When browser-based enrollment services are provided, the enrollment pages should be customized to present the CA the way its operator intends. For example, only those request fields that are relevant to the particular application should be shown to the user. Basic customization can be done easily via the Administration Service.
Sometimes, it may also be desirable to match the layout and graphics of the pages with the appearance of the site where the enrollment services are provided. While the administration GUI is seen only by a couple of operators, the enrollment pages may be visible to tens of thousands of end users. In this case, the actual HTML templates with the enroll prefix can be customized. The templates are HTML descriptions with a Scheme-based script which is used for customizing the pages on the fly.
The basic customization options are described below. For information on customizing the HTML templates, contact SSH Tectia Certifier technical support (http://www.ssh.com/support/).
If account management is enabled, entities can log in to the Web Enrollment Service with their accounts. Once logged in, they can view, revoke, and renew their certificates. Account Management can be disabled, allowed with TLS client authentication only, or allowed with either TLS client authentication or password authentication. If account management is enabled, the security level of the Web Enrollment Service has to be set to match.
Template Set is the set of HTML templates used by the service. Unless new templates have been customized by the customer, only one template set is available (Web Enrollment Interface). The template sets are located in the SSH Tectia Certifier installation directory under enroll-templates/ (the default set is in the
If New Account Registration is allowed, a user can send registration information (including an e-mail address) through the Web Enrollment Service. Based on this information, SSH Tectia Certifier creates an entity and a pre-shared key for the user and sends the pre-shared key to the given e-mail address. Because the pre-shared key is delivered over e-mail, an unprotected channel, this method is not cryptographically secure; it may nevertheless be useful in some cases. In addition to allowing registration on this page, the operator has to edit the lib/ssh-ca-notify-email script to customize how the e-mail is sent.
Normally, when account management is enabled, users can revoke (strictly speaking, suspend) their own certificates. However, Client Certificate Revocation can be specifically allowed or disallowed. If the option is disallowed, users cannot suspend the TLS client authentication certificate they use for logging in to the Web Enrollment Service.
Revocation with PSK can be disabled or allowed. This option is independent of account management settings. If the option is allowed, the users can suspend certificates bound to a specific pre-shared key (PSK). The PSK use count is not affected by this. Activating revocation with PSK requires that the Web Enrollment Service uses TLS protection.
PKCS #10 enrollment and browser enrollment are available through the Web Enrollment Service. By selecting Hide PKCS-10 enrollment or Hide Netscape/IE enrollment under Enrollment Methods, the links for PKCS #10 enrollment or browser enrollment, respectively, can be hidden. Note that hiding a link does not disable the enrollment pages: they can still be reached by typing the page URL in the location bar of the browser. Hiding is therefore a cosmetic setting, not an access control; if an enrollment method must be unavailable, access to its pages has to be blocked by other means.
The Character Set used by the browser can be autodetected, asked from the user, or forced (UTF-8, ISO-8859-1, or ISO-8859-15).
Advanced Request Editing
Advanced Request Editing can be allowed or disabled. It is also possible to allow only advanced request editing.
Internet Explorer Options
Additional key options that are available on Microsoft Internet Explorer can be set under MSIE Key Generation.
If a check box is selected, the corresponding option is shown on the MS IE enrollment pages. If the check box is cleared, the option is not shown to the user.
For example, if the Allow key size selection option is cleared and the Default key size is set to 1024, the user cannot select the key size when submitting the request, and the browser will generate 1024-bit keys only.
The following options can be selected/cleared:
- Allow CSP selection
Allows the user to select the CSP used for key generation. The Default CSP can be entered in the text box.
- Select key protection
Allows the user to change the Private key protection setting.
- Set key protection by default
Sets Private key protection on.
- Allow key size selection
Allows the user to select the key size. Default key size can be entered in the text box.
- Allow key store selection
Allows the user to select the key store.
- Allow key type (KeySpec) selection
Allows the user to select the KeySpec. The Default KeySpec can be selected from the list.
See Section Browser-Based Enrollment for more information on these settings.
The Request Elements that are available on the enrollment pages can also be modified. To add a new request element, select an element from the list and click Refresh. The element is added to the bottom of the page. The display order of the elements can be arranged by using the Up/Down buttons or by selecting a new place number from the drop-down list next to the element and clicking Refresh.
For subject name components, a default value can be given. To allow editing the value, select the Allow Edit? check box. To make a component mandatory in a request, select the Required? check box.
Key usages can be selected to be on by default. Clearing the Allow Edit? check box prevents editing the requested key usages.
Click Continue to accept the settings and return to the Edit Configuration for Web Enrollment Service page. To take the settings in use, click Continue and click Commit Changes on the Edit Server Entity page.
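The following is an added example, not code from SSH Tectia Certifier, showing what the Request Elements settings described above mean when a submitted request is checked against them: each subject name component carries a default value and the Allow Edit? and Required? flags, and the key usages carry a default set and an Allow Edit? flag. The example applies such a policy to a request exactly as an enrollment page would display it, and also to a request whose fields were altered outside the form, which the page's check boxes alone cannot prevent. The element names, the policy values and the two sample requests are constructed for illustration.

```python
"""Illustrative model of Web Enrollment Service 'Request Elements' settings.

Added example only: the data structures, element names and policy values
below are assumptions, not SSH Tectia Certifier's own code or configuration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SubjectElement:
    name: str                 # subject name component, e.g. "O", "OU", "CN"
    default: str = ""         # value pre-filled on the enrollment page
    allow_edit: bool = True   # the Allow Edit? check box
    required: bool = False    # the Required? check box


@dataclass(frozen=True)
class KeyUsagePolicy:
    defaults: frozenset       # key usages selected by default
    allow_edit: bool = True   # the Allow Edit? check box for key usages


@dataclass(frozen=True)
class RequestPolicy:
    subject: tuple            # elements in display order
    key_usage: KeyUsagePolicy


def apply_policy(policy, submitted_subject, submitted_key_usage):
    """Apply the request-element policy to a submitted request.

    Returns (subject, key_usage, errors). Non-editable components always
    take their default value; a differing submitted value is reported,
    because the form could not have produced it. Components the form does
    not offer are dropped, and missing required components are reported.
    """
    errors = []
    subject = {}
    offered = {el.name for el in policy.subject}

    for el in policy.subject:
        value = submitted_subject.get(el.name, "").strip()
        if not el.allow_edit:
            if value and value != el.default:
                errors.append(f"{el.name}: '{value}' rejected, component is not editable")
            value = el.default
        if el.required and not value:
            errors.append(f"{el.name}: required component missing")
        subject[el.name] = value

    for name in sorted(set(submitted_subject) - offered):
        errors.append(f"{name}: component not offered on the form, dropped")

    requested = frozenset(submitted_key_usage)
    if policy.key_usage.allow_edit:
        key_usage = requested
    else:
        key_usage = policy.key_usage.defaults
        if requested != key_usage:
            errors.append("keyUsage: edits rejected, defaults applied")

    return subject, key_usage, errors


def subject_string(policy, subject):
    """Render the subject in the configured display order, skipping empty components."""
    return ", ".join(f"{el.name}={subject[el.name]}" for el in policy.subject if subject[el.name])


# Constructed sample policy: O is fixed, OU pre-filled but editable, CN must be supplied.
EXAMPLE_POLICY = RequestPolicy(
    subject=(
        SubjectElement("O", "Example Corp", allow_edit=False, required=True),
        SubjectElement("OU", "VPN users", allow_edit=True),
        SubjectElement("CN", "", allow_edit=True, required=True),
    ),
    key_usage=KeyUsagePolicy(frozenset({"digitalSignature", "keyEncipherment"}), allow_edit=False),
)

# Constructed request as the enrollment page would submit it.
EXAMPLE_FORM_REQUEST = (
    {"O": "Example Corp", "OU": "VPN users", "CN": "alice"},
    {"digitalSignature", "keyEncipherment"},
)

# Constructed request altered outside the form: fixed O changed, CN left out,
# an unoffered component added, and a key usage the form never showed.
EXAMPLE_TAMPERED_REQUEST = (
    {"O": "Evil Inc", "OU": "VPN users", "serialNumber": "0001"},
    {"keyCertSign"},
)

if __name__ == "__main__":
    for label, (subj, ku) in (("form", EXAMPLE_FORM_REQUEST), ("tampered", EXAMPLE_TAMPERED_REQUEST)):
        subject, key_usage, errors = apply_policy(EXAMPLE_POLICY, subj, ku)
        print(label, "->", subject_string(EXAMPLE_POLICY, subject), sorted(key_usage))
        for err in errors:
            print("  ", err)
```

The point of the second request is that the Allow Edit? and Required? check boxes only shape what the page shows; a request built by hand and posted directly can carry any values, so the same policy has to be applied to what is actually received before the request is accepted.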