OpenTrust PKI

Prerequisites

  • A certificate profile should be created.

  • An authentication certificate should be issued for Horizon, and it should be given certificate issuance and revocation permissions on the aforementioned certificate profile.

Limitations

  • Only the following fields are managed: commonName, userID, serialNumber, organizationalUnit, organization, country, adminEmail or contactEmail, msCertTemplateName and subjectAltNames DNS, IPadress, RFC822Name, msUPN and msGUID.

  • For multi-valued fields (SAN DNS, IP address and RFC822Name), if more data items are provided than configured in OTPKI 'certificate template name', the exceeding items will be ignored.

  • All limitations induced by the use of the RA SOAP Connector.

Create the PKI connector

1. Log in to Horizon Administration Interface.

2. Access PKI from the drawer or card: PKI  PKI Connectors.

3. Click on Add icon.

4. Select the correct PKI type.

5. Click on the next button

General tab

6. Fill in the common mandatory fields:

  • Connector Name* (string input):
    Choose a meaningful connector name allowing to identify the mapping between the PKI and the Certificate Profile. It must be unique and must not contain spaces.

  • Proxy (string select):
    If the PKI is not directly reachable from Horizon, you can set up an HTTP/HTTPS proxy to properly forward the traffic.

  • PKI Queue (string select):
    The PKI Queue used to manage the PKI Requests (enrollment, revocation).

  • Timeout (finite duration):
    Represents a predefined interval of time without a PKI response, when the time has passed "Horizon" will cease trying to establish the communication. Must be a valid finite duration.

7. Click on the next button

Details tab

8. Fill in all mandatory fields:

  • OTPKI RA Connector URL* (string input):
    Must point to the "RA" connector URL.

  • OTPKI Certificate template name* (string input):
    The OTPKI certificate template to use.

  • OTPKI zone (string input):
    Specify a zone (if used).

  • Contact email mapping (string input):
    Allows to change the default fields names accordingly to certificate profiles.

  • SAN DNS mapping (string input):
    Allows to change the default fields names accordingly to certificate profiles.

  • SAN Email mapping (string input):
    Allows to change the default fields names accordingly to certificate profiles.

  • UID mapping (string input):
    Allows to change the default fields names accordingly to certificate profiles.

9. Click on the next button.

Authentication tab

10. Fill in the PKI-authentication fields:

  • Authentication PKCS#12* (import p12):
    Import the PKCS#12 file containing the authentication certificate used to connect to the PKI.

  • PKCS#12 Password* (string input):
    Enter the password used to secure the aforementioned PKCS#12.

11. Click on the save button.

You can edit Edit PKI, duplicate Duplicate PKI or delete Delete PKI the OpenTrust PKI connector.