
Editing RA Settings

To configure an existing RA, click the RA name on the RA List page. This opens the Registration Authority page.

Many RA configuration options are identical to the CA configuration options, but there are some differences. RAs do not publish certificate revocation lists, so an RA has no CRL settings. On the other hand, an RA needs a connection to a remote CA, so there are additional settings for the RA-CA connection.

Figure: The Registration Authority page

The first field, RA name, is a short, descriptive name that operators can easily identify. It does not have to match the subject name in the RA certificate. Description is a longer description shown only to operators. RA Status is either Active or Inactive; an RA marked Inactive cannot be used.

RA Connection Configuration

The RA connection fields hold the settings of the RA-CA connection. Enroll Client Service is the name of the External Enrollment Client Service used by this RA.

Connection Type indicates the method the RA uses to connect to the CA. The possible connection types are CMP over HTTP connection, Write CMP to file, External command line, and No automatic connection.

  • If a direct CMP over HTTP connection is used, Connection Path is the HTTP URL of the CMP Service on the CA host.
  • If the CMP request is written to a file, Connection Path is the file name. This option can be used, for example, when the CA is normally offline and batch-processes the requests at certain intervals.
  • If an external command line is used, Connection Path is the command line executed when communicating with the CA. The generated RA message is written to a temporary file, and the %file tag on the command line is replaced with the name of that file.
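The following script is an added example of a handler for the External command line connection type; it is not part of the product and its paths are assumptions. It would be configured as Connection Path in the form `/usr/local/bin/ra-spool.sh %file`, so that the RA runs it with the temporary file holding the CMP message as its only argument. The script refuses an empty message, copies the message into a spool directory that the offline CA operator collects from, and records a SHA-256 digest of each message so the operator can check that what the CA processes is what the RA produced.

```shell
#!/bin/sh
# ra-spool.sh: hypothetical handler for the RA's "External command line"
# connection type. The RA substitutes %file on the configured command line
# with the temporary file containing the CMP message and runs this script.
# Added example, not the product's own code; all paths below are assumptions.
set -eu

# Directory the offline CA operator collects RA messages from (assumed path).
SPOOL_DIR="${RA_SPOOL_DIR:-/var/spool/ra-outbox}"
# Audit log of messages handed over to the CA (assumed path).
SPOOL_LOG="${RA_SPOOL_LOG:-/var/log/ra-spool.log}"

# hash_file FILE: print the SHA-256 digest of FILE (GNU or BSD toolchain).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# spool_ra_message FILE: copy the RA message in FILE into SPOOL_DIR under a
# unique, timestamped name, log its digest, and print the spooled path.
# A non-zero exit is what tells the RA the send failed.
spool_ra_message() {
    src="$1"
    # An empty or missing message is never handed to the CA.
    if [ ! -s "$src" ]; then
        echo "ra-spool: empty or missing RA message: $src" >&2
        return 1
    fi
    mkdir -p "$SPOOL_DIR"
    digest=$(hash_file "$src")
    short=$(printf '%s' "$digest" | cut -c1-8)
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    # mktemp guarantees a unique name even if two messages arrive in the
    # same second, and creates the file with mode 0600.
    dst=$(mktemp "$SPOOL_DIR/cmp-${stamp}-${short}-XXXXXX")
    cp "$src" "$dst"
    # Operators verify this digest against the file they pick up.
    printf '%s sha256=%s file=%s\n' "$stamp" "$digest" "$dst" >> "$SPOOL_LOG"
    echo "$dst"
}

# When invoked by the RA, the substituted %file is the single argument.
if [ $# -ge 1 ]; then
    spool_ra_message "$1"
fi
```

The RA only sees the exit status of the command line, so the script exits non-zero on any failure; the digest line in the log is what lets the CA side confirm integrity of a message carried over a manual channel.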

Polling Interval is the interval, in minutes, at which the RA polls the CA for accepted certificates; setting it to zero disables polling. An RA message can be sent manually with the Send RA Message button, which uses the current connection type and path. The View RA Message button shows the message in the browser. Clicking the Insert CA Reply button opens the Process Offline CA Response page, where a PEM-encoded CMP message can be inserted into the RA.

Remote CA Certificate shows the certificate of the remote CA. The certificate can be viewed by clicking View Certificate and changed by clicking Change. It is normally set automatically when the RA certificate is enrolled.

Certificate Publishing

Certificate Publish Method shows the current publishing method for certificates issued through the RA, including the protocol and server address where applicable. The configuration can be changed on the Edit Certificate Publishing Method page by clicking the Edit Publish button. See Section Publishing Settings.

RA Certificate

The RA certificate can be viewed by clicking the View Certificate button on the RA certificate row. If the RA does not yet have a certificate, one can be searched for by clicking the Search button. An existing certificate can be changed by clicking the Change button.

A new certificate can be enrolled by clicking the Enroll New Certificate button. This also sets the connection parameters and the remote CA certificate in the RA configuration and commits the changes. For a detailed description, see Section Enrolling an RA Certificate.

Other Options

Changes made to the RA data are written to the Database by clicking the Commit Changes button.

The Edit Policy button opens a separate policy editing page where the policy of the RA can be viewed and modified. See Section Policy Chains.

View Log shows all log events related to this RA.

Restarting Publishing

Clicking the Restart publishing unpublished certificates button searches for all active certificates issued through this RA whose publishing status is pending or error, and tries to republish them one by one. This is useful when many certificates have failed to publish because of a network problem or misconfigured publishing information. The process starts only when this button is clicked and continues in the background until finished.

The Restart publishing all certificates button is similar, but republishes all active certificates of this RA. This can be used, for example, when the LDAP server has changed and all certificates need to be added to it again.

Both buttons should be used with care, as they generate a lot of Database and network traffic.
