0% found this document useful (0 votes)

188 views

PKI Server Configuration Guide-4.12

Uploaded by

Vinod Hanumantharayappa

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

188 views

PKI Server Configuration Guide-4.12

Uploaded by

Vinod Hanumantharayappa

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 86

OpenTrust PKI 4.

12 Server
Configuration Guide
OpenTrust PKI 4.12 Server Configuration Guide
Release Date: 2019-04-25

IDnomic 175 rue Jean-Jacques Rousseau

CS 70056
92138 Issy-les-Moulineaux Cedex
France
www.idnomic.com

Copyright © 2019 Keynectis SA. All Rights Reserved.

This software package (“Product”), including its related documentation, is protected by copyright and may be protected
by patent.

Restricted Rights. The Product and its associated documentation are the exclusive property of IDnomic (trade name
of Keynectis SA) and its own licensors or other software vendors. They are intended to be used exclusively by holders
of a valid license to use the Product documented herein (hereinafter designated as "Licensee"). Licensee is granted a
personal, non-exclusive and non-assignable right to use the Product, in executable code form, in accordance with the
associated documentation, exclusively as defined in the usage conditions of the license agreement signed with IDnomic
or in the IDnomic General License Terms. Moreover, Licensee shall not remove or modify any trademark, copyright
or other intellectual proprietary rights notices of IDnomic or its licensors contained in the Product components and the
associated documentation.

Confidentiality. The Product and its associated documentation, including technical features, specifications, policies,
technical manuals (installation, operating, administration and use guides), training materials, instructions, requirements,
algorithms, computer programs, models and drawings provided or made available by IDnomic, contain valuable
and confidential information which is proprietary to IDnomic or its licensors and which constitutes trade secrets and
unpublished copyrighted material of IDnomic or its licensors (collectively designated as the "Proprietary Information").
Therefore, Licensee shall (i) not disclose, directly or indirectly, the Proprietary Information obtained from IDnomic to any
other person or entity, (ii) protect the Proprietary Information with at least the same degree of care and confidentiality as
it affords its own confidential information, at all times exercising at least a reasonable degree of care in such protection,
(iii) not print, to copy or reproduce, on any medium whatsoever, all or part of Proprietary Information without the prior
written consent of IDnomic and (iv) not publish, post or distribute all or part of Proprietary Information without the prior
written agreement of IDnomic. The Licensee acknowledges that IDnomic and its own licensors shall have the right to
take all reasonable steps to protect its Proprietary Information, including, but not limited to, injunctive relief and any
other remedies as may be available at law or in equity in the event that the Licensee does not fulfill its obligation of
confidentiality.

Warranty. IDNOMIC DOES NOT WARRANT THAT THE PRODUCT AND ITS ASSOCIATED DOCUMENTATION
ARE ERROR FREE. THEY ARE PROVIDED "AS IS" AND IDNOMIC DISCLAIMS ALL WARRANTIES AND
RERESENTATIONS OF ANY KIND WHATSOEVER, WHETHER EXPRESS OR IMPLIED, WITH RESPECT TO
THE PRODUCT AND ITS DOCUMENTATION, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF
MERCHANTABILITY, SATISFACTORY QUALITY OR FITNESS FOR A PARTICULAR PURPOSE, WARRANTIES
ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. FURTHERMORE, IDNOMIC DOES NOT
WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE USE OR THE RESULTS OF THE USE OF THE
PRODUCT OR RELATED DOCUMENTATION IN TERMS OF THEIR CORRECTNESS, ACCURACY, RELIABILITY OR
OTHERWISE.

Limited Liability. IDnomic shall not be liable for any direct, indirect, consequential, incidental or other damages, either
in contract or tort, whatsoever, arising from or connected with the usage of the documentation even if IDnomic has been
advised of the possibility of such damages.

Changes. Any information contained in the documentation can be amended and modified by IDnomic at any time and
without notice.

Trademarks. IDnomic® is a trademark of Keynectis SA registered in France, in the European Union, in the United
States and other countries.

All other brands, company name or product names contained in the Product and/or in the associated documentation may
be registered as trademarks or trade names of their respective owners.
Contents
Preface ................................................................................................................................................. v
1. Related IDnomic Documentation ............................................................................................................................................... v
1.1. Related OpenTrust PKI Documentation .............................................................................................................................................................................. v
2. Resources ................................................................................................................................................................................... v
2.1. Contact Customer Service .................................................................................................................................................................................................. v
2.2. Provide Documentation Feedback ...................................................................................................................................................................................... v
3. Document Conventions ............................................................................................................................................................. vi
Chapter 1. Manage CAs ......................................................................................................................... 7
1.1. Manage Internal CAs .............................................................................................................................................................. 7
1.1.1. Create an Internal CA ...................................................................................................................................................................................................... 7
1.1.1.1. Begin Internal CA Creation ............................................................................................................................................................................. 7
1.1.1.2. Choose Internal CA Certificate Signing Method ............................................................................................................................................. 8
1.1.1.3. Complete Internal CA Creation ..................................................................................................................................................................... 11
1.1.2. View Internal CAs ........................................................................................................................................................................................................... 13
1.1.3. Edit an Internal CA ......................................................................................................................................................................................................... 13
1.1.4. Delete a Pending Internal CA ........................................................................................................................................................................................ 14
1.1.5. View and Issue CRLs for Internal CAs ......................................................................................................................................................................... 15
1.1.6. Manage Internal CA Certificates .................................................................................................................................................................................... 15
1.1.6.1. Renew CA Certificates .................................................................................................................................................................................. 15
1.1.6.2. Re-sign CA Certificates ................................................................................................................................................................................. 15
1.1.6.3. Revoke CA Certificates ................................................................................................................................................................................. 16
1.2. Manage External CA Configurations .................................................................................................................................... 16
1.2.1. Trust/Register an External CA ....................................................................................................................................................................................... 17
1.2.2. Use Registered External CA Configurations ................................................................................................................................................................. 18
1.2.3. Obtain Registered External CA Configurations from the OpenTrust PKI CA Component ............................................................................................ 19
1.3. Synchronize CA Configurations ............................................................................................................................................ 19
Chapter 2. Configure Certificate Management Profiles ............................................................................ 21
2.1. Configure Standard Directory Components ......................................................................................................................... 21
2.1.1. Configure an LDAP Directory Connection ..................................................................................................................................................................... 21
2.1.2. Configure/Add a Datasource .......................................................................................................................................................................................... 23
2.1.2.1. Understand Datasources ............................................................................................................................................................................... 23
2.1.2.2. Configure a Datasource ................................................................................................................................................................................ 23
2.1.3. Configure an Authentication Scheme ............................................................................................................................................................................ 24
2.2. Configure Optional Certificate Management Profile Components ....................................................................................... 25
2.2.1. Configure a Password Policy ......................................................................................................................................................................................... 25
2.2.2. Configure Browser Usage .............................................................................................................................................................................................. 26
2.2.3. Configure Metadata Types ............................................................................................................................................................................................. 29
2.2.4. Configure Holder Match Settings ................................................................................................................................................................................... 30
2.2.5. Enable Publication of Certificates and CRLs to Directories .......................................................................................................................................... 32
2.2.6. Configure SCEP Policies ............................................................................................................................................................................................... 34
2.2.7. Configure Automatic Emails ........................................................................................................................................................................................... 35
2.2.8. Create Certificate Categories ......................................................................................................................................................................................... 37
2.3. Create a Certificate Management Profile ............................................................................................................................. 37
2.3.1. Configure the General Settings ..................................................................................................................................................................................... 38
2.3.2. Configure an Enrollment Method ................................................................................................................................................................................... 39
2.3.3. Configure Additional Enrollment Options ....................................................................................................................................................................... 44
2.3.4. Configure Renewal Options ........................................................................................................................................................................................... 47
2.3.5. Configure Key Pair Recovery Options ........................................................................................................................................................................... 48
2.3.6. Configure Revocation Options ....................................................................................................................................................................................... 49
2.3.7. Configure Certificate Extension Requirements .............................................................................................................................................................. 50
2.3.8. Configure Subject DN Components ............................................................................................................................................................................... 52
2.4. Import or Export Certificate Management Profile Component Configurations ..................................................................... 53
2.4.1. Export Certificate Management Profile Component Configurations .............................................................................................................................. 54
2.4.2. Import Certificate Management Profile Component Configurations .............................................................................................................................. 54

Chapter 3. Review Module Settings ...................................................................................................... 55

3.1. Configure CA Component's Module Settings ....................................................................................................................... 55
3.2. Configure RA Component's Module Settings ....................................................................................................................... 55
3.2.1. Configure RA Module Settings ...................................................................................................................................................................................... 55
3.2.2. Configure Publication Module Settings .......................................................................................................................................................................... 56
3.2.3. Configure Auto-Enrollment Proxy Module Settings ....................................................................................................................................................... 57
3.3. Configure EE Component's Module Settings ....................................................................................................................... 57
Chapter 4. Renew Internal Certificates .................................................................................................. 59
Chapter 5. Use the Server Administration UI Tools ................................................................................. 63
5.1. Restart the Application .......................................................................................................................................................... 63
5.2. Restart Services .................................................................................................................................................................... 63
5.3. Configure Email Notifications for Internal Modules Certificates Expiration .......................................................................... 64
5.4. Customize the Settings for Output to Syslog ....................................................................................................................... 64
5.4.1. Select the Events to Send to Syslog ............................................................................................................................................................................. 65
5.4.2. Choose a Facility ............................................................................................................................................................................................................ 65
5.4.3. Restrict Syslog Reporting ............................................................................................................................................................................................... 65

OpenTrust PKI 4.12 Server Configuration Guide iii

5.5. Hide or Display Stack Trace Errors ..................................................................................................................................... 66
5.6. Set Date and Time Format ................................................................................................................................................... 66
5.7. Enable Reverse Proxy Compatibility .................................................................................................................................... 66
5.8. Configure Consolidation Intervals ......................................................................................................................................... 67
5.9. Use the IDnomic Support Tool ............................................................................................................................................. 68
5.10. Synchronize RA Configuration ............................................................................................................................................ 68
5.11. Configure and Use SNMP Monitoring ................................................................................................................................ 68
5.11.1. Configure SNMP Monitoring ......................................................................................................................................................................................... 69
5.11.2. Configure the SNMP Dashboard .................................................................................................................................................................................. 70
5.11.3. Use the SNMP Dashboard ........................................................................................................................................................................................... 71

Chapter 6. Use the Audit Logs User Interface ........................................................................................ 73

6.1. Search for Log Entries .......................................................................................................................................................... 73
6.2. Search for Logs Using an Identifier ..................................................................................................................................... 74
6.3. Download the Audit Log Files .............................................................................................................................................. 74
6.4. Verify Log Signatures ............................................................................................................................................................ 74
6.5. Save and Re-use Log Searches .......................................................................................................................................... 75
6.6. Email a Log Entry ................................................................................................................................................................. 75
6.7. Set the Logs Consolidation Interval ..................................................................................................................................... 75
Chapter 7. Use the Automated Scripts .................................................................................................. 77
Chapter 8. Manage Rights .................................................................................................................... 79
8.1. Configure Zones .................................................................................................................................................................... 79
8.2. Configure Groups .................................................................................................................................................................. 80
8.3. Configure Rights ................................................................................................................................................................... 81
8.4. Display Assigned Rights ....................................................................................................................................................... 82
Appendix A. Supported Formats for Subject DN Elements and Subject Alternative Names ........................ 83
A.1. Subject DN Elements ........................................................................................................................................................... 83
A.2. Subject Alternative Names ................................................................................................................................................... 83
A.3. Validation Types .................................................................................................................................................................... 84
Appendix B. Configure Apache as a Reverse Proxy Server With OpenTrust PKI ...................................... 85
B.1. Configure Apache ................................................................................................................................................................. 85
B.2. Set Up a Cron Job to Update Certificate Revocation Lists ................................................................................................. 86

iv OpenTrust PKI 4.12 Server Configuration Guide

Preface
The following sections contain preface information:

• “Related IDnomic Documentation” on page v

• “Resources” on page v

• “Document Conventions” on page vi

1. Related IDnomic Documentation

1.1. Related OpenTrust PKI Documentation
The following documents are included in the OpenTrust PKI documentation set:

• Release Notes - The release notes provide a summary of the new features and changes to existing features
between the previous and most recent versions of OpenTrust PKI. The release notes also contain a list of resolved
issues and known issues, and any late-breaking information that is important to know but is not included in other
documentation.

• Server Installation and Upgrade Guide - This guide provides a comprehensive set of instructions for installing or
upgrading to the latest version of the OpenTrust PKI.

• System Maintenance Guide - This guide should be used by the administrators responsible for maintaining the
OpenTrust PKI host environment and performing system maintenance such monitoring application services,
performing backup and recovery procedures, and evaluating log files.

• Lifecycle Administrator Guide - This guide is intended for administrators who manage the certificate lifecycle by
creating and issuing certificates, and performing recovery and revocation procedures. This guide also contains the
instructions lifecycle administrators can give to certificate holders who need to participate in the administration of
their certificates.

• SOAP Developer Guide - This guide is a reference tool for the SOAP Connectors Application Programming
Interface, which allows external applications - such as OpenTrust CMS, Identity & Access Management (IAM)
platforms, customer care and support applications, and reporting tools - to interact with OpenTrust PKI.

• Audit Logs Guide - This guide is for administrators, software consultants, or developers who need to understand
the OpenTrust PKI audit log system. It contains a general overview of the OpenTrust PKI audit log concepts and
architecture, detailed descriptions of audit events and alerts recorded by the OpenTrust PKI, the structure of the
audit log SQL database for developers or software architects planning to use the log module's SQL database for
reporting purposes, sample log event message XML, and sample syslog output.

2. Resources
Please use the information provided to contact the appropriate IDnomic department or representative.

2.1. Contact Customer Service

Support Web Site, including the Support Download Site https://support.idnomic.com/ (Login requires a
username and password)
Email [email protected]

2.2. Provide Documentation Feedback

As part of an ongoing process to create documentation that is easy to understand and use, as well as relevant
to audience roles as administrator users, we welcome feedback about this guide. Please email any comments or
suggestions to: [email protected]

OpenTrust PKI 4.12 Server Configuration Guide v

Preface Document Conventions

3. Document Conventions
IDnomic documentation uses typographical conventions with specific meanings. These conventions are described in the
following table.

Convention How It Is Used

bold Indicates the most important part of a step in step-based instructions. Example: Click
the OK button.
italic Indicates a reference to another document or guide. Example: See the Release
Notes. Indicates the name of an access right. Example: The unlock right allows an
administrator to help an end user unlock a smart card.
monospaced font Indicates a file name, directory name or path, code examples and elements, application
output, and user-entered text. Example: Save the file in the /webserver directory.
italicized monospaced font Indicates an environment-specific or implementation-specific variable. Example: Save
the file in the root_directory/webserver directory.
Important: Contains important information that must be paid attention to. Failure to do so may
have a negative impact on the application.
Note: Contains valuable supplementary information.
Tip: Contains helpful information that may be useful, for example, a shortcut or another way
of performing a task.

vi OpenTrust PKI 4.12 Server Configuration Guide

1 Manage CAs

Administrators can perform the following tasks related to managing CAs:

• “Manage Internal CAs” on page 7

• “Manage External CA Configurations ” on page 16

• “Synchronize CA Configurations” on page 19

1.1. Manage Internal CAs

To manage internal CAs, administrators can:

• “Create an Internal CA” on page 7

• “View Internal CAs ” on page 13

• “Edit an Internal CA” on page 13

• “View and Issue CRLs for Internal CAs” on page 15

• “Manage Internal CA Certificates” on page 15

1.1.1. Create an Internal CA

CAs are initially added to the OpenTrust PKI during the initialization process described in the OpenTrust PKI Server
Installation and Upgrade Guide. Administrators may want to configure the OpenTrust PKI to use additional CAs at
some point after installation. Administrators then have the option to create additional internal CAs, as described in this
section, or to register existing CAs that are external to the OpenTrust PKI server application, as described in “Trust/
Register an External CA” on page 17. In multi-host server environments, internal CAs are created only on the
OpenTrust PKI CA component and can then be shared with the non-CA OpenTrust PKI components when the non-CA
OpenTrust PKI components are synchronized with the OpenTrust PKI CA component, as described in “Synchronize CA
Configurations” on page 19. Internal CAs are trusted during the creation process. Administrators have the option to
later untrust internal CAs, as described in “Edit an Internal CA” on page 13.

To create an internal CA, administrators need to:

• “Begin Internal CA Creation” on page 7

• “Choose Internal CA Certificate Signing Method” on page 8

◦ “Self-sign or Sign with a Local CA” on page 9

◦ “Sign with an External CA” on page 10

• “Complete Internal CA Creation” on page 11

1.1.1.1. Begin Internal CA Creation

To begin to create an internal CA:

1. Log in to the user interface for the OpenTrust PKI CA component as an administrator with the Access right.
If the initial administration certificate has not yet been deleted, an administrator using the initial administration
certificate can also perform this task.

2. Navigate to the Certification Authority | CA Management | Create a CA page.

3. On the CA Creation page, in the CA Identifier field, enter a name for the CA.

4. Click OK.

5. On the Create a CA: CA Name page, to select a Key Type, choose:

OpenTrust PKI 4.12 Server Configuration Guide 7

Chapter 1. Manage CAs Create an Internal CA

• RSA Software

• DSA Software that was installed as described in the "Install the ECDSA Package" section of the OpenTrust
PKI Server Installation and Upgrade Guide.

• ECDSA Software that was installed as described in the "Install the ECDSA Package" section of the OpenTrust
PKI Server Installation and Upgrade Guide.

• the Hardware Security Module (HSM) that was installed on the host server for the CA component of the
OpenTrust PKI, as described in the "Integrate with a Hardware Security Module" section of the OpenTrust PKI
Server Installation and Upgrade Guide.

If an HSM was not installed on the host server for the CA component of the OpenTrust PKI, only software options
will be available for the Key Type. If an ECDSA package was not installed on all servers hosting OpenTrust PKI
components, the ECDSA option will not be available for the Key Type. If neither an ECDSA package nor an HSM
were installed, unless using a legacy environment that requires DSA Software, administrators using software
keys should choose RSA Software.

6. Complete the additional configuration fields that correspond to the Key Type selected:

• Key Size - If RSA or DSA was selected as the Key Type, choose an encryption level for the CA's private key.
Selecting a larger key size will result in a more secure CA. It may take a longer time to generate larger, more
secure keys and to sign certificates with this CA.

• Curve - If ECDSA Software was selected as the Key Type, choose a supported ECDSA curve to be used to
sign the private key for the CA being created. This drop-down menu is only displayed when ECDSA Software
is selected as the Key Type.

• Additional Hardware Security Module Configuration Fields - If an HSM was selected as the Key Type,
complete any additional configuration fields for the HSM in consultation with an assigned IDnomic technical
representative.

7. Click OK.

8. On the Choose DN and Signature Parameters page, select the DN components to be included in the DN of the
certificate created for the CA and in the Issuer DN of all certificates created by the CA. Use the plus and minus
signs to add and remove DN components from the list. Use the up and down arrows to determine the order in
which the DN components will be included in the DN of the certificate created for the CA and in the Issuer DN of
all certificates created by the CA.

To use the Organization Identifier as a subject DN component, the add-on eIDAS .rpm must be applied. Contact
an assigned IDnomic technical representative for more information.

9. For each selected DN component, enter a meaningful value.

10. Choose to leave UTF8 encoding enabled or to Disable UTF8 Encoding. Most implementations will benefit
from UTF8 encoding and this option should not be selected without consulting an assigned IDnomic technical
representative.

11. Click OK.

12. Continue to “Choose Internal CA Certificate Signing Method” on page 8.

1.1.1.2. Choose Internal CA Certificate Signing Method

To select the signing method for the internal CA's certificate:

1. All CAs are required to have an identifying certificate. As part of the certificate creation process, certificates must
obtain a signature from a CA. The application creating the certificate uses a certificate signing request (CSR) to
obtain the signature for a certificate. The CA-provided signature allows the certificate to be recognized as valid.
On the Certificate Signing Parameters page, choose how the CSR for the certificate being generated for the
OpenTrust PKI CA will be signed:

• Signed by an External CA - If the CA being created will use a CA external to the OpenTrust PKI as a the
signing CA for the OpenTrust PKI and the CA being created will need to request a certificate signature from
the external signing CA, select this option.

• Self-signed - If the CA being created will be a root CA for the OpenTrust PKI, select this option to enable the
CA being created to sign its own certificate signing request.

8 OpenTrust PKI 4.12 Server Configuration Guide

Create an Internal CA Chapter 1. Manage CAs

• Signed by a Local CA - If the CA being created will request its certificate signature from a CA that has
already been created using the OpenTrust PKI, select this option. This option will only be available if a CA has
already been created for the OpenTrust PKI.

2. Click OK and continue to the section that corresponds to the selected certificate signing method:

• “Self-sign or Sign with a Local CA” on page 9

• “Sign with an External CA” on page 10

1.1.1.2.1. Self-sign or Sign with a Local CA

To sign an internal CA certificate by self-signature or with a local CA:

1. If "self-signed" or "signed by a local CA" was not selected as the signature method, continue to Step
1 on page 10. If "self-signed" or "signed by a local CA" was selected as the signature method for the CSR of
the certificate for the CA being created, on the Self-signature page or the Issuer CA Choice page, configure the
required certificate information for the CA certificate:

a. List CAs - If "signed by a local CA" was selected as the signature method for the CSR of the certificate
for the CA being created, select the local CA to use to sign the certificate for the CA being created. If "self-
signed" was selected as the signature method for the CSR of the certificate for the CA being created, skip
this step.

b. Validity (In Days or YYYY-MM-DD) - Enter the number of days the certificate will be valid or enter an
expiration date for the certificate.

c. Hash Function - Select a supported hash function to use to sign the certificate for the CA being created.
For help selecting the hash function most appropriate for the CA being created, contact an assigned
IDnomic technical representative.

d. Randomly Chosen CA Serial Number - If "self-signed" was selected as the signature method, select this
option to attribute a random serial number to the self-signed CA certificate.

• CA Serial Number Prefix - Only displays if the previous option is selected. A prefix may be added to the
random serial number of the self-signed CA certificate. The prefix can either be the hash of the CA's DN,
or a custom string of characters. To use a custom prefix, fill in the corresponding field.

Note: The Custom Prefix field may only contain the following characters: 0123456789abcdef. It
can contain 8 characters maximum.

Then configure the optional extensions for the CA certificate:

• Key Identifiers:

◦ Subject Key Identifier - Subject key identifiers are used to identify certificates that contain a common public
key used by an application. Subject key identifiers are added to certificates through certificate extensions.
To include a non-critical subject-key-identifier certificate extension in the certificate being created for the CA,
select the "Include a Subject Key Identifier in certificates created with this certificate management profile"
option. To create the certificate without a subject-key-identifier certificate extension, de-select the "Include a
Subject Key Identifier in certificates created with this certificate management profile" option.

◦ Authority Key Identifier - Authority key identifiers are used to identify the public key that corresponds to
the private key used to sign a certificate. Authority key identifiers are added to certificates through certificate
extensions. To include a non-critical authority-key-identifier certificate extension in the certificate being
created for the CA, select Signing CA's SKI, which will generate a unique authority key identifier for the
signing CA's public key. Use of the Signing CA's SKI option is strongly recommended for all certificates.
Administrators can select Signing CA's Serial Number and Issuer DN to add the Signing CA's Serial Number
and Issuer DN to the authority key identifier. To prevent future interoperability issues, use of the Signing CA's
Serial Number and Issuer DN option is not recommended. To create the certificate without an authority-key-
identifier certificate extension, de-select the Signing CA's SKI and Signing CA's Serial Number and Issuer
DN options.

OpenTrust PKI 4.12 Server Configuration Guide 9

Chapter 1. Manage CAs Create an Internal CA

in valid certification paths. Basic constraints are added to certificates through certificate extensions. The
certificate being created will automatically be identified as being for a CA. To specify the maximum number
of non-self-issued intermediate CA certificates that may follow the CA certificate being created, in valid
certification paths, select a Certification Path Length.

• CRL Distribution Point - CRL distribution points are locations from which CRLs can be obtained. To include
a CRL distribution point in the certificate being created for the CA, enter a URI from which the CRL of the CA
signing the certificate can be downloaded. The option to use this extension will not be available if self-signed
was selected as the signature method for the CSR of the certificate for the CA being created.

• Authority Information Access - Authority information access extensions contain information about how
to access information and services, such as online validation services and CA certificates, for the CA that
creates the certificate in which the extension appears. The option to use this extension will not be available if
self-signed was selected as the signature method for the CSR of the certificate for the CA being created. To
include an authority information access extension in the certificate for the CA being created, select the method
to use to access the authority information:

◦ OCSP Service - Select this option when revocation information for the certificate in which this extension will
be included can be obtained using an OCSP responder integrated with the OpenTrust PKI. If this option is
selected, for the address, enter the URI of the OCSP service for the OCSP responder. To include more than
one URI for an OCSP service in the extension, click Add More and select the OCSP service option again.

◦ Authority Certificate - Select this option to include a URI from which to obtain the certificate of the CA
being used to sign the certificate in which the extension will be included. The certificate for the CA being
used to sign the certificate can be used to help certificate users select a certification path that terminates at
a point trusted by the certificate user. If this option is selected, for the address, enter the URI from which the
CA certificate can be obtained in the form of a DER file. To include multiple CA certificate addresses in the
authority information access extension, when the CA certificate can be obtained from more than one URI,
click Add More and select the authority certificate option again.

• Certificate Policies - Certificate policies extensions contain information about the policy used to create a
certificate. Certificate policy extensions are comprised of one or more policy information terms, each of which
consists of an object identifier (OID) and optional qualifiers. In a CA certificate, policy information terms limit
the set of policies for certification paths that include the certificate. In an end entity certificate, these policy
information terms indicate the policy under which the certificate has been issued and the purposes for which
the certificate may be used. To add a certificate policy extension to the certificate being created for the CA,
enter any meaningful value for the Policy Identifier OID. The OpenTrust PKI supports the Struct and Address
qualifiers for certificate policies extensions. If a supported qualifier should also be added to the certificate
extension, choose a qualifier and configure the options for the qualifier:

◦ Address - To include, in the certificate being created for the CA, the URI of a Certification Practice
Statement (CPS) published by the signing CA, select Address and enter the URI from which the CPS can be
downloaded.

◦ Struct - To include general information about the certificate policy being used to create the CA certificate,
enter information in any of the optional fields:

▫ Organization - Enter the name of the organization that created the certificate policy. If this option is
configured, Notice Numbers must also be configured.

▫ Notice Numbers - Enter a number associated with the certificate policy. To enter more than one number
associated with the policy, separate the numbers with commas. If this option is configured, Organization
must also be configured.

▫ Text - Enter any meaningful text related to the certificate policy.

2. Click OK and continue to “Complete Internal CA Creation” on page 11.

1.1.1.2.2. Sign with an External CA

To sign an internal CA certificate with an external CA:

1. If "signed by an external CA" was selected as the signature method for the CSR of the certificate for the CA
being created, on the Download File/Upload File page, click the Download Link and Save the .csr file.

2. Leave the user interface of the OpenTrust PKI CA component on which the CA is being created, log in to user
interface of the external PKI as an administrator with CSR signing rights, and use the downloaded .csr file to
obtain a signed certificate for the CA being created. It is possible to use the Offline CA product as the external
signing CA.

10 OpenTrust PKI 4.12 Server Configuration Guide

Create an Internal CA Chapter 1. Manage CAs

3. Once the signature request has been signed and a signed certificate file is available for the CA being
created, return to the user interface of OpenTrust PKI CA component on which the CA is being created as an
administrator with the Configuration right for the CA component and navigate to the Certificate Authority | CA
Management | List CAs page.

4. On the List CAs page, in the "List of Certificate Authorities being created." area, in the row that corresponds to
the CA for which the signed certificate was obtained, in the Actions column, click Add This CA.

5. On the Certificate Signing Parameters page, select Signed by an External CA.

6. Click OK.

7. On the Download File/Upload File page, select a method to access the file containing the signed certificate for
the CA being created, encoded in PEM, DER, or PKCS#7 format and thus typically using a .pem, .der, or .p7b
extension. It is possible for the file containing the certificate, encoded in PEM, DER, or PKCS#7 format, to use an
alternate file extension, such as .crt.

• Local Path - If the file containing the new CA's certificate has been copied to a directory on the machine
where the browser being used to access the user interface for the OpenTrust PKI CA component is installed or
is located on a USB key connected to the machine where the browser being used to access the user interface
for the OpenTrust PKI CA component is installed, enter or browse to and select the directory path and file
name of the file containing the new CA's certificate.

• URL - If the file containing the new CA's certificate is accessible from a server location,
enter the fully-qualified domain name, file path, and file name in the form of a URL such as
https://fqdnofserverhostingcacertificate/certs/CAcertificate.p7b.

8. Click Upload File.

9. On the File Hash Details page, review the file hash details and the details of the certificate being imported for the
new CA, and then click Import.

10. Leave the user interface for the OpenTrust PKI CA component to obtain the certificate and CRL location for
the external signing CA.

11. To register and trust the CA that signed the certificate for the newly created CA, return to the user interface for
the OpenTrust PKI CA component with the certificate and CRL location for the signing CA and complete the
instructions in “Trust/Register an External CA” on page 17.

12. Continue to “Complete Internal CA Creation” on page 11.

1.1.1.3. Complete Internal CA Creation

To complete the creation of an internal CA:

1. On the CA Configuration page, accept or modify the default values for the CA:

• CRL Name - Enter a name for the CA's Certificate Revocation List, appended by .crl. The default CRL
name is the CN of the CA's certificate DN. The CRL's name is used to make the CRL file available via HTTP
on all of the servers hosting OpenTrust PKI components. For example, if the fully-qualified domain name of
the server hosting the OpenTrust PKI EE component is pkiee, the CRL will be available for download at
http://pkiee.com/crl_name.crl.

• Certificates Default Validity Duration - Certificates created by the CA will be valid for the period of time
entered unless the certificate management profile the CA uses to create the certificate specifies a different
validity duration.

• CRL Validity Duration - The CRL issued by the CA will be valid for the period of time entered. IDnomic
recommends that the entered validity period be at least two days so that in case of a server failure, the CRL
will not become invalid while the server is being restored and the CRL cannot be automatically updated.
The CRL is automatically updated every day and after each certificate revocation while the server is
operating correctly unless an administrator disables the CRL update functionality when editing the advanced
configuration options for an internal CA, as described in Step 5 on page 14.

• Hash Function - Select the hash algorithm to use to sign certificates and CRLs created by the CA.

