Entrust PKI Certificate Installation

The CeRTNA ERDS and G2G web applications and the CeRTNA APEX application use Public Key Infrastructure (PKI) technology to perform user authentication, encryption, and decryption functions. These functions are dependent on PKI certificates that are issued by the Entrust Certification Authority (CA).

The Entrust certificates that are installed on your USB token and your G2G workstations use a 3-tier architecture that is structured as follows:

 Root Certificate
    Intermediate Certificate
       End User Certificate

Most of the CeRTNA End User Certificates have been distributed in the past. As a consequence, the Intermediate and Root Certificates are already installed on the end-user workstation, so existing certificates and renewed certificates typically have the correct hierarchy in place.

The following paragraphs outline the process for verifying your certificate hierarchy and optionally installing intermediate and root certificates.

Verifying PKI Certificate Installation

The certificates that are installed on your token depend on a ‘certificate chain’ in order to function properly. You can verify that the certificate chain is valid by completing the following steps with your token inserted in the USB port.

Note: Depending on your local IT security policy, you may need to contact your local IT staff to perform the following steps:

Click the Windows Start button and enter mmc.exe in the Search field.

You should see mmc.exe listed at the top of the results list.

Click mmc.exe and the following window will be displayed:

Select the File / Add-Remove snap in… menu option.

The following window is displayed:

Note: I have my Actions pane visibility turned off, so your window might contain 3 panes instead of the 2 that these screenshots show.

Select Certificates in the left panel and click the Add button.

The following window is displayed:

My user account should already be selected. (If not, select it.)

Click the Finish button. You will be returned to the following updated window:

The certificate snap-in should be shown in the right pane.

Click the OK button and the following window will be displayed:

In the left pane, click the caret that appears next to Certificates – Current User.

In the left pane, click the caret that appears next to the Personal folder.

Click the Certificates folder.

Your window should look similar to the following:

The certificates in the right pane should reflect your identity.

Double-click either certificate and the following window is displayed:

Click the Certification Path tab and the following window is displayed:

If you do not see a 3-tier certification path, your certificate installation is not complete. The most likely reason is that the Entrust Intermediate and Root certificates were not installed when you inserted the token. To resolve this issue, continue with the next section.

If your window shows the proper 3-tier certification path, you are finished with the certificate verification process and you can skip the next section entitled Entrust Intermediate & Root Certificate Installation.
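The same check can be scripted. The following PowerShell is an added example, not part of the original CeRTNA guide: it builds the certification path for every certificate in the current user's Personal store and reports how many tiers were found. Turning off revocation checking is an assumption made here so that the result reflects only whether the issuing certificates can be located.

```powershell
# Added example: the Certification Path check for every certificate in the
# current user's Personal store. Run with the token inserted.
$expectedTiers = 3   # Root -> Intermediate -> End User

Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $cert  = $_
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Assumption for this check: skip revocation lookups so the result depends
    # only on whether the issuing certificates can be found.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $null = $chain.Build($cert)

    # ChainElements runs from the end-user certificate up to the root;
    # reverse it so the path prints root first, like the hierarchy above.
    $path  = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    $flags = @($chain.ChainStatus   | ForEach-Object { $_.Status.ToString() })
    [array]::Reverse($path)

    [pscustomobject]@{
        Subject  = $cert.Subject
        Tiers    = $path.Count
        # PartialChain means an issuer could not be found, i.e. a tier is missing.
        FullPath = ($path.Count -eq $expectedTiers) -and ($flags -notcontains 'PartialChain')
        Status   = if ($flags) { $flags -join ', ' } else { 'OK' }
        Path     = $path -join ' -> '
    }
    $chain.Reset()
} | Format-List
```

A certificate reported with fewer than 3 tiers, or with a `PartialChain` status, corresponds to the incomplete certification path described above.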

Entrust Intermediate & Root Certificate Installation

Windows supports user-level certificate stores and computer-level certificate stores. If you need to manually install the Entrust Intermediate or Entrust Root certificates on your computer, CeRTNA recommends installing these certificates in the computer-level certificate store.

Depending on your IT security policy, your Windows userid may not have access to the computer-level certificate store. If this condition exists, you should install your certificate into the user-level certificate store.

Before you can install the Entrust Intermediate and Entrust Root certificates you will need to download them from the following URL:

https://www.certna.org/ErdsUI/Downloads/Entrust_Token_Root_Intermediate_Certs.zip

Once the zip file has been downloaded, unzip it to a working folder. You will have the following two files in your unzipped work folder:

  • Token_Intermediate.cer
  • Token_Root.cer

These two certificates can be installed in either the user-level certificate store or the computer-level certificate store. CeRTNA recommends installing the certificates in the computer-level store so that you will not have to repeat this process for each Windows user login on the ERDS workstation.

There are a couple of important notes here:

  • You will need Administrator level access on the CeRTNA ERDS workstation in order to install certificates into the computer-level certificate store. CeRTNA recommends contacting your local IT support to assist with this.
  • Depending on your local IT security policy, your Windows user may not have the appropriate authority to access the computer certificate store. If that is the case, then your local IT support staff can assist you with installing the certificates into the user-level certificate store.

To install the Entrust Intermediate and Entrust Root certificates, complete the following steps:

Click the Windows Start button and enter mmc.exe in the Search field.

You should see mmc.exe listed at the top of the results list.

Click mmc.exe and the following window will be displayed:

Select the File / Add-Remove snap in… menu option.

The following window is displayed:

Select Certificates in the left panel and click the Add button.

The following window is displayed:

My user account should already be selected. (If not, select it.)

Click the Finish button. You will be returned to the following updated window:

The certificate snap-in should be shown in the right pane.

Select the Certificates item in the left pane and click the Add button.

The following window is displayed:

Click the Computer account radio button to select it.

Click the Next button. The following window is displayed:

Select Local computer and click the Finish button.

You are returned to the following updated window:

Click the OK button to be returned to the following window:

I have highlighted the items we are interested in.

Verifying / Installing The Entrust Root Certificate

The first item we are interested in verifying and/or installing is the Entrust Root certificate.

Review the following window:

For each of the two certificate stores (highlighted) you should verify that you do NOT have an entry in the middle pane for ‘Entrust Managed Services Commercial Private Root CA’. (In my sample above, I have already imported my Root certificate.)

If the Trusted Root Certificate is already installed in either of these two certificate stores, you should continue on and verify/install the Intermediate certificate.

If you discover that both the Trusted Root and Intermediate certificates are already installed on your ERDS workstation but you did not see a valid 3-tier certificate path as shown in the section Verifying PKI Certificate Installation, then this is an indication of a more complex problem and you will need to contact CeRTNA support staff to address the issue.

If the ‘Entrust Managed Services Commercial Private Root CA’ certificate does not exist in the middle pane, you need to install the certificate by carefully following the steps outlined below:

Right-click the Certificates subfolder that is shown in the Certificates (Local Computer) / Trusted Root Certification Authorities path (as shown above).

Select All Tasks / Import… from the pop-up menu.

The following window is displayed:

Click the Next button. The following window is displayed:

Click the Browse button.

Locate the folder you extracted the zip file into as shown below:

Select the Token_Root.cer file and click the Open button.

The following window is displayed:

Click the Next button.

The following window is displayed:

Click the Next button.

The following window is displayed:

Click the Finish button.

A pop-up window indicating that the certificate was successfully installed should be displayed.

Click the OK button to close the pop-up window. You will be returned to the Certificates list.

Select the Certificates folder in the Local Computer / Trusted Root Certification Authorities path and you should now have an ‘Entrust Managed Services Commercial Private Root CA’ certificate in the middle pane, as shown below:

The process for verifying and importing the Entrust Intermediate certificates is essentially the same as the one just completed. The exact steps are documented in the next section.

Verifying / Installing the Entrust Intermediate Certificate

The next item we are interested in verifying and/or installing is the Entrust Intermediate Certification Authority certificate.

Review the following window:

For each of the two certificate stores (highlighted) you should verify that you do NOT have an entry in the middle pane for ‘Commercial Private Sub CA1’. (In my sample above, I have already imported my Intermediate certificate.)

If you discover that both the Trusted Root and Intermediate certificates are already installed on your ERDS workstation but you did not see a valid 3-tier certificate path as shown in the section Verifying PKI Certificate Installation, then this is an indication of a more complex problem and you will need to contact CeRTNA support staff to address the issue.

If the ‘Commercial Private Sub CA1’ certificate does not exist in the middle pane, you need to install the certificate by carefully following the steps outlined below:

Right-click the Certificates subfolder that is shown in the Certificates (Local Computer) / Intermediate Certification Authorities path (as shown above).

Select All Tasks / Import… from the pop-up menu.

The following window is displayed:

Click the Next button. The following window is displayed:

Click the Browse button.

Locate the folder you extracted the zip file into as shown below:

Select the Token_Intermediate.cer file and click the Open button.

The following window is displayed:

Click the Next button.

The following window is displayed:

Click the Next button.

The following window is displayed:

Click the Finish button.

A pop-up window indicating that the certificate was successfully installed should be displayed.

Click the OK button to close the pop-up window. You will be returned to the Certificates list.

Select the Certificates folder in the Local Computer / Trusted Root Certification Authorities path and you should now have a ‘Commercial Private Sub CA1’ certificate in the middle pane, as shown below:

Once you have completed this process, you can return to the section Verifying PKI Certificate Installation and re-verify that your three-tier certification path is displaying correctly. If the three-tier path is still not displaying correctly, you will need to contact CeRTNA support for additional assistance.
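The store check and import described in the two sections above can also be done from an elevated PowerShell prompt. This is an added example, not a CeRTNA-supplied script; the working folder path is an assumption, and it assumes the display names quoted in this guide appear in each certificate's Subject.

```powershell
# Added example, not CeRTNA's script. Run from an elevated PowerShell prompt.
$workFolder = 'C:\Temp\EntrustCerts'   # assumption: where the zip was extracted

# Display names from this guide, the file that carries each certificate, and the
# store it belongs in (Root = Trusted Root CAs, CA = Intermediate CAs).
$targets = @(
    @{ Name = 'Entrust Managed Services Commercial Private Root CA'; File = 'Token_Root.cer'; Store = 'Root' }
    @{ Name = 'Commercial Private Sub CA1'; File = 'Token_Intermediate.cer'; Store = 'CA' }
)

foreach ($t in $targets) {
    # Same check as the MMC steps: look in the computer-level and user-level stores.
    $found = @(foreach ($scope in 'LocalMachine', 'CurrentUser') {
        Get-ChildItem -Path "Cert:\$scope\$($t.Store)" |
            Where-Object { $_.Subject -like "*$($t.Name)*" }
    })
    if ($found.Count -gt 0) {
        Write-Host "$($t.Name): already installed, thumbprint $($found[0].Thumbprint)"
        continue
    }

    $file = Join-Path -Path $workFolder -ChildPath $t.File
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    # Refuse a file whose subject is not the CA this guide names.
    if ($cert.Subject -notlike "*$($t.Name)*") {
        Write-Warning "$($t.File) has unexpected subject '$($cert.Subject)'; not imported."
        continue
    }

    # Show what is about to be trusted; a certificate added to the computer-level
    # Root store is trusted for every user. -Confirm pauses for an explicit yes/no.
    Write-Host "Importing $($cert.Subject)"
    Write-Host "  Thumbprint: $($cert.Thumbprint)  Expires: $($cert.NotAfter)"
    Import-Certificate -FilePath $file -CertStoreLocation "Cert:\LocalMachine\$($t.Store)" -Confirm
}
```

If your account cannot write to the computer-level store, replace `LocalMachine` with `CurrentUser` in the `Import-Certificate` line to use the user-level store, as described earlier in this guide.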
