3.4 X.509 Certificate Self-Provisioning

This section describes the X.509 self-provisioning feature.

3.4.1 Overview

When you create an X.509 certificate, there are many important pieces of information that must be identified and substantiated before the certificate authority (CA) issues the certificate. Two of the most important tasks are:

  • Verifying the identity of the certificate's subject (verifying the identity of the person or object the certificate is for).

  • Verifying the appropriateness of the subject name in the certificate (verifying that the subject name correctly represents the identity of the person or object the certificate is for).

These two tasks can be very time-consuming and are often performed by a separate administrative person or group.

NetIQ Certificate Server has always leveraged the secure identity management capabilities of eDirectory to reduce the time and effort needed to perform these verifications. iManager allows an administrator to create user certificates in bulk; that is, to create a certificate for a large number of users at one time. The CA checks that the identity of the certificate is tied to the eDirectory account, which verifies the identity of the certificate's subject; however, the CA has not verified the appropriateness of the subject name in the certificate. Because of this, creating certificates with NetIQ Certificate Server has always required that the person or software have administrative rights to the Organizational CA.

Self-provisioning allows a user or server to generate certificates without having administrative rights to the Organizational CA and without intervention of a separate administrative person or group, and still maintain the security of the CA.

NetIQ Certificate Server verifies the identity of the certificate's subject by checking that the identity of the certificate is tied to the eDirectory account. The CA also verifies the appropriateness of the subject name in the certificate by checking against information in eDirectory. This allows the Organizational CA to leverage the security identity management capabilities of eDirectory to reduce administrative tasks while maintaining the security of the CA.

3.4.2 User Self-Provisioning

In the past, creating a user certificate required administrative rights to the CA as well as rights to attributes on the User object. With user self-provisioning, administrative rights to the CA are not necessary; however, Read (R) and Write (W) rights to the userCertificate, NDSPKI:UserCertificateInfo, and SAS:SecretStore attributes are still necessary.

If the person requesting the creation of the certificate has administrative rights to the CA, the certificate creation is not affected by whether or not user self-provisioning is enabled. If the person requesting the creation of the certificate does not have administrative rights to the CA, the subject name in the request is compared to the user's eDirectory DN and any values in the sasAllowableSubjectNames attribute.

If the subject name matches, the CA checks to ensure that any Subject Alternative Names are appropriate. The CA does this by checking that there is not more than one Subject Alternative Name. If the name exists, it must be of type email name and it must match a configured email name on the User object. If all these checks succeed, the CA does not require administrative rights to the CA in order to create the certificate.

To use user self-provisioning:

  1. Ensure that you have eDirectory 8.8 and the NetIQ Certificate Server 3.2.2 or later plug-in for iManager installed.

    Both eDirectory 8.8 and the NetIQ Certificate Server 3.2.2 plug-in for iManager are included with Open Enterprise Server (OES) 2 and are installed automatically when you select any of the eDirectory-required components during the OES 2 installation.

  2. Enable user self-provisioning:

    1. Launch iManager.

    2. Log in to the eDirectory tree as an administrator with administrative rights to the Organizational CA.

    3. On the Roles and Tasks menu, click NetIQ Certificate Server > Configure Certificate Authority.

    4. Select Enable user self-provisioning.

    5. Click OK.

  3. Set up inherited rights for users by enabling the iManager “[this]” object:

    1. Log in to iManager as an iManager administrator.

    2. Click the Configure icon.

    3. Click iManager Server > Configure iManager.

    4. Click the Misc tab.

    5. Select Enable “[this]”.

    6. Click Save.

    Next, you need to add inherited rights.

  4. Log in to iManager as a Certificate Authority administrator.

  5. On the Roles and Tasks menu, click Rights > Modify Trustees.

  6. Browse for and select the object you want the rights to be inherited from (for example, the root of the tree or a container), then click OK.

  7. Click Add Trustee, select the “[this]” object, then click OK.

  8. Click Assigned Rights.

  9. Click Add Property.

  10. Select Show all properties in schema.

  11. Select the userCertificate attribute, then click OK.

  12. Select Read and Write rights.

  13. Select Inherit.

  14. Repeat Step 6 through Step 10 for the other attributes (NDSPKI:UserCertificateInfo and SAS:SecretStore).

  15. Click Done > OK.

3.4.3 Server Self-Provisioning

In the past, creating a server certificate required administrative rights to the CA as well as administrative rights to the context the server certificate was to be created in. With server self-provisioning, administrative rights to the CA are not necessary; however, administrative rights to the context the server certificate was created in are still necessary.

If the person requesting the creation of the certificate has administrative rights to the CA, the certificate creation is not affected by whether or not server self-provisioning is enabled. If the person requesting the creation of the certificate does not have administrative rights to the CA, then the subject name in the request is compared to the server's eDirectory DN and any IP or DNS addresses as determined by a DNS or eDirectory SLP lookup. If the subject name matches either, then the CA does not require administrative rights to the CA in order to create the certificate.

NOTE: Be aware that when PKI Health Check runs on a server with server self-provisioning enabled, your server’s server certificates might be automatically created (if none exist) or replaced (if they are expired). For more information, see Section 3.10, PKI Health Check.
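The CA's authorization decisions described in Section 3.4.2 (user requests) and in this section (server requests), written out as an added Python model so the rules can be traced and tested offline; this is not NetIQ code, and the object fields, the (type, value) shape of the Subject Alternative Names, and the case-insensitive, whitespace-trimmed name comparison are assumptions.

```python
# Added example, not NetIQ code: a model of the self-provisioning decisions
# described in Sections 3.4.2 and 3.4.3. Object fields and the case-insensitive,
# whitespace-trimmed name comparison are assumptions.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class UserObject:
    dn: str                                    # eDirectory DN of the User object
    allowable_subject_names: List[str] = field(default_factory=list)  # sasAllowableSubjectNames
    email_names: List[str] = field(default_factory=list)              # configured email names


def _norm(name: str) -> str:
    return name.strip().lower()


def check_user_request(is_ca_admin: bool, enabled: bool, subject_dn: str,
                       sans: List[Tuple[str, str]], user: UserObject) -> Tuple[bool, str]:
    """User rule. sans is a list of (type, value) pairs, e.g. ("email", "a@b")."""
    if is_ca_admin:
        return True, "CA administrator: self-provisioning checks do not apply"
    if not enabled:
        return False, "user self-provisioning is disabled"
    allowed = {_norm(user.dn)} | {_norm(n) for n in user.allowable_subject_names}
    if _norm(subject_dn) not in allowed:
        return False, "subject name matches neither the user DN nor sasAllowableSubjectNames"
    if len(sans) > 1:
        return False, "more than one Subject Alternative Name"
    if sans:
        san_type, san_value = sans[0]
        if san_type != "email":
            return False, "Subject Alternative Name is not an email name"
        if _norm(san_value) not in {_norm(e) for e in user.email_names}:
            return False, "email name does not match one configured on the User object"
    return True, "user self-provisioning checks passed"


def check_server_request(is_ca_admin: bool, enabled: bool, subject_name: str,
                         server_dn: str, lookup_names: List[str]) -> Tuple[bool, str]:
    """Server rule: lookup_names are the IP/DNS names a DNS or eDirectory SLP lookup returned."""
    if is_ca_admin:
        return True, "CA administrator: self-provisioning checks do not apply"
    if not enabled:
        return False, "server self-provisioning is disabled"
    if _norm(subject_name) in {_norm(server_dn)} | {_norm(n) for n in lookup_names}:
        return True, "server self-provisioning checks passed"
    return False, "subject name matches neither the server DN nor a looked-up address"
```

The second element of each returned tuple is the reason the CA would record for the decision, which is what an administrator needs when a non-administrative request is rejected.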

To use server self-provisioning:

  1. Ensure you have eDirectory 8.8 and the NetIQ Certificate Server 3.2.2 or later plug-in for iManager installed.

    Both eDirectory 8.8 and the NetIQ Certificate Server 3.2.2 plug-in for iManager are included with OES 2 and are installed automatically when you select any of the eDirectory-required components during the OES 2 installation.

  2. Enable server self-provisioning:

    1. Launch iManager.

    2. Log in to the eDirectory tree as an administrator with administrative rights to the Organizational CA.

    3. On the Roles and Tasks menu, click NetIQ Certificate Server > Configure Certificate Authority.

    4. Select Enable server self-provisioning.

    5. Click OK.

3.4.4 Certificate Self-Provisioning and the Issue Certificate Task

The Issue Certificate task allows the creation of a certificate by using a PKCS#10 certificate signing request (CSR). This task allows the user to create a certificate that is not tied to any eDirectory object. If the person requesting the creation of the certificate has administrative rights to the CA, the certificate creation is not affected. If the person requesting the creation of the certificate does not have administrative rights to the CA, the certificate request is treated as a user self-provisioning request, but the person does not need to have rights to the userCertificate, NDSPKI:UserCertificateInfo, and SAS:SecretStore attributes on the object. This is because the certificate is not stored in eDirectory, so rights to the object are not needed.

User self-provisioning must be enabled for a user to issue certificates without having administrative rights to the CA. Complete Steps 1 through 3 of Section 3.4.2, User Self-Provisioning.

For information on the Issue Certificate task, see Section 3.1.2, Issuing a Public Key Certificate.