End Entity Certificate

Processes used in issuing an End Entity Certificate

A standard process for issuing an end entity certificate involves the following stages:

- Using the Digi-CA™ RAMC, the Administrator initiates a certificate invitation email message that is sent to the intended recipient (user)

- The recipient (user) enters the online certificate application form using the URL provided in the invitation email message;

- The user completes the online certificate application form by providing personal information such as:

- A key pair (private and public key) and a PKCS#10 Certificate Signing Request [CSR] are generated on the user's PC using a local Cryptographic Service Provider [CSP] engine installed on the user's computer. This can be either the built-in Microsoft CryptoAPI software engine or a hardware USB token or smart card CSP engine;

- Using the HTTP POST method over SSL/TLS, all the user data is transferred securely to the RA [Registration Authority] Server;

- The system Administrator/Validations Officer verifies and validates the user's application data and, depending on the content of the application, it is either approved or rejected;

- If the certificate application is approved, the application data is passed to the Certificate Engine core server and the CSR is signed by the Certification Authority certificate;

- The Certificate Engine core server generates a unique key/PIN number and sends a certificate activation email message to the end user. The message contains a URL to activate and install the certificate;

- The recipient (user) opens the certificate activation screen from the URL provided in the certificate activation email and completes the installation of the certificate by clicking the installation button on the screen;

- The certificate is collected directly from the certificate directory via a background TCP/IP connection and installed on the user's PC using the CSP engine chosen at the time of the certificate application;

- The user may now use the certificate.

End entity certificates are requested by using the online certificate application form or by the Administrator (on the user's behalf) using the Digi-CA™ RAMC.

From the Digi-CA™ Control Centre, all certificate requests are entered into the database either on an individual basis, using a batch upload file, or automatically, depending on the Class of Digi-CA™ you are using. Similarly, all requests for end entity certificates are accepted, rejected or deferred either manually or automatically, depending on the Class of Digi-CA™ you own, using the RAMC console of the Digi-CA™.

The Digi-CA™ system automatically generates a Certificate Signing Request [CSR] if the requesting party did not already supply one and then generates the end entity certificate. The generation is done in batch processes according to schedules set in crontab. The default is to run the process every hour.

Digi-CA™ the complete Certificate Authority [CA] system

After generation, the certificate is activated at the user's PC, or it can be delivered by email as a .p12 file. The certificate can be stored on the PC or on any suitable media such as a Digi-Card™ or a Digi-Token™. Similarly, the Administrator can pre-install the certificate on the Digi-Card™ or Digi-Token™ prior to dispatch. This is particularly convenient where the Administrator wants 'Zero Touch' at the user's location.
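The issuance stages listed above (local key pair and PKCS#10 CSR, RA-side CSR check, signing by the CA, verification on collection) and the .p12 delivery option, modelled with the openssl CLI. This is an added example and not Digi-CA code; the CA, the subject name, the working directory and the .p12 password are constructed placeholders, and the script assumes the openssl command is installed.

```shell
# Added example, not Digi-CA code. Assumes the openssl CLI is installed;
# the CA, subject name, working directory and password are constructed placeholders.
WORK="${TMPDIR:-/tmp}/ee-cert-demo.$$"
mkdir -p "$WORK"

# CA side, done once: a self-signed CA certificate stands in for the Certification Authority.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# User side: key pair and PKCS#10 CSR are generated locally (the software-CSP case).
# Only the CSR is sent to the RA; the private key never leaves the PC.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice@example.test" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
}

# RA side: a CSR carries a self-signature over its own contents, so check it
# before the Validations Officer reviews the application data.
verify_csr() {
  openssl req -in "$WORK/user.csr" -verify -noout 2>/dev/null
}

# Certificate Engine: sign the approved CSR with the CA key, producing the end entity certificate.
issue_cert() {
  openssl x509 -req -days 90 -in "$WORK/user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/user.crt" 2>/dev/null
}

# User side after collection: the certificate must chain to the CA and its public key
# must match the locally held private key (otherwise the wrong certificate was delivered).
verify_issued() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/user.crt" >/dev/null 2>&1 || return 1
  [ "$(openssl pkey -in "$WORK/user.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$WORK/user.crt" -pubkey -noout 2>/dev/null)" ]
}

# Alternative delivery: bundle key and certificate as a password-protected .p12 file,
# then confirm the bundle opens with that password (constructed password, demo only).
export_p12() {
  openssl pkcs12 -export -inkey "$WORK/user.key" -in "$WORK/user.crt" \
    -out "$WORK/user.p12" -passout pass:demo-only 2>/dev/null &&
  openssl pkcs12 -in "$WORK/user.p12" -passin pass:demo-only -noout 2>/dev/null
}

run_demo() {
  make_ca && make_csr && verify_csr && issue_cert && verify_issued && export_p12
}

run_demo && echo "issued: $WORK/user.crt"
```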

The method of distribution is set in the database at the time of the validation. The default is that certificates are distributed over the web, with the certificate holder getting an email containing a one-time password needed to pick it up.

If the billing module is installed, it is updated with the certificate information, which is then passed on to your billing system.