9.21 PKI

A Public Key Infrastructure (PKI) creates, stores, and distributes digital certificates. A certificate binds a public key to a specific entity, so a relying party can verify that a particular public key belongs to that entity.

Advanced Authentication supports the following two forms of PKI authentication:

9.21.1 PKI Device

A PKI device (for example, a smart card or USB token) securely stores the user's digital certificate and the corresponding private key, with access to the private key protected by a PIN.

You can configure the following settings for the PKI method:

Adding the Trusted Root Certificates

You must upload the trusted root certificates for the PKI method. These certificates must meet the following requirements:

  • The root CA certificate is in .pem format.

  • If the user certificates are not issued directly by the root CA, or the root CA is cross-signed by another CA, also upload the intermediate CA certificates so that the complete certification path can be built.

  • All certificates in the certification path (except the root CA certificate) contain AIA and CDP HTTP URLs, and those URLs are reachable from the Advanced Authentication server, so that the revocation status can be checked.

  • The certificate on the PKI device is an X.509 certificate together with its private key. Certificates that do not meet these requirements are ignored and hidden during enrollment.

For more information, see Single Tier PKI Hierarchy Deployment and Two Tier PKI Hierarchy Deployment.

To upload a new trusted root certificate, perform the following steps:

  1. Click Add in the PKI page.

  2. Click Browse.

  3. Choose a .pem certificate file and click Upload.

  4. Click Save.

You can configure the PKI method (with certificates) in one of the following ways:

NOTE:Advanced Authentication also accepts CA (parent) certificates in the PKCS #7 (.p7b) format. A .p7b file can contain one or more certificates and the certificate chain, but never a private key. These are Base64-encoded ASCII files with the extension .p7b or .p7c.

Configuring Active Directory Certificate Services for a Standalone Root CA

For generating the root CA certificate on Microsoft Windows Active Directory Certificate Services (ADCS), perform the following steps:

  1. Install Web Server (IIS) Role.

  2. Create the CertEnroll Folder and grant Share & NTFS permissions to the Cert Publishers group.

  3. Create CertEnroll Virtual Directory in IIS.

  4. Enable Double Escaping on IIS Server.

  5. Install Enterprise Root CA using Server Manager.

  6. Enable Object Access Auditing on CA.

  7. Configure the AIA and CDP.

  8. Publish the Root CA Certificate to AIA.

  9. Export the root CA certificate in DER (.cer) format and convert it to .pem.

  10. Export the user certificate (issued by the root CA) together with its private key and place it on a PKI device.

Configuring Active Directory Certificate Services for a Subordinate CA

For generating the subordinate CA certificate on Microsoft Windows Active Directory Certificate Services (ADCS), perform the following steps:

  1. Install Web Server (IIS) Role.

  2. Create the CertEnroll Folder and grant Share & NTFS permissions to Cert Publishers group.

  3. Create CertEnroll Virtual Directory in IIS.

  4. Enable Double Escaping on IIS Server.

  5. Install the Standalone Offline Root CA.

  6. Create a CAPolicy.inf for the standalone offline root CA.

  7. Install the Standalone Offline Root CA.

  8. Enable Auditing on the Root CA.

  9. Configure the AIA and CDP.

  10. Install Enterprise Issuing CA.

  11. Create CAPolicy.inf for Enterprise Root CA.

  12. Publish the Root CA Certificate and CRL.

  13. Install Subordinate Issuing CA.

  14. Submit the Request and Issue subordinate Issuing CA Certificate.

  15. Install the subordinate Issuing CA Certificate.

  16. Configure Certificate Revocation and CA Certificate Validity Periods.

  17. Enable Auditing on the Issuing CA.

  18. Configure the AIA and CDP.

  19. Install and configure the Online Responder Role Service.

  20. Add the OCSP URL to the subordinate Issuing CA.

  21. Configure and publish the OCSP Response Signing Certificate on the subordinate Issuing CA.

  22. Configure Revocation Configuration on the Online Responder.

  23. Configure Group Policy to provide the OCSP URL for the subordinate Issuing CA.

  24. Export the root CA certificate in DER (.cer) format and convert it to .pem.

  25. Export the user certificate (issued by the subordinate issuing CA) together with its private key and place it on a PKI device.
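The requirements listed under Adding the Trusted Root Certificates (a PEM root, a complete chain, AIA and CDP HTTP URLs on every non-root certificate, .p7b bundles that carry no private key) and the "export in DER and convert to .pem" step of both ADCS procedures above can all be checked from a shell with openssl before anything is uploaded. The following script is an added example; it is not part of the Advanced Authentication documentation or product. So that it runs offline it first builds a throw-away two-tier hierarchy (root CA, issuing CA, user certificate); the CA names, the user name and the http://pki.example.com AIA/CDP URLs are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not part of the Advanced Authentication documentation.
# Builds a throw-away two-tier hierarchy (root CA -> issuing CA -> user cert)
# with openssl, then runs the checks an administrator wants before uploading
# certificates to the PKI method:
#   1. convert the DER (.cer) root export to PEM,
#   2. confirm every non-root certificate carries AIA and CDP http URLs,
#   3. verify the user certificate chains to the root through the intermediate,
#   4. unpack a PKCS#7 (.p7b) bundle into PEM (it carries no private key).
# CA names, user name and the http://pki.example.com URLs are assumptions.
set -eu
WORK="$(mktemp -d)"; cd "$WORK"

# Constructed extension profiles; the AIA/CDP URLs are made up for the example.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[root_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[issuing_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
authorityInfoAccess = caIssuers;URI:http://pki.example.com/CertEnroll/root.crt
crlDistributionPoints = URI:http://pki.example.com/CertEnroll/root.crl
[user_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
authorityInfoAccess = caIssuers;URI:http://pki.example.com/CertEnroll/issuing.crt, OCSP;URI:http://pki.example.com/ocsp
crlDistributionPoints = URI:http://pki.example.com/CertEnroll/issuing.crl
EOF

# Root CA (self-signed), then the DER export an ADCS server would hand you.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config ca.cnf -extensions root_ext \
  -subj "/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null
openssl x509 -in root.pem -outform DER -out root.cer
# Issuing CA signed by the root.
openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
  -subj "/CN=Example Issuing CA" -keyout issuing.key -out issuing.csr 2>/dev/null
openssl x509 -req -in issuing.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1825 \
  -extfile ca.cnf -extensions issuing_ext -out issuing.pem 2>/dev/null
# User certificate signed by the issuing CA (what goes on the PKI device).
openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
  -subj "/CN=mark@example.com" -keyout user.key -out user.csr 2>/dev/null
openssl x509 -req -in user.csr -CA issuing.pem -CAkey issuing.key -CAcreateserial -days 365 \
  -extfile ca.cnf -extensions user_ext -out user.pem 2>/dev/null
# PKCS#7 bundle of the CA certificates, as ADCS can export it (certificates only).
openssl crl2pkcs7 -nocrl -certfile root.pem -certfile issuing.pem -out chain.p7b

# 1. DER -> PEM; prints the subject so you can see which CA you converted.
der_to_pem() {  # $1 DER input, $2 PEM output
  openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
  openssl x509 -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}
# 2. Does the certificate carry an http AIA (CA Issuers) URL and an http CDP URL?
has_aia_and_cdp() {  # $1 PEM certificate; prints yes/no
  local text
  text="$(openssl x509 -in "$1" -noout -text)"
  if printf '%s\n' "$text" | grep -q 'CA Issuers - URI:http://' \
     && printf '%s\n' "$text" | grep -q 'CRL Distribution Points' \
     && printf '%s\n' "$text" | grep -q 'URI:http://[^ ]*\.crl'
  then echo yes; else echo no; fi
}
# 3. Chain verification against the trusted root, optionally with an intermediate.
verify_chain() {  # $1 trusted root PEM, $2 leaf PEM, $3 optional intermediate PEM; prints OK/FAIL
  local extra=""
  if [ -n "${3:-}" ]; then extra="-untrusted $3"; fi
  if openssl verify -CAfile "$1" $extra "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
# 4. Split a .p7b into PEM certificates; prints how many certificates it held.
p7b_to_pem() {  # $1 .p7b input, $2 PEM output
  openssl pkcs7 -in "$1" -print_certs -out "$2"
  grep -c 'BEGIN CERTIFICATE' "$2"
}

echo "root subject:            $(der_to_pem root.cer root_from_der.pem)"
echo "root has AIA/CDP:        $(has_aia_and_cdp root.pem)   (not required for the root)"
echo "issuing CA has AIA/CDP:  $(has_aia_and_cdp issuing.pem)"
echo "user cert has AIA/CDP:   $(has_aia_and_cdp user.pem)"
echo "chain with intermediate: $(verify_chain root.pem user.pem issuing.pem)"
echo "chain without it:        $(verify_chain root.pem user.pem)   (why intermediates must be uploaded)"
echo "certs in chain.p7b:      $(p7b_to_pem chain.p7b chain.pem), private keys inside: $(grep -c 'PRIVATE KEY' chain.pem || true)"
```

The FAIL from the second verify_chain call is the situation a missing intermediate produces: the user certificate cannot be chained to the uploaded root and is therefore hidden at enrollment. The script only checks that AIA and CDP URLs are present; whether revocation checking succeeds also depends on those URLs being reachable from the Advanced Authentication server, which you can test with openssl verify -CRLfile against a CRL downloaded from the CDP URL.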

Disabling the Key-Pair Option

The Allow key-pair option is enabled by default. This means that users can enroll the PKI method either with a user certificate issued by a CA or with a key pair generated during enrollment. To enforce enrollment only with a CA-issued user certificate, disable key-pair based enrollment by setting Allow key-pair to OFF.

9.21.2 Virtual Smartcard

Virtual Smartcard is an extension of the PKI method. Advanced Authentication allows users to enroll the PKI method with a virtual smartcard that is imported into the browser on the user's system and then used for authentication. A virtual smartcard is a client SSL certificate, together with its private key, that carries the user's name, the name of the issuing CA (Certificate Authority), the expiration date, and the CA's digital signature. Typically, the certificate is distributed as a .pfx file. The information in the virtual smartcard is used to authenticate the user to a web environment.

NOTE:The virtual smartcard supports authentication to the OAuth 2.0 and SAML 2.0 events. The virtual smartcard does not support authentication to Advanced Authentication portals, such as Administration, Helpdesk, Self-Service, and Reporting.

To configure the virtual smartcard, perform the following steps:

NOTE:Before you configure virtual smartcard support for SAML 2.0 events, ensure that the Identity Provider URL in the Web Authentication policy has the form https://webauth.domain_name, and save the settings before you download the SAML 2.0 metadata file.

NOTE:Before you configure virtual smartcard support for the PKI method, perform the following tasks:

  • On the DNS server, create records that resolve the following host names to the IP address of the Advanced Authentication server:

    • <aaserver_ip_address> <aaserver_hostname>

    • <aaserver_ip_address> <webauth.aaserver_hostname>

  • Configure the following endpoints in the third-party application that you integrate with the Advanced Authentication server:

    • authorization_endpoint = https://webauth.aaserver_hostname/osp/a/TOP/auth/oauth2/grant

    • token_endpoint = https://webauth.aaserver_hostname/osp/a/TOP/auth/oauth2/getattributes

  1. Configure the following settings in the HTTPS Options policy:

    • Set Enable Client SSL for Webauth Service to ON and upload, in .pem format, the root CA certificate against which the web server validates the users' client SSL certificates.

    • Set Enable auto enrollment based on certificate to ON. This allows users to auto-enroll the PKI method with a virtual smartcard for OAuth 2.0 and SAML 2.0 events.

      NOTE:Manual enrollment of the PKI method with a virtual smartcard is not supported, so Enable auto enrollment based on certificate must be set to ON in the HTTPS Options policy. With this setting, a user auto-enrolls the PKI method with the virtual smartcard when accessing an OAuth 2.0 event for the first time and selecting a valid certificate. This auto-enrollment happens regardless of the enrollment status of any other methods that share an authentication chain with the PKI method.

      To allow a user to log in to OAuth 2.0 and SAML 2.0 events before the PKI method is auto-enrolled, add at least one more chain to the event (for example, a chain with only the LDAP Password method) below the PKI chain. The user must have enrolled all methods of that additional chain. During the first login, the PKI method with the virtual smartcard is enrolled automatically. For subsequent logins, the top chain in the list (the PKI chain) is selected and the user is authenticated automatically.

  2. Upload the root CA certificate in the Trusted root certificates section of the PKI method.

  3. Import the client SSL certificate into the user's browser.

    NOTE:The procedure to import the client SSL certificate varies on each browser.

    For more information about how to import the client SSL certificate to the Chrome browser, see Importing Client SSL Certificate to a Certificate Store.

An Example of Auto-enrolling PKI Method with the Virtual Smartcard

Suppose the administrator has performed the following steps to allow auto-enrollment of the PKI method with the virtual smartcard:

  • Created a chain with the PKI method and another chain with preferred methods such as LDAP Password and Password.

  • Mapped both chains to the OAuth 2.0 event.

  • Configured the following settings in the HTTPS Options policy:

    • Set Enable Client SSL for Webauth Service to ON and uploaded a valid CA certificate.

    • Set Enable auto enrollment based on certificate to ON.

  • Imported the client certificate, in .pfx format (containing the user's name, the CA's name, the expiration date, the digital signature, and so on), into the user's browser.

Mark, an end user, wants to auto-enroll the PKI method with the virtual smartcard. When he accesses the somecompany.com website, the browser asks him to select the certificate that identifies him in the User Identification Request dialog box, and the user name stored in that certificate is filled into the user name field of the login form automatically. Mark must then provide his LDAP credentials for additional validation. If they are valid, Mark is auto-enrolled in the PKI method with the virtual smartcard, without a physical PKI token.

During subsequent logins, Mark experiences one of the following scenarios:

  • If only a chain with the PKI method alone is mapped to the web authentication event, Mark is authenticated automatically.

  • If more than one chain is mapped to the web authentication event, Mark is presented with the list of chains, including the PKI chain and the other available chains. He can select the chain with only the PKI method to be authenticated automatically, or select another chain and provide the corresponding details to authenticate.

Importing Client SSL Certificate to a Certificate Store

Virtual smartcard authentication to the web environment requires the client SSL certificate to be imported into the browser.

NOTE:The procedure to import the client SSL certificate varies on each browser.

To import the client SSL certificate to Google Chrome browser, perform the following steps:

  1. Navigate to Settings > Privacy and security > Security > Manage certificates (the exact path depends on the Chrome version).

    The Certificates wizard is displayed.

  2. Click Import and select the client SSL certificate.

    Ensure that the file is in .pfx format and contains the private key; you are prompted for the password that protects the file.

  3. Click Next and Finish.

    A message Certificate has been imported successfully is displayed.
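The .pfx file imported in the steps above is the whole virtual smartcard: certificate plus private key in one password-protected container. The following script is an added example, not part of the Advanced Authentication documentation or product. It builds such a file with openssl and reads back what a login depends on: the user name carried in the certificate, the issuer, the validity period, the clientAuth usage and the presence of the private key. Assumptions for the demo: the user "mark", a self-signed certificate (chosen only to keep the example short; in a real deployment the certificate is issued by the CA whose root is uploaded to the PKI method), a constructed password, and the CN as the user-name field (the documentation does not state which certificate field is used).

```shell
#!/bin/sh
# Added example, not part of the Advanced Authentication documentation.
# Builds the .pfx (PKCS#12) file that a browser imports as a virtual smartcard
# and reads back what the login relies on: the user name in the certificate,
# the issuer, the validity window, the clientAuth usage, and the private key.
# Assumptions for the demo: user "mark", a self-signed certificate (a real
# deployment uses one issued by the CA whose root is uploaded to the PKI
# method), a constructed password, and the CN as the user-name field.
set -eu
WORK="$(mktemp -d)"; cd "$WORK"
PFX_PASS='import-once-Passw0rd'   # constructed; the user types it once at import

# Constructed client-authentication certificate profile.
cat > client.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = email:mark@example.com
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config client.cnf -extensions client_ext \
  -subj "/CN=mark/O=Example Corp" -keyout mark.key -out mark.pem 2>/dev/null

# Certificate + private key -> one password-protected .pfx; -name is the
# friendly name shown in the browser's certificate list.
make_pfx() {  # $1 cert PEM, $2 key PEM, $3 output .pfx, $4 password; prints the output path
  openssl pkcs12 -export -in "$1" -inkey "$2" -name "Virtual smartcard (mark)" \
    -out "$3" -passout "pass:$4"
  echo "$3"
}
# Certificate only, back out of the .pfx (no key material printed).
pfx_cert() {  # $1 .pfx, $2 password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null | openssl x509
}
# Does the .pfx carry the private key? A wrong password also yields "no".
pfx_has_key() {  # $1 .pfx, $2 password; prints yes/no
  if openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
  then echo yes; else echo no; fi
}
# The user name the login form pre-fills (CN here: an assumption, see above).
login_username() {  # $1 .pfx, $2 password
  pfx_cert "$1" "$2" | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'
}
pfx_is_client_auth() {  # $1 .pfx, $2 password; prints yes/no
  if pfx_cert "$1" "$2" | openssl x509 -noout -text | grep -q 'TLS Web Client Authentication'
  then echo yes; else echo no; fi
}
pfx_valid_now() {  # $1 .pfx, $2 password; prints yes/no (an expired certificate cannot log in)
  if pfx_cert "$1" "$2" | openssl x509 -noout -checkend 0 >/dev/null; then echo yes; else echo no; fi
}

make_pfx mark.pem mark.key mark.pfx "$PFX_PASS" >/dev/null
echo "user name:     $(login_username mark.pfx "$PFX_PASS")"
echo "issuer:        $(pfx_cert mark.pfx "$PFX_PASS" | openssl x509 -noout -issuer -nameopt RFC2253)"
echo "validity:      $(pfx_cert mark.pfx "$PFX_PASS" | openssl x509 -noout -dates | tr '\n' ' ')"
echo "client auth:   $(pfx_is_client_auth mark.pfx "$PFX_PASS")"
echo "valid now:     $(pfx_valid_now mark.pfx "$PFX_PASS")"
echo "private key:   $(pfx_has_key mark.pfx "$PFX_PASS")"
echo "wrong password, private key: $(pfx_has_key mark.pfx not-the-password)"
```

One practical caveat: OpenSSL 3 protects the .pfx with AES-256-CBC and PBKDF2 by default, which some older Windows certificate stores cannot import; if the browser import fails, re-export with the OpenSSL 3 option -legacy to get the older RC2/3DES encoding. Treat the .pfx and its password as the credential itself: anyone holding both can present the virtual smartcard.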