000022354 - How to configure Keon Certificate Authority (KCA) to capture email address when submitting a PKCS#10 request on the enrollment page

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000022354

Applies To:
Keon Certificate Authority 6.0
Microsoft Internet Information Server (IIS)
PKCS #10 certificate request

Issue:
How to configure Keon Certificate Authority (KCA) to capture email address when submitting a PKCS#10 request on the enrollment page
If a PKCS #10 certificate request that does not contain an email address is submitted through the KCA's Enrollment Server, the vettor has no email address to send the approval response to.

Cause:
Microsoft does not include an email address in the PKCS #10 request.
KCA's Enrollment Server does not have an option to submit an email address in addition to the PKCS #10 request.

Resolution:
A workaround is available to add a new field on the PKCS #10 request/enrollment page on KCA. Here are the details:

1. Make a backup of the following 2 files:

    <KCA-INSTALL-DIR>\WebServer\enroll-server\request-pkcs10.xuda
    <KCA-INSTALL-DIR>\WebServer\x-templates\x-add-spk-req.xuda

2. Open the file request-pkcs10.xuda using a text editor

3. Search for the following block of code in request-pkcs10.xuda:

    <UL>
    <PRE>
    <TEXTAREA NAME="pkcs10_input" rows="10" cols="80"></TEXTAREA>
    </PRE>
    </UL>

4. Add the following lines immediately AFTER the above lines:

    <TR>
    <TD ALIGN=RIGHT>Email Address:</TD>
    <TD><INPUT TYPE="text" SIZE="40" NAME="user-email-address"></TD>
    </TR>

5. Save changes to request-pkcs10.xuda

6. Open the second file, x-add-spk-req.xuda, using a text editor

7. Search for the following line in x-add-spk-req.xuda (it should be the last line of the file):

    <!-- XUDA END -->

8. Add the following lines immediately BEFORE the above line:

    !if user-email-address!"NULL"
        <!-- LDAP Modify req-id=[req-id],dn=request_queue
                                 nondn='EA=[user-email-address]'
                                 objectclass=xuda_cert_req -->
        [@user-email-address=]
    !endif

9. Save changes to x-add-spk-req.xuda

10. Close all browser sessions pointing to the KCA Enrollment Server and the KCA administrative interface. Open a new browser session to make a PKCS #10 certificate request; a new field will show up where an email address can be entered. Similarly, when viewing such a request on the KCA administrative console, the email address will be available on the vetting page.
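
The file edits in steps 1 to 9 can also be scripted. The following Python script is an added example, not RSA's code: it backs up each template and applies the insert only once, refusing to edit if the anchor text is missing or appears more than once. The function names, the `.bak` backup suffix, and the assumption that `user-email-address` does not already occur in the unpatched templates are assumptions of this example.

```python
import re
import shutil
from pathlib import Path

# Field markup from step 4 and directive block from step 8, copied from the article.
EMAIL_ROW = (
    '<TR>\n'
    '<TD ALIGN=RIGHT>Email Address:</TD>\n'
    '<TD><INPUT TYPE="text" SIZE="40" NAME="user-email-address"></TD>\n'
    '</TR>\n'
)
LDAP_BLOCK = (
    '!if user-email-address!"NULL"\n'
    "    <!-- LDAP Modify req-id=[req-id],dn=request_queue\n"
    "                             nondn='EA=[user-email-address]'\n"
    "                             objectclass=xuda_cert_req -->\n"
    "    [@user-email-address=]\n"
    "!endif\n"
)
# Step 3 anchor: the TEXTAREA block through its closing </UL>, whitespace-tolerant.
TEXTAREA_END = re.compile(
    r'<TEXTAREA\s+NAME="pkcs10_input"[^>]*>\s*</TEXTAREA>\s*</PRE>\s*</UL>[ \t]*\r?\n?',
    re.IGNORECASE)
XUDA_END = re.compile(r'<!--\s*XUDA END\s*-->')  # step 7 anchor


def patch_text(text, anchor, block, before):
    """Return (new_text, changed). Raises if the anchor is missing or ambiguous."""
    # Assumption: the field name never appears in an unpatched template.
    if "user-email-address" in text:
        return text, False              # already patched; do nothing
    hits = list(anchor.finditer(text))
    if len(hits) != 1:
        raise ValueError(f"expected exactly one anchor, found {len(hits)}")
    pos = hits[0].start() if before else hits[0].end()
    eol = "\r\n" if "\r\n" in text else "\n"   # keep the file's line endings
    return text[:pos] + block.replace("\n", eol) + text[pos:], True


def patch_file(path, anchor, block, before):
    """Back up path to path + '.bak' (step 1), then apply the edit in place."""
    path = Path(path)
    raw = path.read_bytes().decode("latin-1")   # byte-preserving round trip
    new, changed = patch_text(raw, anchor, block, before)
    if changed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_bytes(new.encode("latin-1"))
    return changed
```

Call `patch_file(<path to request-pkcs10.xuda>, TEXTAREA_END, EMAIL_ROW, before=False)` for steps 2 to 5 and `patch_file(<path to x-add-spk-req.xuda>, XUDA_END, LDAP_BLOCK, before=True)` for steps 6 to 9.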

NOTE:
RSA Certificate Manager 6.6 (KCA's newer version released in October 2005) will support, out of the box, the option to configure a jurisdiction in such a way that additional non-DN fields can show up on the PKCS #10 enrollment page. Please contact RSA Security Customer Support for more details.
Legacy Article ID: a28404
