Issued. The credential PIN by default will be blocked. You will need to set a PIN before you can use the credential. Click the Active oval followed by the Execute button. You will be prompted to authenticate again and then set a PIN that meets the policy supported on the credential.
Once you complete this then you can use the credential certificate for whatever use case it is intended.
Advanced Settings
In this section we will describe how to change certificate key specification (KeySpec) from the default type AT_SIGNATURE to AT_KEYEXCHANGE.
Additionally, we will describe how to enable logging which maybe required when investigating integration issues.
You will need to create a configuration file with this name and extension CaPluginEverTrustHorizonCA.cfg. This file should be placed on the server in the plugin folder located in the root of the installation folder (if the default location was chosen during the install then the root folder would be here: C:\Program Files\Versasec\vSEC_CMS S-Series). Copy the contents of the file below and use this as your starting template.
<?xml version="1.0" encoding="UTF-8"?>
<config>
<factory signature="KXpC+EQaYM+DSqPx+ur6dycgzQgq3xL1BdBGmaI89+8UTNvVY1rCL73F+bSdsI11XVJlBuwRHjhKFhpeNzcSIO7oykRyqJ/7DB/8YZ5rD7o/+p0uXNxzMpY6Va6I5WTUjaiw8KeZJ6uQ10ye4VIuJ2fi8LBr/2WUZ+l39O5zW8k=">
<std/>
<force/>
</factory>
<oem>
<std>
<logging>
<file>
<enable>00000000</enable>
<level>00000006</level>
<filename>c:\temp\CaPluginEverTrustHorizonCA_#e#_#p#_#s#.xml</filename>
</file>
</logging>
<cfg>
<templates>
<DefaultTLSClient>
<KeySpec>1</KeySpec>
</DefaultTLSClient>
</templates>
</cfg>
</std>
<force/>
</oem>
</config>
In order to change the default AT_SIGNATURE to AT_KEYEXCHANGE log onto the Admin console on the server. Navigate to Options - Connections - Certificate Authorities and select your CA connection and click Edit. Click the Templates button. Then if you mouse over the certificate template that will be used you can see the name of the template. For example, below we want to use the template highlighted in red. If you mouse over it you will see additional information in the yellow pane. Make a note of the template name highlighted in black and make sure to adhere to the case sensitive characters that you see.
In the configuration file sample above there was a section like this:
<DefaultTLSClient>
<KeySpec>1</KeySpec>
</DefaultTLSClient>
The tag named DefaultTLSClient is the name that was noted when you mouse over it. In your environment you will need to do similar, for example, if your template name is MyLogonCertificateTemplate then the section for you would be like below:
<MyLogonCertificateTemplate>
<KeySpec>1</KeySpec>
</MyLogonCertificateTemplate>
Another consideration is when a certificate template name has a space or none ascii character in its name. This will not be supported as we use XML format for the configuration file. For example, if the template name created on the CA is My Logon é Certificate. This tag would not work with XML. In that case you would need to use an MD5 hash generator and translate the name of the template into a MD5 hash. You can use a tool here and then the entry in the configuration file would be like below:
<md5.c87a015e4577f94a4cf5f9e5aa50cdb4>
<KeySpec>1</KeySpec>
</md5.c87a015e4577f94a4cf5f9e5aa50cdb4>
Enable Logging
For logging you will see section like below:
<logging>
<file>
<enable>00000000</enable>
<level>00000006</level>
<filename>c:\temp\CaPluginEverTrustHorizonCA_#e#_#p#_#s#.xml</filename>
</file>
</logging>
In order to enable logging simply change the enable tag to 00000001.
<enable>00000001</enable>
Also important to note that the file name path and folder need to exist, i.e., vSEC:CMS will not create the folder if it does not exist.
When you have completed integration investigation issues it is recommended to disable logging. In that case just set to 1 to 0 (zero) in the configuration file.