Entrust Managed Services PKI Administrator Guide · 2016-10-03 · 4 Entrust Managed Services PKI...


Entrust Managed Services PKI™

Entrust Managed Services PKI Administrator Guide

Document issue: 3.0

Date of issue: May 2009


Copyright © 2009 Entrust. All rights reserved.

Entrust is a trademark or a registered trademark of Entrust, Inc. in certain countries. All Entrust product names and logos are trademarks or registered trademarks of Entrust, Inc. in certain countries. All other company and product names and logos are trademarks or registered trademarks of their respective owners in certain countries.

This information is subject to change as Entrust reserves the right to, without notice, make changes to its products as progress in engineering or manufacturing methods or circumstances may warrant.

Export and/or import of cryptographic products may be restricted by various regulations in various countries. Export and/or import permits may be required.

Obtaining technical support

For support assistance by telephone call one of the numbers below:

• 1-877-754-7878 in North America

• 1-613-270-3700 outside North America

You can also email Customer Support at:

[email protected]


Entrust Managed Services PKI Administrator Guide

Each Managed Services PKI organization requires an administrator—also known as a local registration authority (LRA)—whose duty it is to manage end-users and their certificates. This document describes the processes that the LRA must follow to:

• complete the creation of an administrator certificate

• set up end-users so that they can create their certificates

Account creation, account management, and end-user enrollment are performed through Entrust Authority™ Administration Services, which is available over the Web. Administration Services includes two web-based services: User Management and User Registration.

Administrators use the User Management service to create, modify, deactivate or reactivate accounts as well as perform other administrative functions.

End-users use the User Registration service to enroll for their certificates. Alternatively, if your organization is using Entrust Entelligence™ Security Provider (ESP) for Windows, end-users can install their certificates using ESP.

While users can use certificates without installing the ESP for Windows software, the additional features and benefits that ESP provides add significant value to your managed certificates environment. To learn about the added functions and capabilities, see Why you should use certificates with Entrust Entelligence™ Security Provider, available under the Resources tab at www.entrust.com/managed_services.

This guide includes the following sections:

• “Creating an administrator certificate” on page 4

• “Logging in to Administration Services” on page 9

• “Creating end-user accounts” on page 12

• “How end-users obtain a digital certificate” on page 17

• “Supported browsers and JRE” on page 18


Creating an administrator certificate

As an administrator, you need to enroll for an administrator certificate (digital ID) using a Web-based application called Administration Services. You can store your certificate on your desktop or on a smart card or token.

Before you start, ensure that you have a supported browser and Java runtime environment. See “Supported browsers and JRE” on page 18 for details.

Complete the following procedure to create an administrator certificate.

To create an administrator certificate

1 Access the Administration Services Web site using the URL provided by Entrust Managed Services PKI.

The following page appears.

2 Click Create Entrust digital ID in the left-hand menu.


The Create Entrust Digital ID page appears.

3 Depending on where you want to store your certificate, complete one of the following:


If you want to store your certificate in an Entrust desktop security store on your computer, do this:

1 Click Create Entrust Desktop Security Store.

The Create Entrust desktop security store page appears.

2 Click Browse.

A dialog box appears.

3 In the dialog box:

a Navigate to a location to save your digital ID. For example, C:\.

b In the File name field, enter a name for your digital ID and ensure it has the extension .epf. For example, Administrator.epf.

c Click Open.

The Entrust Desktop Security Store File Name field shows the path to your digital ID.

4 Enter your administrator reference number and authorization code in the Reference Number field and Authorization Code field respectively. This information is available from your Entrust Managed Services PKI welcome package.

5 Enter the password you want to use to protect your administrative profile in the Password field and enter it again in the Confirm Password field. Use this password to log in to Administration Services after you create your profile.

Note: Ensure you follow the on-screen password rules. The red X beside each rule changes to a green check mark as you type in characters that meet the rules.

