

Configuring SSH Tectia Certifier

First you need to have a Publishing Service configured in the Certifier Server.

  1. Log in to the Administration Service with your web browser.
  2. Click Servers on the main menu.
  3. Click View Server on the Server you wish to add the service to.
  4. Select Publishing Service from the service drop-down list and click Add.
  5. Fill in the configuration suggested by the ssh-ca-ldap-setup script, for example:
    • Service Description: <free description of the service>
    • Server Address: <ip address or host name of ldap server>
    • Port: 389
    • LDAP Username: cn=Manager, o=SSH, c=FI
    • LDAP Password: manager

    Note that the distinguished name in LDAP Username is in LDAP order (least significant component first), which is the reverse of the order used in other places in the SSH Tectia Certifier Administration GUI. The username and password shown are the setup script's example values: replace the password before the service goes into use, and bear in mind that port 389 is plain LDAP, so the bind credentials travel unencrypted unless the connection between Certifier and the directory is protected by other means.

  6. Click Continue.
  7. Click Commit Changes on the Edit Server Entity page to make the changes final.

Next you need to edit the publishing parameters of the CA.

  1. Click CA Hierarchy on the main menu.
  2. Click on the CA you wish to modify. The Certification Authority page opens.
  3. Click the Edit Publish button on the Certificate Publish Method row.
  4. Choose LDAP as the publishing method and click Add.
  5. Select LDAPv3 pkiUser schema from the schema selection list and click Set. Replace the Object Name Format with the following string:
    c=FI, o=SSH, CN=%{subject-name:CN}
    

    This configuration expects every published certificate to have a subject name with a CN component; a certificate whose subject lacks CN cannot be mapped to an entry name by this format. The certificates are stored in the directory under the c=FI,o=SSH hierarchy regardless of the country or organization components in the certificates' own subject names.

    The resulting object in the LDAP directory has the user certificate stored in the userCertificate;binary attribute.

  6. Click Commit Changes to commit this configuration.

CRL publishing is configured similarly.

  1. On the Certification Authority page, click the Edit Publish button on the CRL Distribution Points row. This will display current publishing configuration for CRLs.
  2. Choose LDAP as the publishing method and click Add.
  3. Select LDAPv3 pkiCa schema from the schema selection list and click Set. Replace the Object Name Format with the following string:
    c=FI, o=SSH, CN=%{subject-name:CN}
    

    This expects the CA certificate to have a subject name with a CN component. The CRLs are stored in the directory under the c=FI,o=SSH hierarchy regardless of the country or organization components in the CA certificate's own subject name.

    The resulting object in the LDAP directory has the CRL stored in the certificateRevocationList;binary attribute and the corresponding CA certificate in the cACertificate;binary attribute.

  4. Click Commit Changes to commit this configuration.
  5. After this, set the update period of the CRL distribution point (given in seconds) and click Commit Changes.

    Note that a value of 0 disables the distribution point. While the new configuration is being tested, short periods such as 300 or 600 seconds (5 or 10 minutes) are reasonable. Whatever period is used afterwards, keep it shorter than the lifetime of the CRLs the CA issues, so that a fresh CRL is in the directory before the published one expires.

Certificate publishing can now be tested by enrolling and issuing new certificates, or by republishing certificates already in the database, and then looking up the resulting entries in the directory. CRLs are published automatically according to their update periods.
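The following is an added example, not Certifier code or part of the original page, that models what the two Object Name Format strings above do and checks a directory dump for the attributes each schema stores. It assumes that the format string is written in the GUI's order (most significant component first) and that the directory entry is therefore named in the reverse, LDAP order, as the note on LDAP Username above implies; the RFC 4514 escaping, the RDN splitter, the LDIF reader and the sample dump are this example's own construction, and the base64 payloads in the sample are placeholders rather than real DER.

```python
"""Expand %{subject-name:CN} into an LDAP DN and verify published entries.

Added example, not Certifier's own code: the token syntax, the GUI-order
DN and the attribute names come from the documentation; everything else
(escaping, RDN splitting, LDIF parsing, the sample dump) is assumed here.
"""
import base64
import re

TEMPLATE = "c=FI, o=SSH, CN=%{subject-name:CN}"

# Attributes each publishing schema stores, as described on the page.
EXPECTED_ATTRS = {
    "pkiUser": ("userCertificate;binary",),
    "pkiCa": ("cACertificate;binary", "certificateRevocationList;binary"),
}

_MUST_ESCAPE = set(',+"\\<>;=')
_TOKEN = re.compile(r"%\{subject-name:([A-Za-z]+)\}")


def escape_rdn_value(value):
    """Escape an attribute value for a DN (RFC 4514, section 2.4). Without
    this a CN such as 'Example, Inc' would add a fourth RDN and the
    certificate would land at a different, subject-controlled DN."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif (ch in _MUST_ESCAPE or (i == 0 and ch in " #")
              or (i == len(value) - 1 and ch == " ")):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def expand_object_name(template, subject):
    """Substitute %{subject-name:ATTR} tokens from a subject-name dict.
    Raises ValueError when the subject lacks a component the template
    needs, the case the text warns about for certificates without CN."""
    def sub(match):
        attr = match.group(1)
        if attr not in subject:
            raise ValueError("subject name has no %s component" % attr)
        return escape_rdn_value(subject[attr])
    return _TOKEN.sub(sub, template)


def split_rdns(dn):
    """Split a DN on unescaped commas, keeping backslash escape pairs."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).lstrip(" "))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).lstrip(" "))
    return parts


def to_ldap_order(gui_dn):
    """GUI order (c=FI, o=SSH, CN=x) to LDAP order (CN=x,o=SSH,c=FI).
    Assumption: the format string follows the GUI order of the page."""
    return ",".join(reversed(split_rdns(gui_dn)))


def normalize_dn(dn):
    """Lookup key: drop spaces after commas, ignore case (approximates the
    directory's case-insensitive matching rules for cn, o and c)."""
    return ",".join(split_rdns(dn)).lower()


def parse_ldif(text):
    """Minimal reader for ldapsearch-style LDIF: {normalized dn: {attr:
    [bytes]}}. A '::' separator marks a base64-encoded value."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # folded continuation
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, dn, attrs = {}, None, {}
    for line in unfolded + [""]:
        if not line:                               # blank line ends entry
            if dn is not None:
                entries[normalize_dn(dn)] = attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        data = (base64.b64decode(value[1:].strip()) if value.startswith(":")
                else value.strip().encode())
        if name == "dn":
            dn = data.decode()
        else:
            attrs.setdefault(name, []).append(data)
    return entries


def verify_publication(ldif_text, template, subject, schema):
    """Return (expected DN, list of schema attributes absent or empty)."""
    dn = to_ldap_order(expand_object_name(template, subject))
    entry = parse_ldif(ldif_text).get(normalize_dn(dn))
    if entry is None:
        return dn, ["entry missing"]
    return dn, [a for a in EXPECTED_ATTRS[schema] if not any(entry.get(a, []))]


# Constructed sample dump; the base64 payload is a placeholder, not real DER.
_PLACEHOLDER = base64.b64encode(b"constructed placeholder, not real DER").decode()
SAMPLE_LDIF = """dn: CN=Alice Example,o=SSH,c=FI
objectClass: pkiUser
userCertificate;binary:: %s

dn: CN=Example CA,o=SSH,c=FI
objectClass: pkiCA
cACertificate;binary:: %s
""" % (_PLACEHOLDER, _PLACEHOLDER)
```

Running verify_publication over SAMPLE_LDIF with the pkiUser schema for "Alice Example" reports nothing missing, while the pkiCa check for "Example CA" reports certificateRevocationList;binary as absent, which is what a dump taken before the first CRL update period has elapsed looks like. Against a live directory, an ldapsearch with -b set to the computed DN and -t writes the binary attribute values to temporary files that openssl x509 -inform DER or openssl crl -inform DER can decode, which confirms the published object is the one the CA issued.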


