Reissue Certificates

Ellen Thoren - Versasec

Introduction

This article describes how to reissue certificates on credentials that are managed by vSEC:CMS.

Note
For instructions on reissuing Enrollment Agent (EA) certificates when Microsoft Certificate Services is used, refer to the article Update Enrollment Agent Certificate.

Certificate(s) can be reissued centrally by an operator via the Operator Console (OC) or by the user themselves using the vSEC:CMS User Self-Service (USS) application.

Reissue Through OC

If the template that the credential was issued from allows reissue through the OC, follow the instructions in this section.

The template used to issue the credential must be configured to support this. To check, go to Templates - Credential Templates, select the template the credential was issued from and, in the Issue Credential section, make sure the Issue by Operator(s) radio button is selected.


Reissue Certificate(s)

Log onto the OC with an Operator token whose role grants permission to perform certificate reissue. The Operator will also need an EA certificate available, since the reissue is performed on behalf of the credential holder. Because an EA certificate allows its holder to enroll certificates for other users, grant the reissue role only to the operators who need it. It is presumed that your system is already configured to support this scenario.

Navigate to Actions - Certificate(s)/keys and attach the credential whose certificate needs to be reissued. You should see the available certificate(s) listed in the table. Select the certificate that you need to reissue and click the Reissue button and follow the on-screen wizard to complete the flow.

Reissue Through USS

If the template that the credential was issued from allows reissue through the USS, follow the instructions in this section.

The template used to issue the credential must be configured to support this, which at minimum means that USS support is enabled on it. To verify, go to Templates - Credential Templates, select the template the credential was issued from and click Edit. In the General section make sure that Self-service using the following template is enabled and that a template is selected from the drop-down list.

Additionally, the USS connection must already be configured on the server (under Options - Connections), and the USS application on the client must point to that backend connection. See the article Manage Hardware Credentials using vSEC:CMS User Self-Service for an example of how this configuration is set up.

Open the My Smartcredential (USS) application on the client with the credential attached, navigate to the Certificates tab, select the certificate that is to be reissued and click Reissue. Follow the on-screen wizard to complete the flow.


Certificate Reissue Notification

It may be useful to configure notifications to be sent to the credential holder when the certificate(s) on their credential are due to expire. Follow the instructions in this section to configure this on the credential template that was used to issue the credential.

Important
vSEC:CMS keeps track of the certificates on the credentials it manages and automatically checks all of them for certificates that are nearing their expiration date.
The check uses the Valid to date on each certificate to decide whether a reissue notification is needed. If a certificate falls within the time frame you have configured, vSEC:CMS sends a notification according to that configuration.
If a credential holds several certificates, vSEC:CMS uses the earliest Valid to date among them, so that the notification arrives in time to renew the certificate that expires first.

1. From Templates - Credential Templates select an already configured credential template and click the Edit button.

2. Click the Edit link for Update Credential.

3. Enable the Update when credential expires check-box and, in the days field, enter how many days before the certificate on the credential expires the update should start. For example, to start sending notifications 30 days before expiration, enter 30. The rest of this article presumes a value of 30 days.

4. Click the Configure button and then Add to add a new period. In the From field enter 30 and in the To field enter 0 (zero); this covers the period from 30 days before expiry up to the expiry date itself. Enable the Force period check box if you want the certificate update dialog to appear when the user logs on to their workstation. With this enabled the update dialog cannot be closed, the intention being that the user is forced to perform the update.

Important
The self-service application must be running in system tray mode on the clients for this feature to be activated. See the article vSEC:CMS User Application, section System Tray Mode, for details on how to configure this. Additionally, the Credential Update permission must be configured in the client's vSEC:CMS User application; see the section Permissions in the same article for details.

Enable the Enable Notification check-box and enter 1 in the Notify every field. A notification will then be sent once a day until the certificate(s) have been reissued.

Click the Configure Notification button to configure the message itself and its transport. Click Add, enter a name and select the transport type for the notification from the drop-down list, either email or SMS. This article uses email.

Note
If SMS is preferred, see the article vSEC:CMS User Application, section Add SMS Notification Template, for an example of how SMS can be configured.

Select the Outgoing Email Server from the drop-down list. The email server connection must already be configured under Options - Connections - Email. Click the Edit email template button. Enter a From email address and the name of the variable that retrieves the user's email address from the user directory. Enter CC and BCC addresses if required, and an appropriate subject.

For the email body two options are available, Html or Text. If Html is selected you must import an MHT file containing the content of the email body. vSEC:CMS variable names can be used in the content and are replaced with actual data, for example the user's name retrieved from the user directory. It is recommended to use the built-in variables ${DbCardsExpireStr} and ${DbCardsExpiresInDays} when constructing the email content, as these show the end user when the certificate is due to expire.

Important
When adding variable placeholders to either the MHTML or the plain text body, the variable names must be entered exactly; they are case sensitive.

If Text is selected, enter the message body and use vSEC:CMS variables to populate specific details such as the user's name.

Click Ok to close this dialog and Save to close and save the template.

With these settings saved, the template will notify the credential holder once a day during the 30 days before the earliest certificate on the credential expires.
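The window and cadence logic configured above (the From/To period, Notify every, and the earliest Valid to date on a credential with several certificates) is shown here as an added example. This is not Versasec code and does not talk to vSEC:CMS; the data classes, the status names, the date format used for ${DbCardsExpireStr}, the treatment of already expired certificates and the sample credentials are all constructed for the illustration. The render() helper also flags any placeholder that did not resolve, which catches the case-sensitivity mistake the Important note above warns about before a mail with a literal ${...} reaches a user.

```python
"""Model of the certificate-expiry notification window that the credential
template's "Update when credential expires" settings describe.
Added example, not Versasec code; data classes, status names and sample
credentials are constructed for this illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple
import re


@dataclass
class Certificate:
    label: str
    valid_to: date  # the certificate's "Valid to" (NotAfter) date


@dataclass
class Credential:
    serial: str
    certificates: List[Certificate]
    last_notified: Optional[date] = None  # when the last reminder went out


@dataclass
class NotificationRule:
    days_from: int = 30    # "From": start this many days before expiry
    days_to: int = 0       # "To": stop this many days before expiry (0 = expiry day)
    notify_every: int = 1  # "Notify every" N days while inside the window


def earliest_valid_to(cred: Credential) -> date:
    """The check is keyed on the earliest Valid to date on the credential."""
    return min(c.valid_to for c in cred.certificates)


def days_until_expiry(cred: Credential, today: date) -> int:
    return (earliest_valid_to(cred) - today).days


def classify(rule: NotificationRule, cred: Credential, today: date) -> str:
    """'update_needed' inside the From..To window; 'expired' once the earliest
    certificate is past Valid to (treated as outside the window, an assumption
    of this model); otherwise 'ok'."""
    days_left = days_until_expiry(cred, today)
    if days_left < 0:
        return "expired"
    if rule.days_to <= days_left <= rule.days_from:
        return "update_needed"
    return "ok"


def notification_due(rule: NotificationRule, cred: Credential, today: date) -> bool:
    """Send today only inside the window and only once 'Notify every' days
    have elapsed since the previous reminder."""
    if classify(rule, cred, today) != "update_needed":
        return False
    if cred.last_notified is None:
        return True
    return (today - cred.last_notified).days >= rule.notify_every


def check_all(creds: List[Credential], rule: NotificationRule,
              today: date) -> Dict[str, Tuple[str, bool]]:
    """Per-credential (status, notify today) as a daily check would report it."""
    return {c.serial: (classify(rule, c, today), notification_due(rule, c, today))
            for c in creds}


# ${Name} placeholders as used in the email templates; names are case sensitive.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_]+)\}")


def notification_values(cred: Credential, today: date) -> Dict[str, str]:
    """Values for the built-in variables (the ISO date format is an assumption)."""
    return {
        "DbCardsExpireStr": earliest_valid_to(cred).isoformat(),
        "DbCardsExpiresInDays": str(days_until_expiry(cred, today)),
    }


def render(template: str, values: Dict[str, str]) -> Tuple[str, List[str]]:
    """Substitute placeholders and return the names that did not resolve, so a
    mis-cased variable is caught instead of being sent as literal ${...} text."""
    missing: List[str] = []

    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name in values:
            return values[name]
        missing.append(name)
        return match.group(0)

    return PLACEHOLDER.sub(substitute, template), missing


# Constructed sample data: four credentials checked on 2024-06-01 with the
# article's From=30 / To=0 / Notify every=1 settings.
TODAY = date(2024, 6, 1)
RULE = NotificationRule(days_from=30, days_to=0, notify_every=1)
SAMPLE_CREDENTIALS = [
    Credential("A", [Certificate("auth", date(2024, 7, 15)),
                     Certificate("sign", date(2024, 6, 20))]),  # 19 days, never notified
    Credential("B", [Certificate("auth", date(2024, 9, 1))]),    # 92 days, outside window
    Credential("C", [Certificate("auth", date(2024, 6, 10))],
               last_notified=date(2024, 6, 1)),                 # 9 days, notified today
    Credential("D", [Certificate("auth", date(2024, 5, 20))]),   # expired 12 days ago
]
TEMPLATE = ("Your credential's earliest certificate expires on ${DbCardsExpireStr} "
            "(in ${DbCardsExpiresInDays} days). Mis-cased: ${dbCardsExpireStr}")

if __name__ == "__main__":
    for serial, (status, due) in check_all(SAMPLE_CREDENTIALS, RULE, TODAY).items():
        print(f"{serial}: {status}, notify today: {due}")
    body, unresolved = render(TEMPLATE, notification_values(SAMPLE_CREDENTIALS[0], TODAY))
    print(body)
    print("unresolved placeholders:", unresolved)
```

Credential A shows the multi-certificate rule: its authentication certificate is 44 days out, but the signing certificate at 19 days puts the whole credential inside the window. Credential C is inside the window but was already notified today, so the one-day cadence suppresses a second mail. The unresolved list for the template is the check worth running against your own MHT or text body before saving it.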

Check Status

You can check the status of a credential to see whether a certificate update is pending in the system. From the Admin application navigate to Repository - Credentials and select the credential you wish to check. The Status field will show the label Update needed when an update is pending.


Additionally, if you right click a credential and select Details, the Planned update task(s) section lists the updates that are pending for that credential.


You can also check the transaction log to confirm when notifications were sent. From Repository - Transaction Log search for "Notify user about credential update" to list those events.

Scheduler

On the server side a background task runs once a day, at a random time by default, to check all credentials for pending certificate notifications. On the Admin console navigate to Options - Schedulers, select Credential update check, right click and select Configure. We recommend configuring this task to run daily at a time when the system is not in high use, especially if a large number of credentials is managed in the system.

When the scheduler runs and identifies credentials that need certificate updates, you will see a summary in the Last Run Results table. The Run Details show what checks were performed. If the system sent a notification (because one was configured for the found credentials), the notification details will also be listed.

If you want to test notifications for particular users, see the Schedulers guide for details.