Entrust Managed Services PKI Administrator Guide

Entrust Managed Services PKI™
Administrator Guide
Document issue: 3.0
Date of issue: May 2009
Copyright © 2009 Entrust. All rights reserved.
Entrust is a trademark or a registered trademark of Entrust,
Inc. in certain countries. All Entrust product names and
logos are trademarks or registered trademarks of Entrust,
Inc. in certain countries. All other company and product
names and logos are trademarks or registered trademarks
of their respective owners in certain countries.
Obtaining technical support
For support assistance by telephone, call one of the
numbers below:
• 1-877-754-7878 in North America
• 1-613-270-3700 outside North America
You can also email Customer Support at:
[email protected]
This information is subject to change as Entrust reserves
the right to, without notice, make changes to its products
as progress in engineering or manufacturing methods or
circumstances may warrant.
Export and/or import of cryptographic products may be
restricted by various regulations in various countries.
Export and/or import permits may be required.
Each Managed Services PKI organization requires an administrator—also known as a
local registration authority (LRA)—whose duty it is to manage end-users and their
certificates. This document describes the processes that the LRA must follow to:
• complete the creation of an administrator certificate
• set up end-users so that they can create their certificates
Account creation, management, and end-user enrollment are performed through
Entrust Authority™ Administration Services, which is available over the Web.
Administration Services includes two web-based services: User Management and
User Registration.
Administrators use the User Management service to create, modify, deactivate or
reactivate accounts as well as perform other administrative functions.
End-users use the User Registration service to enroll for their certificates.
Alternatively, if your organization is using Entrust Entelligence™ Security Provider
(ESP) for Windows, end-users can install their certificates using ESP.
While users can use certificates without installing the ESP for Windows software, the
additional features and benefits it provides add significant value to your managed
certificates environment. To learn about the added functions and capabilities, see
Why you should use certificates with Entrust Entelligence™ Security Provider
available under the Resources tab at www.entrust.com/managed_services.
This guide includes the following sections:
• “Creating an administrator certificate” on page 4
• “Logging in to Administration Services” on page 9
• “Creating end-user accounts” on page 12
• “How end-users obtain a digital certificate” on page 17
• “Supported browsers and JRE” on page 18
Creating an administrator certificate
As an administrator, you need to enroll for an administrator certificate
(digital ID) using a Web-based application called Administration Services.
You can store your certificate on your desktop or on a smart card or token.
Before you start, ensure that you have a supported browser and Java
runtime environment. See “Supported browsers and JRE” on page 18 for
details.
Complete the following procedure to create an administrator certificate.
To create an administrator certificate
1 Access the Administration Services Web site using the URL provided
by Entrust Managed Services PKI.
The following page appears.
2 Click Create Entrust digital ID in the left-hand menu.
The Create Entrust Digital ID page appears.
3 Depending on where you want to store your certificate, complete
one of the following:
If you want to store your certificate in an Entrust desktop security
store on your computer, do this:
  1 Click Create Entrust Desktop Security Store.
  The Create Entrust desktop security store page appears.
  2 Click Browse.
  A dialog box appears.
  3 In the dialog box:
    a Navigate to a location to save your digital ID. For example, C:\.
    b In the File name field, enter a name for your digital ID and
    ensure it has the extension .epf. For example, Administrator.epf.
    c Click Open.
  The Entrust Desktop Security Store File Name field shows the path to
  your digital ID.
  4 Enter your administrator reference number and authorization code
  in the Reference Number field and Authorization Code field
  respectively. This information is available from your Entrust
  Managed Services PKI welcome package.
  5 Enter the password you want to use to protect your administrative
  profile in the Password field and enter it again in the Confirm
  Password field. Use this password to log in to Administration
  Services after you create your profile.
  Note: Ensure you follow the on-screen password rules. The red X
  beside each rule changes to a green check mark as you type in
  characters that meet the rules.
  6 Continue the procedure at the end of this table (Step 4 on page 8).
