
Setting up a CA on the IAG server

Applies To: Intelligent Application Gateway (IAG)

This topic describes how you install the Microsoft Certificate Authority on the Whale Communications Intelligent Application Gateway (IAG) 2007 in order to provide users with the required certificates in a local certification authority (CA) setup. If you use a CA installed on a remote computer, you have to use other means in order to provide users with the certificates.

Installing a CA on the IAG server

Install a CA as follows:

To install a Microsoft Certificate Authority

  1. Before beginning installation, set the Server service to automatic and ensure it is started. In addition, stop the Internet Information Services (IIS) service if it is running.
    On the Windows desktop, click Start, click Settings, click Control Panel, and then click Add/Remove Programs.

    The Add/Remove Programs Properties dialog box is displayed.

  2. Click Add/Remove Windows Component.

    The Windows Components Wizard is displayed.

  3. In the “Components” list, check Certificate Services and click Next.

    The CA Type window of the Windows Components Wizard is displayed.

  4. Select Stand-alone root CA.

  5. Select Use custom settings to generate the key pair and CA certificate and click Next.

    The Public and Private Key Pair window of the Windows Components Wizard is displayed.

  6. Select the following:

    • In the “CSP” list, select Microsoft Enhanced Cryptographic Provider v1.0.

    • In the “Hash algorithm” list, select SHA-1.

    • In the “Key length” drop-down list, select 2048.

    Click Next.

    The CA Identifying Information window of the Windows Components Wizard is displayed.

  7. Enter the Common name for this Certification Authority and click Next.

    A cryptographic key is generated, and the Certificate Database Settings window of the Windows Components Wizard is displayed.

  8. Do not change the default values displayed in the Certificate Database Settings window. Click Next.

    If Internet Information Services (IIS) is running, you are prompted to stop IIS.

  9. Click Yes to stop IIS on your computer.

    A progress bar appears and the Microsoft Certificate Authority is installed.

  10. Click Finish to exit the Windows Components Wizard.

  11. To verify that the Certificate Authority is installed and working on your computer, in the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.

    The Certification Authority window with the certification authority you just installed is displayed.

Defining a CA policy

The Microsoft CA provides two policies for issuing certificates:

  • Manual—The user’s request is defined as pending until the administrator manually issues the certificate.

  • Automatic—The certificate is automatically issued after the request is received.

When the CA is installed, the default certification policy is Manual. You can change this policy type at any time. If you select the Automatic certification policy, by default, the certificate is issued immediately after the certification request is received. If you wish, you can change the policy to Automatic with Delay, whereby the certificate is issued only after the specified delay period.

Note

When you change the certification policy, the change only affects new certification requests. Requests that were entered prior to the change are treated according to the policy that prevailed when the request was entered.

Use the following procedure to select a certification policy:

To select a certification policy

  1. In the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.

    The Certification Authority window is displayed.

  2. Right-click the home folder of the CA and select Properties.

    The CA’s Properties dialog box is displayed.

  3. Select the Policy Module tab.

  4. Click Properties.

    The Properties dialog box is displayed.

  5. In the Request Handling tab, select one of the following actions:

    • For manual mode, select the option:

      “Set the certificate request status to pending. The administrator must explicitly issue the certificate”.

    • For automatic mode, select the option:

      “Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate”.

  6. Click OK.

    The default action is set. It will be applied to all new requests. Existing requests are treated according to the policy that prevailed when the request was entered.

Specifying an automatic policy with delay

In addition to the policies you can select via the Certification Authority interface, IAG enables you to specify an Automatic with Delay policy. This policy automatically issues the certificate, but only after a defined delay interval.

To define an Automatic with Delay policy

  1. On the IAG server, access the following file:

    …\Whale-Com\e-Gap\Von\WhaleSEP\inc\info.inc

  2. Copy the file you accessed in step 1 to the following custom folder:

    …\Whale-Com\e-Gap\Von\WhaleSEP\inc\CustomUpdate

    If this folder does not already exist, create it.

    If such a file already exists, use the existing file.

  3. In the file under the CustomUpdate folder, locate the line:

    nAutoModeDelayInMinutes=0

  4. Replace the value 0 with the required delay interval value.

  5. Save the file.

    The default policy is set to Automatic with Delay.

    Note

    If at a later time you change the policy to either Automatic or Manual, you need to manually reset the value of nAutoModeDelayInMinutes back to 0:

    nAutoModeDelayInMinutes=0

Setting pending timeout for a manual CA policy

This procedure describes how you change the pending timeout interval of the Manual certification policy.

To set the pending timeout interval

  1. On the IAG server, open the following file:

    …\Whale-Com\e-Gap\Von\WhaleSEP\inc\certdat.inc

    Note

    This file is only available in IAG after you install the CA on the server.

  2. Change the value of nPendingTimeoutDays. For example, nPendingTimeoutDays=25.

  3. Save the file.

    The pending timeout interval is updated to the new value specified. It will be applied to all new requests. The pending timeout interval for existing requests is the interval that prevailed when the request was entered.

Customizing user information properties

This topic describes how you change the properties of the fields that are displayed to users requesting certificates in the Certified Endpoint Certificate - User Information window. The default properties are determined during the installation of the CA on IAG, in the CA Identifying Information window.

Tip

For information about customizing the look-and-feel of the Certified Endpoint Enrollment pages, see Customizing IAG certified endpoint enrollment pages.

To edit the properties of the data fields in the User Information window

  1. At IAG, access the following file:

    …\Whale-Com\e-Gap\Von\WhaleSEP\inc\info.inc

  2. Copy the file you accessed in step 1 to the following custom folder:

    …\Whale-Com\e-Gap\Von\WhaleSEP\inc\CustomUpdate

    If this folder does not exist, create it.

    If such a file already exists, use the existing file. The file contains the definitions of the User Information data fields.

  3. In the file under the CustomUpdate folder, change the properties of the data fields as required. For each field, you can assign a status, as follows:

    • FIELD_READONLY: read-only. A read-only field is displayed in the User Information window, but users cannot edit its value.

    • FIELD_EDITABLE: read-write. A read-write field is displayed in the User Information window with a text box, enabling users to enter a value.

    • FIELD_HIDDEN: hides the field. A hidden field is not displayed in the User Information window.

      Note

      The content of all fields except the editEmail field is filled in automatically from the certificate; therefore it is recommended that these fields retain their default FIELD_READONLY status.

      A sample of how this code is implemented is provided in Sample Code: info.inc.

      For more information, see Customizing IAG certified endpoint enrollment pages.

  4. Save the file.

    When users next request a certificate, the data fields in the User Information window will display according to the properties you set here.

Sample Code: info.inc

<%' CODEPAGE=65001 'UTF-8
' info.inc - global (DAT)a
if Session(INFO_INC) <> FILE_NOT_EXIST then
    include Session(INFO_INC)
else
    'Delay between certificate request and certificate issue in
    'automatic mode. Default value should be 0
    nAutoModeDelayInMinutes=0

    'default data fields edit status FIELD_READONLY, FIELD_EDITABLE,
    'FIELD_HIDDEN
    editCommonName=FIELD_READONLY
    editEmail=FIELD_EDITABLE
    editCompany=FIELD_READONLY
    editDepartment=FIELD_READONLY
    editLocalCity=FIELD_READONLY
    editState=FIELD_READONLY
    editCountry=FIELD_READONLY
end if%>
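The following Python script is an added example for this topic; it is not IAG code and not part of the original page. It parses the VBScript-style name=value assignments in a CustomUpdate copy of info.inc and in certdat.inc, and checks them against the guidance in the three preceding procedures: nAutoModeDelayInMinutes is reset to 0 unless an Automatic with Delay policy is intended, each edit* field carries one of the three documented statuses, auto-filled fields stay FIELD_READONLY, and a Manual policy has a positive nPendingTimeoutDays. The file contents are constructed samples modelled on the sample code above, and the policy labels ("manual", "automatic", "automatic_with_delay") and the function names are this example's own.

```python
"""Audit the IAG CustomUpdate copies of info.inc and certdat.inc.

Added example for this topic; it is not IAG code. The file contents below
are constructed samples modelled on the Sample Code: info.inc section.
"""
import re
from typing import Dict, List

# Statuses the page defines for the User Information data fields.
FIELD_STATUSES = {"FIELD_READONLY", "FIELD_EDITABLE", "FIELD_HIDDEN"}

# Every field except editEmail is filled in from the certificate, so the
# page recommends keeping these at their default FIELD_READONLY status.
AUTO_FILLED_FIELDS = {
    "editCommonName", "editCompany", "editDepartment",
    "editLocalCity", "editState", "editCountry",
}

# Matches a VBScript assignment such as  nAutoModeDelayInMinutes=0
# (an optional trailing ' comment is ignored).
ASSIGN_RE = re.compile(r"^([A-Za-z_]\w*)\s*=\s*([^'\s]+)")


def parse_inc(text: str) -> Dict[str, str]:
    """Return the name=value assignments in an ASP/VBScript .inc file.

    ASP delimiters, ' comments and control lines (if/else/include) are
    skipped, so the result holds only the settings an administrator edits.
    """
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.replace("<%", "").replace("%>", "").strip()
        if not line or line.startswith("'"):
            continue
        match = ASSIGN_RE.match(line)
        if match:
            values[match.group(1)] = match.group(2)
    return values


def audit(info: Dict[str, str], certdat: Dict[str, str], policy: str) -> List[str]:
    """Check parsed settings against the intended CA policy.

    policy is the administrator's intent, a label chosen for this example:
    "manual", "automatic" or "automatic_with_delay".
    """
    findings: List[str] = []

    raw_delay = info.get("nAutoModeDelayInMinutes", "0")
    delay = int(raw_delay) if raw_delay.isdigit() else -1
    if delay < 0:
        findings.append(f"nAutoModeDelayInMinutes={raw_delay} is not a non-negative integer")
    elif policy == "automatic_with_delay" and delay == 0:
        findings.append("Automatic with Delay intended but nAutoModeDelayInMinutes is 0")
    elif policy != "automatic_with_delay" and delay != 0:
        findings.append(f"nAutoModeDelayInMinutes={delay} must be reset to 0 for a {policy} policy")

    for name, status in sorted(info.items()):
        if not name.startswith("edit"):
            continue
        if status not in FIELD_STATUSES:
            findings.append(f"{name}={status} is not a recognised field status")
        elif name in AUTO_FILLED_FIELDS and status != "FIELD_READONLY":
            findings.append(f"{name}={status}: auto-filled field, FIELD_READONLY recommended")

    # The pending timeout only matters when requests wait for manual issue.
    if policy == "manual":
        timeout = certdat.get("nPendingTimeoutDays", "")
        if not timeout.isdigit() or int(timeout) == 0:
            findings.append("nPendingTimeoutDays missing or not a positive integer")

    return findings


# Constructed sample of a CustomUpdate\info.inc that an administrator edited.
SAMPLE_INFO_INC = """<%' CODEPAGE=65001 'UTF-8
' info.inc - constructed sample, not a real IAG file
if Session(INFO_INC) <> FILE_NOT_EXIST then
    include Session(INFO_INC)
else
    nAutoModeDelayInMinutes=30
    editCommonName=FIELD_READONLY
    editEmail=FIELD_EDITABLE
    editCompany=FIELD_EDITABLE
    editDepartment=FIELD_READONLY
    editLocalCity=FIELD_READONLY
    editState=FIELD_READONLY
    editCountry=FIELD_HIDDEN
end if%>
"""

# Constructed sample of certdat.inc with the page's example value.
SAMPLE_CERTDAT_INC = """<%
' certdat.inc - constructed sample
nPendingTimeoutDays=25
%>
"""

if __name__ == "__main__":
    info = parse_inc(SAMPLE_INFO_INC)
    certdat = parse_inc(SAMPLE_CERTDAT_INC)
    for intent in ("automatic_with_delay", "manual"):
        print(f"policy={intent}:")
        for finding in audit(info, certdat, intent):
            print("  -", finding)
```

Run against the real files by reading the two CustomUpdate paths from the procedures above into parse_inc; the parser deliberately skips the surrounding if/else wrapper, so the same function handles both the shipped info.inc and the CustomUpdate copy.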

Adding the CA to the certificate trust list

The Certificate Trust List (CTL) is a signed list of CA certificates that have been judged reputable by the administrator. In order to use a CA, you have to notify IAG that you trust the CA by adding it to the CTL for the portal, as follows:

Note

If you are using a remote CA, import your server certificate into the local computer’s Trusted Root Certification Authorities/Certificate store before proceeding.

To add a CA to the CTL

  1. In the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Internet Information Services.

    The Internet Information Services (IIS) Manager window is displayed.

  2. Right-click on the portal and select Properties.

    The portal Properties dialog box is displayed.

  3. Click the Directory Security tab.

  4. In the Secure communications area, click Edit.

    The Secure Communications dialog box is displayed.

  5. Check the option “Enable certificate trust list”, and click New.

    The Welcome to the Certificate Trust List Wizard page is displayed.

  6. Click Next.

    The Certificates in the CTL page of the Certificate Trust List Wizard is displayed.

  7. Click Add from Store.

    The Select Certificate dialog box is displayed.

  8. Select the certificate you wish to use and click OK.

    The Certificates in the CTL page of the Certificate Trust List Wizard is displayed with the certificate you selected.

  9. Click Next.

    The Name and Description page of the Certificate Trust List Wizard is displayed.

  10. Enter a name and description for the new Certificate Trust List and click Next.

    The Completing the Certificate Trust List Wizard page of the Certificate Trust List Wizard displays a summary of your settings.

  11. Click Finish.

    The Certificate Authority is added to the Certificate Trust List. The configuration process is complete. End-users can proceed to make their computers Certified Endpoints, in one of the following ways:

    • Local CA installation: as described in End-User Interaction (Local CA Only).

    • Remote CA installation: end-users need to request a certificate by means determined by the administrator.

Backing up the certificate settings

Make sure that you have a backup of the private key. If not, create backup files via the certificate store. After the initial backup, make sure to back up the certificate settings from time to time, especially before any IAG software upgrade or installation, or any other changes to system settings.

Note

For instructions on how to back up the certificate, see

https://www.thawte.com/ssl-digital-certificates/technical-support/ssl/iis6.html

Viewing and processing CA requests

After a certificate is requested, depending on your Certificate Authority Policy, you can perform one of the following actions for the certificate request:

  • Issue a certificate for the pending request.

  • Deny a certificate for the pending request.

You can view requests for Certificate Authorities in the Certification Authority window.

To view certificate information

  1. In the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.

    The Certification Authority window is displayed.

  2. Select the Certification Authority, and double-click one of the following folders:

    • Revoked Certificates

    • Issued Certificates

    • Pending Requests

    • Failed Requests

    The information in the selected folder is displayed in the right pane of the Certification Authority window.

To issue a certificate from a pending request

  • Right-click the pending request in the Certification Authority window, point to All Tasks, and then click Issue.

    The certificate is issued. The pending request is moved from the Pending Requests folder to the Issued Certificates folder.

To deny a pending request for a certificate

  • Right-click the pending request in the Certification Authority window, point to All Tasks, and then click Deny.

    The pending request is denied and is placed in the Failed Requests folder. When the end-user checks the status of the Certified Endpoint request, a screen is displayed informing the end-user that the request was denied.