6 Continue the procedure at the end of this table (Step 4 on page 8).

If you want to store your certificate within the Windows framework or on a smart card or token, do this:

1 Click Create Third-Party Security Store.

The Create Third-Party Security Store page appears.

2 Enter your administrator reference number and authorization code in the Reference Number field and Authorization Code field respectively. This information is provided to you by Entrust.

3 Optionally, to store your certificate on a smart card or token, select Store Entrust digital ID on a smart card. Ensure your smart card or token is connected to your computer.

4 Click Create Security Store.

Note: If storing on a smart card or token, follow your vendor’s prompts.

Administration Services creates the certificate. Once created, a success message appears.

You have successfully created your certificate.

5 Click Home from the left menu to return to the login page.


Logging in to Administration Services

Once you create your administrator profile as outlined in “Creating an administrator certificate” on page 4, you can use your certificate to log in to Administration Services, a Web-based application.

From Administration Services, you can create, modify, deactivate or reactivate accounts as well as perform other administrative functions.

Complete the following procedure to log in to Administration Services.

To log in to Administration Services

1 If you are not already on the login page, enter the Administration Services URL provided by Entrust Managed Services PKI into a browser.

The following page appears.

2 Depending on where you stored your certificate, do one of the following:


If you stored your certificate in the Entrust desktop security store on your computer, do this:

1 Click Browse to navigate to the location where you stored your administrator digital ID (.epf file) and click Open.

The file name and path appear in the Entrust Desktop Security Store File Name field. Select Remember Entrust Desktop Security Store File Name to retain the path.

2 Enter the password you created for your digital ID in Step 5 on page 7 and click Log in.

If you stored your certificate within the Windows framework or on a smart card or token, do this:

1 Click the Log in with my Third-Party Security Store link.

The Administrator Login - Third-Party Security Store page appears.

Note: If logging in with a smart card or token, ensure it is connected to your computer.

2 Click Display certificate list.

The Select Certificate dialog box appears, listing one or more digital certificates.

3 Select your certificate from the list and click OK.


Upon successful login, the following page appears.

From this page, you can perform various administrative tasks. This guide describes how to create a new user account for your end-users. You can also reset a user’s account if a password or digital ID is lost, and you can deactivate and reactivate accounts. For more information on these additional procedures, use the online help incorporated in the specific task page.


Creating end-user accounts

You must create an account for each end-user who needs a certificate. When you create a new user account, Administration Services generates a reference number and authorization code for that user. You must then securely provide this number and code to the target user so they can enroll for their certificate. The most secure approach is to send the reference number and authorization code separately using different secure methods.

If you need to create accounts for multiple users all at once, it is most convenient to create a bulk input file. For more information on creating accounts in bulk, see “Creating user accounts in batch” on page 16.

This topic includes:

• “Creating a single end-user account” on page 12

• “Creating user accounts in batch” on page 16

Creating a single end-user account

Administration Services provides many different methods to enroll for a certificate—administrators have the flexibility to insert themselves into the process as much or as little as necessary. For more information on the different types of enrollment methods, see the Entrust Authority Administration Services Installation and Configuration Guide.

This guide describes one of those enrollment methods for creating a single user account.

To create a new user account, complete the following procedure.

To create a single end-user account

1 Log in to Administration Services. For more information, see “Logging in to Administration Services” on page 9.

2 Click Create Account under Account Tasks in the main pane or under Tasks in the left-hand menu.


The initial Create Account page appears.

3 Leave the value for the User Type field as Person.

4 In the Certificate Type drop-down list, select Enterprise – Default. These certificates are used for authentication, encryption, and signing and can be stored in the Microsoft framework.

5 Click Submit.

A second Create Account page appears where you provide the user’s name and other information.


6 From the User Information section:

a Enter the end user’s first name and last name in the First Name and Last Name fields respectively.

b Optionally, fill in the Serial Number, Email, and Comment fields.