• Backdate Certificates (Seconds) - If the validity start time for certificates created by the CA should be
backdated, enter the number of seconds by which to backdate the certificates created by the CA. This option
can be used to ensure the validity of a certificate when the certificate needs to registered or enrolled on

OpenTrust PKI 4.12 Server Configuration Guide 11

Chapter 1. Manage CAs Create an Internal CA

another server whose clock time may not exactly match the time set on the OpenTrust PKI server clock, such
as in the case of enrolling a Blackberry user's certificate on a BES server.

• Set the Microsoft "crlNextPublish" CRL extension - Select this option to enable the Microsoft
"crlNextPublish" CRL extension. This non-critical CRL extension indicates the date and time when the CA will
publish a new CRL.

• Set the "expiredCertsOnCRL" CRL extension - Select this option to enable the "expiredCertsOnCRL"
CRL entry extension. This non-critical CRL entry extension can be used to list all revoked certificates, both
unexpired and expired since the CA creation date.

• Issue Certificates with Randomly Chosen Serial Number - If this option is selected, the certificates issued
by the CA will have random serial numbers instead of sequential serial numbers.

Important: Once a CA has been configured to issue certificates with random serial numbers, it is
impossible to re-configure it to issue certificates with sequential serial numbers.

◦ Certificates Serial Numbers Prefix - Only displays if the previous option is selected. A prefix may be
added to the random serial numbers of the certificates issued by the CA. The prefix can either be the hash
of the CA's DN, or a custom string of characters. To use a custom prefix, fill in the corresponding field.

Note: The Custom Prefix field may only contain the following characters: 0123456789abcdef. It can
contain 8 characters maximum.

• Set as Default CA - Select this option to make the CA being created the default CA for the OpenTrust PKI.
The default CA is selected by default in the default certificate profiles and is the CA selected by default when
selecting a CA to use to renew and sign internal certificates and to sign the initial administrator .p12 file
for the PKI. This option will only be available if a CA has already been created for the OpenTrust PKI or an
external CA has been trusted by the OpenTrust PKI.

• Generate an Exchange Certificate - Select this option to allow key archival with the Auto-Enrollment Proxy
for the CA.

Important: For key archival with the Auto-Enrollment Proxy to be effective, the corresponding
option must be selected in the properties of the associated Windows Certificate Template (see the
"Certificate Template Options" section of the AEP Server Configuration Guide). This feature requires
Auto-Enrollment Proxy version 2.3 or higher.

2. Click Save.

3. If the "Generate an Exchange Certificate" option was not selected, skip this step and continue to Step
4 on page 12. If the option was selected, configure the properties of the exchange certificate:

a. Select the AEP compatible option. This option fills in the parameters that are required to make the
exchange certificate compatible with the Auto-Enrollment Proxy.

b. Enter the URI of the CRL distribution point.

c. Enter the URI of the authority certificate.

d. Click OK.

4. View the "The Certificate Authority has been successfully created." success message.

5. After the success message is displayed, restart the httpd service on the server hosting the OpenTrust PKI
CA component and restart the ocsp service on the server hosting the OpenTrust PKI RA component. These
services can be restarted using the instructions found in the "Restart Services" section of the OpenTrust PKI
Server Configuration Guide .

6. To configure additional options for a newly created internal CA, follow the instructions in “Edit an Internal
CA” on page 13.

7. To add additional CAs to the OpenTrust PKI, return to Step 2 on page 7 and repeat the procedures. In
environments where the OpenTrust PKI CA component is not hosted on the same server as the OpenTrust PKI
RA, EE, or Logs components, to make a newly created CA available to the OpenTrust PKI RA, EE, or Logs
components, continue to “Synchronize CA Configurations” on page 19.

12 OpenTrust PKI 4.12 Server Configuration Guide

View Internal CAs Chapter 1. Manage CAs

1.1.2. View Internal CAs

Administrators with the Access right for the OpenTrust PKI CA component can view detailed information about the
internal CAs that have been created for the OpenTrust PKI and the internal CAs that are in the process of being created
on the OpenTrust PKI CA.

To view the list of CAs or the configuration details for a particular CA:

2. Navigate to the Certificate Authority | CA Management | List CAs page.

3. On the List CAs page, view the summary details for existing CAs and CAs in progress.

4. To view more details for a fully-configured internal CA, in the Actions column for the CA, select one of the
following options:

• View Certificate Details - displays the CA's certificate in PEM format and more detailed information about to
the CA's certificate than is displayed in the summary information on the List CAs page

• Exchange Certificate Details - displays the CA's exchange certificate in PEM format and additional
information about the exchange certificate. This option is only available for CAs that have an exchange
certificate.

• View CRL Details - displays the CA's CRL in PEM format and detailed information about the CRL

• Configure - displays detailed information about the CA configuration, including the trusted or untrusted status
of the CA

1.1.3. Edit an Internal CA

Administrators with the Access right for the OpenTrust PKI CA component can change the configuration options for an
internal CA, including the basic configuration options that were initially configured when the CA was created and a few
advanced CA configuration options that are only available once the internal CA is created.

To edit the configurable properties for an internal CA:

2. Navigate to the Certificate Authority | CA Management | List CAs page.

3. On the List CAs page, in the Actions column for the CA, select Configure.

4. On the Configuration Options page, make changes to any of the following configuration options:

• CRL Name - Enter a name for the CA's Certificate Revocation List, appended by .crl. The default CRL name
is the CN of the CA's certificate DN.

• CRL Validity Duration - The CRL issued by the CA will be valid for the period of time entered. IDnomic
recommends that the entered validity period be at least two days so that in case of a server failure, the CRL
will not become invalid while the server is being restored. The CRL is automatically updated every day and
after each certificate revocation while the server is operating correctly unless an administrator disables the
CRL update functionality when editing the advanced configuration options for an internal CA, as described in
Step 5 on page 14.

• Hash Function - Select the hash algorithm to use to sign certificates and CRLs created by the CA.

OpenTrust PKI 4.12 Server Configuration Guide 13

Chapter 1. Manage CAs Delete a Pending Internal CA

another server whose clock time may not exactly match the time set on the OpenTrust PKI server clock, such
as in the case of enrolling a Blackberry user's certificate on a BES server.

• Issue Certificates with Randomly Chosen Serial Number - If this option is selected, the certificates issued
by the CA will have random serial numbers instead of sequential serial numbers.

Important: Once a CA has been configured to issue certificates with random serial numbers, it is
impossible to re-configure it to issue certificates with sequential serial numbers.

Note: The Custom Prefix field may only contain the following characters: 0123456789abcdef. It can
contain 8 characters maximum.

• Set as Default CA - Select this option to make the CA the default CA for the OpenTrust PKI. The default CA
is selected by default in the default certificate profiles and is the CA selected by default when selecting a CA to
use to renew and sign internal certificates and to sign the initial administrator .p12 file for the OpenTrust PKI.

• Regenerate an Exchange Certificate - Select this option to revoke the previous exchange certificate and
generate a new one.

5. On the Configuration Options page, administrators may also configure any of the following advanced options:

• Trust this Authority - Trust or untrust the CA. Trusted CAs can be used to verify the certification path of a
user's certificate, which ensures the validity of the certificates used to log in to the OpenTrust PKI.

• Disable Periodic CRL Generation - Disables or enables the daily automatic updates of the CRL.

• Disable CRL Generation on Revocation - Disables or enables the automatic CRL update that occurs every
time a certificate issued by the CA is revoked.

6. Once the modifications are made, click Save.

7. If the "Regenerate an Exchange Certificate" option was selected, configure the properties of the exchange
certificate:

a. Select the AEP compatible option. This option fills in the parameters that are required to make the
exchange certificate compatible with the Auto-Enrollment Proxy.

b. Enter the URI of the CRL distribution point.

c. Enter the URI of the authority certificate.

d. Click OK.

1.1.4. Delete a Pending Internal CA

Administrators with the Access right for the OpenTrust PKI CA component can delete a pending internal CA, which
is a CA that is not fully created because it does not yet have a signed certificate and has not yet been added to the
OpenTrust PKI database.

To delete a pending internal CA:

2. Navigate to the Certificate Authority | CA Management | List CAs page.

3. On the List CAs page, in the Actions column for the CA, click Remove.

4. On the "Remove this pending CA?" confirmation pop-up, click Yes.

14 OpenTrust PKI 4.12 Server Configuration Guide

View and Issue CRLs for Internal CAs Chapter 1. Manage CAs

5. To verify that the pending CA was deleted, view the updated list of CAs.

1.1.5. View and Issue CRLs for Internal CAs

Administrators can view and update the CRLs for internal CAs. The CRLs for internal CAs are automatically updated
every day and are valid until the expiration time set in the configuration of the "CRL Validity Duration," which
was configured in Step 1 on page 11 and can be edited as described in “Edit an Internal CA” on page 13.
Administrators may want to issue new CRLs before the next automatically scheduled update; for example, when
a certificate has been revoked and the CA is not configured to update the CRL automatically after every certificate
revocation.

To view and/or update a CRL for an internal CA:

1. Log in to the user interface for an OpenTrust PKI CA component as an administrator with the Access right. If
the initial administration certificate has not yet been deleted, an administrator using the initial administration
certificate can also perform this task.

2. Navigate to the Certificate Authority | CRL | Manage CRL page.

3. On the Manage CRL page, in the CRL drop-down menu, select the CA that maintains the CRL to be viewed or
updated.

4. To view the CRL details or update the CRL associated with the selected CA, click one of the following buttons:

• Display - displays the selected CA's CRL in PEM format and detailed information about the CRL

• Issue - updates the CRL associated with the selected CA

1.1.6. Manage Internal CA Certificates

Administrators may occasionally need to perform the following administrative tasks for internal CA certificates:

• “Renew CA Certificates ” on page 15

• “Re-sign CA Certificates ” on page 15

• “Revoke CA Certificates ” on page 16

1.1.6.1. Renew CA Certificates

Administrators can renew internal CA certificates. All of the certificates that have been issued by an internal CA whose
certificate is expired will be considered invalid, so administrators must renew the certificate for an internal CA before
the certificate expires. When an internal CA certificate is renewed, the certificate maintains the same key pair, DN,
and certificate extensions as were created when the certificate was initially signed. The validity duration applied to the
renewal will be a duplicate of the originally requested validity duration. For example, if an internal CA certificate was
originally valid for a period of three months, the internal CA certificate will be renewed for a period of three months. To
change the signing CA, DN, certificate extensions, or validity duration of the certificate, the certificate must be re-signed
using the instructions in “Re-sign CA Certificates ” on page 15.

To renew a certificate for an internal CA:

2. Navigate to the Certification Authority | CA Management | List CAs page.

3. On the List CAs page, in the Actions column for the CA, select Renew.

4. On the Renew the Certification Authority page, click Renew the Certification Authority. This option will only be
available if the certificate for the internal CA has a status of Not Revoked.

5. View the "Here is the new Certification Authority certificate." success message.

1.1.6.2. Re-sign CA Certificates

Administrators can re-sign an internal CA certificate to change the signing CA, DN, certificate extensions, or validity
duration of the certificate.

OpenTrust PKI 4.12 Server Configuration Guide 15

Chapter 1. Manage CAs Manage External CA Configurations

To re-sign a certificate for an internal CA:

2. Navigate to the Certification Authority | CA Management | List CAs page.

3. On the List CAs page, in the Actions column for the CA, select Renew.

4. On the Renew the Certificate Authority page, click Re-sign the Certification Authority.

5. The remainder of the certificate re-signing process is the same as the process used to sign the original certificate
for the internal CA. Follow the instructions used to create an internal CA, starting with Step 1 on page 8.

Note: The httpd and ocsp services do not need to be restarted when re-signing internal certificates.

1.1.6.3. Revoke CA Certificates

Administrators can revoke internal CA certificates (self-signed and signed by an internal CA). All of the certificates that
have been issued by an internal CA whose certificate is revoked will be considered invalid.

To revoke a certificate for an internal CA:

2. Navigate to the Certification Authority | CA Management | List CAs page.

3. On the List CAs page, in the Actions column for the CA, select Revoke.

4. On the Revoke a CA page, in the Reason drop-down menu, select a reason for the revocation.

5. In the Comment text box, to record any pertinent information related to the revocation, enter free-form
comments.

6. Click OK.

7. View the "The Certificate Authority has been successfully revoked." success message.

8. For all certificate management profiles that used the CA whose certificate was revoked, change the selected
CA or disable the certificate management profiles to prevent enrollment issues. All certificate holders whose
certificates were generated by a revoked CA must request a new certificate, as certificates signed by a revoked
CA will be considered invalid and cannot be used to authenticate to the OpenTrust PKI.

1.2. Manage External CA Configurations

External CAs are used to declare the full certification path of an internal CA's certificate. By registering the external CA
that signed the internal CA's certificates, the full certification path of a user's certificate can be verified by the OpenTrust
PKI, which ensures the validity of every certificate issued by the OpenTrust PKI.

In an extreme example of how the certification path validity can be applied, if the external CA that signed the certificate
for a unique internal CA of an OpenTrust PKI revokes the internal OpenTrust PKI CA's certificate, the internal OpenTrust
PKI CA's certificate would be in the external signing CA's CRL, making all certificates that were signed by the internal CA
with the now revoked certificate invalid, so the holders of these certificates would be unable to connect to the OpenTrust
PKI.

External CAs can also be used to authenticate certificate holders to the OpenTrust PKI, but holders of certificates issued
by external CAs cannot be assigned rights within the OpenTrust PKI without a customized OpenTrust PKI extension.
Contact an assigned IDnomic technical representative for more information about customized extensions.

Administrators can perform the following tasks related to external CAs:

• “Trust/Register an External CA” on page 17

• “Use Registered External CA Configurations” on page 18

16 OpenTrust PKI 4.12 Server Configuration Guide

Trust/Register an External CA Chapter 1. Manage CAs

• “Obtain Registered External CA Configurations from the OpenTrust PKI CA Component” on page 19

1.2.1. Trust/Register an External CA

CAs are initially added to the OpenTrust PKI during the initialization process described in the OpenTrust PKI Server
Installation and Upgrade Guide. Administrators may want to configure the OpenTrust PKI to use additional CAs at some
point after installation. Administrators then have the option to create additional internal CAs, as described in “Create
an Internal CA” on page 7, or to register existing CAs that are external to the OpenTrust PKI server application. To
be able to verify the certification path of certificates issued by an internal CA whose certificate was signed by external
CA, the OpenTrust PKI needs to register and trust the external CA that issued the internal CA's certificate. External
CAs can be registered from the user interface for any server hosting OpenTrust PKI components. In multi-host server
environments, external CAs are registered only on the OpenTrust PKI component that registered the external CA unless
the external CA is registered on the OpenTrust PKI CA and then one of the non-CA OpenTrust PKI components is
synchronized with the OpenTrust PKI CA component, as described in “Synchronize CA Configurations” on page 19
. External CAs are trusted during the registration process. Administrators have the option to later untrust registered
external CAs, as described in “Use Registered External CA Configurations” on page 18.

To register and trust an external CA:

1. Log in to the user interface for the OpenTrust PKI CA, RA, EE, or Logs component on which the external CA will
be trusted as an administrator with the Server Management right. If the initial administration certificate has not
yet been deleted, an administrator using the initial administration certificate can also perform this task.

2. Navigate to the Server Management | Trust & Internal Certificates | Trusted External CAs page.

3. On the Trust Management page, to begin the process of trusting an external CA, click Trust an External CA.

4. On the Upload File page, select a method to access the file containing the certificate for the external CA,
encoded in PEM or DER format and thus typically using a .pem or .der extension. It is possible for the file
containing the certificate, encoded in PEM or DER format, to use an alternate file extension, such as .crt.

• Local Path - If the file containing the external CA's certificate has been copied to a directory on the machine
where the browser being used to perform these steps is installed, enter or browse to and select the directory
path and file name of the file containing the external CA's certificate.

• URL - If the file containing the external CA's certificate is accessible from a server location,
enter the fully-qualified domain name, file path, and file name in the form of a URL such as
https://fqdnofserverhostingcacertificate/certs/CAcertificate.der.

5. Click Upload File.

6. On the File Hash Details page, review the file hash details, the details of the external CA certificate being
imported, confirm that the CA identifier displayed is the CA identifier of the external CA, and click Add this CA.

7. View the "Certificate Authority has been successfully added to the list of trusted CAs." success message and, in
the "Please restart httpd service to take the modifications into account." message, click restart.

8. On the Restart page, follow the instructions in the "Restart Services" section of the OpenTrust PKI Server
Configuration Guide , selecting httpd as the service to restart.

9. To add a CRL to the newly trusted CA, navigate to the Server Management | Trust & Internal Certificates |
Trusted External CAs page.

10. On the Trust an External CA page, select the newly trusted external CA.

11. On the Trust Management page, in the CRL area, click Add.

12. In the CRL Name field, verify that the CRL name is correct.

13. Choose a method to use to register the external CA's CRL:

• Enter a Download URL:

1. In the Download URL field, enter the URL from which the trusted external CA's CRL can be downloaded.

2. To test the entered CRL Download URL, click Test.

3. View the "CRL Fetch Successful" success message.

OpenTrust PKI 4.12 Server Configuration Guide 17

Chapter 1. Manage CAs Use Registered External CA Configurations

4. Click Save.

• Upload the CRL Manually:

1. Click Upload Manually.

2. On the Upload File pop-up, select a method to access the file containing the CRL for the external CA,
encoded in PEM or DER format and thus typically using a .pem or .der extension. It is possible for the file
containing the CRL for the external CA, encoded in PEM or DER format, to use an alternate file extension,
such as .crt.

◦ Local Path - If the file containing the external CA's CRL has been copied to a directory on the machine
where the browser being used to perform these steps is installed, enter or browse to and select the
directory path and file name of the file containing the external CA's CRL.

◦ URL - If the file containing the external CA's CRL is accessible from a server location,
enter the fully-qualified domain name, file path, and file name in the form of a URL such as
https://fqdnofserverhostingcacertificate/certs/CAcertificate.pem.

3. Click Upload File.

4. On the CRL Details pop-up, verify that the displayed information is correct and click OK.

1.2.2. Use Registered External CA Configurations

Administrators who have registered external CAs in the OpenTrust PKI to authenticate holders of certificates issued
by an external CA may need to access, update, or review the information in the external CA configuration periodically.
In multi-host server environments, registered external CA configurations can only be accessed on the same server as
the OpenTrust PKI component that trusted the external CA during the registration process described in “Trust/Register
an External CA” on page 17 unless the external CA was registered on the server hosting the OpenTrust PKI CA
component and a server hosting OpenTrust PKI RA, EE, or Logs components is synchronized with the OpenTrust PKI
CA, as described in “Synchronize CA Configurations” on page 19. Registered external CAs can be accessed to allow
administrators to perform the following tasks related to external CAs:

• trust or untrust the external CA

• update the CRL name and location for the external CA

• download the certificate for the external CA

• download the CRL for the external CA

• display the last 20 certificates revoked by the external CA

Note: Changes made to registered external CA configurations are applied to the registered external CA
configuration on the host server for the OpenTrust PKI component on which the changes are made. If the
registered external CA configuration has been synched to other OpenTrust PKI components, the configurations
on the other OpenTrust PKI components for the same registered external CA will remain unchanged unless the
same changes are manually applied on the other OpenTrust PKI components.

To use the functionality available for registered external CAs:

1. Log in to the user interface for an OpenTrust PKI component that contains a registered external CA configuration
as an administrator with the Server Management right. If the initial administration certificate has not yet been
deleted, an administrator using the initial administration certificate can also perform this task.

2. Navigate to the Server Management | Trust & Internal Certificates | Trusted External CAs page.

3. On the Trusted External CAs page, select a registered external CA.

4. On the Certificate and CRL page for the CA, use any of the available functionality:

• To trust or untrust the external CA, select or deselect the Trust this Authority checkbox.

• To update the CRL name for the external CA, in the CRL Name row of the CRL table, edit the CRL name.

• To update the CRL location for the external CA, in the Download URL field of the CRL table, follow the
instructions in Step 13 on page 17.

18 OpenTrust PKI 4.12 Server Configuration Guide

Obtain Registered External CA Configurations from the OpenTrust PKI CA Component Chapter 1. Manage CAs

• To download the certificate for the external CA, click "Download this Certificate."

• To download the CRL for the external CA, click "Download this CRL."

• To display the last 20 certificates revoked by the external CA, click "Show the last 20 revoked certificates."

1.2.3. Obtain Registered External CA Configurations from the OpenTrust PKI

CA Component
To obtain registered external CA configurations from the OpenTrust PKI CA component:

• Follow the instructions in “Synchronize CA Configurations” on page 19.

1.3. Synchronize CA Configurations

In multi-host server environments where the OpenTrust PKI CA component is not hosted on the same server as the
OpenTrust PKI RA, EE, or Logs components, if internal CAs are added to the OpenTrust PKI after the initialization
process described in the OpenTrust PKI Server Installation and Upgrade Guide using the instructions in “Create an
Internal CA” on page 7, administrators who need the CA configurations to be available on the OpenTrust PKI
RA, EE, or Logs components can synchronize the non-CA components with the CA component. Once synchronized
from the CA component to the RA and EE components, internal CAs will be available for use in configuring Certificate
Management Profiles on the RA and for use in certificate lifecycle management tasks on the RA and EE components.
Once synchronized from the CA component to a non-CA component, a trusted internal CA can authenticate certificate
holders on the non-CA component.

In multi-host server environments, registered external CA configurations can only be accessed on the same server as
the OpenTrust PKI component that trusted the external CA during the registration process described in “Trust/Register
an External CA” on page 17 unless the external CA was registered on the server hosting the OpenTrust PKI CA
component and a server hosting OpenTrust PKI RA, EE, or Logs components is synchronized with the OpenTrust PKI
CA. Once synchronized from the CA component to a non-CA component, an internal CA whose certificate was signed by
a registered and trusted external CA can authenticate certificate holders on the non-CA component.

To synchronize the CA configurations on a non-CA OpenTrust PKI component with the CA configurations on
the CA component:

1. Log in to the user interface for the OpenTrust PKI RA, EE, or Logs components as an administrator with the
Server Management right. If the initial administration certificate has not yet been deleted, an administrator using
the initial administration certificate can also perform this task.

2. Navigate to the Server Management | Trust & Internal Certificates | CA Synchronization page.

3. On the CA Synchronization page, click Synchronize CA.

4. When the success message is displayed, restart the httpd service on the server on which the synchronization
was performed and restart the ocsp service on the server hosting the OpenTrust PKI RA component. These
services can be restarted using the instructions found in the "Restart Services" section of the OpenTrust PKI
Server Configuration Guide.

5. To verify that registered external CA configurations have been synchronized, in the user interface for the
OpenTrust PKI component to which the CA was synchronized, navigate to Server Management | Trust & Internal
Certificates | Trusted External CAs and view the list of registered external CAs. There is not a centralized user
interface location available to verify that internal CA configurations have been synchronized to OpenTrust
PKI RA, EE, and Logs components, but once synched, the internal CAs will be available for selection when
configuring Settings | Certificates | Certificate Management Profiles on the user interface for the server hosting
the RA component and in the user interface areas for certificate lifecycle administrators authenticated to the RA
and EE components.

Note: If configuration changes are made to a CA after it has been synched to other OpenTrust PKI components
and the changes need to be applied to the CA configuration on separately hosted OpenTrust PKI components,
the changes must be applied on the separately hosted components using the instructions in “Edit an Internal
CA” on page 13 for internal CAs and “Use Registered External CA Configurations” on page 18 for
registered external CAs.

OpenTrust PKI 4.12 Server Configuration Guide 19

This page intentionally left blank.

20 OpenTrust PKI 4.12 Server Configuration Guide

2 Configure Certificate Management
Profiles
To configure certificate management profiles, administrators:

• “Configure Standard Directory Components ” on page 21

• “Configure Optional Certificate Management Profile Components” on page 25

• “Create a Certificate Management Profile” on page 37

• “Import or Export Certificate Management Profile Component Configurations” on page 53

2.1. Configure Standard Directory Components

Administrators use these instructions to configure the standard directory components used in certificate management
profiles:

• “Configure an LDAP Directory Connection ” on page 21

• “Configure/Add a Datasource” on page 23

• “Configure an Authentication Scheme ” on page 24

2.1.1. Configure an LDAP Directory Connection

LDAP directories are used by the OpenTrust PKI server application to to pre-populate values for certificate request form
fields and search for certificate requesters/holders when used in association with datasources, to authenticate certificate
requesters during self-enrollment when used in association with authentication schemes, and to publish certificates
and CRLs using publication configurations. LDAP directories are required to create Datasources, as described in
“Configure/Add a Datasource” on page 23; Authentication Schemes, as described in “Configure an Authentication
Scheme ” on page 24; and Publication Configurations, as described in “Enable Publication of Certificates and CRLs
to Directories ” on page 32, and therefore should be configured before datasources, authentication schemes, and
publication configurations are configured.

To configure an LDAP directory connection:

1. Log in to the user interface for the RA component of the OpenTrust PKI as an administrator with the Profiles
Management right. If the initial administration certificate has not yet been deleted, an administrator using the
initial administration certificate can also perform this task.

2. Navigate to the Settings | Repositories | Directories page.

3. On the Directories page, choose to Create a New Directory Connection or to Modify, Copy, or Remove an
existing LDAP directory connection.

Note: An LDAP directory connection configuration cannot be removed if it is associated with a

datasource or publication configuration that is associated with a certificate management profile.

4. If the choice is to create a new LDAP directory connection or modify or copy an existing LDAP directory
connection, on the Edit an LDAP Directory page, configure the following LDAP directory connection options:

a. Name - Enter a name and description for the LDAP directory connection. The name and description will be
visible in other parts of the user interface, for example, when selecting which LDAP directory to use for a
particular datasource. Providing detailed information in the name field will make it easier to select the correct
LDAP directory in other parts of the user interface.

b. Connection Type - Select the security protocol to use when the RA or EE component of the OpenTrust PKI
connects to the LDAP directory:

OpenTrust PKI 4.12 Server Configuration Guide 21

Chapter 2. Configure Certificate Management Profiles Configure an LDAP Directory Connection

• Plain - Non-secured connection.

• SSL - The Secure Sockets Layer protocol is used to secure the connection between the RA or EE
component of the OpenTrust PKI and the LDAP directory.

• TLS - The Transport Layer Security protocol is used to secure the connection between the RA or EE
component of the OpenTrust PKI and the LDAP directory and prevents eavesdropping, tampering, and
message forgery using RSA encryption.

c. Host - Enter the fully-qualified domain name of the machine hosting the LDAP directory.

d. Port - Enter the port number on the server hosting the LDAP directory that the RA component of the
OpenTrust PKI should use for connections.

e. Authentication Type - Select the type of authentication to use when authenticating the RA or EE
component of the OpenTrust PKI to the LDAP directory.

• None - No authentication is performed. If None is selected, continue to Step 4.h on page 22.

• Password - The authentication is performed using the Bind DN and the Bind DN password. If Password is
selected as the authentication type, continue to Step 4.f on page 22.

• SSL - SSL authentication of the RA or EE component of the OpenTrust PKI to the LDAP directory server
is performed using SSL client identity parameters and a certificate that has been granted access rights to
the LDAP directory server. The certificate that has been granted rights to the LDAP server must be either
a PKCS#12 file or a certificate and private key in PEM format. If SSL is selected as the authentication
type, continue to Step 4.g on page 22.

f. To use Password for the authentication type, configure the following properties:

i. Bind DN - The Bind DN is a user name configured in the LDAP directory for a user who is permitted
to search the LDAP directory for OpenTrust PKI RA or EE administrators and certificate requesters/
holders. The user must also have write permissions if certificates and CRLs will be published to
the LDAP directory as described in “Enable Publication of Certificates and CRLs to Directories
” on page 32.

ii. Bind Password - Enter the password that corresponds to the Bind DN.

Continue to Step 4.h on page 22.

g. To use SSL for the authentication type, configure the following properties:

i. Click Add an SSL Client Identity.

ii. On the SSL Client Identity pop-up, select an authentication type and configure the required fields:

• PKCS#12:

◦ PKCS#12 File Path - Browse to and select or enter the directory path and file name for the
PKCS#12 file that has LDAP access rights.

◦ Password - Enter the password associated with the PKCS#12 file.

• Certificate and Private Key:

◦ Certificate File Path - Browse to or enter the directory path and file name for a certificate that has
LDAP access rights and the associated private key. The certificate must be in PEM format.

◦ Private Key File Path - Browse to or enter the directory path and file name for the private key
associated with the certificate. The private key must be in PEM format.

◦ Password -If there is a password for the private key, enter the password for the private key.

iii. Server Certificate's DN - Enter the DN of the certificate used to authenticate the LDAP directory
server to the RA or EE component of the OpenTrust PKI. The DN should be provided by the LDAP
administrator.

h. Base DN - Enter the Base DN of the LDAP directory.

22 OpenTrust PKI 4.12 Server Configuration Guide

Configure/Add a Datasource Chapter 2. Configure Certificate Management Profiles

i. Version - Choose the version of the LDAP protocol supported by the directory server.

j. Automatically Follow References to Other LDAP Servers - If the LDAP directory for which the connection
is being configured is integrated with other LDAP directories, select this option to allow connections to the
other LDAP directories. The configured authentication settings will be used on all referenced servers.

5. To verify that the settings have been entered correctly and the LDAP directory is accessible, click Test
Connection.

6. Click Save.

2.1.2. Configure/Add a Datasource

Administrators should review the section on how to “Understand Datasources ” on page 23 before attempting to
“Configure a Datasource” on page 23.

2.1.2.1. Understand Datasources

Datasources store user information. The standard implementation of a datasource is an LDAP user repository integrated
with the OpenTrust PKI. Datasources store user data, possibly including passwords. The OpenTrust PKI uses a
connection to a datasource to verify user identities and retrieve user attributes contained in the LDAP directory.
Datasources are extensible within the OpenTrust PKI. A customer may develop a specific datasource fitting particular
needs, such as a user directory only accessible via SOAP messages or a simple SQL database with an employee table
instead of an LDAP directory. For more information on datasource extensibility options, consult an assigned IDnomic
technical representative.

The OpenTrust PKI contains a pre-configured internal datasource which can be used to enroll SCEP devices. The default
configuration values of the internal SCEP datasource can be edited to include additional attributes.

Datasources are used to automatically complete the fields required for certificate requests - for example, to put the
certificate requester's common name in a certificate subject. The values required in certificate requests can be extracted
from one or more datasources. In the OpenTrust PKI user interface, datasources are associated with certificate
management profiles. Multiple datasources can be associated with a single certificate management profile.

If more than one datasource is associated with a certificate management profile, one datasource is designated as the
primary datasource and the other associated datasources are considered secondary datasources for the certificate
management profile. The primary datasource is the datasource selected in the enrollment method options for the
certificate management profile. Secondary datasources for the certificate management profile are datasources that
meet the following criterion: The secondary datasource configuration contains an identifier attribute that is selected
as an attribute in the primary datasource configuration. The attributes selected in the configurations for both primary
and secondary datasources are available for use in the OpenTrust PKI user interface to be dragged and dropped into
certificate management profile configuration fields.

