Policy
Introduction
Certificate Signing Request (CSR) verification settings enable you to verify key ownership, the signature algorithm, the strength of the public key exponent and modulus, the absence of Debian weak keys, key lengths and key reuse when a certificate is requested via a CSR on the user portal.
How it Works
- To set up CSR validation policies, click Enable CSR Validation. This reveals further options that can be configured as validation policies: Key Ownership, Signature Algorithm, Public Key Exponent & Modulus, Debian Weak Key, Public Key Reuse and Key Length.
- Each selected option is enforced as a validation policy at the time of CSR generation. If any selected policy is not fulfilled, the certificate generation request cannot be completed.
Note: Once applied, these validation policies apply across all applications and are enforced upon creation of a CSR.
Enable CSR (Certificate Signing Request) Validation
To configure CSR validation policies, follow these steps:
- Tick the Verify the key ownership check box to verify, at the time of CSR generation, that the user who requested the certificate is in possession of the private key.
- Tick the Verify the signature algorithm check box to verify that the signature algorithm is either RSA or ECDSA.
- Tick the Verify the public key contains valid public exponent and modulus check box to validate the modulus and public exponent according to NIST SP 800-89.
- Tick the Verify that Debian weak keys are not used check box to validate that the CSR keys were not generated with a Debian weak key. Debian weak keys result from a bug introduced in the OpenSSL package in 2006 and discovered in 2008; all keys generated within that period are vulnerable and should not be used.
- Tick the Verify the public key is not already used check box to verify that the public key has not been used in previously submitted requests or in issued, created or revoked certificates.
- Tick the Verify key length check box to validate that the key length is in the list of allowed key lengths for the algorithm used in the CSR.
Note: CSR validation policies are only enforced when Enable CSR Validation is set.
Certificate Policy
This setting enables you to renew your certificate; when a certificate is renewed, its expiry date is updated to the new value.
This section has a drop-down that allows an operator to select a certificate policy for the entire system; no option is selected by default.
Basic Information

| Field | Description |
| --- | --- |
| None | Sets no policy for certificates in the system; a user cannot renew or rekey their certificates. |
| Renew Certificate | Allows a user to set the renew policy for certificates in the system. |
| Rekey Certificate | Allows a user to set the rekey policy for certificates in the system. |
Certificate Expiry Notifications
When an operator enables the Certificate Expiry Notification checkbox, the following fields will appear (as shown in the screenshot below):
Basic Information

| Field | Description |
| --- | --- |
| Before Expiry | Specify the number of days before a certificate expires at which the notification is sent. |
| Select Interval | Select the interval, in days, at which certificate expiry notifications are sent. |
| Select Time | Select the time at which the certificate expiry notification background job starts. |
| Send Certificate Expiry Notifications to Users | If an operator enables this check box, the system also sends notifications to the relevant users. |
Once the background job has completed at the configured time and interval, an email is sent to the operator to view the certificates that are about to expire (based on the selected configuration).
Users, in turn, receive an email as shown below:
After clicking the View Listing button, the administrator is redirected to the certificate listing screen, filtered to the certificates concerned.
If an admin has enabled password authentication, clicking the View Listing button in the email redirects the operator to the login page. After logging in successfully, the list of certificates is visible to the operator (as shown below).