

Browser-Based Enrollment

SSH Tectia Certifier allows client-side enrollment to be performed using the most popular web browsers, Microsoft Internet Explorer and Netscape.

Netscape supports the HTML keygen tag, which generates a key pair and a certificate request in Netscape's proprietary SPKAC (signed public key and challenge) format. When a form containing the keygen tag is posted, the browser generates the key pair, wraps the public key in the request, and posts the result. The key pair is stored in the browser's encrypted key storage (PKCS #12 format).

The request is submitted to the Web Enrollment Service, which parses it and forwards it to the Certifier Engine. If certificate approval is configured to be automatic, the Web Enrollment Service pushes the issued certificate to the browser for installation. If the request must be approved manually, the end entity is shown the request identifier issued by the Certifier Engine instead of the certificate, and the certificate can be downloaded later using that identifier.

When using Internet Explorer, the Microsoft ActiveX control xenroll.dll can perform the client-side enrollment, including key generation. The control provides a scriptable interface; its most relevant methods are CreatePKCS10 and acceptPKCS7. CreatePKCS10 creates a private key in the key store of the selected cryptographic service provider and returns a base-64-encoded PKCS #10 request, which can then be posted to the Web Enrollment Service. When the Engine has issued the certificate, acceptPKCS7 installs it for use by Windows client applications such as IE and Outlook Express.

Enrollment Forms

The default forms for Netscape and MS IE enrollment in SSH Tectia Certifier are enroll-ns-start.html and enroll-ie-start.html, respectively. The options available on these forms depend on the customization settings of the Web Enrollment Service. See Section Customizing the Web Enrollment Pages. The default options are described below.


Figure: Default enrollment page for Internet Explorer in the Web Enrollment Service

The web forms request the subject name components Common Name, Organizational Unit, Organization, and Country. Common Name is mandatory; the other components are optional. The user may also enter subject alternative names, such as an e-mail address, an IP address, or a URI, if the certificate will be used in an environment that requires them.

The user may also request a key usage extension for the certificate. The extension can include the Digital Signature, Key Encipherment, and Data Encipherment key usages. The Email Protection, IKE Intermediate, Client Authentication, Server Authentication, Code Signing, OCSP Signing, and Time Stamping extended key usages can also be selected.

The necessary extensions depend on the intended use of the certificate. For example, when requesting a certificate for S/MIME use, the Email Protection check box should be selected in the request form.

The Certification Authority from which the certificate is requested must be selected in the web form. Only active CAs that are included in the Accessible CAs list can be chosen.

If the Web Enrollment Service connection is TLS protected, a pre-shared key can also be given in the enrollment form to enable automatic certificate issuing. This field is not shown on the web enrollment page without TLS, since pre-shared keys must not be sent in plain text.

The key size of the private key must also be selected.
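What the browser-side enrollment control actually produces, and what the service should check when the request arrives, is easier to see in code. The following is an added example written for this page, not code from SSH Tectia Certifier or from xenroll.dll: it generates the key pair and a PKCS #10 request carrying the subject components, the e-mail subject alternative name, and the key usage and extended key usage extensions the form asks for, then parses the request back the way the Web Enrollment Service would, verifying the request's self-signature before trusting anything in it. The EnrollForm type, the function names and the sample subject values are this example's own assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"fmt"
	"math/bits"
)

// Extension OIDs from RFC 5280; the EKU value is the form's Email Protection check box.
var oidKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15}
var oidExtKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}
var OIDEmailProtection = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 4}

// EnrollForm is a hypothetical struct mirroring the default form: CN is mandatory,
// the other fields are optional and are omitted from the request when left nil/zero.
type EnrollForm struct {
	CN              string
	OU, O, C, Email []string
	KeyUsage        x509.KeyUsage
	ExtKeyUsage     []asn1.ObjectIdentifier
	KeySize         int
}

// keyUsageBits hand-encodes the KeyUsage BIT STRING (bit 0 digitalSignature, bit 2
// keyEncipherment, bit 3 dataEncipherment); ASN.1 bit 0 is the MSB of the first octet.
func keyUsageBits(ku x509.KeyUsage) asn1.BitString {
	raw := []byte{bits.Reverse8(byte(ku)), bits.Reverse8(byte(ku >> 8))}
	n := 1 + bits.Len(uint(ku))/9 // the second octet is only needed for decipherOnly (bit 8)
	return asn1.BitString{Bytes: raw[:n], BitLength: bits.Len(uint(ku))}
}

// BuildRequest does the browser's part: generate the key pair and return a DER PKCS #10
// request carrying the subject, the e-mail SAN and the requested extensions.
func BuildRequest(f EnrollForm) ([]byte, error) {
	if f.CN == "" {
		return nil, fmt.Errorf("Common Name is mandatory")
	}
	key, err := rsa.GenerateKey(rand.Reader, f.KeySize)
	if err != nil {
		return nil, err
	}
	tmpl := x509.CertificateRequest{
		Subject:        pkix.Name{CommonName: f.CN, OrganizationalUnit: f.OU, Organization: f.O, Country: f.C},
		EmailAddresses: f.Email,
	}
	// The Go CSR template has no key usage fields, so both go in as raw DER extensions
	// (asn1.Marshal cannot fail for a BitString or a slice of OIDs).
	if f.KeyUsage != 0 {
		val, _ := asn1.Marshal(keyUsageBits(f.KeyUsage))
		tmpl.ExtraExtensions = append(tmpl.ExtraExtensions, pkix.Extension{Id: oidKeyUsage, Value: val})
	}
	if len(f.ExtKeyUsage) > 0 {
		val, _ := asn1.Marshal(f.ExtKeyUsage) // SEQUENCE OF OBJECT IDENTIFIER
		tmpl.ExtraExtensions = append(tmpl.ExtraExtensions, pkix.Extension{Id: oidExtKeyUsage, Value: val})
	}
	return x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
}

// InspectRequest does the server's part: parse, verify the self-signature (proof that the
// requester holds the private key) and decode the two extensions for policy checks.
func InspectRequest(der []byte) (csr *x509.CertificateRequest, ku x509.KeyUsage, eku []asn1.ObjectIdentifier, err error) {
	if csr, err = x509.ParseCertificateRequest(der); err != nil {
		return
	}
	if err = csr.CheckSignature(); err != nil {
		return
	}
	for _, ext := range csr.Extensions {
		switch {
		case ext.Id.Equal(oidKeyUsage):
			var bs asn1.BitString
			if _, err = asn1.Unmarshal(ext.Value, &bs); err != nil {
				return
			}
			for i := 0; i < bs.BitLength; i++ {
				ku |= x509.KeyUsage(bs.At(i) << uint(i))
			}
		case ext.Id.Equal(oidExtKeyUsage):
			if _, err = asn1.Unmarshal(ext.Value, &eku); err != nil {
				return
			}
		}
	}
	return
}

func main() {
	der, err := BuildRequest(EnrollForm{CN: "Alice Example", Email: []string{"alice@example.com"}, KeySize: 2048,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []asn1.ObjectIdentifier{OIDEmailProtection}})
	if err != nil {
		panic(err)
	}
	_, ku, eku, err := InspectRequest(der)
	fmt.Println(base64.StdEncoding.EncodeToString(der), ku, eku, err) // base-64 DER is what the browser POSTs
}
```

Go's CSR template has no key usage fields, so the two extensions are DER-encoded by hand; the bit reversal in keyUsageBits is where hand-written key usage encoders usually go wrong, which is why InspectRequest decodes the bits back rather than trusting the encoder. The CheckSignature call is the proof-of-possession step: a request whose signature does not verify under its own public key should never be forwarded to the Engine.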

Additional Private Key Options (MS IE only)

With Microsoft Internet Explorer, additional Private Key Options are available. The user can select the cryptographic service provider (CSP) used for key operations. The available providers depend on the Windows version. If cryptographic tokens, such as Aladdin eToken, have been installed on the system, the token-specific providers are also available. Selecting a token-based provider generates the key pair on the token itself, so the private key never has to exist outside the token.

With IE, the user can also select the certificate store type: either current user or local machine (for Windows IPSec and L2TP). As the names imply, the first store holds personal certificates (for e-mail and TLS) and the second holds machine-specific certificates.

With IE, the user can also select Private key protection. Selecting this check box causes Windows to prompt for the security level of the key:

  • High security protects the key with a password, which is requested every time the key is used. This is a suitable setting if the key is used for non-repudiation signatures, but may be cumbersome if the key is used for TLS or IPSec authentication.
  • Medium security (the default if private key protection is selected) asks for confirmation every time the key is used. This setting is suitable for S/MIME use, for example, but again may slow the operation unacceptably if the key is used for TLS or IPSec.
  • Low security (the default if private key protection is not selected) does not require any confirmation from the user when the key is used.

Advanced Request Editing

If allowed by the Web Enrollment Service settings, the Advanced Options button is shown on the browser enrollment page. Clicking this button immediately begins key generation. After the key has been generated the advanced editing page opens. The layout of this page is similar to the certification request processing page. See Figure Advanced request editing.


Figure: Advanced request editing

The following fields can be edited:

Note, however, that how these fields are processed is entirely up to CA policy. After editing the fields, the request is sent by clicking Submit Request.

URL Options

Optionally, the pre-shared key, key size, cryptographic service provider (Internet Explorer only) and other parameters can be given in the URL when the enroll-ie-start.html, enroll-ns-start.html or simple-enroll.html page template is used. Put a '?' character between the template name and the parameters, and an '&' character between the individual parameters.

All options only set the default values in the form. The corresponding selections are still shown to the user and can be edited manually. Note that a pre-shared key passed this way is part of the URL, so it is retained in the browser history and in web server and proxy access logs even when the connection is TLS protected.

The supported parameters for enroll-ie-start.html are:

  • psk : Sets the pre-shared key in the form.
  • ca : Default CA, given as object id (for example ca=12)
  • keysize : Default key size
  • csp : Default CSP name, or a part of it (for example Microsoft%20Enhanced%20Crypto)
  • protect : Set to no to turn off the USER_PROTECT flag in key generation. This lowers security but can be useful in some cases.
  • c : C component in distinguished name (DN)
  • o : O component in DN
  • ou : OU component in DN
  • cn : CN component in DN
  • email : E-mail subject alternative name
  • dns : DNS subject alternative name
  • ip : IP subject alternative name

The supported parameters for enroll-ns-start.html are:

  • psk : Sets the pre-shared key in the form.
  • ca : Default CA, given as object id (for example ca=12)
  • c : C component in distinguished name (DN)
  • o : O component in DN
  • ou : OU component in DN
  • cn : CN component in DN
  • email : E-mail subject alternative name
  • dns : DNS subject alternative name
  • ip : IP subject alternative name

These are the same options as for enroll-ie-start.html, except that csp, protect, and keysize are not available. The key size cannot be set in the URL because it is determined by the keygen tag in Netscape.

The supported parameters for simple-enroll.html are:

  • keysize : Default key size
  • csp : Default CSP name, or a part of it (for example Microsoft%20Enhanced%20Crypto)
  • protect : Set to no to turn off the USER_PROTECT flag in key generation. This lowers security but can be useful in some cases.
  • storetype : Sets the key store, either current-user or local-machine. Defaults to current-user.

The supported parameters for simple-form-enroll.html are:

  • psk : Sets the pre-shared key in the form.

The supported parameters for enroll-form-start.html are the same as in enroll-ns-start.html. In addition, the pkcs10 parameter is supported for setting the PKCS #10 request.

The following URLs are examples where one or more of these parameters are given in the URL.

https://pki.ssh.com:8081/enroll-ie-start.html?keysize=2048&psk=ssh&csp=Microsoft%20Enhanced%20Cryptographic%20Provider%20v1.0

https://pki.ssh.com:8081/enroll-ns-start.html?psk=1234
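The following added example, written for this page rather than taken from the product, turns the parameter tables above into two small checks: a builder that percent-encodes values (CSP names contain spaces) and refuses parameters the chosen template does not document, and an audit that takes an enrollment link, for example one found in a portal page, an e-mail or a web server log, and reports a pre-shared key sent without TLS or exposed in the URL, protect=no, an undersized key, an invalid storetype, or a parameter the template would silently ignore. The 2048-bit minimum and the function names are this example's own assumptions, not settings of the Web Enrollment Service.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"sort"
	"strconv"
	"strings"
)

// MinKeyBits is this example's own policy floor, not a product setting.
const MinKeyBits = 2048

const dnParams = "c o ou cn email dns ip"

// templateParams lists, per page template, the URL parameters the manual documents.
var templateParams = map[string]string{
	"enroll-ie-start.html":    "psk ca keysize csp protect " + dnParams,
	"enroll-ns-start.html":    "psk ca " + dnParams,
	"enroll-form-start.html":  "psk ca pkcs10 " + dnParams,
	"simple-enroll.html":      "keysize csp protect storetype",
	"simple-form-enroll.html": "psk",
}

func supports(template, name string) bool { // space-padded so "c" does not match "csp"
	return strings.Contains(" "+templateParams[template]+" ", " "+name+" ")
}

// BuildEnrollURL percent-encodes the values and refuses parameters the chosen
// template does not support, so a typo cannot vanish silently.
func BuildEnrollURL(base, template string, params map[string]string) (string, error) {
	if _, ok := templateParams[template]; !ok {
		return "", fmt.Errorf("unknown page template %q", template)
	}
	q := url.Values{}
	for k, v := range params {
		if !supports(template, k) {
			return "", fmt.Errorf("%s does not support the %q parameter", template, k)
		}
		q.Set(k, v)
	}
	return strings.TrimRight(base, "/") + "/" + template + "?" + q.Encode(), nil
}

// Finding is one problem AuditEnrollURL reports for a URL.
type Finding struct{ Param, Problem string }

// AuditEnrollURL takes an enrollment link (from a portal page, an e-mail or a web
// server log) and reports settings that weaken the key or expose the pre-shared key.
func AuditEnrollURL(raw string) (string, []Finding, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", nil, err
	}
	template := path.Base(u.Path)
	if _, ok := templateParams[template]; !ok {
		return template, nil, fmt.Errorf("unknown page template %q", template)
	}
	var findings []Finding
	add := func(p, msg string) { findings = append(findings, Finding{p, msg}) }
	q := u.Query()
	for name := range q {
		v := q.Get(name)
		switch {
		case !supports(template, name):
			add(name, "not supported by "+template+"; the service will ignore it")
		case name == "psk":
			if u.Scheme != "https" {
				add(name, "pre-shared key would be sent without TLS")
			}
			add(name, "pre-shared key is part of the URL: browser history and server/proxy logs will record it")
		case name == "protect" && strings.EqualFold(v, "no"):
			add(name, "USER_PROTECT off: the key can be used without any user confirmation")
		case name == "keysize":
			if n, err := strconv.Atoi(v); err != nil || n < MinKeyBits {
				add(name, fmt.Sprintf("key size %q is below the %d-bit policy floor", v, MinKeyBits))
			}
		case name == "storetype" && v != "current-user" && v != "local-machine":
			add(name, "storetype must be current-user or local-machine")
		}
	}
	// Map iteration order is random; sort by parameter for a stable report.
	sort.SliceStable(findings, func(i, j int) bool { return findings[i].Param < findings[j].Param })
	return template, findings, nil
}

func main() {
	// Constructed example link, deliberately over plain http with key protection disabled.
	tmpl, findings, err := AuditEnrollURL("http://pki.ssh.com:8081/enroll-ns-start.html?psk=1234&protect=no")
	fmt.Println(tmpl, err)
	for _, f := range findings {
		fmt.Printf("  %-8s %s\n", f.Param, f.Problem)
	}
}
```

url.Values.Encode writes spaces as '+' where the manual's example uses %20; both decode to the same CSP name on the server side. Run against the two example URLs above, the audit reports only the history/log exposure of psk, since both links are https and the key size is 2048; the http link with protect=no in main produces three findings.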


