Building an Internal Identity Authentication System for Your Organization

Scenarios

CCM can help you build a complete CA hierarchy so that you can issue and manage self-signed private certificates within your organization.

Now, you can follow the procedure below to apply for a private certificate in CCM and deploy it on your server.

Background

An internally-hosted complete CA hierarchy is called a self-built Public Key Infrastructure (PKI) system.

When building a PKI system, we need to design its structure based on the application scenarios to facilitate subsequent management.

• CA level design

  A path length determines how many levels of subordinate CAs the current CA can issue. It is used to control the certificate chain length.

  A well-designed CA hierarchy can make fine-grained control over certificates a reality. With PCA, you can build a CA hierarchy with up to seven levels. For details, see Designing a Private CA Hierarchy.

• Certificate rotation

  Before a certificate expires, it should be replaced by a new one to prevent service interruption caused by certificate expiration. This process is called certificate rotation.

  The certificate validity period determines the certificate rotation interval. A proper certificate validity period can reduce the risk of key material leakage and certificate rotation costs. For more details, see PCA Certificate Validity Period.

• Certificate revocation management

  If the key of a certificate is disclosed or the certificate is no longer for some reasons, the certificate should be revoked. To that end, you need to enable the certificate revocation list (CRL) when you create a CA. Beyond that, your service should be designed to check the certificate revocation status.

Step 1: Creating a Private Root CA or Subordinate CA

Perform the following steps to create a root CA or subordinate CA. For details about how to create a private CA, see Creating a Private CA.

1. Log in to the management console.
2. Click in the upper left corner of the page and choose Security > Cloud Certificate Management Service. In the navigation pane, choose Private Certificate Management > Private CA.
3. In the upper left corner of the private CA list, click Create CA to switch to the Create CA page.
4. Configure the CA information.
   1. Configure basic information.

      

   2. Configure the Distinguished Name (DN) of the certificate.

      

   3. Configure certificate revocation details.

      

5. Click Next.
6. After confirming the information about the private CA, click Confirm and Create.

Step 2: Activating a Subordinate Private CA with its Parent Private CA

A subordinate CA must be activated, or it cannot issue certificates. The following describes how to activate a subordinate CA in a two-level CA hierarchy system by using an internal private CA. To activate a subordinate CA by using an external private CA, refer to Activating a Private CA

1. Log in to the management console.
2. Click in the upper left corner of the page and choose Security > Cloud Certificate Management Service. In the navigation pane, choose Private Certificate Management > Private CA.
3. Locate the row of the subordinate private CA and click Activate in the Operation column. In the Install CA Certificate and Activate CA page, configure the required parameters. Figure 1 shows an example.
   NOTE:

   The path length varies depending on how many layers of your CA hierarchy has. For details, see Designing a Private CA Hierarchy.

   Figure 1 A private CA
   

4. Confirm the configuration and click OK.

Step 3: Creating a Private Certificate

For details, see Applying for a Private Certificate

1. Log in to the management console.
2. Click in the upper left corner of the page and choose Security > Cloud Certificate Management Service. In the navigation pane, choose Private Certificate Management > Private Certificate.
3. In the upper left corner of the private certificate list, click Apply for Certificate.
4. Enter required certificate information.
   Figure 2 System generated CSR
   

5. Confirm the information and click OK.

   After you submit your application, the system will return to the private certificate list page. Message "Certificate xxx applied for successfully." is displayed in the upper right corner of the page, indicating that the private certificate application is successful.

Step 4: Trusting the Root CA.

Before installing a private certificate, you need to add the root CA to the trusted root certificate authorities of the client or server.

• One-way authentication

  To win more trust from the client for your server, you need to add the root CA for the server certificate to the client-end trusted CAs.

• Two-way authentication

  To enable two-way authentication between a server and a client, each side needs to add the root CA of the other side to their own trusted root CA store.

Download the private root CA certificate and obtain a root CA certificate file named Root CA name_certificate.pem. For details, see Exporting a Private Root CA.

