3.3 Configuring the MyID RA user
Before MyID can access your PrimeKey PKI, you must have an RA user with appropriate access so that MyID can manage certificates on the CA. This RA user requires a Registration Authority (RA) certificate, which secures the communication between MyID and the web service hosting the CA. You can store the RA certificate in a software keystore or on an HSM. When requesting the certificate, make sure that the request has the Export Private Key option set; without it, the private key cannot be exported for use by MyID.
You must copy the RA certificate to the MyID application server. You use the location of the certificate to set the key store location when configuring the CA; see section 3.8, Configuring the CA within MyID.
Although you can specify the location and password of a PFX key store when configuring the CA, it is recommended that you enroll the PFX into a CSP or KSP for the MyID COM+ user, then export the imported certificate to a certificate file, and use the location of this file when configuring the CA.
3.3.1 Configuring end entity and certificate profiles for an RA User certificate
You must configure a suitable end entity and certificate profile to use when issuing an RA user certificate.
The end entity profile must have the following configuration:
- Subject DN Attributes
  - Common Name
The certificate profile must have the following configuration:
- Key Algorithm – RSA 2048 bits.
- Allow subject DN override by End Entity Information – Enable.
- Key Usage – Digital Signature, Non-Repudiation, Key Encipherment.
- Extended Key Usage – Client Authentication.
Both the end entity and certificate profile must reference the CA that is going to be used to issue the certificate in section 3.3.2, Creating a MyID RA User.
See the PrimeKey EJBCA documentation for details on how to configure the above entities.
3.3.2 Creating a MyID RA User
Create a MyID RA user through the EJBCA RA Web using the Enroll > Make New Request option. The MyID RA user certificate must be signed by an appropriate CA in the EJBCA; for example:
Enroll the user certificate by clicking the Download PKCS#12 button. You can then use the downloaded certificate with MyID; the password is provided in the Enrollment code field.
Note: To allow the establishment of a secure connection, you must configure the EJBCA server to trust the CA that is used to issue the certificate.
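Before using the downloaded PKCS#12 with MyID, it is worth confirming that it actually matches the profile from section 3.3.1 (RSA 2048, the three Key Usage bits, Client Authentication, and an exportable private key). The following script is an added example and not part of the MyID or EJBCA documentation; it assumes OpenSSL 1.1.1 or later on the path, and the self-signed sample file and the enrollment code `secret` are constructed stand-ins for a real RA Web download.

```shell
#!/bin/sh
# Added example: verify that an RA user PKCS#12 (as downloaded from the EJBCA RA Web)
# matches the certificate profile in section 3.3.1. Assumes OpenSSL 1.1.1+.
# Usage: check_ra_p12 <file.p12> <enrollment code>

check_ra_p12() {
    p12="$1"; pass="$2"; ok=0
    # Dump only the end-entity certificate (no chain, no key) as text.
    txt=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
          | openssl x509 -noout -text 2>/dev/null)
    # The private key must be inside the PKCS#12 (i.e. it was exportable at enrollment).
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY' || { echo "FAIL: no private key in $p12"; ok=1; }
    # Key Algorithm: RSA 2048 bits.
    echo "$txt" | grep -q 'Public Key Algorithm: rsaEncryption' || { echo "FAIL: key is not RSA"; ok=1; }
    echo "$txt" | grep -q 'Public-Key: (2048 bit)' || { echo "FAIL: key is not 2048 bits"; ok=1; }
    # Key Usage: Digital Signature, Non-Repudiation, Key Encipherment.
    ku=$(echo "$txt" | grep -A1 'X509v3 Key Usage' | tail -n1)
    for want in 'Digital Signature' 'Non Repudiation' 'Key Encipherment'; do
        echo "$ku" | grep -q "$want" || { echo "FAIL: Key Usage lacks $want"; ok=1; }
    done
    # Extended Key Usage: Client Authentication.
    echo "$txt" | grep -A1 'X509v3 Extended Key Usage' | grep -q 'TLS Web Client Authentication' \
        || { echo "FAIL: Extended Key Usage lacks Client Authentication"; ok=1; }
    [ "$ok" -eq 0 ] && echo "OK: $p12 matches the RA user certificate profile"
    return "$ok"
}

# Constructed sample standing in for the RA Web download: a self-signed certificate
# carrying the profile's extensions, packaged as PKCS#12 with the enrollment code as password.
make_sample_p12() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=MyID RA" \
        -addext "keyUsage=critical,digitalSignature,nonRepudiation,keyEncipherment" \
        -addext "extendedKeyUsage=clientAuth" \
        -keyout "$dir/ra.key" -out "$dir/ra.crt" 2>/dev/null
    openssl pkcs12 -export -in "$dir/ra.crt" -inkey "$dir/ra.key" \
        -out "$dir/ra.p12" -passout "pass:$1" 2>/dev/null
    echo "$dir/ra.p12"
}

sample=$(make_sample_p12 secret)
check_ra_p12 "$sample" secret
```

Run it against the real download instead of the sample with `check_ra_p12 <downloaded.p12> <enrollment code>`; any FAIL line means the end entity or certificate profile in EJBCA needs correcting before the certificate is used in section 3.8.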
3.3.3 Configuring MyID RA user access
The roles assigned to the RA user used by MyID define the administrative capabilities available to MyID. You can assign access rules to a role when creating the role, as described below, or afterwards using the EJBCA GUI Roles > Access Rules option.
Although MyID acts as an RA administrator, the default RA Administrator template access rules do not provide sufficient access for MyID to validate and synchronize the EJBCA policies. You therefore need to use Advanced Mode to configure the access rules.
At minimum the user must have the following access rules assigned:
| Configuration Option | Setting |
|---|---|
| Role | MyID RA Administrator |
| Authorized CAs | Access to all Certificate Authorities. |
| Regular access rules | |
| End Entity Rules | |
| End Entity Profiles | Provide access to all the end entity profiles, or at least those end entity profiles associated with MyID. Even if access is provided to all end entity profiles, only those profiles that reference one or more of the CAs used by MyID will be visible within MyID as certificate policies. |
| Validators | None. |
| Internal key binding | None. |
| Other rules | None. |
The following shows the minimum configuration options in the Regular Access Rules settings when configuring the access rules in advanced mode:
You can configure an RA administrator role, if not already provided by default, using the administrator RA Web Role Management > Roles option.
3.3.4 Adding the MyID RA user to the RA Administrator role
Add the MyID RA user to the MyID RA Administrator role using the Add Role Member option in the RA Web Role Management > Role Members option; for example:
In the above example, the subject common name of the RA user certificate is used to match the user to the role, and hence determines their capabilities.
You can also add a user to a role through the EJBCA Adminweb using the Administrator Roles > Members option.