In this section, an operator can set policy for the following areas in the ADSS Web RA:


  1. CSR Verification 
  2. Certificate Renewal Settings 
  3. Certificate Expiry 
  4. Device CA Certificate Expiry 
  5. Permanent Certificate Deletion 


Certificate Signing Request (CSR) verification settings allow you to verify key ownership, the signature algorithm, the strength of the public key exponent and modulus, Debian weak keys, key lengths and key reuse when a CSR is created on the web portal.


  1. To set up CSR validation policies, click Enable CSR Validation. This displays further options that can be configured as validation policy: Key Ownership, Signature Algorithm, Public Key Exponent & Modulus, Debian Weak Key, Public Key Reuse and Key Length.
  2. Each configuration you select is verified at the time of CSR generation. If one of the policies is not fulfilled, the certificate generation request cannot be completed.


Once applied, these validation policies are applicable across the application and are checked on every CSR creation.


Expand Configurations > Policy from the left menu pane.


Enable CSR (Certificate Signing Request) Validation


To configure CSR validation policies, first select the Enable CSR Validation checkbox. You can then tick the following checkboxes to configure the settings for CSR generation:


Enable CSR Validation

| Validation | Description |
| --- | --- |
| Verify the Key Ownership | Verify that the private key is in the possession of the user who requested the certificate at the time of CSR generation. |
| Verify the Public Key contains Valid Public Exponent and Modulus | Validate if the key length is among the allowed list of key lengths for the algorithm used in the CSR. |
| Verify the Public Key is not already used | Verify that the public key has not already been used in previously submitted requests or in issued, created or revoked certificates. |
| Verify the Key Length | Validate that the key length is among the allowed list of key lengths for the algorithm used in the CSR. |
| Verify the Signature Algorithm | Verify that the signature algorithm is either RSA or ECDSA. |
| Verify that Debian weak keys are not used | Validate that the CSR key was not generated by the weak Debian OpenSSL package. Debian weak keys result from a bug introduced in the Debian OpenSSL package in 2006 and discovered in 2008. All keys generated by the affected package in that period are vulnerable and should not be used. |




1) CSR validation policies are only checked when Enable CSR Validation is set.

2) When one of the above CSR validation policies is configured in the ADSS Web RA admin, the policies are validated while a certificate request from the ADSS Web RA user portal is being approved. If one of the CSR validation policies is not met at the time of certificate request approval, the enterprise RAO can decline the request by adding a decline reason.

3) If one of the validation policies is not met, it appears in the decline reason dialog as the reason for declining, and the RAO cannot proceed further.

4) If no validation policy failed, the RAO can still decline a certificate request, but no validation policy appears as a declining reason in the decline dialog. A custom reason can be added instead.

5) CSR-based validation only applies to certificate requests where either a CSR is imported by the user, or the certificate request is created using PKCS#10, a USB/smart card token, or a request for Go>Sign using MSCAPI.
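As an added example (not code from ADSS Web RA), the following Python checker uses the `cryptography` library to apply the six validations above to a PEM CSR and returns the list of policies it fails. The allowed key lengths, the exponent threshold and the weak-key fingerprint set are assumptions; `demo_csr` builds a constructed CSR for a made-up subject so the checker can be exercised.

```python
# Added example (not ADSS Web RA code): applies the six CSR validations the page lists.
# Assumptions: the allowed key lengths, the exponent threshold and the weak-key set.
import hashlib
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa

ALLOWED_KEY_LENGTHS = {"RSA": {2048, 3072, 4096}, "ECDSA": {256, 384, 521}}  # assumed policy

def key_fingerprint(csr_pem):
    """SHA-256 of the DER SubjectPublicKeyInfo: the lookup key for reuse and weak-key checks."""
    pub = x509.load_pem_x509_csr(csr_pem).public_key()
    der = pub.public_bytes(serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    return hashlib.sha256(der).hexdigest()

def check_csr(csr_pem, seen_keys=frozenset(), debian_weak_keys=frozenset()):
    """Return the names of the policies the CSR fails; an empty list means the CSR is acceptable."""
    csr = x509.load_pem_x509_csr(csr_pem)
    failed = []
    # Key Ownership: proof of possession is the CSR self-signature made with the private key.
    if not csr.is_signature_valid:
        failed.append("Key Ownership")
    pub = csr.public_key()
    if isinstance(pub, rsa.RSAPublicKey):
        alg, bits, nums = "RSA", pub.key_size, pub.public_numbers()
        # Exponent & Modulus: reject small or even exponents and an even modulus (assumed thresholds).
        if nums.e < 65537 or nums.e % 2 == 0 or nums.n % 2 == 0:
            failed.append("Public Key Exponent & Modulus")
    elif isinstance(pub, ec.EllipticCurvePublicKey):
        alg, bits = "ECDSA", pub.curve.key_size
    else:  # Signature Algorithm: anything other than RSA or ECDSA is rejected outright.
        return failed + ["Signature Algorithm"]
    if bits not in ALLOWED_KEY_LENGTHS[alg]:
        failed.append("Key Length")
    fp = key_fingerprint(csr_pem)
    if fp in seen_keys:  # Public Key Reuse: key seen in an earlier request or certificate
        failed.append("Public Key Reuse")
    if fp in debian_weak_keys:  # Debian Weak Key: fingerprint is on the weak-key blocklist
        failed.append("Debian Weak Key")
    return failed

def demo_csr(kind="rsa", bits=2048, exponent=65537):
    """Build a throwaway CSR for a constructed subject to exercise the checker."""
    if kind == "rsa":
        key = rsa.generate_private_key(public_exponent=exponent, key_size=bits)
    else:
        key = ec.generate_private_key({256: ec.SECP256R1(), 384: ec.SECP384R1()}[bits])
    name = x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, "device01.example.test")])
    csr = x509.CertificateSigningRequestBuilder().subject_name(name).sign(key, hashes.SHA256())
    return csr.public_bytes(serialization.Encoding.PEM)
```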


Certificate Renewal Policy Settings


This setting enables a user to renew a certificate; when a certificate is renewed, its new expiry date is updated.


This section has a drop-down that allows an operator to select a certificate policy for the entire system; no option is selected by default.


Basic Information

| Field | Description |
| --- | --- |
| None | Sets no policy for certificates in the system; a user cannot renew or rekey their certificates. |
| Renew Certificate | Allows a user to set the renew policy for certificates in the system. |
| Rekey Certificate | Allows a user to set the rekey policy for certificates in the system. |



Certificate Expiry Notifications 


When an operator enables the Certificate Expiry Notification checkbox, the following fields appear (as shown in the screenshot below):


Basic Information

| Field | Description |
| --- | --- |
| Before Expiry | Specify the number of days before a certificate expires at which a notification is sent. |
| Select Interval | Select the interval, in days, at which certificate expiry notifications are sent. |
| Select Time | Select the time at which the certificate expiry notifications background job starts. |
| Send Certificate Expiry Notifications to Users | If an operator enables this checkbox, the system also sends notifications to the relevant users. |


 

Once the background job completes at the interval configured above, an email is sent to the operator with a link to view the certificates that are about to expire (based on the selected configuration).


A user will receive an email as shown below:



After clicking the View Listing button, the administrator is redirected to the certificate listing screen with the filtered certificates.



If an administrator has enabled password authentication, then after clicking the View Listing button in the email the operator is redirected to the login page.



After logging in successfully, the list of certificates is visible to the operator.


Device CA Certificate Expiry 


When an operator enables the Device CA Certificate Expiry checkbox, the following fields appear (as shown in the screenshot below):


Basic Information

| Field | Description |
| --- | --- |
| Before Expiry | Specify the number of days before a Device CA certificate expires at which a notification is sent. |
| Select Interval | Select the interval, in days, at which Device CA certificate expiry notifications are sent. |
| Select Time | Select the time at which the Device CA certificate expiry notifications background job starts. |



Once the background job completes at the interval configured above, an email is sent to the operator with a link to view the Device CA certificates that are about to expire (based on the selected configuration).


A user will receive an email as shown below:



After clicking the View Listing button, the administrator is redirected to the certificate listing screen with the filtered certificates.


Click "Clear" to remove the filter; the following screen is displayed, where you can filter Device CA certificates by their issuance date or by the name of the operator to whom the certificate was issued:



Permanent Certificate Deletion 


ADSS Web RA allows an operator to set the permanent certificate deletion policy. The Delete Certificate Permanently policy removes the certificate, the request and all activity logs for that request and certificate permanently from the system. Once this policy is enabled, deleted information is not retrievable.


Enable Permanent Certificate Deletion 


  1. From the left menu pane, expand Configurations > Policy.
  2. Select the Enable Delete Certificate Permanently checkbox and click Save.



If this policy is enabled, the following permanent deletion dialog appears when an operator deletes a certificate request:



This means that all certificates and activities against this request are deleted permanently. Once deleted, the information can no longer be retrieved.


Disable Permanent Certificate Deletion 


  1. From the left menu pane, expand Configurations > Policy.
  2. Clear the Enable Delete Certificate Permanently checkbox and click Save.



If this policy is disabled, the following deletion dialog appears when an operator deletes a certificate request: