000025582 - Certificates can be created with longer validity than CAs.

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000025582
Applies To: Sentry CA 3.5
Keon Certificate Authority
TechNote 0143
Issue: Certificates can be created with longer validity than CAs.
Resolution: By default, it is possible to create a certificate with a longer validity period than the CA that issues it. In that case, you may need to either revoke those certificates and reissue them, or extend the CA so that it lasts longer than the certificates it issued.

A better approach is to change the templates so that they check the requested validity period and disallow any that exceeds the CA's. Three methods can be used:

1. Fix the validity period of the certificates to two days less than the CA's, so the
   certificate creator cannot modify this field at all. This template is useful when
   administrators want to issue every certificate with the longest possible validity
   period.

2. Provide a drop-down list of valid options for the certificate's validity period;
   only periods that do not extend past the CA's expiry are listed. The user can only
   choose a validity period from the list.

3. Display a warning message when a validity period longer than the issuing CA's is
   entered. The certificate is not issued and the user must go back and re-enter the
   validity period. This is the most flexible option, since administrators can enter
   any validity period they want without having to worry about exceeding the expiry
   date of the issuing CA (the system does the checking).
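To make the three policies concrete, here is an added example that models each check in Python; it is not the article's xuda templates and not RSA code, and the CA expiry date, request time, candidate periods and sample issued certificates are constructed assumptions:

```python
from datetime import datetime, timedelta, timezone

# Constructed sample values (not from the article): when the issuing CA expires
# and the time at which a certificate request is being processed.
CA_NOT_AFTER = datetime(2027, 6, 30, 12, 0, tzinfo=timezone.utc)
NOW = datetime(2026, 1, 1, 0, 0, tzinfo=timezone.utc)
SAFETY_MARGIN_DAYS = 2  # method 1: certificates end two days before the CA does

# Constructed candidate periods (days) that a drop-down template might offer.
CANDIDATE_PERIODS_DAYS = [30, 90, 180, 365, 730, 1095, 1825]

# Constructed sample of already-issued certificates (subject, notAfter) to audit.
ISSUED_SAMPLE = [("web01", datetime(2027, 3, 1, tzinfo=timezone.utc)),
                 ("vpn-gw", datetime(2028, 1, 15, tzinfo=timezone.utc)),
                 ("mail", CA_NOT_AFTER)]


def method1_fixed_period(ca_not_after, now):
    """Method 1: a fixed validity, two days less than the CA's remaining lifetime."""
    return max((ca_not_after - now).days - SAFETY_MARGIN_DAYS, 0)


def method2_dropdown_options(ca_not_after, now, candidates=CANDIDATE_PERIODS_DAYS):
    """Method 2: keep only the periods whose notAfter would not pass the CA's."""
    return [d for d in candidates if now + timedelta(days=d) <= ca_not_after]


def method3_check(ca_not_after, now, requested_days):
    """Method 3: accept any period but refuse one that outlives the issuing CA.
    Returns (ok, message); a False result means the request must be re-entered."""
    not_after = now + timedelta(days=requested_days)
    if not_after > ca_not_after:
        over = (not_after - ca_not_after).days
        return False, (f"Requested validity ends {not_after:%Y-%m-%d}, {over} day(s) "
                       f"after the issuing CA expires ({ca_not_after:%Y-%m-%d}); "
                       "re-enter the validity period.")
    return True, f"Certificate would expire {not_after:%Y-%m-%d}, within the CA's lifetime."


def certs_outliving_ca(ca_not_after, issued):
    """Audit for the revoke-and-reissue case: subjects whose notAfter is later than the CA's."""
    return [subject for subject, not_after in issued if not_after > ca_not_after]


if __name__ == "__main__":
    print("method 1 fixed period (days):", method1_fixed_period(CA_NOT_AFTER, NOW))
    print("method 2 drop-down options:", method2_dropdown_options(CA_NOT_AFTER, NOW))
    print("method 3 check, 600 days:", method3_check(CA_NOT_AFTER, NOW, 600)[1])
    print("certificates outliving the CA:", certs_outliving_ca(CA_NOT_AFTER, ISSUED_SAMPLE))
```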


Sample replacement templates are available for each of the above options. The steps for each method are as follows:

----
For method 1:
1. Make a backup of your original "view-request.xuda" file (under <sentry-installation-directory>/SentryCA/WebServer/admin-server/ca/admin).

2. Download a sample copy of the xuda templates from: https://knowledge.rsasecurity.com/docs/utilities/TTL_Fixed_Period.zip

3. Unzip the TTL_Fixed_Period.zip file.
   Copy "view-request.xuda" to ...SentryCA/WebServer/admin-server/ca/admin/
   (note you may need to change file permissions on the original file to be able to overwrite it)

4. Issue the certificate using the usual process.


----
For method 2:

1. Make a backup of your original "view-request.xuda" file (under <sentry-installation-directory>/SentryCA/WebServer/admin-server/ca/admin).

2. Download a sample copy of the xuda templates from:
    https://knowledge.rsasecurity.com/docs/utilities/TTL_Dropdown_List.zip

3. Unzip the TTL_Dropdown_List.zip file.
  Copy "view-request.xuda" to .../SentryCA/WebServer/admin-server/ca/admin/
  Copy "x-ttl-option.xuda" to .../SentryCA/WebServer/x-templates/
   (note you may need to change file permissions on the original files to be able to overwrite them)

4. Issue the certificate using the usual process.

Note: You can edit "x-ttl-option.xuda" to customize the drop-down list to fit your own requirements.


----
For method 3:

1. Make a backup of the following files:
  .../SentryCA/WebServer/admin-server/ca/admin/view-request.xuda
  .../SentryCA/WebServer/admin-server/ca/admin/authorize-request.xuda
  .../SentryCA/WebServer/x-templates/x-forward-request.xuda

2. Download a sample copy of the xuda templates from:
    https://knowledge.rsasecurity.com/docs/utilities/TTL_Warning_Message.zip

3. Unzip the TTL_Warning_Message.zip file.
  Copy "view-request.xuda" and "authorize-request.xuda"
       to .../SentryCA/WebServer/admin-server/ca/admin/
  Copy "x-forward-request.xuda" to .../SentryCA/WebServer/x-templates/
   (note you may need to change file permissions on the original files to be able to overwrite them)

4. Issue the certificate using the usual process.
Legacy Article ID: a3721
