CS-Novidy’s TrustyKey PKI

Prerequisites

  • A technical account must be created on the TrustyKey PKI.

  • This technical account must have permissions to enroll and revoke SSL certificates on the desired certificate profiles.

  • An authentication certificate and a signature certificate must be issued for this account and exported as PKCS#12 files.

Limitations

  • Only the following fields are managed: commonName (as mail_lastname), contactEmail (as mail_email), OU (as org_unit), O (as corp_company), C (as country), UID (as employeeID), and the subjectAltName DNS and msUPN entries. Any other subject attribute or SAN type in the request is not forwarded to TrustyKey.

  • For multi-valued fields (SAN DNS), if more values are provided than are configured in TrustyKey for the given PGC, the extra values are ignored. The issued certificate can therefore carry fewer SAN DNS entries than were requested, so check the returned certificate rather than assuming the request was honored in full.

  • All limitations inherent to the TrustyKey CMP Connector also apply.
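The two limitations above are easy to trip over silently: a request that contains an unmanaged subject attribute or too many SAN DNS entries is accepted, but the resulting certificate does not match what was asked for. The following Python is an added illustration, not Horizon or TrustyKey code. It models the field mapping exactly as listed above and the per-PGC SAN DNS limit, and reports which parts of a request would not reach TrustyKey. The PGC limit (3), the attribute names used for the SAN entries (`SAN:DNS`, `SAN:msUPN`) and the sample request are constructed values for the example.

```python
"""Pre-flight check for a TrustyKey enrollment request (illustration only).

Models two documented limitations of the connector:
  * only a fixed set of subject fields and SAN types are forwarded, under
    TrustyKey attribute names;
  * SAN DNS values beyond the number configured for the PGC are ignored.
The PGC limit and the sample request below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Horizon DN attribute -> TrustyKey attribute name, as listed in the Limitations section.
DN_ATTRIBUTE_MAP = {
    "CN": "mail_lastname",
    "OU": "org_unit",
    "O": "corp_company",
    "C": "country",
    "UID": "employeeID",
}
# contactEmail is not a DN component; it is forwarded as mail_email.
EMAIL_ATTRIBUTE = "mail_email"
# SAN types the connector manages. The "SAN:" key prefix is an assumption of this
# example; the page does not name the TrustyKey-side attribute for SAN entries.
MANAGED_SAN_TYPES = {"DNS", "msUPN"}


@dataclass
class MappingResult:
    attributes: Dict[str, List[str]]  # what will actually reach TrustyKey
    dropped_dn: List[str]             # DN components the connector does not manage
    dropped_san: List[str]            # SAN entries not forwarded (unmanaged type or over limit)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514-style DN into (TYPE, value) pairs, honoring '\\,' escapes."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                            # unescaped comma ends the RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        if rdn.strip():
            attr_type, _, value = rdn.partition("=")
            pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def map_request(dn: str, contact_email: Optional[str],
                sans: List[Tuple[str, str]], pgc_san_dns_limit: int) -> MappingResult:
    """Apply the connector's field mapping and the PGC SAN DNS limit to one request."""
    attrs: Dict[str, List[str]] = {}
    dropped_dn: List[str] = []
    dropped_san: List[str] = []
    for attr_type, value in parse_dn(dn):
        key = DN_ATTRIBUTE_MAP.get(attr_type)
        if key is None:
            dropped_dn.append(f"{attr_type}={value}")
        else:
            attrs.setdefault(key, []).append(value)
    if contact_email:
        attrs[EMAIL_ATTRIBUTE] = [contact_email]
    dns_kept = 0
    for san_type, value in sans:
        if san_type not in MANAGED_SAN_TYPES:
            dropped_san.append(f"{san_type}:{value}")
            continue
        if san_type == "DNS":
            if dns_kept >= pgc_san_dns_limit:     # beyond the PGC limit: TrustyKey ignores it
                dropped_san.append(f"DNS:{value}")
                continue
            dns_kept += 1
        attrs.setdefault(f"SAN:{san_type}", []).append(value)
    return MappingResult(attrs, dropped_dn, dropped_san)


# Constructed sample request: one escaped comma in the CN, an unmanaged L= attribute,
# four SAN DNS entries against a PGC configured for three, and an unmanaged IP SAN.
SAMPLE_DN = "CN=Doe\\, Jane,UID=E12345,OU=Platform,O=Example Corp,L=Paris,C=FR"
SAMPLE_SANS = [("DNS", "app.example.com"), ("DNS", "api.example.com"),
               ("DNS", "admin.example.com"), ("DNS", "legacy.example.com"),
               ("msUPN", "jdoe@example.com"), ("IP", "192.0.2.10")]
PGC_SAN_DNS_LIMIT = 3


def check_sample() -> MappingResult:
    return map_request(SAMPLE_DN, "jane.doe@example.com", SAMPLE_SANS, PGC_SAN_DNS_LIMIT)


if __name__ == "__main__":
    result = check_sample()
    for name, values in result.attributes.items():
        print(f"forwarded  {name}: {values}")
    for item in result.dropped_dn + result.dropped_san:
        print(f"NOT SENT   {item}")
```

Run as a script it lists what would be forwarded and flags `L=Paris`, the fourth DNS name and the IP SAN as not sent; fail the request at this point rather than discovering the gap in the issued certificate.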

Create the PKI connector

1. Log in to Horizon Administration Interface.

2. Access PKI from the drawer or card: PKI > PKI Connectors.

3. Click on the Add icon.

4. Select the correct PKI type.

5. Click on the next button.

General tab

6. Fill in the common mandatory fields:

  • Connector Name* (string input):
    Choose a meaningful connector name that identifies the mapping between the PKI and the Certificate Profile. It must be unique and must not contain spaces.

  • Proxy (string select):
    If the PKI is not directly reachable from Horizon, you can set up an HTTP/HTTPS proxy to properly forward the traffic.

  • PKI Queue (string select):
    The PKI Queue used to manage the PKI Requests (enrollment, revocation).

  • Timeout (finite duration):
    Maximum time Horizon waits for a response from the PKI. Once it has elapsed without a response, Horizon stops trying to establish the communication and the request fails. Must be a valid finite duration.

7. Click on the next button.

Details tab

8. Fill in all mandatory fields:

  • API endpoint URL* (string input):
    URL to access the CS-Novidy’s TrustyKey web service.

  • PGC* (string input):
    Enter name of the PGC to be used.

  • TrustyKey PKI server DN* (string input):
    Enter the DN of the TrustyKey PKI server, starting from the CN.

  • TrustyKey PKI server Certificate* (string input):
    Enter the PEM-encoded certificate of the CA that issues the certificates.

  • CN mapping (string input):
    Enter a CN to be mapped.

  • Email mapping (string input):
    Enter an email address or domain to be mapped.

  • SAN DNS mapping (string input):
    Enter a SAN DNS to be mapped.

  • Profile mapping (string input):
    Enter a profile to be mapped.

  • Issuer mapping (string input):
    Enter an issuer to be mapped.

  • Legacy CMP Style (boolean):
    Choose whether to use the legacy CMP style.

9. Click on the next button.

Authentication tab

10. Fill in the PKI-authentication fields:

  • Authentication Credentials* (select):
    Select Certificate credentials containing the authentication certificate used to connect to the PKI.

  • Signer Credentials* (select):
    Select Certificate credentials containing the signature certificate used to sign the CMP messages.

11. Click on the save button.

You can edit, duplicate or delete the CS-Novidy’s TrustyKey PKI connector from the PKI Connectors list.