...

Self-service portal via SAML

Configuration

Sectigo will provide a self-service portal for requesting client certificates, matching the workflow seen with the DigiCert portal (digicert.com/sso) and the earlier Confusa portal. That is, an end user logs in via SAML authentication, selects the appropriate options and gets a certificate back.

The self-service portal is under development. We will update this section when it is ready for testing.

The portal is located at https://cert-manager.com/customer/sunet/idp/clientgeant

For it to work for your users, you need to

  • Have your IdP configured correctly for Sectigo. See below under "SAML Configuration".
  • Edit your organization object and set "Academic code (SCHAC Home Organization)" to the same value as your IdP sends for schacHomeOrganization. It will typically be your main domain, but confirm this with your IdP admins.

For it to work for your users who need IGTF/grid certificates, you also need to:

  • Edit your organization object and set "Secondary Organization Name" to the name used in grid certificates (with åäö transcribed correctly to ASCII if needed, and with the same upper/lowercase conventions that you have used before with DigiCert). Please check existing certificates if you are unsure. As grid certificate subjects are used as "usernames" in systems, it is vital that the whole subject string is kept as it was before.
  • Email tcs@sunet.se about this so that we can ask for a validation of the secondary name as you cannot perform this step yourself.

Use

Will be filled in.

Issuing client certificates using the SCM

Note: this is a backup solution. The main way to issue client certificates is via the self-service portal discussed above. While this is not supposed to be the main route once the self-service portal is in place, this is how you can issue personal certificates using the SCM:

...

Things worth noting:

  • Yes, the key is always generated on the server side when you use this method. There is no option of uploading a CSR in order to use a key generated on the client side. This may not be acceptable for users due to policy (not allowed to have the key generated on the server side) or technical reasons (key not exportable from a hardware device). You can upload a CSR when you use the self-service portal, and then get certificate+chain back, instead of key+certificate+chain.
  • There is also the option of enabling an AccessCode, which is a shared secret between you and all users that enables them to get a client certificate as long as they have access to their email. We advise you not to use that.
  • There is also the possibility to enter a SecretID per user, enabling them to get a client certificate by entering that together with their email address. For occasional client certificates, we do not see the upside of this compared to the invitation method above, and for bulk issuing we will rely on the self-service portal via SAML as soon as that is ready.
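The client-side CSR route mentioned in the first bullet, shown as an added example (a POSIX shell script using openssl; this is not code from the SUNET page or from Sectigo): the key pair is generated on the user's machine, the CSR is what gets uploaded to the portal, and two checks confirm before upload that the CSR really belongs to the local key. The subject fields, file names and the `make_csr`/`csr_matches_key` function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the SUNET/Sectigo documentation.
# Generates the client certificate key pair locally and a CSR for upload to
# the self-service portal, so the private key never leaves the user's machine.
# Assumes openssl(1) is installed. Subject values below are constructed
# placeholders, not values from the page.
set -eu

# csr_matches_key CSR KEY
# Prints "ok" when the CSR's self-signature verifies (proof of possession)
# and the public key inside the CSR equals the public key of KEY;
# prints "mismatch" otherwise.
csr_matches_key() {
    csr=$1; key=$2
    # Check 1: the CSR is signed by the key it carries
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || { echo mismatch; return 0; }
    # Check 2: compare SHA-256 of the DER-encoded public keys
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256)
    if [ "$csr_pub" = "$key_pub" ]; then echo ok; else echo mismatch; fi
}

# make_csr DIR CN EMAIL
# Writes DIR/client.key (private key, mode 0600) and DIR/client.csr, then
# prints the result of csr_matches_key for the pair.
make_csr() {
    dir=$1; cn=$2; email=$3
    mkdir -p "$dir"
    umask 077   # private key readable only by its owner
    # 3072-bit RSA key generated locally; it is never sent anywhere
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -out "$dir/client.key" 2>/dev/null
    # CSR with a constructed subject; the CA may replace the subject with
    # the organisation data it has validated (see the grid note above)
    openssl req -new -key "$dir/client.key" \
        -subj "/C=SE/O=Example University/CN=$cn/emailAddress=$email" \
        -out "$dir/client.csr" 2>/dev/null
    csr_matches_key "$dir/client.csr" "$dir/client.key"
}

# Stand-alone demo: ./make_csr.sh --demo
if [ "${1:-}" = "--demo" ]; then
    make_csr ./out "Firstname Lastname" "user@example.org"
    echo "upload ./out/client.csr; keep ./out/client.key private"
fi
```

The portal returns certificate+chain for this CSR; the same `csr_matches_key` idea (compare the public key of the returned certificate with the local key via `openssl x509 -pubkey`) is the check to run on the certificate before installing it.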

...