Netscape Certificate Management System 6.2 Administrator's Manual: Certificate-Based Enrollment; Setting Up Certificate Based Enrollment


Certificate-Based Enrollment

Note: This feature is supported only in legacy enrollment.

CMS supports certificate-based enrollment for browser certificates. End users
can use preissued certificates to authenticate to the server in order to enroll
for certificates. The following are two deployment scenarios that explain the
usefulness of certificate-based enrollment:

You have deployed a client that can generate dual key pairs and you want to
issue dual certificates (one for signing and another for encrypting data) to your
users. You also want to make sure that users put their key materials only on
hardware tokens.
One way to achieve this would be to initialize hardware tokens in bulk and
preload them with dual certificates issued by CMS for dual key pairs. You
generate these certificates with some generic-looking common names, for
example, hardwaretoken1234. This way, there's no one-to-one relation
between users and the hardware tokens initially. Once the tokens are ready,
you make them available to users by some means. Basically, a user can get and
use any pre-initialized and certificate-loaded hardware token.

Next, each user uses the randomly-picked token to enroll for a pair of
certificates that have a subject name derived from their LDAP attribute values;
the certificates will be issued for the existing key pairs preloaded into the
token, but now the key pairs will be associated with the user's identity.

You want users to use the signing certificate already in their possession to
get an encryption certificate.

For example, assume you have deployed CMS and have issued single
certificates (for single key pairs) to users. Recently, you deployed a client
application that is capable of generating dual key pairs. Your CMS installation
includes the Data Recovery Manager, but you weren't using it until now
because you didn't have clients that were capable of generating dual key pairs.
Now, you want your users to use their signing certificates as authentication
tokens to request another certificate that they'll use for encrypting data.

Setting Up Certificate Based Enrollment

General guidelines to set up certificate-based enrollment are as follows:

Customize the enrollment form you want your users to use for enrollment.
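The hardware-token scenario above, as an added example that is not from the CMS manual: a token holds a key pair and a generic pre-issued certificate (CN=hardwaretoken1234); enrollment first authenticates that certificate against the issuing CA, then issues a certificate for the same public key with a subject built from LDAP attributes. The CA, the token key, and the LDAP values (uid, cn, mail) are all constructed for the demo, and the issuance is done with plain OpenSSL rather than a CMS server.

```shell
# Added example, not from the CMS manual. Models the hardware-token scenario:
# a token holds a key pair and a generic pre-issued certificate
# (CN=hardwaretoken1234); enrollment authenticates that certificate against
# the issuing CA and then issues a certificate for the SAME public key with a
# subject built from (constructed) LDAP attributes.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Issuing CA, self-signed for this demo.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/O=Example Corp/CN=Demo CA" -days 30 >/dev/null 2>&1

# Bulk token initialisation: key pair plus a generic certificate from the CA.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out token.key >/dev/null 2>&1
openssl req -new -key token.key -subj "/CN=hardwaretoken1234" \
  -out generic.csr >/dev/null 2>&1
openssl x509 -req -in generic.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out generic.crt -days 30 >/dev/null 2>&1

# enroll PRESENTED_CERT TOKEN_KEY UID CN EMAIL -> writes user.crt
# 1. Authentication: the presented certificate must chain to the CA.
# 2. Issuance: a CSR signed by the existing token key (proof of possession),
#    with the subject taken from the user's LDAP values.
enroll() {
  openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1 || return 1
  openssl req -new -key "$2" -subj "/UID=$3/CN=$4/emailAddress=$5" \
    -out user.csr >/dev/null 2>&1
  openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out user.crt -days 30 >/dev/null 2>&1
}

# Succeeds when both certificates carry the same public key (key pair unchanged).
same_public_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Subject line of a certificate, used to check the LDAP-derived CN.
cert_subject() { openssl x509 -in "$1" -noout -subject; }

# Constructed LDAP record for the user who picked up this token.
enroll generic.crt token.key jdoe "Jane Doe" jdoe@example.com
same_public_key generic.crt user.crt && cert_subject user.crt
```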
Certificate-Based Enrollment    Chapter 9    Authentication    407