Introduction
It is possible to manage certificates such as server certificates, and application certificates, such as web applications, through the vSEC:CMS.
Follow the instructions in this article on how to configure and manage certificates that can be managed in this scenario.
Setup Certificate Management Template
The first task is to add a certificate management template that will be used to manage the certificate(s) that are to be managed. In this example server certificates will be managed.
1. From Templates – Certificate Management Templates click the Add button.
2. Enter a template name.
From Certificate Templates dropdown list select Simple certificate management template.
For Certificate Authority enable the Connect to CA checkbox and select the CA that will be used when managing the certificates.
Only an already configured MS CA template can currently be used.
For the Revocation Options the Revoke certificates at CA will always be enabled and cannot be disabled. It is shown here for information purposes. Enable the Force certificate revocation at CA (Fail if CA is not reachable) if it is required to abort the certificate revocation if for some reason the CA is not available. If this option is not enabled and during the revocation the CA is not available vSEC:CMS will cache the revocation request and attempt to revoke the certificate when an operator logs on again.
In the Expiration Options enable the Notify when certificate expires option and enter the number of days before the certificate expiration that the person who is configured to be notified shall receive an email notification.
Click the Notifications button to configure the email notification. Click the Add button to add a template. Enter a template name and select the Outgoing Email Server from the dropdown list. The email server connection will need to be already configured from Options – Connections – Email. Click the Edit email template button. Enter a From and To email address into the fields available. Enter a CC and BCC if required. Enter an appropriate subject for the email.
For the email body two options are available – html or text. If HTML is selected it will be necessary to import a MHT file which contains the content of the email body. MHT files can be created using MS Word for example. vSEC:CMS variable names can be used which will be replaced with actual data from a directory.
If text is selected enter the appropriate message body and use vSEC:CMS variables to populate specific details.
When adding variable placeholders to either MHTML or plain text the variable needs to be entered correctly i.e. the variables are case sensitive.
From the Permissions section, it is possible to configure the operator roles who will be allowed to configure and use this template. Click the Edit button to adjust the operator role(s) who are allowed to configure this template.
3. Click Save to close and save the template.
Configure Certificate Requests
The next step will be to add server certificates that can be managed by the vSEC:CMS.
From the Actions – Request Certificates page click the Add button to browse to a location where certificate requests of type PKCS#10 are located and select one.
Only certificate requests of type PKCS#10 are currently supported.
Additionally, it is possible to select certificates in CER or DER format.
Depending on the type of certificate that was added different options will be available. If the certificate added is of type CER or DER then select the certificate from the table and click the Manage button. The Status will change to Managed in the table as certificates of this type are already issued by the CA and can now be managed by vSEC:CMS.
If the certificate is a certificate request of type PKCS#10, then select the certificate request from the table and click the Request button. vSEC:CMS in this case will be acting as a PKCS#10 proxy. The request will be sent to the MS CA already configured earlier. Once the request has been successfully processed by the CA the status will change to Issued. Then it will be possible to select the entry and click the Manage button to allow vSEC:CMS to fully manage the lifecycle of the certificate. The status will state at this time that the certificate is Managed – not saved. This means that the certificate is fully managed by vSEC:CMS but the certificate has not been saved as a CER or DER. This may be necessary to save a certificate as a CER or DER and provided back to the original requestor for example.
Once a certificate is managed by the vSEC:CMS it can be deleted from the table.
Select any record in the table and click the Delete button to delete the record from the table. This will not result in the vSEC:CMS terminating the management of the lifecycle of the certificate.
Select any record in the table and click the View button to see additional information about the certificate or certificate request if required.
Select any record in the table and click the Save button to save the selected managed certificate as a CER or DER certificate. The Save button will only be available for certificate requests of type PKCS#10 or for certificates that have been issued from a PKCS#10.
Manage Certificates from Repository
Once the certificate(s) have been added through it is possible to view the status of these certificates from the Repository – Certificates page.
All certificates, including certificates that are managed on credential tokens, will be viewable from here. It is possible to filter the records based on the template or based on the expiration criteria. The Certificate Expiration view on the right will give a visual representation of the current status of all certificates managed by vSEC:CMS.
Select an entry and click the View button to see additional information about the certificate.
vSEC:CMS will only store specific information about the certificate and not the entire certificate file. The entire information that vSEC:CMS will store for the certificate is displayed in the View page.
Select an entry and click the Revoke button to revoke the certificate on the CA. It will only be possible to revoke certificates that are not managed and issued to credential tokens in this case.
Select an entry and click the Delete button to remove the management of the certificate from vSEC:CMS. It will only be possible to delete certificates that are not managed and issued to credential tokens in this case.
Click the Copy button to copy all of the table information into the system clipboard from where it can be saved as a CSV file.