2.1.2.2. Configure a Datasource

To configure a datasource:

2. Navigate to the Settings | Repositories | Datasources page.

3. On the Datasources page, choose to Create a New LDAP Datasource, to Modify, Copy, or Remove an
existing LDAP datasource, or to edit the internal SCEP datasource. If the choice is to edit the pre-configured
internal SCEP datasource, continue to Step 7 on page 24.

Note: An LDAP datasource cannot be removed if it is associated with a certificate management profile
or an authentication scheme that is associated with a certificate management profile.

4. If the choice is to create a new LDAP datasource or modify or copy an existing LDAP directory, on the LDAP
Datasource page, configure the following LDAP datasource options:

a. Name - Enter a name and description for the LDAP datasource. The name and description will be visible in
other parts of the user interface, for example, when selecting which LDAP datasource to use for a particular
certificate management profile. Providing detailed information in the name and description fields will make it
easier to select the correct LDAP datasource in other parts of the user interface.

OpenTrust PKI 4.12 Server Configuration Guide 23

Chapter 2. Configure Certificate Management Profiles Configure an Authentication Scheme

b. Connection Settings - Select the search criteria to use when the RA component of the OpenTrust PKI
connects to the LDAP datasource:

• Directory - Select a configured LDAP directory connection from the drop-down menu. All directory
connections that have been configured as described in “Configure an LDAP Directory Connection
” on page 21 will be available for selection.

• Search Constraints - This is a generic attribute and value user search filter. Administrators typically
enter: &(objectclass=person)(uid=*)

• Use DN Components - Select this option to include DN components in the list of values returned in the
search result sample.

• Test Search - Enter an attribute and value for performing a directory test search, without surrounding
parentheses. Administrators typically enter: uid=jdoe, where jdoe is the uid value of an entry in the
LDAP directory.

5. Click Search.

6. The search results are a list of user entry attributes from a sample datasource entry matching the search
criteria entered in the Connection Settings options. If the search criteria option to Use DN Components was
selected, the DN component attributes are displayed in the DN Components section of the table. To select
the fields available during searches and communication with the RA or EE component of the OpenTrust PKI
and to determine which LDAP attributes will be available to the OpenTrust PKI for use as default values for
DN components, form parameters and Subject Alternative Name components when generating certificate
requests, in the DN Components and LDAP Attributes sections of the table, select LDAP attributes and their
corresponding options and values. Use the More Details/Less Details toggle to display more or less LDAP
attributes. For descriptions of the columns, mouse over each column name.

7. If configuring an LDAP datasource, skip this step. To add attributes to the internal SCEP datasource, click
Add More. To remove attributes, use the X icon. Only attributes that have not been associated with a certificate
management profile can be deleted.

8. Click Save.

Note: Once a datasource has been saved, an administrator cannot deselect the associated identifiers.
To choose different identifiers, a new datasource must be created. If certificates have not yet been
created using the datasource, administrators can delete the datasource.

2.1.3. Configure an Authentication Scheme

When a certificate is created by the OpenTrust PKI, the certificate must be enrolled in a certificate management profile
which governs the options available to administrators and the certificate requester for certificate lifecycle events and
processes, such as whether an email address must be entered when requesting a certificate. Some of the enrollment
processes that can be configured for certificate management profiles use authentication schemes to allow certificate
requesters to authenticate using their LDAP credentials and to configure certificate passwords based on LDAP
credentials.

To configure an authentication scheme:

2. Navigate to the Settings | Repositories | Authentication Schemes page.

3. On the Authentication Schemes page, choose to Create a New Authentication Scheme or to Modify, Copy, or
Remove an existing authentication scheme.

Note: An authentication scheme cannot be removed if it is associated with a certificate management

profile.

4. If the choice is to create a new authentication scheme, select the type of authentication scheme to configure:

• LDAP - LDAP authentication schemes allow users to authenticate using the information stored
in an LDAP directory associated with a datasource, configured as described in “Configure/Add a
Datasource” on page 23.

24 OpenTrust PKI 4.12 Server Configuration Guide

Configure Optional Certificate Management Profile Components Chapter 2. Configure Certificate Management Profiles

• Master Password - If many SCEP devices will be enrolled, administrators may prefer to use a common
master password for all SCEP devices.

5. Click Create.

6. On the authentication scheme configuration page, enter a Name and Description for the authentication scheme.
The name and description will be visible in other parts of the user interface, for example, when selecting which
authentication scheme to use for a particular certificate management profile. Providing detailed information in the
name and description fields will make it easier to select the correct authentication scheme in other parts of the
user interface.

7. Configure the authentication scheme parameters required for the selected authentication scheme type:

• Datasource - From the drop-down menu, select a configured datasource. The directory associated with the
selected datasource must contain password entries for users who will become certificate holders.

• Master Password - Enter a custom master password or click Generate to generate a random master
password.

8. Click Save.

2.2. Configure Optional Certificate Management Profile

Components
Administrators can configure settings for the optional certificate management profile components:

• “Configure a Password Policy” on page 25

• “Configure Browser Usage ” on page 26

• “Configure Metadata Types” on page 29

• “Configure Holder Match Settings” on page 30

• “Enable Publication of Certificates and CRLs to Directories ” on page 32

• “Configure SCEP Policies” on page 34

• “Configure Automatic Emails” on page 35

• “Create Certificate Categories” on page 37

2.2.1. Configure a Password Policy

Password policies can be used to enforce password and revocation code restrictions on the certificates generated by
the OpenTrust PKI by associating a password policy with a certificate management profile, as described in “Create a
Certificate Management Profile” on page 37.

To create a password policy:

1. Log in to the user interface for an OpenTrust PKI RA component as an administrator with the Profiles
Management right. If the initial administration certificate has not yet been deleted, an administrator using the
initial administration certificate can also perform this task.

2. Navigate to the Settings | Policies | Password Policies page.

3. On the Password Policies page, choose to Create a New Password Policy or to Modify, Copy, or Remove an
existing password policy.

Note: A password policy cannot be removed if it is associated with a certificate management profile.

4. If the choice is to create a new password policy or modify or copy an existing password policy, on the Create a
New Password Policy page, configure the following password policy options:

a. Name and Title - Enter a name and title for the password policy. The name and title will be visible in other
parts of the user interface, for example, when selecting which password policy to use for a particular

OpenTrust PKI 4.12 Server Configuration Guide 25

Chapter 2. Configure Certificate Management Profiles Configure Browser Usage

certificate management profile. Providing detailed information in the name and title fields will make it easier
to select the correct password policy in other parts of the user interface. The default title will be displayed
in the user interface when language-specific titles have not been configured or when the language used
by a certificate requester or certificate holder is not included in the list of configured language-specific
titles. When language-specific titles have been configured, the language-specific titles will be displayed for
configured languages that correspond to the language used by a certificate requester or certificate holder
as set in the Web browser being used to access the OpenTrust PKI. It is possible to configure titles for
any language. To configure titles in an additional language, use the Add More button, enter a two-letter
abbreviation for the language in the drop-down menu, and enter the language-specific title in the text field.

b. Minimum Length - The minimum number of characters required in the password.

c. Maximum Length - The maximum number of characters allowed in the password.

d. Minimum Number of Unique Characters - The number of unique characters required in the password. For
example, if the maximum length is four characters and the minimum number of unique characters is four,
then each of the four numbers in the password must be unique, such as 1234. Another example would be
a password with a maximum length of seven characters and a minimum of four unique characters, where
1122334 would be a valid password.

e. Forbid Sequences - Forbid successive number and letter sequences, including both ascending and
descending sequences, such as 1234, 987654, ABCD, and DCBA.

f. Forbidden Passwords - Forbid specific password choices, such as 1234 or MYPASSWORD. Forbid
multiple passwords by separating them with a space or by entering each forbidden password on a separate
line, for example:
1234 MYPIN BADPIN 9876

or
1234
MYPIN
BADPIN
9876

5. Use Password Rules - To configure specific allowed characters or character subsets, select the Use Password
Rules checkbox. To configure multiple password rules, click Add More. To define the number of rules that must
be complied with, choose a number.

6. Click Save.

7. View the "The password policy has been correctly saved." success message.

2.2.2. Configure Browser Usage

Certificate management profile configurations can include browser usage policies. Within a browser usage policy,
administrators can decide which Web browsers to support when OpenTrust PKI processes require a cryptographic
function that uses an Active X control: private key generation for decentralized enrollment methods, certificate import to
Web browsers, PKCS#12 import with certificate chain to Web browsers, CA certificate import to Web browsers.

By default, in new installations of OpenTrust PKI versions 4.5.0 and higher, all of the pre-configured certificate
management profiles with a browser usage policy selection use the default browser usage policy and all new certificate
management profiles will use the EE browser usage policy. The EE browser usage policy is described in more detail in
“Configure EE Component's Module Settings ” on page 57. In upgrades from versions earlier than OpenTrust PKI
version 4.5.0, all of the pre-configured certificate management profiles with a browser usage policy selection use the
built-in browser usage policy and all new certificate management profiles will use the EE browser usage policy.

The default browser usage policy and the built-in browser usage policy contain the same settings. The default browser
usage policy settings can be edited whereas the built-in browser usage policy is not configurable.

The browser usage policy settings for Firefox cannot be configured and the unconfigurable behavior is as follows:

• Private keys and certificates are stored in the browser keystore (scope is Firefox-only, not the Windows user
context)

• Private key is not protected, by password or any other means.

• For centralized enrollment methods, the private key and certificate are imported manually into the browser.

26 OpenTrust PKI 4.12 Server Configuration Guide

Configure Browser Usage Chapter 2. Configure Certificate Management Profiles

Some settings will not work if the certificate requester has a limited account on the Windows machine. A browser usage
policy configuration for limited account users should include:

• User context

To configure a browser usage policy:

2. Navigate to the Settings | Policies | Browser Usage page.

3. On the Browser Usage page, choose to Create a New Browser Usage Policy or to Modify, Copy, or Remove
an existing browser usage policy.

Note: A browser usage policy cannot be removed if it is associated with a certificate management
profile. If the browser usage policy selected in the EE component's Module Settings configuration,
described in “Configure EE Component's Module Settings ” on page 57, is deleted, the built-in
browser usage policy will be used until the browser usage policy selection in the EE component's
Module Settings is reconfigured.

4. If the choice is to create a new browser usage policy or modify or copy an existing browser usage policy, on
the Create a New Browser Usage Policy page or the Edit Browser Usage Policy page, configure the following
browser usage policy options:

a. Enter a Name and Description for the browser usage policy. The name will be visible in other parts of the
user interface, when selecting which browser usage policy to associate with a certificate management profile
or which browser usage policy to select in the EE component's Module Settings. To make it easier to select
the correct browser usage policy in other parts of the user interface, provide detailed information in the name
and description fields.

b. From the Supported Browsers drop-down menu, select a browser and click Add This Browser. Add all of
the browsers that must be supported for certificate holders or requesters who will use the OpenTrust PKI
to perform processes that require the cryptographic functionality of the Web browser. Certificate holders
whose certificates were created using a certificate management profile with a browser usage policy that
does not include the browser they are using when trying to perform the cryptographic processes will be
unable to complete the cryptographic processes in the OpenTrust PKI. Certificate requesters who try
to request a certificate, as described in the "Obtain Certificates" section of the OpenTrust PKI Lifecycle
Administrator Guide, from a certificate management profile that uses a browser usage policy that does
not support the configurations in browser being used to make the certificate request are not allowed to
complete the certificate request in the browser that is not supported by the certificate management profile.
The configuration order of the selected browsers is not important; the up and down arrows are provided for
the convenience of the administrator configuring the browser usage policy.

c. Complete the additional configuration fields available for selected browsers:

• Machine Context - Select this option to store the private key and certificate in the machine context
instead of in an individual user context. Certificates held by people should be stored in the user context.
Certificates held by servers or machines should be stored in the machine context. This option is used for
private key generation for decentralized enrollment methods, private key import for centralized enrollment
methods, and for certificate import for centralized and decentralized enrollment methods. For IE on Vista
or Windows 7, "Machine Context" is supported for certificate and PKCS#12 imports for decentralized and
centralized enrollment methods if IE is being used by a Windows Administrator.

• Enable Private Key Export - Select this option to enable certificate holders who have imported their
certificate to a Web browser and want to export the certificate to be able to export the corresponding
private key from the Web browser, so that the certificate and private key can be imported to and used in
another browser, such as when an employee needs to change workstations or a company does not want
to re-issue a certificate each time the certificate holder's Web browser is changed.

• Default KSP/CSP - The Key Service Provider or Cryptographic Service Provider that will be displayed first
in the drop-down menu list of Cryptographic Service Providers available for selection on the OpenTrust
PKI's EE component when requesting a certificate, as described in the "Obtain Certificates" section of
the OpenTrust PKI Lifecycle Administrator Guide, using a supported version of the Internet Explorer
browser. The Key Service Provider/Cryptographic Service Provider selection option is only available to
certificate requesters when the certificate management profile selected during the certificate request is
configured to use a decentralized enrollment process and a browser usage policy that includes support

OpenTrust PKI 4.12 Server Configuration Guide 27

Chapter 2. Configure Certificate Management Profiles Configure Browser Usage

for Internet Explorer browsers. In certificate management profiles that use enrollment processes that are
not decentralized, the configured default KSP/CSP selection is ignored and not displayed to certificate
requesters during the certificate request process. In certificate management profiles that only contain
support for Firefox browsers, the default KSP/CSP selection cannot be configured and the certificate
requester does not have the option to select a Key Service Provider/Cryptographic Service Provider when
making a certificate request, as Firefox ignores all browser usage policy settings.

• Allowed KSPs/CSPs - The list of Key Service Providers or Cryptographic Service Providers that will be
displayed as available for selection on the OpenTrust PKI's EE component when requesting a certificate,
as described in the "Obtain Certificates" section of the OpenTrust PKI Lifecycle Administrator Guide, using
a supported version of the Internet Explorer browser. The list of Key Service Providers or Cryptographic
Service Providers available for selection when requesting a certificate include the Allowed CSPs that
are available on the computer where the browser being used to make the certificate request is installed.
To enable the use of all KSPs/CSPs available on the certificate requester's computer without restriction,
delete the pre-configured Allowed KSP/CSP fields. The Key Service Provider/Cryptographic Service
Provider selection option is only available to certificate requesters when the certificate management
profile selected during the certificate request is configured to use a decentralized enrollment process and
a browser usage policy that includes support for Internet Explorer browsers. If none of the configured
allowed KSPs/CSPs are found on the certificate requester's computer, the certificate requester will be
unable to complete the certificate request process.

• Key Protection - Select a protection level for the private keys generated for certificates created using a
certificate management profile that uses the browser usage policy being configured:

◦ None - No protection is applied to the private keys. When authenticating to a software application with
a certificate, the certificate is used for authentication. The certificate holder is not asked to enter a
password when accessing the software application because possession of the private key associated
with the certificate is considered sufficient for the authentication.

◦ Strong - When a certificate request is made on the OpenTrust PKI' EE component using a supported
Internet Explorer browser and CSP, the certificate requester is prompted to complete a series of
Windows pop-ups related to "Creating a New RSA Exchange Key." While completing the Windows pop-
ups, which are used to create the private key for their certificate, the certificate requester is prompted to
protect the private key using either medium-level protection, usually selected by default in the Windows
pop-ups, in which the Web browser will prompt the certificate holder to confirm the use of the certificate
for authentication during each authentication to a software application that requires the certificate, or
using high-level protection, in which the certificate requester configures a password for the private
key before the key is generated, while requesting the certificate, and then is prompted to enter the
private key password when being authenticated by a software application that uses certificate-based
authentication.

◦ Enforce Password Protection - The requester configures a password for the private key before the
key is generated. After importing the certificate into the Web browser being used to access the user
interface for the OpenTrust PKI's EE component, the certificate holder will be required to enter a
password when using the certificate to authenticate to a software application.

• KSP Key Usages - To set flags for use in the MS CertEnroll API by external software or middleware, such
as an HSM or smart cards, select allowed usages for the private keys generated for certificates created
using a certificate management profile that uses the browser usage policy being configured:

◦ Allow Decryption - The keys can be used to decrypt content, such as content received in email or stored
on volumes or disks. This key usage is recommended for most implementations. Before de-selecting
this key usage, consult an assigned IDnomic technical representative.

◦ Allow Signing - The keys can be used for signing, such as when signing email or documents. An
example of an external software application that would use the signature flag is the IDnomic SPI
application. This key usage is not recommended for most implementations. Before selecting this key
usage, consult an assigned IDnomic technical representative.

◦ Allow Key Exchange - The keys can be used to establish key agreement between entities, such as
during SSL authentication. This key usage is recommended for most implementations. Before de-
selecting this key usage, consult an assigned IDnomic technical representative.

◦ Allow All Possible Usages - The keys can be used to decrypt content, for signing, and for establishing
key agreement between entities. This key usage is not recommended for most implementations. Before
selecting this key usage, consult an assigned IDnomic technical representative.

28 OpenTrust PKI 4.12 Server Configuration Guide

Configure Metadata Types Chapter 2. Configure Certificate Management Profiles

• CSP Key Type - To set flags for use in the MS CertEnroll and XEnroll APIs that specify the intended use
of a key for a legacy cryptographic service provider (CSP) by third-party software or middleware, such
as an HSM, select a key type for the private keys generated for certificates created using a certificate
management profile that uses the browser usage policy being configured. Legacy CSPs can support at
most one signature algorithm (AT_SIGNATURE) or one encryption algorithm (AT_KEYEXCHANGE).

◦ Do Not Define the Key Type (AT_NONE) - The intended use for the private keys is not identified. This
option can be selected if the provider that supports the key is a Cryptography API: Next Generation
(CNG) key storage provider (KSP).

◦ Decryption or Key Exchange (AT_KEYEXCHANGE) - The private keys can be used for encryption
(including key exchange), decryption, and signing using RSA algorithms. This is the recommended
key type for most implementations. Before selecting another key type, consult an assigned IDnomic
technical representative.

◦ Signature Only (AT_SIGNATURE) - The private keys can be used for signing but not decryption or
encryption.

• CSP Provider Type - Select RSA or Other. If Other is selected, enter the value provided by the
CSP provider. This option should only be used in consultation with an assigned IDnomic technical
representative.

5. Click Save.

2.2.3. Configure Metadata Types

By default, certificates created using the OpenTrust PKI are created with associated metadata for the certificate subject,
email address, and serial number. Certificate metadata is stored in the OpenTrust PKI database and can be used as
search criteria when administrators and certificate holders/requesters search for certificates on the OpenTrust PKI RA
and EE components. Certificate metadata is also stored in the OpenTrust PKI audit logs related to the certificates and
can be used when searching for audit logs related to a particular certificate.

When configuring certificate management profiles, as described in “Create a Certificate Management

Profile” on page 37, the configuration options for additional form parameters, subject alternative names, and subject
DN components include configured metadata types. A metadata type specifies whether the associated metadata will be
included in certificate audit logs and available as search criteria when searching for certificates on the OpenTrust PKI RA
and EE components.

To configure the options for metadata to associate with certificate form parameters:

1. Log in to the user interface for an OpenTrust PKI CA component as an administrator with the Profiles
Management right. If the initial administration certificate has not yet been deleted, an administrator using the
initial administration certificate can also perform this task.

2. Navigate to the Settings | Certificates | Metadata page.

3. On the Metadata page, choose to add a new metadata type or edit an existing metadata type. If the choice is
to create a new metadata type, click Create a new Metadata. If the choice is to edit an existing metadata type,
select the metadata type and continue to Step 5 on page 29.

4. On the metadata configuration page, enter an Identifier for the metadata type. The identifier will be visible in
other parts of the user interface, for example, when selecting which metadata type to use for an addition form
parameter in a certificate management profile or when configuring holder match settings. Providing detailed
information in the identification field will make it easier to select the correct metadata type in other parts of the
user interface.

5. Configure the metadata options:

• Logged - The metadata will be added to audit logs related to certificates created with this metadata. If this
option is selected, administrators will be able to find the metadata type listed in the Details drop-down menu
on the Audit Logs | Logs Search page of the user interface for the Logs component. After selecting the
metadata type in the Details drop-down menu, in the text field, the administrator can enter a valid additional
form parameter, subject alternative name, or subject DN component that was used to generate metadata for a
certificate. The metadata type will not be available in the Details drop-down menu until at least one certificate
has been created using the metadata type.

• Searchable on the EE - The metadata will be available in the search criteria options when searching for
certificates using the user interface of the EE component.

OpenTrust PKI 4.12 Server Configuration Guide 29

Chapter 2. Configure Certificate Management Profiles Configure Holder Match Settings

• Searchable on the RA - The metadata will be available in the search criteria options when searching for
certificates using the user interface of the RA component.

6. To save the metadata type, click Save. To delete the metadata type, click Remove. Deleting the metadata type
will remove the metadata type from the search criteria available when searching for certificates on the RA or EE
components.

Note: A metadata type cannot be removed if it has been used to generate a certificate.

2.2.4. Configure Holder Match Settings

Holder match settings are used to determine how many certificates a certificate holder possesses or certificate holder
eligibility for new certificates. Holder match settings are used during enrollment processes to determine whether a
certificate holder already holds the allowed number of certificates for a certificate management profile and enforce the
allowed number of certificates for each certificate holder by declining certificate requests that would exceed the number
of certificates allowed per holder for a certificate management profile. The number of allowed certificates for each
certificate holder per certificate management profile can be configured on the General tab of a certificate management
profile. Configured holder match settings are applied to all certificate holders with certificates generated by the OpenTrust
PKI, for all certificate management profiles that have a configured maximum number of certificates per holder. The holder
match settings determine how to interpret the General tab configuration, by matching certificate information to certificate
holders with strict, permissive, or the default search match results.

The default holder match settings, used before any optional additional holder match settings are configured and/
or selected, cannot be configured and use the certificate Subject DN (all of the DN components in the certificate) to
determine the number of certificates already held by a certificate requester. Using the default holder match settings,
the certificate holder would have to request a certificate containing exactly the same DN as a certificate or certificates
already generated from the same certificate management profile for the request to count as a match. The request would
only be rejected if the maximum number of allowed certificates per holder is set to one in the certificate management
profile or the requester already has the maximum number of certificates allowed by the certificate management profile.

The configurable, non-default, holder match settings allow administrators to further refine how holder matches are made,
using certificate DNs and certificate metadata.

For certificate management profiles that use DN components, subject alternative names, or additional form parameters
that are fixed, mandatory, or populated from an LDAP directory, requests for certificates made by the same person
are likely to produce holder matches. When a certificate management profile is configured to use optional Subject DN
components or information entered manually by the requester, the holder match results are less likely, resulting in a
greater possibility that someone could obtain more than the configured allowed number of certificates per certificate
management profile, despite the configured holder match settings, and placing greater responsibility for preventing
holder matches on administrators who approve enrollment requests.

When a certificate request is denied because the request results in a holder match, a message indicating that, "This
user already has the maximum number of allowed certificates." is displayed to the certificate requester. The request is
not recorded on the OpenTrust PKI RA component and is not logged in the OpenTrust PKI audit logs. Administrators
responsible for the IDnomic Credential Management System application and the AEP add-on module for the OpenTrust
PKI configure the holder match settings to avoid inadvertently providing more than the required number of certificates to
an individual server or smart card holder.

Holder matching is performed on a per-certificate management profile basis, with one exception: during self-revocation,
when a certificate holder is authenticated, the OpenTrust PKI searches for certificates based on holder matches for all
certificate management profiles.

To configure holder match settings:

2. Navigate to the Settings | Policies | Certificate Holder Match page.

3. On the Certificate Holder Match page, in the Action column, click Configure to configure one of the available
holder match types:

• Permissive - Using the logical operator OR, when searching for certificate holders to count the number of
certificates already held by a certificate requester, the OpenTrust PKI uses the certificate DN and certificate
metadata to search for certificate holder matches. This means the holder matches can contain any of the
selected search criteria, which can include the certificate DN and/or any or all of the metadata types. For

30 OpenTrust PKI 4.12 Server Configuration Guide

Configure Holder Match Settings Chapter 2. Configure Certificate Management Profiles

example, if one of the form parameters configured for a certificate management profile is configured to be
tagged as a configured metadata type, and the permissive holder match configuration includes a selection of
that metadata type and the DN, the certificate requester would need to have a match for either the selected
metadata type or the DN to return a holder match and be denied an additional certificate. In a more detailed
example, if a certificate requester requested certificates from a certificate management profile with the
maximum number of certificates per holder set to one, using a different DN but using the same administrator
email addresses, such as [email protected] and [email protected], in a certificate
request with the "Administrator's Email" form parameter tagged as metadata type "admin emails," the second
certificate request would be denied because a holder match would be returned based on the administrator
email addresses.

• Strict - Using the logical operator AND, when searching for certificate holders to count the number of
certificates already held by a certificate requester, the OpenTrust PKI uses the certificate DN and certificate
metadata to search for certificate holder matches. This means the holder matches must contain all of the
selected search criteria, which can include the certificate DN and/or any or all of the metadata types. For
example, if one of the form parameters configured for a certificate management profile is configured to be
tagged as a configured metadata type, and the strict holder match configuration includes a selection of that
metadata type and the DN, the certificate requester would need to have a match for the selected metadata
type and the DN to return a holder match and be denied an additional certificate. In a more detailed example,
if a certificate requester requested certificates from a certificate management profile with the maximum
number of certificates per holder set to one, using the same DN but using different email addresses, such as
[email protected] and [email protected], in a certificate request with the "Administrator's
Email" form parameter tagged as metadata type "admin emails," the second certificate request would be
approved because a holder match would not be returned given that the email addresses are different.

4. On the Permissive Match or Strict Match configuration page, choose whether to use the DN components for
holder matching.

5. Select the metadata types to use for holder matching. All configured metadata types will be available for
selection. See “Configure Metadata Types” on page 29 for more information about configuring metadata
types. The DN and metadata type selections determine matches according to the following rules:

• In a permissive match with DN selected, there is a match if at least one of the selected items match: the DN or
any selected metadata type.

• In a permissive match with DN not selected, there is a match if at least one of the selected items match: any
selected metadata type.

• In a strict match with DN selected, there is a match if all selected items match: DN and all selected metadata
types.

• In a strict match with DN not selected, there is a match if all selected items match: all selected metadata types.

6. Click Save.

7. View the "Configuration saved." confirmation message.

8. To configure another holder match type or select the holder match type to be applied to the certificate
management profiles, navigate to the Settings | Policies | Certificate Holder Match page.

9. On the Certificate Holder Match page, to configure another holder match type, repeat Step 3 on page 30 to
Step 7 on page 31. To select which holder match settings will be applied to certificate management profiles,
continue to the next step.

10. To set the holder match rules that will be used to determine how many certificates a person can hold per
certificate management profile, in the drop-down menu, select the strict, permissive, or the default certificate
holder match settings and click Choose this Profile. Only the default match holder type and holder match types
that have been configured will be available for selection in the drop-down menu.

11. View the "Configuration saved." confirmation message.

12. In multi-host server environments where the OpenTrust PKI RA component is not hosted on the same
server as the OpenTrust PKI EE component, to make the holder match settings immediately available on
the EE component, follow the synchronization instructions in “Configure EE Component's Module Settings
” on page 57.

OpenTrust PKI 4.12 Server Configuration Guide 31

Chapter 2. Configure Certificate Management Profiles Enable Publication of Certificates and CRLs to Directories

2.2.5. Enable Publication of Certificates and CRLs to Directories

Publication configurations can be used to publish certificates and Certificate Revocation Lists to LDAP directories and to
publish certificates to Active Directory forests.

To publish certificates in an LDAP directory, create an LDAP publication configuration. To publish certificates in an
Active Directory forest, create an Active Directory forest publication configuration. To be able to publish certificates in
Active Directory, OpenTrust PKI must belong to the Active Directory's Cert Publishers groups in each domain where the
OpenTrust PKI will publish certificates or CRLs.

To publish a CRL in an LDAP directory, create an LDAP publication configuration. Certificate Revocation Lists cannot
be published using Active Directory forest publication configurations. To publish a CRL to an Active Directory forest,
create an LDAP publication configuration and use it to publish the CRL in the Active Directory configuration partition of
the closest domain controller. For additional guidance, contact an assigned IDnomic technical representative.

To enable the publication of certificates and CRLs to LDAP directories and the publication of certificates to
Active Directory forests:

2. Navigate to the Settings | Repositories | Publication page.

3. On the Publication page, choose to Create a New publication configuration or to Modify or Remove an existing
publication configuration.

Note: A publication configuration cannot be removed if it is associated with a certificate management

profile.

4. If the choice is to create a new publication configuration, on the Publication page, choose to create a publication
configuration type.

• LDAP - To publish certificates or CRLs in LDAP or Active Directory directories.

• Active Directory forest - To publish certificates in Active Directory forests containing multiple domains.
Domain controllers are identified by the OpenTrust PKI using DNS resolvers.

5. On the General Information page, enter a Name for the publication configuration. The name will be visible in
other parts of the user interface, such as when selecting which publication configuration to associate with a
certificate management profile. To make it easier to select the correct publication configuration in other parts of
the user interface, provide detailed information in the name field.

6. If configuring an LDAP publication configuration, in the Certificate match type drop-down menu, choose how to
match certificates to directory entries:

• DN - For certificate publication, the certificate's subject DN is equal to the DN for the entry in the directory. For
CRL publication, the DN of the CRL issuer is equal to the DN for the entry in the directory. : "DN" matching
means searching for a LDAP entry whose DN is the DN of the CRL Issuer "Filter" matching means searching
for a LDAP entry whose attributes match the attributes of the CRL Issuer.

• Filter from Certificate - For certificate publication, if the certificate subject DN components do not match the
DN components configured for directory entries, select this method and use the Add More Filters button to
configure which certificate subject DN components to match to which LDAP entry attribute. For each certificate
subject DN component selected from the drop-down menu, enter the corresponding LDAP attribute. For
example, if the User ID subject DN component in a certificate will correspond to the cn attribute for LDAP
entries, select User ID from the drop-down menu and enter cn in the LDAP entry attribute text field.

For CRL publication, if the issuer DN components do not match the DN components configured for directory
entries, select this method and use the Add More Filters button to configure which CRL issuer DN components
to match to which LDAP entry attribute. For each CRL issuer DN component selected from the drop-down
menu, enter the corresponding LDAP attribute. For example, if the User ID DN component for a CRL issuer
will correspond to the cn attribute for LDAP entries, select User ID from the drop-down menu and enter cn in
the LDAP entry attribute text field.

