The Web Enrollment Service can be used to provide enrollment pages for browser-based PKI clients. The default enrollment pages of the Web Enrollment Service include pages (designed for both MS Internet Explorer and Netscape Navigator) that can be used to generate private keys and post certification requests to the Web Enrollment Service. A PKCS #10 enrollment page is also offered to enable submitting certification requests that are generated by other PKI clients. There is also some account management functionality that browser users can use to manage their own certificates.
Service description is a free-form description of the Service and its function.
Service status can be either Active or Disabled. If the service is Disabled, it does not perform its function. This option can be used to take the service temporarily out of use.
The Service bind address is the address where the Web Enrollment Service listens to incoming HTTP and HTTPS connections. Remember to include the port number in the address. For example, http://0.0.0.0:8080/ is an address for a service running on the local host listening to port 8080. Remember that the Service bind address has to begin with http instead of https even if TLS is being used.
The Web Enrollment Service can be used to publish CRLs for end entities that use HTTP as an operational protocol to fetch CRLs. To enable this function, select Distribute CRLs for all accessible CAs. If a CA has a publishing method that uses the Web Enrollment Service for HTTP publishing and sets a CRL distribution point in the issued certificate, the prefix of the CRL distribution URL can be given in the URL prefix for CRL distribution points field. This should be a URL containing scheme, host and port parts, ending in a slash. Note that the given URL must be accessible from all clients. For example, http://enroll.big-corp.com:8080/ is a valid URL prefix. If the URL prefix is left empty, the service address is used instead.
The Security Settings define whether the HTTP server is protected with TLS or not. If Unprotected HTTP connection is selected, all connections between the browser and the server are plain text. By selecting TLS Protected HTTP connection, the server has a certificate which it uses for authentication, and all connections are encrypted. In this mode, however, the client authenticates itself to the server with a login name and password. When selecting TLS with client authentication, the client must also have a certificate in order to connect to the server. Client authentication has to be selected if account management is going to be used. In that case, there should be another Web Enrollment Service running without TLS client authentication, so that new users who do not yet have a TLS client certificate can use it to enroll their first certificate.
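As an added illustration (not part of the original documentation, and not the product's own configuration format), the following Python script checks an exported set of these settings against the constraints stated above: the bind address keeps the http scheme and carries a port, the CRL URL prefix has scheme, host and port and ends in a slash, and account management is only enabled together with TLS client authentication. The dictionary keys and the security mode names are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed sample of exported settings; key names and mode values are
# assumptions for this example, not the product's configuration schema.
EXAMPLE_SETTINGS = {
    "bind_address": "http://0.0.0.0:8080/",
    "crl_url_prefix": "http://enroll.big-corp.com:8080/",
    "security": "tls_client_auth",      # "http" | "tls" | "tls_client_auth"
    "account_management": True,
}


def _port(u):
    # urlsplit(...).port raises ValueError for a non-numeric or out-of-range
    # port; treat that the same as a missing port.
    try:
        return u.port
    except ValueError:
        return None


def check_bind_address(addr):
    # The bind address must start with http even when TLS is enabled, and
    # must state the port explicitly.
    u = urlsplit(addr)
    problems = []
    if u.scheme != "http":
        problems.append("bind address must start with http, even when TLS is used")
    if _port(u) is None:
        problems.append("bind address must include a valid port number")
    return problems


def check_crl_prefix(prefix):
    # An empty prefix is allowed (the service address is used instead).
    # Otherwise the prefix needs scheme, host and port and a trailing slash.
    if prefix == "":
        return []
    u = urlsplit(prefix)
    problems = []
    if u.scheme not in ("http", "https"):
        problems.append("CRL prefix must have an http or https scheme")
    if not u.hostname:
        problems.append("CRL prefix must name a host")
    if _port(u) is None:
        problems.append("CRL prefix must include a valid port number")
    if not prefix.endswith("/"):
        problems.append("CRL prefix must end in a slash")
    return problems


def check_security(security, account_management):
    # Account management is only available behind TLS client authentication.
    if account_management and security != "tls_client_auth":
        return ["account management requires TLS with client authentication"]
    return []


def validate_settings(s):
    return (check_bind_address(s["bind_address"])
            + check_crl_prefix(s["crl_url_prefix"])
            + check_security(s["security"], s["account_management"]))
```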
The CA that is used for issuing TLS server certificates has to be selected in the TLS server CA field. SSH Certifier Internal CA, which is created during the installation, can be used, but it is recommended to have a dedicated CA for this purpose. The same CA that is used for a protected Administration Service can be used. See Section Editing the Administration Service.
When the TLS settings of the Web Enrollment Service are turned on, the service creates a private key and enrolls a TLS server certificate for itself. Validity period length and Key size can be selected in the TLS Server Certificate Settings. The validity period will be included in the certification request. You can later re-issue the TLS server certificate with new parameters, for example, if you want to edit the certificate fields further, which is typically the case.
When TLS protection with client authentication is used, Client Authentication CAs must be set. These are the CAs that are accepted for issuing TLS client certificates for connecting to the Web Enrollment Service. If all CAs are trusted, click Trust all CAs. If only some CAs are trusted for this purpose, click Trust only selected CAs, select the CAs from the drop-down list, and click Add. Or click Trust all except selected CAs, select the CAs that are not trusted for this purpose, and click Add.
If TLS is used, Certificate status shows the status of the TLS certificate of the Service, and the certificate can be viewed by clicking View Certificate.
Accessible CAs is used to define the CAs of the system that are visible in the Web Enrollment Service. You might not want to have all CAs visible to every end user. It might also be the case that CAs form certain groups that are dedicated to certain organizations; each organization could then have its own dedicated Web Enrollment Service, which would show only its own CAs. If all CAs can be used with the Service, click All CAs. If only some CAs can be used, click Only selected CAs, select the CAs you want to use with the service from the drop-down list, and click Add. Or click All except selected CAs, select the CAs that cannot be used, and click Add.
User Interface Options
The options available on the web enrollment pages can be selected under User Interface Options. Selecting Generic shows most options on the enrollment pages. Selecting Restricted user interface shows only a limited number of options. The web enrollment pages can be further customized by clicking the Customize User Interface button. See Section Customizing the Web Enrollment Pages for details. If the pages have been customized, the User Interface Options will display Custom UI.
Entity Mapping is used to select the method used by the Web Enrollment Service to map an entity to a request. If an LDAP Authentication Service has been defined, it can be selected. Otherwise None or Pre-Shared Key can be selected.
Click the Continue button to accept changes made to the Service settings, or click Cancel to discard them. After clicking Continue, remember to Commit Changes on the Edit Server Entity page.