Certificate Authority
Futurex Online Issuing CA
Registration Authority (RA) functionality on the KMES
RA functionality is accessed primarily through the PKI > Signing Workflow menu.

The role of the registration authority

The registration authority (RA) is a critical component of the public key infrastructure (PKI) that serves as an intermediary between the client (end user or end device) and the certificate authority (CA). Its primary function is to authenticate and validate certificate signing requests (CSRs) from entities seeking digital certificates. The specific responsibilities of the RA include:

- Receiving and processing certificate requests from clients
- Verifying the identity of the client through rigorous authentication procedures
- Evaluating and either approving or rejecting CSRs based on established guidelines
- Informing the CA to issue a certificate in case of approval
- Denying access to clients that present invalid or revoked certificates

The RA does not create, sign, or manage certificates. These roles are carried out by the CA. By offloading the identity authentication process from the CA, the RA provides an efficient mechanism to manage digital identities in a PKI.

RA features on the KMES

The KMES has all the functionality needed to be a registration authority within your PKI ecosystem and provides the following services:

- Manage certificate requests
- Manage X.509 extension profile permissions
- Provide web server RA automation features
- Support anonymous roles and identities
- Handle API commands related to RA functions
- Manage signing workflows and approval groups

Enable the RA

The registration authority (RA) settings are part of certificate workflow management. Perform the following steps to set up and use the RA and connection pair.

Note: To use this functionality, you must enable the RA license. To request this license, contact the Futurex support team at support@futurex.com.

1. Go to Administration > Configuration > Network Options.
2. Go to the TLS/SSL Settings tab, located at the top of the Network Options window.
3. Select Registration Authority from the Connection drop-down menu.
4. Set the following options:

   | Option | Required configuration |
   |---|---|
   | Port | Use the default port |
   | Enabled | Checked |
   | Use System/Host API SSL Parameters | Unchecked |
   | Allow Anonymous Connections | Checked |
   | Use Futurex Certificates | Checked |

5. Select [ OK ].

This configuration uses Futurex-signed certificates for remote authentication. If you need an internal CA, you must generate PKI keys, export a CSR, have the CA sign it, and import the signed certificate. We recommend using Futurex-signed certificates for easy setup.

Signing workflow and approval

This section covers the signing workflow and approval tasks.

Manage roles and identities

Before using the registration authority functionality, administrators should define two new roles to delegate the separate tasks of uploading certificate signing requests and approving, denying, or revoking those CSRs.

Note: Role names are examples only. These depend on user input.

The two roles to create, with the minimum permissions, are:

| Role | Permissions |
|---|---|
| Submitters | Certificate Authority: Upload |
| Approvers | Signing Approval: Add, Approve, Delete, Modify |

Be sure to grant the Submitters and Approvers roles you create the Use permission on the issuing CA certificate. For more information on creating roles and identities, see the complete KMES user guide.

Creating signing approval groups

Before submitters can upload a CSR, an approver must add a signing approval group to contain the request. To do this:

1. Go to PKI > Signing Workflow and select [ Add Approval Group ].
2. Enter an identifiable name into the Name field.
3. Select [ OK ] when finished.

Assign permissions

A non-administrative role must have the appropriate object permissions to perform any action related to a signing approval group. For example, an approver should have Use permissions at the object level. Only an administrative identity or role with similar permissions can assign these. For more information about permissions and identity management, see the KMES user guide.

Perform the following steps to assign object permissions to an approval group:

1. Right-click the desired approval group and select Permission.
2. In the Set Object Group Permissions window, set the device permissions for each role to None, View, Use, Modify, or Delete.
   Note: The Administrator role has implicit permissions that you cannot adjust. Non-admin roles must have Modify permissions to view and modify the device group protocols.
3. Select one of the following permission application options from the drop-down menu:
   - Do not apply to children
   - Apply to direct children
   - Apply to children recursively
   Note: Signing approval groups cannot have children, so recursive and implicit permissions are not applicable.
4. Select [ OK ] to save.

Certificate enrollment

RAs often perform certificate enrollment. In this process, an entity requests an X.509 certificate from a CA. Assuming the entity request is valid, the CA signs the entity public key and provides a certificate to secure the public-facing systems of the entity. Perform the tasks in this section to do certificate enrollment.

Submit a CSR

Perform the following steps to submit a CSR to the registration authority (RA):

1. Go to the RA in the browser.
2. Log in with an identity assigned the permissions required to submit a CSR.
3. Select the signing/issuing certificate you configured in the drop-down menu. Several CSR methods are supported. Select [ > ] to move to the next step.
4. Select the approval group you configured, then select [ > ].
5. Select an extension profile in the drop-down menu and set custom extensions if required, then select [ > ].
6. Select a DN profile in the drop-down menu, then enter information into the fields below and select [ > ].
7. In the final window, provide the required information and select [ Submit ].

In the main menu, this new request displays under Pending Requests.

Approve a CSR with the RA

Perform the following steps to approve a CSR by using the RA:

1. Go to the RA in the browser.
2. Log in with an identity assigned the permissions required to approve CSRs.
3. In the menu on the right, select the pending request.
4. Go to the Approvals tab.
5. Select [ Approve ].

You should see a message confirming that the signing request was successfully approved.

Approve a CSR in the KMES

Perform the following steps to approve a CSR in the KMES application interface:

1. Log in to the KMES application interface with an identity assigned the permissions required to approve CSRs.
2. Go to PKI > Signing Workflow.
3. Right-click the pending request and select [ Approve ].

The status of the request should change to Approved.

Download the signed certificate

Perform the following steps to download the signed certificate through the RA:

1. Go to the RA in the browser.
2. Log in with the identity that submitted the CSR.
3. In the menu on the right, select the request that was approved and signed.
4. Go to the Download tab.
5. Select the file format for the certificate download and select [ Download ].
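
After the download, the submitter can confirm that the certificate carries the public key from the CSR they submitted and that it verifies against the issuing CA certificate. The script below is an added example using the OpenSSL command line, not part of the Futurex documentation; the file names, subjects, and the throwaway CA that stands in for the issuing CA are constructed assumptions.

```shell
#!/bin/sh
# Added example (not Futurex code). File names and subjects are constructed.

# SHA-256 over the DER public key. Refuses empty input so that two failed
# extractions can never compare as "equal".
pubkey_hash() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}
csr_pubkey_hash()  { pubkey_hash "$(openssl req  -in "$1" -noout -pubkey 2>/dev/null)"; }
cert_pubkey_hash() { pubkey_hash "$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)"; }

# 0 = certificate carries the CSR's public key, 1 = different key, 2 = unreadable input
cert_matches_csr() {
    cert_h=$(cert_pubkey_hash "$1") || return 2
    csr_h=$(csr_pubkey_hash "$2") || return 2
    [ "$cert_h" = "$csr_h" ]
}

# 0 = certificate ($1) verifies against the issuing CA certificate ($2)
cert_chains_to() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Constructed stand-ins: a throwaway CA plays the issuing CA, and the signing
# command plays the approve and download steps performed through the RA.
make_samples() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/issuing_ca.pem" 2>/dev/null
    for n in device other; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$n.example.test" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/device.csr" -CA "$d/issuing_ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/device.pem" 2>/dev/null
}

WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT
make_samples "$WORK"
cert_matches_csr "$WORK/device.pem" "$WORK/device.csr" && echo "key matches the submitted CSR"
cert_matches_csr "$WORK/device.pem" "$WORK/other.csr"  || echo "key does not match an unrelated CSR"
cert_chains_to   "$WORK/device.pem" "$WORK/issuing_ca.pem" && echo "verifies against the issuing CA"
```

For a real request, point `cert_matches_csr` and `cert_chains_to` at the downloaded certificate, the CSR you submitted, and the issuing CA certificate exported in PEM format.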