Configuring the Application to Work with Symantec PKI Manager

This section describes how to configure ActivID CMS to work with Symantec certificates using a defined sequence of procedures.

Prerequisites: You must make sure that the following conditions are met:

  • You must have access to Symantec PKI Manager Portal version 8.x.

  • Symantec PKI client must be installed on the workstation that is used to access Symantec PKI Manager Portal.

  • You must know how to create a Java KeyStore and Trust Store to establish mutual SSL authentication with Symantec PKI Manager.

  • If you want to perform key escrow, you must request a SAAS account from Symantec.

For details, refer to the Symantec Managed PKI technical documentation.

Obtaining an RA Certificate to Store in a Java KeyStore File

You can store your RA A Registration Authority (RA) is an authority in a network that verifies user requests for a digital certificate and instructs the CA to issue it. An RA is part of a PKI, a networked system that enables companies and users to exchange information safely and securely. certificate in an HSM A Hardware Security Module (HSM) securely stores secret key material. They are similar to large-storage, multisession smart cards. However, unlike smart cards, they are used mainly on the server side of a system. or a software-based Java KeyStore.

To create and store the SSL credentials In the context of ActivID, a credential is a collection of one or more credential elements that together provide some form of digitally provable identity. In the context of PIV, a credential refers to the completed PIV card itself. in an HSM, you can use the HSM Credentials management feature in the ActivID CMS Configuration tab.

  1. Log on to the ActivID CMS Operator Portal with an ActivID CMS Administrator certificate.

    HSM Credentials section of Configuration tab displaying a Generate Key button in the New Key row, as well as a row for Existing Keys set to None

  2. Go to the Configuration tab, and then click HSM Credentials.

  3. Click Generate Key.

    HSM Credentials - Key Generation dialog box with fields to enter the Key Alias, Key Length and Certificate Subject, as well as a Generate button and a Cancel button at the bottom

  4. Enter the:

    • Key Alias

    • Key Length – Symantec requires the key size to be 2048-bit.

    • Certificate Subject Common Name (CN)

  5. Click Generate to generate the key.

    HSM Credentials - Key Generation dialog box displaying the certificate signing request, with a Done button at the bottom

  6. Click Done.

    In the credentials list, your new credentials appear with the Certificate Type as Self Signed.

    HSM Credentials section of Configuration tab displaying a Generate Key button in the New Key row, as well as a table displaying information for Existing Keys including available actions

  7. Click Get CSR to get the content of the Certificate Signing request.

    HSM Credentials - Get CSR dialog box displaying the Key Alias, Certificate Subject, Certificate Type and Certificate Signing Request (CSR), with a Done button at the bottom

  8. Copy the CSR to the machine that has access to the PKI Manager:

    1. Copy the contents of the CSR to your system clipboard.

    2. Access the PKI Manager and select Get RA certificate.

    3. Paste the contents of your clipboard into the Request field and click Submit.

    4. When prompted, download the RA-Certificate.p7b certificate file.

  9. Return to the HSM Credentials tab, and click Attach Certificate.

    HSM Credentials - Attach Certificate dialog box displaying the Key Alias, Certificate Subject, and the Certificate File field with a Browse button in step 1, as well as a Continue button and a Cancel button in step 2

  10. Click Browse to locate the RA-Certificate.p7b certificate file that you downloaded in the previous step.

  11. Click Continue.

    The file uploads and a success message appears.

    HSM Credentials - Attach Certificate dialog box displaying a success message, as well as a Done button at the bottom

  12. Click Done.

    HSM Credentials section of Configuration tab with a Generate Key button in the New Key row, and a table of information about Existing Keys displaying the Key Alias, Certificate Subject and Certificate Type

    In the credentials list, the RA certificate appears with the Certificate Type as Custom (instead of Self Signed).

    The subject DN of the certificate was customized by the Symantec CA.

  13. Restart the CMS Server service before using this new certificate.

You must use the Java keytool to generate the keys, and import them into your KeyStore. For details, refer to Symantec technical documentation.

To store your RA certificate in a software-based Java KeyStore:

  1. Generate a key pair as follows:

    Copy 
    keytool -genkey -alias pki_ra -keyalg RSA -keysize 2048 -sigalg
    SHA1withRSA -dname "CN=<common name>" -keypass <password>
    -keystore <keystore name> -storepass <password>

  2. Generate a CSR as follows:

    Copy 
    keytool -certreq -alias pki_ra -sigalg SHA1withRSA -file
    pki_raCSR.req -keypass <password> -keystore <keystore name>
    -storepass <password>

  3. Copy the pki_raCSR.req file to the machine that has access to the PKI Manager.

    • Open the pki_raCSR.req file in a text editor, and copy the contents of the file to your system clipboard.

