
Customizing the Web Enrollment Pages

When browser-based enrollment services are provided, the enrollment pages should be customized to reflect the image the CA wants to impose. For example, only those request fields that are relevant to the particular application should be shown to the user. Basic customization can be done easily via the Administration Service.

Sometimes, it may also be desirable to match the layout and graphics of the pages with the appearance of the site where the enrollment services are provided. While the administration GUI is seen only by a couple of operators, the enrollment pages may be visible to tens of thousands of end users. In this case, the actual HTML templates with the enroll prefix can be customized. The templates are HTML descriptions with a Scheme-based script which is used for customizing the pages on the fly.

The basic customization options are described below. For information on customizing the HTML templates, contact SSH Tectia Certifier technical support (

Figure : Customizing the Web Enrollment Service

Account Management

If account management is enabled, entities can log in to the Web Enrollment Service with their accounts. Once logged in, they can view, revoke, and renew their certificates. Account Management can be disabled, allowed with TLS client authentication, or allowed with TLS or password authentication. If account management is enabled, the security level of the Web Enrollment Service has to be set to match.

Template Set

Template Set is the set of HTML templates used by the service. Unless new templates have been customized by the customer, only one template set is available (Web Enrollment Interface). The template sets are located in the SSH Tectia Certifier installation directory under enroll-templates/ (the default set is in the enroll-templates/enroll-html/ sub-directory).

Account Registration

If New Account Registration is allowed, a user can send registration information (including an e-mail address) through the Web Enrollment Service. Based on this information, SSH Tectia Certifier creates an entity and a pre-shared key for the user and sends the pre-shared key to the given e-mail address. This method is not cryptographically secure, but nevertheless may be useful in some cases. In addition to allowing registration on this page, the operator has to edit the lib/ssh-ca-notify-email script to customize the e-mail sending.

Revocation Options

Normally, when account management is enabled, the users can revoke (or actually, suspend) their own certificates. However, Client Certificate Revocation can be specifically allowed or disallowed. If the option is disallowed, the users cannot suspend their TLS client authentication certificate used for logging in to the Web Enrollment Service.

Revocation with PSK can be disabled or allowed. This option is independent of account management settings. If the option is allowed, the users can suspend certificates bound to a specific pre-shared key (PSK). The PSK use count is not affected by this. Activating revocation with PSK requires that the Web Enrollment Service uses TLS protection.

Enrollment Methods

PKCS #10 enrollment and browser enrollment are available through the Web Enrollment Service. By selecting Hide PKCS-10 enrollment or Hide Netscape/IE enrollment under Enrollment Methods, the links to PKCS #10 enrollment or browser enrollment, respectively, can be hidden. Note that hiding a link only affects what is shown on the pages: the enrollment pages themselves are not disabled, and they can still be accessed by typing the page URL in the location bar of the browser.

Character Set

The Character Set used by the browser can be autodetected, asked from the user, or forced (UTF-8, ISO-8859-1, or ISO-8859-15).

Advanced Request Editing

Advanced Request Editing can be allowed or disabled. It is also possible to allow only advanced request editing.

Internet Explorer Options

Additional key options that are available on Microsoft Internet Explorer can be set under MSIE Key Generation.

If a check box is selected, the corresponding option is shown on the MS IE enrollment pages. If the check box is cleared, the option is not shown to the user.

For example, if the Allow key size selection option is cleared and the Default key size is set to 1024, the user cannot select the key size when submitting the request, and the browser generates only 1024-bit keys.

The following options can be selected/cleared:

  • Allow CSP selection

    Allows the user to select the CSP used for key generation. The Default CSP can be entered in the text box.

  • Select key protection

    Allows the user to change the Private key protection setting.

  • Set key protection by default

    Sets Private key protection on.

  • Allow key size selection

    Allows the user to select the key size. Default key size can be entered in the text box.

  • Allow key store selection

    Allows the user to select the key store.

  • Allow key type (KeySpec) selection

    Allows the user to select the KeySpec. The Default KeySpec can be selected from the list.

See Section Browser-Based Enrollment for more information on these settings.

Figure : Customizing the Web Enrollment Service

Request Elements

The Request Elements that are available on the enrollment pages can also be modified. To add a new request element, select an element from the list and click Refresh. The element is added to the bottom of the page. The display order of the elements can be changed by using the Up/Down buttons or by selecting a new place number from the drop-down list next to the element and clicking Refresh.

For subject name components, a default value can be given. To allow editing the value, select the Allow Edit? check box. To make a component mandatory in a request, select the Required? check box.

Key usages can be selected to be on by default. Clearing the Allow Edit? check box prevents editing the requested key usages.

Click Continue to accept the settings and return to the Edit Configuration for Web Enrollment Service page. To put the settings into use, click Continue and then click Commit Changes on the Edit Server Entity page.
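The settings above (a default value, Allow Edit? and Required? per subject-name component, default key usages, and a default key size) describe what the enrollment page presents to the user. Since hidden links and browser-side defaults are only presentation, the following added example (not SSH Tectia Certifier code, and not a description of how the product enforces its configuration internally) shows how a CA-side check could apply the same page settings to a request that has actually arrived. The `Component`, `EnrollmentPolicy` and `check_request` names, the policy values and the two sample requests are all constructed for this illustration; the request is assumed to have already been parsed into a plain dictionary.

```python
"""Apply an enrollment page's request-element settings to a submitted request.

Hypothetical example: every name and value here is constructed; none of it is
SSH Tectia Certifier code or a description of its internal enforcement.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One subject-name component as configured under Request Elements."""
    name: str                # subject attribute type, e.g. "C", "O", "CN"
    default: str = ""        # value pre-filled on the enrollment page
    allow_edit: bool = True  # the page's "Allow Edit?" check box
    required: bool = False   # the page's "Required?" check box


@dataclass(frozen=True)
class EnrollmentPolicy:
    components: tuple               # Component objects, in display order
    default_key_usages: frozenset   # key usages selected "on by default"
    allow_key_usage_edit: bool      # the "Allow Edit?" check box for key usages
    min_key_size: int               # smallest RSA modulus the CA accepts


def example_policy():
    """A constructed policy mirroring typical Request Elements settings."""
    return EnrollmentPolicy(
        components=(
            Component("C", default="FI", allow_edit=False, required=True),
            Component("O", default="Example Corp", allow_edit=False, required=True),
            Component("CN", default="", allow_edit=True, required=True),
            Component("emailAddress", default="", allow_edit=True, required=False),
        ),
        default_key_usages=frozenset({"digitalSignature", "keyEncipherment"}),
        allow_key_usage_edit=False,
        min_key_size=2048,  # constructed value for this example
    )


def check_request(policy, request):
    """Return a list of policy violations; an empty list means the request
    matches what the enrollment page would have produced.

    `request` is a dict with keys:
      "subject":    dict mapping attribute type -> value
      "key_usages": iterable of requested key usage names
      "key_size":   RSA modulus size in bits
    """
    violations = []
    subject = request.get("subject", {})

    # Subject-name components: required ones must be present, and components
    # the page does not let the user edit must still carry the default value.
    for comp in policy.components:
        value = subject.get(comp.name, "")
        if value == "":
            if comp.required:
                violations.append(f"missing required subject component {comp.name}")
            continue
        if not comp.allow_edit and value != comp.default:
            violations.append(
                f"{comp.name} is not editable on the page but was changed: "
                f"{value!r} != {comp.default!r}")

    # Components that were never offered on the page should not appear at all.
    offered = {comp.name for comp in policy.components}
    for attr in subject:
        if attr not in offered:
            violations.append(f"unexpected subject component {attr}")

    # Key usages: when editing is disallowed, only the defaults may be requested.
    usages = frozenset(request.get("key_usages", ()))
    if not policy.allow_key_usage_edit and usages != policy.default_key_usages:
        violations.append(
            f"key usages changed although not editable: {sorted(usages)}")

    # Key size: the browser default is only a suggestion to the client.
    key_size = int(request.get("key_size", 0))
    if key_size < policy.min_key_size:
        violations.append(
            f"key size {key_size} below the minimum of {policy.min_key_size}")

    return violations


# Constructed sample requests: one as the page would submit it, one altered.
COMPLIANT_REQUEST = {
    "subject": {"C": "FI", "O": "Example Corp", "CN": "alice.example.test",
                "emailAddress": "alice@example.test"},
    "key_usages": ["digitalSignature", "keyEncipherment"],
    "key_size": 2048,
}
ALTERED_REQUEST = {
    "subject": {"C": "FI", "O": "Other Corp", "CN": "alice", "OU": "Admins"},
    "key_usages": ["digitalSignature", "keyEncipherment", "keyCertSign"],
    "key_size": 1024,
}

if __name__ == "__main__":
    for label, req in (("compliant", COMPLIANT_REQUEST), ("altered", ALTERED_REQUEST)):
        print(label, check_request(example_policy(), req) or "OK")
```

The compliant request yields no violations; the altered one is reported four times: the non-editable O value was changed, an OU component that the page never offered was added, the key usages differ from the defaults, and the key is shorter than the minimum.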
