3.1 Setting up the CA

You must provide MyID with the certificate it needs to sign any requests it makes and make the policies published by the CA available for use.

  1. Copy the PKCS#12 certificate generated by the Registration Authority Operator (RAO) to the MyID Application server.
  2. Log on to MyID.
  3. From the Configuration category, select Certificate Authorities.
  4. Click New.

  5. From the CA Type drop-down list, select UniCERT.

  6. Enter a name for the CA in CA Name and a short name in CA Description.
  7. In CA Type, select UniCERT.
  8. Set the Retry Delays – a semicolon-separated list of elapsed times, in seconds.

    For example, 5;10;20 means:

    • If the first attempt to retrieve details from the CA fails, a second attempt will be made after a 5 second delay.
    • If this second attempt fails, the CA will be contacted again after 10 seconds.
    • Subsequent attempts will be made to retrieve information every 20 seconds, until a response is received.

    If you want to limit the number of retry attempts, enter 0 as the last number in the sequence.

    The default is:

    15;60;60;60;60;120;180;360;3600;86400;0

    This retries after 15 seconds, then four times at one-minute intervals, then after two minutes, three minutes, six minutes, an hour and 24 hours, and then stops.

  9. Enter the distinguished name (DN) for the CA in CA Path.
  10. Enter the web address for contacting the UPI in Service Point.

    For example:

    https://myserver.example.com/UPI

  11. Enter the DN for the RA in Enrollment Agent.
  12. In RA / RRO Path, enter the location of the PKCS#12 certificate file, or the path to a PKCS#11 device:

    • For a PKCS#12 file on the application server:

      Specify the path on the application server to a PKCS#12 file containing the RAO/RRO certificate.

      For example:

      C:\unicert\myrro.p12

    • For a PKCS#11 device, specify an entry like the following:

      HSM://P11Driver/SlotName

      Where:

      • P11Driver is the filename of the PKCS#11 driver for your device. It may be the full path or just the name of the file if it is in the system path.
      • SlotName is the name of the Slot on which the certificate resides.

      To use a preferred signer from the slot, for example if you have a common partition shared by a number of CAs, the format instead is:

      HSM://P11Driver/SlotName|PreferredSigner

      For example:

      HSM://cryptoki.dll/vinfunica01|MyID_HSM - DS, NR, KE

      where the PreferredSigner name is how it is shown in the UniCERT TokenManager utility.

  13. Type the RA / RRO Password for the RAO/RRO certificate and confirm it in the Confirm Password box.

    Note: Do not use a pipe | symbol in the password; this is a reserved character.

  14. If you are using an HSM for key generation seeding, specify the location of the configuration file in the Cfg File Path field.

    See section 3.1.1, Using an HSM for key generation seeding below for details of the configuration file.

  15. If your HSM requires a login to generate the random number for key generation seeding, type the Cfg File Password and confirm it in the Confirm Password box.

    Note: Do not use a pipe | symbol in the password; this is a reserved character.

  16. Click Save.

MyID automatically detects the policies published by the CA and these can immediately be enabled for use by card policies.
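The following is an added example, not code from MyID or UniCERT. It checks the values entered in the procedure above (Retry Delays, RA / RRO Path and RA / RRO Password) against the rules the steps state: retry delays are whole seconds separated by semicolons with 0 allowed only as a terminator, the RA / RRO Path is either a PKCS#12 file path or an HSM://P11Driver/SlotName entry with an optional |PreferredSigner suffix, and the password may not contain a pipe. The function and field names are this example's own; the sample values are the ones shown in the text.

```python
"""
Added example, not code from MyID or UniCERT: checks the values entered in
the CA settings procedure above (Retry Delays, RA / RRO Path and the RA / RRO
Password) before they are saved. The function and field names are this
example's own; the sample values are the ones shown in the text.
"""
from dataclasses import dataclass
from typing import List, Optional


def parse_retry_delays(value: str) -> List[int]:
    """Parse the semicolon-separated Retry Delays list into whole seconds."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        raise ValueError("Retry Delays must contain at least one value")
    delays: List[int] = []
    for part in parts:
        if not part.isdigit():
            raise ValueError(f"retry delay {part!r} is not a whole number of seconds")
        delays.append(int(part))
    # 0 means "stop retrying", so it only makes sense as the final entry.
    if 0 in delays[:-1]:
        raise ValueError("0 is only allowed as the last retry delay")
    return delays


def retry_schedule(delays: List[int], max_attempts: int = 20) -> List[int]:
    """Expand the list into the wait before each retry.

    The last value repeats until a response is received, so an unbounded
    list is cut off at max_attempts; a trailing 0 ends the schedule.
    """
    schedule: List[int] = []
    for delay in delays:
        if delay == 0:
            return schedule
        schedule.append(delay)
    while len(schedule) < max_attempts:
        schedule.append(delays[-1])
    return schedule


@dataclass
class RaoCredential:
    """Where the RAO/RRO signing certificate lives."""
    kind: str                               # "pkcs12" or "pkcs11"
    p12_path: Optional[str] = None
    p11_driver: Optional[str] = None
    slot_name: Optional[str] = None
    preferred_signer: Optional[str] = None


def parse_ra_rro_path(value: str) -> RaoCredential:
    """Parse a PKCS#12 file path or HSM://P11Driver/SlotName[|PreferredSigner]."""
    value = value.strip()
    if value.upper().startswith("HSM://"):
        body, has_signer, signer = value[len("HSM://"):].partition("|")
        # The driver may itself be a full path, so the slot name is whatever
        # follows the last slash (assumes slot names contain no '/').
        driver, _, slot = body.rpartition("/")
        if not driver or not slot:
            raise ValueError("expected HSM://P11Driver/SlotName[|PreferredSigner]")
        return RaoCredential("pkcs11", p11_driver=driver, slot_name=slot,
                             preferred_signer=signer.strip() if has_signer else None)
    if not value:
        raise ValueError("RA / RRO Path is empty")
    return RaoCredential("pkcs12", p12_path=value)


def password_is_valid(password: str) -> bool:
    """The pipe character is reserved and must not appear in the password."""
    return bool(password) and "|" not in password


def validate_ca_settings(retry_delays: str, ra_rro_path: str, password: str) -> List[str]:
    """Return a list of problems; an empty list means the values are usable."""
    problems: List[str] = []
    for parser, value in ((parse_retry_delays, retry_delays),
                          (parse_ra_rro_path, ra_rro_path)):
        try:
            parser(value)
        except ValueError as exc:
            problems.append(str(exc))
    if not password_is_valid(password):
        problems.append("RA / RRO Password must be non-empty and must not contain |")
    return problems


if __name__ == "__main__":
    print(retry_schedule(parse_retry_delays("15;60;60;60;60;120;180;360;3600;86400;0")))
    print(parse_ra_rro_path("HSM://cryptoki.dll/vinfunica01|MyID_HSM - DS, NR, KE"))
    print(validate_ca_settings("5;0;10", r"C:\unicert\myrro.p12", "bad|password"))
```

Run as a script it prints the expanded default retry schedule (ten retries, then stop), the parsed HSM entry with its preferred signer, and the two problems in the deliberately bad settings. The pipe is split off before the slash is, because the preferred signer name from TokenManager may contain spaces and commas but the text gives no indication that it may contain a pipe.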

3.1.1 Using an HSM for key generation seeding

If you want to use an HSM for key generation seeding, you must create a configuration file on the MyID application server and specify its location in the Cfg File Path field. The MyID COM+ user must have read access to this file.

The configuration file must contain:

For example:

name = LunaSA
library = c:/Program Files/SafeNet/LunaClient/cryptoki.dll
slotListIndex=0
attributes( *,*,* ) = {
    CKA_EXTRACTABLE = false
    CKA_SENSITIVE = false
    CKA_SIGN = true
}

Note: For the library entry, you must use forward slashes (/) in the path.

You must also make sure that your java.security file contains an entry for SunPKCS11 in the list of security providers; for example:

security.provider.13=SunPKCS11
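The following is an added example, not code from MyID or UniCERT. It parses a SunPKCS11 configuration file of the shape shown above and checks the two rules the text states: the library path must use forward slashes, and java.security must list SunPKCS11 among the security providers. It also checks for the name and library entries that SunPKCS11 itself requires. The two file contents embedded in it are constructed samples and the function names are this example's own.

```python
"""
Added example, not code from MyID or UniCERT: parses a SunPKCS11
configuration file of the shape shown above and checks the rules the text
states (forward slashes in the library path; a SunPKCS11 entry in
java.security). The file contents below are constructed samples.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the configuration shown above, as it would be saved to disk.
SAMPLE_CONFIG = """\
name = LunaSA
library = c:/Program Files/SafeNet/LunaClient/cryptoki.dll
slotListIndex=0
attributes( *,*,* ) = {
CKA_EXTRACTABLE = false
CKA_SENSITIVE = false
CKA_SIGN = true
}
"""

# Constructed sample: a fragment of the provider list in java.security.
SAMPLE_JAVA_SECURITY = """\
security.provider.12=SunPCSC
security.provider.13=SunPKCS11
"""

_ATTRIBUTES_OPEN = re.compile(r"^attributes\s*\(.*\)\s*=\s*\{$")


def parse_pkcs11_config(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (top-level settings, attributes block) as two dicts."""
    settings: Dict[str, str] = {}
    attributes: Dict[str, str] = {}
    in_attributes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if _ATTRIBUTES_OPEN.match(line):
            in_attributes = True
            continue
        if in_attributes and line == "}":
            in_attributes = False
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"cannot parse line: {raw!r}")
        (attributes if in_attributes else settings)[key.strip()] = value.strip()
    if in_attributes:
        raise ValueError("attributes block is not closed with }")
    return settings, attributes


def check_pkcs11_config(text: str) -> List[str]:
    """Return the problems found; an empty list means the file passes."""
    problems: List[str] = []
    settings, _ = parse_pkcs11_config(text)
    # name and library are the entries SunPKCS11 itself requires.
    for key in ("name", "library"):
        if key not in settings:
            problems.append(f"missing required entry: {key}")
    # The text's rule: backslashes are not accepted in the library path.
    if "\\" in settings.get("library", ""):
        problems.append("library path must use forward slashes (/)")
    return problems


def sunpkcs11_provider_index(java_security: str) -> Optional[int]:
    """Return N from a security.provider.N=SunPKCS11 line, or None if absent."""
    for line in java_security.splitlines():
        match = re.match(r"\s*security\.provider\.(\d+)\s*=\s*SunPKCS11(\s|$)", line)
        if match:
            return int(match.group(1))
    return None


if __name__ == "__main__":
    print(parse_pkcs11_config(SAMPLE_CONFIG))
    print(check_pkcs11_config(SAMPLE_CONFIG))
    print(check_pkcs11_config(SAMPLE_CONFIG.replace("c:/Program Files/", "c:\\Program Files\\")))
    print(sunpkcs11_provider_index(SAMPLE_JAVA_SECURITY))
```

Pointing check_pkcs11_config at the file named in Cfg File Path, and sunpkcs11_provider_index at the java.security file of the JRE that MyID uses, catches the backslash and missing-provider mistakes before the first key generation fails against the HSM.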

To support HSM usage with UniCERT, you must have configured 64-bit HSM usage; this includes copying the following files from the archive provided with your UniCERT installation:

Contact your vendor for information on the location of these files; for example, you may find them in the following folder in the .rpm package for UniCERT UPI:

Copy these DLLs into the Windows System32 folder on the MyID application server.

3.1.2 Certificate lifetime

If the expiry time for the certificate is later than the expiry date for the device, and the Restrict certificate lifetimes to the card option (on the Certificates page of the Operation Settings workflow within MyID) is set to Yes, the certificate lifetime is reduced to match the lifetime of the device.

MyID stores certificate lifetimes in days, while UniCERT may use other units; for example, years. MyID converts these units to the correct number of days, taking into account leap years, when displaying the lifetime of the certificate.
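The following is an added example, not code from MyID. It applies the two rules stated in this section: with Restrict certificate lifetimes to the card set to Yes, a certificate that would outlive the device is cut back to the device's expiry date, and a lifetime given in years is converted to a whole number of days by counting the actual calendar days from the issue date, so leap years are included. The text does not show how MyID performs that conversion internally, so the calendar method, the function names and the dates used are this example's assumptions.

```python
"""
Added example, not code from MyID: applies the two rules stated above.
With Restrict certificate lifetimes to the card set to Yes, a certificate
that would outlive the device is cut back to the device's expiry date, and a
lifetime given in years is converted to days by counting the calendar days
from the issue date, so leap years are included. The calendar method and the
sample dates are this example's assumptions.
"""
from datetime import date, timedelta


def lifetime_in_days(issued: date, amount: int, unit: str) -> int:
    """Convert a lifetime of `amount` days or years, starting at `issued`, into days."""
    unit = unit.lower().rstrip("s")
    if unit == "day":
        return amount
    if unit == "year":
        try:
            expiry = issued.replace(year=issued.year + amount)
        except ValueError:
            # Issued on 29 February and the target year is not a leap year.
            expiry = issued.replace(year=issued.year + amount, day=28)
        return (expiry - issued).days
    raise ValueError(f"unsupported lifetime unit: {unit!r}")


def effective_expiry(issued: date, cert_days: int, device_expiry: date,
                     restrict_to_card: bool) -> date:
    """Expiry actually applied to the certificate under the Restrict option."""
    cert_expiry = issued + timedelta(days=cert_days)
    if restrict_to_card and cert_expiry > device_expiry:
        return device_expiry
    return cert_expiry


if __name__ == "__main__":
    issued = date(2024, 1, 1)                     # constructed sample dates
    days = lifetime_in_days(issued, 2, "years")   # 731: 2024 is a leap year
    print(days, effective_expiry(issued, days, date(2025, 6, 30), True))
```

A two-year certificate issued on 1 January 2024 runs to 1 January 2026 (731 days, because 2024 is a leap year); if the device expires on 30 June 2025 and the Restrict option is Yes, 30 June 2025 is the date the certificate actually receives.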