Entrust Managed Services PKI™
Managed Services PKI 60-day Trial
Quick Start Guide
Copyright © 2011 Entrust. All rights reserved.
Entrust is a trademark or a registered trademark of Entrust, Inc. in certain countries. All Entrust product names and logos are trademarks or registered trademarks of Entrust, Inc. in certain countries. All other company and product names and logos are trademarks or registered trademarks of their respective owners in certain countries.
This information is subject to change as Entrust reserves the right to, without notice, make changes to its products
Obtaining technical support
For support assistance by telephone call one of the numbers below:
1 Registering for the free 60-day trial of Entrust Managed Services PKI
If you have not already registered for a free trial of Entrust Managed Services PKI, it is easy to do.
To start your trial
1 In a browser, access the Entrust Managed Services PKI Web site:
http://www.entrust.com/managed_services
2 Click Free 60-day Trial.
Report any errors or omissions
3 Read the instructions so you have an idea of what is involved, and click the Sign Up Now! button.
4 Enter your email address in the Email field. Your email address is required in order to provide you with the link to the free trial.
Note: Ensure the email address you enter is correct so that you can receive the trial link.
5 Click Submit Form.
An email is sent to the email address you provided.
6 Access your email account and open the email with the subject Entrust Managed
Note: This trial limits the number of users an administrator can create, as stated in the license agreement.
c Click Accept. If you click Decline, you cancel the trial. A dialog box appears while the system creates your account.
Note: The Web application link and instructions on how to create your administrator certificate are also sent to your email address.
2 Getting an administrator certificate and creating end-user accounts
This chapter includes the following topics:
• “Getting your administrator certificate”
• “Logging into Administration Services with your certificate”
• “Creating an end-user account”
• “Enrolling end-users”
Getting your administrator certificate
To start experiencing the benefits and versatility of the Entrust Managed PKI service, you must first create an administrator digital ID (certificate). Once this is accomplished, you can create user accounts and begin issuing certificates. To create your administrator certificate, complete the following procedure:
To obtain your administrator certificate
1 Click the link to access the Entrust Web application as described in Step c on page 9 to create your administrator certificate.
The Entrust Authority Digital Identity Management Web application appears in a new browser window.
Note: If your browser needs permission to run the Java plug-in, ensure you provide permission.
2 Click Create Security Store.
3 Click Yes so that Windows stores the root certificate in your Windows trusted certificate store.
After a few moments, a message appears informing you that your certificate (Entrust digital ID) was created.
4 Click the Click here to log in with a certificate link.
A warning dialog box may appear informing you that the digital signature has been verified and asks whether you want to run the Entrust TruePass applet.
Note: Firefox users may encounter problems as a result of browser plug-ins. To
5 Click Run.
6 Select the certificate you created and click OK. It has the name you gave when you filled out the trial registration form.
7 Click OK.
The Importing a new private exchange key dialog box appears.
8 Click OK.
Logging into Administration Services with your certificate
Once you have created your certificate as described in “To obtain your administrator certificate” on page 12, you can log into Administration Services to, among other things, create end-user accounts.
To log into Administration Services with your certificate, complete the following procedure.
To log into Administration Services
1 In a browser, access Entrust Authority Administration Services:
https://evaladminservices.managed.entrust.com/AdminServices/
The Administrator Login page appears.
The Select Certificate dialog box appears listing one or more certificates.
3 Select the certificate you created and click OK. It has the name you gave when you filled out the trial registration form.
Creating an end-user account
In order to issue certificates to end-users, you must first create an account for each user in Administration Services.
Complete the following procedure to create an end-user account.
To create an end-user account
1 If you are not currently logged in to Administration Services, log in now. See “To log into Administration Services” on page 19 for more information.
2 From the main Administration Services page, click Create Account under Account Tasks in the main pane or under Tasks in the left-hand menu.
The initial Create Account page appears.
3 Leave the value in the User Type drop-down list as Person.
6 From the User Information section:
a Enter the end-user’s first name and last name in the First Name and Last Name fields respectively.
b Optionally, enter the end-user’s email address in the Email field.
7 Skip the Notification Email section, as it is not activated for the trial. In a typical deployment, you would enter an email address for the user to receive account status notifications, including emails that:
– indicate account registration
– provide the reference number the user needs to enroll for their certificate. (You would still need to provide the user with the matching authentication code.)
If the email address is the same as the one entered in the User Information section, you would select the Same as above email address check box.
8 Skip the Group Membership section, as it does not apply to this trial. In a typical deployment, you can manage digital IDs for different user groups.
9 Skip the Role section. End User is the only option in this trial.
10 Skip the Location section for this trial. The searchbase entry is already supplied.
11 Click Submit.
12 Securely record the user’s reference number and authorization code.
13 To create additional end-user accounts, click Create Account from the Tasks menu in the left pane and repeat this procedure.
Note: This trial limits the number of users an administrator can create, as stated in the license agreement.
14 Once you have created your end-user accounts, you must provide those
Enrolling end-users
Administration Services provides many different methods to enroll for a certificate—administrators have the flexibility to insert themselves into the process as much or as little as necessary. For more information on the different types of enrollment methods, see “End-user enrollment models” on page 25.
For this evaluation, instructions are based on one of the enrollment models. In this model, you must:
1 Provide each end-user with the reference number and authorization code you received when you created an end-user account (“Creating an end-user account” on page 22).
Note: The reference number and authorization code must be transported or sent in a secured manner.
2 Provide each end-user with the User Registration Service URL so they can obtain their certificate:
https://evaladminservices.managed.entrust.com/UserRegistration
You successfully enrolled your end-users. End-users can now obtain their certificate as documented in “Getting an end-user certificate” on page 30.
End-user enrollment models
The user registration instructions described under “Enrolling end-users” on page 25 reflect just one of the many user registration models available to your organization. The following table briefly describes other available models.
Note: Registration model Option 1 in Table 1 is the method described in
Table 1: Registration models
Enrollment option How it works Benefits
Option 1: Single user enrollment
How it works:
1 An administrator at your organization creates a one-time set of activation codes for a single user using the administration service
2 The administrator gives the activation codes to the user
3 The user enters the activation codes on a Web site
4 Certificates are downloaded to the user’s computer
Benefits:
• No custom development—administration service + Web site are provided with the started service
• Good for scenarios where you only need to enroll a single user, such as a new employee or partner
Option 2: Username and password
How it works:
1 An administrator at your organization bulk loads usernames and passwords using the administration service
2 An email is sent to each user with a link to a Web site + username
3 The user clicks the link, and enters the appropriate username/password on the Web site
4 Certificates are downloaded to the user’s computer
Benefits:
• No custom development—bulk loading + Web site are provided with the standard service
• Flexible bulk loading—
Option 3: Email with embedded activation code
How it works:
1 An administrator at your organization bulk loads your users’ email addresses using the administration service
2 The administration service generates an email containing a link + embedded, one-time set of activation codes for each user
3 The email is sent to each user securely
4 The user clicks the link in the email and is taken to a Web site where the activation codes are checked
5 Certificates are downloaded to the user’s computer
Benefits:
• No user input required—the user simply needs to click a link to download their certificates
• No custom development—bulk loading + Web interfaces + activation code functionality are all provided with the standard service
Option 4: Self-registration + approvals
How it works:
1 Each user self-registers on a Web page, selecting a password
2 An administrator at your organization approves the registration using the administration service
3 The administration service sends an email to the user
4 The user clicks the link in the email, which takes them to a Web page where they can enter their password and download their certificate
Benefits:
• No custom development—administration service + Web site are provided with the started service
• No need to create a bulk loading file
• Approvals ensure security
• Easy for users—they can access the registration page without having to supply a username/password
Option 5: Existing certificate + self-registration
How it works:
1 Your users already have certificates issued by another certificate service
2 Each user goes to a Web site that uses the existing certificate to authenticate them (i.e. client SSL authentication) and then grants them access to a registration page
3 The user supplies personal information
4 A new certificate from Entrust is downloaded to the user’s computer to take over from the older certificate
Benefits:
• No need to create a bulk loading file
• Leverages your existing investment in certificates to provide a more secure authentication approach
• Easy for users—they can access the registration Web page without having to supply a username/password
Note: There is an additional charge for this option.
Option 6: Existing username/password + self-registration
How it works:
1 You have an existing, in-house authentication system (Windows login for example)
2 Each user logs in to a registration Web page using a username/password from the existing authentication system
3 The user submits personal information
4 Certificates are downloaded to the user’s computer
Benefits:
• No need to create a bulk loading file
• Leverages your existing investment in another authentication system
• Easy and familiar for users—they supply a username/password that they already know
Note: There is an additional charge for this option.
Option 7: Custom registration page
How it works:
1 A Web developer at your organization creates a Web-based registration application
2 The user logs in to this registration page using any authentication mechanism of your choosing
3 The user submits their personal information, which is sent to the administration service
4 The administration service redirects the user to a Web page (supplied by Entrust) where users click a button to download their certificates
Benefits:
• No need to create a bulk loading file
• Leverages your existing investment in another authentication system for up-to-date passwords
• Easy and familiar for users—they supply a username/password that they already know
• Custom development can be completed by your organization without the help of Entrust and with no additional fees
Option 8: Auto-creation and auto-update
How it works:
1 A thin client is installed on users’ computers or unmanned machines
2 An administrator creates a one-time set of activation codes for each user or machine using the administration service
3 The user enters the activation codes into the thin client and certificates are downloaded to their computers
Note: When the client is installed on an unmanned machine, the client detects that certificates are missing and communicates with the administration service to automatically generate and download certificates.
Benefits:
• Certificates are automatically updated—no need to go back to a Web site to pick up new certificates
• Complete automation available—perfect for unmanned machines
• No custom development
• Many client installation options, from near complete automation to clicking ‘Next’ through an installer
• Client also simplifies deployment of Microsoft Encryption File System (EFS), adds file encryption, and includes a built-in OCSP client
Note: There is an additional charge for this option.
Getting an end-user certificate
Each end-user must complete the following procedure to obtain a certificate.
To activate a certificate using the User Registration Service
1 In a browser, enter the User Registration Service URL:
https://evaladminservices.managed.entrust.com/UserRegistration
The Entrust Authority Registration and Self-Administration page appears.
The Generate Entrust Digital ID page appears.
3 Click Generate Third-Party Security Store.
Attention: While a PKCS12 file is an option, it is not recommended for this evaluation. If required, please contact Entrust.
4 Click Run.
The Creating a new RSA signature key dialog box appears.
6 Click OK.
The Importing a new private exchange key dialog box appears.
3 What you can do with your Entrust certificate
Digital certificate contents are stored in a standards-based format called X.509. As a result, the majority of devices and applications accept this format, thereby ensuring compatibility.
Note: All Entrust Managed Services PKI documentation is available under the Resources tab at www.entrust.com/managed_services.
Table 2: Task and related documentation
If you want to... See this guide Description
If you want to: sign and/or encrypt PDF documents (files and forms)
See this guide: Using Entrust certificates with Adobe PDF files and forms
Description: This guide documents how to configure Adobe to recognize and trust digital certificates, and how to digitally sign a PDF document.
If you want to: sign and/or encrypt Microsoft Office documents
See this guide: Using Entrust certificates with Microsoft Office and Windows
Description: This guide documents:
• Signing and sending messages using Microsoft Word, Excel, and PowerPoint
• Sending secure messages using Microsoft Outlook
• Configuring Microsoft Outlook to use a single certificate
• Removing message encryption
If you want to: sign and/or encrypt files on your Windows operating system.
See this guide: Using Entrust certificates with Microsoft Office and Windows
Description: This guide documents how to secure Windows files and folders and send a secure message from a Windows folder.
If you want to: authenticate to a VPN for secure, remote access to your network
See this guide: Using Entrust certificates with VPN
Description: This guide includes information about IPsec and SSL VPN, security issues, and VPN authentication mechanisms. It also provides instructions on how to import your certificate into your VPN client and how to configure your router to trust certificates issued to VPN clients.
4 End of trial instructions
Once your trial ends, remove the CA root certificate from the Windows trusted root store for security purposes.
You must complete this procedure in Internet Explorer.
To remove the CA root certificate using Internet Explorer
1 Open Internet Explorer.
4 Click Certificates.
6 Scroll down the list and select DComRootCA.
7 Click Remove.
The Certificates dialog box appears.
8 Click Yes.
9 Click Yes.
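A check to run after the removal procedure above, as an added example that is not part of the Entrust guide: it reports any certificate whose subject contains DComRootCA that is still in the Windows Root or CA stores, and any personal certificate that names it as issuer. Matching on the subject and issuer text is an assumption; the guide only gives the display name DComRootCA.

```powershell
# Added example: read-only audit for leftovers of the trial CA.
# Assumption: the root's subject contains the name shown in the
# Certificates dialog (DComRootCA). Change $RootName if yours differs.
$RootName = 'DComRootCA'

function Find-TrialRoot {
    param([string]$Name)
    # Trust-anchor and intermediate stores for the user and the machine.
    # CurrentUser\Root is a logical view that also shows machine-wide roots,
    # so one certificate can be reported under both Root stores.
    $stores = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root',
              'Cert:\CurrentUser\CA',   'Cert:\LocalMachine\CA'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like "*$Name*" } |
            Select-Object @{ n = 'Store'; e = { $store } },
                          Subject, Thumbprint, NotAfter
    }
}

function Find-TrialIssuedCert {
    param([string]$Name)
    # Personal certificates whose issuer field names the trial CA.
    # Assumption: trial certificates were issued directly by that CA.
    Get-ChildItem -Path 'Cert:\CurrentUser\My' |
        Where-Object { $_.Issuer -like "*$Name*" } |
        Select-Object Subject, Issuer, Thumbprint, NotAfter, HasPrivateKey
}

$roots = @(Find-TrialRoot -Name $RootName)
if ($roots.Count -eq 0) {
    Write-Output "No certificate matching '$RootName' remains in the Root or CA stores."
} else {
    Write-Warning "'$RootName' is still trusted or cached in these stores:"
    $roots | Format-Table -AutoSize
}

$issued = @(Find-TrialIssuedCert -Name $RootName)
if ($issued.Count -gt 0) {
    Write-Output "Personal certificates issued by '$RootName' (no longer chain to a trusted root once it is removed):"
    $issued | Format-Table -AutoSize
}
```

The script only reads the certificate stores; removal itself still follows the Internet Explorer procedure in this chapter.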