Table of Contents

Modules - Certificates: Basics

Certificate authority (crt) module was designed to handle various certificate authority implementations via specific drivers. Currently, there is one driver implemented - the CAW driver that handles the communication with CAW certificate authority (bundled in the module).

What do you need before you start

How to create an authority on Linux

By clicking on the left menu on Certificates and then on Authorities is shown a table with certificate authorities. Click on Add button and a popup window is shown. Here you fill:

Then you click on Save and continue button and continue this tutorial with generating certificate in GUI or with CSR file.

How to create an authority on Windows

On Windows, using diacritics in certificate/CSR DNs is currently not supported due to bug #8317 in OpenSSL. This affects CRT module with CAW Windows driver. IdM handles this by stripping diacritics from certain strings before passing them to the CAW. On Linux, diacritics works fine.

The process of creating an authority on Windows is similar to the one on Linux but you need to have Git Bash installed. When creating the authority on Windows, we select the win-caw-driver. Then we just need to fill out one extra field:

An example of how we can configure the authority can be seen bellow:

Other than the extra field Path to Git Bash, the process is the same as on Linux.

Generate certificate in GUI

In the left menu click on Profile and then on Certificates. There are 2 tables, in Certificates table are all certificates owned by the user and in the other table, there are requests of these certificates. Click on Request certificate.

Fill information in a popup window:

And click on Submit a request button.

Now we have the valid certificate and we could download the certificate. Certificate button downloads public key and Key button downloads encrypted public and private key.

For admin, there is another one important section in left menu Certificates and again in Certificates. This table shows all certificates. But as you can see, even admin has access just to the public key, in other words, the private key can be downloaded just by owner.

Generate certificate by CSR

In the left menu click on Profile and then on Certificates. There are 2 tables, in Certificates table are all certificates owned by the user and in the other table, there are requests of certificates. Click on Request certificate.

Fill information in a popup window:

And then click on Submit a request button.

Now we have two certificates and as you can see in the picture below, the private part of certificate generated with CSR file cannot be downloaded. It is because CzechIdM does not have a private part. Users have it with CSR file, so if you lose it you will probably have to generate a new certificate.

Upload certificate

Certificate generated by third-party authority can be uploaded to CzechIdM (or synchronized from target system). In the left menu Profile and then in Certificates menu, you can upload certificate by clicking on an Upload certificate button.

And then just drag certificate file to marked box in a popup window.

If we want to allow a user to upload a certificate, we set authorization policies as follows:

Renew and revoke certificate

For users:

It is on the same page as generating a certificate. By clicking on Profile in the left menu and then on Certificates. And as you can see in the picture below, in column Action there are two buttons. Green one is for renew a certificate, it prolongs the validity of a certificate. The red one revokes a certificate (e.g. certificate was compromised), the certificate will stay in certificates section, but it will not be valid.

For admin:

There is agenda in left menu CertificatesCertificates (picture below), where are all certificates and admin can revoke or renew certificates even of other user's.

When a certificate expires, it no longer can be renewed. But in Settings and in Task scheduler process can be created, which sends a notification with a warning, when certificates will expire in few days. Or you can find help in warning notification tutorial.
To allow using this agenda, users have to have this permissions:
  • CrtRequest - Read, Create, Update
  • CrtCertificate - Read, Create
  • CrtAuthority - autocomplete

You can create new role, add this permissions to the role and assign this role to users.

Congratulations, if you are reading this, you successfully completed this tutorial.

Permissions

For CRT exists two special permissions for validating and requesting certificate by CSR request:

These permission must be set to user before they want upload or validate CSR request. Basic requesting via frontend form works with permission create/update.

Configuration

Configuration option that allow create password as another user. For example: admin requesting new certificate for user.

# If value is true admin can set new password, this password will be sent to user in notification. 
# If set to false admin will not able set password to request. The password for certificate will be generated by password policy.
idm.pub.crt.configuration.passCreate.enabled=true
#
# Default status for all identity certificates that will be revocated after identity will be disabled. 
idm.sec.crt.configuration.identityDisabledRevocationReason=UNSPECIFIED
#
# Default status for all identity certificates that will be revocated after identity will be deleted.
idm.sec.crt.configuration.identityDeletedRevocationReason=UNSPECIFIED

Revocation status list