Entrust Managed Services PKI Administrator Guide




Document issue: 3.0
Date of issue: May 2009

Copyright 2009 Entrust. All rights reserved.

Entrust is a trademark or a registered trademark of Entrust, Inc. in certain countries. All Entrust product names and logos are trademarks or registered trademarks of Entrust, Inc. in certain countries. All other company and product names and logos are trademarks or registered trademarks of their respective owners in certain countries.

This information is subject to change as Entrust reserves the right to, without notice, make changes to its products as progress in engineering or manufacturing methods or circumstances may warrant.

Obtaining technical support

For support assistance by telephone, call one of the numbers below:

- 1-877-754-7878 in North America
- 1-613-270-3700 outside North America

You can also email Customer Support at: support@entrust.com

Export and/or import of cryptographic products may be restricted by various regulations in various countries. Export and/or import permits may be required.

Each Managed Services PKI organization requires an administrator, also known as a local registration authority (LRA), whose duty it is to manage end-users and their certificates. This document describes the processes that the LRA must follow to:

- complete the creation of an administrator certificate
- set up end-users so that they can create their certificates

Account creation, management, and end-user enrollment are performed through Entrust Authority Administration Services, which is available over the Web. Administration Services includes two web-based services: User Management and User Registration. Administrators use the User Management service to create, modify, deactivate or reactivate accounts as well as perform other administrative functions. End-users use the User Registration service to enroll for their certificates.

Alternatively, if your organization is using Entrust Entelligence Security Provider (ESP) for Windows, end-users can install their certificates using ESP. While users can use certificates without installing the ESP for Windows software, the additional features and benefits it provides add significant value to your managed certificates environment. To learn about the added functions and capabilities, see "Why you should use certificates with Entrust Entelligence Security Provider", available under the Resources tab at www.entrust.com/managed_services.

This guide includes the following sections:

- Creating an administrator certificate
- Logging in to Administration Services
- Creating end-user accounts
- How end-users obtain a digital certificate
- Supported browsers and JRE

Creating an administrator certificate

As an administrator, you need to enroll for an administrator certificate (digital ID) using a Web-based application called Administration Services. You can store your certificate on your desktop or on a smart card or token.

Before you start, ensure that you have a supported browser and Java runtime environment. See Supported browsers and JRE on page 18 for details.

Complete the following procedure to create an administrator certificate.

To create an administrator certificate

1. Access the Administration Services Web site using the URL provided by Entrust Managed Services PKI. The following page appears.
2. Click Create Entrust digital ID in the left-hand menu. The Create Entrust Digital ID page appears.
3. Depending on where you want to store your certificate, complete one of the following:

If you want to store your certificate in an Entrust desktop security store on your computer, do this:

   1. Click Create Entrust Desktop Security Store. The Create Entrust desktop security store page appears.
   2. Click Browse. A dialog box appears.
   3. In the dialog box:
      a. Navigate to a location to save your digital ID. For example, C:\.
      b. In the File name field, enter a name for your digital ID and ensure it has the extension .epf. For example, Administrator.epf.
      c. Click Open. The Entrust Desktop Security Store File Name field shows the path to your digital ID.
   4. Enter your administrator reference number and authorization code in the Reference Number field and Authorization Code field respectively. This information is available from your Entrust Managed Services PKI welcome package.
   5. Enter the password you want to use to protect your administrative profile in the Password field and enter it again in the Confirm Password field. Use this password to log in to Administration Services after you create your profile.
      Note: Ensure you follow the on-screen password rules. The red X beside each rule changes to a green check mark as you type in characters that meet the rules.
   6. Continue the procedure at the end of this table (Step 4 on page 8).

If you want to store your certificate within the Windows framework or on a smart card or token, do this:

   1. Click Create Third-Party Security Store. The Create Third-Party Security Store page appears.
   2. Enter your administrator reference number and authorization code in the Reference Number field and Authorization Code field respectively. This information is provided to you by Entrust.
   3. Optionally, to store your certificate on a smart card or token, select Store Entrust digital ID on a smart card. Ensure your smart card or token is connected to your computer.
      Note: If storing on a smart card or token, follow your vendor's prompts.

4. Click Create Security Store. Administration Services creates the certificate. Once created, a success message appears. You have successfully created your certificate.
5. Click Home from the left menu to return to the login page.

Logging in to Administration Services

Once you create your administrator profile as outlined in Creating an administrator certificate on page 4, you can use your certificate to log in to Administration Services, a Web-based application. From Administration Services, you can create, modify, deactivate or reactivate accounts as well as perform other administrative functions.

Complete the following procedure to log in to Administration Services.

To log in to Administration Services

1. If you are not already on the login page, enter the Administration Services URL provided by Entrust Managed Services PKI into a browser. The following page appears.
2. Depending on where you stored your certificate, do one of the following:

If you stored your certificate in the Entrust desktop security store on your computer, do this:

   1. Click Browse to navigate to the location where you stored your administrator digital ID (.epf file) and click Open. The file name and path appear in the Entrust Desktop Security Store File Name field. Select Remember Entrust Desktop Security Store File Name to retain the path.
   2. Enter the password you created for your digital ID in Step 5 on page 7 and click Log in.

If you stored your certificate within the Windows framework or on a smart card or token, do this:

   1. Click the Log in with my Third-Party Security Store link. The Administrator Login - Third-Party Security Store page appears.
      Note: If logging in with a smart card or token, ensure it is connected to your computer.
   2. Click Display certificate list. The Select Certificate dialog box appears listing one or more digital certificates.
   3. Select your certificate from the list and click OK.

