Entrust Managed Services PKI
Managed Services PKI 60-day Trial Quick Start Guide
Document issue: 3.0
Date of issue: Nov 2011
Copyright 2011 Entrust. All rights reserved. Entrust is a trademark or a registered trademark of Entrust, Inc. in certain countries. All Entrust product names and logos are trademarks or registered trademarks of Entrust, Inc. in certain countries. All other company and product names and logos are trademarks or registered trademarks of their respective owners in certain countries. This information is subject to change as Entrust reserves the right to, without notice, make changes to its products as progress in engineering or manufacturing methods or circumstances may warrant.

Obtaining technical support
For support assistance by telephone, call one of the numbers below:
1-877-754-7878 in North America
1-613-270-3700 outside North America
You can also email Customer Support at: support@entrust.com

Export and/or import of cryptographic products may be restricted by various regulations in various countries. Export and/or import permits may be required.
1 Registering for the free 60-day trial of Entrust Managed Services PKI

If you have not already registered for a free trial of Entrust Managed Services PKI, it is easy to do.

To start your trial
1 In a browser, access the Entrust Managed Services PKI Web site: http://www.entrust.com/managed_services
  The Entrust Managed Services PKI page appears.
2 Click Free 60-day Trial.
  The Free 60-Day Trial: Evaluate Entrust Digital Certificates page appears.
3 Read the instructions so you have an idea of what is involved, and click the Sign Up Now! button.
  The initial registration page appears.
4 Enter your email address in the Email field. Your email address is required in order to provide you with the link to the free trial.
  Note: Ensure the email address you enter is correct so that you can receive the trial link.
5 Click Submit Form.
  An email is sent to the email address you provided.
6 Access your email account and open the email with the subject Entrust Managed Services PKI Registration from managed-pki-trial@entrust.com.
7 Click the Continue registration link in the email.
  The registration Web form appears.
8 On the registration page:
  a Enter or select values in the required fields and any optional fields.
  b Read the license agreement.
    Note: This trial limits the number of users an administrator can create, as stated in the license agreement.
  c Click Accept. If you click Decline, you cancel the trial.
  A dialog box appears while the system creates your account. Once complete, the Congratulations page appears. It includes the link to the Entrust Web application (which allows you to create your administrator certificate), and instructions to complete the task.
  Note: The Web application link and instructions on how to create your administrator certificate are also sent to your email address.
9 Continue to Getting your administrator certificate on page 12.
2 Getting an administrator certificate and creating end-user accounts

This chapter includes the following topics:
  Getting your administrator certificate on page 12
  Logging into Administration Services with your certificate on page 19
  Creating an end-user account on page 22
  Enrolling end-users on page 25
  Getting an end-user certificate on page 30
Getting your administrator certificate

To start experiencing the benefits and versatility of the Entrust Managed PKI service, you must first create an administrator digital ID (certificate). Once this is accomplished, you can create user accounts and begin issuing certificates. To create your administrator certificate, complete the following procedure.

To obtain your administrator certificate
1 Click the link to access the Entrust Web application, as described in Step c on page 9, to create your administrator certificate.
  The Entrust Authority Digital Identity Management Web application appears in a new browser window.
  Note: If your browser needs permission to run the Java plug-in, ensure you provide permission.
2 Click Create Security Store.
  A Security Warning dialog box may appear, which says that Windows cannot validate that the certificate is from the certification authority (CA) it claims to be. This is because the root certificate is not in your Windows trusted certificate store.
3 Click Yes so that Windows stores the root certificate in your Windows trusted certificate store.
  After a few moments, a message appears informing you that your certificate (Entrust digital ID) was created. The application redirects you to the Administration Services application.
4 Click the Click here to log in with a certificate link.
  A warning dialog box may appear informing you that the digital signature has been verified and asking whether you want to run the Entrust TruePass applet.
  Note: Firefox users may encounter problems as a result of browser plug-ins. To resolve this issue, try turning off Firefox plug-ins or use Internet Explorer.
5 Click Run.
  The Select Certificate dialog box appears, listing one or more certificates.
6 Select the certificate you created and click OK. It has the name you gave when you filled out the trial registration form.
  The Creating a new RSA signature key dialog box appears.
7 Click OK.
  The Importing a new private exchange key dialog box appears.
8 Click OK.
  In a few seconds, the main Administration Services page appears.

From this page, you can create and edit user accounts. For more information on creating end-user accounts, see Creating an end-user account on page 22.
Logging into Administration Services with your certificate

Once you have created your certificate as described in To obtain your administrator certificate on page 12, you can log into Administration Services to, among other things, create end-user accounts. To log into Administration Services with your certificate, complete the following procedure.

To log into Administration Services
1 In a browser, access Entrust Authority Administration Services: https://evaladminservices.managed.entrust.com/adminservices/
  The Administrator Login page appears.
2 Click the Click here to log in with a certificate link.
  The Select Certificate dialog box appears, listing one or more certificates.
3 Select the certificate you created and click OK. It has the name you gave when you filled out the trial registration form.
  In a few seconds, the main Administration Services page appears.

You successfully logged in to Administration Services.
Creating an end-user account

In order to issue certificates to end-users, you must first create an account for each user in Administration Services. Complete the following procedure to create an end-user account.

To create an end-user account
1 If you are not currently logged in to Administration Services, log in now. See To log into Administration Services on page 19 for more information.
2 From the main Administration Services page, click Create Account under Account Tasks in the main pane or under Tasks in the left-hand menu.
  The initial Create Account page appears.
3 Leave the value in the User Type drop-down list as Person.
4 Leave the value in the Certificate Type drop-down list as Enterprise Default. These certificates are used for authentication, signing, and encryption, and can be stored in the Microsoft Cryptography API (CAPI) store.
5 Click Submit.
  A second Create Account page appears where you provide the user's name and other information. An asterisk indicates a required field.
6 From the User Information section:
  a Enter the end-user's first name and last name in the First Name and Last Name fields respectively.
  b Optionally, enter the end-user's email address in the Email field.
7 Skip the Notification Email section, as it is not activated for the trial. In a typical deployment, you would enter an email address for the user to receive account status notifications, including emails that:
  - indicate account registration
  - provide the reference number the user needs to enroll for their certificate (you would still need to provide the user with the matching authorization code)
  If the email address is the same as the one entered in the User Information section, you would select the Same as above email address check box.
8 Skip the Group Membership section, as it does not apply to this trial. In a typical deployment, you can manage digital IDs for different user groups.
9 Skip the Role section. End User is the only option in this trial.
10 Skip the Location section for this trial. The searchbase entry is already supplied.
11 Click Submit.
  The Create Account Complete page appears. This page lists the reference number and authorization code for the new user account.
12 Securely record the user's reference number and authorization code.
13 To create additional end-user accounts, click Create Account from the Tasks menu in the left pane and repeat this procedure.
  Note: This trial limits the number of users an administrator can create, as stated in the license agreement.
14 Once you have created your end-user accounts, you must provide those end-users with the necessary account activation information so they can obtain their certificates. See Enrolling end-users on page 25 for more information.
Enrolling end-users

Administration Services provides many different methods to enroll for a certificate; administrators have the flexibility to insert themselves into the process as much or as little as necessary. For more information on the different types of enrollment methods, see End-user enrollment models on page 25.

For this evaluation, instructions are based on one of the enrollment models. In this model, you must:
1 Provide each end-user with the reference number and authorization code you received when you created an end-user account (see Creating an end-user account on page 22).
  Note: The reference number and authorization code must be transported or sent in a secured manner.
2 Provide each end-user with the User Registration Service URL so they can obtain their certificate: https://evaladminservices.managed.entrust.com/userregistration

You successfully enrolled your end-users. End-users can now obtain their certificate as documented in Getting an end-user certificate on page 30.

End-user enrollment models

The user registration instructions described under Enrolling end-users on page 25 reflect just one of the many user registration models available to your organization. The following table briefly describes other available models.
Note: Registration model Option 1 in Table 1 is the method described in Enrolling end-users on page 25.
Table 1: Registration models

Option 1: Single user enrollment
How it works:
  1 An administrator at your organization creates a one-time set of activation codes for a single user using the administration service.
  2 The administrator gives the activation codes to the user.
  3 The user enters the activation codes on a Web site.
  4 Certificates are downloaded to the user's computer.
Benefits:
  - No custom development: administration service + Web site are provided with the standard service.
  - Good for scenarios where you only need to enroll a single user, such as a new employee or partner.

Option 2: Username and password
How it works:
  1 An administrator at your organization bulk loads usernames and passwords using the administration service.
  2 An email is sent to each user with a link to a Web site + username.
  3 The user clicks the link, and enters the appropriate username/password on the Web site.
  4 Certificates are downloaded to the user's computer.
Benefits:
  - No custom development: bulk loading + Web site are provided with the standard service.
  - Flexible bulk loading: username/password combinations can be dumped from an existing system, or created from scratch.

Option 3: Email with embedded activation code
How it works:
  1 An administrator at your organization bulk loads your users' email addresses using the administration service.
  2 The administration service generates an email containing a link + embedded, one-time set of activation codes for each user.
  3 The email is sent to each user securely.
  4 The user clicks the link in the email and is taken to a Web site where the activation codes are checked.
  5 Certificates are downloaded to the user's computer.
Benefits:
  - No user input required: the user simply needs to click a link to download their certificates.
  - No custom development: bulk loading + Web interfaces + activation code functionality are all provided with the standard service.

Option 4: Self-registration + approvals
How it works:
  1 Each user self-registers on a Web page, selecting a password.
  2 An administrator at your organization approves the registration using the administration service.
  3 The administration service sends an email to the user.
  4 The user clicks the link in the email, which takes them to a Web page where they can enter their password and download their certificate.
Benefits:
  - No custom development: administration service + Web site are provided with the standard service.
  - No need to create a bulk loading file.
  - Approvals ensure security.
  - Easy for users: they can access the registration page without having to supply a username/password.

Option 5: Existing certificate + self-registration
How it works:
  1 Your users already have certificates issued by another certificate service.
  2 Each user goes to a Web site that uses the existing certificate to authenticate them (i.e. client SSL authentication) and then grants them access to a registration page.
  3 The user supplies personal information.
  4 A new certificate from Entrust is downloaded to the user's computer to take over from the older certificate.
Benefits:
  - No need to create a bulk loading file.
  - Leverages your existing investment in certificates to provide a more secure authentication approach.
  - Easy for users: they can access the registration Web page without having to supply a username/password.
Note: There is an additional charge for this option.

Option 6: Existing username/password + self-registration
How it works:
  1 You have an existing, in-house authentication system (Windows login, for example).
  2 Each user logs in to a registration Web page using a username/password from the existing authentication system.
  3 The user submits personal information.
  4 Certificates are downloaded to the user's computer.
Benefits:
  - No need to create a bulk loading file.
  - Leverages your existing investment in another authentication system.
  - Easy and familiar for users: they supply a username/password that they already know.
Note: There is an additional charge for this option.

Option 7: Custom registration page
How it works:
  1 A Web developer at your organization creates a Web-based registration application.
  2 The user logs in to this registration page using any authentication mechanism of your choosing.
  3 The user submits their personal information, which is sent to the administration service.
  4 The administration service redirects the user to a Web page (supplied by Entrust) where users click a button to download their certificates.
Benefits:
  - No need to create a bulk loading file.
  - Leverages your existing investment in another authentication system for up-to-date passwords.
  - Easy and familiar for users: they supply a username/password that they already know.
  - Custom development can be completed by your organization without the help of Entrust and with no additional fees.

Option 8: Auto-creation and auto-update
How it works:
  1 A thin client is installed on users' computers or unmanned machines.
  2 An administrator creates a one-time set of activation codes for each user or machine using the administration service.
  3 The user enters the activation codes into the thin client and certificates are downloaded to their computers.
  Note: When the client is installed on an unmanned machine, the client detects that certificates are missing and communicates with the administration service to automatically generate and download certificates.
Benefits:
  - Certificates are automatically updated: no need to go back to a Web site to pick up new certificates.
  - Complete automation available: perfect for unmanned machines.
  - No custom development.
  - Many client installation options, from near complete automation to clicking Next through an installer.
  - The client also simplifies deployment of Microsoft Encryption File System (EFS), adds file encryption, and includes a built-in OCSP client.
Note: There is an additional charge for this option.
Getting an end-user certificate

Each end-user must complete the following procedure to obtain a certificate.

To activate a certificate using the User Registration Service
1 In a browser, enter the User Registration Service URL: https://evaladminservices.managed.entrust.com/userregistration
  The Entrust Authority Registration and Self-Administration page appears.
2 Click Generate My Digital ID.
  The Generate Entrust Digital ID page appears.
3 Click Generate Third-Party Security Store.
  Attention: While a PKCS12 file is an option, it is not recommended for this evaluation. If required, please contact Entrust.
  A warning dialog box may appear informing you that the digital signature has been verified and asking whether you want to run the Entrust TruePass applet.
4 Click Run.
  The Generate Third-Party Security Store page appears.
5 Enter your reference number and authorization code in the applicable fields and click Generate Security Store.
  Note: If you do not have your number and code, contact your administrator.
  The Creating a new RSA signature key dialog box appears.
6 Click OK.
  The Importing a new private exchange key dialog box appears.
7 Click OK.
  After a few moments, your digital ID and related certificate are installed on your computer.
3 What you can do with your Entrust certificate

Digital certificate contents are stored in a standards-based format called X.509. As a result, the majority of devices and applications accept this format, thereby ensuring compatibility.
Note: All Entrust Managed Services PKI documentation is available under the Resources tab at www.entrust.com/managed_services.

Table 2: Task and related documentation

If you want to: sign and/or encrypt PDF documents (files and forms)
See this guide: Using Entrust certificates with Adobe PDF files and forms
Description: This guide documents how to configure Adobe to recognize and trust digital certificates, and how to digitally sign a PDF document.

If you want to: sign and/or encrypt Microsoft Office documents
See this guide: Using Entrust certificates with Microsoft Office and Windows
Description: This guide documents:
  - Signing and sending messages using Microsoft Word, Excel, and PowerPoint
  - Sending secure messages using Microsoft Outlook
  - Configuring Microsoft Outlook to use a single certificate
  - Removing message encryption in Microsoft Outlook

If you want to: sign and/or encrypt files on your Windows operating system
See this guide: Using Entrust certificates with Microsoft Office and Windows
Description: This guide documents how to secure Windows files and folders and send a secure message from a Windows folder.

If you want to: authenticate to a VPN for secure, remote access to your network
See this guide: Using Entrust certificates with VPN
Description: This guide includes information about IPsec and SSL VPN, security issues, and VPN authentication mechanisms. It also provides instructions on how to import your certificate into your VPN client and how to configure your router to trust certificates issued to VPN clients.
4 End of trial instructions

Once your trial ends, remove the CA root certificate from the Windows trusted root store for security purposes. You must complete this procedure in Internet Explorer.

To remove the CA root certificate using Internet Explorer
1 Open Internet Explorer.
2 From the toolbar, select Tools > Internet Options.
  The Internet Options dialog box appears.
3 Select the Content tab.
  The Content page appears.
4 Click Certificates.
  The Certificates dialog box appears.
5 Click the Trusted Root Certification Authorities tab.
  The Trusted Root Certification Authorities page appears.
6 Scroll down the list and select DComRootCA.
7 Click Remove.
  The Certificates dialog box appears.
8 Click Yes.
  The Root Certificate Store dialog box appears.
9 Click Yes.

You successfully removed the root CA from the trusted root store.
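The same clean-up as a script, added here as an example that is not from the Entrust guide: it assumes the trial root's subject CN is DComRootCA (the entry the guide tells you to select), and the expected thumbprint is a placeholder you fill in from the Certificates dialog so that only the intended certificate is removed.

```powershell
# Added example, not part of the Entrust guide: find the trial CA root
# (CN=DComRootCA) in the Windows trusted root stores, show it for
# confirmation, and remove it. Run with -WhatIf first to preview.
# Removing from the LocalMachine store needs an elevated session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SubjectName = 'DComRootCA',
    # Placeholder: replace with the thumbprint shown in the Certificates dialog.
    [string]$ExpectedThumbprint = 'PLACEHOLDER-THUMBPRINT-FROM-CERTIFICATES-DIALOG'
)

# The Internet Explorer procedure edits the current user's store; the
# machine-wide store is checked as well in case the root was installed there.
$stores = @('Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root')

foreach ($store in $stores) {
    # Match on the subject CN rather than the friendly name shown in the dialog.
    $found = Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like "*CN=$SubjectName*" }

    if (-not $found) {
        Write-Host "No certificate with CN=$SubjectName in $store"
        continue
    }

    foreach ($cert in $found) {
        Write-Host ('{0}: Subject={1} Thumbprint={2} NotAfter={3}' -f `
            $store, $cert.Subject, $cert.Thumbprint, $cert.NotAfter)

        # Once a real thumbprint replaces the placeholder, refuse to remove
        # any certificate whose thumbprint differs from it.
        if ($ExpectedThumbprint -notlike 'PLACEHOLDER*' -and
            $cert.Thumbprint -ne $ExpectedThumbprint) {
            Write-Warning "Thumbprint mismatch for $($cert.Subject); skipping."
            continue
        }

        $certPath = "$store\$($cert.Thumbprint)"
        if ($PSCmdlet.ShouldProcess($certPath, 'Remove trusted root certificate')) {
            Remove-Item -Path $certPath
            Write-Host "Removed $certPath"
        }
    }
}
```

Re-run the script afterwards: both stores should report no certificate with CN=DComRootCA.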