Sentry CA can allow signing of certificates without administrator intervention (without putting requests into a request queue and then manually signing them). You simply change the LDAP ACL rules that govern the enrollment server's access to the database, using the 'Modify LDAP ACL Rules' function, and then put the automatic vetting templates in place.
Note that you do not need to change the LDAP ACL rules if you are doing automatic vetting via the administrative webserver. These rule changes allow the enrollment webserver to have access to the items required for automatic vetting of the certificate requests.
Remember when setting LDAP ACL rules, the order of the rules is critical to producing the correct effect.
1. Determine the md5 of your administration server and enrollment server.
This can be found at the end of the LDAP ACL rules in the rule that allows writing to the request queue:
access to dn="dn=request_queue"
by dn="md5=<administration-server-md5>" write
by dn="md5=<enrollment-server-md5>" write
by dn="md5=<dss-enrollment-server-md5>" write
(After installation, the first one is always the admin server, the second one is always the enrollment server, and the third is always the DSS-based enrollment server (port 445)).
If you want to limit which CA can be automatically vetted, you will also need the md5 for each CA that you want to do automatic signing for. This can be viewed by looking at each CA of interest using the 'View existing CA' function. (If you want to allow automatic vetting for all CAs you do not need to find their md5s.)
2. The enrollment server needs access to the Signing Backend for automatic vetting to work. Access to the Signing Backend is controlled by the LDAP ACL Rules. Edit the LDAP ACL Rules as follows to give appropriate access:
Two choices:
a. allow access to all CAs
b. allow access only to specific CAs
Please follow the instructions in either 2a or 2b as appropriate.
a. Modify LDAP ACL rules to allow autovetting access to all CAs
Find the section which controls access to the Signing Backend.
It looks like this:
#
# Admin server has write access to the CA operations (signing)
# backend -- access is denied to all other clients.
#
access to dn="o=ca,o=services"
by dn="md5=12345678901234567890123456789012" write
by dn=".*" none
Add the enrollment server's md5 to the list of allowed DNs above the final
line as shown below.
#
# Admin server has write access to the CA operations (signing)
# backend -- access is denied to all other clients.
#
access to dn="o=ca,o=services"
by dn="md5=12345678901234567890123456789012" write
by dn="md5=<enrollment-server-md5>" write
by dn=".*" none
- - - OR - - -
b. Modify LDAP ACL rules to allow access only to specific CAs
Add the following lines above the existing signing backend ACL Rule:
#
# Admin server and enrollment server have write access to the
# CA operations (signing) backend for this particular CA --
# access is denied to all other clients.
#
access to dn="<CA_md5>,o=ca,o=services"
by dn="md5=12345678901234567890123456789012" write
by dn="md5=<enrollment-server-md5>" write
by dn=".*" none
Where <CA_md5> is the md5 of the CA you want the enrollment server to
be able to handle automatic vetting for. Make one of these rules for each CA
you want the enrollment server to handle automatic vetting for.
When finished, your rules should look as follows:
#
# Admin server and enrollment server have write access to the
# CA operations (signing) backend for this particular CA --
# access is denied to all other clients.
#
access to dn="<CA_md5>,o=ca,o=services"
by dn="md5=12345678901234567890123456789012" write
by dn="md5=<enrollment-server-md5>" write
by dn=".*" none
<repeat for each CA you wish to have autovetting for>
#
# Admin server has write access to the CA operations (signing)
# backend -- access is denied to all other clients.
#
access to dn="o=ca,o=services"
by dn="md5=12345678901234567890123456789012" write
by dn=".*" none
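The warning that rule order is critical, and the instruction in 2b to place the per-CA rules above the generic signing-backend rule, can be checked with the following added example (not code from the Sentry CA product or its documentation). It assumes the ACL engine treats each dn pattern as an unanchored regular expression and stops at the first 'access to' clause whose pattern matches the target, which is how the '.*' patterns on this page behave; the md5 values are constructed placeholders.

```python
import re

# Constructed ACL fragments in the page's syntax. ADMIN_MD5, ENROLL_MD5 and
# CA_ONE_MD5 are placeholders, not real Sentry CA identifiers.
SPECIFIC_CA_RULE = '''
access to dn="CA_ONE_MD5,o=ca,o=services"
by dn="md5=ADMIN_MD5" write
by dn="md5=ENROLL_MD5" write
by dn=".*" none
'''
GENERIC_BACKEND_RULE = '''
access to dn="o=ca,o=services"
by dn="md5=ADMIN_MD5" write
by dn=".*" none
'''

def parse_acl(text):
    """Parse 'access to dn="..."' blocks and their 'by dn="..." <level>' clauses."""
    rules, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'access to dn="(.*)"$', line)
        if m:
            current = {"target": m.group(1), "by": []}
            rules.append(current)
            continue
        m = re.match(r'by dn="(.*)" (\w+)$', line)
        if m and current is not None:
            current["by"].append((m.group(1), m.group(2)))
    return rules

def decide(rules, requester_dn, target_dn):
    """First-match evaluation (assumption): the first 'access to' whose regex
    matches the target decides; within it, the first matching 'by' wins."""
    for rule in rules:
        # Unanchored search: "o=ca,o=services" also matches "<md5>,o=ca,o=services",
        # so a generic rule placed first swallows every per-CA rule below it.
        if re.search(rule["target"], target_dn):
            for who, level in rule["by"]:
                if re.search(who, requester_dn):
                    return level
            return "none"          # no 'by' matched: denied
    return "none"                  # no rule matched: denied

def enroll_access(acl_text, ca_md5):
    """Access level the enrollment server gets to the signing backend of one CA."""
    return decide(parse_acl(acl_text), "md5=ENROLL_MD5", ca_md5 + ",o=ca,o=services")

CORRECT_ORDER = SPECIFIC_CA_RULE + GENERIC_BACKEND_RULE   # per-CA rule above, as the page says
WRONG_ORDER = GENERIC_BACKEND_RULE + SPECIFIC_CA_RULE     # per-CA rule never reached
```

With the correct order the enrollment server gets write on CA_ONE_MD5 only; with the generic rule first it gets none everywhere, even though the per-CA rule is still present.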
3. Set up the auto-signing pages.
To make these templates accessible from your enrollment webserver, put these templates into the enroll-server subdirectory where you installed Sentry CA.
For Netscape 4.x browsers:
Use auto-request-spk.xuda and auto-add-spk-request.xuda
For MSIE 4.x and 5.x browsers:
Use auto-request-msie.xuda and auto-add-msie-request.xuda
You may pick up a sample copy of the xuda templates from:
For Sentry CA 3.5: autovet35.zip
For Sentry CA 3.6: autovet36.zip
For Sentry CA 3.7: autovet37.zip
For Sentry CA 4.0: autovet40.zip
4. Stop and restart all services.
Additional notes:
- TTL (time to live) should be set to the number of days that you want the certificates to be valid for. You can modify the value for TTL in auto-add-msie-request.xuda or auto-add-spk-request.xuda.
- To allow auto-vetting of a LUNA based CA or any CA for which a passphrase is used, you must ensure that either:
a) The PIN is automatically provided at startup using the "setpin" directive.
or
b) The correct PIN is entered at startup time.
- To reach the autovetting templates from the enrollment page, either add a link to auto-request-spk.xuda and auto-request-msie.xuda from index.xuda in the enroll-server directory, or, if all CAs will be auto-vetted, rename the two templates to request-spk.xuda and request-msie.xuda.
To allow automatic vetting of certificate requests for Sentry CA versions later than 4.0 and for Keon CA 5.7, refer to the Sentry/Keon CA Administrator's Guide, section "Automatic Vetting of Certificate Requests Submitted via the Enrollment Server" in Chapter 3, for detailed instructions.