Manage User Certificates

Officers manage user certificates through the "Manage User Certificate" feature in the Officer module: enrolling, revoking, suspending, reinstating, searching, signing certificate signing requests (CSRs), and manually authorizing them.

Enroll

Officers can generate user certificates and keys manually using the following UI.

User certificates are any non-CA and non-role owner certificates in the emCA Application database.

This UI always produces both the private key and the certificate (public key) for the new user.

Officers can generate two types of user certificates:

  • Soft token – storable in PFX, JKS or JCEKS keystores.

  • Hard token – storable in ePass or eToken hard tokens.

Soft Tokens are software-based authentication tokens (e.g., keystore files).

This means that they do not have any additional requirements and can be stored and used directly on the user’s system.

Information:

It is highly recommended to enable enhanced security when importing a Soft Token.

Enhanced security enforces the entry of the Soft Token password on use. If Soft Token certificates are imported without enhanced security, anyone with access to your browser also has access to your certificates.

Hard Tokens are generated onto some hardware token (e.g., secure USB device or smart card).

This means that two-factor authentication is enforced, since the token and the system can be separated at any time.

emCA supports Hard Tokens with either an ePass configuration or an eToken configuration.

An Officer can choose from all certificate profiles available in his/her group. Depending on the certificate profile, additional input fields are loaded. The following image is an example of a Soft Token UI:

Viewing Certificate Profile Details

To view the details of a certificate profile, click the "View" button next to it. This will open the profile in a read-only view.

The fields displayed will depend on the selected certificate profile. Required fields are marked with a *.

Subject DN Details:

For the Subject DN Details section, you must fill in all of the required fields. Optional fields can be left empty and will be ignored during certificate creation.

The information provided in this section will be used to generate the Subject Distinguished Name (Subject DN) of the certificate owner.

Other Details:

For the Other Details section, you can leave the subscriber ID field empty, or enter your subscriber ID if you have one.

Select the Key Algorithm and Key Size for the user certificate. The following options are available:

Information:

The Key Algorithm of the issuing CA does not limit the Key Algorithm of the user.

It is however recommended to avoid mixed-cryptography hierarchies because they require additional maintenance effort without real benefits.

For Soft Token, select the Keystore Type from the following options:

For Hard Token, select the Keystore Config from the following options:

For Soft Token, insert the password for the Soft Token into Password and confirm it in Confirm Password.

You can inspect the given password policy by hovering above

Information:

Soft Token Password is only intended as a One-Time-Password (OTP). It is recommended to change the token password after receiving it.

For Hard Token, insert the PIN for the Hard Token into Token PIN.

Information:

The Token PIN is the already established PIN on the Hard Token of your choice.

Click "Proceed" to continue.

You will be prompted to authenticate the save action.

Authenticate using your Officer token and proceed by pressing Authenticate.

Click on "Create" to create the new user certificate.

Depending on the Key Algorithm and Key Size this may take several seconds.

Upon completion, a summary will be displayed. For Soft Tokens, this summary includes the following element:

Click on "Download Certificate" in order to retrieve the Soft Token of your choice.

Revoke/Suspend

An Officer can revoke or suspend user certificates of his/her group manually, if necessary, using this UI.

Revocations or suspensions of certificates may become necessary if keys have been compromised or access must be suspended temporarily for validation purposes.

Select a search criterion from the dropdown box on the left. The following search criteria are available:

  • Serial Number – the serial number of the user certificate.

  • Common Name – the common name (CN) of the user certificate.

  • Issuer Name – the CN of the issuer (= CA) of the user certificate.

  • Subscriber Id – the subscriber ID used to create the user certificate.

For all search criteria except Issuer Name, the search value can be inserted in the right field.

For Issuer Name, the right field changes to a dropdown box from which you can select any existing CA name.

The following image displays an example of filtering for a specific issuer:

View Certificate

Revoke the certificate

Select one of the following revocation reasons from the dropdown list.

Information:

Suspension (= Certificate Hold) is a special revocation reason.

Certificates which are suspended can be reinstated at a later point in time.

Warning:

Suspended certificates will be automatically revoked after 15 days of suspension.

Please add a comment in the "Remarks" section explaining the reason for revoking or suspending the certificate.

Click on "Confirm" to continue.

You will need to authenticate the revocation using your Officer token and proceed by pressing the Authenticate button.

Click on "Revoke" to proceed with the revocation process.

Reinstate

An officer can manually reinstate suspended user certificates for their group using this UI. Reinstated certificates will be removed from the next corresponding CRL.

Select a search criterion from the dropdown box on the left. The following search criteria are available:

  • Serial Number – the serial number of the user certificate.

  • Common Name – the common name (CN) of the user certificate.

  • Issuer Name – the CN of the issuer (= CA) of the user certificate.

  • Subscriber Id – the subscriber ID used to create the user certificate.

For all search criteria, except Issuer Name, enter the search value in the right field. However, when searching for Issuer Name, the right field becomes a dropdown box containing all existing CA names.

The following image displays an example for filtering for a specific issuer:

View Certificate

Reinstate the certificate

Please explain in the Remarks section why the certificate is being reinstated.

Click "Confirm", authenticate with the Officer token, then press "Authenticate".

To proceed with the reinstatement process, please click on the "Reinstate" button.
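The Revoke/Suspend and Reinstate sections above describe a lifecycle: a suspended certificate (revocation reason Certificate Hold) is either reinstated, after which it is removed from the next CRL, or revoked for good once the 15-day limit is reached. The following is an added example, not emCA's own code, that models that lifecycle as a small state machine so the CRL contents at any point in time can be reasoned about. It uses only the Python standard library; the certificate records are constructed. Two assumptions are labelled in the code: the 15-day limit is measured from the suspension time, and the automatic revocation is recorded with the CRLReason "unspecified", since the page names no reason for it.

```python
"""Added example (not emCA's code): suspension / reinstatement / revocation lifecycle
as described in the Revoke/Suspend and Reinstate sections, with the CRL view at a
given time. Standard library only; all records below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# CRLReason codes from RFC 5280, section 5.3.1
CRL_REASON = {"unspecified": 0, "keyCompromise": 1, "affiliationChanged": 3,
              "superseded": 4, "cessationOfOperation": 5, "certificateHold": 6}
HOLD_LIMIT = timedelta(days=15)  # "automatically revoked after 15 days of suspension"
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time for the demo


@dataclass
class CertRecord:
    serial: str
    status: str = "valid"              # valid | suspended | revoked
    reason: Optional[str] = None
    since: Optional[datetime] = None   # when the current status was entered
    remarks: List[str] = field(default_factory=list)


def _require_remark(remark):
    # The UI asks for a Remarks entry on every revoke/suspend/reinstate; enforce it here too.
    if not remark or not remark.strip():
        raise ValueError("a Remarks entry explaining the action is required")


def suspend(rec, now, remark):
    _require_remark(remark)
    if rec.status != "valid":
        raise ValueError(f"{rec.serial}: only valid certificates can be suspended")
    rec.status, rec.reason, rec.since = "suspended", "certificateHold", now
    rec.remarks.append(f"{now.isoformat()} suspend: {remark}")


def revoke(rec, now, reason, remark):
    _require_remark(remark)
    if reason == "certificateHold":
        raise ValueError("use suspend() for certificateHold")
    if rec.status == "revoked":
        raise ValueError(f"{rec.serial}: already revoked")
    rec.status, rec.reason, rec.since = "revoked", reason, now
    rec.remarks.append(f"{now.isoformat()} revoke ({reason}): {remark}")


def reinstate(rec, now, remark):
    _require_remark(remark)
    if rec.status != "suspended":
        raise ValueError(f"{rec.serial}: only suspended certificates can be reinstated")
    rec.status, rec.reason, rec.since = "valid", None, now
    rec.remarks.append(f"{now.isoformat()} reinstate: {remark}")


def expire_holds(records, now):
    """Turn suspensions that reached HOLD_LIMIT into permanent revocations; return their serials."""
    expired = []
    for rec in records:
        # Assumption: the limit counts from the suspension time and the reason becomes "unspecified".
        if rec.status == "suspended" and now - rec.since >= HOLD_LIMIT:
            rec.status, rec.reason, rec.since = "revoked", "unspecified", now
            rec.remarks.append(f"{now.isoformat()} revoke: automatic after {HOLD_LIMIT.days} days on hold")
            expired.append(rec.serial)
    return expired


def crl_entries(records, now):
    """(serial, reason code) pairs the next CRL carries; reinstated certificates are no longer listed."""
    expire_holds(records, now)
    return [(r.serial, CRL_REASON[r.reason]) for r in records if r.status != "valid"]


def demo():
    certs = [CertRecord("1001"), CertRecord("1002"), CertRecord("1003")]
    suspend(certs[0], T0, "pending identity re-validation")
    suspend(certs[1], T0, "pending identity re-validation")
    revoke(certs[2], T0, "keyCompromise", "private key reported stolen")
    reinstate(certs[0], T0 + timedelta(days=3), "validation completed")
    return crl_entries(certs, T0 + timedelta(days=16)), certs


if __name__ == "__main__":
    entries, _ = demo()
    print(entries)  # [('1002', 0), ('1003', 1)]: 1001 reinstated, 1002 auto-revoked, 1003 keyCompromise
```

`crl_entries` runs the hold expiry first, so asking for the CRL at a later date reflects the automatic revocation; this mirrors why an Officer who intends to reinstate must do so within the 15 days.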

Search

An Officer can search for the certificates of his/her own group only. Certificates of other groups are not accessible. User certificates are any non-CA and non-role owner certificates in the emCA Application database.

Select a search criterion from the dropdown box on the left. The following search criteria are available:

  • Serial Number – the serial number of the user certificate.

  • Common Name – the common name (CN) of the user certificate.

  • Issuer Name – the CN of the issuer (= CA) of the user certificate.

  • Status – the state of the certificate.

  • Subscriber Id – the subscriber ID used to create the user certificate.

For all search criteria except Issuer Name and Status, insert the search value in the right field. For Issuer Name, select an existing CA name from a dropdown box.

For Status, the right field changes to the following dropdown box:

After inserting the search value or selecting the status filter, click Search to filter for all matching user certificates.

The following image shows an example of a CA-specific filter:

Each entry in the table “Certificate Details” represents one user certificate.

View Certificate

  • DER-encoded X.509 certificate (.cer)

  • Base64-encoded X.509 certificate (.cer)

  • Cryptographic Message Syntax Standard PKCS#7 certificate (.p7b)

Select the export format of your choice and click "Download" to start the download of the user certificate. The user certificate will be downloaded to the standard download location of your OS.
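The same three export formats are offered by every "Download Certificate" dialog in this module. Two of them share the .cer extension, so the following added example (not emCA's code) tells them apart from the file content instead of the name and normalises a single certificate to DER. It uses only the Python standard library. The sample inputs are constructed stand-ins: a minimal DER SEQUENCE in place of a real certificate, and a PKCS#7 ContentInfo header that carries only the signedData OID.

```python
"""Added example (not emCA's code): identify a downloaded certificate file as DER .cer,
Base64 .cer or PKCS#7 .p7b from its bytes, and convert a single certificate to DER.
Standard library only; the samples at the bottom are constructed stand-ins."""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
# ContentInfo ::= SEQUENCE { contentType OBJECT IDENTIFIER, ... }; signedData is 1.2.840.113549.1.7.2
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")


def _outer_element(data):
    """Return (tag, body) of the single outermost DER element, or None if the bytes are not DER."""
    if len(data) < 2:
        return None
    tag, n, pos = data[0], data[1], 2
    if n & 0x80:                      # long-form length
        k = n & 0x7F
        if not 1 <= k <= 4 or len(data) < pos + k:
            return None
        n, pos = int.from_bytes(data[pos:pos + k], "big"), pos + k
    if pos + n != len(data):          # a DER file must be exactly one element
        return None
    return tag, data[pos:]


def identify(data):
    """One of 'der-cer', 'base64-cer', 'p7b' or 'unknown'."""
    m = PEM_RE.search(data)
    if m:
        return {b"CERTIFICATE": "base64-cer", b"PKCS7": "p7b"}.get(m.group(1), "unknown")
    elem = _outer_element(data)
    if elem is None or elem[0] != 0x30:
        return "unknown"
    return "p7b" if elem[1].startswith(SIGNED_DATA_OID) else "der-cer"


def to_der(data):
    """DER bytes of a single certificate; a .p7b bundle is refused rather than silently unpacked."""
    kind = identify(data)
    if kind == "der-cer":
        return data
    if kind == "base64-cer":
        body = b"".join(PEM_RE.search(data).group(2).split())
        return base64.b64decode(body, validate=True)
    raise ValueError(f"not a single certificate: {kind}")


def pem_wrap(label, der):
    lines = re.findall(rb".{1,64}", base64.b64encode(der))
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b"\n".join(lines), label)


# Constructed samples (not real certificates)
SAMPLE_DER = bytes.fromhex("3003020105")           # SEQUENCE { INTEGER 5 } as a certificate stand-in
SAMPLE_PEM = pem_wrap(b"CERTIFICATE", SAMPLE_DER)
SAMPLE_P7B_DER = b"\x30\x0b" + SIGNED_DATA_OID     # ContentInfo holding only the signedData OID
SAMPLE_P7B_PEM = pem_wrap(b"PKCS7", SAMPLE_P7B_DER)

if __name__ == "__main__":
    for name, blob in [("der", SAMPLE_DER), ("pem", SAMPLE_PEM),
                       ("p7b-der", SAMPLE_P7B_DER), ("p7b-pem", SAMPLE_P7B_PEM)]:
        print(name, identify(blob))
```

The check on the signedData OID is what distinguishes a .p7b from a DER .cer: both start with a SEQUENCE tag, but a certificate's first child is the TBSCertificate SEQUENCE, never an OID.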

If more search results are found than can be displayed on one page, you can switch pages using the navigation element at the bottom of the table:

If no search results are found a corresponding message will be displayed instead:

Click "Reset" on the top-right of the UI to empty the search filter again.

Sign CSR

Officers can generate user certificates based on a Certificate Signing Request (CSR) manually using the following UI.

User certificates are any non-CA and non-role owner certificates in the emCA Application database.

This UI always produces only the certificate (public key) for the new user.

The private key is not handled by this UI and can be stored independently from the PKI.

To begin, please select the certificate type as X509 Certificate. After that, choose the configuration type as "Upload". Next, click on "Choose file" to select the CSR. Once you have done that, select a certificate profile from the dropdown list. This will automatically fill in the correct issuing CA in the "Certifying Authority" field.

Click on "View" next to the chosen certificate profile to inspect the profile in a read-only view.

Click on "View" next to the issuing CA in order to inspect the CA’s certificate.

Click "Proceed" to continue to the next stage. The summary of the certificate request will be displayed.

The "CSR Details" section displays information that can be obtained from the given CSR.

Click on "Edit" in order to change the information loaded from the CSR.

If not all required data (marked by *) is loaded from the CSR, you will need to fill it in manually.

"Other Details" shows the key size that was determined from the CSR as well as the chosen options for the certificate.
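The "CSR Details" and "Other Details" panes show values that are read straight out of the PKCS#10 request: the subject DN, and the key algorithm and key size of the public key in the request. The following added example (not emCA's code) extracts those same values from a CSR with a minimal DER reader, so an Officer can check them outside the UI, and compare the key algorithm with the issuing CA's, which is the mixed-cryptography case the Key Algorithm note in the Enroll section warns about. It uses only the Python standard library. The sample CSR is built with the small DER encoder included in the block and carries a dummy signature, so it is a structural stand-in rather than a request emCA would accept; the CSR signature is not verified here.

```python
"""Added example (not emCA's code): read subject DN, key algorithm and key size from a
PKCS#10 CertificationRequest, the values shown in the "CSR Details" / "Other Details"
panes. Standard library only; the sample request is constructed with the encoder below
and has a dummy signature."""

OID_RSA = "1.2.840.113549.1.1.1"
OID_EC = "1.2.840.10045.2.1"
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.6": "C"}
CURVE_BITS = {"1.2.840.10045.3.1.7": 256, "1.3.132.0.34": 384, "1.3.132.0.35": 521}


# --- minimal DER encoder, used only to build the sample request ---
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def integer(n):  # one extra byte when the top bit is set keeps the value positive
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def rdn(attr_oid, value):  # SET { SEQUENCE { OID, UTF8String } }
    return tlv(0x31, seq(oid(attr_oid), tlv(0x0C, value.encode())))


# --- minimal DER reader ---
def read_tlv(data, pos=0):
    """(tag, body, next_pos) of the element starting at data[pos]."""
    tag, n, pos = data[pos], data[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(data[pos:pos + k], "big"), pos + k
    return tag, data[pos:pos + n], pos + n

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, v = [raw[0] // 40, raw[0] % 40], 0
    for c in raw[1:]:
        v = (v << 7) | (c & 0x7F)
        if not c & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def subject_dn(name_body):
    parts = []
    for _, rdn_set in children(name_body):
        for _, atv in children(rdn_set):
            (_, attr), (_, value) = children(atv)
            attr = decode_oid(attr)
            parts.append(f"{ATTR_NAMES.get(attr, attr)}={value.decode()}")
    return ",".join(parts)

def key_info(spki_body):
    """(algorithm, key size in bits) from the body of a SubjectPublicKeyInfo SEQUENCE."""
    (_, alg_id), (_, pubkey) = children(spki_body)
    alg = children(alg_id)
    alg_oid = decode_oid(alg[0][1])
    if alg_oid == OID_RSA:
        _, rsa_key, _ = read_tlv(pubkey, 1)       # skip the BIT STRING unused-bits byte
        (_, modulus), _ = children(rsa_key)       # RSAPublicKey ::= SEQUENCE { n, e }
        return "RSA", int.from_bytes(modulus, "big").bit_length()
    if alg_oid == OID_EC:
        return "EC", CURVE_BITS.get(decode_oid(alg[1][1]), 0)  # namedCurve parameter
    return alg_oid, 0

def parse_csr(der):
    """Subject DN and key details of a CertificationRequest; the signature is not verified."""
    _, request, _ = read_tlv(der)
    (_, info), _, _ = children(request)            # info, signatureAlgorithm, signature
    _, (_, name), (_, spki) = children(info)[:3]   # version, subject, subjectPKInfo
    algorithm, bits = key_info(spki)
    return {"subject": subject_dn(name), "key_algorithm": algorithm, "key_size": bits}

def build_sample_csr(bits=2048):
    """Constructed sample: modulus stand-in with the top bit set (not a real key), dummy signature."""
    modulus, null = (1 << (bits - 1)) | 1, b"\x05\x00"
    spki = seq(seq(oid(OID_RSA), null), tlv(0x03, b"\x00" + seq(integer(modulus), integer(65537))))
    subject = seq(rdn("2.5.4.6", "DE"), rdn("2.5.4.10", "Example Org"), rdn("2.5.4.3", "alice"))
    info = seq(integer(0), subject, spki, tlv(0xA0, b""))  # attributes [0], left empty
    return seq(info, seq(oid("1.2.840.113549.1.1.11"), null), tlv(0x03, b"\x00" * (bits // 8 + 1)))
```

`parse_csr(build_sample_csr())` reports the subject `C=DE,O=Example Org,CN=alice`, algorithm RSA and a key size of 2048 bits; comparing `key_algorithm` with the issuing CA's SubjectPublicKeyInfo (via `key_info`) flags a mixed-cryptography hierarchy before the Officer signs. For an RSA key the size is the bit length of the modulus, for an EC key it follows from the named curve, which is also how the "Other Details" pane arrives at its key size.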

You will need to authenticate the generation of the certificate. Use your Officer token to authenticate and press "Authenticate" to proceed.

Click "Sign CSR" to complete certificate generation. After successful signing, the following message will appear.

Click "Download Certificate" in order to retrieve the new user certificate.

Manual Authorize Certificates

If a certificate profile has "Manual Authorization Enabled," an officer can review and approve or reject any certificate requests using this UI.

Click on "Search" to open the following filter pop-up:

You can filter any column except Status using the equal or contains comparator. Click Find to apply the filter.

Click "Reset" to remove the filter again.

Click "Export to Excel" to export the entire table to an XLSX file. The file will be downloaded to the standard download location of your OS.

View Certificate

Download Certificate

  • DER-encoded X.509 certificate (.cer)

  • Base64-encoded X.509 certificate (.cer)

  • Cryptographic Message Syntax Standard PKCS#7 certificate (.p7b)

Select your desired "export format" and click Download to obtain your user certificate. The certificate will be automatically saved to the standard download location of your operating system.

Approve

Before approval, click "Edit" to correct CSR details if needed.

To validate the CSR, click on the "Approve" button. If you want to reject the CSR instead, click on the "Reject" button.

After approving, you will need to authenticate the action using your Officer token, then proceed by pressing "Authenticate".

To finish the approval action, simply click on the "Confirm" button.

SCT Requests

If a certificate request is created with CT Logs Enabled and the Manual Process Type, an Officer can import the log response, view the certificate, and download the certificate using this UI.

Information:

Signed Certificate Timestamps (SCTs) are only relevant for public CAs that abide by the Certificate Transparency rules defined in RFC 6962.
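For the manual process type, the Officer imports the response a CT log returned for the certificate. The following added example (not emCA's code) shows what that response contains: it decodes the JSON body of an RFC 6962 add-chain call, serialises the Signed Certificate Timestamp in the TLS wire form used by the SCT list extension (RFC 6962, sections 3.2 and 3.3), and reads it back. It uses only the Python standard library. The log response is constructed, so its signature is a dummy that no CT log key would verify, and the exact format emCA's own import dialog expects is not stated on this page and is not assumed here.

```python
"""Added example (not emCA's code): parse a CT log's add-chain JSON response and encode /
decode the SCT and SCT list wire formats of RFC 6962. Standard library only; the response
below is constructed with a dummy signature."""
import base64
import hashlib
import json
import struct


def sct_from_json(text):
    """Fields of the add-chain response (RFC 6962, section 4.1)."""
    obj = json.loads(text)
    return {
        "version": obj["sct_version"],                    # 0 == v1
        "log_id": base64.b64decode(obj["id"]),            # SHA-256 of the log's public key
        "timestamp": obj["timestamp"],                    # milliseconds since the epoch
        "extensions": base64.b64decode(obj["extensions"]),
        "signature": base64.b64decode(obj["signature"]),  # TLS DigitallySigned struct
    }


def encode_sct(sct):
    """SignedCertificateTimestamp wire form: version, log_id, timestamp, extensions, signature."""
    if sct["version"] != 0 or len(sct["log_id"]) != 32:
        raise ValueError("only v1 SCTs with a 32-byte log id are supported")
    return (bytes([sct["version"]]) + sct["log_id"] + struct.pack(">Q", sct["timestamp"])
            + struct.pack(">H", len(sct["extensions"])) + sct["extensions"] + sct["signature"])


def decode_sct(data):
    """Inverse of encode_sct; also exposes the hash and signature algorithm ids of DigitallySigned."""
    version, log_id = data[0], data[1:33]
    timestamp, ext_len = struct.unpack(">QH", data[33:43])
    pos = 43 + ext_len
    extensions = data[43:pos]
    hash_alg, sig_alg, sig_len = struct.unpack(">BBH", data[pos:pos + 4])
    end = pos + 4 + sig_len
    if version != 0 or end != len(data):
        raise ValueError("malformed SCT")
    return {"version": version, "log_id": log_id, "timestamp": timestamp, "extensions": extensions,
            "signature": data[pos:end], "hash_alg": hash_alg, "sig_alg": sig_alg}


def encode_sct_list(scts):
    """SignedCertificateTimestampList: total length, then each SCT with its own 2-byte length."""
    items = b"".join(struct.pack(">H", len(e)) + e for e in map(encode_sct, scts))
    return struct.pack(">H", len(items)) + items


def decode_sct_list(data):
    total, = struct.unpack(">H", data[:2])
    if total + 2 != len(data):
        raise ValueError("SCT list length mismatch")
    out, pos = [], 2
    while pos < len(data):
        n, = struct.unpack(">H", data[pos:pos + 2])
        out.append(decode_sct(data[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return out


# Constructed sample response: log id derived from a made-up key, dummy ECDSA/SHA-256 signature
SAMPLE_LOG_ID = hashlib.sha256(b"constructed example log public key").digest()
SAMPLE_RESPONSE = json.dumps({
    "sct_version": 0,
    "id": base64.b64encode(SAMPLE_LOG_ID).decode(),
    "timestamp": 1700000000000,
    "extensions": "",
    # DigitallySigned: hash sha256 (4), signature ecdsa (3), 2-byte length, dummy bytes
    "signature": base64.b64encode(b"\x04\x03" + struct.pack(">H", 4) + b"\x01\x02\x03\x04").decode(),
})

if __name__ == "__main__":
    sct = sct_from_json(SAMPLE_RESPONSE)
    wire = encode_sct(sct)
    print(len(wire), decode_sct(wire)["timestamp"])  # 51 1700000000000
```

The 32-byte log id and the 64-bit millisecond timestamp are what a verifier later matches against a known log list; a response whose log id is not on that list, or whose timestamp is implausible, is the first thing to look at when an imported SCT is rejected.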

To open the filter pop-up, please click on the "Search" button.

You can apply filters to any column, except AppName and Status, by using an equal or contains comparator.

To apply the selected filter, click on the "Search" button. If you want to remove the filter, click on "Reset".

Click "Export to Excel" to download the entire table as an XLSX file.

View Certificate

Download Certificate

  • DER-encoded X.509 certificate (.cer)

  • Base64-encoded X.509 certificate (.cer)

  • Cryptographic Message Syntax Standard PKCS#7 certificate (.p7b)

Select your preferred export format and click 'Download' to obtain your user certificate. The certificate will be saved to the default download location on your OS.
