CS-Novidy’s TrustyKey PKI

Prerequisites

  • A technical account must be created in TrustyKey.

  • This technical account must have permissions to enroll and revoke SSL certificates on the desired certificate profiles.

  • An authentication certificate and a signature certificate must be issued for this account and exported as PKCS#12 files (with their private keys); both are imported in the Authentication tab of the connector.

Limitations

  • Only the following fields are managed: commonName (mapped as mail_lastname), contactEmail (as mail_email), OU (as org_unit), O (as corp_company), C (as country), UID (as employeeID), and the subjectAltName DNS and msUPN entries.

  • For multi-valued fields (SAN DNS), if more values are provided than the number configured in TrustyKey for the given PGC, the extra values are ignored rather than rejected, so the issued certificate can carry fewer SAN DNS entries than were requested.

  • The connector also inherits all limitations of the TrustyKey CMP Connector.

Create the PKI connector

1. Log in to Horizon Administration Interface.

2. Access PKI from the drawer or card: PKI > PKI Connectors.

3. Click on the Add icon.

4. Select the PKI type CS-Novidy’s TrustyKey.

5. Click on the next button.

General tab

6. Fill in the common mandatory fields:

  • Connector Name* (string input):
    Choose a meaningful name that identifies the mapping between the PKI and the Certificate Profile. It must be unique and must not contain spaces.

  • Proxy (string select):
    If the PKI is not directly reachable from Horizon, select an HTTP/HTTPS proxy through which the traffic is forwarded.

  • PKI Queue (string select):
    The PKI Queue used to manage the PKI Requests (enrollment, revocation).

  • Timeout (finite duration):
    Maximum time Horizon waits for a response from the PKI; once it has elapsed without a response, Horizon stops trying to communicate for that request. Must be a valid finite duration.

7. Click on the next button.

Details tab

8. Fill in all mandatory fields:

  • API endpoint URL* (string input):
    URL to access the CS-Novidy’s TrustyKey web service.

  • PGC* (string input):
    Enter the name of the TrustyKey PGC to be used.

  • TrustyKey PKI server DN* (string input):
    Enter the DN of the TrustyKey PKI server, written starting from the CN component.

  • TrustyKey PKI server Certificate* (string input):
    Paste the PEM-encoded certificate of the CA that issues the certificates.

  • CN mapping (string input):
    Enter a CN to be mapped.

  • Email mapping (string input):
    Enter an email address or domain to be mapped.

  • SAN DNS mapping (string input):
    Enter a SAN DNS to be mapped.

  • Profile mapping (string input):
    Enter a profile to be mapped.

  • Issuer mapping (string input):
    Enter an issuer to be mapped.

  • Legacy CMP Style (boolean):
    Choose whether to use the legacy CMP style.

9. Click on the next button.

Authentication tab

10. Fill in the PKI-authentication fields:

  • Authentication PKCS#12* (import p12):
    Import the PKCS#12 file containing the authentication certificate and its private key, used to authenticate to the PKI.

  • PKCS#12 Password* (string input):
    Enter the password used to secure the aforementioned PKCS#12.

  • Signer PKCS#12* (import p12):
    Import the PKCS#12 file containing the signature certificate and its private key, used to sign the CMP messages.

  • Signer certificate password* (string input):
    Enter the password used to secure the aforementioned PKCS#12.

11. Click on the save button.

You can edit, duplicate or delete the CS-Novidy’s TrustyKey PKI connector.
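The material this connector consumes can be checked before it is entered in the UI: the two PKCS#12 files from the Prerequisites and the Authentication tab (do they open with the password, do they hold exactly one private key, does that key match the certificate, is the certificate still valid), and the server DN of the Details tab, which must be written starting from the CN. The script below is an added example and is not part of the Horizon or TrustyKey documentation. It relies on the openssl command line only and builds its own demo CA and demo technical-account PKCS#12; the file names, the password "changeit" and the DNs it uses are constructed placeholders, not values from a real TrustyKey deployment.

```shell
#!/bin/sh
# Added example, not part of the Horizon or TrustyKey documentation.
# Pre-flight checks, with openssl, on what the TrustyKey connector needs:
#   - an Authentication or Signer PKCS#12: opens with the password, holds
#     exactly one private key, key matches the certificate, not expired;
#   - the "TrustyKey PKI server DN" written starting from the CN, read from
#     the PEM CA certificate that the Details tab also asks for.
# File names, passwords and DNs below are demo placeholders.

# Keep only the first PEM block of a stream. openssl pkcs12 prints
# "Bag Attributes" lines before each key or certificate; drop them.
first_pem_block() {
    sed -n '/^-----BEGIN/,/^-----END/p' | sed '/^-----END/q'
}

# p12_check FILE PASSWORD -> 0 if FILE is a usable client PKCS#12, else 1
p12_check() {
    file=$1; pass=$2
    # 1. The file must open with this password (MAC check and decryption).
    bundle=$(openssl pkcs12 -in "$file" -passin "pass:$pass" -nodes 2>/dev/null) || return 1
    # 2. Exactly one private key: without it nothing can authenticate or sign,
    #    with several the connector could pick the wrong one.
    nkeys=$(printf '%s\n' "$bundle" | grep -c -- '-----BEGIN .*PRIVATE KEY-----' || true)
    [ "$nkeys" -eq 1 ] || return 1
    # 3. The end-entity certificate (-clcerts) must belong to that key:
    #    compare the SubjectPublicKeyInfo derived from each side.
    key_pub=$(openssl pkcs12 -in "$file" -passin "pass:$pass" -nodes -nocerts 2>/dev/null \
        | first_pem_block | openssl pkey -pubout 2>/dev/null) || return 1
    cert=$(openssl pkcs12 -in "$file" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
        | first_pem_block) || return 1
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] || return 1
    # 4. Not expired (checkend 0): an expired client certificate would make
    #    every CMP exchange fail after the connector is saved.
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1
}

# cert_subject_dn PEMFILE -> subject DN in RFC 2253 order, i.e. starting
# from the CN, which is how the "TrustyKey PKI server DN" field wants it.
cert_subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null | sed 's/^subject= *//'
}

# make_demo_fixtures DIR -> writes a demo CA (ca.pem) and a demo technical
# account PKCS#12 (auth.p12, password "changeit") into DIR.
# Constructed test data only; a real deployment uses TrustyKey-issued files.
make_demo_fixtures() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/C=FR/O=Example/CN=TrustyKey Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/C=FR/O=Example/CN=horizon-tech-account" \
        -keyout "$dir/auth.key" -out "$dir/auth.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/auth.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 2 -out "$dir/auth.pem" >/dev/null 2>&1 || return 1
    # The CA certificate is bundled too (-certfile); -clcerts above still
    # selects only the end-entity certificate that carries the key.
    openssl pkcs12 -export -inkey "$dir/auth.key" -in "$dir/auth.pem" \
        -certfile "$dir/ca.pem" -name horizon-auth \
        -passout pass:changeit -out "$dir/auth.p12" >/dev/null 2>&1
}

# Stand-alone usage: `sh p12_precheck.sh demo` builds the demo material in a
# temporary directory, runs the checks and prints the DN to paste into Horizon.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_demo_fixtures "$tmp"
    if p12_check "$tmp/auth.p12" changeit; then echo "auth.p12: OK"; else echo "auth.p12: REJECTED"; fi
    if p12_check "$tmp/auth.p12" wrong; then echo "wrong password: ACCEPTED (bug)"; else echo "wrong password: rejected"; fi
    echo "TrustyKey PKI server DN to enter: $(cert_subject_dn "$tmp/ca.pem")"
    rm -rf "$tmp"
fi
```

Run p12_check once against the Authentication PKCS#12 and once against the Signer PKCS#12, each with its own password; a file that fails step 2 is typically a certificate-only export and will be refused or unusable once imported, and a mismatch in step 3 means the certificate and key in the bundle were not issued together. The DN printed by cert_subject_dn is in RFC 2253 order, so it already begins with the CN as the Details tab requires; if the TrustyKey server certificate you received is in another format, convert it to PEM first.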