3.1 Configuring the CA in the Certificate Authorities workflow
To configure the DigiCert ONE CA within MyID Desktop:
- From the Configuration category, select Certificate Authorities.
- Click New.
- From the CA Type drop-down list, select DigiCert ONE.
  The Edit a CA screen displays the required fields for a DigiCert ONE CA:
- Provide the following details:
  - CA Name – a name for the CA to identify it within MyID.
  - CA Description – a description of the CA.
  - Retry Delays – a semi-colon separated list of elapsed times, in seconds.
    For example, 5;10;20 means:
    - If the first attempt to retrieve details from the CA fails, a second attempt will be made after a 5 second delay.
    - If this second attempt fails, the CA will be contacted again after 10 seconds.
    - Subsequent attempts will be made to retrieve information every 20 seconds, until a response is received.
    If you want to limit the number of retry attempts, enter 0 as the last number in the sequence.
    The default is:
    15;60;60;60;60;120;180;360;3600;86400;0
    This retries after 15 seconds, then after a minute four times, then two minutes, three minutes, six minutes, an hour, 24 hours, then stops.
  - CA Path – this is the business unit ID. See section 2.5, Obtaining the CA path.
  - Enable CA – select this option to enable the CA, and deselect it to disable the CA.
  - Service Point – the URI of the hosted CA. See section 2.1, Setting up authentication.
- Select which method of connection you want to use:
  - Certificate – for an HSM-based certificate, or for a software-based certificate that has been installed to the MyID COM+ user's personal user store. You must have the .CER file for this certificate.
  - PFX – for a PFX file for a software-based certificate. You must have the password for this file.
  - API Key – for connections secured using an API key.
- If you are using a Certificate connection method, provide the following information:
  - Certificate Store – the path and filename of the .CER file on the MyID application server. The MyID COM+ user must have access to this location.
    For example:
    C:\certs\digicert.cer
- If you are using a PFX connection method, provide the following information:
  - PFX Certificate Store – the path and filename of the .PFX file on the MyID application server. The MyID COM+ user must have access to this location.
    For example:
    C:\certs\digicert.pfx
  - Password – the password for the PFX file.
  - Confirm Password – confirm the password for the PFX file.
- If you are using an API Key connection method, provide the following information:
  - API Key – the API key from the DigiCert ONE system.
- If you are using dual control for key recovery:
  - Select the Dual Control for Key Recovery option.
  - Type the location of the 2nd Service Point.
  - Set the 2nd Connection Type and provide its connection details.
  Note: For dual admin approval, you can use either API keys or certificate-based authentication; however, you must use either two different API keys, or two different RA certificates – do not mix the authentication types.
- Click Save.
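The Retry Delays semantics described in step 4 above, as an added Python example that is not part of the MyID product or this guide: it validates a Retry Delays string and yields the wait before each retry, repeating the last delay indefinitely unless the list ends in 0.

```python
from typing import Iterator, List


def parse_retry_delays(spec: str) -> List[int]:
    """Parse a semi-colon separated list of delays in seconds, e.g. "5;10;20".

    A trailing 0 means "stop after the last delay". 0 is only valid as the
    final entry; every other entry must be a positive integer.
    """
    parts = [p.strip() for p in spec.split(";") if p.strip()]
    if not parts:
        raise ValueError("Retry Delays must contain at least one delay")
    delays = [int(p) for p in parts]
    for i, d in enumerate(delays):
        if d < 0:
            raise ValueError(f"negative delay at position {i}: {d}")
        if d == 0 and i != len(delays) - 1:
            raise ValueError("0 is only meaningful as the last entry")
    return delays


def retry_schedule(spec: str) -> Iterator[int]:
    """Yield the delay in seconds to wait before each successive retry.

    Without a trailing 0 the last delay repeats forever (polling continues
    until the CA answers); with a trailing 0 the schedule ends after the
    last non-zero delay, so the number of retries is limited.
    """
    delays = parse_retry_delays(spec)
    limited = delays[-1] == 0
    body = delays[:-1] if limited else delays
    if not body:  # spec was just "0": never retry
        return
    yield from body
    if limited:
        return
    while True:
        yield body[-1]


def delays_for(spec: str, max_attempts: int) -> List[int]:
    """Return the first max_attempts retry delays of a schedule (for inspection)."""
    out: List[int] = []
    for d in retry_schedule(spec):
        if len(out) >= max_attempts:
            break
        out.append(d)
    return out


# The product default quoted in the guide: ten retries spanning just over a day, then stop.
DEFAULT_RETRY_DELAYS = "15;60;60;60;60;120;180;360;3600;86400;0"
```

With the guide's 5;10;20 example, delays_for("5;10;20", 6) gives [5, 10, 20, 20, 20, 20]; with the default string the schedule yields exactly ten delays totalling 90915 seconds and then stops.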
3.1.1 Enabling certificates on a CA
Although all certificate templates are detected when you add the CA to MyID, they are all initially disabled. To enable them:
- From the Configuration category, select Certificate Authorities.
- From the CA Name drop-down list, select the certificate authority you want to work with.
- Click Edit.
- Make sure Enable CA is selected.
- Select a certificate template you want to enable for issuance within MyID in the Available Certificates list.
- Click the Enabled (Allow Issuance) checkbox.
- Set the options for the policy:
  - Display Name – the name used to refer to the policy.
    If you have more than one KMS, you may not be able to distinguish between the same type of certificate on different KMS servers when selecting certificates in a card profile, as the display names are the same. To avoid this problem, change the Display Name of each certificate for one of your KMS servers.
  - Description – a description of the policy.
  - Allow Identity Mapping – used for additional identities. See the Additional identities section in the Administration Guide for details.
  - Reverse DN – select this option if the certificate requires the Distinguished Name to be reversed.
    Note: MyID does not recognize this option when using the Issue Card workflow to issue a card.
  - Archive Keys – select whether the keys should be archived.
    See the Key archiving section of the Administration Guide for details.
    If you have MyID SecureVault installed, you can select Secure Vault to archive the keys in the MyID SecureVault database. For more information, see the Integrating with MyID SecureVault section in the Administration Guide.
  - Certificate Lifetime – the life in days of the certificate. You can request a certificate from one day up to the maximum imposed by the CA. For example, type 365 to request one-year certificates.
  - Automatic Renewal – select this option if the certificate is automatically renewed when it expires.
  - Certificate Storage – select one of the following:
    - Hardware – the certificate can be issued to cards.
    - Software – the certificate can be issued as a soft certificate.
    - Both – the certificate can be issued either to a card or as a soft certificate.
  - Requires Validation – select this option if the certificate requires validation.
    Note: This option is available only if you select Software or Both for the Certificate Storage option.
  - Recovery Storage – select one of the following:
    - Hardware – the certificate can be recovered to cards.
    - Software – the certificate can be recovered as a soft certificate.
    - Both – the certificate can be recovered either to cards or to a soft certificate.
    - None – allows you to prevent a certificate from being issued as a historic certificate, even if the Archive Keys option is set. If the Certificate Storage option is set to Both, the certificate can be issued to multiple credentials as a shared live certificate, but cannot be recovered as a historic certificate.
  - Additional options for storage:
    If you select Software or Both for the Certificate Storage, or Software, Both, or None for the Recovery Storage, set the following options:
    - CSP Name – select the name of the cryptographic service provider for the certificate. This option affects software certificates issued or recovered to local store for Windows PCs.
      The CSP you select determines what type of certificate templates you can use. For example, if you want to use a 2048-bit key algorithm, you cannot select the Microsoft Base Cryptographic Provider; you must select the Microsoft Enhanced Cryptographic Provider. See your Microsoft documentation for details.
    - Requires Validation – select this option if the certificate requires validation.
    - Private Key Exportable – when a software certificate is issued to local store, create the private key as exportable. This allows the user to export the private key as a PFX at any point after issuance.
      It is recommended that private keys are set as non-exportable for maximum security.
      Note: This setting affects only private keys for software certificates – private keys for smart cards are never exportable.
    - User Protected – allows a user to set a password to protect the certificate when they issue or recover it to their local store.
      This means that whenever they want to make use of the soft certificate, they will be prompted for a password before they are allowed to use it. This is a CSP feature that is enabled when you set this option, and affects only software certificates that are issued or recovered to local store for Windows PCs.
  - Key Algorithm – select the type and length of the key-pairs used for certificate generation. A longer key length is more secure but certain manufacturers' CSPs do not support longer lengths. Select the appropriate key length from the list. This must match the key type and length set up in your CA.
    Note: MyID expects a certificate policy to have a single key algorithm and key size (for example, RSA 2048). Within the Certificate Authorities workflow, the Key Algorithm option for a certificate policy shows a single combination of algorithm and key size. You must ensure that this matches the settings for the certificate policy on the CA.
  - Key Purpose – select one of the following:
    - Signature – the key can be used for signing only.
    - Signature and Encryption – the key can be used for either signing or encryption.
      Note: The Key Purpose option has an effect only where the device being issued supports the feature. PIV cards do not support this feature, while smart cards issued with minidrivers and software certificates issued to local store for Windows PCs do support this feature.
- If you need to edit the policy attributes, click Edit Attributes.
- For each attribute, select one of the following options from the Type list:
  - Not Required – the attribute is not needed.
  - Dynamic – select a mapping from the Value list to match to this attribute.
  - Static – type a value in the Value box.
- Click Hide Attributes.
  Important: You must map the Seat ID as a dynamic mapping to the user's email address. See section 2.7, Configuring name value pairs for details.
  Note: MyID may not override the settings of the CA. You need to obtain the correct settings from the administrator of your CA.
- Click Save.
  Note: Changes made to certificate profiles do not take effect immediately, as the normal interval for MyID to poll for updates is 50 minutes. To force MyID to poll for changes immediately, you must manually restart the eKeyServer service, then restart the eCertificate service.
3.1.2 Editing CA options
If you need to change the connection details for the CA, you can reset the connection.
- From the Configuration category, select Certificate Authorities.
- From the CA Name drop-down list, select the certificate authority you want to work with.
- Click Edit.
- Click Reset Connection.
  The CA connection options appear, and you can edit them. See section 3.1, Configuring the CA in the Certificate Authorities workflow for details of the options.
- Click Save.
3.1.3 Deleting a CA
You can delete a CA from the list of available CAs if you no longer need to be able to work with it, or if you created it in error.
See the Deleting a CA section in the Administration Guide for details.