Configuration for Issuing Certificates with OpenTrust
You can add the OpenTrust Credential Provider CA, and then create and configure the device profile.
- URL to connect to OpenTrust CA.
- Private certificate to connect to OpenTrust.
- Password of the certificate.
- OpenTrust SSL Truststore that is used to establish the secure connection with OpenTrust CA.
- Truststore password.
Configuring the Certificate Authority
This section describes how to configure the ActivID CMS Operator Portal for OpenTrust.
For detailed instructions on creating directories and CAs in the ActivID CMS, refer to Configuring Repositories and Procedures for Configuring Connections to Certificate Authorities.
- Log on to the ActivID CMS Operator Portal with an ActivID CMS Administrator certificate.
- Click the Configuration tab, and then click Repositories.
- Click Add Certificate Authority, and then from the drop-down list, select OpenTrust IdealX Certificate Server. For Template, accept Default.
- Click Submit.
- Enter a Name for the Certificate Authority.
- Enter the appropriate values for all the required fields.
- Click Test to verify the CA configuration.
- Click Create to apply your changes.
Creating the Device Policy
This section illustrates how to create a device policy that issues OpenTrust certificates to the user smart card. For more information about creating a device policy, refer to Creating a Device Policy.
To create a device policy, perform the following tasks:
- Log on to the ActivID CMS Operator Portal with an ActivID CMS Administrator certificate.
- Click the Configuration tab, and then click Policies.
- Depending upon the number of PKI applications to be used, add a new device policy.
- Click Next, and then add the corresponding PKI1 applications.
- Click the Configure button associated with the PKI to display the Device Policy - Set Application Information page.
- In the Friendly Name field, enter a valid, descriptive name for the certificate in use for the device policy.
- In the Provider drop-down menu, select OpenTrust PKI (IdealX) Authority.
- In the Certificate Authority drop-down menu, select a Certificate Authority host name.
- Depending on the Provisioning Method selected, the fields appear differently. Perform the appropriate tasks based on your selection.
  Note: Selecting the Recover Credential option is the equivalent of setting the former Recover Application option (available in previous ActivID CMS versions) to Yes.
  - Provisioning Method set to Create Credential
    - If you select Create Credential for the Provisioning Method, then for Template select either the encryption template (key escrow) or the authentication template (non-escrow), according to your requirement. The encryption template allows key escrow.
    - Click Submit.
    - Enter appropriate information in all the required fields.
    - Click Set.
  - Provisioning Method set to Recover Credential
    - If you select Recover Credential for the Provisioning Method, the Recovery Mode options become available. Select ActivID CMS Managed.
    - Under Recovery Settings, select Revoke for Replacement.
    - Click Submit.
- Click Save.
You can now assign and update the device policy for OpenTrust CA (see the following illustration). For detailed instructions, refer to Updating a Device Policy.