Introduction


The General Settings of the Web RA application let an administrator or service provider configure the installation name, company name, public application URLs and other basic settings. The following sections describe each setting. To manage the general settings:

  1. Click Configurations in the left menu
  2. Click General Settings


General


Field

Description

Installation Name

The installation name is the application name shown in the browser title and in notification emails. You can keep the default name or change it to a name of your choice, e.g. Certificate Hub.

Company Name

Name of the company providing the service to end users. It appears in email notifications and in the Web RA Web status bar.

Support Email Address

Support email address shown in the application's error-message toaster. Users can write to this address if they find a problem with the application.

Admin Address (Public)

Public URL of the Web RA Admin instance. It is accessible to Web RA and Enterprise administrators over mutual TLS (client-certificate) authentication only.

If Web RA is deployed in a locked-down environment where the server itself has no internet access, but Enterprise Administrators are expected to manage their enterprises from outside the organisation, this address must still be reachable from the internet.

If Web RA sits behind a reverse proxy, load balancer or web application firewall (WAF), the TLS connection must not be terminated on that device: the administrator's client certificate would then never reach the application and the mutual TLS handshake fails. Configure the proxy at Layer 4 (TCP passthrough) so that the TLS session terminates on the Web RA Admin application server. A quick check from the outside is openssl s_client -connect <admin-host>:<port>; the output should list the CA names the server accepts for client certificates. If it reports "No client certificate CA names sent", the endpoint you reached did not request a client certificate, which usually means an intermediate device answered the handshake.

Web Address (Public)

Public URL of the Web RA Web instance, which all Web RA users access. It is used for the links in notification emails sent to end users.

API Address (Public)

Public URL of the Web RA API instance, used for Web API/RESTful API calls.

Enable password protection as a second factor authentication for administrators with the TLS client authentication

Administrators access the portal with their TLS client-authentication certificates. If additional assurance is required, enable this option to also require the administrator's password as a second factor after the TLS client authentication. An administrator who has not yet set a password is asked to set one after a successful TLS client authentication, and is then redirected to the login page to enter it.

If you do not want two-factor authentication for administrators, leave this check box unchecked.
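The Layer 4 requirement stated for Admin Address (Public) above, shown in code as an added example that is not part of the Web RA documentation or product: a minimal TCP passthrough relay in Go. The relay peeks only at the TLS record header to confirm it is forwarding a ClientHello, then copies bytes in both directions without ever terminating TLS, so the administrator's client certificate reaches the application server. All names (relayL4, handle, the echo loop in main) and the byte strings are constructed for this example.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"sync"
)

// looksLikeTLSClientHello checks the first six bytes a client sends. A TLS
// ClientHello starts with a record header: content type 0x16 (handshake),
// legacy record version 0x03 0x0N (SSL 3.0 .. TLS 1.3 use 0x0300..0x0304),
// a two-byte length, then the handshake message type 0x01 (client_hello).
// This is as deep as a layer-4 proxy looks: it never decrypts or terminates.
func looksLikeTLSClientHello(hdr []byte) bool {
	if len(hdr) < 6 {
		return false
	}
	return hdr[0] == 0x16 && hdr[1] == 0x03 && hdr[2] <= 0x04 && hdr[5] == 0x01
}

// halfClose signals EOF for one direction where the transport supports it
// (TCP CloseWrite); in-memory pipes only support a full Close.
func halfClose(c net.Conn) {
	if hc, ok := c.(interface{ CloseWrite() error }); ok {
		_ = hc.CloseWrite()
		return
	}
	_ = c.Close()
}

// relayL4 copies bytes between client and backend in both directions and
// returns how many bytes went each way. TLS records pass through untouched,
// so the handshake, client certificate included, completes on the backend
// (the Web RA Admin application server). A layer-7 proxy would instead call
// tls.Server(client, cfg) here, finish the handshake itself and open a new
// connection to the backend, which would then see the proxy, not the administrator.
func relayL4(client, backend net.Conn) (toBackend, toClient int64) {
	var wg sync.WaitGroup
	wg.Add(2)
	go func() {
		defer wg.Done()
		toBackend, _ = io.Copy(backend, client)
		halfClose(backend)
	}()
	go func() {
		defer wg.Done()
		toClient, _ = io.Copy(client, backend)
		halfClose(client)
	}()
	wg.Wait()
	return toBackend, toClient
}

// handle is the per-connection entry point for a real TCP listener (call it
// for each accepted connection). It peeks at the ClientHello, dials the
// backend, replays the peeked bytes and relays the rest; non-TLS traffic is dropped.
func handle(client net.Conn, backendAddr string) error {
	defer client.Close()
	hdr := make([]byte, 6)
	if _, err := io.ReadFull(client, hdr); err != nil {
		return err
	}
	if !looksLikeTLSClientHello(hdr) {
		return fmt.Errorf("not a TLS ClientHello: % x", hdr)
	}
	backend, err := net.Dial("tcp", backendAddr)
	if err != nil {
		return err
	}
	defer backend.Close()
	if _, err := backend.Write(hdr); err != nil {
		return err
	}
	relayL4(client, backend)
	return nil
}

func main() {
	// Stand-alone demo over in-memory pipes; an echo loop stands in for the backend.
	clientEnd, proxyIn := net.Pipe()
	proxyOut, backendEnd := net.Pipe()
	go func() { defer backendEnd.Close(); _, _ = io.Copy(backendEnd, backendEnd) }()
	go relayL4(proxyIn, proxyOut)
	// Constructed: a TLS record header plus client_hello type byte, not a real ClientHello.
	msg := []byte{0x16, 0x03, 0x01, 0x00, 0x03, 0x01, 0xAA, 0xBB}
	_, _ = clientEnd.Write(msg)
	got := make([]byte, len(msg))
	_, _ = io.ReadFull(clientEnd, got)
	clientEnd.Close()
	fmt.Printf("ClientHello header recognised: %v; %d bytes relayed back unchanged: %v\n",
		looksLikeTLSClientHello(msg), len(got), string(got) == string(msg))
}
```

The point of the example is what the relay does not do: it never calls into crypto/tls, so it has no certificate of its own to present and nothing to decrypt. A Layer 7 proxy, by contrast, must complete the handshake itself, and the application server then only ever sees the proxy's connection, which is exactly why mutual TLS to Web RA Admin breaks when the connection is terminated in front of it.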


Session Management


Field

Description

Access Token Expiry (mins)

Lifetime of the access tokens issued for OAuth API communication. The default is 1440 minutes (24 hours).

User Session Timeout (mins)

If a Web RA Web session is idle for the configured number of minutes, the user is logged out automatically so that an unattended session cannot be taken over by someone else. The user must log in again to continue.

Email Link Expiry (mins)

Lifetime, in minutes, of the links that are sent to end users in emails. An expired link can no longer be used.

Refresh Token Expiry Time (Days) 

Lifetime of the refresh tokens issued for OAuth API communication. The default is 1 day. Note that the default access-token lifetime (1440 minutes) is also 24 hours, so with both defaults a refresh token does not outlive the access token it would renew; shorten the access token expiry if refresh tokens are meant to serve their purpose.


Vetting Method Configuration


Field

Description

Vetting Method Settings

Certificate requests can be vetted (approved or rejected) by an administrator before they are fulfilled. The vetting method is configured system-wide from the drop-down. The default, Manual Vetting, enables vetting: administrators see pending requests and process them manually. The other option is None, in which case certificates are issued without any administrator vetting; choose it only where the request source itself provides sufficient assurance of the requester's identity.

Data Security


Field

Description

Enable Key Encryption Key (KEK) to secure sensitive data

By default the application generates a random Key Encryption Key (KEK) for each installation and stores it in the database. The KEK encrypts the Data Encryption Key (DEK), which in turn encrypts the sensitive information in the database, e.g. user credentials and other key material. Note that with this default the KEK sits in the same database as the data it protects, which is the weakness the HSM option addresses.

For enhanced security you can instead generate the KEK in an HSM through ADSS Server and, by enabling this option, configure Web RA to use that KEK from ADSS Server.

If the KEK is lost, the data encrypted under it cannot be recovered, and Ascertia cannot help to recover the key; it is a single point of failure. Put a proper backup mechanism for the KEK in place to avoid such problems.

Encryption Server

The ADSS Server instance used to encrypt (wrap) the Data Encryption Key (DEK) when the KEK is held in the HSM.
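The KEK/DEK arrangement described above (Enable Key Encryption Key and Encryption Server), as an added example that is not Web RA's or ADSS Server's code: envelope encryption in Go, with AES-256-GCM standing in for whatever algorithms the product uses. The KEK wraps a per-record DEK, the DEK encrypts the sensitive value, losing the KEK makes the value unrecoverable, and rotating the KEK re-wraps the DEK without touching the data ciphertext. The labels, record layout and sample password are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// GCM additional-data labels: a wrapped DEK can never be accepted as an
// encrypted field or vice versa (illustrative names, not Web RA's).
const aadWrappedDEK, aadField = "example:wrapped-dek", "example:sensitive-field"

// Record is what the database would hold for one protected value.
type Record struct {
	WrappedDEK []byte // DEK encrypted under the KEK
	Ciphertext []byte // sensitive value encrypted under the DEK
}

// randBytes returns n cryptographically random bytes; failure is unrecoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts with AES-256-GCM and prepends the random nonce.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; a wrong key, wrong label or altered byte fails.
func aeadOpen(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Protect generates a fresh DEK, encrypts the value under it and wraps the DEK under the KEK.
func Protect(kek, plaintext []byte) (Record, error) {
	dek := randBytes(32) // AES-256 data key, unique to this record
	ct, err := aeadSeal(dek, plaintext, []byte(aadField))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := aeadSeal(kek, dek, []byte(aadWrappedDEK))
	return Record{WrappedDEK: wrapped, Ciphertext: ct}, err
}

// Reveal unwraps the DEK with the KEK and decrypts the value. Without the KEK the
// DEK, and so the data, is unrecoverable: the single point of failure the page warns about.
func Reveal(kek []byte, r Record) ([]byte, error) {
	dek, err := aeadOpen(kek, r.WrappedDEK, []byte(aadWrappedDEK))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return aeadOpen(dek, r.Ciphertext, []byte(aadField))
}

// RotateKEK re-wraps the DEK under a new KEK; the data ciphertext is untouched,
// which is the operational benefit of the two-tier design.
func RotateKEK(oldKEK, newKEK []byte, r Record) (Record, error) {
	dek, err := aeadOpen(oldKEK, r.WrappedDEK, []byte(aadWrappedDEK))
	if err != nil {
		return Record{}, fmt.Errorf("unwrap DEK: %w", err)
	}
	wrapped, err := aeadSeal(newKEK, dek, []byte(aadWrappedDEK))
	return Record{WrappedDEK: wrapped, Ciphertext: r.Ciphertext}, err
}

func main() {
	kek := randBytes(32)
	rec, _ := Protect(kek, []byte("constructed sample: LDAP bind password"))
	pt, err := Reveal(kek, rec)
	fmt.Printf("with the KEK: %q (err=%v)\n", pt, err)
	_, err = Reveal(randBytes(32), rec) // any other key stands in for "the KEK was lost"
	fmt.Printf("without the KEK: %v\n", err)
	rotated, _ := RotateKEK(kek, randBytes(32), rec)
	fmt.Println("data ciphertext unchanged by rotation:", string(rotated.Ciphertext) == string(rec.Ciphertext))
}
```

Two design points carry over to the product setting: the KEK is only ever used to unwrap the DEK, so holding it in an HSM (the ADSS Server option) keeps the one key that everything depends on out of the database, and because rotation only re-wraps the DEK, backing up the KEK is what matters for recovery, not re-encrypting the data.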



Dual Control


Field

Description

Enable Dual Control on Certificate Request Management

Dual control is disabled by default. When enabled, certificate requests raised by one Registration Authority Officer (RAO) are reviewed by a different RAO.

Dual control applies to certificate requests only, not to application configuration changes.