Upon successful login, the following page appears.

From this page, you can perform various administrative tasks. This guide describes how to create a new user account for your end-users. You can also reset a user's account if a password or digital ID is lost, and you can deactivate and reactivate accounts. For more information on these additional procedures, use the online help incorporated in the specific task page.

Creating end-user accounts

You must create an account for each end-user who needs a certificate. When you create a new user account, Administration Services generates a reference number and authorization code for that user. You must then securely provide this number and code to the target user so they can enroll for their certificate. The most secure approach is to send the reference number and authorization code separately using different secure methods.

If you need to create accounts for multiple users all at once, it is most convenient to create a bulk input file. For more information on creating accounts in bulk, see Creating user accounts in batch on page 16.

This topic includes:

- Creating a single end-user account
- Creating user accounts in batch

Creating a single end-user account

Administration Services provides many different methods to enroll for a certificate; administrators have the flexibility to insert themselves into the process as much or as little as necessary. For more information on the different types of enrollment methods, see the Entrust Authority Administration Services Installation and Configuration Guide. This guide provides one of the enrollment methods for creating a single user account.

To create a new user account, complete the following procedure.

To create a single end-user account

1. Log in to Administration Services. For more information, see Logging in to Administration Services on page 9.
2. Click Create Account under Account Tasks in the main pane or under Tasks in the left-hand menu.

   The initial Create Account page appears.
3. Leave the value for the User Type field as Person.
4. In the Certificate Type drop-down list, select Enterprise Default. These certificates are used for authentication, encryption, and signing and can be stored in the Microsoft framework.
5. Click Submit. A second Create Account page appears where you provide the user's name and other information.


6. From the User Information section:
   a. Enter the end user's first name and last name in the First Name and Last Name fields respectively.
   b. Optionally, fill in the Serial Number, Email, and Comment fields.
7. Optionally, from the Notification Email section, enter an email address if you want the user to receive account status notifications, which include emails that:
   - indicate account registration
   - provide the reference number the user needs to enroll for their certificate. (You would still need to provide the user with the matching authentication code.)
   If the email address is the same as the one entered in the User Information section, select Same as above email address.
8. From the Group Membership section, select the member option. If no groups are configured, only the default group appears.
9. From the Role section, select End User from the drop-down list.
10. From the Location section, click Select the searchbase and select your company name from the drop-down list (an entry for your company was created in the directory when you signed up for Entrust Managed Services PKI). This specifies where to add the user in the Administration Services LDAP directory.
11. Click Submit.

    The Create Account Complete page appears. You have successfully created a user account.

This page lists the new user's reference number and authorization code. Record this information and store it in a secure manner. Securely provide this information to the new user.

Creating user accounts in batch

If your administrator account role includes the Create accounts in batch from a file permission, the Create Accounts from File option is available. This option allows you to use an input file to submit multiple create account operations in one simple procedure. For more information on creating user accounts in batch, see the Entrust Authority Administration Services Administration Guide.

How end-users obtain a digital certificate

Once you have created an end-user account as described in Creating a single end-user account on page 12, and provided the end-user with:

- the activation codes (reference number and authorization code)
- the URL to the User Registration Service (not applicable if using Entrust Entelligence Security Provider),

the end-user is now in the position to obtain their certificate.

Based on your organization's deployment, end-users can use one of the following guides for instructions on obtaining their certificate:

Note: Guides are located under the Resources tab of www.entrust.com/managed_services.

- Getting an end-user Entrust certificate using Entrust Authority Administration Services
  End-users should use this guide if Entrust Entelligence Security Provider is not installed on their desktops. This guide provides instructions on how end-users can get their certificate through a Web-based application called Administration Services.
- Getting an end-user Entrust certificate using Entrust Entelligence Security Provider
  End-users should use this guide if Entrust Entelligence Security Provider is installed on their desktops.

Supported browsers and JRE

To access the Administration Services Web site, ensure that you are using one of the following browsers (or a later version) on a Microsoft Windows operating system: Microsoft Internet Explorer 6.0, Mozilla Firefox 1.5, Mozilla 1.7.2 and 1.7.10, and Netscape Navigator 8.0.

Entrust Authority Administration Services uses Entrust TruePass technology to authenticate administrators. As a result, you must ensure that one of the following Java runtime environments (JRE) is installed, and that applicable browser settings are configured. With all supported Web browsers, you must allow cookies and enable both Java and JavaScript. You can download the Sun JRE from the following site: http://www.java.com/download.

Browser Microsoft Internet Explorer 6 Microsoft Internet Explorer 7 Mozilla Firefox 1.5 Java Runtime Environment (JRE) Microsoft Java Virtual Machine (JVM), Sun JRE 1.4.1+ and 1.5.+ Setting Name See Microsoft Internet Explorer 6 Sun JRE 1.4.1+ and 1.5.+ First-party cookies Allow per-session cookies (not stored) Active scripting Scripting of Java applets Third-party cookies Setting Allow sites to set cookies Enable Enable Java Enable Enable JavaScript Enable If pop-up blocker is enabled, allowed sites Mozilla 1.7.2, 1.7.10 Sun JRE 1.4.2 and 1.5+ See Mozilla Firefox 1.5 Accept or Prompt Enable or Prompt Enable or Prompt Enable or Prompt Block Administration Services sites Netscape Navigator 8.0 Sun JRE 1.4.2 and 1.5+ Enable cookies Enable Enable Java Enable Enable JavaScript Enable