Registration Authority (RA) functionality on the KMES
RA functionality is accessed primarily through the PKI > Signing Workflow menu.
The Registration Authority (RA) is a critical component of the Public Key Infrastructure (PKI) that serves as an intermediary between the client (end user or end device) and the Certificate Authority (CA). Its primary function is to authenticate and validate certificate signing requests (CSRs) from entities seeking digital certificates. The specific responsibilities of the RA include:
- Receiving and processing certificate requests from clients
- Verifying the identity of the client through rigorous authentication procedures
- Evaluating and either approving or rejecting CSRs based on established guidelines
- In case of an approval, informing the CA to issue a certificate
- Denying access to clients that present invalid or revoked certificates
The RA does not create, sign, or manage certificates; those roles belong to the CA. By taking identity verification off the CA, the RA gives the PKI an efficient way to manage digital identities, and it keeps the party that vouches for an identity separate from the party that holds the signing key.
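As an added illustration of the two sides of that exchange (this is example code, not KMES code; the KMES performs its own validation inside the signing workflow), the Go program below has a requester generate a key and a PKCS#10 CSR, and then has the RA vet the request before it may be forwarded to the CA. The `Policy` type, the `.example.com` namespace, the host names and the rogue SAN are constructed assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"strings"
)

// NewCSR is the requesting entity's side of enrollment: a fresh P-256 key and a
// DER-encoded PKCS#10 CSR carrying the subject CN and the SAN list to be certified.
func NewCSR(cn string, sans []string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: sans}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return der, key, err
}

// Policy is a hypothetical RA policy (an assumption of this example): the DNS
// namespace this RA may vouch for and whether RSA keys are acceptable at all.
type Policy struct {
	AllowedSuffix string // every CN and SAN must end with this, e.g. ".example.com"
	AllowRSA      bool   // if true, RSA keys of at least 2048 bits are accepted
}

// VetCSR is the RA's validation step. It signs nothing; it only decides whether the
// request may be forwarded to the CA. In order, it checks that the CSR parses and its
// self-signature verifies (proof that the requester holds the private key), that the
// public key meets policy, and that every requested name lies inside the RA's namespace.
func VetCSR(der []byte, p Policy) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("malformed CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	switch pub := csr.PublicKey.(type) {
	case *ecdsa.PublicKey:
		if pub.Curve != elliptic.P256() && pub.Curve != elliptic.P384() {
			return nil, errors.New("ECDSA curve not allowed by policy")
		}
	case *rsa.PublicKey:
		if !p.AllowRSA || pub.N.BitLen() < 2048 {
			return nil, errors.New("RSA key not allowed by policy")
		}
	default:
		return nil, errors.New("unsupported public key type")
	}
	// The CN is checked together with the SANs: a name the RA does not own must not slip in either way.
	for _, n := range append([]string{csr.Subject.CommonName}, csr.DNSNames...) {
		if !strings.HasSuffix(strings.ToLower(n), p.AllowedSuffix) {
			return nil, fmt.Errorf("name %q is outside the RA namespace %s", n, p.AllowedSuffix)
		}
	}
	return csr, nil
}

func main() {
	policy := Policy{AllowedSuffix: ".example.com"}
	good, _, err := NewCSR("app.example.com", []string{"app.example.com", "api.example.com"})
	if err != nil {
		panic(err)
	}
	// A constructed rogue request: the SAN only looks as if it belongs to example.com.
	bad, _, _ := NewCSR("app.example.com", []string{"login.example.com.attacker.net"})
	_, err = VetCSR(good, policy)
	fmt.Println("good CSR:", err) // <nil>: forward to the CA
	_, err = VetCSR(bad, policy)
	fmt.Println("rogue CSR:", err) // rejected: name is outside the RA namespace
}
```

The signature check matters even though the RA never signs: a CSR whose self-signature fails was either corrupted in transit or was built by someone who does not hold the private key, and neither should reach the CA. The namespace check applies to the CN as well as the SANs because many TLS stacks still fall back to the CN.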
The KMES has all the functionality needed to act as a registration authority within your PKI ecosystem and provides the following services:
- Manage Certificate requests
- Manage X.509 Extension Profile permissions
- Provide web server RA automation features
- Support anonymous roles and identities
- Handle API commands related to RA functions
- Manage signing workflows and approval groups
The Registration Authority (RA) settings are part of certificate workflow management. Perform the following steps to set up and use RA:
To use this functionality, you must enable the RA license. To request this license, contact the Futurex support team at [email protected].
Go to Administration > Configuration > Network Options.
Go to the TLS/SSL Settings tab, located at the top of the Network Options window.
Select Registration Authority from the Connection drop-down menu.
Set the following options:
Option                               Required configuration
Port                                 Use the default port
Enabled                              Checked
Use System/Host API SSL Parameters   Unchecked
Allow Anonymous Connections          Checked
Use Futurex certificates             Checked
Select [ OK ].
This configuration uses Futurex-signed certificates for remote authentication. If you need an internal CA instead, generate PKI keys, export a CSR, have the CA sign it, and import the signed certificate. Futurex-signed certificates are recommended for easy setup. Note that Allow Anonymous Connections lets a client open a TLS session on the RA port without presenting a client certificate; such users are authenticated only by their login to the RA web interface, so limit which networks can reach this port.
The rest of this section covers the signing workflow and approval tasks.
Before using registration authority functionality, define two new roles so that uploading certificate signing requests and approving, denying, or revoking those CSRs are performed by different identities. Keeping the roles separate means no single identity can both submit a request and approve it.
The role names below are examples; use whatever names your organization requires.
The two roles to create, with their minimum permissions, are:
Role         Minimum permissions
Submitters   Certificate Authority: Upload
Approvers    Signing Approval: Add, Approve, Delete, Modify
Also grant both roles the Use permission on the issuing CA certificate.
For more information on creating roles and identities, see the complete User Guide.
Before submitters can upload a CSR, an approver must add a signing approval group to contain the request. To do this:
Go to PKI > Signing Workflow and select [ Add Approval Group ].
Enter an identifiable name into the Name field.
Select [ OK ] when finished.
A non-administrative role must have the appropriate object permissions to perform any action related to a signing approval group. For example, an approver should have Use permissions at the object level. Only an administrative identity or role with similar permissions can assign these. For more information about permissions and identity management, see the User Guide.
Right-click the desired approval group and select Permission.
In the Set Object-Group Permissions window, set the permission for each role to None, View, Use, Modify, or Delete.
The Administrator role has implicit permissions that you cannot adjust. A non-admin role needs Modify permission to view and change the approval group's settings.
Select one of the following permission application options from the drop-down menu:
- Do not apply to children
- Apply to direct children
- Apply to children recursively
Signing approval groups cannot have children, so the child-propagation options have no effect for them.
Select [ OK ] to save.
RAs often handle certificate enrollment. In this process an entity requests an X.509 certificate from a CA; if the request is valid, the CA signs the entity's public key together with the approved subject and extensions and returns a certificate that the entity can deploy on its public-facing systems.
Perform the tasks in this section to carry out certificate enrollment.
Open the Registration Authority (RA) web interface in a browser.
Log in with an identity assigned the permissions required to submit a CSR.
From the drop-down menu, select the signing (issuing) certificate you configured. Several methods of supplying the CSR are supported.
Select [ -> ] to move to the next step.
Select the approval group you configured, then select [ -> ].
Select an extension profile in the drop-down menu and set custom extensions if required, then select [ -> ].
Select a DN Profile in the drop-down menu, then enter information into the fields below and select [ -> ].
In the final window, provide the required information and select [ Submit ].
In the main menu, this new request displays under Pending Requests.
Go to the RA in the browser.
Log in with an identity assigned the permissions required to approve CSRs.
In the menu on the right, select the pending request.
Go to the Approvals tab.
Select [ Approve ].
You should see a message confirming that the signing request was successfully approved.
Alternatively, approve the request from the KMES application interface. Log in with an identity assigned the permissions required to approve CSRs.
Go to PKI > Signing Workflow.
Right-click the pending request and select [ Approve ].
The status of the request should change to Approved.
Go to the RA in the browser.
Log in with the identity that submitted the CSR.
In the menu on the right, select the request that was approved and signed.
Go to the Download tab.
Select the file format for the certificate download, and select [ Download ].
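Before deploying the downloaded file, check that it is the certificate you asked for, from the issuer you expect. The Go program below is an added example and is not part of the KMES or of this guide: it stands up a throwaway issuing CA (on a real deployment the issuing key never leaves the KMES), issues a certificate for an approved request, and then runs the acceptance checks a submitter should apply to the download: chain to the expected issuer, host name, key match with the CSR's private key, and no CA bit. The names `demoCA`, `issueLeaf`, `CheckDownloaded` and `app.example.com`, the PEM download format and the 90-day validity are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// demoCA builds a throwaway issuing CA so the example runs offline. On the KMES the
// issuing CA's private key never leaves the device; this stand-in exists only for the demo.
func demoCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Issuing CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// issueLeaf stands in for the CA signing an approved request: only the requester's
// public key and name go in; validity, key usages and the CA bit come from the issuer.
// It returns PEM, the form assumed here for the file offered on the Download tab.
// isCA exists only so the demo can produce a mis-issued certificate to test against.
func issueLeaf(host string, pub *ecdsa.PublicKey, ca *x509.Certificate, caKey *ecdsa.PrivateKey, isCA bool) ([]byte, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(90 * 24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// CheckDownloaded is the submitter's acceptance test on the downloaded file before it is
// deployed: the certificate must chain to the issuing CA we expect, be valid for the host
// we requested, contain exactly the public key of our CSR, and not be a CA certificate.
// Verify alone does not reject a CA-flagged leaf or a swapped key, hence the extra checks.
func CheckDownloaded(certPEM []byte, issuer *x509.Certificate, key *ecdsa.PrivateKey, host string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("download is not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(issuer)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return fmt.Errorf("chain or host name check failed: %w", err)
	}
	if !key.PublicKey.Equal(cert.PublicKey) {
		return errors.New("certificate does not contain the public key from our CSR")
	}
	if cert.IsCA {
		return errors.New("certificate carries the CA bit; an end-entity certificate was requested")
	}
	return nil
}

func main() {
	ca, caKey, err := demoCA()
	if err != nil {
		panic(err)
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the key behind the submitted CSR
	if err != nil {
		panic(err)
	}
	certPEM, err := issueLeaf("app.example.com", &key.PublicKey, ca, caKey, false)
	if err != nil {
		panic(err)
	}
	fmt.Println("download check:", CheckDownloaded(certPEM, ca, key, "app.example.com")) // <nil>
	fmt.Println("wrong host:", CheckDownloaded(certPEM, ca, key, "db.example.com"))      // rejected
}
```

The issuer passed to CheckDownloaded should be the issuing CA certificate you already hold from configuring the workflow, not one bundled with the download, so that a substituted issuer is caught rather than trusted.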