Introduction


Certificate Signing Request (CSR) verification settings enables you to verify the key ownership, signature algorithm, strength of key exponents & modulus, Debian weak key, key lengths and key reuse while creating a CSR certificate on user's portal.


How it Works?


  1. To setup CSR validation policies, click on Enable CSR Validation, this will show up few more options to configure as validation policy including Key Ownership, Signature Algorithm, Public Key Exponent & Modulus, Debian Weak Key, Public Key Reuse and Key Length.
  2. On selection of one of the above configurations, that particular validation policy will be verified at the time of CSR generation. If one of the policies are not fulfil then the certificate generation request cannot be completed.

These validation policies once applied, will be applicable across all application, and will validate these upon creation of CSR.


Enable CSR (Create Signing Request) Validation


To configure CSR validation policies, follow these steps:


  1. Tick the Verify the key ownership check box to verify if the private key is in possession of the user who requested the certificate, at the time of CSR generation.
  2. Tick the Verify the signature algorithm check box to verify the signature algorithms must be either RSA or ECDSA.
  3. Tick the Verify the public key contains valid public exponent and modulus check box to verify if modulus and public exponent validation is based on [NIST SP 800-89].
  4. Tick the Verify that Debian weak keys are not used check box to validate if the CSR keys are not generated using Debian Weak keys. Debian weak keys are generated because of a bug introduced in openSSL package in 2006. The bug was founded in 2008. All keys generated within that period are vulnerable and should not be used.
  5. Tick the Verify the public key is not already used check box in previously submitted requests, issued, created or revoked certificates.
  6. Tick the Verify key length check box to validate if the key length is among the allowed list of key lengths against the algorithm used in the CSR.

1) CSR Validation policies only validates when Enable CSR Validation is set.

2) When one of the above CSR validation policies is configured in Web RA admin, it validates these policies while approving a certificate request from Web RA user's portal. If one of the CSR validation policies does not meet the criteria at the time of certificate request approval, enterprise RAO can decline the request by adding a declining reason.

3) If one of the validation policies does not meet, it appears on decline reason dialog as a declining reason. Furthermore, RAO can not proceed further to navigate on next screen.

4) If no validation policies failed, RAO can still decline a certificate request but there is no validation policy appears as a declining reason on decline dialog. A custom reason can be added though.

5) CSR based validation only applies on those certificate requests where either a CSR is imported by the user, or a certificate request created using a PKCS#10, USB/Smart Card Tokens, request for  Go> Sign using MSCAPI.


Certificate Policy


This setting enables you to renew your certificate, in case of renewing your certificate, the new expiry date will be updated. 


This section will have a drop down that will allow an operator to select a certificate policy for the entire system, no option will be selected by default. 


Basic Information

Field

Description

None

This field will set no policy for certificates in the system, a user cannot renew or rekey his certificates. 

Renew Certificate

This allows a user to set renew policy for certificates in the system.

Rekey Certificate 

This allows a user to set rekey policy for certificates in the system. 




Certificate Expiry Notifications 


When an operator enables the Certificate Expiry Notification checkbox, the following fields will appear (as shown in the screenshot below):




Basic Information

Field

Description

Before Expiry 

Specify number of days to receive notification before a certificate expires

Select Interval

Select the days for interval to send certificate expiry notifications

Select Time

Select the time to start certificate expiry notifications background job 

Send Certificate Expiry Notifications to Users

If an operator enables this checkbox, then system will send notifications to the relevant users 





Once a background job is completed after the configured time interval selected above, an email will be sent to the operator to view certificates that are about to expire (based on the selected configurations). 





However, a user will receive an email as shown below:





After clicking on the View Listing button, the administrator will be redirected to the certificate listing screen along with the filtered certificates. 




 If an admin enables the password authentication, then after clicking on the view listing button in the email, operator will be redirected to the login page. After logging in successfully. the list of certificates will be visible to the operator (as shown below).