Creating a User Certificate

Enroll

Users with the Officer role enroll an Issuing CA under an existing Root or Intermediate CA.

The result of this UI is always both private and public key for a new user.

Officers can generate two types of user certificates:

  • Soft token – storable in PFX, JKS or JCEKS keystores.

  • Hard token – storable in ePass or eToken hard tokens.

Soft Tokens are software-based authentication tokens (e.g., keystore files).

This means that they do not have any additional requirements and can be stored and used directly on the user’s system.

Note:

It is highly recommended to enable enhanced security when importing Soft Token.

Enhanced security enforces the entry of the Soft Token password on use. If Soft Token certificates are imported without enhanced security, anyone with access to your browser also has access to your certificates.

Hard Tokens are generated onto some hardware token (e.g., secure USB device or smart card).

This means that 2-factor authentication is enforced as a token, and the system can be separated at any time.

emCA supports Hard Token which supports either ePass configuration or eToken configuration.

The following image is an example of a Soft Token UI:

An Officer can choose from all certificate profiles available in his/her group. Depending on the certificate profile additional insert fields will be loaded in.

Viewing Certificate Profile Details

To view the details of a certificate profile, click the "View" button next to it. This will open the profile in a read-only view as displayed above.

The fields displayed will depend on the selected certificate profile.

Subject DN Details

For the Subject DN Details section, you must fill in all of the required fields. Optional fields can be left empty and will be ignored during certificate creation.

The information provided in this section will be used to generate the Subject Distinguished Name (Subject DN) of the certificate owner.

Other Details

For the Other Details section, you can leave the subscriber ID field empty, or enter your subscriber ID if you have one.

Select the Key Algorithm and Key Size for the user certificate.

Note: The Key Algorithm of the issuing CA does not limit the Key Algorithm of the user.

It is however recommended to avoid mixed-cryptography hierarchies because they require additional maintenance effort without real benefits.

For Soft Token, select the Keystore Type from the following options:

For Hard Token, select the Keystore Config from the following options:

For Soft Token, insert the password for the Soft Token into Password and confirm it in Confirm Password.

You can inspect the given password policy by hovering above

Note: Soft Token Password is only intended as a One-Time-Password (OTP). It is recommended to change the token password after receiving it.

For Hard Token, insert the PIN for the Hard Token into Token PIN.

Note: The Token PIN is the already established PIN on the Hard Token of your choice.

Click "Proceed" to Authenticate.

You will be prompted to authenticate using Username & Password or Token.

Authenticate using your Officer token and proceed by pressing Authenticate.

Click on "Create" to create the new user certificate.

Depending on the Key Algorithm and Key Size this may take several seconds.

Upon completion, a summary will be displayed. For Soft Tokens, this summary includes the following element:

Click on "Download Certificate" in order to retrieve the Soft Token of your choice.

PreviousExternal CA Certificate IssuerNextManaging CA Certificates

Last updated