Manage CA Certificates
Users can perform a variety of actions related to CA certificates through the "Manage CA Certificate" feature in the Officer module. These actions include enrolling, revoking, suspending, reinstating, searching, signing certificate signing requests (CSR), importing PKCS12, and manually authorizing DVCA certificates.
Enroll
An officer can enroll new CAs through the following UIs. The enrollment process involves generating a new CA key and a new CA certificate/CSR using that key.
Information:
CA certificates and OCSP certificates are both generated using this UI.
Click on "Search" to open the following filter pop-up:
You can filter for Alias Name or Key Profile with equal- or contains-comparator. Click on "Search" to apply the chosen filter.
Click "Reset" to remove the filter again.
Click "Export to Excel" to export the entire table to an XLSX file. The file will be downloaded to the standard download location of your OS.
Generate Key Pair
Click on "Generate Key Pair " to open the following dialog:
Enter the number of keys that you want to generate. In general, you will need 1 key for 1 CA and 1 more key, if that CA will receive an OCSP certificate.
Select the "Key Profile" you want to use from the first dropdown list.
Choose the "Algorithm" from the drop-down
Select the "Signature algorithm" from the third dropdown list. This will filter the element for the third dropdown list accordingly.
Select the "Key Algorithm" and "Key Size" from the fourth dropdown list.
Press "Proceed" to continue and authenticate the action with your Officer token.
Click on "Generate Key Pair(s)" to generate the keys. After the successful generation of the key pair, the success message as shown below.
Click on "View all" to return to the first UI or click "+ New" to continue with this UI.
Generate CA Certificate
After creating a key pair, the user needs to select the "Generate Certificate" or "CSR" option available in the "Action" column of the created key pair.
Click on 
to start generating a CA certificate.
The above image shows the default UI that will open after starting the process. There are two different options available for generation:
Certificate – use the key to generate a new CA certificate directly.
CSR – use the key to generate a Certificate Signing Request (CSR).
Choose "Certificate" if you want to directly generate a new CA certificate. This option is applicable if the CA is "self-signed", or the "issuing CA" is in the same instance
Choose "CSR" if the issuing CA is not on the same instance. This is the case if ROOT and SUB CAs are not operated on the same system.
Information:
You can operate CAs using the appliance functionalities that have their trust anchored outside the Appliance using the option CSR.
For "Certificate", choose the Certificate type as X509, the certificate Profile you want to use for the CA certificate from the dropdown list:
Click on "View" next to the chosen certificate profile details to inspect the profile in a read-only view.
For "Subject DN Details", enter all Subject Distinguished Name (Subject DN) information for the CA. Required fields are marked with *.
Press "Proceed" to continue. You will be prompted to authenticate the action using your officer token. Press "Authenticate" to proceed.
Click on "Create" to generate the CA certificate.
The "Certificate" will be created and the user is able to download the certificate.
Generate CSR
For CSR, the following dialog will be shown:
Users can select between two certificate types: X509 and CV certificate, using radio buttons.
Select the DN attribute type from the first dropdown and add it to Subject DN.
The following "DN attributes" are available:
Every added DN attribute is marked as required. Remove DN attributes by clicking 
next to them. Click 
next to Subject OID’s to add custom DN attributes.
Enter the OID and value of the custom DN attribute. Remove attributes by clicking the icon.
Click 
next to SAN Details to add Subject Alternative Name (SAN) attributes.
Select the type of SAN attribute from the dropdown list.
A new text field will appear next to the list. You can insert the value for the SAN attribute into the text field. If you want to remove SAN attributes, just click the icon next to them.
Press "Proceed" to continue. You will need to authenticate the action using your Officer token and then press Authenticate.
Click on Create to generate the CSR.
Upon completion, the following view will be displayed:
Click "Download CSR" to download the CSR.
CA Certificates
An Officer can manage the CA certificates in his/her own group using the following UI.
Search
Click on Search to open the following filter pop-up:
To filter your search results, you can use either the Serial Number or the Common Name with the "equal-to" or "contains" comparator. Once you've chosen your filter, click on "Search" to apply it. If you want to remove the filter, simply click "Reset". To import an External CA certificate into the emCA Application, click on "Import Issuer Certificate". Please note that only the CA certificate will be imported, not the CA key. If you want to export the entire table to an XLSX file, click on "Export to Excel". The file will be automatically downloaded to the standard download location of your operating system.
Download LDIF
To download the latest LDAP Data Interchange Format (LDIF) file, simply click on the download
button.
LDIF files are specially formatted text files that are used to exchange data between LDAP directory servers. If you don't intend to publish CA certificate to an LDAP system, you may not need LDIF files.
Once the download is complete, the LDIF file will be saved to the standard download location on your operating system.
Import Issuer Certificate
To import a 
CA certificate in response to a CSR, follow these steps:
1. Click on "Choose File" to select the CA certificate that needs to be imported.
2. Click on "Import X509" to upload the certificate.
3. You will be prompted to authenticate the action.
4. Use your Officer token to authenticate and proceed by pressing "Authenticate".
5. Click on "Import X509" again to complete the upload process.
View Certificate Details
Click on 
to view the CA certificate details:
Download Certificate Details
Click on 
to download the user certificate as
DER-encoded X.509 certificate (.cer)
Base64-encoded X.509 certificate (.cer)
Cryptographic Message Syntax Standard PKCS#7 certificate (.p7b)
Select the export format of your choice and click Download to start the download of the user certificate. The user certificate will be downloaded to the standard download location of your OS.
