Chapter 5. Interface Descriptions

Table of Contents

1. Public PKI Server
1.1. General
1.2. CA Infos
1.3. User
1.4. Certificates
1.5. Requests
1.6. Language
2. Registration Authority
2.1. General
2.2. Active CSRs
2.3. Active CRRs
2.4. Information
2.5. Utilities
3. Registration Authority Node
3.1. General
3.2. Administration
3.3. Utilities
3.4. Logs
4. LDAP Interface
4.1. Update LDAP
4.2. View CA-Certificates
4.3. View Certificates
4.4. View CRLs

1. Public PKI Server

This section describes the public interface to the OpenCA PKI. From these screens a user can view current certificate lists, manage certificates, and download CA certificates and certificate revocation lists (CRLs).

There is a set of "tabs" along the top of the screen; each is described below.

1.1. General

This section describes the current versions of the OpenCA modules. There is only one sub menu item, Logout.

1.1.1. Logout

This link has no function as the user has not logged onto the Public Interface.

1.2. CA Infos

This section describes the CA related utilities a user can access. Each heading below relates to a link under the CA Infos tab.

1.2.1. Policy

This link displays the CA policy as a web page.

1.2.2. Get CA Certificate

By hitting this link the user is presented with a page titled "Download and Install CA Certificates". This page contains links to CA certificates in various formats.

In order for the user to "trust" certificates generated through OpenCA, they must have the Certificate Authority root certificate installed. This page provides an easy mechanism for them to do that. Most users will just click the "CA-certificate in format CRT" link and follow the instructions presented to them by their environment (e.g. in IE they have the option to "Open" the file and then "Install Certificate").

Apache Web server administrators would use the link "CA-certificate in format PEM" to download the certificate in the appropriate format for inclusion in the Apache configuration files.

1.2.3. Certificate Revocation Lists

By hitting this link the user is presented with a screen entitled "Download and Install CRLs". This page contains links to certificate revocation lists in various formats.

Many certificate aware clients (like Microsoft Outlook and Netscape Navigator) make use of certificate revocation lists to ensure that certificates are still valid and have not been revoked.

Three links are provided, each containing the current CRL in a different format depending on the client. Normal client users would download the CRL in DER format for inclusion in their browser. Web server administrators would use the PEM format. The text format is downloaded as a human-readable file.
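The formats and the revocation check described in 1.2.2 and 1.2.3, as an added example that is not part of this guide or of OpenCA itself: a throwaway CA is built with openssl (its name, the "jon.doe" subject and all file names are constructed), its certificate is written in PEM and CRT (DER) form, the CRL is published in the three formats offered by the download page, and a user certificate is checked against the CRL before and after revocation.

```shell
# Added example, not OpenCA's own code: a throwaway CA whose certificate is
# written in PEM and CRT (DER) form (1.2.2), its CRL published in PEM, DER and
# text form (1.2.3), and a user certificate checked against that CRL. All
# names, subjects and file names are constructed for this demonstration.
set -eu
WORK=$(mktemp -d); cd "$WORK"
# Throwaway root CA (CA:TRUE so verify accepts it as an issuer) and a user CSR.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo OpenCA Root" \
  -addext "basicConstraints=critical,CA:TRUE" -addext "keyUsage=keyCertSign,cRLSign" \
  -keyout ca.key -out ca.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=jon.doe" \
  -keyout user.key -out user.csr 2>/dev/null
touch index.txt; echo 01 > serial; echo 01 > crlnumber   # "openssl ca" database
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = ./index.txt
new_certs_dir = .
certificate = ./ca.pem
private_key = ./ca.key
serial = ./serial
crlnumber = ./crlnumber
default_md = sha256
default_days = 1
default_crl_days = 1
policy = any_name
[ any_name ]
commonName = supplied
EOF
openssl ca -batch -notext -config ca.cnf -in user.csr -out user.pem 2>/dev/null
# 1.2.2: "CA-certificate in format CRT" is the DER encoding of the PEM file.
openssl x509 -in ca.pem -outform DER -out ca.crt
# 1.2.3: publish the CRL in PEM (web servers), DER (browsers) and text form.
publish_crl() {
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
  openssl crl -in crl.pem -outform DER -out crl.der
  openssl crl -in crl.der -inform DER -noout -text > crl.txt
}
# Exit status 0 only when user.pem chains to the CA and is absent from the CRL.
verify_user() {
  cat ca.pem crl.pem > trust.pem
  openssl verify -crl_check -CAfile trust.pem user.pem >/dev/null 2>&1
}
publish_crl
verify_user && echo "before revocation: accepted"
openssl ca -config ca.cnf -revoke user.pem 2>/dev/null   # revocation as in 1.3.4
publish_crl                                              # the new CRL lists serial 01
verify_user || echo "after revocation: rejected by the CRL check"
```

A client that has only the CA certificate, without the CRL, would still accept the revoked certificate; that is why the CRL download page matters as much as the CA certificate page.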

1.3. User

This section allows the user to manage their certificates. It allows certificate request, retrieval, testing and revocation.

1.3.1. Request a certificate

This link presents the user with a page offering a number of certificate request methods. There are subtle differences between the methods, which are described below. Each one of the links will take the user to a form. The user will fill in the form and submit the data. The data submitted will be used to create a certificate signing request (CSR), which will go to the Certificate Authority to sign and return as a certificate.

The form data has the following fields:
  • E-Mail: The email address associated with the certificate

  • Name: The name of the user

  • Certificate Request Group: This is usually the department or sub group the user belongs to

  • Alternative email: Another email to appear in the certificate

  • DNS name: The DNS name if the certificate is a web server cert

  • Name: The real name of the user

  • Email: The user's email address

  • Department: The user's department

  • Telephone: The user's telephone number

  • Level of Assurance: This is the type of physical authentication the user is to receive

  • Role: The certificate role within the hierarchy, this is usually "User" for most normal users

  • Registration Authority: This is usually the physical location at which the user is to be identified (e.g. Personnel)

  • PIN: A password used to verify the CSR

  • Key Size: The size of the key used in the CSR (usually set to 1024)

After submitting the form, the next set of screens the user sees will depend on the client being used and the type of request selected. After the CSR has been generated and submitted, the user will be issued with a Certificate Request ID. This takes the form of an integer. It is important that the user notes this number down, as it is required when retrieving their certificate.

Once the user has requested their certificate, the Certificate Authority will process the certificate request. This may involve a face-to-face identification of the user at the Trust Center. When the certificate has been created, the user will be informed by email. This email will also include a Certificate Revocation Number (CRIN); this number should be kept in a safe place, as it will be required if the user needs to revoke their own certificate in the future.

1.3.1.1. Request a certificate with automatic browser detection

By pressing this link, OpenCA will try to determine what browser the user is using to request their certificate. Once this has been established the CSR form is presented to the user. The CSR (along with the associated private and public keys) will be generated by the user's browser and submitted to the Certificate Authority.

1.3.1.2. Basic Request

This link leads to server-side key and CSR generation. A user would use this link if their browser did not support CSR generation, or if for some reason they wanted the Certificate Authority to generate the keys and CSR (e.g. for key backup on the server).

1.3.1.3. Netscape's Request

This link should be used if the client is a Netscape-type browser (e.g. Navigator or Mozilla). The CSR generated by the client will be of the type SPKAC.

1.3.1.4. IE Request

This link should be used if the client is an Internet Explorer type browser. The CSR will be generated by the client.

1.3.1.5. Server Request

This link is used to submit a web server certificate request. This is slightly different from a normal client certificate request as the CSR will have already been generated at the web server. There is a field used to upload the CSR, so the user must make sure that they have a CSR to upload before selecting this option.

1.3.1.6. Token Request

This link is the same as the "Basic Request" in that the keys and CSR are not generated at the client. This request is used when the Certificate Authority is going to create the key pair and certificate on a hardware token. You only enter your data; the data is stored at the server, but no cryptographic operations take place without operator interaction. In simple terms it is like an email saying "Hello, I need a cert. Sincerely yours, Jon Doe".
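The two request encodings described above (a SPKAC from a Netscape-type browser in 1.3.1.3, and a PKCS#10 CSR uploaded through the Server Request in 1.3.1.5), as an added example that is not OpenCA's own code: each is generated with openssl and then put through the checks a receiving Registration Authority would run. The key, the subjects and the PIN are constructed, and the PIN is assumed here to be carried as the SPKAC challenge string.

```shell
# Added example, not OpenCA's own code: the two request encodings that arrive
# through the pages above (a Netscape SPKAC, a web server's PKCS#10 CSR),
# generated and then checked as a receiving RA would. Constructed: the key,
# the subjects and the PIN, assumed here to travel as the SPKAC challenge.
set -eu
WORK=$(mktemp -d); cd "$WORK"
openssl genrsa -out user.key 2048 2>/dev/null
# 1.3.1.3 Netscape's Request: "SPKAC=<base64>" carries the public key plus a
# challenge string, self-signed with the private key as proof of possession.
openssl spkac -key user.key -challenge "s3cret-PIN" -out netscape.spkac
# 1.3.1.5 Server Request: a PKCS#10 CSR generated beforehand on the web server.
openssl req -new -key user.key -subj "/CN=www.example.test" -out server.csr 2>/dev/null

# Recognise which encoding was uploaded.
request_kind() { grep -q '^SPKAC=' "$1" && echo spkac || echo pkcs10; }

# Exit status 0 only if the request's self-signature verifies under its own key.
verify_request() {
  case "$(request_kind "$1")" in
    spkac)  openssl spkac -in "$1" -verify -noout >/dev/null 2>&1 ;;
    pkcs10) openssl req -in "$1" -verify -noout >/dev/null 2>&1 ;;
  esac
}

# Key size actually present in the request, to compare with the form's "Key Size".
request_key_bits() {
  case "$(request_kind "$1")" in
    spkac)  openssl spkac -in "$1" -pubkey -noout ;;
    pkcs10) openssl req -in "$1" -pubkey -noout ;;
  esac | openssl pkey -pubin -text -noout | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Challenge (PIN) embedded in a SPKAC, to compare with the PIN typed into the form.
spkac_challenge() { openssl spkac -in "$1" | sed -n 's/^ *Challenge String: //p'; }

for f in netscape.spkac server.csr; do
  if verify_request "$f"; then
    echo "$f: $(request_kind "$f"), signature OK, $(request_key_bits "$f")-bit key"
  else
    echo "$f: signature check FAILED"
  fi
done
echo "challenge in SPKAC: $(spkac_challenge netscape.spkac)"
```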

1.3.2. Get Requested Certificate

This link provides the mechanism for a user to retrieve the requested certificate and install it in the browser.

The user is presented with a screen and a set of instructions. The most important is that the user must be using the same computer that was used to request the certificate. This is important because both IE and Netscape-type browsers need to link the certificate back to the CSR and private keys; this can only be done if the computer that was used to generate the CSR is used to retrieve the certificate.

The user should enter their "Serial Number" in the space provided. The serial number can be one of:
Certificate's Serial

The serial number of the certificate signed by the Certificate Authority

Request's Serial

The serial number of the submitted request, issued to the user at CSR submission time

Your ID

This is the ID used by the batch processor. Usually this ID is an account name, but the ID is defined by the administrator of the batch processor.

Upon pressing the "Continue" button, OpenCA attempts to install the certificate into the user's browser. The screens presented to the user depend on the browser being used.

1.3.3. Test Certificate

By pressing this link the user is presented with a screen displaying the session's server and client certificate details. In most cases this screen will only display the details of the web server certificate used to secure the session (as this screen is not usually accessed via pages requiring client-side authentication).

The user is offered the opportunity to "Sign" a set of data to test the client certificate. Upon pressing the "Sign" button the user is asked to choose the certificate they wish to use to sign the test data. Once they have chosen their certificate they may be asked to enter the pass phrase securing their private keys (this depends on how the user installed the certificate and private keys at key generation time). Once they have completed this, the results of the signing process are displayed.

1.3.4. Revoke Certificate

This screen gives the user the opportunity to revoke their own certificate. To do this they need to fill in the form and press "Continue". The Certificate Serial number can be obtained by examining the certificate (using browser functions) or by looking up the certificate in the valid certificates list. The CRIN code was sent to the user at certificate creation time.

1.4. Certificates

This set of options provides the user with lists of certificates in various states (valid, expired, revoked and suspended). It also provides an interface for the user to search for a certificate.

1.4.1. Valid

Following this link the user is presented with a screen displaying all valid certificates. The screen shows 20 certificates at a time. The user can scroll through the valid certificates by using the "Extra References" link in the top right of the screen.

For each certificate the screen shows:
Serial

The serial number of the certificate

Common Name

The common name associated with the certificate

Issued On

The date and time the certificate was issued

Email

The email address in the certificate (the user can click this link to mail the certificate holder)

Role

The type of certificate (e.g. User)

A user can view the content of a certificate by clicking the serial number of the certificate they wish to view. OpenCA presents a screen displaying the certificate details. At the bottom of this screen are two new links, from which the user can download the certificate (and install it into their browser) or initiate the revocation procedure. To revoke, the user must have the CRIN number for the certificate being viewed; this number is presented to the certificate holder at certificate creation time, so only the certificate holder can revoke their own certificate.

1.4.2. Expired

Clicking this link shows the user a list of all the expired certificates. The screen shows 20 certificates at a time. The user can scroll through the expired certificates by using the "Extra References" link in the top right of the screen.

1.4.3. Revoked

Clicking this link shows the user a list of all the revoked certificates. The screen shows 20 certificates at a time. The user can scroll through the revoked certificates by using the "Extra References" link in the top right of the screen.

1.4.4. Suspended

Clicking this link shows the user a list of all the suspended certificates. The screen shows 20 certificates at a time. The user can scroll through the suspended certificates by using the "Extra References" link in the top right of the screen. Suspended certificates are certificates that have had the revocation process started but not yet revoked by the Certificate Authority.

1.4.5. Search

This link provides a screen to enable users to search for a certificate on the system. The screen allows the user to search based on the criteria of name, email or distinguished name. Wild cards are allowed (e.g. Chris*) in each of the fields. You do not have to fill in each of the fields for the search function to find a match, but the more search data you enter the finer the granularity of the search.

1.5. Requests

This section displays outstanding requests. New certificate requests and revocation requests can be displayed.

1.5.1. Certificate Requests List

Following this link the user is presented with a list of all the current certificate requests at the Registration Authority. The screen shows 20 requests at a time. The user can scroll through the list by using the "Extra References" link in the top right of the screen.

1.5.2. Certificate Revocation Requests List

Following this link the user is presented with a list of all the current certificate revocation requests at the Registration Authority. The screen shows 20 revocation requests at a time. The user can scroll through the list by using the "Extra References" link in the top right of the screen.

1.6. Language

This heading lists the languages that OpenCA has available; by clicking on one of the language links, the screens change to the selected language.