If you want to store your certificate within the Windows framework or
on a smart card or token, do this:
  1 Click Create Third-Party Security Store.
  The Create Third-Party Security Store page appears.
  2 Enter your administrator reference number and authorization code
  in the Reference Number field and Authorization Code field
  respectively. This information is provided to you by Entrust.
  3 Optionally, to store your certificate on a smart card or token,
  select Store Entrust digital ID on a smart card. Ensure your smart
  card or token is connected to your computer.
4 Click Create Security Store.
Note: If storing on a smart card or token, follow your vendor’s
prompts.
Administration Services creates the certificate. Once created, a
success message appears.
You have successfully created your certificate.
5 Click Home from the left menu to return to the login page.
Logging in to Administration Services
Once you create your administrator profile as outlined in “Creating an
administrator certificate” on page 4, you can use your certificate to log in
to Administration Services, a Web-based application.
From Administration Services, you can create, modify, deactivate or
reactivate accounts as well as perform other administrative functions.
Complete the following procedure to log in to Administration Services.
To log in to Administration Services
1 If you are not already on the login page, enter the Administration
Services URL provided by Entrust Managed Services PKI into a
browser.
The following page appears.
2 Depending on where you stored your certificate, do one of the
following:
If you stored your certificate in the Entrust desktop security store
on your computer, do this:
  1 Click Browse to navigate to the location where you stored your
  administrator digital ID (.epf file) and click Open.
  The file name and path appear in the Entrust Desktop Security Store
  File Name field. Select Remember Entrust Desktop Security Store File
  Name to retain the path.
  2 Enter the password you created for your digital ID in Step 5 on
  page 7 and click Log in.
If you stored your certificate within the Windows framework or on a
smart card or token, do this:
  1 Click the Log in with my Third-Party Security Store link.
  The Administrator Login - Third-Party Security Store page appears.
  Note: If logging in with a smart card or token, ensure it is
  connected to your computer.
  2 Click Display certificate list.
  The Select Certificate dialog box appears listing one or more
  digital certificates.
  3 Select your certificate from the list and click OK.
Upon successful login, the following page appears.
From this page, you can perform various administrative tasks. This guide
describes how to create a new user account for your end-users. You can
also reset a user’s account if a password or digital ID is lost, and you can
deactivate and reactivate accounts. For more information on these
additional procedures, use the online help incorporated in the specific task
page.
Creating end-user accounts
You must create an account for each end-user who needs a certificate.
When you create a new user account, Administration Services generates a
reference number and authorization code for that user. You must then
securely provide this number and code to the target user so they can enroll
for their certificate. The most secure approach is to send the reference
number and authorization code separately using different secure methods.
If you need to create accounts for multiple users all at once, it is most
convenient to create a bulk input file. For more information on creating
accounts in bulk, see “Creating user accounts in batch” on page 16.
This topic includes:
• “Creating a single end-user account” on page 12
• “Creating user accounts in batch” on page 16
Creating a single end-user account
Administration Services provides many different methods to enroll for a
certificate—administrators have the flexibility to insert themselves into the
process as much or as little as necessary. For more information on the
different types of enrollment methods, see the Entrust Authority
Administration Services Installation and Configuration Guide.
This guide describes one of those enrollment methods for creating a
single user account.
To create a new user account, complete the following procedure.
To create a single end-user account
1 Log in to Administration Services. For more information, see
“Logging in to Administration Services” on page 9.
2 Click Create Account under Account Tasks in the main pane or
under Tasks in the left-hand menu.
The initial Create Account page appears.
3 Leave the value for the User Type field as Person.
4 In the Certificate Type drop-down list, select Enterprise – Default.
These certificates are used for authentication, encryption, and
signing and can be stored in the Microsoft framework.
5 Click Submit.