If more than one filter is configured, the OpenTrust PKI will publish the certificates or CRLs to the directory
entry matching all configured filter criteria, using a logical AND operator for matching. If more than one
directory entry matches the criteria, the OpenTrust PKI will not publish the certificates or CRLs.

32 OpenTrust PKI 4.12 Server Configuration Guide

Enable Publication of Certificates and CRLs to Directories Chapter 2. Configure Certificate Management Profiles

To use an optional constraint, enter a generic directory entry attribute and value user search filter, without
surrounding parentheses. Administrators typically enter: objectClass=user

7. If configuring an Active Directory forest publication configuration, configure the options unique to Active Directory
forest publication configuration:

a. To configure the Match filters for certificate publishing, use the Add More Filters button to configure
which certificate subject DN components to match to which directory entry LDAP attribute. For each
certificate subject DN component selected from the drop-down menu, enter the corresponding directory
entry LDAP attribute. For example, if the User ID subject DN component in a certificate will correspond
to the msUPN LDAP attribute for directory entries, select User ID from the drop-down menu and enter
userPrincipalName in the LDAP attribute text field.

If more than one filter is configured, the OpenTrust PKI will publish the certificates to the directory entry
matching all configured filter criteria, using a logical AND operator for matching. If more than one directory
entry matches the criteria, the OpenTrust PKI will not publish the certificates.

To use an optional constraint, enter a generic directory entry attribute and value user search filter, without
surrounding parenthesis. Administrators typically enter: objectClass=user

b. To configure the Active Directory Site of the OpenTrust PKI, enter the domain name component used
to identify the site in which the OpenTrust PKI is located. The Active Directory administrator can use the
Active Directory Site and Services MMC to determine which site the OpenTrust PKI is located in. To publish
certificates, the OpenTrust PKI accesses: the closest domain controller if certificates can be published in
the site the OpenTrust PKI belongs to and the first domain controller if there are several domain controllers
available. The OpenTrust PKI follows the priority order (SRV Record Priority) defined by the Active Directory
administrator. If a domain controller has not been declared for the directory entry's domain in the site in
which the OpenTrust PKI is located, the OpenTrust PKI will search the Active Directory forest domain
controllers to find the DNS name for the domain for a directory entry that matches.

c. The OpenTrust PKI's RA component must be able to resolve Active Directory records. If the Active
Directory zones are not delegated in the corporate DNS, edit the /etc/resolv.conf file on the RA
component to include the IP address of the Active Directory forest DNS name. For example, if the IP
address of the Active Directory forest's DNS server is 172.18.0.14, add nameserver 172.18.0.14 to the
file.

8. In the "Directories" field for LDAP publication configurations and in the "Global Catalog" field for Active Directory
publication configurations, select a configured directory connection. All directory connections configured
as described in “Configure an LDAP Directory Connection ” on page 21 will be available for selection.
Use the plus sign to select multiple directory connections. A certificate or CRL is only published in one of the
directories associated with the selected directory connections. The OpenTrust PKI's publication process scans
the directories in the configured order and publishes the certificate in the first directory where an LDAP entry
attribute that meets the Certificate-Directory Entry Matching Criteria, configured in Step 6 on page 32 for
LDAP directories and in Step 7 on page 33 for Active Directory directories, is found. For Active Directory
forest publication configurations, a certificate is not published in the global catalog; the OpenTrust PKI searches
the global catalog to find the domain for the directory entry and then publishes the certificate in the domain for
the directory entry.

9. Enter the LDAP attribute with which the certificate or CRL should be associated when the certificate is written to
the directory or accept the default of userCertificate for certificates and certificateRevocationList
for CRLs.

10. Select a publishing policy:

• Adding - New certificates or CRLs created for the same directory entry are added to the existing certificates or
CRLs stored in the directory.

• Replacing - New certificates or CRLs created for the same directory entry replace existing certificates or CRLs
stored in the directory

11. To remove the certificate from the directory if the certificate is revoked or expires, select Unpublish at
Expiration or Revocation. To leave revoked or expired certificates in the directory, de-select the Unpublish at
Expiration or Revocation option.

12. Click Save.

13. On the Settings | Repositories | Publication page, verify that the publication configuration has been added to
the list of publication configurations. For LDAP or Active Directory forest publication configurations that will be

OpenTrust PKI 4.12 Server Configuration Guide 33

Chapter 2. Configure Certificate Management Profiles Configure SCEP Policies

used to publish certificates, the process is complete and the publication configuration can be selected for use
in certificate management profiles, as described in “Configure the General Settings” on page 38. For LDAP
publication configurations that will be used to publish CRLs, continue to the next step.

14. For LDAP directory publication configurations, to use the publication configuration to publish CRLs, navigate to
the Settings | Repositories | CRL Publication page.

15. On the CRL Publication page, for each CA whose CRL should be published, using the selected publishing
configuration, use the Click to Edit mouseover and select the publication configuration. When a CA with selected
publication configurations generates CRLs, the CRLs will be published to the directory. The CRL for internal CAs
is automatically updated every day and after each certificate revocation while the server is operating correctly
unless an administrator disables the CRL update functionality when editing the advanced configuration options
for an internal CA, as described in Step 5 on page 14.

16. Click Save and view the success message.

2.2.6. Configure SCEP Policies

Administrators can create SCEP policies to govern SCEP enrollment processes. SCEP policies are active
until deleted. SCEP clients submit enrollment requests by using the SCEP policy name in the following URL:
http://DNS_name_used_to_access_server_hosting_RA:port_used_to_access_server_hosting_RA/
cgi-bin/pkiclient.exe/SCEP_policy_name when sending the "getcacert" request. After receiving a
communications certificate in response to the "getcacert" request, the SCEP clients submit a "pkioperation" request to
the same URL.

To configure a SCEP policy:

2. Navigate to the Settings | Policies | SCEP page.

3. On the SCEP Policies page, choose to choose to Create a New SCEP Policy or to Modify, Copy, or Remove
an existing SCEP policy.

4. If the choice is to create a new SCEP policy, click Create New SCEP Policy.

5. Enter a Name and Description for the SCEP policy. The name must be a valid URL component. The name
and description will be visible in other parts of the user interface. Providing detailed information in the name and
description fields will make it easier to select the correct SCEP policy in other parts of the user interface.

6. Select a SCEP Communication Protection Mode:

• Use Dedicated SCEP CA - Select this option to use the pre-configured SCEP CA's certificate to sign and
encrypt communications between the SCEP device and the OpenTrust PKI. The details for the SCEP CA can
be found and edited on the SCEP Policies | Dedicated CA Management tab.

• Use OpenTrust PKI's RA - Select this option to use the OpenTrust PKI's RA's certificate to sign and encrypt
communications between the SCEP device and the OpenTrust PKI.

7. Configure the enrollment options:

• Enrollment Process - Choose whether to use a self-enrollment process, try using a self-enrollment process
and use a manual approval process if the self-enrollment process fails, or use a manual approval process.
If the choice is to use a manual approval process, continue to Step 9 on page 34, as all other options are
removed from the UI.

• Authentication Scheme - Select an authentication scheme to use for enrolling SCEP devices. For more
information about authentication schemes, refer to “Configure an Authentication Scheme ” on page 24.

• Certificate Management Profile - Select a certificate management profile to use for enrolling SCEP
devices or choose to use the certificate_profile attribute in the datasource to dynamically select a certificate
management profile during the enrollment process.

8. To configure the mapping rules between the identifier fields of the datasource(s) associated with the selected
authentication scheme and the RDN fields in the SCEP enrollment requests, select an RDN field for each
Identifier field of the datasource.

9. Click Save.

34 OpenTrust PKI 4.12 Server Configuration Guide

Configure Automatic Emails Chapter 2. Configure Certificate Management Profiles

10. View the URL to use when enrolling SCEP devices using this SCEP policy.

11. If using the dedicated SCEP CA, click "Back to List" and select the Dedicated CA Management tab to review
and/or edit the information for the dedicated SCEP CA. If the choice is to edit the dedicated SCEP CA, configure
the following options:

• CA's DN - Enter a DN for the dedicated SCEP CA.

• CA Validity Duration (in Days or YYYY-MM-DD) - Enter the validity duration for the dedicated SCEP CA's
CRL.

• Key Size - Choose the encryption level for the private keys of the certificate for the dedicated SCEP CA.
Selecting a larger key size will result in a more secure certificate. It may take a longer time to generate
larger, more secure keys and to sign a certificate with larger keys. The dedicated SCEP CA is used only for
communication and cannot be used to issue certificates.

12. Click Save.

2.2.7. Configure Automatic Emails

The OpenTrust PKI can be configured to send automatic emails for various certificate lifecycle events. Email templates
are used to construct the contents of the automatic emails. Administrators can use the default automatic email templates,
customize the default automatic email templates to accommodate specific needs, or use a blank template to create new
automatic emails that correspond to the static certificate lifecycle event email types.

The default automatic email configurations cannot be recovered after being edited.

To create a new automatic email or configure an existing automatic email:

1. Log in to the user interface for the OpenTrust PKI RA component as an administrator with the Profiles
Management right. If the initial administration certificate has not yet been deleted, an administrator using the
initial administration certificate can also perform this task.

2. Navigate to the Settings | Certificates | Email Templates page.

3. On the Email Templates page, choose to:

• Edit an existing automatic email configuration: In the Name column, click the name of automatic email.

• Create a new automatic email using the template of an existing automatic email: In the "Create a New Profile
from" drop-down menu, select an already configured automatic email to use as a template.

• Create a new automatic email from a blank email template: Click Create a New Profile.

4. On the automatic email configuration page, configure the components and contents of the email:

a. In the Profile field, enter a name for the automatic email. The name will be visible in other parts of the user
interface, for example, when selecting which automatic emails to use for a particular certificate lifecycle
management event. Providing detailed information in the name field will make it easier to select the correct
automatic email in other parts of the user interface. The name of the default automatic emails cannot be
edited. The names of administrator-created automatic emails cannot be edited after being saved.

b. In the email Type drop-down menu, from the list of static certificate lifecycle management event email
types, select the type that corresponds to the automatic email being created or configured. The type
cannot be changed once the automatic email has been selected for use in a certificate management profile
configuration, as described in “Create a Certificate Management Profile” on page 37.

c. In the From and To rows, select an option from the drop-down menu. The email address that corresponds
to the selected option will be used as the From: email address and the To: email address(es) when the
automatic email is sent. For the To: email address, use the corresponding plus and minus signs to add and
remove multiple recipients. The drop-down menus are populated with the possible senders and recipients
appropriate for the selected email type:

• CA Administrator - The CA administrator's email address, as configured in “Configure CA Component's

Module Settings ” on page 55.

• RA Administrator - The RA administrator's email address, as configured in “Configure RA Module

Settings” on page 55.

OpenTrust PKI 4.12 Server Configuration Guide 35

Chapter 2. Configure Certificate Management Profiles Configure Automatic Emails

• Publication Administrator - The publication administrator's email address, as configured in “Configure

Publication Module Settings” on page 56.

• EE Administrator - The EE administrator's email address, as configured in “Configure EE Component's

Module Settings ” on page 57.

• Lifecycle Administrator - The lifecycle administrator's email address, identified by the certificate used to
perform the lifecycle management event. This option is only available in the From: drop-down menu.

• Possible Lifecycle Administrators - The email addresses of all lifecycle administrators with the appropriate
rights for the lifecycle management event. This option is only available in the To: drop-down menu.

• User Contact - The certificate holder's email address, as defined by the certificate management
profile used to create the certificate. For lifecycle events related to certificate requests or to certificate
management profiles that do not use a User Contact parameter, the email address configured in the
certificate request is used.

• User Email - The certificate holder's email address, as defined by the certificate management profile used
to create the certificate. For lifecycle events related to certificate requests or to certificate management
profiles that do not use a User Email parameter, the email address configured in the certificate request is
used.

• Requester - The email address for the person performing the action in the certificate lifecycle event.
For example, if a lifecycle administrator requests the revocation or recovery of a certificate, the lifecycle
administrator is considered to be the requester, while the certificate holder, the subject of the certificate, is
not.

• Static - To send the email to the same recipient each time the lifecycle event takes place, enter the
recipient's email address in the text entry field. Multiple static entries can be configured for an automatic
email using the plus sign to add additional recipients.

d. For the email Subject and Body content, if creating a new automatic email, click the link in the Email row
to display and then configure the required settings; if configuring an existing automatic email, configure the
required settings:

i. From the Language drop-down menu, select a language in which to send the email. Use the
corresponding plus and minus icons to add and remove versions of the email in additional languages.
Include all of the languages used by certificate holders. The default automatic emails contain pre-
configured versions of the emails which can be used as is or edited. When a certificate is requested, the
OpenTrust PKI creates information for the certificate that includes the language selected in the browser
used to make the certificate request. An administrator can later change the language associated with
a certificate by using the Registration Authority | Certificate Information | Modify Certificate Information
functionality, as described in the OpenTrust PKI Lifecycle Administrator Guide. When an email is sent
to a certificate holder and a version of the email that corresponds to the language identified in the
certificate holder's certificate information is available in the automatic email configurations, the email
is sent to the recipient in that language. For multi-recipient emails, each recipient receives the email in
their own language. In cases where the language identified in the certificate information does not have a
corresponding version in the automatic email configuration, the email is sent in English.

ii. To add available variables to the Subject or Body of the email, from the Variables drop-down menu,
select a variable and click Add to Body or Add to Subject. The available variables include values stored
in the OpenTrust PKI database, such as names or other stored certificate holder information; values
stored in OpenTrust PKI configurations, such as administrator email addresses configured in the
Module Settings configuration area for each component; and information generated by the OpenTrust
PKI application, such as error numbers. The default versions of the automatic emails contain the
variables relevant to the certificate lifecycle event that precipitates the emails. When creating additional
emails for a particular email type, administrators should consider using the same variables in the
administrator-created automatic emails that exist in the default emails.

iii. Using the variables as needed, edit the default content or write new content in the Subject and Body
fields. Verify that the content is relevant for the selected email type and that the included variables
should be exposed to the configured recipients.

5. In the attachments row, select the attachments to include in the email and choose whether to include a .zip file
that includes all of the selected attachments.

6. If displayed, select or deselect any additional options:

36 OpenTrust PKI 4.12 Server Configuration Guide

Create Certificate Categories Chapter 2. Configure Certificate Management Profiles

• Encrypt for Administrator - This option will encrypt the email sent to the lifecycle administrator who provides
the certificate password to the certificate holder. The automated emails that use this option are usually related
to PKCS#12 certificates and information associated with PKCS#12 certificates.

7. Click Save.

8. View the "Profile saved." success message.

2.2.8. Create Certificate Categories

Certificate categories can be used to logically group certificate management profiles. Administrators may choose to
create certificate categories for certificate management profiles that share common configurations, such as a category
for all certificate management profiles that use decentralized enrollment or a category for all certificate management
profiles that are used to authenticate servers.

After a certificate category has been configured, certificate categories are displayed on the Settings | Certificates
| Certificate Management Profiles page to organize the list of certificate management profiles for administrators.
Administrators can also select a certificate category from a drop-down menu when configuring the General tab for
certificate management profiles, as described in “Create a Certificate Management Profile” on page 37. When a
certificate management profile is associated with a certificate category, certificate requesters will be able to select the
certificate category before selecting a certificate management profile during the certificate request process described in
the "Obtain a Certificate" section of the OpenTrust PKI Lifecycle Administrator Guide.

To create a certificate category:

2. Navigate to the Settings | Certificates | Certificate Categories page.

3. On the Certificate Categories page, choose to Create a New Certificate Category or to Modify, Copy, or
Remove an existing certificate category.

Note: A certificate category cannot be removed if it is associated with a certificate management profile.

4. If the choice is to create a new certificate category, enter a Name for the certificate category.

5. Enter the Title values for the certificate category. The title will be used to display the certificate category in other
parts of the user interface, such as in the list of certificate categories on the Certificate Categories page, in the
list of certificate management profiles on the Settings | Certificates | Certificate Management Profiles page, in the
list of certificate categories available when configuring a certificate management profile, and in the user interface
for the certificate request process. Providing detailed information in the title fields will make it easier to select
the correct certificate category in other parts of the user interface. The default title will be displayed in the user
interface when language-specific titles have not been configured or when the language used by a certificate
requester or certificate holder is not included in the list of configured language-specific titles. When language-
specific titles have been configured, the language-specific titles will be displayed for configured languages that
correspond to the language used by a certificate requester or certificate holder as set in the Web browser being
used to access the OpenTrust PKI. It is possible to configure titles for any language. To configure titles in an
additional language, use the Add More button, enter a two-letter abbreviation for the language in the drop-down
menu, and enter the language-specific title in the text field.

6. Click Save.

7. View the "Settings successfully saved" success message.

2.3. Create a Certificate Management Profile

To configure certificate management profiles, administrators must configure:

• “Configure the General Settings” on page 38

• “Configure an Enrollment Method” on page 39

• “Configure Additional Enrollment Options” on page 44

• “Configure Renewal Options” on page 47

OpenTrust PKI 4.12 Server Configuration Guide 37

Chapter 2. Configure Certificate Management Profiles Configure the General Settings

• “Configure Key Pair Recovery Options” on page 48

• “Configure Revocation Options” on page 49

• “Configure Certificate Extension Requirements” on page 50

• “Configure Subject DN Components” on page 52

2.3.1. Configure the General Settings

To configure the settings of the General tab of a certificate management profile:

2. Navigate to the Settings | Certificates | Certificate Management Profiles page.

3. On the Certificate Management Profiles page, choose to: Create a New Certificate Management Profile or to
Modify, Copy, or Remove an existing certificate management profile.

Note: A certificate management profile cannot be removed after being used to enroll a certificate.

4. If the choice is to create a new certificate management profile or modify or copy an existing certificate
management profile, on the General tab, configure the following certificate management profile options:

a. Enter a Name for the certificate management profile. The name must be unique in the list of certificate
management profiles. The name will only be configurable until the first time the certificate management
profile is saved.

b. Enter the Title values for the certificate management profile. The title will be used to display the certificate
management profile in other parts of the user interface, such as in the list of certificate management profiles
on the Settings | Certificates | Certificate Management Profiles page and in the user interface for the
certificate request process. Providing detailed information in the title fields will make it easier to select the
correct certificate management profile in other parts of the user interface. The default title will be displayed
in the user interface when language-specific titles have not been configured or when the language used
by a certificate requester or certificate holder is not included in the list of configured language-specific
titles. When language-specific titles have been configured, the language-specific titles will be displayed for
configured languages that correspond to the language used by a certificate requester or certificate holder
as set in the Web browser being used to access the OpenTrust PKI. It is possible to configure titles for
any language. To configure titles in an additional language, use the Add More button, enter a two-letter
abbreviation for the language in the drop-down menu, and enter the language-specific title in the text field.

c. Select a Category for the certificate management profile or accept the default uncategorized status of the
certificate management profile. For more information about the use of certificate categories, refer to “Create
Certificate Categories” on page 37.

d. Configure the issuing properties or accept the provided default values:

• CA - Select the CA to use to sign certificates generated using the certificate management profile. The list
of available CAs includes all internal CAs with a valid certificate, as listed on the Certificate Authority | CA
Management | List of CAs page described in “View Internal CAs ” on page 13 . The default CA is the CA
configured as the default CA on the Certificate Authority | CA Management | List of CAs page.

• Validity Duration - Certificates created using the certificate management profile will be valid for the period
of time selected:

◦ Certificates Default Validity Duration for Selected CA - The value entered for the selected CA in
the "Certificates Default Validity Duration" field when configuring the CA, as described in “Manage
CAs” on page 7. This value will be used for the validity duration when the CA default validity duration is
not longer than the CA lifetime. When the CA default validity duration is longer than the CA lifetime, the
value is ignored and the certificate will be valid for the duration of the CA lifetime.

◦ CA Lifetime - The lifetime of the selected CA, meaning for as long as the selected CA has a valid
certificate.

◦ Custom - Use this option to configure a custom validity duration for certificates created using the
certificate management profile. This value will be used for the validity duration when the custom validity

38 OpenTrust PKI 4.12 Server Configuration Guide

Configure an Enrollment Method Chapter 2. Configure Certificate Management Profiles

duration is not longer than the CA lifetime. When the custom validity duration is longer than the CA
lifetime, the value is ignored and the certificate will be valid for the duration of the CA lifetime.

• Maximum Number of Certificates per Holder (0 Means No Limit) - Enter the maximum number of
certificates generated by the certificate management profile that can be held by a single certificate holder.
The value entered will be used in combination with the configured holder match settings described in
“Configure Holder Match Settings” on page 30.

• Browser Profile - Select a browser usage policy to apply to certificates created using the certificate
management profile. All configured browser usage policies will be available for selection. For more
information about the Default browser usage policy, the EE browser usage policy and how browser usage
policies impact certificate requesters, refer to “Configure Browser Usage ” on page 26.

• Publish to Directories - Select the publication configurations to use to publish certificates to LDAP
directories and Active Directory forests. All configured publication configurations, as described in
“Enable Publication of Certificates and CRLs to Directories ” on page 32, will be available for
selection. If a publication configuration is selected, in the Send Publication Error Notifications area,
select the automatic emails to send when certificates cannot be published using the selected publication
configurations. All configured automatic emails that can be used for publication error notifications will
be available for selection. For more information about automatic emails, refer to “Configure Automatic
Emails” on page 35.

e. Configure the optional advanced features:

• Visible on EE for All Available Processes - This option allows certificate holders, certificate requesters,
and administrators to view the certificate management profile when performing processes governed by
or related to the certificate management profile - such as certificate requests, revocation and recovery
procedures, and searches that contain the certificate management profile - on the Enrollment Entity
component of the OpenTrust PKI in addition to being able to perform the same processes on the
Registration Authority component of the OpenTrust PKI. This option is selected by default because it is
appropriate for most certificate management profiles.

• Authentication Required on EE to See this Profile - When the "Visible on EE for All Available
Processes" option is selected, the "Authentication Required on EE to See this Profile" option is available
to restrict the visibility of the certificate management profile on the EE component to authenticated
certificate holders. The "Authentication Required on EE to See this Profile" option is not selected by
default to make the certificate management profile available for certificate requests, using the enrollment
process configured for the certificate management profile. If the "Authentication Required on EE to See
this Profile" option is selected, only people who already have a certificate trusted by the OpenTrust PKI
EE can request to be enrolled in the certificate management profile or request certificates for other people
using the certificate management profile.

• Use UTF-8 Encoding in Certificate Fields When Possible - Select this option to use UTF-8 encoding
for the values entered and automatically generated for a certificate when a certificate is requested from
the certificate management profile.

5. Click Save. If configuring a new certificate management profile, continue to “Configure an Enrollment
Method” on page 39.

2.3.2. Configure an Enrollment Method

To configure the enrollment options for the certificate management profile:

2. Navigate to the Settings | Certificates | Certificate Management Profiles page.

3. On the Enrollment tab, select and configure an enrollment method for the certificate management profile. If the
certificate management profile has already been used to generate certificates, the enrollment method and, in
centralized enrollment processes, the Private Key Escrowing option cannot be modified. When a certificate
requester requests a certificate from a certificate management profile, they are requesting to be enrolled in the
certificate management profile.

• Decentralized Enrollment - In certificate management profiles in which the enrollment method is

decentralized, the key pair for the certificate is generated in the requester's Web browser, while the requester

OpenTrust PKI 4.12 Server Configuration Guide 39

Chapter 2. Configure Certificate Management Profiles Configure an Enrollment Method

is connected to the EE. When using IE, the certificate requester must select a Cryptographic Service Provider
to generate the key pair and transmit the public key to the OpenTrust PKI. When using FireFox, a default
Cryptographic Service Provider is used to generate the key pair and transmit the public key to the OpenTrust
PKI. The public key transmitted to the OpenTrust PKI with the certificate request is included in the "Public Key"
section of the certificate created with the certificate management profile. The certificate can be imported into
the Web browser that generated the key pair, the browser from which the certificate request was made, once
the certificate is delivered to the certificate requester.

If the selected enrollment method for a certificate management profile is decentralized, the certificate
management profile is available for selection on the EE during the certificate request process; when
the certificate management profile is enabled, if configured to be visible on the EE; when the certificate
management profile is configured to require authentication on the EE, if the requester who accesses the
EE is authenticated by certificate; and, when the Certificate Request Right is required, if the requester who
accesses the EE is authenticated by certificate and has the Request Certificate on the EE right for at least
one zone. Certificate management profiles that use a decentralized enrollment method with the "Pre-approval
by an Enrollment Administrator" are displayed in certificate request processes on the RA when the certificate
management profile is enabled.

• Centralized Enrollment - In certificate management profiles in which the enrollment method is centralized,
the key pair for the certificate is generated by the OpenTrust PKI. The public key is included in the "Public Key"
section of the certificate created with the certificate management profile and the certificate can be imported
into a Web browser once the certificate is delivered to the certificate holder.

If the selected enrollment method for a certificate management profile is centralized, the certificate
management profile is available for selection on the EE during the certificate request process; when
the certificate management profile is enabled, if configured to be visible on the EE; when the certificate
management profile is configured to require authentication on the EE, if the requester who accesses the EE is
authenticated by certificate; and, when the Certificate Request Right is required, if the requester who accesses
the EE is authenticated by certificate and has the Request Certificate on the EE right for at least one zone.
Certificate management profiles that use a centralized enrollment method with the "Approval by an Enrollment
Administrator" are displayed in certificate request processes on the RA when the certificate management
profile is enabled.

• Server (Decentralized Enrollment with CSR) - In certificate management profiles in which the enrollment
method is server, the key pair is generated on the server that requests the certificate. A .p10 file is uploaded
to the EE or the RA to communicate the public key to the OpenTrust PKI. This public key is included in the
"Public Key" section of the certificate created with the certificate management profile.

If the selected enrollment method for a certificate management profile is server, the certificate management
profile is available for selection on the EE during the certificate request process; when the certificate
management profile is enabled, if configured to be visible on the EE; when the certificate management profile
is configured to require authentication on the EE, if the requester who accesses the EE is authenticated
by certificate; and, when the Certificate Request Right is required, if the requester who accesses the EE is
authenticated by certificate and has the Request Certificate on the EE right for at least one zone. Certificate
management profiles that use a server enrollment method are displayed in certificate request processes on the
RA when the certificate management profile is enabled.

• Enrollment via SCEP - In certificate management profiles in which the enrollment method is SCEP, the key
pair is generated on the Cisco device that requests the certificate.

Certificate management profiles that use a SCEP enrollment method are never displayed in certificate request
processes on the RA or EE. The certificate request is submitted from the Cisco device and added to the list of
pending certificate requests on the RA. A certificate request can also be pre-approved on the RA and then the
certificate is delivered without being added to the list of pending requests.

If configuring a certificate management profile that uses a server or SCEP enrollment method, continue to
Step 9 on page 44. If configuring a certificate management profile that uses a decentralized or centralized
enrollment method, continue to the next step.

4. If configuring a certificate management profile that uses a centralized enrollment method, to enable recovery of
private keys for certificates, select Private Keys Escrowing.

5. If configuring a certificate management profile that uses a decentralized or centralized enrollment method, select
an enrollment process:

• Enrollment Administrator Approval - If selected, the administrator approval process is as follows: A

certificate requester submits a certificate request on the EE, a certificate request notification is sent to approval
administrators if configured in Step 5 on page 45, and the certificate request is displayed in the list of

40 OpenTrust PKI 4.12 Server Configuration Guide

Configure an Enrollment Method Chapter 2. Configure Certificate Management Profiles

pending certificate requests on the RA; or an administrator submits a certificate request on the RA. If the
required number of administrators approve the certificate request:

◦ For decentralized enrollment methods, which can only be initiated by the certificate requester on the EE, the
private keys are installed in the certificate requester's Web browser when the certificate request is made.
When the certificate request is approved by the required number of administrators on the RA, if configured
in Step 9 on page 44, a notification email will be sent to the certificate requester. The certificate requester
can then import the certificate into their Web browser.

◦ For centralized enrollment methods, the certificate and private key are delivered according to the method
selected in Step 6 on page 43.
If the certificate request is denied by an administrator, a notification email is sent. If the certificate request
expires, a notification email is sent.

LDAP directory values or manually-entered data can be used to identify the certificate requester and the future
certificate holder before the certificate request is submitted. Default values can also be used to pre-populate
some of the fields in certificate request forms. Default values can be configured to be editable by the certificate
requester and/or the approval administrator.

To configure the options unique to administrator approval:

1. Select a certificate request identification/data entry method:

◦ Manual Request - For decentralized enrollment methods and centralized certificate requests initiated
on the EE by the certificate requester: The certificate requester enters the data in the certificate request
form fields manually on the EE. Administrators on the RA find the certificate request and enter data in
the certificate approval form manually.

For centralized certificate requests initiated on the RA by the approval administrator: The approval
administrator enters the data in the certificate request form fields manually on the RA.

Information in the certificate request forms displayed to the certificate requester and the approval
administrator is not pre-populated and does not need to match information available in an LDAP
directory associated with the OpenTrust PKI.

◦ Directory Request on Datasource - For decentralized enrollment methods and centralized certificate
requests initiated on the EE by the certificate requester: The certificate requester enters a unique
identifier to identify themself to the EE. The attributes configured as identifiers in the datasource
selected for the certificate management profile are available for certificate requesters to use on the
EE as identification. After the certificate requester is identified, the form field values that have been
retrieved from the directory for the certificate requester are pre-populated in the certificate request
form fields and the certificate requester can edit the values in the editable certificate request form
fields manually on the EE. Administrators on the RA find the certificate request and enter data in the
certificate approval form manually.

For centralized certificate requests initiated on the RA by the approval administrator: The approval
administrator requests a certificate on the RA and searches for a future certificate holder to receive
the certificate. The attributes configured as search criteria in the datasource selected for the certificate
management profile are available to use as search criteria when the administrator is searching for a
future certificate holder. The future certificate holder receives a certificate, private keys, and password
and can then import the certificate into their Web browser.

To configure the options unique to directory request on datasource:

• Select a datasource. All datasources configured as described in “Configure/Add a

Datasource” on page 23 will be available for selection. If a datasource has not yet been
configured, the Directory Selection on Datasource option will not be available for selection.

◦ User Choice for Manual or Directory Request on Datasource - For decentralized enrollment
methods and centralized certificate requests initiated on the EE by the certificate requester: When
making a certificate request, the certificate requester can choose to use manual entry or search for
an LDAP attribute to use to identify themself to the EE using the Directory Request on Datasource
behavior.

For centralized certificate requests initiated on the RA by the approval administrator: The approval
administrator requests a certificate on the RA. When making the certificate request, the administrator

OpenTrust PKI 4.12 Server Configuration Guide 41

Chapter 2. Configure Certificate Management Profiles Configure an Enrollment Method

can choose to use manual entry or search for a future certificate holder to receive the certificate using
the Directory Request on Datasource behavior.

