Managing User Certificates

The Web Enrollment Service can be configured to allow account management capabilities for end users including suspension of the user certificates. These services require TLS-protected web enrollment connections. Also, account management has to be specifically enabled in the Web Enrollment Service configuration page. See Section Customizing the Web Enrollment Pages.

Password or TLS client authentication can be used for logging in to the account-management-enabled Web Enrollment Service.

If password authentication is used, the Email address and Account Password attributes of the entity are used in authentication. See Section Entity Attributes.

If TLS client authentication is used, a pre-shared key needs to be generated for an entity by a Certifier operator. See Section Adding and Modifying Pre-Shared Keys. This key has to be distributed to the user, and the user has to enter it in the web enrollment page. Remember that TLS protection is needed for confidentiality when shared keys are used in the enrollment. In effect, using TLS client authentication requires setting up two Web Enrollment Services, one for requesting the TLS client certificate and another for the actual account management. When the certificate is issued, it is associated with the entity and can be used to log in to the Web Enrollment Service.

Registering a New Account

If allowed by the Web Enrollment Service, a user can send registration information (including an e-mail address) through the Web Enrollment Service. Based on this information, SSH Tectia Certifier creates an entity and a pre-shared key for the user and sends the pre-shared key to the given e-mail address.

Clicking the Register menu item on the main page opens the Register New User Account page. On this page the user can give a name, e-mail address, and password for the user account. The information is sent to SSH Tectia Certifier when the user clicks the Submit button.

Enrolling New Certificates for the Entity

When a user has logged in using an account, the user can make certification requests, which can be approved automatically based on the valid user entity.

Note, however, that if the CA policy has been set to issue certificates automatically for valid entities, the certificate is issued regardless of any PSK use count. If this needs to be limited, the correct option is to use the Automatically issue with valid PSK policy module. See Section Policy Modules.

Your Account

The Your Account main menu item is available when the user has logged in to the Web Enrollment Service using an account. Clicking the menu item displays all pending requests and issued certificates of the user. Not all of the certificates are necessarily stored in the certificate storage of the browser (for example, VPN certificates enrolled with PKCS #10). However, these certificates can also be viewed if they are associated with the user entity through pre-shared keys.

A certificate can be viewed in detail by clicking the View Certificate button. On the Certificate page, the certificate can be suspended by clicking the Revoke button. This should be done if the user suspects that someone may have a copy of the private key. If the certificate that is used for TLS client authentication is suspended, the user can no longer log in either.

Note that instead of revocation, the certificate is actually suspended. From the user's point of view, this is essentially the same as revocation. However, the Certifier operator retains the option to reactivate the certificate if the user suspended it by mistake.

The user can log out from the account by clicking Close Session on the Main Page.

Self-Revocation Using a PSK

If allowed by the Web Enrollment Service settings, users can suspend their certificates by using a pre-shared key. The Web Enrollment Service must use TLS protection for this option to work. See Section Customizing the Web Enrollment Pages.

If revocation is allowed, the Revoke Certificate option is shown on the enrollment pages. Clicking this option opens the Revoke Certificates With Pre-Shared Key page, where the PSK can be given. When the pre-shared key is entered and the Show All Certificates button is clicked, the certificates enrolled with the PSK are displayed.

Clicking View Certificate will display the Revoke Your Certificate page where the contents of the certificate are shown in detail. Clicking Revoke on this page will suspend the certificate. Clicking Cancel will return to the previous page.

Note that instead of revocation, the certificate is actually suspended. From the user's point of view, this is essentially the same as revocation. However, the Certifier operator retains the option to reactivate the certificate if the user suspended it by mistake.
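The distinction between suspension and revocation made in this section and in Your Account above is visible to relying parties only through the CRL: in standard X.509 (RFC 5280) a suspended certificate is listed with the reason code certificateHold, which the CA may later lift, whereas other reason codes are permanent. The following Python script is an added example, not part of the Certifier manual or product, showing how a relying party can tell the two cases apart and check that the CRL is actually signed by the CA before trusting it. It uses the `cryptography` library; the CA name and the serial numbers 1001 and 1002 are constructed sample values, and the manual does not state which reason codes Certifier itself writes.

```python
"""Added example (not from the Certifier manual): classify CRL entries as
suspended (certificateHold, reversible) or permanently revoked.

A throw-away CA key and a CRL with two constructed entries are built in
memory so the script runs offline. Requires the `cryptography` package.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

SUSPENDED = "suspended (certificateHold, operator may reactivate)"
REVOKED = "revoked (permanent)"
NOT_LISTED = "not on CRL"


def build_sample_crl():
    """Return (crl_pem, ca_public_key_pem) for a constructed sample CRL."""
    now = datetime.datetime.now(datetime.timezone.utc)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    # Constructed CA name; not a real Certifier installation.
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Sample Certifier CA")])

    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer)
        .last_update(now)
        .next_update(now + datetime.timedelta(days=1))
    )
    # Serial 1001 (constructed): the user clicked Revoke in the enrollment
    # pages, so the CA put the certificate on hold rather than revoking it.
    on_hold = (
        x509.RevokedCertificateBuilder()
        .serial_number(1001)
        .revocation_date(now)
        .add_extension(x509.CRLReason(x509.ReasonFlags.certificate_hold), critical=False)
        .build()
    )
    # Serial 1002 (constructed): an operator revoked permanently for key compromise.
    permanent = (
        x509.RevokedCertificateBuilder()
        .serial_number(1002)
        .revocation_date(now)
        .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
        .build()
    )
    crl = (
        builder.add_revoked_certificate(on_hold)
        .add_revoked_certificate(permanent)
        .sign(ca_key, hashes.SHA256())
    )
    pub_pem = ca_key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo
    )
    return crl.public_bytes(serialization.Encoding.PEM), pub_pem


def crl_signed_by(crl_pem: bytes, ca_public_key_pem: bytes) -> bool:
    """A CRL that does not verify against the CA key must not be trusted."""
    crl = x509.load_pem_x509_crl(crl_pem)
    pub = serialization.load_pem_public_key(ca_public_key_pem)
    return crl.is_signature_valid(pub)


def classify(crl_pem: bytes, serial: int) -> str:
    """Map a certificate serial to SUSPENDED, REVOKED or NOT_LISTED."""
    crl = x509.load_pem_x509_crl(crl_pem)
    entry = crl.get_revoked_certificate_by_serial_number(serial)
    if entry is None:
        return NOT_LISTED
    try:
        reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    except x509.ExtensionNotFound:
        # RFC 5280: a missing reasonCode means "unspecified", i.e. not a hold.
        reason = x509.ReasonFlags.unspecified
    return SUSPENDED if reason == x509.ReasonFlags.certificate_hold else REVOKED


if __name__ == "__main__":
    crl_pem, ca_pub_pem = build_sample_crl()
    print("CRL signature valid:", crl_signed_by(crl_pem, ca_pub_pem))
    for serial in (1001, 1002, 1003):
        print(serial, "->", classify(crl_pem, serial))
```

A relying party should treat a certificateHold entry exactly like a revoked one for access decisions, which matches the manual's statement that suspension is equivalent to revocation from the user's point of view; the difference only matters to the operator, who can drop the entry from the next CRL instead of keeping it listed permanently.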
