4.4 X.509 Certificate Self-Provisioning

This section describes the X.509 self-provisioning feature.

4.4.1 Overview

When you create an X.509 certificate, there are many important pieces of information that must be identified and substantiated before the Certificate Authority (CA) issues the certificate. Two of the most important tasks are:

  • Verifying the identity of the certificate's subject (verifying the identity of the person or object the certificate is for).

  • Verifying the appropriateness of the subject name in the certificate (verifying that the subject name correctly represents the identity of the person or object the certificate is for).

These two tasks can be very time-consuming and are often performed by a separate administrative person or group.

Novell Certificate Server has always leveraged the secure identity management capabilities of eDirectory to reduce the time and effort needed to perform these verifications. Both iManager and ConsoleOne allow an administrator to create user certificates in bulk; that is, to create a certificate for a large number of users at one time. The CA checks that the identity of the certificate is tied to the eDirectory account, which verifies the identity of the certificate's subject; however, the CA has not verified the appropriateness of the subject name in the certificate. Because of this, creating certificates with Novell Certificate Server has always required that the person or software have administrative rights to the Organizational CA.

In this release, we are adding user and server self-provisioning capabilities to Novell Certificate Server. Self-provisioning allows a user or server to generate certificates without having administrative rights to the Organizational CA and without the intervention of a separate administrative person or group, while still maintaining the security of the CA.

As previously stated, Novell Certificate Server already verifies the identity of the certificate's subject by checking that the identity of the certificate is tied to the eDirectory account. In this release, we are adding the capability for the CA to verify the appropriateness of the subject name in the certificate by checking it against information in eDirectory. This allows the Organizational CA to leverage the secure identity management capabilities of eDirectory to reduce administrative tasks while maintaining the security of the CA.

4.4.2 User Self-Provisioning

In the past, creating a user certificate required administrative rights to the CA as well as rights to attributes on the User object. With user self-provisioning, administrative rights to the CA are not necessary; however, Read (R) and Write (W) rights to the userCertificate, NDSPKI:UserCertificateInfo, and SAS:SecretStore attributes are still necessary.

If the person requesting the creation of the certificate has administrative rights to the CA, the certificate creation is not affected by whether or not user self-provisioning is enabled. If the person requesting the creation of the certificate does not have administrative rights to the CA, the subject name in the request is compared to the user's eDirectory DN and any values in the sasAllowableSubjectNames attribute. If the subject name matches, the CA checks to ensure that any Subject Alternative Names are appropriate. The CA does this by checking that there is not more than one Subject Alternative Name. If one exists, it must be an email name and it must match an email name configured on the User object. If all these checks succeed, the CA does not require administrative rights to the CA in order to create the certificate.

To use user self-provisioning:

1. Download and install the Novell Certificate Server 3.2.2 or later plug-in for iManager.

2. Extend the eDirectory schema.

3. Enable user self-provisioning:

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with administrative rights to the Organizational CA.

  3. From the Roles and Tasks menu, click Directory Administration > Modify Object.

  4. Browse to and select the Organizational CA object.

  5. Click OK.

  6. Click the General tab, then select Enable user self-provisioning.

  7. Click OK or Apply.

4. Set up inherited rights for users:

  1. Enable the iManager “[this]” object.

    1. Log in to iManager as an iManager administrator.

    2. Click the Configure icon.

    3. Click iManager Server > Configure iManager.

    4. Click the Misc tab.

    5. Select Enable “[this]”.

    6. Click Save.

  2. Add inherited rights.

    1. Log in to iManager as a Certificate Authority administrator.

    2. From the Roles and Tasks menu, click Rights > Modify Trustees.

    3. Browse for and select the object you want the rights to be inherited from (for example, the root of the tree or a container), then click OK.

    4. Click Add Trustee, select the “[this]” object, then click OK.

    5. Click Assign Rights.

    6. Click Add Property.

    7. Select Show all properties in schema.

    8. Select the userCertificate attribute, then click OK.

    9. Select Read and Write rights.

    10. Select Inherit.

    11. Repeat Steps 6 through 10 (Add Property through Inherit) for the other attributes (NDSPKI:UserCertificateInfo and SAS:SecretStore).

    12. Click Done > OK.

4.4.3 Server Self-Provisioning

In the past, creating a server certificate required administrative rights to the CA as well as administrative rights to the context the server certificate was to be created in. With server self-provisioning, administrative rights to the CA are not necessary; however, administrative rights to the context the server certificate is created in are still necessary.

If the person requesting the creation of the certificate has administrative rights to the CA, the certificate creation is not affected by whether or not server self-provisioning is enabled. If the person requesting the creation of the certificate does not have administrative rights to the CA, then the subject name in the request is compared to the server's eDirectory DN and any IP or DNS addresses as determined by a DNS or eDirectory SLP lookup. If the subject name matches either, then the CA does not require administrative rights to the CA in order to create the certificate.
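The two subject-name checks described above (Section 4.4.2 for users, this section for servers), written out as an added example of the decision logic. This is not Novell's code: the record types, the DN normalisation rule (case-insensitive, whitespace around separators ignored) and the sample values are assumptions made for illustration.

```python
"""Model of the self-provisioning subject checks from sections 4.4.2 and 4.4.3.
Added example, not Novell Certificate Server code; data model and normalisation
rules are assumptions. eDirectory attribute rights are enforced separately and
are not modelled here."""
from dataclasses import dataclass, field


def _norm_dn(dn: str) -> str:
    # Assumption: DNs compare case-insensitively, ignoring space around commas.
    return ",".join(p.strip().lower() for p in dn.split(","))


@dataclass
class UserRecord:
    dn: str
    allowable_subject_names: list = field(default_factory=list)  # sasAllowableSubjectNames
    emails: list = field(default_factory=list)  # email names configured on the User object


@dataclass
class ServerRecord:
    dn: str
    addresses: list = field(default_factory=list)  # IP/DNS names from DNS or SLP lookup


def user_request_allowed(subject, sans, user, requester_is_ca_admin=False):
    """Return (allowed, reason). sans is a list of (type, value) tuples."""
    if requester_is_ca_admin:
        return True, "ca-admin: self-provisioning checks bypassed"
    allowed = {_norm_dn(user.dn)} | {_norm_dn(n) for n in user.allowable_subject_names}
    if _norm_dn(subject) not in allowed:
        return False, "subject is not the user DN or a sasAllowableSubjectNames value"
    if len(sans) > 1:
        return False, "more than one Subject Alternative Name"
    if sans:
        kind, value = sans[0]
        if kind != "email":
            return False, "Subject Alternative Name is not an email name"
        if value.lower() not in {e.lower() for e in user.emails}:
            return False, "email name does not match the User object"
    return True, "self-provisioned user certificate"


def server_request_allowed(subject, server, requester_is_ca_admin=False):
    """Return (allowed, reason) for a server certificate request."""
    if requester_is_ca_admin:
        return True, "ca-admin: self-provisioning checks bypassed"
    if _norm_dn(subject) == _norm_dn(server.dn):
        return True, "subject matches server DN"
    if subject.lower() in {a.lower() for a in server.addresses}:
        return True, "subject matches resolved IP/DNS address"
    return False, "subject is not the server DN or a resolved address"
```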

To use server self-provisioning:

1. Download and install the Novell Certificate Server 3.2.2 or later plug-in for iManager.

2. Extend the eDirectory schema.

3. Enable server self-provisioning:

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with administrative rights to the Organizational CA.

  3. From the Roles and Tasks menu, click Directory Administration > Modify Object.

  4. Browse to and select the Organizational CA object.

  5. Click OK.

  6. Click the General tab, then select Enable server self-provisioning.

  7. Click OK or Apply.

4.4.4 Certificate Self-Provisioning and the Issue Certificate Task

The Issue Certificate task allows the creation of a certificate by using a PKCS#10 Certificate Signing Request (CSR). This task allows the user to create a certificate that is not tied to any eDirectory object. If the person requesting the creation of the certificate has administrative rights to the CA, the certificate creation is not affected. If the person requesting the creation of the certificate does not have administrative rights to the CA, the certificate request is treated as a user self-provisioning request, but the person does not need to have rights to the userCertificate, NDSPKI:UserCertificateInfo, and SAS:SecretStore attributes on the object. This is because the certificate is not stored in eDirectory, so rights to the object are not needed.

User self-provisioning must be enabled for a user to issue certificates without having administrative rights to the CA. Complete Steps 1 through 3 of Section 4.4.2, User Self-Provisioning.

For information on the Issue Certificate task, see Section 4.1.2, Issuing a Public Key Certificate.