Requests
In this section, an operator can set policy for the following areas in the ADSS Web RA:
Certificate Signing Request (CSR) validation settings let you verify key ownership, the signature algorithm, the strength of the RSA public exponent and modulus, the absence of Debian weak keys, the key length and key reuse whenever a CSR is created on the web portal.
- To set up CSR validation policies, tick Enable CSR Validation. This reveals the individual validation options: Key Ownership, Signature Algorithm, Public Key Exponent & Modulus, Debian Weak Key, Public Key Reuse and Key Length.
- Each selected option is enforced at the time the CSR is generated. If any enabled policy is not satisfied, the certificate generation request cannot be completed.
Note: Once applied, these validation policies take effect across the whole application and are enforced whenever a CSR is created.
Expand Configurations > Policies > Requests from the left menu pane.
Enable CSR (Certificate Signing Request) Validation
To configure CSR validation policies, first select the 'Enable CSR Validation' checkbox. You can then tick any of the following checkboxes to configure the checks applied at CSR generation:
| Validation | Description |
|---|---|
| Verify the Key Ownership | Verifies that the requester is in possession of the private key matching the public key in the CSR (proof of possession). Checked at the time of CSR generation. |
| Verify the Public Key contains Valid Public Exponent and Modulus | Validates that the RSA public exponent and modulus are well-formed and of acceptable strength for the algorithm used in the CSR. |
| Verify the Public Key is not already used | Verifies that the public key has not appeared in a previously submitted request or in any issued, created or revoked certificate. |
| Verify the Key Length | Validates that the key length is in the list of allowed key lengths for the algorithm used in the CSR. |
| Verify the Signature Algorithm | Verifies that the CSR signature algorithm is either RSA or ECDSA. |
| Verify that Debian weak keys are not used | Validates that the CSR key was not generated by the vulnerable Debian OpenSSL package. A change made to Debian's OpenSSL package in 2006 crippled the seeding of its random number generator; the bug was discovered in 2008. Every key generated on an affected system during that period comes from a small, enumerable set and must not be used. |

Note: CSR validation policies are enforced only when Enable CSR Validation is ticked.
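As an added illustration of the checks in the table (example code written for this page, not code from the ADSS Web RA product), the following Python script uses the `cryptography` library to apply each policy to a PEM-encoded CSR. The allowed RSA sizes, the allowed curves and the exponent floor are assumptions. The Debian weak-key check is simplified to a lookup against a set of SPKI SHA-256 fingerprints (Debian's real openssl-blacklist data uses its own fingerprint format and would be loaded into that set), and the reuse check keeps an in-memory set of fingerprints of previously seen keys in place of the product's request and certificate database. The CSRs it validates are constructed inside the script.

```python
"""CSR policy checks: key ownership, algorithm, exponent/modulus, length,
Debian weak keys and key reuse. Added example; not the product's own code."""
import hashlib

from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa

# Policy knobs. These values are assumptions for the example; the product
# configures the allowed lengths in the Web RA console.
ALLOWED_RSA_SIZES = {2048, 3072, 4096}
ALLOWED_EC_CURVES = {"secp256r1", "secp384r1", "secp521r1"}
MIN_RSA_EXPONENT = 65537

# Known-bad keys by SPKI SHA-256 fingerprint. Constructed placeholder: a real
# deployment would populate this from Debian's openssl-blacklist data.
DEBIAN_WEAK_FINGERPRINTS = set()


def spki_fingerprint(public_key):
    """SHA-256 over the DER SubjectPublicKeyInfo identifies the key itself."""
    der = public_key.public_bytes(
        serialization.Encoding.DER,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    return hashlib.sha256(der).hexdigest()


def csr_fingerprint(pem):
    return spki_fingerprint(x509.load_pem_x509_csr(pem).public_key())


def validate_csr(pem, seen_fingerprints):
    """Return the names of the policies the CSR fails (empty list = accepted).

    seen_fingerprints stands in for the store of keys from earlier requests
    and certificates; every validated key is recorded in it."""
    csr = x509.load_pem_x509_csr(pem)
    pub = csr.public_key()
    failures = []

    # Key ownership: a CSR is self-signed with the requester's private key,
    # so a valid signature is the proof of possession.
    if not csr.is_signature_valid:
        failures.append("key_ownership")

    # Signature algorithm: only RSA or ECDSA requests are accepted.
    if not isinstance(pub, (rsa.RSAPublicKey, ec.EllipticCurvePublicKey)):
        failures.append("signature_algorithm")
        return failures  # the remaining checks assume RSA or EC

    if isinstance(pub, rsa.RSAPublicKey):
        nums = pub.public_numbers()
        # Exponent must be odd and not small; modulus must be odd (an even
        # modulus is trivially factorable) and of the advertised size.
        if nums.e < MIN_RSA_EXPONENT or nums.e % 2 == 0:
            failures.append("public_exponent")
        if nums.n % 2 == 0 or nums.n.bit_length() != pub.key_size:
            failures.append("modulus")
        if pub.key_size not in ALLOWED_RSA_SIZES:
            failures.append("key_length")
    elif pub.curve.name not in ALLOWED_EC_CURVES:
        failures.append("key_length")

    fp = spki_fingerprint(pub)
    if fp in DEBIAN_WEAK_FINGERPRINTS:
        failures.append("debian_weak_key")
    if fp in seen_fingerprints:
        failures.append("key_reuse")
    seen_fingerprints.add(fp)
    return failures


def _build_csr(private_key, cn="alice.example.com"):
    """Minimal CSR for the demo (constructed input, not a real request)."""
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
        .sign(private_key, hashes.SHA256())
    )
    return csr.public_bytes(serialization.Encoding.PEM)


def make_rsa_csr(key_size=2048, exponent=65537):
    return _build_csr(rsa.generate_private_key(public_exponent=exponent, key_size=key_size))


def make_ec_csr(curve=ec.SECP256R1()):
    return _build_csr(ec.generate_private_key(curve))


if __name__ == "__main__":
    seen = set()
    good = make_rsa_csr()
    weak = make_rsa_csr(key_size=1024, exponent=3)
    print("good:  ", validate_csr(good, seen))   # []
    print("weak:  ", validate_csr(weak, seen))   # ['public_exponent', 'key_length']
    print("reused:", validate_csr(good, seen))   # ['key_reuse']
```

The checks are ordered so that a CSR whose key is not RSA or EC is rejected before any RSA-specific arithmetic runs, and the fingerprint is recorded even when the request fails, matching the table's rule that a key from any previously submitted request counts as reused.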
PIN Password Policy
Expand Configurations > Policies > Requests from the left menu pane.
This default policy determines the rules for PIN values and governs the process users or operators follow when resetting these credentials.
When the operator enables it, it applies at the enterprise level: the selected settings and options are reflected automatically in the 'Policies' section of the Enterprise.
When the operator enables the ‘Enable PIN Password Policy’ checkbox, the following fields will appear.
| Field | Description |
|---|---|
| Minimum Password Length | Defines the minimum number of characters required for a valid password. |
| Include 1 or more lowercase characters | If enabled, the password must contain at least one lowercase character. |
| Include 1 or more uppercase characters | If enabled, the password must contain at least one uppercase character. |
| Include 1 or more special characters | If enabled, the password must contain at least one special character. |
PUK Password Policy
Expand Configurations > Policies > Requests from the left menu pane.
This default policy determines the rules for PUK values and governs the process users or operators follow when resetting these credentials.
When the operator enables it, it applies at the enterprise level: the selected settings and options are reflected automatically in the 'Policies' section of the Enterprise.
When the operator enables the ‘Enable PUK Password Policy’ checkbox, the following fields will appear.
| Field | Description |
|---|---|
| Minimum Password Length | Defines the minimum number of characters required for a valid password. |
| Include 1 or more lowercase characters | If enabled, the password must contain at least one lowercase character. |
| Include 1 or more uppercase characters | If enabled, the password must contain at least one uppercase character. |
| Include 1 or more special characters | If enabled, the password must contain at least one special character. |
Request Settings
Expand Configurations > Policies > Requests from the left menu pane.
This section allows operators to configure the permitted actions for certificate requests.
Checkbox - Allow operators to create certificates on behalf of the user and facilitate automatic assignment
If this policy is enabled, operators can generate certificates for users.
Note: If the certificate is being created for a user who does not exist in the system, a new account is created for the user along with the certificate.
If the user already has a registered account in the Web RA system, only the certificate is created, and the user is notified by email that it has been generated.
If the user exists in the system but is not a member of the enterprise in which the certificate is being created, the system sends the user an invitation to join that enterprise and generates the certificate as well.
Checkbox - Allow declined requests to be resubmitted
If this policy is enabled, users can resubmit a certificate request that was declined, correcting the required details and submitting the request again for approval.