Certification Authority Server Installation Manual - Digital Signature [PDF]

Certification Authority Server Installation Manual

Introduction

A Certification Authority issues digital certificates which contain a public key and the identity of the owner. The certificates are issued in PFX (Personal inFormation eXchange) file format, protected by a password.

Certificates provide the foundation of a public key infrastructure (PKI). They are electronic credentials, issued by a certification authority (CA), that are associated with a public and private key pair.

Our Certification Authority Server works as an IIS application for most Windows webservers. That means it is not required to operate an extra CA machine.

Warning and Disclaimer

Every effort has been made to make this manual as complete and accurate as possible, but no warranty or fitness is implied. The information provided is on an "as is" basis. The author shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this manual.

Trademarks

.NET, Visual Studio .NET are trademarks of Microsoft Inc. Adobe, Adobe Reader are trademarks of Adobe Systems Inc. All other trademarks are the property of their respective owners.

Page 1 - Certification Authority Server Installation Manual (version 4.0) - http://www.signfiles.com/certification-authority/

Contents

CA Server - new features ..... 2
    Microsoft Store Root Certificate ..... 2
    Root Certificate Generator ..... 3
OCSP Validation Service ..... 4
    How OCSP Validation Service Works ..... 4
    Testing the OCSP ..... 5
    Validating PDF Signatures ..... 6
Prerequisites ..... 11
Installation ..... 12
CA Root Certificate ..... 14
    Issue the CA Root Certificate ..... 14
Issue Certificates ..... 15
    Issue User Certificates ..... 15
    Issue Certificates from CSR (Certificate Signing Request) ..... 16
    Revoke a Certificate ..... 17
    CRL Issuing ..... 18
Certification Authority Management ..... 19
    Certificate Management ..... 19
    Audit Trail ..... 20

CA Server

The CA Server is available for testing purposes at this link: http://ca.signfiles.com/ca/

The latest version of the CA Server includes the following features:
– Signing Certificates can be loaded from Microsoft Certificate Store.
– OCSP support
– Certificate templates for CSR certificates

Microsoft Store Root Certificate

If you want to use an HSM Root Certificate, it must appear on Microsoft Certificate Store – Personal tab. The CA Server can use an existing Root Certificate as the CA certificate (preferred method), or you can generate a new Root Certificate on your CSP.

The Root Certificate must be available for every CA operation. These operations are: issuing certificates, CRL issuing and signing the OCSP responses.


Root Certificate Generator

If your CSP does not offer a method to generate certificates directly on the CSP (preferred method), you can use Root Certificate Generator.

How to generate a Root Certificate using Root Certificate Generator:
- Start Root Certificate Generator.
- On the Smart Card Certificate Service Provider combobox, select your CSP.
- If your CSP does not appear on the list, the certificate cannot be generated.
- Fill the textboxes with your data (Organization, Email, etc.).
- Select the Root Certificate template.
- Optionally, set the key size, validity period, etc.
- Press Generate Certificate.
- Enter the CSP credentials (PIN PED, password, other mechanisms).
- Read the CSP manual to import the generated certificate on Microsoft Certificate Store – Personal tab (not Trusted Root Certification Authorities or Other People).


OCSP Validation Service

How OCSP Validation Service Works

The OCSP Certificate must be issued by the same Root Certificate as the User Certificate, as below.

              +------------------+
              | Root Certificate |
              +------------------+
                 /            \
    +------------------+  +------------------+
    | OCSP Certificate |  | User Certificate |
    +------------------+  +------------------+

- The client must include in the OCSP Request the serial number of the User Certificate that should be verified and the Root Certificate public key hash.
- The OCSP Request is sent to the OCSP Server URL. The OCSP URL is extracted from the User Certificate's Authority Info Access field, like below:

    [1]Authority Info Access
         Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
         Alternative Name:
              URL=http://ca.signfiles.com/OCSP.aspx

The OCSP Server (http://ca.signfiles.com/OCSP.aspx) performs the following steps:

• Verify the OCSP Certificate. If the OCSP Certificate is not OK, an error message is returned (as a POST byte[]) or the status OCSPRespGenerator.InternalError.
• Verify the CRL file. If the CRL file is invalid or unavailable, the status OCSPRespGenerator.InternalError is returned.
• Validate the OCSP Request structure. If the OCSP Request is not signed by the current Root CA, the status OCSPRespGenerator.Unauthorized is returned. (Observation: some OCSP clients could return the Unknown status, but the popular CAs like Verisign or Thawte return OCSPRespGenerator.Unauthorized.)
• The user certificate serial number is extracted from the OCSP Request and, if it is found on the CRL, the status Revoked is returned to the client.
• If the user certificate serial number does not appear on the CRL, the certificate is considered valid and the status Good is returned to the client.
• If an exception occurs during this process, the status OCSPRespGenerator.InternalError is returned. All errors above will appear on the Audit Trail.
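The check order above, together with the 7-day CRL validity described under CRL Issuing, as an added worked example (a pure-Python model written for this manual, not the CA Server's own code). The key hashes, serial numbers and dates are constructed; the status values mirror the OCSPRespGenerator constants the manual names.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Response status values of BouncyCastle's OCSPRespGenerator, which the manual names.
SUCCESSFUL, INTERNAL_ERROR, UNAUTHORIZED = 0, 2, 6
GOOD, REVOKED = "Good", "Revoked"  # per-certificate status inside a Successful response

@dataclass
class Crl:  # constructed stand-in for the CRL file the responder reads
    issuer_key_hash: str  # hash of the Root Certificate public key that signed it
    this_update: datetime
    next_update: datetime  # the manual: a CRL is valid for 7 days
    revoked_serials: set = field(default_factory=set)

@dataclass
class OcspRequest:  # the two values the manual says the client must send
    serial: int
    issuer_key_hash: str

def respond(req, root_key_hash, ocsp_cert_ok, crl, now, audit):
    """Return (response_status, cert_status) in the manual's check order; failures go to `audit`."""
    try:
        # 1. The responder's own OCSP Certificate must verify.
        if not ocsp_cert_ok:
            audit.append("OCSP Certificate invalid")
            return INTERNAL_ERROR, None
        # 2. The CRL must exist, be signed by the Root and still be inside its validity window.
        if (crl is None or crl.issuer_key_hash != root_key_hash
                or not (crl.this_update <= now < crl.next_update)):
            audit.append("CRL unavailable, foreign or expired")
            return INTERNAL_ERROR, None
        # 3. The request must belong to the current Root CA (modelled by its issuer key hash).
        if req.issuer_key_hash != root_key_hash:
            audit.append(f"request for unknown issuer {req.issuer_key_hash}")
            return UNAUTHORIZED, None
        # 4. The serial number lookup against the CRL decides Good or Revoked.
        return SUCCESSFUL, REVOKED if req.serial in crl.revoked_serials else GOOD
    except Exception as exc:  # 5. anything unexpected becomes InternalError
        audit.append(f"exception: {exc!r}")
        return INTERNAL_ERROR, None

def demo():
    """Constructed scenario: a 7-day CRL with one revoked serial, queried on day 3 and day 8."""
    root = "ab12"  # constructed key hash, not a real value
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)
    crl = Crl(root, issued, issued + timedelta(days=7), {0x1001})
    audit, day3, day8 = [], issued + timedelta(days=3), issued + timedelta(days=8)
    return {
        "good": respond(OcspRequest(0x1002, root), root, True, crl, day3, audit),
        "revoked": respond(OcspRequest(0x1001, root), root, True, crl, day3, audit),
        "foreign": respond(OcspRequest(0x1002, "ff00"), root, True, crl, day3, audit),
        # day 8: nobody called EmitCRL within 6 days, so every answer degrades to InternalError
        "stale": respond(OcspRequest(0x1002, root), root, True, crl, day8, audit),
    }, audit
```

The "stale" case shows why the manual insists on reissuing the CRL every 6 days: once the CRL passes its next-update time, the responder answers InternalError for every certificate, not just revoked ones.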



Testing the OCSP

The OCSP service can be tested as below. After the Root Certificate is installed on Microsoft Certificate Store – Trusted Root Certification Authorities, you can use PDF Signer to create a digital signature that will contain the revocation information obtained from the OCSP CA Responder. The Root Certificate can be downloaded from here: http://ca.signfiles.com/caOCSP/RootCertificate.cer

To create a PDF digital signature, you must also obtain a signing certificate from the CA Server (http://ca.signfiles.com/caOCSP/IssueUserCertificate.aspx). The OCSP response can be embedded in the PDF signature only if the Root Certificate that issued the User Certificate exists on Microsoft Certificate Store – Trusted Root Certification Authorities. Also, the OCSP Certificate must be issued by the same Root Certificate as the User Certificate, as below.

              +------------------+
              | Root Certificate |
              +------------------+
                 /            \
    +------------------+  +------------------+
    | OCSP Certificate |  | User Certificate |
    +------------------+  +------------------+

The OCSP validation service can also be verified with certutil: run certutil -url <user certificate .cer file> (placeholder for the path of your signing certificate) and select the "OCSP (from AIA)" option.


Validating PDF Signatures

By default, the signatures generated by PDF Signer are not considered trusted by Adobe Reader because the Root Certificate used to issue the Signing Certificate is not included on the Adobe Trusted List. More details about Adobe signature validation are available at this link. The OCSP response status cannot be shown in Adobe Reader if the signature is not trusted, so you must validate the signature first: click the Add to Trusted Identities button, select all checkboxes, click OK and re-validate the signature.


After the certificate is considered trusted by Adobe, the signature is valid.


The OCSP Response will look like below (see the screenshot in the original manual). This means the OCSP Server is working.


If the digital signature is made using a revoked certificate, the PDF document will look like below:


A revoked digital certificate appears on the CRL:


Prerequisites

CA Server requires the following:
– Windows operating system with IIS
– Microsoft .NET Framework 2.0
– ASP.NET enabled on your IIS

To enable ASP.NET on your IIS webserver, go to Control Panel – Programs and Features – Turn Windows features on or off, and under the Internet Information Services features select ASP.NET as on the image below.

Enable ASP.NET on IIS


Installation

Download CA Server and unzip the content on your IIS webserver (e.g. C:\CAServer).

CA Server folder content

Next, CA Server must be added as an application on the IIS webserver. Go to the Computer icon – right click – Manage – Computer Management – Services and Applications – Internet Information Services (IIS) Manager.

IIS Management


On your website, CA Server must be added as a new Application. Right click on your IIS website (Default Web Site) – Add Application... and set the application alias and the physical path as below.

Attention: CA Server requires Read, Write and Execute permissions to be enabled for the physical path. The IIS user must have these rights for the specified physical path.

At this moment, CA Server should be installed. To check the installation, go to: http://localhost/ca/


CA Root Certificate

Issue the CA Root Certificate

CA Server needs a special digital certificate (CA certificate) in order to digitally sign other certificates. The CA certificate is a special type of certificate and must be created as below:
– Use RSA 2048
– Expiration date: at least 5 years

The CA Root Certificate can be issued by the CA Server at this link: http://localhost/ca/IssueRootCertificate.aspx

Issuing the CA Root Certificate


Issue Certificates

Issue User Certificates

To issue User certificates, follow this link: http://localhost/ca/IssueUserCertificate.aspx

The certificates are issued in PFX format and can be installed in Microsoft Certificate Store or used in your applications. The certificates are signed by the CA Root Certificate.


Issue Certificates from CSR (Certificate Signing Request)

To issue a certificate from a CSR file, follow this link: http://localhost/ca/IssueFromCSR.aspx

Usually, a CSR file is generated by your web server or by an HSM device. The certificate is issued in .CER format and is signed by the CA Root Certificate.


Revoke a Certificate

When a certificate is issued, a revocation password can be set. To revoke a certificate, follow this link: http://localhost/ca/RevokeCertificate.aspx

To revoke a certificate issued by the CA Server, the certificate serial number and the revocation password are required. A revoked certificate will appear on the CRL (Certificate Revocation List), so that other applications know that the certificate is no longer valid.


CRL Issuing

The Certificate Revocation List (CRL) is a list of certificates (or more specifically, a list of serial numbers of certificates) that have been revoked and therefore should not be relied upon. Every certificate issued by the CA Server includes the CRL URL, so the CRL must be kept up to date. The CRL is valid for 7 days, so it must be reissued within this interval. To issue the CRL, the page below must be accessed every 6 days: http://localhost/ca/EmitCRL.aspx?emit=true

Because IIS does not support cron jobs like Apache, the EmitCRL.aspx?emit=true page must be called from time to time (usually every 6 days) to issue the CRL. If the CRL expires, all certificates issued by the CA will be considered invalid. The page http://localhost/ca/EmitCRL.aspx?emit=true can be called from Task Scheduler or manually from time to time.


Certification Authority Management

Certificate Management

To manage issued certificates, follow this link: http://localhost/ca/Manage.aspx

This page shows information about the certificates issued by the CA Server. The certificates can also be revoked, downloaded or exported from here.


Audit Trail

Every action performed on the CA server is stored, encrypted, in an Audit Trail log file. To access the Audit Trail, follow this link: http://localhost/ca/Audit.aspx

Every error that occurred while issuing certificates is also available here.

