Configuration for Issuing Certificates with Entrust Authority

This section explains how to:

  • Configure Entrust Authority X.509/ESP Certificates

  • Open the Repositories Management Page

  • Add the Entrust CA

  • Initialize the HSM Using Entrust Authority

Enabling Entrust XML Administration Protocol (XAP)

If you are using Entrust Security Manager, you must first configure Entrust as described in this section.

To configure Entrust, perform the following tasks:

  1. To enable login through Entrust XAP protocol, in Entrust Security Manager Administration (SMA) console, add the verification OID 2.16.840.1.114027.10.4 in the Security Policy. For details on how to add the OID, refer to the Entrust SMA documentation.

    untitled

  2. Create a new officer in the security manager SM command console:

    Copy 
    officer create {cn=Third Officer,dc=<Your Company Name>,dc=com} (use the same DN branch as the first officer)
    Create profile (.epf) for the new officer in SMA. (Users->Find->Right-click on the officer->Create Profile)

  3. Update the Entrust credential provider configuration in ActivID CMS to reference the EPF file that you created after the modification of the OID for the field CFG_LOGIN_PROFILE. Use a security officer created after the modification of the OID mentioned in step 1.

Configuring Entrust Authority X.509/ESP Certificates

First, open the ActivID CMS Repositories Management page.

  1. On the Operator Portal, click the Configuration tab.

  2. Click Repositories. The Repositories Management page appears.

    For additional information about the Repositories Management page, refer to Configuring Repositories.

  3. Click Add Certificate Authority. The Certificate Authority Creation page appears.

  4. In the Provider drop-down menu, select Entrust Authority.

  5. Click Submit. The Certificate Authority Creation page appears.

  6. Name—Enter the configuration name identifier of the CA within ActivID CMS (in this example, it is Entrust Authority X509).

  7. Entrust configuration file—Enter the full name (including the path) of the entrust.ini file on the ActivID CMS server (in this example, it is C:\my_ent\entrust.ini).

  8. Entrust profile—Enter the full name (including the path) of the Administrator .epf file on the ActivID CMS server (in this example, it is C:\my_ent\First Officer.epf). If you are using a Registration Authority (RA) credential In the context of HID Global, a credential is a collection of one or more credential elements that together provide some form of digitally provable identity. In the context of PIV, a credential refers to the completed PIV card itself. in the HSM, it is a .tkn file rather than an .epf file.

  9. Password—Enter the password that protects the .epf file. If you are using an RA credential in the HSM, enter the HSM PIN (which acts as the token password).

  10. Entrust connection idle timeout (minutes)—Time after which an unused socket connection is closed. It must be below the time such an unused connection is forcibly closed by the Entrust server or an intervening network equipment (usually half an hour). Recommended value: 10 minutes).

  11. Security Manager connections—Enter the maximum number of concurrent connections that the Credential Provider will open to the Entrust Authority Security Manager (the number of connections range from 1 through 50, with 50 being the recommended value).

  12. For HSM-based credentials, specify the Slot ID; otherwise, specify 0 —Enter the ID number of the HSM slot used for the Entrust credential (only used if the Entrust profile configured is a .tkn file; i.e., if the RA credential is in the HSM).
    If the Entrust profile is configured as a .epf file (case of an RA credential not in an HSM), this value must be set to 0.

  13. User Type—The type of the users to create when issuing credentials. Usually “0” (interpreted as “people”).

  14. Default Security Manager key size—Select the default key size (in bits) for certificates in the Entrust Authority Security Manager (in this example, it is 2048 bits).

    Note: The value you enter must match the default key size that is configured in the Entrust Authority Security Manager. If you select a default key size of 3072, this requires a 3072-bit transport key (for details, see Procedures for Managing the Transport Key).

  15. Publish to LDAP Repository—Select Yes if you want to publish Entrust user to the LDAP Lightweight Directory Access Protocol repository.

  16. Process ChangeDN—Select Yes if you want to be able to use the "DN Change Tool" (see Using the DN Change Tool).

  17. Locate the possible state of the card for which you want to update the revocation reason. For details about the revocation reason code, refer to step 6 of Procedure 2: Updating a Connection to a CA.

    Note: To ensure that publishing to the LDAP repository functions properly, you have to update the usertype.templates of the Entrust CA so that the overrideCommonNameFormat in the [Person] section is commented out.

  18. Click Test to verify that the connection to the CA works.

  19. Click Create. A confirmation message appears.

  20. Click Done.

Initializing the HSM Using Entrust Authority

This section describes how to configure the RA A Registration Authority (RA) is an authority in a network that verifies user requests for a digital certificate and instructs the CA to issue it. An RA is part of a PKI, a networked system that enables companies and users to exchange information safely and securely. credential In the context of HID Global, a credential is a collection of one or more credential elements that together provide some form of digitally provable identity. In the context of PIV, a credential refers to the completed PIV card itself. in the HSM.

Prerequisites:  

  • Install the HSM on the ActivID CMS server.

  • Initialize the HSM with the ActivID Key Management System (KMS) and use in ActivID CMS.

  • Connect the HSM to the system where the ActivID CMS server resides.

  • If applicable, insert a token into the HSM.

  • Install Entrust Authority Security Manager on the ActivID CMS server and make sure that it is up and running.

Note: Since Entrust components now use 64-bit HSM drivers, in the case of upgrades with an Entrust platform, a reconfiguration needs to be done in the entrust.ini file in order to use the achsmf.dll file located in (%SystemDir%\system32).

If you intend to use the Entrust Authority to issue X.509/ESP certificates, you must configure the entrust.ini file to use the 64-bit HSM PKCS#11 library.

  1. To configure the entrust.ini file, use a text editor (such as Notepad) to change the [Entrust Settings] section in the entrust.ini file (as shown in the example below).

    Copy 
    [Entrust Settings]
    CryptokiV2LibraryNT= C:\Windows\System32\achsmf.dll

  2. Launch Entrust Authority Security Manager as a Security Officer (for example, as First Officer), and create another Entrust Security Officer.

  3. Right-click the Entrust Security Officer you just created, and then click Create Profile.

  4. From the Entrust Security Manager Administration Console, select Create credential in token.

  5. Enter the HSM PIN (this is the password of the token). The credential is downloaded to the HSM by the Entrust Security Manager Administration Console.

  6. Click Quit.

  7. Restart the Entrust Security Manager Administration Console, choosing the Token Profile (.tkn file) that is generated in the HSM.