DOD PKI Information
This section describes how to install, configure, and use PKI Services Manager to operate within the Department of Defense (DOD) or other Public Key Infrastructure (PKI) environment.
Installing and Removing Trust Points
A trust point is any CA certificate in a chain of trust.
Note
PKI Services Manager uses only those trust points that you have explicitly configured. Certificates in other stores are not used unless you configure this.
To install and configure a trust anchor
- Copy the certificate to the local certificate store. The default store location is:
  - Windows: common application data folder\Micro Focus\ReflectionPKI\local-store
  - Unix: /opt/microfocus/pkid/local-store
  You can configure other store locations. In the pki_config configuration file, use the LocalStore keyword. Or, from the PKI Services Manager console (Windows only), go to Local Store > Add.
- Configure PKI Services Manager to use this certificate:
  - From the Console: Trusted Chain > Trust Anchors > Add > Browse
  -or-
  - From the Configuration file: Open pki_config and configure the TrustAnchor keyword. For example:
    TrustAnchor = myTrustedCA.cer
- Save and reload your modified configuration.
To remove a trust anchor
- Remove the certificate from your list of trust anchors:
  - From the Console: Trusted Chain > Trust Anchors > Remove
  -or-
  - From the Configuration file: Open pki_config and remove the TrustAnchor line that specifies this trust anchor, or modify it to use a different certificate.
- Save and reload your modified configuration.
Retrieving Intermediate Certificates from an LDAP or HTTP Server
Intermediate CA trust points can be retrieved from an LDAP or HTTP server which may be identified by explicit URIs defined in the Authority Information Access (AIA) extension of a certificate, or by configuring explicit LDAP or HTTP server access using PKI Services Manager.
To configure a downloadable certificate server store using the console
- Open the Trusted Chain pane.
- In the search order list, select Certificate servers.
- Under Certificate servers, click Add.
- Specify the server using either HTTP or LDAP format. This example specifies an LDAP server:
  ldap://ldapserver.myhost.com:10389
- Save and reload your modified configuration.
To configure a downloadable certificate server store using the configuration file
- Open the pki_config file.
- Include 'certserver' in the CertSearchOrder list. For example:
  CertSearchOrder = local, certserver
- Use CertServers to identify your server using either HTTP or LDAP format. This example specifies an LDAP server:
  CertServers = ldap://ldapserver.myhost.com:10389
- Save and reload your modified configuration.
Configuring Certificate Revocation Checking
Revocation checking ensures that certificates used for validation have not been revoked by their issuers. Certificate revocation checking must be configured to meet DOD PKI requirements.
To configure certificate revocation checking using the console
- Open the Revocation pane.

| To | Do this |
|---|---|
| Use locally stored CRLs | In the search order list, select Local store, then copy the CRL lists to the local-store directory. |
| Use CRLs stored on an LDAP or HTTP server | In the search order list, select CRL servers. Under CRL servers, click Add and then specify the server URI. |
| Use an OCSP responder | In the search order list, select OCSP. Under OCSP responder URIs, click Add and then specify the responder URI. If your OCSP responder uses a certificate that is self-signed, or not the same as the intermediate CA certificate, you also need to specify a certificate that can be used to sign the OCSP response. Add this certificate to the OCSP certificates list. |
| Use revocation checking configured in the certificate | In the search order list, select CDP extension. |

- Save and reload your modified configuration.
To configure certificate revocation checking using the configuration file
- Open the pki_config file.

| To | Use these example settings |
|---|---|
| Use locally stored CRLs | RevocationCheckOrder = local. With this configuration, you need to copy the CRL lists to the local-store directory. |
| Use CRLs stored on an LDAP or HTTP server | RevocationCheckOrder = certserver and CRLServers = ldap://ldapserver.com -or- CRLServers = http://ldapserver.com |
| Configure an OCSP responder when no OCSP responder is configured in the certificate's AIA extension | RevocationCheckOrder = ocsp and OCSPResponders = http://ocsp.myhost.com. If your OCSP responder uses a certificate that is self-signed, or not the same as the intermediate CA certificate, you also need to specify a certificate that can be used to sign the OCSP response. Add this certificate to the OCSP certificates list. |
| Use an OCSP responder configured in the certificate's AIA extension | RevocationCheckOrder = ocsp, and include 'aia' in the certificate search order. For example: CertSearchOrder = local, aia |
| Use revocation checking configured in the certificate | RevocationCheckOrder = cdp |

- Save and reload your modified configuration.
Configuring PKI Services Manager to Meet DOD Requirements
By default, PKI Services Manager allows some configurations that do not meet DOD PKI requirements. To ensure that certificate validation meets DOD requirements, refer to the following procedures.
To configure DOD requirements using the console
- Install and configure at least one trust anchor.
- From the General pane:
  - Select Enforce DOD PKI Settings.
  - Select FIPS Mode.
  - Clear Allow version 1 certificates.
- From the Trusted Chain pane:
  - Under Search order when building path to trust anchor, ensure that "Windows certificate store" is not selected.
- From the Revocation pane:
  - Under Search order to use for revocation, ensure that "None" is not selected.
  - Select and configure at least one option for checking certificate revocation.
- Save your settings and restart the service.
To configure DOD requirements using the configuration file
- Install and configure at least one trust anchor.
- Open the pki_config file.
- Configure the following:
  EnforceDODPKI = yes
  FipsMode = yes
  AllowVers1 = no
- Use RevocationCheckOrder to ensure that "none" is not included in the list of options, and configure at least one option for checking certificate revocation.
- Ensure that "windows" is not included in the list of options specified for CertSearchOrder.
- Save your settings and restart the service.
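The following Python script is an added example, not part of PKI Services Manager, that audits a pki_config file against the DOD settings listed in the procedure above. It assumes the "Keyword = value" syntax and comma-separated lists shown on this page, that "#" starts a comment, and that the last occurrence of a keyword wins.

```python
import re

# Added example (not part of PKI Services Manager): lint a pki_config file
# against the DOD settings listed above. Assumes "Keyword = value" lines,
# "#" comments and comma-separated lists, as in the examples on this page.
DOD_REQUIRED = {"EnforceDODPKI": "yes", "FipsMode": "yes", "AllowVers1": "no"}

def parse_pki_config(text):
    """Return {keyword_lower: [values...]}; a keyword may repeat (e.g. TrustAnchor)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # assumption: '#' starts a comment
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line)
        if m:
            settings.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return settings

def _as_list(cfg, key):
    """Split the last value of a list keyword on commas (assumption: last one wins)."""
    return [v.strip().lower() for v in cfg.get(key, [""])[-1].split(",") if v.strip()]

def check_dod_settings(text):
    """Return a list of findings; an empty list means the file meets the rules above."""
    cfg = parse_pki_config(text)
    findings = []
    for key, want in DOD_REQUIRED.items():
        got = cfg.get(key.lower(), [""])[-1].lower()
        if got != want:
            findings.append(f"{key} should be '{want}', found '{got or '<unset>'}'")
    if not cfg.get("trustanchor"):
        findings.append("no TrustAnchor configured; at least one trust anchor is required")
    rev = _as_list(cfg, "revocationcheckorder")
    if "none" in rev:
        findings.append("RevocationCheckOrder must not include 'none'")
    if not [v for v in rev if v != "none"]:
        findings.append("RevocationCheckOrder must name at least one revocation method")
    if "windows" in _as_list(cfg, "certsearchorder"):
        findings.append("CertSearchOrder must not include 'windows'")
    return findings

# Constructed sample of a non-compliant pki_config (values are placeholders).
SAMPLE_BAD = """
EnforceDODPKI = no
FipsMode = yes
AllowVers1 = yes
TrustAnchor = myTrustedCA.cer
CertSearchOrder = local, windows, certserver
RevocationCheckOrder = none, ocsp
"""
```

Calling check_dod_settings(SAMPLE_BAD) reports four findings for the constructed sample; run it against your own pki_config before enabling the service.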
Configuring Micro Focus Products to Use PKI Services Manager for Certificate Authentication
After PKI Services Manager is correctly configured, you must also configure the Reflection products that use PKI Services Manager for certificate authentication. For details, search on "PKI Services Manager" in the product documentation.
Private Key Safeguards
If a client private key is stolen, a malicious user can gain access to files on any servers accessible to that user. If a server private key is stolen, a malicious user can use this key to accomplish an impersonation attack, in which another server poses as your host. Use the following guidelines to minimize these risks.
Protecting private keys on the client:
- Each client user should always protect his or her private key with a passphrase. This ensures that only someone who knows the passphrase can authenticate with that key.
- Users should create and protect passphrases following the specifications for password length and complexity in your organization's Security Policy.
- File permissions on the private key should be set so that only the user has access to the key.
Protecting private keys on the server:
- Micro Focus servers enforce permissions on server private keys to ensure that only the server administrator has access to private keys. If key permissions are altered in a way that allows other users access, the server resets the correct permissions and logs a warning. If you see this warning, you should investigate to determine the cause.
Actions to Take if a Key is Compromised
Consider a private key compromised if it has become available to any unauthorized entity, or if you have reason to distrust the actions of any person who has access to the key.
If a private key is compromised, revoke the client certificate.
To replace a compromised key:
- Obtain a new private key and certificate.
- Replace the compromised key, and update the PKI Services Manager client application to authenticate using the new key.
To remove the compromised key:
- Remove the key from the local store using a DOD-approved file erasure utility.
- If the original file containing the old key and certificate (.pfx or .p12) is still on the client computer, use a DOD-approved file erasure utility to delete this file.
Using Uniform Resource Identifiers for DOD PKI Services
PKI Services Manager supports the use of URIs for automatic retrieval of updated CRL lists as defined in section 4.2.1.14 of RFC3280.
PKI Services Manager checks for certificate revocation as follows:
- Check the crl_cache for valid revocation information. If none is found, continue on to step 2.
- If CDP checking is enabled, check the CDP extension in the certificate for HTTP or LDAP URIs and query these in the order specified (first HTTP, then LDAP). If the certificate is found to be revoked, the validation fails. If the certificate is not found, continue on to step 3.
- If download from a CRL server is enabled and one or more CRL servers are configured for PKI Services Manager, assemble the Distinguished Name for the CA listed in the Issuer extension of the certificate and query for the CRL file. If the certificate is not found to be revoked in any CRL, continue to the next validation step.
Updates for expired CRLs are handled automatically, and do not require administrator intervention or configuration.
If OCSP checking is enabled, PKI Services Manager always checks all available OCSP responders to ensure that the connection will fail if any of these responders knows that the certificate has been revoked. For the connection to succeed at least one OCSP responder must be available and return a value of 'good' for the certificate status. PKI Services Manager performs these checks as follows.
- If AIA extension checking is enabled, check the AIA extension in the certificate for one or more OCSP responders and query each of those responders. If the status of the certificate comes back as 'revoked' from any responder, the validation fails.
- Check for one or more user-configured OCSP responders and query each of those responders. If the status of the certificate comes back as 'revoked' from any responder, the validation fails.
- If all responders returned 'unknown', the validation fails. If a 'good' response was returned from at least one of the queried OCSP responders, continue on to the next validation step.
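As an added illustration, not code from PKI Services Manager, the following Python models the OCSP decision rule just described: every responder from the AIA extension and the configured list is queried, one 'revoked' answer fails validation, and at least one 'good' answer is required. The OcspConfig class and the query callable are assumptions standing in for the product's real responder lookup.

```python
from dataclasses import dataclass, field

# Added example (not PKI Services Manager code): the OCSP aggregation rule
# described above, with responder answers supplied by a caller-provided
# lookup so the logic can be exercised offline with constructed responses.
@dataclass
class OcspConfig:
    aia_enabled: bool = True                       # "AIA extension checking"
    configured_responders: list = field(default_factory=list)  # OCSPResponders

def ocsp_decision(aia_responders, cfg, query):
    """Return (verdict, statuses) for the OCSP stage of revocation checking.

    aia_responders: responder URIs taken from the certificate's AIA extension.
    query(uri): returns 'good', 'revoked', 'unknown', or None if the responder
                is unavailable (assumption: caller wraps the real OCSP request).
    """
    uris = list(aia_responders) if cfg.aia_enabled else []
    uris.extend(cfg.configured_responders)
    statuses = {uri: query(uri) for uri in uris}   # query all; never short-circuit
    if any(s == "revoked" for s in statuses.values()):
        return "fail", statuses                     # any responder says revoked
    if any(s == "good" for s in statuses.values()):
        return "pass", statuses                     # at least one 'good' answer
    return "fail", statuses  # only 'unknown' or unreachable responders: fail closed

# Constructed responder answers for the demonstration; URIs are placeholders.
CONSTRUCTED = {
    "http://ocsp.example.test/aia": "good",
    "http://ocsp.example.test/configured": "unknown",
    "http://ocsp.example.test/down": None,
}

def demo_query(uri):
    return CONSTRUCTED.get(uri)

if __name__ == "__main__":
    cfg = OcspConfig(configured_responders=["http://ocsp.example.test/configured"])
    print(ocsp_decision(["http://ocsp.example.test/aia"], cfg, demo_query))
```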
Using URIs to Retrieve Intermediate Certificates
As defined in section 4.2.2.1 of RFC3280, PKI Services Manager can use URIs to retrieve intermediate CA certificates as follows:
- If the local store is enabled, check the cert_cache file for the required intermediate certificate. If it is not found, continue on to step 2.
- If AIA is enabled, and either HTTP or LDAP URIs are defined in the Authority Information Access (AIA) extension of a certificate, attempt to use these (first HTTP, then LDAP) to retrieve intermediate CA certificates.
- If download from a certificate server is enabled, one or more servers are configured in the certificate servers list, and the preceding attempts fail, assemble a Distinguished Name from the issuing certificate's Subject Name and query the defined LDAP or HTTP server for the contents of the CACertificate attribute.