To configure the options unique to User Choice for Manual or Directory Request on Datasource:

• Select a datasource. All datasources configured as described in “Configure/Add a

Datasource” on page 23 will be available for selection. If a datasource has not yet been
configured, the Administrator Choice for Manual Entry or Directory Selection on Datasource option
will not be available for selection.

2. Specify the number of administrators that must approve the request. The certificate will only be delivered
once the required number of administrators have approved the request. If multiple approvals are
configured, choose whether or not to require the approval administrators to belong to different access
rights groups. These options do not affect the number of administrators that are required to reject a
request: one administrator alone can reject a request.

• Enrollment Administrator Pre-approval - This option is only available for decentralized enrollment methods.

If selected, the administrator pre-approval process is as follows: An administrator pre-approves a certificate

request on the RA. The administrator communicates the password for the certificate to the future certificate
holder. If the number of administrators that must pre-approve the request is greater than one, a certificate
request notification is sent to approval administrators if configured in Step 5 on page 45, and the certificate
request is displayed in the list of pending certificate requests on the RA. Once the required number of
administrators have pre-approved the request, a notification email is sent to the future certificate holder. The
future certificate holder authenticates on the EE with the password provided by the administrator and the URL
provided in the email, and submits a certificate request. The certificate and private keys are installed in the
certificate requester's Web browser and a message is displayed on the EE user interface indicating that the
certificate and private key have been installed in the requester's browser and the certificate holder should
make a backup copy of the certificate. If configured in Step 9 on page 44, a notification email will be sent.

LDAP directory values or manually-entered data can be used to identify the future certificate requester before
the certificate request is submitted. Default values can also be used to pre-populate some of the fields in
certificate request forms. Default values can be configured to be editable by the certificate requester and/or the
approval administrator.

To configure the options unique to administrator pre-approval:

1. Select a certificate request identification/data entry method:

◦ Manual Entry - To pre-approve a certificate request, an administrator with the Enrollment rights for
the zone/certificate management profile on the RA enters data in the certificate request form fields
manually. The future certificate requester receives a notification and password and then makes a
request on the EE for the pre-approved certificate, which generates a private key for the certificate
and installs the certificate and key pair. The certificate management profile must be configured to be
editable by the enrollment administrator to enable the enrollment administrator to edit the information in
the certificate request form during the pre-approval process. Information in the certificate request forms
displayed to the pre-approval administrator and the future certificate holder is not pre-populated and
does not need to match information available in an LDAP directory associated with the OpenTrust PKI.

◦ Directory Selection on Datasource - To pre-approve a certificate request, an enrollment pre-approval

administrator requests a certificate on the RA from a certificate management profile and searches for
a future certificate requester to associate with the pre-approved certificate information that is used to
generate the private key for the certificate. The attributes configured as identifiers in the datasource
selected for the certificate management profile are available to use as search criteria when the
administrator is searching for a future certificate requester. The future certificate requester receives a
notification and password and then makes a request on the EE for the pre-approved certificate, which
generates a private key for the certificate and installs the certificate and key pair.

To configure the options unique to directory selection on datasource:

• Select a datasource. All datasources configured as described in “Configure/Add a

Datasource” on page 23 will be available for selection. If a datasource has not yet been
configured, the Directory Selection on Datasource option will not be available for selection.

◦ Administrator Choice for Manual Entry or Directory Selection on Datasource - To pre-approve

a certificate request, an enrollment pre-approval administrator requests a certificate on the RA from
a certificate management profile. When submitting the information to be used for the future certificate

42 OpenTrust PKI 4.12 Server Configuration Guide

Configure an Enrollment Method Chapter 2. Configure Certificate Management Profiles

request, the administrator can choose to use manual entry or search for a future certificate requester
to associate with the pre-approved certificate information using the Directory Selection on Datasource
behavior. The future certificate requester receives a notification and password and then makes a
request on the EE for the pre-approved certificate, which generates a private key for the certificate and
installs the certificate and key pair.

To configure the options unique to Administrator Choice for Manual Entry or Directory Selection on
Datasource:

• Select a datasource. All datasources configured as described in “Configure/Add a

2. Select an automatic email to use to "Deliver an Automatic Enrollment URL." All configured automatic
emails that can be used for delivery of automatic enrollment URLs will be available for selection. For more
information about automatic emails, refer to “Configure Automatic Emails” on page 35.

3. Specify the number of administrators that must pre-approve the request. The email containing the URL
of the pre-approved certificate request page will only be sent once the required number of administrators
have pre-approved the request. If multiple approvals are configured, choose whether or not to require
the approval administrators to belong to different access rights groups. These options do not affect
the number of administrators that are required to reject a request: one administrator alone can reject a
request.

• Self-enrollment - If selected, the self-enrollment process is as follows: A certificate requester authenticates on

the EE using LDAP credentials and requests a certificate. Then:

◦ For decentralized enrollment methods, the certificate and private keys are installed in the certificate
requester's Web browser and a message is displayed on the EE user interface indicating that the certificate
and private key have been installed in the requester's browser and the certificate holder should make a
backup copy of the certificate. If configured in Step 9 on page 44, a notification email will be sent.

◦ For centralized enrollment methods, the certificate and private key are delivered according to the method
selected in Step 6 on page 43.

LDAP directory values or manually-entered data can be used to identify the certificate requester before the
certificate request is submitted. Default values can also be used to pre-populate some of the fields in certificate
request forms. Default values can be configured to be editable by the certificate requester.

To configure the options unique to self-enrollment:

• Select an authentication scheme. All authentication schemes configured as described in “Configure an

Authentication Scheme ” on page 24 will be available for selection. If an authentication scheme has not
yet been configured, the self-enrollment option will not be available for selection.

6. If configuring a certificate management profile that uses a centralized enrollment method, in the Deliver
PKCS#12 area, select the method to use to deliver the certificate and key pair when certificate requests are
approved:

• Sent by Email - Select an automatic email to use to deliver the certificate and key pair when certificate
requests are approved. All configured automatic emails that can be used for certificate delivery will
be available for selection. For more information about automatic emails, refer to “Configure Automatic
Emails” on page 35.

• Delivered via EE User Interface - To make the certificate and key pair available for download from the EE
user interface:

1. Choose a browser integration option:

◦ To make the certificate and key pair available to be downloaded and then imported into a Web browser
by the certificate requester, select Download and Import.

◦ To make the certificate and key pair available for automatic Web browser integration when the
OpenTrust PKI can detect the appropriate settings, select Automatic Web Browser Integration.

2. Select an automatic email to use to deliver the link from which the certificate and key pair can be
downloaded or automatically integrated into a Web browser when certificate requests are approved.

OpenTrust PKI 4.12 Server Configuration Guide 43

Chapter 2. Configure Certificate Management Profiles Configure Additional Enrollment Options

All configured automatic emails that can be used for certificate availability notifications will be
available for selection. For more information about automatic emails, refer to “Configure Automatic
Emails” on page 35.

3. Configure the download duration period for the certificate and key pair in the Storage on the EE
parameters:

a. Duration (in days) - Enter the number of days after a certificate request is approved that the
certificate and key pair should be available to download from the EE user interface.

b. Duration after Download (in hours) - Enter the number of days after a certificate and key pair are
downloaded from the EE user interface that the certificate and key pair should remain available to
download from the EE user interface.

Administrators will have the option to remove the download link before the end of the configured download
durations.

7. If configuring a certificate management profile that uses a centralized enrollment method, the password entered
in a certificate request is used to encrypt the certificate. Choose the method by which a password is created for
the certificate:

• User-selected - The certificate requester enters a password in the certificate request form on the RA or EE.

• Randomly Generated - A password is randomly generated by the OpenTrust PKI for the certificate and
delivered with the certificate approval notification emails.

• Authentication Scheme Populated - The certificate holder's password is retrieved from the LDAP directory
associated with the authentication scheme selected in the self-enrollment process configuration. This option is
only available for self-enrollment processes.

8. If configuring a certificate management profile that uses a centralized enrollment method, select the Allow
escrowing of private keys imported via the connector option to allow key archival with the Auto-Enrollment
Proxy.

Note: This feature requires OpenTrust PKI version 4.8 or higher and Auto-Enrollment Proxy version 2.3
or higher.

9. For decentralized, server, or SCEP enrollment methods, in the Deliver Certificate area, select an automatic
email to use to deliver the certificate when certificate requests are approved. All configured automatic emails
that can be used for certificate delivery will be available for selection. For more information about automatic
emails, refer to “Configure Automatic Emails” on page 35. For certificate management profiles that do not
include a contact email, it may be necessary to add a form parameter, subject alternative name, or subject DN
component to the certificate management profile to require the certificate requester to enter an email address
when requesting a certificate. This step is required for decentralized, server, and SCEP enrollment methods.

10. Click Save. If configuring a new certificate management profile, continue to “Configure Additional Enrollment
Options” on page 44.

2.3.3. Configure Additional Enrollment Options

The additional enrollment options available for configuration will vary based on enrollment method configured as
described in “Configure an Enrollment Method” on page 39. Administrators should ignore steps in the configuration
procedure that are not applicable for the enrollment method selected for the certificate management profile.

To configure the additional enrollment options for the certificate management profile:

2. Navigate to the Settings | Certificates | Certificate Management Profiles page.

3. On the Enrollment tab, to configure the global parameters for a certificate management profile:

a. To restrict access to the certificate management profile when requesting and searching for certificates
to authenticated certificate holders on the EE who have the Request Certificate on the EE right for the
certificate management profile in at least one zone, select "Request Certificate on the EE" Right
Required. This option does not impact access to the certificate management profile on the RA. This option

44 OpenTrust PKI 4.12 Server Configuration Guide

Configure Additional Enrollment Options Chapter 2. Configure Certificate Management Profiles

impacts rights management display. If this option is not selected, the certificate management profile will
not be available in the rights management user interface on the EE because the Request Certificate on the
EE right will not be available to assign to certificate holders, as everyone will be able to request certificates
from the certificate management profile without the need for an assigned right. If this option is selected, only
certificate holders with a grant ability for the Request Certificate on the EE right on the EE will be able to
access the right in the rights management user interface on the EE. This option is not available for certificate
management profiles configured to use the SCEP enrollment method.

b. To require certificate holders to use a revocation code when revoking a certificate generated from the
certificate management profile, choose a revocation code method for the certificate management profile:

• None - A revocation code is not required to revoke a certificate.

• Chosen by the requester - The revocation code used to revoke a certificate is configured by the certificate
requester when the certificate request is made. The revocation code cannot be seen by an administrator
who approves a certificate request. The revocation code is not exposed by the OpenTrust PKI and is not
recoverable.

• Chosen by the validator - The revocation code is configured by the administrator who approves the
certificate request during the certificate request approval process. The administrator must communicate
the entered revocation code to the certificate holder. The revocation code cannot be changed or retrieved
after being configured by the administrator during the certificate request approval process.

• Random - A revocation code is generated by the OpenTrust PKI for the certificate when the certificate
request is made and is displayed to the certificate requester in the request confirmation displayed in the
user interface. The revocation code is not exposed by the OpenTrust PKI and is not recoverable.

c. To apply a configured password policy to passwords and revocation codes used for certificates created
using the certificate management profile, select a password policy. All configured password policies, as
described in “Configure a Password Policy” on page 25, will be available for selection. Passwords and
revocation codes generated by the OpenTrust PKI will comply with the selected password policy. Passwords
and revocation codes entered by administrators and certificate requesters that do not comply with the
selected password policy will be rejected by the OpenTrust PKI.

d. To enroll certificates created using the certificate management profile in a particular zone, configure the
Zone Identification Rules. Select a datasource field to use to identify certificate requesters by zone and
then select the default zone for the certificate management profile. All zones associated with the certificate
management profile, as described in “Configure Zones” on page 79, will be available for selection. The
Zone Identification Rules configuration option will only be available in certificate management profiles that
have been associated with a zone and that are configured to use self-enrollment or automatic completion of
certificate request fields.

4. To configure the key parameters:

• If the certificate management profile is configured to use a centralized enrollment method, to configure the
key generation parameters, select an encryption algorithm and choose an encryption level for the private keys
of certificates created using the certificate management profile. Selecting a larger key size will result in more
secure certificates. It may take a longer time to generate larger, more secure keys and to sign certificates with
larger keys. Certificate requests must include key sizes equal to the value configured here.

• If the certificate management profile is not configured to use a centralized enrollment method, to configure the
allowed key types, select an encryption algorithm and choose a minimum encryption level for the private keys
of certificates created using the certificate management profile. Selecting a larger key size will result in more
secure certificates. It may take a longer time to generate larger, more secure keys and to sign certificates with
larger keys. Certificate requests can include key sizes equal to or greater than the value configured here.

Key Size - Choose a minimum encryption level for the private keys of certificates created using the certificate
management profile. Selecting a larger key size will result in more secure certificates. It may take a longer time
to generate larger, more secure keys and to sign certificates with larger keys. Certificate requests can include
key sizes equal to or greater than the value configured here.

5. For certificate management profiles in which the "Approval by an Enrollment Administrator" option is selected
for the enrollment process and when the selected enrollment method is Server or via SCEP, in the Notification
Emails area, select the Notification Emails to send for certificate requests and certificate request rejections. All
configured automatic emails that can be used for certificate request and certificate request rejection notifications
will be available for selection. For more information about automatic emails, refer to “Configure Automatic
Emails” on page 35.

OpenTrust PKI 4.12 Server Configuration Guide 45

Chapter 2. Configure Certificate Management Profiles Configure Additional Enrollment Options

6. Additional form parameters can be used to associate data stored in the OpenTrust PKI with certificates and,
in the case of the Validity Duration form parameter, add content to certificates. To add a form parameter to a
certificate management profile:

a. In the Additional Form Parameters area, click Add More.

b. Select an Element to use as a form parameter. There are several types of elements:

• Administrator's Email and Contact Email Address values are associated with the certificates generated by
the certificate management profile.

• Custom Fields and Phone Number values are associated with certificates generated by the certificate
management profile only if a metadata type is selected. If metadata type is not selected, the information is
entered during the certificate request and then discarded by the OpenTrust PKI.

• Validity Duration values are added to the certificate as content. If validity duration is configured as a
form parameter for the certificate management profile on the General tab, when someone requests
a certificate from the certificate management profile, the validity duration will be configurable by the
certificate requester and/or the administrator. The validity duration for the certificate will be the earliest/
shortest of: the date/time entered when requesting the certificate, the date/time configured on the General
tab, or the date/time of the signing CA's certificate expiration.

c. Select a requirement type for the form parameter:

• Optional - An administrator or a certificate requester may choose to enter the information when
requesting a certificate.

• Mandatory - An administrator or a certificate requester must enter the information or accept the default
value when requesting a certificate or approving a certificate request.

• Static - The default value is always used to populate the certificate request form and cannot be edited.

d. To make the form parameter editable during the certificate request and/or certificate approval process,
when the requirement type is not set to Static, select "Editable by the Requester" and/or "Editable by the
Enrollment Administrator."

e. To associate form parameter metadata with certificates so that the metadata will be included in certificate
audit logs and available as search criteria when searching for certificates, select a metadata type. All
configured metadata types, as described in “Configure Metadata Types” on page 29, will be available
for selection. A metadata type cannot be associated with a form parameter if it is already associated with
another form parameter, a Subject Alternative Name, a Subject DN component, or a Microsoft certificate
template.

f. Configure a default value for the form parameter. If the form parameter is configured to be static, the
default value must be configured and is then pre-populated and uneditable in certificate request forms. If
the form parameter is not configured to be static and a datasource is not associated with the certificate
management profile, the default value is optional when configuring the form parameter and an entered
value will be used to pre-populate certificate request forms. If the form parameter is not configured to be
static and a datasource is associated with the certificate management profile, the default value is optional
when configuring the form parameter and can contain text and datasource values that will be used to pre-
populate certificate request forms. To configure the default value using a datasource value, drag and drop a
datasource field to the default value area.

g. Repeat this process to configure multiple form parameters.

7. Administrators can be sent reminder emails for pending certificate requests. To configure certificate request
reminder emails:

a. In the Certificate Request Reminders area, click Add More.

b. From the list of available automatic emails, select an automatic email. The list will contain all automatic
emails that can be used for certificate request reminders, configured as described in “Configure Automatic
Emails” on page 35.

c. Enter the number of days before the certificate request expiration to send the reminder email.

d. Repeat this process to configure multiple certificate request reminder emails.

8. Configure the certificate request expiration options:

46 OpenTrust PKI 4.12 Server Configuration Guide

Configure Renewal Options Chapter 2. Configure Certificate Management Profiles

• Deletion of Pending Certificate Requests (in days) - Enter the number of days after a certificate request is
made and remains unapproved that the certificate request should be deleted from the list of pending certificate
requests.

• Email Sent on Certificate Request Expiration - To send a notification email when a certificate request
expires, from the list of available automatic emails, select an automatic email. The list will contain all automatic
emails that can be used for certificate request expiration notifications, configured as described in “Configure
Automatic Emails” on page 35.

9. Click Save. If configuring a new certificate management profile, continue to “Configure Renewal
Options” on page 47.

2.3.4. Configure Renewal Options

Administrators can configure several options for certificate management profiles related to certificate renewal. When
renewal is performed for a certificate generated using a certificate management profile for which the enrollment process
is centralized or decentralized, a new key pair is generated.

To configure the renewal options for a certificate management profile:

2. Navigate to the Settings | Certificates | Certificate Management Profiles page.

3. On the Renewal tab, select the renewal approval methods to support in the certificate management profile:

• Renewal with Enrollment Approval Method - This method is always selected and not configurable. It is
always possible to renew certificates using the same approval method selected for certificate enrollment. If
selected, the renewal with enrollment approval method results in a renewal process that is identical to the
original certificate request and enrollment processes. Renewal approval using the enrollment method can be
performed for any certificate holder who holds at least one certificate, currently in its renewal period, that was
generated using the certificate management profile. The renewal requester can change the information for the
renewed certificate by entering values in the certificate renewal request form fields that differ from the values
entered in the original certificate request form fields.

• Renewal with Automatic Approval - This method is only available for the decentralized, centralized, and
SCEP enrollment processes: This method is always selected and not configurable for SCEP enrollment
processes, for which renewed certificates are delivered via SCEP. If selected, the renewal with automatic
approval method results in the following renewal process: A certificate holder authenticates on the EE with the
certificate eligible for renewal and requests renewal for the certificate. Then a new certificate is delivered to the
renewal requester via email for decentralized, server, and centralized/"deliver by email" enrollment processes
and via a page in the EE user interface for centralized/"deliver by page in the EE user interface" enrollment
processes. The renewed certificate will be identical to the previous certificate, except for a new key pair.

If both renewal approval methods are selected, the renewal requester chooses the renewal method during the
certificate renewal request process.

4. To configure the renewal period for certificates generated using the certificate management profile, at the
Renewal Period (in days) prompt, enter the number of days before the certificate expiration date that the
certificate can be renewed. If 0 is entered, the certificates generated using the certificate management profile
are never eligible for renewal. A certificate that is eligible for renewal provides its holder with the ability to have
one more certificate than allowed by the "Maximum Number of Certificates per Holder (0 Means No Limit)" option
described in “Configure the General Settings” on page 38.

5. To notify certificate holders whose certificates are nearing expiration that their certificates are eligible for renewal,
in the Notification Emails area, click Add More and select an automatic email to use for the renewal eligibility
notification. All configured automatic emails that can be used for renewal notifications will be available for
selection. For more information about automatic emails, refer to “Configure Automatic Emails” on page 35.
Then enter the number of days before the certificate expiration date that the renewal notification email should be
sent. Repeat this step to configure multiple renewal notification reminder emails.

6. To continue sending renewal emails to certificate holders who hold a certificate that is not nearing its expiration
date, select Send Renewal Emails Even If a Valid Certificate Exists. This option is not selected by default to
prevent unnecessary emails in the event that a certificate has been renewed and the original certificate has not

OpenTrust PKI 4.12 Server Configuration Guide 47

Chapter 2. Configure Certificate Management Profiles Configure Key Pair Recovery Options

yet expired. This option can be useful for holders of multiple certificates for the certificate management profile
because their certificates may have different expiration dates.

7. Click Save. If configuring a new certificate management profile, continue to “Configure Key Pair Recovery
Options” on page 48.

2.3.5. Configure Key Pair Recovery Options

Recovery processes are only supported for certificate management profiles in which the configured enrollment method
is centralized, with the "Private Keys Escrowing" option selected, and are used to recover the key pairs for a certificate.
Administrators can configure several options for certificate management profiles in which recovery is supported.

To configure the recovery options for a certificate management profile:

2. Navigate to the Settings | Certificates | Certificate Management Profiles page.

3. On the Recovery tab, select the recovery processes to support in the certificate management profile:

• Recovery Requested by the Holder - This recovery process is always selected and cannot be de-selected.
It is always possible for a certificate holder to make a certificate recovery request for a certificate that was
generated by a certificate management profile that is accessible on the EE. To email a recovered certificate
to the certificate holder, select an automatic email to use to deliver the recovered certificate. All configured
automatic emails that can be used to deliver recovered certificates for the holder will be available for selection.
For more information about automatic emails, refer to “Configure Automatic Emails” on page 35.

The recovery requested by the holder process is as follows: A recovery requester logs on to the EE or
a recovery administrator logs on to the RA and requests recovery for the certificate. Then the certificate
recovery request is approved by an administrator or is automatically approved when the request is made by an
administrator on the RA and the recovered certificate and private keys are delivered via email, the certificate
recovery request is denied by an administrator and a notification email is sent, or the certificate recovery
request expires and a notification email is sent.

• Recovery Requested for a Third-party - This recovery process can be modified even if certificates are
associated with the certificate management profile. To email a recovered certificate to the third-party, select
an automatic email to use to deliver the recovered certificate. All configured automatic emails that can be
used to deliver recovered certificates to third-parties will be available for selection. For more information
about automatic emails, refer to “Configure Automatic Emails” on page 35. Choose whether to require
authentication on the EE when requesting recovery for a third-party certificate. If EE authentication is not
required for third-party recovery requests but the certificate management profile is accessible on the EE,
anyone can request a third-party certificate recovery. If EE authentication is required for third-party recovery
requests and the certificate management profile is accessible on the EE, only authenticated certificate holders
can request third-party certificate key pair recoveries.

If selected, the recovery requested for a third-party process is as follows: A recovery requester logs on to the
EE and requests recovery of a certificate for a third party, not for the original holder of the certificate, to be
recovered. Then the certificate recovery request is approved by an administrator and the recovered certificate
and private keys are delivered via email, the certificate recovery request is denied by an administrator and a
notification email is sent, or the certificate recovery request expires and a notification email is sent.

If both recovery processes are selected, a certificate can be recovered by the holder and third-parties.

4. In the Notification Emails area, select the Notification Emails to send for certificate recovery requests and
certificate recovery request rejections. All configured automatic emails that can be used for certificate recovery
request and certificate recovery request rejection notifications will be available for selection. For more information
about automatic emails, refer to “Configure Automatic Emails” on page 35.

5. To remind administrators that there is a pending certificate recovery request, click Add More and select an
automatic email to use for the pending recovery request reminder. All configured automatic emails that can
be used for pending recovery request reminders will be available for selection. For more information about
automatic emails, refer to “Configure Automatic Emails” on page 35. Then enter the number of days before
the recovery request expiration date that the reminder email should be sent. Repeat this step to configure
multiple recovery request reminder emails.

6. Configure the certificate recovery request expiration options:

48 OpenTrust PKI 4.12 Server Configuration Guide

Configure Revocation Options Chapter 2. Configure Certificate Management Profiles

• Deletion of Pending Certificate Recovery Requests (in days) - Enter the number of days after a certificate
recovery request is made and remains unapproved that the certificate recovery request should be deleted from
the list of pending certificate recovery requests.

• Email Sent on Certificate Recovery Request Expiration - To send a notification email when a certificate
recovery request expires, from the list of available automatic emails, select an automatic email. The list
will contain all automatic emails that can be used for certificate recovery request expiration notifications,
configured as described in “Configure Automatic Emails” on page 35.

7. Click Save. If configuring a new certificate management profile, continue to “Configure Revocation
Options” on page 49.

2.3.6. Configure Revocation Options

To configure the revocation options for a certificate management profile:

2. Navigate to the Settings | Certificates | Certificate Management Profiles page.

3. On the Revocation tab, select the revocation processes to support in the certificate management profile:

• Revocation by a Revocation Administrator - This recovery process is always selected and cannot be de-
selected. It is always possible for a certificate holder to make a certificate revocation request for a certificate
that was generated by a certificate management profile that is accessible on the EE. The revocation by a
revocation administrator process is as follows: A certificate holder accesses the EE and requests revocation
for the certificate. Then the certificate revocation request is approved by an administrator on the RA, the
certificate revocation request is denied by an administrator on the RA, or the certificate revocation request
expires. It is also possible for a revocation administrator to start the revocation by a revocation administrator
process on the RA without receiving a request made by a certificate holder on the EE.

• Self-revocation - This revocation process selection can be modified even if certificates are associated with
the certificate management profile. If selected, the self-revocation process is as follows: A certificate holder
authenticates on the EE, using either the certificate to be revoked or a revocation code and unique identifier
combination, and requests revocation for a certificate. Then the certificate is revoked.

Batch revocation is always enabled on the RA for all certificate management profiles, does not require a
revocation request, and does not need to be configured.

4. In the Notification Emails area, select the Notification Emails to send for certificate revocation requests,
certificate revocation request rejections, and certificate revocation notifications. All configured automatic emails
that can be used for certificate revocation request, certificate revocation request rejection, and certificate
revocation notifications will be available for selection. For more information about automatic emails, refer to
“Configure Automatic Emails” on page 35.

5. To remind administrators that there is a pending certificate revocation request, click Add More and select an
automatic email to use for the pending revocation request reminder. All configured automatic emails that can
be used for pending revocation request reminders will be available for selection. For more information about
automatic emails, refer to “Configure Automatic Emails” on page 35. Then enter the number of days before
the revocation request expiration date that the reminder email should be sent. Repeat this step to configure
multiple revocation request reminder emails.

6. Configure the certificate revocation request expiration options:

• Deletion of Pending Certificate Revocation Requests (in days) - Enter the number of days after a
certificate revocation request is made and remains unapproved that the certificate revocation request should
be deleted from the list of pending certificate revocation requests.

• Email Sent on Certificate Revocation Request Expiration - To send a notification email when a certificate
revocation request expires, from the list of available automatic emails, select an automatic email. The list
will contain all automatic emails that can be used for certificate revocation request expiration notifications,
configured as described in “Configure Automatic Emails” on page 35.

7. Click Save. If configuring a new certificate management profile, continue to “Configure Certificate Extension
Requirements” on page 50.

OpenTrust PKI 4.12 Server Configuration Guide 49

Chapter 2. Configure Certificate Management Profiles Configure Certificate Extension Requirements

2.3.7. Configure Certificate Extension Requirements

To configure the certificate extensions to be included in certificates generated using this certificate
management profile:

2. Navigate to the Settings | Certificates | Certificate Management Profiles page.

3. On the Certificate Extensions tab, configure the certificate extensions to include in certificates generated using
the certificate management profile. Certificate extension configurations can be modified even if certificates are
associated with the certificate management profile. Certificate extensions are not required to be configured for
certificate management profiles.

• Key Usage - Select any quantity and combination of key usages to be included in the "X509v3 Key Usage"
section of the certificate. Choose whether to make the key usages critical or non-critical. The criticality setting
is applied to all selected key usages and cannot be applied to individual key usages.

• Extended Key Usage - Select any quantity and combination of key usages to be included in the "X509v3
Extended Key Usage" section of the certificate. Choose whether to make the key usages critical or non-critical.
The criticality setting is applied to all selected key usages and cannot be applied to individual key usages.
To add a custom extended key usage extension to the list of extended key usage extensions available for
selection, click "Add New Custom Key Usage," enter a valid description and OID for the custom extended key
usage extension, and click Add.

• Subject Alternative Names - Select the Subject Alternative Name types to be included in the "X509v3
Subject Alternative Name" section of certificates created using the certificate management profile. The
OpenTrust PKI will generate a Subject Alternative Name for the certificate based on the Subject Alternative
Name type selected and values entered when requesting a certificate. Use the Add More and delete signs to
add and remove Subject Alternative Names from the list. For each selected Subject Alternative Name:

1. Select a requirement type:

◦ Optional - An administrator or a certificate requester may choose to enter the information when
requesting a certificate.

◦ Mandatory - An administrator or a certificate requester must enter the information or accept the default
value when requesting a certificate or approving a certificate request.

◦ Static - The default value is always used to populate the certificate request form and cannot be edited.

2. To make the value for the Subject Alternative Name editable during the certificate request and/or
certificate approval process, when the requirement type is not set to Static, select "Editable by the
Requester" and/or "Editable by the Enrollment Administrator."

3. To associate Subject Alternative Name metadata with certificates so that the metadata will be included in
certificate audit logs and available as search criteria when searching for certificates, select a metadata
type. All configured metadata types, as described in “Configure Metadata Types” on page 29, will
be available for selection. A metadata type cannot be associated with a Subject Alternative Name if it is
already associated with a form parameter, a subject DN component, or a Microsoft certificate template.

4. If "Alternative Name (DNS)" was selected, specify whether the wildcard character * is allowed in the
Alternative Name.

5. Configure a default value for the Subject Alternative Name. If the Subject Alternative Name is configured
to be static, the default value must be configured and is then pre-populated and uneditable in certificate
request forms. If the Subject Alternative Name is not configured to be static and a datasource is not
associated with the certificate management profile, the default value is optional when configuring the
Subject Alternative Name and an entered value will be used to pre-populate certificate request forms.
If the Subject Alternative Name is not configured to be static and a datasource is associated with the
certificate management profile, the default value is optional when configuring the Subject Alternative
Name and can contain text and datasource values that will be used to pre-populate certificate request
forms.

• CRL Distribution Point - CRL distribution points are locations from which CRLs can be obtained. To include a
CRL distribution point in the "X509v3 CRL Distribution Points" section of the certificate, enter a URI from which

50 OpenTrust PKI 4.12 Server Configuration Guide

Configure Certificate Extension Requirements Chapter 2. Configure Certificate Management Profiles

the CRL of the CA signing the certificate can be downloaded. Use the Add More and delete signs to add and
remove CRL distribution points from the list.

• Authority Information Access - Authority information access extensions contain information about how
to access information and services, such as online validation services and CA certificates, for the CA that
creates the certificate in which the extension appears. To include an authority information access extension in
the "Authority Information Access" section of the certificate, select the method to use to access the authority
information:

Use the Add More and delete signs to add and remove authority information access extensions from the list.

