2.6 Set up the MyID Entrust Certificate Authority
Note: If you want to set up more than one Entrust CA within MyID, you may experience problems. For more information, contact customer support, quoting reference SUP-171.
To edit a Certificate Authority (CA):
- From the Configuration category, select Certificate Authorities.
  The Certificate Authorities workflow is displayed, with the Select a CA stage highlighted.
- If an Entrust CA already exists, select it from the list and click Edit.
  If an Entrust CA does not already exist, click New.
- From the CA Type drop-down list, select Entrust JTK.
  Note: All of the fields with a colored background in the example are mandatory.
- Set the following fields:
  - CA Name – Enter the name that you will use to identify the CA.
  - CA Description – Enter a description for the CA.
  - CA Type – Select Entrust JTK.
  - Retry Delays – A semicolon-separated list of elapsed times, in seconds. For example, with the delays 5, 10 and 20:
    If the first attempt to retrieve details from the CA fails, a second attempt is made after a 5 second delay.
    If this second attempt fails, the CA is contacted again after 10 seconds.
    Subsequent attempts to retrieve information are made every 20 seconds, until a response is received.
    If you want to limit the number of retry attempts, enter 0 as the last number in the sequence.
  - CA DN – Enter the DN (distinguished name) of the CA.
    You can obtain this value from the CA Distinguished Name item in the [Entrust Settings] section of the entrust.ini file.
  - CA Host – Enter the DNS name or IP address of the Entrust ESAM server.
  - CA Port – Enter the IP port of the Entrust ESAM server. The default port number is 829.
    You can confirm the port number from the CMPListen item in the [Comms] section of the entmgr.ini file.
  - LDAP Query – Enter the query that MyID uses to find the Entrust LDAP entity.
    See section 3.1, Setting the LDAP query string, for details.
  - Entrust.ini – Enter the fully qualified path to the entrust.ini file.
    Important: Do not use Windows-style back slashes (\) in the path. Use UNIX-style forward slashes (/).
  - Directory – Select the LDAP directory being used from the list available.
  - Admin EPF – See section 2.6.1, Admin EPF, for details.
    Important: Do not use Windows-style back slashes (\) in the path. Use UNIX-style forward slashes (/).
  - Admin EPF Password – Enter the password for the Admin EPF file.
  - Encryption PFX – Enter the fully qualified path to the encryption certificate file. This can be a PFX or P12 file.
    Important: Do not use Windows-style back slashes (\) in the path. Use UNIX-style forward slashes (/).
    Note: This encryption certificate is required only if you are going to issue archive certificates from your Entrust CA. If you do not want to issue archive certificates, type a dummy value in this field and in the Encryption PFX Password field. The Encryption PFX field format is validated, so the dummy value must be in the correct format for a file path, but the file does not need to exist.
  - Encryption PFX Password – Enter the password used in conjunction with the encryption certificate file.
    The password is the same as the password associated with the EPF profile file that you used to generate the certificate file.
- Select Enable CA to make the policies available for issue.
- Click Save to save these settings to the database. MyID is now ready to issue certificates.
2.6.1 Admin EPF
The Admin EPF can be either the full file path to the .epf file created in section 2.2, Create the MyID server profile, or a compound value representing the P11 library for your HSM, the serial number of the slot where the hardware-based credential was created, and the name of that profile.
Depending on what tools were used to create the hardware-based credential, one or more files will have been created. You must copy those files to the MyID application server, to a location with the same path as the one in which they were originally generated.
Note: Contact Entrust for guidance on the appropriate tools for creating the hardware-based credential; currently, Entrust suggests the PCU administration services utility.
An .epf file can be copied anywhere; when the credential is hardware based, however, the copies of the files on the application server must be at the same location as on the CA where they were created.
For example:
A hardware-based credential was created in c:\authdata\manager\epf for a user HSM Officer. The profile for ‘HSM Officer’ was created (without a space) as HSMOfficer.
The files created, which will include one or more of .apf/.arl/.cch/.crl/.pch/.xcc, must be copied to:
C:\authdata\manager\epf
on the MyID application server.
Within MyID, assuming the P11 DLL from your provider is cryptoki.dll, the Admin EPF value recorded in MyID has the form:
<path to p11 dll>/SerialNumber|<ProfileName>.tkn
Note: There is no actual .tkn file at the location – the .tkn suffix is used to specify the name of the profile, not a filename.
Important: Do not use Windows-style back slashes (\) in the path. Use UNIX-style forward slashes (/).
With the DLL in its usual Windows system location, the value would be:
C:/Windows/System32/cryptoki.dll/123456789|HSMOfficer.tkn
Or if it is on the system path:
cryptoki.dll/123456789|HSMOfficer.tkn
Or if it is at the point of installation:
C:/Program Files/SafeNet/LunaClient/cryptoki.dll/123456789|HSMOfficer.tkn
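As an added example (not MyID's own validation code), the following Python parses an Admin EPF value into its two documented forms: a plain .epf profile path, or the P11 compound value <path to p11 dll>/SerialNumber|<ProfileName>.tkn, where the .tkn suffix names a profile rather than a file. It rejects Windows-style back slashes, which the Important note forbids; requiring a .epf extension for the plain form, and the sample .epf path in the comments, are this example's assumptions.

```python
"""Parser for the MyID Admin EPF field (added example, not MyID code).

Two forms are documented:
  1. full path to the .epf profile file, e.g. C:/authdata/manager/epf/myid.epf
     (constructed sample path)
  2. P11 compound value:  <p11 dll>/<slot serial>|<ProfileName>.tkn
The exact validation MyID applies is not documented, so the checks here are
this example's interpretation of the page.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AdminEpf:
    kind: str                          # "epf" (profile file) or "p11" (HSM profile)
    path: str                          # .epf file, or the P11 DLL path / bare DLL name
    slot_serial: Optional[str] = None  # HSM slot serial number (P11 form only)
    profile: Optional[str] = None      # profile name without the .tkn suffix


def parse_admin_epf(value: str) -> AdminEpf:
    value = value.strip()
    if "\\" in value:
        # The field must use UNIX-style separators (see the Important note).
        raise ValueError("use forward slashes (/), not back slashes (\\)")
    if "|" not in value:
        # Plain form: assumption of this example that the file ends in .epf.
        if not value.lower().endswith(".epf"):
            raise ValueError("expected an .epf path or a P11 compound value")
        return AdminEpf(kind="epf", path=value)
    left, profile = value.split("|", 1)
    if not profile.lower().endswith(".tkn") or len(profile) <= len(".tkn"):
        raise ValueError("profile must be given as <ProfileName>.tkn")
    if "/" not in left:
        raise ValueError("P11 form needs <p11 dll>/<slot serial> before '|'")
    dll, serial = left.rsplit("/", 1)   # DLL path may itself contain slashes
    if not dll or not serial:
        raise ValueError("P11 DLL and slot serial number must both be present")
    # .tkn only marks the profile name; there is no such file, so strip it.
    return AdminEpf(kind="p11", path=dll, slot_serial=serial, profile=profile[:-4])
```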