Certification Authority Server Installation Manual

Posted: 28-Aug-2018

    Certification Authority Server Installation Manual

    Introduction

    A Certification Authority issues digital certificates which contain a public key and the identity of the owner. The certificates are issued in PFX (Personal inFormation eXchange) file format protected by a password.

    Certificates provide the foundation of a public key infrastructure (PKI). These are electronic credentials, issued by a certification authority (CA), that are associated with a public and private key pair.

    Our Certification Authority Server runs as an IIS application on most Windows web servers, so no separate CA machine is required.

    Warning and Disclaimer

    Every effort has been made to make this manual as complete and accurate as possible, but no warranty or fitness is implied. The information provided is on an as is basis. The author shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this manual.

    Trademarks

    .NET, Visual Studio .NET are trademarks of Microsoft Inc.
    Adobe, Adobe Reader are trademarks of Adobe Systems Inc.
    All other trademarks are the property of their respective owners.

    Page 1 - Certification Authority Server Installation Manual (version 4.0) - http://www.signfiles.com/certification-authority/


    CA Server - new features ......................................... 2
      Microsoft Store Root Certificate ............................... 2
      Root Certificate Generator ..................................... 3
    OCSP Validation Service .......................................... 4
      How OCSP Validation Service Works .............................. 4
      Testing the OCSP ............................................... 5
      Validating PDF Signatures ...................................... 6
    Prerequisites .................................................... 11
    Installation ..................................................... 12
    CA Root Certificate .............................................. 14
      Issue the CA Root Certificate .................................. 14
    Issue Certificates ............................................... 15
      Issue User Certificates ........................................ 15
      Issue Certificates from CSR (Certificate Signing Request) ...... 16
      Revoke a Certificate ........................................... 17
      CRL Issuing .................................................... 18
    Certification Authority Management ............................... 19
      Certificate Management ......................................... 19
      Audit Trail .................................................... 20

    CA Server

    The CA Server is available for testing purposes at this link: http://ca.signfiles.com/ca/

    The latest version of the CA Server includes the following features:

    - Signing Certificates can be loaded from Microsoft Certificate Store.
    - OCSP support.
    - Certificate templates for CSR certificates.

    Microsoft Store Root Certificate

    If you want to use an HSM Root Certificate, it must appear on the Microsoft Certificate Store - Personal tab.

    The CA Server can use an existing Root Certificate as the CA certificate (preferred method) or you can generate a new Root Certificate on your CSP.

    The Root Certificate must be available for every CA operation: issuing certificates, issuing CRLs and signing OCSP responses.


    Root Certificate Generator

    If your CSP does not offer a way to generate certificates directly on the CSP (the preferred method), you can use Root Certificate Generator.

    How to generate a Root Certificate using Root Certificate Generator:

    - Start Root Certificate Generator.
    - On the Smart Card Certificate Service Provider combobox, select your CSP.
    - If your CSP does not appear on the list, the certificate cannot be generated.
    - Fill the textboxes with your data (Organization, Email, etc.).
    - Select the Root Certificate template.
    - Optionally, set the key size, validity period, etc.
    - Press Generate Certificate.
    - Enter the CSP credentials (PIN PED, Password, other mechanisms).
    - Read the CSP manual to import the generated certificate on Microsoft Certificate Store - Personal tab (not Trusted Root Certification Authorities or Other People).


    OCSP Validation Service

    How OCSP Validation Service Works

    The OCSP Certificate must be issued by the same Root Certificate as the User Certificate, as below.

                  ------------------
                  |Root Certificate|
                  ------------------
                     |          |
                     |          |
       ------------------    ------------------
       |OCSP Certificate|    |User Certificate|
       ------------------    ------------------

    - The client must include in the OCSP Request the User Certificate Serial Number that should be verified and the Root Certificate Public Key Hash.
    - The OCSP Request is sent to the OCSP Server URL. The OCSP URL is extracted from the User Certificate - Authority Info Access field, like below:

    [1]Authority Info Access
         Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
         Alternative Name:
              URL=http://ca.signfiles.com/OCSP.aspx

    The OCSP Server (http://ca.signfiles.com/OCSP.aspx) performs the following steps:

    - Verify the OCSP Certificate. If the OCSP Certificate is not OK, an error message will be returned (as POST byte[]) or the status OCSPRespGenerator.InternalError.
    - Verify the CRL file. If the CRL file is invalid or unavailable, the status OCSPRespGenerator.InternalError will be returned.
    - Validate the OCSP Request structure. If the OCSP Request is not signed by the current Root CA, the OCSPRespGenerator.Unauthorized status will be returned. (Observation: some OCSP clients could return the Unknown status, but popular CAs like Verisign or Thawte return OCSPRespGenerator.Unauthorized.)
    - The user certificate serial number is extracted from the OCSP Request and, if it is found on the CRL, the status Revoked is returned to the Client.
    - If the user certificate serial number does not appear on the CRL, the certificate is considered valid and the status Good is returned to the Client.
    - If an exception occurs during this process, the status OCSPRespGenerator.InternalError will be returned.

    All errors above will appear on the Audit Trail.
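    The exchange described above, as an added example that is not part of the manual or of the signfiles CA Server code: the client side picks the OCSP URL out of a certutil-style Authority Info Access dump by its OID and builds a request from the user certificate serial number and the issuer key hash (SHA-1 of the root's public key bits, as in RFC 6960); the responder then applies the manual's checks in the stated order (OCSP certificate, CRL availability, Root CA match, CRL lookup, catch-all InternalError) and records failures in an audit trail. Real certificates are replaced by constructed byte strings, the CRL by a set of revoked serials, and the "signed by the current Root CA" check by a comparison of issuer key hashes; all names (`Responder`, `OcspRequest`, `ocsp_url_from_aia`) are assumptions of this example.

```python
# Added example (not from the manual or the signfiles CA Server): a model of the
# OCSP exchange the manual describes. Certificates are replaced by constructed
# byte strings and a set of revoked serials stands in for the CRL file.
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

OID_OCSP = "1.3.6.1.5.5.7.48.1"   # id-ad-ocsp, as printed in the AIA dump

# Constructed stand-ins for the subjectPublicKey bits of two root certificates.
ROOT_PUBLIC_KEY = b"constructed-root-public-key-bits"
OTHER_ROOT_PUBLIC_KEY = b"constructed-unrelated-root-public-key"

# certutil-style AIA dump, laid out as the manual shows it (constructed copy).
AIA_DUMP = """[1]Authority Info Access
     Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
     Alternative Name:
          URL=http://ca.signfiles.com/OCSP.aspx"""


def issuer_key_hash(public_key_bits: bytes) -> bytes:
    """CertID.issuerKeyHash: SHA-1 over the issuer's subjectPublicKey bits (RFC 6960)."""
    return hashlib.sha1(public_key_bits).digest()


def ocsp_url_from_aia(aia_text: str) -> Optional[str]:
    """Client side: return the URL of the access method whose OID is id-ad-ocsp.
    Other access methods (e.g. CA Issuers) in the same extension are ignored."""
    for entry in re.split(r"Access Method=", aia_text)[1:]:
        if OID_OCSP in entry.splitlines()[0]:
            match = re.search(r"URL=(\S+)", entry)
            if match:
                return match.group(1)
    return None


@dataclass
class OcspRequest:
    """The two values the manual says the client must put in the request."""
    serial_number: int
    issuer_key_hash: bytes


@dataclass
class Responder:
    """Server side. crl_serials is None when the CRL is invalid or unavailable."""
    root_public_key: bytes
    ocsp_cert_ok: bool
    crl_serials: Optional[Set[int]]
    audit_trail: List[str] = field(default_factory=list)

    def respond(self, req: OcspRequest) -> Tuple[str, Optional[str]]:
        """Return (response status, certificate status) in the manual's order of checks."""
        try:
            if not self.ocsp_cert_ok:
                return self._fail("InternalError", "OCSP certificate verification failed")
            if self.crl_serials is None:
                return self._fail("InternalError", "CRL invalid or unavailable")
            # The manual's "not signed by the current Root CA" check, modelled here as
            # the request's issuer key hash matching this responder's root (assumption).
            if req.issuer_key_hash != issuer_key_hash(self.root_public_key):
                return self._fail("Unauthorized", "issuer key hash does not match the Root CA")
            if req.serial_number in self.crl_serials:
                return ("Successful", "Revoked")
            return ("Successful", "Good")
        except Exception as exc:  # any unexpected failure maps to InternalError
            return self._fail("InternalError", "exception: %s" % exc)

    def _fail(self, status: str, reason: str) -> Tuple[str, None]:
        """Record the failure in the audit trail, as the manual says all errors are."""
        self.audit_trail.append("%s: %s" % (status, reason))
        return (status, None)


def demo() -> List[Tuple[str, Optional[str]]]:
    """Run the exchange for a revoked, a valid and a foreign-issuer certificate."""
    responder = Responder(ROOT_PUBLIC_KEY, ocsp_cert_ok=True, crl_serials={0x1001, 0x1002})
    ours = issuer_key_hash(ROOT_PUBLIC_KEY)
    requests = [
        OcspRequest(0x1001, ours),                                    # on the CRL
        OcspRequest(0x2000, ours),                                    # not on the CRL
        OcspRequest(0x2000, issuer_key_hash(OTHER_ROOT_PUBLIC_KEY)),  # other issuer
    ]
    return [responder.respond(r) for r in requests]


if __name__ == "__main__":
    print("OCSP URL:", ocsp_url_from_aia(AIA_DUMP))
    for status in demo():
        print(status)
```

    The order of the checks is the point worth keeping: an OCSP certificate or CRL problem is reported as InternalError before the request is even examined, a request for a different issuer is refused rather than answered Unknown, and only then does the serial number decide between Revoked and Good. A responder that skips the CRL check would silently answer Good for every certificate, which is why the manual routes every failure to the Audit Trail.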

    Testing the OCSP

    The OCSP service can be tested as below.

    After the Root Certificate is installed on Microsoft Certificate Store - Trusted Root Authorities, you can use PDF Signer to create a digital signature that will contain the revocation information obtained from the OCSP CA Responder. The Root Certificate can be downloaded from here: http://ca.signfiles.com/caOCSP/RootCertificate.cer

    To create a PDF digital signature, you must also obtain a signing certificate from the CA Server (http://ca.signfiles.com/caOCSP/IssueUserCertificate.aspx).

    The OCSP response can be embedded in the PDF signature only if the Root Certificate that issued the User Certificate exists on Microsoft Certificate Store - Trusted Root Authorities. Also, the OCSP Certificate must be issued by the same Root Certificate as the User Certificate, as below.

                  ------------------
                  |Root Certificate|
                  ------------------
                     |          |
                     |          |
       ------------------    ------------------
       |OCSP Certificate|    |User Certificate|
       ------------------    ------------------

    The OCSP validation service can be also verified using the following command:

    certutil -url (run against the certificate file), then select the OCSP (from AIA) option in the URL Retrieval Tool.