A second Create Account page appears where you provide the
user’s name and other information.
6 From the User Information section:
  a Enter the end user’s first name and last name in the First Name
  and Last Name fields respectively.
  b Optionally, fill in the Serial Number, Email, and Comment fields.
7 Optionally, from the Notification Email section, enter an email
address if you want the user to receive account status notifications,
which include emails that:
  • indicate account registration
  • provide the reference number the user needs to enroll for their
  certificate. (You would still need to provide the user with the
  matching authorization code.)
If the email address is the same as the one entered in the User
Information section, select Same as above email address.
8 From the Group Membership section, select the member option. If
no groups are configured, only the default group appears.
9 From the Role section, select End User from the drop-down list.
10 From the Location section, click Select the searchbase and select
your company name from the drop-down list (an entry for your
company was created in the directory when you signed up for
Entrust Managed Services PKI). This specifies where to add the user
in the Administration Services LDAP directory.
11 Click Submit.
The Create Account – Complete page appears. You have
successfully created a user account.
This page lists the new user’s reference number and authorization code.
Record this information and store it in a secure manner. Securely provide
this information to the new user.
Creating user accounts in batch
If your administrator account role includes the “Create accounts in batch
from a file” permission, the Create Accounts from File option is available.
This option allows you to use an input file to submit multiple create
account operations in one simple procedure.
For more information on creating user accounts in batch, see the Entrust
Authority Administration Services Administration Guide.
How end-users obtain a digital certificate
Once you have created an end-user account as described in “Creating a
single end-user account” on page 12, and provided the end-user with:
• the activation codes (reference number and authorization code)
• the URL to the User Registration Service (not applicable if using
Entrust Entelligence Security Provider),
the end-user is now in a position to obtain their certificate.
Based on your organization’s deployment, end-users can use one of the
following guides for instructions on obtaining their certificate:
Note: Guides are located under the Resources tab of
www.entrust.com/managed_services.
• Getting an end-user Entrust certificate using Entrust Authority
Administration Services
End-users should use this guide if Entrust Entelligence Security
Provider is not installed on their desktops. This guide provides
instructions on how end-users can get their certificate through a
Web-based application called Administration Services.
• Getting an end-user Entrust certificate using Entrust Entelligence
Security Provider
End-users should use this guide if Entrust Entelligence Security
Provider is installed on their desktops.
Supported browsers and JRE
To access the Administration Services Web site, ensure that you are using
one of the following browsers (or a later version) on a Microsoft®
Windows® operating system: Microsoft® Internet Explorer 6.0, Mozilla®
Firefox 1.5, Mozilla® 1.7.2 and 1.7.10, and Netscape® Navigator 8.0.
Entrust Authority Administration Services uses Entrust TruePass®
technology to authenticate administrators. As a result, you must ensure
that one of the following Java runtime environments (JRE) is installed, and
that applicable browser settings are configured. With all supported Web
browsers, you must allow cookies and enable both Java and JavaScript.
You can download the Sun JRE from the following site:
http://www.java.com/download.
Browser: Microsoft Internet Explorer 6
Java Runtime Environment (JRE): Microsoft Java Virtual Machine (JVM),
Sun JRE 1.4.1+ and 1.5+
Settings:
  First-party cookies: Accept or Prompt
  Third-party cookies: Block
  Allow per-session cookies (not stored): Enable or Prompt
  Active scripting: Enable or Prompt
  Scripting of Java applets: Enable or Prompt

Browser: Microsoft Internet Explorer 7
Java Runtime Environment (JRE) and settings: See Microsoft Internet
Explorer 6

Browser: Mozilla Firefox 1.5
Java Runtime Environment (JRE): Sun JRE 1.4.1+ and 1.5+
Settings:
  Allow sites to set cookies: Enable
  Enable Java: Enable
  Enable JavaScript: Enable
  If pop-up blocker is enabled, allowed sites: Administration
  Services sites

Browser: Mozilla 1.7.2, 1.7.10
Java Runtime Environment (JRE): Sun JRE 1.4.2 and 1.5+
Settings: See Mozilla Firefox 1.5

Browser: Netscape Navigator 8.0
Java Runtime Environment (JRE): Sun JRE 1.4.2 and 1.5+
Settings:
  Enable cookies: Enable
  Enable Java: Enable
  Enable JavaScript: Enable