7 Optionally, from the Notification Email section, enter an email address if you want the user to receive account status notifications, which include emails that:

• indicate account registration

• provide the reference number the user needs to enroll for their certificate (you would still need to provide the user with the matching authorization code)

If the email address is the same as the one entered in the User Information section, select Same as above email address.

8 From the Group Membership section, select the member option. If no groups are configured, only the default group appears.

9 From the Role section, select End User from the drop-down list.

10 From the Location section, click Select the searchbase and select your company name from the drop-down list (an entry for your company was created in the directory when you signed up for Entrust Managed Services PKI). This specifies where to add the user in the Administration Services LDAP directory.

11 Click Submit.


The Create Account – Complete page appears. You have successfully created a user account.

This page lists the new user’s reference number and authorization code. Record this information and store it in a secure manner. Securely provide this information to the new user.

Creating user accounts in batch

If your administrator account role includes the “Create accounts in batch from a file” permission, the Create Accounts from File option is available. This option allows you to use an input file to submit multiple create account operations in one simple procedure.

For more information on creating user accounts in batch, see the Entrust Authority Administration Services Administration Guide.


How end-users obtain a digital certificate

Once you have created an end-user account as described in “Creating a single end-user account” on page 12, and provided the end-user with:

• the activation codes (reference number and authorization code)

• the URL to the User Registration Service (not applicable if using Entrust Entelligence Security Provider),

the end-user is now in the position to obtain their certificate.

Based on your organization’s deployment, end-users can use one of the following guides for instructions on obtaining their certificate:

Note: Guides are located under the Resources tab of www.entrust.com/managed_services.

• Getting an end-user Entrust certificate using Entrust Authority Administration Services

End-users should use this guide if Entrust Entelligence Security Provider is not installed on their desktops. This guide provides instructions on how end-users can get their certificate through a Web-based application called Administration Services.

• Getting an end-user Entrust certificate using Entrust Entelligence Security Provider

End-users should use this guide if Entrust Entelligence Security Provider is installed on their desktops.


Supported browsers and JRE

To access the Administration Services Web site, ensure that you are using one of the following browsers (or a later version) on a Microsoft® Windows® operating system: Microsoft® Internet Explorer 6.0, Mozilla® Firefox 1.5, Mozilla® 1.7.2 and 1.7.10, and Netscape® Navigator 8.0.

Entrust Authority Administration Services uses Entrust TruePass® technology to authenticate administrators. As a result, you must ensure that one of the following Java runtime environments (JRE) is installed, and that applicable browser settings are configured. With all supported Web browsers, you must allow cookies and enable both Java and JavaScript.

You can download the Sun JRE from the following site: http://www.java.com/download.

Browser: Microsoft Internet Explorer 6
Java Runtime Environment (JRE): Microsoft Java Virtual Machine (JVM), Sun JRE 1.4.1+ and 1.5+
Settings (Setting Name: Setting):

• First-party cookies: Accept or Prompt

• Allow per-session cookies (not stored): Enable or Prompt

• Active scripting: Enable or Prompt

• Scripting of Java applets: Enable or Prompt

• Third-party cookies: Block

Browser: Microsoft Internet Explorer 7
Java Runtime Environment (JRE) and settings: See Microsoft Internet Explorer 6

Browser: Mozilla Firefox 1.5
Java Runtime Environment (JRE): Sun JRE 1.4.1+ and 1.5+
Settings (Setting Name: Setting):

• Allow sites to set cookies: Enable

• Enable Java: Enable

• Enable JavaScript: Enable

• If pop-up blocker is enabled, allowed sites: Administration Services sites

Browser: Mozilla 1.7.2, 1.7.10
Java Runtime Environment (JRE): Sun JRE 1.4.2 and 1.5+
Settings: See Mozilla Firefox 1.5

Browser: Netscape Navigator 8.0
Java Runtime Environment (JRE): Sun JRE 1.4.2 and 1.5+
Settings (Setting Name: Setting):

• Enable cookies: Enable

• Enable Java: Enable

• Enable JavaScript: Enable