• Certificate Policies - Certificate policies extensions contain information about the policy used to create a
certificate. Certificate policy extensions are comprised of one or more policy information terms, each of which
consists of an object identifier (OID) and optional qualifiers. In a CA certificate, policy information terms limit
the set of policies for certification paths that include the certificate. In an end entity certificate, these policy
information terms indicate the policy under which the certificate has been issued and the purposes for which
the certificate may be used. To add a certificate policy extension to the "X509v3 Certificate Policies" section of
the certificate, enter any meaningful value for the Policy Identifier OID. The OpenTrust PKI supports the Struct
and Address qualifiers for certificate policies extensions. If a supported qualifier should also be added to the
certificate extension, choose a qualifier and configure the options for the qualifier:

◦ Address - To include, in the certificate, the URI of a Certification Practice Statement (CPS) published by the
signing CA, select Address and enter the URI from which the CPS can be downloaded.

◦ Struct - To include general information about the certificate policy being used to create the certificate, enter
information in any of the optional fields:

▫ Organization - Enter the name of the organization that created the certificate policy. If this option is
configured, Notice Numbers must also be configured.

▫ Text - Enter any meaningful text related to the certificate policy.

Use the Add More and delete signs to add and remove certificate policies extensions from the list

• Key Identifiers:

◦ Subject Key Identifier - Subject key identifiers are used to identify certificates that contain a common
public key used by an application. To include a non-critical subject-key-identifier certificate extension in
the "X509v3 Subject Key Identifier" section of the certificate, select the "Include a Subject Key Identifier
in certificates created with this certificate management profile" option. To create the certificate without a
subject-key-identifier certificate extension, de-select the "Include a Subject Key Identifier in certificates
created with this certificate management profile" option.

◦ Authority Key Identifier - Authority key identifiers are used to identify the public key that corresponds to the
private key used to sign a certificate. To include a non-critical authority-key-identifier certificate extension in
the "X509v3 Authority Key Identifier" section of the certificate, select Signing CA's SKI, which will generate a
unique authority key identifier for the signing CA's public key. Use of the Signing CA's SKI option is strongly
recommended for all certificates. Administrators can select Signing CA's Serial Number and Issuer DN
to add the Signing CA's Serial Number and Issuer DN to the authority key identifier. To prevent future
interoperability issues, use of the Signing CA's Serial Number and Issuer DN option is not recommended. To

OpenTrust PKI 4.12 Server Configuration Guide 51

Chapter 2. Configure Certificate Management Profiles Configure Subject DN Components

create the certificate without an authority-key-identifier certificate extension, de-select the Signing CA's SKI
and Signing CA's Serial Number and Issuer DN options.

• Basic Constraints - Basic constraints are used to identify whether the subject of a certificate is a CA and to
specify the maximum number of non-self-issued intermediate CA certificates that may follow a certificate in
valid certification paths. To specify the maximum number of non-self-issued intermediate CA certificates that
may follow the CA certificate being created, in valid certification paths, select a Certification Path Length. The
basic constraints will be listed in the "X509v3 Basic Constraints" section of the certificate.

• Qualified Certificate Statements - To include qualified certificate statements in the "qcStatements" section of
the certificate: Select any of the available option-less ETSI qualified certificate statements. Use the Add More
and delete signs to add and remove IETF qualified certificate statements from the list. For each selected IETF
qualified certificate statement: select a syntax and choose whether to enter a semantics identifier and add one
or more name registration authorities.

• Microsoft Certificate Template - To include a Microsoft certificate template extension in the "Certificate
Template Name" section of the certificate, select "Define the Microsoft Certificate Template Extension" and
then configure the options for the Microsoft certificate template:

1. Select a requirement type:

◦ Optional - An administrator or a certificate requester may choose to enter the information when
requesting a certificate.

◦ Mandatory - An administrator or a certificate requester must enter the information or accept the default
value when requesting a certificate or approving a certificate request.

◦ Static - The default value is always used to populate the certificate request form and cannot be edited.
A mandatory or static Microsoft certificate template extension is listed in the "1.3.6.1.4.1.311.20.2" section
of the certificate. An optional Microsoft certificate template extension that is provided during enrollment is
listed in the "1.3.6.1.4.1.311.20.2" section of the certificate.

2. To make the value for the Microsoft certificate template editable during the certificate request and/
or certificate approval process, when the requirement type is not set to Static, select "Editable by the
Requester" and/or "Editable by the Enrollment Administrator."

3. To associate Microsoft certificate template metadata with certificates so that the metadata will be included
in certificate audit logs and available as search criteria when searching for certificates, select a metadata
type. All configured metadata types, as described in “Configure Metadata Types” on page 29, will be
available for selection. A metadata type cannot be associated with a Microsoft certificate template if it is
already associated with a form parameter, a Subject Alternative Name, a subject DN component, or a
Microsoft certificate template.

4. Configure a default value for the Microsoft certificate template. If the Microsoft certificate template is
configured to be static, the default value must be configured and is then pre-populated and uneditable
in certificate request forms. If the Microsoft certificate template is not configured to be static, the default
value is optional when configuring the Microsoft certificate template and an entered value will be used to
pre-populate certificate request forms.

• Netscape Certificate Type - Select any quantity and combination of Netscape certificate types to be included
in the "Netscape Cert Type" section of the certificate. Choose whether to make the Netscape certificate types
critical or non-critical. The criticality setting is applied to all selected Netscape certificate types and cannot be
applied to individual Netscape certificate types.

• Netscape Comment - To include a comment in the "Netscape Comment" section of the certificate, enter text
in the free-form text field.

4. Click Save. If configuring a new certificate management profile, continue to “Configure Subject DN
Components” on page 52.

2.3.8. Configure Subject DN Components

To configure the subject DN components for certificates generated using the certificate management profile:

52 OpenTrust PKI 4.12 Server Configuration Guide

Import or Export Certificate Management Profile Component Configurations Chapter 2. Configure Certificate Management Profiles

2. Navigate to the Settings | Certificates | Certificate Management Profiles page.

3. On the Subject DN tab, select the DN components to be included in the DN of the certificates created using the
certificate management profile. Use the Add More and delete signs to add and remove DN components from the
list. At least one subject DN component must be configured. Subject DN components can be modified even if
certificates are associated with the certificate management profile.

To use the Organization Identifier as a subject DN component, the add-on eIDAS .rpm must be applied. Contact
an assigned IDnomic technical representative for more information.

4. For each selected DN component:

a. Select a requirement type:

• Optional - An administrator or a certificate requester may choose to enter the information when
requesting a certificate.

• Mandatory - An administrator or a certificate requester must enter the information or accept the default
value when requesting a certificate or approving a certificate request.

• Static - The default value is always used to populate the certificate request form and cannot be edited.

b. To make the value for the DN component editable during the certificate request and/or certificate approval
process, when the requirement type is not set to Static, select "Editable by the Requester" and/or "Editable
by the Enrollment Administrator."

c. To associate subject DN component metadata with certificates so that the metadata will be included in
certificate audit logs and available as search criteria when searching for certificates, select a metadata type.
All configured metadata types, as described in “Configure Metadata Types” on page 29, will be available
for selection. A metadata type cannot be associated with a subject DN component if it is already associated
with a form parameter, a Subject Alternative Name, a subject DN component, or a Microsoft certificate
template.

d. Configure a default value for the subject DN component. If the subject DN component is configured to be
static, the default value must be configured and is then pre-populated and uneditable in certificate request
forms. If the subject DN component is not configured to be static and a datasource is not associated with the
certificate management profile, the default value is optional when configuring the subject DN component and
an entered value will be used to pre-populate certificate request forms. If the subject DN component is not
configured to be static and a datasource is associated with the certificate management profile, the default
value is optional when configuring the subject DN component and can contain text and datasource values
that will be used to pre-populate certificate request forms.

5. Click Save. If configuring a new certificate management profile, the certificate management profile can now be
used to enroll certificates.

Note: In environments where the OpenTrust PKI RA component is not hosted on the same server
as the OpenTrust PKI EE component, certificate management profiles, zones, and browser profiles
configured on the RA component are synchronized periodically. To make certificate management
profiles, zones, and browser profiles configured on the RA component immediately available on the EE,
see “Synchronize RA Configuration” on page 68.

2.4. Import or Export Certificate Management Profile

Component Configurations
Administrators can import and export many of the settings configured on the RA component of the OpenTrust PKI,
such as certificate management profiles, certificate management profile categories, automatic emails, LDAP directory
connection settings, datasource configurations, authentication schemes, password policies, and browser usage policies.
The export and import process is often useful when transitioning from a test environment to a production environment,
allowing the administrator to re-use and/or easily edit the configurations that were developed during testing.

The import and export procedures are described in:

• “Export Certificate Management Profile Component Configurations” on page 54

• “Import Certificate Management Profile Component Configurations” on page 54

OpenTrust PKI 4.12 Server Configuration Guide 53

Chapter 2. Configure Certificate Management Profiles Export Certificate Management Profile Component Configurations

2.4.1. Export Certificate Management Profile Component Configurations

Certificate management profile component configurations can be exported from the OpenTrust PKI RA component in a
text file, individually or collectively.

To export certificate management profile component configurations:

2. Navigate to the Settings | Tools | Settings Export page.

3. On the Settings Export page, select or deselect the configurations to export.

4. Click Export.

5. Choose to save the text file containing the settings configurations.

2.4.2. Import Certificate Management Profile Component Configurations

Certificate management profile component configurations can be imported to the OpenTrust PKI RA component in a
text file using the format provided in the text file generated when exporting certificate management profile component
configurations or using the format provided by an assigned IDnomic technical representative.

To import certificate management profile component configurations:

2. Navigate to the Settings | Tools | Settings Import page.

3. On the Settings Import page, select a method to access the text file containing the certificate management profile
component configurations, with a .txt extension.

• Local Path - If the file containing the certificate management profile component configurations has been
copied to a directory on the machine where the browser being used to perform these steps is installed, enter or
browse to and select the directory path and file name of the file containing the certificate management profile
component configurations.

• URL - If the file containing the certificate management profile component configurations is accessible from a
server location, enter the fully-qualified domain name, file path, and file name in the form of a URL such as
https://fqdnofserverhostingexportedconfigs/exportedconfigfiles/settings.txt.

4. Click Upload File.

5. On the Select the Elements to Import page, for each certificate management profile component configuration
contained in the text file, select or deselect the following options:

• Import - If selected, the certificate management profile component configuration will be imported

• Exists - If selected, an existing certificate management profile component configuration of the same name will
be overwritten with the configuration stored in the text file being used for import.

Note: If importing component configurations that were previously exported, the import will overwrite any
configuration changes that have been made since the configurations were exported.

6. Click Import.

7. View the "Profile import completed. Please verify that profiles are coherent with the platform (missing
dependencies may have been removed)." success message.

54 OpenTrust PKI 4.12 Server Configuration Guide

3 Review Module Settings

The CA, RA, and EE components of the OpenTrust PKI have configurable module settings, as described in:

• “Configure CA Component's Module Settings ” on page 55

• “Configure RA Component's Module Settings ” on page 55

• “Configure EE Component's Module Settings ” on page 57

3.1. Configure CA Component's Module Settings

Administrators can configure the CA module settings on the user interface of the host server for the OpenTrust PKI CA
component.

To configure CA component's module settings:

1. Log in to the user interface for an OpenTrust PKI CA component as an administrator with the Configuration right.
If the initial administration certificate has not yet been deleted, an administrator using the initial administration
certificate can also perform this task.

2. Navigate to the Settings | Module Settings | Certification Authority page.

3. On the Certificate Authority page, configure the settings for the Certificate Authority component or confirm that
the default configurations are appropriate for the production environment:

• Administrator's Email - The administrator's email was originally configured in the "Initialize the Application
Modules" section of the OpenTrust PKI Server Installation and Upgrade Guide. Enter a "from" address
for email that will be sent to administrators who receive email notifications from the OpenTrust PKI server
application, such as CA administrators who are notified when internal certificates for the OpenTrust PKI
components are about to expire. Each OpenTrust PKI component (CA, RA, EE, or Logs) can use a unique
administrator's email address. This email address is used only for emails sent from the OpenTrust PKI
server application through Apache and not for cron event emails that are sent to the email address that was
configured when running the installer. The administrator's email for the CA component is also used for the
CA Administrator option in the "To:" drop-down menu for some of the email templates described in Configure
Automatic Emails.

• Enforce Size to CRT Parameters of RSA Keys - This option can be used to accommodate smart cards that
require CRT (Chinese Remainder Theorem) calculations to be performed during the OpenTrust PKI's RSA-
based keys generation process. This option should only be used in consultation with an assigned IDnomic
technical representative.

4. Click Save.

5. View the "The configuration has been successfully updated." success message.

3.2. Configure RA Component's Module Settings

Using the following instructions, administrators can configure settings for the OpenTrust PKI RA component's RA,
publication, and auto-enrollment proxy modules:

• “Configure RA Module Settings” on page 55

• “Configure Publication Module Settings” on page 56

• “Configure Auto-Enrollment Proxy Module Settings” on page 57

3.2.1. Configure RA Module Settings

To configure the settings for the RA component's RA module:

OpenTrust PKI 4.12 Server Configuration Guide 55

Chapter 3. Review Module Settings Configure Publication Module Settings

1. Log in to the user interface for an OpenTrust PKI RA component as an administrator with the Configuration right.
If the initial administration certificate has not yet been deleted, an administrator using the initial administration
certificate can also perform this task.

2. Navigate to the Settings | Module Settings | Registration Authority page.

3. On the Registration Authority page, configure the settings for the Registration Authority component or confirm
that the default configurations are appropriate for the production environment:

• Administrator's Email - The administrator's email was originally configured in the "Initialize the Application
Modules" section of the OpenTrust PKI Server Installation and Upgrade Guide. Enter a "from" address
for email that will be sent to administrators who receive email notifications from the OpenTrust PKI server
application, such as revocation request notifications. . Each OpenTrust PKI component (CA, RA, EE, or Logs)
can use a unique administrator's email address. This email address is used only for emails sent from the
OpenTrust PKI server application through Apache and not for cron event emails that are sent to the email
address that was configured when running the installer. The administrator's email for the RA component is also
used for the RA Administrator option in the "To:" drop-down menu for some of the email templates described in
Configure Email Templates.

• Search Entries Limit - Enter the maximum number of search results that can be returned when an
administrator searches for a certificate on the RA component by navigating to Registration Authority |
Enrollment | Search for a Certificate. If the number of certificates meeting the search criteria is greater than
the number of search results allowed by this setting, there will not be a warning for the administrator. If a
specific certificate is not listed in the search results, the administrator can use more search criteria to narrow
the search results.

4. Click Save.

5. View the "The configuration has been successfully updated." success message.

3.2.2. Configure Publication Module Settings

To configure the settings for the RA component's publication module:

2. Navigate to the Settings | Module Settings | Publication page.

3. On the Publication page, configure the settings for the Publication module or confirm that the default
configurations are appropriate for the production environment:

• Administrator's Email - The administrator's email was originally configured in the "Initialize the Application
Modules" section of the OpenTrust PKI Server Installation and Upgrade Guide. Enter a "from" address
for email that will be sent to administrators who receive email notifications from the OpenTrust PKI server
application, such as publication error notifications. Each OpenTrust PKI component (CA, RA, EE, or Logs)
can use a unique administrator's email address. This email address is used only for emails sent from the
OpenTrust PKI server application through Apache and not for cron event emails that are sent to the email
address that was configured when running the installer. The administrator's email for the Publishing module
is also used for the Publish Administrator option in the "To:" drop-down menu for some of the email templates
described in Configure Email Templates.

• Number of Publication Attempts - Enter the number of retries the OpenTrust PKI should make to publish
CRLs and certificates when there is a publication failure.

• Initial Delay - Enter the number of seconds after which the OpenTrust PKI should start re-trying to publish
CRLs and certificates when there is a publication failure.

• Delay Law Used - Select a sequence to determine the delay times between the publication retries that occur
after the initial re-attempt.

4. To view the schedule for the publication retries based on the configurations for Number of Publication Attempts,
Initial Delay, and Delay Law Used, click Preview.

5. Click Save.

56 OpenTrust PKI 4.12 Server Configuration Guide

Configure Auto-Enrollment Proxy Module Settings Chapter 3. Review Module Settings

3.2.3. Configure Auto-Enrollment Proxy Module Settings

Administrators may choose to integrate the OpenTrust PKI with an add-on product called AEP, which enables the
OpenTrust PKI to automatically generate certificates for a network of Microsoft servers or computers. If the AEP
application has been integrated with the OpenTrust PKI, administrators can configure the auto-enrollment proxy module
settings on the RA component of the OpenTrust PKI.

To configure the settings for the RA component's auto-enrollment proxy module:

2. Navigate to the Settings | Module Settings | Auto Enrollment Proxy page.

3. On the Auto-enrollment Proxy page, choose to Add a New Forest Mapping or to Modify or Remove an existing
forest mapping.

4. If the choice is to create a new forest mapping, enter a name for the Active Directory forest for which certificate
templates will be mapped to OpenTrust PKI certificate management profiles.

5. If creating a new forest mapping or modifying an existing forest mapping, to map the Microsoft Certificate
Templates to the OpenTrust PKI Certificate Management Profiles in the "Microsoft Certificate Templates -
OpenTrust PKI Certificate Management Profiles Associations" row:

a. In the drop-down menus, select a Microsoft Certificate Template Name and a corresponding OpenTrust
PKI Certificate Management Profile Name.

b. To enable Common Name mapping between the Active Directory and the CN configured for the Subject DN
of the selected certificate management profile, in the "Active Directory attribute mapping" sub-row, select
Enable and enter the Active Directory attribute that should be used for the Common Name.

Use the plus and minus symbols to add additional mappings or remove configured mappings. The OpenTrust
PKI Certificate Management Profile Name drop-down menu will be populated with certificate management
profiles that have been configured for the OpenTrust PKI, as described in “Configure Certificate Management
Profiles” on page 21, and can be used with the AEP; for example, certificate management profiles that are used
to generate and enroll decentralized certificates will be available in the OpenTrust PKI Certificate Management
Profile Name drop-down menu but certificate management profiles that are used to generate and enroll
centralized certificates will not be available for selection because decentralized certificates are more appropriate
for servers in an Active Directory forest. The Microsoft Certificate Template Name drop-down menu will be
populated with all of the Microsoft Certificate Templates available in the Active Directory forest.

6. Click Save.

7. View the "The forest has been successfully saved." success message.

3.3. Configure EE Component's Module Settings

Administrators can configure the EE module settings on the user interface of the host server for the OpenTrust PKI EE
component.

To configure the EE component's module settings:

1. Log in to the user interface for an OpenTrust PKI EE component as an administrator with the Configuration right.
If the initial administration certificate has not yet been deleted, an administrator using the initial administration
certificate can also perform this task.

2. Navigate to the Settings | Module Settings | Enrollment Entity page.

3. On the Enrollment Entity page, configure the settings for the Enrollment Entity component or confirm that the
default configurations are appropriate for the production environment:

OpenTrust PKI 4.12 Server Configuration Guide 57

Chapter 3. Review Module Settings Configure Auto-Enrollment Proxy Module Settings

such as notifications sent to certificate holders whose enrollment requests have been pre-approved. Each
OpenTrust PKI component (CA, RA, EE, or Logs) can use a unique administrator's email address. This email
address is used only for emails sent from the OpenTrust PKI server application through Apache and not for
cron event emails that are sent to the email address that was configured when running the installer. The
administrator's email for the EE component is also used for the EE Administrator option in the "To:" drop-down
menu for some of the email templates described in Configure Email Templates.

• Search Entries Limit - Enter the maximum number of search results that can be returned when an
administrator searches for a certificate on the EE component by navigating to Enrollment Entity | Enrollment |
Search for a Certificate. If the number of certificates meeting the search criteria is greater than the number of
search results allowed by this setting, there will not be a warning for the administrator. If a specific certificate is
not listed in the search results, the administrator can use more search criteria to narrow the search results.

• Enrollment Procedure - This option will not be configurable unless a custom enrollment procedure has
been designed for the OpenTrust PKI. For more information about custom enrollment procedures, contact an
assigned IDnomic technical representative.

• Browser Profile - Select the browser usage policy to use for processes performed on the EE component
that require a browser usage policy but that are not governed by a certificate management profile configured
to use a specific browser usage policy, such as importing a CA certificate. The browser choices include the
default browser usage policy available for customization and use in certificate management profiles, the
non-customizable built-in browser usage policy, and any additional browser usage policies that have been
configured on the RA component, as described in “Configure Browser Usage ” on page 26. The selected
browser usage policy will be the browser usage policy used when "EE Browser Usage Policy" is selected as
the browser usage policy in a certificate management profile.

4. Click Save.

58 OpenTrust PKI 4.12 Server Configuration Guide

4 Renew Internal Certificates

When the OpenTrust PKI server application is initialized, as described in the "Initialize the Server Application" section
of the OpenTrust PKI 4.12 Server Installation and Upgrade Guide, the certificates required for the OpenTrust PKI's
internal modules are signed. Internal certificates are known as internal certificates because the certificates are for the
internal modules of the OpenTrust PKI. Internal certificates, except the escrow certificate, must be renewed before they
expire. If any of the OpenTrust PKI's internal module certificates, except theescrow certificate, are missing or expired, the
OpenTrust PKI will not function correctly.

The certificates for the internal modules (except the escrow module) of all host servers should be renewed at the same
time by the same self-signed and trusted internal OpenTrust PKI CA. In multi-host environments, the CA signing the
internal module certificates must be trusted on all host servers. The internal module certificates for each host server can
be renewed in any order. Administrators will receive an email notification before internal module certificates are set to
expire; the email notification will be sent every day until the internal modules certificates due to expire are renewed or
expire. The sending start date for the notification email can be configured, as described in “Configure Email Notifications
for Internal Modules Certificates Expiration” on page 64.

To renew internal certificates:

1. Log in to the OpenTrust PKI as an administrator with the Server Management right. If the initial administration
certificate has not yet been deleted, an administrator using the initial administration certificate can also perform
this task.

2. Navigate to the Server Management | Trust & Internal Certificates | Internal Certificates Renewal page.

3. On the Internal Module Certificate Renewal page, click link.

4. On the Internal Certificates Renewal tab, select a key size for each module that requires a signed certificate to
be renewed and click Create Keys and Certificate Requests for Internal Modules.

5. At the "Choose one of the following methods to sign the internal modules certificates request." prompt, select the
type of CA to use to sign the certificates for the internal modules and follow the corresponding instructions:

• Local CA - To sign the CSRs for the internal module certificates being renewed with a local CA, select Local
CA, Click Sign, select a CA from the list of CAs, click Next, and view the "Certificates have been successfully
imported." success message. This option will only be available when creating or renewing certificates on a
server hosting the OpenTrust PKI CA. Continue to Step 28 on page 61.

• External OpenTrust CA - In a multi-host installation of the OpenTrust PKI, to sign the CSRs for the internal
module certificates being renewed with an IDnomic CA that is not hosted on the server where the initialization
steps are currently being performed, select External IDnomic CA and continue to Step 6 on page 59.

• External Third-party CA - To sign the CSRs for the internal modules of the server being initialized with a non-
IDnomic CA, select External Third-party CA and continue to Step 21 on page 60.

6. Click Export.

7. On the Download File page, download the certificate signing request using one of the following methods:

• Right-click the Download Link and select Copy Link Location.

• Click the Download Link and Save the .tgz file.

8. If the internal module certificates for a host server other than the server hosting the CA are being renewed, leave
the user interface of the OpenTrust PKI host server on which the internal module certificates are being renewed
and log in to the user interface of an OpenTrust PKI CA as an administrator with CSR signing rights. If the initial
administration certificate has not yet been deleted, an administrator using the initial administration certificate can
also perform this task.

9. To import the certificate signing requests to the OpenTrust PKI's CA and obtain the required signatures, on the
OpenTrust PKI's CA, navigate to the Server Management | Trust & Internal Certificates | Remote IDnomic CSR
Signature page.

10. On the Remote IDnomic CSRs Signature page, select a method for importing the CSRs and enter the required
information:

OpenTrust PKI 4.12 Server Configuration Guide 59

Chapter 4. Renew Internal Certificates

• Local Path - If the .tgz file containing the CSRs has been copied to a directory on the machine where the
browser being used to access the OpenTrust PKI's CA and obtain the signatures is installed, enter or browse
to and select the directory path and file name for the .tgz file containing the CSRs.

• URL - If an OpenTrust PKI was used to create the CSRs and the Copy Link Location download method was
used to export the CSRs from the OpenTrust PKI component being initialized, right-click to paste the URL
location of the .tgz file containing the CSRs.

11. Click Upload File.

12. On the File Hash Details page, from the list of CAs that have been created on the CA component being used to
sign the CSRs, select a trusted CA to use to sign the certificates being renewed for the OpenTrust PKI internal
modules. In multi-host environments, the same internal trusted CA should be selected each time the process is
repeated for the internal module certificates for each host server.

13. Click Remote IDnomic CSRs Signature.

14. On the Download File page, download the signed certificates using one of the following methods:

• Right-click the Download Link and select Copy Link Location.

• Click the Download Link and Save the .tgz file.

15. Return to the user interface of the OpenTrust PKI host server on which the internal module certificates are being
renewed and navigate to the Server Management | Trust & Internal Certificates | Internal Certificates Renewal
page's Internal Certificates Renewal tab.

16. At the "Choose one of the following methods to sign the internal modules certificates request." prompt, select
External IDnomic CA and click Import.

17. On the Internal Modules Certificate page, select a method for importing the signed certificates and enter the
required information:

• Local Path - If the .tgz file containing the signed certificates has been copied to a directory on the machine
where the browser being used to complete the initialization for the OpenTrust PKI component is installed, enter
or browse to and select the directory path and file name for the .tgz file containing the signed certificates.

• URL - If an OpenTrust PKI CA was used to sign the CSRs and the Copy Link Location download method was
used to export the signed certificates from the OpenTrust PKI CA, right-click to paste the URL location of the
.tgz file containing the signed certificates.

18. Click Upload File.

19. On the File Hash Details page, click Import the Certificates.

20. Continue to Step 28 on page 61.

21. Select a method to use to export the CSRs and follow the corresponding instructions:

• To export all of the CSRs, for all of the modules that need signed certificates, in a .tgz file, click Export.

• To export the CSRs for each module individually, In the Request column for the first module that has green
check mark to indicate a CSR needs to be signed, where a mouse over the icon displays an, "Export the
certificate request..." message, click the icon. On the Download File page, click the Download Link and Save
the .p10 file. Return to the Server Management | Trust & Internal Certificates | Internal Certificates Renewal
page. Select External Third-party CA and repeat this process until a .p10 file has been downloaded for each
module that needs a signed certificate to be renewed.

22. Leave the OpenTrust PKI component's user interface to import the certificate signing requests to the non-
IDnomic PKI's CA and obtain the required signatures.

23. Once the signature requests have been signed and a signed certificate file is available for each module, return to
the user interface of the OpenTrust PKI host server on which the internal module certificates are being renewed
and navigate to the Server Management | Trust & Internal Certificates | Internal Certificates Renewal page's
Internal Certificates Renewal tab and select External Third-party CA.

24. In the Certificate column for the first module that has red warning triangle to indicate a signed CSR needs to be
imported, where a mouse over the icon displays an, "Import the certificate signed by..." message, click the icon.

25. On the Internal Modules Certificates page, select a method for importing the signed certificate for the module
requested and enter the required information:

60 OpenTrust PKI 4.12 Server Configuration Guide

Chapter 4. Renew Internal Certificates

• Local Path - If the certificate file containing the signed certificates has been copied to a directory on the
machine where the browser being used to complete the initialization for the OpenTrust PKI component is
installed, enter or browse to and select the directory path and file name for the certificate file containing the
signed certificate.

26. Click Upload File.

27. Return to the Server Management | Trust & Internal Certificates | Internal Certificates Renewal page's Internal
Certificates Renewal tab and select External Third-party CA. Repeat Step 24 to Step 26 until a certificate file
has been uploaded for each module that needs a signed certificate.

28. In multi-host environments, repeat this procedure on each host server.

OpenTrust PKI 4.12 Server Configuration Guide 61

This page intentionally left blank.

62 OpenTrust PKI 4.12 Server Configuration Guide

5 Use the Server Administration UI Tools

This section describes how to use the server administration tools provided in the OpenTrust PKI user interface. The
server administration tools allow administrators to:

• “Restart the Application” on page 63

• “Restart Services” on page 63

• “Configure Email Notifications for Internal Modules Certificates Expiration” on page 64

• “Customize the Settings for Output to Syslog” on page 64

• “Hide or Display Stack Trace Errors” on page 66

• “Set Date and Time Format” on page 66

• “Enable Reverse Proxy Compatibility” on page 66

• “Configure Consolidation Intervals” on page 67

• “Use the IDnomic Support Tool” on page 68

• “Synchronize RA Configuration” on page 68

• “Configure and Use SNMP Monitoring” on page 68

More information on some of these topics can be found in the OpenTrust PKI System Maintenance Guide.

5.1. Restart the Application

The OpenTrust PKI server application can be restarted manually or by using the automated restart option provided in the
user interface. Restarting the application will restart the etc, httpd, and pki-db services of the OpenTrust PKI server
application on the host server on which the restart is performed. These services are described in more detail in “Restart
Services” on page 63.

To restart the OpenTrust PKI server application via the user interface:

1. Log in to the OpenTrust PKI application as an administrator with the System Management right. If the initial
administration certificate has not yet been deleted, an administrator using the initial administration certificate can
also perform this task.

2. Navigate to the Server Management | System Management | Restart page.

3. On the Restart page, in the Application row, select OpenTrust PKI.

4. Click Restart.

5. When the "Restarting OpenTrust PKI" pop-up closes, view the "OpenTrust PKI has been successfully restarted."
success message.

5.2. Restart Services

The OpenTrust PKI application services can be restarted manually or by using the automated restart options provided in
the user interface. In environments in which OpenTrust PKI components are hosted on multiple servers, the services are
restarted only for the OpenTrust PKI components hosted on the server where the restart is performed.

To restart the OpenTrust PKI services using the options provided in the user interface:

OpenTrust PKI 4.12 Server Configuration Guide 63

Chapter 5. Use the Server Administration UI Tools Configure Email Notifications for Internal Modules Certificates Expiration

2. Navigate to the Server Management | System Management | Restart page.

3. On the Restart Services page, in the Service row, select an individual service to restart:

• etc - to register cron tasks on the host operating system's cron service

• httpd - to restart the Web server hosting the OpenTrust PKI server application (and all Web contexts)

• db - to restart the OpenTrust PKI server application's database (when using an embedded PostgreSQL server
database)

• transd - to restart the module that manages communication between the OpenTrust PKI modules; this service
cannot be restarted from the server hosting the OpenTrust PKI EE component when the EE component is not
hosted on a server hosting other OpenTrust PKI components

• ocsp - to restart the Online Certificate Status Protocol module; this service can only be restarted from the
server hosting the OpenTrust PKI RA component

• snmpd - to restart the service that manages the snmp-subagent service (if SNMP monitoring is enabled)

• snmp-subagent - to restart the service responsible for SNMP monitoring (if SNMP monitoring is enabled)

4. Click Restart.

5. When the "Restarting Service" pop-up closes, view the "servicename has been successfully restarted."
success message where "servicename is the name of the service that was restarted.

