OpenTrust PKI

Prerequisites

  • A certificate profile should be created.

  • An authentication certificate should be issued for Horizon, and it should be given certificate issuance and revocation permissions on the aforementioned certificate profile.

Limitations

  • Only the following fields are managed: commonName, userID, serialNumber, organizationalUnit, organization, country, adminEmail or contactEmail, msCertTemplateName and the subjectAltNames DNS, IP address, RFC822Name, msUPN and msGUID.

  • For multi-valued fields (SAN DNS, IP address and RFC822Name), if more items are provided than the OTPKI certificate template (the 'Certificate template name' configured below) accepts, the extra items are ignored.

  • All limitations inherent to the RA SOAP Connector also apply.
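Because extra SAN values are dropped without any error in the issued certificate, a pre-flight check before submitting a request is worthwhile. The following helper is an added example, not Horizon or OpenTrust code; the per-type capacities in TEMPLATE_SAN_CAPACITY are a constructed assumption and must be taken from the real OTPKI template.

```python
"""Pre-flight check for the OTPKI multi-valued SAN limitation.

The RA connector keeps only as many SAN DNS / IP address / RFC822Name
items as the OTPKI certificate template is configured for and ignores
the rest. This helper reports what would be lost so the request can be
corrected before it is sent (added example, not Horizon/OTPKI code).
"""
from dataclasses import dataclass, field

# Assumed capacities (constructed); read the real values from the template
# named in the connector's 'OTPKI Certificate template name' field.
TEMPLATE_SAN_CAPACITY = {"dns": 2, "ipaddress": 1, "rfc822name": 1}


@dataclass
class SanCheck:
    accepted: dict = field(default_factory=dict)  # values the template keeps
    dropped: dict = field(default_factory=dict)   # values that would be ignored

    @property
    def ok(self) -> bool:
        return not any(self.dropped.values())


def check_san_capacity(requested: dict, capacity: dict = TEMPLATE_SAN_CAPACITY) -> SanCheck:
    """Split each multi-valued SAN list into kept and discarded items.

    Only the three multi-valued SAN types named in the Limitations are
    accepted; anything else is rejected so it is not silently passed over.
    """
    result = SanCheck()
    for san_type, values in requested.items():
        key = san_type.lower()
        if key not in capacity:
            raise ValueError(f"{san_type!r} is not a multi-valued SAN type covered by this check")
        limit = capacity[key]
        result.accepted[san_type] = list(values[:limit])
        result.dropped[san_type] = list(values[limit:])
    return result


if __name__ == "__main__":
    # Constructed request: three DNS names against a template that keeps two.
    req = {"dns": ["web.example.test", "www.example.test", "api.example.test"],
           "ipaddress": ["192.0.2.10"]}
    check = check_san_capacity(req)
    for san_type, lost in check.dropped.items():
        if lost:
            print(f"WARNING: {len(lost)} {san_type} value(s) would be ignored: {lost}")
```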

Create the PKI connector

1. Log in to Horizon Administration Interface.

2. Access PKI from the drawer or card: PKI > PKI Connectors.

3. Click on the Add icon.

4. Select the correct PKI type.

5. Click on the next button.

General tab

6. Fill in the common mandatory fields:

  • Connector Name* (string input):
    Choose a meaningful connector name that identifies the mapping between the PKI and the certificate profile. It must be unique and must not contain spaces.

  • Proxy (string select):
    If the PKI is not directly reachable from Horizon, you can set up an HTTP/HTTPS proxy to properly forward the traffic.

  • PKI Queue (string select):
    The PKI Queue used to manage the PKI Requests (enrollment, revocation).

  • Timeout (finite duration):
    The time Horizon waits for a PKI response; once it has elapsed, Horizon stops trying to establish the communication. Must be a valid finite duration.

7. Click on the next button.

Details tab

8. Fill in all mandatory fields:

  • OTPKI RA Connector URL* (string input):
    Must point to the "RA" connector URL.

  • OTPKI Certificate template name* (string input):
    The OTPKI certificate template to use.

  • OTPKI zone (string input):
    Specify a zone (if used).

  • Contact email mapping (string input):
    Lets you change the default field name to match the one used in the certificate profile.

  • SAN DNS mapping (string input):
    Lets you change the default field name to match the one used in the certificate profile.

  • SAN Email mapping (string input):
    Lets you change the default field name to match the one used in the certificate profile.

  • UID mapping (string input):
    Lets you change the default field name to match the one used in the certificate profile.

9. Click on the next button.

Authentication tab

10. Fill in the PKI-authentication fields:

  • Authentication Credentials* (select):
    Select the Certificate credentials containing the authentication certificate used to connect to the PKI.

11. Click on the save button.

You can edit, duplicate or delete the OpenTrust PKI connector.