Info: This article is valid for Certificate Manager 8.1 and later.
The Certificate Issuing System (CIS)
...
in Smart ID Certificate Manager (CM) performs the signing of certificates and certificate revocation lists. CIS creates, uses, and deletes CA keys on demand from the Certificate Factory (CF).
This article describes how to configure the CIS. The description in the article is for Windows.
Configuration files
The configuration options for the CIS are set up in configuration files that are edited with a text editor. The configuration files are located in the directory <configuration_root>/config.
Prerequisites
Date, time and time zone settings (in the Control Panel) must be the same on both the CIS and the CF (Certificate Factory, that is, the CM servers).
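The following script is an added example, not part of the Smart ID CM documentation, that checks this prerequisite before you start editing configuration files: it reads the UTC time and time zone on the local host (assumed to run CIS) and on the CF host, and fails if the time zones differ or the clock skew exceeds a tolerance. It assumes PowerShell remoting (WinRM) to the CF host is enabled; the host name and the skew limit are placeholders.

```powershell
# Added example (not from the Smart ID CM documentation): compare clock and
# time zone between this host (running CIS) and the CF host.
# Assumes PowerShell remoting to the CF host is enabled and the caller has
# the rights to use it. Host name and tolerance are placeholders.
param(
    [string]$CfHost = 'cf01.example.local',   # placeholder CF server name
    [int]$MaxSkewSeconds = 5                   # placeholder tolerance
)

$local = [pscustomobject]@{
    Host     = $env:COMPUTERNAME
    Utc      = (Get-Date).ToUniversalTime()
    TimeZone = (Get-TimeZone).Id
}

# The same probe, run on the CF host. DateTime values survive remoting
# deserialization, so the subtraction below works on the result.
$remote = Invoke-Command -ComputerName $CfHost -ScriptBlock {
    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Utc      = (Get-Date).ToUniversalTime()
        TimeZone = (Get-TimeZone).Id
    }
}

# Skew includes the remoting round trip, so it slightly overstates the
# real offset; keep the tolerance above a few seconds for that reason.
$skew = [math]::Abs(($local.Utc - $remote.Utc).TotalSeconds)
$local, $remote | Format-Table Host, Utc, TimeZone -AutoSize

$ok = $true
if ($local.TimeZone -ne $remote.TimeZone) {
    Write-Warning "Time zone differs: $($local.TimeZone) vs $($remote.TimeZone)"
    $ok = $false
}
if ($skew -gt $MaxSkewSeconds) {
    Write-Warning ("Clock skew of {0:N1} s exceeds {1} s" -f $skew, $MaxSkewSeconds)
    $ok = $false
}
if (-not $ok) { exit 1 }
"Time settings on $($local.Host) and $($remote.Host) agree (skew {0:N1} s)" -f $skew
```

Run it from the CIS host; a non-zero exit code means the prerequisite is not met. Skew between the two hosts matters because certificate and CRL validity periods set by CF are checked against the CIS clock when CIS signs and when the two sides validate each other's TLS certificates.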
Step-by-step instruction
Option: Disable the CIS audit log
All certificate and CRL signing requests are optionally logged in the CIS. This log is digitally signed, so it is the tamper-evident record of what the CIS has signed; disable it only where another audit trail covers the same events.
- To disable the audit log, use the parameter cis.audit.logenabled in cis.conf.
- To specify the key to be used when signing the log entries, use cis.audit.logsignkey.
Configure TLS authentication between CIS and CF
You can configure two-way TLS authentication for the connection between a CIS and the Certificate Factory (CF). In such a configuration, CIS uses a TLS server certificate and a trust store that determines which TLS client certificates to accept, and CF uses a TLS client certificate and its own database as the trust store for which TLS server certificates to accept. These certificates and the corresponding keys can be stored either in soft tokens (PKCS#12 files) or in HSMs.
- Issue the TLS server certificate that CIS will present. This certificate can be issued either into a soft-token PKCS#12 file or onto a key in an HSM. For an example of how to issue certificates, see "Changing TLS Server Certificate" in the "Systems Administrators Guide", excluding the parts about changing any configuration files.
- Update cis.conf so that CIS uses the issued TLS server certificate. To do this, read the descriptions in cis.conf for the following configuration parameters, and update them appropriately:
  - ssl.file
  - ssl.cert
  - ssl.tokenlabel
  - ssl.pin
  - ssl.nopin
  - pkcs11.1
- Issue the TLS client certificate that CF will present when connecting to CIS. For an example of how to issue certificates, see "Changing TLS Server Certificate" in the "Systems Administrators Guide", excluding the parts about changing any configuration files. This certificate can also be issued either into a soft-token PKCS#12 file or onto a key in an HSM.
- Update the main configuration file, cm.conf, so that CF uses the issued TLS client certificate when connecting to CIS. To do this, read the descriptions in cm.conf for the following configuration parameters, and update them appropriately:
  - cis.ssl.file
  - cis.ssl.pin
  - cis.ssl.nopin
  - cis.ssl.tokenlabel
  - cisfailover.<n>.cis.ssl.file
  - cisfailover.<n>.cis.ssl.cert
  - cisfailover.<n>.cis.ssl.tokenlabel
  - cisfailover.<n>.cis.ssl.pin
  - cisfailover.<n>.cis.ssl.nopin
  - pkcs11.1
- Find the issuer of the TLS client certificate created in the previous step, that is, the CA certificate that signed it.
- Export this issuer certificate to a file.
- Update the trust store that CIS uses to validate incoming TLS client certificates by placing the exported issuer certificate file in the directory <configuration_root>/config/cistrust/. Trust is expressed at CA level, so every client certificate that chains to a CA in this directory is accepted; place only the CA that issues CF's client certificates there.
- No action is required for the other direction: to validate the TLS server certificate presented by CIS, CF examines all CAs it knows and considers the certificate trusted if the chain validates to a CA that CF recognizes.
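The script below is an added example, not part of the Smart ID CM documentation, that carries out the last three steps above on Windows with a check a practitioner would want before restarting anything: it loads CF's TLS client certificate (soft-token PKCS#12, or a plain certificate file exported for an HSM-held key), confirms by building the chain that the CA certificate you intend to trust really is the one that signed it, and only then exports that CA certificate in DER form into <configuration_root>/config/cistrust/. All paths are placeholders; the PKCS#12 password is prompted for at run time.

```powershell
# Added example (not from the Smart ID CM documentation): verify which CA
# issued CF's TLS client certificate and place that CA certificate in the
# CIS trust store directory. Paths are placeholders.
param(
    [string]$ClientCertFile    = 'C:\pki\cf-client.p12',   # placeholder: .p12/.pfx or .cer
    [string]$IssuerCertFile    = 'C:\pki\issuing-ca.cer',  # placeholder: CA you expect
    [string]$ConfigurationRoot = 'C:\CM\cis'               # placeholder <configuration_root>
)

$x509 = 'System.Security.Cryptography.X509Certificates'

# Soft token: open the PKCS#12 with a password. HSM-held key: the public
# certificate was exported to a file, so no password is involved.
if ($ClientCertFile -match '\.(p12|pfx)$') {
    $pfxPassword = Read-Host -Prompt 'PKCS#12 password' -AsSecureString
    $client = New-Object "$x509.X509Certificate2" -ArgumentList $ClientCertFile, $pfxPassword,
        ([System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
} else {
    $client = New-Object "$x509.X509Certificate2" -ArgumentList $ClientCertFile
}
$issuer = New-Object "$x509.X509Certificate2" -ArgumentList $IssuerCertFile

# Build the chain with the expected issuer supplied as an extra certificate.
# Chain building verifies the signature, so a wrong CA file fails here
# rather than at the first CF-to-CIS connection. Revocation is skipped and
# an unknown root is tolerated because the CA is typically CM's own.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.ExtraStore.Add($issuer) | Out-Null
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
if (-not $chain.Build($client) -or $chain.ChainElements.Count -lt 2) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "Client certificate '$($client.Subject)' does not chain to '$($issuer.Subject)'"
}
$foundIssuer = $chain.ChainElements[1].Certificate
if ($foundIssuer.Thumbprint -ne $issuer.Thumbprint) {
    throw "Client certificate was issued by '$($foundIssuer.Subject)', not by '$($issuer.Subject)'"
}

# Export the issuer as DER into cistrust. Only the issuing CA goes here; the
# client certificate itself is referenced from cm.conf (cis.ssl.*), not
# from the trust store.
$trustDir = Join-Path $ConfigurationRoot 'config\cistrust'
New-Item -ItemType Directory -Path $trustDir -Force | Out-Null
$outFile = Join-Path $trustDir ("{0}.cer" -f $issuer.Thumbprint)
Export-Certificate -Cert $issuer -FilePath $outFile -Type CERT -Force | Out-Null
"Placed issuer '{0}' ({1}) in {2}" -f $issuer.Subject, $issuer.Thumbprint, $outFile
```

The thumbprint comparison is what makes the check meaningful: matching subject names alone would accept a different CA that happens to carry the same name. After the file is in place, restart the CIS service as described under "After the configuration".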
After the configuration
- Restart the CIS service after saving the changes.
- If CIS is running within the CF service (see Configure the Certificate Factory in Certificate Manager), also restart CF after the CIS configuration changes.
...
...
Related information
...