ElevenPaths, radical and disruptive innovation in security solutions
SealSign CKC (Central Key Control) Management guide
SealSign CKC (Central Key Control)
Management guide V.3.2 – October 2016
2016 © Telefónica Digital España, S.L.U. All rights reserved. Page 2 of 23
Table of content
1 Introduction (p. 3)
2 Configuration Tasks (p. 4)
2.1 Configuring Certificates in the SealSign DSS Server (p. 4)
2.2 Configuring Policies of Access to Central Key Control (Optional, only for Central Key Control Client) (p. 4)
2.2.1 Opening the Administrative Template (p. 4)
2.2.2 Loading Administrative Templates (p. 5)
2.2.3 Configuring the Connection to the SealSign DSS Server (At Machine Level) (p. 5)
2.2.4 Configuring the Connection to the SealSign DSS Server (At User Level) (p. 9)
2.2.5 Configuring Other SealSign DSS Parameters (At Machine Level) (p. 12)
2.2.6 Configuring Other SealSign DSS Parameters (At User Level) (p. 16)
2.2.7 Configuring the Parameters of the Certificate Automatic Import (At Machine Level) (p. 17)
2.2.8 Configuring the Parameters of the Certificate Automatic Import (At User Level) (p. 18)
3 Troubleshooting (p. 21)
4 Resources (p. 22)
1 Introduction
SealSign Central Key Control (CKC) is a software product developed entirely by ElevenPaths, designed to centrally control the use of electronic certificates in an organization. CKC is based on the management of the different certificate stores supported by the SealSign Digital Signature Services (DSS) electronic signature platform.
One of the problems of the electronic signature process is the management of the certificates and keys used to sign documents. To solve this, SealSign DSS provides a store of certificates and keys that are associated with rules of use within its configuration database. In addition, both in server-side signature processes and in distributed client-side signature processes, SealSign DSS can use certificates held in external stores: Windows certificate stores as well as stores accessible through PKCS#11 modules.
With Central Key Control, certificates stored in the SealSign DSS server can be used from client computers in a transparent way, through an engine based on rules of use with filtering options, as if these certificates were stored locally on each computer.
Moreover, CKC can increase the security of access to certificates by adding an extra authentication factor whenever a certificate's private key is used. This extended authentication is based on the SmartID Professional authentication platform, which supports contact and contactless smart cards as well as biometric factors such as fingerprints.
Finally, with Central Key Control you can configure both a list of authorized processes, client computers and users, and a list of URLs where the use of the private keys associated with platform certificates is allowed.
2 Configuration Tasks
Information about licensing is detailed in the document "SealSign - Licensing.pdf".
When using Central Key Control in an organization, the administrator must perform two fundamental tasks:
1. Configuring certificates and/or rules of use on the SealSign DSS server.
2. Configuring the CKC client policies (optional).
2.1 Configuring Certificates in the SealSign DSS Server
The Central Key Control storage and management system for certificates and permissions is based on the certificate functionality of the SealSign DSS server. Before a certificate can be used or shared through Central Key Control, the platform administrator must add the certificate, or a reference to it, to the SealSign DSS server.
The Centralized Key Management section of the SealSign DSS Management Guide details the tasks to be conducted to manage centralized access to certificates.
2.2 Configuring Policies of Access to Central Key Control (Optional, only for Central Key Control Client)
In order to apply and configure the parameters of access to CKC certificates through the Central Key Control client software, the Central Key Control installer copies a Windows administrative template that allows the administrator to perform this configuration. Furthermore, in environments where it is not possible or convenient to use administrative templates, any of these parameters can be configured through entries in the system registry.
The administrative template for configuring CKC, KeyControl.adm, is copied to the %Program Files%\Smart Access S.L\Central Key Control folder in the client computers.
2.2.1 Opening the Administrative Template
You can follow these steps to open the administrative template in the Group Policy Editor:
1. Open the Group Policy Editor. It can be opened from multiple locations, depending on where you wish to apply the changes: for example, from the command line (gpedit.msc) for policies local to the machine, through the Active Directory Users and Computers console, or by using the Group Policy Editor MMC snap-in.
2. Expand the policy tree on the left until you find the option needed:
a. Computer Configuration\Administrative Templates\SmartAccess\Central Key Control Parameters and User Configuration\Administrative Templates\SmartAccess\Central Key Control Parameters in Windows XP and Windows 2003.
b. Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\SmartAccess\Central Key Control Parameters and User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\SmartAccess\Central Key Control in Windows Vista and later.
2.2.2 Loading Administrative Templates
If the administrative template is not preloaded in the Group Policy Editor, it must be loaded following these steps:
1. Open the Group Policy Editor. It can be opened from multiple locations, depending on where you wish to apply the changes: for example, from the command line (gpedit.msc) for policies local to the machine, through the Active Directory Users and Computers console, or by using the Group Policy Editor MMC snap-in.
2. Right-click the Administrative Templates node located under Computer Configuration, and select Add/Remove Templates.
3. Click the Add button.
4. Select the template file (%Program files%\Smart Access S.L\Central Key Control\KeyControl.adm) and click Open.
5. Click Close.
6. The template for the Central Key Control configuration will be available in the editor under the following paths:
a. Computer Configuration\Administrative Templates\SmartAccess\Central Key Control Parameters and User Configuration\Administrative Templates\SmartAccess\Central Key Control Parameters in Windows XP and Windows 2003.
b. Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\SmartAccess\Central Key Control Parameters and User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\SmartAccess\Central Key Control in Windows Vista and later.
You can get further information on loading and using administrative templates in this Microsoft Knowledge Base article: http://support.microsoft.com/kb/816662/en.
2.2.3 Configuring the Connection to the SealSign DSS Server (At Machine Level)
2.2.3.1 URL of the Central Key Control Web Service
It defines the URL for accessing the Central Key Control web service. Its value should be similar to this: http://sealsignserver/SealSignDSSKeyControl
Policy: SealSign Key Control Service URL
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: SealSignKCServiceURL
Property type: REG_SZ
2.2.3.2 URL of the SealSign Management Web Service
It defines the URL for accessing the SealSign management web service. Its value should be similar to this: http://sealsignserver/SealSignDSSService
Policy: SealSign DSS Administration Service URL
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: SealSignDSSAdminServiceURL
Property type: REG_SZ
2.2.3.3 User Account for the Connection to the SealSign Server
By default, the connection to the SealSign and CKC web services is performed with the current user account. For those environments where it is desired or necessary to use a different account, it must be configured through this policy:
Policy: SealSign UserName
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: SealSignUserName
Property type: REG_SZ
2.2.3.4 User Password for the Connection to the SealSign Server
By default, the connection to the SealSign and CKC web services is performed with the current user account. The password of the alternative user used to access the server must be configured through this policy:
Policy: SealSign Password
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: SealSignPassword
Property type: REG_SZ
In an administrative template, the password would be stored in the registry in clear text. That is why we have developed a tool called “GenerateAdmPassword”, located in the SealSign CKC Client installation directory. This tool generates an encrypted block from the plaintext password. The appearance of the tool is shown in the following figure. The content of the “Encrypted Password” text field is what needs to be entered in the “SealSign Password” field of the administrative template.
2.2.3.5 User Domain for the Connection to the SealSign Server
By default, the connection to the SealSign and CKC web services is performed with the current user account. The domain of the alternative user used to access the server must be configured through this policy:
Policy: SealSign Domain
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: SealSignDomain
Property type: REG_SZ
2.2.3.6 Cache Timeout for the SealSign Certificates Password (Seconds)
The recommended value is between 30 and 60 seconds. Since cryptographic operations on the Microsoft platform are not atomic (they are not performed in a single operation but divided into several independent operations), this cache carries the centralized certificate password across the calls to the SealSign server without continuously having to request it from the user. This policy only applies when a certificate is registered in SealSign DSS and is configured so that SealSign does not remember its password.
Policy: Password Cache Time (seconds)
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: PasswordCacheTime
Property type: REG_SZ
2.2.3.7 Open Timeout for the Connection to the SealSign Server
With this policy you can configure the open timeout for the connection to the SealSign Server:
Policy: SealSign Open Timeout
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: OpenTimeout
Property type: REG_DWORD
Default value: 5 seconds
2.2.3.8 Send Timeout to the SealSign Server
With this policy you can configure the send timeout to the SealSign Server:
Policy: SealSign Send Timeout
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: SendTimeout
Property type: REG_DWORD
Default value: 10 seconds
2.2.3.9 Receive Timeout from the SealSign Server
With this policy you can configure the receive timeout from the SealSign Server:
Policy: SealSign Receive Timeout
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: ReceiveTimeout
Property type: REG_DWORD
Default value: 10 seconds
Configuration of the connection parameters can be set at machine or user level. If both options are set, the parameters with higher preference are the ones configured at user level.
2.2.4 Configuring the Connection to the SealSign DSS Server (At User Level)
2.2.4.1 URL of the Central Key Control Web Service
It defines the URL for accessing the Central Key Control web service. Its value should be similar to this: http://sealsignserver/SealSignDSSKeyControl
Policy: SealSign Key Control Service URL
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: SealSignKCServiceURL
Property type: REG_SZ
2.2.4.2 URL of the SealSign Management Web Service
It defines the URL for accessing the SealSign management web service. Its value should be similar to this: http://sealsignserver/SealSignDSSService
Policy: SealSign DSS Administration Service URL
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: SealSignDSSAdminServiceURL
Property type: REG_SZ
2.2.4.3 User Account for the Connection to the SealSign Server
By default, the connection to the SealSign and CKC web services is performed with the current user account. For those environments where it is desired or necessary to use a different account, it must be configured through this policy:
Policy: SealSign UserName
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: SealSignUserName
Property type: REG_SZ
2.2.4.4 User Password for the Connection to the SealSign Server
By default, the connection to the SealSign and CKC web services is performed with the current user account. The password of the alternative user used to access the server must be configured through this policy:
Policy: SealSign Password
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: SealSignPassword
Property type: REG_SZ
In an administrative template, the password would be stored in the registry in clear text. That is why we have developed a tool called “GenerateAdmPassword”, located in the SealSign CKC Client installation directory. This tool generates an encrypted block from the plaintext password. The appearance of the tool is shown in the following figure. The content of the “Encrypted Password” text field is what needs to be entered in the “SealSign Password” field of the administrative template.
2.2.4.5 User Domain for the Connection to the SealSign Server
By default, the connection to the SealSign and CKC web services is performed with the current user account. The domain of the alternative user used to access the server must be configured through this policy:
Policy: SealSign Domain
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: SealSignDomain
Property type: REG_SZ
2.2.4.6 Cache Timeout for the SealSign Certificates Password (Seconds)
The recommended value is between 30 and 60 seconds. Since cryptographic operations on the Microsoft platform are not atomic (they are not performed in a single operation but divided into several independent operations), this cache carries the centralized certificate password across the calls to the SealSign server without continuously having to request it from the user. This policy only applies when a certificate is registered in SealSign DSS and is configured so that SealSign does not remember its password.
Policy: Password Cache Time (seconds)
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: PasswordCacheTime
Property type: REG_SZ
2.2.4.7 Open Timeout for the Connection to the SealSign Server
With this policy you can configure the open timeout for the connection to the SealSign Server:
Policy: SealSign Open Timeout
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: OpenTimeout
Property type: REG_DWORD
Default value: 5 seconds
2.2.4.8 Send Timeout to the SealSign Server
With this policy you can configure the send timeout to the SealSign Server:
Policy: SealSign Send Timeout
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: SendTimeout
Property type: REG_DWORD
Default value: 10 seconds
2.2.4.9 Receive Timeout from the SealSign Server
With this policy you can configure the receive timeout from the SealSign Server:
Policy: SealSign Receive Timeout
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: ReceiveTimeout
Property type: REG_DWORD
Default value: 10 seconds
Configuration of the connection parameters can be set at machine or user level. If both options are set, the parameters with higher preference are the ones configured at user level.
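The following script is an added example, not part of this guide or of the product: it writes the connection parameters documented in sections 2.2.3 and 2.2.4 directly to the registry, which is the route the guide allows where administrative templates cannot be used. The server URLs are placeholders, and the password value is assumed to be the "Encrypted Password" text produced by GenerateAdmPassword.

```powershell
<#
  Added example, not part of the ElevenPaths guide: provisions the SealSign DSS
  connection parameters of the CKC client directly in the registry.
  Registry path, value names and value types are the ones documented for the
  SealSignProvider key. Run elevated when using -Scope Machine (HKLM).
#>
[CmdletBinding()]
param(
    [ValidateSet('Machine', 'User')]
    [string]$Scope = 'Machine',
    [Parameter(Mandatory)] [string]$KeyControlUrl,    # placeholder, e.g. https://sealsignserver/SealSignDSSKeyControl
    [Parameter(Mandatory)] [string]$AdminServiceUrl,  # placeholder, e.g. https://sealsignserver/SealSignDSSService
    # Optional alternative account. -EncryptedPassword must be the "Encrypted Password"
    # text produced by GenerateAdmPassword, never the clear-text password.
    [string]$UserName,
    [string]$Domain,
    [string]$EncryptedPassword,
    [int]$PasswordCacheTime = 30,   # seconds; the guide recommends 30-60
    [int]$OpenTimeout = 5,          # seconds; documented default
    [int]$SendTimeout = 10,         # seconds; documented default
    [int]$ReceiveTimeout = 10       # seconds; documented default
)

$hive = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
$key  = "$hive\Software\Policies\SmartAccess\KeyControl\SealSignProvider"

if ($PasswordCacheTime -lt 30 -or $PasswordCacheTime -gt 60) {
    Write-Warning "PasswordCacheTime $PasswordCacheTime is outside the recommended 30-60 second range."
}
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

function Set-CkcValue {
    param([string]$Name, $Value, [ValidateSet('String', 'DWord')] [string]$Type)
    # -Force overwrites an existing value of the same name.
    New-ItemProperty -Path $key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

Set-CkcValue 'SealSignKCServiceURL'       $KeyControlUrl   'String'
Set-CkcValue 'SealSignDSSAdminServiceURL' $AdminServiceUrl 'String'
# PasswordCacheTime is documented as REG_SZ although it holds a number of seconds.
Set-CkcValue 'PasswordCacheTime' ([string]$PasswordCacheTime) 'String'
Set-CkcValue 'OpenTimeout'    $OpenTimeout    'DWord'
Set-CkcValue 'SendTimeout'    $SendTimeout    'DWord'
Set-CkcValue 'ReceiveTimeout' $ReceiveTimeout 'DWord'

if ($UserName) {
    if (-not $EncryptedPassword) {
        throw 'An alternative account requires -EncryptedPassword (GenerateAdmPassword output).'
    }
    Set-CkcValue 'SealSignUserName' $UserName          'String'
    Set-CkcValue 'SealSignPassword' $EncryptedPassword 'String'
    if ($Domain) { Set-CkcValue 'SealSignDomain' $Domain 'String' }
}
else {
    # No alternative account: remove any stale credential values so the client
    # falls back to the current user account, as the guide documents.
    foreach ($n in 'SealSignUserName', 'SealSignPassword', 'SealSignDomain') {
        Remove-ItemProperty -Path $key -Name $n -ErrorAction SilentlyContinue
    }
}

# Read back what was written so the result can be verified.
Get-ItemProperty -Path $key |
    Select-Object SealSignKCServiceURL, SealSignDSSAdminServiceURL, SealSignUserName,
                  SealSignDomain, PasswordCacheTime, OpenTimeout, SendTimeout, ReceiveTimeout
```

Because user-level values take precedence for these parameters, a value written with -Scope User will override the machine-level one for that user, which is the behaviour stated at the end of this section.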
2.2.5 Configuring Other SealSign DSS Parameters (At Machine Level)
2.2.5.1 CKC Certificates Replication Delay
This time determines the update interval at which the CKC agent performs certificate replication operations to the client.
Policy: Replication Delay
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl
Property name: ReplicationDelay
Property type: REG_DWORD
Default value: 5 minutes
2.2.5.2 Delay before Shutdown
When the Central Key Control client is configured to run on demand (the Execute KeyControlSrv at user session logon policy set to 0), this policy sets how long the process stays alive after the last operation before it exits.
Policy: Shutdown Delay (minutes)
Template: KeyControl.adm
Configuration: Configure Central Key Control Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl
Property name: ShutdownDelay
Property type: REG_DWORD
Default value: 1440 minutes
2.2.5.3 Delay before Shutdown Due to COM Class Registration Errors
By default, the client executable that performs all operations against the SealSign server is an out-of-process (OOP) COM component. When the Central Key Control client is configured to run on demand (the Execute KeyControlSrv at user session logon policy set to 0), this policy sets how long the process stays alive after the last attempt to register the COM classes it contains before it exits.
Policy: Shutdown Delay in COM Classes register errors (seconds)
Template: KeyControl.adm
Configuration: Configure Central Key Control Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl
Property name: ShutdownDelayRegisterCOMError
Property type: REG_DWORD
Default value: 30 seconds
2.2.5.4 Running KeyControlSrv at Session Logon
By default, the client executable that performs all operations against the SealSign server is an out-of-process (OOP) COM component. This COM component runs on demand; therefore, when its tasks are finished, the process exits until it is required again.
Sometimes COM errors may be detected on client computers that can lead to a malfunction of the Central Key Control client. For such cases, you can activate this policy to reduce the impact of COM problems on the Central Key Control client.
Policy: Execute KeyControlSrv at user session logon
Template: KeyControl.adm
Configuration: Configure Central Key Control Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl
Property name: ExecuteSrvInInitSession
Property type: REG_DWORD
Default value: 0
2.2.5.5 Asking for User Credentials
This policy only applies if the Central Key Control client is integrated with SmartID Professional, a product by ElevenPaths. If this policy is activated, an additional protection factor (biometric or smart card) is added to the use of the centralized certificate private key in the SealSign platform. Installation of the SmartID Professional software on the client computer is a mandatory requirement.
Policy: Ask for user credential
Template: KeyControl.adm
Configuration: Configure Central Key Control Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl
Property name: AskForUserCredential
Property type: REG_DWORD
Default value: 0
2.2.5.6 Timeout for Credentials Cache
This policy only applies if the Central Key Control client is integrated with SmartID Professional, a product by ElevenPaths. If this policy is activated, an additional protection factor (biometric or smart card) is added to the use of the centralized certificate private key in the SealSign platform. Installation of the SmartID Professional software on the client computer is a mandatory requirement.
Since cryptographic operations on the Microsoft platform are not atomic (they are not performed in a single operation but divided into several independent operations), this cache carries the SmartID Professional credential associated with a user across the calls to the SealSign server without continuously having to request it from the user.
Policy: Credential Cache Time (seconds)
Template: KeyControl.adm
Configuration: Configure Central Key Control Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl
Property name: CredentialCacheTime
Property type: REG_DWORD
Default value: 30 seconds
2.2.5.7 Timeout for URL Cache
Since cryptographic operations on the Microsoft platform are not atomic (they are not performed in a single operation but divided into several independent operations), this cache carries the browser URL associated with the cryptographic operation across the calls to the SealSign server without continuously having to request a new authentication from the user.
This policy only applies when the centralized private key is accessed from the Microsoft Internet Explorer browser and there is a rule of use with a URL filter associated with that private key.
Policy: Url Cache Time (seconds)
Template: KeyControl.adm
Configuration: Configure Central Key Control Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl
Property name: UrlCacheTime
Property type: REG_DWORD
Default value: 30 seconds
2.2.5.8 Deleting Orphaned Private Keys
By default, on Microsoft Windows platforms, when a certificate is deleted from the certificate store its associated private key is not deleted; this is by design. Enabling this policy clears the orphaned private keys in the user store, which mitigates this potential security hole.
This policy is for experimental use. If, once applied, certificates behave strangely (for example, disappearing from the store), please contact ElevenPaths’ Support.
Policy: Delete orphaned private keys
Template: KeyControl.adm
Configuration: Configure Central Key Control Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl
Property name: DeleteOrphanedPrivateKeys
Property type: REG_DWORD
Default value: 0
2.2.5.9 Enabling the Local Certificate Inventory
The Central Key Control client can report to the SealSign server information on the certificates installed in the user store (local certificates, not centralized ones). To enable this feature you just have to activate this policy.
Policy: Enable local certificates inventory
Template: KeyControl.adm
Configuration: Configure Central Key Control Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl
Property name: EnableCertificateInventory
Property type: REG_DWORD
Default value: 0
Configuration of the general parameters can be set at machine or user level. If both options are set, the parameters with higher preference are the ones configured at machine level.
2.2.6 Configuring Other SealSign DSS Parameters (At User Level)
2.2.6.1 Asking for User Credentials
This policy only applies if the Central Key Control client is integrated with SmartID Professional, a product by ElevenPaths. If this policy is activated, an additional protection factor (biometric or smart card) is added to the use of the centralized certificate private key in the SealSign platform. Installation of the SmartID Professional software on the client computer is a mandatory requirement.
Policy: Ask for user credential
Template: KeyControl.adm
Configuration: Configure Central Key Control Parameters
Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl
Property name: AskForUserCredential
Property type: REG_DWORD
Default value: 0
2.2.6.2 Deleting Orphaned Private Keys
By default, on Microsoft Windows platforms, when a certificate is deleted from the certificate store its associated private key is not deleted; this is by design. Enabling this policy clears the orphaned private keys in the user store, which mitigates this potential security hole.
This policy is for experimental use. If, once applied, certificates behave strangely (for example, disappearing from the store), please contact ElevenPaths’ Support.
Policy: Delete orphaned private keys
Template: KeyControl.adm
Configuration: Configure Central Key Control Parameters
Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl
Property name: DeleteOrphanedPrivateKeys
Property type: REG_DWORD
Default value: 0
2.2.6.3 Enabling the Local Certificate Inventory
The Central Key Control client can report to the SealSign server information on the certificates installed in the user store (local certificates, not centralized ones). To enable this feature you just have to activate this policy.
Policy: Enable local certificates inventory
Template: KeyControl.adm
Configuration: Configure Central Key Control Parameters
Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl
Property name: EnableCertificateInventory
Property type: REG_DWORD
Default value: 0
Configuration of the general parameters can be set at machine or user level. If both options are set, the parameters with higher preference are the ones configured at machine level.
2.2.7 Configuring the Parameters of the Certificate Automatic Import (At Machine Level)
2.2.7.1 Enabling Certificate Automatic Import
In a way that is transparent to the user, the Central Key Control client can automatically import certificates from the local user store to the SealSign server (local certificates, not centralized ones). To enable this feature you just have to activate this policy.
Policy: Enable automatic import of local certificates
Template: KeyControl.adm
Configuration: Configure Central Key Control AutoImport Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl
Property name: EnableAutomaticPFXImport
Property type: REG_DWORD
Default value: 0
2.2.7.2 Overwriting Local Certificates
In the event that the user has been assigned a centralized certificate identical to a local certificate, this policy states what to do regarding its visibility within the certificate store. If the policy is enabled, the local certificate will be ignored (access to it will not be possible) and only the centralized certificate will be used. Otherwise, two identical certificates will appear in the user certificate store, one local and one centralized, and either one can be used.
Policy: Overwrite local certificates
Template: KeyControl.adm
Configuration: Configure Central Key Control AutoImport Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl
Property name: OverwriteLocalCertificates
Property type: REG_DWORD
Default value: 0
2.2.7.3 Filtering by issuer This policy defines which certificate issuers are authorized to perform the automatic import of certificates. If you do not wish to automatically import all certificates from the user certificate store to SealSign, you can define this filter by issuer.
Issuer names (CN) are case sensitive. In the list, you must register the issuer CN. For example, in the case of the FNMT (“Fábrica Nacional de Moneda y Timbre”, National Mint and Stamp Factory), the CN would be “FNMT Class 2 CA”.
If issuer “*” is registered, every certificate in the user certificate store will be automatically imported to SealSign.
Issuer Filters
Template KeyControl.adm
Configuration Configure Central Key Control AutoImport Parameters
Registry Key HKLM\Software\Policies\SmartAccess\KeyControl\AutoImportIssuersFilter
Property name Issuer1 … IssuerN
Property type REG_SZ
Default value NA
Configuration of the autoimport parameters can be set at machine or user level. If both options are set, the parameters with higher preference are the ones configured at machine level.
2.2.8 Configuring the Parameters of the Certificate Automatic Import (At User Level)
2.2.8.1 Enabling certificate automatic import
In a way that is transparent to the user, the Central Key Control client can automatically import certificates from the local user store to the SealSign server (local certificates, not centralized ones). To enable this feature you only have to activate this policy.
Enable automatic import of local certificates
Template KeyControl.adm
Configuration Configure Central Key Control AutoImport Parameters
Registry Key HKCU\Software\Policies\SmartAccess\KeyControl
Property name EnableAutomaticPFXImport
Property type REG_DWORD
Default value 0
2.2.8.2 Overwriting local certificates
If the user has been assigned a centralized certificate that is identical to a local certificate, this policy determines how the two are made visible in the certificate store. If the policy is enabled, the local certificate is ignored (it cannot be accessed) and only the centralized certificate is used. Otherwise, two identical certificates appear in the user certificate store, one local and one centralized, and either of them can be used.
Overwrite local certificates
Template KeyControl.adm
Configuration Configure Central Key Control AutoImport Parameters
Registry Key HKCU\Software\Policies\SmartAccess\KeyControl
Property name OverwriteLocalCertificates
Property type REG_DWORD
Default value 0
2.2.8.3 Filtering by issuer
This policy defines the certificate issuers whose certificates are allowed to be imported automatically. If you do not wish to automatically import every certificate in the user certificate store to SealSign, you can restrict the import with this filter by issuer.
Issuer names (CN) are case sensitive. In the list, you must register the issuer CN. For example, in the case of the FNMT (“Fábrica Nacional de Moneda y Timbre”, National Mint and Stamp Factory), the CN would be “FNMT Class 2 CA”.
If issuer “*” is registered, every certificate in the user certificate store will be automatically imported to SealSign.
Issuer Filters
Template KeyControl.adm
Configuration Configure Central Key Control AutoImport Parameters
Registry Key HKCU\Software\Policies\SmartAccess\KeyControl\AutoImportIssuersFilter
Property name Issuer1 … IssuerN
Property type REG_SZ
Default value NA
Configuration of the autoimport parameters can be set at machine or user level. If both options are set, the parameters with higher preference are the ones configured at machine level.
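As an added example that is not part of this guide, the following PowerShell function reads the machine-level (section 2.2.7) and user-level (section 2.2.8) policy keys and reports which value is in effect for each auto-import setting, applying the machine-over-user precedence stated above. The function name is ours, and how a filter list defined at both levels is resolved is an assumption noted in the comments.

```powershell
# Added example, not part of the SealSign guide: report the effective
# Central Key Control auto-import policy on a Windows client, applying the
# precedence rule the guide states (machine-level settings win over
# user-level ones). Only the registry paths and value names the guide
# documents are used.
function Get-CkcAutoImportPolicy {
    [CmdletBinding()]
    param()

    $hives = @{
        Machine = 'HKLM:\Software\Policies\SmartAccess\KeyControl'
        User    = 'HKCU:\Software\Policies\SmartAccess\KeyControl'
    }

    # REG_DWORD settings from sections 2.2.7 / 2.2.8; documented default is 0.
    foreach ($name in 'EnableAutomaticPFXImport', 'OverwriteLocalCertificates') {
        $value  = 0
        $source = 'Default'
        # Read User first, then Machine, so a machine-level value overrides.
        foreach ($level in 'User', 'Machine') {
            $item = Get-ItemProperty -Path $hives[$level] -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $value  = [int]$item.$name
                $source = $level
            }
        }
        [pscustomobject]@{ Setting = $name; Value = $value; Source = $source }
    }

    # Issuer filter: REG_SZ values Issuer1..IssuerN under AutoImportIssuersFilter.
    # Assumption (not stated in the guide): when both levels define a list,
    # the machine-level list is taken as a whole rather than merged.
    $issuers = @()
    $source  = 'Not configured'
    foreach ($level in 'Machine', 'User') {
        $filterPath = Join-Path $hives[$level] 'AutoImportIssuersFilter'
        if (Test-Path $filterPath) {
            $issuers = (Get-ItemProperty -Path $filterPath).PSObject.Properties |
                Where-Object { $_.Name -match '^Issuer\d+$' } |
                Sort-Object { [int]$_.Name.Substring(6) } |
                ForEach-Object { $_.Value }
            $source = $level
            break
        }
    }
    # An entry of '*' means every certificate in the user store is imported.
    [pscustomobject]@{
        Setting = 'AutoImportIssuersFilter'
        Value   = if ($issuers) { $issuers -join '; ' } else { '' }
        Source  = $source
    }
}

Get-CkcAutoImportPolicy | Format-Table -AutoSize
```

Run it in the context of the user whose policy you are checking, since the HKCU branch reflects only that user's hive.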
3 Troubleshooting
During the SealSign installation process, a specific log, called SealSign DSS, is created in the Event Viewer of each server. If an error occurs in server operations, in addition to being reported in the product audit, an event containing the complete description of the error is written to this log at the moment it occurs.
Information about monitoring is detailed in the document "SealSign - Monitoring.pdf".
4 Resources
For information about the different SealSign services available, please go to this address:
https://www.elevenpaths.com/es/tecnologia/sealsign/index.html
Also, on the ElevenPaths blog you can find interesting articles and innovations regarding this product.
You can find more information about ElevenPaths products on YouTube, on Vimeo and on Slideshare.
PUBLICATION
October 2016
At ElevenPaths we have our own way of thinking when we talk about security. Led by Chema Alonso, we are a team of experts who are passionate about their work, who are eager to redefine the industry and have great experience and knowledge about the security sector.
Security threats in technology evolve at an increasingly quicker and relentless pace. Thus, since June 2013, we have become a startup company within Telefónica aimed at working in an agile and dynamic way, transforming the concept of security and, consequently, staying a step ahead of our attackers.
Our head office is in Spain, but we can also be found in the UK, the USA, Brazil, Argentina and Colombia.
IF YOU WISH TO KNOW MORE ABOUT US, PLEASE CONTACT US AT:
elevenpaths.com Blog.elevenpaths.com @ElevenPaths Facebook.com/ElevenPaths YouTube.com/ElevenPaths
The information disclosed in this document is the property of Telefónica Digital España, S.L.U. (“TDE”) and/or any other entity within Telefónica Group and/or its licensors. TDE and/or any Telefonica Group entity or TDE’S licensors reserve all patent, copyright and other proprietary rights to this document, including all design, manufacturing, reproduction, use and sales rights thereto, except to the extent said rights are expressly granted to others. The information in this document is subject to change at any time, without notice.
Neither the whole nor any part of the information contained herein may be copied, distributed, adapted or reproduced in any material form except with the prior written consent of TDE.
This document is intended only to assist the reader in the use of the product or service described in the document. In consideration of receipt of this document, the recipient agrees to use such information for its own use and not for other use.
TDE shall not be liable for any loss or damage arising from the use of any information in this document, any error or omission in such information, or any incorrect use of the product or service. The use of the product or service described in this document is regulated in accordance with the terms and conditions accepted by the reader.
TDE and its trademarks (or any other trademarks owned by Telefonica Group) are registered service marks.