...

End users cannot revoke certificates themselves in the self-service portal. Instruct them to contact you if revocation is needed. As a RAO, you can revoke a certificate by going to Certificates → Client Certificates, selecting the right person, clicking Certificates, selecting the right certificate and clicking Revoke.

...

Note: this is a backup solution. The main way to issue client certificates is via the self-service portal discussed above. With that understood, this is how you can issue personal certificates using the SCM:

This has changed. Contact us if you need to use this.

  • As a RAO, go to Certificates → Client Certificates and use the Add button. Select the appropriate Organization, Department and Domain. Fill in the Email Address and the Common Name. Fill in the separate name fields. Leave Secret ID blank and Validation Type Standard.
  • You have now added the person, not a certificate. Click the person's row to select it and use the Certificates button. There, use Send invitation to send an invitation email to the user, containing a nonce that authorizes that user to create a client certificate.
  • The user will have to provide a Password (used to encrypt the generated PKCS#12 file) and a Passphrase (which can be used to revoke the certificate without your assistance), as well as accept a click-through license.
  • The user will then receive a PKCS#12 file containing the key, certificate and chain, ready for import into web browsers and other clients.

Things worth noting:

  • Yes, the key is always generated on the server side when you use this method. There is no option to upload a CSR in order to use a key generated on the client side. This may not be acceptable for users for policy reasons (not allowed to have the key generated on the server side) or technical reasons (key not exportable from a hardware device). You can upload a CSR when you use the self-service portal.
  • There is also the option of enabling an Access Code, which is a shared secret between you and all users that enables them to get a client certificate as long as they have access to their email. We advise you not to use that.
  • There is also the possibility to enter a Secret ID per user, to enable them to get a client certificate by entering that together with their email address. For occasional client certificates, we do not see the upside of this compared to the invitation method above, and for bulk issuing we will rely on the self-service portal via SAML as soon as that is ready.
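The first point above is the reason to prefer the self-service portal when the private key must stay with the user: the portal accepts a CSR, so the key can be generated locally and never exists on the CA side. The script below is an added example (not SUNET's or Sectigo's code) of that client-side workflow: it generates the key and CSR with the OpenSSL command-line tool, and provides checks that the CSR, and later the issued certificate, really carry the locally generated key. It assumes openssl is installed and that the portal accepts a PEM-encoded CSR; the email address, output directory and file names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example: generate a client-certificate key and CSR on the user's machine,
# so only the CSR (no private key) is uploaded to the self-service portal.
# Assumes the openssl CLI; paths and the email address are example values.
set -eu

# make_client_csr <email> <outdir>
# Writes <outdir>/client.key (private key, readable only by the owner) and
# <outdir>/client.csr (the request to upload in the self-service portal).
make_client_csr() {
    email="$1"
    outdir="$2"
    mkdir -p "$outdir"
    umask 077   # key file must not be world-readable
    # 3072-bit RSA is a conservative default; "-newkey ec -pkeyopt ec_paramgen_curve:prime256v1"
    # would give an EC key instead. -nodes leaves the key unencrypted on disk;
    # protect it with the OS user account or encrypt it afterwards.
    openssl req -new -newkey rsa:3072 -nodes \
        -keyout "$outdir/client.key" -out "$outdir/client.csr" \
        -subj "/CN=$email/emailAddress=$email" 2>/dev/null
}

# csr_matches_key <csr> <key>
# Succeeds only if the CSR embeds the public half of the given private key.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$csr_pub" = "$key_pub" ]
}

# cert_matches_key <cert> <key>
# Run this on the certificate the CA returns: if the public keys differ, the
# certificate was not issued for your locally generated key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}
```

Typical use is `make_client_csr user@example.org ./clientcert`, upload `clientcert/client.csr` in the portal, then `cert_matches_key issued.pem clientcert/client.key` once the certificate arrives; a mismatch means the certificate does not belong to the key you hold and should not be installed.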

Code Signing Certificates

We will update this section when a SUNET TCS member has found the need for a code signing certificate, gone through the procedure and shared with us the experience of using the new interface to order a Code Signing certificate.

Notifications

Under Settings → Email Notifications you can add and edit what notifications the system will send you when certain conditions are met. Use the Add button to have a look at the various Notification Types that are available.

...

If you have a need to change the text in the emails sent from the system, you can do that under Settings → Templates → Email Templates. If you do, please report your experience with that feature (good or bad) to tcs@sunet.se.

...

  • To use federated login in the SCM portal you need to go into all your current RAO and DRAO admin accounts (in Settings → Admins) and, in the Authentication tab, change the field SAML IdP to "Your institution" and the field EPPN to the ePPN (eduPersonPrincipalName) of the admin. If you do not do this manual mapping of eduPersonPrincipalName to the admin account, a much more insecure automatic mapping by email address will be done at the first SAML login. Right now there is an annoying known bug when using the SAML integration: it picks up the name from the SAML assertion but does not handle character encoding correctly.
  • See above under "Allowing non-admins to request certificates" for information about "Self Enrollment via SAML" for SSL certificates.

...