3.2 Configuring the CA in the Certificate Authorities workflow

Configure the Symantec CA using the Certificate Authorities workflow.

  1. Put the RA certificate on the MyID application server.

    Note: The MyID named COM+ user must have access to this file.

  2. From the Configuration category, select Certificate Authorities.
  3. Click New.
  4. From the CA Type drop-down list, select SymantecMPKI8.

  5. Type a CA Name and CA Description.
  6. Type the CA URL.

    This is the URL for the Symantec-hosted certificate authority.

    For MPKI 8 systems:

    https://pki-ws.symauth.com

  7. If you are using a KMS, type the KMS URL.

    This is the URL for your locally-hosted Key Management Server. For example:

    https://myserver.example.com:8443/escrow-recovery-service

    Important: This option is a mandatory field; you cannot leave it blank. If you are not using a KMS, type the following:

    n/a

    Note: The URL may depend on the version of MPKI you are using. Contact your CA provider for details. For example, versions before 1.19.0 used:

    https://myserver.example.com:8443/symantec-escrow-recovery-service

  8. If you are using a CER file (for example, for an HSM-based RA certificate, or for a software-based certificate that has been installed to the MyID COM+ user's personal user store):

    1. For the Connection Type, select the Certificate option.
    2. Type the location of the RA Cert.

      For example:

      C:\Symantec\RACert.cer

      Note: The file must not be read-only.

    3. Type and confirm the password for the certificate.

      Note: The password cannot contain a pipe | character.

  9. If you are using a PFX file for a software-based RA certificate:

    1. For the Connection Type, select the PFX option.
    2. Type the location of the RA Cert PFX.

      For example:

      C:\Symantec\RACert.pfx

      Note: The PFX file must not be read-only.

    3. Type and confirm the password for the certificate.
  10. If you are using dual control for key recovery:

    1. Select the Dual Control for Key Recovery option.

      Note: If you want to configure dual control for a CA you have already set up in MyID, contact Intercede customer support for help with reconfiguring your system, quoting reference SUP-23.

    2. Type the location of the 2nd RA Cert.

      For example:

      C:\Symantec\RACertTwo.pfx

      Or

      C:\Symantec\RACertTwo.cer

      Note: The PFX or CER file must not be read-only.

    3. If you are using a software-based certificate, type and confirm the password for the certificate.

      Note: The password cannot contain a pipe | character.

  11. Set the Retry Delays.

    This is a semi-colon separated list of elapsed times, in seconds.

    For example, 5;10;20 means:

    • If the first attempt to retrieve details from the CA fails, a second attempt will be made after a 5-second delay.

    • If this second attempt fails, the CA will be contacted again after 10 seconds.

    • Subsequent attempts will be made to retrieve information every 20 seconds, until a response is received.

    If you want to limit the number of retry attempts, enter 0 as the last number in the sequence.

    The default is:

    15;60;60;60;60;120;180;360;3600;86400;0

    This retries after 15 seconds, then after a minute four times, then two minutes, three minutes, six minutes, an hour, 24 hours, then stops.

  12. Make sure that the Enable CA checkbox is selected.
  13. Click Save.
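
The following script is an added example and is not part of MyID or of this guide. It is a hypothetical pre-flight check for the settings entered in steps 6 to 11: the KMS URL must not be blank (n/a when no KMS is used), the RA certificate file must exist and must not be read-only, the certificate password must not contain a pipe character, and the Retry Delays field must be a semicolon-separated list of seconds in which 0 appears only as the last entry. It also simulates the retry schedule so you can see when each attempt would be made for a given list. The names CaSettings, validate, retry_times and demo are the example's own; the https:// check on the CA URL is an extra check added here rather than a rule stated by the guide; and the placeholder certificate file the demo writes is constructed for the run and is not a real PKCS#12 file.

```python
import os
import stat
import tempfile
from dataclasses import dataclass, replace
from typing import List, Optional

# Default value quoted in the guide for the Retry Delays field.
DEFAULT_RETRY_DELAYS = "15;60;60;60;60;120;180;360;3600;86400;0"


@dataclass
class CaSettings:
    """The fields from the Certificate Authorities form that this helper checks (hypothetical)."""
    ca_url: str
    kms_url: str
    ra_cert_path: str
    ra_cert_password: str
    retry_delays: str = DEFAULT_RETRY_DELAYS


def parse_retry_delays(value: str) -> List[int]:
    """Parse the semicolon-separated list of delays (seconds).

    Raises ValueError if an entry is not a non-negative integer, or if a 0
    appears anywhere but last: 0 is only meaningful as the final entry,
    where it stops further retries.
    """
    parts = [p.strip() for p in value.split(";")]
    if any(not p.isdigit() for p in parts):
        raise ValueError(f"not a list of non-negative integers: {value!r}")
    delays = [int(p) for p in parts]
    if 0 in delays[:-1]:
        raise ValueError("0 may appear only as the last entry")
    return delays


def retry_delays_problem(value: str) -> Optional[str]:
    """Return a message describing what is wrong with the field, or None if it is valid."""
    try:
        parse_retry_delays(value)
    except ValueError as exc:
        return f"Retry Delays: {exc}"
    return None


def retry_times(delays: List[int], max_retries: int) -> List[int]:
    """Elapsed seconds (from the first failed attempt) at which each retry is made.

    The n-th retry waits delays[n-1]; beyond the end of the list the last
    value repeats. A 0 stops retrying, so the returned list is shorter than
    max_retries when the schedule gives up first.
    """
    times = []
    elapsed = 0
    for n in range(max_retries):
        delay = delays[n] if n < len(delays) else delays[-1]
        if delay == 0:
            break
        elapsed += delay
        times.append(elapsed)
    return times


def validate(settings: CaSettings) -> List[str]:
    """Apply the guide's stated constraints and return the violations found."""
    problems = []
    # Added transport check (not a MyID rule): the hosted CA endpoint is an https:// URL.
    if not settings.ca_url.lower().startswith("https://"):
        problems.append("CA URL is not an https:// URL")
    if not settings.kms_url.strip():
        problems.append("KMS URL is mandatory; enter n/a if you have no KMS")
    if "|" in settings.ra_cert_password:
        problems.append("certificate password must not contain a pipe | character")
    if not os.path.isfile(settings.ra_cert_path):
        problems.append(f"RA certificate file not found: {settings.ra_cert_path}")
    elif not (os.stat(settings.ra_cert_path).st_mode & stat.S_IWRITE):
        problems.append(f"RA certificate file is read-only: {settings.ra_cert_path}")
    msg = retry_delays_problem(settings.retry_delays)
    if msg:
        problems.append(msg)
    return problems


def demo() -> dict:
    """Run the checks twice against a constructed placeholder RA cert file:
    first with the file read-only and a bad password, then after fixing both."""
    with tempfile.TemporaryDirectory() as tmp:
        cert = os.path.join(tmp, "RACert.pfx")
        with open(cert, "wb") as fh:
            fh.write(b"placeholder bytes, not a real PKCS#12 file")  # constructed
        broken = CaSettings(
            ca_url="https://pki-ws.symauth.com",
            kms_url="n/a",
            ra_cert_path=cert,
            ra_cert_password="pa|ssword",  # contains the forbidden pipe
        )
        os.chmod(cert, stat.S_IREAD)  # make the file read-only
        before = validate(broken)
        os.chmod(cert, stat.S_IREAD | stat.S_IWRITE)
        after = validate(replace(broken, ra_cert_password="password"))
    return {"before": before, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value or "no problems")
    print(retry_times(parse_retry_delays(DEFAULT_RETRY_DELAYS), 100))
```

Running the script shows the two problems the demo deliberately introduces (the pipe in the password and the read-only file) and, for the default Retry Delays, the ten retry times ending at 90915 seconds (25 hours and change) before MyID stops, which matches the sequence described under step 11.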

You can now go back into the Certificate Authorities workflow and set up your certificate templates.

3.2.1 Enabling certificates on a CA

Note: Because of the way Symantec MPKI 8 handles certificate template names, the friendly name is not available in MyID. The certificate names provided are not guaranteed to be unique; however, MyID displays the unique OID as part of the name (for example: 2.16.840.1.113733.1.16.1.2.3.5.1.239836912), and you can use this to match up with the certificate templates on the Symantec server.

Although all certificate templates are detected when you add the CA to MyID, they are all initially disabled. To enable them:

  1. From the Configuration category, select Certificate Authorities.
  2. From the CA Name drop-down list, select the certificate authority you want to work with.

  3. Click Edit.

  4. Make sure Enable CA is selected.
  5. Select a certificate template you want to enable for issuance within MyID in the Available Certificates list.
  6. Click the Enabled (Allow Issuance) checkbox.
  7. Set the options for the policy:

    • Display Name – the name used to refer to the policy.

      If you have more than one KMS, you may not be able to distinguish between the same type of certificate on different KMS servers when selecting certificates in a card profile, as the display names are the same. To avoid this problem, change the Display Name of each certificate for one of your KMS servers.

    • Description – a description of the policy.

    • Allow Identity Mapping – used for additional identities. See the Additional identities section in the Administration Guide for details.

    • Reverse DN – select this option if the certificate requires the Distinguished Name to be reversed.

      Note: MyID does not recognize this option when using the Issue Card workflow to issue a card.

    • Archive Keys – select whether the keys should be archived.

      If you have MyID SecureVault installed, you can select Secure Vault to archive the keys in the MyID SecureVault database. For more information, see the Integrating with MyID SecureVault section in the Administration Guide.

    • Certificate Lifetime – the life in days of the certificate. You can request a certificate from one day up to the maximum imposed by the CA. For example, type 365 to request one-year certificates.

    • Automatic Renewal – select this option if the certificate is automatically renewed when it expires.

    • Certificate Storage – select one of the following:

      • Hardware – the certificate can be issued to cards.
      • Software – the certificate can be issued as a soft certificate.
      • Both – the certificate can be issued either to a card or as a soft certificate.
    • Requires Validation – select this option if the certificate requires validation.

      Note: This option is available only if you select Software or Both for the Certificate Storage option.

    • Recovery Storage – select one of the following:

      • Hardware – the certificate can be recovered to cards.
      • Software – the certificate can be recovered as a soft certificate.
      • Both – the certificate can be recovered either to cards or to a soft certificate.
      • None – allows you to prevent a certificate from being issued as a historic certificate, even if the Archive Keys option is set. If the Certificate Storage option is set to Both, the certificate can be issued to multiple credentials as a shared live certificate, but cannot be recovered as a historic certificate.
    • Additional options for storage:

      If you select Software or Both for the Certificate Storage, or Software, Both, or None for the Recovery Storage, set the following options:

      • CSP Name – select the name of the cryptographic service provider for the certificate. This option affects software certificates issued or recovered to local store for Windows PCs.

        The CSP you select determines what type of certificate templates you can use. For example, if you want to use a 2048-bit key algorithm, you cannot select the Microsoft Base Cryptographic Provider; you must select the Microsoft Enhanced Cryptographic Provider. See your Microsoft documentation for details.

      • Requires Validation – select this option if the certificate requires validation.
      • Private Key Exportable – when a software certificate is issued to local store, create the private key as exportable. This allows the user to export the private key as a PFX at any point after issuance.

        It is recommended that private keys are set as non-exportable for maximum security.

        Note: This setting affects only private keys for software certificates – private keys for smart cards are never exportable.

      • User Protected – allows a user to set a password to protect the certificate when they issue or recover it to their local store.

        This means that whenever they want to make use of the soft certificate, they will be prompted for a password before they are allowed to use it. This is a CSP feature that is enabled when you set this option, and affects only software certificates that are issued or recovered to local store for Windows PCs.

    • Key Algorithm – select the type and length of the key-pairs used for certificate generation. A longer key length is more secure but certain manufacturers' CSPs do not support longer lengths. Select the appropriate key length from the list. This must match the key type and length set up in your CA.

      Note: MyID expects a certificate policy to have a single key algorithm and key size (for example, RSA 2048). Within the Certificate Authorities workflow, the Key Algorithm option for a certificate policy shows a single combination of algorithm and key size. You must ensure that this matches the settings for the certificate policy on the CA.

    • Key Purpose – select one of the following:

      • Signature – the key can be used for signing only.
      • Signature and Encryption – the key can be used for either signing or encryption.

        Note: The Key Purpose option has an effect only where the device being issued supports the feature. PIV cards do not support this feature, while smart cards issued with minidrivers and software certificates issued to local store for Windows PCs do support this feature.

  8. If you need to edit the policy attributes, click Edit Attributes.

    1. For each attribute, select one of the following options from the Type list:

      • Not Required – the attribute is not needed.
      • Dynamic – select a mapping from the Value list to match to this attribute.
      • Static – type a value in the Value box.
    2. Click Hide Attributes.

    For information on mapping attributes for PIV systems, see section 3.4, Attribute mapping for PIV and PIV-I systems.

    Note: MyID may not override the settings of the CA. You need to obtain the correct settings from the administrator of your CA.

  9. Click Save.

Note: Changes made to certificate profiles do not take effect immediately, as the normal interval for MyID to poll for updates is 50 minutes. To force MyID to poll for changes immediately, you must manually restart the eKeyServer service, then restart the eCertificate service.

3.2.2 Editing CA options

If you need to change the connection details for the CA, you can reset the connection.

  1. From the Configuration category, select Certificate Authorities.
  2. From the CA Name drop-down list, select the certificate authority you want to work with.
  3. Click Edit.
  4. Click Reset Connection.

    The CA connection options appear, and you can edit them. See section 3.2, Configuring the CA in the Certificate Authorities workflow for details of the options.

  5. Click Save.

3.2.3 Deleting a CA

You can delete a CA from the list of available CAs if you no longer need to be able to work with it, or if you created it in error.

See the Deleting a CA section in the Administration Guide for details.