...

  • On the SSL Certificate tab, enable Self Enrollment, put a shared secret value in Access Code and copy the URL shown below that field. You can now hand out this URL, together with the access code, to people who should be able to reach the certificate enrollment page without being SCM admins. As you will see when you test it, the form contains roughly the same fields as the "Add Certificate" pages in the SCM itself. Be aware that the email address entered is only checked for belonging to an allowed domain, not for ownership, so you need an out-of-band method of authenticating the requestor before approving.
  • If you have SAML attribute release working towards Sectigo (see "SAML Configuration" below), you can also enable "Self Enrollment via SAML", keep the Access Code secret and hand out the URL below the Token field to users instead. They then have to authenticate via SAML before reaching the same kind of enrollment form. Since the email address now comes from your IdP via SAML you can be more confident that it is correct, but it is up to you to decide whether that is good enough or whether you still require additional confirmation out-of-band before approving.
  • Do not enable "Automatically Approve Self Enrollment Requests": at the very least, you will want to approve certificate requests arriving via this route manually.
  • While you are at it, customize the Server Software list so that users are not presented with dozens of choices. You may also want to customize the SSL Types for the Enrollment Form (the right-hand column) to stop users from selecting certificate types you do not want them to use, while keeping those types selectable in the SCM itself (the left-hand Admin UI column).

Client Certificates

Self-service portal via SAML

FIXME: write about the coming Sectigo self-service portal for requesting client certificates, the equivalent of the DigiCert portal (digicert.com/sso) and the earlier Confusa portal, and also about how to issue client certificates using the SCM as such. The intended work-flow is that an end-user logs in via SAML authentication, selects the appropriate options and gets a certificate back.

The self-service portal is under development. We will update this section when it is ready for testing.

Issuing client certificates using the SCM

While this is not intended to be the main route once the self-service portal is in place, this is how you issue personal certificates using the SCM today:

  • As a RAO, go to Certificates → Client Certificates and use the Add button. Select the appropriate Organization, Department and Domain. Fill in the Email Address and the Common Name, as well as the separate name fields. Leave Secret ID blank and Validation Type at Standard.
  • You have now added the person, not a certificate. Tick the person's row and use the Certificates button. There, use Send invitation to email the user an invitation containing a one-time token (nonce) that authorizes that user to create a client certificate.
  • The user will have to provide a Password (used to encrypt the generated PKCS#12 file) and a Passphrase (which can later be used to revoke the certificate without your assistance), and accept a click-through license.
  • The user then receives a PKCS#12 file containing the private key, the certificate and the chain, ready for import into web browsers etc.

Things worth noting:

  • Yes, the key is generated on the server side. There is no option to upload a CSR so as to use a key generated on the client side. This may be unacceptable for users for policy reasons (not allowed to have the key generated by a third party) or technical ones (the key cannot be exported from a hardware device). For the self-service portal it will be a requirement that the user can upload a CSR and get certificate+chain back, instead of key+certificate+chain.
  • There is also the option of enabling an Access Code, a shared secret between you and all users that lets them get a client certificate as long as they have access to their email. We advise you not to use it.
  • There is also the possibility to enter a Secret ID per user, which lets them get a client certificate by entering it together with their email address. For occasional client certificates we do not see the upside compared with the invitation method above, and for bulk issuing we will rely on the self-service portal via SAML as soon as it is ready.
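The following script is an added example, not part of this page and not Sectigo's or the SCM's own tooling. It shows the two things the notes above touch on: the client-side alternative to server-side key generation (key and CSR created locally with the openssl CLI, so only the CSR would ever be uploaded), and the checks worth running on a PKCS#12 file received from the invitation flow (does the bundled key actually match the certificate, and is the chain included). The "demo CA", the address alice@example.org and the password are constructed stand-ins so that the script runs offline; in real use the CSR goes to the CA and the CA returns certificate and chain, and the key-generation and signing steps here are not how Sectigo issues.

```shell
#!/bin/sh
# Added example (not from the page, not Sectigo code). Uses only the
# openssl CLI (1.1.1 or later). The demo CA is a constructed stand-in.
set -eu

# --- Client-side route: private key and CSR never leave this machine -----
make_key_and_csr() {
  # $1 = output prefix, $2 = requestor e-mail (constructed in the demo).
  # RSA-3072 here; use "-algorithm EC -pkeyopt ec_paramgen_curve:P-256"
  # if the CA profile asks for ECDSA.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
    -out "$1.key" 2>/dev/null
  chmod 600 "$1.key"
  openssl req -new -key "$1.key" -out "$1.csr" \
    -subj "/CN=$2/emailAddress=$2" \
    -addext "subjectAltName=email:$2" 2>/dev/null
  # Sanity check before upload: the CSR's self-signature must verify.
  openssl req -in "$1.csr" -noout -verify >/dev/null 2>&1
}

# --- Stand-in for the issuing CA (constructed; NOT the Sectigo flow) -----
demo_ca_sign() {
  # $1 = CA prefix, $2 = request prefix; writes $2.crt signed by the demo CA
  [ -f "$1.crt" ] || openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.crt" -days 30 \
    -subj "/CN=Constructed Demo Issuing CA" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 30 -out "$2.crt" 2>/dev/null
}

# --- Bundle key + certificate + chain for browser import -----------------
bundle_p12() {
  # $1 = prefix (.key and .crt), $2 = chain PEM file, $3 = export password
  openssl pkcs12 -export -inkey "$1.key" -in "$1.crt" -certfile "$2" \
    -out "$1.p12" -passout "pass:$3" 2>/dev/null
}

# --- Checks on a received PKCS#12 ----------------------------------------
p12_key_matches_cert() {
  # $1 = p12 file, $2 = import password. Succeeds only if the bundled
  # private key and the leaf certificate carry the same public key; a
  # wrong password or a bundle without a key yields an empty kpub -> fail.
  kpub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
         | openssl pkey -pubout 2>/dev/null)
  cpub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
         | openssl x509 -pubkey -noout 2>/dev/null)
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

p12_ca_cert_count() {
  # $1 = p12 file, $2 = import password; prints the number of chain
  # (CA) certificates in the bundle, 0 if none or if it cannot be opened.
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

run_demo() {
  # $1 = working directory; returns 0 when every check passes.
  d="$1"; mkdir -p "$d"
  pw="correct horse battery staple"                  # constructed password
  make_key_and_csr "$d/alice" "alice@example.org"    # constructed address
  demo_ca_sign "$d/demo-ca" "$d/alice"               # stands in for the CA
  bundle_p12 "$d/alice" "$d/demo-ca.crt" "$pw"
  p12_key_matches_cert "$d/alice.p12" "$pw" &&
    [ "$(p12_ca_cert_count "$d/alice.p12" "$pw")" -ge 1 ]
}

if [ "${1:-}" = "demo" ]; then
  run_demo "$(mktemp -d)" && echo "PKCS#12 checks passed"
fi
```

Run it with `sh client-cert-demo.sh demo`. For a real bundle from the invitation flow, call `p12_key_matches_cert your.p12 'password'` and `p12_ca_cert_count your.p12 'password'` directly: a mismatch between key and certificate, or a chain count of 0, means the file will not work as a client certificate even though it imports without complaint in some browsers. Note that OpenSSL 3 writes PKCS#12 files with AES and PBKDF2 by default; add `-legacy` to the export if an old importer only understands the RC2-based format.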

Code Signing Certificates

...