Introduction
From version 6.0 it is possible to configure connection to DigiCert ONE CA to manage certificate lifecycle with any credential that is supported by vSEC:CMS. The DigiCert ONE is a RESTful Web service API that provides a range of certificate issuance and management functions.
This article will describe how you can set up a connection to DigiCert ONE and then use this connection to issue and manage the lifecycle of a certificate on a credential managed by vSEC:CMS. The following will be performed in this article:
- Setup a CA connection template to DigiCert ONE;
- Create a credential template and issue it via the vSEC:CMS operator console with an X.509 certificate issued from DigiCert ONE;
- Create a credential template and issue it via the vSEC:CMS self-service with an X.509 certificate issued from DigiCert ONE.
It will be required that at minimum you have already successfully completed the configuration steps described in the article Setup Evaluation Version of vSEC:CMS. The instructions in this document are applicable regardless of whether you are running the evaluation version or a production version.
Configure Connection
The first requirement is to set up a connection to your DigiCert ONE. Navigate to Options - Connections - Certificate Authorities and click Add. Enter a template name and in the drop-down field select DigiCert ONE. In the URL field enter the appropriate connection URL for your setup.
Click the Test button to test that the URL details are correct and that you can connect ok. If the details are correct you should get a success dialog.
An authentication key is required to authenticate to the CA. Enter the key as provided by your DigiCert provider into the Key field and click the Test button. If the authentication key is correct you should get a success dialog.
You can enable the Proxy through server (recommended) if you plan to issue credentials through self-service or client operator consoles.
Click the Request fields button. Here you configure how the certificate request fields will be populated depending on what you need to be set in the certificate request fields.
Click the Fields button and from the Available list select the certificate request fields that you wish to use. In this example we will use DN - Common Name and add this to the Selected list on the right hand side and click Ok.
We need to configure how the certificate request field gets populated with data. Click the Value field in the area as shown below.
This will popup a dialog like below. There are 2 ways that you can populate data into the request field. If you have vSEC:CMS variables already configured to map to Active Directory attributes (see the article Using Variables for details) then you can select Use variable and select the variable that you want to use or add one by clicking Add variable. Alternatively, select Use free text and enter the static data, Bob Smith in this example and select Ok to save and close.
Click Ok to save and close.
Click the Templates button. Select Show all and click Update. You should see a list of all the available templates. Click Ok to close out.
Click Save to save and close the connection settings.
Issue Credential via Operator Console
In this section we will describe how you can configure a credential template that can then be used to issue a certificate from DigiCert ONE to a supported hardware credential. The issuance workflow in this case would be done centrally by an operator/issuance officer.
Navigate to Template - Card Templates and click Add. Select General[Edit]. Enter a template name and for Card type select Minidriver (Generic minidriver card). Leave all other settings as default and scroll to the bottom of the dialog and select Ok to save and close.
Select Issue Card [Edit]. Presuming that a connection is already in place to connect to a directory (Active Directory) in the User ID Options section select Assign user ID and select the AD connection from the drop-down list.
In the Enroll Certificate Options sectionenable Enrol certificate(s) and click Add. Select the CA from Certificate Authority drop-down field and select the certificate that we will issue during the card issuance. Click Ok to save and close.
Leave all other settings as is.
Scroll down to the bottom of the dialog and click Ok.
Click Ok to save and close the template configuration.
Navigate to the Lifecycle page. Attach a blank credential and click the Issue oval. Select the template from the drop-down field and click Execute.
This will start the issuance flow. You will be prompted to select the user from AD that the credential will be issued to. In this case we will select a user Bob Smith from our example AD. This user’s CN will match the static value we entered when setting up the CA connection earlier.
The keys will be generated on the credential and the certificate request will be created and sent to the CA for verification and issuance. Once issued by the CA it will send back to the credential and store it there. A short summary will be provided on completing the issuance.
The credential PIN by default will be blocked. You will need to set a PIN before you can use the certificate on the credential. Click the Active oval followed by the Execute button. You will be prompted to authenticate again and then set a PIN that meets the policy supported on the credential. Once the certificate can be accessed and used as needed.
Issue Credential via Self-Service
In this section we will describe how you can configure a credential template that can then be used to issue a certificate from DigiCert ONE to a supported hardware credential. The issuance workflow in this case would be done by the end user using vSEC:CMS User Self-Service (USS) application.
If you don’t have a connection for self-service already set up then from Options - Connections click the Add button and select User Self-Service and click Ok. Enable the Enable gRPC checkbox as we will use gRPC for this article.
Please ensure that you have read through the article vSEC:CMS Client-Server Communication which gives more details on vSEC:CMS client-server architecture.
Depending on your environment settings enter a hostname and port to listen on. You can also setup support for SSL if you wish to use HTTPS for secure communication between the client and server. If you use SSL it is important that the HostIP address field is entered with the name of the server as it appears in the SSL certificate. The SSL certificate should be a machine certificate available on the vSEC:CMS server.
Make sure that the vSEC:CMS - User Self-Service service is running after you configure this in Windows services.
Ensure that a credential configuration exists for the credential that you are going to use here. See the article Add Credential Configuration before starting below.
From Templates - Card Templates click the Add button.
Click the Edit link beside General. Enter a template name. Presuming that you are using one of the minidriver credentials that is supported by vSEC:CMS select Minidriver (Generic minidriver card) for Card type.
Click the Manage button beside Self-service using the following template. Click the Add button. Enter a template name and enable Self-issuance enabled and Retire card enabled checkboxes. From the User Authentication for PIN Unblock drop-down list select Use windows credentials to authenticate user. Leave all other settings as is and click the Save button to save and close.
Click Close and from the main General dialog enable Self-service using the following template and from the drop-down list select the template just created. Leave all other settings as is and click Ok to save and close the dialog.
Click the Edit link beside Issue Card. Select the checkbox Automatically initiate cards after issuance and Issue by user(s) radio button. Click the Configure button in the User ID Options section. Select the AD connection already configured from User ID from drop down list and select Supplied domain credentials from Authenticate user using drop down list. Click Ok to save and close.
In the Enroll Certificate Options sectionenable Enrol certificate(s) and click Add. Select the CA from Certificate Authority drop-down field and select the certificate that we will issue during the card issuance. Click Ok to save and close.
Leave all other settings as is.
Scroll down to the bottom of the dialog and click Ok.
Click Ok to save and close the template configuration.
On a client machine it will be necessary to install the USS application. Use the vSEC:CMS Client MSI to install this component. It is recommended to install the USS silently as it is possible to pass in the URL link to the backend vSEC:CMS server that the USS needs to communicate with. This will remove the requirement to manually configure the USS to communicate with the backend in this case.
Open a command Window as administrator and change to the location where the MSI installer is located. Run the command similar to below
msiexec /i "vSEC_CMS Client 64bit.msi" /quiet ADDLOCAL=USS USSGRPC="https://2016-server:8445" USSPCL=4
Where USSGRPC points to the backend gPRC service where vSEC:CMS is installed and USSPCL=4 configures the USS client to use gRPC.
The client host will automatically reboot when running above command so make sure you have saved any material you may be working on when performing this task.
Depending on the credential that you are testing with it will be necessary to have the appropriate credential drivers installed on your host. Please check with the credential provider that you have the correct credential drivers installed.
Start the My Smartcard from the shortcut icon on the client desktop. Go to the My Profile page. With the credential attached that is to be issued click the Issue button.
Enter the domain credentials of the user to authenticate.
At the end of the process you will be prompted to enter a PIN for the credential to complete the flow.
Once you complete this the certificate credential can be used for whatever use cases required.