2. Registration Authority

This section describes the registration authority interface to the OpenCA PKI. From these screens an RA Administrator can manage certificate requests, view certificate information and manage the RA server.

The user is first asked to authenticate to the RA. Depending on the configuration, this may require no authentication, a username and password, or a certificate.

Each of the headings below corresponds to a tab across the top of the default RA screens.

2.1. General

2.1.1. Server Management

Pressing this link takes the user to the RA Node interface. From here the RA user can control data flow to and from the RA.

2.1.2. LDAP Admin

Pressing this link takes the user to the LDAP Administration interface. From here the RA user can control the import and deletion of data from the LDAP Directory (if it is configured).

2.1.3. Logout

Pressing this link logs the user out of the interface.

2.2. Active CSRs

This tab lists functions that can be performed on Active Certificate Signing Requests, i.e. requests from users for a certificate.

2.2.1. New

This link shows new CSRs at a specific Registration Authority with a certain Level of Assurance (as specified by the user at certificate request time). The RA Operator chooses the RA and LoA.

The screen shows all the new CSRs.

Each one of the requests must be processed in turn. By clicking the serial number of the request the operator is presented with the details of the request. Four options are then available to the RA Operator:

2.2.1.1.  Edit Request

Pressing this button allows the RA User to edit the details of the request. The editable fields are: Subject alternative name (this usually defaults to the supplied email address, but can contain other fields), Subject (or the DN) and Role (or certificate type).

2.2.1.2.  Approve and Sign Request

Pressing this button allows the RA User to approve the request and use a certificate to sign this approval. Upon pressing the button the RA User is presented with a list of certificates with which to sign the request approval. Note, if the requests are going to be processed on the CA as a batch process, then each request must be signed with a valid RA certificate (signed by the certificate authority).

2.2.1.3.  Approve Request without Signing

Pressing this button approves the request. Note, this can potentially be dangerous, as the CA Administrator will have to make a trust decision about whether to process the request. If the approved request was signed by a valid RA cert then this decision is unnecessary.

2.2.1.4.  Delete Request

Pressing this button deletes the request from the system.

2.2.2. Renewed

This screen displays any renewed certificate signing requests. The list of options is the same as for the "New" function.

2.2.3. Pending (be processed already)

This screen displays CSRs that have already been processed.

2.2.4. Waiting for additional signature

In some circumstances CSRs require two signatures; those requests are displayed here. The functionality is the same as for "New" requests.

2.3. Active CRRs

A user can initiate their own certificate revocation or it can be initiated by an RA Operator. This screen shows Certificate Revocation Requests in various states.

2.3.1. New

This section shows new certificate revocation requests. The RA Operator can process them by clicking on the CRR serial number.

2.3.1.1.  Approve and Sign Request

Pressing this button allows the RA User to approve the revocation request and use a certificate to sign this approval. Upon pressing the button the RA User is presented with a list of certificates with which to sign the request approval. Note, if the requests are going to be processed on the CA as a batch process, then each request must be signed with a valid RA certificate (signed by the certificate authority).

2.3.1.2.  Approve Request without Signing

Pressing this button approves the revocation request. Note, this can potentially be dangerous, as the CA Administrator will have to make a trust decision about whether to process the request. If the approved request was signed by a valid RA cert then this decision is unnecessary.
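
Added example (not part of the OpenCA guide or code base): the trust decision described for CSR approvals in 2.2.1 and for CRR approvals here, reduced to a check a CA administrator could run before batch processing. It assumes approvals are exported as S/MIME (PKCS#7) signed files, which this guide does not specify; check_approval, triage_batch, make_demo and all file names are hypothetical.

```shell
# Added example: CA-side gate before batch-processing RA approvals.
# Every key, certificate and request below is constructed for the demo.

# Exit 0 only if $1 is an S/MIME-signed file whose signer chains to CA cert $2.
check_approval() {
    openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null
}

# Print PROCESS or HOLD per file; HOLD means a manual trust decision is needed.
triage_batch() {
    ca=$1; shift
    for f in "$@"; do
        if check_approval "$f" "$ca"; then verdict=PROCESS; else verdict=HOLD; fi
        echo "$verdict $(basename "$f")"
    done
}

# Build a throwaway CA, an RA cert issued by it, an outsider, and three approvals.
make_demo() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo RA Operator" \
        -keyout "$d/ra.key" -out "$d/ra.csr" 2>/dev/null
    openssl x509 -req -in "$d/ra.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/ra.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Outsider" \
        -keyout "$d/out.key" -out "$d/out.pem" 2>/dev/null
    printf 'APPROVE request serial=1001 (constructed)\n' > "$d/req.txt"
    # Approved and signed with the RA certificate.
    openssl smime -sign -in "$d/req.txt" -signer "$d/ra.pem" -inkey "$d/ra.key" \
        -out "$d/signed_by_ra.p7" 2>/dev/null
    # Approved without signing.
    cp "$d/req.txt" "$d/unsigned.txt"
    # Signed, but by a certificate the CA never issued.
    openssl smime -sign -in "$d/req.txt" -signer "$d/out.pem" -inkey "$d/out.key" \
        -out "$d/signed_by_outsider.p7" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
triage_batch "$demo_dir/ca.pem" "$demo_dir/signed_by_ra.p7" \
    "$demo_dir/unsigned.txt" "$demo_dir/signed_by_outsider.p7"
```

Only the approval signed with the CA-issued RA certificate is marked PROCESS; the unsigned approval and the one signed by an unrelated certificate are held for a manual decision.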

2.3.1.3.  Delete Request

Pressing this button deletes the revocation request from the system.

2.3.2. Pending (be processed already)

This section shows CRRs that have been approved and exported to the CA.

2.3.3. Waiting for additional signature

Some CRRs require two signatures before they can be processed; these are displayed here. The RA Operator processes them like "New" requests.

2.4. Information

This tab gives the RA Operator a different view of CSRs, CRRs, User certificates, CA certificates and CRLs.

2.4.1. Certificate Requests

This link displays the user-submitted requests and enables the RA Administrator to process them.

The following lists of certificate requests can be displayed.

  • New

  • Renewed

  • Pending

  • Signed (waiting for additional signature)

  • Approved

  • Archived

  • Deleted

2.4.2. Revocation Requests

This link displays the user-submitted revocation requests and enables the RA Administrator to process them.

The following lists of certificate revocation requests can be displayed.

  • New

  • Pending

  • Signed (waiting for additional signature)

  • Approved

  • Archived

  • Deleted

2.4.3. Certificates

This link displays information about certificates in the PKI.

The following lists of certificates can be displayed.

  • Valid

  • Expired

  • Suspended

  • Revoked

2.4.4. CA Certificates

This link displays information about CA certificates in the PKI.

The following lists of CA certificates can be displayed.

  • Valid

  • Expired

2.4.5. CRLs

This link displays information about CRLs in the PKI.

The following lists of CRLs can be displayed.

  • All

2.5. Utilities

This section contains RA Operator utilities.

2.5.1. Search Certificate

This allows the RA Operator to search for a specific certificate based on Name, Email, DN or Role.

2.5.2. Search CSR

This allows the RA Operator to search for a specific certificate signing request based on Name, Email, DN or Role.

2.5.3. Warn Expiring Certificates

This allows the RA Operator to search for certificates expiring in the next "N" days (default 31).