Renewing an Expired Entrust CA Certificate

This section briefly describes the renewal process for expired Entrust CA certificates, and it provides a procedure that renews (or reconfigures) existing Entrust CA certificates that have expired.

Note: This documentation only covers the process of renewing an expired Entrust Authority X.509/ESP certificate.

Refer to the Entrust Authority technical documentation for specific details about revoking certificates, issuing new certificates, or issuing new credentials for ActivID CMS. (In the context of ActivID, a credential is a collection of one or more credential elements that together provide some form of digitally provable identity. In the context of PIV, a credential refers to the completed PIV card itself.)

This documentation is not intended to be a replacement for the product-based technical documentation from Entrust Authority. For specific information related to updating or enabling an Entrust certificate that has expired or for using the Entrust Authority software, refer to the Entrust Authority Operator Guide or other documents in the Entrust Authority suite of technical documentation.

When an Entrust Authority certificate expires, or becomes disabled or invalid, the following actions must be taken:

For information on replacing the ActivID CMS server certificate on Windows platforms using Microsoft IIS servers, refer to Installing ActivID CMS for details and procedures.

  1. On the Operator Portal, click the Configuration tab.

  2. Click Repositories. The Repositories Management page appears.

  3. Select the existing Entrust CA that you intend to renew. The Certificate Authority Creation page appears.

  4. Provider—Select Entrust Authority (X509, ESP).

  5. Template—Select Entrust Authority X509.

  6. Click Submit. The Certificate Authority Creation page appears.

  7. Name—Enter the name that identifies the CA within ActivID CMS that you want to renew.

  8. Entrust configuration file—Enter the full name (including the full path) of the entrust.ini file on the ActivID CMS server.

  9. Entrust profile—Enter the full name (including the full path) of the Administrator .epf file on the ActivID CMS server. (If you are using an RA credential in the HSM, this is a .tkn file instead of an .epf file. A Registration Authority (RA) is an authority in a network that verifies user requests for a digital certificate and instructs the CA to issue it. An RA is part of a PKI, a networked system that enables companies and users to exchange information safely and securely.)

  10. Password—Enter the password associated with the .epf file. (If you are using an RA credential in the HSM, enter the HSM PIN which acts as the token password.)

  11. Entrust connection idle timeout (minutes)—The time after which an unused socket connection is closed. It must be below the time after which such an unused connection is forcibly closed by the Entrust server or intervening network equipment (usually half an hour). Recommended value: 10 minutes.

  12. Security Manager connections—Enter the maximum number of concurrent connections that the Credential Provider opens to the Entrust Authority Security Manager (the range is from 1 through 50, with the recommended value being 50).

    Note: The more connections you open to the Credential Provider, the faster ActivID CMS can issue additional cards concurrently.
  13. For HSM-based credentials, specify the Slot ID; otherwise, specify 0—Enter the ID number of the HSM slot used for the Entrust credential (only used if the Entrust profile configured is a .tkn file; i.e., if the RA credential is in the HSM).
    If the Entrust profile is configured as a .epf file (case of an RA credential not in an HSM), this value must be set to 0.

  14. User Type—The type of the users to create when issuing credentials. Usually “0” (interpreted as “people”).

  15. Default Security Manager key size—Select the default key size (in bits) for certificates in the Entrust Authority Security Manager.

    Note: The value you enter must match the default key size that is configured in the Entrust Authority Security Manager.
  16. Publish to LDAP Repository—Select Yes if you want to publish Entrust users to the LDAP (Lightweight Directory Access Protocol) repository.

  17. Process ChangeDN—Select Yes if you want to be able to use the "DN Change Tool" (see Using the DN Change Tool).

  18. Locate the possible state of the card for which you want to update the revocation reason. For details about the revocation reason code, refer to step 6 of Procedure 2: Updating a Connection to a CA.

    Note: To ensure that publishing to the LDAP repository functions properly, you have to update the usertype.templates of the Entrust CA so that the overrideCommonNameFormat in the [Person] section is commented out.
  19. Click Test to verify that you can connect to the CA.

  20. Click Create. A confirmation message appears.

  21. Click Done.

    In the Certificate Authorities panel of the Repositories Management page, you will see that the Entrust Authority X509 certificate is present.

  22. In the Action column next to the Entrust Authority X509 certificate, click Update to update the ActivID CMS server with this certificate.
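Several of the values entered in steps 8 through 13 constrain each other (a .tkn profile needs a non-zero slot ID and the HSM PIN as its password, an .epf profile needs slot 0, the idle timeout must stay below the server-side forced close, and connections run 1 through 50). The following helper is an added example, not ActivID CMS or Entrust code; the field names and the dataclass layout are assumptions, and the rules are the ones the steps above state.

```python
"""Pre-flight consistency check for the Entrust CA connection values.

Constructed example for this page; the field names are assumptions,
the rules come from the Certificate Authority Creation steps.
"""
from dataclasses import dataclass
from pathlib import PurePosixPath, PureWindowsPath

SERVER_IDLE_CLOSE_MINUTES = 30   # idle sockets are usually force-closed after half an hour


@dataclass
class EntrustCaConfig:
    ini_path: str              # Entrust configuration file (entrust.ini), full path
    profile_path: str          # Administrator .epf, or .tkn when the RA credential is in an HSM
    password: str              # .epf password, or the HSM PIN for a .tkn profile
    idle_timeout_minutes: int  # Entrust connection idle timeout
    sm_connections: int        # Security Manager connections (1..50)
    slot_id: int               # HSM slot ID; must be 0 for an .epf profile


def _as_path(p: str):
    # Accept either Windows or POSIX style paths, since the CMS server may be either.
    return PureWindowsPath(p) if "\\" in p or ":" in p[:2] else PurePosixPath(p)


def check_config(cfg: EntrustCaConfig) -> list:
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    # Steps 8 and 9 ask for the full path, not a bare file name.
    for label, p in (("entrust.ini", cfg.ini_path), ("profile", cfg.profile_path)):
        if not _as_path(p).is_absolute():
            problems.append(f"{label}: '{p}' is not a full path")
    suffix = _as_path(cfg.profile_path).suffix.lower()
    if suffix == ".tkn":
        # RA credential lives in the HSM: slot ID must identify the token slot.
        if cfg.slot_id == 0:
            problems.append("slot ID must identify the HSM slot when the profile is a .tkn file")
    elif suffix == ".epf":
        if cfg.slot_id != 0:
            problems.append("slot ID must be 0 when the profile is an .epf file (no HSM)")
    else:
        problems.append(f"profile: unexpected extension '{suffix}' (expected .epf or .tkn)")
    if not cfg.password:
        problems.append("password (or HSM PIN for a .tkn profile) is empty")
    if not 0 < cfg.idle_timeout_minutes < SERVER_IDLE_CLOSE_MINUTES:
        problems.append(f"idle timeout {cfg.idle_timeout_minutes} min is not below "
                        f"the {SERVER_IDLE_CLOSE_MINUTES} min server-side close")
    if not 1 <= cfg.sm_connections <= 50:
        problems.append(f"Security Manager connections {cfg.sm_connections} outside 1..50")
    return problems
```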