Certificate Authority Server Configuration
If you have not made any configuration changes yet, please see How to make configuration changes
Introduction
The idenprotect Core Platform can integrate with an external CA or use its own internal CA. Not every parameter is required for every CA type: the general settings below apply to all types, and each type then has its own section of additional settings.
Other CA configuration articles are Certificate Authority Profile Name Configuration and Certificate Authority Stores Configuration.
For more information on specific Certificate Authorities, see one of the following articles:
- Internal Certificate Authority
- EJBCA
- Soap Services Certificate Authority
- Microsoft Certificate Services Certificate Authority
Configurable Settings
General Settings
These settings can be changed in either of two places:
- CA Server Configuration in the idenprotect Core Platform Admin Console CONFIG tab
- The server file system, in /etc/idenprotect/ca.properties
| Parameter in Config Tab | Parameter in Properties File | Description |
|---|---|---|
| Certificate Authority (CA) Server Type | ca.backend | The type of CA used by the idenprotect Core Platform. Valid values: internal, ejbca, soap and MicrosoftCertServ |
| Elliptic Curve Signing Algorithm | ca.ec.signature.algo | Signing algorithm used for EC signatures |
| RSA Signing Algorithm | ca.rsa.signature.algo | Signing algorithm used for RSA signatures |
| Revocation Policy String | ca.revocation.policy | NONE = do not revoke certificates; NOT_EPHEMERAL = revoke all certificates except ephemeral ones; ALL = revoke all certificates |
Internal CA specific settings
These properties are shown only when the Certificate Authority (CA) Server Type has been set to internal. They are set in the same two places as the general settings (the Admin Console CONFIG tab, or /etc/idenprotect/ca.properties).

| Parameter in Config Tab | Parameter in Properties File | Description |
|---|---|---|
| CRL Distribution Point | internal.ca.crl | Location of the CRL, which relying parties use to check whether a certificate issued by the internal CA has been revoked. Must point at a reachable URL whenever certificates from the internal CA can be revoked (ca.revocation.policy other than NONE). Default: https://{host}/public/crl.crl |
EJBCA specific settings
These properties are shown only when the Certificate Authority (CA) Server Type has been set to ejbca. They are set in the same two places as the general settings (the Admin Console CONFIG tab, or /etc/idenprotect/ca.properties).

| Parameter in Config Tab | Parameter in Properties File | Description |
|---|---|---|
| CA Name | ca.name | The name of the CA on the EJBCA server |
| EJBCA Plugin URL | ca.backend.ejbca.plugin.url | URL of the EJBCA plugin |
| EJBCA WS URL | ca.backend.ejbca.ws.url | Web services URL of the EJBCA server |
SOAP specific settings
These properties are shown only when the Certificate Authority (CA) Server Type has been set to soap. They are set in the same two places as the general settings (the Admin Console CONFIG tab, or /etc/idenprotect/ca.properties).

| Parameter in Config Tab | Parameter in Properties File | Description |
|---|---|---|
| CA End User Endpoint | ca.backend.soap.ephemeral | Destination for ERSA certificate signings |
| SOAP Server Certificate Profile | ca.backend.soap.serverprofile | The certificate profile to be used when signing the SOAP certificate |
| CA Device Endpoint | ca.backend.soap.device | Destination for Secure Enclave certificate signings |
Microsoft specific settings
These properties are shown only when the Certificate Authority (CA) Server Type has been set to MicrosoftCertServ. They are set in the same two places as the general settings (the Admin Console CONFIG tab, or /etc/idenprotect/ca.properties).

| Parameter in Config Tab | Parameter in Properties File | Description |
|---|---|---|
| Certificate Server Allow Self Signed Certificates | ca.backend.certserv.allow.self.signed.certs | Set to true to allow an https connection to a Certificate Services host that presents a self-signed certificate. This disables validation of the host's TLS certificate, so leave it false outside test environments |
| Certificate Server Host | ca.backend.certserv.host | Hostname or IP address of the Certificate Services host |
| Certificate Server Password | ca.backend.certserv.password | Password of the account used to access Certificate Services. Because this value can be stored in /etc/idenprotect/ca.properties, restrict who can read that file |
| Certificate Server Port | ca.backend.certserv.port | Port used to access Certificate Services |
| Certificate Server Protocol | ca.backend.certserv.protocol | Protocol used to reach Certificate Services: http or https. Use https; with http the connection, including the authentication exchange, is unencrypted |
| Certificate Server User | ca.backend.certserv.username | Username of the account used to access Certificate Services |
Testing The Connection
Once you have set and committed your settings, you can test the connection by pressing the Test Certificate Signing button.
This submits a certificate signing request to the CA server using the saved settings. It uses the template associated with the Secure Enclave certificate, with a CN of "Test Certificate".
A pop-up window shows the pass/fail result of the test signing. If it fails, the idenprotect logs (or the CA server's own logs) should help diagnose the reason.
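Before pressing Test Certificate Signing it is worth checking the saved ca.properties for the mistakes that most often make the test fail, or that leave the CA connection weaker than it should be. The script below is an added example written for this article, not a tool shipped with the idenprotect Core Platform. It uses only the parameter names and accepted values from the tables above (the general, internal, EJBCA, SOAP and Microsoft settings). The two sample files it writes are constructed for the demonstration: a Microsoft Certificate Services backend over plain http with self-signed certificates allowed and the password missing, and the same deployment corrected. The hostname certsrv.corp.example, the account name and the password value are placeholders.

```shell
#!/bin/sh
# lint_ca_properties.sh - added example for this article, not part of the
# idenprotect Core Platform. Reads a ca.properties file and reports values the
# platform does not accept, required backend settings that are missing, and
# settings that weaken the connection to an external CA.

# Print the value of key $2 from properties file $1 (last definition wins, empty if unset).
prop() {
  grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# Report key $2 as an ERROR if it is absent from file $1; $3 names the backend for the message.
require() {
  [ -n "$(prop "$1" "$2")" ] && return 0
  echo "ERROR $2 is required when ca.backend=$3 but is not set"
  return 1
}

# Lint one file. Prints one finding per line (ERROR ... / WARN ...).
# Exit status is 1 if any ERROR was found, 0 otherwise.
lint_ca_properties() {
  f=$1; rc=0
  backend=$(prop "$f" ca.backend)
  case "$backend" in
    internal|ejbca|soap|MicrosoftCertServ) ;;
    *) echo "ERROR ca.backend='$backend' is not internal, ejbca, soap or MicrosoftCertServ"; rc=1 ;;
  esac
  policy=$(prop "$f" ca.revocation.policy)
  case "$policy" in
    ''|NONE|NOT_EPHEMERAL|ALL) ;;
    *) echo "ERROR ca.revocation.policy='$policy' is not NONE, NOT_EPHEMERAL or ALL"; rc=1 ;;
  esac
  case "$backend" in
    internal)
      # The CRL distribution point matters as soon as certificates can be revoked.
      if [ -n "$policy" ] && [ "$policy" != NONE ] && [ -z "$(prop "$f" internal.ca.crl)" ]; then
        echo "WARN internal.ca.crl not set; the default https://{host}/public/crl.crl will be used"
      fi ;;
    ejbca)
      for k in ca.name ca.backend.ejbca.plugin.url ca.backend.ejbca.ws.url; do
        require "$f" "$k" ejbca || rc=1
      done
      case "$(prop "$f" ca.backend.ejbca.ws.url)" in
        https://*|'') ;;
        *) echo "WARN ca.backend.ejbca.ws.url is not https://; signing requests would travel unencrypted" ;;
      esac ;;
    soap)
      for k in ca.backend.soap.ephemeral ca.backend.soap.device ca.backend.soap.serverprofile; do
        require "$f" "$k" soap || rc=1
      done ;;
    MicrosoftCertServ)
      for k in ca.backend.certserv.host ca.backend.certserv.port \
               ca.backend.certserv.username ca.backend.certserv.password; do
        require "$f" "$k" MicrosoftCertServ || rc=1
      done
      proto=$(prop "$f" ca.backend.certserv.protocol)
      case "$proto" in
        https) ;;
        http) echo "ERROR ca.backend.certserv.protocol=http: the connection to Certificate Services, including authentication, is unencrypted"; rc=1 ;;
        *) echo "ERROR ca.backend.certserv.protocol='$proto' is not http or https"; rc=1 ;;
      esac
      if [ "$(prop "$f" ca.backend.certserv.allow.self.signed.certs)" = true ]; then
        echo "WARN ca.backend.certserv.allow.self.signed.certs=true disables validation of the Certificate Services host's TLS certificate"
      fi ;;
  esac
  return $rc
}

# Constructed sample (not a real deployment): Microsoft backend over plain http,
# self-signed certificates allowed, and the password left out.
SAMPLE_WEAK=${TMPDIR:-/tmp}/ca.properties.weak.$$
cat > "$SAMPLE_WEAK" <<'EOF'
ca.backend=MicrosoftCertServ
ca.revocation.policy=NOT_EPHEMERAL
ca.backend.certserv.host=certsrv.corp.example
ca.backend.certserv.port=80
ca.backend.certserv.protocol=http
ca.backend.certserv.allow.self.signed.certs=true
ca.backend.certserv.username=CORP\idp-enroll
EOF

# The same deployment with the three problems fixed (placeholder password).
SAMPLE_FIXED=${TMPDIR:-/tmp}/ca.properties.fixed.$$
sed -e 's/port=80/port=443/' -e 's/protocol=http/protocol=https/' \
    -e 's/allow.self.signed.certs=true/allow.self.signed.certs=false/' \
    "$SAMPLE_WEAK" > "$SAMPLE_FIXED"
echo 'ca.backend.certserv.password=example-only' >> "$SAMPLE_FIXED"

# On a server you would run: lint_ca_properties /etc/idenprotect/ca.properties
lint_ca_properties "$SAMPLE_WEAK" || echo "fix the ERROR lines above before pressing Test Certificate Signing"
```

ERROR lines are values the platform does not accept, required settings for the selected backend that are missing, or the cleartext http protocol; WARN lines are settings that work but weaken trust in the CA connection, such as accepting a self-signed TLS certificate from the Certificate Services host. The weak sample produces two ERROR lines and one WARN line; the corrected sample produces none.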