Configuring the Application to Work with Symantec PKI Manager

This section describes how to configure ActivID CMS to work with Symantec certificates using a defined sequence of procedures.

Prerequisites: You must make sure that the following conditions are met:

  • You must have access to Symantec PKI Manager Portal version 8.x.

  • Symantec PKI client must be installed on the workstation that is used to access Symantec PKI Manager Portal.

  • You must know how to create a Java KeyStore and Trust Store to establish mutual SSL authentication with Symantec PKI Manager.

  • If you want to perform key escrow, you must request a SAAS account from Symantec.

For details, refer to the Symantec Managed PKI technical documentation.

Obtaining an RA Certificate to Store in a Java KeyStore File

You can store your RA A Registration Authority (RA) is an authority in a network that verifies user requests for a digital certificate and instructs the CA to issue it. An RA is part of a PKI, a networked system that enables companies and users to exchange information safely and securely. certificate in an HSM or a software-based Java KeyStore.

To create and store the SSL credentials In the context of HID Global, a credential is a collection of one or more credential elements that together provide some form of digitally provable identity. In the context of PIV, a credential refers to the completed PIV card itself. in an HSM, you can use the HSM Credentials management feature in the ActivID CMS Configuration tab.

  1. Log on to the ActivID CMS Operator Portal with an ActivID CMS Administrator certificate.

  2. Go to the Configuration tab, and then click HSM Credentials.

  3. Click Generate Key.

  4. Enter the:

    • Key Alias

    • Key Length – Symantec requires the key size to be 2048-bit.

    • Certificate Subject Common Name (CN)

  5. Click Generate to generate the key.

  6. Click Done.

    In the credentials list, your new credentials appear with the Certificate Type as Self Signed.

  7. Click Get CSR to get the content of the Certificate Signing request.

  8. Copy the CSR to the machine that has access to the PKI Manager:

    1. Copy the contents of the CSR to your system clipboard.

    2. Access the PKI Manager and select Get RA certificate.

    3. Paste the contents of your clipboard into the Request field and click Submit.

    4. When prompted, download the RA-Certificate.p7b certificate file.

  9. Return to the HSM Credentials tab, and click Attach Certificate.

  10. Click Browse to locate the RA-Certificate.p7b certificate file that you downloaded in the previous step.

  11. Click Continue.

    The file uploads and a success message appears.

  12. Click Done.

    In the credentials list, the RA certificate appears with the Certificate Type as Custom (instead of Self Signed).

    The subject DN of the certificate was customized by the Symantec CA.

  13. Restart the CMS Server service before using this new certificate.

You must use the Java keytool to generate the keys, and import them into your KeyStore. For details, refer to the Symantec Managed PKI technical documentation.

To store your RA certificate in a software-based Java KeyStore:

  1. Generate a key pair as follows:

    Copy 
    keytool -genkey -alias pki_ra -keyalg RSA -keysize 2048 -sigalg
    SHA1withRSA -dname "CN=<common name>" -keypass <password>
    -keystore <keystore name> -storepass <password>

  2. Generate a CSR as follows:

    Copy 
    keytool -certreq -alias pki_ra -sigalg SHA1withRSA -file
    pki_raCSR.req -keypass <password> -keystore <keystore name>
    -storepass <password>

  3. Copy the pki_raCSR.req file to the machine that has access to the PKI Manager.

    • Open the pki_raCSR.req file in a text editor, and copy the contents of the file to your system clipboard.

    • Access PKI Manager, and select Get RA certificate from the Tasks icon at the bottom of the screen.

    • Paste the contents of your clipboard into the Request field and click Submit.

    • When prompted, download the cert.p7b certificate file.

  4. Copy the cert.p7b certificate file to a temporary directory on the machine where the key pair was generated.

  5. Import the certificate into your KeyStore by using the following command:

    Copy 
    keytool -import -alias pki_ra -file cert.p7b -noprompt -keypass
    <password> -keystore <keystore name> -storepass <password>

  6. The root and issuing CAs for the RA certificate are located in the Certificates folder in the Symantec PKI Web Services package which can be downloaded by clicking on the Symantec PKI Resources icon in the lower left corner of the PKI Manager.

    You should import these CAs as trusted root CAs into the KeyStore using the appropriate command. This guarantees that the RA certificate you install is trusted correctly.

    • For intermediate CAs:

    Copy 
    keytool -import -trustcacerts -alias pki_ca -file RAintermegiateCA.cer -keystore <keystore name> -storepass <password>

    • For root CAs:

    Copy 
    keytool -import -trustcacerts -alias root -file RAroot.cer -keystore <keystore name> -storepass <password>

  7. Save the certificates in the ActivID CMS directory (C:\Program Files\HID Global\Credential Management System\certificates).

Setting Up Symantec PKI Certificate Profiles

You must use Symantec PKI Manager to enable the PKI administrator to configure certificate profiles for different CAs.

To set up a Symantec PKI certificate profile:

  1. Go to the URL for the PKI Manager (for example: https://ptnr-pki-manager.bbtest.net/pki-manager/).

  2. To create new Symantec certificate profile, click Manage certificates profiles.

  3. Click Test mode.

    After testing the profile and certificate, you can move to the Production mode.

  4. Select the required template. For more information, refer to the Symantec Managed PKI technical documentation.

    • If you want to use the certificate for authentication, verification, and signing purposes without key escrow, you can select the Client Authentication template.

    • If you want to use key escrow for encrypting the certificates, you can select the Secure Email template.

  5. Click Continue.

  6. Make sure the Enrollment method is set to PKI Web Services for all your templates.

  7. Click Advanced options to customize additional options if required.

  8. If you want to use key escrow, then in the Key escrow field, select Symantec.

  9. By default, the Common Name Standard term for some LDAP directories specified in the format, cn=<common name>. is set to the "First Name Last Name" value. If you want to customize the CN, you need to delete the Common Name field and add it again in the Subject DN fields:

    1. Click Advanced options.

    1. In the list of Certificate fields, remove the Common Name (CN) field at the top.

    2. Then click Add field.

    1. For the Certificate field, select Common Name (CN).

    2. For the Source for the field's value, select Webservice Request.

    1. For Required?, keep No (the default option).

    Note: If you set Required to Yes but you do not provide a CN in the Device Policy, the issuance will fail.

  10. Click Save.

    The certificate profile is created.

  11. Make a note of the Certificate Profile OID.

    You will need the OID when creating ActivID CMS device policy associated with this particular certificate template.