Creating a new Certifier Server instance is done in two steps:
- A new server entity is added to SSH Tectia Certifier. This server also needs to have a pre-shared key added to it.
- The actual server software is installed on the target machine from the Certifier Subordinate Server package. During the installation process you are prompted for the Certifier Engine address and the pre-shared key you created for the server entity.
See SSH Tectia Certifier Administrator's Guide for more instructions.
After the new Certifier Server is installed and connected to the Certifier Engine, it needs to be configured by adding at least one Certifier Service. The currently supported Certifier Services are:
- Administration Service
- CMP Service
- External Enrollment Client Service
- Identity Integration Service
- LDAP Authentication Service
- OCSP Responder Service
- Publishing Service
- SCEP Service
- Web Enrollment Service
Note that to add a service to the system you probably do not have to add a new Server. You can just add the needed Service to some existing Server. This is a much easier process as you will not have to install a new Certifier Subordinate Server.
Each of these services has a configuration that defines the service-specific parameters. To edit an existing Certifier Service, click the Edit button next to the service entry in the Edit Server Entity page.
To remove an existing service, click the Remove button next to the service, and then click the Commit Changes button at the bottom of the page. All operations, including editing a Certifier Service, need to be confirmed by clicking the Commit Changes button.
Every Server entity has a status field, a name field, and optionally a description field. These are given at the beginning of the Edit Server Entity page. Server status can be Active or Inactive. An inactive server is temporarily out of use.
To give new attributes to a Server entity, click the attributes in the Entity Attribute box, fill in the text field, and click the Commit Changes button at the bottom of the page. These fields are mainly informational.
Every Server entity has at least one certificate, which is the TLS certificate used to secure the communication between the Server and Certifier Engine. In addition, some of the Services may have certificates. For example, the OCSP Responder Service needs to have a certificate in order to be operational. All certificates related to the Server entity are listed under Client certificates. If the CA that is issuing certificates does not allow automatic issuing, the pending certificate requests are listed under Pending client requests.
Services enroll and renew their certificates automatically. If a certificate needs to be changed, for example, to give it a more suitable name, it can be done by viewing the certificate and then Reissuing it. Then the service must be restarted and it will automatically fetch and use the new certificate.
A server can also have a shared secret which it uses when setting up new Certifier Subordinate Servers. Normally a server needs only one pre-shared key and it can be removed after the service is running. A server does not need a pre-shared key during normal operation and it can renew its certificate automatically.
However, if a service installation has been erased or if it has not been used for some time, it might have lost its certificate or the certificate might have expired. In order to reinstall the server, a new shared secret must be added to the server entity.
To view the server entity log or server entity requests, click the corresponding View Log and View Requests buttons. Server entities with similar configurations can be created by clicking the Copy Entity button. The server entity can be removed by clicking the Remove Entity button. This operation should be used with extreme care.