5.3. Configure Email Notifications for Internal Modules

Certificates Expiration
Administrators can configure OpenTrust PKI to send email notifications when internal modules certificates are about to
expire.

To configure email notifications for internal modules certificates expiration:

1. Log in to the user interface for the OpenTrust PKI server application as an administrator with the Server
Management right. If the initial administration certificate has not yet been deleted, an administrator using the
initial administration certificate can also perform this task.

2. Navigate to the Server Management | Trust & Internal Certificates | Internal Certificates Expiration page.

3. On the Internal Certificates Expiration page, configure the notifications options:

• Recipient Email Address - Enter the email address of the administrator that will receive the notifications.

• Internal Certificates Expiration Reminder (Days) - Enter the number of days in advance of the expiration
date that an email should be sent to the administrator at the email address configured in the Recipient Email
Address field, warning the administrator about the pending expiration date and the need to renew the internal
modules certificates, as described in “Renew Internal Certificates” on page 59. The email notification will be
sent every day until the internal modules certificates due to expire are renewed or expire.

5.4. Customize the Settings for Output to Syslog

The output to syslog settings control how and which audit log messages the OpenTrust PKI sends to syslog. There are
three configurations that can be made for the syslog settings:

• “Select the Events to Send to Syslog” on page 65

• “Choose a Facility” on page 65

• “Restrict Syslog Reporting” on page 65

64 OpenTrust PKI 4.12 Server Configuration Guide

Select the Events to Send to Syslog Chapter 5. Use the Server Administration UI Tools

5.4.1. Select the Events to Send to Syslog

Syslog reporting can include different types of events. If no event type is selected, syslog is not activated.

To select the type of events to send to syslog:

1. Log in to the OpenTrust PKI as an administrator with the System Management right. If the initial administration
certificate has not yet been deleted, an administrator using the initial administration certificate can also perform
this task.

2. Navigate to the Server Management | System Configuration | Syslog Output page.

3. On the Syslog Output page, select one or more types of events to send to syslog:

• alert - includes alert events

• error - includes all failed audit events

• info - includes all successful audit events

4. Click Save.

5. View the "The settings have been saved." success message.

5.4.2. Choose a Facility

A syslog facility is the syslog channel that will be used to send the log messages that are output to syslog. If a syslog
facility is not selected from the drop-down menu, the authpriv facility is the default syslog facility used to store the
syslog messages.

To direct syslog events to a particular directory on the machine hosting the OpenTrust PKI server
application:

1. Log in to the OpenTrust PKI server application as an administrator with the System Management right. If
the initial administration certificate has not yet been deleted, an administrator using the initial administration
certificate can also perform this task.

2. Navigate to the Server Management | System Configuration | Syslog Output page.

3. On the Syslog Output page, choose a Facility from the drop-down menu. To determine which directory on
the machine hosting the OpenTrust PKI server application corresponds to each facility, review the syslog
configuration file. By default, the syslog configuration file is the etc/syslog.conf file on RHEL and the /etc/
syslog-ng/syslog-ng.conf file on SLES.

4. Click Save.

5. View the "The settings have been saved." success message.

5.4.3. Restrict Syslog Reporting

By default, syslog reporting includes reporting for all of the events listed on the Server Management | System | Syslog
Output page once a verbosity level has been set, as described in “Select the Events to Send to Syslog” on page 65.
An administrator can restrict the syslog reporting to particular events by selecting them on the Server Management |
System | Syslog Output page.

To restrict syslog reporting to particular events:

2. Navigate to the Server Management | System Configuration | Syslog Output page.

3. On the Syslog Output page, in the area under the "Choose the events to send to syslog. If none are selected, all
of the events will be sent to syslog." message, select the events to be reported to syslog.

4. Click Save.

5. View the "The settings have been saved." success message.

OpenTrust PKI 4.12 Server Configuration Guide 65

Chapter 5. Use the Server Administration UI Tools Hide or Display Stack Trace Errors

5.5. Hide or Display Stack Trace Errors

When stack trace errors are hidden and certificate holders perform an action that would normally result in a stack trace
error, certificate holders will view a message indicating, "OpenTrust PKI encountered an internal error. Please contact the
administrator to describe the circumstances of the error." When stack trace errors are displayed, certificate holders will
view the "OpenTrust PKI encountered an internal error. Please contact the administrator to describe the circumstances
of the error." message appended with an Error Details link that can be expanded to display the granular details of a stack
trace error. When this setting is changed, only the OpenTrust PKI components hosted on the server where the setting is
configured are impacted by the configuration. For example, if a configuration change to hide the stack trace error is made
on a server hosting the RA, EE, and Logs components but not on the server hosting the CA component, stack trace error
details will still be visible to certificate holders who access the CA component.

To hide or display stack trace errors:

2. Navigate to the Server Management | System Configuration | Interface Settings page.

3. On the Interface Settings page, select or deselect Hide Stack Trace.

4. Click Save.

5. View the "The settings have been successfully modified." success message.

5.6. Set Date and Time Format

Administrators can select a standard date and time format to be used in the UI, except in the log details.

To set the date and time format that will be displayed in the UI:

2. Navigate to the Server Management | System Configuration | Interface Settings page.

3. On the Interface Settings page, choose a date and time format:

• UTC - will display the Coordinated Universal Time date and time

• Server Time Zone - will the display the date and time of the time zone in which the server is hosted

4. Click Save.

5. View the "The settings have been successfully modified." success message.

5.7. Enable Reverse Proxy Compatibility

When reverse proxy compatibility is enabled, users can be authenticated by the OpenTrust PKI server application
through a reverse proxy. If an SSL authentication to the OpenTrust PKI server application is successful, the reverse
proxy compatibility settings will be ignored. If an SSL authentication to the OpenTrust PKI server application is not
successful, an SSL client and server authentication connection to the reverse proxy is established by the OpenTrust
PKI client application. The reverse proxy Web server then connects to the OpenTrust PKI server application via an SSL
server authentication and uses the authentication certificate for the OpenTrust PKI client application, stored as a cookie
or in the HTTP headers set by the reverse proxy Web server, to identify the user to the OpenTrust PKI server application
and act as the intermediary who relays the client-server communications.

To allow the OpenTrust PKI server application to be trusted by the reverse proxy Web server, the certificate chain for the
OpenTrust PKI server application can be imported to the reverse proxy Web server.

66 OpenTrust PKI 4.12 Server Configuration Guide

Configure Consolidation Intervals Chapter 5. Use the Server Administration UI Tools

To see a configuration example for an Apache Web server using a reverse proxy to communicate with OpenTrust PKI,
see “Configure Apache as a Reverse Proxy Server With OpenTrust PKI” on page 85.

To enable reverse proxy compatibility:

2. Navigate to the Server Management | System Configuration | Reverse Proxy Compatibility page.

3. On the Reverse Proxy Compatibility page, select Enable Reverse Proxy Compatibility.

4. In the Type drop-down menu, select the type of reverse proxy to use:

• Apache - The client certificate format should be Apache mod_ssl.

• Bee-Ware 4000 - The client certificate should be Base64 encoded, without spaces or characters that indicate
new lines.

5. Select an authentication mode:

• Cookie - The reverse proxy Web server will store the certificate for the OpenTrust PKI client application in a
cookie.

• HTTP Header - The reverse proxy Web server will store the certificate for the OpenTrust PKI client application
in HTTP headers set by the reverse proxy Web server.

6. Enter the name of the cookie or HTTP header in which the certificate for the OpenTrust PKI client application
will be stored.

7. To configure a password to use to authenticate the reverse proxy Web server to the OpenTrust PKI server
application, select the Use Shared Secret checkbox and configure the password:

a. Enter the name of the cookie or HTTP header in which the shared secret will be stored.

b. Enter a text string to use as the shared secret.

8. Click Save.

9. When the "Restarting httpd service" pop-up closes, view the "The following services have been successfully
restarted: httpd" success message.

5.8. Configure Consolidation Intervals

Administrators can configure the consolidation intervals for the OpenTrust PKI server application audit logs and the
internal certificates.

To configure the log consolidation interval for audit logs or the event consolidation intervals for reporting:

1. Log in to the user interface for the OpenTrust PKI server application as an administrator with the System
Management right. If the initial administration certificate has not yet been deleted, an administrator using the
initial administration certificate can also perform this task.

2. Navigate to the Server Management | System Configuration | Scheduled Jobs page.

3. On the Scheduled Jobs page, configure the available consolidation interval options:

• Audit Logs Consolidation Interval (in minutes) - Enter the number of minutes after which the logs recorded
in the log queue should be consolidated and moved to the audit logs database tables so that they can be
viewed in the Audit Logs user interface. If the OpenTrust PKI log component is not hosted on the same host
server where the configuration is being made, the logs are consolidated and sent to the OpenTrust PKI log
component with the entered frequency.

• Internal Certificates Status Check - Select the frequency with which to check the validity status of internal
certificates. This option is only available in the UI for the server hosting the CA component.

4. Click Save.

OpenTrust PKI 4.12 Server Configuration Guide 67

Chapter 5. Use the Server Administration UI Tools Use the IDnomic Support Tool

5. When the "Please restart etc service to take the modifications into account." prompt is displayed, restart the etc
service using the instructions in “Restart Services” on page 63.

5.9. Use the IDnomic Support Tool

Administrators can use the IDnomic Support Tool to generate a diagnostic file for the OpenTrust PKI server application
when an assigned IDnomic technical representative requests generation of the diagnostic file.

To generate the results of the IDnomic Support Tool:

1. If the user interface being accessed to generate the diagnostic file using the IDnomic Support Tool is associated
with an OpenTrust PKI component hosted on a SLES operating system, while logged in to the host server with
permissions to open and edit the /etc/sudoers file, open the /etc/sudoers file and, if the file does not
already contain the following lines, add the following lines to the file:

Defaults:pki !requiretty
pki ALL = NOPASSWD: /opt/opentrust/ost/sbin/opentrust-support-tool

2. Log in to the user interface for the OpenTrust PKI server application as an administrator with the System
Management right. If the initial administration certificate has not yet been deleted, an administrator using the
initial administration certificate can also perform this task.

3. Navigate to the Server Management | System Management | IDnomic Support Tool page.

4. On the IDnomic Support Tool page, to generate the diagnostic file provided by the IDnomic Support Tool, click
Generate Diagnostic File.

5. When prompted, choose to open or save the diagnostic file.

6. Send the diagnostic file to an assigned IDnomic technical representative for evaluation.

5.10. Synchronize RA Configuration

In environments where the OpenTrust PKI RA component is not hosted on the same server as the OpenTrust PKI EE
component, you can synchronize the EE component with the RA component to make certificate management profiles,
zones, and browser profiles configured on the RA component immediately available on the EE component instead of
waiting for the periodic automatic synchronization.

2. Navigate to the Server Management | System Management | Configuration Update page.

3. Click Synchronize RA Configuration.

5.11. Configure and Use SNMP Monitoring

SNMP monitoring allows administrators to monitor host system data, disk usage, module and service states, directory
connections, internal certificate validity, CA details, or a remote machine hosting another IDnomic product, such as the
IDnomic Credential Management System. Administrators can configure and use SNMP monitoring as described in:

• “Configure SNMP Monitoring” on page 69 - to configure the SNMP monitoring settings

• “Configure the SNMP Dashboard” on page 70 - to configure the built-in SNMP dashboard

• “Use the SNMP Dashboard” on page 71 - to use the built-in SNMP dashboard

Administrators can enable SNMP monitoring to use the IDnomic snmpd service or to use a host operating system
SNMP daemon. If administrators choose to use the IDnomic snmpd service, the host machines to be monitored are
automatically detected and can be selected for monitoring in the SNMP dashboard settings, as described in “Configure

68 OpenTrust PKI 4.12 Server Configuration Guide

Configure SNMP Monitoring Chapter 5. Use the Server Administration UI Tools

the SNMP Dashboard” on page 70. If administrators choose to use a host operating system SNMP daemon and
intend to use the IDnomic SNMP dashboard, after enabling SNMP monitoring, administrators must configure connections
to the host servers that will be monitored, as described in “Configure the SNMP Dashboard” on page 70. If upgrading
from a version earlier than 4.8, an internal certificate must have been created for the snmp-monitoring module, as
described in the "Upgrade Server Application, Add New Components or Features, or Change System Settings on RHEL/
CentOS or SLES" section of the Server Installation and Upgrade Guide.

5.11.1. Configure SNMP Monitoring

SNMP monitoring must be configured on each host server to be monitored by SNMP. The OpenTrust PKI snmp-
subagent service can be managed by the OpenTrust PKI server application snmpd service or by the host operating
system.

To configure SNMP monitoring:

1. Log in to the user interface for the OpenTrust PKI server application as an administrator with the System
Configuration right. If the initial administration certificate has not yet been deleted, an administrator using the
initial administration certificate can also perform this task.

2. Navigate to the Server Management | System Configuration | SNMP Settings page.

3. To enable SNMP monitoring on the host server, select the SNMP Monitoring checkbox.

4. To download the IDnomic MIB for use by an SNMP client, click Click Here to Download IDnomic MIB.

5. Choose the SNMP service to be used to manage the OpenTrust PKI snmp-subagent service:

• OpenTrust PKI-managed SNMP Service - The OpenTrust PKI snmp-subagent service will be
managed by the OpenTrust PKI server application's snmpd service, which can be restarted via the user
interface in the same way as the other OpenTrust PKI server application services described in “Restart
Services” on page 63. this selection allows the host server to be selected for inclusion the SNMP
dashboard without needing additional configuration.

• System SNMP Service - The OpenTrust PKI snmp-subagent service will be managed by the host operating
system's SNMP daemon, which cannot be restarted via the user interface in the same way as the other
OpenTrust PKI server application services described in “Restart Services” on page 63. This selection
requires additional configuration when the host server is selected for inclusion the SNMP dashboard, as
described in “Configure the SNMP Dashboard” on page 70.

6. If the OpenTrust PKI snmp-subagent service will be managed by the OpenTrust PKI snmpd service, continue
to Step 7 on page 69. If the OpenTrust PKI snmp-subagent service will be managed by the host operating
system's SNMP service, in the UNIX Socket (agentXSocket) field, enter the named pipe where the OpenTrust
PKI snmp-subagent service should listen for the master file, for example: agentxsocket /var/agentx/
master

7. If the OpenTrust PKI snmp-subagent service will be managed by the host operating system's SNMP daemon,
skip this step. To use the OpenTrust PKI server application's snmpd service to manage the OpenTrust PKI
snmp-subagent service, configure the following fields:

a. SNMP Port - Enter the port to be used by the snmpd service.

b. Name (sysName) - Enter an identifying name for the host server on which the snmpd service is being
configured.

c. Description (sysDescr) - Enter a description of the host server on which the snmpd service is being
configured.

d. Location (sysLocation) - Enter the location of the host server for the snmpd service.

e. Contact (sysContact) - Enter the email address of the administrator who should receive notifications
regarding the snmpd service on the host server.

f. Version - Select the version of the SNMP protocol to be used by the snmpd service and configure the
corresponding fields:

• V1 - Enter the community string to be used for authentication.

• V3 - Enter the username and password to be used for authentication.

OpenTrust PKI 4.12 Server Configuration Guide 69

Chapter 5. Use the Server Administration UI Tools Configure the SNMP Dashboard

8. To configure the disk space monitoring to be performed via SNMP by listing the mount points to be monitored
and the alert threshold for each mount point:

a. Click Add More.

b. Enter a mount point.

c. Select an alert threshold for the entered mount point.

d. To add more mount points, Repeat these sub-steps.

The entered mount points and thresholds will be added to the /opt/opentrust/pki/etc/
snmpd.confdaemon configuration file. This file cannot be edited and is regenerated each time the daemon is
started.

9. To configure the certificate and CRL monitoring to be performed via SNMP:

a. Select the certificate expiration alert threshold. The selected threshold will be applied to all of the
certificates monitored by SNMP. The certificates monitored by SNMP include the internal certificates of
the OpenTrust PKI server application, the certificates for all internal CAs of the OpenTrust PKI server
application, and the certificates of all registered external CAs.

b. Select the CRL expiration alert threshold. The selected threshold will be applied to all of the CRLs
monitored by SNMP. The CRLs monitored by SNMP include the CRLs of the internal and registered external
CAs for the OpenTrust PKI server application that have an associated CRL.

10. To allow authorized servers to connect to the SNMP monitoring module, in the Authorized DNs field,
click Add More to enter the DNs of the certificates for the servers to be granted access. The machine
to be monitored must be configured to trust the DN of the SNMP internal certificate of the server
performing the SNMP monitoring. The CN of the DN of the certificate performing the monitoring is
server_performing_the_SNMP_monitoring_product_abbreviation]-snmp. For example, if an
OpenTrust PKI machine is trying to monitor an IDnomic CMS machine, the DN to be trusted on the CMS will
contain CN=pki-snmp. The rest of the DN is BaseDN.

11. To save the configuration, add the OpenTrust PKI snmp-subagent service to the list of OpenTrust PKI server
application services available for restart as described in “Restart Services” on page 63, and make the
host server available to be configured in the built-in SNMP dashboard as described in “Configure the SNMP
Dashboard” on page 70, click Save.

12. On the "Do you want to activate/deactivate monitoring services with the new configuration?" pop-up, choose OK
to start the OpenTrust PKI snmp-subagent service and the snmpd service if it was selected to manage the
snmp-subagent service or Cancel to leave the OpenTrust PKI snmp-subagent service and the snmpd service
unstarted.

5.11.2. Configure the SNMP Dashboard

If the SNMP monitoring has been enabled, as described in “Configure SNMP Monitoring” on page 69, and
administrators intend to use the built-in dashboard instead of integrating with an external SNMP monitoring system, the
built-in dashboard can be configured as described in this section.

To configure the built-in SNMP dashboard:

1. Log in to the user interface for the OpenTrust PKI's RA server application as an administrator with the System
Configuration right. If the initial administration certificate has not yet been deleted, an administrator using the
initial administration certificate can also perform this task.

2. Navigate to the Server Management | System Configuration | Dashboard Settings page.

3. On the Dashboard Settings page, select the host servers to be monitored by the SNMP daemon. To be available
for selection, SNMP monitoring must be configured on the host server, as described in “Configure SNMP
Monitoring” on page 69.

4. If the IDnomic snmpd service is being used for SNMP monitoring, continue to Step 5 on page 71. If a host
operating system SNMP daemon is being used for SNMP monitoring, configure the SNMP options used to
access the host operating system SNMP daemon on each of the host servers that has been selected to be
monitored:

a. SNMP Port - Enter the port that should be used to access the host operating system SNMP daemon.

70 OpenTrust PKI 4.12 Server Configuration Guide

Use the SNMP Dashboard Chapter 5. Use the Server Administration UI Tools

b. Version - Select the version of the SNMP protocol being used by the host operating system SNMP daemon
and configure the corresponding fields:

• V1 - Enter the community string to be used for authentication.

• V3 - Enter the username and password to be used for authentication.

5. Click Save. The configuration can be saved if the OpenTrust PKI snmp-subagent service has been started for
the selected host servers.

6. View the success message.

5.11.3. Use the SNMP Dashboard

After the built-in SNMP monitoring dashboard has been configured, as described in “Configure the SNMP
Dashboard” on page 70, administrators can use the built-in dashboard to monitor the host systems. An overview
displays a summary view of any issues that have occurred on the host machines and a detailed monitoring view for each
host machine displays a comprehensive status report for the host system data, disk usage, module and service states,
directory connections, internal certificate validity, and CA details monitored by SNMP.

To use the built-in SNMP dashboard:

1. Log in to the user interface for the OpenTrust PKI's RA server application as an administrator with the System
Management right. If the initial administration certificate has not yet been deleted, an administrator using the
initial administration certificate can also perform this task.

2. Navigate to the Server Management | System Management | Dashboard page.

3. On the Dashboard page, to view the system overview summary or to see more detailed monitoring information
for a particular host machine, select the corresponding tab.

4. On the Dashboard page, to go to the configuration page for a monitored item, select the corresponding link.

5. To refresh the SNMP monitoring information, click Click Here to Refresh.

OpenTrust PKI 4.12 Server Configuration Guide 71

This page intentionally left blank.

72 OpenTrust PKI 4.12 Server Configuration Guide

6 Use the Audit Logs User Interface

Detailed information about the audit log events and the audit logs in general can be found in the OpenTrust PKI Audit
Logs Guide. This section describes how to use the Audit Logs section of the OpenTrust PKI server application user
interface. In the Audit Logs user interface, administrators can:

• “Search for Log Entries” on page 73

• “Search for Logs Using an Identifier” on page 74

• “Download the Audit Log Files” on page 74

• “Verify Log Signatures” on page 74

• “Save and Re-use Log Searches” on page 75

• “Email a Log Entry” on page 75

• “Set the Logs Consolidation Interval ” on page 75

6.1. Search for Log Entries

The OpenTrust PKI server application allows administrators to use detailed search criteria to locate and display log
entries.

To search for log entries:

1. Log in to the OpenTrust PKI server application as an administrator with the Audit Log right. If the initial
administration certificate has not yet been deleted, an administrator using the initial administration certificate can
also perform this task.

2. Navigate to the Audit Logs | Logs | Search page.

3. On the Logs Search page, accept the default search interval to view the recorded logs for the day or select an
interval in the drop-down menu.

4. Use the Add Criterion drop-down menu to add search criteria.

5. Click Search.

6. Use the optional features available in the search results:

• In the returned search results, to view more details for an audit log entry, click in the log entry row to expand
the log entry. To view further details, in the expanded log entry view, click View Log Details.

• To initiate a new search using a tracker associated with one or more log entries, mouse over the tracker icon
associated with the log entry and select a tracker. A tracker is a highlighted search criterion that facilitates
searches for log entries with common content, such as a PIN policy or the serial number associated with a
smart card.

• To navigate through the search results quickly, use the following keyboard shortcuts:

◦ Space - Navigate from an expanded log entry view to an expanded view of the next log entry

◦ Backspace - Navigate from an expanded log entry view to an expanded view of the previous log entry

◦ V - Navigate from an expanded log entry view to the Log Entry Details page for a log

◦ B - Navigate from the Log Entry Details page for a log back to the search results list with an expanded view
of the log entry

OpenTrust PKI 4.12 Server Configuration Guide 73

Chapter 6. Use the Audit Logs User Interface Search for Logs Using an Identifier

6.2. Search for Logs Using an Identifier

Administrators can search for logs using the identifiers displayed in error messages or the unique identifier associated
with a particular log entry.

To search for a logged event using an identifier:

2. Navigate to the Audit Logs | Logs | Search Using Unique Identifier page.

3. On the Search Using Unique Identifier page, use the identifier type drop-down menu to select the type of unique
identifier to use in the search criteria:

• Error Unique Identifier - To enter the unique identifier displayed in an error message.

• Log Identifier - To enter the unique identifier associated with a log entry, as displayed on the Log Entry Details
page in the General Information section.

4. In the text entry field, enter the identifier.

5. Click Search.

6.3. Download the Audit Log Files

Administrators can download the log files or individual log file entries.

To download the audit log files:

1. Follow the instructions in “Search for Log Entries” on page 73.

2. On the Logs Search page, select one of the download options and follow the associated instructions:

• To download selected log entries in a .csv file, click Other Actions | Download in CSV. In the Download
in CSV pop-up menu, select the log entry details to include in the .csv file and then click Download. The
configuration of the details selected for download to a .csv file can be saved for re-use. Saved .csv download
configurations will be displayed to and can be used by all administrators with the Audit Log right.

• To download all of the log entries in an .xml file, click Other Actions | Download in XML.

• To download an individual log entry in an .xml file, follow the instructions in “Search for Log
Entries” on page 73. Then, to display the Log Entry Details page for an individual log entry, click View Log
Details in the row associated with the log entry. On the Log Entry Details page, click Download XML Entry.

6.4. Verify Log Signatures

If the installation administrator chose to configure the XML Logs Signature option to Synchronous or Asynchronous,
as described in the "Initialize the Server Application" procedures in the OpenTrust PKI Server Installation and Upgrade
Guide, and if the Credential Management System server application log presentation resource is hosted on the machine
hosting the Credential Management System server application instead of being hosted on a machine hosting an
OpenTrust PKI, administrators with the Audit Log right have the option to verify log signatures.

To verify log signatures:

1. Follow the instructions in “Search for Log Entries” on page 73.

2. Then, to display the Log Entry Details page for an individual log entry, click View Log Details in the row
associated with the log entry.

74 OpenTrust PKI 4.12 Server Configuration Guide

Save and Re-use Log Searches Chapter 6. Use the Audit Logs User Interface

3. On the Log Entry Details page, view the signature status for the log entry:

• Signature OK - The signature for the log is valid.

• Wrong Signature - The signature for the log is invalid. This might be because the XML version of the log
has been modified or because the certificate used to sign the log entry does not match the expected signing
certificate.

6.5. Save and Re-use Log Searches

Administrators have the option to save log search configurations for later re-use or to configure log searches that include
frequently used search criteria. Saved searches will be displayed to and can be used by all administrators with the Audit
Log right.

To save log searches for later re-use:

1. Follow the instructions in “Search for Log Entries” on page 73.

2. Then, click Save Request.

3. On the Save Request pop-up, enter a Name and Description for the search configuration.

4. Click OK.

5. To verify that a request was saved or to view previously saved searches, click the Requests tab. On the Request
tab, saved searches can be run, copied, or deleted using the icons in the row for the saved search.

6.6. Email a Log Entry

Administrators have the option to email individual log entries.

To email a log entry:

1. Follow the instructions in “Search for Log Entries” on page 73.

2. In the returned search results, to expand the view for an audit log entry, click in the log entry row. In the
expanded log entry view, click View Log Details.

3. On the Log Entry Details page, click Send by Email.

4. On the "Send by Email" pop-up, enter the email address of the recipient and click OK. Separate multiple email
addresses with commas.

5. View the success message pop-up.

6.7. Set the Logs Consolidation Interval

By default, logs are consolidated every five minutes by a cron job named logs-manager send-logs before being
sent to the OpenTrust PKI Logs component. It is possible to adjust the interval between executions of the logs-
manager send-logs cron job. The process by which the logs are consolidated and sent to the Logs component is
described in more detail in the OpenTrust PKI Audit Logs Guide and in “Configure Consolidation Intervals” on page 67.

OpenTrust PKI 4.12 Server Configuration Guide 75

This page intentionally left blank.

76 OpenTrust PKI 4.12 Server Configuration Guide

7 Use the Automated Scripts

The OpenTrust PKI includes automated scripts that may be helpful to administrators. To view the list of automated
scripts, administrators can log in to the server hosting an OpenTrust PKI component and change to the /opt/
opentrust/pki/sbin directory. To change to the /opt/opentrust/pki/sbin directory and view the list of
available automated scripts, enter:
cd /opt/opentrust/pki/sbin
ls

To learn more about the automated scripts, administrators can use the --help option available for each automated
script. The --help option for each script provides information about what the script does and how to use the script.

For example, to find out more about the pki-diag script, an administrator can enter:
/opt/opentrust/pki/sbin/pki-diag --help

OpenTrust PKI 4.12 Server Configuration Guide 77

This page intentionally left blank.

78 OpenTrust PKI 4.12 Server Configuration Guide

8 Manage Rights

Administrators need to configure access rights to manage administrator access to the various parts of the OpenTrust PKI
server application user interface and manage the rights granted to certificate lifecycle administrators to perform certificate
lifecycle management process tasks.

To manage access rights to to the OpenTrust PKI, administrators can configure:

• “Configure Zones” on page 79

• “Configure Groups” on page 80

• “Configure Rights” on page 81

• “Display Assigned Rights ” on page 82

8.1. Configure Zones

Zones are used to associate lifecycle administrators with certificate management profiles and divide the lifecycle
administrator tasks by zone within certificate management profiles. Certificates are associated with zones through the
certificate management profiles used to issue the certificates.

Zones are created on the RA component. Zone configuration is limited to the RA component unless a certificate
management profile is configured with the Certificate Request Right Required option selected on the Enrollment tab.
When the Certificate Request Right Required option is selected on the Enrollment tab of a certificate management
profile, administrators with the Execute right for the certificate management profile on the EE can edit the rights for
the Request Certificate on the EE process in the zones with which the certificate management profile is associated
on the EE. To make zones and their associated certificate management profiles available to the EE administrator
who configures the rights for the OpenTrust PKI EE component, an EE administrator must log in to the EE user
interface, navigate to Settings | Modules Settings | Enrollment Entity and click Synchronize RA Configuration. The
certificate management profiles are then available in the EE user interface on the Rights on Zones and Profiles tab when
configuring rights for users or groups, as described in “Configure Rights” on page 81.

To configure an access rights zone:

1. Log in to the OpenTrust PKI RA server application as an administrator with the Zone Management right. If
the initial administration certificate has not yet been deleted, an administrator using the initial administration
certificate can also perform this task.

2. Navigate to the Access Control | Management | Zones page.

3. On the List of Zones page, choose to Create a New Zone or to Modify, Copy, or Remove an existing zone.

Note: A zone cannot be removed if an active certificate is associated with in the zone.

4. If the choice is to modify the zone configuration, continue to Step 5 on page 80. If the choice is to create a
new zone, on the Create a New Zone page:

a. Enter a Name and Description for the zone. The name and description will be visible in other parts of
the user interface, for example, when selecting which zone to use as the default zone for a certificate
management profile. To make it easier to select the correct zone in other parts of the user interface, provide
detailed information in the name and description fields.

b. Enter the Title values for the zone. The title will be used to display the zone in other parts of the user
interface. Providing detailed information in the title fields will make it easier to select the correct zone in
other parts of the user interface. The default title will be displayed in the user interface when language-
specific titles have not been configured or when the language used by a certificate requester or certificate
holder is not included in the list of configured language-specific titles. When language-specific titles have
been configured, the language-specific titles will be displayed for configured languages that correspond

OpenTrust PKI 4.12 Server Configuration Guide 79

Chapter 8. Manage Rights Configure Groups

to the language used by a certificate requester or certificate holder as set in the Web browser being used
to access the OpenTrust PKI. It is possible to configure titles for any language. To configure titles in an
additional language, use the Add More button, enter a two-letter abbreviation for the language in the drop-
down menu, and enter the language-specific title in the text field.

c. To select the certificate management profiles to associate with the zone, select the checkboxes next to
the certificate management profile names. All configured certificate management profiles will be available for
selection. To help with selecting and deselecting multiple certificate management profiles, toggle the Select
All Profiles/Deselect All Profiles button.

d. Click Save.

