
Upload: hoangtruc

Post on 28-Aug-2018


Certification Authority Server Installation Manual

Introduction

A Certification Authority issues digital certificates which contain a public key and the identity of the owner. The certificates are issued in PFX (Personal inFormation eXchange) file format protected by a password.

Certificates provide the foundation of a public key infrastructure (PKI). These are electronic credentials, issued by a certification authority (CA), that are associated with a public and private key pair.

Our Certification Authority Server works as an IIS application for most Windows webservers. That means it is not required to operate an extra CA machine.

Warning and Disclaimer

Every effort has been made to make this manual as complete and accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The author shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this manual.

Trademarks

.NET, Visual Studio .NET are trademarks of Microsoft Inc.
Adobe, Adobe Reader are trademarks of Adobe Systems Inc.
All other trademarks are the property of their respective owners.

Page 1 - Certification Authority Server Installation Manual (version 4.0) - http://www.signfiles.com/certification-authority/

CA Server - new features .......... 2
    Microsoft Store Root Certificate .......... 2
    Root Certificate Generator .......... 3
OCSP Validation Service .......... 4
    How OCSP Validation Service Works .......... 4
    Testing the OCSP .......... 5
    Validating PDF Signatures .......... 6
Prerequisites .......... 11
Installation .......... 12
CA Root Certificate .......... 14
    Issue the CA Root Certificate .......... 14
Issue Certificates .......... 15
    Issue User Certificates .......... 15
    Issue Certificates from CSR (Certificate Signing Request) .......... 16
    Revoke a Certificate .......... 17
    CRL Issuing .......... 18
Certification Authority Management .......... 19
    Certificate Management .......... 19
    Audit Trail .......... 20

CA Server - new features

The CA Server is available for testing purposes at this link: http://ca.signfiles.com/ca/

The latest version of the CA Server includes the following features:

– Signing Certificates can be loaded from Microsoft Certificate Store.
– OCSP Support
– Certificate templates for CSR certificates

Microsoft Store Root Certificate

If you want to use an HSM Root Certificate, it must appear in Microsoft Certificate Store – Personal tab.

The CA Server can use an existing Root Certificate as the CA certificate (preferred method) or you can generate a new Root Certificate on your CSP.

The Root Certificate must be available for every CA operation. These operations are: issuing certificates, CRL issuing, and signing the OCSP responses.


Root Certificate Generator

If your CSP does not offer a way to generate certificates directly on the CSP (the preferred method), you can use Root Certificate Generator.

How to generate a Root Certificate using Root Certificate Generator:

- Start Root Certificate Generator.
- In the Smart Card Certificate Service Provider combobox, select your CSP.
- If your CSP does not appear in the list, the certificate cannot be generated.
- Fill the textboxes with your data (Organization, Email, etc.).
- Select the Root Certificate template.
- Optionally, set the key size, validity period, etc.
- Press Generate Certificate.
- Enter the CSP credentials (PIN PED, Password, other mechanisms).
- Read the CSP manual to import the generated certificate into Microsoft Certificate Store - Personal tab (not Trusted Root Certification Authorities or Other People).


OCSP Validation Service

How OCSP Validation Service Works

The OCSP Certificate must be issued by the same Root Certificate as the User Certificate, as below.

              ------------------
              |Root Certificate|
              ------------------
                  |        |
                  |        |
    ------------------  ------------------
    |OCSP Certificate|  |User Certificate|
    ------------------  ------------------

- The client must include in the OCSP Request the serial number of the User Certificate to be verified and the Root Certificate Public Key Hash.
- The OCSP Request is sent to the OCSP Server URL. The OCSP URL is extracted from the User Certificate - Authority Info Access field, like below:

[1]Authority Info Access
     Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
     Alternative Name:
          URL=http://ca.signfiles.com/OCSP.aspx

The OCSP Server (http://ca.signfiles.com/OCSP.aspx) performs the following steps:

• Verify the OCSP Certificate. If the OCSP Certificate is not OK, an error message will be returned (as a POST byte[]) or the status OCSPRespGenerator.InternalError.

• Verify the CRL file. If the CRL file is invalid or unavailable, the status OCSPRespGenerator.InternalError will be returned.

• Validate the OCSP Request structure. If the OCSP Request is not signed by the current Root CA, the OCSPRespGenerator.Unauthorized status will be returned. (Observation: some OCSP clients could return the Unknown status, but popular CAs like Verisign or Thawte return OCSPRespGenerator.Unauthorized.)

• The user certificate serial number is extracted from the OCSP Request and, if it is found on the CRL, the status Revoked is returned to the Client.

• If the user certificate serial number does not appear on the CRL, the certificate is considered valid and the status Good is returned to the Client.

• If an exception occurs during this process, the status OCSPRespGenerator.InternalError will be returned.

• All errors above will appear on the Audit Trail.
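The decision sequence above, as an added Python model that is not the CA Server's own code (the product is an ASP.NET application): it runs the responder's checks in the manual's order over a constructed CRL, with status names mirroring the OCSPRespGenerator constants and the CRL expiry check using the 7-day validity the manual gives the CRL. The key hashes, serial numbers and dates are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Status names follow the Bouncy Castle OCSPRespGenerator constants cited in the manual.
SUCCESSFUL, INTERNAL_ERROR, UNAUTHORIZED = "Successful", "InternalError", "Unauthorized"

@dataclass
class Crl:
    issuer_key_hash: str       # hash of the Root Certificate public key that signed the CRL
    next_update: datetime      # the CA Server's CRL is valid for 7 days after it is issued
    revoked_serials: frozenset # serial numbers of revoked certificates

@dataclass
class Responder:
    ocsp_cert_ok: bool         # outcome of verifying the OCSP Certificate
    crl: Optional[Crl]         # None models an unavailable CRL file
    audit_trail: list = field(default_factory=list)

    def respond(self, serial_number, issuer_key_hash, now):
        """Return (response status, certificate status) in the manual's order of checks."""
        try:
            if not self.ocsp_cert_ok:
                return self._fail(INTERNAL_ERROR, "OCSP Certificate is not OK")
            if self.crl is None or self.crl.next_update <= now:
                return self._fail(INTERNAL_ERROR, "CRL unavailable or expired")
            if issuer_key_hash != self.crl.issuer_key_hash:
                return self._fail(UNAUTHORIZED, "request is not for the current Root CA")
            revoked = serial_number in self.crl.revoked_serials
            return SUCCESSFUL, ("Revoked" if revoked else "Good")
        except Exception as exc:   # any other failure is also reported as InternalError
            return self._fail(INTERNAL_ERROR, f"exception: {exc}")

    def _fail(self, status, reason):
        self.audit_trail.append(f"{status}: {reason}")   # every error lands in the Audit Trail
        return status, None

# Constructed sample data: a CRL issued "now" with one revoked serial number.
NOW = datetime(2018, 8, 28, tzinfo=timezone.utc)
SAMPLE_CRL = Crl("root-key-hash", NOW + timedelta(days=7), frozenset({0x1001}))

def demo():
    """Run the scenarios the manual describes; returns {scenario: (status, cert_status)}."""
    r = Responder(True, SAMPLE_CRL)
    return {
        "revoked": r.respond(0x1001, "root-key-hash", NOW),
        "good": r.respond(0x1002, "root-key-hash", NOW),
        "wrong_root": r.respond(0x1002, "other-root-hash", NOW),
        "crl_expired": r.respond(0x1002, "root-key-hash", NOW + timedelta(days=8)),
        "ocsp_cert_bad": Responder(False, SAMPLE_CRL).respond(0x1002, "root-key-hash", NOW),
        "audit_entries": len(r.audit_trail),   # wrong_root and crl_expired were logged
    }

if __name__ == "__main__":
    print(demo())
```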

Testing the OCSP

The OCSP service can be tested as below.

After the Root Certificate is installed in Microsoft Certificate Store - Trusted Root Authorities, you can use PDF Signer to create a digital signature that will contain the revocation information obtained from the OCSP CA Responder. The Root Certificate can be downloaded from here: http://ca.signfiles.com/caOCSP/RootCertificate.cer

To create a PDF digital signature, you must also obtain a signing certificate from the CA Server (http://ca.signfiles.com/caOCSP/IssueUserCertificate.aspx).

The OCSP response can be embedded in the PDF signature only if the Root Certificate that issued the User Certificate exists in Microsoft Certificate Store - Trusted Root Authorities. Also, the OCSP Certificate must be issued by the same Root Certificate as the User Certificate, as below.

              ------------------
              |Root Certificate|
              ------------------
                  |        |
                  |        |
    ------------------  ------------------
    |OCSP Certificate|  |User Certificate|
    ------------------  ------------------

The OCSP validation service can also be verified using the following command:

certutil -url <path to the .cer file>

and then selecting the OCSP (from AIA) option in the dialog that opens.


Validating PDF Signatures

By default, the signatures generated by PDF Signer are not considered trusted by Adobe Reader because the Root Certificate used to issue the Signing Certificate is not included in the Adobe Trusted List. More details about Adobe signature validation are available at this link. The OCSP response status cannot be shown in Adobe Reader if the signature is not trusted, so you must validate the signature.

Click Add to Trusted Identities button, select all checkboxes, click OK and re-validate the signature.


After the certificate is considered trusted by Adobe, the signature is valid.


OCSP Response will look like below:

This means the OCSP Server is working.


If the digital signature is made using a revoked certificate, the PDF document will look like below:


A revoked digital certificate appears on the CRL:


Prerequisites

CA Server requires the following:

– Windows operating system with IIS
– Microsoft .NET Framework 2.0
– ASP.NET enabled on your IIS

To enable ASP.NET on your IIS web server, go to Control Panel – Programs and Features – Turn Windows features on or off and, under Internet Information Services features, select ASP.NET as shown in the image below.


Enable ASP.NET on IIS

Installation

Download CA Server and unzip the content on your IIS web server (e.g. C:\CAServer).

Next, CA Server must be added as an application on the IIS web server. Go to Computer icon – Right click Manage – Computer Management – Services and Applications – Internet Information Services (IIS) Manager.


CA Server folder content

IIS Management

On your website, CA Server must be added as a new Application.

Right click on your IIS website (Default Web Site) – Add Application... and set the application alias and the physical path as below.

Attention: CA Server requires Read, Write and Execute permissions to be enabled for the physical path. The IIS user must have these rights on the specified physical path.

At this moment, CA Server should be installed. To check the installation, go to: http://localhost/ca/.


CA Root Certificate

Issue the CA Root Certificate

CA Server needs a special digital certificate (the CA certificate) in order to digitally sign other certificates.

The CA certificate is a special type of certificate and must be created as below:

– Use RSA 2048
– Expiration date: at least 5 years.

The CA Root Certificate could be issued by the CA Server following this link: http://localhost/ca/IssueRootCertificate.aspx


Issuing the CA Root Certificate

Issue Certificates

Issue User Certificates

To issue User certificates, follow this link: http://localhost/ca/IssueUserCertificate.aspx

The certificates are issued in PFX format and can be installed in Microsoft Certificate Store or used in your applications.

The certificates are signed by the CA Root Certificate.


Issue Certificates from CSR (Certificate Signing Request)

To issue a certificate from a CSR file, follow this link: http://localhost/ca/IssueFromCSR.aspx

Usually, a CSR file is generated by your web server or by an HSM device.

The certificate is issued in .CER format and it is signed by the CA Root Certificate.


Revoke a Certificate

When a certificate is issued, a revocation password can be set. To revoke a certificate, follow this link: http://localhost/ca/RevokeCertificate.aspx

To revoke a certificate issued by the CA Server, the certificate serial number and the revocation password are required.

A revoked certificate will appear on the CRL (Certificate Revocation List), in order for other applications to know that the certificate is no longer valid.


CRL Issuing

The Certificate Revocation List (CRL) is a list of certificates (or more specifically, a list of serial numbers for certificates) that have been revoked, and therefore should not be relied upon.

Every certificate issued by the CA Server includes the CRL URL so the CRL must be up to date.

The CRL is valid for 7 days, so it must be issued within this interval.

To issue the CRL, the page below must be accessed every 6 days: http://localhost/ca/EmitCRL.aspx?emit=true

Because IIS does not support cron jobs like Apache, the EmitCRL.aspx?emit=true page must be called from time to time (usually every 6 days) to issue the CRL.

If the CRL expires, all certificates issued by the CA will be considered invalid.

The page http://localhost/ca/EmitCRL.aspx?emit=true can be called from Task Scheduler or manually from time to time.


Certification Authority Management

Certificate Management

In order to manage issued certificates, follow this link: http://localhost/ca/Manage.aspx

This page shows information regarding the certificates issued by the CA Server.

Also, the certificates can be revoked, downloaded or exported.


Audit Trail

Every action made on the CA Server is recorded, encrypted, in an Audit Trail log file.

To access the Audit Trail, follow this link: http://localhost/ca/Audit.aspx

Errors that occurred while issuing certificates are also recorded here.
