
PKCS #10 Enrollment

Web-form-based PKCS #10 enrollment is the simplest enrollment option supported by SSH Tectia Certifier. However, it requires more manual work than SCEP and CMP. Most of the VPN end-entity applications and devices support this method if they do not include an SCEP client.

In this enrollment method an end entity generates a key pair and a base-64-encoded (PEM-encoded) PKCS #10 certification request in a file. The PKCS #10 request is then pasted into the web form and submitted to the Web Enrollment Service. The Enrollment Service parses the request and forwards it to Certifier Engine, which performs the policy processing (ending in approval or denial). Shared secrets can be given in the web form to enable automatic user authentication; in that case, however, TLS has to be enabled to provide confidentiality for the secret. If the policy requires manual administrator approval, the user needs to download the certificate later, after it has been approved.

SSH Tectia Certifier offers a default HTML page, enroll-form-start.html, for submitting PKCS #10 requests.

Figure: PKCS #10 enrollment form

Several client applications generate a text file containing the PKCS #10 request after the key generation. The PKCS #10 request looks something like the following example:

-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

When this string is pasted into the enrollment form and submitted, the request is processed in Engine. If Engine cannot issue the certificate automatically, a polling ID is given to the end entity. This ID can later be used to poll for the issued certificate. The default polling page in the Web Enrollment Service is enroll-poll.html.
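As an added example (not part of this manual or the Certifier product), the following shell functions produce the key pair and PEM-encoded PKCS #10 request file described above and check it locally before it is pasted into the form. It assumes OpenSSL is installed; the subject DN and file names are constructed for the example.

```shell
#!/bin/sh
# Generate a key pair plus a PEM-encoded PKCS #10 request, then verify the
# request locally before submitting it to the Web Enrollment Service.
set -eu

make_pkcs10_request() {
    key_file="$1"; req_file="$2"; subject="$3"
    # -nodes writes the private key unencrypted, so restrict file permissions
    # before the key is created. Subject DN is a constructed example value.
    umask 077
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$key_file" -out "$req_file" -subj "$subject" 2>/dev/null
}

# Pre-submission check: both PEM headers must be present and the request's
# self-signature must verify (proof that the requester holds the private key).
check_pkcs10_request() {
    req_file="$1"
    grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$req_file" || return 1
    grep -q -- '-----END CERTIFICATE REQUEST-----' "$req_file" || return 1
    openssl req -in "$req_file" -noout -verify >/dev/null 2>&1
}

# Show the subject DN the Enrollment Service will parse out of the request,
# so it can be compared against the policy before the form is submitted.
request_subject() {
    openssl req -in "$1" -noout -subject
}

if [ "${1:-}" = "run" ]; then
    make_pkcs10_request ee.key ee.csr "/C=FI/O=Example Corp/CN=vpn-gw1.example.com"
    check_pkcs10_request ee.csr && request_subject ee.csr
fi
```

The contents of ee.csr are what gets pasted into enroll-form-start.html; ee.key stays on the end entity.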