Use either of the following methods to add the root CA to the trusted root CA store based on the operating system:

NOTE:

Root CA PCA TEST ROOT GO is used as an example.

• For Windows OSs
  1. Change the file name extension of the root CA certificate from .pem to .crt. and double-click the certificate file. The root CA certificate information shows that the root certificate is untrusted.
     Figure 3 Root CA not trusted
     
  2. Click Install Certificate, select a certificate storage location based on the certificate usage, and click Next.
  3. Select Place all certificates in the following store and click Browse. Then, select Trusted Root Certification Authorities and click OK.
     Figure 4 Storing a root certificate
     
  4. Click Next, and then click OK. A dialog box is displayed, indicating that Windows will trust all certificates issued by the private root CA. Click Yes.
  5. Double-click the root CA certificate file. If the Certificate Information area shows that the system trusts the root CA certificate, the root CA is added to the trusted root CAs.
     Figure 5 Trusted root CA
     
• For Linux OSs

  The path for and method of storing root CA certificates vary depending on Linux OS versions. The following procedure use CentOS 6 as an example:

  1. Copy the root CA certificate file to the /home/ directory.
  2. If ca-certificates is not installed on the server, run the following command to install ca-certificates:

     yum install ca-certificates

  3. Copy the root CA certificate to the /etc/pki/ca-trust/source/anchors/ directory:

     cp /home/root.crt /etc/pki/ca-trust/source/anchors/

  4. Add the root CA certificate to the trusted root certificate file:

     update-ca-trust extract

  5. Check whether the information about the newly added root CA certificate is included in the command output:

     view /etc/pki/tls/certs/ca-bundle.crt

     Figure 6 Root CA certificate added to the trusted CA list
     
  NOTE:

  If the OpenSSL version is too old, the configuration may not take effect. You can run the yum update openssl -y command to update the OpenSSL version.

• macOS
  1. Open the MacOS startup console and select Keychain Access.
  2. Enter the password to log in to Keychain Access.
  3. Drag and drop the target root CA certificate into Keychain Access. The root CA certificate now is untrusted by the system.
  4. Right-click the root CA certificate to load its details.
  5. Click Trust, select Always Trust for When using this certificate, and click Close.
  6. Enter the password to make the configuration of the trusted root CA certificate take effect.
  7. View the root CA certificate on the Keychain Access window. If the certificate is trusted by the system, the root CA is successfully added to the trusted root CA store.

Step 5: Installing a Private Certificate

Installing a Private Certificate on a Client (Using Windows as an Example)

1. Log in to the management console.
2. Click in the upper left corner of the page and choose Security > Cloud Certificate Management Service. In the navigation pane, choose Private Certificate Management > Private Certificate.
3. Locate the row containing the desired certificate. In the Operation column, click Download.
4. Select the IIS tab and click Download Certificate.
5. Decompress the downloaded certificate file package client_iis.zip to obtain certificate file server.pfx and private key password file keystorePass.txt.
6. Double-click certificate file server.pfx, select a certificate storage location based on its usage, and click Next.
7. Confirm the name of the certificate file you want to import and click Next.
8. Enter the password obtained from private key password file keystorePass.txt and click Next.
9. Select Place all certificates in the following store, click Browse, select Personal, and click OK, as shown in Figure 7.
   Figure 7 Storing a private certificate
   

10. Click Next and Finish. The certificate is installed when a dialog box is displayed indicating that the certificate is imported successfully.

Installing a Private Certificate on a Server

The procedure for installing a private certificate on a server is the same as that for installing an international standard SSL certificate. The following lists some examples:

• Installing an SSL Certificate on a Tomcat Server
• Installing an SSL Certificate on an Nginx Server
• Installing an SSL Certificate on an Apache Server
• Installing an SSL Certificate on an IIS Server
• Installing an SSL Certificate on a WebLogic Server
• Installing an SSL Certificate on a Resin Server