CSR Creation Using Existing KeyPair
Click on 
to create a new CSR based on the same key. This option is only available for CA keys with pending CA certificate requests.
You will be forwarded to the following CSR creation UI:
You will have the option to edit the new CSR before creating it.
Click "Proceed" to continue.
You will be prompted to authenticate the action.
Authenticate using your Officer token and proceed by pressing "Authenticate".
Click on "Create" to generate the new CSR.
Revoke
An Officer can revoke CA certificates in his/her own group manually, if necessary, using this UI.
Revocations of CA certificates may become necessary if keys have been compromised.
Select a search criteria from the dropdown box on the left. The following search criteria are available:
Serial Number – the serial number of the CA certificate
Common Name – the common name (CN) of the CA certificate
Issuer Name – the CN of the issuer (= CA) of the CA certificate
To search for certificate information, you can enter search criteria in the appropriate fields. For all search criteria except the Issuer Name, you can enter the desired search value in the right field. However, when you search using the Issuer Name, the right field changes to a dropdown box. From this dropdown, you can select the name of any existing Certificate Authority (CA).
The image below illustrates an example of how to filter search results using a specific Issuer Name.
View Certificate
Click on 
to view the CA certificate details:
Revoke Certificate
Click on 
in order to start the revocation process for the selected CA certificate.
Select one of the following revocation reasons from the dropdown list:
CA certificates cannot be suspended.
Provide an explanation for the revocation/suspension of the certificate in the Remarks section.
Select "Confirm" to proceed. You'll then need to authenticate the revocation by using your Officer token and pressing "Authenticate."
Warning:
Revocations are permanent! Revoked CA certificates cannot be recovered by any means.
Click on "Revoke" to proceed with the revocation process.
Search
The user can search for CA certificates in his/her own group. The user cannot inspect the certificates of other groups.
Select a search criteria from the dropdown box on the left. The following search criteria are available:
Serial Number – the serial number of the CA certificate
Common Name – the common name (CN) of the CA certificate
Issuer Name – the CN of the issuer (= CA) of the CA certificate
Status – the state of the certificate
For all search criteria except Issuer Name and Status, the search value can be inserted in the right field.
For Issuer Name, the right field changes to a dropdown box from which you can select any existing CA name.
For Status, the right field changes to the following dropdown box:
After inserting the search value or selecting the status filter, click "Search" to filter for all matching user certificates.
The following image shows an example of a CA-specific filter:
View Certificate
Click on 
to view the user certificate details:
Download Certificate
Click on 
to download the user certificate as
DER-encoded X.509 certificate (.cer)
Base64-encoded X.509 certificate (.cer)
Cryptographic Message Syntax Standard PKCS#7 certificate (.p7b)
Select the export format of your choice and click Download to start the download of the user certificate. The user certificate will be downloaded to the standard download location of your OS.
If more search results are found than can be displayed on one page, you can switch pages using the navigation element at the bottom of the table:
If no search results are found a corresponding message will be displayed instead:
Click "Reset" on the top-right of the UI to empty the search filter again.
Sign CSR
An Officer can use the following UI in order to sign CA CSR from External CAs using existing CAs and certificate profiles from the EmCA Application.
Steps to Generate a Certificate
Select the certificate type as X.509.
Choose the Configuration type as Upload or Text area, with the default setting.
Click "Choose file" to select the CSR for signing.
Pick the desired certificate profile from the dropdown list.
Make sure that the certificate profile is of type CA, not Root.
Upon selecting a certificate profile, the Certifying Authority field will be filled with the correct CA.
Click "View" next to the certificate profile to view it read-only.
Click on "View" next to the issuing CA in order to inspect the CA’s certificate.
To move on to the next stage, simply click on the "Proceed" button.
The following summary of the certificate request will be displayed:
The CSR Details section displays the data that can be obtained from the CSR (Certificate Signing Request) that has been submitted.
To download the CSR once again, please click on the 
icon provided.
To make changes to the loaded CSR information, simply click 'Edit'.
If the CSR is missing any required data (indicated by *), fill it in manually.
The Other Details section displays the key size generated by the CSR and the certificate options selected.
You will need to authenticate the generation of the certificate. Use your Officer token to authenticate and press "Authenticate" to proceed.
To finish generating the certificate, simply click on the "Sign CSR" button.
The following UI will be shown upon completion:
To get the latest CA certificate, all you need to do is click on the "Download Certificate" button.
Import PKCS12
An Officer can import existing PKCS12 keystores into the emCA Application HSM using the following UI.
The PKCS12 keystore must include a CA certificate; user certificates are ignored.
To choose the PKCS12 keystore from your system, simply click on the "Choose file" button.
Please enter the password for the PKCS12 keystore in the "Enter Password" field.
To select the key profile, you must choose an option from the drop-down menu.
To continue, please click on the "Proceed" button.
You will need to authenticate the upload using your Officer token. Press "Authenticate" to proceed.
Click on "Import" to upload the PKCS12 to the EmCA Application HSM.
Last updated