Differences
tutorial:adm:modules_crt [2018/02/08 11:10] stloukalp |
tutorial:adm:modules_crt [2024/05/09 08:01] (current) kratochvils [What do you need before you start] |
Line 1: | Line 1: | ||
+ | ====== Modules - Certificates: | ||
+ | |||
+ | Certificate authority (crt) module was designed to handle various certificate authority implementations via specific drivers. Currently, there is one driver implemented - the CAW driver that handles the communication with CAW certificate authority (bundled in the module). | ||
+ | |||
+ | ===== What do you need before you start ===== | ||
+ | |||
+ | * You need to install **CzechIdM 7.7.0** | ||
+ | * Modules imported via remote console through WinSCP (Windows) or SCP (Linux) into **/ | ||
+ | * idm-crt-api 3.x.x | ||
+ | * idm-crt-impl 3.x.x | ||
+ | * axis-1.x | ||
+ | * jaxrpc-api-1.x | ||
+ | * wsdl4j-1.6.x | ||
+ | * You need to be logged in as **admin**. | ||
+ | * You need to enable **Certificate** | ||
+ | * You need to install the **[[.: | ||
+ | |||
+ | |||
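Review bot: the prerequisite bullet naming the directory the modules are imported into is cut off after `**/`, so the reader cannot tell where the five libraries (idm-crt-api, idm-crt-impl, axis, jaxrpc-api, wsdl4j) belong; complete the path and replace `3.x.x` / `1.x` with the exact versions known to work with CzechIdM 7.7.0. Because these jars are copied in by hand over WinSCP or SCP, the list should also say where to obtain them and give a checksum or the project's download page, so an operator can verify what was placed on the server.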
+ | ===== How to create an authority on Linux ===== | ||
+ | |||
+ | By clicking on the left menu on **Certificates** | ||
+ | |||
+ | * **Code** | ||
+ | * **Driver** | ||
+ | * **Path to the CAW distribution** | ||
+ | * **OU** | ||
+ | * **Enable approving by workflow process** | ||
+ | * **Approver roles** | ||
+ | Then you click on **Save and continue** | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | ===== How to create an authority on Windows ===== | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | * **Path to Git Bash** | ||
+ | An example of how we can configure the authority can be seen bellow: {{ .: | ||
+ | |||
+ | Other than the extra field Path to Git Bash, the process is the same as on Linux. | ||
+ | |||
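Review bot: "can be seen bellow" should read "can be seen below". The `<note important>` for Windows is cut off right after the tag, so the warning it carried (presumably why Git Bash is required) is missing, and the bullets `**Code**` through `**Approver roles**` have no descriptions. The text should also state the default of `Enable approving by workflow process`, since that field decides whether a certificate request is issued directly or only after one of the `Approver roles` signs off.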
+ | ===== Generate certificate in GUI ===== | ||
+ | |||
+ | In the left menu click on **Profile** | ||
+ | |||
+ | {{ .: | ||
+ | |||
+ | Fill information in a popup window: | ||
+ | |||
+ | * **Certificate authority** | ||
+ | * **Certificate type** | ||
+ | * **Generate certificate by** - It is a specification for whom certificate will be issued. Based on this information will be certificate generated. | ||
+ | * **Password** | ||
+ | And click on **Submit a request** | ||
+ | |||
+ | {{ .: | ||
+ | |||
+ | Now we have the valid certificate and we could download the certificate. **Certificate** | ||
+ | |||
+ | {{ .: | ||
+ | |||
+ | For admin, there is another one important section in left menu **Certificates** | ||
+ | |||
+ | <note tip>If the owner doesn' | ||
+ | |||
+ | You need to set permission: | ||
+ | |||
+ | * CrtCertificate - DOWNLOADKEY | ||
+ | * CrtAuthority - DOWNLOADKEY | ||
+ | |||
+ | You can use BaseEvaluator so the user can download all keys. Or if you use for example UUID evaluator for CrtAuthority, | ||
+ | |||
+ | {{ .: | ||
+ | |||
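Review bot: the DOWNLOADKEY guidance needs a caveat: granting `CrtCertificate - DOWNLOADKEY` with BaseEvaluator, as the paragraph suggests, lets that user download the private key of every certificate CzechIdM stores, not only their own. Present the narrower option (the UUID evaluator on CrtAuthority that the paragraph mentions, or an evaluator limited to the identity's own certificates) as the recommended setting and BaseEvaluator as the exception for administrators. The `<note tip>` about an owner who cannot download is cut off after `doesn'`, and the `**Generate certificate by**` description should read "specifies for whom the certificate will be issued; the certificate is generated from this information".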
+ | ===== Generate certificate by CSR ===== | ||
+ | |||
+ | In the left menu click on **Profile** | ||
+ | |||
+ | {{ .: | ||
+ | |||
+ | Fill information in a popup window: | ||
+ | |||
+ | * **Certificate authority** | ||
+ | * **Certificate type** | ||
+ | * **Generate certificate by** - Fill option **Selected CSR file** | ||
+ | And then click on **Submit a request** | ||
+ | |||
+ | {{ .: | ||
+ | |||
+ | Now we have two certificates and as you can see in the picture below, the private part of certificate generated with CSR file cannot be downloaded. It is because CzechIdM does not have a private part. Users have it with CSR file, so if you lose it you will probably have to generate a new certificate. | ||
+ | |||
+ | {{ .: | ||
+ | |||
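Review bot: the paragraph on the CSR flow should state plainly that this is the option that keeps key custody with the user: CzechIdM receives only the CSR, so no DOWNLOADKEY grant can expose the private key, which is the flip side of "if you lose it you will probably have to generate a new certificate". The bullets `**Certificate authority**` and `**Certificate type**` end without their descriptions, and `**Selected CSR file**` is cut off before saying what file format is expected.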
+ | ==== Upload certificate ==== | ||
+ | |||
+ | Certificate generated by third-party authority can be uploaded to CzechIdM (or synchronized from target system). In the left menu **Profile** | ||
+ | |||
+ | {{ .: | ||
+ | |||
+ | And then just drag certificate file to marked box in a popup window. | ||
+ | |||
+ | If we want to allow a user to upload a certificate, | ||
+ | |||
+ | * Permission to read, create and download one's own identity certificates: | ||
+ | |||
+ | ===== Renew and revoke certificate ===== | ||
+ | |||
+ | **For users:** | ||
+ | |||
+ | It is on the same page as generating a certificate. By clicking on **Profile** | ||
+ | |||
+ | {{ .: | ||
+ | |||
+ | **For admin:** | ||
+ | |||
+ | There is agenda in left menu **Certificates** | ||
+ | |||
+ | {{ .: | ||
+ | |||
+ | <note tip>When a certificate expires, it no longer can be renewed. But in **Settings** | ||
+ | |||
+ | <note tip>To allow using this agenda, users have to have this permissions: | ||
+ | |||
+ | * CrtRequest - Read, Create, Update | ||
+ | * CrtCertificate - Read, Create | ||
+ | * CrtAuthority - autocomplete | ||
+ | |||
+ | You can create new role, [[.: | ||
+ | |||
+ | Congratulations, | ||
+ | |||
+ | ===== Permissions ===== | ||
+ | |||
+ | For CRT exists two special permissions for validating and requesting certificate by CSR request: | ||
+ | |||
+ | * Validate CRS request, | ||
+ | * Upload CSR request. | ||
+ | |||
+ | These permission must be set to user before they want upload or validate CSR request. Basic requesting via frontend form works with permission create/ | ||
+ | |||
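Review bot: "Validate CRS request" in the first bullet should be "Validate CSR request" (the second bullet and the paragraph use CSR). "These permission must be set to user before they want upload or validate CSR request" should read "These permissions must be granted to a user before they can upload or validate a CSR request". Since the two permissions are listed separately, the section should say whether the same user is meant to hold both; if validating a CSR is the review step before a certificate is issued, the documentation should recommend giving it to a different role than the one that uploads. The `<note tip>` on renewal is cut off after "But in **Settings**", and "users have to have this permissions" should be "users must have these permissions".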
+ | ===== Configuration ===== | ||
+ | |||
+ | Configuration option that allow create password as another user. For example: admin requesting new certificate for user. | ||
+ | < | ||
+ | |||
+ | # If value is true admin can set new password, this password will be sent to user in notification. | ||
+ | # If set to false admin will not able set password to request. The password for certificate will be generated by password policy. | ||
+ | idm.pub.crt.configuration.passCreate.enabled=true | ||
+ | # | ||
+ | # Default status for all identity certificates that will be revocated after identity will be disabled. | ||
+ | idm.sec.crt.configuration.identityDisabledRevocationReason=UNSPECIFIED | ||
+ | # | ||
+ | # Default status for all identity certificates that will be revocated after identity will be deleted. | ||
+ | idm.sec.crt.configuration.identityDeletedRevocationReason=UNSPECIFIED | ||
+ | |||
+ | </ | ||
+ | |||
+ | There is a processor which start provisioning for user when a new certificate is created for them. This processor is disabled by default and can be enabled, find the " | ||
+ | |||
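Review bot: the example sets `idm.pub.crt.configuration.passCreate.enabled=true`, and its own comment says the password the admin chooses is then sent to the user in a notification; show the default value, name the notification channel, and recommend `false` (password generated by the password policy) unless that channel is trusted, because this password protects the private key the user later downloads. In the comments, "will be revocated" should be "will be revoked", "after identity will be disabled/deleted" should be "after the identity is disabled/deleted", and "admin will not able set password to request" should be "admin will not be able to set a password on the request". The code block's opening and closing tags are truncated to `<` and `</`, and the processor sentence stops after `find the "`, so the processor's name is missing.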
+ | ==== Revocation status list ==== | ||
+ | |||
+ | * UNSPECIFIED | ||
+ | * KEY\_COMPROMISE | ||
+ | * CA\_COMPROMISE | ||
+ | * AFFILIATION\_CHANGED | ||
+ | * SUPERSEDED | ||
+ | * CESSATION\_OF\_OPERATION | ||
+ | * CERTIFICATE\_HOLD | ||
+ | |||
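Review bot: the list gives the allowed values but not what they mean, while both `identityDisabledRevocationReason` and `identityDeletedRevocationReason` above default to `UNSPECIFIED`; add one line per reason saying when it applies (for a disabled or deleted identity, AFFILIATION_CHANGED or CESSATION_OF_OPERATION describes the situation better than UNSPECIFIED, and KEY_COMPROMISE should be reserved for an actual key exposure), so that a relying party reading the CRL gets a meaningful reason. The backslash-escaped underscores (`KEY\_COMPROMISE` and the rest) are markup residue; the values should appear as `KEY_COMPROMISE`, matching the form used in the configuration keys.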