5. On the Edit Zone page, make any necessary changes to the zone description and the certificate management
profiles selected for association with the zone.

6. Click Save.

8.2. Configure Groups

Groups are used to logically group users or groups who share the same rights. This section does not explain how to add
a user or group to a group, but only how to create and nest groups. To add a user or group to a group, use the Access
Control | Management | Rights section of the UI, as described in “Configure Rights” on page 81.

A group can be configured only on the OpenTrust PKI component host server on which the group was created.

To configure an access rights group:

1. Log in to the OpenTrust PKI server application as an administrator with the Group management right. If the initial
administration certificate has not yet been deleted, an administrator using the initial administration certificate can
also perform this task.

2. Navigate to the Access Control | Management | Groups page.

3. On the List of Groups page, choose to Create a New Group or to Modify, Copy, or Remove an existing group.

4. If the choice is to modify the configuration for a group, continue to Step 5 on page 80. If the choice is to create
a new group, on the Create a New Group page:

a. Enter a Name and Description for the group. The name and description will be visible in other parts of the
user interface, for example, when selecting which groups should be associated with specific rights. To make
it easier to select the correct group in other parts of the user interface, provide detailed information in the
name and description fields.

b. Click Save.

5. On the Edit Group page, on the Managers tab, manage the list of users and groups with the right to add and
remove members of this group. To add users or groups, click Add New Group Managers.

a. On the Search for Managers pop-up, to search for a group or user DN to grant the right to add and remove
members of this group, enter a value in any of the available search fields. The wildcard character '*' will
return all results that exist for the search criterion.

b. Click Search.

c. To add a search result to the list of users and groups with the right to add and remove members of this
group, close the Search for Managers pop-up, and return to the Edit Group page, select the search result.

d. In the row for the user or group in the list of users and groups with the right to add and remove members of
this group:

• To grant the user or group the right to add and remove members of this group, select the checkbox in the
Execute column.

• To grant the user or group the ability to grant the right to add and remove members of this group to other
users and groups, in the Grant Ability column:

◦ Select Execute if the user or group can give others the right to add and remove members.

80 OpenTrust PKI 4.12 Server Configuration Guide

Configure Rights Chapter 8. Manage Rights

◦ Select Execute & Grant to Others if the user of group can give others the right to add and remove
members and give others the right to grant the right to others.

• Use the trash can icon to Remove the user or group from the list of users and groups with the right to add
and remove members of this group.

e. Click Save.

6. On the Members tab, view the users and groups who are member of this group. No configuration can be made
on the Members tab; it is view-only.

8.3. Configure Rights

Administrators can grant individual rights to users or groups.

To grant individual rights to a user or group:

1. Log in to the OpenTrust PKI server application as an administrator with a Grant Ability for at least one right.
If the initial administration certificate has not yet been deleted, an administrator using the initial administration
certificate can also perform this task.

2. Navigate to the Access Control | Management | Rights page.

3. On the Rights Management page, to search for a group or user to edit or display, enter a value in any of the
available search fields and click Search. The wildcard character '*' will return all results that exist for the search
criterion.

4. To configure the rights for a user or group returned in the search results, select the search result.

5. On the Edit Rights page, on the Group Membership tab, to make the user or group being edited a member of an
available group, select or deselect the group. The user or group being edited will be a member of all selected
groups.

6. On the Rights on Modules tab, in the row for a specific right:

• To grant the user or group access rights for OpenTrust PKI server application functionalities by module, select
the checkbox in the Execute column. A description of each right appears under the name of the right in the
user interface.

• To grant the user or group the ability to grant the right to others, in the Grant Ability column:

◦ Select Execute if the user or group can give others the right to execute the right.

◦ Select Execute & Grant to Others if the user of group can give others the right to execute the right and give
others the right to grant the right to others.

7. On the Zones & Profiles tab, to configure the user or group rights on certificate management profiles by zone, in
the Zone drop-down menu, select a Zone. The certificate management profiles that have been associated with
the zone, as described in “Configure Zones” on page 79, will be displayed.

8. For each certificate management profile displayed in the list, to expand the certificate management profile and
view the rights option for the certificate management profile, click the Certificate Management Profile: name.

9. For each certificate lifecycle management process displayed for a certificate management profile, in the row for a
specific right:

• To grant the user or group the rights for tasks associated with the certificate lifecycle management processes
configured for the certificate management profile, select the checkbox in the Execute column. A description of
each right appears under the name of the right in the user interface.

• To grant the user or group the ability to grant the right to others, in the Grant Ability column:

◦ Select Execute if the user or group can give others the right to execute the right.

◦ Select Execute & Grant to Others if the user of group can give others the right to execute the right and give
others the right to grant the right to others.

OpenTrust PKI 4.12 Server Configuration Guide 81

Chapter 8. Manage Rights Display Assigned Rights

• To apply the rights and grant ability options selected for one certificate management profile to all of the other
certificate management profiles in the zone, click the "Apply all these rights on all profiles of this zone" icon.

10. Click Save.

8.4. Display Assigned Rights

Administrators with the Rights audit right or Grant Ability rights for modules can use the Display Rights section of the user
interface as a dashboard to display the rights that have been assigned for the modules for each of the OpenTrust PKI
components: CA, RA, EE, and Logs. On the RA and EE components, administrators with Grant Ability rights for zones
and certificate management profiles and administrators with the Rights audit right will also be able to view the rights that
have been assigned for zones and certificate management profiles on the RA or EE component.

To view the rights that have been assigned for a module, zone, or certificate management profile on one of
the OpenTrust PKI components:

1. Log in to the user interface for the OpenTrust PKI component as an administrator with the Rights audit right or
with Grant Ability rights for a zone or certificate management profile. If the initial administration certificate has not
yet been deleted, an administrator using the initial administration certificate can also perform this task.

2. Navigate to the Access Control | Audit | Rights page.

3. On the Rights Display page, choose to display the assigned rights for a module, zone, or certificate management
profile and follow the corresponding instructions:

• Module: Leave the default of "All Modules" or select an available module.

• Zone: Leave the default of "Any Zone" or select an available zone. Then select a corresponding certificate
management profile for the zone.

• Certificate Management Profile: Select an available certificate management profile. Then select a
corresponding zone for the certificate management profile.

4. Click Display.

82 OpenTrust PKI 4.12 Server Configuration Guide

Appendix A. Supported Formats for Subject
DN Elements and Subject Alternative Names

A.1. Subject DN Elements

The following table describes, for each DN element, the format and maximum length supported by OpenTrust PKI. For
more detailed information about the validation types, see “Validation Types” on page 84.

DN Element name Identifier Short Identifier Maximum Validation Type

Length
Common Name commonName CN 64 utf8
Country (two-letter code) countryName C 2 country
Description description description 64 utf8
DN Qualifier dnQualifier dnQualifier 512 utf8
Domain Component domainComponent DC 63 dnsComponent
Email emailAddress emailAddress 128 email
Employee Number employeeNumber employeeNumber 64 utf8
First Name givenName G 512 utf8
Generation Qualifier generationQualifier generationQualifier 3 utf8
Initials initials initials 5 utf8
INN INN INN 12 utf8
Locality localityName L 128 utf8
Mail (rfc822Mailbox) rfc822Mailbox mail 64 utf8
Name name name 512 utf8
OGRN OGRN OGRN 13 utf8
Organization organizationName O 64 utf8
Organizational Unit organizationalUnitName OU 64 utf8
Postal Code postalCode postalCode 13 utf8
Pseudonym pseudonym pseudonym 128 utf8
Role role role 128 utf8
Serial Number serialNumber SN 64 DNname
SNILS SNILS SNILS 11 utf8
State stateOrProvinceName ST 128 utf8
Street Address streetAddress street 128 utf8
Surname surname S 512 utf8
Title title T 64 utf8
Unstructured Address unstructuredAddress unstructuredAddress 255 utf8
Unstructured Name unstructuredName unstructuredName 255 utf8
User Identifier userID uid 64 utf8
X500 Unique Identifier x500UniqueIdentifier x500UniqueIdentifier 64 utf8

A.2. Subject Alternative Names

The following table describes the Subject Alternative Names that are supported by OpenTrust PKI. For more detailed
information about the validation types, see “Validation Types” on page 84.

Subject Alternative Name Identifier Maximum Validation Type

Length
Alternative name (DNS) DNS dnsName

OpenTrust PKI 4.12 Server Configuration Guide 83

Appendix A. Supported Formats for Subject DN Elements and Validation Types
Subject Alternative Names

Subject Alternative Name Identifier Maximum Validation Type

Length
Alternative name (IP) IP 15 ipv4Address
Alternative name (URI) URI altname_uri
Email email 255 utf8
Microsoft GUID msGUID 47 msGUID
Microsoft User Principal Name msUPN utf8

A.3. Validation Types

1
• altname_uri - An absolute Uniform Ressource Identifier, with limitations described in RFC 3280 , paragraph 4.2.1.7:
The name must not be a relative URL, and it must follow the URL syntax and encoding rules specified in RFC
2
1738 . The name must include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. The scheme-
specific-part must include a fully qualified domain name or IP address as the host.

• country - String must be the two-letter ISO code of a country.

• DNname - String must be composed of "PrintableString" characters, that is ASCII letters and numbers
(ABCDEGHIJKLMNOPQRSTUVWXYZ, abcdeghijklmnopqrstuvwxyz, 0123456789), the characters '()+-.:?, and the
space character.

• dnsComponent - String must be composed of ASCII letters, numbers and the "-" character ("hyphen", ASCII code
0x2D).

• dnsName - DNS fully qualified domain name. To comply with RFC 3280, the "preferred name syntax" is used, as
3
described in RFC 1034 , paragraph 3.5.
4
• email - String must be a valid email address, as defined in RFC 5322 .

• ipv4Address - Text representation of an IP v4 address. For example: 192.168.123.234.

5
• msGUID - See also The description of the event ID 9646 message includes a GUID instead of a recipient name .
The GUID can be specified in two forms:

◦ a "natural" form: 00112233445566778899AABBCCDDEEFF, 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE

FF, 0x00112233445566778899AABBCCDDEEFF

◦ a "human" form: 33221100-5544-7766-8899-AABBCCDDEEFF

• utf8 - String must be composed of a valid UTF8 alphanumerical character, or a common symbol: °'"()|-_.:?!/&,=@[];
{}€$£~^¨µ§æ«þßðđħĸł»¢“”·<>`%*+#

1
http://www.ietf.org/rfc/rfc3280.txt
2
http://www.freesoft.org/CIE/RFC/Orig/rfc1738.txt
3
http://tools.ietf.org/html/rfc1034
4
https://tools.ietf.org/html/rfc5322
5
http://support.microsoft.com/?scid=kb%3Ben-us%3B899663

84 OpenTrust PKI 4.12 Server Configuration Guide

Appendix B. Configure Apache as a Reverse
Proxy Server With OpenTrust PKI
To configure an Apache reverse proxy with OpenTrust PKI, administrators must:

• “Configure Apache” on page 85

• “Set Up a Cron Job to Update Certificate Revocation Lists” on page 86

B.1. Configure Apache

The following code example explains how to configure an Apache Web server as a reverse proxy to communicate
with OpenTrust PKI. When using the reverse proxy feature with Apache, both the SSL_CLIENT_CERT and the
SSL_SHARED_SECRET headers must be set, as described in the example. Moreover, the RequestHeader configuration
directive must always use the value "set" to reset the authentication headers before sending them to the OpenTrust PKI
back-end server.

Important: Improper use of this functionality may have negative impact on the security of the application.

# make sure the following modules are loaded:

# * ssl
# * proxy
# * proxy_http
# * headers

# and that the server is configured to listen on 443

# Listen 443

# server name, associated certificate, see below

ServerName pki-reverseproxy.example.com

SSLEngine on
SSLVerifyDepth 10

# you may want to tweak the following options depending on requirements

# or the underlying openssl version
# SSLProtocol
# SSLCipherSuite
# on a server with the EE module installed and where it is allowed to connect
# without a certificate, set client verification to optional
SSLVerifyClient optional

# on a server with no EE or where unauthenticated access is forbidden,

# setting client verification to require will force the use of a certificate
#SSLVerifyClient require

# Server certificate
# - CN must match ServerName
# - subjectAltName with the URI of the server, e.g. https://<ServerName>
SSLCertificateFile /etc/httpd/mycert.crt
SSLCertificateKeyFile /etc/httpd/mycert.key

# CA information, should match trusted CAs from PKI

SSLCACertificateFile /etc/httpd/ca-bundle.pem
SSLCARevocationFile /etc/httpd/crl-bundle.pem

SSLProxyEngine on
SSLProxyVerify none

ProxyPass / https://my.actual.pki.example.com/
ProxyPassReverse / https://my.actual.pki.example.com/

# Headers configuration

OpenTrust PKI 4.12 Server Configuration Guide 85

Appendix B. Configure Apache as a Reverse Proxy Server Set Up a Cron Job to Update Certificate Revocation Lists
With OpenTrust PKI

RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"

RequestHeader set SSL_SHARED_SECRET "opentrust"

# Logging
CustomLog "logs/rp__access_log" common
ErrorLog "logs/rp__error_log"
LogLevel info
#LogLevel debug

</VirtualHost>

B.2. Set Up a Cron Job to Update Certificate Revocation

Lists
After configuring the reverse proxy, it is necessary to set up a cron job to regularly update the CRLs by fetching them
from the PKI. Otherwise, no revocation checking will be performed, as OpenTrust PKI relies on mod_ssl checks.

The following example script describes a cron job that fetches CRLs from the OpenTrust PKI, checks for errors, and
checks whether CRLs need to be updated.
#!/bin/bash
echo "!!!!!!!!!"
echo "EDIT this file to suit your needs"
echo "!!!!!!!!!"
exit 1

pkihost=my.actual.pki.example.com
crlbundle=/etc/httpd/crl-bundle.pem
httppidfile=/var/run/httpd/httpd.pid

tempcrlbundle=/tmp/crl-bundle.pem
logfile=/tmp/logfile-$$

wget http://${pkihost}/crl-bundle.pem -O ${tempcrlbundle} > ${logfile} 2>&1

ret=$?
if [ "$ret" -ne "0" ]; then
echo "failure while getting CRL: "
cat ${logfile}
unlink ${logfile}
exit 1
fi

if [ ! -s "$tempcrlbundle" ]; then
echo "crl file is empty"
unlink ${logfile}
exit 1
fi

unlink ${logfile}

if [ "${tempcrlbundle}" -nt "${crlbundle}" ]; then

echo crl is newer, updating
mv -fv ${tempcrlbundle} ${crlbundle}
else
echo crl is NOT newer, leaving
exit 0
fi

# not running
test -r ${httppidfile}|| exit 0
pid=$(cat ${httppidfile})
test -d /proc/$pid || exit 0

# kick httpd to force reload

kill -USR1 $pid

86 OpenTrust PKI 4.12 Server Configuration Guide

TRM Brochure
No ratings yet
TRM Brochure
28 pages
Blueprint Reading: Construction Drawings for the Building Trade
From Everand
Blueprint Reading: Construction Drawings for the Building Trade
Sam Kubba
No ratings yet
Syrma SGS Technology Limited - Annual Report 2022 23
No ratings yet
Syrma SGS Technology Limited - Annual Report 2022 23
324 pages
Cloud Computing Concepts Technology Architecture
0% (1)
Cloud Computing Concepts Technology Architecture
26 pages
Qwest Odoo Proposal Generic
No ratings yet
Qwest Odoo Proposal Generic
29 pages
AWS Managed Service by InterVision Service Guide
No ratings yet
AWS Managed Service by InterVision Service Guide
26 pages
PGE BMW IChargeForward Final Report
No ratings yet
PGE BMW IChargeForward Final Report
51 pages
Cricut for Beginners and Cricut Design Space: the Ultimate Guide to Master your Cricut Machine
From Everand
Cricut for Beginners and Cricut Design Space: the Ultimate Guide to Master your Cricut Machine
Kimberly Space
No ratings yet
Fritzing for Inventors: Take Your Electronics Project from Prototype to Product
From Everand
Fritzing for Inventors: Take Your Electronics Project from Prototype to Product
Simon Monk
No ratings yet
Waging War on Complexity Costs (PB)
From Everand
Waging War on Complexity Costs (PB)
Stephen A. Wilson
5/5 (1)
Fast Innovation: Achieving Superior Differentiation, Speed to Market, and Increased Profitability: Achieving Superior Differentiation, Speed to Market, and Increased Profitability
From Everand
Fast Innovation: Achieving Superior Differentiation, Speed to Market, and Increased Profitability: Achieving Superior Differentiation, Speed to Market, and Increased Profitability
Michael L. George
3/5 (3)
Programming FPGAs: Getting Started with Verilog
From Everand
Programming FPGAs: Getting Started with Verilog
Simon Monk
3.5/5 (2)
BMW Group 2007 PDF
No ratings yet
BMW Group 2007 PDF
247 pages
Points To Remember #
No ratings yet
Points To Remember #
69 pages
Economics Final Take-Home Exam Feb.'20
0% (1)
Economics Final Take-Home Exam Feb.'20
2 pages
66 1001 001-8 User Manual RFID Encoder and Updater
No ratings yet
66 1001 001-8 User Manual RFID Encoder and Updater
32 pages
Embedded Finance
No ratings yet
Embedded Finance
5 pages
Visionmobile Report
100% (1)
Visionmobile Report
60 pages
Microchip License Agreement - English
No ratings yet
Microchip License Agreement - English
12 pages
Property Management Training Manual
No ratings yet
Property Management Training Manual
59 pages
Discussion Forum Unit 6 2201
No ratings yet
Discussion Forum Unit 6 2201
2 pages
FE Mechanical Exam Prep Complete Study Guide for the Fundamentals of Engineering with Practice Questions and Proven Strategies to Conquer the Exam
From Everand
FE Mechanical Exam Prep Complete Study Guide for the Fundamentals of Engineering with Practice Questions and Proven Strategies to Conquer the Exam
Tony Boyd
No ratings yet
Arduino + Android Projects for the Evil Genius: Control Arduino with Your Smartphone or Tablet
From Everand
Arduino + Android Projects for the Evil Genius: Control Arduino with Your Smartphone or Tablet
Simon Monk
4.5/5 (2)
Programming Arduino Next Steps: Going Further with Sketches
From Everand
Programming Arduino Next Steps: Going Further with Sketches
Simon Monk
3/5 (3)
Programming Arduino Next Steps: Going Further with Sketches, Second Edition
From Everand
Programming Arduino Next Steps: Going Further with Sketches, Second Edition
Simon Monk
3/5 (3)
American Landlord Law: Everything U Need to Know About Landlord-Tenant Laws
From Everand
American Landlord Law: Everything U Need to Know About Landlord-Tenant Laws
Trevor Rhodes
No ratings yet
CHST Study Guide Construction Health and Safety Technician Exam – Proven Tips and Practice Questions to Pass with Confidence
From Everand
CHST Study Guide Construction Health and Safety Technician Exam – Proven Tips and Practice Questions to Pass with Confidence
Mike L Turner
No ratings yet
PMP PMBOK 7 2025-2026 A Simplified Guide to Passing the Project Management Professional Exam on Your First Try with Proven Strategies for Success
From Everand
PMP PMBOK 7 2025-2026 A Simplified Guide to Passing the Project Management Professional Exam on Your First Try with Proven Strategies for Success
Mike L Porter
5/5 (2)
Viral Ipod Video
From Everand
Viral Ipod Video
MUHAMMAD NUR WAHID ANUAR
No ratings yet
Programming the Intel Galileo: Getting Started with the Arduino -Compatible Development Board
From Everand
Programming the Intel Galileo: Getting Started with the Arduino -Compatible Development Board
Christopher Rush
5/5 (1)
Building High Performance Government Through Lean Six Sigma: A Leader's Guide to Creating Speed, Agility, and Efficiency
From Everand
Building High Performance Government Through Lean Six Sigma: A Leader's Guide to Creating Speed, Agility, and Efficiency
Mark Price
No ratings yet
Cybersecurity for Executives: A Guide to Protecting Your Business
From Everand
Cybersecurity for Executives: A Guide to Protecting Your Business
Matthew C. Smith
No ratings yet
Mobile Telecommunication Customer Loyalty in Nigeria: Determining factors
From Everand
Mobile Telecommunication Customer Loyalty in Nigeria: Determining factors
Olayiwola Bello
No ratings yet
Trading Mastery: Unleashing Financial Potential in the Modern Markets Innovative Strategies, Prudent Approaches, and Insider insights for Mastering the Art of Trading
From Everand
Trading Mastery: Unleashing Financial Potential in the Modern Markets Innovative Strategies, Prudent Approaches, and Insider insights for Mastering the Art of Trading
GEORGE L . BROWN
No ratings yet
10K Blueprint
From Everand
10K Blueprint
Cian O Farrell
5/5 (2)
Blockchain & Decentralized Finance #1 Guide To Invest In Blockchain Technology, Cryptocurrencies, Altcoins, Smart Contracts and NFTs
From Everand
Blockchain & Decentralized Finance #1 Guide To Invest In Blockchain Technology, Cryptocurrencies, Altcoins, Smart Contracts and NFTs
Andrew Walker
No ratings yet
Tarot & Oracle Card Reading For Dummies
From Everand
Tarot & Oracle Card Reading For Dummies
Charles Harrington
No ratings yet
Teardowns: Learn How Electronics Work by Taking Them Apart
From Everand
Teardowns: Learn How Electronics Work by Taking Them Apart
Bryan Bergeron
No ratings yet
Practical Handbook for the Marketing of Foreign Investment Funds in Germany: A legal overview
From Everand
Practical Handbook for the Marketing of Foreign Investment Funds in Germany: A legal overview
Kathrin Schmidt
No ratings yet
The Ultimate Small Business Marketing Toolkit: All the Tips, Forms, and Strategies You'll Ever Need!
From Everand
The Ultimate Small Business Marketing Toolkit: All the Tips, Forms, and Strategies You'll Ever Need!
Beth Goldstein
3/5 (1)
Computing Fundamentals: IC3 Edition
From Everand
Computing Fundamentals: IC3 Edition
Faithe Wempen
No ratings yet
Electronics from the Ground Up: Learn by Hacking, Designing, and Inventing
From Everand
Electronics from the Ground Up: Learn by Hacking, Designing, and Inventing
Ronald Quan
3.5/5 (2)
IBM Cognos 8 Business Intelligence: The Official Guide
From Everand
IBM Cognos 8 Business Intelligence: The Official Guide
Dan Volitich
No ratings yet
How to Profit in the Stock Market: Short-Term Trading and Investing Strategies for Beginners
From Everand
How to Profit in the Stock Market: Short-Term Trading and Investing Strategies for Beginners
Michael Sincere
5/5 (1)
Accounting for Infrastructure Regulation: An Introduction
From Everand
Accounting for Infrastructure Regulation: An Introduction
Eric Ian Groom
No ratings yet
Software Patterns Made Easy
From Everand
Software Patterns Made Easy
Justice Nanhou
No ratings yet
Troubleshooting Electronic Circuits: A Guide to Learning Analog Electronics
From Everand
Troubleshooting Electronic Circuits: A Guide to Learning Analog Electronics
Ronald Quan
No ratings yet
Alea, riesgo y teoría del contrato
From Everand
Alea, riesgo y teoría del contrato
Enrico Gabrielli
No ratings yet
The Strategy Gap: Leveraging Technology to Execute Winning Strategies
From Everand
The Strategy Gap: Leveraging Technology to Execute Winning Strategies
Dennis Ganster
No ratings yet
Big Data Investments: Effects of Internet Search Queries on German Stocks
From Everand
Big Data Investments: Effects of Internet Search Queries on German Stocks
Jan Becker
No ratings yet
Programming Arduino: Getting Started with Sketches, Third Edition
From Everand
Programming Arduino: Getting Started with Sketches, Third Edition
Simon Monk
No ratings yet
Programming Arduino: Getting Started with Sketches
From Everand
Programming Arduino: Getting Started with Sketches
Simon Monk
3.5/5 (5)
The Crafty Kids Guide to DIY Electronics: 20 Fun Projects for Makers, Crafters, and Everyone in Between
From Everand
The Crafty Kids Guide to DIY Electronics: 20 Fun Projects for Makers, Crafters, and Everyone in Between
Helen Leigh
No ratings yet
The TAB Book of Arduino Projects: 36 Things to Make with Shields and Proto Shields
From Everand
The TAB Book of Arduino Projects: 36 Things to Make with Shields and Proto Shields
Simon Monk
5/5 (7)
American Mortgage: Everything U Need to Know About Financing a Home: Everything U Need to Know About Purchasing and Refinancing a Home
From Everand
American Mortgage: Everything U Need to Know About Financing a Home: Everything U Need to Know About Purchasing and Refinancing a Home
Trevor Rhodes
No ratings yet
Financial Business Intelligence: Trends, Technology, Software Selection, and Implementation
From Everand
Financial Business Intelligence: Trends, Technology, Software Selection, and Implementation
Nils H. Rasmussen
No ratings yet
Six Sigma for IT Management
From Everand
Six Sigma for IT Management
Melvin Harteveld
No ratings yet
Purchasing Power Parities and the Real Size of World Economies: A Comprehensive Report of the 2011 International Comparison Program
From Everand
Purchasing Power Parities and the Real Size of World Economies: A Comprehensive Report of the 2011 International Comparison Program
The World Bank
No ratings yet
Purchasing Power Parities and the Real Size of World Economies
From Everand
Purchasing Power Parities and the Real Size of World Economies
The World Bank
No ratings yet
The IT Factory
From Everand
The IT Factory
H.J.C. van Aken
No ratings yet
Programming the Photon: Getting Started with the Internet of Things
From Everand
Programming the Photon: Getting Started with the Internet of Things
Christopher Rush
5/5 (1)
Policing and Safety Measures
From Everand
Policing and Safety Measures
Aditya Prajapat
No ratings yet
QuickBooks 2011 QuickSteps
From Everand
QuickBooks 2011 QuickSteps
Thomas A. Barich
3/5 (1)
Mergers, Acquisitions and Divestitures - How To Unite Your Active Directories
No ratings yet
Mergers, Acquisitions and Divestitures - How To Unite Your Active Directories
10 pages
20Q1 Next-Gen Virtualization FD VMware Special Edition
No ratings yet
20Q1 Next-Gen Virtualization FD VMware Special Edition
62 pages
Windows Clustering Technologies-An Overview: Published: November 2001
No ratings yet
Windows Clustering Technologies-An Overview: Published: November 2001
29 pages
Enabling Forms-Based Authentication For OWA 2010 Users in Exchange 2010 Published Using Forefront TMG 2010
No ratings yet
Enabling Forms-Based Authentication For OWA 2010 Users in Exchange 2010 Published Using Forefront TMG 2010
43 pages
Uncovering The New RPC Client Access Service in Exchange 2010
No ratings yet
Uncovering The New RPC Client Access Service in Exchange 2010
47 pages
Pramod Pansare Resume 001
No ratings yet
Pramod Pansare Resume 001
3 pages
PC Interfacing Fourth Level Lecture TWO: Parallel (Centronic) Port Interface
No ratings yet
PC Interfacing Fourth Level Lecture TWO: Parallel (Centronic) Port Interface
9 pages
Module BI1-M2 Data Warehouse Architecture: SAP University Alliances
No ratings yet
Module BI1-M2 Data Warehouse Architecture: SAP University Alliances
15 pages
320 - Computer Security - R - 2018
No ratings yet
320 - Computer Security - R - 2018
10 pages
Delivery Release TIA Portal V15
No ratings yet
Delivery Release TIA Portal V15
6 pages
CCNA3 Chap 6 Study Answers
No ratings yet
CCNA3 Chap 6 Study Answers
2 pages
Chapter 1-SPCC
No ratings yet
Chapter 1-SPCC
13 pages
International Cyber Security Challenges: I. Duić, V. Cvrtila, T. Ivanjko
No ratings yet
International Cyber Security Challenges: I. Duić, V. Cvrtila, T. Ivanjko
5 pages
11PT.8.5 x 11 Inch (21.59 x 27.94 Cm) the Cybersecurity and Computer Networking Bible
No ratings yet
11PT.8.5 x 11 Inch (21.59 x 27.94 Cm) the Cybersecurity and Computer Networking Bible
168 pages
Error List
No ratings yet
Error List
2 pages
Cambridge International AS & A Level: Computer Science 9608/11
No ratings yet
Cambridge International AS & A Level: Computer Science 9608/11
20 pages
A4 From RAD To MVC
No ratings yet
A4 From RAD To MVC
17 pages
Graylog Optimizing SIEM Log MGMT Ebook
No ratings yet
Graylog Optimizing SIEM Log MGMT Ebook
12 pages
Data Communication & Networks
No ratings yet
Data Communication & Networks
73 pages
BH US 12 Katz Soler HTExploit Slides
No ratings yet
BH US 12 Katz Soler HTExploit Slides
12 pages
General Web Application Security Questions 1729578061
No ratings yet
General Web Application Security Questions 1729578061
27 pages
Computer Abstractions and Technology: Omputer Rganization AND Esign
No ratings yet
Computer Abstractions and Technology: Omputer Rganization AND Esign
50 pages
IMS Basic Signaling Procedure (SIP&IMS Procedures)
100% (4)
IMS Basic Signaling Procedure (SIP&IMS Procedures)
66 pages
Huawei Pass4sure H13-629 v2018-01-14 by - Paul - 150q
No ratings yet
Huawei Pass4sure H13-629 v2018-01-14 by - Paul - 150q
70 pages
Csi Cnsa 2.0 Faq PDF
No ratings yet
Csi Cnsa 2.0 Faq PDF
20 pages
MIS Chapter 3
No ratings yet
MIS Chapter 3
22 pages
INS2020 Programming I Year 2022
No ratings yet
INS2020 Programming I Year 2022
4 pages
The SIEM Buyer's Guide For 2022: The Who, What, Where, When and Why of Buying An Analytics-Driven Security Solution
No ratings yet
The SIEM Buyer's Guide For 2022: The Who, What, Where, When and Why of Buying An Analytics-Driven Security Solution
23 pages
CV and Cover Letter
0% (1)
CV and Cover Letter
4 pages
CPU EC581: - CPU With Network Interface ARCNET BNC
No ratings yet
CPU EC581: - CPU With Network Interface ARCNET BNC
19 pages
Atoll The RF Planning Tool
No ratings yet
Atoll The RF Planning Tool
16 pages
(Paul Barry) Head First Python A Brain-Friendly G
100% (5)
(Paul Barry) Head First Python A Brain-Friendly G
624 pages
Grandstream Networks, Inc.: UCM6510 Basic Configuration Guide
No ratings yet
Grandstream Networks, Inc.: UCM6510 Basic Configuration Guide
30 pages