OpenTrust Configuration

This section describes how to configure ActivID CMS to issue certificates using OpenTrust Enterprise PKI.

Prerequisites: You must have the following information and credentials to use key escrow and key recovery with ActivID CMS and your OpenTrust Certificate Authority:
  • OpenTrust account information.

  • OpenTrust administration credentials.

  • OpenTrust policy file.

If escrow and key recovery are required, install the OpenTrust Managed PKI Key Management Service (Local hosting MPKI). For details, refer to the OpenTrust technical documentation.

In addition, you must make sure the following conditions are met:

  • Your OpenTrust account must be set to Single Control, not Dual Control. This is mandatory for key recovery to work: Dual Control requires two administrator certificates, so do NOT use it. The replacement workflow (issue an initial device, revoke the card’s certificates using the ActivID CMS Help Desk, submit a replacement card request with, for example, lost as the reason, and then issue a permanent replacement card) only works when the account is set to Single Control. If required, contact OpenTrust customer service.

  • Online Certificate Status Protocol (OCSP) must be enabled in your OpenTrust account. OCSP is used to obtain the revocation status of an X.509 digital certificate. In order to use the ActivID CMS Replacement Cards feature, you MUST enable the OCSP option in OpenTrust Managed PKI. Otherwise, the suspended certificates will appear as revoked in the CRL.

Sequence of Procedures

This section summarizes how to define the OpenTrust signing and encryption connectors. For more information, refer to the OpenTrust technical documentation. Perform the entire list of procedures for all OpenTrust Registration Authority (RA) credentials used for each OpenTrust account. (An RA is an authority in a network that verifies user requests for a digital certificate and instructs the CA to issue it. An RA is part of a PKI, a networked system that enables companies and users to exchange information safely and securely.)

  1. Generate private keys and Certificate Signing Requests (CSRs) for the RA certificates. You must do this whether or not you are using a Hardware Security Module (HSM). (An HSM securely stores secret key material. HSMs are similar to large-storage, multisession smart cards but, unlike smart cards, are used mainly on the server side of a system.)

  2. Submit the CSRs to OpenTrust using the appropriate URL—for a Pilot (testing purposes) or for Production.

  3. Copy the custom ActivID CMS Web page to the OpenTrust Key Management Service machine while you wait for the CSR to come back from OpenTrust.

  4. Import the certificate and then create a Transport Key. You must create a Transport Key before you create the CA connector in ActivID CMS. For specific steps, refer to Add or Import a Transport Key.

  5. Create the OpenTrust CA connector in ActivID CMS.

  6. (Optional) Synchronize filtering attributes.

  7. Create ActivID CMS Device Policies.

    The device policy is used to configure PKI instances for the purposes of signing or for encrypting and key recovery.

  8. Issue the initial permanent card. For details on this procedure, refer to Issuing an Initial Device to a User in Your Directory.

  9. Issue a replacement card to perform key recovery (this process is not described in this section). For specific details and procedural steps, refer to Issuing a Replacement Device.
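The following script is an added example for steps 1 and 4 of the sequence above; it is not part of the ActivID CMS or OpenTrust documentation. It generates an RA private key and CSR with OpenSSL (the software-key case; with an HSM the key stays in the module and only the CSR is produced from it), verifies the CSR's self-signature before submission, and, once a certificate comes back, checks that the certificate's public key really belongs to the private key on this machine before it is imported. The work directory, the subject DN and the RA names are assumptions. Because no OpenTrust CA is reachable offline, the "issued" certificate is a constructed self-signed stand-in made from the same key; in a real deployment the CA-issued certificate is checked instead.

```shell
#!/bin/sh
# Added example: RA key/CSR generation and a pre-import key-match check.
# Not the product's own tooling; directory and DN values are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: generate a 2048-bit RSA private key and a CSR for one RA certificate.
# The subject DN is a constructed example; use your organisation's values.
gen_ra_csr() {
    name="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/$name.key" 2>/dev/null
    chmod 600 "$WORKDIR/$name.key"          # private key: owner-readable only
    openssl req -new -key "$WORKDIR/$name.key" \
        -subj "/O=Example Corp/OU=ActivID CMS/CN=$name" \
        -out "$WORKDIR/$name.csr"
}

# Check the CSR's self-signature before submitting it to the CA.
verify_csr() {
    openssl req -in "$WORKDIR/$1.csr" -verify -noout >/dev/null 2>&1
}

# Step 4 pre-check: compare the public key inside a certificate with the
# public key derived from a private key. Returns 0 only when they match,
# so a certificate issued for a different key is never imported by mistake.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl md5)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl md5)
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed stand-in for the certificate OpenTrust returns: a self-signed
# certificate from the same key. Only for running this example offline.
fake_issued_cert() {
    openssl x509 -req -in "$WORKDIR/$1.csr" -signkey "$WORKDIR/$1.key" \
        -days 30 -out "$WORKDIR/$1.crt" 2>/dev/null
}

# Usage: one key/CSR per RA credential (signing and encryption connectors).
gen_ra_csr ra-signing
gen_ra_csr ra-encryption
verify_csr ra-signing && echo "ra-signing CSR OK: $WORKDIR/ra-signing.csr"
verify_csr ra-encryption && echo "ra-encryption CSR OK: $WORKDIR/ra-encryption.csr"
fake_issued_cert ra-signing
if cert_matches_key "$WORKDIR/ra-signing.crt" "$WORKDIR/ra-signing.key"; then
    echo "certificate matches ra-signing key; safe to import"
fi
```

Run the script once per RA credential set; the CSR files it writes are what you submit to the Pilot or Production URL in step 2, and `cert_matches_key` is the check to run on the returned certificate before step 4. Set `WORKDIR` to a protected directory rather than the default temporary one when the keys are meant to persist.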