tutorial:adm:modules_crt [2019/04/26 04:30] kopro [Configuration] add information about revocation status |
tutorial:adm:modules_crt [2023/03/16 07:35] doischert [Configuration] |
Line 4: | Line 4: | ||
===== What do you need before you start ===== | ===== What do you need before you start ===== | ||
- | | + | |
+ | | ||
* You need to be logged in as **admin**. | * You need to be logged in as **admin**. | ||
- | * You need to enable **Certificate** module. | + | * You need to enable **Certificate** |
- | * You need to install the **[[tutorial: | + | * You need to install the **[[.: |
- | ===== How to create an authority ===== | + | ===== How to create an authority |
- | By clicking on the left menu on **Certificates** and then on **Authorities** is shown a table with certificate authorities. Click on **Add** button and a popup window is shown. | + | |
- | {{ : | + | |
- | Here you fill: | + | |
- | * **Code** - Label of certification authority | + | |
- | * **Driver** - We are using caw-driver. (There is only caw driver implemented for now.) | + | |
- | * **Path to the CAW distribution** and **Path to the certificate for that authority** - There is needed a path to CAW distribution and certificate for our new authority. | + | |
- | * **OU** - Fill organization unit, it is part of the certificate, | + | |
- | * **Enable approving by workflow process** - It is an option if generating of certificates has to be approved or not. | + | |
- | * **Approver roles** - Specified roles for approving generation of certificates. Users with these roles get tasks to be approved or not. | + | |
- | Then you click on **Save and continue** button | + | By clicking on the left menu on **Certificates** and then on **Authorities** is shown a table with certificate authorities. Click on **Add** |
- | {{ : | + | * **Code** |
- | {{ : | + | * **Driver** |
+ | * **Path to the CAW distribution** | ||
+ | * **OU** | ||
+ | * **Enable approving by workflow process** | ||
+ | * **Approver roles** | ||
+ | Then you click on **Save and continue** | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | ===== How to create an authority on Windows ===== | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | * **Path to Git Bash** | ||
+ | An example of how we can configure the authority can be seen bellow: {{ .: | ||
+ | |||
+ | Other than the extra field Path to Git Bash, the process is the same as on Linux. | ||
===== Generate certificate in GUI ===== | ===== Generate certificate in GUI ===== | ||
- | In the left menu click on **Profile** and then on **Certificates**. There are 2 tables, in **Certificates** table are all certificates owned by the user and in the other table, there are requests of these certificates. Click on **Request certificate**. | ||
- | {{ : | + | In the left menu click on **Profile** |
+ | |||
+ | {{ .: | ||
Fill information in a popup window: | Fill information in a popup window: | ||
- | * **Certificate authority** - There can be more certificate authorities, | ||
- | * **Certificate type** - For which purpose certificate will be issued. **Signing** - for example signing some documents, **Authentication** - to grant access to a resource, network, application, | ||
- | * **Generate certificate by** - It is a specification for whom certificate will be issued. Based on this information will be certificate generated. | ||
- | * **Password** - Downloaded private key will be encrypted with this password. Because this is just tutorial we put a weak password, you should use more powerful one. | ||
- | And click on **Submit a request** button. | + | * **Certificate authority** |
+ | * **Certificate type** | ||
+ | * **Generate certificate by** - It is a specification for whom certificate will be issued. Based on this information will be certificate generated. | ||
+ | * **Password** | ||
+ | And click on **Submit a request** | ||
- | {{ : | + | {{ .: |
- | Now we have the valid certificate and we could download the certificate. **Certificate** button downloads public key and **Key** button downloads encrypted public and private key. | + | Now we have the valid certificate and we could download the certificate. **Certificate** |
- | {{ : | + | {{ .: |
- | For admin, there is another one important section in left menu **Certificates** and again in **Certificates**. This table shows all certificates. | + | For admin, there is another one important section in left menu **Certificates** |
- | {{ : | + | <note tip>If the owner doesn' |
+ | |||
+ | You need to set permission: | ||
+ | |||
+ | * CrtCertificate - DOWNLOADKEY | ||
+ | * CrtAuthority - DOWNLOADKEY | ||
+ | |||
+ | You can use BaseEvaluator so the user can download all keys. Or if you use for example UUID evaluator for CrtAuthority, | ||
+ | |||
+ | {{ .: | ||
===== Generate certificate by CSR ===== | ===== Generate certificate by CSR ===== | ||
- | In the left menu click on **Profile** and then on **Certificates**. There are 2 tables, in **Certificates** table are all certificates owned by the user and in the other table, there are requests of certificates. Click on **Request certificate**. | ||
- | {{ : | + | In the left menu click on **Profile** |
+ | |||
+ | {{ .: | ||
Fill information in a popup window: | Fill information in a popup window: | ||
- | * **Certificate authority** - There can be more certificate authorities, | ||
- | * **Certificate type** - For which purpose certificate will be issued. **Signing** - for example signing some documents, **Authentication** - to grant access to a resource, network, application, | ||
- | * **Generate certificate by** - Fill option **Selected CSR file** and drag CSR file to the marked field right below. | ||
- | And then click on **Submit a request** button. | + | * **Certificate authority** |
+ | * **Certificate type** | ||
+ | * **Generate certificate by** - Fill option **Selected CSR file** | ||
+ | And then click on **Submit a request** | ||
- | {{ : | + | {{ .: |
Now we have two certificates and as you can see in the picture below, the private part of certificate generated with CSR file cannot be downloaded. It is because CzechIdM does not have a private part. Users have it with CSR file, so if you lose it you will probably have to generate a new certificate. | Now we have two certificates and as you can see in the picture below, the private part of certificate generated with CSR file cannot be downloaded. It is because CzechIdM does not have a private part. Users have it with CSR file, so if you lose it you will probably have to generate a new certificate. | ||
- | {{ : | + | {{ .: |
==== Upload certificate ==== | ==== Upload certificate ==== | ||
- | Certificate generated by third-party authority can be uploaded to CzechIdM (or synchronized from target system). In the left menu **Profile** and then in **Certificates** menu, you can upload certificate by clicking on an **Upload certificate** button. | ||
- | {{ : | + | Certificate generated by third-party authority can be uploaded to CzechIdM (or synchronized from target system). In the left menu **Profile** |
+ | |||
+ | {{ .: | ||
And then just drag certificate file to marked box in a popup window. | And then just drag certificate file to marked box in a popup window. | ||
If we want to allow a user to upload a certificate, | If we want to allow a user to upload a certificate, | ||
+ | |||
* Permission to read, create and download one's own identity certificates: | * Permission to read, create and download one's own identity certificates: | ||
===== Renew and revoke certificate ===== | ===== Renew and revoke certificate ===== | ||
+ | |||
**For users:** | **For users:** | ||
- | It is on the same page as generating a certificate. By clicking on **Profile** in the left menu and then on **Certificates**. And as you can see in the picture below, in column **Action** there are two buttons. Green one is for **renew** a certificate, | + | It is on the same page as generating a certificate. By clicking on **Profile** |
- | {{ : | + | {{ .: |
**For admin:** | **For admin:** | ||
- | There is agenda in left menu **Certificates** | + | There is agenda in left menu **Certificates** |
- | {{ : | + | {{ .: |
- | <note tip>When a certificate expires, it no longer can be renewed. But in **Settings** and in **Task scheduler** process can be created, which sends a notification with a warning, when certificates will expire in few days. Or you can find help in [[tutorial: | + | <note tip>When a certificate expires, it no longer can be renewed. But in **Settings** |
+ | |||
+ | <note tip>To allow using this agenda, users have to have this permissions: | ||
- | <note tip>To allow using this agenda, users have to have this permissions: | ||
* CrtRequest - Read, Create, Update | * CrtRequest - Read, Create, Update | ||
* CrtCertificate - Read, Create | * CrtCertificate - Read, Create | ||
- | * CrtAuthority - autocomplete | + | * CrtAuthority - autocomplete |
- | You can create new role, [[tutorial: | + | You can create new role, [[.: |
Congratulations, | Congratulations, | ||
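Review bot: the new tip added in this hunk ("You can use BaseEvaluator so the user can download all keys") recommends granting `CrtCertificate - DOWNLOADKEY` and `CrtAuthority - DOWNLOADKEY` through BaseEvaluator, which lets the holder download the private key of every certificate in the system, not only their own; since the same hunk already documents a scoped permission ("Permission to read, create and download one's own identity certificates"), the tip should present that scoped evaluator (or the UUID evaluator it mentions for CrtAuthority) as the default for ordinary users and reserve the BaseEvaluator variant for administrators, stating explicitly that it exposes all users' keys. While touching this block, the tutorial's own "we put a weak password, you should use more powerful one" would read better as a concrete recommendation that the key-download password follow the configured password policy.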
Line 103: | Line 126: | ||
For CRT exists two special permissions for validating and requesting certificate by CSR request: | For CRT exists two special permissions for validating and requesting certificate by CSR request: | ||
+ | |||
* Validate CRS request, | * Validate CRS request, | ||
* Upload CSR request. | * Upload CSR request. | ||
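Review bot: the unchanged context line "Validate CRS request" looks like a transposition of "CSR", which is what the heading, the next item and the "Generate certificate by CSR" section all use; since this hunk only inserts a blank line into the list, it is a good opportunity to correct the item to "Validate CSR request" so the two permission names match the feature they describe.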
Line 112: | Line 136: | ||
Configuration option that allow create password as another user. For example: admin requesting new certificate for user. | Configuration option that allow create password as another user. For example: admin requesting new certificate for user. | ||
< | < | ||
- | # If value is true admin can set new password, this password will be sent to user in notification. | + | |
+ | # If value is true admin can set new password, this password will be sent to user in notification. | ||
# If set to false admin will not able set password to request. The password for certificate will be generated by password policy. | # If set to false admin will not able set password to request. The password for certificate will be generated by password policy. | ||
idm.pub.crt.configuration.passCreate.enabled=true | idm.pub.crt.configuration.passCreate.enabled=true | ||
# | # | ||
- | # Default status for all identity certificates that will be revocated after identity will be disabled. | + | # Default status for all identity certificates that will be revocated after identity will be disabled. |
idm.sec.crt.configuration.identityDisabledRevocationReason=UNSPECIFIED | idm.sec.crt.configuration.identityDisabledRevocationReason=UNSPECIFIED | ||
# | # | ||
# Default status for all identity certificates that will be revocated after identity will be deleted. | # Default status for all identity certificates that will be revocated after identity will be deleted. | ||
idm.sec.crt.configuration.identityDeletedRevocationReason=UNSPECIFIED | idm.sec.crt.configuration.identityDeletedRevocationReason=UNSPECIFIED | ||
+ | |||
</ | </ | ||
+ | |||
+ | There is a processor which start provisioning for user when a new certificate is created for them. This processor is disabled by default and can be enabled, find the " | ||
==== Revocation status list ==== | ==== Revocation status list ==== | ||
+ | |||
* UNSPECIFIED | * UNSPECIFIED | ||
- | * KEY_COMPROMISE | + | * KEY\_COMPROMISE |
- | * CA_COMPROMISE | + | * CA\_COMPROMISE |
- | * AFFILIATION_CHANGED | + | * AFFILIATION\_CHANGED |
* SUPERSEDED | * SUPERSEDED | ||
- | * CESSATION_OF_OPERATION | + | * CESSATION\_OF\_OPERATION |
- | * CERTIFICATE_HOLD | + | * CERTIFICATE\_HOLD |
+ |
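Review bot: the new revision escapes the underscores in the revocation status list (`KEY\_COMPROMISE`, `CA\_COMPROMISE`, `AFFILIATION\_CHANGED`, `CESSATION\_OF\_OPERATION`, `CERTIFICATE\_HOLD`) while `UNSPECIFIED` and `SUPERSEDED` are left bare, yet the configuration block directly above expects the bare enum value (`idm.sec.crt.configuration.identityDisabledRevocationReason=UNSPECIFIED`); the backslashes will either render literally or be copied into the property and produce an invalid reason, so the values should be wrapped in the wiki's monospace markup instead of escaped. In the same hunk, the comment "Default status for all identity certificates that will be revocated" describes a `...RevocationReason` property; "Default revocation reason applied to all of the identity's certificates when the identity is disabled/deleted" would be accurate, and the `passCreate.enabled` comment should name the channel over which the key password is "sent to user in notification", since that channel now carries the secret protecting the downloaded private key.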