Certificate Authority Server Configuration

From iDENprotect Knowledge Base

If you have not made any configuration changes yet, please see How to make configuration changes first.

Introduction

The idenprotect Core Platform can integrate with an external CA or use its own internal CA. Not all parameters are required for all CA types; the sections below list the parameters that apply to each.

Other CA configuration related articles: Certificate Authority Profile Name Configuration and Certificate Authority Stores Configuration.

For more information on specific Certificate Authorities, see one of the following articles:

Configurable Settings

General Settings

  • CA Server Configuration in the idenprotect Core Platform Admin Console CONFIG Tab
  • Server file system in /etc/idenprotect/ca.properties

Parameters for CA (name in the Config Tab, followed by the key in the properties file and a description):
  • Certificate Authority (CA) Server Type (ca.backend): the type of CA used by the idenprotect Core Platform. Valid values are internal, ejbca, soap and MicrosoftCertServ.
  • Elliptic Curve Signing Algorithm (ca.ec.signature.algo): signing algorithm used for EC signatures.
  • RSA Signing Algorithm (ca.rsa.signature.algo): signing algorithm used for RSA signatures.
  • Revocation Policy String (ca.revocation.policy): NONE = do not revoke certificates; NOT_EPHEMERAL = revoke all except ephemeral certificates; ALL = revoke all certificates.

Internal CA specific settings

These properties will only show if the Certificate Authority Server Type has been set to internal.

  • CA Server Configuration in the idenprotect Core Platform Admin Console Config Tab
  • Server file system in /etc/idenprotect/ca.properties

Parameters for Internal CA (name in the Config Tab, followed by the key in the properties file and a description):
  • CRL Distribution Point (internal.ca.crl): location of the CRL. Needs to be set if certificates from the Internal CA are allowed to be revoked. Default: https://{host}/public/crl.crl

EJBCA specific settings

These properties will only show if the Certificate Authority Server Type has been set to EJBCA.

  • CA Server Configuration in the iDENprotectserver Admin Console Config Tab
  • Server file system in /etc/idenprotect/ca.properties

Parameters for EJBCA (name in the Config Tab, followed by the key in the properties file and a description):
  • CA Name (ca.name): the name of the EJBCA server.
  • EJBCA Plugin URL (ca.backend.ejbca.plugin.url): URL of the EJBCA plugin.
  • EJBCA WS Url (ca.backend.ejbca.ws.url): web services URL of the EJBCA server.

SOAP specific settings

These properties will only show if the Certificate Authority Server Type has been set to soap.

  • CA Server Configuration in the iDENprotectserver Admin Console Config Tab
  • Server file system in /etc/idenprotect/ca.properties

Parameters for SOAP (name in the Config Tab, followed by the key in the properties file and a description):
  • CA End User Endpoint (ca.backend.soap.ephemeral): destination for ERSA certificate signings.
  • SOAP Server Certificate Profile (ca.backend.soap.serverprofile): the certificate profile to be used when signing the SOAP certificate.
  • CA Device Endpoint (ca.backend.soap.device): destination for Secure Enclave certificate signings.

Microsoft specific settings

These properties will only show if the Certificate Authority Server Type has been set to MicrosoftCertServ.

  • CA Server Configuration in the iDENprotectserver Admin Console Config Tab
  • Server file system in /etc/idenprotect/ca.properties

Parameters for Microsoft (name in the Config Tab, followed by the key in the properties file and a description):
  • Certificate Server Allow Self Signed Certificates (ca.backend.certserv.allow.self.signed.certs): set to true to allow connections over https protected with self-signed certificates.
  • Certificate Server Host (ca.backend.certserv.host): hostname or IP address of the Cert Services host.
  • Certificate Server Password (ca.backend.certserv.password): password of the account used to access Certificate Services.
  • Certificate Server Port (ca.backend.certserv.port): port used to access Cert Services.
  • Certificate Server Protocol (ca.backend.certserv.protocol): protocol used, http or https.
  • Certificate Server User (ca.backend.certserv.username): username of the account used to access Certificate Services.
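As an added example (not part of the knowledge base or the idenprotect product), the following Python script reads a ca.properties file, checks that the keys listed above for the selected ca.backend are present, and flags the settings a reviewer would question before going live: a revocation policy of NONE, an internal CA with no CRL location while revocation is enabled, and a MicrosoftCertServ backend reached over http or with self-signed certificates allowed. The sample properties are constructed, and treating each backend's listed keys as required is an assumption.

```python
import configparser
# Constructed sample of /etc/idenprotect/ca.properties (not from a real deployment).
SAMPLE_PROPERTIES = """\
ca.backend=MicrosoftCertServ
ca.revocation.policy=NONE
ca.backend.certserv.host=certsrv.example.internal
ca.backend.certserv.port=80
ca.backend.certserv.protocol=http
ca.backend.certserv.username=svc-idenprotect
ca.backend.certserv.password=PLACEHOLDER
ca.backend.certserv.allow.self.signed.certs=true
"""
# Keys the page lists for each ca.backend value; treating them as required is an assumption.
BACKEND_KEYS = {
    "internal": [],
    "ejbca": ["ca.name", "ca.backend.ejbca.plugin.url", "ca.backend.ejbca.ws.url"],
    "soap": ["ca.backend.soap.ephemeral", "ca.backend.soap.serverprofile",
             "ca.backend.soap.device"],
    "MicrosoftCertServ": ["ca.backend.certserv.host", "ca.backend.certserv.port",
                          "ca.backend.certserv.protocol", "ca.backend.certserv.username",
                          "ca.backend.certserv.password"],
}

def load_properties(text):
    """Parse flat key=value properties into a dict, keeping key case as written."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string("[ca]\n" + text)  # configparser needs a section header
    return dict(parser["ca"])

def audit(props):
    """Return findings for incomplete or weak CA settings; an empty list means clean."""
    findings = []
    backend = props.get("ca.backend")
    if backend not in BACKEND_KEYS:
        return [f"ca.backend must be one of {sorted(BACKEND_KEYS)}, got {backend!r}"]
    for key in BACKEND_KEYS[backend]:
        if not props.get(key):
            findings.append(f"{key} is listed for ca.backend={backend} but is unset")
    policy = props.get("ca.revocation.policy", "").upper()
    if policy == "NONE":
        findings.append("ca.revocation.policy=NONE: issued certificates can never be revoked")
    if backend == "internal" and policy != "NONE" and not props.get("internal.ca.crl"):
        findings.append("internal.ca.crl must be set when internal CA certificates can be revoked")
    if backend == "MicrosoftCertServ":
        if props.get("ca.backend.certserv.protocol", "").lower() != "https":
            findings.append("certserv.protocol is not https: CA credentials and CSRs travel in clear")
        if props.get("ca.backend.certserv.allow.self.signed.certs", "").lower() == "true":
            findings.append("allow.self.signed.certs=true: the Cert Services endpoint is not verified")
    return findings
```

Running audit(load_properties(open("/etc/idenprotect/ca.properties").read())) on a server prints nothing for a clean configuration and one line per finding otherwise.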


Testing The Connection

Once you have set and committed your settings you can test the connection by pressing the Test Certificate Signing button.

This submits a certificate signing request to the CA server using the saved settings. It attempts to use the template associated with the Secure Enclave certificate, with a CN of "Test Certificate".

(Screenshot: CertConnectonTest.png)

A pop-up window shows the pass/fail result of the test signing. In the event of failure, the idenprotect logs (or the CA server logs) should help diagnose the reason for the failure.