    • Access PKI Manager, and select Get RA certificate from the Tasks icon at the bottom of the screen.

    • Paste the contents of your clipboard into the Request field and click Submit.

    • When prompted, download the cert.p7b certificate file.

  4. Copy the cert.p7b certificate file to a temporary directory on the machine where the key pair was generated.

  5. Import the certificate into your KeyStore by using the following command:

    Copy 
    keytool -import -alias pki_ra -file cert.p7b -noprompt -keypass
    <password> -keystore <keystore name> -storepass <password>

  6. The root and issuing CAs for the RA certificate are located in the Certificates folder in the Symantec PKI Web Services package which can be downloaded by clicking on the Symantec PKI Resources icon in the lower left corner of the PKI Manager.

    You should import these CAs as trusted root CAs into the KeyStore using the appropriate command. This guarantees that the RA certificate you install is trusted correctly.

    • For intermediate CAs:

    Copy 
    keytool -import -trustcacerts -alias pki_ca -file RAintermegiateCA.cer -keystore <keystore name> -storepass <password>

    • For root CAs:

    Copy 
    keytool -import -trustcacerts -alias root -file RAroot.cer -keystore <keystore name> -storepass <password>

  7. Save the certificates in the ActivID CMS directory (C:\Program Files\HID Global\Credential Management System\certificates).

Setting Up Symantec PKI Certificate Profiles

You must use Symantec PKI Manager to enable the PKI administrator to configure certificate profiles for different CAs.

To set up a Symantec PKI certificate profile:

  1. Go to the URL for the PKI Manager (for example: https://ptnr-pki-manager.bbtest.net/pki-manager/).

    Symantec PKI Manager listing available actions with Manage certificate profiles circled in red

  2. To create new Symantec certificate profile, click Manage certificates profiles.

    Symantec Manage certificate profiles dialog box displaying a choice between two options: Test mode and Production mode

  3. Click Test mode.

    After testing the profile and certificate, you can move to the Production mode.

  4. Select the required template. For more information, refer to the Symantec technical documentation.

    • If you want to use the certificate for authentication, verification, and signing purposes without key escrow, you can select the Client Authentication template.

    • If you want to use key escrow for encrypting the certificates, you can select the Secure Email template.

  5. Click Continue.

    Symantec Customize options dialog box displaying various template options with the Certificate friendly name field empty

  6. Make sure the Enrollment method is set to PKI Web Services for all your templates.

    Primary certificate options section of Symantec Customize options dialog box with the Enrollment method selected in the lefthand panel and PKI Web Services selected in the Enrollment method drop-down list in the righthand panel

  7. Click Advanced options to customize additional options if required.

    Additional certificate options section of Symantec Customize options dialog box displaying the options that can be customized

  8. If you want to use key escrow, then in the Key escrow field, select Symantec.

    Symantec Customize options dialog box displaying various template options with the Certificate friendly name field set to Encryption

  9. By default, the Common Name Standard term for some LDAP directories specified in the format, cn=<common name>. is set to the "First Name Last Name" value. If you want to customize the CN, you need to delete the Common Name field and add it again in the Subject DN fields:

    1. Click Advanced options.

    Symantec Advanced options dialog box displaying the Certificate fields with an Add field button next to Subject DN and a Hide options button at the top

    1. In the list of Certificate fields, remove the Common Name (CN) field at the top.

    2. Then click Add field.

    Symantec Advanced options dialog box displaying the Certificate fields in the lefthand panel, with the Add certificate field panel on the right displaying Common Name selected in the Certificate field drop-down list and Webservice Request being selected in the Source for the field's value drop-down list

    1. For the Certificate field, select Common Name (CN).

    2. For the Source for the field's value, select Webservice Request.

    Symantec Advanced options dialog box displaying the Certificate fields in the lefthand panel, with the Add certificate field panel on the right displaying Common Name selected in the Certificate field drop-down list, Webservice Request selected for the Source for the field's value drop-down list, and the option No selected in the Required section

    1. For Required?, keep No (the default option).

    Note: If you set Required to Yes but you do not provide a CN in the Device Policy, the issuance will fail.

  10. Click Save.

    Symantec Certificate profile information including the Certificate Profile OID which is highlighted

    The certificate profile is created.

  11. Make a note of the Certificate Profile OID.

    You will need the OID when creating ActivID CMS device policy associated with this particular certificate template.