
Entrust Certificate Services

Certificate Management Service 9.7

User Guide

Document issue: 1.0


Copyright © 2008-2010 Entrust. All rights reserved. Entrust is a trademark or a registered trademark of Entrust, Inc. in certain countries. All Entrust product names and logos are trademarks or registered trademarks of Entrust, Inc. in certain countries. All other company and product names and logos are trademarks or registered trademarks of their respective owners in certain countries.

This information is subject to change as Entrust reserves the right to, without notice, make changes to its products as progress in engineering or manufacturing methods or circumstances may warrant.

Export and/or import of cryptographic products may be restricted by various regulations in various countries. Export and/or import permits may be required.

Table of contents

About this guide . . . .7

Documentation conventions . . . 8

Note and Attention text . . . 8

Obtaining additional documentation . . . 10

Documentation feedback . . . 10

Related documentation . . . 10

Obtaining technical assistance . . . 11

Technical support . . . 11

Telephone numbers . . . 11

Email address . . . 11

Mailing Address . . . 11

Getting started. . . .13

About the Entrust Certificate Management Service . . . 14

Using the Certificate Management Service. . . 14

Differences between pooling and non-pooling management models . . . 15

Entrust Discovery . . . 16

Certificate types . . . 18

SSL server certificates and SANs . . . 18

Standard SSL certificates . . . 18

Advantage SSL certificates . . . 18

Extended Validation Multi-Domain SSL certificates . . . 19

Unified Communication Multi-Domain SSL Certificates . . . 19

Wildcard certificates. . . 19

Additional SubjectAltName extensions (SANs) . . . 20

CDS certificates . . . 20

Adobe CDS Individual . . . 20

Adobe CDS Group . . . 20


Adobe CDS Enterprise Pro . . . 21

Code signing certificates . . . 21

Sun® Java™ Object signing certificates . . . 21

Microsoft® Office/Visual Basic for Applications signing certificates . . . 21

Microsoft® Authenticode signing certificates . . . 21

Secure Email certificates . . . 21

Enterprise Secure Email certificates. . . 22

Individual Secure Email certificates . . . 22

Administrator types, roles and permissions . . . 23

Super administrators . . . 23

Sub-administrators . . . 23

Logging in to the Entrust Certificate Management Service . . . 25

Logging in to the Entrust Certificate Management Service using an Entrust IdentityGuard grid . . . 29

Using Entrust IdentityGuard Self-Service . . . 30

The super and sub-administrator dashboard views . . . 32

The super administrator view . . . 32

Menu bar functionality . . . 33

The sub-administrator view . . . 35

Adjusting your view . . . 35

Removing a column . . . 35

Filtering information . . . 36

Saving your changes . . . 37

Purchasing additional services . . . 38

Using Entrust Discovery from the CMS . . . 42

Managing administrators . . . .43

Adding an administrator . . . 44

Managing super administrators . . . 46

Demoting a super administrator . . . 46

Managing sub-administrators . . . 47

Viewing and editing sub-administrator accounts . . . 47

Promoting a sub-administrator to super administrator . . . 48


Managing clients . . . 51

Adding a new client . . . 52

If you plan on using Extended Validation (EV) certificates or Code Signing certificates in your client domains . . . 52

Viewing or altering client accounts . . . 58

Viewing Clients . . . 58

Modifying client domain or organization information . . . 59

Deactivating a client . . . 63

The client verification process . . . 64

Creating and managing certificates . . . 65

An introduction to creating and managing certificates . . . 66

Monitoring certificate use . . . 66

Monitoring certificates from the Inventory Information page. . . 66

Monitoring certificates from the Management dashboard . . . 67

Requesting a code-signing certificate using the CMS interface . . . 70

Requesting a CDS certificate using the CMS interface . . . 73

Requesting an SSL Certificate using the CMS interface . . . 76

Requesting a certificate using the Certificate Request E-Form . . . 81

Enrolling for E-forms . . . 81

Disabling the E-Form . . . 83

Using the Certificate Request E-Form . . . 83

Requesting and administering Secure Email certificates . . . 93

To approve and obtain the certificate . . . 95

Administering Secure Email Enterprise certificates . . . 98

Retrieving an Entrust SSL certificate . . . 100

Reissuing a certificate . . . 102

Renewing a certificate . . . 104

Revoking or deactivating a Certificate . . . 106

Managing certificates from a different vendor . . . 108

Monitoring the Entrust Certificate Management Service . . . 111

Using the Contract Information pages . . . 112

Opening the Contract Information pages . . . 112


Tracking Fields . . . 118

Using the Log History page . . . 121

Expiry Notifications . . . 123


About this guide

This guide contains procedures outlining how to use the Entrust Certificate Management Service (CMS). The Certificate Management Service allows you to create certificate requests and monitor certificate use for your internal devices and those used by your customers.

Topics in this chapter include:

• “Documentation conventions” on page 8

• “Obtaining additional documentation” on page 10


Documentation conventions

The following documentation conventions are used in Entrust guides:

Note and Attention text

Throughout this guide, there are paragraphs set off by ruled lines above and below the text. These paragraphs provide key information with two levels of importance, as shown below.

Note: Information to help you maximize the benefits of your Entrust product.

Attention: Issues that, if ignored, may seriously affect performance, security, or the operation of your Entrust product.

Table 1: Typographic conventions

Convention: Bold text (other than headings)
Purpose: Indicates graphical user interface elements and wizards.
Example: Click Next.

Convention: Italicized text
Purpose: Used for book or document titles.
Example: Entrust Certificate Services Certificate Management Service 9.2 User Guide

Convention: Blue text
Purpose: Used for hyperlinks to other sections in the document.
Example: Entrust supports the use of many types of certificates.

Convention: Underlined blue text
Purpose: Used for links to Web sites.
Example: For more information, visit our Web site at www.entrust.net.

Convention: Courier type
Purpose: Indicates installation paths, file names, Windows registry keys, commands, and text you must enter.
Example: Use the entrust-configuration.xml file to change certain Verification Server options.

Convention: Angle brackets < >
Purpose: Indicates variables (text you must replace with your organization’s correct values).
Example: By default, the entrust.ini file is located in <install_path>/conf/security/entrust.ini.

Convention: Square brackets [courier type]
Purpose: Indicates optional parameters.


Obtaining additional documentation

Entrust product documentation, white papers, technical notes, and a comprehensive knowledge base are available from our Web site:

http://www.entrust.net/

Documentation feedback

You can rate and provide feedback about Entrust product documentation by completing the online feedback form. Any information that you provide goes directly to the documentation team and is used to improve and correct the information in our guides. You can access this form by:

• clicking the Report any errors or omissions link located in the footer of Entrust’s PDF documents (see bottom of this page).

• following this link: http://www.entrust.com/products/feedback/index.cfm

Feedback concerning documentation can also be directed to the Customer Support email address.

[email protected]

Related documentation

Other documents relating to the Entrust Certificate Management Service that you may find helpful are:

• Entrust Certificate Management Service Enrollment Guide

• Entrust Certificate Management Service release information (available from the Certificate Management Service “What’s New” menu)

• Entrust Certificate Services Guide to Code Signing for Authenticode

• Entrust Certificate Services Guide to Code Signing for Java

• Entrust Certificate Services Guide to Code Signing for Windows Macros and Visual Basic

• Entrust Discovery Agent Administration Guide

• Entrust Discovery Administration Guide


Obtaining technical assistance

Entrust recognizes the importance of providing quick and easy access to our support resources. The following subsections provide details about the technical support and professional services available to you.

Technical support

For Entrust technical support services, visit our Web site at:

http://www.entrust.net/ssl-technical/index.htm

For technical resources including a comprehensive Knowledge Base visit:

http://www.entrust.net/knowledge-base/index.cfm

Telephone numbers

For support assistance by telephone or fax, call one of the numbers below between 8:00 AM and 8:00 PM Eastern:

• North America (toll free): Phone 1 (866) 267-9297, Fax 1 (877) 839-3538

• Outside of North America: Phone 1 (613) 270-2680, Fax 1 (613) 270-3260

Email address

The email address for Customer Support is:

[email protected]

Mailing Address

Entrust Inc.
1000 Innovation Drive
Ottawa, Ontario K2K 3E7
Canada

Getting started

This chapter provides information about features of the Entrust Certificate Management Service (CMS) and how to begin using it.

Topics in this chapter include:

• “About the Entrust Certificate Management Service” on page 14

• “Certificate types” on page 18

• “Administrator types, roles and permissions” on page 23

• “Logging in to the Entrust Certificate Management Service” on page 25

• “The super and sub-administrator dashboard views” on page 32

• “Purchasing additional services” on page 38


About the Entrust Certificate Management Service

The Entrust Certificate Management Service is a self-service administration tool for buying and managing certificates. It acts as a centrally managed, self-service point of purchase that reduces administrative overhead and decreases your risk of accidental certificate expiry. Self-service allows customers to synchronize and control the timing of certificate expiry as well as to pool or reuse certificates (depending on the type of account) for maximum usage.

Information in this introduction includes:

• “Using the Certificate Management Service” on page 14

• “Differences between pooling and non-pooling management models” on page 15

• “Entrust Discovery” on page 16

Using the Certificate Management Service

The service allows you to purchase and maintain an inventory of different types of certificates according to your needs. As your network grows and changes you can use these certificates to establish and maintain secure communication between devices, sign code, secure Adobe Acrobat or LiveCycle documents and forms, or secure email by signing and encrypting messages.

The Certificate Management Service makes it easy for you to:

• know how many certificates of each type are available for use

• create and assign certificates

• keep track of certificates used by client accounts

• purchase or renew certificates

• add or remove client domains

• add or remove administrator accounts

• delegate certificate request approval

• approve certificate requests

• use Entrust Discovery to obtain detailed information about certificates in your network

Administrator accounts

The Certificate Management Service (CMS) uses two types of administrator accounts with different degrees of access to management and auditing tools. This allows you to delegate aspects of certificate management for specific domains or clients while maintaining control and accountability. For example, all certificates in domains A, B, and C could be assigned to one sub-administrator and certificates in domains D, E, and F to another. Super administrators (accounts with full privileges) can also audit events for ease of management and create reports that tailor information about certificates to their specific requirements.

Differences between pooling and non-pooling management models

Your organization chose either the pooling or the non-pooling model when you became a CMS user. In simplest terms, the non-pooling model is based on the number of certificates purchased, and the pooling model is based on the amount of certificate lifetime purchased. The model in use determines how administrators perform some tasks in the CMS.

Certificates

• Administrators of both pooling and non-pooling accounts can reissue certificates (depending on certificate type). However:

– In non-pooling accounts, certificates can only be reissued within 30 days of their creation date. The exception is Secure Email certificates, which can be reissued at any time during their lifetime.

– In pooling accounts, Standard, Advantage, EV, UCC, and Secure Email certificates can be reissued at any time. CDS and Code Signing certificates can only be reissued within 30 days of their creation date.

• Administrators of accounts using either model can renew certificates.

• Only administrators of accounts using the pooling model can reuse and repurpose certificates, and only Standard, Advantage, EV, and UCC certificates are returned to inventory for reuse. CDS, Code Signing, and Secure Email certificates are never returned to inventory after being deactivated.

SANs (for additional domains)

• In accounts using the pooling model, any SANs that were added to EV Multi-Domain or UC Multi-Domain certificates from your SAN inventory are returned to the SAN inventory if the certificate is revoked. The SANs that come with the certificate by default are not returned to inventory.

For example, if you are using the pooling model and you revoke a UC Multi-Domain certificate with eight SANs, five SANs are returned to your SAN inventory. When you purchase a UC Multi-Domain certificate, the common name and two additional SANs come with the certificate by default and are not drawn from your inventory of additional SANs.

• In accounts using the non-pooling model, SANs are not returned to your inventory if you revoke a certificate.

• In accounts using the pooling model, additional domains (SANs) are not multiplied by the number of years in the certificate’s life span.

• In accounts using the non-pooling model, the number of SANs required to add more domains than the default number that comes with the certificate is multiplied by the life span of the certificate.

For example, suppose you create a UC Multi-Domain certificate with a three-year life span for four domains (the common name in the CSR plus three additional domains). Three domains are covered before additional SANs are required, because they come with a UC Multi-Domain certificate by default. The fourth domain requires one additional SAN per year of the certificate’s life span, so three SANs are drawn from inventory.

• In accounts using either model, the number of SANs used from inventory is multiplied by the number of servers that the certificate is licensed for. For example, if you create a UC Multi-Domain certificate and license it for two servers, the number of SANs used by the certificate is doubled.

For a complete explanation of the advantages of each of these models, talk to an Entrust Sales representative.
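The inventory arithmetic above is easier to check as code. The following Python is an added example written for this edition of the guide; it is not part of the Entrust CMS and calls no Entrust API. It encodes the rules stated in this section (the default SANs bundled with each Multi-Domain certificate type, per-year multiplication in non-pooling accounts, the server multiplier, inventory return on revocation, and the reissue windows) and reproduces the section's worked figures. The CertRequest type and the function names are assumptions made for the example; whether the server multiplier is also credited back on revocation is not stated in the guide and is assumed here to be symmetric.

```python
"""SAN inventory and reissue rules for pooling vs. non-pooling CMS accounts.

Added example: illustrative code, not part of the Entrust CMS, and it calls
no Entrust API. The rules encoded here are the ones stated in the
"Differences between pooling and non-pooling management models" section.
"""
from dataclasses import dataclass

# Domains each Multi-Domain certificate covers by default (common name plus
# bundled SANs), per the guide: EV = CN + 1 SAN, UC = CN + 2 SANs.
DEFAULT_DOMAINS = {
    "EV Multi-Domain": 2,
    "UC Multi-Domain": 3,
}

# In pooling accounts these types can be reissued at any time; everything
# else (CDS, Code Signing) is limited to 30 days from creation. Secure Email
# is reissuable at any time under both models.
REISSUE_ANYTIME_POOLING = {
    "Standard", "Advantage", "EV Multi-Domain", "UC Multi-Domain", "Secure Email",
}
REISSUE_WINDOW_DAYS = 30


@dataclass(frozen=True)
class CertRequest:          # assumed type, introduced for this example
    cert_type: str          # a key of DEFAULT_DOMAINS
    domains: int            # common name plus every additional name requested
    years: int              # certificate life span in years
    servers: int = 1        # number of servers the certificate is licensed for


def sans_consumed(req: CertRequest, pooling: bool) -> int:
    """SANs drawn from inventory when the certificate is created.

    Only names beyond the bundled default come from inventory. Non-pooling
    accounts pay one SAN per year of life span for each such name; pooling
    accounts pay one regardless of life span. Both models multiply the
    result by the number of licensed servers.
    """
    if req.cert_type not in DEFAULT_DOMAINS:
        raise ValueError(f"{req.cert_type!r} does not take additional SANs")
    if min(req.domains, req.years, req.servers) < 1:
        raise ValueError("domains, years and servers must all be positive")
    extra_names = max(0, req.domains - DEFAULT_DOMAINS[req.cert_type])
    per_name = 1 if pooling else req.years
    return extra_names * per_name * req.servers


def sans_returned_on_revoke(req: CertRequest, pooling: bool) -> int:
    """SANs credited back to inventory when the certificate is revoked.

    Non-pooling accounts get nothing back. Pooling accounts get back exactly
    the SANs that came from inventory; the bundled defaults are not returned.
    Assumption (not stated in the guide): the server multiplier is credited
    back symmetrically with how it was charged.
    """
    if not pooling:
        return 0
    return sans_consumed(req, pooling=True)


def can_reissue(cert_type: str, pooling: bool, days_since_creation: int) -> bool:
    """Whether a certificate of this type may still be reissued."""
    if cert_type == "Secure Email":
        return True
    if pooling and cert_type in REISSUE_ANYTIME_POOLING:
        return True
    return 0 <= days_since_creation <= REISSUE_WINDOW_DAYS
```

The two worked examples in the text become sans_consumed(CertRequest("UC Multi-Domain", 8, 1), pooling=True) == 5 (and the same five are returned on revocation) and sans_consumed(CertRequest("UC Multi-Domain", 4, 3), pooling=False) == 3; licensing the latter for two servers doubles it to six.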

Entrust Discovery

Entrust Discovery is composed of one or more Entrust Discovery Agents and the Entrust Discovery Manager. The Entrust Discovery Agent allows an administrator to scan their network or specific portions of their network for certificates. The Agent records pertinent information about each certificate found, including:

• the certificate issuer

• subject DN of the certificate

• key algorithm and length

• creation and expiry date

• host and port (or hosts and ports if it is installed in more than one place)

• the port state

• host names

Discovery Agents can be obtained free-of-charge from Entrust and used without a Discovery Manager to perform scans, however only a summary of the data can be viewed from the Agent.

Detailed information about certificates and certificate management capability is available from the Discovery Manager. The Discovery Manager allows you to choose which certificates to manage and, for each managed certificate:

• see all of the collected information

• assign an owner

• set up a notification schedule to track expiring certificates, license use, and other administrative details

To use the Discovery Manager, you must purchase certificate licenses from Entrust. Contact your Entrust representative for information about purchasing licenses. Three types of licenses are available from Entrust:

• cloud subscription, for use with a Discovery Manager hosted by Entrust Certificate Management Service

• premises subscription, for use with a Discovery Manager hosted by you. The license includes an expiry date based on your subscription. Software support for Entrust Discovery is included.

• premises perpetual, for use with a Discovery Manager hosted by you. The license contains no expiry date. Software support is extra.

Entrust Discovery can be used as stand-alone application or with the Entrust Certificate Management Service.


Certificate types

Entrust offers SSL, CDS, Code Signing, and Secure Email certificates, all of which you can manage using the Entrust Certificate Management Service (CMS). Topics in this section include:

• “SSL server certificates and SANs” on page 18

• “CDS certificates” on page 20

• “Code signing certificates” on page 21

• “Secure Email certificates” on page 21

SSL server certificates and SANs

Entrust offers several types of SSL certificates, each of which can be licensed for one or more servers. Each additional server requires a license from your certificate inventory.

The following sections describe these certificates:

• “Standard SSL certificates” on page 18

• “Advantage SSL certificates” on page 18

• “Extended Validation Multi-Domain SSL certificates” on page 19

• “Unified Communication Multi-Domain SSL Certificates” on page 19

• “Wildcard certificates” on page 19

• “Additional SubjectAltName extensions (SANs)” on page 20

Standard SSL certificates

These certificates (referred to as Standard in the Certificate Management Service interface) create a secure, confidential communications pipe between the Web server and browser. Communication secured with this certificate supports identification of the Web server, letting the client’s browser know the identity of the site being accessed.

Advantage SSL certificates

These certificates (referred to as Advantage in the Certificate Management Service interface) create a secure, confidential communications pipe between the Web server and the browser or between servers. Use this type of certificate where identification of both the Web server and the browser is required.

Advantage SSL certificates are allowed one additional SubjectAltName (SAN) extension plus the common name for a total of two SANs.


Extended Validation Multi-Domain SSL certificates

Extended Validation certificates (referred to as EV Multi-Domain certificates in the Certificate Management Service interface) are defined by the CA/Browser Forum in response to the growing threat of phishing attacks. The goal of this type of certificate is to increase consumer confidence in online transactions.

EV certificates are issued only after rigorous validation of the identity information supplied by the purchaser. These certificates provide all the features of the Advantage certificate plus:

• adherence to the verification standards set by the CA/Browser Forum in the Guidelines for the Issuance and Management of Extended Validation Certificates (available from the CA/Browser Forum Web site)

• prominent trust indicators in Web browsers, reflecting this higher level of identity assurance, such as:

– the green Web address bar, indicating a secure site

– the gold padlock at the top of the Web page, indicating that the Web server is recognized as authentic

– alternating display of the issuer name and the organization name and country

These indicators describe browsers of the period covered by this guide; current mainstream browsers no longer show a distinct EV indicator in the address bar, so choose EV for the validation it carries rather than for the browser display.

Extended Validation certificates are allowed one additional SubjectAltName (SAN) by default (for a total of two domains), but an unlimited number of additional SANs can be added if additional SAN inventory is available.

Unified Communication Multi-Domain SSL Certificates

These certificates (referred to as UC Multi-Domain certificates in the Certificate Management Service interface) provide all the features of the Advantage certificate. Unified Communication certificates are allowed two additional SubjectAltName (SAN) extensions plus the common name by default, for a total of three SANs. An unlimited number of additional SANs can be added, if additional SAN inventory is available.

These certificates are designed to support powerful communications products like Microsoft® Exchange Server and Microsoft® Office Communications Server.

Wildcard certificates

These certificates (referred to as Wildcard in the Certificate Management Service interface) provide all the features of the Standard certificate and allow you to secure multiple Web sites with a single SSL certificate.


Additional SubjectAltName extensions (SANs)

Additional EV Multi-Domain SANs and UC Multi-Domain SANs can be purchased and added to your CMS inventory. You are given the opportunity to add additional domains when you create an EV or UC Multi-Domain certificate. Each domain added above the default number of SANs associated with the type of certificate uses one of the SANs from your inventory. If the certificate is used on more than one server, the number of SANs used from your inventory is multiplied by the number of servers the certificate is licensed for. See “SANs (for additional domains)” on page 15 for more information.

SANs can be purchased from the Buy More page of the CMS or through your Entrust representative.

CDS certificates

Entrust offers the following types of certificates for use with Adobe Certified Document Services (CDS):

• “Adobe CDS Individual” on page 20

• “Adobe CDS Group” on page 20

• “Adobe CDS Enterprise Lite” on page 20

• “Adobe CDS Enterprise Pro” on page 21

Adobe CDS Individual

Adobe CDS Individual certificates are purchased with a token. Individuals can use these certificates to sign and certify documents, as needed. For example, individuals might use them to sign workflow approvals, legal documents, contracts, and letters. These certificates are assigned to an individual. The individual’s first and last name and email address appear in the signature.

Adobe CDS Group

Adobe CDS Group certificates are purchased with a token. Individuals in a group can use these certificates to sign and certify documents on behalf of a group. Individuals are still required to have their own certificate; however, the organizational group name is included in the certificate. The organizational group name and email address are displayed in signatures from these certificates. A sales department might use these certificates to sign proposals or RFP responses, for example.

Adobe CDS Enterprise Lite

Like manually used CDS Group certificates, these certificates display the organizational group name and email address in the signature. These certificates, however, are intended for use in an automated process to sign and certify documents. For example, they could be used to sign invoices, account statements, transcript requests, and confirmations. Each of these certificates can be used for a maximum of 40,000 signatures. These certificates are designed to reside on a hardware security module (HSM). HSMs are available from Entrust.

Adobe CDS Enterprise Pro

These certificates have the same features as Adobe CDS Enterprise Lite but can be used for an unlimited number of signatures.

Code signing certificates

These certificates are used to sign code. The signature is verified against the root certificates trusted by the end-user’s platform; if the signing certificate chains to a trusted root and the signed content is unchanged, the end-user can proceed with confidence that the code is from a legitimate source and has not been tampered with. Entrust offers the following types of code signing certificate:

• “Sun® Java™ Object signing certificates” on page 21

• “Microsoft® Office/Visual Basic for Applications signing certificates” on page 21

• “Microsoft® Authenticode signing certificates” on page 21

Sun® Java™ Object signing certificates

Use Entrust certificates for Java object signing to sign JAR (Java Archive) files.

Microsoft® Office/Visual Basic for Applications signing certificates

Use Entrust certificates for Microsoft® Office and Visual Basic for Applications (VBA) to sign DOC, DOT, XLS, XLT, XLA, PPT, PPS, and PPA files. Entrust offers PKCS#12 (Public Key Cryptography Standard #12) certificates for use with Microsoft® Office and VBA files.

Microsoft® Authenticode signing certificates

Use Entrust certificates for Microsoft® Authenticode to sign CAB, CAT, CTL, DLL, EXE, and OCX files. Entrust offers PKCS#7 (Public Key Cryptography Standard #7) certificates for use with Authenticode.

Secure Email certificates

Secure Email certificates can be used with email applications that support the S/MIME format to encrypt, sign, or encrypt and sign messages. They can also be used to authenticate to SSL VPNs, to sign Microsoft Office documents, or to authenticate to a service on desktops or mobile devices.

Enterprise Secure Email certificates

These certificates are designed to be purchased by businesses or organizations through the CMS and used by employees to sign and secure email messages or authenticate Microsoft Office documents. To purchase Secure Email certificates, use the Certificate Request E-form (see “Using the Certificate Request E-Form” on page 83 for more information).

These certificates offer automated key backup to ensure that you always have access to encrypted historical information.

Individual Secure Email certificates

These certificates are designed to be purchased and used by individuals to sign and secure their personal or business email messages or authenticate Microsoft Office documents. These certificates are not available through the CMS. Individual Secure Email certificates can be purchased directly from the Entrust Web site.


Administrator types, roles and permissions

All administrators must be assigned an administrator type. The Entrust Certificate Management Service provides two types of administrative accounts; the super administrator and the sub-administrator—each with their own set of roles and permissions. Sub-administrators can be assigned certificates and clients to manage. The default assignment is super administrator. Administrator types are discussed in the sections:

• “Super administrators” on page 23

• “Sub-administrators” on page 23

Super administrators

Super administrators can access all features, resources, and services of the Certificate Management Service (CMS) and perform all management tasks. They are also responsible for delegating administrative privileges to sub-administrators and for approving requests made using the E-form (see “Requesting a certificate using the Certificate Request E-Form” on page 81 for more information about the E-form).

Sub-administrators

All sub-administrators have access to a subset of management features. Specific resources such as certificates, client domain names, and client company names can be assigned to each sub-administrator.

The following table lists the default sub-administrator roles and describes the associated permissions for those roles.

Table 2: Sub-administrator permissions

Management feature: create or renew certificates
Permission: can create certificates, or renew certificates assigned to them (if the certificates are renewable)

Management feature: SubjectAltName (SAN)
Permission: can create certificates with multiple SubjectAltName (SAN) extensions if there are sufficient SubjectAltNames in the sub-administrator’s inventory and multiple SANs are supported for that type of certificate

Management feature: management dashboard view
Permission: can view and manage the certificates assigned to them

Management feature: deactivate certificates
Permission: can deactivate certificates, domains and organizational names, client domain names, and client company names assigned to them

Management feature: contract information
Permission: can view the SSL certificates, domains and organizational names, client domain names, and client company names assigned to them

Management feature: certificate expiry messages
Permission: can view Certificate Expiry Messages for SSL certificates assigned to them

Management feature: event logs
Permission: can view events that they performed, but not events associated with super administrators or other sub-administrators

Management feature: user preferences
Permission: can customize their own view

Management feature: reports
Permission: can view reports concerning certificates assigned to them


Logging in to the Entrust Certificate Management Service

The Entrust Certificate Management Service (CMS) supports second-factor authentication using an Entrust IdentityGuard grid or Question and Answer (Q and A) authentication. You can choose to use it when you register for the CMS. Super administrators can add IdentityGuard authentication to an existing account from the Sign up here link on the Preferences page of the Certificate Management Service. Grids are sent by Entrust by mail and are valid for two years. Entrust automatically sends a replacement grid when the existing grid approaches its expiry date.

Note: Second-factor authentication is provided for the entire CMS account, not on a user-by-user basis. If you choose to adopt second-factor authentication, all users will be required to use second-factor authentication to access the CMS.

First-time users receive an email from Entrust with a one-time password providing access to the CMS. When the new user logs in to the Web site with that password, they are required to replace it with a password of their own.

To log in to the Entrust Certificate Management Service using a password for the first time

1 You will have received an email from Entrust containing your username and a link. Click the link in the email.

The log in page for Entrust IdentityGuard Self-Service opens, and a second email containing a temporary password is sent to the email address you provided in the enrollment application.

2 Log in to Entrust IdentityGuard Self-Service using your temporary password. The Password Change page appears.

3 In the Password Change page, type the one-time password that was sent to you by Entrust into the Current Password field. Enter a new password that conforms to the Password Rules into the Password field and again into the Confirm Password field.

4 Click Submit.

Note: Passwords expire after one year. After your password expires, you must create a new password the next time you log in.

If you are setting up the account, the license agreement page appears. This page does not appear if you are adding a user to an existing account.

5 Read through the license agreement and click Accept to agree and continue. If you Decline the agreement, you cannot log into the CMS.


6 Select questions from the pull-down menu and type your answers into the Answer field below.

Note: Select questions and answers that are easy to remember. You will have to answer these questions correctly before you can perform some administrative tasks (changing your password, for example).

7 Click OK.

Use your new password the next time you log in to the Certificate Management Service. To change your password or question and answer pairings, use the Click here for IdentityGuard Self-Service link on the Preferences page, as shown in Figure 2 on page 30.


Note: If you forget your password, use the Recover my password link to have a temporary password sent to you. You will be asked to change the temporary password when you log in to CMS.

Logging in to the Entrust Certificate Management Service using an Entrust IdentityGuard grid

Users registered for Entrust IdentityGuard grid authentication are issued an Entrust IdentityGuard grid card similar to the one shown in Figure 1 on page 29.


During the log in process, the interface displays sets of column and row coordinates that correspond to positions in the grid. Enter the letter or number in that position on your grid card.

For example, if you are using the card shown in Figure 1 on page 29 and are given the coordinates [B4], [D4], [F3], you would respond with 5, T, 6. If you have not yet received a grid, you can use a one-time password to log in.
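The following is an added example, not part of this guide or of Entrust's IdentityGuard code, showing the server side of the grid challenge-response described above: a challenge of random coordinates is issued, the user answers with the symbols at those cells, and the answer is checked in constant time. The grid values, column and row ranges, and the three-cell challenge length are assumptions constructed for the example; the grid was filled so that B4, D4 and F3 hold 5, T and 6, matching the worked example in the text. A real IdentityGuard card is issued by Entrust and the verifier runs on Entrust's side, not in the CMS user's browser.

```python
import hmac
import re
import secrets

# Constructed sample grid (not a real Entrust IdentityGuard card):
# columns A-J, rows 1-5; grid[column][row - 1] is the symbol in that cell.
# Chosen so that B4 -> "5", D4 -> "T", F3 -> "6", as in the guide's example.
COLUMNS = "ABCDEFGHIJ"
ROWS = 5
SAMPLE_GRID = {
    "A": "7Q2M9",
    "B": "K3R5X",
    "C": "M8Z1B",
    "D": "4JWTP",
    "E": "H6C2N",
    "F": "9L6VD",
    "G": "S1E8Y",
    "H": "2U7GA",
    "I": "R5N3W",
    "J": "Z4K9F",
}

# Accept "B4" or "[B4]" in either case; anything off the grid is rejected.
_COORD_RE = re.compile(r"^\[?([A-J])([1-5])\]?$")


def parse_coordinate(coord):
    """Turn 'B4' / '[b4]' into ('B', 4), raising ValueError for bad input."""
    match = _COORD_RE.match(coord.strip().upper())
    if not match:
        raise ValueError(f"not a grid coordinate: {coord!r}")
    return match.group(1), int(match.group(2))


def cell(grid, coord):
    """Symbol printed at the given coordinate of the grid card."""
    column, row = parse_coordinate(coord)
    return grid[column][row - 1]


def make_challenge(n=3):
    """Pick n distinct cells with a CSPRNG; the verifier must never reuse a challenge."""
    cells = [f"{c}{r}" for c in COLUMNS for r in range(1, ROWS + 1)]
    return secrets.SystemRandom().sample(cells, n)


def expected_response(grid, challenge):
    """Concatenated symbols the card holder should read off for this challenge."""
    return "".join(cell(grid, coord) for coord in challenge)


def normalize_response(response):
    """Accept '5, T, 6', '5t6' or '5 T 6': drop separators, upper-case."""
    return re.sub(r"[^A-Za-z0-9]", "", response).upper()


def verify_response(grid, challenge, response):
    """True only if every challenged cell was answered correctly.

    hmac.compare_digest compares in constant time, so the time taken to
    reject a wrong answer does not reveal which position was wrong.
    """
    expected = expected_response(grid, challenge).encode()
    given = normalize_response(response).encode()
    return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    fixed = ["B4", "D4", "F3"]
    print("challenge", fixed, "expects", expected_response(SAMPLE_GRID, fixed))
    fresh = make_challenge()
    print("fresh challenge", fresh, "expects", expected_response(SAMPLE_GRID, fresh))
    print("verify '5, t, 6' against B4 D4 F3:", verify_response(SAMPLE_GRID, fixed, "5, t, 6"))
```

The lookup itself is trivial; the points a practitioner should take from the example are that the challenge must be chosen with a cryptographically strong source and not reused, that user input is normalized before comparison so legitimate formatting differences are not treated as failures, and that the comparison is constant-time.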

If you decide to use second-factor authentication at a later date, super administrators can apply for grid cards from the Sign up here link on the Preferences page of the Certificate Management Service.

Figure 2: Preferences menu

Using Entrust IdentityGuard Self-Service

The Entrust IdentityGuard self-service menu (available from the Click here for IdentityGuard Self-Service link on the Preferences page and the log in page) can be used to:

• authenticate with a temporary password if you have temporarily misplaced your grid

• request a new grid if yours is lost or compromised

• change your question and answer pairings

• change your password


Figure 3: Entrust IdentityGuard Self-Service menu

Select your intended action from the list.

If you have temporarily forgotten your card, a temporary PIN will be sent to you by email and your card will be disabled. To use your card again, use the I’ve found my grid and would like to start using it again link when you log in.

Grid cards are temporarily disabled for a maximum of 30 days, after which they are considered lost.

If you change your card because it has been lost or compromised, your card is permanently de-activated. Entrust issues a new card. Until you receive your new card, use your user name and password to log in to CMS.


The super and sub-administrator dashboard views

The Management Dashboard page is displayed when the Entrust Certificate Management Service opens or can be accessed through the Management Dashboard tab. The dashboard is designed to simplify monitoring certificate and service item use with easy access to management tools appropriate to the user’s type of account. Options available from the dashboard are different for super administrators and sub-administrators.

The super administrator view

Figure 4: Super Administrator view of the dashboard

The dashboard offers super administrators immediate access to information about:

• expiring certificates

• pending and ready certificate requests

• existing Entrust and non-Entrust certificates

• service items (administrators, domains, clients, and organizations)

In addition, super administrators can:


• add or view service items

• download Entrust Discovery Agents

• open the Entrust Discovery Manager (if you have enrolled for the Discovery Manager)

Menu bar functionality

The super administrator view displays the following menu bar items:

Create Certificate

This menu item opens a page allowing the administrator to create certificate requests. See “Modifying client domain or organization information” on page 59 for information about adding and deleting client domains.

Management dashboard

This page displays a current view of the certificates and service items that the owner of the account can manage. Tools for managing these certificates and items are accessible from the dashboard.

E-Form

This menu contains the item Settings.

If you have not enrolled for the E-Forms, a link allowing you to enroll appears. If you have enrolled for the E-Forms, the Settings page contains links to them.

Admin Tools

This menu contains the following items:

Add Domain

creates a request to add a domain to a client and submit the request to Entrust or a subcontractor.

Contract Information

displays information about the service or account. See the “Using the Contract Information pages” on page 112 section for further details.

Log History

opens a log of transactions for the account (for example, log in and create request).

Tracking Fields

opens a page that enables a super administrator to establish additional tracking information fields for the Certificate Request E-Form or the Create page within the Interface. See “Tracking Fields” on page 118 for further details.

Purchase Additional Services

opens a page that enables the super administrator to purchase additional services (additional certificates, administrators, client domain names, and client company names). See “Purchasing additional services” on page 38 for further details.

Client Management

enables the super administrator to manage the client list (add, edit and deactivate). See “Managing clients” on page 51 for further details.

Admin Management

opens a page that enables the super administrator to manage the administrators (add super or sub-administrators and edit-assign resources and deactivate sub-administrators). See the“Managing administrators” on page 43 section for further details.

Certificate Import

imports certificates not currently managed by CMS for ease of management.

Reports

The menu item opens a page displaying tabs for:

• System Reports

displays links to pre-created system reports

• Custom Reports

opens a report generation wizard enabling an administrator to select the fields and criteria for a custom report. The report can be saved for future use.

Help

The help menu contains the following items:

User Guide

opens this guide in Adobe PDF format

Knowledge Base

opens the Entrust Certificate Services Support Knowledge Base with links and information pertinent to Certificate Management

Web Server FAQs

opens a page with links to information about Web servers that can be used with Entrust SSL certificates and a link to the Entrust Certificate Services Support Knowledge Base


Other FAQs

opens a page with links to frequently asked questions about Entrust SSL certificates and links to the Entrust Certificate Services Support Knowledge Base and other pertinent information

What’s New

opens a page containing information about the current release of the Certificate Management System.

Preferences

opens a page enabling a super administrator to customize the CMS interface view, sign up for Entrust IdentityGuard multifactor authentication, or adjust the Entrust IdentityGuard log in options.

BUY MORE

opens a page from which you can purchase certificates and services.

Logout

opens a log out page.

The sub-administrator view

Sub-administrators have a simplified view, allowing them to create, deactivate, and manage the SSL certificates and service items for which they have authorization. See “Sub-administrators” on page 23 for information about sub-administrator permissions.

If sub-administrators attempt to access and use tools for which they do not have permission, an error message is displayed.

Adjusting your view

Some pages in the CMS interface can potentially display a great deal of information. You can tailor the content of many pages to help you to find details more easily.

Removing a column

To temporarily remove unneeded columns from pages, select any column on the page, open the pull down menu, and deselect the check box associated with the column. To restore the column, open the pull down menu and select the check box again.


Figure 5: Removing or restoring a column

Filtering information

As shown in Figure 6 and Figure 7, you can also filter information in a specific column. For example, in the Status column of the Client Management page the possible entries are Active, Ready, Pending, Expired and Deactivated. If you select Active, no pending, ready, expired or deactivated client names are displayed in the list.


Filtering columns without a standard set of filters

If the column does not have a standard set of filters, you can type the information into the filter. For example, typing an administrator ID into the Administrator column in the Log Histories page limits the entries to actions performed by a particular administrator.

Figure 7: Filtering entries in a column (non-standard information)

Similarly, use Group By This Field to group entries by the type of information in the column. Show in Groups creates a tree view with information from other columns in the entry row branching from the information in that column. For example, select this option in the Requester column and all other information in each entry row is grouped under the requester. Select + beside the requester to expand the tree view and reveal the other information.

To turn off any of these features (except Group By This Field) deselect them in the pull-down menu.

Saving your changes

To save your changes, select Save Filter from the menu at the bottom of the page. To return to the default view, use Clear Filter.


Purchasing additional services

Super administrators can use the CMS interface to purchase the following additional items:

• certificates

• EV and UC SANs

• administrators

• organization names

• domain names

• client names

You can purchase additional items by credit card or by purchase order. Follow the steps below to purchase any of these additional services.

Note: After additional certificates, administration options, or renewal changes are processed by Entrust, the resulting agreement (Entrust Certificate Management Service Agreement) is presented to the next super or sub-administrator logging in to the CMS interface. The agreement must be accepted before the requested item can be used.

For information about contacting Entrust, see “Obtaining technical assistance” on page 11.

To purchase additional services

1 From the top menu bar, select Admin Tools > Purchase Additional Services or select Buy More from the top menu bar.

The Purchase Additional Services page appears.

2 Enter the quantity in the applicable field for each certificate type and


using your expiry date and the lifetime of your account. For non-pooling account users the price is based on the number of certificates.

Note: The prices depicted in the illustration may be out-of-date. The most recent prices are listed on the Purchase Additional Services page in the CMS.


3 Under Payment Type, select either the PO or Credit Card radio buttons.

Note: Only use the Purchase Order (PO) option for orders above $1,000.00 USD in value. An Entrust sales representative will contact you for more information after you order using this option.

4 If you select the Credit Card radio button, enter the card type (MasterCard®, VISA or American Express®), card number, card expiry date, and the billing name and address for the credit card holder. The address provided must match the billing address of the credit card.

5 Click Submit (or click Reset to clear the form).

If you select the PO (purchase order) payment option, an Entrust Sales representative will contact you for more information.

If you select the Credit Card payment option, the specified credit card is billed and a receipt emailed to the billing contact for the account. Your inventory is updated immediately after the transaction is approved.


Using Entrust Discovery from the CMS

Entrust Discovery Manager can be opened and used from Entrust CMS; however, it is a separate Entrust product. You can download Discovery agents free-of-charge from the Discovery tab on the CMS dashboard.

The Entrust Discovery Manager and certificate licenses can be ordered by clicking Open Manager in the Entrust Discovery page. The Entrust Discovery Administration Guide contains information about deploying the Discovery Manager and Agent solution. The Entrust Discovery Agent Administration Guide contains information about deploying Discovery Agents without a Discovery Manager. The guides are available from their respective Click here links on the Entrust Discovery page of the CMS dashboard.

For more information about Entrust Discovery, see the administration guide for your deployment.


Managing administrators

Your initial Entrust Certificate Management Service view has a default inventory of two administrator accounts. Use one of these administrator accounts to start using the Entrust Certificate Management Service. Your first administrator must be a super administrator, since you need access to all of the CMS tools.

Super administrator is the default administrator account type and has full privileges. If there are unused administrator accounts in inventory, super administrators can create sub-administrators. By assigning sub-administrator accounts, a super administrator can delegate responsibility for specific certificates, domains and clients. Sub-administrators are established by either demoting an existing super administrator account or creating a new administrator account with the sub-administrator role. To add more administrator accounts to your inventory, contact Entrust or order directly using the Certificate Management Service interface (see “Purchasing additional services” on page 38).

If a request for an additional administrator account is rejected by Entrust the account is not displayed in the Admin Management pages.

This chapter discusses the following topics:

• “Adding an administrator” on page 44

• “Managing super administrators” on page 46


Adding an administrator

Follow the procedure in this section to add either a super or sub-administrator.

Note: Never add a sub-administrator account that has been deactivated. Use the re-activate icon instead.

To add an administrator

1 As a super administrator, select Admin Tools > Admin Management from the top menu bar.

The Admin Management page appears.

2 Type the name of the new administrator in the Administrator Name text box.

3 From the pull-down list beside the Administrator Type field, select either Super Administrator or Sub-administrator.

4 Click Submit.


5 Complete all of the fields in the form.

This information is required to complete administrator verification and establish a unique ID for the new administrator.

Select either the Super Administrator or Sub-administrator radio buttons.

6 Click Submit Administrator.

A pop-up window appears, stating that your request for an additional administrator has been submitted.

7 Click OK.

The Admin Management page opens. The new administrator is now listed as the applicable administrator type, with a status of Pending in the Status column.

After the form is submitted, Entrust completes the required verification, creates the Unique ID, and emails all super administrators to inform them that the administrator ID is available.


Managing super administrators

To view the details of a super administrator account, from the Admin Tools menu, select Admin Management. In the Admin Management page, click the name of the super administrator account.

Super administrator accounts can be downgraded to sub-administrator.

Demoting a super administrator

You cannot use the Certificate Management Service to demote a super administrator to sub-administrator. To demote a super administrator, the service Authorization Contact must send an email to Entrust at [email protected]. In this email, the service Authorization Contact must provide the account name and the name of the existing super administrator being demoted.

Once Entrust completes the request, an email is sent to the service Authorization Contact and the service administrators (Super and Sub) informing them of the change.

When an existing super administrator account is demoted to sub-administrator, only the certificates created by that account while it was a super administrator appear in its Management Dashboard. By default, the sub-administrator account will not have access to any client names. These can be assigned to the account by a super administrator.


Managing sub-administrators

From the Admin Management page a super administrator can manage sub-administrators using the view, edit, deactivate, or activate icons. Sub-administrators cannot access any certificates or clients until those certificates or clients have been delegated to them by a super administrator. Accelerator licenses cannot be assigned to sub-administrators.

The following sub-administrator management tasks are discussed:

• “Viewing and editing sub-administrator accounts” on page 47

• “Promoting a sub-administrator to super administrator” on page 48

• “Deactivating and reactivating a sub-administrator” on page 49

Viewing and editing sub-administrator accounts

Super administrators can view and edit all sub-administrator accounts. They can access and edit contact information as well as which clients, certificates, and primary client are assigned to a sub-administrator.

To view sub-administrators

1 As a super administrator, from the top menu bar select Admin Tools > Admin Management.

The Admin Management page appears.

2 Select the Sub-administrators tab. The Sub-administrators pane provides a list of all sub-administrators.


The Administrator Details page appears. This page shows the contact information for the sub-administrator as well as the certificates, clients and primary client that are assigned to the sub-administrator.

To edit sub-administrators

1 As a super administrator, from the top menu bar select Admin Tools > Admin Management.

2 Click (edit) for the applicable sub-administrator.

The Administrator Details page displays. This page shows the contact information for the sub-administrator and the resources assigned to the account.

3 Modify the information, as required.

4 Click Submit.

The Administrator Details page displays all of the certificates assigned to the sub-administrator in the Certificate Assignment section. Click Client/Organization Names to see associated clients.

Promoting a sub-administrator to super administrator

Only super administrators can promote sub-administrators.

To promote a sub-administrator to super administrator

1 As a super administrator, from the top menu bar select Admin Tools > Admin Management.

2 Select the sub-administrators tab.

3 Click (edit) for the applicable sub-administrator. The Administrator Details page displays.

4 Click the Promote sub-administrator: check box at the bottom of the page.

5 Click Submit.

A pop-up message opens, stating that the sub-administrator promotion is complete.

6 Click OK.

The administrator type is updated and an email is sent to the Authorization Contact and the service administrators, informing them of the change.

See “Sub-administrators” on page 23 for further details on the role and permissions granted to sub-administrators.


Deactivating and reactivating a sub-administrator

Sub-administrator accounts can be deactivated. After an account has been deactivated it cannot be used or edited until it is reactivated. When a sub-administrator is removed from the service, their certificate inventory is returned to the general account inventory.

After you deactivate a sub-administrator, a reactivate icon appears in the entry for that sub-administrator account. Use the reactivate icon to start using the account again.

Note: To reactivate an administrator, you must have unused administrator accounts in your inventory.

To deactivate a sub-administrator

1 As a super administrator, from the top menu bar select Admin Tools > Admin Management.

2 Select the Sub Administrators tab.

3 Click (deactivate) for the applicable sub-administrator.

A pop-up window opens, stating that this action will completely remove the administrator from the system. Click OK to continue.

The Status column shows the sub-administrator as Deactivated.

To reactivate a sub-administrator

1 As a super administrator, from the top menu bar select Admin Tools > Admin Management.

2 Select the Sub Administrators tab.

3 Click (reactivate).

A pop-up window opens, asking you to confirm.

4 Click OK to reactivate.


Managing clients

This section contains the following topics:

• “Adding a new client” on page 52

• “Viewing or altering client accounts” on page 58

• “Deactivating a client” on page 63


Adding a new client

Use either the Client Management page or the Client Request E-Form to request additional clients (company and domain names). To use the Client Request E-Form you must enroll for the form with Entrust.

Be sure that all information used in a client transaction is correct. Entrust uses this information to contact the company and complete the required verification.

If you plan on using Extended Validation (EV) certificates or Code Signing certificates in your client domains

Use of EV and Code Signing certificates requires more rigorous verification of the client domains. To use these certificates, more information about the client and domains is requested by the CMS and a longer time period is required to verify the information. See “Before adding the client (company and domain name), Entrust or a third party verifies the following information:” on page 64 for more information about the validation process. If you add domains at a later date and choose to use them with EV or Code Signing certificates, they will also require validation.

To add a new Client using the CMS interface

1 From the top menu bar, select Admin Tools > Client Management. The Client Management page appears.

2 Type the new client company name in the Client Company Name: field (click the ? icon for information about the format of the company name). You must type the client's registered business name. Do not use abbreviations.

Note: You must have remaining unused Client company and Client domain names in your inventory. See the Contract Information pages, Inventory page for inventory information.


3 Click the Add this client button.

The Management View page appears.

4 Read the Add Client section of the page. This information is required to successfully request a new client.

5 Complete the Client Company Information pane. The DUNS Number is the nine-digit number that uniquely identifies the client company. DUNS stands for Data Universal Numbering System; the system was originally created by the Dun & Bradstreet Corporation. The Address should be the legal business address of the client company.


6 Type the requested information into the fields in the Client Contact Information tab. This is the person acting as the contact for the client company.

7 Type the requested domain name into the Domain Name field on the Client Domain Information tab. If you are adding another domain to the client information, click Add Domain and type the domain name into the new field.

If you are requesting an EV or code-signing certificate select EV/Code signing for the appropriate domain. Tabs for entering the additional information required to obtain EV and code-signing certificates appear.

For more information about EV certificates see “Certificate types” on page 18. If you make an EV request, fill out the Business Headquarters, Jurisdiction of Incorporation, Higher Authority and Contract Signer pages.

A higher authority can be a corporate executive, legal counsel, company director or the direct manager of the contract signer or authorization contact. The person acting as the higher authority cannot also be the contract signer.

The contract signer is the individual who signs the subscription agreement on behalf of the company. The subscription agreement is sent to that person. The agreement must be accepted before the order can be processed.

The persons listed must respond if contacted by Entrust or a third party representative of Entrust. If they fail to do so, the certificate will be delayed or canceled.

8 Click Submit Request.


A confirmation page opens. Be sure that the information on the page is correct. Click Confirm to submit the request or Edit to change any information.

After the request is sent to Entrust, the client will be listed in the Clients list on the Client Management page with a status of Pending in the Client Status column.

Entrust performs the required verification (see the“Before adding the client (company and domain name), Entrust or a third party verifies the following information:” on page 64 for details of the verification process) and, if successful, adds the client (company and domain names) to the approved lists.

To add a new Client using the Client Request E-Form

1 From your browser, enter the URL of the Client Request E-Form Web page. For more information about the E-Forms see “Disabling the E-Form” on page 83.

2 If a password has been established for the E-Form, you must enter it before the request can be submitted.

3 Type the applicable information into all of the fields in all the sections on the page (see “Requesting a certificate using the Certificate Request E-Form” on page 81 for details).

The form has the following sections:

Submitter Information

The submitter’s Name and Email Address you enter in the Submitter Information section is the address used for the email acceptance or rejection notification (if email notification is enabled).

Domain Information (check the Setup as EV check box if you want Extended Validation) additional panes appear to

The DUNS Number is the nine-digit number that uniquely identifies the client company. DUNS stands for Data Universal Numbering System.

Note: The company information must be accurate and reflect the legal identity of the client being requested.

Client Contact Information

Information that can be used to contact someone in the company requesting the client who has knowledge of the transaction.

If you make an EV request, fill out the Business Headquarters, Jurisdiction of

Incorporation, Higher Authority and Contract Signer pages.

A higher authority can be a corporate executive, legal counsel, company director or the direct manager of the contract signer or authorization contact. The person acting as the higher authority cannot also be the contract signer.


The contract signer is the individual who signs the subscription agreement on behalf of the company. The subscription agreement is sent to that person. The agreement must be accepted before the order can be processed.

The persons listed must respond if contacted by Entrust or a third party representative of Entrust. If they fail to do so, the certificate will be delayed or canceled.

Note: The information in this form is sent to Entrust. Entrust or a third party representative will contact the client to complete an Authorization Letter. The contact must complete and return the Authorization Letter before the transaction can proceed.

4 Click the Submit Request button. Or click the Reset button to clear the information on the form and start again.

Once the request is sent to Entrust, the client will be listed in the Clients list on the Client Management page with a status of Pending (Awaiting Consent) in the Client Status column.

Entrust performs the required verification (see “Before adding the client (company and domain name), Entrust or a third party verifies the following information:” on page 64 for details of the verification process). If verification is successful, Entrust adds the client company and domain names to the approved lists.


Viewing or altering client accounts

You can view client accounts and add or remove domains. Client information can only be changed by Entrust. The following topics are discussed in this section:

• “Viewing Clients” on page 58

• “Modifying client domain or organization information” on page 59

To view client accounts select Admin Tools > Client Management, from the top menu bar.

The Client Management page displays icons (see Figure 8) beside every Client Company Name. These icons are linked to actions that allow you to view clients and add or remove domains. If you specify EV certificate use for an additional domain, it will

Note: Clicking any icon beside a deactivated client opens a pop-up window, stating This client is deactivated.

Figure 8: Client Management Page

Viewing Clients

Click the “view” icon to open the Edit Client page. The Client Company Information tab displays the existing information (Company Name, Address, DUNS

associated domains. The Business Headquarters, Jurisdiction of Incorporation, Higher Authority, and Contract Signer tabs will be present if EV has been selected.

Modifying client domain or organization information

Super administrators can request changes to the list of domains and organizations. Client domains and organizations can be added or removed. Extended validation can be added to existing domains. Other information about clients can be viewed but not modified.

Note: Only a super administrator can submit a request to add or remove additional Domain Names.

To edit client domain information

1 From the menu bar, select Admin Tools > Client Management.

The Client Management page appears.

2 In the Client Management page, click the edit icon corresponding to the client.

The Edit Client Information page appears.

3 Select the Client Domain Information tab.

4 Use the Remove check boxes to remove a domain. To enable a domain for EV or code-signing certificates, select the checkbox in the EV/Code Signing column. To add a domain to the client list type the domain name in the field at the bottom of the list of domains and click Add Domain.


Note: Entrust cannot remove a domain that is in use by an active certificate. Before removing a domain, deactivate any active certificates using it.

5 Click Submit Request to send the information to Entrust or Reset to start over.

Note: Removing a domain does not make the domain available to use again without validation. Domains require validation before being added to an account.

To edit client organization information

1 From the menu bar, select Admin Tools > Client Management. The Client Management page appears.

2 In the Client Management page, click the edit icon corresponding to the client.


3 Select the Client Organization Information tab.

4 Use the Remove check box to remove an organization. To add an organization to the client list type the name in the organization field.

Note: Entrust cannot remove an organization that is in use by an active certificate. Before removing an organization, deactivate any active certificates that use it.


Deactivating a client

You can deactivate a client from the Client Management pane.

To deactivate a client

1 From the menu bar, select Admin Tools > Client Management. The Client Management page appears.

2 In the Client Management page, click the “deactivate” icon for the client.

3 If you click the deactivate icon for a client with the status Active or Pending, a confirmation window appears, stating Deactivating this client will mean you will no longer be able to create certificates for them.

4 Click OK to proceed or the Cancel button to stop the deactivation.

5 Click OK to deactivate the client (company and domain name) from your list of approved Client company and client domain names.

After the client has been deactivated, it appears in the client list with deactivated as its Client Status.

Note: Removing a client does not add it to the list of unused inventory. Full verification is required to add a client. The name can only be added once.
