
Entrust® ePassport Solutions Guide

3.00

Entrust Authority Security Manager 8.3

Entrust Authority Security Manager Administration 8.3

Entrust Authority Administration Services 9.3

Entrust Authority Document Signer Service 9.0

Document issue: 5.0

Date of issue: April 2019


Copyright © 2018-2019 Entrust Datacard. All rights reserved.

Entrust is a trademark or a registered trademark of Entrust Datacard Limited in Canada. All Entrust product names and logos are trademarks or registered trademarks of Entrust, Inc. or Entrust Datacard Limited in certain countries. All other company and product names and logos are trademarks or registered trademarks of their respective owners in certain countries.

This information is subject to change as Entrust Datacard reserves the right to, without notice, make changes to its products as progress in engineering or manufacturing methods or circumstances may warrant.

Export and/or import of cryptographic products may be restricted by various regulations in various countries. Export and/or import permits may be required.

2 Entrust® ePassport 3.00 Solutions Guide


TOC

About this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37


Revision information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Documentation conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Note and Attention text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Related documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Obtaining documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Documentation feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Obtaining technical assistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Technical support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Email address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Professional Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Overview section ....................................................................... 47


Basic Access Control overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
BAC architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Country Signing Certification Authority . . . . . . . . . . . . . . . . . . . . . . 51
Document Signer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Master List Signer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
ICAO Public Key Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Inspection Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
BAC system components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Entrust Authority Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . 54
Entrust Authority Administration Services . . . . . . . . . . . . . . . . . . . . . 55
National PKD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Entrust Authority Document Signer Service . . . . . . . . . . . . . . . . . . . 56
Entrust Authority IS Concentrator . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Entrust Authority IS Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
How the Document Signer Service works . . . . . . . . . . . . . . . . . . . . . . . . . . .59
About Verification Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Features and benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
About the Digital Signature Service . . . . . . . . . . . . . . . . . . . . . . . . . 61
The digital signing process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Web server and application server . . . . . . . . . . . . . . . . . . . . . . . . . . 62
About the Profile Creation Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
About the Offline Token Creation Utility . . . . . . . . . . . . . . . . . . . . . . . . . . 64
About Entrust profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
About hardware security modules . . . . . . . . . . . . . . . . . . . . . . . . . . 65
About offline profile creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Advantages to offline profile creation . . . . . . . . . . . . . . . . . . . . 67
About the Signature Delivery Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
How the Signature Delivery Service works . . . . . . . . . . . . . . . . . . . . 69
Operational flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Extended Access Control overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73


EAC architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Country Verifying Certification Authority . . . . . . . . . . . . . . . . . . . . . 75
Single Point of Contact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Document Verifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Inspection Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
About holder identities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
EAC system components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Entrust Authority Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . 79
Entrust Authority Administration Services . . . . . . . . . . . . . . . . . . . . . 79
Entrust Authority IS Concentrator . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Entrust Authority IS Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
EAC certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Certificate lifetimes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Certificate status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Holder and authority references . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Sequence number algorithms. . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Holder and authority references for CVCA certificates . . . . . . . . 85

Holder and authority references for Document Verifier certificates . . . . . 85
Holder and authority references for Inspection System certificates . . . . . 85
Certificate streams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Validation strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Establishing trust between a CVCA and a Document Verifier . . . . . . . . . . . 88
Countersigning Document Verifier certificate requests . . . . . . . . . . . 90
Establishing trust between a Document Verifier and an Inspection System 91

Country Signing CA section .........................................................93


Installing a Country Signing CA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Calculating the validity periods for CSCA certificates . . . . . . . . . . . . . . . . . 96
Formulas for calculating the validity periods . . . . . . . . . . . . . . . . . . . 96
Recommended validity periods for 10-year eMRTDs . . . . . . . . . . . . 97
Recommended validity periods for the Document Signer key pair . . . . . 97
Recommended validity periods for the CSCA key pair . . . . . . . . 98
Recommended validity periods for the Master List Signer key pair . . . . . 98
Installing and configuring Security Manager . . . . . . . . . . . . . . . . . . . . . . . 99
Installing and configuring Security Manager on Windows . . . . . . . . 99
Installing and configuring Security Manager on Linux . . . . . . . . . . 103
Post-configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Reconfiguring a CA as a CSCA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111


Calculating the validity periods for CSCA certificates . . . . . . . . . . . . . . . . 112
Formulas for calculating the validity periods . . . . . . . . . . . . . . . . . . 112
Recommended validity periods for 10-year eMRTDs . . . . . . . . . . . 113
Recommended validity periods for the Document Signer key pair . . . . . 113
Recommended validity periods for the CSCA key pair . . . . . . . 114
Recommended validity periods for the Master List Signer key pair . . . . . 114

Configuring the issuerAltName extension . . . . . . . . . . . . . . . . . . . . . . . . 115
Configuring the CSCA root and link certificates . . . . . . . . . . . . . . . . . . . . 117
Configuring CRL Distribution Points (CDPs) . . . . . . . . . . . . . . . . . . . . . . . 120
Configuring certificate revocation lists for a CSCA . . . . . . . . . . . . . . . . . . 123
Encoding the countryName attribute in uppercase . . . . . . . . . . . . . . . . . . 126
Configuring how the CSCA encodes distinguished names . . . . . . . . . . . . 127
Controlling the issuer and subject in CSCA link certificates . . . . . . . . . . . . 129
Configuring the CA policy settings for a CSCA . . . . . . . . . . . . . . . . . . . . 131
Updating the CA certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

Managing a Country Signing CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137


Customizing Document Signer certificates . . . . . . . . . . . . . . . . . . . . . . . . 138
Configuring the CDP definitions for Document Signer certificates . 138
Modifying the Document Signer user policy . . . . . . . . . . . . . . . . . . 141
Customizing Master List Signer certificates . . . . . . . . . . . . . . . . . . . . . . . . 143
Configuring the CDP definitions for Master List Signer certificates . 143
Modifying the Master List Signer user policy . . . . . . . . . . . . . . . . . 146
Creating Master List Signer credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Creating a user entry for a Master List Signer profile . . . . . . . . . . . 148
Creating a Master List Signer profile . . . . . . . . . . . . . . . . . . . . . . . . 150
Updating the Master List Signer profile keys . . . . . . . . . . . . . . . . . . 151
Revoking certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Updating the CSCA certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Changing the distinguished name of the CSCA . . . . . . . . . . . . . . . . . . . . 155
Performing a CSCA key update and changing the CSCA DN in Security Manager . . . . . 155
Known issues and limitations of a CSCA DN change . . . . . . . . . . . 160

Document Signer Service section ............................................... 161


Deploying the Document Signer Service . . . . . . . . . . . . . . . . . . . . . . . . . . .163
Deployment overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Installing the Document Signer Service . . . . . . . . . . . . . . . . . . . . . . . . . . 165

Configuring Verification Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Configuring the Verification Server entrust.ini file . . . . . . . . . . . . . 186
Enabling the Digital Signature service . . . . . . . . . . . . . . . . . . . . . . 189
Adding a user entry to Security Manager for the Digital Signature service . . . . . 189
Creating an Entrust profile and Server Login credentials for the Digital Signature service . . . . . 191
Configuring the Digital Signature service . . . . . . . . . . . . . . . . . . . . 192
Configuring a front-end Web server for the Signature Delivery Service . . 195
Securing access to Verification Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Using application server security . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Protecting the Digital Signature service . . . . . . . . . . . . . . . . . . . . . 198
Logging user names for digital signature requests . . . . . . . . . . . . . 198
Configuring SSL in the Document Signer Service . . . . . . . . . . . . . . . . . . . 199
Configuring SSL on Apache Tomcat . . . . . . . . . . . . . . . . . . . . . . . . 199
Configuring SSL on Apache HTTP Server . . . . . . . . . . . . . . . . . . . . 201
Restarting the Document Signer Service . . . . . . . . . . . . . . . . . . . . . . . . . 206
Verifying that the Document Signer Service started correctly . . . . . . . . . . 208

Using the Signature Delivery Service from your application . . . . . . . . . . . . 211


Configuring the Signature Delivery Service . . . . . . . . . . . . . . . . . . . . . . . 212
Configuring Signature Delivery Service logging . . . . . . . . . . . . . . . . . . . . 216
Message processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Message format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Request format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Response format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Error format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Signature Delivery Service health query . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Implementing the sample client code . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Client programming tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Security concerns and safeguards . . . . . . . . . . . . . . . . . . . . . . . . . 227
ASN.1 profile for Logical Data Structure Security Object . . . . . . . . 227
ASN.1 structure of the Document Security Object returned by Signature Delivery Service . . . . . 229

Using the Offline Token Creation Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . .235
Overview of using the Offline Token Creation Utility . . . . . . . . . . . . . . . . 236
Preparing to use the Offline Token Creation Utility . . . . . . . . . . . . . . . . . 237
Configuring Offline Token Creation Utility logging . . . . . . . . . . . . . . . . . 244
Generating a signature key pair on a hardware token . . . . . . . . . . . . . . . 248
Recovering an offline Entrust profile on a hardware token . . . . . . . . . . . . 253
Creating the offline Entrust profile at Security Manager . . . . . . . . . . . . . . 258
Writing the Entrust profile to the hardware token . . . . . . . . . . . . . . . . . . 260

Using Verification Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .263


Using secure logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Creating a user entry in Security Manager for secure logging . . . . . 264
Creating an Entrust profile and Server Login credentials for secure logging . . . . . 265
Configuring Verification Server for secure logging . . . . . . . . . . . . . 266
Viewing and verifying the secure audit log files . . . . . . . . . . . . . . . 269
Managing the Entrust profiles used by Verification Server . . . . . . . . . . . . 272
Recovering Entrust profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Updating expiring Entrust profiles . . . . . . . . . . . . . . . . . . . . . . . . . 273
Revoking a service certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Changing the password of an Entrust profile . . . . . . . . . . . . . . . . . 274
Accessing Verification Server services from your application . . . . . . . . . . . 275
Where should clients send requests? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Digital Signature service clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Digital Signature client samples . . . . . . . . . . . . . . . . . . . . . . . . 277
Troubleshooting Verification Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Error logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Customizing the log files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Logging levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Log file header. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Log file entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Logging Digital Signature requests. . . . . . . . . . . . . . . . . . . . . . 281
Troubleshooting tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Digital ID login problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Hardware security module (HSM) problems . . . . . . . . . . . . . . . 282

Digital Signature Service problems. . . . . . . . . . . . . . . . . . . . . . 283

Verification Server entrust-configuration.xml file . . . . . . . . . . . . . . . . . . . . 287


Changing global settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Changing Digital Signature service settings . . . . . . . . . . . . . . . . . . . . . . . 293

PKD Writer section ....................................................................299


Installing a PKD Writer Services CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Installing and configuring Security Manager . . . . . . . . . . . . . . . . . . . . . . 302
Post-configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

Deploying the PKD Writer Web Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 305


Deployment overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Synchronizing Administration Services and Security Manager time settings . . . . . 307
Creating PKD Writer Server credentials . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Creating a user entry for a PKD Writer Server profile . . . . . . . . . . 308
Creating a PKD Writer Server profile . . . . . . . . . . . . . . . . . . . . . . . 309
Updating PKD Writer Server profile keys . . . . . . . . . . . . . . . . . . . . 310
Creating a PKD Writer Client certificate type . . . . . . . . . . . . . . . . . . . . . . 311
Creating PKD Writer Client credentials . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Creating a user entry for a PKD Writer Client profile . . . . . . . . . . . 312
Creating a PKD Writer Client profile . . . . . . . . . . . . . . . . . . . . . . . 313
Updating PKD Writer Client profile keys . . . . . . . . . . . . . . . . . . . . 314
Obtaining a PKD Access credential for the ICAO PKD . . . . . . . . . . . . . . . 315
Checking the entrust.ini file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Collecting installation information for the PKD Writer . . . . . . . . . . . . . . . 319
Installing the PKD Writer Web Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Configuring PKD Writer Server authentication to a directory without anonymous access . . . . . 344

Configuring the PKD Writer Web Service. . . . . . . . . . . . . . . . . . . . . . . . . . .347
Configuring email notification for PKD Writer . . . . . . . . . . . . . . . . . . . . . 348
Configuring SMTP server settings for the PKD Writer . . . . . . . . . . . 348
Email notification files for the PKD Writer . . . . . . . . . . . . . . . . . . . . 349
Enabling and disabling email notification for PKD Writer . . . . . . . . 350
Modifying email notification subject and message text for PKD Writer . . . . . 353
Modifying PKD Writer email notification to use HTML content templates . . . . . 355
Configuring the PKD Access credential expiry notification intervals . . . . . 356
Configuring the assurance levels for uploading CSCA materials . . . . . . . . 357
Configuring the PKD Download connection settings . . . . . . . . . . . . . . . . 359
Configuring the PKD Upload connection settings . . . . . . . . . . . . . . . . . . 362
Configuring the CSCA materials upload status folder . . . . . . . . . . . . . . . . 365
Configuring the PKD Writer Web Service logs . . . . . . . . . . . . . . . . . . . . . 367
Configuring the PKD Writer secure audit log . . . . . . . . . . . . . . . . . . . . . . 369
Configuring automatic uploads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371

Administering the PKD Writer services . . . . . . . . . . . . . . . . . . . . . . . . . . . .373


Uploading Document Signer certificates to the ICAO PKD . . . . . . . . . . . . 374
Uploading CRLs to the ICAO PKD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Uploading domestic master lists to the ICAO PKD . . . . . . . . . . . . . . . . . . 376
Displaying the status of CSCA materials uploaded to the ICAO PKD . . . . 377

PKD Reader section .................................................................. 379


Installing a PKD Reader Services CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381
Installing and configuring Security Manager . . . . . . . . . . . . . . . . . . . . . . 382
Post-configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

Deploying the PKD Reader Web Service . . . . . . . . . . . . . . . . . . . . . . . . . . .385


Deployment overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Synchronizing Administration Services and Security Manager time settings . . . . . 387

Creating PKD Reader Server credentials . . . . . . . . . . . . . . . . . . . . . . . . . 388
Creating a user entry for a PKD Reader Server profile . . . . . . . . . 388
Creating a PKD Reader Server profile . . . . . . . . . . . . . . . . . . . . . . . 389
Updating PKD Reader Server profile keys . . . . . . . . . . . . . . . . . . . 390
Creating PKD Reader Client credentials . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Creating a user entry for a PKD Reader Client profile . . . . . . . . . . . 391
Creating a PKD Reader Client profile . . . . . . . . . . . . . . . . . . . . . . . 392
Updating PKD Reader Client profile keys . . . . . . . . . . . . . . . . . . . . 393
Checking the entrust.ini file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Obtaining a PKD Access P12 credential for retrieving CSCA Registry information from the ICAO PKD . . . . . 398
Collecting installation information for the PKD Reader . . . . . . . . . . . . . . 399
Installing the PKD Reader Web Service . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Configuring PKD Reader Server authentication to a directory without anonymous access . . . . . 422

Configuring the PKD Reader Web Service . . . . . . . . . . . . . . . . . . . . . . . . . 425


Configuring email notification for PKD Reader . . . . . . . . . . . . . . . . . . . . 426
Configuring SMTP server settings for the PKD Reader . . . . . . . . . . 426
Email notification files for the PKD Reader . . . . . . . . . . . . . . . . . . . 427
Enabling and disabling email notification for PKD Reader . . . . . . . 428
Modifying email notification subject and message text for PKD Reader . . . . . 431
Modifying PKD Reader email notification to use HTML content templates . . . . . 433
Configuring the PKD Reader Web Service logs . . . . . . . . . . . . . . . . . . . . 435
Configuring the PKD Reader download frequency . . . . . . . . . . . . . . . . . 437
Configuring the PKD Reader download attempts . . . . . . . . . . . . . . . . . . 438
Configuring the LDAP page size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Configuring the PKD Download connection settings . . . . . . . . . . . . . . . . 440
Configuring the PKD Upload connection settings . . . . . . . . . . . . . . . . . . 442
Configuring the CSCA materials storage folders . . . . . . . . . . . . . . . . . . . 444

National PKD section ................................................................447

Manually deploying a National PKD (optional) . . . . . . . . . . . . . . . . . . . . . .449
Installing an LDAP directory as the National PKD . . . . . . . . . . . . . . . . . . . 450
National PKD schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
pkdMasterListContent attribute . . . . . . . . . . . . . . . . . . . . . . . . 451
pkdVersion attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
pkdConformanceCode attribute. . . . . . . . . . . . . . . . . . . . . . . . 452
pkdConformanceText attribute . . . . . . . . . . . . . . . . . . . . . . . . 452
pkdPKCS10Content attribute. . . . . . . . . . . . . . . . . . . . . . . . . . 452
pkdDeviationListContent attribute . . . . . . . . . . . . . . . . . . . . . . 452
entrustNPKDCSCAMetaData attribute. . . . . . . . . . . . . . . . . . . 453
entrustNPKDAssuranceLevelPolicy attribute. . . . . . . . . . . . . . . 453
entrustNPKDAssuranceLevelExp attribute . . . . . . . . . . . . . . . . 453
entrustNPKDAssuranceLevel attribute . . . . . . . . . . . . . . . . . . . 453
entrustNPKDSignature attribute. . . . . . . . . . . . . . . . . . . . . . . . 454
entrustNPKDPublish attribute . . . . . . . . . . . . . . . . . . . . . . . . . 454
entrustNPKDCreationDate attribute. . . . . . . . . . . . . . . . . . . . . 454
Object classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
pkdMasterList object class . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
pkdDownload object class . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
pkdPKCS10 object class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
pkdDeviationList object class . . . . . . . . . . . . . . . . . . . . . . . . . . 456
entrustNPKDInfo object class . . . . . . . . . . . . . . . . . . . . . . . . . . 456
entrustNPKDPolicy object class . . . . . . . . . . . . . . . . . . . . . . . . 456
Adding required entries to the National PKD . . . . . . . . . . . . . . . . . . . . . . 457
The dc=data entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
The dc=npkd-trust-data entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Information required to install the NPKD services . . . . . . . . . . . . . . . . . . . 458

Installing an NPKD Services CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .459


Installing and configuring Security Manager . . . . . . . . . . . . . . . . . . . . . . 460
Post-configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461

Deploying the NPKD services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .463


Deployment overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465

Installing and configuring the Web server (optional) . . . . . . . . . . . . . . . . 467
Enabling SSL on your Web server . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Testing the SSL-enabled Web server . . . . . . . . . . . . . . . . . . . . . . . 468
Microsoft IIS features required for Administration Services . . . . . . . 468
Configuring the VirtualHost directive on Apache HTTP Server . . . . 469
Synchronizing Administration Services and Security Manager time settings . . . . . 470
Creating certificate types for NPKD services . . . . . . . . . . . . . . . . . . . . . . 471
Creating NPKD Server credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Creating a user entry for an NPKD Server profile . . . . . . . . . . . . . . 473
Creating an NPKD Server profile . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Updating NPKD Server profile keys . . . . . . . . . . . . . . . . . . . . . . . . 475
Creating NPKD Client credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
Creating a user entry for an NPKD Client profile . . . . . . . . . . . . . . 476
Creating an NPKD Client profile . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Updating NPKD Client profile keys . . . . . . . . . . . . . . . . . . . . . . . . 478
Checking the entrust.ini file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Obtaining files from the PKD Reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
Installing the NPKD services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Configuring NPKD Server authentication to a directory without anonymous access . . . . . 515
Configuring PKD Reader Client authentication to a directory without anonymous access . . . . . 517
Completing the Microsoft IIS front-end configuration for the NPKD services . . . . . 519
Assigning SSL certificates to the npkd Web site in Microsoft IIS . . . 519
Increasing the upload buffer size for the npkd Web site in Microsoft IIS . . . . . 522
Installing CA certificates in Microsoft IIS for the NPKD services . . . 524
Completing the Apache HTTP Server front-end configuration for the NPKD services . . . . . 529
Assigning SSL certificates to the NPKD services VirtualHosts in Apache HTTP Server . . . . . 529
Adding CA certificates to Apache HTTP Server for the NPKD services . . . . . 532
Creating or modifying a user policy for NPKD administrators . . . . . . . . . 535

Creating a role for NPKD administrators . . . . . . . . . . . . . . . . . . . . . . . . . 537
Creating NPKD administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
Testing NPKD Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543

Configuring the NPKD services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .545


Configuring the NPKD services logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
Configuring the NPKD Validation Engine logs . . . . . . . . . . . . . . . . . . . . . 548
Configuring email notification for the NPKD services . . . . . . . . . . . . . . . . 550
Configuring SMTP server settings for the NPKD services . . . . . . . . 550
Email notification files for the NPKD services . . . . . . . . . . . . . . . . . 551
Enabling and disabling email notification for the NPKD services . . . 552
Modifying email notification subject and message text for the NPKD
services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555
Modifying the NPKD services email notification to use HTML content
templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
Configuring the CRL cache timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
Configuring the LDAP page size for Document Signer certificate list operations . . . 560
Enabling and disabling automatic CRL discovery from Document Signer
certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
Configuring automatic assurance level calculations of CSCA materials in the
National PKD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
Enabling and disabling signature validation when retrieving CSCA materials from
the National PKD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Configuring automatic signature updates of CSCA materials in the National
PKD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
Configuring automatic imports from PKD Reader . . . . . . . . . . . . . . . . . . 567
Configuring the NPKD secure audit log . . . . . . . . . . . . . . . . . . . . . . . . . . 569

Administering data in the National PKD . . . . . . . . . . . . . . . . . . . . . . . . . . .571


Logging in to NPKD Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572

14 Entrust® ePassport 3.00 Solutions Guide Document issue: 5.0


Using grids in NPKD Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
Navigating pages of items in a grid . . . . . . . . . . . . . . . . . . . . . . . . 574
Viewing information that is truncated in a grid cell . . . . . . . . . . . . 576
Resizing columns in a grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
Sorting items in a grid by column . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Moving columns in a grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Adding and removing columns in a grid . . . . . . . . . . . . . . . . . . . . . 579
Adding and editing filters in a grid . . . . . . . . . . . . . . . . . . . . . . . . . 580
Removing a filter from a grid column . . . . . . . . . . . . . . . . . . . . . . . 582
Viewing all filters in a grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
Removing all filters from a grid . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
Grouping items in a grid by columns . . . . . . . . . . . . . . . . . . . . . . . 584
Restoring a grid layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
Monitoring the National PKD using the dashboard . . . . . . . . . . . . . . . . . 588
Managing countries in the National PKD . . . . . . . . . . . . . . . . . . . . . . . . . 592
Listing countries in the National PKD . . . . . . . . . . . . . . . . . . . . . . . 592
Viewing detailed information about a country in the National PKD 596
Exporting all CSCA materials from a country to files . . . . . . . . . . . 601
Configuring the assurance policy settings for a country . . . . . . . . . 603
Managing Document Signer certificates in the National PKD . . . . . . . . . . 611
Listing Document Signer certificates in the National PKD . . . . . . . . 611
Viewing detailed information about a Document Signer certificate 613
Viewing the assurance level details of a Document Signer certificate . . . 617
Exporting Document Signer certificates to files . . . . . . . . . . . . . . . 620
Removing Document Signer certificates from the National PKD . . . 623
Managing CRLs in the National PKD . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625
Listing CRLs in the National PKD . . . . . . . . . . . . . . . . . . . . . . . . . . 625
Viewing detailed information about a CRL . . . . . . . . . . . . . . . . . . . 627
Viewing the assurance level details of a CRL . . . . . . . . . . . . . . . . . 631
Exporting CRLs to files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
Removing CRLs from the National PKD . . . . . . . . . . . . . . . . . . . . . 637
Managing master lists in the National PKD . . . . . . . . . . . . . . . . . . . . . . . 639
Listing master lists in the National PKD . . . . . . . . . . . . . . . . . . . . . . 639
Viewing detailed information about a master list . . . . . . . . . . . . . . 641
Viewing the assurance level details of a master list . . . . . . . . . . . . . 644
Exporting master lists to files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
Removing master lists from the National PKD . . . . . . . . . . . . . . . . 649
Assigning CSCA certificates in a master list as trust anchors . . . . . . 651
Managing trust anchors in the National PKD . . . . . . . . . . . . . . . . . . . . . . 655
Listing trust anchors in the National PKD . . . . . . . . . . . . . . . . . . . . 655
Viewing detailed information about a trust anchor . . . . . . . . . . . . . 657
Viewing the assurance level details of a trust anchor . . . . . . . . . . . 660
Exporting trust anchors to files . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
Removing trust anchors from the National PKD . . . . . . . . . . . . . . . 666
Importing CSCA materials into the National PKD from files . . . . . . . . . . . 668
Importing a single CSCA material from a file . . . . . . . . . . . . . . . . . 668
Importing CSCA materials from an LDIF file . . . . . . . . . . . . . . . . . . 676
Importing multiple Document Signer certificates from files . . . . . . . 681
Importing multiple CSCA certificates from files . . . . . . . . . . . . . . . . 684
Importing multiple CRLs from files . . . . . . . . . . . . . . . . . . . . . . . . . 687
Importing multiple master lists from files . . . . . . . . . . . . . . . . . . . . 690
Managing PKD Reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693
Viewing the status of PKD Reader . . . . . . . . . . . . . . . . . . . . . . . . . 693
Importing CSCA materials from PKD Reader into the National PKD 696
Editing PKD Reader settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700
Downloading CSCA materials from ICAO PKD into PKD Reader . . 702
Configuring the global assurance policy settings . . . . . . . . . . . . . . . . . . . 704
Exporting the global and country-specific assurance policies to files . . . . . 708
Configuring NPKD services settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 710

Customizing NPKD Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .715


Customizing the NPKD Administration interface . . . . . . . . . . . . . . . . . . . 716
Adding your company logo to NPKD Administration . . . . . . . . . . . 716
Customizing the browser title for NPKD Administration . . . . . . . . . 717
Customizing the application title for NPKD Administration . . . . . . . 718
Customizing NPKD Administration styles . . . . . . . . . . . . . . . . . . . . . . . . . 720
Localizing NPKD Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721
Localization overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 722
About locales . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 722
Defining locales . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 722
Location of NPKD Administration locale folders . . . . . . . . . . . . . . . . . . . . 723
Adding locales to NPKD Administration . . . . . . . . . . . . . . . . . . . . . . . . . . 724
Translating NPKD Administration files . . . . . . . . . . . . . . . . . . . . . . . . . . . 726
Troubleshooting localization in NPKD Administration . . . . . . . . . . . . . . . 729
Translating email notification templates . . . . . . . . . . . . . . . . . . . . . 729
HTML entities referenced by names . . . . . . . . . . . . . . . . . . . . . . . . 729
Broken JavaScript code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 729

Master List Signer section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 731


Installing a Master List Signer Services CA . . . . . . . . . . . . . . . . . . . . . . . . . 733
Installing and configuring Security Manager . . . . . . . . . . . . . . . . . . . . . . 734
Post-configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 735

Deploying the Master List Signer services . . . . . . . . . . . . . . . . . . . . . . . . . . 737


Deployment overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 739
Synchronizing Administration Services and Security Manager time settings . . . 740
Creating Master List Server credentials . . . . . . . . . . . . . . . . . . . . . . . . . . 741
Creating a user entry for a Master List Server profile . . . . . . . . . . . 741
Creating a Master List Server profile . . . . . . . . . . . . . . . . . . . . . . . 742
Updating Master List Server profile keys . . . . . . . . . . . . . . . . . . . . 743
Creating Master List Client credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . 744
Creating a user entry for a Master List Client profile . . . . . . . . . . . 744
Creating a Master List Client profile . . . . . . . . . . . . . . . . . . . . . . . . 745
Updating Master List Client profile keys . . . . . . . . . . . . . . . . . . . . . 746
Checking the entrust.ini file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 747
Obtaining files from the CSCA for the Master List Signer services . . . . . . 749
Obtaining files from the PKD Writer . . . . . . . . . . . . . . . . . . . . . . . . . . . . 750
Installing the Master List Signer services . . . . . . . . . . . . . . . . . . . . . . . . . 751
Configuring Master List Signer authentication to a directory without anonymous
access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 772
Configuring Master List Server authentication to a directory without anonymous
access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 774
Configuring Master List Signer administrators for PKCS #12 enrollment . . 776
Creating an ePassport Auditor certificate type . . . . . . . . . . . . . . . . . . . . . 777
Creating Master List Signer administrators . . . . . . . . . . . . . . . . . . . . . . . . 779
Testing MLS Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 784

Configuring the Master List Signer services . . . . . . . . . . . . . . . . . . . . . . . . .785


Configuring the Master List Signer services logs . . . . . . . . . . . . . . . . . . . . 786
Configuring domestic master lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 788
Configuring the location of domestic master lists . . . . . . . . . . . . . . 788
Configuring the number of archived domestic master lists . . . . . . . 788
Configuring foreign master lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 790
Configuring draft domestic master lists . . . . . . . . . . . . . . . . . . . . . . . . . . 791
Configuring the location of draft domestic master lists . . . . . . . . . . 791
Configuring the number of draft domestic master lists . . . . . . . . . . 791
Enabling and disabling the Master List Signer Web Service . . . . . . . . . . . 793
Configuring whether MLS Administration can create domestic master lists 794
Changing the password of the trust anchors keystore . . . . . . . . . . . . . . . 795

Administering master lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .797


Logging in to MLS Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 798
Creating and editing domestic master lists . . . . . . . . . . . . . . . . . . . . . . . . 799
Managing the active domestic master list . . . . . . . . . . . . . . . . . . . . . . . . . 812
Viewing the active domestic master list . . . . . . . . . . . . . . . . . . . . . 812
Exporting the active domestic master list . . . . . . . . . . . . . . . . . . . . 815
Exporting CSCA certificates from the active domestic master list . . 817
Uploading the active domestic master list to the ICAO PKD . . . . . . 819
Managing archived domestic master lists . . . . . . . . . . . . . . . . . . . . . . . . . 821
Viewing archived domestic master lists . . . . . . . . . . . . . . . . . . . . . . 821
Exporting archived domestic master lists . . . . . . . . . . . . . . . . . . . . . 824
Making an archived domestic master list the active domestic master list . . . 826
Managing foreign master lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 829
Adding foreign master lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 829
Viewing foreign master lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 832
Changing the assurance level of foreign master lists . . . . . . . . . . . 836
Validating foreign master lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . 837
Exporting foreign master lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 839
Exporting CSCA certificates from a foreign master list . . . . . . . . . . 841
Adding CSCA certificates in foreign master lists as trust anchors . . 844
Deleting foreign master lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 847
Managing trust anchors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 851
Adding trust anchors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 851
Viewing trust anchors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 854
Exporting trust anchors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 856
Changing the assurance level of trust anchors . . . . . . . . . . . . . . . . 858
Validating trust anchors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 859
Deleting trust anchors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 861
Managing PKD Writer uploads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 865
Viewing the upload status of CSCA materials . . . . . . . . . . . . . . . . 865
Uploading the latest domestic CSCA CRL to the ICAO PKD . . . . . 870
Viewing the status of the PKD Access credential . . . . . . . . . . . . . . 871
Configuring the PKD Writer upload settings . . . . . . . . . . . . . . . . . 872

Customizing MLS Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 875


Customizing the MLS Administration interface . . . . . . . . . . . . . . . . . . . . 876
Adding your company logo to MLS Administration . . . . . . . . . . . . 876
Customizing the application title and browser title for MLS
Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 877
Customizing MLS Administration styles . . . . . . . . . . . . . . . . . . . . . . . . . . 880

Localizing MLS Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 881


Localization overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 882
About locales . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 882
Defining locales . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 882
Location of MLS Administration locale folders . . . . . . . . . . . . . . . . . . . . . 883
Adding locales to MLS Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . 884
Translating MLS Administration files . . . . . . . . . . . . . . . . . . . . . . . . . . . . 885
Troubleshooting localization in MLS Administration . . . . . . . . . . . . . . . . . 887
HTML entities referenced by names . . . . . . . . . . . . . . . . . . . . . . . . 887
Broken JavaScript code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 887
Web browsers cannot display some locale names . . . . . . . . . . . . . . 887

MLS Web Service API reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .889

Country Verifying CA section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 891


Installing a Country Verifying CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .893
Installing and configuring Security Manager . . . . . . . . . . . . . . . . . . . . . . 894
Installing and configuring Security Manager on Windows . . . . . . . 894
Installing and configuring Security Manager on Linux . . . . . . . . . . 897
Configuring CVCA license information . . . . . . . . . . . . . . . . . . . . . . . . . . 903
Initializing a CVCA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 904

Deploying CVCA Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .907


Deployment overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 908
Installing and configuring the Web server (optional) . . . . . . . . . . . . . . . . 910
Enabling SSL on your Web server . . . . . . . . . . . . . . . . . . . . . . . . . . 910
Testing the SSL-enabled Web server . . . . . . . . . . . . . . . . . . . . . . . . 911
Microsoft IIS features required for Administration Services . . . . . . . 911
Configuring the VirtualHost directive on Apache HTTP Server . . . . 912
Synchronizing Administration Services and Security Manager time settings . . . 913
Creating CVCA Administration Server credentials . . . . . . . . . . . . . . . . . . 914
Creating a user entry for a CVCA Administration Server profile . . . 914
Creating a CVCA Administration Server profile . . . . . . . . . . . . . . . . 916
Updating the CVCA Administration Server profile keys . . . . . . . . . 917
Creating CVCA Administration XAP credentials . . . . . . . . . . . . . . . . . . . . 918
Creating a user entry for a CVCA Administration XAP profile . . . . . 918
Creating a CVCA Administration XAP profile . . . . . . . . . . . . . . . . . 919
Creating Server Login credentials for a CVCA Administration XAP profile . . . 920
Updating the CVCA Administration XAP profile keys . . . . . . . . . . . 920
Creating SPOC Domestic Web Service credentials . . . . . . . . . . . . . . . . . . 921
Creating a user entry for a SPOC Domestic Web Service . . . . . . . . 921
Creating a SPOC Domestic Web Service profile . . . . . . . . . . . . . . . 922
Updating the SPOC Domestic Web Service profile keys . . . . . . . . . 923
Checking the entrust.ini file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 924
Installing CVCA Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 926
Completing the Microsoft IIS front-end configuration for CVCA Administration . . . 957
Assigning SSL certificates to a CVCA Administration Web site in Microsoft
IIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 957
Installing CA certificates in Microsoft IIS for CVCA Administration . 960
Completing the Apache HTTP Server front-end configuration for CVCA
Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 964
Assigning SSL certificates to a CVCA Administration VirtualHost in Apache
HTTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 964
Adding CA certificates to Apache HTTP Server for CVCA Administration . . . 967
Configuring CVCA Administration to connect to the CVCA . . . . . . . . . . 970
Creating or modifying a user policy for CVCA administrators . . . . . . . . . 974
Creating roles for CVCA administrators . . . . . . . . . . . . . . . . . . . . . . . . . . 977
Creating CVCA administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 979
Testing CVCA Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 984

Configuring CVCA Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 985


Configuring CVCA Administration logs . . . . . . . . . . . . . . . . . . . . . . . . . . 986
Configuring the CRL cache timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 988
Configuring list operations in CVCA Administration . . . . . . . . . . . . . . . . 989
Configuring the date format for CVCA Administration . . . . . . . . . . . . . . 991
Configuring email notification for CVCA Administration . . . . . . . . . . . . . 992
Configuring SMTP server settings for CVCA Administration . . . . . . 992
Changing the email format for CVCA Administration . . . . . . . . . . . 994
Email notification files for CVCA Administration . . . . . . . . . . . . . . . 994
Enabling and disabling email notification for CVCA Administration 998
Modifying email notification subject and message text for CVCA
Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1001
Modifying CVCA Administration email notification to use HTML content
templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1003

Administering a Country Verifying Certification Authority . . . . . . . . . . . . .1005


Getting started in Security Manager Control Command Shell . . . . . . . . . 1006
Logging in to Security Manager Control Command Shell . . . . . . . 1006
Logging out of Security Manager Control Command Shell . . . . . . 1010
Getting started in CVCA Administration . . . . . . . . . . . . . . . . . . . . . . . . 1011
Logging in to CVCA Administration . . . . . . . . . . . . . . . . . . . . . . . 1011
How the role assigned to the CVCA administrator affects the CVCA
Administration interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1012
Using the CVCA Administration interface . . . . . . . . . . . . . . . . . . . 1013
Information bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1013
Taskbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1013
Action bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1013
Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1013
Other interface elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1014
Viewing the CVCA holder identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1015
Managing domestic CVCA certificates . . . . . . . . . . . . . . . . . . . . . . . . . . 1017
Viewing domestic CVCA certificates . . . . . . . . . . . . . . . . . . . . . . . 1017
Exporting domestic CVCA certificates . . . . . . . . . . . . . . . . . . . . . . 1020
Updating the CVCA keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1026
Viewing the current CVCA signing key . . . . . . . . . . . . . . . . . . . . . 1026
Configuring CVCA key updates . . . . . . . . . . . . . . . . . . . . . . . . . . 1027
Updating the CVCA key pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1030
Managing foreign CVCAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1032
Adding foreign Country Verifying Certification Authorities . . . . . . 1032
Viewing foreign Country Verifying Certification Authorities . . . . . 1033
Disabling or suspending foreign Country Verifying Certification
Authorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1035
Enabling or activating foreign Country Verifying Certification Authorities . . . 1037
Deleting foreign Country Verifying Certification Authorities . . . . . 1039
Managing foreign CVCA certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . 1042
Importing foreign CVCA certificates . . . . . . . . . . . . . . . . . . . . . . 1042
Viewing foreign CVCA certificates . . . . . . . . . . . . . . . . . . . . . . . . 1047
Exporting foreign CVCA certificates . . . . . . . . . . . . . . . . . . . . . . . 1050
Configuring the Document Verifier policy . . . . . . . . . . . . . . . . . . . . . . . 1056
Managing Document Verifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1060
Adding Document Verifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1060
Viewing Document Verifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1066
Finding Document Verifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1069
Modifying Document Verifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . 1071
Disabling or suspending Document Verifiers . . . . . . . . . . . . . . . . 1076
Enabling or activating Document Verifiers . . . . . . . . . . . . . . . . . . 1079
Deleting Document Verifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1081
Managing Document Verifier certificate requests . . . . . . . . . . . . . . . . . . 1084
Previewing Document Verifier certificate requests for countersigning . . . 1084
Countersigning Document Verifier certificate requests . . . . . . . . . 1085
Previewing Document Verifier certificate requests for processing . 1090
Processing Document Verifier certificate requests . . . . . . . . . . . . . 1091
Managing Document Verifier certificates . . . . . . . . . . . . . . . . . . . . . . . . 1096
Viewing Document Verifier certificates . . . . . . . . . . . . . . . . . . . . . 1096
Exporting Document Verifier certificates . . . . . . . . . . . . . . . . . . . 1099
Previewing EAC certificates and certificate requests . . . . . . . . . . . . . . . . 1103
Previewing EAC certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1103
Previewing EAC certificate requests . . . . . . . . . . . . . . . . . . . . . . . 1103
Queued operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1105

Customizing CVCA Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1109
Customizing the CVCA Administration interface . . . . . . . . . . . . . . . . . . 1110
Adding your company logo to CVCA Administration . . . . . . . . . . 1110
Customizing the browser title for CVCA Administration . . . . . . . . 1111
Customizing the application title for CVCA Administration . . . . . . 1112
Customizing the online help for CVCA Administration . . . . . . . . . . . . . . 1114
Location of the CVCA Administration online help files . . . . . . . . . 1114
Editing the content of the CVCA Administration online help files . 1115
Updating the browser title of the CVCA Administration online help . . . 1115
Updating the application title of the CVCA Administration online help . . . 1116
Customizing CVCA Administration styles . . . . . . . . . . . . . . . . . . . . . . . . 1118
Adding a custom notification service . . . . . . . . . . . . . . . . . . . . . . . . . . . 1119

Localizing CVCA Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1121


Localization overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1122
About locales . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1122
Defining locales . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1122
Location of CVCA Administration locale folders . . . . . . . . . . . . . . . . . . . 1123
Adding a CVCA Administration locale . . . . . . . . . . . . . . . . . . . . . . . . . . 1124
Translating CVCA Administration files . . . . . . . . . . . . . . . . . . . . . . . . . . 1126
Troubleshooting localization in CVCA Administration . . . . . . . . . . . . . . . 1129
Translating email notification templates . . . . . . . . . . . . . . . . . . . . 1129
Translating JSP pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1129
HTML entities referenced by names . . . . . . . . . . . . . . . . . . . . . . . 1130
Broken JavaScript code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1130
Web browsers cannot display some locale names . . . . . . . . . . . . . 1130

CVCA command quick reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1133

Single Point of Contact section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1151
Installing a SPOC CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1153
Installing and configuring Security Manager . . . . . . . . . . . . . . . . . . . . . 1154
Installing and configuring Security Manager on Windows . . . . . . 1154
Configuring the SPOC CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1157
Publishing CRLs to the Web server . . . . . . . . . . . . . . . . . . . . . . . 1157
Configuring the SPOC CA certificate . . . . . . . . . . . . . . . . . . . . . . 1157
Post-configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1160

Deploying the SPOC services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1161


Deployment overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1163
Synchronizing Administration Services and Security Manager time settings . . . 1164
Creating new certificate types for SPOC profiles that will be stored on
hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1165
Creating SPOC Server credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1169
Creating a user entry for a SPOC Server profile . . . . . . . . . . . . 1169
Creating a SPOC Server profile . . . . . . . . . . . . . . . . . . . . . . . . . . 1171
Updating SPOC Server profile keys . . . . . . . . . . . . . . . . . . . . . . . 1171
Creating SPOC Client credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1172
Creating a user entry for a SPOC Client profile . . . . . . . . . . . . . . 1172
Creating a SPOC Client profile . . . . . . . . . . . . . . . . . . . . . . . . . . . 1173
Updating SPOC Client profile keys . . . . . . . . . . . . . . . . . . . . . . . 1174
Checking the entrust.ini file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1175
Obtaining files from the CVCA for SPOC . . . . . . . . . . . . . . . . . . . . . . . 1177
Installing the SPOC services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1178
Configuring SPOC Client authentication to a directory without anonymous
access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1201
Configuring SPOC Server authentication to a directory without anonymous
access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1203
Configuring SPOC Domestic Web Service authentication to a directory without
anonymous access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1205
Configuring SPOC administrators for PKCS #12 enrollment . . . . . . . . . 1207
Creating SPOC administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1208
Testing the SPOC Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1212

Configuring the SPOC services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1213
Configuring SPOC services logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1214
Configuring the XAP connection settings for the SPOC services . . . . . . . 1216
Configuring the SPOC message threads . . . . . . . . . . . . . . . . . . . . . . . . . 1218
Configuring the HTTP header for client certificates . . . . . . . . . . . . . . . . 1220
Restricting SPOC service ports to the applicable service URLs . . . . . . . . 1221

Administering a Single Point of Contact. . . . . . . . . . . . . . . . . . . . . . . . . . .1223


Creating SPOC DVCKM Client credentials for Document Verifiers . . . . . 1224
Creating a user entry for a SPOC DVCKM Client profile . . . . . . . . 1224
Creating a SPOC DVCKM Client profile . . . . . . . . . . . . . . . . . . . . 1225
Updating the SPOC DVCKM Client profile keys . . . . . . . . . . . . . . 1226
Providing the SPOC with domestic CVCA certificates . . . . . . . . . . . . . . 1227
Logging in to SPOC Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1228
Managing foreign SPOCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1229
Adding foreign SPOCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1229
Viewing foreign SPOCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1231
Editing foreign SPOCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1232
Deleting foreign SPOCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1234
Generating outbound requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1236
Requesting CVCA certificates from foreign CVCAs . . . . . . . . . . . . 1236
Requesting Document Verifier certificates from a foreign CVCA . . 1240
Sending CVCA certificates to a foreign CVCA . . . . . . . . . . . . . . . 1243
Sending general messages to foreign SPOCs . . . . . . . . . . . . . . . . 1247
Managing outbound requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1249
Viewing outbound requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1249
Deleting outbound requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1253
Managing inbound requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1258
Viewing inbound requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1258
Deleting inbound requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1270
Using the Keystore-Manager tool to manage foreign SPOC certificates . 1272



Customizing SPOC Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1277
Customizing the SPOC Administration interface . . . . . . . . . . . . . . . . . . 1278
Adding your company logo to SPOC Administration . . . . . . . . . . 1278
Customizing the application title and browser title for SPOC
Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1279
Customizing SPOC Administration styles . . . . . . . . . . . . . . . . . . . . . . . . 1282

Localizing SPOC Administration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1283


Localization overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1284
About locales . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1284
Defining locales . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1284
Location of SPOC Administration locale folders . . . . . . . . . . . . . . . . . . . 1285
Adding locales to SPOC Administration . . . . . . . . . . . . . . . . . . . . . . . . . 1286
Translating SPOC Administration files . . . . . . . . . . . . . . . . . . . . . . . . . . 1287
Troubleshooting localization in SPOC Administration . . . . . . . . . . . . . . . 1289
HTML entities referenced by names . . . . . . . . . . . . . . . . . . . . . . . 1289
Broken JavaScript code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1289
Web browsers cannot display some locale names . . . . . . . . . . . . 1289

SPOC Domestic Web Service API reference . . . . . . . . . . . . . . . . . . . . . . . 1291

Document Verifier section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1293


Installing a Document Verifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1295
Installing and configuring Security Manager . . . . . . . . . . . . . . . . . . . . . 1296
Installing and configuring Security Manager on Windows . . . . . . 1296
Installing and configuring Security Manager on Linux . . . . . . . . . 1298
Configuring Document Verifier license information . . . . . . . . . . . . . . . . 1302
Initializing a Document Verifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1303

Deploying DV Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1305


Deployment overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1306

Installing and configuring the Web server (optional) . . . . . . . . . . . . . . . 1307
Enabling SSL on your Web server . . . . . . . . . . . . . . . . . . . . . . . . . 1307
Testing the SSL-enabled Web server . . . . . . . . . . . . . . . . . . . . . . . 1308
Microsoft IIS features required for Administration Services . . . . . . 1308
Configuring the VirtualHost directive on Apache HTTP Server . . . 1309
Synchronizing Administration Services and Security Manager time settings . . . 1310
Creating DV Administration Server credentials . . . . . . . . . . . . . . . . . . . . 1311
Creating a user entry for a DV Administration Server profile . . . . . 1311
Creating a DV Administration Server profile . . . . . . . . . . . . . . . . . 1313
Updating the DV Administration Server profile keys . . . . . . . . . . . 1314
Creating DV Administration XAP credentials . . . . . . . . . . . . . . . . . . . . . 1315
Creating a user entry for a DV Administration XAP profile . . . . . . 1315
Creating a DV Administration XAP profile . . . . . . . . . . . . . . . . . . 1316
Creating Server Login credentials for a DV Administration XAP profile . . . 1317
Updating the DV Administration XAP profile keys . . . . . . . . . . . . 1317
Checking the entrust.ini file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1318
Installing DV Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1320
Completing the Microsoft IIS front-end configuration for DV Administration . . . 1351
Assigning SSL certificates to a DV Administration Web site in Microsoft
IIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1351
Installing CA certificates in Microsoft IIS for DV Administration . . 1354
Completing the Apache HTTP Server front-end configuration for DV
Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1358
Assigning SSL certificates to a DV Administration VirtualHost in Apache
HTTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1358
Adding CA certificates to Apache HTTP Server for DV Administration . . . 1361
Configuring DV Administration to connect to the DVCA . . . . . . . . . . . . 1364
Creating or modifying a user policy for DV administrators . . . . . . . . . . . 1368
Creating roles for DV administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . 1371
Creating DV administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1373
Testing DV Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1377



Deploying the DV Certificate Key Management Service . . . . . . . . . . . . . . 1379
Deployment overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1380
Synchronizing Administration Services and Security Manager time settings . . . 1381
Creating DVCKM credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1382
Creating a user entry for a DVCKM profile . . . . . . . . . . . . . . . . . 1382
Creating a DVCKM profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1383
Updating the DVCKM profile keys . . . . . . . . . . . . . . . . . . . . . . . . 1384
Checking the entrust.ini file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1385
Obtaining files from the domestic SPOC for the DVCKM . . . . . . . . . . . 1387
Installing the DVCKM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1388
Configuring DVCKM authentication to a directory without anonymous access . . . 1407
Configuring SPOC DVCKM Client authentication to a directory without
anonymous access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1409

Deploying the DV Web Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1411


Deployment overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1412
Synchronizing Administration Services and Security Manager time settings . . . 1413
Creating DV Web Service credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . 1414
Modifying the role for DV Web Service profiles . . . . . . . . . . . . . . 1414
Creating a user entry for a DV Web Service profile . . . . . . . . . . . 1415
Creating a DV Web Service profile . . . . . . . . . . . . . . . . . . . . . . . . 1417
Updating the DV Web Service profile keys . . . . . . . . . . . . . . . . . . 1417
Checking the entrust.ini file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1418
Obtaining files from the domestic CSCA for the DV Web Service . . . . . 1420
Obtaining files from the National PKD for the DV Web Service . . . . . . . 1421
Installing the DV Web Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1422
Configuring DV Web Service authentication to a directory without anonymous
access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1444

Configuring DV Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1447


Configuring DV Administration logs . . . . . . . . . . . . . . . . . . . . . . . . . . . 1448
Configuring the CRL cache timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1450

Configuring list operations in DV Administration . . . . . . . . . . . . . . . . . . 1451
Configuring the date format for DV Administration . . . . . . . . . . . . . . . . 1454
Configuring email notification for DV Administration . . . . . . . . . . . . . . . 1455
Configuring SMTP server settings for DV Administration . . . . . . . 1455
Changing the email format for DV Administration . . . . . . . . . . . . 1457
Email notification files for DV Administration . . . . . . . . . . . . . . . . 1457
Enabling and disabling email notification for DV Administration . . 1461
Enabling email notification for the initial Document Verifier certificate
request for a foreign CVCA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1464
Modifying email notification subject and message text for DV
Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1468
Modifying DV Administration email notification to use HTML content
templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1470
Configuring a jurisdiction policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1471

Configuring the DV Certificate Key Management Service . . . . . . . . . . . . . .1475


Configuring DVCKM logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1476
Configuring email notification for DVCKM . . . . . . . . . . . . . . . . . . . . . . 1478
Configuring SMTP server settings for DVCKM . . . . . . . . . . . . . . . 1478
Email notification files for DVCKM . . . . . . . . . . . . . . . . . . . . . . . . 1479
Enabling and disabling email notification for DVCKM . . . . . . . . . . 1481
Modifying email notification subject and message text for DVCKM . . . 1484
Modifying DVCKM email notification to use HTML content templates . . . 1486
Configuring the XAP connection settings for DVCKM . . . . . . . . . . . . . . 1487
Configuring the XAP message signing algorithm for DVCKM . . . . . . . . 1489
Configuring the DVCKM protocol settings . . . . . . . . . . . . . . . . . . . . . . . 1490
Configuring communications between the DVCKM and SPOC Domestic Web
Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1492

Configuring the DV Web Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1493


Configuring DV Web Service logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1494



Configuring email notification for the DV Web Service . . . . . . . . . . . . . 1495
Configuring SMTP server settings for the DV Web Service . . . . . . 1495
Email notification files for the DV Web Service . . . . . . . . . . . . . . . 1496
Enabling and disabling email notification for the DV Web Service 1497
Modifying email notification subject and message text for the DV Web
Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1500
Modifying DV Web Service email notification to use HTML content
templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1502
Configuring the XAP connection settings for the DV Web Service . . . . . 1504
Configuring the XAP message signing algorithm for the DV Web Service 1506
Configuring CSCA materials distribution . . . . . . . . . . . . . . . . . . . . . . . . 1507
Enabling and disabling CSCA materials distribution . . . . . . . . . . . 1507
Configuring the incoming CSCA materials folder . . . . . . . . . . . . . 1508
Configuring the CSCA materials storage folder . . . . . . . . . . . . . . 1509
Configuring how often the DV Web Service checks for new CSCA
materials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1510
Configuring CRL checking of CSCA materials . . . . . . . . . . . . . . . 1511
Providing the latest domestic CSCA root certificate to the DV Web Service . . . 1513
Providing CSCA materials to the DV Web Service . . . . . . . . . . . . . . . . . 1514

Administering a Document Verifier. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1517


Getting started in Security Manager Control Command Shell . . . . . . . . 1518
Logging in to Security Manager Control Command Shell . . . . . . . 1518
Logging out of Security Manager Control Command Shell . . . . . 1522
Getting started in DV Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . 1523
Logging in to DV Administration . . . . . . . . . . . . . . . . . . . . . . . . . 1523
How the role assigned to the DV administrator affects DV Administration
interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1524
Using the DV Administration interface . . . . . . . . . . . . . . . . . . . . . 1525
Information bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1525
Taskbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1525
Action bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1525
Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1525
Other interface elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1526
Viewing the Document Verifier holder identity . . . . . . . . . . . . . . . . . . . 1527

Viewing the domestic CVCA holder identity . . . . . . . . . . . . . . . . . . . . . 1528
Configuring the CVCA policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1529
Managing Country Verifying Certification Authorities . . . . . . . . . . . . . . 1530
Adding Country Verifying Certification Authorities . . . . . . . . . . . . 1530
Viewing Country Verifying Certification Authorities . . . . . . . . . . . 1534
Finding Country Verifying Certification Authorities . . . . . . . . . . . . 1536
Modifying Country Verifying Certification Authorities . . . . . . . . . 1537
Disabling or suspending Country Verifying Certification Authorities . . . 1541
Enabling or activating Country Verifying Certification Authorities . 1542
Deleting Country Verifying Certification Authorities . . . . . . . . . . . 1545
Managing CVCA certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1546
Importing CVCA certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1546
Viewing CVCA certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1550
Exporting CVCA certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1553
Configuring the Document Verifier policy . . . . . . . . . . . . . . . . . . . . . . . 1559
Managing Document Verifier certificate requests . . . . . . . . . . . . . . . . . . 1565
Creating DV certificate requests . . . . . . . . . . . . . . . . . . . . . . . . . . 1565
Viewing DV certificate requests . . . . . . . . . . . . . . . . . . . . . . . . . . 1571
Canceling DV certificate requests . . . . . . . . . . . . . . . . . . . . . . . . . 1573
Exporting DV certificate requests . . . . . . . . . . . . . . . . . . . . . . . . . 1575
Managing Document Verifier certificates . . . . . . . . . . . . . . . . . . . . . . . . 1578
Importing DV certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1578
Viewing DV certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1581
Exporting DV certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1585
Viewing the current Document Verifier signing keys . . . . . . . . . . . . . . . 1589
Configuring Inspection System policy . . . . . . . . . . . . . . . . . . . . . . . . . . 1590
Managing Inspection Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1594
Adding Inspection Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1594
Viewing Inspection Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1598
Finding Inspection Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1601
Modifying Inspection Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . 1602
Disabling or suspending Inspection Systems . . . . . . . . . . . . . . . . . 1607
Enabling or activating Inspection Systems . . . . . . . . . . . . . . . . . . . 1609
Deleting Inspection Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1611



Managing Inspection System certificate requests . . . . . . . . . . . . . . . . . . 1613
Previewing Inspection System certificate requests . . . . . . . . . . . . 1613
Processing Inspection System certificate requests . . . . . . . . . . . . . 1614
Managing Inspection System certificates . . . . . . . . . . . . . . . . . . . . . . . . 1619
Viewing Inspection System certificates . . . . . . . . . . . . . . . . . . . . . 1619
Exporting Inspection System certificates . . . . . . . . . . . . . . . . . . . . 1622
Previewing EAC certificates and certificate requests . . . . . . . . . . . . . . . . 1627
Previewing EAC certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1627
Previewing EAC certificate requests . . . . . . . . . . . . . . . . . . . . . . . 1627
Queued operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1629

Customizing DV Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1633


Customizing the DV Administration interface . . . . . . . . . . . . . . . . . . . . 1634
Adding your company logo to DV Administration . . . . . . . . . . . . 1634
Customizing the browser title for DV Administration . . . . . . . . . . 1635
Customizing the application title for DV Administration . . . . . . . . 1636
Customizing the online help for DV Administration . . . . . . . . . . . . . . . . 1638
Location of the DV Administration help files . . . . . . . . . . . . . . . . 1638
Editing the content of the DV Administration help files . . . . . . . . 1639
Updating the browser title of the DV Administration online help . 1640
Updating the application title of the DV Administration online help . . . 1640
Customizing DV Administration styles . . . . . . . . . . . . . . . . . . . . . . . . . . 1643
Adding a custom notification service . . . . . . . . . . . . . . . . . . . . . . . . . . . 1644

Localizing DV Administration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1645


Localization overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1646
About locales . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1646
Defining locales . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1646
Location of DV Administration locale folders . . . . . . . . . . . . . . . . . . . . . 1647
Adding a DV Administration locale . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1648
Translating DV Administration files . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1649

Troubleshooting localization in DV Administration . . . . . . . . . . . . . . . . . 1652
Translating email notification templates . . . . . . . . . . . . . . . . . . . . 1652
Translating JSP pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1652
HTML entities referenced by names . . . . . . . . . . . . . . . . . . . . . . . 1653
Broken JavaScript code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1653
Web browsers cannot display some locale names . . . . . . . . . . . . . 1653

DV command quick reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1655

Appendix section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1669


Assurance policy tests performed on CSCA materials. . . . . . . . . . . . . . . . .1671

Verifying the integrity of secure audit logs. . . . . . . . . . . . . . . . . . . . . . . . .1675

Extended Access Control audit logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1677

Credentials for Administration Services . . . . . . . . . . . . . . . . . . . . . . . . . . .1687


Credentials for the PKD Writer services . . . . . . . . . . . . . . . . . . . . . . . . . 1688
PKD Writer Server profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1688
PKD Writer Client profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1688
PKD Access credential . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1688
Credentials for the PKD Reader services . . . . . . . . . . . . . . . . . . . . . . . . . 1689
PKD Reader Server profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1689
PKD Reader Client profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1689
PKD Access credential . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1689
Credentials for the NPKD services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1690
NPKD Server profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1690
PKD Reader Client profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1690
NPKD Client profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1690
NPKD administrator certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . 1691



Credentials for the Master List Signer services . . . . . . . . . . . . . . . . . . . . 1692
Country Signing Certification Authority (CSCA) root certificate . . 1692
Master List Signer profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1692
Master List Server profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1692
Master List Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1693
PKD Writer Client profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1693
Master List Signer administrator certificate . . . . . . . . . . . . . . . . . . 1693
Credentials for CVCA Administration . . . . . . . . . . . . . . . . . . . . . . . . . . 1694
CVCA Administration Server profile . . . . . . . . . . . . . . . . . . . . . . . 1694
CVCA Administration XAP profile . . . . . . . . . . . . . . . . . . . . . . . . 1694
CVCA administrator certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . 1694
Credentials for the SPOC services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1696
SPOC Server profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1696
SPOC Client profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1696
SPOC Domestic Web Service profile . . . . . . . . . . . . . . . . . . . . . . 1696
Entire chain of CVCA certificates . . . . . . . . . . . . . . . . . . . . . . . . . 1697
SPOC administrator certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . 1697
Credentials for DV Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1698
DV Administration Server profile . . . . . . . . . . . . . . . . . . . . . . . . . 1698
DV Administration XAP profile . . . . . . . . . . . . . . . . . . . . . . . . . . . 1698
DV administrator certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1698
Credentials for the DV Web Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1699
DV Web Service profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1699
Country Signing Certification Authority (CSCA) root certificate . . 1699
NPKD Client profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1699
Credentials for DVCKM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1700
DVCKM profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1700
SPOC DVCKM Client profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1700

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1701

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1707


About this guide


This guide describes how to install, configure, and manage an Entrust ePassport
solution. A complete Entrust ePassport solution covers both the Basic Access Control
(BAC) and Extended Access Control (EAC) solutions for electronic passports.
This chapter contains the following sections:
• “Revision information” on page 38
• “Documentation conventions” on page 41
• “Related documentation” on page 43
• “Obtaining documentation” on page 44
• “Obtaining technical assistance” on page 45

Revision information
Table 1: Revisions in this document

Document issue 5.0 (April 2019)
Section: “Installing the Document Signer Service” on page 165
Description: The Document Signer Service installer on Entrust Datacard TrustedCare is the latest patch installer. To reflect the installer changes:
• Updated some steps to reflect the changes to the installer file name.
• Added a step to the Linux procedure about restarting the systemd manager configuration.

Document issue 5.0 (April 2019)
Section: “Restarting the Document Signer Service” on page 206
Description: Updated the Linux instructions for Linux 7.x. (With the latest patch, Linux 6.x is no longer supported.)

Document issue 4.0 (February 2019)
Section: “Installing and configuring Security Manager on Windows” on page 1154
Description: Removed or updated steps that contained information about configuration options that no longer exist in Security Manager 8.3. Added information about configuring CDP information.

Document issue 4.0 (February 2019)
Section: “Configuring the SPOC CA” on page 1157
Description: Removed topic “Configuring CDP information”. Information about configuring CDP information is now included in the Security Manager installation and configuration instructions.

Document issue 4.0 (February 2019)
Section: “Configuring the SPOC CA certificate” on page 1157
Description: Corrected a file path.

Document issue 4.0 (February 2019)
Section: “Restricting SPOC service ports to the applicable service URLs” on page 1221
Description: Corrected a default port number in the example.

Document issue 3.0 (January 2019)
Section: “Installing and configuring Security Manager on Windows” on page 99
Description: Removed the following statements:
• For compatibility with Entrust ePassport products, it is recommended that you select RSA-3072.
• For compatibility with Entrust ePassport products, it is recommended that you use RSAPSS-SHA256 for the signing algorithm.

Document issue 3.0 (January 2019)
Section: “Installing and configuring Security Manager on Windows” on page 99
Description: Changed a note to the following:
Note: Currently most Security Manager client applications do not support https: CDPs and will ignore them and use the combined CRL stored in the Security Manager directory. If the combined CRL is not enabled, you must define at least one http: or ldap: URL so that Security Manager client applications can access the CRL. All https: URLs must be defined last in the list of CDP URLs.

Document issue 3.0 (January 2019)
Section: “Installing and configuring Security Manager on Linux” on page 103
Description: Removed the following statements:
• For compatibility with Entrust ePassport products, it is recommended that you select RSA-3072.
• For compatibility with Entrust ePassport products, it is recommended that you use RSAPSS-SHA256 for the signing algorithm.

Document issue 3.0 (January 2019)
Section: “Installing and configuring Security Manager on Linux” on page 103
Description: Changed a note to the following:
Note: Currently most Security Manager client applications do not support https: CDPs and will ignore them and use the combined CRL stored in the Security Manager directory. If the combined CRL is not enabled, you must define at least one http: or ldap: URL so that Security Manager client applications can access the CRL. All https: URLs must be defined last in the list of CDP URLs.

Document issue 3.0 (January 2019)
Section: “Configuring CRL Distribution Points (CDPs)” on page 120
Description: Changed a note to the following:
Note: Currently most Security Manager client applications do not support https: CDPs and will ignore them and use the combined CRL stored in the Security Manager directory. If the combined CRL is not enabled, you must define at least one http: or ldap: URL so that Security Manager client applications can access the CRL. All https: URLs must be defined last in the list of CDP URLs.

Document issue 3.0 (January 2019)
Section: “Configuring the CA policy settings for a CSCA” on page 131
Description: Removed the following statement:
For compatibility with Entrust ePassport products, it is recommended that you use RSA-3072 for the CSCA key type, and RSAPSS-SHA256 for the signing algorithm.

Document issue 2.0 (December 2018)
Section: “Installing the NPKD services” on page 482
Description: In the step about configuring the National PKD provided by the installer, added the following note:
Note: Administration Services uses ForgeRock OpenDJ as the provided National PKD. OpenDJ uses port 4444 for some internal operations. This port is configured to listen only on the loopback address. This port is separate from the LDAP listen port (default 389).

Document issue 1.0 (November 2018)
Section: All sections
Description: First release of the guide.
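The CDP note introduced in document issue 3.0 states two constraints on the list of CRL Distribution Point URLs that Security Manager publishes: when the combined CRL is disabled there must be at least one http: or ldap: URL, because most client applications ignore https: CDPs, and every https: URL must be listed after the others. The following Python check is an added example written for this page; it is not part of the guide and is not Entrust tooling. The function names validate_cdp_urls and order_cdp_urls are hypothetical, the sample URLs are constructed, and treating schemes other than http:, https: and ldap: as unsupported is an assumption, since the note mentions only those three.

```python
from urllib.parse import urlsplit

# Schemes that, per the guide's note, Security Manager client applications can
# actually use to fetch a CRL. https: CDPs are ignored by most clients.
# Any other scheme (for example ldaps:) is treated as unsupported here; that is
# an assumption, since the note only names http:, https: and ldap:.
FETCHABLE_SCHEMES = ("http", "ldap")
KNOWN_SCHEMES = ("http", "https", "ldap")


def _scheme(url):
    """Lower-cased URL scheme, e.g. 'ldap' for an ldap:// CDP."""
    return urlsplit(url).scheme.lower()


def validate_cdp_urls(cdp_urls, combined_crl_enabled):
    """Check an ordered CDP URL list against the note's two rules.

    Returns a list of problem descriptions; an empty list means the list is
    acceptable as written.
    """
    problems = []
    schemes = [_scheme(u) for u in cdp_urls]

    for url, scheme in zip(cdp_urls, schemes):
        if scheme not in KNOWN_SCHEMES:
            problems.append(f"unsupported CDP scheme in {url!r}")

    # Rule 1: without the combined CRL, clients need at least one URL they
    # will not ignore, i.e. an http: or ldap: URL.
    if not combined_crl_enabled and not any(s in FETCHABLE_SCHEMES for s in schemes):
        problems.append("no http: or ldap: CDP URL and the combined CRL is disabled")

    # Rule 2: every https: URL must come after all http:/ldap: URLs.
    seen_https = False
    for url, scheme in zip(cdp_urls, schemes):
        if scheme == "https":
            seen_https = True
        elif seen_https:
            problems.append(f"{url!r} follows an https: URL; https: URLs must be last")
    return problems


def order_cdp_urls(cdp_urls):
    """Return a copy with every https: URL moved to the end, relative order kept."""
    non_https = [u for u in cdp_urls if _scheme(u) != "https"]
    https = [u for u in cdp_urls if _scheme(u) == "https"]
    return non_https + https


if __name__ == "__main__":
    # Constructed sample: an https: CDP listed ahead of an ldap: one, which
    # violates the ordering rule even though the ldap: URL satisfies rule 1.
    sample = [
        "https://crl.example.gov/spoc-ca.crl",
        "ldap://directory.example.gov/cn=CRL1,o=SPOC%20CA,c=XX?certificateRevocationList",
    ]
    for problem in validate_cdp_urls(sample, combined_crl_enabled=False):
        print("problem:", problem)
    print("reordered:", order_cdp_urls(sample))
```

Run the check against the CDP list you intend to enter during Security Manager configuration, before committing it; order_cdp_urls only fixes ordering, so a list with no http: or ldap: entry still needs a fetchable URL added or the combined CRL enabled.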

Documentation conventions
The following documentation conventions are used in this guide:

Table 2: Typographic conventions

Convention                        Description
Bold text (other than headings)   Indicates graphical user interface elements and wizards. For example:
                                  Click Next.
Italicized text                   Used for book or document titles. For example:
                                  Entrust IdentityGuard Administration Guide
Blue text                         Used for hyperlinks to other sections in the document. For example:
                                  For more information, see “About this guide” on page 37.
Underlined blue text              Used for Web links. For example:
                                  For more information, visit our Web site at https://www.entrustdatacard.com.
Courier type                      Indicates installation paths, file names, Windows registry keys, commands,
                                  and text you must enter. For example:
                                  Use the entrust-configuration.xml file to change certain options for
                                  Verification Server.
Angle brackets < >                Indicates variables (text you must replace with your organization’s correct
                                  values). For example:
                                  By default, the entrust.ini file is in the following location:
                                  <install_path>/conf/security/entrust.ini
Square brackets [ ]               Indicates optional parameters. For example:
                                  dsa passwd [-ldap]
Curly braces { }                  Used to group parts of a command together. For example:
                                  officer client-setting {query <name> | all} | {set <name> <value>}
Vertical bar |                    Indicates either/or parameters. For example:
                                  dsa restore all | ca
Plus sign +                       Indicates multiple values can be configured in one command. For example:
                                  ca cert config {-lifetime <value> | -period <value>}+

<DSS-install>                     Indicates the installation directory of Entrust Authority Document Signer
                                  Service.
                                  By default on Windows: C:/Program Files/Entrust/DocumentSignerService
                                  By default on Linux: /opt/entrust/DocumentSignerService
<AS-install>                      Indicates the installation directory of Entrust Authority Administration
                                  Services.
                                  By default on Windows: C:/Program Files/Entrust/AdminServices
                                  By default on Linux: /opt/entrust/adminservices

Note and Attention text


Throughout this guide, there are paragraphs set off by ruled lines above and below
the text. These paragraphs provide key information with two levels of importance, as
shown below.

Note:
Information to help you maximize the benefits of your Entrust product.

Attention:
Issues that, if ignored, may seriously affect performance, security, or the
operation of your Entrust product.

Related documentation
This section describes related reading material that may be used in conjunction with
this guide.

Related Security Manager documentation:


• Security Manager 8.3 Release Notes
• Security Manager 8.3 Deployment Guide
• Security Manager 8.3 Directory Configuration Guide
• Security Manager 8.3 Database Configuration Guide
• Security Manager 8.3 Installation Guide
• Security Manager 8.3 Operations Guide

Related Security Manager Administration documentation:


• Security Manager Administration 8.3 Release Notes
• Security Manager Administration 8.3 User Guide
• Security Manager Administration 8.3 Online Help

Related Administration Services documentation:


• Administration Services 9.3 Release Notes
• Administration Services 9.3 Installation Guide
• Administration Services 9.3 Configuration Guide
• Administration Services 9.3 User Administration Guide
• Administration Services 9.3 CSR Administration Guide

Related Document Signer Service documentation:


• Document Signer Service 9.0 Release Notes
• Document Signer Service 9.0 Profile Creation Utility Error messages
• Document Signer Service 9.0 Verification Server Error messages
• Document Signer Service 9.0 Secure Logger Check Audit Utility Error
messages
• Document Signer Service 9.0 Verification Server Guide

Obtaining documentation
Entrust product documentation, white papers, technical notes, and a comprehensive
Knowledge Base are available through Entrust Datacard TrustedCare. If you are
registered for our support programs, you can use our Web-based Entrust Datacard
TrustedCare support services at:
https://trustedcare.entrustdatacard.com

Documentation feedback
You can rate and provide feedback about Entrust Datacard product documentation
by completing the online feedback form. Any information that you provide goes
directly to the documentation team and is used to improve and correct the
information in our guides. You can access this form by:
• clicking the Report any errors or omissions link located in the footer of
Entrust Datacard’s PDF documents (see bottom of this page).
• following this link: http://go.entrust.com/documentation-feedback
Feedback concerning documentation can also be directed to the Customer Support
email address.
support@entrustdatacard.com

Obtaining technical assistance
Entrust Datacard recognizes the importance of providing quick and easy access to our
support resources. The following subsections provide details about the technical
support and professional services available to you.

Technical support
Entrust Datacard offers a variety of technical support programs to help you keep
Entrust products up and running. To learn more about the full range of Entrust
Datacard technical support services, visit our Web site at:
https://www.entrustdatacard.com/
If you are registered for our support programs, you can use our Web-based support
services.
Entrust Datacard TrustedCare offers technical resources including Entrust product
documentation, white papers and technical notes, and a comprehensive Knowledge
Base at:
https://trustedcare.entrustdatacard.com
If you contact Customer Support, please provide as much of the following
information as possible:
• your contact information
• product name, version, and operating system information
• your deployment scenario
• description of the problem
• copy of log files containing error messages
• description of conditions under which the error occurred
• description of troubleshooting activities you have already performed

Email address
The email address for Customer Support is:
support@entrustdatacard.com

Professional Services
The Entrust Datacard team assists organizations around the world to deploy and
maintain secure transactions and communications with their partners, customers,
suppliers and employees. Entrust Datacard offers a full range of professional services
to deploy our solutions successfully for wired and wireless networks, including

planning and design, installation, system integration, deployment support, and
custom software development.
Whether you choose to operate your Entrust Datacard solution in-house or subscribe
to hosted services, Entrust Datacard Professional Services will design and implement
the right solution for your organization’s needs. For more information about Entrust
Professional Services please visit our Web site at:
https://www.entrust.com/services

Training
Through a variety of hands-on courses, Entrust Datacard delivers effective training for
deploying, operating, administering, extending, customizing and supporting any
variety of Entrust Datacard digital identity and information security solutions.
Delivered by training professionals, Entrust Datacard’s professional training services
help to equip you with the knowledge you need to speed the deployment of your
security platforms and solutions. Please visit our training Web site at:
https://www.entrustdatacard.com/resource-center/training

Section 1
Overview section

This section provides an overview of the Entrust solution of ePassport products, and
overviews of the Country Signing infrastructure and Country Verifying infrastructure.
This section includes the following chapters:
• “Basic Access Control overview” on page 49
• “How the Document Signer Service works” on page 59
• “Extended Access Control overview” on page 73

1

Basic Access Control overview


Security concerns, developing technologies, and emerging standards have led
national governments to issue more sophisticated Machine Readable Travel
Documents (MRTDs) to their citizens. Commonly known as e-passports, these travel
documents contain a chip that stores the holder's personal data and biometric
information, such as facial, fingerprint, or iris images.
Basic Access Control (BAC) is the mechanism that prevents the chip from being read
without physical access to the document and protects the communication between the
MRTD and the Inspection System against eavesdropping: the Inspection System must
first prove knowledge of data printed in the document before the chip releases its
contents, and the session that follows is encrypted. The integrity and authenticity
of the chip's contents are established separately, by Passive Authentication, in
which the Inspection System verifies the Document Signer's signature on the
Document Security Object against a trusted CSCA certificate. The Entrust BAC
solution described in this chapter provides the PKI that issues, distributes, and
uses those signing credentials. (See “Inspection Systems” on page 76 for
information about Inspection Systems.)
This chapter includes the following sections:
• “BAC architecture” on page 50
• “BAC system components” on page 53

BAC architecture
Each country has a single Country Signing Certification Authority (CSCA). The CSCA
acts as a root of trust for e-passports issued within its own country. The CSCA issues
certificates to one or more Document Signers. The Document Signers use the
corresponding private keys to sign the Document Security Object on electronic
passports. The CSCA also issues certificates for signing master lists of trusted CSCAs.
Countries may use these master lists to trust the CSCAs from other countries.
Figure 1 illustrates the BAC architecture showing one country.

Figure 1: BAC architecture showing one country

Country Signing Certification Authority
Each country has a single Country Signing Certification Authority (CSCA). The CSCA
acts as a root of trust for e-passports issued within its own country.
The CSCA issues certificates to one or more Document Signers (see “Document
Signer” on page 51). The Document Signers use the corresponding private keys to
sign the Document Security Object on electronic passports.
The CSCA also issues certificates to a Master List Signer, which digitally signs master
lists of trusted CSCAs. Countries may use these master lists to trust the CSCAs from
other countries.
The CSCA must issue and make available Document Signer certificates, relevant
certificate revocation lists (CRLs), and optionally master lists for transmission to the
International Civil Aviation Organization (ICAO) Public Key Directory (PKD) and to
other jurisdictions.
The CSCA key pair is typically generated and stored in a highly-protected, offline
Certification Authority (CA) infrastructure.

Document Signer
Each country has one or more Document Signers. Document Signers are issued
certificates from a Country Signing Certification Authority (CSCA). Document Signers
use the corresponding private keys to sign the Document Security Object on
electronic passports.
Document Signer certificates are renewed after a certain number of signings, after
a certain period of time, or on a combination of both criteria, so that each
signing key is used for a bounded volume and a bounded time.

Master List Signer


The CSCA issues certificates to a Master List Signer. The Master List Signer signs
master lists of trusted CSCAs. Countries use these master lists to contribute to the
trust of CSCA certificates from other countries. Master lists are uploaded to the
International Civil Aviation Organization Public Key Directory (ICAO PKD) for
download in other jurisdictions.

ICAO Public Key Directory


The International Civil Aviation Organization Public Key Directory (ICAO PKD) is
intended to collect, store, and publish Document Signer certificates, certificate
revocation lists (CRLs), and master lists issued by each country. The ICAO PKD is
maintained by ICAO and is outside the scope of this guide, although Entrust does
supply software to read and write to the ICAO PKD (see “BAC system components”
on page 53).

Inspection Systems
National passport inspection authorities (such as border services, port authorities,
customs, and police personnel) operate Inspection Systems that are capable of
validating e-passports and accessing their biometric data. An Inspection System
consists of:
• a radio frequency identification (RFID) reader capable of interacting with the
integrated circuit chip on an e-passport
• a control system to which the RFID reader is connected
An Inspection System may be located outside of a country’s territorial boundaries. For
example, a country may operate an Inspection System at a foreign airport to pre-clear
passengers before boarding.
Inspection Systems in each country can use the CSCA materials (CSCA certificates,
master lists, CRLs, and Document Signer certificates) to verify the integrity and
authenticity of the MRTD chip.
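The trust chain described in this chapter, worked through as an added example that is not part of this guide or of any Entrust product: a constructed CSCA issues a Document Signer certificate, the Document Signer signs the hashes of the data groups written to the chip (a stand-in for the Document Security Object, which in a real passport is a CMS SignedData structure), and an Inspection System performs Passive Authentication using only the CSCA certificates it trusts. This is the same check that the IS Client and Verification Server sections later in this guide describe from their respective sides. The function names, the "UT" test country, the data-group contents and the simplified hash-list encoding are assumptions made for the demo; RSA-2048 is used only to keep it fast and is not a key-size recommendation.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SOD stands in for the Document Security Object: the hash of every data group on the chip,
// signed by the Document Signer. (A real SOD is a CMS SignedData structure; a plain hash list
// keeps this example self-contained.)
type SOD struct{ DGHashes map[int][32]byte; Signature []byte }

func mustCert(der []byte, err error) *x509.Certificate {
	c, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic(fmt.Sprint(err, perr))
	}
	return c
}

// NewIssuer builds a country's self-signed CSCA and a short-lived Document Signer certificate
// issued by it. The DS private key is returned only so the demo can sign; in practice it never
// leaves the issuer. RSA-2048 keeps the demo fast and is not a key-size recommendation.
func NewIssuer(code string) (csca, ds *x509.Certificate, dsKey *rsa.PrivateKey) {
	cscaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	dsKey, _ = rsa.GenerateKey(rand.Reader, 2048)
	cscaTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{Country: []string{code}, CommonName: "CSCA " + code},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(15, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, SignatureAlgorithm: x509.SHA256WithRSAPSS,
	}
	csca = mustCert(x509.CreateCertificate(rand.Reader, cscaTpl, cscaTpl, &cscaKey.PublicKey, cscaKey))
	dsTpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{Country: []string{code}, CommonName: "DS " + code},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(0, 3, 0), // DS certificates are renewed after a signing period
		KeyUsage: x509.KeyUsageDigitalSignature, SignatureAlgorithm: x509.SHA256WithRSAPSS,
	}
	ds = mustCert(x509.CreateCertificate(rand.Reader, dsTpl, csca, &dsKey.PublicKey, cscaKey))
	return csca, ds, dsKey
}

// encodeHashes is the byte string that actually gets signed: DG number, then its hash, in fixed order.
func encodeHashes(h map[int][32]byte) []byte {
	var buf []byte
	for n := 1; n <= 16; n++ { // the LDS defines DG1..DG16; a fixed order keeps the encoding deterministic
		if dg, ok := h[n]; ok {
			buf = append(append(buf, byte(n)), dg[:]...)
		}
	}
	return buf
}

// SignDataGroups is the Document Signer's job at issuance: hash each data group written to the
// chip and sign the hash list with the DS private key (PSS salt length as X.509 verifiers expect).
func SignDataGroups(dsKey *rsa.PrivateKey, dgs map[int][]byte) *SOD {
	hashes := map[int][32]byte{}
	for n, content := range dgs {
		hashes[n] = sha256.Sum256(content)
	}
	digest := sha256.Sum256(encodeHashes(hashes))
	sig, err := rsa.SignPSS(rand.Reader, dsKey, crypto.SHA256, digest[:], &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
	if err != nil {
		panic(err)
	}
	return &SOD{DGHashes: hashes, Signature: sig}
}

// PassiveAuthentication is the Inspection System's check: the DS certificate must chain to a CSCA
// in roots (obtained via master lists), the SOD signature must verify under the DS public key,
// and every data group read from the chip must hash to the value the issuer signed.
func PassiveAuthentication(roots *x509.CertPool, dsCert *x509.Certificate, sod *SOD, chip map[int][]byte) error {
	if _, err := dsCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("Document Signer certificate not trusted: %w", err)
	}
	if err := dsCert.CheckSignature(x509.SHA256WithRSAPSS, encodeHashes(sod.DGHashes), sod.Signature); err != nil {
		return fmt.Errorf("SOD signature invalid: %w", err)
	}
	for n, content := range chip {
		if want, ok := sod.DGHashes[n]; !ok || sha256.Sum256(content) != want {
			return fmt.Errorf("DG%d is not covered by the SOD or has been altered", n)
		}
	}
	return nil
}

func main() {
	csca, ds, dsKey := NewIssuer("UT") // constructed issuer; UT is the ICAO test country code
	chip := map[int][]byte{1: []byte("P<UTOERIKSSON<<ANNA<MARIA<<<<<<<<<<<<<<<<<<<"), 2: []byte("constructed face image")}
	sod := SignDataGroups(dsKey, chip)
	roots := x509.NewCertPool()
	roots.AddCert(csca)
	fmt.Println("genuine chip:", PassiveAuthentication(roots, ds, sod, chip))
	chip[1][23] ^= 1 // flip one bit of DG1 after signing
	fmt.Println("altered DG1: ", PassiveAuthentication(roots, ds, sod, chip))
}
```

Running it prints `genuine chip: <nil>` followed by an error for the altered data group. Note what the check deliberately does not do: it consults no CRL, so a Document Signer certificate that the CSCA has revoked would still chain successfully. That is why the CSCA materials distributed to Inspection Systems include CRLs alongside the certificates and master lists, and a production Inspection System must apply them.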

BAC system components
This section describes the principal Entrust components that are required for a Basic
Access Control (BAC) system. Figure 2 illustrates the Entrust components in a BAC
system.

Figure 2: Entrust BAC system components

Entrust Authority Security Manager
Entrust Authority Security Manager is a mandatory component of an Entrust BAC
system. Security Manager provides the following Certification Authorities (CAs) in an
Entrust BAC system:
• Country Signing Certification Authority (CSCA)
The CSCA acts as a root of trust for e-passports issued within its own country.
The CSCA issues certificates that bind each Document Signer's public key to its
identity, so that a verifier who trusts the CSCA can trust signatures made with
the corresponding private key. The CSCA also issues a credential to a Master List
Signer for signing master lists of trusted CSCAs.
If required, you can configure Security Manager as a combined CSCA and
Country Verifying Certification Authority (CVCA). A CVCA is the root of
trust for an Extended Access Control system. For more information about the
CVCA or Extended Access Control, see “Extended Access Control overview”
on page 73.
• Master List Signer Services CA
The Master List Signer Services CA can be the CSCA (as shown in Figure 2
on page 53) or any other CA in an e-passport architecture.
The Master List Signer Services CA provides profiles for the Master List Signer
services provided by Entrust Authority Administration Services.
• PKD Writer Services CA
The PKD Writer Services CA can be combined with the PKD Reader Services
CA. The PKD Writer Services CA can be the CSCA (as shown in Figure 2 on
page 53) or any other CA in an e-passport environment.
The PKD Writer Services CA issues profiles required to run the PKD Writer
services provided by Administration Services.
• PKD Reader Services CA
The PKD Reader Services CA can be combined with the PKD Writer Services
CA. The PKD Reader Services CA can be the CSCA (as shown in Figure 2 on
page 53) or any other CA in an e-passport environment.
The PKD Reader Services CA issues profiles required to run the PKD Reader
services provided by Administration Services.
• NPKD Services CA
The NPKD Services CA can be combined with the PKD Reader Services CA,
the PKD Writer Services CA, or both. The NPKD Services CA can be the
CSCA (as shown in Figure 2 on page 53) or any other CA in an e-passport
environment.
The NPKD Services CA issues profiles required to run the NPKD services
provided by Administration Services.
• Document Verifier CA

When you install and configure Security Manager, you configure Security
Manager as an X.509 Certification Authority (CA). You use this CA to create
and manage roles, policies, certificate types, and other information for users
and Security Manager client applications.
In an Entrust BAC system, you use the DVCA to create a profile for the DV
Web Service, a DV service provided by Administration Services. In a
BAC-only system, the DVCA issues X.509 certificates only.
In an Entrust EAC system, Security Manager is a mandatory component and
must also be configured as a Document Verifier (see “Extended Access
Control overview” on page 73).
For more information about Security Manager, see the Security Manager
documentation.

Entrust Authority Administration Services


Entrust Authority Administration Services provides Web-based services to manage an
e-passport system.
For a Master List Signer, Administration Services provides:
• MLS Web Service
The MLS Web Service is a Web service designed to create, sign, and retrieve
master lists of trusted foreign CSCAs.
• MLS Administration
MLS Administration is a Web-based interface for administering a Master List
Signer. Master List Signer administrators use MLS Administration to view and
update domestic master lists of trusted foreign CSCAs, and to view and
upload foreign master lists.
For a PKD Writer, Administration Services provides:
• PKD Writer Web Service
The PKD Writer Web service writes master lists, CRLs, and Document Signer
certificates to the ICAO PKD. The PKD Writer Web service also records and
maintains a history of the materials that have been uploaded, and supports
a connection to the MLS Administration interface.
For a PKD Reader, Administration Services provides:
• PKD Reader Web Service
The PKD Reader Web service periodically contacts the ICAO PKD and
downloads foreign master lists, Document Signer certificates, and CRLs.
If the NPKD services are installed, the PKD Reader can import the CSCA
materials into the NPKD services; the import must be enabled at the NPKD
services. If the import is disabled at the NPKD services, an NPKD
administrator can manually import the CSCA materials. If the NPKD services

are not installed, the PKD Reader must copy the CSCA materials to the
appropriate locations at the DV Web Service.
The PKD Reader Web Service also supports a connection to the NPKD
Administration interface so NPKD administrators can manage the PKD
Reader.
For the NPKD services, Administration Services provides:
• NPKD Web Service
The NPKD Web Service retrieves CSCA certificates, master lists, Document
Signer certificates, and CRLs stored in the National PKD, along with their
assurance levels and metadata.
• NPKD Administration
NPKD Administration is a Web-based interface for administering the NPKD
services. NPKD administrators use NPKD Administration to import and
manage CSCA certificates, master lists, Document Signer certificates, and
CRLs stored in the National PKD.
For a Document Verifier, Administration Services provides:
• DV Web Service
The DV Web Service is required to communicate with an IS Concentrator or
IS Client. In a BAC system, the DV Web Service is a Web service designed to
provide CSCA certificates, master lists, CRLs, and Document Signer
certificates to Inspection Systems.
In an EAC system, the DV Web Service can automatically process Inspection
System certificate requests without intervention from an administrator (see
“EAC system components” on page 78).

National PKD
The National PKD stores data taken from the ICAO PKD—master lists, Document
Signer certificates, and CRLs—along with validation test results and metadata. The
data can be imported from the PKD Reader or imported from files.
When deploying the NPKD services provided by Administration Services, you have
the option to deploy a National PKD directory included with Administration Services,
or you can use your own directory.

Entrust Authority Document Signer Service


The Entrust Authority Document Signer Service is the Document Signer component
in an Entrust BAC system. The Document Signer Service incorporates three principal
programs:
• Verification Server

Verification Server provides digital signature services. In the BAC solution,
Verification Server signs the Logical Data Structure Security Object (SOLDS) to be
placed on the MRTD, using credentials issued by the CSCA. The digital signature
provides evidence that the MRTD was issued by an authorized MRTD issuance system
and that the signed data has not been altered since signing. The signed SOLDS is
referred to as the Document Security Object (SOD). Once the SOLDS is digitally
signed, Verification Server returns the SOD to Signature Delivery Service, which
then returns it to your MRTD issuance system for placement in the Elementary File
Document Security Object (EF.SOD).

Note:
Verification Server includes other services that are not used by the CSCA solution.

For more information about Verification Server, see “About Verification
Server” on page 61.
• Signature Delivery Service
Signature Delivery Service receives requests for digital signatures from your
MRTD issuance system. The Signature Delivery Service interface processes
and validates the data in each request. In addition to version and structure
information, the request contains the Logical Data Structure Security Object
(SOLDS) to be digitally signed. The Signature Delivery Service formats and
hashes the SOLDS data, and submits it to Verification Server for signing. The
signed SOLDS is referred to as the Document Security Object (SOD). Once
signed by Verification Server, Signature Delivery Service returns the SOD to
your MRTD issuance system for placement on the passport in the Elementary
File Document Security Object.
For a high level overview, see “About the Signature Delivery Service” on
page 69.
• Profile Creation Utility
The Profile Creation Utility allows you to create digital IDs required by the
Document Signer when you have online access (network connectivity) to
Security Manager.
If you do not have network connectivity to Security Manager, you must use
the Offline Token Creation Utility to create digital IDs.
For more information about the Profile Creation Utility, see “About the
Profile Creation Utility” on page 63.
• Offline Token Creation Utility
Offline Token Creation Utility allows you to create an Entrust profile (.epf
file) on a hardware security module (HSM) when Security Manager is offline.

The Entrust profile manages the key and certificate for Verification Server,
which is used to sign the Logical Data Structure Security Object located in
the MRTD.
If Security Manager has network connectivity, do not use Offline Token
Creation Utility to create an Entrust profile, as it is only used when Security
Manager is in offline mode. The Document Signer Service includes a
software application called the Profile Creation Utility that generates an
Entrust profile through an online exchange with Security Manager.
For more information on the Offline Token Creation Utility, see “About the
Offline Token Creation Utility” on page 64.

Entrust Authority IS Concentrator


Entrust Authority IS Concentrator is an optional component of an Entrust BAC
system. In a BAC system, IS Concentrator obtains CSCA materials (CSCA certificates,
master lists, CRLs, and Document Signer certificates) from the DV Web Service and
provides them to attached IS Clients.
In an EAC system, IS Concentrator manages EAC certificates for one or more
Inspection Systems, and provides the certificates to attached IS Clients (see “EAC
system components” on page 78).
For more information about IS Concentrator, see the IS Concentrator Installation and
Configuration Guide.

Entrust Authority IS Client


Entrust Authority IS Client is a mandatory component of an Entrust BAC system. In a
BAC system, IS Client collects CSCA materials (CSCA certificates, master lists, CRLs,
and Document Signer certificates) and uses them to perform BAC Passive
Authentication with Machine Readable Travel Document (MRTD) chips.
IS Client can run in attached mode or standalone mode. In attached mode, an IS
Concentrator provides the CSCA materials to the IS Client. In standalone mode, IS
Client obtains the CSCA materials directly from the DV Web Service.
In an EAC system, IS Client manages EAC certificates for one or more Inspection
Systems, including complete lifecycle management of Inspection System certificates
(see “EAC system components” on page 78).
For more information about IS Client, see the IS Client Installation and Configuration
Guide.

2

How the Document Signer Service works
Entrust Authority Document Signer Service is the Document Signer component of a
Basic Access Control architecture (see “Basic Access Control overview” on page 49).
The Document Signer Service incorporates the following principal programs:
• Verification Server
• Profile Creation Utility
• Offline Token Creation Utility
• Signature Delivery Service
Your Machine Readable Travel Document (MRTD) issuance system uses the Document
Signer Service to create and add a digital signature to the Logical Data Structure
Security Object, producing the Document Security Object. The Document Security
Object is stored in the Elementary File Document Security Object on an MRTD such
as a passport.

Note:
The international MRTD effort is coordinated through the International Civil
Aviation Organization (ICAO), which issues the governing specifications for
interoperability between implementing nations. The principal document produced
by ICAO to govern PKI specifications is the Technical Report on PKI for Machine
Readable Travel Documents offering ICC read-only access v 0.4.1.0; its content
has since been incorporated into ICAO Doc 9303, which is the current reference
for MRTD PKI.

This chapter describes the various components of the Document Signer Service and
how they work. This chapter contains the following topics:
• “About Verification Server” on page 61

• “About the Profile Creation Utility” on page 63
• “About the Offline Token Creation Utility” on page 64
• “About the Signature Delivery Service” on page 69

About Verification Server
Verification Server digitally signs the Security Object of Machine Readable Travel
Documents (MRTDs) using credentials issued by the Country Signing Certification
Authority (CSCA). The signature binds the signer's identity to the signed data and
lets a verifier detect any alteration made after signing.
Verification Server provides Cryptographic Message Syntax (CMS) digital signatures.
For details, see “About the Digital Signature Service” on page 61.

Note:
Verification Server consists of three services, though you use only the Digital
Signature Service in an e-passport environment. The timestamping and XKMS
services are not used.

Features and benefits


Verification Server provides the following benefits:
• Authentication
A digital signature can be produced only with the private key used in its
creation, and that key is bound to the Document Signer by its CSCA-issued
certificate. A valid signature is therefore strong evidence of which Document
Signer signed the travel document.
• Support for nonrepudiation
Once a travel document is digitally signed, the signer cannot credibly deny
having produced the signature, provided the signing key was under the signer's
sole control; this is one reason the key is kept in a hardware security module.
All parties are thereby protected against false claims about who issued a
document.
• Data integrity
A digital signature covers the signed data, so any accidental or intentional
modification made after signing, however small, causes signature verification
to fail and is detected.

About the Digital Signature Service


The Digital Signature Service resides in a Web application running on an application
server. It accepts incoming XML documents from Web service clients such as
Signature Delivery Service, signs them using its signing private key, and sends a CMS
signed data object back to the requester. A single signing private key, belonging to
the Digital Signature Service, is used for signing.

Note:
Cryptographic Message Syntax (CMS) is defined in RFC 3369. See
http://www.ietf.org/rfc/rfc3369.txt for more information. RFC 3369 has since been
superseded by RFC 3852 and then RFC 5652, which carry the current CMS specification.

The Digital Signature Service is based on the SOAP Remote Procedure Call (RPC)
model.

The digital signing process


A digital signature signing operation has these main steps:
1 When a user wants to apply a digital signature to a piece of data, the client (such
as Signature Delivery Service) sends the data to the Digital Signature Service. The
data or URL is sent in a SOAP envelope.
2 When the SOAP message reaches the application server where Verification
Server resides, the SOAP servlet (which is bundled with Verification Server) routes
the SOAP message to the Digital Signature Service.
3 The service returns a CMS digital signature to the requester. It is wrapped in a
SOAP envelope, using HTTP or HTTPS as the transport mechanism.

Web server and application server


Verification Server resides as a Web application within the bundled Apache Tomcat
application server.
The Web server is optional and can be installed on the same server as Apache Tomcat
or on a different server. If you use a Web server, you must install an application server
connector on the Web server so that requests for application server resources are
redirected from the Web server to the application server.

About the Profile Creation Utility
The Profile Creation Utility is a component of the Document Signer Service. Use it to
generate digital IDs required by the Document Signer when you have online access
(network connectivity) to Security Manager.

Note:
If you do not have network connectivity to Security Manager, you must use the
Offline Token Creation Utility to create digital IDs. See “About the Offline Token
Creation Utility” on page 64 for more information.

The Profile Creation Utility performs the following functions:


• Creates an Entrust profile based on a reference number and authorization
code that you enter. The reference number and authorization code are
provided by Security Manager. An Entrust profile can be either a desktop
profile stored on your hard drive or a profile stored on a Hardware Security
Module (HSM), such as a hardware token.
• Creates Server Login credentials (.ual file). Server login allows the Digital
Signature Service and the secure logger to log in to their digital IDs whenever
the computer running Verification Server is restarted (such as after a system
failure) without administrator intervention.

About the Offline Token Creation Utility
The Offline Token Creation Utility is an application that creates an Entrust profile
within a hardware security module when Security Manager is operated in offline
mode.
The components of the Offline Token Creation Utility are:
• Offline Token Creation Utility Client
The Offline Token Creation Utility Client component communicates with the
hardware token to be used by Verification Server.
• Offline Token Creation Utility Server
The Offline Token Creation Utility Server component communicates with the
Security Manager’s Certificate Management Protocol (CMP) service.
In the BAC solution, the Entrust profile created through the Offline Token Creation
Utility manages the key and certificate for Verification Server, which it uses for signing
the Logical Data Structure Security Object contained within the Machine Readable
Travel Document (MRTD), such as a passport.

Note:
If you have online access to Security Manager, do not use the Offline Token
Creation Utility to create an Entrust profile. Instead, use the Profile Creation
Utility. The Profile Creation Utility is used to create an Entrust profile when
Security Manager has network connectivity. See “About the Profile Creation
Utility” on page 63.

About Entrust profiles


An Entrust profile is a collection of data that forms an electronic identity credential.
Applications use the profile for data encryption and digital signing.
An Entrust profile generally contains the following data:
• a cryptographic key pair used for creating and verifying digital signatures
• a public key certificate containing the verification key digitally signed by a
trusted issuer
• a cryptographic key pair used for encryption and decryption
• a public key certificate containing the encryption key digitally signed by a
trusted issuer
• a number of historic decryption keys that form the user’s key history
• a number of data objects containing information about:

– the user to whom the profile is issued
– the security parameters of the profile
– key management information
You can store an Entrust profile in a software file on your desktop or on a hardware
token.
Typically, an Entrust profile is created through an online exchange between a client
and Security Manager (the Certification Authority) using a secure protocol known as
Certificate Management Protocol. For more information on this protocol, see the
Internet Engineering Task Force RFC 2510 (http://www.ietf.org/rfcs/rfc2510.txt).

About hardware security modules


The private keys contained in an Entrust profile are intended to remain under the
control of the user to whom they are assigned.
When these keys are stored in a software file, they are protected by the user’s Entrust
profile password, which is used to encrypt the keys. However, because software files
may be copied without detection, the possibility of a brute force attack should be
considered.
As a result, some organizations choose to utilize tokens (cryptographic hardware
modules) to store their Entrust profiles. Tokens come in many forms, such as smart
cards, USB thumb drives, PCMCIA cards, and network appliances. All share certain
characteristics, such as mechanisms to detect physical tampering, automatic lockout
or erasure after repeated failed login attempts, and an inability to copy or export
cryptographic keys stored within them. As such, tokens offer a higher level of
assurance for the keys and associated certificates they contain than those stored in a
software file. Many tokens are validated against a set of security requirements
defined by the National Institute of Standards and Technology, a bureau of the U.S.
Department of Commerce. For more information on this validation process, known
as Federal Information Processing Standard (FIPS) 140, see
http://csrc.nist.gov/cmvp.
There are several defined standards for communicating with a hardware token. The
Offline Token Creation Utility uses the PKCS #11 v2.01 interface for this purpose.
Your selected HSM must include a software library that provides this interface for
Offline Token Creation Utility to use.

About offline profile creation


An Entrust profile is typically created through an online exchange between an Entrust
client and Security Manager using the Certificate Management Protocol. However, to
increase security or to comply with certain organizational policies, some organizations
operate Security Manager in offline mode. In offline mode, Security Manager is not
connected to the network and may only be operated for short and infrequent periods.

To create a profile when Security Manager has no network connectivity, the Offline
Token Creation Utility engages in an offline exchange of information with Security
Manager to create an Entrust profile exclusively on a hardware token. In this
sequence, the following actions take place:
1 The Offline Token Creation Utility Client instructs the hardware token to
generate a cryptographic key pair to be used for signing and verification.
2 The Offline Token Creation Utility Client forms a certificate request, produces a
hash value of the request, and instructs the hardware token to sign the hash with
the private signing key.
3 The Offline Token Creation Utility Client instructs the hardware token to
generate a cryptographic key pair to be used for protocol encryption and creates
a self-signed certificate containing the public key.
This key pair and certificate are temporary and are only used to encrypt sensitive
information exchanged with Security Manager.
4 The Offline Token Creation Utility Client creates a formatted file containing the
signed certificate request and the protocol encryption certificate.
5 The user copies the file to a computer with network access to Security Manager,
or to the Security Manager computer itself, for further processing.
Because the file contains no sensitive information, its transport may be
accomplished through any convenient means. However, an organization should
have measures in place to ensure that the file is not tampered with before
processing.
6 The file is submitted to Security Manager through the Offline Token Creation
Utility Server with a valid reference number and authorization code generated for
the client.
This operation is performed using the Certificate Management Protocol (CMP).
Security Manager returns a file containing:
• a cryptographic key pair for encryption and decryption
The private key is encrypted using the protocol encryption certificate created
by the client. This protects the private key during transport. The key length
chosen by the client for this certificate determines the strength of the
protection. Security Manager stores this key pair for future key recovery
purposes.
• a public key certificate containing the encryption key.
• the set of data objects that make up the Entrust profile
7 The user transports the file returned by Security Manager to the Offline Token
Creation Utility Client.
While this file contains sensitive data, that data is encrypted and can only be
decrypted by the client hardware token that produced the original request. As

such, the data cannot be replaced. Therefore, users can transport this file to the
client by any convenient means.
8 The Offline Token Creation Utility Client processes the file, writes the certificate
and data objects to the hardware token, and transports the wrapped private
decryption key into the hardware token, where it may be decrypted for
permanent storage.
The Offline Token Creation Utility Client then deletes the protocol encryption
certificate and key pair.

Figure 3: Overview of the offline profile creation process

Note:
As an alternative to the process shown above, the Offline Token Creation Utility
Server may be installed directly on Security Manager. Testing is always
encouraged when altering the configuration of a Security Manager that is in
production.

Advantages to offline profile creation


The Offline Token Creation Utility allows for the secure creation of an Entrust profile
within a hardware security module with the following advantages:

• You can use simple transportation mechanisms, such as a flash drive or email,
to transport data between the client and Security Manager, as the data is
secure.
• You can complete Step 5 and Step 7 within your own time frame, not a time
frame established by Security Manager. The amount of time allowed is
determined by the validity period of the protocol encryption certificate,
which you set during Step 3.

About the Signature Delivery Service
Your Machine Readable Travel Document (MRTD) issuance system uses the Signature
Delivery Service to request that passport data be signed by a Country Signing
Certification Authority (CSCA).
This topic includes:
• “How the Signature Delivery Service works” on page 69
• “Operational flow” on page 69

How the Signature Delivery Service works


Signature Delivery Service is a Java servlet that takes an XML request over HTTP or
HTTPS and returns an XML response containing a signed object.
Passports are generated by an MRTD issuance system. The MRTD issuance system
must interface with Signature Delivery Service in order to request a digital signature
for identity and biometric information contained on passports. Signatures can then be
verified at border crossings, airports, and customs offices.
When Signature Delivery Service receives requests from the MRTD issuance system,
it processes and validates the data in each request. In addition to version and structure
information, the request contains the Logical Data Structure Security Object (SOLDS)
to be digitally signed. Signature Delivery Service formats and hashes the data, and
then submits it to Verification Server for signing.
Signature Delivery Service completes its service by returning the Document Security
Object (SOD), which is the signed SOLDS, contained in the Elementary File Document
Security Object (EF.SOD) to the MRTD issuance system for placement on the
passport.

Operational flow
This flow sequence begins and ends at your MRTD issuance system client software.
For help connecting your client application to the Signature Delivery Service, see
“Using the Signature Delivery Service from your application” on page 211.
1 Client request.
The MRTD issuance system client passes the XML formatted MRTD data to be
digitally signed using the HTTP or HTTPS POST method.
2 Request verification.
Once Signature Delivery Service receives the request from the client, it parses the
request and verifies the tags and formats. The Signature Delivery Service servlet
then reads the initialization file to determine what verification steps to perform.
If a tag or attribute does not comply with what is expected, Signature Delivery
Service may reject the request or record a warning.

3 Base64 decode.
After accepting the request, Signature Delivery Service separates the data groups
that contain MRTD data. Because XML can only pass text data (not binary data),
the MRTD information is Base64 encoded before being sent. Signature Delivery
Service must decode the data to its native form before signing.
4 Hash the data groups.
Once the data groups are decoded to their true form, Signature Delivery Service
hashes each of them in preparation for insertion into the Logical Data Structure
Security Object (SOLDS). The digest values are placed into the SOLDS rather than
the complete data group. This reduces the size of the SOLDS and gives verifying
entities the option of evaluating only a subset of the data groups present in
the MRTD.

Note:
The SOLDS is an ASN.1 object that is encoded using the Distinguished Encoding
Rules as specified in ISO/IEC 8825-1:2002 Information technology ASN.1
encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding
Rules (CER) and Distinguished Encoding Rules (DER).

Signature Delivery Service uses SHA-256 for hashing. Although this algorithm
and standard implementations of it are relatively new, the increased strength is
necessary due to the long validity of the MRTD.
5 Construct the SOLDS.
Signature Delivery Service takes the hashed data groups and wraps them into the
SOLDS. This is the ASN.1 object described in the Note to Step 4.
6 Transmit to Verification Server.
The Signature Delivery Service server passes the entire SOLDS to Verification
Server using a SOAP interface. SOAP is a secure, standard protocol built on XML.
7 Hash the SOLDS in preparation for signing.
Verification Server uses SHA-256 to hash the entire SOLDS.
8 Sign the SOLDS on the hardware security module (HSM).
Verification Server sends the hashed SOLDS to the HSM where it is digitally signed
using the RSA algorithm with a 2048-bit key size. The National Institute of
Standards and Technology (NIST) has recommended the use of 2048-bit keys for
securing data beyond the year 2007. Since the majority of passports are valid for
multiple years, this strength of cryptography is required.
9 Create the Document Security Object.

Verification Server now has all the data components it needs, and it creates the
Document Security Object for placement on the MRTD.
10 Base64 encode the Document Security Object.
Verification Server returns the Document Security Object to Signature Delivery
Service using the SOAP protocol. The CMS object must be Base64 encoded so
that it can be placed in an XML response message for return to the client.
11 Respond to client.
The properly formatted response is sent to the client as a response to the original
POST operation.
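The following is an added example, not code from this guide or from the Signature Delivery Service, showing in plain Python what steps 3 to 5 and 7 of the flow above produce. It Base64-decodes constructed sample data groups, hashes each with SHA-256, wraps the digests in a DER-encoded LDSSecurityObject (version 0, a DigestAlgorithmIdentifier, then one SEQUENCE of data group number and OCTET STRING digest per data group, the layout ICAO Doc 9303 defines for the SOLDS), hashes the whole object as Verification Server does before the HSM signs it, and shows the per-data-group check that lets a verifying entity evaluate only a subset of the data groups. SAMPLE_DGS, SAMPLE_REQUEST and all function names are the example's own; the signing steps (8 to 10) are not shown.

```python
import base64
import hashlib

SHA256_OID = "2.16.840.1.101.3.4.2.1"   # id-sha256


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(content)) + content


def der_integer(value: int) -> bytes:
    """Non-negative INTEGER; an extra leading zero byte keeps the sign bit clear."""
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER with base-128 sub-identifiers (first two arcs combined)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def decode_data_groups(encoded: dict) -> dict:
    """Step 3: the XML request carries each data group Base64 encoded."""
    return {num: base64.b64decode(text) for num, text in encoded.items()}


def build_solds(data_groups: dict) -> bytes:
    """Steps 4 and 5: hash every data group and wrap the digests in the SOLDS."""
    entries = b"".join(
        _tlv(0x30, der_integer(num) + _tlv(0x04, hashlib.sha256(data).digest()))
        for num, data in sorted(data_groups.items())
    )
    algorithm = _tlv(0x30, der_oid(SHA256_OID))   # parameters omitted for SHA-256
    return _tlv(0x30, der_integer(0) + algorithm + _tlv(0x30, entries))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def parse_solds(solds: bytes) -> dict:
    """Map data group number -> digest; reject anything but a version 0 SHA-256 object."""
    tag, body, _ = _read_tlv(solds, 0)
    _, version, pos = _read_tlv(body, 0)
    _, algorithm, pos = _read_tlv(body, pos)
    _, oid, _ = _read_tlv(algorithm, 0)
    if tag != 0x30 or version != b"\x00" or oid != der_oid(SHA256_OID)[2:]:
        raise ValueError("not a version 0 SHA-256 LDSSecurityObject")
    _, entries, _ = _read_tlv(body, pos)
    digests, pos = {}, 0
    while pos < len(entries):
        _, entry, pos = _read_tlv(entries, pos)
        _, num, p = _read_tlv(entry, 0)
        _, digest, _ = _read_tlv(entry, p)
        digests[int.from_bytes(num, "big")] = digest
    return digests


def expected_digests(data_groups: dict) -> dict:
    # Reference values for comparing against a parsed SOLDS.
    return {num: hashlib.sha256(data).digest() for num, data in data_groups.items()}


def verify_data_group(solds: bytes, number: int, data: bytes) -> bool:
    """Inspection-side check of one data group against the SOLDS (subset evaluation)."""
    return parse_solds(solds).get(number) == hashlib.sha256(data).digest()


def signing_input(solds: bytes) -> bytes:
    """Step 7: Verification Server hashes the whole SOLDS; the HSM signs this value."""
    return hashlib.sha256(solds).digest()


def to_transport(blob: bytes) -> str:
    """Step 10 analogue: Base64 so binary DER fits inside an XML message."""
    return base64.b64encode(blob).decode("ascii")


# Constructed sample: DG1 holds MRZ-style text, DG2 stands in for a face image.
SAMPLE_DGS = {1: b"P<UTOSPECIMEN<<SAMPLE<<<<<<<<<<<<<<<<<<<<<<<", 2: b"\xff\xd8\xff\xe0 constructed image bytes"}
SAMPLE_REQUEST = {num: to_transport(data) for num, data in SAMPLE_DGS.items()}   # as the issuance system would send it
```

A tampered or missing data group fails verify_data_group while the remaining groups still verify, which is the property step 4 describes: the SOLDS carries digests, so a reader can check DG1 without ever reading DG2.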

3

Extended Access Control overview


Security concerns, developing technologies, and emerging standards have led
national governments to issue more sophisticated Machine Readable Travel
Documents (MRTDs) to their citizens. Commonly known as e-passports, these travel
documents contain a chip that stores biometric information, such as fingerprint or iris
patterns.
Extended Access Control (EAC) is the mechanism used to unlock the biometric data
stored in the e-passport chip. EAC ensures that only authorized entities can access the
biometric data.
This chapter contains the following sections:
• “EAC architecture” on page 74
• “EAC system components” on page 78
• “EAC certificates” on page 82
• “Establishing trust between a CVCA and a Document Verifier” on page 88
• “Establishing trust between a Document Verifier and an Inspection System”
on page 91

EAC architecture
Each country has a single Country Verifying Certification Authority (CVCA). The
CVCA acts as a root of trust for e-passports issued within its own country. The CVCA
authorizes domestic and foreign Document Verifiers (DVs) to access the biometrics
stored in the e-passports. Each country has one Single Point of Contact (SPOC). All
international EAC certificate requests and responses are communicated directly
between SPOCs. Each DV authorizes Inspection Systems (ISs) to examine the
contents of e-passports.
Figure 4 illustrates a sample EAC architecture with two countries.

Figure 4: EAC architecture showing two countries

The EAC components are described in further detail in the following topics:
• “Country Verifying Certification Authority” on page 75
• “Single Point of Contact” on page 76
• “Document Verifiers” on page 76
• “Inspection Systems” on page 76
• “About holder identities” on page 77

Country Verifying Certification Authority


Each country has a single Country Verifying Certification Authority (CVCA). The
CVCA acts as a root of trust for e-passports issued within its own country. It also
determines which countries and which Document Verifiers (see “Document Verifiers”
on page 76) within those countries can access the biometrics stored on the passports
issued by the CVCA's home country.
The CVCA issues the following types of certificates:
• root CVCA certificates
When you initialize the CVCA or update the CVCA keys, the CVCA creates
a self-signed CVCA certificate, called a root certificate. You must send the
initial root CVCA certificate and all link CVCA certificates to each Document
Verifier that you want to authorize.
• link CVCA certificates
When you update the CVCA keys, the CVCA creates link CVCA certificates.
These certificates provide a trust link between the old and new CVCA keys.
You must send the initial self-signed CVCA certificate and all link CVCA
certificates to each Document Verifier that you want to authorize.
• Document Verifier certificates
The CVCA creates Document Verifier certificates in response to certificate
requests from domestic or foreign Document Verifiers. These certificates
allow the Document Verifiers to access the biometrics stored in the
e-passport chips from the CVCA’s home country.
Each e-passport chip your country produces must contain the public key from the
latest CVCA certificate. If your e-passport personalization system supports link
certificates, then the chip must contain the public key from the latest link CVCA
certificate. Otherwise the chip must contain the public key from the latest root CVCA
certificate. The public keys in the latest root and link CVCA certificates are identical.
The CVCA produces both a new root and link CVCA certificate so CVCA
administrators can discard old root CVCA certificates when they are no longer
needed. The CVCA also produces a new root certificate for e-passport personalization
systems that do not support link CVCA certificates.

A CVCA certificate is no longer needed after all e-passports issued with that CVCA
certificate as a trust point have expired. For example, consider a scenario where your
country issues MRTDs with a five-year lifetime and you update your CVCA certificate
every two years. In this scenario, any Document Verifier that you commission 10
years from now only requires CVCA certificates that were valid in the last five years.

Single Point of Contact


Each country has one Single Point of Contact (SPOC). All international EAC certificate
requests and responses are communicated directly between SPOCs. Each SPOC
receives certificate requests from other SPOCs, delivers them to the domestic CVCA
for handling, and communicates responses back to the requesting SPOC, on behalf
of its domestic CVCA.
Each SPOC also receives certificate requests from domestic Document Verifiers (DVs),
forwards them to foreign SPOCs for processing, then receives the responses from the
foreign SPOCs and forwards the responses to the domestic DV that initiated the
request.

Document Verifiers
Each country has one or more Document Verifiers (DVs). Each DV issues Inspection
System certificates in response to certificate requests from domestic Inspection
Systems. These certificates authenticate the Inspection System to e-passport chips,
and also specify which biometrics the Inspection System can access.
Each Document Verifier must request and obtain Document Verifier certificates from
the CVCA of each country whose MRTDs the Document Verifier is authorized to
access.

Inspection Systems
National passport inspection authorities (such as border services, port authorities,
customs, and police personnel) operate Inspection Systems that are capable of
validating e-passports and accessing their biometric data. An Inspection System
consists of:
• a radio frequency identification (RFID) reader capable of interacting with the
integrated circuit chip on an e-passport
• a control system to which the RFID reader is connected
• software that can manage Inspection System certificates and certificate
requests
An Inspection System may be located outside of a country’s territorial boundaries. For
example, a country may operate an Inspection System at a foreign airport to pre-clear
passengers before boarding. A Document Verifier does not have to be co-located
with an Inspection System.

About holder identities
Each EAC entity (CVCA, Document Verifier, or Inspection System) has a holder
identity. A holder identity consists of a two-character country code (such as GB for
the United Kingdom, or US for the United States of America), followed by a character
string—called a mnemonic—of one to nine characters. GBcountry and USairport are
examples of holder identities.
No two EAC entities can share the same holder identity. For example, a CVCA and a
Document Verifier cannot both have the holder identity GBcountry. When you enter a
holder identity for your CVCA, Document Verifier, or Inspection System, make sure
that you do not choose a name already taken by another EAC entity.
Note that two Inspection Systems could share the same holder identity, as long as
they are not managed by the same Document Verifier (see Figure 4 on page 74).
However, it is recommended that each Inspection System have a unique holder
identity, even if they are managed by different Document Verifiers.
It is also recommended that your country establish a naming convention that allows
you to avoid giving two EAC entities the same holder identity.

EAC system components
This section describes the principal Entrust components that are required for an
Extended Access Control (EAC) system. Figure 5 illustrates the Entrust components in
an EAC system.

Figure 5: Entrust EAC system components

Entrust Authority Security Manager
Entrust Authority Security Manager is a mandatory component of an Entrust EAC
system. Security Manager can be configured as a Country Verifying Certification
Authority (CVCA) or a Document Verifier (DV). Security Manager includes a
command shell that three highly trusted users—called Master Users—use to
administer the CVCA or Document Verifier.
When you first install and configure Security Manager, you configure Security
Manager as an X.509 Certification Authority (CA). You use this CA to create and
manage roles, policies, certificate types, and other information for users and Security
Manager client applications. For example, you use the CA to create roles for CVCA
or DV administrators to administer the CVCA or Document Verifier. Administrators
with these roles use Administration Services to administer the CVCA or Document
Verifier with Web-based services (see “Entrust Authority Administration Services” on
page 79).
If required, you can configure the X.509 CA as a Country Signing Certification
Authority (CSCA). A CSCA is the root of trust for a Basic Access Control system. For
more information about the CSCA or Basic Access Control, see “Basic Access Control
overview” on page 49.
For more information about Security Manager, see the Security Manager
documentation.

Entrust Authority Administration Services


Entrust Authority Administration Services provides Web-based services to administer
a Country Verifying Certification Authority (CVCA), a Single Point of Contact (SPOC)
or a Document Verifier (DV). Administration Services is an optional CVCA component
of an Entrust EAC system, but a mandatory DV component for communication with
an IS Concentrator or IS Client.
For a CVCA, Administration Services provides:
• CVCA Administration
CVCA Administration is a Web-based interface for administering a CVCA.
CVCA administrators use CVCA Administration to manage domestic and
foreign Document Verifiers, DV certificates and certificate requests.
For a SPOC, Administration Services provides:
• SPOC Administration
SPOC Administration is a Web-based interface for administering a Single
Point of Contact. SPOC administrators use SPOC Administration to manage
certificate requests from foreign SPOCs and domestic Document Verifiers.
• SPOC Web Service

The SPOC Web Service is a Web service designed to automatically send and
receive certificate requests with foreign SPOCs.
• SPOC Domestic Web Service
The SPOC Domestic Web Service is a Web service designed to automatically
submit certificate requests from domestic Document Verifiers to the domestic
CVCA, or to foreign SPOCs to be processed by foreign CVCAs.
For a Document Verifier, Administration Services provides:
• DV Administration
DV Administration is a Web-based interface for administering a Document
Verifier. DV administrators use DV Administration to manage DV certificates
and certificate requests, Inspection Systems, and Inspection System
certificates and certificate requests.
• DV Web Service
In an EAC system, the DV Web Service is a Web service designed to
automatically process Inspection System certificate requests without
intervention from an administrator. The DV Web Service is required to
communicate with an IS Concentrator or IS Client.
In a BAC system, the DV Web Service can provide CSCA certificates, master
lists, CRLs, and Document Signer certificates to Inspection Systems (see
“BAC system components” on page 53).
• DV Certificate Key Management Service (DVCKM)
The DVCKM is a service designed to automatically request DV certificates
from one or more CVCAs through the domestic SPOC without intervention
from an administrator.

Note:
If you use the DVCKM and are storing DV keys on a hardware security module
(HSM), ensure that you back up your HSM whenever the DV creates a new
certificate request. Security Manager will log audit 27974 when a new DV
certificate request is created (see “Extended Access Control audit logs” on
page 1677).

For more information about the services provided by Administration Services, see the
Administration Services Installation Guide.

Entrust Authority IS Concentrator
Entrust Authority IS Concentrator is an optional component of an Entrust EAC
system. IS Concentrator manages EAC certificates for one or more Inspection
Systems, including complete lifecycle management of Inspection System certificates.
IS Concentrator provides the certificates to attached IS Clients.
In a BAC system, IS Concentrator obtains CSCA materials (CSCA certificates, master
lists, CRLs, and Document Signer certificates) from the DV Web Service and provides
them to attached IS Clients (see “BAC system components” on page 53).
For more information about IS Concentrator, see the IS Concentrator Installation and
Configuration Guide.

Entrust Authority IS Client


Entrust Authority IS Client is a mandatory component of an Entrust EAC system. In
an EAC system, an IS Client manages EAC certificates for an Inspection System,
including complete lifecycle management of Inspection System certificates. IS Client
provides these certificates to e-passport reader applications that perform EAC
Terminal Authentication with Machine Readable Travel Document (MRTD) chips. IS
Client also performs cryptographic operations related to EAC Terminal
Authentication, such as signing the challenges issued to the reader application by the
MRTD chips.
IS Client can run in attached mode or standalone mode. In attached mode, an IS
Concentrator manages the certificates for the IS Client. In standalone mode, IS Client
manages the certificates.
In a BAC system, IS Client provides CSCA materials (CSCA certificates, master lists,
CRLs, and Document Signer certificates) to e-passport reader applications that
perform BAC Passive Authentication with MRTD chips (see “BAC system
components” on page 53).
For more information about IS Client, see the IS Client Installation and Configuration
Guide.

EAC certificates
Extended Access Control (EAC) certificates are ISO 7816 Card Verifiable (CV)
certificates rather than X.509 public key certificates. The following topics describe
some of the elements of CV certificates in more detail:
• “Certificate lifetimes” on page 82
• “Certificate status” on page 82
• “Holder and authority references” on page 83
• “Certificate streams” on page 85
• “Validation strings” on page 86

Certificate lifetimes
CV certificates tend to have short lifetimes. By default in Security Manager:
• a CVCA certificate expires after three years
• a Document Verifier (DV) certificate expires after three months
• an Inspection System certificate expires after one month
A CVCA administrator determines the initial lifetime of the CVCA certificates when
initializing the CVCA, and can change subsequent CVCA certificate lifetimes by
configuring the CVCA key update settings. A CVCA determines the lifetime of DV
certificates. A DV determines the lifetime of Inspection System certificates.
In Security Manager, DV certificates cannot exceed the lifetime of the issuing CVCA
certificate. Likewise, Inspection System certificates cannot exceed the lifetime of the
issuing DV certificates. For example, if you configure DV certificates to expire after
three months, but issue a DV certificate signed by a CVCA certificate that expires in
three days, the DV certificate will expire in three days.
CV certificates can have a lifetime between one day and 25 years. The dates in a CV
certificate (the effective date and the expiration date) do not contain a time value. In
Security Manager, the expiration date cannot be the same as the effective date. CV
certificates expire at the end of the day on the expiration date.
It is important when planning your e-passport environment that you carefully
consider the certificate lifecycle and manage your certificates accordingly.

Certificate status
In Security Manager, CV certificates have a certificate status associated with them.
The certificate status determines the state of the certificate. A certificate can have one
of the following states:
• Not yet valid

A certificate may have this state if the clock difference between a CVCA and
a DV is significant. You should not see this state very often.
• Valid
A CV certificate contains an effective date and an expiration date. These two
dates determine the validity period of the certificate. A certificate with a Valid
state indicates that the certificate is within the validity period. You should not
use the certificate outside of its validity period.
• Expired
This state indicates that the certificate has reached the end of its lifetime and
is no longer valid.
• Nearing expiry
This state indicates that the certificate is nearing the end of its lifetime and
should be renewed.
• Unknown
This state indicates that an error occurred and Security Manager could not
determine the certificate status. You can find the details about the error in
the Security Manager logs (see “Extended Access Control audit logs” on
page 1677).
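The lifetime and status rules from "Certificate lifetimes" and "Certificate status" above, written out as an added Python example (not Entrust code). It applies the one-day minimum, the 25-year maximum, the cap at the issuing certificate's expiration, and end-of-day expiry. Two things the guide does not specify are assumptions marked in the code: the number of days before expiry at which a certificate becomes "Nearing expiry", and that inconsistent dates are reported as "Unknown". Function names are the example's own.

```python
from datetime import date, timedelta

MIN_LIFETIME_DAYS = 1      # the expiration date cannot equal the effective date
MAX_LIFETIME_YEARS = 25


def as_date(text: str) -> date:
    """Convenience for callers that hold ISO dates (CV dates carry no time value)."""
    return date.fromisoformat(text)


def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February with a non-leap target year
        return d.replace(year=d.year + years, day=28)


def expiration_date(effective: date, lifetime_days: int, issuer_expiration: date = None) -> date:
    """Expiration date for a new CV certificate.

    The requested lifetime must be 1 day to 25 years, and the result is capped at
    the issuing certificate's expiration: a DV certificate configured for three
    months but signed by a CVCA certificate with three days left expires in three days.
    """
    if lifetime_days < MIN_LIFETIME_DAYS:
        raise ValueError("expiration date cannot be the same as the effective date")
    expiration = effective + timedelta(days=lifetime_days)
    if expiration > _add_years(effective, MAX_LIFETIME_YEARS):
        raise ValueError("CV certificate lifetime cannot exceed 25 years")
    if issuer_expiration is not None and issuer_expiration < expiration:
        expiration = issuer_expiration
    if expiration <= effective:
        raise ValueError("issuing certificate expires on or before the effective date")
    return expiration


def certificate_status(effective: date, expiration: date, today: date, nearing_days: int = 7) -> str:
    """Status as listed above. nearing_days is an assumed threshold; the guide
    does not state the value Security Manager uses."""
    if expiration <= effective:
        return "Unknown"            # assumption: inconsistent dates are reported as an error
    if today < effective:
        return "Not yet valid"      # typically a clock difference between CVCA and DV
    if today > expiration:          # the certificate is valid through the whole expiration day
        return "Expired"
    if expiration - today <= timedelta(days=nearing_days):
        return "Nearing expiry"
    return "Valid"
```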

Holder and authority references


Each CV certificate contains a holder reference and an authority reference. The holder
reference identifies the public key in the certificate. The authority reference identifies
the public key that was used to create the certificate’s signature. Holder and authority
references consist of a holder identity (see “About holder identities” on page 77) and
a sequence number (see “Sequence number algorithms” on page 84).
Holder and authority references are different depending on whether the CV
certificate is a CVCA, DV, or Inspection System certificate.
The following topics contain more information about sequence number algorithms,
as well as detailed information about holder and authority references for each EAC
component:
• “Sequence number algorithms” on page 84
• “Holder and authority references for CVCA certificates” on page 85
• “Holder and authority references for Document Verifier certificates” on
page 85
• “Holder and authority references for Inspection System certificates” on
page 85

Sequence number algorithms
A sequence number is a five-character string. This string is appended to a holder
identity to form a holder reference or an authority reference. A sequence number
algorithm determines the format of the sequence number and the next number in the
sequence. EAC certificates use one of the following formats:
• five numerical digits, such as 00001
• five alphanumeric characters, such as 00FA1
• the country code plus three numerical digits, such as GB001
• the country code plus three alphanumeric characters, such as GB0F1
For sequence number algorithms with alphanumeric characters, the sequence follows
ASCII ordering: 0 to 9, A to Z, a to z. However, sequence number algorithms with five
alphanumeric characters never use two uppercase characters to start the sequence,
since it could be confused with a country code.
When a sequence number algorithm reaches its limit, the sequence resets to one. For
example, if a sequence number algorithm of five numerical digits reaches 99999, it
starts back at 00001 for the next number in the sequence.
You can also change the sequence number algorithm (see “Configuring CVCA key
updates” on page 1027 and “Configuring the Document Verifier policy” on
page 1056). When you next update the CVCA keys or issue the next DV certificate,
the sequence number increments according to the following rules:
• When changing from a numerical sequence to an alphanumeric sequence,
the sequence increments by one alphanumerically (0 to 9, A to Z, a to z).
However, sequence number algorithms with five alphanumeric characters
never use two uppercase characters to start the sequence, since the sequence
number could then be confused with a country code.
• When changing from an alphanumeric sequence to a numeric sequence, the
sequence increments to the next alphanumeric sequence containing all
numbers.
For example, 000A0 becomes 00100.
• When changing from a sequence that contains a country code to a sequence
that does not contain a country code, the country code is replaced with two
zeros.
For example, GB006 becomes 00007.
• When changing from a sequence that does not contain a country code to a
sequence that does contain a country code, the first two characters are
replaced with the country code.
For example, 00006 becomes GB007.

Holder and authority references for CVCA certificates
For CVCA certificates, the holder reference identifies the public key of the CVCA
certificate, and the authority reference identifies the public key of the issuing CVCA
certificate. If the holder and authority reference match, the CVCA certificate is a root
certificate. Otherwise it is a link certificate.
When you initialize a CVCA, Security Manager creates a self-signed CVCA certificate.
When you update the CVCA keys, Security Manager creates a new self-signed
certificate and a new link certificate signed by the previous CVCA key.
For example, if you create a CVCA with the holder identity GBcvca, Security Manager
creates an initial root CVCA certificate with holder reference GBcvca00001 and
authority reference GBcvca00001 when you initialize the CVCA. When you update
the CVCA keys, Security Manager creates two CVCA certificates:
• a new root certificate with holder reference GBcvca00002 and authority
reference GBcvca00002
• a link certificate with holder reference GBcvca00002 and authority reference
GBcvca00001
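The following Python module is an added worked example, not part of this guide or of Security Manager. It implements the sequence number rules described under "Sequence number algorithms" (the four formats, ASCII ordering, wrap-around to 1, the format-change rules) and derives the holder and authority references that a CVCA key update produces, as in the GBcvca example above. The names SeqFormat, next_sequence and cvca_key_update are the example's own. The guide does not say how far a five-character alphanumeric sequence skips when the next value would start with two uppercase letters; the code jumps to the next value whose second character is lowercase, which is the smallest value in ASCII order that cannot be confused with a country code (an assumption).

```python
"""Sequence-number arithmetic for CV certificate holder/authority references.

Added example (not Entrust code). Implements the rules in the ePassport guide:
four sequence formats, ASCII ordering (0-9, A-Z, a-z) for alphanumeric
sequences, wrap-around to 1 at the limit, no two leading uppercase letters in a
five-character alphanumeric sequence, and the four format-change rules.
Assumption: when a five-character alphanumeric value would start with two
uppercase letters, skip to the next value whose second character is 'a'.
"""
from dataclasses import dataclass

DIGITS = "0123456789"
ALNUM = DIGITS + "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "abcdefghijklmnopqrstuvwxyz"


@dataclass(frozen=True)
class SeqFormat:
    alphanumeric: bool   # digits only, or 0-9 A-Z a-z in ASCII order
    country_code: bool   # first two characters are the ISO country code


NUM5, ALNUM5 = SeqFormat(False, False), SeqFormat(True, False)       # 00001 / 00FA1
CC_NUM, CC_ALNUM = SeqFormat(False, True), SeqFormat(True, True)     # GB001 / GB0F1


def _increment(counter: str, alphabet: str) -> str:
    """Add one to a fixed-width counter over `alphabet`; wrap to ...01 at the limit."""
    chars = list(counter)
    for i in range(len(chars) - 1, -1, -1):
        pos = alphabet.index(chars[i])
        if pos + 1 < len(alphabet):
            chars[i] = alphabet[pos + 1]
            return "".join(chars)
        chars[i] = alphabet[0]          # carry into the next position
    return alphabet[0] * (len(counter) - 1) + alphabet[1]


def _next_all_digits(counter: str) -> str:
    """Smallest all-digit string of the same width above `counter` in ASCII order
    (000A0 -> 00100); wraps to ...01 when no such string exists."""
    width = len(counter)
    first_letter = next((i for i, c in enumerate(counter) if c not in DIGITS), None)
    if first_letter is None:
        return _increment(counter, DIGITS)
    prefix = counter[:first_letter]
    if not prefix or set(prefix) == {"9"}:
        return "0" * (width - 1) + "1"
    return str(int(prefix) + 1).zfill(len(prefix)) + "0" * (width - len(prefix))


def next_sequence(current: str, old: SeqFormat, new: SeqFormat, country: str) -> str:
    """Next sequence number, applying the guide's format-change rules when old != new."""
    if len(current) != 5 or len(country) != 2 or not country.isupper():
        raise ValueError("sequence numbers are 5 characters; country code is 2 uppercase letters")
    counter = current[2:] if old.country_code else current
    nxt = _increment(counter, ALNUM) if new.alphanumeric else _next_all_digits(counter)
    if old.country_code and not new.country_code:
        nxt = "00" + nxt                    # GB006 -> 00007
    elif new.country_code and not old.country_code:
        nxt = country + nxt[2:]             # 00006 -> GB007
    elif new.country_code:
        nxt = country + nxt
    if new.alphanumeric and not new.country_code and nxt[0].isupper() and nxt[1].isupper():
        nxt = nxt[0] + "a" + "000"          # never two leading uppercase letters
    return nxt


def cvca_key_update(holder_identity: str, current_seq: str, fmt: SeqFormat, country: str):
    """References created by a CVCA key update, as (holder reference, authority
    reference) pairs for the new root certificate and for the link certificate."""
    new_seq = next_sequence(current_seq, fmt, fmt, country)
    root = (holder_identity + new_seq, holder_identity + new_seq)
    link = (holder_identity + new_seq, holder_identity + current_seq)
    return root, link


if __name__ == "__main__":
    print(next_sequence("000A0", ALNUM5, NUM5, "GB"))       # 00100
    print(cvca_key_update("GBcvca", "00001", NUM5, "GB"))
```

The ValueError guard matters in practice: a holder reference is built by string concatenation, so a sequence number that is not exactly five characters or a lowercase country code would silently produce an authority reference that no relying party can match.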

Holder and authority references for Document Verifier certificates
For Document Verifier certificates, the holder reference identifies the public key of the
Document Verifier certificate, and the authority reference identifies the public key of
the issuing CVCA certificate. For example, a Document Verifier certificate can have
the holder reference GBdv00001 and authority reference GBcvca00001.

Holder and authority references for Inspection System certificates
For Inspection System certificates, the holder reference identifies the public key of the
Inspection System certificate, and the authority reference identifies the public key of
the issuing Document Verifier certificate. For example, an Inspection System
certificate can have the holder reference GBis00001 and authority reference
GBdv00001.

Certificate streams
A CVCA issues DV certificates to Document Verifiers. In turn, Document Verifiers
issue Inspection System certificates anchored by the CVCA. A certificate stream is the
set of all certificates issued to an EAC entity that are anchored by a particular CVCA.
Consider the scenario illustrated in Figure 6 on page 86. In this scenario, GBcvca and
CAcvca each issue DV certificates to GBdv. GBdv then issues Inspection System
certificates to GBis, each set of certificates rooted in a different CVCA. In this scenario,
there are two certificate streams, one for each CVCA:
• the United Kingdom certificate stream
The CVCA is from the same country as the Document Verifier and Inspection
System, so all certificates anchored by the United Kingdom CVCA are in the
domestic certificate stream.
• the Canada certificate stream
The CVCA is from a different country than the Document Verifier and
Inspection System, so all certificates anchored by the Canada CVCA are in a
foreign certificate stream.

Figure 6: Certificate streams
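As an added example (not Entrust code), the following Python groups a set of CV certificates into certificate streams by walking authority references up to the self-signed CVCA root, and marks each stream as domestic or foreign for a given Inspection System country. It models each certificate only by its holder and authority references, assumes that a holder identity starts with the two-letter country code (as in GBcvca, CAcvca, GBdv and GBis), and uses a constructed certificate set that reproduces the scenario in Figure 6 with a GBcvca key update added. The function names are the example's own.

```python
"""Grouping CV certificates into certificate streams (added example, not Entrust code).

A certificate is modelled as (holder reference, authority reference), each being a
holder identity followed by a five-character sequence number. A stream is the set
of certificates anchored by one CVCA; it is domestic when the CVCA's country is the
Inspection System's country. Assumption: a holder identity starts with its
two-letter country code.
"""
from collections import defaultdict

SEQ_LEN = 5


def holder_identity(reference: str) -> str:
    """Strip the five-character sequence number from a holder/authority reference."""
    return reference[:-SEQ_LEN]


def anchor_cvca(cert, by_holder) -> str:
    """Follow authority references until a self-signed root (holder == authority) is
    reached; link certificates keep the walk going. Returns the CVCA holder identity."""
    seen = set()
    holder, authority = cert
    while holder != authority:
        if authority in seen:
            raise ValueError(f"cycle while resolving {cert}")
        seen.add(authority)
        issuer = by_holder.get(authority)
        if issuer is None:
            raise ValueError(f"no certificate with holder reference {authority}")
        holder, authority = issuer
    return holder_identity(holder)


def certificate_streams(certs, inspection_country: str) -> dict:
    """Map each anchoring CVCA identity to {'domestic': bool, 'certs': [...]}."""
    by_holder = {}
    for cert in certs:
        holder, authority = cert
        # after a key update a root and a link share a holder reference; index the
        # root so the walk ends there (walking the link instead gives the same CVCA)
        if holder not in by_holder or holder == authority:
            by_holder[holder] = cert
    streams = defaultdict(list)
    for cert in certs:
        streams[anchor_cvca(cert, by_holder)].append(cert)
    return {
        cvca: {"domestic": cvca[:2] == inspection_country, "certs": sorted(members)}
        for cvca, members in streams.items()
    }


# constructed sample: the Figure 6 scenario plus one GBcvca key update
CERTS = [
    ("GBcvca00001", "GBcvca00001"),   # GB root
    ("GBcvca00002", "GBcvca00001"),   # GB link certificate after the key update
    ("GBcvca00002", "GBcvca00002"),   # GB new root
    ("CAcvca00001", "CAcvca00001"),   # CA root
    ("GBdv00001", "GBcvca00001"),     # DV certificates from the GB CVCA
    ("GBdv00002", "GBcvca00002"),
    ("GBdv00003", "CAcvca00001"),     # DV certificate from the CA CVCA
    ("GBis00001", "GBdv00002"),       # Inspection System certificate, GB stream
    ("GBis00002", "GBdv00003"),       # Inspection System certificate, CA stream
]

if __name__ == "__main__":
    for cvca, stream in certificate_streams(CERTS, "GB").items():
        kind = "domestic" if stream["domestic"] else "foreign"
        print(f"{cvca}: {kind} stream, {len(stream['certs'])} certificates")
```

The cycle and missing-issuer checks are the cases an import tool hits in practice: a DV certificate whose CVCA link chain was never imported cannot be placed in any stream, and the error should name the missing authority reference rather than fail silently.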

Validation strings
When you view or export any self-signed certificate or certificate request (such as a
root CVCA certificate or unauthenticated DV certificate request), Security Manager
displays validation strings for the certificate or certificate request. A validation string
is a string of alphanumeric characters representing the hash of the certificate or
certificate request. Validation strings allow administrators to verify the authenticity of
a certificate or certificate request.
For example, when a Document Verifier (DV) administrator creates and exports an
unauthenticated DV certificate request, Security Manager generates and displays
validation strings. The DV administrator then sends the certificate request and
validation strings to the CVCA administrator. When the CVCA administrator
processes the certificate request, the administrator provides the validation strings and
the CVCA validates the certificate request using the validation strings.
DV administrators send the DV certificate request and validation strings to the CVCA
administrator using a secure method, such as secure email or diplomatic courier. It is
strongly recommended that administrators send the certificate request and the
validation strings separately, over different channels, so that tampering with one is
detected by the other.
Validation strings are only required for initial root CVCA certificates, or initial
Document Verifier or Inspection System (or unauthenticated) certificate requests. For
link CVCA certificates or subsequent certificate requests, Security Manager can
validate the certificate or certificate request using certificates stored in the database.

Establishing trust between a CVCA and a
Document Verifier
The following provides a high-level overview of the steps involved in establishing
trust between a CVCA and a Document Verifier (DV). The steps are illustrated in
Figure 7 on page 89.

At the CVCA
1 If the CVCA does not recognize the DV, the CVCA administrator adds the DV
holder identity to the CVCA.
2 The CVCA administrator exports the required CVCA certificates and sends them
to the DV administrator.
DVs require the initial CVCA root certificate and all subsequent link CVCA
certificates.

At the Document Verifier


3 If the DV does not recognize the CVCA, the DV administrator adds the CVCA
holder identity to the DV.
4 The DV administrator imports the CVCA certificates into the DV.
5 The DV administrator generates a certificate request and sends it to the CVCA
administrator.
If the certificate request is intended for a foreign CVCA, the DV administrator can
send the certificate request to the domestic CVCA for countersigning (see
“Countersigning Document Verifier certificate requests” on page 90).

At the CVCA
6 The CVCA administrator accepts the certificate request.
7 The CVCA processes the certificate request and generates a DV certificate.
8 The CVCA administrator exports the DV certificate and sends it to the DV.

At the Document Verifier


9 The DV administrator imports the DV certificate.

Figure 7: Establishing trust between a CVCA and a Document Verifier

Countersigning Document Verifier certificate requests
To establish trust between a CVCA and a Document Verifier, a DV administrator
creates a certificate request and sends it to the CVCA for processing (see
“Establishing trust between a CVCA and a Document Verifier” on page 88). If the
certificate request is intended for a foreign CVCA, a DV administrator can first send
the certificate request to the domestic CVCA for countersigning.
When creating a certificate request for countersigning, the Document Verifier signs
the certificate request with the current domestic Document Verifier signing keys. The
DV administrator then sends the certificate request to the domestic CVCA for
countersigning. To countersign the certificate request, the CVCA wraps the certificate
request with an outer signature generated by the CVCA's current signing key. A
CVCA administrator then sends the countersigned certificate request to the intended
foreign CVCA for processing.
If the foreign CVCA has the latest certificate from the domestic CVCA, the foreign
CVCA can verify the outer signature against the domestic CVCA's current public key
and so validate the certificate request cryptographically, without requiring an
alternate form of validation such as a validation string.

Establishing trust between a Document Verifier
and an Inspection System
The following provides a high-level overview of the steps involved in establishing
trust between a Document Verifier (DV) and an Inspection System. The steps are
illustrated in Figure 8 on page 92.

At the Document Verifier


1 If the DV does not recognize the Inspection System, the DV administrator adds
the Inspection System holder identity to the DV.
2 The DV administrator exports the required CVCA and DV certificates, and sends
them to the Inspection System administrator.
Inspection Systems require the initial CVCA root certificate and all subsequent
link CVCA certificates, and the most recent DV certificate issued by the CVCA.

At the Inspection System


3 The Inspection System administrator imports the CVCA and DV certificates into
the Inspection System.
4 The Inspection System administrator generates a certificate request and sends it
to the DV administrator.

At the Document Verifier


5 The DV administrator accepts the certificate request.
6 The DV processes the certificate request and generates an Inspection System
certificate.
7 The DV administrator sends the certificate to the Inspection System
administrator.

At the Inspection System


8 The Inspection System administrator imports the certificate into the Inspection
System.

Figure 8: Establishing trust between a Document Verifier and an Inspection System

Section 2
Country Signing CA section

This section provides instructions for installing a Country Signing Certification
Authority (CSCA), customizing certificates for a country signing environment, and
instructions for managing a CSCA.
This section includes the following chapters:
• “Installing a Country Signing CA” on page 95
• “Reconfiguring a CA as a CSCA” on page 111
• “Managing a Country Signing CA” on page 137

4 Installing a Country Signing CA

Installing a CSCA requires that you install and configure Entrust Authority Security
Manager as a CSCA.
If you already installed Security Manager and you want to reconfigure your
Certification Authority as a CSCA, or if you want to make sure you correctly installed
a CSCA, see “Reconfiguring a CA as a CSCA” on page 111.
This chapter includes the following sections:
• “Calculating the validity periods for CSCA certificates” on page 96
• “Installing and configuring Security Manager” on page 99
• “Post-configuration steps” on page 109

Calculating the validity periods for CSCA certificates
For a Country Signing Certification Authority (CSCA), you must determine the
validity periods—the key lifetime and private key usage period—for the following key
pairs to meet ICAO requirements:
• Country Signing CA key pair
• Document Signer key pair
• Master List Signer key pair
After upgrading Security Manager, you may want to update the validity periods for
these key pairs.
This section contains the following topics:
• “Formulas for calculating the validity periods” on page 96
• “Recommended validity periods for 10-year eMRTDs” on page 97

Formulas for calculating the validity periods


CSCAs are root CAs that issue end entity Document Signer certificates which are used
to sign eMRTDs. According to ICAO recommendations:
• CSCA keys roll over somewhere between 3 and 5 years.
• Document Signer keys roll over somewhere between 1 and 3 months.
• eMRTDs are valid typically 5 years or 10 years.

The above points tie into the lifetime of the CSCA and Document Signer certificates.
You can itemize the lifetime variables as the following:
• emrtd_life is the lifetime of issued eMRTDs.
• emrtd_pre_issue_time is the eMRTD pre-issue time.
eMRTDs may be issued before they become valid. This is optional.
Some States may issue eMRTDs before they become valid, for instance on a
change of name upon marriage. The effect of doing this is to extend the
validity period by the longest period it is possible to pre-issue the eMRTD.
• ds_validity is the validity period (key lifetime) of the Document Signer end
entity certificate.
• ds_pku is the private key usage period of the Document Signer end entity
certificate.
• csca_validity is the validity period (key lifetime) of the CSCA root
certificate.
• csca_pku is the private key usage period of the CSCA root certificate.
The Document Signer key signs eMRTDs, so the Document Signer certificate must
remain valid for as long as any eMRTD it signed. Its lifetime (ds_validity) must
therefore be at least the eMRTD lifetime (emrtd_life), plus the eMRTD pre-issue
time (emrtd_pre_issue_time) if eMRTDs are issued before they become valid, plus
the private key usage period of the Document Signer certificate (ds_pku), because
an eMRTD signed on the last day of the key usage period must still verify at the
end of its own lifetime. The formula for the minimum validity period of Document
Signer certificates is:
ds_validity = emrtd_pre_issue_time + emrtd_life + ds_pku
The CSCA key signs Document Signer certificates. By the same reasoning, the
CSCA certificate must remain valid at least as long as the Document Signer
validity period plus the private key usage period of the CSCA root certificate, so
that a Document Signer certificate issued on the last day of the CSCA key usage
period is still covered until it expires. The formula for the minimum validity
period of the CSCA root certificate is:
csca_validity = csca_pku + ds_validity
ICAO has no specified validity requirements for the Master List Signer key pair. A
Master List Signer is expected to sign master lists of trusted CSCAs far less frequently
than a Document Signer will sign passports.

Recommended validity periods for 10-year eMRTDs


The following table lists the recommended values for CSCA-issued key pairs,
assuming that your eMRTDs must remain valid for 10 years (120 months). The
recommended values are discussed in more detail in the following sub-topics.

Table 3: Recommended key usage and validity for CSCA key pairs

Key pair            Recommended key lifetime             Recommended private key usage period
Document Signer     123 months (10 years and 3 months)   2.4038% (maximum of 90 days of a 123-month lifetime)
CSCA                187 months (15 years and 7 months)   32.09% (maximum of 5 years of a 187-month lifetime)
Master List Signer  60 months (5 years)                  20% (12 months)

Recommended validity periods for the Document Signer key pair


The Document Signer private key should not be used to sign eMRTDs any longer
than 3 months.
The Document Signer certificate validity period should be at least as long as the
eMRTD lifetime (10 years or 120 months), plus the private key usage value (3
months).

Therefore, the following values are recommended for the Document Signer key pair:
• Key lifetime: 123 months
• Private key usage period: 2.4038% (maximum of 90 days of a 123-month
lifetime)

Recommended validity periods for the CSCA key pair


The CSCA private key used to sign certificates and CRLs should not be used to sign
any longer than 5 years (60 months).
The CSCA certificate validity period should be at least as long as the Document Signer
certificate lifetime (123 months), plus the CSCA private key usage value (60 months).
Some additional validity period should be added to cover any administrative time
needed for a CSCA key rollover. An additional 4 months is sufficient.
Therefore, the following values are recommended for the CSCA key pair:
• Key lifetime: 187 months
• Private key usage period: 32.09% (maximum of 5 years of a 187-month
lifetime)

Recommended validity periods for the Master List Signer key pair
A Master List Signer is expected to sign master lists of trusted CSCAs far less
frequently than a Document Signer will sign passports.
Therefore, the following values are recommended for the Master List Signer key pair:
• Key lifetime: 60 months
• Private key usage period: 20% (12 months)
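The following Python is an added example (not Entrust code) that carries the formulas from "Formulas for calculating the validity periods" and the recommended values above through: it computes ds_validity and csca_validity, converts each private key usage period into the percentage of certificate lifetime that Security Manager Configuration asks for, and then checks a plan by issuing the last Document Signer certificate and the last eMRTD as late as the plan permits. The 365.25/12-day month, the rollover margin argument and the function names are the example's own assumptions, not ICAO requirements.

```python
"""Validity planning for CSCA, Document Signer and eMRTD lifetimes.

Added example, not Entrust code. Implements the guide's formulas
    ds_validity   = emrtd_pre_issue_time + emrtd_life + ds_pku
    csca_validity = csca_pku + ds_validity
plus an administrative rollover margin, and checks the plan by issuing everything
as late as it allows. Assumption: a month is 365.25/12 days when a period is
given in days.
"""
import math
from dataclasses import dataclass

DAYS_PER_MONTH = 365.25 / 12


@dataclass(frozen=True)
class Plan:
    ds_lifetime_months: int       # Document Signer key lifetime
    ds_pku_percent: float         # Document Signer private key usage period
    csca_lifetime_months: int     # CSCA verification certificate lifetime
    csca_pku_percent: float       # CSCA private key usage period


def pku_percent(pku_months: float, lifetime_months: float) -> float:
    """Private key usage period expressed as a percentage of the key lifetime."""
    return 100.0 * pku_months / lifetime_months


def plan_validity(emrtd_life_months: int, emrtd_pre_issue_months: int,
                  ds_pku_days: int, csca_pku_months: int,
                  rollover_margin_months: int = 0) -> Plan:
    """Minimum lifetimes from the guide's formulas, rounded up to whole months."""
    ds_pku_months = ds_pku_days / DAYS_PER_MONTH
    ds_validity = math.ceil(emrtd_pre_issue_months + emrtd_life_months + ds_pku_months)
    csca_validity = csca_pku_months + ds_validity + rollover_margin_months
    return Plan(ds_validity, pku_percent(ds_pku_months, ds_validity),
                csca_validity, pku_percent(csca_pku_months, csca_validity))


def worst_case_check(plan: Plan, emrtd_life_months: int, emrtd_pre_issue_months: int) -> dict:
    """Sign the last DS certificate on the last day of the CSCA key usage period and
    the last eMRTD on the last day of that DS key's usage period; each item must still
    expire inside its signer's certificate. Times are months from CSCA key generation."""
    csca_pku_end = plan.csca_lifetime_months * plan.csca_pku_percent / 100
    last_ds_not_after = csca_pku_end + plan.ds_lifetime_months
    ds_pku_end = csca_pku_end + plan.ds_lifetime_months * plan.ds_pku_percent / 100
    last_emrtd_expiry = ds_pku_end + emrtd_pre_issue_months + emrtd_life_months
    return {
        "ds_within_csca": last_ds_not_after <= plan.csca_lifetime_months + 1e-9,
        "emrtd_within_ds": last_emrtd_expiry <= last_ds_not_after + 1e-9,
        "slack_months": last_ds_not_after - last_emrtd_expiry,
    }


if __name__ == "__main__":
    # the guide's 10-year case: 120-month eMRTD life, no pre-issue, DS key used at
    # most 90 days, CSCA key used at most 60 months, 4 months of rollover margin
    plan = plan_validity(120, 0, 90, 60, 4)
    print(plan)
    print(worst_case_check(plan, 120, 0))
```

The failure mode worth keeping in mind is a Document Signer lifetime set to the bare eMRTD lifetime (120 months): the check reports emrtd_within_ds as false, because a passport signed at the end of the Document Signer key usage period would outlive the certificate that validates it.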

Installing and configuring Security Manager
Before installing Security Manager 8.3, ensure that you read all preinstallation
information described in the Security Manager 8.3 Installation Guide. Ensure that
you install and configure a supported LDAP directory and database as described in
the Security Manager 8.3 Installation Guide.
When using the countryName (c=) directory attribute to specify a two-letter country
code, the two-letter country code must be in uppercase characters to meet the ISO
3166 standard.

Note:
Microsoft Active Directory is not supported for a Country Signing Certification
Authority (CSCA).

This section contains the following topics:


• “Installing and configuring Security Manager on Windows” on page 99
• “Installing and configuring Security Manager on Linux” on page 103

Installing and configuring Security Manager on Windows


Install and configure Security Manager 8.3 according to the instructions in the
Security Manager 8.3 Installation Guide. When configuring Security Manager, you
must configure Security Manager so your CSCA conforms to the guidelines outlined
by the International Civil Aviation Organization (ICAO).

Attention:
Not all Security Manager client applications support all the algorithms that you
can select when configuring Security Manager. When configuring Security
Manager, ensure that you select algorithms supported by all the client
applications that you plan to use.

1 For CA Type, select Country Signing Root CA (CSCA).


Selecting this option sets the advanced setting CSCA=1, and configures the CSCA
to conform to the requirements set by the International Civil Aviation
Organization (ICAO).
When CSCA=1, it enforces the following advanced settings:
CrlUseDefRevokeReason=0
DNEncoding=utf8
EncodeCountryNameUpper=1
ExplicitCurveParameters=1
MsCompatibility=0
MsCompatWasOn=0
UseCombinedCRL=1
Security Manager Configuration also prompts you for information required by a
CSCA.
2 For CA key pair type, select the algorithm for your CSCA key pair.
ICAO recommends that a CSCA with RSA keys use RSA-3072 or stronger. ICAO
recommends that a CSCA with an elliptic curve use a 256-bit elliptic curve or
stronger. The curves EC-P-256, EC-ansix9p256k1, EC-ansix9p256r1,
EC-brainpoolP256r1, and EC-brainpoolP256t1 are 256-bit elliptic curves.
3 For CA Signing Algorithm, select the algorithm used to sign certificates.
The CSCA signing algorithm should be as strong as the key type or stronger. For
example, an RSA-3072 key type should use an RSAPSS-SHA256 or stronger
signing algorithm, and a 256-bit elliptic curve should use an ECDSA-SHA256 or
stronger signing algorithm.
You can only select an RSA algorithm if you selected an RSA key pair type. You
can only select an elliptic curve (EC) algorithm if you selected an EC key pair type.
4 For CRL Distribution Point Information, you must specify at least one CDP URL
in the CSCA CDP URLs list. You do not have to specify any CDP URLs in the
Default CDP URLs list.
CDP URLs in the CSCA CDP URLs list are CDP URLs that will apply to the
following CSCA-specific certificate types: CSCA root certificates, CSCA link
certificates, Master List Signer certificates, and Document Signer certificates. The
CDP URLs in this list will be written to the entmgr.ini file under the [CSCA CDP]
section. For the CSCA-specific certificate types, the CSCA CDP URLs list takes
precedence over the Default CDP URLs list.
To specify a CDP URL for the CSCA-specific certificate types:
a From the URL Type drop-down list, select a CDP URL type (http, ldap, file,
ftp).

Note:
Currently most Security Manager client applications do not support https: CDPs
and will ignore them and use the combined CRL stored in the Security Manager
directory. If the combined CRL is not enabled, you must define at least one http:
or ldap: URL so that Security Manager client applications can access the CRL. All
https: URLs must be defined last in the list of CDP URLs.

b In the URL Host field, enter the host name or IP address of the Web server,
FTP server, or File server that will host the CRL files. This option is disabled if
the URL Type is ldap.
c Click Create from Settings.
The CDP Definition field is filled with a CDP URL based on the CDP type and
host information you provided. For example:
http://domain.example.com/CRL/ca_entry_example_mm_crlfile<Number>.crl
Where <Number> is a token that Security Manager will replace with a value
identifying the CRL and its type. See the Security Manager Operations Guide for
details about this token and other available tokens.
d (Optional.) In the CDP Definition field, edit the CDP URL.
e Select CSCA.
f Click Add.
The CDP URL is added to the CSCA CDP URLs list.
You can add as many CDP URLs for CSCA certificates as you require.
g For Combined CRL, enter the path to the folder where Security Manager will
write combined CRLs. For a CSCA, Security Manager must write combined
CRLs to a shared folder on the network.
By default, the folder is named CRL and is located on the server where you
are configuring Security Manager. The Security Manager configuration
wizard will create this folder. To change the default server, click Change and
then select a folder from your network connections. The folder must be
named CRL.
Security Manager can only write to a network location if the account used
by the Security Manager services has direct write privileges to that location.
5 For Issuer Alternative Name, you must specify values to include in the
IssuerAltName extension for CSCA-specific certificates.
CSCA root certificates, Master List Signer certificates, and Document Signer
certificates issued by your CSCA must include an issuerAltName extension.
The issuerAltName extension must provide contact information associated with
your CSCA. The contact information can be one or more of the following:
• rfc822Name for an email address. For example:
rfc822Name=csca@example.com
• dNSName for a Domain Name System (DNS) name. For example:
dNSName=csca.example.com
• uniformResourceIdentifier for a Uniform Resource Identifier (URI). For
example:
uniformResourceIdentifier=http://csca.example.com

The issuerAltName extension must also provide a directory string made of
ICAO-assigned country codes. The string must be a directoryName with one of
the following values:
• localityName (l=) that contains the ICAO country code as it appears in the
MRZ (Machine Readable Zone) of the e-passport. For example:
directoryName=l=CAN
• If the country code does not uniquely define the issuing State or
organization, then stateOrProvinceName (st=) that contains the
ICAO-assigned three-letter code for the issuing State or organization. For
example:
directoryName=st=HKG
Security Manager will DER-encode the data and include it in the CSCA root
certificates, Master List Signer certificates, and Document Signer certificates
issued by your CSCA.
To add a value to the IssuerAltName extension:
a From the Name Type drop-down list, select the type of information to add
to the IssuerAltName extension.
b In the Name Value field, enter a value.
c Click OK.
The value is added to the list.
6 For CA verification certificate lifetime, enter a lifetime, in months, for the initial
CA verification certificate.
For 10-year eMRTDs, it is recommended that you configure the CSCA with a
lifetime of 187 months (see “Calculating the validity periods for CSCA
certificates” on page 96).
7 For CA private key usage period, enter a private key usage period for the CSCA
verification certificate.
For 10-year eMRTDs, it is recommended that you configure the CSCA with a CA
private key usage period of 32.09% (see “Calculating the validity periods for
CSCA certificates” on page 96).
The CA private key usage period is a percentage of the CA verification certificate
lifetime. For example, 32.09% of 187 months is 60 months (5 years). When the
private key reaches this lifetime, Security Manager starts writing messages to the
audit logs informing you that the CA is nearing expiry.
For more information about the private key usage, see the Security Manager
Operations Guide.

Attention:
Security Manager will not automatically update your root CA key.

You have installed and configured Security Manager as a CSCA. Proceed to
“Post-configuration steps” on page 109.
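The following Python is an added example (not Entrust code) that pre-checks the two CSCA-specific inputs described in this procedure and repeated in the Linux procedure that follows: it parses the {"type=value" "type=value"} IssuerAltName syntax that the Linux configuration script accepts and applies the contact-name and directoryName rules from step 5, and it checks a CSCA CDP URL list against the rules in the Note under step 4 (http:, https: or ldap: only, https: URLs last, and an http: or ldap: URL when the combined CRL is disabled). The 1-3 uppercase letter shape assumed for the ICAO code and the function names are the example's own assumptions.

```python
"""Pre-checks for CSCA IssuerAltName values and CSCA CDP URL lists.

Added example, not Entrust code. parse_issuer_alt_name() reads the
{"type=value" "type=value"} syntax accepted by the Linux configuration script;
check_issuer_alt_name() and check_csca_cdp_urls() apply the rules stated in the
guide and return a list of problems (empty means acceptable).
Assumptions: the ICAO code in l= or st= is 1-3 uppercase letters; URL schemes
are compared case-insensitively.
"""
import re
from urllib.parse import urlsplit

CONTACT_TYPES = {"rfc822Name", "dNSName", "uniformResourceIdentifier"}
CSCA_CDP_SCHEMES = ("http", "https", "ldap")
_ICAO_CODE = re.compile(r"^[A-Z]{1,3}$")        # assumption about the code shape
_QUOTED = re.compile(r'"([^"]*)"')


def parse_issuer_alt_name(spec: str) -> list:
    """{"directoryName=l=USA" "dNSName=x"} -> [("directoryName", "l=USA"), ("dNSName", "x")]"""
    spec = spec.strip()
    if not (spec.startswith("{") and spec.endswith("}")):
        raise ValueError("IssuerAltName must be enclosed in curly braces")
    names = []
    for token in _QUOTED.findall(spec[1:-1]):
        if "=" not in token:
            raise ValueError(f"expected type=value, got {token!r}")
        name_type, value = token.split("=", 1)
        names.append((name_type, value))
    return names


def check_issuer_alt_name(spec: str) -> list:
    """Rules from the guide: at least one contact name, and a directoryName whose
    l= (or st=, when l= would be ambiguous) carries the ICAO country code."""
    problems = []
    names = parse_issuer_alt_name(spec)
    if not any(t in CONTACT_TYPES for t, _ in names):
        problems.append("no contact name (rfc822Name, dNSName or uniformResourceIdentifier)")
    dir_names = [v for t, v in names if t == "directoryName"]
    if not dir_names:
        problems.append("no directoryName carrying the ICAO country code")
    for dn in dir_names:
        attr, _, code = dn.partition("=")
        if attr.lower() not in ("l", "st"):
            problems.append(f"directoryName must be l= or st=, got {dn!r}")
        elif not _ICAO_CODE.match(code):
            problems.append(f"ICAO code must be uppercase letters, got {code!r}")
    return problems


def check_csca_cdp_urls(urls: list, combined_crl_enabled: bool) -> list:
    """Rules from the guide: at least one CSCA CDP URL; http:, https: or ldap: only;
    all https: URLs last (clients that ignore https: fall back to the combined CRL);
    with the combined CRL disabled, at least one http: or ldap: URL."""
    problems = []
    if not urls:
        problems.append("at least one CSCA CDP URL is required")
    schemes = [urlsplit(u).scheme.lower() for u in urls]
    for url, scheme in zip(urls, schemes):
        if scheme not in CSCA_CDP_SCHEMES:
            problems.append(f"unsupported scheme for CSCA CDP: {url}")
    first_https = next((i for i, s in enumerate(schemes) if s == "https"), None)
    if first_https is not None and any(s != "https" for s in schemes[first_https:]):
        problems.append("https: URLs must come after all http:/ldap: URLs")
    if not combined_crl_enabled and not any(s in ("http", "ldap") for s in schemes):
        problems.append("combined CRL disabled: at least one http: or ldap: URL is needed")
    return problems


if __name__ == "__main__":
    print(check_issuer_alt_name('{"directoryName=l=USA" "dNSName=domain.example.com"}'))
    print(check_csca_cdp_urls(["https://crl.example.com/csca.crl",
                               "http://crl.example.com/csca.crl"], True))
```

Run the checks against the values you intend to enter before initializing the CA: the CDP URLs and the issuerAltName of the CSCA root certificate are fixed at first-time initialization, and a misordered https: URL or a missing directoryName is only discovered later by a relying party that cannot fetch the CRL or identify the issuing State.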

Installing and configuring Security Manager on Linux


Install and configure Security Manager 8.3 according to the instructions in the
Security Manager 8.3 Installation Guide. When configuring Security Manager, you
must configure Security Manager so your CSCA conforms to the guidelines outlined
by the International Civil Aviation Organization (ICAO).

Attention:
Not all Security Manager client applications support all the algorithms that you
can select when configuring Security Manager. When configuring Security
Manager, ensure that you select algorithms supported by all the client
applications that you plan to use.

1 When asked if you are configuring a CSCA:


Is this a Country Signing CA (CSCA)? (y/n) ? [n]
Enter y.
This sets the advanced setting CSCA=1, and configures the CSCA to conform to
the requirements set by the International Civil Aviation Organization (ICAO).
When CSCA=1, it enforces the following advanced settings:
CrlUseDefRevokeReason=0
DNEncoding=utf8
EncodeCountryNameUpper=1
ExplicitCurveParameters=1
MsCompatibility=0
MsCompatWasOn=0
UseCombinedCRL=1
The configuration script also prompts you for information required by a CSCA.
2 When prompted to provide an IssuerAltName extension:
The IssuerAltName\SubjectAltName for the CSCA can be entered now
or later by adding to entmgr.ini before initialization. Syntax
example:
{"directoryName=l=USA" "dNSName=yoursite.com"}.
Enter the IssuerAltName\SubjectAltName for the CSCA ('Q' to quit
and enter later):
CSCA root certificates, Master List Signer certificates, and Document Signer
certificates issued by your CSCA must include an issuerAltName extension.
The issuerAltName extension must provide contact information associated with
your CSCA. The contact information can be one or more of the following:
• rfc822Name for an email address. For example:
rfc822Name=csca@example.com
• dNSName for a Domain Name System (DNS) name. For example:
dNSName=csca.example.com
• uniformResourceIdentifier for a Uniform Resource Identifier (URI). For
example:
uniformResourceIdentifier=http://csca.example.com
The issuerAltName extension must also provide a directory string made of
ICAO-assigned country codes. The string must be a directoryName with one of
the following values:
• localityName (l=) that contains the ICAO country code as it appears in the
MRZ (Machine Readable Zone) of the e-passport. For example:
directoryName=l=CAN
• If the country code does not uniquely define the issuing State or
organization, then stateOrProvinceName (st=) that contains the
ICAO-assigned three-letter code for the issuing State or organization. For
example:
directoryName=st=HKG
Security Manager will DER-encode the data and include it in the CSCA root
certificates, Master List Signer certificates, and Document Signer certificates
issued by your CSCA.
To enter an IssuerAltName extension, surround each value—the contact
information value or directory string value—in quotation marks. Separate each
value with a space. Enclose the entire IssuerAltName extension in curly braces.
For example:
{"directoryName=l=USA" "dNSName=domain.example.com"}
3 When prompted for the CA key pair type:
Enter the type of key pair that Entrust Authority Security Manager
will use for signing operations.
Select one of the following:
1. RSA
2. DSA
3. EC
[1] >
Enter 1 to use an RSA key pair type, or enter 3 to use an elliptic curve for the CA
key pair type.
4 When prompted for the CA key pair algorithm:
Enter the type of key pair that Entrust Authority Security Manager
will use for signing operations.
Select one of the following:
1. RSA-1024
2. RSA-2048
3. RSA-3072
4. RSA-4096
5. RSA-6144
[2] >
The algorithms you can select depend on the key pair type that you selected for
your CA. If you chose an RSA key pair type, you can only select an RSA
algorithm. If you chose EC for the key pair type, you can only select an elliptic
curve.
Enter the number corresponding to the algorithm for your CSCA key pair.
ICAO recommends that a CSCA with RSA keys use RSA-3072 or stronger. ICAO
recommends that a CSCA with an elliptic curve use a 256-bit elliptic curve or
stronger. The curves EC-P-256, EC-ansix9p256k1, EC-ansix9p256r1,
EC-brainpoolP256r1, and EC-brainpoolP256t1 are 256-bit elliptic curves.
5 When prompted for the CA signing algorithm (the algorithm that Security
Manager will use when signing certificates and revocation lists):
Enter the algorithm that Entrust Authority Security Manager will
use for signing operations.
Select one of the following:
1. RSA-SHA1
2. RSA-SHA224
3. RSA-SHA256
4. RSA-SHA384
5. RSA-SHA512
6. RSAPSS-SHA1
7. RSAPSS-SHA224
8. RSAPSS-SHA256
9. RSAPSS-SHA384
10. RSAPSS-SHA512
[3] >
Enter the number corresponding to the algorithm that Security Manager will use
when signing certificates and revocation lists. The choices displayed depend on
the CSCA key pair type you selected earlier. If you selected an RSA key, only RSA
algorithms are displayed. If you selected EC, only ECDSA algorithms are
displayed.

The CSCA signing algorithm should be as strong as the key type or stronger. For
example, an RSA-3072 key type should use an RSAPSS-SHA256 or stronger
signing algorithm, and a 256-bit elliptic curve should use an ECDSA-SHA256 or
stronger signing algorithm.
You can only select an RSA algorithm if you selected an RSA key pair type. You
can only select an elliptic curve (EC) algorithm if you selected an EC key pair type.
6 When asked if you want to enter CRL Distribution Point (CDP) URL data using
the configuration utility:
The default CDP (cRLDistributionPoints) extension URL names can be
defined now or later by editing entmgr.ini.
IMPORTANT: The default CDP (cRLDistributionPoints) extension URL
names for the CSCA root CA certificate must be defined in
entmgr.ini before first time initialization.
Enter CDP URL data now? (y/n) ? [y]
Enter y.
7 When asked if you want to define CDP URLs for CSCA-type certificates or all
certificates:
CDPs may be defined once for all certificates issued by this CSCA,
or CDPs can be separately defined for CSCA-type certificates and
other certificates.
Enter how the CDPs will be defined.
Select one of the following:
1. Define separate CDP settings for CSCA certificates and
other certificates.
2. Define CDP settings for all certificates.
[1]
The following CSCA-type certificates require CDP definitions: CSCA root
certificates, CSCA link certificates, Master List Signer certificates, and Document
Signer certificates.
• To define separate CDP settings for CSCA certificates and other certificates,
enter 1.
• To define CDP settings for all certificates, enter 2.
8 When prompted to define CDP URLs for CSCA-type certificates:
Define the CDPs for CSCA-type certificates.
CDP URLs for the CSCA must be one of the type 'http:', 'https:' or
'ldap:'.

Enter a CDP URL definition or 'q' (quit),'r' (review and finish),


's' (start over)
:

a Enter a CDP URL for the CSCA-type certificates. CDP URLs for CSCA-type
certificates must be http:, https:, or ldap:. For example:
http://domain.example.com/CRL/ca_entry_example_mm_crlfile<Number>.crl
Where <Number> is a token that Security Manager will replace with a value
identifying the CRL and its type. See the Security Manager Operations Guide for
details about this token and the other available tokens.

Note:
Currently most Security Manager client applications do not support https: CDPs
and will ignore them and use the combined CRL stored in the Security Manager
directory. If the combined CRL is not enabled, you must define at least one http:
or ldap: URL so that Security Manager client applications can access the CRL. All
https: URLs must be defined last in the list of CDP URLs.

After entering a CDP URL, the configuration script will prompt you again to
enter a CDP URL.
b Enter as many CDP URLs for CSCA-type certificates as required.
c If you need to start over, enter s.
d To quit without providing any CDP URLs for CSCA-type certificates, enter q.
You must manually provide CDP URLs for CSCA-type certificates under
[CSCA CDP] in the entmgr.ini file before initializing Security Manager (see
the Security Manager Installation Guide).
e To review the list of CDP URLs you entered for CSCA-type certificates, enter
r.
The configuration script displays the CDP settings, and asks if you are
finished entering CSCA CDP URLs:
The following CDP URLs have been entered:
http://domain.example.com/CRL/crlfile<number>.crl
Include LDAP DN in CDP: no
Place LDAP DN last in CDP: n/a
Finished entering CSCA CDP URLs (y/n) ? [n]
– If you need to enter more CDP URLs for CSCA-type certificates, enter n.
– If you are finished entering CDP URLs for CSCA-type certificates, enter y.
The CDP URLs for CSCA-type certificates are written to the entmgr.ini file
under the [CSCA CDP] section.
9 When prompted to configure the CA certificate lifetime:
Enter the CA certificate lifetime in months (2-300)
[187] >
Enter a lifetime, in months, for the initial CA verification certificate.

For 10-year eMRTDs, it is recommended that you configure the CSCA with a
lifetime of 187 months (see “Calculating the validity periods for CSCA
certificates” on page 96).
10 When prompted for the CA private key usage period:
Enter the CA private key usage period (20-100)
[32.0900] >
Enter a private key usage period for the CSCA verification certificate.
For 10-year eMRTDs, it is recommended that you configure the CSCA with a CA
private key usage period of 32.09% (see “Calculating the validity periods for
CSCA certificates” on page 96).
The CA private key usage period is a percentage of the CA verification certificate
lifetime. For example, 32.09% of 187 months is 60 months (5 years). When the
private key reaches this lifetime, Security Manager starts writing messages to the
audit logs informing you that the CA is nearing expiry.
For more information about the private key usage, see the Security Manager
Operations Guide.

Attention:
Security Manager will not automatically update your root CA key.

You have installed and configured Security Manager as a CSCA. Proceed to
“Post-configuration steps” on page 109.

Post-configuration steps
After configuring your CSCA, you must perform the following steps:
1 Initialize Security Manager.
For more information about initializing Security Manager, see the Security
Manager 8.3 Installation Guide.
2 Install the latest Security Manager patches.
3 Install Security Manager Administration.
Security Manager Administration is the graphical interface for Security Manager.
Install Security Manager Administration according to the instructions in the
Security Manager Administration User Guide.

5 Reconfiguring a CA as a CSCA
If you already installed Security Manager and you want to reconfigure your
Certification Authority (CA) as a CSCA, or if you want to ensure that you correctly
installed a CSCA, complete the steps outlined in this appendix.
This appendix includes the following sections:
• “Calculating the validity periods for CSCA certificates” on page 112
• “Configuring the issuerAltName extension” on page 115
• “Configuring the CSCA root and link certificates” on page 117
• “Configuring CRL Distribution Points (CDPs)” on page 120
• “Configuring certificate revocation lists for a CSCA” on page 123
• “Encoding the countryName attribute in uppercase” on page 126
• “Configuring how the CSCA encodes distinguished names” on page 127
• “Controlling the issuer and subject in CSCA link certificates” on page 129
• “Configuring the CA policy settings for a CSCA” on page 131
• “Updating the CA certificate” on page 133

Calculating the validity periods for CSCA
certificates
For a Country Signing Certification Authority (CSCA), you must determine the
validity periods—the key lifetime and private key usage period—for the following key
pairs to meet ICAO requirements:
• Country Signing CA key pair
• Document Signer key pair
• Master List Signer key pair
After upgrading Security Manager, you may want to update the validity periods for
these key pairs.
This section contains the following topics:
• “Formulas for calculating the validity periods” on page 112
• “Recommended validity periods for 10-year eMRTDs” on page 113

Formulas for calculating the validity periods


CSCAs are root CAs that issue end entity Document Signer certificates which are used
to sign eMRTDs. According to ICAO recommendations:
• CSCA keys roll over somewhere between 3 and 5 years.
• Document Signer keys roll over somewhere between 1 and 3 months.
• eMRTDs are valid typically 5 years or 10 years.

The above points tie into the lifetime of the CSCA and Document Signer certificates.
You can itemize the lifetime variables as the following:
• emrtd_life is the lifetime of issued eMRTDs.
• emrtd_pre_issue_time is the eMRTD pre-issue time.
eMRTDs may be issued before they become valid. This is optional.
Some States may issue eMRTDs before they become valid, for instance on a
change of name upon marriage. The effect of doing this is to extend the
validity period by the longest period it is possible to pre-issue the eMRTD.
• ds_validity is the validity period (key lifetime) of the Document Signer end
entity certificate.
• ds_pku is the private key usage period of the Document Signer end entity
certificate.
• csca_validity is the validity period (key lifetime) of the CSCA root
certificate.

• csca_pku is the private key usage period of the CSCA root certificate.
The Document Signer private key signs the eMRTDs. The lifetime of the Document
Signer certificate (ds_validity) must be at least as long as the eMRTD lifetime
(emrtd_life), plus the eMRTD pre-issue time (emrtd_pre_issue_time) if eMRTDs
will be issued before they become valid, plus the private key usage period of the
Document Signer certificate (ds_pku), so that the certificate still validates the last
eMRTD signed with that key. The formula for the minimum validity period of
Document Signer certificates is therefore:
ds_validity = emrtd_pre_issue_time + emrtd_life + ds_pku
The CSCA private key issues Document Signer certificates. The CSCA certificate must
be valid at least as long as the Document Signer validity period, plus the private key
usage period of the CSCA root certificate (csca_pku), so that it still validates the last
Document Signer certificate it issued. The formula for the minimum validity period
of the CSCA root certificate is therefore:
csca_validity = csca_pku + ds_validity
ICAO has no specified validity requirements for the Master List Signer key pair. A
Master List Signer is expected to sign master lists of trusted CSCAs far less frequently
than a Document Signer will sign passports.

Recommended validity periods for 10-year eMRTDs


The following table lists the recommended values for CSCA-issued key pairs,
assuming that your eMRTDs must remain valid for 10 years (120 months). The
recommended values are discussed in more detail in the following sub-topics.

Table 4: Recommended key usage and validity for CSCA key pairs

Key pair             Recommended key lifetime              Recommended private key usage period
Document Signer      123 months (10 years and 3 months)    2.4038% (maximum of 90 days of a 123-month lifetime)
CSCA                 187 months (15 years and 7 months)    32.09% (maximum of 5 years of a 187-month lifetime)
Master List Signer   60 months (5 years)                   20% (12 months)

Recommended validity periods for the Document Signer key pair


The Document Signer private key should not be used to sign eMRTDs any longer
than 3 months.
The Document Signer certificate validity period should be at least as long as the
eMRTD lifetime (10 years or 120 months), plus the private key usage value (3
months).

Therefore, the following values are recommended for the Document Signer key pair:
• Key lifetime: 123 months
• Private key usage period: 2.4038% (maximum of 90 days of a 123-month
lifetime)

Recommended validity periods for the CSCA key pair


The CSCA private key used to sign certificates and CRLs should not be used to sign
any longer than 5 years (60 months).
The CSCA certificate validity period should be at least as long as the Document Signer
certificate lifetime (123 months), plus the CSCA private key usage value (60 months).
Some additional validity period should be added to cover any administrative time
needed for a CSCA key rollover. An additional 4 months is sufficient.
Therefore, the following values are recommended for the CSCA key pair:
• Key lifetime: 187 months
• Private key usage period: 32.09% (maximum of 5 years of a 187-month
lifetime)

Recommended validity periods for the Master List Signer key pair
A Master List Signer is expected to sign master lists of trusted CSCAs far less
frequently than a Document Signer will sign passports.
Therefore, the following values are recommended for the Master List Signer key pair:
• Key lifetime: 60 months
• Private key usage period: 20% (12 months)
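The two formulas in “Formulas for calculating the validity periods” and the values in Table 4 can be reproduced and sanity-checked with the following script. It is an added example, not code from this guide or from Entrust. It assumes an average month of 365.25/12 days when converting the 90-day Document Signer usage period (which is why it yields 2.404% where the table shows 2.4038%), and it treats the 4 months of rollover slack and the ICAO maxima (3 months for a Document Signer key, 5 years for a CSCA key) as inputs.

```python
"""Validity-period planner for a CSCA, using the formulas from this guide (all periods in
months): ds_validity = emrtd_pre_issue_time + emrtd_life + ds_pku and
csca_validity = csca_pku + ds_validity, plus the conversion of a usage period into the
percentage of certificate lifetime that Security Manager prompts for."""
import math

DAYS_PER_MONTH = 365.25 / 12   # assumption: average Gregorian month of 30.4375 days
MAX_DS_PKU_MONTHS = 3          # ICAO: a Document Signer key signs for at most 3 months
MAX_CSCA_PKU_MONTHS = 60       # ICAO: a CSCA key signs for at most 5 years


def days_to_months(days):
    """Round a usage period in days up to whole months (90 days -> 3 months, as in the guide)."""
    return math.ceil(days / DAYS_PER_MONTH)


def pku_percent(usage_months, lifetime_months, digits=2):
    """Private key usage period as a percentage of certificate lifetime, the form Security
    Manager prompts for: 60 months of a 187-month lifetime -> 32.09."""
    return round(100.0 * usage_months / lifetime_months, digits)


def ds_validity(emrtd_life, ds_pku, emrtd_pre_issue_time=0):
    """Minimum Document Signer certificate lifetime."""
    return emrtd_pre_issue_time + emrtd_life + ds_pku


def csca_validity(csca_pku, ds_validity_months, rollover_slack=0):
    """Minimum CSCA root certificate lifetime; the guide adds 4 months of rollover slack."""
    return csca_pku + ds_validity_months + rollover_slack


def plan(emrtd_life=120, emrtd_pre_issue_time=0, ds_pku_days=90, csca_pku=60, rollover_slack=4):
    """Compute everything to enter at the CSCA installation prompts for a given eMRTD lifetime."""
    ds_pku = days_to_months(ds_pku_days)
    ds_life = ds_validity(emrtd_life, ds_pku, emrtd_pre_issue_time)
    csca_life = csca_validity(csca_pku, ds_life, rollover_slack)
    return {
        "emrtd_life": emrtd_life, "emrtd_pre_issue_time": emrtd_pre_issue_time,
        "ds_pku_months": ds_pku, "ds_validity": ds_life,
        "ds_pku_percent": pku_percent(ds_pku_days / DAYS_PER_MONTH, ds_life, 4),
        "csca_pku_months": csca_pku, "csca_validity": csca_life,
        "csca_pku_percent": pku_percent(csca_pku, csca_life),
    }


def check_plan(p):
    """Sanity-check a plan: the last eMRTD signed with a Document Signer key must expire before
    that Document Signer certificate, the last Document Signer certificate issued with a CSCA
    key must expire before the CSCA certificate, usage periods stay within the ICAO maxima, and
    the percentages entered must reproduce the intended usage periods."""
    problems = []
    if p["ds_pku_months"] > MAX_DS_PKU_MONTHS:
        problems.append("Document Signer key used longer than 3 months")
    if p["csca_pku_months"] > MAX_CSCA_PKU_MONTHS:
        problems.append("CSCA key used longer than 5 years")
    if p["ds_validity"] < p["emrtd_pre_issue_time"] + p["emrtd_life"] + p["ds_pku_months"]:
        problems.append("Document Signer certificate expires before the last eMRTD it signed")
    if p["csca_validity"] < p["csca_pku_months"] + p["ds_validity"]:
        problems.append("CSCA certificate expires before the last Document Signer certificate it issued")
    for prefix in ("ds", "csca"):
        months = p[f"{prefix}_pku_percent"] / 100 * p[f"{prefix}_validity"]
        if abs(months - p[f"{prefix}_pku_months"]) > 0.1:
            problems.append(f"{prefix} usage percentage does not reproduce the intended usage period")
    return problems


if __name__ == "__main__":
    for life in (120, 60):          # 10-year and 5-year eMRTDs
        p = plan(emrtd_life=life)
        print(life, p, check_plan(p) or "OK")
```

Running plan() with the defaults gives ds_validity 123, csca_validity 187 and csca_pku_percent 32.09, the values this guide recommends for 10-year eMRTDs; plan(emrtd_life=60) gives 63 and 127 months for 5-year eMRTDs. check_plan() is the part worth keeping: it rejects a CSCA usage period longer than 5 years and catches a lifetime that is too short for the last certificate signed with the key.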

Configuring the issuerAltName extension
CSCA certificates, Master List Signer certificates, and Document Signer certificates
issued by your CSCA must include an issuerAltName extension.
The issuerAltName extension must provide contact information associated with your
CSCA. The contact information can be one or more of the following:
• rfc822Name for an email address. For example:
rfc822Name=csca@example.com
• dNSName for a Domain Name System (DNS) name. For example:
dNSName=csca.example.com
• uniformResourceIdentifier for a Uniform Resource Identifier (URI). For
example:
uniformResourceIdentifier=http://csca.example.com
The issuerAltName extension must provide a directory string made of ICAO-assigned
country codes. The string must be a directoryName with one of the following values:
• localityName (l=) that contains the ICAO country code as it appears in the
MRZ (Machine Readable Zone) of the e-passport. For example:
directoryName=l=CAN
• If the country code does not uniquely define the issuing State or
organization, then stateOrProvinceName (s=) that contains the
ICAO-assigned three-letter code for the issuing State or organization.
directoryName=s=CAN
You must use the Security Manager Control Command Shell to provide the
information to include in the issuerAltName extension. Security Manager will
DER-encode the data and include it in the CSCA root certificates, Master List Signer
certificates, and Document Signer certificates issued by your CSCA.

To configure the issuerAltName extension


1 Log in to the Security Manager Control Command Shell.
2 To view the current value of the issuerAltName extension, enter the following
command:
db get IssuerAltName
Security Manager displays the name, current value, description, and syntax of the
IssuerAltName advanced setting. For example:
Name : IssuerAltName
Value :
Description: The IssuerAltName of the CA.
Syntax : String representation of a GeneralNames structure.

e.g. {"rfc822Name=sm@entrust.com" "dNSName=entrust.com"}

3 To change the value of the issuerAltName extension, enter the following
command:
db set IssuerAltName {"<contact-info>" "<country-code>"}
Where:
• <contact-info> is the string that identifies contact information associated
with your CSCA.
You can provide multiple forms of contact information with multiple
"<contact-info>" options.
• <country-code> is the string that identifies the ICAO-assigned country code
for your issuing State or organization.
For example:
db set IssuerAltName {"rfc822Name=csca@example.com" "directoryName=l=CAN"}
For the change to take effect, you must restart the Security Manager service. Do
not restart the service at this time.
4 Proceed to “Configuring the CA policy settings for a CSCA” on page 131.
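Because Security Manager DER-encodes whatever string it is given, a mistake in the GeneralNames value (a lowercase country code, a directoryName without an l= or s= prefix, no contact entry) ends up in every CSCA, Master List Signer and Document Signer certificate until the next key update. The following added example (not an Entrust tool) parses the brace-delimited value in the syntax shown above and checks the requirements listed in this section before you run db set. The regular expressions for the ICAO code and for the e-mail address are assumptions.

```python
"""Pre-flight check for the IssuerAltName advanced setting of a CSCA. Security Manager takes a
brace-delimited list of quoted GeneralName strings, e.g.
    {"rfc822Name=csca@example.com" "directoryName=l=CAN"}
and DER-encodes it into every CSCA, Master List Signer and Document Signer certificate."""
import re

CONTACT_TYPES = {"rfc822Name", "dNSName", "uniformResourceIdentifier"}
DIRECTORY_ATTRS = {"l", "s"}                     # localityName or stateOrProvinceName
ICAO_CODE = re.compile(r"[A-Z]{1,3}")            # assumption: uppercase, normally 3 letters (Germany uses D)
EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")  # assumption: a loose rfc822Name shape check


def parse_general_names(value):
    """'{"type=value" "type=value"}' -> [(type, value), ...]."""
    m = re.fullmatch(r"\s*\{(.*)\}\s*", value, re.S)
    if not m:
        raise ValueError("value must be a brace-delimited list of quoted entries")
    names = []
    for entry in re.findall(r'"([^"]*)"', m.group(1)):
        kind, sep, val = entry.partition("=")
        if not sep or not kind or not val:
            raise ValueError(f"entry is not of the form type=value: {entry!r}")
        names.append((kind, val))
    return names


def check_csca_issuer_alt_name(value):
    """Return findings against the requirements listed in this section (empty = acceptable)."""
    names, findings = parse_general_names(value), []
    if not any(kind in CONTACT_TYPES for kind, _ in names):
        findings.append("no contact entry (rfc822Name, dNSName or uniformResourceIdentifier)")
    directory = [val for kind, val in names if kind == "directoryName"]
    if not directory:
        findings.append("no directoryName entry carrying the ICAO country code")
    for val in directory:
        attr, _, code = val.partition("=")
        if attr not in DIRECTORY_ATTRS:
            findings.append(f"directoryName must use l= or s=, got {val!r}")
        elif not ICAO_CODE.fullmatch(code):
            findings.append(f"ICAO code must be uppercase letters, got {code!r}")
    for kind, val in names:
        if kind == "rfc822Name" and not EMAIL.fullmatch(val):
            findings.append(f"rfc822Name does not look like an e-mail address: {val!r}")
        elif kind not in CONTACT_TYPES | {"directoryName"}:
            findings.append(f"unexpected GeneralName type {kind!r}")
    return findings


def db_set_command(value):
    """The Control Command Shell line to run once the value passes the checks."""
    problems = check_csca_issuer_alt_name(value)
    if problems:
        raise ValueError("; ".join(problems))
    return f"db set IssuerAltName {value.strip()}"
```

db_set_command() refuses to hand back a command line until the value is clean, so pasting its output into the Control Command Shell cannot issue a root certificate with a malformed issuerAltName.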

Configuring the CSCA root and link certificates
Configuring the CSCA root and link certificates requires configuring the certificate
specification file (master.certspec). For more information about this file, see the
Security Manager Administration User Guide.

To view and configure the CSCA root and link certificates


1 Log in to the Security Manager Control Command Shell.
2 Enter the following command to export the Security Manager certificate
specifications to a file:
fcs export <file>
Where <file> is the full path and file name for the certificate specifications file.
If you do not specify a path, the file is exported to the CA data directory (typically
C:/authdata). For example:
fcs export c:/master.certspec
3 Open the file in a text editor.

Note:
If your CA root and link certificates already include the keyUsage and
basicConstraints extensions, ensure that they conform to ICAO requirements
as shown in this procedure. If your CA root and link certificates also include other
extensions, ensure that all extensions conform to ICAO requirements.

4 To configure the CSCA root certificate definitions:


a Locate the [cacert_default Verification Extensions] section and
ensure that it looks like the following:
[cacert_default Verification Extensions]
issuerAltName=2.5.29.18,n,m,AuthSetting,IssuerAltName
subjectAltName=2.5.29.17,n,m,AuthSetting,IssuerAltName
keyUsage=2.5.29.15,c,m,BitString,0000011
basicConstraints=2.5.29.19,c,m,DER,30060101FF020100
The keyUsage BitString 0000011 sets only the keyCertSign and cRLSign bits, and
the basicConstraints DER value 30060101FF020100 decodes to cA=TRUE with
pathLenConstraint=0, so the CSCA can sign CRLs and end-entity certificates such
as Document Signer certificates, but no subordinate CA can be chained below it
(self-issued link certificates do not count against the path length).
The CSCA issuerAltName and subjectAltName extensions must have the same
value. It is recommended that the IssuerAltName advanced setting be used
instead of a DER encoding to ensure that both extensions have exactly the same
value and encoding.
b Locate the [cacert_default Advanced] section.
c Ensure that noEntrustVersInfo=1 is present and uncommented (no
preceding semicolon):

noEntrustVersInfo=1
d Ensure that noCRLDistPoints=1 is either commented out (preceded with a
semicolon) or absent.
;noCRLDistPoints=1
5 To configure the CSCA link certificate definitions:
a Locate the [cacert_link Verification Extensions] section and ensure
that it looks like the following:
[cacert_link Verification Extensions]
basicConstraints=2.5.29.19,c,m,DER,30060101FF020100
The CSCA link certificate definition should not include any entries for the
issuerAltName and subjectAltName extensions. These extensions are derived
from the new and old CSCA root certificates during a CA key update.
b Locate the [cacert_link Advanced] section.
c Ensure that noEntrustVersInfo=1 is present and uncommented (no
preceding semicolon):
noEntrustVersInfo=1
d Ensure that noCRLDistPoints=1 is either commented out (preceded with a
semicolon) or absent.
;noCRLDistPoints=1
6 You may have previously defined a custom forward link certificate type. You are
using a custom forward link certificate type if the forwardLinkCertTypeOverride
setting is set in the [policy] section of the entmgr.ini file (see the Security
Manager Operations Guide for details).
To verify the changes to the custom forward link certificate definition:
a Locate the Verification Extensions section for your custom forward link
certificate type and ensure that it contains the following setting:
basicConstraints=2.5.29.19,c,m,DER,30060101FF020100
The CSCA link certificate definition should not include any entries for the
issuerAltName and subjectAltName extensions. These extensions are derived
from the new and old CSCA root certificates during a CA key update.
b Locate the Advanced section for your custom forward link certificate type.
c Ensure that noEntrustVersInfo=1 is present and uncommented (no
preceding semicolon):
noEntrustVersInfo=1
d Ensure that noCRLDistPoints=1 is either commented out (preceded with a
semicolon) or absent.
;noCRLDistPoints=1
7 Save and close the file.

8 If you made changes to the file, import the file back into Security Manager by
entering the following command:
fcs import <file>
Where <file> is the full path and file name for the certificate specifications file.
fcs import c:/master.certspec
9 Proceed to “Configuring CRL Distribution Points (CDPs)” on page 120.

Configuring CRL Distribution Points (CDPs)
By default, Security Manager includes the LDAP DN for the latest partitioned CRL in
all cRLDistributionPoints (CDP) extensions in certificates. A CSCA cannot use
partitioned CRLs. You must configure the CDP extensions so they refer to only the
combined CRL.
For more information about configuring CDPs, see the Security Manager
Administration User Guide.

To configure CDPs for the CSCA


1 Decide whether the CSCA will host the combined CRL at an http: location. If it
will, continue with step 2; otherwise, skip to step 3.
2 Configure Security Manager to publish the combined CRL to a file:
a Open the entmgr.ini file in a text editor.
b Locate the [CRL] section, or add it if it does not exist.
c Locate the CombinedCRLFile setting in this section, or add it if it does not
exist.
d For the value of the CombinedCRLFile setting, enter the path and file name
of the CRL file. For example:
CombinedCRLFile=C:\CRL\CAN.crl
You can also specify the name and location using the Universal Naming
Convention (UNC). For example:
CombinedCRLFile=\\DOMAIN\CRL\CAN.crl

Note:
Security Manager can only write to a network location if the account used by the
Security Manager services has direct write privileges to that location.

e Save and close the file.


f Configure a Web server to host the location of the CRL so users and client
applications can access the CRL. Using the above example, ensure that the
Web server can host files obtainable from C:\CRL or \\DOMAIN\CRL.
3 Enter the following command to export the Security Manager certificate
specifications to a file:
fcs export <file>
Where <file> is the full path and file name for the certificate specifications file.
If you do not specify a path, the file is exported to the CA data directory (typically
C:/authdata). For example:

fcs export c:/master.certspec
4 Open the file in a text editor.
5 You can define CDPs in the following sections:
• To define global CDPs for all certificate types:
[CDP Definitions]
• To define a custom CDP for a specific certificate type:
[<cert_type> Common CDP Definitions]
Where <cert_type> is the certificate type.
Any CDPs defined in this section take precedence over any CDPs defined in
the global [CDP Definitions] section.
• To define a custom CDP for a specific certificate definition:
[<cert_type> <cert_definition> CDP Definitions]
Where <cert_type> is the certificate type and <cert_definition> is the
certificate definition.
Any CDPs defined in this section take precedence over any CDPs defined in
the global [CDP Definitions] section and the [<cert_type> Common CDP
Definitions] section for the same certificate type.
If one of the above sections exists but has no CDP entries defined, the CDP
contains the default LDAP DN only.
A CSCA needs to define CDPs in the following sections:
[cacert_default Verification CDP Definitions]
[cacert_link Verification CDP Definitions]
[ent_mlist_signer Common CDP Definitions]
[epass_doc_signer Document Signer CDP Definitions]

Note:
It is strongly recommended that you define CDP definition data for the individual
CSCA and ePassport certificate types, rather than define the CDP definition
globally for all certificate types.

6 In the [...CDP Definitions] sections that will define the CDPs:


a Add the following setting:
includePartitionedLdapDN=0
When set to 0, this setting will exclude the LDAP DN from the CDP. When
set to 1, the LDAP DN will be included in the CDP. If absent, the value
defaults to 1.

An error will occur if includePartitionedLdapDN=0 and there are no URL
definition entries in the associated [...CDP Definitions] section. An
empty [...CDP Definitions] section indicates that only the LDAP DN is
included so having includePartitionedLdapDN=0 would define an empty
CDP which is invalid.
b Define one or more URL CDP definitions.

Note:
Currently most Security Manager client applications do not support https: CDPs
and will ignore them and use the combined CRL stored in the Security Manager
directory. If the combined CRL is not enabled, you must define at least one http:
or ldap: URL so that Security Manager client applications can access the CRL. All
https: URLs must be defined last in the list of CDP URLs.

A CSCA may publish the combined CRL to its own locations and the PKD.
For example:
1=http://<server>/CRL/CAN.crl
2=https://pkddownload1.icao.int/CRLs/CAN.crl ;PKD location
See the Security Manager Administration User Guide for more information
about configuring CDPs.
7 Save and close the file.
8 If you made changes to the file, import the file back into Security Manager by
entering the following command:
fcs import <file>
Where <file> is the full path and file name for the certificate specifications file.
fcs import c:/master.certspec
9 Proceed to “Configuring certificate revocation lists for a CSCA” on page 123.
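The settings in “Configuring the CSCA root and link certificates” and the CDP settings in this section are otherwise checked by eye in a text editor. The following added example (not an Entrust tool) parses an fcs export file in the layout the two sections show and reports every deviation from the values this guide requires: the root and link certificate extensions and Advanced settings, and for each of the four CSCA CDP sections the includePartitionedLdapDN=0 setting, the empty-CDP error case, the http:/ldap: requirement and the rule that https: URLs come last. It decodes the basicConstraints DER value instead of string-matching it. The handling of the certspec syntax (“;” comment lines and inline comments, key=value entries) and the sample export are constructed for the example and are assumptions about the file format.

```python
"""Lint a master.certspec export for the CSCA root/link and CDP settings in this guide."""
KEY_USAGE_BITS = ("digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly")
CSCA_CDP_SECTIONS = ("cacert_default Verification CDP Definitions",
                     "cacert_link Verification CDP Definitions",
                     "ent_mlist_signer Common CDP Definitions",
                     "epass_doc_signer Document Signer CDP Definitions")

def parse_certspec(text):
    """INI-like certspec -> {section: [(key, value), ...]}; ';' starts a comment, so a
    commented-out ';noCRLDistPoints=1' is treated as absent (assumed file syntax)."""
    spec, section = {}, None
    for raw in text.splitlines():
        line = raw.split(" ;", 1)[0].strip()          # strip inline comments (' ;PKD location')
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            spec.setdefault(section, [])
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            spec[section].append((key.strip(), value.strip()))
    return spec

def decode_basic_constraints(hexstr):
    """DER BasicConstraints ::= SEQUENCE { cA BOOLEAN, pathLenConstraint INTEGER OPTIONAL }
    -> (cA, pathLenConstraint). Only the short-form lengths used here are handled."""
    b = bytes.fromhex(hexstr)
    if len(b) < 2 or b[0] != 0x30 or b[1] != len(b) - 2:
        raise ValueError("not a single DER SEQUENCE")
    ca, pathlen, i = False, None, 2
    while i < len(b):
        tag, length, value = b[i], b[i + 1], b[i + 2:i + 2 + b[i + 1]]
        if tag == 0x01:
            ca = value == b"\xff"
        elif tag == 0x02:
            pathlen = int.from_bytes(value, "big")
        i += 2 + length
    return ca, pathlen

def key_usage_flags(bits):
    """certspec BitString such as '0000011' -> KeyUsage names (bit 0 = digitalSignature)."""
    return {name for name, bit in zip(KEY_USAGE_BITS, bits) if bit == "1"}

def lint_csca_certspec(text):
    """Return findings (empty list = the CSCA-relevant settings match the guide)."""
    spec, out = parse_certspec(text), []
    get = lambda section, key: dict(spec.get(section, [])).get(key)
    for cert in ("cacert_default", "cacert_link"):
        ext, adv = f"{cert} Verification Extensions", f"{cert} Advanced"
        bc = get(ext, "basicConstraints")
        if bc is None or decode_basic_constraints(bc.split(",")[4]) != (True, 0):
            out.append(f"{ext}: basicConstraints must decode to cA=TRUE, pathLenConstraint=0")
        if get(adv, "noEntrustVersInfo") != "1":
            out.append(f"{adv}: noEntrustVersInfo=1 must be present and uncommented")
        if get(adv, "noCRLDistPoints") == "1":
            out.append(f"{adv}: noCRLDistPoints=1 must be commented out or absent")
    root, link = "cacert_default Verification Extensions", "cacert_link Verification Extensions"
    ku = get(root, "keyUsage")
    if ku is None or key_usage_flags(ku.split(",")[4]) != {"keyCertSign", "cRLSign"}:
        out.append(f"{root}: keyUsage must be exactly keyCertSign + cRLSign")
    ian, san = get(root, "issuerAltName"), get(root, "subjectAltName")
    if ian is None or san is None or ian.split(",")[3:] != san.split(",")[3:]:
        out.append(f"{root}: issuerAltName and subjectAltName must carry the same value source")
    if get(link, "issuerAltName") or get(link, "subjectAltName"):
        out.append(f"{link}: must not define issuerAltName/subjectAltName (derived at CA key update)")
    for section in CSCA_CDP_SECTIONS:
        entries = spec.get(section)
        if entries is None:
            out.append(f"{section}: section missing")
            continue
        if dict(entries).get("includePartitionedLdapDN") != "0":
            out.append(f"{section}: includePartitionedLdapDN=0 is required (no partitioned-CRL DN)")
        schemes = [v.split(":", 1)[0].lower() for k, v in entries if k.isdigit()]
        if not any(s in ("http", "ldap") for s in schemes):
            out.append(f"{section}: needs at least one http: or ldap: URL (https: is ignored by most clients)")
        if any(s not in ("http", "https", "ldap") for s in schemes):
            out.append(f"{section}: CDP URLs must be http:, https: or ldap:")
        if "https" in schemes and any(s != "https" for s in schemes[schemes.index("https"):]):
            out.append(f"{section}: all https: URLs must be listed last")
    return out

# Constructed sample export (not a real CSCA's file) in the layout this guide shows.
ROOT_AND_LINK = """\
[cacert_default Verification Extensions]
issuerAltName=2.5.29.18,n,m,AuthSetting,IssuerAltName
subjectAltName=2.5.29.17,n,m,AuthSetting,IssuerAltName
keyUsage=2.5.29.15,c,m,BitString,0000011
basicConstraints=2.5.29.19,c,m,DER,30060101FF020100
[cacert_default Advanced]
noEntrustVersInfo=1
;noCRLDistPoints=1
[cacert_link Verification Extensions]
basicConstraints=2.5.29.19,c,m,DER,30060101FF020100
[cacert_link Advanced]
noEntrustVersInfo=1
;noCRLDistPoints=1
"""
CDP_BLOCK = ("includePartitionedLdapDN=0\n1=http://csca.example.com/CRL/CAN.crl\n"
             "2=https://pkddownload1.icao.int/CRLs/CAN.crl ;PKD location\n")
GOOD_CERTSPEC = ROOT_AND_LINK + "".join(f"[{s}]\n{CDP_BLOCK}" for s in CSCA_CDP_SECTIONS)
# Two deliberate mistakes: noCRLDistPoints left active on the root, https: listed before http:.
BAD_CERTSPEC = GOOD_CERTSPEC.replace(";noCRLDistPoints=1", "noCRLDistPoints=1", 1).replace(
    "1=http://csca.example.com/CRL/CAN.crl\n2=https://pkddownload1.icao.int/CRLs/CAN.crl ;PKD location",
    "1=https://pkddownload1.icao.int/CRLs/CAN.crl\n2=http://csca.example.com/CRL/CAN.crl", 1)
```

Run lint_csca_certspec() on the file produced by fcs export before fcs import; an empty list means the root, link and CDP sections match the guide, and each finding names the section to fix. On the constructed BAD_CERTSPEC it reports the active noCRLDistPoints=1 and the https: URL that precedes the http: one.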

Configuring certificate revocation lists for a
CSCA
Configuring the CSCA requires that you configure certificate revocation lists (CRLs).
Configuring CRLs for a CSCA requires that you enable combined CRLs and exclude
the reasonCode extension from revocation lists if a certificate was revoked without
including a reason for the revocation.

To configure certificate revocation lists


1 Log in to Security Manager Control Command Shell.
2 To see if combined CRLs are enabled, enter:
db get UseCombinedCRL
Security Manager displays the name, value, and description of the
UseCombinedCRL advanced setting:
Name : UseCombinedCRL
Value : 1
Description: Determines if a combined CRL should be created in the
CA entry.
Syntax : One of: '0' = No (default), '1' = Yes.
3 If UseCombinedCRL=0, enter the following command:
db set UseCombinedCRL 1
For the change to take effect, you must restart the Security Manager service. Do
not restart the service at this time.
4 To see if the reasonCode extension is included in revocation lists if the reason for
revoking a certificate was unspecified, enter:
db get CrlUseDefRevokeReason
Security Manager displays the name, value, and description of the
CRLUseDefRevokeReason advanced setting:
Name : CrlUseDefRevokeReason
Value : 0
Description: Determines if reasonCode should be included in
revocation lists when the certificate is revoked with the
'unspecified reason'.
Syntax : One of: '0' = No, '1' = Yes (default).
5 If CRLUseDefRevokeReason=1, enter the following command:
db set CrlUseDefRevokeReason 0

For the change to take effect, you must restart the Security Manager service. Do
not restart the service at this time.
6 To see how Security Manager supports Microsoft Windows client applications,
enter:
db get MsCompatibility
Security Manager displays the name, value, and description of the
MsCompatibility advanced setting:
Name : MsCompatibility
Value : 0
Description: Determines compatibility with Microsoft(R) Windows(R)
client applications.
Syntax : One of: '0' = No special support, '1' = Support all
CAPI clients, '2' = Support clients on Windows XP/2003 and above.
The MsCompatibility advanced setting controls some aspects of how Security
Manager issues CRLs. It must be set to 0 for a CSCA.
7 If MsCompatibility=1 or MsCompatibility=2, enter the following command:
db set MsCompatibility 0
For the change to take effect, you must restart the Security Manager service. Do
not restart the service at this time.
8 Verify that the advanced setting MsCompatWasOn is set to 0 by entering the
following command:
db get MsCompatWasOn
Security Manager displays the name, value, and description of the MsCompatWasOn
advanced setting:
Name : MsCompatWasOn
Value : 0
Description: Determines if compatibility with Microsoft(R)
Windows(R) client applications should be maintained.
Syntax : One of: '1' = maintain, '0' = do not maintain.
The MsCompatWasOn advanced setting controls some aspects of how Security
Manager issues CRLs. It must be set to 0 for a CSCA.
9 If the advanced setting MsCompatWasOn is set to 1, change it to 0 by entering the
following command:
db set MsCompatWasOn 0
For the change to take effect, you must restart the Security Manager service. Do
not restart the service at this time.
10 Set the advanced setting CSCA to 1 by entering the following command:
db set CSCA 1

For the change to take effect, you must restart the Security Manager service. Do
not restart the service at this time.
The CSCA advanced setting specifies whether the CA is a CSCA. If CSCA=1, the CA
is a CSCA, and Security Manager enforces UseCombinedCRL=1,
CRLUseDefRevokeReason=0, MsCompatibility=0, and MsCompatWasOn=0. These
advanced settings must already hold the correct values (steps 2 to 9) or Security
Manager refuses to set CSCA=1.
When CSCA=1, Security Manager will operate as follows:
• During CA key update, the CSCA forward link certificate validity is set to be
equal to the validity of the new CSCA root certificate.
• The CRL entry extensions reasonCode and invalidityDate will be excluded
from the combined CRL.
• The CSCA forward link certificate subjectAltName and issuerAltName
extensions are derived from the issuerAltName extension in the new and old
CSCA root certificates respectively.
11 Proceed to “Encoding the countryName attribute in uppercase” on page 126.

Encoding the countryName attribute in
uppercase
The value of the countryName (c=) attribute is a two-letter ISO 3166 country code,
such as US for the United States. This value should be encoded in uppercase
characters in all DN encodings for new signed objects, regardless of the letter case
in the directory or in existing database data.
After upgrading Security Manager, you can use the EncodeCountryNameUpper
advanced setting to force Security Manager to encode the value of the countryName
attribute in uppercase in all DN encodings for new signed objects.

Note:
It is not mandatory to change the Security Manager directory to have
countryName uppercase, but it is recommended that this is done for clarity so
that the contents in the directory are the same as the DNs in certificates.

To encode the countryName attribute in uppercase


1 Log in to the Security Manager Control Command Shell.
2 To view the current value of the EncodeCountryNameUpper advanced setting,
enter the following command:
db get EncodeCountryNameUpper
Security Manager displays the name, current value, description, and syntax of the
EncodeCountryNameUpper advanced setting. For example:
Name : EncodeCountryNameUpper
Value : 0
Description: Enforce that the countryName ('c') attribute is
encoded with uppercase characters in all DN encodings.
Syntax : One of: '0' = Do not enforce uppercase encoding, '1'
= Enforce encoding with uppercase.

3 To change the value of the EncodeCountryNameUpper advanced setting to 1,
enter the following command:
db set EncodeCountryNameUpper 1
For the change to take effect, you must restart the Security Manager service. Do
not restart the service at this time.
4 Proceed to “Configuring how the CSCA encodes distinguished names” on
page 127.

Configuring how the CSCA encodes
distinguished names
The advanced setting DNEncoding controls how distinguished name (DN) attributes
of the DirectoryString type (such as commonName) are encoded. The default value
of DNEncoding is
printable teletex utf8
This means that any of the character sets PrintableString, TeletexString, and
UTF8String may be used to encode the attribute values.
The recommended default for a CSCA is printable utf8 or utf8 only.

Note:
If the advanced setting DNEncoding currently has printable set first in the list
and you want to change it to utf8, contact Entrust Customer Support.

See the Security Manager Operations Guide for more information about the
DNEncoding advanced setting.

To configure how the CSCA encodes DNs


1 Log in to the Security Manager Control Command Shell.
2 To view the current value of the DNEncoding advanced setting, enter the
following command:
db get DNEncoding
Security Manager displays the name, current value, description, and syntax of the
DNEncoding advanced setting. For example:
Name : DNEncoding
Value : printable teletex utf8
Description: Determines how DNs are encoded.
Syntax : Must be a space separated list in order of
preference. If it has only one entry, that entry cannot be
"printable". Legal values: printable, teletex, bmp, utf8.

3 To set the DN encoding to printable utf8:


db set DNEncoding "printable utf8"
Security Manager issues the following warning:
It is strongly recommended that you read the Operations Guide
carefully before changing the 'DNEncoding' setting.
Do you wish to continue (y/n) ? [n]

4 Enter y to confirm the change to the DN encoding.
For the change to take effect, you must restart the Security Manager service. Do
not restart the service at this time.
5 Proceed to “Controlling the issuer and subject in CSCA link certificates” on
page 129.

Controlling the issuer and subject in CSCA link certificates
You may have changed the format of the CSCA distinguished name (DN) to meet
ICAO specifications:
• You may have changed the encoding of the countryName attribute from
lowercase to uppercase in “Encoding the countryName attribute in
uppercase” on page 126.
• You may have changed how the CSCA encodes DNs in “Configuring how
the CSCA encodes distinguished names” on page 127.
The advanced setting RetainIssuerDNEncoding controls the issuer in certificates and
CRLs when they are signed by a non-current CA key. The setting also affects the
subject in link certificates. In a CSCA installation, the CSCA link certificate is the only
certificate that is signed by an older CA key.
By default, the issuer and subject in the CSCA link certificate exactly match the
subject in the new CSCA certificate (RetainIssuerDNEncoding=off). If you changed
the format of the CSCA DN, you need to change the value of the advanced setting
RetainIssuerDNEncoding to one of the following values:
• off (default)
The issuer and subject in the CSCA link certificate follow the current DN
encoding settings. The issuer and subject in the CSCA link certificate will
exactly match the subject in the new CSCA certificate.
• cert
The issuer in the CSCA link certificate exactly matches the subject in the old
CSCA certificate, and the subject in the CSCA link certificate exactly matches
the subject in the new CSCA certificate.
• cert-link
The issuer and subject in the CSCA link certificate exactly match the subject
in the old CSCA certificate.
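As an added illustration (not code from the guide or from Entrust), the following Python models the two settings just described: how a DNEncoding preference list chooses the DER string type for a DirectoryString attribute, and which DNs become the issuer and subject of the CSCA link certificate under each RetainIssuerDNEncoding value. The sample DN values and the treatment of teletex as Latin-1 are assumptions; Security Manager's internals are not public.

```python
"""Added illustration, not Entrust code: DNEncoding preference lists and the
RetainIssuerDNEncoding values, modelled only as far as the guide describes them."""
from dataclasses import dataclass

# Universal ASN.1 tags of the DirectoryString alternatives named in DNEncoding
TAGS = {"printable": 0x13, "teletex": 0x14, "bmp": 0x1E, "utf8": 0x0C}
PRINTABLE_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")


def encode_directory_string(value: str, dn_encoding: str) -> bytes:
    """Encode value with the first type in the space-separated DNEncoding list
    that can represent it, as DER TLV (short-form length suffices for DN values)."""
    prefs = dn_encoding.split()
    if not prefs or any(p not in TAGS for p in prefs):
        raise ValueError(f"bad DNEncoding value {dn_encoding!r}")
    if prefs == ["printable"]:
        # Syntax rule quoted by the guide: a single entry cannot be "printable",
        # since non-PrintableString characters would then have no encoding.
        raise ValueError("DNEncoding cannot be 'printable' only")
    for pref in prefs:
        if pref == "printable":
            if not set(value) <= PRINTABLE_CHARS:
                continue
            body = value.encode("ascii")
        elif pref == "teletex":
            try:
                body = value.encode("latin-1")  # assumed stand-in for T.61
            except UnicodeEncodeError:
                continue
        elif pref == "bmp":
            if any(ord(c) > 0xFFFF for c in value):
                continue
            body = value.encode("utf-16-be")
        else:  # utf8 can represent any value
            body = value.encode("utf-8")
        if len(body) > 127:
            raise ValueError("value too long for this illustration")
        return bytes([TAGS[pref], len(body)]) + body
    raise ValueError(f"no type in {dn_encoding!r} can encode {value!r}")


@dataclass(frozen=True)
class Name:
    """A DN as it appears on the wire: ((attribute, DER-encoded value), ...)."""
    rdns: tuple


def encode_dn(attributes, dn_encoding: str) -> Name:
    """Encode the DirectoryString attributes of a DN under one DNEncoding setting."""
    return Name(tuple((a, encode_directory_string(v, dn_encoding))
                      for a, v in attributes))


def link_certificate_names(old_subject: Name, new_subject: Name, retain: str):
    """(issuer, subject) of the CSCA link certificate for a RetainIssuerDNEncoding value."""
    if retain == "off":        # both follow the current encoding: the new subject
        return new_subject, new_subject
    if retain == "cert":       # issuer as in the old CSCA cert, subject as in the new
        return old_subject, new_subject
    if retain == "cert-link":  # both exactly as in the old CSCA cert
        return old_subject, old_subject
    raise ValueError(f"unsupported RetainIssuerDNEncoding value {retain!r}")


def binary_chain_ok(old_subject: Name, link_issuer: Name) -> bool:
    """Would a verifier that compares DNs byte-for-byte accept the link
    certificate as issued by the old CSCA certificate?"""
    return old_subject == link_issuer


if __name__ == "__main__":
    csca = [("organizationName", "Passport Office"), ("commonName", "CSCA Demo")]
    old = encode_dn(csca, "printable teletex utf8")  # before the DNEncoding change
    new = encode_dn(csca, "utf8")                    # after switching to utf8 only
    for mode in ("off", "cert", "cert-link"):
        issuer, _subject = link_certificate_names(old, new, mode)
        print(f"{mode:9s} link issuer matches old CSCA subject: "
              f"{binary_chain_ok(old, issuer)}")
```

With the default off, a DN that changed from PrintableString to UTF8String no longer byte-matches the old CSCA subject, which is why the guide has you choose cert or cert-link after changing the DN format.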

To control the issuer and subject in CSCA link certificates


1 Log in to the Security Manager Control Command Shell.
2 To view the current value of the RetainIssuerDNEncoding advanced setting,
enter the following command:
db get RetainIssuerDNEncoding
Security Manager displays the name, current value, description, and syntax of the
RetainIssuerDNEncoding advanced setting. For example:
Name : RetainIssuerDNEncoding
Value : off
Description: Determines whether the issuer DN in a CRL or
certificate is retained as an exact copy of the subject DN in the
associated issuing root CA certificate.
Syntax : One of: 'off' = Do not retain and follow the
DNEncoding setting, 'cert', 'cert-link' = Retain for certificates,
'crl' = Retain for CRLs, 'all','all-link' = Retain for
certificates and CRLs. The '-link' suffix indicates that the
subject and issuer in CA link certificates match exactly. When
using 'cert' or 'all' with no '-link' suffix, the subject in CA
link certificates is retained as an exact copy of the subject of
the associated certified CA certificate.
3 To change the value of the RetainIssuerDNEncoding advanced setting:
• To change the value of the RetainIssuerDNEncoding advanced setting to
off:
db set RetainIssuerDNEncoding off
• To change the value of the RetainIssuerDNEncoding advanced setting to
cert:
db set RetainIssuerDNEncoding cert
• To change the value of the RetainIssuerDNEncoding advanced setting to
cert-link:
db set RetainIssuerDNEncoding cert-link
For the change to take effect, you must restart the Security Manager service. Do
not restart the service at this time.
4 Proceed to “Configuring the CA policy settings for a CSCA” on page 131.
Configuring the CA policy settings for a CSCA
Configuring the CSCA requires that you configure your CSCA with the keys,
algorithms, and lifetimes required by the International Civil Aviation Organization
(ICAO).

To view and configure the CA key type and signature algorithm


1 Log in to Security Manager Control Command Shell.
2 To view the current CA key type and CA signing algorithm, enter:
ca key config query
Security Manager displays the CA key type and signing algorithm. For example:
keyType = RSA-3072
signatureAlg = RSAPSS-SHA256
parameters = [none]

ICAO recommends that a CSCA with RSA keys use RSA-3072 or stronger. ICAO
recommends that a CSCA with an elliptic curve use a 256-bit elliptic curve or
stronger. The curves EC-P-256, EC-ansix9p256k1, EC-ansix9p256r1,
EC-brainpoolP256r1, and EC-brainpoolP256t1 are 256-bit elliptic curves.
The CSCA signing algorithm should be as strong as the key type or stronger. For
example, an RSA-3072 key type should use an RSAPSS-SHA256 or stronger
signing algorithm, and a 256-bit elliptic curve should use an ECDSA-SHA256 or
stronger signing algorithm.
3 If your CA key type and signing algorithm do not meet ICAO requirements, you
must change the key type and signing algorithm for the next CA certificate.
To change the key type and signing algorithm for the next CA certificate, enter:
ca key config -keyType <type> -signatureAlg <alg>
Where <type> is the key type and <alg> is the signing algorithm for the next CA
certificate.
For example:
ca key config -keyType RSA-3072 -signatureAlg RSAPSS-SHA256
or
ca key config -keyType EC-P-256 -signatureAlg ECDSA-SHA256
4 Proceed to “To view and configure the CA lifetime and private key usage” on
page 131.

To view and configure the CA lifetime and private key usage


1 Log in to Security Manager Control Command Shell.
2 To view the CA lifetime and private key usage, enter:
ca cert query
Security Manager displays the CA lifetime and private key usage. For example:
CA certificate lifetime (in months) 180
CA private key usage (% of CA certificate lifetime) 33
For 10-year eMRTDs, it is recommended that you configure the CSCA with a
lifetime of 187 months, and a CA private key usage period of 32.09% (see
“Calculating the validity periods for CSCA certificates” on page 112).
The CA private key usage period is a percentage of the CA verification certificate
lifetime. For example, 32.09% of 187 months is 60 months (5 years). When the
private key reaches this lifetime, Security Manager starts writing messages to the
audit logs informing you that the CA is nearing expiry.
For more information about the private key usage, see the Security Manager
Operations Guide.

Note:
Security Manager will not automatically update your root CA key.

3 To change the lifetime and private key usage period, enter:
ca cert config -lifetime <lifetime> -period <period>
Where:
• <lifetime> is the CSCA certificate lifetime (in months).
• <period> is the private key usage period.
For example:
ca cert config -lifetime 187 -period 32.09
Entering this command configures the lifetime and private key usage period for
the next CA certificate.
4 Proceed to “Updating the CA certificate” on page 133.
Updating the CA certificate
If you made any changes as described in this chapter, you must update your CA
certificate to process the changes to finish reconfiguring your CA as a CSCA.
Updating your CA certificate requires that you update your CA keys. It is
recommended that you also revoke the previous CA certificate. If you revoke the
previous CA certificate, you must recover all your X.509 users.

Attention:
Do not revoke the previous CA certificate if you issued any passports that were
signed with the previous CA certificate. After revoking the previous CA
certificate, any passports signed with the previous CA key will no longer validate.

For more information about updating CA keys, revoking CA certificates, and
recovering all users, see the Security Manager Operations Guide.

To update the CA keys


1 Log in to Security Manager Control Command Shell.
2 At the prompt, enter:
ca key update
Security Manager prompts you to select a location to store the new CA keys. For
example:
Select the destination for the new CA key
Choose one of:
1. Software
2. CA Hardware Vendor 1 SN: 12345678 SLOT: 1
3. CA Hardware Vendor 2 SN: 87654321 SLOT: 2
4. Cancel operation

If you have no hardware devices installed, no hardware devices will appear in the
list of options.
3 Enter the number associated with the action you want to select. For instance,
from the previous example, enter 1 to update a software-generated key, or 4 to
cancel the update operation.
If you update a hardware-generated key, you may be prompted for the device
password. If you update a software-generated key, no password is required.
4 If the services are running, the following prompt appears:
The services will be stopped and the CA key updated.
Do you wish to continue (y/n) ? [y]
Enter y to stop the services.
5 Security Manager updates the CA key pair and recovers the CA profile. If the
services were running before you updated the CA key pair, Security Manager will
restart the services. If the services were stopped before you updated the CA key
pair, Security Manager will start and then stop the services.
Security Manager prompts you to re-issue all revocation lists:
It is recommended that all revocation lists be re-issued. This can
be done later with the 'rl issue' command. Re-issue revocation
lists now (y/n) ? [y]
6 It is recommended that you re-issue all revocation lists immediately. To re-issue
all revocation lists immediately, enter y. To re-issue the revocation lists later, enter
n.
7 If the Security Manager services are stopped, restart the services with the
following command:
service start
Security Manager needs to be running so client applications can connect to it.
You have now updated the CSCA key pair.
8 If you updated the keys on a hardware security module, back up the key using
the procedure outlined by your hardware vendor.
9 If you want to revoke the previous CA certificate, proceed to “To revoke the
previous CA certificate and recover all users” on page 134.

To revoke the previous CA certificate and recover all users


1 Log in to Security Manager Control Command Shell.
2 To list all CA certificates, enter:
ca cert list
Security Manager displays a list of all root and link CA certificates. For example:
Serial Type Issue Date Expiry Date Post Revoked
[1] CA 2010/08/16 09:24:59 2020/08/16 09:54:59 yes
[2] CA 2010/08/16 14:24:16 2020/08/16 14:54:16 yes
[3] LINK 2010/08/16 09:24:59 2020/08/16 09:54:59 yes
[4] LINK 2010/08/16 14:24:16 2020/08/16 09:54:59 yes

The certificate with serial number [2] is the current CA certificate.

Serial Numbers:
[1] 4C694332 (1281966898)
[2] 4C69436B (1281966955)
[3] 4C69436C (1281966956)
[4] 4C69436D (1281966957)
3 Note the serial number of the previous root certificate. In the previous example,
the serial number is 4C694332.
4 To revoke the certificate, enter:
ca cert revoke -reason superseded -text "create new CSCA certificate" <sernum>
Where <sernum> is the hexadecimal serial number of the certificate you want to
revoke. For example, 4C694332.
Security Manager prompts you to confirm the operation. For example:
Are you sure you want to revoke the CA certificate ’4C1B73DC’.
This will restart the services (y/n)? [n]
5 Enter y to revoke the certificate and restart the Security Manager service.
Security Manager revokes the CA certificate and restarts the Security Manager
service.
6 To set all users for key recovery, enter:
ca keyrecover-all
Security Manager prompts you to confirm the operation:
This will set all clients in key recovery state. Proceed (y/n) ?
[n]
7 Enter y to set all users for key recovery. Security Manager displays the progress
and estimated time required to complete the operation.
After setting all users for key recovery, Security Manager displays a list of all
Security Officers (users with the Security Officer role), along with their reference
numbers and authorization codes.
8 Distribute the activation codes to each Security Officer. Security Officers need
these activation codes to recover their profiles.
Security Officers can recover their profiles with Security Manager Administration
(see the Security Manager Administration User Guide). After recovering their
profiles, Security Officers use Security Manager Administration to obtain and
distribute activation codes to the rest of the Security Manager users. Users can
recover their profiles when they log in to a Security Manager client application
such as Entrust Entelligence Security Provider for Windows.
9 If an error occurred when recovering all users, you may need to recover the CA
profile (see the Security Manager Operations Guide for details).
6 Managing a Country Signing CA

This chapter contains important information about specific tasks when managing a
Country Signing Certification Authority (CSCA). For more general information about
managing a CSCA, see the Security Manager Operations Guide and the Security
Manager Administration User Guide.
This chapter includes the following sections:
• “Customizing Document Signer certificates” on page 138
• “Customizing Master List Signer certificates” on page 143
• “Creating Master List Signer credentials” on page 148
• “Revoking certificates” on page 152
• “Updating the CSCA certificate” on page 153
• “Changing the distinguished name of the CSCA” on page 155

Customizing Document Signer certificates
Security Manager includes a certificate type named ePassport - Document Signer.
This certificate type is for signing the Document Security Object on electronic
passports. Your Country Signing Certification Authority (CSCA) issues these
certificate types to a Document Signer.
The default ePassport - Document Signer certificate type contains the object
identifiers (OIDs) and extensions required by the International Civil Aviation
Organization (ICAO). When customizing the Document Signer certificates, ensure
you follow the requirements outlined by the ICAO.
This section describes how to customize the Document Signer certificates issued by
your CSCA.
This section contains the following topics:
• “Configuring the CDP definitions for Document Signer certificates” on
page 138
• “Modifying the Document Signer user policy” on page 141

Configuring the CDP definitions for Document Signer certificates
Security Manager maintains standardized, partitioned CRLs at unique distribution
points in the directory. Each certificate contains a pointer to one or more CRL
Distribution Points (CDPs) where applications can find the CRL for the certificate in
question. Security Manager inserts CDP pointers to the relevant CRL in each
certificate it issues. When a client receives a certificate, it checks the entries in the
order they are listed to find one it can interpret.
Configure the CDP definitions for the ePassport - Document Signer
(epass_doc_signer) certificate type to point to a valid CRL so that client applications
can verify that the Document Signer certificate has not been revoked.
For more information about CDPs, see the Security Manager Administration User
Guide.

To configure the CDP definitions for Document Signer certificates


1 If the CSCA will host the combined CRL at an http: location:
a Configure Security Manager to publish the combined CRL to a file:
b Open the entmgr.ini file in a text editor.
c Locate the [CRL] section, or add it if it does not exist.
d Locate the CombinedCRLFile setting in this section, or add it if it does not
exist.
e For the value of the CombinedCRLFile setting, enter the path and file name
of the CRL file. For example:
CombinedCRLFile=C:\CRL\CAN.crl
You can also specify the name and location using the Universal Naming
Convention (UNC). For example:
CombinedCRLFile=\\DOMAIN\CRL\CAN.crl

Note:
Security Manager can only write to a network location if the account used by the
Security Manager services has direct write privileges to that location.

f Save and close the file.
g Configure a Web server to host the location of the CRL so users and client
applications can access the CRL. Using the above example, ensure that the
Web server can host files obtainable from C:\CRL or \\DOMAIN\CRL.
2 Export the Security Manager certificate specifications to a file.
You can export the certificate specifications using Security Manager
Administration. See the Security Manager Administration User Guide for details.
You can also export the certificate specifications from the Security Manager
Control Command Shell using the fcs export command. See the Security
Manager Operations Guide for details.
3 Open the certificate specifications in a text editor.
4 You can define CDPs in the following sections:
• To define global CDPs for all certificate types:
[CDP Definitions]
• To define a custom CDP for a specific certificate type:
[<cert_type> Common CDP Definitions]
Where <cert_type> is the certificate type.
Any CDPs defined in this section take precedence over any CDPs defined in
the global [CDP Definitions] section.
• To define a custom CDP for a specific certificate definition:
[<cert_type> <cert_definition> CDP Definitions]
Where <cert_type> is the certificate type and <cert_definition> is the
certificate definition.
Any CDPs defined in this section take precedence over any CDPs defined in
the global [CDP Definitions] section and the [<cert_type> Common CDP
Definitions] section for the same certificate type.
If one of the above sections exists but has no CDP entries defined, the CDP
contains the default LDAP DN only.
A CSCA needs to define CDPs in the following sections:
[cacert_default Verification CDP Definitions]
[cacert_link Verification CDP Definitions]
[ent_mlist_signer Common CDP Definitions]
[epass_doc_signer Document Signer CDP Definitions]

Note:
It is strongly recommended that you define CDP definition data for the individual
CSCA and ePassport certificate types, rather than define the CDP definition
globally for all certificate types.

5 Locate the following section, or add it if it does not exist:
[epass_doc_signer Document Signer CDP Definitions]
6 In the [epass_doc_signer Document Signer CDP Definitions] section, add
the following setting:
includePartitionedLdapDN=0
When set to 0, this setting will exclude the LDAP DN from the CDP. When set to
1, the LDAP DN will be included in the CDP. If absent, the value defaults to 1.
An error will occur if includePartitionedLdapDN=0 and there are no URL
definition entries in the associated [...CDP Definitions] section. An empty
[...CDP Definitions] section indicates that only the LDAP DN is included so
having includePartitionedLdapDN=0 would define an empty CDP which is
invalid.
7 In the [epass_doc_signer Document Signer CDP Definitions] section, define
one or more URL CDP definitions.

Note:
Currently most Security Manager client applications do not support https: CDPs;
they ignore such entries and use the combined CRL stored in the Security Manager
directory. If the combined CRL is not enabled, you must define at least one http:
or ldap: URL so that Security Manager client applications can access the CRL.

A CSCA may publish the combined CRL to its own locations and the PKD. For
example:
1=http://<server>/CRL/CAN.crl
2=https://pkddownload1.icao.int/CRLs/CAN.crl ;PKD location
See the Security Manager Administration User Guide for more information about
configuring CDPs.
8 Save and close the file.
9 Import the certificate specifications back into Security Manager.
You can import the certificate specifications using Security Manager
Administration. See the Security Manager Administration User Guide for details.
You can also import the certificate specifications from the Security Manager
Control Command Shell using the fcs import command. See the Security
Manager Operations Guide for details.

Modifying the Document Signer user policy
Security Manager includes a certificate type named ePassport - Document Signer.
This certificate type is for signing the Document Security Object on electronic
passports. Your Country Signing Certification Authority (CSCA) issues these
certificate types to a Document Signer.
The ePassport - Document Signer certificate type is mapped to a user policy (also
called a policy certificate) named Document Signer Policy. The Document Signer
Policy defines various attributes of the ePassport - Document Signer certificate type,
including certificate lifetime and private key usage period.
This section describes how to customize the certificate lifetime and private key usage
period of the Document Signer Policy. You should have already calculated the validity
values in “Calculating the validity periods for CSCA certificates” on page 96.
For more information about modifying certificate types and user policies, see the
Security Manager Administration User Guide.

To modify the Document Signer Policy user policy


1 Log in to Security Manager Administration.
2 In the tree view, expand Security Policy > User Policies.
3 Select Document Signer Policy.
4 Click the General Information tab.
5 Under Policy Attributes:
• In the Certificate lifetime field, enter the lifetime (in months) of Document
Signer certificates. A value of 123 is recommended for 10-year eMRTDs.
• In the Precise private key usage field, enter a value for the private key usage
period. (If set to 0, it will use the value set in the Private key usage period
policy attribute.) A value of 2.4038 is recommended for 10-year eMRTDs.
• In the Algorithm for key pair field, enter an algorithm to use for the
Document Signer keys. ICAO recommends using RSA-2048 or stronger
keys, or ECDSA-224 or stronger keys.
Security Manager supports the following algorithms for this policy attribute:
– RSA-1024
– RSA-2048
– RSA-3072
– RSA-4096
– RSA-6144
– DSA-1024
– ECDSA-192
This value is supported for backwards compatibility. It is the same as
EC-P-192.
– EC-<curve>
Where <curve> is a named elliptic curve. For a list of supported elliptic
curves, see the Security Manager Operations Guide.
By default, the algorithm is RSA-2048.
• Configure any other policy attributes as required. For more information
about the other policy attributes, see the Security Manager Administration
User Guide.
6 Click Apply.
7 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
Customizing Master List Signer certificates
Security Manager includes a certificate type named ePassport - Master List Signer
(ent_mlist_signer). This certificate type is for Master List Signer profiles. The Master
List Signer signs master lists of trusted Country Signing Certification Authorities
(CSCAs).
The default ePassport - Master List Signer certificate type contains the object
identifiers (OIDs) and extensions required by the International Civil Aviation
Organization (ICAO). When customizing the Master List Signer certificates, ensure
you follow the requirements outlined by the ICAO.
This section describes how to customize the Master List Signer certificates issued by
your CSCA.
This section contains the following topics:
• “Configuring the CDP definitions for Master List Signer certificates” on
page 143
• “Modifying the Master List Signer user policy” on page 146

Configuring the CDP definitions for Master List Signer certificates
Security Manager maintains standardized, partitioned CRLs at unique distribution
points in the directory. Each certificate contains a pointer to one or more CRL
Distribution Points (CDPs) where applications can find the CRL for the certificate in
question. Security Manager inserts CDP pointers to the relevant CRL in each
certificate it issues. When a client receives a certificate, it checks the entries in the
order they are listed to find one it can interpret.
When signing a domestic master list, Administration Services will check the CRL to
determine if the Master List Signer certificate that signed the master list has not been
revoked. Configure the CDP definitions for the ePassport - Master List Signer
(ent_mlist_signer) certificate type to point to a valid CRL so that Administration
Services can verify that the Master List Signer certificate has not been revoked.
For more information about CDPs, see the Security Manager Administration User
Guide.

To configure the CDP definitions for Master List Signer certificates


1 If the CSCA will host the combined CRL at an http: location:
a Configure Security Manager to publish the combined CRL to a file:
b Open the entmgr.ini file in a text editor.
c Locate the [CRL] section, or add it if it does not exist.
d Locate the CombinedCRLFile setting in this section, or add it if it does not
exist.
e For the value of the CombinedCRLFile setting, enter the path and file name
of the CRL file. For example:
CombinedCRLFile=C:\CRL\CAN.crl
You can also specify the name and location using the Universal Naming
Convention (UNC). For example:
CombinedCRLFile=\\DOMAIN\CRL\CAN.crl

Note:
Security Manager can only write to a network location if the account used by the
Security Manager services has direct write privileges to that location.

f Save and close the file.
g Configure a Web server to host the location of the CRL so users and client
applications can access the CRL. Using the above example, ensure that the
Web server can host files obtainable from C:\CRL or \\DOMAIN\CRL.
2 Export the Security Manager certificate specifications to a file.
You can export the certificate specifications using Security Manager
Administration. See the Security Manager Administration User Guide for details.
You can also export the certificate specifications from the Security Manager
Control Command Shell using the fcs export command. See the Security
Manager Operations Guide for details.
3 Open the certificate specifications in a text editor.
4 You can define CDPs in the following sections:
• To define global CDPs for all certificate types:
[CDP Definitions]
• To define a custom CDP for a specific certificate type:
[<cert_type> Common CDP Definitions]
Where <cert_type> is the certificate type.
Any CDPs defined in this section take precedence over any CDPs defined in
the global [CDP Definitions] section.
• To define a custom CDP for a specific certificate definition:
[<cert_type> <cert_definition> CDP Definitions]
Where <cert_type> is the certificate type and <cert_definition> is the
certificate definition.
Any CDPs defined in this section take precedence over any CDPs defined in
the global [CDP Definitions] section and the [<cert_type> Common CDP
Definitions] section for the same certificate type.
If one of the above sections exists but has no CDP entries defined, the CDP
contains the default LDAP DN only.
A CSCA needs to define CDPs in the following sections:
[cacert_default Verification CDP Definitions]
[cacert_link Verification CDP Definitions]
[ent_mlist_signer Common CDP Definitions]
[epass_doc_signer Document Signer CDP Definitions]

Note:
It is strongly recommended that you define CDP definition data for the individual
CSCA and ePassport certificate types, rather than define the CDP definition
globally for all certificate types.

5 Locate the following section, or add it if it does not exist:
[ent_mlist_signer Common CDP Definitions]
6 In the [ent_mlist_signer Common CDP Definitions] section, add the
following setting:
includePartitionedLdapDN=0
When set to 0, this setting will exclude the LDAP DN from the CDP. When set to
1, the LDAP DN will be included in the CDP. If absent, the value defaults to 1.
An error will occur if includePartitionedLdapDN=0 and there are no URL
definition entries in the associated [...CDP Definitions] section. An empty
[...CDP Definitions] section indicates that only the LDAP DN is included so
having includePartitionedLdapDN=0 would define an empty CDP which is
invalid.
7 In the [ent_mlist_signer Common CDP Definitions] section, define one or
more URL CDP definitions.

Note:
Currently most Security Manager client applications do not support https: CDPs;
they ignore such entries and use the combined CRL stored in the Security Manager
directory. If the combined CRL is not enabled, you must define at least one http:
or ldap: URL so that Security Manager client applications can access the CRL.

Managing a Country Signing CA 145


Report any errors or omissions
A CSCA may publish the combined CRL to its own locations and the PKD. For
example:
1=http://<server>/CRL/CAN.crl
2=https://pkddownload1.icao.int/CRLs/CAN.crl ;PKD location
See the Security Manager Administration User Guide for more information about
configuring CDPs.
8 Save and close the file.
9 Import the certificate specifications back into Security Manager.
You can import the certificate specifications using Security Manager
Administration. See the Security Manager Administration User Guide for details.
You can also import the certificate specifications from the Security Manager
Control Command Shell using the fcs import command. See the Security
Manager Operations Guide for details.
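To make the section precedence and the includePartitionedLdapDN rule concrete for both the Document Signer and the Master List Signer CDP procedures above, here is an added Python example (not the guide's or Entrust's code) that resolves the effective CDP for a certificate type and definition from a constructed certificate-specification excerpt. The host names crl.example and ldap.example stand in for the guide's <server> placeholder and for the directory; the section contents are constructed.

```python
"""Added example, not part of the Entrust guide or product: resolve the effective
CRL Distribution Point list from the [... CDP Definitions] sections of an exported
certificate specification, applying the precedence and includePartitionedLdapDN
rules the guide describes."""
import configparser
from dataclasses import dataclass

# Constructed sample; crl.example stands in for the guide's <server> placeholder.
SAMPLE_SPEC = """
[CDP Definitions]
1=ldap://ldap.example/cn=CRL1,o=CSCA,c=CA

[epass_doc_signer Document Signer CDP Definitions]
includePartitionedLdapDN=0
1=http://crl.example/CRL/CAN.crl
2=https://pkddownload1.icao.int/CRLs/CAN.crl ;PKD location

[ent_mlist_signer Common CDP Definitions]
includePartitionedLdapDN=0
1=http://crl.example/CRL/CAN.crl
"""

CLIENT_SCHEMES = ("http:", "ldap:")  # schemes the guide says clients can use


@dataclass
class Cdp:
    section: str           # section the definitions came from
    urls: list             # URL entries in numeric order
    include_ldap_dn: bool  # whether the partitioned CRL LDAP DN is included


def _load(spec_text: str) -> configparser.ConfigParser:
    parser = configparser.ConfigParser(inline_comment_prefixes=(";",),
                                       interpolation=None)
    parser.optionxform = str  # keep the case of includePartitionedLdapDN
    parser.read_string(spec_text)
    return parser


def _build(entries, section: str) -> Cdp:
    include_ldap = entries.get("includePartitionedLdapDN", "1").strip() != "0"
    urls = [entries[k].strip()
            for k in sorted((k for k in entries if k.isdigit()), key=int)]
    if not include_ldap and not urls:
        # The guide: LDAP DN excluded and no URL entries would define an empty CDP.
        raise ValueError(f"[{section}] defines an empty CDP: "
                         "includePartitionedLdapDN=0 without URL entries")
    return Cdp(section, urls, include_ldap)


def resolve_cdp(spec_text: str, cert_type: str, cert_definition: str) -> Cdp:
    """Pick the most specific existing section: definition, then type, then global."""
    parser = _load(spec_text)
    for section in (f"{cert_type} {cert_definition} CDP Definitions",
                    f"{cert_type} Common CDP Definitions",
                    "CDP Definitions"):
        if parser.has_section(section):
            return _build(parser[section], section)
    return Cdp("(no CDP section)", [], True)  # no section at all: LDAP DN only


def lint_cdp(cdp: Cdp, combined_crl_enabled: bool) -> list:
    """Warnings worth raising before importing the specification back."""
    warnings = []
    if cdp.section == "CDP Definitions":
        warnings.append("CDP comes from the global section; the guide recommends "
                        "per-type definitions for CSCA and ePassport types")
    client_urls = [u for u in cdp.urls if u.startswith(CLIENT_SCHEMES)]
    if not combined_crl_enabled and not client_urls and not cdp.include_ldap_dn:
        warnings.append("no http: or ldap: URL and no combined CRL: Security "
                        "Manager clients cannot reach the CRL")
    return warnings


if __name__ == "__main__":
    for cert_type, definition in (("epass_doc_signer", "Document Signer"),
                                  ("ent_mlist_signer", "Verification"),
                                  ("cacert_default", "Verification")):
        cdp = resolve_cdp(SAMPLE_SPEC, cert_type, definition)
        print(cert_type, definition, "->", cdp.section, cdp.urls,
              lint_cdp(cdp, combined_crl_enabled=False))
```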

Modifying the Master List Signer user policy
Security Manager includes a certificate type named ePassport - Master List Signer
(ent_mlist_signer). This certificate type is for Master List Signer profiles. The Master
List Signer signs master lists of trusted Country Signing Certification Authorities
(CSCAs).
The ePassport - Master List Signer certificate type includes two certificate definitions:
Encryption and Verification. The Encryption certificate definition is mapped to a user
policy (also called a policy certificate) named Encryption Policy. The Verification
certificate definition is mapped to a user policy named Master List Signer Policy. The
user policies define various attributes of the ePassport - Master List Signer certificate
type, including certificate lifetime and private key usage period.
This section describes how to customize the certificate lifetime and private key usage
period of the Master List Signer Policy. You should have already calculated the
validity values in “Calculating the validity periods for CSCA certificates” on page 96.
For more information about modifying user policies, see the Security Manager
Administration User Guide.

To modify the Master List Signer Policy user policy


1 Log in to Security Manager Administration.
2 In the tree view, expand Security Policy > User Policies.
3 Select Master List Signer Policy.
4 Click the General Information tab.
5 Under Policy Attributes:
• In the Certificate lifetime field, enter the lifetime (in months) of Master List
Signer certificates. A value of 60 is recommended for 10-year eMRTDs.
• In the Precise private key usage field, enter a value for the private key usage
period. (If set to 0, it will use the value set in the Private key usage period
policy attribute.) A value of 20 is recommended for 10-year eMRTDs.
• Configure any other policy attributes as required. For more information
about the other policy attributes, see the Security Manager Administration
User Guide.
6 Click Apply.
7 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
Creating Master List Signer credentials
Before installing Administration Services for a Master List Signer, create a Security
Manager profile for the Master List Signer services. The Master List Signer services
require a Master List Signer profile from the CSCA to communicate with the CSCA
Security Manager.
The Master List Signer Web Service and MLS Administration use the Master List
Signer profile to sign master lists of trusted foreign CSCA certificates.
The Master List Signer profile is required if you are installing the Master List Signer
services (see “Deploying the Master List Signer services” on page 737).
This section contains the following topics:
• “Creating a user entry for a Master List Signer profile” on page 148
• “Creating a Master List Signer profile” on page 150
• “Updating the Master List Signer profile keys” on page 151

Creating a user entry for a Master List Signer profile


You must create a user entry in Security Manager for the Master List Signer profile.
You can use Security Manager Administration to create a user entry for the Master
List Signer profile.
For more information about creating users with Security Manager Administration, see
the Security Manager Administration User Guide.

To create a user entry for the Master List Signer profile using Security Manager
Administration
1 Ensure you have performed the steps detailed in “Customizing Master List Signer
certificates” on page 143.
2 Log in to Security Manager Administration.
3 Select Users > New User.
The New User dialog box appears.
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.

c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
d Ensure that the Create profile check box is not checked.
4 Click the General tab.
5 From the Role drop-down list, select Server Login.
6 Select the Certificate Info tab, and then complete the following:
• In the Category drop-down list, select Enterprise.
• Under Certificate Type, select ePassport - Master List Signer.
7 Click OK.
8 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
The Operation Completed Successfully message appears, which displays the
Reference number and Authorization code.
Record these activation codes in a secure manner, as they are required later to
create and activate the user’s Entrust digital ID.
For more details on how the reference number and authorization code are
used, see the Security Manager Administration User Guide.
9 The Master List Signer profile requires a subjectAltName extension containing
an email address or DNS name associated with the CSCA. To add an email
address:
a In the right pane, select the user you just created and then select Users >
Selected User > Properties.
b Click the SubjectAltName tab.
c Click Add.
The Add subjectAltName component dialog box appears.
d In the Select component name list, select E-mail.
e In the Enter component value field, enter the email address associated with
your CSCA (for example, csca@example.com).
f Click OK to add the email address and close the Add subjectAltName
component dialog box.
g Click OK to save the changes.
h If prompted, authorize the operation. The operation may require more than
one authorization. See the Security Manager Administration User Guide for
details.
10 The Master List Signer profile requires a subjectAltName extension containing
an email address or DNS name associated with the CSCA. To add a DNS name:

a In the right pane, select the user you just created and then select Users >
Selected User > Properties.
b Click the SubjectAltName tab.
c Click Add.
The Add subjectAltName component dialog box appears.
d In the Select component name list, select DNS Name.
e In the Enter component value field, enter the Fully Qualified Domain Name
(FQDN) of the server hosting the CSCA (for example, csca.example.com).
f Click OK to add the DNS name and close the Add subjectAltName
component dialog box.
g Click OK to save the changes.
h If prompted, authorize the operation. The operation may require more than
one authorization. See the Security Manager Administration User Guide for
details.
You have now created the user entry for the Master List Signer profile. Proceed to
“Creating a Master List Signer profile” on page 150.

Creating a Master List Signer profile


The Master List Signer profile can be stored on software as an EPF file or PKCS #12
file (P12 or PFX file), or on a hardware security module. Create a PKCS #12 file if your
CSCA will be offline.
You can use one of the following applications to create the Master List Signer profile:
• Profile Creation Utility
The Profile Creation Utility can create the profile on hardware, or on software
as an EPF file or PKCS #12 file (P12 file). For instructions, see the
Administration Services Installation Guide.
• Security Manager Administration
When using Security Manager Administration to create the profile, you must
create the profile as an EPF file on software. For instructions, see the
following procedure.

To create a Master List Signer profile using Security Manager Administration


1 Create a user entry for the Master List Signer profile (see “Creating a user entry
for a Master List Signer profile” on page 148).
2 In the right pane, select the user entry you just created and then select Users >
Selected User > Create Profile.
The Create profile dialog box appears.

3 Click Create desktop profile.
4 In the Name field, enter the file name for the Master List Signer profile. Security
Manager Administration will append the .epf extension to the file name.
5 Click Browse to select a folder where you want to save the Master List Signer
profile.
6 In the Password and Confirm fields, enter a password for the Master List Signer
profile.
7 Click OK.
You can now use this Master List Signer profile with Administration Services. You
need the Master List Signer profile, the profile password, and the profile location
when you install Administration Services.

Updating the Master List Signer profile keys


It is not recommended that you copy profiles to other servers. If you do copy a profile,
and the profile keys are updated at one server, copy the updated profile file to each
server.

Note:
There can be only one Master List Signer instance.

Keys are updated only when Administration Services starts up. You may have to
schedule periodic server restarts at a frequency that corresponds to the configured
certificate lifetime.

Revoking certificates
The International Civil Aviation Organization (ICAO) requires that CRLs issued by the
CSCA must not include CRL entry extensions. When revoking certificates issued by
the CSCA, you must revoke the certificates with the Unspecified reason.
If you configured your CSCA correctly, either before initializing Security Manager
(see “Installing a Country Signing CA” on page 95) or after initializing Security
Manager (see “Configuring certificate revocation lists for a CSCA” on page 123),
revoking certificates issued by the CSCA with the Unspecified reason ensures that
the CRLs conform to ICAO requirements.
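The following Python script is an added example for this guide, not Entrust code: it performs the structural check a practitioner would run on a CRL exported from the CSCA before publishing it. A minimal, standard-library-only DER reader walks the CertificateList into tbsCertList and revokedCertificates and reports every revoked entry that carries a crlEntryExtensions element, which is exactly what revoking with any reason other than Unspecified produces (a reasonCode extension, OID 2.5.29.21). The two sample CRLs are constructed inline with a dummy signature; the function names (crl_entry_extension_violations, build_sample_crl) are this example's own, and the check verifies neither the signature nor the CRL-level extensions.

```python
"""Structural check that a CSCA CRL has no CRL entry extensions (ICAO requirement).

Added example for this guide, not Entrust code. Standard library only: a minimal
DER reader walks CertificateList -> tbsCertList -> revokedCertificates and flags
every revoked entry that carries a crlEntryExtensions element.
"""


def _read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER TLV that starts at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Split the content of a constructed value into its (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        out.append((tag, val))
    return out


def _oid_to_str(raw):
    """Decode DER OID content bytes to dotted form, e.g. 55 1D 15 -> '2.5.29.21'."""
    arcs, n = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)


def crl_entry_extension_violations(crl_der):
    """Return [(serial, [extension OIDs])] for each revoked entry with crlEntryExtensions.

    An empty list means the CRL satisfies the "no CRL entry extensions" rule at the
    structural level; the CRL signature is not checked here.
    """
    tbs_content = _children(_read_tlv(crl_der)[1])[0][1]   # first child is tbsCertList
    fields = _children(tbs_content)
    i = 1 if fields[0][0] == 0x02 else 0     # optional version INTEGER
    i += 2                                   # signature AlgorithmIdentifier, issuer Name
    while i < len(fields) and fields[i][0] in (0x17, 0x18):
        i += 1                               # thisUpdate and optional nextUpdate (UTCTime/GeneralizedTime)
    if i >= len(fields) or fields[i][0] != 0x30:
        return []                            # revokedCertificates absent: nothing revoked
    violations = []
    for _, entry in _children(fields[i][1]):
        parts = _children(entry)             # serial, revocationDate[, crlEntryExtensions]
        if len(parts) == 3:
            serial = int.from_bytes(parts[0][1], "big", signed=True)
            oids = [_oid_to_str(_children(ext)[0][1]) for _, ext in _children(parts[2][1])]
            violations.append((serial, oids))
    return violations


# --- constructed sample input (dummy signature, not a real CSCA CRL) --------------

def _der(tag, content):
    """Encode one DER TLV."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_crl(with_reason_code):
    """Two-entry CRL: serial 1 revoked as Unspecified (no entry extensions); serial 2
    optionally revoked with reasonCode keyCompromise, which adds crlEntryExtensions."""
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")) + _der(0x05, b""))
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550406")) + _der(0x13, b"UT"))))
    when = _der(0x17, b"190401000000Z")
    entry1 = _der(0x30, _der(0x02, b"\x01") + when)
    entry2 = _der(0x02, b"\x02") + when
    if with_reason_code:
        reason = _der(0x30, _der(0x06, bytes.fromhex("551D15")) + _der(0x04, _der(0x0A, b"\x01")))
        entry2 += _der(0x30, reason)
    tbs = _der(0x30, _der(0x02, b"\x01") + sha256_rsa + issuer + when + when
               + _der(0x30, entry1 + _der(0x30, entry2)))
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" * 17))


if __name__ == "__main__":
    print("clean CRL:", crl_entry_extension_violations(build_sample_crl(False)))
    print("bad CRL  :", crl_entry_extension_violations(build_sample_crl(True)))
```

To run it against a CRL published by your CSCA, pass the DER bytes of the file to crl_entry_extension_violations (base64-decode a PEM CRL first). Any non-empty result identifies a certificate that was revoked with a reason other than Unspecified and whose CRL therefore does not meet the ICAO requirement.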

Updating the CSCA certificate
When the current CSCA certificate reaches the private key usage period, Security
Manager begins logging audit -7593 in the mgraudit.log file. The audit informs you
that the Certification Authority (CA) key is past the private key usage period, and that
you should perform a CSCA key update.
The CA private key usage period is a percentage of the CA verification certificate
lifetime. You set the private key usage period when you installed Security Manager
(see “Installing and configuring Security Manager” on page 99), or reconfigured an
existing Security Manager CA (see “Configuring the CA policy settings for a CSCA”
on page 131).
If you followed the instructions in this guide to configure a CSCA, then by default
your CSCA certificates expire after 187 months (15 years and 7 months), and the
private key usage period is 60 months (32.09% of 187 months, or 5 years).

Note:
Security Manager will not automatically update your root CA key. Ensure that
you update the CA key when 33% of the CA verification certificate lifetime has
passed.

The International Civil Aviation Organization (ICAO) requires that countries give 90
days’ notice before they change their CSCA certificate. When Security Manager begins
logging the private key usage period audit described above, inform the other
countries that your CSCA will be updated in 90 days. After 90 days, update your
CSCA keys.

To update the CSCA keys


1 Log in to Security Manager Control Command Shell (see the Security Manager
Operations Guide).
2 At the prompt, enter:
ca key update
Security Manager prompts you to select a location to store the new CA keys. For
example:
Select the destination for the new CA key
Choose one of:
1. Software
2. CA Hardware Vendor 1 SN: 12345678 SLOT: 1
3. CA Hardware Vendor 2 SN: 87654321 SLOT: 2
4. Cancel operation

3 Enter the number associated with the action you want to select. For instance,
from the previous example, enter 1 to update a software-generated key, or 4 to
cancel the update operation.
If you update a hardware-generated key, you may be prompted for the device
password. If you update a software-generated key, no password is required.
Security Manager prompts you to stop the Security Manager service to update
the CA keys:
The services will be stopped and the CA key updated. Do you wish
to continue (y/n) ? [y]
4 Enter y to stop the Security Manager service and update the CA keys.
Security Manager stops the Security Manager service and updates the CA keys.
When Security Manager updates the CSCA certificate, Security Manager produces a
new root certificate and two new link certificates (see the Security Manager
Operations Guide for details).
ICAO recommends that countries refrain from using the new CSCA certificate for the
first two days after issuing the new certificate.

Changing the distinguished name of the CSCA
If required, you can change the distinguished name (DN) of your CSCA. You may
need to change the CSCA DN if it does not meet ICAO standards.

Note:
Do not change the CSCA DN unnecessarily as it can adversely impact relying
parties. For example, other countries must retain both the old and new names as
valid CSCAs for your country until all e-passports signed under the old name have
expired.

Changing the CSCA DN requires that you also perform a CSCA key update to
generate a new CSCA root certificate.
This section includes the following topics:
• “Performing a CSCA key update and changing the CSCA DN in Security
Manager” on page 155
• “Known issues and limitations of a CSCA DN change” on page 160

Performing a CSCA key update and changing the CSCA DN in Security Manager
Changing the DN of your CSCA in Security Manager requires that you perform a key
update. As part of a key update, you can specify the new CSCA DN. Security
Manager will then update the CSCA keys and issue a new root CA certificate with the
updated CSCA DN.
As part of the CSCA DN change:
• Security Manager includes the nameChange extension in the CSCA root
certificate and the forward link certificate.
A forward link certificate is a certificate that contains the new CA signing
public key and is signed with the old CA signing private key.
In the ICAO standard, the nameChange extension is required in the forward
link certificate for a CSCA DN change, and optional in the new CSCA root
certificate.
• Security Manager does not include the issuerAltName extension in the
combined CRL.
In the ICAO standard, the issuerAltName extension is optional in the
combined CRL.

To perform a CSCA key update and change the CSCA DN in Security Manager
1 Before you change the CSCA DN in Security Manager, you must modify the
Security Manager directory to include the new entry for the CSCA.
The new CSCA entry:
• must be in the same directory as the existing CSCA entry
• must have the same password as the existing CSCA entry
• must be compatible with Security Manager and needs full access to
everything the previous CSCA DN entry can access
For example, the new CSCA DN entry must have access to all user DNs
managed by the old CSCA, including searchbases. If multiple CSCA DN
changes are performed, the new CSCA DN must have access to all user DN
locations from all previous CSCA DNs.
For information about configuring a CA entry, see the Security Manager
Directory Configuration Guide.
During the CSCA DN change process, Security Manager will switch between
binding as the old DN and new DN. After changing the CSCA DN in Security
Manager, Security Manager will no longer bind as the old CSCA DN, but will
need access to the existing user entries that may be under the previous CSCA DN
entry.
2 Log in to Security Manager Control Command Shell (see the Security Manager
Operations Guide).
3 Enter the following command:
ca key update [-hold] -new-csca-dn <dn>
Parameters in square brackets are optional parameters, where:
• -hold performs a CA key update on hold. See the Security Manager
Operations Guide for information about performing a CA key update on
hold.
• <dn> is the new CSCA DN.
For example:
ca key update -new-csca-dn {cn=New CSCA DN,o=Example,c=MM}
4 Security Manager prompts you to select a storage device. For example:
Select the destination for the new CA key
Choose one of:
1. Software
2. CAHdwareVendor01 SN: 99ERT-A7-00-1 SLOT: 897756
3. CAHdwareVendor02 SN: REM77Z28X SLOT: 1000000029
4. Cancel operation
If you have no hardware devices installed, no hardware devices will appear in the
list of options.

Enter the number associated with the action you want to select. For instance,
from the previous example, enter 1 to update a software-generated key, the
number corresponding to the hardware device to update a hardware-generated
key, or 4 to cancel the update operation.
5 Security Manager performs the following checks on the new CSCA DN:
• It cannot be the same as the current DN.
• It must include the commonName (cn=) attribute.
• The countryName (c=) attribute must be two characters.
• The countryName (c=) attribute must be the same as the current
countryName.
• Binding as the new CSCA DN to the directory with the current CSCA DN
password must be possible.
If any of the checks fail, Security Manager displays an error and does not perform
a key update.
6 If you update a hardware-generated key, you may be prompted for the device
password. If you update a software-generated key, no password is required.
7 Security Manager displays the current and new CSCA DN and asks if you want
to continue:
The CSCA name (DN) will be changed from
'cn=CSCA2,ou=canucks,o=entrust,c=CA'
to:
'cn=CSCA3,ou=canucks,o=entrust,c=CA'
Do you wish to continue (y/n) ? [n]
Enter y to continue.
8 If you performed a root CA key update on hold, Security Manager updates the
CA key pair, creates the associated certificates, and puts the key and certificates
on hold:
CA key and certificate successfully updated using external data
and are on hold (not active). The CA key update may be completed
or canceled at a later date using the 'ca key update' command.
You can cancel or complete the CA key update later.
9 If you performed a root CA key update on hold, and want to cancel the CA key
update:
a Log back in to the Security Manager Control Command Shell.
b Enter the following command:
ca key update -cancel
10 If you performed a root CA key update on hold, and want to complete the CA
key update on hold:
a Log back in to the Security Manager Control Command Shell.

b Enter the following command:
ca key update -complete
c Continue with the rest of this procedure.
11 If the services are running, the following prompt appears:
The services will be stopped and the CA key update on hold will be
completed.
Do you wish to continue (y/n) ? [y]
Enter y to stop the services and continue with the key update.
12 Security Manager updates the CA key pair and recovers the CA profile:
CA key and certificate successfully updated with CSCA name (DN)
change.
Recovering CA profile...
During the CSCA name change:
• The CA user cn=ASH Service,<current DN> undergoes a DN change to
cn=ASH Service,<new DN>.
The CA user will have new encryption and verification certificates issued by
the new CSCA DN. CA User encryption certificates issued by previous DNs
can still be used to decrypt archive files that were created before the CSCA
name change.
• The read-only searchbase CA Domain Searchbase changes from the old
CSCA DN to the new CSCA DN.
If the old CSCA DN is required as a searchbase, you must re-add it to Security
Manager manually. Any other required searchbases that use the new CSCA
DN must also be added manually.
• Any user policy DN that includes the old CSCA DN changes the old CSCA DN
to the new CSCA DN. Policy certificates with new DNs will be published to
the new locations.
User policy DNs may be created under any searchbase. If a user policy DN
does not include the old CSCA DN, it will remain as is.
The main policy certificate will be published to the new CSCA DN entry and
the policy mapping structures will include the new policy certificate DNs.
• All CMP protocol certificates and the event certificate are re-issued with the
issuer and subject set to the new CSCA DN.
• The Security Manager entrust.ini stored in the CA data directory
/manager folder (typically /opt/entrust/authdata/CA/manager or
C:/authdata/manager) is updated to include the new CSCA DN for the
following settings:
[Entrust Settings]
CA Distinguished Name=

[ASH Information]
ASHdn=
You must manually update the entrust.ini file used by client applications
such as Security Manager Administration.
13 Security Manager issues updated revocation lists:
Issuing CRLs, please wait ...
4 CRL(s) were issued.
4 ARL(s) were issued.
1 combined CRL(s) were issued.
Security Manager creates a new partitioned CRL and ARL. The new partitioned
CRL and ARL and all subsequent partitioned CRLs and ARLs are issued by the
new CSCA DN and signed with the new CSCA key.
All previous partitioned CRLs and ARLs are issued by the old CSCA DN and
signed with the old CSCA key, as long as the old CSCA key is still valid. When the
old CSCA key is no longer valid, the previous CRLs and ARLs are issued by the
new CSCA DN and signed with the new CSCA key.
14 If the services were running before you updated the CA key pair, Security
Manager will restart the services. If the services were stopped before you
updated the CA key pair, Security Manager will start and then stop the services.
You have now completed a CA key update.
15 After updating the CA key pair and changing the CSCA DN:
a Using the Security Manager Control Command Shell, recover a Security
Officer or create a new Security Officer.
You need to create or recover a Security Officer so that Security Officer can
manage other user accounts in Security Manager.
To create a Security Officer, use the following command:
officer create
To recover a Security Officer, use the following command:
officer recover
During key recovery, Security Manager automatically creates new certificates
for any backed-up keys whose certificates were not issued by the current CSCA
DN. The reason is shown in the audits.
See the Security Manager Operations Guide for information about creating
or recovering Security Officers.
b From the CA data directory /manager folder, (typically
/opt/entrust/authdata/CA/manager or C:/authdata/manager), copy the
updated entrust.ini file to Security Manager client applications.

c Recover all administrator profiles before using Security Manager
Administration, Administration Services, or another administrative
application.
Administrator profiles include the profiles required to run Administration
Services.
Use the Security Officer profile you created or recovered earlier to recover
other Security Officers or human administrators, who in turn can recover other
administrator profiles.
d (Optional.) If any user accounts have a DN that includes the old CSCA DN,
change the DN of these user accounts so they will include the new CSCA DN.
e (Optional.) You can remove the previous CSCA DN entry from the directory
after you confirm that it no longer needs to exist.
All users with the previous CSCA DN included in their DN must undergo a
DN change before you can remove the old CSCA DN entry from the
directory.
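Step 5 of the procedure above lists the checks Security Manager applies to the new CSCA DN, and a failed check aborts the key update only after you have already stopped services and selected a key store. The Python script below is an added example for this guide, not Entrust code: it reproduces the four checks that can be evaluated offline (not the same DN, commonName present, countryName exactly two characters, countryName unchanged) so that the DN can be validated before the ca key update -new-csca-dn command is run. The fifth check, binding to the directory as the new DN with the current password, needs the live directory and is deliberately left out. The function names (parse_dn, check_new_csca_dn) and the comparison rules (case-insensitive attribute types and values, tolerance of the surrounding braces used on the command line) are this example's own assumptions, not a statement of how Security Manager compares DNs.

```python
"""Offline pre-flight checks for the DN passed to 'ca key update -new-csca-dn'.

Added example for this guide, not Entrust code. Mirrors the four checks from
step 5 that need no directory access; the directory bind check is not attempted.
Normalisation rules below are assumptions, not Security Manager's own semantics.
"""


def parse_dn(dn):
    """Split an RFC 4514 style DN into [(type, value)] pairs, most specific RDN first.

    Backslash-escaped commas stay inside the value; the braces that the Security
    Manager command-line example wraps around the DN are tolerated and dropped.
    """
    rdns, buf, escaped = [], "", False
    for ch in dn.strip().strip("{}"):
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        typ, val = rdn.split("=", 1)
        pairs.append((typ.strip().lower(), val.strip()))
    return pairs


def _values(pairs, typ):
    """All values of one attribute type, in DN order."""
    return [v for t, v in pairs if t == typ]


def _normalised(pairs):
    """Case-insensitive form used for the same-DN comparison (an assumption)."""
    return [(t, v.lower()) for t, v in pairs]


def check_new_csca_dn(current_dn, new_dn):
    """Return the list of failed checks; an empty list means the new DN passes."""
    cur, new = parse_dn(current_dn), parse_dn(new_dn)
    failures = []
    if _normalised(cur) == _normalised(new):
        failures.append("new DN is the same as the current DN")
    if not _values(new, "cn"):
        failures.append("new DN has no commonName (cn=) attribute")
    new_c, cur_c = _values(new, "c"), _values(cur, "c")
    if not new_c or len(new_c[0]) != 2:
        failures.append("countryName (c=) must be exactly two characters")
    elif cur_c and new_c[0].upper() != cur_c[0].upper():
        failures.append(f"countryName must stay {cur_c[0]}, got {new_c[0]}")
    return failures


if __name__ == "__main__":
    current = "cn=CSCA2,ou=canucks,o=entrust,c=CA"
    for candidate in ("cn=CSCA3,ou=canucks,o=entrust,c=CA",
                      "{cn=CSCA3,ou=canucks,o=entrust,c=CA}",
                      "cn=CSCA3,o=entrust,c=US",
                      current):
        print(candidate, "->", check_new_csca_dn(current, candidate) or "OK")
```

Run the script with the current CSCA DN (the CA Distinguished Name value from entrust.ini) and the intended new DN; only a DN that returns an empty list is worth taking into the key update, and the directory bind check in step 5 still has to pass on the CA itself.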

Known issues and limitations of a CSCA DN change


Changing a CSCA DN has the following known issues and limitations:
• The CA migration feature is not supported.
• Cross-certificates and subordinate CA certificates are not supported.
Cross-certificates and subordinate CA certificates are not required for a
CSCA.
• Previous partitioned CRLs will be maintained but are not published to the old
CA DN LDAP location.
• Revocation of a current root certificate forces a CA key update first. CSCA
DN change is not supported for this scenario. You must first perform a CA
key update, then you can revoke the previous CSCA root certificate.
• After performing a CA key update with CSCA DN change, the link certificate
is not published to the directory (either to the new or old directory entry).
If you need the link certificate, you can use the ca cert list and ca cert
export commands to retrieve the CA link certificate.

Section 3
Document Signer Service section

This section provides instructions for installing and configuring the Document Signer
Service solution of products.
This section includes the following chapters:
• “Deploying the Document Signer Service” on page 163
• “Using the Signature Delivery Service from your application” on page 211
• “Using the Offline Token Creation Utility” on page 235
• “Using Verification Server” on page 263
• “Verification Server entrust-configuration.xml file” on page 287

7
Deploying the Document Signer Service
This chapter provides the steps required to deploy the Document Signer Service. The
Document Signer Service is the Document Signer component in an Entrust BAC
system.
This chapter contains the following sections:
• “Deployment overview” on page 164
• “Installing the Document Signer Service” on page 165
• “Configuring Verification Server” on page 186
• “Configuring a front-end Web server for the Signature Delivery Service” on
page 195
• “Securing access to Verification Server” on page 197
• “Configuring SSL in the Document Signer Service” on page 199
• “Restarting the Document Signer Service” on page 206
• “Verifying that the Document Signer Service started correctly” on page 208

Deployment overview
Deploying the Document Signer Service includes the following steps. Each step is
described in further detail in this chapter.
1 Install the Document Signer Service. For instructions, see “Installing the
Document Signer Service” on page 165.
2 Configure Verification Server (see “Configuring Verification Server” on
page 186).
Verification Server is a component of the Document Signer Service. Verification
Server includes the Digital Signature service. The Digital Signature service accepts
incoming XML documents from Web service clients such as Signature Delivery
Service, signs them using its signing private key, and sends a CMS signed data
object back to the requester.
Configuring Verification Server includes:
• enabling the Digital Signature service
• creating an Entrust profile for the Digital Signature service
• configuring the Digital Signature service for an ePassport system
3 (Optional.) Configure a front-end Web server for the Signature Delivery Service
For instructions, see “Configuring a front-end Web server for the Signature
Delivery Service” on page 195.
Using a front-end Web server provides more security as Signature Delivery
Service clients communicate with the Web server instead of Apache Tomcat
directly. The Web server can act as a proxy for the Apache Tomcat server, which
can be behind a firewall. Apache Tomcat is the application server used by the
Document Signer Service. Apache Tomcat is included in the Document Signer
Service installation.
4 Secure access to the Digital Signature service. For instructions, see “Securing
access to Verification Server” on page 197. The Digital Signature service is a
feature of Verification Server.
5 Configure SSL in the Document Signer Service. For instructions, see “Configuring
SSL in the Document Signer Service” on page 199).
6 Restart the Document Signer Service. For instructions, see “Restarting the
Document Signer Service” on page 206.

Installing the Document Signer Service
This section describes how to install the Document Signer Service on supported
operating systems.
You must install the Document Signer Service components on the following servers:
• Server 1: Offline Token Creation Utility Server
This server requires online access to Security Manager. This server can be the
Security Manager server.
The Offline Token Creation Utility is required only if Verification Server will
not have online access to Security Manager. The Profile Creation Utility can
generate the Entrust profile for Verification Server if it has online access to
Security Manager.
• Server 2: Verification Server, Profile Creation Utility, and Offline Token
Creation Utility Client
The Offline Token Creation Utility is required only if Verification Server will
not have online access to Security Manager. The Profile Creation Utility can
generate the Entrust profile for Verification Server if it has online access to
Security Manager.
• Server 3: Signature Delivery Service
Optionally, you can install the Signature Delivery Service on the same server
as Verification Server.

This section contains the following procedures:
• “To install the Document Signer Service on Windows” on page 165
• “To install the Document Signer Service on Linux” on page 178

To install the Document Signer Service on Windows


1 Download the Document Signer Service installer.
a Log in to Windows as an administrator with sufficient privileges to perform
the installation.
b Log in to Entrust Datacard TrustedCare. You should have received an email
from Entrust that included:
– instructions about accessing the download page
– your user ID and password required to access the download page
c Browse to the Document Signer Service 9.0 product page.
d Download the latest Windows installer file. For example:
DocumentSignerService_9.0.10_Win.exe
2 Double-click the installer to begin the installation.

3 The Document Signer Service installation wizard appears. Click Next.

4 The Choose Install Set dialog box appears.

a Select one of the following options:
– To install the Offline Token Creation Utility server component, select
Offline Token Creation Utility Server.
– To select which components you want to install, select Custom.
b Click Next to continue.

5 If you selected Custom to select which component you want to install, another
Choose Install Set page appears.

a Select which components you want to install.
b Click Next to continue.

6 The Choose Install Folder page appears.

a Enter an installation path for Document Signer Service, or click Choose to
select an existing folder. By default, Document Signer Service is installed in
the following folder:
C:\Program Files\Entrust\DocumentSignerService
b Click Next to continue.

7 If you are installing Verification Server, the Get User Input: Verification Server
dialog box appears.

a In the CA Host field, enter the IP address or DNS name of the server hosting
Security Manager. For example:
domain.example.com
b In the CA CMP Port field, enter the CMP port of Security Manager (default
829).
c In the Directory Host field, enter the IP address or DNS name of the server
hosting the Security Manager directory. For example:
ldap.example.com
d In the Directory LDAP Port field, enter the LDAP port of the Security
Manager directory (default 389).
e Click Next to continue.

8 If you are installing Verification Server, the Get User Input: Verification Server
Demo dialog box appears.

You can configure demonstration mode with the installer. For demonstration
mode, the installer will modify some configuration files to allow you to start
Verification Server using sample Entrust profiles (EPF files).

Attention:
Do not use the sample profiles in a production system. Many people know the
password and therefore have access to the private keys for the profiles.

a If you want to configure demonstration mode, select Demo Mode.
b Click Next to continue.

9 If you are installing the Signature Delivery Service, the Get User Input: Signature
Delivery Service dialog box appears.

a In the VS Host field, enter the IP address or DNS name of the server hosting
Verification Server. For example:
domain.example.com
If you are installing the Signature Delivery Service on the same server as
Verification Server, you can keep the default value localhost.
b In the VS Port field, enter the Verification Server port (default 8080).
By default, Verification Server uses port 8080. If Verification Server uses a
front-end Web server to forward requests, enter the port used by the Web
server.
c Click Next to continue.

10 If you are installing the Offline Token Creation Utility server component, the Get
User Input: Offline Token Creation Utility Server dialog box appears.

a In the CA Host field, enter the IP address or DNS name of the server hosting
Security Manager. For example:
domain.example.com
If you are installing the Offline Token Creation Utility server component on
the same server as Security Manager, you can keep the default value
localhost.
b In the CA CMP Port field, enter the CMP port of Security Manager (default
829).
c Click Next to continue.

11 If you are installing the Profile Creation Utility or Verification Server, the License
Agreement: Profile Creation Utility and Verification Server page appears.

a Select I accept the terms of the License Agreement.


b Click Next to continue.

12 If you are installing the Signature Delivery Service, the License Agreement:
Signature Delivery Service page appears.

a Select I accept the terms of the License Agreement.


b Click Next to continue.

13 If you are installing the Signature Delivery Service, the License Agreement:
Offline Token Creation Utility page appears.

a Select I accept the terms of the License Agreement.


b Click Next to continue.

14 The Pre-Installation Summary page appears.

a Check all your settings.


If you need to change anything, click Previous to return to that screen and
make your changes.
b Click Install to install Verification Server.
The Installing Document Signer Service page appears. The progress bar displays
the progress of the installation.
After Document Signer Service is installed, an Install Complete page appears.

15 Click Done in the final screen to close the installer.
You have successfully installed the Document Signer Service.

To install the Document Signer Service on Linux


1 If you are using FTP to transfer the Document Signer Service software file to your
Linux machine, set the transfer method to binary.
2 Download the Document Signer Service installer.
a Log in to Entrust Datacard TrustedCare. You should have received an email
from Entrust that included:
– instructions about accessing the download page
– your user ID and password required to access the download page
b Browse to the Document Signer Service 9.0 product page.
c Download the latest Linux installer. For example:
DocumentSignerService_9.0.10_Lin.bin
3 On a command line, navigate to the directory where you saved the Document
Signer Service installer.
4 Switch to the root user. Only the root user can install Document Signer Service.

5 Change the permissions of the installer to be executable. For example:
chmod +x DocumentSignerService_9.0.10_Lin.bin
6 Run the Document Signer Service installer. For example:
./DocumentSignerService_9.0.10_Lin.bin

Note:
You can quit the installation at any time by pressing Ctrl+C.

The launcher is installed and prepares to install Document Signer Service:


Preparing to install...
Extracting the JRE from the installer archive...
Unpacking the JRE...
Extracting the installation resources from the installer
archive...
Configuring the installer for this system's environment...
Launching installer...
==================================================================
Entrust Document Signer Service (created with InstallAnywhere)
------------------------------------------------------------------
Preparing CONSOLE Mode Installation...
7 The Document Signer Service installation wizard appears:
Introduction
------------
InstallAnywhere will guide you through the installation of Entrust
Document Signer Service.
It is strongly recommended that you quit all programs before
continuing with this installation.
Respond to each prompt to proceed to the next step in the
installation. If you want to change something on a previous step,
type 'back'.
You may cancel this installation at any time by typing 'quit'.
PRESS <ENTER> TO CONTINUE:
Press Enter to continue.
8 The installer prompts you to select an install set:
Choose Install Set
------------------
Please choose the Install Set to be installed by this installer.
->1- Typical
2- Offline Token Creation Utility Server

3- Customize...
ENTER THE NUMBER FOR THE INSTALL SET, OR PRESS <ENTER> TO ACCEPT
THE DEFAULT :
• To install the Offline Token Creation Utility server component, enter 2.
• To select which components you want to install, enter 3.
The Typical option installs Verification Server and the Profile Creation Utility, and
is intended for non-ePassport environments.
9 If you chose to select which components you want to install, the installer prompts
you to select the components you want to install:
Choose Product Features
-----------------------
ENTER A COMMA_SEPARATED LIST OF NUMBERS REPRESENTING THE FEATURES
YOU WOULD LIKE TO SELECT, OR DESELECT. TO VIEW A FEATURE'S
DESCRIPTION, ENTER '?<NUMBER>'. PRESS <RETURN> WHEN YOU ARE DONE:
1- [X] Profile Creation Utility
2- [X] Verification Server
3- [ ] Signature Delivery Service
4- [ ] Offline Token Creation Utility Client
5- [ ] Offline Token Creation Utility Server
Please choose the Features to be installed by this installer.:
Features currently selected to install are marked with an X.
a To view a description of a component, enter a question mark (?) followed by
the component’s number. For example, to view the description for the Profile
Creation Utility, enter ?1.
b To choose which components you want to install, enter a comma-separated
list of which components you want to select and remove from the list.
If you enter a number for a component that is currently selected (marked
with an X), it will be removed from the list. If you enter a number for a
component that is currently deselected, it will be added to the list.
By default, the Profile Creation Utility (1) and Verification Server (2) are
already selected.
Examples:
– If you want to install the Profile Creation Utility (1), Verification Server (2),
Signature Delivery Service (3), and Offline Token Creation Utility Client (4),
enter:
3,4
The Profile Creation Utility (1) and Verification Server (2) are already
selected. This adds the Signature Delivery Service (3), and Offline Token
Creation Utility Client (4) to the list.

– If you want to install only the Signature Delivery Service (3), enter:
1,2,3
This removes the Profile Creation Utility (1) and Verification Server (2) from
the list of features to install, and adds the Signature Delivery Service (3).
10 The installer prompts you for the installation folder:
Choose Install Folder
---------------------
Where would you like to install?
Default Install Folder: /opt/entrust/DocumentSignerService
ENTER AN ABSOLUTE PATH, OR PRESS <ENTER> TO ACCEPT THE DEFAULT :
Enter the path where you want to install the Document Signer Service, or press
Enter to accept the default installation folder:
/opt/entrust/DocumentSignerService
11 If you are installing Verification Server, the installer prompts you for information
required for Verification Server to connect to the Certification Authority (CA) and
its directory server:
Get User Input: Verification Server
-----------------------------------
Enter the requested information for the Certification Authority
server and Directory server:
a The installer prompts you to provide the CA host:
CA Host (Default: localhost):
Enter the IP address or DNS name of the server hosting Security Manager.
For example:
domain.example.com
b The installer prompts you for the CMP port:
CA CMP Port (Default: 829):
Enter the CMP port of Security Manager (default 829).
c The installer prompts you for the directory host:
Directory Host (Default: localhost):
Enter the IP address or DNS name of the server hosting the Security Manager
directory. For example:
ldap.example.com
d The installer prompts you for the directory port:
Directory LDAP Port (Default: 389):
Enter the LDAP port of the Security Manager directory (default 389).
12 If you are installing Verification Server, the installer asks if you want to configure
demonstration mode:

Get User Input: Verification Server Demo
----------------------------------------
Select Demo Mode if you want to configure demonstration mode. For
demonstration mode, two configuration files will be altered that
will allow you to start the application using sample Entrust
Profiles (EPF files). Do not use these sample profiles in a
production system under any circumstances. Many people know the
password of the sample profiles and have access to their private
keys.
1 /opt/entrust/DocumentSignerService/VerificationServer9.0.0/conf/security/entrust.ini
2 /opt/entrust/DocumentSignerService/VerificationServer9.0.0/webapps/tomcat/verificationserver/WEB-INF/classes/entrust-configuration.xml

->1- Production Mode


2- Demo Mode
ENTER THE NUMBER FOR YOUR CHOICE, OR PRESS <ENTER> TO ACCEPT THE
DEFAULT::
You can configure demonstration mode with the installer. For demonstration
mode, the installer will modify some configuration files to allow you to start
Verification Server using sample Entrust profiles (EPF files).

Attention:
Do not use the sample profiles in a production system. Many people know the
password and therefore have access to the private keys for the profiles.

• To configure production mode, enter 1. You must create your own Entrust
profiles to use Verification Server.
• To configure demonstration mode, enter 2.
13 If you are installing the Signature Delivery Service, the installer prompts you for
information required for the Signature Delivery Service to connect to Verification
Server:
Get User Input: Signature Delivery Service
------------------------------------------
Enter the requested information for Verification Server:
a The installer prompts you to provide the Verification Server host:
VS Host (Default: localhost):
Enter the IP address or DNS name of the server hosting Verification Server.
For example:

domain.example.com
If you are installing the Signature Delivery Service on the same server as
Verification Server, you can keep the default value localhost.
b The installer prompts you for the Verification Server port:
VS Port (Default: 829):
Enter the Verification Server port (default 8080).
By default, Verification Server uses port 8080. If Verification Server uses a
front-end Web server to forward requests, enter the port used by the Web
server.
14 If you are installing the Offline Token Creation Utility Server component, the
installer prompts you for information required for the Offline Token Creation
Utility Server to connect to the Certification Authority (CA) server:
Get User Input: Offline Token Creation Utility Server
-----------------------------------------------------
Enter the requested information for the Certification Authority
server:
a The installer prompts you to provide the CA host:
CA Host (Default: localhost):
Enter the IP address or DNS name of the server hosting Security Manager.
For example:
domain.example.com
If you are installing the Offline Token Creation Utility Server component on
the same server as Security Manager, you can keep the default value
localhost.
b The installer prompts you for the CMP port:
CA CMP Port (Default: 829):
Enter the CMP port of Security Manager (default 829).
15 The installer prompts you to accept the license agreement:
License Agreement: Summary
--------------------------
ATTENTION: THIS IS A LICENSE, NOT A SALE. THIS SOFTWARE IS
PROVIDED UNDER THE FOLLOWING LICENSE THAT DEFINES WHAT YOU MAY DO
WITH THE SOFTWARE AND CONTAINS LIMITATIONS ON REPRESENTATIONS,
WARRANTIES, CONDITIONS, REMEDIES, AND LIABILITIES. IF YOU
OBTAINED THIS SOFTWARE IN THE UNITED STATES, "ENTRUST" SHALL MEAN
ENTRUST, INC. IF YOU OBTAINED THIS SOFTWARE OUTSIDE OF THE UNITED
STATES, "ENTRUST" SHALL MEAN ENTRUST DATACARD LIMITED.
"AFFILIATES" OF ENTRUST SHALL MEAN ALL CORPORATIONS OR OTHER
ENTITIES CONTROLLED DIRECTLY OR INDIRECTLY BY ENTRUST HOLDINGS
INC.

->1- View Entire License Agreement
2- Accept License and Continue
3- Exit the Installation Program
ENTER THE NUMBER OF THE DESIRED CHOICE, OR PRESS <ENTER> TO ACCEPT
THE DEFAULT:
• To view the entire license agreement, enter 1.
The installer displays the first page of the license agreement. The installer
displays the license agreement by pages. Press Enter to display the next page
of the license agreement. Keep pressing Enter until you have read the entire
license agreement.
When you reach the end of the license agreement, the following prompt
appears:
DO YOU ACCEPT THE TERMS OF THIS LICENSE AGREEMENT? (Y/N):
– If you accept the terms of the license agreement, enter y.
– If you do not accept the terms of the license agreement, enter n.
The installer warns you that you must accept the license agreement to
install the Document Signer Service, and then prompts you to accept the
license agreement:
Warning! If you do not accept the terms of the License Agreement
you will not be allowed to continue with this installation.
DO YOU ACCEPT THE TERMS OF THIS LICENSE AGREEMENT? (Y/N):
To reject the license agreement and exit the installer, enter n. Otherwise,
enter y to accept the license agreement and continue installing the
Document Signer Service.
• To accept the license agreement and continue with the installation, enter 2.
• To exit the installer without installing the Document Signer Service, enter 3.
16 The installer displays a summary of the options you chose. For example:
Pre-Installation Summary
------------------------
Please Review the Following Before Continuing:
Product Name:
Entrust Document Signer Service
Install Folder:
/opt/entrust/DocumentSignerService
Link Folder:
DO NOT INSTALL
Disk Space Information (for Installation Target):
Required: 222,459,705 Bytes
Available: 10,712,854,528 Bytes

PRESS <ENTER> TO CONTINUE:
Press Enter to continue.
17 The installer asks if you want to proceed with the installation:
Ready To Install
----------------
InstallAnywhere is now ready to install Entrust Document Signer
Service onto your system at the following location:
/opt/entrust/DocumentSignerService
PRESS <ENTER> TO INSTALL:
Press Enter to install the Document Signer Service.
18 The Document Signer Service is installed to your server. A progress indicator
displays the progress of the installation:
Installing...
-------------
[==================|==================|==================]
[------------------|------------------

19 When the installation is finished, a success message appears:


Installation Complete
---------------------
Congratulations. Entrust Document Signer Service has been
successfully installed to:
/opt/entrust/DocumentSignerService
To start | stop the application use cmd:
service DSSTomcatService start | stop
PRESS <ENTER> TO EXIT THE INSTALLER:
Press Enter to exit the installer.
20 Enter the following command to reload the systemd manager configuration:
systemctl daemon-reload
After reloading the systemd manager configuration, you can use Linux
commands to start, stop, and display the status of the service.
You have successfully installed the Document Signer Service.

Configuring Verification Server
You must make the following configuration changes to Verification Server before you
can begin to use the Document Signer Service:
• “Configuring the Verification Server entrust.ini file” on page 186
• “Enabling the Digital Signature service” on page 189
• “Adding a user entry to Security Manager for the Digital Signature service”
on page 189
• “Creating an Entrust profile and Server Login credentials for the Digital
Signature service” on page 191
• “Configuring the Digital Signature service” on page 192

Configuring the Verification Server entrust.ini file


Verification Server includes an entrust.ini file. The Profile Creation Utility uses this
entrust.ini file when creating the Entrust profile and Server Login credentials.
You must configure this entrust.ini file before you create an Entrust profile for the
Digital Signature service, a service provided by Verification Server.

To configure the Verification Server entrust.ini file


1 Log in to the server hosting Entrust Authority Document Signer Service with the
Verification Server component.
2 Open the Verification Server entrust.ini file in a text editor. The entrust.ini
file is located in the following folder:
<DSS-install>/VerificationServer<version>/conf/security
Where <DSS-install> is the Document Signer Service installation folder,
typically:
C:/Program Files/Entrust/DocumentSignerService/VerificationServer<version>/conf/security
or
/opt/entrust/DocumentSignerService/VerificationServer<version>/conf/security
3 Under the following section:
[Entrust Settings]
Configure the following settings:
• Authority=
This setting specifies the host (IPv4 address or DNS name) and CMP port of
the Security Manager server.

This setting was configured when you installed Verification Server.
For example:
Authority=securitymanager.example.com+829
If Verification Server is configured offline from Security Manager and the
LDAP directory, leave this setting blank.
• Server=
This setting specifies the host (IPv4 address or DNS name) and LDAP port of
the Security Manager directory.
This setting was configured when you installed Verification Server.
For example:
Server=ldap.example.com+389
If you have multiple LDAP servers, you can specify more than one host and
port number. Separate each address with a comma. For example:
Server=ldap1.example.com+389,ldap2.example.com+389

Note:
If you specify more than one address and port number in the Server= setting,
each address must point to redundant instances of the same directory server.
Each address must reference the primary directory server or mirror instances of
the primary directory server.

If the first address does not respond within the time specified by the
DirectoryOperationTimeLimit setting, Verification Server tries to connect
using the second address, and so on.
Once Verification Server has connected to an LDAP-compliant directory, it
does not try to connect to any other directory in the list for the duration of
the session.
If Verification Server is configured offline from Security Manager and the
LDAP directory, leave this setting blank.
• DefaultProfileLocation=
This setting specifies the default profile location. This setting is used by the
Profile Creation Utility.
By default:
DefaultProfileLocation=C:/Program Files/Entrust/DocumentSignerService/VerificationServer<version>/conf/security
or
DefaultProfileLocation=/opt/entrust/DocumentSignerService/VerificationServer<version>/conf/security
It is recommended that you keep the default value.
• (Linux only.) CryptokiV2Library=
This setting is required if you will store the Entrust profile on a hardware
device. This setting specifies the full path to the location of the PKCS#11
library.
For example:
CryptokiV2Library=/usr/vendor1/bin/device1.so
If you installed Verification Server on Windows, or if you will store the Entrust
profile on software, leave this setting blank.
• (Windows only.) CryptokiV2LibraryNT=
This setting is required if you will store the Entrust profile on a hardware
device. This setting specifies the full path to the location of the PKCS#11
library.
For example:
CryptokiV2LibraryNT=C:\Program Files\vendor1\device1.dll
If you installed Verification Server on Linux, or if you will store the Entrust
profile on software, leave this setting blank.
4 Under the following section:
[Directory Connection Settings]
Configure the following settings:
• DirectoryConnectTimeLimit=
This setting specifies the length of time (in seconds) to wait for a connection
operation to the LDAP directory to succeed. If no response from the directory
is received within this time period, the attempt to connect is aborted and the
user will log in without access to the directory.
By default:
DirectoryConnectTimeLimit=30
• DirectoryOperationTimeLimit=
This setting specifies the time (in seconds) that the directory has to respond
when a client application attempts to connect to the host server. Once a
client application has connected to a server, it will not attempt to connect to
any other server for the duration of that session.
By default:
DirectoryOperationTimeLimit=30
5 Save and close the file.
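The host+port syntax, the multi-server Server= list and the platform-specific PKCS#11 library settings above are easy to get subtly wrong. The following Python check is an added example (not part of Entrust's product): it parses a constructed entrust.ini and reports the inconsistencies this procedure warns about. The sample values and the exact rules it enforces are assumptions drawn from the settings listed in this procedure.

```python
"""Added example, not Entrust code: sanity-check a Verification Server entrust.ini.

Rules applied, taken from the procedure above: Authority= and Server= use the
host+port form (Server= may list several redundant LDAP instances separated by
commas, or both may be blank for an offline deployment); only the PKCS#11
library setting for the host platform is set; the directory time limits are
positive integers. All sample values below are constructed.
"""
import configparser
import re

# host is a DNS name or IPv4 address, port is numeric, joined with "+"
_HOST_PORT = re.compile(r"^(?P<host>[A-Za-z0-9.-]+)\+(?P<port>\d{1,5})$")

# Constructed sample: Linux host, HSM-backed profile, two redundant LDAP servers.
SAMPLE_INI = """
[Entrust Settings]
Authority=securitymanager.example.com+829
Server=ldap1.example.com+389,ldap2.example.com+389
DefaultProfileLocation=/opt/entrust/DocumentSignerService/VerificationServer9.0.0/conf/security
CryptokiV2Library=/usr/vendor1/bin/device1.so
CryptokiV2LibraryNT=

[Directory Connection Settings]
DirectoryConnectTimeLimit=30
DirectoryOperationTimeLimit=30
"""


def parse_host_port(value):
    """Return (host, port) for a 'host+port' string, or raise ValueError."""
    m = _HOST_PORT.match(value.strip())
    if not m:
        raise ValueError(f"expected host+port, got {value!r}")
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {value!r}")
    return m.group("host"), port


def check_entrust_ini(text, platform="linux"):
    """Return a list of problems; an empty list means the settings look consistent.

    platform is 'linux' or 'windows', the OS of the Verification Server host.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names case-sensitive, as written in the file
    cp.read_string(text)
    problems = []

    es = cp["Entrust Settings"] if cp.has_section("Entrust Settings") else {}
    authority = es.get("Authority", "").strip()
    server = es.get("Server", "").strip()

    # Offline deployment: both blank is valid. Otherwise both must be set and parse.
    if authority or server:
        if not authority:
            problems.append("Authority= is blank but Server= is set")
        if not server:
            problems.append("Server= is blank but Authority= is set")
        for label, entries in (("Authority", [authority]), ("Server", server.split(","))):
            for entry in filter(None, (e.strip() for e in entries)):
                try:
                    parse_host_port(entry)
                except ValueError as err:
                    problems.append(f"{label}= {err}")

    # Only the PKCS#11 library for this platform may be set (and only for an HSM).
    lib_linux = es.get("CryptokiV2Library", "").strip()
    lib_win = es.get("CryptokiV2LibraryNT", "").strip()
    if lib_linux and lib_win:
        problems.append("only one of CryptokiV2Library= / CryptokiV2LibraryNT= may be set")
    if platform == "linux" and lib_win:
        problems.append("CryptokiV2LibraryNT= must be blank on Linux")
    if platform == "windows" and lib_linux:
        problems.append("CryptokiV2Library= must be blank on Windows")
    if lib_linux and not lib_linux.endswith(".so"):
        problems.append("CryptokiV2Library= should name a .so PKCS#11 library")
    if lib_win and not lib_win.lower().endswith(".dll"):
        problems.append("CryptokiV2LibraryNT= should name a .dll PKCS#11 library")

    # Time limits are in seconds and must be positive integers.
    dcs = (cp["Directory Connection Settings"]
           if cp.has_section("Directory Connection Settings") else {})
    for key in ("DirectoryConnectTimeLimit", "DirectoryOperationTimeLimit"):
        raw = dcs.get(key, "").strip()
        if not raw.isdigit() or int(raw) <= 0:
            problems.append(f"{key}= must be a positive integer, got {raw!r}")
    return problems
```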

Enabling the Digital Signature service
Verification Server includes a service called the Digital Signature service. The Digital
Signature service accepts incoming XML documents from Web service clients such as
Signature Delivery Service, signs them using its signing private key, and sends a CMS
signed data object back to the requester.
Verification Server includes services other than the Digital Signature service that are
enabled by default, but are not supported in an ePassport Document Signer Service
solution. To enable only the Digital Signature service required for ePassport, you must
make changes to the web.xml file used by Verification Server.
Complete the following procedure to enable the Digital Signature service, and disable
the Timestamp and XKMS Certificate Validation services.

To enable the Digital Signature service in Verification Server


1 Log in to the server hosting Entrust Authority Document Signer Service with the
Verification Server component.
2 Browse to the following location:
<DSS-install>/VerificationServer<version>/webapps/tomcat/webapps/verificationserver/WEB-INF/
Where <DSS-install> is the Document Signer Service installation folder,
typically:
C:/Program Files/DocumentSignerService/VerificationServer<version>/webapps/tomcat/verificationserver/WEB-INF/
or
/opt/entrust/DocumentSignerService/VerificationServer<version>/webapps/tomcat/verificationserver/WEB-INF/
3 Rename web.xml to web.xml.old.
4 Rename digsig_only_web.xml to web.xml.

Adding a user entry to Security Manager for the Digital Signature service
The Digital Signature service requires an Entrust profile. Before you can create a
profile for the Digital Signature service, you must create a user entry in Security
Manager for the profile. You can use Security Manager Administration to create a
user entry for the Digital Signature service.
For more information about creating or adding users with Security Manager
Administration, see the Security Manager Administration User Guide.

To create a user entry in Security Manager for the Digital Signature service
1 Log in to Security Manager Administration.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
d Leave Create profile deselected. You will use the Profile Creation Utility or
Offline Token Creation Utility to create the profile.
4 Click the General tab, and then complete the following.
a From the User role drop-down list, select End User.
b Under User group(s), select All groups. By default, this option should already
be selected.
5 Click the Certificate Info tab, and then complete the following:
a For Category, select Enterprise.
b For Type, select ePassport - Document Signer
For information about the ePassport - Document Signer certificate type, see
“Customizing Document Signer certificates” on page 138.
6 Click OK.
7 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
Security Manager Administration displays the reference number and
authorization code required to create the Digital Signature service profile.
8 Record the authorization code and reference number. You need these activation
codes to generate the profile.
9 Proceed to “Creating an Entrust profile and Server Login credentials for the
Digital Signature service” on page 191.

Creating an Entrust profile and Server Login credentials for the
Digital Signature service
The Digital Signature service requires an Entrust profile and Server Login credentials.
Server Login allows the Digital Signature service to log in to the Entrust profile
without outside intervention.

Note:
If you are storing the Entrust profile on a hardware security module (HSM),
ensure you have installed and configured your HSM according to the instructions
provided by your HSM vendor. You must initialize the HSM before creating an
Entrust profile on it. You may also want to test the HSM installation to ensure the
hardware is operational. HSM vendors typically provide a utility you can use to
test the HSM. See your token vendor’s documentation for more information.

To create the Entrust profile and Server Login credentials:


1 Create an Entrust profile for the Digital Signature service using one of the
following utilities:
• If Verification Server has network connectivity to Security Manager, create an
Entrust profile using the Profile Creation Utility.
For instructions, see the Document Signer Service Verification Server Guide.
The Profile Creation Utility can create the profile on a hardware token, or as
an EPF file on software.
When creating an Entrust profile, the Profile Creation Utility can also create
the required Server Login credentials.
• If Verification Server does not have network connectivity to Security
Manager, create an Entrust profile using the Offline Token Creation Utility.
For instructions, see “Using the Offline Token Creation Utility” on page 235.
The Offline Token Creation Utility can only create the profile on a hardware
token.
2 Use the Profile Creation Utility to create the Server Login credentials. For
instructions, see Document Signer Service Verification Server Guide.
If you used the Profile Creation Utility to create the Entrust profile, you may have
already created the Server Login credentials.
After creating an Entrust profile and Server Login credentials for the Digital Signature
service, proceed to “Configuring the Digital Signature service” on page 192.

Configuring the Digital Signature service
Complete the following procedure to configure Verification Server to connect to a
hardware token.
For more information about configuring the entrust-configuration.xml file, see
“Verification Server entrust-configuration.xml file” on page 287.

To configure Verification Server to connect to a hardware token


1 Log in to the server hosting Entrust Authority Document Signer Service with the
Verification Server component.
2 Open the Verification Server entrust-configuration.xml file in an XML or text
editor. You can find the file in the following location:
<DSS-install>/VerificationServer<version>/webapps/tomcat/verificationserver/WEB-INF/classes
3 Under the main <global> section, locate the <entrust-ini> element to ensure
it contains the correct file path to the entrust.ini. By default:
<entrust-ini>file:///C:\Program Files\Entrust\DocumentSignerService/VerificationServer9.0.0/conf/security/entrust.ini</entrust-ini>
or
<entrust-ini>file:////opt/entrust/DocumentSignerService/VerificationServer9.0.0/conf/security/entrust.ini</entrust-ini>
4 Locate the section for the Digital Signature service. The section begins with the
following lines:
<!-- Digital signature service -->
<digsig>
<global>
5 Locate the settings for the Digital Signature server credentials:
<!-- Digital signature server credentials -->
<entrust-credential>
<!-- Profile filename -->
<profile>file:///C:\Program Files\Entrust\DocumentSignerService/VerificationServer9.0.0/conf/security/digsig.epf</profile>
<!-- Unattended login filename -->
<ual>file:///C:\Program Files\Entrust\DocumentSignerService/VerificationServer9.0.0/conf/security/digsig.ual</ual>
<!-- Profile password, used if ual not present -->
<!-- profile-password>changeme</profile-password -->
<!-- Hardware Security Module slot number -->
<!-- hsm-slot>1</hsm-slot -->

</entrust-credential>
a If the Entrust profile for the Digital Signature service is an EPF file stored on
software, ensure that the <profile> setting provides the full path and file
name to the EPF. For example:
<profile>file:////opt/entrust/DocumentSignerService/VerificationServer9.0.0/conf/security/digsig.epf</profile>
or
<profile>file:///C:\Program Files\Entrust\DocumentSignerService/VerificationServer9.0.0/conf/security/digsig.epf</profile>
The path must begin with file:///.
b If the Entrust profile for the Digital Signature service is stored on hardware,
comment out the <profile> setting. For example:
<!-- profile>file:////opt/entrust/DocumentSignerService/VerificationServer9.0.0/conf/security/digsig.epf</profile -->
Do not comment out this setting if the Entrust profile is an EPF file stored on
software.
c Ensure that the <ual> setting has the correct path and file name for the
Server Login credentials (digsig.ual). For example:
<ual>file:///C:\Program Files\Entrust\DocumentSignerService/VerificationServer9.0.0/conf/security/digsig.ual</ual>
or
<ual>file:////opt/entrust/DocumentSignerService/VerificationServer9.0.0/conf/security/digsig.ual</ual>
d If the Entrust profile for the Digital Signature service is stored on hardware,
uncomment the <hsm-slot> setting and change the value to the HSM slot
number that contains the profile for the Digital Signature service.
For example:
<hsm-slot>10</hsm-slot>
Do not uncomment this setting if the Entrust profile is an EPF file stored on
software.
6 In the <cms> settings for the Digital Signature service:
a Change
<digest-method>sha256</digest-method>
to match the key pair algorithm configured in the Document Signer Policy
(see “Customizing Document Signer certificates” on page 138). For
example, sha1 for RSA-1024 or sha256 for RSA-2048. If the policy uses DSA,
you must use sha1 as your digest method.
Possible values are: sha1, sha224, sha256, sha384, or sha512.

b Change
<include-ca-cert>true</include-ca-cert>
to
<include-ca-cert>false</include-ca-cert>
You must change this option to false to include only the Document Signer
certificate in the Document Security Object.
c Change
<rsa-pss-enabled>false</rsa-pss-enabled>
to
<rsa-pss-enabled>true</rsa-pss-enabled>
You must change this option to true to ensure that your Document Signer
can generate and verify RSASSA-PSS signatures.
7 In the <xml> settings for the Digital Signature service, change:
<digest-method>sha256</digest-method>
to match the key pair algorithm configured in the Document Signer Policy (see
“Customizing Document Signer certificates” on page 138). For example, sha1
for RSA-1024 or sha256 for RSA-2048. If the policy uses DSA, you must use sha1
as your digest method.
Possible values are: sha1, sha224, sha256, sha384, or sha512.
8 Save and close the file.
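The following pre-deployment check is an added example; it is not part of this guide or of the Entrust product. It reads the Digital Signature settings edited in steps 5 to 7 and reports the combinations those steps rule out: an active <profile> together with an active <hsm-slot> (or neither), a digest method that is not a valid value or does not match the Document Signer Policy key algorithm, include-ca-cert left at true, and rsa-pss-enabled left at false. Only the element names come from the steps above; the <digsig> wrapper element, the policy-to-digest table and both sample files are assumptions.

```python
"""Pre-deployment check for the Digital Signature settings edited in
steps 5 to 7 above. Added example, not Entrust code: the element names come
from the guide, but the <digsig> wrapper, the policy-to-digest table and both
sample files are assumptions."""
import xml.etree.ElementTree as ET

ALLOWED_DIGESTS = {"sha1", "sha224", "sha256", "sha384", "sha512"}
# Digest the guide pairs with each Document Signer Policy key algorithm.
POLICY_DIGEST = {"RSA-1024": "sha1", "RSA-2048": "sha256", "DSA": "sha1"}

# Constructed sample: profile on an HSM, so <profile> is commented out and
# <hsm-slot> is active, and the <cms> options are set as steps 6b and 6c say.
HSM_CONFIG = """<digsig>
  <!-- profile>file:////opt/entrust/DocumentSignerService/VerificationServer9.0.0/conf/security/digsig.epf</profile -->
  <ual>file:////opt/entrust/DocumentSignerService/VerificationServer9.0.0/conf/security/digsig.ual</ual>
  <hsm-slot>10</hsm-slot>
  <cms>
    <digest-method>sha256</digest-method>
    <include-ca-cert>false</include-ca-cert>
    <rsa-pss-enabled>true</rsa-pss-enabled>
  </cms>
  <xml><digest-method>sha256</digest-method></xml>
</digsig>"""

# Constructed sample with the shipped defaults left in place plus an
# <hsm-slot> that was uncommented although the profile is a software EPF.
BAD_CONFIG = """<digsig>
  <profile>file:////opt/entrust/DocumentSignerService/VerificationServer9.0.0/conf/security/digsig.epf</profile>
  <ual>file:////opt/entrust/DocumentSignerService/VerificationServer9.0.0/conf/security/digsig.ual</ual>
  <hsm-slot>10</hsm-slot>
  <cms>
    <digest-method>sha385</digest-method>
    <include-ca-cert>true</include-ca-cert>
    <rsa-pss-enabled>false</rsa-pss-enabled>
  </cms>
  <xml><digest-method>sha1</digest-method></xml>
</digsig>"""


def _text(root, path):
    """Text of the first element at `path`, or None if it is absent or commented out."""
    el = root.find(path)
    return el.text.strip() if el is not None and el.text else None


def check_digsig_config(xml_text, policy_key_alg="RSA-2048"):
    """Return a list of findings; an empty list means the settings are consistent.

    policy_key_alg is the key pair algorithm of the Document Signer Policy
    (RSA-1024, RSA-2048 or DSA) that the digest method has to match.
    """
    root = ET.fromstring(xml_text)
    findings = []

    # A commented-out element is invisible to the parser, so None below
    # means the setting is still (or again) commented out.
    profile, hsm_slot = _text(root, "profile"), _text(root, "hsm-slot")
    if profile is None and hsm_slot is None:
        findings.append("neither <profile> nor <hsm-slot> is active: no signing key location")
    if profile is not None and hsm_slot is not None:
        findings.append("<profile> and <hsm-slot> are both active; exactly one must be")
    if hsm_slot is not None and not hsm_slot.isdigit():
        findings.append("<hsm-slot> must be a numeric slot id, got %r" % hsm_slot)
    if _text(root, "ual") is None:
        findings.append("<ual> (path to the Server Login credentials) is missing")

    expected = POLICY_DIGEST.get(policy_key_alg.upper())
    for section in ("cms", "xml"):
        digest = _text(root, section + "/digest-method")
        if digest not in ALLOWED_DIGESTS:
            findings.append("<%s><digest-method> %r is not a valid value" % (section, digest))
        elif expected and digest != expected:
            findings.append("<%s><digest-method> is %s but policy %s calls for %s"
                            % (section, digest, policy_key_alg, expected))

    if _text(root, "cms/include-ca-cert") != "false":
        findings.append("<cms><include-ca-cert> must be false so that only the "
                        "Document Signer certificate is in the Document Security Object")
    if _text(root, "cms/rsa-pss-enabled") != "true":
        findings.append("<cms><rsa-pss-enabled> must be true for RSASSA-PSS signatures")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hsm", HSM_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_digsig_config(cfg) or "OK")
```

Read the Digital Signature configuration file you just edited and pass its contents to check_digsig_config, together with the key algorithm of the Document Signer Policy; run it again before restarting whenever the policy changes, since a digest that no longer matches the key algorithm is only noticed at signing time.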

Configuring a front-end Web server for the
Signature Delivery Service
The Signature Delivery Service is a component of the Document Signer Service.
Apache Tomcat is the application server used by the Signature Delivery Service.
Apache Tomcat is included in the Document Signer Service installation.
For added security, you can use a Web server as a front-end to the Signature Delivery
Service. Using a front-end Web server provides more security as Signature Delivery
Service clients communicate with the Web server instead of Apache Tomcat directly.
The Web server can act as a proxy for the Apache Tomcat server, which can be behind
a firewall.
Configuring the Web server requires downloading and installing a supported Tomcat
connector (also known as a Web server plug-in), and then mapping the Web server
and Apache Tomcat to each other. The connector allows requests for application
server resources to be redirected from the Web server to the application server.

To install and configure Apache HTTP Server as a front-end for the Signature
Delivery Service
1 From the Apache HTTP Server Project Web site (http://httpd.apache.org),
download and install a supported version of Apache HTTP Server, including
OpenSSL.
For supported Linux operating systems, Linux may include a native Apache HTTP
Server and OpenSSL that you can install.
2 Download the latest binary release of the mod_jk.so module (Tomcat connector)
for your operating system supplied by the Apache Software Foundation
(http://tomcat.apache.org/download-connectors.cgi). For Windows operating
systems, the binary release is packaged in a ZIP file.
The Document Signer Service is a 64-bit application. Ensure you download the
64-bit (x86_64) version of the Tomcat connector.
3 Extract the mod_jk.so file from the ZIP package.
4 Copy mod_jk.so into the Apache HTTP Server /modules directory. For example:
C:/Apache24/modules
or
/usr/lib64/httpd/modules
5 Create a new file called workers.properties in the Apache HTTP Server /conf
directory. For example:
C:/Apache24/conf
or

/etc/httpd/conf
6 Add the following lines to the workers.properties file you just created:
worker.list=ajp13
worker.ajp13.host=<Tomcat host>
worker.ajp13.port=8009
worker.ajp13.type=ajp13
Where <Tomcat host> is the IPv4 address or DNS name of the Apache Tomcat
server. Make sure that the AJP port (8009) on the Tomcat host is reachable
only from the Web server; by default Tomcat accepts AJP connections from any
host that can reach the port.
7 Open the Apache HTTP Server httpd.conf file in a text editor.
8 At the end of the LoadModule section, add the following lines:
LoadModule jk_module modules/mod_jk.so
JkMount /sds ajp13
JkMount /sds/* ajp13
JkWorkersFile conf/workers.properties
9 Save and close the file.
10 Restart Apache HTTP Server.
11 To test the connection, enter the following URL in a browser:
http://localhost/sds
The index page appears.
12 To test the health of the servlet, enter the following URL in a browser:
http://localhost/sds/servlets/SDSServlet
If the Signature Delivery Service status is healthy, an SDS Health Status:
HEALTHY message will appear.
13 Update the SDS.ini file as necessary (for example, the URL of Verification Server,
a preferred log level and file path, and so forth). See “Configuring the Signature
Delivery Service” on page 212 for more information.
14 After updating the SDS.ini file, restart the following:
• Apache HTTP Server
• Apache Tomcat
For instructions, see “Restarting the Document Signer Service” on page 206.
15 Test using the included sample client, which provides three levels of SSL
authentication. For more details, see the Readme.txt for the sample client:
/opt/entrust/DocumentSignerService/SignatureDeliveryService<version>/samples/sampleclient/Readme.txt
You successfully deployed the Signature Delivery Service.

Securing access to Verification Server
Verification Server includes a service called the Digital Signature service. The Digital
Signature service accepts incoming XML documents from Web service clients such as
Signature Delivery service, signs them using its signing private key, and sends a CMS
signed data object back to the requester.
For a digital signature to be meaningful and to adequately bind the identity
associated with the Digital Signature service to the signed data, you must ensure that
only authorized users or processes can request and receive digital signatures.
One way to control access is to deploy the Digital Signature service within a protected
network and allow it to accept all requests coming from within this trust community.
A more sophisticated approach is to create an access control policy for the URL where
the Digital Signature service is deployed, using built-in application server security.
Topics in this section:
• “Using application server security” on page 197
• “Protecting the Digital Signature service” on page 198
• “Logging user names for digital signature requests” on page 198

Using application server security


This topic describes the following configurations:
• HTTP basic user name and password authentication, and authorization using
built-in application server and Web server capabilities

Note:
HTTP basic authentication sends the user name and password Base64-encoded,
not encrypted, so this approach is vulnerable to passive eavesdropping.

• HTTPS basic user name and password authentication, and authorization


using built-in application server and Web server capabilities
SSL protects the password in transit and authenticates the server to the
client. To generate an SSL certificate, see “Configuring SSL in the Document
Signer Service” on page 199.
The Digital Signature sample clients shipped with Verification Server provide
examples of how to implement client authentication. For more information, see
“Implementing the sample client code” on page 226.
For additional information, see the Apache Tomcat documentation available from the
Apache Software Foundation Web site (http://tomcat.apache.org).

Protecting the Digital Signature service
To limit access to the Digital Signature service, you must use your Apache Tomcat
application server to create a security role and assign that role to the users who will
access the service. You then associate the security role with a security constraint that
allows only users with that role to access the Digital Signature service.
For additional information, see the Apache Tomcat documentation available from the
Apache Software Foundation Web site (http://tomcat.apache.org).
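The audit below is an added example, not Entrust or Apache Tomcat code. It shows the web.xml pieces that the two topics above describe (a security role, a security constraint that only that role may pass, HTTPS for the basic credentials, and a login method) and checks a deployment descriptor for them, reporting a constraint with no auth-constraint, a transport guarantee that lets the credentials travel in clear text, an undeclared role, and a role that no user holds. The servlet path /services/DigSig is the one in the Verification Server URL used in this guide; both descriptors and the user file are constructed, and the user check assumes Tomcat's default tomcat-users.xml realm.

```python
"""Audits a Verification Server web.xml for the access control that the
topics above describe. Added example, not Entrust or Apache code. The
servlet path /services/DigSig is the one in the Verification Server URL used
in this guide; the descriptors and user file below are constructed, and the
user check assumes Tomcat's default tomcat-users.xml realm."""
import xml.etree.ElementTree as ET

DIGSIG_PATH = "/services/DigSig"

# Hardened descriptor: a declared role, a constraint that only that role may
# pass, HTTPS required so the BASIC credentials are not exposed, and a login method.
HARDENED_WEB_XML = """<web-app>
  <security-role><role-name>digsig-client</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Digital Signature service</web-resource-name>
      <url-pattern>/services/DigSig</url-pattern>
      <url-pattern>/services/DigSig/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>digsig-client</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>Verification Server</realm-name></login-config>
</web-app>"""

# Weak descriptor: the path is named, but without an <auth-constraint> every
# caller passes, and NONE lets the credentials travel over plain HTTP.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Digital Signature service</web-resource-name>
      <url-pattern>/services/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

TOMCAT_USERS = """<tomcat-users>
  <role rolename="digsig-client"/>
  <user username="sds" password="change-me" roles="digsig-client"/>
</tomcat-users>"""


def _find(el, name):
    """Descendants of el whose local name is `name` (a real web.xml is namespaced)."""
    return [c for c in el.iter() if c.tag.rsplit("}", 1)[-1] == name]


def _texts(el, name):
    return {c.text.strip() for c in _find(el, name) if c.text and c.text.strip()}


def pattern_matches(pattern, path):
    """Servlet-spec URL pattern matching: exact, prefix (/x/*), extension (*.ext), default (/)."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-2] + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"


def audit_digsig_access(web_xml, tomcat_users_xml=None, path=DIGSIG_PATH):
    """Return findings for `path`; an empty list means only authenticated holders
    of a declared role reach it, and only over HTTPS."""
    root = ET.fromstring(web_xml)
    findings, declared, needed = [], set(), set()
    for sr in _find(root, "security-role"):
        declared |= _texts(sr, "role-name")
    covering = [c for c in _find(root, "security-constraint")
                if any(pattern_matches(p, path) for p in _texts(c, "url-pattern"))]
    if not covering:
        findings.append("no <security-constraint> covers %s" % path)
    for c in covering:
        auth = _find(c, "auth-constraint")
        roles = set().union(*(_texts(a, "role-name") for a in auth))
        if not auth:
            findings.append("constraint on %s has no <auth-constraint>: unauthenticated callers pass" % path)
        elif not roles:
            findings.append("empty <auth-constraint> on %s: no caller can pass" % path)
        needed |= roles - {"*"}
        if "CONFIDENTIAL" not in _texts(c, "transport-guarantee"):
            findings.append("transport-guarantee on %s is not CONFIDENTIAL: credentials cross the wire in clear text" % path)
    for role in sorted(needed - declared):
        findings.append("role %r is used in an auth-constraint but not declared in <security-role>" % role)
    if not _find(root, "login-config"):
        findings.append("no <login-config>: Tomcat has no way to challenge for credentials")
    if tomcat_users_xml is not None and needed:
        held = set()
        for u in _find(ET.fromstring(tomcat_users_xml), "user"):
            held |= {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        for role in sorted(needed - held):
            findings.append("no user in tomcat-users.xml holds role %r" % role)
    return findings
```

Run audit_digsig_access on the WEB-INF/web.xml of the Verification Server Web application (and on conf/tomcat-users.xml if that realm is in use) after every redeployment of the WAR file, because a redeployed descriptor silently reverts to whatever the package shipped with.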

Logging user names for digital signature requests


If a client has authenticated, the Digital Signature service retrieves the client’s user
name and adds the user name to the audit log entry that records the digital signature
request. If the user has not authenticated, only the user’s IP address is logged with
the request.

Configuring SSL in the Document Signer
Service
If you want to encrypt communications between the various components for
increased security, you must configure Secure Sockets Layer (SSL). You must
configure SSL on both Apache Tomcat and Apache HTTP Server. Configuring SSL
requires that you obtain an SSL certificate for each server.
You can use the following Entrust products to obtain Web server (SSL) certificates:
• Entrust Authority Enrollment Server for Web
Enrollment Server for Web is a Security Manager client application that runs
on a Web server, and allows you to create Web certificates that are signed
by your own CA.
• Entrust Certificate Management Services
Entrust Certificate Management Service provides you with flexible certificate
options, auditing and reporting tools, and on-demand services for your SSL
certificate needs. To find out more, see the Web site at
http://www.entrust.net/ssl-certificate-services/managed.htm.
This section contains the following topics:
• “Configuring SSL on Apache Tomcat” on page 199
• “Configuring SSL on Apache HTTP Server” on page 201

Configuring SSL on Apache Tomcat


Apache Tomcat is the application server for Entrust Authority Document Signer
Service. To configure SSL on Apache Tomcat, you must:
1 Generate a Certificate Signing Request (CSR) for Apache Tomcat.
2 Use the CSR to obtain an SSL certificate.
3 Apply the SSL certificate to Apache Tomcat.
Complete the following procedures to configure SSL for Apache Tomcat.
For the most recent instructions for your version of Apache Tomcat, see the Apache
Tomcat documentation located on the Apache Software Foundation Web site
(http://tomcat.apache.org).

To generate a CSR for Tomcat running Signature Delivery Service


1 Log in to the server hosting Entrust Authority Document Signer Service with the
Signature Delivery Service component.
2 Open a command line.
3 Navigate to the following location:

<DSS-install>/_jvm/bin
4 Enter the following command to create a certificate keystore:
keytool -genkey -alias tomcat -keyalg RSA
and specify a password value of changeit.
5 Enter the following command to create a local certificate:
keytool -genkey -alias tomcat -keyalg RSA -keystore <your_keystore_filename>
Where <your_keystore_filename> is a keystore file name of your choosing. Use
changeit as the keystore password: the connector you add in “To apply the Web
certificate to Apache Tomcat” on page 200 does not set keystorePass, so Tomcat
opens the keystore with its default password, changeit. When keytool prompts
for your first and last name, enter the Fully Qualified Domain Name (FQDN) of
the server; that value becomes the Common Name of the certificate.
For example:
keytool -genkey -alias tomcat -keyalg RSA -keystore example_keystore
6 Enter the following command to create a CSR:
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore <your_keystore_filename>
Where <your_keystore_filename> is the name of the keystore file you entered
in the previous step. For example:
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore example_keystore
After creating the CSR, use the CSR file (certreq.csr) to obtain an SSL certificate
from a Certification Authority (CA).
After obtaining the SSL certificate, proceed to “To apply the Web certificate to
Apache Tomcat” on page 200 to apply the SSL certificate to Apache Tomcat.

To apply the Web certificate to Apache Tomcat


1 Obtain the CA certificate (from the CA that issued the SSL certificate) and
save it as cacert.crt.
2 Log in to the server hosting Entrust Authority Document Signer Service with the
Signature Delivery Service component.
3 Open a command line.
4 Navigate to the following location:
<DSS-install>/_jvm/bin
5 Import the CA key into the keystore by entering the following command:
keytool -import -trustcacerts -alias ca -file cacert.crt -keystore <your_keystore_filename>
Where <your_keystore_filename> is the name of the keystore file you created
in “To generate a CSR for Tomcat running Signature Delivery Service” on
page 199. For example:

keytool -import -trustcacerts -alias ca -file cacert.crt -keystore example_keystore
6 Import the SSL certificate into the keystore by entering the following command:
keytool -import -alias tomcat -file "<SSL_cert>" -keystore <your_keystore_filename>
Where:
• <SSL_cert> is the path and file name of the SSL certificate file (such as
C:/SSLcert.cer).
• <your_keystore_filename> is the name of the keystore file you created in
“To generate a CSR for Tomcat running Signature Delivery Service” on
page 199.
Use the same alias (tomcat) as the key pair you generated earlier. keytool
then installs the certificate as the reply for that private key; importing it
under a different alias only adds a trusted certificate entry, and Tomcat
would keep presenting the self-signed certificate.
For example:
keytool -import -alias tomcat -file "C:/SSLcert.cer" -keystore example_keystore
7 Open the following file in a text editor:
<DSS-install>/apache-tomcat-8.0.28/conf/server.xml
8 Add the following setting:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="<your_keystore_filename>" />
Where <your_keystore_filename> is the name of the keystore file you created
in “To generate a CSR for Tomcat running Signature Delivery Service” on
page 199. The connector does not set keystorePass, so Tomcat opens the
keystore with its default password, changeit; if you protected the keystore
with another password, add keystorePass="<password>" to the connector.
clientAuth="false" means that clients are not asked for a certificate: the
server is authenticated to clients, and clients are authenticated as described
in “Securing access to Verification Server” on page 197.
For example:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="example_keystore" />
9 Save and close the file.

Configuring SSL on Apache HTTP Server


To configure SSL on Apache HTTP Server, you must:
1 Generate a Certificate Signing Request (CSR) for Apache HTTP Server.
2 Use the CSR to obtain an SSL certificate.
3 Apply the SSL certificate to Apache HTTP Server.
Complete the following procedures to configure SSL for Apache HTTP Server.

For the most recent instructions for your version of Apache HTTP Server, see the
Apache HTTP Server documentation located on the Apache HTTP Server Project Web
site (http://httpd.apache.org/).

To generate a CSR on Apache HTTP Server


1 (Windows only.) Set the OPENSSL_CONF environment variable to the location of
the openssl.cnf file:
a Open the Windows Control Panel.
b Click System.
The System dialog box appears.
c Click Advanced System settings.
The System Properties dialog box appears.
d Click the Advanced tab.
e Click Environment Variables.
The Environment Variables dialog box appears.
f In the System variables pane, click New.
The New System Variable dialog box appears.
g In the Variable name field, enter OPENSSL_CONF.
h In the Variable value field, enter the installation location of the openssl.cnf
file. For example:
C:/Apache24/conf/openssl.cnf
i Click OK to close the New System Variable dialog box.
j Click OK to close the Environment Variables dialog box.
k Click OK to close the System Properties dialog box.
2 Open a command prompt.
3 (Windows only.) Navigate to the directory containing OpenSSL. For example:
C:/Apache24/bin
4 Enter the following command to generate a new key:
openssl genrsa -des3 -out server.key <key_size>
Where <key_size> is the bit size of the RSA key, either 1024 or 2048. For
example:
openssl genrsa -des3 -out server.key 2048
5 You are prompted to provide a pass phrase to protect the server.key file:
Enter pass phrase for server.key:

Enter a pass phrase to protect the server.key file. A strong pass phrase is at least
eight characters long, and contains at least one uppercase character, one
lowercase character, one number, and one non-alphanumeric character.
6 You are prompted to confirm the pass phrase:
Verifying - Enter pass phrase for server.key:
Enter the pass phrase again.
7 Back up the server.key file. The file is stored in the same directory as OpenSSL.
8 Enter the following commands to remove the pass phrase from server.key.
Removing the pass phrase prevents errors when starting Apache HTTP Server:
copy server.key server.key.org
openssl rsa -in server.key.org -out server.key
(On Linux, use cp instead of copy.) When prompted, provide the pass phrase you
entered in the previous steps. Because server.key is now unencrypted, restrict
its file permissions so that only the account that runs Apache HTTP Server can
read it; anyone who can read the file can impersonate the server.
9 Enter the following command to create a Certificate Signing Request (CSR):
openssl req -new -key server.key -out server.csr
You are prompted to provide information that will be incorporated into your CSR.
Enter the information as required.
When OpenSSL prompts you for the Common Name, enter the Fully Qualified
Domain Name (FQDN) of the server, exactly as clients will address it. Clients
check that name against the host name in the URL and reject the certificate
if it does not match.
You can see the details of this CSR by entering the following at the command
prompt:
openssl req -noout -text -in server.csr
10 You are prompted to provide extra attributes that will be sent with the CSR,
including a challenge password and an optional company name. Press Enter to
keep the extra attributes blank.
After creating the CSR, use the CSR file (server.csr) to obtain the SSL certificate.
The server.csr CSR file is created in the same directory as OpenSSL and server.key
file.
For a list of Entrust products you can use to obtain the SSL certificate, see
“Configuring SSL in the Document Signer Service” on page 199. After obtaining the
SSL certificate, apply the SSL certificate to Apache HTTP Server (see “To apply the
Web certificate to Apache HTTP Server” on page 203).

To apply the Web certificate to Apache HTTP Server


1 Open a command line.
2 (Windows only.) Navigate to the directory containing OpenSSL. For example:
C:/Apache24/bin
3 Enter the following command:

openssl x509 -noout -text -in <file>
Where <file> is the file containing the Web certificate. If you save the file in the
same location as the server.csr CSR file, you do not have to provide the path
to the file. For example:
openssl x509 -noout -text -in server.crt
4 Open the Apache HTTP Server httpd.conf file in a text editor.
5 On Windows:
a Locate the following line:
#LoadModule ssl_module modules/mod_ssl.so
And remove the preceding pound sign (#):
LoadModule ssl_module modules/mod_ssl.so
This line may already be uncommented.
b Locate the following line:
#Include conf/extra/httpd-ssl.conf
And remove the preceding pound sign (#):
Include conf/extra/httpd-ssl.conf
c Save and close the file.
6 Open the Apache HTTP Server httpd-ssl.conf or ssl.conf file in a text editor.
7 Locate the following line:
Listen 443
The default SSL port is 443. If you need to use another port for SSL, enter a
different port number.
8 Locate the SSLCertificateFile setting. For example:
SSLCertificateFile "C:/Apache24/bin/server.crt"
If required, change the value to the full path and file name of the Web server
certificate file. Use forward slashes (/) in the file path.
9 Locate the SSLCertificateKeyFile setting. For example:
SSLCertificateKeyFile "C:/Apache24/bin/server.key"
If required, change the value to the full path and file name of the server.key
file. Use forward slashes (/) in the file path.
10 Locate the SSLSessionCache setting. For example:
SSLSessionCache "shmcb:C:/Apache24/logs/ssl_scache(512000)"
11 Locate the following line:
SSLPassPhraseDialog builtin
And comment out the line by preceding it with a pound sign (#):
#SSLPassPhraseDialog builtin

12 Save and close the file.
13 Restart Apache HTTP Server.
You successfully applied the Web certificate to Apache HTTP Server.

Restarting the Document Signer Service
You need to restart the Apache Tomcat application server whenever you modify one
of the configuration files or deploy an ePassport WAR file.

To start or stop the Document Signer Service on Linux


1 Open a terminal.
2 To stop the Document Signer Service, enter:
systemctl stop DSSTomcatService
3 To start the Document Signer Service, enter:
systemctl start DSSTomcatService
4 To display the status of the Document Signer Service, enter:
systemctl status DSSTomcatService
For information about verifying that the Document Signer Service started
correctly, see “Verifying that the Document Signer Service started correctly” on
page 208.

To start or stop the Document Signer Service on Windows using a command line
1 Open a Command Prompt as administrator by right-clicking Start > Command
Prompt (Admin).
2 To stop the Document Signer Service, enter:
net stop DSSTomcatService
3 To start the Document Signer Service, enter:
net start DSSTomcatService
For information about verifying that the Document Signer Service started
correctly, see “Verifying that the Document Signer Service started correctly” on
page 208.

To start or stop the Document Signer Service on Windows using the Services
administrative tool
1 Open the Services administrative tool:
• On Windows Server 2016, select Start > Windows Administrative Tools >
Services.
• On Microsoft Windows Server 2012 R2, click Start, then click the down
arrow to access Apps, then click Services.

When sorting by name or category, Services is listed under Administrative
Tools.
The Services dialog box appears.
2 Select Entrust Document Signer Service.

Note:
Do not click Restart or Apache Tomcat may fail to start properly. Always stop and
then start Apache Tomcat.

3 To stop the Document Signer Service, click Stop.


4 To start the Document Signer Service, click Start.
For information about verifying that the Document Signer Service started
correctly, see “Verifying that the Document Signer Service started correctly” on
page 208.

Verifying that the Document Signer Service
started correctly
After starting Verification Server, you can verify that Verification Server started
correctly by looking at the Apache Tomcat logs, Verification Server logs, and
Signature Delivery Service logs.
If any errors occur in the logs during startup, repair all errors and restart the
Document Signer Service.

To verify that Apache Tomcat started correctly


1 Open the Apache Tomcat log file:
• On Windows:
<DSS-install>/apache-tomcat-8.0.28/logs/dsstomcatservice-stderr.<date>
Where <date> is the date that Apache Tomcat was started. For example:
dsstomcatservice-stderr.2017-09-12
• On Linux:
<DSS-install>/apache-tomcat-8.0.28/logs/catalina.out
2 Verify that no errors are in the logs leading up to a successful server startup. For
example:
INFO: Server startup in 81337 ms
If Verification Server and Signature Delivery Service are installed on separate servers,
you must verify the Apache Tomcat logs on both servers.

To verify that Verification Server started correctly


1 Open the Verification Server log file in a text editor. By default, the Verification
Server log file is in the following location:
<DSS-install>/VerificationServer<version>/logs/webservices.log
2 Verify that no errors are in the logs leading up to a successful Digital Signature
service self-test. For example:
[2017-09-12 19:59:31-0400][INFO ][dsig_ws][][localhost-startStop-1][] self-test successful
Some warnings may be expected. You will see warnings if you are using
demonstration profiles.

To verify that Signature Delivery Service started correctly
1 Open the Signature Delivery Service log file in a text editor. By default, the
Signature Delivery Service log file is in the following location:
<DSS-install>/SignatureDeliveryService<version>/logs/SDS.log
2 Verify that no errors or warnings are in the logs leading up to a successful
Signature Delivery Service self-test. For example:
[INFO ] 2017-09-12 19:59:40.384 [localhost-startStop-1] SDSServletSelfTest - self-test successful

8
Using the Signature Delivery Service from your application
This chapter explains how to connect your MRTD issuance system application to the
Signature Delivery Service.
This chapter contains the following topics:
• “Configuring the Signature Delivery Service” on page 212
• “Configuring Signature Delivery Service logging” on page 216
• “Message processing” on page 219
• “Message format” on page 220
• “Signature Delivery Service health query” on page 225
• “Implementing the sample client code” on page 226

Configuring the Signature Delivery Service
The Signature Delivery Service is a Web application hosted on an application server
that acts as a J2EE servlet container.
When deployed, the Signature Delivery Service looks for the SDS.ini file. The
SDS.ini file determines how the Signature Delivery Service processes incoming
messages.
You can find the SDS.ini file in the following location:
<DSS-install>/SignatureDeliveryService<version>/webapps/tomcat/signaturedeliveryservice/WEB-INF/conf
The following table describes each of the SDS.ini file settings and provides the
default where appropriate.
If you make any changes to the file, you must restart the Document Signer Service
for the changes to take effect. See “Restarting the Document Signer Service” on
page 206 for instructions about restarting the Document Signer Service.

Table 5: SDS.ini file settings

Setting Required Description


VerificationServerAddress Yes Sets the URL where requests must be sent to on
Verification Server. A typical Verification Server URL is:
http://<server>:<port>/verificationserver/services/DigSig
Where:
• <server> is the DNS name or IP address of the
server where Verification Server is deployed.
If Verification Server and Signature Delivery Service
are on the same server, you can use localhost.
• <port> is the port number of Verification Server.
The default port number for Verification Server is
8080.
If Verification Server is using a front-end Web
server, use the port number of the Web server.
For example:
http://domain.example.com:8080/verificationserver/services/DigSig

VerificationServerURN Yes Sets the SOAP namespace of the Digital Signature
Web service.
Note: You should never have to change the default
value of urn:Entrust-DigSig.
If there is any doubt, retrieve the name from the
Verification Server's WSDL. It is available through the
index page.
A typical index page URL is:
http://<server>:<port>/verificationserver/index.html
Where:
• <server> is the DNS name or IP address of the
server where Verification Server is deployed.
If Verification Server and Signature Delivery Service
are on the same server, you can use localhost.
• <port> is the port number of Verification Server.
The default port number for Verification Server is
8080.
If Verification Server is using a front-end Web
server, use the port number of the Web server.
For example:
http://domain.example.com:8080/verificationserver/index.html
The relevant message or operation within the WSDL
file is rfc2630Sign.
The default value is urn:Entrust-DigSig.
VerificationServerUseSoap No Controls whether the Signature Delivery Service
communicates with Verification Server using Apache
Axis2, or legacy SOAP.
Permitted values:
• true to use legacy SOAP.
• false to use Axis2.
The default value is false.

useLDSv1.8 No Controls whether to use ICAO LDS version 1.8. ICAO
LDS 1.8 adds an optional signed attribute, containing
the LDS and Unicode version information.
Permitted values:
• true to use ICAO LDS 1.8.
• false to use ICAO LDS 1.7.
The default value is false.
MandatoryDataGroups No Provides a comma-delimited list of Logical Data
Structure (LDS) data groups (1-16) that must be
present in the request.
No default.
OptionalDataGroups No Provides a comma-delimited list of Logical Data
Structure (LDS) data groups (1-16). If the list is present
in the request, it is sent to the Verification Server for
signing.
No default.
IncludeSignedData No Indicates whether the input Logical Data Structure
(LDS) is encapsulated in the response. Valid values
include:
• 1 (yes or true)
• 0 (no or false)
By default, the input LDS data is included in the
resulting digital signature.
The default value is 1.
IncludeTimeStamp No Indicates whether the resulting digital signature is
time-stamped in accordance with RFC3161. Valid
values include:
• 1 (yes or true)
• 0 (no or false)
By default, the digital signature is not time-stamped.
The default value is 0.

eContentTypeOID No Sets the eContentType OID to Logical Data Structure
Security Object (2.23.136.1.1.1), as per ICAO
specification 9303 v6 (LDS v1.7).
If specified, the request sent to Verification Server will
contain the provided OID that sets the eContentType
in the request.
If not set, it uses the default OID 2.23.136.1.1.1.
The default is 2.23.136.1.1.1.
VerificationServerTimeout No Sets the amount of time in seconds that Signature
Delivery Service waits for a response from Verification
Server before reporting an error condition.
If the setting is absent, it defaults to 60 seconds.
The default value is 25.
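The checker below is an added example, not Entrust code. It reads an SDS.ini and applies the constraints from Table 5 before the Document Signer Service is restarted: the required VerificationServerAddress must be an http(s) URL (and plain http to another host is flagged, since the signing requests then travel unencrypted), data group lists must name groups 1 to 16 with no group listed as both mandatory and optional, the flag settings must be 1 or 0, the eContentType OID must be dotted decimal, and the timeout must be a positive number of seconds. The guide does not show the file syntax, so plain key=value lines are assumed; both sample files are constructed, and accepting yes/true and no/false as synonyms for 1 and 0 is an assumption taken from the bracketed values in the table.

```python
"""Checks an SDS.ini against the constraints in Table 5 before the Document
Signer Service is restarted. Added example, not Entrust code. The guide does
not show the file syntax, so plain key=value lines are assumed, and both
sample files are constructed."""
from urllib.parse import urlparse

DEFAULT_URN = "urn:Entrust-DigSig"
DEFAULT_OID = "2.23.136.1.1.1"
# Table 5 lists 0/1 and, in brackets, yes/true and no/false; treating the
# latter as accepted synonyms is an assumption.
FLAG_VALUES = {"0", "1", "true", "false", "yes", "no"}

GOOD_INI = """# constructed sample: SDS and Verification Server on one host
VerificationServerAddress=http://localhost:8080/verificationserver/services/DigSig
VerificationServerURN=urn:Entrust-DigSig
VerificationServerUseSoap=false
useLDSv1.8=true
MandatoryDataGroups=1,2
OptionalDataGroups=3,7,11
IncludeSignedData=1
IncludeTimeStamp=0
eContentTypeOID=2.23.136.1.1.1
VerificationServerTimeout=25
"""

BAD_INI = """# constructed sample with the mistakes the checker should catch
MandatoryDataGroups=1,2,17
OptionalDataGroups=2,3
IncludeSignedData=maybe
VerificationServerTimeout=abc
"""


def parse_ini(text):
    """Return {setting: value}; blank lines and #/; comment lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def _data_groups(value, name, findings):
    """Parse a comma-delimited LDS data group list, rejecting anything outside 1-16."""
    groups = set()
    for item in (i.strip() for i in value.split(",") if i.strip()):
        if item.isdigit() and 1 <= int(item) <= 16:
            groups.add(int(item))
        else:
            findings.append("%s: %r is not an LDS data group (1-16)" % (name, item))
    return groups


def check_sds_ini(text):
    """Return a list of findings; an empty list means every setting is usable."""
    s = parse_ini(text)
    findings = []

    addr = s.get("VerificationServerAddress")
    if not addr:
        findings.append("VerificationServerAddress is required")
    else:
        url = urlparse(addr)
        if url.scheme not in ("http", "https") or not url.netloc:
            findings.append("VerificationServerAddress %r is not an http(s) URL" % addr)
        elif url.scheme == "http" and url.hostname not in ("localhost", "127.0.0.1"):
            findings.append("VerificationServerAddress uses plain http to another host;"
                            " signing requests travel unencrypted")

    if s.get("VerificationServerURN", DEFAULT_URN) != DEFAULT_URN:
        findings.append("VerificationServerURN is not %s; confirm it against the WSDL" % DEFAULT_URN)
    for key in ("VerificationServerUseSoap", "useLDSv1.8"):
        if s.get(key, "false").lower() not in ("true", "false"):
            findings.append("%s must be true or false" % key)

    mandatory = _data_groups(s.get("MandatoryDataGroups", ""), "MandatoryDataGroups", findings)
    optional = _data_groups(s.get("OptionalDataGroups", ""), "OptionalDataGroups", findings)
    if mandatory & optional:
        findings.append("data groups %s are listed as both mandatory and optional"
                        % sorted(mandatory & optional))

    for key in ("IncludeSignedData", "IncludeTimeStamp"):
        if s.get(key, "0").lower() not in FLAG_VALUES:
            findings.append("%s must be 1 or 0" % key)

    oid = s.get("eContentTypeOID", DEFAULT_OID)
    if not all(part.isdigit() for part in oid.split(".")):
        findings.append("eContentTypeOID %r is not a dotted-decimal OID" % oid)

    timeout = s.get("VerificationServerTimeout", "25")
    if not timeout.isdigit() or int(timeout) == 0:
        findings.append("VerificationServerTimeout must be a positive number of seconds")
    return findings
```

Run check_sds_ini on the SDS.ini from the WEB-INF/conf directory named at the start of this topic; because the service only reads the file at startup, a mistake that this check would catch otherwise shows up as a failed self-test or a rejected request after the restart.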

Configuring Signature Delivery Service logging
Logging can help troubleshoot issues when using the Signature Delivery Service. You
can customize the log file settings for the Signature Delivery Service. You can
configure the following log settings:
• the log file name and location
• the level of messages recorded in the file
• the maximum size the log file can reach before a new log file is created
• the number of old log files to retain

Note:
The Signature Delivery Service uses Apache Log4j 2 as its logging mechanism.
The following procedure provides some guidance about configuring the default
logging settings for the Signature Delivery Service. For more complete
information about configuring Log4j 2, see the Apache Log4j 2 documentation.

To configure Signature Delivery Service logging


1 Log in to the server hosting Entrust Authority Document Signer Service with the
Signature Delivery Service component.
2 Open the Signature Delivery Service log4j2.xml file in a text editor. The file is in
the following location:
<DSS-install>/SignatureDeliveryService<version>/webapps/tomcat/signaturedeliveryservice/WEB-INF/classes
3 To change the path or file name of the log files:
a Locate the <RollingFile> element. For example:
<RollingFile name="RollingFile-Appender"
fileName="/opt/entrust/DocumentSignerService/SignatureDeliveryService9.0.0/logs/SDS.log"
filePattern="/opt/entrust/DocumentSignerService/SignatureDeliveryService9.0.0/logs/SDS.log.-%d{yyyy-MM-dd}-%i.log">
b The fileName attribute controls the full path and file name of the current
Signature Delivery Service log file. It is recommended that you do not change
the path or file name.
c The filePattern attribute controls the full path and file name of old
(rolled-over) Signature Delivery Service log files. It is recommended that you
do not change the path or file name.

By default, when the current log file reaches a certain size, the log file is
renamed and the next log messages are written (rolled over) to a new file.
It is strongly recommended that you do not change or remove the pattern
.-%d{yyyy-MM-dd}-%i.log from the file name. %d{yyyy-MM-dd} is the date on
which the log file was rolled over, and %i is a counter that distinguishes
files rolled over on the same day.
4 To change how often the log files are rolled over:
a Under <RollingFile>, locate the <Policies> section. By default:
<Policies>
<TimeBasedTriggeringPolicy />
<SizeBasedTriggeringPolicy size="10 MB" />
</Policies>
b The <TimeBasedTriggeringPolicy> element controls how often the log file is
rolled over based on time.
By default, the element has no interval attribute, so Log4j 2 uses the most
specific unit of the date pattern in filePattern (%d{yyyy-MM-dd}) and rolls
the file over once a day. It is recommended that you do not modify this
element.
c The <SizeBasedTriggeringPolicy> element controls the maximum size of
the active log file before rolling over the log file. Change the value of the
size= attribute if required. For example, 10 KB or 10 MB.
5 To change how many log files are kept:
a Under <RollingFile>, locate the <DefaultRolloverStrategy> element. By
default:
<DefaultRolloverStrategy max="30" />
b The max= attribute controls the maximum number of log files to keep.
Change the value if required.
6 To change the logging level:
a Under <Loggers>, locate the <Root> section. By default:
<Loggers>
    <Root level="info">
        <AppenderRef ref="RollingFile-Appender" />
    </Root>
</Loggers>
b The level= attribute controls the logging level. Change the value if required.
The logging level can be one of (in increasing severity) debug, info, warn,
error, or fatal. This sets the lowest level of message to show. For example,
warn provides messages of warn, error and fatal status.
7 Save and close the file.

You do not need to restart the Document Signer Service. The changes are applied
immediately.

Message processing
Figure 9 illustrates the message sequence for a request to Signature Delivery
Service to sign the Logical Data Structure Security Object (SOLDS).

Figure 9: Message flow

Message format
This topic explains the format of the XML request and response documents that pass
between the printing and personalization system and Signature Delivery Service. The
error format is also included.
This topic includes:
• “Request format” on page 220
• “Response format” on page 222
• “Error format” on page 223

Request format
Signature Delivery Service is a Web application that receives requests as XML
documents. The content-type of the data should be set to text/xml.
As illustrated in Figure 9 on page 219, the printing and personalization (or other
external) system makes an HTTP (or HTTPS) POST request to Signature Delivery
Service with the XML request as the contents of the request. Signature Delivery
Service handles the request and passes it along to Verification Server for signing. The
signed Logical Data Structure Security Object (SOLDS) is referred to as the Document
Security Object (SOD). After Verification Server signs the SOLDS, it returns the SOD
to Signature Delivery Service. Signature Delivery Service packages the SOD into an
XML document and returns it to the caller.
The Signature Delivery Service message consists of the SOD data encapsulated in an
XML document.

Note:
A sample XML document is available in the /sampleclient folder for the
Signature Delivery Service and is named SDSv3Req.xml. The /sampleclient
folder also contains an XML schema file named SDSv3.xsd that you can use to
generate client code.

The following is a sample request. In this sample, the request sends the Logical
Data Structure Security Object (SOLDS) as separate data groups. Requests to the
Signature Delivery Service can also send the SOLDS as a single Base64-encoded
string.
<SDSMSG TYP="REQ" ID="9EAFF983A3FC3B211AE3">
    <PERSIST>
        <ANYTHING>
            <REQSRC LOC="ONTARIO" OFFICE="5A"/>
        </ANYTHING>
    </PERSIST>
    <LD>
        <DG1>...Base64 Encoded Data Group 1...</DG1>
        <DG2>...Base64 Encoded Data Group 2...</DG2>
        <DG11>...Base64 Encoded Data Group 11...</DG11>
        <DG12>...Base64 Encoded Data Group 12...</DG12>
    </LD>
</SDSMSG>
In this sample request, only data groups 1, 2, 11, and 12 are to be signed.
The following table describes the data elements in the request.

Table 6: Signature Delivery Service request message format

Data element   Description

SDSMSG         Represents the top-level element in the document. It contains the LD
               child element and, optionally, a PERSIST child element. It also
               contains the following two attributes:
               • TYP - use REQ
               • ID - an arbitrary request ID assigned by the requester. This ID is
                 echoed back in the response.

PERSIST        Represents an optional child element of the SDSMSG top-level
               element. If present, this element and any children are included in the
               response. Signature Delivery Service does not process the contents
               of this element.

LD             Represents a mandatory child element of the top-level SDSMSG
               element. It must contain one of the following:
               • the individual data groups to be signed
                 Each data group to be signed must be included as a child element
                 (from DG1 to DG16). The Signature Delivery Service builds the
                 Logical Data Structure Security Object (SOLDS) from these data
                 groups. The preceding example shows a sample request with
                 individual data groups to be signed.
               • a pre-built Logical Data Structure Security Object (SOLDS)
                 The Logical Data Structure Security Object must be a
                 Base64-encoded string containing a valid ASN.1 byte string.

DG1-DG16       Lists each data group from 1-16. The content of each element is the
               Base64-encoded representation of the actual data group data.
               Each data group element can include a hashed attribute. This
               attribute indicates whether the provided value is already hashed. For
               example:
               <DG1 hashed="true">
               Permitted values:
               • true to indicate that the data group value provided is already
                 hashed.
               • false to indicate that the data group value is not hashed. The
                 Signature Delivery Service will hash the value.
               If the hashed attribute is not included, it defaults to false (the
               Signature Delivery Service will hash the value).
               Note: If you send the entire unsigned Logical Data Structure Security
               Object (SOLDS) in the request, do not include data groups.

Response format
The Signature Delivery Service response consists of the signed data groups
encapsulated in an XML document.

Note:
A sample XML document is available in the /sampleclient folder for the
Signature Delivery Service and is named SDSv3Req.xml. The /sampleclient
folder also contains an XML schema file named SDSv3.xsd that you can use to
generate client code.

The following is a sample response:
<SDSMSG ID="9EAFF983A3FC3B211AE3" TYP="RESP">
    <PERSIST>
        <ANYTHING>
            <REQSRC LOC="ONTARIO" OFFICE="5A" />
        </ANYTHING>
    </PERSIST>
    <SDSINFO IP="192.0.2.0" TI="GMT 2013-01-24 15:28:39" TO="GMT 2013-01-24 15:29:06" />
    <LDSO>
        <SIG>...Base64 Encoded SOD...</SIG>
    </LDSO>
</SDSMSG>
The following table describes the data elements in the response.

Table 7: Signature Delivery Service response message format

Data element   Description

SDSMSG         Represents the top-level element in the document. It contains the
               SDSINFO and LDSO child elements and, optionally, a PERSIST child
               element. It also contains the following two attributes:
               • TYP - always RESP
               • ID - the request ID copied from the request

PERSIST        Represents an optional child element of the SDSMSG top-level
               element. If present in the request, it is copied, along with any
               children, to the response.

SDSINFO        Represents a mandatory child element of the SDSMSG top-level
               element. This element carries the IP address of Signature Delivery
               Service, the time in (TI) associated with the request, and the time out
               (TO).

LDSO           Represents a mandatory child element of the SDSMSG top-level
               element. This element carries the Document Security Object, which
               is the signed Logical Data Structure Security Object.

SIG            Lists the Base64-encoded Document Security Object.

Error format
The Signature Delivery Service error response consists of an XML document.

Note:
A sample XML document is available in the /sampleclient folder for the
Signature Delivery Service and is named SDSv3Req.xml. The /sampleclient
folder also contains an XML schema file named SDSv3.xsd that you can use to
generate client code.

The following is a sample error response:
<SDSMSG ID="9EAFF983A3FC3B211AE3" TYP="RESP">
    <PERSIST>
        <ANYTHING>
            <REQSRC LOC="ONTARIO" OFFICE="5A" />
        </ANYTHING>
    </PERSIST>
    <SDSINFO IP="192.0.2.0" TI="GMT 2013-01-24 15:28:39" TO="GMT 2013-01-24 15:29:06" />
    <SDSERR COD="203" FLD="" DES="Source: SDSDigSigClient::invokeSignatureService. A SOAP fault was generated during the verification server call. SOAP Exception: code=SOAP-ENV:Client description=Error opening socket: java.net.ConnectException: Connection timed out: connect" />
</SDSMSG>
The following table describes the data elements.

Table 8: Signature Delivery Service error message format

Data element   Description

SDSMSG         Represents the top-level element in the document. In an error
               response it contains the SDSINFO and SDSERR child elements and,
               optionally, a PERSIST child element. It also contains the following
               two attributes:
               • TYP - always RESP
               • ID - the request ID copied from the request

PERSIST        Represents an optional child element of the SDSMSG top-level
               element. If present in the request, it is copied, along with any
               children, to the response.

SDSINFO        Represents a mandatory child element of the SDSMSG top-level
               element. This element carries the IP address of Signature Delivery
               Service, the time in (TI) associated with the request, and the time out
               (TO).

SDSERR         Represents a mandatory child element of the SDSMSG top-level
               element. This element carries the error code (COD), a description of
               the error (DES) and, if the error came from a particular data group,
               the identity of the data group (FLD). If the error did not result from
               processing a particular data group, the FLD attribute is blank.
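The request, response and error formats above are easy to get subtly wrong on the client side: a response whose ID does not match the request, an LD element with a data group outside DG1 to DG16, or an SDSERR document handled as if it carried a signature. The following Python is an added example, not code from the Entrust guide or its sample client. It builds an SDSMSG request from raw data groups as described in Table 6, and parses a response into the decoded SOD bytes or raises on an SDSERR element as described in Tables 7 and 8, refusing any response whose echoed ID differs from the request. The response and error documents it parses are constructed for the example, modelled on the page's samples; build_request, parse_response and SdsError are names chosen here.

```python
import base64
import xml.etree.ElementTree as ET

# Request ID taken from the page's own sample request.
REQUEST_ID = "9EAFF983A3FC3B211AE3"


def build_request(request_id, data_groups, persist=None):
    """Build an SDSMSG TYP="REQ" document (Table 6) from {dg_number: raw_bytes}.

    Raw bytes are Base64-encoded and sent without a hashed attribute, so the
    service hashes them itself (hashed defaults to false).
    """
    if not data_groups:
        raise ValueError("a request must carry at least one data group")
    root = ET.Element("SDSMSG", TYP="REQ", ID=request_id)
    if persist is not None:
        # PERSIST is opaque to the service and copied back into the response.
        ET.SubElement(root, "PERSIST").append(persist)
    ld = ET.SubElement(root, "LD")
    for number in sorted(data_groups):
        if not 1 <= number <= 16:
            raise ValueError(f"DG{number} is outside DG1..DG16")
        ET.SubElement(ld, f"DG{number}").text = (
            base64.b64encode(data_groups[number]).decode("ascii"))
    return ET.tostring(root, encoding="unicode")


def parse_request_data_groups(xml_text):
    """Decode the DG elements of a request back to {number: raw_bytes}."""
    root = ET.fromstring(xml_text)
    return {int(dg.tag[2:]): base64.b64decode(dg.text) for dg in root.find("LD")}


class SdsError(Exception):
    """Raised when the response carries an SDSERR element (Table 8)."""

    def __init__(self, code, field, description):
        super().__init__(f"SDS error {code} (FLD={field!r}): {description}")
        self.code, self.field, self.description = code, field, description


def parse_response(xml_text, expected_id):
    """Return the decoded SOD from an SDSMSG TYP="RESP" document (Table 7),
    or raise SdsError if the document is an error response (Table 8)."""
    # The document arrives over the network; production code should parse it with
    # a hardened XML parser (for example defusedxml) to reject entity expansion.
    root = ET.fromstring(xml_text)
    if root.tag != "SDSMSG" or root.get("TYP") != "RESP":
        raise ValueError("not a Signature Delivery Service response")
    if root.get("ID") != expected_id:
        # The echoed ID is the only binding between a request and its response.
        raise ValueError("response ID does not match the request ID")
    err = root.find("SDSERR")
    if err is not None:
        raise SdsError(err.get("COD"), err.get("FLD", ""), err.get("DES", ""))
    sig = root.find("LDSO/SIG")
    if sig is None or not sig.text:
        raise ValueError("response carries neither SDSERR nor LDSO/SIG")
    return base64.b64decode(sig.text.strip(), validate=True)


# Constructed response and error documents, modelled on the page's samples.
SAMPLE_SOD = b"constructed SOD bytes, not a real signature"
SDSINFO = ('<SDSINFO IP="192.0.2.0" TI="GMT 2013-01-24 15:28:39" '
           'TO="GMT 2013-01-24 15:29:06" />')
SAMPLE_RESPONSE = (
    f'<SDSMSG ID="{REQUEST_ID}" TYP="RESP">{SDSINFO}'
    f'<LDSO><SIG>{base64.b64encode(SAMPLE_SOD).decode("ascii")}</SIG></LDSO>'
    '</SDSMSG>')
SAMPLE_ERROR = (
    f'<SDSMSG ID="{REQUEST_ID}" TYP="RESP">{SDSINFO}'
    '<SDSERR COD="203" FLD="" DES="A SOAP fault was generated during the '
    'verification server call." /></SDSMSG>')

if __name__ == "__main__":
    print(build_request(REQUEST_ID, {1: b"constructed DG1", 2: b"constructed DG2"}))
    print(parse_response(SAMPLE_RESPONSE, REQUEST_ID))
    try:
        parse_response(SAMPLE_ERROR, REQUEST_ID)
    except SdsError as exc:
        print(exc)
```

Treating an ID mismatch as a hard error is deliberate: the service does not bind the SOD to the request in any other way, so a client that multiplexes requests over one connection would otherwise be able to attach a signature to the wrong document.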

Signature Delivery Service health query
The signing functionality of Signature Delivery Service uses an HTTP (or HTTPS)
POST request to the servlet URL. The servlet also supports an HTTP GET request to
the same URL to retrieve health information about itself.
An HTTP GET request to the servlet URL returns one of the following HTML
fragments.
• If the servlet is healthy:
<font color="green">
<p>SDS Health Status: <b>AVAILABLE</b></p>
</font>
• If the servlet is unhealthy and no further diagnostic information is available:
<font color="red">
<p>SDS Health Status: <b>UNAVAILABLE</b><br><br>
No health description available.
</p></font>
• If the servlet is unhealthy and further diagnostic information is available:
<font color="red">
<p>SDS Health Status: <b>UNAVAILABLE</b><br><br>
[a diagnostic message]
</p></font>
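A monitoring probe has to turn these fragments into a yes/no answer without trusting the HTML blindly. The Python below is an added example, not code from the guide: it recognises the three documented fragments, treats anything else (or a non-200 HTTP status) as unavailable so that a mangled or truncated answer never counts as healthy, and wraps the GET described above. The three fragments are the ones listed on this page; the diagnostic text in the third is a constructed stand-in, and parse_health, health_from_http and probe are names chosen for the example.

```python
import html
import re
import urllib.error
import urllib.request

# The fragments documented above; the diagnostic in the third is constructed.
HEALTHY = '<font color="green">\n<p>SDS Health Status: <b>AVAILABLE</b></p>\n</font>'
UNHEALTHY_NO_INFO = ('<font color="red">\n<p>SDS Health Status: <b>UNAVAILABLE</b>'
                     '<br><br>\nNo health description available.\n</p></font>')
UNHEALTHY_WITH_INFO = ('<font color="red">\n<p>SDS Health Status: <b>UNAVAILABLE</b>'
                       '<br><br>\nVerification Server &amp; HSM unreachable '
                       '(constructed)\n</p></font>')

_STATUS_RE = re.compile(
    r"SDS Health Status:\s*<b>(AVAILABLE|UNAVAILABLE)</b>"
    r"(?:\s*<br>\s*<br>\s*(.*?))?\s*</p>", re.S)


def parse_health(fragment):
    """Return (available, diagnostic) for an SDS health fragment.

    Anything that does not match the documented fragments is reported as
    unavailable, so the probe fails closed on unexpected content.
    """
    m = _STATUS_RE.search(fragment)
    if m is None:
        return False, "unrecognised health response"
    diagnostic = html.unescape(m.group(2).strip()) if m.group(2) else None
    return m.group(1) == "AVAILABLE", diagnostic


def health_from_http(status_code, body):
    """Combine the HTTP status with the body: a non-200 answer is unhealthy
    whatever the body says."""
    if status_code != 200:
        return False, f"HTTP {status_code}"
    return parse_health(body)


def probe(url, context=None, timeout=10):
    """Issue the GET described above and interpret the answer (needs network).
    `context` is an ssl.SSLContext for HTTPS deployments."""
    try:
        with urllib.request.urlopen(url, context=context, timeout=timeout) as resp:
            return health_from_http(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as exc:
        return False, f"HTTP {exc.code}"
    except OSError as exc:           # URLError, timeouts, refused connections
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    for fragment in (HEALTHY, UNHEALTHY_NO_INFO, UNHEALTHY_WITH_INFO):
        print(parse_health(fragment))
```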

Implementing the sample client code
The Signature Delivery Service includes a sample Java class that acts as a basic
Signature Delivery Service client. The sample takes three command line arguments:
• the URL of Signature Delivery Service; for example:
https://localhost/SDS/servlets/SDSServlet
• the name of a file containing a valid Signature Delivery Service request
• the name of a file in which to write the Signature Delivery Service response
or Signature Delivery Service error
This topic includes:
• “Client programming tasks” on page 226
• “Security concerns and safeguards” on page 227
• “ASN.1 profile for Logical Data Structure Security Object” on page 227
• “ASN.1 structure of the Document Security Object returned by Signature
Delivery Service” on page 229

Client programming tasks


The following are the major programming tasks implemented in the sample client
(error handling is not shown):
1 Establish a TLS context.
2 Create an empty KeyManager (this client will not present a TLS certificate).
3 Create a TrustManager to trust all server certificates.
4 Initialize the context with the KeyManager and the TrustManager.
5 Use the context to create an SSLSocketFactory.
6 Create a URL object using the Signature Delivery Service URL from the command
line.
7 Create an HttpsUrlConnection by opening the connection on the URL object.
8 Assign the previously created SSLSocketFactory to the HttpsUrlConnection.
9 Set the method used by HttpsUrlConnection to POST and tell it to do both
input and output.
10 Set the request property content-type to text/xml.
11 Read the input file one byte at a time and write it to the output stream of the
HttpsUrlConnection.
12 Read the input stream of the HttpsUrlConnection one byte at a time and write
it to the output file.
13 Flush and close all streams.

Security concerns and safeguards
The sample client code shown here has been simplified, and it has several deficiencies
regarding security. A production client application (the printing and personalization
system) should have more robust security. In order to ensure a high degree of security,
deploy Signature Delivery Service on a TLS-enabled Web server that requires mutual
authentication. Each client node should then be provisioned with a digital certificate
to use during client-server mutual authentication.
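The trust-all TrustManager of the sample client (step 3 of the programming tasks above) is exactly what a production printing and personalization client must not ship, because it lets any server that can intercept the connection return a forged SOD. The Python below, added here and not part of the guide or its Java sample, shows the hardened equivalent of steps 1 to 13: a TLS context that verifies the server against a chosen CA bundle, checks the host name, presents a client certificate for the mutual authentication described above, and then POSTs the XML document with content-type text/xml. The certificate and key file paths and the function names are placeholders chosen for the example; the URL is the one given on this page.

```python
import ssl
import urllib.request

SDS_URL = "https://localhost/SDS/servlets/SDSServlet"  # example URL from the guide


def make_client_context(ca_file=None, client_cert_file=None, client_key_file=None):
    """TLS context for a production Signature Delivery Service client.

    Unlike the sample's trust-all TrustManager, this verifies the server
    certificate and host name, and presents a client certificate when one is
    given so the server can enforce mutual authentication.
    """
    # PROTOCOL_TLS_CLIENT sets verify_mode=CERT_REQUIRED and check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file is not None:
        ctx.load_verify_locations(cafile=ca_file)   # trust only the deployment's CA
    else:
        ctx.load_default_certs()                    # fall back to the system store
    if client_cert_file is not None:
        # Placeholder paths: the client node's provisioned certificate and key.
        ctx.load_cert_chain(certfile=client_cert_file, keyfile=client_key_file)
    return ctx


def describe_context(ctx):
    """The settings a reviewer checks before approving the client."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def post_request(url, request_xml, ctx, timeout=30):
    """Steps 6 to 13 of the sample client: POST the XML request with
    content-type text/xml over the verified connection and return the body."""
    req = urllib.request.Request(
        url, data=request_xml.encode("utf-8"), method="POST",
        headers={"Content-Type": "text/xml"})
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Placeholder file names for the deployment's CA bundle and client credential.
    ctx = make_client_context("ca-bundle.pem", "client-cert.pem", "client-key.pem")
    print(describe_context(ctx))
    with open("SDSv3Req.xml", encoding="utf-8") as f:
        print(post_request(SDS_URL, f.read(), ctx))
```

describe_context is what to check in a code review or a unit test: verify_mode must be CERT_REQUIRED and check_hostname must be true before the client is allowed near a production Signature Delivery Service. Reading the request and response one byte at a time, as the sample does, is not a security issue but is needlessly slow; urllib buffers both directions.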

ASN.1 profile for Logical Data Structure Security Object


The Elementary File Document Security Object contains the Document Security
Object (SOD). The SOD is implemented as a SignedData type, as specified in [R14]
RFC 3369. The SOD contains the hash values of the Logical Data Structure data
groups that are in use (this structure is called the Logical Data Structure
Security Object).
The ASN.1 profile of the Logical Data Structure Security Object is outlined below:
LDSSecurityObject {iso(1) identified-organization(3) icao(ccc) mrtd(1)
    security(1) ldsSecurityObject(1)}

DEFINITIONS IMPLICIT TAGS ::=

BEGIN

-- Imports from RFC 3280 [PROFILE], Appendix A.1
IMPORTS
    AlgorithmIdentifier FROM
    PKIX1Explicit88 { iso(1) identified-organization(3) dod(6)
        internet(1) security(5) mechanisms(5) pkix(7)
        id-mod(0) id-pkix1-explicit(18) } ;

-- Constants
ub-DataGroups INTEGER ::= 16

-- Object Identifiers
id-icao OBJECT IDENTIFIER ::= {2 23 136}
id-icao-mrtd OBJECT IDENTIFIER ::= {id-icao 1}
id-icao-mrtd-security OBJECT IDENTIFIER ::= {id-icao-mrtd 1}
id-icao-ldsSecurityObject OBJECT IDENTIFIER ::= {id-icao-mrtd-security 1}

-- LDS Security Object
LDSSecurityObjectVersion ::= INTEGER {V0(0)}

DigestAlgorithmIdentifier ::= AlgorithmIdentifier

LDSSecurityObject ::= SEQUENCE {
    version LDSSecurityObjectVersion,
    hashAlgorithm DigestAlgorithmIdentifier,
    dataGroupHashValues SEQUENCE SIZE (2..ub-DataGroups) OF DataGroupHash }

DataGroupHash ::= SEQUENCE {
    dataGroupNumber DataGroupNumber,
    dataGroupHashValue OCTET STRING }

DataGroupNumber ::= INTEGER {
    dataGroup1 (1),
    dataGroup2 (2),
    dataGroup3 (3),
    dataGroup4 (4),
    dataGroup5 (5),
    dataGroup6 (6),
    dataGroup7 (7),
    dataGroup8 (8),
    dataGroup9 (9),
    dataGroup10 (10),
    dataGroup11 (11),
    dataGroup12 (12),
    dataGroup13 (13),
    dataGroup14 (14),
    dataGroup15 (15),
    dataGroup16 (16)}
END
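The profile above is small enough to encode and decode by hand, which is the best way to see what the service signs and what an inspection system checks. The following Python is an added example, not part of the Entrust guide or the sample client. It DER-encodes an LDSSecurityObject from data group digests, parses one back while enforcing the profile's constraints (version 0, 2 to 16 entries, data group numbers 1 to 16, no duplicates, no trailing bytes), and checks a data group's content against its stored hash, which is what an inspection system does after verifying the SOD signature. It is fed the eContent bytes from the SOD dump later in this section, copied from the page; the "constructed DG" inputs are made up for the demonstration, and the helper names are the example's own.

```python
import hashlib
import hmac

# Digest OIDs from the NIST sha2 arc; sha256 is the one used in the SOD dump below.
HASH_NAMES = {"2.16.840.1.101.3.4.2.1": "sha256", "2.16.840.1.101.3.4.2.2": "sha384",
              "2.16.840.1.101.3.4.2.3": "sha512"}
SHA256_OID = "2.16.840.1.101.3.4.2.1"

# eContent (the OCTET STRING under id-icao-ldsSecurityObject) of the SOD dump, copied from the page.
PAGE_ECONTENT = bytes.fromhex(
    "3081b1020100300d0609608648016503040201050030819c3025020101042072e2"
    "ac9d866c9e37abff9479e6e670c594408f9693394a74bcba0fc3f1e03d72302502"
    "010204200b7d47a3740c7c126e92fbc1f03edd29ce4f9a3c5234979ae3673be1e6"
    "e258cb302502010b042031c5f526cc47a7218f0953e00987e073b92a85ada427d5"
    "2c1c7b1ee11a351952302502010c0420cf4d0c80982f7cedb0aa7419078dd950e2"
    "929fa0ce7794646e6e7b2a366ce020")


def _tlv(tag, content):
    """DER tag-length-value; one- and two-byte long-form lengths cover this structure."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        length = bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def _integer(value):
    # Minimal non-negative DER INTEGER: the first content byte keeps its high bit clear.
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:                 # base-128 with continuation bits, big-endian
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))

def encode_lds_security_object(hashes, hash_oid=SHA256_OID):
    """DER-encode an LDSSecurityObject (version v0) from {dataGroupNumber: digest}."""
    if not 2 <= len(hashes) <= 16:
        raise ValueError("dataGroupHashValues must hold 2..16 entries")
    dg_hashes = b"".join(_tlv(0x30, _integer(n) + _tlv(0x04, hashes[n])) for n in sorted(hashes))
    alg = _tlv(0x30, _oid(hash_oid) + b"\x05\x00")  # AlgorithmIdentifier with NULL parameters
    return _tlv(0x30, _integer(0) + alg + _tlv(0x30, dg_hashes))

def build_from_data_groups(raw_groups, hash_oid=SHA256_OID):
    """Hash each raw data group (as the service does for hashed="false") and encode."""
    digests = {n: hashlib.new(HASH_NAMES[hash_oid], data).digest() for n, data in raw_groups.items()}
    return encode_lds_security_object(digests, hash_oid)

def _read(buf, pos):
    """Read one TLV starting at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def decode_lds_security_object(der):
    """Parse DER into (hash_oid, {dataGroupNumber: digest}), enforcing the profile above."""
    tag, body, end = _read(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, version, pos = _read(body, 0)
    if tag != 0x02 or version != b"\x00":
        raise ValueError("unsupported LDSSecurityObjectVersion")
    tag, alg, pos = _read(body, pos)
    oid_tag, oid_body, _ = _read(alg, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed hashAlgorithm")
    tag, dg_seq, pos = _read(body, pos)
    if tag != 0x30 or pos != len(body):
        raise ValueError("malformed dataGroupHashValues or trailing data")
    hashes, p = {}, 0
    while p < len(dg_seq):
        tag, item, p = _read(dg_seq, p)
        num_tag, num, q = _read(item, 0)
        val_tag, val, q = _read(item, q)
        n = int.from_bytes(num, "big")
        bad = (tag, num_tag, val_tag) != (0x30, 0x02, 0x04) or q != len(item)
        if bad or not 1 <= n <= 16 or n in hashes:
            raise ValueError("malformed, out-of-range or repeated DataGroupHash")
        hashes[n] = val
    if not 2 <= len(hashes) <= 16:
        raise ValueError("dataGroupHashValues size outside 2..16")
    return _decode_oid(oid_body), hashes

def data_group_matches(lds, number, raw_group):
    """Inspection-side check: does the data group's content hash to the stored value?"""
    hash_oid, hashes = lds
    digest = hashlib.new(HASH_NAMES[hash_oid], raw_group).digest()
    return hmac.compare_digest(digest, hashes[number])
```

Decoding PAGE_ECONTENT yields sha256 and data groups 1, 2, 11 and 12, matching the request sample earlier in this section, and re-encoding the decoded hashes reproduces the page's bytes exactly, which is what DER's canonical encoding guarantees and why the signature over eContent is stable.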

ASN.1 structure of the Document Security Object returned by
Signature Delivery Service
The data returned from Signature Delivery Service is the Document Security Object,
as specified in ICAO 9303.
The ASN.1 structure of the Document Security Object returned by Signature Delivery
Service is below:
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.7.2 (signedData)
[0] {
SEQUENCE {
INTEGER 3
SET {
SEQUENCE {
OBJECTIDENTIFIER 2.16.840.1.101.3.4.2.1 (sha256)
NULL
}
}
SEQUENCE {
OBJECTIDENTIFIER 2.23.136.1.1.1
(id-icao-ldsSecurityObject)
[0] {
OCTETSTRING
3081b1020100300d0609608648016503040201050030819c3025020101042072e2
ac9d866c9e37abff9479e6e670c594408f9693394a74bcba0fc3f1e03d72302502
010204200b7d47a3740c7c126e92fbc1f03edd29ce4f9a3c5234979ae3673be1e6
e258cb302502010b042031c5f526cc47a7218f0953e00987e073b92a85ada427d5
2c1c7b1ee11a351952302502010c0420cf4d0c80982f7cedb0aa7419078dd950e2
929fa0ce7794646e6e7b2a366ce020
}
}
[0] {
SEQUENCE {
SEQUENCE {
[0] {
INTEGER 2
}
INTEGER 4a01d9ef : Too long Integer. Printing in HEX.

SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.1.5
(sha256withRSAEncryption)
NULL
}
SEQUENCE {
SET {
SEQUENCE {
OBJECTIDENTIFIER 2.5.4.6 (countryName)
PrintableString 'ca'
}
}
SET {
SEQUENCE {
OBJECTIDENTIFIER 2.5.4.10
(organizationName)
PrintableString 'entrust'
}
}
SET {
SEQUENCE {
OBJECTIDENTIFIER 2.5.4.11
(organizationalUnitName)
PrintableString 'sm80e'
}
}
}
SEQUENCE {
UTCTime '090508165926Z'
UTCTime '190506184011Z'
}
SEQUENCE {
SET {
SEQUENCE {
OBJECTIDENTIFIER 2.5.4.6 (countryName)
PrintableString 'ca'
}

}
SET {
SEQUENCE {
OBJECTIDENTIFIER 2.5.4.10
(organizationName)
PrintableString 'entrust'
}
}
SET {
SEQUENCE {
OBJECTIDENTIFIER 2.5.4.11
(organizationalUnitName)
PrintableString 'sm80e'
}
}
SET {
SEQUENCE {
OBJECTIDENTIFIER 2.5.4.3 (commonName)
PrintableString 'DSS2'
}
}
}
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.1.1
(rsaEncryption)
NULL
}
BITSTRING ... : 0 unused bit(s)
}

[3] {
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 2.5.29.15 (keyUsage)
BOOLEAN TRUE
OCTETSTRING 03020780
}
SEQUENCE {
OBJECTIDENTIFIER 2.5.29.16
(privateKeyUsagePeriod)
OCTETSTRING
3022800f32303039303530383136353932365a810f323030393130303131373239
32365a
}
SEQUENCE {
OBJECTIDENTIFIER 2.5.29.35
(authorityKeyIdentifier)
OCTETSTRING
301680140719fab163d619a0a2a0583ee25ffed523064001
}
}
}
}
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.1.5
(sha256withRSAEncryption)
NULL
}
BITSTRING
0x426b63e9e874130d59b9201e4dfb3d44b5b72e0c632b037d4ffde3d2cb9d1d32
1277322e6c10c7e71038b249b3a0842ef2bd1dd3ec5226eb6e74f43c8484f1807e
a1ffda2d70832ac2299ae156b66496a024cce4bbcc6034a7a85b2eb92930de8a2c
2f49ab98163c1b74ff0498d19635e5229493a1fe87f39dd2de4c225ab360 : 0
unused bit(s)
}
}
SET {
SEQUENCE {
INTEGER 1

SEQUENCE {
SEQUENCE {
SET {
SEQUENCE {
OBJECTIDENTIFIER 2.5.4.6 (countryName)
PrintableString 'ca'
}
}
SET {
SEQUENCE {
OBJECTIDENTIFIER 2.5.4.10
(organizationName)
PrintableString 'entrust'
}
}
SET {
SEQUENCE {
OBJECTIDENTIFIER 2.5.4.11
(organizationalUnitName)
PrintableString 'sm80e'
}
}
}
INTEGER 4a01d9ef : Too long Integer. Printing in HEX.
}
SEQUENCE {
OBJECTIDENTIFIER 2.16.840.1.101.3.4.2.1 (sha256)
NULL
}
[0] {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.9.3
(contentType)
SET {
OBJECTIDENTIFIER 2.23.136.1.1.1
(id-icao-ldsSecurityObject)

}
}
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.9.5
(signingTime)
SET {
UTCTime '090513170656Z'
}
}
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.9.4
(messageDigest)
SET {
OCTETSTRING
21ab8c0a60a96a700114fff7dffc61e77a5fd1420c9bd87ef341f3c051ddf6a7
}
}
}
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.1.1
(rsaEncryption)
NULL
}
OCTETSTRING
274ab71dbdf4820e8ee73f6b4499936453cf747a513bae5543b36be027ffbe1c12
f3ee1e64646480ef3fd9633bc412d7d27f9e0886eea5539a00352f4f7e0c07946c
8bda5f79f2fe075d92381af2ac9c4a75f3309df93c0a15fbfeac609bf6746160c8
9a3010f27fa60879d6e798a4e4408383bbc3c35a707b5089397d9831af2f7c51c7
57f902f7d69057fb91f11dee1fad9fd902d263f383bd21ea3edae2736101520b04
4dcdb3d5907c44eb855eb260c9edcfcd301d78d0ffe461cd29ad45c22246d6cf47
2285f5925d9fe6cd73ca0a5e7b3dedd636adf02efb6d327ac396e8df2d440cc14f
f38de8452c79315b595b0e0dc2e748d2a2090c50ea27c39f2e
}
}
}
}
}

9 Using the Offline Token Creation Utility
This chapter provides instructions about using the Offline Token Creation Utility to
create digital IDs for Verification Server when Verification Server does not have direct
access to Security Manager.

Note:
You must initialize the HSM before creating an Entrust profile on it. You may also
want to test the HSM installation to ensure the hardware is operational. HSM
vendors typically provide a utility you can use to test the HSM. See your token
vendor’s documentation for more information.

This chapter includes:


• “Overview of using the Offline Token Creation Utility” on page 236
• “Preparing to use the Offline Token Creation Utility” on page 237
• “Configuring Offline Token Creation Utility logging” on page 244
• “Generating a signature key pair on a hardware token” on page 248
• “Recovering an offline Entrust profile on a hardware token” on page 253
• “Creating the offline Entrust profile at Security Manager” on page 258
• “Writing the Entrust profile to the hardware token” on page 260

Overview of using the Offline Token Creation Utility
Use the Offline Token Creation Utility to create or recover Entrust profiles for
Verification Server when Verification Server does not have network access to Security
Manager.

To create or recover an offline Entrust profile on a hardware token


1 Configure the Offline Token Creation Utility settings. For instructions, see
“Preparing to use the Offline Token Creation Utility” on page 237.
These settings control the behavior and output of the utility.
2 (Optional.) Configure the Offline Token Creation Utility logging settings. For
instructions, see “Configuring Offline Token Creation Utility logging” on
page 244.
Logging can help troubleshoot issues when using the Offline Token Creation
Utility.
3 Use the Offline Token Creation Utility Client:
• If creating a new Entrust profile on a token, generate a signature key pair on
the token. For instructions, see “Generating a signature key pair on a
hardware token” on page 248.
• If recovering an existing Entrust profile on a token, recover the Entrust
profile. This operation generates a new signature key pair on the token. For
instructions, see “Recovering an offline Entrust profile on a hardware token”
on page 253.
This operation creates a certificate request file.
4 Use the Offline Token Creation Utility Server to connect to Security Manager.
Security Manager processes the certificate request file and generates the Entrust
profile. For instructions, see “Creating the offline Entrust profile at Security
Manager” on page 258.
5 Use the Offline Token Creation Utility Client to write the Entrust profile to the
hardware token. For instructions, see “Writing the Entrust profile to the hardware
token” on page 260.
After you create or recover an offline Entrust profile on a token, use the Profile
Creation Utility to create Server Login credentials for the profile. For instructions, see
the Document Signer Service Verification Server Guide.

Preparing to use the Offline Token Creation Utility
Before using the Offline Token Creation Utility to put an Entrust profile on a hardware
token, you may need to configure some settings in the Offline Token Creation Utility
Client and Offline Token Creation Utility Server. These settings control the behavior
and output of the utility.
This section contains the following procedures:
• “To configure the Offline Token Creation Utility Client” on page 237
• “To configure the Offline Token Creation Utility Server” on page 241

To configure the Offline Token Creation Utility Client


1 Log in to the server hosting Entrust Authority Document Signer Service with the
Offline Token Creation Utility Client component.
2 Open the Offline Token Creation Utility Client hsmops.config file in a text editor.
The file is in the following location:
<DSS-install>/OfflineTokenCreationService<version>/config
3 Configure the following settings:

Note:
Settings in the hsmops.config file preceded by a number sign (#) are considered
comments and are ignored by the Offline Token Creation Utility. You can include
as many comments as you want in the hsmops.config file. For example, you can
add a comment for each setting to describe why you set a particular value.

Table 9: Settings in the hsmops.config file

smartcard.p11Library.default
    This setting specifies the full path and file name of the default PKCS #11
    v2.01 token interface library.
    Note: On Windows computers, use forward slashes (/) or double backslashes (\\)
    in file paths.
    For example:
    smartcard.p11Library.default = C:/Program Files/Token/pkcs11.dll
    or
    smartcard.p11Library.default = C:\\Program Files\\Token\\pkcs11.dll

smartcard.p11Library.slot.<num> (where <num> is a token slot number)
    You can repeat this setting for as many slot numbers as necessary.
    This setting specifies the full path and file name of a PKCS #11 v2.01 token
    interface library to use with a specific slot number. It overrides the global
    default for the slot indicated. Slot numbers are typically assigned by the
    hardware token software and are generally consistent, with each vendor using a
    specified range for its tokens.
    Note: On Windows computers, use forward slashes (/) or double backslashes (\\)
    in file paths.
    For example:
    smartcard.p11Library.slot.10 = C:/Program Files/Token/pkcs11.dll
    or
    smartcard.p11Library.slot.10 = C:\\Program Files\\Token\\pkcs11.dll

smartcard.preferredSigningMechanisms
    Attention: While this setting is configurable, it is recommended that you keep
    the default value.
    This setting specifies the preferred signing key algorithms.
    Default:
    smartcard.preferredSigningMechanisms = CKM_RSA_PKCS, CKM_DSA, CKM_ECDSA

hashalgorithm
    This setting specifies the hash algorithm used by the protocol encryption
    certificate.
    The Offline Token Creation Utility Client uses this hash algorithm when
    displaying the hash value for a certificate request file or Entrust profile.
    Note: The value of this setting must be the same value that is set in the
    Offline Token Creation Utility Server easmops.config file. The values must
    match so the Offline Token Creation Utility Client and Offline Token Creation
    Utility Server can display the same hash values of the certificate request
    file and Entrust profile.
    For example:
    hashalgorithm = SHA-384
    By default this setting is commented out (defaults to SHA-256).

default.selection.mainMenuChoice
    This setting specifies the menu option that is selected by default in the main
    menu.
    For example:
    default.selection.mainMenuChoice = 1
    By default this setting is commented out (defaults to option 1).

default.selection.slotSelect
    This setting specifies the token slot that is selected by default in a list of
    token slots.
    For example:
    default.selection.slotSelect = 0
    By default this setting is commented out (no token slot is selected by
    default).

default.selection.signingKeyAlgorithmChoice
    This setting specifies the menu option that is selected by default in a list
    of signature algorithms.
    For example:
    default.selection.signingKeyAlgorithmChoice = 2
    By default this setting is commented out (defaults to option 2).

default.selection.pecValidDays
    This setting specifies the default lifetime, in days, for the self-signed
    protocol encryption certificate.
    For example:
    default.selection.pecValidDays = 365
    By default this setting is commented out (defaults to 365 days).

default.selection.outputDir
    This setting specifies the default output directory when prompting a user to
    enter an output directory.
    Note: On Windows computers, use forward slashes (/) or double backslashes (\\)
    in file paths.
    For example:
    default.selection.outputDir = C:\\temp\\OTCU\\certs
    or
    default.selection.outputDir = C:/temp/OTCU/certs
    By default this setting is commented out (no default output directory is
    provided).

default.selection.doYouWantToContinue
    This setting specifies the default value when asking users if they want to
    continue.
    Permitted values:
    • y for yes.
    • n for no.
    For example:
    default.selection.doYouWantToContinue = n
    By default this setting is commented out (defaults to n).

default.selection.ecdsaNamedCurveChoice
    This setting specifies the menu option that is selected by default in a list
    of named elliptic curves.
    For example:
    default.selection.ecdsaNamedCurveChoice = 1
    By default this setting is commented out (defaults to option 1).

default.selection.useSpecifiedECParams
    This setting specifies the default value when asking users if they want to use
    specified elliptic curve domain parameters in the public key.
    Permitted values:
    • y for yes.
    • n for no.
    For example:
    default.selection.useSpecifiedECParams = n
    By default this setting is commented out (defaults to n).

4 Save and close the file.

To configure the Offline Token Creation Utility Server


1 Log in to the server hosting Entrust Authority Document Signer Service with the
Offline Token Creation Utility Server component.
2 Open the Offline Token Creation Utility Server easmops.config file in a text
editor. The file is in the following location:
<DSS-install>/OfflineTokenCreationService<version>/config
3 Configure the following settings:

Note:
Settings in the easmops.config file preceded by a number sign (#) are considered
comments and are ignored by the Offline Token Creation Utility. You can include
as many comments as you want in the file. For example, you can add a comment
for each setting to describe why you set a particular value.

Table 10: Settings in the easmops.config file

securitymanager.ip
    This setting specifies the DNS name, host name, or IPv4 address of the server
    hosting Entrust Authority Security Manager.
    For example:
    securitymanager.ip = domain.example.com
    or
    securitymanager.ip = 192.0.2.0
    This setting was configured during installation.

securitymanager.port
    This setting specifies the CMP port used by Security Manager. The default CMP
    port is 829.
    For example:
    securitymanager.port = 829
    This setting was configured during installation.

hashalgorithm
    This setting specifies the hash algorithm used by the protocol encryption
    certificate.
    The Offline Token Creation Utility Server uses this hash algorithm when
    displaying the hash value for a certificate request file or Entrust profile.
    Note: The value of this setting must be the same value that is set in the
    Offline Token Creation Utility Client hsmops.config file. The values must
    match so the Offline Token Creation Utility Client and Offline Token Creation
    Utility Server can display the same hash values of the certificate request
    file and Entrust profile.
    For example:
    hashalgorithm = SHA-384
    By default this setting is commented out (defaults to SHA-256).

default.selection.doYouWantToContinue
    This setting specifies the default value when asking users if they want to
    continue.
    Permitted values:
    • y for yes.
    • n for no.
    For example:
    default.selection.doYouWantToContinue = n
    By default this setting is commented out (defaults to n).

4 Save and close the file.

Configuring Offline Token Creation Utility logging
Before using the Offline Token Creation Utility to put an Entrust profile on a hardware
token, you may want to configure logging settings for the Offline Token Creation
Utility Client or Offline Token Creation Utility Server.
Logging can help troubleshoot issues when using the Offline Token Creation Utility.

Note:
The Offline Token Creation Utility uses Apache Log4j 2 as its logging mechanism.
The following procedures provide some guidance about configuring the default
logging settings for the Offline Token Creation Utility. For more complete
information about configuring Log4j 2, see the Apache Log4j 2 documentation.

This section contains the following procedures:


• “To configure Offline Token Creation Utility Client logging” on page 244
• “To configure Offline Token Creation Utility Server logging” on page 246

To configure Offline Token Creation Utility Client logging


1 Log in to the server hosting Entrust Authority Document Signer Service with the
Offline Token Creation Utility Client component.
2 Open the Offline Token Creation Utility Client hsmops-log4j2.xml file in a text
editor. The file is in the following location:
<DSS-install>/OfflineTokenCreationService<version>/config
3 To change the path or file name of the log files:
a Locate the <RollingFile> element. For example:
<RollingFile name="RollingFile-Appender"
fileName="/opt/entrust/DocumentSignerService/OfflineTokenCreationService9.0.0/logs/hsmops.log"
filePattern="/opt/entrust/DocumentSignerService/OfflineTokenCreationService9.0.0/logs/hsmops.log.-%d{yyyy-MM-dd}-%i.log">
b The fileName attribute controls the full path and file name of the current
Offline Token Creation Utility Client log file. Change the value if required.
c The filePattern attribute controls the full path and file name of old
(rolled-over) Offline Token Creation Utility Client log files.
By default, when the current log file reaches a certain size, the log file is
renamed and the next log messages are written (rolled-over) to a new file.

It is strongly recommended that you do not change or remove the pattern
.-%d{yyyy-MM-dd}-%i.log from the file name. This pattern is the date and
time that the log file was rolled over.
4 To change how often the log files are rolled over:
a Under <RollingFile>, locate the <Policies> section. By default:
<Policies>
<TimeBasedTriggeringPolicy />
<SizeBasedTriggeringPolicy size="10 MB" />
</Policies>
b The <TimeBasedTriggeringPolicy> element controls how long to wait
before rolling over the log file.
By default, this element has no value, so the log file is not rolled over based
on time. It is recommended that you do not modify this element.
c The <SizeBasedTriggeringPolicy> element controls the maximum size of
the active log file before rolling over the log file. Change the value of the
size= attribute if required. For example, 10 KB or 10 MB.
5 To change how many log files are kept:
a Under <RollingFile>, locate the <DefaultRolloverStrategy> element. By
default:
<DefaultRolloverStrategy max="30" />
b The max= attribute controls the maximum number of log files to keep.
Change the value if required.
6 To change the logging level:
a Under <Loggers>, locate the <Root> section. By default:
<Loggers>
<Root level="info">
<AppenderRef ref="RollingFile-Appender" />
</Root>
</Loggers>
b The level= attribute controls the logging level of the Offline Token Creation
Utility Client. Change the value if required.
The logging level can be one of (in increasing severity) debug, info, warn,
error, or fatal. This sets the lowest level of message to show. For example,
warn provides messages of warn, error and fatal status.
7 Save and close the file.

To configure Offline Token Creation Utility Server logging
1 Log in to the server hosting Entrust Authority Document Signer Service with the
Offline Token Creation Utility Server component.
2 Open the Offline Token Creation Utility Server easmops-log4j2.xml file in a text
editor. The file is in the following location:
<DSS-install>/OfflineTokenCreationService<version>/config
3 To change the path or file name of the log files:
a Locate the <RollingFile> element. For example:
<RollingFile name="RollingFile-Appender"
fileName="/opt/entrust/DocumentSignerService/OfflineTokenCreationService9.0.0/logs/easmops.log"
filePattern="/opt/entrust/DocumentSignerService/OfflineTokenCreationService9.0.0/logs/easmops.log.-%d{yyyy-MM-dd}-%i.log">
b The fileName attribute controls the full path and file name of the current
Offline Token Creation Utility Server log file. Change the value if required.
c The filePattern attribute controls the full path and file name of old
(rolled-over) Offline Token Creation Utility Server log files.
By default, when the current log file reaches a certain size, the log file is
renamed and the next log messages are written (rolled-over) to a new file.
It is strongly recommended that you do not change or remove the pattern
.-%d{yyyy-MM-dd}-%i.log from the file name. This pattern is the date and
time that the log file was rolled over.
4 To change how often the log files are rolled over:
a Under <RollingFile>, locate the <Policies> section. By default:
<Policies>
<TimeBasedTriggeringPolicy />
<SizeBasedTriggeringPolicy size="10 MB" />
</Policies>
b The <TimeBasedTriggeringPolicy> element controls how long to wait
before rolling over the log file.
By default, this element has no value, so the log file is not rolled over based
on time. It is strongly recommended that you do not modify this element.
c The <SizeBasedTriggeringPolicy> element controls the maximum size of
the active log file before rolling over the log file. Change the value of the
size= attribute if required. For example, 10 KB or 10 MB.
5 To change how many log files are kept:
a Under <RollingFile>, locate the <DefaultRolloverStrategy> element. By
default:

<DefaultRolloverStrategy max="30" />
b The max= attribute controls the maximum number of log files to keep.
Change the value if required.
6 To change the logging level:
a Under <Loggers>, locate the <Root> section. By default:
<Loggers>
<Root level="info">
<AppenderRef ref="RollingFile-Appender" />
</Root>
</Loggers>
b The level= attribute controls the logging level of the Offline Token Creation
Utility Server. Change the value if required.
The logging level can be one of (in increasing severity) debug, info, warn,
error, or fatal. This sets the lowest level of message to show. For example,
warn provides messages of warn, error and fatal status.
7 Save and close the file.
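The client and server logging procedures above edit the same five things in hsmops-log4j2.xml and easmops-log4j2.xml. The following is an added example, not part of the Entrust product, that parses such a file and reports edits the procedures warn against or that would break rollover (the date/index pattern removed from filePattern, a size value not of the form "10 MB", a non-positive max, a Root level outside the five the guide lists, or no AppenderRef pointing at the appender); the sample XML is constructed from the default fragments shown above.

```python
"""Sanity checks for an hsmops-log4j2.xml or easmops-log4j2.xml file.

Added example, not part of the Entrust product: it parses the Log4j 2 XML the
guide walks through and flags the edits the guide warns against or that would
break rollover.
"""
import re
import xml.etree.ElementTree as ET

REQUIRED_PATTERN = ".-%d{yyyy-MM-dd}-%i.log"          # rollover date/index suffix
GUIDE_LEVELS = {"debug", "info", "warn", "error", "fatal"}
SIZE_RE = re.compile(r"^\d+\s*(KB|MB|GB)$", re.IGNORECASE)  # e.g. "10 KB", "10 MB"


def check_log4j2_config(xml_text):
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    root = ET.fromstring(xml_text)

    rolling = root.find(".//RollingFile")
    if rolling is None:
        return ["no <RollingFile> appender found"]

    if not rolling.get("fileName"):
        findings.append("RollingFile fileName attribute is missing")
    if not rolling.get("filePattern", "").endswith(REQUIRED_PATTERN):
        findings.append(f"filePattern no longer ends with {REQUIRED_PATTERN}")

    policies = rolling.find("Policies")
    if policies is None:
        findings.append("<Policies> missing under <RollingFile>")
    else:
        time_policy = policies.find("TimeBasedTriggeringPolicy")
        if time_policy is not None and time_policy.attrib:
            findings.append("TimeBasedTriggeringPolicy was given attributes; "
                            "the guide recommends leaving it unmodified")
        size_policy = policies.find("SizeBasedTriggeringPolicy")
        size = size_policy.get("size", "").strip() if size_policy is not None else ""
        if not SIZE_RE.match(size):
            findings.append("SizeBasedTriggeringPolicy size must look like '10 MB'")

    strategy = rolling.find("DefaultRolloverStrategy")
    max_files = strategy.get("max", "") if strategy is not None else ""
    if not max_files.isdigit() or int(max_files) < 1:
        findings.append("DefaultRolloverStrategy max must be a positive integer")

    root_logger = root.find(".//Loggers/Root")
    level = root_logger.get("level", "").lower() if root_logger is not None else ""
    if level not in GUIDE_LEVELS:
        findings.append("Root level must be one of debug, info, warn, error, fatal")

    refs = {ref.get("ref") for ref in root.iter("AppenderRef")}
    if rolling.get("name") not in refs:
        findings.append("no <AppenderRef> points at the RollingFile appender")
    return findings


# Constructed sample mirroring the default fragments shown in the guide.
GOOD_CONFIG = """<Configuration>
  <Appenders>
    <RollingFile name="RollingFile-Appender"
        fileName="/opt/entrust/DocumentSignerService/OfflineTokenCreationService9.0.0/logs/hsmops.log"
        filePattern="/opt/entrust/DocumentSignerService/OfflineTokenCreationService9.0.0/logs/hsmops.log.-%d{yyyy-MM-dd}-%i.log">
      <Policies>
        <TimeBasedTriggeringPolicy />
        <SizeBasedTriggeringPolicy size="10 MB" />
      </Policies>
      <DefaultRolloverStrategy max="30" />
    </RollingFile>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="RollingFile-Appender" />
    </Root>
  </Loggers>
</Configuration>
"""

# Two of the mistakes the guide warns against: the date/index pattern stripped
# from filePattern, and max set to 0.
BAD_CONFIG = (GOOD_CONFIG.replace(REQUIRED_PATTERN, ".old")
                         .replace('max="30"', 'max="0"'))

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_log4j2_config(cfg) or "OK")
```

Run it against the real file with `check_log4j2_config(open(path).read())` before restarting the utility.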

Generating a signature key pair on a hardware token
The first step in creating an offline token profile is to generate the needed signature
key pairs securely within the client token, and to create the certificate request for
Security Manager. You perform this task using the Offline Token Creation Utility
Client.
Complete the following procedure to generate key pairs and create the certificate
request file.

To generate key pairs and create the request file


1 Log in to the server hosting the Document Signer Service with the Offline Token
Creation Utility Client component.
2 Insert your hardware token into the computer.
3 Navigate to the following location:
<DSS-install>/OfflineTokenCreationService<version>/bin
4 Run the Offline Token Creation Utility Client:
• On Windows, run runHsmClient.bat.
• On Linux, run runHsmClient.sh (enter ./runHsmClient.sh).
5 The main menu appears:
Main Menu
1. Generate signature key pair on token
2. Recover profile from Security Manager
3. Write Entrust Profile to token
4. Exit
Select an operation [1]:

Note:
To return to the main menu at any time, enter a period (.).

Enter 1 to generate signature key pairs on a hardware token.


6 A list appears displaying all tokens followed by the prompt:
Enter token slot number:

Note:
If your hardware token does not appear in the list, check the hsmops.config file
to ensure that you specified the correct PKCS #11 v2.01 interface library for your
token. For more information about the configuration file, see “Preparing to use
the Offline Token Creation Utility” on page 237.

From the list of detected tokens, enter the slot number of the hardware token
where you want to generate signature key pairs.
7 You are prompted for the token password or PIN:
Enter the User password/PIN for this token:

Attention:
Some tokens have a built-in security mechanism that locks or zeroes the
hardware token after a certain number of consecutive failed login attempts.
Check with your token vendor for more information about your hardware token.
You may cancel this operation if you do not want to continue the user login
attempt.

Enter the password or PIN for the hardware token user to log in to the token.
8 You are prompted to select a signature algorithm and key length:
Choose a digital signature algorithm and key length:
1. RSA-1024
2. RSA-2048
3. RSA-3072
4. RSA-4096
5. RSA-6144
6. DSA-1024
7. ECDSA

Select desired algorithm and key length [1]:


Enter the number that corresponds to the algorithm set in the Document Signer
Policy (see “Customizing Document Signer certificates” on page 138). For
example, enter 2 to select RSA-2048, or enter 7 to select an elliptic curve.
If your selection does not comply with the policy, it will be rejected by Security
Manager.
For RSA, it is recommended that you select RSA-2048 or higher. RSA-1024 is
weak and will likely be rejected by Security Manager.
9 If you selected ECDSA in the previous step:

a You are prompted to select an elliptic curve domain:
Choose a named elliptic curve domain:
1. brainpoolP160r1
2. brainpoolP192r1
3. brainpoolP224r1
4. brainpoolP256r1
5. ansix9p160k1
6. ansix9p160r1
7. ansix9p160r2
8. ansix9p192k1
9. ansix9p192r1
10. ansix9p224k1
11. ansix9p224r1
12. ansix9p256k1
13. ansix9p256r1
Select the desired named curve [1]:
Enter the number that corresponds to the elliptic curve set in the Document
Signer Policy (see “Customizing Document Signer certificates” on
page 138). For example, enter 9 to select ansix9p192r1.
If your selection does not comply with the policy, it will be rejected by
Security Manager.
b You are asked if you want to use the specified elliptic curve domain
parameters in the public key:
Use 'specified' EC domain parameters in the public key? [n]:
One component of the DER-encoded public key is the elliptic curve domain
parameters. Elliptic curve domain parameters can be represented in ASN.1
using 'specified', 'named' or 'implicitCA' format. Since the most
widely-supported elliptic curve domain parameter format is 'specified', for
interoperability reasons you can force the elliptic curve domain parameters
to be encoded in the public key in ‘specified’ format.
– To encode the elliptic curve domain parameters in the ‘specified’ format,
enter y.
– To encode the elliptic curve domain parameters in the format indicated by
the domain parameters themselves, enter n.
10 You are prompted to enter the path for the certificate request:
Enter the path to write the certificate request to:
Enter the output path for Offline Token Creation Utility Client to write the
resulting certificate request. Enter a forward slash (/) at the end of the path. For
example:
C:/Program Files/
or
/tmp/

11 You are prompted to provide a lifetime for the self-signed protocol encryption
certificate:
Please enter the desired PEC certificate lifetime in days (1-365)
[365]:

Note:
The lifetime of the certificate must be long enough to allow the entire offline
token creation process to complete. The certificate lifetime minimum should be
as long as it takes to complete user enrollment.

Enter the lifetime of the self-signed protocol encryption certificate (in days), from
1 to 365.
12 If the selected hardware token already contains data, you are prompted to
confirm deletion of this data:
**** WARNING ****
This token appears to have existing data on it. If you choose to
continue, any existing keys, certificates, or other data objects
will be deleted from the token.
Do you want to continue [n]:
If the hardware token does not contain any data, the warning prompt does not
appear.
If you continue, all existing data on the token is deleted. Canceling the operation
preserves existing data.
• To cancel the operation, enter n.
• To delete all existing data and start generating key pairs, enter y.
13 The Offline Token Creation Utility Client begins to generate a key pair.
Depending on the capabilities of the hardware token, key generation may take a
few moments.
Once completed, Offline Token Creation Utility Client creates a certificate
request file containing the information needed by Security Manager to issue an
Entrust profile. The file name is a number assigned by the hardware token
followed by a .req file extension. The certificate request file is placed in the
output location you specified earlier.

Note:
For integrity purposes, the utility calculates and displays a hash value of the
certificate request file. You may record this value to confirm the integrity of the
file after you transport it to Security Manager in “Creating the offline Entrust
profile at Security Manager” on page 258.

14 Proceed to “Creating the offline Entrust profile at Security Manager” on
page 258 to create an Entrust profile for the hardware token.

Recovering an offline Entrust profile on a hardware token
Recovering a profile involves the generation of a new signature key pair, while
restoring the previous encryption key pair and any decryption key history. This
information is securely stored by Security Manager for backup purposes.
Recover a profile when:
• you forget the profile password
• the profile is lost or damaged
• you believe that your keys are compromised or that an attacker possesses the
password or profile
Before you use the Offline Token Creation Utility to recover a profile, an Entrust
administrator must prepare for recovery of the digital ID in Security Manager and
generate activation codes (authorization code and reference number).
Complete the following procedure to recover an Entrust profile.

To recover a profile
1 Set the user account for key recovery:
a Log in to Security Manager Administration.
b Find the user account for the profile that you want to recover.
c Select the user, then select Users > Selected User > Begin Key Recovery.
d If prompted, authorize the operation.
e Record the new reference number and authorization code.
2 Log in to the server hosting the Document Signer Service with the Offline Token
Creation Utility Client component.
3 Navigate to the following location:
<DSS-install>/OfflineTokenCreationService<version>/bin
4 Run the Offline Token Creation Utility Client:
• On Windows, run runHsmClient.bat.
• On Linux, run runHsmClient.sh (enter ./runHsmClient.sh).
5 The main menu appears:
Main Menu
1. Generate signature key pair on token
2. Recover profile from Security Manager
3. Write Entrust Profile to token
4. Exit
Select an operation [1]:

Note:
To return to the main menu at any time, enter a period (.).

Enter 2 to initiate the profile recovery.


6 A list appears displaying all tokens followed by the prompt:
Enter token slot number:

Note:
If your hardware token does not appear in the list, check the hsmops.config file
to ensure that you specified the correct PKCS #11 v2.01 interface library for your
token. For more information on the configuration file and property value that
contains this setting, see “Preparing to use the Offline Token Creation Utility” on
page 237.

From the list of detected tokens, enter the slot number of the hardware token
where you want to generate signature key pairs.
7 You are prompted for the token password or PIN:
Enter the User password/PIN for this token:

Attention:
Some tokens have a built-in security mechanism that locks or zeroes the
hardware token after a certain number of consecutive failed login attempts.
Check with your token vendor for more information about your hardware token.
You may cancel this operation if you do not want to continue the user login
attempt.

Enter the password or PIN for the hardware token user to log in to the token.
8 You are prompted to select a signature algorithm and key length:
Choose a digital signature algorithm and key length:
1. RSA-1024
2. RSA-2048
3. RSA-3072
4. RSA-4096
5. RSA-6144
6. DSA-1024
7. ECDSA

Select desired algorithm and key length [1]:
Enter the number that corresponds to the algorithm set in the Document Signer
Policy (see “Customizing Document Signer certificates” on page 138). For
example, enter 2 to select RSA-2048, or enter 7 to select an elliptic curve.
If your selection does not comply with the policy, it will be rejected by Security
Manager.
9 If you selected ECDSA in the previous step:
a You are prompted to select an elliptic curve domain:
Choose a named elliptic curve domain:
1. brainpoolP160r1
2. brainpoolP192r1
3. brainpoolP224r1
4. brainpoolP256r1
5. ansix9p160k1
6. ansix9p160r1
7. ansix9p160r2
8. ansix9p192k1
9. ansix9p192r1
10. ansix9p224k1
11. ansix9p224r1
12. ansix9p256k1
13. ansix9p256r1
Select the desired named curve [1]:
Enter the number that corresponds to the elliptic curve set in the Document
Signer Policy (see “Customizing Document Signer certificates” on
page 138). For example, enter 9 to select ansix9p192r1.
If your selection does not comply with the policy, it will be rejected by
Security Manager.
b You are asked if you want to use the specified elliptic curve domain
parameters in the public key:
Use 'specified' EC domain parameters in the public key? [n]:
One component of the DER-encoded public key is the elliptic curve domain
parameters. Elliptic curve domain parameters can be represented in ASN.1
using 'specified', 'named' or 'implicitCA' format. Since the most
widely-supported elliptic curve domain parameter format is 'specified', for
interoperability reasons you can force the elliptic curve domain parameters
to be encoded in the public key in ‘specified’ format.
– To encode the elliptic curve domain parameters in the ‘specified’ format,
enter y.
– To encode the elliptic curve domain parameters in the format indicated by
the domain parameters themselves, enter n.
10 You are prompted to enter the path for the certificate request:

Enter the path to write the certificate request to:
Enter the output path for Offline Token Creation Utility to write the resulting
certificate request. Enter a forward slash (/) at the end of the path.
11 You are prompted to provide a lifetime for the self-signed protocol encryption
certificate:
Please enter the desired PEC certificate lifetime in days (1-365)
[365]:

Note:
The lifetime of the certificate must be long enough to allow the entire offline
token creation process to complete. The certificate lifetime minimum should be
as long as it takes to complete user enrollment.

Enter the lifetime of the self-signed protocol encryption certificate (in days), from
1 to 365.
12 If the selected hardware token already contains data, you are prompted to
confirm deletion of this data:
**** WARNING ****
This token appears to have existing data on it. If you choose to
continue, any existing keys, certificates, or other data objects
will be deleted from the token.
Do you want to continue [n]:
If the hardware token does not contain any data, the warning prompt does not
appear.
If you continue, all existing data on the token is deleted. Cancelling the operation
preserves existing data.
To cancel the operation, enter n. To delete all existing data and start generating
key pairs, enter y.
13 The Offline Token Creation Utility begins to generate a key pair. Depending on
the capabilities of the hardware token, key generation may take a few moments.
Once completed, Offline Token Creation Utility creates a certificate request file
containing the information needed by Security Manager to issue an Entrust
profile. The file name is a number assigned by the hardware token followed by a
.req file extension. The certificate request file is placed in the output location you
specified earlier.

Note:
For integrity purposes, the utility calculates and displays a hash value of the
certificate request file. You may record this value to confirm the integrity of the
file after you transport it to Security Manager in “Creating the offline Entrust
profile at Security Manager” on page 258.

14 Proceed to “Creating the offline Entrust profile at Security Manager” on
page 258 to create an Entrust profile for the hardware token.
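Step 9b of both the generation and recovery procedures lets you force the ‘specified’ encoding of the elliptic curve domain parameters. The following is an added example, not part of the Entrust utilities, that walks the DER of a SubjectPublicKeyInfo and reports which of the three ASN.1 forms (‘named’, ‘specified’ or ‘implicitCA’) the public key carries, so you can confirm what was actually emitted before sending a request to a relying party; the sample keys are constructed stand-ins with a dummy public point, and the ‘specified’ sample is abbreviated to its version field.

```python
"""Report how the EC domain parameters are encoded in a DER SubjectPublicKeyInfo.

Added example, not part of the Entrust guide: a minimal DER walker that
classifies the ECParameters of an ecPublicKey SPKI as 'named' (an OID),
'specified' (a SpecifiedECDomain SEQUENCE) or 'implicitlyCA' (NULL).
"""

EC_PUBLIC_KEY_OID = "1.2.840.10045.2.1"   # id-ecPublicKey
PRIME256V1_OID = "1.2.840.10045.3.1.7"     # ansix9p256r1 in the guide's curve menu


def _der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER (base-128 arcs, first two arcs folded)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos):
    """Return (tag, body, position after the element); rejects truncation."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def ec_parameter_form(spki_der):
    """Classify the ECParameters; returns (form, named_curve_oid_or_None)."""
    tag, spki, _ = read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, _ = read_tlv(spki, 0)                       # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid_body, pos = read_tlv(alg, 0)
    if tag != 0x06 or decode_oid(oid_body) != EC_PUBLIC_KEY_OID:
        raise ValueError("not an ecPublicKey SubjectPublicKeyInfo")
    if pos >= len(alg):
        return ("absent", None)                            # parameters omitted
    param_tag, param_body, _ = read_tlv(alg, pos)
    if param_tag == 0x06:
        return ("named", decode_oid(param_body))
    if param_tag == 0x30:
        return ("specified", None)
    if param_tag == 0x05:
        return ("implicitlyCA", None)
    return ("unknown", None)


def build_spki(parameters_der):
    """Assemble a constructed ecPublicKey SPKI around the given ECParameters.

    The subjectPublicKey is a placeholder (0x04 prefix plus 64 zero bytes),
    not a real point; only the structure matters for this check."""
    placeholder_point = b"\x04" + b"\x00" * 64
    alg_id = tlv(0x30, encode_oid(EC_PUBLIC_KEY_OID) + parameters_der)
    return tlv(0x30, alg_id + tlv(0x03, b"\x00" + placeholder_point))


# Constructed samples for the three encodings. The 'specified' body is a
# stand-in holding only the ECPVer INTEGER; a real SpecifiedECDomain also
# carries fieldID, curve, base, order and cofactor.
SAMPLE_NAMED = build_spki(encode_oid(PRIME256V1_OID))
SAMPLE_SPECIFIED = build_spki(tlv(0x30, tlv(0x02, b"\x01")))
SAMPLE_IMPLICIT = build_spki(tlv(0x05, b""))

if __name__ == "__main__":
    for label, sample in (("named", SAMPLE_NAMED), ("specified", SAMPLE_SPECIFIED),
                          ("implicitlyCA", SAMPLE_IMPLICIT)):
        print(label, "->", ec_parameter_form(sample))
```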

Creating the offline Entrust profile at Security Manager
The next step in creating or recovering an offline token profile is to transport the
certificate request file generated by Offline Token Creation Utility Client (created in
“Generating a signature key pair on a hardware token” on page 248) to the
computer hosting the Offline Token Creation Utility Server. The Offline Token
Creation Utility Server must have network connectivity to Security Manager’s
Certificate Management Protocol (CMP) service.
Once transported, Security Manager issues an Entrust profile that may then be
written to the hardware token.

Note:
To complete this process, you must use the reference number and authorization
code you obtained from Security Manager when you added the user entry to
Security Manager.

Complete the following procedure to create an offline Entrust profile.

To obtain an Entrust profile from Security Manager


1 Log in to the server hosting the Document Signer Service with the Profile
Creation Utility Server component.
2 Transport the certificate request file (.req) created in “Generating a signature
key pair on a hardware token” on page 248 to the computer.
3 Navigate to the following location:
<DSS-install>/OfflineTokenCreationService<version>/bin
4 Run the Offline Token Creation Utility Server:
• On Windows, run runEASMServer.bat.
• On Linux, run runEASMServer.sh (enter ./runEASMServer.sh).
5 You are prompted to enter the reference number for the profile:
Enter reference number:
Enter the reference number you obtained from Security Manager for the Entrust
profile you are creating.
6 You are prompted to enter the authorization code for the profile:
Enter authorization code:
Enter the authorization code you obtained from Security Manager for the Entrust
profile you are creating.

7 You are prompted to enter the path and file name of the request file:
Enter the path and filename of the request file:
Enter the path and file name of the certificate request file generated by the
Offline Token Creation Utility Client and transported to this computer from the
client.
The certificate request file is located in the output location you set earlier. The file
name is made up of a number assigned by the hardware token and a .req
extension.
8 Offline Token Creation Utility Server calculates and displays a SHA-1 hash value
for the certificate request file, followed by the prompt:
This value should match the hash value recorded when the request
was generated. If it does not, it is recommended that this process
be cancelled.
Do you want to continue [y]:
If you recorded the value when the file was first created, compare it with the
value after transport to ensure the integrity of the file.
• If the displayed hash value matches the hash value you recorded earlier, enter
y.
• If the values do not match, enter n to cancel.
9 If you chose to continue, you are prompted to enter the path for the Entrust
profile:
Enter the path to write the Entrust Profile to:
Enter the output path for Offline Token Creation Utility Server to write the
resulting Entrust profile. Enter a forward slash (/) at the end of the path. For
example:
C:/Program Files/
or
/tmp/
10 Offline Token Creation Utility Server initiates a Certificate Management Protocol
(CMP) session with Security Manager and writes the Entrust profile (.epf file) to
the output path you set. The file name consists of the same number as the
corresponding certificate request file, but has an .epf file extension.
For integrity purposes, the utility calculates and displays a hash value of the
profile. You can record this value to confirm the integrity of the file transported
back to the client.
11 Proceed to “Writing the Entrust profile to the hardware token” on page 260 to
write the Entrust profile to the hardware token.

Writing the Entrust profile to the hardware token
The last step in creating or recovering an offline token profile is to transport the
Entrust profile (.epf file) written by Offline Token Creation Utility Server back to the
Offline Token Creation Utility Client. The Offline Token Creation Utility Client can
then write the Entrust profile to the hardware token containing the signature key pair.
Complete the following procedure to write the Entrust profile to the hardware token.

To write the Entrust profile to the hardware token


1 Log in to the server hosting the Document Signer Service with the Offline Token
Creation Utility Client component.
2 Transport the Entrust profile (.epf) created in “Creating the offline Entrust profile
at Security Manager” on page 258 to the computer.
3 Navigate to the following location:
<DSS-install>/OfflineTokenCreationService<version>/bin
4 Run the Offline Token Creation Utility Client:
• On Windows, run runHsmClient.bat.
• On Linux, run runHsmClient.sh (enter ./runHsmClient.sh).
5 The main menu appears:
Main Menu
1. Generate signature key pair on token
2. Recover profile from Security Manager
3. Write Entrust Profile to token
4. Exit
Select an operation [1]:

Note:
To return to the main menu at any time, enter a period (.).

Enter 3 to write the Entrust profile to the hardware token.


6 A list appears displaying all tokens followed by the prompt:
Enter token slot number:
Enter the slot number of the token where you want to store the profile.
7 You are prompted for the token password or PIN:
Enter the User password/PIN for this token:

Enter the password or PIN for the hardware token user to log in to the token.
8 You are prompted to enter the path and file name of the Entrust profile:
Enter the path and filename containing the Entrust profile:
Enter the path and file name of the Entrust profile to be written to the hardware
token.
The Entrust profile is located in the output location you set earlier. The file name
is made up of a number assigned by the hardware token and an .epf extension.
9 Offline Token Creation Utility Client calculates and displays a hash value for the
file, followed by the prompt:
This value should match the hash value recorded when the profile
was generated. If it does not, it is recommended that this process
be cancelled.
Do you want to continue [y]:
If you recorded the value when the file was first created, compare it with the
value after transport to ensure the integrity of the file.
• If the displayed hash value matches the hash value you recorded earlier, enter
y.
• If the values do not match, enter n to cancel.
10 If you chose to continue, the Entrust profile is written to the hardware token.
You successfully completed the offline creation or recovery of an Entrust profile on a
hardware token that may be used with Verification Server.
After you finish creating or recovering an offline Entrust profile on a token, use the
Profile Creation Utility to create Server Login credentials for the profile. For
instructions, see the Document Signer Service Verification Server Guide.
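The hash comparisons in the server procedure (step 8) and the client procedure (step 9) only work if the hashalgorithm setting in hsmops.config and easmops.config agree, as Table 10 notes. The following is an added example, not an Entrust tool, that reads the setting from a config file of the key = value layout shown in Table 10 (treating '#' as the comment marker is an assumption), hashes the transported .req or .epf file with that algorithm, and compares the result with the value recorded on the other side; the config texts and file contents are constructed.

```python
"""Out-of-band integrity check for a transported .req or .epf file.

Added example, not an Entrust tool: reads hashalgorithm from an
hsmops.config / easmops.config style file, hashes the transported file with
that algorithm and compares the result with the value recorded when the
utility displayed it.
"""
import hashlib
import hmac

# Algorithm names in the guide's spelling (e.g. SHA-384) -> hashlib constructors.
_ALGORITHMS = {
    "SHA-1": hashlib.sha1,
    "SHA-256": hashlib.sha256,
    "SHA-384": hashlib.sha384,
    "SHA-512": hashlib.sha512,
}


def read_hash_algorithm(config_text, default="SHA-256"):
    """Return the effective hashalgorithm; the guide says a commented-out
    setting falls back to SHA-256."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # assumed comment marker
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "hashalgorithm":
            return value.strip().upper()
    return default


def configs_agree(client_config, server_config):
    """Client and server must use the same algorithm, or the hashes they
    display for the same file can never match."""
    return read_hash_algorithm(client_config) == read_hash_algorithm(server_config)


def digest_bytes(data, algorithm):
    """Hex digest of in-memory file contents with the configured algorithm."""
    try:
        ctor = _ALGORITHMS[algorithm.upper()]
    except KeyError:
        raise ValueError(f"unsupported hashalgorithm: {algorithm}") from None
    return ctor(data).hexdigest()


def digest_file(path, algorithm):
    """Streamed hex digest of a .req or .epf file on disk."""
    ctor = _ALGORITHMS[algorithm.upper()]   # KeyError surfaces a bad name
    h = ctor()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_transport(data, algorithm, recorded):
    """True only if the transported bytes hash to the recorded value.
    Accepts the recorded value with or without separators or upper case."""
    expected = recorded.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(digest_bytes(data, algorithm), expected)


# Constructed inputs (not real Entrust files): the client file leaves the
# setting commented out while the server file sets SHA-384, which is exactly
# the mismatch Table 10's note on hashalgorithm warns about.
CLIENT_CONFIG = "# hsmops.config (constructed)\n#hashalgorithm = SHA-384\n"
SERVER_CONFIG = "# easmops.config (constructed)\nhashalgorithm = SHA-384\n"
SAMPLE_REQ = b"constructed stand-in for a 1234.req file\n"

if __name__ == "__main__":
    print("configs agree:", configs_agree(CLIENT_CONFIG, SERVER_CONFIG))
    for cfg in (CLIENT_CONFIG, SERVER_CONFIG):
        algo = read_hash_algorithm(cfg)
        print(algo, digest_bytes(SAMPLE_REQ, algo))
```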

10 Using Verification Server


This chapter provides instructions about using Verification Server as part of the
Document Signer Service in an ePassport system.
For more information about configuring and using Verification Server, see the
Document Signer Service Verification Server Guide.
Topics in this chapter:
• “Using secure logging” on page 264
• “Managing the Entrust profiles used by Verification Server” on page 272
• “Accessing Verification Server services from your application” on page 275
• “Where should clients send requests?” on page 276
• “Digital Signature service clients” on page 277
• “Troubleshooting Verification Server” on page 278

Using secure logging
You can configure Verification Server to securely log requests for digital signatures so
that you can detect any tampering of the data.
This section contains the following topics:
• “Creating a user entry in Security Manager for secure logging” on page 264
• “Creating an Entrust profile and Server Login credentials for secure logging”
on page 265
• “Configuring Verification Server for secure logging” on page 266
• “Viewing and verifying the secure audit log files” on page 269

Creating a user entry in Security Manager for secure logging


To implement secure audit logging, you must create an Entrust profile that
Verification Server can use to secure the log file. You can create the digital ID in the
same way you create other digital IDs. For auditing, the digital ID must contain both
encryption and signing certificates.
Complete the following procedure to create the user entry for audit logging.

To create the user entry for secure logging


1 Log in to Security Manager Administration (see the Entrust Authority Security
Manager Administration User Guide).
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
d Leave Create profile deselected. You will use the Profile Creation Utility or
Offline Token Creation Utility to create the profile.
4 Click the General tab, and then complete the following.

a From the User role drop-down list, select Server Login.
b Under User group(s), select All groups. By default, this option should already
be selected.
5 Click the Certificate Info tab, and then complete the following:
a For Category, select Enterprise.
b For Type, select Default.
6 Click OK.
7 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
Security Manager Administration displays the reference number and
authorization code required to create the secure logging profile.
8 Record the authorization code and reference number. You need these activation
codes to generate the profile.
9 Proceed to “Creating an Entrust profile and Server Login credentials for secure
logging” on page 265.

Creating an Entrust profile and Server Login credentials for
secure logging
The secure logging feature requires an Entrust profile and Server Login credentials.
Server Login allows the secure logging feature to log in to the Entrust profile without
outside intervention.

Note:
If you are storing the Entrust profile on a hardware security module (HSM),
ensure you have installed and configured your HSM according to the instructions
provided by your HSM vendor. You must initialize the HSM before creating an
Entrust profile on it. You may also want to test the HSM installation to ensure the
hardware is operational. HSM vendors typically provide a utility you can use to
test the HSM. See your token vendor’s documentation for more information.

To create the Entrust profile and Server Login credentials:


1 Create an Entrust profile for the secure logging feature using one of the following
utilities:
• If Verification Server has network connectivity to Security Manager, create an
Entrust profile using the Profile Creation Utility.

For instructions, see the Document Signer Service Verification Server Guide.
The Profile Creation Utility can create the profile on a hardware token, or as
an EPF file on software.
When creating an Entrust profile, the Profile Creation Utility can also create
the required Server Login credentials.
• If Verification Server does not have network connectivity to Security
Manager, create an Entrust profile using the Offline Token Creation Utility.
For instructions, see “Using the Offline Token Creation Utility” on page 235.
The Offline Token Creation Utility can only create the profile on a hardware
token.
2 Use the Profile Creation Utility to create the Server Login credentials. For
instructions, see Document Signer Service Verification Server Guide.
If you used the Profile Creation Utility to create the Entrust profile, you may have
already created the Server Login credentials.
After creating an Entrust profile and Server Login credentials for secure logging,
proceed to “Configuring Verification Server for secure logging” on page 266.

Configuring Verification Server for secure logging


Make changes to the Verification Server entrust-configuration.xml file to
configure secure logging. For more information about the
entrust-configuration.xml file, see “Verification Server entrust-configuration.xml
file” on page 287.

To configure Verification Server for secure logging


1 Log in to the server hosting Entrust Authority Document Signer Service with the
Verification Server component.
2 Open the Verification Server entrust-configuration.xml file in an XML or text
editor. You can find the file in the following location:
<DSS-install>/VerificationServer<version>/webapps/tomcat/verificationserver/WEB-INF/classes
3 Locate the settings for the secure logging:
<secure-logging>
  <!-- Secure logfile location: uncomment for secure logging -->
  <!-- file>file:///C:\Program Files\Entrust\DocumentSignerService/VerificationServer9.0.0/logs/webservices.secure.log</file -->
  <!-- Secure logging level. Choices are: fatal, alert, error, warn, info, debug, trace -->
  <level>info</level>
  <!-- Maximum secure logfile size, in bytes, before rolling over -->
  <max-file-size>1000000</max-file-size>
  <entrust-credential>
    <!-- Profile filename -->
    <profile>file:///C:\Program Files\Entrust\DocumentSignerService/VerificationServer9.0.0/conf/security/auditor.epf</profile>
    <!-- Unattended login filename -->
    <ual>file:///C:\Program Files\Entrust\DocumentSignerService/VerificationServer9.0.0/conf/security/auditor.ual</ual>
    <!-- Profile password, used if ual not present, not recommended for production environments -->
    <!-- profile-password>changeme</profile-password -->
    <!-- Hardware Security Module slot number -->
    <!-- <hsm-slot>1</hsm-slot> -->
  </entrust-credential>
</secure-logging>
4 For the <file> setting:
a To enable secure logging, uncomment the <file> setting. For example:
<file>file:///C:\Program Files\Entrust\DocumentSignerService/VerificationServer9.0.0/logs/webservices.secure.log</file>
or
<file>file:////opt/entrust/DocumentSignerService/VerificationServer9.0.0/logs/webservices.secure.log</file>
If the <file> setting for secure logging is commented out, missing, or empty,
secure logging is disabled. When secure logging is disabled, Verification
Server does not use the secure logging digital ID.
b The <file> setting specifies the file path and name of the secure audit log.
If required, you can change the file path or file name of the secure audit log. It
is recommended that you keep the default file path and name.
5 For <level>, enter the level of detail to record in the secure log file.
The possible choices, from most urgent to least urgent, are: fatal, alert, error,
warn, info, debug, trace. This sets the least urgent level of message that is
recorded. For example, info records messages of level info, warn, error, alert,
and fatal. See “Logging levels” on page 279 for more information.
The default is info.
6 For <max-file-size>, enter the maximum size of the secure log file, in bytes.

When the secure log file reaches this size, a new log file is created. Rollover occurs
in the same way as for regular log files (“Customizing the log files” on page 278).
The default is 1000000 bytes.
7 The settings under <entrust-credential> connect to the Entrust profile used
for secure logging:
a For the <profile> setting:
– If the Entrust profile is an EPF file stored on software, ensure that the
<profile> setting provides the full path and file name to the Entrust
profile. For example:
<profile>file:////opt/entrust/DocumentSignerService/VerificationServer9.0.0/conf/security/auditor.epf</profile>
The path must begin with file:///.
– If the Entrust profile is stored on hardware, comment out the <profile>
setting. For example:
<!-- profile>file:////opt/entrust/DocumentSignerService/VerificationServer9.0.0/conf/security/auditor.epf</profile -->
b For the <ual> setting, ensure that it has the correct path and file name to the
Server Login credentials. For example:
<ual>file:///C:\Program Files\Entrust\DocumentSignerService/VerificationServer9.0.0/conf/security/auditor.ual</ual>
or
<ual>file:////opt/entrust/DocumentSignerService/VerificationServer9.0.0/conf/security/auditor.ual</ual>
c Comment out the <profile-password> setting. For example:
<!-- profile-password>changeme</profile-password -->
This setting specifies the profile password when
d For the <hsm-slot> setting:
– If the Entrust profile is stored on hardware, uncomment the <hsm-slot>
setting and change the value to the HSM slot number that contains the
Entrust profile. For example:
<hsm-slot>1</hsm-slot>
– If the Entrust profile is stored on software, comment out the <hsm-slot>
setting. For example:
<!-- hsm-slot>1</hsm-slot -->
8 Save and close the file.
9 Restart the Document Signer Service. See “Restarting the Document Signer
Service” on page 206.
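Before restarting the service, it is worth checking that the <secure-logging> block you edited is internally consistent, because a mismatch (for example, both <profile> and <hsm-slot> uncommented, or a clear-text <profile-password> left in) only surfaces at login time. The following is an added example written for this guide, not Entrust product code: a small Python pre-flight check that encodes the rules stated in steps 4 to 7 above. Element names are taken from the configuration fragment shown earlier; the three sample fragments at the bottom are constructed for illustration and use the Linux paths from the guide's examples.

```python
"""Pre-flight check for the <secure-logging> block of entrust-configuration.xml.

Added example for this guide, not Entrust product code. It encodes the rules
stated in steps 4 to 7: secure logging is enabled only when <file> is present
and non-empty; <profile> (EPF on disk) and <hsm-slot> (profile on an HSM) are
alternatives, not both; <profile> paths begin with file:///; and
<profile-password> should stay commented out in production in favour of a
UAL file. Element names are taken from the fragment in the guide. The sample
fragments at the bottom are constructed for illustration.
"""
import xml.etree.ElementTree as ET

LEVELS = ("fatal", "alert", "error", "warn", "info", "debug", "trace")


def _text(parent, tag):
    """Stripped text of child <tag>, or None if the element is absent or empty.

    ElementTree drops XML comments while parsing, so a commented-out element
    such as <!-- file>...</file --> is simply absent here.
    """
    el = parent.find(tag)
    if el is None or el.text is None or not el.text.strip():
        return None
    return el.text.strip()


def check_secure_logging(xml_text):
    """Return (enabled, findings) for the <secure-logging> block in xml_text.

    enabled mirrors the server's own rule: a commented-out, missing or empty
    <file> disables secure logging. findings is a list of human-readable
    problems; an empty list means the block is internally consistent.
    """
    root = ET.fromstring(xml_text)
    sl = root if root.tag == "secure-logging" else root.find(".//secure-logging")
    if sl is None:
        return False, ["no <secure-logging> element found"]

    findings = []
    if _text(sl, "file") is None:
        return False, findings  # disabled: the credential settings are not used

    level = _text(sl, "level")
    if level is not None and level.lower() not in LEVELS:
        findings.append("unknown <level> %r; expected one of %s" % (level, ", ".join(LEVELS)))

    size = _text(sl, "max-file-size")
    if size is None or not size.isdigit() or int(size) <= 0:
        findings.append("<max-file-size> must be a positive number of bytes")

    cred = sl.find("entrust-credential")
    if cred is None:
        findings.append("secure logging is enabled but <entrust-credential> is missing")
        return True, findings

    profile = _text(cred, "profile")
    slot = _text(cred, "hsm-slot")
    if profile is not None and slot is not None:
        findings.append("<profile> and <hsm-slot> are both set; comment out the one that does not apply")
    elif profile is None and slot is None:
        findings.append("neither <profile> (EPF on disk) nor <hsm-slot> (HSM) is set")
    if profile is not None and not profile.startswith("file:///"):
        findings.append("<profile> must begin with file:///")

    password = _text(cred, "profile-password")
    if _text(cred, "ual") is None and password is None:
        findings.append("no <ual> and no <profile-password>: unattended login is impossible")
    if password is not None:
        findings.append("<profile-password> is set in clear text; use a UAL file in production")
    return True, findings


# Constructed sample fragment (Linux paths, as in the guide's examples).
SECURE_LOGGING_OK = """<secure-logging>
  <file>file:////opt/entrust/DocumentSignerService/VerificationServer9.0.0/logs/webservices.secure.log</file>
  <level>info</level>
  <max-file-size>1000000</max-file-size>
  <entrust-credential>
    <profile>file:////opt/entrust/DocumentSignerService/VerificationServer9.0.0/conf/security/auditor.epf</profile>
    <ual>file:////opt/entrust/DocumentSignerService/VerificationServer9.0.0/conf/security/auditor.ual</ual>
    <!-- profile-password>changeme</profile-password -->
    <!-- hsm-slot>1</hsm-slot -->
  </entrust-credential>
</secure-logging>"""

# Both <profile> and <hsm-slot> uncommented, and a clear-text password left in.
SECURE_LOGGING_BAD = SECURE_LOGGING_OK.replace(
    "<!-- profile-password>changeme</profile-password -->",
    "<profile-password>changeme</profile-password>",
).replace("<!-- hsm-slot>1</hsm-slot -->", "<hsm-slot>1</hsm-slot>")

# <file> commented out: secure logging disabled, credentials not used.
SECURE_LOGGING_DISABLED = SECURE_LOGGING_OK.replace("<file>", "<!-- file>").replace("</file>", "</file -->")

if __name__ == "__main__":
    for name, text in (("ok", SECURE_LOGGING_OK), ("bad", SECURE_LOGGING_BAD), ("disabled", SECURE_LOGGING_DISABLED)):
        enabled, findings = check_secure_logging(text)
        print(name, "enabled=%s" % enabled, findings or "no findings")
```

Run it against the real file by reading it with open() and passing the contents to check_secure_logging(); the function locates <secure-logging> anywhere in the document. A non-empty findings list is a reason not to restart yet.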

Viewing and verifying the secure audit log files
Verification Server includes the Entrust Secure Audit Checker utility that checks the
integrity of the secure audit log files.
The Entrust Secure Audit Checker utility:
• checks each secure log file that Verification Server created (for example,
secure.log, secure.log.0001, secure.log.0002, and so on) to ensure that it
was not tampered with
• optionally displays the contents of the log file

To view and verify the integrity of the secure audit log file
1 Open a command prompt.
2 Navigate to the following location:
<DSS-install>/VerificationServer<version>/bin
3 Run checkaudit.bat (Windows) or checkaudit.sh (Linux) as follows:
checkaudit.bat [-noevents] audit-file entrust-ini profile-name [slot-number]
[ual-file]
./checkaudit.sh [-noevents] audit-file entrust-ini profile-name [slot-number]
[ual-file]
Parameters in square brackets are optional parameters. Where:
• -noevents instructs the utility to check only the integrity of the file and not
print out the log data.
• audit-file provides the file path and name of the audit file to be checked,
without the audit file sequence number appended to it.
For example, enter secure.log to check the secure audit logs secure.log,
secure.log.0001, secure.log.0002, and so on.
The default path and file name of the secure audit log:
<DSS-install>/VerificationServer<version>/logs/webservices.secure.log
You can enter the full file path or a file path relative to the current working
directory.
• entrust-ini provides the file path and name of the entrust.ini file
associated with the digital ID used for secure logging.
The Verification Server entrust.ini file location:
<DSS-install>/VerificationServer<version>/conf/security/entrust.ini
You can enter the full file path or a file path relative to the current working
directory.

• profile-name provides the file path and name of the digital ID used for
secure logging.
Use the extension .tkn for an Entrust profile stored on a token.
You can enter the full file path or a file path relative to the current working
directory.
• slot-number provides the hardware token slot containing the Entrust profile.
This optional parameter applies only to Entrust profiles stored on hardware.
• ual-file provides the file path and name of the Server Login credentials
(UAL file) file associated with the digital ID. If you do not specify Server Login
credentials, the utility will prompt you for the password of the digital ID.
You can enter the full file path or a file path relative to the current working
directory.
For example, to view the contents of the log file, enter:
checkaudit ../logs/webservices.secure.log
../conf/security/entrust.ini ../conf/security/auditor.epf
4 Without the -noevents parameter, you see messages similar to the following:
Audit file 'webservices.secure.log.0001'
------------------------------
Audit sequence numbers: 1 to 64
Audit dates: 8/31/17 1:40 PM to 8/31/17 1:40 PM

Audit Event sequence number = 1


INFO ===> Successfully loaded configuration source:
file:/opt/entrust/DocumentSignerService/VerificationServer9.0.0/webapps/tomcat/verificationserver/WEB-INF/classes/entrust-configuration.xml
Thu Aug 31 13:40:16 EDT 2017
com.entrust.wsf.core.WebServiceCoreLog

Audit Event sequence number = 2


INFO ===> Log level setting: INFO
Thu Aug 31 13:40:16 EDT 2017
com.entrust.wsf.core.WebServiceCoreLog

Audit Event sequence number = 3


INFO ===> Logfile location:
/opt/entrust/DocumentSignerService/VerificationServer9.0.0/logs/webservices.log
Thu Aug 31 13:40:16 EDT 2017
com.entrust.wsf.core.WebServiceCoreLog

Audit Event sequence number = 4
INFO ===> Secure log level setting: INFO
Thu Aug 31 13:40:16 EDT 2017
com.entrust.wsf.core.WebServiceCoreLog

Audit Event sequence number = 5


INFO ===> Secure logfile location:
/opt/entrust/DocumentSignerService/VerificationServer9.0.0/logs/webservices.secure.log
Thu Aug 31 13:40:16 EDT 2017
com.entrust.wsf.core.WebServiceCoreLog
...
If the audit check fails, the utility returns an error. See the Secure Logger Check Audit
Utility Error messages HTML page for troubleshooting information.

Managing the Entrust profiles used by
Verification Server
This section provides some instructions for managing the Entrust profiles that
Verification Server requires for the Digital Signature service and secure audit logging
feature.
You use the Profile Creation Utility to manage the digital IDs used by Verification
Server. For information about using the Profile Creation Utility, see the Document
Signer Service Verification Server Guide.
This section contains the following topics:
• “Recovering Entrust profiles” on page 272
• “Updating expiring Entrust profiles” on page 273
• “Revoking a service certificate” on page 274
• “Changing the password of an Entrust profile” on page 274

Recovering Entrust profiles


The Profile Creation Utility enables you to recover an Entrust profile stored as an EPF
file on disk or on a hardware security module (HSM). To use the Profile Creation
Utility to recover an Entrust profile, Verification Server must have direct access to
Security Manager.
The Offline Token Creation Utility allows you to recover an Entrust profile stored on
an HSM when Verification Server does not have direct access to Security Manager.
Recover a profile when:
• you forget the profile password
• the profile is lost or damaged
• you believe that your keys are compromised or that an attacker possesses the
password or profile
Before you use the Profile Creation Utility to recover a profile, an administrator must
log in to Security Manager Administration and set the user for key recovery. Setting
the user for key recovery generates a new authorization code and reference number
that you use to recover the profile.

Attention:
Use Security Manager Administration only to begin key recovery for the
Verification Server user. You cannot use Security Manager Administration to
completely recover the profile, because the Verification Server user is a V2 key
pair user and Security Manager Administration cannot recover V2 key pair user
profiles. Errors occur if you attempt to recover a V2 key pair user in Security
Manager Administration.

For information about recovering Entrust profiles using the Profile Creation Utility, see
the Document Signer Service Verification Server Guide.
For information about recovering Entrust profiles using the Offline Token Creation
Utility, see “Recovering an offline Entrust profile on a hardware token” on page 253.

Updating expiring Entrust profiles


When Verification Server starts up and is online with the CA, it checks for any
profile updates that may be pending (for example, due to impending key expiry, a
forced key update, or server DN changes). The update is completed automatically
and the new profile is written to disk or to the HSM.
Since updates occur only at login time, restart the server for any pending updates to
take effect. Verification Server updates its keys and certificates at login if there are less
than 100 days remaining before expiry. You should note the certificate expiry dates
that are recorded in the Verification Server log file on startup, and make sure to restart
it sometime during this 100-day period to ensure key updates occur before any
certificates expire.
For details about the Verification Server log file, see “Error logging” on page 278.

Note:
If you enable multiple instances of Verification Server in a load-balancing
environment, you must restart the other Verification Server instances when one
Verification Server updates the keys. Key update notifications are written to the
Verification Server log files.

Revoking a service certificate
If a service’s public verification certificate is revoked for any reason, a Security
Manager administrator should begin key recovery immediately. After key recovery is
complete, restart Verification Server. When the service logs in, a key update occurs.
For more information about recovering Entrust profiles, see the Document Signer
Service Verification Server Guide.
Typically, you would only revoke certificates if you suspect that the keys were
compromised.

Changing the password of an Entrust profile


The Profile Creation Utility allows you to change the password of an Entrust profile
when online with Security Manager.
You can change the password for:
• an Entrust profile stored on disk
If password aging is enabled in Security Manager and your password has an
expiry date, you need to change the profile passwords periodically.
• an Entrust profile stored on a hardware security module (HSM), if the HSM
does not have a protected authentication path
Consult your HSM documentation for information about changing
passwords.

Note:
You can change the password of an Entrust profile with the Profile Creation
Utility if Verification Server has direct access to Security Manager. If the Entrust
profile is stored on hardware and Verification Server does not have direct access to
Security Manager, you must recover the profile using the Offline Token Creation
Utility. For instructions about using the Offline Token Creation Utility to recover
an Entrust profile, see “Recovering an offline Entrust profile on a hardware
token” on page 253.

For information about changing the password of an Entrust profile using the Profile
Creation Utility, see the Document Signer Service Verification Server Guide.

Accessing Verification Server services from
your application
Verification Server includes a home page you can access at the following URL:
http://<host>:<port>/verificationserver/index.jsp
Where:
• <host> is the host name or IP address of the server hosting Verification
Server.
• <port> is the Apache Tomcat port. The default port is 8080.
For example:
http://domain.example.com:8080/verificationserver/index.jsp
This page contains:
• URLs that show where the Verification Server services should send requests
• links to Web Services Description Language (WSDL) files that you can use to
build client applications
• schemas and specifications for the various services

Where should clients send requests?
If the client application sends the request directly to the application server, the request
URL must contain the host name and port number of the application server. The
default port number for Tomcat is 8080.
If the client application sends the request to an external Web server that then uses an
application server connector to forward the request to the application server, the
request URL must contain the host name and port number of the Web server.
Digital Signature CMS clients send requests to the following URLs:
• SOAP interface:
http://<hostname>:<port>/verificationserver/digsig
• Axis2 interface:
http://<hostname>:<port>/verificationserver/services/DigSig

Digital Signature service clients
The Digital Signature service allows client applications (such as the Signature Delivery
Service) to request CMS digital signatures.
You can build a Web service client for use with the Digital Signature service. Web
service clients use the SOAP protocol to access the services. For information on SOAP
1.1, see http://www.w3.org/TR/SOAP/.
Web service clients may make use of the WSDL available for the Verification Server
services. For information on the WSDL 1.1, see http://www.w3.org/TR/wsdl.
To view the Digital Signature service WSDL for the SOAP interface, go to the
following Verification Server URL:
http://<hostname>:<port>/verificationserver/digsig.wsdl
To view the Digital Signature service WSDL for the Axis2 interface, go to the
following Verification Server URL:
http://<hostname>:<port>/verificationserver/services/DigSig/DigSig
.wsdl

Digital Signature client samples


Verification Server includes sample code built upon the WSDL that demonstrates how
a client can call the Digital Signature service. It also includes sample code that
demonstrates how to verify a digital signature obtained from Verification Server. The
verification process takes place entirely at the client—Verification Server is not
involved in the verification process.
A CMS digital signature sample that uses Apache SOAP is located at the following
directory:
<DSS-install>/VerificationServer<version>/samples/digsig/cms/apache/soap
This location contains a readme file (readme.txt) that explains how to use the sample
client. The Apache SOAP clients also have JavaDoc documentation.

Troubleshooting Verification Server
This section provides information to help you resolve problems with Verification
Server:
• “Error logging” on page 278
• “Troubleshooting tips” on page 281

Error logging
All services provided by Verification Server write to a single log file. Each entry has an
identifier that indicates its source. If you encounter problems with Verification Server,
check the Verification Server log file. You can view the log file with any text editor.
By default, the Verification Server log file is:
<DSS-install>/VerificationServer<version>/logs/webservices.log
You can also configure Verification Server to write sensitive log file entries to a secure
log file. For details, see “Using secure logging” on page 264.

Note:
If you suspect a problem with Verification Server but do not see errors in the
Verification Server log file, check the system log file for Apache Tomcat.

For information about errors generated by the Profile Creation Utility, see the Profile
Creation Utility Error Messages in the Verification Server documentation ZIP bundle.
For information on errors generated by the check audit utility, see Secure Logger
Check Audit Utility Error Messages in the Verification Server documentation ZIP
bundle.
For more information about error logging, see:
• “Customizing the log files” on page 278
• “Logging levels” on page 279
• “Logging Digital Signature requests” on page 281

Customizing the log files


Verification Server allows you to customize the log file settings through the
entrust-configuration.xml file. You can specify:
• the log file name and location
• the level of messages recorded in the file

You should change this setting if you find that the error messages do not
contain enough information to troubleshoot a problem that you encounter.
For example, you could temporarily change the log level to DEBUG to
produce more detailed error logs.
• the maximum size the file can be before a new file is created
• the number of old log files to retain
For details about the log file settings, see “Verification Server
entrust-configuration.xml file” on page 287.
The log file contains a header section, followed by a section that contains the log file
entries.

Logging levels
The following shows the available logging levels you can set listed from most urgent
to least urgent:
• fatal indicates a fatal error from which Verification Server cannot recover.
• alert indicates an error occurred for which immediate action may be
required.
• error indicates a recoverable error occurred. Verification Server continues to
operate.
• warn provides a warning message about a particular event. Verification
Server continues to operate.
• info (default) logs information about events such as:
– notification of startup
– incoming Verification Server requests
– success or failure of Verification Server operations
• debug provides detailed information about Verification Server events. It is
typically used when requested by Entrust Customer Support for debugging
purposes.

Note:
Setting the logging level value to debug has an impact on performance. It is
recommended that you use this value only when you require troubleshooting
information, and that you reset the logging level value afterwards.

• off indicates logging is disabled.

When you select a specific level, that level and all levels above it are logged. For
example, if the level is set to info, then all events at level info, warn, error, alert,
and fatal are recorded.

Log file header


The top of the log file contains a header that provides environment parameters, such
as the operating system and version. The log file header has the following format:
Entrust Verification Server
Version: <product version>
Logger version: <logger version>

Operating system: <name and version>


System architecture: <architecture information>
JRE Vendor: <name of JRE vendor>
JRE Version: <JRE version>
JVM Vendor: <name of JVM vendor>
JVM Version: <JVM version>
Classpath in use: <classpath>
User: <username>

Log file entries


Log file entries have the following format:
[date/time][level][component][classname][thread][code] message
Where:
• date/time is the local host time in ISO 8601 format: YYYY-MM-DD HH:MM:SS+hhmm
or YYYY-MM-DD HH:MM:SS-hhmm, where +hhmm or -hhmm indicates that the local
time is hh hours and mm minutes ahead of or behind Coordinated Universal Time
(UTC), respectively.
• level is the priority level for that entry, as defined in “Logging levels” on
page 279.
• component is the name of the component that originated the log entry:
– wsf is the common Web service framework used by the Digital Signature
services
– dsig_core is the Digital Signature Service core
– dsig_ws is the Digital Signature Service Web service interface
• classname is always blank.

• thread is the thread ID.
• code is always blank.
• message is the log entry description.
This is a sample log file entry:
[2013-06-25 14:28:46-0400][INFO ][wsf][][Thread-1][] Using
initialization file: C:\Program Files\Entrust\DocumentSignerService\VerificationServer9.0.0\conf\security\entrust.ini
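To make the entry layout under “Log file entries” and the threshold rule under “Logging levels” concrete, here is an added example, not Entrust code and not part of this guide: a Python parser for entries of the form shown above, with a filter that keeps only the entries a given <level> setting would record. The regular expression follows the documented six-field layout, the component names are the three listed above, and the sample log body is constructed for illustration (its first entry is adapted from the sample entry above; the rest, including the message texts, are invented).

```python
"""Parse Verification Server log entries and apply the logging-level threshold.

Added example for this guide, not Entrust code. It implements the entry layout
described under "Log file entries":
    [date/time][level][component][classname][thread][code] message
and the rule under "Logging levels" that a configured level admits that level
and every more urgent level. The sample log body below is constructed for
illustration; its first entry is adapted from the sample entry in the guide.
"""
import re
from collections import namedtuple

# Most urgent first, in the order listed under "Logging levels". "off" is
# handled separately: it admits nothing.
LEVEL_ORDER = ("fatal", "alert", "error", "warn", "info", "debug", "trace")

LogEntry = namedtuple(
    "LogEntry", "timestamp level component classname thread code message"
)

# Six bracketed fields followed by the free-form message. The level field is
# space-padded in real entries ("[INFO ]"), so every field is stripped.
_ENTRY_RE = re.compile(
    r"^\[([^\]]*)\]\[([^\]]*)\]\[([^\]]*)\]\[([^\]]*)\]\[([^\]]*)\]\[([^\]]*)\] ?(.*)$"
)


def parse_entry(line):
    """Return a LogEntry for one formatted line, or None if the line is not an
    entry (log file header lines and wrapped message continuations)."""
    m = _ENTRY_RE.match(line)
    if m is None:
        return None
    fields = [f.strip() for f in m.groups()[:6]]
    return LogEntry(*fields, message=m.group(7).strip())


def parse_log(lines):
    """Parse a log file body, joining wrapped message lines onto their entry.

    Lines before the first entry (the header section) are skipped.
    """
    entries = []
    for line in lines:
        entry = parse_entry(line)
        if entry is not None:
            entries.append(entry)
        elif entries and line.strip():
            prev = entries[-1]
            entries[-1] = prev._replace(message=prev.message + " " + line.strip())
    return entries


def admits(configured_level, entry_level):
    """True if an entry at entry_level is recorded when <level> is configured_level."""
    configured = configured_level.lower()
    if configured == "off":
        return False
    level = entry_level.lower()
    if configured not in LEVEL_ORDER or level not in LEVEL_ORDER:
        raise ValueError("unknown logging level: %r / %r" % (configured_level, entry_level))
    # Lower index means more urgent: info (4) admits fatal..info, not debug or trace.
    return LEVEL_ORDER.index(level) <= LEVEL_ORDER.index(configured)


def filter_entries(lines, configured_level):
    """Entries from lines that would be written at the given <level> setting."""
    return [e for e in parse_log(lines) if admits(configured_level, e.level)]


# Constructed sample: a header section followed by four entries, one of them
# wrapped onto a continuation line. Message texts are invented.
SAMPLE_LOG = """Entrust Verification Server
Version: 9.0.0
Logger version: 1.0

[2013-06-25 14:28:46-0400][INFO ][wsf][][Thread-1][] Using initialization file: /opt/entrust/DocumentSignerService/VerificationServer9.0.0/conf/security/entrust.ini
[2013-06-25 14:28:47-0400][WARN ][dsig_core][][Thread-1][] Signing certificate expires in 87 days; restart the server so the key update runs
[2013-06-25 14:28:48-0400][ERROR][dsig_ws][][Thread-3][] Signature request rejected: client not authenticated,
  logging client IP address only
[2013-06-25 14:28:49-0400][DEBUG][wsf][][Thread-3][] Request body size: 2048 bytes
""".splitlines()

if __name__ == "__main__":
    total = len(parse_log(SAMPLE_LOG))
    for level in ("info", "error", "debug"):
        kept = filter_entries(SAMPLE_LOG, level)
        print("<level>%s</level> records %d of %d entries" % (level, len(kept), total))
        for e in kept:
            print("  %s %-5s %-9s %s" % (e.timestamp, e.level, e.component, e.message))
```

Point parse_log() at the lines of webservices.log to get structured records you can group by component or thread; filter_entries() is useful for predicting what a lower <level> setting would have kept before you change it in production.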

Logging Digital Signature requests


If a client has authenticated, the Digital Signature Service retrieves the client’s user
name using the J2EE servlet method HttpServletRequest.getRemoteUser() and adds
the user name to the audit log entry that records the digital signature request. If the
client has not authenticated, only the client’s IP address is logged with the request.

Troubleshooting tips
This topic offers tips for solving some common Verification Server problems:
• “Digital ID login problems” on page 281
• “Hardware security module (HSM) problems” on page 282
• “Digital Signature Service problems” on page 283

Digital ID login problems


Table 11 contains solutions to some problems related to the profile login process.

Table 11: Login problems

Problem:
The following error appears in the log file, even though you entered the correct
password:
failure during WebServiceCore.login(): The password is not valid according to
the password rule, change the password first with the method changePassword()
before calling this function
Solution:
If password aging is enabled in the user policy associated with a Verification
Server profile, your password may have expired. You must change the profile
password, and recreate the corresponding Server Login file (UAL file). For more
information, see “Changing the password of an Entrust profile” on page 274.

Problem:
The following error appears in the log file:
Could not initialize secure logger: Error initializing audit file
Solution:
This error can be caused by an expired CRL. Re-issue the CRLs at the Certification
Authority (CA) and restart Verification Server.

Hardware security module (HSM) problems
Table 12 contains solutions to problems related to HSMs.

Table 12: HSM problems

Problem:
The following error appears in the log file:
CKR_DEVICE_ERROR
Solution:
If you are using the Luna SA device, this may mean that the PIN you entered on the
LunaPED was incorrect. This error can occur while creating or recovering a profile
using the Profile Creation Utility or while starting up Verification Server.
This error can also be caused by a timeout (approximately one minute) when the
LunaPED is waiting for the user to enter a PIN. This can occur with the Profile
Creation Utility at profile creation or with Verification Server at server startup time.

Problem:
The following error appears in the log file:
no credentials configured (profile or HSM)
Solution:
Verify the settings in the Verification Server entrust-configuration.xml file and the
entrust.ini file related to profiles and HSMs.
For information about the Verification Server entrust-configuration.xml file, see
“Verification Server entrust-configuration.xml file” on page 287.
For information about the Verification Server entrust.ini file, see “Configuring the
Verification Server entrust.ini file” on page 186.

Digital Signature Service problems
Table 13 contains solutions to problems related to the Digital Signature Service.

Table 13: Digital Signature problems

Problem Solution
You see one of the following error messages at The namespace URI for the
the client: SecurityTokenReference element in
keyManager.properties does not match the
iaik.ixsil.exceptions.SignatureExceptio
n: Failure while verifying a signature.
SOAP message being verified. Add these two
lines to keyManager.properties:
iaik.ixsil.exceptions.KeyManagerExcepti
on: No key provider has been registered http://schemas.xmlsoap.org/ws/2002/xx/s
to get the verification key from. ecext:SecurityTokenReference =
com.entrust.webservices.dsig.
or wssecurity.keyinfo.
iaik.ixsil.exceptions.SignatureExceptio KeyProviderImplSecurityTokenRef
n: Instantiating the verification key Subelement.04 =
manager failed. http://schemas.xmlsoap.org/ws/2002/xx/s
iaik.ixsil.exceptions.KeyManagerExcepti ecext:SecurityTokenReference
on: No KeyProviderInterface
implementation class name found for
preferred subelement
http://schemas.xmlsoap.org/ws/2002/xx/s
ecext:SecurityTokenReference.

Using Verification Server 283


Report any errors or omissions
Table 13: Digital Signature problems (continued)

Problem Solution
You see the following error messages at the This problem can be caused for any of the
client: following reasons:
iaik.ixsil.exceptions.SignatureExceptio • Client.properties is not set to use
n: Instantiating the verification key validating parse.
manager failed.
• The WS-Security utility schema location is
iaik.ixsil.exceptions.KeyManagerExcepti not provided in the document or
on: Initialization with specified Client.properties. To fix this problem,
KeyInfo element failed. open the Client.properties file and add
iaik.ixsil.exceptions.KeyProviderExcept the following schema and location pair to
ion: No exception message specified. the schemaLocations setting:
java.lang.Exception: Could not find http://schemas.xmlsoap.org/ws/2002/07/u
element with ID "X509Token" in DOM tility
Document containing signature. http://schemas.xmlsoap.org/ws/2002/07/u
tility/
• The BinarySecurityToken element uses a
wsu namespace URI that does not point to a
valid schema location. To fix this problem,
change the namespace URI in the SOAP
message being verified:
OLD: wsu:Id="X509Token"
xmlns:wsu="http://schemas.xmlsoap.org/w
s/2002/xx/utility"
NEW: wsu:Id="X509Token"
xmlns:wsu="http://schemas.xmlsoap.org/w
s/2002/07/utility"
Problem: You see the following error messages at the client:
iaik.ixsil.exceptions.DOMUtilsException: Creating a DOM Document from given InputStream failed.
org.xml.sax.SAXParseException: cvc-elt.1: Cannot find the declaration of element 'env:Envelope'.
Solution: The SOAP envelope schema location is not provided in the document or Client.properties. To fix this problem, open the Client.properties file and add the following schema and location pair to the schemaLocations setting:
http://schemas.xmlsoap.org/soap/envelope/ http://schemas.xmlsoap.org/soap/envelope/

Problem: You see the following error messages at the client:
iaik.ixsil.exceptions.VerifierException: Could not create Verifier object from specified XML document.
iaik.ixsil.exceptions.SignatureException: Could not create Signature object for verification purpose.
iaik.ixsil.exceptions.SignedInfoException: Could not create SignedInfo object for verification purpose.
iaik.ixsil.exceptions.ReferenceException: Could not create reference object for verification purpose.
iaik.ixsil.exceptions.AlgorithmFactoryException: Could not create an Algorithm for the specified URI ("http://www.w3.org/2001/10/xml-exc-c14n#").
java.lang.NullPointerException
Solution: The exclusive C14N algorithm URI is not listed as a transform algorithm URI in algorithms.properties. Add the following line to algorithms.properties:
Transform.http\://www.w3.org/2001/10/xml-exc-c14n\# = iaik.ixsil.algorithms.TransformImplCanonicalXML
Problem: You see the following error message at the client:
Exception in thread "main" java.lang.SecurityException: Cannot verify JCE extension: java.lang.ClassNotFoundException: javax.crypto.Cipher
Solution: This error can occur when you attempt to run the sample client against signed versions of the Entrust Authority Security Toolkit for Java .jar files. The scripts to run the sample clients were written to use the unsigned .jar files.
To fix this problem, make sure the unsigned .jar files are in the classpath, or remove entjavaxcrypto.jar from the classpath if using the signed .jar files.

11

Verification Server entrust-configuration.xml file
Use the entrust-configuration.xml file to configure specific Verification Server
options. The entrust-configuration.xml file contains separate sections for global
settings and the Digital Signature service. The file also contains sections for the
Timestamp service and XKMS Certificate Validation service, which are not applicable
to ePassport.
If you make changes to entrust-configuration.xml, you must restart both the
application server and the Verification Server Web application.

Attention:
Do not leave any of the entries in entrust-configuration.xml blank. Either
specify a value for the entry or comment it out by inserting <!-- at the beginning
of the line and --> at the end of the line.

You can find the entrust-configuration.xml file in the following folder:

<DSS-install>/VerificationServer<version>/webapps/tomcat/verificationserver/WEB-INF/classes
This appendix contains the following sections:
• “Changing global settings” on page 288
• “Changing Digital Signature service settings” on page 293.

Changing global settings
The settings in the <entrust-configuration><global> section allow you to change
options that affect the general operation of Verification Server. The following table
contains details about the settings.
If you change any settings, you must save the file and restart Verification Server.

Table 14: Global settings

Setting Description and default


<entrust-ini> Sets the location of the entrust.ini file used by
Verification Server, expressed as a URL. For more
information about the entrust.ini file used by
Verification Server, see “Configuring the Verification
Server entrust.ini file” on page 186.
If this entry is missing, Verification Server cannot start.
Default: file:///<DSS-install>/VerificationService<version>/conf/security/entrust.ini
<ixsil-ini> Sets the location of the init.properties file used by
Verification Server. The init.properties file controls
initialization of XML encryption and IXSIL.
Attention: Do not modify this setting. Do not modify
the init.properties file unless directed by Customer
Support.
Default: file:///<DSS-install>/VerificationService<version>/conf/ixsil/init.properties



<crl-cache-life-secs> By default, when Verification Server operates online to
the Security Manager directory, it caches in memory any
CRLs that it obtains locally.
When checking the revocation status of a recipient
certificate, Verification Server first checks the local cache
for a CRL. If the cache does not have a valid CRL (for
example, the CRL has expired), then Verification Server
fetches a new CRL from the directory.
This setting controls how long CRLs remain cached, in
seconds.
Permitted values:
• -1 to disable CRL caching. Verification Server fetches
new CRLs from the directory each time it checks the
revocation status of a recipient certificate.
• 0 to use the Java Toolkit default value (four hours).
• Any integer greater than 0, indicating the number of
seconds a CRL remains in the cache.
Note: Verification Server does not check CRLs when
operating offline from the directory.
Default: 0
<logging><file> Sets the name and location of the log file generated by
Verification Server, expressed as a URL. A default
location is set during Verification Server installation. If
this entry is missing or empty, logging is disabled.
Default: file:///<DSS-install>/VerificationService<version>/logs/webservices.log



<logging><level> Sets the level of logging recorded in the log file. The
possible choices, listed from most urgent to least urgent
are:
• fatal
• alert
• error
• warn
• info
• debug
• trace
• off (logging is disabled)
When you select a certain priority, that level and all
levels above it are logged. For example, if the level is set
to info, then all events of level info, warn, error,
alert, and fatal are recorded.
If this setting is missing, no log file is generated.
Default: info
<logging><max-file-size> Sets the maximum size, in bytes, that the log file can
reach before a new log file is created. The old log files
are stored in the same location as the current log file,
with an integer appended to the file name. The file
name with the highest integer is the oldest log.
If set to 0, there is no limit and the file grows as large as
disk space allows. If set to -1, no log file is generated.
Default: 1000000
<logging><max-file-number> Sets the maximum number of archived log files to be
kept. Old log files beyond this number are automatically
deleted.
Default: 10



<secure-logging><file> Sets the name and location of the secure log file
generated by Verification Server, expressed as a URL. A
default location was set during installation. If this entry
is empty, Verification Server cannot start.
Default: file:///<DSS-install>/VerificationService<version>/logs/webservices.secure.log
<secure-logging><level> Sets the level of logging recorded in the secure log file.
The possible choices, listed from most urgent to least
urgent are:
• fatal
• alert
• error
• warn
• info
• debug
• trace
When you select a certain priority, that level and all
levels above it are logged. For example, if the level is set
to info, then all events of level info, warn, error,
alert, and fatal are recorded.
If this entry is missing, Verification Server will not start.
Default: info
<secure-logging><max-file-size> Sets the maximum size, in bytes, that the secure log file
can reach before a new log file is created. The old log
files are stored in the same location as the current secure
log file, with an integer appended to the file name. The
file name with the highest integer is the oldest log.
If you set this entry to a value less than 1024,
Verification Server uses the default value of 1000000.
Default: 1000000
<secure-logging><entrust-credential> Sets the parent element that defines the digital ID used
by the secure logging (auditing) feature.



<profile> Sets the path to the Entrust profile (.epf) used to secure
the log files, expressed as a URL. For more information,
see “Using secure logging” on page 264. A default
value was set during installation.
If you are using an HSM with the secure audit logs,
comment out this setting.
Default: file:///<DSS-install>/VerificationService<version>/conf/security/auditor.epf
<ual> Sets the path to the Server Login file (.ual) for the
profile used to secure the log files, expressed as a URL.
A default value was set during installation.
Default: file:///<DSS-install>/VerificationService<version>/conf/security/auditor.ual
<profile-password> Sets the password that is used if the .ual file is not
present. For security reasons, this setting is not
recommended for production environments. The file is
not protected and the password may be read by
unauthorized individuals.
By default, this setting is commented out. If you want to
use this setting, remove <!-- from the beginning of the
line and --> from the end of the line.
Default: changeme
<hsm-slot> Sets the slot number of the hardware security module
(HSM) used to store the profile for the secure audit logs.
This setting is required only if you are using an HSM. If
you use this setting, you must comment out the
<profile> setting.
By default, this setting is commented out. If you want to
use this setting, remove <!-- from the beginning of the
line and --> from the end of the line.
Default: 1

Changing Digital Signature service settings
The settings in the <entrust-configuration><services><digsig><global>
section allow you to change options that affect the Digital Signature service. The
following table contains details about the settings.
If you change any settings, you must save the file and restart Verification Server.

Table 15: Digital Signature service settings

Setting Description
<entrust-credential> Sets the parent element that defines the digital ID
used by the service.
<profile> Sets the path to the Entrust profile (.epf) used by the Digital
Signature service, expressed as a URL. A default value was set during
installation.
If you are using a hardware security module (HSM)
with the Digital Signature service, comment out this
entry.
Default: file:///<DSS-install>/VerificationService<version>/conf/security/digsig.epf
<ual> Sets the path to the Server Login file (.ual) used by
the Digital Signature service. A default value was set
during installation.
If you are using a Luna SA hardware token, the
<ual> setting is not required.
Default: file:///<DSS-install>/VerificationService<version>/conf/security/digsig.ual
<profile-password> Sets the password used if the .ual file is not present.
For security reasons, this setting is not
recommended for production environments unless
you protect the entrust-configuration.xml file;
otherwise, the password may be read by
unauthorized individuals.
By default, this setting is commented out. If you
want to use this setting, remove <!-- from the
beginning of the line and --> from the end of the
line.
Default: changeme

<hsm-slot> Sets the slot number of the hardware security
module (HSM) used to store the profile used by the
Digital Signature service.
This setting is required only if you are using an HSM.
If you use this entry, you must comment out the
<profile> entry.
By default, this setting is commented out. If you
want to use this setting, remove <!-- from the
beginning of the line and --> from the end of the
line.
Default: 1
<cms><digest-method> Sets the hashing algorithm for server-calculated
hashes (method rfc2630Sign).
This hashing algorithm is used if you use
rfc2630Sign, where your client sends the entire
data to the server for hashing (using the algorithm
specified in this setting) and signing using the
server’s private signing key.
An alternative to using rfc2630Sign is to use
rfc2630SignProvideDigest(), where the client
hashes the data and sends only the hash to the
server for signing. If you use
rfc2630SignProvideDigest(), the hash algorithm
specified in the digest-method setting is ignored.
Possible values are: sha1, sha224, sha256, sha384,
or sha512.
If Verification Server uses DSA as its signing
algorithm, you must use sha1 as your digest
method. The DSA signing algorithm is specified in
the user policy that you set up at the CA that signed
the Verification Server’s digital ID.
Attention: For an e-passport system, change the
digest method to match the key pair algorithm
configured in the Document Signer Policy (see
“Customizing Document Signer certificates” on
page 138). For example, sha1 for RSA-1024 or
sha256 for RSA-2048.
If this setting is absent, it defaults to sha256.
Default: sha256

<cms><include-ca-cert> By default, the digital signatures produced by
rfc2630Sign and rfc2630SignProvideDigest
include both the signer's public verification
certificate and the signer’s issuing Certification
Authority (CA) certificate in the CMS SignedData
certificates field. This setting controls whether the
CA certificate is included in the field or not.
Note: With XML signing, no CA certificate is
included, regardless of how you set the
include-ca-cert setting.
Possible values are: true (include CA certificate),
false (exclude CA certificate).
Attention: For an e-passport system, you must set
this option to false.
Default: true
<cms><include-piv-signer-dn> Determines if Verification Server generates CMS
SignedData that contains the FIPS 201
pivSigner-DN attribute with its value equal to the
DN of the Digital Signature service.
Note: FIPS 201 refers to Personal Identity
Verification of Federal Employees and Contractors.
Possible values are: true (includes the attribute),
false (does not include the attribute).
Default: false
<cms><include-signing-time> Determines if Verification Server generates CMS
SignedData that contains the signing-time attribute.
Leaving this attribute out reduces the size of the
signature.
Possible values are: true (includes the attribute),
false (does not include the attribute).
Default: true

<cms><econtent-type> Determines the embedded content type OID
(applies to all CMS signatures). The default is
id-data.
Note: When the Digital Signature service client
application is Signature Delivery Service, Signature
Delivery Service overrides this setting. By default,
the eContentTypeOID value in the SDS.ini file is
used. If eContentTypeOID is not specified, Signature
Delivery Service uses 2.23.136.1.1.1.
Possible values: any content type OID.
Default: 1.2.840.113549.1.7.1
<cms><timestamp><url> Sets the URL of the Timestamp service RFC 3161
ASN.1 interface used to timestamp a CMS digital
signature.
Default: http://localhost:8080/verificationserver/rfc3161timestamp
<cms><timestamp><digest-method> Sets the algorithm for calculating the signature
digest used when timestamping a CMS digital
signature.
Possible values are: sha1, sha224, sha256, sha384,
or sha512.
Default: sha256
<cms><rsassa-pss-enabled> Automatically configures RSASSA_PSS parameters
based on the digest algorithm.
Possible values: true (turns the feature on), false
(turns the feature off).
Default: false
Attention: For an e-passport system, change this
option to true. Your RSA key must be long enough
to support the larger data sizes (for example, an RSA
key size of 1024 will not support SHA512). This
value must be true if you are using RSA-PSS keys.

<xml><digest-method> Sets the hashing algorithm for XML signatures.
Possible values are: sha1, sha224, sha256, sha384,
or sha512.
If Verification Server uses DSA as its signing
algorithm, you must use sha1 as your digest
method. The DSA signing algorithm is specified in
the user policy that you set up at the CA that signed
the Verification Server’s digital ID.
If this setting is absent, it defaults to sha256.
Default: sha256
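The settings in Tables 14 and 15 are easy to get wrong by hand, so the following added script (example code, not part of this guide or of the Verification Server product) parses an entrust-configuration.xml and reports the settings that contradict the e-passport rules above: blank entries, include-ca-cert not false, rsassa-pss-enabled not true, an unsupported digest name, a plaintext profile-password, a software <profile> left in place beside an <hsm-slot>, and a secure-log size under 1024. It assumes the elements nest exactly as the setting paths are written in the tables and that <profile>, <ual>, <profile-password> and <hsm-slot> are children of <entrust-credential>; the sample file and its paths are constructed for the example.

```python
"""Audit an entrust-configuration.xml against the e-passport rules in Tables 14 and 15.
Added example, not Entrust code. Assumes the file nests elements exactly as the setting
paths are written (e.g. <entrust-configuration><services><digsig><global><cms>...) and
that <profile>, <ual>, <profile-password> and <hsm-slot> sit under <entrust-credential>.
Commented-out entries are dropped by the parser, matching the guide's convention."""
import xml.etree.ElementTree as ET

GLOBAL = "global"
DIGSIG = "services/digsig/global"
DIGESTS = {"sha1", "sha224", "sha256", "sha384", "sha512"}  # SHA-2 names from the tables


def _text(root, path):
    # Stripped text of the element at path, or None when the element is absent.
    el = root.find(path)
    return None if el is None else (el.text or "").strip()


def audit(xml_text: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []

    # Attention box: no entry may be left blank; either set it or comment it out.
    for el in root.iter():
        if len(el) == 0 and not (el.text or "").strip():
            findings.append(f"blank entry <{el.tag}>: set a value or comment it out")

    # Table 15: an e-passport system must not put the CA certificate in SignedData.
    if _text(root, f"{DIGSIG}/cms/include-ca-cert") != "false":
        findings.append("cms/include-ca-cert must be false for an e-passport system")

    # Table 15: RSASSA-PSS must be turned on for an e-passport system.
    if _text(root, f"{DIGSIG}/cms/rsassa-pss-enabled") != "true":
        findings.append("cms/rsassa-pss-enabled must be true for an e-passport system")

    # Every digest-method must be one of the documented values.
    for path in (f"{DIGSIG}/cms/digest-method", f"{DIGSIG}/xml/digest-method",
                 f"{DIGSIG}/cms/timestamp/digest-method"):
        val = _text(root, path)
        if val is not None and val not in DIGESTS:
            findings.append(f"{path}: unsupported digest '{val}'")

    # Both credential sections: no plaintext password in production, and a
    # software <profile> must be commented out when an <hsm-slot> is used.
    for cred in (f"{GLOBAL}/secure-logging/entrust-credential",
                 f"{DIGSIG}/entrust-credential"):
        if _text(root, f"{cred}/profile-password") is not None:
            findings.append(f"{cred}: profile-password is set; rely on the .ual file instead")
        if _text(root, f"{cred}/hsm-slot") is not None and _text(root, f"{cred}/profile") is not None:
            findings.append(f"{cred}: both hsm-slot and profile are set; comment out profile")

    # Table 14: a secure-log size below 1024 is silently replaced by 1000000.
    size = _text(root, f"{GLOBAL}/secure-logging/max-file-size")
    if size is not None and size.isdigit() and int(size) < 1024:
        findings.append("secure-logging/max-file-size below 1024 is ignored (1000000 is used)")

    return findings


# Constructed sample that breaks several rules (paths and values are made up).
WEAK_CONFIG = """<entrust-configuration>
  <global>
    <secure-logging>
      <max-file-size>512</max-file-size>
      <entrust-credential>
        <profile>file:///opt/dss/conf/security/auditor.epf</profile>
        <ual>file:///opt/dss/conf/security/auditor.ual</ual>
        <profile-password>changeme</profile-password>
        <hsm-slot>1</hsm-slot>
      </entrust-credential>
    </secure-logging>
  </global>
  <services><digsig><global>
    <entrust-credential>
      <profile>file:///opt/dss/conf/security/digsig.epf</profile>
      <ual></ual>
    </entrust-credential>
    <cms>
      <digest-method>sha256</digest-method>
      <include-ca-cert>true</include-ca-cert>
      <rsassa-pss-enabled>false</rsassa-pss-enabled>
    </cms>
  </global></digsig></services>
</entrust-configuration>"""

# The same file with each finding fixed the way the tables prescribe.
HARDENED_CONFIG = (
    WEAK_CONFIG.replace("<ual></ual>", "<ual>file:///opt/dss/conf/security/digsig.ual</ual>")
    .replace("<include-ca-cert>true", "<include-ca-cert>false")
    .replace("<rsassa-pss-enabled>false", "<rsassa-pss-enabled>true")
    .replace("<profile-password>changeme</profile-password>",
             "<!-- <profile-password>changeme</profile-password> -->")
    .replace("<profile>file:///opt/dss/conf/security/auditor.epf</profile>",
             "<!-- <profile>file:///opt/dss/conf/security/auditor.epf</profile> -->")
    .replace("<max-file-size>512", "<max-file-size>1000000")
)
```

Run audit() on the real file's contents after every edit and before the restart the guide requires; the weak sample yields six findings and the hardened one none.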

Section 4
PKD Writer section

This section provides instructions for installing a PKD Writer Services CA, installing and
configuring Administration Services, and administering the PKD Writer services.
This section contains the following chapters:
• “Installing a PKD Writer Services CA” on page 301
• “Deploying the PKD Writer Web Service” on page 305
• “Configuring the PKD Writer Web Service” on page 347
• “Administering the PKD Writer services” on page 373

12

Installing a PKD Writer Services CA


The PKD Writer Services CA issues profiles required to run the PKD Writer services
provided by Administration Services. Installing a PKD Writer Services CA requires that
you install, configure and initialize Security Manager as a PKD Writer Services CA.
The PKD Writer Services CA can be combined with the PKD Reader Services CA. The
PKD Writer Services CA can be the CSCA or any other CA in an e-passport
environment.
This chapter includes the following sections:
• “Installing and configuring Security Manager” on page 302
• “Post-configuration steps” on page 303

Installing and configuring Security Manager
Before installing Security Manager, ensure that you read all preinstallation
information described in the Security Manager 8.3 Installation Guide. Ensure that
you install and configure a supported LDAP directory and database as described in
the Security Manager 8.3 Installation Guide.
When using the countryName (c=) directory attribute to specify a two-letter country
code, the two-letter country code must be in uppercase characters to meet the ISO
3166 standard.
Install, configure, and initialize Security Manager according to the instructions in
the Security Manager 8.3 Installation Guide. After installing and configuring Security
Manager, proceed to “Post-configuration steps” on page 303.

Post-configuration steps
After configuring your PKD Writer Services CA, you must perform the following
steps:
1 Initialize Security Manager.
For more information about initializing Security Manager, see the Security
Manager 8.3 Installation Guide.
2 Install the latest Security Manager patches.
3 Install Security Manager Administration.
Security Manager Administration is the graphical interface for Security Manager.
Install Security Manager Administration according to the instructions in the
Security Manager Administration User Guide.
4 Deploy Administration Services (see “Deploying the PKD Writer Web Service” on
page 305).
Administration Services provides Web-based services for writing master lists,
CRLs, and Document Signer certificates to the ICAO PKD or a National PKD.

13

Deploying the PKD Writer Web Service
This chapter describes how to deploy the PKD Writer Web Service. The PKD Writer
Web Service is a service provided by Entrust Authority Administration Services.
The PKD Writer Web service writes master lists, CRLs, and Document Signer
certificates to the ICAO PKD. The PKD Writer Web service also records and maintains
a history of the materials that have been uploaded, and supports a GUI extension to
the MLS Administration interface.
This chapter includes the following sections:
• “Deployment overview” on page 306
• “Synchronizing Administration Services and Security Manager time settings”
on page 307
• “Creating PKD Writer Server credentials” on page 308
• “Creating a PKD Writer Client certificate type” on page 311
• “Creating PKD Writer Client credentials” on page 312
• “Obtaining a PKD Access credential for the ICAO PKD” on page 315
• “Checking the entrust.ini file” on page 317
• “Collecting installation information for the PKD Writer” on page 319
• “Installing the PKD Writer Web Service” on page 324
• “Configuring PKD Writer Server authentication to a directory without
anonymous access” on page 344

Deployment overview
Deploying the PKD Writer Web Service includes the following steps. Each step is
described in further detail in this chapter.
1 Review the list of supported operating systems, Web servers, and Web browsers in
the Entrust Authority Administration Services Release Notes. The most recent
Release Notes are posted on Entrust Datacard TrustedCare.
2 Synchronize the application server and Security Manager Certification Authority
time setting (see “Synchronizing Administration Services and Security Manager
time settings” on page 307).
3 Create Entrust profiles for the PKD Writer Web Service:
• “Creating PKD Writer Server credentials” on page 308
• “Creating a PKD Writer Client certificate type” on page 311
• “Creating PKD Writer Client credentials” on page 312
4 Obtain a PKD Access credential for the ICAO PKD (see “Obtaining a PKD Access
credential for the ICAO PKD” on page 315).
5 Check the settings in the entrust.ini file (see “Checking the entrust.ini file” on
page 317).
6 Collect the information required to install the PKD Writer services (see
“Collecting installation information for the PKD Writer” on page 319).
7 Install the PKD Writer Web Service (see “Installing the PKD Writer Web Service”
on page 324).
8 If the Security Manager directory does not allow anonymous authentication, you
must configure authentication to the directory (see “Configuring PKD Writer
Server authentication to a directory without anonymous access” on page 344).

Synchronizing Administration Services and
Security Manager time settings
Before or after installing Security Manager and Administration Services, you must
synchronize the time settings on all machines. The Timestamp servlet marks all client
browser messages with a time stamp. The local clock on the Administration Services
machine provides the time stamp for the Timestamp servlet.
The Timestamp servlet component of Administration Services requires all machines to
have synchronized time settings, within a five minute window. If Security Manager
and Administration Services time settings are greater than five minutes apart, the
following message may appear:
The XAP message has an expired timestamp. The message contained a
timestamp that was outside the server’s acceptance window. Make
sure that the source used to obtain message timestamps is
synchronized with the server’s time.
You can use Network Time client applications (or another method approved by your
organization) to synchronize the time settings of Security Manager and all
Administration Services machines to within a five minute time window.

Creating PKD Writer Server credentials
Before installing Administration Services, you must create a PKD Writer Server profile.
The PKD Writer Server profile secures SSL connections with clients. The
Administration Services installer will prompt you for this profile.
For details about creating PKD Writer Server profiles, see the following topics:
• “Creating a user entry for a PKD Writer Server profile” on page 308
• “Creating a PKD Writer Server profile” on page 309
• “Updating PKD Writer Server profile keys” on page 310

Creating a user entry for a PKD Writer Server profile


You must create a user entry in Security Manager for the PKD Writer Server profile.
You can use Security Manager Administration to create a user entry for the PKD
Writer Server profile.
For more information about creating users with Security Manager Administration, see
the Security Manager Administration User Guide.

To create a user entry for the PKD Writer Server profile using Security
Manager Administration
1 Log in to Security Manager Administration for the PKD Writer Services CA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
4 Click the General tab.
5 From the Role drop-down list, select Server Login.
6 Select the Certificate Info tab, and then complete the following:

a In the Category drop-down list, select Enterprise.
b Under Certificate Type, select Default.
7 Click OK.
8 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
The Operation Completed Successfully message appears, which displays the
reference number and authorization code.
Record these activation codes in a secure manner, as they are required later to
create and activate the user’s Entrust digital ID.
For more details on how the registration number and authorization codes are
used, see the Security Manager Administration User Guide.
9 You must add the host name of the server hosting the Administration Services
application server to the user entry:
a In the right pane, select the user you just created and then select Users >
Selected User > Properties.
b Click the SubjectAltName tab.
c Click Add.
The Add subjectAltName component dialog box appears.
d In the Select component name list, select DNS Name.
e In the Enter component value field, enter the Fully Qualified Domain Name
(FQDN) of the server hosting the Administration Services application server
(for example, appserver.example.com).
f Click OK to add the DNS name and close the Add subjectAltName
component dialog box.
g Click OK to save the changes.
h If prompted, authorize the operation. The operation may require more than
one authorization. See the Security Manager Administration User Guide for
details.
You have now created the user entry for the PKD Writer Server profile. Proceed
to “Creating a PKD Writer Server profile” on page 309.

Creating a PKD Writer Server profile


You can store the PKD Writer Server profile on software (as an EPF file) or on a
hardware security module. You can use one of the following applications to create the
PKD Writer Server profile:
• Profile Creation Utility

The Profile Creation Utility can create the profile on software or hardware.
For instructions, see the Administration Services Installation Guide.
• Security Manager Administration
When using Security Manager Administration to create the profile, you must
create the profile on software. For instructions, see the following procedure.

To create a PKD Writer Server profile using Security Manager Administration


1 Create a user entry for the PKD Writer Server profile (see “Creating a user entry
for a PKD Writer Server profile” on page 308).
2 In the right pane, select the user entry you just created and then select Users >
Selected User > Create Profile.
The Create profile dialog box appears.
3 Click Create desktop profile.
4 In the Name field, enter the file name for the PKD Writer Server profile. Security
Manager Administration will append the .epf extension to the file name.
5 Click Browse to select a folder where you want to save the PKD Writer Server
profile.
6 In the Password and Confirm fields, enter a password for the PKD Writer Server
profile.
7 Click OK.
You can now use this PKD Writer Server profile with Administration Services. You
need the PKD Writer Server profile, the profile password, and the profile location
when you install Administration Services.

Updating PKD Writer Server profile keys


It is not recommended that you copy profiles to other servers. If you do copy a profile,
and the profile keys are updated at one server, copy the updated profile file to each
server.
Keys are updated only on Administration Services start up. You may have to schedule
server restarts periodically with a frequency that corresponds to the configured
certificate lifetime.

Creating a PKD Writer Client certificate type
You must create a new certificate type in Security Manager for PKD Writer clients.
PKD Writer clients are clients of the PKD Writer Web Service. For more information
about creating certificate types, see the Security Manager Administration User
Guide.

To create a PKD Writer Client certificate type


1 Export the Security Manager certificate specifications.
You can export the certificate specifications from Security Manager
Administration, or from Security Manager using the fcs export command. See
the Security Manager Administration User Guide or Security Manager
Operations Guide for details.
2 Open the certificate specifications file in a text editor.
3 Add the following to the [Certificate Types] section:
;-----------------------------------------------------------------------
; PKD Writer Remote Client Certificate Type
;-----------------------------------------------------------------------
ent_pkd_writer_cli=enterprise,ePassport - PKD Writer Client,Certificate
_continue_= type for clients of the PKD Writer Web Service

4 Add the following to the [Extension Definitions] section:

[ent_pkd_writer_cli Certificate Definitions]
1=Encryption
2=Verification

[ent_pkd_writer_cli Encryption Extensions]
keyusage=2.5.29.15,n,m,BitString,001; keyEncipherment

[ent_pkd_writer_cli Verification Extensions]
keyusage=2.5.29.15,n,m,BitString,1; digitalSignature
certificatePolicies=2.5.29.32,n,m,DER,300D300B06096086480186FA6B0A0F
;2.16.840.1.114027.10.15
;-----------------------------------------------------------------------
5 Save and close the file.
6 Import the certificate specifications back into Security Manager.
You can import the certificate specifications from Security Manager
Administration, or from Security Manager using the fcs import command. See
the Security Manager Administration User Guide or Security Manager
Operations Guide for details.
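The certificatePolicies line in step 4 carries the policy OID as a raw DER hex string, with the dotted OID only in a comment, so the two can silently drift apart when the specification is edited. The following added example (not Entrust code) encodes a policy OID into that DER form and decodes the DER back, so you can confirm the hex in your certificate specifications matches the OID you intend before importing the file; the helper names are hypothetical and only the qualifier-free PolicyInformation shape used in the guide is handled.

```python
"""Encode/decode the certificatePolicies DER value from the PKD Writer Client spec.
Added example, not Entrust code. Handles certificatePolicies as a SEQUENCE of
PolicyInformation entries that contain only a policy OID (no qualifiers)."""


def _base128(n: int) -> bytes:
    # Big-endian base-128 with the continuation bit set on all but the last byte.
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def _tlv(tag: int, body: bytes) -> bytes:
    # Short-form length only; certificatePolicies values here are well under 128 bytes.
    if len(body) >= 128:
        raise ValueError("long-form DER lengths are not handled by this example")
    return bytes([tag, len(body)]) + body


def encode_oid(dotted: str) -> bytes:
    # The first two arcs share one byte (40 * arc1 + arc2), the rest are base-128.
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return _tlv(0x06, body)


def encode_certificate_policies(oids) -> str:
    """Uppercase hex DER for certificatePolicies holding the given policy OIDs."""
    inner = b"".join(_tlv(0x30, encode_oid(o)) for o in oids)  # PolicyInformation each
    return _tlv(0x30, inner).hex().upper()


def decode_oid(body: bytes) -> str:
    arcs, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    first = arcs[0]
    lead = [2, first - 80] if first >= 80 else [1, first - 40] if first >= 40 else [0, first]
    return ".".join(str(a) for a in lead + arcs[1:])


def decode_certificate_policies(hexstr: str) -> list:
    """Policy OIDs (dotted strings) found in a certificatePolicies DER hex value."""
    data = bytes.fromhex(hexstr)
    if data[0] != 0x30 or data[1] != len(data) - 2:
        raise ValueError("not a short-form SEQUENCE")
    oids, i = [], 2
    while i < len(data):
        if data[i] != 0x30:
            raise ValueError("expected PolicyInformation SEQUENCE")
        plen = data[i + 1]
        info = data[i + 2:i + 2 + plen]
        if info[0] != 0x06:
            raise ValueError("expected policyIdentifier OID")
        oids.append(decode_oid(info[2:2 + info[1]]))
        i += 2 + plen
    return oids


# The value and comment from the ent_pkd_writer_cli Verification Extensions above.
GUIDE_DER = "300D300B06096086480186FA6B0A0F"
GUIDE_OID = "2.16.840.1.114027.10.15"
```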

Creating PKD Writer Client credentials
The PKD Writer Client profile is an SSL client profile, used by client applications for
accessing the PKD Writer Web Service. The Administration Services installer will not
prompt you for this profile when you install the PKD Writer services.
The PKD Writer Web service records and maintains a history of the materials that
have been uploaded, and supports a GUI extension to the MLS Administration interface.
Supporting the GUI extension in MLS Administration requires a PKD Writer Client
profile. When installing Administration Services for a Master List Signer (see
“Deploying the Master List Signer services” on page 737), if you choose to enable
the GUI extension, the installer will prompt you for the PKD Writer Client profile.
If you will not enable the GUI extension in MLS Administration, creating a PKD Writer
Client profile is optional.
PKD Writer Client profiles require a PKD Writer Client certificate type. You should
have already created this certificate type in “Creating a PKD Writer Client certificate
type” on page 311.
For details about creating PKD Writer Client profiles, see the following topics:
• “Creating a user entry for a PKD Writer Client profile” on page 312
• “Creating a PKD Writer Client profile” on page 313
• “Updating PKD Writer Client profile keys” on page 314

Creating a user entry for a PKD Writer Client profile

You must create a user entry in Security Manager for the PKD Writer Client profile.
You can use Security Manager Administration to create a user entry for the PKD
Writer Client profile.
For more information about creating users with Security Manager Administration, see
the Security Manager Administration User Guide.

To create a user entry for the PKD Writer Client profile using Security Manager
Administration
1 Log in to Security Manager Administration for the PKD Writer Services CA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
4 Click the General tab.
5 From the Role drop-down list, select Server Login.
6 Select the Certificate Info tab, and then complete the following:
a In the Category drop-down list, select Enterprise.
b Under Certificate Type, select ePassport - PKD Writer Client. This is the
certificate type that you created in “Creating a PKD Writer Client certificate
type” on page 311.
7 Click OK.
8 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
The Operation Completed Successfully message appears, which displays the
Reference number and Authorization code. Record these activation codes in a
secure manner, as you will require them later to create and activate the user’s
Entrust digital ID.
You have now created the user entry for the PKD Writer Client profile. Proceed
to “Creating a PKD Writer Client profile” on page 313.

Creating a PKD Writer Client profile

You must store PKD Writer Client profiles on software (as an EPF file); you cannot
store PKD Writer Client profiles on hardware. You can use one of the following
applications to create the PKD Writer Client profile:
• Profile Creation Utility
The Profile Creation Utility can create the profile on software or hardware.
For instructions, see the Administration Services Installation Guide.
• Security Manager Administration
When using Security Manager Administration to create the profile, you must
create the profile on software. For instructions, see the following procedure.

To create a PKD Writer Client profile using Security Manager Administration
1 Create a user entry for the PKD Writer Client profile (see “Creating a user entry
for a PKD Writer Client profile” on page 312).
2 In the right pane, select the user entry you just created and then select Users >
Selected User > Create Profile.
The Create profile dialog box appears.
3 Click Create desktop profile.
4 In the Name field, enter the file name for the PKD Writer Client profile. Security
Manager Administration will append the .epf extension to the file name.
5 Click Browse to select a folder where you want to save the PKD Writer Client
profile.
6 In the Password and Confirm fields, enter a password for the PKD Writer Client
profile.
7 Click OK.

Updating PKD Writer Client profile keys

It is not recommended that you copy profiles to other servers. If you do copy a profile,
and the profile keys are updated at one server, copy the updated profile file to each
server.
Keys are updated only on Administration Services start up. You may have to schedule
server restarts periodically with a frequency that corresponds to the configured
certificate lifetime.

Obtaining a PKD Access credential for the ICAO PKD
Before you can install the PKD Writer services provided by Administration Services,
you need a PKD Access credential. The PKD Access credential allows Administration
Services to authenticate to the ICAO PKD. Complete the following procedure to
obtain a PKD Access credential from ICAO.

To create and obtain a PKD Access credential for the ICAO PKD
1 Install Administration Services 9.3. See the Administration Services 9.3
Installation Guide for instructions.
When installing Administration Services:
a Select the Distributed installation type to install the application server
components and Web server components on separate servers.
b Select Application Server to install the application server components.
2 On a command line, navigate to the following directory:
<AS-install>/tools/pkdw-create12
3 Enter the following command:
createp12 -gen -alg RSA -keylen 2048 -signalg <algorithm> -cn "PKD Upload" -csr <csr_file> -p12 <p12_file> -email <email_address>

Note:
The algorithm (RSA) and key length (2048) are set by ICAO, and are not related
to the algorithm and key length of your PKD Writer services CA.

Where:
• <algorithm> is the signing algorithm required by ICAO. ICAO requires
SHA256 as the signing algorithm.
• <csr_file> is the file name for a Certificate Signing Request (CSR) file.
• <p12_file> is the file name for a P12 file.
• <email_address> is the email address required by ICAO. ICAO requires the
email address reference@pkd.icao.int.
For example:
createp12 -gen -alg RSA -keylen 2048 -signalg SHA256 -cn "PKD Upload" -csr pkd-access.csr -p12 pkd-access.p12 -email reference@pkd.icao.int

The CSR and P12 files are written to the <AS-install>/tools/pkdw-create12
folder.
4 Submit the CSR file to ICAO for processing. ICAO will process the CSR and
generate a response file (the PKD Access credential). Obtain the PKD Access
credential and CA certificate from ICAO.
5 Save the PKD Access credential, CA certificate file, and the P12 file to the
<AS-install>/tools/pkdw-create12 folder.

Note:
ICAO delivers certificates as Base64-encoded in a Microsoft Word document.
Copy the Base64-encoded text into a separate text file for the Administration
Services installer. The Administration Services installer will not recognize the
Microsoft Word document as a valid certificate file.

6 On a command line, navigate to the following directory:
<AS-install>/tools/pkdw-create12
7 Enter the following command:
createp12 -import -cert <cert_file> -cacert <CA_file> -p12 <p12_file>
Where:
• <cert_file> is the file name of the PKD Access credential.
• <CA_file> is the file name for the CA certificate file.
• <p12_file> is the file name for the P12 file.
For example:
createp12 -import -cert pkd-access.cer -cacert CAcert.cer -p12 pkd-access.p12
The CSR and P12 files are written to the <AS-install>/tools/pkdw-create12
folder.

Checking the entrust.ini file
Obtain a copy of the entrust.ini file from a PKD Writer Services CA administrator.
Copy the entrust.ini file to each machine hosting the PKD Writer services. Note
the location of these files. You will enter the path to these files when you install
Administration Services.
Complete the following instructions to ensure the entrust.ini file is properly copied
and configured for your Web server and the Tomcat application server, and
(optionally) Entrust Authority Roaming Server.

To check the entrust.ini file settings

1 Open the entrust.ini file in a text editor.
2 Ensure that the file contains the following lines:
• Server=<directory_machine>+<port>
Where:
– <directory_machine> is the IPv4 address or DNS of the machine hosting
the directory.
– <port> is the LDAP port. The default port is 389.
For example:
Server=ldap.example.com+389
• Authority=<Security_Manager_machine>+<port>
Where:
– <Security_Manager_machine> is the IPv4 address or DNS of the machine
hosting Security Manager.
– <port> is the PKIX-CMP port used by Security Manager. The default port
is 829.
For example:
Authority=securitymanager.example.com+829
• XAP=<XAP_server>+<port>
Where:
– <XAP_server> is the IPv4 address or DNS of the XAP server.
– <port> is the port used by the XAP server. The default port is 443 or 1443.
For example:
XAP=securitymanager.example.com+1443
• CA Distinguished Name=<DN_of_CA>
Where <DN_of_CA> is the distinguished name of the Certification Authority.
For example:
CA Distinguished Name=ou=CA Entry,o=Example,c=US
• SearchBase=<DN_of_searchbase>
Where <DN_of_searchbase> is the distinguished name of the default
searchbase. For example:
SearchBase=ou=CA Entry,o=Example,c=US
3 If you are using a PKCS#11 v2 hardware device, ensure that the file contains the
following lines in the [Entrust Settings] section:
CryptokiV2LibraryNT=<pkcs11 library path>
Where <pkcs11 library path> is the full path to the location of the PKCS#11
library. For example:
CryptokiV2LibraryNT=C:\Program Files\vendor1\device1.dll
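The checks in the procedure above, as an added script that is not part of the Entrust guide or its software: it reads the file with the standard-library INI parser, confirms that each required setting is present and that the host+port settings are well formed, and (when a PKCS#11 v2 device is in use) that CryptokiV2LibraryNT is set. The sample file is constructed from the guide's example values and assumes the settings live in the [Entrust Settings] section named in step 3.

```python
"""Check an entrust.ini file for the settings the PKD Writer installer needs.

Added example, not from the Entrust guide: it parses the file with the
standard-library INI reader and reports every problem it finds, so the file
can be corrected once before the Administration Services installer is run.
The sample file below is constructed from the guide's example values.
"""
import configparser
import io

# Settings the guide says the file must contain; True means the value is
# written as <host>+<port>, False means it is a distinguished name.
REQUIRED = {
    "Server": True,                  # directory host + LDAP port
    "Authority": True,               # Security Manager host + PKIX-CMP port
    "XAP": True,                     # XAP server host + port
    "CA Distinguished Name": False,
    "SearchBase": False,
}
# Default ports named in the guide; anything else is reported as a warning.
DEFAULT_PORTS = {"Server": {389}, "Authority": {829}, "XAP": {443, 1443}}


def parse_host_port(value: str):
    """Split "<host>+<port>" into (host, port) or raise ValueError."""
    host, sep, port = value.partition("+")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"expected <host>+<port>, got {value!r}")
    return host, int(port)


def check_entrust_ini(text: str, expect_pkcs11: bool = False) -> list:
    """Return the problems found (an empty list means the file passed)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_file(io.StringIO(text))
    if not cfg.has_section("Entrust Settings"):
        return ["missing [Entrust Settings] section"]
    settings = cfg["Entrust Settings"]      # option lookup is case-insensitive
    problems = []
    for key, is_host_port in REQUIRED.items():
        value = settings.get(key, "").strip()
        if not value:
            problems.append(f"{key} is missing or empty")
        elif is_host_port:
            try:
                _host, port = parse_host_port(value)
            except ValueError as exc:
                problems.append(f"{key}: {exc}")
                continue
            if port not in DEFAULT_PORTS[key]:
                problems.append(f"warning: {key} uses port {port}, not a default "
                                f"port {sorted(DEFAULT_PORTS[key])}")
        elif "=" not in value:
            problems.append(f"{key}: {value!r} is not a distinguished name")
    # Step 3 of the guide: a PKCS#11 v2 device needs the library path as well.
    if expect_pkcs11 and not settings.get("CryptokiV2LibraryNT", "").strip():
        problems.append("CryptokiV2LibraryNT is required for a PKCS#11 v2 device")
    return problems


# Constructed sample using the guide's example values.
SAMPLE_ENTRUST_INI = r"""
[Entrust Settings]
Server=ldap.example.com+389
Authority=securitymanager.example.com+829
XAP=securitymanager.example.com+1443
CA Distinguished Name=ou=CA Entry,o=Example,c=US
SearchBase=ou=CA Entry,o=Example,c=US
CryptokiV2LibraryNT=C:\Program Files\vendor1\device1.dll
"""

if __name__ == "__main__":
    for line in check_entrust_ini(SAMPLE_ENTRUST_INI, expect_pkcs11=True) or ["OK"]:
        print(line)
```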

Collecting installation information for the PKD Writer
Before you install the PKD Writer provided by Administration Services, you must
obtain or decide on certain details which you must provide when installing
Administration Services. Collecting this data before you install the software will
greatly simplify these processes by giving you convenient reference sheets with your
configuration data.
Use the following worksheet to compile the data required to install Administration
Services for a PKD Writer. Print or photocopy this section and record your
configuration data on these copies.

Table 16: Information required to install the PKD Writer

PKD entrust.ini
    The file path and name of the entrust.ini file from your PKD Writer Services
    CA. You should have already obtained the file and configured the required
    settings in “Checking the entrust.ini file” on page 317.
    File path and name of the PKD Writer Services CA entrust.ini file:

PKD Writer Profile
    The PKD Writer Web Service requires a profile. You should have already
    created this profile in “Creating PKD Writer Server credentials” on page 308.
    Profile on Token: Yes or No
    Profile on hardware:
    • Hardware slot:
    • Profile Password:
    Profile on software:
    • Profile path and file name:
    • Profile Password:

PKD Writer command line application credentials
    The PKD Writer service includes a command line application that you can use
    to upload CSCA materials (master lists, CRLs, and Document Signer
    certificates) to the ICAO PKD. The application requires a password each time
    you use it to upload CSCA materials.
    A strong password contains at least eight characters, and includes at least
    one uppercase character, one lowercase character, one number, and one
    non-alphanumeric character.
    Password for PKD Writer command line application:

Domestic Country Code
    The ISO 3166-1 ALPHA-2 country code of your country. For example, the
    country code of the United States is US.
    Domestic Country Code:

Fully qualified host name of the PKD Download Directory
    The fully qualified host name of the ICAO PKD Download Directory server. For
    example: PKDDownloadSG.icao.int
    Fully qualified host name of the ICAO PKD Download Directory:

TCP LDAPS port number of the PKD Download Directory
    The secure LDAP (LDAPS) port number of the ICAO PKD Download Directory.
    ICAO PKD Download Directory LDAPS Port:

PKD Download LDAP ID
    A credential (such as the distinguished name of an LDAP user entry) provided
    by ICAO for connecting to the ICAO PKD Download Directory.
    ICAO PKD Download LDAP ID:

PKD Download LDAP ID Password
    The password for the ICAO PKD Download LDAP ID.
    ICAO PKD Download LDAP ID Password:

PKD Download LDAP Server Certificate
    The file path and name of the ICAO PKD Download Directory’s LDAP server
    certificate (not the CA certificate).
    File path and name of the ICAO PKD Download LDAP server certificate:

Fully qualified host name of the PKD Upload Directory
    The fully qualified host name of the ICAO PKD Upload Directory server. For
    example: PKDUploadSG.icao.int
    Fully qualified host name of the ICAO PKD Upload Directory:

PKD Upload Directory LDAPS Port
    The secure LDAP (LDAPS) port number of the ICAO PKD Upload Directory.
    ICAO PKD Upload Directory LDAPS Port:

PKD Access P12 Credential
    The file path and name of the ICAO PKD Access P12 credential. You should
    have already obtained this P12 file in “Obtaining a PKD Access credential for
    the ICAO PKD” on page 315.
    File path and name of the ICAO PKD Access credential:

PKD Access P12 Password
    The password for the ICAO PKD Access P12 credential.
    ICAO PKD Access P12 Password:

PKD Upload LDAP ID
    A credential (such as the distinguished name of an LDAP user entry) provided
    for connecting to the ICAO PKD Upload Directory.
    ICAO PKD Upload LDAP ID:

PKD Upload LDAP ID Password
    The password for the ICAO PKD Upload LDAP ID.
    ICAO PKD Upload LDAP ID Password:

PKD Upload LDAP Server Certificate
    The file path and name of the ICAO PKD Upload Directory’s LDAP server
    certificate (not the CA certificate).
    File path and name of the ICAO PKD Upload LDAP server certificate:

Automatic CRL Uploads
    PKD Writer can automatically upload the CSCA CRL to the ICAO PKD Upload
    Directory.
    Enable Automatic CRL Uploads: Yes or No

URL of the CRL Source for Uploads
    PKD Writer can automatically upload the CSCA CRL to the ICAO PKD Upload
    Directory from a URL. Supported formats of the URL are http, https, and ldap.
    URL of the CRL Source for Uploads:

Email Notification
    PKD Writer can send email notification messages for specific events.
    Enable Email Notification for PKD Writer: Yes or No
    If you enable email notification, you must also provide the following
    information:
    • Fully Qualified Domain Name of SMTP Server:
    • SMTP Server Port:
    • PKD Writer Administrator Email Address:
    • PKD Writer Appears From Email Address:
Installing the PKD Writer Web Service
This section outlines the steps required to install the PKD Writer Web Service on
supported Windows operating systems. The PKD Writer Web Service is supported
only on Windows.
When installing Administration Services, you can install both the Web server
components and application server components on a single server, or you can install
the components on separate servers.
• Installing Administration Services on a single server installs both the Web
server components and application server components on the same server.
It is strongly recommended that you do not install Administration Services on
a single server in a production environment, especially if your deployment is
exposed to the Internet. You should only install Administration Services on a
single server for testing purposes.
• Installing Administration Services on separate servers allows you to install the
application server components on one server, and the Web server
components on the server hosting your Web server.
Installing the components on separate servers is more secure than installing
them on the same server. When installing the components on separate
servers, you must select the same services for each server. Note that some
services do not have Web server components.
When you add service instances, you will install the same components (Web server
components, application server components, or both) as you installed on the server
previously. If you install services on separate servers, add the same instances to both
servers. Note that some services do not have Web server components.
The PKD Writer Web Service consists of only application server components.

To install the PKD Writer application server components on Windows

1 Install Administration Services 9.3. See the Administration Services 9.3
Installation Guide for instructions. You should have already installed
Administration Services in “Obtaining a PKD Access credential for the ICAO
PKD” on page 315.
When installing Administration Services:
a Select the Distributed installation type to install the application server
components and Web server components on separate servers.
b Select Application Server to install the application server components.
2 Configure Administration Services for the first time. See the Administration
Services 9.3 Installation Guide for instructions.
3 If Administration Services is already installed, stop the Administration Services
application server (Apache Tomcat).

4 Double-click the Administration Services installer.
5 The Administration Services Installer - Configuration page appears.

Click Next to continue.

6 The Configured Services page appears.

This page lists all configured services (if any). Click Next to add a new service.

7 If you have not yet configured centralized configuration, the Centralized
Configuration Settings page appears.

a Click Do Not Install Centralized Configuration. The ePassport services do
not use centralized configuration.
b Click Next.

8 The Select Services To Configure page appears.

a Select ePassport Services.
b Select Public Key Directory Services.
c Select Public Key Directory Writer (PKD Writer).
d Click Next to continue.

9 The SSL/TLS Port for PKD Writer Web Service page appears.

a In the SSL/TLS Port Number for PKD Writer Web Service field, enter the port
number for the PKD Writer Web Service (by default 443 or 13443).
b Click Next.

10 The PKD Writer Entrust.ini Location page appears.

a In the text field, enter the full path and file name of the entrust.ini file
from the Entrust CA that issued the PKD Writer Server profile, or click
Choose to locate the file.
b Click Next.

11 If the entrust.ini file includes a setting specifying the full path to a valid
PKCS#11 library, the Select PKD Writer Profile Type page appears.

a Select one of the following options:
– If the PKD Writer Server profile is an EPF file stored on the local file system,
select Software Profile.
– If the PKD Writer Server profile is stored on hardware, select Hardware
Token.
b Click Next.

12 If the PKD Writer Server profile is a software profile, the PKD Writer Profile page
appears.

a In the Enter the location of the PKD Writer Profile field, click Choose to
locate and select the PKD Writer Server profile (EPF file).
b In the Enter the Password to login to your PKD Writer Profile field, enter the
password for the EPF file.
c Click Next.

13 If the PKD Writer Server profile is a hardware profile, the PKD Writer Hardware
Token Profile page appears.

a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the PKD Writer Server profile.
b In the Enter the Password to login to your PKD Writer Profile field, enter the
password for the profile.
c Click Next.

14 The PKD Command Line Application Credentials page appears.

a Enter a password for the PKD Writer command line application.
The PKD Writer service includes a command line application that you can use
to upload CSCA materials (master lists, CRLs, and Document Signer
certificates) to the ICAO PKD. The application requires a password each time
you use it to upload CSCA materials.
A strong password contains at least eight characters, and includes at least
one uppercase character, one lowercase character, one number, and one
non-alphanumeric character.
b Click Next to continue.

15 The Domestic Country Code for PKD Services page appears.

a Enter your two-character country code.
b Click Next to continue.

16 The PKD Download Credentials page appears.

Note:
PKD Writer tracks the status of the CSCA materials that have been uploaded to
the ICAO PKD Upload Directory. The status includes when the materials became
available in the ICAO PKD Download Directory. To determine when the materials
became available in the ICAO Download Directory, the PKD Writer Web Service
requires access to the ICAO PKD Download Directory.

a In the Fully Qualified Host Name of the PKD Download Directory field,
enter the fully qualified host name of the ICAO PKD Download Directory
server.
b In the TCP LDAPS Port Number of the PKD Download Directory field, enter
the secure LDAP port of the ICAO PKD Download Directory.
c In the Enter Download LDAP ID field, enter your Download LDAP ID.
d In the Enter the Password for Download LDAP field, enter the password for
your Download LDAP ID.

e In the Enter the Location of the PKD Download LDAP Server Certificate
field, enter the full path and file name of the ICAO PKD Download
Directory’s server certificate, or click Choose to locate the file.
f Click Next to continue.
The installer will attempt to connect to the ICAO PKD Download Directory server
with the information you provided. If an error occurs, a warning will appear. If
you encounter an error, open the
<AS-install>\logs\adminservices_configuration.log for more
information. You can continue installing the PKD Writer services even if an error
occurs.
17 The PKD Upload Credentials page appears.

a In the Fully Qualified Host Name of the PKD Upload Directory field, enter
the fully qualified host name of the ICAO PKD Upload Directory server.
b In the TCP LDAPS Port Number of the PKD Upload Directory field, enter the
secure LDAP port of the ICAO PKD Upload Directory.
c In the Enter the Location of the PKD P12 credential field, enter the full path
and file name of the P12 file you generated earlier, or click Choose to locate
the file.

d In the Enter the Password for the P12 Credential field, enter the password
for the P12 file you generated earlier.
e In the Enter Upload LDAP ID field, enter your Upload LDAP ID.
f In the Enter the Location of the PKD Upload LDAP Server Certificate field,
enter the full path and file name of the ICAO PKD Upload Directory’s server
certificate, or click Choose to locate the certificate file.
g To have the PKD Writer automatically upload CRLs to the ICAO PKD Upload
Directory, select Enable Automatic CRL Uploads. By default this option is
already selected.
h If you enabled automatic CRL uploads, enter the full URL of the CSCA CRL
into the Enter the URL of the CRL Source for Uploads field.
PKD Writer can automatically upload the CSCA CRL to the ICAO PKD
Upload Directory from a URL. Supported formats of the URL are http,
https, and ldap.
i Click Next to continue.
The installer will attempt to connect to the ICAO PKD Upload Directory server
with the information you provided. If an error occurs, a warning will appear. If
you encounter an error, open the
<AS-install>\logs\adminservices_configuration.log for more
information. You can continue installing the PKD Writer services even if an error
occurs.

18 The Configure PKD Writer Email Notification page appears.

a To enable email notification for PKD Writer, select Enable Email Notification
for PKD Writer.
If you select this option, the email notification settings are enabled.
b If you chose to enable email notification for PKD Writer:
– In the Enter the SMTP Server Fully Qualified Domain Name field, enter the
fully qualified domain name of the SMTP server.
– In the SMTP Server Port field, enter the port number used by the SMTP
server (by default 25).
– In the Enter the PKD Writer Administrator Email Address field, enter the
email address where administrators will receive email notification
messages.
The PKD Writer Web Service sends messages to this address only if the
event is not meant for a particular object. For example, if an administrator
performs an action that requires another administrator’s approval, PKD
Writer sends the message to this email address.
– In the Enter the PKD Writer Appears From Email Address field, enter the
email address that will appear in the From field of the email message.
c Click Next.

19 The PKD Writer Configuration page appears with a summary of your installation
selections. For example:

a Check all your settings.
If you need to change anything, click Previous to return to that page and
make your changes.
b Select Configure to configure the service instance.
c Click Next to proceed with the installation.

20 After the installation is complete, the PKD Writer Configuration Status page
appears. For example:

a If the installation is unsuccessful, a dialog box displays errors. See the
Administration Services Configuration Guide for possible solutions, or
contact Entrust Customer Support.
b Click Next.

21 The Configuration Complete page appears.

a Select one of the following options:
– If you are finished adding services, select End Configuration Program.
– If you want to add additional services, select Return to Configure Services.
b Click Next.

22 The Start The Service Automatically page appears.

a To use the service you just installed, you must restart the Administration
Services application server.
– To start the service automatically after exiting the installer, select Start the
service automatically. By default, this option is already selected.
– To not start the service after exiting the installer, deselect Start the service
automatically. You must manually restart Administration Services to use the
new service.
b Click Next.
The URL for the PKD Writer Web Service is
https://<server>:<port>/pkdwriter/services/PkdwwsService, where:
• <server> is the host name or IPv4 address of the server hosting the PKD
Writer Web Service.
• <port> is the SSL port for the PKD Writer Web Service (by default 443 or
13443). You specified this port when you installed the PKD Writer Web
Service.
PKD Writer clients need this URL to connect to the PKD Writer Web Service.
You can find the URLs to all installed services in the <AS-install>/services.txt
file.

Configuring PKD Writer Server authentication to a directory without anonymous access
The following procedure explains how to configure the PKD Writer Server profile to
authenticate to the Security Manager directory when anonymous access is disabled.
The Java Naming and Directory Interface (JNDI) credentials are used for accessing the
Security Manager directory when anonymous bind is not available (for example, the
default setting in Active Directory). When anonymous bind is not available, edit the
Security Manager Directory credentials in the pkdwriter-config.xml file.

To configure directory access credentials

1 Log in to the server hosting the PKD Writer services.
The PKD Writer services are installed on a server hosting the Administration
Services application server components.
2 Open the pkdwriter-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\pkdwriter\pkdwriter\webapp\WEB-INF\config
3 Locate the <PKDWriterServerTLS> section:
<PKDWriterServerTLS>
  <Epf>c:\authdata\manager\epf\PKD Writer Server.epf</Epf>
  <Ual></Ual>
  <Pkcs11Library></Pkcs11Library>
  <Pkcs11Slot></Pkcs11Slot>
  <!-- entrust.ini from PKD Admin CA -->
  <EntrustIni>c:\authdata\manager\entrust.ini</EntrustIni>
  <!-- Security Manager Directory credentials
       - for environments where anonymous bind is not available (e.g.
         default Active Directory)
       These are the Java Naming and Directory Interface (JNDI)
       credentials that are used for accessing the Security Manager
       directory when anonymous bind is not available.
       If any of these parameters are blank, then anonymous bind is
       used. -->
  <JndiAuthentication>simple</JndiAuthentication>
  <JndiPrincipal></JndiPrincipal>
  <!-- The JNDI credentials/password - initially entered in
       plaintext.
       When service starts, the password will be encrypted and bound
       to the hardware using the Unattended Login UAL capabilities of
       the Entrust Java Toolkit and stored to a file.
       The plaintext password in this configuration file will be
       replaced by the phrase:
       "{Password protected by Entrust Unattended Login}".
       Subsequent starts of the service will extract the password
       from the previously created UAL file.
  -->
  <JndiCredentials></JndiCredentials>
</PKDWriterServerTLS>
4 For the value of <JndiPrincipal>, enter the JNDI Principal that the PKD Writer
Server will use to connect to the directory. For example:
<JndiPrincipal>admin@example.com</JndiPrincipal>
A JNDI Principal is a directory user that can log in to the directory, typically a
directory administrator. Examples include DOMAIN\Administrator,
Administrator@example.com, and cn=Administrator,c=US. Because this account's
password is stored on the Administration Services server (first in plaintext in this
file, then in the UAL file), prefer a dedicated directory account with only the rights
the PKD Writer Server needs over a shared domain administrator account.
5 For the value of <JndiCredentials>, enter the password for the JNDI Principal.
For example:
<JndiCredentials>Example@1234</JndiCredentials>
When you restart Administration Services, it encrypts the password, binds it to
the hardware, and stores it in a UAL file, then replaces the password in the
pkdwriter-config.xml file with the phrase “{Password protected by Entrust
Unattended Login}”.
6 Save and close the file.
7 Restart Administration Services.
After the restart, open pkdwriter-config.xml again and confirm that the plaintext
password has been replaced by the phrase above. If it has not, the UAL file was not
created and the directory password is still stored in plaintext; resolve the problem
before leaving the file in place.
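The following script is an added example, not part of the Entrust product, that checks the <PKDWriterServerTLS> section the way a reviewer would after the restart: it reports whether the service will bind anonymously (any blank JNDI parameter) or with the JNDI Principal, and whether <JndiCredentials> has been replaced by the Unattended Login placeholder or is still the plaintext password. The <PKDWriterConfig> root element in the embedded sample is an assumption (the page does not show the file's root element); the placeholder phrase and the example principal are the ones the page documents.

```python
"""Audit the JNDI directory credentials in pkdwriter-config.xml.

Added example, not Entrust code. The only documented behaviour relied on:
a blank JNDI parameter means anonymous bind, and after a restart the
plaintext <JndiCredentials> is replaced by the UAL placeholder below.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

UAL_PLACEHOLDER = "{Password protected by Entrust Unattended Login}"


def _child_text(parent, tag):
    node = parent.find(tag)
    return (node.text or "").strip() if node is not None else ""


def audit_jndi(config_xml):
    """Report how the PKD Writer Server will bind and whether the password is still in clear.

    Returns a dict: bind ("anonymous" or "simple"), principal, protected
    (True once the UAL placeholder is in place) and a list of findings.
    """
    root = ET.fromstring(config_xml)
    tls = root if root.tag == "PKDWriterServerTLS" else root.find(".//PKDWriterServerTLS")
    if tls is None:
        return {"bind": None, "principal": "", "protected": False,
                "findings": ["<PKDWriterServerTLS> section not found"]}

    auth = _child_text(tls, "JndiAuthentication")
    principal = _child_text(tls, "JndiPrincipal")
    creds = _child_text(tls, "JndiCredentials")
    findings = []

    if not (auth and principal and creds):
        # Documented behaviour: any blank parameter falls back to anonymous bind.
        bind = "anonymous"
        findings.append("a JNDI parameter is blank, so the service will use anonymous bind; "
                        "against a directory with anonymous access disabled this fails")
    else:
        bind = "simple"
        if auth.lower() != "simple":
            findings.append(f"unexpected <JndiAuthentication> value {auth!r}; the page documents 'simple'")

    protected = creds == UAL_PLACEHOLDER
    if creds and not protected:
        findings.append("<JndiCredentials> is still plaintext: Administration Services has not "
                        "restarted since the edit, or could not write the UAL file; restart and "
                        "re-run this check, and keep read access to the file restricted meanwhile")

    return {"bind": bind, "principal": principal, "protected": protected, "findings": findings}


# Constructed samples. The <PKDWriterConfig> root element is an assumption
# for the example; the real file's root element is not shown on the page.
BEFORE_RESTART = r"""<PKDWriterConfig>
<PKDWriterServerTLS>
<Epf>c:\authdata\manager\epf\PKD Writer Server.epf</Epf>
<JndiAuthentication>simple</JndiAuthentication>
<JndiPrincipal>cn=Administrator,c=US</JndiPrincipal>
<JndiCredentials>Example@1234</JndiCredentials>
</PKDWriterServerTLS>
</PKDWriterConfig>"""

AFTER_RESTART = BEFORE_RESTART.replace("Example@1234", UAL_PLACEHOLDER)
ANONYMOUS = BEFORE_RESTART.replace("cn=Administrator,c=US", "")

if __name__ == "__main__":
    # Usage: python audit_jndi.py <AS-install>\services\pkdwriter\pkdwriter\webapp\WEB-INF\config\pkdwriter-config.xml
    text = Path(sys.argv[1]).read_text(encoding="utf-8") if len(sys.argv) > 1 else BEFORE_RESTART
    report = audit_jndi(text)
    print(f"bind={report['bind']} principal={report['principal']!r} protected={report['protected']}")
    for finding in report["findings"]:
        print(" -", finding)
```

Run it once before and once after the restart: the first run should report the plaintext finding, the second should report none. A second run that still shows the plaintext finding is the signal that the UAL file was never written.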

14 Configuring the PKD Writer Web Service
The PKD Writer Web service writes master lists, CRLs, and Document Signer
certificates to the ICAO PKD. The PKD Writer Web service also records and maintains
a history of the materials that have been uploaded, and supports a GUI extension to
the MLS Administration interface.
This chapter describes how to configure various components and features of the PKD
Writer Web Service provided by Administration Services. For more information about
configuring Administration Services, see the Administration Services Configuration
Guide.
This chapter includes the following sections:
• “Configuring email notification for PKD Writer” on page 348
• “Configuring the PKD Access credential expiry notification intervals” on
page 356
• “Configuring the assurance levels for uploading CSCA materials” on
page 357
• “Configuring the PKD Download connection settings” on page 359
• “Configuring the PKD Upload connection settings” on page 362
• “Configuring the CSCA materials upload status folder” on page 365
• “Configuring the PKD Writer Web Service logs” on page 367
• “Configuring the PKD Writer secure audit log” on page 369
• “Configuring automatic uploads” on page 371

Configuring email notification for PKD Writer
When you installed PKD Writer, you had the option to enable email notification for
PKD Writer. If you did not enable email notification during the installation, or you
want to configure how email notification works, complete the steps in this section.
For more information about email notification, see the Administration Services
Installation Guide.
• “Configuring SMTP server settings for the PKD Writer” on page 348
• “Email notification files for the PKD Writer” on page 349
• “Enabling and disabling email notification for PKD Writer” on page 350
• “Modifying email notification subject and message text for PKD Writer” on
page 353
• “Modifying PKD Writer email notification to use HTML content templates”
on page 355

Configuring SMTP server settings for the PKD Writer


Configure the SMTP server settings to configure how PKD Writer communicates with
your SMTP server. The settings were configured if you enabled email notification
when you installed PKD Writer.

To configure SMTP server settings for PKD Writer


1 Log in to the Administration Services server hosting the application server
components.
2 Open the configuration.global.xml file for the PKD Writer. You can find the
file in the following folder:
<AS-install>\services\pkdwriter\pkdwriter\webapp\WEB-INF\config
3 Locate the <SMTP> element.
4 In the <SMTP> element, configure the following child elements:
a In the <Charset> element, enter the character set used to forward
notification emails to the SMTP server. For example:
<Charset>UTF-8</Charset>
b In the <Host> element, enter the fully qualified host name of the SMTP
server. For example:
<Host>SMTPserver.company.com</Host>
c In the <Port> element, enter the port (between 0 and 65535) used to
connect to the SMTP host. For example:
<Port>25</Port>

5 If your SMTP server requires authentication, do the following:
a Enter true in the <Authentication> element. For example:
<Authentication>true</Authentication>
b Enter the SMTP server user ID in the <User> element. For example:
<User>SMTPuser</User>
c Enter the password for the SMTP server user ID in the <Password> element.
6 Save and close the file.

To configure the email addresses for the PKD Writer


1 Log in to the Administration Services server hosting the application server
components.
2 Navigate to the following folder:
<AS-install>\services\pkdwriter\pkdwriter\webapp\WEB-INF\ens\xsl\
<locale>
3 Open the common-config.xsl file.
4 To configure the email address that appears in the email message’s From field,
configure the following setting:
<xsl:variable name="lang.from.email">email.address@company.com
</xsl:variable>
5 To configure the email address that Administration Services sends email messages
to, configure the following setting:
<xsl:variable name="lang.admin.email">email.address@company.com
</xsl:variable>
Administration Services sends messages to this address only if the event is not
meant for a particular object. For example, if an administrator creates a user
account, Administration Services sends the message to the user's email address.
If an administrator performs another action that requires another administrator's
approval, Administration Services sends the message to this email address.
6 Save and close the file.

Email notification files for the PKD Writer


You can configure Administration Services to notify administrators or users by email
if a specific event occurs.
Table 17 on page 350 lists all the email notification events in the
configuration.global.xml file for PKD Writer. For information about enabling and
disabling email notification, see “Enabling and disabling email notification for PKD
Writer” on page 350.

Table 17: PKD Writer account tasks, event IDs, and email message files

Upload CRL - successfully event
Event ID in configuration.global.xml: upload-success
Email message files: upload-success-content, upload-success-subject
Enabled by default: Yes

Upload CRL - error event
Event ID in configuration.global.xml: upload-failure
Email message files: upload-failure-content, upload-failure-subject
Enabled by default: Yes

ICAO Certificate expiry notification - expiring event
Event ID in configuration.global.xml: icao-cert-expiring
Email message files: icao-cert-expiring-content, icao-cert-expiring-subject
Enabled by default: Yes

ICAO Certificate expiry notification - expired event
Event ID in configuration.global.xml: icao-cert-expired
Email message files: icao-cert-expired-content, icao-cert-expired-subject
Enabled by default: Yes

Enabling and disabling email notification for PKD Writer


You can configure Administration Services to notify administrators or users by email
if a specific event occurs. “Email notification files for the PKD Writer” on page 349
lists all the email notification events in the configuration.global.xml file for PKD
Writer.
Use the following procedures to enable and disable email notification for PKD Writer:
• “To enable or disable email notification for PKD Writer” on page 350
• “To enable or disable email notification for specific events for PKD Writer”
on page 351
• “To configure email notification event settings for PKD Writer” on page 352

To enable or disable email notification for PKD Writer


1 Log in to the Administration Services server hosting the application server
components.
2 Open the pkdwriter-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\pkdwriter\pkdwriter\webapp\WEB-INF\config
3 Locate the <Notifications> section:
<Notifications>
<Enabled>true</Enabled>
<Configuration>C:/Program Files/Entrust/AdminServices/services/pkdwriter/pkdwriter/webapp/WEB-INF/config/configuration.global.xml</Configuration>
</Notifications>
4 To enable email notification, set <Enabled> to true. To disable email notification,
set <Enabled> to false.
5 Save and close the file.
6 Open the configuration.global.xml file for the PKD Writer. You can find the
file in the following folder:
<AS-install>\services\pkdwriter\pkdwriter\webapp\WEB-INF\config
7 Locate the <Notification> element and configure the first <Enabled> element
as follows:
• To enable email notification, set the <Enabled> element to true.
<Enabled>true</Enabled>
• To disable email notification, set the <Enabled> element to false.
<Enabled>false</Enabled>
8 If required, enable or disable email notification for specific events. See “To enable
or disable email notification for specific events for PKD Writer” on page 351 for
details.
9 Save and close the file.
10 Restart Administration Services.

To enable or disable email notification for specific events for PKD Writer
1 Log in to the Administration Services server hosting the application server
components.
2 Open the configuration.global.xml file for PKD Writer. You can find the file
in the following folder:
<AS-install>\services\pkdwriter\pkdwriter\webapp\WEB-INF\config
3 Locate the <Notification> element.
4 In the <Notification> element, each <Event> child element refers to a specific
event. See “Email notification files for the PKD Writer” on page 349 for a list of
event IDs.
For each event, you can configure email notification as follows:
• To enable email notification for the event, set <Enabled> to true.
<Enabled>true</Enabled>
• To disable email notification for the event, set <Enabled> to false.
<Enabled>false</Enabled>

Configuring the PKD Writer Web Service 351


Report any errors or omissions
5 If required, configure the email notification event settings. See “To configure
email notification event settings for PKD Writer” on page 352 for details.
6 Save and close the file.
If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin), for
languages such as French or Japanese, save the file with UTF-8 encoding.
7 Restart Administration Services.

To configure email notification event settings for PKD Writer


1 Log in to the Administration Services server hosting the application server
components.
2 Open the configuration.global.xml file for the PKD Writer. You can find the
file in the following folder:
<AS-install>\services\pkdwriter\pkdwriter\webapp\WEB-INF\config
3 Locate the <EmailNotificationEvents> element.
4 In the <EmailNotificationEvents> element, each <EmailNotificationEvent>
child element refers to a specific email notification event. For each event, you can
configure the settings described in the following table.

Table 18: Email notification event settings

Setting Description
<ContentTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the text of the message. See
“Modifying email notification subject and message text for PKD
Writer” on page 353 for details about editing this file.
Note: This is a system setting and should not be modified.
<FromTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the names and email addresses for
the RFC 822 From: and Reply-To: headers.
Note: This is a system setting and should not be modified.
<Id> Used to declare a unique identifier. This value must match an
identifier of a notification event that is sent by the
XAPNotificationHandler. It is the identifier that is used to
determine which email notification event should handle the
notification event.
Note: This is a system setting and should not be modified.
<RecipientTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the names and email addresses of
the recipients. The results of the transformation are a
<Recipients> element.

<SubjectTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the text of the RFC 822 Subject:
header. The result of the transformation is a <Subject> element.
See “Modifying email notification subject and message text for
PKD Writer” on page 353 for details about editing this file.

5 Save and close the file.


If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin), for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Restart Administration Services.

Modifying email notification subject and message text for PKD Writer
Administration Services allows you to modify both the email subject and message text
for each email notification event.

Attention:
Only personnel with knowledge of XSLT should attempt to modify email
notification text. To compare your changes with the default versions of the XSL
files, see the <AS-install>\templates folder for the default files. Do not modify
any of the files in the templates folder.

To modify email notification subject text


1 Log in to the Administration Services server hosting the application server
components.
2 Go to the following folder:
<AS-install>\services\pkdwriter\pkdwriter\webapp\WEB-INF\ens\xsl
3 In a text editor, open the XSL subject file for the event you want to modify. See
“Email notification files for the PKD Writer” on page 349 for a list of event IDs
and email message files.
For example, to edit the subject line for the user-reactivate event, open the
user-reactivate-subject.xsl file.
4 Find the <Subject> element and modify the subject text.

For example, in the user-reactivate-subject.xsl file, you would modify the
text highlighted in bold:
<Subject>Your digital ID has been reactivated.</Subject>
5 Save and close the file.
If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin) for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Repeat this procedure for each event you want to modify.

To modify email notification message text


1 Log in to the Administration Services server hosting the application server
components.
2 Go to the following folder:
<AS-install>\services\pkdwriter\pkdwriter\webapp\WEB-INF\ens\xsl
3 In a text editor, open the XSL message content file for the event you want to
modify. See “Email notification files for the PKD Writer” on page 349 for a list of
event IDs and email message files.
For example, to edit the message for the user-reactivate event, open the
user-reactivate-content.xsl file.
4 In the file, modify the text in the notification area only.
For example, in the user-reactivate-content.xsl file, you would modify the
text highlighted in bold:
<xsl:template match="xap:User">
<xsl:variable name="userName">
<xsl:call-template name="attributeFromDN">
<xsl:with-param name="dn"
select="xap:Properties/xap:DN" />
<xsl:with-param name="attribute" select="'cn'" />
</xsl:call-template>
</xsl:variable>
Dear <xsl:value-of select="$userName" />,

Your Entrust digital ID has been reactivated.

Begin using your digital ID again at any time. If you have lost your
digital ID or forgotten your password, please contact your LRA.

<xsl:call-template name="signature"/>

</xsl:template>
5 Save and close the file.
If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin) for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Repeat this procedure for each event you want to modify.

Modifying PKD Writer email notification to use HTML content templates
By default, Administration Services email notifications are formatted to use plaintext
content templates, but you have the option to format the email notifications to also
use HTML content templates.
If an HTML template is specified for an event, both plaintext and HTML message
parts will be added to the email notification message. If the recipient’s email client
supports HTML, it will use the HTML message; if the email recipient’s email client
does not support HTML, the plaintext message will be used.

To modify PKD Writer email notification to use HTML


1 Log in to the Administration Services server hosting the application server
components.
2 Create an HTML file for every event ID you want to use both plaintext and HTML
content templates. You can give the HTML file any filename you choose, but you
must save it in the same file location as the plaintext version of the template.
3 Open the configuration.global.xml file for the PKD Writer. You can find the
file in the following folder:
<AS-install>\services\pkdwriter\pkdwriter\webapp\WEB-INF\config
4 Locate the <EmailNotificationEvents> element.
5 For every event ID you wish to use both plaintext and HTML content templates,
add <ContentHTMLTemplate>, the HTML template file name, and
</ContentHTMLTemplate> after the <ContentTemplate> line. For example (the
text in bold would be the new text you are adding):
<EmailNotificationEvent>
<ContentTemplate>dv-entity-add-content</ContentTemplate>
<ContentHTMLTemplate>dv-entity-add-content-html</ContentHTMLTemplate>
6 Save and close the file.
7 Restart Administration Services.

Configuring the PKD Access credential expiry
notification intervals
The PKD Writer Web Service requires a PKD Access credential to authenticate to the
ICAO PKD. If email notification is enabled, the PKD Writer Web Service will send
email notification messages when the PKD Access credential is nearing expiry.
By default, the PKD Writer Web Service will send email notification messages when
the PKD Access credential is 30 days away or 5 days away from expiring.
You can configure when the PKD Writer Web Service sends email notification
messages indicating that the PKD Access credential is nearing expiry.

To configure the PKD Access credential expiry notification intervals


1 Log in to the server hosting the PKD Writer services.
The PKD Writer services are installed on a server hosting the Administration
Services application server components.
2 Open the pkdwriter-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\pkdwriter\pkdwriter\webapp\WEB-INF\config
3 Locate the <ICAOExpiryNotificationIntervals> setting. By default:
<ICAOExpiryNotificationIntervals>5,30</ICAOExpiryNotificationIntervals>
4 To change when the PKD Writer Web Service will send email notification
messages indicating that the PKD Access credential is nearing expiry, enter a
comma-separated list of days before the PKD Access credential expires.
For example, to send email notification messages 1, 2, 5, 10, and 30 days before
the PKD Access credential expires:
<ICAOExpiryNotificationIntervals>1,2,5,10,30</ICAOExpiryNotificationIntervals>
5 Save and close the file.
6 Restart Administration Services.
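The following is an added example, not Entrust code, that turns an <ICAOExpiryNotificationIntervals> value into the calendar dates on which the expiry emails will be sent for a PKD Access credential with a given Not After date, and rejects malformed interval lists instead of silently producing no notification. It assumes (the page does not say) that the service evaluates the intervals once per day, so an interval of N days fires on the day exactly N days before expiry; the <PKDWriterConfig> root element in the embedded sample is also an assumption.

```python
"""Work out when the PKD Access credential expiry e-mails will be sent.

Added example, not Entrust code. Assumption (not stated on the page): the
service evaluates the intervals once per day, so an interval of N days
fires on the calendar day exactly N days before the credential's Not After
date. Dates are passed and returned as ISO strings (YYYY-MM-DD).
"""
from datetime import date, timedelta
import xml.etree.ElementTree as ET

TAG = "ICAOExpiryNotificationIntervals"


def parse_intervals(value):
    """Parse '1,2,5,10,30' into a descending, de-duplicated list of day counts.

    Rejects anything that is not a whole number of days, so a typo in the
    config is caught here rather than resulting in a missed notification.
    """
    days = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if not item.isdigit():
            raise ValueError(f"invalid interval {item!r}: expected a whole number of days")
        days.add(int(item))
    if not days:
        raise ValueError("no notification intervals configured")
    return sorted(days, reverse=True)


def intervals_from_config(config_xml):
    """Read the <ICAOExpiryNotificationIntervals> value from pkdwriter-config.xml text."""
    root = ET.fromstring(config_xml)
    node = root if root.tag == TAG else root.find(".//" + TAG)
    if node is None:
        raise ValueError(f"<{TAG}> not found")
    return parse_intervals(node.text or "")


def notification_dates(not_after_iso, intervals):
    """Map each interval to the calendar date (ISO) on which its e-mail is sent."""
    not_after = date.fromisoformat(not_after_iso)
    return {days: (not_after - timedelta(days=days)).isoformat() for days in intervals}


def fires_today(today_iso, not_after_iso, intervals):
    """Return the interval that fires on today_iso, or None if no e-mail is due."""
    remaining = (date.fromisoformat(not_after_iso) - date.fromisoformat(today_iso)).days
    return remaining if remaining in intervals else None


# Constructed sample; the <PKDWriterConfig> root element is an assumption.
SAMPLE_CONFIG = """<PKDWriterConfig>
<ICAOExpiryNotificationIntervals>1,2,5,10,30</ICAOExpiryNotificationIntervals>
</PKDWriterConfig>"""

if __name__ == "__main__":
    intervals = intervals_from_config(SAMPLE_CONFIG)
    for days, when in notification_dates("2019-06-30", intervals).items():
        print(f"{days:>3} days before expiry -> e-mail on {when}")
    print("fires today?", fires_today("2019-06-25", "2019-06-30", intervals))
```

Feed the function the Not After date of the PKD Access P12 credential and put the resulting dates in the renewal calendar; if the last interval is only a day or two before expiry, there is no slack for a renewal request to the ICAO PKD.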

Configuring the assurance levels for uploading
CSCA materials
Assurance levels specify the level of trust for CSCA materials (Document Signer
certificates, CRLs, and master lists).
When uploading CSCA materials to the ICAO PKD, the PKD Writer Web Service will
only upload CRLs, Document Signer certificates, and master lists that match or
exceed a minimum assurance level. The PKD Writer Web Service will not upload any
CRL, Document Signer certificate, or master list with an assurance level that is lower
than the required minimum.
By default, PKD Writer Web Service will upload CSCA materials that have a HIGH
assurance level.
You can configure the minimum assurance level of CSCA materials required for PKD
Writer to upload them to the ICAO PKD. You can configure a separate assurance level
requirement for CRLs, Document Signer certificates, and master lists.

To configure the assurance levels for uploading CSCA materials


1 Log in to the server hosting the PKD Writer services.
The PKD Writer services are installed on a server hosting the Administration
Services application server components.
2 Open the pkdwriter-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\pkdwriter\pkdwriter\webapp\WEB-INF\config
3 Locate the <UploadAssuranceLevel> section.
4 Configure the settings described in the following table.

Table 19: Assurance level settings for uploading CSCA materials

Setting Description

<CRL> This setting controls the minimum assurance level for CRLs that can be
uploaded to the ICAO PKD. CRLs that do not match or exceed the minimum
assurance level will not be uploaded.
Permitted values (in increasing levels of assurance):
• LOW
• MEDIUM
• HIGH
Default: HIGH


<DSC> This setting controls the minimum assurance level for Document Signer
certificates that can be uploaded to the ICAO PKD. Document Signer
certificates that do not match or exceed the minimum assurance level will not
be uploaded.
Permitted values (in increasing levels of assurance):
• LOW
• MEDIUM
• HIGH
Default: HIGH

<ML> This setting controls the minimum assurance level for master lists that can be
uploaded to the ICAO PKD. Master lists that do not match or exceed the
minimum assurance level will not be uploaded.
Permitted values (in increasing levels of assurance):
• LOW
• MEDIUM
• HIGH
Default: HIGH

5 Save and close the file.


6 Restart Administration Services.

Configuring the PKD Download connection
settings
PKD Writer tracks the status of the CSCA materials that have been uploaded to the
ICAO PKD Upload Directory. The status includes when the materials became
available in the ICAO PKD Download Directory. To determine when the materials
became available in the ICAO Download Directory, the PKD Writer Web Service
requires access to the ICAO PKD Download Directory.
The PKD Download connection settings are the settings the PKD Writer services use
to connect to the ICAO PKD Download Directory. You specified these settings when
you installed the PKD Writer services. Change these settings if you entered incorrect
information when you installed the PKD Writer services.

Note:
You should change the PKD Download connection settings only if you entered
incorrect information when you installed the PKD Writer services.

To configure the PKD Download connection settings


1 Log in to the server hosting the PKD Writer services.
The PKD Writer services are installed on a server hosting the Administration
Services application server components.
2 Open the pkdwriter-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\pkdwriter\pkdwriter\webapp\WEB-INF\config
3 Locate the <PKDDownloadConnection> section.
4 Configure the settings described in Table 20 on page 360.

Table 20: PKD Download connection settings

Setting Description

<LDAPAuthType> Specifies the LDAP authentication type to the ICAO PKD Download
Directory.
Permitted values:
• Anonymous for anonymous access
• Simple for simple authentication
• SSLServerAuth for SSL server authentication
• SASLClientAuth for SASL client authentication
By default, SSL server authentication (SSLServerAuth) is required to
connect to the ICAO PKD Download Directory.

<Host> The fully qualified host name of the ICAO PKD Download Directory
server.
For example:
<Host>PKDDownloadSG.icao.int</Host>

<Port> The secure LDAP (LDAPS) port number of the ICAO PKD Download
Directory.
For example:
<Port>636</Port>

<LDAPID> A credential (such as the distinguished name of an LDAP user entry)
provided for connecting to the ICAO PKD Download Directory.
For example:
<LDAPID>cn=CADwnld1,c=CA,o=Dwnld,dc=pkdDwnld</LDAPID>

<ServerCertificate> The file path and name of the ICAO PKD Download Directory’s LDAP
server certificate (not the CA certificate).
For example:
<ServerCertificate>C:\ldap_server.cer</ServerCertificate>


<P12> If <LDAPAuthType> is set to SASLClientAuth, this setting specifies the
file path and name of the P12 file for SASL client authentication.
By default, SSL server authentication (SSLServerAuth) is required to
connect to the ICAO PKD Download Directory; no P12 file is required
for SSL server authentication.
To create a P12 file, you can use the createp12 tool. See “Obtaining
a PKD Access credential for the ICAO PKD” on page 315 for details.

<UAL> The Unattended Login (UAL) file for the P12 credential. This file
contains the encrypted password for the P12 credential. By default,
this setting contains no value because no P12 is used.
You can create UAL files with the Profile Creation Utility. See the
Administration Services Installation Guide for details.

5 Save and close the file.


6 Restart Administration Services.

Configuring the PKD Upload connection
settings
The PKD Upload connection settings are the settings the PKD Writer services use to
connect to the ICAO PKD Upload Directory. You specified these settings when you
installed the PKD Writer services. Change these settings if you entered incorrect
information when you installed the PKD Writer services.

Note:
You should change the PKD Upload connection settings only if you entered
incorrect information when you installed the PKD Writer services.

To configure the PKD Upload connection settings


1 Log in to the server hosting the PKD Writer services.
The PKD Writer services are installed on a server hosting the Administration
Services application server components.
2 Open the pkdwriter-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\pkdwriter\pkdwriter\webapp\WEB-INF\config
3 Locate the <PKDUploadConnection> section.
4 Configure the settings described in Table 21.

Table 21: PKD Upload connection settings

Setting Description

<LDAPAuthType> Specifies the LDAP authentication type to the ICAO PKD Upload
Directory.
Permitted values:
• Anonymous for anonymous access
• Simple for simple authentication
• SSLServerAuth for SSL server authentication
• SASLClientAuth for SASL client authentication
By default, SASL client authentication (SASLClientAuth) is required
to connect to the ICAO PKD Upload Directory.


<Host> The fully qualified host name of the ICAO PKD Upload Directory
server.
For example:
<Host>PKDUploadSG.icao.int</Host>

<Port> The secure LDAP (LDAPS) port number of the ICAO PKD Upload
Directory.
For example:
<Port>636</Port>

<LDAPID> A credential (such as the distinguished name of an LDAP user entry)
provided for connecting to the ICAO PKD Upload Directory.
For example:
<LDAPID>cn=CAUpld1,c=CA,o=Upld,dc=pkdUpld</LDAPID>

<ServerCertificate> The file path and name of the ICAO PKD Upload Directory’s LDAP
server certificate (not the CA certificate).
For example:
<ServerCertificate>C:\ldap_server.cer</ServerCertificate>

<P12> If <LDAPAuthType> is set to SASLClientAuth, this setting specifies the
file path and name of the P12 file for SASL client authentication.
By default, SASL client authentication (SASLClientAuth) is required
to connect to the ICAO PKD Upload Directory.
By default, this setting specifies the file path and name of the ICAO
PKD Access P12 credential. You specified this file when you installed
the PKD Writer services.
For example:
<P12>C:\pkd-access.p12</P12>
For information about creating the ICAO PKD Access P12 credential,
see “Obtaining a PKD Access credential for the ICAO PKD” on
page 315.


<UAL> The Unattended Login (UAL) file for the P12 credential. This file
contains the encrypted password for the P12 credential. By default,
the Administration Services installer created this file when you
installed the PKD Writer services.
For example:
<UAL>C:\pkd-access.ual</UAL>
You can create UAL files with the Profile Creation Utility. See the
Administration Services Installation Guide for details.

5 Save and close the file.


6 Restart Administration Services.

Configuring the CSCA materials upload status
folder
PKD Writer stores information about the CSCA materials it uploads to the ICAO PKD.
The information is stored in a folder on the Administration Services server. The folder
contains one XML file for each material uploaded to the ICAO PKD:
• For each Document Signer certificate:
dsc_<sernum>.xml
Where <sernum> is the serial number of the Document Signer certificate.
The file contains the following information about the Document Signer
certificate: the serial number, the Not Before date, the Not After date, the
upload date, and the upload status.
• For each CRL:
crl_<authKeyId>_<crl_number>.xml
Where <authKeyId> is the CRL certificate’s authorityKeyIdentifier extension
and <crl_number> is the CRL number.
The file contains the following information about the CRL: the CRL number,
the Next Update date, the upload date, and the upload status.
• For each master list:
ml_<date-time>.xml
Where <date-time> is the date and time the master list was signed by the
CSCA. The date and time is in the format of YYMMDDhhmmss.
The file contains the DN of the CSCA, the date the master list was signed,
the upload date, and the upload status.
If required, you can change the location of the CSCA materials upload status folder.
Typically you would change the location of the folder if you are deploying PKD Writer
for High Availability, and you want the CSCA materials folder to be a shared folder
on the file system.

To configure the CSCA materials upload status folder


1 Log in to the server hosting the PKD Writer services.
The PKD Writer services are installed on a server hosting the Administration
Services application server components.
2 Open the pkdwriter-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\pkdwriter\pkdwriter\webapp\WEB-INF\config
3 Locate the <UploadStateFolder> setting. For example:
<UploadStateFolder>C:\Program Files\Entrust\AdminServices/services/pkdwriter/pkdwriter/uploadstatus</UploadStateFolder>
4 Change the location of the CSCA materials upload status folder as required. For
example:
<UploadStateFolder>C:\New folder location</UploadStateFolder>
5 Copy all files from the old location to the new location. Do this before you
restart Administration Services, so that the upload history of materials already
sent to the ICAO PKD is not lost. In a High Availability deployment, the account
that runs Administration Services on each node must be able to read and write
the shared folder.
6 Save and close the file.
7 Restart Administration Services.
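The following is an added example, not part of the Entrust product, for the folder move above: it decodes the documented dsc_<sernum>.xml, crl_<authKeyId>_<crl_number>.xml and ml_<date-time>.xml naming convention, takes an inventory of the status folder, and verifies after the copy that nothing was left behind or truncated. The exact character sets of the serial number, authorityKeyIdentifier and CRL number are not stated on the page, so the patterns match them loosely as anything without an underscore or dot; the file names and contents in demo_migration() are constructed for the example.

```python
"""Inventory and copy-verification for the PKD Writer upload status folder.

Added example, not Entrust code. Filename conventions are the ones the
page documents; the loose identifier patterns below are an assumption.
"""
import re
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

# Assumption: serial numbers, authorityKeyIdentifier values and CRL numbers
# are matched as any run of characters without '_' or '.'.
PATTERNS = {
    "dsc": re.compile(r"^dsc_(?P<sernum>[^_.]+)\.xml$"),
    "crl": re.compile(r"^crl_(?P<authKeyId>[^_.]+)_(?P<crl_number>[^_.]+)\.xml$"),
    "ml": re.compile(r"^ml_(?P<date_time>\d{12})\.xml$"),
}


def classify(filename):
    """Map a status-folder filename to (kind, fields); None if it does not fit the convention."""
    for kind, pattern in PATTERNS.items():
        match = pattern.match(filename)
        if match:
            return kind, match.groupdict()
    return None


def parse_ml_timestamp(yymmddhhmmss):
    """Decode the YYMMDDhhmmss signing time embedded in a master-list filename."""
    return datetime.strptime(yymmddhhmmss, "%y%m%d%H%M%S")


def inventory(folder):
    """Count recognised materials per kind and list anything that does not fit."""
    counts = {"dsc": 0, "crl": 0, "ml": 0}
    unrecognised = []
    for path in sorted(Path(folder).iterdir()):
        if not path.is_file():
            continue
        hit = classify(path.name)
        if hit:
            counts[hit[0]] += 1
        else:
            unrecognised.append(path.name)
    return counts, unrecognised


def verify_copy(old_folder, new_folder):
    """Confirm every file in old_folder exists in new_folder with the same size."""
    old = {p.name: p.stat().st_size for p in Path(old_folder).iterdir() if p.is_file()}
    new = {p.name: p.stat().st_size for p in Path(new_folder).iterdir() if p.is_file()}
    return {
        "missing": set(old) - set(new),
        "size_mismatch": {n for n in old if n in new and old[n] != new[n]},
        "extra": set(new) - set(old),
    }


def demo_migration():
    """Constructed scenario: one master-list record is left behind during the copy."""
    old = Path(tempfile.mkdtemp(prefix="uploadstatus-old-"))
    new = Path(tempfile.mkdtemp(prefix="uploadstatus-new-"))
    names = ["dsc_1A2B3C.xml", "crl_0F1E2D_42.xml", "ml_190415103000.xml", "notes.txt"]
    for name in names:  # constructed placeholder contents, not real status records
        (old / name).write_text(f"<status file='{name}'/>", encoding="utf-8")
    for name in names:
        if name != "ml_190415103000.xml":
            shutil.copy2(old / name, new / name)
    result = verify_copy(old, new)
    result["inventory"] = inventory(old)
    shutil.rmtree(old)
    shutil.rmtree(new)
    return result


if __name__ == "__main__":
    # Usage against real folders: verify_copy(r"C:\...\uploadstatus", r"\\share\uploadstatus")
    print(demo_migration())
```

Run verify_copy against the old and new <UploadStateFolder> paths before restarting; an empty "missing" and "size_mismatch" set is the condition for proceeding.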

Configuring the PKD Writer Web Service logs
Administration Services allows you to customize the log file settings for the PKD
Writer Web Service. You can configure the following log settings:
• the log file name and location
• the level of messages recorded in the file
• the maximum size the log file can reach before a new log file is created
• the number of old log files to retain

To configure the PKD Writer Web Service logs


1 Log in to the server hosting the PKD Writer Web Service application server
components.
2 Open the pkdwriter-config.xml file in an XML editor. You can find the file in
the following folder:
<AS-install>\services\pkdwriter\pkdwriter\webapp\WEB-INF\config
3 In the <Logging> section, configure the settings described in Table 22.

Table 22: PKD Writer Web Service log settings

Setting      Description
<Level>      Sets the level of detail for the logs.
             The logging level can be one of (in increasing severity) TRACE, DEBUG,
             INFO, WARNING, ERROR, ALERT, or FATAL. This sets the lowest level of
             message to show. For example, ERROR provides messages of ERROR, ALERT,
             and FATAL status.
             Default: INFO
<FileName>   Sets the name (including path) of the log file.
             Default:
             <AS-install>\services\pkdwriter\pkdwriter\logs\pkdwriter_pkdwriter.log
<FileSize>   Sets the maximum size of a log file, in bytes.
             Default: 1000000
             Do not set the value to 0, or Apache Tomcat will fail to start.
<Backups>    Sets the maximum number of log files to keep. After the last log file
             reaches the maximum size, the first log file is overwritten.
             Default: 10

4 Save and close the file.

5 Restart Administration Services.

Configuring the PKD Writer secure audit log
The PKD Writer maintains a secure audit log of all materials uploaded to the ICAO
PKD. The secure audit log is secured using the PKD Writer Server profile.
Information recorded in the secure audit log includes:
• audit event date and time
• source (for example, the web service client identity taken from the client
certificate)
• the type of material uploaded (Document Signer certificate, CRL, or master
list)
• details of the material that was uploaded:
– For Document Signer certificates, details include the certificate’s Not Before
and Not After dates, the certificate serial number, and the issuer DN.
– For CRLs, details include the issuer DN, the Next Update date, and the CRL
number.
– For master lists, details include the issuer DN, and the signing date and
time.
• success or failure information (such as an LDAP error code)
You can view the PKD Writer secure audit log using the Secure Audit Check Utility.

To configure the PKD Writer secure audit log


1 Log in to the server hosting the PKD Writer services.
The PKD Writer services are installed on a server hosting the Administration
Services application server components.
2 Open the pkdwriter-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\pkdwriter\pkdwriter\webapp\WEB-INF\config
3 Locate the <SecureAudit> section. For example:
<SecureAudit>
<!--Audit file name. -->
<Filename>C:\Program Files\Entrust\AdminServices/services/pkdwriter/pkdwriter/logs/pkdwriter_audit.log</Filename>
</SecureAudit>

4 Configure the settings described in Table 23.

Table 23: PKD Writer secure audit log settings

Setting      Description
<Filename>   The full path and file name of the PKD Writer secure audit log.
             Default:
             C:\Program Files\Entrust\AdminServices/services/pkdwriter/pkdwriter/logs/pkdwriter_audit.log

5 Save and close the file.


6 Restart Administration Services.

Configuring automatic uploads
The PKD Writer Web service writes master lists, CRLs, and Document Signer
certificates to the ICAO PKD. You manually upload CSCA materials using the PKD
Writer command line utility (see “Administering the PKD Writer services” on
page 373).
PKD Writer can also automatically upload CSCA materials to the ICAO PKD. The
following procedure describes how to configure PKD Writer to automatically upload
CSCA materials to the ICAO PKD.

Note:
Currently, PKD Writer can automatically upload only the current CSCA CRL to
the ICAO PKD from a URL.

To configure automatic uploads


1 Log in to the server hosting the PKD Writer services.
The PKD Writer services are installed on a server hosting the Administration
Services application server components.
2 Open the pkdwriter-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\pkdwriter\pkdwriter\webapp\WEB-INF\config
3 In the <AutoUpload> section, configure the settings described in the following
table.

Table 24: Automatic upload settings

Setting                    Description
<Enabled>                  Controls whether PKD Writer automatically uploads CSCA
                           materials to the ICAO PKD.
                           Permitted values:
                           • true to enable automatic uploads.
                           • false to disable automatic uploads. You must then
                             manually upload CSCA materials using the PKD Writer
                             command line utility.
<UploadAttempts>           When PKD Writer cannot establish a connection with the
                           ICAO PKD while writing CSCA materials, it attempts to
                           connect again before reporting a failure. This setting
                           controls how many times PKD Writer attempts to connect
                           to the ICAO PKD before reporting a failure.
                           The value must be greater than 0.
                           Default: 3
<UploadPeriod>             Controls how often, in hours, PKD Writer automatically
                           uploads CSCA materials to the ICAO PKD. The value must
                           be greater than 0 or an error will occur.
                           Default: 24
<MaterialSourceLocation>   Contains the source locations of CSCA materials for
                           automatic uploads to the ICAO PKD.
<CRL>                      Specifies the full URL of the CSCA CRL. Supported URL
                           formats are http, https, and ldap.
                           For example:
                           http://webserver.example.com/CRL/crl_file.crl

4 Save and close the file.


5 Restart Administration Services.
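As an added example that is not part of the Entrust guide, the following Python checks a pkdwriter-config.xml against the constraints the guide states for the upload status folder and in Tables 22, 23 and 24 (a FileSize of 0 stops Tomcat, UploadAttempts and UploadPeriod must be greater than 0, the CRL URL must be http, https or ldap) before Administration Services is restarted. The root element name <Config> and the placement of <CRL> inside <MaterialSourceLocation> are assumptions; the setting names are the guide's.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlsplit

LEVELS = {"TRACE", "DEBUG", "INFO", "WARNING", "ERROR", "ALERT", "FATAL"}
CRL_SCHEMES = {"http", "https", "ldap"}


def _text(root: ET.Element, path: str) -> Optional[str]:
    """Stripped text of the element at `path`, or None if absent or empty."""
    el = root.find(path)
    return el.text.strip() if el is not None and el.text and el.text.strip() else None


def _int_at_least(root: ET.Element, path: str, minimum: int,
                  findings: List[str]) -> None:
    """Report a missing, non-integer, or too-small numeric setting."""
    value = _text(root, path)
    if value is None:
        findings.append(f"{path}: missing")
        return
    try:
        n = int(value)
    except ValueError:
        findings.append(f"{path}: '{value}' is not an integer")
        return
    if n < minimum:
        findings.append(f"{path}: must be at least {minimum} (got {n})")


def check_pkdwriter_config(xml_text: str) -> List[str]:
    """Return findings; an empty list means no stated constraint is violated."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    if _text(root, "UploadStateFolder") is None:
        findings.append("UploadStateFolder: missing or empty")
    # Table 22: <Logging>. A FileSize of 0 prevents Apache Tomcat from starting.
    level = _text(root, "Logging/Level")
    if level not in LEVELS:
        findings.append(f"Logging/Level: '{level}' is not one of {sorted(LEVELS)}")
    if _text(root, "Logging/FileName") is None:
        findings.append("Logging/FileName: missing or empty")
    _int_at_least(root, "Logging/FileSize", 1, findings)
    _int_at_least(root, "Logging/Backups", 0, findings)  # guide gives no lower bound
    # Table 23: <SecureAudit>.
    if _text(root, "SecureAudit/Filename") is None:
        findings.append("SecureAudit/Filename: missing or empty")
    # Table 24: <AutoUpload>. Attempts and period must both be greater than 0.
    enabled = _text(root, "AutoUpload/Enabled")
    if enabled not in ("true", "false"):
        findings.append(f"AutoUpload/Enabled: '{enabled}' must be true or false")
    _int_at_least(root, "AutoUpload/UploadAttempts", 1, findings)
    _int_at_least(root, "AutoUpload/UploadPeriod", 1, findings)
    if enabled == "true":
        # Only http, https and ldap URLs are supported for the CSCA CRL source.
        url = _text(root, "AutoUpload/MaterialSourceLocation/CRL") or ""
        scheme = urlsplit(url).scheme.lower()
        if scheme not in CRL_SCHEMES:
            findings.append(f"AutoUpload/MaterialSourceLocation/CRL: scheme "
                            f"'{scheme}' is not one of {sorted(CRL_SCHEMES)}")
    return findings


# Constructed sample (not a real deployment's file). <Config> as the root and
# <CRL> nested under <MaterialSourceLocation> are assumptions.
BAD_CONFIG = r"""<Config>
  <UploadStateFolder>C:\Program Files\Entrust\AdminServices/services/pkdwriter/pkdwriter/uploadstatus</UploadStateFolder>
  <Logging>
    <Level>VERBOSE</Level>
    <FileName>C:\Program Files\Entrust\AdminServices\services\pkdwriter\pkdwriter\logs\pkdwriter_pkdwriter.log</FileName>
    <FileSize>0</FileSize>
    <Backups>10</Backups>
  </Logging>
  <SecureAudit>
    <Filename>C:\Program Files\Entrust\AdminServices/services/pkdwriter/pkdwriter/logs/pkdwriter_audit.log</Filename>
  </SecureAudit>
  <AutoUpload>
    <Enabled>true</Enabled>
    <UploadAttempts>3</UploadAttempts>
    <UploadPeriod>0</UploadPeriod>
    <MaterialSourceLocation>
      <CRL>ftp://webserver.example.com/CRL/crl_file.crl</CRL>
    </MaterialSourceLocation>
  </AutoUpload>
</Config>"""

# The same file with its four problems corrected.
GOOD_CONFIG = (BAD_CONFIG.replace("VERBOSE", "INFO")
               .replace("<FileSize>0<", "<FileSize>1000000<")
               .replace("<UploadPeriod>0<", "<UploadPeriod>24<")
               .replace("ftp://", "http://"))

if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label, check_pkdwriter_config(cfg) or "OK")
```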

15

Administering the PKD Writer services
The PKD Writer command line utility allows you to upload CSCA materials (domestic
master lists, CRLs, and Document Signer certificates) to the ICAO Public Key
Directory (ICAO PKD), or check the status of the CSCA materials that you uploaded.
This chapter describes how to use the PKD Writer command line utility to upload
CSCA materials to the ICAO PKD.
This chapter contains the following sections:
• “Uploading Document Signer certificates to the ICAO PKD” on page 374
• “Uploading CRLs to the ICAO PKD” on page 375
• “Uploading domestic master lists to the ICAO PKD” on page 376
• “Displaying the status of CSCA materials uploaded to the ICAO PKD” on
page 377

Uploading Document Signer certificates to the ICAO PKD
The PKD Writer command line utility allows you to upload Document Signer
certificates to the ICAO PKD.

To upload a Document Signer certificate to the ICAO PKD


1 Log in to the server hosting the PKD Writer services.
The PKD Writer services are installed on a server hosting the Administration
Services application server components.
2 Obtain the Document Signer certificate that must be uploaded to the ICAO PKD.
Save the certificate to a location on the Administration Services server.
3 On a command line, navigate to the following directory:
<AS-install>/tools/pkdw-cmd
4 Enter the following command:
pkdupload -dsc <dscert>
Where <dscert> is the file path and name of the Document Signer certificate.
For example:
pkdupload -dsc C:/ds_cert.cer
5 When prompted, enter the password for the PKD Writer command line utility.
You specified this password when you installed Administration Services.
The PKD Writer attempts to connect to the ICAO PKD and upload the Document
Signer certificate. If the upload succeeds, a success message appears. If the
upload fails, PKD Writer displays an error message.

Uploading CRLs to the ICAO PKD
The PKD Writer command line utility allows you to upload CRLs to the ICAO PKD.

To upload a CRL to the ICAO PKD


1 Log in to the server hosting the PKD Writer services.
The PKD Writer services are installed on a server hosting the Administration
Services application server components.
2 Obtain the CRL that must be uploaded to the ICAO PKD. Save the CRL file to a
location on the Administration Services server.
3 On a command line, navigate to the following directory:
<AS-install>/tools/pkdw-cmd
4 Enter the following command:
pkdupload -crl <crl>
Where <crl> is the file path and name of the CRL file. For example:
pkdupload -crl C:/crlfile.crl
5 When prompted, enter the password for the PKD Writer command line utility.
You specified this password when you installed Administration Services.
The PKD Writer attempts to connect to the ICAO PKD and upload the CRL. If the
upload succeeds, a success message appears. If the upload fails, PKD Writer
displays an error message.

Uploading domestic master lists to the ICAO PKD
The PKD Writer command line utility allows you to upload domestic master lists to
the ICAO PKD.

To upload a domestic master list to the ICAO PKD


1 Log in to the server hosting the PKD Writer services.
The PKD Writer services are installed on a server hosting the Administration
Services application server components.
2 Obtain the domestic master list that must be uploaded to the ICAO PKD. Save
the file to a location on the Administration Services server.
3 On a command line, navigate to the following directory:
<AS-install>/tools/pkdw-cmd
4 Enter the following command:
pkdupload -ml <ml_file>
Where <ml_file> is the file path and name of the domestic master list. For
example:
pkdupload -ml C:/US_101121125559Z.der
5 When prompted, enter the password for the PKD Writer command line utility.
You specified this password when you installed Administration Services.
The PKD Writer attempts to connect to the ICAO PKD and upload the master list.
If the upload succeeds, a success message appears. If the upload fails, PKD
Writer displays an error message.

Displaying the status of CSCA materials uploaded to the ICAO PKD
The PKD Writer command line utility allows you to display the status of your country’s
CSCA materials that were uploaded to the ICAO PKD.

To display the status of domestic CSCA materials uploaded to the ICAO PKD
1 Log in to the server hosting the PKD Writer services.
The PKD Writer services are installed on a server hosting the Administration
Services application server components.
2 On a command line, navigate to the following directory:
<AS-install>/tools/pkdw-cmd
3 Enter the following command:
pkdupload -status
The PKD Writer command line utility displays information about each material
uploaded to the ICAO PKD.

Section 5
PKD Reader section

This section provides instructions for installing a PKD Administration CA, installing and
configuring Administration Services, and administering the PKD Reader services.
This section contains the following chapters:
• “Installing a PKD Reader Services CA” on page 381
• “Deploying the PKD Reader Web Service” on page 385
• “Configuring the PKD Reader Web Service” on page 425

16

Installing a PKD Reader Services CA


The PKD Reader Services CA issues profiles required to run the PKD Reader services
provided by Administration Services. Installing a PKD Reader Services CA requires
that you install, configure and initialize Security Manager as a PKD Reader Services
CA.
The PKD Reader Services CA can be combined with the PKD Writer Services CA. The
PKD Reader Services CA can be the CSCA or any other CA in an e-passport
environment.
This chapter includes the following sections:
• “Installing and configuring Security Manager” on page 382
• “Post-configuration steps” on page 383

Installing and configuring Security Manager
Before installing Security Manager, ensure that you read all preinstallation
information described in the Security Manager 8.3 Installation Guide. Ensure that
you install and configure a supported LDAP directory and database as described in
the Security Manager 8.3 Installation Guide.
When using the countryName (c=) directory attribute to specify a two-letter country
code, the two-letter country code must be in uppercase characters to meet the ISO
3166 standard.
Install, configure, and initialize Security Manager according to the instructions in
the Security Manager 8.3 Installation Guide. After installing and configuring Security
Manager, proceed to “Post-configuration steps” on page 383.

Post-configuration steps
After configuring your PKD Reader Services CA, you must perform the following
steps:
1 Initialize Security Manager.
For more information about initializing Security Manager, see the Security
Manager 8.3 Installation Guide.
2 Install the latest Security Manager patches.
3 Install Security Manager Administration.
Security Manager Administration is the graphical interface for Security Manager.
Install Security Manager Administration according to the instructions in the
Security Manager Administration User Guide.
4 Deploy Administration Services (see “Deploying the PKD Reader Web Service”
on page 385).
Administration Services provides Web-based services for downloading master
lists, CRLs, and Document Signer certificates from the ICAO PKD or a National
PKD.

17

Deploying the PKD Reader Web Service
This chapter describes how to deploy the PKD Reader Web Service. The PKD Reader
Web Service is a service provided by Entrust Authority Administration Services.
The PKD Reader Web service periodically contacts the ICAO PKD and downloads
foreign master lists, Document Signer certificates, and CRLs.
This chapter includes the following sections:
• “Deployment overview” on page 386
• “Synchronizing Administration Services and Security Manager time settings”
on page 387
• “Creating PKD Reader Server credentials” on page 388
• “Creating PKD Reader Client credentials” on page 391
• “Checking the entrust.ini file” on page 394
• “Obtaining a PKD Access P12 credential for retrieving CSCA Registry
information from the ICAO PKD” on page 398
• “Collecting installation information for the PKD Reader” on page 399
• “Installing the PKD Reader Web Service” on page 404
• “Configuring PKD Reader Server authentication to a directory without
anonymous access” on page 422

Deployment overview
Deploying the PKD Reader Web Service includes the following steps. Each step is
described in further detail in this chapter.
1 Review the list of supported operating systems, Web servers, and Web browsers
in the Entrust Authority Administration Services Release Notes. The most recent
Release Notes are posted on Entrust Datacard TrustedCare.
2 Synchronize the application server and Security Manager Certification Authority
time setting (see “Synchronizing Administration Services and Security Manager
time settings” on page 387).
3 Create Entrust profiles for the PKD Reader Web Service:
• “Creating PKD Reader Server credentials” on page 388
• “Creating PKD Reader Client credentials” on page 391
4 Check the settings in the entrust.ini file (see “Checking the entrust.ini file” on
page 394).
5 PKD Reader can retrieve CSCA Registry information from the ICAO PKD Upload
Directory. Enabling the CSCA Registry Download feature requires a PKD Access
P12 credential. See “Obtaining a PKD Access P12 credential for retrieving CSCA
Registry information from the ICAO PKD” on page 398.
6 Collect the information required to install the PKD Reader services (see
“Collecting installation information for the PKD Reader” on page 399).
7 Install the PKD Reader Web Service (see “Installing the PKD Reader Web
Service” on page 404).
8 If the Security Manager directory does not allow anonymous authentication, you
must configure authentication to the directory (see “Configuring PKD Reader
Server authentication to a directory without anonymous access” on page 422).

Synchronizing Administration Services and
Security Manager time settings
Before or after installing Security Manager and Administration Services, you must
synchronize the time settings on all machines. The Timestamp servlet marks all client
browser messages with a time stamp. The local clock on the Administration Services
machine provides the time stamp for the Timestamp servlet.
The Timestamp servlet component of Administration Services requires all machines to
have synchronized time settings, within a five minute window. If Security Manager
and Administration Services time settings are greater than five minutes apart, the
following message may appear:
The XAP message has an expired timestamp. The message contained a
timestamp that was outside the server’s acceptance window. Make
sure that the source used to obtain message timestamps is
synchronized with the server’s time.
You can use Network Time client applications (or another method approved by your
organization) to synchronize the time settings of Security Manager and all
Administration Services machines to within a five minute time window.

Creating PKD Reader Server credentials
Before installing Administration Services, you must create a PKD Reader Server
profile. The PKD Reader Server profile secures SSL connections with clients. The
Administration Services installer will prompt you for this profile.
For details about creating PKD Reader Server profiles, see the following topics:
• “Creating a user entry for a PKD Reader Server profile” on page 388
• “Creating a PKD Reader Server profile” on page 389
• “Updating PKD Reader Server profile keys” on page 390

Creating a user entry for a PKD Reader Server profile


You must create a user entry in Security Manager for the PKD Reader Server profile.
You can use Security Manager Administration to create a user entry for the PKD
Reader Server profile.
For more information about creating users with Security Manager Administration, see
the Security Manager Administration User Guide.

To create a user entry for the PKD Reader Server profile using Security
Manager Administration
1 Log in to Security Manager Administration for the PKD Reader Services CA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
4 Click the General tab.
5 From the Role drop-down list, select Server Login.
6 Select the Certificate Info tab, and then complete the following:

a In the Category drop-down list, select Enterprise.
b Under Certificate Type, select Default.
7 Click OK.
8 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
The Operation Completed Successfully message appears, which displays the
reference number and authorization code.
Record these activation codes in a secure manner, as they are required later to
create and activate the user’s Entrust digital ID.
For more details on how the registration number and authorization codes are
used, see the Security Manager Administration User Guide.
9 You must add the host name of the server hosting the Administration Services
application server to the user entry:
a In the right pane, select the user you just created and then select Users >
Selected User > Properties.
b Click the SubjectAltName tab.
c Click Add.
The Add subjectAltName component dialog box appears.
d In the Select component name list, select DNS Name.
e In the Enter component value field, enter the Fully Qualified Domain Name
(FQDN) of the server hosting the Administration Services application server
(for example, appserver.example.com).
f Click OK to add the DNS name and close the Add subjectAltName
component dialog box.
g Click OK to save the changes.
h If prompted, authorize the operation. The operation may require more than
one authorization. See the Security Manager Administration User Guide for
details.
You have now created the user entry for the PKD Reader Server profile. Proceed
to “Creating a PKD Reader Server profile” on page 389.

Creating a PKD Reader Server profile


You can store the PKD Reader Server profile on software (as an EPF file) or on a
hardware security module. You can use one of the following applications to create the
PKD Reader Server profile:
• Profile Creation Utility

The Profile Creation Utility can create the profile on software or hardware.
For instructions, see the Administration Services Installation Guide.
• Security Manager Administration
When using Security Manager Administration to create the profile, you must
create the profile on software. For instructions, see the following procedure.

To create a PKD Reader Server profile using Security Manager Administration


1 Create a user entry for the PKD Reader Server profile (see “Creating a user entry
for a PKD Reader Server profile” on page 388).
2 In the right pane, select the user entry you just created and then select Users >
Selected User > Create Profile.
The Create profile dialog box appears.
3 Click Create desktop profile.
4 In the Name field, enter the file name for the PKD Reader Server profile. Security
Manager Administration will append the .epf extension to the file name.
5 Click Browse to select a folder where you want to save the PKD Reader Server
profile.
6 In the Password and Confirm fields, enter a password for the PKD Reader Server
profile.
7 Click OK.
You can now use this PKD Reader Server profile with Administration Services. You
need the PKD Reader Server profile, the profile password, and the profile location
when you install Administration Services.

Updating PKD Reader Server profile keys


It is not recommended that you copy profiles to other servers. If you do copy a profile,
and the profile keys are updated at one server, copy the updated profile file to each
server.
Keys are updated only on Administration Services start up. You may have to schedule
server restarts periodically with a frequency that corresponds to the configured
certificate lifetime.

Creating PKD Reader Client credentials
The PKD Reader Client profile is a SSL client profile, used by client applications for
accessing the PKD Reader Web Service. The Administration Services installer will not
prompt you for this profile when you install the PKD Reader services.
The PKD Reader Web Service can connect to the NPKD services to import CSCA
materials into the National PKD. Supporting a connection to the NPKD services
requires a PKD Reader Client profile. When installing Administration Services for a
National PKD (see “Deploying the NPKD services” on page 463), if you choose to
enable a connection with PKD Reader, the installer will prompt you for the PKD
Reader Client profile.
If you will not enable a connection between PKD Reader and the NPKD services,
creating a PKD Reader Client profile is optional.
For details about creating PKD Reader Client profiles, see the following topics:
• “Creating a user entry for a PKD Reader Client profile” on page 391
• “Creating a PKD Reader Client profile” on page 392
• “Updating PKD Reader Client profile keys” on page 393

Creating a user entry for a PKD Reader Client profile


You must create a user entry in Security Manager for the PKD Reader Client profile.
You can use Security Manager Administration to create a user entry for the PKD
Reader Client profile.
For more information about creating users with Security Manager Administration, see
the Security Manager Administration User Guide.

To create a user entry for the PKD Reader Client profile using Security
Manager Administration
1 Log in to Security Manager Administration for the PKD Reader Services CA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.

b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
4 Click the General tab.
5 From the Role drop-down list, select Server Login.
6 Select the Certificate Info tab, and then complete the following:
a In the Category drop-down list, select Enterprise.
b Under Certificate Type, select Default.
7 Click OK.
8 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
The Operation Completed Successfully message appears, which displays the
reference number and authorization code. Record these activation codes in a
secure manner, as they are required later to create and activate the user’s Entrust
digital ID. For more details on how the registration number and authorization
codes are used, see the Security Manager Administration User Guide.
You have now created the user entry for the PKD Reader Client profile. Proceed
to “Creating a PKD Reader Client profile” on page 392.

Creating a PKD Reader Client profile


You can store PKD Reader Client profiles on software (as an EPF file) or on hardware.
Storing a PKD Reader Client profile on hardware is supported only for the NPKD
services.
You can use one of the following applications to create the PKD Reader Client profile:
• Profile Creation Utility
The Profile Creation Utility can create the profile on software or hardware.
For instructions, see the Administration Services Installation Guide.
• Security Manager Administration
When using Security Manager Administration to create the profile, you must
create the profile on software. For instructions, see the following procedure.

To create a PKD Reader Client profile using Security Manager Administration


1 Create a user entry for the PKD Reader Client profile (see “Creating a user entry
for a PKD Reader Client profile” on page 391).

2 In the right pane, select the user entry you just created and then select Users >
Selected User > Create Profile.
The Create profile dialog box appears.
3 Click Create desktop profile.
4 In the Name field, enter the file name for the PKD Reader Client profile. Security
Manager Administration will append the .epf extension to the file name.
5 Click Browse to select a folder where you want to save the PKD Reader Client
profile.
6 In the Password and Confirm fields, enter a password for the PKD Reader Client
profile.
7 Click OK.

Updating PKD Reader Client profile keys


It is not recommended that you copy profiles to other servers. If you do copy a profile,
and the profile keys are updated at one server, copy the updated profile file to each
server. Keys are updated only when the PKD Reader client is run.

Checking the entrust.ini file
Obtain a copy of the entrust.ini file from a PKD Reader Services CA administrator.
Copy the entrust.ini file to each machine hosting the PKD Reader services. Note
the location of these files. You will enter the path to these files when you install
Administration Services.
Complete the following instructions to ensure the entrust.ini file is properly copied
and configured for your Web server and the Tomcat application server, and
(optionally) Entrust Authority Roaming Server.

To check the entrust.ini file settings


1 Open the entrust.ini file in a text editor.
2 Ensure that the file contains the following lines:
• Server=<directory_machine>+<port>
Where:
– <directory_machine> is the IPv4 address or DNS name of the machine hosting
the directory.
– <port> is the LDAP port. The default port is 389.
For example:
Server=ldap.example.com+389
• Authority=<Security_Manager_machine>+<port>
Where:
– <Security_Manager_machine> is the IPv4 address or DNS name of the machine
hosting Security Manager.
– <port> is the PKIX-CMP port used by Security Manager. The default port
is 829.
For example:
Authority=securitymanager.example.com+829
• XAP=<XAP_server>+<port>
Where:
– <XAP_server> is the IPv4 address or DNS name of the XAP server.
– <port> is the port used by the XAP server. The default port is 443 or 1443.
For example:
XAP=securitymanager.example.com+1443
• CA Distinguished Name=<DN_of_CA>
Where <DN_of_CA> is the distinguished name of the Certification Authority.
For example:

CA Distinguished Name=ou=CA Entry,o=Example,c=US
• SearchBase=<DN_of_searchbase>
Where <DN_of_searchbase> is the distinguished name of the default
searchbase. For example:
SearchBase=ou=CA Entry,o=Example,c=US
3 If you use Entrust Authority Roaming Server, ensure that the file contains the
following lines:
• ProfileServer=<Roaming_Server_machine>+<port>
Where:
– <Roaming_Server_machine> is the IPv4 address or DNS name of the machine
hosting Roaming Server.
– <port> is the Roaming Server listen port. The default port is 640.
For example:
ProfileServer=roamingserver.example.com+640
• ProfileServerDN=<DN_of_Roaming_Server>
Where <DN_of_Roaming_Server> is the distinguished name of Roaming
Server.
For example:
ProfileServerDN=cn=RoamingServer,dc=example,dc=com
• RoamingIDField=<Directory_attribute>
Where <Directory_attribute> is the directory attribute used to search for
users’ roaming digital IDs. The default attribute is uid. The directory attribute
is not case sensitive.
The directory attribute can be one of: cn, commonname, sn, surname, mail,
rfc822mailbox, serialnumber, telephonenumber, name, givenname, uid,
userid, unstructuredname, employeenumber.
For example:
RoamingIDField=uid
• RoamSearchBase=<Searchbase_DN>
<Searchbase_DN> is the DN of the searchbase where searches for roaming
users are performed.
For example:
RoamSearchBase=cn=RoamingServer,dc=example,dc=com

Attention:
When using Roaming Server you must set up the searchbases correctly in both
entrust.ini and the Roaming Server LDAP settings. Failing to do so properly
will result in errors when trying to log in to your roaming IDs.

• RoamSearchBase<n>=<Searchbase_DN>
Where <n> is an integer and <Searchbase_DN> is the DN of an additional
searchbase where searches for roaming users are performed.
You can define up to 20 different RoamSearchBase<n> settings. For example,
RoamSearchBase1, RoamSearchBase2, RoamSearchBase3, and so on. <n>
must start at 1, and you must increment <n> by 1 for each additional
RoamSearchBase<n> setting.
For example:
RoamSearchBase1=cn=RoamingServer1,dc=example,dc=com
RoamSearchBase2=cn=RoamingServer2,dc=example,dc=com
RoamSearchBase3=cn=RoamingServer3,dc=example,dc=com
• (Optional.) RoamSSLPort=<port>
Where <port> is the SSL port number that Roaming Server uses for SSL
communications. Administration Services communicates with Roaming
Server on this port. For example:
RoamSSLPort=443
• (Optional.) ProfileServerKeyType=<key_type>
Where <key_type> is the default symmetric key for all communications with
Roaming Server. The key type must be one of CAST-128, Triple DES, or
IDEA. Roaming Server must be configured to allow communication with this
symmetric key type or Roaming Server will reject all communication
attempts.
For example:
ProfileServerKeyType=Triple DES
Remove any leading or trailing white space from this setting. Roaming login
will fail if this setting contains any leading or trailing white space. Comments
at the end of a setting are considered whitespace.
• (Optional) RoamGetFilesFromServer=<value>
Where <value> is one of:
– 0 (Proxy mode is off)
– 1 (Proxy mode is on)

For example: RoamGetFilesFromServer=1.
4 If you are using a PKCS#11 v2 hardware device, ensure that the file contains the
following line in the [Entrust Settings] section:
CryptokiV2LibraryNT=<pkcs11 library path>
Where <pkcs11 library path> is the full path to the location of the PKCS#11
library. For example:
CryptokiV2LibraryNT=C:\Program Files\vendor1\device1.dll
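Steps 2 to 4 are easy to get slightly wrong by hand, and the guide notes that some faults (trailing whitespace or a comment on ProfileServerKeyType, a gap in the RoamSearchBase<n> numbering) only surface later as roaming login failures. The following Python script is an added example, not part of this guide or of Entrust's software: it reads an entrust.ini and reports those faults before you install the PKD Reader. The INI samples are constructed; the assumptions that ';' starts a comment line and that all of these settings live under [Entrust Settings] are the example's own.

```python
"""Check an entrust.ini against the settings listed in steps 2 to 4.

Added example, not an Entrust tool. Values are kept verbatim (not stripped)
so that whitespace faults stay visible. Assumptions: ';' starts a comment
line and the settings live under [Entrust Settings]. Samples are constructed.
"""
import re

REQUIRED_KEYS = ("Server", "Authority", "CA Distinguished Name", "SearchBase")
ROAMING_KEYS = ("ProfileServer", "ProfileServerDN", "RoamingIDField", "RoamSearchBase")
HOSTPORT_KEYS = ("Server", "Authority", "XAP", "ProfileServer")
KEY_TYPES = {"CAST-128", "Triple DES", "IDEA"}
ROAMING_ID_FIELDS = {"cn", "commonname", "sn", "surname", "mail", "rfc822mailbox",
                     "serialnumber", "telephonenumber", "name", "givenname", "uid",
                     "userid", "unstructuredname", "employeenumber"}
MAX_ROAM_SEARCHBASES = 20
HOSTPORT_RE = re.compile(r"^[A-Za-z0-9.-]+\+(\d{1,5})$")
ROAM_SB_RE = re.compile(r"^RoamSearchBase(\d+)$")


def parse_ini(text):
    """Return {key: (section, raw_value)} for every key=value line."""
    entries, section = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        header = re.match(r"^\s*\[(.+?)\]\s*$", line)
        if header:
            section = header.group(1)
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip()] = (section, value)
    return entries


def check_entrust_ini(text, roaming=False, pkcs11=False):
    """Return a sorted list of problems; an empty list means the file passes."""
    entries = parse_ini(text)

    def value(key):
        return entries[key][1] if key in entries else None

    required = list(REQUIRED_KEYS)
    required += ROAMING_KEYS if roaming else ()
    required += ["CryptokiV2LibraryNT"] if pkcs11 else []
    problems = [f"missing setting: {k}" for k in required if k not in entries]

    for key in HOSTPORT_KEYS:                      # <host>+<port>, port 1-65535
        v = value(key)
        if v is not None:
            m = HOSTPORT_RE.match(v)
            if not m or not 1 <= int(m.group(1)) <= 65535:
                problems.append(f"{key}: expected <host>+<port>, got {v!r}")

    v = value("ProfileServerKeyType")              # must match exactly
    if v is not None and v not in KEY_TYPES:
        if v.split(";", 1)[0].strip() in KEY_TYPES:
            problems.append("ProfileServerKeyType: leading/trailing whitespace or "
                            "trailing comment (roaming login will fail)")
        else:
            problems.append(f"ProfileServerKeyType: unsupported value {v!r}")

    v = value("RoamingIDField")                    # attribute name is case-insensitive
    if v is not None and v.strip().lower() not in ROAMING_ID_FIELDS:
        problems.append(f"RoamingIDField: {v.strip()!r} is not a supported attribute")

    v = value("RoamGetFilesFromServer")
    if v is not None and v.strip() not in ("0", "1"):
        problems.append(f"RoamGetFilesFromServer: must be 0 or 1, got {v.strip()!r}")

    # RoamSearchBase<n> must run 1, 2, 3, ... without gaps, at most 20 entries
    indexes = sorted(int(m.group(1)) for k in entries if (m := ROAM_SB_RE.match(k)))
    if indexes and indexes != list(range(1, len(indexes) + 1)):
        problems.append(f"RoamSearchBase<n>: indexes must start at 1 and increment by 1, got {indexes}")
    if len(indexes) > MAX_ROAM_SEARCHBASES:
        problems.append(f"RoamSearchBase<n>: at most {MAX_ROAM_SEARCHBASES} allowed, found {len(indexes)}")

    if "CryptokiV2LibraryNT" in entries and entries["CryptokiV2LibraryNT"][0] != "Entrust Settings":
        problems.append("CryptokiV2LibraryNT: must be in the [Entrust Settings] section")

    return sorted(problems)


# Constructed sample matching the examples in steps 2 to 4.
GOOD_INI = """\
[Entrust Settings]
Server=ldap.example.com+389
Authority=securitymanager.example.com+829
XAP=securitymanager.example.com+1443
CA Distinguished Name=ou=CA Entry,o=Example,c=US
SearchBase=ou=CA Entry,o=Example,c=US
ProfileServer=roamingserver.example.com+640
ProfileServerDN=cn=RoamingServer,dc=example,dc=com
RoamingIDField=uid
RoamSearchBase=cn=RoamingServer,dc=example,dc=com
RoamSearchBase1=cn=RoamingServer1,dc=example,dc=com
RoamSearchBase2=cn=RoamingServer2,dc=example,dc=com
ProfileServerKeyType=Triple DES
CryptokiV2LibraryNT=C:\\Program Files\\vendor1\\device1.dll
"""

# Constructed faults: ':' instead of '+', a gap in RoamSearchBase<n>, a comment after the key type.
BAD_INI = (GOOD_INI.replace("ldap.example.com+389", "ldap.example.com:389")
           .replace("RoamSearchBase2=", "RoamSearchBase3=")
           .replace("ProfileServerKeyType=Triple DES", "ProfileServerKeyType=Triple DES ; 3DES"))

if __name__ == "__main__":
    print("good:", check_entrust_ini(GOOD_INI, roaming=True, pkcs11=True))
    print("bad:", *check_entrust_ini(BAD_INI, roaming=True, pkcs11=True), sep="\n  ")
```

Run it against the real file with roaming=True only if you use Roaming Server and pkcs11=True only if the profile is on a hardware token; an empty list means none of the faults described above is present.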

Obtaining a PKD Access P12 credential for
retrieving CSCA Registry information from the
ICAO PKD
When installing the PKD Reader services, you can choose to enable the CSCA
Registry Download feature. This feature allows the PKD Reader to retrieve CSCA
Registry information from the ICAO PKD Upload Directory.
Enabling the CSCA Registry Download feature requires a PKD Access P12 credential.
You should have already obtained the PKD Access P12 credential from ICAO when
you deployed Administration Services for a PKD Writer (see “Obtaining a PKD Access
credential for the ICAO PKD” on page 315). You can use the same PKD Access P12
credential for both the PKD Writer services and PKD Reader services.

Collecting installation information for the PKD
Reader
Before you install the PKD Reader provided by Administration Services, you must
obtain or decide on certain details which you must provide when installing
Administration Services. Collecting this data before you install the software will
greatly simplify these processes by giving you convenient reference sheets with your
configuration data.
Use the following worksheet to compile the data required to install Administration
Services for a PKD Reader. Print or photocopy this section and record your
configuration data on these copies.

Table 25: Information required to install the PKD Reader

PKD entrust.ini
  The file path and name of the entrust.ini file from your PKD Reader Services CA. You should have already obtained the file and configured the required settings in “Checking the entrust.ini file” on page 394.
  File path and name of the PKD Reader Services CA entrust.ini file:

CSCA Registry Download
  Specifies whether the PKD Reader can retrieve CSCA Registry information from the ICAO PKD.
  Enabling the PKD Reader to retrieve CSCA Registry information requires a PKD Access P12 credential. You should have already obtained the PKD Access P12 credential from ICAO when you deployed Administration Services for a PKD Writer (see “Obtaining a PKD Access credential for the ICAO PKD” on page 315). You can use the same PKD Access P12 credential for both the PKD Writer services and PKD Reader services.
  Enable PKD Reader to retrieve CSCA Registry information: Yes or No

PKD Reader Profile
  The PKD Reader Web Service requires a profile. You should have already created this profile in “Creating PKD Reader Server credentials” on page 388.
  Profile on Token: Yes or No
  Profile on hardware:
  • Hardware slot:
  • UAL path and file name:
  Profile on software:
  • Profile path and file name:
  • Profile Password:

Domestic Country Code
  The ISO 3166-1 alpha-2 country code of your country. For example, the country code of the United States is US.
  Domestic Country Code:

Fully qualified host name of the PKD Download Directory
  The fully qualified host name of the ICAO PKD Download Directory server. For example: PKDDownloadSG.icao.int
  ICAO will provide this information after you register with ICAO.
  Fully qualified host name of the PKD Download Directory:

PKD Download Directory LDAPS Port
  The secure LDAP (LDAPS) port number of the PKD Download Directory.
  ICAO will provide this information after you register with ICAO.
  PKD Download Directory LDAPS Port:

PKD Download LDAP ID
  A credential (such as the distinguished name of an LDAP user entry) provided for connecting to the PKD Download Directory.
  ICAO will provide this information after you register with ICAO.
  PKD Download LDAP ID:

PKD Download LDAP ID Password
  The password for the PKD Download LDAP ID.
  ICAO will provide this information after you register with ICAO.
  PKD Download LDAP ID Password:

PKD Download LDAP Server Certificate
  The file path and name of the PKD Download Directory’s LDAP server certificate (not the CA certificate).
  ICAO will provide this information after you register with ICAO.
  File path and name of the PKD Download LDAP server certificate:

Fully qualified host name of the PKD Upload Directory (CSCA Registry Download enabled only)
  The fully qualified host name of the ICAO PKD Upload Directory server. For example: PKDUploadSG.icao.int
  Fully qualified host name of the ICAO PKD Upload Directory:

PKD Upload Directory LDAPS Port (CSCA Registry Download enabled only)
  The secure LDAP port number of the ICAO PKD Upload Directory.
  ICAO PKD Upload Directory LDAPS Port:

PKD Access P12 Credential (CSCA Registry Download enabled only)
  The file path and name of the ICAO PKD Access P12 credential.
  You should have already obtained the PKD Access P12 credential from ICAO when you deployed Administration Services for a PKD Writer (see “Obtaining a PKD Access credential for the ICAO PKD” on page 315). You can use the same PKD Access P12 credential for both the PKD Writer services and PKD Reader services.
  File path and name of the ICAO PKD Access credential:

PKD Access P12 Password (CSCA Registry Download enabled only)
  The password for the ICAO PKD Access P12 credential.
  ICAO PKD Access P12 Password:

PKD Upload LDAP ID (CSCA Registry Download enabled only)
  A credential (such as the distinguished name of an LDAP user entry) provided for connecting to the ICAO PKD Upload Directory.
  ICAO PKD Upload LDAP ID:

PKD Upload LDAP ID Password (CSCA Registry Download enabled only)
  The password for the ICAO PKD Upload LDAP ID.
  ICAO PKD Upload LDAP ID Password:

PKD Upload LDAP Server Certificate (CSCA Registry Download enabled only)
  The file path and name of the ICAO PKD Upload Directory’s LDAP server certificate (not the CA certificate).
  File path and name of the ICAO PKD Upload LDAP server certificate:

Email Notification
  PKD Reader can send email notification messages for specific events.
  Enable Email Notification for PKD Reader: Yes or No
  If you enable email notification, you must also provide the following information:
  • Fully Qualified Domain Name of SMTP Server:
  • SMTP Server Port:
  • PKD Reader Administrator Email Address:
  • PKD Reader Appears From Email Address:
Installing the PKD Reader Web Service
This section outlines the steps required to install the PKD Reader Web Service on
supported Windows operating systems. The PKD Reader Web Service is supported
only on Windows.
When installing Administration Services, you can install both the Web server
components and application server components on a single server, or you can install
the components on separate servers.
• Installing Administration Services on a single server installs both the Web
server components and application server components on the same server.
It is strongly recommended that you do not install Administration Services on
a single server in a production environment, especially if your deployment is
exposed to the Internet. You should only install Administration Services on a
single server for testing purposes.
• Installing Administration Services on separate servers allows you to install the
application server components on one server, and the Web server
components on the server hosting your Web server.
Installing the components on separate servers is more secure than installing
them on the same server. When installing the components on separate
servers, you must select the same services for each server. Note that some
services do not have Web server components.
When you add service instances, you will install the same components (Web server
components, application server components, or both) as you installed on the server
previously. If you install services on separate servers, add the same instances to both
servers. Note that some services do not have Web server components.
The PKD Reader Web Service consists of only application server components.

To install the PKD Reader application server components on Windows


1 Install Administration Services 9.3. See the Administration Services 9.3
Installation Guide for instructions. When installing Administration Services:
a Select the Distributed installation type to install the application server
components and Web server components on separate servers.
b Select Application Server to install the application server components.
2 Configure Administration Services for the first time. See the
Administration Services 9.3 Installation Guide for instructions.
3 If Administration Services is already installed, stop the Administration Services
application server (Apache Tomcat).
4 Double-click the Administration Services installer.

5 The Administration Services Installer - Configuration page appears.

Click Next to continue.

6 The Configured Services page appears.

This page lists all configured services (if any). Click Next to add a new service.

7 If you have not yet configured centralized configuration, the Centralized
Configuration Settings page appears.

a Click Do Not Install Centralized Configuration. The ePassport services do
not use centralized configuration.
b Click Next.

8 The Select Services To Configure page appears.

a Select ePassport Services.
b Select Public Key Directory Services.
c Select Public Key Directory Reader (PKD Reader).
d Click Next to continue.

9 The SSL/TLS Port for PKD Reader Web Service page appears.

a In the SSL/TLS Port Number for PKD Reader Web Service field, enter the port
number for the PKD Reader Web Service (by default 443 or 12443).
b Click Next.

10 The PKD Reader Entrust.ini Location page appears.

a In the text field, enter the full path and file name of the entrust.ini file
from the Entrust CA that issued the PKD Reader Server profile, or click
Choose to locate the file.
b Click Next.

11 If the entrust.ini file includes a setting specifying the full path to a valid
PKCS#11 library, the Select PKD Reader Profile Type page appears.

a Select one of the following options:
– If the PKD Reader Server profile is an EPF file stored on the local file system,
select Software Profile.
– If the PKD Reader Server profile is stored on hardware, select Hardware
Token.
b Click Next.

12 If the PKD Reader Server profile is a software profile, the PKD Reader Profile
page appears.

a In the Enter the location of the PKD Reader Profile field, click Choose to
locate and select the PKD Reader Server profile (EPF file).
b In the Enter the Password to login to your PKD Reader Profile field, enter
the password for the EPF file.
c Click Next.

13 If the PKD Reader Server profile is a hardware profile, the PKD Reader Hardware
Token Profile page appears.

a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the PKD Reader Server profile.
b In the Enter the Password to login to your PKD Reader Profile field, enter
the password for the profile.
c Click Next.

14 The Domestic Country Code for PKD Services page appears.

a Enter your two-character country code.
b Click Next to continue.

15 The PKD Download Credentials page appears.

a In the Fully Qualified Host Name of the PKD Download Directory field,
enter the fully qualified host name of the ICAO PKD Download Directory
server.
b In the TCP LDAPS Port Number of the PKD Download Directory field, enter
the secure LDAP port of the ICAO PKD Download Directory.
c In the Enter Download LDAP ID field, enter your Download LDAP ID.
d In the Enter the Password for Download LDAP field, enter the password for
your Download LDAP ID.
e In the Enter the Location of the PKD Download LDAP Server Certificate
field, enter the full path and file name of the ICAO PKD Download
Directory’s server certificate, or click Choose to locate the file.
f Click Next to continue.
The installer will attempt to connect to the ICAO PKD Download Directory server
with the information you provided. If an error occurs, a warning will appear. If
you encounter an error, open the
<AS-install>\logs\adminservices_configuration.log for more
information. You can continue installing the PKD Reader services even if an error
occurs.

16 The PKD Upload Credentials page appears.

a To enable PKD Reader to retrieve CSCA Registry information from the ICAO
PKD, select Enable CSCA registry download.
b If you enabled PKD Reader to retrieve CSCA Registry information:
– In the Fully Qualified Host Name of the PKD Upload Directory field, enter
the fully qualified host name of the ICAO PKD Upload Directory server.
– In the TCP LDAPS Port Number of the PKD Upload Directory field, enter
the secure LDAP port of the ICAO PKD Upload Directory.
– In the Enter the Location of the PKD P12 Credentials Profile field, enter
the full path and file name of the P12 file you generated earlier, or click
Choose to locate the file.
– In the Enter the Password to login to your PKD P12 Credentials Profile
field, enter the password for the P12 file you generated earlier.
– In the Enter Upload LDAP ID field, enter your Upload LDAP ID.
– In the Enter the Location of the PKD Upload LDAP Server Certificate field,
enter the full path and file name of the ICAO PKD Upload Directory’s server
certificate, or click Choose to locate the certificate file.
c Click Next to continue.

If you enabled PKD Reader to retrieve CSCA Registry information, the installer
will attempt to connect to the ICAO PKD Upload Directory server with the
information you provided. If an error occurs, a warning will appear. If you
encounter an error, open the
<AS-install>\logs\adminservices_configuration.log for more
information. You can continue installing the PKD Reader services even if an error
occurs.
17 The Configure PKD Reader email Notification page appears.

a To enable email notification for PKD Reader, select Enable email Notification
for PKD Reader.
If you select this option, the email notification settings are enabled.
b If you chose to enable email notification for PKD Reader:
– In the Enter the SMTP Server Fully Qualified Domain Name field, enter the
fully qualified domain name of the SMTP server.
– In the SMTP Server Port field, enter the port number used by the SMTP
server (by default 25).

– In the Enter the PKD Reader Administrator email Address field, enter the
email address where administrators will receive email notification
messages.
PKD Reader sends messages to this address only if the event is not meant
for a particular object. For example, if a user performs an action that
requires an administrator’s approval, PKD Reader sends the message to this
email address.
– In the Enter the PKD Reader Appears From email Address field, enter the
email address that will appear in the email message’s From field of the email
message.
c Click Next.
18 The PKD Reader Configuration page appears with a summary of your installation
selections. For example:

a Check all your settings. If you need to change anything, click Previous to
return to that page and make your changes.
b Select Configure to configure the service instance.
c Click Next to proceed with the installation.

19 After the installation is complete, the PKD Reader Configuration Status page
appears. For example:

a If the installation is unsuccessful, a dialog box displays errors. See the
Administration Services Configuration Guide for possible solutions, or
contact Entrust Customer Support.
b Click Next.

20 The Configuration Complete page appears.

a Select one of the following options:
– If you are finished adding services, select End Configuration Program.
– If you want to add additional services, select Return to Configure Services.
b Click Next.

21 The Start The Service Automatically page appears.

a To use the service you just installed, you must restart the Administration
Services application server.
– To start the service automatically after exiting the installer, select Start the
service automatically. This option is selected by default.
– To leave the service stopped after exiting the installer, deselect Start the
service automatically. You must then restart Administration Services manually
before the new service is available.
b Click Next.
The URL for the PKD Reader Web Service is
https://<server>:<port>/pkdreader/services/PkdrwsService, where:
• <server> is the host name or IPv4 address of the server hosting the PKD
Reader Web Service.
• <port> is the SSL port for the PKD Reader Web Service (by default 443 or
12443). You specified this port when you installed the PKD Reader Web
Service.
PKD Reader clients need this URL to connect to the PKD Reader Web Service.
You can find the URLs to all installed services in the <AS-install>/services.txt
file.

Configuring PKD Reader Server authentication
to a directory without anonymous access
The following procedure explains how to configure the PKD Reader Server profile to
authenticate to the Security Manager directory when anonymous access is disabled.
The Java Naming and Directory Interface (JNDI) credentials are used to access the
Security Manager directory when anonymous bind is not available (for example, the
default setting in Active Directory). In that case, edit the Security Manager
Directory credentials in the pkdreader-config.xml file.

To configure directory access credentials


1 Log in to the server hosting the PKD Reader services.
The PKD Reader services are installed on a server hosting the Administration
Services application server components.
2 Open the pkdreader-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\pkdreader\pkdreader\webapp\WEB-INF\config
3 Locate the <PKDReaderServerTLS> section:
<PKDReaderServerTLS>
<Epf>c:\authdata\manager\epf\PKD Reader Server.epf</Epf>
<Ual></Ual>
<Pkcs11Library></Pkcs11Library>
<Pkcs11Slot></Pkcs11Slot>
<!-- entrust.ini from PKD Admin CA -->
<EntrustIni>c:\authdata\manager\entrust.ini</EntrustIni>
<!-- Security Manager Directory credentials
- for environments where anonymous bind is not available
(e.g. default Active Directory)
These are the Java Naming and Directory Interface (JNDI)
credentials that are used for accessing the Security
Manager directory when anonymous bind is not available.
If any of these parameters are blank, then anonymous bind
is used. -->
<JndiAuthentication>simple</JndiAuthentication>
<JndiPrincipal></JndiPrincipal>
<!-- The JNDI credentials/password - initially entered in
plaintext.

When service starts, the password will be encrypted and
bound to the hardware using the Unattended Login UAL
capabilities of the Entrust Java Toolkit and stored to a
file.
The plaintext password in this configuration file will be
replaced by the phrase:
"{Password protected by Entrust Unattended Login}".
Subsequent starts of the service will extract the password
from the previously created UAL file.
-->
<JndiCredentials></JndiCredentials>
</PKDReaderServerTLS>
4 For the value of <JndiPrincipal>, enter the JNDI Principal that the PKD Reader
Server will use to connect to the directory. For example:
<JndiPrincipal>admin@example.com</JndiPrincipal>
A JNDI Principal is a directory user that can log in to the directory, typically a
directory administrator. Examples include DOMAIN\Administrator,
Administrator@example.com, and cn=Administrator,c=US.
5 For the value of <JndiCredentials>, enter the password for the JNDI Principal.
For example:
<JndiCredentials>Example@1234</JndiCredentials>
When you restart Administration Services, Administration Services will encrypt
the password in the UAL file. Administration Services will replace the password
in the pkdreader-config.xml file with the phrase “{Password protected by
Entrust Unattended Login}”.
6 Save and close the file.
7 Restart Administration Services.
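Because the password in step 5 is written in plaintext and is only protected on the next service start, it is worth confirming after step 7 that the replacement actually happened. The following Python snippet is an added example, not part of this guide or of Administration Services: it fills in the JNDI principal and credentials in a pkdreader-config.xml and classifies the file as anonymous bind, plaintext password, or protected by the Unattended Login marker quoted above. The XML sample is constructed from the fragment in step 3; the principal and paths are placeholders.

```python
"""Set and verify the JNDI bind credentials in pkdreader-config.xml.

Added example, not an Entrust tool. The XML sample is constructed from the
<PKDReaderServerTLS> fragment shown in the procedure; paths and the principal
are placeholders.
"""
import xml.etree.ElementTree as ET

# Phrase the service writes in place of the plaintext password on first start.
UAL_MARKER = "{Password protected by Entrust Unattended Login}"

SAMPLE_CONFIG = """<PKDReaderServerTLS>
  <Epf>c:\\authdata\\manager\\epf\\PKD Reader Server.epf</Epf>
  <Ual></Ual>
  <Pkcs11Library></Pkcs11Library>
  <Pkcs11Slot></Pkcs11Slot>
  <EntrustIni>c:\\authdata\\manager\\entrust.ini</EntrustIni>
  <JndiAuthentication>simple</JndiAuthentication>
  <JndiPrincipal></JndiPrincipal>
  <JndiCredentials></JndiCredentials>
</PKDReaderServerTLS>
"""


def _tls_element(root):
    """Locate <PKDReaderServerTLS>, whether it is the document root or nested."""
    if root.tag == "PKDReaderServerTLS":
        return root
    tls = root.find(".//PKDReaderServerTLS")
    if tls is None:
        raise ValueError("no <PKDReaderServerTLS> element in config")
    return tls


def set_jndi_credentials(xml_text, principal, password):
    """Return the config with simple-bind credentials filled in (steps 4 and 5)."""
    if not principal or not password:
        # Any blank parameter makes the service fall back to anonymous bind,
        # so refuse to write a half-configured file.
        raise ValueError("principal and password must both be non-empty")
    root = ET.fromstring(xml_text)
    tls = _tls_element(root)
    for tag, text in (("JndiAuthentication", "simple"),
                      ("JndiPrincipal", principal),
                      ("JndiCredentials", password)):
        el = tls.find(tag)
        if el is None:
            el = ET.SubElement(tls, tag)
        el.text = text
    return ET.tostring(root, encoding="unicode")


def jndi_state(xml_text):
    """Classify the file as 'anonymous', 'plaintext' or 'protected'.

    Per the comment in the file, a blank authentication, principal or
    credentials value means the service uses anonymous bind.
    """
    tls = _tls_element(ET.fromstring(xml_text))
    auth = (tls.findtext("JndiAuthentication") or "").strip()
    principal = (tls.findtext("JndiPrincipal") or "").strip()
    creds = tls.findtext("JndiCredentials") or ""
    if not (auth and principal and creds):
        return "anonymous"
    if creds == UAL_MARKER:
        return "protected"
    return "plaintext"


if __name__ == "__main__":
    cfg = set_jndi_credentials(SAMPLE_CONFIG, "cn=Administrator,c=US", "Example@1234")
    print("before edit:", jndi_state(SAMPLE_CONFIG))
    print("after edit  :", jndi_state(cfg))
```

After restarting Administration Services, run jndi_state() on the real file: "protected" confirms the service started and encrypted the password into the UAL file; "plaintext" means the start did not complete and the directory password is still on disk in clear text.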

18 Configuring the PKD Reader Web Service
The PKD Reader Web service periodically contacts the ICAO PKD and downloads
foreign master lists, Document Signer certificates, and CRLs.
This chapter describes how to configure various components and features of the PKD
Reader Web Service provided by Administration Services. For more information about
configuring Administration Services, see the Administration Services Configuration
Guide.
This chapter includes the following sections:
• “Configuring email notification for PKD Reader” on page 426
• “Configuring the PKD Reader Web Service logs” on page 435
• “Configuring the PKD Reader download frequency” on page 437
• “Configuring the PKD Reader download attempts” on page 438
• “Configuring the LDAP page size” on page 439
• “Configuring the PKD Download connection settings” on page 440
• “Configuring the PKD Upload connection settings” on page 442
• “Configuring the CSCA materials storage folders” on page 444

Configuring email notification for PKD Reader
When you installed PKD Reader, you had the option to enable email notification for
PKD Reader. If you did not enable email notification during the installation, or you
want to configure how email notification works, complete the steps in this section.
For more information about email notification, see the Administration Services
Installation Guide.
• “Configuring SMTP server settings for the PKD Reader” on page 426
• “Email notification files for the PKD Reader” on page 427
• “Enabling and disabling email notification for PKD Reader” on page 428
• “Modifying email notification subject and message text for PKD Reader” on
page 431
• “Modifying PKD Reader email notification to use HTML content templates”
on page 433

Configuring SMTP server settings for the PKD Reader


Configure the SMTP server settings to configure how PKD Reader communicates
with your SMTP server. The settings were configured if you enabled email notification
when you installed PKD Reader.

To configure SMTP server settings for PKD Reader


1 Log in to the Administration Services server hosting the application server
components.
2 Open the configuration.global.xml file for the PKD Reader. You can find the
file in the following folder:
<AS-install>\services\pkdreader\pkdreader\webapp\WEB-INF\config
3 Locate the <SMTP> element.
4 In the <SMTP> element, configure the following child elements:
a In the <Charset> element, enter the character set used to forward
notification emails to the SMTP server. For example:
<Charset>UTF-8</Charset>
b In the <Host> element, enter the fully qualified host name of the SMTP
server. For example:
<Host>SMTPserver.company.com</Host>
c In the <Port> element, enter the port (1 to 65535) used to connect to the
SMTP host. For example:
<Port>25</Port>

5 If your SMTP server requires authentication, do the following:
a Enter true in the <Authentication> element. For example:
<Authentication>true</Authentication>
b Enter the SMTP server user ID in the <User> element. For example:
<User>SMTPuser</User>
c Enter the password for the SMTP server user ID in the <Password> element.
6 Save and close the file.

To configure the email addresses for the PKD Reader


1 Log in to the Administration Services server hosting the application server
components.
2 Navigate to the following folder:
<AS-install>\services\pkdreader\pkdreader\webapp\WEB-INF\ens\xsl\
<locale>
3 Open the common-config.xsl file.
4 To configure the email address that appears in the email message’s From field,
configure the following setting:
<xsl:variable name="lang.from.email">email.address@company.com
</xsl:variable>
5 To configure the email address that Administration Services sends email messages
to, configure the following setting:
<xsl:variable name="lang.admin.email">email.address@company.com
</xsl:variable>
Administration Services sends messages to this address only if the event is not
meant for a particular object. For example, if an administrator creates a user
account, Administration Services sends the message to the user's email address.
If an administrator performs another action that requires another administrator's
approval, Administration Services sends the message to this email address.
6 Save and close the file.

Email notification files for the PKD Reader


You can configure Administration Services to notify administrators or users by email
if a specific event occurs.
Table 26 on page 428 lists all the email notification events in the
configuration.global.xml file for PKD Reader. For information about enabling and
disabling email notification, see “Enabling and disabling email notification for PKD
Reader” on page 428.

Table 26: PKD Reader account tasks, event IDs, and email message files

Account task / interface label: DownloadCSCA - materials downloaded successfully
  Event ID in configuration.global.xml: download-success
  Email message files: download-success-content, download-success-subject
  Enabled by default: Yes

Account task / interface label: DownloadCSCA - error downloading materials
  Event ID in configuration.global.xml: download-failure
  Email message files: download-failure-content, download-failure-subject
  Enabled by default: Yes

Account task / interface label: PKDR Credentials Status - the PKD Reader ICAO credential is about to expire
  Event ID in configuration.global.xml: pkd-credential-expiring
  Email message files: pkd-credential-expiring-content, pkd-credential-expiring-subject
  Enabled by default: Yes

Account task / interface label: PKDR Credentials Status - the PKD Reader ICAO credential has expired
  Event ID in configuration.global.xml: pkd-credential-expired
  Email message files: pkd-credential-expired-content, pkd-credential-expired-subject
  Enabled by default: Yes

Enabling and disabling email notification for PKD Reader


You can configure Administration Services to notify administrators or users by email
if a specific event occurs. “Email notification files for the PKD Reader” on page 427
lists all the email notification events in the configuration.global.xml file for PKD
Reader.
Use the following procedures to enable and disable email notification for PKD Reader:
• “To enable or disable email notification for PKD Reader” on page 428
• “To enable or disable email notification for specific events for PKD Reader”
on page 429
• “To configure email notification event settings for PKD Reader” on page 430

To enable or disable email notification for PKD Reader


1 Log in to the Administration Services server hosting the application server
components.
2 Open the pkdreader-config.xml file in a text editor. You can find the file in the
following folder:

<AS-install>\services\pkdreader\pkdreader\webapp\WEB-INF\config
3 Locate the <Notifications> section:
<Notifications>
<Enabled>true</Enabled>
<Configuration>C:/Program Files/Entrust/AdminServices/services/pkd
reader/pkdreader/webapp/WEB-INF/config/configuration.global.xml</C
onfiguration>
</Notifications>
4 To enable email notification, set <Enabled> to true. To disable email notification,
set <Enabled> to false.
5 Save and close the file.
6 Open the configuration.global.xml file for the PKD Reader. You can find the
file in the following folder:
<AS-install>\services\pkdreader\pkdreader\webapp\WEB-INF\config
7 Locate the <Notification> element and configure the first <Enabled> element
as follows:
• To enable email notification, set the <Enabled> element to true.
<Enabled>true</Enabled>
• To disable email notification, set the <Enabled> element to false.
<Enabled>false</Enabled>
8 If required, enable or disable email notification for specific events. See “To enable
or disable email notification for specific events for PKD Reader” on page 429 for
details.
9 Save and close the file.
10 Restart Administration Services.

To enable or disable email notification for specific events for PKD Reader
1 Log in to the Administration Services server hosting the application server
components.
2 Open the configuration.global.xml file for PKD Reader. You can find the file
in the following folder:
<AS-install>\services\pkdreader\pkdreader\webapp\WEB-INF\config
3 Locate the <Notification> element.
4 In the <Notification> element, each <Event> child element refers to a specific
event. See “Email notification files for the PKD Reader” on page 427 for a list of
event IDs.
For each event, you can configure email notification as follows:

• To enable email notification for the event, set <Enabled> to true.
<Enabled>true</Enabled>
• To disable email notification for the event, set <Enabled> to false.
<Enabled>false</Enabled>
5 If required, configure the email notification event settings. See “To configure
email notification event settings for PKD Reader” on page 430 for details.
6 Save and close the file.
If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin), for
languages such as French or Japanese, save the file with UTF-8 encoding.
7 Restart Administration Services.

To configure email notification event settings for PKD Reader


1 Log in to the Administration Services server hosting the application server
components.
2 Open the configuration.global.xml file for the PKD Reader. You can find the
file in the following folder:
<AS-install>\services\pkdreader\pkdreader\webapp\WEB-INF\config
3 Locate the <EmailNotificationEvents> element.
4 In the <EmailNotificationEvents> element, each <EmailNotificationEvent>
child element refers to a specific email notification event. For each event, you can
configure the settings described in the following table.

Table 27: Email notification event settings

Setting Description
<ContentTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the text of the message. See
“Modifying email notification subject and message text for PKD
Reader” on page 431 for details about editing this file.
Note: This is a system setting and should not be modified.
<FromTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the names and email addresses for
the RFC 822 From: and Reply-To: headers.
Note: This is a system setting and should not be modified.

<Id> Used to declare a unique identifier. This value must match an
identifier of a notification event that is sent by the
XAPNotificationHandler. It is the identifier that is used to
determine which email notification event should handle the
notification event.
Note: This is a system setting and should not be modified.
<RecipientTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the names and email addresses of
the recipients. The results of the transformation are a
<Recipients> element.
<SubjectTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the text of the RFC 822 Subject:
header. The result of the transformation is a <Subject> element.
See “Modifying email notification subject and message text for
PKD Reader” on page 431 for details about editing this file.

5 Save and close the file.


If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin), for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Restart Administration Services.
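The following script is an added example and is not part of this guide or of the Administration Services product. It reads a configuration.global.xml-style document, reports which event IDs actually send email (the <Enabled> switch directly under <Notification> and the event's own <Enabled> both have to be true), and cross-checks each <EmailNotificationEvent> described in Table 27 against the <Event> list and the XSL files that should exist under WEB-INF\ens\xsl. The root element name, the <Id> child under <Event>, the template names from and recipients, and the sample XML itself are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample (assumed layout, not the product's file): the first <Enabled>
# under <Notification> is the global switch, each <Event> carries its own <Enabled>,
# and <EmailNotificationEvents> holds the bindings from Table 27.
SAMPLE_CONFIG = """<Configuration>
  <Notification>
    <Enabled>true</Enabled>
    <Event><Id>download-success</Id><Enabled>true</Enabled></Event>
    <Event><Id>download-failure</Id><Enabled>true</Enabled></Event>
    <Event><Id>pkd-credential-expiring</Id><Enabled>false</Enabled></Event>
  </Notification>
  <EmailNotificationEvents>
    <EmailNotificationEvent>
      <Id>download-success</Id>
      <ContentTemplate>download-success-content</ContentTemplate>
      <SubjectTemplate>download-success-subject</SubjectTemplate>
      <FromTemplate>from</FromTemplate>
      <RecipientTemplate>recipients</RecipientTemplate>
    </EmailNotificationEvent>
    <EmailNotificationEvent>
      <Id>download-failure</Id>
      <ContentTemplate>download-failure-content</ContentTemplate>
      <SubjectTemplate>download-failure-subjectt</SubjectTemplate>
      <FromTemplate>from</FromTemplate>
      <RecipientTemplate>recipients</RecipientTemplate>
    </EmailNotificationEvent>
    <EmailNotificationEvent>
      <Id>pkd-credential-expired</Id>
      <ContentTemplate>pkd-credential-expired-content</ContentTemplate>
      <SubjectTemplate>pkd-credential-expired-subject</SubjectTemplate>
      <FromTemplate>from</FromTemplate>
      <RecipientTemplate>recipients</RecipientTemplate>
    </EmailNotificationEvent>
  </EmailNotificationEvents>
</Configuration>
"""

# Constructed stand-in for the .xsl files found in WEB-INF\ens\xsl (names without extension).
AVAILABLE_TEMPLATES = {
    "download-success-content", "download-success-subject",
    "download-failure-content", "download-failure-subject",
    "from", "recipients",
}

TEMPLATE_ELEMENTS = ("ContentTemplate", "SubjectTemplate", "FromTemplate", "RecipientTemplate")


def _child_text(element, tag):
    """Stripped text of a direct child element, or '' when absent or empty."""
    child = element.find(tag)
    return (child.text or "").strip() if child is not None else ""


def effective_events(xml_text):
    """Map each event ID to whether an email is actually sent for it.

    An event fires only when the global <Enabled> under <Notification> is true
    and the event's own <Enabled> is true.
    """
    notification = ET.fromstring(xml_text).find("Notification")
    if notification is None:
        return {}
    globally_on = _child_text(notification, "Enabled").lower() == "true"
    result = {}
    for event in notification.findall("Event"):
        event_on = _child_text(event, "Enabled").lower() == "true"
        result[_child_text(event, "Id")] = globally_on and event_on
    return result


def check_bindings(xml_text, available_templates):
    """Cross-check every <EmailNotificationEvent> against the <Event> IDs and the
    template files on disk. Returns a list of findings; empty means all resolve."""
    root = ET.fromstring(xml_text)
    known_ids = set(effective_events(xml_text))
    findings = []
    for binding in root.iter("EmailNotificationEvent"):
        event_id = _child_text(binding, "Id")
        if event_id not in known_ids:
            findings.append(f"{event_id}: no <Event> with this Id under <Notification>")
        for tag in TEMPLATE_ELEMENTS:
            name = _child_text(binding, tag)
            if not name:
                findings.append(f"{event_id}: <{tag}> is missing or empty")
            elif name not in available_templates:
                findings.append(f"{event_id}: <{tag}> refers to {name}.xsl, which does not exist")
    return findings


if __name__ == "__main__":
    print(effective_events(SAMPLE_CONFIG))
    for finding in check_bindings(SAMPLE_CONFIG, AVAILABLE_TEMPLATES):
        print(finding)
```

In the sample, download-failure points at a misspelled subject template and pkd-credential-expired has a binding but no <Event> entry; both are the kind of mismatch that otherwise only shows up as a missing email after the next restart.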

Modifying email notification subject and message text for PKD


Reader
Administration Services allows you to modify both the email subject and message text
for each email notification event.

Attention:
Only personnel with knowledge of XSLT should attempt to modify email
notification text. To compare your changes with the default versions of the XSL
files, see the <AS-install>\templates folder for the default files. Do not modify
any of the files in the templates folder.

To modify email notification subject text


1 Log in to the Administration Services server hosting the application server
components.

2 Go to the following folder:
<AS-install>\services\pkdreader\pkdreader\webapp\WEB-INF\ens\xsl
3 In a text editor, open the XSL subject file for the event you want to modify. See
“Email notification files for the PKD Reader” on page 427 for a list of event IDs
and email message files.
For example, to edit the subject line for the user-reactivate event, open the
user-reactivate-subject.xsl file.
4 Find the <Subject> element and modify the subject text.
For example, in the user-reactivate-subject.xsl file, you would modify the
text highlighted in bold:
<Subject>Your digital ID has been reactivated.</Subject>
5 Save and close the file.
If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin) for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Repeat this procedure for each event you want to modify.

To modify email notification message text


1 Log in to the Administration Services server hosting the application server
components.
2 Go to the following folder:
<AS-install>\services\pkdreader\pkdreader\webapp\WEB-INF\ens\xsl
3 In a text editor, open the XSL message content file for the event you want to
modify. See “Email notification files for the PKD Reader” on page 427 for a list
of event IDs and email message files.
For example, to edit the message for the user-reactivate event, open the
user-reactivate-content.xsl file.
4 In the file, modify the text in the notification area only.
For example, in the user-reactivate-content.xsl file, you would modify the
text highlighted in bold:
<xsl:template match="xap:User">
<xsl:variable name="userName">
<xsl:call-template name="attributeFromDN">
<xsl:with-param name="dn"
select="xap:Properties/xap:DN" />
<xsl:with-param name="attribute" select="'cn'" />
</xsl:call-template>
</xsl:variable>

Dear <xsl:value-of select="$userName" />,

Your Entrust digital ID has been reactivated.

Begin using your digital ID again at any time. If you have lost your
digital ID or forgotten your password, please contact your LRA.

<xsl:call-template name="signature"/>
</xsl:template>
5 Save and close the file.
If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin) for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Repeat this procedure for each event you want to modify.

Modifying PKD Reader email notification to use HTML content templates
By default, Administration Services email notifications are formatted to use plaintext
content templates, but you have the option to format the email notifications to also
use HTML content templates.
If an HTML template is specified for an event, both plaintext and HTML message
parts will be added to the email notification message. If the recipient’s email client
supports HTML, it will use the HTML message; if the email recipient’s email client
does not support HTML, the plaintext message will be used.

To modify PKD Reader email notification to use HTML


1 Log in to the Administration Services server hosting the application server
components.
2 Create an HTML file for every event ID you want to use both plaintext and HTML
content templates. You can give the HTML file any filename you choose, but you
must save it in the same file location as the plaintext version of the template.
3 Open the configuration.global.xml file for the PKD Reader. You can find the
file in the following folder:
<AS-install>\services\pkdreader\pkdreader\webapp\WEB-INF\config
4 Locate the <EmailNotificationEvents> element.
5 For every event ID you wish to use both plaintext and HTML content templates,
add <ContentHTMLTemplate>, the HTML template file name, and
</ContentHTMLTemplate> after the <ContentTemplate> line. For example (the
text in bold would be the new text you are adding):

<EmailNotificationEvent>
<ContentTemplate>dv-entity-add-content</ContentTemplate>
<ContentHTMLTemplate>dv-entity-add-content-html</ContentHTMLTemplate>
6 Save and close the file.
7 Restart Administration Services.
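As an added example (not part of this guide or of Administration Services), the following Python code shows what the plaintext and HTML content templates produce once combined: a multipart/alternative message whose text/plain part is always present and whose text/html part, when present, is the one HTML-capable clients display. The sender, recipient and body strings are constructed sample values standing in for rendered templates.

```python
from email.message import EmailMessage


def build_notification(subject, sender, recipients, text_body, html_body=None):
    """Assemble a notification the way the chapter describes it.

    The plaintext content template always yields a text/plain part. When an HTML
    content template is configured as well, the HTML becomes a second part and
    the message turns into multipart/alternative, so the recipient's client
    picks whichever it can render.
    """
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg.set_content(text_body)  # non-ASCII text is stored as UTF-8 automatically
    if html_body is not None:
        # add_alternative converts the message to multipart/alternative and appends
        # the HTML part last; MIME clients prefer the last alternative they can show.
        msg.add_alternative(html_body, subtype="html")
    return msg


def leaf_content_types(msg):
    """Content types of the leaf MIME parts, in wire order."""
    return [part.get_content_type() for part in msg.walk() if not part.is_multipart()]


def part_shown_by(msg, client_renders_html):
    """Content type of the part a client would display: an HTML-capable client
    takes text/html when present, and every client falls back to text/plain."""
    prefs = ("html", "plain") if client_renders_html else ("plain",)
    body = msg.get_body(preferencelist=prefs)
    return body.get_content_type() if body is not None else None


# Constructed sample bodies (French, to exercise the UTF-8 path mentioned above).
TEXT_BODY = "Les matériels CSCA ont été téléchargés avec succès.\n"
HTML_BODY = "<html><body><p>Les matériels CSCA ont été <b>téléchargés</b> avec succès.</p></body></html>\n"

if __name__ == "__main__":
    msg = build_notification("CSCA materials downloaded", "pkdreader@npkd.example",
                             ["ops@npkd.example"], TEXT_BODY, HTML_BODY)
    print(msg.get_content_type(), leaf_content_types(msg))
    print(msg.as_string())
```

Omitting html_body gives a single text/plain message, which is the default behaviour before a <ContentHTMLTemplate> is added.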

Configuring the PKD Reader Web Service logs
Administration Services allows you to customize the log file settings for the PKD
Reader Web Service. You can configure the following log settings:
• the log file name and location
• the level of messages recorded in the file
• the maximum size the log file can reach before a new log file is created
• the number of old log files to retain

To configure the PKD Reader Web Service logs


1 Log in to the server hosting the PKD Reader Web Service application server
components.
2 Open the pkdreader-config.xml file in an XML editor. You can find the file in
the following folder:
<AS-install>\services\pkdreader\pkdreader\webapp\WEB-INF\config
3 In the <Logging> section, configure the settings described in Table 28.

Table 28: PKD Reader Web Service log settings

Setting Description
<Level> Sets the level of detail for the logs.
The logging level can be one of (in increasing severity) TRACE, DEBUG, INFO,
WARNING, ERROR, ALERT, or FATAL. This sets the lowest level of message to show.
For example, ERROR provides messages of ERROR, ALERT and FATAL status.
Default: INFO
<FileName> Sets the name (including path) of the log file.
Default:
<AS-install>\services\pkdreader\pkdreader\logs\pkdreader_pkdreader.log
<FileSize> Sets the maximum size of a log file, in bytes.
Default: 1000000
Do not set the value to 0, or Apache Tomcat will fail to start.
<Backups> Sets the maximum number of log files to keep. After the last log file reaches the
maximum size, the first log file is overwritten.
Default: 10

4 Save and close the file.
5 Restart Administration Services.

Configuring the PKD Reader download frequency
By default, PKD Reader will attempt to download CSCA materials from the ICAO
PKD every 24 hours. You can configure how often PKD Reader will attempt to
download CSCA materials from the ICAO PKD.

To configure the PKD Reader download frequency


1 Log in to the server hosting the PKD Reader services.
The PKD Reader services are installed on a server hosting the Administration
Services application server components.
2 Open the pkdreader-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\pkdreader\pkdreader\webapp\WEB-INF\config
3 Locate the <DownloadPeriod> setting, and then enter how often (in hours) that
PKD Reader will attempt to download CSCA materials from the ICAO PKD. For
example:
<DownloadPeriod>24</DownloadPeriod>
4 Save and close the file.
5 Restart Administration Services.

Configuring the PKD Reader download attempts
By default, when attempting to download CSCA materials from the ICAO PKD, if
PKD Reader cannot establish a connection with the PKD, it will attempt to establish
a connection again before reporting a failure.
By default, PKD Reader makes three connection attempts before reporting a
failure. You can configure how many times PKD Reader will attempt to connect
to the PKD before reporting a failure.

To configure the PKD Reader download attempts


1 Log in to the server hosting the PKD Reader services.
The PKD Reader services are installed on a server hosting the Administration
Services application server components.
2 Open the pkdreader-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\pkdreader\pkdreader\webapp\WEB-INF\config
3 Locate the <DownloadAttempts> setting, and then enter the number of times
that PKD Reader will attempt to connect to the ICAO PKD before reporting a
failure. For example:
<DownloadAttempts>3</DownloadAttempts>
4 Save and close the file.
5 Restart Administration Services.

Configuring the LDAP page size
The ICAO PKD can contain thousands of master lists, Document Signer certificates,
and CRLs. During PKD Reader startup and periodically thereafter the service
populates a cache of CSCA materials from the ICAO PKD. By default, when
downloading CSCA materials, the PKD Reader will attempt to download all CSCA
materials at once in one LDAP search query. If the LDAP server search limit is ever
reached, not all CSCA materials will be returned.
To ensure that all CSCA materials will be returned from an LDAP search query, you
can configure the LDAP page size the PKD Reader will use when searching the ICAO
PKD and obtaining results. The LDAP page size controls how many entries per page
are returned from an LDAP query; the directory will continue to return pages of
search results until all results are returned.

To configure the LDAP page size


1 Log in to the server hosting the PKD Reader services.
The PKD Reader services are installed on a server hosting the Administration
Services application server components.
2 Open the pkdreader-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\pkdreader\pkdreader\webapp\WEB-INF\config
3 Locate the <LdapPageSize> setting, and then enter the LDAP page size. The
LDAP page size is the number of search results that will be returned per page.
For example, to limit 1000 results per page:
<LdapPageSize>1000</LdapPageSize>
If 0, the PKD Reader will not use LDAP paging.
4 Save and close the file.
5 Restart Administration Services.
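The following simulation is an added example, not code from this guide or from PKD Reader. It models a directory with a server-side search size limit and a client that either sends no paging control (an <LdapPageSize> of 0) or uses simple paged results with a given page size, so you can see why an unpaged search silently comes back short while a paged search returns every entry. The cookie encoding, the per-page application of the size limit, and the 2500 constructed Document Signer certificate entries are assumptions of the simulation.

```python
class SimulatedDirectory:
    """Stand-in for the ICAO PKD LDAP server.

    It enforces a server-side search size limit, as real directories do, and
    implements a simplified RFC 2696 simple paged results control. The cookie
    is just the offset of the next page (a simulation assumption; a real cookie
    is opaque to the client).
    """

    def __init__(self, entries, size_limit):
        self.entries = list(entries)
        self.size_limit = size_limit

    def search(self, page_size=0, cookie=b""):
        """Return (entries, next_cookie, size_limit_exceeded).

        page_size == 0 models a search sent without the paging control, which
        is what <LdapPageSize>0</LdapPageSize> means.
        """
        if page_size == 0:
            # Unpaged: the server stops at its limit and reports sizeLimitExceeded.
            # There is no cookie, so the client cannot ask for the remainder.
            page = self.entries[: self.size_limit]
            return page, b"", len(self.entries) > self.size_limit
        # Paged: the limit applies to each page, and the cookie lets the client go on.
        start = int.from_bytes(cookie, "big") if cookie else 0
        page = self.entries[start : start + min(page_size, self.size_limit)]
        end = start + len(page)
        next_cookie = end.to_bytes(4, "big") if end < len(self.entries) else b""
        return page, next_cookie, False


def download_all(directory, page_size):
    """Client loop as a PKD reader would run it: keep searching until the server
    returns an empty cookie. Returns (entries, pages_requested, complete)."""
    collected, cookie, pages = [], b"", 0
    while True:
        page, cookie, truncated = directory.search(page_size, cookie)
        collected.extend(page)
        pages += 1
        if truncated:
            return collected, pages, False   # size limit hit with no way to continue
        if not cookie:
            return collected, pages, True


# Constructed directory: 2500 DSC entries behind a 1000-entry server search limit.
PKD = SimulatedDirectory(
    [f"cn=DSC{i:04d},o=dsc,c=XX,dc=download,dc=pkd,dc=icao,dc=int" for i in range(2500)],
    size_limit=1000,
)

if __name__ == "__main__":
    for size in (0, 1000, 400, 5000):
        entries, pages, complete = download_all(PKD, size)
        print(f"LdapPageSize={size}: {len(entries)} entries in {pages} page(s), complete={complete}")
```

A page size larger than the server's limit is clamped to the limit per page, so it still completes; only the unpaged search loses entries, and it loses them without any error in the downloaded set itself.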

Configuring the PKD Download connection settings
The PKD Download connection settings are the settings the PKD Reader services use
to connect to the ICAO PKD Download Directory. You specified these settings when
you installed the PKD Reader services. Change these settings if you entered incorrect
information when you installed the PKD Reader services.

Note:
You should change the PKD Download connection settings only if you entered
incorrect information when you installed the PKD Reader services.

To configure the PKD Download connection settings


1 Log in to the server hosting the PKD Reader services.
The PKD Reader services are installed on a server hosting the Administration
Services application server components.
2 Open the pkdreader-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\pkdreader\pkdreader\webapp\WEB-INF\config
3 Locate the <PKDDownloadConnection> section.
4 Configure the settings described in Table 29.

Table 29: PKD Download connection settings

Setting Description

<LDAPAuthType> Specifies the LDAP authentication type to the ICAO PKD Download
Directory.
Permitted values:
• Anonymous for anonymous access
• Simple for simple authentication
• SSLServerAuth for SSL server authentication
• SASLClientAuth for SASL client authentication
By default, SSL server authentication (SSLServerAuth) is required to
connect to the ICAO PKD Download Directory.


<Host> The fully qualified host name of the PKD Download Directory server.
For example:
<Host>PKDDownloadSG.icao.int</Host>

<Port> The secure LDAP (LDAPS) port number of the PKD Download
Directory.
For example:
<Port>636</Port>

<LDAPID> A credential (such as the distinguished name of an LDAP user entry)
provided for connecting to the PKD Download Directory.
For example:
<LDAPID>cn=CADwnld1,c=CA,o=Dwnld,dc=pkdDwnld</LDAPID>

<ServerCertificate> The file path and name of the PKD Download Directory’s LDAP
server certificate (not the CA certificate).
For example:
<ServerCertificate>C:\ldap_server.cer</ServerCertificate>

<P12> If <LDAPAuthType> is set to SASLClientAuth, this setting specifies the
file path and name of the P12 file for SASL client authentication.
By default, SSL server authentication (SSLServerAuth) is required to
connect to the ICAO PKD Download Directory; no P12 file is required
for SSL server authentication.
To create a P12 file, you can use the createp12 tool. See “Obtaining
a PKD Access credential for the ICAO PKD” on page 315 for details.

<UAL> The Unattended Login (UAL) file for the P12 credential. This file
contains the encrypted password for the P12 credential. By default,
this setting contains no value because no P12 is used.
You can create UAL files with the Profile Creation Utility. See the
Administration Services Installation Guide for details.

5 Save and close the file.


6 Restart Administration Services.

Configuring the PKD Upload connection settings
The PKD Upload connection settings are the settings the PKD Reader services use to
connect to the ICAO PKD Upload Directory to retrieve CSCA Registry information. If
you enabled the CSCA Registry Download feature when you installed the PKD
Reader services, then you already specified these settings. Change these settings if
you entered incorrect information when you installed the PKD Reader services.

To configure the PKD Upload connection settings


1 Log in to the server hosting the PKD Reader services.
The PKD Reader services are installed on a server hosting the Administration
Services application server components.
2 Open the pkdreader-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\pkdreader\pkdreader\webapp\WEB-INF\config
3 Locate the <PKDUploadConnection> section.
4 Configure the settings described in Table 30.

Table 30: PKD Upload connection settings

Setting Description

<LDAPAuthType> Specifies the LDAP authentication type to the ICAO PKD Upload
Directory.
Permitted values:
• Anonymous for anonymous access
• Simple for simple authentication
• SSLServerAuth for SSL server authentication
• SASLClientAuth for SASL client authentication
By default, SASL client authentication (SASLClientAuth) is required to
connect to the ICAO PKD Upload Directory.

<Host> The fully qualified host name of the ICAO PKD Upload Directory server.
For example:
<Host>PKDUploadSG.icao.int</Host>


<Port> The secure LDAP (LDAPS) port number of the ICAO PKD Upload
Directory.
For example:
<Port>636</Port>

<LDAPID> A credential (such as the distinguished name of an LDAP user entry)
provided for connecting to the ICAO PKD Upload Directory.
For example:
<LDAPID>cn=CAUpld1,c=CA,o=Upld,dc=pkdUpld</LDAPID>

<ServerCertificate> The file path and name of the ICAO PKD Upload Directory’s LDAP server
certificate (not the CA certificate).
For example:
<ServerCertificate>C:\ldap_server.cer</ServerCertificate>

<P12> If <LDAPAuthType> is set to SASLClientAuth, this setting specifies the file
path and name of the P12 file for SASL client authentication.
By default, SASL client authentication (SASLClientAuth) is required to
connect to the ICAO PKD Upload Directory.
By default, this setting specifies the file path and name of the ICAO PKD
Access P12 credential. You specified this file when you installed the PKD
Reader services.
For example:
<P12>C:\pkd-access.p12</P12>
For information about creating the ICAO PKD Access P12 credential, see
“Obtaining a PKD Access credential for the ICAO PKD” on page 315.

<UAL> The Unattended Login (UAL) file for the P12 credential. This file contains
the encrypted password for the P12 credential. By default, the
Administration Services installer created this file when you installed the
PKD Reader services.
For example:
<UAL>C:\pkd-access.ual</UAL>
You can create UAL files with the Profile Creation Utility. See the
Administration Services Installation Guide for details.

5 Save and close the file.


6 Restart Administration Services.

Configuring the CSCA materials storage folders
When PKD Reader downloads foreign master lists, Document Signer certificates, and
CRLs from the ICAO PKD, it saves them to folders on the server hosting the PKD
Reader services.
If PKD Reader was installed on the same server hosting the DV Web Service, the CRLs
and Document Signer certificates are stored in the DV Web Service’s Incoming CSCA
materials folder (see “Configuring the incoming CSCA materials folder” on
page 1508).
You can change the location of the storage folders for the master lists, Document
Signer certificates, and CRLs that PKD Reader downloads from the ICAO PKD.

To configure the CSCA materials storage folders


1 Log in to the server hosting the PKD Reader services.
The PKD Reader services are installed on a server hosting the Administration
Services application server components.
2 Open the pkdreader-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\pkdreader\pkdreader\webapp\WEB-INF\config
3 To configure the storage folder for foreign master lists:
a Locate the <WriteFolderML> setting. For example:
<WriteFolderML>C:\Program Files\Entrust\AdminServices/services/pkdreader/pkdreader/foreign-master-lists</WriteFolderML>
b Change the location of the master lists storage folder as required. For
example:
<WriteFolderML>C:\New folder location</WriteFolderML>
4 To configure the storage folder for Document Signer certificates:
a Locate the <WriteFolderDSC> setting. For example:
<WriteFolderDSC>C:\Program Files\Entrust\AdminServices/services/pkdreader/pkdreader/doc-signer-certificates</WriteFolderDSC>
If PKD Reader was installed on the same server hosting the DV Web Service,
the Document Signer certificates are stored in the DV Web Service’s
Incoming CSCA materials folder (see “Configuring the incoming CSCA
materials folder” on page 1508).
b Change the location of the Document Signer certificates storage folder as
required. For example:
<WriteFolderDSC>C:\New folder location</WriteFolderDSC>
5 To configure the storage folder for CRLs:

444 Entrust® ePassport 3.00 Solutions Guide Document issue: 5.0


Report any errors or omissions
a Locate the <WriterFolderCRL> setting. For example:
<WriteFolderCRL>C:\Program Files\Entrust\AdminServices/services
/pkdreader/pkdreader/crls</WriteFolderCRL>
If PKD Reader was installed on the same server hosting the DV Web Service,
the CRLs are stored in the DV Web Service’s Incoming CSCA materials folder
(see “Configuring the incoming CSCA materials folder” on page 1508).
b Change the location of the CRLs storage folder as required. For example:
<WriteFolderCRL>C:\New folder location</WriteFolderCRL>
6 Save and close the file.
7 Restart Administration Services.
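As an added example (not part of this guide or of the PKD Reader services), the following check reads a pkdreader-config.xml-style document and flags the settings this chapter warns about: a <FileSize> of 0, an <LdapPageSize> of 0, a connection using SASLClientAuth without its P12 or UAL file, unknown <Level> or <LDAPAuthType> values, and empty storage folders. The root element name, the placement of the settings directly under it, and the sample document are constructed assumptions; the element names and default values are the ones given in the tables and procedures above.

```python
import xml.etree.ElementTree as ET

LOG_LEVELS = ("TRACE", "DEBUG", "INFO", "WARNING", "ERROR", "ALERT", "FATAL")
AUTH_TYPES = ("Anonymous", "Simple", "SSLServerAuth", "SASLClientAuth")
STORAGE_FOLDERS = ("WriteFolderML", "WriteFolderDSC", "WriteFolderCRL")

# Constructed sample (root element name and layout assumed) using the chapter's
# defaults, with a few deliberately weak values to exercise the checks.
SAMPLE_CONFIG = r"""<PKDReaderConfig>
  <Logging>
    <Level>INFO</Level>
    <FileName>C:\Program Files\Entrust\AdminServices\services\pkdreader\pkdreader\logs\pkdreader_pkdreader.log</FileName>
    <FileSize>0</FileSize>
    <Backups>10</Backups>
  </Logging>
  <DownloadPeriod>24</DownloadPeriod>
  <DownloadAttempts>3</DownloadAttempts>
  <LdapPageSize>0</LdapPageSize>
  <PKDDownloadConnection>
    <LDAPAuthType>SSLServerAuth</LDAPAuthType>
    <Host>PKDDownloadSG.icao.int</Host>
    <Port>636</Port>
    <LDAPID>cn=CADwnld1,c=CA,o=Dwnld,dc=pkdDwnld</LDAPID>
    <ServerCertificate>C:\ldap_server.cer</ServerCertificate>
  </PKDDownloadConnection>
  <PKDUploadConnection>
    <LDAPAuthType>SASLClientAuth</LDAPAuthType>
    <Host>PKDUploadSG.icao.int</Host>
    <Port>636</Port>
    <LDAPID>cn=CAUpld1,c=CA,o=Upld,dc=pkdUpld</LDAPID>
    <ServerCertificate>C:\ldap_server.cer</ServerCertificate>
    <P12>C:\pkd-access.p12</P12>
    <UAL></UAL>
  </PKDUploadConnection>
  <WriteFolderML>C:\Program Files\Entrust\AdminServices\services\pkdreader\pkdreader\foreign-master-lists</WriteFolderML>
  <WriteFolderDSC>C:\Program Files\Entrust\AdminServices\services\pkdreader\pkdreader\doc-signer-certificates</WriteFolderDSC>
  <WriteFolderCRL>C:\Program Files\Entrust\AdminServices\services\pkdreader\pkdreader\crls</WriteFolderCRL>
</PKDReaderConfig>
"""


def _text(parent, tag):
    """Text of a direct child: '' if present but empty, None if absent."""
    child = parent.find(tag)
    return None if child is None else (child.text or "").strip()


def _positive_int(value):
    return value is not None and value.isdigit() and int(value) > 0


def _check_connection(section, name, findings):
    auth = _text(section, "LDAPAuthType")
    if auth not in AUTH_TYPES:
        findings.append(f"{name}/LDAPAuthType: {auth!r} is not one of {', '.join(AUTH_TYPES)}")
    if not _text(section, "Host"):
        findings.append(f"{name}/Host: a fully qualified host name is required")
    if not _positive_int(_text(section, "Port")):
        findings.append(f"{name}/Port: must be a positive LDAPS port number (636 in the examples)")
    # Assumption: the server certificate is needed for both TLS-based types.
    if auth in ("SSLServerAuth", "SASLClientAuth") and not _text(section, "ServerCertificate"):
        findings.append(f"{name}/ServerCertificate: required for {auth}")
    if auth == "SASLClientAuth":
        if not _text(section, "P12"):
            findings.append(f"{name}/P12: SASLClientAuth needs the PKD Access P12 credential")
        if not _text(section, "UAL"):
            findings.append(f"{name}/UAL: SASLClientAuth needs the UAL file holding the P12 password")


def check_config(xml_text):
    """Return a list of findings for a pkdreader-config.xml document; empty means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    logging = root.find("Logging")
    if logging is None:
        findings.append("Logging: section missing")
    else:
        level = _text(logging, "Level")
        if level not in LOG_LEVELS:
            findings.append(f"Logging/Level: {level!r} is not one of {', '.join(LOG_LEVELS)}")
        if not _text(logging, "FileName"):
            findings.append("Logging/FileName: log file path is required")
        if not _positive_int(_text(logging, "FileSize")):
            findings.append("Logging/FileSize: must be greater than 0 bytes; 0 stops Apache Tomcat from starting")
        if not _positive_int(_text(logging, "Backups")):
            findings.append("Logging/Backups: must be a positive number of files to keep")
    for tag, unit in (("DownloadPeriod", "hours"), ("DownloadAttempts", "connection attempts")):
        if not _positive_int(_text(root, tag)):
            findings.append(f"{tag}: must be a positive number of {unit}")
    page = _text(root, "LdapPageSize")
    if page is None or not page.isdigit():
        findings.append("LdapPageSize: must be a non-negative integer")
    elif int(page) == 0:
        findings.append("LdapPageSize: 0 disables paging, so a directory search limit can silently truncate the download")
    for tag in ("PKDDownloadConnection", "PKDUploadConnection"):
        section = root.find(tag)
        if section is None:
            findings.append(f"{tag}: section missing")
        else:
            _check_connection(section, tag, findings)
    for tag in STORAGE_FOLDERS:
        if not _text(root, tag):
            findings.append(f"{tag}: storage folder path is required")
    return findings
```

Running check_config on the sample reports the zero <FileSize>, the zero <LdapPageSize> and the empty upload <UAL>; once those are corrected it returns an empty list.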

Section 6
National PKD section

This section provides instructions for installing a NPKD Services CA, installing and
configuring Administration Services, and administering data in the National PKD.
This section contains the following chapters:
• “Manually deploying a National PKD (optional)” on page 449
• “Installing an NPKD Services CA” on page 459
• “Deploying the NPKD services” on page 463
• “Configuring the NPKD services” on page 545
• “Administering data in the National PKD” on page 571
• “Customizing NPKD Administration” on page 715
• “Localizing NPKD Administration” on page 721

19
Manually deploying a National PKD (optional)
The National PKD stores data taken from the ICAO PKD—master lists, Document
Signer certificates, and CRLs—along with validation test results and metadata. The
data can be imported from the PKD Reader or imported from files.
When deploying the NPKD services provided by Administration Services, you have
the option to deploy a National PKD directory included with Administration Services,
or you can use your own directory.

Note:
Use this chapter only if you will deploy your own directory for the National PKD.
This chapter does not apply to the National PKD directory included with
Administration Services.

This chapter includes the following sections:


• “Installing an LDAP directory as the National PKD” on page 450
• “National PKD schema” on page 451
• “Adding required entries to the National PKD” on page 457
• “Information required to install the NPKD services” on page 458

Installing an LDAP directory as the National PKD
For the National PKD, install an LDAP directory. For installation instructions, follow
the directory documentation provided by the directory vendor.

Attention:
Microsoft Active Directory and Microsoft Active Directory Lightweight Directory
Services (AD LDS) are not supported as the National PKD directory.

When installing the directory, the top-level DN of the directory—sometimes called
the directory root DN, directory base DN, or the directory suffix—must use the
following DN:
dc=download,dc=pkd,dc=icao,dc=int
The directory must also contain a standard LDAP schema supporting X.509
certificates and CRLs. Additional schema object classes and attributes required by the
National PKD are outlined in “National PKD schema” on page 451.

National PKD schema
The LDAP directory used for the National PKD must already contain a standard LDAP
schema supporting X.509 certificates and CRLs. This section provides information
about the ICAO and Entrust-defined object classes and attributes required for the
National PKD.
This section contains the following topics:
• “Attributes” on page 451
• “Object classes” on page 455

Attributes
This section provides information about ICAO and Entrust-defined attributes required
for the National PKD.

pkdMasterListContent attribute
The pkdMasterListContent attribute contains a master list.
NAME pkdMasterListContent
OID 2.23.136.2.1.1
DESCRIPTION Contains a master list in accordance with the ICAO Technical Report
SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE

pkdVersion attribute
The pkdVersion attribute identifies the version of the ICAO PKD to which an object
was added.
NAME pkdVersion
OID 2.23.136.2.1.2
DESCRIPTION Identifies the version of the ICAO PKD an object was added
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE

pkdConformanceCode attribute
The pkdConformanceCode attribute contains a machine-readable ICAO PKD
conformance check result.
NAME pkdConformanceCode
OID 2.23.136.2.1.3
DESCRIPTION Contains a machine-readable ICAO PKD conformance check result
EQUALITY caseIgnoreMatch
SUBSTRING caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15

pkdConformanceText attribute
The pkdConformanceText attribute contains a human-readable ICAO PKD
conformance check result.
NAME pkdConformanceText
OID 2.23.136.2.1.4
DESCRIPTION Contains a human-readable ICAO PKD conformance check result
EQUALITY caseIgnoreMatch
SUBSTRING caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15

pkdPKCS10Content attribute
The pkdPKCS10Content attribute contains a PKCS #10 certificate request.
NAME pkdPKCS10Content
OID 2.23.136.2.1.8
DESCRIPTION Contains a PKCS #10 certification request
SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE

pkdDeviationListContent attribute
The pkdDeviationListContent attribute contains a deviation list in accordance with
the ICAO Technical Report.
NAME pkdDeviationListContent
OID 2.23.136.2.1.9
DESCRIPTION Contains a deviation list in accordance with the ICAO Technical Report
SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE

entrustNPKDCSCAMetaData attribute
The entrustNPKDCSCAMetaData attribute contains additional information about the
CSCA material, such as the source, client DN, hash of the material, and so on.
NAME entrustNPKDCSCAMetaData
OID 1.2.840.113533.7.81.1.0
DESCRIPTION Entrust NPKD CSCA Meta Data
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE

entrustNPKDAssuranceLevelPolicy attribute
The entrustNPKDAssuranceLevelPolicy attribute provides a set of rules that map
validation results onto assurance levels.
NAME entrustNPKDAssuranceLevelPolicy
OID 1.2.840.113533.7.81.1.1
DESCRIPTION Entrust NPKD Assurance Level Policy
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE

entrustNPKDAssuranceLevelExp attribute
The entrustNPKDAssuranceLevelExp attribute contains an assurance level
expiration date. The NPKD Services use this expiration date to quickly discover
expiring assurance levels.
NAME entrustNPKDAssuranceLevelExp
OID 1.2.840.113533.7.81.1.2
DESCRIPTION Entrust NPKD Assurance Level Expiration
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE

entrustNPKDAssuranceLevel attribute
The entrustNPKDAssuranceLevel attribute contains the assurance level of a CSCA
material, along with the test results.
NAME entrustNPKDAssuranceLevel
OID 1.2.840.113533.7.81.1.3
DESCRIPTION Entrust NPKD Assurance Level
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE

entrustNPKDSignature attribute
The entrustNPKDSignature attribute contains a signature covering hashes of all
attributes in the entry.
NAME entrustNPKDSignature
OID 1.2.840.113533.7.81.1.4
DESCRIPTION Entrust NPKD Signature
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE

entrustNPKDPublish attribute
The entrustNPKDPublish attribute contains a Boolean flag indicating whether the
CSCA material is eligible for publishing. CSCA materials eligible for publishing can be
distributed to clients through the NPKD Web Service. The attribute value is calculated
based on the validation tests and the assurance level policy. The attribute value can
also be used in searches for quick distribution to clients.
NAME entrustNPKDPublish
OID 1.2.840.113533.7.81.1.5
DESCRIPTION Entrust NPKD Publish
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE

entrustNPKDCreationDate attribute
The entrustNPKDCreationDate attribute contains the import date of the CSCA
material. Clients can use this attribute value to search for material by its last
import date.
NAME entrustNPKDCreationDate
OID 1.2.840.113533.7.81.1.6
DESCRIPTION Entrust NPKD Creation Date
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE

Object classes
This section provides information about ICAO and Entrust-defined object classes
required for the National PKD.

pkdMasterList object class


The pkdMasterList object class contains a master list.
NAME pkdMasterList
OID 2.23.136.2.2.1
DESCRIPTION object class containing a master list
SUPERIOR top
KIND auxiliary
MUST CONTAIN pkdMasterListContent

pkdDownload object class


The pkdDownload object class contains the ICAO PKD download attributes.
NAME pkdDownload
OID 2.23.136.2.2.2
DESCRIPTION object class containing ICAO PKD download attributes
SUPERIOR top
KIND auxiliary
MUST CONTAIN pkdVersion
MAY CONTAIN {pkdConformanceCode |
pkdConformanceText}

pkdPKCS10 object class


The pkdPKCS10 object class contains a PKCS #10 certificate request.
NAME pkdPKCS10
OID 2.23.136.2.2.4
DESCRIPTION object class containing a PKCS #10 certification request
SUPERIOR top
KIND auxiliary
MAY CONTAIN pkdPKCS10Content

pkdDeviationList object class
The pkdDeviationList object class contains a deviation list.
NAME pkdDeviationList
OID 2.23.136.2.2.5
DESCRIPTION object class containing a deviation list
SUPERIOR top
KIND auxiliary
MUST CONTAIN pkdDeviationListContent

entrustNPKDInfo object class


The entrustNPKDInfo object class contains Entrust NPKD-specific information. It
contains Entrust-defined attributes that store information about CSCA materials.
NAME entrustNPKDInfo
OID 1.2.840.113533.7.81.0.0
DESCRIPTION Entrust NPKD Info
SUPERIOR top
KIND auxiliary
MUST CONTAIN {entrustNPKDCSCAMetaData |
entrustNPKDAssuranceLevel |
entrustNPKDAssuranceLevelExp |
entrustNPKDSignature |
entrustNPKDCreationDate |
entrustNPKDPublish}

entrustNPKDPolicy object class


The entrustNPKDPolicy object class contains the Entrust NPKD assurance level
policy.
NAME entrustNPKDPolicy
OID 1.2.840.113533.7.81.0.1
DESCRIPTION Entrust NPKD Policy
SUPERIOR top
KIND auxiliary
MUST CONTAIN entrustNPKDAssuranceLevelPolicy
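Before loading entries that carry these classes, it is worth checking them against the MUST lists and attribute syntaxes above. The following Python script is an added example, not Entrust code: it tabulates the definitions from this section, renders them in RFC 4512 form (the syntax used by cn=schema LDIF and by OpenLDAP attributetype/objectclass directives), validates a candidate entry against them, and writes the entry as LDIF for ldapadd. entrustNPKDCSCAMetaData is defined earlier in the guide, so only its name is used here; the sample entry, its values and its structural object class (applicationProcess, a placeholder) are constructed for illustration.

```python
"""Check a candidate National PKD entry against the NPKD schema above and
render the schema in RFC 4512 form for loading into a directory.

Added example, not Entrust code. Names, OIDs, syntaxes and MUST/MAY lists
are copied from this section; entrustNPKDCSCAMetaData is defined earlier
in the guide, so only its name appears. The sample entry is constructed and
its structural class (applicationProcess) is a placeholder.
"""
import base64

OCTET_STRING = "1.3.6.1.4.1.1466.115.121.1.40"
BOOLEAN = "1.3.6.1.4.1.1466.115.121.1.7"
IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"

# name -> (OID, EQUALITY rule, SYNTAX); all six are SINGLE-VALUE
ATTRIBUTE_TYPES = {
    "entrustNPKDAssuranceLevelPolicy": ("1.2.840.113533.7.81.1.1", "octetStringMatch", OCTET_STRING),
    "entrustNPKDAssuranceLevelExp": ("1.2.840.113533.7.81.1.2", "octetStringMatch", OCTET_STRING),
    "entrustNPKDAssuranceLevel": ("1.2.840.113533.7.81.1.3", "octetStringMatch", OCTET_STRING),
    "entrustNPKDSignature": ("1.2.840.113533.7.81.1.4", "octetStringMatch", OCTET_STRING),
    "entrustNPKDPublish": ("1.2.840.113533.7.81.1.5", "booleanMatch", BOOLEAN),
    "entrustNPKDCreationDate": ("1.2.840.113533.7.81.1.6", "caseIgnoreIA5Match", IA5_STRING),
}

# name -> (OID, MUST, MAY); every class is AUXILIARY with SUPERIOR top
OBJECT_CLASSES = {
    "pkdMasterList": ("2.23.136.2.2.1", {"pkdMasterListContent"}, set()),
    "pkdDownload": ("2.23.136.2.2.2", {"pkdVersion"},
                    {"pkdConformanceCode", "pkdConformanceText"}),
    "pkdPKCS10": ("2.23.136.2.2.4", set(), {"pkdPKCS10Content"}),
    "pkdDeviationList": ("2.23.136.2.2.5", {"pkdDeviationListContent"}, set()),
    "entrustNPKDInfo": ("1.2.840.113533.7.81.0.0",
                        {"entrustNPKDCSCAMetaData", "entrustNPKDAssuranceLevel",
                         "entrustNPKDAssuranceLevelExp", "entrustNPKDSignature",
                         "entrustNPKDCreationDate", "entrustNPKDPublish"}, set()),
    "entrustNPKDPolicy": ("1.2.840.113533.7.81.0.1",
                          {"entrustNPKDAssuranceLevelPolicy"}, set()),
}


def attribute_type_definition(name):
    """RFC 4512 AttributeTypeDescription for one Entrust attribute."""
    oid, equality, syntax = ATTRIBUTE_TYPES[name]
    return f"( {oid} NAME '{name}' EQUALITY {equality} SYNTAX {syntax} SINGLE-VALUE )"


def object_class_definition(name):
    """RFC 4512 ObjectClassDescription for one class."""
    oid, must, may = OBJECT_CLASSES[name]
    text = f"( {oid} NAME '{name}' SUP top AUXILIARY"
    if must:
        text += " MUST ( " + " $ ".join(sorted(must)) + " )"
    if may:
        text += " MAY ( " + " $ ".join(sorted(may)) + " )"
    return text + " )"


def validate_entry(entry):
    """Schema violations for an entry given as {attribute: [values]};
    an empty list means the directory should accept it."""
    problems = []
    classes = entry.get("objectClass", [])
    for oc in classes:
        if oc in OBJECT_CLASSES:
            for attr in sorted(OBJECT_CLASSES[oc][1] - set(entry)):
                problems.append(f"{oc}: missing MUST attribute {attr}")
    # Auxiliary classes only decorate an entry; a structural class is required.
    if classes and all(oc == "top" or oc in OBJECT_CLASSES for oc in classes):
        problems.append("entry has no structural object class")
    for attr, values in entry.items():
        if attr not in ATTRIBUTE_TYPES:
            continue
        syntax = ATTRIBUTE_TYPES[attr][2]
        if len(values) != 1:
            problems.append(f"{attr}: SINGLE-VALUE attribute has {len(values)} values")
        for v in values:
            if syntax == BOOLEAN and v not in ("TRUE", "FALSE"):
                problems.append(f"{attr}: Boolean syntax requires TRUE or FALSE, got {v!r}")
            if syntax == IA5_STRING and not (isinstance(v, str) and v.isascii()):
                problems.append(f"{attr}: IA5 String syntax allows ASCII text only")
    return problems


def to_ldif(dn, entry):
    """LDIF for ldapadd; bytes values use the base64 '::' form."""
    lines = [f"dn: {dn}"]
    for attr, values in entry.items():
        for v in values:
            if isinstance(v, bytes):
                lines.append(f"{attr}:: {base64.b64encode(v).decode()}")
            else:
                lines.append(f"{attr}: {v}")
    return "\n".join(lines) + "\n"


# Constructed CSCA-material entry; the binary values are stand-ins.
SAMPLE_ENTRY = {
    "objectClass": ["top", "applicationProcess", "entrustNPKDInfo"],
    "cn": ["CSCA-Example"],
    "entrustNPKDCSCAMetaData": [b"\x30\x00"],
    "entrustNPKDAssuranceLevel": [b"\x30\x00"],
    "entrustNPKDAssuranceLevelExp": [b"20240101000000Z"],
    "entrustNPKDSignature": [b"\x30\x00"],
    "entrustNPKDCreationDate": ["20190401120000Z"],
    "entrustNPKDPublish": ["TRUE"],
}

if __name__ == "__main__":
    for name in OBJECT_CLASSES:
        print(object_class_definition(name))
    print(validate_entry(SAMPLE_ENTRY) or "sample entry is schema-valid")
    print(to_ldif("cn=CSCA-Example,dc=npkd-trust-data,dc=download,dc=pkd,dc=icao,dc=int", SAMPLE_ENTRY))
```

The validator only knows the classes defined on this page, so an attribute that belongs to the entry's structural class passes through unchecked; the directory server enforces the full schema when the LDIF is loaded.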

Adding required entries to the National PKD
Under the top-level directory DN (dc=download,dc=pkd,dc=icao,dc=int), you
must create the following entries in the National PKD:
dc=data,dc=download,dc=pkd,dc=icao,dc=int
dc=npkd-trust-data,dc=download,dc=pkd,dc=icao,dc=int

The dc=data entry


The directory structure of the dc=data entry mirrors the download portion of the
ICAO PKD: it holds country entries and, beneath them, DS certificates, CRLs and
master lists. The country entries and everything beneath them are created later,
when you import materials into the National PKD.

The dc=npkd-trust-data entry


The directory structure of the dc=npkd-trust-data entry is specific to the National
PKD. It stores the CSCA certificates that serve as trust anchors. The NPKD services
use these trust anchors to validate other materials.

Information required to install the NPKD
services
When using your own National PKD, the Administration Services installer will prompt
you for the following information:
• the fully qualified domain name (FQDN) of the server hosting your NPKD
Directory
• the LDAP port of the NPKD Directory (default 389)
• the distinguished name (DN) of a directory user that can access and manage
the NPKD Directory (because this account can modify the stored trust anchors,
use a dedicated account whose write access is limited to the NPKD subtree)
• the password of that directory user

20

Installing an NPKD Services CA


The NPKD Services CA issues profiles required to run the NPKD services provided by
Administration Services. Installing an NPKD Services CA requires that you install,
configure and initialize Security Manager as an NPKD Services CA.
The NPKD Services CA can be the CSCA or any other CA in an e-passport
environment.
This chapter includes the following sections:
• “Installing and configuring Security Manager” on page 460
• “Post-configuration steps” on page 461

Installing and configuring Security Manager
Before installing Security Manager, ensure that you read all preinstallation
information described in the Security Manager 8.3 Installation Guide. Ensure that
you install and configure a supported LDAP directory and database as described in
the Security Manager 8.3 Installation Guide.
When using the countryName (c=) directory attribute to specify a two-letter country
code, the two-letter country code must be in uppercase characters to meet the ISO
3166 standard.
Install, configure, and initialize Security Manager according to the instructions in
the Security Manager 8.3 Installation Guide. After installing and configuring Security
Manager, proceed to “Post-configuration steps” on page 461.

Post-configuration steps
After configuring your NPKD Services CA, you must perform the following steps:
1 Initialize Security Manager.
For more information about initializing Security Manager, see the Security
Manager 8.3 Installation Guide.
2 Install the latest Security Manager patches.
3 Install Security Manager Administration.
Security Manager Administration is the graphical interface for Security Manager.
Install Security Manager Administration according to the instructions in the
Security Manager Administration User Guide.
4 Deploy Administration Services (see “Deploying the NPKD services” on
page 463).
Administration Services provides Web-based services for managing materials
found in a National PKD.

21

Deploying the NPKD services


This chapter describes how to deploy the National PKD (NPKD) services provided by
Entrust Authority Administration Services: the NPKD Web Service and NPKD
Administration. The NPKD services allow you to manage master lists, CRLs, and
Document Signer certificates in the National PKD.
The NPKD Web Service retrieves CSCA certificates, master lists, Document Signer
certificates, and CRLs stored in the NPKD Directory, along with their assurance levels
and metadata.
NPKD Administration is a Web-based interface for administering the NPKD services.
NPKD administrators use NPKD Administration to import and manage CSCA
certificates, master lists, Document Signer certificates, and CRLs stored in the NPKD
Directory.
This chapter includes the following sections:
• “Deployment overview” on page 465
• “Installing and configuring the Web server (optional)” on page 467
• “Synchronizing Administration Services and Security Manager time settings”
on page 470
• “Creating certificate types for NPKD services” on page 471
• “Creating NPKD Server credentials” on page 473
• “Creating NPKD Client credentials” on page 476
• “Checking the entrust.ini file” on page 479
• “Obtaining files from the PKD Reader” on page 481
• “Installing the NPKD services” on page 482
• “Configuring NPKD Server authentication to a directory without anonymous
access” on page 515
• “Configuring PKD Reader Client authentication to a directory without
anonymous access” on page 517

• “Completing the Microsoft IIS front-end configuration for the NPKD
services” on page 519
• “Completing the Apache HTTP Server front-end configuration for the NPKD
services” on page 529
• “Creating or modifying a user policy for NPKD administrators” on page 535
• “Creating a role for NPKD administrators” on page 537
• “Creating NPKD administrators” on page 538
• “Testing NPKD Administration” on page 543

Deployment overview
Deploying Administration Services for a National PKD includes the following steps.
Each step is described in further detail in this chapter.
1 Review the list of supported operating systems, Web servers, and Web browsers
in the Entrust Authority Administration Services Release Notes. The most recent
Release Notes are posted on Entrust Datacard TrustedCare.
2 (Optional.) Install and configure a supported Web server (see “Installing and
configuring the Web server (optional)” on page 467).
The NPKD services consist of application server components and optional Web
server components. The Web server components allow you to configure a
front-end Web server so requests go through a Web server instead of directly to
the application server.
3 Synchronize the application server and Security Manager Certification Authority
time setting (see “Synchronizing Administration Services and Security Manager
time settings” on page 470).
4 Create new certificate types for NPKD clients and administrators (see “Creating
certificate types for NPKD services” on page 471).
5 Create Entrust profiles for Administration Services:
• “Creating NPKD Server credentials” on page 473
• “Creating NPKD Client credentials” on page 476
6 Check the settings in the entrust.ini file (see “Checking the entrust.ini file” on
page 479).
7 (Optional.) The NPKD services can import CSCA materials from the PKD Reader
into the National PKD. To import materials from PKD Reader, the NPKD services
require files and other information from PKD Reader. Obtain the required files
and information from PKD Reader (see “Obtaining files from the PKD Reader”
on page 481).
8 Install the NPKD services (see “Installing the NPKD services” on page 482).
9 If the Security Manager directory does not allow anonymous authentication, you
must configure authentication to the directory:
• “Configuring NPKD Server authentication to a directory without anonymous
access” on page 515
• “Configuring PKD Reader Client authentication to a directory without
anonymous access” on page 517
10 If you configured the NPKD services to use a front-end Web server, you must
complete the front-end configuration:
• “Completing the Microsoft IIS front-end configuration for the NPKD
services” on page 519

• “Completing the Apache HTTP Server front-end configuration for the NPKD
services” on page 529
11 Create or modify a user policy for NPKD administrators (see “Creating or
modifying a user policy for NPKD administrators” on page 535).
12 Create a new role for NPKD administrators (see “Creating a role for NPKD
administrators” on page 537).
13 Create profiles for NPKD administrators (see “Creating NPKD administrators” on
page 538).
14 Test Administration Services (see “Testing NPKD Administration” on page 543).

Installing and configuring the Web server
(optional)
The NPKD services consist of application server components and optional Web server
components. The Web server components allow you to configure a front-end Web
server so requests go through a Web server instead of directly to the application
server.
Before installing and configuring a supported Web server, familiarize yourself with the
specific security requirements for Administration Services. For a list of supported Web
servers, see the Administration Services Release Notes.
You must install the Web server software according to the documentation provided
with the product. It is recommended that you create and maintain a dedicated Web
server instance for Administration Services.
After successfully installing the Web server, perform the tasks listed in the following
sections:
• “Enabling SSL on your Web server” on page 467
• “Testing the SSL-enabled Web server” on page 468
• “Microsoft IIS features required for Administration Services” on page 468
• “Configuring the VirtualHost directive on Apache HTTP Server” on
page 469

Enabling SSL on your Web server


Enable Secure Sockets Layer (SSL) encryption on your Web server to secure the
connection between the client’s Web browser and Administration Services. SSL, and its
successor Transport Layer Security (TLS), is a transport-security protocol that sits
beneath HTTP and protects the confidentiality and integrity of data transmitted over
the network.

Note:
Web Server SSL certificates must be issued by a Certification Authority.
Self-signed certificates are not supported.

You need a Web server certificate to enable SSL on your Web server. You can use the
following Entrust products to obtain Web server certificates:
• To generate large numbers of licensed Web server certificates, use Entrust
Authority Enrollment Server for Web.

Enrollment Server for Web is a Security Manager client application that runs
on a Web server, and allows you to create Web server certificates that are
signed by your own CA.
• To issue small numbers of licensed Web server certificates, use Entrust
Certificate Management Services.
Entrust Certificate Management Service provides you with flexible certificate
options, auditing and reporting tools, and on-demand services for your SSL
certificate needs. For more information, see the Web site at
https://www.entrustdatacard.com/products/ssl-certificates/certificate-management.
• You can also use Security Provider for Windows to generate licensed
Enterprise Web server certificates for machines.
Using Entrust Entelligence Security Provider for Windows to generate
Enterprise Web server certificates allows IIS to communicate with Security
Provider to automatically update the Web server certificate. For details, see
the Entrust Entelligence Security Provider for Windows Administration
Guide.
When you configure SSL on your Web server, it is recommended that you require
strong encryption (at least 128-bit symmetric ciphers) for Web browsers accessing
your Web server, and that you disable protocol versions and cipher suites your
organization considers obsolete. To enable SSL encryption, enable server
authentication on your Web server using the instructions provided in your Web
server documentation.

Testing the SSL-enabled Web server


Test the SSL connection between the Web server and client browser to ensure that
the Web server was properly installed and configured.

To test the Web server


1 From your client’s Web browser, enter your Web site’s URL using https instead
of http.
2 Check for the secure connection icon (a closed lock, shown in the address bar by
current browsers and at the bottom of the window by older ones).
The secure connection icon confirms that the browser negotiated an SSL connection
and accepted the server certificate. Also open the certificate details and confirm that
the certificate was issued by the CA you intended and that it names the Web server’s
fully qualified domain name: a browser accepts any certificate that chains to one of its
trusted roots, not only one from your CA.

Microsoft IIS features required for Administration Services


To run on Microsoft Internet Information Services (IIS), Administration Services
requires the following IIS features:
• IIS Management Console
• Static Content

• Default Document
• ISAPI Extensions
• ISAPI Filters
See your Microsoft IIS documentation for information about installing these features.

Configuring the VirtualHost directive on Apache HTTP Server


When installing the Administration Services Web components on Apache HTTP
Server, the installer will prompt you to provide the host name and SSL port of the Web
server. The installer will use this host name and SSL port and look for any entries in
the form of <VirtualHost server:port> in the httpd.conf file, followed by the
httpd-ssl.conf file.
If the installer does not find any entries, it will display a warning at the end of the
installation, and you must manually configure the Web server for Administration
Services.
To avoid this warning, use the <VirtualHost server:port> format when configuring
SSL, as described in the Apache HTTP Server documentation. If the server or port is
absent from the <VirtualHost> directive, the installer cannot configure Apache HTTP
Server for Administration Services.
The search for the <VirtualHost server:port> by the installer is also case-sensitive,
so when entering the fully qualified host name of the Web server into the installer,
enter the host name exactly as it appears in the configuration file.
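The following Python script is an added example, not Entrust code and not the installer’s own logic: it searches Apache configuration text for a <VirtualHost host:port> entry under the rules described above (exact host:port form, case-sensitive host name, httpd.conf before httpd-ssl.conf) and, when nothing matches, explains the usual causes. The two configuration fragments are constructed for illustration.

```python
"""Look for the <VirtualHost host:port> directive the Administration Services
installer needs, with the same rules the text above describes: exact host:port
form, case-sensitive host name, httpd.conf searched before httpd-ssl.conf.

Added example, not Entrust code; the configuration fragments are constructed.
"""
import re

# Captures the address list of a <VirtualHost ...> opening tag.
VHOST_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+?)\s*>", re.MULTILINE)


def virtualhost_addresses(config_text):
    """All addresses declared by <VirtualHost> directives, in file order.
    One directive may list several, e.g. <VirtualHost a:443 b:443>."""
    return [addr for group in VHOST_RE.findall(config_text) for addr in group.split()]


def installer_match(host, port, config_files):
    """config_files: [(name, text), ...] in the order the installer reads them.
    Returns the name of the first file with an exact 'host:port' entry, or None
    when the installer would end with a manual-configuration warning."""
    wanted = f"{host}:{port}"
    for name, text in config_files:
        if wanted in virtualhost_addresses(text):
            return name
    return None


def explain_mismatch(host, port, config_files):
    """Hints for the common reasons the installer cannot find the directive."""
    hints = []
    for name, text in config_files:
        for addr in virtualhost_addresses(text):
            h, sep, p = addr.rpartition(":")
            if not sep:
                hints.append(f"{name}: <VirtualHost {addr}> has no port; use {host}:{port}")
            elif p != str(port):
                continue
            elif h in ("*", "_default_"):
                hints.append(f"{name}: <VirtualHost {addr}> is a wildcard; the installer needs {host}:{port}")
            elif h.lower() == host.lower():
                hints.append(f"{name}: <VirtualHost {addr}> differs from {host!r} only in case; "
                             "enter the host name exactly as written in the file")
    return hints


# Constructed fragments; note the mixed-case host name in httpd-ssl.conf.
HTTPD_CONF = """\
Listen 80
<VirtualHost *:80>
    ServerName npkd.example.com
</VirtualHost>
"""
HTTPD_SSL_CONF = """\
Listen 443
<VirtualHost NPKD.Example.com:443>
    ServerName npkd.example.com
    SSLEngine on
</VirtualHost>
"""
CONFIG_FILES = [("httpd.conf", HTTPD_CONF), ("httpd-ssl.conf", HTTPD_SSL_CONF)]

if __name__ == "__main__":
    for entered in ("NPKD.Example.com", "npkd.example.com"):
        found = installer_match(entered, 443, CONFIG_FILES)
        print(entered, "->", found or explain_mismatch(entered, 443, CONFIG_FILES))
```

Run it against the real httpd.conf and httpd-ssl.conf contents with the FQDN and SSL port you intend to type into the installer; a None result means the installer will not configure Apache for you.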

Synchronizing Administration Services and
Security Manager time settings
Before or after installing Security Manager and Administration Services, you must
synchronize the time settings on all machines. The Timestamp servlet marks all client
browser messages with a time stamp. The local clock on the Administration Services
machine provides the time stamp for the Timestamp servlet.
The Timestamp servlet component of Administration Services requires all machines to
have synchronized time settings, within a five minute window. If Security Manager
and Administration Services time settings are greater than five minutes apart, the
following message may appear:
The XAP message has an expired timestamp. The message contained a
timestamp that was outside the server’s acceptance window. Make
sure that the source used to obtain message timestamps is
synchronized with the server’s time.
You can use Network Time client applications (or another method approved by your
organization) to synchronize the time settings of Security Manager and all
Administration Services machines to within a five minute time window.

Creating certificate types for NPKD services
You must create new certificate types in Security Manager for NPKD clients and
NPKD administrators. NPKD clients are clients of the NPKD Web Service. NPKD
administrators use the NPKD Administration interface to manage CSCA materials in
the National PKD.
For the NPKD services, create the following certificate types:
• The ePassport Auditor (ent_epass_auditor) certificate type grants only read
access to CSCA materials in the National PKD. Users with this certificate type
can only view and export data from the National PKD.
This certificate type also grants read access to MLS Administration (see
“Creating an ePassport Auditor certificate type” on page 777), if the CSCA
issues credentials to both the NPKD services and Master List Signer services.
• The National PKD Service Administrator (ent_npkd_admin) certificate type
grants access to all functionality for managing CSCA materials in the National
PKD. Users with this certificate type can perform all available operations with
the National PKD.
For more information about creating certificate types, see the Security Manager
Administration User Guide.

To create certificate types for the NPKD services


1 From the NPKD Services CA, export the Security Manager certificate
specifications.
You can export the certificate specifications from Security Manager
Administration, or from Security Manager using the fcs export command. See
the Security Manager Administration User Guide or Security Manager
Operations Guide for details.
2 Open the certificate specifications file in a text editor.
3 Add the following to the [Certificate Types] section:
; ----------------------------------------------------------------------
; ePassport Auditor Certificate Type
; ----------------------------------------------------------------------
ent_epass_auditor=enterprise,ePassport Auditor,ePassport Auditor
; ----------------------------------------------------------------------
; Authority National PKD Service Certificate Type
; ----------------------------------------------------------------------
ent_npkd_admin=enterprise,National PKD Service Administrator,National PK
_continue_=D Service Administrator

4 Add the following to the [Extension Definitions] section:
[ent_epass_auditor Certificate Definitions]
1=Encryption
2=Verification

[ent_epass_auditor Common Extensions]
; encodes the id-Entrust-ePassportAuditor policy OID 2.16.840.1.114027.10.19
certificatepolicies=2.5.29.32,n,o,DER,300D300B06096086480186fa6b0a13

[ent_npkd_admin Certificate Definitions]
1=Encryption
2=Verification

[ent_npkd_admin Common Extensions]
; encodes the id-Entrust-NPKDAdmin policy OID 2.16.840.1.114027.10.20
certificatepolicies=2.5.29.32,n,o,DER,300D300B06096086480186fa6b0a14

5 Save and close the file.


6 Import the certificate specifications back into Security Manager.
You can import the certificate specifications from Security Manager
Administration, or from Security Manager using the fcs import command. See
the Security Manager Administration User Guide or Security Manager
Operations Guide for details.
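To confirm that a certificatepolicies value in the specification really encodes the policy OID its comment names (for instance after editing the file by hand), the following Python script, an added example and not Entrust code, encodes a policy OID into the DER certificatePolicies structure defined in RFC 5280 and decodes a value back to its OIDs. It uses only the standard library; the policy OIDs and hex values are the ones shown above, and the generated specification line copies the field layout of the lines above without interpreting the n and o flags.

```python
"""Recompute the DER value on the certificatepolicies lines above from the
policy OID, and decode a value back to its OIDs, so an edited certificate
specification can be checked before it is imported.

Added example, not Entrust code; standard library only. The policy OIDs and
hex strings come from the specification above; the generated line copies the
layout of those lines and does not interpret the n and o flags.
"""
import binascii

EPASSPORT_AUDITOR_POLICY = "2.16.840.1.114027.10.19"   # id-Entrust-ePassportAuditor
NPKD_ADMIN_POLICY = "2.16.840.1.114027.10.20"          # id-Entrust-NPKDAdmin


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted):
    """X.690 OBJECT IDENTIFIER: the first two arcs fold into 40*a+b; every arc
    is base-128 big-endian with the continuation bit set on all but the last octet."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    content = bytearray()
    for v in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        octets = [v & 0x7F]
        v >>= 7
        while v:
            octets.append(0x80 | (v & 0x7F))
            v >>= 7
        content += bytes(reversed(octets))
    return der_tlv(0x06, bytes(content))


def decode_oid(content):
    """Inverse of encode_oid, applied to the content octets of an OID TLV."""
    arcs, v = [], 0
    for b in content:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])


def parse_tlv(data, pos=0):
    """(tag, content, position after the element) for the TLV at data[pos]."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def certificate_policies(*policy_oids):
    """RFC 5280 certificatePolicies value: SEQUENCE OF PolicyInformation, each
    a SEQUENCE holding only the policyIdentifier (no policy qualifiers)."""
    return der_tlv(0x30, b"".join(der_tlv(0x30, encode_oid(o)) for o in policy_oids))


def policy_oids_from_hex(hex_value):
    """Decode a DER certificatePolicies value and list the policy OIDs in it."""
    data = binascii.unhexlify(hex_value)
    tag, seq, end = parse_tlv(data)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = parse_tlv(seq, pos)
        oid_tag, oid_content, _ = parse_tlv(info)
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(decode_oid(oid_content))
    return oids


def certificatepolicies_line(policy_oid):
    """The specification line for one policy, in the layout used above."""
    return f"certificatepolicies=2.5.29.32,n,o,DER,{certificate_policies(policy_oid).hex().upper()}"


if __name__ == "__main__":
    for oid in (EPASSPORT_AUDITOR_POLICY, NPKD_ADMIN_POLICY):
        line = certificatepolicies_line(oid)
        print(line, "->", policy_oids_from_hex(line.split(",")[-1]))
```

Decoding the hex from an exported specification and comparing the OIDs with the comments is a quick way to catch a copy-and-paste slip (for example a 13 where a 14 was intended) before the new certificate types are used to issue credentials.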

Creating NPKD Server credentials
Before installing Administration Services, you must create an NPKD Server profile.
The NPKD Server profile secures SSL connections with clients. The Administration
Services installer will prompt you for this profile.
For details about creating NPKD Server profiles, see the following topics:
• “Creating a user entry for an NPKD Server profile” on page 473
• “Creating an NPKD Server profile” on page 474
• “Updating NPKD Server profile keys” on page 475

Creating a user entry for an NPKD Server profile


You must create a user entry in Security Manager for the NPKD Server profile. You
can use Security Manager Administration to create a user entry for the NPKD Server
profile.
For more information about creating users with Security Manager Administration, see
the Security Manager Administration User Guide.

To create a user entry for the NPKD Server profile using Security Manager
Administration
1 Log in to Security Manager Administration for the NPKD Services CA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
4 Click the General tab.
5 From the Role drop-down list, select Server Login.
6 Select the Certificate Info tab, and then complete the following:

a In the Category drop-down list, select Enterprise.
b Under Certificate Type, select ePassport - SPOC Server.
7 Click OK.
8 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
The Operation Completed Successfully message appears, which displays the
reference number and authorization code.
Record these activation codes securely; they are required later to create and
activate the user’s Entrust digital ID.
For more details on how the reference number and authorization code are
used, see the Security Manager Administration User Guide.
9 You must add the host name of the server hosting the Administration Services
application server to the user entry:
a In the right pane, select the user you just created and then select Users >
Selected User > Properties.
b Click the SubjectAltName tab.
c Click Add.
The Add subjectAltName component dialog box appears.
d In the Select component name list, select DNS Name.
e In the Enter component value field, enter the Fully Qualified Domain Name
(FQDN) of the server hosting the Administration Services application server
(for example, appserver.example.com).
f Click OK to add the DNS name and close the Add subjectAltName
component dialog box.
g Click OK to save the changes.
h If prompted, authorize the operation. The operation may require more than
one authorization. See the Security Manager Administration User Guide for
details.
You have now created the user entry for the NPKD Server profile. Proceed to
“Creating an NPKD Server profile” on page 474.

Creating an NPKD Server profile


The NPKD Server profile can be stored on software (as an EPF file) or on a hardware
security module. You can use one of the following applications to create the NPKD
Server profile:
• Profile Creation Utility

The Profile Creation Utility can create the profile on software or hardware.
For instructions, see the Administration Services Installation Guide.
• Security Manager Administration
When using Security Manager Administration to create the profile, you must
create the profile on software. For instructions, see the following procedure.

To create an NPKD Server profile using Security Manager Administration


1 Create a user entry for the NPKD Server profile (see “Creating a user entry for an
NPKD Server profile” on page 473).
2 In the right pane, select the user entry you just created and then select Users >
Selected User > Create Profile.
The Create profile dialog box appears.
3 Click Create desktop profile.
4 In the Name field, enter the file name for the NPKD Server profile. Security
Manager Administration will append the .epf extension to the file name.
5 Click Browse to select a folder where you want to save the NPKD Server profile.
6 In the Password and Confirm fields, enter a password for the NPKD Server
profile.
7 Click OK.
You can now use this NPKD Server profile with Administration Services. You need the
NPKD Server profile, the profile password, and the profile location when you install
Administration Services.

Updating NPKD Server profile keys


It is not recommended that you copy profiles to other servers. If you do copy a profile,
and the profile keys are updated at one server, copy the updated profile file to each
server.
Keys are updated only on Administration Services start up. You may have to schedule
server restarts periodically with a frequency that corresponds to the configured
certificate lifetime.

Creating NPKD Client credentials
The NPKD Client profile is an SSL client profile, used by client applications to access
the NPKD Web Service. The Administration Services installer does not prompt you for
this profile when you install the NPKD services.
The DV Web Service can connect to the NPKD services to obtain CSCA materials from
the National PKD. Supporting a connection to the NPKD services requires an NPKD
Client profile. When installing the DV Web Service (see “Installing the DV Web
Service” on page 1422), if you choose to enable collecting CSCA materials from the
National PKD, the Administration Services installer will prompt you for the NPKD
Client profile.
If you will not enable the DV Web Service to collect CSCA materials from the National
PKD, creating an NPKD Client profile is optional.
For details about creating NPKD Client profiles, see the following topics:
• “Creating a user entry for an NPKD Client profile” on page 476
• “Creating an NPKD Client profile” on page 477
• “Updating NPKD Client profile keys” on page 478

Creating a user entry for an NPKD Client profile


You must create a user entry in Security Manager for the NPKD Client profile. You
can use Security Manager Administration to create a user entry for the NPKD Client
profile.
For more information about creating users with Security Manager Administration, see
the Security Manager Administration User Guide.

To create a user entry for the NPKD Client profile using Security Manager
Administration
1 Log in to Security Manager Administration for the NPKD Services CA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.

b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
d Select Create profile.
4 Click the General tab.
5 From the Role drop-down list, select Server Login.
6 Select the Certificate Info tab, and then complete the following:
a In the Category drop-down list, select Enterprise.
b Under Certificate Type, select ePassport Auditor. You created this certificate
type in “Creating certificate types for NPKD services” on page 471.
7 Click OK.
8 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
The Operation Completed Successfully message appears, which displays the
reference number and authorization code. Record these activation codes
securely; they are required later to create and activate the user’s Entrust
digital ID. For more details on how the reference number and authorization
code are used, see the Security Manager Administration User Guide.
You have now created the user entry for the NPKD Client profile. Proceed to
“Creating an NPKD Client profile” on page 477.

Creating an NPKD Client profile


You can store the NPKD Client profile on software (as an EPF file) or on a hardware
security module. Storing an NPKD Client profile on hardware is supported only for
the DV Web Service.
You can use one of the following applications to create the NPKD Client profile:
• Profile Creation Utility
The Profile Creation Utility can create the profile on software or hardware.
For instructions, see the Administration Services Installation Guide.
• Security Manager Administration
When using Security Manager Administration to create the profile, you must
create the profile on software. For instructions, see the following procedure.

To create an NPKD Client profile using Security Manager Administration
1 Create a user entry for the NPKD Client profile (see “Creating a user entry for an
NPKD Client profile” on page 476).
2 In the right pane, select the user entry you just created and then select Users >
Selected User > Create Profile.
The Create profile dialog box appears.
3 Click Create desktop profile.
4 In the Name field, enter the file name for the NPKD Client profile. Security
Manager Administration will append the .epf extension to the file name.
5 Click Browse to select a folder where you want to save the NPKD Client profile.
6 In the Password and Confirm fields, enter a password for the NPKD Client
profile.
7 Click OK.

Updating NPKD Client profile keys


It is not recommended that you copy profiles to other servers. If you do copy a profile,
and the profile keys are updated at one server, copy the updated profile file to each
server. Keys are updated only when the NPKD client is run.

Checking the entrust.ini file
Obtain a copy of the entrust.ini file from an NPKD Services CA administrator.
Copy the entrust.ini file to each machine that will host the NPKD services, and
note its location: you will enter the path to this file when you install
Administration Services.
Complete the following instructions to ensure the entrust.ini file is properly copied
and configured for Administration Services.

To check the entrust.ini file settings


1 Open the entrust.ini file in a text editor.
2 Ensure that the file contains the following lines:
• Server=<directory_machine>+<port>
Where:
– <directory_machine> is the IPv4 address or DNS name of the machine hosting
the directory.
– <port> is the LDAP port. The default port is 389.
For example:
Server=ldap.example.com+389
• Authority=<Security_Manager_machine>+<port>
Where:
– <Security_Manager_machine> is the IPv4 address or DNS name of the machine
hosting Security Manager.
– <port> is the PKIX-CMP port used by Security Manager. The default port
is 829.
For example:
Authority=securitymanager.example.com+829
• XAP=<XAP_server>+<port>
Where:
– <XAP_server> is the IPv4 address or DNS name of the XAP server.
– <port> is the port used by the XAP server. The default port is 443 or 1443.
For example:
XAP=securitymanager.example.com+1443
• CA Distinguished Name=<DN_of_CA>
Where <DN_of_CA> is the distinguished name of the Certification Authority.
For example:
CA Distinguished Name=ou=CA Entry,o=Example,c=US



• SearchBase=<DN_of_searchbase>
Where <DN_of_searchbase> is the distinguished name of the default
searchbase. For example:
SearchBase=ou=CA Entry,o=Example,c=US
3 If you are using a PKCS#11 v2 hardware device, ensure that the file contains the
following lines in the [Entrust Settings] section:
CryptokiV2LibraryNT=<pkcs11 library path>
Where <pkcs11 library path> is the full path to the PKCS#11 library supplied by
the hardware vendor. For example:
CryptokiV2LibraryNT=C:\Program Files\vendor1\device1.dll
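The following script is an added example, not part of this guide or the Entrust product. It applies the checks in the procedure above to an entrust.ini file: the Server, Authority and XAP lines in Entrust's <host>+<port> form (with a warning when a port differs from the documented defaults), the two distinguished names, and, when a hardware profile is in use, the CryptokiV2LibraryNT line in the [Entrust Settings] section. The sample file is constructed from the values quoted in the procedure; the section name for the host and DN keys is an assumption.

```python
"""Sanity-check an entrust.ini file for the NPKD services (added example)."""
import configparser
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the values quoted in the procedure.
SAMPLE_INI = """\
[Entrust Settings]
Server=ldap.example.com+389
Authority=securitymanager.example.com+829
XAP=securitymanager.example.com+1443
CA Distinguished Name=ou=CA Entry,o=Example,c=US
SearchBase=ou=CA Entry,o=Example,c=US
CryptokiV2LibraryNT=C:\\Program Files\\vendor1\\device1.dll
"""

# Required <host>+<port> keys and the default ports the guide documents.
HOST_PORT_DEFAULTS: Dict[str, set] = {
    "Server": {389},        # LDAP directory
    "Authority": {829},     # PKIX-CMP to Security Manager
    "XAP": {443, 1443},     # XAP server
}
DN_KEYS = ("CA Distinguished Name", "SearchBase")
PKCS11_KEY = "CryptokiV2LibraryNT"
PKCS11_SECTION = "Entrust Settings"   # section the procedure names for this key

# Entrust separates host and port with '+', not ':'.
_HOST_PORT_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)\+(?P<port>\d{1,5})$")
# Loose RFC 4514 shape: attr=value pairs separated by commas.
_DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(?:,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")


def parse_host_port(value: str) -> Tuple[str, int]:
    """Split 'ldap.example.com+389' into ('ldap.example.com', 389)."""
    match = _HOST_PORT_RE.match(value.strip())
    if not match:
        raise ValueError(f"expected <host>+<port>, got {value!r}")
    port = int(match.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is out of range")
    return match.group("host"), port


def _flatten(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each key to (section, value); the first occurrence wins."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    parser.optionxform = str  # keep key case, e.g. "CA Distinguished Name"
    parser.read_string(text)
    flat: Dict[str, Tuple[str, str]] = {}
    for section in parser.sections():
        for key, value in parser.items(section):
            flat.setdefault(key, (section, value))
    return flat


def check_entrust_ini(text: str, hardware_profile: bool = False) -> List[str]:
    """Return findings for the checks in the procedure; [] means all passed."""
    settings = _flatten(text)
    findings: List[str] = []
    for key, defaults in HOST_PORT_DEFAULTS.items():
        if key not in settings:
            findings.append(f"missing {key}=<host>+<port>")
            continue
        try:
            _host, port = parse_host_port(settings[key][1])
        except ValueError as exc:
            findings.append(f"{key}: {exc}")
            continue
        if port not in defaults:
            findings.append(f"{key}: port {port} is not a documented default "
                            f"{sorted(defaults)}; confirm it is intended")
    for key in DN_KEYS:
        if key not in settings:
            findings.append(f"missing {key}=<DN>")
        elif not _DN_RE.match(settings[key][1].strip()):
            findings.append(f"{key}: {settings[key][1]!r} does not look like a DN")
    if hardware_profile:
        if PKCS11_KEY not in settings:
            findings.append(f"hardware profile selected but {PKCS11_KEY} is missing")
        elif settings[PKCS11_KEY][0] != PKCS11_SECTION:
            findings.append(f"{PKCS11_KEY} must be in [{PKCS11_SECTION}], "
                            f"found in [{settings[PKCS11_KEY][0]}]")
    return findings


if __name__ == "__main__":
    for line in check_entrust_ini(SAMPLE_INI, hardware_profile=True) or ["entrust.ini: OK"]:
        print(line)
```

Run it against the real file with `check_entrust_ini(open(path).read(), hardware_profile=True)`; a non-default port is reported as something to confirm rather than an error, since the guide allows other ports.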



Obtaining files from the PKD Reader
When installing the NPKD services, the Administration Services installer will ask if you
want to enable a connection with PKD Reader. PKD Reader can import CSCA
materials into the National PKD.
To support a connection between PKD Reader and the NPKD services, the
Administration Services installer will prompt you for information provided from the
PKD Reader.
Obtain the following files and information from a PKD Reader administrator:
• entrust.ini file
It is recommended that you rename this file to pkdr_entrust.ini to avoid
confusing it with the entrust.ini file provided from the NPKD Services CA.
The PKD Reader Services CA and NPKD Services CA may be the same CA,
and therefore share the same entrust.ini file.
• a PKD Reader Client profile
For information about creating the PKD Reader Client profile at the PKD
Reader Services CA, see “Creating PKD Reader Client credentials” on
page 391. The PKD Reader Client profile can be stored on software (as an
EPF file) or on hardware.
• the PKD Reader Web Service URL
The URL for the PKD Reader Web Service is https://<server>:<port>/
pkdreader/services/PkdrwsService, where:
– <server> is the host name or IPv4 address of the server hosting the PKD
Reader Web Service.
– <port> is the SSL port for the PKD Reader Web Service (by default 443 or
12443).



Installing the NPKD services
This section outlines the steps required to install the NPKD services on supported
Windows operating systems. The NPKD services are supported only on Windows.
When installing Administration Services, you can install both the Web server
components and application server components on a single server, or you can install
the components on separate servers.
• Installing Administration Services on a single server installs both the Web
server components and application server components on the same server.
It is strongly recommended that you do not install Administration Services on
a single server in a production environment, especially if your deployment is
exposed to the Internet. You should only install Administration Services on a
single server for testing purposes.
• Installing Administration Services on separate servers allows you to install the
application server components on one server, and the Web server
components on the server hosting your Web server.
Installing the components on separate servers is more secure than installing
them on the same server. When installing the components on separate
servers, you must select the same services for each server. Note that some
services do not have Web server components.
When you add service instances, you will install the same components (Web server
components, application server components, or both) as you installed on the server
previously. If you install services on separate servers, add the same instances to both
servers.
The NPKD services consist of application server components and optional Web server
components. The Web server components allow you to configure a front-end Web
server so requests go through a Web server instead of directly to the application
server.
This section contains the following procedures:
• “To install the NPKD services application server components on Windows”
on page 482
• “To install the NPKD services Web server components on Windows” on
page 504

To install the NPKD services application server components on Windows


1 Install Administration Services 9.3. See the Administration Services 9.3
Installation Guide for instructions. When installing Administration Services:
a Select the Distributed installation type to install the application server
components and Web server components on separate servers.
b Select Application Server to install the application server components.



2 Configure Administration Services for the first time. See the Administration
Services 9.3 Installation Guide for instructions.
3 If Administration Services is already installed, stop the Administration Services
application server (Apache Tomcat).
4 Double-click the Administration Services installer.
5 The Administration Services Installer - Configuration page appears.

Click Next to continue.



6 The Configured Services page appears.

This page lists all configured services (if any). Click Next to add a new service.



7 If you have not yet configured centralized configuration, the Centralized
Configuration Settings page appears.

a Click Do Not Install Centralized Configuration. The ePassport services do
not use centralized configuration.
b Click Next.



8 The Select Services To Configure page appears.

a Select ePassport Services.
b Select Public Key Directory Services.
c Select National Public Key Directory Service (NPKD).
d The NPKD services can be installed on Apache Tomcat only (the
Administration Services application server) or on both Tomcat and a Web
server. If you will install the NPKD services on both Tomcat and a Web server,
select Configure the Web Server Front End.
Selecting Configure the Web Server Front End will have the installer
configure Tomcat to accept requests from the JK connector rather than
directly. Some manual configuration changes are still required after installing
the NPKD services.
If you leave Configure the Web Server Front End deselected, you can still
configure the Web server and Tomcat, but more manual steps are required.
e Click Next to continue.



9 If you chose to have the installer configure the Web server front end, the Web
Server’s Identifier and SSL Port Number page appears.

a In the Host Name field, enter the fully qualified host name of your Web site.
For example, webserver.example.com.
b In the Port Number field, enter the SSL port number of your Web site (by
default 443).
c Click Next.



10 The Web SSL Ports for NPKD page appears.

a In the Administration Web Application Port Number field, enter the port
number for the NPKD Administration interface (default 23443).
b In the Web Service Port Number field, enter the port number for the NPKD
Web Service (default 24443).
c Click Next.



11 The NPKD Entrust.ini Location page appears.

a In the text field, enter the full path and file name of the entrust.ini file
from the Entrust CA that issued the NPKD Server profile, or click Choose to
locate the file.
b Click Next.



12 If the entrust.ini file includes a setting specifying the full path to a valid
PKCS#11 library, the Select NPKD Profile Type page appears.

a Select one of the following options:
– If the NPKD Server profile is an EPF file stored on the local file system, select
Software Profile.
– If the NPKD Server profile is stored on hardware, select Hardware Token.
b Click Next.



13 If the NPKD Server profile is a software profile, the NPKD Profile page appears.

a In the Enter the location of the NPKD Profile field, click Choose to locate and
select the NPKD Server profile (EPF file).
b In the Enter the Password to login to your NPKD Profile field, enter the
password for the EPF file.
c Click Next.



14 If the NPKD Server profile is a hardware profile, the NPKD Hardware Token
Profile page appears.

a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the NPKD Server profile.
b In the Enter the Password to login to your NPKD Profile field, enter the
password for the profile.
c Click Next.



15 The NPKD - PKD Reader Entrust.ini Location page appears.

a To enable a connection with PKD Reader, select Enable import from PKD
Reader for NPKD Service.
b If you enabled a connection with PKD Reader:
– In the Enter the location of the PKD Reader entrust.ini field, enter the full
path and file name of the entrust.ini file from the Entrust CA that issued
the PKD Reader Client profile, or click Choose to locate the file.
– In the PKD Reader Web Service URL field, enter the URL of the PKD Reader
Web Service URL.
The URL for the PKD Reader Web Service is https://<server>:<port>/
pkdreader/services/PkdrwsService, where <server> is the host name
or IPv4 address of the server hosting the PKD Reader Web Service, and
<port> is the SSL port for the PKD Reader Web Service (by default 443 or
12443).
c Click Next.
If you did not enable a connection to PKD Reader, proceed to Step 19 on
page 497.



16 If the entrust.ini file from the PKD Reader Services CA includes a setting
specifying the full path to a valid PKCS#11 library, the Select NPKD - PKD Reader
Profile Type page appears.

a Select one of the following options:
– If the PKD Reader Client profile is an EPF file stored on the local file system,
select Software Profile.
– If the PKD Reader Client profile is stored on hardware, select Hardware
Token.
b Click Next.



17 If the PKD Reader Client profile is a software profile, the NPKD - PKD Reader
Profile page appears.

a In the Enter the location of the PKD Reader Profile field, click Choose to
locate and select the PKD Reader Client profile (EPF file).
b In the Enter the Password to login to your PKD Reader Profile field, enter the
password for the EPF file.
c Click Next.



18 If the PKD Reader Client profile is a hardware profile, the NPKD - PKD Reader
Hardware Token Profile page appears.

a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the PKD Reader Client profile.
b In the Enter the Password to login to your PKD Reader Profile field, enter
the password for the profile.
c Click Next.



19 The NPKD Directory Credentials page appears.

a Select one of the following options:
– To install a directory provided with the installer as the National PKD, select
Install Provided Directory.
The installer will install and configure an LDAP directory (ForgeRock
OpenDJ) with the required object classes, attributes, and entries for the
NPKD services.
– To use an existing directory as the National PKD, select Use Existing
Directory.
You must have already installed and configured an LDAP directory as the
National PKD as described in “Manually deploying a National PKD
(optional)” on page 449.
b If you are installing the provided directory:



Note:
Administration Services uses ForgeRock OpenDJ as the provided National PKD.
OpenDJ uses port 4444 for some internal operations. This port is configured to
listen only on the loopback address. This port is separate from the LDAP listen
port (default 389).

– In the NPKD Directory port number field, enter the LDAP port to use for
the National PKD (default 389).
– In the Enter the NPKD Directory Password field, enter a password for the
directory user.
For the provided directory, the distinguished name (DN) of the directory
user is cn=Directory Manager. You cannot change this DN.
– In the Enter the NPKD Directory Password Confirmation field, enter the
password again to confirm the password.
c If you are using an existing directory:
– In the Fully qualified host name of the NPKD Directory field, enter the fully
qualified host name of the NPKD Directory server.
– In the NPKD Directory port number field, enter the LDAP port of the
directory (default 389).
– In the NPKD Directory user field, enter the distinguished name (DN) of a
directory user that can access and manage the directory.
– In the Enter the NPKD Directory password field, enter the password of the
directory user.
d Click Next to continue.
If you are using an existing directory as the National PKD, the installer will
attempt to connect to the directory with the information you provided. If an error
occurs, a warning will appear. If you encounter an error, open the
<AS-install>\logs\adminservices_configuration.log for more
information. You can continue installing the NPKD services even if an error
occurs.



20 The Configure NPKD Email Notification page appears.

a To enable email notification for the NPKD services, select Enable Email
Notification for NPKD.
If you select this option, the email notification settings are enabled.
b If you chose to enable email notification for the NPKD services:
– In the Enter the SMTP Server Fully Qualified Domain Name field, enter the
fully qualified domain name of the SMTP server.
– In the SMTP Server Port field, enter the port number used by the SMTP
server (by default 25).
– In the Enter the NPKD Administrator Email Address field, enter the email
address where administrators will receive email notification messages.
The NPKD services send messages to this address only if the event is not
meant for a particular object. For example, if a user performs an action that
requires an administrator’s approval, the NPKD services send the message
to this email address.
– In the Enter the NPKD Appears From Email Address field, enter the email
address that will appear in the From field of the notification messages.
c Click Next.



21 The NPKD Configuration page appears with a summary of your installation
selections. For example:

a Check all your settings. If you need to change anything, click Previous to
return to that page and make your changes.
b Select Configure to configure the service instance.
c Click Next to proceed with the installation.



22 After the installation is complete, the NPKD Configuration Status page appears.
For example:

a If the installation is unsuccessful, a dialog box displays errors. See the
Administration Services Configuration Guide for possible solutions, or
contact Entrust Customer Support.
b Click Next.



23 The Configuration Complete page appears.

a Select one of the following options:
– If you are finished adding services, select End Configuration Program.
– If you want to add additional services, select Return to Configure Services.
b Click Next.



24 The Start The Service Automatically page appears.

a To use the service you just installed, you must restart the Administration
Services application server.
– To start the service automatically after exiting the installer, select Start the
service automatically. By default, this option is already selected.
– To not start the service after exiting the installer, deselect Start the service
automatically. You must manually restart Administration Services to use the
new service.
b Click Next.
The URL for the NPKD Web Service is
https://<server>:<port>/npkd/services/NpkdServiceV1, where:
• <server> is the host name or IPv4 address of the server hosting the NPKD
Web Service.
• <port> is the SSL port for the NPKD Web Service (by default 24443). You
specified this port when you installed the NPKD services.
NPKD Web Service clients need this URL to connect to the NPKD Web Service.
You can find the URLs to all installed services in the <AS-install>/services.txt
file.



The directory provided by Administration Services as the National PKD is ForgeRock
OpenDJ. If you are using the directory provided by Administration Services, the
directory is installed in the following location:
<AS-install>\services\npkd\npkd\directory\opendj
See the ForgeRock OpenDJ documentation for information about managing the
directory.

To install the NPKD services Web server components on Windows


1 Install Administration Services 9.3. See the Administration Services 9.3
Installation Guide for instructions. When installing Administration Services:
a Select the Distributed installation type to install the application server
components and Web server components on separate servers.
b Select Web Server to install the Web server components.
2 Double-click the Administration Services installer.
3 The Administration Services Installer - Configuration page appears.

Click Next to continue.



4 The Configured Services page appears.

This page lists all configured services (if any). Click Next to add a new service.



5 The Select Services To Configure page appears.

a Select ePassport Services.
b Select Public Key Directory Services.
c Select National Public Key Directory Service (NPKD).
d Click Next to continue.



6 If you are installing a service for the first time, the Select the Web Server page
appears.

a Select the Web server that you will use for Administration Services.
b Click Next.



7 If you are installing a service for the first time, the Web Server’s Identifier and SSL
Port Number page appears.

a In the Web Server’s Fully Qualified Host Name or IP Address field, enter the
fully qualified host name or IPv4 address of your Web site. For example,
webserver.example.com.
b In the Web Server’s SSL Port field, enter the SSL port number of your Web
site (by default 443).
c Click Next.



8 If you selected Apache HTTP Server earlier, the Web Server Configuration File
Location page appears.

a Enter the path to the folder that contains the Web server’s configuration file
(httpd.conf file) or click Choose to select the folder that contains the file.
b Click Next to continue.



9 If you are installing a service for the first time, the Application Server’s Identifier
page appears.

a In the text field, enter the fully qualified host name or IPv4 address of the
server hosting the application server components. For example,
appserver.example.com.
b Click Next.



10 The Web SSL Ports for NPKD page appears.

a In the Administration Web Application Port Number field, enter the port
number for the NPKD Administration interface (default 23443).
b In the Web Service Port Number field, enter the port number for the NPKD
Web Service (default 24443).
c Click Next.



11 The NPKD Configuration page appears with a summary of your installation
selections. For example:

a Check all your settings. If you need to change anything, click Previous to
return to that page and make your changes.
b Select Configure to configure the service instance.
c Click Next to proceed with the installation.



12 After the installation is complete, the NPKD Configuration Status page appears.
For example:

a If the installation is unsuccessful, a dialog box displays errors. See the
Administration Services Configuration Guide for possible solutions, or
contact Entrust Customer Support.
b Click Next.



13 The Configuration Complete page appears.

a Select one of the following options:
– If you are finished adding services, select End Configuration Program.
– If you want to add additional services, select Return to Configure Services.
b Click Next.
14 Restart your Web server.
The URL for the NPKD Web Service is
https://<server>:<port>/npkd/services/NpkdServiceV1, where:
• <server> is the host name or IPv4 address of the server hosting the NPKD
Web Service.
• <port> is the SSL port for the NPKD Web Service (by default 24443). You
specified this port when you installed the NPKD services.
NPKD Web Service clients need this URL to connect to the NPKD Web Service.
You can find the URLs to all installed services in the <AS-install>/services.txt
file.



Configuring NPKD Server authentication to a
directory without anonymous access
The following procedure explains how to configure the NPKD Server profile to
authenticate to the Security Manager directory when anonymous access is disabled.
The Java Naming and Directory Interface (JNDI) credentials are used to access the
Security Manager directory when anonymous bind is not available (for example, the
default setting in Active Directory). When anonymous bind is not available, edit the
Security Manager directory credentials in the npkd-config.xml file. If any of the
JNDI parameters is left blank, the NPKD Server falls back to an anonymous bind.

To configure directory access credentials


1 Log in to the server hosting the NPKD services.
The NPKD services are installed on a server hosting the Administration Services
application server components.
2 Open the npkd-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\config
3 Locate the <EntrustCredentials> section:
<EntrustCredentials>
<Epf>c:\authdata\manager\epf\NPKD Server.epf</Epf>
<Ual></Ual>
<Pkcs11Library></Pkcs11Library>
<Pkcs11Slot></Pkcs11Slot>
<!-- entrust.ini from PKD Admin CA -->
<EntrustIni>c:\authdata\manager\entrust.ini</EntrustIni>
<!-- Security Manager Directory credentials
- for environments where anonymous bind is not available (e.g.
default Active Directory)
These are the Java Naming and Directory Interface (JNDI)
credentials that are used for accessing the Security Manager
directory when anonymous bind is not available.
If any of these parameters are blank, then anonymous bind is
used. -->
<JndiAuthentication>simple</JndiAuthentication>
<JndiPrincipal></JndiPrincipal>
<!-- The JNDI credentials/password - initially entered in
plaintext.
When service starts, the password will be encrypted and bound
to the hardware using the Unattended Login UAL capabilities of
the Entrust Java Toolkit and stored to a file.
The plaintext password in this configuration file will be
replaced by the phrase:
"{Password protected by Entrust Unattended Login}".



Subsequent starts of the service will extract the password
from the previously created UAL file.
-->
<JndiCredentials></JndiCredentials>
</EntrustCredentials>
4 For the value of <JndiPrincipal>, enter the JNDI Principal that the NPKD Server
will use to connect to the directory. For example:
<JndiPrincipal>admin@example.com</JndiPrincipal>
A JNDI Principal is a directory user that can log in to the directory, typically a
directory administrator. Examples include DOMAIN\Administrator,
Administrator@example.com, and cn=Administrator,c=US.
5 For the value of <JndiCredentials>, enter the password for the JNDI Principal.
For example:
<JndiCredentials>Example@1234</JndiCredentials>
When you restart Administration Services, Administration Services will encrypt
the password in the UAL file. Administration Services will replace the password
in the npkd-config.xml file with the phrase “{Password protected by Entrust
Unattended Login}”.
6 Save and close the file.
7 Restart Administration Services.



Configuring PKD Reader Client authentication
to a directory without anonymous access
The following procedure explains how to configure the PKD Reader Client profile to
authenticate to the Security Manager directory of the PKD Reader Services CA when
anonymous access is disabled.
The Java Naming and Directory Interface (JNDI) credentials are used to access the
Security Manager directory when anonymous bind is not available (for example, the
default setting in Active Directory). When anonymous bind is not available, edit the
Security Manager directory credentials in the npkd-config.xml file. If any of the
JNDI parameters is left blank, the PKD Reader Client falls back to an anonymous bind.

To configure directory access credentials


1 Log in to the server hosting the NPKD services.
The NPKD services are installed on a server hosting the Administration Services
application server components.
2 Open the npkd-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\config
3 Under <PkdReaderConnection>, locate the <TLSClientCredentials> section:
<!-- Credentials to connect to PKD Reader WS instance -->
<PkdReaderConnection>
...
<TLSClientCredentials>
<!-- TLS client certificate -->
<Epf>c:\authdata\manager\epf\PKDR Client.epf</Epf>
<Ual></Ual>
<Pkcs11Library></Pkcs11Library>
<Pkcs11Slot></Pkcs11Slot>
<!-- entrust.ini from PKD Reader Transport CA -->
<EntrustIni>c:\authdata\manager\entrust.ini</EntrustIni>
<!-- Security Manager Directory credentials for environments
where anonymous bind is not available (e.g. AD) -->
<JndiAuthentication>simple</JndiAuthentication>
<JndiPrincipal></JndiPrincipal>
<!-- The JNDI credentials/password - initially entered in
plaintext. When the service starts, the password will be encrypted and
bound to the hardware using the UAL -->
<JndiCredentials></JndiCredentials>
</TLSClientCredentials>
...
</PkdReaderConnection>
4 For the value of <JndiPrincipal>, enter the JNDI Principal that the PKD Reader
Client will use to connect to the directory. For example:
<JndiPrincipal>admin@example.com</JndiPrincipal>
A JNDI Principal is a directory user that can log in to the directory, typically a
directory administrator. Examples include DOMAIN\Administrator,
Administrator@example.com, and cn=Administrator,c=US.
5 For the value of <JndiCredentials>, enter the password for the JNDI Principal.
For example:
<JndiCredentials>Example@1234</JndiCredentials>
When you restart Administration Services, Administration Services will encrypt
the password in the UAL file. Administration Services will replace the password
in the npkd-config.xml file with the phrase “{Password protected by Entrust
Unattended Login}”.
6 Save and close the file.
7 Restart Administration Services.
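The following script is an added example, not part of this guide or the Entrust product. It covers both procedures above in one place: it fills in the <JndiPrincipal> and <JndiCredentials> elements for the NPKD Server (under <EntrustCredentials>) or the PKD Reader Client (under <PkdReaderConnection>/<TLSClientCredentials>), reports which bind mode the file's own rule implies (any blank JNDI parameter means anonymous bind), and audits the file for a <JndiCredentials> value that is still plaintext rather than the Unattended Login placeholder. The sample XML, its <NpkdConfig> root element and the function names are constructed for the example.

```python
"""Set and audit JNDI directory credentials in npkd-config.xml (added example)."""
import xml.etree.ElementTree as ET
from typing import List

UAL_PLACEHOLDER = "{Password protected by Entrust Unattended Login}"
NPKD_SERVER = "./EntrustCredentials"
PKD_READER_CLIENT = "./PkdReaderConnection/TLSClientCredentials"
JNDI_TAGS = ("JndiAuthentication", "JndiPrincipal", "JndiCredentials")

# Constructed sample trimmed to the elements quoted in the procedures;
# the <NpkdConfig> root is an assumption, not the real file's root name.
SAMPLE_CONFIG = """\
<NpkdConfig>
  <EntrustCredentials>
    <Epf>c:\\authdata\\manager\\epf\\NPKD Server.epf</Epf>
    <EntrustIni>c:\\authdata\\manager\\entrust.ini</EntrustIni>
    <JndiAuthentication>simple</JndiAuthentication>
    <JndiPrincipal></JndiPrincipal>
    <JndiCredentials></JndiCredentials>
  </EntrustCredentials>
  <PkdReaderConnection>
    <TLSClientCredentials>
      <Epf>c:\\authdata\\manager\\epf\\PKDR Client.epf</Epf>
      <EntrustIni>c:\\authdata\\manager\\entrust.ini</EntrustIni>
      <JndiAuthentication>simple</JndiAuthentication>
      <JndiPrincipal></JndiPrincipal>
      <JndiCredentials></JndiCredentials>
    </TLSClientCredentials>
  </PkdReaderConnection>
</NpkdConfig>
"""


def _section(root: ET.Element, path: str) -> ET.Element:
    sec = root.find(path)
    if sec is None:
        raise KeyError(f"{path} not found in npkd-config.xml")
    return sec


def set_jndi_credentials(xml_text: str, path: str, principal: str, password: str) -> str:
    """Fill in simple-bind credentials for one section; returns the new XML text."""
    root = ET.fromstring(xml_text)
    sec = _section(root, path)
    for tag, value in zip(JNDI_TAGS, ("simple", principal, password)):
        el = sec.find(tag)
        if el is None:
            el = ET.SubElement(sec, tag)
        el.text = value
    return ET.tostring(root, encoding="unicode")


def bind_mode(xml_text: str, path: str) -> str:
    """'anonymous' if any JNDI parameter is blank (the rule stated in the file's
    own comment), otherwise 'simple'. A principal entered without a password
    therefore still binds anonymously, without any error."""
    sec = _section(ET.fromstring(xml_text), path)
    for tag in JNDI_TAGS:
        el = sec.find(tag)
        if el is None or not (el.text or "").strip():
            return "anonymous"
    return "simple"


def plaintext_jndi_passwords(xml_text: str) -> List[str]:
    """Paths of <JndiCredentials> whose value is neither blank nor the UAL
    placeholder, i.e. a password still sitting in plaintext on disk."""
    root = ET.fromstring(xml_text)
    leaks: List[str] = []
    for path in (NPKD_SERVER, PKD_READER_CLIENT):
        el = root.find(f"{path}/JndiCredentials")
        if el is not None and (el.text or "").strip() not in ("", UAL_PLACEHOLDER):
            leaks.append(f"{path}/JndiCredentials")
    return leaks


if __name__ == "__main__":
    edited = set_jndi_credentials(SAMPLE_CONFIG, NPKD_SERVER,
                                  "cn=Administrator,c=US", "Example@1234")
    print("bind mode:", bind_mode(edited, NPKD_SERVER))
    print("plaintext passwords before restart:", plaintext_jndi_passwords(edited))
```

After the restart described in the procedures, run `plaintext_jndi_passwords` against the real file: an empty list confirms that Administration Services replaced every password with the placeholder, and any path it returns is a credential that is still readable by whoever can read the file.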



Completing the Microsoft IIS front-end
configuration for the NPKD services
If you installed both the application server components and Web server components
of the NPKD services, the installer completed most of the work required to configure
the NPKD services to be front-ended by a Web server:
• On the application server machine, the installer configured Tomcat to accept
requests through the JK connector from a front-end Web server instead of
directly.
• On the Web server machine, the installer configured Microsoft IIS for the
NPKD services components and to forward NPKD service requests to the
application server machine. However, some additional steps must be
completed manually on Microsoft IIS to complete the Web Server front-end
configuration.
Complete the following steps in this section to complete the Microsoft IIS front-end
configuration. No additional steps are required on the server hosting the application
server components.
This section contains the following topics:
• “Assigning SSL certificates to the npkd Web site in Microsoft IIS” on
page 519
• “Increasing the upload buffer size for the npkd Web site in Microsoft IIS” on
page 522
• “Installing CA certificates in Microsoft IIS for the NPKD services” on
page 524

Assigning SSL certificates to the npkd Web site in Microsoft IIS


When you installed the Web server components of the NPKD services, the installer
created a new npkd Web site in Microsoft Internet Information Services (IIS). The
npkd Web site is for accepting and forwarding connections to NPKD Administration
or the NPKD Web Service. You must assign a valid SSL server certificate to this Web
site.
You should have already configured SSL on the Web server as described in “Installing
and configuring the Web server (optional)” on page 467. You can use the same SSL
server certificate for the new NPKD services Web site.

To assign SSL certificates to the npkd Web site on Microsoft IIS


1 Log in to the server hosting Microsoft IIS.
2 Open Internet Information Services (IIS) Manager by selecting Start, then click
the down arrow to access Apps, then click Internet Information Services (IIS)
Manager.



When listed by name or category, Internet Information Services (IIS) Manager is
listed under Administrative Tools.
The Internet Information Services (IIS) Manager dialog box appears.

3 In the Connections pane, expand <computer> > Sites. You should see the npkd
Web site.
4 In the Connections pane, select npkd.
5 In the Actions pane, under Edit, click Bindings.
The Site Bindings dialog box appears. You should see two https bindings,
typically for ports 24443 and 23443. These ports correspond to the ports you
selected for the NPKD Web Service and NPKD Administration when you installed
the NPKD services.

6 Select the first binding (for example, 24443), and click Edit.
The Edit Site Binding dialog box appears.

7 In the SSL certificate drop-down list, select a valid SSL certificate.


8 Click OK.
9 Select the second binding (for example, 23443), and click Edit.

The Edit Site Binding dialog box appears.

10 In the SSL certificate drop-down list, select a valid SSL certificate.


11 Click OK.
12 Restart the Web server:
a In the Connections pane, select the host name of your computer.
b In the Actions pane, under Manage Server, click Restart.

Increasing the upload buffer size for the npkd Web site in
Microsoft IIS
Microsoft IIS includes a server runtime setting named uploadReadAheadSize. This
setting specifies the number of bytes of a request body that IIS reads into a buffer
and passes to an ISAPI extension or module before the request is handed on. By
default, IIS reads 49152 bytes (48 kilobytes) into the buffer.
Using NPKD Administration, you can import CSCA materials from LDIF files. If an
LDIF file size is larger than the uploadReadAheadSize size, an error can occur and the
file contents will not be imported.
When you installed the Web server components of the NPKD services, the installer
created a new npkd Web site in Microsoft Internet Information Services (IIS). The
npkd Web site is for accepting and forwarding connections to NPKD Administration
or the NPKD Web Service.
Increase the value of the server runtime setting uploadReadAheadSize for the npkd
Web site.

To increase the upload buffer size for the npkd Web site in Microsoft IIS
1 Log in to the server hosting Microsoft IIS.
2 Open Internet Information Services (IIS) Manager by selecting Start, then click
the down arrow to access Apps, then click Internet Information Services (IIS)
Manager.
When listed by name or category, Internet Information Services (IIS) Manager is
listed under Administrative Tools.
The Internet Information Services (IIS) Manager dialog box appears.

3 In the Connections pane, expand <computer> > Sites.


You should see the npkd Web site.
4 In the Connections pane, select npkd.
5 In the npkd Home pane, double-click Configuration Editor.

6 From the Section drop-down list, expand system.webServer, then select
serverRuntime.
7 Increase the value of the uploadReadAheadSize setting. The value must be
between 0 and 2147483647. The recommended value is 200000000
(200 000 000 bytes, roughly 190 MB). IIS buffers up to this many bytes of each
request body in memory before passing it on, so do not set the value higher than
the largest LDIF file you expect to import.
8 In the Actions pane, click Apply.
9 Restart the Web server:
a In the Connections pane, select the host name of your computer.
b In the Actions pane, under Manage Server, click Restart.

Installing CA certificates in Microsoft IIS for the NPKD services


For the Web server to trust the client certificates that NPKD administrators present,
you must import the CA certificates of the CA that issues those client certificates (the
NPKD Services CA). The root CA certificate goes in the Local Machine Trusted Root
Certification Authorities store, as described below. If the issuing CA is a subordinate
CA, also import each intermediate CA certificate into the Intermediate Certification
Authorities store.
You should also install the CA certificate that issued the Web server SSL certificate, if
you have not installed it already. IIS requires it to trust the SSL certificate.

To install a CA certificate in Microsoft IIS
1 Export the root CA certificate from the CA to a file and copy the CA
certificate file to the server hosting Microsoft IIS. The file can be DER- or
Base64-encoded; the Certificate Import Wizard accepts both.
2 On the server hosting IIS, double-click the CA certificate file.
A Certificate dialog box appears.

3 Click Install Certificate.

The Certificate Import Wizard dialog box appears.

4 For Store Location, click Local Machine.


5 Click Next.
The Certificate Store screen appears.

6 Click Place all certificates in the following store.
7 Click Browse.
The Select Certificate Store dialog box appears.

8 Select Trusted Root Certification Authorities.
9 Click OK.
10 Click Next.
The Completing the Certificate Import Wizard page appears.

11 Click Finish.
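The three Microsoft IIS procedures above (assigning the certificate to both https bindings, raising uploadReadAheadSize, and importing the CA certificates) can also be performed and verified from an elevated PowerShell session. The following script is an added example and is not part of the Entrust guide or of Administration Services. The site name, ports, certificate subject, CA file paths and the assumption that the bindings listen on all addresses are taken from the guide's examples and must be adjusted to your deployment.

```powershell
# Added example, not part of the Entrust guide or of Administration Services.
# Run in an elevated PowerShell session on the IIS host; uses the WebAdministration
# and PKI modules that ship with Windows Server. Assumptions (change to match your
# deployment): site name "npkd", https bindings on all addresses for ports 24443 and
# 23443, a server certificate for webserver.example.com already in LocalMachine\My,
# and the NPKD Services CA certificate(s) exported to C:\certs.
Import-Module WebAdministration

$SiteName            = 'npkd'
$Ports               = 24443, 23443            # NPKD Web Service, NPKD Administration
$ServerFqdn          = 'webserver.example.com' # assumed subject of the server certificate
$RootCaFile          = 'C:\certs\npkd-services-root-ca.cer'   # assumed file name
$IntermediateCaFiles = @()                     # assumed empty; fill in if the issuing CA is subordinate

# 1. Select the server certificate by subject, requiring a private key and validity,
#    instead of binding whatever certificate happens to be first in the store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$ServerFqdn*" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No valid certificate with a private key for $ServerFqdn in LocalMachine\My" }

# 2. Assign it to both https bindings of the npkd site (steps 5 to 11 of the first procedure).
foreach ($port in $Ports) {
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port $port
    if (-not $binding) { throw "Site $SiteName has no https binding on port $port" }
    $binding.AddSslCertificate($cert.Thumbprint, 'my')
}

# 3. Raise uploadReadAheadSize so that LDIF imports larger than 48 KB succeed. IIS
#    buffers up to this many bytes of each request body in memory, so size it to the
#    largest LDIF you expect to import rather than to the 2 GB maximum.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter 'system.webServer/serverRuntime' -Name 'uploadReadAheadSize' -Value 200000000

# 4. Trust the CA that issues administrator client certificates. Root certificates
#    belong in Root; any intermediate CA certificates belong in CA, not in Root.
Import-Certificate -FilePath $RootCaFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
foreach ($file in $IntermediateCaFiles) {
    Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\CA | Out-Null
}

# 5. Restart IIS and read the settings back from HTTP.sys and applicationHost.config.
iisreset /restart | Out-Null
foreach ($port in $Ports) {
    [string]$hash = ((netsh http show sslcert ipport=0.0.0.0:$port | Select-String 'Certificate Hash') -replace '.*:\s*', '')
    $hash = $hash.Trim()
    if ($hash -ne $cert.Thumbprint) { Write-Warning "Port $port presents '$hash', expected $($cert.Thumbprint)" }
    else { "Port $port presents $($cert.Thumbprint)" }
}
(Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter 'system.webServer/serverRuntime' -Name 'uploadReadAheadSize').Value
# The installer decides whether client certificates are negotiated; read it back, do not change it here.
Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'
```

The script stops rather than guessing when no matching certificate or binding exists, and the final netsh check confirms that HTTP.sys, not only the IIS metabase, presents the intended certificate on each port.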

Completing the Apache HTTP Server front-end
configuration for the NPKD services
If you installed both the application server components and Web server components
of the NPKD services, the installer completed most of the work required to place the
NPKD services behind a front-end Web server:
• On the application server machine, the installer configured the JK connector
to accept requests from a front-end Web server instead of directly from clients.
• On the Web server machine, the installer configured Apache HTTP Server to
host the NPKD services front end and to forward NPKD service requests to the
application server machine. Some steps, however, must be completed manually
in Apache HTTP Server to finish the Web server front-end configuration.
Complete the procedures in this section to finish the Apache HTTP Server front-end
configuration. No additional steps are required on the server hosting the application
server components.
This section contains the following topics:
• “Assigning SSL certificates to the NPKD services VirtualHosts in Apache
HTTP Server” on page 529
• “Adding CA certificates to Apache HTTP Server for the NPKD services” on
page 532

Assigning SSL certificates to the NPKD services VirtualHosts in
Apache HTTP Server
When you installed the Web server components of the NPKD services, the installer
created two new <VirtualHost> directives in the Apache HTTP Server httpd.conf
file. These <VirtualHost> directives correspond to NPKD Administration and the
NPKD Web Service. You must assign a valid SSL server certificate, private key file, and
CA certificate to these <VirtualHost> directives.
You should have already configured SSL on the Web server as described in “Installing
and configuring the Web server (optional)” on page 467. You can use the same SSL
server certificate, private key file, and CA certificate for the new <VirtualHost>
directives.

To assign SSL certificates to the NPKD services VirtualHosts in Apache HTTP
Server
1 Open the Apache HTTP Server httpd.conf file in a text editor.

2 Locate the lines added by the Administration Services installer for the NPKD
services. The lines should look like the following:
# Entrust AdminServices NPKD start
# Please do not remove any lines that contain Entrust AdminServices,
# removing these lines may cause problems with the install/uninstall.
SSLSessionCache none
Listen 23443
<VirtualHost webserver.example.com:23443>
...
</VirtualHost>

Listen 24443
<VirtualHost webserver.example.com:24443>
...
</VirtualHost>
# Entrust AdminServices NPKD end
3 Each <VirtualHost> directive added by the installer for the NPKD services
includes the following settings:
SSLCertificateFile conf/ssl/TAG_SERVER_CERT
SSLCertificateKeyFile conf/ssl/TAG_SERVER_KEY
SSLCertificateChainFile conf/ssl/TAG_CA_CERT
SSLCACertificateFile conf/ssl/TAG_CA_CERT
Update all instances of these settings as follows. For more information about any
of these settings, see the Apache HTTP Server documentation.

Note:
If the file referenced by SSLCertificateChainFile or SSLCACertificateFile
contains too many certificates, Apache HTTP Server may fail to load all the
certificates. If the Web server fails to load all the certificates, it may be unable to
successfully maintain a session with the Web browser. To work around this issue,
you can use the SSLCACertificatePath setting instead of the
SSLCertificateChainFile or SSLCACertificateFile settings. For information
about using the SSLCACertificatePath setting, see the Apache HTTP Server
documentation.

• The SSLCertificateFile setting must specify the path and file name of a
PEM-encoded SSL server certificate. The path can be a path relative to the
Apache HTTP Server installation directory. For example:
SSLCertificateFile conf/ssl/server.crt
• The SSLCertificateKeyFile setting must specify the path and file name of
a private key file. The path can be a path relative to the Apache HTTP Server
installation directory. For example:
SSLCertificateKeyFile conf/ssl/server.key
This file should include the private key of the SSL server certificate. If the SSL
server certificate file also contains the private key, you can omit this setting.
Restrict read access to the private key file to the account that runs Apache
HTTP Server; anyone who can read it can impersonate the NPKD Web server.
• The SSLCertificateChainFile setting must specify the path and file name
of a PEM-encoded CA certificate chain file. The path can be a path relative
to the Apache HTTP Server installation directory. For example:
SSLCertificateChainFile conf/ssl/ca.crt
The CA certificates in this file form the CA certificate chain of the Web server
SSL certificate, from the issuing CA certificate to the root CA certificate. Each
CA certificate must be entered in PEM-encoded format. Apache HTTP Server
2.4.8 and later deprecates SSLCertificateChainFile in favor of appending the
chain to the file named by SSLCertificateFile; the directive written by the
installer still works, so you can keep it. For example:
-----BEGIN CERTIFICATE-----
(PEM-encoding of the issuing CA certificate)
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(PEM-encoding of the intermediate CA certificate)
0ABCDEFGHIJKLMNOPQRSTUVWXYZ123456789...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(PEM-encoding of the root CA certificate)
90ABCDEFGHIJKLMNOPQRSTUVWXYZ12345678...
-----END CERTIFICATE-----
• The SSLCACertificateFile setting must specify the path and file name of
a PEM-encoded CA certificates file. The path can be a path relative to the
Apache HTTP Server installation directory. For example:
SSLCACertificateFile conf/ssl/ca-certs.crt
The CA certificates in this file are the CA certificates used for verifying client
certificates. Each CA certificate must be entered in PEM-encoded format. For
example:
-----BEGIN CERTIFICATE-----
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
0ABCDEFGHIJKLMNOPQRSTUVWXYZ123456789...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
90ABCDEFGHIJKLMNOPQRSTUVWXYZ12345678...
-----END CERTIFICATE-----
The NPKD services will use this setting for verifying client certificates. See
“Adding CA certificates to Apache HTTP Server for the NPKD services” on
page 532 for more information.
For the NPKD services, only the NPKD Services CA will issue client
certificates. The NPKD Services CA issues profiles required to run the NPKD
services provided by Administration Services. The NPKD Services CA can be
the CSCA or any other CA in an e-passport environment.
4 Save and close the file.
5 Restart the Web server.

Adding CA certificates to Apache HTTP Server for the NPKD
services
For the Web server to trust all client certificates, you must import all CA certificates
from CAs that will issue client certificates. For the NPKD services, only the NPKD
Services CA will issue client certificates. The NPKD Services CA issues profiles required
to run the NPKD services provided by Administration Services. The NPKD Services CA
can be the CSCA or any other CA in an e-passport environment.
When you installed the Web server components of the NPKD services, the installer
created two new <VirtualHost> directives in the Apache HTTP Server httpd.conf
file. These <VirtualHost> directives correspond to NPKD Administration and the
NPKD Web Service.
Each <VirtualHost> directive added by the installer for the NPKD services includes
an SSLCACertificateFile setting:
SSLCACertificateFile conf/ssl/TAG_CA_CERT
The SSLCACertificateFile setting must specify the path and file name of a
PEM-encoded CA certificates file. The path can be a path relative to the Apache HTTP
Server installation directory. The NPKD services will use all the CA certificates in this
file for verifying client certificates.
You must create this file if it does not currently exist, and add all CA certificates to the
file. Apache HTTP Server will then trust all the client certificates issued by the CAs that
are specified in the file.

Note:
If the file referenced by SSLCACertificateFile contains too many certificates,
Apache HTTP Server may fail to load all the certificates. If the Web server fails to
load all the certificates, it may be unable to successfully maintain a session with
the Web browser. To work around this issue, you can use the
SSLCACertificatePath setting instead of the SSLCACertificateFile setting.
For information about using the SSLCACertificatePath setting, see the Apache
HTTP Server documentation.

To add CA certificates to Apache HTTP Server for the NPKD services


1 Export the root CA certificate from the CA to a file. The CA certificate must be in
PEM-encoded format. If the NPKD Services CA is a subordinate CA, also export
each CA certificate between it and the root, so that Apache HTTP Server can build
the full chain when it verifies a client certificate.
2 Copy the CA certificate file to the server hosting Apache HTTP Server.
3 If you previously created a file for the CA certificates, open that file in a text
editor. If you never created a file for CA certificates, create a new file in a text
editor.
If you previously created a file but do not remember the file name or where it is
located, open the Apache HTTP Server httpd.conf file in a text editor and
locate the following lines added by the Administration Services installer for the
NPKD services:
# Entrust AdminServices NPKD start
...
# Entrust AdminServices NPKD end
The SSLCACertificateFile setting specifies the path and file name of the file:
SSLCACertificateFile conf/ssl/ca-certs.crt
You can reuse the file specified by the SSLCertificateChainFile setting;
however, a separate file is recommended, because the chain file describes the
server certificate while this file defines which CAs may authenticate clients,
and the two should be able to change independently.
4 In the file, add each CA certificate in PEM-encoded format. For example:
-----BEGIN CERTIFICATE-----
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
0ABCDEFGHIJKLMNOPQRSTUVWXYZ123456789...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
90ABCDEFGHIJKLMNOPQRSTUVWXYZ12345678...
-----END CERTIFICATE-----
5 Save and close the file.
6 If you created a new file for CA certificates:
a Open the Apache HTTP Server httpd.conf file in a text editor.
b Locate the lines added by the Administration Services installer for the NPKD
services. The lines should look like the following:
# Entrust AdminServices NPKD start
# Please do not remove any lines that contain Entrust AdminServices,
# removing these lines may cause problems with the install/uninstall.
SSLSessionCache none
Listen 23443
<VirtualHost webserver.example.com:23443>
...
</VirtualHost>

Listen 24443
<VirtualHost webserver.example.com:24443>
...
</VirtualHost>
# Entrust AdminServices NPKD end
c Each <VirtualHost> directive added by the installer for the NPKD services
includes the following setting:
SSLCACertificateFile conf/ssl/ca-certs.crt
You may have already configured this setting in “Assigning SSL certificates
to the NPKD services VirtualHosts in Apache HTTP Server” on page 529.
The SSLCACertificateFile setting must specify the path and file name of
a PEM-encoded CA certificates file. The path can be a path relative to the
Apache HTTP Server installation directory. For example:
SSLCACertificateFile conf/ssl/ca-certs.crt
The NPKD services will use this setting for verifying client certificates.
d Save and close the file.
7 Restart the Web server.
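The two Apache HTTP Server procedures above (“Assigning SSL certificates to the NPKD services VirtualHosts in Apache HTTP Server” and “Adding CA certificates to Apache HTTP Server for the NPKD services”) leave you with three PEM files whose order and contents Apache only checks when it starts. The following PowerShell script is an added example, not part of the Entrust guide or of Administration Services: it parses those files with the .NET X509Certificate2 class and reports an out-of-order or incomplete chain, a missing root, and expired or duplicate CA certificates before you restart the server. The Apache installation directory and the file names are assumptions taken from the guide's examples.

```powershell
# Added example, not part of the Entrust guide or of Administration Services.
# Checks the PEM files referenced by the NPKD <VirtualHost> directives before you
# restart Apache HTTP Server. Needs Windows PowerShell 5.1 or later on Windows
# (X509Certificate2 parses PEM there). Assumptions: the Apache installation
# directory and the guide's example file names below.
$ApacheRoot = 'C:\Apache24'
$ServerCert = Join-Path $ApacheRoot 'conf\ssl\server.crt'    # SSLCertificateFile
$ChainFile  = Join-Path $ApacheRoot 'conf\ssl\ca.crt'        # SSLCertificateChainFile
$ClientCAs  = Join-Path $ApacheRoot 'conf\ssl\ca-certs.crt'  # SSLCACertificateFile

# Return every certificate in a PEM bundle, in file order.
function Read-PemBundle {
    param([Parameter(Mandatory)][string]$Path)
    $text = Get-Content -Path $Path -Raw
    $pattern = '-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($text, $pattern)) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [System.Text.Encoding]::ASCII.GetBytes($m.Value))
    }
}

$problems = [System.Collections.Generic.List[string]]::new()
$now = Get-Date

# SSLCertificateFile: the server certificate, and only that.
$leafs = @(Read-PemBundle $ServerCert)
if ($leafs.Count -eq 0) { throw "$ServerCert contains no certificate" }
if ($leafs.Count -gt 1) { $problems.Add("server.crt holds $($leafs.Count) certificates; the chain belongs in ca.crt") }
$leaf = $leafs[0]
"Server certificate: $($leaf.Subject), valid until $($leaf.NotAfter)"
if ($leaf.NotAfter -lt $now) { $problems.Add('server certificate has expired') }

# SSLCertificateChainFile: issuing CA first, root last, each certificate issued by the next.
$chain = @(Read-PemBundle $ChainFile)
$expected = $leaf.Issuer
for ($i = 0; $i -lt $chain.Count; $i++) {
    $c = $chain[$i]
    if ($c.Subject -ne $expected) { $problems.Add("ca.crt entry $i is '$($c.Subject)' but '$expected' was expected (chain out of order or incomplete)") }
    if ($c.NotAfter -lt $now) { $problems.Add("CA certificate '$($c.Subject)' in ca.crt has expired") }
    $expected = $c.Issuer
}
if ($chain.Count -eq 0 -or $chain[-1].Subject -ne $chain[-1].Issuer) { $problems.Add('ca.crt does not end with a self-signed root CA certificate') }

# SSLCACertificateFile: the CAs from which Apache will accept client certificates.
$cas = @(Read-PemBundle $ClientCAs)
"SSLCACertificateFile trusts $($cas.Count) CA certificate(s) for client authentication:"
foreach ($c in $cas) { "  $($c.Subject)" }
if ($cas.Count -eq 0) { $problems.Add('ca-certs.crt is empty; every client certificate will be rejected') }
foreach ($g in ($cas | Group-Object Thumbprint | Where-Object Count -gt 1)) {
    $problems.Add("duplicate CA certificate in ca-certs.crt: $($g.Group[0].Subject)")
}
foreach ($c in $cas) { if ($c.NotAfter -lt $now) { $problems.Add("CA certificate '$($c.Subject)' in ca-certs.crt has expired") } }

if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
'PEM files are consistent; restart Apache HTTP Server.'
```

The ordering check walks from the server certificate's Issuer upwards, which is exactly the order the guide requires for SSLCertificateChainFile. If you switch to SSLCACertificatePath as the notes above suggest, remember that Apache expects that directory to be hashed (with openssl rehash or c_rehash), not merely to contain the PEM files.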

Creating or modifying a user policy for NPKD
administrators
To access the NPKD Administration interface, NPKD administrators must have a valid
client certificate installed in their Web browser.
Administration Services includes applications that allow users to create a PKCS #12
Security Store. A PKCS #12 Security Store is a digital ID stored in a PKCS #12 (P12)
file that is saved on a local disk. After creating the P12 file, administrators can then
import it into their Web browser and use it to log in to NPKD Administration.
To export the PKCS #12 file, administrators must have a client policy that allows PKCS
#12 export.
You can modify an existing user policy to allow PKCS #12 export and external
authentication, or create a new user policy for NPKD administrators to allow PKCS
#12 export:
• “To modify an existing user policy for NPKD administrators” on page 535
• “To create a new user policy for NPKD administrators” on page 536

To modify an existing user policy for NPKD administrators


1 Log in to Security Manager Administration for the NPKD Services CA.
2 In the tree view, expand Security Policy > User Policies.
3 Select the user policy to modify. For example, select End User Policy to modify
the user policy assigned to the predefined End User role.
The End User role has no administrative permissions. NPKD administrators do not
require administrative permissions to perform operations in NPKD
Administration.
4 Under Policy Attributes:
a Select Allow PKCS#12 Export.
This setting allows users to export their digital ID to a PKCS #12 file.
b Select All Exportable.
This setting allows all private keys to be exported.
c (Optional.) Change the value of Minimum PKCS#12 Hash Count.
This setting specifies the minimum number of times that the user-supplied
password for the PKCS #12 file is hashed during export (the PKCS #12
key-derivation iteration count). You can enter a value between 1 (very weak)
and 10000 (very secure). A higher count makes offline guessing of the file's
password proportionally slower, at the cost of a slower export and import. The
default value of 2000 is sufficient for most deployments.
5 Click Apply.

6 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
The roles assigned to NPKD administrators must be assigned this user policy. For
information about creating a custom role for NPKD administrators, see “Creating a
role for NPKD administrators” on page 537.

To create a new user policy for NPKD administrators


1 Log in to Security Manager Administration for the NPKD Services CA.
2 In the tree view, expand Security Policy > User Policies.
3 Select End User Policy.
4 Select Policies > User Policies > Selected User Policy > Copy.
The Copy User Policy dialog box appears.
5 In the Label field, enter NPKD Administrator Policy.
6 In the Common name field, enter NPKD Administrator Policy.
7 In the Add to drop-down list, select the searchbase where you want to store the
user policy.
8 Under Policy Attributes, configure the following settings:
a Select Allow PKCS#12 Export.
This setting allows users to export their digital ID to a PKCS #12 file.
b Select All Exportable.
This setting allows all private keys to be exported.
c (Optional.) Change the value of Minimum PKCS#12 Hash Count.
This setting specifies the minimum number of times that the user-supplied
password for the PKCS #12 file is hashed during export. You can enter a
value between 1 (very weak) and 10000 (very secure). The default value of
2000 is sufficient for most deployments.
9 Click OK.
10 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
The roles assigned to NPKD administrators must be assigned this user policy. For
information about creating a custom role for NPKD administrators, see “Creating a
role for NPKD administrators” on page 537.

Creating a role for NPKD administrators
Each user in Security Manager requires a role. Each role in Security Manager is
assigned a client policy (user policy). You may have modified or created a new client
policy for NPKD administrators in “Creating or modifying a user policy for NPKD
administrators” on page 535.
If you created a new client policy for NPKD administrators or want to assign a
modified client policy to a role, create a new role for NPKD administrators.
You create roles using Security Manager Administration. For more information about
roles, see the Security Manager Administration User Guide.

To create a new role for NPKD administrators


1 Log in to Security Manager Administration for the NPKD Services CA.
2 Select Policies > Roles > New.
A role with the name <New Role> and a blue icon appears in the tree view, and
the new role’s properties appear in the right pane.
3 Click the Role tab and then complete the following:
a In the Unique name field, enter NPKD Administrator.
b In the Authorizations field, keep the default value of 1.
c Under the User Policy section, select the user policy you modified or created
in “Creating or modifying a user policy for NPKD administrators” on
page 535, such as NPKD Administrator Policy.
d Select the End User check box.
4 Click Apply.
5 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.

Creating NPKD administrators
You must create a user entry in Security Manager for each NPKD administrator. You
can use Security Manager Administration or the User Management Service
(Administration Services) to create the user entry.
For more information about creating users with Security Manager Administration, see
the Security Manager Administration User Guide.
For more information about creating users with the User Management Service, see
the Administration Services User Administration Guide.
This topic contains the following procedures:
• “To create a user entry for an NPKD administrator using Security Manager
Administration” on page 538
• “To create a user entry for an NPKD administrator using the User
Management Service” on page 540

To create a user entry for an NPKD administrator using Security Manager


Administration
1 Log in to Security Manager Administration for the NPKD Services CA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
d Ensure that the Create profile check box is not checked.
4 Click the General tab.
5 From the Role drop-down list, select a role for the NPKD administrator. You may
have created a role in “Creating a role for NPKD administrators” on page 537
named NPKD Administrator.

To create the NPKD administrator credentials as a PKCS #12 security store, the
client policy (user policy) assigned to the role must allow PKCS #12 export. For
details, see “Creating or modifying a user policy for NPKD administrators” on
page 535.
6 Select the Certificate Info tab, and then complete the following:
a In the Category drop-down list, select Enterprise.
b Under Certificate Type, select one of the following:
– To grant the NPKD administrator read-only access to information, select
ePassport Auditor.
– To grant the NPKD administrator access to all functionality, select National
PKD Service Administrator.
You created these certificate types in “Creating certificate types for NPKD
services” on page 471.
7 Click OK.
8 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
The Operation Completed Successfully message appears, which displays the
Reference number and Authorization code.
Record these activation codes in a secure manner, as they are required later to
create and activate the user’s Entrust digital ID.
For more details on how the reference number and authorization code are
used, see the Security Manager Administration User Guide.
You have created a user entry for an NPKD administrator. The NPKD administrator
must have a valid client certificate to access the NPKD Administration interface.
Securely send the activation codes to the administrator.
NPKD administrators can create their client certificate using the following
applications:
• User Management Service (UMS)
If PKCS #12 enrollment is enabled and configured properly in Administration
Services, administrators can use UMS to create a PKCS #12 digital ID. The
administrators can then import the digital ID into their Web browser and use
it to log in to NPKD Administration.
If SCEP enrollment is enabled and configured properly in Administration
Services, administrators can use UMS to obtain a digital ID using SCEP
(Simple Certificate Enrollment Protocol). SCEP enrollment is intended for
Apple devices, such as Macintosh computers. After obtaining the digital ID,
the digital ID is installed in the keychain, and administrators can use the
digital ID to log in to NPKD Administration.
• User Registration Service (URS)

If PKCS #12 enrollment is enabled and configured properly in Administration
Services, administrators can use URS to create a PKCS #12 digital ID. The
administrators can then import the digital ID into their Web browser and use
it to log in to NPKD Administration.
If SCEP enrollment is enabled and configured properly in Administration
Services, administrators can use URS to obtain a digital ID using SCEP (Simple
Certificate Enrollment Protocol). SCEP enrollment is intended for Apple
devices, such as Macintosh computers. After obtaining the digital ID, the
digital ID is installed in the keychain, and administrators can use the digital
ID to log in to NPKD Administration.
• Profile Creation Utility
NPKD administrators can use the Profile Creation Utility to generate a PKCS
#12 digital ID. The administrators can then import the digital ID into their
Web browser and use it to log in to NPKD Administration.
• Entrust Entelligence Security Provider for Windows
NPKD administrators can use Security Provider for Windows to generate a
digital ID. Security Provider for Windows can synchronize the administrator’s
certificates with the Microsoft Cryptographic API (CAPI) security store. Web
browsers that support CAPI can then use the digital ID.

To create a user entry for an NPKD administrator using the User Management
Service
1 Log in to the User Management Service for the NPKD Services CA.
2 Click the Accounts tab.
3 Click the Create Account tab.
4 In the User Type drop-down list, select a user type.
User types determine which attributes and object classes are included in the user’s
distinguished name.
5 In the Certificate Type drop-down list, select one of the following.
• To grant the NPKD administrator read-only access to information, select
Enterprise - ePassport Auditor.
• To grant the NPKD administrator access to all functionality, select Enterprise
- National PKD Service Administrator.
You created these certificate types in “Creating certificate types for NPKD
services” on page 471.
6 In the available text fields, enter the name that will become the common name
of the user entry. An asterisk (*) appears beside required fields. You must enter
information into all fields marked with asterisks.

7 From the Role drop-down list, select a role for the NPKD administrator. You may
have created a role in “Creating a role for NPKD administrators” on page 537
named NPKD Administrator.
To create the NPKD administrator credentials as a PKCS #12 security store, the
client policy (user policy) assigned to the role must allow PKCS #12 export. For
details, see “Creating or modifying a user policy for NPKD administrators” on
page 535.
8 Complete the rest of the information as required. See the Administration Services
User Administration Guide for more information.
9 Click Submit.
The information is sent to Security Manager. Security Manager returns activation
codes (reference number and authorization code) and displays them in the
Account Details page.
Record these activation codes in a secure manner, as they are required later to
create and activate the user’s Entrust digital ID.
For more details about how the reference number and authorization code are
used, see the Security Manager Administration User Guide.
You have created a user entry for an NPKD administrator. The NPKD administrator
must have a valid client certificate to access the NPKD Administration interface.
Securely send the activation codes to the administrator.
NPKD administrators can create their client certificate with the User Management
Service (UMS), the User Registration Service (URS), the Profile Creation Utility, or
Entrust Entelligence Security Provider for Windows, as described at the end of “To
create a user entry for an NPKD administrator using Security Manager
Administration” on page 538.

Testing NPKD Administration
After installing the NPKD services, you must ensure that all components were
installed properly and function correctly. To test the installation, open NPKD
Administration in a Web browser.

To test NPKD Administration


1 Open a Web browser.
2 Enter the following URL in your Web browser:
https://<host_name>:<port>/npkd
Where:
• <host_name> is the fully qualified host name of the server hosting the NPKD
services.
• <port> is the SSL port for NPKD Administration (by default 23443).
For example:
https://appserver.example.com:23443/npkd
3 When prompted to select a user certificate, select the user certificate that you
created in “Creating NPKD administrators” on page 538.
4 A security dialog may appear, prompting you to allow the application to access
the private key.

Note:
The security dialog box may appear behind the browser window. Click the dialog
box’s window icon in the taskbar to bring the dialog box to the front.

Click Allow to allow NPKD Administration to access the private key.


If everything was installed correctly and the browser certificate is valid, the NPKD
Administration interface appears.

22

Configuring the NPKD services


Entrust Authority Administration Services provides Web-based administration
applications that allow you to manage master lists, CRLs, and Document Signer
certificates in the National PKD.
This chapter describes how to configure various components and features of the
NPKD services provided by Administration Services. For more information about
configuring Administration Services, see the Administration Services Configuration
Guide.
This chapter includes the following sections:
• “Configuring the NPKD services logs” on page 546
• “Configuring the NPKD Validation Engine logs” on page 548
• “Configuring email notification for the NPKD services” on page 550
• “Configuring the CRL cache timeout” on page 559
• “Configuring the LDAP page size for Document Signer certificate list
operations” on page 560
• “Enabling and disabling automatic CRL discovery from Document Signer
certificates” on page 561
• “Configuring automatic assurance level calculations of CSCA materials in the
National PKD” on page 562
• “Enabling and disabling signature validation when retrieving CSCA materials
from the National PKD” on page 564
• “Configuring automatic signature updates of CSCA materials in the National
PKD” on page 565
• “Configuring automatic imports from PKD Reader” on page 567
• “Configuring the NPKD secure audit log” on page 569

Configuring the NPKD services logs
The NPKD services—NPKD Web Service and NPKD Administration—share a log file.
This log file contains messages related to the operation of the NPKD services.
Administration Services allows you to customize the NPKD services log file settings.
You can configure the following log settings:
• the log file name and location
• the level of messages recorded in the file
• the maximum size the log file can reach before a new log file is created
• the number of old log files to retain

To configure the NPKD services logs


1 Log in to the server hosting the NPKD services.
The NPKD services are installed on a server hosting the Administration Services
application server components.
2 Open the npkd-config.xml file in an XML editor. You can find the file in the
following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\config
3 In the <Logging> section, configure the settings described in Table 31.

Table 31: NPKD services log settings

<Level>
  Sets the level of detail for the logs. The logging level can be one of (in
  increasing severity) TRACE, DEBUG, INFO, WARNING, ERROR, ALERT, or FATAL. This
  sets the lowest level of message to show. For example, ERROR provides messages
  of ERROR, ALERT and FATAL status.
  Default: INFO

<FileName>
  Sets the name (including path) of the log file.
  Default: <AS-install>\services\npkd\npkd\logs\npkd_npkd.log

<FileSize>
  Sets the maximum size of a log file, in bytes. Do not set the value to 0, or
  Apache Tomcat will fail to start.
  Default: 1000000

<Backups>
  Sets the maximum number of log files to keep. After the last log file reaches
  the maximum size, the first log file is overwritten.
  Default: 10

4 Save and close the file.
5 Restart Administration Services.

Configuring the NPKD Validation Engine logs
The NPKD Validation Engine performs assurance level tests on CSCA materials stored
in the National PKD. The NPKD Validation Engine writes information about these
tests to a log file.
Administration Services allows you to customize the NPKD Validation Engine log file
settings. You can configure the following log settings:
• the log file name and location
• the level of messages recorded in the file
• the maximum size the log file can reach before a new log file is created
• the number of old log files to retain

To configure the NPKD Validation Engine logs


1 Log in to the server hosting the NPKD services.
The NPKD services are installed on a server hosting the Administration Services
application server components.
2 Open the npkd-config.xml file in an XML editor. You can find the file in the
following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\config
3 In the <ValidationEngineLogging> section, configure the settings described in
Table 32.

Table 32: NPKD Validation Engine log settings

<Level>
  Sets the level of detail for the logs. The logging level can be one of (in
  increasing severity) TRACE, DEBUG, INFO, WARNING, ERROR, ALERT, or FATAL. This
  sets the lowest level of message to show. For example, ERROR provides messages
  of ERROR, ALERT and FATAL status.
  Default: INFO

<FileName>
  Sets the name (including path) of the log file.
  Default: <AS-install>\services\npkd\npkd\logs\npkd_validation_engine.log

<FileSize>
  Sets the maximum size of a log file, in bytes. Do not set the value to 0, or
  Apache Tomcat will fail to start.
  Default: 1000000

<Backups>
  Sets the maximum number of log files to keep. After the last log file reaches
  the maximum size, the first log file is overwritten.
  Default: 10

4 Save and close the file.


5 Restart Administration Services.
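Because a <FileSize> of 0 in either log section stops Apache Tomcat, it is worth checking both sections before restarting Administration Services. The following Python script is an added example written for this guide, not Entrust code: it parses a constructed npkd-config.xml fragment and reports the Table 31 and Table 32 settings that are out of range. The <NpkdConfig> root element name and the install path in the sample are assumptions; the guide shows only the <Logging> and <ValidationEngineLogging> elements.

```python
import xml.etree.ElementTree as ET

# Log levels in increasing severity, as listed for <Level> in Tables 31 and 32.
LOG_LEVELS = ("TRACE", "DEBUG", "INFO", "WARNING", "ERROR", "ALERT", "FATAL")

# The two log sections of npkd-config.xml that share this layout.
LOG_SECTIONS = ("Logging", "ValidationEngineLogging")

# Constructed npkd-config.xml fragment (not a real file). The root element name
# and the install path are assumptions; the guide does not show the root element.
# Two deliberate mistakes: an unknown level name, and FileSize 0 in the
# Validation Engine section, which the guide says stops Tomcat from starting.
SAMPLE_NPKD_CONFIG = """\
<NpkdConfig>
  <Logging>
    <Level>VERBOSE</Level>
    <FileName>C:/Entrust/AdminServices/services/npkd/npkd/logs/npkd_npkd.log</FileName>
    <FileSize>1000000</FileSize>
    <Backups>10</Backups>
  </Logging>
  <ValidationEngineLogging>
    <Level>INFO</Level>
    <FileName>C:/Entrust/AdminServices/services/npkd/npkd/logs/npkd_validation_engine.log</FileName>
    <FileSize>0</FileSize>
    <Backups>10</Backups>
  </ValidationEngineLogging>
</NpkdConfig>
"""


def levels_shown(level):
    """Return the levels a <Level> setting records: itself and everything more severe."""
    if level not in LOG_LEVELS:
        raise ValueError(f"unknown log level {level!r}")
    return LOG_LEVELS[LOG_LEVELS.index(level):]


def _int_setting(section, tag, findings):
    """Parse an integer child element, recording a finding if it is missing or malformed."""
    text = section.findtext(tag)
    try:
        return int((text or "").strip())
    except ValueError:
        findings.append(("error", f"{section.tag}/{tag} is missing or not an integer: {text!r}"))
        return None


def lint_log_section(section):
    """Return (severity, message) findings for one <Logging>-style section."""
    findings = []
    name = section.tag
    level = (section.findtext("Level") or "").strip()
    if level not in LOG_LEVELS:
        findings.append(("error", f"{name}/Level {level!r} is not one of {', '.join(LOG_LEVELS)}"))
    if not (section.findtext("FileName") or "").strip():
        findings.append(("error", f"{name}/FileName is empty"))
    size = _int_setting(section, "FileSize", findings)
    if size == 0:
        findings.append(("fatal", f"{name}/FileSize is 0: Apache Tomcat will fail to start"))
    elif size is not None and size < 0:
        findings.append(("error", f"{name}/FileSize must be positive, got {size}"))
    backups = _int_setting(section, "Backups", findings)
    if backups is not None and backups < 0:
        findings.append(("error", f"{name}/Backups must not be negative, got {backups}"))
    return findings


def lint_npkd_logging(xml_text):
    """Lint both log sections of an npkd-config.xml document before a restart."""
    root = ET.fromstring(xml_text)
    findings = []
    for tag in LOG_SECTIONS:
        section = root.find(tag)
        if section is None:
            findings.append(("error", f"<{tag}> section is missing"))
            continue
        findings.extend(lint_log_section(section))
    return findings


if __name__ == "__main__":
    for severity, message in lint_npkd_logging(SAMPLE_NPKD_CONFIG):
        print(f"{severity.upper():8} {message}")
```

Point lint_npkd_logging at the real file contents after step 4 of either procedure; a "fatal" finding means the restart in step 5 will fail.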

Configuring email notification for the NPKD services
When you installed the NPKD services, you had the option to enable email
notification for the NPKD services. If you did not enable email notification during the
installation, or you want to configure how email notification works, complete the
steps in this section.
For more information about email notification, see the Administration Services
Installation Guide.
• “Configuring SMTP server settings for the NPKD services” on page 550
• “Email notification files for the NPKD services” on page 551
• “Enabling and disabling email notification for the NPKD services” on
page 552
• “Modifying email notification subject and message text for the NPKD
services” on page 555
• “Modifying the NPKD services email notification to use HTML content
templates” on page 557

Configuring SMTP server settings for the NPKD services


Configure the SMTP server settings to configure how the NPKD services
communicate with your SMTP server. The settings were configured if you enabled
email notification when you installed the NPKD services.

To configure SMTP server settings for the NPKD services


1 Log in to the Administration Services server hosting the application server
components.
2 Open the configuration.global.xml file for the NPKD services. You can find
the file in the following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\config
3 Locate the <SMTP> element.
4 In the <SMTP> element, configure the following child elements:
a In the <Charset> element, enter the character set used to forward
notification emails to the SMTP server. For example:
<Charset>UTF-8</Charset>
b In the <Host> element, enter the fully qualified host name of the SMTP
server. For example:
<Host>SMTPserver.company.com</Host>

c In the <Port> element, enter the port (between 0 and 65535) used to
connect to the SMTP host. For example:
<Port>25</Port>
5 If your SMTP server requires authentication, do the following:
a Enter true in the <Authentication> element. For example:
<Authentication>true</Authentication>
b Enter the SMTP server user ID in the <User> element. For example:
<User>SMTPuser</User>
c Enter the password for the SMTP server user ID in the <Password> element.
6 Save and close the file.

To configure the email addresses for the NPKD services


1 Log in to the Administration Services server hosting the application server
components.
2 Navigate to the following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\ens\xsl\<locale>
3 Open the common-config.xsl file.
4 To configure the email address that appears in the email message’s From field,
configure the following setting:
<xsl:variable name="lang.from.email">email.address@company.com</xsl:variable>
5 To configure the email address that Administration Services sends email messages
to, configure the following setting:
<xsl:variable name="lang.admin.email">email.address@company.com</xsl:variable>
Administration Services sends messages to this address only if the event is not
meant for a particular object. For example, if an administrator creates a user
account, Administration Services sends the message to the user's email address.
If an administrator performs another action that requires another administrator's
approval, Administration Services sends the message to this email address.
6 Save and close the file.

Email notification files for the NPKD services


You can configure Administration Services to notify administrators or users by email
if a specific event occurs.
Table 33 on page 552 lists all the email notification events in the
configuration.global.xml file for the NPKD services. For information about
enabling and disabling email notification, see “Enabling and disabling email
notification for the NPKD services” on page 552.

Table 33: NPKD account tasks, event IDs, and email message files

Account task / interface label: PKDR Import - materials imported successfully
  Event ID in configuration.global.xml: pkdr-import-success
  Email message files: pkdr-import-success-content, pkdr-import-success-subject
  Enabled by default: Yes

Account task / interface label: PKDR Import - error importing materials
  Event ID in configuration.global.xml: pkd-import-failure
  Email message files: pkd-import-failure-content, pkd-import-failure-subject
  Enabled by default: Yes

Enabling and disabling email notification for the NPKD services


You can configure Administration Services to notify administrators or users by email
if a specific event occurs. “Email notification files for the NPKD services” on page 551
lists all the email notification events in the configuration.global.xml file for the
NPKD services.
Use the following procedures to enable and disable email notification for the NPKD
services:
• “To enable or disable email notification for the NPKD services” on page 552
• “To enable or disable email notification for specific events for the NPKD
services” on page 553
• “To configure email notification event settings for the NPKD services” on
page 554

To enable or disable email notification for the NPKD services


1 Log in to the Administration Services server hosting the application server
components.
2 Open the npkd-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\config
3 Locate the <Notifications> section:
<Notifications>
<Enabled>true</Enabled>
<Configuration>C:/Program Files/Entrust/AdminServices/services/npkd/npkd/webapp/WEB-INF/config/configuration.global.xml</Configuration>
</Notifications>
4 To enable email notification, set <Enabled> to true. To disable email notification,
set <Enabled> to false.
5 Save and close the file.
6 Open the configuration.global.xml file for the NPKD services. You can find
the file in the following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\config
7 Locate the <Notification> element and configure the first <Enabled> element
as follows:
• To enable email notification, set the <Enabled> element to true.
<Enabled>true</Enabled>
• To disable email notification, set the <Enabled> element to false.
<Enabled>false</Enabled>
8 If required, enable or disable email notification for specific events. See “To enable
or disable email notification for specific events for the NPKD services” on
page 553 for details.
9 Save and close the file.
10 Restart Administration Services.

To enable or disable email notification for specific events for the NPKD services
1 Log in to the Administration Services server hosting the application server
components.
2 Open the configuration.global.xml file for the NPKD services. You can find
the file in the following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\config
3 Locate the <Notification> element.
4 In the <Notification> element, each <Event> child element refers to a specific
event. See “Email notification files for the NPKD services” on page 551 for a list
of event IDs.
For each event, you can configure email notification as follows:
• To enable email notification for the event, set <Enabled> to true.
<Enabled>true</Enabled>
• To disable email notification for the event, set <Enabled> to false.

<Enabled>false</Enabled>
5 If required, configure the email notification event settings. See “To configure
email notification event settings for the NPKD services” on page 554 for details.
6 Save and close the file.
If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin), for
languages such as French or Japanese, save the file with UTF-8 encoding.
7 Restart Administration Services.

To configure email notification event settings for the NPKD services


1 Log in to the Administration Services server hosting the application server
components.
2 Open the configuration.global.xml file for the NPKD services. You can find
the file in the following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\config
3 Locate the <EmailNotificationEvents> element.
4 In the <EmailNotificationEvents> element, each <EmailNotificationEvent>
child element refers to a specific email notification event. For each event, you can
configure the settings described in the following table.

Table 34: Email notification event settings

<ContentTemplate>
  Specifies the name of the XSLT file that is applied to the notification event
  to produce the text of the message. See “Modifying email notification subject
  and message text for the NPKD services” on page 555 for details about editing
  this file.
  Note: This is a system setting and should not be modified.

<FromTemplate>
  Specifies the name of the XSLT file that is applied to the notification event
  to produce the names and email addresses for the RFC 822 From: and Reply-To:
  headers.
  Note: This is a system setting and should not be modified.

<Id>
  Used to declare a unique identifier. This value must match an identifier of a
  notification event that is sent by the XAPNotificationHandler. It is the
  identifier that is used to determine which email notification event should
  handle the notification event.
  Note: This is a system setting and should not be modified.

<RecipientTemplate>
  Specifies the name of the XSLT file that is applied to the notification event
  to produce the names and email addresses of the recipients. The result of the
  transformation is a <Recipients> element.

<SubjectTemplate>
  Specifies the name of the XSLT file that is applied to the notification event
  to produce the text of the RFC 822 Subject: header. The result of the
  transformation is a <Subject> element. See “Modifying email notification
  subject and message text for the NPKD services” on page 555 for details about
  editing this file.

<AttachmentsTemplate>
  Specifies the name of the XSLT file that is applied to the notification event
  to produce the files sent in the email messages as attachments. The result of
  the transformation is an <Attachments> element.

5 Save and close the file.


If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin), for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Restart Administration Services.
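The SMTP settings, the master <Enabled> switch under <Notification>, the per-event <Enabled> values and the <EmailNotificationEvent> handlers all live in configuration.global.xml and have to agree with each other before the restart. The following Python script is an added example written for this guide, not Entrust code: it works out which event IDs from Table 33 will actually produce mail, and reports SMTP and handler mismatches. Its sample file is constructed; the <Configuration> root element and the <Id> child of each <Event> are assumptions, since the guide shows only the <Enabled> child of an <Event>.

```python
import xml.etree.ElementTree as ET

# Constructed configuration.global.xml fragment for the NPKD services (not a
# real file). Assumptions: the root element name, and that each <Event> under
# <Notification> carries an <Id> naming the event ID from Table 33; the guide
# shows only the <Enabled> child. Two deliberate problems: SMTP authentication
# is on but no password is set, and pkd-import-failure has no handler under
# <EmailNotificationEvents>.
SAMPLE_GLOBAL_CONFIG = """\
<Configuration>
  <SMTP>
    <Charset>UTF-8</Charset>
    <Host>smtp.example.com</Host>
    <Port>25</Port>
    <Authentication>true</Authentication>
    <User>SMTPuser</User>
    <Password></Password>
  </SMTP>
  <Notification>
    <Enabled>true</Enabled>
    <Event>
      <Id>pkdr-import-success</Id>
      <Enabled>true</Enabled>
    </Event>
    <Event>
      <Id>pkd-import-failure</Id>
      <Enabled>false</Enabled>
    </Event>
  </Notification>
  <EmailNotificationEvents>
    <EmailNotificationEvent>
      <Id>pkdr-import-success</Id>
      <ContentTemplate>pkdr-import-success-content</ContentTemplate>
      <SubjectTemplate>pkdr-import-success-subject</SubjectTemplate>
    </EmailNotificationEvent>
  </EmailNotificationEvents>
</Configuration>
"""


def _is_true(element, tag):
    """Read a boolean child element the way the guide writes them: the literal text 'true'."""
    return (element.findtext(tag) or "").strip().lower() == "true"


def effective_notification_state(xml_text):
    """Map each event ID to whether a message will actually be sent.

    The first <Enabled> directly under <Notification> is a master switch: when it
    is false, every per-event <Enabled> is irrelevant.
    """
    root = ET.fromstring(xml_text)
    notification = root.find("Notification")
    if notification is None:
        return {}
    master = _is_true(notification, "Enabled")
    return {
        (event.findtext("Id") or "").strip(): master and _is_true(event, "Enabled")
        for event in notification.findall("Event")
    }


def lint_notification_config(xml_text):
    """Return (severity, message) findings for the SMTP and event configuration."""
    root = ET.fromstring(xml_text)
    findings = []

    smtp = root.find("SMTP")
    if smtp is None:
        findings.append(("error", "<SMTP> element is missing"))
    else:
        try:
            port = int((smtp.findtext("Port") or "").strip())
        except ValueError:
            port = -1
        if not 0 <= port <= 65535:
            findings.append(("error", f"SMTP/Port must be between 0 and 65535, got {smtp.findtext('Port')!r}"))
        if not (smtp.findtext("Host") or "").strip():
            findings.append(("error", "SMTP/Host is empty"))
        if _is_true(smtp, "Authentication"):
            # Authentication without credentials fails at send time, not at startup.
            for tag in ("User", "Password"):
                if not (smtp.findtext(tag) or "").strip():
                    findings.append(("error", f"SMTP/{tag} is empty but SMTP/Authentication is true"))

    # Every <Event> needs an <EmailNotificationEvent> whose <Id> matches it.
    handlers = {(h.findtext("Id") or "").strip() for h in root.iter("EmailNotificationEvent")}
    for event_id in effective_notification_state(xml_text):
        if event_id not in handlers:
            findings.append(("warning", f"Event {event_id!r} has no <EmailNotificationEvent> with a matching <Id>"))
    return findings


if __name__ == "__main__":
    for event_id, sends in effective_notification_state(SAMPLE_GLOBAL_CONFIG).items():
        print(f"{event_id:24} sends mail: {sends}")
    for severity, message in lint_notification_config(SAMPLE_GLOBAL_CONFIG):
        print(f"{severity.upper():8} {message}")
```

Run it against the real file after the edits in any of the three procedures above and before the restart; the effective state shows at a glance why a per-event true still sends nothing when the master switch is false.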

Modifying email notification subject and message text for the NPKD services
Administration Services allows you to modify both the email subject and message text
for each email notification event.

Attention:
Only personnel with knowledge of XSLT should attempt to modify email
notification text. To compare your changes with the default versions of the XSL
files, see the <AS-install>\templates folder for the default files. Do not modify
any of the files in the templates folder.

To modify email notification subject text


1 Log in to the Administration Services server hosting the application server
components.
2 Go to the following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\ens\xsl

3 In a text editor, open the XSL subject file for the event you want to modify. See
“Email notification files for the NPKD services” on page 551 for a list of event IDs
and email message files.
For example, to edit the subject line for the user-reactivate event, open the
user-reactivate-subject.xsl file.
4 Find the <Subject> element and modify the subject text.
For example, in the user-reactivate-subject.xsl file, you would modify the
subject text between the <Subject> tags:
<Subject>Your digital ID has been reactivated.</Subject>
5 Save and close the file.
If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin) for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Repeat this procedure for each event you want to modify.

To modify email notification message text


1 Log in to the Administration Services server hosting the application server
components.
2 Go to the following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\ens\xsl
3 In a text editor, open the XSL message content file for the event you want to
modify. See “Email notification files for the NPKD services” on page 551 for a list
of event IDs and email message files.
For example, to edit the message for the user-reactivate event, open the
user-reactivate-content.xsl file.
4 In the file, modify the text in the notification area only.
For example, in the user-reactivate-content.xsl file, you would modify only the
message text (the lines between the <xsl:variable> block and the signature call):
<xsl:template match="xap:User">
<xsl:variable name="userName">
<xsl:call-template name="attributeFromDN">
<xsl:with-param name="dn"
select="xap:Properties/xap:DN" />
<xsl:with-param name="attribute" select="'cn'" />
</xsl:call-template>
</xsl:variable>
Dear <xsl:value-of select="$userName" />,

Your Entrust digital ID has been reactivated.

Begin using your digital ID again at any time. If you have lost your
digital ID or forgotten your password, please contact your LRA.

<xsl:call-template name="signature"/>
</xsl:template>
5 Save and close the file.
If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin) for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Repeat this procedure for each event you want to modify.

Modifying the NPKD services email notification to use HTML content templates
By default, Administration Services email notifications are formatted to use plaintext
content templates, but you have the option to format the email notifications to also
use HTML content templates.
If an HTML template is specified for an event, both plaintext and HTML message
parts will be added to the email notification message. If the recipient’s email client
supports HTML, it will use the HTML message; if the email recipient’s email client
does not support HTML, the plaintext message will be used.

To modify the NPKD services email notification to use HTML


1 Log in to the Administration Services server hosting the application server
components.
2 Create an HTML file for every event ID you want to use both plaintext and HTML
content templates. You can give the HTML file any filename you choose, but you
must save it in the same file location as the plaintext version of the template.
3 Open the configuration.global.xml file for the NPKD services. You can find
the file in the following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\config
4 Locate the <EmailNotificationEvents> element.
5 For every event ID you wish to use both plaintext and HTML content templates,
add <ContentHTMLTemplate>, the HTML template file name, and
</ContentHTMLTemplate> after the <ContentTemplate> line. For example (the
<ContentHTMLTemplate> line is the new text you are adding):
<EmailNotificationEvent>
<ContentTemplate>dv-entity-add-content</ContentTemplate>
<ContentHTMLTemplate>dv-entity-add-content-html</ContentHTMLTemplate>
6 Save and close the file.
7 Restart Administration Services.

Configuring the CRL cache timeout
NPKD administrators access the NPKD Administration interface using a client
certificate stored in their Web browser. NPKD Administration will verify that the client
certificate is still valid by checking the corresponding Certificate Revocation List (CRL)
to verify that the certificate has not been revoked.
By default, after accessing the CRL, the CRL is cached on the Administration Services
server. Using a cached CRL prevents Administration Services from having to retrieve
the CRL from the directory for every CRL check. By default, CRLs are cached for 10
minutes. You can configure how long a CRL remains in the cache, up to 120 minutes.

To configure the CRL cache timeout


1 Log in to the Administration Services server hosting the application server
components.
2 Open the npkd-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\config
3 Locate the <CRLCacheTimeout> setting. For example:
<CRLCacheTimeout>10</CRLCacheTimeout>
4 Set the CRL cache timeout, in minutes, as required. You can set the CRL cache
timeout value from 0 to 120. For example, to set the CRL cache timeout to 15
minutes:
<CRLCacheTimeout>15</CRLCacheTimeout>
If 0, the CRL is never cached. By not caching the CRL, revoked certificates are
recognized immediately.
5 Save and close the file.
6 Restart Administration Services.
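What the timeout means operationally is that an administrator certificate revoked after the CRL was cached keeps working until the cached copy expires. The following Python simulation is an added example written for this guide, not Entrust code: it validates a <CRLCacheTimeout> value against the 0 to 120 range and models the cache with a manual clock, so the revocation latency for a given timeout can be seen without waiting. The directory, the clock and the serial number are constructed stand-ins.

```python
CRL_CACHE_TIMEOUT_RANGE = range(0, 121)   # <CRLCacheTimeout> accepts 0..120 minutes


def is_valid_crl_cache_timeout(value):
    """True if a <CRLCacheTimeout> text value is an integer number of minutes in 0..120."""
    try:
        return int(str(value).strip()) in CRL_CACHE_TIMEOUT_RANGE
    except ValueError:
        return False


class ManualClock:
    """Test clock so the example runs without sleeping (constructed for this example)."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class FakeDirectory:
    """Stand-in for the directory that publishes the CRL; holds revoked serial numbers."""

    def __init__(self):
        self.revoked = set()
        self.fetches = 0          # how many times the CRL was actually downloaded

    def fetch_crl(self):
        self.fetches += 1
        return frozenset(self.revoked)


class CrlCache:
    """CRL cache with the semantics of <CRLCacheTimeout>: minutes to keep a CRL, 0 = never cache."""

    def __init__(self, directory, timeout_minutes, clock):
        if not is_valid_crl_cache_timeout(timeout_minutes):
            raise ValueError("CRLCacheTimeout must be between 0 and 120 minutes")
        self.directory = directory
        self.timeout_seconds = int(timeout_minutes) * 60
        self.clock = clock
        self._crl = None
        self._fetched_at = None

    def crl(self):
        now = self.clock()
        stale = (
            self._crl is None
            or self.timeout_seconds == 0
            or now - self._fetched_at >= self.timeout_seconds
        )
        if stale:
            self._crl = self.directory.fetch_crl()
            self._fetched_at = now
        return self._crl

    def is_revoked(self, serial):
        return serial in self.crl()


def revocation_visibility(timeout_minutes):
    """Simulate an administrator certificate revoked one minute after the CRL was cached.

    Returns (revocation seen on the next check, seen after the cache expires, CRL downloads).
    """
    clock = ManualClock()
    directory = FakeDirectory()
    cache = CrlCache(directory, timeout_minutes, clock)
    admin_serial = "0A1B2C"                 # constructed serial number
    cache.is_revoked(admin_serial)          # first login: downloads and caches the CRL
    directory.revoked.add(admin_serial)     # the CA revokes the administrator's certificate
    clock.advance(60)
    seen_next_check = cache.is_revoked(admin_serial)
    clock.advance(int(timeout_minutes) * 60)
    seen_after_expiry = cache.is_revoked(admin_serial)
    return seen_next_check, seen_after_expiry, directory.fetches


if __name__ == "__main__":
    for minutes in (0, 10, 120):
        print(f"CRLCacheTimeout={minutes:3}: {revocation_visibility(minutes)}")
```

With the default of 10 the revoked certificate still passes the check a minute later and is only rejected once the cache expires; with 0 every check downloads the CRL, which is the trade-off between revocation latency and directory load that this setting controls.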

Configuring the LDAP page size for Document Signer certificate list operations
The National PKD can contain thousands of Document Signer certificates. If the LDAP
server search limit is ever reached, not all Document Signer certificates will be
returned in the search results.
To ensure that all Document Signer certificates will be returned from an LDAP search
query, you can configure the LDAP page size the NPKD services will use when
searching the National PKD and obtaining results. The LDAP page size controls how
many entries per page are returned from an LDAP query; the directory will continue
to return pages of search results until all results are returned.

To configure the LDAP page size for Document Signer certificate list operations
1 Log in to the Administration Services server hosting the application server
components.
2 Open the npkd-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\config
3 Locate the <DSC> setting. By default:
<DSC>
<!-- LDAP Page size for DS Certificate list operations,
100 by default. Use 0 to turn off LDAP paging. -->
<PageSize>50</PageSize>
</DSC>
4 For <PageSize>, enter the number of Document Signer certificates per page to
return from an LDAP query. If 0, the NPKD services will not use LDAP paging.
5 Save and close the file.
You do not need to restart Administration Services. The changes are applied
immediately.
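The difference between the two modes is easiest to see with the paging loop itself. The following Python model is an added example written for this guide, not Entrust code: a constructed stand-in for the National PKD directory enforces a server-side search limit, and a client either asks for everything at once (PageSize 0, where the limit silently truncates the list) or follows paged-results cookies until the directory reports no more pages. The directory class, the entry DNs and the limit value are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class SearchResult:
    """One response from the directory: a page of entries plus a paged-results cookie."""
    entries: list
    cookie: str                        # "" means the directory has no more pages
    size_limit_exceeded: bool = False


class FakeNationalPkd:
    """Stand-in for the National PKD directory with a server-side search size limit
    (constructed for this example; a real server would be queried over LDAP)."""

    def __init__(self, entries, server_size_limit):
        self.entries = list(entries)
        self.server_size_limit = server_size_limit

    def search(self, page_size=0, cookie=""):
        if page_size == 0:
            # No paged-results control: the server stops at its size limit and
            # reports sizeLimitExceeded, leaving the remaining entries out.
            chunk = self.entries[:self.server_size_limit]
            return SearchResult(chunk, "", len(self.entries) > self.server_size_limit)
        start = int(cookie) if cookie else 0
        # Each page is still subject to the size limit, so never exceed it.
        end = min(start + min(page_size, self.server_size_limit), len(self.entries))
        next_cookie = str(end) if end < len(self.entries) else ""
        return SearchResult(self.entries[start:end], next_cookie)


def list_document_signer_certificates(directory, page_size):
    """Collect Document Signer certificate entries, following cookies until none remains.

    Returns (entries, complete, pages); complete is False when the server truncated.
    """
    entries, cookie, pages = [], "", 0
    while True:
        result = directory.search(page_size, cookie)
        pages += 1
        entries.extend(result.entries)
        if result.size_limit_exceeded:
            return entries, False, pages
        cookie = result.cookie
        if not cookie:
            return entries, True, pages


# Constructed directory: 1,200 Document Signer certificate entries behind a
# 1,000-entry server search limit (placeholder DNs).
SAMPLE_DIRECTORY = FakeNationalPkd(
    (f"cn=DSC-{i:04d},o=Example,c=XX" for i in range(1200)),
    server_size_limit=1000,
)


if __name__ == "__main__":
    for size in (0, 50):
        found, complete, pages = list_document_signer_certificates(SAMPLE_DIRECTORY, size)
        print(f"PageSize={size:3}: {len(found)} entries in {pages} page(s), complete={complete}")
```

A Document Signer certificate that never appears in the list is not validated or published, so treat a truncated result as an error rather than a shorter list; the loop above returns complete=False precisely so that callers can tell the two apart.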

Enabling and disabling automatic CRL discovery from Document Signer certificates
The NPKD services can automatically discover and download CRLs when importing
Document Signer certificates and a URL is found in a certificate’s CDP (CRL
distribution point). By default, automatic CRL discovery is enabled.

To enable or disable automatic CRL discovery


1 Log in to the Administration Services server hosting the application server
components.
2 Open the npkd-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\config
3 Locate the <AutoDiscoverCRLs> setting. By default:
<AutoDiscoverCRLs>true</AutoDiscoverCRLs>
4 Enable or disable automatic CRL discovery as follows:
• To enable automatic CRL discovery, set <AutoDiscoverCRLs> to true:
<AutoDiscoverCRLs>true</AutoDiscoverCRLs>
• To disable automatic CRL discovery, set <AutoDiscoverCRLs> to false:
<AutoDiscoverCRLs>false</AutoDiscoverCRLs>
5 Save and close the file.
You do not need to restart Administration Services. The changes are applied
immediately.

Configuring automatic assurance level calculations of CSCA materials in the National PKD
Assurance levels specify the level of trust for CSCA materials (Document Signer
certificates, CRLs, and master lists). The NPKD Web Service can automatically publish
CSCA materials with a high enough assurance level to DV Web Service clients.
NPKD administrators can change assurance policies on a global level or on a
per-country level. Assurance levels for CSCA materials can be recalculated
automatically on a schedule, or an NPKD administrator can manually recalculate
assurance levels.
The NPKD will also remove expired CRLs from the National PKD when it recalculates
assurance levels.
The following procedure describes how to configure automatic assurance level
calculations.

To configure automatic assurance level calculations


1 Log in to the Administration Services server hosting the application server
components.
2 Open the npkd-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\config
3 Locate the following <AutomaticAssuranceLevelCalculation> settings. By
default:
<AutomaticAssuranceLevelCalculation>
<Enabled>true</Enabled>
<!-- Initial delay in seconds -->
<InitialDelay>90</InitialDelay>
<!-- Number of hours between periodic calculations -->
<CalculationPeriod>24</CalculationPeriod>
</AutomaticAssuranceLevelCalculation>

4 Configure the settings described in Table 35.

Table 35: Automatic assurance level calculations settings

<Enabled>
  Controls whether the NPKD services can automatically calculate assurance
  levels on a schedule.
  Permitted values:
  • true to enable automatic assurance level calculations.
  • false to disable automatic assurance level calculations. NPKD
    administrators must manually recalculate assurance levels.
  Default: true

<InitialDelay>
  Specifies the length of time to wait, in seconds, after establishing a
  connection with the National PKD before calculating assurance levels of CSCA
  materials.
  Default: 90

<CalculationPeriod>
  Specifies the length of time, in hours, between assurance level calculations.
  Default: 24

5 Save and close the file.


You do not need to restart Administration Services. The changes are applied
immediately.

Enabling and disabling signature validation when retrieving CSCA materials from the National PKD
All materials in the National PKD are signed with the private key of the NPKD Server
profile. The NPKD services can validate the signature when retrieving CSCA
materials from the National PKD. NPKD Web Service clients can also validate the
signatures when receiving the materials.
You can enable or disable signature validation of CSCA materials in the National
PKD for both the NPKD services and NPKD Web Service clients. By default, signature
verification is enabled.

To configure signature validation when retrieving CSCA materials


1 Log in to the Administration Services server hosting the application server
components.
2 Open the npkd-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\config
3 Locate the <VerifySignature> setting. By default:
<VerifySignature>true</VerifySignature>
4 Enable or disable signature validation on CSCA materials as follows:
• To enable the signature validation on CSCA materials, set
<VerifySignature> to true:
<VerifySignature>true</VerifySignature>
• To disable signature validation on CSCA materials, set <VerifySignature>
to false:
<VerifySignature>false</VerifySignature>
5 Save and close the file.
You do not need to restart Administration Services. The changes are applied
immediately.

Configuring automatic signature updates of CSCA materials in the National PKD
All materials in the National PKD are signed with the private key of the NPKD Server
profile. The NPKD services can validate the signature when retrieving CSCA materials
from the National PKD. NPKD Web Service clients can also validate the signatures
when receiving the materials.
When Administration Services starts up, the NPKD services can update the signature
on all CSCA materials in the National PKD. By default, automatic signature updates
are disabled.
Complete the following procedure to configure the automatic signature updates of
CSCA materials in the National PKD.

Note:
It is recommended that you enable automatic signature updates only when the
NPKD Server profile has been updated. You should disable the automatic
signature updates after the signature has been updated on all CSCA materials in
the National PKD.

To configure automatic signature updates of CSCA materials


1 Log in to the Administration Services server hosting the application server
components.
2 Open the npkd-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\config
3 Locate the <AutomaticSignatureUpdate> setting. By default:
<AutomaticSignatureUpdate>
<Enabled>false</Enabled>
<InitialDelay>10</InitialDelay>
</AutomaticSignatureUpdate>

4 Configure the settings described in Table 36.

Table 36: Signature update settings

<Enabled>
  Controls whether to update the signature on all CSCA materials in the National
  PKD after a service restart.
  Permitted values:
  • true to enable automatic signature updates.
  • false to disable automatic signature updates.
  Default: false

<InitialDelay>
  Specifies the length of time to wait, in seconds, after Administration Services
  starts before updating the signature on CSCA materials in the National PKD.
  Default: 10

5 Save and close the file.


6 Restart Administration Services.

Configuring automatic imports from PKD
Reader
The PKD Reader Web Service can import CSCA materials into the NPKD services.
When you installed the NPKD services, the Administration Services installer asked
whether you wanted to enable importing of CSCA materials from PKD Reader into the
NPKD services.
If you chose to enable importing materials from PKD Reader into the NPKD services,
the NPKD services can automatically import materials from PKD Reader on a schedule.
Complete the following procedure to configure the automatic import settings.

To configure automatic imports from PKD Reader


1 Log in to the Administration Services server hosting the application server
components.
2 Open the npkd-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\config
3 Under <PkdReaderConnection>, locate the <AutomaticImport> section. For
example:
<PkdReaderConnection>
...
<AutomaticImport>
<Enabled>true</Enabled>
<!-- Initial delay in seconds -->
<InitialDelay>30</InitialDelay>
<!-- Number of hours between periodic imports -->
<ImportPeriod>24</ImportPeriod>
<!-- Number of attempts to establish a PKD Reader
connection before reporting the failure. -->
<ConnectionAttempts>3</ConnectionAttempts>
</AutomaticImport>
</PkdReaderConnection>

4 Configure the settings described in Table 37.

Table 37: Automatic imports from PKD Reader settings

Setting Description

<Enabled> Controls whether the NPKD services can automatically import CSCA
materials from PKD Reader.
Permitted values:
• true to enable automatic imports from PKD Reader.
• false to disable automatic imports from PKD Reader.
Default: true

<InitialDelay> Specifies the length of time to wait, in seconds, after establishing a
connection with PKD Reader before downloading CSCA materials.
Default: 30

<ImportPeriod> Specifies the length of time, in hours, between automatic imports.
Default: 24

<ConnectionAttempts> Specifies how many attempts to establish a connection with PKD
Reader before logging a connection failure.
Default: 3

5 Save and close the file.


6 Restart Administration Services.

Configuring the NPKD secure audit log
The NPKD services maintain a secure audit log of important events and their
accompanying data. The secure audit log is secured using the NPKD Server profile.
You can view the NPKD secure audit log using the Secure Audit Check Utility.

To configure the NPKD secure audit log


1 Log in to the server hosting the NPKD services.
The NPKD services are installed on a server hosting the Administration Services
application server components.
2 Open the npkd-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\config
3 Locate the <SecureAudit> section. For example:
<SecureAudit>
<!--Audit file name. -->
<Filename>C:\Program Files\Entrust\AdminServices/services/npkd/npkd/logs/npkd_audit.log</Filename>
</SecureAudit>
4 Configure the settings described in Table 38.

Table 38: NPKD secure audit log settings

Setting Description

<Filename> The full path and file name of the NPKD secure audit log.
Default:
C:\Program Files\Entrust\AdminServices/services/npkd/npkd/logs/npkd_audit.log

5 Save and close the file.


6 Restart Administration Services.
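The three procedures above (Tables 36, 37 and 38) all come down to hand-editing one XML file and restarting the service, and the note on signature updates asks you to flip a setting on and then remember to flip it back off. The following script is an added example for this guide, not Entrust code: it audits a copy of npkd-config.xml against the constraints stated in those tables (signature updates left disabled, a sane import period and retry count, an absolute audit-log path) and toggles <AutomaticSignatureUpdate><Enabled> for the re-signing window. It relies only on the element names shown in the procedures; the root element name <NpkdConfig> and the values in SAMPLE_CONFIG are constructed for illustration.

```python
"""Audit the NPKD automatic-task settings in a copy of npkd-config.xml.

Added example; not part of the Entrust product. Only the element names from
the procedures above are assumed. Root element name and sample values are
constructed.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample: deliberately contains three settings worth flagging.
SAMPLE_CONFIG = """<NpkdConfig>
  <AutomaticSignatureUpdate>
    <Enabled>true</Enabled>
    <InitialDelay>10</InitialDelay>
  </AutomaticSignatureUpdate>
  <PkdReaderConnection>
    <AutomaticImport>
      <Enabled>true</Enabled>
      <InitialDelay>30</InitialDelay>
      <ImportPeriod>0</ImportPeriod>
      <ConnectionAttempts>3</ConnectionAttempts>
    </AutomaticImport>
  </PkdReaderConnection>
  <SecureAudit>
    <Filename>logs/npkd_audit.log</Filename>
  </SecureAudit>
</NpkdConfig>
"""


def _text(root, path):
    """Trimmed text of the element at `path` (relative to root), or None."""
    node = root.find(path)
    if node is None or node.text is None:
        return None
    return node.text.strip()


def _is_true(value):
    return value is not None and value.lower() == "true"


def _int_or_none(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def audit_config(xml_text):
    """Return a list of findings; an empty list means nothing to report."""
    root = ET.fromstring(xml_text)
    findings = []

    # Table 36: re-signing on every restart should stay off except while the
    # NPKD Server profile is being rolled over.
    if _is_true(_text(root, "AutomaticSignatureUpdate/Enabled")):
        findings.append("AutomaticSignatureUpdate/Enabled is true: set it back to "
                        "false once every CSCA material carries the new signature")
    delay = _int_or_none(_text(root, "AutomaticSignatureUpdate/InitialDelay"))
    if delay is None or delay < 0:
        findings.append("AutomaticSignatureUpdate/InitialDelay must be a "
                        "non-negative number of seconds")

    # Table 37: only meaningful when automatic imports are switched on.
    imp = "PkdReaderConnection/AutomaticImport/"
    if _is_true(_text(root, imp + "Enabled")):
        period = _int_or_none(_text(root, imp + "ImportPeriod"))
        if period is None or period < 1:
            findings.append("AutomaticImport/ImportPeriod must be at least 1 hour")
        attempts = _int_or_none(_text(root, imp + "ConnectionAttempts"))
        if attempts is None or attempts < 1:
            findings.append("AutomaticImport/ConnectionAttempts must be at least 1")
        idelay = _int_or_none(_text(root, imp + "InitialDelay"))
        if idelay is None or idelay < 0:
            findings.append("AutomaticImport/InitialDelay must be a non-negative "
                            "number of seconds")

    # Table 38: an absolute path keeps the audit log where you expect it,
    # whatever working directory the application server starts in.
    audit_file = _text(root, "SecureAudit/Filename")
    if not audit_file or not PureWindowsPath(audit_file).is_absolute():
        findings.append("SecureAudit/Filename should be an absolute path")
    return findings


def set_signature_update(xml_text, enabled):
    """Return the config with <AutomaticSignatureUpdate><Enabled> set.

    Use it twice around a profile rollover: enable, restart Administration
    Services, wait for the re-signing pass, then disable and restart again.
    """
    root = ET.fromstring(xml_text)
    node = root.find("AutomaticSignatureUpdate/Enabled")
    if node is None:
        raise ValueError("AutomaticSignatureUpdate/Enabled not found")
    node.text = "true" if enabled else "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("-", finding)
    print("after disabling:", audit_config(set_signature_update(SAMPLE_CONFIG, False)))
```

One caveat before writing set_signature_update's output back over the real file: ET.fromstring discards XML comments, so the `<!-- ... -->` lines shown in the procedures would be lost. Either parse with `ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))` (Python 3.8 and later) or use the script as a check only and make the edit by hand as the procedures describe.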

23 Administering data in the National PKD
Entrust Authority Administration Services provides Web-based administration
applications that allow you to manage master lists, CRLs, and Document Signer
certificates in the National PKD.
This chapter describes how to use NPKD Administration to administer the data in the
National PKD.
This chapter includes the following sections:
• “Logging in to NPKD Administration” on page 572
• “Using grids in NPKD Administration” on page 573
• “Monitoring the National PKD using the dashboard” on page 588
• “Managing countries in the National PKD” on page 592
• “Managing Document Signer certificates in the National PKD” on page 611
• “Managing CRLs in the National PKD” on page 625
• “Managing master lists in the National PKD” on page 639
• “Managing trust anchors in the National PKD” on page 655
• “Importing CSCA materials into the National PKD from files” on page 668
• “Managing PKD Reader” on page 693
• “Configuring the global assurance policy settings” on page 704
• “Exporting the global and country-specific assurance policies to files” on
page 708
• “Configuring NPKD services settings” on page 710

Logging in to NPKD Administration
NPKD Administration is a Web-based interface for administering the NPKD services.
NPKD administrators use NPKD Administration to import and manage CSCA
certificates, master lists, Document Signer certificates, and CRLs stored in the NPKD
Directory.
You are required to log in to the NPKD Administration interface with a certificate
stored in your Web browser (see “Creating NPKD administrators” on page 538).

To log in to NPKD Administration


1 Open a Web browser.
2 Enter the following URL in your Web browser:
https://<host_name>:<port>/npkd
Where:
• <host_name> is the fully qualified host name of the server hosting the NPKD
services.
• <port> is the Tomcat SSL port for NPKD Administration (by default 23443).
For example:
https://appserver.example.com:23443/npkd
3 When prompted to select a user certificate, select the user certificate that you
created in “Creating NPKD administrators” on page 538.
4 A security dialog may appear, prompting you to allow the application to access
the private key.

Note:
The security dialog box may appear behind the browser window. Click the dialog
box’s window icon in the taskbar to bring the dialog box to the front.

Click Allow to allow NPKD Administration to access the private key.


The NPKD Administration interface appears.

Using grids in NPKD Administration
In NPKD Administration, most items—such as Document Signer certificates, CRLs, or
Master Lists—are displayed in a grid. Grids display items in rows and columns, with
each item taking up a row, and each column displaying information or actions for
each item. The following figure shows an example of a grid in NPKD Administration.

Figure 10: Example grid in NPKD Administration

This section describes how to use the various grid features in NPKD Administration
for displaying and managing items in the grid.
This section contains the following topics:
• “Navigating pages of items in a grid” on page 574
• “Viewing information that is truncated in a grid cell” on page 576
• “Resizing columns in a grid” on page 576
• “Sorting items in a grid by column” on page 577
• “Moving columns in a grid” on page 578
• “Adding and removing columns in a grid” on page 579
• “Adding and editing filters in a grid” on page 580
• “Removing a filter from a grid column” on page 582
• “Viewing all filters in a grid” on page 583
• “Removing all filters from a grid” on page 583
• “Grouping items in a grid by columns” on page 584
• “Restoring a grid layout” on page 587

Navigating pages of items in a grid
Grids can contain a lot of items. Most grids display a maximum number of rows per
page. If more items exist than the maximum number of rows, the grid splits the
items across several pages. At the bottom of most grids is a page navigation
bar that allows you to browse through pages of items in the grid. The following figure
shows an example of the page navigation bar.

Figure 11: Page navigation bar for grids

The page navigation bar contains the following features:


• The Go To First Page button ( ) goes to the first page of items when
clicked.
• The Previous Page button ( ) goes to the previous page of items when
clicked.
• The Select Page drop-down list displays the current page number in the grid.
You can select a page number from the drop-down list to go to that page in
the grid.

The list displays pages in groups, up to three pages per group. For example,
pages 1 to 3, pages 4 to 6, pages 7 to 9, and so on.
If more pages exist after the currently-shown group of pages, a More Pages
option (...) is displayed at the top of the list. Click this More Pages option to
go to the first page in the next group of pages. For example, if you are on
pages 1, 2, or 3, click the More Pages option at the top of the list to go to
page 4.
If more pages exist before the currently-shown group of pages, a More Pages
option (...) is displayed at the bottom of the list. Click this More Pages option
to go to the last page in the previous group of pages. For example, if you are

on pages 4, 5, or 6, click the More Pages option at the bottom of the list to
go to page 3.
• The Page Number text field ( ) displays the current page.
You can enter a page number to go to that specific page. The number to the
right of the text field displays the total number of pages.
If you enter a page number out of range, such as 0, the grid stays on the
current page of items.
If you enter a string that starts with a non-numeric character, such as a123
or &amp, the grid stays on the current page of items.
If you enter a string that starts with a number, such as 2abc or 6.5, the grid
goes to the page corresponding to the first integer in the string, unless that
page number is out of range; if it is out of range, the grid stays on the
current page of items. For example, if you enter 21abc, the grid goes to page 21
unless the grid has fewer than 21 pages.
• The Next Page button ( ) goes to the next page of items when clicked.
• The Go To Last Page button ( ) goes to the last page of items when
clicked.
• The Rows per page drop-down list allows you to select the maximum
number of rows to display per page.

• In the bottom right corner of the grid, an item indicator displays the range of
items being viewed, along with the total number of items. For example:

Viewing information that is truncated in a grid cell
If information about an item is too large to display in a grid cell, such as a
distinguished name (DN) or a column heading, the information is truncated to fit in
the cell. Truncated information uses ellipses (...) to indicate that not all the
information can be displayed in the grid cell. The following figure shows some
examples of information that is truncated in the grid.

Figure 12: Grid cells containing truncated information

You can view the full value of the truncated information by pausing the pointer on
the truncated information. When you pause the pointer on the truncated
information, a pop-up window appears that displays the full value of the information.
The following figure shows an example of the pop-up window.

Note:
If you pause the pointer over a link, the pop-up window displays the action that
will occur if you click the link.

Figure 13: Pop-up window showing the full value of truncated information

You can also resize columns in the grid so that less information is truncated.
See “Resizing columns in a grid” on page 576 for details.

Resizing columns in a grid


For most grids, you can resize columns in the grid by shrinking or expanding the width
of the column.

Expanding the width of a column displays more of the information in the column.
For example, you can expand a column to display the full column heading or
distinguished name (DN) in a cell instead of a truncated value.
Shrinking the width of a column displays less of the information in the column
and removes unnecessary space. For example, you can shrink the width of a
column containing a country code or large DN so that other columns have more space
to display information.
When you pause the pointer on a column divider next to a column heading, the
pointer changes shape, indicating that you can resize the column (see the following
figure).

Figure 14: Column before resizing

You can resize the column by clicking and holding the mouse, then dragging it left or
right to shrink or expand the width of the column.

Figure 15: Column after resizing

Sorting items in a grid by column


For most grids, you can sort items in the grid by the values in a column. You can sort
the column values in ascending or descending order.

Note:
You can only sort items in a grid by a single column. You cannot sort items in a
grid by multiple columns. For example, you can only sort items by country code
in ascending order; you cannot sort items by country code in ascending order and
then by serial number in descending order.

By default, grids are sorted by values in the left-most column in ascending order.

To sort items in a grid by a column


1 Click the down arrow next to the column heading, then select one of the
following options:

Figure 16: Sorting items in a grid by column

• To sort the values in ascending order, select Sort Ascending.


• To sort the values in descending order, select Sort Descending.

Moving columns in a grid


For most grids, you can rearrange the order of columns in the grid by moving
columns. You may want to move columns if you want the displayed information in a
different order. For example, you may want to move available actions from the right
side of the grid to the left side of the grid.

To move a column
1 Click and hold the heading of the column you want to move.

2 Move the column left or right to a new location in the grid. Small up and down
arrows indicate the column’s new location in the grid.

Adding and removing columns in a grid


For most grids, you can select which columns to display in the grid. You may want to
remove certain columns if you think you do not need that information in the grid. For
example, you may not want the grid to display both the country code and name of
the country in the grid.

To select which columns to display in a grid


1 Click the down arrow next to any column heading, then select Columns.
A menu lists all the available columns for the grid.

Note:
All grids must have at least one column. Depending on which columns you select
or deselect, the grid may require more than one column.

2 For each column you want to display in the grid, select that column from the list.
By default, all columns are selected.
3 For each column you want to remove from the grid, deselect that column from
the list.

Adding and editing filters in a grid


Some grids may contain dozens, hundreds, or thousands of items. Most grids allow
you to add filters to grid columns, allowing you to filter which items are listed in the
grid. Each column can have only one filter.
For example, you can add a filter to the Country Code or Country Name column to
display only the items from a specific country. For another example, you can add a
filter to the Status column to display only items that do not have a status of OK.

To add or edit a filter in a column


1 For the column whose values you want to filter, click the down arrow next to the
column heading, then select Filter.

2 You can define up to two filter conditions. Each filter condition consists of a filter
condition operator and a filter condition value.
To define a filter condition:
a Select a filter condition operator from the drop-down list:
– Select Contains to filter items that contain a specified string somewhere in
the value of the column cell.
For example, filtering for values that contain the string kim will display only
the items that contain the string kim somewhere in the column, such as Kim
Brown, Robert Kim, or Tom Kimball.
– Select Is equal to to filter items that exactly match a specified string in the
value of the column cell.
For example, filtering for values that equal the string False will display only
the items that have the exact value False in the column.
– Select Starts with to filter items that start with a specified string in the value
of column cell.
For example, filtering for values that start with the string Alice will display
only the items that start with the string Alice in the column, such as Alice
Gray or Alice Brown.
– Select Ends with to filter items that end with a specified string in the value
of column cell.
For example, filtering for values that end with the string Gray will display
only the items that end with the string Gray in the column, such as Alice
Gray or Jon Gray.
– Select Is not equal to to filter items that do not match a specified string in
the value of the column cell.
For example, filtering for values that are not equal to YES will display only
the items that do not have the exact value YES in the column, such as NO
and UNDECIDED.
– Select Does not contain to filter items that do not contain a specified string
somewhere in the value of the column cell.
For example, filtering for values that do not contain the string ERROR will
display only the items that do not contain the string ERROR somewhere in
the column, such as SUCCESS or WARN, but not FATAL ERROR or SYNTAX
ERROR.
b In the text field, enter the filter condition value. If no value is entered, the
filter condition is not used.
The string you enter is not case-sensitive. For example, robert, Robert, and
RoBeRt are treated as the same value.
3 If you define two filter conditions, select a filter operator from the drop-down list:
• Select And to display only the items that match both filter conditions.

For example, filtering for values that contain the string John and contain the
string Robert will display the items that contain both the strings John and
Robert in the column, such as John Roberts and Robert Johnson.
• Select Or to display items that match either filter condition.
For example, filtering for values that contain the string Alice or contain the
string Gray will display the items that contain either the string Alice or Gray
(or both) in the column, such as Alice Smith, Alice Gray, or Robert Gray.
4 Click Filter.
The filter is added to the column. A filter icon is also added to the column
heading:
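The filter rules above are precise enough to be reproduced in code, which is useful when you have exported grid data (or a directory dump) and want to reproduce a filter outside the browser, or simply to check how the operators, the case-insensitive matching, the "empty value means unused" rule and the And/Or combination behave on known data. The following reference implementation is an added example and not Entrust code; the operator names come from the procedure, and the grid rows are constructed to mirror its examples.

```python
"""Reference implementation of the NPKD Administration grid filter semantics.

Added example, not Entrust code. Operator names, case-insensitive matching,
the "empty value is ignored" rule and And/Or follow the procedure text above;
the rows in ROWS are constructed.
"""

# Each operator compares an already lower-cased cell with a lower-cased value.
OPERATORS = {
    "Contains":         lambda cell, v: v in cell,
    "Is equal to":      lambda cell, v: cell == v,
    "Starts with":      lambda cell, v: cell.startswith(v),
    "Ends with":        lambda cell, v: cell.endswith(v),
    "Is not equal to":  lambda cell, v: cell != v,
    "Does not contain": lambda cell, v: v not in cell,
}


def apply_filter(rows, column, conditions, combine="And"):
    """Return the rows whose `column` value passes the filter.

    conditions: up to two (operator, value) pairs, as in the filter dialog.
    A condition whose value is empty is not used. combine is "And" or "Or"
    and only matters when both conditions are in use.
    """
    if len(conditions) > 2:
        raise ValueError("a column filter has at most two conditions")
    if combine not in ("And", "Or"):
        raise ValueError("combine must be 'And' or 'Or'")
    # Drop unused conditions and normalise case once rather than per row.
    active = [(OPERATORS[op], value.lower()) for op, value in conditions if value != ""]
    keep = all if combine == "And" else any
    out = []
    for row in rows:
        cell = str(row.get(column, "")).lower()
        if not active or keep(fn(cell, value) for fn, value in active):
            out.append(row)
    return out


# Constructed sample rows, mirroring the examples in the procedure.
ROWS = [
    {"Country Code": "CA", "Subject": "Kim Brown",      "Status": "OK"},
    {"Country Code": "CA", "Subject": "Robert Kim",     "Status": "SUCCESS"},
    {"Country Code": "DE", "Subject": "Tom Kimball",    "Status": "WARN"},
    {"Country Code": "DE", "Subject": "Alice Gray",     "Status": "OK"},
    {"Country Code": "FR", "Subject": "Alice Smith",    "Status": "SYNTAX ERROR"},
    {"Country Code": "FR", "Subject": "Robert Gray",    "Status": "FATAL ERROR"},
    {"Country Code": "US", "Subject": "John Roberts",   "Status": "OK"},
    {"Country Code": "US", "Subject": "Robert Johnson", "Status": "ERROR"},
]


def subjects(rows):
    """The Subject values of a result set, in grid order."""
    return [row["Subject"] for row in rows]


if __name__ == "__main__":
    print(subjects(apply_filter(ROWS, "Subject", [("Contains", "kim")])))
    print(subjects(apply_filter(ROWS, "Status", [("Does not contain", "ERROR")])))
    print(subjects(apply_filter(ROWS, "Subject",
                                [("Contains", "John"), ("Contains", "Robert")], "And")))
    print(subjects(apply_filter(ROWS, "Subject",
                                [("Contains", "Alice"), ("Contains", "Gray")], "Or")))
```

Note that "Is not equal to" and "Does not contain" are the operators to reach for when triaging: filtering Status with Does not contain ERROR shows the healthy entries, and Is not equal to OK shows everything that needs attention, including WARN and the various ERROR variants.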

Removing a filter from a grid column


To remove a filter from a column in the grid, complete the following procedure. For
information about removing all filters from a grid, see “Viewing all filters in a grid”
on page 583.

To remove a filter from a grid column


1 For the column whose filter you want to remove, click the down arrow next to
the column heading, then select Filter.

2 Click Clear.
The filter is removed from the grid.

Viewing all filters in a grid


If you have one or more filters active in the grid, you can view all the filters in the grid
without having to look at each filter individually.

To view all filters in the grid


1 Select Grid Options > View Filters.

The View Filters pop-up window appears. The pop-up window lists all the filters
active in the grid.

Removing all filters from a grid


If you have multiple filters active in the grid and no longer want to use them, you can
remove all the filters from the grid at once instead of removing them from each
column individually.

To remove all filters from the grid
1 Select Grid Options > Clear Filters.

The filters are removed from the grid.

Grouping items in a grid by columns


Some grids allow you to group items by column values, allowing you to group similar
items together within a grid. For example, you can group items in a grid by values in
the Country Code or Country Name column, allowing you to group items together
by their country of origin.

To group items in a grid


1 Grids that allow grouping by column values have a Column Groups bar directly
above the column headings.
If the grid has no groups, the bar displays the following message:
Drag a column header and drop it here to group by that column
By default, some grids may already be grouped by one or more columns.
2 To group items by values in a column, drag the column to the Column Groups
bar at the top of the grid.

Items in the grid are grouped according to the values in that column. For
example:

3 You can drag multiple columns to the Column Groups bar to further group items
using nested groups. For example:

The preceding example shows a grid that groups items in the following order:
a Items are first grouped by Country Code, grouping items by their country of
origin. Each country has its own group, with all items from that country
under that group.
b Under each country group, items are then grouped by Status. All items with
the same status are grouped together, with each status forming a different
group.
c Under Status, items are further grouped by Assurance Level, grouping items
together by their assurance level.
You can show and hide a group by clicking the small black arrow next to the
group.
4 When using multiple groups, groups are ordered from left to right in the Column
Groups bar. You can change the order of the groups by dragging the name of the
column left or right. Small up and down arrows indicate the column’s new group
order.

5 To remove a group, click the X on the group column you want to remove.

Restoring a grid layout
Administration Services keeps track of the changes you make to the grid layout, such
as adding or removing filters, adding or removing columns, grouping items by
columns, and so on. These changes become the new default layout for the grid when
you reload the page, browse to a new page, or close the browser.
As you start to make changes to the default grid layout, you can revert the changes
you made by restoring the grid layout.
Restoring a grid layout does not restore the grid layout to the factory default (the
default grid layout for new installations of Administration Services). It only restores
the grid to the layout that existed at the time you last visited the page.

To restore a grid layout


1 Select Grid Options > Restore Layout.

Monitoring the National PKD using the
dashboard
NPKD Administration includes a dashboard that displays information about
scheduled and manual operations with the National PKD:
• assurance level updates
Assurance levels specify the level of trust for CSCA materials (Document
Signer certificates, CRLs, and master lists). The NPKD Web Service can
automatically publish CSCA materials with a high enough assurance level to
DV Web Service clients.
NPKD administrators can change assurance policies on a global level or on a
per-country level. Assurance levels for CSCA materials can be recalculated
automatically on a schedule, or an NPKD administrator can manually
recalculate assurance levels.
• LDIF import operations
You can import CSCA certificates, Document Signer certificates, CRLs, and
master lists into the National PKD from LDIF files.
• import operations from PKD Reader
PKD Reader can import Document Signer certificates, CRLs, and master lists
into the National PKD.

To view the dashboard


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Dashboard.
3 The Assurance Level section displays information about scheduled and manual
updates to assurance level calculations.

Assurance level information includes:


• Update Currently In Progress indicates whether an assurance level update is
currently in progress.

If an assurance level update is currently in progress, the value is True. If no
assurance level update is in progress, the value is False.
• Scheduled Update Enabled indicates whether scheduled assurance level
updates are enabled.
If scheduled assurance level updates are enabled, the value is True. If
scheduled assurance level updates are disabled, the value is False.
• Last Scheduled Update Completed displays the date and time that the
previous scheduled assurance level update was completed.
A value of N/A indicates that no scheduled assurance level update was ever
completed.
• Next Scheduled Update displays the date and time of the next scheduled
assurance level update.
A value of N/A indicates that an automatic assurance level update is not
scheduled.
• Last Manual Update Completed displays the date and time that the previous
manual assurance level update was completed.
A value of N/A indicates that no manual assurance level update was ever
completed.
4 The LDIF Imports section displays information about CSCA material imports from
LDIF files.

LDIF import information includes:


• Import Currently in Progress indicates whether an LDIF import operation is
currently in progress.
If an LDIF import operation is currently in progress, the value is True. If no
LDIF import operation is in progress, the value is False.
• Last Import Completed displays the date and time of the previous LDIF
import operation.
A value of N/A indicates that no LDIF import operations have ever occurred.

5 The PKD Reader Imports section displays information about CSCA material
imports from PKD Reader.

PKD Reader import information includes:


• Import Currently In Progress indicates whether an import operation from
PKD Reader is currently in progress.
If an import operation from PKD Reader is currently in progress, the value is
True. If no import operation from PKD Reader is in progress, the value is
False.
• Scheduled Import Enabled indicates whether scheduled imports from PKD
Reader are enabled.
If scheduled imports from PKD Reader are enabled, the value is True. If
scheduled imports from PKD Reader are disabled, the value is False.
• Last Scheduled Import Completed displays the date and time that the
previous scheduled import from PKD Reader was completed.
A value of N/A indicates that no scheduled import from PKD Reader was
ever completed.
• Next Scheduled Import displays the date and time of the next scheduled
import from PKD Reader.
A value of N/A indicates that an automatic import from PKD Reader is not
scheduled.
• Last Manual Import of DS Certificates Completed displays the date and time
that Document Signer certificates were manually imported from PKD Reader.
A value of N/A indicates that Document Signer certificates have never
manually been imported from PKD Reader.
• Last Manual Import of CRLs Completed displays the date and time that
CRLs were manually imported from PKD Reader.
A value of N/A indicates that CRLs have never been manually imported from
PKD Reader.
• Last Manual Import of MLs Completed displays the date and time that
master lists were manually imported from PKD Reader.

A value of N/A indicates that master lists have never manually been imported
from PKD Reader.
• Last Manual Import of All Materials Completed displays the date and time
that CSCA materials (Document Signer certificates, CRLs, and master lists)
were manually imported from PKD Reader.
A value of N/A indicates that CSCA materials have never manually been
imported from PKD Reader.

Managing countries in the National PKD
The National PKD stores data taken from the ICAO PKD—master lists, Document
Signer certificates, and CRLs—along with validation test results and metadata
information. The data is stored in the National PKD by country.
Using NPKD Administration, you can view countries that are in the National PKD,
export all of a country’s CSCA materials to files, and configure the assurance policy
settings for a country.
This section contains the following topics:
• “Listing countries in the National PKD” on page 592
• “Viewing detailed information about a country in the National PKD” on
page 596
• “Exporting all CSCA materials from a country to files” on page 601
• “Configuring the assurance policy settings for a country” on page 603

Listing countries in the National PKD


Using NPKD Administration, you can display a list of countries in the National PKD.

To view countries in the National PKD


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Countries.
The Countries List page appears.

The Countries List displays a list of countries in the National PKD. Each row in
the grid contains information about a country in the National PKD. Each row
contains the following columns:
• Country Code displays the country code of the country.
• Country Name displays the name of the country.
To view more detailed information about the country, click the country name.
See “Viewing detailed information about a country in the National PKD” on
page 596 for information about viewing details about a country.

3 To view information about CSCA materials—CRLs, master lists, and Document
Signer certificates—originating from a country, click the arrow in the far-left
column for that country.

a Number of CRLs displays the number of CRLs in the National PKD
originating from the country. If the country has at least one CRL, a grid
displays information about each CRL.
Each row in the grid contains information about a CRL. Each row contains
the following columns:
– CN displays the distinguished name (DN) of the CSCA that issued the CRL.
This DN forms part of the common name (CN) of the CRL in the National
PKD.
To view detailed information about the CRL, click the DN. See “Viewing
detailed information about a CRL” on page 627 for information about
viewing CRLs.
– DN displays the distinguished name (DN) of the CRL in the National PKD.
– Status displays the status of the CRL.
The value OK indicates that all attribute signatures are valid and the entry
in the directory is not corrupt.
The value ERROR indicates either the entry in the directory is corrupt or the
NPKD services cannot verify the signature on the attributes. An error string
explaining the reason for the error will be displayed.
– Revoked Certificates displays the number of revoked certificates in the
CRL.

– Actions displays a list of available actions you can perform on the CRL.
To export the CRL to a file, click Export CRL. See “Exporting CRLs to files”
on page 634 for more information about exporting CRLs.
b Number of Master Lists displays the number of master lists in the National
PKD originating from the country. If the country has at least one master list,
a grid displays information about each master list.
Each row in the grid contains information about a master list. Each row
contains the following columns:
– CN displays the distinguished name (DN) of the CSCA that signed the
master list. This DN forms part of the common name (CN) of the master list
in the National PKD.
To view detailed information about the master list, click the DN. See
“Viewing detailed information about a master list” on page 641 for
information about viewing master lists.
– DN displays the distinguished name (DN) of the master list in the National
PKD.
– Status displays the status of the master list.
The value OK indicates that all attribute signatures are valid and the entry
in the directory is not corrupt.
The value ERROR indicates either the entry in the directory is corrupt or the
NPKD services cannot verify the signature on the attributes. An error string
explaining the reason for the error will be displayed.
– CSCA Certificates displays the number of CSCA certificates in the master
list.
– Actions displays a list of available actions you can perform on the master
list.
To export the master list to a file, click Export Master List. See “Exporting
master lists to files” on page 647 for more information about exporting
master lists.
c Number of DS Certificates displays the number of Document Signer
certificates in the National PKD originating from the country. If the country
has at least one Document Signer certificate, a grid displays information
about each Document Signer certificate.
You can hide or show the list of Document Signer certificates by clicking Hide Certificates or Show Certificates.
Each row in the grid contains information about a Document Signer certificate. Each row contains the following columns:

– SN displays the serial number of the certificate in hexadecimal format.
To view detailed information about the Document Signer certificate, click the serial number. See “Viewing detailed information about a Document Signer certificate” on page 613 for information about viewing Document Signer certificates.
– CN displays the distinguished name (DN) of the CSCA that issued the
Document Signer certificate. This DN forms part of the common name
(CN) of the Document Signer certificate in the National PKD.
– DN displays the distinguished name (DN) of the Document Signer
certificate in the National PKD.
– Status displays the status of the Document Signer certificate.
The value OK indicates that all attribute signatures are valid and the entry
in the directory is not corrupt.
The value ERROR indicates either the entry in the directory is corrupt or the
NPKD services cannot verify the signature on the attributes. An error string
explaining the reason for the error will be displayed.
– Actions displays a list of available actions you can perform on the Document Signer certificate.
To export the Document Signer certificate to a file, click Export Certificate.
See “Exporting Document Signer certificates to files” on page 620 for more
information about exporting Document Signer certificates.

Viewing detailed information about a country in the National PKD
Using NPKD Administration, you can view detailed information about a specific
country in the National PKD, including lists of all CRLs, Document Signer certificates,
and master lists for that country.

To view detailed information about a country in the National PKD
1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Countries.
The Countries List page appears.

The Countries List displays a list of countries in the National PKD. For information
about this page, see “Listing countries in the National PKD” on page 592.
3 Click the name of the country in the Country Name column.
The Country page appears.

4 Click the Country Overview tab.
The Country Overview tab displays information about CSCA materials—CRLs, master lists, and Document Signer certificates—originating from the country.
5 Number of CRLs displays the number of CRLs in the National PKD originating from the country. If the country has at least one CRL, a grid displays information about each CRL. Each row in the grid contains information about a CRL. Each row contains the following columns:
• CN displays the distinguished name (DN) of the CSCA that issued the CRL.
This DN forms part of the common name (CN) of the CRL in the National
PKD.
To view detailed information about the CRL, click the DN. See “Viewing
detailed information about a CRL” on page 627 for information about
viewing CRLs.
• DN displays the distinguished name (DN) of the CRL in the National PKD.
• Status displays the status of the CRL.
The value OK indicates that all attribute signatures are valid and the entry in
the directory is not corrupt.
The value ERROR indicates either the entry in the directory is corrupt or the
NPKD services cannot verify the signature on the attributes. An error string
explaining the reason for the error will be displayed.
• Assurance Level displays the assurance level of the certificate.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.

• Publish displays whether the CRL is available for publishing to DV Web
Service clients.
False indicates that the CRL is not available to be published to clients.
True indicates that the CRL is available to be published to clients.
• Revoked Certificates displays the number of revoked certificates in the CRL.
• Actions displays a list of available actions you can perform on the CRL.
To export the CRL to a file, click Export CRL. See “Exporting CRLs to files”
on page 634 for more information about exporting CRLs.
6 Number of Master Lists displays the number of master lists in the National PKD originating from the country. If the country has at least one master list, a grid displays information about each master list. Each row in the grid contains information about a master list. Each row contains the following columns:
• DN displays the distinguished name (DN) of the CSCA that signed the master
list.
To view detailed information about the master list, click the DN. See
“Viewing detailed information about a master list” on page 641 for
information about viewing master lists.
• Status displays the status of the master list.
The value OK indicates that all attribute signatures are valid and the entry in
the directory is not corrupt.
The value ERROR indicates either the entry in the directory is corrupt or the
NPKD services cannot verify the signature on the attributes. An error string
explaining the reason for the error will be displayed.
• Assurance Level displays the assurance level of the master list.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
Click the assurance level for a master list to view the results of all assurance
level tests performed on the master list, along with some additional master
list information.
• Publish displays whether the master list is available for publishing to DV Web
Service clients.
False indicates that the master list is not available to be published to clients.
True indicates that the master list is available to be published to clients.

• CSCA Certificates displays the number of CSCA certificates in the master list.
• Actions displays a list of available actions you can perform on the master list.
To export the master list to a file, click Export Master List. See “Exporting
master lists to files” on page 647 for more information about exporting
master lists.
7 Number of DS Certificates displays the number of Document Signer certificates in the National PKD originating from the country. If the country has at least one Document Signer certificate, a grid displays information about each Document Signer certificate.
You can hide or show the list of Document Signer certificates by clicking Hide Certificates or Show Certificates.
Each row in the grid contains information about a Document Signer certificate. Each row contains the following columns:
• SN displays the serial number of the certificate in hexadecimal format.
To view detailed information about the Document Signer certificate, click the
serial number. See “Viewing detailed information about a Document Signer
certificate” on page 613 for information about viewing Document Signer
certificates.
• CN displays the distinguished name (DN) of the CSCA that issued the
Document Signer certificate. This DN forms part of the common name (CN)
of the Document Signer certificate in the National PKD.
• DN displays the distinguished name (DN) of the Document Signer certificate
in the National PKD.
• Status displays the status of the Document Signer certificate.

The value OK indicates that all attribute signatures are valid and the entry in
the directory is not corrupt.
The value ERROR indicates either the entry in the directory is corrupt or the
NPKD services cannot verify the signature on the attributes. An error string
explaining the reason for the error will be displayed.
• Assurance Level displays the assurance level of the certificate.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
• Publish displays whether the Document Signer certificate is available for
publishing to DV Web Service clients.
False indicates that the certificate is not available to be published to clients.
True indicates that the certificate is available to be published to clients.
• Actions displays a list of available actions you can perform on the Document Signer certificate.
To export the Document Signer certificate to a file, click Export Certificate.
See “Exporting Document Signer certificates to files” on page 620 for more
information about exporting Document Signer certificates.

Exporting all CSCA materials from a country to files
Using NPKD Administration, you can export all CRLs, master lists, and Document
Signer certificates from a specific country in the National PKD to files. Typically you
would export all CSCA materials from a country if you need to manually import them
into your Inspection System or DV Web Service client.

To export all CSCA materials from a country to files
1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Countries.
The Countries List page appears.

3 From the Country Name column, click the name of the country whose materials
you want to export.
The Country page appears.

4 Click Export All Materials.
5 When prompted, save the materials to a location on your computer. The
materials are saved in a ZIP file. By default, the ZIP file name is <CC>.zip, where
<CC> is the country code of the originating country. For example, US.zip.

Configuring the assurance policy settings for a country
Assurance levels specify the level of trust for CSCA materials (Document Signer
certificates, CRLs, and master lists). The NPKD Web Service can automatically publish
CSCA materials with a high enough assurance level to DV Web Service clients.
Assurance policies control the tests performed on CSCA materials to determine the
assurance level, and the minimum assurance level required to publish the materials to
clients. NPKD administrators can change assurance policies on a global level or on a
per-country level.
The global assurance policy is the default assurance policy. By default, the global
assurance policy is assigned to all countries in the National PKD. The following
procedures describe how to assign the global assurance policy to a country, and how
to configure a country-specific assurance policy for a country.
For information about configuring the global assurance policy settings, see
“Configuring the assurance policy settings for a country” on page 603.
This topic contains the following procedures:
• “To assign the global assurance policy to a country” on page 603
• “To configure a country-specific assurance policy for a country” on page 606

To assign the global assurance policy to a country
1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Countries.
The Countries List page appears.

3 From the Country Name column, click the name of the country that you want to
configure to use the global assurance policy.
The Country page appears.

4 Click the Policy Overview tab.
5 Click Use Global Policy.
The settings displayed under Policy Overview show the values set in the global assurance policy. The Policy Tests section displays the policy test values set in the global assurance policy.

6 To immediately recalculate assurance levels on all CSCA materials for the country,
click Recalculate Assurance Levels.
By default, NPKD automatically recalculates assurance levels every 24 hours (see
“Configuring NPKD services settings” on page 710).

Recalculating assurance levels can take several minutes to complete. You can
view the Dashboard to see when the recalculation is complete (see “Monitoring
the National PKD using the dashboard” on page 588).

To configure a country-specific assurance policy for a country
1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Countries.
The Countries List page appears.

3 From the Country Name column, click the name of the country for which you want to configure a country-specific assurance policy.

The Country page appears.
4 Click the Policy Overview tab.
5 Under Policy Overview:
a Click Use Country Specific Policy.
b For Name, enter a friendly name for the country-specific policy settings. The
default value is default.
c For Description, enter a description for the country-specific policy settings. The default value is Default assurance level policy.
d Certificate Publish Assurance Level controls the minimum assurance level
required for NPKD to publish Document Signer certificates to DV Web
Service clients.
All tests performed by NPKD on a Document Signer certificate must result in
this assurance level or higher for NPKD to publish the Document Signer
certificate to clients.

From the drop-down list, select the minimum assurance level required for
NPKD to publish Document Signer certificates. You can select the following
values, from highest to lowest: High Assurance, Minor Defect, or Low
Assurance.
The default value is High Assurance.
e CRL Publish Assurance Level controls the minimum assurance level required
for NPKD to publish CRLs to DV Web Service clients.
All tests performed by NPKD on a CRL must result in this assurance level or
higher for NPKD to publish the CRL to clients. You can select the following
values, from highest to lowest: High Assurance, Minor Defect, or Low
Assurance.
The default value is High Assurance.
f Master List Publish Assurance Level controls the minimum assurance level
required for NPKD to publish master lists to DV Web Service clients.
All tests performed by NPKD on a master list must result in this assurance
level or higher for NPKD to publish the master list to clients. You can select
the following values, from highest to lowest: High Assurance, Minor Defect,
or Low Assurance.
The default value is High Assurance.
g Available For External Publishing controls whether CSCA materials from the
country are available for publishing to DV Web Service clients.
– To make materials from the country available for publishing, click True.
– To not publish any materials from the country, click False.
If False, NPKD Administration hides the Certificate Publish Assurance
Level, CRL Publish Assurance Level, and Master List Publish Assurance
Level settings, and also hides the Policy Tests section. If materials are not
available for publishing, no assurance tests are performed.

6 The Policy Tests section controls all assurance level tests the NPKD services can perform on CSCA materials.
By default, tests are grouped by Source Material (CRLs, Document Signer Certificates, Master Lists, and CSCA Certificates). Each row corresponds to an assurance level test. Each row can contain the following columns:
• Test Name is the name of the assurance level test.
• Class is the Java class that the NPKD service uses to perform the test.
• Description is a brief description of the test.
• Source Material displays the type of material on which the test is performed.
The value is one of CRLs, DS Certificates, Master Lists, or CSCA Certificate.
• Result lists all possible test results. Each result corresponds with the adjacent
drop-down list in the Assurance Level column.
– Pass. The test passed.
– Fail. The test failed.
– Undetermined. The NPKD services cannot perform a test to determine the
test result. For example, NPKD services cannot access the appropriate CRL
to determine if the Document Signer certificate was revoked.
– Non-Compliant Value. The test passed, but the value tested is not
compliant with the ICAO standard.
• Assurance Level controls the assurance level assigned to the material based
on the test result. Each drop-down list corresponds to the adjacent test result
in the Result column.

You can select the following values, from highest to lowest: High Assurance,
Minor Defect, or Low Assurance.
– The default value for all Pass test results is High Assurance.
– The default value for Fail test results is either Low Assurance or Minor
Defect, depending on the test.
– The default value for all Undetermined test results is Minor Defect.
– The default value for all Non-Compliant Value test results is Minor Defect.
• State controls whether the NPKD services perform the test:
– To enable NPKD services to perform the test, click Enabled. By default, all
tests are enabled.
– To disable NPKD services from performing the test, click Disabled.
7 If you changed any settings and want to save the changes, click Save Policy
Information.
8 To immediately recalculate assurance levels on all CSCA materials for the country,
click Recalculate Assurance Levels.
By default, NPKD automatically recalculates assurance levels every 24 hours (see
“Configuring NPKD services settings” on page 710).
Recalculating assurance levels can take several minutes to complete. You can
view the Dashboard to see when the recalculation is complete (see “Monitoring
the National PKD using the dashboard” on page 588).
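The publish decision described in steps 5 and 6 (per-material publish thresholds, the Available For External Publishing switch, the result-to-level mapping and the Disabled state of a test) is worth seeing as executable logic. The following is an added model written for this guide, not Entrust code: it assumes that a material's overall assurance level is the lowest level produced by any enabled test, that a test the services could not run counts as Undetermined, and that the test names, thresholds and dates are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from enum import IntEnum


class Assurance(IntEnum):
    """Assurance levels from the guide, ordered lowest to highest."""
    LOW_ASSURANCE = 0
    MINOR_DEFECT = 1
    HIGH_ASSURANCE = 2


# The four possible results listed under the Result column of Policy Tests.
PASS, FAIL, UNDETERMINED, NON_COMPLIANT = "Pass", "Fail", "Undetermined", "Non-Compliant Value"


def default_levels(fail_level=Assurance.LOW_ASSURANCE):
    """Guide defaults: Pass -> High Assurance, Fail -> Low Assurance or Minor
    Defect (depends on the test), Undetermined and Non-Compliant Value -> Minor Defect."""
    return {PASS: Assurance.HIGH_ASSURANCE, FAIL: fail_level,
            UNDETERMINED: Assurance.MINOR_DEFECT, NON_COMPLIANT: Assurance.MINOR_DEFECT}


@dataclass
class PolicyTest:
    name: str                     # hypothetical test name (constructed)
    source_material: str          # "CRLs", "DS Certificates", "Master Lists" or "CSCA Certificate"
    enabled: bool = True          # State column: a Disabled test is never performed
    levels: dict = field(default_factory=default_levels)   # Assurance Level column


@dataclass
class CountryPolicy:
    available_for_external_publishing: bool = True
    # Certificate / CRL / Master List Publish Assurance Level; default is High Assurance
    publish_threshold: dict = field(default_factory=lambda: {
        "DS Certificates": Assurance.HIGH_ASSURANCE,
        "CRLs": Assurance.HIGH_ASSURANCE,
        "Master Lists": Assurance.HIGH_ASSURANCE})
    tests: list = field(default_factory=list)


def evaluate(policy, material_type, results):
    """Return (assurance_level, publishable) for one piece of CSCA material.

    results maps test name -> result string for the tests that ran; a missing
    entry is treated as Undetermined (assumption). The material's level is the
    lowest level any enabled test produced (assumption), and it is publishable
    only if every performed test meets the per-material publish threshold.
    """
    if not policy.available_for_external_publishing:
        return None, False          # guide: no assurance tests are performed
    levels = [t.levels[results.get(t.name, UNDETERMINED)]
              for t in policy.tests
              if t.enabled and t.source_material == material_type]
    if not levels:
        return None, False          # nothing tested, nothing to vouch for (assumption)
    level = min(levels)
    return level, level >= policy.publish_threshold[material_type]


def assurance_expiry(validator_expiries):
    """Assurance Level Expiry Date: the earliest expiry among the materials used
    to validate the item, for example the CSCA certificate and the CRL."""
    return min(validator_expiries)


# Constructed sample policy: four hypothetical DS-certificate tests and one CRL test.
SAMPLE_POLICY = CountryPolicy(tests=[
    PolicyTest("ds_signature_valid", "DS Certificates"),
    PolicyTest("ds_not_revoked", "DS Certificates"),
    PolicyTest("ds_key_usage_icao", "DS Certificates", levels=default_levels(Assurance.MINOR_DEFECT)),
    PolicyTest("ds_legacy_check", "DS Certificates", enabled=False),
    PolicyTest("crl_signature_valid", "CRLs"),
])


def sample_results():
    """Constructed scenarios; returns {scenario: (level, publishable)}."""
    revocation_unknown = {"ds_signature_valid": PASS, "ds_not_revoked": UNDETERMINED,
                          "ds_key_usage_icao": PASS, "ds_legacy_check": FAIL}  # disabled test ignored
    all_pass = {"ds_signature_valid": PASS, "ds_not_revoked": PASS, "ds_key_usage_icao": PASS}
    relaxed = CountryPolicy(tests=SAMPLE_POLICY.tests)
    relaxed.publish_threshold["DS Certificates"] = Assurance.MINOR_DEFECT
    withheld = CountryPolicy(available_for_external_publishing=False, tests=SAMPLE_POLICY.tests)
    return {
        "strict_revocation_unknown": evaluate(SAMPLE_POLICY, "DS Certificates", revocation_unknown),
        "strict_all_pass": evaluate(SAMPLE_POLICY, "DS Certificates", all_pass),
        "relaxed_revocation_unknown": evaluate(relaxed, "DS Certificates", revocation_unknown),
        "withheld": evaluate(withheld, "DS Certificates", all_pass),
    }


def sample_expiry():
    """Constructed: validated against a CSCA certificate expiring in 2030 and a CRL
    whose next update is 2019-06-30; the earlier date bounds the assurance level."""
    return assurance_expiry([datetime(2030, 1, 1), datetime(2019, 6, 30)])


if __name__ == "__main__":
    for scenario, outcome in sample_results().items():
        print(scenario, outcome)
    print("assurance level expires", sample_expiry().isoformat())
```

The scenarios show why a CRL the services cannot fetch holds a certificate at Minor Defect and, under the default High Assurance threshold, keeps it from being published until the next recalculation.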

Managing Document Signer certificates in the
National PKD
Each country has one or more Document Signers. Document Signers are issued
certificates from a Country Signing Certification Authority (CSCA). Document Signers
use the corresponding private keys to sign the Document Security Object on
electronic passports.
Using NPKD Administration, you can view Document Signer certificates that are in
the National PKD, export Document Signer certificates to files, and remove
Document Signer certificates from the National PKD.
This section contains the following topics:
• “Listing Document Signer certificates in the National PKD” on page 611
• “Viewing detailed information about a Document Signer certificate” on
page 613
• “Viewing the assurance level details of a Document Signer certificate” on
page 617
• “Exporting Document Signer certificates to files” on page 620
• “Removing Document Signer certificates from the National PKD” on
page 623

Listing Document Signer certificates in the National PKD
Using NPKD Administration, you can display a list of Document Signer certificates
imported into the National PKD.

To list Document Signer certificates in the National PKD
1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click DS Certificates.
The DS Certificates List page appears.

The DS Certificate List displays a list of Document Signer certificates in the
National PKD. The grid contains information about the Document Signer
certificates.
3 NPKD Administration may not retrieve all Document Signer certificates in the
National PKD at once. To load more Document Signer certificates, click Get more
certificates.
In the NPKD configuration settings, the Maximum page size for DS certificates
results setting controls how many Document Signer certificates per page are
returned from an LDAP query. See “Configuring NPKD services settings” on
page 710 for details.
4 Each row in the grid contains information about a Document Signer certificate.
Each row contains the following columns:
• Country Code displays the country code of the originating country.
• Country Name displays the name of the originating country.
To view detailed information about the country, click the name of the
country. See “Viewing detailed information about a country in the National
PKD” on page 596 for information about viewing countries.
• SN displays the serial number of the certificate in hexadecimal format.
Click the serial number for a Document Signer certificate to view more
detailed information about that Document Signer certificate. See “Viewing
detailed information about a Document Signer certificate” on page 613 for
more information about viewing detailed information about a Document
Signer certificate.

• CN displays the distinguished name (DN) of the CSCA that issued the
Document Signer certificate. This DN forms part of the common name (CN)
of the Document Signer certificate in the National PKD.
• DN displays the distinguished name (DN) of the Document Signer certificate
in the National PKD.
• Status displays the status of the Document Signer certificate.
The value OK indicates that all attribute signatures are valid and the entry in
the directory is not corrupt.
The value ERROR indicates either the entry in the directory is corrupt or the
NPKD services cannot verify the signature on the attributes. An error string
explaining the reason for the error will be displayed.
• Assurance Level displays the assurance level of the certificate.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
• Publish displays whether the Document Signer certificate is available for
publishing to DV Web Service clients.
False indicates that the certificate is not available to be published to clients.
True indicates that the certificate is available to be published to clients.
• Actions displays a list of available actions you can perform on the Document Signer certificate.
To export the Document Signer certificate to a file, click Export Certificate.
See “Exporting Document Signer certificates to files” on page 620 for more
information about exporting Document Signer certificates.
• Select Certificates provides a check box for selecting the Document Signer
certificate. You can perform actions on all selected Document Signer
certificates.

Viewing detailed information about a Document Signer certificate
Using NPKD Administration, you can view detailed information about a specific
Document Signer certificate in the National PKD.

To view detailed information about a Document Signer certificate in the National PKD
1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click DS Certificates.

The DS Certificates List page appears.
The DS Certificate List displays a list of Document Signer certificates in the National PKD. For information about this page, see “Listing Document Signer certificates in the National PKD” on page 611.
3 In the SN column, click the serial number of the Document Signer certificate you
want to view.
Detailed information about the Document Signer certificate appears on a new
page.
4 Certificate Overview displays a brief overview about the Document Signer
certificate.

• Country displays the country code and name of the originating country.
To view detailed information about the country, click the name of the
country. See “Viewing detailed information about a country in the National
PKD” on page 596 for information about viewing countries.
• SN displays the serial number of the certificate in hexadecimal format.

• DN displays the distinguished name (DN) of the Document Signer certificate
in the National PKD.
• CN displays the distinguished name (DN) of the CSCA that issued the
Document Signer certificate. This DN forms part of the common name (CN)
of the Document Signer certificate in the National PKD.
5 Certificate Details displays more detailed information about the Document
Signer certificate.

• Issuer DN displays the distinguished name (DN) of the CSCA that issued the
Document Signer certificate.
• Subject DN displays the distinguished name (DN) of the Document Signer
certificate.
• Serial Number displays the serial number of the Document Signer certificate in integer format.
• Not Valid Before displays the issue date of the certificate.
• Not Valid After displays the expiry date of the certificate.
6 CSCA Material Details displays information about the Document Signer
certificate in the National PKD.

• Source displays the source of the certificate.

The value Manual indicates that the Document Signer certificate was
manually imported into the National PKD.
The value ICAO indicates that the Document Signer certificate was
downloaded from the ICAO PKD.
• Creation Date displays the date and time the certificate was added to the
National PKD or last updated in the National PKD.
• Submitter displays the DN of the user that added the certificate to the
National PKD.
A value of N/A indicates that the certificate was imported into the National
PKD by the PKD Reader.
• Assurance Level displays the assurance level of the certificate.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
• Assurance Level Expiry Date displays the date and time when the assurance
level is no longer valid. The assurance level expiry date is calculated using the
shortest expiration date of the material used to validate the material, such as
a CRL.
• Available for External Publishing displays whether the certificate is available
for publishing to DV Web Service clients.
False indicates that the certificate is not available to be published to clients.
True indicates that the certificate is available to be published to clients.

7 Assurance Level Test Results displays the number of assurance level tests
performed on the Document Signer certificate, along with the results of each test
that was performed.

You can hide or show the test results by clicking Hide Test Results or Show Test Results.

Viewing the assurance level details of a Document Signer certificate
Assurance levels specify the level of trust for CSCA materials (Document Signer
certificates, CRLs, and master lists). The NPKD Web Service can automatically publish
CSCA materials with a high enough assurance level to DV Web Service clients.
Assurance policies control the tests performed on CSCA materials to determine the
assurance level, and the minimum assurance level required to publish the materials to
clients. NPKD administrators can change assurance policies on a global level or on a
per-country level.
Using NPKD Administration, you can view the assurance policy test results for a
Document Signer certificate, along with additional details about the Document Signer
certificate.

To view assurance level details about a Document Signer certificate in the
National PKD
1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click DS Certificates.
The DS Certificates List page appears.

The DS Certificate List displays a list of Document Signer certificates in the National PKD. For information about this page, see “Listing Document Signer certificates in the National PKD” on page 611.
3 In the Assurance Level column, click the assurance level of the Document Signer
certificate you want to view.
An Assurance Level Details page appears for the Document Signer certificate.

4 Certificate Overview displays a brief overview about the Document Signer certificate.
• Country displays the country code and name of the originating country.

To view detailed information about the country, click the name of the
country. See “Viewing detailed information about a country in the National
PKD” on page 596 for information about viewing countries.
• SN displays the serial number of the certificate in hexadecimal format.
To view detailed information about the Document Signer certificate, click the
serial number. See “Viewing detailed information about a Document Signer
certificate” on page 613 for information about viewing detailed information
about a Document Signer certificate.
• DN displays the distinguished name (DN) of the Document Signer certificate
in the National PKD.
• CN displays the distinguished name (DN) of the CSCA that issued the
Document Signer certificate. This DN forms part of the common name (CN)
of the Document Signer certificate in the National PKD.
5 CSCA Material Details displays information about the Document Signer
certificate in the National PKD.

• Source displays the source of the certificate.


The value Manual indicates that the Document Signer certificate was
manually imported into the National PKD.
The value ICAO indicates that the Document Signer certificate was
downloaded from the ICAO PKD.
• Creation Date displays the date and time the certificate was added to the
National PKD or last updated in the National PKD.
• Submitter displays the DN of the user that added the certificate to the
National PKD.
A value of N/A indicates that the certificate was imported into the National
PKD by the PKD Reader.
• Assurance Level displays the assurance level of the certificate.

The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
• Assurance Level Expiry Date displays the date and time when the assurance
level is no longer valid. The assurance level expiry date is the earliest
expiry date among the materials used to validate the certificate, for example
the Next Update time of the CRL that was checked.
• Available for External Publishing displays whether the certificate is available
for publishing to DV Web Service clients.
False indicates that the certificate is not available to be published to clients.
True indicates that the certificate is available to be published to clients.
6 Assurance Level Test Results displays the number of assurance level tests
performed on the Document Signer certificate, along with the results of each test
that was performed.

Exporting Document Signer certificates to files


Using NPKD Administration, you can export one or more Document Signer
certificates in the National PKD to files. Typically you would export Document Signer
certificates if you need to manually import them into your Inspection System or DV
Web Service client. You can export all Document Signer certificates or you can export
a specific Document Signer certificate.
This topic contains the following procedures:
• “To export all Document Signer certificates to files” on page 621

• “To export a specific Document Signer certificate to a file” on page 621

To export all Document Signer certificates to files


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click DS Certificates.
The DS Certificates List page appears.

3 Click Export All DS Certificates.


4 Because the National PKD may contain thousands of Document Signer certificates,
the export may take some time. A dialog box may appear informing you that the
export request has been sent and that the ZIP file will be downloaded shortly.
Click OK.
5 When prompted, save the Document Signer certificates to a location on your
computer. The Document Signer certificates are saved in a ZIP file. By default, the
ZIP file name is dscerts.zip.

To export a specific Document Signer certificate to a file


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click DS Certificates.
The DS Certificates List page appears.

3 From the SN column, click the serial number of the Document Signer certificate
you want to export.
Detailed information about the Document Signer certificate appears on a new
page.
4 Click Export DS Certificate.


5 When prompted, save the Document Signer certificate to a location on your
computer. The certificate is saved as a .crt file. By default, the name of the file
is <CC>_<SN>.crt, where:
• <CC> is the country code of the originating country.
• <SN> is the serial number of the certificate in hexadecimal format.
For example, US_3ba67a1.crt.

Removing Document Signer certificates from the National PKD
Using NPKD Administration, you can remove one or more Document Signer
certificates from the National PKD. Typically you would remove Document Signer
certificates when you no longer want a specific country's Document Signer
certificates and other CSCA materials in the National PKD.

Note:
If automatic imports from PKD Reader are enabled (see “Configuring NPKD
services settings” on page 710), materials you remove from the National PKD
may be re-added by PKD Reader during a scheduled import operation. To
prevent PKD Reader from re-adding materials you remove from the National
PKD, you must disable automatic imports from PKD Reader. You can then
manually import materials from PKD Reader (see “Importing CSCA materials
from PKD Reader into the National PKD” on page 696). Manually importing
materials from PKD Reader allows you to review the materials in PKD Reader and
remove any unwanted materials before uploading them into the National PKD.

To remove Document Signer certificates from the National PKD


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click DS Certificates.
The DS Certificates List page appears.

3 To remove one or more Document Signer certificates from the DS Certificate List:

a To select all Document Signer certificates on the page, click Select All.
When you click Select All to select all Document Signer certificates, the
button changes to Deselect All. Click Deselect All, to deselect all the
Document Signer certificates.
b To select specific Document Signer certificates, click the Select Certificates
check box for each Document Signer certificate.
Clicking a check box that is already selected will deselect the Document
Signer certificate.
c Click Remove DS Certificates.
A dialog box appears, asking you to confirm that you want to remove the
Document Signer certificates from the National PKD.
d Click OK to confirm the operation and remove the Document Signer
certificates from the National PKD.
The Document Signer certificates are removed from the National PKD and a
success message appears.
4 To view a specific Document Signer certificate before removing it from the
National PKD:
a From the SN column, click the serial number of the Document Signer
certificate you want to remove.
Detailed information about the Document Signer certificate appears on a
new page.
b Review the Document Signer certificate details and verify that it is the
Document Signer certificate you want to remove from the National PKD.
c Click Remove DS certificate.
The Document Signer certificate is removed from the National PKD and a
success message appears.

Managing CRLs in the National PKD
A certificate revocation list (CRL) is a signed list, issued by a CSCA, of the
certificates that the CSCA has revoked before their expiry date.
Using NPKD Administration, you can view CRLs that are in the National PKD, export
CRLs to files, and remove CRLs from the National PKD.
This section contains the following topics:
• “Listing CRLs in the National PKD” on page 625
• “Viewing detailed information about a CRL” on page 627
• “Viewing the assurance level details of a CRL” on page 631
• “Exporting CRLs to files” on page 634
• “Removing CRLs from the National PKD” on page 637

Listing CRLs in the National PKD


Using NPKD Administration, you can display a list of CRLs imported into the National
PKD.

To list CRLs in the National PKD


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click CRLs.
The CRLs List page appears.

The CRLs List displays a list of CRLs in the National PKD. The grid contains
information about the CRLs.
3 Each row in the grid contains information about a CRL. Each row contains the
following columns:
• Country Code displays the country code of the originating country.
• Country Name displays the name of the originating country.
To view detailed information about the country, click the name of the
country. See “Viewing detailed information about a country in the National
PKD” on page 596 for information about viewing countries.
• CN displays the distinguished name (DN) of the CSCA that issued the CRL.
This DN forms part of the common name (CN) of the CRL in the National
PKD.
Click the DN to view more detailed information about that CRL.
See “Viewing detailed information about a CRL” on page 627 for more
information about viewing detailed information about a CRL.
• DN displays the distinguished name (DN) of the CRL in the National PKD.
• Status displays the status of the CRL.
The value OK indicates that all attribute signatures are valid and the entry in
the directory is not corrupt.

The value ERROR indicates either the entry in the directory is corrupt or the
NPKD services cannot verify the signature on the attributes. An error string
explaining the reason for the error will be displayed.
• Assurance Level displays the assurance level of the CRL.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
• Publish displays whether the CRL is available for publishing to DV Web
Service clients.
False indicates that the CRL is not available to be published to clients.
True indicates that the CRL is available to be published to clients.
• Revoked Certificates displays the number of revoked certificates in the CRL.
• Actions displays a list of available actions you can perform on the CRL.
To export the CRL to a file, click Export CRL. See “Exporting CRLs to files”
on page 634 for more information about exporting CRLs.
• Select CRLs provides a check box for selecting the CRL. You can perform
actions on all selected CRLs.

Viewing detailed information about a CRL


Using NPKD Administration, you can view detailed information about a specific CRL
in the National PKD.

To view detailed information about a CRL in the National PKD


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click CRLs.
The CRLs List page appears.

The CRLs List displays a list of CRLs in the National PKD. For information about
this page, see “Listing CRLs in the National PKD” on page 625.
3 In the CN column, click the distinguished name of the CRL you want to view.
Detailed information about the CRL appears on a new page.
4 CRL Overview displays a brief overview about the CRL.

• Country displays the name and country code of the originating country.
To view detailed information about the country, click the name of the
country. See “Viewing detailed information about a country in the National
PKD” on page 596 for information about viewing countries.
• CN displays the distinguished name (DN) of the CSCA that issued the CRL.
• DN displays the distinguished name (DN) of the CRL in the National PKD.

5 CRL Details displays more detailed information about the CRL.

• Issuer DN displays the distinguished name (DN) of the CSCA that issued the
CRL.
• Last Update displays the date and time the CSCA issued this CRL.
• Next Update displays the date and time by which the CSCA will issue the next
CRL. After this time the CRL is out of date and should not be relied on.
6 CSCA Material Details displays information about the CRL in the National PKD.

• Source displays the source of the CRL.


The value Manual indicates that the CRL was manually imported into the
National PKD.
The value ICAO indicates that the CRL was downloaded from the ICAO
PKD.
The value Discovered indicates that the CRL was discovered and
downloaded by NPKD from a URL in a Document Signer certificate’s CDP
(CRL distribution point).
By default, the NPKD services can automatically discover and download
CRLs when importing Document Signer certificates and a URL is found in a
certificate’s CDP. You can disable automatic discovery of CRLs by editing the
NPKD settings (see “Configuring NPKD services settings” on page 710).
• Creation Date displays the date and time the CRL was added to the National
PKD or last updated in the National PKD.
• Submitter displays the DN of the user that added the CRL to the National
PKD.

A value of N/A indicates that the CRL was imported into the National PKD
by the PKD Reader or discovered from a Document Signer certificate.
• Assurance Level displays the assurance level of the CRL.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
• Assurance Level Expiry Date displays the date and time when the assurance
level is no longer valid. The assurance level expiry date is the earliest
expiry date among the materials used to validate the CRL, for example the
CSCA certificate used to verify its signature.
• Available for External Publishing displays whether the CRL is available for
publishing to DV Web Service clients.
False indicates that the CRL is not available to be published to clients.
True indicates that the CRL is available to be published to clients.
7 Assurance Level Test Results displays the number of assurance level tests
performed on the CRL, along with the results of each test that was performed.

You can hide or show the test results. You can hide the test results by clicking
Hide Test Results. You can show the test results by clicking Show Test Results.
8 Number of revoked certificates displays the number of revoked certificates in the
CRL, along with information about each certificate in the CRL.

You can hide or show the list of revoked certificates. You can hide the list by
clicking Hide Revoked Certificates. You can show the list by clicking Show
Revoked Certificates.
Each row contains information about a certificate in the CRL. Each row contains
the following columns:
• Serial Number displays the serial number of the revoked certificate in
decimal integer format. The SN column of the DS Certificates List shows serial
numbers in hexadecimal, so convert before comparing the two.
• Revocation Date displays the date and time the certificate was revoked.
• Revocation Reason displays the reason the certificate was revoked, if a
reason was given.
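The following Python script is an added example written for readers of this section; it is not Entrust code and does not show how the NPKD services are implemented. It reads, straight from DER, the CRL fields this page describes (issuer, Last Update, Next Update, and each revoked certificate's serial number, revocation date and reason), then checks a Document Signer certificate exported as <CC>_<SN>.crt (see "Exporting Document Signer certificates to files", where SN is hexadecimal) against the CRL's revoked serials, which are integers. A CRL whose Next Update has passed yields "stale" rather than a verdict, which is the same bound the Assurance Level Expiry Date places on a CRL-based check. The sample CRL bytes are constructed inline with a placeholder signature and a made-up CSCA name; the script does not verify signatures, so a real check must first obtain the CRL from a trusted source, such as the National PKD after its assurance tests. The two- or three-letter country-code pattern in the file-name regex is an assumption.

```python
import re
from datetime import datetime, timezone
# ---- DER decoding of an RFC 5280 CertificateList ---------------------------
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def der_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def name_to_string(name):
    """Flatten a Name (SEQUENCE OF SET OF AttributeTypeAndValue) to 'C=US, CN=...'."""
    oids = {b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x03": "CN"}
    parts = []
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, val) = list(children(atv))
            parts.append(f"{oids.get(oid, oid.hex())}={val.decode('utf-8')}")
    return ", ".join(parts)

def parse_crl(der):
    """Extract issuer, thisUpdate, nextUpdate and revoked entries. The signature is NOT verified."""
    _, cert_list, _ = read_tlv(der)
    fields = list(children(next(children(cert_list))[1]))    # tbsCertList
    if fields[0][0] == 0x02:                                  # optional version INTEGER (v2)
        fields.pop(0)
    _alg, (_, issuer), (t1, this_upd), (t2, next_upd) = fields[:4]
    crl = {"issuer": name_to_string(issuer), "this_update": der_time(t1, this_upd),
           "next_update": der_time(t2, next_upd), "revoked": {}}
    for tag, value in fields[4:]:
        if tag != 0x30:                                       # crlExtensions [0] are not needed here
            continue
        for _, entry in children(value):                      # revokedCertificates
            items = list(children(entry))
            serial = int.from_bytes(items[0][1], "big", signed=True)
            reason = None
            if len(items) > 2:                                # crlEntryExtensions
                for _, ext in children(items[2][1]):
                    ext_items = list(children(ext))
                    if ext_items[0][1] == b"\x55\x1d\x15":    # id-ce-cRLReasons: ENUMERATED inside OCTET STRING
                        reason = read_tlv(ext_items[-1][1])[1][0]
            crl["revoked"][serial] = (der_time(*items[1]), reason)
    return crl

REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise", 4: "superseded",
           5: "cessationOfOperation", 6: "certificateHold"}
EXPORT_NAME = re.compile(r"^([A-Z]{2,3})_([0-9A-Fa-f]+)\.crt$")   # assumed: 2- or 3-letter country code
def parse_export_name(filename):
    """'US_3ba67a1.crt' -> ('US', 0x3ba67a1): NPKD names exports <CC>_<SN>.crt with SN in hex."""
    m = EXPORT_NAME.match(filename)
    if not m:
        raise ValueError(f"not an NPKD Document Signer export name: {filename}")
    return m.group(1), int(m.group(2), 16)

def check_ds_against_crl(filename, crl, now):
    """Return (status, detail). A CRL past nextUpdate gives 'stale', never a false 'ok'."""
    _, serial = parse_export_name(filename)
    if now >= crl["next_update"]:
        return "stale", f"CRL nextUpdate {crl['next_update']:%Y-%m-%d} has passed; obtain a newer CRL"
    if serial in crl["revoked"]:
        date, reason = crl["revoked"][serial]
        return "revoked", f"0x{serial:x} revoked {date:%Y-%m-%d}, reason {REASONS.get(reason, 'n/a')}"
    return "ok", f"0x{serial:x} not listed by {crl['issuer']}; check valid until {crl['next_update']:%Y-%m-%d}"

# ---- Constructed sample CRL: test data with a placeholder signature, not a real CSCA's CRL ----
def tlv(tag, body):
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])) + body
def seq(*items): return tlv(0x30, b"".join(items))
def integer(n): return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))
def utc(*ymd): return tlv(0x17, datetime(*ymd).strftime("%y%m%d%H%M%SZ").encode())
def attr(oid, text): return tlv(0x31, seq(tlv(0x06, oid), tlv(0x13, text.encode())))
ECDSA_SHA256 = seq(tlv(0x06, bytes.fromhex("2a8648ce3d040302")))
KEY_COMPROMISE = seq(seq(tlv(0x06, b"\x55\x1d\x15"), tlv(0x04, tlv(0x0a, b"\x01"))))
SAMPLE_CRL = seq(
    seq(integer(1), ECDSA_SHA256,
        seq(attr(b"\x55\x04\x06", "US"), attr(b"\x55\x04\x03", "Test CSCA")),
        utc(2019, 4, 1), utc(2019, 7, 1),                     # thisUpdate, nextUpdate
        seq(seq(integer(0x3ba67a1), utc(2019, 3, 15), KEY_COMPROMISE),
            seq(integer(0x1c2f), utc(2019, 2, 2)))),
    ECDSA_SHA256,
    tlv(0x03, bytes(9)),                                      # BIT STRING placeholder, not a real signature
)
if __name__ == "__main__":
    crl = parse_crl(SAMPLE_CRL)
    for name in ("US_3ba67a1.crt", "US_1c2e.crt"):
        print(name, *check_ds_against_crl(name, crl, now=crl["this_update"]))
```

Run the file directly to print the verdict for two sample export names. In practice you would call `check_ds_against_crl` once for each .crt unpacked from dscerts.zip, with `now` taken from a trusted clock, after a proper X.509 library has verified the CRL signature against the CSCA certificate from the master list.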

Viewing the assurance level details of a CRL


Assurance levels specify the level of trust for CSCA materials (Document Signer
certificates, CRLs, and master lists). The NPKD Web Service can automatically publish
CSCA materials with a high enough assurance level to DV Web Service clients.
Assurance policies control the tests performed on CSCA materials to determine the
assurance level, and the minimum assurance level required to publish the materials to
clients. NPKD administrators can change assurance policies on a global level or on a
per-country level.
Using NPKD Administration, you can view the assurance policy test results for a CRL,
along with additional details about the CRL.

To view the assurance level details of a CRL in the National PKD


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click CRLs.
The CRLs List page appears.

The CRLs List displays a list of CRLs in the National PKD. For information about
this page, see “Listing CRLs in the National PKD” on page 625.
3 In the Assurance Level column, click the assurance level of the CRL you want to
view.
An Assurance Level Details page appears for the CRL.

4 CRL Overview displays a brief overview about the CRL.


• Country displays the name and country code of the originating country.
To view detailed information about the country, click the name of the
country. See “Viewing detailed information about a country in the National
PKD” on page 596 for information about viewing countries.
• CN displays the distinguished name (DN) of the CSCA that issued the CRL.
To view detailed information about the CRL, click the DN. See “Viewing
detailed information about a CRL” on page 627 for information about
viewing detailed information about a CRL.

• DN displays the distinguished name (DN) of the CRL in the National PKD.
5 CSCA Material Details displays information about the CRL in the National PKD.

• Source displays the source of the CRL.


The value Manual indicates that the CRL was manually imported into the
National PKD.
The value ICAO indicates that the CRL was downloaded from the ICAO
PKD.
The value Discovered indicates that the CRL was discovered and
downloaded by NPKD from a URL in a Document Signer certificate’s CDP
(CRL distribution point).
By default, the NPKD services can automatically discover and download
CRLs when importing Document Signer certificates and a URL is found in a
certificate’s CDP. You can disable automatic discovery of CRLs by editing the
NPKD settings (see “Configuring NPKD services settings” on page 710).
• Creation Date displays the date and time the CRL was added to the National
PKD or last updated in the National PKD.
• Submitter displays the DN of the user that added the CRL to the National
PKD.
A value of N/A indicates that the CRL was imported into the National PKD
by the PKD Reader or discovered from a Document Signer certificate.
• Assurance Level displays the assurance level of the CRL.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
• Assurance Level Expiry Date displays the date and time when the assurance
level is no longer valid. The assurance level expiry date is the earliest
expiry date among the materials used to validate the CRL, for example the
CSCA certificate used to verify its signature.

• Available for External Publishing displays whether the CRL is available for
publishing to DV Web Service clients.
False indicates that the CRL is not available to be published to clients.
True indicates that the CRL is available to be published to clients.
6 Assurance Level Test Results displays the number of assurance level tests
performed on the CRL, along with the results of each test that was performed.

Exporting CRLs to files


Using NPKD Administration, you can export one or more CRLs in the National PKD
to files. Typically you would export CRLs if you need to manually import them into
your Inspection System or DV Web Service client. You can export all CRLs or you can
export a specific CRL.
This topic contains the following procedures:
• “To export all CRLs to files” on page 634
• “To export a specific CRL to a file” on page 635

To export all CRLs to files


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click CRLs.
The CRLs List page appears.

3 Click Export All CRLs.
4 When prompted, save the CRLs to a location on your computer. The CRLs are
saved in a ZIP file. By default, the ZIP file name is crls.zip.

To export a specific CRL to a file


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click CRLs.
The CRLs List page appears.

3 From the CN column, click the distinguished name of the CSCA that issued the
CRL you want to export.
Detailed information about the CRL appears on a new page.
4 Click Export CRL.


5 When prompted, save the CRL to a location on your computer. The CRL is saved
as a .crl file. By default, the name of the file is <CC>.crl, where <CC> is the
country code of the originating country. For example, US.crl.

Removing CRLs from the National PKD
Using NPKD Administration, you can remove one or more CRLs from the National
PKD. Typically you would remove CRLs when you no longer want a specific country's
CRLs and other CSCA materials in the National PKD.

Note:
If automatic imports from PKD Reader are enabled (see “Configuring NPKD
services settings” on page 710), materials you remove from the National PKD
may be re-added by PKD Reader during a scheduled import operation. To
prevent PKD Reader from re-adding materials you remove from the National
PKD, you must disable automatic imports from PKD Reader. You can then
manually import materials from PKD Reader (see “Importing CSCA materials
from PKD Reader into the National PKD” on page 696). Manually importing
materials from PKD Reader allows you to review the materials in PKD Reader and
remove any unwanted materials before uploading them into the National PKD.

To remove CRLs from the National PKD


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click CRLs.
The CRLs List page appears.

3 To remove one or more CRLs from the CRLs List:
a To select all CRLs on the page, click Select All.
When you click Select All to select all CRLs, the button changes to Deselect
All. Click Deselect All, to deselect all the CRLs.
b To select specific CRLs, click the Select CRLs check box for each CRL.
Clicking a check box that is already selected will deselect the CRL.
c Click Remove CRLs.
A dialog box appears, asking you to confirm that you want to remove the
CRLs from the National PKD.
d Click OK to confirm the operation and remove the CRLs from the National
PKD.
The CRLs are removed from the National PKD and a success message
appears.
4 To view a specific CRL before removing it from the National PKD:
a From the CN column, click the distinguished name of the CSCA that signed
the CRL you want to remove.
Detailed information about the CRL appears on a new page.
b Review the CRL details and verify that it is the CRL you want to remove from
the National PKD.
c Click Remove CRL.
The CRL is removed from the National PKD and a success message appears.

Managing master lists in the National PKD
A master list is a signed list of the CSCA certificates that the publishing
country trusts. Countries use master lists to establish trust in the CSCAs of
other countries.
Using NPKD Administration, you can view master lists that are in the National PKD,
export master lists to files, remove master lists from the National PKD, and assign
CSCA certificates in master lists as trust anchors.
This section contains the following topics:
• “Listing master lists in the National PKD” on page 639
• “Viewing detailed information about a master list” on page 641
• “Viewing the assurance level details of a master list” on page 644
• “Exporting master lists to files” on page 647
• “Removing master lists from the National PKD” on page 649
• “Assigning CSCA certificates in a master list as trust anchors” on page 651

Listing master lists in the National PKD


Using NPKD Administration, you can display a list of master lists imported into the
National PKD.

To list master lists in the National PKD


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Master Lists.
The Master Lists List page appears.

The Master Lists List displays a list of master lists in the National PKD. The grid
contains information about the master lists.
3 Each row in the grid contains information about a master list. Each row contains
the following columns:
• Country Code displays the country code of the originating country.
• Country Name displays the name of the originating country.
To view detailed information about the country, click the name of the
country. See “Viewing detailed information about a country in the National
PKD” on page 596 for information about viewing countries.
• CN displays the distinguished name (DN) of the CSCA that signed the master
list. This DN forms part of the common name (CN) of the master list in the
National PKD.
Click the DN to view more detailed information about that master list. See
“Viewing detailed information about a master list” on page 641 for more
information about viewing detailed information about a master list.
• DN displays the distinguished name (DN) of the master list in the National
PKD.
• Status displays the status of the master list.
The value OK indicates that all attribute signatures are valid and the entry in
the directory is not corrupt.
The value ERROR indicates either the entry in the directory is corrupt or the
NPKD services cannot verify the signature on the attributes. An error string
explaining the reason for the error will be displayed.
• Assurance Level displays the assurance level of the master list.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
Click the assurance level for a master list to view the results of all assurance
level tests performed on the master list, along with some additional master
list information.
• Publish displays whether the master list is available for publishing to DV Web
Service clients.
False indicates that the master list is not available to be published to clients.
True indicates that the master list is available to be published to clients.
• CSCA Certificates displays the number of CSCA certificates in the master list.
• Actions displays a list of available actions you can perform on the master list.
To export the master list to a file, click Export Master List. See “Exporting
master lists to files” on page 647 for more information about exporting
master lists.

• Select Master Lists provides a check box for selecting the master list. You can
perform actions on all selected master lists.

Viewing detailed information about a master list


Using NPKD Administration, you can view detailed information about a specific
master list in the National PKD.

To view detailed information about a master list in the National PKD


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Master Lists.
The Master Lists List page appears.

The Master Lists List displays a list of master lists in the National PKD. For
information about this page, see “Listing master lists in the National PKD” on
page 639.
3 In the CN column, click the distinguished name of the master list you want to
view.
Detailed information about the master list appears on a new page.
4 Master List Overview displays a brief overview about the master list.

• Country displays the name and country code of the originating country.

To view detailed information about the country, click the name of the
country. See “Viewing detailed information about a country in the National
PKD” on page 596 for information about viewing countries.
• DN displays the distinguished name (DN) of the CSCA that signed the master
list.
5 Master List Details displays more detailed information about the master list.

• Signer DN displays the distinguished name (DN) of the CSCA that signed the
master list.
• Signing Time displays the date and time that the CSCA signed the master list.
6 CSCA Material Details displays information about the master list in the National
PKD.

• Source displays the source of the master list.


The value Manual indicates that the master list was manually imported into
the National PKD.
The value ICAO indicates that the master list was downloaded from the
ICAO PKD.
• Creation Date displays the date and time the master list was added to the
National PKD or last updated in the National PKD.
• Submitter displays the DN of the user that added the master list to the
National PKD.
A value of N/A indicates that the master list was imported into the National
PKD by the PKD Reader.
• Assurance Level displays the assurance level of the master list.

The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
• Assurance Level Expiry Date displays the date and time when the assurance
level is no longer valid. The assurance level expiry date is the earliest
expiry date among the materials used to validate the master list, for example
the CSCA certificate used to verify the master list signature.
• Available for External Publishing displays whether the master list is available
for publishing to DV Web Service clients.
False indicates that the master list is not available to be published to clients.
True indicates that the master list is available to be published to clients.
7 Assurance Level Test Results displays the number of assurance level tests
performed on the master list, along with the results of each test that was
performed.

You can hide or show the test results. You can hide the test results by clicking
Hide Test Results. You can show the test results by clicking Show Test Results.

8 Number of CSCA certificates displays the number of CSCA certificates in the
master list, along with information about each CSCA certificate in the master list.

You can hide or show the list of CSCA certificates. You can hide the list by clicking
Hide CSCA Certificates. You can show the list by clicking Show CSCA
Certificates.
Each row contains information about a CSCA certificate in the master list. Each
row contains the following columns:
• Country Code displays the country code of the originating country.
• Country Name displays the name of the originating country.
• Serial Number displays the serial number of the CSCA certificate in integer
format.
• Not Valid Before displays the issue date of the CSCA certificate.
• Not Valid After displays the expiry date of the CSCA certificate.

Viewing the assurance level details of a master list


Assurance levels specify the level of trust for CSCA materials (Document Signer
certificates, CRLs, and master lists). The NPKD Web Service can automatically publish
CSCA materials with a high enough assurance level to DV Web Service clients.
Assurance policies control the tests performed on CSCA materials to determine the
assurance level, and the minimum assurance level required to publish the materials to
clients. NPKD administrators can change assurance policies on a global level or on a
per-country level.
Using NPKD Administration, you can view the assurance policy test results for a
master list, along with additional details about the master list.

To view the assurance level details of a master list in the National PKD
1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).

2 Click Master Lists.
The Master Lists List page appears.

The Master Lists List displays a list of master lists in the National PKD. For
information about this page, see “Listing master lists in the National PKD” on
page 639.
3 In the Assurance Level column, click the assurance level of the master list you
want to view.
An Assurance Level Details page appears for the master list.

4 Master List Overview displays a brief overview about the master list.
• Country displays the name and country code of the originating country.
To view detailed information about the country, click the name of the
country. See “Viewing detailed information about a country in the National
PKD” on page 596 for information about viewing countries.
• DN displays the distinguished name (DN) of the CSCA that signed the master
list.
To view detailed information about the master list, click the DN. See
“Viewing detailed information about a master list” on page 641 for
information about viewing detailed information about a master list.

5 CSCA Material Details displays information about the master list in the National
PKD.

• Source displays the source of the master list.


The value Manual indicates that the master list was manually imported into
the National PKD.
The value ICAO indicates that the master list was downloaded from the
ICAO PKD.
• Creation Date displays the date and time the master list was added to the
National PKD or last updated in the National PKD.
• Submitter displays the DN of the user that added the master list to the
National PKD.
A value of N/A indicates that the master list was imported into the National
PKD by the PKD Reader.
• Assurance Level displays the assurance level of the master list.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
• Assurance Level Expiry Date displays the date and time when the assurance
level is no longer valid. The assurance level expiry date is calculated using the
shortest expiration date of the material used to validate the material, such as
a CRL.
• Available for External Publishing displays whether the master list is available
for publishing to DV Web Service clients.
False indicates that the master list is not available to be published to clients.
True indicates that the master list is available to be published to clients.

6 Assurance Level Test Results displays the number of assurance level tests
performed on the master list, along with the results of each test that was
performed.

Exporting master lists to files


Using NPKD Administration, you can export one or more master lists in the National
PKD to files. Typically you would export master lists if you need to manually import
them into your Inspection System or DV Web Service client. You can export all master
lists or you can export a specific master list.
This topic contains the following procedures:
• “To export all master lists to files” on page 647
• “To export a specific master list to a file” on page 648

To export all master lists to files


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Master Lists.
The Master Lists List page appears.

3 Click Export All Master Lists.
4 When prompted, save the master lists to a location on your computer. The master
lists are saved in a ZIP file. By default, the ZIP file name is masterlists.zip.

To export a specific master list to a file


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Master Lists.
The Master Lists List page appears.

3 From the CN column, click the distinguished name of the CSCA that signed the
master list you want to export.

Detailed information about the master list appears on a new page. For example:

4 Click Export Master List.


5 When prompted, save the master list to a location on your computer. The
master list is saved as a .der file. By default, the name of the file is
<CC>_MasterList.der, where <CC> is the country code of the originating
country. For example, US_MasterList.der.

Removing master lists from the National PKD


Using NPKD Administration, you can remove one or more master lists from the
National PKD. Typically you would remove master lists if you no longer want any
master lists and other CSCA materials from a specific country in the National PKD.

Note:
If automatic imports from PKD Reader are enabled (see “Configuring NPKD
services settings” on page 710), materials you remove from the National PKD
may be re-added by PKD Reader during a scheduled import operation. To
prevent PKD Reader from re-adding materials you remove from the National
PKD, you must disable automatic imports from PKD Reader. You can then
manually import materials from PKD Reader (see “Importing CSCA materials
from PKD Reader into the National PKD” on page 696). Manually importing
materials from PKD Reader allows you to review the materials in PKD Reader and
remove any unwanted materials before uploading them into the National PKD.

To remove master lists from the National PKD


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Master Lists.
The Master Lists List page appears.

3 To remove one or more master lists from the Master Lists List:
a To select all master lists on the page, click Select All.
When you click Select All to select all master lists, the button changes to
Deselect All. Click Deselect All to deselect all the master lists.
b To select specific master lists, click the Select Master Lists check box for each
master list.
Clicking a check box that is already selected will deselect the master list.
c Click Remove Master Lists.
A dialog box appears, asking you to confirm that you want to remove the
master lists from the National PKD.
d Click OK to confirm the operation and remove the master lists from the
National PKD.
The master lists are removed from the National PKD and a success message
appears.
4 To view a specific master list before removing it from the National PKD:
a From the CN column, click the distinguished name of the CSCA that signed
the master list you want to remove.
Detailed information about the master list appears on a new page. For
example:

b Review the master list details and verify that it is the master list you want to
remove from the National PKD.
c Click Remove Master List.
The master list is removed from the National PKD and a success message
appears.

Assigning CSCA certificates in a master list as trust anchors


In the National PKD, trust anchors are CSCA (Country Signing Certification Authority)
certificates. The NPKD services use CSCA certificates to validate the other materials
in the National PKD: CRLs, Document Signer certificates, and master lists.
Using NPKD Administration, you can assign CSCA certificates that are found in
master lists as trust anchors in the National PKD.
When assigning CSCA certificates from a master list as trust anchors, you can see
which CSCA certificates in the master list are already trust anchors in the National
PKD. You can then add other CSCA certificates in the master list as trust anchors, or
even remove trust anchors from the National PKD.

To assign CSCA certificates in a master list as trust anchors


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Master Lists.
The Master Lists List page appears.

3 From the CN column, click the distinguished name of the CSCA that signed the
master list you want to assign as a trust anchor.
Detailed information about the master list appears on a new page. For example:

4 Click Assign Trust Anchors.


The Master List Assign Trust Anchors page appears.
5 Scroll down to the list of CSCA certificates in the master list. For example:

Each row contains information about a CSCA certificate in the master list. Each
row contains the following columns:
• Country Code displays the country code of the originating country.
• Country Name displays the name of the originating country.
• Issuer DN displays the distinguished name (DN) of the CSCA.
• Serial Number displays the serial number of the CSCA certificate in integer
format.
• Not Valid Before displays the issue date of the CSCA certificate.
• Not Valid After displays the expiry date of the CSCA certificate.
• Assurance Level displays the assurance level of the CSCA certificate.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
• Trust Anchor provides a check box for selecting the CSCA certificate.
Selecting a CSCA certificate allows you to add it as a trust anchor in the
National PKD. CSCA certificates that are already trust anchors in the National
PKD are pre-selected.
Deselecting a CSCA certificate will remove it from the National PKD if it
already exists; it will no longer be a trust anchor for validating other CSCA
materials.
6 All selected CSCA certificates will be added as trust anchors in the National PKD.
All deselected CSCA certificates will be removed as trust anchors from the
National PKD.
a To select all CSCA certificates in the list, click Select All.
When you click Select All to select all CSCA certificates, the button changes
to Deselect All.
b To deselect all CSCA certificates in the list, click Deselect All.
When you click Deselect All to deselect all CSCA certificates, the button
changes to Select All.
c To add specific CSCA certificates as trust anchors, select the Trust Anchor
check box for each CSCA certificate you want to add as a trust anchor.
d To remove specific CSCA certificates as trust anchors, deselect the Trust
Anchor check box for each CSCA certificate you want to remove as a trust
anchor.
7 Click Assign Trust Anchors.
All selected CSCA certificates that do not already exist in the National PKD as
trust anchors are uploaded into the National PKD as trust anchors.
All deselected CSCA certificates that exist in the National PKD as trust anchors
are removed from the National PKD.

If CSCA certificates were imported as trust anchors, NPKD Administration displays a
message stating how many CSCA certificates were imported. If errors occurred—for
example, some selected CSCA certificates failed to be imported into the National
PKD—the message will also state how many errors occurred and what caused the
error.
If CSCA certificates were removed from the National PKD, NPKD Administration
displays a message stating how many CSCA certificates were removed. If errors
occurred—for example, some deselected CSCA certificates failed to be removed from
the National PKD—the message will also state how many errors occurred and what
caused the error.

Managing trust anchors in the National PKD
In the National PKD, trust anchors are CSCA (Country Signing Certification Authority)
certificates. The NPKD services use CSCA certificates to validate the other materials
in the National PKD: CRLs, Document Signer certificates, and master lists.
Using NPKD Administration, you can view CSCA certificates that were imported into
the National PKD, export CSCA certificates to files, or remove CSCA certificates from
the National PKD.
For information about importing CSCA certificates into the National PKD, see
“Importing CSCA materials into the National PKD from files” on page 668.
For information about adding CSCA certificates found in master lists as trust anchors
into the National PKD, see “Assigning CSCA certificates in a master list as trust
anchors” on page 651.
This section contains the following topics:
• “Listing trust anchors in the National PKD” on page 655
• “Viewing detailed information about a trust anchor” on page 657
• “Viewing the assurance level details of a trust anchor” on page 660
• “Exporting trust anchors to files” on page 663
• “Removing trust anchors from the National PKD” on page 666

Listing trust anchors in the National PKD


Using NPKD Administration, you can display a list of trust anchors (CSCA certificates)
imported into the National PKD.

To list CSCA certificates in the National PKD


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Trust Anchors.
The Trusted Anchors List page appears.

The Trusted Anchors List displays a list of CSCA certificates in the National PKD.
The grid contains information about the CSCA certificates.
3 Each row in the grid contains information about a CSCA certificate. Each row
contains the following columns:
• Issuer DN displays the distinguished name (DN) of the CSCA certificate.
• Country Code displays the country code of the originating country.
• Country displays the name of the originating country.
• Serial Number displays the serial number of the certificate in hexadecimal
format.
Click the serial number of the certificate to view more detailed information
about that CSCA certificate. See “Viewing detailed information about a trust
anchor” on page 657 for more information about viewing detailed
information about a CSCA certificate.
• Not Valid Before displays the issue date of the certificate.
• Not Valid After displays the expiry date of the certificate.
• Status displays the status of the CSCA certificate.
The value OK indicates that all attribute signatures are valid and the entry in
the directory is not corrupt.
The value ERROR indicates either the entry in the directory is corrupt or the
NPKD services cannot verify the signature on the attributes. An error string
explaining the reason for the error will be displayed.
• Assurance Level displays the assurance level of the certificate.

The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
Click the assurance level for a CSCA certificate to view the results of all
assurance level tests performed on the CSCA certificate, along with some
additional CSCA certificate information.
• Actions displays a list of available actions you can perform on the certificate.
To export the CSCA certificate to a file, click Export Certificate. See
“Exporting trust anchors to files” on page 663 for more information about
exporting CSCA certificates.
• Select Certificates provides a check box for selecting the CSCA certificate.
You can perform actions on all selected CSCA certificates.

Viewing detailed information about a trust anchor


Using NPKD Administration, you can view detailed information about a specific trust
anchor (CSCA certificate) imported into the National PKD.

To view detailed information about a CSCA certificate in the National PKD


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Trust Anchors.
The Trusted Anchors List page appears.

The Trusted Anchors List displays a list of CSCA certificates in the National PKD.
For information about this page, see “Listing trust anchors in the National PKD”
on page 655.

3 In the Serial Number column, click the serial number of the CSCA certificate you
want to view.
The CSCA Certificate page appears.
4 Certificate Overview displays a brief overview about the CSCA certificate.

• SN displays the serial number of the certificate in hexadecimal format.


• DN displays the distinguished name (DN) of the CSCA certificate in the
National PKD.
• CN displays the distinguished name (DN) of the CSCA certificate. This DN
forms part of the common name (CN) of the certificate in the National PKD.
5 Certificate Details displays more detailed information about the CSCA certificate.

• Issuer DN displays the distinguished name (DN) of the entity that issued the
CSCA certificate. (CSCA certificates are self-signed root certificates. The
Issuer DN and subject DN of CSCA certificates should be the same.)
• Subject DN displays the distinguished name (DN) of the CSCA certificate.
• Serial Number displays the serial number of the certificate in integer format.
• Not Valid Before displays the issue date of the certificate.
• Not Valid After displays the expiry date of the certificate.

6 CSCA Material Details displays information about the CSCA certificate in the
National PKD.

• Source displays the source of the CSCA certificate.


The value Manual indicates that the CSCA certificate was manually imported
into the National PKD.
• Creation Date displays the date and time the CSCA certificate was added to
the National PKD or last updated in the National PKD.
• Submitter displays the DN of the user that added the CSCA certificate to the
National PKD.
• Assurance Level displays the assurance level of the CSCA certificate.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
• Assurance Level Expiry Date displays the date and time when the assurance
level is no longer valid. The assurance level expiry date is calculated using the
shortest expiration date of the material used to validate the material, such as
a CRL.
• Available for External Publishing displays whether the CSCA certificate is
available for publishing to DV Web Service clients.
False indicates that the CSCA certificate is not available to be published to
clients.
True indicates that the certificate is available to be published to clients.

7 Assurance Level Test Results displays the number of assurance level tests
performed on the CSCA certificate, along with the results of each test that was
performed.

You can hide or show the test results. You can hide the test results by clicking
Hide Test Results. You can show the test results by clicking Show Test Results.

Viewing the assurance level details of a trust anchor


Assurance levels specify the level of trust for CSCA materials (Document Signer
certificates, CRLs, and master lists). The NPKD Web Service can automatically publish
CSCA materials with a high enough assurance level to DV Web Service clients.
Assurance policies control the tests performed on CSCA materials to determine the
assurance level, and the minimum assurance level required to publish the materials to
clients. NPKD administrators can change assurance policies on a global level or on a
per-country level.
Using NPKD Administration, you can view the assurance policy test results for a trust
anchor (CSCA certificate), along with additional details about the CSCA certificate.

To view the assurance level information about a CSCA certificate in the National PKD


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Trust Anchors.
The Trusted Anchors List page appears.

The Trusted Anchors List displays a list of CSCA certificates in the National PKD.
For information about this page, see “Listing trust anchors in the National PKD”
on page 655.
3 In the Assurance Level column, click the assurance level of the CSCA certificate
you want to view.
An Assurance Level Details page appears for the CSCA certificate.

4 Certificate Overview displays a brief overview about the CSCA certificate.


• SN displays the serial number of the certificate in hexadecimal format.
To view detailed information about the CSCA certificate, click the serial
number. See “Viewing detailed information about a trust anchor” on
page 657 for information about viewing detailed information about a CSCA
certificate.

• DN displays the distinguished name (DN) of the CSCA certificate in the
National PKD.
• CN displays the distinguished name (DN) of the CSCA certificate. This DN
forms part of the common name (CN) of the certificate in the National PKD.
5 CSCA Material Details displays information about the CSCA certificate in the
National PKD.

• Source displays the source of the CSCA certificate.


The value Manual indicates that the CSCA certificate was manually imported
into the National PKD.
• Creation Date displays the date and time the CSCA certificate was added to
the National PKD or last updated in the National PKD.
• Submitter displays the DN of the user that added the CSCA certificate to the
National PKD.
• Assurance Level displays the assurance level of the CSCA certificate.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
• Assurance Level Expiry Date displays the date and time when the assurance
level is no longer valid. The assurance level expiry date is calculated using the
shortest expiration date of the material used to validate the material, such as
a CRL.
• Available for External Publishing displays whether the CSCA certificate is
available for publishing to DV Web Service clients.
False indicates that the CSCA certificate is not available to be published to
clients.
True indicates that the certificate is available to be published to clients.

6 Assurance Level Test Results displays the number of assurance level tests
performed on the CSCA certificate, along with the results of each test that was
performed.

Exporting trust anchors to files


Using NPKD Administration, you can export one or more trust anchors (CSCA
certificates) in the National PKD to files. Typically you would export CSCA certificates
if you need to manually import them into your Inspection System or DV Web Service
client. You can export all CSCA certificates or you can export a specific CSCA
certificate.
This topic contains the following procedures:
• “To export all CSCA certificates to files” on page 663
• “To export a specific CSCA certificate to a file” on page 664

To export all CSCA certificates to files


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Trust Anchors.
The Trusted Anchors List page appears.

3 Click Export All Trusted Certificates.
4 When prompted, save the CSCA certificates to a location on your computer. The
certificates are saved in a ZIP file. By default, the ZIP file name is
trustedcerts.zip.

To export a specific CSCA certificate to a file


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Trust Anchors.
The Trusted Anchors List page appears.

3 From the Serial Number column, click the serial number of the CSCA certificate
you want to export.
The CSCA Certificate page appears. For example:

4 Click Export CSCA Certificate.


5 When prompted, save the CSCA certificate to a location on your computer. The
certificate is saved as a .cer file. By default, the name of the file is the
integer-encoded serial number of the CSCA certificate. For example, 387332.cer
(not 5e904.cer).

Removing trust anchors from the National PKD
Using NPKD Administration, you can remove one or more trust anchors (CSCA
certificates) from the National PKD. Typically you would remove CSCA certificates if
you no longer want them used as trust anchors for validating Document Signer
certificates, CRLs, or master lists.

To remove CSCA certificates from the National PKD


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Trust Anchors.
The Trusted Anchors List page appears.

3 To remove one or more CSCA certificates from the Trusted Anchors List:
a To select all CSCA certificates on the page, click Select All.
When you click Select All to select all CSCA certificates, the button changes
to Deselect All. Click Deselect All to deselect all the CSCA certificates.
b To select specific CSCA certificates, click the Select Certificates check box for
each CSCA certificate.
Clicking a check box that is already selected will deselect the CSCA
certificate.
c Click Remove Trusted Certificates.
A dialog box appears, asking you to confirm that you want to remove the
CSCA certificates from the National PKD.
d Click OK to confirm the operation and remove the CSCA certificates from the
National PKD.

The CSCA certificates are removed from the National PKD and a success
message appears.
4 To view a specific CSCA certificate before removing it from the National PKD:
a From the Serial Number column, click the serial number of the CSCA
certificate you want to remove.
The CSCA Certificate page appears. For example:

b Review the CSCA certificate details and verify that it is the CSCA certificate
you want to remove from the National PKD.
c Click Remove CSCA Certificate.
The CSCA certificate is removed from the National PKD and a success
message appears.

Importing CSCA materials into the National PKD from files
The National PKD stores data taken from the ICAO PKD—CSCA certificates, master
lists, Document Signer certificates, and CRLs—along with validation test results and
metadata.
If you configured a connection to PKD Reader, you can import CSCA materials from
PKD Reader into the National PKD (see “Importing CSCA materials from PKD Reader
into the National PKD” on page 696).
If you do not have a PKD Reader connection, you must manually import the CSCA
materials into the National PKD from files. You can use NPKD Administration to
import CSCA materials into the National PKD. You can import CSCA materials from
a single file, or from multiple files.
This section contains the following topics:
• “Importing a single CSCA material from a file” on page 668
• “Importing CSCA materials from an LDIF file” on page 676
• “Importing multiple Document Signer certificates from files” on page 681
• “Importing multiple CSCA certificates from files” on page 684
• “Importing multiple CRLs from files” on page 687
• “Importing multiple master lists from files” on page 690

Importing a single CSCA material from a file


You can import a single CSCA certificate, Document Signer certificate, CRL, or master
list from a file into the National PKD. When importing the file, the NPKD services will
attempt to determine the type of material being imported and perform validation
tests on the material.
If the NPKD services determine that the material being imported is not a CSCA
certificate, Document Signer certificate, CRL, or master list, NPKD Administration will
display an error message.
If the NPKD services determine that the type of material being imported is a CSCA
certificate, Document Signer certificate, CRL, or master list, NPKD Administration will
display a preview page. The preview page allows you to inspect the contents of the
material before uploading it into the National PKD.

To import a CSCA material from a single file


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Import.

3 Under Import a single file, click Single File.

4 Click Browse to locate and select the CSCA material file.


5 Click Submit. NPKD will attempt to determine if the file is a CRL, CSCA
certificate, Document Signer certificate, or master list.
6 If NPKD determines that the file is not a CRL, CSCA certificate, Document
Signer certificate, or master list, NPKD Administration displays an error.

7 If NPKD recognizes the file as a CSCA root or link certificate, the CSCA Certificate
Preview page appears. For example:

a Review the information provided to determine that you want to import the
CSCA certificate into the National PKD:
– Issuer DN displays the distinguished name (DN) of the CSCA certificate.
– Serial Number displays the serial number of the certificate.
– Not Valid Before displays the issue date of the certificate.
– Not Valid After displays the expiry date of the certificate.
– Assurance Level displays the assurance level of the certificate.
The assurance level, from highest to lowest, can be one of: High
Assurance, Minor Defect, or Low Assurance.

– Assurance Level Test Results displays the number of assurance level tests
performed on the certificate, along with the results of each test that was
performed.
You can hide or show the test results. You can hide the test results by
clicking Hide Test Results. You can show the test results by clicking Show
Test Results.
b To import the CSCA certificate into the National PKD, click Submit.
8 If NPKD recognizes the file as a CRL, the CRL Preview page appears. For
example:

a Review the information provided to determine that you want to import the
CRL into the National PKD:
– Country displays the country code and name of the originating country.
– Issuer DN displays the distinguished name (DN) of the CSCA that issued
the certificate.
– Last Update displays the date and time the CRL was last updated.
– Next Update displays the date and time the CRL is scheduled to be
updated.
– Assurance Level displays the assurance level of the CRL.
The assurance level, from highest to lowest, can be one of: High
Assurance, Minor Defect, or Low Assurance.
– Number of revoked certificates displays the number of revoked certificates
in the CRL, along with a list of the revoked certificates in the CRL.
The list of revoked certificates includes the following information about
each revoked certificate: the serial number of the certificate, the date the
certificate was revoked, and the reason for the revocation.
You can hide or show the list of revoked certificates. You can hide the list
of revoked certificates by clicking Hide revoked certificates. You can show
the list of revoked certificates by clicking Show revoked certificates.
– Assurance Level Test Results displays the number of assurance level tests
performed on the CRL, along with the results of each test that was
performed.
You can hide or show the test results. You can hide the test results by
clicking Hide Test Results. You can show the test results by clicking Show
Test Results.
b To import the CRL into the National PKD, click Submit.

9 If NPKD recognizes the file as a Document Signer certificate, the DS Certificate
Preview page appears. For example:

a Review the information provided to determine that you want to import the
Document Signer certificate into the National PKD:

– Country displays the country code and name of the originating country.
– Serial Number displays the serial number of the certificate.
– Issuer DN displays the distinguished name (DN) of the CSCA that issued
the certificate.
– Subject DN displays the distinguished name (DN) of the Document Signer
certificate.
– Not Valid Before displays the issue date of the certificate.
– Not Valid After displays the expiry date of the certificate.
– Assurance Level displays the assurance level of the certificate.
The assurance level, from highest to lowest, can be one of: High
Assurance, Minor Defect, or Low Assurance.
– Assurance Level Test Results displays the number of assurance level tests
performed on the certificate, along with the results of each test that was
performed.
You can hide or show the test results. You can hide the test results by
clicking Hide Test Results. You can show the test results by clicking Show
Test Results.
b To import the Document Signer certificate into the National PKD, click
Submit.

10 If NPKD recognizes the file as a master list, the Master List Preview page appears.
For example:

a Review the information provided to determine that you want to import the
master list into the National PKD:
– Country displays the country code and name of the originating country.
– Signer DN displays the distinguished name (DN) of the CSCA that signed
the master list.
– Signing Time displays the date and time the master list was signed.
– Assurance Level displays the assurance level of the master list.
The assurance level, from highest to lowest, can be one of: High
Assurance, Minor Defect, or Low Assurance.
– Number of CSCA certificates displays the number of CSCA certificates in
the master list, along with a list of the CSCA certificates in the master list.
The list of CSCA certificates includes the following information about each
CSCA certificate: the DN of the certificate, the serial number of the
certificate, the date the certificate was issued, and the date the certificate
will expire.
You can hide or show the list of CSCA certificates. You can hide the list of
CSCA certificates by clicking Hide CSCA Certificates. You can show the list
of CSCA certificates by clicking Show CSCA Certificates.
– Assurance Level Test Results displays the number of assurance level tests
performed on the certificate, along with the results of each test that was
performed.
You can hide or show the test results. You can hide the test results by
clicking Hide Test Results. You can show the test results by clicking Show
Test Results.
b To import the master list into the National PKD, click Submit.

Importing CSCA materials from an LDIF file


You can import one or more CSCA certificates, master lists, Document Signer
certificates, or CRLs into the National PKD from an LDIF (LDAP Data Interchange
Format) file. LDIF files can be created manually, or exported from another directory
such as the ICAO PKD.
When importing the file, you have the option to preview the materials before
uploading them into the National PKD. Previewing the materials allows you to display
information about all materials to import. The preview allows you to inspect the
contents and optionally remove some of the materials before importing them into the
National PKD.
You also have the option to run the import operation as a background thread. Using
a background import thread is recommended for large import operations. Typically,
there is one CRL and one master list per country, but there could be a very large
number of Document Signer certificates.

To import CSCA materials from an LDIF file
1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Import.
3 Under Import a single file, click LDIF File.

4 To preview the materials before importing them into the National PKD, select
Preview materials before uploading.
Previewing the materials allows you to display information about all materials to
import. The preview allows you to inspect the contents and optionally remove
some of the materials before importing them into the National PKD.
5 To import the materials using a background import thread, click Import in
background.
Using a background import thread is recommended for large import operations.
Typically, there is one CRL and one master list per country, but there could be a
very large number of Document Signer certificates. The PKD Status tab can
display information about how many materials PKD Reader has downloaded
from the ICAO PKD (see “Viewing the status of PKD Reader” on page 693).
6 Click Browse to locate and select the LDIF file.
7 Click Submit.

8 If you chose to preview the materials, the CSCA Materials from LDIF Preview
page appears.
a If the LDIF file included Document Signer certificates, a DS Certificate List
grid contains a list of Document Signer certificates in PKD Reader that you
can import into the National PKD.

Each row in the grid contains information about a Document Signer
certificate. Each row contains the following columns:
– Country Code displays the country code of the originating country.
– Country displays the name of the originating country.
– Serial Number displays the serial number of the certificate.
– Issuer DN displays the distinguished name (DN) of the CSCA that issued
the certificate.
– Subject DN displays the distinguished name (DN) of the Document Signer
certificate.
– Not Valid Before displays the issue date of the certificate.
– Not Valid After displays the expiry date of the certificate.
– Assurance Level displays the assurance level of the certificate.
The assurance level, from highest to lowest, can be one of: High
Assurance, Minor Defect, or Low Assurance.
To view the results of all assurance level tests performed, click the arrow
next to the country code.
– Actions displays a list of available actions you can perform on the
certificate.
To remove the Document Signer certificate from the list, click Remove
Certificate. The certificate will not be imported into the National PKD.

b If the LDIF file included CRLs, a CRLs List grid contains a list of CRLs in PKD
Reader that you can import into the National PKD.

Each row in the grid contains information about a CRL. Each row contains
the following columns:
– Country Code displays the country code of the originating country.
– Country displays the name of the originating country.
– Issuer DN displays the distinguished name (DN) of the CSCA that issued
the CRL.
– Last Update displays the date and time the CRL was last updated.
– Next Update displays the date and time the CRL is scheduled to be
updated.
– Source displays the source of the CRL.
The value Manual indicates that the CRL was manually imported by an
NPKD administrator.
The value ICAO indicates that the CRL was downloaded from the ICAO
PKD.
The value Discovered indicates that NPKD discovered and downloaded the CRL
from a URL in a Document Signer certificate’s CDP (CRL distribution point)
extension. Discovered is the lowest-ranked source of CSCA materials.
By default, the NPKD services automatically discover and download CRLs when
importing Document Signer certificates if a URL is found in a certificate’s
CDP. You can disable automatic discovery of CRLs by editing the NPKD settings
(see “Configuring NPKD services settings” on page 710).
– Assurance Level displays the assurance level of the CRL.
The assurance level, from highest to lowest, can be one of: High
Assurance, Minor Defect, or Low Assurance.
To view the results of all assurance level tests performed, click the arrow
next to the country code.
– Revoked displays the number of revoked certificates in the CRL.

– Actions displays a list of available actions you can perform on the CRL.
To remove the CRL from the list, click Remove CRL. The CRL will not be
imported into the National PKD.
c If the LDIF file included master lists, a Master Lists List grid contains a list of
master lists in PKD Reader that you can import into the National PKD.

Each row in the grid contains information about a master list. Each row
contains the following columns:
– Country Code displays the country code of the originating country.
– Country displays the name of the originating country.
– Signer DN displays the distinguished name (DN) of the CSCA that signed
the master list.
– Signing Time displays the date and time the master list was signed.
– Assurance Level displays the assurance level of the master list.
The assurance level, from highest to lowest, can be one of: High
Assurance, Minor Defect, or Low Assurance.
To view the results of all assurance level tests performed, click the arrow
next to the country code.
– CSCA Certificates displays the number of CSCA certificates in the master
list.
– Actions displays a list of available actions you can perform on the master
list.
To remove the master list from the list, click Remove Master List. The
master list will not be imported into the National PKD.
d To import the materials, click Import CSCA Materials.
9 The import process can take up to several minutes to complete.
• If you chose to import the materials using a background thread, the page will
display the following message:

The import thread has started. This may take several minutes to
complete. Check the Dashboard to verify the import has
completed.
The Dashboard provides information about current and past LDIF imports.
See “Monitoring the National PKD using the dashboard” on page 588 for
details.
• If you are not using a background thread to import the materials, wait until
the import operation finishes. The page will display a success message if the
import was successful, or an error message if the import failed.
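The LDIF import above works on the same kind of file that PKD Reader or the ICAO PKD exports. The following added example, which is not part of this guide and not Entrust code, shows what that file looks like on the wire and how its entries are sorted into the three kinds of CSCA material before a preview: it parses LDIF (RFC 2849) with base64 `::` values and folded continuation lines, groups the payloads, and applies the preview page’s “Remove” action. The attribute names (`userCertificate;binary`, `certificateRevocationList;binary`, `pkdMasterListContent`) and the DN layout of the sample are assumptions about how an ICAO PKD download is labelled, the payloads are placeholders rather than real DER objects, and none of the assurance-level validation NPKD performs is reproduced here.

```python
"""Sort the entries of an LDIF export into the CSCA materials the National PKD
imports: Document Signer certificates, CRLs and master lists.

Added example, not Entrust code. The attribute names and the DN layout of the
sample are assumptions about how an ICAO PKD download is labelled; check them
against your own export before relying on them.
"""
import base64
import hashlib

# Assumed payload attributes (the guide does not name them).
MATERIAL_ATTRIBUTES = {
    "userCertificate;binary": "ds_certificate",
    "certificateRevocationList;binary": "crl",
    "pkdMasterListContent": "master_list",
}


def parse_ldif(text):
    """Return a list of (dn, {attribute: [values]}) records (RFC 2849).

    Handles what matters for PKD exports: '#' comments, the 'version:' line,
    'attr:: <base64>' binary values and continuation lines (a leading space
    folds the line onto the previous one). Binary values come back as bytes.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation line: join to previous
        else:
            unfolded.append(raw)

    records, current = [], None
    for line in unfolded + [""]:             # trailing "" flushes the last record
        if line == "":
            if current is not None:
                records.append(current)
                current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        if attr == "dn":
            current = (value, {})
        elif current is None:
            if attr != "version":
                raise ValueError("attribute before dn: %r" % line)
        else:
            current[1].setdefault(attr, []).append(value)
    return records


def classify_materials(records):
    """Group payloads by kind. Each item keeps the entry DN and a SHA-256 of
    the DER bytes so identical materials can be recognised across imports."""
    grouped = {kind: [] for kind in MATERIAL_ATTRIBUTES.values()}
    for dn, attrs in records:
        for attr, kind in MATERIAL_ATTRIBUTES.items():
            for payload in attrs.get(attr, []):
                grouped[kind].append({"dn": dn, "der": payload,
                                      "sha256": hashlib.sha256(payload).hexdigest()})
    return grouped


def remove_from_preview(grouped, remove_sha256):
    """The preview page's 'Remove ...' action: drop the listed materials so
    only the rest go on to the import."""
    drop = set(remove_sha256)
    return {kind: [m for m in items if m["sha256"] not in drop]
            for kind, items in grouped.items()}


def _fold(line, width=60):
    """Fold a long LDIF line as exports do: continuation lines begin with a space."""
    return "\n ".join(line[i:i + width] for i in range(0, len(line), width))


def _b64(der):
    return base64.b64encode(der).decode()


# Constructed sample export. Payloads are placeholders, not real DER objects.
DS1_DER = b"\x30\x82placeholder-document-signer-certificate-1"
DS2_DER = b"\x30\x82placeholder-document-signer-certificate-2"
CRL_DER = b"\x30\x82placeholder-certificate-revocation-list"
ML_DER = b"\x30\x82placeholder-signed-master-list"
SAMPLE_LDIF = "\n".join([
    "version: 1",
    "# sample ICAO PKD style download, constructed for this example",
    "dn: cn=DS0001,o=dsc,c=UT,dc=data,dc=download,dc=pkd",
    _fold("userCertificate;binary:: " + _b64(DS1_DER)),
    "",
    "dn: cn=DS0002,o=dsc,c=UT,dc=data,dc=download,dc=pkd",
    _fold("userCertificate;binary:: " + _b64(DS2_DER)),
    "",
    "dn: o=crl,c=UT,dc=data,dc=download,dc=pkd",
    _fold("certificateRevocationList;binary:: " + _b64(CRL_DER)),
    "",
    "dn: o=ml,c=UT,dc=data,dc=download,dc=pkd",
    _fold("pkdMasterListContent:: " + _b64(ML_DER)),
    "",
])

if __name__ == "__main__":
    for kind, items in classify_materials(parse_ldif(SAMPLE_LDIF)).items():
        print("%-15s %d" % (kind, len(items)))
```

The SHA-256 over the DER bytes is the natural handle for a preview: it is what lets an operator say “drop this one” unambiguously, and it is also the cheapest way to recognise that a material already in the National PKD is identical to the one being offered.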

Importing multiple Document Signer certificates from files


You can import one or more Document Signer certificates into the National PKD from
a series of files. When importing the certificates, the NPKD services will perform
validation tests on each certificate.
When importing the files, you have the option to preview the Document Signer
certificates before uploading them into the National PKD. Previewing the certificates
allows you to display information about each certificate to import. The preview allows
you to inspect the contents and optionally remove some of the certificates before
importing them into the National PKD.

To import Document Signer certificates from files


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Import.

3 Under Import multiple files, click DS Certificates.

4 To preview the Document Signer certificates before importing them into the
National PKD, select Preview materials before uploading.
Previewing the materials allows you to display information about all materials to
import. The preview allows you to inspect the contents and optionally remove
some of the materials before importing them into the National PKD.
5 Click Browse to locate and select one or more Document Signer certificate
files.
6 Click Submit.
NPKD will not upload files it does not recognize as Document Signer certificates.
If no Document Signer certificates were found in the selected files, NPKD
Administration displays an error message.

7 If you chose to preview the materials, a DS Certificates Preview page appears.
For example:

a The DS Certificate List grid contains information about the Document Signer
certificates.
Each row contains information about a Document Signer certificate. Each
row contains the following columns:
– Country Code displays the country code of the originating country.
– Country displays the name of the originating country.
– Serial Number displays the serial number of the certificate.
– Issuer DN displays the distinguished name (DN) of the CSCA that issued
the certificate.
– Subject DN displays the distinguished name (DN) of the Document Signer
certificate.
– Not Valid Before displays the issue date of the certificate.
– Not Valid After displays the expiry date of the certificate.
– Assurance Level displays the assurance level of the certificate.
The assurance level, from highest to lowest, can be one of: High
Assurance, Minor Defect, or Low Assurance.
To view the results of all assurance level tests performed, click the arrow
next to the country code.
– Actions displays a list of available actions you can perform on the
certificate.
To remove the Document Signer certificate from the list, click Remove
Certificate. The certificate will not be imported into the National PKD.
b To import the Document Signer certificates into the National PKD, click
Import DS Certificates.

8 Wait until the import operation finishes. The page will display a success message
if the import was successful, or an error message if the import failed.

Importing multiple CSCA certificates from files


You can import one or more CSCA certificates into the National PKD from a series of
files. When importing the CSCA certificates, the NPKD services will perform
validation tests on each certificate.
The CSCA certificates you import into the National PKD are added to the National
PKD as trust anchors. The NPKD services use trust anchors (CSCA certificates) to
validate the other materials in the National PKD: CRLs, Document Signer certificates,
and master lists.
When importing the files, you have the option to preview the CSCA certificates
before uploading them into the National PKD. Previewing the certificates allows you
to display information about each certificate to import. The preview allows you to
inspect the contents and optionally remove some of the certificates before importing
them into the National PKD.

To import CSCA certificates from files


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Import.

3 Under Import multiple files, click CSCA Certificates as Trust Anchors.

4 To preview the CSCA certificates before importing them into the National PKD,
select Preview materials before uploading.
Previewing the materials allows you to display information about all materials to
import. The preview allows you to inspect the contents and optionally remove
some of the materials before importing them into the National PKD.
5 Click Browse to locate and select one or more CSCA certificate files.
6 Click Submit.
NPKD will not upload files it does not recognize as CSCA certificates. If no CSCA
certificates were found in the selected files, NPKD Administration displays an
error message.

7 If you chose to preview the materials, a CSCA Certificates Preview page appears.
For example:

a The grid contains information about the CSCA certificates.
Each row in the grid contains information about a CSCA certificate. Each row
contains the following columns:
– Issuer DN displays the distinguished name (DN) of the CSCA certificate.
– Serial Number displays the serial number of the certificate.
– Not Valid Before displays the issue date of the certificate.
– Not Valid After displays the expiry date of the certificate.
– Assurance Level displays the assurance level of the certificate.
The assurance level, from highest to lowest, can be one of: High
Assurance, Minor Defect, or Low Assurance.
To view the results of all assurance level tests performed, click the arrow
next to the country code.
– Actions displays a list of available actions you can perform on the
certificate.
To remove the certificate from the list, click Remove Certificate. The CSCA
certificate will not be imported into the National PKD.
b To import the CSCA certificates into the National PKD, click Import Trusted
CA Certificates.
8 Wait until the import operation finishes. The page will display a success message
if the import was successful, or an error message if the import failed.

a After successfully importing new CSCA certificates as trust anchors, NPKD
Administration recommends that you recalculate assurance levels, because the
NPKD services validate the other materials in the National PKD against the
trust anchors.
b To immediately recalculate the assurance levels of all CSCA materials in the
National PKD, click Recalculate Assurance Levels.
By default, NPKD automatically recalculates assurance levels every 24 hours
(see “Configuring NPKD services settings” on page 710).
Recalculating assurance levels can take several minutes to complete. You can
view the Dashboard to see when the recalculation is complete (see
“Monitoring the National PKD using the dashboard” on page 588).

Importing multiple CRLs from files


You can import one or more CRLs into the National PKD from a series of files. When
importing the CRLs, the NPKD services will perform validation tests on each CRL.
When importing the files, you have the option to preview the CRLs before uploading
them into the National PKD. Previewing the CRLs allows you to display information
about each CRL to import. The preview allows you to inspect the contents and
optionally remove some of the CRLs before importing them into the National PKD.

To import CRLs from files


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Import.

3 Under Import multiple files, click CRLs.

4 To preview the CRLs before importing them into the National PKD, select
Preview materials before uploading.
Previewing the materials allows you to display information about all materials to
import. The preview allows you to inspect the contents and optionally remove
some of the materials before importing them into the National PKD.
5 Click Browse to locate and select one or more CRL files.
6 Click Submit.
NPKD will not upload files it does not recognize as CRLs. If no CRLs were found
in the selected files, NPKD Administration displays an error message.

7 If you chose to preview the materials, a CRLs Preview page appears. For
example:

a The CRLs List grid contains information about the CRLs.
Each row in the grid contains information about a CRL. Each row contains
the following columns:
– Country Code displays the country code of the originating country.
– Country displays the name of the originating country.
– Issuer DN displays the distinguished name (DN) of the CSCA that issued
the CRL.
– Last Update displays the date and time the CRL was last updated.
– Next Update displays the date and time the CRL is scheduled to be
updated.
– Source displays the source of the CRL.
The value Manual indicates that you are manually importing the CRL into
the National PKD.
– Assurance Level displays the assurance level of the CRL.
The assurance level, from highest to lowest, can be one of: High
Assurance, Minor Defect, or Low Assurance.
To view the results of all assurance level tests performed, click the arrow
next to the country code.
– Revoked displays the number of revoked certificates in the CRL.
– Actions displays a list of available actions you can perform on the CRL.
To remove the CRL from the list, click Remove CRL. The CRL will not be
imported into the National PKD.
b To import the CRLs into the National PKD, click Import CRLs.

8 Wait until the import operation finishes. The page will display a success message
if the import was successful, or an error message if the import failed.

Importing multiple master lists from files


You can import one or more master lists into the National PKD from a series of files.
When importing the master lists, the NPKD services will perform validation tests on
each master list.
When importing the files, you have the option to preview the master lists before
uploading them into the National PKD. Previewing the master lists allows you to
display information about each master list to import. The preview allows you to
inspect the contents and optionally remove some of the master lists before importing
them into the National PKD.

To import master lists from files


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Import.
3 Under Import multiple files, click Master Lists.

4 To preview the master lists before importing them into the National PKD, select
Preview materials before uploading.

Previewing the materials allows you to display information about all materials to
import. The preview allows you to inspect the contents and optionally remove
some of the materials before importing them into the National PKD.
5 Click Browse to locate and select one or more master list files.
6 Click Submit.
NPKD will not upload files it does not recognize as master lists. If no master lists
were found in the selected files, NPKD Administration displays an error message.
7 If you chose to preview the materials, a Master Lists Preview page appears. For
example:

a The Master Lists List grid contains information about the master lists.
Each row in the grid contains information about a master list. Each row
contains the following columns:
– Country Code displays the country code of the originating country.
– Country displays the name of the originating country.
– Signer DN displays the distinguished name (DN) of the CSCA that signed
the master list.
– Signing Time displays the date and time the master list was signed.
– Assurance Level displays the assurance level of the master list.
The assurance level, from highest to lowest, can be one of: High
Assurance, Minor Defect, or Low Assurance.
To view the results of all assurance level tests performed, click the arrow
next to the country code.
– CSCA Certificates displays the number of CSCA certificates in the master
list.

– Actions displays a list of available actions you can perform on the master
list.
To remove the master list from the list, click Remove Master List. The
master list will not be imported into the National PKD.
b To import the master lists into the National PKD, click Import Master Lists.
8 Wait until the import operation finishes. The page will display a success message
if the import was successful, or an error message if the import failed.

Managing PKD Reader

Note:
The PKD Reader page appears in NPKD Administration only if you enable
connections to PKD Reader during installation.

If you enabled a connection to PKD Reader during installation, you can manage the
PKD Reader from the NPKD Administration interface.
From NPKD Administration, you can view the status of PKD Reader, import CSCA
materials from PKD Reader into the National PKD, edit some PKD Reader settings,
and download CSCA materials from the ICAO PKD into PKD Reader.
This section contains the following topics:
• “Viewing the status of PKD Reader” on page 693
• “Importing CSCA materials from PKD Reader into the National PKD” on
page 696
• “Editing PKD Reader settings” on page 700
• “Downloading CSCA materials from ICAO PKD into PKD Reader” on
page 702

Viewing the status of PKD Reader


From NPKD Administration, you can view information about the PKD Reader
credentials used to connect to the ICAO PKD, and statistics about the CSCA materials
downloaded from the ICAO PKD.

To view the status of PKD Reader


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click PKD Reader.
The PKD Reader page appears.
3 Click the Status tab.

4 If an error occurs—for example, the NPKD services cannot retrieve the PKD
Reader ICAO credential status—the page displays the error code along with the
error message.

5 If the NPKD services can successfully display the status of PKD Reader:
a ICAO Credentials Status displays the status of the credentials that PKD
Reader uses to connect to the ICAO PKD.

– Download LDAP ID displays the credential (such as the distinguished name
of an LDAP user entry) provided by ICAO for connecting to the ICAO PKD
Download Directory.

– Upload Certificate DN displays the distinguished name (DN) of the PKD
Access credential used by the PKD Reader to retrieve CSCA Registry
information from the ICAO PKD Upload Directory.
A value of N/A indicates PKD Reader does not have a PKD Access
credential.
– Upload Certificate Serial Number displays the serial number of the PKD
Access credential.
A value of N/A indicates PKD Reader does not have a PKD Access
credential.
– Upload Certificate Expiry Date displays the expiry date of the PKD access
credential.
A value of N/A indicates PKD Reader does not have a PKD Access
credential.
– Last successful download connection date displays the date and time of
PKD Reader’s last successful connection to the ICAO PKD Download
Directory.
A value of N/A indicates PKD Reader never successfully connected to the
ICAO PKD Download Directory.
– Last successful upload connection date displays the date and time of PKD
Reader’s last successful connection to the ICAO PKD Upload Directory.
A value of N/A indicates PKD Reader never successfully connected to the
ICAO PKD Upload Directory.
b CSCA Materials Download Status displays statistics about the CSCA
materials that PKD Reader downloaded from the ICAO PKD.

– Last successful download displays the date and time of PKD Reader’s last
successful download from the ICAO PKD.
– Time elapsed since last successful download displays the number of hours
since PKD Reader’s last successful download from the ICAO PKD.
– Next scheduled download displays the next date and time that PKD Reader
is scheduled to download materials from the ICAO PKD.
– Downloaded CRLs displays the current number of CRLs downloaded from
the ICAO PKD.

– Downloaded DS Certificates displays the current number of Document
Signer certificates downloaded from the ICAO PKD.
– Downloaded Master Lists displays the current number of master lists
downloaded from the ICAO PKD.

Importing CSCA materials from PKD Reader into the National PKD

By default, if you enabled a connection from the PKD Reader to the NPKD services,
PKD Reader will automatically import CSCA materials into the National PKD every 24
hours (see “Configuring NPKD services settings” on page 710).
From NPKD Administration, you can manually import CSCA materials from PKD
Reader into the National PKD. Import CSCA materials manually if you have
disabled automatic imports, or if you want to ensure the National PKD has the
latest CSCA materials without waiting for the next automatic import.
You can import CRLs, Document Signer certificates, or master lists separately,
or import all CSCA materials at once.
When importing CSCA materials from PKD Reader into the National PKD, identical
or older versions of the same materials may already exist in the National PKD.
NPKD applies the following rules when deciding whether to replace what it
already holds:
• For CRLs, NPKD replaces the existing CRL if the incoming CRL is not identical
to it, or if the incoming CRL’s source ranks higher.
• For Document Signer certificates, NPKD replaces the existing certificate if
the incoming certificate is not identical to it, or if its source ranks higher.
• For master lists, NPKD replaces the existing master list if the incoming
master list is newer (signed at a later date), or if its source ranks higher.
The source of CSCA materials can be one of the following, from highest to lowest:
ICAO (downloaded from the ICAO PKD), Manual (imported manually into the
National PKD), or Discovered (CRLs only, downloaded from a URL in a Document
Signer certificate’s CDP).
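The replacement rules above, as an added example that is not part of this guide and not Entrust code: a small Python policy function that decides whether an incoming material from PKD Reader overwrites the one the National PKD already holds, plus a merge loop that records every decision so an operator can audit what changed. The `Material` record layout, the content hash used as the identity test and the `key` used to pair two versions of the same material are assumptions made for illustration; the guide does not describe how NPKD itself matches materials.

```python
"""Replacement policy for CSCA materials arriving from PKD Reader.

Added example, not Entrust code. Implements the three rules and the source
ranking described above; the Material layout, the content-hash identity test
and the merge key are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Source precedence from the guide, highest first.
SOURCE_RANK = {"ICAO": 3, "Manual": 2, "Discovered": 1}
KINDS = ("crl", "ds_certificate", "master_list")


@dataclass(frozen=True)
class Material:
    kind: str                  # one of KINDS
    key: str                   # assumed identity, e.g. issuer DN (plus serial for a DS cert)
    source: str                # "ICAO", "Manual" or "Discovered"
    content_hash: str          # digest of the DER payload; equal digests = identical material
    signing_time: Optional[datetime] = None   # master lists only

    def __post_init__(self):
        if self.kind not in KINDS:
            raise ValueError("unknown material kind: %r" % self.kind)
        if self.source not in SOURCE_RANK:
            raise ValueError("unknown source: %r" % self.source)
        if self.source == "Discovered" and self.kind != "crl":
            raise ValueError("only CRLs can have the source Discovered")
        if self.kind == "master_list" and self.signing_time is None:
            raise ValueError("a master list needs its signing time")


def should_replace(existing: Optional[Material], incoming: Material) -> bool:
    """Return True if `incoming` should overwrite `existing` in the National PKD."""
    if existing is None:
        return True                      # nothing held yet: always import
    if (existing.kind, existing.key) != (incoming.kind, incoming.key):
        raise ValueError("rule applies only to two versions of the same material")
    source_higher = SOURCE_RANK[incoming.source] > SOURCE_RANK[existing.source]
    if incoming.kind in ("crl", "ds_certificate"):
        # Rules 1 and 2: replace if not identical, or if the source ranks higher.
        return incoming.content_hash != existing.content_hash or source_higher
    # Rule 3: a master list is replaced if newer, or if the source ranks higher.
    return incoming.signing_time > existing.signing_time or source_higher


def merge(repository: dict, incoming: list) -> list:
    """Apply should_replace() to each incoming material, updating `repository`
    (a dict keyed by (kind, key)) in place. Returns one (material, replaced)
    pair per incoming item so the outcome can be audited."""
    decisions = []
    for material in incoming:
        slot = (material.kind, material.key)
        replaced = should_replace(repository.get(slot), material)
        if replaced:
            repository[slot] = material
        decisions.append((material, replaced))
    return decisions


def signed_on(year, month, day):
    """Helper for master list signing times (UTC midnight)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


if __name__ == "__main__":
    # Constructed sample: a manually imported CRL is offered again from the ICAO PKD.
    repo = {("crl", "CN=CSCA,C=UT"): Material("crl", "CN=CSCA,C=UT", "Manual", "aaaa")}
    for m, replaced in merge(repo, [Material("crl", "CN=CSCA,C=UT", "ICAO", "aaaa")]):
        print(m.kind, m.source, "replaced" if replaced else "kept existing")
```

Note what the rules as stated imply: for CRLs and Document Signer certificates, any difference in content triggers a replacement regardless of source rank, so the source ranking only decides ties between identical materials. For master lists, an older list still wins if it comes from a higher-ranked source.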

To import CSCA materials from PKD Reader into the National PKD
1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click PKD Reader.
The PKD Reader page appears.

3 Click the Import CSCA Materials tab.

4 Under Import CSCA materials from the PKD Reader repository to NPKD:
• To import only certificate revocation lists (CRLs), click CRLs.
• To import all CSCA materials (CRLs, Document Signer certificates, and
master lists), click CSCA Materials.
• To import only Document Signer certificates, click DS Certificates.
• To import only master lists, click Master Lists.
5 To preview the materials before importing them into the National PKD, select
Preview materials before uploading.
Previewing the materials allows you to display information about all materials to
import. The preview allows you to inspect the contents and optionally remove
some of the materials before importing them into the National PKD.
6 To import the materials using a background import thread, click Import in
background.
Using a background import thread is recommended for large import operations.
Typically, there is one CRL and one master list per country, but there could be a
very large number of Document Signer certificates. The PKD Status tab can
display information about how many materials PKD Reader has downloaded
from the ICAO PKD (see “Viewing the status of PKD Reader” on page 693).
7 Click Submit.

8 If you chose to preview the materials, a Preview page appears. For example:

a If importing Document Signer certificates or all CSCA materials, the DS
Certificate List grid contains a list of Document Signer certificates in PKD
Reader that you can import into the National PKD.
Each row in the grid contains information about a Document Signer
certificate. Each row contains the following columns:
– Country Code displays the country code of the originating country.
– Country displays the name of the originating country.
– Serial Number displays the serial number of the certificate.
– Issuer DN displays the distinguished name (DN) of the CSCA that issued
the certificate.
– Subject DN displays the distinguished name (DN) of the Document Signer
certificate.
– Not Valid Before displays the issue date of the certificate.
– Not Valid After displays the expiry date of the certificate.
– Assurance Level displays the assurance level of the certificate.
The assurance level, from highest to lowest, can be one of: High
Assurance, Minor Defect, or Low Assurance.
– Actions displays a list of available actions you can perform on the
certificate.
To remove the Document Signer certificate from the list, click Remove
Certificate. The certificate will not be imported into the National PKD.
b If importing CRLs or all CSCA materials, the CRLs List grid contains a list of
CRLs in PKD Reader that you can import into the National PKD.
Each row in the grid contains information about a CRL. Each row contains
the following columns:
– Country Code displays the country code of the originating country.

– Country displays the name of the originating country.
– Issuer DN displays the distinguished name (DN) of the CSCA that issued
the certificate.
– Last Update displays the date and time the CRL was last updated.
– Next Update displays the date and time the CRL is scheduled to be
updated.
– Source displays the source of the CRL.
The value ICAO indicates that the CRL was downloaded from the ICAO
PKD.
The value Discovered indicates that the CRL was discovered and
downloaded by NPKD from a URL in a Document Signer certificate’s CDP
(CRL distribution point).
By default, the NPKD services can automatically discover and download
CRLs when importing Document Signer certificates and a URL is found in
a certificate’s CDP. You can disable automatic discovery of CRLs by editing
the NPKD settings (see “Configuring NPKD services settings” on
page 710).
– Assurance Level displays the assurance level of the CRL.
The assurance level, from highest to lowest, can be one of: High
Assurance, Minor Defect, or Low Assurance.
– Revoked displays the number of revoked certificates in the CRL.
– Actions displays a list of available actions you can perform on the CRL.
To remove the CRL from the list, click Remove CRL. The CRL will not be
imported into the National PKD.
c If importing master lists or all CSCA materials, the Master Lists List grid
contains a list of master lists in PKD Reader that you can import into the
National PKD.
Each row in the grid contains information about a master list. Each row
contains the following columns:
– Country Code displays the country code of the originating country.
– Country displays the name of the originating country.
– Signer DN displays the distinguished name (DN) of the CSCA that signed
the master list.
– Signing Time displays the date and time the master list was signed.
– Assurance Level displays the assurance level of the master list.
The assurance level, from highest to lowest, can be one of: High
Assurance, Minor Defect, or Low Assurance.
– CSCA Certificates displays the number of CSCA certificates in the master
list.
– Actions displays a list of available actions you can perform on the master
list.
To remove the master list from the list, click Remove Master List. The
master list will not be imported into the National PKD.
d To import the materials, click the Import button.
The button is labeled either Import CRLs, Import CSCA Materials, Import DS
Certificates, or Import Master Lists, depending on the type of materials you
chose to import.
9 The download process can take up to several minutes to complete.
• If you chose to import the materials using a background thread, the page will
display the following message:
The import thread has started. This may take several minutes to
complete. Check the Dashboard to verify the import has
completed.
The Dashboard provides information about current and past imports from
PKD Reader. See “Monitoring the National PKD using the dashboard” on
page 588 for details.
• If you are not using a background thread to import the materials, wait until
the import operation finishes. The page will display a success message if the
import was successful, or an error message if the import failed.

Editing PKD Reader settings


NPKD Administration allows you to configure some PKD Reader download settings.
You can change these settings without restarting the PKD Reader services.
For information about configuring PKD Reader by editing configuration files, see
“Configuring the PKD Reader Web Service” on page 425. The configuration files
contain additional settings not available in NPKD Administration.

To edit the PKD Reader settings


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click PKD Reader.
The PKD Reader page appears.
3 Click the Edit Settings tab.

4 For Number of hours between periodic PKD downloads, enter the frequency (in
hours) that PKD Reader will attempt to download CSCA materials from the ICAO
PKD.
By default, PKD Reader attempts to download materials from the ICAO PKD
every 24 hours.
5 For Number of attempts to establish a PKD connection before reporting the
failure field, enter the number of attempts PKD Reader will take to establish a
connection with the ICAO PKD before reporting a failure.
By default, PKD Reader will attempt to connect to the ICAO PKD three times
before reporting a failure.
6 For PKD LDAP page size, enter the number of entries per page returned from an
LDAP query. If 0, PKD Reader will not use LDAP paging.
The ICAO PKD can contain thousands of master lists, Document Signer
certificates, and CRLs. During PKD Reader startup and periodically thereafter the
service populates a cache of CSCA materials from the ICAO PKD. By default,
when downloading CSCA materials, the PKD Reader will attempt to download
all CSCA materials at once in one LDAP search query. If the LDAP server search
limit is ever reached, not all CSCA materials will be returned.
To ensure that all CSCA materials will be returned from an LDAP search query,
you can configure the LDAP page size the PKD Reader will use when searching
the ICAO PKD and obtaining results. The LDAP page size controls how many
entries per page are returned from an LDAP query; the directory will continue to
return pages of search results until all results are returned.
The default value is 1000.
7 Click Submit.
Downloading CSCA materials from ICAO PKD into PKD Reader
By default, PKD Reader downloads CSCA materials—CRLs, Document Signer
certificates, and master lists—from the ICAO PKD every 24 hours (see “Editing PKD
Reader settings” on page 700).
From NPKD Administration, you can manually download CSCA materials from the
ICAO PKD into PKD Reader. Manually download CSCA materials if you want to
ensure that PKD Reader has the latest CSCA materials without waiting for the
automatic import.

Note:
Downloading CSCA materials from the ICAO PKD only downloads the materials
into the PKD Reader; it does not import the materials into the National PKD. For
information about importing CSCA materials from the PKD Reader into the
National PKD, see “Importing CSCA materials from PKD Reader into the National
PKD” on page 696.

To download CSCA materials from the ICAO PKD into PKD Reader
1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click PKD Reader.
The PKD Reader page appears.
3 Click the Download CSCA Materials tab.

4 Click Download.
The download process can take up to several minutes to complete. If the
download is successful, a success message appears, along with a grid that
shows how many CRLs, Document Signer certificates, and master lists were
downloaded.
Configuring the global assurance policy
settings
Assurance levels specify the level of trust for CSCA materials (Document Signer
certificates, CRLs, and master lists). The NPKD Web Service can automatically publish
CSCA materials with a high enough assurance level to DV Web Service clients.
Assurance policies control the tests performed on CSCA materials to determine the
assurance level, and the minimum assurance level required to publish the materials to
clients. NPKD administrators can change assurance policies on a global level or on a
per-country level.
The global assurance policy is the default assurance policy. By default, the global
assurance policy is assigned to all countries in the National PKD. You can override the
global assurance policy on a per-country basis (see “Configuring the assurance policy
settings for a country” on page 603).
The following procedure describes how to configure the global assurance policy.

To configure the global assurance policy


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Policy.

3 If you want to restore the global assurance policy settings to the factory default
values, click Restore Default Global Policy Settings.
4 Under the Global Policy section:
a For Name, enter a friendly name for the global policy settings. The default
value is default.
b For Description, enter a description for the global policy settings. The default
value is Default assurance level policy.
c Certificate Publish Assurance Level controls the minimum assurance level
required for NPKD to publish Document Signer certificates to DV Web
Service clients.
All tests performed by NPKD on a Document Signer certificate must result in
this assurance level or higher for NPKD to publish the Document Signer
certificate to clients.
From the drop-down list, select the minimum assurance level required for
NPKD to publish Document Signer certificates. You can select the following
values, from highest to lowest: High Assurance, Minor Defect, or Low
Assurance.
The default value is High Assurance.
d CRL Publish Assurance Level controls the minimum assurance level required
for NPKD to publish CRLs to DV Web Service clients.
All tests performed by NPKD on a CRL must result in this assurance level or
higher for NPKD to publish the CRL to clients. You can select the following
values, from highest to lowest: High Assurance, Minor Defect, or Low
Assurance.
The default value is High Assurance.
e Master List Publish Assurance Level controls the minimum assurance level
required for NPKD to publish master lists to DV Web Service clients.
All tests performed by NPKD on a master list must result in this assurance
level or higher for NPKD to publish the master list to clients. You can select
the following values, from highest to lowest: High Assurance, Minor Defect,
or Low Assurance.
The default value is High Assurance.
5 The Policy Tests section controls all assurance level tests the NPKD services can
perform on CSCA materials.
Each row in the grid corresponds to an assurance level test. Each row can contain
the following columns:
• Test Name is the name of the assurance level test.
• Class is the Java class that the NPKD service uses to perform the test.
• Description is a brief description of the test.
• Source Material displays the type of material on which the test is performed.
The value is one of CRLs, DS Certificates, Master Lists, or CSCA Certificate.
• Result lists all possible test results. Each result corresponds with the adjacent
drop-down list in the Assurance Level column.
– Pass. The test passed.
– Fail. The test failed.
– Undetermined. The NPKD services cannot perform a test to determine the
test result. For example, NPKD services cannot access the appropriate CRL
to determine if the Document Signer certificate was revoked.
– Non-Compliant Value. The test passed, but the value tested is not
compliant with the ICAO standard.
• Assurance Level controls the assurance level assigned to the material based
on the test result. Each drop-down list corresponds to the adjacent test result
in the Result column.
You can select the following values, from highest to lowest: High Assurance,
Minor Defect, or Low Assurance.
– The default value for all Pass test results is High Assurance.
– The default value for Fail test results is either Low Assurance or Minor
Defect, depending on the test.
– The default value for all Undetermined test results is Minor Defect.
– The default value for all Non-Compliant Value test results is Minor Defect.
• State controls whether the NPKD services performs the test:
– To enable NPKD services to perform the test, click Enabled. By default, all
tests are enabled.
– To disable NPKD services from performing the test, click Disabled.
6 If you changed any settings and want to save the changes, click Save Global
Policy Settings.
7 To immediately recalculate assurance levels on all CSCA materials for all countries
that use the global assurance policy, click Recalculate Assurance Levels.
By default, NPKD automatically recalculates assurance levels every 24 hours (see
“Configuring NPKD services settings” on page 710).
Recalculating assurance levels can take several minutes to complete. You can
view the Dashboard to see when the recalculation is complete (see “Monitoring
the National PKD using the dashboard” on page 588).
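The following script is an added example, not Entrust code, that encodes the policy rules stated above so you can predict what a given policy will publish: each enabled test maps its result to an assurance level, a material is rated at the lowest level any enabled test produced, and it is published only when that rating meets the publish threshold for its material type. The test names (signature_valid, within_validity, not_revoked, key_usage_profile) and the country code XX are illustrative assumptions; the product's actual test catalogue is shown in the Policy Tests grid.

```python
"""Assurance-level evaluation under an NPKD-style policy.

Added example, not Entrust code.  Test names and the country override are
illustrative assumptions; the result-to-level defaults are the ones the
documentation lists (Pass -> High Assurance, Undetermined and
Non-Compliant Value -> Minor Defect, Fail -> Low Assurance or Minor Defect
depending on the test).
"""
from enum import IntEnum


class Assurance(IntEnum):
    LOW_ASSURANCE = 0
    MINOR_DEFECT = 1
    HIGH_ASSURANCE = 2


RESULTS = ("Pass", "Fail", "Undetermined", "Non-Compliant Value")


def default_test(fail_level, enabled=True):
    """One Policy Tests row: result-to-level mapping plus the State flag."""
    return {"enabled": enabled, "levels": {
        "Pass": Assurance.HIGH_ASSURANCE,
        "Fail": fail_level,
        "Undetermined": Assurance.MINOR_DEFECT,
        "Non-Compliant Value": Assurance.MINOR_DEFECT,
    }}


# Assumed test catalogue; the names are illustrative, not the product's.
GLOBAL_POLICY = {
    "publish": {
        "DS Certificates": Assurance.HIGH_ASSURANCE,
        "CRLs": Assurance.HIGH_ASSURANCE,
        "Master Lists": Assurance.HIGH_ASSURANCE,
    },
    "tests": {
        "signature_valid": default_test(Assurance.LOW_ASSURANCE),
        "within_validity": default_test(Assurance.LOW_ASSURANCE),
        "not_revoked": default_test(Assurance.MINOR_DEFECT),
        "key_usage_profile": default_test(Assurance.MINOR_DEFECT),
    },
}


def effective_policy(global_policy, country_overrides, country_code):
    """Per-country override: the country's own publish thresholds and test
    rows replace the global ones; everything it does not set is inherited."""
    override = country_overrides.get(country_code, {})
    policy = {"publish": dict(global_policy["publish"]),
              "tests": dict(global_policy["tests"])}
    policy["publish"].update(override.get("publish", {}))
    policy["tests"].update(override.get("tests", {}))
    return policy


def assurance_level(policy, results):
    """Lowest level produced by any enabled test.  A test with no recorded
    result is treated as Undetermined, the outcome the documentation gives
    for a test the services could not carry out (e.g. CRL unreachable)."""
    level = Assurance.HIGH_ASSURANCE
    for name, test in policy["tests"].items():
        if not test["enabled"]:
            continue
        result = results.get(name, "Undetermined")
        if result not in RESULTS:
            raise ValueError("unknown result %r for test %s" % (result, name))
        level = min(level, test["levels"][result])
    return level


def publishable(policy, material_type, results):
    """True when every enabled test rates the material at or above the
    publish threshold for its type."""
    return assurance_level(policy, results) >= policy["publish"][material_type]


if __name__ == "__main__":
    # Constructed results for one Document Signer certificate whose CRL
    # could not be fetched (not_revoked has no result); all else passed.
    ds_results = {"signature_valid": "Pass", "within_validity": "Pass",
                  "key_usage_profile": "Pass"}
    print(assurance_level(GLOBAL_POLICY, ds_results).name)            # MINOR_DEFECT
    print(publishable(GLOBAL_POLICY, "DS Certificates", ds_results))  # False
    # A country (assumed code XX) that accepts Minor Defect for DS certificates:
    overrides = {"XX": {"publish": {"DS Certificates": Assurance.MINOR_DEFECT}}}
    xx = effective_policy(GLOBAL_POLICY, overrides, "XX")
    print(publishable(xx, "DS Certificates", ds_results))             # True
```

The run shows the practical effect of the defaults: a certificate whose revocation status cannot be determined is held at Minor Defect and is not published under the High Assurance threshold, and either lowering the threshold for a country or disabling the revocation test makes it publishable. Treat every lowered threshold or disabled test as a deliberate decision to publish materials with a known gap in validation.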
Exporting the global and country-specific
assurance policies to files
Assurance levels specify the level of trust for CSCA materials (Document Signer
certificates, CRLs, and master lists). The NPKD Web Service can automatically publish
CSCA materials with a high enough assurance level to DV Web Service clients.
Assurance policies control the tests performed on CSCA materials to determine the
assurance level, and the minimum assurance level required to publish the materials to
clients. NPKD administrators can change assurance policies on a global level (see
“Configuring the global assurance policy settings” on page 704) or on a per-country
level (see “Configuring the assurance policy settings for a country” on page 603.)
You can export a summary of the global assurance policy and all country-specific
assurance policies to a series of files within a ZIP file. Each file contains a summary of
the assurance policy.

To export assurance policy settings to files


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Policy.

3 Click Export Global and Country Specific Policies.


4 When prompted, save the assurance policy files to a location on your computer.
The policy files are saved in a ZIP file. By default, the ZIP file name is
policies.zip.
In the ZIP file, each assurance policy is written to a text file. The global assurance
policy is written to global_policy.txt. Each country that uses its own assurance
policy has its policy information written to <CC>_policy.txt, where <CC> is the
country code of the country (such as US_policy.txt).
Configuring NPKD services settings
NPKD Administration allows you to configure some NPKD services settings, including
the log level and some email notification settings. You can change these settings
without restarting Administration Services.
For information about configuring the NPKD services by editing configuration files,
see “Configuring the NPKD services” on page 545. The configuration files contain
additional settings not available in NPKD Administration.

To configure NPKD services settings


1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click Configuration.
The Edit NPKD Configuration Settings page appears.

3 For Log Level, select the level of detail to write in the NPKD services logs.
The logging level can be one of (in increasing severity) Trace, Debug,
Information, Warning, Error, Alert, or Fatal. This sets the lowest level of message
to show. For example, Error provides messages of Error, Alert and Fatal status.
The default value is Information.
4 CSCA Automatic Signature Verification Enabled controls whether NPKD
Administration verifies the signatures on CSCA materials stored in the National PKD.
All materials in the National PKD are signed with the private key of the NPKD
Server server profile when they are stored. When this flag is enabled, NPKD
Administration verifies those signatures before displaying the materials. NPKD
Web Service clients can also verify the signatures when receiving the materials.
• To verify the signatures of CSCA materials in the National PKD, select True.
• To skip signature verification in NPKD Administration, select False. This
removes the check that the stored materials are unchanged since the NPKD
services signed them.
The default value is True.
5 CSCA Auto-Discover CRLS Enabled controls whether the NPKD services download
CRLs automatically when importing Document Signer certificates and a URL is
found in a certificate’s CDP (CRL distribution point).
• To download CRLs automatically when importing Document Signer
certificates, select True. The NPKD services will then open outbound
connections to whatever URLs appear in the imported certificates, so
outbound firewall or proxy rules must allow those connections.
• To not download CRLs automatically when importing Document Signer
certificates, select False.
The default value is True.
6 CSCA Assurance Level Auto-Calculation Enabled controls whether to
automatically recalculate the assurance levels in the National PKD.
Assurance levels specify the level of trust for CSCA materials (Document Signer
certificates, CRLs, and master lists). The NPKD Web Service can automatically
publish CSCA materials with a high enough assurance level to DV Web Service
clients.
NPKD administrators can change assurance policies on a global level or on a
per-country level. Assurance levels for CSCA materials can be recalculated
automatically on a schedule, or an NPKD administrator can manually recalculate
assurance levels.
The NPKD will also remove expired CRLs from the National PKD when it
recalculates assurance levels.
• To automatically recalculate assurance levels in the National PKD, select True.
Additional settings appear:
– For CSCA Assurance Level Calculation Frequency in Hours, enter the
frequency, in hours, that the NPKD will automatically recalculate assurance
levels of CSCA materials in the National PKD. The default value is 24 hours.
• To never automatically recalculate assurance levels in the National PKD,
select False. NPKD administrators must manually recalculate assurance
levels.
The default value is True.
7 Email Notifications Enabled controls whether email notification is enabled for the
NPKD services.
• To enable email notification for the NPKD services, select True. Additional
settings appear:
– For SMTP Port, enter the port (between 0 and 65535) used to connect to
the SMTP host. The default port is 25.
– For SMTP Host, enter the fully qualified host name of the SMTP server.
– For From Email Address, enter the email address that appears in the email
message’s From field.
– For To Email Address, enter the email address that Administration Services
sends email messages to.
For more information about configuring email notification for the NPKD
services, see “Configuring email notification for the NPKD services” on
page 550.
If you enable email notification, you must enter values for all email
notification settings.
• To disable email notification, select False.
The default value was set during installation.
8 PKD Reader Auto-Import Enabled controls whether PKD Reader can
automatically import CSCA materials into the National PKD.

Note:
The PKD Reader Auto-import Enabled option appears only if you enabled a
connection with PKD Reader during installation.

If automatic imports from PKD Reader are enabled, each scheduled import
refreshes the materials in the National PKD. Refreshing the materials may
override any modifications that administrators made between the scheduled
imports. For example, PKD Reader may re-add materials that an administrator
previously removed from the National PKD.
To have full control over materials imported from PKD Reader, you must disable
automatic imports from PKD Reader. You can then manually import materials
from PKD Reader (see “Importing CSCA materials from PKD Reader into the
National PKD” on page 696). Manually importing materials from PKD Reader
allows you to review the materials in PKD Reader and remove any unwanted
materials before uploading them into the National PKD.
• To enable automatic imports from PKD Reader, select True. Additional
settings appear:
– For PKD Reader Import Frequency in Hours, enter the frequency, in hours,
that PKD Reader will import CSCA materials into the National PKD. The
default value is 24 hours.
• To disable automatic imports from PKD Reader, select False.
The default value was set during installation.
9 Maximum page size for DS certificates results controls the number of Document
Signer certificates per page returned from an LDAP query. If 0, NPKD services will
not use LDAP paging.
The National PKD can contain thousands of Document Signer certificates. If the
LDAP server search limit is ever reached, not all Document Signer certificates will
be returned in the search results.
To ensure that all Document Signer certificates will be returned from an LDAP
search query, you can configure the LDAP page size the NPKD services will use
when searching the National PKD and obtaining results. The LDAP page size
controls how many entries per page are returned from an LDAP query; the
directory will continue to return pages of search results until all results are
returned.
The default value is 50.
10 Click Submit to save the changes.
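Both the PKD LDAP page size setting for PKD Reader (step 6 of “Editing PKD Reader settings”) and the Maximum page size for DS certificates results setting above rely on the same mechanism: the LDAP simple paged results control (RFC 2696, control OID 1.2.840.113556.1.4.319), in which the client repeats the search with the cookie the server returned until the cookie comes back empty. The script below is an added example, not Entrust code, of that loop and of the failure mode a page size of 0 exposes. The directory it searches is a constructed in-memory stand-in that enforces a server-side size limit, so it runs offline; with a real client library the cookie is carried in the paged-results control on each request and response.

```python
"""Paged retrieval loop in the shape of the LDAP simple paged results
control (RFC 2696, control OID 1.2.840.113556.1.4.319).

Added example, not Entrust code.  FakeDirectory is a constructed stand-in
for an LDAP server with a search limit; entry names and sizes are made up.
"""


class FakeDirectory:
    """Constructed directory holding `count` entries with search limit `size_limit`."""

    def __init__(self, count, size_limit):
        self.entries = ["cn=DS-%05d,dc=example" % i for i in range(count)]
        self.size_limit = size_limit

    def search(self, page_size=0, cookie=b""):
        """Return (entries, next_cookie, limit_hit).

        page_size == 0 mirrors the 'do not use LDAP paging' setting: the
        server returns at most size_limit entries and signals
        sizeLimitExceeded through limit_hit.  Otherwise it returns one page
        (never larger than its own limit) and an opaque cookie that is empty
        once the last page has been delivered.
        """
        if page_size == 0:
            hit = len(self.entries) > self.size_limit
            return self.entries[: self.size_limit], b"", hit
        start = int(cookie) if cookie else 0
        stop = min(start + min(page_size, self.size_limit), len(self.entries))
        next_cookie = str(stop).encode() if stop < len(self.entries) else b""
        return self.entries[start:stop], next_cookie, False


def fetch_all(directory, page_size):
    """Collect every entry, re-issuing the search with the returned cookie
    until the server hands back an empty one.  Returns (entries, pages).

    Raises instead of returning a partial set when an unpaged search hits
    the server limit: a silently truncated result is exactly the failure
    mode the page-size setting exists to prevent.
    """
    collected, cookie, pages = [], b"", 0
    while True:
        page, cookie, limit_hit = directory.search(page_size, cookie)
        collected.extend(page)
        pages += 1
        if limit_hit:
            raise RuntimeError("server search limit reached after %d entries; "
                               "results truncated" % len(collected))
        if not cookie:
            return collected, pages


def unpaged_loses_entries(directory):
    """True when a single unpaged search cannot return the whole directory."""
    try:
        fetch_all(directory, 0)
        return False
    except RuntimeError:
        return True


if __name__ == "__main__":
    pkd = FakeDirectory(count=2500, size_limit=1000)   # constructed sizes
    entries, pages = fetch_all(pkd, page_size=1000)
    print(len(entries), "entries in", pages, "pages")  # 2500 entries in 3 pages
    print(unpaged_loses_entries(pkd))                  # True
```

The point to take from the run: with 2,500 entries behind a server limit of 1,000, the paged loop returns all of them in three round trips, while the unpaged search returns only the first 1,000 and reports the limit. Any client that ignores that report would cache an incomplete set of CSCA materials without any visible error, which is why a page size of 0 should only be used against a directory whose size limit you know exceeds its entry count.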
24 Customizing NPKD Administration


Entrust Authority Administration Services allows you to customize NPKD
Administration. By making changes to specific files, you can customize NPKD
Administration to match your organization’s corporate identity.
This chapter contains the following sections:
• “Customizing the NPKD Administration interface” on page 716
• “Customizing NPKD Administration styles” on page 720

Customizing the NPKD Administration
interface
When customizing the NPKD Administration interface, you can make several changes
to reflect the corporate identity of your company. This section provides you with
details about how to apply those changes.

Note:
Any changes you make may require you to complete manual tasks when you
upgrade to the next version of Administration Services. It is recommended that
you keep track of the changes you make.

This section includes the following topics:


• “Adding your company logo to NPKD Administration” on page 716
• “Customizing the browser title for NPKD Administration” on page 717
• “Customizing the application title for NPKD Administration” on page 718

Adding your company logo to NPKD Administration


You can add your company logo to all NPKD Administration pages.

To add your company logo to NPKD Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Save your organization’s logo to the images folder, located at:
<AS-install>\services\npkd\npkd\webapp\images
3 Navigate to the following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\jsp
4 Open banner.jsp in a text editor.
5 Locate the placeholder for entrust_logo.gif as shown:
<img class="left-floating" alt=""
src="${pageContext.request.contextPath}/images/entrust_logo.gif"/>
6 Replace entrust_logo.gif with the GIF file name of your logo.
7 Save and close the file.
8 Restart Administration Services and clear your browser cache.
Your logo now appears in the banner of NPKD Administration.
Figure 17: Your company logo in NPKD Administration

Customizing the browser title for NPKD Administration


You can replace the browser title with a title of your choice.

To customize the browser title for NPKD Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Navigate to the following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\classes
3 Open npkd-messages_<locale>.properties in a text editor.
Where <locale> is the locale. By default, Administration Services provides
English (en) and French (fr) locales.
4 Locate the page.title variable. By default:
page.title=Entrust NPKD
5 Replace the existing value with the title chosen by your company. For example:
page.title=Custom browser title
6 Save and close the file.
7 Restart Administration Services and clear your browser cache.
Your customized title now appears in the browser window title bar of all NPKD
Administration pages.
Figure 18: Custom browser title for NPKD Administration

Customizing the application title for NPKD Administration


You can replace the "Entrust Authority™ NPKD" application title with your
organization’s name or any other name your organization chooses.

To change the application title in NPKD Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Navigate to the following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\classes
3 Open npkd-messages_<locale>.properties in a text editor.
Where <locale> is the locale. By default, Administration Services provides
English (en) and French (fr) locales.
4 Locate the banner.product.name variable. By default:
banner.product.name=Entrust Authority&#8482; NPKD
5 Replace the existing value with the title chosen by your company. For example:
banner.product.name=Custom Application Title
6 If you want to add a second line to the application title, insert <br/> followed
by the second line in the same banner.product.name value. For example:
banner.product.name=My Company<br/>Custom Application Title
7 Save and close the file.
8 Restart Administration Services and clear your browser cache.
Your customized application title now appears in NPKD Administration.
Figure 19: Custom application title in NPKD Administration
Customizing NPKD Administration styles
You can customize the NPKD Administration interface with your choice of colors,
fonts, and styles by changing values in the Cascading Style Sheets (CSS) files. The
settings in the CSS files are assigned by class. You can find the CSS files in the
following folder on the server hosting the application server components:
<AS-install>\services\npkd\npkd\webapp\css
Table 39 briefly describes the different CSS files that control how the NPKD
Administration interface looks.

Table 39: List of CSS files for NPKD Administration

common.css
    Defines the styles for elements common to all pages in the interface,
    such as the title bar or columns.

entrust-cloud-foyer-2.css
    Defines the styles for elements common to all pages in the interface,
    such as the title bar or columns.

jquery-ui-1.9.2.custom.css
    Stylesheet for jQuery UI. See the jQuery UI documentation for
    information about this file.

jquery-ui-1.9.2.custom.min.css
    Minified stylesheet for jQuery UI. See the jQuery UI documentation for
    information about this file.

kendo.blueopal.min.css
    Stylesheet for the Blue Opal theme in Kendo UI. See the Kendo UI
    documentation for information about this file.

kendo.common.min.css
    Common stylesheet for the Kendo UI. See the Kendo UI documentation for
    information about this file.

kendo.default.min.css
    Stylesheet for the default theme in Kendo UI. This file is not used by
    NPKD Administration.

Only someone with a good knowledge of CSS should edit the CSS files. When editing
the CSS files, take care not to make any changes that can break the NPKD
Administration interface. Always back up a file before making any edits to the file.
25 Localizing NPKD Administration


NPKD Administration includes the default locale en. The NPKD Administration file
system allows you to add more than one locale folder for each NPKD Administration
instance. This chapter describes how to add a new locale to NPKD Administration.
The preferred language setting in your browser determines the initial locale (the
locale in which you first see the NPKD Administration interface). Links to all other
installed locales appear in the navigation bar of the NPKD Administration login
page. Once you switch to a locale using one of these links, the browser’s language
preference no longer applies. You can specify more than one preferred language in
your browser settings, but only the first one in the list is used. If your browser’s
first preferred language is your localized language, the localized page appears
with a link to the English page. If the browser’s preferred language is not
installed, NPKD Administration uses the default locale en.

Note:
Do not remove the en folder. It is the default locale.

This chapter includes the following sections:


• “Localization overview” on page 722
• “Location of NPKD Administration locale folders” on page 723
• “Adding locales to NPKD Administration” on page 724
• “Translating NPKD Administration files” on page 726
• “Troubleshooting localization in NPKD Administration” on page 729

Localization overview
Localization is the process of modifying or adapting a software application to fit the
requirements of a particular locale. Localization includes translating application text
to conform with a specific locale, and it might also include modifying the date, time,
and currency formats.

About locales
A locale is a specific geographic, political, or cultural region. Locales are
generally specified using a language code combined with a country code.
Language codes are two-letter codes defined by ISO 639 Code for the representation
of the names of languages. By convention, language codes are shown in lower case.
Some common examples include:
• en—English
• fr—French
• ja—Japanese
• ko—Korean
• zh—simplified and traditional Chinese
Country codes are two-letter codes defined by ISO 3166 Country Codes. By
convention, country codes appear in upper case. Some common examples include:
• CA—Canada
• US—United States
• GB—United Kingdom (Great Britain)
• JP—Japan
• CN—China

Defining locales
Locales are generally specified using a combination of a language code and a country
code. The most common interpretation of this standard is the two-letter language
code followed by the two-letter country code, for example:
• fr_CA—French (Canada)
• en_US—English (United States)
• en_GB—English (United Kingdom)
• ja_JP—Japanese (Japan)
Location of NPKD Administration locale folders
You can add locale folders in the following location on the server hosting the
application server components:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\ens\xsl
Administration Services looks for locales in the following order:
• lang_country (for example, fr_CA)
• lang only (for example fr)
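The script below is an added example, not Administration Services code, that applies the lookup rules this chapter states so you can check which locale a given browser preference will land on before you deploy a translation: only the first language in the browser’s preference list counts, the server tries lang_country and then lang, and anything not installed falls back to the default locale en. It derives the installed set from the names of the npkd-messages_<locale>.properties files; that derivation, and the file list it is run against, are assumptions made for the example.

```python
"""Locale selection as the chapter describes it.

Added example, not Administration Services code.  How the server really
enumerates installed locales is not stated in the documentation; deriving
the set from the npkd-messages_<locale>.properties bundle names is an
assumption, and the file names used in the demo are constructed.
"""
import re

DEFAULT_LOCALE = "en"
_BUNDLE = re.compile(r"^npkd-messages_([a-z]{2}(?:_[A-Z]{2})?)\.properties$")


def installed_locales(filenames):
    """Locales for which a message bundle exists, e.g. {'en', 'fr', 'fr_CA'}.
    The default en is always present because the en files must not be removed."""
    found = {m.group(1) for m in map(_BUNDLE.match, filenames) if m}
    return found | {DEFAULT_LOCALE}


def first_preferred(accept_language):
    """Normalize the first Accept-Language tag to lang or lang_COUNTRY
    ('fr-CA,fr;q=0.9,en;q=0.8' -> 'fr_CA'); every later tag is ignored,
    matching the rule that only the first preferred language applies."""
    first = accept_language.split(",")[0].split(";")[0].strip()
    if not first or first == "*":
        return ""
    parts = first.replace("_", "-").split("-")
    lang = parts[0].lower()
    if len(parts) > 1 and len(parts[1]) == 2 and parts[1].isalpha():
        return "%s_%s" % (lang, parts[1].upper())
    return lang


def resolve_locale(accept_language, installed):
    """Lookup order from the chapter: lang_country, then lang, then en."""
    tag = first_preferred(accept_language)
    candidates = [tag, tag.split("_")[0]] if tag else []
    for candidate in candidates:
        if candidate in installed:
            return candidate
    return DEFAULT_LOCALE


if __name__ == "__main__":
    # Constructed directory listing of WEB-INF\classes after adding es and fr_CA.
    listing = ["EntrustAdminServicesResources.properties",
               "npkd-messages_en.properties", "npkd-messages_fr.properties",
               "npkd-messages_es.properties", "npkd-messages_fr_CA.properties"]
    installed = installed_locales(listing)
    print(resolve_locale("fr-CA,fr;q=0.9,en;q=0.8", installed))  # fr_CA
    print(resolve_locale("fr-FR,fr;q=0.9", installed))           # fr
    print(resolve_locale("de-DE,es;q=0.9", installed))           # en
```

The third case is the one that surprises people: a browser listing German first and Spanish second gets English, because the second preference is never consulted even though a Spanish bundle is installed.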
Adding locales to NPKD Administration
To add a locale, you must create new locale folders that contain all contents of the
default en folders, and create copies of existing files for the new locale.

To add a new locale to NPKD Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Navigate to the following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\classes
3 Create a copy of the following file:
EntrustAdminServicesResources.properties
and rename the file to
EntrustAdminServicesResources_<locale>.properties, where <locale> is
the new locale (such as es).
4 Create a copy of the following file:
npkd-messages_en.properties
and rename the file to npkd-messages_<locale>.properties, where <locale>
is the new locale (such as es).
5 Create a new locale folder (such as es) in the following location:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\ens\xsl
6 Copy all files from
<AS-install>\services\npkd\npkd\webapp\WEB-INF\ens\xsl\en
to
<AS-install>\services\npkd\npkd\webapp\WEB-INF\ens\xsl\<locale>
7 Open the following file in a text editor:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\jsp\banner.jsp
8 Under <div id="titlebarcontents">:
a Locate <span class="right" id="langSelection">. By default:
<span class="right" id="langSelection"><a href="?lang=en"
id="enLang">English</a> <a href="?lang=fr"
id="frLang">Français</a></span>
b Add a new <a href> entry for your locale. For example, adding es:
<span class="right" id="langSelection"><a href="?lang=en"
id="enLang">English</a> <a href="?lang=fr"
id="frLang">Français</a> <a href="?lang=es"
id="esLang">Español</a></span>
9 Save and close the file.
10 Restart Administration Services.
Your new locale link is now available on the NPKD Administration home page.
Before you can view your localized version of NPKD Administration, you must
translate a series of files. See “Translating NPKD Administration files” on page 726
for more information.

Translating NPKD Administration files
After creating the link for the new locale, you must translate a series of files into the
language that matches your new locale. Translate all the NPKD Administration files
listed in the following table to match your new locale.

Table 40: NPKD Administration files to translate for your new locale

File to translate: EntrustAdminServicesResources_<locale>.properties, where <locale> is the new
locale you added to NPKD Administration.
Location: <AS-install>\services\npkd\npkd\webapp\WEB-INF\classes (on the server hosting the
application server components).
Description: This file contains error messages that can be displayed in NPKD Administration.
Translate all strings for NPKDADM settings.

File to translate: npkd-messages_<locale>.properties, where <locale> is the new locale you
added to NPKD Administration.
Location: <AS-install>\services\npkd\npkd\webapp\WEB-INF\classes (on the server hosting the
application server components).
Description: This file contains strings used in NPKD Administration.

Files to translate: the NPKD Administration email notification templates.
Location: <AS-install>\services\npkd\npkd\webapp\WEB-INF\ens\xsl\<locale> (on the server
hosting the application server components).

To view your localized version of NPKD Administration


1 After translating the required files, restart Administration Services and clear your
browser cache.
2 Log in to NPKD Administration.
Your NPKD Administration locale link is available from the NPKD Administration
interface login page.

Note:
If your browser's default language is your localized language, the localized page
will appear with a link to the English page.

3 Click the locale link.


The NPKD Administration interface is now available in your localized language
setting.

Figure 20: Localized NPKD Administration page

Troubleshooting localization in NPKD Administration
When you manually integrate translated files into NPKD Administration, incorrect
page encodings may cause the pages to appear with extra white lines or cause some
characters to display in the wrong format.
To avoid these problems, you may need to add or update a few settings depending
on the new language.
The following examples provide you with some troubleshooting tips.

Translating email notification templates


When translating email notification templates for NPKD Administration, by default
the SMTP server character set is UTF-8:
<!-- SMTP Charset: The character set to use when sending messages
to the SMTP server. -->
<Charset>UTF-8</Charset>
You can find this setting in the configuration.global.xml file located on the server
hosting the application server components:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\config
In some cases you may need to update the <Charset> setting with another value.
Each locale in NPKD Administration shares the same configuration.global.xml
file. If your language requires a special character set, consider installing this locale on
a separate Administration Services instance.

HTML entities referenced by names


When referenced by name, some HTML entities may cause problems. To resolve
these problems, reference the HTML entities by number, such as the ISO 8859-1
character entity codes. For example, reference é as &#233; and not as &eacute;.

Broken JavaScript code


In some cases, the apostrophe character (') may break JavaScript code and you must
replace the character with the entity number.
For example, consider the following error string (note the apostrophes):
static final String digidErrorGeneral = "Impossible de terminer
l'opération de gestion de l'ID numérique.";
If the error string is referenced in JavaScript code, such as
alert('<%=digidErrorGeneral%>');
it results in broken JavaScript code because the apostrophe is interpreted as a closing
quote for an alert function call:
alert('Impossible de terminer l'opération de gestion de l'ID
numérique.');
The following shows how to correctly define the error string:
static final String digidErrorGeneral = "Impossible de terminer
l&#8217;opération de gestion de l&#8217;ID numérique.";
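The apostrophe and named-entity fixes described in the three troubleshooting tips above can be applied mechanically to the strings in a properties file. The following Python code is an added example, not Entrust code: it rewrites named entities as numeric ones, replaces apostrophes with &#8217; as shown above, optionally writes non-ASCII characters as numeric entities, and flags strings that would still terminate a single-quoted JavaScript literal early; it covers only the characters this section discusses, and the sample properties content is constructed.

```python
"""Numeric-entity escaping for localized NPKD Administration strings (added example; not Entrust code)."""
import re
from html.entities import name2codepoint

NAMED_ENTITY = re.compile(r"&([A-Za-z][A-Za-z0-9]*);")
APOSTROPHE_ENTITY = "&#8217;"  # the replacement the guide uses for the apostrophe


def named_to_numeric(text: str) -> str:
    """Rewrite named entities (&eacute;) as numeric ones (&#233;); unknown names are left untouched."""
    def repl(m):
        cp = name2codepoint.get(m.group(1))
        return f"&#{cp};" if cp is not None else m.group(0)
    return NAMED_ENTITY.sub(repl, text)


def escape_for_jsp(text: str, ascii_only: bool = False) -> str:
    """Replace apostrophes with &#8217; so the string can sit inside alert('<%=...%>').
    With ascii_only=True, non-ASCII characters are also written as numeric entities."""
    out = []
    for ch in named_to_numeric(text):
        if ch == "'":
            out.append(APOSTROPHE_ENTITY)
        elif ascii_only and ord(ch) > 0x7E:
            out.append(f"&#{ord(ch)};")
        else:
            out.append(ch)
    return "".join(out)


def breaks_single_quoted_js(text: str) -> bool:
    """True when embedding `text` unescaped inside alert('...') ends the literal early
    (only the apostrophe case described in this section is checked)."""
    return "'" in text


def escape_properties(text: str, ascii_only: bool = False) -> str:
    """Apply escape_for_jsp to the value part of every key=value line of a .properties file;
    comment lines (# or !) and lines without '=' are passed through unchanged."""
    fixed = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or line.lstrip().startswith(("#", "!")):
            fixed.append(line)
        else:
            fixed.append(f"{key}{sep}{escape_for_jsp(value, ascii_only)}")
    return "\n".join(fixed)


# Constructed sample: the French error string from this section as it would appear in a
# messages properties file, plus a value that uses a named entity.
SAMPLE_PROPERTIES = (
    "# constructed sample\n"
    "digidErrorGeneral=Impossible de terminer l'opération de gestion de l'ID numérique.\n"
    "cafe=caf&eacute;\n"
)

if __name__ == "__main__":
    print(escape_properties(SAMPLE_PROPERTIES))
```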

Section 7
Master List Signer section

This section provides instructions for installing a Master List Signer Services CA,
installing and configuring Administration Services, and administering master lists.
This section contains the following chapters:
• “Installing a Master List Signer Services CA” on page 733
• “Deploying the Master List Signer services” on page 737
• “Configuring the Master List Signer services” on page 785
• “Administering master lists” on page 797
• “Customizing MLS Administration” on page 875
• “Localizing MLS Administration” on page 881
• “MLS Web Service API reference” on page 889

26

Installing a Master List Signer Services CA
Before you can administer master lists, you must install a Certification Authority (CA)
for the Master List Signer services provided by Administration Services. Installing a
Master List Signer Services CA requires that you install, configure and initialize
Security Manager as a Master List Signer Services CA.

Note:
Do not confuse the Master List Signer Services CA with a Country Signing
Certification Authority (CSCA). The CSCA acts as a root of trust for e-passports
issued within its own country. The CSCA issues a credential to the Master List
Signer for signing master lists of trusted foreign CSCAs. The Master List Signer
Services CA provides profiles required to run the Master List Signer services
provided by Administration Services. For information about installing and
configuring Security Manager as a CSCA, see “Installing a Country Signing CA”
on page 95.

The Master List Signer Services CA can be the CSCA or any other CA in an e-passport
architecture.
This chapter includes the following sections:
• “Installing and configuring Security Manager” on page 734
• “Post-configuration steps” on page 735

Installing and configuring Security Manager
Before installing Security Manager, ensure that you read all preinstallation
information described in the Security Manager 8.3 Installation Guide. Ensure that
you install and configure a supported LDAP directory and database as described in
the Security Manager 8.3 Installation Guide.
When using the countryName (c=) directory attribute to specify a two-letter country
code, the two-letter country code must be in uppercase characters to meet the ISO
3166 standard.

Note:
Microsoft Active Directory is not supported for a Master List Signer Services CA.

Install, configure, and initialize Security Manager according to the instructions in
the Security Manager 8.3 Installation Guide. After installing and configuring Security
Manager, proceed to “Post-configuration steps” on page 735.

Post-configuration steps
After configuring your Master List Signer Services CA, you must perform the
following steps:
1 Initialize Security Manager.
For more information about initializing Security Manager, see the Security
Manager 8.3 Installation Guide.
2 Install the latest Security Manager patches.
3 Install Security Manager Administration.
Security Manager Administration is the graphical interface for Security Manager.
Install Security Manager Administration according to the instructions in the
Security Manager Administration User Guide.
4 Deploy Administration Services (see “Deploying the Master List Signer services”
on page 737).
Administration Services provides Web-based services for managing a Master List
Signer.

27

Deploying the Master List Signer services
This chapter describes how to deploy the Master List Signer services provided by
Entrust Authority Administration Services: the MLS Web Service and MLS
Administration. The Master List Services provide Web-based administration
applications that allow you to administer master lists of trusted CSCAs.
The MLS Web Service is a Web service designed to create, sign, and retrieve master
lists of trusted foreign CSCAs.
MLS Administration is a Web-based interface for administering a Master List Signer.
Master List Signer administrators use MLS Administration to view and update
domestic master lists of trusted foreign CSCAs, and to view and upload foreign
master lists.
This chapter includes the following sections:
• “Deployment overview” on page 739
• “Synchronizing Administration Services and Security Manager time settings”
on page 740
• “Creating Master List Server credentials” on page 741
• “Creating Master List Client credentials” on page 744
• “Checking the entrust.ini file” on page 747
• “Obtaining files from the CSCA for the Master List Signer services” on
page 749
• “Obtaining files from the PKD Writer” on page 750
• “Installing the Master List Signer services” on page 751
• “Configuring Master List Signer authentication to a directory without
anonymous access” on page 772

• “Configuring Master List Server authentication to a directory without
anonymous access” on page 774
• “Configuring Master List Signer administrators for PKCS #12 enrollment” on
page 776
• “Creating an ePassport Auditor certificate type” on page 777
• “Creating Master List Signer administrators” on page 779
• “Testing MLS Administration” on page 784

Deployment overview
Deploying Administration Services for a Master List Signer includes the following
steps. Each step is described in further detail in this chapter.
1 Review the list of supported operating systems, Web servers, and Web browsers in
the Entrust Authority Administration Services Release Notes. The most recent
Release Notes are posted on Entrust Datacard TrustedCare.
2 Synchronize the application server and Security Manager Certification Authority
time setting (see “Synchronizing Administration Services and Security Manager
time settings” on page 740).
3 Create Entrust profiles for Administration Services:
• “Creating Master List Server credentials” on page 741
• “Creating Master List Client credentials” on page 744
4 Check the settings in the entrust.ini file (see “Checking the entrust.ini file” on
page 747).
5 Obtain files from the CSCA that are required to install the Master List Signer
services (see “Obtaining files from the CSCA for the Master List Signer services”
on page 749).
6 Install the Master List Signer services (see “Installing the Master List Signer
services” on page 751).
7 If the Security Manager directory does not allow anonymous authentication, you
must configure authentication to the directory:
• “Configuring Master List Signer authentication to a directory without
anonymous access” on page 772
• “Configuring Master List Server authentication to a directory without
anonymous access” on page 774
8 Configure Master List Signer administrators for PKCS #12 enrollment (see
“Configuring Master List Signer administrators for PKCS #12 enrollment” on
page 776).
To create the Master List Signer administrator credentials as a PKCS #12 security
store, the client policy (user policy) assigned to Master List Signer administrators
must allow PKCS #12 export.
9 Create a user entry in Security Manager for each Master List Signer administrator
(see “Creating Master List Signer administrators” on page 779).
10 Test Administration Services (see “Testing MLS Administration” on page 784).

Synchronizing Administration Services and Security Manager time settings
Before or after installing Security Manager and Administration Services, you must
synchronize the time settings on all machines. The Timestamp servlet marks all client
browser messages with a time stamp. The local clock on the Administration Services
machine provides the time stamp for the Timestamp servlet.
The Timestamp servlet component of Administration Services requires all machines to
have synchronized time settings, within a five minute window. If Security Manager
and Administration Services time settings are greater than five minutes apart, the
following message may appear:
The XAP message has an expired timestamp. The message contained a
timestamp that was outside the server’s acceptance window. Make
sure that the source used to obtain message timestamps is
synchronized with the server’s time.
You can use Network Time client applications (or another method approved by your
organization) to synchronize the time settings of Security Manager and all
Administration Services machines to within a five minute time window.

Creating Master List Server credentials
Before installing Administration Services, you must create a Master List Server profile.
The Master List Server profile secures SSL connections with clients. The
Administration Services installer will prompt you for this profile.
For details about creating Master List Server profiles, see the following topics:
• “Creating a user entry for a Master List Server profile” on page 741
• “Creating a Master List Server profile” on page 742
• “Updating Master List Server profile keys” on page 743

Creating a user entry for a Master List Server profile


You must create a user entry in Security Manager for the Master List Server profile.
You can use Security Manager Administration to create a user entry for the Master
List Server profile.
For more information about creating users with Security Manager Administration, see
the Security Manager Administration User Guide.

To create a user entry for the Master List Server profile using Security Manager Administration
1 Log in to Security Manager Administration for the Master List Signer Services CA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
d Ensure that the Create profile check box is not checked.
4 Click the General tab.
5 From the Role drop-down list, select Server Login.
6 Select the Certificate Info tab, and then complete the following:
a In the Category drop-down list, select Enterprise.
b Under Certificate Type, select Default.
7 Click OK.
8 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
The Operation Completed Successfully message appears, which displays the
reference number and authorization code.
Record these activation codes in a secure manner, as they are required later to
create and activate the user’s Entrust digital ID.
For more details on how the registration number and authorization codes are
used, see the Security Manager Administration User Guide.
9 You must add the host name of the server hosting the Administration Services
application server to the user entry:
a In the right pane, select the user you just created and then select Users >
Selected User > Properties.
b Click the SubjectAltName tab.
c Click Add.
The Add subjectAltName component dialog box appears.
d In the Select component name list, select DNS Name.
e In the Enter component value field, enter the Fully Qualified Domain Name
(FQDN) of the server hosting the Administration Services application server
(for example, appserver.example.com).
f Click OK to add the DNS name and close the Add subjectAltName
component dialog box.
g Click OK to save the changes.
h If prompted, authorize the operation. The operation may require more than
one authorization. See the Security Manager Administration User Guide for
details.
You have now created the user entry for the Master List Server profile. Proceed
to “Creating a Master List Server profile” on page 742.

Creating a Master List Server profile


The Master List Server profile can be stored on software (as an EPF file) or on a
hardware security module. You can use one of the following applications to create the
Master List Server profile:
• Profile Creation Utility
The Profile Creation Utility can create the profile on software or hardware.
For instructions, see the Administration Services Installation Guide.
• Security Manager Administration
When using Security Manager Administration to create the profile, you must
create the profile on software. For instructions, see the following procedure.

To create a Master List Server profile using Security Manager Administration


1 Create a user entry for the Master List Server profile (see “Creating a user entry
for a Master List Server profile” on page 741).
2 In the right pane, select the user entry you just created and then select Users >
Selected User > Create Profile.
The Create profile dialog box appears.
3 Click Create desktop profile.
4 In the Name field, enter the file name for the Master List Server profile. Security
Manager Administration will append the .epf extension to the file name.
5 Click Browse to select a folder where you want to save the Master List Server
profile.
6 In the Password and Confirm fields, enter a password for the Master List Server
profile.
7 Click OK.
You can now use this Master List Server profile with Administration Services. You
need the Master List Server profile, the profile password, and the profile location
when you install Administration Services.

Updating Master List Server profile keys


It is not recommended that you copy profiles to other servers. If you do copy a profile,
and the profile keys are updated at one server, copy the updated profile file to each
server.
Keys are updated only on Administration Services start up. You may have to schedule
server restarts periodically with a frequency that corresponds to the configured
certificate lifetime.

Creating Master List Client credentials
The Master List Client profile is an SSL client profile, used by client applications for
accessing the Master List Signer Web Service. The Administration Services installer
will not prompt you for this profile. Creating Master List Client profiles is optional.
For details about creating Master List Client profiles, see the following topics:
• “Creating a user entry for a Master List Client profile” on page 744
• “Creating a Master List Client profile” on page 745
• “Updating Master List Client profile keys” on page 746

Creating a user entry for a Master List Client profile


You must create a user entry in Security Manager for the Master List Client profile.
You can use Security Manager Administration to create a user entry for the Master
List Client profile.
For more information about creating users with Security Manager Administration, see
the Security Manager Administration User Guide.

To create a user entry for the Master List Client profile using Security Manager Administration
1 Log in to Security Manager Administration for the Master List Signer Services CA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
4 Click the General tab.
5 From the Role drop-down list, select Server Login.
6 Select the Certificate Info tab, and then complete the following:
a In the Category drop-down list, select Enterprise.
b Under Certificate Type, select ePassport - Master List Signer Administrator.
7 Click OK.
8 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
The Operation Completed Successfully message appears, which displays the
reference number and authorization code. Record these activation codes in a
secure manner, as they are required later to create and activate the user’s Entrust
digital ID. For more details on how the registration number and authorization
codes are used, see the Security Manager Administration User Guide.
You have now created the user entry for the Master List Client profile. Proceed
to “Creating a Master List Client profile” on page 745.

Creating a Master List Client profile


You must store Master List Client profiles on software (as an EPF file); you cannot
store Master List Client profiles on hardware. You can use one of the following
applications to create the Master List Client profile:
• Profile Creation Utility
The Profile Creation Utility can create the profile on software or hardware.
For instructions, see the Administration Services Installation Guide.
• Security Manager Administration
When using Security Manager Administration to create the profile, you must
create the profile on software. For instructions, see the following procedure.

To create a Master List Client profile using Security Manager Administration


1 Create a user entry for the Master List Client profile (see “Creating a user entry
for a Master List Client profile” on page 744), then in the right pane, select the user
entry you just created and select Users > Selected User > Create Profile.
The Create profile dialog box appears.
2 Click Create desktop profile.
3 In the Name field, enter the file name for the Master List Client profile. Security
Manager Administration will append the .epf extension to the file name.
4 Click Browse to select a folder where you want to save the Master List Client
profile.
5 In the Password and Confirm fields, enter a password for the Master List Client
profile.
6 Click OK.

Updating Master List Client profile keys
It is not recommended that you copy profiles to other servers. If you do copy a profile,
and the profile keys are updated at one server, copy the updated profile file to each
server.
Keys are updated only on Administration Services start up. You may have to schedule
server restarts periodically with a frequency that corresponds to the configured
certificate lifetime.

Checking the entrust.ini file
Obtain a copy of the entrust.ini file and Master List Server profile from a Security
Manager administrator.
Copy the entrust.ini file and the profiles to each machine hosting the Master List
Signer services. Note the location of these files. You will enter the path to these files
when you install Administration Services.
Complete the following instructions to ensure the entrust.ini file is properly copied
and configured for Administration Services.

To check the entrust.ini file settings


1 Open the entrust.ini file in a text editor.
2 Ensure that the file contains the following lines:
• Server=<directory_machine>+<port>
Where:
– <directory_machine> is the IPv4 address or DNS of the machine hosting
the directory.
– <port> is the LDAP port. The default port is 389.
For example:
Server=ldap.example.com+389
• Authority=<Security_Manager_machine>+<port>
Where:
– <Security_Manager_Machine> is the IPv4 address or DNS of the machine
hosting Security Manager.
– <port> is the PKIX-CMP port used by Security Manager. The default port
is 829.
For example:
Authority=securitymanager.example.com+829
• XAP=<XAP_server>+<port>
Where:
– <XAP_server> is the IPv4 address or DNS of the XAP server.
– <port> is the port used by the XAP server. The default port is 443 or 1443.
For example:
XAP=securitymanager.example.com+1443
• CA Distinguished Name=<DN_of_CA>
Where <DN_of_CA> is the distinguished name of the Certification Authority.
For example:
CA Distinguished Name=ou=CA Entry,o=Example,c=US
• SearchBase=<DN_of_searchbase>
Where <DN_of_searchbase> is the distinguished name of the default
searchbase. For example:
SearchBase=ou=CA Entry,o=Example,c=US
3 If you are using a PKCS #11 v2 hardware device, ensure that the file contains the
following line in the [Entrust Settings] section:
CryptokiV2LibraryNT=<pkcs11 library path>
Where <pkcs11 library path> is the full path to the location of the PKCS #11
library. For example:
CryptokiV2LibraryNT=C:\Program Files\vendor1\device1.dll
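The checks in the procedure above can be automated before Administration Services is installed. The following Python code is an added example, not an Entrust tool: it parses an entrust.ini, verifies that the listed settings are present and use the <host>+<port> form, reports ports that differ from the defaults given above, checks that the country code in the distinguished names is two uppercase letters (ISO 3166), and, for a PKCS #11 v2 device, that CryptokiV2LibraryNT is present in [Entrust Settings]. The sample files are constructed from the example values above, and the assumption that these keys are found under [Entrust Settings] is noted in the code.

```python
"""Sanity checks for an entrust.ini copied to a Master List Signer server (added example; not Entrust code)."""
import re

HOST_PORT = re.compile(r"^(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*)\+(?P<port>\d{1,5})$")
# Default ports given in the guide for each <host>+<port> setting.
DEFAULT_PORTS = {"Server": {389}, "Authority": {829}, "XAP": {443, 1443}}
REQUIRED_KEYS = ("Server", "Authority", "XAP", "CA Distinguished Name", "SearchBase")
# Matches the value of every c= RDN in a comma-separated DN (case-insensitive on the attribute).
COUNTRY_RDN = re.compile(r"(?:^|,)\s*c=([^,]*)", re.IGNORECASE)


def parse_ini(text: str) -> dict:
    """Minimal INI reader: {section: {key: value}}; keys keep spaces, values keep '=' characters."""
    sections, current = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def check_entrust_ini(text: str, pkcs11_hardware: bool = False) -> list:
    """Return (level, message) findings; an empty list means every check passed."""
    sections = parse_ini(text)
    # Assumption: the keys the guide lists live in [Entrust Settings]; all sections are searched
    # so a file that places them elsewhere is still checked rather than reported as empty.
    settings = {k: v for sec in sections.values() for k, v in sec.items()}
    findings = []
    for key in REQUIRED_KEYS:
        if key not in settings:
            findings.append(("error", f"{key}: missing"))
    for key in ("Server", "Authority", "XAP"):
        value = settings.get(key)
        if value is None:
            continue
        m = HOST_PORT.match(value)
        if not m:
            findings.append(("error", f"{key}: expected <host>+<port>, got {value!r}"))
            continue
        port = int(m.group("port"))
        if not 1 <= port <= 65535:
            findings.append(("error", f"{key}: port {port} is out of range"))
        elif port not in DEFAULT_PORTS[key]:
            findings.append(("info", f"{key}: port {port} differs from the defaults {sorted(DEFAULT_PORTS[key])}"))
    for key in ("CA Distinguished Name", "SearchBase"):
        dn = settings.get(key)
        if dn is None:
            continue
        for cc in COUNTRY_RDN.findall(dn):
            if not (len(cc) == 2 and cc.isalpha() and cc.isupper()):
                findings.append(("error", f"{key}: country code {cc!r} must be two uppercase letters (ISO 3166)"))
    if pkcs11_hardware and "CryptokiV2LibraryNT" not in sections.get("Entrust Settings", {}):
        findings.append(("error", "CryptokiV2LibraryNT: missing from [Entrust Settings] (required for a PKCS #11 v2 device)"))
    return findings


# Constructed sample built from the example values in this procedure.
GOOD_INI = """[Entrust Settings]
Server=ldap.example.com+389
Authority=securitymanager.example.com+829
XAP=securitymanager.example.com+1443
CA Distinguished Name=ou=CA Entry,o=Example,c=US
SearchBase=ou=CA Entry,o=Example,c=US
CryptokiV2LibraryNT=C:\\Program Files\\vendor1\\device1.dll
"""

# Constructed sample with defects: no port on Server, lowercase country codes, no XAP line.
BAD_INI = """[Entrust Settings]
Server=ldap.example.com
Authority=securitymanager.example.com+829
CA Distinguished Name=ou=CA Entry,o=Example,c=us
SearchBase=ou=CA Entry,o=Example,c=us
"""

if __name__ == "__main__":
    for level, message in check_entrust_ini(BAD_INI):
        print(f"{level}: {message}")
```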

Obtaining files from the CSCA for the Master List Signer services
When installing Administration Services for a Master List Signer, the Administration
Services installer will prompt you for files provided from your domestic CSCA.
If your CSCA is a Security Manager CA, obtain the following files from a CSCA
administrator:
• if the CSCA is online, the CSCA entrust.ini file
It is recommended that you rename this file to csca_entrust.ini to avoid
confusing it with the entrust.ini file provided from the Master List Signer
Services CA.
• the Master List Signer profile
For information about creating the Master List Signer profile at the CSCA,
see “Creating Master List Signer credentials” on page 148. The Master List
Signer profile can be an EPF file stored on the local file system, an EPF file
stored on a hardware device, or a PKCS #12 file (P12 or PFX file) stored on
the local file system.
If the profile is stored on a hardware device, you must create Server Login
credentials (UAL file) for the profile on the server hosting Administration
Services. You can create Server Login credentials using the Profile Creation
Utility (see the Administration Services Installation Guide).
The CSCA must be online if the Master List Signer profile is an EPF file.
If your CSCA is a third-party CA, obtain the following files from a CSCA administrator:
• the CSCA root certificate
• the Master List Signer profile
The Master List Signer profile can be a PKCS #12 file (P12 or PFX file)
stored on the local file system, or a PKCS #12 file stored on hardware.
If the profile is stored on hardware, you must create Server Login credentials
(UAL file) for the profile on the server hosting Administration Services. You
can create Server Login credentials using the Profile Creation Utility (see the
Administration Services Installation Guide).

Obtaining files from the PKD Writer
The PKD Writer Web service writes master lists, CRLs, and Document Signer
certificates to the ICAO PKD. The PKD Writer Web service also records and maintains
a history of the materials that have been uploaded. The PKD Writer Web Service
supports a GUI extension in MLS Administration that displays the status of CSCA
materials uploaded to the ICAO PKD.
When installing the Master List Signer services, the Administration Services installer
will ask if you want to enable the display of the CSCA materials upload status. This is
the GUI extension supported by the PKD Writer Web Service.
To support the GUI extension that allows the MLS Administration interface to display
the upload status of CSCA materials in the ICAO PKD, the Administration Services
installer will prompt you for information provided from the PKD Writer.
Obtain the following files and information from a PKD Writer administrator:
• the PKD Writer Web Service URL
The URL for the PKD Writer Web Service is
https://<server>:<port>/pkdwriter/services/PkdwwsService, where:
– <server> is the host name or IPv4 address of the server hosting the PKD
Writer Web Service.
– <port> is the SSL port for the PKD Writer Web Service (by default 443 or
13443).
• a PKD Writer Client profile
For information about creating the PKD Writer Client profile at the PKD
Writer Services CA, see “Creating PKD Writer Client credentials” on
page 312. The PKD Writer Client profile is an EPF file stored on the local file
system.

Installing the Master List Signer services
This section describes how to install the Master List Signer services on supported
Windows operating systems. The Master List Signer services are supported only on
Windows.
When installing Administration Services, you can install both the Web server
components and application server components on a single server, or you can install
the components on separate servers.
• Installing Administration Services on a single server installs both the Web
server components and application server components on the same server.
It is strongly recommended that you do not install Administration Services on
a single server in a production environment, especially if your deployment is
exposed to the Internet. You should only install Administration Services on a
single server for testing purposes.
• Installing Administration Services on separate servers allows you to install the
application server components on one server, and the Web server
components on the server hosting your Web server.
Installing the components on separate servers is more secure than installing
them on the same server. When installing the components on separate
servers, you must select the same services for each server. Note that some
services do not have Web server components.
When you add service instances, you will install the same components (Web server
components, application server components, or both) as you installed on the server
previously. If you install services on separate servers, add the same instances to both
servers. Note that some services do not have Web server components.
The Master List Signer services consist of only application server components.

To install Master List Signer application server components on Windows


1 Install Administration Services 9.3. See the Administration Services 9.3
Installation Guide for instructions. When installing Administration Services:
a Select the Distributed installation type to install the application server
components and Web server components on separate servers.
b Select Application Server to install the application server components.
2 Configure Administration Services for the first time. See the Administration
Services 9.3 Installation Guide for instructions.
3 If Administration Services is already installed, stop the Administration Services
application server (Apache Tomcat).
4 Double-click the Administration Services installer.

5 The Administration Services Installer - Configuration page appears.

Click Next to continue.

6 The Configured Services page appears.

This page lists all configured services (if any). Click Next to add a new service.

7 If you have not yet configured centralized configuration, the Centralized
Configuration Settings page appears.

a Click Do Not Install Centralized Configuration. The ePassport services do
not use centralized configuration.
b Click Next.

8 The Select Services To Configure page appears.

a Select ePassport Services.
b Select Master List Signer (MLS).
c Click Next to continue.

9 The SSL/TLS Ports for MLS page appears.

a In the SSL/TLS Port Number for MLS Web Service field, enter the SSL port
number for the MLS Web Service (by default 443 or 10443).
b In the SSL/TLS Port Number for MLS Administration field, enter the SSL port
number for MLS Administration (by default 11443).
c Click Next.

10 The MLS Administration CA Entrust.ini Location page appears.

a In the text field, enter the full path and file name of the entrust.ini file
from the Entrust CA that issued the Master List Server profile, or click Choose
to locate the file.
b Click Next to continue.

11 If the entrust.ini file includes a setting specifying the full path to a valid
PKCS#11 library, the Select MLS Server Profile Type page appears.

a Select one of the following options:
– If the Master List Server profile is an EPF file stored on the local file system,
select Software Profile.
– If the Master List Server profile is stored on hardware, select Hardware
Token.
b Click Next.

12 If the Master List Server profile is a software profile, the MLS Server Profile page
appears.

a In the Enter the location of the MLS Server Profile field, click Choose to
locate and select the Master List Server profile (EPF file).
b In the Enter the Password to login to your MLS Server Profile field, enter the
password for the EPF file.
c Click Next.

13 If the Master List Server profile is a hardware profile, the MLS Server Hardware
Token Profile page appears.

a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the Master List Server profile.
b In the Enter the Password to login to your MLS Server Profile field, enter the
password for the profile.
c Click Next.

14 The MLS Signer Credentials page appears.

a If your Master List Signer profile is an Entrust profile stored on software or
hardware:
– Select Entrust Profile On Software (EPF) Or Hardware.
– In the Enter the location of the entrust.ini file from the MLS Signer CA
(CSCA) field, enter the full path and file name of the entrust.ini file from
your CSCA, or click Choose to locate the file.
b If your Master List Signer profile is a PKCS #12 file (PFX or P12 file) on
software, select PKCS 12 Profile.
c If your Master List Signer profile was issued by a third-party CSCA and stored
on hardware:
– Select Token Profile On Hardware.
– In the Enter The Hardware Library For The Token Profile field, click Choose
to locate and select the library file for the hardware device.
d Click Next to continue.
If the profile is an Entrust profile on hardware or software, proceed to the next
step.
If the profile is a PKCS #12 file on software, proceed to Step 18 on page 765.
If the profile is third-party profile on hardware, proceed to Step 19 on page 766.

15 If the entrust.ini file includes a setting specifying the full path to a valid
PKCS#11 library, the Select MLS Signer Profile Type page appears.

a Select one of the following options:
– If the Master List Signer profile is an EPF file stored on the local file system,
select Software Profile.
– If the Master List Signer profile is stored on hardware, select Hardware
Token.
b Click Next.

16 If the Master List Signer profile is a software profile, the MLS Signer Profile page
appears.

a In the Enter the location of the MLS Signer Profile field, click Choose to
locate and select the Master List Signer profile (EPF file).
b In the Enter the Password to login to your MLS Signer Profile field, enter the
password for the EPF file.
c Click Next.

17 If the Master List Signer profile is a hardware profile, the MLS Signer Hardware
Token Profile page appears.

a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the Master List Signer profile.
b In the Enter the Password to login to your MLS Signer Profile field, enter the
password for the profile.
c Click Next.
Proceed to Step 20 on page 767.

18 If your Master List Signer profile is a PKCS #12 file (P12 or PFX file) on the local
file system, the MLS Signer PKCS 12 Profile page appears.

a In the Enter the location of the MLS Signer PKCS 12 Profile field, enter the
full path and file name of the Master List Signer PKCS #12 file (PFX or P12
file), or click Choose to locate the file.
b In the Enter the Password login to your MLS Signer PKCS 12 Profile field,
enter the password for the file.
c In the Enter the Location of the CSCA Root Certificate File field, enter the
full path and file name of the CSCA certificate file, or click Choose to locate
the file.
d Click Next to continue.
Proceed to Step 20 on page 767.

19 If your Master List Signer profile was issued by a third-party CSCA and stored on
hardware, the MLS Signer Token Profile page appears.

a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the Master List Signer profile.
b In the Enter the Password to login to your MLS Signer Token Profile field,
enter the password for the profile.
c In the Enter the Location of the CSCA Root Certificate File field, enter the
full path and file name of the CSCA certificate file, or click Choose to locate
the file.
d Click Next to continue.

20 The CSCA Materials Upload Information page appears.

The PKD Writer Web Service records and maintains a history of the materials that
have been uploaded to the ICAO PKD. MLS Administration can connect to the
PKD Writer Web Service to display the status of CSCA materials uploaded to the
ICAO PKD.
a To enable the GUI extension in MLS Administration to display the status of
CSCA materials uploaded to the ICAO PKD, select Enable the display of the
CSCA materials upload status. By default, this option is selected.
To disable the GUI extension in MLS Administration, deselect Enable the
display of the CSCA materials upload status.
b If you selected Enable the display of the CSCA materials upload status:
– In the PKD Writer Web Service URL field, enter the URL for the PKD Writer
Web Service.
The URL for the PKD Writer Web Service is
https://<server>:<port>/pkdwriter/services/PkdwwsService
where <server> is the host name or IPv4 address of the server hosting the
PKD Writer Web Service, and <port> is the SSL port for the PKD Writer
Web Service (by default 443 or 13443).

– In the Enter the location of the PKD Writer Profile field, enter the full path
and file name of the PKD Writer Client profile, or click Choose to locate the
profile.
– In the Enter the Password to login to your PKD Writer Profile field, enter
the password for the profile.
c Click Next to continue.
21 The MLS Configuration page appears with a summary of your installation
selections. For example:

a Check all your settings.
If you need to change anything, click Previous to return to that page and
make your changes.
b Select Configure to configure the service instance.
c Click Next to proceed with the installation.

22 After the installation is complete, the MLS Configuration Status page appears.
For example:

a If the installation is unsuccessful, a dialog box displays errors. See the
Administration Services Configuration Guide for possible solutions, or
contact Entrust Customer Support.
b Click Next.

23 The Configuration Complete page appears.

a Select one of the following options:
– If you are finished adding services, select End Configuration Program.
– If you want to add additional services, select Return to Configure Services.
b Click Next.

24 The Start The Service Automatically page appears.

a To use the service you just installed, you must restart the Administration
Services application server.
– To start the service automatically after exiting the installer, select Start the
service automatically. By default, this option is already selected.
– To not start the service after exiting the installer, deselect Start the service
automatically. You must manually restart Administration Services to use the
new service.
b Click Next.
You can find the URLs to all installed services in the <AS-install>/services.txt
file.

Configuring Master List Signer authentication to a directory without anonymous access
The following procedure explains how to configure the Master List Signer profile to
authenticate to the Security Manager directory when anonymous access is disabled.
The Master List Signer profile is the profile provided by the CSCA.
The Java Naming and Directory Interface (JNDI) credentials are used for accessing the
Security Manager directory when anonymous bind is not available (for example, the
default setting in Active Directory). When anonymous bind is not available, edit the
Security Manager Directory credentials in the mls-config.xml file.

To configure directory access credentials


1 Log in to the server hosting the Master List Signer services.
The Master List Signer services are installed on a server hosting the
Administration Services application server components.
2 Open the mls-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\mls\mls\webapp\WEB-INF\config
3 Locate the <MLSCredentials> section:
<MLSCredentials>
  <Epf>c:\authdata\manager\epf\MLS.epf</Epf>
  <Ual></Ual>
  <Pkcs11Library></Pkcs11Library>
  <Pkcs11Slot></Pkcs11Slot>
  <Pkcs12File></Pkcs12File>
  <!-- P12 password is encrypted and bound to the hardware
  using UAL, stored in the Ual setting.
  If manual change is required this password should be
  initially entered in plaintext.
  When service starts, the password will be encrypted and
  bound to the hardware using the UAL capabilities and
  stored to a file. The plaintext password in this
  configuration file will be removed -->
  <Pkcs12Pwd></Pkcs12Pwd>
  <!-- entrust.ini from CSCA CA -->
  <EntrustIni>c:\authdata\manager\entrust.ini</EntrustIni>
  <!-- Security Manager Directory credentials
  - for environments where anonymous bind is not available
  (e.g. default Active Directory)
  These are the Java Naming and Directory Interface (JNDI)
  credentials that are used for accessing the Security Manager
  directory when anonymous bind is not available.
  If any of these parameters are blank, then anonymous bind is
  used. -->
  <JndiAuthentication>simple</JndiAuthentication>
  <JndiPrincipal></JndiPrincipal>
  <!-- The JNDI credentials/password - initially entered in
  plaintext.
  When service starts, the password will be encrypted and
  bound to the hardware using the Unattended Login UAL
  capabilities of the Entrust Java Toolkit and stored to a
  file.
  The plaintext password in this configuration file will be
  replaced by the phrase: "{Password protected by Entrust
  Unattended Login}".
  Subsequent starts of the service will extract the password
  from the previously created UAL file.
  -->
  <JndiCredentials></JndiCredentials>
</MLSCredentials>
4 For the value of <JndiPrincipal>, enter the JNDI Principal that the Master List
Signer profile will use to connect to the directory. For example:
<JndiPrincipal>admin@example.com</JndiPrincipal>
A JNDI Principal is a directory user that can log in to the directory, typically a
directory administrator. Examples include DOMAIN\Administrator,
Administrator@example.com, and cn=Administrator,c=US.
5 For the value of <JndiCredentials>, enter the password for the JNDI Principal.
For example:
<JndiCredentials>Example@1234</JndiCredentials>
When you restart Administration Services, Administration Services will encrypt
the password in the UAL file. Administration Services will replace the password
in the mls-config.xml file with the phrase “{Password protected by Entrust
Unattended Login}”.
6 Save and close the file.
7 Restart Administration Services.

Configuring Master List Server authentication to a directory without anonymous access
The following procedure explains how to configure the Master List Server profile to
authenticate to the Security Manager directory when anonymous access is disabled.
The Java Naming and Directory Interface (JNDI) credentials are used for accessing the
Security Manager directory when anonymous bind is not available (for example, the
default setting in Active Directory). When anonymous bind is not available, edit the
Security Manager Directory credentials in the mls-config.xml file.

To configure directory access credentials


1 Log in to the server hosting the Master List Signer services.
The Master List Signer services are installed on a server hosting the
Administration Services application server components.
2 Open the mls-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\mls\mls\webapp\WEB-INF\config
3 Locate the <MLSServerCredentials> section:
<MLSServerCredentials>
  <Epf>c:\authdata\manager\epf\ML Server.epf</Epf>
  <Ual></Ual>
  <Pkcs11Library></Pkcs11Library>
  <Pkcs11Slot></Pkcs11Slot>
  <!-- entrust.ini from MLS CA CA -->
  <EntrustIni>c:\authdata\manager\entrust.ini</EntrustIni>
  <!-- Security Manager Directory credentials
  - for environments where anonymous bind is not available
  (e.g. default Active Directory)
  These are the Java Naming and Directory Interface (JNDI)
  credentials that are used for accessing the Security Manager
  directory when anonymous bind is not available.
  If any of these parameters are blank, then anonymous bind is
  used. -->
  <JndiAuthentication>simple</JndiAuthentication>
  <JndiPrincipal></JndiPrincipal>
  <!-- The JNDI credentials/password - initially entered in
  plaintext.
  When service starts, the password will be encrypted and
  bound to the hardware using the Unattended Login UAL
  capabilities of the Entrust Java Toolkit and stored to a
  file.
  The plaintext password in this configuration file will be
  replaced by the phrase: "{Password protected by Entrust
  Unattended Login}".
  Subsequent starts of the service will extract the password
  from the previously created UAL file.
  -->
  <JndiCredentials></JndiCredentials>
</MLSServerCredentials>
4 For the value of <JndiPrincipal>, enter the JNDI Principal that the Master List
Server will use to connect to the directory. For example:
<JndiPrincipal>admin@example.com</JndiPrincipal>
A JNDI Principal is a directory user that can log in to the directory, typically a
directory administrator. Examples include DOMAIN\Administrator,
Administrator@example.com, and cn=Administrator,c=US.
5 For the value of <JndiCredentials>, enter the password for the JNDI Principal.
For example:
<JndiCredentials>Example@1234</JndiCredentials>
When you restart Administration Services, Administration Services will encrypt
the password in the UAL file. Administration Services will replace the password
in the mls-config.xml file with the phrase “{Password protected by Entrust
Unattended Login}”.
6 Save and close the file.
7 Restart Administration Services.
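Both of the preceding procedures (the <MLSCredentials> section for the Master List Signer profile and the <MLSServerCredentials> section for the Master List Server profile) rely on the same behaviour: a blank JNDI parameter silently falls back to anonymous bind, and the plaintext password you type is only scrubbed from mls-config.xml once Administration Services has restarted. The following Python script is an added example, not part of this guide or of the Entrust product; it reads a copy of mls-config.xml and reports, per credentials section, whether anonymous bind would be used, whether a plaintext secret is still in the file, and whether a principal has been pasted into <JndiAuthentication> instead of <JndiPrincipal>. The root element name <MLSConfig> and all sample values are constructed for the example; to check a real server, read the file from the folder given in step 2 and pass its contents to check_credentials().

```python
# Added example (not from the Entrust guide): a post-restart hygiene check for
# the credential sections of mls-config.xml. The root element name <MLSConfig>
# and the sample values are constructed for this example.
import xml.etree.ElementTree as ET

# Phrase the guide says replaces the JNDI password after a restart.
UAL_PLACEHOLDER = "{Password protected by Entrust Unattended Login}"
CREDENTIAL_SECTIONS = ("MLSCredentials", "MLSServerCredentials")

# Constructed sample: the signer section has already been scrubbed by a
# restart; the server section still carries the password typed in plaintext.
SAMPLE_CONFIG = r"""<MLSConfig>
  <MLSCredentials>
    <Epf>c:\authdata\manager\epf\MLS.epf</Epf>
    <Pkcs12File></Pkcs12File>
    <Pkcs12Pwd></Pkcs12Pwd>
    <JndiAuthentication>simple</JndiAuthentication>
    <JndiPrincipal>admin@example.com</JndiPrincipal>
    <JndiCredentials>{Password protected by Entrust Unattended Login}</JndiCredentials>
  </MLSCredentials>
  <MLSServerCredentials>
    <Epf>c:\authdata\manager\epf\ML Server.epf</Epf>
    <JndiAuthentication>simple</JndiAuthentication>
    <JndiPrincipal>admin@example.com</JndiPrincipal>
    <JndiCredentials>Example@1234</JndiCredentials>
  </MLSServerCredentials>
</MLSConfig>
"""


def _text(section, tag):
    """Return the stripped text of a child element, or '' if absent or empty."""
    child = section.find(tag)
    return (child.text or "").strip() if child is not None else ""


def check_credentials(xml_text):
    """Inspect each credentials section and return {section_name: findings}.

    anonymous_bind   - True when any JNDI parameter is blank (the config
                       comments say anonymous bind is then used).
    plaintext_fields - secrets still in the file in the clear: a JndiCredentials
                       value other than the UAL placeholder, or a non-empty
                       Pkcs12Pwd (the guide says it is removed once the
                       service has started).
    warnings         - a JndiAuthentication value other than "simple", which
                       usually means a principal landed in the wrong element.
    """
    root = ET.fromstring(xml_text)
    findings = {}
    for section in root.iter():
        if section.tag not in CREDENTIAL_SECTIONS:
            continue
        auth = _text(section, "JndiAuthentication")
        principal = _text(section, "JndiPrincipal")
        creds = _text(section, "JndiCredentials")
        pkcs12_pwd = _text(section, "Pkcs12Pwd")

        plaintext = []
        if creds and creds != UAL_PLACEHOLDER:
            plaintext.append("JndiCredentials")
        if pkcs12_pwd:
            plaintext.append("Pkcs12Pwd")

        warnings = []
        # "simple" is the only JndiAuthentication value the guide shows.
        if auth and auth != "simple":
            warnings.append(f"JndiAuthentication is {auth!r}; expected 'simple' "
                            "(the principal belongs in <JndiPrincipal>)")

        findings[section.tag] = {
            "anonymous_bind": not (auth and principal and creds),
            "plaintext_fields": plaintext,
            "warnings": warnings,
        }
    return findings


def report(findings):
    """Render findings as one line per section for a console run."""
    lines = []
    for name, f in findings.items():
        bind = "anonymous bind" if f["anonymous_bind"] else "authenticated bind"
        leak = ", ".join(f["plaintext_fields"]) or "none"
        extra = f"; warnings: {'; '.join(f['warnings'])}" if f["warnings"] else ""
        lines.append(f"{name}: {bind}; plaintext secrets: {leak}{extra}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(check_credentials(SAMPLE_CONFIG)))
```

Run it once before the restart (expect the plaintext password to be reported) and once after (expect none); a password that is still reported after the restart means the service did not start successfully and the UAL file was never written. The script treats any non-empty Pkcs12Pwd as plaintext because the guide says that value is removed, not replaced, after the service starts.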

Configuring Master List Signer administrators for PKCS #12 enrollment
To access the MLS Administration interface, Master List Signer administrators must
have a valid client certificate installed in their Web browser.
Administration Services includes applications that allow users to create a PKCS #12
Security Store. A PKCS #12 Security Store is a digital ID stored in a PKCS #12 (P12)
file that is saved on a local disk. After creating the P12 file, administrators can then
import it into their Web browser and use it to log in to MLS Administration.
To export the PKCS #12 file, administrators must have a client policy that allows PKCS
#12 export.

To configure Master List Signer administrators for PKCS #12 enrollment


1 Log in to Security Manager Administration for the Master List Signer Services CA.
2 In the tree view, expand Security Policy > User Policies.
3 Select Master List Signer Administrator Policy.
The Master List Signer Administrator Policy user policy is the client policy
assigned to the Master List Signer Administrator role, the role for Master List
Signer administrators.
4 Under Policy Attributes:
a Select Allow PKCS#12 Export.
This setting allows users to export their digital ID to a PKCS #12 file.
b Select All Exportable.
This setting allows all private keys to be exported.
c (Optional.) Change the value of Minimum PKCS#12 Hash Count.
This setting specifies the minimum number of times that the user-supplied
password for the PKCS #12 file is hashed during export. You can enter a
value between 1 (very weak) and 10000 (very secure). The default value of
2000 is sufficient for most deployments.
5 Click Apply.
6 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.

Creating an ePassport Auditor certificate type
By default, Security Manager includes an ePassport - Master List Signer
Administrator (ent_mlist_admin) certificate type. This certificate type allows Master
List Signer administrators to perform all operations in MLS Administration.
MLS Administration supports an ePassport Auditor (ent_epass_auditor) certificate
type. This certificate type allows Master List Signer administrators to view
and export data, but not make any changes in MLS Administration.

Note:
The ePassport Auditor (ent_epass_auditor) certificate type also grants read
access to CSCA materials in the National PKD, if the CSCA issues credentials to
both the NPKD services and Master List Signer services. You may have already
created this certificate type for the NPKD services in “Creating certificate types
for NPKD services” on page 471.

To create an ePassport Auditor certificate type


1 From the Master List Signer Services CA, export the Security Manager certificate
specifications.
You can export the certificate specifications from Security Manager
Administration, or from Security Manager using the fcs export command. See
the Security Manager Administration User Guide or Security Manager
Operations Guide for details.
2 Open the certificate specifications file in a text editor.
3 Add the following to the [Certificate Types] section:
; ----------------------------------------------------------------------
; ePassport Auditor Certificate Type
; ----------------------------------------------------------------------
ent_epass_auditor=enterprise,ePassport Auditor,ePassport Auditor
4 Add the following to the [Extension Definitions] section:
[ent_epass_auditor Certificate Definitions]
1=Encryption
2=Verification

[ent_epass_auditor Common Extensions]
; encodes the id-Entrust-ePassportAuditor policy OID 2.16.840.1.114027.10.19
certificatepolicies=2.5.29.32,n,o,DER,300D300B06096086480186fa6b0a13
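The certificatepolicies value above is a raw DER blob, so a typo in the hex would silently produce a certificate type carrying the wrong policy OID. The following Python script is an added example, not part of this guide or of the Entrust tooling; it decodes that DER value (certificatePolicies is a SEQUENCE OF PolicyInformation, each starting with a policy OID) and confirms it carries the id-Entrust-ePassportAuditor OID the comment names. The spec line is copied from the guide; the assumption that its fields split as name=extensionOID,flags,...,DER,hex is mine, and the flag letters n and o are passed through rather than interpreted, since the guide does not define them.

```python
# Added example (not from the Entrust guide or its tooling): decode the DER
# value on a certificatepolicies spec line and return the policy OIDs it
# carries. Field layout "name=extOID,flag,...,DER,hex" is an assumption.

SPEC_LINE = "certificatepolicies=2.5.29.32,n,o,DER,300D300B06096086480186fa6b0a13"
CERTIFICATE_POLICIES_OID = "2.5.29.32"           # X.509 id-ce-certificatePolicies
EXPECTED_AUDITOR_OID = "2.16.840.1.114027.10.19"  # id-Entrust-ePassportAuditor per the guide


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:            # long form: low 7 bits = number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def _decode_oid(content):
    """Turn OBJECT IDENTIFIER content octets (base-128, high bit = continue) into dotted form."""
    arcs, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    if acc:
        raise ValueError("truncated OID sub-identifier")
    first = arcs[0]
    # The first sub-identifier packs two arcs as 40*X + Y; X is 2 whenever it is >= 80.
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + arcs[1:])


def policy_oids_from_der(der):
    """Parse certificatePolicies ::= SEQUENCE OF PolicyInformation; return the policy OIDs."""
    tag, outer, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("certificatePolicies must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = _read_tlv(outer, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_bytes, _ = _read_tlv(info, 0)   # policyIdentifier first; qualifiers ignored
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(_decode_oid(oid_bytes))
    return oids


def parse_spec_line(line):
    """Split a 'name=extOID,flag,...,DER,hex' entry and decode its value."""
    name, rest = line.split("=", 1)
    fields = rest.split(",")
    if len(fields) < 3 or fields[-2] != "DER":
        raise ValueError("only DER-encoded values are handled here")
    ext_oid, hex_value = fields[0], fields[-1]
    return {
        "name": name,
        "extension_oid": ext_oid,
        "is_certificate_policies": ext_oid == CERTIFICATE_POLICIES_OID,
        "flags": fields[1:-2],
        "policy_oids": policy_oids_from_der(bytes.fromhex(hex_value)),
    }


if __name__ == "__main__":
    parsed = parse_spec_line(SPEC_LINE)
    ok = parsed["is_certificate_policies"] and parsed["policy_oids"] == [EXPECTED_AUDITOR_OID]
    print(parsed["policy_oids"], "matches guide" if ok else "MISMATCH")
```

The same decoder can be pointed at any other DER-encoded certificatepolicies entry in the exported specification file, which is a quick way to audit every custom certificate type for the policy OID it actually asserts before importing the file back with fcs import.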

5 Save and close the file.
6 Import the certificate specifications back into Security Manager.
You can import the certificate specifications from Security Manager
Administration, or from Security Manager using the fcs import command. See
the Security Manager Administration User Guide or Security Manager
Operations Guide for details.

Creating Master List Signer administrators
You must create a user entry in Security Manager for each Master List Signer
administrator. You can use Security Manager Administration or the User
Management Service (Administration Services) to create the user entry.
For more information about creating users with Security Manager Administration, see
the Security Manager Administration User Guide.
For more information about creating users with the User Management Service, see
the Administration Services User Administration Guide.
This section contains the following procedures:
• “To create a user entry for a Master List Signer administrator using Security
Manager Administration” on page 779
• “To create a user entry for a Master List Signer administrator using the User
Management Service” on page 781

To create a user entry for a Master List Signer administrator using Security
Manager Administration
1 Log in to Security Manager Administration for the Master List Signer Services CA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appears.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
d Ensure that the Create profile check box is not checked.
4 Click the General tab.
5 From the Role drop-down list, select Master List Signer Administrator.
6 Select the Certificate Info tab, and then complete the following:
a In the Category drop-down list, select Enterprise.
b Under Certificate Type:

– For the administrator to perform all operations, select ePassport - Master
List Signer Administrator.
– For the administrator to only view and export data, select ePassport
Auditor. You must have created this certificate type in “Creating an
ePassport Auditor certificate type” on page 777.
7 Click OK.
8 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
The Operation Completed Successfully message appears, which displays the
Reference number and Authorization code.
Record these activation codes in a secure manner, as they are required later to
create and activate the user’s Entrust digital ID.
For more details on how the Registration number and Authorization codes are
used, see the Security Manager Administration User Guide.
You have created a user entry for a Master List Signer administrator. The Master List
Signer administrator must have a valid client certificate to access the MLS
Administration interface. Securely send the activation codes to the administrator.
Master List Signer administrators can create their client certificate using the following
applications:
• User Management Service (UMS)
If PKCS #12 enrollment is enabled and configured properly in Administration
Services, administrators can use UMS to create a PKCS #12 digital ID. The
administrators can then import the digital ID into their Web browser and use
it to log in to MLS Administration.
If SCEP enrollment is enabled and configured properly in Administration
Services, administrators can use UMS to obtain a digital ID using SCEP
(Simple Certificate Enrollment Protocol). SCEP enrollment is intended for
Apple devices, such as Macintosh computers. After obtaining the digital ID,
the digital ID is installed in the keychain, and administrators can use the
digital ID to log in to MLS Administration.
• User Registration Service (URS)
If PKCS #12 enrollment is enabled and configured properly in Administration
Services, administrators can use URS to create a PKCS #12 digital ID. The
administrators can then import the digital ID into their Web browser and use
it to log in to MLS Administration.
If SCEP enrollment is enabled and configured properly in Administration
Services, administrators can use URS to obtain a digital ID using SCEP (Simple
Certificate Enrollment Protocol). SCEP enrollment is intended for Apple
devices, such as Macintosh computers. After obtaining the digital ID, the
digital ID is installed in the keychain, and administrators can use the digital
ID to log in to MLS Administration.
• Profile Creation Utility
Master List Signer administrators can use the Profile Creation Utility to
generate a PKCS #12 digital ID. The administrators can then import the
digital ID into their Web browser and use it to log in to MLS Administration.
• Entrust Entelligence Security Provider for Windows
Master List Signer administrators can use Security Provider for Windows to
generate a digital ID. Security Provider for Windows can synchronize the
administrator’s certificates with the Microsoft Cryptographic API (CAPI)
security store. Web browsers that support CAPI can then use the digital ID.

To create a user entry for a Master List Signer administrator using the User
Management Service
1 Log in to the User Management Service for the Master List Signer Services CA.
2 Click the Accounts tab.
3 Click the Create Account tab.
4 In the User Type drop-down list, select a user type.
User types determine which attributes and object classes are included in the user’s
distinguished name.
5 In the Certificate Type drop-down list:
• For the administrator to perform all operations, select Enterprise - ePassport
- Master List Signer Administrator.
• For the administrator to only view and export data, select Enterprise -
ePassport Auditor. You must have created this certificate type in “Creating
an ePassport Auditor certificate type” on page 777.
6 In the available text fields, enter the name that will become the common name
of the user entry. An asterisk (*) appears beside required fields. You must enter
information into all fields marked with asterisks.
7 From the Role drop-down list, select Master List Signer Administrator.
To create the Master List Signer administrator credentials as a PKCS #12 security
store, the client policy (user policy) assigned to the role must allow PKCS #12
export. For details, see “Configuring Master List Signer administrators for PKCS
#12 enrollment” on page 776.
8 Complete the rest of the information as required. See the Administration Services
User Administration Guide for more information.
9 Click Submit.

The information is sent to Security Manager. Security Manager returns activation
codes (reference number and authorization code) and displays them in the
Account Details page.
Record these activation codes in a secure manner, as they are required later to
create and activate the user’s Entrust digital ID.
For more details about how the Registration number and Authorization codes are
used, see the Security Manager Administration User Guide.
You have created a user entry for a Master List Signer administrator. The Master List
Signer administrator must have a valid client certificate to access the MLS
Administration interface. Securely send the activation codes to the administrator.
Master List Signer administrators can create their client certificate using the following
applications:
• User Management Service (UMS)
If PKCS #12 enrollment is enabled and configured properly in Administration
Services, administrators can use UMS to create a PKCS #12 digital ID. The
administrators can then import the digital ID into their Web browser and use
it to log in to MLS Administration.
If SCEP enrollment is enabled and configured properly in Administration
Services, administrators can use UMS to obtain a digital ID using SCEP
(Simple Certificate Enrollment Protocol). SCEP enrollment is intended for
Apple devices, such as Macintosh computers. After obtaining the digital ID,
the digital ID is installed in the keychain, and administrators can use the
digital ID to log in to MLS Administration.
• User Registration Service (URS)
If PKCS #12 enrollment is enabled and configured properly in Administration
Services, administrators can use URS to create a PKCS #12 digital ID. The
administrators can then import the digital ID into their Web browser and use
it to log in to MLS Administration.
If SCEP enrollment is enabled and configured properly in Administration
Services, administrators can use URS to obtain a digital ID using SCEP (Simple
Certificate Enrollment Protocol). SCEP enrollment is intended for Apple
devices, such as Macintosh computers. After obtaining the digital ID, the
digital ID is installed in the keychain, and administrators can use the digital
ID to log in to MLS Administration.
• Profile Creation Utility
Master List Signer administrators can use the Profile Creation Utility to
generate a PKCS #12 digital ID. The administrators can then import the
digital ID into their Web browser and use it to log in to MLS Administration.
• Entrust Entelligence Security Provider for Windows
Master List Signer administrators can use Security Provider for Windows to
generate a digital ID. Security Provider for Windows can synchronize the
administrator’s certificates with the Microsoft Cryptographic API (CAPI)
security store. Web browsers that support CAPI can then use the digital ID.

Testing MLS Administration
After installing the Master List Signer services, you must ensure that all components
were installed properly and function correctly. To test the installation, open MLS
Administration in a Web browser.

To test MLS Administration


1 Open a Web browser.
2 Enter the following URL in your Web browser:
https://<host_name>:<port>/mls/admin
Where:
• <host_name> is the fully qualified host name of the server hosting the Master
List Signer services.
• <port> is the Tomcat SSL port for MLS Administration (by default 11443).
For example:
https://appserver.example.com:11443/mls/admin
3 When prompted to select a user certificate, select a user certificate for a Master
List Signer administrator.
4 A security dialog may appear, prompting you to allow the application to access
the private key.

Note:
The security dialog box may appear behind the browser window. Click the dialog
box’s window icon in the taskbar to bring the dialog box to the front.

Click Allow to allow MLS Administration to access the private key.


If everything is installed correctly and the browser certificate is valid, the MLS
Administration interface appears.

28
Configuring the Master List Signer services
Entrust Authority Administration Services provides Web-based administration
applications that allow you to administer master lists of trusted CSCAs.
This chapter describes how to configure various components and features of the
Master List Signer services provided by Administration Services. For more information
about configuring Administration Services, see the Administration Services
Configuration Guide.
This chapter includes the following sections:
• “Configuring the Master List Signer services logs” on page 786
• “Configuring domestic master lists” on page 788
• “Configuring foreign master lists” on page 790
• “Configuring draft domestic master lists” on page 791
• “Enabling and disabling the Master List Signer Web Service” on page 793
• “Configuring whether MLS Administration can create domestic master lists”
on page 794
• “Changing the password of the trust anchors keystore” on page 795

Configuring the Master List Signer services logs
The Master List Signer services—MLS Administration and MLS Web Service—share a
log file. This log file contains messages related to the operation of the Master List
Signer services.
Administration Services allows you to customize the Master List Signer services log
file settings. You can configure the following log settings:
• the log file name and location
• the level of messages recorded in the file
• the maximum size the log file can reach before a new log file is created
• the number of old log files to retain

To configure the Master List Signer services logs


1 Log in to the server hosting the Master List Signer services.
The Master List Signer services are installed on a server hosting the
Administration Services application server components.
2 Open the mls-config.xml file in an XML editor. You can find the file in the
following folder:
<AS-install>\services\mls\mls\webapp\WEB-INF\config
3 In the <Logging> section, configure the settings described in Table 41.

Table 41: Master List Signer log settings

Setting Description
<Level> Sets the level of detail for the logs.
The logging level can be one of (in increasing severity) TRACE, DEBUG,
INFO, WARNING, ERROR, ALERT, or FATAL. This sets the lowest level of
message to show. For example, ERROR provides messages of ERROR,
ALERT and FATAL status.
Default: INFO
<FileName> Sets the name (including path) of the log file.
Default: <AS-install>\services\mls\mls\logs\mls_mls.log
<FileSize> Sets the maximum size of a log file, in bytes.
Default: 1000000
Do not set the value to 0, or Apache Tomcat will fail to start.
<Backups> Sets the maximum number of log files to keep. After the last log file
reaches the maximum size, the first log file is overwritten.
Default: 10

4 Save and close the file.


5 Restart Administration Services.

Configuring domestic master lists
A master list is a list of trusted CSCAs. Domestic master lists are master lists signed by
your CSCA.
This section describes how to configure various aspects about domestic master lists.

Configuring the location of domestic master lists


By default, Administration Services stores the active domestic master list and archived
domestic master lists in the following folder:
<AS-install>\services\mls\mls\domestic-master-lists
If required, you can change the location where Administration Services stores the
domestic master lists.

To change the location of the domestic master list folder


1 Log in to the server hosting the Master List Signer services.
The Master List Signer services are installed on a server hosting the
Administration Services application server components.
2 Open the mls-config.xml file in an XML editor. You can find the file in:
<AS-install>\services\mls\mls\webapp\WEB-INF\config
3 Locate the <DomesticMLLocation> setting.
The <DomesticMLLocation> setting controls the location of the active and
archived domestic master lists. By default:
<DomesticMLLocation>C:\Program Files\Entrust\AdminServices/services/mls/mls\domestic-master-lists</DomesticMLLocation>
4 Change the location of the domestic master lists as required. For example:
<DomesticMLLocation>C:\New folder location</DomesticMLLocation>
5 Copy all files from the old location to the new location.
6 Save and close the file.
7 Restart Administration Services.

Configuring the number of archived domestic master lists


Archived domestic master lists are backups of previous domestic master lists. When
you create a new domestic master list, the current active domestic master list is
archived.
By default, Administration Services keeps 10 archived domestic master lists. When
you reach the limit of archived master lists, Administration Services will remove the
oldest archived domestic master list when archiving a new master list.

You can configure how many archived domestic master lists that Administration
Services keeps.

To configure the number of archived domestic master lists


1 Log in to the server hosting the Master List Signer services.
The Master List Signer services are installed on a server hosting the
Administration Services application server components.
2 Open the mls-config.xml file in an XML editor. You can find the file in:
<AS-install>\services\mls\mls\webapp\WEB-INF\config
3 Locate the <DomesticMLBackups> setting.
The <DomesticMLBackups> setting controls how many archived domestic master
lists Administration Services keeps. By default, Administration Services keeps 10
archived domestic master lists.
4 Change how many archived domestic master lists that Administration Services
keeps. For example:
<DomesticMLBackups>20</DomesticMLBackups>
Enter a value greater than 1 or Administration Services will not start.
5 Save and close the file.
6 Restart Administration Services.

Configuring foreign master lists
A master list is a list of trusted CSCAs. Foreign master lists are master lists signed by
foreign CSCAs.
By default, Administration Services stores the foreign master lists in the following
folder:
<AS-install>\services\mls\mls\foreign-master-lists
If required, you can change the location where Administration Services stores the
foreign master lists.

To change the location of the foreign master list folder


1 Log in to the server hosting the Master List Signer services.
The Master List Signer services are installed on a server hosting the
Administration Services application server components.
2 Open the mls-config.xml file in an XML editor. You can find the file in:
<AS-install>\services\mls\mls\webapp\WEB-INF\config
3 Locate the <ForeignMLLocation> setting.
The <ForeignMLLocation> setting controls the location of the foreign master
lists. By default:
<ForeignMLLocation>C:\Program Files\Entrust\AdminServices/services/mls/mls/foreign-master-lists</ForeignMLLocation>
4 Change the location of the foreign master lists as required. For example:
<ForeignMLLocation>C:\New folder location</ForeignMLLocation>
5 Copy all files from the old location to the new location.
6 Save and close the file.
7 Restart Administration Services.

Configuring draft domestic master lists
When creating a new domestic master list, you can save a draft of the master list. This
section describes how to configure various aspects of draft domestic master lists.

Configuring the location of draft domestic master lists


By default, Administration Services stores the draft domestic master lists in the
following folder:
<AS-install>\services\mls\mls\draft-master-lists
If required, you can change the location where Administration Services stores the
draft domestic master lists.

To change the location of the draft domestic master list folder


1 Log in to the server hosting the Master List Signer services.
The Master List Signer services are installed on a server hosting the
Administration Services application server components.
2 Open the mls-config.xml file in an XML editor. You can find the file in:
<AS-install>\services\mls\mls\webapp\WEB-INF\config
3 Locate the <DraftMLLocation> setting.
The <DraftMLLocation> setting controls the location of the draft domestic
master lists. By default:
<DraftMLLocation>C:\Program Files\Entrust\AdminServices/services/mls/mls\draft-master-lists</DraftMLLocation>
4 Change the location of the draft domestic master lists as required. For example:
<DraftMLLocation>C:\New folder location</DraftMLLocation>
5 Copy all files from the old location to the new location.
6 Save and close the file.
7 Restart Administration Services.

Configuring the number of draft domestic master lists


By default, Administration Services keeps 10 draft domestic master lists. When you
reach the limit of draft master lists, Administration Services will remove the oldest
draft master list when you save a new draft master list.
You can configure how many draft domestic master lists that Administration Services
keeps.

To configure the number of draft domestic master lists
1 Log in to the server hosting the Master List Signer services.
The Master List Signer services are installed on a server hosting the
Administration Services application server components.
2 Open the mls-config.xml file in an XML editor. You can find the file in:
<AS-install>\services\mls\mls\webapp\WEB-INF\config
3 Locate the <DraftMLBackups> setting.
The <DraftMLBackups> setting controls how many draft domestic master lists
Administration Services keeps. By default, Administration Services keeps 10 draft
domestic master lists.
4 Change how many draft domestic master lists that Administration Services keeps.
For example:
<DraftMLBackups>20</DraftMLBackups>
Enter a value greater than 1 or Administration Services will not start.
5 Save and close the file.
6 Restart Administration Services.

Enabling and disabling the Master List Signer
Web Service
You can enable or disable the Master List Signer Web Service. When enabled, you can
use the Master List Signer Web Service to create new domestic master lists. You can
disable the Master List Signer Web Service to prevent the Master List Signer Web
Service clients from creating new domestic master lists. By default, the Master List
Signer Web Service is enabled.
Typically, you disable the Master List Signer Web Service only if you want Master List
Signer administrators to use MLS Administration to create new domestic master lists.

To enable or disable the Master List Signer Web Service


1 Log in to the server hosting the Master List Signer services.
The Master List Signer services are installed on a server hosting the
Administration Services application server components.
2 Open the mls-config.xml file in an XML editor. You can find the file in:
<AS-install>\services\mls\mls\webapp\WEB-INF\config
3 Locate the <MLSWSEnabled> setting and change the value as follows:
• To enable the Master List Signer Web Service, change the value to true:
<MLSWSEnabled>true</MLSWSEnabled>
• To disable the Master List Signer Web Service, change the value to false:
<MLSWSEnabled>false</MLSWSEnabled>
4 Save and close the file.
5 Restart Administration Services.

Configuring whether MLS Administration can
create domestic master lists
You can configure whether MLS Administration allows Master List Signer
administrators to create domestic master lists. When enabled, administrators can use
MLS Administration to create domestic master lists. When disabled, administrators
can only view the active and archived domestic master lists. By default, MLS
Administration allows administrators to create domestic master lists.
Typically, you disable MLS Administration from creating new domestic master lists
only if you want the Master List Signer Web Service to create new domestic master
lists.

To configure whether MLS Administration can create domestic master lists


1 Log in to the server hosting the Master List Signer services.
The Master List Signer services are installed on a server hosting the
Administration Services application server components.
2 Open the mls-config.xml file in an XML editor. You can find the file in:
<AS-install>\services\mls\mls\webapp\WEB-INF\config
3 Locate the <MLSAdminCreateMLEnabled> setting and change the value as
follows:
• To allow MLS Administration to create domestic master lists, change the
value to true:
<MLSAdminCreateMLEnabled>true</MLSAdminCreateMLEnabled>
• To prevent MLS Administration from creating domestic master lists, change
the value to false:
<MLSAdminCreateMLEnabled>false</MLSAdminCreateMLEnabled>
4 Save and close the file.
5 Restart Administration Services.

Changing the password of the trust anchors
keystore
In the Master List Signer services, trust anchors are CSCA (Country Signing
Certification Authority) certificates. The Master List Signer services use CSCA
certificates to validate other materials.
The Master List Signer services store the trust anchors in a password-protected
keystore. When you add a trust anchor to the Master List Signer services for the first
time, Administration Services creates the trust anchor keystore using a default
password.
You can change the keystore password at any time.

To change the trust anchor keystore password


1 Log in to the server hosting the Master List Signer services.
The Master List Signer services are installed on a server hosting the
Administration Services application server components.
2 On a command line, navigate to the following location:
<AS-install>\services\_jvm\bin
3 Enter the following command:
keytool -storepasswd -keystore <keystore>
Where <keystore> is the trust anchors keystore file. The keystore file is:
<AS-install>\services\mls\mls\trust-anchors\trustanchors
For example:
keytool -storepasswd -keystore "C:\Program Files\Entrust\AdminServices\services\mls\mls\trust-anchors\trustanchors"
a You are prompted to enter the current keystore password:
Enter keystore password:
Enter the current keystore password. The initial default password for the trust
anchors keystore file is changeit.
b You are prompted to enter a new password for the keystore:
New keystore password:
Enter a new password for the keystore.
c You are prompted to confirm the new password:
Re-enter new keystore password:
Enter the new password again to confirm the new password.
4 Open the mls-config.xml file in an XML editor. You can find the file in:

<AS-install>\services\mls\mls\webapp\WEB-INF\config
5 Locate the <TrustAnchors> section:
<TrustAnchors>
<!-- File name of the trust anchor keystore -->
<Filename>C:\Program Files\Entrust\AdminServices\services\mls\mls\trust-anchors\trustanchors</Filename>
<Password>...</Password>
</TrustAnchors>
6 In the <Password> setting, replace the current value with the new keystore
password.
When you restart Administration Services, Administration Services will encrypt
the password. Administration Services will replace the password in the
mls-config.xml file with the phrase "{Password protected by Entrust
Unattended Login}", followed by the encrypted password.
7 Save and close the file.
8 Restart Administration Services.
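Several of the mls-config.xml settings described in this chapter have constraints that only show up when Administration Services or Tomcat fails to start (a <FileSize> of 0, a <DomesticMLBackups> or <DraftMLBackups> value that is not greater than 1), or that leave the deployment in a weak state without any error (a trust anchors keystore <Password> still at the initial default, or a cleartext password that has not yet been encrypted because the service was not restarted). The following Python script is an added example and is not part of the Entrust product: it checks a copy of mls-config.xml for those conditions before you restart. It assumes only the element names this guide documents and searches by tag name, because the file's full nesting is not shown here; the embedded sample configuration is constructed for the demonstration and deliberately contains several of the mistakes described above.

```python
"""Sanity-check an mls-config.xml before restarting Administration Services.

Added example; not part of the Entrust product. The element names
(<Logging>/<Level>, <FileSize>, <Backups>, <DomesticMLBackups>,
<DraftMLBackups>, <MLSWSEnabled>, <MLSAdminCreateMLEnabled>,
<TrustAnchors>/<Password>) are the ones the Solutions Guide documents;
the exact nesting of the file is an assumption, so every check looks the
element up by tag name rather than by a full path.
"""
import xml.etree.ElementTree as ET

LOG_LEVELS = ("TRACE", "DEBUG", "INFO", "WARNING", "ERROR", "ALERT", "FATAL")
# Prefix Administration Services writes in front of the encrypted password after a restart.
PROTECTED_PREFIX = "{Password protected by Entrust Unattended Login}"

# Constructed sample: a file containing several of the mistakes the guide warns about.
SAMPLE_CONFIG = """<MLSConfig>
  <Logging>
    <Level>VERBOSE</Level>
    <FileName>C:\\Program Files\\Entrust\\AdminServices\\services\\mls\\mls\\logs\\mls_mls.log</FileName>
    <FileSize>0</FileSize>
    <Backups>10</Backups>
  </Logging>
  <DomesticMLBackups>1</DomesticMLBackups>
  <DraftMLBackups>20</DraftMLBackups>
  <MLSWSEnabled>false</MLSWSEnabled>
  <MLSAdminCreateMLEnabled>false</MLSAdminCreateMLEnabled>
  <TrustAnchors>
    <Filename>C:\\Program Files\\Entrust\\AdminServices\\services\\mls\\mls\\trust-anchors\\trustanchors</Filename>
    <Password>changeit</Password>
  </TrustAnchors>
</MLSConfig>
"""


def _text(root, tag):
    """Text of the first element named `tag` anywhere below root, or None."""
    el = root.find(f".//{tag}")
    return None if el is None or el.text is None else el.text.strip()


def _int_or_none(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def check_mls_config(xml_text):
    """Return a list of findings (strings). An empty list means nothing was found."""
    root = ET.fromstring(xml_text)
    findings = []

    level = _text(root, "Level")
    if level not in LOG_LEVELS:
        findings.append(f"Logging/Level {level!r} is not one of {', '.join(LOG_LEVELS)}")

    # The guide: a <FileSize> of 0 makes Apache Tomcat fail to start.
    size = _int_or_none(_text(root, "FileSize"))
    if size is None or size <= 0:
        findings.append("Logging/FileSize must be a positive number of bytes (0 stops Tomcat from starting)")

    # The guide: these must be greater than 1 or Administration Services will not start.
    for tag in ("DomesticMLBackups", "DraftMLBackups"):
        n = _int_or_none(_text(root, tag))
        if n is None or n <= 1:
            findings.append(f"{tag} must be greater than 1 (Administration Services will not start)")

    ws = _text(root, "MLSWSEnabled")
    admin = _text(root, "MLSAdminCreateMLEnabled")
    for tag, value in (("MLSWSEnabled", ws), ("MLSAdminCreateMLEnabled", admin)):
        if value not in ("true", "false"):
            findings.append(f"{tag} must be 'true' or 'false', got {value!r}")
    if ws == "false" and admin == "false":
        # Not a documented error; flagged because neither path can then create domestic master lists.
        findings.append("Both MLSWSEnabled and MLSAdminCreateMLEnabled are false: "
                        "nothing can create domestic master lists")

    pw = _text(root, "Password")
    if pw is not None and not pw.startswith(PROTECTED_PREFIX):
        # Cleartext means the service has not been restarted since the value was edited,
        # or the keystore password is still the documented initial default.
        if pw == "changeit":
            findings.append("TrustAnchors/Password is still the initial default 'changeit'")
        else:
            findings.append("TrustAnchors/Password is in cleartext; restart Administration Services "
                            "so that it is encrypted")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in check_mls_config(text) or ["no problems found"]:
        print(finding)
```

Run it with the path of the real file as its only argument; without an argument it checks the constructed sample. Because the script reads the file, it never needs to know the keystore password itself, and a cleartext <Password> finding is also a useful post-restart check that the encryption step actually happened.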

29
Administering master lists
This chapter describes how to administer master lists using the MLS Administration
interface.
This chapter contains the following sections:
• “Logging in to MLS Administration” on page 798
• “Creating and editing domestic master lists” on page 799
• “Managing the active domestic master list” on page 812
• “Managing archived domestic master lists” on page 821
• “Managing foreign master lists” on page 829
• “Managing trust anchors” on page 851
• “Managing PKD Writer uploads” on page 865

Logging in to MLS Administration
MLS Administration provides an interface for Master List Signer administrators to
administer their country’s Master List Signer. You are required to log in to the MLS
Administration interface with a certificate stored in your Web browser (see “Creating
Master List Signer administrators” on page 779).

To log in to MLS Administration


1 Open a Web browser.
2 Enter the following URL in your Web browser:
https://<host_name>:<port>/mls/admin
Where:
• <host_name> is the fully qualified host name of the server hosting the Master
List Signer services.
• <port> is the Tomcat SSL port for MLS Administration (by default 11443).
For example:
https://appserver.example.com:11443/mls/admin
3 When prompted to select a user certificate, select the user certificate that you
created in “Creating Master List Signer administrators” on page 779.
4 A security dialog may appear, prompting you to allow the application to access
the private key.

Note:
The security dialog box may appear behind the browser window. Click the dialog
box’s window icon in the taskbar to bring the dialog box to the front.

Click Allow to allow MLS Administration to access the private key.


If everything was installed correctly and the browser certificate is valid, the MLS
Administration interface appears.

Creating and editing domestic master lists
Create a new domestic master list when you want to create a master list of trusted
foreign CSCAs. When you create a new domestic master list, you create a list of
trusted foreign CSCAs by adding trusted foreign CSCA certificates. You can also add
domestic CSCA root and link certificates.
You can create a new domestic master list, or edit an existing domestic master list.
When creating or editing a domestic master list, Administration Services saves a copy
of the master list as you work. Administration Services will keep a copy of the master
list until you save the master list, cancel the edit session, or close your browser.

To create and edit the domestic master list


1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click Domestic Master List.
3 Click the Edit Domestic Master List tab.
The Start Edit page appears.

4 Select one of the following options:


• To resume editing a master list, click Resume the previous edit session. This
option only appears if you started to edit a master list but did not save the
master list, cancel the edit, or close your browser.
• To cancel an edit session in progress, click Cancel the previous edit session.
This option only appears if you started to edit a master list but did not save
the master list, cancel the edit, or close your browser.
• To create a new domestic master list, click Create a new domestic master list.

• To edit the active domestic master list, click Use the current active domestic
master list.
• To edit a previously saved draft, click Use a previously saved draft domestic
master list. This option only appears if you started to edit a master list and
saved a draft of the list.
5 Click Submit.
6 If you chose to edit a previously saved draft:
a The Select Draft Domestic Master List page appears.

Draft master lists are saved with the file name <country_code>_YYMMDDhhmmssZ.der, where:
– <country_code> is the country code of your country.
– YYMMDDhhmmss is the date and time that the master list was signed and
saved.
For example, MM_100630190114Z.der.
b Under the ID column, select the draft master list that you want to edit.

7 The Edit Domestic Master List page appears. For example:

On this page:
• The Assurance Level pane displays the current assurance level of the master
list, and the expiry date of the assurance level.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.

The assurance level expiry date is calculated using the shortest expiration
date of the material used to validate the material, such as a CRL.
• The Draft Certificate List pane lists all domestic and foreign CSCA
certificates.
• The Domestic Certificates pane lists all domestic CSCA certificates.

Note:
If you are using the current domestic master list to create a new master list, the
current domestic CA certificate will not appear under Domestic Certificates if a
CA key update occurred after the current master list was created. You do not
need to add the current domestic CA certificate to the master list; the current
domestic CA certificate will be added automatically when you save the master list
(click Sign and Save or Save as Draft).

• The Foreign Certificates pane lists all foreign CSCA certificates in the master
list.
If you are creating a new domestic master list, no certificates appear under
Foreign Certificates.
• The Test Results pane displays the results of the assurance policy tests that
Administration Services performed on the master list.
If you click a different tab while editing the master list, Administration Services
will save a copy of the master list as you work. Administration Services will keep
a copy of the master list until you save the master list, cancel the edit session, or
close your browser.
You can cancel the edit at any time by clicking Cancel Edit.
8 You can save a draft of the master list at any time by clicking Save as Draft.
By default, draft master lists are saved to the following location on the server
hosting the Master List Signer services:
<AS-install>\mls\mls\domestic-master-lists
The master list is saved with the file name <country_code>_YYMMDDhhmmssZ.der,
where:
• <country_code> is the country code of your country.
• YYMMDDhhmmss is the date and time that the draft master list was saved.
For example, MM_100630190114Z.der.
9 To add a foreign CSCA certificate from a file:
a In the Add Certificate pane, select From a file containing a single certificate,
and then click Browse to select the certificate file.

b After selecting a certificate file, click Submit to add the certificate to the
domestic master list.
The Add Certificate page appears.

On this page:
– Certificate Details displays information about the CSCA certificate.
The Assurance Level was calculated based on the results of the assurance
policy tests. The assurance level, from highest to lowest, can be one of:
High Assurance, Minor Defect, or Low Assurance.

The assurance level expiry date is calculated using the shortest expiration
date of the material used to validate the material, such as a CRL.
– Validation Details displays the validation strings for the certificate.
– If the CSCA certificate exists in at least one foreign master list, Exists in the
following Foreign Master Lists displays a list of all foreign master lists that
include the CSCA certificate.
– Test Results displays the results of the assurance policy tests that
Administration Services performed on the CSCA certificate.
c Read the certificate details to verify that you selected the correct certificate.
d Under Validation Details:
– If you received a validation string for the CSCA certificate, select Enter
Validation String and enter the validation string into the text field.
– If you validated the CSCA certificate by an out-of-band method (such as
diplomatic courier), click Verified Out-of-band.
e Click Add Certificate to add the certificate to the master list.
10 To add a foreign CSCA certificate from a foreign master list:
a In the Add Certificate pane, select From a foreign master list.
b Click Submit.
The Select Foreign Master List page appears.

c Click the country code corresponding to the foreign master list that includes
the CSCA certificate you want to add to your domestic master list.
The View Foreign Master List page appears.

d Click the distinguished name of the CSCA certificate. The distinguished name
is listed under the Issued By column.
The Add Certificate page appears. For example:

On this page:
– Certificate Details displays information about the CSCA certificate.
The Assurance Level was calculated based on the results of the assurance
policy tests. The assurance level, from highest to lowest, can be one of:
High Assurance, Minor Defect, or Low Assurance.
The assurance level expiry date is calculated using the shortest expiration
date of the material used to validate the material, such as a CRL.
– If the CSCA certificate exists in at least one foreign master list, Exists in the
following Foreign Master Lists displays a list of all foreign master lists that
include the CSCA certificate.
– Test Results displays the results of the assurance policy tests that
Administration Services performed on the CSCA certificate.

e Read the certificate details to verify that you selected the correct certificate,
then click Add Certificate to add the certificate to the master list.
11 To add a foreign CSCA certificate from an archived domestic master list:
a In the Add Certificate pane, click From an archived master list.
b Click Submit.
The Select Archived Master List page appears.

Archived master lists are saved with the file name <country_code>_YYMMDDhhmmssZ.der, where:
– <country_code> is the country code of your country.
– YYMMDDhhmmss is the date and time that the master list was signed and
saved.
For example, MM_100630190114Z.der.
c Under the ID column, select the archived master list that includes the CSCA certificate you want to add.
The View Archived Domestic Master List page appears.

d Click the distinguished name of the CSCA certificate. The distinguished name
is listed under the Issued By column.
The Add Certificate page appears. For example:

On this page:
– Certificate Details displays information about the CSCA certificate.
The Assurance Level was calculated based on the results of the assurance
policy tests. The assurance level, from highest to lowest, can be one of:
High Assurance, Minor Defect, or Low Assurance.
The assurance level expiry date is calculated using the shortest expiration
date of the material used to validate the material, such as a CRL.
– If the CSCA certificate exists in at least one foreign master list, Exists in the
following Foreign Master Lists displays a list of all foreign master lists that
include the CSCA certificate.
– Test Results displays the results of the assurance policy tests that
Administration Services performed on the CSCA certificate.

e Read the certificate details to verify that you selected the correct certificate,
then click Add Certificate to add the certificate to the master list.
12 To remove a domestic CSCA certificate from the master list:
a In the Domestic Certificates pane under the Action column, click Delete for
the domestic CSCA that you want to remove. You cannot remove the CSCA
certificate that issued the Master List Signer profile.
A dialog box appears, asking you to confirm the command.

b Click OK to remove the certificate.


13 To remove a foreign CSCA certificate from the master list:
a In the Foreign Certificates pane under the Action column, click Delete for
the foreign CSCA that you want to remove.
A dialog box appears, asking you to confirm the command.

b Click OK to remove the certificate.


14 Add or remove additional CSCA certificates as required.
15 After adding all the foreign CSCA certificates to the master list, click Sign and
Save.

A dialog box appears, asking you to confirm the command.

16 To sign and save the master list, click OK.


Your CSCA signs the master list. By default, the master list is saved to the following
location on the server hosting the Master List Signer services:
<AS-install>\mls\mls\domestic-master-lists
The master list is saved with the file name <country_code>_YYMMDDhhmmssZ.der,
where:
• <country_code> is the country code of your country.
• YYMMDDhhmmss is the date and time that the master list was signed and saved.
For example, MM_100630190114Z.der.
The previous domestic master list is archived. For more information about archived
domestic master lists, see “Managing archived domestic master lists” on page 821.
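Draft, active and archived domestic master lists all use the <country_code>_YYMMDDhhmmssZ.der naming described in steps 6, 8, 11 and 16 above, and the draft and archive folders are rotated by removing the oldest file once the configured limit (<DraftMLBackups> or <DomesticMLBackups>) is reached. The following Python helper is an added example, not the product's own code: it parses those names into a country code and a UTC signing time, orders a folder listing by that time, and reports which files a given retention limit would drop first, which is useful when auditing whether an older archived list is still available. The two-or-three-letter country code pattern is an assumption (the guide's example uses MM), and the sample listing is constructed.

```python
"""Parse master list file names (<country_code>_YYMMDDhhmmssZ.der) and apply
the retention rule the Solutions Guide describes (the oldest file is removed
once the configured limit is reached). Added example; not part of the product.
"""
import os
import re
from datetime import datetime, timezone

# Assumption: country codes are two or three upper-case letters (the guide's
# example file name uses "MM"). The trailing Z marks the timestamp as UTC.
NAME_RE = re.compile(r"^(?P<cc>[A-Z]{2,3})_(?P<ts>\d{12})Z\.der$")

# Constructed sample listing of an archive folder, including a stray file.
SAMPLE_ARCHIVE = [
    "MM_100630190114Z.der",
    "MM_110102083000Z.der",
    "MM_090115120000Z.der",
    "readme.txt",
]


def parse_master_list_name(name):
    """Return (country_code, UTC signing time) or None if `name` is not a master list file."""
    m = NAME_RE.match(name)
    if m is None:
        return None
    when = datetime.strptime(m.group("ts"), "%y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return m.group("cc"), when


def master_list_name(country_code, when):
    """Build the file name the guide describes for a list signed at `when` (an aware datetime)."""
    return f"{country_code}_{when.astimezone(timezone.utc):%y%m%d%H%M%S}Z.der"


def sort_by_time(names):
    """Master list file names ordered oldest first; names that do not match are ignored."""
    dated = []
    for n in names:
        parsed = parse_master_list_name(n)
        if parsed is not None:
            dated.append((parsed[1], n))
    return [n for _, n in sorted(dated)]


def beyond_limit(names, limit):
    """Oldest files exceeding `limit`, i.e. the ones the documented rotation removes first."""
    ordered = sort_by_time(names)
    excess = len(ordered) - limit
    return ordered[:excess] if excess > 0 else []


def audit_folder(path, limit):
    """Apply beyond_limit to a real folder, e.g. <AS-install>\\services\\mls\\mls\\domestic-master-lists."""
    return beyond_limit(os.listdir(path), limit)


if __name__ == "__main__":
    for n in sort_by_time(SAMPLE_ARCHIVE):
        cc, when = parse_master_list_name(n)
        print(f"{n}: country {cc}, signed {when:%Y-%m-%d %H:%M:%S} UTC")
    print("would be dropped at a limit of 2:", beyond_limit(SAMPLE_ARCHIVE, 2))
```

Point audit_folder at the draft or archive folder with the limit you configured in mls-config.xml to see which lists are next to be discarded; copy any list you still need elsewhere before it is rotated out.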

Managing the active domestic master list
The active domestic master list is the most recent domestic master list. Only one
domestic master list can be the active domestic master list.
This section contains the following topics:
• “Viewing the active domestic master list” on page 812
• “Exporting the active domestic master list” on page 815
• “Exporting CSCA certificates from the active domestic master list” on
page 817
• “Uploading the active domestic master list to the ICAO PKD” on page 819

Viewing the active domestic master list


You can view the active domestic master list. Viewing the domestic master list allows
you to view a list of all trusted foreign CSCA certificates, and view a specific CSCA
certificate.

To view the active domestic master list


1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click Domestic Master List.
3 Click the Domestic Master List tab.
The Domestic Master List page appears.

On this page:
• The Domestic Master List Details pane displays information about the
master list.
Assurance Level displays the current assurance level of the master list. The
assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.

Assurance Level Expiry displays the expiry date of the assurance level. The
assurance level expiry date is calculated using the shortest expiration date of
the material used to validate the master list, such as a CRL.
• The Domestic Certificates pane lists all domestic CSCA certificates.
• The Foreign Certificates pane lists all foreign CSCA certificates in the master
list.
If you are creating a new domestic master list, no certificates appear under
Foreign Certificates.
• The Test Results pane displays the results of the assurance policy tests that
Administration Services performed on the master list.
4 To view a specific domestic or foreign CSCA certificate, click the distinguished
name of the CSCA certificate. The distinguished name is listed under the Issued
By column.
The View Certificate page appears. For example:

On this page:
• Certificate Details displays information about the CSCA certificate.
The Assurance Level was calculated based on the results of the assurance
policy tests. The assurance level, from highest to lowest, can be one of: High
Assurance, Minor Defect, or Low Assurance.
The assurance level expiry date is calculated using the shortest expiration
date of the material used to validate the certificate, such as a CRL.

• Test Results displays the results of the assurance policy tests that
Administration Services performed on the CSCA certificate.
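The file name convention, the rule that the most recent domestic master list is the active one, and the assurance level expiry rule described in this section, worked through as an added Python example (this is not Entrust code; the directory listing and the expiry dates are constructed, and the parser assumes a two- or three-letter country code):

```python
import re
from datetime import datetime, timezone

# Domestic master list file name convention documented above:
#   <country_code>_YYMMDDhhmmssZ.der   e.g. MM_100630190114Z.der
# The timestamp is the signing time; the trailing Z marks UTC.
MASTER_LIST_NAME = re.compile(r"^(?P<cc>[A-Z]{2,3})_(?P<ts>\d{12})Z\.der$")


def parse_master_list_name(filename):
    """Return (country_code, signing_time) for a master list file name,
    or None if the name does not follow the convention (for example a
    trust anchor export such as MM_1531920630.der, which carries a
    certificate serial number instead of a signing time)."""
    m = MASTER_LIST_NAME.match(filename)
    if m is None:
        return None
    signed = datetime.strptime(m.group("ts"), "%y%m%d%H%M%S")
    return m.group("cc"), signed.replace(tzinfo=timezone.utc)


def split_active_and_archived(filenames):
    """The active domestic master list is the most recently signed one;
    every older list in the directory is an archived list.
    Returns (active_filename, [archived filenames, newest first])."""
    parsed = []
    for name in filenames:
        info = parse_master_list_name(name)
        if info is not None:          # ignore files that are not master lists
            parsed.append((info[1], name))
    if not parsed:
        return None, []
    parsed.sort(reverse=True)         # newest signing time first
    return parsed[0][1], [name for _, name in parsed[1:]]


def assurance_level_expiry(validation_material):
    """Assurance Level Expiry is the shortest expiration date among the
    material used during validation (CSCA certificate notAfter, CRL
    nextUpdate, ...). `validation_material` maps a label to its expiry;
    returns (label, expiry) of the item that limits the assurance level."""
    label, expiry = min(validation_material.items(), key=lambda kv: kv[1])
    return label, expiry


def assurance_level_is_current(validation_material, now):
    """True while no piece of validation material has expired; once one
    has, the assurance level must be recomputed (the Validate action)."""
    return now < assurance_level_expiry(validation_material)[1]


# Constructed directory listing of <AS-install>\mls\mls\domestic-master-lists
SAMPLE_LISTING = [
    "MM_100630190114Z.der",   # the example name from the guide
    "MM_190415120000Z.der",   # constructed, newest -> the active list
    "MM_181201083000Z.der",   # constructed
    "MM_1531920630.der",      # constructed trust anchor export, not a master list
    "readme.txt",
]

# Constructed expiry dates of the material used to validate the list
SAMPLE_MATERIAL = {
    "CSCA certificate notAfter": datetime(2029, 4, 15, tzinfo=timezone.utc),
    "CRL nextUpdate": datetime(2019, 5, 15, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    active, archived = split_active_and_archived(SAMPLE_LISTING)
    print("active:", active, "archived:", archived)
    print("assurance level expires with", assurance_level_expiry(SAMPLE_MATERIAL))
```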

Exporting the active domestic master list


You can export the active domestic master list to a file.

To export the active domestic master list


1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click Domestic Master List.
3 Click the Domestic Master List tab.
The Domestic Master List page appears.

All domestic CSCA certificates appear under Domestic Certificates. All foreign
CSCA certificates in the master list appear under Foreign Certificates.
4 Click Export.
A File Download dialog box appears.
5 Click Save to save the master list to a file.
The default master list file name is <country_code>_YYMMDDhhmmssZ.der, where:
• <country_code> is the country code of your country.
• YYMMDDhhmmss is the date and time that the master list was signed and saved.
For example, MM_100630190114Z.der.

Exporting CSCA certificates from the active domestic master list


You can export CSCA certificates from the active domestic master list to a file. You
can use these CSCA certificate files to create a new domestic master list (see
“Creating and editing domestic master lists” on page 799).

To export a CSCA certificate from the active domestic master list


1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click Domestic Master List.
3 Click the Domestic Master List tab.
The Domestic Master List page appears.

All domestic CSCA certificates appear under Domestic Certificates. All foreign
CSCA certificates in the master list appear under Foreign Certificates.
4 Click the distinguished name of the CSCA certificate that you want to export. The
distinguished name is listed under the Issued By column.

The View Certificate page appears. For example:

5 Click Export.
A File Download dialog box appears.
6 Click Save to save the certificate to a file.

Uploading the active domestic master list to the ICAO PKD


The PKD Writer Web service writes master lists, CRLs, and Document Signer
certificates to the ICAO PKD. The PKD Writer Web service also records and maintains
a history of the materials that have been uploaded. The PKD Writer Web Service
supports a GUI extension in MLS Administration that displays the status of CSCA
materials uploaded to the ICAO PKD.
When you installed the Master List Signer services, the installer included an option to
enable the display of CSCA materials upload status. If you enabled this option, you
can view the status of master lists, CRLs, and Document Signer certificates that were
uploaded to the ICAO PKD (see “Managing PKD Writer uploads” on page 865).
If you enabled the option to display the status of CSCA materials uploaded to the
ICAO PKD, you can also upload the active domestic master list to the ICAO PKD.

To upload the active domestic master list to the ICAO PKD


1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click Domestic Master List.
3 Click the Domestic Master List tab.
The Domestic Master List page appears.

4 Click Upload to PKD.


If the upload was successful, a success message appears. After uploading the master
list to the ICAO PKD, you can track the upload status of the master list in MLS
Administration. See “Viewing the upload status of CSCA materials” on page 865 for
details.

Managing archived domestic master lists
Archived domestic master lists are backups of previous domestic master lists. When
you create a new domestic master list (see “Creating and editing domestic master
lists” on page 799), the current active domestic master list is archived.
This section contains the following topics:
• “Viewing archived domestic master lists” on page 821
• “Exporting archived domestic master lists” on page 824
• “Making an archived domestic master list the active domestic master list” on
page 826

Viewing archived domestic master lists


You can view a list of archived domestic master lists and view a specific archived
domestic master list. Viewing an archived domestic master list allows you to:
• view the list of trusted foreign CSCA certificates on the archived domestic
master list
• view a trusted foreign CSCA certificate on the archived domestic master list
• export a trusted foreign CSCA certificate from the archived domestic master
list

To view archived domestic master lists


1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click Domestic Master List.
3 Click the Archived Domestic Master Lists tab.
The Archived Domestic Master Lists page appears.

Archived master lists are saved with the file name
<country_code>_YYMMDDhhmmssZ.der, where:
• <country_code> is the country code of your country.
• YYMMDDhhmmss is the date and time that the master list was signed and saved.
For example, MM_100630190114Z.der.
4 Under the ID column, click the archived master list that you want to view.
The View Archived Domestic Master List page appears.

On this page:
• The Archived Domestic Master List Details pane displays information about
the archived domestic master list.
Assurance Level displays the current assurance level of the master list. The
assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
Assurance Level Expiry displays the expiry date of the assurance level. The
assurance level expiry date is calculated using the shortest expiration date of
the material used to validate the master list, such as a CRL.
• The Domestic Certificates pane lists all domestic CSCA certificates.
• The Foreign Certificates pane lists all foreign CSCA certificates in the master
list.
• The Test Results pane displays the results of the assurance policy tests that
Administration Services performed on the master list.
5 To view a specific CSCA certificate, click the distinguished name of the CSCA
certificate. The distinguished name is listed under the Issued By column.
The View Certificate page appears.

On this page:
• Certificate Details displays information about the CSCA certificate.
The Assurance Level was calculated based on the results of the assurance
policy tests. The assurance level, from highest to lowest, can be one of: High
Assurance, Minor Defect, or Low Assurance.
The assurance level expiry date is calculated using the shortest expiration
date of the material used to validate the certificate, such as a CRL.
• Test Results displays the results of the assurance policy tests that
Administration Services performed on the CSCA certificate.
6 To export the CSCA certificate to a file, click Export.
A File Download dialog box appears. Click Save to save the certificate to a file.

Exporting archived domestic master lists


You can export an archived domestic master list to a file. You can use this file to help
create a new domestic master list or send it to foreign CSCA administrators so they
can create their own master lists of trusted CSCAs.

To export an archived domestic master list


1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click Domestic Master List.
3 Click the Archived Domestic Master Lists tab.
The Archived Domestic Master Lists page appears.

Archived master lists are saved with the file name
<country_code>_YYMMDDhhmmssZ.der, where:
• <country_code> is the country code of your country.
• YYMMDDhhmmss is the date and time that the master list was signed and saved.
For example, MM_100630190114Z.der.
4 Under the ID column, click the archived master list that you want to export.
The View Archived Domestic Master List page appears.

5 Verify that you selected the archived master list that you want to export, and
then click Export.
A File Download dialog box appears.
6 Click Save to save the archived master list to a file.
The default master list file name is <country_code>_YYMMDDhhmmssZ.der, where:
• <country_code> is the country code of your country.
• YYMMDDhhmmss is the date and time that the master list was signed and saved.
For example, MM_100630190114Z.der.

Making an archived domestic master list the active domestic master list
You can make an archived domestic master list the active domestic master list. You
should only make an archived domestic master list the active domestic master list if
an administrator accidentally created a new domestic master list.

To make an archived domestic master list the active domestic master list
1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click Domestic Master List.
3 Click the Archived Domestic Master Lists tab.
The Archived Domestic Master Lists page appears.

Archived master lists are saved with the file name
<country_code>_YYMMDDhhmmssZ.der, where:
• <country_code> is the country code of your country.
• YYMMDDhhmmss is the date and time that the master list was signed and saved.
For example, MM_100630190114Z.der.
4 Under the ID column, click the archived master list that you want to make the
active domestic master list.
The View Archived Domestic Master List page appears.

5 Verify that you selected the archived master list that you want to make the active
domestic master list, and then click Sign and Save.
A dialog box appears, asking you to confirm the command.

6 To sign and save the master list, click OK.
Your CSCA signs the master list. By default, the master list is saved to the following
location on the server hosting the Master List Signer services:
<AS-install>\mls\mls\domestic-master-lists
The master list is saved with the file name <country_code>_YYMMDDhhmmssZ.der,
where:
• <country_code> is the country code of your country.
• YYMMDDhhmmss is the date and time that the master list was signed and saved.
For example, MM_100630190114Z.der.

Managing foreign master lists
Foreign master lists are master lists from foreign countries. You can add, view, and
delete foreign master lists. You can also export foreign master lists to a file, or export
a CSCA certificate from a foreign master list to a file.
This section contains the following topics:
• “Adding foreign master lists” on page 829
• “Viewing foreign master lists” on page 832
• “Changing the assurance level of foreign master lists” on page 836
• “Validating foreign master lists” on page 837
• “Exporting foreign master lists” on page 839
• “Exporting CSCA certificates from a foreign master list” on page 841
• “Adding CSCA certificates in foreign master lists as trust anchors” on
page 844
• “Deleting foreign master lists” on page 847

Adding foreign master lists


You can add foreign master lists. When adding a foreign master list, you can set the
assurance level of the foreign master list. The assurance level allows you to determine
how much you trust the foreign master list.

To add a foreign master list


1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click Foreign Master Lists.
3 Click the Add Foreign Master List tab.
The Add Foreign Master List page appears.

4 In the Add Foreign Master List pane, click Browse to select the certificate file.
5 After selecting a master list file, click Submit.
The View Foreign Master List page appears.

• Foreign Master List Details displays information about the foreign master
list.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.

The assurance level expiry date is calculated using the shortest expiration
date of the material used to validate the master list, such as a CRL.
• Validation Details displays the validation strings for the master list.
• Certificate List displays information about all the CSCA certificates in the
foreign master list.
• Test Results displays the results of the assurance policy tests that
Administration Services performed on the master list.
6 Under Foreign Master List Details, you can change the Assurance Level of the
master list. The assurance level allows you to determine how much you trust the
foreign master list.
The default assurance level was calculated based on the results of the assurance
policy tests. The assurance level, from highest to lowest, can be one of: High
Assurance, Minor Defect, or Low Assurance.
7 Under Validation Details:
• If you received a validation string for the master list, select Enter Validation
String and enter the validation string into the text field.
• If you validated the master list by an out-of-band method (such as diplomatic
courier), click Verified Out-of-band.
8 Click Add Foreign Master List.
A success message appears, along with a list of all foreign master lists.

Viewing foreign master lists


You can view a list of all foreign master lists that were added, and you can view a
specific master list. Viewing a master list allows you to view the following
information:
• the results of all assurance policy tests performed on the foreign master list

• information about all the CSCA certificates that are included in the foreign
master list

To view a foreign master list


1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click Foreign Master Lists.
3 Click the Foreign Master Lists tab.
The Foreign Master Lists page appears. This page displays a list of all foreign
master lists that you have added.

4 To view a specific master list, click the country code corresponding to the foreign
master list that you want to view.
The View Foreign Master List page appears.

• Foreign Master List Details displays information about the foreign master
list.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
The assurance level expiry date is calculated using the shortest expiration
date of the material used to validate the master list, such as a CRL.
• Certificate List displays information about all the CSCA certificates in the
foreign master list.
• Test Results displays the results of the assurance policy tests that
Administration Services performed on the master list.

5 To view more detailed information about a CSCA certificate in the master list,
click the distinguished name of the CSCA certificate. The distinguished name is
listed under the Issued By column.
The View Certificate page appears. For example:

• Certificate Details displays information about the CSCA certificate.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
The assurance level expiry date is calculated using the shortest expiration
date of the material used to validate the certificate, such as a CRL.
• Test Results displays the results of the assurance policy tests that
Administration Services performed on the certificate.

Changing the assurance level of foreign master lists
The assurance level of a foreign master list controls how much the foreign master list
is trusted by Administration Services. You may have changed the assurance level of a
foreign master list when adding it as a trust anchor. You can also change the
assurance level of a foreign master list after adding it to the Master List Signer
services.

To change the assurance level of a foreign master list


1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click Foreign Master Lists.
3 Click the Foreign Master Lists tab.
The Foreign Master Lists page appears. This page displays a list of all foreign
master lists that you have added.

4 To view a specific foreign master list, click the country code corresponding to the
foreign master list that you want to view.
The View Foreign Master List page appears.

5 Under Foreign Master List Details, you can change the Assurance Level of the
foreign master list.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
6 Click Save to save the changes.

Validating foreign master lists


The assurance level of a foreign master list controls how much the foreign master list
is trusted by Administration Services. You can change the assurance level of a foreign
master list when adding it to the Master List Signer services, or after adding it to the
Master List Signer services.

You can validate foreign master lists in the Master List Signer services. When
validating a foreign master list, Administration Services performs assurance policy
tests on the foreign master list and recalculates its assurance level.

To validate a foreign master list


1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click Foreign Master Lists.
3 Click the Foreign Master Lists tab.
The Foreign Master Lists page appears. This page displays a list of all foreign
master lists that you have added.

4 To view a specific master list, click the country code corresponding to the foreign
master list that you want to view.
The View Foreign Master List page appears.

5 Click Validate.
Administration Services performs assurance policy tests on the foreign master list
and recalculates its assurance level.
6 Click Save to save the changes.

Exporting foreign master lists


You can export a foreign master list to a file.

To export a foreign master list


1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click Foreign Master Lists.
3 Click the Foreign Master Lists tab.
The Foreign Master Lists page appears. This page displays a list of all foreign
master lists that you have added.

4 To view a master list before exporting it, click the country code corresponding to
the foreign master list that you want to view.
The View Foreign Master List page appears.

5 Click Export.
6 You are prompted to save the file. Save the file to a location on your computer.

Exporting CSCA certificates from a foreign master list


You can export CSCA certificates from a foreign master list to a file. You can use these
CSCA certificate files to add foreign CSCA certificates to your own master list (see
“Creating and editing domestic master lists” on page 799).

To export a CSCA certificate from a foreign master list


1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click Foreign Master Lists.
3 Click the Foreign Master Lists tab.
The Foreign Master Lists page appears. This page displays a list of all foreign
master lists that you have added.

4 To view a specific master list, click the country code corresponding to the foreign
master list that you want to view.
The View Foreign Master List page appears.

5 To view a CSCA certificate, click the distinguished name of the CSCA certificate.
The distinguished name is listed under the Issued By column.
The View Certificate page appears. For example:

6 To export the CSCA certificate, click Export.
You are prompted to save the file. Save the file to a location on your computer.

Adding CSCA certificates in foreign master lists as trust anchors


In the Master List Signer services, trust anchors are CSCA (Country Signing
Certification Authority) certificates. The Master List Signer services use CSCA
certificates to validate other materials.
You can add a CSCA certificate in a foreign master list as a trust anchor to the Master
List Signer services.

To add a CSCA certificate from a foreign master list as a trust anchor


1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click Foreign Master Lists.
3 Click the Foreign Master Lists tab.
The Foreign Master Lists page appears. This page displays a list of all foreign
master lists that you have added.

4 To view a specific master list, click the country code corresponding to the foreign
master list that you want to view.
The View Foreign Master List page appears.

5 To view the CSCA certificate you want to add as a trust anchor, click the
distinguished name of the CSCA certificate. The distinguished name is listed
under the Issued By column.
The View Certificate page appears. For example:

6 To add the CSCA certificate as a trust anchor, click Make Trust Anchor.
You are prompted to save the file. Save the file to a location on your computer.

Deleting foreign master lists


You can delete foreign master lists. You should only delete a foreign master list if you
do not need it anymore, or if you added the same foreign master list more than once.

To delete a foreign master list


1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click Foreign Master Lists.
3 Click the Foreign Master Lists tab.
The Foreign Master Lists page appears. This page displays a list of all foreign
master lists that you have added.

4 To view a specific master list before deleting it, click the country code
corresponding to the foreign master list that you want to view.
The View Foreign Master List page appears.

5 Verify that you selected the correct master list and then click Delete.
A dialog box appears, asking you to confirm the command.
6 To delete the master list, click OK.

Managing trust anchors
In the Master List Signer services, trust anchors are CSCA (Country Signing
Certification Authority) certificates. The Master List Signer services use CSCA
certificates to validate other materials. You can use MLS Administration to manage
trust anchors.
This section contains the following topics:
• “Adding trust anchors” on page 851
• “Viewing trust anchors” on page 854
• “Exporting trust anchors” on page 856
• “Changing the assurance level of trust anchors” on page 858
• “Validating trust anchors” on page 859
• “Deleting trust anchors” on page 861

Adding trust anchors


You can add trust anchors (CSCA certificates) to the Master List Signer services. The
Master List Signer services can then use those CSCA certificates to validate other
materials.
When adding a CSCA certificate as a trust anchor, Administration Services performs
assurance policy tests on the CSCA certificate to determine its assurance level. The
assurance level controls how much the CSCA certificate is trusted by Administration
Services. You can change the assurance level when adding the CSCA certificate as a
trust anchor.

To add a CSCA certificate as a trust anchor


1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click Trust Anchors.
3 Click the Add Trust Anchor tab.
The Add Trust Anchor page appears.

4 Click Browse to locate and select the CSCA certificate you want to add as a trust
anchor.
5 Click Submit.
The View Trust Anchor page appears.

• Trust Anchor Details displays information about the CSCA certificate.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
The assurance level expiry date is calculated using the shortest expiration
date of the material used to validate the certificate, such as a CRL.
• Validation Details displays the validation strings for the certificate.
• Test Results displays the results of the assurance policy tests that
Administration Services performed on the CSCA certificate.

6 Under Trust Anchor Details, you can change the Assurance Level of the CSCA
certificate.
The default assurance level was calculated based on the results of the assurance
policy tests. The assurance level, from highest to lowest, can be one of: High
Assurance, Minor Defect, or Low Assurance.
7 Under Validation Details:
• If you received a validation string for the CSCA certificate, select Enter
Validation String and enter the validation string into the text field.
• If you validated the CSCA certificate by an out-of-band method (such as
diplomatic courier), click Verified Out-of-band.
8 Click Add Trust Anchor to add the CSCA certificate as a trust anchor.

Viewing trust anchors


You can view a list of all CSCA certificates that were added as trust anchors to the
Master List Signer services. From the list, you can also view more detailed information
about a specific CSCA certificate.

To view a trust anchor


1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click Trust Anchors.
3 Click the Trust Anchors tab.
The Trust Anchors List page appears.

The Trust Anchors List displays a list of CSCA certificates that were added as trust
anchors to the Master List Signer services.
4 To view more detailed information about a CSCA certificate, click the country code
of the CSCA certificate you want to view.
The View Trust Anchor page appears.

5 The page displays the following information:
• Trust Anchor Details displays information about the CSCA certificate.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
The assurance level expiry date is calculated using the shortest expiration
date of the material used to validate the certificate, such as a CRL.
• Test Results displays the results of the assurance policy tests that
Administration Services performed on the CSCA certificate.

Exporting trust anchors
You can export a trust anchor (CSCA certificate) to a file. Typically you would export
a CSCA certificate so you can later import it into a domestic master list.

To export a trust anchor


1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click Trust Anchors.
3 Click the Trust Anchors tab.
The Trust Anchors List page appears.

4 To view more detailed information about the CSCA certificate before exporting
it, click the country code of the CSCA certificate you want to export.
The View Trust Anchor page appears.

5 Click Export.
6 When prompted, save the CSCA certificate to a location on your computer. The
certificate is saved as a .der file. By default, the name of the file is:
<country-code>_<serial-number>.der
Where:
• <country-code> is the country code of the CSCA certificate.
• <serial-number> is the serial number of the CSCA certificate.
For example:
MM_1531920630.der

Changing the assurance level of trust anchors
The assurance level of a trust anchor (CSCA certificate) controls how much the CSCA
certificate is trusted by Administration Services. You may have changed the assurance
level of a CSCA certificate when adding it as a trust anchor. You can also change the
assurance level of a CSCA certificate after adding it as a trust anchor.

To change the assurance level of a trust anchor


1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click Trust Anchors.
3 Click the Trust Anchors tab.
The Trust Anchors List page appears.

4 In the Country Code column, click the country code of the trust anchor you want
to edit.
The View Trust Anchor page appears.

5 Under Trust Anchor Details, you can change the Assurance Level of the CSCA
certificate.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
6 Click Save to save the changes.

Validating trust anchors


The assurance level of a trust anchor (CSCA certificate) controls how much the CSCA
certificate is trusted by Administration Services. You can change the assurance level
of a CSCA certificate when adding it as a trust anchor, or after adding it as a trust
anchor.

You can validate trust anchors in the Master List Signer services. When validating a
trust anchor, Administration Services performs assurance policy tests on the CSCA
certificate and recalculates its assurance level.

To validate a trust anchor


1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click Trust Anchors.
3 Click the Trust Anchors tab.
The Trust Anchors List page appears.

4 In the Country Code column, click the country code of the trust anchor you want
to validate.
The View Trust Anchor page appears.

5 Click Validate.
Administration Services performs assurance policy tests on the CSCA certificate
and recalculates its assurance level.
6 Click Save to save the changes.

Deleting trust anchors


You can remove trust anchors (CSCA certificates) from the Master List Signer services.
When you remove a trust anchor, the Master List Signer services can no longer use it
to validate other materials. Remove a trust anchor when you no longer want to use
it to validate other materials.

To delete a trust anchor
1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click Trust Anchors.
3 Click the Trust Anchors tab.
The Trust Anchors List page appears.

4 In the Country Code column, click the country code of the trust anchor you want
to delete.
5 To view more detailed information about the trust anchor before deleting it, click
the country code of the trust anchor.
The View Trust Anchor page appears.

6 Verify that you selected the correct trust anchor and then click Delete.
A dialog box appears, asking you to confirm the command.

7 To delete the trust anchor, click OK.

Managing PKD Writer uploads
The PKD Writer Web service writes master lists, CRLs, and Document Signer
certificates to the ICAO PKD. The PKD Writer Web service also records and maintains
a history of the materials that have been uploaded. MLS Administration can connect
to the PKD Writer Web Service to display the status of CSCA materials uploaded to
the ICAO PKD.
When you installed the Master List Signer services, the installer included an option to
enable the display of CSCA materials upload status. If you enabled this option, you
can use MLS Administration to view the status of CSCA materials that were uploaded
to the ICAO PKD, view the status of the PKD Access credential, and configure PKD
upload settings.
This section contains the following topics:
• “Viewing the upload status of CSCA materials” on page 865
• “Uploading the latest domestic CSCA CRL to the ICAO PKD” on page 870
• “Viewing the status of the PKD Access credential” on page 871
• “Configuring the PKD Writer upload settings” on page 872

Viewing the upload status of CSCA materials


If you enabled a connection between the PKD Writer Web Service and MLS
Administration, you can view the status of master lists, CRLs, and Document Signer
certificates that were uploaded to the ICAO PKD.

To view the upload status of CSCA materials


1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click PKD Uploads.
3 Click the PKD Uploads tab.
The Materials List page appears.

This page displays the status of all master lists, CRLs, and Document Signer
certificates that were uploaded to the ICAO PKD.
For each CRL, Document Signer certificate, and master list uploaded to the ICAO
PKD, the upload status is displayed in the Upload Status column:
• The Available status indicates that the material is now available for
download by foreign states in the ICAO download server.
• The Success status indicates that the material was successfully uploaded to
the ICAO PKD, but has not yet appeared in the ICAO download server.
The Success status does not guarantee that the status will change to
Available and the material will become available in the ICAO download
server. ICAO runs sanity and trust checks on materials uploaded to the ICAO
PKD. If the sanity or trust checks fail, an email will be sent to the email
address registered with ICAO.
• The Failed status indicates that an error occurred during the upload. Specifics
about the error are included, such as an LDAP error code.

4 To display information about a CRL that was uploaded to the ICAO PKD, click
the test results for that CRL.
A Display Test Results page appears for the CRL. For example:

The page displays the following information:


• CRL displays information about the CRL.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
The assurance level expiry date is calculated using the shortest expiration
date of the material used to validate the material, such as a CRL.
• Test Results displays the results of the assurance policy tests that
Administration Services performed on the CRL.
5 To display information about a Document Signer certificate that was uploaded to
the ICAO PKD, click the test results for that Document Signer certificate.
A Display Test Results page appears for the Document Signer certificate. For
example:

The page displays the following information:
• Document Signer Certificate displays information about the Document
Signer certificate.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
The assurance level expiry date is calculated using the shortest expiration
date of the material used to validate the material, such as a CRL.
• Test Results displays the results of the assurance policy tests that
Administration Services performed on the Document Signer certificate.
6 To display information about a domestic master list that was uploaded to the
ICAO PKD, click the test results for that master list.
A Display Test Results page appears for the master list. For example:

The page displays the following information:
• Master List displays information about the master list.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
The assurance level expiry date is calculated using the shortest expiration
date of the material used to validate the material, such as a CRL.
• Test Results displays the results of the assurance policy tests that
Administration Services performed on the master list.

Uploading the latest domestic CSCA CRL to the ICAO PKD
If you enabled a connection between the PKD Writer Web Service and MLS
Administration, you can upload the latest CRL from your domestic CSCA to the ICAO
PKD.

To upload the latest domestic CSCA CRL to the ICAO PKD


1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click PKD Uploads.
3 Click the PKD Uploads tab.
The Materials List page appears.

4 Click Upload Now.

Viewing the status of the PKD Access credential
If you enabled a connection between the PKD Writer Web Service and MLS
Administration, you can view the status of the PKD Access credential used by the PKD
Writer Web Service. The PKD Access credential is a credential issued by ICAO that
allows Administration Services to authenticate to the ICAO PKD.

To view the status of the PKD Access credential


1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click PKD Uploads.
3 Click the PKD Status tab.
The PKD Status page appears.

The page displays the following information:


• Last successful connection to Download LDAP displays the date and time
that the PKD Writer Web Service connected to the ICAO PKD Download
directory.
• Last successful connection to Upload LDAP displays the date and time that
the PKD Writer Web Service connected to the ICAO PKD Upload directory.
• Upload certificate expires on displays the date and time that the PKD Access
credential expires.

Configuring the PKD Writer upload settings
If you enabled a connection between the PKD Writer Web Service and MLS
Administration, you can configure some PKD Writer settings.

To configure the PKD Writer upload settings


1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click PKD Uploads.
3 Click the PKD Upload Settings tab.
The PKD Upload Settings page appears.

4 The Automatic Upload Enabled setting controls whether PKD Writer will
automatically upload CSCA materials to the ICAO PKD.

Note:
Currently, PKD Writer can automatically upload only the current CSCA CRL to
the ICAO PKD from a URL.

• Select True to enable automatic uploads.


• Select False to disable automatic uploads.
5 The CRL setting specifies the full URL of the CSCA CRL. The PKD Writer can
automatically upload the CSCA CRL from this URL to the ICAO PKD.

Supported formats of the URL are http, https, and ldap. For example:
http://webserver.example.com/CRL/crl_file.crl
6 The Connection frequency setting controls how often, in hours, PKD Writer
automatically uploads CSCA materials to the ICAO PKD. The value must be
greater than 0 or an error will occur.
7 The Connection attempts setting controls how many times PKD Writer will
attempt to connect to the ICAO PKD before reporting a failure. The value must
be greater than 0.
8 The CRLs Assurance Level setting controls the minimum assurance level for CRLs
that can be uploaded to the ICAO PKD. CRLs that do not match or exceed the
minimum assurance level will not be uploaded.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
9 The Certificates Assurance Level setting controls the minimum assurance level
for Document Signer certificates that can be uploaded to the ICAO PKD.
Document Signer certificates that do not match or exceed the minimum
assurance level will not be uploaded.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
10 The Master Lists Assurance Level setting controls the minimum assurance level
for master lists that can be uploaded to the ICAO PKD. Master lists that do not
match or exceed the minimum assurance level will not be uploaded.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
11 Click Save to save the changes.
12 You must restart the server hosting PKD Writer for the changes to take effect.
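As an added example (not Entrust code and not part of this guide), the following Python models the checks the settings above describe: the Connection frequency and Connection attempts values must be greater than 0, the CRL URL must use one of the http, https or ldap schemes, and a CRL, Document Signer certificate or master list whose assurance level does not match or exceed the configured minimum is not uploaded. The UploadSettings class, the function names and the short material kind names ('crl', 'dsc', 'ml') are assumptions made for illustration; the level ordering is the one stated in the procedure (High Assurance, then Minor Defect, then Low Assurance).

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple
from urllib.parse import urlparse

# Ordering taken from the guide: High Assurance > Minor Defect > Low Assurance.
ASSURANCE_RANK = {"High Assurance": 2, "Minor Defect": 1, "Low Assurance": 0}

# URL schemes the guide lists as supported for the CRL setting.
ALLOWED_CRL_SCHEMES = {"http", "https", "ldap"}


@dataclass(frozen=True)
class UploadSettings:
    """Hypothetical container mirroring the PKD Upload Settings page (an assumption)."""
    automatic_upload_enabled: bool
    crl_url: str
    connection_frequency_hours: int
    connection_attempts: int
    crls_assurance_level: str
    certificates_assurance_level: str
    master_lists_assurance_level: str


def validate_settings(s: UploadSettings) -> List[str]:
    """Return the list of problems found; an empty list means the settings are acceptable."""
    problems = []
    if s.connection_frequency_hours <= 0:
        problems.append("Connection frequency must be greater than 0")
    if s.connection_attempts <= 0:
        problems.append("Connection attempts must be greater than 0")
    scheme = urlparse(s.crl_url).scheme.lower()
    if scheme not in ALLOWED_CRL_SCHEMES:
        problems.append("CRL URL scheme %r is not one of http, https, ldap" % scheme)
    for level in (s.crls_assurance_level, s.certificates_assurance_level,
                  s.master_lists_assurance_level):
        if level not in ASSURANCE_RANK:
            problems.append("Unknown assurance level %r" % level)
    return problems


def meets_minimum(actual: str, minimum: str) -> bool:
    """True when a material's assurance level matches or exceeds the configured minimum."""
    return ASSURANCE_RANK[actual] >= ASSURANCE_RANK[minimum]


def select_for_upload(materials: Iterable[Tuple[str, str, str]],
                      s: UploadSettings) -> List[str]:
    """Filter (kind, identifier, assurance_level) tuples against the per-kind minimums.

    kind is 'crl', 'dsc' (Document Signer certificate) or 'ml' (master list);
    these short kind names are an assumption of this example.
    """
    minimum_by_kind = {
        "crl": s.crls_assurance_level,
        "dsc": s.certificates_assurance_level,
        "ml": s.master_lists_assurance_level,
    }
    return [ident for kind, ident, level in materials
            if meets_minimum(level, minimum_by_kind[kind])]


# Constructed sample settings and materials (placeholder identifiers, not real CSCA data).
SAMPLE_SETTINGS = UploadSettings(
    automatic_upload_enabled=True,
    crl_url="http://webserver.example.com/CRL/crl_file.crl",
    connection_frequency_hours=24,
    connection_attempts=3,
    crls_assurance_level="Minor Defect",
    certificates_assurance_level="High Assurance",
    master_lists_assurance_level="High Assurance",
)

SAMPLE_MATERIALS = [
    ("crl", "XX-CRL-2019-04", "High Assurance"),
    ("crl", "XX-CRL-2019-03", "Low Assurance"),
    ("dsc", "XX-DSC-0001", "Minor Defect"),
    ("dsc", "XX-DSC-0002", "High Assurance"),
    ("ml", "XX-ML-0007", "High Assurance"),
]

if __name__ == "__main__":
    print(validate_settings(SAMPLE_SETTINGS))   # []
    print(select_for_upload(SAMPLE_MATERIALS, SAMPLE_SETTINGS))
```

With the sample settings, only the High Assurance CRL, the High Assurance Document Signer certificate and the master list pass the gate; the Low Assurance CRL and the Minor Defect certificate are held back, which is the behaviour the three assurance level settings describe.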

30

Customizing MLS Administration


Entrust Authority Administration Services allows you to customize MLS
Administration. By making changes to specific files, you can customize MLS
Administration to match your organization’s corporate identity.
This chapter contains the following sections:
• “Customizing the MLS Administration interface” on page 876
• “Customizing MLS Administration styles” on page 880

Customizing the MLS Administration interface
When customizing the MLS Administration interface, you can make several changes
to reflect the corporate identity of your company. This section provides you with
details about how to apply those changes.

Note:
Any changes you make may require you to complete manual tasks when you
upgrade to the next version of Administration Services. It is recommended that
you keep track of the changes you make.

This section includes the following topics:


• “Adding your company logo to MLS Administration” on page 876
• “Customizing the application title and browser title for MLS Administration”
on page 877

Adding your company logo to MLS Administration


You can add your company logo to all MLS Administration pages.

To add your company logo to MLS Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Save your organization’s logo to the images folder, located at:
<AS-install>\services\mls\mls\webapp\admin\<locale>\images
3 Navigate to the following folder:
<AS-install>\services\mls\mls\webapp\WEB-INF\xsl\<locale>
4 Open common-page.xsl in a text editor.
5 Locate the placeholder for entrust_logo.gif as shown:
<img class="left-floating" alt=""
src="{$home}/images/entrust_logo.gif"/>
6 Replace entrust_logo.gif with the GIF file name of your logo.
7 Save and close the file.
8 Restart Administration Services and clear your browser cache.
Your logo now appears in the title bar of MLS Administration.

Figure 21: Your company logo in the title bar of MLS Administration

Customizing the application title and browser title for MLS Administration
You can replace the "MLS Administration" title with your organization’s name or any
other name your organization chooses. Changing the application title will also change
the title shown in the Web browser.

To change the application title and browser title for MLS Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Navigate to the following folder:
<AS-install>\services\mls\mls\webapp\WEB-INF\xsl\<locale>
3 Open common-lang.xsl in a text editor.
4 Locate the appTitle variable. By default:
<xsl:variable name="appTitle">Entrust Authority&#8482; MLS
Administration</xsl:variable>
5 Replace the existing value with the title chosen by your company. For example:
<xsl:variable name="appTitle">Custom Application
Title</xsl:variable>
6 Save and close the file.
7 If you want to add a second line to the application title:
a Open common-lang.xsl in a text editor.
b Locate the appTitle variable. By default:

<xsl:variable name="appTitle">Entrust Authority&#8482; MLS
Administration</xsl:variable>
c Replace the existing value with the first line of the title chosen by your
company. For example, as shown in bold:
<xsl:variable name="appTitle">My Company</xsl:variable>
d Add a new variable for the second line of the title. For example (shown in
bold):
<xsl:variable name="appTitle">My Company</xsl:variable>
<xsl:variable name="appSecondTitle">Custom Application
Title</xsl:variable>
e Save and close the file.
f Open common-page.xsl in a text editor.
g Locate the <title> section:
<title>
<xsl:value-of select="concat($appTitle, ' :: ',
$theTitle)"/>
</title>
These lines control the browser title. By default, it references only the first line
of the application title (the $appTitle variable).
h To change the browser title:
– To change the browser so that it references only the second line of the
application title, change $appTitle to the new variable you created earlier.
For example, as shown in bold:
<title>
<xsl:value-of select="concat($appSecondTitle, ' :: ',
$theTitle)"/>
</title>
– To change the browser so that it references both lines of the application
title, add a reference to the new variable you created earlier. For example,
as shown in bold:
<title>
<xsl:value-of select="concat($appTitle, ' ',
$appSecondTitle, ' :: ', $theTitle)"/>
</title>
i Under <xsl:template name="header">, locate the following lines:
<h1>
<xsl:value-of select="$appTitle"/>
</h1>

j Add <br/> and then add a reference to the new variable. For example, as
shown in bold:
<h1>
<xsl:value-of select="$appTitle"/><br/><xsl:value-of
select="$appSecondTitle"/>
</h1>
k Save and close the file.
8 Restart Administration Services and clear your browser cache.
Your customized application title now appears in MLS Administration, and the
customized title also appears in the browser window title bar of all MLS
Administration dynamic pages.

Figure 22: Custom application title and browser title for MLS Administration

Customizing MLS Administration styles
You can customize the MLS Administration interface with your choice of colors, fonts,
and styles by changing values in the Cascading Style Sheets (CSS) files. The settings
in the CSS files are assigned by class. You can find the CSS files in the following folder
on the server hosting the application server components:
<AS-install>\services\mls\mls\webapp\admin\<locale>\css
Table 42 briefly describes the different CSS files that control how the MLS
Administration interface looks.

Table 42: List of CSS files for MLS Administration

CSS file           Description

calendar.css       Defines the styles for the date selector.

commonpage.css     Defines the styles for elements common to all pages in the
                   interface, such as the title bar.

datagrid.css       Defines the styles for grid tables in the interface.

details.css        Defines the styles on Details pages.

general.css        Defines the styles for elements independent of any page or
                   template used by the interface.

help.css           This file is not currently used by MLS Administration.

passwordrules.css  This file is not currently used by MLS Administration.

search.css         Defines how search options appear in the interface.

style.css          Loads all the CSS files except the help.css file.

Only someone with a good knowledge of CSS should edit the CSS files. When editing
the CSS files, take care not to make any changes that can break the MLS
Administration interface. Always back up a file before making any edits to the file.

31

Localizing MLS Administration


MLS Administration includes the default locale en_US. The MLS Administration file
system allows you to add more than one locale folder for each MLS Administration
instance. This chapter describes how to add a new locale to MLS Administration.
The preferred language setting in your browser determines the initial locale (the
locale you first access the MLS Administration interface). Links to all other installed
locales appear in the navigation bar of the MLS Administration interface login page.
When you switch to a new locale, the Language Preference browser setting no longer
applies. You can specify more than one preferred language in your browser settings,
but only the first one in the list is applied. If your browser's default language is your
localized language, the localized page appears with a link to the English page. If the
browser preferred language is not installed, MLS Administration always uses the
default locale en_US.

Note:
Do not remove the en_US folder. It is the default locale.

This chapter includes the following sections:


• “Localization overview” on page 882
• “Location of MLS Administration locale folders” on page 883
• “Adding locales to MLS Administration” on page 884
• “Translating MLS Administration files” on page 885
• “Troubleshooting localization in MLS Administration” on page 887

Localization overview
Localization is the process of modifying or adapting a software application to fit the
requirements of a particular locale. Localization includes translating application text
to conform with a specific locale, and it might also include modifying the date, time,
and currency formats.

About locales
A locale is a specific geographic, political, or cultural region. Locales are generally
specified using a language code combined with a country code.
Language codes are two-letter codes defined by ISO 639 (Codes for the representation
of names of languages). By convention, language codes are shown in lower case.
Some common examples include:
• en—English
• fr—French
• ja—Japanese
• ko—Korean
• zh—simplified and traditional Chinese
Country codes are two-letter codes defined by ISO 3166 Country Codes. By
convention, country codes appear in upper case. Some common examples include:
• CA—Canada
• US—United States
• GB—United Kingdom (Great Britain)
• JP—Japan
• CN—China

Defining locales
Locales are generally specified using a combination of a language code and a country
code. The most common interpretation of this standard is the two-letter language
code followed by the two-letter country code, for example:
• fr_CA—French (Canada)
• en_US—English (United States)
• en_GB—English (United Kingdom)
• ja_JP—Japanese (Japan)

Location of MLS Administration locale folders
You can add locale folders in the following locations on the server hosting the
application server components:
<AS-install>\services\mls\mls\webapp\admin
<AS-install>\services\mls\mls\webapp\WEB-INF\xsl
Administration Services looks for locales in the following order:
• lang_country (for example, fr_CA)
• lang only (for example fr)
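As an added example (not Entrust code and not part of this guide), the following Python reproduces the locale selection this chapter describes: only the first language in the browser's preferred-language list is applied, the lookup tries the lang_country folder and then the lang-only folder, and a preferred language that is not installed falls back to the default locale en_US. The function names and the Accept-Language header parsing are assumptions of this example; the lookup order and the fallback are the ones stated above.

```python
from typing import Iterable, Optional, Tuple

DEFAULT_LOCALE = "en_US"   # the guide's default locale folder, which must never be removed


def first_preferred_language(accept_language: str) -> Optional[str]:
    """Return the first language tag in an Accept-Language header, or None if there is none.

    The guide states that only the first preferred language is applied, so later
    entries and their ;q= weights are deliberately ignored.
    """
    first = accept_language.split(",", 1)[0]
    tag = first.split(";", 1)[0].strip()
    return tag or None


def locale_candidates(tag: str) -> Tuple[str, ...]:
    """Map a language tag to folder names in the documented lookup order.

    'fr-CA' -> ('fr_CA', 'fr'); 'de' -> ('de',). Language codes are lower case and
    country codes upper case, matching the locale folder naming convention.
    """
    parts = tag.replace("-", "_").split("_")
    lang = parts[0].lower()
    if len(parts) > 1 and parts[1]:
        return ("%s_%s" % (lang, parts[1].upper()), lang)
    return (lang,)


def resolve_locale(accept_language: str, installed: Iterable[str]) -> str:
    """Pick the locale folder to serve for a given browser preference."""
    installed_set = set(installed)
    tag = first_preferred_language(accept_language)
    if tag is None:
        return DEFAULT_LOCALE
    for candidate in locale_candidates(tag):
        if candidate in installed_set:
            return candidate
    return DEFAULT_LOCALE


# Constructed sample: the default folder plus two added locale folders.
INSTALLED_LOCALES = ["en_US", "fr_CA", "ja"]

if __name__ == "__main__":
    for header in ("fr-CA,en;q=0.8", "ja-JP", "fr-FR", "de-DE,fr-CA;q=0.9", ""):
        print("%-22r -> %s" % (header, resolve_locale(header, INSTALLED_LOCALES)))
```

Note the fourth sample: a browser that lists German first and Canadian French second still gets en_US, because only the first preferred language is applied; that is the behaviour the chapter introduction describes.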

Adding locales to MLS Administration
To add a locale, you must create new locale folders that contain all contents of the
default en_US folders.

To add a new locale to MLS Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Create a new locale folder (such as fr_CA), in each of the following locations:
<AS-install>\services\mls\mls\webapp\admin
<AS-install>\services\mls\mls\webapp\WEB-INF\xsl
3 Copy all folders and files from
<AS-install>\services\mls\mls\webapp\admin\en_US
to
<AS-install>\services\mls\mls\webapp\admin\<locale>
4 Copy all files from
<AS-install>\services\mls\mls\webapp\WEB-INF\xsl\en_US
to
<AS-install>\services\mls\mls\webapp\WEB-INF\xsl\<locale>
Your new locale link is now available on the MLS Administration home page.
Before you can view your localized version of MLS Administration, you must translate
a series of files. See “Translating MLS Administration files” on page 885 for more
information.

Translating MLS Administration files
After creating the link for the new locale, you must translate a series of files into the
language that matches your new locale. Translate all the MLS Administration files listed
in Table 43 on page 885 to match your new locale.

Table 43: MLS Administration files to translate for your new locale

MLS Administration files to translate          Location of files

The following MLS Administration JavaScript    <AS-install>\services\mls\mls\webapp\admin\<locale>\javascript
files:                                         These files are located on the server hosting the
• validator-lang.js                            application server components.

The following MLS Administration XSL files:    <AS-install>\services\mls\mls\webapp\WEB-INF\xsl\<locale>
• common-lang.xsl                              These files are located on the server hosting the
                                               application server components.

To view your localized version of MLS Administration


1 After translating the required files, restart Administration Services and clear your
browser cache.
2 Log in to MLS Administration.
Your MLS Administration locale link is available from the MLS Administration
interface login page.

Note:
If your browser's default language is your localized language, the localized page
will appear with a link to the English page.

3 Click the locale link.


The MLS Administration interface is now available in your localized language
setting.

Figure 23: Localized MLS Administration page

Troubleshooting localization in MLS Administration
When you manually integrate translated files into MLS Administration, incorrect page
encodings may cause the pages to appear with extra white lines or cause some
characters to display in the wrong format.
To avoid these problems, you may need to add or update a few settings depending
on the new language.

HTML entities referenced by names


When referenced by name, some HTML entities may cause problems. To resolve
these problems, reference the HTML entities by number, such as the ISO 8859-1
character entity numbers. For example, reference é as &#233; and not as &eacute;.

Broken JavaScript code


In some cases, the apostrophe character (') may break JavaScript code and you must
replace the character with the entity number.
For example, consider the following error string (note the apostrophes):
static final String digidErrorGeneral = "Impossible de terminer
l'opération de gestion de l'ID numérique.";
If the error string is referenced in JavaScript code, such as
alert('<%=digidErrorGeneral%>');
it results in broken JavaScript code because the apostrophe is interpreted as a closing
quote for an alert function call:
alert('Impossible de terminer l'opération de gestion de l'ID
numérique.');
The following shows how to correctly define the error string:
static final String digidErrorGeneral = "Impossible de terminer
l&#8217;opération de gestion de l&#8217;ID numérique.";
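The two fixes above, numeric rather than named entity references and the apostrophe replaced by &#8217; before the text is embedded in JavaScript, as an added Python example; this is not code from the guide or from Administration Services. The helper names are hypothetical, and the third function shows a JavaScript-level escape that is an alternative to the guide's approach, not a description of it.

```python
import re
from html.entities import name2codepoint

# Matches a complete named reference such as &eacute; (a name followed by a semicolon).
NAMED_ENTITY = re.compile(r"&([A-Za-z][A-Za-z0-9]*);")


def named_to_numeric_entities(text: str) -> str:
    """Rewrite named entity references as decimal numeric references.

    &eacute; becomes &#233;. Names the HTML 4 entity table does not know are left
    untouched, and references that are already numeric are not matched by the pattern.
    """
    def replace(match):
        name = match.group(1)
        if name in name2codepoint:
            return "&#%d;" % name2codepoint[name]
        return match.group(0)
    return NAMED_ENTITY.sub(replace, text)


def escape_apostrophes_as_entity(text: str) -> str:
    """Replace the ASCII apostrophe with &#8217;, as the guide does for the error string.

    This relies on an XML or HTML parser decoding the reference before the text reaches
    the JavaScript engine, which holds for text emitted through the XSL templates.
    """
    return text.replace("'", "&#8217;")


def escape_for_single_quoted_js(text: str) -> str:
    """Alternative (not from the guide): escape at the JavaScript level.

    Use this when the string is written directly inside a <script> block, where entity
    references are not decoded. Backslashes go first so later escapes are not doubled;
    '</' is broken up so the text cannot terminate the enclosing script element.
    """
    return (text.replace("\\", "\\\\")
                .replace("'", "\\'")
                .replace('"', '\\"')
                .replace("\r", "\\r")
                .replace("\n", "\\n")
                .replace("</", "<\\/"))


# Constructed sample: the French error string quoted above.
SAMPLE_ERROR = "Impossible de terminer l'opération de gestion de l'ID numérique."

if __name__ == "__main__":
    print(named_to_numeric_entities("caf&eacute; &amp; th&eacute;"))
    print(escape_apostrophes_as_entity(SAMPLE_ERROR))
    print("alert('%s');" % escape_for_single_quoted_js(SAMPLE_ERROR))
```

Whichever form is used, the check that matters is the one the guide's example makes visible: render the page and confirm that the emitted alert call still has exactly one opening and one closing quote around the whole message.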

Web browsers cannot display some locale names


On systems supporting some multibyte languages such as Japanese, the Web
browser may not be able to display the locale name in the native language. For
example, Japanese may be displayed as a series of question marks, such as ???.
The easiest fix for this problem is to display the locale in English.

To display the locale for MLS Administration in English
1 Log in to the Administration Services server hosting the application server
components.
2 Open the common.jsp file. You can find the file in the following location:
<AS-install>\services\mls\mls\webapp\WEB-INF\jsp
3 Change the setting
loc.getDisplayName(loc)
to
loc.getDisplayName(Locale.ENGLISH)
4 Save and close the file.
5 Restart Administration Services.

32

MLS Web Service API reference


The MLS Web Service is designed to create, sign, and retrieve master lists of trusted
foreign Country Signing Certification Authorities (CSCAs). MLS Administration uses
the MLS Web Service when an administrator views or updates a domestic master list.
Custom applications can also use the MLS Web Service. Administration Services
provides a Web Service Definition Language (WSDL) for custom applications, and it
can be imported into an Integrated Development Environment (IDE) to generate
client-side stubs.

Note:
The MLS Web Service was designed with the assumption that custom
applications are responsible for submitting the correct certificates. The MLS Web
Service assumes that all certificates being added are valid CSCA certificates. It is
critical that an administrator carefully review the list of certificates being added
by the MLS Web Service to ensure that they are the correct certificates. The
resulting master list should also be carefully reviewed before being published to
the ICAO Public Key Directory.

The MLS Web Service is protected by certificate-based, mutually-authenticated
Secure Sockets Layer (SSL). Clients of the MLS Web Service must have a certificate
suitable for SSL client authentication. For information about issuing a valid MLS Web
Service client profile, see “Creating Master List Client credentials” on page 744. The
client profile must be issued by the Master List Signer Services CA.
You can find the WSDL file for the MLS Web Service in the following location on the
server hosting the Master List Signer services:
<AS-install>/services/mls/mls/webapp/wsdl
The MLS Web Service exports the following methods:

GetMlswsVersions
Description: Returns version information about the MLS Web Service.
Request: None
Response: java.lang.String Version

GetMasterList
Description: Returns the current active domestic master list (the last master list
created through either the MLS Administration interface or the MLS Web Service).
Request: None
Response: javax.activation.DataHandler MasterList

CreateMasterList
Description: Creates a new domestic master list containing the supplied
certificates. The MLS Web Service will take the set of certificates and create a new
master list containing these certificates. The master list is signed by the Master
List Signer profile issued by the CSCA. This master list becomes the new current
active master list.
Request: javax.activation.DataHandler[] CSCACertificates
The content of the request is the set of CSCA root certificates (domestic and
foreign) to be included in the new master list.
Response: javax.activation.DataHandler MasterList

Section 8
Country Verifying CA section

This section provides instructions for installing a Country Verifying Certification
Authority (CVCA), installing and configuring Administration Services, and
administering the CVCA.
This section contains the following chapters:
• “Installing a Country Verifying CA” on page 893
• “Deploying CVCA Administration” on page 907
• “Configuring CVCA Administration” on page 985
• “Administering a Country Verifying Certification Authority” on page 1005
• “Customizing CVCA Administration” on page 1109
• “Localizing CVCA Administration” on page 1121
• “CVCA command quick reference” on page 1133

33

Installing a Country Verifying CA


Before you can administer a Country Verifying Certification Authority (CVCA), you
must install a CVCA. Installing a CVCA requires that you install, configure and
initialize Security Manager as a CVCA.
This chapter includes the following sections:
• “Installing and configuring Security Manager” on page 894
• “Configuring CVCA license information” on page 903
• “Initializing a CVCA” on page 904

Installing and configuring Security Manager
Before installing Security Manager, ensure that you read all preinstallation
information described in the Security Manager 8.3 Installation Guide. Ensure that
you install and configure a supported LDAP directory and database as described in
the Security Manager 8.3 Installation Guide.
When using the countryName (c=) directory attribute to specify a two-letter country
code, the two-letter country code must be in uppercase characters to meet the ISO
3166 standard.
This section includes the following topics:
• “Installing and configuring Security Manager on Windows” on page 894
• “Installing and configuring Security Manager on Linux” on page 897

Installing and configuring Security Manager on Windows


Install, configure, and initialize Security Manager according to the instructions in the
Security Manager 8.3 Installation Guide. Before you can configure Security Manager
as a CVCA, you must configure it as an X.509 Certification Authority (CA). You must
configure it as a CA so you can create users and profiles to administer the CVCA.
The following procedure provides information about installing and configuring
Security Manager as a CVCA, and includes special instructions for deployments that
contain Administration Services.
If you are installing Security Manager as a joint Country Signing Certification
Authority (CSCA) and CVCA, see “Installing a Country Signing CA” on page 95 for
instructions about installing and configuring the CA as a CSCA.

Attention:
Not all Security Manager client applications support all the algorithms that you
can select when configuring Security Manager. When configuring Security
Manager, ensure that you select algorithms supported by all the client
applications that you plan to use.

To install and configure Security Manager on Windows

1 Install and configure Security Manager as described in the Security Manager 8.3
Installation Guide.
If you are installing Security Manager as a joint Country Signing Certification
Authority (CSCA) and CVCA, see “Installing a Country Signing CA” on page 95
for instructions about installing and configuring the CA as a CSCA.

When configuring Security Manager, configure the following options:
a On the Security Manager License Information page, enter your Security
Manager license information that was provided to you by Entrust.

Note:
If you do not enter CVCA license information, Security Manager does not prompt
you to configure and initialize a CVCA. To configure and initialize a CVCA after
initializing Security Manager, see “Initializing a CVCA” on page 904.

If your CVCA will manage domestic Document Verifiers, enter license
information into the fields under the CVCA for Domestic DVs tab. If your
CVCA will manage foreign Document Verifiers, enter license information into
the fields under the CVCA for Foreign DVs tab.
The DV for Inspection Systems tab is for Document Verifiers that manage
Inspection Systems. If you mistakenly enter license information into this tab,
click Clear Values to reset the license information.
b If you plan on using Administration Services to administer the CVCA, select
algorithms that are supported by Administration Services.
See the Administration Services Release Notes for information about which
algorithms are supported by Administration Services.
c For CA Type, click Root CA to configure the Certification Authority as a root
CA.
You can only configure a root CA as a CVCA. If you entered CVCA license
information earlier, you can only configure a root CA.

2 If you entered CVCA license information, the Configuration Information for
CVCA dialog box appears.

To configure the CVCA:
a In the Country drop-down list, select your country.
Your country’s ISO 3166-1 ALPHA-2 country code appears in the Country
Code field. If you select User Defined Country Code, you can enter your
country code into the Country Code field.
The country code and the mnemonic form the CVCA identity.
b In the Mnemonic Label field, enter a unique label for the CVCA. The label
must be between one and nine ISO 8859-1 Latin-1 characters. The country
code and the mnemonic form the CVCA identity.
When entering a mnemonic label, only characters supported by the Regional
and Language Options can be entered natively. If you want an accented
character but your ANSI code page does not support it, you cannot enter or
paste it into the text field. You must enter it as escaped UTF-8. For example,
enter Liberté as Libert\C3\A9. For more information, see knowledge
article 43715 (formerly TN7478) on Entrust Datacard TrustedCare at
https://trustedcare.entrustdatacard.com.
c In the Terminal Authentication Algorithm drop-down list, select a terminal
authentication algorithm.
d In the Key Type drop-down list, select a key type.
e For Holder Access Rights:
– To allow access rights to iris biometric data, select Iris.
– To allow access rights to fingerprint biometric data, select Fingerprint.
f Under Certificate Lifetime, enter the lifetime of CVCA certificates. The
lifetime must be between one day and 25 years.
g In the Certificate Expiry Warning Threshold (days) field, enter the number
of days before a CVCA certificate expires when Security Manager starts
warning you of the impending expiry. A value of 0 suppresses the warnings.
h Under Sequence Number Algorithm, click Numeric to use a numeric
sequence number algorithm, or click Alphanumeric to use an alphanumeric
sequence number algorithm.
i To include the country code in the sequence number algorithm, select Use
the Country Code in the Sequence Number Algorithm.
j Click Next to continue.
3 Initialize Security Manager as described in the Security Manager 8.3 Installation
Guide.
4 Install the latest Security Manager patches.
5 (Optional.) Install Security Manager Administration according to the instructions
in the Security Manager Administration User Guide.
Security Manager Administration is the graphical interface for Security Manager.
For information about Security Manager Administration, see the Security
Manager Administration User Guide.

Installing and configuring Security Manager on Linux

Install, configure, and initialize Security Manager according to the instructions in the
Security Manager 8.3 Installation Guide. Before you can configure Security Manager
as a CVCA, you must configure it as an X.509 Certification Authority (CA). You must
configure it as a CA so you can create users and profiles to administer the CVCA.
The following procedure provides information about installing and configuring
Security Manager as a CVCA, and includes special instructions for deployments that
contain Administration Services.

If you are installing Security Manager as a combined Country Signing Certification
Authority (CSCA) and CVCA, see “Installing a Country Signing CA” on page 95 for
instructions about installing and configuring the CA as a CSCA.

Attention:
Not all Security Manager client applications support all the algorithms that you
can select when configuring Security Manager. When configuring Security
Manager, ensure that you select algorithms supported by all the client
applications that you plan to use.

To install and configure Security Manager on Linux

1 Install and configure Security Manager as described in the Security Manager 8.3
Installation Guide.
If you are installing Security Manager as a combined Country Signing
Certification Authority (CSCA) and CVCA, see “Installing a Country Signing CA”
on page 95 for instructions about installing and configuring the CA as a CSCA.
When configuring Security Manager, configure the following options:
a When prompted to enter your licensing information, enter your Security
Manager license information that was provided to you by Entrust.

Note:
If you do not enter CVCA license information, Security Manager does not prompt
you to configure and initialize a CVCA. To configure and initialize a CVCA after
initializing Security Manager, see “Initializing a CVCA” on page 904.

If your CVCA will manage domestic Document Verifiers, enter license
information for the following prompts:
Enter the CVCA licensing information for domestic DVs that
appears on your Entrust licensing card. This is optional at
this time. The information may be added at a later date by
modifying the entmgr.ini file.
Domestic DV Serial Number:
Domestic DV User Limit:
Domestic DV Licensing Code:
If your CVCA will manage foreign Document Verifiers, enter license
information for the following prompts:

Enter the CVCA licensing information for foreign DVs that
appears on your Entrust licensing card. This is optional at
this time. The information may be added at a later date by
modifying the entmgr.ini file.
Foreign DV Serial Number:
Foreign DV User Limit:
Foreign DV Licensing Code:
b If you plan on using Administration Services to administer the CVCA, select
algorithms that are supported by Administration Services.
See the Administration Services Release Notes for information about which
algorithms are supported by Administration Services.
c Security Manager will prompt you to configure the CA as a root CA or a
subordinate CA:
A hierarchy of CAs comprises several CAs linked into a tree
structure. There is a single CA which unites the tree into a
single structure. This CA is the "Root CA". A CA which does not
participate in a hierarchy is also referred to as a "Root CA"
since it may have subordinates at some time in the future. Any
other CA in the hierarchy is called a "Subordinate CA".

Choose the type of CA you wish to configure.


Select one of the following:
1. Root CA
2. Subordinate CA
[1] >
Enter 1 to configure the CA as a root CA.
You can only configure a root CA as a CVCA. If you entered CVCA license
information earlier, you can only configure a root CA.
2 If you entered CVCA license information:
a Security Manager prompts you to configure the CVCA:
The following information is required to initialize your CVCA.
Country Code :
Enter your country’s ISO 3166-1 ALPHA-2 country code. The country code
and the mnemonic form the CVCA identity.
b Security Manager prompts you for a mnemonic label:
Mnemonic Label (1-9 Latin-1 characters) :
Enter a unique label for the CVCA. The label must be between one and nine
ISO 8859-1 Latin-1 characters. The country code and the mnemonic form
the CVCA identity.

If your keyboard layout does not support Latin-1 characters, you must enter
accented characters as escaped UTF-8. For example, enter Liberté as
Libert\C3\A9. If you want to enter a backslash (\) that is not part of an
escaped UTF-8 sequence, you must enter it as two backslashes (\\).
c Security Manager prompts you to select a terminal authentication algorithm:
Enter the Terminal Authentication Algorithm.
Select one of the following:
1. RSA-SHA1
2. RSA-SHA256
3. RSAPSS-SHA1
4. RSAPSS-SHA256
5. ECDSA-SHA1
6. ECDSA-SHA224
7. ECDSA-SHA256
[7] >
Enter the number corresponding to the algorithm that you want. For
example, enter 1 for RSA-SHA1.
d Security Manager prompts you to select a key type. For example:
Enter the Key Type
Select one of the following:
1. EC-ansix9p160k1
2. EC-ansix9p160r1
3. EC-ansix9p160r2
4. EC-ansix9p192k1
5. EC-ansix9p192r1
6. EC-ansix9p224k1
7. EC-ansix9p224r1
8. EC-ansix9p256k1
9. EC-ansix9p256r1
10. EC-brainpoolP160r1
11. EC-brainpoolP160t1
12. EC-brainpoolP192r1
13. EC-brainpoolP192t1
14. EC-brainpoolP224r1
15. EC-brainpoolP224t1
16. EC-brainpoolP256r1
17. EC-brainpoolP256t1
[9] >
The options available depend on the terminal authentication algorithm you
selected earlier. If you selected an RSA algorithm, only RSA key types are
available. If you selected an ECDSA algorithm, only EC key types are
available.
Enter the number that corresponds to the key type for your CA. For
example, for EC key pair types, enter 1 for EC-brainpoolP160r1.

e Security Manager asks if you want to activate holder access rights for iris
biometric data:
Activate Iris holder access rights? (y/n) ? [n]
To allow access rights to iris biometric data, enter y. Otherwise enter n.
f Security Manager asks if you want to activate holder access rights for
fingerprint biometric data:
Activate Fingerprint holder access rights? (y/n) ? [n]
To allow access rights to fingerprint biometric data, enter y. Otherwise enter
n.
g Security Manager prompts you to select a time period for CVCA certificates:
Enter the time period to be used in determining the certificate
lifetime.
Select one of the following:
1. years
2. months
3. weeks
4. days
[1] >
Enter the number corresponding to the time period that you want. For
example, enter 1 for years.
h Security Manager prompts you to choose a lifetime for CVCA certificates.
Depending on the time period you selected, you see one of the following
prompts:
Valid for this many years [3]:
Valid for this many months [36]:
Valid for this many weeks [156]:
Valid for this many days [1095]:
Enter the lifetime of CVCA certificates. The lifetime must be between one
day and 25 years.
i Security Manager prompts you to provide a warning threshold:
Number of days to warn before certificate expires [100]:
Enter the number of days before a CVCA certificate expires when Security
Manager starts warning you of the impending expiry. A value of 0 suppresses
the warnings.
j Security Manager prompts you for the format of the sequence number
algorithm:
Enter the holder reference sequence number algorithm to use.
Select one of the following:
1. Numeric
2. Alphanumeric
[1] >
Enter 1 to use a numeric sequence number algorithm, or enter 2 to use an
alphanumeric sequence number algorithm.
k Security Manager asks if you want to include the country code in the
sequence number algorithm:
Use the Country Code in the sequence algorithm? (y/n) ? [n]
Enter y to include the country code in the sequence number algorithm.
Otherwise, enter n.
3 Initialize Security Manager as described in the Security Manager 8.3 Installation
Guide.
4 Install the latest Security Manager patches.
5 (Optional.) Install Security Manager Administration according to the instructions
in the Security Manager Administration User Guide.
Security Manager Administration is the graphical interface for Security Manager.
For information about Security Manager Administration, see the Security
Manager Administration User Guide.

Configuring CVCA license information
If you want to initialize a CVCA and you already initialized Security Manager, or if you
purchased new CVCA license information from Entrust, complete the following
procedure to add or change the CVCA license information.

To configure CVCA license information

1 Open the entmgr.ini file. For information about this file, see the Security
Manager Operations Guide.
2 Find the [Authorization] section.
3 Enter the CVCA license information as follows:
• If you purchased a license for your CVCA to manage domestic Document
Verifiers, then enter your license information into the following settings:
DDVSerialNumber=
DDVUserLimit=
DDVKey=
• If you purchased a license for your CVCA to manage foreign Document
Verifiers, then enter your license information into the following settings:
FDVSerialNumber=
FDVUserLimit=
FDVKey=
4 Save and close the file.
5 If Security Manager is running, stop and then start the Security Manager service.
See the Security Manager Operations Guide for details.
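For deployments that script this change, the following added example (not an Entrust tool) sets the DDV*/FDV* keys inside the [Authorization] section and reports whether a complete licence set is present. It assumes the plain key=value layout the procedure above shows; the ini fragment and licence values are constructed placeholders.

```python
"""Set or check the CVCA licence keys in the [Authorization] section of
entmgr.ini from a script, leaving every other line of the file as it was.
Added example, not an Entrust tool; the ini fragment and the licence
values used with it are constructed placeholders."""
from pathlib import Path
from typing import Dict, Optional, Sequence

DOMESTIC = ("DDVSerialNumber", "DDVUserLimit", "DDVKey")
FOREIGN = ("FDVSerialNumber", "FDVUserLimit", "FDVKey")

SAMPLE_INI = """\
[Authorization]
; constructed fragment of entmgr.ini for this example
DDVSerialNumber=
DDVUserLimit=

[SomeOtherSection]
Setting=value
"""


def _is_header(stripped: str) -> bool:
    return stripped.startswith("[") and stripped.endswith("]")


def _is_authorization(stripped: str) -> bool:
    return stripped[1:-1].strip().lower() == "authorization"


def cvca_license_status(text: str) -> Dict[str, bool]:
    """True for 'domestic' / 'foreign' when all three of its keys carry a
    value; 'cvca init' needs at least one complete set."""
    values, in_section = {}, False
    for line in text.splitlines():
        s = line.strip()
        if _is_header(s):
            in_section = _is_authorization(s)
        elif in_section and "=" in s and not s.startswith((";", "#")):
            key, val = s.split("=", 1)
            values[key.strip()] = val.strip()
    return {"domestic": all(values.get(k) for k in DOMESTIC),
            "foreign": all(values.get(k) for k in FOREIGN)}


def set_cvca_license(text: str, domestic: Optional[Sequence] = None,
                     foreign: Optional[Sequence] = None) -> str:
    """Write (serial number, user limit, licensing code) triples into the
    DDV* and/or FDV* keys.  Keys already present are rewritten in place;
    missing ones are appended at the end of [Authorization]."""
    wanted: Dict[str, str] = {}
    for names, values in ((DOMESTIC, domestic), (FOREIGN, foreign)):
        if values is not None:
            if len(values) != 3:
                raise ValueError("expected (serial number, user limit, licensing code)")
            wanted.update(zip(names, (str(v) for v in values)))
    out, done, in_section, seen_section = [], set(), False, False

    def append_missing():
        trailing = []                       # keep blank lines before next header
        while out and not out[-1].strip():
            trailing.append(out.pop())
        out.extend(f"{k}={v}" for k, v in wanted.items() if k not in done)
        done.update(wanted)
        out.extend(trailing)

    for line in text.splitlines():
        s = line.strip()
        if _is_header(s):
            if in_section:
                append_missing()
            in_section = _is_authorization(s)
            seen_section = seen_section or in_section
        elif in_section and "=" in s and not s.startswith((";", "#")):
            key = s.split("=", 1)[0].strip()
            if key in wanted:
                out.append(f"{key}={wanted[key]}")
                done.add(key)
                continue
        out.append(line)
    if not seen_section:
        raise ValueError("entmgr.ini has no [Authorization] section")
    if in_section:
        append_missing()                    # section ran to end of file
    return "\n".join(out) + "\n"


def update_file(path: str, **licences) -> Dict[str, bool]:
    """Rewrite entmgr.ini on disk and report the resulting licence status.
    Security Manager reads the file at start-up, so restart the service after."""
    p = Path(path)
    new_text = set_cvca_license(p.read_text(), **licences)
    p.write_text(new_text)
    return cvca_license_status(new_text)
```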

Initializing a CVCA
If you are configuring Security Manager as a CVCA, you must initialize the CVCA
after you initialize Security Manager (see the Security Manager Installation Guide).
You cannot initialize both a CVCA and a Document Verifier with the same Security
Manager. You cannot initialize a CVCA on a Security Manager configured as a
subordinate CA.
To initialize a CVCA, you must have CVCA license information in the entmgr.ini file.
See “Configuring CVCA license information” on page 903 for information about
configuring the CVCA license information.

To initialize a CVCA
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 At the prompt, enter the following command:
cvca init <country code> <mnemonic> [-taa <value>] [-keytype <value>] [-ar F|I|FI|""] [-seqAlg A|N|CA|CN] [-lifetime years|months|weeks|days <value>] [-warn <days>] [-softKey enabled|disabled]
Parameters in square brackets are optional parameters. Table 44 describes the
parameters.

Table 44: cvca init parameters

Parameter                Description

<country code>           The ISO 3166-1 ALPHA-2 country code of your country. The
                         country code and the mnemonic form the CVCA identity.

<mnemonic>               Unique label for the CVCA. The label must be between one
                         and nine ISO 8859-1 Latin-1 characters. The country code
                         and the mnemonic form the CVCA identity.

-taa <value>             Specifies the terminal authentication algorithm. The
                         algorithm must be one of:
                         • RSA-SHA1
                         • RSA-SHA256
                         • RSAPSS-SHA1
                         • RSAPSS-SHA256
                         • ECDSA-SHA1
                         • ECDSA-SHA224
                         • ECDSA-SHA256
                         If you do not specify a terminal authentication
                         algorithm, it defaults to ECDSA-SHA256.

-keytype <value>         Specifies the key type (RSA or EC), and the key size (RSA)
                         or domain parameters (EC). The key type must be one of:
                         • RSA-1024
                         • RSA-1280
                         • RSA-1536
                         • RSA-2048
                         • RSA-3072
                         • RSA-4096
                         • EC-ansix9p160k1
                         • EC-ansix9p160r1
                         • EC-ansix9p160r2
                         • EC-ansix9p192r1
                         • EC-ansix9p192k1
                         • EC-ansix9p224r1
                         • EC-ansix9p224k1
                         • EC-ansix9p256r1
                         • EC-ansix9p256k1
                         • EC-brainpoolP160r1
                         • EC-brainpoolP160t1
                         • EC-brainpoolP192r1
                         • EC-brainpoolP192t1
                         • EC-brainpoolP224r1
                         • EC-brainpoolP224t1
                         • EC-brainpoolP256r1
                         • EC-brainpoolP256t1
                         If you do not specify a key type, it defaults to
                         EC-ansix9p256r1.

-ar F | I | FI | ""      Specifies the holder access rights:
                         • F (fingerprint)
                         • I (iris)
                         • FI (fingerprint and iris)
                         • "" (neither)
                         If you do not specify the holder access rights, it
                         defaults to fingerprint (F).

-seqAlg A | N | CA | CN  Specifies the sequence number algorithm of the CVCA
                         holder reference:
                         • A (5-digit alphanumeric)
                         • N (5-digit numeric)
                         • CA (country code plus 3-digit alphanumeric)
                         • CN (country code plus 3-digit numeric)
                         If you do not specify the sequence number algorithm, it
                         defaults to N (5-digit numeric).

-lifetime years | months | weeks | days <value>
                         Specifies the lifetime of the CVCA certificate in years,
                         months, weeks, or days. Must be between one day and 25
                         years. If you do not specify a lifetime, the default is
                         three years.

-warn <days>             Specifies the number of days before the certificate
                         expires when Security Manager starts warning you of the
                         impending expiry. A value of 0 suppresses the warnings.
                         If you do not specify a warning threshold, it defaults
                         to 100 days.

-softKey enabled | disabled
                         Controls whether software is permitted as a storage
                         location for the CVCA keys. If enabled, you can store the
                         CVCA keys in software. If disabled, you can only store
                         the CVCA keys on a hardware device. If you do not specify
                         a value, you can store the CVCA keys in software.


3 If the services are running, the following prompt appears:
This will restart the services. proceed (y/n) ? [y]
Enter y to restart the services.
4 Security Manager prompts you to select a destination for the CVCA key. For
example:
Select the destination for the new CVCA key
Choose one of:
1. Software
2. CAHdwareVendor01 SN: 99ERT-A7-00-1 SLOT: 897756
3. CAHdwareVendor02 SN: REM77Z28X SLOT: 1000000029
4. Cancel operation
Enter the number associated with the device or action you want to select. For
example, enter 1 to select Software.
5 If you chose to generate your CVCA keys on a hardware security module (HSM)
and the HSM requires a password, Security Manager prompts you for the
hardware password. Enter the password for the hardware device.
If the services are running, Security Manager restarts the services.
Security Manager displays the CVCA certificate. You have now initialized a CVCA. If
you stored the CVCA key on a hardware device, back up the CVCA key using the
instructions in your hardware documentation.
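A checker for the three identity values the procedures above take (country code, mnemonic label with its escaped-UTF-8 form, and the 5-character sequence number chosen by -seqAlg), added here as an example rather than Entrust code. It assumes the base-36 alphabet 0-9A-Z for the alphanumeric sequence forms and the country code + mnemonic + sequence number layout of the holder reference from BSI TR-03110, neither of which the guide spells out.

```python
"""Checks for the identity values that 'cvca init' takes: the two-letter
country code, the 1-9 character Latin-1 mnemonic (and its escaped-UTF-8
form for consoles that cannot take the character natively), and the
5-character sequence number selected by -seqAlg.  Added example, not
Entrust code; see the lead-in for the two assumptions it makes."""
import re

CC_RE = re.compile(r"^[A-Z]{2}$")               # ISO 3166-1 alpha-2, uppercase only
ALNUM = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # assumed alphabet for A / CA
HEX2 = re.compile(r"[0-9A-Fa-f]{2}")


def check_country_code(cc: str) -> str:
    """Two uppercase ASCII letters.  Lowercase is rejected, not corrected,
    so a mistyped value cannot silently become part of the CVCA identity."""
    if not CC_RE.match(cc):
        raise ValueError(f"country code must be two uppercase letters: {cc!r}")
    return cc


def check_mnemonic(label: str) -> str:
    """1 to 9 characters, every one representable in ISO 8859-1 (Latin-1)."""
    if not 1 <= len(label) <= 9:
        raise ValueError(f"mnemonic must be 1-9 characters, got {len(label)}")
    try:
        label.encode("latin-1")
    except UnicodeEncodeError as exc:
        raise ValueError(f"mnemonic has a non-Latin-1 character: {exc}") from None
    return label


def escape_mnemonic(label: str) -> str:
    """Escaped-UTF-8 form accepted at the Security Manager prompts: each
    non-ASCII character becomes \\XX per UTF-8 byte (Liberté -> Libert\\C3\\A9)
    and a literal backslash becomes \\\\ so it is not read as an escape."""
    out = []
    for ch in check_mnemonic(label):
        if ch == "\\":
            out.append("\\\\")
        elif ord(ch) < 0x80:
            out.append(ch)
        else:
            out.extend(f"\\{b:02X}" for b in ch.encode("utf-8"))
    return "".join(out)


def unescape_mnemonic(escaped: str) -> str:
    """Inverse of escape_mnemonic, for checking what was actually entered."""
    buf, i = bytearray(), 0
    while i < len(escaped):
        if escaped.startswith("\\\\", i):
            buf.append(ord("\\"))
            i += 2
        elif escaped[i] == "\\" and HEX2.fullmatch(escaped[i + 1:i + 3]):
            buf.append(int(escaped[i + 1:i + 3], 16))
            i += 3
        else:
            buf.extend(escaped[i].encode("utf-8"))
            i += 1
    return check_mnemonic(buf.decode("utf-8"))


def sequence_number(alg: str, counter: int, cc: str = "") -> str:
    """Format a certificate counter as the 5-character sequence number for
    -seqAlg A | N | CA | CN.  CA and CN spend two characters on the country
    code, so only three remain and the counter space is much smaller."""
    if alg not in ("A", "N", "CA", "CN"):
        raise ValueError(f"unknown -seqAlg value {alg!r}")
    if counter < 0:
        raise ValueError("counter must be non-negative")
    prefix, width = ("", 5) if alg in ("A", "N") else (check_country_code(cc), 3)
    base = 10 if alg in ("N", "CN") else 36
    if counter >= base ** width:
        raise ValueError(f"-seqAlg {alg} is exhausted after {base ** width} values")
    digits = ""
    for _ in range(width):
        counter, r = divmod(counter, base)
        digits = ALNUM[r] + digits
    return prefix + digits


def holder_reference(cc: str, mnemonic: str, alg: str, counter: int) -> str:
    """Country code + mnemonic + sequence number (BSI TR-03110 layout)."""
    return (check_country_code(cc) + check_mnemonic(mnemonic)
            + sequence_number(alg, counter, cc))
```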

34 Deploying CVCA Administration

This chapter describes how to deploy CVCA Administration. CVCA Administration is
a service provided by Entrust Authority Administration Services.
CVCA Administration is a Web-based interface for administering a Country Verifying
Certification Authority (CVCA). CVCA administrators use CVCA Administration to
manage domestic and foreign Document Verifiers, DV certificates and certificate
requests.
This chapter includes the following sections:
• “Deployment overview” on page 908
• “Installing and configuring the Web server (optional)” on page 910
• “Synchronizing Administration Services and Security Manager time settings”
on page 913
• “Creating CVCA Administration Server credentials” on page 914
• “Creating CVCA Administration XAP credentials” on page 918
• “Creating SPOC Domestic Web Service credentials” on page 921
• “Checking the entrust.ini file” on page 924
• “Installing CVCA Administration” on page 926
• “Completing the Microsoft IIS front-end configuration for CVCA
Administration” on page 957
• “Completing the Apache HTTP Server front-end configuration for CVCA
Administration” on page 964
• “Configuring CVCA Administration to connect to the CVCA” on page 970
• “Creating or modifying a user policy for CVCA administrators” on page 974
• “Creating roles for CVCA administrators” on page 977
• “Creating CVCA administrators” on page 979
• “Testing CVCA Administration” on page 984

Deployment overview
Deploying Administration Services for a CVCA includes the following steps. Each step
is described in further detail in this chapter.
1 Review the list of supported operating systems, Web servers, and Web browsers.
See the Entrust Authority Administration Services Release Notes. The most
recent Release Notes are posted on Entrust Datacard TrustedCare.
2 (Optional.) Install and configure a supported Web server (see “Installing and
configuring the Web server (optional)” on page 910).
CVCA Administration consists of application server components and optional
Web server components. The Web server components allow you to configure a
front-end Web server so requests go through a Web server instead of directly to
the application server.
3 Synchronize the application server and Security Manager Certification Authority
time setting (see “Synchronizing Administration Services and Security Manager
time settings” on page 913).
4 Create Entrust profiles for Administration Services:
• “Creating CVCA Administration Server credentials” on page 914
• “Creating CVCA Administration XAP credentials” on page 918
• “Creating SPOC Domestic Web Service credentials” on page 921
5 Check the settings in the entrust.ini file (see “Checking the entrust.ini file” on
page 924).
6 Install CVCA Administration (see “Installing CVCA Administration” on
page 926).
7 If you configured the CVCA Administration to use a front-end Web server, you
must complete the front-end configuration:
• “Completing the Microsoft IIS front-end configuration for CVCA
Administration” on page 957
• “Completing the Apache HTTP Server front-end configuration for CVCA
Administration” on page 964
8 Create or modify a user policy for CVCA administrators (see “Creating or
modifying a user policy for CVCA administrators” on page 974).
The client policy (user policy) assigned to the roles used by CVCA administrators
must allow external authentication and optionally PKCS #12 export.
9 Create new roles for CVCA administrators (see “Creating roles for CVCA
administrators” on page 977).
The operations that administrators can perform in CVCA Administration depend
on the administrator’s role. You can use existing pre-defined roles, or create new
roles for your CVCA administrators.

10 Create a user entry in Security Manager for each CVCA administrator (see
“Creating CVCA administrators” on page 979).
11 Test that CVCA Administration was installed correctly (see “Testing CVCA
Administration” on page 984).

Installing and configuring the Web server (optional)
CVCA Administration consists of application server components and optional Web
server components. The Web server components allow you to configure a front-end
Web server so requests go through a Web server instead of directly to the application
server.
Before installing and configuring a supported Web server, familiarize yourself with the
specific security requirements for Administration Services. For a list of supported Web
servers, see the Administration Services Release Notes.
You must install the Web server software according to the documentation provided
with the product. It is recommended that you create and maintain a dedicated Web
server instance for Administration Services.
After successfully installing the Web server, perform the tasks listed in the following
sections:
• “Enabling SSL on your Web server” on page 910
• “Testing the SSL-enabled Web server” on page 911
• “Microsoft IIS features required for Administration Services” on page 911
• “Configuring the VirtualHost directive on Apache HTTP Server” on
page 912

Enabling SSL on your Web server

Enable Secure Sockets Layer (SSL) encryption on your Web server to secure the
connection between the client’s Web browser and Administration Services. SSL is an
application layer protocol used to protect the confidentiality and security of data
transmitted over the Internet.

Note:
Web Server SSL certificates must be issued by a Certification Authority.
Self-signed certificates are not supported.

You need a Web server certificate to enable SSL on your Web server. You can use the
following Entrust products to obtain Web server certificates:
• To generate large numbers of licensed Web server certificates, use Entrust
Authority Enrollment Server for Web.

Enrollment Server for Web is a Security Manager client application that runs
on a Web server, and allows you to create Web certificates that are signed
by your own Certification Authority (CA).
• To issue small numbers of licensed Web server certificates, use Entrust
Certificate Management Services.
Entrust Certificate Management Service provides you with flexible certificate
options, auditing and reporting tools, and on-demand services for your SSL
certificate needs. To find out more, see the Web site at
https://www.entrustdatacard.com/products/ssl-certificates/certificate-management.
• You can also use Security Provider for Windows to generate licensed
Enterprise Web server certificates for machines.
Using Entrust Entelligence Security Provider for Windows to generate
Enterprise Web server certificates allows IIS to communicate with Security
Provider to automatically update the Web server certificate. For details, see
the Entrust Entelligence Security Provider for Windows Administration
Guide.
When you configure your Web server, it is recommended that you enforce 128-bit
encryption for Web browsers accessing your Web server. To enable SSL encryption,
enable server authentication on your Web server using the instructions provided in
your Web server documentation.

Testing the SSL-enabled Web server

Test the SSL connection between the Web server and client browser to ensure that
the Web server was properly installed and configured.

To test the Web server

1 Enter your Web site’s URL from your client’s Web browser and use https instead
of http.
2 Check for the secure connection icon—either a solid key or closed lock—at the
bottom of the browser window.
The secure connection icon on your Web site assures you that SSL encryption was
properly enabled on your Web server.

Microsoft IIS features required for Administration Services

To run on Microsoft Internet Information Services (IIS), Administration Services
requires the following IIS features:
• IIS Management Console
• Static Content

• Default Document
• ISAPI Extensions
• ISAPI Filters
See your Microsoft IIS documentation for information about installing these features.

Configuring the VirtualHost directive on Apache HTTP Server

When installing the Administration Services Web components on Apache HTTP
Server, the installer will prompt you to provide the host name and SSL port of the Web
server. The installer will use this host name and SSL port and look for any entries in
the form of <VirtualHost server:port> in the httpd.conf file, followed by the
httpd-ssl.conf file.
If the installer does not find any entries, it will display a warning at the end of the
installation, and you must manually configure the Web server for Administration
Services.
To avoid these errors, you must use the <VirtualHost server:port> format when
configuring SSL as described in the Apache HTTP Server documentation. If the server
or port is absent from the <VirtualHost> directive, the installer cannot configure
Apache HTTP Server for Administration Services.
The search for the <VirtualHost server:port> by the installer is also case-sensitive,
so when entering the fully qualified host name of the Web server into the installer,
enter the host name exactly as it appears in the configuration file.
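A pre-install check for the VirtualHost requirement just described, written as an added example (it is not part of the guide or of the Entrust installer). It follows the search order and case-sensitivity stated above; the file names, configuration fragments and host names are constructed.

```python
"""Pre-install check for the Apache HTTP Server front end: does httpd.conf
or httpd-ssl.conf contain a <VirtualHost host:port> entry that matches,
character for character, the host name and SSL port you will give the
Administration Services installer?  Added example, not Entrust code; the
configuration fragments and host names below are constructed."""
import re
from pathlib import Path
from typing import Dict, List, Optional

# One <VirtualHost ...> opening tag per line; the addresses inside may be
# several, separated by whitespace, so the whole argument list is captured.
VHOST_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.MULTILINE)

# The installer reads httpd.conf first, then httpd-ssl.conf.
SEARCH_ORDER = ("httpd.conf", "httpd-ssl.conf")

SAMPLE_CONFS: Dict[str, str] = {  # constructed fragments for this example
    "httpd.conf": (
        "Listen 80\n"
        "<VirtualHost *:80>\n"
        "    ServerName cvca.example.com\n"
        "</VirtualHost>\n"
    ),
    "httpd-ssl.conf": (
        "Listen 443\n"
        "<VirtualHost CVCA.Example.com:443>\n"
        "    SSLEngine on\n"
        "</VirtualHost>\n"
    ),
}


def load_confs(conf_dir: str) -> Dict[str, str]:
    """Read the two files the installer inspects from an Apache conf directory
    (that httpd-ssl.conf sits beside httpd.conf is an assumption)."""
    base = Path(conf_dir)
    return {name: (base / name).read_text() if (base / name).exists() else ""
            for name in SEARCH_ORDER}


def virtualhost_entries(conf_text: str) -> List[str]:
    """Every address in every <VirtualHost ...> line, in file order, left
    exactly as written because the installer compares the literal text."""
    return [addr for args in VHOST_RE.findall(conf_text) for addr in args.split()]


def find_installer_match(host: str, port: int, confs: Dict[str, str]) -> Optional[str]:
    """Name of the first file holding <VirtualHost host:port> exactly, or None
    when the installer would end with the 'configure manually' warning."""
    wanted = f"{host}:{port}"
    for name in SEARCH_ORDER:
        if wanted in virtualhost_entries(confs.get(name, "")):
            return name
    return None


def explain_mismatch(host: str, port: int, confs: Dict[str, str]) -> List[str]:
    """Near misses that still fail the installer's search: the right host in
    a different case, a wildcard or _default_ entry that names no host, or a
    VirtualHost written without a port."""
    notes = []
    for name in SEARCH_ORDER:
        for entry in virtualhost_entries(confs.get(name, "")):
            entry_host, _, entry_port = entry.rpartition(":")
            if not entry_port.isdigit():
                notes.append(f"{name}: <VirtualHost {entry}> has no port")
            elif int(entry_port) != port:
                continue
            elif entry_host in ("*", "_default_"):
                notes.append(f"{name}: <VirtualHost {entry}> does not name the host")
            elif entry_host != host and entry_host.lower() == host.lower():
                notes.append(f"{name}: <VirtualHost {entry}> differs only in case")
    return notes


if __name__ == "__main__":
    hit = find_installer_match("cvca.example.com", 443, SAMPLE_CONFS)
    print("match:", hit or "none")
    for note in explain_mismatch("cvca.example.com", 443, SAMPLE_CONFS):
        print("note:", note)
```

Run it against `load_confs("/path/to/apache/conf")` with the exact host name and port you intend to type into the installer before starting the installation.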

Synchronizing Administration Services and Security Manager time settings
Before or after installing Security Manager and Administration Services, you must
synchronize the time settings on all machines. The Timestamp servlet marks all client
browser messages with a time stamp. The local clock on the Administration Services
machine provides the time stamp for the Timestamp servlet.
The Timestamp servlet component of Administration Services requires all machines to
have synchronized time settings, within a five minute window. If Security Manager
and Administration Services time settings are greater than five minutes apart, the
following message may appear:
The XAP message has an expired timestamp. The message contained a
timestamp that was outside the server’s acceptance window. Make
sure that the source used to obtain message timestamps is
synchronized with the server’s time.
You can use Network Time client applications (or another method approved by your
organization) to synchronize the time settings of Security Manager and all
Administration Services machines to within a five minute time window.

Creating CVCA Administration Server credentials

Note:
You need to create a CVCA Administration Server profile only if you will not use
a front-end Web server with CVCA Administration. The Administration Services
installer will not prompt you for a CVCA Administration Server profile if you
configure the application server components for a front-end Web server.

CVCA Administration requires a server profile. The Administration Services installer
will prompt you for the profile when you install CVCA Administration. The CVCA
Administration Server profile is used to terminate SSL connections coming from
clients of the service.
For details about creating CVCA Administration Server profiles, see the following
topics:
• “Creating a user entry for a CVCA Administration Server profile” on
page 914
• “Creating a CVCA Administration Server profile” on page 916
• “Updating the CVCA Administration Server profile keys” on page 917

Creating a user entry for a CVCA Administration Server profile

You must create a user entry in Security Manager for the CVCA Administration Server
profile. You can use Security Manager Administration to create a user entry for the
CVCA Administration Server profile.
For more information about creating users with Security Manager Administration, see
the Security Manager Administration User Guide.

To create a user entry for the CVCA Administration Server profile using
Security Manager Administration
1 Log in to Security Manager Administration for the CVCA.
2 Select User > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,

914 Entrust® ePassport 3.00 Solutions Guide Document issue: 5.0


and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
4 Click the General tab.
5 In the User role drop-down list, select Server Login.
6 Click the Certificate Info tab.
7 In the Category drop-down list, select Enterprise.
8 Under Certificate Type, select Default.
9 Click the Key Update Options tab.
10 Select Use default key update policy. By default, this option is already selected.
11 Click OK.
12 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
Security Manager Administration displays the reference number and
authorization code required to create the CVCA Administration Server profile.
Record these activation codes in a secure manner, as you will require them later
to create and activate the user’s Entrust digital ID. For more details about how
the Registration number and Authorization codes are used, see the Security
Manager Administration User Guide.
13 You must add the host name of the server hosting the Administration Services
application server to the user entry:
a In the right pane, select the user you just created and then select Users >
Selected User > Properties.
b Click the SubjectAltName tab.
c Click Add.
The Add subjectAltName component dialog box appears.
d In the Select component name list, select DNS Name.
e In the Enter component value field, enter the Fully Qualified Domain Name
(FQDN) of the server hosting the Administration Services application server
(for example, appserver.example.com).
f Click OK to add the DNS name and close the Add subjectAltName
component dialog box.
g Click OK to save the changes.

h If prompted, authorize the operation. The operation may require more than
one authorization. See the Security Manager Administration User Guide for
details.
You have now created the user entry for the CVCA Administration Server profile.
Proceed to “Creating a CVCA Administration Server profile” on page 916.
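
The DNS name added in step 13 matters because the server profile terminates SSL for clients of the service: a client that verifies the server name checks the host it connected to against the certificate's DNS subjectAltName entries, so the entry must be the FQDN clients actually use. The following added example (not Entrust code) implements that comparison the way RFC 6125 describes it and wraps it in a pre-flight check; the function names and the sample FQDN appserver.example.com are assumptions for illustration.

```python
"""Hostname matching against the DNS subjectAltName entries of a TLS server certificate.

Added illustration, not part of the Entrust product: shows why the DNS name placed
in the CVCA Administration Server profile's user entry must be the FQDN clients use.
Matching follows RFC 6125: labels compare case-insensitively, and a single
whole-label wildcard is honoured in the leftmost label only.
"""
from typing import List


def hostname_matches_san(hostname: str, san_dns_names: List[str]) -> bool:
    """Return True if any DNS subjectAltName entry matches the presented hostname."""
    host = hostname.rstrip(".").lower().split(".")
    for entry in san_dns_names:
        pattern = entry.rstrip(".").lower().split(".")
        if len(pattern) != len(host):
            continue          # a wildcard never spans a dot, so label counts must agree
        if "*" in pattern[1:]:
            continue          # wildcards are only honoured in the leftmost label
        if pattern[0] == "*" and len(pattern) < 3:
            continue          # refuse over-broad patterns such as "*.com"
        if all(p == "*" or p == h for p, h in zip(pattern, host)):
            return True
    return False


def check_server_profile_san(app_server_fqdn: str, san_dns_names: List[str]) -> List[str]:
    """Pre-flight findings for the server profile certificate (hypothetical helper)."""
    findings: List[str] = []
    if not san_dns_names:
        findings.append("certificate carries no DNS subjectAltName entries")
    if "." not in app_server_fqdn.strip("."):
        findings.append(f"'{app_server_fqdn}' is not a fully qualified domain name")
    if not hostname_matches_san(app_server_fqdn, san_dns_names):
        findings.append(
            f"no DNS subjectAltName entry matches '{app_server_fqdn}'; "
            "clients that verify the server name will refuse the TLS connection"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample: the FQDN from the procedure above and a certificate SAN list.
    print(check_server_profile_san("appserver.example.com", ["appserver.example.com"]))
    print(check_server_profile_san("appserver", []))
```

Run it against the FQDN you entered in the SubjectAltName tab and the DNS names of the issued certificate; an empty list means clients connecting to that name will pass hostname verification.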

Creating a CVCA Administration Server profile


The CVCA Administration Server profile can be stored on software (as an EPF file) or
on a hardware security module. You can use one of the following applications to
create the CVCA Administration Server profile:
• Profile Creation Utility
The Profile Creation Utility can create the profile on software or hardware.
For instructions, see the Administration Services Installation Guide.
• Security Manager Administration
When using Security Manager Administration to create the profile, you must
create the profile on software. For instructions, see the following procedure.

To create a CVCA Administration Server profile using Security Manager
Administration
1 Create a user entry for the CVCA Administration Server profile (see “Creating a
user entry for a CVCA Administration Server profile” on page 914).
2 In the right pane, select the user entry you just created and then select Users >
Selected User > Create Profile.
The Create profile dialog box appears.
3 Click Create desktop profile.
4 In the Name field, enter the file name for the CVCA Administration Server profile.
Security Manager Administration will append the .epf extension to the file
name.
5 Click Browse to select a folder where you want to save the CVCA Administration
Server profile.
6 In the Password and Confirm fields, enter a password for the CVCA
Administration Server profile.
7 Click OK.
You can now use this profile with CVCA Administration. You need the profile, the
profile password, and the profile location when you install CVCA Administration.

Updating the CVCA Administration Server profile keys
It is not recommended that you copy profiles to other servers. If you do copy a profile
and the profile keys are updated at one server, copy the updated profile file to each
server.
The CVCA Administration Server profile keys are updated only on Administration
Services start up. You may have to schedule server restarts periodically with a
frequency that corresponds to the configured certificate lifetime.

Creating CVCA Administration XAP credentials
CVCA Administration requires a XAP profile to connect to the CVCA's XAP service
and sign XAP messages sent to the CVCA.
The CVCA Administration XAP profile must be an EPF file stored on software;
Administration Services does not support CVCA Administration XAP profiles stored
on hardware. The CVCA Administration XAP profile must be issued by the CVCA.
This section contains the following topics:
• “Creating a user entry for a CVCA Administration XAP profile” on page 918
• “Creating a CVCA Administration XAP profile” on page 919
• “Creating Server Login credentials for a CVCA Administration XAP profile”
on page 920
• “Updating the CVCA Administration XAP profile keys” on page 920

Creating a user entry for a CVCA Administration XAP profile


You must create a user entry in Security Manager for the CVCA Administration XAP
profile. You can use Security Manager Administration to create a user entry for the
CVCA Administration XAP profile.
For more information about creating users with Security Manager Administration, see
the Security Manager Administration User Guide.

To create a user entry for the CVCA Administration XAP profile using Security
Manager Administration
1 Log in to Security Manager Administration for the CVCA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).

4 Select the General tab.
5 In the User role drop-down list, select Server Login.
6 Select the Certificate Info tab.
7 In the Category drop-down list, select Enterprise.
8 Under Certificate Type, select Admin Services User Management External
Authenticator.
9 Click the Key Update Options tab.
10 Select Use default key update policy. By default, this option is already selected.
11 Click OK.
12 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
Security Manager Administration displays the reference number and
authorization code required to create the CVCA Administration XAP profile.
You have now created the user entry for the CVCA Administration XAP profile.
You must now create the profile on software. Storing the profile on a hardware
security module is not supported.

Creating a CVCA Administration XAP profile


The CVCA Administration XAP profile must be an EPF file stored on software;
Administration Services does not support CVCA Administration XAP profiles stored
on hardware.
You can use one of the following applications to create the CVCA Administration XAP
profile:
• Profile Creation Utility
For instructions, see the Administration Services Installation Guide.
• Security Manager Administration
For instructions, see the following procedure.

To create a CVCA Administration XAP profile using Security Manager
Administration
1 Create a user entry for the CVCA Administration XAP profile (see “Creating a
user entry for a CVCA Administration XAP profile” on page 918).
2 In the right pane, select the user entry you just created and then select Users >
Selected User > Create Profile.
The Create profile dialog box appears.
3 Click Create desktop profile.

4 In the Name field, enter the file name for the CVCA Administration XAP profile.
Security Manager Administration will append the .epf extension to the file
name.
5 Click Browse to select a folder where you want to save the CVCA Administration
XAP profile.
6 In the Password and Confirm fields, enter a password for the CVCA
Administration XAP profile.
7 Click OK.
You can now use this profile with Administration Services. You need the profile when
you add the Managed CA to Administration Services.

Creating Server Login credentials for a CVCA Administration XAP
profile
After creating a CVCA Administration XAP profile, you must create an Unattended
Login file (UAL file) for the CVCA Administration XAP profile. UAL files are also called
Server Login credentials. Server Login credentials allow Administration Services to log
in to the profile without a plaintext password; the profile password is encrypted in the
UAL file.
You can create Server Login credentials using the Profile Creation Utility. See the
Administration Services Installation Guide for details.
When you install CVCA Administration, you can add the CVCA using the installer.
The installer will prompt you for the profile and password, and will create the Server
Login credentials for you. If you add the CVCA manually after installing CVCA
Administration, you must create the Server Login credentials yourself.

Updating the CVCA Administration XAP profile keys


Administration Services will manage the CVCA Administration XAP profile. If the
CVCA Administration XAP profile requires updates, Administration Services will
update the profile automatically and make it available immediately in the service.

Creating SPOC Domestic Web Service
credentials
Before installing Administration Services, create a Security Manager profile for the
SPOC Domestic Web Service. The SPOC Domestic Web Service requires a SPOC
Domestic Web Service profile to communicate with Security Manager.
The SPOC Domestic Web Service profile verifies signatures and signs files used by
CVCA Administration for processing DV certificates and for queuing operations.
The SPOC Domestic Web Service profile is required if you are installing SPOC services
(see “Deploying the SPOC services” on page 1161).
This section contains the following topics:
• “Creating a user entry for a SPOC Domestic Web Service” on page 921
• “Creating a SPOC Domestic Web Service profile” on page 922
• “Updating the SPOC Domestic Web Service profile keys” on page 923

Creating a user entry for a SPOC Domestic Web Service


You must create a user entry in Security Manager for the SPOC Domestic Web Service
profile. You can use Security Manager Administration to create a user entry for the
SPOC Domestic Web Service profile.
For more information about creating users with Security Manager Administration, see
the Security Manager Administration User Guide.

To create a user entry for the SPOC Domestic Web Service profile using
Security Manager Administration
1 Log in to Security Manager Administration for the CVCA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.

c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
d Ensure that the Create profile check box is not checked.
4 Click the General tab.
5 From the Role drop-down list, select SPOC Self-Service Role.
6 Select the Certificate Info tab, and then complete the following:
a In the Category drop-down list, select Enterprise.
b Under Certificate Type, select Admin Services User Registration.
7 Click OK.
8 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
The Operation Completed Successfully message appears, which displays the
Reference number and Authorization code. Record these activation codes in a
secure manner, as you will require them later to create and activate the user’s
Entrust digital ID. For more details on how the Registration number and
Authorization codes are used, see the Security Manager Administration User
Guide.
You have now created the user entry for the SPOC Domestic Web Service profile.
Proceed to “Creating a SPOC Domestic Web Service profile” on page 922.

Creating a SPOC Domestic Web Service profile


The SPOC Domestic Web Service profile can be stored on software (as an EPF file) or
on a hardware security module. You can use one of the following applications to
create the SPOC Domestic Web Service profile:
• Profile Creation Utility
The Profile Creation Utility can create the profile on software or hardware.
For instructions, see the Administration Services Installation Guide.
• Security Manager Administration
When using Security Manager Administration to create the profile, you must
create the profile on software. For instructions, see the following procedure.

To create a SPOC Domestic Web Service profile using Security Manager
Administration
1 Create a user entry for the SPOC Domestic Web Service profile (see “Creating a
user entry for a SPOC Domestic Web Service” on page 921).
2 In the right pane, select the user entry you just created and then select Users >
Selected User > Create Profile.

The Create profile dialog box appears.
3 Click Create desktop profile.
4 In the Name field, enter the file name for the SPOC Domestic Web Service
profile. Security Manager Administration will append the .epf extension to the
file name.
5 Click Browse to select a folder where you want to save the SPOC Domestic Web
Service profile.
6 In the Password and Confirm fields, enter a password for the SPOC Domestic
Web Service profile.
7 Click OK.
You can now use this SPOC Domestic Web Service profile with Administration
Services. You need the SPOC Domestic Web Service profile, the profile password, and
the profile location when you install the SPOC services.

Updating the SPOC Domestic Web Service profile keys


It is not recommended that you copy profiles to other servers. If you do copy a profile,
and the profile keys are updated at one server, copy the updated profile file to each
server.
Keys are updated only on Administration Services start up. You may have to schedule
server restarts periodically with a frequency that corresponds to the configured
certificate lifetime.

Checking the entrust.ini file
Obtain a copy of the entrust.ini file and CVCA Administration profiles from a
Security Manager administrator.
Copy the entrust.ini file and the profiles to each machine hosting the CVCA
Administration application server components. Note the location of these files. You
will enter the path to these files when you install Administration Services.
Complete the following instructions to ensure the entrust.ini file is properly copied
and configured for Administration Services.

To check the entrust.ini file settings
1 Open the entrust.ini file in a text editor.
2 Ensure that the file contains the following lines:
• Server=<directory_machine>+<port>
Where:
– <directory_machine> is the IPv4 address or DNS of the machine hosting
the directory.
– <port> is the LDAP port. The default port is 389.
For example:
Server=ldap.example.com+389
• Authority=<Security_Manager_machine>+<port>
Where:
– <Security_Manager_Machine> is the IPv4 address or DNS of the machine
hosting Security Manager.
– <port> is the PKIX-CMP port used by Security Manager. The default port
is 829.
For example:
Authority=securitymanager.example.com+829
• XAP=<XAP_server>+<port>
Where:
– <XAP_server> is the IPv4 address or DNS of the XAP server.
– <port> is the port used by the XAP server. The default port is 443 or 1443.
For example:
XAP=securitymanager.example.com+1443
• CA Distinguished Name=<DN_of_CA>
Where <DN_of_CA> is the distinguished name of the Certification Authority.
For example:

CA Distinguished Name=ou=CA Entry,o=Example,c=US
• SearchBase=<DN_of_searchbase>
Where <DN_of_searchbase> is the distinguished name of the default
searchbase. For example:
SearchBase=ou=CA Entry,o=Example,c=US
3 If you are using a PKCS#11 v2 hardware device, ensure that the file contains the
following lines in the [Entrust Settings] section:
CryptokiV2LibraryNT=<pkcs11 library path>
Where <pkcs11 library path> is the full path to the location of the PKCS#11
library. For example:
CryptokiV2LibraryNT=C:\Program Files\vendor1\device1.dll
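
A mistyped entrust.ini is usually only discovered when the installer or the service fails to reach the directory, Security Manager, or the XAP server. The following added example (not Entrust code) reads an entrust.ini with Python's configparser and reports any setting that does not have the form described in the procedure above. It assumes all keys live in the [Entrust Settings] section (the page states that only for CryptokiV2LibraryNT, so the checker merges every section it finds) and that a Windows PKCS#11 library is a .dll; the sample files are constructed from the example values above.

```python
"""Check the entrust.ini settings that CVCA Administration depends on.

Added example, not part of the Entrust product. It verifies that Server, Authority
and XAP are <host>+<port>, that the CA Distinguished Name and SearchBase are
distinguished names, and (for PKCS#11 v2 hardware) that CryptokiV2LibraryNT is set.
"""
import configparser
import ipaddress
import re
from typing import Dict, List

HOST_PORT_KEYS = ("Server", "Authority", "XAP")
DN_KEYS = ("CA Distinguished Name", "SearchBase")
PKCS11_KEY = "CryptokiV2LibraryNT"

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")        # one DNS label
_RDN = re.compile(r"^\s*[A-Za-z][A-Za-z0-9.-]*\s*=\s*\S.*$")    # attr=value


def _load_settings(text: str) -> Dict[str, str]:
    """Merge the keys of every section; DN values contain '=' so only '=' delimits."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    parser.optionxform = str            # keep key case, e.g. "XAP", "SearchBase"
    parser.read_string(text)
    merged: Dict[str, str] = {}
    for section in parser.sections():
        for key, value in parser.items(section):
            merged.setdefault(key, value.strip())
    return merged


def _host_ok(host: str) -> bool:
    """Accept an IPv4 address or a syntactically valid DNS name."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return bool(host) and all(_LABEL.match(label) for label in host.split("."))


def validate_entrust_ini(text: str, require_pkcs11: bool = False) -> List[str]:
    """Return a list of findings; an empty list means every checked setting looks right."""
    settings = _load_settings(text)
    findings: List[str] = []

    for key in HOST_PORT_KEYS:
        value = settings.get(key)
        if value is None:
            findings.append(f"{key}: missing")
            continue
        host, plus, port = value.rpartition("+")
        if not plus:
            findings.append(f"{key}: expected <host>+<port>, got '{value}'")
            continue
        if not _host_ok(host):
            findings.append(f"{key}: '{host}' is not an IPv4 address or DNS name")
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            findings.append(f"{key}: '{port}' is not a valid port")

    for key in DN_KEYS:
        value = settings.get(key)
        if value is None:
            findings.append(f"{key}: missing")
        elif not all(_RDN.match(part) for part in value.split(",")):
            findings.append(f"{key}: '{value}' is not a distinguished name")

    lib = settings.get(PKCS11_KEY, "")
    if require_pkcs11 and not lib:
        findings.append(f"{PKCS11_KEY}: required for a PKCS#11 v2 device but not set")
    elif lib and not lib.lower().endswith(".dll"):
        findings.append(f"{PKCS11_KEY}: '{lib}' does not look like a Windows PKCS#11 library (.dll)")
    return findings


# Constructed samples built from the example values in the procedure above.
GOOD_INI = """\
[Entrust Settings]
Server=ldap.example.com+389
Authority=securitymanager.example.com+829
XAP=securitymanager.example.com+1443
CA Distinguished Name=ou=CA Entry,o=Example,c=US
SearchBase=ou=CA Entry,o=Example,c=US
CryptokiV2LibraryNT=C:\\Program Files\\vendor1\\device1.dll
"""

BAD_INI = """\
[Entrust Settings]
Server=ldap.example.com+389
Authority=securitymanager.example.com+0
XAP=securitymanager.example.com
CA Distinguished Name=ou=CA Entry,o=Example,c=US
SearchBase=CA Entry
"""

if __name__ == "__main__":
    for finding in validate_entrust_ini(BAD_INI, require_pkcs11=True):
        print(finding)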

Installing CVCA Administration
This section describes how to install CVCA Administration on supported Windows
operating systems. CVCA Administration is supported only on Windows.
When installing Administration Services, you can install both the Web server
components and application server components on a single server, or you can install
the components on separate servers.
• Installing Administration Services on a single server installs both the Web
server components and application server components on the same server.
It is strongly recommended that you do not install Administration Services on
a single server in a production environment, especially if your deployment is
exposed to the Internet. You should only install Administration Services on a
single server for testing purposes.
• Installing Administration Services on separate servers allows you to install the
application server components on one server, and the Web server
components on the server hosting your Web server.
Installing the components on separate servers is more secure than installing
them on the same server. When installing the components on separate
servers, you must select the same services for each server. Note that some
services do not have Web server components.
When you add service instances, you will install the same components (Web server
components, application server components, or both) as you installed on the server
previously. If you install services on separate servers, add the same instances to both
servers. Note that some services do not have Web server components.
CVCA Administration consists of application server components and optional Web
server components. The Web server components allow you to configure a front-end
Web server so requests go through a Web server instead of directly to the application
server.
This section contains the following procedures:
• “To install the CVCA Administration application server components on
Windows” on page 926
• “To install the CVCA Administration Web server components on Windows”
on page 945

To install the CVCA Administration application server components on Windows
1 Install Administration Services 9.3. See the Administration Services 9.3
Installation Guide for instructions. When installing Administration Services:
a Select the Distributed installation type to install the application server
components and Web server components on separate servers.
b Select Application Server to install the application server components.

2 Configure Administration Services for the first time. See the Administration
Services 9.3 Installation Guide for instructions.
3 If Administration Services is already installed, stop the Administration Services
application server (Apache Tomcat).
4 Double-click the Administration Services installer.
5 The Administration Services Installer - Configuration page appears.

Click Next to continue.

6 The Configured Services page appears.

This page lists all configured services (if any). Click Next to add a new service.

7 If you have not yet configured centralized configuration, the Centralized
Configuration Settings page appears.

a Click Do Not Install Centralized Configuration. The ePassport services do
not use centralized configuration.
b Click Next.

8 The Select Services To Configure page appears.

a Select ePassport Services.
b Select Extended Access Control (EAC).
c Select Country Verifying Certification Authority (CVCA).
d Select Country Verifying Certification Authority Administration
(CVCAADMIN).
e Enter the URL path for CVCA Administration into the text field. The URL
cannot contain question marks (?), forward slashes (/), backslashes (\), less
than signs (<), greater than signs (>), or pound signs (#).
For example: CVCAAdmin.
f CVCA Administration can be installed on Apache Tomcat only (the
Administration Services application server) or on both Tomcat and a Web
server. If you will install CVCA Administration on both Tomcat and a Web
server, select Configure the Web Server Front End.
Selecting Configure the Web Server Front End will have the installer
configure Tomcat to accept requests from the JK connector rather than
directly. Some manual configuration changes are still required after installing
CVCA Administration.

g Click Next to continue.
9 If you chose to have the installer configure the Web server front end, the Web
Server’s Identifier and SSL Port Number page appears.

a In the Host Name field, enter the fully qualified host name of your Web site.
For example, webserver.example.com.
b In the Port Number field, enter the SSL port number of your Web site (by
default 443).
c Click Next.

10 The Port for CVCA Administration Services page appears.

a In the Enter the SSL/TLS port number for the CVCA Administration Service
field, enter the SSL port number for the CVCA Administration instance (by
default 14443).
b Click Next.
If you chose to configure the Web server front-end, proceed to Step 15 on
page 937.

11 The CVCA Administration Entrust.ini Location page appears.

a In the text field, enter the full path and file name of the entrust.ini file
from the Entrust CA that issued the CVCA Administration Server profile, or
click Choose to locate the file.
b Click Next.

12 If the entrust.ini file includes a setting specifying the full path to a valid
PKCS#11 library, the Select CVCA Administration Profile Type page appears.

a Select one of the following options:
– If the CVCA Administration Server profile is an EPF file stored on the local
file system, select Software Profile.
– If the CVCA Administration Server profile is stored on hardware, select
Hardware Token.
b Click Next.

13 If the CVCA Administration Server profile is a software profile, the CVCA
Administration Profile page appears.

a In the Enter the location of the CVCA Administration Profile field, click
Choose to locate and select the CVCA Administration Server profile (EPF
file).
b In the Enter the Password to login to your CVCA Administration Profile
field, enter the password for the EPF file.
c Click Next.

14 If the CVCA Administration Server profile is a hardware profile, the CVCA
Administration Hardware Token Profile page appears.

a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the CVCA Administration Server profile.
b In the Enter the Password to login to your CVCA Administration Profile
field, enter the password for the profile.
c Click Next.

15 The Configure Managed CA page appears.

a You can configure the connection to the CVCA using the installer.
– To configure the connection to the CVCA using the installer, select
Configure Managed CA Now. By default this option is already selected.
– To manually configure the connection to the CVCA later, deselect
Configure Managed CA Now.
b Click Next.
If you will not configure the connection to the CVCA using the installer, proceed
to Step 19 on page 941.

16 If you chose to configure the connection to the CVCA using the installer, the
CVCA Administration Managed CA Options page appears.

a In the Enter the Managed CA name field, enter a unique name for the CVCA.

Note:
The name is a friendly name to identify the CVCA, not the CVCA identity.

The name must be at least four characters long, and must contain only
letters, numbers, underscores, spaces, and hyphens. At least four characters
must be a combination of uppercase letters, lowercase letters, and numbers.
b Administration Services requires connection information to the CVCA and its
LDAP directory. The installer can take the information from the CVCA’s
entrust.ini file or you can provide the information manually.
– To use the information from the CVCA’s entrust.ini file, select Use
information from entrust.ini, and then enter the full path and file name of
the entrust.ini file into the Enter the location of the entrust.ini field or
click Choose to locate the file.

– To provide the connection information manually, deselect Use information
from entrust.ini. You must provide this connection information on the next
installer page.
c Click Next.
17 If you chose to enter connection information manually, the Managed CA
Information (non-entrust.ini) page appears.

a In the Enter Manager Host Name field, enter the fully qualified domain name
of the server hosting the CVCA. For example, domain.example.com.
b In the Enter PKI Port Number field, enter the CMP port of the CVCA,
typically 829.
c In the Enter XAP Port Number field, enter the XAP port of the CVCA,
typically 443 or 1443.
d In the Enter LDAP Host Name field, enter the fully qualified domain name of
the CVCA’s LDAP directory. For example, ldap.example.com.
e In the Enter LDAP Port number field, enter the LDAP port of the directory
(typically 389).
f Click Next.

18 The CVCA Administration XAP Profile page appears.

a In the Enter the location of the XAP Profile field, enter the full path and file
name of the CVCA Administration XAP profile issued by the CVCA, or click
Choose to select the file.
b In the Enter the Password to login to your XAP Profile field, enter the
password for the CVCA Administration XAP profile.
c Click Next.

19 The Configure CVCA Administration Email Notification page appears.

a To enable email notification for CVCA Administration, select Enable Email
Notification for CVCA Administration.
If you select this option, the email notification settings are enabled.
b If you chose to enable email notification for CVCA Administration:
– In the Enter the SMTP Server Fully Qualified Domain Name field, enter the
fully qualified domain name of the SMTP server.
– In the SMTP Server Port field, enter the port number used by the SMTP
server (by default 25).
– In the Enter the CVCA Administration Email Address field, enter the email
address where administrators will receive email notification messages.
CVCA Administration sends messages to this address only if the event is
not meant for a particular object. For example, if an administrator performs
an action that requires another administrator’s approval, CVCA
Administration sends the message to this email address.
– In the Enter the CVCA Administration Appears From Email Address field,
enter the email address that will appear in the From field of the email
message.
c Click Next.

20 The CVCA Administration Configuration page appears with a summary of your
installation selections. For example:

a Check all your settings.
If you need to change anything, click Previous to return to that page and
make your changes.
b Select Configure to configure the service instance.
c Click Next to proceed with the installation.

21 After the installation is complete, the CVCA Administration Configuration Status
page appears. For example:

a If the installation is unsuccessful, a dialog box displays errors. See the
Administration Services Configuration Guide for possible solutions, or
contact Entrust Customer Support.
b Click Next.

22 The Configuration Complete page appears.

a Select one of the following options:
– If you are finished adding services, select End Configuration Program.
– If you want to add additional services, select Return to Configure Services.
b Click Next.

23 The Start The Service Automatically page appears.

a To use the service you just installed, you must restart the Administration
Services application server.
– To start the service automatically after exiting the installer, select Start the
service automatically. By default, this option is already selected.
– To not start the service after exiting the installer, deselect Start the service
automatically. You must manually restart Administration Services to use the
new service.
b Click Next.
You can find the URLs to all installed services in the <AS-install>/services.txt
file.

To install the CVCA Administration Web server components on Windows
1 Install Administration Services 9.3. See the Administration Services 9.3
Installation Guide for instructions. When installing Administration Services:
a Select the Distributed installation type to install the application server
components and Web server components on separate servers.
b Select Web Server to install the Web server components.
2 Double-click the Administration Services installer.

3 The Administration Services Installer - Configuration page appears.

Click Next to continue.

4 The Configured Services page appears.

This page lists all configured services (if any). Click Next to add a new service.

5 The Select Services To Configure page appears.

a Select ePassport Services.
b Select Extended Access Control (EAC).
c Select Country Verifying Certification Authority (CVCA).
d Select Country Verifying Certification Authority Administration
(CVCAADMIN).
e Enter the URL path for CVCA Administration into the text field. The URL
cannot contain question marks (?), forward slashes (/), backslashes (\), less
than signs (<), greater than signs (>), or pound signs (#).
For example: CVCAAdmin.
f Click Next to continue.

6 If you are installing a service for the first time, the Select the Web Server page
appears.

a Select the Web server that you will use for Administration Services.
b Click Next.

7 If you are installing a service for the first time, the Web Server’s Identifier and SSL
Port Number page appears.

a In the Web Server’s Fully Qualified Host Name or IP Address field, enter the
fully qualified host name or IPv4 address of your Web site. For example,
webserver.example.com.
b In the Web Server’s SSL Port field, enter the SSL port number of your Web
site (by default 443).
c Click Next.

8 If you selected Apache HTTP Server earlier, the Web Server Configuration File
Location page appears.

a Enter the path to the folder that contains the Web server’s configuration file
(httpd.conf file) or click Choose to select the folder that contains the file.
b Click Next to continue.

9 If you are installing a service for the first time, the Application Server’s Identifier
page appears.

a In the text field, enter the fully qualified host name or IPv4 address of the
server hosting the application server components. For example,
appserver.example.com.
b Click Next.

10 The Port for CVCA Administration Services page appears.

a In the Enter the SSL/TLS port number for the CVCA Administration Service
field, enter the SSL port number for CVCA Administration (by default
14443).
b Click Next.

11 The CVCA Admin Configuration page appears with a summary of your
installation selections. For example:

a Check all your settings.
If you need to change anything, click Previous to return to that page and
make your changes.
b Select Configure to configure the service instance.
c Click Next to proceed with the installation.

12 After the installation is complete, the CVCA Admin Configuration Status page
appears. For example:

a If the installation is unsuccessful, a dialog box displays errors. See the
Administration Services Configuration Guide for possible solutions, or
contact Entrust Customer Support.
b Click Next.

13 The Configuration Complete page appears.

a Select one of the following options:
– If you are finished adding services, select End Configuration Program.
– If you want to add additional services, select Return to Configure Services.
b Click Next.
14 Restart your Web server.
You can find the URLs to all installed services in the <AS-install>/services.txt
file.

Completing the Microsoft IIS front-end
configuration for CVCA Administration
If you installed both the application server components and Web server components
of CVCA Administration, the installer completed most of the work required to
configure CVCA Administration to be front-ended by a Web server:
• On the application server machine, the installer configured the JK connector
to accept requests from a front-end Web server instead of directly.
• On the Web server machine, the installer configured Microsoft IIS for the
CVCA Administration components and to forward CVCA Administration
requests to the application server machine. However, some additional steps
must be completed manually on Microsoft IIS to complete the Web Server
front-end configuration.
Complete the following steps in this section to complete the Microsoft IIS front-end
configuration. No additional steps are required on the server hosting the application
server components.
This section contains the following topics:
• “Assigning SSL certificates to a CVCA Administration Web site in Microsoft
IIS” on page 957
• “Installing CA certificates in Microsoft IIS for CVCA Administration” on
page 960

Assigning SSL certificates to a CVCA Administration Web site in
Microsoft IIS
When you installed the Web server components of CVCA Administration, the
installer created a new Web site in Microsoft Internet Information Services (IIS) for
the CVCA Administration instance, such as CVCAAdmin. The Web site is for
accepting and forwarding connections to the CVCA Administration instance on the
application server. You must assign a valid SSL server certificate to this Web site.
You should have already configured SSL on the Web server as described in “Installing
and configuring the Web server (optional)” on page 910. You can use the same SSL
server certificate for the new CVCA Administration Web site.

To assign SSL certificates to the CVCA Administration Web site on Microsoft IIS
1 Log in to the server hosting Microsoft IIS.
2 Open Internet Information Services (IIS) Manager by selecting Start, then click
the down arrow to access Apps, then click Internet Information Services (IIS)
Manager.

When listed by name or category, Internet Information Services (IIS) Manager is
listed under Administrative Tools.
The Internet Information Services (IIS) Manager dialog box appears.

3 In the Connections pane, expand <computer> > Sites.
You should see the Web site for the CVCA Administration instance, such as
CVCAAdmin.
4 In the Connections pane, select the CVCA Administration Web site (for example,
CVCAAdmin).
5 In the Actions pane, under Edit, click Bindings.
The Site Bindings dialog box appears. You should see an https binding, typically
for port 14443. This port corresponds to the port you selected for the CVCA
Administration instance when you installed CVCA Administration.

6 Select the binding (for example, 14443), and click Edit.
The Edit Site Binding dialog box appears.

7 In the SSL certificate drop-down list, select a valid SSL certificate.
8 Click OK.
9 Restart the Web server:
a In the Connections pane, select the host name of your computer.
b In the Actions pane, under Manage Server, click Restart.

Installing CA certificates in Microsoft IIS for CVCA Administration
For the Web server to trust all client certificates, you must import all CA certificates
from the CA that will issue client certificates.
You should also install the CA certificate that issued the Web server SSL certificate if
you have not installed it already. This is required for IIS to trust the SSL certificate.

To install a CA certificate in Microsoft IIS
1 Export the root CA certificate from the Managed CA to a file and copy the CA
certificate file to the server hosting Microsoft IIS.
2 On the server hosting IIS, double-click the CA certificate file.
A Certificate dialog box appears.

3 Click Install Certificate.
The Certificate Import Wizard dialog box appears.

4 For Store Location, click Local Machine.
5 Click Next.
The Certificate Store screen appears.

6 Click Place all certificates in the following store.
7 Click Browse.
The Select Certificate Store dialog box appears.

8 Select Trusted Root Certification Authorities.
9 Click OK.
10 Click Next.
The Completing the Certificate Import Wizard page appears.

11 Click Finish.

Completing the Apache HTTP Server front-end
configuration for CVCA Administration
If you installed both the application server components and Web server components
of CVCA Administration, the installer completed most of the work required to
configure CVCA Administration to be front-ended by a Web server:
• On the application server machine, the installer configured the JK connector
to accept requests from a front-end Web server instead of directly.
• On the Web server machine, the installer configured Apache HTTP Server for
the CVCA Administration components and to forward CVCA Administration
requests to the application server machine. However, some additional steps
must be completed manually on Apache HTTP Server to complete the Web
Server front-end configuration.
Complete the following steps in this section to complete the Apache HTTP Server
front-end configuration. No additional steps are required on the server hosting the
application server components.
This section contains the following topics:
• “Assigning SSL certificates to a CVCA Administration VirtualHost in Apache
HTTP Server” on page 964
• “Adding CA certificates to Apache HTTP Server for CVCA Administration”
on page 967

Assigning SSL certificates to a CVCA Administration VirtualHost
in Apache HTTP Server
When you installed the Web server components of CVCA Administration, the
installer created a new <VirtualHost> directive in the Apache HTTP Server
httpd.conf file. You must assign a valid SSL server certificate, private key file, and
CA certificate to this <VirtualHost> directive.
You should have already configured SSL on the Web server as described in “Installing
and configuring the Web server (optional)” on page 910. You can use the same SSL
server certificate, private key file, and CA certificate for the new <VirtualHost>
directives.

To assign SSL certificates to a CVCA Administration VirtualHost in Apache
HTTP Server
1 Open the Apache HTTP Server httpd.conf file in a text editor.
2 Locate the lines added by the Administration Services installer for CVCA
Administration. The lines should look like the following:

# Entrust AdminServices CVCA Admin start - CVCAAdmin
# Please do not remove any lines that contain Entrust AdminServices, removing these lines may cause problems with the install/uninstall.
SSLSessionCache none
Listen 14443
<VirtualHost webserver.example.com:14443>
...
</VirtualHost>
# Entrust AdminServices CVCA Admin end - CVCAAdmin
3 The <VirtualHost> directive added by the installer for CVCA Administration
includes the following settings:
SSLCertificateFile conf/ssl/TAG_SERVER_CERT
SSLCertificateKeyFile conf/ssl/TAG_SERVER_KEY
SSLCertificateChainFile conf/ssl/TAG_CA_CERT
SSLCACertificateFile conf/ssl/TAG_CA_CERT
Update these settings as follows. For more information about these settings, see
the Apache HTTP Server documentation.

Note:
If the file referenced by SSLCertificateChainFile or SSLCACertificateFile
contains too many certificates, Apache HTTP Server may fail to load all the
certificates. If the Web server fails to load all the certificates, it may be unable to
successfully maintain a session with the Web browser. To work around this issue,
you can use the SSLCACertificatePath setting instead of the
SSLCertificateChainFile or SSLCACertificateFile settings. For information
about using the SSLCACertificatePath setting, see the Apache HTTP Server
documentation.

• The SSLCertificateFile setting must specify the path and file name of a
PEM-encoded SSL server certificate. The path can be a path relative to the
Apache HTTP Server installation directory. For example:
SSLCertificateFile conf/ssl/server.crt
• The SSLCertificateKeyFile setting must specify the path and file name of
a private key file. The path can be a path relative to the Apache HTTP Server
installation directory. For example:
SSLCertificateKeyFile conf/ssl/server.key

This file should include the private key of the SSL server certificate. If the SSL
server certificate includes the private key, you can omit this setting.
• The SSLCertificateChainFile setting must specify the path and file name
of a PEM-encoded CA certificate chain file. The path can be a path relative
to the Apache HTTP Server installation directory. For example:
SSLCertificateChainFile conf/ssl/ca.crt
The CA certificates in this file form the CA certificate chain of the Web server
SSL certificate, from the issuing CA certificate to the root CA certificate. Each
CA certificate must be entered in PEM-encoded format. For example:
-----BEGIN CERTIFICATE-----
(PEM-encoding of the issuing CA certificate)
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(PEM-encoding of the intermediate CA certificate)
0ABCDEFGHIJKLMNOPQRSTUVWXYZ123456789...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(PEM-encoding of the root CA certificate)
90ABCDEFGHIJKLMNOPQRSTUVWXYZ12345678...
-----END CERTIFICATE-----
• The SSLCACertificateFile setting must specify the path and file name of
a PEM-encoded CA certificates file. The path can be a path relative to the
Apache HTTP Server installation directory. For example:
SSLCACertificateFile conf/ssl/ca-certs.crt
The CA certificates in this file are the CA certificates used for verifying client
certificates. Each CA certificate must be entered in PEM-encoded format. For
example:
-----BEGIN CERTIFICATE-----
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
0ABCDEFGHIJKLMNOPQRSTUVWXYZ123456789...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
90ABCDEFGHIJKLMNOPQRSTUVWXYZ12345678...
-----END CERTIFICATE-----

CVCA Administration will use this setting for verifying client certificates. See
“Adding CA certificates to Apache HTTP Server for CVCA Administration”
on page 967 for more information. For CVCA Administration, only the
CVCA will issue client certificates.
4 Save and close the file.
5 Restart the Web server.

Adding CA certificates to Apache HTTP Server for CVCA
Administration
For the Web server to trust all client certificates, you must import all CA certificates
from CAs that will issue client certificates. For CVCA Administration, only the CVCA
will issue client certificates.
When you installed the Web server components of CVCA Administration, the
installer created a new <VirtualHost> directive in the Apache HTTP Server
httpd.conf file. The <VirtualHost> directive added by the installer for CVCA
Administration includes an SSLCACertificateFile setting:
SSLCACertificateFile conf/ssl/TAG_CA_CERT
The SSLCACertificateFile setting must specify the path and file name of a
PEM-encoded CA certificates file. The path can be a path relative to the Apache HTTP
Server installation directory. CVCA Administration will use all the CA certificates in
this file for verifying client certificates.
You must create this file if it does not currently exist, and add all CA certificates to the
file. Apache HTTP Server will then trust all the client certificates issued by the CAs that
are specified in the file.

Note:
If the file referenced by SSLCACertificateFile contains too many certificates,
Apache HTTP Server may fail to load all the certificates. If the Web server fails to
load all the certificates, it may be unable to successfully maintain a session with
the Web browser. To work around this issue, you can use the
SSLCACertificatePath setting instead of the SSLCACertificateFile setting.
For information about using the SSLCACertificatePath setting, see the Apache
HTTP Server documentation.

To add CA certificates to Apache HTTP Server for CVCA Administration
1 Export the root CA certificate from the CA to a file. The CA certificate must be in
PEM-encoded format.

2 Copy the CA certificate file to the server hosting Apache HTTP Server.
3 If you previously created a file for the CA certificates, open that file in a text
editor. If you never created a file for CA certificates, create a new file in a text
editor.
If you previously created a file but do not remember the file name or where it is
located, open the Apache HTTP Server httpd.conf file in a text editor and locate
the following lines added by the Administration Services installer for CVCA
Administration:
# Entrust AdminServices CVCA Admin start - CVCAAdmin
...
# Entrust AdminServices CVCA Admin end - CVCAAdmin
The SSLCACertificateFile setting specifies the path and file name of the file:
SSLCACertificateFile conf/ssl/ca-certs.crt
You can use the same file that the SSLCertificateChainFile setting specifies;
however, it is recommended that you use a different file for this setting.
4 In the file, add each CA certificate in PEM-encoded format. For example:
-----BEGIN CERTIFICATE-----
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
0ABCDEFGHIJKLMNOPQRSTUVWXYZ123456789...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
90ABCDEFGHIJKLMNOPQRSTUVWXYZ12345678...
-----END CERTIFICATE-----
5 Save and close the file.
6 If you created a new file for CA certificates:
a Open the Apache HTTP Server httpd.conf file in a text editor.
b Locate the lines added by the Administration Services installer for CVCA
Administration. The lines should look like the following:
# Entrust AdminServices CVCA Admin start - CVCAAdmin
# Please do not remove any lines that contain Entrust AdminServices, removing these lines may cause problems with the install/uninstall.
SSLSessionCache none
Listen 14443
<VirtualHost webserver.example.com:14443>
...
</VirtualHost>
# Entrust AdminServices CVCA Admin end - CVCAAdmin
c The <VirtualHost> directive added by the installer for CVCA Administration
includes the following setting:
SSLCACertificateFile conf/ssl/ca-certs.crt
You may have already configured this setting in “Assigning SSL certificates
to a CVCA Administration VirtualHost in Apache HTTP Server” on page 964.
The SSLCACertificateFile setting must specify the path and file name of
a PEM-encoded CA certificates file. The path can be a path relative to the
Apache HTTP Server installation directory. For example:
SSLCACertificateFile conf/ssl/ca-certs.crt
CVCA Administration will use this setting for verifying client certificates.
d Save and close the file.
7 Restart the Web server.

Configuring CVCA Administration to connect to
the CVCA
When installing the CVCA Administration application server components, you had
the option to configure CVCA Administration to connect to the CVCA using the
installer. If you did not use the installer to configure CVCA Administration to connect
to the CVCA, you must manually configure the connection settings.
The following procedure describes how to manually configure CVCA Administration
to connect to the CVCA.

To configure CVCA Administration to connect to the CVCA
1 Log in to the Administration Services server hosting the application server
components.
2 Open the managed-ca.properties file in a text editor. You can find the file in the
following folder:
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\config
3 Add or configure the following settings:

Table 45: CVCA Administration connection settings to the CVCA

managedca.entrust.0.uniqueid
    This setting specifies the unique ID for the CVCA. The value must be 0.

managedca.entrust.0.name
    This setting specifies a unique name for the CVCA.
    Note: The name is a friendly name to identify the CVCA, not the CVCA
    identity.
    The name must be at least four characters long, and must contain only
    letters, numbers, underscores, spaces, and hyphens.

managedca.entrust.0.host
    This setting specifies the IPv4 address or fully qualified domain name
    of the server hosting the CVCA.

managedca.entrust.0.xapport
    This setting specifies the XAP port of the CVCA (typically 443 or 1443).

managedca.entrust.0.pkixport
    This setting specifies the PKIX-CMP port of the CVCA (typically 829).

managedca.entrust.0.ldap.host
    This setting specifies the IPv4 address or fully qualified domain name
    of the server hosting the CVCA’s LDAP directory.

managedca.entrust.0.ldap.port
    This setting specifies the LDAP port of the directory (typically 389).

managedca.entrust.0.xapexternalauthepf
    This setting specifies the full path and file name of the CVCA
    Administration XAP profile issued by the CVCA.
    For information about creating CVCA Administration XAP profiles for the
    CVCA, see “Creating CVCA Administration XAP credentials” on page 918.

managedca.entrust.0.digest.algorithm
    This setting specifies the digest algorithm used to sign XAP messages.
    Permitted values:
    • sha1 for SHA-1.
    • sha256 for SHA-256.
    CVCA Administration signs the XAP message using the CVCA administrator’s
    profile. If the profile has a DSA or ECDSA key pair, set the XAP message
    signing algorithm to SHA-1.
    If not specified, the default is SHA1.

managedca.entrust.0.ldap.principal
    Java Naming and Directory Interface (JNDI) credentials are required to
    access the CVCA's LDAP directory when anonymous bind is not available.
    This setting specifies the JNDI Principal used to connect to the
    directory.
    A JNDI Principal is a directory user that can log in to the directory,
    typically a directory administrator. Examples include:
    DOMAIN\\Administrator
    Administrator@example.com
    cn=Administrator,ou=CA Entry,o=Example,c=US
    Attention: You must escape backslashes with a backslash. For example,
    DOMAIN\\Administrator. Using a backslash as an escape character is
    typical for a properties file.
    If this setting is absent or has no value, then an anonymous bind is
    used to connect to the directory.

managedca.entrust.0.ldap.credential
    Java Naming and Directory Interface (JNDI) credentials are required to
    access the CVCA's LDAP directory when anonymous bind is not available.
    This setting specifies the password for the JNDI Principal used to
    connect to the directory. Administration Services will store the
    password as an encrypted value.
    If this setting is absent or has no value, then an anonymous bind is
    used to connect to the directory.

managedca.entrust.0.xap.connections.initial
    This setting specifies the initial number of XAP connections that CVCA
    Administration opens with the CVCA when Administration Services starts.
    The number of XAP connections to the CVCA increases automatically up to
    the maximum when the number of administrators concurrently using
    Administration Services increases.
    If not specified, the default is 4.

managedca.entrust.0.xap.connections.max
    This setting specifies the maximum number of XAP connections that CVCA
    Administration opens with the CVCA.
    After reaching the maximum, connections are automatically closed after
    use. Since new XAP messages cannot be sent to the CVCA until a
    connection is available, repeatedly reaching this maximum may slow
    system performance.
    If not specified, the default is 20.

managedca.entrust.0.xap.connections.idle.timeout
    This setting specifies the length of time (in minutes) that CVCA
    Administration allows a XAP connection with the CVCA to remain idle
    before closing it and creating a new connection.
    If not specified, the default is 30 minutes.

managedca.entrust.0.xap.connections.socket.timeout
    This setting specifies the maximum length of time (in seconds) that
    CVCA Administration waits for a CVCA to accept a XAP connection before
    returning an error.
    This setting prevents CVCA Administration from hanging indefinitely if
    the CVCA does not accept the connection; for example, if the CVCA
    server is too busy to accept the connection.
    If not specified, the default is 60 seconds.

managedca.entrust.0.xap.debug
    This setting controls whether to display extra SSL debugging
    information in the console.
    Permitted values:
    • true to turn on extra SSL debugging information in the console.
    • false to not log extra SSL debugging information.
    Note: Setting the value to false does not turn off XAP message logging.
    It only controls whether to display extra SSL debugging information in
    the console.
    If not specified, the global setting in the cvca-config.xml file is
    used.

managedca.entrust.0.xap.cache.timeout
    This setting specifies the XAP cache timeout, in minutes.
    When CVCA Administration starts, it builds a cache of XAP connections
    to each of the CVCAs that are configured. If a CVCA is not available
    during startup, CVCA Administration does not add it to the cache. The
    XAP cache timeout controls how frequently CVCA Administration checks
    the CVCA connections, and controls how often the cache is
    reconstructed.
    If a previously unavailable CVCA becomes available again, it may take a
    period of time, up to the value of the XAP cache timeout, before that
    CVCA becomes usable in CVCA Administration.
    If not specified, the global setting in the cvca-config.xml file is
    used.

4 Save and close the file.
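A managed-ca.properties file is read with java.util.Properties rules, which is why the guide tells you to write backslashes as \\. The following Python script is an added example written for this guide, not part of Administration Services: it parses the file with those escaping rules (including \uXXXX and line continuations) and checks the managedca.entrust.0.* values against the rules and defaults in Table 45, so a typo is found before the application server is restarted. The sample file content is constructed and carries two deliberate mistakes. The check that ldap.principal and ldap.credential are set together is an inference from the table (a missing value on either side means an anonymous bind is used), not a documented product rule.

```python
"""Parse a CVCA Administration managed-ca.properties file and check the
managedca.entrust.0.* settings against the rules in Table 45.

Added example, not part of Administration Services. The sample file content
is constructed; the principal/credential pairing check is an inference from
the table (either value absent means an anonymous bind), not a product rule.
"""
import re

PREFIX = "managedca.entrust.0."
NAME_RE = re.compile(r"^[A-Za-z0-9_ -]{4,}$")   # letters, digits, _, space, -
CONNECTION_DEFAULTS = {                          # defaults stated in Table 45
    "xap.connections.initial": 4,
    "xap.connections.max": 20,
    "xap.connections.idle.timeout": 30,          # minutes
    "xap.connections.socket.timeout": 60,        # seconds
}
_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}


def _unescape(raw: str) -> str:
    # java.util.Properties rules: \\ -> \, \uXXXX, \n \t \r \f, other \x -> x
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        i += 1
        if ch != "\\":
            out.append(ch)
        elif i < len(raw):
            esc = raw[i]
            i += 1
            if esc == "u":
                out.append(chr(int(raw[i:i + 4], 16)))
                i += 4
            else:
                out.append(_ESCAPES.get(esc, esc))
    return "".join(out)


def parse_properties(text: str) -> dict:
    """Parse key=value / key:value / key value lines with '#' or '!' comments,
    backslash line continuations and backslash escapes."""
    props, logical = {}, ""
    for line in text.splitlines():
        stripped = line.lstrip()
        if not logical and (not stripped or stripped[0] in "#!"):
            continue
        logical += stripped
        trailing = len(logical) - len(logical.rstrip("\\"))
        if trailing % 2:                 # odd count: value continues on next line
            logical = logical[:-1]
            continue
        m = re.match(r"((?:\\.|[^\\=:\s])+)\s*[=:]?\s*(.*)", logical)
        if m:
            props[_unescape(m.group(1))] = _unescape(m.group(2))
        logical = ""
    return props


def check_managed_ca(props: dict) -> list:
    """Return the problems found in the managedca.entrust.0.* settings;
    an empty list means the file passes."""
    def get(key, default=None):
        return props.get(PREFIX + key, default)

    problems = []
    if get("uniqueid") != "0":
        problems.append("uniqueid must be 0")
    if not NAME_RE.match(get("name", "")):
        problems.append("name needs >= 4 chars from letters, digits, _, space, -")
    for key in ("host", "ldap.host", "xapexternalauthepf"):
        if not get(key):
            problems.append(f"{key} is required")
    for key in ("xapport", "pkixport", "ldap.port"):
        raw = get(key, "")
        if not raw.isdigit() or not 1 <= int(raw) <= 65535:
            problems.append(f"{key} must be a TCP port number")
    if get("digest.algorithm", "sha1").lower() not in ("sha1", "sha256"):
        problems.append("digest.algorithm must be sha1 or sha256")
    if bool(get("ldap.principal")) != bool(get("ldap.credential")):
        problems.append("ldap.principal and ldap.credential: set both or neither "
                        "(a missing one silently falls back to anonymous bind)")
    if get("xap.debug") not in (None, "", "true", "false"):
        problems.append("xap.debug must be true or false")
    conn = {}
    for key, default in CONNECTION_DEFAULTS.items():
        raw = get(key, "")
        if raw.isdigit() and int(raw) > 0:
            conn[key] = int(raw)
        else:
            if raw:
                problems.append(f"{key} must be a positive integer")
            conn[key] = default              # apply the Table 45 default
    if conn["xap.connections.initial"] > conn["xap.connections.max"]:
        problems.append("xap.connections.initial exceeds xap.connections.max")
    return problems


# Constructed sample with two deliberate mistakes: a principal without a
# credential, and an initial pool larger than the default maximum of 20.
SAMPLE_PROPERTIES = """\
# managed-ca.properties (constructed sample)
managedca.entrust.0.uniqueid=0
managedca.entrust.0.name=Example CVCA
managedca.entrust.0.host=cvca.example.com
managedca.entrust.0.xapport=1443
managedca.entrust.0.pkixport=829
managedca.entrust.0.ldap.host=ldap.example.com
managedca.entrust.0.ldap.port=389
managedca.entrust.0.xapexternalauthepf=C:\\\\profiles\\\\cvcaadmin.epf
managedca.entrust.0.digest.algorithm=sha256
managedca.entrust.0.ldap.principal=DOMAIN\\\\Administrator
managedca.entrust.0.xap.connections.initial=25
"""

if __name__ == "__main__":
    for problem in check_managed_ca(parse_properties(SAMPLE_PROPERTIES)):
        print("problem:", problem)
```

Pass the contents of the real file to parse_properties and then to check_managed_ca; note that the parser returns the unescaped value, so the single backslash you see in DOMAIN\Administrator is what Administration Services will send to the directory.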

Creating or modifying a user policy for CVCA
administrators
To access the CVCA Administration interface, CVCA administrators must have a valid
client certificate installed in their Web browser and a client policy that allows XAP
external authentication. XAP external authentication is a feature where Security
Manager authorizes XAP messages, but Administration Services authenticates XAP
messages.
Administration Services includes applications that allow users to create a PKCS #12
Security Store. A PKCS #12 Security Store is a digital ID stored in a PKCS #12 (P12)
file that is saved on a local disk. After creating the P12 file, administrators can then
import it into their Web browser and use it to log in to CVCA Administration.
To export the PKCS #12 file, administrators must have a client policy that allows PKCS
#12 export.
You can modify an existing user policy to allow PKCS #12 export and external
authentication, or create a new user policy for CVCA administrators to allow PKCS
#12 export and XAP external authentication:
• “To modify an existing user policy to allow PKCS #12 export and XAP
external authentication” on page 974
• “To create a new user policy to allow PKCS #12 export and XAP external
authentication by copying the Administrator Policy user policy” on page 975

To modify an existing user policy to allow PKCS #12 export and XAP external
authentication
1 Log in to Security Manager Administration for the CVCA.
2 In the tree view, expand Security Policy > User Policies.
3 Select the user policy to modify. For example, select Administrator Policy to
modify the user policy assigned to the predefined EAC Administrator and EAC
Auditor roles.
4 Under Policy Attributes:
a Select Allow PKCS#12 Export.
This setting allows users to export their digital ID to a PKCS #12 file.
b Select All Exportable.
This setting allows all private keys to be exported.
c (Optional.) Change the value of Minimum PKCS#12 Hash Count.
This setting specifies the minimum number of times that the user-supplied
password for the PKCS #12 file is hashed during export. You can enter a

value between 1 (very weak) and 10000 (very secure). The default value of
2000 is sufficient for most deployments.
d Select Allow use with external authentication.
This setting allows Security Manager to accept externally-authenticated
requests from administrators. Only administrators with this client policy
setting can use CVCA Administration.
5 Click Apply.
6 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
The roles assigned to CVCA administrators must be assigned this user policy. For
information about creating custom roles for CVCA administrators, see “Creating roles
for CVCA administrators” on page 977.

To create a new user policy to allow PKCS #12 export and XAP external
authentication by copying the Administrator Policy user policy
1 Log in to Security Manager Administration for the Entrust Managed CA.
2 In the tree view, expand Security Policy > User Policies.
3 Select Administrator Policy.
4 Select Policies > User Policies > Selected User Policy > Copy.
The Copy User Policy dialog box appears.
5 In the Label field, enter CVCA Administrator Policy.
6 In the Common name field, enter CVCA Administrator Policy.
7 In the Add to drop-down list, select the searchbase where you want to store the
user policy.
8 Under Policy Attributes:
a Select Allow PKCS#12 Export.
This setting allows users to export their digital ID to a PKCS #12 file.
b Select All Exportable.
This setting allows all private keys to be exported.
c (Optional.) Change the value of Minimum PKCS#12 Hash Count.
This setting specifies the minimum number of times that the user-supplied
password for the PKCS #12 file is hashed during export. You can enter a
value between 1 (very weak) and 10000 (very secure). The default value of
2000 is sufficient for most deployments.
d Select Allow use with external authentication.

This setting allows Security Manager to accept externally-authenticated
requests from administrators. Only administrators with this client policy
setting can use CVCA Administration.
9 Click Apply.
10 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
The roles assigned to CVCA administrators must be assigned this user policy. For
information about creating custom roles for CVCA administrators, see “Creating roles
for CVCA administrators” on page 977.

Creating roles for CVCA administrators
The operations that administrators can perform in CVCA Administration depend on
the administrator’s role.
The predefined EAC Administrator role allows administrators to perform all
operations for a CVCA or DV. The predefined EAC Auditor role allows administrators
only to view information for a CVCA or a DV. You can create custom roles for your
administrators that control which operations an administrator can perform for a
CVCA or DV.
The following procedure describes how to create a new role for CVCA administrators.
You must create new roles in the CVCA. You create new roles using Security Manager
Administration. For more information about roles and role permissions, see the
Security Manager Administration User Guide.

To create a new role for CVCA administrators


1 Log in to Security Manager Administration for the CVCA.
2 Select Policies > Roles > New.
A role with the name <New Role> and a blue icon appears in the tree view, and
the new role’s properties appear in the right pane.
3 Click the Role tab and then complete the following:
a In the Name field, enter a unique name for the new role.
b In the Authorizations field, enter the number of authorizations required
when a sensitive operation is performed by members of this role. The default
is 1.
When you want to queue administrator operations for additional approvals,
you must set the value to 2 or greater. Do not enter a number that exceeds
the total number of administrators, or you will not have enough
administrators to authorize operations.
c In the User Policy drop-down list, select a client policy (user policy) for the
role.
The user policy must allow external authentication and optionally PKCS #12
export. For details, see “Creating or modifying a user policy for CVCA
administrators” on page 974.
4 Click the Permissions tab.
5 Under Categories, select Extended Access Control (CVCA) and then click
Properties.
The Administrative Permissions: EAC CVCA dialog box displays.
a Configure the permissions in the following categories:

– Permissions in the Anchor CVCA category specify the operations that role
members can perform on the domestic (anchor) CVCA.
– Permissions in the DV category specify the operations that role members
can perform on trusted Document Verifiers.
– Permissions in the Foreign CVCA category specify the operations that role
members can perform on trusted foreign CVCAs.
For each permission, select Requires Authorization when you want to queue
the user operation for administrator approval. For more information about
these permissions, see the Security Manager Administration User Guide.
b Click OK.
6 Click the Summary tab and then click Check Dependencies.
The Permission Dependencies dialog box appears. The dialog box displays a
success message if no additional permissions are required, or lists the
additional permissions that you may need to add to the role. Record any additional
permissions required and add those permissions.
7 Click Apply.
8 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
You have now created a custom role for CVCA administrators. You assign this role to
your administrators when you create their user accounts.

Creating CVCA administrators
You must create a user entry in Security Manager for each CVCA administrator. You
can use Security Manager Administration or the User Management Service
(Administration Services) to create the user entry.
For more information about creating users with Security Manager Administration, see
the Security Manager Administration User Guide.
For more information about creating users with the User Management Service, see
the Administration Services User Administration Guide.
This section contains the following procedures:
• “To create a CVCA administrator using Security Manager Administration” on
page 979
• “To create a CVCA administrator using the User Management Service” on
page 981

To create a CVCA administrator using Security Manager Administration


1 Log in to Security Manager Administration for the CVCA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
d Ensure that the Create profile check box is not checked.
4 Click the General tab.
5 From the Role drop-down list, select a role for the CVCA administrator.
The predefined EAC Administrator role allows administrators to perform all
operations for a CVCA or DV. The predefined EAC Auditor role allows
administrators only to view information for a CVCA or a DV. You may have
created a custom role for the CVCA administrator in “Creating roles for CVCA
administrators” on page 977.
The client policy (user policy) assigned to the role must allow external
authentication and optionally PKCS #12 export. For details, see “Creating or
modifying a user policy for CVCA administrators” on page 974.
6 Select the Certificate Info tab, and then complete the following:
a In the Category drop-down list, select Enterprise.
b Under Certificate Type, select Default.
7 Click OK.
8 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
The Operation Completed Successfully message appears, which displays the
Reference number and Authorization code.
Record these activation codes in a secure manner, as they are required later to
create and activate the user’s Entrust digital ID.
For more details about how the Registration number and Authorization codes are
used, see the Security Manager Administration User Guide.
You have created a user entry for a CVCA administrator. The CVCA administrator
must have a valid client certificate to access the CVCA Administration interface.
Securely send the activation codes to the administrator.
CVCA administrators can create their client certificate using the following
applications:
• User Management Service (UMS)
If PKCS #12 enrollment is enabled and configured properly in Administration
Services, administrators can use UMS to create a PKCS #12 digital ID. The
administrators can then import the digital ID into their Web browser and use
it to log in to CVCA Administration.
If SCEP enrollment is enabled and configured properly in Administration
Services, administrators can use UMS to obtain a digital ID using SCEP
(Simple Certificate Enrollment Protocol). SCEP enrollment is intended for
Apple devices, such as Macintosh computers. After obtaining the digital ID,
the digital ID is installed in the keychain, and administrators can use the
digital ID to log in to SPOC Administration.
• User Registration Service (URS)
If PKCS #12 enrollment is enabled and configured properly in Administration
Services, administrators can use URS to create a PKCS #12 digital ID. The
administrators can then import the digital ID into their Web browser and use
it to log in to CVCA Administration.
If SCEP enrollment is enabled and configured properly in Administration
Services, administrators can use URS to obtain a digital ID using SCEP (Simple

Certificate Enrollment Protocol). SCEP enrollment is intended for Apple
devices, such as Macintosh computers. After obtaining the digital ID, the
digital ID is installed in the keychain, and administrators can use the digital
ID to log in to CVCA Administration.
• Profile Creation Utility
CVCA administrators can use the Profile Creation Utility to generate a PKCS
#12 digital ID. The administrators can then import the digital ID into their
Web browser and use it to log in to CVCA Administration.
• Entrust Entelligence Security Provider for Windows
CVCA administrators can use Security Provider for Windows to generate a
digital ID. Security Provider for Windows can synchronize the administrator’s
certificates with the Microsoft Cryptographic API (CAPI) security store. Web
browsers that support CAPI can then use the digital ID.

To create a CVCA administrator using the User Management Service


1 Log in to the User Management Service for the CVCA.
2 Click the Accounts tab.
3 Click the Create Account tab.
4 In the User Type drop-down list, select a user type.
User types determine which attributes and object classes are included in the user’s
distinguished name.
5 In the Certificate Type drop-down list, select Enterprise - Default.
6 In the available text fields, enter the name that will become the common name
of the user entry. An asterisk (*) appears beside required fields. You must enter
information into all fields marked with asterisks.
7 From the Role drop-down list, select a role for the CVCA administrator.
The predefined EAC Administrator role allows administrators to perform all
operations for a CVCA or DV. The predefined EAC Auditor role allows
administrators only to view information for a CVCA or a DV. You may have
created a custom role for the CVCA administrator in “Creating roles for CVCA
administrators” on page 977.
The client policy (user policy) assigned to the role must allow external
authentication and optionally PKCS #12 export. For details, see “Creating or
modifying a user policy for CVCA administrators” on page 974.
8 Complete the rest of the information as required. See the Administration Services
User Administration Guide for more information.
9 Click Submit.

The information is sent to Security Manager. Security Manager returns activation
codes (reference number and authorization code) and displays them in the
Account Details page.
Record these activation codes in a secure manner, as they are required later to
create and activate the user’s Entrust digital ID.
For more details about how the Registration number and Authorization codes are
used, see the Security Manager Administration User Guide.
You have created a user entry for a CVCA administrator. The CVCA administrator
must have a valid client certificate to access the CVCA Administration interface.
Securely send the activation codes to the administrator.
CVCA administrators can create their client certificate using the following
applications:
• User Management Service (UMS)
If PKCS #12 enrollment is enabled and configured properly in Administration
Services, administrators can use UMS to create a PKCS #12 digital ID. The
administrators can then import the digital ID into their Web browser and use
it to log in to CVCA Administration.
If SCEP enrollment is enabled and configured properly in Administration
Services, administrators can use UMS to obtain a digital ID using SCEP
(Simple Certificate Enrollment Protocol). SCEP enrollment is intended for
Apple devices, such as Macintosh computers. After obtaining the digital ID,
the digital ID is installed in the keychain, and administrators can use the
digital ID to log in to CVCA Administration.
• User Registration Service (URS)
If PKCS #12 enrollment is enabled and configured properly in Administration
Services, administrators can use URS to create a PKCS #12 digital ID. The
administrators can then import the digital ID into their Web browser and use
it to log in to CVCA Administration.
If SCEP enrollment is enabled and configured properly in Administration
Services, administrators can use UMS to obtain a digital ID using SCEP
(Simple Certificate Enrollment Protocol). SCEP enrollment is intended for
Apple devices, such as Macintosh computers. After obtaining the digital ID,
the digital ID is installed in the keychain, and administrators can use the
digital ID to log in to CVCA Administration.
• Profile Creation Utility
CVCA administrators can use the Profile Creation Utility to generate a PKCS
#12 digital ID. The administrators can then import the digital ID into their
Web browser and use it to log in to CVCA Administration.
• Entrust Entelligence Security Provider for Windows

CVCA administrators can use Security Provider for Windows to generate a
digital ID. Security Provider for Windows can synchronize the administrator’s
certificates with the Microsoft Cryptographic API (CAPI) security store. Web
browsers that support CAPI can then use the digital ID.

Testing CVCA Administration
After installing CVCA Administration, you must ensure that all components were
installed properly and function correctly. To test the installation, open CVCA
Administration in a Web browser.

To test CVCA Administration


1 Open a Web browser.
2 Enter the following URL in your Web browser:
https://<host_name>:<port>/<instance>
Where:
• <host_name> is the fully qualified host name of the server hosting CVCA
Administration.
• <port> is the SSL port for CVCA Administration (by default 14443).
• <instance> is the URL path of the CVCA Administration instance. You
specified the URL path when you installed CVCA Administration. For
example, the default URL path for CVCA Administration is CVCAAdmin.
For example:
https://webserver.example.com:14443/CVCAAdmin
The login page appears.
3 When prompted to select a user certificate, select a user certificate for a CVCA
administrator.
4 A security dialog may appear, prompting you to allow the application to access
the private key.

Note:
The security dialog box may appear behind the browser window. Click the dialog
box’s window icon in the taskbar to bring the dialog box to the front.

Click Allow to allow CVCA Administration to access the private key.


If everything was installed correctly and the browser certificate is valid, the CVCA
Administration interface appears.

35 Configuring CVCA Administration

CVCA Administration is a Web-based interface for administering a CVCA. CVCA
administrators use CVCA Administration to manage domestic and foreign Document
Verifiers, DV certificates and certificate requests.
This chapter describes how to configure various components and features of CVCA
Administration. For more information about configuring Administration Services, see
the Administration Services Configuration Guide.
This chapter includes the following sections:
• “Configuring CVCA Administration logs” on page 986
• “Configuring the CRL cache timeout” on page 988
• “Configuring list operations in CVCA Administration” on page 989
• “Configuring the date format for CVCA Administration” on page 991
• “Configuring email notification for CVCA Administration” on page 992

Configuring CVCA Administration logs
Administration Services allows you to customize the log file settings for CVCA
Administration. You can configure the following log settings:
• the log file name and location
• the level of messages recorded in the file
• the maximum size the log file can reach before a new log file is created
• the number of old log files to retain

To configure the CVCA Administration logs


1 Log in to the Administration Services server hosting the application server
components.
2 Open the cvca-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\config
3 In the <Logging> section, configure the following settings:

Table 46: CVCA Administration log settings

Setting Description
<Level> This setting controls the level of detail for the CVCA Administration logs.
The logging level can be one of (in increasing severity):
• TRACE
• DEBUG
• INFO
• WARNING
• ERROR
• ALERT
• FATAL
This sets the lowest level of message to show. For example, ERROR provides
messages of ERROR, ALERT and FATAL status.
Default: INFO
<Filename> This setting specifies the name (including path) of the log file.
Default:
<AS-install>\cvcaadmin\<instance>\logs\cvca_<instance>.log

<Filesize> This setting controls the maximum size of a log file, in bytes.
Default: 1000000
Do not set the value to 0, or Apache Tomcat will fail to start.
<Backups> This setting controls the maximum number of log files to keep. After the last log
file reaches the maximum size, the first log file is overwritten.
Default: 10

4 Save and close the file.


5 Restart Administration Services.

Configuring the CRL cache timeout
CVCA administrators access the CVCA Administration interface using a client
certificate stored in their Web browser. CVCA Administration verifies that the client
certificate is still valid by checking the corresponding Certificate Revocation List (CRL)
to confirm that the certificate has not been revoked.
By default, after accessing the CRL, the CRL is cached on the Administration Services
server. Using a cached CRL prevents Administration Services from having to retrieve
the CRL from the directory for every CRL check. By default, CRLs are cached for 10
minutes. You can configure how long a CRL remains in the cache, up to 120 minutes.

To configure the CRL cache timeout


1 Log in to the Administration Services server hosting the application server
components.
2 Open the CVCA Administration instance cvca-config.xml file in a text editor.
You can find the file in the following folder:
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\config
3 Locate the <CRLCacheTimeout> setting. For example:
<CRLCacheTimeout>10</CRLCacheTimeout>
4 Set the CRL cache timeout, in minutes, as required. You can set the CRL cache
timeout value from 0 to 120. For example, to set the CRL cache timeout to 15
minutes:
<CRLCacheTimeout>15</CRLCacheTimeout>
If 0, the CRL is never cached. By not caching the CRL, revoked certificates are
recognized immediately, at the cost of retrieving the CRL from the directory for
every CRL check.
5 Save and close the file.
6 Restart Administration Services.
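To make the trade-off in step 4 concrete, the following added example (not Entrust code) models the documented <CRLCacheTimeout> semantics and measures how long a revoked administrator certificate can keep passing the CRL check at each setting. The element is read from cvca-config.xml text with a regex; the directory, serial number and revocation time in the simulation are constructed.

```javascript
// Added example (not Entrust code): models the <CRLCacheTimeout> semantics
// described above. Values are minutes from 0 to 120; 0 means the CRL is
// fetched from the directory on every check. The directory, serial number
// and revocation time in the simulation are constructed.

const MAX_CRL_CACHE_MINUTES = 120;
const MS_PER_MINUTE = 60 * 1000;

// Reads <CRLCacheTimeout> from the text of a cvca-config.xml file and enforces
// the documented 0..120 range. A regex suffices for this single element.
function parseCrlCacheTimeout(xmlText) {
  const m = /<CRLCacheTimeout>\s*(-?\d+)\s*<\/CRLCacheTimeout>/.exec(xmlText);
  if (!m) throw new Error('CRLCacheTimeout element not found');
  const minutes = Number(m[1]);
  if (minutes < 0 || minutes > MAX_CRL_CACHE_MINUTES) {
    throw new RangeError(`CRLCacheTimeout must be 0..${MAX_CRL_CACHE_MINUTES}, got ${minutes}`);
  }
  return minutes;
}

// CRL cache with the same policy: a fetched CRL is reused until it is
// timeoutMinutes old; with 0 every check goes back to the directory.
class CrlCache {
  constructor(timeoutMinutes, fetchCrl) {
    this.timeoutMs = timeoutMinutes * MS_PER_MINUTE;
    this.fetchCrl = fetchCrl;   // () => Set of revoked serial numbers
    this.cached = null;
    this.fetchedAt = -Infinity;
    this.fetches = 0;           // directory lookups made, for inspection
  }

  revokedSerials(nowMs) {
    const fresh = this.cached !== null && nowMs - this.fetchedAt < this.timeoutMs;
    if (!fresh) {
      this.cached = this.fetchCrl();
      this.fetchedAt = nowMs;
      this.fetches += 1;
    }
    return this.cached;
  }

  isRevoked(serial, nowMs) {
    return this.revokedSerials(nowMs).has(serial);
  }
}

// Simulation: an administrator certificate is revoked at revokedAtMinute and a
// client checks once a minute. Returns how many minutes pass before the
// revocation is seen (never more than the cache timeout), or -1 if it is not
// seen within horizonMinutes.
function minutesUntilRevocationSeen(timeoutMinutes, revokedAtMinute, horizonMinutes = 130) {
  const directoryCrl = new Set();                      // constructed directory state
  const cache = new CrlCache(timeoutMinutes, () => new Set(directoryCrl));
  const serial = 'CONSTRUCTED-SERIAL-42';
  for (let minute = 0; minute <= horizonMinutes; minute++) {
    if (minute === revokedAtMinute) directoryCrl.add(serial);
    if (cache.isRevoked(serial, minute * MS_PER_MINUTE)) return minute - revokedAtMinute;
  }
  return -1;
}

for (const timeout of [0, 10, 120]) {
  console.log(`CRLCacheTimeout ${timeout}: revocation seen after ${minutesUntilRevocationSeen(timeout, 3)} minute(s)`);
}
```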

Configuring list operations in CVCA
Administration
In CVCA Administration, administrators can list the following entities or certificates:
• DV certificates
• domestic CVCA certificates
• foreign CVCAs
• foreign CVCA certificates
For each type of entity or certificate, CVCA Administration controls the maximum
number of results returned in a list operation and whether expired certificates are
included in the results. You can configure both settings for each type.

Note:
You can set a maximum return limit for XAP searches in Security Manager. If a
maximum return limit is configured in Security Manager, the maximum return
limit at Security Manager takes precedence.

To configure search operations in CVCA Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Open the cvca-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\config
3 In the <Search> section, configure the following settings:

Table 47: CVCA Administration search settings

Setting Description
<DvCertificate> These settings control the search operations for DV certificates.
<MaxReturn> This setting specifies the maximum number of certificates to return
in a DV certificate list operation. If 0, CVCA Administration uses
the Security Manager default XAP return limit (default is 100).
Default: 1000

<IncludeExpired> This setting controls whether to include expired certificates in the
results.
Default: true
<CvcaCertificate> These settings control the search operations for domestic CVCA
certificates.
<MaxReturn> This setting specifies the maximum number of certificates to return
in a domestic CVCA certificate list operation. If 0, CVCA
Administration uses the Security Manager default XAP return limit
(default is 100).
Default: 1000
<IncludeExpired> This setting controls whether to include expired certificates in the
results.
Default: true
<FCvcaEntity> These settings control the search operations for foreign CVCAs.
<MaxReturn> This setting specifies the maximum number of foreign CVCAs to
return in a foreign CVCA list operation. If 0, CVCA Administration
uses the Security Manager default XAP return limit (default is
100).
Default: 1000
<FCvcaCertificate> These settings control the search operations for foreign CVCA
certificates.
<MaxReturn> This setting specifies the maximum number of certificates to return
in a foreign CVCA certificate list operation. If 0, CVCA
Administration uses the Security Manager default XAP return limit
(default is 100).
Default: 1000
<IncludeExpired> This setting controls whether to include expired certificates in the
results.
Default: true

4 Save and close the file.


5 Restart Administration Services.
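Before restarting Administration Services, a practitioner will want to check the edited values against the constraints in Tables 46 and 47 (in particular that Filesize is not 0). The following is an added example, not Entrust code: the element names come from the tables, while the <Config> root, the helper functions and the sample file contents are constructed assumptions.

```javascript
// Added example (not Entrust code): lints the <Logging> and <Search> sections
// of a cvca-config.xml against the constraints in Tables 46 and 47 before
// Administration Services is restarted. Element names come from the tables;
// the <Config> root and the sample values below are constructed assumptions.

const LOG_LEVELS = ['TRACE', 'DEBUG', 'INFO', 'WARNING', 'ERROR', 'ALERT', 'FATAL'];
const SEARCH_SECTIONS = ['DvCertificate', 'CvcaCertificate', 'FCvcaEntity', 'FCvcaCertificate'];
const SM_DEFAULT_XAP_RETURN_LIMIT = 100; // Security Manager default when MaxReturn is 0

// Text of the first <name>...</name> element inside xmlText, or null if absent.
// A regex suffices here because these elements never nest or repeat.
function section(xmlText, name) {
  const m = new RegExp(`<${name}>([\\s\\S]*?)</${name}>`).exec(xmlText);
  return m ? m[1] : null;
}

function leaf(xmlText, name) {
  const value = section(xmlText, name);
  return value === null ? null : value.trim();
}

// Returns a list of problems; an empty list means the file passes.
function lintCvcaConfig(xmlText) {
  const problems = [];
  const logging = section(xmlText, 'Logging');
  if (logging === null) {
    problems.push('Logging: section missing');
  } else {
    const level = leaf(logging, 'Level');
    if (!LOG_LEVELS.includes(level)) {
      problems.push(`Logging/Level: "${level}" is not one of ${LOG_LEVELS.join(', ')}`);
    }
    if (!leaf(logging, 'Filename')) problems.push('Logging/Filename: empty or missing');
    const filesize = Number(leaf(logging, 'Filesize'));
    if (!Number.isInteger(filesize) || filesize <= 0) {
      problems.push('Logging/Filesize: must be a positive byte count (0 stops Tomcat from starting)');
    }
    const backups = Number(leaf(logging, 'Backups'));
    if (!Number.isInteger(backups) || backups < 0) {
      problems.push('Logging/Backups: must be a non-negative integer');
    }
  }
  const search = section(xmlText, 'Search');
  if (search === null) {
    problems.push('Search: section missing');
  } else {
    for (const name of SEARCH_SECTIONS) {
      const sub = section(search, name);
      if (sub === null) { problems.push(`Search/${name}: section missing`); continue; }
      const maxReturn = Number(leaf(sub, 'MaxReturn'));
      if (!Number.isInteger(maxReturn) || maxReturn < 0) {
        problems.push(`Search/${name}/MaxReturn: must be 0 or a positive integer`);
      }
      // Table 47 lists no IncludeExpired setting for foreign CVCA entities.
      if (name !== 'FCvcaEntity') {
        const include = leaf(sub, 'IncludeExpired');
        if (include !== 'true' && include !== 'false') {
          problems.push(`Search/${name}/IncludeExpired: must be true or false`);
        }
      }
    }
  }
  return problems;
}

// Effective list limit as Table 47 describes it: 0 falls back to the
// Security Manager default XAP return limit.
function effectiveMaxReturn(maxReturn) {
  return maxReturn === 0 ? SM_DEFAULT_XAP_RETURN_LIMIT : maxReturn;
}

// Constructed sample with two defects: Filesize 0 and IncludeExpired "yes".
const SAMPLE_CVCA_CONFIG = `
<Config>
  <Logging>
    <Level>ERROR</Level>
    <Filename>C:\\AS\\cvcaadmin\\CVCAAdmin\\logs\\cvca_CVCAAdmin.log</Filename>
    <Filesize>0</Filesize>
    <Backups>10</Backups>
  </Logging>
  <CRLCacheTimeout>10</CRLCacheTimeout>
  <Search>
    <DvCertificate><MaxReturn>1000</MaxReturn><IncludeExpired>true</IncludeExpired></DvCertificate>
    <CvcaCertificate><MaxReturn>0</MaxReturn><IncludeExpired>yes</IncludeExpired></CvcaCertificate>
    <FCvcaEntity><MaxReturn>1000</MaxReturn></FCvcaEntity>
    <FCvcaCertificate><MaxReturn>1000</MaxReturn><IncludeExpired>false</IncludeExpired></FCvcaCertificate>
  </Search>
</Config>`;

console.log(lintCvcaConfig(SAMPLE_CVCA_CONFIG));
```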

Configuring the date format for CVCA
Administration
The following procedure describes how to configure the date format for CVCA
Administration to meet your organization’s date format requirements.

To configure the formatting functions for CVCA Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Open the commonpage.js file in a text editor. You can find the file in the following
folder:
<AS-install>\services\cvcaadmin\<instance>\webapp\<locale>\
javascript
3 Customize one of the following formatting functions:
• getLocalDateTime()
• rfc3339DateToJavaScript()

Configuring email notification for CVCA
Administration
When you installed Administration Services, you had the option to enable email
notification for each instance of the services that you installed. If you did not enable
email notification during the installation, or you want to configure how email
notification works, complete the steps in this section.
For more information about email notification, see the Administration Services
Installation Guide.
• “Configuring SMTP server settings for CVCA Administration” on page 992
• “Changing the email format for CVCA Administration” on page 994
• “Email notification files for CVCA Administration” on page 994
• “Enabling and disabling email notification for CVCA Administration” on
page 998
• “Modifying email notification subject and message text for CVCA
Administration” on page 1001
• “Modifying CVCA Administration email notification to use HTML content
templates” on page 1003

Configuring SMTP server settings for CVCA Administration


The SMTP server settings control how Administration Services communicates with
your SMTP server. If you enabled email notification when you installed
Administration Services, these settings were configured during the installation.

To configure SMTP server settings for CVCA Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Open the configuration.global.xml file for the CVCA Administration
instance. You can find the file in the following folder:
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\config
3 Locate the <SMTP> element.
4 In the <SMTP> element, configure the following child elements:
a In the <Charset> element, enter the character set used to forward
notification emails to the SMTP server. For example:
<Charset>UTF-8</Charset>
b In the <Host> element, enter the fully qualified host name of the SMTP
server. For example:

<Host>SMTPserver.company.com</Host>
c In the <Port> element, enter the port (between 0 and 65535) used to
connect to the SMTP host. For example:
<Port>25</Port>
5 If your SMTP server requires authentication:
a Enter true in the <Authentication> element. For example:
<Authentication>true</Authentication>
b Enter the SMTP server user ID in the <User> element. For example:
<User>SMTPuser</User>
c Enter the password for the SMTP server user ID in the <Password> element.
6 Save and close the file.

To configure the email addresses for CVCA Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Navigate to the following folder:
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\ens\xsl\
<locale>
3 Open the common-config.xsl file.
4 To configure the email address that appears in the email message’s From field,
configure the following setting:
<xsl:variable name="lang.from.email">email.address@company.com</xsl:variable>
5 To configure the email address that Administration Services sends email messages
to, configure the following setting:
<xsl:variable name="lang.admin.email">email.address@company.com</xsl:variable>
Administration Services sends messages to this address only if the event is not
meant for a particular object. For example, if a CVCA administrator performs an
action that requires another administrator's approval, Administration Services
sends the message to this email address.
6 Save and close the file.
7 To configure the email address that CVCA Administration uses when the
Document Verifier policy changes:
a Open the dv-global-customemail-recipients.xsl file in a text editor.
b Locate the following lines:
<Email>

TAG_DV_GLOBAL_EMAIL
</Email>
c Replace TAG_DV_GLOBAL_EMAIL with the valid email address.
d Save and close the file.

Changing the email format for CVCA Administration


Notification email addresses entered by administrators in the CVCA Administration
interface are checked to ensure that the format matches that of most Internet email
addresses. The format is checked using the following expression:
var regex=/^([a-zA-Z0-9\!\#\$\%\&\'\*\+\-\/\=\?\^\_\`\{\|\}\~]+(\.[a-zA-Z0-9\!\#\$\%\&\'\*\+\-\/\=\?\^\_\`\{\|\}\~]+)*)@([a-zA-Z0-9\-]+\.)+[a-zA-Z0-9]{2,}$/;
If your organization uses a different format for email addresses, Administration
Services will not accept your email addresses as valid. If you use a different format,
you must configure Administration Services to recognize the format.
Configure the new email format in the following file, located on the server hosting
the application server components:
<AS-install>\services\cvcaadmin\<instance>\webapp\<locale>\
javascript\validator.js
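The expression quoted above, as an added example (not the validator.js shipped with Administration Services), wrapped in a function and exercised against constructed addresses, with one variant showing the kind of change an organization that uses a single-label mail domain would make. The variant expression, the helper functions and all sample addresses are assumptions.

```javascript
// Added example (not Entrust code): the expression printed in the guide, plus
// a constructed variant for a different organizational address format. This
// is a browser-side format check on what administrators type into the
// interface; it decides only whether the form accepts the address.

// The expression from validator.js as printed in the guide.
const ENTRUST_EMAIL_REGEX =
  /^([a-zA-Z0-9\!\#\$\%\&\'\*\+\-\/\=\?\^\_\`\{\|\}\~]+(\.[a-zA-Z0-9\!\#\$\%\&\'\*\+\-\/\=\?\^\_\`\{\|\}\~]+)*)@([a-zA-Z0-9\-]+\.)+[a-zA-Z0-9]{2,}$/;

// Constructed variant (assumption): the domain may also be a single label of
// two or more characters, e.g. user@mailhost. The local-part rules are unchanged.
const SINGLE_LABEL_EMAIL_REGEX =
  /^([a-zA-Z0-9\!\#\$\%\&\'\*\+\-\/\=\?\^\_\`\{\|\}\~]+(\.[a-zA-Z0-9\!\#\$\%\&\'\*\+\-\/\=\?\^\_\`\{\|\}\~]+)*)@(([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9]{2,})$/;

function isValidNotificationEmail(address, regex = ENTRUST_EMAIL_REGEX) {
  return regex.test(address);
}

// Addresses from the list that the given expression does not accept.
function rejectedAddresses(addresses, regex = ENTRUST_EMAIL_REGEX) {
  return addresses.filter((address) => !regex.test(address));
}

// Constructed sample addresses: two ordinary accepted forms, then forms the
// default expression rejects (single-label domain, quoted local part,
// one-character top-level label, consecutive dots in the local part).
const SAMPLE_ADDRESSES = [
  'admin@example.com',
  'first.last+cvca@sub.example.org',
  'admin@mailhost',
  '"quoted"@example.com',
  'a@b.c',
  'user..name@example.com',
];

console.log('rejected by default expression:', rejectedAddresses(SAMPLE_ADDRESSES));
console.log('rejected by single-label variant:', rejectedAddresses(SAMPLE_ADDRESSES, SINGLE_LABEL_EMAIL_REGEX));
```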

Email notification files for CVCA Administration


You can configure Administration Services to notify administrators or users by email
if a specific event occurs. Table 48 lists all the email notification events in the
configuration.global.xml file for CVCA Administration. For information about
enabling and disabling email notification, see “Enabling and disabling email
notification for CVCA Administration” on page 998.

Table 48: CVCA Administration account tasks, event IDs, and email message files

Account task/ Event ID in Email message files Enabled


Interface Label configuration.global.xml by default

Add DV dv-add dv-entity-add-subject.xsl Yes


dv-entity-add-content.xsl
dv-entity-add-attachments.xsl

Delete DV dv-delete dv-entity-delete-subject.xsl Yes


dv-entity-delete-content.xsl

994 Entrust® ePassport 3.00 Solutions Guide Document issue: 5.0


Report any errors or omissions
Table 48: CVCA Administration account tasks, event IDs, and email message files (continued)

Account task/ Event ID in Email message files Enabled


Interface Label configuration.global.xml by default

Disable DV dv-disable dv-entity-disable-subject.xsl Yes


dv-entity-disable-content.xsl

Edit DV dv-edit dv-entity-edit-subject.xsl No


dv-entity-edit-content.xsl

Enable DV dv-enable dv-entity-enable-subject.xsl Yes


dv-entity-enable-content.xsl

Edit DV Policy dv-policy-edit dv-policy-edit-subject.xsl No


dv-policy-edit-content.xsl

DV Certificate dv-cert-req-process-erro dv-entity-cert-req-process-error- Yes


Request Process r content.xsl
Error
dv-entity-cert-req-process-subje
ct.xsl

DV dv-auth-cert-req-process dv-entity-auth-cert-req-process- Yes


Authenticated content.xsl
Certificate
dv-entity-cert-req-process-subje
Request Process
ct.xsl
dv-entity-cert-req-process-attac
hments.xsl

DV dv-auth-cert-req-process dv-entity-auth-cert-req-process- Yes


Authenticated -approved approved-content.xsl
Certificate
dv-entity-cert-req-process-subje
Request Process
ct.xsl
Approved
dv-entity-cert-req-process-appro
ved-attachments.xsl

DV dv-unauth-cert-req-proc dv-entity-unauth-cert-req-proce Yes


Unauthenticated ess ss-content.xsl
Certificate
dv-entity-cert-req-process-subje
Request Process
ct.xsl
dv-entity-cert-req-process-attac
hments-xsl

Configuring CVCA Administration 995


Report any errors or omissions
Table 48: CVCA Administration account tasks, event IDs, and email message files (continued)

Each entry lists the account task (interface label), the event ID in configuration.global.xml, the email message files, and whether the event is enabled by default.

DV Unauthenticated Certificate Request Process Approved
    Event ID: dv-unauth-cert-req-process-approved
    Email message files: dv-entity-unauth-cert-req-process-approved-content.xsl,
                         dv-entity-cert-req-process-subject.xsl,
                         dv-entity-cert-req-process-approved-attachments.xsl
    Enabled by default: Yes

DV Authenticated Certificate Request Countersign
    Event ID: dv-auth-cert-req-countersign
    Email message files: dv-entity-auth-cert-req-countersign-content.xsl,
                         dv-entity-cert-req-countersign-subject.xsl,
                         dv-entity-cert-req-countersign-attachments.xsl
    Enabled by default: Yes

DV Authenticated Certificate Request Countersign Approved
    Event ID: dv-auth-cert-req-countersign-approved
    Email message files: dv-entity-auth-cert-req-countersign-approved-content.xsl,
                         dv-entity-cert-req-countersign-subject.xsl,
                         dv-entity-cert-req-countersign-approved-attachments.xsl
    Enabled by default: Yes

DV Unauthenticated Certificate Request Countersign
    Event ID: dv-unauth-cert-req-countersign
    Email message files: dv-entity-unauth-cert-req-countersign-content.xsl,
                         dv-entity-cert-req-countersign-subject.xsl,
                         dv-entity-cert-req-countersign-attachments.xsl
    Enabled by default: Yes

DV Unauthenticated Certificate Request Countersign Approved
    Event ID: dv-unauth-cert-req-countersign-approved
    Email message files: dv-entity-unauth-cert-req-countersign-approved-content.xsl,
                         dv-entity-cert-req-countersign-subject.xsl,
                         dv-entity-cert-req-countersign-approved-attachments.xsl
    Enabled by default: Yes

DV Authenticated Certificate Request Countersign Queued
    Event ID: queued-dv-auth-cert-req-countersign
    Email message files: queued-dv-entity-auth-cert-req-countersign-content.xsl,
                         queued-dv-entity-auth-cert-req-countersign-subject.xsl
    Enabled by default: Yes

DV Unauthenticated Certificate Request Countersign Queued
    Event ID: queued-dv-unauth-cert-req-countersign
    Email message files: queued-dv-entity-unauth-cert-req-countersign-content.xsl,
                         queued-dv-entity-unauth-cert-req-countersign-subject.xsl
    Enabled by default: Yes

Foreign CVCA Root Certificate Import Queued
    Event ID: queued-foreign-cvca-root-cert-import
    Email message files: queued-fcvca-entity-root-cert-import-content.xsl,
                         queued-fcvca-entity-root-cert-import-subject.xsl
    Enabled by default: Yes

Foreign CVCA Link Certificate Import Queued
    Event ID: queued-foreign-cvca-link-cert-import
    Email message files: queued-fcvca-entity-link-cert-import-content.xsl,
                         queued-fcvca-entity-link-cert-import-subject.xsl
    Enabled by default: Yes

DV Authenticated Certificate Request Process Queued
    Event ID: queued-dv-auth-cert-req-process
    Email message files: queued-dv-entity-auth-cert-req-process-content.xsl,
                         queued-dv-entity-cert-req-process-subject.xsl,
                         queued-dv-entity-cert-req-process-attachments.xsl
    Enabled by default: Yes

DV Unauthenticated Certificate Request Process Queued
    Event ID: queued-dv-unauth-cert-req-process
    Email message files: queued-dv-entity-unauth-cert-req-process-content.xsl,
                         queued-dv-entity-cert-req-process-subject.xsl,
                         queued-dv-entity-cert-req-process-attachments.xsl
    Enabled by default: Yes
Enabling and disabling email notification for CVCA Administration
You can configure Administration Services to notify administrators or users by email
if a specific event occurs. “Email notification files for CVCA Administration” on
page 994 lists all the email notification events in the configuration.global.xml file
for CVCA Administration.
Use the following procedures to enable and disable email notification for CVCA
Administration:
• “To enable or disable email notification for CVCA Administration” on
page 998
• “To enable or disable email notification for specific events for CVCA
Administration” on page 999
• “To configure email notification event settings for CVCA Administration” on
page 1000

To enable or disable email notification for CVCA Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Open the cvca-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\config
3 Locate the <Notifications> element and configure the <Enabled> child
element as follows:
• To enable email notification, set the <Enabled> element to true.
<Enabled>true</Enabled>
• To disable email notification, set the <Enabled> element to false.
<Enabled>false</Enabled>
4 Save and close the file.
5 Open the CVCA Administration instance configuration.global.xml file in a
text editor. You can find the file in the following folder:
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\config
6 Locate the <Notification> element and configure the first <Enabled> element
as follows:
• To enable email notification, set the <Enabled> element to true.
<Enabled>true</Enabled>
• To disable email notification, set the <Enabled> element to false.
<Enabled>false</Enabled>

7 If required, enable or disable email notification for specific events. See “To enable
or disable email notification for specific events for CVCA Administration” on
page 999 for details.
8 Save and close the file.
9 Restart Administration Services.

To enable or disable email notification for specific events for CVCA Administration
1 Log in to the Administration Services server hosting the application server
components.
2 Open the CVCA Administration instance configuration.global.xml file in a
text editor. You can find the file in the following folder:
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\config
3 Locate the <Notification> element.
4 In the <Notification> element, each <Event> child element refers to a specific
event. See “Email notification files for CVCA Administration” on page 994 for a
list of event IDs.
For each event, you can configure email notification as follows:
• To enable email notification for the event, set <Enabled> to true.
<Enabled>true</Enabled>
• To disable email notification for the event, set <Enabled> to false.
<Enabled>false</Enabled>
5 If required, configure the email notification event settings. See “To configure
email notification event settings for CVCA Administration” on page 1000 for
details.
6 Save and close the file.
If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin), for
languages such as French or Japanese, save the file with UTF-8 encoding.
7 Restart Administration Services.

Note:
You cannot configure email notification to notify DV administrators that a CVCA
key update occurred. After CVCA keys are updated, CVCA administrators must
inform DV administrators that the CVCA keys updated and send the latest CVCA
certificate.

To configure email notification event settings for CVCA Administration
1 Log in to the Administration Services server hosting the application server
components.
2 Open the CVCA Administration instance configuration.global.xml file in a
text editor. You can find the file in the following folder:
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\config
3 Locate the <EmailNotificationEvents> element.
4 In the <EmailNotificationEvents> element, each <EmailNotificationEvent>
child element refers to a specific email notification event. For each event, you can
configure the settings described in the following table.

Table 49: Email notification event settings

Setting Description
<ContentTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the text of the message. See
“Modifying email notification subject and message text for CVCA
Administration” on page 1001 for details about editing this file.
Note: This is a system setting and should not be modified.
<FromTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the names and email addresses for
the RFC 822 From: and Reply-To: headers.
Note: This is a system setting and should not be modified.
<Id> Used to declare a unique identifier. This value must match an
identifier of a notification event that is sent by the
XAPNotificationHandler. It is the identifier that is used to
determine which email notification event should handle the
notification event.
Note: This is a system setting and should not be modified.
<RecipientTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the names and email addresses of
the recipients. The results of the transformation are a
<Recipients> element.
<SubjectTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the text of the RFC 822 Subject:
header. The result of the transformation is a <Subject> element.
See “Modifying email notification subject and message text for
CVCA Administration” on page 1001 for details about editing this
file.

<AttachmentsTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the files sent in the email messages
as attachments. The results of the transformation are an
<Attachments> element.

5 Save and close the file.


If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin), for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Restart Administration Services.

Modifying email notification subject and message text for CVCA Administration

Attention:
Only personnel with knowledge of XSLT should attempt to modify email
notification text. To compare your changes with the default versions of the XSL
files, see the <AS-install>\templates folder for the default files. Do not modify
any of the files in the templates folder.

Administration Services allows you to modify both the email subject and message text
for each email notification event.

To modify email notification subject text for CVCA Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Navigate to the following folder:
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\ens\xsl
3 In a text editor, open the XSL subject file for the event you want to modify. See
“Email notification files for CVCA Administration” on page 994 for a list of event
IDs and email message files.
For example, to edit the subject line for the user-reactivate event, open the
user-reactivate-subject.xsl file.
4 Find the <Subject> element and modify the subject text.
For example, in the user-reactivate-subject.xsl file, you would modify the
text highlighted in bold:

<Subject>Your digital ID has been reactivated.</Subject>
5 Save and close the file.
If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin) for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Repeat this procedure for each event you want to modify.

To modify email notification message text for CVCA Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Navigate to the following folder:
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\ens\xsl
3 In a text editor, open the XSL message content file for the event you want to
modify. See “Email notification files for CVCA Administration” on page 994 for
a list of event IDs and email message files.
For example, to edit the message for the user-reactivate event, open the
user-reactivate-content.xsl file.
4 In the file, modify the text in the notification area only.
For example, in the user-reactivate-content.xsl file, you would modify the
text highlighted in bold:
<xsl:template match="xap:User">
  <xsl:variable name="userName">
    <xsl:call-template name="attributeFromDN">
      <xsl:with-param name="dn" select="xap:Properties/xap:DN" />
      <xsl:with-param name="attribute" select="'cn'" />
    </xsl:call-template>
  </xsl:variable>
Dear <xsl:value-of select="$userName" />,

Your Entrust digital ID has been reactivated.

Begin using your digital ID again at any time. If you have lost your
digital ID or forgotten your password, please contact your LRA.

  <xsl:call-template name="signature"/>
</xsl:template>
5 Save and close the file.

If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin) for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Repeat this procedure for each event you want to modify.

Modifying CVCA Administration email notification to use HTML content templates
By default, Administration Services email notifications are formatted to use plaintext
content templates, but you have the option to format the email notifications to also
use HTML content templates.
If an HTML template is specified for an event, both plaintext and HTML message
parts will be added to the email notification message. If the recipient’s email client
supports HTML, it will use the HTML message; if the email recipient’s email client
does not support HTML, the plaintext message will be used.

To modify CVCA Administration email notification to use HTML


1 Log in to the Administration Services server hosting the application server
components.
2 Create an HTML file for every event ID you want to use both plaintext and HTML
content templates. You can give the HTML file any filename you choose, but you
must save it in the same file location as the plaintext version of the template.
3 Open the CVCA Administration instance configuration.global.xml file in a
text editor. You can find the file in the following folder:
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\config
4 Locate the <EmailNotificationEvents> element.
5 For every event ID you wish to use both plaintext and HTML content templates,
add <ContentHTMLTemplate>, the HTML template file name, and
</ContentHTMLTemplate> after the <ContentTemplate> line. For example (the
text in bold would be the new text you are adding):
<EmailNotificationEvent>
<ContentTemplate>dv-entity-add-content</ContentTemplate>
<ContentHTMLTemplate>dv-entity-add-content-html</ContentHTMLTemplate>
6 Save and close the file.
7 Restart Administration Services.
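The audit script below is an added example for the notification procedures above and for Table 49; it is not code from this guide or from Entrust. It reads a configuration.global.xml, reports which events are effectively enabled once the global <Enabled> switch under <Notification> is taken into account, lists referenced template files that are absent from the ens\xsl folder, and flags events that still carry only a plaintext <ContentTemplate>. The sample XML is constructed for the example: the event IDs and template names come from Table 48, but the nesting of <Id> and <Enabled> inside <Event>, and the rule that a template name resolves to <name>.xsl, are assumptions to verify against your own instance file before relying on the output.

```python
"""Audit the email-notification settings of a CVCA Administration instance.

Added example, not Entrust code. Assumed layout of configuration.global.xml:
<Notification> holds the global <Enabled> switch and one <Event> per event,
each with <Id> and <Enabled>; <EmailNotificationEvents> holds one
<EmailNotificationEvent> per event with the template settings of Table 49.
"""
import xml.etree.ElementTree as ET

# Assumption: a template name maps to <name>.xsl in WEB-INF\ens\xsl.
TEMPLATE_SUFFIX = ".xsl"
TEMPLATE_KEYS = ("ContentTemplate", "ContentHTMLTemplate", "SubjectTemplate",
                 "RecipientTemplate", "FromTemplate", "AttachmentsTemplate")

# Constructed sample configuration (not a real instance file).
SAMPLE_CONFIG = """<Configuration>
  <Notification>
    <Enabled>true</Enabled>
    <Event>
      <Id>dv-auth-cert-req-countersign</Id>
      <Enabled>true</Enabled>
    </Event>
    <Event>
      <Id>queued-foreign-cvca-root-cert-import</Id>
      <Enabled>false</Enabled>
    </Event>
  </Notification>
  <EmailNotificationEvents>
    <EmailNotificationEvent>
      <Id>dv-auth-cert-req-countersign</Id>
      <ContentTemplate>dv-entity-auth-cert-req-countersign-content</ContentTemplate>
      <ContentHTMLTemplate>dv-entity-auth-cert-req-countersign-content-html</ContentHTMLTemplate>
      <SubjectTemplate>dv-entity-cert-req-countersign-subject</SubjectTemplate>
      <AttachmentsTemplate>dv-entity-cert-req-countersign-attachments</AttachmentsTemplate>
    </EmailNotificationEvent>
    <EmailNotificationEvent>
      <Id>queued-foreign-cvca-root-cert-import</Id>
      <ContentTemplate>queued-fcvca-entity-root-cert-import-content</ContentTemplate>
      <SubjectTemplate>queued-fcvca-entity-root-cert-import-subject</SubjectTemplate>
    </EmailNotificationEvent>
  </EmailNotificationEvents>
</Configuration>
"""


def _is_true(text):
    return (text or "").strip().lower() == "true"


def notification_switches(root):
    """Return (global_enabled, {event_id: enabled}) from <Notification>."""
    notif = root.find("Notification")
    if notif is None:
        return False, {}
    first = notif.find("Enabled")          # direct child only: the global switch
    global_on = first is not None and _is_true(first.text)
    per_event = {}
    for ev in notif.findall("Event"):
        eid = ev.findtext("Id")
        if eid:
            per_event[eid] = _is_true(ev.findtext("Enabled"))
    return global_on, per_event


def template_names(root):
    """Map event id -> {setting: template name} from <EmailNotificationEvents>."""
    out = {}
    events = root.find("EmailNotificationEvents")
    if events is None:
        return out
    for ev in events.findall("EmailNotificationEvent"):
        out[ev.findtext("Id")] = {k: ev.findtext(k) for k in TEMPLATE_KEYS if ev.findtext(k)}
    return out


def audit(xml_text, existing_templates):
    """existing_templates: set of file names found in the ens\\xsl folder."""
    root = ET.fromstring(xml_text)
    global_on, per_event = notification_switches(root)
    templates = template_names(root)
    # An event only sends mail when both the global and its own switch are true.
    effective = {eid: global_on and per_event.get(eid, False) for eid in templates}
    missing, plaintext_only = {}, []
    for eid, names in templates.items():
        gone = [n + TEMPLATE_SUFFIX for n in names.values()
                if n + TEMPLATE_SUFFIX not in existing_templates]
        if gone:
            missing[eid] = gone
        if "ContentTemplate" in names and "ContentHTMLTemplate" not in names:
            plaintext_only.append(eid)
    return {"global_enabled": global_on, "effective": effective,
            "missing": missing, "plaintext_only": plaintext_only}


def config_is_utf8(raw):
    """True if the file bytes decode as UTF-8 (required once non-ASCII text is used)."""
    try:
        raw.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


if __name__ == "__main__":
    # In a real run, build the set from the ens\xsl folder (os.listdir).
    present = {"dv-entity-auth-cert-req-countersign-content.xsl",
               "dv-entity-cert-req-countersign-subject.xsl",
               "dv-entity-cert-req-countersign-attachments.xsl",
               "queued-fcvca-entity-root-cert-import-content.xsl"}
    for key, value in audit(SAMPLE_CONFIG, present).items():
        print(key, value)
```

Run it against your own instance by replacing SAMPLE_CONFIG with the file contents and building the set of present files from the ens\xsl folder; a missing template or a disabled global switch is the usual reason an expected notification never arrives after a restart.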

36

Administering a Country Verifying Certification Authority
Each country has a single Country Verifying Certification Authority (CVCA). The
CVCA acts as the root of trust for access to biometrics stored on e-passports issued
by the CVCA’s home country. The CVCA also acts as the authority that determines
which Document Verifiers (both domestic and foreign) are authorized to access the
biometrics stored on e-passports.
This chapter describes how to administer a CVCA using the Security Manager Control
Command Shell and the CVCA Administration interface.
This chapter contains the following sections:
• “Getting started in Security Manager Control Command Shell” on
page 1006
• “Getting started in CVCA Administration” on page 1011
• “Viewing the CVCA holder identity” on page 1015
• “Managing domestic CVCA certificates” on page 1017
• “Updating the CVCA keys” on page 1026
• “Managing foreign CVCAs” on page 1032
• “Managing foreign CVCA certificates” on page 1042
• “Configuring the Document Verifier policy” on page 1056
• “Managing Document Verifiers” on page 1060
• “Managing Document Verifier certificate requests” on page 1084
• “Managing Document Verifier certificates” on page 1096
• “Previewing EAC certificates and certificate requests” on page 1103
• “Queued operations” on page 1105

Getting started in Security Manager Control Command Shell
Master Users are highly trusted people responsible for installing and configuring
Security Manager, and for managing various aspects of Security Manager, such as
certificates, the database, and the directory.
Security Manager Control Command Shell is a command line utility for Master Users
to manage Security Manager. In Security Manager Control Command Shell, a Master
User can do everything from logging in to setting encryption algorithms.

Note:
This section only provides information about starting and stopping, logging in,
and logging out of Security Manager Control Command Shell. For more
information about getting started in Security Manager Control Command Shell,
including important information about character encoding and using special
characters, see the Security Manager Operations Guide.

This section contains the following topics:


• “Logging in to Security Manager Control Command Shell” on page 1006
• “Logging out of Security Manager Control Command Shell” on page 1010

Logging in to Security Manager Control Command Shell


Logging in to Security Manager Control Command Shell authenticates you to
Security Manager and allows you to access operations, including starting and
stopping the Security Manager service.
Security Manager Control Command Shell automatically logs you out if there is no
activity in five minutes. If you try to log in while your Security Manager Control
Command Shell session is still active, the message "You are logged in to Security
Manager Control Command Shell" appears.
You usually need to log in to Security Manager Control Command Shell before you
can perform Master User tasks. However, if autologin is enabled, you may not have
to log in. See the Security Manager Operations Guide for information about
configuring autologin.
• “To log in to Security Manager Control Command Shell on Windows” on
page 1007
• “To log in to Security Manager Control Command Shell on Linux” on
page 1008

To log in to Security Manager Control Command Shell on Windows
1 Log in to Windows as the Windows user who installed Security Manager.

Note:
If you log in to Windows as a different Windows user, you cannot log in to
Security Manager Control Command Shell or run any commands.

2 Open the Security Manager Control Command Shell using one of the following
methods:
• Double-click the shortcut icon on the desktop.
• From the Start menu: click Start, click the down arrow to access Apps,
then click Security Manager Control Command Shell.
When listed by name or category, Security Manager Control Command Shell
is listed under Entrust.
The Security Manager Control Command Shell window appears. The window
presents copyright information about Security Manager, information about
getting help in Security Manager Control Command Shell, and the default
Security Manager Control Command Shell prompt (entsh$).
3 At the prompt, enter:
login
4 If you are using hardware-based database protection (see the Security Manager
Operations Guide), Security Manager Control Command Shell prompts you for
the password of the hardware device:
A password is required to log into 'CAHdwareVendor01 SN :
99ERT-A7-00-1'.
Password:
Enter the password of the hardware device.
5 Security Manager Control Command Shell prompts you for your Master User
user name:
Master User Name:
Enter your Master User user name.
The predefined Master User names (Master1, Master2, and Master3) are
case-sensitive. Names of custom Master Users (see the Security Manager
Operations Guide) are not case-sensitive.
6 Security Manager Control Command Shell prompts you for your Master User
password:
Password:

Enter your Master User password.
7 If Security Manager has been idle for more than seven days, you are prompted
to approve the time change:
Time now is 'Mon Nov 10 14:32:30 2014', last date Key Management
Service was started approximately 'Sat Oct 18 15:24:03 2014'.
Warning: once you set the clock forward, you cannot set it back
again.
If you later want to set the time back, you will have to restore
your CA from backup.
Do you want to approve the time change (y/n) ? [n]
To approve the time change, enter y. You must restart Security Manager within
one hour or you will have to acknowledge the time change again.
The message You are logged in to Security Manager Control Command Shell
appears, and the prompt changes to specify the distinguished name of the
Certification Authority and your Master User user name.

To log in to Security Manager Control Command Shell on Linux


1 Switch to a user with the proper group membership to use Security Manager.
When you installed Security Manager, you assigned ownership of the Security
Manager installation to a user and group. Switch to a user who belongs to the
same group that owns the Security Manager installation. For PostgreSQL, the
user must also belong to the easm_entrust_pg group. See the Security Manager
Database Configuration Guide.
2 Start the Security Manager Control Command Shell:

Note:
If you include these commands in your startup script, you do not need to enter
them each time you log in to your server to run Security Manager Control
Command Shell.

a Navigate to the Certification Authority (CA) data directory, typically:
/opt/entrust/authdata/CA
b Source the Security Manager environment variables:
– If you are in a C shell, enter:
source ./env_settings.csh
– If you are not in a C shell, enter:
. ./env_settings.sh
c Enter the following command:
entsh
Copyright information about Security Manager appears, followed by
information about getting help in Security Manager Control Command Shell,
and the default Security Manager Control Command Shell prompt (entsh$).
3 At the prompt, enter:
login
4 If you are using hardware-based database protection (see the Security Manager
Operations Guide), Security Manager Control Command Shell prompts you for
the password of the hardware device:
A password is required to log into 'CAHdwareVendor01 SN :
99ERT-A7-00-1'.
Password:
Enter the password of the hardware device.
5 Security Manager Control Command Shell prompts you for your Master User
user name:
Master User Name:
Enter your Master User user name.
The predefined Master User names (Master1, Master2, and Master3) are
case-sensitive. Names of custom Master Users (see the Security Manager
Operations Guide) are not case-sensitive.
6 Security Manager Control Command Shell prompts you for your Master User
password:
Password:
Enter your Master User password.
7 If Security Manager has been idle for more than seven days, you are prompted
to approve the time change:
Time now is 'Mon Nov 10 14:32:30 2014', last date Key Management
Service was started approximately 'Sat Oct 18 15:24:03 2014'.
Warning: once you set the clock forward, you cannot set it back
again.
If you later want to set the time back, you will have to restore
your CA from backup.
Do you want to approve the time change (y/n) ? [n]
To approve the time change, enter y. You must restart Security Manager within
one hour or you will have to acknowledge the time change again.
The message You are logged in to Security Manager Control Command Shell
appears, and the prompt changes to specify the distinguished name of the
Certification Authority and your Master User user name.

Logging out of Security Manager Control Command Shell
When you have finished your Master User operations, log out of Security Manager
Control Command Shell. This is a standard security measure.

To log out of Security Manager Control Command Shell on Windows


1 To log out of Security Manager Control Command Shell, enter:
logout
The prompt entsh$ appears.
2 To exit Security Manager Control Command Shell, at the prompt, enter the
following:
exit

To log out of Security Manager Control Command Shell on Linux


1 To log out of Security Manager Control Command Shell, enter:
logout
The prompt entsh$ appears.
2 To exit Security Manager Control Command Shell, enter:
exit

Getting started in CVCA Administration
CVCA Administration provides an interface for CVCA administrators to administer
their country’s Country Verifying Certification Authority (CVCA). CVCA
administrators with appropriate permissions can configure the Document Verifier
policy, manage Document Verifiers, and manage certificates and certificate requests.
This section contains the following topics:
• “Logging in to CVCA Administration” on page 1011
• “How the role assigned to the CVCA administrator affects the CVCA
Administration interface” on page 1012
• “Using the CVCA Administration interface” on page 1013

Logging in to CVCA Administration


You are required to log in to the CVCA Administration interface with a certificate
stored in your Web browser (see “Creating CVCA administrators” on page 979).

Note:
You can customize the CVCA Administration interface to reflect the corporate
identity of your company. For details, see “Customizing CVCA Administration”
on page 1109.

To log in to CVCA Administration


1 Open a Web browser.
2 Enter the following URL in your Web browser:
https://<host_name>:<port>/<instance>
Where:
• <host_name> is the fully qualified host name of the server hosting CVCA
Administration.
• <port> is the SSL port for CVCA Administration (by default 14443).
• <instance> is the URL path of the CVCA Administration instance. You
specified the URL path when you installed CVCA Administration. For
example, the default URL path for CVCA Administration is CVCAAdmin.
For example:
https://webserver.example.com:14443/CVCAAdmin
The login page appears.

3 When prompted to select a user certificate, select a user certificate for a CVCA
administrator.
4 A security dialog may appear, prompting you to allow the application to access
the private key.

Note:
The security dialog box may appear behind the browser window. Click the dialog
box’s window icon in the taskbar to bring the dialog box to the front.

Click Allow to allow CVCA Administration to access the private key.


The CVCA Administration interface appears.

How the role assigned to the CVCA administrator affects the CVCA Administration interface
Roles and their policies are defined in Security Manager. When a person is assigned
the function of administrator for CVCA Administration, you assign a specific role to
this person in Security Manager.
The role determines whether the administrator is permitted to perform administrative
tasks on the CVCA Administration interface. The following predefined roles are
available for CVCA Administration users:
• EAC Auditor
The EAC Auditor role has permissions only to view information available in
the CVCA Administration interface.
• EAC Administrator
The EAC Administrator has all EAC permissions. The EAC Administrator role
has permissions to perform all operations in the CVCA Administration
interface.
You can create new custom roles to assign to your CVCA administrators. You assign
administrators a role when you create their digital IDs. The tasks that an administrator
can perform in the CVCA Administration interface depend on the permissions the
administrator’s role contains. (Some existing PKI roles—such as Security Officer—also
include the permissions to perform modifications using the CVCA Administration
interface.) For more information about roles and permissions, see the Security
Manager Administration User Guide.

Using the CVCA Administration interface
This topic describes various elements found in the CVCA Administration interface.

Information bar
The information bar in the CVCA Administration interface displays the distinguished
name (DN) of the currently logged in administrator on the left. On the right, the
following links are available:
• About
Click About to view the version and legal information for the Entrust
Authority EAC systems.
• Help
Click Help on any page to view the Help documentation for that page. A link
to the help index is available on each Help page. A link to browser
requirements is available in the help index.
• locales (main page only)
Click a locale link to change the language used in the interface. By default,
CVCA Administration provides English and French locales.

Taskbar
The taskbar has links to the main task areas available to the currently logged-in
administrator. For example, if you are logged in as EAC Administrator, the Country
Verifying CAs, Document Verifiers, Certificate Request, Queued Operations, and
My Account tasks appear. The current task is emphasized by a white background.

Action bar
The action bar has tabs that indicate subtasks or actions available for the particular
task. The current tab is emphasized in darker blue. The action bar displays the current
action within the task.
The bread crumb trail allows administrators to easily see where they are within a task
and navigate back to previous steps.

Tables
When administrators retrieve results, the results are displayed in a table.
Administrators can sort the results in the table:
• Click the column header link in a results table to sort the table by that
column.

• Each table has default sorting criteria, but if the administrator sorts using a
different column, the administrator’s sorting preference is then saved in a
cookie.
• The currently-sorted column is shown with a graphic indicator.

Other interface elements


• Link items are displayed in bold. Click the link, and a details page appears.
• Help titles appear on mouse-over in a yellow pop-up.
• Action links appear in a command bar.
• Upon completion of an action, a message displays in the page indicating
failure or success.
• Where possible, input is verified using JavaScript. If an error is found, a
pop-up appears. The field label turns red and a red X is added to the input
field.

Viewing the CVCA holder identity
A holder identity consists of a two-character country code (such as GB for the United
Kingdom, or US for the United States of America), followed by a mnemonic label,
which is a character string of one to nine characters. For example, GBcvca and
UScountry are holder identities.
You specified the holder identity of the CVCA during the initialization process (see
“Initializing a CVCA” on page 904). You can view the holder identity at any time.
See the following procedures for more information:
• “To view the CVCA holder identity using Security Manager Control
Command Shell” on page 1015
• “To view the CVCA holder identity using the CVCA Administration
Interface” on page 1015

To view the CVCA holder identity using Security Manager Control Command
Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 At the prompt, enter
cvca identity
Security Manager displays the holder identity of the CVCA.

To view the CVCA holder identity using the CVCA Administration Interface
1 Log in to the CVCA Administration interface (see “Logging in to CVCA
Administration” on page 1011).
2 Click Country Verifying CAs.
3 Click the Country Verifying CA tab.
The CVCA holder identity is listed on the View Details page.

Managing domestic CVCA certificates
The following topics describe how to view, import, and export your domestic CVCA
certificates.
• “Viewing domestic CVCA certificates” on page 1017
• “Exporting domestic CVCA certificates” on page 1020

Viewing domestic CVCA certificates


You can view root and link CVCA certificates issued by your CVCA. Typically, you
view domestic CVCA certificates to determine which certificates you want to export
(see “Exporting domestic CVCA certificates” on page 1020), or to determine if you
need to update the CVCA keys (see “Updating the CVCA keys” on page 1026).
• “To view domestic CVCA certificates in the Security Manager Control
Command Shell” on page 1017
• “To view domestic CVCA certificates in CVCA Administration” on
page 1018

To view domestic CVCA certificates in the Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 To list all domestic CVCA certificates, enter:
cvca cert list
Security Manager displays a list of all domestic CVCA certificates. For example:
Holder Authority Effective Expiration Validity
Reference Reference Date (GMT) Date (GMT) Status
------------------------------------------------------------------
CAcvca00001 CAcvca00001 2009/02/10 2012/02/10 Valid

3 To view a specific root CVCA certificate, enter:


cvca cert view -root <holder reference>
Where <holder reference> is the holder reference of the CVCA certificate.
4 To view a specific link CVCA certificate, enter:
cvca cert view -link <holder reference>
Where <holder reference> is the holder reference of the CVCA certificate.
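The script below is an added example, not code from this guide or from Entrust. It ties together "Viewing the CVCA holder identity" and the `cvca cert list` output above: it splits a holder reference such as CAcvca00001 into country code, mnemonic and sequence number, parses the listing into rows, distinguishes self-signed root certificates from link certificates, reports which certificates are expired or inside an expiry warning window, and derives the set a Document Verifier administrator should receive (initial root plus every link certificate, as "Exporting domestic CVCA certificates" describes). The country code plus 1-9 character mnemonic is the holder identity format the guide gives; the trailing 5-character sequence number is the EAC certificate holder reference format from BSI TR-03110, not something this guide states, and restricting the mnemonic to ASCII letters and digits is an assumption of the example. The listing is constructed in the layout the guide shows.

```python
"""Parse `cvca cert list` output and check CVCA holder references (added example)."""
import re
from datetime import datetime

# Constructed listing in the layout the guide shows. CAcvca00002 appears twice:
# as a link certificate signed by the previous key (authority CAcvca00001)
# and as a self-signed root certificate.
SAMPLE_LISTING = """\
Holder      Authority   Effective   Expiration  Validity
Reference   Reference   Date (GMT)  Date (GMT)  Status
------------------------------------------------------------------
CAcvca00001 CAcvca00001 2009/02/10  2012/02/10  Expired
CAcvca00002 CAcvca00001 2011/02/10  2014/02/10  Valid
CAcvca00002 CAcvca00002 2011/02/10  2014/02/10  Valid
"""

DATE_FMT = "%Y/%m/%d"
DATE_RE = re.compile(r"\d{4}/\d{2}/\d{2}")


def split_holder_reference(ref):
    """Split 'CAcvca00001' into (country code, mnemonic, sequence number).

    Country code (2 letters) + mnemonic (1-9 characters) is the holder identity
    from the guide; the 5-character sequence number is the EAC format
    (BSI TR-03110). ASCII letters/digits for the mnemonic is an assumption.
    """
    if not 8 <= len(ref) <= 16:                     # 2 + (1..9) + 5
        raise ValueError("holder reference length out of range: %r" % ref)
    country, mnemonic, seq = ref[:2], ref[2:-5], ref[-5:]
    if not (country.isascii() and country.isalpha() and country.isupper()):
        raise ValueError("bad country code: %r" % country)
    if not (mnemonic.isascii() and mnemonic.isalnum()):
        raise ValueError("bad mnemonic: %r" % mnemonic)
    if not (seq.isascii() and seq.isalnum()):
        raise ValueError("bad sequence number: %r" % seq)
    return country, mnemonic, seq


def holder_identity(ref):
    country, mnemonic, _ = split_holder_reference(ref)
    return country + mnemonic


def is_valid_holder_reference(ref):
    try:
        split_holder_reference(ref)
        return True
    except ValueError:
        return False


def parse_cert_list(text):
    """Turn the `cvca cert list` table into a list of row dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not (DATE_RE.fullmatch(parts[2]) and DATE_RE.fullmatch(parts[3])):
            continue                                # header, rule or blank line
        holder, authority, effective, expiration, status = parts
        rows.append({
            "holder": holder, "authority": authority,
            "effective": datetime.strptime(effective, DATE_FMT).date(),
            "expiration": datetime.strptime(expiration, DATE_FMT).date(),
            "status": status,
            # self-signed (holder == authority) is a root certificate, else a link
            "kind": "root" if holder == authority else "link",
        })
    return rows


def expiry_report(rows, today, warn_days):
    """Map (holder, kind) -> 'expired' | 'expiring' | 'ok'. today is 'YYYY/MM/DD'."""
    today_d = datetime.strptime(today, DATE_FMT).date()
    report = {}
    for r in rows:
        left = (r["expiration"] - today_d).days
        state = "expired" if left < 0 else ("expiring" if left <= warn_days else "ok")
        report[(r["holder"], r["kind"])] = state
    return report


def dv_distribution_set(rows):
    """Certificates to hand to Document Verifiers: the initial root plus every
    link certificate; later self-signed roots are not distributed."""
    ordered = sorted(rows, key=lambda r: r["effective"])
    roots = [r for r in ordered if r["kind"] == "root"]
    result = [(roots[0]["holder"], "root")] if roots else []
    result += [(r["holder"], "link") for r in ordered if r["kind"] == "link"]
    return result


if __name__ == "__main__":
    rows = parse_cert_list(SAMPLE_LISTING)
    for r in rows:
        print(r["holder"], r["kind"], holder_identity(r["holder"]))
    print(expiry_report(rows, "2013/12/01", 90))
    print(dv_distribution_set(rows))
```

The expiry window mirrors the warning the View Details page shows when a certificate is within the expiry warning threshold; running the check over saved listings lets you raise the key update well before the last link certificate lapses.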

To view domestic CVCA certificates in CVCA Administration
1 Log in to the CVCA Administration interface (see “Logging in to CVCA
Administration”).
2 Click Country Verifying CAs.
3 Click the Country Verifying CA tab.
The View Details page appears, displaying a list of all CVCA certificates.

Note:
A warning message appears on the View Details page if a CVCA certificate is set
to expire within the expiry warning threshold. An error message appears if the
CVCA certificate has expired.

4 To view a specific CVCA certificate, click the holder reference of the CVCA
certificate that you want to view.
The View Certificate pane displays the certificate details.

Exporting domestic CVCA certificates
Export CVCA certificates whenever you add new Document Verifiers to the CVCA,
or whenever you update the CVCA keys (see “Updating the CVCA keys” on
page 1026).
You must export CVCA certificates so you can give them to Document Verifier
administrators. Document Verifiers need CVCA certificates for the following reasons:
• to generate a Document Verifier certificate request with a key compatible
with the latest CVCA certificate
• to verify the Document Verifier certificate issued by the CVCA
• to distribute to Inspection Systems, so that an Inspection System can
assemble a certificate chain that the e-passport chip can verify during
terminal authentication
Document Verifiers require the initial root CVCA certificate and all subsequent link
certificates. Document Verifiers do not require subsequent self-signed root CVCA
certificates, and you should not send them to Document Verifier administrators.
You must also export CVCA certificates so you can give them to foreign CVCA
administrators. Foreign CVCAs need your domestic CVCA certificates so that the
foreign CVCA can establish trust with your CVCA, and process DV certificate requests
countersigned by your CVCA (see also “Countersigning Document Verifier certificate
requests” on page 1085). Foreign CVCAs require the initial root CVCA certificate and
all subsequent link certificates.
You must also export CVCA certificates so you can store them in the latest e-passport
RFID (radio frequency identification) chips issued by your country. If your e-passport
system can verify certificate chains, export the latest link CVCA certificate. Otherwise,
export the latest root certificate. The first e-passports your country issues require the
initial root CVCA certificate.
You can export a single root or link CVCA certificate, or you can export a chain of
CVCA certificates. When you export a single certificate, you export it to a single file.
When you export a CVCA certificate chain, you export the certificates to a series of
files.
When you choose to export a certificate chain, you can choose to export the entire
chain of CVCA certificates (from the initial root CVCA certificate to the latest link
certificate), or only a partial chain. You can only export a certificate chain from the
Security Manager Control Command Shell.
This topic contains the following procedures:
• “To export a domestic CVCA certificate from the Security Manager Control
Command Shell” on page 1021
• “To export a domestic CVCA certificate chain from the Security Manager
Control Command Shell” on page 1022
• “To export a domestic CVCA certificate from CVCA Administration” on
page 1023

To export a domestic CVCA certificate from the Security Manager Control
Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 To list all CVCA certificates, enter:
cvca cert list
Security Manager displays a list of all CVCA certificates. Note the holder
reference of the certificate that you want to export.
3 To export the certificate (in DER-TLV format), enter:
cvca cert export [-overwrite] -root|-link <outputFile> <holder reference>
Parameters in square brackets are optional parameters. Table 50 describes the
command parameters.

Table 50: cvca cert export command parameters

-overwrite
    Overwrites the output file if it already exists.

-root | -link
    Specifies whether the certificate is a root certificate (-root) or a link
    certificate (-link). A CVCA certificate is a root certificate if its holder
    reference and authority reference are the same. Otherwise, it is a link
    certificate.

<outputFile>
    Specifies the name of the output file.

<holder reference>
    Specifies the holder reference of the CVCA certificate.

Security Manager displays validation strings when exporting a root CVCA
certificate. The "SHA1:" and "SHA256:" prefixes are not part of the validation
strings themselves; they only indicate which string is the SHA1 string and
which is the SHA256 string.
You have now exported the CVCA certificate. For the initial root CVCA certificate,
send the certificate and the validation strings to the Document Verifier
administrator using a secure method, such as secure email or diplomatic courier.
A self-signed root certificate cannot be checked against any previously trusted
key, so the validation strings are the recipient's only means of detecting a
substituted certificate. It is strongly recommended that you send the certificate
and the validation strings over separate channels, so that an attacker who
replaces the certificate in transit cannot also replace the strings.
You do not need validation strings for link CVCA certificates, since Document
Verifiers can cryptographically verify link CVCA certificates against the
previous CVCA certificate.

To export a domestic CVCA certificate chain from the Security Manager
Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 To list all CVCA certificates, enter:
cvca cert list
Security Manager displays a list of all CVCA certificates. Note the holder
references of the certificates that you want to export.
3 To export the certificates (in DER-TLV format), enter:
cvca cert export-chain [-overwrite] [-root|-link] <outputFile> [<leaf holder reference> [<trust point holder reference>]]
Parameters in square brackets are optional parameters. Table 51 describes the
command parameters.

Table 51: cvca cert export-chain command parameters

-overwrite
    Overwrites files if they already exist.

-root | -link
    Specifies whether the first certificate in the certificate chain is a root
    certificate (-root) or a link certificate (-link). If not specified, -root
    is assumed.
    A CVCA certificate is a root certificate if its holder reference and
    authority reference are the same. Otherwise, it is a link certificate.
    Use the <trust point holder reference> parameter to identify the CVCA
    certificate that starts the certificate chain. If you do not specify the
    <trust point holder reference> parameter, this option is ignored and the
    certificate chain starts with the initial root CVCA certificate.

<outputFile>
    Specifies a file name template for the output files. Security Manager
    appends a number (starting at 1) to each file name when it exports the
    certificates. For example: cert1.cer, cert2.cer, cert3.cer and so on.

<leaf holder reference>
    Specifies the holder reference of the CVCA certificate that ends the CVCA
    certificate chain. If not specified, the most recent CVCA link certificate
    ends the certificate chain.

<trust point holder reference>
    Specifies the holder reference of the CVCA certificate that starts the CVCA
    certificate chain. If not specified, the [-root|-link] option is ignored and
    the initial root CVCA certificate starts the certificate chain.

You have now exported the CVCA certificate chain. If you included a root CVCA
certificate in the chain, Security Manager displays validation strings.
The "SHA1:" and "SHA256:" prefixes are not part of the validation strings; they
only indicate which string is the SHA1 string and which is the SHA256 string.
Send the CVCA certificates to the Document Verifier administrator using a secure
method, such as secure email or diplomatic courier. If you include a root CVCA
certificate, it is strongly recommended that you send the validation string separately
to protect against tampering.

To export a domestic CVCA certificate from CVCA Administration
1 Log in to the CVCA Administration interface (see “Logging in to CVCA
Administration”).
2 Find the CVCA certificate that you want to export (see “Viewing domestic CVCA
certificates” on page 1017).
The View Certificate pane appears.

If the certificate is a root CVCA certificate, the View Certificate pane also
displays its validation strings. The "SHA1:" and "SHA256:" prefixes are not part
of the validation strings; they only indicate which string is the SHA1 string
and which is the SHA256 string.
3 Verify that this is the correct certificate and click Export.
The File Download dialog box appears.

Note:
Depending on your browser’s configuration, you may be asked to log in to the
interface a second time.

4 In the File Download dialog box, click Save.
The Save As dialog box appears.
5 Choose a file name and location for the file and then click Save.
The Download complete dialog box appears.
6 Click Close to close the dialog box.
Send the CVCA certificates to the Document Verifier administrator using a secure
method, such as secure email or diplomatic courier. If you include a root CVCA
certificate, it is strongly recommended that you send the validation string separately
to protect against tampering.

Updating the CVCA keys
Before the CVCA certificate expires, update the CVCA keys. When you update the
CVCA keys, Security Manager creates a new self-signed CVCA certificate, and a new
link CVCA certificate signed by the previous CVCA key.
After updating the CVCA keys, you must export the latest CVCA certificates. See
“Exporting domestic CVCA certificates” on page 1020 for details.
You can still update a CVCA even if the CVCA certificate expired. Security Manager
destroys the old private key four hours after you update the CVCA.
You can only update the CVCA keys in the Security Manager Control Command
Shell.
• “Viewing the current CVCA signing key” on page 1026
• “Configuring CVCA key updates” on page 1027
• “Updating the CVCA key pair” on page 1030

Viewing the current CVCA signing key
You can view information about the current CVCA signing key, including its key
characteristics, and hardware information if the key is stored on a hardware
device.

To view the current CVCA signing key
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 At the prompt, enter:
cvca cert show-keys
Security Manager displays information about the current CVCA signing key. For
example:
**** Active Anchor CVCA Signing Keys (1 keys) ****
Internal key index: 1
Key Owner: Anchor CVCA : 'CAcvca'
Key Type: EC-ansix9p256r1
Term Auth Alg: ECDSA-SHA256
Key on hardware: Y
Key ID (hardware CKA_ID): qnwxbIeolSkzc+MPqL9LHPkxS00=
Hardware load error: N
Hardware status: Loaded >> Safenet, Inc. LunaSA SN : 65080003 SLOT : 1
**** End of active key report ****

Configuring CVCA key updates
Before you update the CVCA keys, you can configure various settings for the next
CVCA certificate. For example, you can change the next CVCA certificate’s lifetime,
the holder access rights, or the cryptographic algorithm.
Changing the settings for the next certificate does not change the settings for the
current certificate. You cannot change the settings for the current certificate.

To view the CVCA key update settings
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 At the prompt, enter:
cvca config view
Security Manager displays the CVCA policy settings, and the software default
settings.
Global Policy Settings (these override the software default settings):
Term Auth Alg: ECDSA-SHA256
Key Type: EC-ansix9p256r1
Access Rights: Fingerprint only
Sequence Algorithm: Fixed Width (5) Numeric
Certificate Lifetime: 3 years
Certificate Warning: 100 days before expiry

Software Default Policy Settings (used if no custom or global settings):
Term Auth Alg: ECDSA-SHA256
Key Type: EC-ansix9p256r1
Access Rights: Fingerprint only
Sequence Algorithm: Fixed Width (5) Numeric
Certificate Lifetime: 3 years
Certificate Warning: 100 days before expiry
Software Key Storage: enabled

To change the CVCA key update settings
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 At the prompt, enter:
cvca config set [-reset] [-taa <value>] [-keytype <value>] [-ar F|I|FI|""]
    [-seqAlg A|N|CA|CN] [-lifetime years|months|weeks|days <value>]
    [-warn <days>] [-softKey enabled|disabled]

Parameters in square brackets are optional parameters. Table 52 on page 1028
describes the command parameters.

Table 52: cvca config set parameters

-reset
    Resets the existing policy settings to the software defaults.
    Note: If you specify new policy settings, the new settings replace the
    existing values.

-taa <value>
    Specifies the terminal authentication algorithm. The terminal
    authentication algorithm identifies the digital signature algorithm used to
    authenticate to e-passports issued by your country. The algorithm must be
    one of:
    • RSA-SHA1
    • RSA-SHA256
    • RSAPSS-SHA1
    • RSAPSS-SHA256
    • ECDSA-SHA1
    • ECDSA-SHA224
    • ECDSA-SHA256
    If you do not specify a terminal authentication algorithm, it defaults to
    ECDSA-SHA256.
    The algorithm must match the key type: the RSA and RSAPSS algorithms
    require an RSA key type, and the ECDSA algorithms require an EC key type.

-keytype <value>
    Specifies the key type (RSA or EC), and the key size (RSA) or domain
    parameters (EC). The key type must be one of:
    • RSA-1024, RSA-1280, RSA-1536, RSA-2048, RSA-3072, RSA-4096
    • EC-brainpoolP160r1, EC-brainpoolP160t1, EC-brainpoolP192r1,
      EC-brainpoolP192t1, EC-brainpoolP224r1, EC-brainpoolP224t1,
      EC-brainpoolP256r1, EC-brainpoolP256t1
    • EC-ansix9p160k1, EC-ansix9p160r1, EC-ansix9p160r2, EC-ansix9p192r1,
      EC-ansix9p192k1, EC-ansix9p224r1, EC-ansix9p224k1, EC-ansix9p256r1,
      EC-ansix9p256k1
    If you do not specify a key type, it defaults to EC-ansix9p256r1.
    Note: RSA-1024, the 160-bit and 192-bit curves, and the SHA1 variants of
    the terminal authentication algorithm remain selectable, but they no longer
    meet current minimum-strength guidance (for example, NIST SP 800-131A
    disallows RSA-1024 and SHA1 for signature generation). Select them only
    where deployed Inspection Systems or chips leave no alternative.

-ar F | I | FI | ""
    Specifies the holder access rights:
    • F (fingerprint)
    • I (iris)
    • FI (fingerprint and iris)
    • "" (none)
    If you do not specify the holder access rights, it defaults to
    fingerprint (F).

-seqAlg A | N | CA | CN
    Specifies the sequence number algorithm of the CVCA holder reference:
    • A (5-digit alphanumeric)
    • N (5-digit numeric)
    • CA (country code plus 3-digit alphanumeric)
    • CN (country code plus 3-digit numeric)
    If you do not specify the sequence number algorithm, it defaults to
    N (5-digit numeric).

-lifetime years | months | weeks | days <value>
    Specifies the lifetime of the CVCA certificate in years, months, weeks, or
    days. Must be between one day and 25 years. If you do not specify a
    lifetime, the default is three years.

-warn <days>
    Specifies the number of days before the certificate expires when Security
    Manager starts warning you of the impending expiry. A value of 0
    suppresses the warnings. If you do not specify the warning threshold, it
    defaults to 100 days.
    To change the frequency at which the messages are logged, edit the
    EntCvcaCertExpiryCheckNotBefore, EntCvcaCertExpiryCheckNotAfter and
    EntCvcaCertExpiryCheckPeriod settings in the entmgr.ini file. By default,
    warning messages are logged daily. For more information about these
    settings, see the Security Manager Operations Guide.

-softKey enabled | disabled
    Controls whether software is permitted as a storage location for the CVCA
    keys. If enabled, you can store the CVCA keys in software. If disabled,
    you can only store the CVCA keys on a hardware device. If you do not
    specify a value, you can store the CVCA keys in software.
    For a production CVCA whose key is held on an HSM, set -softKey disabled
    so that a later key update cannot place the new private key in the
    Security Manager database by mistake.

Updating the CVCA key pair
Update the CVCA keys before the CVCA certificate expires. By default, Security
Manager begins logging ALARM audit messages 100 days before the CVCA
certificate expires. For more information about audit logging, see the Security
Manager Operations Guide. Also see “Configuring CVCA key updates” on
page 1027.
When you update the keys, you can choose to store the new key in the Security
Manager database (software), or on a hardware security module. You do not have to
store the new CVCA key in the same location as the old CVCA key. Even if you stored
the old CVCA key in the Security Manager database, you can store the new keys on
a hardware security module (HSM) if desired.

To update the CVCA keys
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 At the prompt, enter:
cvca key update

Security Manager prompts you to select a destination for the CVCA keys. For
example:
Select the destination for the new CA key
Choose one of:
1. Software
2. CAHdwareVendor01 SN: 99ERT-A7-00-1 SLOT: 897756
3. CAHdwareVendor02 SN: REM77Z28X SLOT: 1000000029
4. Cancel operation
3 Enter the number associated with the action you want to select. For instance,
from the previous example, enter 2 to update the key on CAHdwareVendor01,
or 4 to cancel the update operation.
If you update a hardware-generated key, you may be prompted for the device
password. If you update a software-generated key, no password is required.
Security Manager updates the CVCA keys and displays the CVCA root and link
certificate.
You have now updated the CVCA keys. If you updated the keys on a hardware
security module, back up the key using the procedure outlined by your hardware
vendor.
After updating the CVCA keys, inform Document Verifier administrators that you
updated the CVCA keys and send them the latest CVCA link certificate. See
“Exporting domestic CVCA certificates” on page 1020 for details about exporting
CVCA certificates.

Managing foreign CVCAs
You can add, change, or remove foreign Country Verifying Certification Authorities
(CVCAs). See the following topics for details:
• “Adding foreign Country Verifying Certification Authorities” on page 1032
• “Viewing foreign Country Verifying Certification Authorities” on page 1033
• “Disabling or suspending foreign Country Verifying Certification
Authorities” on page 1035
• “Enabling or activating foreign Country Verifying Certification Authorities”
on page 1037
• “Deleting foreign Country Verifying Certification Authorities” on page 1039

Adding foreign Country Verifying Certification Authorities
Before you can import certificates from a foreign Country Verifying Certification
Authority, you must add the foreign CVCA to your CVCA. Adding a foreign CVCA to
your CVCA allows your CVCA to recognize the foreign CVCA. Recognizing the
foreign CVCA allows your CVCA to countersign DV certificate requests for the
foreign CVCA, and accept countersigned DV certificate requests from the foreign
CVCA.
• “To add a foreign CVCA using Security Manager Control Command Shell”
on page 1032
• “To add a foreign CVCA using the CVCA Administration Interface” on
page 1032

To add a foreign CVCA using Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 At the prompt, enter:
cvca fcvca add <fcvca identity>
Where <fcvca identity> is the holder identity of the foreign CVCA. The holder
identity must start with the ISO 3166-1 ALPHA-2 country code, followed by a
one to nine ISO 8859-1 Latin-1 character label. For example, GBcvca.

To add a foreign CVCA using the CVCA Administration Interface
1 Log in to the CVCA Administration interface (see “Logging in to CVCA
Administration” on page 1011).
2 Click Country Verifying CAs.

3 Click the Add Foreign Country Verifying CA tab.

4 Enter the information indicated in the fields on the page. An asterisk is used to
indicate mandatory fields (in this case, the Holder Identity of the foreign CVCA).
The holder identity must start with the ISO 3166-1 ALPHA-2 country code,
followed by a one to nine ISO 8859-1 Latin-1 character label. For example,
GBcvca.
In the URL field, enter the URL of the CVCA’s Web Service if you are configuring
the automatic key and certificate update feature.
5 Click Submit.

Viewing foreign Country Verifying Certification Authorities
You can display a list of all foreign CVCAs that you added to your CVCA. You can
also view information about a specific foreign CVCA, such as its holder identity,
friendly name and state (enabled or disabled).
• “To view a foreign CVCA in Security Manager Control Command Shell” on
page 1033
• “To view a foreign CVCA from the CVCA Administration Interface” on
page 1034

To view a foreign CVCA in Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 To display a list of all foreign CVCAs, enter:

cvca fcvca list [-state enabled|disabled]
Parameters in brackets are optional parameters, where:
• -state enabled lists only enabled foreign CVCAs.
• -state disabled lists only disabled foreign CVCAs.
Security Manager displays a list of all foreign CVCAs. For example:
Category        Identity        Status    Friendly-Name
-------------------------------------------------------
Foreign CVCA    UScvca (3)      Enabled   <unset>
Foreign CVCA    GBcvca (11)     Enabled   <unset>
Foreign CVCA    CNcvca (12)     Enabled   <unset>

3 To view information about a specific foreign CVCA, enter:
cvca fcvca view <fcvca identity>
Where <fcvca identity> is the holder identity of the foreign CVCA.
Security Manager displays information about the CVCA. For example:
Entity Category: Foreign CVCA
Holder Identity: UScvca
Friendly Name: <unset>
Email Address: <unset>
Entity Status: Enabled
Internal Database Id: 2
Last Modified: 05/22/08 11:43:04
Added: 05/22/08 11:43:04

To view a foreign CVCA from the CVCA Administration Interface
1 Log in to the CVCA Administration interface (see “Logging in to CVCA
Administration” on page 1011).
2 Click Country Verifying CAs.
3 Click the Foreign Country Verifying CAs tab.

The Foreign Country Verifying CAs List page appears, displaying a list of foreign
CVCAs.

4 From the list, click the Holder Identity of the foreign CVCA you want to view.
The View Details page opens, revealing information about the foreign CVCA.

Disabling or suspending foreign Country Verifying Certification Authorities
You can disable (suspend) a foreign CVCA in your chain of trust at any time. For
example, you can disable a foreign CVCA if you think it is compromised. When you
disable a foreign CVCA, Security Manager rejects all Document Verifier certificate

requests that are countersigned by the foreign CVCA, and your CVCA cannot
countersign Document Verifier certificate requests intended for the foreign CVCA.
You should only disable a foreign CVCA as a temporary measure. You can enable
(activate) a disabled foreign CVCA (see “Enabling or activating foreign Country
Verifying Certification Authorities” on page 1037).
• “To disable a foreign CVCA from Security Manager Control Command Shell”
on page 1036
• “To suspend a foreign CVCA from the CVCA Administration Interface” on
page 1036

To disable a foreign CVCA from Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 If required, find the foreign CVCA that you want to disable (see “Viewing foreign
Country Verifying Certification Authorities” on page 1033).
3 At the prompt, enter:
cvca fcvca disable <fcvca identity>
Where <fcvca identity> is the holder identity of the foreign CVCA.

To suspend a foreign CVCA from the CVCA Administration Interface
1 Log in to the CVCA Administration interface (see “Logging in to CVCA
Administration” on page 1011).
2 Click Country Verifying CAs.
3 Click the Foreign Country Verifying CAs tab.
The Foreign Country Verifying CAs List page appears, displaying a list of foreign
CVCAs.

4 Click the holder identity of the foreign CVCA you want to suspend.

The View Details page appears, revealing information about the foreign CVCA.

5 Click Suspend to suspend the foreign CVCA.

Enabling or activating foreign Country Verifying Certification Authorities
If you disabled (suspended) a foreign CVCA, you can enable (activate) it again. When
you enable a foreign CVCA, the CVCA can resume processing DV certificate requests
that were countersigned by the foreign CVCA.
• “To enable a foreign CVCA from the Security Manager Control Command
Shell” on page 1037
• “To activate a foreign CVCA from the CVCA Administration Interface” on
page 1038

To enable a foreign CVCA from the Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 If required, find the foreign CVCA that you want to enable (see “Viewing foreign
Country Verifying Certification Authorities” on page 1033).
3 At the prompt, enter:
cvca fcvca enable <fcvca identity>

Where <fcvca identity> is the holder identity of the foreign CVCA.

To activate a foreign CVCA from the CVCA Administration Interface
1 Log in to the CVCA Administration interface (see “Logging in to CVCA
Administration” on page 1011).
2 Click Country Verifying CAs.
3 Click the Foreign Country Verifying CAs tab.
The Foreign Country Verifying CAs List page appears, displaying a list of foreign
CVCAs.

4 Click the holder identity of the foreign CVCA you want to activate.

The View Details page opens, revealing information about the foreign CVCA.

5 Click Activate to enable trust for the foreign CVCA.

Deleting foreign Country Verifying Certification Authorities
You can delete a foreign CVCA at any time or in any state (enabled or disabled). It is
recommended that you delete a foreign CVCA if you entered an incorrect foreign
CVCA holder identity, or if the foreign CVCA was compromised. If you delete a
foreign CVCA, you also delete all root and link certificates for the foreign CVCA.
• “To delete a foreign CVCA in Security Manager Control Command Shell” on
page 1039
• “To delete a foreign CVCA from the CVCA Administration Interface” on
page 1040

To delete a foreign CVCA in Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 If required, find the foreign CVCA that you want to delete (see “Viewing foreign
Country Verifying Certification Authorities” on page 1033).
3 At the prompt, enter:
cvca fcvca delete <fcvca identity>

Where <fcvca identity> is the holder identity of the foreign CVCA.
Security Manager warns you that deleting the foreign CVCA will remove all of its
imported certificates:
Warning: deleting this foreign CVCA will remove all of its
imported certificates. Proceed (y/n) ? [n]
4 Enter y to delete the foreign CVCA.

To delete a foreign CVCA from the CVCA Administration Interface
1 Log in to the CVCA Administration interface (see “Logging in to CVCA
Administration” on page 1011).
2 Click Country Verifying CAs.
3 Click the Foreign Country Verifying CAs tab.
The Foreign Country Verifying CAs List page appears, displaying a list of foreign
CVCAs.

4 Click the holder identity of the foreign CVCA you want to delete.

The View Details page opens, revealing information about the foreign CVCA.

5 Click Delete.
You are prompted to confirm the operation.
6 Click OK to remove the foreign CVCA and all associated root and link certificates
for that foreign CVCA.

Managing foreign CVCA certificates
The following topics describe how to view, import, and export foreign CVCA
certificates.
• “Importing foreign CVCA certificates” on page 1042
• “Viewing foreign CVCA certificates” on page 1047
• “Exporting foreign CVCA certificates” on page 1050

Importing foreign CVCA certificates
Other CVCA administrators periodically send CVCA certificates that you must import.
Import these foreign CVCA certificates to establish trust with the foreign CVCA.
Foreign CVCA certificates allow you to process certificate requests from foreign
Document Verifiers that were countersigned by a foreign CVCA (see also
“Countersigning Document Verifier certificate requests” on page 1085). Importing
foreign CVCA certificates also allows you to export them to your domestic Document
Verifiers (see also “Exporting foreign CVCA certificates” on page 1050).
To establish a chain of trust with the foreign CVCA, you must first import the initial
root CVCA certificate then import each subsequent link certificate in the certificate
chain. You do not need to import any foreign CVCA root certificate other than the
initial root certificate.
Before you can import CVCA certificates from a foreign CVCA, you must add the
foreign CVCA to your CVCA. See “Adding foreign Country Verifying Certification
Authorities” on page 1032 for details.

Note:
Administration Services cannot import files with file names longer than 3000
characters.

• “To import a foreign CVCA certificate in the Security Manager Control
Command Shell” on page 1042
• “To import a certificate from a foreign CVCA using the CVCA Administration
interface” on page 1043

To import a foreign CVCA certificate in the Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 To preview the foreign CVCA certificate, enter:

cvca util cert preview <input file>
Where <input file> is the file name of the foreign CVCA certificate file. Security
Manager displays the foreign CVCA certificate.
When you preview a root foreign CVCA certificate, Security Manager also
displays the validation strings of the certificate. If the foreign CVCA administrator
provided you with validation strings, you can compare the validation strings to
ensure that no one tampered with the certificate.
3 At the prompt, enter:
cvca fcvca cert import [-oobAuth|-valStrAuth <validationString>] <input file>
Parameters in square brackets are optional parameters, where:
• <input file> is the file name of the CVCA certificate file.
• -oobAuth specifies that you authenticated the certificate by an out-of-band
method, such as diplomatic courier.
• -valStrAuth allows you to enter the validation string of the CVCA
certificate, and <validationString> is the validation string.
You must specify the -oobAuth or -valStrAuth parameter only for the initial
foreign CVCA certificate to authenticate the CVCA certificate’s signature. For
subsequent CVCA link certificates, Security Manager authenticates the new
CVCA certificate's signature using the previously imported CVCA certificate.
The validation string you received may include "SHA1:" or "SHA256:" at the
beginning of the string. Do not include "SHA1:" or "SHA256:" when
entering the validation string. The "SHA1:" or "SHA256:" portion only
indicates if the validation string is a SHA1 string or a SHA256 string, and is
not an actual part of the validation string.
You have now imported the foreign CVCA certificate.
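The validation-string check in step 2 and step 3 (drop the "SHA1:" or "SHA256:" label, then compare what the foreign administrator sent with what Security Manager displays) can be reproduced outside the product. The following Python is an added example, not code from Entrust or from this guide. It assumes that a validation string is the hexadecimal SHA-1 or SHA-256 digest of the certificate file exactly as received; the guide does not state how Security Manager derives its strings, so the example illustrates the label handling and a constant-time comparison, not the product's exact algorithm. The certificate bytes are constructed stand-in data.

```python
"""Check a received validation string against a foreign CVCA root certificate.

Added example, not Entrust code. Assumes a validation string is the hex SHA-1
or SHA-256 digest of the DER-TLV certificate file as received; the guide does
not say how Security Manager computes it. SAMPLE_CERT is constructed data.
"""
import hashlib
import hmac
import re

SAMPLE_CERT = b"constructed stand-in for a DER-TLV root CVCA certificate"
_LABELS = {"SHA1:": "sha1", "SHA256:": "sha256"}
_DIGEST_HEX_LEN = {"sha1": 40, "sha256": 64}


def normalize_validation_string(received):
    """Return (algorithm, lowercase hex digits) for a string as an administrator typed it.

    The leading 'SHA1:' or 'SHA256:' only names the algorithm and is not part of
    the value, so it is stripped; spaces, colons and dashes used as separators are
    dropped too. Without a label the algorithm is inferred from the digit count.
    """
    text = received.strip()
    algorithm = None
    for label, name in _LABELS.items():
        if text.upper().startswith(label):
            algorithm, text = name, text[len(label):]
            break
    digits = re.sub(r"[\s:\-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", digits):
        raise ValueError("validation string must be hexadecimal")
    if algorithm is None:
        algorithm = next((a for a, n in _DIGEST_HEX_LEN.items() if n == len(digits)), None)
        if algorithm is None:
            raise ValueError("cannot tell SHA1 from SHA256 by length %d" % len(digits))
    elif len(digits) != _DIGEST_HEX_LEN[algorithm]:
        raise ValueError("length %d does not match the %s label" % (len(digits), algorithm))
    return algorithm, digits


def validation_strings(cert_der):
    """The labelled strings an exporting CVCA would hand over with a root certificate."""
    return {"SHA1": "SHA1:" + hashlib.sha1(cert_der).hexdigest(),
            "SHA256": "SHA256:" + hashlib.sha256(cert_der).hexdigest()}


def verify_validation_string(cert_der, received):
    """Return (matches, reason); the digest comparison runs in constant time."""
    try:
        algorithm, digits = normalize_validation_string(received)
    except ValueError as exc:
        return False, str(exc)
    expected = hashlib.new(algorithm, cert_der).hexdigest()
    if hmac.compare_digest(expected, digits):
        return True, algorithm + " digest matches"
    return False, algorithm + " digest differs: certificate or string altered in transit"
```

Rejecting a string whose length contradicts its label catches the common transcription error of pasting a SHA-256 digest under a "SHA1:" label. A mismatch is reported without any attempt to repair it; the only sound response is to obtain the certificate or the string again through the out-of-band channel.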

To import a certificate from a foreign CVCA using the CVCA Administration interface
1 Log in to the CVCA Administration interface (see “Logging in to CVCA
Administration” on page 1011).
2 Click Country Verifying CAs.
3 Click the Foreign Country Verifying CAs tab.

Administering a Country Verifying Certification Authority 1043


The Foreign Country Verifying CAs List page appears, displaying a list of foreign
CVCAs.

4 Click the holder identity of the foreign CVCA.


The View Details page opens, revealing information about the foreign CVCA.

5 Click Import.

The Import Certificate page appears.

6 Click Browse to locate and select the certificate.


7 Click Submit.
A View Certificate page appears.

8 Verify the validation string:
• If you received a validation string from the foreign CVCA administrator (for
example, by telephone, diplomatic pouch, or secure email), click Enter
Validation String and enter the validation string in the text field.
The validation string you received may include "SHA1:" or "SHA256:" at the
beginning of the string. Do not include "SHA1:" or "SHA256:" when
entering the validation string. The "SHA1:" or "SHA256:" portion only
indicates if the validation string is a SHA1 string or a SHA256 string, and is
not an actual part of the validation string.
• If you validated the certificate request by an out-of-band method (such as
diplomatic courier), click Verified Out-of-band.
9 Click Accept to import the certificate.

Viewing foreign CVCA certificates
You can display a list of all imported foreign CVCA certificates, and view a specific
foreign CVCA certificate. Typically, you list or view foreign CVCA certificates to
determine which certificates you want to export (see “Exporting foreign CVCA
certificates” on page 1050).

To view foreign CVCA certificates in the Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 If required, find the foreign CVCA whose certificates you want to view (see
“Viewing foreign Country Verifying Certification Authorities” on page 1033).
3 To display a list of foreign CVCA certificates, enter:
cvca fcvca cert list <fcvca identity>
Where <fcvca identity> is the holder identity of the foreign CVCA.
Security Manager displays a list of all foreign CVCA certificates. For example:
Holder Authority Effective Expiration Validity
Reference Reference Date (GMT) Date (GMT) Status
------------------------------------------------------------------
UScvca00001 UScvca00001 2009/02/10 2012/02/10 Valid

4 To view a specific CVCA root certificate, enter:
cvca fcvca cert view -root <holder reference>
Where <holder reference> is the holder reference of the foreign CVCA
certificate.
5 To view a specific CVCA link certificate, enter:
cvca fcvca cert view -link <holder reference>
Where <holder reference> is the holder reference of the foreign CVCA
certificate.

To view certificates from a foreign CVCA using the CVCA Administration interface
1 Log in to the CVCA Administration interface (see “Logging in to CVCA
Administration” on page 1011).
2 Click Country Verifying CAs.
3 Click the Foreign Country Verifying CAs tab.

The Foreign Country Verifying CAs List page appears, displaying a list of foreign
CVCAs.

4 Click the holder identity of the foreign CVCA.


The View Details page opens, revealing information about the foreign CVCA
with a list of certificates.

5 In the Certificates list, click the Holder of the certificate you want to view.

A Certificate Details page appears.

Exporting foreign CVCA certificates
Export foreign CVCA certificates whenever you add new Document Verifiers to your
CVCA (see “Adding Document Verifiers” on page 1060), or whenever a foreign
CVCA administrator sends new CVCA certificates (see “Importing foreign CVCA
certificates” on page 1042).
You must export foreign CVCA certificates so you can give them to Document Verifier
administrators. Document Verifiers need foreign CVCA certificates for the following
reasons:
• to generate a Document Verifier certificate request with a key compatible
with the latest foreign CVCA link certificate
• to verify the Document Verifier certificate issued by the foreign CVCA
• to distribute to Inspection Systems, enabling the Inspection System to
assemble a certificate chain that an e-passport can read
Document Verifiers require the initial foreign CVCA root certificate and all subsequent
link certificates. Document Verifiers do not require subsequent self-signed foreign
CVCA root certificates, and you should not send them to Document Verifier
administrators.
You can export a single root or link foreign CVCA certificate, or you can export a
chain of foreign CVCA certificates. When you export a single certificate, you export
it to a single file. When you export a certificate chain, you export the certificates to a
series of files.
When you choose to export a certificate chain you can choose to export the entire
chain of foreign CVCA certificates (from the initial foreign CVCA root certificate to
the latest link certificate), or only a partial chain. You can only export a certificate
chain from the Security Manager Control Command Shell.
This topic contains the following procedures:
• “To export a foreign CVCA certificate from the Security Manager Control
Command Shell” on page 1050
• “To export a foreign CVCA certificate chain from the Security Manager
Control Command Shell” on page 1052
• “To export a foreign CVCA certificate using the CVCA Administration
interface” on page 1053

To export a foreign CVCA certificate from the Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 If required, find the foreign CVCA whose certificates you want to export (see
“Viewing foreign Country Verifying Certification Authorities” on page 1033).

3 To list all foreign CVCA certificates, enter:
cvca fcvca cert list <fcvca identity>
Where <fcvca identity> is the holder identity of the foreign CVCA.
Security Manager displays a list of all foreign CVCA certificates. Note the holder
reference of the certificate that you want to export.
4 To export the certificate (in DER-TLV format), enter:
cvca fcvca cert export [-overwrite] -root|-link <outputFile> <holder reference>
Parameters in square brackets are optional parameters. Table 53 describes the
command parameters.

Table 53: cvca fcvca cert export command parameters

-overwrite
    Overwrites the output file if it already exists.

-root | -link
    Specifies whether the certificate is a root certificate (-root) or a link
    certificate (-link).
    A foreign CVCA certificate is a root certificate if its holder reference
    and authority reference are the same. Otherwise it is a link certificate.

<outputFile>
    Specifies the name of the output file.

<holder reference>
    Specifies the holder reference of the foreign CVCA certificate.

Security Manager displays validation strings when exporting a foreign CVCA root
certificate.
For the validation strings, the "SHA1:" and "SHA256:" portions are not part of
the actual validation strings. The "SHA1:" and "SHA256:" portions only indicate
which validation string is the SHA1 string and which validation string is the
SHA256 string.
You have now exported the foreign CVCA certificate. For the initial foreign CVCA
root certificate, send the certificate and the validation strings to the Document
Verifier administrator using a secure method, such as secure email or diplomatic
courier. It is strongly recommended that you send the certificate and the validation
strings separately, so that tampering with either one cannot go undetected.
You do not need validation strings for link CVCA certificates, since Document
Verifiers can cryptographically verify link CVCA certificates.

To export a foreign CVCA certificate chain from the Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 If required, find the foreign CVCA whose certificates you want to export (see
“Viewing foreign Country Verifying Certification Authorities” on page 1033).
3 To list all foreign CVCA certificates, enter:
cvca fcvca cert list <fcvca identity>
Where <fcvca identity> is the holder identity of the foreign CVCA.
Security Manager displays a list of all foreign CVCA certificates. Note the holder
references of the certificates that you want to export.
4 To export the certificates (in DER-TLV format), enter:
cvca fcvca cert export-chain [-overwrite] [-root|-link] <outputFile> <leaf holder reference> [<trust point holder reference>]
Parameters in square brackets are optional parameters. Table 54 describes the
command parameters.

Table 54: cvca fcvca cert export-chain command parameters

-overwrite
    Overwrites files if they already exist.

-root | -link
    Specifies whether the first certificate in the certificate chain is a root
    certificate (-root) or a link certificate (-link). If not specified, -root
    is assumed.
    A foreign CVCA certificate is a root certificate if its holder reference
    and authority reference are the same. Otherwise it is a link certificate.
    Use the <trust point holder reference> parameter to identify the foreign
    CVCA certificate that starts the certificate chain.

<outputFile>
    Specifies a file name template for the output files.
    Security Manager appends a number (starting at 1) to each file name when
    it exports the certificates. For example: cert1.cer, cert2.cer, cert3.cer
    and so on.

<leaf holder reference>
    Specifies the holder reference of the foreign CVCA certificate that ends
    the CVCA certificate chain.

<trust point holder reference>
    Specifies the holder reference of the foreign CVCA certificate that starts
    the CVCA certificate chain.
    If not specified, the initial foreign CVCA root certificate starts the
    certificate chain.

You have now exported the foreign CVCA certificate chain. If you included a root
CVCA certificate in the chain, Security Manager displays validation strings.
For the validation strings, the "SHA1:" and "SHA256:" portions are not part of
the actual validation strings. The "SHA1:" and "SHA256:" portions only indicate
which validation string is the SHA1 string and which validation string is the
SHA256 string.
Send the foreign CVCA certificates to the Document Verifier administrator using a
secure method, such as secure email or diplomatic courier. If you include the initial
foreign CVCA root certificate, it is strongly recommended that you send the
validation string separately to protect against tampering.
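The root/link rule from Table 53 and Table 54 (a certificate is a root when its holder reference equals its authority reference) and the trust point and leaf arguments of export-chain can be applied to certificate files directly, which is useful when checking what a Document Verifier administrator actually received. The following Python is an added example, not code from Entrust or from this guide. It assumes the BSI TR-03110 DER-TLV layout for card-verifiable certificates (certificate tag 7F21, body tag 7F4E, authority reference tag 42, holder reference tag 5F20, signature tag 5F37); the sample certificates are constructed with dummy signatures and carry no key, holder authorization or date fields, and all function and variable names are this example's own.

```python
"""Order a foreign CVCA certificate chain from a trust point to a leaf.
Added example, not Entrust code; assumes the BSI TR-03110 DER-TLV layout: CV
certificate 7F21 > body 7F4E with CAR (tag 42) and CHR (tag 5F20), then a
signature 5F37. Samples below are constructed with dummy signatures.
"""
from dataclasses import dataclass

TAG_CV_CERT, TAG_BODY, TAG_SIGNATURE = b"\x7f\x21", b"\x7f\x4e", b"\x5f\x37"
TAG_CAR, TAG_CHR = b"\x42", b"\x5f\x20"

def tlv(tag, value):
    """Encode one element; short-form length only, enough for the samples."""
    assert len(value) < 0x80
    return tag + bytes([len(value)]) + value

def _read_tlv(buf, pos):
    """Decode the element at pos; return (tag, value, position after it)."""
    tag_end = pos + 1
    if buf[pos] & 0x1F == 0x1F:            # multi-byte tag: continues while bit 8 set
        tag_end += 1
        while buf[tag_end - 1] & 0x80:
            tag_end += 1
    first = buf[tag_end]
    if first < 0x80:                        # short-form length
        length, start = first, tag_end + 1
    else:                                   # long form: 0x8N then N length bytes
        count = first & 0x7F
        length = int.from_bytes(buf[tag_end + 1:tag_end + 1 + count], "big")
        start = tag_end + 1 + count
    if start + length > len(buf):
        raise ValueError("TLV length runs past the end of the data")
    return buf[pos:tag_end], buf[start:start + length], start + length

def _children(value):
    fields, pos = {}, 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        fields[tag] = val
    return fields

@dataclass(frozen=True)
class CvCert:
    holder_ref: str      # CHR
    authority_ref: str   # CAR
    der: bytes

    @property
    def is_root(self):   # the guide's rule: holder and authority references are equal
        return self.holder_ref == self.authority_ref

def parse_cv_cert(der):
    tag, value, _ = _read_tlv(der, 0)
    if tag != TAG_CV_CERT:
        raise ValueError("expected CV certificate tag 7F21")
    body = _children(value).get(TAG_BODY)
    if body is None:
        raise ValueError("certificate body 7F4E missing")
    fields = _children(body)
    return CvCert(fields[TAG_CHR].decode("latin-1"), fields[TAG_CAR].decode("latin-1"), der)

def make_sample_cert(holder_ref, authority_ref):
    """Constructed test data: body with CAR and CHR only, plus a dummy signature."""
    body = tlv(TAG_CAR, authority_ref.encode("latin-1")) + tlv(TAG_CHR, holder_ref.encode("latin-1"))
    return tlv(TAG_CV_CERT, tlv(TAG_BODY, body) + tlv(TAG_SIGNATURE, b"\x00" * 8))

def build_chain(certs, leaf_ref, trust_point_ref=None, trust_point_is_root=True):
    """Chain from trust point to leaf, following each CAR upward, like export-chain:
    no trust point means start at the initial self-signed root; every other holder
    contributes its link certificate, so later self-signed roots are skipped."""
    links = {c.holder_ref: c for c in certs if not c.is_root}
    roots = {c.holder_ref: c for c in certs if c.is_root}
    chain, ref, seen = [], leaf_ref, set()
    while True:
        if ref in seen:
            raise ValueError("certificate references form a cycle at " + ref)
        seen.add(ref)
        if ref == trust_point_ref:          # trust_point_is_root stands in for -root/-link
            cert = (roots if trust_point_is_root else links).get(ref)
            if cert is None:
                raise KeyError("no such trust point certificate: " + ref)
            chain.append(cert)
            break
        cert = links.get(ref)
        if cert is None:                    # nothing issued to this holder: initial root
            if trust_point_ref is not None:
                raise KeyError("initial root reached without passing " + trust_point_ref)
            chain.append(roots[ref])
            break
        chain.append(cert)
        ref = cert.authority_ref
    chain.reverse()
    return chain

# Constructed sample: initial root, link 1->2, a later self-signed root, link 2->3.
SAMPLE_CERTS = [parse_cv_cert(make_sample_cert(h, a)) for h, a in (
    ("DEcvca00001", "DEcvca00001"), ("DEcvca00002", "DEcvca00001"),
    ("DEcvca00002", "DEcvca00002"), ("DEcvca00003", "DEcvca00002"))]
```

The second holder in the sample has both a self-signed root and a link certificate, exactly the situation the -root|-link flag exists for: asked for the full chain, build_chain returns the initial root, then the two link certificates, and leaves the later self-signed root out, matching the guide's statement that Document Verifiers do not need it.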

To export a foreign CVCA certificate using the CVCA Administration interface


1 Log in to the CVCA Administration interface (see “Logging in to CVCA
Administration” on page 1011).
2 Click Country Verifying CAs.
3 Click the Foreign Country Verifying CAs tab.
The Foreign Country Verifying CAs List page appears, displaying a list of foreign
CVCAs.

4 Click the holder identity of the foreign CVCA.

The View Details page opens, revealing information about the foreign CVCA
with a list of certificates.

5 In the Certificates list, click the Holder of the certificate you want to export.
A Certificate Details page appears.

6 Click Export.
For the validation strings, the "SHA1:" and "SHA256:" portions are not part of
the actual validation strings. The "SHA1:" and "SHA256:" portions only indicate
which validation string is the SHA1 string and which validation string is the
SHA256 string.
7 Download and save the certificate.

Configuring the Document Verifier policy
The CVCA defines the Document Verifier policy. The Document Verifier policy
determines the default certificate lifetime and holder access rights (the biometric
information Document Verifiers can access) for all Document Verifier certificates. The
Document Verifier policy also determines whether Document Verifiers can use a
self-service mechanism to exchange certificates with the CVCA, and whether to
queue self-service operations.
• “To configure the Document Verifier policy from Security Manager Control
Command Shell” on page 1056
• “To configure the Document Verifier policy from CVCA Administration” on
page 1058

To configure the Document Verifier policy from Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 To view the Document Verifier policy, enter:
cvca dv config view
Security Manager displays the Document Verifier policy settings and the software
default settings. For example:
Global Policy Settings (these override the software default
settings):
None configured. The software default settings will be used.
Software Default Policy Settings (used if no custom or global
settings):
Access Rights: Fingerprint only
Certificate Lifetime: 3 months
Allow Self-Service: yes
Queue Self-Service: no

3 To change the Document Verifier policy, enter:
cvca dv config set [-reset] [-ar F|I|FI|""] [-selfSvc yes|no] [-queueSelfSvc yes|no] [-lifetime years|months|weeks|days <value>]
Parameters in square brackets are optional parameters. Table 55 on page 1057
describes the command parameters.

Table 55: cvca dv config set command parameters

-reset
    Resets the existing policy settings to the software defaults.
    Note: If you specify new policy settings, the new settings replace the
    existing values.

-ar F | I | FI | ""
    Specifies the holder access rights (the biometric information Document
    Verifiers can access):
    • F (fingerprint only)
    • I (iris only)
    • FI (fingerprint and iris)
    • "" (none)
    If you do not specify the holder access rights, it defaults to fingerprint.
    Note: The access rights for a Document Verifier cannot exceed the access
    rights held by the CVCA. If you specify access rights for a Document
    Verifier that the CVCA does not hold, the CVCA will not add those access
    rights when issuing a certificate to the Document Verifier.

-selfSvc yes | no
    Specifies whether the Document Verifier can use the SPOC Domestic Web
    Service to request certificates from the CVCA.
    If not specified, Document Verifiers can use the SPOC Domestic Web Service.

-queueSelfSvc yes | no
    Specifies whether the Document Verifier can queue operations performed over
    the SPOC Domestic Web Service. Queuing operations performed over the SPOC
    Domestic Web Service allows Document Verifier administrators to authorize
    the operations.
    If not specified, Document Verifiers do not queue operations performed over
    the SPOC Domestic Web Service.

-lifetime years | months | weeks | days <value>
    Specifies the lifetime of the Document Verifier certificate in years,
    months, weeks, or days.
    Enter a lifetime between one day and 25 years.
    If you do not specify a lifetime, it defaults to three months.
    Note: Document Verifier certificates cannot exceed the lifetime of the
    issuing CVCA certificate. When issuing a Document Verifier certificate, the
    CVCA will truncate the lifetime of the Document Verifier certificate if it
    is set to exceed the lifetime of the CVCA certificate.
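The rules in Table 55 interact with each other and with the output of cvca dv config view: a custom Document Verifier setting overrides the global policy, which overrides the software defaults (fingerprint only, three months, self-service allowed, operations not queued); access rights are capped at what the CVCA itself holds; and the lifetime must lie between one day and 25 years and is truncated so the Document Verifier certificate never outlives the issuing CVCA certificate. The following Python is an added example, not Entrust code, that resolves those rules for one Document Verifier. How months and years are counted (calendar months, with the day clamped at month end) is this example's own convention; the guide does not say how Security Manager counts them.

```python
"""Resolve the effective Document Verifier certificate policy.

Added example, not Entrust code. Encodes the rules of this section: custom DV
setting > global policy > software default; access rights capped at the CVCA's
own; lifetime within 1 day..25 years and truncated to the CVCA certificate's
expiry. Month/year arithmetic is this example's assumption, not the product's.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

SOFTWARE_DEFAULTS = {"ar": "F", "lifetime": ("months", 3),
                     "selfSvc": True, "queueSelfSvc": False}
ACCESS_RIGHTS = ("F", "I", "FI", "")


def resolve_setting(name, custom, global_policy):
    """Custom DV setting first, then the global policy, then the software default."""
    for layer in (custom, global_policy):
        if name in layer:
            return layer[name]
    return SOFTWARE_DEFAULTS[name]


def effective_access_rights(requested, cvca_rights):
    """Drop every right the CVCA does not hold; it cannot grant what it lacks."""
    if requested not in ACCESS_RIGHTS or cvca_rights not in ACCESS_RIGHTS:
        raise ValueError('access rights must be one of F, I, FI or ""')
    return "".join(r for r in "FI" if r in requested and r in cvca_rights)


def add_period(start, unit, value):
    """Advance a date by the given lifetime unit (calendar months, day clamped)."""
    if unit == "days":
        return start + timedelta(days=value)
    if unit == "weeks":
        return start + timedelta(weeks=value)
    if unit not in ("months", "years"):
        raise ValueError("unit must be years, months, weeks or days")
    months = start.month - 1 + value * (12 if unit == "years" else 1)
    year, month = start.year + months // 12, months % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])   # e.g. Jan 31 -> Feb 28
    return date(year, month, day)


def lifetime_in_range(unit, value):
    """The guide's bound: at least one day, at most 25 years."""
    if value < 1:
        return False
    probe = date(2000, 1, 1)
    return add_period(probe, unit, value) <= add_period(probe, "years", 25)


@dataclass(frozen=True)
class Validity:
    not_before: date
    not_after: date
    truncated: bool     # True when cut back to the CVCA certificate's expiry


def dv_certificate_validity(issue_date, cvca_expiry, lifetime):
    """Apply the requested lifetime, then truncate to the issuing CVCA certificate."""
    unit, value = lifetime
    if not lifetime_in_range(unit, value):
        raise ValueError("lifetime must be between one day and 25 years")
    requested_end = add_period(issue_date, unit, value)
    if requested_end > cvca_expiry:
        return Validity(issue_date, cvca_expiry, True)
    return Validity(issue_date, requested_end, False)


def effective_dv_policy(custom, global_policy, cvca_rights, issue_date, cvca_expiry):
    """What the CVCA would actually put into the next Document Verifier certificate."""
    return {
        "ar": effective_access_rights(resolve_setting("ar", custom, global_policy), cvca_rights),
        "validity": dv_certificate_validity(issue_date, cvca_expiry,
                                            resolve_setting("lifetime", custom, global_policy)),
        "selfSvc": resolve_setting("selfSvc", custom, global_policy),
        "queueSelfSvc": resolve_setting("queueSelfSvc", custom, global_policy),
    }
```

With no custom or global settings the software defaults apply, so a Document Verifier certificate issued one month before the CVCA certificate expires gets its three-month default cut back to the CVCA expiry date, and a custom "FI" request under a CVCA that holds only iris rights yields "I".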

To configure the Document Verifier policy from CVCA Administration


1 Log in to the CVCA Administration interface (see “Logging in to CVCA
Administration” on page 1011).
2 Click Document Verifiers.
3 Click the Document Verifier Policy tab.
The Default Policy Settings page appears.

4 To change the read access rights (the biometric information Document Verifiers
can access), click one of the following options:
• Allow Fingerprint
• Allow Iris
• Allow Fingerprint and Iris
• No Access Rights

The access rights for a Document Verifier cannot exceed the access rights held by
the CVCA. CVCA Administration displays only the options that do not exceed the
access rights held by the CVCA.
5 To set the default lifetime of Document Verifier certificates (in years, months,
weeks, or days), enter a lifetime in the Certificate Lifetime Frequency text field
and drop-down list.
Enter a lifetime between one day and 25 years.
Document Verifier certificates cannot exceed the lifetime of the issuing CVCA
certificate. When issuing a Document Verifier certificate, the CVCA will truncate
the lifetime of the Document Verifier certificate if it is set to exceed the lifetime
of the CVCA certificate.
6 To save your changes, click Save.

Managing Document Verifiers
The first step in establishing trust between a CVCA and a Document Verifier is to add
a Document Verifier to the CVCA (see “Establishing trust between a CVCA and a
Document Verifier” on page 88). After adding a Document Verifier, you can change
it or remove it from the CVCA. See the following topics for details:
• “Adding Document Verifiers” on page 1060
• “Viewing Document Verifiers” on page 1066
• “Finding Document Verifiers” on page 1069
• “Modifying Document Verifiers” on page 1071
• “Disabling or suspending Document Verifiers” on page 1076
• “Enabling or activating Document Verifiers” on page 1079
• “Deleting Document Verifiers” on page 1081

Adding Document Verifiers


Before you can issue certificates to a Document Verifier, you must add the Document
Verifier to the CVCA. You cannot add more domestic or foreign Document Verifiers
than your Security Manager license allows. If you reach your license limit, you must
delete Document Verifiers (see “Deleting Document Verifiers” on page 1081) or
purchase a new license before you can add more Document Verifiers.
• “To add a Document Verifier using the Security Manager Control Command
Shell” on page 1060
• “To add a Document Verifier using CVCA Administration” on page 1062

To add a Document Verifier using the Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 At the prompt, enter:
cvca dv add <dv identity> [-ar F|I|FI|""] [-selfSvc yes|no] [-queueSelfSvc yes|no]
[-lifetime years|months|weeks|days <value>] [-super <value>]
Parameters in square brackets are optional parameters. Table 56 on page 1061
describes the command parameters.

Table 56: cvca dv add command parameters

<dv identity>
    The holder identity of the Document Verifier. The holder identity must
    start with the ISO 3166-1 ALPHA-2 country code, followed by a label of one
    to nine ISO 8859-1 (Latin-1) characters. For example, GBcvca.

-ar F | I | FI | ""
    Specifies custom holder access rights for the Document Verifier:
    • F (fingerprint only)
    • I (iris only)
    • FI (fingerprint and iris)
    • "" (none)
    If you do not specify custom holder access rights, it defaults to the
    setting in the Document Verifier policy. See “Configuring the Document
    Verifier policy” on page 1056 for information about viewing and changing
    the Document Verifier policy.
    Note: The access rights for a Document Verifier cannot exceed the access
    rights held by the CVCA. If you specify access rights for a Document
    Verifier that the CVCA does not hold, the CVCA will not add those access
    rights when issuing a certificate to the Document Verifier.

-selfSvc yes | no
    Specifies whether the Document Verifier can use the SPOC Domestic Web
    Service to request certificates from the CVCA.
    If not specified, it defaults to the setting in the Document Verifier
    policy. See “Configuring the Document Verifier policy” on page 1056 for
    information about viewing and changing the Document Verifier policy.

-queueSelfSvc yes | no
    Specifies whether the Document Verifier can queue operations performed over
    the SPOC Domestic Web Service. Queuing operations performed over the SPOC
    Domestic Web Service allows Document Verifier administrators to authorize
    the operations.
    If not specified, it defaults to the setting in the Document Verifier
    policy. See “Configuring the Document Verifier policy” on page 1056 for
    information about viewing and changing the Document Verifier policy.

-lifetime years | months | weeks | days <value>
    Specifies a custom certificate lifetime for the Document Verifier
    certificates in years, months, weeks, or days. Must be between one day and
    25 years.
    If you do not specify a custom certificate lifetime, it defaults to the
    setting in the Document Verifier policy. See “Configuring the Document
    Verifier policy” on page 1056 for information about viewing and changing
    the Document Verifier policy.
    Note: Document Verifier certificates cannot exceed the lifetime of the
    issuing CVCA certificate. When issuing a Document Verifier certificate, the
    CVCA will truncate the lifetime of the Document Verifier certificate if it
    is set to exceed the lifetime of the CVCA certificate.

-super <value>
    Specifies the holder identity of the Document Verifier’s domestic CVCA.
    Specify a domestic CVCA if more than one CVCA uses the same country code,
    or if the domestic CVCA uses a different country code.
    If the CVCA holder identity does not exist, an error occurs and the
    operation fails.
    If you do not specify a domestic CVCA, Security Manager determines if the
    Document Verifier is a domestic or foreign Document Verifier based on the
    country code in the holder identity:
    • If the country code matches your CVCA’s country code, it is a domestic
      Document Verifier, regardless of whether other CVCAs exist with the same
      country code.
    • If the country code is different from your CVCA’s country code, it is a
      foreign Document Verifier.
    Note: If the country code of the Document Verifier matches your CVCA’s
    country code, the Document Verifier uses a Domestic DV license. If the
    country code is different from your CVCA’s country code, the Document
    Verifier uses a Foreign DV license. Specifying a domestic CVCA does not
    determine which license to use.
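The holder identity format and the domestic/foreign decision described in Table 56 can be checked before running cvca dv add, which avoids consuming a license slot on a mistyped identity. The following Python is an added example, not Entrust code. It assumes printable Latin-1 characters for the label and uses a small constructed subset of ISO 3166-1 country codes in place of the full table; it also treats a Document Verifier whose supervising CVCA is a different CVCA as foreign to yours while still consuming a Domestic DV license when the country codes match, which is this example's reading of the -super description. The set of known CVCAs and all names are this example's own.

```python
"""Validate a Document Verifier holder identity and decide domestic vs. foreign.

Added example, not Entrust code. Applies the rules stated for cvca dv add: two
upper-case ISO 3166-1 letters, then a 1..9 character Latin-1 label; the licence
depends only on whether the country code matches the CVCA's; -super must name
an existing CVCA. KNOWN_COUNTRY_CODES is a constructed subset of the ISO table.
"""
import re
from dataclasses import dataclass

KNOWN_COUNTRY_CODES = {"CA", "DE", "GB", "US"}            # constructed subset
_IDENTITY_RE = re.compile(r"^([A-Z]{2})([\x20-\x7e\xa0-\xff]{1,9})$")


def parse_holder_identity(identity):
    """Return (country_code, label) or raise ValueError naming the violated rule."""
    match = _IDENTITY_RE.match(identity)
    if match is None:
        raise ValueError("identity needs two upper-case letters then 1..9 printable Latin-1 characters")
    country, label = match.group(1), match.group(2)
    if country not in KNOWN_COUNTRY_CODES:
        raise ValueError("not an ISO 3166-1 ALPHA-2 code: " + country)
    return country, label


@dataclass(frozen=True)
class DvClassification:
    identity: str
    category: str          # "domestic" or "foreign" relative to your CVCA
    supervising_cvca: str  # holder identity of the DV's domestic CVCA, "" if not yours
    licence: str           # "Domestic DV" or "Foreign DV"


def classify_document_verifier(dv_identity, own_cvca, known_cvcas, super_cvca=None):
    """Decide how the CVCA will treat a new Document Verifier, per the -super rules."""
    country, _ = parse_holder_identity(dv_identity)
    own_country, _ = parse_holder_identity(own_cvca)
    same_country = country == own_country
    if super_cvca is not None:
        if super_cvca not in known_cvcas:      # the guide: nonexistent CVCA -> operation fails
            raise LookupError("supervising CVCA does not exist: " + super_cvca)
        supervising = super_cvca
    else:                                      # no -super: decide by country code alone
        supervising = own_cvca if same_country else ""
    category = "domestic" if supervising == own_cvca else "foreign"
    licence = "Domestic DV" if same_country else "Foreign DV"   # -super never changes this
    return DvClassification(dv_identity, category, supervising, licence)
```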

To add a Document Verifier using CVCA Administration


1 Log in to the CVCA Administration interface (see “Logging in to CVCA
Administration”).
2 Click Document Verifiers.
3 Click the Add Document Verifier tab.

The New Document Verifier Information page appears. Required fields are
marked with an asterisk (*).

4 In the Holder Identity field, enter the holder identity of the Document Verifier.
The identity must begin with an ISO 3166-1 ALPHA-2 country code consisting
of two uppercase alphabetic characters, followed by a maximum of nine Latin-1
characters.
5 (Optional.) In the Supervising CVCA Identity field, enter the holder identity of
the Document Verifier’s domestic CVCA. Specify a domestic CVCA if more than
one CVCA uses the same country code, or if the domestic CVCA uses a different
country code.
If the CVCA holder identity does not exist, an error occurs and the operation fails.
If you do not specify a domestic CVCA, Security Manager determines if the
Document Verifier is a domestic or foreign Document Verifier based on the
country code in the holder identity:
• If the country code matches your CVCA’s country code, it is a domestic
Document Verifier, regardless of whether other CVCAs exist with the same
country code.
• If the country code is different than your CVCA’s country code, it is a foreign
Document Verifier.

Note:
If the country code of the Document Verifier matches your CVCA’s country code,
the Document Verifier uses a Domestic DV license. If the country code is different
than your CVCA’s country code, the Document Verifier uses a Foreign DV license.
Specifying a domestic CVCA does not determine which license to use.

6 (Optional.) In the Friendly Name field, enter a descriptive string to identify the
Document Verifier.
7 (Optional.) In the E-mail address field, enter an email address associated with the
contact person for the Document Verifier.
8 For Read Access Rights, specify the read access rights (the biometric information
Document Verifiers can access) as follows:
• To use the default read access rights, click Use Global Default Value.
The default read access rights are configured in the Document Verifier policy.
See “Configuring the Document Verifier policy” on page 1056 for details.
• To specify custom read access rights, click Custom Settings and then click
one of the following:
– Allow Fingerprint
– Allow Iris
– Allow Fingerprint and Iris
– No Access Rights
The access rights for a Document Verifier cannot exceed the access rights held by
the CVCA. CVCA Administration displays only the options that do not exceed the
access rights held by the CVCA.
9 For Certificate Lifetime, specify the certificate lifetime of the Document Verifier
certificates as follows:
• To use the default certificate lifetime, click Use Global Default Value.
The default certificate lifetime is configured in the Document Verifier policy.
See “Configuring the Document Verifier policy” on page 1056 for details.
• To specify a custom certificate lifetime, click Custom Settings and then enter
a lifetime (in years, months, weeks, or days), in the Certificate Lifetime
Frequency text field and drop-down list.
Enter a lifetime between one day and 25 years.
Document Verifier certificates cannot exceed the lifetime of the issuing CVCA
certificate. When issuing a Document Verifier certificate, the CVCA will truncate

the lifetime of the Document Verifier certificate if it is set to exceed the lifetime
of the CVCA certificate.
10 (Optional.) In the Contact Name field, enter a contact name for the Document
Verifier.
11 (Optional.) In the Phone number field, enter a phone number associated with the
contact person for the Document Verifier.
12 (Optional.) In the URL field, enter an Internet address associated with the
jurisdiction of the Document Verifier.
13 (Optional.) In the Description field, enter a description for the Document Verifier.
14 After entering the Document Verifier details, click Submit.
A confirmation that you successfully added the Document Verifier appears.

Viewing Document Verifiers
You can display a list of all Document Verifiers that you added to your CVCA. You can
also view information about a specific Document Verifier, such as its holder identity,
friendly name, state (enabled or disabled), and any custom policy settings.
• “To view a Document Verifier in Security Manager Control Command Shell”
on page 1066
• “To view a Document Verifier in CVCA Administration” on page 1067

To view a Document Verifier in Security Manager Control Command Shell


1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 To display a list of Document Verifiers, enter:
cvca dv list [-state enabled|disabled]
Parameters in brackets are optional parameters, where:
• -state enabled lists only enabled Document Verifiers.
• -state disabled lists only disabled Document Verifiers.
Security Manager displays a list of all Document Verifiers. For example:
Category Identity Status Friendly-Name
-------------------------------------------------------------
DV CAdv1 (7) Enabled <unset>
DV CAdv2 (8) Enabled <unset>
DV USdv1 (9) Enabled <unset>
DV USdv2 (10) Enabled <unset>

3 To view information about a specific Document Verifier, enter:
cvca dv view <dv identity>
Where <dv identity> is the holder identity of the Document Verifier.
Security Manager displays information about the Document Verifier. For
example:
Entity Category: DV
Holder Identity: CAdv
Friendly Name: <unset>
Email Address: <unset>
Entity Status: Enabled
Internal Database Id: 2
Last Modified: 05/22/08 11:43:04
Added: 05/22/08 11:43:04
Custom Policy Settings (these override the global settings):
None configured. The global and software default settings will
be used.

To view a Document Verifier in CVCA Administration
1 Log in to the CVCA Administration interface (see “Logging in to CVCA
Administration”).
2 Click Document Verifiers.
3 Click the Document Verifiers tab.

4 Under Holder Identity:
• Click All to find all Document Verifiers.
• Click Starts With to find all Document Verifiers whose holder identity begins
with a particular string. Enter the string into the field that appears. Wildcard
values are not supported.
• Click Contains to find all Document Verifiers whose holder identity contains
a particular string. Enter the string into the field that appears. Wildcard values
are not supported.
5 In the Account State drop-down list:
• Select All to find Document Verifiers in all states.
• Select Enabled to find only enabled Document Verifiers.
• Select Disabled to find only disabled Document Verifiers.
6 In the Maximum Results drop-down list, select the maximum number of results
you want returned.

Administering a Country Verifying Certification Authority 1067


Note:
If the number of returned results is greater than the value in the Maximum
Results drop-down list, a warning appears to inform you that there are more
search results available than the maximum returned. Select a higher value in the
Maximum Results field and re-enter your search to display more results.

7 Click Submit to find all Document Verifiers that meet your search criteria.
The results are returned in a table on the Search Results pane.

8 Click the column header link in a results table to sort the table by that parameter.
9 To view a specific Document Verifier, click the holder identity of the Document
Verifier.

CVCA Administration displays the Document Verifier details and a list of
certificates for the Document Verifier.

Finding Document Verifiers
You can search for Document Verifiers using different criteria, such as state, holder
access rights, and certificate lifetimes. After specifying the criteria to search for,
Security Manager displays information about each Document Verifier that matches
your criteria.
You can search for Document Verifiers only in Security Manager Control Command
Shell; CVCA Administration does not offer this search.

To find Document Verifiers in Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 At the prompt, enter:

cvca dv search [-state enabled|disabled] [-ar] [-ar <value>]
[-selfSvc] [-selfSvc yes|no] [-queueSelfSvc] [-queueSelfSvc
yes|no] [-lifetime] [-lifetime years|months|weeks|days <value>]
[-super] [-super <value>]
Parameters in square brackets are optional parameters. Table 57 describes the
command parameters.

Table 57: cvca dv search command parameters

Parameter Description

-state enabled | disabled Finds Document Verifiers in the enabled state (-state enabled) or
Document Verifiers in the disabled state (-state disabled).

-ar Finds Document Verifiers with custom holder access rights.

-ar <value> Finds Document Verifiers with specific holder access rights, where
<value> is one of:
• F (fingerprint only)
• I (iris only)
• FI (fingerprint and iris)
• "" (none)

-selfSvc Finds Document Verifiers with a custom self-service policy.

-selfSvc yes | no Finds Document Verifiers that can use the SPOC Domestic Web
Service to request certificates from the CVCA (-selfSvc yes) or
Document Verifiers that require administrators to request certificates
from the CVCA (-selfSvc no).

-queueSelfSvc Finds Document Verifiers with a custom queue self-service policy.

-queueSelfSvc yes | no Finds Document Verifiers that can queue operations performed over
the SPOC Domestic Web Service (-queueSelfSvc yes) or
Document Verifiers that cannot queue operations performed over
the SPOC Domestic Web Service (-queueSelfSvc no).

-lifetime Finds Document Verifiers with custom certificate lifetimes.

-lifetime years | months Finds Document Verifiers with a specific certificate lifetime in years,
| weeks | days <value> months, weeks, or days. Must be between one day and 25 years.

-super Finds Document Verifiers with a custom domestic CVCA.

-super <value> Finds Document Verifiers with a specific custom domestic CVCA,
where <value> is the holder identity of the CVCA.

Security Manager displays information about each Document Verifier that matches
the criteria you specified. For example:
Entity Category: DV
Holder Identity: CAdv
Friendly Name: <unset>
Email Address: <unset>
Entity Status: Enabled
Internal Database Id: 7
Last Modified: 02/13/09 13:28:29
Added: 02/13/09 13:28:29
Custom Policy Settings (these override the global settings):
None configured. The global and software default settings will be
used.

Modifying Document Verifiers
Modify a Document Verifier when you need to change the custom holder access
rights or the certificate lifetime. Changes take effect when you process the next
certificate request from the Document Verifier.
• “To modify a Document Verifier from the Security Manager Control
Command Shell” on page 1071
• “To modify a Document Verifier from CVCA Administration” on page 1073

To modify a Document Verifier from the Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 At the prompt, enter:
cvca dv modify <dv identity> [-reset] [-ar F|I|FI|""] [-selfSvc
yes|no] [-queueSelfSvc yes|no] [-lifetime years|months|weeks|days
<value>] [-super <value>]
Parameters in square brackets are optional parameters. Table 58 describes the
command parameters.

Table 58: cvca dv modify command parameters

Parameter Description

<dv identity> The holder identity of the Document Verifier.

-reset Resets the existing custom Document Verifier policy settings to the
Document Verifier policy defaults.
Note: If you specify new custom policy settings, the new custom
settings replace the existing values.

-ar F | I | FI | "" Specifies the custom holder access rights for the Document Verifier:
• F (fingerprint only)
• I (iris only)
• FI (fingerprint and iris)
• "" (none)
If you do not specify custom holder access rights, it defaults to the
setting in the Document Verifier policy. See “Configuring the
Document Verifier policy” on page 1056 for information about
viewing and changing the Document Verifier policy.
Note: The access rights for a Document Verifier cannot exceed the
access rights held by the CVCA. If you specify access rights for a
Document Verifier that the CVCA does not hold, the CVCA will not
add those access rights when issuing a certificate to the Document
Verifier.

-selfSvc yes | no Specifies whether the Document Verifier can use the SPOC Domestic
Web Service to request certificates from the CVCA.
If not specified, it defaults to the setting in the Document Verifier
policy. See “Configuring the Document Verifier policy” on
page 1056 for information about viewing and changing the
Document Verifier policy.

-queueSelfSvc yes | no Specifies whether the Document Verifier can queue operations
performed over the SPOC Domestic Web Service. Queuing
operations performed over the SPOC Domestic Web Service allows
Document Verifier administrators to authorize the operations.
If not specified, it defaults to the setting in the Document Verifier
policy. See “Configuring the Document Verifier policy” on
page 1056 for information about viewing and changing the
Document Verifier policy.

-lifetime years | months Specifies the custom lifetime of the Document Verifier certificates in
| weeks | days <value> years, months, weeks, or days. Must be between one day and 25
years.
If you do not specify a custom certificate lifetime, it defaults to the
setting in the Document Verifier policy. See “Configuring the
Document Verifier policy” on page 1056 for information about
viewing and changing the Document Verifier policy.
Note: Document Verifier certificates cannot exceed the lifetime of
the issuing CVCA certificate. When issuing a Document Verifier
certificate, the CVCA will truncate the lifetime of the Document
Verifier certificate if it is set to exceed the lifetime of the CVCA
certificate.

-super <value> Specifies the holder identity of the Document Verifier’s domestic
CVCA. Specify a domestic CVCA if more than one CVCA uses the
same country code, or if the domestic CVCA uses a different country
code.
If the CVCA holder identity does not exist, an error occurs and the
operation fails.
If you do not specify a domestic CVCA, Security Manager
determines if the Document Verifier is a domestic or foreign
Document Verifier based on the country code in the holder identity:
• If the country code matches your CVCA’s country code, it is a
domestic Document Verifier, regardless of whether other CVCAs
exist with the same country code.
• If the country code is different than your CVCA’s country code, it
is a foreign Document Verifier.
Note: If the country code of the Document Verifier matches your
CVCA’s country code, the Document Verifier uses a Domestic DV
license. If the country code is different than your CVCA’s country
code, the Document Verifier uses a Foreign DV license. Specifying a
domestic CVCA does not determine which license to use.

You have now modified a Document Verifier. The changes take effect the next time
you process a Document Verifier certificate request (see “Processing Document
Verifier certificate requests” on page 1091).

To modify a Document Verifier from CVCA Administration
1 Log in to the CVCA Administration interface (see “Logging in to CVCA
Administration”).

2 Find the Document Verifier that you want to modify (see “Viewing Document
Verifiers” on page 1066).
The View Details page appears.
3 Click Edit.
The Document Verifier Information page appears.

4 (Optional.) In the Supervising CVCA Identity field, enter the holder identity of
the Document Verifier’s domestic CVCA. Specify a domestic CVCA if more than
one CVCA uses the same country code, or if the domestic CVCA uses a different
country code.
If the CVCA holder identity does not exist, an error occurs and the operation fails.
If you do not specify a domestic CVCA, Security Manager determines if the
Document Verifier is a domestic or foreign Document Verifier based on the
country code in the holder identity:
• If the country code matches your CVCA’s country code, it is a domestic
Document Verifier, regardless of whether other CVCAs exist with the same
country code.
• If the country code is different than your CVCA’s country code, it is a foreign
Document Verifier.

If the country code of the Document Verifier matches your CVCA’s country code,
the Document Verifier uses a Domestic DV license. If the country code is different
than your CVCA’s country code, the Document Verifier uses a Foreign DV license.
Specifying a domestic CVCA does not determine which license to use.
5 To change the friendly name, enter a new name into the Friendly Name field.
6 To change the email address, enter a new email address into the E-mail address
field.
7 For Read Access Rights, specify the read access rights (the biometric information
Document Verifiers can access) as follows:
• To use the default read access rights, click Use Global Default Value.
The default read access rights are configured in the Document Verifier policy.
See “Configuring the Document Verifier policy” on page 1056 for details.
• To specify custom read access rights, click Custom Settings and then click
one of the following:
– Allow Fingerprint
– Allow Iris
– Allow Fingerprint and Iris
– No Access Rights
The access rights for a Document Verifier cannot exceed the access rights held by
the CVCA. CVCA Administration will display only the access rights that you can
set for the Document Verifier that will not exceed the access rights held by the
CVCA.
8 For Certificate Lifetime, specify the certificate lifetime of the Document Verifier
certificates as follows:
• To use the default certificate lifetime, click Use Global Default Value.
The default certificate lifetime is configured in the Document Verifier policy.
See “Configuring the Document Verifier policy” on page 1056 for details.
• To specify a custom certificate lifetime, click Custom Settings and then enter
a lifetime (in years, months, weeks, or days), in the Certificate Lifetime
Frequency text field and drop-down list.
Enter a lifetime between one day and 25 years.
Document Verifier certificates cannot exceed the lifetime of the issuing CVCA
certificate. When issuing a Document Verifier certificate, the CVCA will truncate
the lifetime of the Document Verifier certificate if it is set to exceed the lifetime
of the CVCA certificate.
9 To change the contact name, enter a new contact name into the Contact Name
field.
10 To change the phone number, enter a new phone number into the Phone number
field.

11 To enter a new URL, enter a new URL into the URL field.
12 To change the description, enter a new description into the Description field.
13 After entering the Document Verifier details, click Submit.
A confirmation that you successfully modified the Document Verifier appears.

Disabling or suspending Document Verifiers
You can disable (suspend) a Document Verifier at any time, for example, if you think
that it is compromised. When you disable a Document Verifier, Security Manager
rejects all certificate requests coming from the Document Verifier. A disabled
Document Verifier still counts against your domestic or foreign Document Verifier
license limit.
You should only disable a Document Verifier as a temporary measure. You can enable
(activate) a disabled Document Verifier (see “Enabling or activating Document
Verifiers” on page 1079).
• “To disable a Document Verifier from the Security Manager Control
Command Shell” on page 1077
• “To suspend a Document Verifier from CVCA Administration” on page 1077

To disable a Document Verifier from the Security Manager Control Command
Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 If required, find the Document Verifier that you want to disable (see “Viewing
Document Verifiers” on page 1066).
3 Verify that you want to disable the Document Verifier, and then enter:
cvca dv disable <dv identity>
Where <dv identity> is the holder identity of the Document Verifier.

To suspend a Document Verifier from CVCA Administration
1 Log in to the CVCA Administration interface (see “Logging in to CVCA
Administration”).
2 Find the Document Verifier that you want to disable (see “Viewing Document
Verifiers” on page 1066).
The View Details pane appears.

3 Verify that you want to suspend the Document Verifier and then click Suspend.

A confirmation that the Document Verifier was successfully suspended appears.

Enabling or activating Document Verifiers
If you previously disabled (suspended) a Document Verifier, you can enable (activate)
it again. When you enable a Document Verifier, you can resume processing certificate
requests coming from that Document Verifier.
• “To enable a Document Verifier from Security Manager Control Command
Shell” on page 1079
• “To activate a Document Verifier from CVCA Administration” on page 1080

To enable a Document Verifier from Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).

2 If required, find the Document Verifier that you want to enable (see “Viewing
Document Verifiers” on page 1066).
3 Verify that you want to enable the Document Verifier, and then enter:
cvca dv enable <dv identity>
Where <dv identity> is the holder identity of the Document Verifier.

To activate a Document Verifier from CVCA Administration
1 Log in to the CVCA Administration interface (see “Logging in to CVCA
Administration”).
2 Find the Document Verifier that you want to activate (see “Viewing Document
Verifiers” on page 1066).
The View Details pane appears.

3 Verify that you want to activate the Document Verifier and then click Activate.

A confirmation that the DV was successfully activated appears.

Deleting Document Verifiers
You can delete a Document Verifier at any time or in any state (enabled or disabled).
It is recommended that you delete a Document Verifier only if you entered an
incorrect Document Verifier holder identity, or if the Document Verifier is being
decommissioned.
• “To delete a Document Verifier from the Security Manager Control
Command Shell” on page 1082
• “To delete a DV from CVCA Administration” on page 1082

To delete a Document Verifier from the Security Manager Control Command
Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 If required, find the Document Verifier that you want to delete (see “Viewing
Document Verifiers” on page 1066).
3 Verify that you want to delete the Document Verifier, and then enter:
cvca dv delete <dv identity>
Where <dv identity> is the holder identity of the Document Verifier.
Security Manager warns you that deleting the Document Verifier will remove all
certificates issued to the Document Verifier:
Warning: deleting this DV will remove all of the certificates
issued to it. Proceed (y/n) ? [n]
4 Enter y to delete the Document Verifier.

To delete a DV from CVCA Administration
1 Log in to the CVCA Administration interface (see “Logging in to CVCA
Administration”).
2 Find the Document Verifier that you want to delete (see “Viewing Document
Verifiers” on page 1066).
The View Details pane appears.

3 Verify that you want to delete the Document Verifier and then click Delete.
A confirmation dialog box appears.
4 Click OK to delete the Document Verifier.

Managing Document Verifier certificate
requests
The following topics describe how to preview and process Document Verifier
certificate requests.
• “Previewing Document Verifier certificate requests for countersigning” on
page 1084
• “Countersigning Document Verifier certificate requests” on page 1085
• “Previewing Document Verifier certificate requests for processing” on
page 1090
• “Processing Document Verifier certificate requests” on page 1091

Previewing Document Verifier certificate requests for countersigning
You can preview a Document Verifier certificate request before you countersign it.
When you preview the certificate request, Security Manager verifies the certificate
request’s inner signature, confirms that the requesting Document Verifier exists and
is a domestic Document Verifier, and confirms that the target CVCA is a foreign
CVCA.

Note:
By default, a Document Verifier is a foreign Document Verifier if the country code
in the Document Verifier holder identity is different from the country code in the
CVCA holder identity. However, more than one CVCA can share a country code
and a CVCA can use a different code than the domestic Document Verifier. If
required, modify a Document Verifier to specify its domestic CVCA (see
“Modifying Document Verifiers” on page 1071).

If the certificate request contains an outer signature, Security Manager confirms that
the certificate request was signed by the requesting Document Verifier, ensures that
the Document Verifier certificate that authenticated the certificate request was issued
by the CVCA and is valid, and verifies the outer signature.
If the certificate request does not contain an outer signature, Security Manager
generates and displays validation strings.

To preview a Document Verifier certificate request for countersigning in the
Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 At the prompt, enter:
cvca dv certreq presign <input file>
Where <input file> is the file name of the Document Verifier certificate request
file.
If the certificate request does not contain an outer signature, Security Manager
generates and displays validation strings.
For the validation strings, the "SHA1:" and "SHA256:" portions are not part of
the actual validation strings. The "SHA1:" and "SHA256:" portions only indicate
which validation string is the SHA1 string and which validation string is the
SHA256 string.

Countersigning Document Verifier certificate requests
When a Document Verifier creates a certificate request intended for a foreign CVCA,
it can send the certificate request to the domestic CVCA for countersigning. When
you countersign a Document Verifier certificate request, the CVCA wraps the
certificate request with an outer signature generated by the CVCA's current signing
key.
If the foreign CVCA has the latest certificate from the domestic CVCA, the foreign
CVCA can validate the certificate request cryptographically without requiring an
alternate form of validation, such as a validation string.
You should only countersign a Document Verifier certificate request to obtain the
initial Document Verifier certificate in a certificate stream. You do not need to
countersign subsequent certificate requests since the outer signature is generated by
the Document Verifier and the foreign CVCA can validate the signature.

Note:
You cannot countersign a DV's certificate request unless the DV has been added
to the CVCA (see “Adding Document Verifiers” on page 1060).

• “To countersign a Document Verifier certificate request in the Security
Manager Control Command Shell” on page 1086
• “To countersign a Document Verifier certificate request using CVCA
Administration” on page 1087

To countersign a Document Verifier certificate request in the Security
Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 If required, preview the Document Verifier certificate request (see “Previewing
Document Verifier certificate requests for countersigning” on page 1084).
3 To countersign the certificate request, enter:
cvca dv certreq countersign [-overwrite] [-oobAuth|-valStrAuth
<validationString>] <input file> <output file>
Parameters in square brackets are optional parameters. Table 59 describes the
command parameters.

Table 59: cvca dv certreq countersign command parameters

Parameter Description

-overwrite Overwrites the output file if it already exists.

-oobAuth Specifies that you authenticated the request by an out-of-band
method, such as diplomatic courier. You only need to specify this
parameter for unauthenticated certificate requests.

-valStrAuth <validationString> Specifies the validation string of the Document Verifier certificate
request. You only need to specify this parameter for unauthenticated
certificate requests.
The validation string you received may include "SHA1:" or
"SHA256:" at the beginning of the string. Do not include "SHA1:"
or "SHA256:" when entering the validation string. The "SHA1:" or
"SHA256:" portion only indicates if the validation string is a SHA1
string or a SHA256 string, and is not an actual part of the validation
string.

<inputFile> The file name of the file containing the Document Verifier certificate
request.

<outputFile> The file name of the file where Security Manager writes the
countersigned Document Verifier certificate request.

If Security Manager successfully exported the countersigned Document Verifier
certificate request to a file, send the certificate request to the intended foreign CVCA
using a secure method, such as secure email or diplomatic courier.

To countersign a Document Verifier certificate request using CVCA
Administration
1 Log in to the CVCA Administration interface (see “Logging in to CVCA
Administration” on page 1011).
2 Click Certificates.
3 Click the Countersign Certificate Request tab.

4 Browse to the location of the certificate request and click Submit.

The Certificate Request Details pane appears.

5 Click Countersign.
The Countersigned Certificate Request Details pane appears.

6 Click Export to export the countersigned certificate request.
If Administration Services successfully exports the countersigned Document Verifier
certificate request to a file, send the certificate request to the intended foreign CVCA
using a secure method, such as secure email or diplomatic courier.

Previewing Document Verifier certificate requests for
processing
You can preview a Document Verifier certificate request before you process it. When
you preview an unauthenticated Document Verifier certificate request, Security
Manager displays the validation strings of the certificate request. If the Document
Verifier administrator provided you with validation strings, you can compare the
validation strings to ensure that no one tampered with the certificate request.
When you preview a Document Verifier certificate request, Security Manager also
displays the signature validation status. The signature validation status indicates
whether the signatures contained in the certificate request are valid and trusted.

To preview a Document Verifier certificate request for processing in Security
Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 At the prompt, enter:
cvca dv certreq preview [-allow expired|unauthenticated|
countersigned] <input file>
Parameters in square brackets are optional parameters. Table 60 describes the
command parameters.

Table 60: cvca dv certreq preview command parameters

Parameter Description

-allow expired | unauthenticated | countersigned By default, the certificate request is only valid if it is signed by a
trusted signer with a valid key.
If a Document Verifier loses its key, the Document Verifier must
produce a subsequent certificate request without an outer signature.
The -allow unauthenticated parameter allows the CVCA to
accept a subsequent certificate request without an outer signature.
If a Document Verifier allows all its certificates to expire, the
Document Verifier must produce an unauthenticated certificate
request, or a certificate request authenticated by an expired
certificate. The -allow expired parameter allows the CVCA to
accept a certificate request authenticated by an expired certificate.
A foreign CVCA can countersign a Document Verifier certificate
request intended for another CVCA (see “Countersigning
Document Verifier certificate requests” on page 1085). The
-allow countersigned parameter allows the CVCA to accept a
subsequent certificate request countersigned by a foreign CVCA.

<input file> The file name of the Document Verifier certificate request file.

Processing Document Verifier certificate requests
You can issue Document Verifier certificates only in response to certificate requests.
To issue a Document Verifier certificate, you must process a certificate request from
the Document Verifier. When you process the certificate request, Security Manager
generates and returns the Document Verifier certificate.
You cannot process a Document Verifier certificate request if the CVCA is expired, or
if the request is intended for a different CVCA.

Note:
You cannot countersign a DV's certificate request unless the DV has been added
to the CVCA (see “Adding Document Verifiers” on page 1060).

• “To process a Document Verifier certificate request in the Security Manager
Control Command Shell” on page 1091
• “To process a Document Verifier certificate request in CVCA Administration”
on page 1093

To process a Document Verifier certificate request in the Security Manager
Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 If required, preview the certificate request (see “Previewing Document Verifier
certificate requests for processing” on page 1090).
3 At the prompt, enter:
cvca dv certreq process [-allow expired|unauthenticated|
countersigned] [-overwrite] [-oobAuth|-valStrAuth
<validationString>] <inputFile> <outputFile>
Parameters in square brackets are optional parameters. Table 61 on page 1092
describes the command parameters.

Table 61: cvca dv certreq process command parameters

Parameter Description

-allow expired | unauthenticated | countersigned If a Document Verifier loses its key, the Document Verifier must
produce a subsequent certificate request without an outer signature.
Use the -allow unauthenticated parameter to process a
subsequent certificate request without an outer signature. You must
also specify either the -oobAuth or -valStrAuth parameter.
If a Document Verifier allows all its certificates to expire, the
Document Verifier must produce an unauthenticated certificate
request, or a certificate request authenticated by an expired
certificate. Use the -allow expired parameter to process a
certificate request produced by an expired certificate.
A foreign CVCA can countersign a Document Verifier certificate
request intended for another CVCA (see “Countersigning
Document Verifier certificate requests” on page 1085). The
-allow countersigned parameter allows the CVCA to accept a
subsequent certificate request countersigned by a foreign CVCA.

-overwrite Overwrites the output file if it already exists.

-oobAuth Specifies that you authenticated the request by an out-of-band
method, such as diplomatic courier. You only need to specify this
parameter for unauthenticated certificate requests.

-valStrAuth <validationString> Specifies the validation string of the Document Verifier certificate
request. You only need to specify this parameter for unauthenticated
certificate requests.
The validation string you received may include "SHA1:" or
"SHA256:" at the beginning of the string. Do not include "SHA1:"
or "SHA256:" when entering the validation string. The "SHA1:" or
"SHA256:" portion only indicates if the validation string is a SHA1
string or a SHA256 string, and is not an actual part of the validation
string.

<inputFile> The file name of the file containing the Document Verifier certificate
request.

<outputFile> The file name of the file where Security Manager writes the
Document Verifier certificate.

1092 Entrust® ePassport 3.00 Solutions Guide Document issue: 5.0

You have now processed the Document Verifier certificate request and generated a
new Document Verifier certificate. If Security Manager fails to write the Document
Verifier certificate to the local file system, Security Manager displays an error, and you
must use the cvca dv cert export command (see “Exporting Document Verifier
certificates” on page 1099).
If Security Manager successfully exported the Document Verifier certificate to a file,
send the Document Verifier certificate to the Document Verifier administrator using
a secure method, such as secure email or diplomatic courier.

To process a Document Verifier certificate request in CVCA Administration
1 Log in to the CVCA Administration interface (see “Logging in to CVCA
Administration”).
2 Click Certificates.
3 Click the Import Certificate Request tab.

The Import Certificate Request page appears.

Note:
The file containing the certificate request must be in DER format.

4 Click Browse to locate the file containing the certificate request.


5 Click Submit.
The Certificate Request Details pane appears.

6 Verify the validation string:
• If you received a validation string from the DV administrator (for example,
by telephone, diplomatic pouch, or secure email), click Enter Validation
String and enter the validation string in the text field.
The validation string you received may include "SHA1:" or "SHA256:" at the
beginning of the string. Do not include "SHA1:" or "SHA256:" when
entering the validation string. The "SHA1:" or "SHA256:" portion only
indicates if the validation string is a SHA1 string or a SHA256 string, and is
not an actual part of the validation string.
• If you validated the certificate request by an out-of-band method (such as
diplomatic courier), click Verified Out-of-band.

Note:
Validation strings are only required for certificate requests without an outer
signature. The CVCA can cryptographically verify certificate requests with an
outer signature.

7 Click Accept to import and issue the DV certificate.

You successfully processed a certificate request.


The CVCA issues the DV certificate. If you enabled email notification, the
certificate request is sent as an email attachment to the DV. If you did not enable
email notification, proceed to “Exporting Document Verifier certificates” on
page 1099.

Managing Document Verifier certificates
The following topics describe how to list, view, and export Document Verifier
certificates.
• “Viewing Document Verifier certificates” on page 1096
• “Exporting Document Verifier certificates” on page 1099

Viewing Document Verifier certificates


You can display a list of all certificates issued to a specific Document Verifier, and you
can view a specific certificate issued to a Document Verifier. Typically, you view a
Document Verifier certificate to verify that it is the certificate that you want to export
(see “Exporting Document Verifier certificates” on page 1099).
• “To view Document Verifier certificates in the Security Manager Control
Command Shell” on page 1096
• “To view Document Verifier certificates in CVCA Administration” on
page 1097

To view Document Verifier certificates in the Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 If required, find the Document Verifier whose certificates you want to view (see
“Viewing Document Verifiers” on page 1066).
3 To list all certificates issued to a specific Document Verifier, enter:
cvca dv cert list <dv identity>
Where <dv identity> is the holder identity of the Document Verifier. For
example:
cvca dv cert list CAdv
Security Manager displays a list of all certificates issued to the Document Verifier.
For example:
Holder Authority Effective Expiration Validity
Reference Reference Date (GMT) Date (GMT) Status
------------------------------------------------------------------
CAdvCA001 CAcvca00001 2009/02/10 2012/02/10 Valid

4 To view a specific Document Verifier certificate, enter:
cvca dv cert view <holder reference> <authority reference>
Where:
• <holder reference> is the holder reference of the Document Verifier
certificate.
• <authority reference> is the authority reference of the Document Verifier
certificate.
For example:
cvca dv cert view CAdvCA001 CAcvca00001
Security Manager displays the DV certificate. For example:

Note:
DV certificates do not contain elliptic curve domain parameters. When displaying
the key type for elliptic curves, Security Manager will display the elliptic curve
size. For example, if the key type is EC-ansix9p256r1, Security Manager will
display EC-256 as the key type.

CV Certificate:
Certificate Body:
Profile Identifier: 0
Authority Reference: CAcvca00001
Public Key: EC Public Key (CV format)
OID: id-TA-ECDSA-SHA-256 (0.4.0.127.0.7.2.2.2.2.3)
Key Type: EC-256
Public Point: 044518AEF85A20C9E24107E2750D0CB886275D4A713095F61
5405275B51333000F39141EB3830186BF9E91FE3C31BBB2EC
27FBF0E889E4543786759CC1E450FCD9
Holder Reference: CAdvCA001
Holder Authorization: ePassport Terminal Authentication
OID: id-EAC-ePassport (0.4.0.127.0.7.3.1.2.1)
Discretionary Data: 81
Role: DV (domestic)
Access Rights: Fingerprint only
Effective Date: February 10, 2009 GMT (090210)
Expiration Date: February 10, 2012 GMT (120210)
Signature: C2EFF6F5C663BB8BE8724F6564EE5EF8EA53033FD193FD284
7C1DE437F5B6FD39FC0745E702F156CBD01025A1209D9D5BE
13AB6BD5F9397F73525A563774787D

Validity Status: Valid

To view Document Verifier certificates in CVCA Administration
1 Log in to the CVCA Administration interface (see “Logging in to CVCA
Administration”).
2 If required, find the Document Verifier whose certificates you want to view (see
“Viewing Document Verifiers” on page 1066).
The View Details pane appears. A list of certificates issued to the Document
Verifier appears under Document Verifier Certificates.

3 To view a specific Document Verifier certificate, click the holder reference of the
certificate that you want to view.
The View Certificate pane appears.

Note:
DV certificates do not contain elliptic curve domain parameters. When displaying
the key type for elliptic curves, Security Manager will display the elliptic curve
size. For example, if the key type is EC-ansix9p256r1, Security Manager will
display EC-256 as the key type.

Exporting Document Verifier certificates
After processing a certificate request and generating the Document Verifier certificate
(see “Processing Document Verifier certificate requests” on page 1091), you can
export the Document Verifier certificate so you can send it to the Document Verifier
administrator.
Typically, you only need to export Document Verifier certificates if Security Manager
or Administration Services failed to write the Document Verifier certificate to a file
when you processed the Document Verifier certificate request.

To export a Document Verifier certificate from Security Manager Control
Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 If required, find the Document Verifier certificate that you want to export (see
“Viewing Document Verifier certificates” on page 1096).
3 At the prompt, enter:
cvca dv cert export [-overwrite] <output file> <holder reference>
<authority reference>
Parameters in square brackets are optional parameters. Table 62 describes the
command parameters.

Table 62: cvca dv cert export command parameters

Parameter Description

-overwrite Overwrites a file if it already exists.

<output file> The file name of the file where Security Manager writes the
Document Verifier certificate.

<holder reference> Holder reference of the Document Verifier certificate.

<authority reference> Authority reference of the Document Verifier certificate.

You have now exported a Document Verifier certificate. Send the Document Verifier
certificate to the Document Verifier administrator using a secure method, such as
secure email or diplomatic courier.

To export a DV certificate from CVCA Administration


1 Log in to the CVCA Administration interface (see “Logging in to CVCA
Administration”).
2 Find the Document Verifier whose certificate you want to export (see “Viewing
Document Verifiers” on page 1066).
The View Details page appears.

3 Under Document Verifier Certificates, click the holder reference of the
Document Verifier certificate that you want to export.
The View Certificate page appears.

4 Click Export.
The File Download dialog box appears.
5 In the File Download dialog box, click Save.
The Save As dialog box appears.
6 Choose a file name and location for the file and then click Save.
You successfully exported the Document Verifier certificate to your local system.

Previewing EAC certificates and certificate requests
This section describes how to preview any CVCA, Document Verifier, or Inspection
System certificate or certificate request.
• “Previewing EAC certificates” on page 1103
• “Previewing EAC certificate requests” on page 1103

Previewing EAC certificates


You can preview any CVCA, Document Verifier, or Inspection System certificate from
a file. When you preview the certificate, Security Manager displays the certificate, the
signature validation status, and the certificate’s validation strings.
For root CVCA certificates, the signature is valid if Security Manager can verify it
using the public key in the certificate. For other CVCA, Document Verifier, or
Inspection System certificates, the signature is valid if the CVCA has an appropriate
certificate in the database that can verify the signature.

To preview an EAC certificate using Security Manager Control Command Shell


1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 At the prompt, enter:
cvca util cert preview <input file>
Where <input file> is the file name of the file containing the certificate.
Security Manager displays the certificate, validation status, and validation strings.
For the validation strings, the "SHA1:" and "SHA256:" portions are not part of
the actual validation strings. The "SHA1:" and "SHA256:" portions only indicate
which validation string is the SHA1 string and which validation string is the
SHA256 string.

Previewing EAC certificate requests


You can preview any Document Verifier or Inspection System certificate request from
a file. When you preview the certificate request, Security Manager displays the
certificate request and the validation strings.
Security Manager does not attempt to validate the certificate request’s outer
signature using certificates stored in the database. If you need to validate the
signature on a Document Verifier certificate request, use the cvca dv certreq
preview command (see “Previewing Document Verifier certificate requests for
processing” on page 1090).

To preview an EAC certificate request using Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 At the prompt, enter:
cvca util certreq preview <input file>
Where <input file> is the file name of the file containing the certificate request.
Security Manager displays the certificate request and its validation strings. For
the validation strings, the "SHA1:" and "SHA256:" portions are not part of the
actual validation strings. The "SHA1:" and "SHA256:" portions only indicate
which validation string is the SHA1 string and which validation string is the
SHA256 string.
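The validation-string handling described for -valStrAuth (Table 61) and for the preview commands above, as an added example that is not part of the original guide or of Entrust's software: it reads both labelled strings from a constructed preview listing (the real cvca util certreq preview layout is assumed, not copied), strips a "SHA1:" or "SHA256:" label from the string the DV administrator sent out of band, rejects malformed input, and compares the rest in constant time.

```python
"""Normalize and check an out-of-band validation string before a CVCA
administrator passes it to -valStrAuth or types it into CVCA Administration.

Added example, not Entrust code. The preview listing below is a constructed
sample; the real "cvca util certreq preview" layout is assumed, not copied.
"""
import hmac
import re
from typing import Dict, Optional, Tuple

# Constructed sample of a preview listing. Each string is labelled with the
# hash that produced it; the label is not part of the validation string.
SAMPLE_PREVIEW = """\
Validation Strings:
  SHA1: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
  SHA256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
"""

LABEL_LINE = re.compile(r"^\s*(SHA1|SHA256):\s*(.+?)\s*$")
HEX_LENGTH = {"SHA1": 40, "SHA256": 64}   # hex digits per digest


def parse_preview(text: str) -> Dict[str, str]:
    """Collect the labelled validation strings from a preview listing."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        m = LABEL_LINE.match(line)
        if m:
            found[m.group(1)] = re.sub(r"\s+", "", m.group(2)).lower()
    return found


def normalize_received(received: str) -> Tuple[Optional[str], str]:
    """Drop an optional SHA1:/SHA256: label and any whitespace from the string
    the DV administrator sent; returns (label or None, bare lowercase hex)."""
    s = received.strip()
    label = None
    for prefix in ("SHA256:", "SHA1:"):   # longer prefix first
        if s.upper().startswith(prefix):
            label, s = prefix[:-1], s[len(prefix):]
            break
    return label, re.sub(r"\s+", "", s).lower()


def identify_algorithm(bare: str) -> Optional[str]:
    """Infer SHA1 or SHA256 from a bare hex string, or None if malformed."""
    if not re.fullmatch(r"[0-9a-f]+", bare):
        return None
    for alg, n in HEX_LENGTH.items():
        if len(bare) == n:
            return alg
    return None


def check_validation_string(preview_text: str, received: str) -> str:
    """Return "match", "mismatch" or "malformed".

    A label that contradicts the string's length is treated as malformed so
    that a mistyped or truncated string is never silently accepted."""
    expected = parse_preview(preview_text)
    label, bare = normalize_received(received)
    alg = identify_algorithm(bare)
    if alg is None or (label is not None and label != alg):
        return "malformed"
    if alg not in expected:
        return "malformed"          # preview has no string for that hash
    # Constant-time comparison so timing does not reveal how many leading
    # characters of a guessed string were right.
    return "match" if hmac.compare_digest(expected[alg], bare) else "mismatch"


if __name__ == "__main__":
    for received in (
        "SHA256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
        "2FD4 E1C6 7A2D 28FC ED84 9EE1 BB76 E739 1B93 EB12",
        "SHA1:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    ):
        print(f"{received[:24]:<24} -> "
              f"{check_validation_string(SAMPLE_PREVIEW, received)}")
```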

Queued operations
Sensitive operations may require approval by more than one user with the required
permissions. If a user requests an operation that requires authorization by more than
one user, CVCA Administration automatically determines that authorization is
required and queues the operation until another user with the necessary
permissions can review it.
For example, if a user deletes a DV from the list of DVs trusted by the CVCA, the
operation may be queued until a second user with the required permissions is able to
review and approve (or cancel) the operation.
When an operation requires approval, or when approval has been obtained,
notification messages are sent to the email addresses that you configured when you
installed the software.
The user performing (or approving) a sensitive operation must have the required
permissions. When a user’s profile is created, the permissions associated with that
profile determine if the user has the ability to perform or approve various operations
and if another approval is required. Detailed information about default profiles and
how to create custom profiles is available in the Security Manager Administration
User Guide.
Sensitive operations that may be queued for approval include:
• Countersign authenticated DV certificate request
• Countersign unauthenticated DV certificate request
• Import foreign CVCA link certificate
• Import foreign CVCA root certificate
• Process authenticated DV certificate request
• Process expired DV certificate request
• Process unauthenticated DV certificate request
Queuing has both search and list functions. The list interface displays up to one
hundred of the most recently queued items.
This section contains the following procedures:
• “To manage queued operations” on page 1105
• “To search queued operations” on page 1106
• “To list queued operations” on page 1107

To manage queued operations


1 Log in to the CVCA Administration interface (see “Logging in to CVCA
Administration” on page 1011).
2 Click Queued Operations.

3 Click the Approve Queued Operations tab.
The Approve Queued Operations page is displayed.

Only operations that you can approve or cancel are displayed in this pane.
Approve adds an approval to the operation. If this completes the number of
approvals required, the operation proceeds.
Cancel changes the status of the request to canceled. You must supply a reason
for canceling the request. The request will remain in the queue with its new
status.
Cancel and Delete cancels the request and deletes it from the queue.
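The queue, approve, cancel and cancel-and-delete semantics described in this section, as an added model that is not Entrust code: OperationQueue assumes a per-user permission set standing in for the user's profile, an assumed number of approvals per operation, and an in-memory list in place of email notification.

```python
"""Model of the CVCA Administration queued-operation workflow: a sensitive
operation waits in a queue until enough other permitted users approve it,
or until someone cancels it.

Added example, not Entrust code. The permission names, the number of
approvals each operation needs and the notification text are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Operations the guide lists as queueable, with the number of additional
# approvals assumed for each (constructed policy, not an Entrust default).
REQUIRED_APPROVALS = {
    "process_unauthenticated_dv_certreq": 2,
    "process_expired_dv_certreq": 1,
    "import_foreign_cvca_root_certificate": 1,
}


@dataclass
class QueuedOperation:
    op_id: int
    name: str
    submitted_by: str
    approvals: Set[str] = field(default_factory=set)
    status: str = "pending"              # pending | approved | canceled
    cancel_reason: Optional[str] = None


class OperationQueue:
    """permissions maps a user to the operation names that user may perform
    or approve, the way a profile does in Security Manager Administration."""

    def __init__(self, permissions: Dict[str, Set[str]]):
        self.permissions = permissions
        self.queue: Dict[int, QueuedOperation] = {}
        self.notifications: List[str] = []   # stands in for email notification
        self._next_id = 1

    def _allowed(self, user: str, name: str) -> bool:
        return name in self.permissions.get(user, set())

    def submit(self, user: str, name: str) -> QueuedOperation:
        """Queue a sensitive operation requested by a permitted user."""
        if not self._allowed(user, name):
            raise PermissionError(f"{user} may not request {name}")
        op = QueuedOperation(self._next_id, name, user)
        self._next_id += 1
        self.queue[op.op_id] = op
        self.notifications.append(f"approval required: #{op.op_id} {name}")
        return op

    def _can_approve(self, user: str, op: QueuedOperation) -> bool:
        # A second user is required: the submitter cannot approve their own
        # request, and nobody may approve the same request twice.
        return (op.status == "pending" and self._allowed(user, op.name)
                and user != op.submitted_by and user not in op.approvals)

    def approvable_by(self, user: str) -> List[QueuedOperation]:
        """What the Approve Queued Operations page would show this user."""
        return [op for op in self.queue.values() if self._can_approve(user, op)]

    def approve(self, user: str, op_id: int) -> str:
        op = self.queue[op_id]
        if not self._can_approve(user, op):
            raise PermissionError(f"{user} cannot approve #{op_id}")
        op.approvals.add(user)
        if len(op.approvals) >= REQUIRED_APPROVALS[op.name]:
            op.status = "approved"       # enough approvals: operation proceeds
            self.notifications.append(f"approval obtained: #{op_id} {op.name}")
        return op.status

    def cancel(self, user: str, op_id: int, reason: str) -> str:
        """Cancel keeps the request in the queue with status canceled;
        a reason is mandatory."""
        op = self.queue[op_id]
        if not reason.strip():
            raise ValueError("a reason is required to cancel a request")
        if op.status != "pending" or not self._allowed(user, op.name):
            raise PermissionError(f"{user} cannot cancel #{op_id}")
        op.status, op.cancel_reason = "canceled", reason.strip()
        return op.status

    def cancel_and_delete(self, user: str, op_id: int, reason: str) -> None:
        """Cancel and Delete also removes the request from the queue."""
        self.cancel(user, op_id, reason)
        del self.queue[op_id]

    def list_recent(self, limit: int = 100) -> List[QueuedOperation]:
        """List Queued Operations shows at most the 100 most recent items."""
        return sorted(self.queue.values(), key=lambda o: o.op_id,
                      reverse=True)[:limit]
```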

To search queued operations


1 Log in to the CVCA Administration interface (see “Logging in to CVCA
Administration”).
2 Click Queued Operations.
3 Click the Search Queued Operations tab.

The Search Queued Operations page is displayed.

4 Set the search options to return the results that you require (for example, all
queued operations that you can approve, or all queued operations submitted on a
particular date). Use the options in combination to create the list of search results
that fits your needs.
5 Click Submit.

To list queued operations


1 Log in to the CVCA Administration interface (see “Logging in to CVCA
Administration”).

2 Click Queued Operations.
3 Click the List Queued Operations tab.
The List Queued Operations page is displayed.

37

Customizing CVCA Administration


Entrust Authority Administration Services allows you to customize CVCA
Administration. By making changes to specific files, you can customize CVCA
Administration to match your organization’s corporate identity.
This chapter contains the following sections:
• “Customizing the CVCA Administration interface” on page 1110
• “Customizing the online help for CVCA Administration” on page 1114
• “Customizing CVCA Administration styles” on page 1118
• “Adding a custom notification service” on page 1119

Customizing the CVCA Administration interface
When customizing the CVCA Administration interface, you can make several
changes to reflect the corporate identity of your company. This section provides you
with details about how to apply those changes.

Note:
Any changes you make may require you to complete manual tasks when you
upgrade to the next version of Administration Services. It is recommended that
you keep track of the changes you make.

This section includes the following topics:


• “Adding your company logo to CVCA Administration” on page 1110
• “Customizing the browser title for CVCA Administration” on page 1111
• “Customizing the application title for CVCA Administration” on page 1112

Adding your company logo to CVCA Administration


You can add your company logo to all CVCA Administration pages.

To add your company logo to CVCA Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Add your organization’s logo to the images folder located at:
<AS-install>\services\cvcaadmin\<instance>\webapp\<locale>\images
3 Navigate to the following folder:
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\xsl\
<locale>
4 Open common-page.xsl in a text editor.
5 Locate the placeholder for entrust_logo.gif as shown:
<img class="left-floating" alt=""
src="{$home}/images/entrust_logo.gif"/>
6 Replace entrust_logo.gif with the GIF file name of your logo.
7 Save and close the file.
8 Restart your Tomcat server and clear your browser cache.
Your logo now appears in the banner of CVCA Administration dynamic pages.

Figure 24: Your company logo in CVCA Administration

Customizing the browser title for CVCA Administration


You can replace the browser title of CVCA Administration with a title of your choice.

To customize the browser title of CVCA Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Navigate to the following folder:
<AS-install>\services\cvcaadmin\<instance>\webapp
3 Open browserTitleLang.jsp in a text editor.
4 Locate the browserTitle variable. By default:
<%! final String browserTitle="Entrust Authority&#153; CVCA
Administration"; %>
5 Replace the existing value with the title chosen by your company. For example,
as shown in bold:
<%! final String browserTitle="Custom browser title"; %>
6 Save and close the file.

7 Restart your Tomcat server and clear your browser cache.
Your customized title now appears in the browser window title bar of all CVCA
Administration static and dynamic pages.

Figure 25: Custom browser title for CVCA Administration

Customizing the application title for CVCA Administration


You can replace the CVCA Administration title with your organization’s name or any
other name your organization chooses.

To change the application title in CVCA Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Navigate to the following folder:
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\xsl\
<locale>
3 Open cvca-lang.xsl in a text editor.
4 Locate the title variable. By default:
<xsl:variable name="title">Entrust Authority&#153; CVCA
Administration</xsl:variable>
5 Replace the existing value with the title chosen by your company. For example,
as shown in bold:
<xsl:variable name="title">Custom Application Title</xsl:variable>
6 Save and close the file.
7 If you want to add a second line to the application title:
a Open cvca-lang.xsl in a text editor.
b Locate the title variable. By default:
<xsl:variable name="title">Entrust Authority&#153; CVCA
Administration</xsl:variable>
c Replace the existing value with the first line of the title chosen by your
company. For example, as shown in bold:
<xsl:variable name="title">My Company</xsl:variable>
d Add a new variable for the second line of the title. For example, as shown in
bold:
<xsl:variable name="title">My Company</xsl:variable>
<xsl:variable name="second.title">Custom Application
Title</xsl:variable>
e Save and close the file.
f Open common-page.xsl in a text editor.
g Locate the <xsl:template name="header"> section. By default:
<xsl:template name="header">
<img class="left-floating" alt=""
src="{$home}/images/entrust_logo.gif"/>
<img class="right-floating" alt=""
src="{$home}/images/auth_logo.gif"/>
<h1>
<xsl:value-of select="$title"/>
</h1>
</xsl:template>
h Before the closing </h1> tag, add <br/> and then a reference to the new
variable you added. For example, as shown in bold:
<h1>
<xsl:value-of select="$title"/><br/><xsl:value-of
select="$second.title"/>
</h1>
i Save and close the file.
8 Restart your Tomcat server and clear your browser cache.
Your custom application title now appears in the CVCA Administration dynamic
pages.

Figure 26: Custom application title for CVCA Administration dynamic pages

Customizing the online help for CVCA Administration
You can customize the online help for CVCA Administration. This section describes
how to customize the CVCA Administration online help, including how to add new
help files.
This section contains the following topics:
• “Location of the CVCA Administration online help files” on page 1114
• “Editing the content of the CVCA Administration online help files” on
page 1115
• “Updating the browser title of the CVCA Administration online help” on
page 1115
• “Updating the application title of the CVCA Administration online help” on
page 1116

Location of the CVCA Administration online help files


The help files are JSP files that are called by CVCA Administration by their file name.
You can find the help files in the following folder on the server hosting the application
server components:
<AS-install>\services\cvcaadmin\<instance>\webapp\<locale>\help
The following table lists the CVCA Administration online help files.

Table 63: CVCA Administration online help files

File name Description


certificate-request-help.jsp Import Certificate Request help page
countersign-certificate-request-help.jsp Countersign Certificate Request help page
cvca-export-certificate-help.jsp Export CVCA Certificate help page
documentation-help.jsp CVCA Administration online help table of contents
dv-add-help.jsp Add Document Verifier help page
dv-delete-help.jsp Delete Document Verifier help page
dv-display-help.jsp Display Document Verifier help page
dv-export-certificate-help.jsp Export Document Verifier help page
dv-operations-help.jsp Enable or Disable Document Verifier help page
dv-policy-help.jsp Document Verifier Policy help page
dv-view-certificate-help.jsp View Document Verifier help page
fcvca-add-help.jsp Add Foreign CVCA Certificate help page
fcvca-import-certificate-help.jsp Import Foreign CVCA Certificate help page
glossary-help.jsp Glossary of terms
queued-approve-help.jsp Approve Queued Operations help page
queued-list-help.jsp List Queued Operations help page
queued-search-help.jsp Search Queued Operations help page

Editing the content of the CVCA Administration online help files


You can edit the content in the existing JSP help files. Always back up the file before
you edit the file.

To edit the content of a CVCA Administration help file


1 Log in to the Administration Services server hosting the application server
components.
2 Using any text editor, open the <help_topic>.jsp file you want to edit.
3 Locate and change the text you want to update. Change only the help text so
you do not corrupt any of the code strings.
The following sample shows customized text to display your organization or
product name in the documentation-help.jsp file.
<!-- **************** START BODY CONTENT ****************** -->
<P CLASS="help-p-app-subtitle"><%=titleHelpIndex%></P>
<P CLASS="help-p-inst-text">For information on using
<%=title%> click on any of the following help topics:</P>
<BR>
4 Save and close the file.

Updating the browser title of the CVCA Administration online help
You can replace the browser title of CVCA Administration with a title of your choice.

To change the browser title of the CVCA Administration online help
1 Log in to the Administration Services server hosting the application server
components.
2 Navigate to the following folder:
<AS-install>\services\cvcaadmin\<instance>\webapp\<locale>
3 Open titleBarLang.jsp in a text editor.
4 Locate the title variable. By default:
static final String title="Entrust Authority&#153; CVCA
Administration";
5 To change the application title, replace the value of title with the title chosen
by your company. For example, as shown in bold:
static final String title="Custom Application Title";
6 Restart your Tomcat server and clear your browser cache.

Updating the application title of the CVCA Administration online help
You can replace the application title of the CVCA Administration online help (by
default, Entrust Authority CVCA Administration Help) with your own title.

To change the application title of the CVCA Administration help pages


1 Log in to the Administration Services server hosting the application server
components.
2 Navigate to the following folder:
<AS-install>\services\cvcaadmin\<instance>\webapp\<locale>
3 Open titleBarLang.jsp in a text editor.
4 Locate the titleHelp and titleHelpIndex variables. By default:
static final String titleHelp="Entrust Authority&#153; CVCA
Administration Help";
static final String titleHelpIndex="Entrust Authority&#153; CVCA
Administration Help Index";
5 To change the application title, replace the value of titleHelp with the title
chosen by your company. For example, as shown in bold:
static final String titleHelp="Custom Application Title Help";
If you want to add a second line to the application title, add <br/> and then enter
the second line of the title. For example, as shown in bold:
static final String titleHelp="My Company<br/>Custom Application
Title";

6 To change the title of the table of contents, replace the value of titleHelpIndex
with the title chosen by your company. For example, as shown in bold:
static final String titleHelpIndex="Custom Application Title Help
Index";
7 Save and close the file.
8 Restart your Tomcat server and clear your browser cache.
Your custom title now appears on all help pages.

Figure 27: Custom application title on CVCA Administration help pages

Customizing CVCA Administration styles
You can customize the CVCA Administration interface with your choice of colors,
fonts, and styles by changing values in the Cascading Style Sheets (CSS) files. The
settings in the CSS files are assigned by class. You can find the CSS files in the
following folder on the server hosting the application server components:
<AS-install>\services\cvcaadmin\<instance>\webapp\<locale>\css
The following table briefly describes the different CSS files that control how the CVCA
Administration interface looks.

Table 64: List of CSS files for CVCA Administration

CSS file Description

calendar.css Defines the styles for the date selector.

commonpage.css Defines the styles for elements common to all pages in the
interface, such as the title bar.

datagrid.css Defines the styles for grid tables in the interface.

details.css Defines the styles on Details pages.

general.css Defines the styles for elements independent of any page or
template used by the interface.

help.css Defines the styles for the CVCA Administration online help.

search.css Defines how search options appear in the interface.

style.css Loads all the CSS files except the help.css file.

Only someone with a good knowledge of CSS should edit the CSS files. When editing
the CSS files, take care not to make any changes that can break the CVCA
Administration interface. Always back up a file before making any edits to the file.

Adding a custom notification service
Email notification is an optional feature that sends email messages to administrators
or users when specific events occur.
Administration Services allows you to install your own custom notification service that
you can chain to the default email notification service, or replace the default email
notification service altogether.

To add a custom notification service


1 Log in to the Administration Services server hosting the application server
components.
2 Provide a Java class that implements the
com.entrust.adminservices.xapnotify.NotificationService interface and
add it to the classpath of your CVCA Administration instance at:
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\classes
3 Configure your custom notification service by editing the
configuration.global.xml file at:
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\
You can configure your custom notification service to invoke for all, or for only
some, administration events.
See <AS-install>\examples\javadocs\index.html for more details about how to
configure a custom notification service.
For more information about configuring email notification, see the Entrust Authority
Administration Services Installation Guide.

38

Localizing CVCA Administration


CVCA Administration includes the default locale en_US. The CVCA Administration file
system allows you to add more than one locale folder for each CVCA Administration
instance. This chapter describes how to add a new locale to CVCA Administration.
The preferred language setting in your browser determines the initial locale (the
locale in which you first access the CVCA Administration interface). Links to all other
installed locales appear in the navigation bar of the CVCA Administration interface
login page.
When you switch to a new locale, the Language Preference browser setting no longer
applies. You can specify more than one preferred language in your browser settings,
but only the first one in the list is applied. If your browser's default language is your
localized language, the localized page appears with a link to the English page. If the
browser preferred language is not installed, CVCA Administration always uses the
default locale en_US.

Note:
Do not remove the en_US folder. It is the default locale.

This chapter includes the following sections:


• “Localization overview” on page 1122
• “Location of CVCA Administration locale folders” on page 1123
• “Adding a CVCA Administration locale” on page 1124
• “Translating CVCA Administration files” on page 1126
• “Troubleshooting localization in CVCA Administration” on page 1129

Localization overview
Localization is the process of modifying or adapting a software application to fit the
requirements of a particular locale. Localization includes translating application text
to conform with a specific locale, and it might also include modifying the date, time,
and currency formats.

About locales
A locale is a specific geographic, political, or cultural region. Locales are
generally specified using a language code combined with a country code.
Language codes are two-letter codes defined by ISO 639 Code for the representation
of the names of languages. By convention, language codes are shown in lower case.
Some common examples include:
• en—English
• fr—French
• ja—Japanese
• ko—Korean
• zh—simplified and traditional Chinese
Country codes are two-letter codes defined by ISO 3166 Country Codes. By
convention, country codes appear in upper case. Some common examples include:
• CA—Canada
• US—United States
• GB—United Kingdom (Great Britain)
• JP—Japan
• CN—China

Defining locales
Locales are generally specified using a combination of a language code and a country
code. The most common interpretation of this standard is the two-letter language
code followed by the two-letter country code, for example:
• fr_CA—French (Canada)
• en_US—English (United States)
• en_GB—English (United Kingdom)
• ja_JP—Japanese (Japan)

Location of CVCA Administration locale folders
You can add locale folders in the following locations on the server hosting the
application server components:
<AS-install>\services\cvcaadmin\<instance>\webapp
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\xsl
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\ens\xsl
Administration Services looks for locales in the following order:
• lang_country (for example, fr_CA)
• lang only (for example, fr)

Adding a CVCA Administration locale
To add a locale, you must create new locale folders that contain all contents of the
default en_US folders.

To add a new locale to CVCA Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Create a new locale folder (such as fr_CA) in each of the following locations:
<AS-install>\services\cvcaadmin\<instance>\webapp
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\xsl
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\ens\xsl
3 Copy all folders and files from
<AS-install>\services\cvcaadmin\<instance>\webapp\en_US
to
<AS-install>\services\cvcaadmin\<instance>\webapp\<locale>
4 Copy all files from
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\ens\xsl\en_US
to
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\ens\xsl\<locale>
5 Copy all files from
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\xsl\en_US
to
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\xsl\<locale>
6 Navigate to the following folder:
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\classes
7 Create a copy of the following file:
EntrustAdminServicesResources.properties
and rename the copy to:
EntrustAdminServicesResources_<locale>.properties
where <locale> is the new locale (such as es).
Your new locale link is now available on the CVCA Administration home page.

Before you can view your localized version of CVCA Administration, you must
translate a series of files. See “Translating CVCA Administration files” on page 1126
for more information.
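The following Python is an added example, not code from the Entrust guide or from Administration Services. It automates the seven-step procedure above (three <locale> folders copied from en_US, plus the renamed copy of EntrustAdminServicesResources.properties) and models the locale lookup order the chapter describes (lang_COUNTRY, then lang, then the en_US default). The <AS-install> path and instance name are arguments you supply; the instance name used in the comments is an assumption.

```python
import os
import re
import shutil

DEFAULT_LOCALE = "en_US"          # the guide: never remove or replace en_US
# Two lower-case ISO 639 letters, optionally followed by "_" and two
# upper-case ISO 3166 letters: fr, fr_CA, ja_JP.
LOCALE_RE = re.compile(r"^[a-z]{2}(_[A-Z]{2})?$")


def webapp_dir(as_install, instance):
    """<AS-install>\\services\\cvcaadmin\\<instance>\\webapp, built portably."""
    return os.path.join(as_install, "services", "cvcaadmin", instance, "webapp")


def locale_folders(as_install, instance, locale):
    """The three folders a locale occupies (steps 2 to 5 of the procedure)."""
    webapp = webapp_dir(as_install, instance)
    return [
        os.path.join(webapp, locale),
        os.path.join(webapp, "WEB-INF", "ens", "xsl", locale),
        os.path.join(webapp, "WEB-INF", "xsl", locale),
    ]


def add_cvca_locale(as_install, instance, locale):
    """Create <locale> by copying en_US, then copy the resource bundle.

    Returns the paths created. Rejects malformed locale names, refuses to
    overwrite anything that already exists, and never touches en_US itself.
    """
    if not LOCALE_RE.match(locale):
        raise ValueError("locale must look like fr or fr_CA, got %r" % locale)
    if locale == DEFAULT_LOCALE:
        raise ValueError("en_US is the default locale; do not replace it")
    sources = locale_folders(as_install, instance, DEFAULT_LOCALE)
    targets = locale_folders(as_install, instance, locale)
    classes = os.path.join(webapp_dir(as_install, instance), "WEB-INF", "classes")
    src_props = os.path.join(classes, "EntrustAdminServicesResources.properties")
    dst_props = os.path.join(classes,
                             "EntrustAdminServicesResources_%s.properties" % locale)
    # Check every destination before writing anything, so a half-created
    # locale is never left behind.
    for path in targets + [dst_props]:
        if os.path.exists(path):
            raise FileExistsError("already exists, refusing to overwrite: " + path)
    created = []
    for src, dst in zip(sources, targets):
        shutil.copytree(src, dst)       # files and sub-folders (help, javascript, ...)
        created.append(dst)
    shutil.copyfile(src_props, dst_props)   # step 7: copy and rename
    created.append(dst_props)
    return created


def resolve_locale(preferred_languages, installed):
    """Locale Administration Services selects for a browser's preference list.

    Only the first preferred language counts; the lookup order is
    lang_COUNTRY, then lang alone, then the en_US default.
    """
    if not preferred_languages:
        return DEFAULT_LOCALE
    # Browsers send "fr-CA"; locale folders are named "fr_CA".
    parts = preferred_languages[0].replace("-", "_").split("_")
    candidates = []
    if len(parts) > 1:
        candidates.append(parts[0].lower() + "_" + parts[1].upper())
    candidates.append(parts[0].lower())
    for candidate in candidates:
        if candidate in installed:
            return candidate
    return DEFAULT_LOCALE
```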

Translating CVCA Administration files
After creating the link for the new locale, you must translate a series of files into the
language that matches your new locale. Translate all the CVCA Administration files
listed in the following table to match your new locale.

Table 65: CVCA Administration files to translate for your new locale

All files in this table are located on the server hosting the application server
components.

Files to translate: the following CVCA Administration JSP files:
• errorLang.jsp
• titleBarLang.jsp
Location: <AS-install>\services\cvcaadmin\<instance>\webapp\<locale>

Files to translate: all CVCA Administration help files
Location: <AS-install>\services\cvcaadmin\<instance>\webapp\<locale>\help

Files to translate: the following CVCA Administration JavaScript files:
• validator-lang.js
Location: <AS-install>\services\cvcaadmin\<instance>\webapp\<locale>\javascript

File to translate: EntrustAdminServicesResources_<locale>.properties
where <locale> is the new locale you added to CVCA Administration. This file
contains error messages that can be displayed in CVCA Administration. Translate all
strings for EAC settings.
Location: <AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\classes

Files to translate: the following CVCA Administration XSL files:
• common-lang.xsl
• cvca-lang.xsl
Location: <AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\xsl\<locale>

Files to translate: the CVCA Administration email notification templates
Location: <AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\ens\xsl\<locale>

To view your localized version of CVCA Administration
1 After translating the required files, restart Administration Services and clear your
browser cache.
2 In a Web browser, browse to the CVCA Administration login page.
Your CVCA Administration locale link is available from the CVCA Administration
interface login page.

Note:
If your browser's default language is your localized language, the localized page
will appear with a link to the English page.

3 Click the locale link.


The CVCA Administration interface is now available in your localized language
setting.

Figure 28: Localized CVCA Administration page

Troubleshooting localization in CVCA Administration
When you manually integrate translated files into CVCA Administration, incorrect
page encodings may cause the pages to appear with extra white lines or cause some
characters to display in the wrong format.
To avoid these problems, you may need to add or update a few settings depending
on the new language.
The following examples provide you with some troubleshooting tips.

Translating email notification templates


When you translate email notification templates for CVCA Administration, note that
the SMTP server character set defaults to UTF-8:
<!-- SMTP Charset: The character set to use when sending messages
to the SMTP server. -->
<Charset>UTF-8</Charset>
You can find this setting in the configuration.global.xml file located on the server
hosting the CVCA Administration application server components:
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\config
In some cases you may need to update the <Charset> setting with another value.
All locales in a CVCA Administration instance share the same
configuration.global.xml file. If your language requires a special character set,
consider installing that locale on a separate CVCA Administration instance.

Translating JSP pages


When translating JSP pages, you may need to add a page encoding directive, as in
the following example of titleBarLang.jsp (French):
<%@ page pageEncoding="ISO-8859-1" %>
<%--
Component: Entrust Authority - CVCA Administration Service
Description: language strings for the titles
--%>
<%!
// Titles
static final String title="Entrust Authority&#153; CVCA Administration";
static final String titleHelp="Entrust Authority&#153; CVCA Administration Help";
static final String titleHelpIndex="Entrust Authority&#153; CVCA Administration Help Index";
%>

HTML entities referenced by names


When referenced by name, some HTML entities may cause problems. To resolve
these problems, reference the HTML entities by number, as in the ISO 8859-1
character entity tables. For example, reference é as &#233; and not as &eacute;.

Broken JavaScript code


In some cases, the apostrophe character (') may break JavaScript code and you must
replace the character with the entity number.
For example, consider the following error string (note the apostrophes):
static final String digidErrorGeneral = "Impossible de terminer l'opération de gestion de l'ID numérique.";
If the error string is referenced in JavaScript code, such as
alert('<%=digidErrorGeneral%>');
the result is broken JavaScript code, because the first apostrophe in the string is
interpreted as the closing quote of the alert function's string argument:
alert('Impossible de terminer l'opération de gestion de l'ID numérique.');
The following shows how to correctly define the error string:
static final String digidErrorGeneral = "Impossible de terminer l&#8217;opération de gestion de l&#8217;ID numérique.";
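As an added example (not code from the guide), the following Python scans a JSP language-string declaration block like the ones above, rewrites every String constant containing an apostrophe with the &#8217; entity the guide recommends, and reports which constants changed. The js_single_quoted function is an alternative of my own, not the guide's technique: it backslash-escapes the value for a single-quoted JavaScript literal. The sample block is constructed for the example.

```python
import re

# Matches a Java string constant declared inside a JSP <%! ... %> block:
#   static final String name = "value";
# The value group tolerates escaped characters such as \" inside the literal.
DECL_RE = re.compile(
    r'(static\s+final\s+String\s+(\w+)\s*=\s*")((?:[^"\\]|\\.)*)(";)',
    re.DOTALL,
)


def fix_apostrophes(jsp_source):
    """Apply the guide's fix: replace ' with &#8217; inside String constants.

    Returns (rewritten source, names of the constants that were changed).
    Constants without an apostrophe are left untouched.
    """
    changed = []

    def repl(match):
        prefix, name, value, suffix = match.groups()
        if "'" not in value:
            return match.group(0)
        changed.append(name)
        return prefix + value.replace("'", "&#8217;") + suffix

    return DECL_RE.sub(repl, jsp_source), changed


def js_single_quoted(value):
    """Alternative (added here, not the guide's method): backslash-escape the
    value so it is safe inside a single-quoted JavaScript string literal,
    including characters that would end the literal or the <script> element."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace("\n", "\\n")
                 .replace("\r", "\\r")
                 .replace("</", "<\\/"))


def alert_call_is_intact(js_call):
    """True if alert('...') still holds exactly one string literal, that is,
    no unescaped apostrophe appears between the opening and closing quotes."""
    inner = js_call[len("alert('"):-len("');")]
    return re.search(r"(?<!\\)'", inner) is None


# Constructed sample modelled on the guide's titleBarLang.jsp declarations.
SAMPLE_JSP = '''<%!
static final String title="Entrust Authority&#153; CVCA Administration";
static final String digidErrorGeneral = "Impossible de terminer l'op\u00e9ration de gestion de l'ID num\u00e9rique.";
%>'''
```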

Web browsers cannot display some locale names


On systems supporting some multibyte languages such as Japanese, the Web
browser may not be able to display the locale name in the native language. For
example, Japanese may be displayed as a series of question marks, such as ???.
The easiest fix for this problem is to display the locale in English.

To display the locale for CVCA Administration in English


1 Log in to the Administration Services server hosting the application server
components.
2 Open the common.jsp file. You can find the file in the following location:
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\jsp
3 Change the setting
loc.getDisplayName(loc)
to
loc.getDisplayName(Locale.ENGLISH)
4 Save and close the file.
5 Restart Administration Services.

39 CVCA command quick reference


This quick reference appendix lists all the Security Manager Control Command Shell
commands for administering a Country Verifying Certification Authority, providing a
description and parameters of each command.

How to use this quick reference


<> Indicates a variable, for example, <subsys>
[] Indicates an option, for example, [-ldap]
| Indicates either/or parameters, for example, all | list
+ Indicates that multiple values can be configured in one command

Security classes
3 Commands with no key icon are non-harmful commands that do not require access
to the database. They require no authorization.
2 Non-harmful commands. Autologin must be enabled or you must be
logged in to an active Security Manager Control Command Shell
session.
1 Commands requiring access to the database but not causing
irreversible change. You must be logged in to an active Security
Manager Control Command Shell session.
0 Commands causing a policy change or update that may be
irreversible. Requires one additional Master User password if policy
has been set to require multiple authorizations.

Table 66: cvca commands

Each entry gives the command syntax, a description, the security class (see
"Security classes" above), and the parameters of the command.

cvca init <country code> <mnemonic> [-taa <value>] [-keytype <value>] [-ar F|I|FI|""] [-seqAlg A|N|CA|CN] [-lifetime years|months|weeks|days <value>] [-warn <days>] [-softKey enabled|disabled]
Description: initialize the CVCA. You can only perform this command once.
Class: 0
Parameters:
• <country code>: ISO 3166-1 ALPHA-2 country code
• <mnemonic>: unique label for the CVCA certificate. The label must be between one and nine ISO 8859-1 Latin-1 characters.
• [-taa <value>]: terminal authentication algorithm. The algorithm must be one of RSA-SHA1, RSA-SHA256, RSAPSS-SHA1, RSAPSS-SHA256, ECDSA-SHA1, ECDSA-SHA224, or ECDSA-SHA256. Default is ECDSA-SHA256.
• [-keytype <value>]: the key type (RSA or EC), and the key size (RSA) or domain parameters (EC). The key type must be one of RSA-1024, RSA-1280, RSA-1536, RSA-2048, RSA-3072, RSA-4096, EC-brainpoolP160r1, EC-brainpoolP160t1, EC-brainpoolP192r1, EC-brainpoolP192t1, EC-brainpoolP224r1, EC-brainpoolP224t1, EC-brainpoolP256r1, EC-brainpoolP256t1, EC-ansix9p160k1, EC-ansix9p160r1, EC-ansix9p160r2, EC-ansix9p192r1, EC-ansix9p192k1, EC-ansix9p224r1, EC-ansix9p224k1, EC-ansix9p256r1, or EC-ansix9p256k1. Default is EC-ansix9p256r1.
• [-ar F|I|FI|""]: specifies the holder access rights: fingerprint (F), iris (I), fingerprint and iris (FI), or none (""). Default is fingerprint (F).
• [-seqAlg A|N|CA|CN]: sequence number algorithm of the CVCA holder reference: 5-digit alphanumeric (A), 5-digit numeric (N), country code plus 3-digit alphanumeric (CA), or country code plus 3-digit numeric (CN). Default is 5-digit numeric (N).
• [-lifetime years|months|weeks|days <value>]: lifetime of the CVCA certificate in years, months, weeks, or days. Must be between one day and 25 years. Default is three years.
• [-warn <days>]: number of days before the certificate expires when Security Manager starts warning you of the impending expiry. A value of 0 suppresses the warnings. Default is 100 days.
• [-softKey enabled|disabled]: controls whether software is permitted as a storage location for the CVCA keys. By default, software is permitted as a storage location.

cvca identity
Description: view the holder identity of the CVCA
Class: 1

cvca cert export [-overwrite] -root|-link <outputFile> <holder reference>
Description: export a particular CVCA root or link certificate to a file
Class: 1
Parameters:
• [-overwrite]: overwrites the information currently in the output file
• <outputFile>: fully qualified file name of the output file
• -root|-link: specifies whether the CVCA certificate is a root certificate (-root) or a link certificate (-link)
• <holder reference>: holder reference of the CVCA certificate

cvca cert export-chain [-overwrite] [-root|-link] <outputFile> [<leaf holder reference> [<trust holder reference>]]
Description: export a certificate chain, from a CVCA trust point to the CVCA leaf, to a series of files
Class: 1
Parameters:
• [-overwrite]: overwrites the information currently in the output files
• [-root|-link]: specifies whether the first certificate in the certificate chain is a root certificate (-root) or a link certificate (-link). If not specified, -root is assumed.
• <outputFile>: fully qualified file name of the output file. Security Manager appends a number (starting at 1) to each file name when it exports the certificates.
• [<leaf holder reference>]: holder reference of the CVCA certificate that ends the certificate chain. If not specified, the most recent CVCA link certificate ends the certificate chain.
• [<trust holder reference>]: holder reference of the CVCA certificate that starts the certificate chain. If not specified, the [-root|-link] option is ignored and the initial root CVCA certificate starts the certificate chain.

cvca cert list
Description: list all self-issued certificates of the CVCA
Class: 1

cvca cert show-keys
Description: view a report of active CVCA signing keys
Class: 0

cvca cert view -root|-link <holder reference>
Description: view the contents of a stored CVCA certificate
Class: 1
Parameters:
• -root|-link: specifies whether the CVCA certificate is a root certificate (-root) or a link certificate (-link)
• <holder reference>: holder reference of the CVCA certificate

cvca config set [-reset] [-taa <value>] [-keytype <value>] [-ar F|I|FI|""] [-seqAlg A|N|CA|CN] [-lifetime years|months|weeks|days <value>] [-warn <days>] [-softKey enabled | disabled]
Description: set policy that affects CVCA key/certificate generation and update
Class: 1
Parameters:
• [-reset]: resets the existing policy settings to the software defaults. If new policy settings are specified, the new values replace the existing values.
• [-taa <value>]: terminal authentication algorithm. The algorithm must be one of RSA-SHA1, RSA-SHA256, RSAPSS-SHA1, RSAPSS-SHA256, ECDSA-SHA1, ECDSA-SHA224, or ECDSA-SHA256.
• [-keytype <value>]: the key type (RSA or EC), and the key size (RSA) or domain parameters (EC). The key type must be one of RSA-1024, RSA-1280, RSA-1536, RSA-2048, RSA-3072, RSA-4096, EC-brainpoolP160r1, EC-brainpoolP160t1, EC-brainpoolP192r1, EC-brainpoolP192t1, EC-brainpoolP224r1, EC-brainpoolP224t1, EC-brainpoolP256r1, EC-brainpoolP256t1, EC-ansix9p160k1, EC-ansix9p160r1, EC-ansix9p160r2, EC-ansix9p192r1, EC-ansix9p192k1, EC-ansix9p224r1, EC-ansix9p224k1, EC-ansix9p256r1, or EC-ansix9p256k1.
• [-ar F|I|FI|""]: specifies the holder access rights: fingerprint (F), iris (I), fingerprint and iris (FI), or none ("")
• [-seqAlg A|N|CA|CN]: sequence number algorithm of the CVCA holder reference: 5-digit alphanumeric (A), 5-digit numeric (N), country code plus 3-digit alphanumeric (CA), or country code plus 3-digit numeric (CN).
• [-lifetime years|months|weeks|days <value>]: lifetime of the CVCA certificate in years, months, weeks, or days. Must be between one day and 25 years.
• [-warn <days>]: number of days before the certificate expires when Security Manager starts warning you of the impending expiry. A value of 0 suppresses the warnings.
• [-softKey enabled | disabled]: controls whether software is permitted as a storage location for the CVCA keys. By default, software is permitted as a storage location.

cvca config view
Description: view the policy that affects CVCA key/certificate generation and update
Class: 1

cvca dv add <dv identity> [-ar F|I|FI|""] [-selfSvc yes|no] [-queueSelfSvc yes|no] [-lifetime years|months|weeks|days <value>] [-super <value>]
Description: add a Document Verifier (DV)
Class: 1
Parameters:
• <dv identity>: holder identity of the DV
• [-ar F|I|FI|""]: specifies the DV holder access rights: fingerprint (F), iris (I), fingerprint and iris (FI), or none ("")
• [-selfSvc yes|no]: specifies whether to allow automated self-service requests
• [-queueSelfSvc yes|no]: specifies whether to queue automated self-service requests
• [-lifetime years|months|weeks|days <value>]: lifetime of the DV certificates in years, months, weeks, or days. Must be between one day and 25 years.
• [-super <value>]: the DV's domestic CVCA

cvca dv delete <dv identity>
Description: delete a Document Verifier
Class: 1

cvca dv disable <dv identity>
Description: disable a Document Verifier
Class: 1

cvca dv enable <dv identity>
Description: enable a Document Verifier
Class: 1

cvca dv list [-state enabled|disabled]
Description: list all Document Verifiers (DVs)
Class: 1
Parameters:
• [-state enabled|disabled]: list all DVs in a specific state (enabled or disabled)

cvca dv modify <dv identity> [-reset] [-ar F|I|FI|""] [-selfSvc yes|no] [-queueSelfSvc yes|no] [-lifetime years|months|weeks|days <value>] [-super <value>]
Description: modify a Document Verifier (DV)
Class: 1
Parameters:
• <dv identity>: holder identity of the DV
• [-reset]: resets the existing parameters to the DV global policy defaults. If new parameters are specified, the new values replace the existing values.
• [-ar F|I|FI|""]: specifies the DV holder access rights: fingerprint (F), iris (I), fingerprint and iris (FI), or none ("")
• [-selfSvc yes|no]: specifies whether to allow automated self-service requests
• [-queueSelfSvc yes|no]: specifies whether to queue automated self-service requests
• [-lifetime years|months|weeks|days <value>]: lifetime of the DV certificates in years, months, weeks, or days. Must be between one day and 25 years.
• [-super <value>]: the DV's domestic CVCA

cvca dv search [-state enabled|disabled] [-ar] [-ar F|I|FI|""] [-selfSvc] [-selfSvc yes|no] [-queueSelfSvc] [-queueSelfSvc yes|no] [-lifetime] [-lifetime years|months|weeks|days <value>] [-super] [-super <value>]
Description: find all Document Verifiers (DVs) that meet specific search criteria
Class: 1
Parameters:
• [-state enabled|disabled]: find all DVs in a specific state (enabled or disabled)
• [-ar]: find DVs with custom holder access rights
• [-ar F|I|FI|""]: find DVs with specific holder access rights: fingerprint (F), iris (I), fingerprint and iris (FI), or none ("")
• [-selfSvc]: find DVs with a custom self-service policy
• [-selfSvc yes|no]: find DVs that can (-selfSvc yes) or cannot (-selfSvc no) perform automated self-service operations
• [-queueSelfSvc]: find DVs with a custom queue self-service policy
• [-queueSelfSvc yes|no]: find DVs that can (-queueSelfSvc yes) or cannot (-queueSelfSvc no) queue self-service operations
• [-lifetime]: find DVs with a custom certificate lifetime
• [-lifetime years|months|weeks|days <value>]: find DVs with a specific certificate lifetime in years, months, weeks, or days
• [-super]: find DVs with a custom domestic CVCA
• [-super <value>]: find DVs with a specific domestic CVCA

cvca dv view <dv identity>
Description: view a Document Verifier
Class: 1

cvca dv cert export [-overwrite] <outputFile> <holder reference> <authority reference>
Description: export a particular Document Verifier certificate to a file
Class: 1
Parameters:
• [-overwrite]: overwrites the information currently in the output file
• <outputFile>: fully qualified file name of the output file
• <holder reference>: holder reference of the DV certificate
• <authority reference>: authority reference of the DV certificate

cvca dv cert list <dv identity>
Description: list all certificates issued to a particular Document Verifier by the CVCA
Class: 1

cvca dv cert view <holder reference> <authority reference>
Description: view the contents of a stored Document Verifier (DV) certificate
Class: 1
Parameters:
• <holder reference>: holder reference of the DV certificate
• <authority reference>: authority reference of the DV certificate

cvca dv certreq preview [-allow expired|unauthenticated|countersigned] <input file>
Description: preview an external Document Verifier (DV) certificate request and determine whether an attempt to process the certificate request will succeed
Class: 1
Parameters:
• [-allow expired|unauthenticated|countersigned]: allows you to preview a certificate request if it was produced by an expired certificate, if it lacks an outer signature (unauthenticated), or if it was countersigned by a foreign CVCA
• <input file>: the fully qualified file name of the file containing the certificate request

cvca dv certreq process [-allow expired|unauthenticated|countersigned] [-overwrite] [-oobAuth|-valStrAuth <validationString>] <inputFile> <outputFile>
Description: process a Document Verifier (DV) certificate request and issue the DV certificate
Class: 0
Parameters:
• [-allow expired|unauthenticated|countersigned]: allows you to view a certificate request if it was produced by an expired certificate, if it lacks an outer signature (unauthenticated), or if it was countersigned by a foreign CVCA
• [-overwrite]: overwrites the information currently in the output file
• [-oobAuth]: indicates that the request was authenticated by an out-of-band method
• [-valStrAuth <validationString>]: allows you to input the validation string of the DV certificate request
• <inputFile>: the fully qualified file name of the file containing the certificate request
• <outputFile>: the fully qualified file name of the output file (the DV certificate)

cvca dv certreq presign <input file>
Description: preview an external certificate request from a domestic Document Verifier (DV) intended for a foreign CVCA, and determine whether an attempt to countersign the certificate request will succeed
Class: 1
Parameters:
• <input file>: the fully qualified file name of the file containing the certificate request

cvca dv certreq countersign [-overwrite] [-oobAuth|-valStrAuth <validationString>] <inputFile> <outputFile>
Description: countersign an external certificate request from a domestic Document Verifier (DV) intended for a foreign CVCA, and issue a countersigned certificate request
Class: 0
Parameters:
• [-overwrite]: overwrites the information currently in the output file
• [-oobAuth]: indicates that the request was authenticated by an out-of-band method
• [-valStrAuth <validationString>]: allows you to input the validation string of the DV certificate request
• <inputFile>: the fully qualified file name of the file containing the certificate request
• <outputFile>: the fully qualified file name of the output file (the countersigned DV certificate request)

cvca dv config set [-reset] [-ar F|I|FI|""] [-selfSvc yes|no] [-queueSelfSvc yes|no] [-lifetime years|months|weeks|days <value>]
Description: set the global Document Verifier (DV) policy settings
Class: 1
Parameters:
• [-reset]: resets the existing policy settings to the software defaults. If new policy settings are specified, the new values replace the existing values.
• [-ar F|I|FI|""]: specifies the DV holder access rights: fingerprint (F), iris (I), fingerprint and iris (FI), or none ("")
• [-selfSvc yes|no]: specifies whether to allow automated self-service requests
• [-queueSelfSvc yes|no]: specifies whether to queue automated self-service requests
• [-lifetime years|months|weeks|days <value>]: lifetime of DV certificates in years, months, weeks, or days. Must be between one day and 25 years.

cvca dv config view
Description: view the global Document Verifier policy settings
Class: 1

cvca fcvca add <fcvca identity>
Description: add a foreign CVCA. The foreign CVCA holder identity must begin with an ISO 3166-1 ALPHA-2 country code, followed by one to nine ISO 8859-1 Latin-1 characters.
Class: 1

cvca fcvca delete <fcvca identity>
Description: delete a particular foreign CVCA
Class: 1

cvca fcvca disable <fcvca identity>
Description: disable a particular foreign CVCA
Class: 1

cvca fcvca enable <fcvca identity>
Description: enable a particular foreign CVCA
Class: 1

cvca fcvca view <fcvca identity>
Description: view the details of a particular foreign CVCA
Class: 1

cvca fcvca list [-state enabled|disabled]
Description: list all foreign CVCAs
Class: 1
Parameters:
• [-state enabled|disabled]: list all foreign CVCAs with a specific state (enabled or disabled)

cvca fcvca cert export [-overwrite] -root|-link <output file> <holder reference>
Description: export a particular root or link foreign CVCA certificate
Class: 1
Parameters:
• [-overwrite]: overwrites the information currently in the output file
• -root|-link: specifies whether the foreign CVCA certificate is a root certificate (-root) or a link certificate (-link)
• <output file>: fully qualified file name of the output file
• <holder reference>: holder reference of the foreign CVCA certificate

cvca fcvca cert export-chain [-overwrite] [-root|-link] <output file> <leaf holder reference> [<trust point holder reference>]
Description: export a foreign CVCA certificate chain, from a CVCA trust point to the CVCA leaf, to a series of files
Class: 1
Parameters:
• [-overwrite]: overwrites the information currently in the output file
• [-root|-link]: specifies whether the foreign CVCA certificate that starts the certificate chain is a root certificate (-root) or a link certificate (-link). If not specified, -root is assumed.
• <output file>: fully qualified file name of the output file
• <leaf holder reference>: holder reference of the CVCA certificate that ends the CVCA certificate chain
• [<trust point holder reference>]: holder reference of the CVCA certificate that starts the CVCA certificate chain. If not specified, the initial root CVCA certificate is assumed.

cvca fcvca cert import [-oobAuth|-valStrAuth <validation string>] <input file>
Description: import a foreign CVCA certificate
Class: 1
Parameters:
• [-oobAuth]: indicates that the CVCA certificate was already authenticated by an out-of-band method, such as diplomatic courier. This option is ignored for link certificates.
• [-valStrAuth <validation string>]: (root CVCA certificates only) allows you to authenticate the CVCA certificate by providing the validation string of the CVCA certificate. This option is ignored for link certificates.
• <input file>: the fully qualified file name of the file containing the foreign CVCA certificate

cvca fcvca cert list <fcvca identity>
Description: list self-issued certificates of a particular foreign CVCA
Class: 1

cvca fcvca cert view -root|-link <holder reference>
Description: view the contents of a stored foreign CVCA certificate
Class: 1
Parameters:
• -root|-link: specifies whether the foreign CVCA certificate is a root certificate (-root) or a link certificate (-link)
• <holder reference>: holder reference of the CVCA certificate

cvca key update
Description: update the CVCA key and certificate
Class: 0

cvca util cert preview <input file>
Description: preview an external certificate
Class: 1
Parameters:
• <input file>: the fully qualified file name of the file containing the certificate

cvca util certreq preview <input file>
Description: preview an external certificate request
Class: 1
Parameters:
• <input file>: the fully qualified file name of the file containing the certificate request
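As an added example (not code from the guide or from Security Manager), the following Python validates the country code and mnemonic constraints given above for cvca init and cvca fcvca add, and builds and advances sequence numbers under each -seqAlg setting (A, N, CA, CN). Two assumptions are mine, not the guide's: the holder reference is the holder identity (country code plus mnemonic) followed by a 5-character sequence number, and alphanumeric sequences count 0-9 before A-Z.

```python
import re
import string

ALNUM = string.digits + string.ascii_uppercase   # assumed order: 0-9, then A-Z
SEQ_WIDTH = 5                                     # assumed total sequence length
# -seqAlg value -> (counter is prefixed by the country code?, counter width, alphabet)
SEQ_ALGS = {
    "A":  (False, 5, ALNUM),          # 5-digit alphanumeric
    "N":  (False, 5, string.digits),  # 5-digit numeric (the cvca init default)
    "CA": (True,  3, ALNUM),          # country code plus 3-digit alphanumeric
    "CN": (True,  3, string.digits),  # country code plus 3-digit numeric
}


def holder_identity(country, mnemonic):
    """Country code plus mnemonic, validated as the quick reference requires."""
    if not re.fullmatch(r"[A-Z]{2}", country):
        raise ValueError("country must be an upper-case ISO 3166-1 alpha-2 code")
    if not 1 <= len(mnemonic) <= 9:
        raise ValueError("mnemonic must be one to nine characters")
    mnemonic.encode("latin-1")      # raises UnicodeEncodeError if not ISO 8859-1
    return country + mnemonic


def _to_int(text, alphabet):
    value = 0
    for ch in text:
        if ch not in alphabet:
            raise ValueError("character %r is not valid for this -seqAlg" % ch)
        value = value * len(alphabet) + alphabet.index(ch)
    return value


def _from_int(value, width, alphabet):
    chars = []
    for _ in range(width):
        value, digit = divmod(value, len(alphabet))
        chars.append(alphabet[digit])
    return "".join(reversed(chars))


def first_sequence(alg, country):
    """The first sequence number issued under -seqAlg (00001, CA001, ...)."""
    uses_cc, width, alphabet = SEQ_ALGS[alg]
    return (country if uses_cc else "") + _from_int(1, width, alphabet)


def next_sequence(seq, alg, country):
    """Advance a sequence number under -seqAlg; refuse to wrap at the top."""
    uses_cc, width, alphabet = SEQ_ALGS[alg]
    prefix = country if uses_cc else ""
    if len(seq) != SEQ_WIDTH or not seq.startswith(prefix):
        raise ValueError("sequence %r does not match -seqAlg %s" % (seq, alg))
    value = _to_int(seq[len(prefix):], alphabet) + 1
    if value >= len(alphabet) ** width:
        raise OverflowError("sequence space for -seqAlg %s is exhausted" % alg)
    return prefix + _from_int(value, width, alphabet)


def holder_reference(country, mnemonic, seq):
    """Holder identity followed by the sequence number (assumed layout)."""
    if len(seq) != SEQ_WIDTH:
        raise ValueError("sequence number must be %d characters" % SEQ_WIDTH)
    return holder_identity(country, mnemonic) + seq


def parse_holder_reference(ref):
    """Split a holder reference into (country, mnemonic, sequence)."""
    identity, seq = ref[:-SEQ_WIDTH], ref[-SEQ_WIDTH:]
    country, mnemonic = identity[:2], identity[2:]
    holder_identity(country, mnemonic)   # validates the pieces
    return country, mnemonic, seq
```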

Section 9: Single Point of Contact section

This section provides instructions for installing a Single Point of Contact (SPOC),
installing and configuring Administration Services, and administering the SPOC.
This section contains the following chapters:
• “Installing a SPOC CA” on page 1153
• “Deploying the SPOC services” on page 1161
• “Configuring the SPOC services” on page 1213
• “Administering a Single Point of Contact” on page 1223
• “Customizing SPOC Administration” on page 1277
• “Localizing SPOC Administration” on page 1283
• “SPOC Domestic Web Service API reference” on page 1291

40

Installing a SPOC CA
Before you can administer a Single Point of Contact (SPOC), you must install a SPOC
Certification Authority (CA). Installing a SPOC CA requires that you install, configure
and initialize Security Manager as a SPOC CA.
This chapter includes the following sections:
• “Installing and configuring Security Manager” on page 1154
• “Configuring the SPOC CA” on page 1157
• “Post-configuration steps” on page 1160

Installing and configuring Security Manager
Before installing Security Manager, ensure that you read all preinstallation
information described in the Security Manager 8.3 Installation Guide. Ensure that
you install and configure a supported LDAP directory and database as described in
the Security Manager 8.3 Installation Guide.

Note:
The distinguished name (DN) of the SPOC CA must include c=<country>, where
<country> is the country code of the country represented by the SPOC. For
example, the DN for a Canada SPOC CA must include c=CA. When installing and
configuring the Security Manager directory, ensure that the directory suffix or CA
DN includes c=<country>. The two-letter country code must be in uppercase
characters to meet the ISO 3166 standard.

Microsoft Active Directory is not supported for a SPOC CA.

Installing and configuring Security Manager on Windows


Install, configure, and initialize Security Manager according to the instructions in the
Security Manager 8.3 Installation Guide. The following procedure provides
information about installing and configuring Security Manager as a SPOC CA, and
includes special instructions for deployments that contain Administration Services.
If you are installing Security Manager as a joint Country Verification Certification
Authority (CVCA) and SPOC CA, see “Installing a Country Verifying CA” on
page 893 for instructions about installing and configuring the CA as a CVCA.

Attention:
Not all Security Manager client applications support all the algorithms that you
can select when configuring Security Manager. When configuring Security
Manager, ensure that you select algorithms supported by all the client
applications that you plan to use.

1 For CA Type:
• If the SPOC CA will be a root CA, click Root CA.
• If the SPOC CA will be an intermediate CA (called a subordinate CA in
Security Manager), click Subordinate CA.

The Country Signing CA (CSCA) option is for CSCAs only. A SPOC CA cannot be
a Country Signing CA.
2 On the CRL Configuration page, click Yes and then select Make combined CRLs
compatible with applications on any Microsoft OS from the drop-down list.
Do not select Make partitioned CRLs compatible with applications on Windows
XP or 2003 from the drop-down list or the SPOC services provided by Entrust
Authority Administration Services will not work properly.
When you make combined CRLs compatible with applications on any Microsoft
operating system, the Enabled Combined CRL option is automatically selected
and disabled (grayed out).

Note:
If you will configure your CA as an intermediate CA (called a subordinate CA in
Security Manager), ensure that the root CA is configured for the same level of
Microsoft compatibility. The root CA certificate must include an HTTP CRL
distribution point (CDP).

3 On the CRL Distribution Point Information page:


a To work with Microsoft client applications, Security Manager must write the
combined CRL to a shared folder on the network. This folder appears in the
Combined CRL field. By default, the folder is named CRL and is located on
the server where you are configuring Security Manager. The Security
Manager configuration wizard will create this folder.
To change the default server, click Change and then select a folder from your
network connections. The folder must be named CRL.
Security Manager can only write to a network location if the account used
by the Security Manager services has direct write privileges to that location.
b For URL Type, select http.
The SPOC certificate revocation list (CRL) must be published with an HTTP
CRL Distribution Point (CDP).
c In the URL Host field, enter the fully qualified host name or IPv4 address of
your Web server. This is the Web server where you will host the SPOC CA’s
CRL.
d Click Create from Settings.
The CDP Definition field is filled with a CDP URL based on the CDP type and
host information you provided. For example:
http://domain.example.com/CRL/ca_entry_example_mm_<number>.crl

Where <number> is a token that Security Manager will replace with a value
identifying the CRL and its type. See the Security Manager Operations Guide for
details about this token and other available tokens.
e If desired, you can edit the CDP URL in the CDP Definition field before
adding it to the list of CDPs.
The file name must end with a .crl extension. The file name must include
<number>. <number> is a token that Security Manager will replace with a
value.
f Click Add to add the CDP URL specified in the CDP Definition field to the
Default CDP URLs list.
g If you need to add additional CDPs for other protocols (such as FTP, LDAP,
or FILE), add the additional CDPs.

Note:
After you configure Security Manager, but before you initialize Security Manager,
you can customize the CDP information by editing the [CDP] section of the
entmgr.ini file. After initializing Security Manager, you customize CDP
information by editing the certificate specifications.

4 On the Configuration Complete page, deselect Run Security Manager Control
Command Shell.
You want to deselect this option so you do not initialize your CA. Initializing the
CA at this point will result in an incorrectly-configured SPOC CA.
You have installed and configured Security Manager, but only partially configured
your SPOC CA. Proceed to “Configuring the SPOC CA” on page 1157 to finish
configuring your SPOC CA.

Configuring the SPOC CA
After installing and configuring Security Manager, you must configure your SPOC CA
further to conform to SPOC requirements. Configuring the SPOC CA requires that
you publish CRLs to the Web, configure CRL Distribution Point (CDP) information,
configure the SPOC CA root certificate, and add SPOC certificate types.
This section contains the following topics:
• “Publishing CRLs to the Web server” on page 1157
• “Configuring the SPOC CA certificate” on page 1157

Publishing CRLs to the Web server


The SPOC certificate revocation lists (CRLs) must be published to a Web server.
Foreign SPOCs will read the CRLs from this Web server. Ensure that the Web server
is accessible to foreign SPOCs so that they can read the published CRLs. The domestic
SPOC accesses CRLs from the Security Manager directory. Ensure that Administration
Services—which will host the SPOC services—can access the Security Manager
directory so it can access the CRLs.
To publish the CRLs to the Web server, you must:
1 Create a shared folder on the network.
The account used by the Security Manager services must have direct write
privileges to this location. You should have already performed this step if you
installed and configured Security Manager on Windows.
2 For domain users to access the CRL file in the folder, grant read permission for
the CRL folder to the Domain Users group on your server. For foreign SPOCs to
access the file, ensure that the file will be freely accessible on the Internet
without any access controls. Read access is all that these clients need: grant
write access to the folder only to the account used by the Security Manager
services, because anyone who can write there can delete the published CRL or
roll it back to an earlier copy.
3 Add the folder to the default Web site (share to the Web) with the alias CRL. See
the documentation for your Web server or operating system.
To publish the CRLs to Microsoft Internet Information Services (IIS), create a new
IIS virtual directory with the alias CRL. Ensure that the virtual directory has Read
and Write permissions.
After publishing the CRLs to the Web server, proceed to “Configuring the SPOC CA
certificate” on page 1157 to configure the SPOC CA root certificate.

Configuring the SPOC CA certificate


You must configure the SPOC CA certificate to conform to SPOC standards.
Complete the following procedure to configure the SPOC CA certificate.

To configure the SPOC CA certificate
1 If your SPOC CA is a root CA:
a Open the initial.certspec file. By default, you can find the file:
– on Windows, C:\Program Files\Entrust\Security Manager\<version>\etc
b Locate the [cacert_default Advanced] section.
c Comment out the setting noCRLDistPoints=1. To comment out the setting,
add a semicolon at the beginning of the line:
;noCRLDistPoints=1
Commenting out this setting instructs Security Manager to include CDPs in
the SPOC CA root certificate.
d Save and close the file.
2 If your SPOC CA is a subordinate CA, the SPOC CA does not issue its own CA
certificates. A subordinate CA is issued CA certificates from its superior CA.
Ensure the CA certificates that the superior CA issues to the subordinate CA
conform to ICAO standards.
If the superior CA is a Security Manager CA:
a At the superior CA, export the certificate specifications.
You can export the certificate specifications using the Security Manager
Control Command Shell or Security Manager Administration. See the
documentation for details. If you export the certificate specifications from
Security Manager Administration, the default file name is master.certspec.
b Security Manager issues cross-certificates to subordinate CAs. By default,
Security Manager includes two cross-certificates in the certificate
specifications: Default Cross-Certificates (xcert_default) and PKIX Compliant
Cross-Certificates (xcert_pkix). You may have added additional
cross-certificate types.
Ensure that the cross-certificate types allow CDP extensions in the
cross-certificates. Locate the [xcert_default Advanced] and [xcert_pkix
Advanced] sections and ensure that the setting noCRLDistPoints=1 is
absent or commented out. If you created a custom cross-certificate type,
ensure that the setting noCRLDistPoints=1 is absent or commented out for
that certificate type.
If you require that the default cross-certificates (or any custom
cross-certificates) exclude CDPs, create a new cross-certificate type
specifically for your SPOC CA. Ensure that this new SPOC CA
cross-certificate type allows CDPs.
c Save and close the file.
d Import the certificate specifications back into Security Manager.

You can import the certificate specifications using the Security Manager
Control Command Shell or Security Manager Administration. See the
documentation for details.
After configuring the SPOC CA root certificate, proceed to “Post-configuration
steps” on page 1160 to initialize Security Manager.

Post-configuration steps
After configuring your SPOC CA, you must perform the following steps:
1 Initialize Security Manager.
For more information about initializing Security Manager, see the Security
Manager 8.3 Installation Guide.
2 Install the latest Security Manager patches.
3 Install Security Manager Administration.
Security Manager Administration is the graphical interface for Security Manager.
Install Security Manager Administration according to the instructions in the
Security Manager Administration User Guide.
4 Deploy Administration Services (see “Deploying the SPOC services” on
page 1161).
Administration Services provides Web-based services for managing a Single Point
of Contact.

41

Deploying the SPOC services


This chapter describes how to deploy the SPOC services provided by Entrust
Authority Administration Services: SPOC Administration, the SPOC Web Service, and
the SPOC Domestic Web Service.
SPOC Administration is a Web-based interface for administering a Single Point of
Contact. SPOC administrators use SPOC Administration to manage certificate
requests from foreign SPOCs and domestic Document Verifiers.
The SPOC Web Service is a Web service designed to automatically send and receive
certificate requests with foreign SPOCs.
The SPOC Domestic Web Service is a Web service designed to automatically submit
certificate requests from domestic Document Verifiers to the domestic CVCA, or to
foreign SPOCs to be processed by foreign CVCAs.
This chapter includes the following sections:
• “Deployment overview” on page 1163
• “Synchronizing Administration Services and Security Manager time settings”
on page 1164
• “Creating new certificate types for SPOC profiles that will be stored on
hardware” on page 1165
• “Creating SPOC Server credentials” on page 1169
• “Creating SPOC Client credentials” on page 1172
• “Checking the entrust.ini file” on page 1175
• “Obtaining files from the CVCA for SPOC” on page 1177
• “Installing the SPOC services” on page 1178
• “Configuring SPOC Client authentication to a directory without anonymous
access” on page 1201
• “Configuring SPOC Server authentication to a directory without anonymous
access” on page 1203

• “Configuring SPOC Domestic Web Service authentication to a directory
without anonymous access” on page 1205
• “Configuring SPOC administrators for PKCS #12 enrollment” on page 1207
• “Creating SPOC administrators” on page 1208
• “Testing the SPOC Services” on page 1212

Deployment overview
Deploying Administration Services for a Single Point of Contact (SPOC) includes the
following steps. Each step is described in further detail in this chapter.
1 Review the list of supported operating systems, Web servers, and Web browsers
in the Entrust Authority Administration Services Release Notes. The most recent
Release Notes are posted on Entrust Datacard TrustedCare.
2 Synchronize the application server and Security Manager Certification Authority
time setting (see “Synchronizing Administration Services and Security Manager
time settings” on page 1164).
3 If you will be storing the required Entrust profiles on hardware, you must create
new certificate types for the SPOC Server and SPOC Client profiles (see “Creating
new certificate types for SPOC profiles that will be stored on hardware” on page 1165).
4 Create Entrust profiles for Administration Services:
• “Creating SPOC Server credentials” on page 1169
• “Creating SPOC Client credentials” on page 1172
5 Check the settings in the entrust.ini file (see “Checking the entrust.ini file” on
page 1175).
6 Obtain files from the CVCA that are required to install SPOC services (see
“Obtaining files from the CVCA for SPOC” on page 1177).
7 Install Administration Services (see “Installing the SPOC services” on
page 1178).
8 If the Security Manager directory does not allow anonymous authentication, you
must configure authentication to the directory:
• “Configuring SPOC Client authentication to a directory without anonymous
access” on page 1201
• “Configuring SPOC Server authentication to a directory without anonymous
access” on page 1203
• “Configuring SPOC Domestic Web Service authentication to a directory
without anonymous access” on page 1205
9 Configure SPOC administrators for PKCS #12 enrollment (see “Configuring
SPOC administrators for PKCS #12 enrollment” on page 1207).
To create the SPOC administrator credentials as a PKCS #12 security store, the
client policy (user policy) assigned to SPOC administrators must allow PKCS #12
export.
10 Create a user entry in Security Manager for each SPOC administrator (see
“Creating SPOC administrators” on page 1208).
11 Test Administration Services (see “Testing the SPOC Services” on page 1212).

Synchronizing Administration Services and
Security Manager time settings
Before or after installing Security Manager and Administration Services, you must
synchronize the time settings on all machines. The Timestamp servlet marks all client
browser messages with a time stamp. The local clock on the Administration Services
machine provides the time stamp for the Timestamp servlet.
The Timestamp servlet component of Administration Services requires all machines to
have synchronized time settings, within a five minute window. If Security Manager
and Administration Services time settings are greater than five minutes apart, the
following message may appear:
The XAP message has an expired timestamp. The message contained a
timestamp that was outside the server’s acceptance window. Make
sure that the source used to obtain message timestamps is
synchronized with the server’s time.
You can use Network Time client applications (or another method approved by your
organization) to synchronize the time settings of Security Manager and all
Administration Services machines to within a five minute time window.

Creating new certificate types for SPOC
profiles that will be stored on hardware
The SPOC Server profile receives requests from foreign SPOCs. By default, Security
Manager includes the certificate type ePassport - SPOC Server (ent_spoc_server) for
the SPOC Server profile. When the SPOC Server profile uses this certificate type and
the profile is stored on hardware, errors can occur when attempting to connect with
foreign SPOCs.
The SPOC Client profile sends requests to foreign SPOCs. By default, Security
Manager includes the certificate type ePassport - SPOC Client (ent_spoc_client) for
the SPOC Client profile. When the SPOC Client profile uses this certificate type and
the profile is stored on hardware, errors can occur when attempting to connect with
foreign SPOCs.
To avoid these errors, you must create new certificate types as described in this
section.

To create new certificate types for the SPOC Server and SPOC Client profiles
1 From the SPOC CA, export the Security Manager certificate specifications.
You can export the certificate specifications from Security Manager
Administration, or from the Security Manager Control Command Shell using the
fcs export command. See the Security Manager Administration User Guide or
Security Manager Operations Guide for details.
2 Open the certificate specifications file in a text editor.
3 Add the following to the [Certificate Types] section:
ent_spoc_tls_2kp=enterprise,ePassport - SPOC TLS Server 2-Key-Pair User,
_continue_=2-Key-Pair user for SPOC TLS Server.
ent_spoc_client_2kp=enterprise,ePassport - SPOC TLS Client 2-Key-Pair User,
_continue_=2-Key-Pair user for SPOC TLS Client.
4 Add the following to the [Extension Definitions] section:
[ent_spoc_tls_2kp Certificate Definitions]
1=Dual Usage
2=Verification

[ent_spoc_tls_2kp Dual Usage Extensions]
;Key Usage: RFC 5280 digitalSignature(0), keyEncipherment(2), keyAgreement(4)
keyusage=2.5.29.15,n,m,BitString,10101
;Extended Key Usage: id-csn-369791-tls-server, id-kp-serverAuth
extkeyusage=2.5.29.37,n,m,SeqOfObjectIdentifier,1.2.203.7064.1.1.369791.2
_continue_= 1.3.6.1.5.5.7.3.1

[ent_spoc_tls_2kp Verification Extensions]
;Key Usage: RFC 5280 digitalSignature(0)
keyusage=2.5.29.15,n,m,BitString,1

[ent_spoc_client_2kp Certificate Definitions]
1=Dual Usage
2=Verification

[ent_spoc_client_2kp Dual Usage Extensions]
;Key Usage: RFC 5280 digitalSignature(0), keyEncipherment(2), keyAgreement(4)
keyusage=2.5.29.15,n,m,BitString,10101
;Extended Key Usage: id-csn-369791-tls-client, id-kp-clientAuth
extkeyusage=2.5.29.37,n,m,SeqOfObjectIdentifier,1.2.203.7064.1.1.369791.1
_continue_= 1.3.6.1.5.5.7.3.2

[ent_spoc_client_2kp Verification Extensions]
;Key Usage: RFC 5280 digitalSignature(0)
keyusage=2.5.29.15,n,m,BitString,1

5 Save and close the file.
6 Import the certificate specifications back into Security Manager.
You can import the certificate specifications from Security Manager
Administration, or from the Security Manager Control Command Shell using the
fcs import command. See the Security Manager Administration User Guide or
Security Manager Operations Guide for details.
You have now defined new two-key-pair certificate types ePassport - SPOC TLS
Server 2-Key-Pair User (ent_spoc_tls_2kp) and ePassport - SPOC TLS Client
2-Key-Pair User (ent_spoc_client_2kp).
7 You must create a new certificate definition policy for these new certificate types.
Proceed to “To create a new certificate definition policy for the new certificate
types” on page 1166.
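The following script is an added example for this guide, not Entrust code or part of the Security Manager product. It checks an exported certificate specification for the two edits described above: that noCRLDistPoints=1 is absent or commented out in the relevant Advanced sections (see “Configuring the SPOC CA certificate” on page 1157), and that the two new two-key-pair types carry the key usage and extended key usage values listed in step 4, decoding the BitString so that 10101 reads as digitalSignature, keyEncipherment and keyAgreement. The certspec syntax it parses (sections in brackets, ; comments, key=value, and _continue_ appending its value verbatim to the previous key) is inferred from the excerpts in this guide and is an assumption; the sample certspec text, the function names and the check logic are this example's own, and the script does not connect to Security Manager.

```python
"""Check an exported Security Manager certspec for the SPOC settings described in
the two procedures above.  Added example, not Entrust code.  Format assumptions
(inferred from the guide's excerpts): '[section]' opens a section, ';' starts a
comment, 'key=value' sets a key, '_continue_=value' appends verbatim to the previous
key (hence the space after '=' in the guide's continuation line, separating two OIDs)."""

# RFC 5280 KeyUsage bit names; bit 0 is the leftmost character of the BitString.
KEY_USAGE_BITS = ("digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly")
ID_KP_SERVER_AUTH, ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"
SPOC_DUAL_USAGE = ["digitalSignature", "keyEncipherment", "keyAgreement"]  # "10101"

def parse_certspec(text):
    """Parse certspec text into {section: {key: value}}; commented lines vanish."""
    sections, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # a commented-out noCRLDistPoints=1 never reaches the dict
        if line.startswith("[") and line.endswith("]"):
            current, last_key = line[1:-1].strip(), None
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() == "_continue_":
            if last_key is not None:
                sections[current][last_key] += value  # verbatim: leading space kept
            continue
        last_key = key.strip()
        sections[current][last_key] = value.strip()
    return sections

def cdps_allowed(sections, advanced_section):
    """True unless the given '<type> Advanced' section still has an active noCRLDistPoints=1."""
    return sections.get(advanced_section, {}).get("noCRLDistPoints") != "1"

def _payload(spec_value, oid, syntax):
    ext_oid, _flag1, _flag2, ext_syntax, payload = spec_value.split(",", 4)  # flags not interpreted
    if (ext_oid, ext_syntax) != (oid, syntax):
        raise ValueError(f"unexpected extension definition: {spec_value}")
    return payload

def decode_key_usage(spec_value):
    """'2.5.29.15,n,m,BitString,10101' -> names of the KeyUsage bits that are set."""
    bits = _payload(spec_value, "2.5.29.15", "BitString")
    return [name for name, bit in zip(KEY_USAGE_BITS, bits) if bit == "1"]

def extended_key_usages(spec_value):
    """'2.5.29.37,n,m,SeqOfObjectIdentifier,<oid> <oid>' -> list of EKU OIDs."""
    return _payload(spec_value, "2.5.29.37", "SeqOfObjectIdentifier").split()

def check_spoc_tls_type(sections, type_id, required_eku):
    """Return problems with a two-key-pair SPOC TLS type; [] means it matches the guide."""
    defs = sections.get(f"{type_id} Certificate Definitions", {})
    dual = sections.get(f"{type_id} Dual Usage Extensions", {})
    ver = sections.get(f"{type_id} Verification Extensions", {})
    ku = decode_key_usage(dual.get("keyusage", "2.5.29.15,n,m,BitString,"))
    eku = extended_key_usages(dual.get("extkeyusage", "2.5.29.37,n,m,SeqOfObjectIdentifier,"))
    vku = decode_key_usage(ver.get("keyusage", "2.5.29.15,n,m,BitString,"))
    checks = [
        (set(defs.values()) == {"Dual Usage", "Verification"}, "needs Dual Usage and Verification definitions"),
        (ku == SPOC_DUAL_USAGE, f"Dual Usage KeyUsage {ku} != {SPOC_DUAL_USAGE}"),
        (required_eku in eku, f"Dual Usage EKU {eku} lacks {required_eku}"),
        (vku == ["digitalSignature"], f"Verification KeyUsage {vku} must be digitalSignature only"),
    ]
    return [f"{type_id}: {msg}" for ok, msg in checks if not ok]

# Constructed excerpt (not a real export): cacert_default is fixed, xcert_default is not.
SAMPLE_CERTSPEC = """\
[cacert_default Advanced]
;noCRLDistPoints=1
[xcert_default Advanced]
noCRLDistPoints=1
[ent_spoc_tls_2kp Certificate Definitions]
1=Dual Usage
2=Verification
[ent_spoc_tls_2kp Dual Usage Extensions]
keyusage=2.5.29.15,n,m,BitString,10101
extkeyusage=2.5.29.37,n,m,SeqOfObjectIdentifier,1.2.203.7064.1.1.369791.2
_continue_= 1.3.6.1.5.5.7.3.1
[ent_spoc_tls_2kp Verification Extensions]
keyusage=2.5.29.15,n,m,BitString,1
[ent_spoc_client_2kp Certificate Definitions]
1=Dual Usage
2=Verification
[ent_spoc_client_2kp Dual Usage Extensions]
keyusage=2.5.29.15,n,m,BitString,10101
extkeyusage=2.5.29.37,n,m,SeqOfObjectIdentifier,1.2.203.7064.1.1.369791.1
_continue_= 1.3.6.1.5.5.7.3.2
[ent_spoc_client_2kp Verification Extensions]
keyusage=2.5.29.15,n,m,BitString,1
"""

if __name__ == "__main__":  # report on the constructed sample
    spec = parse_certspec(SAMPLE_CERTSPEC)
    print({s: cdps_allowed(spec, s) for s in ("cacert_default Advanced", "xcert_default Advanced")})
    print(check_spoc_tls_type(spec, "ent_spoc_tls_2kp", ID_KP_SERVER_AUTH) or "server type matches the guide")
```

Run the file as-is to report on the constructed sample, or read your exported master.certspec into a string, pass it to parse_certspec, and call cdps_allowed for each cross-certificate type you rely on and check_spoc_tls_type for ent_spoc_tls_2kp and ent_spoc_client_2kp. The sample deliberately leaves noCRLDistPoints=1 active under [xcert_default Advanced] so that the suppressed case is visible in the output; the type checks pass because the sample copies the definitions from step 4.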

To create a new certificate definition policy for the new certificate types
1 Log in to Security Manager Administration for the SPOC CA.
2 In the tree view, expand Security Policy > User Policies.

3 Select Dual Usage Policy and then select Policies > User Policies > Selected User
Policy > Copy.
The Copy User Policy dialog box appears.
4 In the Label field, enter SPOC Dual Usage.
5 In the Common name field, enter SPOC Dual Usage.
6 In the Add to drop-down list, select the searchbase where you want to store the
user policy.
7 Click OK.
8 Under Policy Attributes:
• Deselect Back up private key.
• Ensure that Generate key at client is selected.
• Ensure that Key usage policy is set to both.
9 Click Apply.
10 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
11 Assign this new user policy to the ePassport - SPOC TLS Server 2-Key-Pair User
certificate type that you created in the previous step:
a In the tree view, expand Security Policy > Certificate Categories > Enterprise
> Certificate Types > ePassport - SPOC TLS Server 2-Key-Pair User
(2-Key-Pair user for SPOC TLS Server).
Note that the certificate type has two key pairs:
– Dual Usage, used to terminate the TLS connection
– Verification, used to authenticate PKIX-CMP communication with Security
Manager as part of periodic renewal and management of the SPOC Server
certificates
You must assign the new policy SPOC Dual Usage Policy to the Dual Usage
certificate definition. Leave the Verification certificate definition without a
certificate definition policy.
b Under ePassport - SPOC TLS Server 2-Key-Pair User (2-Key-Pair user for
SPOC TLS Server), select the Dual Usage certificate definition.
c In the Certificate definition policy drop-down list, select SPOC Dual Usage
Policy.
d Click Apply.
e If prompted, authorize the operation. The operation may require more than
one authorization. See the Security Manager Administration User Guide for
details.
12 Assign this new user policy to the ePassport - SPOC TLS Client 2-Key-Pair User
certificate type that you created in the previous step:

a In the tree view, expand Security Policy > Certificate Categories > Enterprise
> Certificate Types > ePassport - SPOC TLS Client 2-Key-Pair User
(2-Key-Pair user for SPOC TLS Client).
Note that the certificate type has two key pairs:
– Dual Usage, used to terminate the TLS connection
– Verification, used to authenticate PKIX-CMP communication with Security
Manager as part of periodic renewal and management of the SPOC Client
certificates
You must assign the new policy SPOC Dual Usage Policy to the Dual Usage
certificate definition. Leave the Verification certificate definition without a
certificate definition policy.
b Under ePassport - SPOC TLS Client 2-Key-Pair User (2-Key-Pair user for
SPOC TLS Client), select the Dual Usage certificate definition.
c In the Certificate definition policy drop-down list, select SPOC Dual Usage
Policy.
d Click Apply.
e If prompted, authorize the operation. The operation may require more than
one authorization. See the Security Manager Administration User Guide for
details.

Creating SPOC Server credentials
Before installing Administration Services, create a Security Manager profile for the
SPOC Server. The SPOC Server profile receives requests from foreign SPOCs. You can
create a SPOC Server profile with Security Manager Administration.
For details about creating SPOC Server profiles, see the following topics:
• “Creating a user entry for a SPOC Server profile” on page 1169
• “Creating a SPOC Server profile” on page 1171
• “Updating SPOC Server profile keys” on page 1171

Creating a user entry for a SPOC Server profile


You must create a user entry in Security Manager for the SPOC Server profile. You
can use Security Manager Administration to create a user entry for the SPOC Server
profile.
For more information about creating users with Security Manager Administration, see
the Security Manager Administration User Guide.

To create a user entry for the SPOC Server profile using Security Manager
Administration
1 Log in to Security Manager Administration for the SPOC CA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
d Ensure that the Create profile check box is not checked.
4 Click the General tab.
5 From the Role drop-down list, select SPOC Role.

6 Select the Certificate Info tab, and then complete the following:
a In the Category drop-down list, select Enterprise.
b Under Certificate Type:
– If you will store the profile on software, select ePassport - SPOC Server.
– If you will store the profile on hardware, select ePassport - SPOC TLS
Server 2-Key-Pair User. This is the certificate type you created for the SPOC
Server profile in “Creating new certificate types for SPOC profiles that will
be stored on hardware” on page 1165.
7 Click OK.
8 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
The Operation Completed Successfully message appears, which displays the
Reference number and Authorization code.
Record these activation codes in a secure manner, as you will require them later
to create and activate the user’s Entrust digital ID.
For more details on how the Reference number and Authorization code are used,
see the Security Manager Administration User Guide.
9 You must add the host name of the server hosting the Administration Services
application server to the user entry:
a In the right pane, select the user you just created and then select Users >
Selected User > Properties.
b Click the SubjectAltName tab.
c Click Add.
The Add subjectAltName component dialog box appears.
d In the Select component name list, select DNS Name.
e In the Enter component value field, enter the Fully Qualified Domain Name
(FQDN) of the server hosting the Administration Services application server
(for example, appserver.example.com).
f Click OK to add the DNS name and close the Add subjectAltName
component dialog box.
g Click OK to save the changes.
h If prompted, authorize the operation. The operation may require more than
one authorization. See the Security Manager Administration User Guide for
details.
You have now created the user entry for the SPOC Server profile. Proceed to
“Creating a SPOC Server profile” on page 1171.

Creating a SPOC Server profile
You can store the SPOC Server profile on software (as an EPF file) or on a hardware
security module. You can use one of the following applications to create the SPOC
Server profile:
• Profile Creation Utility
The Profile Creation Utility can create the profile on software or hardware.
For instructions, see the Administration Services Installation Guide.
• Security Manager Administration
When using Security Manager Administration to create the profile, you must
create the profile on software. For instructions, see the following procedure.

To create a SPOC Server profile using Security Manager Administration


1 Create a user entry for the SPOC Server profile (see “Creating a user entry for a
SPOC Server profile” on page 1169).
2 In the right pane, select the user entry you just created and then select Users >
Selected User > Create Profile.
The Create profile dialog box appears.
3 Click Create desktop profile.
4 In the Name field, enter the file name for the SPOC Server profile. Security
Manager Administration will append the .epf extension to the file name.
5 Click Browse to select the folder where you want to save the SPOC Server profile.
6 In the Password and Confirm fields, enter a password for the SPOC Server
profile.
7 Click OK.
You can now use this SPOC Server profile with Administration Services. You need the
SPOC Server profile, the profile password, and the profile location when you install
Administration Services.

Updating SPOC Server profile keys


Copying profiles to other servers is not recommended; every copy of an EPF file is
another copy of the SPOC Server private key that must be protected. If you do copy a
profile, and the profile keys are updated at one server, copy the updated profile file
to each server.
Keys are updated only when Administration Services starts up. You may have to
schedule periodic server restarts with a frequency that corresponds to the
configured certificate lifetime.

Creating SPOC Client credentials
Before installing Administration Services, create a Security Manager profile for the
SPOC Client. The SPOC Client profile sends requests to foreign SPOCs.
For details about creating SPOC Client profiles, see the following topics:
• “Creating a user entry for a SPOC Client profile” on page 1172
• “Creating a SPOC Client profile” on page 1173
• “Updating SPOC Client profile keys” on page 1174

Creating a user entry for a SPOC Client profile


You must create a user entry in Security Manager for the SPOC Client profile. You can
use Security Manager Administration to create a user entry for the SPOC Client
profile.
For more information about creating users with Security Manager Administration, see
the Security Manager Administration User Guide.

To create a user entry for the SPOC Client profile using Security Manager
Administration
1 Log in to Security Manager Administration for the SPOC CA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
d Ensure that the Create profile check box is not checked.
4 Click the General tab.
5 From the Role drop-down list, select SPOC Role.
6 Select the Certificate Info tab, and then complete the following:

a In the Category drop-down list, select Enterprise.
b Under Certificate Type:
– If you will store the profile on software, select ePassport - SPOC Client.
– If you will store the profile on hardware, select ePassport - SPOC TLS
Client 2-Key-Pair User. This is the certificate type you created for the SPOC
Client profile in “Creating new certificate types for SPOC profiles that will
be stored on hardware” on page 1165.
7 Click OK.
8 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
The Operation Completed Successfully message appears, which displays the
Reference number and Authorization code. Record these activation codes in a
secure manner, as you will require them later to create and activate the user’s
Entrust digital ID.
You have now created the user entry for the SPOC Client profile. Proceed to
“Creating a SPOC Client profile” on page 1173.

Creating a SPOC Client profile


You can store the SPOC Client profile on software (as an EPF file) or on a hardware
security module. You can use one of the following applications to create the SPOC
Client profile:
• Profile Creation Utility
The Profile Creation Utility can create the profile on software or hardware.
For instructions, see the Administration Services Installation Guide.
• Security Manager Administration
When using Security Manager Administration to create the profile, you must
create the profile on software. For instructions, see the following procedure.

To create a SPOC Client profile using Security Manager Administration


1 Create a user entry for the SPOC Client profile (see “Creating a user entry for a
SPOC Client profile” on page 1172).
2 In the right pane, select the user entry you just created and then select Users >
Selected User > Create Profile.
The Create profile dialog box appears.
3 Click Create desktop profile.
4 In the Name field, enter the file name for the SPOC Client profile. Security
Manager Administration will append the .epf extension to the file name.
5 Click Browse to select a folder where you want to save the SPOC Client profile.

6 In the Password and Confirm fields, enter a password for the SPOC Client profile.
7 Click OK.
You can now use this SPOC Client profile with Administration Services. You need the
SPOC Client profile, the profile password, and the profile location when you install
Administration Services.

Updating SPOC Client profile keys


It is not recommended that you copy profiles to other servers. If you do copy a profile,
and the profile keys are updated at one server, copy the updated profile file to each
server.
Keys are updated only on Administration Services start up. You may have to schedule
server restarts periodically with a frequency that corresponds to the configured
certificate lifetime.

Checking the entrust.ini file
Obtain a copy of the entrust.ini file, SPOC Server profile, and SPOC Web Server
client profile from a SPOC CA administrator.
Copy the entrust.ini file and the profiles to each machine hosting the SPOC
services. Note the location of these files. You will enter the path to these files when
you install Administration Services.
Complete the following instructions to ensure the entrust.ini file is properly copied
and configured for Administration Services.

To check the entrust.ini file settings


1 Open the entrust.ini file in a text editor.
2 Ensure that the file contains the following lines:
• Server=<directory_machine>+<port>
Where:
– <directory_machine> is the IPv4 address or DNS name of the machine
hosting the directory.
– <port> is the LDAP port. The default port is 389.
For example:
Server=ldap.example.com+389
• Authority=<Security_Manager_machine>+<port>
Where:
– <Security_Manager_machine> is the IPv4 address or DNS name of the
machine hosting Security Manager.
– <port> is the PKIX-CMP port used by Security Manager. The default port
is 829.
For example:
Authority=securitymanager.example.com+829
• XAP=<XAP_server>+<port>
Where:
– <XAP_server> is the IPv4 address or DNS name of the XAP server.
– <port> is the port used by the XAP server. The default port is 443 or 1443.
For example:
XAP=securitymanager.example.com+1443
• CA Distinguished Name=<DN_of_CA>
Where <DN_of_CA> is the distinguished name of the Certification Authority.
For example:

CA Distinguished Name=ou=CA Entry,o=Example,c=US
• SearchBase=<DN_of_searchbase>
Where <DN_of_searchbase> is the distinguished name of the default
searchbase. For example:
SearchBase=ou=CA Entry,o=Example,c=US
3 If you are using a PKCS#11 v2 hardware device, ensure that the file contains the
following line in the [Entrust Settings] section:
CryptokiV2LibraryNT=<pkcs11_library_path>
Where <pkcs11_library_path> is the full path to the location of the PKCS#11
library. For example:
CryptokiV2LibraryNT=C:\Program Files\vendor1\device1.dll
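As an added check written for this guide (example code, not an Entrust tool), the following Python script parses an entrust.ini file and verifies the settings the procedure above lists: the three <host>+<port> entries against the documented default ports, the two distinguished names, and, for PKCS#11 deployments, the CryptokiV2LibraryNT path in the [Entrust Settings] section. The two sample files are constructed for the example; the hostname pattern and the Windows drive-letter check are the author's own assumptions about what a valid value looks like.

```python
import ipaddress
import re

# Settings the guide requires, grouped by the form of their value.
HOST_PORT_KEYS = ("Server", "Authority", "XAP")
DN_KEYS = ("CA Distinguished Name", "SearchBase")
DEFAULT_PORTS = {"Server": (389,), "Authority": (829,), "XAP": (443, 1443)}
PKCS11_KEY = "CryptokiV2LibraryNT"          # must sit in [Entrust Settings]
# Assumed shape of a DNS name: dot-separated labels of letters, digits, hyphens.
HOSTNAME_RE = re.compile(r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
                         r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_entrust_ini(text):
    """Parse INI text into {section: {key: value}}, splitting on the first '='
    only (values such as distinguished names contain '=') and keeping key case."""
    sections, current = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def split_host_port(value):
    """Split the guide's <host>+<port> form; raise ValueError when malformed."""
    host, sep, port = value.rpartition("+")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"expected <host>+<port>, got {value!r}")
    port_num = int(port)
    if not 1 <= port_num <= 65535:
        raise ValueError(f"port {port_num} is out of range in {value!r}")
    try:
        ipaddress.IPv4Address(host)           # numeric form is fine as-is
    except ipaddress.AddressValueError:
        if not HOSTNAME_RE.match(host):       # otherwise it must be a DNS name
            raise ValueError(f"{host!r} is neither an IPv4 address nor a DNS name")
    return host, port_num


def check_entrust_ini(text, require_pkcs11=False):
    """Return a list of 'ERROR ...'/'WARN ...' findings; empty means the file passes."""
    sections = parse_entrust_ini(text)
    flat = {k: v for values in sections.values() for k, v in values.items()}
    findings = []
    for key in HOST_PORT_KEYS:
        if key not in flat:
            findings.append(f"ERROR {key}: setting is missing")
            continue
        try:
            _, port = split_host_port(flat[key])
        except ValueError as exc:
            findings.append(f"ERROR {key}: {exc}")
            continue
        if port not in DEFAULT_PORTS[key]:   # not wrong, but worth a second look
            findings.append(f"WARN {key}: port {port} is not a default {DEFAULT_PORTS[key]}")
    for key in DN_KEYS:
        if key not in flat:
            findings.append(f"ERROR {key}: setting is missing")
        elif not all("=" in rdn for rdn in flat[key].split(",")):
            findings.append(f"ERROR {key}: {flat[key]!r} is not a distinguished name")
    if require_pkcs11:
        path = sections.get("Entrust Settings", {}).get(PKCS11_KEY, "")
        if not path:
            findings.append(f"ERROR {PKCS11_KEY}: missing from [Entrust Settings]")
        elif not re.match(r"^[A-Za-z]:\\", path):   # assumed: full path starts with a drive letter
            findings.append(f"ERROR {PKCS11_KEY}: {path!r} is not a full Windows path")
    return findings


# Constructed sample using the values shown in the guide.
GOOD_INI = r"""
[Entrust Settings]
Server=ldap.example.com+389
Authority=securitymanager.example.com+829
XAP=securitymanager.example.com+1443
CA Distinguished Name=ou=CA Entry,o=Example,c=US
SearchBase=ou=CA Entry,o=Example,c=US
CryptokiV2LibraryNT=C:\Program Files\vendor1\device1.dll
"""

# Constructed sample with three mistakes: ':' instead of '+', a port out of
# range, and no SearchBase line at all.
BAD_INI = r"""
[Entrust Settings]
Server=ldap.example.com:389
Authority=securitymanager.example.com+829
XAP=securitymanager.example.com+99999
CA Distinguished Name=ou=CA Entry,o=Example,c=US
"""
```

To check a real copy, read the file into a string and call check_entrust_ini(text, require_pkcs11=True) on each machine hosting the SPOC services; an empty result means the keys the installer will read are present and well formed, and a WARN on a non-default port only asks you to confirm it matches what Security Manager, the directory and the XAP server actually listen on.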

Obtaining files from the CVCA for SPOC
When installing Administration Services for SPOC, the Administration Services
installer will prompt you for files provided from your domestic CVCA. Obtain the
following files from a CVCA administrator:
• if the CVCA is online, entrust.ini file
It is recommended that you rename this file to cvca_entrust.ini to avoid
confusing it with the entrust.ini file provided from the SPOC CA.
• if the CVCA is online, the SPOC Domestic Web Service profile
For information about creating the SPOC Domestic Web Service profile at
the CVCA, see “Creating SPOC Domestic Web Service credentials” on
page 921. The SPOC Domestic Web Service profile can be an EPF file stored
on the local file system or on a hardware device.
• if the CVCA is offline, the entire chain of CVCA certificates
For information about exporting the CVCA certificates, see “Exporting
domestic CVCA certificates” on page 1020. The CVCA cannot be offline if
you install CVCA Administration or any X.509 service.

Installing the SPOC services
This section describes how to install the SPOC services on supported Windows
operating systems. The SPOC services are supported only on Windows.
When installing Administration Services, you can install both the Web server
components and application server components on a single server, or you can install
the components on separate servers.
• Installing Administration Services on a single server installs both the Web
server components and application server components on the same server.
It is strongly recommended that you do not install Administration Services on
a single server in a production environment, especially if your deployment is
exposed to the Internet. You should only install Administration Services on a
single server for testing purposes.
• Installing Administration Services on separate servers allows you to install the
application server components on one server, and the Web server
components on the server hosting your Web server.
Installing the components on separate servers is more secure than installing
them on the same server. When installing the components on separate
servers, you must select the same services for each server. Note that some
services do not have Web server components.
When you add service instances, you will install the same components (Web server
components, application server components, or both) as you installed on the server
previously. If you install services on separate servers, add the same instances to both
servers. Note that some services do not have Web server components.
The SPOC services consist of only application server components.

Note:
If CVCA Administration or any non-ePassport service is already installed, the
CVCA must be an online CVCA.

To install SPOC application server components on Windows


1 Install Administration Services 9.3. See the Administration Services 9.3
Installation Guide for instructions. When installing Administration Services:
a Select the Distributed installation type to install the application server
components and Web server components on separate servers.
b Select Application Server to install the application server components.
2 Configure Administration Services for the first time. See the Administration
Services 9.3 Installation Guide for instructions.

3 If Administration Services is already installed, stop the Administration Services
application server (Apache Tomcat).
4 Double-click the Administration Services installer.
5 The Administration Services Installer - Configuration page appears.
Click Next to continue.
6 The Configured Services page appears.
This page lists all configured services (if any). Click Next to add a new service.
7 If you have not yet configured centralized configuration, the Centralized
Configuration Settings page appears.
a Click Do Not Install Centralized Configuration. The ePassport services do
not use centralized configuration.
b Click Next.
8 The Select Services To Configure page appears.
a Select ePassport Services.
b Select Extended Access Control (EAC).
c Select Country Verifying Certification Authority (CVCA).
d Select Single Point of Contact (SPOC).
e Click Next to continue.
9 The Tomcat SSL/TLS Port Numbers for SPOC Services page appears.
a In the SSL/TLS Port for SPOC Web Service field, enter the SSL port number
for the SPOC Web Service (by default 443 or 7443).
This is the port that foreign SPOCs will use to access your SPOC Web Service.
b In the SSL/TLS Port for SPOC Domestic CVCA Web Service field, enter the
SSL port number for the SPOC Domestic Web Service (by default 6443).
c In the SSL/TLS Port for SPOC Administration Web Service field, enter the
SSL port number for SPOC Administration (by default 8443).
d Click Next.
10 If CVCA Administration or any non-ePassport service has not been installed, the
CVCA page appears.
a If your CVCA is online, select CVCA is online.
b If your CVCA is offline:
– Select CVCA is offline.
– In the Enter the Location of your CVCA Certificate File Name field, enter
the full path and file name of the root CVCA certificate file, or click Choose
to locate and select the file.

Note:
You may have obtained an entire chain of CVCA certificates from your domestic
CVCA. The instructions for adding additional domestic CVCA certificates to
SPOC are included at the end of this procedure.

c Click Next.
If the CVCA is offline, proceed to Step 15 on page 1189.
11 If the CVCA is online, the SPOC Domestic CVCA Entrust_ini Location page
appears.
a In the text field, enter the full path and file name of the entrust.ini file
you obtained from your domestic CVCA, or click Choose to locate the file.
b Click Next.
12 If the CVCA entrust.ini file includes a setting specifying the full path to a valid
PKCS#11 library, the Select SPOC Domestic CVCA Web Service Profile Type
page appears.
a Select one of the following options:
– If the SPOC Domestic Web Service profile is an EPF file stored on the local
file system, select Software Profile.
– If the SPOC Domestic Web Service profile is stored on hardware, select
Hardware Token.
b Click Next.
13 If the SPOC Domestic Web Service profile is a software profile, the SPOC
Domestic CVCA Web Service Profile page appears.
a In the Enter the location of the SPOC Domestic CVCA Profile field, click
Choose to locate and select the SPOC Domestic Web Service profile (EPF
file).
b In the Enter the Password to login to your SPOC Domestic CVCA Profile
field, enter the password for the EPF file.
c Click Next.
14 If the SPOC Domestic Web Service profile is a hardware profile, the SPOC
Domestic CVCA Web Service Hardware Token Profile page appears.
a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the SPOC Domestic Web Service profile.
b In the Enter the Password to login to your SPOC Domestic CVCA Profile
field, enter the password for the profile.
c Click Next.
15 The SPOC Entrust.ini Location page appears.
a In the text field, enter the full path and file name of the entrust.ini file
you obtained from your SPOC CA, or click Choose to locate the file.
b Click Next.
16 If the SPOC entrust.ini file includes a setting specifying the full path to a valid
PKCS#11 library, the Select SPOC Web Service Profile Type page appears.
a Select one of the following options:
– If the SPOC Server profile is an EPF file stored on the local file system, select
Software Profile.
– If the SPOC Server profile is stored on hardware, select Hardware Token.
b Click Next.
17 If the SPOC Server profile is a software profile, the SPOC Web Service Profile
page appears.
a In the Enter the location of the SPOC Profile field, click Choose to locate and
select the SPOC Server profile (EPF file).
b In the Enter the Password to login to your SPOC Profile field, enter the
password for the EPF file.
c Click Next.
18 If the SPOC Server profile is a hardware profile, the SPOC Web Service Hardware
Token Profile page appears.
a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the SPOC Server profile.
b In the Enter the Password to login to your SPOC Profile field, enter the
password for the profile.
c Click Next.
19 If the SPOC entrust.ini file includes a setting specifying the full path to a valid
PKCS#11 library, the Select SPOC Client Web Service Profile Type page appears.
a Select one of the following options:
– If the SPOC Client profile is an EPF file stored on the local file system, select
Software Profile.
– If the SPOC Client profile is stored on hardware, select Hardware Token.
b Click Next.
20 If the SPOC Client profile is a software profile, the SPOC Client Web Service
Profile page appears.
a In the Enter the location of the SPOC Client Profile field, click Choose to
locate and select the SPOC Client profile (EPF file).
b In the Enter the Password to login to your SPOC Client Profile field, enter
the password for the EPF file.
c Click Next.
21 If the SPOC Client profile is a hardware profile, the SPOC Client Web Service
Hardware Token Profile page appears.
a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the SPOC Client profile.
b In the Enter the Password to login to your SPOC Client Profile field, enter
the password for the profile.
c Click Next.
22 The SPOC Configuration page appears with a summary of your installation
selections.
a Check all your settings.
If you need to change anything, click Previous to return to that page and
make your changes.
b Select Configure to configure the service instance.
c Click Next to proceed with the installation.
23 After the installation is complete, the SPOC Configuration Status page appears.
a If the installation is unsuccessful, a dialog box displays errors. See the
Administration Services Configuration Guide for possible solutions, or
contact Entrust Customer Support.
b Click Next.
24 The Configuration Complete page appears.
a Select one of the following options:
– If you are finished adding services, select End Configuration Program.
– If you want to add additional services, select Return to Configure Services.
b Click Next.
25 The Start The Service Automatically page appears.
a To use the service you just installed, you must restart the Administration
Services application server.
– To start the service automatically after exiting the installer, select Start the
service automatically. By default, this option is already selected.
– To not start the service after exiting the installer, deselect Start the service
automatically. You must manually restart Administration Services to use the
new service.
b Click Next.
26 If your domestic CVCA is offline and you obtained an entire chain of CVCA
certificates:
a Save the CVCA certificates you obtained from your domestic CVCA to the
following location:
<AS-install>\services\spoc\spoc\domestic-cvca-certs
b Restart Administration Services.
The URL to the SPOC WSDL (Web Service Definition Language) file is
https://<host_name>:<port>/spoc/wsdl/spoc.wsdl, where:
• <host_name> is the fully qualified host name of the server hosting the SPOC
services.

• <port> is the Tomcat SSL port for SPOC Administration (by default 8443).
Foreign SPOC administrators need the URL to the SPOC WSDL file to add your SPOC
to their foreign SPOC.
The SPOC Domestic Web Service URL is
https://<FQDN>:<port>/spoc/services/CvcaService, where:
• <FQDN> is the fully qualified domain name of the server hosting the SPOC
Domestic Web Service.
• <port> is the secure port that the SPOC Domestic Web Service listens on,
typically 9443.
Domestic DV administrators need the SPOC Domestic Web Service URL if they will
install the DVCKM. The DVCKM uses the SPOC Domestic Web Service to connect to
the SPOC and exchange certificates.
You can find the URLs to all installed services in the <AS-install>/services.txt
file.

Configuring SPOC Client authentication to a
directory without anonymous access
The following procedure explains how to configure the SPOC Client profile to
authenticate to the Security Manager directory when anonymous access is disabled.
The Java Naming and Directory Interface (JNDI) credentials are used for accessing the
Security Manager directory when anonymous bind is not available (for example, the
default setting in Active Directory). When anonymous bind is not available, edit the
Security Manager Directory credentials in the spoc-config.xml files.

To configure directory access credentials


1 Log in to the Administration Services server hosting the application server
components.
2 Open the spoc-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\spoc\spoc\webapp\WEB-INF\config
3 Locate the <SpocTLSClientCredentials> section:
<!-- This is the SPOC client credentials -->
<SpocTLSClientCipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA</SpocTLSClientCipherSuite>
<SpocTLSClientCredentials>
<Epf>c:\authdata\manager\epf\SPOC Client.epf</Epf>
<Ual></Ual>
<Keystore></Keystore>
<Pkcs11Library></Pkcs11Library>
<Pkcs11Slot></Pkcs11Slot>
<EntrustIni>c:\authdata\manager\entrust.ini</EntrustIni>
<!-- Security Manager Directory credentials
- for environments where anonymous bind is not available (e.g.
default Active Directory)
These are the Java Naming and Directory Interface (JNDI)
credentials that are used for accessing the Security Manager
directory when anonymous bind is not available.
If any of these parameters are blank, then anonymous bind is
used. -->
<JndiAuthentication>simple</JndiAuthentication>
<JndiPrincipal></JndiPrincipal>
<!-- The JNDI credentials/password - initially entered in
plaintext.
When SPOC starts, the password will be encrypted and bound to
the hardware using the Unattended Login UAL capabilities of
the Entrust Java Toolkit and stored to a file. The plaintext
password in this configuration file will be replaced by the
phrase: "{Password protected by Entrust Unattended Login}".
Subsequent starts of SPOC will extract the password from the
previously created UAL file.
-->
<JndiCredentials></JndiCredentials>
</SpocTLSClientCredentials>
4 For the value of <JndiPrincipal>, enter the JNDI Principal that the SPOC Client
will use to connect to the directory. For example:
<JndiPrincipal>admin@example.com</JndiPrincipal>
A JNDI Principal is a directory user that can log in to the directory, typically a
directory administrator. Examples include DOMAIN\Administrator,
Administrator@example.com, and cn=Administrator,c=US.
5 For the value of <JndiCredentials>, enter the password for the JNDI Principal.
For example:
<JndiCredentials>Example@1234</JndiCredentials>
When you restart Administration Services, Administration Services will encrypt
the password in the UAL file. Administration Services will replace the password
in the spoc-config.xml file with the phrase “{Password protected by Entrust
Unattended Login}”.
6 Save and close the file.
7 Restart Administration Services.

Configuring SPOC Server authentication to a
directory without anonymous access
The following procedure explains how to configure the SPOC Server profile to
authenticate to the Security Manager directory when anonymous access is disabled.
The Java Naming and Directory Interface (JNDI) credentials are used for accessing the
Security Manager directory when anonymous bind is not available (for example, the
default setting in Active Directory). When anonymous bind is not available, edit the
Security Manager Directory credentials in the spoc-config.xml files.

To configure directory access credentials


1 Log in to the Administration Services server hosting the application server
components.
2 Open the spoc-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\spoc\spoc\webapp\WEB-INF\config
3 Locate the <SpocTLSServerCredentials> section:
<!-- This is the SPOC server credentials -->
<SpocTLSServerCredentials>
<Epf>c:\authdata\manager\epf\SPOC Server.epf</Epf>
<Ual></Ual>
<Keystore>c:\authdata\manager\epf\SPOC Server.ks</Keystore>
<Pkcs11Library></Pkcs11Library>
<Pkcs11Slot></Pkcs11Slot>
<EntrustIni>c:\authdata\manager\entrust.ini</EntrustIni>
<!-- Security Manager Directory credentials
- for environments where anonymous bind is not available (e.g.
default Active Directory)
These are the Java Naming and Directory Interface (JNDI)
credentials that are used for accessing the Security Manager
directory when anonymous bind is not available.
If any of these parameters are blank, then anonymous bind is
used. -->
<JndiAuthentication>simple</JndiAuthentication>
<JndiPrincipal></JndiPrincipal>
<!-- The JNDI credentials/password - initially entered in
plaintext.
When SPOC starts, the password will be encrypted and bound to
the hardware using the Unattended Login UAL capabilities of
the Entrust Java Toolkit and stored to a file. The plaintext
password in this configuration file will be replaced by the
phrase: "{Password protected by Entrust Unattended Login}".
Subsequent starts of SPOC will extract the password from the
previously created UAL file.
-->
<JndiCredentials></JndiCredentials>
</SpocTLSServerCredentials>
4 For the value of <JndiPrincipal>, enter the JNDI Principal that the SPOC Server
will use to connect to the directory. For example:
<JndiPrincipal>admin@example.com</JndiPrincipal>
A JNDI Principal is a directory user that can log in to the directory, typically a
directory administrator. Examples include DOMAIN\Administrator,
Administrator@example.com, and cn=Administrator,c=US.
5 For the value of <JndiCredentials>, enter the password for the JNDI Principal.
For example:
<JndiCredentials>Example@1234</JndiCredentials>
When you restart Administration Services, Administration Services will encrypt
the password in the UAL file. Administration Services will replace the password
in the spoc-config.xml file with the phrase “{Password protected by Entrust
Unattended Login}”.
6 Save and close the file.
7 Restart Administration Services.

Configuring SPOC Domestic Web Service
authentication to a directory without
anonymous access
The following procedure explains how to configure the SPOC Domestic Web Service
profile to authenticate to the Security Manager directory when anonymous access is
disabled.
The Java Naming and Directory Interface (JNDI) credentials are used for accessing the
Security Manager directory when anonymous bind is not available (for example, the
default setting in Active Directory). When anonymous bind is not available, edit the
Security Manager Directory credentials in the spoc-config.xml files.

To configure directory access credentials


1 Log in to the Administration Services server hosting the application server
components.
2 Open the spoc-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\spoc\spoc\webapp\WEB-INF\config
3 Locate the <EntrustCredentials> section:
<!-- This is the CVCA XAP credentials -->
<EntrustCredentials>
<Epf>c:\authdata\manager\epf\SPOC Domestic.epf</Epf>
<Ual></Ual>
<Keystore></Keystore>
<Pkcs11Library></Pkcs11Library>
<Pkcs11Slot></Pkcs11Slot>
<EntrustIni>c:\authdata\manager\entrust.ini</EntrustIni>
<!-- Security Manager Directory credentials
- for environments where anonymous bind is not available (e.g.
default Active Directory)
These are the Java Naming and Directory Interface (JNDI)
credentials that are used for accessing the Security Manager
directory when anonymous bind is not available.
If any of these parameters are blank, then anonymous bind is
used. -->
<JndiAuthentication>simple</JndiAuthentication>
<JndiPrincipal></JndiPrincipal>
<!-- The JNDI credentials/password - initially entered in
plaintext.
When SPOC starts, the password will be encrypted and bound to
the hardware using the Unattended Login UAL capabilities of
the Entrust Java Toolkit and stored to a file. The plaintext
password in this configuration file will be replaced by the
phrase: "{Password protected by Entrust Unattended Login}".
Subsequent starts of SPOC will extract the password from the
previously created UAL file.
-->
<JndiCredentials></JndiCredentials>
</EntrustCredentials>
4 For the value of <JndiPrincipal>, enter the JNDI Principal that the SPOC
Domestic Web Service will use to connect to the directory. For example:
<JndiPrincipal>admin@example.com</JndiPrincipal>
A JNDI Principal is a directory user that can log in to the directory, typically a
directory administrator. Examples include DOMAIN\Administrator,
Administrator@example.com, and cn=Administrator,c=US.
5 For the value of <JndiCredentials>, enter the password for the JNDI Principal.
For example:
<JndiCredentials>Example@1234</JndiCredentials>
When you restart Administration Services, Administration Services will encrypt
the password in the UAL file. Administration Services will replace the password
in the spoc-config.xml file with the phrase “{Password protected by Entrust
Unattended Login}”.
6 Save and close the file.
7 Restart Administration Services.
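The three procedures above (SPOC Client, SPOC Server and SPOC Domestic Web Service) edit the same kind of credential section in spoc-config.xml, and they share one failure mode: the JNDI password is typed in plaintext and stays readable in the file until Administration Services restarts and replaces it with the Unattended Login placeholder. The following Python script is an added example written for this guide, not Entrust code, that audits a spoc-config.xml for that condition. For each of the three sections it reports whether the SPOC will bind anonymously (the guide states that any blank JNDI parameter means anonymous bind), bind as a named principal with the password already protected, or still carry a plaintext password. The sample XML is constructed from the fragments shown above; the <SpocConfig> root element is an assumption, because the guide shows only fragments of the file.

```python
import xml.etree.ElementTree as ET

# Phrase Administration Services writes over the plaintext password once it
# has been moved into the Unattended Login (UAL) file.
UAL_PLACEHOLDER = "{Password protected by Entrust Unattended Login}"

# The three credential sections the guide's procedures edit.
CREDENTIAL_SECTIONS = ("SpocTLSClientCredentials",
                       "SpocTLSServerCredentials",
                       "EntrustCredentials")
JNDI_FIELDS = ("JndiAuthentication", "JndiPrincipal", "JndiCredentials")


def classify(values):
    """Map the three JNDI values to the bind mode the SPOC will end up using."""
    if any(v == "" for v in values.values()):
        return "anonymous-bind"           # guide: any blank parameter => anonymous
    if values["JndiCredentials"] == UAL_PLACEHOLDER:
        return "simple-bind-protected"    # password already moved to the UAL file
    return "simple-bind-plaintext"        # password still readable in the file


def audit_jndi(xml_text):
    """Return {section: {"status", "principal", "authentication"}} for each section."""
    root = ET.fromstring(xml_text)        # comments are dropped by the default parser
    report = {}
    for name in CREDENTIAL_SECTIONS:
        section = root.find(f".//{name}")
        if section is None:
            report[name] = {"status": "missing-section", "principal": "", "authentication": ""}
            continue
        values = {f: (section.findtext(f) or "").strip() for f in JNDI_FIELDS}
        report[name] = {"status": classify(values),
                        "principal": values["JndiPrincipal"],
                        "authentication": values["JndiAuthentication"]}
    return report


def plaintext_sections(xml_text):
    """Names of the sections still holding a plaintext JNDI password."""
    return [n for n, r in audit_jndi(xml_text).items()
            if r["status"] == "simple-bind-plaintext"]


# Constructed sample: the Client section was just edited and the server not yet
# restarted, the Server section has been through a restart, and the Domestic
# Web Service section was left on anonymous bind. <SpocConfig> is assumed.
SAMPLE_CONFIG = r"""<SpocConfig>
  <!-- This is the SPOC client credentials -->
  <SpocTLSClientCredentials>
    <Epf>c:\authdata\manager\epf\SPOC Client.epf</Epf>
    <EntrustIni>c:\authdata\manager\entrust.ini</EntrustIni>
    <JndiAuthentication>simple</JndiAuthentication>
    <JndiPrincipal>admin@example.com</JndiPrincipal>
    <JndiCredentials>Example@1234</JndiCredentials>
  </SpocTLSClientCredentials>
  <!-- This is the SPOC server credentials -->
  <SpocTLSServerCredentials>
    <Epf>c:\authdata\manager\epf\SPOC Server.epf</Epf>
    <JndiAuthentication>simple</JndiAuthentication>
    <JndiPrincipal>cn=Administrator,c=US</JndiPrincipal>
    <JndiCredentials>{Password protected by Entrust Unattended Login}</JndiCredentials>
  </SpocTLSServerCredentials>
  <!-- This is the CVCA XAP credentials -->
  <EntrustCredentials>
    <Epf>c:\authdata\manager\epf\SPOC Domestic.epf</Epf>
    <JndiAuthentication>simple</JndiAuthentication>
    <JndiPrincipal></JndiPrincipal>
    <JndiCredentials></JndiCredentials>
  </EntrustCredentials>
</SpocConfig>
"""

if __name__ == "__main__":
    for section, result in audit_jndi(SAMPLE_CONFIG).items():
        print(f"{section:28} {result['status']:22} principal={result['principal'] or '-'}")
    print("plaintext passwords in:", plaintext_sections(SAMPLE_CONFIG) or "none")
```

Run audit_jndi on the file in <AS-install>\services\spoc\spoc\webapp\WEB-INF\config after the restart in step 7. A section still reported as simple-bind-plaintext at that point means the password was not moved into the UAL file, so the file holds a live directory credential: restrict who can read it, find out why the restart did not protect it, and change the directory password if the file may have been read in the meantime. A section reported as anonymous-bind while your directory refuses anonymous binds is the other thing to look for, since the SPOC will then fail to read the directory.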

Configuring SPOC administrators for PKCS #12
enrollment
To access the SPOC Administration interface, SPOC administrators must have a valid
client certificate installed in their Web browser.
Administration Services includes applications that allow users to create a PKCS #12
Security Store. A PKCS #12 Security Store is a digital ID stored in a PKCS #12 (P12)
file that is saved on a local disk. After creating the P12 file, administrators can then
import it into their Web browser and use it to log in to SPOC Administration.
To export the PKCS #12 file, administrators must have a client policy that allows PKCS
#12 export.

To configure SPOC administrators for PKCS #12 enrollment


1 Log in to Security Manager Administration.
2 In the tree view, expand Security Policy > User Policies.
3 Select SPOC Administrator Policy.
The SPOC Administrator Policy user policy is the client policy assigned to the
SPOC Administrator role, the role for SPOC administrators.
4 Under Policy Attributes:
a Select Allow PKCS#12 Export.
This setting allows users to export their digital ID to a PKCS #12 file.
b Select All Exportable.
This setting allows all private keys to be exported.
c (Optional.) Change the value of Minimum PKCS#12 Hash Count.
This setting specifies the minimum number of times that the user-supplied
password for the PKCS #12 file is hashed during export. You can enter a
value from 1 (very weak) to 10000 (very secure). The default value of
2000 is sufficient for most deployments.
5 Click Apply.
6 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.

Creating SPOC administrators
You must create a user entry in Security Manager for each SPOC administrator. You
can use Security Manager Administration or the User Management Service
(Administration Services) to create the user entry.
For more information about creating users with Security Manager Administration, see
the Security Manager Administration User Guide.
For more information about creating users with the User Management Service, see
the Administration Services User Administration Guide.
This section contains the following procedures:
• “To create a user entry for a SPOC administrator using Security Manager
Administration” on page 1208
• “To create a user entry for a SPOC administrator using the User
Management Service” on page 1210

To create a user entry for a SPOC administrator using Security Manager
Administration
1 Log in to Security Manager Administration for the SPOC CA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
d Ensure that the Create profile check box is not checked.
4 Click the General tab.
5 From the Role drop-down list, select SPOC Administrator.
To create the SPOC administrator credentials as a PKCS #12 security store, the
client policy (user policy) assigned to the role must allow PKCS #12 export. For
details, see “Configuring SPOC administrators for PKCS #12 enrollment” on
page 1207.
6 Select the Certificate Info tab, and then complete the following:
a In the Category drop-down list, select Enterprise.
b Under Certificate Type, select ePassport - SPOC Administrator.
7 Click OK.
8 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
The Operation Completed Successfully message appears, which displays the
Reference number and Authorization code.
Record these activation codes in a secure manner, as they are required later to
create and activate the user’s Entrust digital ID.
For more details on how the Registration number and Authorization codes are
used, see the Security Manager Administration User Guide.
You have created a user entry for a SPOC administrator. The SPOC administrator
must have a valid client certificate to access the SPOC Administration interface.
Securely send the activation codes to the administrator.
SPOC administrators can create their client certificate using the following
applications:
• User Management Service (UMS)
If PKCS #12 enrollment is enabled and configured properly in Administration
Services, administrators can use UMS to create a PKCS #12 digital ID. The
administrators can then import the digital ID into their Web browser and use
it to log in to SPOC Administration.
If SCEP enrollment is enabled and configured properly in Administration
Services, administrators can use UMS to obtain a digital ID using SCEP
(Simple Certificate Enrollment Protocol). SCEP enrollment is intended for
Apple devices, such as Macintosh computers. After obtaining the digital ID,
the digital ID is installed in the keychain, and administrators can use the
digital ID to log in to SPOC Administration.
• User Registration Service (URS)
If PKCS #12 enrollment is enabled and configured properly in Administration
Services, administrators can use URS to create a PKCS #12 digital ID. The
administrators can then import the digital ID into their Web browser and use
it to log in to SPOC Administration.
If SCEP enrollment is enabled and configured properly in Administration
Services, administrators can use URS to obtain a digital ID using SCEP (Simple
Certificate Enrollment Protocol). SCEP enrollment is intended for Apple
devices, such as Macintosh computers. After obtaining the digital ID, the
digital ID is installed in the keychain, and administrators can use the digital
ID to log in to SPOC Administration.
• Profile Creation Utility
SPOC administrators can use the Profile Creation Utility to generate a PKCS
#12 digital ID. The administrators can then import the digital ID into their
Web browser and use it to log in to SPOC Administration.
• Entrust Entelligence Security Provider for Windows
SPOC administrators can use Security Provider for Windows to generate a
digital ID. Security Provider for Windows can synchronize the administrator’s
certificates with the Microsoft Cryptographic API (CAPI) security store. Web
browsers that support CAPI can then use the digital ID.

To create a user entry for a SPOC administrator using the User Management Service
1 Log in to the User Management Service for the SPOC CA.
2 Click the Accounts tab.
3 Click the Create Account tab.
4 In the User Type drop-down list, select a user type.
User types determine which attributes and object classes are included in the user’s
distinguished name.
5 In the Certificate Type drop-down list, select Enterprise - ePassport - SPOC
Administrator.
6 In the available text fields, enter the name that will become the common name
of the user entry. An asterisk (*) appears beside required fields. You must enter
information into all fields marked with asterisks.
7 From the Role drop-down list, select SPOC Administrator.
To create the SPOC administrator credentials as a PKCS #12 security store, the
client policy (user policy) assigned to the role must allow PKCS #12 export. For
details, see “Configuring SPOC administrators for PKCS #12 enrollment” on
page 1207.
8 Complete the rest of the information as required. See the Administration Services
User Administration Guide for more information.
9 Click Submit.
The information is sent to Security Manager. Security Manager returns activation
codes (reference number and authorization code) and displays them in the
Account Details page.
Record these activation codes in a secure manner, as they are required later to
create and activate the user’s Entrust digital ID.

For more details about how the Registration number and Authorization codes are
used, see the Security Manager Administration User Guide.
You have created a user entry for a SPOC administrator. The SPOC administrator
must have a valid client certificate to access the SPOC Administration interface.
Securely send the activation codes to the administrator.
SPOC administrators can create their client certificate using the following
applications:
• User Management Service (UMS)
If PKCS #12 enrollment is enabled and configured properly in Administration
Services, administrators can use UMS to create a PKCS #12 digital ID. The
administrators can then import the digital ID into their Web browser and use
it to log in to SPOC Administration.
If SCEP enrollment is enabled and configured properly in Administration
Services, administrators can use UMS to obtain a digital ID using SCEP
(Simple Certificate Enrollment Protocol). SCEP enrollment is intended for
Apple devices, such as Macintosh computers. After obtaining the digital ID,
the digital ID is installed in the keychain, and administrators can use the
digital ID to log in to SPOC Administration.
• User Registration Service (URS)
If PKCS #12 enrollment is enabled and configured properly in Administration
Services, administrators can use URS to create a PKCS #12 digital ID. The
administrators can then import the digital ID into their Web browser and use
it to log in to SPOC Administration.
If SCEP enrollment is enabled and configured properly in Administration
Services, administrators can use URS to obtain a digital ID using SCEP (Simple
Certificate Enrollment Protocol). SCEP enrollment is intended for Apple
devices, such as Macintosh computers. After obtaining the digital ID, the
digital ID is installed in the keychain, and administrators can use the digital
ID to log in to SPOC Administration.
• Profile Creation Utility
SPOC administrators can use the Profile Creation Utility to generate a PKCS
#12 digital ID. The administrators can then import the digital ID into their
Web browser and use it to log in to SPOC Administration.
• Entrust Entelligence Security Provider for Windows
SPOC administrators can use Security Provider for Windows to generate a
digital ID. Security Provider for Windows can synchronize the administrator’s
certificates with the Microsoft Cryptographic API (CAPI) security store. Web
browsers that support CAPI can then use the digital ID.

Testing the SPOC Services
After installing the SPOC services, you must ensure that all components were
installed properly and function correctly. To test the installation, open the SPOC
Administration login page in a Web browser.

To test SPOC Administration


1 Open a Web browser.
2 Enter the following URL in your Web browser:
https://<host_name>:<port>/spoc/admin
Where:
• <host_name> is the fully qualified host name of the server hosting the SPOC
services.
• <port> is the Tomcat SSL port for SPOC Administration (by default 8443).
For example:
https://appserver.example.com:8443/spoc/admin
3 When prompted to select a user certificate, select a user certificate for a SPOC
administrator.
4 A security dialog may appear, prompting you to allow the application to access
the private key.

Note:
The security dialog box may appear behind the browser window. Click the dialog
box’s window icon in the taskbar to bring the dialog box to the front.

Click Allow to allow SPOC Administration to access the private key.


If everything is installed correctly and the browser certificate is valid, the SPOC
Administration interface appears.

42 Configuring the SPOC services

Entrust Authority Administration Services provides Web-based administration
applications that interact with Entrust Authority Security Manager to manage Card
Verifiable certificates.
This chapter describes how to configure various components and features of
Administration Services. For more information about configuring Administration
Services, see the Administration Services Configuration Guide.
This chapter includes the following sections:
• “Configuring SPOC services logs” on page 1214
• “Configuring the XAP connection settings for the SPOC services” on
page 1216
• “Configuring the SPOC message threads” on page 1218
• “Configuring the HTTP header for client certificates” on page 1220
• “Restricting SPOC service ports to the applicable service URLs” on
page 1221

Configuring SPOC services logs
The SPOC services—SPOC Administration, SPOC Web Service, and SPOC Domestic
Web Service—share a log file. This log file contains messages related to the operation
of the SPOC services.
Administration Services allows you to customize the SPOC services log file settings.
You can configure the following log settings:
• the log file name and location
• the level of messages recorded in the file
• the maximum size the log file can reach before a new log file is created
• the number of old log files to retain

To configure the SPOC logs


1 Log in to the Administration Services server hosting the application server
components.
2 Open the spoc-config.xml file in an XML editor. You can find the file in the
following folder:
<AS-install>\services\spoc\spoc\webapp\WEB-INF\config
3 In the <Logging> section, configure the settings described in Table 67.

Table 67: SPOC log settings

Setting Description
<Level> Sets the level of detail for the logs.
The logging level can be one of (in increasing severity) TRACE, DEBUG,
INFO, WARNING, ERROR, ALERT, or FATAL. This sets the lowest level of
message to show. For example, ERROR provides messages of ERROR,
ALERT and FATAL status.
Default: INFO
<FileName> Sets the name (including path) of the log file.
Default: <AS-install>\services\spoc\spoc\logs\spoc_spoc.log
<FileSize> Sets the maximum size of a log file, in bytes.
Default: 1000000
Do not set the value to 0, or Apache Tomcat will fail to start.
<Backups> Sets the maximum number of log files to keep. After the last log file
reaches the maximum size, the first log file is overwritten.
Default: 10

4 Save and close the file.
5 Restart Administration Services.

Configuring the XAP connection settings for the SPOC services
Communication between SPOC and Security Manager is through the XML
Administration Protocol (XAP) server, running as part of Security Manager.
Communication between these components is secured over HTTPS.
You can configure various XAP connection settings for SPOC. Configuring these
settings can help you troubleshoot or resolve connection issues between SPOC and
Security Manager.

To configure the XAP connection settings for SPOC


1 Log in to the Administration Services server hosting the application server
components.
2 Open the spoc-config.xml file in an XML or text editor. You can find the file in
the following location:
<AS-install>\services\spoc\spoc\webapp\WEB-INF\config
3 Locate the <XAPConnection> section:
<XAPConnection>
<Server>https://domain.example.com:443</Server>
<Connections>2</Connections>
<IdleTimeout>30</IdleTimeout>
<Debug>false</Debug>
<MaxConnections>50</MaxConnections>
<CacheTemplates>true</CacheTemplates>
<DefaultLanguage>en-us</DefaultLanguage>
</XAPConnection>
4 Configure the settings as described in Table 68.

Table 68: XAP connection settings for SPOC

Setting Description

<Server> An instance setting that sets the Uniform Resource Locator (URL)
address for the XAP Server. SPOC sends requests to this URL.
Note: This setting is defined during installation and should not be
changed.

<Connections> The initial number of connections that SPOC opens with the XAP
server when Administration Services starts. The number of
connections to the XAP server increases automatically up to the
maximum when the number of users concurrently using
Administration Services increases.
Default value: 2

<IdleTimeout> Specifies the length of time (in minutes) that SPOC allows a
connection with the XAP server to remain idle before closing it
and creating a new connection.
Default value: 30

<Debug> Controls whether SPOC writes SSL connection diagnostic
information to the stdout.log file of the Tomcat application
server. If true, SPOC writes SSL connection diagnostic
information to the stdout.log file.
Default value: false

<MaxConnections> The maximum number of connections SPOC opens with the XAP
Server. After reaching the maximum, connections are
automatically closed after use. Since new messages cannot be
sent to the XAP server until a connection is available, repeatedly
reaching this maximum may slow system performance.
Default value: 50

5 Save and close the file.
6 Restart Administration Services.

Configuring the SPOC message threads
The SPOC has two message threads that monitor inbound and outbound requests:
• The outgoing message thread monitors outbound requests that are not yet
in the Completed state and tries to advance their state.
For example, when a SPOC administrator generates an outbound request,
the outbound request starts in the New state. If the foreign SPOC is
unavailable, the outbound request stays in the New state. The outgoing
message thread will periodically attempt to send the outbound request to the
foreign SPOC until the foreign SPOC successfully receives the outbound
request. When the foreign SPOC receives the outbound request, the state
will change from New to Sent.
For more information about outbound request states, see “Viewing
outbound requests” on page 1249.
• The incoming message thread monitors inbound requests that are not yet in
the Completed state and tries to advance their state.
For example, when a Certificate Request inbound request is in the Queued
state, the inbound request stays in the Queued state until Security Manager
returns the requested certificate.
The incoming message thread will periodically poll Security Manager for the
certificate until Security Manager returns the certificate. When Security
Manager returns the certificate, the state will change from Queued to
Processed.
For more information about inbound request states, see “Viewing inbound
requests” on page 1258.
For each message thread, you can configure how often the thread checks for requests
not yet in the Completed state and tries to advance their state. By default, the
outgoing message thread checks for outbound requests every minute, and the
incoming message thread checks for inbound requests every five minutes.

To configure the SPOC message threads


1 Log in to the Administration Services server hosting the application server
components.
2 Open the spoc-config.xml file in an XML or text editor. You can find the file in
the following location:
<AS-install>\services\spoc\spoc\webapp\WEB-INF\config
3 Configure the settings described in Table 69 on page 1219.

Table 69: SPOC message thread settings

Setting Description

<OutgoingThreadTime> Controls how often (in minutes) the outgoing message thread
checks for outbound requests not yet in the Completed state and
tries to advance their state. For example:
<OutgoingThreadTime>1</OutgoingThreadTime>
A value of 5 indicates that the outgoing message thread checks the
outbound requests every five minutes. If you enter a value of 0, the
outgoing message thread continuously monitors the outbound requests.
Default: 1

<IncomingThreadTime> Controls how often (in minutes) the incoming message thread
checks for inbound requests not yet in the Completed state and
tries to advance their state. For example:
<IncomingThreadTime>5</IncomingThreadTime>
A value of 5 indicates that the incoming message thread checks the
inbound requests every five minutes. If you enter a value of 0, the
incoming message thread continuously monitors the inbound requests.
Default: 5

4 Save and close the file.
5 Restart Administration Services.
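The mistakes that Tables 67, 68 and 69 warn about (a <FileSize> of 0, an unknown <Level>, more initial connections than <MaxConnections>, a mistyped tag) are cheap to catch before restarting Administration Services. The following Python check is an added example, not Entrust code: it parses a spoc-config.xml and validates the <Logging>, <XAPConnection>, <OutgoingThreadTime> and <IncomingThreadTime> settings against the constraints the tables state. The element names are the ones from the tables; the enclosing <SpocConfig> root element and the placement of the thread settings are assumptions, and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Log levels from Table 67, in increasing severity.
LOG_LEVELS = ("TRACE", "DEBUG", "INFO", "WARNING", "ERROR", "ALERT", "FATAL")


def _text(root, path):
    """Stripped text of the first element matching path, or None if absent."""
    elem = root.find(path)
    if elem is None or elem.text is None:
        return None
    return elem.text.strip()


def _int_setting(root, path, findings, minimum, why=""):
    """Parse an integer setting; record a finding and return None when it is bad."""
    raw = _text(root, path)
    if raw is None or not raw.lstrip("-").isdigit():
        findings.append(f"{path}: missing or not an integer ({raw!r})")
        return None
    value = int(raw)
    if value < minimum:
        findings.append(f"{path}: {value} is below the minimum of {minimum}{why}")
        return None
    return value


def lint_spoc_config(xml_text):
    """Return a list of findings for a spoc-config.xml; an empty list means OK."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # An unclosed or mistyped tag is caught here, before Tomcat sees it.
        return [f"not well-formed XML: {exc}"]

    # Table 67: <Logging>
    level = _text(root, ".//Logging/Level")
    if level is None or level.upper() not in LOG_LEVELS:
        findings.append(f"Logging/Level: {level!r} is not one of {', '.join(LOG_LEVELS)}")
    _int_setting(root, ".//Logging/FileSize", findings, minimum=1,
                 why=" (a value of 0 stops Apache Tomcat from starting)")
    _int_setting(root, ".//Logging/Backups", findings, minimum=1)

    # Table 68: <XAPConnection>; the XAP link is secured over HTTPS.
    server = _text(root, ".//XAPConnection/Server")
    if server is None or not server.startswith("https://"):
        findings.append(f"XAPConnection/Server: {server!r} is not an https:// URL")
    conns = _int_setting(root, ".//XAPConnection/Connections", findings, minimum=1)
    max_conns = _int_setting(root, ".//XAPConnection/MaxConnections", findings, minimum=1)
    if conns is not None and max_conns is not None and conns > max_conns:
        findings.append(f"XAPConnection: Connections ({conns}) exceeds MaxConnections ({max_conns})")
    _int_setting(root, ".//XAPConnection/IdleTimeout", findings, minimum=1)
    if _text(root, ".//XAPConnection/Debug") not in ("true", "false"):
        findings.append("XAPConnection/Debug: must be 'true' or 'false'")

    # Table 69: thread intervals in minutes; 0 means continuous polling.
    _int_setting(root, ".//OutgoingThreadTime", findings, minimum=0)
    _int_setting(root, ".//IncomingThreadTime", findings, minimum=0)
    return findings


# Constructed sample: the defaults from Tables 67-69 under an assumed root element.
GOOD_CONFIG = r"""<SpocConfig>
  <Logging>
    <Level>INFO</Level>
    <FileName>C:\AS\services\spoc\spoc\logs\spoc_spoc.log</FileName>
    <FileSize>1000000</FileSize>
    <Backups>10</Backups>
  </Logging>
  <XAPConnection>
    <Server>https://domain.example.com:443</Server>
    <Connections>2</Connections>
    <IdleTimeout>30</IdleTimeout>
    <Debug>false</Debug>
    <MaxConnections>50</MaxConnections>
    <CacheTemplates>true</CacheTemplates>
    <DefaultLanguage>en-us</DefaultLanguage>
  </XAPConnection>
  <OutgoingThreadTime>1</OutgoingThreadTime>
  <IncomingThreadTime>5</IncomingThreadTime>
</SpocConfig>"""

# The same file with five deliberate mistakes the tables warn against.
BAD_CONFIG = (GOOD_CONFIG.replace("INFO", "VERBOSE")
              .replace("<FileSize>1000000", "<FileSize>0")
              .replace("https://", "http://")
              .replace("<Connections>2", "<Connections>100")
              .replace("<IncomingThreadTime>5", "<IncomingThreadTime>-1"))

if __name__ == "__main__":
    print("good config:", lint_spoc_config(GOOD_CONFIG) or "no findings")
    for finding in lint_spoc_config(BAD_CONFIG):
        print("bad config:", finding)
```

Run it against the real file with `lint_spoc_config(open(path).read())` as the last step before "Restart Administration Services"; an empty result means the settings the tables describe are at least consistent, and a parse error means the edit left the XML malformed.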

Configuring the HTTP header for client certificates
By default, the SPOC services consist of only application server components. The
Apache Tomcat application server that hosts the SPOC services also terminates the
SSL.
After installing SPOC, you can configure a front-end Web server to terminate the SSL.
In this split architecture, the Web server proxies requests to the application server.
Communication between the Web server and application server goes through a JK
connector using Apache JServ Protocol (AJP). For a split architecture, you can also use
an SSL hardware device to terminate the SSL instead of a Web server.
However, the hardware device or Web server may not support AJP and may instead
forward the HTTP requests intact, in which case none of the metadata that AJP
carries is included. In particular, the AJP request metadata includes the client
certificate, on which SPOC performs many checks.
As long as the hardware device or Web server used as the front-end proxy can send
the client certificate as a header in the HTTP request, SPOC can still receive the client
certificate. You can configure the HTTP header SPOC will use to receive the client
certificate when receiving HTTP requests.

To configure the HTTP header used for client certificates


1 On your front-end hardware device or Web server, configure the HTTP header
that will be used to send client certificates. See your hardware or Web server
documentation for details.
2 Log in to the Administration Services server hosting the application server
components.
3 Open the spoc-config.xml file in an XML or text editor. You can find the file in
the following location:
<AS-install>\services\spoc\spoc\webapp\WEB-INF\config
4 Locate the <ClientCertificateHttpHeaderName> setting, and then enter the
name of the HTTP header that SPOC will use to receive client certificates. For
example:
<ClientCertificateHttpHeaderName>Certificate</ClientCertificateHttpHeaderName>
If no header is specified, SPOC will look for the client certificate in AJP metadata.
5 Save and close the file.
6 Restart Administration Services.

Restricting SPOC service ports to the applicable service URLs
By default, each port that SPOC opens can serve the URLs of all SPOC services, not
only the service the port is intended for. Multiple ports are opened to allow
different cipher suites, but they do not restrict the URLs that can be accessed
through them. Note that each SPOC service does require specific policy OIDs in
client certificates in order for clients to access the service.

To restrict the SPOC service ports to the applicable service URLs


1 Log in to the Administration Services server hosting the application server
components.
2 Open the spoc-config.xml file in an XML or text editor. You can find the file in
the following location:
<AS-install>\services\spoc\spoc\webapp\WEB-INF\config
3 Add the following settings:
<SpocWebServicePort></SpocWebServicePort>
<SpocDomesticWebServicePort></SpocDomesticWebServicePort>
<SpocAdminPort></SpocAdminPort>
Use these settings to specify the ports to the SPOC Web Service
(<SpocWebServicePort>), SPOC Domestic Web Service
(<SpocDomesticWebServicePort>), and SPOC Administration
(<SpocAdminPort>).
For example, if you use the default ports:
<SpocWebServicePort>443</SpocWebServicePort>
<SpocDomesticWebServicePort>6443</SpocDomesticWebServicePort>
<SpocAdminPort>8443</SpocAdminPort>
If these settings are absent or have no value, then the behavior remains the same
as before (no checking of ports or URLs).
4 Save and close the file.
5 Restart Administration Services.
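The two preceding sections, “Configuring the HTTP header for client certificates” and “Restricting SPOC service ports to the applicable service URLs”, both change how an inbound request is gated before the application acts on it. The following Python model is an added example, not Entrust code, of the two behaviours the guide describes: reading the client certificate from the configured header only when the request arrives from the TLS-terminating front end (any other source could simply forge that header), and allowing a port to serve only its own service's URLs, with "no checking" when the port settings are absent or empty. The trusted-proxy address, the URL prefixes for the SPOC Web Service and SPOC Domestic Web Service, the deny-by-default rule for an unassigned port, and the sample certificate bytes are all assumptions or constructed input; only /spoc/admin and the default port numbers come from the guide.

```python
import base64
import binascii
import hashlib
import urllib.parse

# Assumption: only these proxy addresses may present a client certificate in a
# header. A certificate header arriving from any other source is ignored.
TRUSTED_PROXIES = frozenset({"10.0.0.5"})

# URL prefix each port setting is allowed to serve. Only /spoc/admin is given
# in the guide; the other two prefixes are assumed placeholders.
SERVICE_PATHS = {
    "SpocWebServicePort": "/spoc/ws",                # assumed
    "SpocDomesticWebServicePort": "/spoc/domestic",  # assumed
    "SpocAdminPort": "/spoc/admin",                  # from the guide
}


def client_cert_from_header(headers, remote_addr, header_name, trusted=TRUSTED_PROXIES):
    """Return the DER bytes of the client certificate sent in header_name.

    Returns None when no header name is configured (the AJP metadata path
    applies instead), when the request did not come from a trusted proxy, or
    when the header is missing or not decodable. Accepts URL-encoded PEM and
    bare base64 DER, the two encodings front ends commonly use.
    """
    if not header_name or remote_addr not in trusted:
        return None
    raw = headers.get(header_name)
    if not raw:
        return None
    text = urllib.parse.unquote(raw)
    lines = (line.strip() for line in text.splitlines())
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    body = "".join(body.split())  # some proxies replace newlines with spaces
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error:
        return None


def cert_fingerprint(der):
    """SHA-256 fingerprint (hex) for logging which certificate authenticated a request."""
    return hashlib.sha256(der).hexdigest()


def port_allows_path(port, path, port_config):
    """Apply the port-to-service restriction from spoc-config.xml.

    port_config maps the three setting names to an int port or None. When no
    setting is present or has a value, the guide's default applies: no checking
    of ports or URLs. Assumption: a port assigned to no service serves nothing.
    """
    configured = {name: p for name, p in port_config.items() if p}
    if not configured:
        return True
    for name, p in configured.items():
        if p == port:
            return path.startswith(SERVICE_PATHS[name])
    return False


# Constructed sample input: a five-byte DER stand-in, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n"
              + "-----END CERTIFICATE-----\n")
SAMPLE_HEADERS = {"Certificate": urllib.parse.quote(SAMPLE_PEM)}
DEFAULT_PORTS = {"SpocWebServicePort": 443,
                 "SpocDomesticWebServicePort": 6443,
                 "SpocAdminPort": 8443}

if __name__ == "__main__":
    der = client_cert_from_header(SAMPLE_HEADERS, "10.0.0.5", "Certificate")
    print("from proxy:", der is not None and cert_fingerprint(der)[:16])
    print("from elsewhere:", client_cert_from_header(SAMPLE_HEADERS, "203.0.113.9", "Certificate"))
    print("admin URL on 8443:", port_allows_path(8443, "/spoc/admin", DEFAULT_PORTS))
    print("admin URL on 443:", port_allows_path(443, "/spoc/admin", DEFAULT_PORTS))
```

The trusted-source check is the part that matters for the header mechanism: the front end should overwrite (not merely append to) the configured header on every request it proxies, and the application ports should be reachable only from that front end, so that the header can never be supplied by an end client directly.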

43 Administering a Single Point of Contact

Each country has one Single Point of Contact (SPOC). All international EAC certificate
requests and responses are communicated directly between SPOCs. Each SPOC
receives certificate requests from other SPOCs and delivers them to the domestic
CVCA for handling. The SPOC then communicates responses back to the requesting
SPOC, on behalf of its domestic CVCA.
Each SPOC also receives certificate requests from domestic Document Verifiers (DVs)
and forwards them to foreign SPOCs for processing. The SPOC then receives the
responses from the foreign SPOCs and forwards the responses to the domestic DV
that initiated the request.
This chapter describes how to administer a SPOC using the SPOC Administration
interface.
This chapter contains the following sections:
• “Creating SPOC DVCKM Client credentials for Document Verifiers” on
page 1224
• “Providing the SPOC with domestic CVCA certificates” on page 1227
• “Logging in to SPOC Administration” on page 1228
• “Managing foreign SPOCs” on page 1229
• “Generating outbound requests” on page 1236
• “Managing outbound requests” on page 1249
• “Managing inbound requests” on page 1258
• “Using the Keystore-Manager tool to manage foreign SPOC certificates” on
page 1272

Creating SPOC DVCKM Client credentials for Document Verifiers
When installing the DVCKM (see “Installing the DVCKM” on page 1388), the
installer prompts for a SPOC DVCKM Client profile. The SPOC DVCKM Client profile
secures SSL communications between the DVCKM and the SPOC Domestic Web
Service to automatically receive Document Verifier (DV) certificate requests without
intervention from an administrator.
A PKI administrator at the SPOC CA must create a SPOC DVCKM Client profile for
each domestic DV. Do not create SPOC DVCKM Client profiles for foreign DVs. Only
domestic DVs communicate with the domestic SPOC.

Note:
There can be only one SPOC DVCKM Client instance for each Document Verifier.

For details about creating SPOC DVCKM Client profiles, see the following:
• “Creating a user entry for a SPOC DVCKM Client profile” on page 1224
• “Creating a SPOC DVCKM Client profile” on page 1225
• “Updating the SPOC DVCKM Client profile keys” on page 1226

Creating a user entry for a SPOC DVCKM Client profile


You must create a user entry in Security Manager for the SPOC DVCKM Client
profile. You can use Security Manager Administration to create a user entry for the
SPOC DVCKM Client profile.
For more information about creating users with Security Manager Administration, see
the Security Manager Administration User Guide.

To create a user entry for the SPOC DVCKM Client profile using Security Manager Administration
1 Log in to Security Manager Administration for the SPOC CA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
d Ensure that the Create profile check box is not checked.
4 Click the General tab.
5 From the Role drop-down list, select SPOC Role.
The SPOC DVCKM Client profile uses the same role as the SPOC Web Service
profiles.
6 Select the Certificate Info tab, and then complete the following:
a In the Category drop-down list, select Enterprise.
b Under Certificate Type, select ePassport - SPOC DV Client.
7 Click OK.
8 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
Security Manager Administration displays the Reference number and
Authorization code. Record these activation codes in a secure manner, as they are
required later to create and activate the user’s Entrust digital ID. For more details
on how the Registration number and Authorization codes are used, see the
Security Manager Administration User Guide.
You have now created the user entry for the DVCKM profile. Proceed to
“Creating a SPOC DVCKM Client profile” on page 1225.

Creating a SPOC DVCKM Client profile


The SPOC DVCKM Client profile can be stored in software (as an EPF file) or on a
hardware security module. You can use one of the following applications to create the
DVCKM profile:
• Profile Creation Utility
The Profile Creation Utility can create the profile on software or hardware.
For instructions, see the Administration Services Installation Guide.
• Security Manager Administration
When using Security Manager Administration to create the profile, you must
create the profile on software. For instructions, see the following procedure.

To create a SPOC DVCKM Client profile using Security Manager Administration
1 Create a user entry for the SPOC DVCKM Client profile (see “Creating a user
entry for a SPOC DVCKM Client profile” on page 1224).
2 In the right pane, select the user entry you just created and then select Users >
Selected User > Create Profile.
The Create profile dialog box appears.
3 Click Create desktop profile.
4 In the Name field, enter the file name for the SPOC DVCKM Client profile.
Security Manager Administration will append the .epf extension to the file
name.
5 Click Browse to select a folder where you want to save the SPOC DVCKM Client
profile.
6 In the Password and Confirm fields, enter a password for the SPOC DVCKM
Client profile.
7 Click OK.
You can now use this SPOC DVCKM Client profile with Administration Services. You
need the SPOC DVCKM Client profile, the profile password, and the profile location
when you install Administration Services.

Updating the SPOC DVCKM Client profile keys


It is not recommended that you copy profiles to other servers. If you do copy a profile,
and the profile keys are updated at one server, copy the updated profile file to each
server.
Keys are updated only on Administration Services startup. You may have to schedule
periodic server restarts with a frequency that corresponds to the configured
certificate lifetime.

Providing the SPOC with domestic CVCA certificates
If the domestic CVCA is offline, your SPOC requires the entire chain of domestic
CVCA certificates. Your SPOC needs the entire chain of domestic CVCA certificates
when a foreign SPOC requests CVCA certificates from your SPOC (see “Viewing
outbound requests” on page 1249).
If the domestic CVCA is online, your SPOC retrieves the domestic CVCA certificates
directly from the CVCA.

Note:
The CVCA cannot be offline if you install CVCA Administration or any X.509
service. You specified whether the CVCA was online or offline when you installed
Administration Services (see “Installing the SPOC services” on page 1178).

If the domestic CVCA is offline, you already provided your SPOC with the initial root
CVCA certificate when you installed Administration Services (see “Installing the SPOC
services” on page 1178). If the domestic CVCA keys were updated, then your SPOC
requires the entire chain of domestic CVCA certificates, from the initial root CVCA
certificate to the latest link certificate.

To provide the SPOC with domestic CVCA certificates


1 Log in to the Administration Services server hosting the application server
components.
2 Obtain the latest domestic CVCA certificates from your domestic CVCA.
For information about exporting domestic CVCA certificates from the domestic
CVCA, see “Exporting domestic CVCA certificates” on page 1020.
3 Save the CVCA certificates to the following location:
<AS-install>\services\spoc\spoc\domestic-cvca-certs
4 Restart Administration Services.

Logging in to SPOC Administration
SPOC Administration provides an interface for Single Point of Contact (SPOC)
administrators to administer their country’s Single Point Of Contact. You are required
to log in to the SPOC Administration interface with a certificate stored in your Web
browser (see “Creating SPOC administrators” on page 1208).

To log in to SPOC Administration


1 Open a Web browser.
2 Enter the following URL in your Web browser:
https://<host_name>:<port>/spoc/admin
Where:
• <host_name> is the fully qualified host name of the server hosting the SPOC
services.
• <port> is the Tomcat SSL port for SPOC Administration (by default 8443).
For example:
https://appserver.example.com:8443/spoc/admin
3 When prompted to select a user certificate, select the user certificate that you
created in “Creating SPOC administrators” on page 1208.
4 A security dialog may appear, prompting you to allow the application to access
the private key.

Note:
The security dialog box may appear behind the browser window. Click the dialog
box’s window icon in the taskbar to bring the dialog box to the front.

Click Allow to allow SPOC Administration to access the private key.


The SPOC Administration interface appears.

Managing foreign SPOCs
You can add, view, or remove foreign Single Point of Contacts (SPOCs). See the
following topics for details:
• “Adding foreign SPOCs” on page 1229
• “Viewing foreign SPOCs” on page 1231
• “Editing foreign SPOCs” on page 1232
• “Deleting foreign SPOCs” on page 1234

Adding foreign SPOCs


Before you can accept or send requests with a foreign Single Point of Contact (SPOC),
you must first add the foreign SPOC to your SPOC. Adding a foreign SPOC to your
SPOC allows your SPOC to recognize the foreign SPOC. Recognizing the foreign
SPOC allows your SPOC to send and receive requests with the foreign SPOC.

To add a foreign SPOC


1 Obtain the following information from the foreign SPOC administrator:
• the ISO 3166-1 ALPHA-2 country code of the foreign SPOC
• the URL to the foreign SPOC’s WSDL (Web Service Definition Language) file
• the foreign SPOC CA root certificate
You are prompted for this information when you add the foreign SPOC to your
SPOC.
2 Log in to SPOC Administration (see “Logging in to SPOC Administration” on
page 1228).
3 Click Foreign SPOCs.
4 Click the Add a Foreign SPOC tab.
The Add a Foreign SPOC pane appears.

5 In the Country Code field, enter the country code of the foreign SPOC.
6 In the URL field, enter the URL to the foreign SPOC’s WSDL file.
7 For the Foreign SPOC CA Root Certificate field, click Browse to select the file
containing the foreign SPOC’s Certification Authority (CA) root certificate.
8 Click Submit.
If the foreign SPOC was successfully added, the Add a Foreign SPOC Details
page appears, along with a success message. For example:

9 Restart Administration Services. If you do not restart Administration Services, the
foreign SPOC will not appear in the list of foreign SPOCs.

For information about viewing foreign SPOCS, see “Viewing foreign SPOCs” on
page 1231.

Viewing foreign SPOCs


You can display a list of foreign SPOCs that you have added to your SPOC. The list
includes the ISO 3166-1 ALPHA-2 country code of the foreign SPOC, and the URL
to the foreign SPOC Web Service.

To view foreign SPOCs


1 Log in to SPOC Administration (see “Logging in to SPOC Administration” on
page 1228).
2 Click Foreign SPOCs.
3 Click the Foreign SPOCs tab.
A list of all foreign SPOCs that you have added appears. For example:

For each foreign SPOC, the list includes the country code of the foreign SPOC
and the URL of the foreign SPOC Web Service. If the URL is listed as Pending,
then the foreign SPOC is currently offline or has not yet added your SPOC to its
list of foreign SPOCs.

Note:
A URL of Pending may also indicate that your SPOC CA was incorrectly
configured (see “Installing a SPOC CA” on page 1153 for information about
configuring a SPOC CA). It is recommended that you contact the foreign SPOC
administrator to confirm whether your SPOC is still pending. You may need to
restart Administration Services.

Editing foreign SPOCs
You can edit a foreign SPOC at any time. Edit a foreign SPOC when one of the
following scenarios occurs:
• You entered an incorrect URL or selected the wrong CA certificate when you
added the foreign SPOC. You must enter the correct URL or import the
correct CA certificate for the foreign SPOC.
If you entered an incorrect country code, you must delete the foreign SPOC
(see “Deleting foreign SPOCs” on page 1234) and then add the foreign
SPOC again (see “Adding foreign SPOCs” on page 1229).
• The foreign SPOC CA performed a key update, generating a new CA
certificate. You must import the new CA certificate for the foreign SPOC.
• The foreign SPOC changed service locations, requiring a new URL to the
foreign SPOC WSDL file. You must enter the new URL for the foreign
SPOC.

To edit the information for a foreign SPOC


1 Log in to SPOC Administration (see “Logging in to SPOC Administration” on
page 1228).
2 Click Foreign SPOCs.
3 Click the Foreign SPOCs tab.
A list of all foreign SPOCs that you have added appears. For example:

4 In the Foreign SPOC ID column, click the country code of the foreign SPOC you
want to edit.
The Edit Foreign SPOC pane appears.

5 In the URL field, enter the URL to the foreign SPOC’s WSDL file.
6 For the Foreign SPOC CA Certificate field, click Browse to select the file
containing the foreign SPOC’s Certification Authority (CA) root certificate.
7 Click Submit.
If the foreign SPOC was successfully edited, the Edit Foreign SPOC Details page
appears, along with a success message. For example:

Deleting foreign SPOCs
You can delete a foreign SPOC at any time. It is recommended that you delete a
foreign SPOC only if you added the foreign SPOC incorrectly.

To delete a foreign SPOC


1 Log in to SPOC Administration (see “Logging in to SPOC Administration” on
page 1228).
2 Click Foreign SPOCs.
3 Click the Foreign SPOCs tab.
A list of all foreign SPOCs that you have added appears. For example:

4 In the row corresponding to the foreign SPOC that you want to delete, click
Delete.
A confirmation dialog box appears.

5 Click OK to confirm the operation and delete the foreign SPOC.
If the foreign SPOC was successfully deleted, the Delete Foreign SPOC page
appears, along with a success message. For example:

Generating outbound requests
Outbound requests are messages sent from your SPOC to foreign SPOCs. You can
request Country Verifying Certification Authority (CVCA) certificates from a foreign
CVCA, request Document Verifier (DV) certificates from a foreign CVCA, send CVCA
certificates to a foreign CVCA, or send a general message to a foreign SPOC.
This section contains the following topics:
• “Requesting CVCA certificates from foreign CVCAs” on page 1236
• “Requesting Document Verifier certificates from a foreign CVCA” on
page 1240
• “Sending CVCA certificates to a foreign CVCA” on page 1243
• “Sending general messages to foreign SPOCs” on page 1247

Requesting CVCA certificates from foreign CVCAs


For your domestic CVCA and DVs to establish trust with a foreign CVCA, they require
CVCA certificates from the foreign CVCA (see “Importing foreign CVCA certificates”
on page 1042). You can request foreign CVCA certificates from SPOC.

To request CVCA certificates from a foreign CVCA


1 Log in to SPOC Administration (see “Logging in to SPOC Administration” on
page 1228).
2 Click Manage SPOC Requests.
3 Click the Generate Outbound Message tab.
The Generate Outbound Message page appears.

4 In the Foreign SPOC ID drop-down list, select the country code of the foreign
SPOC that will receive the outbound message.
5 Under Message Type, click Request CVCA certificates.
6 Click Submit.
If the outbound request was sent successfully, the Generate Outbound Message
Details page appears, along with a success message. For example:

The Outbound Message Details pane provides details about the outbound
message you sent to the foreign SPOC. The Inbound Response Details pane
provides details received from the foreign SPOC.
7 If the foreign SPOC automatically replied to the request with a CVCA certificate,
you can view and export the CVCA certificate:
a Click View Certificate to view the CVCA certificate. You must view the
certificate before you can export it to a file.
The View Certificate page appears.

b To export the CVCA certificate to a file, click Export Certificate.

Requesting Document Verifier certificates from a foreign CVCA
To obtain DV certificates from a CVCA, a Document Verifier must create a certificate
request and send it to the CVCA for processing (see “Creating DV certificate
requests” on page 1565). You can send DV certificate requests from your domestic
Document Verifiers to foreign CVCAs through SPOC.

Note:
A Document Verifier will automatically request DV certificates from a CVCA if
you configured it to automatically exchange certificates with the SPOC through
the DVCKM and SPOC Domestic Web Service (see “Configuring
communications between the DVCKM and SPOC Domestic Web Service” on
page 1492).

To request a DV certificate from a foreign CVCA


1 Log in to SPOC Administration (see “Logging in to SPOC Administration” on
page 1228).
2 Click Manage SPOC Requests.
3 Click the Generate Outbound Message tab.
The Generate Outbound Message page appears.

4 In the Foreign SPOC ID drop-down list, select the country code of the foreign
SPOC that will receive the outbound message.
5 Under Message Type, click Request a DV certificate.
A Certificate Request Filename field appears at the bottom of the pane.
6 For the Certificate Request Filename field, click Browse to select the file
containing the DV certificate request.
7 Click Submit.
If the outbound request was sent successfully, the Generate Outbound Message
Details page appears, along with a success message. For example:

The Outbound Message Details pane provides details about the outbound message
you sent to the foreign SPOC. The Inbound Response Details pane provides details
received from the foreign SPOC.
8 If the foreign SPOC automatically replied to the request with a DV certificate, you
can view and export the DV certificate:
a Click View Certificate to view the DV certificate. You must view the
certificate before you can export it to a file.
The View Certificate page appears.

b To export the DV certificate to a file, click Export Certificate.
9 If required, you can view and export the DV certificate request:
a Click View Certificate Request to view the DV certificate request. You must
view the certificate request before you can export it to a file.
The View Certificate Request page appears.

b To export the DV certificate request to a file, click Export Certificate Request.

Sending CVCA certificates to a foreign CVCA


To establish trust with a foreign CVCA, your domestic CVCA, Document Verifiers,
and Inspection Systems require CVCA certificates from the foreign CVCA (see
“Importing foreign CVCA certificates” on page 1042). Likewise, foreign CVCAs,
Document Verifiers, and Inspection Systems require your domestic CVCA certificates
to establish trust with your domestic CVCA. Foreign CVCAs require the initial root
CVCA certificate and all subsequent link certificates.
You can send domestic CVCA certificates to foreign CVCAs through SPOC.

To send CVCA certificates to a foreign CVCA
1 Log in to SPOC Administration (see “Logging in to SPOC Administration” on
page 1228).
2 Click Manage SPOC Requests.
3 Click the Generate Outbound Message tab.
The Generate Outbound Message page appears.

4 In the Foreign SPOC ID drop-down list, select the country code of the foreign
SPOC that will receive the outbound message.
5 Under Message Type, click Send new CVCA certificates.
A Certificate Filename field and Attach another certificate command appear at
the bottom of the pane.
6 For the Certificate Filename field, click Browse to select the file containing the
CVCA certificate.
7 To attach another certificate to the outbound request, click Attach another
certificate to add another field under Certificate Filename. Repeat the previous
step to attach another certificate to the outbound request.
8 Click Submit.

If the outbound request was sent successfully, a details pane appears, along with
a success message. For example:

The Outbound Message Details pane provides details about the outbound message
you sent to the foreign SPOC. The Inbound Response Details pane provides details
received from the foreign SPOC.
If you sent more than one CVCA certificate, the chain of CVCA certificates sent
appears in a Certificate List pane. The initial root CVCA certificate is listed as
Certificate 1. Subsequent link and root certificates are listed as Certificate 2,
Certificate 3, and so on.
9 If required, you can view and export any CVCA certificates you sent to the
foreign CVCA.
a Click View Certificate to view the CVCA certificate. You must view the
certificate before you can export it to a file.
The View Certificate page appears.

b To export the CVCA certificate to a file, click Export Certificate.

Sending general messages to foreign SPOCs
You can send a general message from your SPOC to a foreign SPOC. A general
message is similar to an email message. A general message requires a subject and
message body.

To send a general message to a foreign SPOC


1 Log in to SPOC Administration (see “Logging in to SPOC Administration” on
page 1228).
2 Click Manage SPOC Requests.
3 Click the Generate Outbound Message tab.
The Generate Outbound Message page appears.

4 In the Foreign SPOC ID drop-down list, select the country code of the foreign
SPOC that will receive the outbound message.
5 Under Message Type, click Send a general message.
A Subject field and Body text box appear at the bottom of the page.
6 In the Subject field, enter a subject for your message.

7 In the Body text box, enter your message.
8 Click Submit.
If the message was sent successfully, the Generate Outbound Message Details
pane appears, along with a success message. For example:

Managing outbound requests
Outbound requests are messages sent from your SPOC to foreign SPOCs (see
“Generating outbound requests” on page 1236 for information about generating
outbound requests). You can display a list of outbound requests, view a specific
outbound request, and delete outbound requests.
This section contains the following topics:
• “Viewing outbound requests” on page 1249
• “Deleting outbound requests” on page 1253

Viewing outbound requests


You can display a list of outbound requests or view a specific outbound request.
Outbound requests can have one of the following states:
• New. The request has been uploaded or initiated at the SPOC.
• Sent. The SPOC has sent the request to a foreign SPOC.
• Final Response. A final response was received from the foreign SPOC.
• Completed. The final response received from the foreign SPOC has been
processed.

To view outbound requests


1 Log in to SPOC Administration (see “Logging in to SPOC Administration” on
page 1228).
2 Click Manage SPOC Requests.
3 Click the Outbound Requests tab.
A list of all outbound requests appears. For example:

By default, outbound requests are sorted by the date the request was created,
from the latest to the earliest. To sort outbound requests by a different column or to
change the sorting order of the column, click the column title.
4 To view a specific outbound request, click the country code corresponding to the
outbound request that you want to view.
The View Details page appears. For example:

The Outbound Request Details pane provides details about the outbound
request you sent to the foreign SPOC. The Inbound Response Details pane
provides details received from the foreign SPOC.
5 If the foreign SPOC automatically replied to the request with a certificate, or you
sent a certificate to the foreign SPOC, you can view and export the certificate:
a Click View Certificate to view the certificate. You must view the certificate
before you can export it to a file.
The View Certificate page appears.

b To export the certificate to a file, click Export Certificate.
6 If the outbound request was a request for a DV certificate, you can view and
export the DV certificate request:
a Click View Certificate Request to view the DV certificate request. You must
view the certificate request before you can export it to a file.
The View Certificate Request page appears.

b To export the DV certificate request to a file, click Export Certificate Request.

Deleting outbound requests


You can delete an outbound request at any time, and you can delete an outbound
request in any state. You can delete all outbound requests, or you can delete a specific
outbound request. Deleting an outbound request only removes the outbound request
from your SPOC; deleting an outbound request does not remove the request from
the foreign SPOC.
Deleting an outbound request is permanent. Do not delete an outbound request
unless you are completely sure you no longer need the outbound request.
• “To delete all outbound requests” on page 1254
• “To delete a specific outbound request” on page 1255

To delete all outbound requests


1 Log in to SPOC Administration (see “Logging in to SPOC Administration” on
page 1228).
2 Click Manage SPOC Requests.
3 Click the Outbound Requests tab.
A list of all outbound requests appears. For example:

4 Click Delete All outbound requests.
A confirmation dialog box appears.

5 Click OK to confirm the operation and delete all outbound requests.
If the outbound requests were successfully deleted, the Delete Outbound Requests
page appears, along with a success message:

To delete a specific outbound request
1 Log in to SPOC Administration (see “Logging in to SPOC Administration” on
page 1228).
2 Click Manage SPOC Requests.
3 Click the Outbound Requests tab.
A list of all outbound requests appears. For example:

4 Click the country code corresponding to the outbound request that you want to
delete.
The View Details page appears. For example:

5 Click Delete Request.
A confirmation dialog box appears.

6 Click OK to confirm the operation and delete the outbound request.
If the outbound request was successfully deleted, the Delete Outbound Request
page appears, along with a success message. For example:

Managing inbound requests
Inbound requests are messages sent from foreign SPOCs to your SPOC. Messages are
typically requests for DV, CVCA, or CA certificates. You can view inbound requests
and delete inbound requests.
This section contains the following topics:
• “Viewing inbound requests” on page 1258
• “Deleting inbound requests” on page 1270

Viewing inbound requests


You can display a list of inbound requests and view a specific inbound request.
Inbound requests can have one of the following states:
• Manual. The SPOC is not configured to process requests automatically and
the request has not been processed. An inbound request can also have this
state if an error occurred while the SPOC was attempting to automatically
process the request, and the error cannot be automatically resolved.
• Pending. The manual request has been downloaded by a SPOC
administrator for processing.
• Received. The SPOC is configured to process requests automatically but the
request has not been processed.
• Queued. The SPOC is configured to process requests automatically, and the
request is queued at the CVCA for administrator approval.
• Processed. A request has been processed successfully, but the response has
not been sent to the foreign SPOC.
• Completed. A response was successfully received by the foreign SPOC.

To view inbound requests


1 Log in to SPOC Administration (see “Logging in to SPOC Administration” on
page 1228).
2 Click Manage SPOC Requests.
3 Click the Inbound Requests tab.
A list of all inbound requests appears. For example:

By default, inbound requests are sorted by the date the request was created, from
the latest to the earliest. To sort inbound requests by a different column or to change
the sorting order of the column, click the column title.
4 To view a specific inbound message, click the country code corresponding to the
inbound request that you want to view.
If the inbound request is a Get CVCA Certificates operation, proceed to Step 5.
If the inbound request is a General Message operation, proceed to Step 6 on
page 1261.
If the inbound request is a Send CVCA Certificates operation, proceed to Step 7
on page 1263.
If the inbound request is a Certificate Request operation, proceed to Step 8 on
page 1265.
5 If the inbound request is a Get CVCA Certificates operation, the View Details
page appears. For example:

The Inbound Request Details pane provides details about the inbound request
received from the foreign SPOC.
Each time a foreign SPOC requests CVCA certificates from your SPOC, your
SPOC will send the CVCA certificates to the foreign SPOC. The inbound request
includes the CVCA certificates sent to the foreign SPOC.
If your SPOC sent only one CVCA certificate, a View Certificate link appears in
the Commands bar. If your SPOC sent more than one CVCA certificate, the chain
of CVCA certificates sent appears in a Certificate List pane. The initial root CA
certificate is listed as Certificate 1. Subsequent link and root certificates are listed
as Certificate 2, Certificate 3, and so on.
You can view and export any of the CVCA certificates sent to the foreign SPOC:
a Click View Certificate to view the CVCA certificate. You must view the
certificate before you can export it to a file.
The View Certificate page appears.

b To export the certificate to a file, click Export Certificate.
6 If the inbound request is a General Message operation, the View Details page
appears. For example:

The Inbound Request Details pane provides details received from the foreign
SPOC.
To reply to an inbound request:
a Click Send Response.
The Send Response pane appears. For example:

b Under Message Type, select the type of message that you want to send to the
foreign SPOC. Sending a response is very similar to generating an outbound
request. For information about generating an outbound request, see
“Generating outbound requests” on page 1236.
c Click Submit to send the response.
7 If the inbound request is a Send CVCA Certificates operation, the View Details
pane appears. For example:

The Inbound Request Details pane provides details about the inbound request
received from the foreign SPOC.
If the foreign SPOC sent only one CVCA certificate, a View Certificate link
appears in the Commands bar. If the foreign SPOC sent more than one CVCA
certificate, the chain of CVCA certificates sent appears in a Certificate List pane.
The initial root CA certificate is listed as Certificate 1. Subsequent link and root
certificates are listed as Certificate 2, Certificate 3, and so on.
You can view and export any of the foreign CVCA certificates sent from the
foreign SPOC:
a Click View Certificate to view the foreign CVCA certificate. You must view
the certificate before you can export it to a file.
The View Certificate page appears.

b To export the certificate to a file, click Export Certificate.
8 If the inbound request is a Certificate Request operation, the View Details page
appears. For example:

The Inbound Request Details pane provides details received from the foreign
SPOC. Depending on the state of the inbound request, different commands
appear in the Commands bar:
• For all states, you can view and then export the DV certificate request to a
file by clicking View Certificate Request.
The CVCA must process the DV certificate request to generate the DV
certificate. If your domestic CVCA is offline, you must view and then export
the DV certificate request to a file, and give the file to your domestic CVCA
for processing.
If you click View Certificate Request, the View Certificate Request page
appears. For example:

To export the certificate request to a file, click Export Certificate Request.
• For Received, Manual, or Pending states, you can import the DV certificate
by clicking Import Certificate.
When you import the DV certificate, your SPOC will send the certificate to
the foreign SPOC.
If you click Import Certificate, the Import Certificate page appears. For
example:

For the Filename field, click Browse to select the file containing the DV
certificate. Click Submit to continue.
The Import Certificate Details page appears. For example:

• For the Manual state, you can send a failure response by clicking Send Failure
Response.
You may need to send a failure response if a problem occurred when
manually processing a request at the domestic CVCA. It is recommended
that you contact the foreign SPOC (see “Sending general messages to
foreign SPOCs” on page 1247) and request help to resolve the problem.
If you select Send Failure Response, the Send Failure Response page
appears. For example:

In the Send Failure Response Details page, select the reason for the failure,
and then click Submit to send the failure response. The Send Failure
Response Details page appears.

Deleting inbound requests
You can delete an inbound request at any time, and you can delete an inbound
request in any state. Deleting an inbound request only removes the inbound request
from your SPOC; deleting an inbound request does not remove the request from the
foreign SPOC.
Deleting an inbound request is permanent. Do not delete an inbound request unless
you are completely sure you no longer need the inbound request.

To delete an inbound request


1 Log in to SPOC Administration (see “Logging in to SPOC Administration” on
page 1228).
2 Click Manage SPOC Requests.
3 Click the Inbound Requests tab.
A list of all inbound requests appears. For example:

4 To delete a specific inbound message, click the Delete action corresponding to
the inbound request that you want to delete.
A confirmation dialog box appears.

5 Click OK to confirm the operation and delete the inbound request.
If the inbound request was successfully deleted, the Delete Inbound Request
Details pane appears, along with a success message. For example:

Using the Keystore-Manager tool to manage
foreign SPOC certificates
As with other Web services provided by Administration Services, the SPOC Web
Service is secured by SSL and terminated by Apache Tomcat. The SPOC Web Service
differs from the other Web services because it must accept and trust connections from
clients that have credentials issued from foreign Certification Authorities (CAs). Each
foreign SPOC has its own client credentials, which are issued from a CA operated
from within its own jurisdiction. This means that the Java keystore that is used to
terminate the SPOC Web Service needs to be extended to trust foreign CA root
certificates.
Ordinarily this is achieved through the Add a Foreign SPOC tab of the SPOC
Administration interface. When a foreign SPOC is registered, its details (ISO country
code and foreign SPOC URL) are entered along with the country's SPOC CA root
certificate. SPOC then uses this information to verify the foreign certificate of a client
when it attempts to make a connection.
You can update the details of a foreign SPOC at any point through the SPOC
Administration interface. In the event that the SPOC Administration interface is not
available, you can use the Keystore-Manager tool to view, add, or delete trust in a
foreign SPOC certificate if for some reason the trust relationship changes or a new
certificate is issued from that country.
You cannot use the Keystore-Manager tool to add a foreign SPOC. Adding a foreign
SPOC requires additional information—such as the URL to the foreign SPOC’s
WSDL—that you cannot provide using the Keystore-Manager tool. You must add
foreign SPOCs using the SPOC Administration interface (see “Adding foreign
SPOCs” on page 1229).
This section contains the following procedures:
• “To list all trusted foreign SPOC certificates” on page 1272
• “To view trusted foreign SPOC certificates” on page 1273
• “To add a SPOC CA root certificate to the keystore” on page 1274
• “To delete a foreign SPOC CA certificate from the keystore” on page 1275

To list all trusted foreign SPOC certificates


1 Log in to the server hosting SPOC.
SPOC services are installed on a server hosting the Administration Services
application server components.
2 On a command line, navigate to the following location:
<AS-install>/tools/keystore-manager
3 Enter the following command:

KeystoreManager -list [-v] [-update] -e <EPF> -u <UAL> -k <KS> -i <INI> [-p11slot <P11SlotId>]
Parameters in square brackets are optional parameters. Where:
• -v provides extra debug output information (verbose mode).
• -update writes any key updates to the SPOC Web Service server profile if
updates are required.
• <EPF> is the full path and file name of the SPOC Web Service server profile.
If the profile is stored on software, enter the full path and file name of the
.epf file. If the profile is stored on hardware, enter the full path and file name
of the .tk file; this file was created when you stored the profile on the
hardware token.
• <UAL> is the full path and file name of the SPOC Web Service server Server
Login file (.ual file).
• <KS> is the full path and file name of the SPOC Web Service server keystore
file (.ks file).
• <INI> is the full path and file name of the SPOC server’s entrust.ini file.
• <P11SlotId> is the hardware slot, if the SPOC Web Service server profile is
stored on a hardware device.
For example:
KeystoreManager -list -e "C:/SPOC Server.epf" -u "C:/SPOC
Server.ual" -k "C:/SPOC Server.ks" -i "C:/entrust.ini"
The Keystore-Manager tool displays a list of trusted certificates. For example:
Found 3 certificates in the [Certificate Store] section of the
Entrust keystore.

PG : c:\PG.p12
US : c:\US.p12
GB : c:\GB.p12

To view trusted foreign SPOC certificates


1 Log in to the server hosting SPOC.
SPOC services are installed on a server hosting the Administration Services
application server components.
2 On a command line, navigate to the following location:
<AS-install>/tools/keystore-manager
3 Enter the following command:
KeystoreManager -list [-v] [-update] -e <EPF> -u <UAL> -k <KS> -i
<INI> [-p11slot <P11SlotId>] [<alias>]
Parameters in square brackets are optional parameters. Where:

• -v provides extra debug output information (verbose mode).
• -update writes any key updates to the SPOC Web Service server profile if
updates are required.
• <EPF> is the full path and file name of the SPOC Web Service server profile.
If the profile is stored on software, enter the full path and file name of the
.epf file. If the profile is stored on hardware, enter the full path and file name
of the .tk file; this file was created when you stored the profile on the
hardware token.
• <UAL> is the full path and file name of the Server Login file (.ual file) for
the SPOC Web Service server.
• <KS> is the full path and file name of the SPOC Web Service server keystore
file (.ks file).
• <INI> is the full path and file name of the SPOC server’s entrust.ini file.
• <P11SlotId> is the hardware slot, if the SPOC Web Service server profile is
stored on a hardware device.
• <alias> is the ISO 3166-1 ALPHA-2 country code of a specific country. For
example, US for the United States of America. Include this parameter to view
only certificates from a specific foreign SPOC CA. Exclude this parameter to
view all trusted certificates.
For example:
KeystoreManager -list -e "C:/SPOC Server.epf" -u "C:/SPOC
Server.ual" -k "C:/SPOC Server.ks" -i "C:/entrust.ini" US
The Keystore-Manager tool displays the contents of the trusted certificates. If
you specified a country code (the <alias> parameter), only certificates from that
country are displayed.

To add a SPOC CA root certificate to the keystore


1 Log in to the server hosting SPOC.
SPOC services are installed on a server hosting the Administration Services
application server components.
2 On a command line, navigate to the following location:
<AS-install>/tools/keystore-manager
3 Enter the following command:
KeystoreManager -add [-v] [-update] -e <EPF> -u <UAL> -k <KS> -i
<INI> [-p11slot <P11SlotId>] <registration file>
Parameters in square brackets are optional parameters. Where:
• -v provides extra debug output information (verbose mode).

• -update writes any key updates to the SPOC Web Service server profile if
updates are required.
• <EPF> is the full path and file name of the SPOC Web Service server profile.
If the profile is stored on software, enter the full path and file name of the
.epf file. If the profile is stored on hardware, enter the full path and file name
of the .tk file; this file was created when you stored the profile on the
hardware token.
• <UAL> is the full path and file name of the Server Login file (.ual file) for
the SPOC Web Service server.
• <KS> is the full path and file name of the SPOC Web Service server keystore
file (.ks file).
• <INI> is the full path and file name of the SPOC server’s entrust.ini file.
• <P11SlotId> is the hardware slot, if the SPOC Web Service server profile is
stored on a hardware device.
• <registration file> is the full path and file name to the foreign country
registration XML file. The file is named with the ISO 3166-1 ALPHA-2
country code of the country, such as US.xml. By default, registration files are
located in the following folder:
<AS-install>/services/spoc/spoc/registration-store
For example:
KeystoreManager -add -e "C:/SPOC Server.epf" -u "C:/SPOC
Server.ual" -k "C:/SPOC Server.ks" -i "C:/entrust.ini" "C:/Program
Files/Entrust/AdminServices/services/spoc/spoc/registration-store/
US.xml"
The Keystore-Manager tool creates a certificate file from the registration file,
adds it to the keystore, and enables and updates the registration file. For
example:
Created certificate file with alias US in C:\US.p12
Added C:\US.p12 to C:\SPOC Server.ks
Enabled registration file.
Updated registration file: C:\Program
Files\Entrust\AdminServices\services\spoc\spoc\registration-store\
US.xml

To delete foreign SPOC CA certificates from the keystore


1 Log in to the server hosting SPOC.
SPOC services are installed on a server hosting the Administration Services
application server components.
2 On a command line, navigate to the following location:
<AS-install>/tools/keystore-manager

Note:
Deleting foreign SPOC CA certificates removes the foreign SPOC from the
keystore, stopping the foreign SPOC from connecting to your SPOC.

3 Enter the following command:


KeystoreManager -delete [-v] [-update] -e <EPF> -u <UAL> -k <KS>
-i <INI> [-p11slot <P11SlotId>] <alias>
Parameters in square brackets are optional parameters. Where:
• -v provides extra debug output information (verbose mode).
• -update writes any key updates to the SPOC Web Service server profile if
updates are required.
• <EPF> is the full path and file name of the SPOC Web Service server profile.
If the profile is stored on software, enter the full path and file name of the
.epf file. If the profile is stored on hardware, enter the full path and file name
of the .tk file; this file was created when you stored the profile on the
hardware token.
• <UAL> is the full path and file name of the Server Login file (.ual file) for
the SPOC Web Service server.
• <KS> is the full path and file name of the SPOC Web Service server keystore
file (.ks file).
• <INI> is the full path and file name of the SPOC server’s entrust.ini file.
• <P11SlotId> is the hardware slot, if the SPOC Web Service server profile is
stored on a hardware device.
• <alias> is the ISO 3166-1 ALPHA-2 country code of the country you want
to remove. For example, US for the United States of America.
For example:
KeystoreManager -delete -e "C:/SPOC Server.epf" -u "C:/SPOC
Server.ual" -k "C:/SPOC Server.ks" -i "C:/entrust.ini" US
The Keystore-Manager tool removes the certificates from the keystore and
deletes the certificate files. For example:
Removed "C:\US.p12" entry from keystore.
Updated keystore: C:\SPOC Server.ks
Deleted the file: C:\US.p12
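The three Keystore-Manager procedures above are usually scripted during a trust review: list what the keystore trusts, compare it with the foreign SPOCs the organization has actually registered, and only then add or delete. The following is an added example, not part of Administration Services: it parses the `-list` output format shown above (the sample output is constructed from the guide's example), flags any trusted alias that is not an ISO 3166-1 alpha-2 code or is not in the expected set, and assembles the `-list`, `-add` and `-delete` argument vectors from the documented parameters, refusing an `-add` whose registration file is not named `<CC>.xml`. Function names are this example's own; KeystoreManager itself is not invoked.

```python
"""Added example: check KeystoreManager -list output and assemble its
command lines. Not part of Administration Services; the function names are
this example's own and the sample output below is constructed from the
format shown in the guide."""
import re
from typing import Dict, List, Optional, Set

ALPHA2 = re.compile(r"^[A-Z]{2}$")  # ISO 3166-1 alpha-2 alias, upper case
ENTRY = re.compile(r"^\s*([A-Za-z0-9_-]+)\s+:\s+(.+?)\s*$")  # "<alias> : <file>"

# Constructed sample of the "-list" output (same shape as the guide's example).
SAMPLE_LIST_OUTPUT = """Found 3 certificates in the [Certificate Store] section of the
Entrust keystore.

PG : c:\\PG.p12
US : c:\\US.p12
GB : c:\\GB.p12
"""


def parse_list_output(text: str) -> Dict[str, str]:
    """Map each alias in "-list" output to its certificate file."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def check_aliases(entries: Dict[str, str], expected: Optional[Set[str]] = None) -> List[str]:
    """Report aliases that are not alpha-2 codes and, when the set of foreign
    SPOC CAs the organization expects is given, any trust entry that should
    not be there or that is missing."""
    findings = [f"alias {a!r} is not an ISO 3166-1 alpha-2 code"
                for a in entries if not ALPHA2.match(a)]
    if expected is not None:
        findings += [f"unexpected trusted SPOC CA: {a}" for a in sorted(set(entries) - expected)]
        findings += [f"expected SPOC CA missing: {a}" for a in sorted(expected - set(entries))]
    return findings


def build_argv(action: str, epf: str, ual: str, ks: str, ini: str,
               target: Optional[str] = None, p11slot: Optional[int] = None,
               update: bool = False, verbose: bool = False) -> List[str]:
    """Assemble the KeystoreManager argument vector from the documented
    parameters. For -add the registration file must be named <CC>.xml and for
    -delete the alias must be an alpha-2 code; -list takes an optional alias."""
    if action not in ("-list", "-add", "-delete"):
        raise ValueError(f"unsupported action {action!r}")
    argv = ["KeystoreManager", action]
    if verbose:
        argv.append("-v")
    if update:
        argv.append("-update")
    argv += ["-e", epf, "-u", ual, "-k", ks, "-i", ini]
    if p11slot is not None:
        argv += ["-p11slot", str(p11slot)]
    if action == "-add":
        if target is None:
            raise ValueError("-add needs a registration file")
        filename = re.split(r"[\\/]", target)[-1]  # accept Windows or POSIX separators
        alias, dot, ext = filename.rpartition(".")
        if not (dot and ext.lower() == "xml" and ALPHA2.match(alias)):
            raise ValueError(f"registration file {target!r} is not named <CC>.xml")
        argv.append(target)
    elif action == "-delete":
        if target is None or not ALPHA2.match(target):
            raise ValueError("-delete needs an ISO 3166-1 alpha-2 alias")
        argv.append(target)
    elif target is not None:
        if not ALPHA2.match(target):
            raise ValueError("-list alias filter must be an ISO 3166-1 alpha-2 code")
        argv.append(target)
    return argv


if __name__ == "__main__":
    found = parse_list_output(SAMPLE_LIST_OUTPUT)
    for finding in check_aliases(found, expected={"US", "GB"}):
        print("WARNING:", finding)
    print(build_argv("-delete", "C:/SPOC Server.epf", "C:/SPOC Server.ual",
                     "C:/SPOC Server.ks", "C:/entrust.ini", "PG"))
```

Run the script as-is to see the PG entry reported as unexpected and the matching `-delete` command line; in practice, pass the real `-list` output to `parse_list_output` and the registered country codes to `check_aliases` before any delete.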

44 Customizing SPOC Administration


Entrust Authority Administration Services allows you to customize SPOC
Administration. By making changes to specific files, you can customize SPOC
Administration to match your organization’s corporate identity.
This chapter contains the following sections:
• “Customizing the SPOC Administration interface” on page 1278
• “Customizing SPOC Administration styles” on page 1282

Customizing the SPOC Administration interface
When customizing the SPOC Administration interface, you can make several changes
to reflect the corporate identity of your company. This section provides you with
details about how to apply those changes.

Note:
Any changes you make may require you to complete manual tasks when you
upgrade to the next version of Administration Services. It is recommended that
you keep track of the changes you make.

This section includes the following topics:


• “Adding your company logo to SPOC Administration” on page 1278
• “Customizing the application title and browser title for SPOC
Administration” on page 1279

Adding your company logo to SPOC Administration


You can add your company logo to all SPOC Administration pages.

To add your company logo to SPOC Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Save your organization’s logo to the images folder, located at:
<AS-install>\services\spoc\spoc\webapp\admin\<locale>\images
3 Navigate to the following folder:
<AS-install>\services\spoc\spoc\webapp\admin\<locale>\jspf
4 Open pre-panecontent.jspf in a text editor.
5 Locate the placeholder for entrust_logo.gif as shown:
<img src="<%=home%>/images/entrust_logo.gif"
alt="<%=companyName%>" class="left-floating"/>
6 Replace entrust_logo.gif with the GIF file name of your logo.
7 Save and close the file.
8 Restart Administration Services and clear your browser cache.
Your logo now appears in the title bar of SPOC Administration.

Figure 29: Your company logo in the title bar of SPOC Administration

Customizing the application title and browser title for SPOC Administration
You can replace the “SPOC Administration” title with your organization’s name or
any other name your organization chooses. Changing the application title will also
change the title shown in the Web browser.

To change application title and browser title for SPOC Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Navigate to the following folder:
<AS-install>\services\spoc\spoc\webapp\admin\<locale>\jsp
3 Open common-strings.jsp in a text editor.
4 Locate the componentName variable. By default:
static final String componentName = "Entrust Authority&#8482; SPOC
Administration";
5 Replace the existing value with the title chosen by your company. For example,
as shown in bold:
static final String componentName = "Custom application title";
6 Save and close the file.
7 If you want to add a second line to the application title:
a Open common-strings.jsp in a text editor.
b Locate the componentName variable. By default:

static final String componentName = "Entrust Authority&#8482;
SPOC Administration";
c Replace the existing value with the first line of the title chosen by your
company. For example, as shown in bold:
static final String componentName = "My Company";
d Add a new variable for the second line of the title. For example, as shown in
bold:
static final String componentName = "My Company";
static final String componentSecondName = "Custom application
title";
e Save and close the file.
f Navigate to the following folder:
<AS-install>\services\spoc\spoc\webapp\admin\<locale>\jspf
g Open pre-panecontent.jspf in a text editor.
h Locate the <title> tag. By default:
<title><%=componentName%><%=dash%><%=domesticCallerID%></title>
The <title> tag controls the browser title.
i By default, the browser title references the componentName variable, which is
the first line in the application title. To change the browser title:
– To change the browser title so it uses the second line of the application title
instead of the first line, change componentName to the name of the new
variable you added earlier. For example, as shown in bold:
<title><%=componentSecondName%><%=dash%><%=domesticCallerID
%></title>
– To change the browser title so that it references both lines of the application
title, add a reference to the new variable you added earlier. For example,
as shown in bold:
<title><%=componentName%> <%=componentSecondName%><%=dash%><
%=domesticCallerID%></title>
Ensure that you include a space between the title variables as shown in the
preceding example.
j Locate the <h1> tag. By default:
<h1><%=componentName%><%=dash%><%=domesticCallerID%></h1>
The <h1> tag controls the application title.
k Between <%=componentName%> and <%=dash%>, add <br/> then a reference
to the new variable you added earlier. For example, as shown in bold:
<h1><%=componentName%><br/><%=componentSecondName%><%=dash%><%=
domesticCallerID%></h1>

l Save and close the file.
8 Restart Administration Services and clear your browser cache.
Your customized application title now appears in SPOC Administration, and the
customized browser title appears in the browser window title bar of all SPOC
Administration static and dynamic pages.

Figure 30: Custom application title and browser title for SPOC Administration

Customizing SPOC Administration styles
You can customize the SPOC Administration interface with your choice of colors,
fonts, and styles by changing values in the Cascading Style Sheets (CSS) files. The
settings in the CSS files are assigned by class. You can find the CSS files in the
following folder on the server hosting the application server components:
<AS-install>\services\spoc\spoc\webapp\admin\<locale>\css
Table 70 briefly describes the different CSS files that control how the SPOC
Administration interface looks.

Table 70: List of CSS files for SPOC Administration

CSS file            Description
calendar.css        Defines the styles for the date selector.
commonpage.css      Defines the styles for elements common to all pages in the
                    interface, such as the title bar.
datagrid.css        Defines the styles for grid tables in the interface.
details.css         Defines the styles on Details pages.
general.css         Defines the styles for elements independent of any page or
                    template used by the interface.
help.css            This file is not currently used by SPOC Administration.
passwordrules.css   This file is not currently used by SPOC Administration.
search.css          Defines how search options appear in the interface.
style.css           Loads all the CSS files except the help.css file.

Only someone with a good knowledge of CSS should edit the CSS files. When editing
the CSS files, take care not to make any changes that can break the SPOC
Administration interface. Always back up a file before making any edits to the file.

45 Localizing SPOC Administration


SPOC Administration includes the default locale en_US. The SPOC Administration file
system allows you to add more than one locale folder for each SPOC Administration
instance. This chapter describes how to add a new locale to SPOC Administration.
The preferred language setting in your browser determines the initial locale (the
locale in which you first access the SPOC Administration interface). Links to all
other installed locales appear in the navigation bar of the SPOC Administration
login page. When you switch to another locale, the Language Preference browser
setting no longer applies. You can specify more than one preferred language in your
browser settings, but only the first one in the list is applied. If your browser's
default language is your localized language, the localized page appears with a link
to the English page. If the browser's preferred language is not installed, SPOC
Administration uses the default locale en_US.

Note:
Do not remove en_US as it is the default locale.

This chapter includes the following sections:


• “Localization overview” on page 1284
• “Location of SPOC Administration locale folders” on page 1285
• “Adding locales to SPOC Administration” on page 1286
• “Translating SPOC Administration files” on page 1287
• “Troubleshooting localization in SPOC Administration” on page 1289

Localization overview
Localization is the process of modifying or adapting a software application to fit the
requirements of a particular locale. Localization includes translating application text
to conform with a specific locale, and it might also include modifying the date, time,
and currency formats.

About locales
A locale is a specific geographic, political, or cultural region. Locales are
generally specified using a language code combined with a country code.
Language codes are two-letter codes defined by ISO 639 Code for the representation
of the names of languages. By convention, language codes are shown in lower case.
Some common examples include:
• en—English
• fr—French
• ja—Japanese
• ko—Korean
• zh—simplified and traditional Chinese
Country codes are two-letter codes defined by ISO 3166 Country Codes. By
convention, country codes appear in upper case. Some common examples include:
• CA—Canada
• US—United States
• GB—United Kingdom (Great Britain)
• JP—Japan
• CN—China

Defining locales
Locales are generally specified using a combination of a language code and a country
code. The most common interpretation of this standard is the two-letter language
code followed by the two-letter country code, for example:
• fr_CA—French (Canada)
• en_US—English (United States)
• en_GB—English (United Kingdom)
• ja_JP—Japanese (Japan)

Location of SPOC Administration locale folders
You can add locale folders in the following locations on the server hosting the
application server components:
<AS-install>\services\spoc\spoc\webapp\admin
Administration Services looks for locales in the following order:
• lang_country (for example, fr_CA)
• lang only (for example fr)
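The lookup order above, together with the browser rule from the chapter introduction (only the first preferred language counts, and en_US is the fallback), is small enough to state as code. The following is an added example, not Entrust's implementation: it resolves a browser Accept-Language value against a set of installed locale folders and, because the locale name ends up as a folder name under the admin webapp, also shows the shape check a practitioner would apply before joining a client-supplied name onto a path. Function names and the folder path used in the demo are this example's own.

```python
"""Added example: the locale lookup order described in the guide, plus a
guard that keeps a browser-supplied locale name from being used as an
arbitrary path component. Not Entrust code; names are this example's own."""
import os
import re

DEFAULT_LOCALE = "en_US"
# Folder names have the form lang (fr) or lang_COUNTRY (fr_CA), nothing else.
LOCALE_NAME = re.compile(r"^[a-z]{2}(_[A-Z]{2})?$")


def first_preferred_language(accept_language: str) -> str:
    """Only the first entry of the browser's language list is applied."""
    first = accept_language.split(",")[0]
    return first.split(";")[0].strip()  # drop any ;q= weight


def resolve_locale(accept_language: str, installed, default: str = DEFAULT_LOCALE) -> str:
    """Try lang_COUNTRY, then lang alone, then fall back to the default locale."""
    tag = first_preferred_language(accept_language)
    if not tag:
        return default
    parts = tag.replace("-", "_").split("_")
    lang = parts[0].lower()
    candidates = [lang]
    if len(parts) > 1 and parts[1]:
        candidates.insert(0, f"{lang}_{parts[1].upper()}")
    for name in candidates:
        if name in installed:
            return name
    return default


def safe_locale_dir(admin_dir: str, locale: str) -> str:
    """Join a locale folder name onto the admin webapp folder only if it has the
    expected shape; rejects values such as '../WEB-INF' that a client could send."""
    if not LOCALE_NAME.match(locale):
        raise ValueError(f"bad locale name {locale!r}")
    return os.path.join(admin_dir, locale)


def discover_locales(admin_dir: str):
    """Installed locales are the sub-folders of the admin webapp folder whose
    names have the lang or lang_COUNTRY form; en_US must always be among them."""
    found = {n for n in os.listdir(admin_dir)
             if LOCALE_NAME.match(n) and os.path.isdir(os.path.join(admin_dir, n))}
    if DEFAULT_LOCALE not in found:
        raise RuntimeError(f"default locale {DEFAULT_LOCALE} is missing from {admin_dir}")
    return found


if __name__ == "__main__":
    installed = {"en_US", "fr_CA", "fr", "ja_JP"}  # constructed set of folders
    for header in ("fr-CA,en;q=0.8", "fr-FR", "ja,fr-CA;q=0.9", "de-DE,fr-CA"):
        print(f"{header!r:22} -> {resolve_locale(header, installed)}")
```

Note the third demo header: a browser sending plain `ja` does not match a `ja_JP` folder, so the user lands on en_US unless a `ja` folder is also installed; the fourth shows that a second preference (`fr-CA`) is ignored when the first (`de-DE`) is not installed.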

Adding locales to SPOC Administration
To add a locale, you must create new locale folders that contain all contents of the
default en_US folders.

To add a new locale to SPOC Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Create a new locale folder (such as fr_CA) in the following location:
<AS-install>\services\spoc\spoc\webapp\admin
3 Copy all folders and files from
<AS-install>\services\spoc\spoc\webapp\admin\en_US
to
<AS-install>\services\spoc\spoc\webapp\admin\<locale>
Your new locale link is now available on the SPOC Administration home page.
Before you can access your localized version of SPOC Administration, you must
translate a series of files. See “Translating SPOC Administration files” on page 1287
for more information.

Translating SPOC Administration files
After creating the new locale folder, you must translate a series of files into the
language that matches your new locale. Translate all the SPOC Administration files
listed in Table 71 on page 1287 to match your new locale.

Table 71: SPOC Administration files to translate for your new locale

File to translate    Location (on the server hosting the application server components)
validator-lang.js    <AS-install>\services\spoc\spoc\webapp\admin\<locale>\javascript
common-lang.xsl      <AS-install>\services\spoc\spoc\webapp\admin\<locale>\javascript

To access your localized version of SPOC Administration


1 After translating the required files, restart Administration Services and clear your
browser cache.
2 Log in to SPOC Administration.
Your SPOC Administration locale link is available from the SPOC Administration
interface login page.

Note:
If your browser's default language is your localized language, the localized page
will appear with a link to the English page.

3 Click the locale link.


The SPOC Administration interface is now available in your localized language
setting.

Figure 31: Localized SPOC Administration page

Troubleshooting localization in SPOC Administration
When you manually integrate translated files into SPOC Administration, incorrect
page encodings may cause the pages to appear with extra white lines or cause some
characters to display in the wrong format.
To avoid these problems, you may need to add or update a few settings depending
on the new language.

HTML entities referenced by names


When referenced by name, some HTML entities may cause problems. To avoid these
problems, reference HTML entities by their numeric character references (for
example, the ISO 8859-1 code points). For example, reference é as &#233; and not
as &eacute;.

Broken JavaScript code


In some cases, the apostrophe character (') may break JavaScript code and you must
replace the character with the entity number.
For example, consider the following error string (note the apostrophes):
static final String digidErrorGeneral = "Impossible de terminer
l'opération de gestion de l'ID numérique.";
If the error string is referenced in JavaScript code, such as
alert('<%=digidErrorGeneral%>');
it results in broken JavaScript code because the apostrophe is interpreted as a closing
quote for an alert function call:
alert('Impossible de terminer l'opération de gestion de l'ID
numérique.');
The following shows how to correctly define the error string:
static final String digidErrorGeneral = "Impossible de terminer
l&#8217;opération de gestion de l&#8217;ID numérique.";
The same mechanism applies to any value rendered from JSP into a JavaScript string
literal, so escape every such value consistently rather than only the apostrophes
in translated text.

Web browsers cannot display some locale names


On systems supporting some multibyte languages such as Japanese, the Web
browser may not be able to display the locale name in the native language. For
example, Japanese may be displayed as a series of question marks, such as ???.
The easiest fix for this problem is to display the locale in English.

To display the locale for SPOC Administration in English
1 Log in to the Administration Services server hosting the application server
components.
2 Open the common.jsp file. You can find the file in the following location:
<AS-install>\services\spoc\spoc\webapp\WEB-INF\jsp
3 Change the setting
loc.getDisplayName(loc)
to
loc.getDisplayName(Locale.ENGLISH)
4 Save and close the file.
5 Restart Administration Services.

46 SPOC Domestic Web Service API reference
The SPOC Domestic Web Service is designed to automatically submit certificate
requests from domestic Document Verifiers to the domestic CVCA, or to foreign
SPOCs to be processed by foreign CVCAs. The SPOC Domestic Web Service is
distinct from the SPOC Web Service. The SPOC Web Service is defined by ICAO and
implements SPOC-to-SPOC intercountry communication. Entrust defines the SPOC
Domestic Web Service, which is invoked only by domestic DVCAs.
Custom applications can use the SPOC Domestic Web Service. A WSDL is available
for custom applications that are designed to submit certificate requests. The WSDL
for the SPOC Domestic Web Service does not reside on the file system of
Administration Services. However the WSDL is reproduced below.
The SPOC Domestic Web Service is protected by certificate-based,
mutually-authenticated Secure Sockets Layer (SSL). Clients of the SPOC Domestic
Web Service must have a certificate suitable for SSL client authentication. For
information about issuing a valid client profile, see “Creating SPOC DVCKM Client
credentials for Document Verifiers” on page 1224. The client profile must be issued
by the SPOC CA.
The SPOC Domestic Web Service exports the following methods:

GetCACertificates
Description: Returns a CVCA certificate chain, ensuring that the caller has the
most recent CVCA certificate chain for the desired country.
Request: javax.activation.DataHandler Certificate
This request parameter is optional. It contains a sample CVCA certificate, from
which the country is derived. All CVCA link certificates that postdate the sample
certificate are returned. No self-signed root CVCA certificates are returned, as
only the link certificates are required to form a chain of trust.
If omitted, all domestic CVCA certificates are returned.
Response: javax.activation.DataHandler[] certificateChain

RequestCertificate
Description: Submits a DVCA certificate request for processing.
The certificate request can be for any country registered at the domestic SPOC.
The SPOC service will route it accordingly.
Request processing may be synchronous or asynchronous (pending result), and
the calling application must cope with either result. Pending results occur because
not all jurisdictions support automatic processing of DVCA certificate requests,
particularly initial certificate requests.
Request: javax.activation.DataHandler CertificationRequest
Response:
• com.entrust.cvcaws.axis2.ResultCode. Returns one of the following:
– ResultCode.success
Indicates the certificate was returned successfully.
– ResultCode.pending
Indicates the request is being processed asynchronously. The calling routine
should poll the Web service (repeat the request) until a certificate is
returned.
– ResultCode.failure
The certificate was not returned.
• org.apache.axis2.databinding.types.PositiveInteger PollingInterval. If polling is
required, this returns the recommended time in seconds to wait before retrying the
certificate request.
• javax.activation.DataHandler Certificate. The issued certificate, returned when
the result code is ResultCode.success.
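The pending result is the part of RequestCertificate that client code most often gets wrong: a DVCA client has to keep re-submitting the same request, honour PollingInterval, and still bound how long it waits and how far it lets the peer push the interval out. The following is an added example and not Entrust code: the SOAP transport is left out and the service is modelled as a callable that returns the three documented result values, with a constructed stand-in that answers pending twice and then returns a certificate. The retry loop injects its sleep and clock so the behaviour can be exercised without waiting; the default 30-second interval used when the service sends none, and the 600-second clamp, are this example's own choices. A helper for the mutually authenticated TLS context the service requires is included but, since it needs real key and certificate files, is not exercised by the demo.

```python
"""Added example: a client-side polling loop for the RequestCertificate
operation with a constructed stand-in for the SPOC Domestic Web Service.
Not Entrust code; the SOAP transport is omitted and the service is modelled
as a callable returning the three documented result values."""
import ssl
import time
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class ResultCode(Enum):
    SUCCESS = "success"
    PENDING = "pending"
    FAILURE = "failure"


@dataclass
class Reply:
    result: ResultCode
    polling_interval: Optional[int] = None  # seconds; meaningful only for PENDING
    certificate: Optional[bytes] = None     # meaningful only for SUCCESS


class RequestFailed(Exception):
    pass


class RequestTimedOut(Exception):
    pass


def request_certificate(call: Callable[[bytes], Reply], csr: bytes,
                        max_wait: float = 3600, max_interval: int = 600,
                        sleep=time.sleep, clock=time.monotonic) -> bytes:
    """Repeat the request until the SPOC returns a certificate or rejects it.
    A PENDING reply is retried after the advertised PollingInterval, clamped to
    max_interval so the peer cannot stall the client indefinitely, and never
    past the max_wait deadline. The 30 s default is this example's assumption."""
    deadline = clock() + max_wait
    while True:
        reply = call(csr)
        if reply.result is ResultCode.SUCCESS:
            if not reply.certificate:
                raise RequestFailed("success reported without a certificate")
            return reply.certificate
        if reply.result is ResultCode.FAILURE:
            raise RequestFailed("SPOC reported failure for the request")
        interval = reply.polling_interval if reply.polling_interval and reply.polling_interval > 0 else 30
        interval = min(interval, max_interval)
        if clock() + interval > deadline:
            raise RequestTimedOut(f"request still pending after {max_wait} s")
        sleep(interval)


class FakeSpoc:
    """Constructed stand-in: answers PENDING for a number of rounds, then SUCCESS."""

    def __init__(self, pending_rounds: int = 2, cert: bytes = b"CONSTRUCTED-DV-CERT"):
        self.pending_rounds, self.cert, self.calls = pending_rounds, cert, 0

    def __call__(self, csr: bytes) -> Reply:
        self.calls += 1
        if self.calls <= self.pending_rounds:
            return Reply(ResultCode.PENDING, polling_interval=5)
        return Reply(ResultCode.SUCCESS, certificate=self.cert)


def make_mtls_context(client_cert: str, client_key: str, spoc_ca_bundle: str) -> ssl.SSLContext:
    """TLS context for the mutually authenticated connection the service requires:
    present the SPOC-CA-issued client profile and trust only the SPOC CA for the
    server side. File paths are assumptions; not exercised by the demo below."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=spoc_ca_bundle)
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    waits = []
    spoc = FakeSpoc()
    cert = request_certificate(spoc, b"constructed CSR", max_wait=60,
                               sleep=waits.append, clock=lambda: 0.0)
    print(f"certificate after {spoc.calls} calls, waited {waits}: {cert!r}")
```

Replacing `FakeSpoc` with a real SOAP call that maps the response elements onto `Reply` is the only change needed to use the loop against a live service; keep the deadline and interval clamp, since an initial request that a jurisdiction processes manually can stay pending for a long time.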

Section 10
Document Verifier section

This section provides instructions for installing a Document Verifier (DV), installing
and configuring Administration Services, and administering the Document Verifier.
This section includes the following chapters:
• “Installing a Document Verifier” on page 1295
• “Deploying DV Administration” on page 1305
• “Deploying the DV Certificate Key Management Service” on page 1379
• “Deploying the DV Web Service” on page 1411
• “Configuring DV Administration” on page 1447
• “Configuring the DV Certificate Key Management Service” on page 1475
• “Configuring the DV Web Service” on page 1493
• “Administering a Document Verifier” on page 1517
• “Customizing DV Administration” on page 1633
• “Localizing DV Administration” on page 1645
• “DV command quick reference” on page 1655

47 Installing a Document Verifier


Before you can administer a Document Verifier, you must install a Document Verifier.
Installing a Document Verifier requires that you install, configure and initialize
Security Manager as a Document Verifier.

Note:
Configuring Security Manager as a Document Verifier is required for an Extended
Access Control (EAC) system. For a Basic Access Control (BAC)-only system, you
only need to configure Security Manager as an X.509 CA. In an Entrust BAC
system, you use the X.509 CA to create a profile for the DV Web Service, a DV
service provided by Administration Services.

This chapter includes the following topics:


• “Installing and configuring Security Manager” on page 1296
• “Configuring Document Verifier license information” on page 1302
• “Initializing a Document Verifier” on page 1303

Installing and configuring Security Manager
Before installing Security Manager, ensure that you read all preinstallation
information described in the Security Manager 8.3 Installation Guide. Ensure that
you install and configure a supported LDAP directory and database as described in
the Security Manager 8.3 Installation Guide.
When using the countryName (c=) directory attribute to specify a two-letter country
code, the two-letter country code must be in uppercase characters to meet the ISO
3166 standard.
This chapter contains the following sections:
• “Installing and configuring Security Manager on Windows” on page 1296
• “Installing and configuring Security Manager on Linux” on page 1298

Installing and configuring Security Manager on Windows


Install, configure, and initialize Security Manager according to the instructions in the
Security Manager 8.3 Installation Guide. Before you can configure Security Manager
as a Document Verifier (DV), you must configure it as an X.509 Certification
Authority (CA). You must configure it as a CA so you can create users and profiles to
administer the Document Verifier.
The following procedure provides information about installing and configuring
Security Manager as a Document Verifier, and includes special instructions for
deployments that contain Administration Services.

Attention:
Not all Security Manager client applications support all the algorithms that you
can select when configuring Security Manager. When configuring Security
Manager, ensure that you select algorithms supported by all the client
applications that you plan to use.

To install and configure Security Manager on Windows


1 Install and configure Security Manager as described in the Security Manager 8.3
Installation Guide.
When configuring Security Manager, configure the following options:
a On the Security Manager License Information page, enter your Security
Manager license information that was provided to you by Entrust.

Note:
If you do not enter DV license information, Security Manager does not prompt
you to configure and initialize a DV. To configure and initialize a DV after
initializing Security Manager, see “Initializing a Document Verifier” on
page 1303.

For Document Verifiers, enter the DV license information into the DV for
Inspection Systems tab.
The CVCA for Domestic DVs and CVCA for Foreign DVs tabs are for CVCAs
that manage Document Verifiers. If you mistakenly enter license information
into these tabs, click Clear Values to reset the license information.
b If you plan on using Administration Services to administer the Document
Verifier, select algorithms that are supported by Administration Services.
See the Administration Services Release Notes for information about which
algorithms are supported by Administration Services.
c For CA Type, click Root CA to configure the Certification Authority as a root
CA.
You can only configure a root CA as a Document Verifier. If you entered DV
license information earlier, you can only configure a root CA.
2 If you entered DV license information, the Configuration Information for DV
dialog box appears.

To configure the Document Verifier:


a In the Country drop-down list, select your country.

Your country’s ISO 3166-1 ALPHA-2 country code appears in the Country
Code field. If you select User Defined Country Code, you can enter your own
country code into the Country Code field.
b In the Mnemonic Label field, enter a unique label for the Document Verifier.
The label must be between one and nine ISO 8859-1 Latin-1 characters. The
country code and the mnemonic together form the Document Verifier identity.
When entering a mnemonic label, only characters supported by the Regional
and Language Options can be entered natively. If you want an accented
character but your ANSI code page does not support it, you cannot enter or
paste it into the text field. You must enter it as escaped UTF-8. For example,
enter Liberté as Libert\C3\A9. For more information, see knowledge
article 43715 (formerly TN7478) on Entrust Datacard TrustedCare at
https://trustedcare.entrustdatacard.com.
c In the Terminal Authentication Algorithm drop-down list, select a terminal
authentication algorithm.
d Click Next to continue.
3 Initialize Security Manager as described in the Security Manager 8.3 Installation
Guide.
4 Install the latest Security Manager patches.
5 (Optional.) Install Security Manager Administration according to the instructions
in the Security Manager Administration User Guide.
Security Manager Administration is the graphical interface for Security Manager.
For information about Security Manager Administration, see the Security
Manager Administration User Guide.

Installing and configuring Security Manager on Linux


Install, configure, and initialize Security Manager according to the instructions in the
Security Manager 8.3 Installation Guide. Before you can configure Security Manager
as a Document Verifier (DV), you must configure it as an X.509 Certification
Authority (CA). You must configure it as a CA so you can create users and profiles to
administer the Document Verifier.
The following procedure provides information about installing and configuring
Security Manager as a Document Verifier, and includes special instructions for
deployments that contain Administration Services.

1298 Entrust® ePassport 3.00 Solutions Guide Document issue: 5.0
Attention:
Not all Security Manager client applications support all the algorithms that you
can select when configuring Security Manager. When configuring Security
Manager, ensure that you select algorithms supported by all the client
applications that you plan to use.

To install and configure Security Manager on Linux


1 Install and configure Security Manager as described in the Security Manager 8.3
Installation Guide.
When configuring Security Manager, configure the following options:
a When prompted to enter your licensing information, enter your Security
Manager license information that was provided to you by Entrust.

Note:
If you do not enter DV license information, Security Manager does not prompt
you to configure and initialize a DV. To configure and initialize a DV after
initializing Security Manager, see “Initializing a Document Verifier” on
page 1303.

Do not enter license information for the following prompts. These prompts
are for CVCA licenses. If you enter information into these prompts, you
cannot configure a Document Verifier.
Enter the CVCA licensing information for domestic DVs that
appears on your Entrust licensing card. This is optional at
this time. The information may be added at a later date by
modifying the entmgr.ini file.
Domestic DV Serial Number:
Domestic DV User Limit:
Domestic DV Licensing Code:

Enter the CVCA licensing information for foreign DVs that
appears on your Entrust licensing card. This is optional at
this time. The information may be added at a later date by
modifying the entmgr.ini file.
Foreign DV Serial Number:
Foreign DV User Limit:
Foreign DV Licensing Code:

Enter license information for the following prompts. These prompts are for
your Document Verifier license.
Enter the DV licensing information for Inspection Systems that
appears on your Entrust licensing card. This is optional at
this time. The information may be added at a later date by
modifying the entmgr.ini file.
IS Serial Number:
IS User Limit:
IS Licensing Code:
b If you plan on using Administration Services to administer the Document
Verifier, select algorithms that are supported by Administration Services.
See the Administration Services Release Notes for information about which
algorithms are supported by Administration Services.
c Security Manager will prompt you to configure the CA as a root CA or a
subordinate CA:
A hierarchy of CAs comprises several CAs linked into a tree
structure. There is a single CA which unites the tree into a
single structure. This CA is the "Root CA". A CA which does not
participate in a hierarchy is also referred to as a "Root CA"
since it may have subordinates at some time in the future. Any
other CA in the hierarchy is called a "Subordinate CA".

Choose the type of CA you wish to configure.


Select one of the following:
1. Root CA
2. Subordinate CA
[1] >
Enter 1 to configure the CA as a root CA.
You can only configure a root CA as a Document Verifier. If you entered
Document Verifier license information earlier, you can only configure a root
CA.
2 If you entered DV license information:
a Security Manager prompts you to configure the Document Verifier:
The following information is required to initialize your DV.
Country Code :
Enter your country’s ISO 3166-1 ALPHA 2 country code. The country code
and the mnemonic form the DV identity.
b Security Manager prompts you for a mnemonic label:

Mnemonic Label (1-9 Latin-1 characters) :
Enter a unique label for the Document Verifier. The label must be between
one and nine ISO 8859-1 Latin-1 characters. The country code and the
mnemonic form the DV identity.
If your keyboard layout does not support Latin-1 characters, you must enter
accented characters as escaped UTF-8. For example, enter Liberté as
Libert\C3\A9. If you want to enter a backslash (\) that is not part of an
escaped UTF-8 sequence, you must enter it as two backslashes (\\).
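The label-escaping rule above, which applies to both the Windows and the Linux procedure, as an added example in Python (not Entrust code): it validates the 1-9 Latin-1 character limit, produces the escaped UTF-8 form the prompt expects, and decodes a typed value back so an operator can confirm which label the DV identity will actually carry.

```python
r"""Escaping a Document Verifier mnemonic label as escaped UTF-8.

Added example, not Entrust code. It applies the rules the guide gives for
the Mnemonic Label prompt: the label is 1-9 ISO 8859-1 (Latin-1)
characters; an accented character the console or code page cannot accept
is typed as the \XX hex form of each of its UTF-8 bytes (Liberte with an
acute e becomes Libert\C3\A9); a literal backslash is typed as \\.
"""
import re

MAX_LABEL_LEN = 9


def validate_label(label: str) -> str:
    """Raise ValueError unless label is 1-9 Latin-1 characters; return it."""
    if not 1 <= len(label) <= MAX_LABEL_LEN:
        raise ValueError(
            f"label must be 1-{MAX_LABEL_LEN} characters, got {len(label)}")
    non_latin1 = [c for c in label if ord(c) > 0xFF]
    if non_latin1:
        raise ValueError(f"not ISO 8859-1 characters: {non_latin1!r}")
    return label


def escape_label(label: str) -> str:
    """Return what to type at the prompt for a label containing characters
    that the keyboard layout or ANSI code page cannot enter natively."""
    validate_label(label)
    parts = []
    for ch in label:
        if ch == "\\":
            parts.append("\\\\")          # a literal backslash is doubled
        elif ord(ch) < 0x80:
            parts.append(ch)              # plain ASCII passes through unchanged
        else:
            # every UTF-8 byte of the character becomes \XX (upper-case hex)
            parts.append("".join(f"\\{b:02X}" for b in ch.encode("utf-8")))
    return "".join(parts)


# Tokens of the typed form: a doubled backslash, an escaped byte, or any
# other single character (a stray lone backslash is caught below).
_TOKEN = re.compile(r"\\\\|\\([0-9A-Fa-f]{2})|.", re.DOTALL)


def unescape_label(typed: str) -> str:
    """Decode the typed form back to the label and re-check the length and
    character-set rules that the resulting DV identity must satisfy."""
    raw = bytearray()
    for m in _TOKEN.finditer(typed):
        token = m.group(0)
        if token == "\\\\":
            raw.append(ord("\\"))
        elif m.group(1) is not None:
            raw.append(int(m.group(1), 16))
        elif token == "\\":
            raise ValueError("stray backslash: type a literal backslash as \\\\")
        else:
            raw.extend(token.encode("utf-8"))
    try:
        label = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError(f"escaped bytes are not valid UTF-8: {exc}") from None
    return validate_label(label)


if __name__ == "__main__":
    for label in ("Liberté", "EPASS", "a\\b"):
        typed = escape_label(label)
        print(f"{label!r} -> type {typed!r} -> decodes to {unescape_label(typed)!r}")
```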
3 Initialize Security Manager as described in the Security Manager 8.3 Installation
Guide.
4 Install the latest Security Manager patches.
5 (Optional.) Install Security Manager Administration according to the instructions
in the Security Manager Administration User Guide.
Security Manager Administration is the graphical interface for Security Manager.
For information about Security Manager Administration, see the Security
Manager Administration User Guide.

Configuring Document Verifier license information
If you want to initialize a Document Verifier (DV) and you already initialized Security
Manager, or if you purchased new DV license information from Entrust, complete the
following procedure to add or change the DV license information.

To configure Document Verifier license information


1 Open the entmgr.ini file. For information about this file, see the Security
Manager Operations Guide.
2 Find the [Authorization] section.
3 Enter the Document Verifier license into the following settings:
ISSerialNumber=
ISUserLimit=
ISKey=
4 Save and close the file.
5 If Security Manager is running, stop and then start the Security Manager service.
See the Security Manager Operations Guide for details.

Initializing a Document Verifier
If you are configuring Security Manager as a Document Verifier (DV), you must
initialize the DV after you initialize Security Manager (see the Security Manager
Installation Guide). You cannot initialize both a DV and a CVCA with the same
Security Manager. You cannot initialize a DV on a Security Manager configured as a
subordinate CA.
To initialize a Document Verifier, you must have DV license information in the
entmgr.ini file. See “Configuring Document Verifier license information” on
page 1302 for information about configuring the DV license information.

To initialize a DV
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 At the prompt, enter
dv init <country code> <mnemonic>
Where:
• <country code> is an ISO 3166-1 ALPHA-2 country code.
• <mnemonic> is a unique label for the DV certificate. The label must be
between one and nine ISO 8859-1 Latin-1 characters.
3 If the services are running, Security Manager prompts you to restart the services:
This will restart the services. proceed (y/n) ? [y]
Enter y to restart the services.
You have now initialized a DV.

48

Deploying DV Administration
This chapter describes how to deploy DV Administration. DV Administration is a
service provided by Entrust Authority Administration Services.
DV Administration is a Web-based interface for administering a Document Verifier.
DV administrators use DV Administration to manage DV certificates and certificate
requests, Inspection Systems, and Inspection System certificates and certificate
requests.
This chapter includes the following sections:
• “Deployment overview” on page 1306
• “Installing and configuring the Web server (optional)” on page 1307
• “Synchronizing Administration Services and Security Manager time settings”
on page 1310
• “Creating DV Administration Server credentials” on page 1311
• “Creating DV Administration XAP credentials” on page 1315
• “Checking the entrust.ini file” on page 1318
• “Installing DV Administration” on page 1320
• “Completing the Microsoft IIS front-end configuration for DV
Administration” on page 1351
• “Completing the Apache HTTP Server front-end configuration for DV
Administration” on page 1358
• “Configuring DV Administration to connect to the DVCA” on page 1364
• “Creating or modifying a user policy for DV administrators” on page 1368
• “Creating roles for DV administrators” on page 1371
• “Creating DV administrators” on page 1373
• “Testing DV Administration” on page 1377

Deployment overview
Deploying DV Administration includes the following steps. Each step is described in
further detail in this chapter.
1 Review the list of supported operating systems, Web servers, and Web browsers.
See the Entrust Authority Administration Services Release Notes. The most
recent Release Notes are posted on Entrust Datacard TrustedCare.
2 Install, configure, and test a supported Web server (see “Installing and
configuring the Web server (optional)” on page 1307).
3 Synchronize the application server and Security Manager Certification Authority
time setting (see “Synchronizing Administration Services and Security Manager
time settings” on page 1310).
4 Create Entrust profiles for Administration Services:
• “Creating DV Administration Server credentials” on page 1311
• “Creating DV Administration XAP credentials” on page 1315
5 Check the settings in the entrust.ini file (see “Checking the entrust.ini file” on
page 1318).
6 Install DV Administration (see “Installing DV Administration” on page 1320).
7 If you configured DV Administration to use a front-end Web server, you
must complete the front-end configuration:
• “Completing the Microsoft IIS front-end configuration for DV
Administration” on page 1351
• “Completing the Apache HTTP Server front-end configuration for DV
Administration” on page 1358
8 Create or modify a user policy for DV administrators (see “Creating or modifying
a user policy for DV administrators” on page 1368).
The client policy (user policy) assigned to the roles used by DV administrators
must allow external authentication and optionally PKCS #12 export.
9 Create new roles for DV administrators (see “Creating roles for DV
administrators” on page 1371).
The operations that administrators can perform in DV Administration depend on
the administrator’s role. You can use existing pre-defined roles, or create new
roles for your DV administrators.
10 Create a user entry in Security Manager for each DV administrator (see “Creating
DV administrators” on page 1373).
11 Test that DV Administration was installed correctly (see “Testing DV
Administration” on page 1377).

Installing and configuring the Web server (optional)
DV Administration consists of application server components and optional Web server
components. The Web server components allow you to configure a front-end Web
server so requests go through a Web server instead of directly to the application
server.
Before installing and configuring a supported Web server, familiarize yourself with the
specific security requirements for Administration Services. For a list of supported Web
servers, see the Administration Services Release Notes.
You must install the Web server software according to the documentation provided
with the product. It is recommended that you create and maintain a dedicated Web
server instance for Administration Services.
After successfully installing the Web server, perform the tasks listed in the following
sections:
• “Enabling SSL on your Web server” on page 1307
• “Testing the SSL-enabled Web server” on page 1308
• “Microsoft IIS features required for Administration Services” on page 1308
• “Configuring the VirtualHost directive on Apache HTTP Server” on
page 1309

Enabling SSL on your Web server


Enable Secure Sockets Layer (SSL) encryption on your Web server to secure the
connection between the client’s Web browser and Administration Services. SSL is an
application layer protocol used to protect the confidentiality and security of data
transmitted over the Internet.

Note:
Web Server SSL certificates must be issued by a Certification Authority.
Self-signed certificates are not supported.

You need a Web server certificate to enable SSL on your Web server. You can use the
following Entrust products to obtain Web server certificates:
• To generate large numbers of licensed Web server certificates, use Entrust
Authority Enrollment Server for Web.

Enrollment Server for Web is a Security Manager client application that runs
on a Web server, and allows you to create Web certificates that are signed
by your own CA.
• To issue small numbers of licensed Web server certificates, use Entrust
Certificate Management Services.
Entrust Certificate Management Service provides you with flexible certificate
options, auditing and reporting tools, and on-demand services for your SSL
certificate needs. To find out more, see the Web site at
https://www.entrustdatacard.com/products/ssl-certificates/certificate-management.
• You can also use Security Provider for Windows to generate licensed
Enterprise Web server certificates for machines.
Using Entrust Entelligence Security Provider for Windows to generate
Enterprise Web server certificates allows IIS to communicate with Security
Provider to automatically update the Web server certificate. For details, see
the Entrust Entelligence Security Provider for Windows Administration
Guide.
When you configure your Web server, it is recommended that you enforce 128-bit
encryption for Web browsers accessing your Web server. To enable SSL encryption,
enable server authentication on your Web server using the instructions provided in
your Web server documentation.

Testing the SSL-enabled Web server


Test the SSL connection between the Web server and client browser to ensure that
the Web server was properly installed and configured.

To test the Web server


1 Enter your Web site’s URL from your client’s Web browser and use https instead
of http.
2 Check for the secure connection icon—either a solid key or closed lock—at the
bottom of the browser window.
The secure connection icon on your Web site assures you that SSL encryption was
properly enabled on your Web server.

Microsoft IIS features required for Administration Services


To run on Microsoft Internet Information Services (IIS), Administration Services
requires the following IIS features:
• IIS Management Console
• Static Content

• Default Document
• ISAPI Extensions
• ISAPI Filters
See your Microsoft IIS documentation for information about installing these features.

Configuring the VirtualHost directive on Apache HTTP Server


When installing the Administration Services Web components on Apache HTTP
Server, the installer will prompt you to provide the host name and SSL port of the Web
server. The installer will use this host name and SSL port and look for any entries in
the form of <VirtualHost server:port> in the httpd.conf file, followed by the
httpd-ssl.conf file.
If the installer does not find any entries, it will display a warning at the end of the
installation, and you must manually configure the Web server for Administration
Services.
To avoid these errors, you must use the <VirtualHost server:port> format when
configuring SSL as described in the Apache HTTP Server documentation. If the server
or port is absent from the <VirtualHost> directive, the installer cannot configure
Apache HTTP Server for Administration Services.
The search for the <VirtualHost server:port> by the installer is also case-sensitive,
so when entering the fully qualified host name of the Web server into the installer,
enter the host name exactly as it appears in the configuration file.
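As an added example (not the Entrust installer), the following Python check reproduces the lookup described above against httpd.conf and httpd-ssl.conf contents constructed here, and reports the wildcard and letter-case near misses that would make the installer warn. Skipping commented-out directives is this script's assumption.

```python
"""Pre-flight check for the <VirtualHost server:port> lookup that the
Administration Services installer performs on Apache HTTP Server.

Added example, not Entrust's installer. httpd.conf is searched, then
httpd-ssl.conf, for a directive of the exact, case-sensitive form
<VirtualHost server:port>. Wildcard addresses and host names in a different
letter case do not count and are reported as near misses.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Files the installer consults, in the order the guide gives.
SEARCH_ORDER = ("httpd.conf", "httpd-ssl.conf")

# Apache accepts the directive name in any case; the address list between
# the name and ">" may hold several host:port entries.
_DIRECTIVE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)


@dataclass
class VHostCheck:
    wanted: str
    found_in: Optional[str] = None            # file holding the exact match
    near_misses: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.found_in is not None


def check_virtualhost(configs: Dict[str, str], host: str, port: int) -> VHostCheck:
    """configs maps file name -> file contents (read from the Apache conf
    directory in real use); host is the FQDN typed into the installer."""
    wanted = f"{host}:{port}"
    result = VHostCheck(wanted)
    for name in SEARCH_ORDER:
        text = configs.get(name)
        if text is None:
            result.near_misses.append(f"{name}: file not present")
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith("#"):
                continue                      # assumption: disabled directives are ignored
            m = _DIRECTIVE.match(line)
            if not m:
                continue
            for addr in m.group(1).split():
                base, _, addr_port = addr.rpartition(":")
                where = f"{name}:{lineno}"
                if addr == wanted:
                    result.found_in = result.found_in or name
                elif addr.lower() == wanted.lower():
                    result.near_misses.append(
                        f"{where}: {addr} differs from {wanted} only in case; "
                        "the installer's search is case-sensitive")
                elif addr_port != str(port):
                    if base.lower() == host.lower():
                        result.near_misses.append(
                            f"{where}: {addr} uses a different port than {port}")
                elif base in ("*", "_default_"):
                    result.near_misses.append(
                        f"{where}: {addr} is a wildcard; the installer needs "
                        f"the explicit form <VirtualHost {wanted}>")
    return result


# Constructed sample configurations (not from any real deployment).
NEEDS_FIXING = {
    "httpd.conf": "Listen 80\n<VirtualHost *:80>\n</VirtualHost>\n",
    "httpd-ssl.conf": (
        "Listen 443\n"
        "#<VirtualHost appserver.example.com:443>\n"   # disabled, ignored
        "<VirtualHost _default_:443>\n"
        "    SSLEngine on\n"
        "</VirtualHost>\n"
        "<VirtualHost APPSERVER.example.com:443>\n"
        "    SSLEngine on\n"
        "</VirtualHost>\n"
    ),
}

READY = {
    "httpd.conf": "Listen 80\n<VirtualHost *:80>\n</VirtualHost>\n",
    "httpd-ssl.conf": (
        "Listen 443\n"
        "<VirtualHost appserver.example.com:443>\n"
        "    ServerName appserver.example.com:443\n"
        "    SSLEngine on\n"
        "</VirtualHost>\n"
    ),
}

if __name__ == "__main__":
    for label, cfg in (("needs fixing", NEEDS_FIXING), ("ready", READY)):
        res = check_virtualhost(cfg, "appserver.example.com", 443)
        print(f"{label}: ok={res.ok} found_in={res.found_in}")
        for note in res.near_misses:
            print("  -", note)
```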

Synchronizing Administration Services and Security Manager time settings
Before or after installing Security Manager and Administration Services, you must
synchronize the time settings on all machines. The Timestamp servlet marks all client
browser messages with a time stamp. The local clock on the Administration Services
machine provides the time stamp for the Timestamp servlet.
The Timestamp servlet component of Administration Services requires all machines to
have synchronized time settings, within a five minute window. If Security Manager
and Administration Services time settings are greater than five minutes apart, the
following message may appear:
The XAP message has an expired timestamp. The message contained a
timestamp that was outside the server’s acceptance window. Make
sure that the source used to obtain message timestamps is
synchronized with the server’s time.
You can use Network Time client applications (or another method approved by your
organization) to synchronize the time settings of Security Manager and all
Administration Services machines to within a five minute time window.

Creating DV Administration Server credentials

Note:
You need to create a DV Administration Server profile only if you will not use a
front-end Web server with DV Administration. The Administration Services
installer will not prompt you for a DV Administration Server profile if you
configure the application server components for a front-end Web server.

DV Administration requires a server profile. The Administration Services installer will
prompt you for the profile when you install DV Administration. The DV
Administration Server profile is used to terminate SSL connections coming from
clients of the service.
For details about creating DV Administration Server profiles, see the following topics:
• “Creating a user entry for a DV Administration Server profile” on page 1311
• “Creating a DV Administration Server profile” on page 1313
• “Updating the DV Administration Server profile keys” on page 1314

Creating a user entry for a DV Administration Server profile


You must create a user entry in Security Manager for the DV Administration Server
profile. You can use Security Manager Administration to create a user entry for the
DV Administration Server profile.
For more information about creating users with Security Manager Administration, see
the Security Manager Administration User Guide.

To create a user entry for the DV Administration Server profile using Security
Manager Administration
1 Log in to Security Manager Administration for the DVCA.
2 Select User > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.

b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
4 Click the General tab.
5 In the User role drop-down list, select Server Login.
6 Click the Certificate Info tab.
7 In the Category drop-down list, select Enterprise.
8 Under Certificate Type, select Default.
9 Click the Key Update Options tab.
10 Select Use default key update policy. By default, this option is already selected.
11 Click OK.
12 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
Security Manager Administration displays the reference number and
authorization code required to create the DV Administration Server profile.
Record these activation codes in a secure manner, as you will require them later
to create and activate the user’s Entrust digital ID. For more details about how
the Registration number and Authorization codes are used, see the Security
Manager Administration User Guide.
13 You must add the host name of the server hosting the Administration Services
application server to the user entry:
a In the right pane, select the user you just created and then select Users >
Selected User > Properties.
b Click the SubjectAltName tab.
c Click Add.
The Add subjectAltName component dialog box appears.
d In the Select component name list, select DNS Name.
e In the Enter component value field, enter the Fully Qualified Domain Name
(FQDN) of the server hosting the Administration Services application server
(for example, appserver.example.com).
f Click OK to add the DNS name and close the Add subjectAltName
component dialog box.
g Click OK to save the changes.

h If prompted, authorize the operation. The operation may require more than
one authorization. See the Security Manager Administration User Guide for
details.
You have now created the user entry for the DV Administration Server profile.
Proceed to “Creating a DV Administration Server profile” on page 1313.

Creating a DV Administration Server profile


The DV Administration Server profile can be stored on software (as an EPF file) or on
a hardware security module. You can use one of the following applications to create
the DV Administration Server profile:
• Profile Creation Utility
The Profile Creation Utility can create the profile on software or hardware.
For instructions, see the Administration Services Installation Guide.
• Security Manager Administration
When using Security Manager Administration to create the profile, you must
create the profile on software. For instructions, see the following procedure.

To create a DV Administration Server profile using Security Manager Administration
1 Create a user entry for the DV Administration Server profile (see “Creating a user
entry for a DV Administration Server profile” on page 1311).
2 In the right pane, select the user entry you just created and then select Users >
Selected User > Create Profile.
The Create profile dialog box appears.
3 Click Create desktop profile.
4 In the Name field, enter the file name for the DV Administration Server profile.
Security Manager Administration will append the .epf extension to the file
name.
5 Click Browse to select a folder where you want to save the DV Administration
Server profile.
6 In the Password and Confirm fields, enter a password for the DV Administration
Server profile.
7 Click OK.
You can now use this profile with DV Administration. You need the profile, the profile
password, and the profile location when you install DV Administration.

Updating the DV Administration Server profile keys
It is not recommended that you copy profiles to other servers. If you do copy a profile
and the profile keys are updated at one server, copy the updated profile file to each
server.
The DV Administration Server profile keys are updated only on Administration
Services start up. You may have to schedule server restarts periodically with a
frequency that corresponds to the configured certificate lifetime.

Creating DV Administration XAP credentials
DV Administration requires a XAP profile to connect to the DVCA's XAP service and
sign XAP messages sent to the DVCA.
The DV Administration XAP profile must be an EPF file stored on software;
Administration Services does not support DV Administration XAP profiles stored on
hardware. The DV Administration XAP profile must be issued by the DVCA.
This section contains the following topics:
• “Creating a user entry for a DV Administration XAP profile” on page 1315
• “Creating a DV Administration XAP profile” on page 1316
• “Creating Server Login credentials for a DV Administration XAP profile” on
page 1317
• “Updating the DV Administration XAP profile keys” on page 1317

Creating a user entry for a DV Administration XAP profile


You must create a user entry in Security Manager for the DV Administration XAP
profile. You can use Security Manager Administration to create a user entry for the
DV Administration XAP profile.
For more information about creating users with Security Manager Administration, see
the Security Manager Administration User Guide.

To create a user entry for the DV Administration XAP profile using Security
Manager Administration
1 Log in to Security Manager Administration for the DVCA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).

4 Select the General tab.
5 In the User role drop-down list, select Server Login.
6 Select the Certificate Info tab.
7 In the Category drop-down list, select Enterprise.
8 Under Certificate Type, select Admin Services User Management External
Authenticator.
9 Click the Key Update Options tab.
10 Select Use default key update policy. By default, this option is already selected.
11 Click OK.
12 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
Security Manager Administration displays the reference number and
authorization code required to create the DV Administration XAP profile.
You have now created the user entry for the DV Administration XAP profile. You
must now create the profile on software. Storing the profile on a hardware
security module is not supported.

Creating a DV Administration XAP profile


The DV Administration XAP profile must be an EPF file stored on software;
Administration Services does not support DV Administration XAP profiles stored on
hardware.
You can use one of the following applications to create the DV Administration XAP
profile:
• Profile Creation Utility
For instructions, see the Administration Services Installation Guide.
• Security Manager Administration
For instructions, see the following procedure.

To create a DV Administration XAP profile using Security Manager Administration
1 Create a user entry for the DV Administration XAP profile (see “Creating a user
entry for a DV Administration XAP profile” on page 1315).
2 In the right pane, select the user entry you just created and then select Users >
Selected User > Create Profile.
The Create profile dialog box appears.
3 Click Create desktop profile.

4 In the Name field, enter the file name for the DV Administration XAP profile.
Security Manager Administration will append the .epf extension to the file
name.
5 Click Browse to select a folder where you want to save the DV Administration
XAP profile.
6 In the Password and Confirm fields, enter a password for the DV Administration
XAP profile.
7 Click OK.
You can now use this profile with Administration Services. You need the profile when
you add the Managed CA to Administration Services.

Creating Server Login credentials for a DV Administration XAP profile
After creating a DV Administration XAP profile, you must create an Unattended Login
file (UAL file) for the DV Administration XAP profile. UAL files are also called Server
Login credentials. Server Login credentials allow Administration Services to log in to
the profile without a plaintext password; the profile password is encrypted in the UAL
file.
You can create Server Login credentials using the Profile Creation Utility. See the
Administration Services Installation Guide for details.
When you install DV Administration, you can add the DVCA using the installer. The
installer will prompt you for the profile and password, and will create the Server Login
credentials for you. If you add the DVCA manually after installing DV Administration,
you must create the Server Login credentials yourself.

Updating the DV Administration XAP profile keys


Administration Services will manage the DV Administration XAP profile. If the DV
Administration XAP profile requires updates, Administration Services will update the
profile automatically and make it available immediately in the service.

Checking the entrust.ini file
Obtain a copy of the entrust.ini file from a DVCA administrator.
Copy the entrust.ini file to each machine hosting the DV Administration
application server components. Note the location of this file. You will enter the path
to this file when you install Administration Services.
Complete the following instructions to ensure the entrust.ini file is properly copied
and configured for Administration Services.

To check the entrust.ini file settings


1 Open the entrust.ini file in a text editor.
2 Ensure that the file contains the following lines:
• Server=<directory_machine>+<port>
Where:
– <directory_machine> is the IPv4 address or DNS of the machine hosting
the directory.
– <port> is the LDAP port. The default port is 389.
For example:
Server=ldap.example.com+389
• Authority=<Security_Manager_machine>+<port>
Where:
– <Security_Manager_machine> is the IPv4 address or DNS name of the machine
hosting Security Manager.
– <port> is the PKIX-CMP port used by Security Manager. The default port
is 829.
For example:
Authority=securitymanager.example.com+829
• XAP=<XAP_server>+<port>
Where:
– <XAP_server> is the IPv4 address or DNS of the XAP server.
– <port> is the port used by the XAP server. The default port is 443 or 1443.
For example:
XAP=securitymanager.example.com+1443
• CA Distinguished Name=<DN_of_CA>
Where <DN_of_CA> is the distinguished name of the Certification Authority.
For example:
CA Distinguished Name=ou=CA Entry,o=Example,c=US

• SearchBase=<DN_of_searchbase>
Where <DN_of_searchbase> is the distinguished name of the default
searchbase. For example:
SearchBase=ou=CA Entry,o=Example,c=US
3 If you are using a PKCS#11 v2 hardware device, ensure that the file contains the
following lines in the [Entrust Settings] section:
CryptokiV2LibraryNT=<pkcs11 library path>
Where <pkcs11 library path> is the full path to the location of the PKCS#11
library. For example:
CryptokiV2LibraryNT=C:\Program Files\vendor1\device1.dll

Installing DV Administration
This section describes how to install DV Administration on supported Windows
operating systems. DV Administration is supported only on Windows.
When installing Administration Services, you can install both the Web server
components and application server components on a single server, or you can install
the components on separate servers.
• Installing Administration Services on a single server installs both the Web
server components and application server components on the same server.
It is strongly recommended that you do not install Administration Services on
a single server in a production environment, especially if your deployment is
exposed to the Internet. You should only install Administration Services on a
single server for testing purposes.
• Installing Administration Services on separate servers allows you to install the
application server components on one server, and the Web server
components on the server hosting your Web server.
Installing the components on separate servers is more secure than installing
them on the same server. When installing the components on separate
servers, you must select the same services for each server. Note that some
services do not have Web server components.
When you add service instances, you will install the same components (Web server
components, application server components, or both) as you installed on the server
previously. If you install services on separate servers, add the same instances to both
servers. Note that some services do not have Web server components.
DV Administration consists of application server components and optional Web
server components. The Web server components allow you to configure a front-end
Web server so requests go through a Web server instead of directly to the application
server.
This section contains the following procedures:
• “To install DV Administration application server components on Windows”
on page 1320
• “To install DV Administration Web server components on Windows” on
page 1339

To install DV Administration application server components on Windows


1 Install Administration Services 9.3. See the Administration Services 9.3
Installation Guide for instructions. When installing Administration Services:
a Select the Distributed installation type to install the application server
components and Web server components on separate servers.
b Select Application Server to install the application server components.

2 Configure Administration Services for the first time. See the
Administration Services 9.3 Installation Guide for instructions.
3 If Administration Services is already installed, stop the Administration Services
application server (Apache Tomcat).
4 Double-click the Administration Services installer.
5 The Administration Services Installer - Configuration page appears.

Click Next to continue.

6 The Configured Services page appears.

This page lists all configured services (if any). Click Next to add a new service.

7 If you have not yet configured centralized configuration, the Centralized
Configuration Settings page appears.

a Click Do Not Install Centralized Configuration. The ePassport services do
not use centralized configuration.
b Click Next.

8 The Select Services To Configure page appears.

a Select ePassport Services.


b Select Extended Access Control (EAC).
c Select Document Verifier (DV).
d Select Document Verifier Administration (DVADMIN).
e Enter the URL path for the DV Administration service into the text field. The
URL cannot contain question marks (?), forward slashes (/), backslashes (\),
less than (<), greater than (>), or pound signs (#).
For example: DVAdmin.
f DV Administration can be installed on Apache Tomcat only (the
Administration Services application server) or on both Tomcat and a Web
server. If you will install DV Administration on both Tomcat and a Web server,
select Configure the Web Server Front End.
Selecting Configure the Web Server Front End will have the installer
configure Tomcat to accept requests from the JK connector rather than
directly. Some manual configuration changes are still required after installing
DV Administration.
g Click Next to continue.

9 If you chose to have the installer configure the Web server front end, the Web
Server’s Identifier and SSL Port Number page appears.

a In the Host Name field, enter the fully qualified host name of your Web site.
For example, webserver.example.com.
b In the Port Number field, enter the SSL port number of your Web site (by
default 443).
c Click Next.

10 The Port for DV Administration Services page appears.

a In the Enter the SSL/TLS port number for the DV Administration Service
field, enter the SSL port number for the DV Administration instance (by
default 14443).
b Click Next.
If you chose to configure the Web server front-end, proceed to Step 15 on
page 1331.

11 The DV Administration Entrust.ini Location page appears.

a In the text field, enter the full path and file name of the entrust.ini file
from the Entrust CA that issued the DV Administration Server profile, or click
Choose to locate the file.
b Click Next.

12 If the entrust.ini file includes a setting specifying the full path to a valid
PKCS#11 library, the Select DV Administration Profile Type page appears.

a Select one of the following options:


– If the DV Administration Server profile is an EPF file stored on the local file
system, select Software Profile.
– If the DV Administration Server profile is stored on hardware, select
Hardware Token.
b Click Next.

13 If the DV Administration Server profile is a software profile, the DV
Administration Profile page appears.

a In the Enter the location of the DV Administration Profile field, click Choose
to locate and select the DV Administration Server profile (EPF file).
b In the Enter the Password to login to your DV Administration Profile field,
enter the password for the EPF file.
c Click Next.

14 If the DV Administration Server profile is a hardware profile, the DV
Administration Hardware Token Profile page appears.

a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the DV Administration Server profile.
b In the Enter the Password to login to your DV Administration Profile field,
enter the password for the profile.
c Click Next.

15 The Configure Managed CA page appears.

a You can configure connection to the DVCA using the installer.


– To configure the connection to the DVCA using the installer, select
Configure Managed CA Now. By default this option is already selected.
– To manually configure the connection to the DVCA later, deselect
Configure Managed CA Now.
b Click Next.
If you will not configure the connection to the DVCA using the installer, proceed
to Step 19 on page 1335.

16 If you chose to configure the connection to the DVCA using the installer, the DV
Administration Managed CA Options page appears.

a In the Enter the Managed CA name field, enter a unique name for the DVCA.

Note:
The name is a friendly name to identify the DVCA, not the DV identity.

The name must be at least four characters long, and must contain only
letters, numbers, underscores, spaces, and hyphens. At least four characters
must be a combination of uppercase letters, lowercase letters, and numbers.
b Administration Services requires connection information to the DVCA and its
LDAP directory. The installer can take the information from the DVCA’s
entrust.ini file or you can provide the information manually.
– To use the information from the DVCA’s entrust.ini file, select Use
information from entrust.ini, and then enter the full path and file name of
the entrust.ini file into the Enter the location of the entrust.ini field or
click Choose to locate the file.

– To provide the connection information manually, deselect Use information
from entrust.ini. You must provide this connection information on the next
installer page.
c Click Next.
17 If you chose to enter connection information manually, the Managed CA
Information (non-entrust.ini) page appears.

a In the Enter Manager Host Name field, enter the fully qualified domain name
of the server hosting the DVCA. For example, domain.example.com.
b In the Enter PKI Port Number field, enter the CMP port of the DVCA,
typically 829.
c In the Enter XAP Port Number field, enter the XAP port of the DVCA,
typically 443 or 1443.
d In the Enter LDAP Host Name field, enter the fully qualified domain name of
the DVCA’s LDAP directory. For example, ldap.example.com.
e In the Enter LDAP Port number field, enter the LDAP port of the directory
(typically 389).
f Click Next.

18 The DV Administration XAP Profile page appears.

a In the Enter the location of the XAP Profile field, enter the full path and file
name of the DV Administration XAP profile issued by the DVCA, or click
Choose to select the file.
b In the Enter the Password to login to your XAP Profile field, enter the
password for the DV Administration XAP profile.
c Click Next.

19 The Configure DV Administration Email Notification page appears.

a To enable email notification for DV Administration, select Enable Email
Notification for DV Administration.
If you select this option, the email notification settings are enabled.
b If you chose to enable email notification for DV Administration:
– In the Enter the SMTP Server Fully Qualified Domain Name field, enter the
fully qualified domain name of the SMTP server.
– In the SMTP Server Port field, enter the port number used by the SMTP
server (by default 25).
– In the Enter the DV Administration Email Address field, enter the email
address where administrators will receive email notification messages.
DV Administration sends messages to this address only if the event is not
meant for a particular object. For example, if an administrator performs an
action that requires another administrator’s approval, DV Administration
sends the message to this email address.
– In the Enter the DV Administration Appears From Email Address field,
enter the email address that will appear in the From field of the email
message.
c Click Next.

20 The DV Administration Configuration page appears with a summary of your
installation selections. For example:

a Check all your settings.


If you need to change anything, click Previous to return to that page and
make your changes.
b Select Configure to configure the service instance.
c Click Next to proceed with the installation.

21 After the installation is complete, the DV Administration Configuration Status
page appears. For example:

a If the installation is unsuccessful, a dialog box displays errors. See the
Administration Services Configuration Guide for possible solutions, or
contact Entrust Customer Support.
b Click Next.

22 The Configuration Complete page appears.

a Select one of the following options:


– If you are finished adding services, select End Configuration Program.
– If you want to add additional services, select Return to Configure Services.
b Click Next.

23 The Start The Service Automatically page appears.

a To use the service you just installed, you must restart the Administration
Services application server.
– To start the service automatically after exiting the installer, select Start the
service automatically. By default, this option is already selected.
– To not start the service after exiting the installer, deselect Start the service
automatically. You must manually restart Administration Services to use the
new service.
b Click Next.
You can find the URLs to all installed services in the <AS-install>/services.txt
file.

To install DV Administration Web server components on Windows


1 Install Administration Services 9.3. See the Administration Services 9.3
Installation Guide for instructions. When installing Administration Services:
a Select the Distributed installation type to install the application server
components and Web server components on separate servers.
b Select Web Server to install the Web server components.
2 Double-click the Administration Services installer.

3 The Administration Services Installer - Configuration page appears.

Click Next to continue.

4 The Configured Services page appears.

This page lists all configured services (if any). Click Next to add a new service.

5 The Select Services To Configure page appears.

a Select ePassport Services.


b Select Extended Access Control (EAC).
c Select Document Verifier (DV).
d Select Document Verifier Administration (DVADMIN).
e Enter the URL path for the DV Administration service into the text field. The
URL cannot contain question marks (?), forward slashes (/), backslashes (\),
less than (<), greater than (>), or pound signs (#).
For example: DVAdmin.
f Click Next to continue.

6 If you are installing a service for the first time, the Select the Web Server page
appears.

a Select the Web server that you will use for Administration Services.
b Click Next.

7 If you are installing a service for the first time, the Web Server’s Identifier and SSL
Port Number page appears.

a In the Web Server’s Fully Qualified Host Name or IP Address field, enter the
fully qualified host name or IPv4 address of your Web site. For example,
webserver.example.com.
b In the Web Server’s SSL Port field, enter the SSL port number of your Web
site (by default 443).
c Click Next.

8 If you selected Apache HTTP Server earlier, the Web Server Configuration File
Location page appears.

a Enter the path to the folder that contains the Web server’s configuration file
(httpd.conf file) or click Choose to select the folder that contains the file.
b Click Next to continue.

9 If you are installing a service for the first time, the Application Server’s Identifier
page appears.

a In the text field, enter the fully qualified host name or IPv4 address of the
server hosting the application server components. For example,
appserver.example.com.
b Click Next.

10 The Port for DV Administration Services page appears.

a In the Enter the SSL/TLS port number for the DV Administration Service
field, enter the SSL port number for DV Administration (by default 14443).
b Click Next.

11 The DV Administration Configuration page appears with a summary of your
installation selections. For example:

a Check all your settings.


If you need to change anything, click Previous to return to that page and
make your changes.
b Select Configure to configure the service instance.
c Click Next to proceed with the installation.

12 After the installation is complete, the DV Administration Configuration Status
page appears. For example:

a If the installation is unsuccessful, a dialog box displays errors. See the
Administration Services Configuration Guide for possible solutions, or
contact Entrust Customer Support.
b Click Next.

13 The Configuration Complete page appears.

a Select one of the following options:


– If you are finished adding services, select End Configuration Program.
– If you want to add additional services, select Return to Configure Services.
b Click Next.
14 Restart your Web server.
You can find the URLs to all installed services in the <AS-install>/services.txt
file.

Completing the Microsoft IIS front-end
configuration for DV Administration
If you installed both the application server components and Web server components
of DV Administration, the installer completed most of the work required to configure
DV Administration to be front-ended by a Web server:
• On the application server machine, the installer configured the JK connector
to accept requests from a front-end Web server instead of directly.
• On the Web server machine, the installer configured Microsoft IIS for the DV
Administration components and to forward DV Administration requests to
the application server machine. However, some additional steps must be
completed manually on Microsoft IIS to complete the Web Server front-end
configuration.
Complete the following steps in this section to complete the Microsoft IIS front-end
configuration. No additional steps are required on the server hosting the application
server components.
This section contains the following topics:
• “Assigning SSL certificates to a DV Administration Web site in Microsoft IIS”
on page 1351
• “Installing CA certificates in Microsoft IIS for DV Administration” on
page 1354

Assigning SSL certificates to a DV Administration Web site in
Microsoft IIS
When you installed the Web server components of DV Administration, the installer
created a new Web site in Microsoft Internet Information Services (IIS) for the DV
Administration instance, such as DVAdmin. The Web site is for accepting and
forwarding connections to the DV Administration instance on the application server.
You must assign a valid SSL server certificate to this Web site.
You should have already configured SSL on the Web server as described in “Installing
and configuring the Web server (optional)” on page 1307. You can use the same SSL
server certificate for the new DV Administration Web site.

To assign SSL certificates to the DV Administration Web site on Microsoft IIS


1 Log in to the server hosting Microsoft IIS.
2 Open Internet Information Services (IIS) Manager by selecting Start, then click
the down arrow to access Apps, then click Internet Information Services (IIS)
Manager.

When listed by name or category, Internet Information Services (IIS) Manager is
listed under Administrative Tools.
The Internet Information Services (IIS) Manager dialog box appears.

3 In the Connections pane, expand <computer> > Sites.


You should see the Web site for the DV Administration instance, such as
DVAdmin.
4 In the Connections pane, select the DV Administration Web site (for example,
DVAdmin).
5 In the Actions pane, under Edit, click Bindings.
The Site Bindings dialog box appears. You should see an https binding, typically
for port 14443. This port corresponds to the port you selected for the DV
Administration instance when you installed DV Administration.

6 Select the binding (for example, 14443), and click Edit.
The Edit Site Binding dialog box appears.

7 In the SSL certificate drop-down list, select a valid SSL certificate.


8 Click OK.
9 Restart the Web server:
a In the Connections pane, select the host name of your computer.
b In the Actions pane, under Manage Server, click Restart.

Installing CA certificates in Microsoft IIS for DV Administration
For the Web server to trust all client certificates, you must import all CA certificates
from the CA that will issue client certificates.
You should also install the CA certificate that issued the Web server SSL certificate if
you have not installed it already. This is required for IIS to trust the SSL certificate.

To install a CA certificate in Microsoft IIS


1 Export the root CA certificate from the Managed CA to a file and copy the CA
certificate file to the server hosting Microsoft IIS.
2 On the server hosting IIS, double-click the CA certificate file.
A Certificate dialog box appears.

3 Click Install Certificate.


The Certificate Import Wizard dialog box appears.

4 For Store Location, click Local Machine.
5 Click Next.
The Certificate Store screen appears.

6 Click Place all certificates in the following store.
7 Click Browse.
The Select Certificate Store dialog box appears.

8 Select Trusted Root Certification Authorities.
9 Click OK.
10 Click Next.
The Completing the Certificate Import Wizard page appears.

11 Click Finish.

Completing the Apache HTTP Server front-end
configuration for DV Administration
If you installed both the application server components and Web server components
of DV Administration, the installer completed most of the work required to configure
DV Administration to be front-ended by a Web server:
• On the application server machine, the installer configured the JK connector
to accept requests from a front-end Web server instead of directly.
• On the Web server machine, the installer configured Apache HTTP Server for
the DV Administration components and to forward DV Administration
requests to the application server machine. However, some additional steps
must be completed manually on Apache HTTP Server to complete the Web
Server front-end configuration.
Complete the following steps in this section to complete the Apache HTTP Server
front-end configuration. No additional steps are required on the server hosting the
application server components.
This section contains the following topics:
• “Assigning SSL certificates to a DV Administration VirtualHost in Apache
HTTP Server” on page 1358
• “Adding CA certificates to Apache HTTP Server for DV Administration” on
page 1361

Assigning SSL certificates to a DV Administration VirtualHost in
Apache HTTP Server
When you installed the Web server components of DV Administration, the installer
created a new <VirtualHost> directive in the Apache HTTP Server httpd.conf file.
You must assign a valid SSL server certificate, private key file, and CA certificate to
this <VirtualHost> directive.
You should have already configured SSL on the Web server as described in “Installing
and configuring the Web server (optional)” on page 1307. You can use the same SSL
server certificate, private key file, and CA certificate for the new <VirtualHost>
directives.

To assign SSL certificates to a DV Administration VirtualHost in Apache HTTP
Server
1 Open the Apache HTTP Server httpd.conf file in a text editor.
2 Locate the lines added by the Administration Services installer for DV
Administration. The lines should look like the following:

# Entrust AdminServices DV Admin start - DVAdmin
# Please do not remove any lines that contain Entrust AdminServices,
# removing these lines may cause problems with the install/uninstall.
SSLSessionCache none
Listen 14443
<VirtualHost webserver.example.com:14443>
...
</VirtualHost>
# Entrust AdminServices DV Admin end - DVAdmin
3 The <VirtualHost> directive added by the installer for DV Administration
includes the following settings:
SSLCertificateFile conf/ssl/TAG_SERVER_CERT
SSLCertificateKeyFile conf/ssl/TAG_SERVER_KEY
SSLCertificateChainFile conf/ssl/TAG_CA_CERT
SSLCACertificateFile conf/ssl/TAG_CA_CERT
Update these settings as follows. For more information about these settings, see
the Apache HTTP Server documentation.

Note:
If the file referenced by SSLCertificateChainFile or SSLCACertificateFile
contains too many certificates, Apache HTTP Server may fail to load all the
certificates. If the Web server fails to load all the certificates, it may be unable to
successfully maintain a session with the Web browser. To work around this issue,
you can use the SSLCACertificatePath setting instead of the
SSLCertificateChainFile or SSLCACertificateFile settings. For information
about using the SSLCACertificatePath setting, see the Apache HTTP Server
documentation.

• The SSLCertificateFile setting must specify the path and file name of a
PEM-encoded SSL server certificate. The path can be a path relative to the
Apache HTTP Server installation directory. For example:
SSLCertificateFile conf/ssl/server.crt
• The SSLCertificateKeyFile setting must specify the path and file name of
a private key file. The path can be a path relative to the Apache HTTP Server
installation directory. For example:
SSLCertificateKeyFile conf/ssl/server.key

This file should include the private key of the SSL server certificate. If the SSL
server certificate includes the private key, you can omit this setting.
• The SSLCertificateChainFile setting must specify the path and file name
of a PEM-encoded CA certificate chain file. The path can be a path relative
to the Apache HTTP Server installation directory. For example:
SSLCertificateChainFile conf/ssl/ca.crt
The CA certificates in this file form the CA certificate chain of the Web server
SSL certificate, from the issuing CA certificate to the root CA certificate. Each
CA certificate must be entered in PEM-encoded format. For example:
-----BEGIN CERTIFICATE-----
(PEM-encoding of the issuing CA certificate)
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(PEM-encoding of the intermediate CA certificate)
0ABCDEFGHIJKLMNOPQRSTUVWXYZ123456789...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(PEM-encoding of the root CA certificate)
90ABCDEFGHIJKLMNOPQRSTUVWXYZ12345678...
-----END CERTIFICATE-----
• The SSLCACertificateFile setting must specify the path and file name of
a PEM-encoded CA certificates file. The path can be a path relative to the
Apache HTTP Server installation directory. For example:
SSLCACertificateFile conf/ssl/ca-certs.crt
The CA certificates in this file are the CA certificates used for verifying client
certificates. Each CA certificate must be entered in PEM-encoded format. For
example:
-----BEGIN CERTIFICATE-----
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
0ABCDEFGHIJKLMNOPQRSTUVWXYZ123456789...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
90ABCDEFGHIJKLMNOPQRSTUVWXYZ12345678...
-----END CERTIFICATE-----

DV Administration will use this setting for verifying client certificates. See
“Adding CA certificates to Apache HTTP Server for DV Administration” on
page 1361 for more information. For DV Administration, only the DVCA will
issue client certificates.
4 Save and close the file.
5 Restart the Web server.

Adding CA certificates to Apache HTTP Server for DV
Administration
For the Web server to trust all client certificates, you must import all CA certificates
from CAs that will issue client certificates. For DV Administration, only the DVCA will
issue client certificates.
When you installed the Web server components of the NPKD services, the installer
created a new <VirtualHost> directive in the Apache HTTP Server httpd.conf file.
The <VirtualHost> directive added by the installer for DV Administration includes an
SSLCACertificateFile setting:
SSLCACertificateFile conf/ssl/TAG_CA_CERT
The SSLCACertificateFile setting must specify the path and file name of a
PEM-encoded CA certificates file. The path can be a path relative to the Apache HTTP
Server installation directory. DV Administration will use all the CA certificates in this
file for verifying client certificates.
You must create this file if it does not currently exist, and add all CA certificates to the
file. Apache HTTP Server will then trust all the client certificates issued by the CAs that
are specified in the file.

Note:
If the file referenced by SSLCACertificateFile contains too many certificates,
Apache HTTP Server may fail to load all the certificates. If the Web server fails to
load all the certificates, it may be unable to successfully maintain a session with
the Web browser. To work around this issue, you can use the
SSLCACertificatePath setting instead of the SSLCACertificateFile setting.
For information about using the SSLCACertificatePath setting, see the Apache
HTTP Server documentation.

To add CA certificates to Apache HTTP Server for DV Administration


1 Export the root CA certificate from the CA to a file. The CA certificate must be in
PEM-encoded format.

2 Copy the CA certificate file to the server hosting Apache HTTP Server.
3 If you previously created a file for the CA certificates, open that file in a text
editor. If you never created a file for CA certificates, create a new file in a text
editor.
If you previously created a file but do not remember the file name or where it is
located, open the Apache HTTP Server httpd.conf file in a text editor and locate
the following lines added by the Administration Services installer for DV
Administration:
# Entrust AdminServices DV Admin start - DVAdmin
...
# Entrust AdminServices DV Admin end - DVAdmin
The SSLCACertificateFile setting specifies the path and file name of the file:
SSLCACertificateFile conf/ssl/ca-certs.crt
You can use the same file specified by the SSLCertificateChainFile setting;
however, it is recommended that you use a different file for this setting.
4 In the file, add each CA certificate in PEM-encoded format. For example:
-----BEGIN CERTIFICATE-----
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
0ABCDEFGHIJKLMNOPQRSTUVWXYZ123456789...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
90ABCDEFGHIJKLMNOPQRSTUVWXYZ12345678...
-----END CERTIFICATE-----
5 Save and close the file.
6 If you created a new file for CA certificates:
a Open the Apache HTTP Server httpd.conf file in a text editor.
b Locate the lines added by the Administration Services installer for DV
Administration. The lines should look like the following:
# Entrust AdminServices DV Admin start - DVAdmin
# Please do not remove any lines that contain Entrust AdminServices,
# removing these lines may cause problems with the install/uninstall.
SSLSessionCache none
Listen 14443
<VirtualHost webserver.example.com:14443>
...
</VirtualHost>
# Entrust AdminServices DV Admin end - DVAdmin
c The <VirtualHost> directive added by the installer for DV Administration
includes the following setting:
SSLCACertificateFile conf/ssl/ca-certs.crt
You may have already configured this setting in “Assigning SSL certificates
to a DV Administration VirtualHost in Apache HTTP Server” on page 1358.
The SSLCACertificateFile setting must specify the path and file name of
a PEM-encoded CA certificates file. The path can be a path relative to the
Apache HTTP Server installation directory. For example:
SSLCACertificateFile conf/ssl/ca-certs.crt
Apache HTTP Server uses this setting to verify the client certificates that DV
administrators’ browsers present to DV Administration.
d Save and close the file.
7 Restart the Web server.
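The following script, added here as an example and not part of this guide or of Entrust’s software, checks a ca-certs.crt bundle of the kind built in the procedure above before the Web server is restarted. It confirms that each certificate block decodes as base64, that the DER framing of each block is complete (a truncated paste leaves a header that claims more bytes than are present), and that no certificate appears twice; it reports the count and SHA-256 fingerprints of the usable blocks. It does not parse X.509 fields, so it cannot tell a CA certificate from an end-entity certificate. The bundle embedded in it is constructed from minimal DER placeholders, not real certificates; read your own file and pass its text to audit_bundle.

```python
"""Audit a PEM bundle before pointing SSLCACertificateFile at it (added example)."""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def der_total_length(der):
    """Return the total length a DER SEQUENCE header claims, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 is the SEQUENCE tag
        return None
    first = der[1]
    if first < 0x80:                            # short-form length
        return 2 + first
    count = first & 0x7F                        # long form: number of length bytes
    if count == 0 or count > 4 or len(der) < 2 + count:
        return None
    return 2 + count + int.from_bytes(der[2:2 + count], "big")


def audit_bundle(text):
    """Return {"count", "fingerprints", "findings"} for the PEM text given."""
    report = {"count": 0, "fingerprints": [], "findings": []}
    seen = {}
    for index, body in enumerate(PEM_BLOCK.findall(text), start=1):
        try:
            der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
        except ValueError:                      # binascii.Error is a ValueError
            report["findings"].append(f"block {index}: not valid base64")
            continue
        claimed = der_total_length(der)
        if claimed is None:
            report["findings"].append(f"block {index}: not a DER SEQUENCE")
            continue
        if claimed != len(der):
            report["findings"].append(
                f"block {index}: DER length mismatch (header says {claimed}, got {len(der)} bytes)"
            )
            continue
        fingerprint = hashlib.sha256(der).hexdigest()
        if fingerprint in seen:
            report["findings"].append(f"block {index}: duplicate of block {seen[fingerprint]}")
            continue
        seen[fingerprint] = index
        report["count"] += 1
        report["fingerprints"].append(fingerprint)
    if report["count"] == 0:
        report["findings"].append("no usable certificates found")
    return report


def pem_block(der):
    """Wrap DER bytes in PEM armor, 64 characters per line."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed stand-ins, not real certificates: a minimal DER SEQUENCE and a
# copy whose header claims more bytes than are present (a truncated paste).
_GOOD = bytes.fromhex("3003020101")
_TRUNCATED = bytes.fromhex("30050201")
SAMPLE_BUNDLE = pem_block(_GOOD) + pem_block(_TRUNCATED) + pem_block(_GOOD)

if __name__ == "__main__":
    result = audit_bundle(SAMPLE_BUNDLE)
    print(f"{result['count']} usable certificate(s)")
    for finding in result["findings"]:
        print("WARNING:", finding)
```

If the count reported for your bundle is large, this is the situation in which the note above recommends SSLCACertificatePath instead of a single file.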

Configuring DV Administration to connect to the DVCA
When installing the DV Administration application server components, you had the
option to configure DV Administration to connect to the DVCA using the installer. If
you did not use the installer to configure DV Administration to connect to the DVCA,
you must manually configure the connection settings.
The following procedure describes how to manually configure DV Administration to
connect to the DVCA.

To configure DV Administration to connect to the DVCA


1 Log in to the Administration Services server hosting the application server
components.
2 Open the managed-ca.properties file in a text editor. You can find the file in the
following folder:
<AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\config
3 Add or configure the following settings:

Table 72: DV Administration connection settings to the DVCA

managedca.entrust.0.uniqueid
The unique ID for the DVCA. The value must be 0.

managedca.entrust.0.name
A unique name for the DVCA.
Note: The name is a friendly name that identifies the DVCA; it is not the DV identity.
The name must be at least four characters long and must contain only letters, numbers,
underscores, spaces, and hyphens.

managedca.entrust.0.host
The IPv4 address or fully qualified domain name of the server hosting the DVCA.

managedca.entrust.0.xapport
The XAP port of the DVCA (typically 443 or 1443).

managedca.entrust.0.pkixport
The PKIX-CMP port of the DVCA (typically 829).

managedca.entrust.0.ldap.host
The IPv4 address or fully qualified domain name of the server hosting the DVCA’s LDAP
directory.

managedca.entrust.0.ldap.port
The LDAP port of the directory (typically 389).

managedca.entrust.0.xapexternalauthepf
The full path and file name of the DV Administration XAP profile issued by the DVCA.
For information about creating DV Administration XAP profiles for the DVCA, see
“Creating DV Administration XAP credentials” on page 1315.

managedca.entrust.0.digest.algorithm
The digest algorithm used to sign XAP messages.
Permitted values:
• sha1 for SHA-1.
• sha256 for SHA-256.
DV Administration signs the XAP message using the DV administrator’s profile. If the
profile has a DSA or ECDSA key pair, set the XAP message signing algorithm to SHA-1.
For other key types, use sha256; SHA-1 is deprecated for signatures and should be kept
only where the profile key type requires it.
If not specified, the default is sha1.

managedca.entrust.0.ldap.principal
Java Naming and Directory Interface (JNDI) credentials are required to access the
DVCA’s LDAP directory when anonymous bind is not available.
This setting specifies the JNDI Principal used to connect to the directory. A JNDI
Principal is a directory user that can log in to the directory, typically a directory
administrator. Examples include:
DOMAIN\\Administrator
Administrator@example.com
cn=Administrator,ou=CA Entry,o=Example,c=US
Attention: You must escape each backslash with a second backslash, as in
DOMAIN\\Administrator. The backslash is the escape character in a properties file, so
a single backslash is consumed when the file is loaded and the principal name is
silently changed.
If this setting is absent or has no value, an anonymous bind is used to connect to the
directory.

managedca.entrust.0.ldap.credential
The password for the JNDI Principal used to connect to the directory. Administration
Services stores the password as an encrypted value.
If this setting is absent or has no value, an anonymous bind is used to connect to the
directory.

managedca.entrust.0.xap.connections.initial
The initial number of XAP connections that DV Administration opens with the DVCA when
Administration Services starts.
The number of XAP connections to the DVCA increases automatically, up to the maximum,
as the number of administrators concurrently using Administration Services increases.
If not specified, the default is 4.

managedca.entrust.0.xap.connections.max
The maximum number of XAP connections that DV Administration opens with the DVCA.
After reaching the maximum, connections are automatically closed after use. Since new
XAP messages cannot be sent to the DVCA until a connection is available, repeatedly
reaching this maximum may slow system performance.
If not specified, the default is 20.

managedca.entrust.0.xap.connections.idle.timeout
The length of time (in minutes) that DV Administration allows a XAP connection with
the DVCA to remain idle before closing it and creating a new connection.
If not specified, the default is 30 minutes.

managedca.entrust.0.xap.connections.socket.timeout
The maximum length of time (in seconds) that DV Administration waits for a DVCA to
accept a XAP connection before returning an error.
This setting prevents DV Administration from hanging indefinitely if the DVCA does not
accept the connection; for example, if the DVCA server is too busy to accept the
connection.
If not specified, the default is 60 seconds.

managedca.entrust.0.xap.debug
Controls whether extra SSL debugging information is displayed in the console.
Permitted values:
• true to display extra SSL debugging information in the console.
• false to not log extra SSL debugging information.
Note: Setting the value to false does not turn off XAP message logging. It only
controls whether extra SSL debugging information is displayed in the console.
If not specified, the global setting in the dv-config.xml file is used.

managedca.entrust.0.xap.cache.timeout
The XAP cache timeout, in minutes.
When DV Administration starts, it builds a cache of XAP connections to each of the
configured DVCAs. If a DVCA is not available during startup, DV Administration does
not add it to the cache. The XAP cache timeout controls how frequently DV
Administration checks the DVCA connections, and therefore how often the cache is
rebuilt.
If a previously unavailable DVCA becomes available again, it may take up to the value
of the XAP cache timeout before that DVCA becomes usable in DV Administration.
If not specified, the global setting in the dv-config.xml file is used.

4 Save and close the file.
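The following Python script, added here as an example and not part of this guide or of Entrust’s software, reads a managed-ca.properties file with a minimal Java-properties parser and checks the values against the constraints in Table 72: a uniqueid of 0, the name rules, valid ports, the permitted digest algorithms, backslash escaping in ldap.principal, a credential when a principal is set, and an initial connection count that does not exceed the maximum. It also shows what an unescaped backslash actually loads as. The two embedded files are constructed; the host names, paths, password and DVCA name in them are placeholders, not values from this guide.

```python
"""Check managed-ca.properties against the Table 72 constraints (added example)."""
import re

PREFIX = "managedca.entrust.0."
NAME_RE = re.compile(r"^[A-Za-z0-9_ -]{4,}$")


def unescape(value):
    # A backslash escapes the next character: "\\" -> "\", "\n" -> newline, and
    # "\x" -> "x" for anything else, which is how DOMAIN\Admin loses its backslash.
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "t": "\t", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_properties(text):
    """Return (decoded, raw) dicts of key -> value for a .properties file."""
    decoded, raw = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if match:
            key, value = match.groups()
            raw[key] = value
            decoded[key] = unescape(value)
    return decoded, raw


def has_unescaped_backslash(raw_value):
    """True if a backslash in the raw value is not doubled (and will be eaten on load)."""
    i = 0
    while i < len(raw_value):
        if raw_value[i] == "\\":
            if raw_value[i + 1:i + 2] == "\\":
                i += 2
                continue
            return True
        i += 1
    return False


def validate(text):
    """Return a list of findings; an empty list means the file passes every check."""
    decoded, raw = parse_properties(text)
    findings = []

    def get(key):
        return decoded.get(PREFIX + key, "")

    def get_int(key, default):
        value = get(key)
        if value == "":
            return default
        if not value.isdigit():
            findings.append(f"{key}: '{value}' is not an integer")
            return None
        return int(value)

    if get("uniqueid") != "0":
        findings.append("uniqueid: must be 0")
    if not NAME_RE.match(get("name")):
        findings.append("name: needs 4+ characters from letters, digits, underscore, space, hyphen")
    for key in ("host", "ldap.host", "xapexternalauthepf"):
        if not get(key):
            findings.append(f"{key}: missing")
    for key in ("xapport", "pkixport", "ldap.port"):
        port = get_int(key, None)
        if port is None and get(key) == "":
            findings.append(f"{key}: missing")
        elif port is not None and not 1 <= port <= 65535:
            findings.append(f"{key}: {port} is not a valid TCP port")
    digest = get("digest.algorithm") or "sha1"          # sha1 is the documented default
    if digest not in ("sha1", "sha256"):
        findings.append(f"digest.algorithm: '{digest}' is not sha1 or sha256")
    elif digest == "sha1":
        findings.append("digest.algorithm: sha1 in use; prefer sha256 unless the profile key is DSA or ECDSA")
    raw_principal = raw.get(PREFIX + "ldap.principal", "")
    if has_unescaped_backslash(raw_principal):
        findings.append(f"ldap.principal: unescaped backslash, loads as '{get('ldap.principal')}'")
    if get("ldap.principal") and not get("ldap.credential"):
        findings.append("ldap.credential: empty, so the bind to the directory will be anonymous")
    initial = get_int("xap.connections.initial", 4)
    maximum = get_int("xap.connections.max", 20)
    if initial is not None and maximum is not None and not 1 <= initial <= maximum:
        findings.append(f"xap.connections: initial {initial} must be between 1 and max {maximum}")
    for key, default in (("xap.connections.idle.timeout", 30), ("xap.connections.socket.timeout", 60)):
        value = get_int(key, default)
        if value is not None and value < 1:
            findings.append(f"{key}: must be positive")
    if get("xap.debug") not in ("", "true", "false"):
        findings.append("xap.debug: must be true or false")
    return findings


# Constructed files; every host, path, name and password below is a placeholder.
GOOD = r"""
managedca.entrust.0.uniqueid=0
managedca.entrust.0.name=Example DVCA
managedca.entrust.0.host=dvca.example.com
managedca.entrust.0.xapport=443
managedca.entrust.0.pkixport=829
managedca.entrust.0.ldap.host=ldap.example.com
managedca.entrust.0.ldap.port=389
managedca.entrust.0.xapexternalauthepf=C:\\entrust\\profiles\\dvadmin.epf
managedca.entrust.0.digest.algorithm=sha256
managedca.entrust.0.ldap.principal=DOMAIN\\Administrator
managedca.entrust.0.ldap.credential=placeholder-password
managedca.entrust.0.xap.connections.initial=4
managedca.entrust.0.xap.connections.max=20
"""

BAD = r"""
managedca.entrust.0.uniqueid=1
managedca.entrust.0.name=DV
managedca.entrust.0.host=dvca.example.com
managedca.entrust.0.xapport=443
managedca.entrust.0.pkixport=829
managedca.entrust.0.ldap.host=ldap.example.com
managedca.entrust.0.ldap.port=389
managedca.entrust.0.xapexternalauthepf=/opt/entrust/dvadmin.epf
managedca.entrust.0.ldap.principal=DOMAIN\Administrator
managedca.entrust.0.xap.connections.initial=30
managedca.entrust.0.xap.connections.max=20
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, validate(text) or "OK")
```

Run it against the file in the WEB-INF\config folder before restarting Administration Services; the parser is deliberately small and does not handle line continuations, so keep each setting on one line.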

Creating or modifying a user policy for DV administrators
To access the DV Administration interface, DV administrators must have a valid client
certificate installed in their Web browser and a client policy that allows XAP external
authentication. XAP external authentication is a feature where Security Manager
authorizes XAP messages, but Administration Services authenticates XAP messages.
Administration Services includes applications that allow users to create a PKCS #12
Security Store. A PKCS #12 Security Store is a digital ID stored in a PKCS #12 (P12)
file that is saved on a local disk. After creating the P12 file, administrators can then
import it into their Web browser and use it to log in to DV Administration.
To export the PKCS #12 file, administrators must have a client policy that allows PKCS
#12 export.
You can modify an existing user policy to allow PKCS #12 export and external
authentication, or create a new user policy for DV administrators to allow PKCS #12
export and XAP external authentication:
• “To modify an existing user policy to allow PKCS #12 export and XAP
external authentication” on page 1368
• “To create a new user policy to allow PKCS #12 export and XAP external
authentication by copying the Administrator Policy user policy” on
page 1369

To modify an existing user policy to allow PKCS #12 export and XAP external
authentication
1 Log in to Security Manager Administration for the DVCA.
2 In the tree view, expand Security Policy > User Policies.
3 Select the user policy to modify. For example, select Administrator Policy to
modify the user policy assigned to the predefined EAC Administrator and EAC
Auditor roles.
4 Under Policy Attributes:
a Select Allow PKCS#12 Export.
This setting allows users to export their digital ID to a PKCS #12 file.
b Select All Exportable.
This setting allows all private keys to be exported.
c (Optional.) Change the value of Minimum PKCS#12 Hash Count.
This setting specifies the minimum number of times that the user-supplied
password for the PKCS #12 file is hashed during export. You can enter a
value between 1 (very weak) and 10000 (very secure). The default value of
2000 is sufficient for most deployments; a higher count makes offline
guessing of the export password slower at the cost of a slower export.
d Select Allow use with external authentication.
This setting allows Security Manager to accept externally-authenticated
requests from administrators. Only administrators with this client policy
setting can use DV Administration.
5 Click Apply.
6 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
The roles assigned to DV administrators must be assigned this user policy. For
information about creating custom roles for DV administrators, see “Creating roles
for DV administrators” on page 1371.

To create a new user policy to allow PKCS #12 export and XAP external
authentication by copying the Administrator Policy user policy
1 Log in to Security Manager Administration for the DVCA.
2 In the tree view, expand Security Policy > User Policies.
3 Select Administrator Policy.
4 Select Policies > User Policies > Selected User Policy > Copy.
The Copy User Policy dialog box appears.
5 In the Label field, enter DV Administrator Policy.
6 In the Common name field, enter DV Administrator Policy.
7 In the Add to drop-down list, select the searchbase where you want to store the
user policy.
8 Under Policy Attributes:
a Select Allow PKCS#12 Export.
This setting allows users to export their digital ID to a PKCS #12 file.
b Select All Exportable.
This setting allows all private keys to be exported.
c (Optional.) Change the value of Minimum PKCS#12 Hash Count.
This setting specifies the minimum number of times that the user-supplied
password for the PKCS #12 file is hashed during export. You can enter a
value between 1 (very weak) and 10000 (very secure). The default value of
2000 is sufficient for most deployments; a higher count makes offline
guessing of the export password slower at the cost of a slower export.
d Select Allow use with external authentication.
This setting allows Security Manager to accept externally-authenticated
requests from administrators. Only administrators with this client policy
setting can use DV Administration.
9 Click Apply.
10 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
The roles assigned to DV administrators must be assigned this user policy. For
information about creating custom roles for DV administrators, see “Creating roles
for DV administrators” on page 1371.

Creating roles for DV administrators
The operations that administrators can perform in DV Administration depend on the
administrator’s role.
The predefined EAC Administrator role allows administrators to perform all
operations for a CVCA or DV. The predefined EAC Auditor role allows administrators
only to view information for a CVCA or a DV. You can create custom roles for your
administrators that control which operations an administrator can perform for a
CVCA or DV.
The following procedure describes how to create a new role for DV administrators.
You must create new roles in the DVCA, using Security Manager Administration. For
more information about roles and role permissions, see the Security Manager
Administration User Guide.

To create a new role for DV administrators


1 Log in to Security Manager Administration for the DVCA.
2 Select Policies > Roles > New.
A role with the name <New Role> and a blue icon appears in the tree view, and
the new role’s properties appear in the right pane.
3 Click the Role tab and then complete the following:
a In the Name field, enter a unique name for the new role.
b In the Authorizations field, enter the number of authorizations required
when a sensitive operation is performed by members of this role. The default
is 1.
When you want to queue administrator operations for additional approvals,
you must set the value to 2 or greater. Do not enter a number that exceeds
the total number of administrators, or you will not have enough
administrators to authorize operations.
c In the User Policy drop-down list, select a client policy (user policy) for the
role.
The user policy must allow external authentication and optionally PKCS #12
export. For details, see “Creating or modifying a user policy for DV
administrators” on page 1368.
4 Click the Permissions tab.
5 Under Categories, select Extended Access Control (DV) and then click
Properties.
The Administrative Permissions: EAC DV dialog box displays.
a Configure the permissions in the following categories:

– Permissions in the Anchor DV category specify the operations that role
members can perform on the anchor Document Verifier.
– Permissions in the CVCA category specify the operations that role members
can perform on trusted Country Verifying Certification Authorities
(CVCAs).
– Permissions in the IS category specify the operations that role members can
perform on trusted Inspection Systems.
For each permission, select Requires Authorization when you want to queue
the user operation for administrator approval. For more information about
these permissions, see the Security Manager Administration User Guide.
b Click OK.
6 Click the Summary tab and then click Check Dependencies.
The Permission Dependencies dialog box appears. It displays a success message if
no additional permissions are required, or a list of additional permissions you
may need to add to the role. Record any additional permissions required and add
them to the role.
7 Click Apply.
8 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
You have now created a custom role for DV administrators. You assign this role to
your administrators when you create their user accounts.

Creating DV administrators
You must create a user entry in Security Manager for each DV administrator. You can
use Security Manager Administration or the User Management Service
(Administration Services) to create the user entry.
For more information about creating users with Security Manager Administration, see
the Security Manager Administration User Guide.
For more information about creating users with the User Management Service, see
the Administration Services User Administration Guide.

To create a DV administrator using Security Manager Administration


1 Log in to Security Manager Administration for the DVCA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
d Ensure that the Create profile check box is not checked.
4 Click the General tab.
5 From the Role drop-down list, select a role for the DV administrator.
The predefined EAC Administrator role allows administrators to perform all
operations for a CVCA or DV. The predefined EAC Auditor role allows
administrators only to view information for a CVCA or a DV. You may have
created a custom role for the DV administrator in “Creating roles for DV
administrators” on page 1371.
The client policy (user policy) assigned to the role must allow external
authentication and optionally PKCS #12 export. For details, see “Creating or
modifying a user policy for DV administrators” on page 1368.
6 Select the Certificate Info tab, and then complete the following:

a In the Category drop-down list, select Enterprise.
b Under Certificate Type, select Default.
7 Click OK.
8 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
The Operation Completed Successfully message appears, which displays the
Reference number and Authorization code.
Record these activation codes in a secure manner, as they are required later to
create and activate the user’s Entrust digital ID.
For more details about how the Reference number and Authorization code are
used, see the Security Manager Administration User Guide.
You have created a user entry for a DV administrator. The DV administrator must
have a valid client certificate to access the DV Administration interface. Securely send
the activation codes to the administrator.
DV administrators can create their client certificate using the following applications:
• User Management Service (UMS)
If PKCS #12 enrollment is enabled and configured properly in Administration
Services, administrators can use UMS to create a PKCS #12 digital ID. The
administrators can then import the digital ID into their Web browser and use
it to log in to DV Administration.
If SCEP enrollment is enabled and configured properly in Administration
Services, administrators can use UMS to obtain a digital ID using SCEP
(Simple Certificate Enrollment Protocol). SCEP enrollment is intended for
Apple devices, such as Macintosh computers. After obtaining the digital ID,
the digital ID is installed in the keychain, and administrators can use the
digital ID to log in to DV Administration.
• User Registration Service (URS)
If PKCS #12 enrollment is enabled and configured properly in Administration
Services, administrators can use URS to create a PKCS #12 digital ID. The
administrators can then import the digital ID into their Web browser and use
it to log in to DV Administration.
If SCEP enrollment is enabled and configured properly in Administration
Services, administrators can use URS to obtain a digital ID using SCEP (Simple
Certificate Enrollment Protocol). SCEP enrollment is intended for Apple
devices, such as Macintosh computers. After obtaining the digital ID, the
digital ID is installed in the keychain, and administrators can use the digital
ID to log in to DV Administration.
• Profile Creation Utility

DV administrators can use the Profile Creation Utility to generate a PKCS #12
digital ID. The administrators can then import the digital ID into their Web
browser and use it to log in to DV Administration.
• Entrust Entelligence Security Provider for Windows
DV administrators can use Security Provider for Windows to generate a
digital ID. Security Provider for Windows can synchronize the administrator’s
certificates with the Microsoft Cryptographic API (CAPI) security store. Web
browsers that support CAPI can then use the digital ID.

To create a DV administrator using the User Management Service


1 Log in to the User Management Service for the DVCA.
2 Click the Accounts tab.
3 Click the Create Account tab.
4 In the User Type drop-down list, select a user type.
User types determine which attributes and object classes are included in the user’s
distinguished name.
5 In the Certificate Type drop-down list, select Enterprise - Default.
6 In the available text fields, enter the name that will become the common name
of the user entry. An asterisk (*) appears beside required fields. You must enter
information into all fields marked with asterisks.
7 From the Role drop-down list, select a role for the DV administrator.
The predefined EAC Administrator role allows administrators to perform all
operations for a CVCA or DV. The predefined EAC Auditor role allows
administrators only to view information for a CVCA or a DV. You may have
created a custom role for the DV administrator in “Creating roles for DV
administrators” on page 1371.
The client policy (user policy) assigned to the role must allow external
authentication and optionally PKCS #12 export. For details, see “Creating or
modifying a user policy for DV administrators” on page 1368.
8 Complete the rest of the information as required. See the Administration Services
User Administration Guide for more information.
9 Click Submit.
The information is sent to Security Manager. Security Manager returns activation
codes (reference number and authorization code) and displays them in the
Account Details page.
Record these activation codes in a secure manner, as they are required later to
create and activate the user’s Entrust digital ID.
For more details about how the Reference number and Authorization code are
used, see the Security Manager Administration User Guide.

You have created a user entry for a DV administrator. The DV administrator must
have a valid client certificate to access the DV Administration interface. Securely send
the activation codes to the administrator.
DV administrators can create their client certificate using the same applications
described under “To create a DV administrator using Security Manager Administration”
above: the User Management Service (UMS), the User Registration Service (URS), the
Profile Creation Utility, and Entrust Entelligence Security Provider for Windows.

Testing DV Administration
After installing DV Administration, you must ensure that all components were
installed properly and function correctly. To test the installation, open DV
Administration in a Web browser.

To test DV Administration
1 Open a Web browser.
2 Enter the following URL in your Web browser:
https://<host_name>:<port>/<instance>
Where:
• <host_name> is the fully qualified host name of the server hosting DV
Administration.
• <port> is the SSL port for DV Administration (by default 14443).
• <instance> is the URL path of the DV Administration instance. You specified
the URL path when you installed DV Administration. For example, the
default URL path for DV Administration is DVAdmin.
For example:
https://webserver.example.com:14443/DVAdmin
The login page appears.
3 When prompted to select a user certificate, select a user certificate for a DV
administrator.
4 A security dialog may appear, prompting you to allow the application to access
the private key.

Note:
The security dialog box may appear behind the browser window. Click the dialog
box’s window icon in the taskbar to bring the dialog box to the front.

Click Allow to allow DV Administration to access the private key.


If everything was installed correctly and the browser certificate is valid, the DV
Administration interface appears.

49

Deploying the DV Certificate Key Management Service
This chapter describes how to deploy the DV Certificate Key Management Service
(DVCKM), a service provided by Entrust Authority Administration Services.
The DVCKM automatically requests DV certificates from one or more CVCAs through
the domestic SPOC, without intervention from an administrator.
This chapter includes the following sections:
• “Deployment overview” on page 1380
• “Synchronizing Administration Services and Security Manager time settings”
on page 1381
• “Creating DVCKM credentials” on page 1382
• “Checking the entrust.ini file” on page 1385
• “Obtaining files from the domestic SPOC for the DVCKM” on page 1387
• “Installing the DVCKM” on page 1388
• “Configuring DVCKM authentication to a directory without anonymous
access” on page 1407
• “Configuring SPOC DVCKM Client authentication to a directory without
anonymous access” on page 1409

Deployment overview
Deploying the DVCKM includes the following steps. Each step is described in further
detail in this chapter.
1 Review the list of supported operating systems, Web servers, and Web browsers in
the Entrust Authority Administration Services Release Notes. The most recent
Release Notes are posted on Entrust Datacard TrustedCare.
2 Synchronize the application server and Security Manager Certification Authority
time setting (see “Synchronizing Administration Services and Security Manager
time settings” on page 1381).
3 Create an Entrust profile for the DVCKM (see “Creating DVCKM credentials” on
page 1382).
4 Check the settings in the entrust.ini file (see “Checking the entrust.ini file” on
page 1385).
5 Obtain files from the domestic SPOC that are required to install the DVCKM (see
“Obtaining files from the domestic SPOC for the DVCKM” on page 1387).
6 Install the DVCKM (see “Installing the DVCKM” on page 1388).
7 If the Security Manager directory does not allow anonymous authentication, you
must configure authentication to the directory:
• “Configuring DVCKM authentication to a directory without anonymous
access” on page 1407
• “Configuring SPOC DVCKM Client authentication to a directory without
anonymous access” on page 1409

Synchronizing Administration Services and Security Manager time settings
Before or after installing Security Manager and Administration Services, you must
synchronize the time settings on all machines. The Timestamp servlet marks all client
browser messages with a time stamp. The local clock on the Administration Services
machine provides the time stamp for the Timestamp servlet.
The Timestamp servlet component of Administration Services requires all machines to
have synchronized time settings, within a five minute window. If Security Manager
and Administration Services time settings are greater than five minutes apart, the
following message may appear:
The XAP message has an expired timestamp. The message contained a
timestamp that was outside the server’s acceptance window. Make
sure that the source used to obtain message timestamps is
synchronized with the server’s time.
You can use Network Time Protocol (NTP) client software (or another method approved
by your organization) to synchronize the time settings of Security Manager and all
Administration Services machines to within a five-minute window.

Creating DVCKM credentials
Before installing Administration Services, create a profile for the DVCKM. DVCKM
requires a DVCKM profile to communicate with the Security Manager.
The DVCKM profile verifies signatures and signs files used by DV Administration.
For details about creating DVCKM profiles, see the following topics:
• “Creating a user entry for a DVCKM profile” on page 1382
• “Creating a DVCKM profile” on page 1383
• “Updating the DVCKM profile keys” on page 1384

Creating a user entry for a DVCKM profile


You must create a user entry in Security Manager for the DVCKM profile. You can use
Security Manager Administration to create a user entry for the DVCKM profile.
For more information about creating users with Security Manager Administration, see
the Security Manager Administration User Guide.

To create a user entry for the DVCKM profile using Security Manager
Administration
1 Log in to Security Manager Administration for the DVCA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
d Ensure that the Create profile check box is not checked.
4 Click the General tab.
5 From the Role drop-down list, select EAC DV CKM Administrator.
6 Select the Certificate Info tab, and then complete the following:

a In the Category drop-down list, select Enterprise.
b Under Certificate Type, select Admin Services User Registration.
7 Click OK.
8 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
Security Manager Administration displays the Reference number and
Authorization code. Record these activation codes in a secure manner, as you will
require them later to create and activate the user’s Entrust digital ID. For more
details on how the Registration number and Authorization codes are used, see
the Security Manager Administration User Guide.
You have now created the user entry for the DVCKM profile. Proceed to
“Creating a DVCKM profile” on page 1383.

Creating a DVCKM profile


The DVCKM profile can be stored on software (as an EPF file) or on a hardware
security module. You can use one of the following applications to create the DVCKM
profile:
• Profile Creation Utility
The Profile Creation Utility can create the profile on software or hardware.
For instructions, see the Administration Services Installation Guide.
• Security Manager Administration
When using Security Manager Administration to create the profile, you must
create the profile on software. For instructions, see the following procedure.

To create a DVCKM profile using Security Manager Administration


1 Create a user entry for the DVCKM profile (see “Creating a user entry for a
DVCKM profile” on page 1382).
2 In the right pane, select the user entry you just created and then select Users >
Selected User > Create Profile.
The Create profile dialog box appears.
3 Click Create desktop profile.
4 In the Name field, enter the file name for the DVCKM profile. Security Manager
Administration will append the .epf extension to the file name.
5 Click Browse to select a folder where you want to save the DVCKM profile.
6 In the Password and Confirm fields, enter a password for the DVCKM profile.
7 Click OK.

You can now use this DVCKM profile with Administration Services. You need the
DVCKM profile, the profile password, and the profile location when you install
Administration Services.

Updating the DVCKM profile keys


Keys are updated only when Administration Services starts up. You may have to
schedule periodic server restarts at a frequency that corresponds to the configured
certificate lifetime.

Checking the entrust.ini file
Obtain a copy of the entrust.ini file and the DVCKM profile from the Security
Manager administrator.
Copy the entrust.ini file and the profile to each machine hosting the DVCKM.
Note the location of these files. You will enter the path to these files when you install
Administration Services.
Complete the following instructions to ensure the entrust.ini file is properly copied
and configured for Administration Services.

To check the entrust.ini file settings


1 Open the entrust.ini file in a text editor.
2 Ensure that the file contains the following lines:
• Server=<directory_machine>+<port>
Where:
– <directory_machine> is the IPv4 address or DNS of the machine hosting
the directory.
– <port> is the LDAP port. The default port is 389.
For example:
Server=ldap.example.com+389
• Authority=<Security_Manager_machine>+<port>
Where:
– <Security_Manager_machine> is the IPv4 address or DNS of the machine
hosting Security Manager.
– <port> is the PKIX-CMP port used by Security Manager. The default port
is 829.
For example:
Authority=securitymanager.example.com+829
• XAP=<XAP_server>+<port>
Where:
– <XAP_server> is the IPv4 address or DNS of the XAP server.
– <port> is the port used by the XAP server. The default port is 443 or 1443.
For example:
XAP=securitymanager.example.com+1443
• CA Distinguished Name=<DN_of_CA>
Where <DN_of_CA> is the distinguished name of the Certification Authority.
For example:

CA Distinguished Name=ou=CA Entry,o=Example,c=US
• SearchBase=<DN_of_searchbase>
Where <DN_of_searchbase> is the distinguished name of the default
searchbase. For example:
SearchBase=ou=CA Entry,o=Example,c=US
3 If you are using a PKCS#11 v2 hardware device, ensure that the file contains the
following lines in the [Entrust Settings] section:
CryptokiV2LibraryNT=<pkcs11 library path>
Where <pkcs11 library path> is the full path to the location of the PKCS#11
library. For example:
CryptokiV2LibraryNT=C:\Program Files\vendor1\device1.dll
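The following script is an added example, not part of Entrust's product or this guide, that runs the checks in this procedure against an entrust.ini before you start the installer. The sample file is constructed from the values shown above; placing the five connection settings under [Entrust Settings] is an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample mirroring the example values in the procedure. Putting the
# connection settings under [Entrust Settings] is an assumption of this example.
SAMPLE_INI = """\
[Entrust Settings]
Server=ldap.example.com+389
Authority=securitymanager.example.com+829
XAP=securitymanager.example.com+1443
CA Distinguished Name=ou=CA Entry,o=Example,c=US
SearchBase=ou=CA Entry,o=Example,c=US
CryptokiV2LibraryNT=C:\\Program Files\\vendor1\\device1.dll
"""

# Settings of the form <host>+<port>, mapped to the ports the guide calls default.
HOST_PORT_KEYS = {
    "Server": {389},          # LDAP
    "Authority": {829},       # PKIX-CMP
    "XAP": {443, 1443},
}
DN_KEYS = ("CA Distinguished Name", "SearchBase")
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,[A-Za-z][\w-]*=[^,]+)*$")


def parse_ini(text: str) -> Dict[str, Tuple[str, str]]:
    """Map key -> (section, value). A small hand-written parser is used because
    entrust.ini keys contain spaces and the file need not start with a section."""
    entries: Dict[str, Tuple[str, str]] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()] = (section, value.strip())
    return entries


def parse_host_port(value: str) -> Optional[Tuple[str, int]]:
    """entrust.ini separates host and port with '+', not ':'."""
    host, sep, port = value.rpartition("+")
    if not sep or not host or not port.isdigit():
        return None
    port_num = int(port)
    if not 1 <= port_num <= 65535:
        return None
    return host, port_num


def check_entrust_ini(text: str) -> List[str]:
    """Return problems found; an empty list means every check in the procedure
    passed. Non-default ports are reported as 'note:' entries, not errors."""
    entries = parse_ini(text)
    findings: List[str] = []

    for key, defaults in HOST_PORT_KEYS.items():
        if key not in entries:
            findings.append(f"missing required setting: {key}")
            continue
        value = entries[key][1]
        parsed = parse_host_port(value)
        if parsed is None:
            findings.append(f"{key}: expected <host>+<port>, got {value!r}")
        elif parsed[1] not in defaults:
            findings.append(f"note: {key} uses non-default port {parsed[1]}")

    for key in DN_KEYS:
        if key not in entries:
            findings.append(f"missing required setting: {key}")
        elif not DN_RE.match(entries[key][1]):
            findings.append(f"{key}: not a distinguished name: {entries[key][1]!r}")

    # Only required for PKCS#11 v2 hardware, but when present it must sit in
    # [Entrust Settings] and point at the vendor library.
    if "CryptokiV2LibraryNT" in entries:
        section, path = entries["CryptokiV2LibraryNT"]
        if section != "Entrust Settings":
            findings.append("CryptokiV2LibraryNT must be in the [Entrust Settings] section")
        if not path.lower().endswith(".dll"):
            findings.append(f"CryptokiV2LibraryNT does not point at a DLL: {path!r}")
    return findings


if __name__ == "__main__":
    for finding in check_entrust_ini(SAMPLE_INI) or ["entrust.ini checks passed"]:
        print(finding)
```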

Obtaining files from the domestic SPOC for the
DVCKM
When you are installing the DVCKM, the Administration Services installer will prompt
you for files provided from your domestic Single Point of Contact (SPOC). Obtain the
following files from a SPOC administrator:
• entrust.ini file
It is recommended that you rename this file to spoc_entrust.ini to avoid
confusing it with the entrust.ini file provided from the DV CA.
• the SPOC DVCKM Client profile
For information about creating the SPOC DVCKM Client profile at the
SPOC, see “Creating SPOC DVCKM Client credentials for Document
Verifiers” on page 1224. The SPOC DVCKM Client profile can be an EPF file
stored on the local file system, or stored on a hardware device.
• the URL of the SPOC Domestic Web Service

Installing the DVCKM
This section describes how to install the Automatic DV Certificate Key Management
Service (DVCKM) on supported Windows operating systems. The DVCKM is
supported only on Windows.
When installing Administration Services, you can install both the Web server
components and application server components on a single server, or you can install
the components on separate servers.
• Installing Administration Services on a single server installs both the Web
server components and application server components on the same server.
It is strongly recommended that you do not install Administration Services on
a single server in a production environment, especially if your deployment is
exposed to the Internet. You should only install Administration Services on a
single server for testing purposes.
• Installing Administration Services on separate servers allows you to install the
application server components on one server, and the Web server
components on the server hosting your Web server.
Installing the components on separate servers is more secure than installing
them on the same server. When installing the components on separate
servers, you must select the same services for each server. Note that some
services do not have Web server components.
When you add service instances, you will install the same components (Web server
components, application server components, or both) as you installed on the server
previously. If you install services on separate servers, add the same instances to both
servers. Note that some services do not have Web server components.
The DVCKM consists of only application server components.

To install DVCKM application server components on Windows


1 Install Administration Services 9.3. See the Administration Services 9.3
Installation Guide for instructions. When installing Administration Services:
a Select the Distributed installation type to install the application server
components and Web server components on separate servers.
b Select Application Server to install the application server components.
2 If Administration Services is already installed, stop the Administration Services
application server (Apache Tomcat).
3 Double-click the Administration Services installer.

4 The Administration Services Installer - Configuration page appears.

Click Next to continue.

5 The Configured Services page appears.

This page lists all configured services (if any). Click Next to add a new service.

6 If you have not yet configured centralized configuration, the Centralized
Configuration Settings page appears.

a Click Do Not Install Centralized Configuration. The ePassport services do
not use centralized configuration.
b Click Next.

7 The Select Services To Configure page appears.

a Select ePassport Services.
b Select Extended Access Control (EAC).
c Select Document Verifier (DV).

Note:
The Document Verifier Certificate Key Management (DVCKM) option is disabled
if DV Administration has not been installed. You must install DV Administration
before you can install the DVCKM. See “Deploying DV Administration” on
page 1305 for information about deploying DV Administration.

d Select Document Verifier Certificate Key Management (DVCKM).
e Click Next to continue.

8 The DVCKM Entrust.ini Location page appears.

a In the text field, enter the full path and file name of the entrust.ini file
from the Entrust CA that issued the DVCKM profile, or click Choose to locate
the file.
b Click Next.

9 If the entrust.ini file includes a setting specifying the full path to a valid
PKCS#11 library, the Select DVCKM Profile Type page appears.

a Select one of the following options:
– If the DVCKM profile is an EPF file stored on the local file system, select
Software Profile.
– If the DVCKM profile is stored on hardware, select Hardware Token.
b Click Next.

10 If the DVCKM profile is a software profile, the DVCKM Profile page appears.

a In the Enter the location of the DVCKM Profile field, click Choose to locate
and select the DVCKM profile (EPF file).
b In the Enter the Password to login to your DVCKM Profile field, enter the
password for the EPF file.
c Click Next.

11 If the DVCKM profile is a hardware profile, the DVCKM Hardware Token Profile
page appears.

a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the DVCKM profile.
b In the Enter the Password to login to your DVCKM Profile field, enter the
password for the profile.
c Click Next.

12 The SPOC Entrust.ini Location page appears.

a In the text field, enter the full path and file name of the entrust.ini file
that you obtained from your domestic SPOC CA, or click Choose to locate
the file.
b Click Next.

13 If the entrust.ini file from the SPOC CA includes a setting specifying the full
path to a valid PKCS#11 library, the Select SPOC DVCKM Client Profile Type
page appears.

a Select one of the following options:
– If the SPOC DVCKM Client profile is an EPF file stored on the local file
system, select Software Profile.
– If the SPOC DVCKM Client profile is stored on hardware, select Hardware
Token.
b Click Next.

14 If the SPOC DVCKM Client profile is a software profile, the SPOC DVCKM Client
Profile page appears.

a In the Enter the location of the SPOC DVCKM Client Profile field, click
Choose to locate and select the SPOC DVCKM Client profile (EPF file).
b In the Enter the Password to login to your SPOC DVCKM Client Profile field,
enter the password for the EPF file.
c Click Next.

15 If the SPOC DVCKM Client profile is a hardware profile, the SPOC DVCKM
Hardware Token Profile page appears.

a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the SPOC DVCKM Client profile.
b In the Enter the Password to login to your SPOC DVCKM Client Profile field,
enter the password for the profile.
c Click Next.

16 The SPOC Domestic Web Service URL dialog box appears.

a In the text field, enter the URL to the SPOC Domestic Web Service.
The SPOC Domestic Web Service URL is in the form of
https://<FQDN>:<port>/spoc/services/CvcaService, where:
– <FQDN> is the fully qualified domain name of the server hosting the SPOC
Domestic Web Service.
– <port> is the secure port that the SPOC Domestic Web Service listens on,
typically 9443.
For example:
https://spoc.example.com:9443/spoc/services/CvcaService
b Click Next.

17 The Configure DVCKM Email Notification page appears.

a To enable email notification for DVCKM, select Enable Email Notification for
DVCKM.
If you select this option, the email notification settings are enabled.
b If you chose to enable email notification for DVCKM:
– In the Enter the SMTP Server Fully Qualified Domain Name field, enter the
fully qualified domain name of the SMTP server.
– In the SMTP Server Port field, enter the port number used by the SMTP
server (by default 25).
– In the Enter the DVCKM Administrator Email Address field, enter the email
address where administrators will receive email notification messages.
DVCKM sends messages to this address only if the event is not meant for
a particular object. For example, if a user performs an action that requires
an administrator’s approval, DVCKM sends the message to this email
address.
– In the Enter the DVCKM Appears From Email Address field, enter the email
address that will appear in the From field of the notification messages.
c Click Next.

18 The DVCKM Configuration page appears with a summary of your installation
selections. For example:

a Check all your settings.
If you need to change anything, click Previous to return to that page and
make your changes.
b Select Configure to configure the service instance.
c Click Next to proceed with the installation.

19 After the installation is complete, the DVCKM Configuration Status page
appears. For example:

a If the installation is unsuccessful, a dialog box displays errors. See the
Administration Services Configuration Guide for possible solutions, or
contact Entrust Customer Support.
b Click Next.

20 The Configuration Complete page appears.

a Select one of the following options:
– If you are finished adding services, select End Configuration Program.
– If you want to add additional services, select Return to Configure Services.
b Click Next.

21 The Start The Service Automatically page appears.

a To use the service you just installed, you must restart the Administration
Services application server.
– To start the service automatically after exiting the installer, select Start the
service automatically. By default, this option is already selected.
– To not start the service after exiting the installer, deselect Start the service
automatically. You must manually restart Administration Services to use the
new service.
b Click Next.
You can find the URLs to all installed services in the <AS-install>/services.txt
file.

Configuring DVCKM authentication to a
directory without anonymous access
The following procedure explains how to configure the DVCKM profile to
authenticate to the Security Manager directory when anonymous access is disabled.
The Java Naming and Directory Interface (JNDI) credentials are used for accessing the
Security Manager directory when anonymous bind is not available (for example, the
default setting in Active Directory). When anonymous bind is not available, edit the
Security Manager Directory credentials in the dvckm-config.xml file.

To configure directory access credentials


1 Log in to the Administration Services server hosting the application server
components.
2 Open the dvckm-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\dvckm\dvckm\webapp\WEB-INF\config
3 Locate the <EntrustCredentials> section:
<EntrustCredentials>
  <Epf>c:\authdata\manager\epf\DVCKM.epf</Epf>
  <Ual></Ual>
  <Pkcs11Library></Pkcs11Library>
  <Pkcs11Slot></Pkcs11Slot>
  <EntrustIni>c:\authdata\manager\entrust.ini</EntrustIni>
  <!-- Security Manager Directory credentials
       - for environments where anonymous bind is not available (e.g.
       default Active Directory)
       These are the Java Naming and Directory Interface (JNDI)
       credentials that are used for accessing the Security Manager
       directory when anonymous bind is not available.
       If any of these parameters are blank, then anonymous bind is
       used. -->
  <JndiAuthentication></JndiAuthentication>
  <JndiPrincipal></JndiPrincipal>
  <!-- The JNDI credentials/password - initially entered in
       plaintext.
       When DVCKM starts, the password will be encrypted and bound to
       the hardware using the Unattended Login UAL capabilities of
       the Entrust Java Toolkit and stored to a file. The plaintext
       password in this configuration file will be replaced by the
       phrase: "{Password protected by Entrust Unattended Login}".
       Subsequent starts of DVCKM will extract the password from the
       previously created UAL file.
  -->
  <JndiCredentials></JndiCredentials>
</EntrustCredentials>
4 For the value of <JndiPrincipal>, enter the JNDI Principal that the DVCKM will
use to connect to the directory. For example:
<JndiPrincipal>admin@example.com</JndiPrincipal>
A JNDI Principal is a directory user that can log in to the directory, typically a
directory administrator. Examples include DOMAIN\Administrator,
Administrator@example.com, and cn=Administrator,c=US.
5 For the value of <JndiCredentials>, enter the password for the JNDI Principal.
For example:
<JndiCredentials>Example@1234</JndiCredentials>
When you restart Administration Services, Administration Services will encrypt
the password in the UAL file. Administration Services will replace the password
in the dvckm-config.xml file with the phrase “{Password protected by
Entrust Unattended Login}”.
6 Save and close the file.
7 Restart Administration Services.

Configuring SPOC DVCKM Client authentication
to a directory without anonymous access
The following procedure explains how to configure the SPOC DVCKM Client profile
to authenticate to the Security Manager directory when anonymous access is
disabled.
The Java Naming and Directory Interface (JNDI) credentials are used for accessing the
Security Manager directory when anonymous bind is not available (for example, the
default setting in Active Directory). When anonymous bind is not available, edit the
Security Manager Directory credentials in the dvckm-config.xml file.

To configure directory access credentials


1 Log in to the Administration Services server hosting the application server
components.
2 Open the dvckm-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\dvckm\dvckm\webapp\WEB-INF\config
3 Locate the <SpocTLSClientCredentials> section:
<!-- Client TLS credentials from the SPOC CA -->
<SpocTLSClientCredentials>
  <!-- URL of SPOC Domestic WS, for example:
       https://spoc.server.com:9443/spoc/services/CvcaService -->
  <Url>https://example.com:9443/spoc/services/CvcaService</Url>
  <EntrustIni>c:\spoc_entrust.ini</EntrustIni>
  <Epf>C:\SPOC DV Client.epf</Epf>
  <Ual></Ual>
  <Pkcs11Library></Pkcs11Library>
  <Pkcs11Slot>TAG_SPOC_PKCS11_SLOT</Pkcs11Slot>
  <!-- Security Manager Directory credentials
       - for environments where anonymous bind is not available (e.g.
       default Active Directory)
       These are the Java Naming and Directory Interface (JNDI)
       credentials that are used for accessing the Security Manager
       directory when anonymous bind is not available.
       If any of these parameters are blank, then anonymous bind is
       used. -->
  <JndiAuthentication>simple</JndiAuthentication>
  <JndiPrincipal></JndiPrincipal>
  <!-- The JNDI credentials/password - initially entered in
       plaintext.
       When DVCKM starts, the password will be encrypted and bound to
       the hardware using the Unattended Login UAL capabilities of
       the Entrust Java Toolkit and stored to a file. The plaintext
       password in this configuration file will be replaced by the
       phrase: "{Password protected by Entrust Unattended Login}".
       Subsequent starts of DVCKM will extract the password from the
       previously created UAL file.
  -->
  <JndiCredentials></JndiCredentials>
</SpocTLSClientCredentials>
4 For the value of <JndiPrincipal>, enter the JNDI Principal that the SPOC
DVCKM Client will use to connect to the directory. For example:
<JndiPrincipal>admin@example.com</JndiPrincipal>
A JNDI Principal is a directory user that can log in to the directory, typically a
directory administrator. Examples include DOMAIN\Administrator,
Administrator@example.com, and cn=Administrator,c=US.
5 For the value of <JndiCredentials>, enter the password for the JNDI Principal.
For example:
<JndiCredentials>Example@1234</JndiCredentials>
When you restart Administration Services, Administration Services will encrypt
the password in the UAL file. Administration Services will replace the password
in the dvckm-config.xml file with the phrase “{Password protected by
Entrust Unattended Login}”.
6 Save and close the file.
7 Restart Administration Services.
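The following script is an added example, not Entrust's code, that audits the JNDI settings in both the <EntrustCredentials> section (previous procedure) and the <SpocTLSClientCredentials> section (this procedure) of a dvckm-config.xml: it flags a partially filled credential set, which silently falls back to anonymous bind, and a plaintext password that has not yet been replaced by the Unattended Login placeholder. The sample file is constructed; the root element name DvckmConfig is an assumption.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Phrase DVCKM writes back once the password has been moved into the UAL file.
UAL_PLACEHOLDER = "{Password protected by Entrust Unattended Login}"

# Constructed sample modelled on the two sections shown in the procedures, as the
# file would look after editing but before the first restart. The <DvckmConfig>
# root element is assumed; the real file's root may be named differently.
SAMPLE_CONFIG = """\
<DvckmConfig>
  <EntrustCredentials>
    <Epf>c:\\authdata\\manager\\epf\\DVCKM.epf</Epf>
    <Ual></Ual>
    <Pkcs11Library></Pkcs11Library>
    <Pkcs11Slot></Pkcs11Slot>
    <EntrustIni>c:\\authdata\\manager\\entrust.ini</EntrustIni>
    <JndiAuthentication>simple</JndiAuthentication>
    <JndiPrincipal>admin@example.com</JndiPrincipal>
    <JndiCredentials>Example@1234</JndiCredentials>
  </EntrustCredentials>
  <SpocTLSClientCredentials>
    <Url>https://spoc.example.com:9443/spoc/services/CvcaService</Url>
    <EntrustIni>c:\\spoc_entrust.ini</EntrustIni>
    <Epf>C:\\SPOC DV Client.epf</Epf>
    <Ual></Ual>
    <Pkcs11Library></Pkcs11Library>
    <Pkcs11Slot></Pkcs11Slot>
    <JndiAuthentication>simple</JndiAuthentication>
    <JndiPrincipal></JndiPrincipal>
    <JndiCredentials></JndiCredentials>
  </SpocTLSClientCredentials>
</DvckmConfig>
"""

JNDI_TAGS = ("JndiAuthentication", "JndiPrincipal", "JndiCredentials")


def _text(section: ET.Element, tag: str) -> str:
    """Trimmed text of a child element, or '' when absent or empty."""
    node = section.find(tag)
    return (node.text or "").strip() if node is not None else ""


def audit_section(section: ET.Element) -> List[str]:
    """Findings for one credentials section of dvckm-config.xml."""
    findings: List[str] = []

    # The profile is either an EPF on disk or a PKCS#11 token; neither is an error.
    if not _text(section, "Epf") and not _text(section, "Pkcs11Library"):
        findings.append("no profile configured: both <Epf> and <Pkcs11Library> are empty")

    jndi = {tag: _text(section, tag) for tag in JNDI_TAGS}
    blank = [tag for tag, value in jndi.items() if not value]
    if len(blank) == len(JNDI_TAGS):
        findings.append("anonymous bind: no JNDI credentials configured")
    elif blank:
        # Per the file's own comment, any blank parameter means anonymous bind,
        # so a half-finished edit silently loses the authenticated bind.
        findings.append("anonymous bind: JNDI settings incomplete, blank " + ", ".join(blank))
    elif jndi["JndiCredentials"] == UAL_PLACEHOLDER:
        findings.append("ok: JNDI password protected by Unattended Login")
    else:
        findings.append("plaintext JNDI password present; it is replaced by the UAL "
                        "placeholder only after Administration Services restarts")

    # Only the SPOC section carries a <Url>; check the form given in the guide.
    if section.find("Url") is not None:
        url = _text(section, "Url")
        if not url.startswith("https://") or not url.endswith("/spoc/services/CvcaService"):
            findings.append(f"unexpected SPOC Domestic Web Service URL: {url!r}")
    return findings


def audit_config(xml_text: str) -> Dict[str, List[str]]:
    """Audit both credential sections; returns {section name: findings}."""
    root = ET.fromstring(xml_text)
    report: Dict[str, List[str]] = {}
    for tag in ("EntrustCredentials", "SpocTLSClientCredentials"):
        node = root.find(tag)
        if node is not None:
            report[tag] = audit_section(node)
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        for finding in findings:
            print(f"{name}: {finding}")
```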

50

Deploying the DV Web Service


This chapter describes how to deploy the DV Web Service. The DV Web Service is a
service provided by Entrust Authority Administration Services. The DV Web Service is
required to communicate with an IS Concentrator or IS Client.
In a BAC system, the DV Web Service is a Web service designed to provide CSCA
certificates, master lists, CRLs, and Document Signer certificates to Inspection
Systems.
In an EAC system, the DV Web Service is a Web service designed to automatically
process Inspection System certificate requests without intervention from an
administrator.
This chapter includes the following sections:
• “Deployment overview” on page 1412
• “Synchronizing Administration Services and Security Manager time settings”
on page 1413
• “Creating DV Web Service credentials” on page 1414
• “Checking the entrust.ini file” on page 1418
• “Obtaining files from the domestic CSCA for the DV Web Service” on
page 1420
• “Obtaining files from the National PKD for the DV Web Service” on
page 1421
• “Installing the DV Web Service” on page 1422
• “Configuring DV Web Service authentication to a directory without
anonymous access” on page 1444

Deployment overview
Deploying the DV Web Service includes the following steps. Each step is described in
further detail in this chapter.
1 Review the list of supported operating systems, Web servers, and Web browsers
in the Entrust Authority Administration Services Release Notes. The most recent
Release Notes are posted on Entrust Datacard TrustedCare.
2 Synchronize the application server and Security Manager Certification Authority
time setting (see “Synchronizing Administration Services and Security Manager
time settings” on page 1413).
3 Create an Entrust profile for the DV Web Service (see “Creating DV Web Service
credentials” on page 1414).
4 Check the settings in the entrust.ini file (see “Checking the entrust.ini file” on
page 1418).
5 If you plan to install the DV Web Service for distributing CSCA materials to
Inspection Systems, obtain files from the domestic CSCA that are required to
install the DV Web Service (see “Obtaining files from the domestic CSCA for the
DV Web Service” on page 1420).
6 The DV Web Service can obtain CSCA materials from the NPKD Web Service. If
the DV Web Service will obtain materials from the NPKD Web Service, obtain
files from the NPKD services that are required to install the DV Web Service (see
“Obtaining files from the National PKD for the DV Web Service” on page 1421).
7 Install the DV Web Service (see “Installing the DV Web Service” on page 1422).
8 If the Security Manager directory does not allow anonymous authentication, you
must configure authentication to the directory (see “Configuring DV Web
Service authentication to a directory without anonymous access” on page 1444).

Synchronizing Administration Services and
Security Manager time settings
Before or after installing Security Manager and Administration Services, you must
synchronize the time settings on all machines. The Timestamp servlet marks all client
browser messages with a time stamp. The local clock on the Administration Services
machine provides the time stamp for the Timestamp servlet.
The Timestamp servlet component of Administration Services requires all machines to
have synchronized time settings, within a five minute window. If Security Manager
and Administration Services time settings are greater than five minutes apart, the
following message may appear:
The XAP message has an expired timestamp. The message contained a
timestamp that was outside the server’s acceptance window. Make
sure that the source used to obtain message timestamps is
synchronized with the server’s time.
You can use Network Time client applications (or another method approved by your
organization) to synchronize the time settings of Security Manager and all
Administration Services machines to within a five minute time window.

Creating DV Web Service credentials
Before installing Administration Services, create a profile for the DV Web Service. DV
Web Service requires a DV Web Service profile to communicate with the Security
Manager. Each DV Web service instance requires its own profile.
The DV Web Service profile communicates with the Document Verifier in response to
requests from Inspection Systems.
For details about creating DV Web Service profiles, see the following topics:
• “Modifying the role for DV Web Service profiles” on page 1414
• “Creating a user entry for a DV Web Service profile” on page 1415
• “Creating a DV Web Service profile” on page 1417
• “Updating the DV Web Service profile keys” on page 1417

Modifying the role for DV Web Service profiles


By default, the EAC Self-Service role does not allow role members to process
unauthenticated Inspection System certificate requests. The initial Inspection System
certificate requests are always unauthenticated. The DV Web Service uses the EAC
Self-Service role. To allow the DV Web Service to automatically process
unauthenticated Inspection System certificate requests, you must modify the EAC
Self-Service role.
If you do not allow the DV Web Service to automatically process unauthenticated
Inspection System certificate requests, a DV administrator must manually process the
certificate request. The DV Web Service will automatically send the Inspection System
certificate to the IS Concentrator or IS Client.

To modify the role for the DV Web Service


1 Log in to Security Manager Administration.
2 In the tree view, expand Security Policy > Roles.
3 Select EAC Self-Service.
4 Click the Permissions tab.
5 In the Categories drop-down list, select Extended Access Control (DV) and then
click Properties.
The Administrative Permissions: EAC DV dialog box appears.
6 Click the IS tab.
7 To allow the DV Web Service to process unauthenticated Inspection System
certificate requests, select Process Unauth IS Certreq.
For the Process Unauth IS Certreq permission, it is strongly recommended that
you select the Requires Authorization check box. The Requires Authorization
check box makes the operation a sensitive operation that requires authorization
from one or more administrators. The DV Web Service acts as one administrator.

Note:
Do not modify any other permissions for this role or the DV Web Service will fail
to process and send certificates and certificate requests.

8 Click OK to close the Administrative Permissions: EAC DV dialog box.
9 Click OK to save the changes to the role.
10 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.

Creating a user entry for a DV Web Service profile


You must create a user entry in Security Manager for the DV Web Service profile. You
can use Security Manager Administration to create a user entry for the DV Web
Service profile.
For more information about creating users with Security Manager Administration, see
the Security Manager Administration User Guide.

To create a user entry for the DV Web Service profile using Security Manager
Administration
1 Log in to Security Manager Administration for the DVCA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
d Ensure that the Create profile check box is not checked.

4 Select the General tab.
5 From the Role drop-down list, select EAC Self-Service.
6 Select the Certificate Info tab, and then complete the following:
a In the Category drop-down list, select Enterprise.
b Under Certificate Type, select Admin Services User Registration.
7 Click OK.
8 If prompted, authorize the operation. The operation may require more than one
authorization. See the Security Manager Administration User Guide for details.
The Operation Completed Successfully message appears, which displays the
Reference number and Authorization code.
Record these activation codes in a secure manner, as you will require them later
to create and activate the user’s Entrust digital ID.
For more details on how the Reference number and Authorization code are
used, see the documentation that accompanies Security Manager
Administration.
9 Click OK.
The new user now appears in the list of users.
10 You must add the host name of the server hosting the Administration Services
application server to the user entry:
a In the right pane, select the user you just created and then select Users >
Selected User > Properties.
b Click the SubjectAltName tab.
c Click Add.
The Add subjectAltName component dialog box appears.
d In the Select component name list, select DNS Name.
e In the Enter component value field, enter the Fully Qualified Domain Name
(FQDN) of the server hosting the Administration Services server (for
example, appserver.entrust.com).
f Click OK to add the DNS name and close the Add subjectAltName
component dialog box.
g Click OK to save the changes.
h If prompted, authorize the operation. The operation may require more than
one authorization. See the Security Manager Administration User Guide for
details.
You have now created the user entry for the DV Web Service profile. Proceed to
“Creating a DV Web Service profile” on page 1417.

Creating a DV Web Service profile
The DV Web Service profile can be stored on software (as an EPF file) or on a
hardware security module. You can use one of the following applications to create the
DV Web Service profile:
• Profile Creation Utility
The Profile Creation Utility can create the profile on software or hardware.
For instructions, see the Administration Services Installation Guide.
• Security Manager Administration
When using Security Manager Administration to create the profile, you must
create the profile on software. For instructions, see the following procedure.

To create a DV Web Service profile using Security Manager Administration


1 Create a user entry for the DV Web Service profile (see “Creating a user entry for
a DV Web Service profile” on page 1415).
2 In the right pane, select the user entry you just created and then select Users >
Selected User > Create Profile.
The Create profile dialog box appears.
3 Click Create desktop profile.
4 In the Name field, enter the file name for the DV Web Service profile. Security
Manager Administration will append the .epf extension to the file name.
5 Click Browse to select a folder where you want to save the DV Web Service
profile.
6 In the Password and Confirm fields, enter a password for the DV Web Service
profile.
7 Click OK.
You can now use this DV Web Service profile with Administration Services. You need
the DV Web Service profile, the profile password, and the profile location when you
install Administration Services.

Updating the DV Web Service profile keys


Keys are updated only on Administration Services start up. You may have to schedule
server restarts periodically with a frequency that corresponds to the configured
certificate lifetime.

Checking the entrust.ini file
Obtain a copy of the entrust.ini file and DV Web Service profile from the Security
Manager administrator.
Copy the entrust.ini file and the profile to each machine hosting the DV Web
Service. Note the location of these files. You will enter the path to these files when
you install Administration Services.
Complete the following instructions to ensure the entrust.ini file is properly copied
and configured for Administration Services.

To check the entrust.ini file settings


1 Open the entrust.ini file in a text editor.
2 Ensure that the file contains the following lines:
• Server=<directory_machine>+<port>
Where:
– <directory_machine> is the IPv4 address or DNS name of the machine hosting
the directory.
– <port> is the LDAP port. The default port is 389.
For example:
Server=ldap.example.com+389
• Authority=<Security_Manager_machine>+<port>
Where:
– <Security_Manager_machine> is the IPv4 address or DNS name of the machine
hosting Security Manager.
– <port> is the PKIX-CMP port used by Security Manager. The default port
is 829.
For example:
Authority=securitymanager.example.com+829
• XAP=<XAP_server>+<port>
Where:
– <XAP_server> is the IPv4 address or DNS name of the XAP server.
– <port> is the port used by the XAP server. The default port is 443 or 1443.
For example:
XAP=securitymanager.example.com+1443
• CA Distinguished Name=<DN_of_CA>
Where <DN_of_CA> is the distinguished name of the Certification Authority.
For example:
CA Distinguished Name=ou=CA Entry,o=Example,c=US
• SearchBase=<DN_of_searchbase>
Where <DN_of_searchbase> is the distinguished name of the default
searchbase. For example:
SearchBase=ou=CA Entry,o=Example,c=US
3 If you are using a PKCS#11 v2 hardware device, ensure that the file contains the
following lines in the [Entrust Settings] section:
CryptokiV2LibraryNT=<pkcs11 library path>
Where <pkcs11 library path> is the full path to the location of the PKCS#11
library. For example:
CryptokiV2LibraryNT=C:\Program Files\vendor1\device1.dll
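The following Python script is an added example; it is not part of this guide or of Administration Services. It applies the checks in this procedure to a copy of entrust.ini so that you can validate the file on every machine hosting the DV Web Service without opening each copy in an editor. It assumes that the settings are in the [Entrust Settings] section (the guide names that section only for CryptokiV2LibraryNT), and the two sample files embedded in it are constructed for the example.

```python
# Added example (not Entrust code): applies the checks from "To check the
# entrust.ini file settings" to an entrust.ini file. Assumption: the settings
# live in the [Entrust Settings] section.
import configparser
import re

SECTION = "Entrust Settings"

# <host>+<port>, where host is an IPv4 address or DNS name and port is numeric.
HOST_PORT = re.compile(r"^[A-Za-z0-9.\-]+\+\d{1,5}$")
# A distinguished name such as ou=CA Entry,o=Example,c=US
DN = re.compile(r"^[A-Za-z]+=[^,]+(,[A-Za-z]+=[^,]+)*$")

REQUIRED = {
    "Server": HOST_PORT,     # directory (LDAP); default port 389
    "Authority": HOST_PORT,  # Security Manager PKIX-CMP; default port 829
    "XAP": HOST_PORT,        # XAP server; default port 443 or 1443
    "CA Distinguished Name": DN,
    "SearchBase": DN,
}
DEFAULT_PORTS = {"Server": {389}, "Authority": {829}, "XAP": {443, 1443}}


def parse_entrust_ini(text: str) -> configparser.ConfigParser:
    """Parse INI text with '=' as the only delimiter, so the ':' in a Windows
    drive letter (CryptokiV2LibraryNT=C:...) is never taken as a separator."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return cp


def check_entrust_ini(text: str, pkcs11: bool = False) -> list[str]:
    """Return the problems found; an empty list means the file passes.
    Entries prefixed 'warning:' flag ports that differ from the guide's
    defaults and deserve a second look rather than being outright errors."""
    cp = parse_entrust_ini(text)
    if not cp.has_section(SECTION):
        return [f"missing [{SECTION}] section"]
    settings = cp[SECTION]
    problems = []
    for key, pattern in REQUIRED.items():
        value = settings.get(key, "").strip()
        if not value:
            problems.append(f"{key} is missing")
        elif not pattern.match(value):
            problems.append(f"{key}={value!r} is not in the expected form")
        elif key in DEFAULT_PORTS:
            port = int(value.rsplit("+", 1)[1])
            if port not in DEFAULT_PORTS[key]:
                problems.append(f"warning: {key} uses port {port}, not the "
                                f"default {sorted(DEFAULT_PORTS[key])}")
    # Step 3 of the procedure: a PKCS#11 v2 device needs the library path.
    if pkcs11 and not settings.get("CryptokiV2LibraryNT", "").strip():
        problems.append("CryptokiV2LibraryNT is missing; required for a "
                        "PKCS#11 v2 hardware profile")
    return problems


# Constructed sample files (values mirror the guide's examples).
GOOD_INI = r"""
[Entrust Settings]
Server=ldap.example.com+389
Authority=securitymanager.example.com+829
XAP=securitymanager.example.com+1443
CA Distinguished Name=ou=CA Entry,o=Example,c=US
SearchBase=ou=CA Entry,o=Example,c=US
CryptokiV2LibraryNT=C:\Program Files\vendor1\device1.dll
"""

# Authority lacks its port, XAP is absent, and there is no PKCS#11 library path.
BAD_INI = r"""
[Entrust Settings]
Server=ldap.example.com+389
Authority=securitymanager.example.com
CA Distinguished Name=ou=CA Entry,o=Example,c=US
SearchBase=ou=CA Entry,o=Example,c=US
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_INI), ("bad", BAD_INI)):
        print(name, check_entrust_ini(text, pkcs11=True) or "OK")
```

Pass pkcs11=True when the DV Web Service profile is on a hardware token; the script then also insists on the CryptokiV2LibraryNT entry from step 3. A non-default port is reported as a warning rather than an error, because the installer accepts it but it usually indicates a copy taken from the wrong CA.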

Obtaining files from the domestic CSCA for the DV Web Service
You can use the DV Web Service to distribute master lists, CRLs, and document signer
certificates published by trusted CSCAs to Inspection Systems. To allow the DV Web
Service to distribute CSCA materials to Inspection Systems, you must obtain the
following files:
• domestic root CSCA certificate
This certificate will be the trust anchor for all CSCA materials distributed by
the DV Web Service.

Obtaining files from the National PKD for the DV Web Service
You can use the DV Web Service to distribute master lists, CRLs, and document signer
certificates published by trusted CSCAs to Inspection Systems. The DV Web Service
can obtain these materials from the NPKD Web Service.
To allow the DV Web Service to obtain materials from the NPKD Web Service, you
must obtain the following files from a National PKD administrator:
• entrust.ini file
It is recommended that you rename this file to npkd_entrust.ini to avoid
confusing it with the entrust.ini file provided from the DV CA.
• an NPKD Client profile
For information about creating the NPKD Client profile at the NPKD services,
see “Creating NPKD Client credentials” on page 476. The NPKD Client
profile can be an EPF file stored on the local file system, or stored on a
hardware device.
• the URL of the NPKD Web Service

Installing the DV Web Service
This section describes how to install the DV Web Service on supported Windows
operating systems. The DV Web Service is supported only on Windows.
When installing Administration Services, you can install both the Web server
components and application server components on a single server, or you can install
the components on separate servers.
• Installing Administration Services on a single server installs both the Web
server components and application server components on the same server.
It is strongly recommended that you do not install Administration Services on
a single server in a production environment, especially if your deployment is
exposed to the Internet. You should only install Administration Services on a
single server for testing purposes.
• Installing Administration Services on separate servers allows you to install the
application server components on one server, and the Web server
components on the server hosting your Web server.
Installing the components on separate servers is more secure than installing
them on the same server. When installing the components on separate
servers, you must select the same services for each server. Note that some
services do not have Web server components.
When you add service instances, you will install the same components (Web server
components, application server components, or both) as you installed on the server
previously. If you install services on separate servers, add the same instances to both
servers. Note that some services do not have Web server components.
The DV Web Service consists of only application server components.

To install DV Web Service application server components on Windows


1 Install Administration Services 9.3. See the Administration Services 9.3
Installation Guide for instructions. When installing Administration Services:
a Select the Distributed installation type to install the application server
components and Web server components on separate servers.
b Select Application Server to install the application server components.
2 If Administration Services is already installed, stop the Administration Services
application server (Apache Tomcat).
3 Double-click the Administration Services installer.

4 The Administration Services Installer - Configuration page appears.

Click Next to continue.

5 The Configured Services page appears.

This page lists all configured services (if any). Click Next to add a new service.

6 If you have not yet configured centralized configuration, the Centralized
Configuration Settings page appears.

a Click Do Not Install Centralized Configuration. The ePassport services do
not use centralized configuration.
b Click Next.

7 The Select Services To Configure page appears.

a Select ePassport Services.
b Select Extended Access Control (EAC).
c Select Document Verifier (DV).
d Select Document Verifier Web Service (DVWS).
e Click Next to continue.

8 The DVWS SSL/TLS Port page appears.

a In the SSL/TLS Port Number for DVWS field, enter the port number for the
DV Web service (by default 9443).
b Click Next.

9 The DVWS Entrust.ini Location page appears.

a In the text field, enter the full path and file name of the entrust.ini file
from the Entrust CA that issued the DV Web Service profile, or click Choose
to locate the file.
b Click Next.

10 If the entrust.ini file includes a setting specifying the full path to a valid
PKCS#11 library, the Select DVWS Profile Type page appears.

a Select one of the following options:
– If the DV Web Service profile is an EPF file stored on the local file system,
select Software Profile.
– If the DV Web Service profile is stored on hardware, select Hardware
Token.
b Click Next.

11 If the DV Web Service profile is a software profile, the DVWS Profile page
appears.

a In the Enter the location of the DVWS Profile field, click Choose to locate
and select the DV Web Service profile (EPF file).
b In the Enter the Password to login to your DVWS Profile field, enter the
password for the EPF file.
c Click Next.

12 If the DV Web Service profile is a hardware profile, the DVWS Hardware Token
Profile page appears.

a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the DV Web Service profile.
b In the Enter the Password to login to your DVWS Profile field, enter the
password for the profile.
c Click Next.

13 The DVWS Options page appears.

a To distribute master lists, CRLs, and document signer certificates published
by trusted CSCAs to Inspection Systems, select Enable CSCA Materials
Distribution and then configure the following options.
– In the Enter the Location of the CSCA Root Certificate field, enter the full
path and file name of the domestic root CSCA certificate, or click Choose
to locate the file.
– To enable collecting CSCA materials from the National PKD, select Enable
NPKD Materials Collection.
b Click Next.
If you did not enable collecting CSCA materials from the National PKD, proceed
to Step 19 on page 1438.

14 If you chose to enable collecting CSCA materials from the National PKD, the
DVWS NPKD Entrust.ini Location page appears.

a In the text field, enter the full path and file name of the entrust.ini file
that you obtained from a National PKD administrator, or click Choose to
locate the file.
b Click Next.

15 If the entrust.ini file includes a setting specifying the full path to a valid
PKCS#11 library, the Select DVWS NPKD Profile Type page appears.

a Select one of the following options:
– If the NPKD Client profile is an EPF file stored on the local file system, select
Software Profile.
– If the NPKD Client profile is stored on hardware, select Hardware Token.
b Click Next.

16 If the NPKD Client profile is a software profile, the DVWS NPKD Profile page
appears.

a In the Enter the location of the DVWS NPKD Profile field, click Choose to
locate and select the NPKD Client profile (EPF file).
b In the Enter the Password to login to your DVWS NPKD Profile field, enter
the password for the EPF file.
c Click Next.

17 If the NPKD Client profile is a hardware profile, the DVWS NPKD Hardware
Token Profile page appears.

a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the NPKD Client profile.
b In the Enter the Password to login to your DVWS NPKD Profile field, enter
the password for the profile.
c Click Next.

18 The DVWS NPKD Client Web Server URL page appears.

a In the DVWS NPKD Client Web Service URL field, enter the URL of the
NPKD Web Service.
The URL for the NPKD Web Service is
https://<server>:<port>/npkd/services/NpkdServiceV1, where:
– <server> is the host name or IPv4 address of the server hosting the NPKD
Web Service.
– <port> is the SSL port for the NPKD Web Service (by default 24443). You
specified this port when you installed the PKD Writer Web Service.
For example:
https://npkd.example.com:24443/npkd/services/NpkdServiceV1
b In the Specify the Polling Interval in Minutes field, enter the frequency, in
minutes, that the DV Web Service will poll the NPKD Web Service for new
CSCA materials. The default frequency is 120 minutes (2 hours).
c Click Next.

19 The Configure DVWS email Notification page appears.

a To enable email notification for the DV Web Service, select Enable Email
Notification for DVWS.
If you select this option, the email notification settings are enabled.
b If you chose to enable email notification for the DV Web Service:
– In the Enter the SMTP Server Fully Qualified Domain Name field, enter the
fully qualified domain name of the SMTP server.
– In the SMTP Server Port field, enter the port number used by the SMTP
server (by default 25).
– In the Enter the DVWS Administrator Email Address field, enter the email
address where administrators will receive email notification messages.
The DV Web Service sends messages to this address only if the event is not
meant for a particular object. For example, if a user performs an action that
requires an administrator’s approval, the DV Web Service sends the
message to this email address.
– In the Enter the DVWS Appears From Email Address field, enter the email
address that will appear in the From field of the email message.
c Click Next.

20 The DVWS Configuration page appears with a summary of your installation
selections. For example:

a Check all your settings.
If you need to change anything, click Previous to return to that page and
make your changes.
b Select Configure to configure the service instance.
c Click Next to proceed with the installation.

21 After the installation is complete, the DVWS Configuration Status page appears.
For example:

a If the installation is unsuccessful, a dialog box displays errors. See the
Administration Services Configuration Guide for possible solutions, or
contact Entrust Customer Support.
b Click Next.

22 The Configuration Complete page appears.

a Select one of the following options:
– If you are finished adding services, select End Configuration Program.
– If you want to add additional services, select Return to Configure Services.
b Click Next.

23 The Start The Service Automatically page appears.

a To use the service you just installed, you must restart the Administration
Services application server.
– To start the service automatically after exiting the installer, select Start the
service automatically. By default, this option is already selected.
– To not start the service after exiting the installer, deselect Start the service
automatically. You must manually restart Administration Services to use the
new service.
b Click Next.
24 If you installed the DV Web Service, and if the DV Web Service profile is stored
on a hardware token and you enabled CSCA material distribution:
a On a command line, navigate to the following folder:
<AS-install>\tools\csca-cert-update
b Enter the following command:
csca-cert-update <password> <certificate-file>
Where:
– <password> is the password of the hardware token that contains the DV
Web Service profile.
– <certificate-file> is the path and file name of the CSCA certificate.
For example:
csca-cert-update Example@1234 "c:/csca-certificate.cer"
If you installed the DV Web Service, the URL for the DV Web Service is
https://<server>:<port>/dvws/services/DvwsService, where:
• <server> is the host name or IPv4 address of the server hosting the DV Web
Service.
• <port> is the SSL port for the DV Web Service (by default 9443). You
specified this port when you installed the DV Web Service.
Inspection System administrators need the DV Web Service URL to install the IS
Concentrator or IS Client. IS Concentrator and IS Client use the DV Web Service to
connect to the DV and exchange certificates.
You can find the URLs to all installed services in the <AS-install>/services.txt
file.

Configuring DV Web Service authentication to a directory without anonymous access
The following procedure explains how to configure the DV Web Service profile to
authenticate to the Security Manager directory when anonymous access is disabled.
The Java Naming and Directory Interface (JNDI) credentials are used for accessing the
Security Manager directory when anonymous bind is not available (for example, the
default setting in Active Directory). When anonymous bind is not available, edit the
Security Manager Directory credentials in the dvws-config.xml file.

To configure directory access credentials


1 Log in to the Administration Services server hosting the application server
components.
2 Open the dvws-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\dvws\dvws\webapp\WEB-INF\config
3 Locate the <EntrustCredentials> section:
<EntrustCredentials>
<Epf>c:\authdata\manager\epf\DV Web Service.epf</Epf>
<Ual></Ual>
<Pkcs11Library></Pkcs11Library>
<Pkcs11Slot></Pkcs11Slot>
<EntrustIni>c:\authdata\manager\entrust.ini</EntrustIni>
<!-- Security Manager Directory credentials
- for environments where anonymous bind is not available (e.g.
default Active Directory)
These are the Java Naming and Directory Interface (JNDI)
credentials that are used for accessing the Security Manager
directory when anonymous bind is not available.
If any of these parameters are blank, then anonymous bind is
used. -->
<JndiAuthentication></JndiAuthentication>
<JndiPrincipal></JndiPrincipal>
<!-- The JNDI credentials/password - initially entered in
plaintext.
When DVWS starts, the password will be encrypted and bound to
the hardware using the Unattended Login UAL capabilities of
the Entrust Java Toolkit and stored to a file. The plaintext
password in this configuration file will be replaced by the
phrase: "{Password protected by Entrust Unattended Login}".
Subsequent starts of DVWS will extract the password from the
previously created UAL file.
-->
<JndiCredentials></JndiCredentials>
</EntrustCredentials>
4 For the value of <JndiPrincipal>, enter the JNDI Principal that the DV Web
Service will use to connect to the directory. For example:
<JndiPrincipal>admin@example.com</JndiPrincipal>
A JNDI Principal is a directory user that can log in to the directory, typically a
directory administrator. Examples include DOMAIN\Administrator,
Administrator@example.com, and cn=Administrator,c=US.
5 For the value of <JndiCredentials>, enter the password for the JNDI Principal.
For example:
<JndiCredentials>Example@1234</JndiCredentials>
When you restart Administration Services, Administration Services will encrypt
the password in the UAL file. Administration Services will replace the password
in the dvws-config.xml file with the phrase “{Password protected by Entrust
Unattended Login}”.
6 Save and close the file.
7 Restart Administration Services.
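The following Python script is an added example; it is not part of this guide or of Administration Services. It reads the <EntrustCredentials> section of dvws-config.xml and reports which bind the DV Web Service will use, applying the rule in the file's own comment (any blank JNDI parameter means anonymous bind) and flagging a file whose <JndiCredentials> still holds the plaintext password, that is, a file on a server that has not yet been restarted after step 5. The sample documents are constructed; the root element name <DvwsConfig> and the JNDI authentication value "simple" are assumptions, since the guide shows only the credentials fragment.

```python
# Added example (not Entrust code): reads the <EntrustCredentials> section of
# dvws-config.xml and reports how the DV Web Service will bind to the
# directory. Assumptions: the root element name <DvwsConfig> and the JNDI
# authentication value "simple"; the guide shows only the credentials fragment.
import xml.etree.ElementTree as ET

# Text that Administration Services writes over the password on first start.
UAL_PLACEHOLDER = "{Password protected by Entrust Unattended Login}"
JNDI_TAGS = ("JndiAuthentication", "JndiPrincipal", "JndiCredentials")


def jndi_bind_status(xml_text: str) -> dict:
    """Describe the directory bind this file will produce.

    bind: 'anonymous' if any of the three JNDI parameters is blank (the rule
          stated in the file's own comment), otherwise 'authenticated'.
    plaintext_password_on_disk: True while <JndiCredentials> still holds the
          password as typed, i.e. Administration Services has not yet been
          restarted to encrypt it into the UAL file.
    """
    root = ET.fromstring(xml_text)
    creds = root if root.tag == "EntrustCredentials" else root.find(".//EntrustCredentials")
    if creds is None:
        raise ValueError("no <EntrustCredentials> section found")

    values = {}
    for tag in JNDI_TAGS:
        elem = creds.find(tag)
        values[tag] = (elem.text or "").strip() if elem is not None else ""

    blank = [tag for tag in JNDI_TAGS if not values[tag]]
    if blank:
        return {"bind": "anonymous", "blank": blank,
                "plaintext_password_on_disk": False}
    return {"bind": "authenticated", "blank": [],
            "principal": values["JndiPrincipal"],
            "plaintext_password_on_disk":
                values["JndiCredentials"] != UAL_PLACEHOLDER}


def sample_config(auth: str, principal: str, credentials: str) -> str:
    """Build a constructed dvws-config.xml shaped like the guide's fragment."""
    return f"""<DvwsConfig>
  <EntrustCredentials>
    <Epf>c:\\authdata\\manager\\epf\\DV Web Service.epf</Epf>
    <Ual></Ual>
    <Pkcs11Library></Pkcs11Library>
    <Pkcs11Slot></Pkcs11Slot>
    <EntrustIni>c:\\authdata\\manager\\entrust.ini</EntrustIni>
    <JndiAuthentication>{auth}</JndiAuthentication>
    <JndiPrincipal>{principal}</JndiPrincipal>
    <JndiCredentials>{credentials}</JndiCredentials>
  </EntrustCredentials>
</DvwsConfig>"""


# All three blank: anonymous bind (the shipped default).
ANONYMOUS = sample_config("", "", "")
# Just edited per steps 4 and 5: password still in plaintext until restart.
FRESH = sample_config("simple", "admin@example.com", "Example@1234")
# After a restart: password moved to the UAL file, placeholder left behind.
PROTECTED = sample_config("simple", "admin@example.com", UAL_PLACEHOLDER)

if __name__ == "__main__":
    for label, doc in (("anonymous", ANONYMOUS), ("fresh", FRESH),
                       ("protected", PROTECTED)):
        print(label, jndi_bind_status(doc))
```

Run it against the real file on each application server after step 7: a result of "authenticated" with plaintext_password_on_disk still True means the restart has not happened, and a "blank" list naming one tag (a common outcome of editing <JndiPrincipal> but forgetting <JndiAuthentication>) explains a DV Web Service that silently falls back to anonymous bind and then fails against Active Directory.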

51

Configuring DV Administration
DV Administration is a Web-based interface for administering a Document Verifier.
DV administrators use DV Administration to manage DV certificates and certificate
requests, Inspection Systems, and Inspection System certificates and certificate
requests.
This chapter describes how to configure various components and features of DV
Administration. For more information about configuring Administration Services, see
the Administration Services Configuration Guide.
This chapter includes the following sections:
• “Configuring DV Administration logs” on page 1448
• “Configuring the CRL cache timeout” on page 1450
• “Configuring list operations in DV Administration” on page 1451
• “Configuring the date format for DV Administration” on page 1454
• “Configuring email notification for DV Administration” on page 1455
• “Configuring a jurisdiction policy” on page 1471

Configuring DV Administration logs
Administration Services allows you to customize the log file settings for DV
Administration. You can configure the following log settings:
• the log file name and location
• the level of messages recorded in the file
• the maximum size the log file can reach before a new log file is created
• the number of old log files to retain

To configure the DV Administration logs


1 Log in to the Administration Services server hosting the application server
components.
2 Open the dv-config.xml file in a text editor. You can find the file in the following
folder:
<AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\config
3 In the <Logging> section, configure the following settings:

Table 73: DV Administration log settings

Setting      Description
<Level>      This setting controls the level of detail for the DV Administration
             logs. The logging level can be one of (in increasing severity):
             • TRACE
             • DEBUG
             • INFO
             • WARNING
             • ERROR
             • ALERT
             • FATAL
             This sets the lowest level of message to show. For example, ERROR
             provides messages of ERROR, ALERT and FATAL status.
             Default: INFO
<Filename>   This setting specifies the name (including path) of the log file.
             Default: <AS-install>\dvadmin\<instance>\logs\dv_<instance>.log
<Filesize>   This setting controls the maximum size of a log file, in bytes.
             Do not set the value to 0, or Apache Tomcat will fail to start.
             Default: 1000000
<Backups>    This setting controls the maximum number of log files to keep.
             After the last log file reaches the maximum size, the first log
             file is overwritten.
             Default: 10

4 Save and close the file.


5 Restart Administration Services.

Configuring the CRL cache timeout
DV administrators access the DV Administration interface using a client certificate
stored in their Web browser. DV Administration will verify that the client certificate is
still valid by checking the corresponding Certificate Revocation List (CRL) to verify
that the certificate has not been revoked.
By default, after accessing the CRL, the CRL is cached on the Administration Services
server. Using a cached CRL prevents Administration Services from having to retrieve
the CRL from the directory for every CRL check. By default, CRLs are cached for 10
minutes. You can configure how long a CRL remains in the cache, up to 120 minutes.

To configure the CRL cache timeout


1 Log in to the Administration Services server hosting the application server
components.
2 Open the DV Administration instance dv-config.xml file in a text editor. You can
find the file in the following folder:
<AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\config
3 Locate the <CRLCacheTimeout> setting. For example:
<CRLCacheTimeout>10</CRLCacheTimeout>
4 Set the CRL cache timeout, in minutes, as required. You can set the CRL cache
timeout value from 0 to 120. For example, to set the CRL cache timeout to 15
minutes:
<CRLCacheTimeout>15</CRLCacheTimeout>
If 0, the CRL is never cached. By not caching the CRL, revoked certificates are
recognized immediately.
5 Save and close the file.
6 Restart Administration Services.

Configuring list operations in DV Administration
In DV Administration, administrators can list the following entities, certificates, or
certificate requests:
• DV certificates
• DV certificate requests
• CVCAs
• CVCA certificates
• Inspection Systems
• Inspection System certificates
DV Administration controls the maximum number of results returned in a list
operation, and whether expired certificates are included in the results.
For each type of entity, certificate, or certificate request, you can configure the
maximum number of results returned, and whether expired certificates are included
in the results.

Note:
You can set a maximum return limit for XAP searches in Security Manager. If a
maximum return limit is configured in Security Manager, the maximum return
limit at Security Manager takes precedence.

To configure search operations in DV Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Open the cvca-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\config
3 In the <Search> section, configure the following settings:

Table 74: DV Administration search settings

Setting                  Description
<DvCertificate>          These settings control the search operations for DV
                         certificates.
  <MaxReturn>            This setting specifies the maximum number of
                         certificates to return in a DV certificate list
                         operation. If 0, DV Administration uses the Security
                         Manager default XAP return limit (default is 100).
                         Default: 1000
  <IncludeExpired>       This setting controls whether to include expired
                         certificates in the results.
                         Default: true
<DvCertificateRequest>   These settings control the search operations for DV
                         certificate requests.
  <MaxReturn>            This setting specifies the maximum number of
                         certificate requests to return in a DV certificate
                         request list operation. If 0, DV Administration uses
                         the Security Manager default XAP return limit (default
                         is 100).
                         Default: 1000
<CvcaEntity>             These settings control the search operations for CVCAs.
  <MaxReturn>            This setting specifies the maximum number of CVCAs to
                         return in a CVCA list operation. If 0, DV
                         Administration uses the Security Manager default XAP
                         return limit (default is 100).
                         Default: 1000
<CvcaCertificate>        These settings control the search operations for CVCA
                         certificates.
  <MaxReturn>            This setting specifies the maximum number of
                         certificates to return in a CVCA certificate list
                         operation. If 0, DV Administration uses the Security
                         Manager default XAP return limit (default is 100).
                         Default: 1000
  <IncludeExpired>       This setting controls whether to include expired
                         certificates in the results.
                         Default: true
<IsEntity>               These settings control the search operations for
                         Inspection Systems.
  <MaxReturn>            This setting specifies the maximum number of
                         Inspection Systems to return in an Inspection System
                         list operation. If 0, DV Administration uses the
                         Security Manager default XAP return limit (default is
                         100).
                         Default: 1000
<IsCertificate>          These settings control the search operations for
                         Inspection System certificates.
  <MaxReturn>            This setting specifies the maximum number of
                         certificates to return in an Inspection System
                         certificate list operation. If 0, DV Administration
                         uses the Security Manager default XAP return limit
                         (default is 100).
                         Default: 1000
  <IncludeExpired>       This setting controls whether to include expired
                         certificates in the results.
                         Default: true

4 Save and close the file.


5 Restart Administration Services.
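The following Python script is an added example; it is not part of this guide or of Administration Services. It validates the three dv-config.xml settings covered in this chapter so far, the <Logging> values from Table 73, the <CRLCacheTimeout> range from "Configuring the CRL cache timeout", and the <Search> values from Table 74, before you restart Administration Services, so that a zero <Filesize> or an out-of-range cache timeout is caught before it stops Apache Tomcat or is silently ignored. The sample configuration is constructed from the documented defaults; the root element name <DvConfig> is an assumption, since the guide shows only the individual settings.

```python
# Added example (not Entrust code): validates the <Logging>, <CRLCacheTimeout>
# and <Search> settings of a DV Administration dv-config.xml against the
# values described in Table 73, the CRL cache timeout procedure and Table 74.
# The root element name <DvConfig> is an assumption.
import xml.etree.ElementTree as ET

LEVELS = ("TRACE", "DEBUG", "INFO", "WARNING", "ERROR", "ALERT", "FATAL")
SEARCH_GROUPS = ("DvCertificate", "DvCertificateRequest", "CvcaEntity",
                 "CvcaCertificate", "IsEntity", "IsCertificate")


def _text(parent, path):
    """Stripped text of the first element at path, or None if absent."""
    elem = parent.find(path)
    return (elem.text or "").strip() if elem is not None else None


def _int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def check_dv_config(xml_text: str) -> list[str]:
    """Return a list of problems; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    problems = []

    # <Logging>: a known level name, a non-zero Filesize (Table 73: 0 stops
    # Apache Tomcat from starting) and at least one backup file.
    log = root.find(".//Logging")
    if log is None:
        problems.append("<Logging> section missing")
    else:
        level = _text(log, "Level")
        if level not in LEVELS:
            problems.append(f"<Level> {level!r} is not one of {', '.join(LEVELS)}")
        size = _int(_text(log, "Filesize"))
        if size is None or size <= 0:
            problems.append("<Filesize> must be a positive byte count; "
                            "0 prevents Apache Tomcat from starting")
        backups = _int(_text(log, "Backups"))
        if backups is None or backups < 1:
            problems.append("<Backups> must be at least 1")

    # <CRLCacheTimeout>: 0 to 120 minutes. 0 disables caching, so a revoked
    # administrator certificate is refused immediately, at the cost of one
    # directory lookup per CRL check.
    timeout = _int(_text(root, ".//CRLCacheTimeout"))
    if timeout is None or not 0 <= timeout <= 120:
        problems.append("<CRLCacheTimeout> must be 0 to 120 minutes")

    # <Search>: every group needs a MaxReturn of 0 (defer to the Security
    # Manager XAP limit) or more; IncludeExpired, where present, is a boolean.
    search = root.find(".//Search")
    if search is None:
        problems.append("<Search> section missing")
    else:
        for group in SEARCH_GROUPS:
            entry = search.find(group)
            if entry is None:
                problems.append(f"<Search> lacks <{group}>")
                continue
            max_return = _int(_text(entry, "MaxReturn"))
            if max_return is None or max_return < 0:
                problems.append(f"<{group}><MaxReturn> must be 0 or a positive count")
            expired = _text(entry, "IncludeExpired")
            if expired is not None and expired.lower() not in ("true", "false"):
                problems.append(f"<{group}><IncludeExpired> must be true or false")
    return problems


def _search_group(name, include_expired=True):
    """Build one constructed <Search> group with the guide's default values."""
    expired = "<IncludeExpired>true</IncludeExpired>" if include_expired else ""
    return f"<{name}><MaxReturn>1000</MaxReturn>{expired}</{name}>"


# Constructed sample configuration using the defaults from Tables 73 and 74.
GOOD_CONFIG = f"""<DvConfig>
  <Logging>
    <Level>INFO</Level>
    <Filename>C:\\AS\\dvadmin\\dv1\\logs\\dv_dv1.log</Filename>
    <Filesize>1000000</Filesize>
    <Backups>10</Backups>
  </Logging>
  <CRLCacheTimeout>10</CRLCacheTimeout>
  <Search>
    {_search_group('DvCertificate')}
    {_search_group('DvCertificateRequest', include_expired=False)}
    {_search_group('CvcaEntity', include_expired=False)}
    {_search_group('CvcaCertificate')}
    {_search_group('IsEntity', include_expired=False)}
    {_search_group('IsCertificate')}
  </Search>
</DvConfig>"""

# Three deliberate mistakes: unknown level, zero Filesize, timeout above 120.
BAD_CONFIG = (GOOD_CONFIG.replace("<Level>INFO", "<Level>VERBOSE")
              .replace("<Filesize>1000000", "<Filesize>0")
              .replace("<CRLCacheTimeout>10", "<CRLCacheTimeout>240"))

if __name__ == "__main__":
    print("good:", check_dv_config(GOOD_CONFIG) or "OK")
    print("bad:", check_dv_config(BAD_CONFIG))
```

The checks are deliberately limited to the ranges this chapter states; a value such as <MaxReturn> larger than the Security Manager XAP return limit is not an error here because, as the Note above says, the Security Manager limit takes precedence at run time.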

Configuring the date format for DV Administration
The following procedure describes how to configure the date format for DV
Administration to meet your organization’s date format requirements.

To configure the formatting functions for DV Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Open the commonpage.js file in a text editor. You can find the file in the following
folder:
<AS-install>\services\dvadmin\<instance>\webapp\<locale>\javascript
3 Customize one of the following formatting functions:
• getLocalDateTime()
• rfc3339DateToJavaScript()

Configuring email notification for DV Administration
When you installed DV Administration, you had the option to enable email
notification for DV Administration. If you did not enable email notification during the
installation, or you want to configure how email notification works, complete the
steps in this section.
For more information about email notification, see the Administration Services
Installation Guide.
• “Configuring SMTP server settings for DV Administration” on page 1455
• “Changing the email format for DV Administration” on page 1457
• “Email notification files for DV Administration” on page 1457
• “Enabling and disabling email notification for DV Administration” on
page 1461
• “Enabling email notification for the initial Document Verifier certificate
request for a foreign CVCA” on page 1464
• “Modifying email notification subject and message text for DV
Administration” on page 1468
• “Modifying DV Administration email notification to use HTML content
templates” on page 1470

Configuring SMTP server settings for DV Administration


The SMTP server settings control how DV Administration connects to your SMTP server. If you enabled email notification when you installed DV Administration, the installer already populated these settings; use this procedure to review or change them.

To configure the SMTP server settings for DV Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Open the configuration.global.xml file for the DV Administration instance.
You can find the file in the following folder:
<AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\config
3 Locate the <SMTP> element.
4 In the <SMTP> element, configure the following child elements:
a In the <Charset> element, enter the character set used to forward
notification emails to the SMTP server. For example:
<Charset>UTF-8</Charset>

b In the <Host> element, enter the fully qualified host name of the SMTP
server. For example:
<Host>SMTPserver.company.com</Host>
c In the <Port> element, enter the port (between 0 and 65535) used to
connect to the SMTP host. For example:
<Port>25</Port>
5 If your SMTP server requires authentication, do the following:
a Enter true in the <Authentication> element. For example:
<Authentication>true</Authentication>
b Enter the SMTP server user ID in the <User> element. For example:
<User>SMTPuser</User>
c Enter the password for the SMTP server user ID in the <Password> element. Because the file then holds the SMTP credentials, restrict read access to the WEB-INF\config folder to the account that runs Administration Services and to its administrators.
6 Save and close the file.
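
The following Python script is an added example, not Entrust code: it parses an edited <SMTP> element and flags the mistakes the steps above make easy to introduce (a host that is not fully qualified, a port outside 0 to 65535, <Authentication> set to true with an empty user or password, or credentials entered while authentication is off). The two XML fragments are constructed for the example, and the <Configuration> root element wrapping them is an assumption; the real file's root element is not shown in this section.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <SMTP> element as the procedure above describes it,
# wrapped in a placeholder <Configuration> root (assumed, not from a real file).
SAMPLE_OK = """<Configuration>
  <SMTP>
    <Charset>UTF-8</Charset>
    <Host>SMTPserver.company.com</Host>
    <Port>25</Port>
    <Authentication>true</Authentication>
    <User>SMTPuser</User>
    <Password>s3cret</Password>
  </SMTP>
</Configuration>"""

# Constructed sample containing the mistakes the checks below are meant to catch.
SAMPLE_BAD = """<Configuration>
  <SMTP>
    <Host>smtpserver</Host>
    <Port>70000</Port>
    <Authentication>true</Authentication>
    <User>SMTPuser</User>
    <Password></Password>
  </SMTP>
</Configuration>"""


def _text(parent, tag):
    """Return the stripped text of a direct child element, or None if absent/empty."""
    child = parent.find(tag)
    if child is None or child.text is None:
        return None
    return child.text.strip() or None


def check_smtp(xml_text):
    """Lint the <SMTP> element and return a list of human-readable findings."""
    findings = []
    root = ET.fromstring(xml_text)
    smtp = root.find(".//SMTP")
    if smtp is None:
        return ["no <SMTP> element found"]

    if not _text(smtp, "Charset"):
        findings.append("<Charset> is missing; the procedure expects a value such as UTF-8")

    host = _text(smtp, "Host")
    if not host:
        findings.append("<Host> is missing")
    elif "." not in host:
        findings.append("<Host> '%s' is not a fully qualified host name" % host)

    port = _text(smtp, "Port")
    if port is None or not port.isdigit() or not 0 <= int(port) <= 65535:
        findings.append("<Port> must be an integer between 0 and 65535, got %r" % port)

    auth = (_text(smtp, "Authentication") or "false").lower()
    if auth not in ("true", "false"):
        findings.append("<Authentication> must be true or false, got %r" % auth)
    if auth == "true":
        if not _text(smtp, "User"):
            findings.append("<Authentication> is true but <User> is empty")
        if not _text(smtp, "Password"):
            findings.append("<Authentication> is true but <Password> is empty")
    elif _text(smtp, "User") or _text(smtp, "Password"):
        findings.append("credentials are set but <Authentication> is not true, so they are unused")
    return findings


if __name__ == "__main__":
    for name, sample in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(name, check_smtp(sample) or "no findings")
```

Run it against the <SMTP> element copied out of your configuration.global.xml before restarting Administration Services; an empty list means the element satisfies the constraints stated in the procedure.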

To configure the email addresses for DV Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Navigate to the following folder:
<AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\ens\xsl\<locale>
3 Open the common-config.xsl file.
4 To configure the email address that appears in the email message’s From field,
configure the following setting:
<xsl:variable name="lang.from.email">email.address@company.com</xsl:variable>
5 Save and close the file.
6 To configure the email address that Administration Services uses when the
Inspection System policy changes:
a Open the is-global-customemail-recipients.xsl file in a text editor.
b Locate the following lines:
<Email>
TAG_IS_GLOBAL_EMAIL
</Email>
c Replace TAG_IS_GLOBAL_EMAIL with the valid email address.
d Save and close the file.

Changing the email format for DV Administration
Notification email addresses entered by administrators in the DV Administration
interface are checked to ensure that the format matches that of most Internet email
addresses. The format is checked using the following expression:
var regex=/^([a-zA-Z0-9\!\#\$\%\&\'\*\+\-\/\=\?\^\_\`\{\|\}\~]+(\.[a-zA-Z0-9\!\#\$\%\&\'\*\+\-\/\=\?\^\_\`\{\|\}\~]+)*)@([a-zA-Z0-9\-]+\.)+[a-zA-Z0-9]{2,}$/;
If your organization uses a different format for email addresses, Administration
Services will not accept your email addresses as valid. If you use a different format,
you must configure Administration Services to recognize the format.
Configure the new email format in the following file on the server hosting the
application server components:
<AS-install>\services\dvadmin\<instance>\webapp\<locale>\javascript\validator.js
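
To see which of your organization's addresses the default check accepts before you edit validator.js, the following Python script (an added example, not part of the product) runs the same expression against constructed addresses. The pattern uses only syntax that JavaScript and Python's re module interpret identically, so it ports verbatim; the one difference to respect is the '$' anchor, which in JavaScript (without the m flag) matches only at the very end of the input, whereas Python's '$' also matches before a trailing newline. The faithful port therefore uses re.fullmatch, and the script keeps the tempting re.match variant beside it to show the gap.

```python
import re

# The address-format check from validator.js, ported verbatim to Python.
EMAIL_PATTERN = re.compile(
    r"^([a-zA-Z0-9\!\#\$\%\&\'\*\+\-\/\=\?\^\_\`\{\|\}\~]+"
    r"(\.[a-zA-Z0-9\!\#\$\%\&\'\*\+\-\/\=\?\^\_\`\{\|\}\~]+)*)"
    r"@([a-zA-Z0-9\-]+\.)+[a-zA-Z0-9]{2,}$"
)


def is_accepted(address):
    """True if DV Administration's default check would accept the address.

    fullmatch reproduces the JavaScript anchoring: re.match with '$' would
    also accept 'admin@company.com\\n', which the JavaScript check rejects.
    """
    return EMAIL_PATTERN.fullmatch(address) is not None


def naive_port_accepts(address):
    """The unfaithful port, kept only to demonstrate the trailing-newline gap."""
    return EMAIL_PATTERN.match(address) is not None


# Constructed addresses with the verdict the default format gives each one.
SAMPLES = {
    "admin@company.com": True,
    "first.last+dv@mail.company.co.uk": True,
    "o'neil@company.com": True,         # RFC 5322 atext punctuation is allowed
    "admin@localhost": False,           # the domain needs at least one dot
    "admin@company.c": False,           # top-level label must be 2+ characters
    ".admin@company.com": False,        # local part cannot start with a dot
    "admin@company..com": False,        # empty domain label
    "admin@[192.0.2.10]": False,        # bracketed IP literals are not matched
    "jürgen@company.de": False,         # non-ASCII local parts are rejected
}


def mismatches():
    """Return the sample addresses whose verdict differs from the expectation."""
    return [addr for addr, expected in SAMPLES.items() if is_accepted(addr) != expected]


if __name__ == "__main__":
    for addr in SAMPLES:
        print("%-36s %s" % (addr, "accepted" if is_accepted(addr) else "rejected"))
```

Addresses that your organization uses but that the script rejects (for example, non-ASCII local parts or bracketed IP literals) are the ones for which you need to adapt the expression in validator.js.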

Email notification files for DV Administration


You can configure Administration Services to notify administrators or users by email
if a specific event occurs. Table 75 lists all the email notification events in the
configuration.global.xml file for DV Administration. For information about
enabling and disabling email notification, see “Enabling and disabling email
notification for DV Administration” on page 1461.

Table 75: DV Administration account tasks, event IDs, and email message files

Interface label | Event ID in configuration.global.xml | Email message files | Enabled by default
Import Certificate from CVCA | dv-cert-import | dv-cert-import-subject.xsl, dv-cert-import-content.xsl | No
DV Certificate Import Approved | dv-cert-import-approved | dv-cert-import-approved-content.xsl, dv-cert-import-subject.xsl | No
Add IS | is-add | is-entity-add-subject.xsl, is-entity-add-content.xsl, is-entity-add-attachments.xsl | Yes
Delete IS | is-delete | is-entity-delete-subject.xsl, is-entity-delete-content.xsl | Yes
Disable IS | is-disable | is-entity-disable-subject.xsl, is-entity-disable-content.xsl | Yes
Edit IS | is-edit | is-entity-edit-subject.xsl, is-entity-edit-content.xsl | No
IS Authenticated Certificate Request Process | is-auth-cert-req-process | is-entity-auth-cert-req-process-content.xsl, is-entity-auth-cert-req-process-subject.xsl | Yes
IS Authenticated Certificate Request Process Approved | is-auth-cert-req-process-approved | is-entity-auth-cert-req-process-approved-content.xsl, is-entity-auth-cert-req-process-subject.xsl | Yes
IS Unauthenticated Certificate Request Process | is-unauth-cert-req-process | is-entity-unauth-cert-req-process-content.xsl, is-entity-unauth-cert-req-process-subject.xsl | Yes
IS Unauthenticated Certificate Request Process Approved | is-unauth-cert-req-process-approved | is-entity-unauth-cert-req-process-approved-content.xsl, is-entity-unauth-cert-req-process-subject.xsl | Yes
Enable IS | is-enable | is-entity-enable-subject.xsl, is-entity-enable-content.xsl | Yes
Edit IS Policy | is-policy-edit | is-policy-edit-subject.xsl, is-policy-edit-content.xsl | No
DV Certificate Request Create Queued | queued-dv-cert-req-create | queued-dv-cert-req-create-content.xsl, queued-dv-cert-req-create-subject.xsl | Yes
DV Certificate Request Cancel Queued | queued-dv-cert-req-cancel | queued-dv-cert-req-cancel-content.xsl, queued-dv-cert-req-cancel-subject.xsl | Yes
DV Certificate Import Queued | queued-dv-cert-import | queued-dv-cert-import-content.xsl, queued-dv-cert-import-subject.xsl | Yes
CVCA Root Certificate Import Queued | queued-cvca-root-cert-import | queued-cvca-entity-root-cert-import-content.xsl, queued-cvca-entity-root-cert-import-subject.xsl | Yes
CVCA Link Certificate Import Queued | queued-cvca-link-cert-import | queued-cvca-entity-link-cert-import-content.xsl, queued-cvca-entity-link-cert-import-subject.xsl | Yes
CVCA Delete Queued | queued-cvca-delete | queued-cvca-entity-delete-content.xsl, queued-cvca-entity-delete-subject.xsl | Yes
IS Authenticated Certificate Request Process Queued | queued-is-auth-cert-req-process | queued-is-entity-auth-cert-req-process-content.xsl, queued-is-entity-auth-cert-req-process-subject.xsl | Yes
IS Unauthenticated Certificate Request Process Queued | queued-is-unauth-cert-req-process | queued-is-entity-unauth-cert-req-process-content.xsl, queued-is-entity-unauth-cert-req-process-subject.xsl | Yes
DV Authenticated Certificate Request Create | dv-auth-cert-req-create | dv-auth-cert-req-create-content.xsl, dv-cert-req-create-subject.xsl, dv-cert-req-create-attachments.xsl | Yes
DV Authenticated Certificate Request Create Approved | dv-auth-cert-req-create-approved | dv-auth-cert-req-create-approved-content.xsl, dv-cert-req-create-subject.xsl, dv-cert-req-create-approved-attachments.xsl | Yes
DV Authenticated Certificate Request Create for Countersigning | dv-auth-cert-req-countersign-create | dv-cert-req-create-countersign-content.xsl, dv-cert-req-create-countersign-subject.xsl, dv-cert-req-create-attachments.xsl | Yes
DV Authenticated Certificate Request Create for Countersigning Approved | dv-auth-cert-req-countersign-create-approved | dv-cert-req-create-countersign-approved-content.xsl, dv-cert-req-create-countersign-subject.xsl, dv-cert-req-create-approved-attachments.xsl | Yes
DV Unauthenticated Certificate Request Create for Countersigning for Foreign CVCA | dv-unauth-cert-req-foreign-create | dv-cert-req-create-countersign-content.xsl, dv-cert-req-create-countersign-subject.xsl, dv-cert-req-create-attachments.xsl | No
DV Unauthenticated Certificate Request Create for Countersigning Approved for Foreign CVCA | dv-unauth-cert-req-foreign-create-approved | dv-cert-req-create-countersign-approved-content.xsl, dv-cert-req-create-countersign-subject.xsl, dv-cert-req-create-approved-attachments.xsl | No
DV Unauthenticated Certificate Request Create | dv-unauth-cert-req-create | dv-unauth-cert-req-create-content.xsl, dv-cert-req-create-subject.xsl, dv-cert-req-create-attachments.xsl | Yes
DV Unauthenticated Certificate Request Create Approved | dv-unauth-cert-req-create-approved | dv-unauth-cert-req-create-approved-content.xsl, dv-cert-req-create-approved-attachments.xsl | Yes

Enabling and disabling email notification for DV Administration


You can configure Administration Services to notify administrators or users by email
if a specific event occurs. “Email notification files for DV Administration” on
page 1457 lists all the email notification events in the configuration.global.xml
file for DV Administration.
Use the following procedures to enable and disable email notification for DV
Administration:
• “To enable or disable email notification for DV Administration” on
page 1461
• “To enable or disable email notification for specific events for DV
Administration” on page 1462
• “To configure email notification event settings for DV Administration” on
page 1463

To enable or disable email notification for DV Administration


1 Log in to the Administration Services server hosting the application server
components.

2 Open the dvca-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\config
3 Locate the <Notifications> element and configure the <Enabled> child
element as follows:
• To enable email notification, set the <Enabled> element to true.
<Enabled>true</Enabled>
• To disable email notification, set the <Enabled> element to false.
<Enabled>false</Enabled>
4 Save and close the file.
5 Open the DV Administration instance configuration.global.xml file in a text
editor. You can find the file in the following folder:
<AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\config
6 Locate the <Notification> element and configure the first <Enabled> element
as follows:
• To enable email notification, set the <Enabled> element to true.
<Enabled>true</Enabled>
• To disable email notification, set the <Enabled> element to false.
<Enabled>false</Enabled>
7 If required, enable or disable email notification for specific events. See “To enable
or disable email notification for specific events for DV Administration” on
page 1462 for details.
8 Save and close the file.
9 Restart Administration Services.

To enable or disable email notification for specific events for DV Administration

1 Log in to the Administration Services server hosting the application server
components.
2 Open the DV Administration instance configuration.global.xml file in a text
editor. You can find the file in the following folder:
<AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\config
3 Locate the <Notification> element.
4 In the <Notification> element, each <Event> child element refers to a specific
event. See “Email notification files for DV Administration” on page 1457 for a list
of event IDs.
For each event, you can configure email notification as follows:

• To enable email notification for the event, set <Enabled> to true.
<Enabled>true</Enabled>
• To disable email notification for the event, set <Enabled> to false.
<Enabled>false</Enabled>
5 If required, configure the email notification event settings. See “To configure
email notification event settings for DV Administration” on page 1463 for
details.
6 Save and close the file.
If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin), for
languages such as French or Japanese, save the file with UTF-8 encoding.
7 Restart Administration Services.

To configure email notification event settings for DV Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Open the DV Administration instance configuration.global.xml file in a text
editor. You can find the file in the following folder:
<AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\config
3 Locate the <EmailNotificationEvents> element.
4 In the <EmailNotificationEvents> element, each <EmailNotificationEvent>
child element refers to a specific email notification event. For each event, you can
configure the settings described in the following table.

Table 76: Email notification event settings

<ContentTemplate>
    The name of the XSLT file that is applied to the notification event to produce the text of the message. See “Modifying email notification subject and message text for DV Administration” on page 1468 for details about editing this file.
    Note: This is a system setting and should not be modified.
<FromTemplate>
    The name of the XSLT file that is applied to the notification event to produce the names and email addresses for the RFC 822 From: and Reply-To: headers.
    Note: This is a system setting and should not be modified.
<Id>
    Declares a unique identifier. This value must match the identifier of a notification event sent by the XAPNotificationHandler; it determines which email notification event handles that notification event.
    Note: This is a system setting and should not be modified.
<RecipientTemplate>
    The name of the XSLT file that is applied to the notification event to produce the names and email addresses of the recipients. The result of the transformation is a <Recipients> element.
<SubjectTemplate>
    The name of the XSLT file that is applied to the notification event to produce the text of the RFC 822 Subject: header. The result of the transformation is a <Subject> element. See “Modifying email notification subject and message text for DV Administration” on page 1468 for details about editing this file.
<AttachmentsTemplate>
    The name of the XSLT file that is applied to the notification event to produce the files sent with the email message as attachments. The result of the transformation is an <Attachments> element.

5 Save and close the file.


If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin), for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Restart Administration Services.

Enabling email notification for the initial Document Verifier certificate request for a foreign CVCA
When creating the initial Document Verifier certificate request for a foreign CVCA,
you can send the certificate request to the foreign CVCA for processing, or send it to
your domestic CVCA for countersigning. If you enabled the email notification event
for creating unauthenticated DV certificate requests for a foreign CVCA, you can
choose to send the email notification to the foreign CVCA or the domestic CVCA.
By default, if you enabled email notification for creating unauthenticated DV
certificate requests for a foreign CVCA, an email notification is sent to your domestic
CVCA for countersigning.
Choosing between these two sets of templates is only possible for the initial (unauthenticated) certificate request for a foreign CVCA. Subsequent (authenticated) certificate requests are created explicitly either for countersigning or for processing, so each of those cases has its own dedicated notification event (see Table 75) and no choice is needed.
• “To enable email notification for countersigning” on page 1465
• “To enable email notification for processing” on page 1466

To enable email notification for countersigning


1 Log in to the Administration Services server hosting the application server
components.
2 Enable email notification for the dv-unauth-cert-req-foreign-create and
dv-unauth-cert-req-foreign-create-approved event IDs.
See “Enabling and disabling email notification for DV Administration” on
page 1461 for details.
3 In the configuration.global.xml file, locate the <EmailNotificationEvents> element.
4 In the <EmailNotificationEvents> element, each <EmailNotificationEvent> child element refers to a specific email notification event. Only one <EmailNotificationEvent> should be active for each of the two event IDs.
a If required, comment out the following <EmailNotificationEvent> elements (the processing variants):
<EmailNotificationEvent>
  <ContentTemplate>dv-unauth-cert-req-create-content</ContentTemplate>
  <FromTemplate>dv-admin-default-from</FromTemplate>
  <Id>dv-unauth-cert-req-foreign-create</Id>
  <RecipientTemplate>cvca-entity-cert-customemail-recipients</RecipientTemplate>
  <SubjectTemplate>dv-cert-req-create-subject</SubjectTemplate>
  <AttachmentsTemplate>dv-cert-req-create-attachments</AttachmentsTemplate>
</EmailNotificationEvent>

<EmailNotificationEvent>
  <ContentTemplate>dv-unauth-cert-req-create-approved-content</ContentTemplate>
  <FromTemplate>dv-admin-default-from</FromTemplate>
  <Id>dv-unauth-cert-req-foreign-create-approved</Id>
  <RecipientTemplate>queued-approved-customemail-recipients</RecipientTemplate>
  <SubjectTemplate>dv-cert-req-create-subject</SubjectTemplate>
  <AttachmentsTemplate>dv-cert-req-create-approved-attachments</AttachmentsTemplate>
</EmailNotificationEvent>
b If required, remove the comment tags from the following <EmailNotificationEvent> elements (the countersigning variants):
<EmailNotificationEvent>
  <ContentTemplate>dv-cert-req-create-countersign-content</ContentTemplate>
  <FromTemplate>dv-admin-default-from</FromTemplate>
  <Id>dv-unauth-cert-req-foreign-create</Id>
  <RecipientTemplate>cvca-countersign-entity-cert-customemail-recipients</RecipientTemplate>
  <SubjectTemplate>dv-cert-req-create-countersign-subject</SubjectTemplate>
  <AttachmentsTemplate>dv-cert-req-create-attachments</AttachmentsTemplate>
</EmailNotificationEvent>

<EmailNotificationEvent>
  <ContentTemplate>dv-cert-req-create-countersign-approved-content</ContentTemplate>
  <FromTemplate>dv-admin-default-from</FromTemplate>
  <Id>dv-unauth-cert-req-foreign-create-approved</Id>
  <RecipientTemplate>queued-countersign-approved-customemail-recipients</RecipientTemplate>
  <SubjectTemplate>dv-cert-req-create-countersign-subject</SubjectTemplate>
  <AttachmentsTemplate>dv-cert-req-create-approved-attachments</AttachmentsTemplate>
</EmailNotificationEvent>
c For each email notification event, you can configure the settings described in
Table 76 on page 1463.
5 Save and close the file.
If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin), for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Restart Administration Services.

To enable email notification for processing


1 Log in to the Administration Services server hosting the application server
components.
2 Enable email notification for the dv-unauth-cert-req-foreign-create and
dv-unauth-cert-req-foreign-create-approved event IDs.
See “Enabling and disabling email notification for DV Administration” on
page 1461 for details.
3 In the configuration.global.xml file, locate the <EmailNotificationEvents> element.
4 In the <EmailNotificationEvents> element, each <EmailNotificationEvent> child element refers to a specific email notification event. Only one <EmailNotificationEvent> should be active for each of the two event IDs.
a If required, comment out the following <EmailNotificationEvent> elements (the countersigning variants):
<EmailNotificationEvent>
  <ContentTemplate>dv-cert-req-create-countersign-content</ContentTemplate>
  <FromTemplate>dv-admin-default-from</FromTemplate>
  <Id>dv-unauth-cert-req-foreign-create</Id>
  <RecipientTemplate>cvca-countersign-entity-cert-customemail-recipients</RecipientTemplate>
  <SubjectTemplate>dv-cert-req-create-countersign-subject</SubjectTemplate>
  <AttachmentsTemplate>dv-cert-req-create-attachments</AttachmentsTemplate>
</EmailNotificationEvent>

<EmailNotificationEvent>
  <ContentTemplate>dv-cert-req-create-countersign-approved-content</ContentTemplate>
  <FromTemplate>dv-admin-default-from</FromTemplate>
  <Id>dv-unauth-cert-req-foreign-create-approved</Id>
  <RecipientTemplate>queued-countersign-approved-customemail-recipients</RecipientTemplate>
  <SubjectTemplate>dv-cert-req-create-countersign-subject</SubjectTemplate>
  <AttachmentsTemplate>dv-cert-req-create-approved-attachments</AttachmentsTemplate>
</EmailNotificationEvent>
b If required, remove the comment tags from the following <EmailNotificationEvent> elements (the processing variants):
<EmailNotificationEvent>
  <ContentTemplate>dv-unauth-cert-req-create-content</ContentTemplate>
  <FromTemplate>dv-admin-default-from</FromTemplate>
  <Id>dv-unauth-cert-req-foreign-create</Id>
  <RecipientTemplate>cvca-entity-cert-customemail-recipients</RecipientTemplate>
  <SubjectTemplate>dv-cert-req-create-subject</SubjectTemplate>
  <AttachmentsTemplate>dv-cert-req-create-attachments</AttachmentsTemplate>
</EmailNotificationEvent>

<EmailNotificationEvent>
  <ContentTemplate>dv-unauth-cert-req-create-approved-content</ContentTemplate>
  <FromTemplate>dv-admin-default-from</FromTemplate>
  <Id>dv-unauth-cert-req-foreign-create-approved</Id>
  <RecipientTemplate>queued-approved-customemail-recipients</RecipientTemplate>
  <SubjectTemplate>dv-cert-req-create-subject</SubjectTemplate>
  <AttachmentsTemplate>dv-cert-req-create-approved-attachments</AttachmentsTemplate>
</EmailNotificationEvent>
c For each email notification event, you can configure the settings described in
Table 76 on page 1463.
5 Save and close the file.
If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin), for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Restart Administration Services.
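
Both procedures above leave configuration.global.xml with two <EmailNotificationEvent> elements that share an <Id>, of which only one may remain uncommented. The following Python script is an added example, not Entrust code: it parses a constructed configuration.global.xml fragment, ignores commented-out elements exactly as the XML parser does (which is what the comment-out and uncomment steps rely on), and reports every <Id> that still has more than one live handler, together with the way each live handler routes the request (countersigning via the domestic CVCA or processing by the foreign CVCA), judged from its <RecipientTemplate> name as shown in the two variants above. It also flags handlers missing any of the children listed in Table 76. The <Configuration> root element and the sample's mix of one correct and one faulty pair are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Child elements the page lists for an <EmailNotificationEvent> (Table 76).
REQUIRED = ("ContentTemplate", "FromTemplate", "Id", "RecipientTemplate",
            "SubjectTemplate", "AttachmentsTemplate")

# Constructed fragment: for dv-unauth-cert-req-foreign-create the countersigning
# variant is active and the processing variant is commented out (correct); for
# dv-unauth-cert-req-foreign-create-approved both variants were left active (the
# mistake this script detects). The <Configuration> root is a placeholder.
SAMPLE = """<Configuration>
<EmailNotificationEvents>
<EmailNotificationEvent>
 <ContentTemplate>dv-cert-req-create-countersign-content</ContentTemplate>
 <FromTemplate>dv-admin-default-from</FromTemplate>
 <Id>dv-unauth-cert-req-foreign-create</Id>
 <RecipientTemplate>cvca-countersign-entity-cert-customemail-recipients</RecipientTemplate>
 <SubjectTemplate>dv-cert-req-create-countersign-subject</SubjectTemplate>
 <AttachmentsTemplate>dv-cert-req-create-attachments</AttachmentsTemplate>
</EmailNotificationEvent>
<!--
<EmailNotificationEvent>
 <ContentTemplate>dv-unauth-cert-req-create-content</ContentTemplate>
 <FromTemplate>dv-admin-default-from</FromTemplate>
 <Id>dv-unauth-cert-req-foreign-create</Id>
 <RecipientTemplate>cvca-entity-cert-customemail-recipients</RecipientTemplate>
 <SubjectTemplate>dv-cert-req-create-subject</SubjectTemplate>
 <AttachmentsTemplate>dv-cert-req-create-attachments</AttachmentsTemplate>
</EmailNotificationEvent>
-->
<EmailNotificationEvent>
 <ContentTemplate>dv-cert-req-create-countersign-approved-content</ContentTemplate>
 <FromTemplate>dv-admin-default-from</FromTemplate>
 <Id>dv-unauth-cert-req-foreign-create-approved</Id>
 <RecipientTemplate>queued-countersign-approved-customemail-recipients</RecipientTemplate>
 <SubjectTemplate>dv-cert-req-create-countersign-subject</SubjectTemplate>
 <AttachmentsTemplate>dv-cert-req-create-approved-attachments</AttachmentsTemplate>
</EmailNotificationEvent>
<EmailNotificationEvent>
 <ContentTemplate>dv-unauth-cert-req-create-approved-content</ContentTemplate>
 <FromTemplate>dv-admin-default-from</FromTemplate>
 <Id>dv-unauth-cert-req-foreign-create-approved</Id>
 <RecipientTemplate>queued-approved-customemail-recipients</RecipientTemplate>
 <SubjectTemplate>dv-cert-req-create-subject</SubjectTemplate>
 <AttachmentsTemplate>dv-cert-req-create-approved-attachments</AttachmentsTemplate>
</EmailNotificationEvent>
</EmailNotificationEvents>
</Configuration>"""


def routing(event):
    """Classify a handler by its recipient template: the countersigning variants
    above all use a '...countersign...' recipient template; the others route the
    request to the foreign CVCA for processing."""
    recipient = event.findtext("RecipientTemplate") or ""
    return "countersigning" if "countersign" in recipient else "processing"


def audit(xml_text):
    """Return (active, problems).

    active maps each <Id> to the routing of every live handler; ElementTree
    drops XML comments, so a commented-out variant never appears here, exactly
    as the comment-out / uncomment procedure intends. problems lists Ids with
    more than one live handler and handlers missing a required child.
    """
    root = ET.fromstring(xml_text)
    active, problems = {}, []
    for ev in root.findall(".//EmailNotificationEvents/EmailNotificationEvent"):
        ident = (ev.findtext("Id") or "").strip() or "<no Id>"
        missing = [tag for tag in REQUIRED if not (ev.findtext(tag) or "").strip()]
        if missing:
            problems.append("%s: missing %s" % (ident, ", ".join(missing)))
        active.setdefault(ident, []).append(routing(ev))
    for ident, routes in active.items():
        if len(routes) > 1:
            problems.append("%s: %d live handlers (%s); comment out all but one"
                            % (ident, len(routes), ", ".join(routes)))
    return active, problems


if __name__ == "__main__":
    live, issues = audit(SAMPLE)
    for ident, routes in live.items():
        print(ident, "->", ", ".join(routes))
    print("problems:", issues or "none")
```

Run it against your own configuration.global.xml after step 4 and before restarting Administration Services; each of the two foreign-CVCA event IDs should map to exactly one routing and the problem list should be empty.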

Modifying email notification subject and message text for DV Administration
Administration Services allows you to modify both the email subject and message text
for each email notification event.

Attention:
Only personnel with knowledge of XSLT should attempt to modify email
notification text. To compare your changes with the default versions of the XSL
files, see the <AS-install>\templates folder for the default files. Do not modify
any of the files in the templates folder.

To modify email notification subject text for DV Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Go to the following folder:
<AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\ens\xsl
3 In a text editor, open the XSL subject file for the event you want to modify. See
“Email notification files for DV Administration” on page 1457 for a list of event
IDs and email message files.
For example, to edit the subject line for the user-reactivate event, open the
user-reactivate-subject.xsl file.

4 Find the <Subject> element and modify the text between its opening and closing tags.
For example, in the user-reactivate-subject.xsl file, you would modify only the text between the <Subject> tags:
<Subject>Your digital ID has been reactivated.</Subject>
5 Save and close the file.
If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin) for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Repeat this procedure for each event you want to modify.

To modify email notification message text for DV Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Go to the following folder:
<AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\ens\xsl
3 In a text editor, open the XSL message content file for the event you want to
modify. See “Email notification files for DV Administration” on page 1457 for a
list of event IDs and email message files.
For example, to edit the message for the user-reactivate event, open the
user-reactivate-content.xsl file.
4 In the file, modify only the message text in the notification area (the lines between the <xsl:variable> block and the <xsl:call-template name="signature"/> call); leave the XSLT instructions as they are.
For example, in the user-reactivate-content.xsl file, you would modify only the three lines of message text:
<xsl:template match="xap:User">
  <xsl:variable name="userName">
    <xsl:call-template name="attributeFromDN">
      <xsl:with-param name="dn" select="xap:Properties/xap:DN" />
      <xsl:with-param name="attribute" select="'cn'" />
    </xsl:call-template>
  </xsl:variable>
  Dear <xsl:value-of select="$userName" />,

  Your Entrust digital ID has been reactivated.

  Begin using your digital ID again at any time. If you have lost your
  digital ID or forgotten your password, please contact your LRA.

  <xsl:call-template name="signature"/>
</xsl:template>
5 Save and close the file.
If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin) for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Repeat this procedure for each event you want to modify.

Modifying DV Administration email notification to use HTML content templates
By default, Administration Services email notifications use plaintext content templates only; you can additionally specify an HTML content template for an event.
If an HTML template is specified for an event, the notification message carries both a plaintext part and an HTML part. An email client that supports HTML displays the HTML part; one that does not falls back to the plaintext part.

To modify DV Administration email notification to use HTML


1 Log in to the Administration Services server hosting the application server
components.
2 Create an HTML version of the content template for every event ID for which you want both plaintext and HTML message parts. You can give the HTML file any file name you choose, but you must save it in the same folder as the plaintext version of the template.
3 Open the DV Administration instance configuration.global.xml file in a text
editor. You can find the file in the following folder:
<AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\config
4 Locate the <EmailNotificationEvents> element.
5 For every event ID for which you want both plaintext and HTML content templates, add a <ContentHTMLTemplate> element containing the HTML template's file name immediately after the <ContentTemplate> line. For example, the <ContentHTMLTemplate> line is the new text you are adding:
<EmailNotificationEvent>
<ContentTemplate>dv-entity-add-content</ContentTemplate>
<ContentHTMLTemplate>dv-entity-add-content-html</ContentHTMLTemplate>
6 Save and close the file.
7 Restart Administration Services.

Configuring a jurisdiction policy
A CVCA issues DV certificates to Document Verifiers. In turn, Document Verifiers
issue Inspection System certificates anchored by the CVCA to Inspection Systems. By
default, a Document Verifier will issue Inspection System certificates anchored by
each CVCA it trusts to all trusted Inspection Systems.
However, you may want to restrict which certificates are issued to an Inspection
System. For example, you may want to only issue certificates anchored at foreign
CVCAs to Inspection Systems located at immigration offices. Likewise, you may want
to only issue certificates anchored at the domestic CVCA to Inspection Systems
located at police stations.
To restrict which certificates the Document Verifier can issue to an Inspection System,
you must configure a jurisdiction policy. A jurisdiction can be any service, office,
department, or organization that requires an Inspection System to read e-passports.
You can add as many jurisdictions as you require. For example, you may require four
jurisdictions: Border Control, Immigration, Police, and Secret Service.
When you add or modify a CVCA at the Document Verifier, you can assign one or
more jurisdictions to the CVCA. When you add or modify an Inspection System at the
DV, you can assign a single jurisdiction to the Inspection System. The DV will then
issue certificates to the Inspection System that are anchored only by CVCAs that can
administer the jurisdiction assigned to the Inspection System. For example, if an
Inspection System is assigned an Immigration jurisdiction, the DV will issue certificates
anchored only from CVCAs that can administer the Immigration jurisdiction.

Note:
A CVCA with no jurisdictions assigned can administer any jurisdiction. Inspection
Systems that do not have a jurisdiction assigned can only be issued certificates
anchored by CVCAs that have no jurisdictions assigned.
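
The assignment rules above, including the two edge cases stated in the Note, as an added Python model (not Entrust code) that lets you check intended CVCA and Inspection System assignments before entering them in DV Administration. The CVCA and Inspection System names and the jurisdiction sets are constructed for the example; only the four jurisdiction names come from the text.

```python
def cvca_can_administer(cvca_jurisdictions, is_jurisdiction):
    """Return True if the DV may issue this IS a certificate anchored by this CVCA.

    Rules from the text above:
      * a CVCA with no jurisdictions assigned can administer any jurisdiction;
      * an IS with no jurisdiction assigned can only receive certificates
        anchored by CVCAs that have no jurisdictions assigned;
      * otherwise the CVCA's jurisdiction set must contain the IS's jurisdiction.
    """
    if not cvca_jurisdictions:
        return True
    if is_jurisdiction is None:
        return False
    return is_jurisdiction in cvca_jurisdictions


def anchors_for(inspection_systems, cvcas):
    """Map each IS name to the sorted names of the CVCAs that may anchor its certificates."""
    return {
        is_name: sorted(name for name, juris in cvcas.items()
                        if cvca_can_administer(juris, is_juris))
        for is_name, is_juris in inspection_systems.items()
    }


def unservable(inspection_systems, cvcas):
    """Inspection Systems that would receive no certificate at all under the policy."""
    return sorted(name for name, anchors in anchors_for(inspection_systems, cvcas).items()
                  if not anchors)


# Constructed planning data: a domestic CVCA with no restriction and two foreign
# CVCAs limited to the jurisdictions they are willing to serve. Not a deployment.
CVCAS = {
    "domestic": set(),
    "cvca-A": {"Border Control", "Immigration"},
    "cvca-B": {"Immigration"},
}
INSPECTION_SYSTEMS = {
    "airport-gate-01": "Border Control",
    "immigration-office-02": "Immigration",
    "police-station-03": "Police",
    "secret-service-04": "Secret Service",
    "legacy-reader-05": None,   # no jurisdiction assigned
}


if __name__ == "__main__":
    for is_name, anchors in anchors_for(INSPECTION_SYSTEMS, CVCAS).items():
        print("%-24s anchored by: %s" % (is_name, ", ".join(anchors) or "(none)"))
```

With the constructed data, the police and secret-service readers and the reader without a jurisdiction receive only domestically anchored certificates, while the immigration office receives certificates anchored by all three CVCAs; remove the domestic CVCA's empty set and the unassigned reader becomes unservable, which is the effect the Note warns about.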

You define jurisdictions in the Security Manager certificate specifications. For more
information about modifying certificate specifications, see the Security Manager
Administration User Guide.
You can only assign jurisdictions using DV Administration. You cannot assign
jurisdictions using the Security Manager Control Command Shell.

Attention:
You can modify the certificate specifications more than once. Modifying or
removing a jurisdiction that is assigned to a CVCA or Inspection System may have
undesired effects. If you need to modify or remove a jurisdiction from the
certificate specifications, it is strongly recommended that you remove that
jurisdiction from the affected CVCAs and Inspection Systems before modifying the
certificate specifications. You can reassign the jurisdiction after modifying the
certificate specifications.

To configure a jurisdiction policy


1 From the DVCA, export the Security Manager certificate specifications.
You can export the certificate specifications with Security Manager
Administration, or with the fcs export command in the Security Manager Control
Command Shell. See the Security Manager Administration User Guide or the
Security Manager Operations Guide for details.
2 Open the certificate specifications file in a text editor.
3 Under the [eaccvca_default Database Fields] section, add the following line:
allowedjurisdictions=n,o,<eacjurisdictionsvar>
The o indicates that the jurisdiction policy is optional. To make the jurisdiction
policy mandatory, change the o to m:
allowedjurisdictions=n,m,<eacjurisdictionsvar>
4 Under the [eacis_default Database Fields] section, add the following line:
allowedjurisdictions=n,o,<eacjurisdictionvar>
The o indicates that the jurisdiction policy is optional. To make the jurisdiction
policy mandatory, change the o to m:
allowedjurisdictions=n,m,<eacjurisdictionvar>
5 In the Variables for Extended Access Control Database Fields section,
add the following lines to add a list of jurisdictions:
eacjurisdictionsvar=TextStringList,Jurisdictions:,Jurisdictions
_continue_= allowed to read passports from this country.,OneOf,
_continue_=<list_of_jurisdictions>
eacjurisdictionvar=TextString,Jurisdiction:,The jurisdiction to
_continue_= which this Inspection System belongs.,OneOf,
_continue_=<list_of_jurisdictions>
Where <list_of_jurisdictions> is a list of jurisdictions. When entering a list
of jurisdictions:

• Each jurisdiction must be enclosed in quotation marks. For example:
"Police"
• Separate jurisdictions with a comma. For example:
"Police","Immigration"
• Jurisdictions cannot contain spaces. If a jurisdiction contains a space, errors
will occur when you import the certificate specifications into Security
Manager.
For example, if you want to add a Secret Service jurisdiction, you must enter
"SecretService".
• The list of jurisdictions must be identical for eacjurisdictionsvar and
eacjurisdictionvar.
For example, to add Border Control, Immigration, Police, and Secret Service
jurisdictions:
eacjurisdictionsvar=TextStringList,Jurisdictions:,Jurisdictions
_continue_= allowed to read passports from this country.,OneOf,
_continue_="BorderControl","Immigration","Police","SecretService"
eacjurisdictionvar=TextString,Jurisdiction:,The jurisdiction to
_continue_= which this Inspection System belongs.,OneOf,
_continue_="BorderControl","Immigration","Police","SecretService"
6 Save and close the file.
7 Import the certificate specifications back into Security Manager.
You can import the certificate specifications with Security Manager
Administration, or with the fcs import command in the Security Manager Control
Command Shell. See the Security Manager Administration User Guide or the
Security Manager Operations Guide for details.
8 When adding a CVCA (see “Adding Country Verifying Certification Authorities”
on page 1530), select one or more jurisdictions.
You can also assign jurisdictions by modifying the CVCA (see “Modifying
Country Verifying Certification Authorities” on page 1537). You can only assign
jurisdictions using DV Administration. You cannot assign jurisdictions using the
Security Manager Control Command Shell.
9 When adding an Inspection System (see “Adding Inspection Systems” on
page 1594), select a jurisdiction for the Inspection System.
You can only select one jurisdiction for each Inspection System. You can also
modify the jurisdiction of the Inspection System later (see “Modifying Inspection
Systems” on page 1602). You can only assign jurisdictions using DV
Administration. You cannot assign jurisdictions using the Security Manager
Control Command Shell.
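The jurisdiction matching described above (a CVCA with no jurisdictions administers any jurisdiction; an Inspection System with no jurisdiction is served only by such CVCAs) and the list rules of step 5 (every item quoted, no spaces, identical lists in eacjurisdictionsvar and eacjurisdictionvar), as an added Python illustration that is not part of the guide or of DV Administration. The sample specification text, the bracketed form of the Variables section header and the CVCA names are constructed assumptions.

```python
import re
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sample of the three certificate-specification sections that the
# procedure edits; the lines mirror the guide, the file itself is made up.
CONSTRUCTED_SPEC = """\
[eaccvca_default Database Fields]
allowedjurisdictions=n,o,<eacjurisdictionsvar>
[eacis_default Database Fields]
allowedjurisdictions=n,m,<eacjurisdictionvar>
[Variables for Extended Access Control Database Fields]
eacjurisdictionsvar=TextStringList,Jurisdictions:,Jurisdictions
_continue_= allowed to read passports from this country.,OneOf,
_continue_="BorderControl","Immigration","Police","SecretService"
eacjurisdictionvar=TextString,Jurisdiction:,The jurisdiction to
_continue_= which this Inspection System belongs.,OneOf,
_continue_="BorderControl","Immigration","Police","SecretService"
"""

QUOTED_ITEM = re.compile(r'^"([^"]*)"$')


def read_spec(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [section] / key=value lines; a _continue_= line appends to the previous key."""
    sections: Dict[str, Dict[str, str]] = {}
    current = last_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("[") and line.endswith("]"):
            current, last_key = line[1:-1], None
            sections[current] = {}
            continue
        key, _, value = line.partition("=")
        if key == "_continue_":
            sections[current][last_key] += value  # continuation keeps its leading space
        else:
            sections[current][key], last_key = value, key
    return sections


def parse_jurisdiction_list(raw: str) -> List[str]:
    """Apply the guide's rules: every item quoted, comma-separated, no spaces inside."""
    names = []
    for item in raw.split(","):
        match = QUOTED_ITEM.match(item)
        if not match:
            raise ValueError(f"jurisdiction must be enclosed in quotation marks: {item!r}")
        name = match.group(1)
        if not name or " " in name:
            raise ValueError(f"jurisdiction must be non-empty with no spaces: {name!r}")
        names.append(name)
    return names


def jurisdiction_policy(spec_text: str) -> Tuple[bool, bool, List[str]]:
    """Return (cvca_mandatory, is_mandatory, jurisdictions), or raise on an invalid spec."""
    spec = read_spec(spec_text)
    variables = spec["Variables for Extended Access Control Database Fields"]
    mandatory, lists = [], []
    for section in ("eaccvca_default Database Fields", "eacis_default Database Fields"):
        _, flag, var_ref = spec[section]["allowedjurisdictions"].split(",")
        mandatory.append(flag == "m")  # "m" = mandatory policy, "o" = optional
        _, sep, tail = variables[var_ref.strip("<>")].partition(",OneOf,")
        if not sep:
            raise ValueError(f"{var_ref} has no OneOf list of jurisdictions")
        lists.append(parse_jurisdiction_list(tail))
    if lists[0] != lists[1]:
        raise ValueError("eacjurisdictionsvar and eacjurisdictionvar lists must be identical")
    return mandatory[0], mandatory[1], lists[0]


def anchoring_cvcas(is_jurisdiction: Optional[str],
                    cvca_jurisdictions: Dict[str, FrozenSet[str]]) -> List[str]:
    """CVCAs whose certificates may anchor the IS certificates issued to one Inspection
    System: a CVCA with no jurisdictions administers any (including an IS with none);
    otherwise the IS jurisdiction must be one the CVCA administers."""
    return sorted(cvca for cvca, admin in cvca_jurisdictions.items()
                  if not admin or (is_jurisdiction is not None and is_jurisdiction in admin))


# Constructed CVCA-to-jurisdiction assignments (the CVCA names are not from the guide).
CVCAS = {
    "CVCA-Domestic": frozenset({"Police", "BorderControl"}),
    "CVCA-Foreign-A": frozenset({"Immigration", "BorderControl"}),
    "CVCA-Unrestricted": frozenset(),
}

if __name__ == "__main__":
    cvca_mandatory, is_mandatory, jurisdictions = jurisdiction_policy(CONSTRUCTED_SPEC)
    print("mandatory for CVCA / IS:", cvca_mandatory, is_mandatory, "list:", jurisdictions)
    for js in ("Immigration", "Police", None):
        print(f"IS jurisdiction {js!r} -> anchored by {anchoring_cvcas(js, CVCAS)}")
```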


52

Configuring the DV Certificate Key Management Service

The DV Certificate Key Management Service (DVCKM) is a service designed to
automatically request DV certificates from one or more CVCAs through the domestic
SPOC without intervention from an administrator.
This chapter describes how to configure various components and features of the
DVCKM service. For more information about configuring Administration Services, see
the Administration Services Configuration Guide.
This chapter includes the following sections:
• “Configuring DVCKM logs” on page 1476
• “Configuring email notification for DVCKM” on page 1478
• “Configuring the XAP connection settings for DVCKM” on page 1487
• “Configuring the XAP message signing algorithm for DVCKM” on page 1489
• “Configuring the DVCKM protocol settings” on page 1490
• “Configuring communications between the DVCKM and SPOC Domestic Web Service” on page 1492

Configuring DVCKM logs
Administration Services allows you to customize the log file settings for the DVCKM.
You can configure the following log settings:
• the log file name and location
• the level of messages recorded in the file
• the maximum size the log file can reach before a new log file is created
• the number of old log files to retain

To configure the DVCKM logs


1 Log in to the Administration Services server hosting the application server
components.
2 Open the dvckm-config.xml file in an XML editor. You can find the file in the
following folder:
<AS-install>\services\dvckm\dvckm\webapp\WEB-INF\config
3 In the <Logging> section, configure the values for the parameters described in
Table 77.

Table 77: DVCKM log settings

<Level>
  Sets the level of detail for the logs. The logging level can be one of (in
  increasing severity) TRACE, DEBUG, INFO, WARNING, ERROR, ALERT, or FATAL. This
  sets the lowest level of message to show. For example, ERROR provides messages
  of ERROR, ALERT and FATAL status.
  Default: INFO

<Filename>
  Sets the name (including path) of the log file.
  Default: <AS-install>\services\dvckm\dvckm\logs\dvckm_dvckm.log

<Filesize>
  Sets the maximum size of a log file, in bytes. Do not set the value to 0, or
  Apache Tomcat will fail to start.
  Default: 1000000

<Backups>
  Sets the maximum number of log files to keep. After the last log file reaches
  the maximum size, the first log file is overwritten.
  Default: 10

4 Save and close the file.

5 Restart Administration Services.

Configuring email notification for DVCKM
When you installed DVCKM, you had the option to enable email notification for
DVCKM. If you did not enable email notification during the installation, or you want
to configure how email notification works, complete the steps in this section.
For more information about email notification, see the Administration Services
Installation Guide.
• “Configuring SMTP server settings for DVCKM” on page 1478
• “Email notification files for DVCKM” on page 1479
• “Enabling and disabling email notification for DVCKM” on page 1481
• “Modifying email notification subject and message text for DVCKM” on page 1484
• “Modifying DVCKM email notification to use HTML content templates” on page 1486

Configuring SMTP server settings for DVCKM


The SMTP server settings control how Administration Services communicates with
your SMTP server. These settings were already configured if you enabled email
notification when you installed Administration Services.

To configure SMTP server settings for DVCKM


1 Log in to the Administration Services server hosting the application server
components.
2 Open the configuration.global.xml file for DVCKM. You can find the file in
the following folder:
<AS-install>\services\dvckm\dvckm\webapp\WEB-INF\config
3 Locate the <SMTP> element.
4 In the <SMTP> element, configure the following child elements:
a In the <Charset> element, enter the character set used to forward
notification emails to the SMTP server. For example:
<Charset>UTF-8</Charset>
b In the <Host> element, enter the fully qualified host name of the SMTP
server. For example:
<Host>SMTPserver.company.com</Host>
c In the <Port> element, enter the port (between 0 and 65535) used to
connect to the SMTP host. For example:
<Port>25</Port>

5 If your SMTP server requires authentication, do the following:
a Enter true in the <Authentication> element. For example:
<Authentication>true</Authentication>
b Enter the SMTP server user ID in the <User> element. For example:
<User>SMTPuser</User>
c Enter the password for the SMTP server user ID in the <Password> element.
6 Save and close the file.

To configure the email addresses for DVCKM


1 Log in to the Administration Services server hosting the application server
components.
2 Navigate to the following folder:
<AS-install>\services\dvckm\dvckm\webapp\WEB-INF\ens\xsl\<locale>
3 Open the common-config.xsl file.
4 To configure the email address that appears in the email message’s From field,
configure the following setting:
<xsl:variable name="lang.from.email">email.address@company.com</xsl:variable>
5 To configure the email address that Administration Services sends email messages
to, configure the following setting:
<xsl:variable name="lang.admin.email">email.address@company.com</xsl:variable>
Administration Services sends messages to this address only if the event is not
meant for a particular object. For example, if an administrator creates a user
account, Administration Services sends the message to the user's email address.
If an administrator performs another action that requires another administrator's
approval, Administration Services sends the message to this email address.
6 Save and close the file.

Email notification files for DVCKM


You can configure Administration Services to notify administrators or users by email
if a specific event occurs. Table 78 on page 1480 lists all the email notification events
in the configuration.global.xml file for DVCKM. For information about enabling
and disabling email notification, see “Enabling and disabling email notification for
DVCKM” on page 1481.

Table 78: DVCKM account tasks, event IDs, and email message files

Each entry lists the account task (interface label), the event ID in
configuration.global.xml, the email message files, and whether the event is
enabled by default.

CVCA Link Certificate Import
  Event ID: cvca_cert_import_link
  Files: cvca_cert_import_link-content.xsl, cvca_cert_import_link-subject.xsl
  Enabled by default: Yes

CVCA Link Certificate Import Failure
  Event ID: cvca_cert_import_link_error
  Files: cvca_cert_import_link_error-content.xsl, cvca_cert_import_link_error-subject.xsl
  Enabled by default: Yes

DV Certificate Request Creation
  Event ID: cert_req_create
  Files: cert_req_create-content.xsl, cert_req_create-subject.xsl
  Enabled by default: Yes

DV Certificate Request Creation Failure
  Event ID: cert_req_create_error
  Files: cert_req_create_error-content.xsl, cert_req_create_error-subject.xsl
  Enabled by default: Yes

DV Certificate Import
  Event ID: dv_cert_import
  Files: dv_cert_import-content.xsl, dv_cert_import-subject.xsl
  Enabled by default: Yes

DV Certificate Import Failure
  Event ID: dv_cert_import_error
  Files: dv_cert_import_error-content.xsl, dv_cert_import_error-subject.xsl
  Enabled by default: Yes

DV Certificate Expired
  Event ID: cert_expired
  Files: cert_expired-content.xsl, cert_expired-subject.xsl
  Enabled by default: Yes

SPOC Connection Error
  Event ID: spoc_connection_error
  Files: spoc_connection_error-content.xsl, spoc_connection_error-subject.xsl
  Enabled by default: Yes

SPOC Connection Denied
  Event ID: spoc_denied
  Files: spoc_denied-content.xsl, spoc_denied-subject.xsl
  Enabled by default: Yes

SPOC GetCACertificates Web Service Error
  Event ID: spoc_get_certs_error
  Files: spoc_get_certs_error-content.xsl, spoc_get_certs_error-subject.xsl
  Enabled by default: Yes

SPOC RequestCertificates Web Service Error
  Event ID: spoc_request_cert_error
  Files: spoc_request_cert_error-content.xsl, spoc_request_cert_error-subject.xsl
  Enabled by default: Yes

Enabling and disabling email notification for DVCKM


You can configure Administration Services to notify administrators or users by email
if a specific event occurs. “Email notification files for DVCKM” on page 1479 lists all
the email notification events in the configuration.global.xml file for DVCKM.
Use the following procedures to enable and disable email notification for DVCKM:
• “To enable or disable email notification for DVCKM” on page 1481
• “To enable or disable email notification for specific events in DVCKM” on
page 1482
• “To configure email notification event settings for DVCKM” on page 1483

To enable or disable email notification for DVCKM


1 Log in to the Administration Services server hosting the application server
components.
2 Open the dvws-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\dvckm\dvckm\webapp\WEB-INF\config
3 Locate the <Notifications> section:
<Notifications>
  <Enabled>true</Enabled>
  <Configuration>C:/Program Files/Entrust/AdminServices/services/dvckm/dvckm/webapp/WEB-INF/config/configuration.global.xml</Configuration>
</Notifications>
4 To enable email notification, set <Enabled> to true. To disable email notification,
set <Enabled> to false.

5 Save and close the file.
6 Open the configuration.global.xml file for DVCKM. You can find the file in
the following folder:
<AS-install>\services\dvckm\dvckm\webapp\WEB-INF\config
7 Locate the <Notification> element and configure the first <Enabled> element
as follows:
• To enable email notification, set the <Enabled> element to true.
<Enabled>true</Enabled>
• To disable email notification, set the <Enabled> element to false.
<Enabled>false</Enabled>
8 If required, enable or disable email notification for specific events. See “To enable
or disable email notification for specific events in DVCKM” on page 1482 for
details.
9 Save and close the file.
10 Restart Administration Services.

To enable or disable email notification for specific events in DVCKM


1 Log in to the Administration Services server hosting the application server
components.
2 Open the configuration.global.xml file for DVCKM. You can find the file in
the following folder:
<AS-install>\services\dvckm\dvckm\webapp\WEB-INF\config
3 Locate the <Notification> element.
4 In the <Notification> element, each <Event> child element refers to a specific
event. See “Email notification files for DVCKM” on page 1479 for a list of event
IDs.
For each event, you can configure email notification as follows:
• To enable email notification for the event, set <Enabled> to true.
<Enabled>true</Enabled>
• To disable email notification for the event, set <Enabled> to false.
<Enabled>false</Enabled>
5 If required, configure the email notification event settings. See “To configure
email notification event settings for DVCKM” on page 1483 for details.
6 Save and close the file.
If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin), for
languages such as French or Japanese, save the file with UTF-8 encoding.
7 Restart Administration Services.

To configure email notification event settings for DVCKM
1 Log in to the Administration Services server hosting the application server
components.
2 Open the configuration.global.xml file for DVCKM. You can find the file in
the following folder:
<AS-install>\services\dvckm\dvckm\webapp\WEB-INF\config
3 Locate the <EmailNotificationEvents> element.
4 In the <EmailNotificationEvents> element, each <EmailNotificationEvent>
child element refers to a specific email notification event. For each event, you can
configure the settings described in the following table.

Table 79: Email notification event settings

<ContentTemplate>
  Specifies the name of the XSLT file that is applied to the notification event
  to produce the text of the message. See “Modifying email notification subject
  and message text for DVCKM” on page 1484 for details about editing this file.
  Note: This is a system setting and should not be modified.

<FromTemplate>
  Specifies the name of the XSLT file that is applied to the notification event
  to produce the names and email addresses for the RFC 822 From: and Reply-To:
  headers.
  Note: This is a system setting and should not be modified.

<Id>
  Used to declare a unique identifier. This value must match an identifier of a
  notification event that is sent by the XAPNotificationHandler. It is the
  identifier that is used to determine which email notification event should
  handle the notification event.
  Note: This is a system setting and should not be modified.

<RecipientTemplate>
  Specifies the name of the XSLT file that is applied to the notification event
  to produce the names and email addresses of the recipients. The result of the
  transformation is a <Recipients> element.

<SubjectTemplate>
  Specifies the name of the XSLT file that is applied to the notification event
  to produce the text of the RFC 822 Subject: header. The result of the
  transformation is a <Subject> element. See “Modifying email notification
  subject and message text for DVCKM” on page 1484 for details about editing
  this file.

<AttachmentsTemplate>
  Specifies the name of the XSLT file that is applied to the notification event
  to produce the files sent in the email messages as attachments. The result of
  the transformation is an <Attachments> element.

5 Save and close the file.
If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin), for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Restart Administration Services.

Modifying email notification subject and message text for DVCKM

Administration Services allows you to modify both the email subject and message text
for each email notification event.

Attention:
Only personnel with knowledge of XSLT should attempt to modify email
notification text. To compare your changes with the default versions of the XSL
files, see the <AS-install>\templates folder for the default files. Do not modify
any of the files in the templates folder.

To modify email notification subject text for DVCKM


1 Log in to the Administration Services server hosting the application server
components.
2 Go to the following folder:
<AS-install>\services\dvckm\dvckm\webapp\WEB-INF\ens\xsl
3 In a text editor, open the XSL subject file for the event you want to modify. See
“Email notification files for DVCKM” on page 1479 for a list of event IDs and
email message files.
For example, to edit the subject line for the user-reactivate event, open the
user-reactivate-subject.xsl file.
4 Find the <Subject> element and modify the subject text.
For example, in the user-reactivate-subject.xsl file, you would modify the
subject text inside the <Subject> element:
<Subject>Your digital ID has been reactivated.</Subject>
5 Save and close the file.
If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin) for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Repeat this procedure for each event you want to modify.

To modify email notification message text


1 Log in to the Administration Services server hosting the application server
components.
2 Go to the following folder:
<AS-install>\services\dvckm\dvckm\webapp\WEB-INF\ens\xsl
3 In a text editor, open the XSL message content file for the event you want to
modify. See “Email notification files for DVCKM” on page 1479 for a list of event
IDs and email message files.
For example, to edit the message for the user-reactivate event, open the
user-reactivate-content.xsl file.
4 In the file, modify the text in the notification area only.
For example, in the user-reactivate-content.xsl file, you would modify only the
message text between the XSLT elements:
<xsl:template match="xap:User">
  <xsl:variable name="userName">
    <xsl:call-template name="attributeFromDN">
      <xsl:with-param name="dn" select="xap:Properties/xap:DN" />
      <xsl:with-param name="attribute" select="'cn'" />
    </xsl:call-template>
  </xsl:variable>
Dear <xsl:value-of select="$userName" />,

Your Entrust digital ID has been reactivated.

Begin using your digital ID again at any time. If you have lost your
digital ID or forgotten your password, please contact your LRA.

  <xsl:call-template name="signature"/>
</xsl:template>
5 Save and close the file.

If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin) for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Repeat this procedure for each event you want to modify.

Modifying DVCKM email notification to use HTML content templates

By default, Administration Services email notifications are formatted to use plaintext
content templates, but you have the option to format the email notifications to also
use HTML content templates.
If an HTML template is specified for an event, both plaintext and HTML message
parts will be added to the email notification message. If the recipient’s email client
supports HTML, it will use the HTML message; if the email recipient’s email client
does not support HTML, the plaintext message will be used.

To modify email notification to use HTML


1 Log in to the Administration Services server hosting the application server
components.
2 Create an HTML file for every event ID you want to use both plaintext and HTML
content templates. You can give the HTML file any filename you choose, but you
must save it in the same file location as the plaintext version of the template.
3 Open the configuration.global.xml file for DVCKM. You can find the file in
the following folder:
<AS-install>\services\dvckm\dvckm\webapp\WEB-INF\config
4 Locate the <EmailNotificationEvents> element.
5 For every event ID you wish to use both plaintext and HTML content templates,
add <ContentHTMLTemplate>, the HTML template file name, and
</ContentHTMLTemplate> after the <ContentTemplate> line. For example (the
<ContentHTMLTemplate> line is the new text you are adding):
<EmailNotificationEvent>
  <ContentTemplate>dv-entity-add-content</ContentTemplate>
  <ContentHTMLTemplate>dv-entity-add-content-html</ContentHTMLTemplate>
6 Save and close the file.
7 Restart Administration Services.

Configuring the XAP connection settings for DVCKM
Communication between DVCKM and Security Manager is through the XML
Administration Protocol (XAP) server, running as part of Security Manager.
Communication between these components is secured over HTTPS.
You can configure various XAP connection settings for DVCKM. Configuring these
settings can help you troubleshoot or resolve connection issues between DVCKM and
Security Manager.

To configure the XAP connection settings for the DVCKM


1 Log in to the Administration Services server hosting the application server
components.
2 Open the dvckm-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\dvckm\dvckm\webapp\WEB-INF\config
3 Locate the <XAPConnection> section:
<XAPConnection>
  <Server>https://domain.example.com:443</Server>
  <Connections>2</Connections>
  <IdleTimeout>30</IdleTimeout>
  <Debug>false</Debug>
  <MaxConnections>50</MaxConnections>
  <CacheTemplates>true</CacheTemplates>
  <DefaultLanguage>en-us</DefaultLanguage>
  <!-- Digest algorithm used to sign XAP messages, supported values "sha1" and "sha256" -->
  <SigningDigestAlgorithm>sha1</SigningDigestAlgorithm>
</XAPConnection>
4 Configure the settings as described in Table 80.

Table 80: XAP connection settings for the DVCKM

<Server>
  An instance setting that sets the Uniform Resource Locator (URL) address for
  the XAP Server. The DVCKM sends requests to this URL.
  Note: This setting is defined during installation and should not be changed.

<Connections>
  The initial number of connections that the DVCKM opens with the XAP server
  when Administration Services starts. The number of connections to the XAP
  server increases automatically up to the maximum when the number of users
  concurrently using Administration Services increases.
  Default value: 2

<IdleTimeout>
  Specifies the length of time (in minutes) that the DVCKM allows a connection
  with the XAP server to remain idle before closing it and creating a new
  connection.
  Default value: 30

<Debug>
  Controls whether the DVCKM writes SSL connection diagnostic information to the
  stdout.log file of the Tomcat application server. If true, the DVCKM writes
  SSL connection diagnostic information to the stdout.log file.
  Default value: false

<MaxConnections>
  The maximum number of connections the DVCKM opens with the XAP Server. After
  reaching the maximum, connections are automatically closed after use. Since
  new messages cannot be sent to the XAP server until a connection is available,
  repeatedly reaching this maximum may slow system performance.
  Default value: 50

<SigningDigestAlgorithm>
  The algorithm Administration Services uses when signing XAP messages for the
  DVCKM. See “Configuring the XAP message signing algorithm for DVCKM” on
  page 1489 for details.

5 Save and close the file.
6 Restart Administration Services.

Configuring the XAP message signing algorithm for DVCKM
You can configure the algorithm Administration Services uses when signing XAP
messages for the DVCKM. Administration Services supports only the SHA-1 and
SHA-256 algorithms when signing XAP messages for the DVCKM.
For the DVCKM, Administration Services signs the XAP message using the service
profile. If any profiles have DSA or ECDSA key pairs, set the XAP message signing
algorithm to SHA-1. If the profile is stored on a token or the Microsoft Cryptographic
API (the Microsoft security framework), the XAP message signing algorithm is
automatically SHA-1 and you cannot change the algorithm.

To configure the XAP message signature algorithm


1 Log in to the Administration Services server hosting the application server
components.
2 Open the dvckm-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\dvckm\dvckm\webapp\WEB-INF\config
3 Locate the following setting:
<SigningDigestAlgorithm>sha1</SigningDigestAlgorithm>
4 Configure the value to sha1 or sha256.
5 Restart Administration Services.

Configuring the DVCKM protocol settings
The DVCKM is a service designed to automatically request DV certificates from one
or more CVCAs through the domestic SPOC.
The DVCKM protocol settings control

To configure the DVCKM protocol settings


1 Log in to the Administration Services server hosting the application server
components.
2 Open the dvckm-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\dvckm\dvckm\webapp\WEB-INF\config
3 In the <Ckmp> section, configure the values for the parameters described in
Table 81.

Table 81: DVCKM protocol settings

<CKMPeriod>
  Specifies how often (in hours) the DVCKM checks for DV certificates that are
  nearing expiry.
  Note: It is strongly recommended that you enter a value of 24 hours or
  greater. The dates in DV certificates (the effective date and the expiration
  date) do not contain a time value. DV certificates expire at the end of the
  day on the expiration date. If you enter a value less than 24 hours, the DVCKM
  will attempt to renew an expiring DV certificate multiple times before it
  expires, which can result in multiple unnecessary DV certificates.
  Default: 24

<AutomaticRenewalPercentage>
  Specifies the percentage of a DV certificate lifetime before the DVCKM
  attempts to renew a DV certificate. For example, if set to 80, the DVCKM will
  attempt to renew a DV certificate when it reaches 80% of its lifetime.
  Default: 80

<SPOCWSAttempts>
  Specifies how many times the DVCKM will attempt to establish a connection with
  the domestic SPOC before notifying a DV Administrator that the connection
  failed. The number of attempts will be spread out across the <CKMPeriod>
  value. For example, if <CKMPeriod> is 24 hours, the DVCKM will spread out its
  connection attempts over a 24 hour period.
  Default: 10

<TransactionIdLifetime>
  The DVCKM maintains a repository of state information for transaction IDs
  used to request DV certificates. Only one transaction ID can exist for each
  CVCA. The DVCKM deletes transaction IDs when it creates a new certificate
  request for a CVCA or after a specified number of days. This setting specifies
  how long (in days) the DVCKM will keep a transaction ID after a certificate
  request has been completed.
  Default: 7

<DefaultKeyStoreLocation>
  Specifies the default key store location for DV certificate requests.
  Default: slot 0

4 Save and close the file.


5 Restart Administration Services.
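The timing model behind Table 81 (date-only validity that ends at the end of the expiration day, the <AutomaticRenewalPercentage> threshold, <SPOCWSAttempts> spread across <CKMPeriod>, and why a <CKMPeriod> under 24 hours produces repeated renewal requests), as an added Python illustration that is not code from the guide or the DVCKM. The sample certificate dates, the 12-hour SPOC turnaround, the rule that each check past the threshold creates a fresh request, and the even spacing of SPOC attempts are assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class DvCertificate:
    """DV certificate validity as the guide describes it: dates only, no time part."""
    cvca: str
    effective: date
    expiration: date

    def not_before(self) -> datetime:
        return datetime.combine(self.effective, datetime.min.time())

    def expires_at(self) -> datetime:
        # The certificate expires at the END of the day on its expiration date.
        return datetime.combine(self.expiration, datetime.min.time()) + timedelta(days=1)


def renewal_threshold(cert: DvCertificate, renewal_percentage: int) -> datetime:
    """Instant at which the certificate reaches <AutomaticRenewalPercentage> of its lifetime."""
    lifetime = cert.expires_at() - cert.not_before()
    return cert.not_before() + lifetime * renewal_percentage / 100  # exact timedelta math


def renewal_due(cert: DvCertificate, renewal_percentage: int, now: datetime) -> bool:
    return renewal_threshold(cert, renewal_percentage) <= now < cert.expires_at()


def simulate_renewal_requests(cert: DvCertificate, renewal_percentage: int,
                              ckm_period_hours: int, spoc_turnaround_hours: int,
                              first_check: datetime) -> List[datetime]:
    """Return the instants at which the periodic DVCKM check creates a renewal request.

    Model (an assumption, not the DVCKM's code): every check that still finds the old
    certificate past its threshold creates a request (the guide notes a new request
    replaces the CVCA's previous transaction ID); the renewed certificate is imported
    spoc_turnaround_hours after the first request, after which the old one is no longer
    checked.
    """
    requests: List[datetime] = []
    first_request: Optional[datetime] = None
    now = first_check
    while now < cert.expires_at():
        if first_request is not None and \
                now >= first_request + timedelta(hours=spoc_turnaround_hours):
            break  # renewed certificate imported
        if renewal_due(cert, renewal_percentage, now):
            requests.append(now)
            if first_request is None:
                first_request = now
        now += timedelta(hours=ckm_period_hours)
    return requests


def spoc_attempt_offsets(ckm_period_hours: int, attempts: int) -> List[timedelta]:
    """Offsets within one <CKMPeriod> at which the DVCKM retries the domestic SPOC.
    Assumption: evenly spaced; the guide only says the attempts are spread across the period."""
    if attempts < 1:
        raise ValueError("SPOCWSAttempts must be at least 1")
    spacing = timedelta(hours=ckm_period_hours) / attempts
    return [spacing * i for i in range(attempts)]


if __name__ == "__main__":
    # Constructed sample: a one-year DV certificate valid for calendar year 2019.
    cert = DvCertificate("CVCA-Domestic", date(2019, 1, 1), date(2019, 12, 31))
    print("renewal threshold at 80%:", renewal_threshold(cert, 80))
    start = datetime(2019, 1, 1)
    for period in (24, 6):
        n = len(simulate_renewal_requests(cert, 80, period, 12, start))
        print(f"CKMPeriod={period}h -> {n} renewal request(s) for one certificate")
    hours = [o / timedelta(hours=1) for o in spoc_attempt_offsets(24, 10)]
    print("SPOC attempt offsets (hours):", hours)
```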

Configuring communications between the DVCKM and SPOC Domestic Web Service
The DV Certificate Key Management Service (DVCKM) communicates with the
SPOC Domestic Web Service so that the DV and a CVCA can exchange certificates
automatically through a Single Point of Contact (SPOC). The SPOC Domestic Web
Service is installed as a SPOC service (see “Deploying the SPOC services” on
page 1161). Configuring the DVCKM to communicate with the SPOC Domestic Web
Service requires the following steps:
1 Install the DVCKM.
You can install the DVCKM when you first install Administration Services or after
as an additional instance (see “Installing the DVCKM” on page 1388).
The Administration Services installer will prompt you for the SPOC entrust.ini
file, the SPOC Domestic Web Service URL and a SPOC DVKM Client profile. You
must obtain this information from a SPOC administrator (see “Obtaining files
from the domestic SPOC for the DVCKM” on page 1387).
2 To allow the Document Verifier to use the DVCKM to exchange certificates with
all CVCAs, modify the CVCA policy (see “Configuring the CVCA policy” on
page 1529).
By default, the CVCA policy prevents the Document Verifier from using the
DVCKM to exchange certificates with all CVCAs. You can override the policy
setting for each CVCA when you first add the CVCA, or by modifying the CVCA
later.
3 Add the CVCA to the Document Verifier (see “Adding Country Verifying
Certification Authorities” on page 1530).
If you did not modify the CVCA policy in the previous step, you must configure
the CVCA to allow the Document Verifier to use the DVCKM to exchange
certificates with the CVCA. If you do not configure the CVCA when you first add
it to the Document Verifier, you can modify the CVCA later (see “Modifying
Country Verifying Certification Authorities” on page 1537).

53 Configuring the DV Web Service

The DV Web Service is required to communicate with an IS Concentrator or IS Client.
In a Basic Access Control (BAC) system, the DV Web Service can provide CSCA
certificates, master lists, CRLs, and Document Signer certificates to Inspection
Systems.
In an Extended Access Control (EAC) system, the DV Web Service is a Web service
designed to automatically process Inspection System certificate requests without
intervention from an administrator.
This chapter describes how to configure various components and features of DV Web
Service. For more information about configuring Administration Services, see the
Administration Services Configuration Guide.
This chapter includes the following sections:
• “Configuring DV Web Service logs” on page 1494
• “Configuring email notification for the DV Web Service” on page 1495
• “Configuring the XAP connection settings for the DV Web Service” on
page 1504
• “Configuring the XAP message signing algorithm for the DV Web Service”
on page 1506
• “Configuring CSCA materials distribution” on page 1507
• “Providing the latest domestic CSCA root certificate to the DV Web Service”
on page 1513
• “Providing CSCA materials to the DV Web Service” on page 1514

Configuring DV Web Service logs
Administration Services allows you to customize the log file settings for the DV Web
Service. You can configure the following log settings:
• the log file name and location
• the level of messages recorded in the file
• the maximum size the log file can reach before a new log file is created
• the number of old log files to retain

To configure the DV Web Service logs


1 Log in to the Administration Services server hosting the application server
components.
2 Open the dvws-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\dvws\dvws\webapp\WEB-INF\config
3 In the <Logging> section, configure the settings described in Table 82.

Table 82: DV Web Service log settings

Setting Description
<Level> Sets the level of detail for the logs.
The logging level can be one of (in increasing severity) TRACE, DEBUG,
INFO, WARNING, ERROR, ALERT, or FATAL. This sets the lowest level of
message to show. For example, ERROR provides messages of ERROR,
ALERT and FATAL status.
Default: INFO
<FileName> Sets the name (including path) of the log file.
Default: <AS-install>\services\dvws\dvws\logs\dvws_dvws.log
<FileSize> Sets the maximum size of a log file, in bytes.
Default: 1000000
Do not set the value to 0, or Apache Tomcat will fail to start.
<Backups> Sets the maximum number of log files to keep. After the last log file
reaches the maximum size, the first log file is overwritten.
Default: 10

4 Save and close the file.


5 Restart Administration Services.

Configuring email notification for the DV Web
Service
When you installed the DV Web Service, you had the option to enable email
notification for the DV Web Service. If you did not enable email notification during
the installation, or you want to configure how email notification works, complete the
steps in this section.
For more information about email notification, see the Administration Services
Installation Guide.
• “Configuring SMTP server settings for the DV Web Service” on page 1495
• “Email notification files for the DV Web Service” on page 1496
• “Enabling and disabling email notification for the DV Web Service” on
page 1497
• “Modifying email notification subject and message text for the DV Web
Service” on page 1500
• “Modifying DV Web Service email notification to use HTML content
templates” on page 1502

Configuring SMTP server settings for the DV Web Service


The SMTP server settings control how the DV Web Service communicates with your
SMTP server. If you enabled email notification when you installed the DV Web
Service, the installer already configured these settings.

To configure SMTP server settings for the DV Web Service


1 Log in to the Administration Services server hosting the application server
components.
2 Open the configuration.global.xml file for the DV Web Service. You can find
the file in the following folder:
<AS-install>\services\dvws\dvws\webapp\WEB-INF\config
3 Locate the <SMTP> element.
4 In the <SMTP> element, configure the following child elements:
a In the <Charset> element, enter the character set used to forward
notification emails to the SMTP server. For example:
<Charset>UTF-8</Charset>
b In the <Host> element, enter the fully qualified host name of the SMTP
server. For example:
<Host>SMTPserver.company.com</Host>

c In the <Port> element, enter the port (between 0 and 65535) used to
connect to the SMTP host. For example:
<Port>25</Port>
5 If your SMTP server requires authentication, do the following:
a Enter true in the <Authentication> element. For example:
<Authentication>true</Authentication>
b Enter the SMTP server user ID in the <User> element. For example:
<User>SMTPuser</User>
c Enter the password for the SMTP server user ID in the <Password> element.
6 Save and close the file.

To configure the email addresses for the DV Web Service


1 Log in to the Administration Services server hosting the application server
components.
2 Navigate to the following folder:
<AS-install>\services\dvws\dvws\webapp\WEB-INF\ens\xsl\
<locale>
3 Open the common-config.xsl file.
4 To configure the email address that appears in the email message’s From field,
configure the following setting (the attribute value must use straight double
quotes):
<xsl:variable name="lang.from.email">email.address@company.com</xsl:variable>
5 To configure the email address that Administration Services sends email messages
to, configure the following setting:
<xsl:variable name="lang.admin.email">email.address@company.com</xsl:variable>
Administration Services sends messages to this address only if the event is not
meant for a particular object. For example, if an administrator creates a user
account, Administration Services sends the message to the user's email address.
If an administrator performs another action that requires another administrator's
approval, Administration Services sends the message to this email address.
6 Save and close the file.

Email notification files for the DV Web Service


You can configure Administration Services to notify administrators or users by email
if a specific event occurs.
Table 83 on page 1497 lists all the email notification events in the
configuration.global.xml file for the DV Web Service. For information about
enabling and disabling email notification, see “Enabling and disabling email
notification for the DV Web Service” on page 1497.

Table 83: DV Web Service account tasks, event IDs, and email message files

Account tasks/Interface Label | Event ID in configuration.global.xml | Email message files | Enabled by default
ProcessISCertRequest - Certificate Issued | proc_iscertreq-success | proc_iscertreq-success-content, proc_iscertreq-success-subject | Yes
ProcessISCertRequest - Rejected: IS is disabled or CVCA stream disabled | proc_iscertreq-is_disabled | proc_iscertreq-is_disabled-content, proc_iscertreq-rejected-subject | Yes
ProcessISCertRequest - Rejected: Invalid DER-TLV or invalid signature(s) | proc_iscertreq-invalid_req | proc_iscertreq-invalid_req-content, proc_iscertreq-invalid_req-subject | Yes
ProcessISCertRequest - Rejected: Expired signing key | proc_iscertreq-expired_signing_key | proc_iscertreq-expired_signing_key-content, proc_iscertreq-rejected-subject | Yes

Enabling and disabling email notification for the DV Web Service


You can configure Administration Services to notify administrators or users by email
if a specific event occurs. “Email notification files for the DV Web Service” on
page 1496 lists all the email notification events in the configuration.global.xml
file for the DV Web Service.
Use the following procedures to enable and disable email notification for the DV Web
Service:
• “To enable or disable email notification for the DV Web Service” on
page 1498
• “To enable or disable email notification for specific events for the DV Web
Service” on page 1498
• “To configure email notification event settings for the DV Web Service” on
page 1499

To enable or disable email notification for the DV Web Service
1 Log in to the Administration Services server hosting the application server
components.
2 Open the dvws-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\dvws\dvws\webapp\WEB-INF\config
3 Locate the <Notifications> section:
<Notifications>
<Enabled>true</Enabled>
<Configuration>C:/Program Files/Entrust/AdminServices/services/dvws/dvws/webapp/WEB-INF/config/configuration.global.xml</Configuration>
</Notifications>
4 To enable email notification, set <Enabled> to true. To disable email notification,
set <Enabled> to false.
5 Save and close the file.
6 Open the configuration.global.xml file for the DV Web Service. You can find
the file in the following folder:
<AS-install>\services\dvws\dvws\webapp\WEB-INF\config
7 Locate the <Notification> element and configure the first <Enabled> element
as follows:
• To enable email notification, set the <Enabled> element to true.
<Enabled>true</Enabled>
• To disable email notification, set the <Enabled> element to false.
<Enabled>false</Enabled>
8 If required, enable or disable email notification for specific events. See “To enable
or disable email notification for specific events for the DV Web Service” on
page 1498 for details.
9 Save and close the file.
10 Restart Administration Services.

To enable or disable email notification for specific events for the DV Web
Service
1 Log in to the Administration Services server hosting the application server
components.
2 Open the configuration.global.xml file for the DV Web Service. You can find
the file in the following folder:
<AS-install>\services\dvws\dvws\webapp\WEB-INF\config
3 Locate the <Notification> element.
4 In the <Notification> element, each <Event> child element refers to a specific
event. See “Email notification files for the DV Web Service” on page 1496 for a
list of event IDs.
For each event, you can configure email notification as follows:
• To enable email notification for the event, set <Enabled> to true.
<Enabled>true</Enabled>
• To disable email notification for the event, set <Enabled> to false.
<Enabled>false</Enabled>
5 If required, configure the email notification event settings. See “To configure
email notification event settings for the DV Web Service” on page 1499 for
details.
6 Save and close the file.
If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin), for
languages such as French or Japanese, save the file with UTF-8 encoding.
7 Restart Administration Services.

To configure email notification event settings for the DV Web Service


1 Log in to the Administration Services server hosting the application server
components.
2 Open the configuration.global.xml file for the DV Web Service. You can find
the file in the following folder:
<AS-install>\services\dvws\dvws\webapp\WEB-INF\config
3 Locate the <EmailNotificationEvents> element.
4 In the <EmailNotificationEvents> element, each <EmailNotificationEvent>
child element refers to a specific email notification event. For each event, you can
configure the settings described in the following table.

Table 84: Email notification event settings

Setting Description
<ContentTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the text of the message. See
“Modifying email notification subject and message text for the
DV Web Service” on page 1500 for details about editing this file.
Note: This is a system setting and should not be modified.

<FromTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the names and email addresses for
the RFC 822 From: and Reply-To: headers.
Note: This is a system setting and should not be modified.
<Id> Used to declare a unique identifier. This value must match an
identifier of a notification event that is sent by the
XAPNotificationHandler. It is the identifier that is used to
determine which email notification event should handle the
notification event.
Note: This is a system setting and should not be modified.
<RecipientTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the names and email addresses of
the recipients. The results of the transformation are a
<Recipients> element.
<SubjectTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the text of the RFC 822 Subject:
header. The result of the transformation is a <Subject> element.
See “Modifying email notification subject and message text for
the DV Web Service” on page 1500 for details about editing this
file.
<AttachmentsTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the files sent in the email messages
as attachments. The results of the transformation are an
<Attachments> element.

5 Save and close the file.


If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin), for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Restart Administration Services.

Modifying email notification subject and message text for the
DV Web Service

Administration Services allows you to modify both the email subject and message text
for each email notification event.

Attention:
Only personnel with knowledge of XSLT should attempt to modify email
notification text. To compare your changes with the default versions of the XSL
files, see the <AS-install>\templates folder for the default files. Do not modify
any of the files in the templates folder.

To modify email notification subject text


1 Log in to the Administration Services server hosting the application server
components.
2 Go to the following folder:
<AS-install>\services\dvws\dvws\webapp\WEB-INF\ens\xsl
3 In a text editor, open the XSL subject file for the event you want to modify. See
“Email notification files for the DV Web Service” on page 1496 for a list of event
IDs and email message files.
For example, to edit the subject line for the user-reactivate event, open the
user-reactivate-subject.xsl file.
4 Find the <Subject> element and modify the subject text.
For example, in the user-reactivate-subject.xsl file, you would modify the
text between the <Subject> tags:
<Subject>Your digital ID has been reactivated.</Subject>
5 Save and close the file.
If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin) for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Repeat this procedure for each event you want to modify.

To modify email notification message text


1 Log in to the Administration Services server hosting the application server
components.
2 Go to the following folder:
<AS-install>\services\dvws\dvws\webapp\WEB-INF\ens\xsl
3 In a text editor, open the XSL message content file for the event you want to
modify. See “Email notification files for the DV Web Service” on page 1496 for
a list of event IDs and email message files.
For example, to edit the message for the user-reactivate event, open the
user-reactivate-content.xsl file.

4 In the file, modify the text in the notification area only.
For example, in the user-reactivate-content.xsl file, you would modify only
the message text, leaving the xsl: elements unchanged:
<xsl:template match="xap:User">
<xsl:variable name="userName">
<xsl:call-template name="attributeFromDN">
<xsl:with-param name="dn"
select="xap:Properties/xap:DN" />
<xsl:with-param name="attribute" select="'cn'" />
</xsl:call-template>
</xsl:variable>
Dear <xsl:value-of select="$userName" />,

Your Entrust digital ID has been reactivated.

Begin using your digital ID again at any time. If you have lost your
digital ID or forgotten your password, please contact your LRA.

<xsl:call-template name="signature"/>
</xsl:template>
5 Save and close the file.
If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin) for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Repeat this procedure for each event you want to modify.

Modifying DV Web Service email notification to use HTML
content templates

By default, Administration Services email notifications are formatted to use plaintext
content templates, but you have the option to format the email notifications to also
use HTML content templates.
If an HTML template is specified for an event, both plaintext and HTML message
parts will be added to the email notification message. If the recipient’s email client
supports HTML, it will use the HTML message; if the email recipient’s email client
does not support HTML, the plaintext message will be used.

To modify DV Web Service email notification to use HTML
1 Log in to the Administration Services server hosting the application server
components.
2 Create an HTML file for every event ID you want to use both plaintext and HTML
content templates. You can give the HTML file any filename you choose, but you
must save it in the same file location as the plaintext version of the template.
3 Open the configuration.global.xml file for the DV Web Service. You can find
the file in the following folder:
<AS-install>\services\dvws\dvws\webapp\WEB-INF\config
4 Locate the <EmailNotificationEvents> element.
5 For every event ID you wish to use both plaintext and HTML content templates,
add <ContentHTMLTemplate>, the HTML template file name, and
</ContentHTMLTemplate> after the <ContentTemplate> line. For example (the
<ContentHTMLTemplate> line is the new text you are adding):
<EmailNotificationEvent>
<ContentTemplate>dv-entity-add-content</ContentTemplate>
<ContentHTMLTemplate>dv-entity-add-content-html</ContentHTMLTemplate>
6 Save and close the file.
7 Restart Administration Services.
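After editing configuration.global.xml and the XSL files, a practitioner would want to confirm that every template an enabled event references actually exists, is well-formed XML, and was saved as UTF-8 (the three things the procedures above say can go wrong). The Python script below is an added example, not part of the Entrust product. It assumes the layout the procedures describe: a global <Enabled> switch inside <Notification>, one <Event> per event ID with its own <Id> and <Enabled> (the pairing by <Id> is an assumption), and template base names that resolve to <name>.xsl in the ens/xsl folder; the root element name, the sample configuration and the sample template files are constructed for the demo.

```python
"""Check that enabled DV Web Service notification events have usable templates.

Added example, not part of the Entrust product. It assumes the layout this
chapter describes for configuration.global.xml: a <Notification> element
with a global <Enabled> switch and <Event> children (each with <Id> and
<Enabled>), and <EmailNotificationEvents> entries that name XSL templates
by base name, stored as <name>.xsl in the ens/xsl folder. The root element
name, the Event/Id pairing and the sample files are constructed here.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

TEMPLATE_ELEMENTS = ("ContentTemplate", "ContentHTMLTemplate", "SubjectTemplate",
                     "RecipientTemplate", "FromTemplate", "AttachmentsTemplate")

# Constructed sample configuration (event IDs taken from Table 83).
SAMPLE_GLOBAL_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <Notification>
    <Enabled>true</Enabled>
    <Event><Id>proc_iscertreq-success</Id><Enabled>true</Enabled></Event>
    <Event><Id>proc_iscertreq-invalid_req</Id><Enabled>false</Enabled></Event>
  </Notification>
  <EmailNotificationEvents>
    <EmailNotificationEvent>
      <Id>proc_iscertreq-success</Id>
      <ContentTemplate>proc_iscertreq-success-content</ContentTemplate>
      <ContentHTMLTemplate>proc_iscertreq-success-content-html</ContentHTMLTemplate>
      <SubjectTemplate>proc_iscertreq-success-subject</SubjectTemplate>
    </EmailNotificationEvent>
    <EmailNotificationEvent>
      <Id>proc_iscertreq-invalid_req</Id>
      <ContentTemplate>proc_iscertreq-invalid_req-content</ContentTemplate>
      <SubjectTemplate>proc_iscertreq-invalid_req-subject</SubjectTemplate>
    </EmailNotificationEvent>
  </EmailNotificationEvents>
</Configuration>
"""

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
CONTENT_XSL = (f'<xsl:stylesheet version="1.0" xmlns:xsl="{XSL_NS}">'
               '<xsl:template match="/">Your Inspection System certificate has been issued.'
               '</xsl:template></xsl:stylesheet>')
SUBJECT_XSL = (f'<xsl:stylesheet version="1.0" xmlns:xsl="{XSL_NS}">'
               '<xsl:template match="/"><Subject>Certificat délivré</Subject>'
               '</xsl:template></xsl:stylesheet>')


def _flag(text):
    return (text or "").strip().lower() == "true"


def enabled_event_ids(config_xml):
    """IDs that will actually send mail: the global switch in <Notification>
    and the per-event <Enabled> flag must both be true."""
    notif = ET.fromstring(config_xml).find("Notification")
    if notif is None or not _flag(notif.findtext("Enabled")):
        return set()
    return {(ev.findtext("Id") or "").strip()
            for ev in notif.findall("Event") if _flag(ev.findtext("Enabled"))}


def check_notification_templates(config_xml, xsl_dir):
    """Return (event_id, template_element, problem) for every template an
    enabled event references that is missing, not UTF-8, or not well-formed."""
    enabled = enabled_event_ids(config_xml)
    findings = []
    for ev in ET.fromstring(config_xml).iter("EmailNotificationEvent"):
        ev_id = (ev.findtext("Id") or "").strip()
        if ev_id not in enabled:
            continue  # disabled events never render their templates
        for elem in TEMPLATE_ELEMENTS:
            name = ev.findtext(elem)
            if name is None:
                continue  # optional template not configured for this event
            path = os.path.join(xsl_dir, name.strip() + ".xsl")
            if not os.path.isfile(path):
                findings.append((ev_id, elem, f"missing template file {path}"))
                continue
            with open(path, "rb") as fh:
                raw = fh.read()
            try:
                raw.decode("utf-8")
            except UnicodeDecodeError:
                findings.append((ev_id, elem, "not UTF-8; re-save the file with UTF-8 encoding"))
                continue
            try:
                ET.fromstring(raw)
            except ET.ParseError as exc:
                findings.append((ev_id, elem, f"not well-formed XML: {exc}"))
    return findings


def build_demo_dir():
    """Create a constructed ens/xsl folder: a good content template, a subject
    template saved in Latin-1 by mistake, and no HTML template at all."""
    d = tempfile.mkdtemp(prefix="dvws-xsl-")
    with open(os.path.join(d, "proc_iscertreq-success-content.xsl"), "wb") as fh:
        fh.write(CONTENT_XSL.encode("utf-8"))
    with open(os.path.join(d, "proc_iscertreq-success-subject.xsl"), "wb") as fh:
        fh.write(SUBJECT_XSL.encode("latin-1"))  # 'é' becomes a lone 0xE9 byte
    return d


if __name__ == "__main__":
    for finding in check_notification_templates(SAMPLE_GLOBAL_CONFIG, build_demo_dir()):
        print(finding)
```

Run it against the real folder by replacing the constructed configuration and directory with the contents of configuration.global.xml and the ens/xsl path; the disabled proc_iscertreq-invalid_req event is deliberately skipped even though its templates are absent, because a disabled event never renders them.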

Configuring the XAP connection settings for
the DV Web Service
Communication between the DV Web Service and Security Manager is through the
XML Administration Protocol (XAP) server, running as part of Security Manager.
Communication between these components is secured over HTTPS.
You can configure various XAP connection settings for the DV Web Service.
Configuring these settings can help you troubleshoot or resolve connection issues
between the DV Web Service and Security Manager.

To configure the XAP connection settings for the DV Web Service


1 Log in to the Administration Services server hosting the application server
components.
2 Open the dvws-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\dvws\dvws\webapp\WEB-INF\config
3 Locate the <XAPConnection> section:
<XAPConnection>
<Server>https://domain.example.com:443</Server>
<Connections>2</Connections>
<IdleTimeout>30</IdleTimeout>
<Debug>false</Debug>
<MaxConnections>50</MaxConnections>
<CacheTemplates>true</CacheTemplates>
<DefaultLanguage>en-us</DefaultLanguage>
<!-- Digest algorithm used to sign XAP messages, supported
values "sha1" and "sha256" -->
<SigningDigestAlgorithm>sha1</SigningDigestAlgorithm>
</XAPConnection>
4 Configure the settings as described in Table 85.

Table 85: XAP connection settings for the DV Web Service

Setting Description

<Server> An instance setting that sets the Uniform Resource Locator (URL)
address for the XAP Server. The DV Web Service sends requests
to this URL.
Note: This setting is defined during installation and should not be
changed.


<Connections> The initial number of connections that the DV Web Service opens
with the XAP server when Administration Services starts. The
number of connections to the XAP server increases automatically
up to the maximum when the number of users concurrently using
Administration Services increases.
Default value: 2

<IdleTimeout> Specifies the length of time (in minutes) that the DV Web Service
allows a connection with the XAP server to remain idle before
closing it and creating a new connection.
Default value: 30

<Debug> Controls whether the DV Web Service writes SSL connection
diagnostic information to the stdout.log file of the Tomcat
application server. If true, the DV Web Service writes SSL
connection diagnostic information to the stdout.log file.
Default value: false

<MaxConnections> The maximum number of connections the DV Web Service opens
with the XAP Server. After reaching the maximum, connections
are automatically closed after use. Since new messages cannot be
sent to the XAP server until a connection is available, repeatedly
reaching this maximum may slow system performance.
Default value: 50

<SigningDigestAlgorithm> The algorithm Administration Services uses when signing XAP
messages for the DV Web Service.
See “Configuring the XAP message signing algorithm for the DV
Web Service” on page 1506 for details.

5 Save and close the file.


6 Restart Administration Services.

Configuring the XAP message signing algorithm
for the DV Web Service
You can configure the algorithm Administration Services uses when signing XAP
messages for the DV Web Service. Administration Services supports only the SHA-1
and SHA-256 algorithms when signing XAP messages for the DV Web Service.
For the DV Web Service, Administration Services signs the XAP message using the
service profile. If any profiles have DSA or ECDSA key pairs, set the XAP message
signing algorithm to SHA-1. If the profile is stored on a token or the Microsoft
Cryptographic API (the Microsoft security framework), the XAP message signing
algorithm is automatically SHA-1 and you cannot change the algorithm.

To configure the XAP message signing algorithm for the DV Web Service
1 Log in to the Administration Services server hosting the application server
components.
2 Open the dvws-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\dvws\dvws\webapp\WEB-INF\config
3 Locate the following setting:
<SigningDigestAlgorithm>sha1</SigningDigestAlgorithm>
4 Configure the value to sha1 or sha256.
5 Restart Administration Services.
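The log settings in Table 82, the XAP connection settings in Table 85 and the signing algorithm choice above are all hand-edited XML, and the chapter names several values that break the service (a FileSize of 0, an unknown Level) or weaken it (plain HTTP to the XAP server, Debug left on, SHA-1 where SHA-256 would do). The following Python script is an added example, not Entrust code, that reads a dvws-config.xml and reports those conditions. Only the child element names come from this chapter; the enclosing root element name <DVWSConfig> and the sample file are assumptions constructed for the demo.

```python
"""Audit the DV Web Service dvws-config.xml settings from Tables 82 and 85.

Added example, not part of the Entrust product. It reads the <Logging> and
<XAPConnection> elements exactly as this chapter shows them; the enclosing
root element name and the sample file below are constructed for the demo.
"""
import xml.etree.ElementTree as ET

# Valid values quoted from Table 82 and the <SigningDigestAlgorithm> comment.
VALID_LEVELS = ("TRACE", "DEBUG", "INFO", "WARNING", "ERROR", "ALERT", "FATAL")
VALID_DIGESTS = ("sha1", "sha256")

# Constructed sample with several settings the guide warns about.
SAMPLE_DVWS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<DVWSConfig>
  <Logging>
    <Level>INFO</Level>
    <FileName>C:/Program Files/Entrust/AdminServices/services/dvws/dvws/logs/dvws_dvws.log</FileName>
    <FileSize>0</FileSize>
    <Backups>10</Backups>
  </Logging>
  <XAPConnection>
    <Server>http://domain.example.com:443</Server>
    <Connections>60</Connections>
    <IdleTimeout>30</IdleTimeout>
    <Debug>true</Debug>
    <MaxConnections>50</MaxConnections>
    <SigningDigestAlgorithm>sha1</SigningDigestAlgorithm>
  </XAPConnection>
</DVWSConfig>
"""


def _text(root, path):
    """Return the stripped text of the element at `path`, or "" if absent."""
    node = root.find(path)
    return (node.text or "").strip() if node is not None else ""


def _positive_int(value):
    """Parse a setting that must be a positive integer; None if it is not."""
    return int(value) if value.isdigit() and int(value) > 0 else None


def audit_dvws_config(xml_text):
    """Return a list of (severity, setting, message) findings for the file.

    ERROR: the service will not start or cannot talk to the XAP server.
    WARN:  a value worth reviewing before production use.
    """
    root = ET.fromstring(xml_text)
    findings = []

    level = _text(root, "Logging/Level")
    if level not in VALID_LEVELS:
        findings.append(("ERROR", "Logging/Level",
                         f"{level!r} is not one of {', '.join(VALID_LEVELS)}"))

    if _positive_int(_text(root, "Logging/FileSize")) is None:
        findings.append(("ERROR", "Logging/FileSize",
                         "must be a positive byte count; 0 stops Tomcat from starting"))

    server = _text(root, "XAPConnection/Server")
    if not server.lower().startswith("https://"):
        findings.append(("ERROR", "XAPConnection/Server",
                         "XAP traffic to Security Manager is secured over HTTPS"))

    initial = _positive_int(_text(root, "XAPConnection/Connections"))
    maximum = _positive_int(_text(root, "XAPConnection/MaxConnections"))
    if initial is None or maximum is None or initial > maximum:
        findings.append(("ERROR", "XAPConnection/Connections",
                         "initial connection count must be a positive integer "
                         "no larger than MaxConnections"))

    if _text(root, "XAPConnection/Debug").lower() == "true":
        findings.append(("WARN", "XAPConnection/Debug",
                         "SSL diagnostics are written to Tomcat stdout.log; "
                         "enable only while troubleshooting"))

    digest = _text(root, "XAPConnection/SigningDigestAlgorithm").lower()
    if digest not in VALID_DIGESTS:
        findings.append(("ERROR", "XAPConnection/SigningDigestAlgorithm",
                         f"{digest!r} is not one of {', '.join(VALID_DIGESTS)}"))
    elif digest == "sha1":
        findings.append(("WARN", "XAPConnection/SigningDigestAlgorithm",
                         "SHA-1 is only required for DSA/ECDSA profiles or "
                         "token/CAPI-stored profiles; prefer sha256 otherwise"))
    return findings


if __name__ == "__main__":
    for severity, setting, message in audit_dvws_config(SAMPLE_DVWS_CONFIG):
        print(f"{severity:5} {setting}: {message}")
```

The sha1 finding is a warning rather than an error on purpose: the section above states that SHA-1 is mandatory when a profile uses DSA or ECDSA keys or is stored on a token or in the Microsoft Cryptographic API, so the script can only flag it for review, not decide for you.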

Configuring CSCA materials distribution
You can use the DV Web Service to provide CSCA materials to Inspection Systems.
CSCA materials include master lists, CRLs and document signer certificates published
by trusted CSCAs.
This section contains the following topics:
• “Enabling and disabling CSCA materials distribution” on page 1507
• “Configuring the incoming CSCA materials folder” on page 1508
• “Configuring the CSCA materials storage folder” on page 1509
• “Configuring how often the DV Web Service checks for new CSCA
materials” on page 1510
• “Configuring CRL checking of CSCA materials” on page 1511

Enabling and disabling CSCA materials distribution


When you installed the DV Web Service, you had the option to enable CSCA
materials distribution (see “Installing the DV Web Service” on page 1422). You can
enable or disable CSCA materials distribution at any time.

To enable or disable CSCA materials distribution


1 Log in to the Administration Services server hosting the application server
components.
2 Open the dvws-config.xml file in a text editor. You can find the file in:
<AS-install>\services\dvws\dvws\webapp\WEB-INF\config
3 Locate the <CSCAMaterialDistribution> section. For example:
<CSCAMaterialDistribution>
<Enabled>false</Enabled>
<IncomingFolder>C:\Program Files\Entrust\AdminServices/
services/dvws/dvws/webapp/incoming-csca-materials</IncomingFolder>
<StorageFolder>C:\Program Files\Entrust\AdminServices/
services/dvws/dvws/webapp/csca-store</StorageFolder>
<MonitorThreadIntervalMinutes>10</MonitorThreadIntervalMinutes>
<RevocationCheckMaterials>true</RevocationCheckMaterials>
<FailIfNoCRL>false</FailIfNoCRL>
</CSCAMaterialDistribution>
4 Change the <Enabled> setting as follows:
• To enable CSCA materials distribution, change the value to true:
<Enabled>true</Enabled>
• To disable CSCA materials distribution, change the value to false:
<Enabled>false</Enabled>

5 Save and close the file.
6 If you are enabling CSCA materials distribution for the first time, you must
provide the DV Web Service with the latest domestic CSCA root certificate. See
“Providing the latest domestic CSCA root certificate to the DV Web Service” on
page 1513 for details.
7 Restart Administration Services.

Configuring the incoming CSCA materials folder


The incoming CSCA materials folder is the folder where you store the CSCA materials
for the DV Web Service. By default, the incoming CSCA material folder is in the
following location:
<AS-install>\services\dvws\dvws\webapp\incoming-csca-materials
If required, you can change the incoming CSCA materials folder.

To change the location of the incoming CSCA materials folder


1 Log in to the Administration Services server hosting the application server
components.
2 Open the dvws-config.xml file. You can find the file in:
<AS-install>\services\dvws\dvws\webapp\WEB-INF\config
3 Locate the <CSCAMaterialDistribution> section. For example:
<CSCAMaterialDistribution>
<Enabled>false</Enabled>
<IncomingFolder>C:\Program Files\Entrust\AdminServices/
services/dvws/dvws/webapp/incoming-csca-materials</IncomingFolder>
<StorageFolder>C:\Program Files\Entrust\AdminServices/
services/dvws/dvws/webapp/csca-store</StorageFolder>
<MonitorThreadIntervalMinutes>10</MonitorThreadIntervalMinutes>
<RevocationCheckMaterials>true</RevocationCheckMaterials>
<FailIfNoCRL>false</FailIfNoCRL>
</CSCAMaterialDistribution>
4 The <IncomingFolder> setting controls the location of the incoming CSCA
material folder. Change the value of the <IncomingFolder> as required. For
example:
<IncomingFolder>C:\New folder location</IncomingFolder>
5 Copy all files and folders from the old location to the new location. The new
location must contain the following folders:
• A crls folder for domestic and foreign CRLs.
• A doc-signer-certificates folder for domestic and foreign document
signer certificates.

• A master-list folder for the domestic master lists.
• A rejected-files folder. The DV Web Service writes certificates and CRLs
it rejects into this folder. For example, if the DV Web Service cannot parse a
certificate or a certificate was revoked, the DV Web Service will write the
certificate into this folder.
6 Save and close the file.
7 Restart Administration Services.

Configuring the CSCA materials storage folder


The CSCA materials storage folder is the folder where the DV Web Service stores
CSCA materials for distribution to Inspection Systems. The DV Web Service monitors
the incoming CSCA materials folder (see “Configuring the incoming CSCA materials
folder” on page 1508) and saves copies of the files into the CSCA materials storage
folder.
By default, the CSCA materials storage folder is in the following location:
<AS-install>\services\dvws\dvws\webapp\csca-store
If required, you can change the CSCA materials storage folder.

To change the location of the CSCA materials storage folder


1 Log in to the Administration Services server hosting the application server
components.
2 Open the dvws-config.xml file. You can find the file in:
<AS-install>\services\dvws\dvws\webapp\WEB-INF\config
3 Locate the <CSCAMaterialDistribution> section. For example:
<CSCAMaterialDistribution>
<Enabled>false</Enabled>
<IncomingFolder>C:\Program Files\Entrust\AdminServices/
services/dvws/dvws/webapp/incoming-csca-materials</IncomingFolder>
<StorageFolder>C:\Program Files\Entrust\AdminServices/
services/dvws/dvws/webapp/csca-store</StorageFolder>
<MonitorThreadIntervalMinutes>10</MonitorThreadIntervalMinutes>
<RevocationCheckMaterials>true</RevocationCheckMaterials>
<FailIfNoCRL>false</FailIfNoCRL>
</CSCAMaterialDistribution>
4 The <StorageFolder> setting controls the location of the CSCA materials
storage folder. Change the value of the <StorageFolder> as required. For
example:
<StorageFolder>C:\New folder location</StorageFolder>
5 Copy all files and folders from the old location to the new location. The new
location must contain the following folders:

• A crls folder for domestic and foreign CRLs.
• A doc-signer-certs folder for domestic and foreign document signer
certificates.
• A domestic-root-cert folder for the domestic CSCA root certificates.
This folder contains a secured copy of the domestic CSCA root certificate that
serves as the trust anchor for the CSCA materials distribution process. It is
very important that you copy this folder and its contents to the new location.
• A ml folder for the domestic master lists.
6 Save and close the file.
7 Restart Administration Services.

Configuring how often the DV Web Service checks for new CSCA
materials
The DV Web Service will periodically check the incoming CSCA materials folder (see
“Configuring the incoming CSCA materials folder” on page 1508) for new CSCA
materials. By default, the DV Web Service checks every 10 minutes for new CSCA
materials.
You can configure how often the DV Web Service checks the incoming CSCA
materials folder for new CSCA materials. When the DV Web Service finds new CSCA
materials, it saves copies of the materials to the CSCA materials storage folder
(see “Configuring the CSCA materials storage folder” on page 1509).

To configure how often the DV Web Service checks for new CSCA materials
1 Log in to the Administration Services server hosting the application server
components.
2 Open the dvws-config.xml file. You can find the file in:
<AS-install>\services\dvws\dvws\webapp\WEB-INF\config
3 Locate the <CSCAMaterialDistribution> section. For example:
<CSCAMaterialDistribution>
<Enabled>false</Enabled>
<IncomingFolder>C:\Program Files\Entrust\AdminServices/
services/dvws/dvws/webapp/incoming-csca-materials</IncomingFolder>
<StorageFolder>C:\Program Files\Entrust\AdminServices/
services/dvws/dvws/webapp/csca-store</StorageFolder>
<MonitorThreadIntervalMinutes>10</MonitorThreadIntervalMinutes>
<RevocationCheckMaterials>true</RevocationCheckMaterials>
<FailIfNoCRL>false</FailIfNoCRL>
</CSCAMaterialDistribution>

1510 Entrust® ePassport 3.00 Solutions Guide Document issue: 5.0


4 The <MonitorThreadIntervalMinutes> setting controls how often (in minutes)
the DV Web Service will check the incoming CSCA materials folder for new CSCA
materials.
Enter a new value (in minutes) as required. For example, to configure the DV
Web Service to check for new CSCA materials every 5 minutes:
<MonitorThreadIntervalMinutes>5</MonitorThreadIntervalMinutes>
5 Save and close the file.
6 Restart Administration Services.

Configuring CRL checking of CSCA materials


By default, the DV Web Service will check document signer certificates against a CRL
before sending them to Inspection Systems. You can configure whether the DV Web
Service checks document signer certificates against a CRL before sending them to
Inspection Systems. You can also configure whether the DV Web Service will send
document signer certificates to Inspection Systems if no CRL is available.

To configure CRL checking of CSCA materials


1 Log in to the Administration Services server hosting the application server
components.
2 Open the dvws-config.xml file. You can find the file in:
<AS-install>\services\dvws\dvws\webapp\WEB-INF\config
3 Locate the <CSCAMaterialDistribution> section. For example:
<CSCAMaterialDistribution>
<Enabled>false</Enabled>
<IncomingFolder>C:\Program Files\Entrust\AdminServices/services/dvws/dvws/webapp/incoming-csca-materials</IncomingFolder>
<StorageFolder>C:\Program Files\Entrust\AdminServices/services/dvws/dvws/webapp/csca-store</StorageFolder>
<MonitorThreadIntervalMinutes>10</MonitorThreadIntervalMinutes>
<RevocationCheckMaterials>true</RevocationCheckMaterials>
<FailIfNoCRL>false</FailIfNoCRL>
</CSCAMaterialDistribution>
4 The <RevocationCheckMaterials> setting controls whether the DV Web Service
will check document signer certificates against a CRL, if a CRL is available.
• To check document signer certificates against a CRL, set the value to true:
<RevocationCheckMaterials>true</RevocationCheckMaterials>
• To prevent checking document signer certificates against a CRL, set the value
to false:
<RevocationCheckMaterials>false</RevocationCheckMaterials>

Configuring the DV Web Service 1511


5 The <FailIfNoCRL> setting controls whether the DV Web Service will send
document signer certificates to Inspection Systems if no CRL is available.
• To prevent the DV Web Service from sending document signer certificates if
no CRL is available, set the value to true:
<FailIfNoCRL>true</FailIfNoCRL>
• To allow the DV Web Service to send document signer certificates even if no
CRL is available, set the value to false:
<FailIfNoCRL>false</FailIfNoCRL>
6 Save and close the file.
7 Restart Administration Services.
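The interaction between <MonitorThreadIntervalMinutes>, <RevocationCheckMaterials> and <FailIfNoCRL> is easiest to reason about in a small model. The following Python is an added example written against this guide's description of the <CSCAMaterialDistribution> section; it is not DV Web Service code. It parses a constructed copy of the section, rejects an interval that is not a positive number of minutes, and applies the documented meaning of the two CRL settings to decide whether a document signer certificate would be released to Inspection Systems. The decision function, the serial-number inputs and the assumption that <FailIfNoCRL> only matters once CRL checking is enabled are mine, not the product's.

```python
"""Model of the <CSCAMaterialDistribution> settings in dvws-config.xml.

Added example, not DV Web Service code. The sample XML and serial numbers
below are constructed; the decision rules follow the settings as the guide
describes them (assumption: undocumented details of the real service may differ).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional, Set

# Constructed sample of the section, with the paths shortened to forward slashes.
SAMPLE_CONFIG = """<config>
  <CSCAMaterialDistribution>
    <Enabled>true</Enabled>
    <IncomingFolder>C:/Entrust/AdminServices/services/dvws/dvws/webapp/incoming-csca-materials</IncomingFolder>
    <StorageFolder>C:/Entrust/AdminServices/services/dvws/dvws/webapp/csca-store</StorageFolder>
    <MonitorThreadIntervalMinutes>5</MonitorThreadIntervalMinutes>
    <RevocationCheckMaterials>true</RevocationCheckMaterials>
    <FailIfNoCRL>true</FailIfNoCRL>
  </CSCAMaterialDistribution>
</config>
"""


@dataclass(frozen=True)
class CscaDistributionConfig:
    enabled: bool
    incoming_folder: str
    storage_folder: str
    monitor_interval_minutes: int
    revocation_check_materials: bool
    fail_if_no_crl: bool


def _as_bool(tag: str, text: str) -> bool:
    # The guide shows the values as literal true/false; anything else is a typo.
    value = text.strip().lower()
    if value not in ("true", "false"):
        raise ValueError(f"<{tag}> must be true or false, got {text!r}")
    return value == "true"


def parse_config(xml_text: str) -> CscaDistributionConfig:
    """Parse the section and validate it the way an admin would want before a restart."""
    root = ET.fromstring(xml_text)
    section = root.find(".//CSCAMaterialDistribution")
    if section is None:
        raise ValueError("no <CSCAMaterialDistribution> section found")

    def text_of(tag: str) -> str:
        element = section.find(tag)
        if element is None or element.text is None or not element.text.strip():
            raise ValueError(f"missing or empty <{tag}>")
        return element.text.strip()

    interval = int(text_of("MonitorThreadIntervalMinutes"))
    if interval < 1:
        raise ValueError("MonitorThreadIntervalMinutes must be a positive number of minutes")
    return CscaDistributionConfig(
        enabled=_as_bool("Enabled", text_of("Enabled")),
        incoming_folder=text_of("IncomingFolder"),
        storage_folder=text_of("StorageFolder"),
        monitor_interval_minutes=interval,
        revocation_check_materials=_as_bool("RevocationCheckMaterials",
                                            text_of("RevocationCheckMaterials")),
        fail_if_no_crl=_as_bool("FailIfNoCRL", text_of("FailIfNoCRL")),
    )


def distribution_decision(cfg: CscaDistributionConfig, cert_serial: str,
                          crl_revoked_serials: Optional[Set[str]]) -> str:
    """Decide what happens to one document signer certificate.

    crl_revoked_serials is the set of serials listed on the issuing CSCA's CRL,
    or None when no CRL for that CSCA is available in the store.
    Returns one of: "disabled", "send", "withhold-no-crl", "withhold-revoked".
    """
    if not cfg.enabled:
        return "disabled"
    if not cfg.revocation_check_materials:
        return "send"  # CRL checking switched off: certificate is passed through
    if crl_revoked_serials is None:
        # Assumption: FailIfNoCRL only comes into play once CRL checking is enabled.
        return "withhold-no-crl" if cfg.fail_if_no_crl else "send"
    return "withhold-revoked" if cert_serial in crl_revoked_serials else "send"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(f"poll every {cfg.monitor_interval_minutes} min; "
          f"crl check={cfg.revocation_check_materials}; fail if no crl={cfg.fail_if_no_crl}")
    for serial, crl in (("1A", None), ("1A", {"2B"}), ("1A", {"1A"})):
        print(serial, "no CRL" if crl is None else f"CRL={sorted(crl)}", "->",
              distribution_decision(cfg, serial, crl))
```

Running the block shows the trade-off the two settings encode: with both set to true, a certificate whose issuing CSCA has published no CRL is withheld, which is the safe choice for Inspection Systems that must not trust a signer whose status cannot be checked; with <FailIfNoCRL>false</FailIfNoCRL> inspection keeps working for that country at the cost of distributing certificates whose revocation status is unknown.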

Providing the latest domestic CSCA root
certificate to the DV Web Service
You can use the DV Web Service to provide CSCA materials to Inspection Systems.
CSCA materials include master lists, CRLs, and document signer certificates published
by trusted CSCAs.
To provide CSCA materials to Inspection Systems, the DV Web Service requires the
latest domestic CSCA root certificate. You must provide the DV Web Service with the
latest CSCA root certificate if you are enabling CSCA materials distribution for the first
time (see “Enabling and disabling CSCA materials distribution” on page 1507), or
after a CSCA key rollover.

To provide the latest domestic CSCA root certificate to the DV Web Service
1 Log in to the Administration Services server hosting the application server
components.
2 Obtain the latest domestic CSCA root certificate from your CSCA administrator.
3 On a command line, navigate to the following folder:
<AS-install>\tools\csca-cert-update
4 Enter the following command:
csca-cert-update <password> <certificate-file>
Where:
• <password> is the password for the DV Web Service profile. If the DV Web
Service profile is stored on hardware, then <password> is the password of the
hardware token.
• <certificate-file> is the path and file name of the CSCA certificate.
For example:
csca-cert-update Example@1234 "c:/csca-certificate.cer"
5 If you previously provided a domestic master list to the DV Web Service, delete
the stored master list from the following folder:
<AS-install>\services\dvws\dvws\webapp\csca-store\ml
The stored master list was signed by the previous CSCA certificate, and can no
longer be verified by the DV Web Service with the new CSCA certificate.
6 Provide any updated CSCA materials (such as a new master list signed by the
latest CSCA) to the DV Web Service. See “Providing CSCA materials to the DV
Web Service” on page 1514 for details.
7 Restart Administration Services.

Providing CSCA materials to the DV Web
Service
You can use the DV Web Service to provide CSCA materials to Inspection Systems.
CSCA materials include master lists, CRLs, and document signer certificates published
by trusted CSCAs. You must enable CSCA materials distribution before the DV Web
Service can provide CSCA materials to Inspection Systems (see “Enabling and
disabling CSCA materials distribution” on page 1507). You must manually provide
master lists, CRLs, and document signer certificates to the DV Web Service.

To provide CSCA materials to the DV Web Service


1 Log in to the Administration Services server hosting the application server
components.
2 Obtain the following files:
• all domestic and foreign CRLs required to verify passports
• all domestic and foreign document signer certificates
Most countries are expected to include the document signer certificates in
the security object on the passport. You do not need to obtain document
signer certificates from countries that will include them in the security object
on passports.
• a domestic master list
The domestic master list does not have to be the current active domestic
master list. You may choose to use a master list that is different than the
master list available to foreign countries.
You do not need to provide a domestic master list if your Inspection Systems
only validate domestic identity documents and you have never updated your
domestic CSCA root certificate.
3 Navigate to the incoming CSCA materials folder. By default:
<AS-install>\services\dvws\dvws\webapp\incoming-csca-materials
You may have changed the location of the incoming CSCA materials folder (see
“Configuring the incoming CSCA materials folder” on page 1508).
The incoming CSCA materials folder should contain the following folders:
• A crls folder for domestic and foreign CRLs.
• A doc-signer-certificates folder for domestic and foreign document
signer certificates.
• A master-list folder for the domestic master lists.
4 Save the CRLs into the crls folder.
5 Save the document signer certificates into the doc-signer-certificates folder.

6 Save the active domestic master list into the master-list folder.
You do not need to restart Administration Services. The DV Web Service checks
periodically for new CSCA materials in these folders (see “Configuring how often the
DV Web Service checks for new CSCA materials” on page 1510).

54 Administering a Document Verifier


Each country has one or more Document Verifiers (DVs). Each Document Verifier
handles multiple Inspection Systems, and recognizes multiple Country Verifying
Certification Authorities (CVCAs). The Document Verifier authorizes the Inspection
Systems to examine the contents of e-passports.
This chapter describes how to administer a Document Verifier using the Security
Manager Control Command Shell and the DV Administration interface.
This chapter contains the following sections:
• “Getting started in Security Manager Control Command Shell” on
page 1518
• “Getting started in DV Administration” on page 1523
• “Viewing the Document Verifier holder identity” on page 1527
• “Viewing the domestic CVCA holder identity” on page 1528
• “Configuring the CVCA policy” on page 1529
• “Managing Country Verifying Certification Authorities” on page 1530
• “Managing CVCA certificates” on page 1546
• “Configuring the Document Verifier policy” on page 1559
• “Managing Document Verifier certificate requests” on page 1565
• “Managing Document Verifier certificates” on page 1578
• “Viewing the current Document Verifier signing keys” on page 1589
• “Configuring Inspection System policy” on page 1590
• “Managing Inspection Systems” on page 1594
• “Managing Inspection System certificate requests” on page 1613
• “Managing Inspection System certificates” on page 1619
• “Previewing EAC certificates” on page 1627
• “Queued operations” on page 1629
Getting started in Security Manager Control
Command Shell
Master Users are highly trusted people responsible for installing and configuring
Security Manager, and for managing various aspects of Security Manager, such as
certificates, the database, and the directory.
Security Manager Control Command Shell is a command line utility for Master Users
to manage Security Manager. In Security Manager Control Command Shell, a Master
User can do everything from logging in to setting encryption algorithms.

Note:
This section only provides information about starting and stopping, logging in,
and logging out of Security Manager Control Command Shell. For more
information about getting started in Security Manager Control Command Shell
including important information about character encoding and using special
characters, see the Security Manager Operations Guide.

This section contains the following topics:


• “Logging in to Security Manager Control Command Shell” on page 1518
• “Logging out of Security Manager Control Command Shell” on page 1522

Logging in to Security Manager Control Command Shell


Logging in to Security Manager Control Command Shell authenticates you to
Security Manager and allows you to access operations including starting and stopping
the Security Manager service.
Security Manager Control Command Shell automatically logs you out if there is no
activity in five minutes. If you try to log in while your Security Manager Control
Command Shell session is still active, the message "You are logged in to Security
Manager Control Command Shell" appears.
You usually need to log in to Security Manager Control Command Shell before you
can perform Master User tasks. However, if autologin is enabled, you may not have
to log in. See the Security Manager Operations Guide for information about
configuring autologin.
• “To log in to Security Manager Control Command Shell on Windows” on
page 1519
• “To log in to Security Manager Control Command Shell on Linux” on
page 1520

To log in to Security Manager Control Command Shell on Windows
1 Log in to Windows as the Windows user who installed Security Manager.

Note:
If you log in to Windows as a different Windows user, you cannot log in to
Security Manager Control Command Shell or run any commands.

2 Open the Security Manager Control Command Shell using one of the following
methods:
• Double-click the shortcut icon on the desktop.
• From the Start menu: click Start, click the down arrow to access Apps, then
click Security Manager Control Command Shell.
When listed by name or category, Security Manager Control Command Shell
is listed under Entrust.
The Security Manager Control Command Shell window appears. The window
presents copyright information about Security Manager, information about
getting help in Security Manager Control Command Shell, and the default
Security Manager Control Command Shell prompt (entsh$).
3 At the prompt, enter:
login
4 If you are using hardware-based database protection (see the Security Manager
Operations Guide), Security Manager Control Command Shell prompts you for
the password of the hardware device:
A password is required to log into 'CAHdwareVendor01 SN :
99ERT-A7-00-1'.
Password:
Enter the password of the hardware device.
5 Security Manager Control Command Shell prompts you for your Master User
user name:
Master User Name:
Enter your Master User user name.
The predefined Master User names (Master1, Master2, and Master3) are
case-sensitive. Names of custom Master Users (see the Security Manager
Operations Guide) are not case-sensitive.
6 Security Manager Control Command Shell prompts you for your Master User
password:
Password:

Administering a Document Verifier 1519


Enter your Master User password.
7 If Security Manager has been idle for more than seven days, you are prompted
to approve the time change:
Time now is 'Mon Nov 10 14:32:30 2014', last date Key Management
Service was started approximately 'Sat Oct 18 15:24:03 2014'.
Warning: once you set the clock forward, you cannot set it back
again.
If you later want to set the time back, you will have to restore
your CA from backup.
Do you want to approve the time change (y/n) ? [n]
To approve the time change, enter y. You must restart Security Manager within
one hour or you will have to acknowledge the time change again.
The message You are logged in to Security Manager Control Command Shell
appears, and the prompt changes to specify the distinguished name of the
Certification Authority and your Master User user name.

To log in to Security Manager Control Command Shell on Linux


1 Switch to a user with the proper group membership to use Security Manager.
When you installed Security Manager, you assigned ownership of the Security
Manager installation to a user and group. Switch to a user who belongs to the
same group that owns the Security Manager installation. For PostgreSQL, the
user must also belong to the easm_entrust_pg group. See the Security Manager
Database Configuration Guide.
2 Start the Security Manager Control Command Shell:

Note:
If you include these commands in your startup script, you do not need to enter
them each time you log in to your server to run Security Manager Control
Command Shell.

a Navigate to the Certification Authority (CA) data directory, typically:
/opt/entrust/authdata/CA
b Source the Security Manager environment variables:
– If you are in a C shell, enter:
source ./env_settings.csh
– If you are not in a C shell, enter:
. ./env_settings.sh
c Enter the following command:

entsh
Copyright information about Security Manager appears, followed by
information about getting help in Security Manager Control Command Shell,
and the default Security Manager Control Command Shell prompt (entsh$).
3 At the prompt, enter:
login
4 If you are using hardware-based database protection (see the Security Manager
Operations Guide), Security Manager Control Command Shell prompts you for
the password of the hardware device:
A password is required to log into 'CAHdwareVendor01 SN :
99ERT-A7-00-1'.
Password:
Enter the password of the hardware device.
5 Security Manager Control Command Shell prompts you for your Master User
user name:
Master User Name:
Enter your Master User user name.
The predefined Master User names (Master1, Master2, and Master3) are
case-sensitive. Names of custom Master Users (see the Security Manager
Operations Guide) are not case-sensitive.
6 Security Manager Control Command Shell prompts you for your Master User
password:
Password:
Enter your Master User password.
7 If Security Manager has been idle for more than seven days, you are prompted
to approve the time change:
Time now is 'Mon Nov 10 14:32:30 2014', last date Key Management
Service was started approximately 'Sat Oct 18 15:24:03 2014'.
Warning: once you set the clock forward, you cannot set it back
again.
If you later want to set the time back, you will have to restore
your CA from backup.
Do you want to approve the time change (y/n) ? [n]
To approve the time change, enter y. You must restart Security Manager within
one hour or you will have to acknowledge the time change again.
The message You are logged in to Security Manager Control Command Shell
appears, and the prompt changes to specify the distinguished name of the
Certification Authority and your Master User user name.

Logging out of Security Manager Control Command Shell
When you have finished all the Master User operations you need to perform, log out
of Security Manager Control Command Shell. This is a standard security measure.

To log out of Security Manager Control Command Shell on Windows


1 To log out of Security Manager Control Command Shell, enter:
logout
The prompt entsh$ appears.
2 To exit Security Manager Control Command Shell, at the prompt, enter the
following:
exit

To log out of Security Manager Control Command Shell on Linux


1 To log out of Security Manager Control Command Shell, enter:
logout
The prompt entsh$ appears.
2 To exit Security Manager Control Command Shell, enter:
exit

Getting started in DV Administration
DV Administration provides an interface for Document Verifier (DV) administrators to
administer their country’s Document Verifiers. DV administrators with appropriate
permissions can manage CVCAs, CVCA certificates, Document Verifier certificates
and certificate requests, Inspection System policy, Inspection Systems, and Inspection
System certificates and certificate requests.
This section contains the following topics:
• “Logging in to DV Administration” on page 1523
• “How the role assigned to the DV administrator affects DV Administration
interface” on page 1524
• “Using the DV Administration interface” on page 1525

Logging in to DV Administration
You must log in to the DV Administration interface with a certificate stored in
your Web browser (see “Creating DV administrators” on page 1373).

Note:
You can customize the DV Administration interface to reflect the corporate
identity of your company. For details, see “Customizing DV Administration” on
page 1633.

To log in to DV Administration
1 Open a Web browser.
2 Enter the following URL in your Web browser:
https://<host_name>:<port>/<instance>
Where:
• <host_name> is the fully qualified host name of the server hosting DV
Administration.
• <port> is the SSL port for DV Administration (by default 14443).
• <instance> is the URL path of the DV Administration instance. You specified
the URL path when you installed DV Administration. For example, the
default URL path for DV Administration is DVAdmin.
For example:
https://webserver.example.com:14443/DVAdmin
The login page appears.

3 When prompted to select a user certificate, select a user certificate for a DV
administrator.
4 A security dialog may appear, prompting you to allow the application to access
the private key.

Note:
The security dialog box may appear behind the browser window. Click the dialog
box’s window icon in the taskbar to bring the dialog box to the front.

Click Allow to allow DV Administration to access the private key.


The DV Administration interface appears.

How the role assigned to the DV administrator affects DV
Administration interface
Roles and their policies are defined in Security Manager. When a person is assigned
the function of administrator for DV Administration, you assign a specific role to this
person in Security Manager.
The role determines whether the administrator has permission to perform
administrative tasks on the DV Administration interface. The following predefined
roles are available for DV Administration users:
• EAC Auditor
The EAC Auditor role has permissions only to view information available in
the DV Administration interface.
• EAC Administrator
The EAC Administrator has all EAC permissions. The EAC Administrator role
has permissions to perform all operations in the DV Administration
interface.
You can create new custom roles to assign to your DV administrators. You assign
administrators a role when you create their digital IDs. The tasks that an administrator
can perform in the DV Administration interface depend on the permissions the
administrator’s role contains. (Some existing PKI roles, such as Security Officer, also
include the permissions to perform modifications using the DV Administration
interface.) For more information about roles and permissions, see the Security
Manager Administration User Guide.

Using the DV Administration interface
This topic describes various elements found in the DV Administration interface.

Information bar
The information bar in the DV Administration interface displays the distinguished
name (DN) of the currently logged in administrator on the left. On the right, the
following links are available:
• About
Click About to view the version and legal information for the Entrust
Authority EAC systems.
• Help
Click Help on any page to view the Help documentation for that page. A link
to the help index is available on each Help page. A link to browser
requirements is available in the help index.
• locales (main page only)
Click a locale link to change the language used in the interface. By default,
DV Administration provides English and French locales.

Taskbar
The taskbar has links to the main task areas available to the currently logged-in
administrator. For example, if you are logged in as EAC Administrator, the Document
Verifier, Country Verifying CAs, Inspection Systems, Certificates, Queued
operations, and My Account tasks appear. The current task is emphasized by a white
background.

Action bar
The action bar has tabs that indicate subtasks or actions available for the particular
task. The current tab is emphasized in darker blue. The action bar displays the current
action within the task.
The bread crumb trail allows administrators to easily see where they are within a task
and navigate back to previous steps.

Tables
When administrators retrieve results, the results are displayed in a table.
Administrators can sort the results in the table:
• Click the column header link in a results table to sort the table by that
column.

• Each table has default sorting criteria, but if the administrator sorts using a
different column, the administrator’s sorting preference is then saved in a
cookie.
• The currently-sorted column is shown with a graphic indicator.

Other interface elements


• Link items are displayed in bold. Click the link, and a details page appears.
• Help titles appear on mouse-over in a yellow pop-up.
• Action links appear in a command bar.
• Upon completion of an action, a message displays in the page indicating
failure or success.
• Where possible, input is verified using JavaScript. If an error is found, a
pop-up appears. The field label turns red and a red X is added to the input
field.

Viewing the Document Verifier holder identity
A holder identity consists of a two-character country code (such as GB for the United
Kingdom, or US for the United States of America), followed by a mnemonic label,
which is a character string of one to nine characters. For example, GBcvca and
UScountry are holder identities.
You specified the holder identity of the Document Verifier during the initialization
process (see “Initializing a Document Verifier” on page 1303). You can display the
holder identity at any time.

To display the Document Verifier holder identity using the Security Manager
Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 At the prompt, enter:
dv identity
Security Manager displays the holder identity of the Document Verifier.

Viewing the domestic CVCA holder identity
A holder identity consists of a two-character country code (such as GB for the United
Kingdom, or US for the United States of America), followed by a mnemonic label,
which is a character string of one to nine characters. For example, GBcvca and
UScountry are holder identities.
You can display the holder identity of your Document Verifier’s domestic CVCA. By
default, the domestic CVCA has the same country code as your Document Verifier.
However, the domestic CVCA may have a different country code, or more than one
CVCA may use the same country code. If more than one CVCA uses the same
country code as your Document Verifier, or if no CVCA uses the same country code
as your Document Verifier, Security Manager cannot display the holder identity of the
domestic CVCA.
You can set the domestic CVCA by modifying the Document Verifier policy (see
“Configuring the Document Verifier policy” on page 1559).
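The holder identity format given in these two topics (and again for the <cvca identity> parameter of dv cvca add) and the default domestic CVCA rule above can both be checked in code. The following Python is an added example, not Entrust code: it validates an identity as two uppercase ISO 3166-1 alpha-2 letters followed by a one to nine character ISO 8859-1 mnemonic, and resolves the domestic CVCA only when exactly one known CVCA shares the Document Verifier's country code. The sample identities are constructed, and rejecting control characters in the mnemonic is my own tightening of the rule rather than something the guide states.

```python
"""Holder identity checks, written as an added example for this guide.

Not Entrust code. Implements the format the guide gives (two uppercase
ISO 3166-1 alpha-2 letters followed by a 1 to 9 character ISO 8859-1 mnemonic)
and the domestic CVCA rule (exactly one CVCA sharing the DV's country code).
Sample identities are constructed; rejecting control characters is my own
tightening of the rule.
"""
import re
from typing import Iterable, List, Optional

COUNTRY_CODE = re.compile(r"[A-Z]{2}")
MNEMONIC_MAX_LEN = 9


def validate_holder_identity(identity: str) -> Optional[str]:
    """Return None when the identity is well formed, otherwise the reason it is not."""
    if len(identity) < 3:
        return ("too short: a holder identity is a 2-letter country code followed "
                "by a 1 to 9 character mnemonic")
    country, mnemonic = identity[:2], identity[2:]
    if not COUNTRY_CODE.fullmatch(country):
        return f"country code {country!r} must be two uppercase letters (ISO 3166-1 alpha-2)"
    if len(mnemonic) > MNEMONIC_MAX_LEN:
        return (f"mnemonic {mnemonic!r} is {len(mnemonic)} characters; "
                f"at most {MNEMONIC_MAX_LEN} allowed")
    try:
        mnemonic.encode("latin-1")
    except UnicodeEncodeError:
        return f"mnemonic {mnemonic!r} contains characters outside ISO 8859-1"
    if not mnemonic.isprintable():  # assumption: control characters are never wanted in a label
        return f"mnemonic {mnemonic!r} contains control characters"
    return None


def is_valid_holder_identity(identity: str) -> bool:
    return validate_holder_identity(identity) is None


def country_of(identity: str) -> str:
    """The country code part of a (valid) holder identity."""
    return identity[:2]


def find_domestic_cvca(dv_identity: str, cvca_identities: Iterable[str]) -> Optional[str]:
    """Apply the guide's default rule for the domestic CVCA.

    Returns the one CVCA whose country code matches the Document Verifier's, or
    None when no CVCA or more than one CVCA shares that code (the cases in which
    the guide says the domestic CVCA cannot be displayed and must be set in the
    Document Verifier policy instead).
    """
    matches: List[str] = [c for c in cvca_identities
                          if country_of(c) == country_of(dv_identity)]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    # Constructed sample identities, valid and invalid
    for candidate in ("GBcvca", "UScountry", "gbcvca", "GB", "GBabcdefghij", "DE\u0141"):
        print(f"{candidate!r:16} -> {validate_holder_identity(candidate) or 'ok'}")
    cvcas = ["CAcvca", "GBcvca", "CNcvca"]
    print("domestic CVCA for GBdv:", find_domestic_cvca("GBdv", cvcas))
    print("domestic CVCA for FRdv:", find_domestic_cvca("FRdv", cvcas))
```

The validator returns a reason rather than a bare boolean so that the same check can feed an error message in a provisioning script; the lookup deliberately returns None for the ambiguous two-CVCAs case instead of picking the first match, since silently choosing a trust anchor is the failure mode the guide's "cannot display" behaviour guards against.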

To display the domestic CVCA holder identity


1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 At the prompt, enter:
dv domestic-cvca
Security Manager displays the holder identity of the domestic CVCA.

Configuring the CVCA policy
The Document Verifier determines the CVCA policy. The CVCA policy determines
whether the Document Verifier can use the DVCKM to exchange certificates with all
CVCAs. The DVCKM is a service provided by Administration Services.

To configure the CVCA policy in Security Manager Control Command Shell


1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 To view the current CVCA policy settings, enter:
dv cvca config view
Security Manager displays the CVCA policy settings, and the software default
settings. For example:
Global Policy Settings (these override the software default
settings):
None configured. The software default settings will be used.
Software Default Policy Settings (used if no custom or global
settings):
Attempt Self-Service: no

3 To change the CVCA policy settings, enter:
dv cvca config set [-reset] [-selfSvc yes|no]
Parameters in square brackets are optional parameters. Table 86 describes the
command parameters.

Table 86: dv cvca config set command parameters

Parameter          Description
-reset             Resets the existing policy settings to the software defaults.
                   Note: If you specify new policy settings, the new settings replace the
                   existing values.
-selfSvc yes | no  Specifies whether the Document Verifier can use the DVCKM to
                   exchange certificates with all CVCAs. The DVCKM is a service
                   provided by Administration Services. If yes, the Document Verifier
                   can use the DVCKM. If no, the Document Verifier cannot use the
                   DVCKM.
                   If not specified, CVCAs cannot use the DVCKM. You can override
                   this setting for each CVCA when you add or modify a CVCA.

You have now changed the CVCA policy settings.

Managing Country Verifying Certification
Authorities
You can add, change, or remove Country Verifying Certification Authorities (CVCAs).
See the following topics for details:
• “Adding Country Verifying Certification Authorities” on page 1530
• “Viewing Country Verifying Certification Authorities” on page 1534
• “Finding Country Verifying Certification Authorities” on page 1536
• “Modifying Country Verifying Certification Authorities” on page 1537
• “Disabling or suspending Country Verifying Certification Authorities” on
page 1541
• “Enabling or activating Country Verifying Certification Authorities” on
page 1542
• “Deleting Country Verifying Certification Authorities” on page 1545

Adding Country Verifying Certification Authorities


Before you can import certificates from a Country Verifying Certification Authority
(CVCA), you must add the CVCA to your Document Verifier. Adding a CVCA to the
Document Verifier allows the Document Verifier to recognize the CVCA.
• “To add a CVCA using the Security Manager Control Command Shell” on
page 1530
• “To add a CVCA using DV Administration” on page 1531

To add a CVCA using the Security Manager Control Command Shell


1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 At the prompt, enter:
dv cvca add <cvca identity> [-selfSvc yes|no]
Parameters in square brackets are optional parameters. Table 87 on page 1530
describes the command parameters.

Table 87: dv cvca add command parameters

Parameter          Description
<cvca identity>    The holder identity of the CVCA. The holder identity must start with
                   the ISO 3166-1 ALPHA-2 country code, followed by a one to nine
                   ISO 8859-1 Latin-1 character label. For example, GBcvca.
-selfSvc yes | no  Specifies whether the Document Verifier can use the DVCKM to
                   exchange certificates with the CVCA. The DVCKM is a service
                   provided by Administration Services. If yes, the Document Verifier
                   can use the DVCKM. If no, the Document Verifier cannot use the
                   DVCKM.
                   If not specified, it defaults to the setting in the CVCA policy. See
                   “Configuring the CVCA policy” on page 1529 for information about
                   viewing and changing the CVCA policy.

You have now added a Country Verifying Certification Authority.

To add a CVCA using DV Administration


1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).
2 Click Country Verifying CAs.
3 Click the Add Country Verifying CA tab.
The Add Country Verifying CA pane appears. Required fields are marked with an
asterisk (*).

4 In the Holder Identity field, enter the holder identity of the CVCA.
The identity must begin with an ISO 3166-1 ALPHA-2 country code consisting
of two uppercase alphabetic characters, followed by a maximum of nine Latin-1
characters.
5 (Optional.) In the Friendly Name field, enter a descriptive string to identify the
CVCA.
6 (Optional.) In the E-mail address field, enter an email address associated with the
contact person for the CVCA.
7 (Optional.) In the Contact Name field, enter a contact name for the CVCA.
8 (Optional.) In the Phone number field, enter a phone number associated with the
contact person for the Document Verifier.
9 (Optional.) In the URL field, enter an Internet address associated with the CVCA.
10 (Optional.) In the Description field, enter a description for the CVCA.
11 If you configured a jurisdiction policy (see “Configuring a jurisdiction policy” on
page 1471), select one or more jurisdictions from the Jurisdictions list.
Depending on how you configured your jurisdiction policy, selecting at least one
jurisdiction may be required. If you do not select any jurisdictions, then only

Inspection Systems without any jurisdictions assigned can be issued certificates
anchored at this CVCA.
12 For DV Certificate Key Management:
• Select Manual if you prefer or are required to manually generate certificate
requests and manage certificates and keys.
• Select Automatic to allow the Document Verifier to use the DV Certificate
Key Management Service (DVCKM) to exchange certificates with the CVCA.
The DVCKM will communicate with the SPOC Domestic Web Service at the
domestic Single Point of Contact (SPOC) to manage keys and certificates.

Note:
The Document Verifier must have the root certificate of the CVCA installed if you
choose automatic key management.

13 After entering the CVCA details, click Submit.
A confirmation that you successfully added a CVCA appears.

Viewing Country Verifying Certification Authorities
You can display a list of CVCAs that you added to your Document Verifier, and you
can view information about a specific CVCA, such as its holder identity, friendly name
and state (enabled or disabled).
• “To view a CVCA in Security Manager Control Command Shell” on
page 1534
• “To view a CVCA in DV Administration” on page 1535

To view a CVCA in Security Manager Control Command Shell


1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 To display a list of CVCAs, enter:
dv cvca list [-state enabled|disabled]
Parameters in brackets are optional parameters, where:
• -state enabled lists only enabled CVCAs.
• -state disabled lists only disabled CVCAs.
Security Manager displays a list of all CVCAs. For example:
Category   Identity       Status    Friendly-Name
-------------------------------------------------------------
CVCA       CAcvca (3)     Enabled   <unset>
CVCA       GBcvca (11)    Enabled   <unset>
CVCA       CNcvca (12)    Enabled   <unset>

3 To view information about a specific CVCA, enter:
dv cvca view <cvca identity>
Where <cvca identity> is the holder identity of the CVCA.
Security Manager displays information about the CVCA. For example:
Entity Category: CVCA
Holder Identity: CAcvca
Friendly Name: <unset>
Email Address: <unset>
Entity Status: Enabled
Internal Database Id: 2
Last Modified: 05/22/08 11:43:04
Added: 05/22/08 11:43:04
Custom Policy Settings (these override the global settings):
None configured. The global and software default settings will
be used.

To view a CVCA in DV Administration
1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).
2 Click Country Verifying CAs.
3 Click the Country Verifying CAs tab.
The Country Verifying CAs List pane appears. This pane provides a list of all
CVCAs you added to your Document Verifier.

4 To view information about a specific CVCA, click the holder identity of the
CVCA you want to view.
The View Details page appears.

Finding Country Verifying Certification Authorities
You can search for CVCAs using different criteria, such as state and whether the
CVCA can use a self-service mechanism to exchange certificates with the Document
Verifier. After specifying the criteria to search for, Security Manager displays
information about each CVCA that matches your criteria.
You can only search for CVCAs in the Security Manager Control Command Shell.

To find CVCAs in Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 At the prompt, enter:
dv cvca search [-state enabled|disabled] [-selfSvc] [-selfSvc yes|no]
Parameters in square brackets are optional parameters. Table 88 describes the
command parameters.

Table 88: dv cvca search command parameters

-state enabled | -state disabled
    Finds CVCAs in the enabled state (-state enabled) or CVCAs in the
    disabled state (-state disabled).

-selfSvc
    Finds CVCAs with a custom self-service policy.

-selfSvc yes | -selfSvc no
    Finds CVCAs that allow the Document Verifier to use the DVCKM to
    exchange certificates with the CVCA (-selfSvc yes), or CVCAs that
    require administrators to exchange certificates manually (-selfSvc no).

Security Manager displays information about each CVCA that matches the criteria
you specified. For example:
Entity Category: CVCA
Holder Identity: CAcvca
Friendly Name: <unset>
Email Address: <unset>
Entity Status: Enabled
Internal Database Id: 2
Last Modified: 05/22/08 11:43:04
Added: 05/22/08 11:43:04
Custom Policy Settings (these override the global settings):
None configured. The global and software default settings will
be used.

Modifying Country Verifying Certification Authorities


If required, you can change details about a CVCA, such as the email address or
description. You should only change a CVCA’s details if any of the information
changes, such as a new contact email address or phone number. You cannot change
the holder identity of a CVCA.

• “To modify a CVCA using the Security Manager Control Command Shell”
on page 1538
• “To modify a CVCA in DV Administration” on page 1538

To modify a CVCA using the Security Manager Control Command Shell


1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 At the prompt, enter:
dv cvca modify <cvca identity> [-reset] [-selfSvc yes|no]
Parameters in square brackets are optional parameters. Table 89 on page 1538
describes the command parameters.

Table 89: dv cvca modify command parameters

<cvca identity>
    The holder identity of the CVCA.

-reset
    Resets the existing custom CVCA policy settings to the CVCA policy
    defaults.
    Note: If you specify new custom policy settings, the new custom
    settings replace the existing values.

-selfSvc yes | no
    Specifies whether the Document Verifier can use the DVCKM to
    exchange certificates with the CVCA. The DVCKM is a service
    provided by Administration Services. If yes, the Document Verifier
    can use the DVCKM. If no, the Document Verifier cannot use the
    DVCKM.
    If not specified, it defaults to the setting in the CVCA policy. See
    “Configuring the CVCA policy” on page 1529 for information about
    viewing and changing the CVCA policy.

You have now modified a Country Verifying Certification Authority. The changes take
effect immediately.

To modify a CVCA in DV Administration

1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).
2 Find the CVCA whose details you want to change (see “Viewing Country
Verifying Certification Authorities” on page 1534).
The View Details page appears.

3 Click Edit.
The Edit Country Verifying CA pane appears. For more information about any
CVCA properties, see “Adding Country Verifying Certification Authorities” on
page 1530.

4 To change the friendly name, enter a new name into the Friendly Name field.
5 To change the email address, enter a new email address into the E-mail address
field.
6 To change the contact name, enter a new contact name into the Contact Name
field.
7 To change the phone number, enter a new phone number into the Phone number
field.
8 To change the URL, enter a new Internet address into the URL field.
9 To change the description, enter a new description into the Description field.
10 If you configured a jurisdiction policy (see “Configuring a jurisdiction policy” on
page 1471), select one or more jurisdictions from the Jurisdictions list.
Depending on how you configured your jurisdiction policy, selecting at least one
jurisdiction may be required. If you do not select any jurisdictions, then only
Inspection Systems without any jurisdictions assigned can be issued certificates
anchored at this CVCA.
11 For DV Certificate Key Management:

• Select Manual if you prefer or are required to manually generate certificate
requests and manage certificates and keys.
• Select Automatic to allow the Document Verifier to use the DV Certificate
Key Management Service (DVCKM) to exchange certificates with the CVCA.
The DVCKM will communicate with the SPOC Domestic Web Service at the
domestic Single Point of Contact (SPOC) to manage keys and certificates.
12 Verify your changes and then click Submit to apply your changes.
You successfully edited CVCA details.

Disabling or suspending Country Verifying Certification Authorities
You can disable (suspend) a CVCA at any time. For example, you can disable a CVCA
if you think it is compromised. When you disable a CVCA, the DV does not use the
DV certificates issued by that CVCA to process Inspection System certificate requests.
When Inspection System certificates expire, the Inspection Systems cannot retrieve
biometric data from e-passports issued by the disabled CVCA’s country.
Additionally, the Document Verifier cannot create a certificate request for a disabled
CVCA, and cannot create a certificate request for countersigning if the domestic
CVCA is disabled.
You should only disable a CVCA as a temporary measure. You can enable (activate)
a disabled CVCA (see “Enabling or activating Country Verifying Certification
Authorities” on page 1542).
• “To disable a CVCA from Security Manager Control Command Shell” on
page 1541
• “To suspend a CVCA from DV Administration” on page 1541

To disable a CVCA from Security Manager Control Command Shell


1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 If required, find the CVCA that you want to disable (see “Viewing Country
Verifying Certification Authorities” on page 1534).
3 At the prompt, enter:
dv cvca disable <cvca identity>
Where <cvca identity> is the holder identity of the CVCA.

To suspend a CVCA from DV Administration


1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).

2 Find the CVCA that you want to suspend (see “Viewing Country Verifying
Certification Authorities” on page 1534).
The View Details page appears.

3 Verify that you want to suspend the CVCA and then click Suspend.
A confirmation that the CVCA is suspended appears.

Enabling or activating Country Verifying Certification Authorities
If you previously disabled (suspended) a CVCA, you can enable (activate) it again.
When you enable a CVCA, the DV can resume using the DV certificates issued by
that CVCA, and Inspection Systems can begin requesting new certificates that allow
them to retrieve the biometric data from e-passports issued by the
previously-disabled CVCA’s country.
• “To enable a CVCA from the Security Manager Control Command Shell” on
page 1543
• “To activate a CVCA from the DV Administration” on page 1543

To enable a CVCA from the Security Manager Control Command Shell


1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 If required, find the CVCA that you want to enable (see “Viewing Country
Verifying Certification Authorities” on page 1534).
3 At the prompt, enter:
dv cvca enable <cvca identity>
Where <cvca identity> is the holder identity of the CVCA.

To activate a CVCA from the DV Administration


1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).
2 Find the CVCA that you want to activate (see “Viewing Country Verifying
Certification Authorities” on page 1534).
The View Details page appears.

3 Verify that you want to activate the CVCA and then click Activate.
A confirmation that the CVCA is activated appears.

Deleting Country Verifying Certification Authorities
You can delete a CVCA at any time or in any state (enabled or disabled). It is
recommended that you delete a CVCA if you entered an incorrect CVCA holder
identity, or if the CVCA was compromised. If you delete a CVCA, you also delete all
root and link certificates for the CVCA, all DV certificates issued by the CVCA and the
keys associated with those certificates, and all Inspection System certificates anchored
by the CVCA.
• “To delete a CVCA in Security Manager Control Command Shell” on
page 1545
• “To delete a CVCA in DV Administration” on page 1545

To delete a CVCA in Security Manager Control Command Shell


1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 If required, find the CVCA that you want to delete (see “Viewing Country
Verifying Certification Authorities” on page 1534).
3 At the prompt, enter:
dv cvca delete <cvca identity>
Where <cvca identity> is the holder identity of the CVCA.
Security Manager warns you that deleting the CVCA removes all certificates
anchored to the CVCA:
Warning: deleting this CVCA will remove all DV and IS certificates
anchored by the CVCA. Proceed (y/n) ? [n]
4 Enter y to delete the CVCA.

To delete a CVCA in DV Administration


1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).
2 Find the CVCA that you want to delete (see “Viewing Country Verifying
Certification Authorities” on page 1534).
The View Details page appears.
3 Verify that you want to delete the CVCA and then click Delete.
You are asked to confirm that you want to permanently delete the CVCA.
4 Click OK to confirm and delete the CVCA.

Managing CVCA certificates
You can import, view, and export CVCA certificates.
• “Importing CVCA certificates” on page 1546
• “Viewing CVCA certificates” on page 1550
• “Exporting CVCA certificates” on page 1553

Importing CVCA certificates


CVCA administrators periodically send CVCA certificates that you must import.
Import these CVCA certificates to:
• generate a Document Verifier certificate request with a key compatible with
the latest CVCA link certificate
• verify the Document Verifier certificate issued by the CVCA
• distribute to Inspection Systems, enabling the Inspection System to assemble
a certificate chain that an e-passport can validate
When importing multiple certificates from a given CVCA into a DV, you must import
them in chronological order. Import the original self-signed CVCA certificate first,
then the first link certificate, the second root certificate, and so on.

Note:
Administration Services cannot import files with file names longer than 3000
characters.

This topic contains the following procedures:


• “To import a CVCA certificate from the Security Manager Control Command
Shell” on page 1546
• “To import a CVCA certificate from DV Administration” on page 1547

To import a CVCA certificate from the Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 To preview the CVCA certificate, enter:
dv util cert preview <input file>
Where <input file> is the file name of the CVCA certificate file. Security
Manager displays the CVCA certificate.

When you preview a root CVCA certificate, Security Manager also displays the
validation strings of the certificate. If the CVCA administrator provided you with
validation strings, you can compare the validation strings to ensure that no one
tampered with the certificate.
For the validation strings, the "SHA1:" and "SHA256:" portions are not part of
the actual validation strings. The "SHA1:" and "SHA256:" portions only indicate
which validation string is the SHA1 string and which validation string is the
SHA256 string.
3 At the prompt, enter:
dv cvca cert import [-oobAuth|-valStrAuth <validationString>] <input file>
Parameters in square brackets are optional parameters, where:
• <input file> is the file name of the CVCA certificate file.
• -oobAuth specifies that you authenticated the certificate by an out-of-band
method, such as diplomatic courier.
• -valStrAuth allows you to enter the validation string of the CVCA
certificate, and <validationString> is the validation string.
You must specify the -oobAuth or -valStrAuth parameter only for the initial
CVCA certificate to authenticate the CVCA certificate. For subsequent CVCA
link certificates, Security Manager authenticates the new CVCA certificate
using the previously imported CVCA certificate.
The validation string you received may include "SHA1:" or "SHA256:" at the
beginning of the string. Do not include "SHA1:" or "SHA256:" when
entering the validation string. The "SHA1:" or "SHA256:" portion only
indicates if the validation string is a SHA1 string or a SHA256 string, and is
not an actual part of the validation string.
You have now imported the CVCA certificate.

To import a CVCA certificate from DV Administration


1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).
2 Click Certificates.
3 Click the Import CVCA Certificate tab.

The Import Certificate pane appears.

4 Click Browse to locate the CVCA certificate file.
5 Click Submit.
The View Certificate pane appears.

6 Verify the validation string:
a If you received a validation string from the CVCA administrator (for example,
by telephone, diplomatic pouch, or secure email), click Enter Validation
String and enter the validation string in the text field.
The validation string you received may include "SHA1:" or "SHA256:" at the
beginning of the string. Do not include "SHA1:" or "SHA256:" when
entering the validation string. The "SHA1:" or "SHA256:" portion only
indicates if the validation string is a SHA1 string or a SHA256 string, and is
not an actual part of the validation string.
b If you authenticated the certificate by an out-of-band method (such as
diplomatic courier), click Verified Out-of-band.

Note:
Validation strings are only required for the initial root CVCA certificate.
The Document Verifier cryptographically verifies subsequent link CVCA
certificates against the previously imported CVCA certificate.

7 Click Accept to import the certificate.
A confirmation that the import was successful appears. If you want to import
another certificate, click Import Another Certificate at the bottom of the page.
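Both import procedures above turn on the same manual step: the validation string received out of band must equal the one Security Manager displays, and the "SHA1:" or "SHA256:" label must not be typed as part of it. The following is an added example, not Entrust code and not a Security Manager feature, of the normalisation and comparison an operator can script before clicking Accept or passing -valStrAuth. It assumes that a validation string is a hex-encoded digest of 40 characters (SHA1) or 64 characters (SHA256); the guide says only which label belongs to which algorithm. EXAMPLE_PREVIEW holds constructed stand-ins for the two strings dv util cert preview would show for a root CVCA certificate.

```python
import hmac
import re
from typing import Optional

# Hex lengths of the digests behind the two labels the guide shows.
# Assumption: a validation string is a hex-encoded digest; the guide only says
# the "SHA1:"/"SHA256:" label is informational and not part of the string.
HEX_LENGTHS = {"SHA1": 40, "SHA256": 64}
_LABEL_RE = re.compile(r"^\s*(SHA1|SHA256)\s*:\s*", re.IGNORECASE)

# Constructed stand-in for the two strings dv util cert preview displays for a
# root CVCA certificate (not taken from the guide).
EXAMPLE_PREVIEW = {
    "SHA1": "SHA1: 2FD4 E1C6 7A2D 28FC ED84 9EE1 BB76 E739 1B93 EB12",
    "SHA256": "SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}


def normalize_validation_string(text: str) -> tuple:
    """Return (algorithm, lowercase hex) for a validation string as received.

    Drops the informational label, whitespace and colon separators, then checks
    that what remains is hex of a length matching the label (or one of the two
    known lengths when the string arrived unlabelled). Raises ValueError otherwise.
    """
    algorithm: Optional[str] = None
    match = _LABEL_RE.match(text)
    if match:
        algorithm = match.group(1).upper()
        text = text[match.end():]
    hexdigest = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", hexdigest):
        raise ValueError("validation string is not hexadecimal")
    if algorithm is None:
        by_length = {length: name for name, length in HEX_LENGTHS.items()}
        algorithm = by_length.get(len(hexdigest))
        if algorithm is None:
            raise ValueError(f"unlabelled string of length {len(hexdigest)} fits no known digest")
    elif len(hexdigest) != HEX_LENGTHS[algorithm]:
        raise ValueError(f"{algorithm} string has length {len(hexdigest)}, expected {HEX_LENGTHS[algorithm]}")
    return algorithm, hexdigest


def validation_strings_match(received: str, preview: dict) -> bool:
    """Compare the string received out of band with the displayed preview strings.

    preview maps "SHA1"/"SHA256" to the string displayed for that algorithm.
    Only the digest of the same algorithm is compared, in constant time; a
    malformed or truncated received string simply fails to match.
    """
    try:
        algorithm, received_hex = normalize_validation_string(received)
        _, shown_hex = normalize_validation_string(preview[algorithm])
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(received_hex.encode(), shown_hex.encode())
```

An unlabelled string is matched by length alone, so a SHA1 string can never be compared against the SHA256 line by accident; a string whose label and length disagree is rejected rather than guessed at.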

Viewing CVCA certificates


You can display a list of all certificates for a specific CVCA, and you can view a specific
CVCA certificate. Typically, you list or view CVCA certificates to determine which
CVCA certificates that you want to export (see “Exporting CVCA certificates” on
page 1553).
• “To view a specific CVCA certificate in Security Manager Control Command
Shell” on page 1550
• “To view a certificate for a CVCA from DV Administration” on page 1551

To view a specific CVCA certificate in Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 If required, find the CVCA whose certificates you want view (see “Viewing
Country Verifying Certification Authorities” on page 1534).
3 To list all certificates for a specific CVCA, enter:
dv cvca cert list <cvca identity>
Where <cvca identity> is the holder identity of the CVCA.

Security Manager displays a list of all CVCA certificates for the CVCA. For
example:
Holder        Authority     Effective     Expiration    Validity
Reference     Reference     Date (GMT)    Date (GMT)    Status
------------------------------------------------------------------
CAcvca00001   CAcvca00001   2009/02/10    2012/02/10    Valid

4 To view a specific CVCA root certificate, enter:
dv cvca cert view -root <holder reference>
Where <holder reference> is the holder reference of the CVCA certificate.
5 To view a specific CVCA link certificate, enter:
dv cvca cert view -link <holder reference>
Where <holder reference> is the holder reference of the CVCA certificate.

To view a certificate for a CVCA from DV Administration


1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).
2 Click Country Verifying CAs.
3 Click the Country Verifying CAs tab.
4 Select the CVCA from the list.
The CVCA View Details page opens.

5 Under Country Verifying CA Certificates, click the holder reference of the CVCA
certificate you want to view.
The View Certificate page opens.

Exporting CVCA certificates
You must export CVCA certificates so you can distribute them to Inspection
Systems, enabling the Inspection System to assemble a certificate chain that an
e-passport can verify.
You can export a single CVCA certificate, or you can export a chain of CVCA
certificates.

When you choose to export a certificate chain you can choose to export the entire
chain of CVCA certificates, or only a partial chain. When you export a single
certificate, you export it to a single file. When you export a CVCA certificate chain,
you export the certificates to a series of files. You can only export a certificate chain
from the Security Manager Control Command Shell.
• “To export a CVCA certificate from Security Manager Control Command
Shell” on page 1554
• “To export a CVCA certificate chain from Security Manager Control
Command Shell” on page 1555
• “To export a CVCA certificate from DV Administration” on page 1556

To export a CVCA certificate from Security Manager Control Command Shell


1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 To list all CVCA certificates, enter:
dv cvca cert list <cvca identity>
Where <cvca identity> is the holder identity of the CVCA. Security Manager
displays a list of all CVCA certificates.
3 Note the holder reference of the certificate that you want to export.
4 To export the certificate (in DER-TLV format), enter:
dv cvca cert export [-overwrite] -root|-link <outputFile> <holder reference>
Parameters in square brackets are optional parameters. Table 90 describes the
command parameters.

Table 90: dv cvca cert export command parameters

-overwrite
    Overwrites a file if it already exists.

-root | -link
    Specifies whether the certificate is a root certificate (-root) or a link
    certificate (-link).
    A CVCA certificate is a root certificate if its holder reference and
    authority reference are the same. Otherwise it is a link certificate.

<outputFile>
    Specifies the name of the output file.

<holder reference>
    Specifies the holder reference of the CVCA certificate.

Security Manager displays validation strings when exporting a root CVCA
certificate.
For the validation strings, the "SHA1:" and "SHA256:" portions are not part of
the actual validation strings. The "SHA1:" and "SHA256:" portions only indicate
which validation string is the SHA1 string and which validation string is the
SHA256 string.
You have now exported the CVCA certificate. For a root CVCA certificate, send the
certificate and validation strings to the Inspection System using a secure method, such
as secure email or diplomatic courier. It is strongly recommended that you send the
certificate and validation strings separately to avoid undetectable tampering.
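The listing produced by dv cvca cert list feeds two decisions on this page: the -root or -link choice that dv cvca cert export (Table 90) requires, and the chronological order in which CVCA certificates must be imported (see “Importing CVCA certificates”). The following added example, which is not Entrust code and not something the guide ships, parses such a listing, classifies each certificate by the holder-equals-authority rule, sorts it into import order, checks that every link certificate chains to a certificate already imported, and applies an expiry warning window with the same semantics as the -warn setting under “Configuring the Document Verifier policy”. SAMPLE_LISTING and EXAMPLE_TODAY are constructed: the holder references after CAcvca00001, the dates and the two key rollovers are invented, and the rows are deliberately shuffled.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample in the layout of "dv cvca cert list <cvca identity>" output.
# Everything after the CAcvca00001 row is invented; rows are deliberately out of order.
SAMPLE_LISTING = """\
Holder        Authority     Effective     Expiration    Validity
Reference     Reference     Date (GMT)    Date (GMT)    Status
------------------------------------------------------------------
CAcvca00003   CAcvca00003   2013/02/10    2016/02/10    Valid
CAcvca00002   CAcvca00002   2011/02/10    2014/02/10    Valid
CAcvca00001   CAcvca00001   2009/02/10    2012/02/10    Valid
CAcvca00003   CAcvca00002   2013/02/10    2016/02/10    Valid
CAcvca00002   CAcvca00001   2011/02/10    2014/02/10    Valid
"""

# Constructed "today" for the expiry check.
EXAMPLE_TODAY = date(2012, 1, 30)


@dataclass(frozen=True)
class CvcaCert:
    holder: str
    authority: str
    effective: date
    expiration: date
    status: str

    @property
    def is_root(self) -> bool:
        # Table 90 rule: root if holder reference equals authority reference.
        return self.holder == self.authority

    @property
    def export_flag(self) -> str:
        # The flag dv cvca cert export needs for this certificate.
        return "-root" if self.is_root else "-link"


def _parse_date(text: str) -> date:
    year, month, day = (int(part) for part in text.split("/"))
    return date(year, month, day)


def parse_cert_list(listing: str) -> list:
    """Parse the data rows of a dv cvca cert list listing."""
    certs = []
    for line in listing.splitlines():
        fields = line.split()
        # Data rows have five columns with YYYY/MM/DD dates; the two header
        # lines and the rule line do not, so they are skipped.
        if len(fields) != 5 or fields[2].count("/") != 2:
            continue
        certs.append(CvcaCert(fields[0], fields[1], _parse_date(fields[2]),
                              _parse_date(fields[3]), fields[4]))
    return certs


def plan_import_order(certs: list) -> list:
    """Order certificates as the import rules require: original self-signed
    root first, then each link certificate, then the root it introduces.
    A link and the root issued on the same effective date tie on the date;
    the link sorts first because False < True."""
    return sorted(certs, key=lambda c: (c.effective, c.is_root, c.holder))


def check_import_order(ordered: list) -> list:
    """Return the problems with an ordered import plan (empty list if none).

    The first certificate must be a self-signed root (the one authenticated out
    of band or by validation string), and every later link must name an
    authority already imported. Assumption: a later root is expected only after
    the link certificate that introduces its key, which is how the "root, link,
    root, ..." order on this page is read here."""
    problems = []
    imported = set()
    for index, cert in enumerate(ordered):
        if index == 0 and not cert.is_root:
            problems.append(f"first certificate {cert.holder} is a link, not a root")
        elif index > 0 and cert.is_root and cert.holder not in imported:
            problems.append(f"root {cert.holder} comes before the link that introduces it")
        elif not cert.is_root and cert.authority not in imported:
            problems.append(f"link {cert.holder} is signed by unknown {cert.authority}")
        imported.add(cert.holder)
    return problems


def expiring_within(certs: list, today: date, warn_days: int) -> list:
    """Certificates expiring within warn_days of today, with the same semantics
    as dv config set -warn: a value of 0 suppresses the warning. Certificates
    that have already expired are left out."""
    if warn_days <= 0:
        return []
    deadline = today + timedelta(days=warn_days)
    return [c for c in certs if today <= c.expiration <= deadline]
```

Run plan_import_order over a freshly received batch before the first dv cvca cert import, and feed export_flag into dv cvca cert export so a link certificate is never exported with -root by mistake.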

To export a CVCA certificate chain from Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 To list all CVCA certificates, enter:
dv cvca cert list <cvca identity>
Where <cvca identity> is the holder identity of the CVCA. Security Manager
displays a list of all CVCA certificates.
3 Note the holder references of the certificates that you want to export.
4 To export the certificates (in DER-TLV format), enter:
dv cvca cert export-chain [-overwrite] [-root|-link] <outputFile> <leaf holder reference> [<trust point holder reference>]
Parameters in square brackets are optional parameters. Table 91 describes the
command parameters.

Table 91: dv cvca cert export-chain command parameters

-overwrite
    Overwrites files that already exist.

-root | -link
    Specifies whether the first certificate in the certificate chain is a root
    certificate (-root) or a link certificate (-link). If not specified, -root
    is assumed.
    A CVCA certificate is a root certificate if its holder reference and
    authority reference are the same. Otherwise, it is a link certificate.
    Use the <trust point holder reference> parameter to identify the CVCA
    certificate that starts the certificate chain. If you do not specify the
    <trust point holder reference> parameter, this option is ignored and the
    certificate chain starts with the initial root CVCA certificate.

<outputFile>
    Specifies a file name template for the output files. Security Manager
    appends a number (starting at 1) to each file name when it exports the
    certificates.

<leaf holder reference>
    Specifies the holder reference of the CVCA certificate that ends the
    CVCA certificate chain.

<trust point holder reference>
    Specifies the holder reference of the CVCA certificate that starts the
    CVCA certificate chain.
    If not specified, the [-root|-link] option is ignored and the initial
    root CVCA certificate starts the certificate chain.

You have now exported the CVCA certificate chain. If you included a root CVCA
certificate in the chain, Security Manager displays validation strings.
For the validation strings, the "SHA1:" and "SHA256:" portions are not part of
the actual validation strings. The "SHA1:" and "SHA256:" portions only indicate
which validation string is the SHA1 string and which validation string is the
SHA256 string.
Send the CVCA certificates to the Inspection System using a secure method, such as
secure email or diplomatic courier. If you include a root CVCA certificate, it is strongly
recommended that you send the validation string separately to protect against
tampering.

To export a CVCA certificate from DV Administration


1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).
2 Click Country Verifying CAs.
3 Click the Country Verifying CAs tab.
4 Select the CVCA from the list.
The CVCA View Details page opens. A list of certificates is displayed near the
bottom of the page.

5 Under Country Verifying CA Certificates, click the holder reference of the CVCA
certificate you want to export.
The View Certificate page opens.

For the validation strings, the "SHA1:" and "SHA256:" portions are not part of
the actual validation strings. The "SHA1:" and "SHA256:" portions only indicate
which validation string is the SHA1 string and which validation string is the
SHA256 string.
6 Click Export.
You are presented with a dialog box allowing you to download the file.

Configuring the Document Verifier policy
The Document Verifier (DV) policy determines the certificate sequence algorithm, the
certificate warning threshold, and the domestic CVCA. The DV certificate lifetime and
holder access rights (the biometric information DVs can access) are assigned by the
issuing CVCA.

Note:
You only need to specify the domestic CVCA if the domestic CVCA has a
different country code than your Document Verifier, or if more than one CVCA
uses the same country code as your Document Verifier.

If you change the warning threshold or domestic CVCA, it takes effect immediately.
If you change the sequence algorithm, it takes effect in the next Document Verifier
certificate request.
• “To configure the Document Verifier policy in Security Manager Control
Command Shell” on page 1559
• “To configure the Document Verifier policy in DV Administration” on
page 1561

To configure the Document Verifier policy in Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 To view the current Document Verifier policy settings, enter:
dv config view
Security Manager displays the Document Verifier policy settings, and the
software default settings. For example:
Global Policy Settings (these override the software default
settings):
None configured. The software default settings will be used.
Software Default Policy Settings (used if no custom or global
settings):
Sequence Alogorithm: Country Code and 3 Numeric
Certificate Warning: 14 days before expiry
Software Key Storage: enabled

3 To change the Document Verifier policy settings, enter:
dv config set [-reset] [-warn <days>] [-seqAlg A|N|CA|CN] [-super <value>] [-softKey enabled|disabled]
Parameters in square brackets are optional parameters. Table 92 describes the
command parameters.

Table 92: dv config set command parameters

-reset
    Resets the existing policy settings to the software defaults.
    Note: If you specify new policy settings, the new settings replace the
    existing values.

-warn <days>
    Specifies the number of days before the certificate expires when
    Security Manager starts warning you of the impending expiry. A
    value of 0 suppresses the warnings.
    If you do not specify a warning threshold, it defaults to 14 days.
    To change the frequency at which the messages are logged, edit the
    EntDvCertExpiryCheckNotBefore, EntDvCertExpiryCheckNotAfter and
    EntDvCertExpiryCheckPeriod settings in the entmgr.ini file. By
    default, warning messages are logged daily. For more information
    about these settings, see the Security Manager Operations Guide.

-seqAlg A | N | CA | CN
    Specifies the sequence number algorithm of the DV holder reference:
    • A (5-digit alphanumeric)
    • N (5-digit numeric)
    • CA (country code plus 3-digit alphanumeric)
    • CN (country code plus 3-digit numeric)
    If you do not specify a sequence number algorithm, it defaults to CN.

-super <value>
    Specifies the holder identity of the Document Verifier’s domestic
    CVCA. You only need to specify a domestic CVCA if more than one
    CVCA uses the same country code as your Document Verifier, or if
    the domestic CVCA uses a different country code than your
    Document Verifier.
    If the CVCA holder identity does not exist, an error occurs and the
    operation fails. To add a CVCA holder identity, see “Adding Country
    Verifying Certification Authorities” on page 1530.
    If you do not specify a CVCA holder identity, the domestic CVCA is
    the CVCA with a country code that matches the country code of
    your Document Verifier.
    Attention: If more than one CVCA uses the same country code as
    your DV or if the domestic CVCA uses a different country code,
    some operations may fail if you do not specify the domestic CVCA
    in the Document Verifier policy.

-softKey enabled | disabled
    Controls whether software is permitted as a storage location for the
    DV keys. If enabled, you can store the DV keys in software. If
    disabled, you can only store the DV keys on a hardware device.
    If you do not specify a value, you can store the DV keys in software.
    On a Document Verifier whose keys are meant to be held on a
    hardware device, set -softKey disabled so that a DV key cannot be
    generated in software by mistake.

You have now changed the Document Verifier policy settings.
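The four -seqAlg formats of the DV holder reference, worked through as an added example that is not Entrust code and not part of this guide. It assumes that a holder reference is a 2-character country code, a mnemonic of 1 to 9 characters and a 5-character sequence number (matching the sample references CAdvCA001 and CAcvca00001 used elsewhere on this page), and that the alphanumeric alphabet counts 0-9 before A-Z.

```python
"""Sequence numbers for Document Verifier holder references.

Added example, not Entrust code. It models the four -seqAlg values of
Table 92 (A, N, CA, CN). Assumptions: a holder reference is
<2-char country code><mnemonic><5-char sequence number>, e.g. CAdvCA001 is
country CA, mnemonic dv, sequence CA001 (CN format), and CAcvca00001 has
sequence 00001 (N format); the alphanumeric alphabet counts 0-9 before A-Z.
"""
import string

ALNUM = string.digits + string.ascii_uppercase  # assumed ordering: 0-9, then A-Z
NUMERIC = string.digits
SEQ_LEN = 5

# -seqAlg value -> (number of leading country-code characters, counter alphabet)
SEQ_ALGS = {
    "A": (0, ALNUM),     # 5-digit alphanumeric
    "N": (0, NUMERIC),   # 5-digit numeric
    "CA": (2, ALNUM),    # country code plus 3-digit alphanumeric
    "CN": (2, NUMERIC),  # country code plus 3-digit numeric
}


def split_holder_reference(ref: str) -> tuple[str, str, str]:
    """Split a holder reference into (country code, mnemonic, sequence number).

    Only the fixed field widths (2 and 5 characters) are used; the mnemonic
    is whatever lies between them, 1 to 9 characters long.
    """
    if not 8 <= len(ref) <= 16:
        raise ValueError(f"holder reference length out of range: {ref!r}")
    return ref[:2], ref[2:-SEQ_LEN], ref[-SEQ_LEN:]


def is_valid_sequence(seq: str, alg: str, country: str) -> bool:
    """True if seq is well-formed under the given -seqAlg value and country."""
    prefix_len, alphabet = SEQ_ALGS[alg]
    if len(seq) != SEQ_LEN:
        return False
    if seq[:prefix_len] != country.upper()[:prefix_len]:
        return False
    return all(c in alphabet for c in seq[prefix_len:])


def matching_algorithms(seq: str, country: str) -> list[str]:
    """All -seqAlg values under which seq is well-formed.

    The formats overlap (every CN sequence is also a valid A sequence), so a
    sequence number does not identify the algorithm that produced it; the
    DV policy, not the reference itself, is the source of truth.
    """
    return [alg for alg in SEQ_ALGS if is_valid_sequence(seq, alg, country)]


def first_sequence(alg: str, country: str) -> str:
    """The initial sequence number under alg, e.g. CN -> 'CA001', N -> '00001'."""
    prefix_len, alphabet = SEQ_ALGS[alg]
    prefix = country.upper()[:prefix_len]
    width = SEQ_LEN - prefix_len
    return prefix + alphabet[0] * (width - 1) + alphabet[1]


def next_sequence(current: str, alg: str, country: str) -> str:
    """Increment the counter part of a sequence number like an odometer."""
    if not is_valid_sequence(current, alg, country):
        raise ValueError(f"{current!r} is not a valid {alg} sequence for {country}")
    prefix_len, alphabet = SEQ_ALGS[alg]
    prefix, counter = current[:prefix_len], current[prefix_len:]
    digits = [alphabet.index(c) for c in counter]
    pos = len(digits) - 1
    while pos >= 0:
        digits[pos] += 1
        if digits[pos] < len(alphabet):
            break
        digits[pos] = 0  # carry into the position to the left
        pos -= 1
    else:
        # Every position wrapped: the counter space of this algorithm is used up.
        raise OverflowError(f"sequence space exhausted after {current!r} ({alg})")
    return prefix + "".join(alphabet[d] for d in digits)


def next_holder_reference(ref: str, alg: str) -> str:
    """Next holder reference for the same country code and mnemonic."""
    country, mnemonic, seq = split_holder_reference(ref)
    return country + mnemonic + next_sequence(seq, alg, country)


if __name__ == "__main__":
    print(next_holder_reference("CAdvCA001", "CN"))   # CAdvCA002
    print(matching_algorithms("CA001", "CA"))         # ['A', 'CA', 'CN']
```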

To configure the Document Verifier policy in DV Administration

1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).
2 Click Document Verifier.
3 Click the Document Verifier tab.
The View Details page appears.

Administering a Document Verifier 1561


4 Click Edit.
The Global Policy Settings pane appears.

5 To configure the holder identity of the Document Verifier’s domestic CVCA, enter
a CVCA holder identity in the Supervising CVCA Identity field. You only need to
specify a domestic CVCA if more than one CVCA uses the same country code as
your Document Verifier, or if the domestic CVCA uses a different country code
than your Document Verifier.
If the CVCA holder identity does not exist, an error occurs and the operation fails.
To add a CVCA holder identity, see “Adding Country Verifying Certification
Authorities” on page 1530. If you do not specify a CVCA holder identity, the
domestic CVCA is the CVCA with a country code that matches the country code
of your Document Verifier.

Attention:
If more than one CVCA uses the same country code as your DV or if the domestic
CVCA uses a different country code, some operations may fail if you do not
specify the domestic CVCA in the Document Verifier policy.

6 To change the certificate expiry warning threshold, enter a new warning
threshold (in days) in the Expiry Warning Threshold (in days) field. A value of 0
suppresses the warnings.
7 To change the sequence number algorithm of the DV holder reference, select a
new option for Sequence Algorithm Format (either Country Code Numeric,
Country Code Alphanumeric, Numeric, or Alphanumeric).
8 To save your changes, click Save.

A confirmation that your changes were saved appears.

Managing Document Verifier certificate requests

Note:
By default, the domestic CVCA has the same country code as your Document
Verifier. However, the domestic CVCA may have a different country code, or
more than one CVCA may use the same country code. If more than one CVCA
uses the same country code as your Document Verifier, or if no CVCA uses the
same country code as your Document Verifier, ensure that you set the domestic
CVCA by modifying the Document Verifier policy (see “Configuring the Document
Verifier policy” on page 1559).

The following topics describe how to create, list, view, cancel, and export DV
certificate requests:
• “Creating DV certificate requests” on page 1565
• “Viewing DV certificate requests” on page 1571
• “Canceling DV certificate requests” on page 1573
• “Exporting DV certificate requests” on page 1575

Creating DV certificate requests

Create a DV certificate request whenever you need a DV certificate from a CVCA.
You need a new DV certificate from each CVCA you add, and whenever a DV
certificate is about to expire.
By default, Security Manager begins logging ALARM audit messages 15 days before
the DV certificate expires. For more information about audit logging, see the Security
Manager Operations Guide.
You cannot create a DV certificate request for a CVCA if a DV certificate request
already exists for that CVCA. You cannot create a certificate request for a CVCA if the
DV does not have a valid certificate from the CVCA.
If you want to use a XAP client (such as Entrust Authority Administration Services) to
generate a Document Verifier certificate request using a hardware device, you must
set the hardware password in Security Manager Control Command Shell (see the
Security Manager Operations Guide). If you do not set the password using Security
Manager Control Command Shell, you cannot use the device over XAP.
• “To create and export a DV certificate request from the Security Manager
Control Command Shell” on page 1566
• “To create and export a DV certificate request from DV Administration” on
page 1568

To create and export a DV certificate request from the Security Manager
Control Command Shell

1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 If required, find the CVCA that will receive the certificate request (see “Viewing
Country Verifying Certification Authorities” on page 1534).
3 At the prompt, enter:
dv certreq create [-allow expired|unauthenticated|xstream]
[-overwrite] <output file> <cvca identity>
Parameters in square brackets are optional parameters. Table 93 describes the
command parameters.

Table 93: dv certreq create command parameters

-allow expired | -allow unauthenticated | -allow xstream
    The -allow expired parameter creates an authenticated certificate
    request signed by an expired DV certificate. By default, the Document
    Verifier does not create a subsequent certificate request if all
    existing certificates issued to it by the CVCA have expired.
    The -allow unauthenticated parameter creates an unauthenticated
    certificate request, even if the latest DV certificate issued from the
    CVCA has not expired. Create an unauthenticated certificate request if
    the Document Verifier keys were compromised, or if the DV keys were on a
    hardware device and the device failed and you did not back up the keys.
    The -allow xstream parameter creates a certificate request for
    countersigning. You must then send the certificate request to the
    domestic CVCA for countersigning. A foreign CVCA will reject a DV
    certificate request signed with the current domestic DV keys, since the
    foreign CVCA does not have the domestic DV certificate to verify the
    outer signature.
    Note: You can send an unauthenticated certificate request to the
    domestic CVCA for countersigning, but a CVCA administrator must
    validate the unauthenticated certificate request. Creating a
    certificate request suitable for countersigning signs the certificate
    request with the current domestic Document Verifier signing keys,
    allowing the CVCA to cryptographically validate the request.

-overwrite
    Overwrites the output file if it already exists.

<output file>
    The file name of the file where Security Manager writes the Document
    Verifier certificate request.

<cvca identity>
    The holder identity of the CVCA that will issue the DV certificate.

Security Manager prompts you to select a destination for the new DV keys. For
example:
Select the destination for the new DV key
Choose one of:
1. Software
2. CAHdwareVendor01 SN: 99ERT-A7-00-1 SLOT: 897756
3. CAHdwareVendor02 SN: REM77Z28X SLOT: 1000000029
4. Cancel operation
4 Enter the number associated with the device or action you want to select. For
example, from the previous example, enter 3 to select CAHdwareVendor02, or 4
to cancel the update operation.
5 If you chose to generate your DV keys on a hardware security module (HSM) and
the HSM requires a password, Security Manager prompts you for the hardware
password. Enter the password for the hardware device.
If the certificate request is an unauthenticated certificate request, Security Manager
displays validation strings. The certificate request is unauthenticated if it is the first
certificate request for a CVCA or you specified the -allow unauthenticated
parameter.
For the validation strings, the "SHA1:" and "SHA256:" portions are not part of the
actual validation strings. The "SHA1:" and "SHA256:" portions only indicate which
validation string is the SHA1 string and which validation string is the SHA256 string.
If Security Manager fails to write the DV certificate request to the local file system,
Security Manager displays an error and you must use the dv certreq export
command (see “Exporting DV certificate requests” on page 1575).
If Security Manager successfully exported the DV certificate request to a file, send the
DV certificate request to the CVCA administrator using a secure method, such as
secure email or diplomatic courier. If you created an unauthenticated certificate
request, it is strongly recommended that you send the certificate request and
validation strings separately to avoid undetectable tampering.

Note:
If you are storing the keys on an HSM, back up the key using the procedure
outlined by your hardware vendor. If you are storing the keys on an HSM and the
device fails and you did not back up the key, you must submit an unauthenticated
certificate request to the CVCA.

To create and export a DV certificate request from DV Administration

1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).
2 Select the CVCA that will receive the certificate request (see “Viewing Country
Verifying Certification Authorities” on page 1534).
The View Details page appears.

3 Click Generate Certificate Request to generate a certificate request for the
CVCA, or click Generate Certificate Request for Countersigning to generate a
certificate request for countersigning by the domestic CVCA.

4 The Certificate Key Store Location pane appears.
For hardware devices, Administration Services displays an option for each
hardware device with a valid password. Administration Services will not display
an option for any hardware device with a wrong or missing password. You can
update the password for a hardware device in Security Manager by running the
ca key set-hwpw command (see the Security Manager Operations Guide).
5 Choose the location where you want to store the key information for the
certificate request and then click Submit.

A confirmation that the request was successfully created appears.

For the validation strings, the "SHA1:" and "SHA256:" portions are not part of
the actual validation strings. The "SHA1:" and "SHA256:" portions only indicate
which validation string is the SHA1 string and which validation string is the
SHA256 string.

Note:
If you are storing the keys on an HSM, back up the key using the procedure
outlined by your hardware vendor. If you are storing the keys on an HSM and the
device fails and you did not back up the key, you must submit an unauthenticated
certificate request to the CVCA.

6 Click Export.
The File Download dialog box appears.
7 Save the request.

Viewing DV certificate requests

When you create a DV certificate request, Security Manager keeps a record of that
request until you import the requested DV certificate or cancel the request. You can
display a list of all DV certificate requests to see which DV certificates have not yet
been imported into the DV, and you can view a specific DV certificate request.
For details about importing DV certificates, see “Importing DV certificates” on
page 1578. For details about canceling DV certificate requests, see “Canceling DV
certificate requests” on page 1573.

To view DV certificate requests in Security Manager Control Command Shell


1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 To display a list of all DV certificate requests, enter:
dv certreq list
Security Manager displays a list of all certificate requests. For example:
Holder Authority Creation Status
Reference Reference Date (GMT) Fields
------------------------------------------------------------
CAdvCA001 CAcvca00001 2009/02/17 U:P

The Status Fields column indicates whether a certificate request is
authenticated (A) or unauthenticated (U), and whether it can be countersigned
(C) or processed (P).
If the outer signature on a certificate request was generated by the target
certificate stream, the certificate request is suitable for processing; otherwise, it is
suitable for countersigning. An unauthenticated certificate request is always
suitable for processing, and is suitable for countersigning if the target certificate
stream is not the domestic certificate stream.
3 To view a specific DV certificate request, enter:
dv certreq view <cvca identity>
Where <cvca identity> is the holder identity of the CVCA you created the DV
certificate request for. Security Manager displays the certificate request.

To list pending DV Certificate Requests in DV Administration

1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).
2 Click Document Verifier.
3 Click the Document Verifier tab.
The list of pending requests appears on the page.

4 Select the certificate request from the list to view it.

Canceling DV certificate requests
You can cancel a DV certificate request after you create it, but before you import the
requested certificate. Cancel a certificate request if:
• the certificate request is based on an old CVCA link certificate whose key
characteristics are out-of-date
• the certificate used to authenticate the certificate request expires before the
CVCA can process the certificate request
• you think the certificate request is compromised
This topic contains the following procedures:
• “To cancel a DV certificate request in Security Manager Control Command
Shell” on page 1574
• “To cancel a DV Certificate Request in DV Administration” on page 1574

To cancel a DV certificate request in Security Manager Control Command Shell

1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 If required, find the DV certificate request that you want to cancel (see “Viewing
DV certificate requests” on page 1571).
3 At the prompt, enter:
dv certreq cancel <cvca identity>
Where <cvca identity> is the holder identity of the CVCA you requested the
certificate from.

To cancel a DV Certificate Request in DV Administration

1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).
2 Click Document Verifiers.
3 Click the Document Verifier tab.
The View Details page appears.

4 Under Pending Certificate Requests, click Cancel for the certificate request you
want to cancel.
A message appears, confirming that the certificate request was successfully
cancelled.

Exporting DV certificate requests

After creating a DV certificate request, you must export the DV certificate request so
you can send it to the CVCA administrator. The CVCA administrator will process the
request and send you a DV certificate.
• “To export a DV certificate request from Security Manager Control
Command Shell” on page 1575
• “To export a DV certificate request from DV Administration” on page 1576

To export a DV certificate request from Security Manager Control Command
Shell

1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 If required, find the DV certificate request that you want to export (see “Viewing
DV certificate requests” on page 1571).
3 At the prompt, enter:
dv certreq export [-overwrite] <output file> <cvca identity>
Parameters in square brackets are optional parameters. Table 94 describes the
command parameters.

Table 94: dv certreq export command parameters

-overwrite
    Overwrites the output file if it already exists.

<output file>
    The file name of the file where Security Manager writes the Document
    Verifier certificate request.

<cvca identity>
    The holder identity of the CVCA.

You have now exported the DV certificate request. Send the DV certificate request
and validation strings to the CVCA administrator using a secure method, such as
secure email or diplomatic courier. It is strongly recommended that you send the
certificate request and validation strings separately to prevent tampering.
For the validation strings, the "SHA1:" and "SHA256:" portions are not part of the
actual validation strings. The "SHA1:" and "SHA256:" portions only indicate which
validation string is the SHA1 string and which validation string is the SHA256 string.

To export a DV certificate request from DV Administration

1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).
2 Find the DV certificate request that you want to export (see “Viewing DV
certificate requests” on page 1571).

For the validation strings, the "SHA1:" and "SHA256:" portions are not part of
the actual validation strings. The "SHA1:" and "SHA256:" portions only indicate
which validation string is the SHA1 string and which validation string is the
SHA256 string.
3 Click Export.
The File Download dialog box appears.
4 Click Save.
The Save As dialog box appears.
5 Choose a file name and location to save the file and then click Save.
When the file containing the CVCA certificate is saved to your local system, the
Download Complete dialog box appears.
6 Click Close.
You successfully exported the certificate request to your system. Send the
certificate request to the intended CVCA (for example, shipped by diplomatic
pouch, or delivered using secure email).

Managing Document Verifier certificates

Note:
By default, the domestic CVCA has the same country code as your Document
Verifier. However, the domestic CVCA may have a different country code, or
more than one CVCA may use the same country code. If more than one CVCA
uses the same country code as your Document Verifier, or if no CVCA uses the
same country code as your Document Verifier, ensure that you set the domestic
CVCA by modifying the Document Verifier policy (see “Configuring the Document
Verifier policy” on page 1559).

The following topics describe how to import, list, view, and export DV certificates:
• “Importing DV certificates” on page 1578
• “Viewing DV certificates” on page 1581
• “Exporting DV certificates” on page 1585

Importing DV certificates
After you send a DV certificate request to a CVCA administrator and the CVCA
administrator sends you a DV certificate in return, import the DV certificate.

Note:
Administration Services cannot import files with file names longer than 3000
characters.

• “To import a DV certificate in the Security Manager Control Command
Shell” on page 1578
• “To import a DV certificate in DV Administration” on page 1579

To import a DV certificate in the Security Manager Control Command Shell

1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 At the prompt, enter:
dv certreq finish <input file>
Where <input file> is the file containing the DV certificate.

You have now imported the DV certificate. After importing the DV certificate, inform
Inspection System administrators that you imported a new DV certificate and then
send them the latest DV certificate. See “Exporting DV certificates” on page 1585 for
details about exporting DV certificates.

To import a DV certificate in DV Administration

1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).
2 Click Certificates.
3 Click the Import DV Certificate tab.

4 Click Browse to select the file containing the Document Verifier certificate.
5 Click Submit.
The View Certificate page appears.

6 Verify the validation string:
• If you received a validation string from the CVCA administrator (for example,
by telephone, diplomatic pouch, or secure email), click Enter Validation
String and enter the validation string in the text field.
The validation string you received may include "SHA1:" or "SHA256:" at the
beginning of the string. Do not include "SHA1:" or "SHA256:" when
entering the validation string. The "SHA1:" or "SHA256:" portion only
indicates if the validation string is a SHA1 string or a SHA256 string, and is
not an actual part of the validation string.
• If you validated the certificate request by an out-of-band method (such as
diplomatic courier), click Verified Out-of-band.
7 Click Accept to import the certificate.

A confirmation that the DV certificate was imported successfully appears.

You have now imported the DV certificate. After importing the DV certificate, inform
Inspection System administrators that you imported a new DV certificate and then
send them the latest DV certificate. See “Exporting DV certificates” on page 1585 for
details about exporting DV certificates.

Viewing DV certificates
You can display a list of Document Verifier certificates and you can view a specific
Document Verifier certificate. Typically, you list or view Document Verifier certificates
to determine which certificates you want to export (see “Exporting DV certificates”
on page 1585), or to determine if the latest Document Verifier certificates are nearing
expiry and you need to request a new Document Verifier certificate (see “Creating
DV certificate requests” on page 1565).
• “To view DV certificates in Security Manager Control Command Shell” on
page 1581
• “To view DV certificates in DV Administration” on page 1583

To view DV certificates in Security Manager Control Command Shell

1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 To list all Document Verifier certificates, enter:
dv cert list
Security Manager displays a list of all DV certificates. For example:
Holder Authority Effective Expiration Validity
Reference Reference Date (GMT) Date (GMT) Status
------------------------------------------------------------------
CAdvCA001 CAcvca00001 2009/02/10 2012/02/10 Valid
CAdvGB001 GBcvca00001 2009/02/10 2012/02/10 Valid

3 To list all DV certificates issued by a specific CVCA, enter:
dv cert list <cvca identity>

Where <cvca identity> is the identity of the CVCA. (For information about
viewing CVCA identities, see “Viewing Country Verifying Certification
Authorities” on page 1534.) For example:
dv cert list CAcvca
Security Manager displays a list of all DV certificates issued by the CVCA. For
example:
Holder Authority Effective Expiration Validity
Reference Reference Date (GMT) Date (GMT) Status
------------------------------------------------------------------
CAdvCA001 CAcvca00001 2009/02/10 2012/02/10 Valid

4 To view a specific DV certificate, enter:
dv cert view <holder reference> <authority reference>
Where:
• <holder reference> is the holder reference of the DV certificate.
• <authority reference> is the authority reference of the DV certificate.
For example:
dv cert view CAdvCA001 CAcvca00001
Note:
DV certificates do not contain elliptic curve domain parameters. When
displaying the key type for elliptic curves, Security Manager will display the
elliptic curve size. For example, if the key type is EC-ansix9p256r1, Security
Manager will display EC-256 as the key type.

Security Manager displays the DV certificate. For example:

CV Certificate:
Certificate Body:
Profile Identifier: 0
Authority Reference: CAcvca00001
Public Key: EC Public Key (CV format)
OID: id-TA-ECDSA-SHA-256 (0.4.0.127.0.7.2.2.2.2.3)
Key Type: EC-256
Public Point: 044518AEF85A20C9E24107E2750D0CB886275D4A713095F61
5405275B51333000F39141EB3830186BF9E91FE3C31BBB2EC
27FBF0E889E4543786759CC1E450FCD9
Holder Reference: CAdvCA001
Holder Authorization: ePassport Terminal Authentication
OID: id-EAC-ePassport (0.4.0.127.0.7.3.1.2.1)

Discretionary Data: 81
Role: DV (domestic)
Access Rights: Fingerprint only
Effective Date: February 10, 2009 GMT (090210)
Expiration Date: February 10, 2012 GMT (120210)
Signature: C2EFF6F5C663BB8BE8724F6564EE5EF8EA53033FD193FD284
7C1DE437F5B6FD39FC0745E702F156CBD01025A1209D9D5BE
13AB6BD5F9397F73525A563774787D

Validity Status: Valid
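An added example, not Entrust code, that parses output in the layout of the dv cert list sample above and applies the policy's expiry warning threshold (-warn, default 14 days, 0 suppresses warnings) to report which CVCAs need a new DV certificate request. The rows are constructed, and the CVCA identity is assumed to be the authority reference without its 5-character sequence number (CAcvca00001 becomes CAcvca, as in the dv cert list CAcvca example).

```python
"""Expiry check over 'dv cert list' output.

Added example, not Entrust code. It parses the table layout of the page's
'dv cert list' sample (holder reference, authority reference, effective
date, expiration date, validity status; dates as YYYY/MM/DD GMT) and applies
the DV policy's expiry warning threshold to classify each certificate as
Valid, Near Expiry or Expired. Assumptions: the sample rows are constructed,
and a CVCA identity is the authority reference minus its 5-char sequence.
"""
import re
from datetime import date

DEFAULT_WARN_DAYS = 14  # -warn default from the DV policy (Table 92)
SEQ_LEN = 5

# Constructed sample in the layout of the page's 'dv cert list' output.
SAMPLE_CERT_LIST = """\
Holder     Authority    Effective   Expiration  Validity
Reference  Reference    Date (GMT)  Date (GMT)  Status
------------------------------------------------------------------
CAdvCA001  CAcvca00001  2009/02/10  2012/02/10  Valid
CAdvGB001  GBcvca00001  2009/02/10  2012/02/10  Valid
CAdvCA002  CAcvca00002  2012/02/01  2012/02/20  Valid
"""

ROW = re.compile(
    r"^(?P<holder>\S+)\s+(?P<authority>\S+)\s+"
    r"(?P<effective>\d{4}/\d{2}/\d{2})\s+(?P<expiration>\d{4}/\d{2}/\d{2})\s+"
    r"(?P<status>\S+)\s*$"
)


def parse_date(text):
    """'2012/02/10' -> date(2012, 2, 10); the output shows GMT dates only."""
    year, month, day = (int(part) for part in text.split("/"))
    return date(year, month, day)


def parse_cert_list(output):
    """One dict per certificate row; header and ruler lines do not match ROW."""
    certs = []
    for line in output.splitlines():
        match = ROW.match(line.strip())
        if not match:
            continue
        row = match.groupdict()
        row["effective"] = parse_date(row["effective"])
        row["expiration"] = parse_date(row["expiration"])
        certs.append(row)
    return certs


def expiry_state(cert, today, warn_days=DEFAULT_WARN_DAYS):
    """Classify a certificate as Expired, Near Expiry or Valid on a given day.

    The certificate is treated as usable through its expiration date; the
    threshold counts whole days left, and warn_days == 0 disables the
    Near Expiry state, matching '-warn 0'.
    """
    days_left = (cert["expiration"] - today).days
    if days_left < 0:
        return "Expired"
    if warn_days > 0 and days_left <= warn_days:
        return "Near Expiry"
    return "Valid"


def cvca_identity(authority_reference):
    """Strip the sequence number: CAcvca00001 -> CAcvca (assumed convention)."""
    return authority_reference[:-SEQ_LEN]


def latest_per_cvca(certs):
    """The DV certificate with the latest expiration date for each issuing CVCA."""
    latest = {}
    for cert in certs:
        cvca = cvca_identity(cert["authority"])
        if cvca not in latest or cert["expiration"] > latest[cvca]["expiration"]:
            latest[cvca] = cert
    return latest


def cvcas_needing_request(output, today, warn_days=DEFAULT_WARN_DAYS):
    """CVCAs whose latest DV certificate is Near Expiry or Expired.

    Only the newest certificate per CVCA counts: an older certificate that
    has already been replaced does not by itself call for a new request.
    """
    latest = latest_per_cvca(parse_cert_list(output))
    return sorted(
        cvca for cvca, cert in latest.items()
        if expiry_state(cert, today, warn_days) != "Valid"
    )


if __name__ == "__main__":
    today = parse_date("2012/02/05")
    for cvca, cert in latest_per_cvca(parse_cert_list(SAMPLE_CERT_LIST)).items():
        print(cvca, cert["holder"], expiry_state(cert, today))
    print(cvcas_needing_request(SAMPLE_CERT_LIST, today))  # ['GBcvca']
```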

To view DV certificates in DV Administration

1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).

2 Click Document Verifier.


3 Click the Document Verifier tab.
The View Details page appears. By default, only certificates in the following
states are listed:
• Pending

The CVCA has received a certificate request from the DV and is in the process
of validating the request. The DV has no certificate.
• Near Expiry
The DV certificate’s expiry date is within the warning threshold.
• Expired
The DV certificate has expired. A new certificate is required.
If the DV has not requested a DV certificate, a warning that the DV has no
certificates displays.
4 By default, certificates in the Valid state are not included in the list of certificates.
To view all certificates, including valid certificates, click List All Certificates.
5 To view a specific DV certificate, click the holder reference of the DV certificate
that you want to view.
The View Certificate pane appears.

Note:
DV certificates do not contain elliptic curve domain parameters. When
displaying the key type for elliptic curves, Security Manager will display the
elliptic curve size. For example, if the key type is EC-ansix9p256r1, Security
Manager will display EC-256 as the key type.

Exporting DV certificates
You must export Document Verifier certificates so you can distribute them to
Inspection Systems, enabling the Inspection System to assemble a certificate chain
that an e-passport can read.
You can export a single Document Verifier certificate, or you can export a certificate
chain.

When you choose to export a certificate chain, you export the chain of certificates to
a series of files. The first file contains the oldest certificate in the chain (a CVCA
certificate), and the last file contains the latest certificate in the chain (a DV
certificate). You can only export a certificate chain from the Security Manager Control
Command Shell.
• “To export a DV certificate from Security Manager Control Command Shell”
on page 1586
• “To export a DV certificate chain from the Security Manager Control
Command Shell” on page 1586
• “To export a DV certificate from DV Administration” on page 1588

To export a DV certificate from Security Manager Control Command Shell


1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 If required, find the Document Verifier certificate that you want to export (see
“Viewing DV certificates” on page 1581).
3 At the prompt, enter:
dv cert export [-overwrite] <outputFile> <holder reference>
<authority reference>
Parameters in square brackets are optional parameters. Table 95 describes the
command parameters.

Table 95: dv cert export command parameters

-overwrite
    Overwrites the output file if it already exists.

<outputFile>
    The file name of the file where Security Manager writes the Document
    Verifier certificate.

<holder reference>
    The holder reference of the Document Verifier certificate.

<authority reference>
    The authority reference of the Document Verifier certificate.

You have now exported the Document Verifier certificate.

To export a DV certificate chain from the Security Manager Control Command
Shell

1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 At the prompt, enter:
dv cert export-chain [-overwrite] [-root|-link] <outputFile> <leaf
holder reference> <leaf authority reference> [<trust point holder
reference>]
Parameters in square brackets are optional parameters. Table 96 describes the
command parameters.

Table 96: dv cert export-chain command parameters

-overwrite
    Overwrites files that already exist.

-root | -link
    Specifies whether the first certificate in the certificate chain is a
    root certificate (-root) or a link certificate (-link). If not
    specified, -root is assumed.
    A CVCA certificate is a root certificate if its holder reference and
    authority reference are the same. Otherwise, it is a link certificate.
    Use the <trust point holder reference> parameter to identify the CVCA
    certificate that starts the certificate chain. If you do not specify
    the <trust point holder reference> parameter, this option is ignored
    and the certificate chain starts with the initial root CVCA
    certificate.

<outputFile>
    Specifies a file name template for the output files. Security Manager
    appends a number (starting at 1) to each file name when it exports the
    certificates.

<leaf holder reference>
    Specifies the holder reference of the Document Verifier certificate
    that ends the certificate chain.

<leaf authority reference>
    Specifies the authority reference of the Document Verifier certificate
    that ends the certificate chain.

<trust point holder reference>
    Specifies the holder reference of the CVCA certificate that starts the
    CVCA certificate chain.
    If not specified, the [-root|-link] option is ignored and the initial
    root CVCA certificate starts the certificate chain.

You have now exported the DV certificate chain. If you included a root CVCA
certificate in the chain, Security Manager displays validation strings.
For the validation strings, the "SHA1:" and "SHA256:" portions are not part of the
actual validation strings. The "SHA1:" and "SHA256:" portions only indicate which
validation string is the SHA1 string and which validation string is the SHA256 string.
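The chain selection rules of Table 96, worked through as an added example that is not Entrust code. It runs on a constructed store of CV certificates described only by holder and authority reference (the CVCA key rollover with both a link certificate and a self-signed root for the new key is constructed to show why the trust point needs the -root/-link choice), and it reports the numbered output files and whether validation strings will be needed.

```python
"""Chain selection for 'dv cert export-chain'.

Added example, not Entrust code. It models the rules of Table 96 on a
constructed store: a CVCA certificate is a root certificate when holder and
authority reference match, otherwise a link certificate; the chain runs from
the trust point CVCA certificate down to the leaf DV certificate and is
written to files numbered from 1, oldest certificate first; without a trust
point the -root/-link choice is ignored and the chain starts at the initial
root CVCA certificate; validation strings are needed only when a root CVCA
certificate is included.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CvCert:
    holder: str     # Certificate Holder Reference
    authority: str  # Certification Authority Reference (the issuer)

    def is_root(self) -> bool:
        """Root certificate: self-signed, holder and authority references match."""
        return self.holder == self.authority


# Constructed store: the initial CVCA root, a CVCA key rollover (link
# certificate signed by the old key plus a self-signed root for the new key),
# and a DV certificate issued under the new CVCA key.
STORE = [
    CvCert("CAcvca00001", "CAcvca00001"),  # initial root
    CvCert("CAcvca00002", "CAcvca00001"),  # link: new CVCA key signed by old key
    CvCert("CAcvca00002", "CAcvca00002"),  # self-signed root for the new CVCA key
    CvCert("CAdvCA001", "CAcvca00002"),    # DV certificate (leaf)
]


def _issuer_cert(store, holder, prefer_root):
    """Pick the certificate of `holder` to climb through (link) or stop at (root)."""
    candidates = [c for c in store if c.holder == holder]
    ordered = sorted(candidates, key=lambda c: c.is_root() != prefer_root)
    return ordered[0] if ordered else None


def build_chain(store, leaf_holder, leaf_authority, trust_point=None, kind="root"):
    """Return the chain oldest-first, the order export-chain numbers its files."""
    if kind not in ("root", "link"):
        raise ValueError("kind must be 'root' or 'link'")
    leaf = next((c for c in store
                 if c.holder == leaf_holder and c.authority == leaf_authority), None)
    if leaf is None:
        raise LookupError(f"no DV certificate {leaf_holder}/{leaf_authority}")
    if trust_point is None:
        kind = "root"  # -root/-link is ignored without a trust point
    chain = [leaf]
    current = leaf
    while not current.is_root():
        at_trust_point = current.authority == trust_point
        # At the trust point take the certificate the caller asked for; while
        # still climbing prefer the link certificate, which leads to the older key.
        issuer = _issuer_cert(store, current.authority,
                              prefer_root=at_trust_point and kind == "root")
        if issuer is None:
            raise LookupError(f"issuer {current.authority} not in store")
        if at_trust_point and issuer.is_root() != (kind == "root"):
            raise LookupError(f"no {kind} certificate for trust point {trust_point}")
        chain.append(issuer)
        current = issuer
        if at_trust_point:
            break
    if trust_point is not None and current.holder != trust_point:
        raise LookupError(f"trust point {trust_point} is not in the chain")
    chain.reverse()
    return chain


def output_files(template, chain):
    """File names export-chain would write: template plus 1..n, oldest first."""
    return [f"{template}{i}" for i in range(1, len(chain) + 1)]


def needs_validation_strings(chain):
    """True when a root CVCA certificate is included: it carries no signature
    from an earlier key, so the recipient must validate it out of band."""
    return any(c.is_root() for c in chain)


if __name__ == "__main__":
    full = build_chain(STORE, "CAdvCA001", "CAcvca00002")
    for name, cert in zip(output_files("dvchain", full), full):
        print(name, cert.holder, cert.authority, "root" if cert.is_root() else "link")
    print("validation strings needed:", needs_validation_strings(full))
```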

To export a DV certificate from DV Administration
1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).
2 Find the Document Verifier certificate that you want to export (see “Viewing DV
certificates” on page 1581).
The View Certificate pane appears.

3 Click Export.
The File Download dialog box appears.
4 Click Save.
The Save As dialog box appears.
5 Choose a file name and location to save the file, and then click Save.
You successfully exported the certificate to your system.

1588 Entrust® ePassport 3.00 Solutions Guide Document issue: 5.0


Report any errors or omissions
Viewing the current Document Verifier signing
keys
You can view information about the current DV signing keys, including key
characteristics, and various hardware information if the keys are stored on a hardware
device.

To view the current DV signing keys


1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 At the prompt, enter:
dv cert show-keys
Security Manager displays the current DV signing key and related information.
For example:
**** Active Anchor DV Signing Keys (1 keys) ****
Internal key index: 1
Key Owner: Anchor DV : 'CAdv'
Key Type: EC-ansix9p256r1
Term Auth Alg: ECDSA-SHA256
Key on hardware: Y
Key ID (hardware CKA_ID): qnwxbIeolSkzc+MPqL9LHPkxS00=
Hardware load error: N
Hardware status: Loaded >> Safenet, Inc. LunaSA SN : 65080003
SLOT : 1
**** End of active key report ****

Configuring Inspection System policy
The Document Verifier defines the Inspection System policy. The Inspection System
policy determines the default Inspection System certificate lifetime, the default holder
access rights (the biometric information Inspection Systems can access), and the
default certificate request options.
The Inspection System policy determines the Inspection System settings if you do not
specify any custom settings for an Inspection System.
• “To configure the Inspection System policy in Security Manager Control
Command Shell” on page 1590
• “To configure the Inspection System policy in DV Administration” on
page 1592

To configure the Inspection System policy in Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 To view the current Inspection System policy, enter:
dv is config view
Security Manager displays the current Inspection System policy settings, and the
software default settings. For example:
Global Policy Settings (these override the software default
settings):
None configured. The software default settings will be used.
Software Default Policy Settings (used if no custom or global
settings):
Access Rights: Fingerprint only
Certificate Lifetime: 3 months
Certreq Options Cross-stream
3 To change the Inspection System policy, enter:
dv is config set [-reset] [-ar F|I|FI|"" ] [-lifetime
years|months|weeks|days <value>] [-crOpts xstream|none]
Parameters in square brackets are optional parameters. Table 97 on page 1591
describes the command parameters.

Table 97: dv is config set command parameters

-reset
    Resets the existing policy settings to the software defaults.
    Note: If you specify new policy settings, the new settings replace the
    existing values.

-ar F | I | FI | ""
    Specifies the holder access rights (the biometric information Inspection
    Systems can access):
    • F (fingerprint only)
    • I (iris only)
    • FI (fingerprint and iris)
    • "" (none)
    If you do not specify holder access rights, it defaults to fingerprint.
    Note: The access rights for an Inspection System cannot exceed the access
    rights held by the Document Verifier. If you specify access rights for an
    Inspection System that the issuing Document Verifier does not hold, the
    Document Verifier will not add those access rights when issuing a
    certificate to the Inspection System.

-lifetime years | months | weeks | days <value>
    Specifies the lifetime of Inspection System certificates in years, months,
    weeks, or days. Must be between one day and 25 years.
    If you do not specify a lifetime, it defaults to one month.
    Note: Inspection System certificates cannot exceed the lifetime of the
    issuing Document Verifier certificate. When issuing an Inspection System
    certificate, the Document Verifier will truncate the lifetime of the
    Inspection System certificate if it is set to exceed the lifetime of the
    Document Verifier certificate.

-crOpts xstream | none
    Specifies whether the Document Verifier can accept foreign certificate
    requests signed by the domestic certificate stream (xstream), or not
    (none). If not specified, the default is xstream.
    See “Certificate streams” on page 85 for information about certificate
    streams.

You have now changed the Inspection System policy settings.
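The policy resolution described in this section, together with the Document Verifier caps noted in Table 97, as an added worked example in Python. This is not Entrust code and does not call Security Manager; it models the rules the guide states: custom Inspection System settings override the global policy, which overrides the software defaults; access rights the Document Verifier does not hold are dropped; the lifetime must lie between one day and 25 years and is truncated at the expiry of the DV certificate. Assumed for illustration only: software defaults of fingerprint-only and 3 months (taken from the sample dv is config view output), 30-day months and 365-day years for the unit conversion, and the constructed scenario in demo().

```python
"""Effective Inspection System certificate parameters (added example, not Entrust code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional, Tuple

VALID_RIGHTS = ("", "F", "I", "FI")                      # the -ar values from Table 97
UNIT_DAYS = {"days": 1, "weeks": 7, "months": 30, "years": 365}   # assumed approximation
MIN_LIFETIME = timedelta(days=1)
MAX_LIFETIME = timedelta(days=25 * UNIT_DAYS["years"])


def parse_access_rights(ar: str) -> FrozenSet[str]:
    """'F', 'I', 'FI' or '' -> set of biometric read rights; anything else is rejected."""
    ar = ar.strip().upper()
    if ar not in VALID_RIGHTS:
        raise ValueError(f'invalid access rights {ar!r}; expected F, I, FI or ""')
    return frozenset(ar)


def format_access_rights(rights: FrozenSet[str]) -> str:
    """Canonical spelling: F, I, FI or the empty string."""
    return "".join(c for c in "FI" if c in rights)


def parse_lifetime(unit: str, value: int) -> timedelta:
    """The -lifetime years|months|weeks|days <value> argument, range-checked."""
    if unit not in UNIT_DAYS:
        raise ValueError(f"unknown lifetime unit {unit!r}")
    lifetime = timedelta(days=value * UNIT_DAYS[unit])
    if not MIN_LIFETIME <= lifetime <= MAX_LIFETIME:
        raise ValueError(f"lifetime {value} {unit} is outside 1 day .. 25 years")
    return lifetime


@dataclass(frozen=True)
class PolicyLayer:
    """One layer of settings; None means 'not set here, fall through to the next layer'.
    A -reset at either level is simply an empty PolicyLayer()."""
    access_rights: Optional[FrozenSet[str]] = None
    lifetime: Optional[timedelta] = None


# Assumed software defaults, from the sample 'dv is config view' output on this page.
SOFTWARE_DEFAULT = PolicyLayer(parse_access_rights("F"), parse_lifetime("months", 3))


def resolve(custom: PolicyLayer, global_policy: PolicyLayer) -> PolicyLayer:
    """Custom settings override the global policy, which overrides the software default."""
    def pick(attr: str):
        for layer in (custom, global_policy, SOFTWARE_DEFAULT):
            value = getattr(layer, attr)
            if value is not None:
                return value
        raise AssertionError("software default always sets " + attr)
    return PolicyLayer(pick("access_rights"), pick("lifetime"))


def issue_parameters(custom: PolicyLayer, global_policy: PolicyLayer,
                     dv_rights: FrozenSet[str], dv_not_after: datetime,
                     now: datetime) -> Tuple[str, datetime]:
    """What the DV would actually put in the IS certificate: rights the DV does not
    hold are dropped, and the expiry is capped at the DV certificate's own expiry."""
    wanted = resolve(custom, global_policy)
    effective_rights = wanted.access_rights & dv_rights
    not_after = min(now + wanted.lifetime, dv_not_after)
    return format_access_rights(effective_rights), not_after


def demo() -> Tuple[str, str]:
    """Constructed scenario: the DV holds fingerprint rights only and its certificate
    has 60 days left; the global policy says 6 months; this IS has a custom FI setting."""
    now = datetime(2019, 4, 1, tzinfo=timezone.utc)
    dv_expires = now + timedelta(days=60)
    rights, not_after = issue_parameters(
        custom=PolicyLayer(access_rights=parse_access_rights("FI")),
        global_policy=PolicyLayer(lifetime=parse_lifetime("months", 6)),
        dv_rights=parse_access_rights("F"),
        dv_not_after=dv_expires,
        now=now,
    )
    return rights, not_after.isoformat()


if __name__ == "__main__":
    # Iris is dropped (DV does not hold it) and 6 months is cut to the DV's remaining 60 days.
    print(demo())
```

The two caps are applied at issue time, not when the setting is stored, which is why the guide says a DV "will not add" rights it does not hold and "will truncate" an over-long lifetime: the stored Inspection System setting stays as entered and the cap is re-evaluated against whatever DV certificate is current when the next request is processed.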

To configure the Inspection System policy in DV Administration
1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).
2 Click Inspection Systems.
3 Click the Inspection System Policy tab.
The Default Policy Settings pane appears.

4 To change the read access rights (the biometric information Inspection Systems
can access), choose one of the following options:
• Allow Fingerprint
• Allow Iris
• Allow Fingerprint and Iris
• No Access Rights
The access rights for an Inspection System cannot exceed the access rights held
by the Document Verifier. DV Administration will display only the access rights
that you can set for the Inspection System that will not exceed the access rights
held by the Document Verifier.
5 To set the default lifetime of Inspection System certificates (in years, months,
weeks, or days), enter a lifetime in the Certificate Lifetime Frequency text field
and drop-down list.
Enter a lifetime between one day and 25 years.
Inspection System certificates cannot exceed the lifetime of the issuing
Document Verifier certificate. When issuing an Inspection System certificate, the
Document Verifier will truncate the lifetime of the Inspection System certificate if
it is set to exceed the lifetime of the Document Verifier certificate.

6 Verify your changes and then click Save.
A confirmation that your changes were saved appears.

Managing Inspection Systems
You can add, change, or remove Inspection Systems. See the following sections for
details:
• “Adding Inspection Systems” on page 1594
• “Viewing Inspection Systems” on page 1598
• “Finding Inspection Systems” on page 1601
• “Modifying Inspection Systems” on page 1602
• “Disabling or suspending Inspection Systems” on page 1607
• “Enabling or activating Inspection Systems” on page 1609
• “Deleting Inspection Systems” on page 1611

Adding Inspection Systems


Before you can issue Inspection System certificates, you must add the Inspection
System to the Document Verifier. You cannot add more Inspection Systems than your
Security Manager license allows. If you reach your license limit, you must delete
Inspection Systems (see “Deleting Inspection Systems” on page 1611) or purchase a
new license before you can add more Inspection Systems.
You can only add Inspection Systems from your own country. If you attempt to add
an Inspection System from a foreign country, Security Manager returns an error.
• “To add an Inspection System in Security Manager Control Command Shell”
on page 1594
• “To add an Inspection System in DV Administration” on page 1596

To add an Inspection System in Security Manager Control Command Shell


1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 At the prompt, enter:
dv is add <is identity> [-ar F|I|FI|""] [-lifetime
years|months|weeks|days <value>]
Parameters in square brackets are optional parameters. Table 98 on page 1595
describes the command parameters.

Table 98: dv is add command parameters

<is identity>
    The holder identity of the Inspection System. The holder identity must
    start with the ISO 3166-1 ALPHA-2 country code, followed by a one to nine
    ISO 8859-1 Latin-1 character label. For example, GBinspect.
    The country code must match the country code of your Document Verifier,
    otherwise Security Manager returns an error.

-ar F | I | FI | ""
    Specifies the custom holder access rights for the Inspection System:
    • F (fingerprint only)
    • I (iris only)
    • FI (fingerprint and iris)
    • "" (none)
    If you do not specify custom holder access rights, it defaults to the
    setting in the Inspection System policy (see “Configuring Inspection
    System policy” on page 1590).
    Note: The access rights for an Inspection System cannot exceed the access
    rights held by the Document Verifier. If you specify access rights for an
    Inspection System that the issuing Document Verifier does not hold, the
    Document Verifier will not add those access rights when issuing a
    certificate to the Inspection System.

-lifetime years | months | weeks | days <value>
    Specifies a custom lifetime for the Inspection System certificates in
    years, months, weeks, or days. Must be between one day and 25 years.
    If you do not specify a custom certificate lifetime, it defaults to the
    setting in the Inspection System policy (see “Configuring Inspection
    System policy” on page 1590).
    Note: Inspection System certificates cannot exceed the lifetime of the
    issuing Document Verifier certificate. When issuing an Inspection System
    certificate, the Document Verifier will truncate the lifetime of the
    Inspection System certificate if it is set to exceed the lifetime of the
    Document Verifier certificate.

You have now added an Inspection System.
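The holder identity rule from Table 98, as an added example in Python that validates an identity before you type dv is add and then assembles the command's arguments. This is not Entrust code: it encodes only what the guide states (a two-uppercase-letter ISO 3166-1 ALPHA-2 country code, a one-to-nine character ISO 8859-1 label, and a country code equal to the Document Verifier's). Assumptions: the country code is format-checked only, not looked up in the ISO 3166-1 list; control characters are rejected although they are technically Latin-1; the empty -ar value is rendered as "" the way the guide shows it; the identities other than GBinspect and CAis are constructed.

```python
"""Validate an Inspection System holder identity and build 'dv is add' (added example)."""
from typing import List, NamedTuple, Optional, Tuple

MAX_LABEL = 9
VALID_RIGHTS = ("", "F", "I", "FI")
LIFETIME_UNITS = ("years", "months", "weeks", "days")


class HolderIdentity(NamedTuple):
    country: str   # ISO 3166-1 ALPHA-2, two uppercase letters
    label: str     # 1..9 Latin-1 characters


def parse_is_identity(identity: str, dv_country: str) -> HolderIdentity:
    """Split '<CC><label>' and reject anything the guide says dv is add refuses."""
    if not 3 <= len(identity) <= 2 + MAX_LABEL:
        raise ValueError(f"{identity!r}: need a 2-letter country code plus a 1-{MAX_LABEL} character label")
    country, label = identity[:2], identity[2:]
    if not (country.isascii() and country.isalpha() and country.isupper()):
        raise ValueError(f"{identity!r}: country code must be two uppercase ASCII letters")
    try:
        label.encode("iso-8859-1")
    except UnicodeEncodeError:
        raise ValueError(f"{identity!r}: label must be ISO 8859-1 (Latin-1)") from None
    if not label.isprintable():
        # Assumption: stricter than the guide; control characters in an identity are never wanted.
        raise ValueError(f"{identity!r}: label contains control characters")
    if country != dv_country.upper():
        raise ValueError(f"{identity!r}: country {country} does not match DV country {dv_country}")
    return HolderIdentity(country, label)


def is_domestic(identity: str, dv_country: str) -> bool:
    """True only if the identity is well formed and belongs to the DV's own country."""
    try:
        parse_is_identity(identity, dv_country)
        return True
    except ValueError:
        return False


def build_dv_is_add(identity: str, dv_country: str,
                    access_rights: Optional[str] = None,
                    lifetime: Optional[Tuple[str, int]] = None) -> List[str]:
    """Tokens of: dv is add <is identity> [-ar F|I|FI|""] [-lifetime years|months|weeks|days <value>]."""
    parsed = parse_is_identity(identity, dv_country)
    argv = ["dv", "is", "add", parsed.country + parsed.label]
    if access_rights is not None:
        ar = access_rights.strip().upper()
        if ar not in VALID_RIGHTS:
            raise ValueError(f'invalid -ar value {access_rights!r}; expected F, I, FI or ""')
        argv += ["-ar", ar]
    if lifetime is not None:
        unit, value = lifetime
        if unit not in LIFETIME_UNITS or value < 1:
            raise ValueError(f"invalid -lifetime {lifetime!r}")
        argv += ["-lifetime", unit, str(value)]
    return argv


def render(argv: List[str]) -> str:
    """One line to paste into the Control Command Shell; the empty -ar value is shown as ""."""
    return " ".join(tok if tok else '""' for tok in argv)


if __name__ == "__main__":
    print(render(build_dv_is_add("GBinspect", "GB", "FI", ("months", 6))))
    print(render(build_dv_is_add("CAis", "CA", "")))
    print(is_domestic("FRinspect", "GB"))   # False: foreign Inspection Systems cannot be added
```

Running the validation first gives a specific reason for a bad identity, whereas the shell only reports that the country code does not match or the identity is invalid; it also stops you burning a licensed Inspection System slot on a typo, since the guide recommends deleting an Inspection System mainly when its identity was entered incorrectly.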

To add an Inspection System in DV Administration
1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).
2 Click Inspection Systems.
3 Click the Add Inspection System tab.
The New Inspection System pane appears. Required fields are marked with an
asterisk (*).

4 In the Holder Identity field, enter the holder identity of the Inspection System.
The identity must begin with an ISO 3166-1 ALPHA-2 country code consisting
of two uppercase alphabetic characters, followed by a maximum of nine Latin-1
characters.
5 (Optional.) In the Friendly Name field, enter a descriptive string to identify the
Inspection System.
6 (Optional.) In the E-mail address field, enter an email address associated with the
contact person for the Inspection System.
7 For Read Access Rights, specify the read access rights (the biometric information
Inspection Systems can access) as follows:
• To use the default read access rights, click Use Global Default Value.

The default read access rights are configured in the Inspection System policy.
See “Configuring Inspection System policy” on page 1590 for details.
• To specify custom read access rights, click Custom Settings and then click
one of the following:
– Allow Fingerprint
– Allow Iris
– Allow Fingerprint and Iris
– No Access Rights
The access rights for an Inspection System cannot exceed the access rights held
by the Document Verifier. DV Administration will display only the access rights
that you can set for the Inspection System that will not exceed the access rights
held by the Document Verifier.
8 For Certificate Lifetime, specify the certificate lifetime of the Inspection System
certificates as follows:
• To use the default certificate lifetime, click Use Global Default Value.
The default certificate lifetime is configured in the Inspection System policy.
See “Configuring Inspection System policy” on page 1590 for details.
• To specify a custom certificate lifetime, click Custom Settings and then enter
a lifetime (in years, months, weeks, or days), in the Certificate Lifetime
Frequency text field and drop-down list.
Enter a lifetime between one day and 25 years.
Inspection System certificates cannot exceed the lifetime of the issuing
Document Verifier certificate. When issuing an Inspection System certificate, the
Document Verifier will truncate the lifetime of the Inspection System certificate if
it is set to exceed the lifetime of the Document Verifier certificate.
9 (Optional.) In the Contact Name field, enter a contact name for the Inspection
System.
10 (Optional.) In the Phone number field, enter a phone number associated with the
contact person for the Inspection System.
11 (Optional.) In the URL field, enter an Internet address associated with the
jurisdiction of the Inspection System.
12 (Optional.) In the Description field, enter a description for the Inspection System.
13 If you configured a jurisdiction policy (see “Configuring a jurisdiction policy” on
page 1471), select a jurisdiction from the Jurisdictions list.
Select -- NA -- (Not Applicable) to not assign any jurisdiction to the Inspection
System. If you select this option, then the DV Web Service can only issue
certificates to the Inspection System that are anchored at CVCAs without any
jurisdictions assigned. You can still issue certificates from any CVCA using DV
Administration. Depending on how you configured your jurisdiction policy, the
Not Applicable option may be unavailable.
14 After entering the Inspection System details, click Submit.
A confirmation that you successfully added the Inspection System appears.

You successfully added an Inspection System at the DV Administration interface.

Viewing Inspection Systems


You can display a list of Inspection Systems that you added to your Document Verifier,
and you can view information about a specific Inspection System such as its holder
identity, friendly name, state (enabled or disabled), and any custom policy settings.
• “To view an Inspection System in Security Manager Control Command
Shell” on page 1599
• “To view Inspection Systems in DV Administration” on page 1599

To view an Inspection System in Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 To display a list of Inspection Systems, enter:
dv is list [-state enabled|disabled]
Parameters in brackets are optional parameters, where:
• -state enabled lists only enabled Inspection Systems.
• -state disabled lists only disabled Inspection Systems.
Security Manager displays a list of all Inspection Systems. For example:
Category Identity Status Friendly-Name
-------------------------------------------------------------
IS CAinspect1 (7) Enabled <unset>
IS CAinspect2 (8) Enabled <unset>
IS CAinspect3 (9) Enabled <unset>

3 To view a specific Inspection System, enter:
dv is view <is identity>
Where <is identity> is the holder identity of the Inspection System.
Security Manager displays information about the Inspection System. For
example:
Entity Category: IS
Holder Identity: CAis
Friendly Name: <unset>
Email Address: <unset>
Entity Status: Enabled
Internal Database Id: 3
Last Modified: 05/22/08 11:43:04
Added: 05/22/08 11:43:04
Custom Policy Settings (these override the global settings):
None configured. The global and software default settings will
be used.

To view Inspection Systems in DV Administration


1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).
2 Click Inspection Systems.
3 Click the Inspection Systems tab.

The Inspection Systems Search Options pane appears.

4 Under Holder Identity:


• Click All to find all Inspection Systems.
• Click Starts With to find all Inspection Systems whose holder identity begins
with a particular string. Enter the string into the field that appears. Wildcard
values are not supported.
• Click Contains to find all Inspection Systems whose holder identity contains
a particular string. Enter the string into the field that appears. Wildcard values
are not supported.
5 In the Account State drop-down list:
• Select All to find Inspection Systems in all states.
• Select Enabled to find only enabled Inspection Systems.
• Select Disabled to find only disabled Inspection Systems.
6 In the Maximum Results drop-down list, select the maximum number of results
you want returned.

Note:
If the number of returned results is greater than the value in the Maximum
Results drop-down list, a warning appears to inform you that there are more
search results available than the maximum returned. Select a higher value in the
Maximum Results field and re-enter your search to display more results.

7 Click Submit to find all Inspection Systems that meet your search criteria.

The results are returned in a table on the Search Results pane.

8 To view a specific Inspection System, click the holder identity of the Inspection
System.

Finding Inspection Systems


You can search for Inspection Systems using different criteria, such as state, holder
access rights, and certificate lifetimes. After specifying the criteria to search for,
Security Manager displays information about each Inspection System that matches
your criteria.
You can only search for Inspection Systems in the Security Manager Control
Command Shell.

To find Inspection Systems in Security Manager Control Command Shell


1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 At the prompt, enter:
dv is search [-state enabled|disabled] [-ar] [-ar <value>]
[-lifetime] [-lifetime years|months|weeks|days <value>]
Parameters in square brackets are optional parameters. Table 99 describes the
command parameters.

Table 99: dv is search command parameters

-state enabled
-state disabled
    Finds Inspection Systems in the enabled state (-state enabled) or
    Inspection Systems in the disabled state (-state disabled).

-ar
    Finds Inspection Systems with custom holder access rights.

-ar <value>
    Finds Inspection Systems with specific holder access rights, where
    <value> is one of:
    • F (fingerprint only)
    • I (iris only)
    • FI (fingerprint and iris)
    • "" (none)

-lifetime
    Finds Inspection Systems with custom certificate lifetimes.

-lifetime years | months | weeks | days <value>
    Finds Inspection Systems with a specific certificate lifetime in years,
    months, weeks, or days. Must be between one day and 25 years.

Security Manager displays information about each Inspection System that matches
the criteria you specified. For example:
Entity Category: IS
Holder Identity: CAis
Friendly Name: <unset>
Email Address: <unset>
Entity Status: Enabled
Internal Database Id: 3
Last Modified: 05/22/08 11:43:04
Added: 05/22/08 11:43:04
Custom Policy Settings (these override the global settings):
None configured. The global and software default settings will
be used.

Modifying Inspection Systems


Modify an Inspection System when you need to change the holder access rights or
the certificate lifetime. Changing the information for an Inspection System takes
effect after you process the next certificate request from the Inspection System. You
cannot change the holder identity of an Inspection System.
• “To modify an Inspection System in Security Manager Control Command
Shell” on page 1602
• “To modify an Inspection System in DV Administration” on page 1604

To modify an Inspection System in Security Manager Control Command Shell


1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).

2 If required, find the Inspection System that you want to modify (see “Viewing
Inspection Systems” on page 1598).
3 At the prompt, enter:
dv is modify <is identity> [-reset] [-ar F|I|FI|""] [-lifetime
years|months|weeks|days <value>]
Parameters in square brackets are optional parameters. Table 100 describes the
command parameters.

Table 100: dv is modify command parameters

<is identity>
    The holder identity of the Inspection System.

-reset
    Resets the existing Inspection System parameters to the defaults. If new
    parameters are specified, the new values replace the existing values.

-ar F | I | FI | ""
    Specifies the custom holder access rights for the Inspection System:
    • F (fingerprint only)
    • I (iris only)
    • FI (fingerprint and iris)
    • "" (none)
    If you do not specify custom holder access rights, it defaults to the
    Inspection System policy default. See “Configuring Inspection System
    policy” on page 1590 for information about viewing and changing the
    Inspection System policy.
    Note: The access rights for an Inspection System cannot exceed the access
    rights held by the issuing Document Verifier. If you specify access rights
    for an Inspection System that the issuing Document Verifier does not hold,
    the Document Verifier will not add those access rights when issuing a
    certificate to the Inspection System.

-lifetime years | months | weeks | days <value>
    Specifies a custom lifetime for the Inspection System certificates in
    years, months, weeks, or days. Must be between one day and 25 years.
    If you do not specify a custom certificate lifetime, it defaults to the
    Inspection System policy default. See “Configuring Inspection System
    policy” on page 1590 for information about viewing and changing the
    Inspection System policy.
    Note: Inspection System certificates cannot exceed the lifetime of the
    issuing Document Verifier certificate. When issuing an Inspection System
    certificate, the Document Verifier will truncate the lifetime of the
    Inspection System certificate if it is set to exceed the lifetime of the
    Document Verifier certificate.

You have now modified an Inspection System. The changes take effect after you
process the next certificate request from the Inspection System (see “Processing
Inspection System certificate requests” on page 1614).

To modify an Inspection System in DV Administration


1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).
2 Find the Inspection System that you want to modify (see “Viewing Inspection
Systems” on page 1598).
The View Details page appears.
3 Click Edit.
The Edit Inspection System page appears.

4 To change the friendly name, enter a new name into the Friendly Name field.
5 To change the email address, enter a new email address into the E-mail address
field.
6 For Read Access Rights, specify the read access rights (the biometric information
Inspection Systems can access) as follows:
• To use the default read access rights, click Use Global Default Value.
The default read access rights are configured in the Inspection System policy.
See “Configuring Inspection System policy” on page 1590 for details.
• To specify custom read access rights, click Custom Settings and then click
one of the following:
– Allow Fingerprint
– Allow Iris
– Allow Fingerprint and Iris
– No Access Rights
The access rights for an Inspection System cannot exceed the access rights held
by the issuing Document Verifier. DV Administration will display only the access
rights that you can set for the Inspection System that will not exceed the access
rights held by the Document Verifier.

7 For Certificate Lifetime, specify the certificate lifetime of the Inspection System
certificates as follows:
• To use the default certificate lifetime, click Use Global Default Value.
The default certificate lifetime is configured in the Inspection System policy.
See “Configuring Inspection System policy” on page 1590 for details.
• To specify a custom certificate lifetime, click Custom Settings and then enter
a lifetime (in years, months, weeks, or days), in the Certificate Lifetime
Frequency text field and drop-down list.
Enter a lifetime between one day and 25 years.
Inspection System certificates cannot exceed the lifetime of the issuing
Document Verifier certificate. When issuing an Inspection System certificate, the
Document Verifier will truncate the lifetime of the Inspection System certificate if
it is set to exceed the lifetime of the Document Verifier certificate.
8 To change the contact name, enter a new contact name into the Contact Name
field.
9 To change the phone number, enter a new phone number into the Phone number
field.
10 To enter a new URL, enter a new URL into the URL field.
11 To change the description, enter a new description into the Description field.
12 If you configured a jurisdiction policy (see “Configuring a jurisdiction policy” on
page 1471), select a jurisdiction from the Jurisdictions list.
Select -- NA -- (Not Applicable) to not assign any jurisdiction to the Inspection
System. If you select this option, then the DV Web Service can only issue
certificates to the Inspection System that are anchored at CVCAs without any
jurisdictions assigned. You can still issue certificates from any CVCA using DV
Administration. Depending on how you configured your jurisdiction policy, the
Not Applicable option may be unavailable.
13 Verify your changes and then click Submit to apply your changes.

A confirmation that the Inspection System was successfully modified appears.

Disabling or suspending Inspection Systems


You can disable (suspend) an Inspection System at any time, for example, if you
think it is compromised. When you disable an Inspection System, Security Manager
rejects all certificate requests coming from the Inspection System.
A disabled Inspection System still counts against your Security Manager license.
• “To disable an Inspection System in Security Manager Control Command
Shell” on page 1607
• “To suspend an Inspection System in DV Administration” on page 1608

To disable an Inspection System in Security Manager Control Command Shell


1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 If required, find the Inspection System that you want to disable (see “Viewing
Inspection Systems” on page 1598).

3 At the prompt, enter:
dv is disable <is identity>
Where <is identity> is the holder identity of the Inspection System.

To suspend an Inspection System in DV Administration


1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).
2 Find the Inspection System that you want to suspend (see “Viewing Inspection
Systems” on page 1598).
The View Details page appears.

3 Verify that you want to suspend the Inspection System and then click Suspend.
A confirmation that the Inspection System was successfully suspended appears.

Enabling or activating Inspection Systems
If you disabled (suspended) an Inspection System, you can enable (activate) it again.
When you enable an Inspection System, you can resume processing certificate
requests coming from that Inspection System.
• “To enable an Inspection System in Security Manager Control Command
Shell” on page 1609
• “To activate an Inspection System in DV Administration” on page 1609

To enable an Inspection System in Security Manager Control Command Shell


1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 If required, find the Inspection System that you want to enable (see “Viewing
Inspection Systems” on page 1598).
3 At the prompt, enter:
dv is enable <is identity>
Where <is identity> is the holder identity of the Inspection System.

To activate an Inspection System in DV Administration


1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).
2 Find the Inspection System that you want to activate (see “Viewing Inspection
Systems” on page 1598).

The View Details page appears.

3 Verify that you want to activate the Inspection System and then click Activate.
A confirmation that the Inspection System was successfully activated appears.

Deleting Inspection Systems
You can delete an Inspection System at any time or in any state (enabled or disabled).
It is recommended that you delete an Inspection System only if you entered an
incorrect Inspection System holder identity, or if the Inspection System is being
decommissioned.
• “To delete an Inspection System in Security Manager Control Command
Shell” on page 1611
• “To delete an Inspection System in DV Administration” on page 1611

To delete an Inspection System in Security Manager Control Command Shell


1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 If required, find the Inspection System that you want to delete (see “Viewing
Inspection Systems” on page 1598).
3 At the prompt, enter:
dv is delete <is identity>
Where <is identity> is the identity of the Inspection System. Security Manager
then issues the following warning:
Warning: deleting this IS will remove all of the certificates
issued to it. Proceed (y/n)? [n]
4 Enter y to delete the Inspection System.

To delete an Inspection System in DV Administration


1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).
2 Find the Inspection System that you want to delete (see “Viewing Inspection
Systems” on page 1598).

The View Details page appears.

3 Verify that you want to delete the Inspection System and then click Delete.
You are asked to confirm that you want to permanently delete the Inspection
System.
4 Click OK to confirm and delete the Inspection System.

Managing Inspection System certificate
requests
The following topics describe how to preview and process Inspection System
certificate requests:
• “Previewing Inspection System certificate requests” on page 1613
• “Processing Inspection System certificate requests” on page 1614

Previewing Inspection System certificate requests


You can preview the Inspection System certificate request before you process it.
When you preview an unauthenticated Inspection System certificate request, Security
Manager also displays the validation strings of the certificate request. If the Inspection
System administrator provided you with validation strings, you can compare the
validation strings to ensure that no one tampered with the certificate request.
When you preview an Inspection System certificate request, Security Manager also
displays the signature validation status. The signature validation status indicates
whether the signatures contained in the certificate request are valid.
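Comparing validation strings out of band, as an added example in Python that is not Entrust code. It serves both this section and the validation strings displayed after exporting a DV certificate chain that includes a root CVCA certificate: the comparison strips the "SHA1:" and "SHA256:" prefixes, which the guide says are not part of the strings, tolerates colons, spaces and letter case, compares in constant time, and requires both the SHA-1 and the SHA-256 strings to agree before a request is treated as untampered. The guide does not say which bytes the product hashes, so the file_validation_strings helper, which digests the raw bytes of a file, is an assumption for cross-checking only and not a substitute for comparing the string Security Manager displays with the one the Inspection System administrator provided. The digests shown in the usage note are those of the constructed input b"abc".

```python
"""Out-of-band comparison of validation strings (added example, not Entrust code)."""
import hashlib
import hmac
import re
from typing import Dict, Tuple

# Optional "SHA1:" / "SHA256:" (or "SHA-1:" / "SHA-256:") prefix printed by Security Manager.
_LABEL = re.compile(r"^\s*(sha-?1|sha-?256)\s*:\s*", re.IGNORECASE)
_ALGO_BY_LEN = {40: "sha1", 64: "sha256"}   # hex digest lengths


def normalize_validation_string(text: str) -> Tuple[str, str]:
    """Return (algorithm, lowercase hex digest) for a string as displayed or as received.

    The prefix is dropped because it is not part of the validation string; colons,
    whitespace and case are normalised so a string read over the phone still matches."""
    m = _LABEL.match(text)
    label = m.group(1).lower().replace("-", "") if m else None
    body = text[m.end():] if m else text
    digest = re.sub(r"[\s:]", "", body).lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        raise ValueError("validation string is not hexadecimal")
    algo = _ALGO_BY_LEN.get(len(digest))
    if algo is None:
        raise ValueError(f"{len(digest)} hex digits is neither a SHA-1 nor a SHA-256 digest")
    if label and label != algo:
        raise ValueError(f"prefix says {label} but the digest length says {algo}")
    return algo, digest


def validation_strings_match(displayed: str, received: str) -> bool:
    """Same algorithm and same digest, compared in constant time."""
    algo_a, hex_a = normalize_validation_string(displayed)
    algo_b, hex_b = normalize_validation_string(received)
    return algo_a == algo_b and hmac.compare_digest(hex_a, hex_b)


def all_validation_strings_match(displayed: Dict[str, str], received: Dict[str, str]) -> bool:
    """Both SHA-1 and SHA-256 must be present on both sides and agree.
    A missing string is a mismatch, not a skip: an attacker who can substitute a request
    can also 'forget' to send the digest that would expose the substitution."""
    for algo in ("sha1", "sha256"):
        if algo not in displayed or algo not in received:
            return False
        if not validation_strings_match(displayed[algo], received[algo]):
            return False
    return True


def file_validation_strings(data: bytes) -> Dict[str, str]:
    """Digests of the raw bytes of a certificate or request file.
    Assumption: that this is what the product's validation strings are computed over.
    If your deployment shows otherwise, use only the string-to-string comparison above."""
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


if __name__ == "__main__":
    # Constructed: what Security Manager displayed versus what the IS administrator read out.
    displayed = {"sha1": "SHA1: A9993E364706816ABA3E25717850C26C9CD0D89D",
                 "sha256": "SHA256: BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"}
    received = {"sha1": "a9:99:3e:36:47:06:81:6a:ba:3e:25:71:78:50:c2:6c:9c:d0:d8:9d",
                "sha256": "ba78 16bf 8f01 cfea 4141 40de 5dae 2223 b003 61a3 9617 7a9c b410 ff61 f200 15ad"}
    print(all_validation_strings_match(displayed, received))   # True: same digests, different layout
```

For the constructed input b"abc" the SHA-1 digest is a9993e364706816aba3e25717850c26c9cd0d89d and the SHA-256 digest is ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad; the strings in the demo carry those values in the two layouts an operator is likely to meet. Treat a mismatch on either string as a tampered or wrong file and do not process the request.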

To preview an Inspection System certificate request


1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 At the prompt, enter:
dv is certreq preview [-allow expired|unauthenticated] <input file> [<cvca identity>]
Parameters in square brackets are optional parameters. Table 101 on page 1613
describes the command parameters.

Table 101: dv is certreq preview command parameters

-allow expired
-allow unauthenticated
    By default, the certificate request is only valid if it is signed by a
    trusted signer. Use these parameters to preview whether the
    dv is certreq process -allow expired|unauthenticated command will
    determine that the certificate request contains a valid outer signature.
    For details about the dv is certreq process command, see “Processing
    Inspection System certificate requests” on page 1614.

<input file>
    The file name of the Inspection System certificate request file.

<cvca identity>
    The holder identity of the CVCA for the target certificate stream. You
    must include this parameter if the Inspection System certificate request
    does not include a target certificate stream.

Security Manager displays the Inspection System certificate request.

Processing Inspection System certificate requests


When you process an Inspection System certificate request, Security Manager reads
the certificate request and then generates an Inspection System certificate. If you
disabled either the Inspection System or the CVCA in the target certificate stream,
Security Manager rejects the certificate request.

Note:
You cannot process a certificate request from an Inspection System that has not
been added to the DV. You must add the Inspection System to the DV before
importing the certificate.

• “To process an Inspection System certificate request in Security Manager Control Command Shell” on page 1614
• “To process an Inspection System certificate request in DV Administration” on page 1616

To process an Inspection System certificate request in Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 If required, preview the Inspection System certificate request (see “Previewing
Inspection System certificate requests” on page 1613).
3 At the prompt, enter:
dv is certreq process [-allow expired|unauthenticated] [-overwrite] [-oobAuth|-valStrAuth <validationString>] <inputFile> <outputFile> [<cvca identity>]
Parameters in square brackets are optional parameters. Table 102 on page 1615
describes the command parameters.

Table 102: dv is certreq process command parameters

-allow expired
-allow unauthenticated
    By default, the certificate request is only valid if it is signed by a
    trusted signer with a valid key.
    If an Inspection System loses its keys, the Inspection System must
    produce a certificate request without an outer signature. Use the
    -allow unauthenticated parameter to process a certificate request
    without an outer signature. You must also specify either the -oobAuth
    or -valStrAuth parameter.
    If an Inspection System allows all its certificates to expire, the
    Inspection System must produce an unauthenticated certificate request,
    or a certificate request authenticated by an expired certificate. Use
    the -allow expired parameter to process a certificate request
    authenticated by an expired certificate.

-overwrite
    Overwrites the output file if it already exists.

-oobAuth
    Specifies that you authenticated the certificate request by an
    out-of-band method, such as diplomatic courier. You only need to specify
    this parameter for unauthenticated certificate requests.

-valStrAuth <validationString>
    Allows you to enter the validation string of the Inspection System
    certificate request. You only need to specify this parameter for
    unauthenticated certificate requests.
    The validation string you received may include "SHA1:" or "SHA256:" at
    the beginning of the string. Do not include "SHA1:" or "SHA256:" when
    entering the validation string. The "SHA1:" or "SHA256:" portion only
    indicates whether the validation string is a SHA1 string or a SHA256
    string, and is not an actual part of the validation string.

<inputFile>
    The file name of the file containing the Inspection System certificate
    request.

<outputFile>
    The file name of the file where Security Manager writes the Inspection
    System certificate.

<cvca identity>
    The holder identity of the CVCA for the target certificate stream. You
    must include this parameter if the Inspection System certificate request
    does not identify the target certificate stream.
    If you configured the Inspection System policy to reject foreign
    certificate requests signed by the domestic certificate stream (see
    “Configuring Inspection System policy” on page 1590), then the Document
    Verifier rejects the certificate request’s signature.

Security Manager displays the Inspection System certificate and exports it to the
output file that you specified. If Security Manager fails to write the Inspection
System certificate to the local file system, Security Manager displays an error, and
you must use the dv is cert export command (see “Exporting Inspection
System certificates” on page 1622).

To process an Inspection System certificate request in DV Administration


1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).
2 Click Certificates.
3 Click the Import IS Certificate Request tab.
The Import Certificate Request pane appears.

4 Click Browse to locate the file containing the certificate request. The certificate
must be in DER format.

5 If more than one CVCA uses the same country code, enter the CVCA identity of
the target certificate stream into the CVCA identity field.
6 Click Submit.
The View Certificate Request pane appears.

7 Verify the validation string:
a If you received a validation string from the CVCA administrator (for example,
by telephone, diplomatic pouch, or secure email), click Enter Validation
String and enter the validation string in the text field.
The validation string you received may include "SHA1:" or "SHA256:" at the
beginning of the string. Do not include "SHA1:" or "SHA256:" when
entering the validation string. The "SHA1:" or "SHA256:" portion only
indicates if the validation string is a SHA1 string or a SHA256 string, and is
not an actual part of the validation string.
b If you validated the certificate request by an out-of-band method (such as
diplomatic courier), click Verified Out-of-band.

Note:
Validation strings are only required for self-signed certificate requests, since these
certificate requests do not have built-in trust. This includes root certificates and
unauthenticated certificate requests. Link certificates and authenticated
certificates have built-in trust since they are signed by a trusted key.

8 If more than one CVCA uses the same country code, enter the CVCA identity of
the target certificate stream into the CVCA identity field.
9 Click Accept to import the certificate request.
A confirmation that the certificate request imported successfully and that the
certificate was issued appears.
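The -valStrAuth parameter in Table 102, step 7a above, and the later notes on the "SHA1:" and "SHA256:" portions all describe the same manual check: the validation string you received out of band must equal the one Security Manager displays, with the hash label left out. The following Python helper, added here as an illustration and not part of the Entrust product, normalizes both copies (removes the optional label, ignores spacing, separators and letter case, which is an assumption of this example rather than a rule the guide states) and compares them in constant time, so a copy read over the telephone and a copy shown on screen can be checked reliably before you accept an unauthenticated request. The sample strings are constructed.

```python
import hmac
import re
from typing import Optional, Tuple

# Hash labels the guide says may precede a validation string. They only name
# the hash the string was produced with and are not part of the string itself.
HASH_LABELS = ("SHA1", "SHA256")
_LABEL_RE = re.compile(r"^\s*(SHA1|SHA256)\s*:\s*(.*)$", re.IGNORECASE | re.DOTALL)


def normalize_validation_string(value: str) -> Tuple[Optional[str], str]:
    """Split a validation string into (hash label or None, canonical string).

    The optional "SHA1:" / "SHA256:" label is removed. Whitespace and ':'/'-'
    separators are dropped and the remainder is upper-cased so that two
    differently formatted copies of the same string compare equal. Tolerating
    separators and case is an assumption of this example; the guide only says
    to leave the label out.
    """
    label = None
    text = value
    match = _LABEL_RE.match(value)
    if match:
        label = match.group(1).upper()
        text = match.group(2)
    canonical = re.sub(r"[\s:\-]", "", text).upper()
    return label, canonical


def value_to_enter(received: str) -> str:
    """The form of a received validation string to pass to -valStrAuth or to
    type into the Enter Validation String field: the label removed."""
    return normalize_validation_string(received)[1]


def validation_strings_match(received: str, displayed: str) -> bool:
    """Compare the string received out of band with the one Security Manager
    displays for the certificate request.

    If both copies carry a label, the labels must agree (a SHA1 string never
    matches a SHA256 string). The comparison is constant-time so the check
    itself does not reveal how many leading characters agreed.
    """
    r_label, r_val = normalize_validation_string(received)
    d_label, d_val = normalize_validation_string(displayed)
    if not r_val or not d_val:
        return False
    if r_label and d_label and r_label != d_label:
        return False
    return hmac.compare_digest(r_val.encode("ascii", "replace"),
                               d_val.encode("ascii", "replace"))


if __name__ == "__main__":
    # Constructed sample values; not validation strings from any real system.
    received = "SHA256: 3F2A 9C1D 77E0 B4A5 1122 3344 5566 7788"
    displayed = "3f2a9c1d77e0b4a511223344556677 88"
    print("value to enter:", value_to_enter(received))
    print("match:", validation_strings_match(received, displayed))
```

A mismatch should be treated as a tampered or mis-transcribed request: do not run dv is certreq process with -valStrAuth until the administrator of the Inspection System has confirmed the string again through the out-of-band channel.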

Managing Inspection System certificates
The following topics describe how to list, view, and export Inspection System
certificates:
• “Viewing Inspection System certificates” on page 1619
• “Exporting Inspection System certificates” on page 1622

Viewing Inspection System certificates


You can display a list of certificates issued to Inspection Systems, and you can view a
specific Inspection System certificate. Typically, you list or view Inspection System
certificates to identify which certificates you want to export (see “Exporting
Inspection System certificates” on page 1622).

To view Inspection System certificates in the Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 To display a list of Inspection System certificates, enter:
dv is cert list <is identity> [<cvca identity>]
Parameters in brackets are optional parameters, where:
• <is identity> is the holder identity of the Inspection System.
• <cvca identity> is the identity of the CVCA trust point.
For example:
dv is cert list CAis1 CAcvca
Security Manager displays a list of all Inspection System certificates. For example:
Holder Authority Effective Expiration Validity
Reference Reference Date (GMT) Date (GMT) Status
------------------------------------------------------------------
CAis1CA001 CAdvCA001 2012/07/09 2012/08/09 Valid
3 To view a specific Inspection System certificate, enter:
dv is cert view <holder reference> <authority reference>
Where:
• <holder reference> is the holder reference of the Inspection System
certificate.
• <authority reference> is the authority reference of the Inspection System
certificate.
For example:

dv is cert view CAis1CA001 CAdvCA001
Security Manager displays the Inspection System certificate. For example:

Note:
Inspection System certificates do not contain elliptic curve domain parameters.
When displaying the key type for elliptic curves, Security Manager will display the
elliptic curve size. For example, if the key type is EC-ansix9p256r1, Security
Manager will display EC-256 as the key type.

CV Certificate:
Certificate Body:
Profile Identifier: 0
Authority Reference: CAdvCA001
Public Key: EC Public Key (CV format)
OID: id-TA-ECDSA-SHA-256 (0.4.0.127.0.7.2.2.2.2.3)
Key Type: EC-256
Public Point: 046FE879AD5167249E91253BF833B9A14F808D2A436A7EB96
C27B2B3DC5740238F06822A278C288DA1BE005E8381AD3A2D
630937F9DFB2734F0C2F30D15F34EAD6
Holder Reference: CAis1CA001
Holder Authorization: ePassport Terminal Authentication
OID: id-EAC-ePassport (0.4.0.127.0.7.3.1.2.1)
Discretionary Data: 01
Role: IS
Access Rights: Fingerprint only
Effective Date: July 09, 2012 GMT (120709)
Expiration Date: August 09, 2012 GMT (120809)
Signature: FC8A7DC72353E0D0466C15A87C2C1EE2CAA23FC3B14B8FD60
8FF4F5598F9C135DC7EE07F07845A9BF0A4D7801CF59E9105
4556C6B1050BB7C73E14A90D600082

Validity Status: Valid
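Inspection System certificates are short-lived (the sample above is valid for one month), so the list output of dv is cert list is the natural input for an expiry watch. The following Python example is added here for illustration and is not part of the Entrust product: it parses the list format shown above (two header lines, a dashed rule, then one certificate per line) into records and reports certificates that are still marked Valid but have expired or expire within a given number of days. The sample output is constructed; the second row is invented for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List


@dataclass(frozen=True)
class IsCertificate:
    holder_reference: str
    authority_reference: str
    effective: date
    expiration: date
    validity_status: str


def parse_gmt_date(text: str) -> date:
    """Dates in the list are YYYY/MM/DD (GMT), as in the sample above."""
    return datetime.strptime(text, "%Y/%m/%d").date()


def parse_cert_list(output: str) -> List[IsCertificate]:
    """Parse the text printed by 'dv is cert list' into records.

    Everything up to and including the dashed rule is the two-line header and
    is skipped; each following non-empty line is one certificate. The status
    column is taken as the remainder of the line so a multi-word status would
    survive (an assumption; the sample only shows 'Valid').
    """
    certs: List[IsCertificate] = []
    past_header = False
    for line in output.splitlines():
        if not past_header:
            past_header = line.strip().startswith("---")
            continue
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or trailing line
        holder, authority, eff, exp = fields[:4]
        status = " ".join(fields[4:])
        certs.append(IsCertificate(holder, authority,
                                   parse_gmt_date(eff), parse_gmt_date(exp), status))
    return certs


def needs_attention(certs: List[IsCertificate], today: date, warn_days: int) -> List[str]:
    """Holder references of certificates marked Valid whose expiration date
    has passed or falls within warn_days of today, earliest expiry first."""
    horizon = today + timedelta(days=warn_days)
    hits = [c for c in certs if c.validity_status == "Valid" and c.expiration <= horizon]
    hits.sort(key=lambda c: c.expiration)
    return [c.holder_reference for c in hits]


# Constructed sample output in the format shown above (second row invented).
SAMPLE_OUTPUT = """\
Holder Authority Effective Expiration Validity
Reference Reference Date (GMT) Date (GMT) Status
------------------------------------------------------------------
CAis1CA001 CAdvCA001 2012/07/09 2012/08/09 Valid
CAis1CA002 CAdvCA001 2012/08/01 2012/09/01 Valid
"""

if __name__ == "__main__":
    certs = parse_cert_list(SAMPLE_OUTPUT)
    for cert in certs:
        print(cert)
    print("renew within 14 days:", needs_attention(certs, parse_gmt_date("2012/08/05"), 14))
```

Run the check from a scheduled job against the saved output of the command; a holder reference that appears here and has no newer certificate in the list is one whose Inspection System administrator should be expecting a renewal request.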

To view an Inspection System certificate in DV Administration


1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).
2 Find the Inspection System with the certificate you want to view (see “Viewing
Inspection Systems” on page 1598).

The View Details page appears. Inspection system certificates are listed near the
bottom of the page.

3 Select the certificate to view.


The View Certificate pane appears.

Note:
Inspection System certificates do not contain elliptic curve domain parameters.
When displaying the key type for elliptic curves, Security Manager will display the
elliptic curve size. For example, if the key type is EC-ansix9p256r1, Security
Manager will display EC-256 as the key type.

Exporting Inspection System certificates
After processing a certificate request, you must export the Inspection System
certificate so you can send it to the Inspection System administrator. You can export
a single Inspection System certificate, or you can export a certificate chain. You can
only export a certificate chain in the Security Manager Control Command Shell.
When you choose to export a certificate chain, you export the chain of certificates to
a series of files. The first file contains the oldest certificate in the chain (a CVCA
certificate), and the last file contains the latest certificate in the chain (an Inspection
System certificate).
• “To export an Inspection System certificate in Security Manager Control Command Shell” on page 1623
• “To export an Inspection System certificate chain in Security Manager Control Command Shell” on page 1623
• “To export an Inspection System certificate in DV Administration” on page 1624

To export an Inspection System certificate in Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 If required, find the Inspection System certificate that you want to export (see
“Viewing Inspection System certificates” on page 1619).
3 At the prompt, enter:
dv is cert export [-overwrite] <outputFile> <holder reference>
<authority reference>
Parameters in square brackets are optional parameters. Table 103 describes the
command parameters.

Table 103: dv is cert export command parameters

-overwrite
    Overwrites the output file if it already exists.

<outputFile>
    The file name of the file where Security Manager writes the Inspection
    System certificate.

<holder reference>
    The holder reference of the Inspection System certificate.

<authority reference>
    The authority reference of the Inspection System certificate.

You have now exported the Inspection System certificate.

To export an Inspection System certificate chain in Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 At the prompt, enter:
dv is cert export-chain [-overwrite] [-root|-link] <outputFile> <leaf holder reference> <leaf authority reference> [<trust point holder reference>]
Parameters in square brackets are optional parameters. Table 104 describes the
command parameters.

Table 104: dv is cert export-chain command parameters

-overwrite
    Overwrites files that already exist.

-root | -link
    Specifies whether the first certificate in the certificate chain is a root
    certificate (-root) or a link certificate (-link). If not specified, -root
    is assumed.
    A CVCA certificate is a root certificate if its holder reference and
    authority reference are the same. Otherwise, it is a link certificate.
    Use the <trust point holder reference> parameter to identify the CVCA
    certificate that starts the certificate chain. If you do not specify the
    <trust point holder reference> parameter, this option is ignored and the
    certificate chain starts with the initial root CVCA certificate.

<outputFile>
    Specifies a file name template for the output files. Security Manager
    appends a number (starting at 1) to each file name when it exports the
    certificates.

<leaf holder reference>
    Specifies the holder reference of the Inspection System certificate that
    ends the certificate chain.

<leaf authority reference>
    Specifies the authority reference of the Inspection System certificate
    that ends the certificate chain.

<trust point holder reference>
    Specifies the holder reference of the CVCA certificate that starts the
    CVCA certificate chain. If not specified, the [-root|-link] option is
    ignored and the initial root CVCA certificate starts the certificate chain.

You have now exported the Inspection System certificate chain. If you included a root
CVCA certificate in the chain, Security Manager displays validation strings.
For the validation strings, the "SHA1:" and "SHA256:" portions are not part of the
actual validation strings. The "SHA1:" and "SHA256:" portions only indicate which
validation string is the SHA1 string and which validation string is the SHA256 string.
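Table 104 defines the chain export by three rules: a CVCA certificate is a root when its holder and authority references are equal and a link otherwise; the chain is walked from the Inspection System certificate up through authority references until the initial root, or until the trust point you named, where -root or -link picks which of that CVCA's certificates comes first; and the output files are numbered from 1 with the oldest certificate first. The Python example below is added here to make those rules concrete and is not the product's own code. It represents certificates only by their two references, resolves a chain from a constructed in-memory store, and derives the numbered file names. The store contents and the assumption that the number is simply appended to the template are illustrative.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CvCertificate:
    holder_reference: str
    authority_reference: str

    @property
    def is_root(self) -> bool:
        # Rule from Table 104: holder reference equal to authority reference
        # means a root certificate, anything else is a link certificate.
        return self.holder_reference == self.authority_reference


def build_chain(certs: List[CvCertificate], leaf_holder: str, leaf_authority: str,
                trust_point_holder: Optional[str] = None,
                first: str = "root") -> List[CvCertificate]:
    """Return the chain oldest-first, like the numbered export files.

    Walks from the leaf (an Inspection System certificate) up through
    authority references. Without a trust point the walk follows link
    certificates to the initial root. At the trust point, 'first' decides
    whether that CVCA's root or link certificate starts the chain.
    """
    if first not in ("root", "link"):
        raise ValueError("first must be 'root' or 'link'")
    by_holder: Dict[str, List[CvCertificate]] = {}
    for cert in certs:
        by_holder.setdefault(cert.holder_reference, []).append(cert)

    leaf = next((c for c in by_holder.get(leaf_holder, [])
                 if c.authority_reference == leaf_authority), None)
    if leaf is None:
        raise LookupError(f"no certificate {leaf_holder}/{leaf_authority}")

    chain = [leaf]
    current = leaf
    while not current.is_root:
        if len(chain) > len(certs):
            raise LookupError("authority references form a cycle")
        issuer = current.authority_reference
        candidates = by_holder.get(issuer, [])
        roots = [c for c in candidates if c.is_root]
        links = [c for c in candidates if not c.is_root]
        if issuer == trust_point_holder:
            pool = roots if first == "root" else links
            if not pool:
                raise LookupError(f"no {first} certificate for trust point {issuer}")
            chain.append(pool[0])
            break
        # Below the trust point keep walking through link certificates; use the
        # root only when this CVCA never rolled over (it ends the loop).
        pool = links or roots
        if not pool:
            raise LookupError(f"no certificate for authority reference {issuer}")
        current = pool[0]
        chain.append(current)
    chain.reverse()
    return chain


def output_file_names(template: str, chain: List[CvCertificate]) -> List[str]:
    """Assumed naming: the template with 1, 2, ... appended, oldest first."""
    return [f"{template}{i}" for i in range(1, len(chain) + 1)]


# Constructed store: initial root, one CVCA key rollover (link plus new
# self-signed root), a DV certificate and the IS certificate from the sample.
SAMPLE_STORE = [
    CvCertificate("CAcvca001", "CAcvca001"),   # initial root
    CvCertificate("CAcvca002", "CAcvca001"),   # link to the new CVCA key
    CvCertificate("CAcvca002", "CAcvca002"),   # new self-signed root
    CvCertificate("CAdvCA001", "CAcvca002"),   # Document Verifier certificate
    CvCertificate("CAis1CA001", "CAdvCA001"),  # Inspection System certificate
]

if __name__ == "__main__":
    for trust, first in ((None, "root"), ("CAcvca002", "root"), ("CAcvca002", "link")):
        chain = build_chain(SAMPLE_STORE, "CAis1CA001", "CAdvCA001", trust, first)
        print(trust, first, [(c.holder_reference, c.authority_reference) for c in chain],
              output_file_names("is_chain", chain))
```

The -link case shows why the option matters: a verifier that already trusts CAcvca001 needs the link certificate CAcvca002/CAcvca001 to reach the new key, whereas a verifier that was provisioned with the CAcvca002 root needs the self-signed certificate and nothing older.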

To export an Inspection System certificate in DV Administration


1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).

2 Find the Inspection System whose certificate you want to export (see “Viewing
Inspection Systems” on page 1598).
The View Details page appears.

3 In the Inspection System Certificates list, click the holder reference of the
Inspection System certificate that you want to export.

The View Certificate pane appears.

4 Click Export.
A File Download dialog box appears.
5 Click Save.
The Save As dialog box appears.
6 Choose a file name and location to save the file, and then click Save.
You successfully exported the file containing the Inspection System certificate to
your system.

Previewing EAC certificates and certificate requests
This section describes how to preview any CVCA, Document Verifier, or Inspection
System certificate or certificate request.
• “Previewing EAC certificates” on page 1627
• “Previewing EAC certificate requests” on page 1627

Previewing EAC certificates


You can preview any CVCA, Document Verifier, or Inspection System certificate from
a file. When you preview the certificate, Security Manager displays the certificate, the
signature validation status, and the certificate’s validation strings.
For root CVCA certificates, the signature is valid if Security Manager can verify it
using the public key in the certificate. For other certificates, the signature is valid if
the Document Verifier has an appropriate certificate in the database that can verify
the signature.

To preview an EAC certificate using Security Manager Control Command Shell


1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 At the prompt, enter:
dv util cert preview <input file>
Where <input file> is the file name of the file containing the certificate.
Security Manager displays the certificate, validation status, and validation strings.
For the validation strings, the "SHA1:" and "SHA256:" portions are not part of
the actual validation strings. The "SHA1:" and "SHA256:" portions only indicate
which validation string is the SHA1 string and which validation string is the
SHA256 string.

Previewing EAC certificate requests


You can preview any Document Verifier or Inspection System certificate request from
a file. When you preview the certificate request, Security Manager displays the
certificate request and the validation strings.
Security Manager does not attempt to validate the certificate request’s outer
signature using certificates stored in the database. If you need to validate the
signature on an Inspection System certificate request, use the dv is certreq
preview command (see “Previewing Inspection System certificate requests” on
page 1613).

To preview an EAC certificate request using Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 At the prompt, enter:
dv util certreq preview <input file>
Where <input file> is the file name of the file containing the certificate request.
Security Manager displays the certificate request and the validation strings.
For the validation strings, the "SHA1:" and "SHA256:" portions are not part of
the actual validation strings. The "SHA1:" and "SHA256:" portions only indicate
which validation string is the SHA1 string and which validation string is the
SHA256 string.

Queued operations
Sensitive operations may require approval by more than one user with the required
permissions. If a user requests an operation that requires authorization by more than
one user, DV Administration automatically determines that authorization is required
and the operation is queued until a second user with the necessary permissions can
review it.
For example, if a user deletes a CVCA from the list of CVCAs used by the DV, the
operation may be queued until a second user with the required permissions is able to
review and approve (or cancel) the operation.
Notification messages are sent to the email addresses that you configured when you
installed the DV Administration software when an operation requires approval or if
approval has been obtained.
The user performing (or approving) a sensitive operation must have the required
permissions. When a user’s profile is created, the permissions associated with that
profile determine if the user has the ability to perform or approve various operations
and if another approval is required. Detailed information about default profiles and
how to create custom profiles is available in the Security Manager Administration
User Guide.
Sensitive operations that may be queued for approval include:
• Generate DV Certificate Request
• Complete DV Certificate Request
• Cancel DV Certificate Request
• Import CVCA Link Certificate
• Import CVCA Root Certificate
• Delete CVCA
• Process Authenticated IS Certificate Request
• Process Expired IS Certificate Request
• Process Unauthenticated IS Certificate Request
Queuing has both search and list functions. The list interface displays up to one
hundred of the most recently queued items.
This section contains the following procedures:
• “To manage queued operations” on page 1630
• “To search queued operations” on page 1630
• “Listing queued operations” on page 1631

To manage queued operations
1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).
2 Click Queued Operations.
3 Click the Approve Queued Operations tab.
The Approve Queued Operations page is displayed.

Only operations that you can approve or cancel are displayed in this pane.
• Approve adds an approval to the operation. If this completes the number of
approvals required, the operation proceeds.
• Cancel changes the status of the request to canceled. You must supply a
reason for canceling the request. The request will remain in the queue with
its new status.
• Cancel and Delete cancels the request and deletes it from the queue.
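The queue described above is a dual-control mechanism: a sensitive operation proceeds only after a second user whose profile permits it adds the required approval, while Cancel records a reason and leaves the item in the queue and Cancel and Delete removes it. The following Python model is added here to show how those rules fit together and is not part of DV Administration. Permissions are a simple user-to-operation-name map standing in for the profile permissions the Security Manager Administration User Guide describes; the assumption that the requester cannot count as the second user is taken from the wording "a second user" above. User names and operations are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class QueuedOperation:
    op_id: int
    name: str                      # one of the sensitive operations, e.g. "Delete CVCA"
    requester: str
    approvals_required: int
    approvals: Set[str] = field(default_factory=set)
    status: str = "pending"        # pending | completed | canceled
    cancel_reason: Optional[str] = None


class OperationQueue:
    """Dual-control queue. `permissions` maps a user to the names of the
    operations that user's profile allows them to approve or cancel."""

    LIST_LIMIT = 100  # the list view shows up to 100 most recently queued items

    def __init__(self, permissions: Dict[str, Set[str]]):
        self._permissions = permissions
        self._ops: List[QueuedOperation] = []
        self._next_id = 1

    def submit(self, name: str, requester: str, approvals_required: int = 1) -> QueuedOperation:
        op = QueuedOperation(self._next_id, name, requester, approvals_required)
        self._next_id += 1
        self._ops.append(op)
        return op

    def _may_act(self, user: str, op: QueuedOperation) -> bool:
        # Assumption: the requester is never the "second user" for their own request.
        return op.name in self._permissions.get(user, set()) and user != op.requester

    def visible_to(self, user: str) -> List[QueuedOperation]:
        """Only operations the user can approve or cancel are shown."""
        return [op for op in self._ops if op.status == "pending" and self._may_act(user, op)]

    def approve(self, op: QueuedOperation, user: str) -> bool:
        """Add one approval; the operation proceeds once the count is reached."""
        if op.status != "pending" or not self._may_act(user, op):
            return False
        op.approvals.add(user)            # a set: one user counts once
        if len(op.approvals) >= op.approvals_required:
            op.status = "completed"
        return True

    def cancel(self, op: QueuedOperation, user: str, reason: str) -> bool:
        """Mark the request canceled with a mandatory reason; it stays queued."""
        if op.status != "pending" or not self._may_act(user, op):
            return False
        if not reason.strip():
            raise ValueError("a reason is required to cancel a queued operation")
        op.status = "canceled"
        op.cancel_reason = reason
        return True

    def cancel_and_delete(self, op: QueuedOperation, user: str) -> bool:
        """Cancel the request and remove it from the queue entirely."""
        if op.status != "pending" or not self._may_act(user, op):
            return False
        op.status = "canceled"
        self._ops.remove(op)
        return True

    def list_recent(self) -> List[QueuedOperation]:
        return list(reversed(self._ops))[: self.LIST_LIMIT]


if __name__ == "__main__":
    # Constructed users: alice and bob may handle "Delete CVCA", carol may not.
    queue = OperationQueue({"alice": {"Delete CVCA"}, "bob": {"Delete CVCA"}, "carol": set()})
    op = queue.submit("Delete CVCA", requester="alice")
    print("alice self-approves:", queue.approve(op, "alice"))
    print("carol approves:", queue.approve(op, "carol"))
    print("bob approves:", queue.approve(op, "bob"), op.status)
```

Two details carry the security value: approvals are a set keyed by user, so one approver cannot satisfy a two-approval requirement by clicking twice, and the requester is excluded, so the person who queued a CVCA deletion cannot also be the one who releases it.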

To search queued operations


1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).
2 Click Queued Operations.
3 Click the Search Queued Operations tab.

The Search Queued Operations page is displayed.

4 Set the search options to return the results that you require (for example, all
queued operations that you can approve, or all queued operations submitted on a
particular date). Use the options in combination to create the list of search results
that fits your needs.
5 Click Submit.

Listing queued operations


1 Log in to the DV Administration interface (see “Logging in to DV
Administration” on page 1523).

2 Click Queued Operations.
3 Click the List Queued Operations tab.
The List Queued Operations page is displayed.

55 Customizing DV Administration
Entrust Authority Administration Services allows you to customize DV Administration.
By making changes to specific files, you can customize DV Administration to match
your organization’s corporate identity.
This chapter contains the following sections:
• “Customizing the DV Administration interface” on page 1634
• “Customizing the online help for DV Administration” on page 1638
• “Customizing DV Administration styles” on page 1643
• “Adding a custom notification service” on page 1644

Customizing the DV Administration interface
When customizing the DV Administration interface, you can make several changes
to reflect the corporate identity of your company. This section provides you with
details about how to apply those changes.

Note:
Any changes you make may require you to complete manual tasks when you
upgrade to the next version of Administration Services. It is recommended that
you keep track of the changes you make.

This section includes the following topics:


• “Adding your company logo to DV Administration” on page 1634
• “Customizing the browser title for DV Administration” on page 1635
• “Customizing the application title for DV Administration” on page 1636

Adding your company logo to DV Administration


You can add your company logo to all DV Administration pages.

To add your company logo to DV Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Add your organization’s logo to the images folder located at:
<AS-install>\services\dvadmin\<instance>\webapp\<locale>\images
3 Navigate to the following folder:
<AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\xsl\<locale>
4 Open common-page.xsl in a text editor.
5 Locate the placeholder for entrust_logo.gif as shown:
<img class="left-floating" alt=""
src="{$home}/images/entrust_logo.gif"/>
6 Replace entrust_logo.gif with the GIF file name of your logo.
7 Save and close the file.
8 Restart your Tomcat server and clear your browser cache.
Your logo now appears in the title bar of DV Administration dynamic pages.

Figure 32: Your company logo in DV Administration

Customizing the browser title for DV Administration


You can replace the browser title of DV Administration with a title of your choice.

To customize the browser title for DV Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Navigate to the following folder:
<AS-install>\services\dvadmin\<instance>\webapp
3 Open browserTitleLang.jsp in a text editor.
4 Locate the browserTitle variable. By default:
<%! final String browserTitle="Entrust Authority&#153; DV Administration"; %>
5 Replace the existing value with the title chosen by your company. For example:
<%! final String browserTitle="Custom browser title"; %>
6 Save and close the file.

7 Restart your Tomcat server and clear your browser cache.
Your customized title now appears in the browser window title bar of all DV
Administration static and dynamic pages.

Figure 33: Custom browser title for DV Administration

Customizing the application title for DV Administration


You can replace the DV Administration title with your organization’s name or any
other name your organization chooses.

To change the application title in DV Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Navigate to the following folder:
<AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\xsl\<locale>
3 Open dv-lang.xsl in a text editor.
4 Locate the title variable. By default:
<xsl:variable name="title">Entrust Authority&#153; DV Administration</xsl:variable>
5 Replace the existing value with the title chosen by your company. For example:
<xsl:variable name="title">Custom Application Title</xsl:variable>
6 Save and close the file.
7 If you want to add a second line to the application title:
a Open dv-lang.xsl in a text editor.
b Locate the title variable. By default:
<xsl:variable name="title">Entrust Authority&#153; DV Administration</xsl:variable>
c Replace the existing value with the first line of the title chosen by your
company. For example:
<xsl:variable name="title">My Company</xsl:variable>
d Add a new variable for the second line of the title. For example:
<xsl:variable name="title">My Company</xsl:variable>
<xsl:variable name="second.title">Custom Application Title</xsl:variable>
e Save and close the file.
f Open common-page.xsl in a text editor.
g Locate the <xsl:template name="header"> section. By default:
<xsl:template name="header">
<img class="left-floating" alt=""
src="{$home}/images/entrust_logo.gif"/>
<img class="right-floating" alt=""
src="{$home}/images/auth_logo.gif"/>
<h1>
<xsl:value-of select="$title"/>
</h1>
</xsl:template>
h Before the closing </h1> tag, add <br/> and then a reference to the new
variable you added. For example:
<h1>
<xsl:value-of select="$title"/><br/><xsl:value-of
select="$second.title"/>
</h1>
i Save and close the file.
8 Restart your Tomcat server and clear your browser cache.
Your custom application title now appears in the DV Administration dynamic pages.

Figure 34: Custom application title for DV Administration dynamic pages

Customizing the online help for DV Administration
You can customize the online help for DV Administration. This section describes how
to customize the DV Administration online help, including how to add new help files.
This section contains the following topics:
• “Location of the DV Administration help files” on page 1638
• “Editing the content of the DV Administration help files” on page 1639
• “Updating the browser title of the DV Administration online help” on page 1640
• “Updating the application title of the DV Administration online help” on page 1640

Location of the DV Administration help files


The help files are JSP files that are called by DV Administration by their file name. You
can find the help files in the following folder on the server hosting the application
server components:
<AS-install>\services\dvadmin\<instance>\webapp\<locale>\help
To make changes to the DV Administration help pages, edit the following files:
• <help_topic>.jsp
Edit any of the help files to change the content.
• titleBarLang.jsp
Edit this file to customize the title and information bar of the DV
Administration help pages.
• help.css
Edit this file to change colors, fonts, and styles. See “Customizing DV
Administration styles” on page 1643 for details.
The following table lists the DV Administration online help files.

Table 105: DV Administration online help files

File name                                         Description
certificate-cvca-dv-help.jsp                      Import CVCA/DV Certificate Request help page
certificate-request-help.jsp                      Certificate Request help page
cvca-add-help.jsp                                 Add Country Verification CA help page
cvca-delete-help.jsp                              Delete Country Verification CA help page
cvca-display-help.jsp                             Display Country Verification CA help page
cvca-export-certificate-help.jsp                  Export CVCA Certificate help page
cvca-operations-help.jsp                          Enable or Disable Country Verification CA help page
cvca-view-certificate-help.jsp                    View Country Verification CA Certificate help page
documentation-help.jsp                            DV Administration online help table of contents
dv-export-certificate-help.jsp                    Export Document Verifier Certificate help page
generate-certificate-request-help.jsp             Generate Certificate Request help page
generate-countersign-certificate-request-help.jsp Generate Certificate Request for Countersigning help page
glossary-help.jsp                                 Glossary of terms
is-add-help.jsp                                   Add Inspection System help page
is-delete-help.jsp                                Delete Inspection System help page
is-display-help.jsp                               Display Inspection System help page
is-export-certificate-help.jsp                    Export Inspection System help page
is-operations-help.jsp                            Enable or Disable Inspection System help page
is-policy-help.jsp                                Inspection System Policy help page
is-view-certificate-help.jsp                      View Inspection System Certificate help page
queued-approve-help.jsp                           Approve Queued Operations help page
queued-list-help.jsp                              List Queued Operations help page
queued-search-help.jsp                            Search Queued Operations help page

Editing the content of the DV Administration help files


You can edit the content in the existing JSP help files. Always back up a file before
you edit it.

To edit the content of a DV Administration help file


1 Log in to the Administration Services server hosting the application server
components.
2 Using any text editor, open the <help_topic>.jsp file you want to edit.

3 Locate and change the text you want to update. Change only the help text so
you do not corrupt any of the code strings.
The following sample shows customized text to display your organization or
product name in the documentation-help.jsp file.
<!-- **************** START BODY CONTENT ****************** -->
<P CLASS="help-p-app-subtitle"><%=titleHelpIndex%></P>
<P CLASS="help-p-inst-text">For information on using
<%=title%> click on any of the following help topics:</P>
<BR>
4 Save and close the file.

Updating the browser title of the DV Administration online help


You can replace the browser title of DV Administration with a title of your choice.

To change the browser title of the DV Administration online help


1 Log in to the Administration Services server hosting the application server
components.
2 Navigate to the following folder:
<AS-install>\services\dvadmin\<instance>\webapp\<locale>
3 Open titleBarLang.jsp in a text editor.
4 Locate the title variable. By default:
static final String title="Entrust Authority&#153; DV
Administration";
5 To change the application title, replace the value of title with the title chosen
by your company. For example:
static final String title="Custom Application Title";
6 Restart your Tomcat server and clear your browser cache.

Updating the application title of the DV Administration online help
You can replace the title (Entrust Authority DV Administration Help) with your own
title.

To change the application title of the DV Administration help pages


1 Log in to the Administration Services server hosting the application server
components.

2 Navigate to the following folder:
<AS-install>\services\dvadmin\<instance>\webapp\<locale>
3 Open titleBarLang.jsp in a text editor.
4 Locate the titleHelp and titleHelpIndex variables. By default:
static final String titleHelp="Entrust Authority&#153; DV
Administration Help";
static final String titleHelpIndex="Entrust Authority&#153; DV
Administration Help Index";
5 To change the application title, replace the value of titleHelp with the title
chosen by your company. For example:
static final String titleHelp="Custom Application Title Help";
If you want to add a second line to the application title, add <br/> and then enter
the second line of the title. For example:
static final String titleHelp="My Company<br/>Custom Application
Title";
6 To change the title of the table of contents, replace the value of titleHelpIndex
with the title chosen by your company. For example:
static final String titleHelpIndex="Custom Application Title Help
Index";
7 Save and close the file.
8 Restart your Tomcat server and clear your browser cache.
Your custom title now appears on all help pages.

Figure 35: Custom application title on a DV Administration help page

Customizing DV Administration styles
You can customize the DV Administration interface with your choice of colors, fonts,
and styles by changing values in the Cascading Style Sheets (CSS) files. The settings
in the CSS files are assigned by class. You can find the CSS files in the following folder
on the server hosting the application server components:
<AS-install>\services\dvadmin\<instance>\webapp\<locale>\css
The following table briefly describes the different CSS files that control how the DV
Administration interface looks.

Table 106: List of CSS files for DV Administration

CSS file Description

calendar.css Defines the styles for the date selector.

commonpage.css Defines the styles for elements common to all pages in the
interface, such as the title bar.

datagrid.css Defines the styles for grid tables in the interface.

details.css Defines the styles on Details pages.

general.css Defines the styles for elements independent of any page or
template used by the interface.

help.css Defines the styles for the DV Administration online help.

search.css Defines how search options appear in the interface.

style.css Loads all the CSS files except the help.css file.

Only someone with a good knowledge of CSS should edit the CSS files. When editing
the CSS files, take care not to make any changes that can break the DV
Administration interface. Always back up a file before making any edits to the file.

Adding a custom notification service
Email notification is an optional feature that sends email messages to administrators
or users when specific events occur.
Administration Services allows you to install your own custom notification service that
you can chain to the default email notification service, or replace the default email
notification service altogether.

To add a custom notification service


1 Log in to the Administration Services server hosting the application server
components.
2 Provide a Java class that implements the
com.entrust.adminservices.xapnotify.NotificationService interface and
add it to the classpath of your DV Administration instance at
<AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\classes
3 Configure your custom notification service by editing the
configuration.global.xml file at
<AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\config
You can configure your custom notification service to invoke for all, or for only
some, administration events.
See <AS-install>\examples\javadocs\index.html for more details about how to
configure a custom notification service.
For more information about configuring email notification, see the Entrust Authority
Administration Services Configuration Guide.

56

Localizing DV Administration
DV Administration includes the default locale en_US. The DV Administration file
system allows you to add more than one locale folder for each DV Administration
instance. This chapter describes how to add a new locale to DV Administration.
The preferred language setting in your browser determines the initial locale (the
locale in which you first access the DV Administration interface). Links to all other
installed locales appear in the navigation bar of the DV Administration interface login page.
When you switch to a new locale, the Language Preference browser setting no longer
applies. You can specify more than one preferred language in your browser settings,
but only the first one in the list is applied. If your browser's default language is your
localized language, the localized page appears with a link to the English page. If the
browser preferred language is not installed, DV Administration always uses the
default locale en_US.

Note:
Do not remove en_US as it is the default locale.

This appendix includes the following sections:


• “Localization overview” on page 1646
• “Location of DV Administration locale folders” on page 1647
• “Adding a DV Administration locale” on page 1648
• “Translating DV Administration files” on page 1649
• “Troubleshooting localization in DV Administration” on page 1652

Localization overview
Localization is the process of modifying or adapting a software application to fit the
requirements of a particular locale. Localization includes translating application text
to conform with a specific locale, and it might also include modifying the date, time,
and currency formats.

About locales
A locale is a specific geographic, political, or cultural region. Locales are generally
specified using a language code combined with a country code.
Language codes are two-letter codes defined by ISO 639 Code for the representation
of the names of languages. By convention, language codes are shown in lower case.
Some common examples include:
• en—English
• fr—French
• ja—Japanese
• ko—Korean
• zh—simplified and traditional Chinese
Country codes are two-letter codes defined by ISO 3166 Country Codes. By
convention, country codes appear in upper case. Some common examples include:
• CA—Canada
• US—United States
• GB—United Kingdom (Great Britain)
• JP—Japan
• CN—China

Defining locales
Locales are generally specified using a combination of a language code and a country
code. The most common interpretation of this standard is the two-letter language
code followed by the two-letter country code, for example:
• fr_CA—French (Canada)
• en_US—English (United States)
• en_GB—English (United Kingdom)
• ja_JP—Japanese (Japan)

Location of DV Administration locale folders
You can add locale folders in the following locations on the server hosting the
application server components:
<AS-install>\services\dvadmin\<instance>\webapp
<AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\xsl
<AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\ens\xsl
Administration Services looks for locales in the following order:
• lang_country (for example, fr_CA)
• lang only (for example fr)
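The locale naming convention from "Defining locales" and the lookup order above, worked through as an added example. This is not code from the Entrust guide; it assumes the browser's preferred language reaches the server as an HTTP Accept-Language header and that the installed locales are simply the folder names under webapp. The point a practitioner should take from it is that a locale name coming from the client is validated against the ll_CC pattern before it is ever used to choose a folder, so header text can never become a path segment.

```javascript
// Added example (not code from the Entrust guide): pick the installed
// DV Administration locale folder for a request, following the lookup order
// the guide describes (lang_country, then lang only, then the default en_US)
// and applying only the browser's first preferred language.

const DEFAULT_LOCALE = "en_US";

// A locale folder name is a two-letter lower-case language code, optionally
// followed by "_" and a two-letter upper-case country code (fr, fr_CA).
// Anything else is rejected so that client-supplied text never names a folder.
const LOCALE_NAME = /^[a-z]{2}(_[A-Z]{2})?$/;

// Parse an Accept-Language header value into language tags ordered by
// preference: higher q-value first, header order breaking ties.
function parseAcceptLanguage(header) {
  return header
    .split(",")
    .map((part, index) => {
      const [tag, ...params] = part.trim().split(";");
      let q = 1;
      for (const param of params) {
        const m = /^\s*q=(\d*\.?\d+)\s*$/.exec(param);
        if (m) q = Number(m[1]);
      }
      return { tag: tag.trim(), q, index };
    })
    .filter((entry) => entry.tag !== "" && entry.q > 0)
    .sort((a, b) => b.q - a.q || a.index - b.index)
    .map((entry) => entry.tag);
}

// Convert an HTTP language tag (fr-CA, ja) into the folder convention the
// guide uses (fr_CA, ja). Returns null for anything that is not well formed.
function toLocaleName(tag) {
  const [lang, region, ...rest] = tag.split("-");
  if (rest.length > 0) return null; // extra subtags are not supported here
  const name = region === undefined
    ? lang.toLowerCase()
    : `${lang.toLowerCase()}_${region.toUpperCase()}`;
  return LOCALE_NAME.test(name) ? name : null;
}

// Resolve the locale folder for a request. `installed` is the list of locale
// folder names present on the server (constructed sample data in the tests).
function resolveLocale(acceptLanguage, installed) {
  const folders = new Set(installed);
  const tags = parseAcceptLanguage(acceptLanguage || "");
  // Only the first preferred language is applied, as the guide states.
  const wanted = tags.length > 0 ? toLocaleName(tags[0]) : null;
  if (wanted !== null) {
    if (folders.has(wanted)) return wanted;      // lang_country match
    const langOnly = wanted.split("_")[0];
    if (folders.has(langOnly)) return langOnly;  // lang only match
  }
  return DEFAULT_LOCALE;                         // en_US fallback
}
```

With installed folders ["en_US", "fr"], a browser preferring fr-CA is served the fr folder; a browser whose first preference is de-DE falls back to en_US even if fr_CA is installed and listed second, which matches the "only the first one in the list is applied" rule above.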

Adding a DV Administration locale
To add a locale, you must create new locale folders that contain all contents of the
default en_US folders.

To add a new locale to DV Administration


1 Log in to the Administration Services server hosting the application server
components.
2 Create a new locale folder (such as fr_CA), in each of the following locations:
<AS-install>\services\dvadmin\<instance>\webapp
<AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\xsl
<AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\ens\xsl
3 Copy all folders and files from
<AS-install>\services\dvadmin\<instance>\webapp\en_US
to
<AS-install>\services\dvadmin\<instance>\webapp\<locale>
4 Copy all files from
<AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\ens\xsl\
en_US
to
<AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\ens\xsl\
<locale>
5 Copy all files from
<AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\xsl\
en_US
to
<AS-install>\services\dvadmin\<instance>\WEB-INF\xsl\<locale>
6 Navigate to the following folder:
<AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\classes
7 Create a copy of the following file:
EntrustAdminServicesResources.properties
and rename the file to:
EntrustAdminServicesResources_<locale>.properties
where <locale> is the new locale (such as es).
Before you can access your localized version of DV Administration, you must translate
a series of files. See “Translating DV Administration files” on page 1649 for more
information.

Translating DV Administration files
After creating the folders for the new locale, you must translate a series of files into
the language that matches your new locale. Translate all the DV Administration files
listed in the following table to match your new locale.

Table 107: DV Administration files to translate for your new locale

Each row lists the DV Administration files to translate and the location of the files.
All of these files are located on the server hosting the application server components.

The following DV Administration JSP files:
• errorLang.jsp
• titleBarLang.jsp
Location: <AS-install>\services\dvadmin\<instance>\webapp\<locale>

All DV Administration help files
Location: <AS-install>\services\dvadmin\<instance>\webapp\<locale>\help

The following DV Administration JavaScript files:
• validator-lang.js
Location: <AS-install>\services\dvadmin\<instance>\webapp\<locale>\javascript

EntrustAdminServicesResources_<locale>.properties
where <locale> is the new locale you added to DV Administration.
Location: <AS-install>\services\cvcaadmin\<instance>\webapp\WEB-INF\classes
This file contains error messages that can be displayed in DV Administration.
Translate all strings for EAC settings.

The following DV Administration XSL files:
• common-lang.xsl
• dv-lang.xsl
Location: <AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\xsl\<locale>

The DV Administration email notification templates
Location: <AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\ens\xsl\<locale>

To access your localized version of DV Administration
1 After translating the required files, restart Administration Services and clear your
browser cache.
2 In a Web browser, browse to the DV Administration login page.
Your DV Administration locale link is available from the DV Administration
interface login page.

Note:
If your browser's default language is your localized language, the localized page
will appear with a link to the English page.

3 Click the locale link.


The DV Administration interface is now available in your localized language
setting.

Figure 36: Localized DV Administration page

Troubleshooting localization in DV Administration
When you manually integrate translated files into the Administration Services
installation, incorrect page encodings may cause the pages to appear with extra white
lines or cause some characters to display in the wrong format.
To avoid these problems, you may need to add or update a few settings depending
on the new language.
The following examples provide you with some troubleshooting tips.

Translating email notification templates


When translating email notification templates for DV Administration, by default the
SMTP server character set is UTF-8:
<!-- SMTP Charset: The character set to use when sending messages
to the SMTP server. -->
<Charset>UTF-8</Charset>
You can find this setting in the configuration.global.xml file located on the server
hosting the DV Administration application server components:
<AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\config
In some cases you may need to update the <Charset> setting with another value.
Each locale in the DV Administration instance shares the same
configuration.global.xml file. If your language requires a special character set,
consider installing this locale on a separate DV Administration instance.

Translating JSP pages


When translating JSP pages, you may need to add a page encoding directive, as in
the following example of titleBarLang.jsp (French):
<%@ page pageEncoding="ISO-8859-1" %>
<%--
Component: Entrust Authority - DV Administration Service
Description: language strings for the titles
--%>
<%!
// Titles
static final String title="Entrust Authority&#153; DV
Administration";
static final String titleHelp="Entrust Authority&#153; DV
Administration Help";
static final String titleHelpIndex="Entrust Authority&#153; DV

Administration Help Index";
%>

HTML entities referenced by names


When referenced by name, some HTML entities may cause problems. To resolve
these problems, reference the HTML entities by number, such as the ISO 8859-1
character entities. For example, reference é as &#233; and not as &eacute;

Broken JavaScript code


In some cases, the apostrophe character (') may break JavaScript code and you must
replace the character with the entity number.
For example, consider the following error string (note the apostrophes):
static final String digidErrorGeneral = "Impossible de terminer
l'opération de gestion de l'ID numérique.";
If the error string is referenced in JavaScript code, such as
alert('<%=digidErrorGeneral%>');
it results in broken JavaScript code because the apostrophe is interpreted as a closing
quote for an alert function call:
alert('Impossible de terminer l'opération de gestion de l'ID
numérique.');
The following shows how to correctly define the error string:
static final String digidErrorGeneral = "Impossible de terminer
l&#8217;opération de gestion de l&#8217;ID numérique.";
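The two troubleshooting notes above ("HTML entities referenced by names" and "Broken JavaScript code"), worked through as an added example. This is not code from the Entrust guide. It takes the French error string quoted above, writes non-ASCII characters and apostrophes as numeric character references the way the guide recommends, and checks that the resulting alert() source actually parses. The jsStringLiteral helper is an alternative of my own, not something the guide describes: it escapes the string for a JavaScript literal directly instead of relying on HTML character references.

```javascript
// Added example (not code from the Entrust guide): show why an apostrophe in
// a language string breaks alert('<%=msg%>'), and that writing it as &#8217;
// (and é as &#233;) yields source that parses. Nothing here runs the alert;
// the Function constructor is used only to compile, never to invoke.

// Replace every apostrophe and every character outside printable ASCII with a
// decimal numeric character reference (the guide's advice: numbers, not names).
function toNumericEntities(s) {
  let out = "";
  for (const ch of s) {
    const cp = ch.codePointAt(0);
    if (ch === "'") {
      out += "&#8217;";          // right single quotation mark, as in the guide
    } else if (cp < 0x20 || cp > 0x7e) {
      out += `&#${cp};`;         // e.g. é becomes &#233;
    } else {
      out += ch;
    }
  }
  return out;
}

// Alternative not taken from the guide: escape for a JavaScript string literal
// directly. JSON.stringify handles quotes and backslashes; "<" is written as
// \u003c so the text can never form a closing </script> tag.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/</g, "\\u003c");
}

// Mimic what the JSP emits: the message dropped between single quotes in a
// call to alert(). Returns JavaScript source text only.
function renderAlertCall(message) {
  return `alert('${message}');`;
}

// Report whether a piece of JavaScript source compiles. A SyntaxError means the
// embedded string terminated the literal early, as described in the guide.
function parsesAsJavaScript(source) {
  try {
    new Function(source);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// The error string quoted in the guide (note the two apostrophes).
const FRENCH_ERROR =
  "Impossible de terminer l'opération de gestion de l'ID numérique.";
```

Note on where the guide's fix applies: numeric character references are decoded by the HTML parser, so &#8217; works when the JSP output lands in HTML content or an attribute value such as onclick. Text written directly inside a <script> element is not entity-decoded, and there jsStringLiteral (or an equivalent JavaScript escape) is the appropriate tool.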

Web browsers cannot display some locale names


On systems supporting some multibyte languages such as Japanese, the Web
browser may not be able to display the locale name in the native language. For
example, Japanese may be displayed as a series of question marks, such as ???.
The easiest fix for this problem is to display the locale in English.

To display the locale for DV Administration in English


1 Log in to the Administration Services server hosting the application server
components.
2 Open the common.jsp file. You can find the file in the following location:
<AS-install>\services\dvadmin\<instance>\webapp\WEB-INF\jsp
3 Change the setting
loc.getDisplayName(loc)

to
loc.getDisplayName(Locale.ENGLISH)
4 Save and close the file.
5 Restart Administration Services.

57

DV command quick reference


This quick reference appendix lists all the Security Manager Control Command Shell
commands for administering a Document Verifier, providing a description and
parameters of each command.

How to use this quick reference


<> Indicates variables, for example, <subsys>
[] Indicates options, for example, [-ldap]
| Indicates either/or parameters, for example, all | list
+ Indicates multiple values can be configured in one command

Security classes
3 Commands with no key icon are non-harmful commands that do not require
access to the database. They require no authorization.
2 Non-harmful commands. Autologin must be enabled or you must be
logged in to an active Security Manager Control Command Shell
session.
1 Commands requiring access to the database but not causing
irreversible change. You must be logged in to an active Security
Manager Control Command Shell session.
0 Commands causing a policy change or update that may be
irreversible. Requires one additional Master User password if policy
has been set to require multiple authorizations.

Table 108: dv commands

Command Description Class


dv init <country code> <mnemonic>
initialize the DV 1
• <country code> • ISO 3166-1 ALPHA-2 country code
• <mnemonic> • unique label for the DV certificate
Label must be between one and nine ISO
8859-1 Latin-1 characters.
dv identity view the holder identity of the DV 1
dv domestic-cvca view the holder identity of the Document 1
Verifier’s domestic CVCA
dv cert export [-overwrite] <output file> <holder reference> <authority
reference>
export a DV certificate 1
• [-overwrite] • overwrites the information currently in
the output file
• <output file> • fully qualified file name of the output file
• <holder reference> • holder reference of the DV certificate
• <authority reference> • authority reference of the DV certificate
dv cert export-chain [-overwrite] [-root|-link] <output file> <leaf holder
reference> <leaf authority reference> [<trust point holder reference>]
export a DV certificate chain, from a root or 1
link CVCA trust point to a DV leaf

• [-overwrite] • overwrites the information currently in
the output files
• [-root|-link] • specifies whether the CVCA certificate is
a root certificate (-root), or a link
certificate (-link)
If not specified, -root is assumed.
• <output file> • fully qualified file name of the output file
Security Manager appends a number
(starting at 1) to each file name when it
exports the certificates.
• <leaf holder reference> • holder reference of the DV certificate that ends the certificate chain
• <leaf authority reference> • authority reference of the DV certificate that ends the certificate chain
• [<trust point holder reference>] • holder reference of the CVCA certificate that starts the certificate chain
If not specified, the [-root|-link]
option is ignored and the initial root
CVCA certificate starts the certificate
chain.
dv cert list [<cvca identity>]
list all certificates issued to the DV 1
• [<cvca identity>] • holder identity of a particular CVCA
Allows you to list all DV certificates from
a particular CVCA.
dv cert show-keys view a report of active DV signing keys 0
dv cert view <holder reference> <authority reference>
view the contents of a stored DV certificate 1
• <holder reference> • holder reference of the DV certificate
• <authority reference> • authority reference of the DV certificate
dv certreq create [-allow expired|unauthenticated|xstream] [-overwrite] <output
file> <cvca identity>
create a DV certificate request 0

• [-allow expired|unauthenticated|xstream] • allows you to create a certificate request
signed by an expired certificate, create an unauthenticated certificate request, or
sign the certificate request with the current domestic DV signing keys
• [-overwrite] • overwrites the information currently in
the output file
• <output file> • fully qualified file name of the output file
• <cvca identity> • holder identity of the CVCA that will
process the request
dv certreq cancel <cvca identity> cancel a particular DV certificate request 0
dv certreq export [-overwrite] <output file> <cvca identity>
export a DV certificate request to a file 1
• [-overwrite] • overwrites the information currently in
the output file
• <output file> • fully qualified file name of the output file
• <cvca identity> • holder identity of the CVCA that will
process the request
dv certreq finish <input file>
finish a DV certificate request by importing 0
the DV certificate
• <input file> • the fully qualified file name of the file
containing the DV certificate
dv certreq list list all DV certificate requests 1
dv certreq view <cvca identity> view the contents of a stored DV certificate 1
request
dv config set [-reset] [-warn <days>] [-seqAlg A|N|CA|CN] [-super <value>]
[-softKey enabled|disabled]
set the global DV policy settings 1

• [-reset] • resets the existing policy settings to the
software defaults
If new parameters are specified, the new
values replace the existing values.
• [-warn <days>] • number of days before the certificate
expires when Security Manager starts
warning you of the impending expiry
A value of 0 suppresses the warnings.
• [-seqAlg A|N|CA|CN] • sequence number algorithm
5-digit alphanumeric (A), 5-digit numeric (N), country code plus 3-digit
alphanumeric (CA), or country code plus 3-digit numeric (CN).
• [-super <value>] • holder identity of the Document Verifier’s
domestic CVCA
• [-softKey enabled|disabled] • controls whether software is permitted as a storage location for the DV keys
By default, software is permitted as a
storage location.
dv config view view the global DV policy settings 1
dv cvca add <cvca identity> [-selfSvc yes|no]
add a CVCA 1
• <cvca identity> • holder identity of the CVCA
The CVCA holder identity must begin
with an ISO 3166-1 ALPHA-2 country
code, followed by one to nine ISO
8859-1 Latin-1 characters.
• [-selfSvc yes|no] • specifies whether to allow automated
self-service requests
dv cvca delete <cvca identity> delete a particular CVCA 0
dv cvca disable <cvca identity> disable a particular CVCA 1
dv cvca enable <cvca identity> enable a particular CVCA 1
dv cvca list [-state enabled|disabled]
list all CVCAs 1

• [-state enabled|disabled] • list all CVCAs with a specific state (enabled or disabled)
dv cvca modify <cvca identity> [-reset] [-selfSvc yes|no]
modify a CVCA 1
• <cvca identity> • holder identity of the CVCA
The CVCA holder identity must begin
with an ISO 3166-1 ALPHA-2 country
code, followed by one to nine ISO
8859-1 Latin-1 characters.
• [-reset] • resets the existing policy settings to the
global CVCA policy defaults
If new parameters are specified, the new
values replace the existing values.
• [-selfSvc yes|no] • specifies whether to allow automated
self-service requests
dv cvca search [-state enabled|disabled] [-selfSvc] [-selfSvc yes|no]
finds all CVCAs that meet specific search 1
criteria
• [-state enabled|disabled] • find all CVCAs in a specific state (enabled or disabled)
• [-selfSvc] • find CVCAs with a custom self-service
policy
• [-selfSvc yes|no] • find CVCAs that can (-selfSvc yes) or
cannot (-selfSvc no) perform
automated self-service operations
dv cvca view <cvca identity> view the details of a particular CVCA 1
dv cvca cert export [-overwrite] -root|-link <output file> <holder reference>
export a particular root or link CVCA 1
certificate

• [-overwrite] • overwrites the information currently in
the output file
• -root|-link • specifies whether the CVCA certificate is
a root certificate (-root), or a link
certificate (-link)
• <output file> • fully qualified file name of the output file
• <holder reference> • holder reference of the CVCA certificate
dv cvca cert export-chain [-overwrite] [-root|-link] <output file> <leaf holder
reference> [<trust point holder reference>]
export a CVCA certificate chain, from a 1
CVCA trust point to the CVCA leaf, to a
series of files
• [-overwrite] • overwrites the information currently in
the output file
• [-root|-link] • specifies whether the CVCA certificate is
a root certificate (-root), or a link
certificate (-link)
If not specified, -root is assumed.
• <output file> • fully qualified file name of the output file
• <leaf holder reference> • holder reference of the CVCA certificate that ends the CVCA certificate chain
• [<trust point holder reference>] • holder reference of the CVCA certificate that starts the CVCA certificate chain
If not specified, the [-root|-link]
option is ignored and the initial root
CVCA certificate starts the certificate
chain.
dv cvca cert import [-oobAuth|-valStrAuth <validation string>] <input file>
import a CVCA certificate 1

• [-oobAuth] • indicates that the CVCA was already authenticated by an out-of-band
method, such as diplomatic courier
This option is ignored for link certificates.
• [-valStrAuth <validation string>] • (root CVCA certificates only) allows you to
authenticate the CVCA certificate by providing the validation string of the CVCA
certificate
This option is ignored for link certificates.
• <input file> • the fully qualified file name of the file containing the CVCA certificate
dv cvca cert list <cvca identity> list self-issued certificates of a particular 1
CVCA
dv cvca cert view -root|-link <holder reference>
view the contents of a stored CVCA 1
certificate
• -root|-link • specifies whether the CVCA certificate is
a root certificate (-root), or a link
certificate (-link)
• <holder reference> • holder reference of the CVCA certificate
dv cvca config set [-reset] [-selfSvc yes|no]
set the global CVCA policy settings 1
• [-reset] • resets the existing policy settings to the
software defaults
If new policy settings are specified, the
new values replace the existing values.
• [-selfSvc yes|no] • specifies whether to allow automated
self-service requests
dv cvca config view view the global CVCA policy settings 1
dv is add <is identity> [-ar F|I|FI|""] [-lifetime years|months|weeks|days
<value>]
Add an Inspection System (IS) 1

• <is identity> • holder identity of the Inspection System
• [-ar F|I|FI|""] • specifies the IS holder access rights:
fingerprint (F), iris (I), fingerprint and iris
(FI), or none ("")
• [-lifetime years|months|weeks|days <value>] • lifetime of the IS certificates in years, months, weeks, or days
Must be between one day and 25 years.
dv is delete <is identity> delete a particular Inspection System 1
dv is disable <is identity> disable a particular Inspection System 1
dv is enable <is identity> enable a particular Inspection System 1
dv is list [-state enabled|disabled]
list all Inspection Systems 1
• [-state enabled|disabled] • list all Inspection Systems with a specific state (enabled or disabled)
dv is modify <is identity> [-reset] [-ar F|I|FI|""] [-lifetime
years|months|weeks|days <value>]
modify an Inspection System (IS) 1
• <is identity> • holder identity of the Inspection System
• [-reset] • resets the existing policy settings to the IS
global policy defaults
If new parameters are specified, the new
values replace the existing values.
• [-ar F|I|FI|""] • specifies the IS holder access rights:
fingerprint (F), iris (I), fingerprint and iris
(FI), or none ("")
• [-lifetime years|months|weeks|days <value>] • lifetime of the IS certificates in years, months, weeks, or days
Must be between one day and 25 years.
dv is search [-state enabled|disabled] [-ar] [-ar F|I|FI|""] [-lifetime]
[-lifetime years|months|weeks|days <value>]
finds all Inspection Systems that meet 1
specific search criteria

• [-state enabled|disabled] • find all Inspection Systems in a specific state (enabled or disabled)
• [-ar] • find Inspection Systems with custom holder access rights
• [-ar F|I|FI|""] • find Inspection Systems with specific holder access rights:
fingerprint (F), iris (I), fingerprint and iris (FI), or none ("")
• [-lifetime] • find Inspection Systems with a custom certificate lifetime
• [-lifetime years|months|weeks|days <value>] • find Inspection Systems with a specific
certificate lifetime in years, months, weeks, or days
dv is view <is identity> view the details about a particular Inspection 1
System
dv is cert export [-overwrite] <output file> <holder reference> <authority
reference>
export an Inspection System (IS) certificate 1
• [-overwrite] • overwrites the information currently in
the output file
• <output file> • fully qualified file name of the output file
• <holder reference> • holder reference of the IS certificate
• <authority
reference> • authority reference of the IS certificate
dv is cert export-chain [-overwrite] [-root|-link] <output file> <leaf holder
reference> <leaf authority reference> [<trust point holder reference>]
export an Inspection System (IS) certificate 1
chain, from a root or link CVCA trust point to
an IS leaf

1664 Entrust® ePassport 3.00 Solutions Guide Document issue: 5.0


Report any errors or omissions
Table 108: dv commands (continued)

Command Description Class


• [-overwrite] • overwrites the information currently in
the output files
• [-root|-link] • specifies whether the CVCA certificate is
a root certificate (-root), or a link
certificate (-link)
If not specified, -root is assumed.
• <output file> • fully qualified file name of the output files
Security Manager appends a number
(starting at 1) to each file name when it
exports the certificates.
• <leaf holder • holder reference of the IS certificate that
reference> ends the certificate chain
• <leaf authority • authority reference of the IS certificate
reference> that ends the certificate chain
• [<trust point • holder reference of the CVCA certificate
holder reference>] that starts the certificate chain
If not specified, the [-root|-link]
option is ignored and the initial root
CVCA certificate starts the certificate
chain.
dv is cert list <is identity> [<cvca identity>]
list all certificates issued to an Inspection 1
System by the Document Verifier
• <is identity> • holder identity of the Inspection System
• [<cvca identity>] • holder identity of the CVCA that
identifies a certificate stream
dv is cert view <holder reference> <authority reference>
view the contents of a stored Inspection 1
System certificate
• <holder reference> • holder reference of the IS certificate
• <authority
reference> • authority reference of the IS certificate
dv is certreq preview [-allow expired|unauthenticated] <input file> [<cvca
identity>]

DV command quick reference 1665


Report any errors or omissions
Table 108: dv commands (continued)

Command Description Class


preview an external Inspection System 1
certificate request determine whether an
attempt to process the certificate request will
succeed
• [-allow expired| • allows you to preview whether the dv is
unauthenticated] certreq process -allow
expired|unauthenticated command
will determine that the certificate request
contains a valid outer signature
• fully qualified file name of the file
• <input file> containing the certificate request
• the holder identity of the CVCA
• [<cvca identity>] certificate for the target certificate stream
dv is certreq process [-allow expired|unauthenticated] [-overwrite]
[-oobAuth|-valStrAuth <validationString>] <input file> <output file> [<cvca
identity>]
process an Inspection System certificate 0
request and issue the Inspection System
certificate

1666 Entrust® ePassport 3.00 Solutions Guide Document issue: 5.0


Report any errors or omissions
Table 108: dv commands (continued)

Command Description Class


• [-allow expired| • allows you to process a certificate request
unauthenticated] if it lacks an signature (unauthenticated)
or if it was signed by an expired certificate
• overwrites the information currently in
• [-overwrite] the output file
• indicates that the request was already
• [-oobAuth] authenticated by an out-of-band method
You only need to specify this parameter
for unauthenticated certificate requests.
• allows you to input the validation string
of the Inspection System certificate
• [-valStrAuth request
<validation
You only need to specify this parameter
String>]
for unauthenticated certificate requests.
• the fully qualified file name of the file
containing the certificate request
• <input file>
• the fully qualified file name of the output
file
• <output file>
• the holder identity of the CVCA
certificate for the target certificate stream
• [<cvca identity>]
dv is config set [-reset] [-ar F|I|FI|""] [-lifetime years|months|weeks|days
<value>] [-crOpts xstream|none]
set the policy for Inspection System (IS) 1
request processing

DV command quick reference 1667


Report any errors or omissions
Table 108: dv commands (continued)

Command Description Class


• [-reset] • resets the existing policy settings to the
software defaults
If new policy settings are specified, the
new values replace the existing values.
• [-ar F|I|FI|""] • specifies the IS holder access rights:
fingerprint (F), iris (I), fingerprint and iris
(FI), or none ("")
• [-lifetime years| • lifetime of the IS certificates in years,
months|weeks| months, weeks, or days
days <value>]
Must be between one day and 25 years.
• [-crOpts xstream
| -crOpts none] • accept foreign certificate requests signed
by the domestic stream (-crOpts
xstream), or not (-crOpts none)
dv is config view view the policy for Inspection System 1
certificate request processing
dv util cert preview <input file>
preview an external certificate 1
• <input file> • the fully qualified file name of the file
containing the certificate
dv util certreq preview <input file>
preview an external certificate request 1
• <input file> • the fully qualified file name of the file
containing the certificate request

1668 Entrust® ePassport 3.00 Solutions Guide Document issue: 5.0


Report any errors or omissions
Section 11
Appendix section

This section provides additional information about the Entrust ePassport Solution.
This section includes the following appendices:
• “Assurance policy tests performed on CSCA materials” on page 1671
• “Verifying the integrity of secure audit logs” on page 1675
• “Extended Access Control audit logs” on page 1677
• “Credentials for Administration Services” on page 1687
• “Glossary” on page 1701

58  Assurance policy tests performed on CSCA materials

The following table lists and describes the assurance policy tests that Administration
Services can perform on CSCA materials. The following services perform assurance
policy tests: NPKD services, Master List Signer services, and PKD Writer.

Table 109: Assurance policy tests performed on CSCA materials

Test: com.entrust.eid.validationengine.tests.AuthorityKeyIdentifierCritical
(Authority Key Identifier Extension Present/Not Critical)
Applicable materials: Document Signer certificates, Master lists
Description: Checks if the Authority Key Identifier is present and not critical.

Test: com.entrust.eid.validationengine.tests.BasicConstraintsCritical
(Basic Constraints Present and Critical)
Applicable materials: Document Signer certificates, Master lists, CSCA certificates
Description: Checks if the Basic Constraints extension is present and critical. For CSCA certificates, the Basic Constraints extension must be present and critical. For master lists and Document Signer certificates, the Basic Constraints extension must be absent.

Test: com.entrust.eid.validationengine.tests.CertificateExpired
(Certificate Expired)
Applicable materials: Document Signer certificates, Master lists, CSCA certificates
Description: Checks if the certificate has expired.

Test: com.entrust.eid.validationengine.tests.crl.CrlExpired
(CRL Expired)
Applicable materials: CRLs
Description: Checks if the CRL has expired.

Test: com.entrust.eid.validationengine.tests.crl.CrlHasNextUpdate
(CRL Next Update Present)
Applicable materials: CRLs
Description: Checks if the CRL Next Update date is present.

Test: com.entrust.eid.validationengine.tests.crl.CrlNumberPresent
(CRL Number Present)
Applicable materials: CRLs
Description: Checks if the CRL Number is present.

Test: com.entrust.eid.validationengine.tests.crl.CrlVersion
(CRL Version 2)
Applicable materials: CRLs
Description: Checks if the CRL is version 2.

Test: com.entrust.eid.validationengine.tests.CryptographicValidationTest
(Cryptographic Validation)
Applicable materials: CSCA certificates
Description: Checks if the cryptographic signature is valid.

Test: com.entrust.eid.validationengine.tests.dsc.DscSubjectIssuerMatch
(Subject and Issuer ISO Country Code Match)
Applicable materials: Document Signer certificates, Master lists, CSCA certificates
Description: Checks if the subject country code and the issuer country code match.

Test: com.entrust.eid.validationengine.tests.KeyUsagePresent
(Key Usage Extension Present and Critical)
Applicable materials: Document Signer certificates, Master lists, CSCA certificates
Description: Checks if the Key Usage extension is present and critical.

Test: com.entrust.eid.validationengine.tests.ml.SignatureValidation
(Master List Signature Validation)
Applicable materials: Master lists
Description: Checks if the signature on the master list is valid.

Test: com.entrust.eid.validationengine.tests.PrivateKeyUsagePeriodNonCritical
(Private Key Usage Period Extension Present/Not Critical)
Applicable materials: Document Signer certificates, Master lists, CSCA certificates
Description: Checks if the Private Key Usage Period extension is present and not critical.

Test: com.entrust.eid.validationengine.tests.PublicKeyAlgorithmComplianceTest
(Public Key Algorithm Compliance)
Applicable materials: Document Signer certificates, Master lists, CSCA certificates
Description: Checks if the public key algorithm complies with ICAO standards.

Test: com.entrust.eid.validationengine.tests.RevocationTest
(Revocation)
Applicable materials: Document Signer certificates, Master lists
Description: Checks if the certificate is on the country’s most recent CRL.

Test: com.entrust.eid.validationengine.tests.StrictRFC5280ValidationTest
(Strict RFC5280 Validation)
Applicable materials: Document Signer certificates, Master lists
Description: Checks if the certificate is valid according to RFC 3280 X.509 rules.

Test: com.entrust.eid.validationengine.tests.SubjectFormatComplianceTest
(Subject Format Compliance)
Applicable materials: Document Signer certificates, Master lists, CSCA certificates
Description: Checks if the subject format complies with the ICAO standard.

Test: com.entrust.eid.validationengine.tests.TrustChainTest
(Valid Trust Chain)
Applicable materials: Document Signer certificates, Master lists, CSCA certificates
Description: Checks if the certificate can chain up to a valid trust anchor.

Test: com.entrust.eid.validationengine.tests.X509Version
(X.509 Certificate Version 3)
Applicable materials: Document Signer certificates, Master lists, CSCA certificates
Description: Checks if the certificate is version 3.
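The following is an added example, not Entrust code and not the validation engine's own implementation: it re-creates the material-dependent rules from Table 109 (Basic Constraints required and critical on a CSCA certificate but forbidden on Document Signer certificates and master lists, Authority Key Identifier present but non-critical, Key Usage present and critical, and so on) and runs them over constructed certificate summaries rather than DER-encoded X.509. The dictionary field names ("material", "extensions", "critical", "notAfter", "subjectCountry") and the sample country code "UT" are assumptions of this example; in practice they would be filled from a parsed certificate.

```python
# Added example, not Entrust code: re-implements the material-dependent rules of
# Table 109 over constructed certificate summaries (dicts) rather than DER.
# Field names ("material", "extensions", "critical", "notAfter", ...) are
# assumptions of this example.
from datetime import datetime, timezone

# CSCA = CSCA certificate, DSC = Document Signer certificate, ML = master list
CERT_MATERIALS = ("CSCA", "DSC", "ML")


def _ext(critical):
    """Constructed stand-in for a decoded extension; only the critical flag matters here."""
    return {"critical": critical}


def check_authority_key_identifier(cert, now):
    """AuthorityKeyIdentifierCritical: DSC and master lists only; present and NOT critical."""
    if cert["material"] not in ("DSC", "ML"):
        return None
    ext = cert["extensions"].get("authorityKeyIdentifier")
    if ext is None:
        return "Authority Key Identifier extension is missing"
    if ext["critical"]:
        return "Authority Key Identifier extension must not be critical"
    return None


def check_basic_constraints(cert, now):
    """BasicConstraintsCritical: CSCA must carry a critical Basic Constraints
    extension; DSC and master lists must not carry one at all."""
    ext = cert["extensions"].get("basicConstraints")
    if cert["material"] == "CSCA":
        if ext is None:
            return "Basic Constraints extension is missing on CSCA certificate"
        if not ext["critical"]:
            return "Basic Constraints extension must be critical on CSCA certificate"
        return None
    if ext is not None:
        return "Basic Constraints extension must be absent on %s" % cert["material"]
    return None


def check_expired(cert, now):
    """CertificateExpired."""
    if cert["notAfter"] < now:
        return "certificate expired on %s" % cert["notAfter"].date().isoformat()
    return None


def check_key_usage(cert, now):
    """KeyUsagePresent: extension present and critical."""
    ext = cert["extensions"].get("keyUsage")
    if ext is None:
        return "Key Usage extension is missing"
    if not ext["critical"]:
        return "Key Usage extension must be critical"
    return None


def check_private_key_usage_period(cert, now):
    """PrivateKeyUsagePeriodNonCritical: extension present and not critical."""
    ext = cert["extensions"].get("privateKeyUsagePeriod")
    if ext is None:
        return "Private Key Usage Period extension is missing"
    if ext["critical"]:
        return "Private Key Usage Period extension must not be critical"
    return None


def check_country_match(cert, now):
    """dsc.DscSubjectIssuerMatch: subject and issuer ISO country codes agree."""
    if cert["subjectCountry"] != cert["issuerCountry"]:
        return "subject country %s does not match issuer country %s" % (
            cert["subjectCountry"], cert["issuerCountry"])
    return None


def check_version(cert, now):
    """X509Version: certificate must be X.509 version 3."""
    if cert["version"] != 3:
        return "certificate is X.509 version %d, expected 3" % cert["version"]
    return None


# Test name as listed in Table 109 (package prefix omitted) -> check function.
CHECKS = [
    ("AuthorityKeyIdentifierCritical", check_authority_key_identifier),
    ("BasicConstraintsCritical", check_basic_constraints),
    ("CertificateExpired", check_expired),
    ("KeyUsagePresent", check_key_usage),
    ("PrivateKeyUsagePeriodNonCritical", check_private_key_usage_period),
    ("dsc.DscSubjectIssuerMatch", check_country_match),
    ("X509Version", check_version),
]


def run_assurance_tests(cert, now):
    """Return [(test name, reason), ...] for each failed test; [] means all passed."""
    if cert["material"] not in CERT_MATERIALS:
        raise ValueError("unknown material %r" % cert["material"])
    failures = []
    for name, check in CHECKS:
        reason = check(cert, now)
        if reason is not None:
            failures.append((name, reason))
    return failures


# Constructed sample materials (not real certificates); "UT" is a placeholder country code.
NOW = datetime(2019, 4, 1, tzinfo=timezone.utc)
GOOD_CSCA = {
    "material": "CSCA", "version": 3, "subjectCountry": "UT", "issuerCountry": "UT",
    "notAfter": datetime(2030, 1, 1, tzinfo=timezone.utc),
    "extensions": {"basicConstraints": _ext(True), "keyUsage": _ext(True),
                   "privateKeyUsagePeriod": _ext(False)},
}
BAD_DSC = {  # critical AKI, stray Basic Constraints, non-critical Key Usage, expired, country mismatch
    "material": "DSC", "version": 3, "subjectCountry": "UT", "issuerCountry": "XX",
    "notAfter": datetime(2018, 1, 1, tzinfo=timezone.utc),
    "extensions": {"authorityKeyIdentifier": _ext(True), "basicConstraints": _ext(True),
                   "keyUsage": _ext(False)},
}

if __name__ == "__main__":
    for label, cert in (("good CSCA", GOOD_CSCA), ("bad DSC", BAD_DSC)):
        for name, reason in run_assurance_tests(cert, NOW):
            print("%s: %s FAILED: %s" % (label, name, reason))
```

The point the example makes is that the same extension rule reads differently per material: a Basic Constraints extension that is mandatory on the CSCA is a policy failure on a Document Signer certificate, so a checker has to be told what kind of material it is looking at before it can judge the extensions.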

59  Verifying the integrity of secure audit logs

The following services in Administration Services maintain a secure audit log:
• PKD Writer
The PKD Writer maintains a secure audit log of all materials uploaded to the
ICAO PKD. The secure audit log is secured using the PKD Writer Server
profile.
• NPKD
NPKD maintains a secure audit log of important events and some
accompanied data. The secure audit log is secured using the NPKD Server
profile.
Administration Services includes the Secure Audit Check Utility. You can use this
utility to verify the integrity of secure audit logs to ensure no one has tampered with
the secure audit logs.

To verify the integrity of a secure audit log


1 Log in to the Administration Services server hosting the application server
components.
2 On a command line, navigate to the following directory:
<AS-install>/tools/audit-check
3 Enter the following command:
checkaudit.bat [-noevents] <audit-file> <entrust.ini> <profile-name> [<ual-file>]
Parameters in square brackets are optional parameters. Where:
• -noevents checks only the integrity of the secure audit file, and does not
print out individual event data.

• <audit-file> is the full path and file name of the secure audit log, without
the audit file sequence number appended to the file name.
Administration Services will append a sequence number to the file name,
such as pkdwriter_audit.log.0001. Do not include the sequence number
when specifying the file name.
• <entrust.ini> is an entrust.ini file from the Certification Authority (CA)
that issued the server profile.
• <profile-name> is the full path and file name of the server profile.
• <ual-file> is the full path and file name of the UAL file (Server Login
credentials for the server profile). If not specified, you must enter the profile
password when prompted.
For example:
checkaudit.bat "C:/Program Files/Entrust/AdminServices/services/pkdwriter/pkdwriter/logs/pkdwriter_audit.log" "C:/entrust.ini" "C:/PKD Writer Server.epf" "C:/PKD Writer Server.ual"
4 If you did not specify the path and file name of the UAL file, you are prompted
to provide the profile password:
Enter your profile password:
Enter the profile password.
The secure audit check utility verifies the integrity of the security audit log.
If an error occurs while verifying the integrity of an audit log, an error similar to the following is displayed:
Error parsing audits: org.xml.sax.SAXException: MAC on entry failed
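To show what the "MAC on entry failed" check is guarding against, here is an added example (not Entrust code, and not the actual PKD Writer or NPKD log format): a small MAC-chained audit log in which each entry's MAC covers the previous entry's MAC, the sequence number and the event text, plus the verifier that walks the chain. The chaining scheme, the key and the event strings are assumptions constructed for this example; the guide does not describe how Administration Services derives the MAC key from the server profile.

```python
# Added example, not Entrust code: an illustrative MAC-chained audit log and the
# check a tool like checkaudit performs over it.  The real PKD Writer / NPKD log
# format and the way the MAC key is derived from the server profile are not
# described in the guide; the chaining scheme below is an assumption.
import copy
import hashlib
import hmac


def _entry_mac(key, prev_mac, seq, event):
    """MAC over (previous entry's MAC || sequence number || event text), so each
    entry is bound to everything written before it."""
    msg = prev_mac + seq.to_bytes(4, "big") + event.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def write_audit_log(key, events):
    """Build a list of {seq, event, mac} entries from plain event strings."""
    entries, prev = [], b""
    for seq, event in enumerate(events, start=1):
        mac = _entry_mac(key, prev, seq, event)
        entries.append({"seq": seq, "event": event, "mac": mac})
        prev = bytes.fromhex(mac)
    return entries


def check_audit_log(key, entries):
    """Return (True, None) when every entry verifies and the sequence is
    unbroken, else (False, seq) for the first entry that fails, which is the
    point at which a checker reports 'MAC on entry failed'."""
    prev = b""
    for expected_seq, entry in enumerate(entries, start=1):
        if entry["seq"] != expected_seq:          # entry removed or reordered
            return False, entry["seq"]
        expected = _entry_mac(key, prev, entry["seq"], entry["event"])
        if not hmac.compare_digest(entry["mac"], expected):  # edited, or wrong key
            return False, entry["seq"]
        prev = bytes.fromhex(entry["mac"])
    return True, None


# Constructed sample log: key and events are made up for the example.
KEY = b"constructed-demo-key-not-a-real-profile-key"
EVENTS = [
    "27988 EAC: An IS was added.",
    "27971 EAC: An IS certificate was issued.",
    "27970 EAC: An IS certificate request was rejected.",
]


def demo():
    good = write_audit_log(KEY, EVENTS)
    edited = copy.deepcopy(good)
    edited[1]["event"] = "27970 EAC: An IS certificate request was rejected."  # rewrite entry 2
    dropped = good[:1] + good[2:]                                          # delete entry 2
    return {
        "intact": check_audit_log(KEY, good),
        "edited": check_audit_log(KEY, edited),
        "dropped": check_audit_log(KEY, dropped),
        "wrong_key": check_audit_log(b"other-key", good),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Editing or deleting an entry breaks the chain at that entry, and a verifier without the right key fails on entry 1. One limitation worth knowing when interpreting a clean result: a chain like this does not by itself detect that the newest entries were cut off the end of the file, so the count or final MAC of the log has to be recorded somewhere the attacker cannot reach for truncation to be noticed.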

60  Extended Access Control audit logs

The following table lists all Security Manager audit logs relating to Extended Access
Control (EAC) and briefly explains what they mean. For more information about audit
logs, see the Security Manager Operations Guide and the Security Manager
Administration User Guide.
An audit record may have one of three severity ratings. In order of increasing
importance, they are: Log, Event, and ALARM.

Note:
If your organization has customized the severity rating of any of the audit
records, the severity rating that appears in the table below may not match the
severity rating that appears in the audit published in third-party application files.
For details, see the Security Manager Operations Guide.

Table 110: Security Manager audit logs related to Extended Access Control

Audit Severity Audit log message and information


27952 Event EAC: A DV certificate request was resubmitted (it had already
been processed). A new certificate was not issued. The
existing certificate with matching holder reference and public
key was instead returned.
Indicates that a CVCA administrator attempted to submit a Document
Verifier certificate request that was already submitted. The audit includes:
• the DV identity
• the holder and authority reference of the DV certificate
• the holder access rights of the DV certificate
• the effective and expiration date of the DV certificate
• name of the Master User or the DN of the administrator
27953 Event EAC: An IS certificate request was resubmitted (it had already
been processed). A new certificate was not issued. The
existing certificate with matching holder reference and public
key was instead returned.
Indicates that a Document Verifier administrator attempted to submit an
Inspection System certificate request that was already submitted. The audit
includes:
• the Inspection System identity
• the holder and authority reference of the Inspection System certificate
• the holder access rights of the Inspection System certificate
• the effective and expiration date of the Inspection System certificate
• name of the Master User or the DN of the administrator
27954 Event EAC: The CVCA global policy has been updated.
Indicates that a Document Verifier administrator changed the CVCA policy.
The audit displays the policy settings that were changed, and the name of
the Master User or the DN of the administrator who changed the policy.
27955 Event EAC: An expired IS certificate has been deleted.
When the Document Verifier issues a new Inspection system certificate for
a certificate stream, the Document Verifier deletes all expired Inspection
System certificates in that certificate stream, except the most recently
expired certificate. The audit displays the holder reference and authority
reference of the certificate that was deleted, and the name of the Master
User or the DN of the administrator who deleted the certificate.

27956 Event EAC: An expired DV certificate has been deleted.
When the CVCA issues a new Document Verifier certificate for a certificate
stream, the CVCA deletes all expired Document Verifier certificates in that
certificate stream, except the most recently expired certificate.
When the Document Verifier imports a new Document Verifier certificate
for a certificate stream, the Document Verifier deletes all expired Document
Verifier certificates in that certificate stream, except the most recently
expired certificate.
The audit displays the holder reference and authority reference of the
certificate that was deleted, and the name of the Master User or the DN of
the administrator who deleted the certificate.
27957 Event EAC: A foreign CVCA certificate was imported.
A CVCA administrator imported a foreign CVCA certificate. The audit
includes the CVCA identity, the holder reference and authority reference of
the CVCA certificate, and the name of the Master User or the DN of the
administrator who imported the certificate.
27958 Event EAC: A foreign CVCA was deleted.
Indicates that a CVCA administrator deleted a foreign CVCA. The audit
displays the identity of the foreign CVCA, and the name of the Master User
or the DN of the administrator who deleted the foreign CVCA.
27959 Event EAC: A foreign CVCA was enabled.
Indicates that a CVCA administrator enabled a foreign CVCA. The audit
displays the identity of the foreign CVCA, and the name of the Master User
or the DN of the administrator who enabled the foreign CVCA.
27960 Event EAC: A foreign CVCA was disabled.
Indicates that a CVCA administrator disabled a foreign CVCA. The audit
displays the identity of the foreign CVCA, and the name of the Master User
or the DN of the administrator who disabled the foreign CVCA.
27961 Event EAC: A foreign CVCA was modified.
Indicates that a CVCA administrator modified a foreign CVCA. The audit
displays the identity of the foreign CVCA, the DN of the administrator who
modified the foreign CVCA, and the attributes that changed.
27962 Event EAC: A foreign CVCA was added.
Indicates that a CVCA administrator added a foreign CVCA. The audit
includes the CVCA identity and attributes. The audit also includes the name
of the Master User or the DN of the administrator who added the foreign
CVCA.

27963 Event EAC: A DV certificate request was countersigned.
The CVCA successfully countersigned a Document Verifier certificate
request. The audit includes the holder reference and authority reference of
the certificate request, and the name of the Master User or the DN of the
administrator who processed the request.
27964 Event EAC: Global Policy has been updated.
Indicates that a Document Verifier administrator changed at least two of the
CVCA, Document Verifier, and the Inspection System policy at the same
time. The audit also displays the administrator’s DN and the policy settings
the administrator changed.
A Document Verifier administrator can only change these policies at the
same time using Administration Services. See also audits 27954, 27978, and
27977.
27965 ALARM EAC: A DV certificate is expired. A key update is required.
Alerts you that the latest Document Verifier certificate in a certificate stream
has expired. The audit also displays the expired certificate. You must send a
certificate request to the CVCA administrator to obtain an updated
Document Verifier certificate.
27966 ALARM EAC: A DV certificate is nearing expiry. A key update is
required.
Alerts you that the latest Document Verifier certificate in a certificate stream
is about to expire. The audit also displays the certificate. You must send a
certificate request to the CVCA administrator to obtain an updated
Document Verifier certificate.
27967 ALARM EAC: The CVCA certificate is expired. A key update is
required.
Alerts you that the latest CVCA certificate has expired. The audit also
displays the expired CVCA certificate. Update the CVCA certificate.
27968 ALARM EAC: The CVCA certificate is nearing expiry. A key update is
required.
Warns you that the latest CVCA certificate is about to expire. The audit also
displays the CVCA certificate. Update the CVCA certificate before it expires.

27969 Event EAC: An error occurred deleting a private key from a hardware
device. You may wish to delete the key manually using the
CKA_ID value.
When updating a CVCA or DV key on a hardware device, Security Manager
deletes the old key after creating the new key. If Security Manager cannot
delete the old key, Security Manager produces this audit.
The audit includes:
• hardware description
• internal key index (key ID)
• PKCS#11 CKA_ID
• key owner
• hardware error description
If Security Manager cannot delete the key, you must delete the key
manually using your hardware device tools.
27970 Event EAC: An IS certificate request was rejected.
The Document Verifier rejected an Inspection System certificate request,
and did not issue an Inspection System certificate. The audit includes the
holder reference of the certificate request, and name of the Master User or
the DN of the administrator who attempted to process the certificate
request.
If you receive a large number of these audits, it may indicate an attack.
27971 Event EAC: An IS certificate was issued.
The Document Verifier successfully processed an Inspection System
certificate request and issued a certificate. The audit includes:
• the Inspection System identity
• the holder and authority reference of the Inspection System certificate
• the holder access rights of the Inspection System certificate
• the effective and expiration date of the Inspection System certificate
• name of the Master User or the DN of the administrator

27972 Event EAC: A DV certificate request operation was cancelled.
A Document Verifier administrator canceled a Document Verifier certificate
request. The audit includes the CVCA identity, hardware information (if the
DV keys reside on a hardware device), and the name of the Master User or
the DN of the administrator who canceled the request.
When you delete a DV certificate request at the DV, Security Manager
deletes the certificate request and the key pair. Even if a CVCA
administrator processes the certificate request, the DV certificate is useless
without the private key.
27973 Event EAC: A DV certificate request operation was finished.
A Document Verifier administrator imported a DV certificate that was issued
from a CVCA. The audit includes the CVCA identity, the holder reference
and authority reference of the certificate, and the name of the Master User
or the DN of the administrator who imported the certificate.
27974 Event EAC: A DV certificate request was created.
A Document Verifier administrator created a DV certificate request. The
audit includes:
• the CVCA identity
• the holder reference of the certificate request
• hardware information (if the DV keys reside on a hardware device)
• the name of the Master User or the DN of the administrator who created
the request.
Note: If you are storing the DV keys on hardware, back up the key using
the procedure outlined by your hardware vendor. If you are storing the keys
on an HSM and the device fails and you did not back up the key, you must
submit an unauthenticated certificate request to the CVCA.
27975 Log EAC: Issuer of imported certificate was not valid at time of
issue
When importing a DV certificate into the Document Verifier, Security
Manager checks whether the CVCA certificate that issued the DV certificate
was valid when the CVCA created the DV certificate. If the effective date
of the DV certificate is outside the range of the CVCA certificate's validity
period, Security Manager generates this audit. The DV certificate was
imported successfully.

27976 Event EAC: A CVCA certificate was imported.
A Document Verifier administrator imported a CVCA certificate. The audit
includes the CVCA identity, the holder reference and authority reference of
the CVCA certificate, and the name of the Master User or the DN of the
administrator who imported the certificate.
27977 Event EAC: The IS global policy has been updated.
Indicates that a Document Verifier administrator changed the Inspection
System policy. The audit displays the policy settings that were changed, and
the name of the Master User or the DN of the administrator who changed
the policy.
27978 Event EAC: The anchor DV policy has been updated.
Indicates that a Document Verifier administrator changed the Document
Verifier policy. The audit displays the policy settings the administrator
changed, and the name of the Master User or the DN of the administrator
who changed the policy.
27979 Event EAC: A CVCA was disabled.
Indicates that a Document Verifier administrator disabled a CVCA. The
audit displays the identity of the CVCA, and the name of the Master User
or the DN of the administrator who disabled the CVCA.
27980 Event EAC: A CVCA was deleted.
Indicates that a Document Verifier administrator deleted a CVCA. The audit
displays the identity of the CVCA, and the name of the Master User or the
DN of the administrator who deleted the CVCA.
27981 Event EAC: A CVCA was enabled.
Indicates that a Document Verifier administrator enabled a CVCA. The audit
displays the identity of the CVCA, and the name of the Master User or the
DN of the administrator who enabled the CVCA.
27982 Event EAC: A CVCA was modified.
Indicates that a Document Verifier administrator modified a CVCA. The
audit displays the identity of the CVCA, the DN of the administrator who
modified the CVCA, and the attributes that changed.
27983 Event EAC: A CVCA was added.
Indicates that a Document Verifier administrator added a CVCA. The audit
includes the CVCA identity and attributes. The audit also includes the name
of the Master User or the DN of the administrator who added the CVCA.

27984 Event EAC: An IS was disabled.
Indicates that a Document Verifier administrator disabled an Inspection
System. The audit displays the identity of the Inspection System, and the
name of the Master User or the DN of the administrator who disabled the
Inspection System.
27985 Event EAC: An IS was deleted.
Indicates that a Document Verifier administrator deleted an Inspection
System. The audit displays the identity of the Inspection System, and the
name of the Master User or the DN of the administrator who deleted the
Inspection System.
27986 Event EAC: An IS was enabled.
Indicates that a Document Verifier administrator enabled an Inspection
System. The audit displays the identity of the Inspection System, and the
name of the Master User or the DN of the administrator who enabled the
Inspection System.
27987 Event EAC: An IS was modified.
Indicates that a Document Verifier administrator changed an Inspection
System. The audit includes the Inspection System identity and any changed
attributes and custom policy settings. It also includes the name of the
Master User or the DN of the administrator who changed the Inspection
System.
27988 Event EAC: An IS was added.
Indicates that a Document Verifier administrator added an Inspection
System. The audit includes the Inspection System identity, attributes, and
custom policy settings. It also includes the name of the Master User or the
DN of the administrator who added the Inspection System.
27989 Event EAC: The DV has been initialized.
Indicates that a Master User initialized a Document Verifier. The audit
includes the DV identity and the name of the Master User who initialized
the DV.
27990 Event EAC: The anchor CVCA policy has been updated.
Indicates that a Master User changed the CVCA policy settings. The audit
includes the settings that changed and the name of the Master User who
changed the settings.

27991 Event EAC: The CVCA signing key has been updated.
When you update the CVCA keys, Security Manager produces a new CVCA
key, self-signed certificate, and link certificate. This audit displays the new
CVCA certificate, CVCA link certificate, and characteristics of the CVCA
key. It also includes the name of the Master User who updated the CVCA
keys.
Note: If you updated the keys on a hardware security module, back up the
key using the procedure outlined by your hardware vendor.
27992 Event EAC: The CVCA has been initialized.
Indicates that a Master User initialized a CVCA. The audit includes the
CVCA certificate, CVCA key characteristics, and the name of the Master
User who initialized the CVCA.
27993 Event EAC: A DV was disabled.
Indicates that a CVCA administrator disabled a Document Verifier. The
audit includes the identity of the Document Verifier, and the name of the
Master User or the DN of the administrator who disabled the Document
Verifier.
27994 Event EAC: A DV certificate request was rejected.
Indicates that a CVCA administrator attempted to process a DV certificate
request, and did not produce a DV certificate. The audit includes the holder
reference of the certificate request, and the name of the Master User or the
DN of the administrator.
If you receive a large number of these audits, it may indicate an attack.
27995 Event EAC: A DV certificate was issued.
The CVCA successfully processed a DV certificate request and issued a
certificate. The audit includes:
• the DV identity
• the holder and authority reference of the DV certificate
• the holder access rights of the DV certificate
• the effective and expiration date of the DV certificate
• name of the Master User or the DN of the administrator
27996 Event EAC: The DV global policy has been updated.
Indicates that a CVCA administrator changed the DV policy settings. The
audit includes the CVCA identity, the changed settings, and the name of the
Master User or the DN of the administrator who changed the settings.

27997 Event EAC: A DV was deleted.
Indicates that a CVCA administrator deleted a Document Verifier. The audit
displays the identity of the Document Verifier, and the name of the Master
User or the DN of the administrator who deleted the Document Verifier.
27998 Event EAC: A DV was enabled.
Indicates that a CVCA administrator enabled a Document Verifier. The audit
displays the identity of the Document Verifier, and the name of the Master
User or the DN of the administrator who enabled the Document Verifier.
27999 Event EAC: A DV was modified.
Indicates that a CVCA administrator changed a Document Verifier. The
audit includes the Document Verifier identity and any changed attributes
and custom policy settings. It also includes the name of the Master User or
the DN of the administrator who changed the Document Verifier.
28000 Event EAC: A DV was added.
Indicates that a CVCA administrator added a Document Verifier. The audit
includes the Document Verifier identity, attributes, and custom policy
settings. It also includes the name of the Master User or the DN of the
administrator who added the Document Verifier.
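Audit 27994 above is the one the guide flags as a possible attack indicator when it appears in volume. As an added example (not code from the guide), the following Python groups 27994 audits by the Master User or administrator DN that the audit names, raises one alert per actor when rejections pile up inside a short window, and builds a per-DV timeline from the other Table 110 audits for context; the record layout, DNs, DV identity and holder references are constructed, because this page does not show the real audit export format.

```python
"""Burst detection for EAC audit 27994 (DV certificate request rejected).

Added example, not code from the Entrust guide. Audit IDs and meanings are
from Table 110 above; the pipe-separated record layout and the sample
records are CONSTRUCTED, since this page does not show Security Manager's
audit export format. Adapt parse_record() to your real export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Audit IDs from Table 110 (Security Manager audit logs related to EAC).
EAC_DV_AUDITS = {
    27993: "DV disabled",
    27994: "DV certificate request rejected",
    27995: "DV certificate issued",
    27996: "DV global policy updated",
    27997: "DV deleted",
    27998: "DV enabled",
    27999: "DV modified",
    28000: "DV added",
}
DV_REQUEST_REJECTED = 27994
# Audits whose detail names a DV identity (27994 names a holder reference
# and 27996 names the CVCA, so they are left out of the per-DV timeline).
DV_LIFECYCLE_AUDITS = {27993, 27995, 27997, 27998, 27999, 28000}

# Constructed sample records, "time|audit_id|actor|detail". The actor field
# stands for the Master User name or administrator DN the guide says each
# audit carries; the DNs, DV identity and holder references are made up.
SAMPLE_AUDITS = [
    "2019-04-01T09:00:00|28000|cn=Alice,ou=EAC Admins|DEdvtest",
    "2019-04-01T09:01:00|27998|cn=Alice,ou=EAC Admins|DEdvtest",
    "2019-04-01T09:05:00|27994|cn=Bob,ou=EAC Admins|DEdvtest00001",
    "2019-04-01T09:06:00|27994|cn=Bob,ou=EAC Admins|DEdvtest00002",
    "2019-04-01T09:07:00|27994|cn=Bob,ou=EAC Admins|DEdvtest00003",
    "2019-04-01T09:08:00|27994|cn=Bob,ou=EAC Admins|DEdvtest00004",
    "2019-04-01T09:09:00|27994|cn=Bob,ou=EAC Admins|DEdvtest00005",
    "2019-04-01T09:30:00|27995|cn=Alice,ou=EAC Admins|DEdvtest",
    "2019-04-01T11:00:00|27994|cn=Alice,ou=EAC Admins|DEdvtest00009",
    "2019-04-01T12:00:00|27993|cn=Alice,ou=EAC Admins|DEdvtest",
]


def parse_record(line):
    """Parse one constructed 'time|audit_id|actor|detail' record."""
    ts, audit_id, actor, detail = line.split("|", 3)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "audit_id": int(audit_id),
        "actor": actor,
        "detail": detail,
    }


def find_rejection_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert once per actor whose 27994 audits reach threshold within window.

    Holder references seen in the burst are kept so an analyst can tell one
    request being retried from many different holders being attempted.
    """
    recent = defaultdict(deque)  # actor -> (time, holder) pairs in window
    alerts, alerted = [], set()
    records = sorted((parse_record(ln) for ln in lines), key=lambda r: r["time"])
    for rec in records:
        if rec["audit_id"] != DV_REQUEST_REJECTED:
            continue
        pending = recent[rec["actor"]]
        pending.append((rec["time"], rec["detail"]))
        while pending and rec["time"] - pending[0][0] > window:
            pending.popleft()  # rejection is older than the window
        if len(pending) >= threshold and rec["actor"] not in alerted:
            alerted.add(rec["actor"])
            alerts.append({
                "actor": rec["actor"],
                "count": len(pending),
                "first": pending[0][0],
                "last": rec["time"],
                "holders": sorted({holder for _, holder in pending}),
            })
    return alerts


def dv_lifecycle(lines):
    """Return {dv_identity: [(time, event, actor), ...]} as context for alerts."""
    timeline = defaultdict(list)
    records = sorted((parse_record(ln) for ln in lines), key=lambda r: r["time"])
    for rec in records:
        if rec["audit_id"] in DV_LIFECYCLE_AUDITS:
            timeline[rec["detail"]].append(
                (rec["time"], EAC_DV_AUDITS[rec["audit_id"]], rec["actor"]))
    return dict(timeline)


if __name__ == "__main__":
    for alert in find_rejection_bursts(SAMPLE_AUDITS):
        print(f"{alert['actor']}: {alert['count']} rejections between "
              f"{alert['first']:%H:%M} and {alert['last']:%H:%M}, "
              f"holders {alert['holders']}")
    for dv, events in dv_lifecycle(SAMPLE_AUDITS).items():
        print(dv, [(t.strftime("%H:%M"), event) for t, event, _ in events])
```

The threshold and window are starting points only; tune them against the normal rate of DV requests your CVCA handles so that a single mistyped request does not alert.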

1686 Entrust® ePassport 3.00 Solutions Guide Document issue: 5.0


61 Credentials for Administration Services
This appendix lists the required and optional credentials for the ePassport services
provided by Administration Services.
This appendix contains the following sections:
• “Credentials for the PKD Writer services” on page 1688
• “Credentials for the PKD Reader services” on page 1689
• “Credentials for the NPKD services” on page 1690
• “Credentials for the Master List Signer services” on page 1692
• “Credentials for CVCA Administration” on page 1694
• “Credentials for the SPOC services” on page 1696
• “Credentials for DV Administration” on page 1698
• “Credentials for the DV Web Service” on page 1699
• “Credentials for DVCKM” on page 1700

Credentials for the PKD Writer services
This section lists the required and optional credentials for the PKD Writer services
provided by Administration Services.

PKD Writer Server profile


Required to install Administration Services: Yes.
Issuing CA: PKD Writer Services CA.
Role: Server Login.
Certificate type: (Enterprise) Default.
SubjectAltName: DNS Name of the server hosting the Administration Services
application server.
See “Creating PKD Writer Server credentials” on page 308 for details.

PKD Writer Client profile


Required to install Administration Services: No. Used by PKD Writer Web Service
clients.
Issuing CA: PKD Writer Services CA.
Role: Server Login.
Certificate type: ePassport - PKD Writer Client. You must create this certificate type
(see “Creating a PKD Writer Client certificate type” on page 311).
SubjectAltName: None.
See “Creating PKD Writer Client credentials” on page 312 for details.

PKD Access credential


Required to install Administration Services: Yes.
Issuing CA: ICAO.
Role: None.
Certificate type: None.
SubjectAltName: None.
See “Obtaining a PKD Access credential for the ICAO PKD” on page 315 for details.

Credentials for the PKD Reader services
This section lists the required and optional credentials for the PKD Reader services
provided by Administration Services.

PKD Reader Server profile


Required to install Administration Services: Yes.
Issuing CA: PKD Reader Services CA.
Role: Server Login.
Certificate type: (Enterprise) Default.
SubjectAltName: DNS Name of the server hosting the Administration Services
application server.
See “Creating PKD Reader Server credentials” on page 388 for details.

PKD Reader Client profile


Required to install Administration Services: No. Used by PKD Reader Web Service
clients.
Issuing CA: PKD Reader Services CA.
Role: Server Login.
Certificate type: (Enterprise) Default.
SubjectAltName: None.
See “Creating PKD Reader Client credentials” on page 391 for details.

PKD Access credential


Required to install Administration Services: Yes.
Issuing CA: ICAO.
Role: None.
Certificate type: None.
SubjectAltName: None.
You can use the same PKD Access Credential you obtained for the PKD Writer
services. See “Obtaining a PKD Access credential for the ICAO PKD” on page 315
for details.

Credentials for the NPKD services
This section lists the required and optional credentials for the NPKD services provided
by Administration Services.

NPKD Server profile


Required to install Administration Services: Yes.
Issuing CA: NPKD Services CA.
Role: Server Login.
Certificate type: ePassport - SPOC Server.
SubjectAltName: DNS Name of the server hosting the Administration Services
application server.
See “Creating NPKD Server credentials” on page 473 for details.

PKD Reader Client profile


Required to install Administration Services: Yes, if you choose to enable a
connection with PKD Reader.
Issuing CA: PKD Reader Services CA.
Role: Server Login.
Certificate type: (Enterprise) Default.
SubjectAltName: None.
See “Creating PKD Reader Client credentials” on page 391 for details.

NPKD Client profile


Required to install Administration Services: No.
Issuing CA: NPKD Services CA.
Role: End User.
Certificate type: ePassport Auditor. You must create this certificate type (see
“Creating certificate types for NPKD services” on page 471).
SubjectAltName: None.
See “Creating NPKD Client credentials” on page 476 for details.

NPKD administrator certificate
Required to install Administration Services: No.
Issuing CA: NPKD Services CA.
Role: End User or a custom role (see “Creating a role for NPKD administrators” on
page 537).
Certificate type: ePassport Auditor or National NPKD Service Administrator. You must
create these certificate types (see “Creating certificate types for NPKD services” on
page 471).
SubjectAltName: None.
See “Creating NPKD administrators” on page 538 for details.

Credentials for the Master List Signer services
This section lists the required and optional credentials for the Master List Signer
services provided by Administration Services.

Country Signing Certification Authority (CSCA) root certificate


Required to install Administration Services: Yes, if the CSCA is a third-party CA.
Issuing CA: CSCA.
Role: None.
Certificate type: None.
SubjectAltName: None.

Master List Signer profile


If the CSCA is a third-party CSCA, the Master List Signer profile must be a PKCS #12
file stored on the local file system or on hardware.
If the CSCA is a Security Manager CA, the Master List Signer profile can be an EPF
file or a PKCS #12 file. If the CSCA is online, the Master List Signer services also
require the CSCA’s entrust.ini file.
Required to install Administration Services: Yes.
Issuing CA: CSCA.
Role: Server Login.
Certificate type: ePassport - Master List Signer.
SubjectAltName: Either an email address associated with the CSCA, or a DNS Name
associated with the CSCA.
See “Creating Master List Signer credentials” on page 148 for details.

Master List Server profile


Required to install Administration Services: Yes.
Issuing CA: Master List Signer Services CA.
Role: Server Login.
Certificate type: (Enterprise) Default.
SubjectAltName: DNS Name of the server hosting the Administration Services
application server.
See “Creating Master List Server credentials” on page 741 for details.

Master List Client
Required to install Administration Services: No. Used by MLS Web Service clients.
Issuing CA: Master List Signer Services CA.
Role: Server Login.
Certificate type: ePassport - Master List Signer Administrator.
SubjectAltName: None.
See “Creating Master List Client credentials” on page 744 for details.

PKD Writer Client profile


Required to install Administration Services: Yes, if you choose to enable the CSCA
Materials Upload Status feature.
Issuing CA: PKD Writer Services CA.
Role: Server Login.
Certificate type: ePassport - PKD Writer Client. You must create this certificate type
(see “Creating a PKD Writer Client certificate type” on page 311).
SubjectAltName: None.
See “Creating PKD Writer Client credentials” on page 312 for details.

Master List Signer administrator certificate


Required to install Administration Services: No.
Issuing CA: Master List Signer Services CA.
Role: Master List Signer Administrator.
Certificate type: ePassport - Master List Signer Administrator.
SubjectAltName: None.
See “Creating Master List Signer administrators” on page 779 for details.

Credentials for CVCA Administration
This section lists the required and optional credentials for the CVCA Administration
service provided by Administration Services.

CVCA Administration Server profile


Required to install Administration Services: Yes, if not using a front-end Web server.
Issuing CA: CVCA.
Role: Server Login.
Certificate type: Default.
SubjectAltName: DNS Name of the server hosting the Administration Services
application server.
See “Creating CVCA Administration Server credentials” on page 914 for details.

CVCA Administration XAP profile


Required to install Administration Services: Yes, if you choose to configure the
connection to the CVCA using the installer.
Issuing CA: CVCA.
Role: Server Login.
Certificate type: Admin Services User Management External Authenticator.
SubjectAltName: None.
See “Creating CVCA Administration XAP credentials” on page 918 for details.

CVCA administrator certificate


Required to install Administration Services: No.
Issuing CA: CVCA.
Role: EAC Administrator, EAC Auditor, or a custom role.
The predefined EAC Administrator role allows administrators to perform all
operations for a CVCA or DV. The predefined EAC Auditor role allows administrators
only to view information for a CVCA or a DV. You can create custom roles for your
administrators that control which operations an administrator can perform for a
CVCA or DV.
The client policy (user policy) assigned to the role must allow external authentication,
and optionally PKCS #12 export. See “Creating or modifying a user policy for CVCA
administrators” on page 974 for details.
Certificate type: (Enterprise) Default.

SubjectAltName: None.
See “Creating CVCA administrators” on page 979 for details.

Credentials for the SPOC services
This section lists the required and optional credentials for the Single Point of Contact
(SPOC) services provided by Administration Services.

SPOC Server profile


Required to install Administration Services: Yes.
Issuing CA: SPOC CA.
Role: SPOC Role.
Certificate type:
• If storing the profile on software, ePassport - SPOC Server.
• If storing the profile on hardware, ePassport - SPOC TLS Server 2-Key-Pair
User. You must create this certificate type (see “Creating new certificate
types for SPOC profiles that will be stored on hardware” on page 1165).
SubjectAltName: DNS Name of the server hosting the Administration Services
application server.
See “Creating SPOC Server credentials” on page 1169 for details.

SPOC Client profile


Required to install Administration Services: Yes.
Issuing CA: SPOC CA.
Role: SPOC Role.
Certificate type: ePassport - SPOC Client.
SubjectAltName: None.
See “Creating SPOC Client credentials” on page 1172 for details.

SPOC Domestic Web Service profile


Required to install Administration Services: Yes, if the domestic CVCA is online.
The CVCA must be online if you install CVCA Administration or any X.509 service.
The profile also requires the domestic CVCA’s entrust.ini file.
Issuing CA: Domestic CVCA.
Role: SPOC Self-Service Role.
Certificate type: Admin Services User Registration.
SubjectAltName: None.
See “Creating SPOC Domestic Web Service credentials” on page 921 for details.

Entire chain of CVCA certificates
Required to install Administration Services: Yes, if the domestic CVCA is offline. The
CVCA cannot be offline if you install CVCA Administration or any X.509 service.
Issuing CA: Domestic CVCA.
Role: None.
Certificate type: None.
SubjectAltName: None.

SPOC administrator certificate


Required to install Administration Services: No.
Issuing CA: SPOC CA.
Role: SPOC Administrator.
Certificate type: ePassport - SPOC Administrator.
SubjectAltName: None.
See “Creating SPOC administrators” on page 1208 for details.

Credentials for DV Administration
This section lists the required and optional credentials for the DV Administration
service provided by Administration Services.

DV Administration Server profile


Required to install Administration Services: Yes, if not using a front-end Web server.
Issuing CA: DVCA.
Role: Server Login.
Certificate type: Default.
SubjectAltName: DNS Name of the server hosting the Administration Services
application server.
See “Creating DV Administration Server credentials” on page 1311 for details.

DV Administration XAP profile


Required to install Administration Services: No, but recommended.
Issuing CA: DVCA.
Role: Server Login.
Certificate type: Admin Services User Management External Authenticator.
SubjectAltName: None.
See “Creating DV Administration XAP credentials” on page 1315 for details.

DV administrator certificate
Required to install Administration Services: No.
Issuing CA: DVCA.
Role: EAC Administrator, EAC Auditor, or a custom role.
The predefined EAC Administrator role allows administrators to perform all
operations for a CVCA or DV. The predefined EAC Auditor role allows administrators
only to view information for a CVCA or a DV. You can create custom roles for your
administrators that control which operations an administrator can perform for a
CVCA or DV.
Certificate type: (Enterprise) Default.
SubjectAltName: None.

Credentials for the DV Web Service
This section lists the required and optional credentials for the DV Web Service
provided by Administration Services.

DV Web Service profile


Required to install Administration Services: Yes.
Issuing CA: DVCA.
Role: EAC Self-Service.
To allow the DV Web Service to automatically process unauthenticated Inspection
System certificate requests, you must add the Process Unauth IS Certreq permission
to the role. See “Modifying the role for DV Web Service profiles” on page 1414 for
details.
Certificate type: Admin Services User Registration.
SubjectAltName: DNS Name of the server hosting the Administration Services
application server.
See “Creating DV Web Service credentials” on page 1414 for details.

Country Signing Certification Authority (CSCA) root certificate


Required to install Administration Services: Yes, if you choose to enable CSCA
material distribution.
Issuing CA: CSCA.
Role: None.
Certificate type: None.
SubjectAltName: None.

NPKD Client profile


Required to install Administration Services: Yes, if you choose to collect CSCA
materials from the National PKD.
Issuing CA: NPKD Services CA.
Role: NPKD Client Role. You must create this role (see “Creating a role for NPKD
administrators” on page 537).
Certificate type: ePassport Auditor. You must create this certificate type (see
“Creating certificate types for NPKD services” on page 471).
SubjectAltName: None.
See “Creating NPKD Client credentials” on page 476 for details.

Credentials for DVCKM
This section lists the required and optional credentials for the DV Certificate Key
Management service (DVCKM) provided by Administration Services.

DVCKM profile
Required to install Administration Services: Yes.
Issuing CA: DVCA.
Role: EAC DV CKM Administrator.
Certificate type: Admin Services User Registration.
SubjectAltName: None.
See “Creating DVCKM credentials” on page 1382 for details.

SPOC DVCKM Client profile


Required to install Administration Services: Yes.
The profile also requires the SPOC CA’s entrust.ini file and the URL of the SPOC
Domestic Web Service.
Issuing CA: SPOC CA.
Role: SPOC Role.
Certificate type: ePassport - SPOC DV Client.
SubjectAltName: None.
See “Creating SPOC DVCKM Client credentials for Document Verifiers” on
page 1224 for details.

62 Glossary
activation codes: When an Entrust PKI administrator adds a user to Security Manager, a reference number and authorization code are generated. Together, the reference number and authorization code are called activation codes. You can use the activation codes to create an Entrust profile.

ASN.1: Abstract Syntax Notation One. A language that enables different communication systems to exchange data.

authentication: The process of proving your identity. In a Security Manager system, authentication works through a password-protected encrypted file, called a digital ID.

authorization code: A code (for example, CMTJ-8VOR-VFNS), obtained from an Entrust PKI administrator. It is required along with its corresponding reference number to create a new Entrust profile or to recover an existing profile. An authorization code and its corresponding reference number are called activation codes. Authorization codes can only be used once.

BAC: See Basic Access Control.

Basic Access Control: The mechanism used to ensure the integrity and authenticity of MRTD chips and to prevent eavesdropping on the communication between the MRTD and the Inspection System.

CA: See Certification Authority.

certificate: A collection of publicly available information about an entity that is signed by a Certification Authority.
The type of information contained in a certificate depends on the type of certificate. For example, a user’s public key certificate contains the user’s distinguished name, a unique serial number, the user’s encryption or verification public key, and the date the key will expire. The CA’s signature, which appears on all certificates, ensures the integrity of this information.
Other types of certificates include policy certificates, cross-certificates, certificate revocation lists, and authority revocation lists.

certificate revocation list: A signed certificate containing the serial numbers of public key certificates that were revoked, and a reason for each revocation. Verification Server accesses this information from the directory to check the trustworthiness of certificates it receives.

certificate request: A file generated by an application (such as a Web server) that contains the information another application (such as Security Manager) uses to create a certificate required by the requesting application.

certificate signing request: See certificate request.

certificate stream: The set of all certificates issued to an EAC entity that are anchored by a particular Country Verifying Certification Authority.

Certification Authority: The part of Security Manager that ensures the trustworthiness of users’ electronic identities. The Certification Authority (CA) issues electronic identities in the form of public key certificates, and signs the certificates with its signing key, which ensures the integrity of the electronic identity.
All other types of certificates are issued and signed by the CA as well, such as policy certificates, cross-certificates, certificate revocation lists (CRLs), and authority revocation lists (ARLs).

client application: An application that receives information from a server application and requests a service provided by the server application. For example, Administration Services is a client application of Security Manager.

CMS: See Cryptographic Message Syntax.

countersigning: When a Country Verifying Certification Authority signs a Document Verifier certificate request intended for a foreign CVCA.

Country Signing Certification Authority: The root of trust for e-passports issued within its own country. The CSCA issues certificates to one or more Document Signers.

Country Verifying Certification Authority: The root of trust for e-passports issued within its own country. It determines which countries and which Document Verifiers within those countries can access the biometrics stored on the passports issued by the CVCA’s home country.

cross-stream signing: When a Document Verifier accepts foreign certificate requests signed by the domestic certificate stream.

Cryptographic Message Syntax: One of the types of digital signatures produced by the Digital Signature Service, in accordance with RFC 3369, Cryptographic Message Syntax, available at http://www.ietf.org/rfc/rfc3369.txt.

CRL: See certificate revocation list.

CSCA: See Country Signing Certification Authority.

CSR: Certificate signing request. See certificate request.

CVCA: See Country Verifying Certification Authority.

digital signature: A digital signature allows you to associate an identity with a piece of data. It also provides proof that the data was not altered since it was signed.

directory: An LDAP-compliant directory service that contains the names of all Security Manager users and acts as a repository for users’ encryption public key certificates.

distinguished name: The complete name of a directory entry that uniquely identifies a person or entity. The distinguished names (DNs) of all Security Manager users are stored in the directory. For more information about DNs, see the Security Manager documentation.

DN: See distinguished name.

Document Security Object: Signed Logical Data Structure Security Object.

Document Signer: An application that is issued certificates from a Country Signing Certification Authority to sign the Document Security Object on electronic passports.

Document Verifier: An EAC entity that issues certificates to Inspection Systems. These certificates authenticate the Inspection System to e-passport chips, and also specify which biometrics the Inspection System can access.

DV: See Document Verifier.

EAC: See Extended Access Control.

EF.SOD: See Elementary File Document Security Object.

Elementary File Document Security Object: Contains the Document Security Object, which contains the Logical Data Structure Security Object. It is represented as an Elementary File. This is used by the vendor to wrap the data before it is placed on the MRTD.

encrypt: To encrypt a file is to render the file completely unreadable. This means no one, including the owner of the file, can read the file’s contents until it is decrypted. Only the owner and the authorized recipients can decrypt the file. The owner determines the authorized recipients.

Entrust PKI administrator: An administrative user who uses Security Manager Administration to add users to Security Manager and to do other frequent operations such as deactivating users, revoking users’ keys, setting up users for key recovery, and creating new encryption key pairs for users.

Entrust profile: A set of user credentials that an Entrust client application creates and manages. It is stored in a proprietary Entrust profile format and is the cornerstone of the user identity within the Entrust PKI. The Entrust profile, among other important data, may contain the user’s distinguished name, decryption private keys, signing keys, and the CA certificate.

Extended Access Control: The mechanism used to unlock the biometric data stored in the e-passport chip. It ensures that only authorized entities can access the biometric data.

hardware token: See hardware security module.

hash value: A unique string (for example, a series of numbers) that is applied to a unique piece of data, such as a document. If even so much as a single letter in the document is altered, the hash produces a completely different value when applied again to the document.

hardware security module: A physical external device, such as a hardware token, that secures cryptographic and sensitive data material. For information about security hardware support and Entrust products, see the Entrust Datacard TrustedCare Web site.

holder identity: A two-character country code (such as GB for the United Kingdom, or US for the United States of America), followed by a character string, called a mnemonic, of one to nine characters. For example, GBcountry and USairport are holder identities.

HSM: See hardware security module.

IETF: Internet Engineering Task Force.

Inspection System: An application that validates e-passports and accesses their biometric data.

LDS: See Logical Data Structure.

Logical Data Structure: A standardized organization of data recorded to an MRTD.

Logical Data Structure Security Object: An ASN.1 object that is encoded using the Distinguished Encoding Rules as specified in ISO/IEC 8825-1:2002, Information technology, ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER).

Master List Signer: An application that signs a Master List of trusted foreign CVCAs.

nonrepudiation: Irrefutable evidence that makes it impossible to reject the validity of a signature on a file or transaction.
Once a contract or transaction is digitally signed, the signer cannot disclaim (or repudiate) the signature after the fact. This means, for example, that both parties to an online purchase are bound to the terms of the deal and both parties are protected from online fraud.

OID: Object identifiers (OIDs) provide a standard mechanism for uniquely identifying things, or objects, such as certificate policies, encryption algorithms, and directory attributes.
For details about OIDs, see the Security Manager documentation.

MRTD: A Machine Readable Travel Document (MRTD) issuance system uses the Document Signer Service to create and add digital signatures to the Logical Data Structure Security Object in order to create the Document Security Object (SOD). The SOD is located in the Elementary File Document Security Object on an MRTD, such as a passport.

PKCS #11 library: The PKCS #11 library is an industry standard interface between an application such as Security Manager and a hardware security module (HSM). It is supplied by the HSM vendor and exists as a DLL for Windows. Consult the documentation that came with your HSM to determine the name and location of the library.

private key: The portion of a key pair that is kept secret by the owner of the key pair.

public key: The portion of a key pair that is publicly accessible.

reference number: A number (for example, 91480165), obtained from an Entrust PKI administrator, which is used along with an authorization code to create a new Entrust profile or to recover a lost or corrupt profile. A reference number can only be used once.

RFC 3369: RFC 3369, Cryptographic Message Syntax. For details see http://www.ietf.org/rfc/rfc3369.txt.

Server Login: Entrust Server Login is designed for computers, usually servers, that run Entrust applications as services or as background applications. These computers, running 24 hours a day, seven days a week, are generally unattended, and are often in a physically secure area that has restricted access.

servlet: A small program that runs on a server.

signing private key: The key that encrypts a hash value that is decrypted with the corresponding verification public key.

SOAP: Simple Object Access Protocol. SOAP provides a way for programs running in different languages (such as Java and C#) to exchange information, using HTTP and XML.

SOD: See Document Security Object.

SOLDS: See Logical Data Structure Security Object.

UAL file (.ual file): Server Login credential file.

user: Any entry in the Security Manager database or directory. Users can be actual end users or Entrust PKI administrators in your organization, or non-human entries such as Web servers or Security Manager client applications.

validation string: A string of alphanumeric characters representing the hash of a certificate or certificate request. Validation strings allow administrators to verify the authenticity of a certificate or certificate request.

verification public key: The public key portion of a signing key pair used to verify data signed by the corresponding signing private key. The verification public key is stored in a certificate called the verification public key certificate. This certificate is digitally signed by the Certification Authority to verify that the public key within it is the authentic public key of the identified entity.

Web service: There are many different definitions of a Web service. In this document, a Web service is a program that runs within an application server and communicates with other requesting components using the SOAP protocol.
Web services have the following advantages:
• The SOAP protocol provides a standard way for the Web service and its client application to encode and decode (or parse) the object code so that programmers do not have to write their own. The standard also means that programs written by different companies can communicate with the Web service.
• SOAP envelopes are sent within HTTP requests so you do not have to open additional ports in your firewall for clients to communicate with the Web service.

WSDL: Web Services Description Language.

X.509: A standard digital certificate format.

XML: Extensible Markup Language. A W3C specification for structured data. Also one of the signature types produced by the Digital Signature Service.

Index

- A B C D E F G H I J K L M N O P Q R S T U V W X Y Z -
A DV 1517
master lists 797
accessing
  Verification Server 275
activating
  DVs 1079
  foreign CVCAs 1037
  Inspection Systems 1609
activation codes 1701
active domestic master list
  exporting 815
  exporting CSCA certificates 817
  uploading to the ICAO PKD 819
  viewing 812
adding
  CA certificates to Apache HTTP Server for CVCA Administration 967
  CA certificates to Apache HTTP Server for DV Administration 1361
  CA certificates to Apache HTTP Server for the NPKD services 532
  company logo to CVCA Administration 1110
  company logo to DV Administration 1634
  company logo to MLS Administration 716, 876
  company logo to SPOC Administration 1278
  CSCA certificate from a foreign master list as a trust anchor 844
  custom email notification service 1119, 1644
  CVCA Administration locale 1124
  CVCAs 1530
  DV Administration locale 1648
  DVs 1060
  foreign CVCAs 1032
  foreign master lists 829
  foreign SPOCs 1229
  Inspection Systems 1594
  locales to MLS Administration locale 884
  locales to NPKD Administration 724
  locales to SPOC Administration locale 1286
  user for Verification Server 189
administering
  CVCA 1005
  NPKD services 571
  PKD Writer services 373
  SPOC 1223
Administration Services
  administering NPKD services 571
  broken JavaScript code 729, 887, 1130, 1289, 1653
  browsers cannot display some locale names 887, 1130, 1289, 1653
  configuring CVCA Administration 985
  configuring DV Administration 1447
  configuring Master List Signer services 785
  configuring NPKD services 545
  configuring SPOC services 1213
  configuring the DV Web Service 1493
  configuring the DVCKM 1475
  configuring the PKD Reader Web Service 425
  configuring the PKD Writer Web Service 347
  CVCA Administration 79
  deploying CVCA Administration 907
  deploying DV Administration 1305
  deploying PKD Writer DV Web Service 305
  deploying the DV Web Service 1411
  deploying the DVCKM 1379
  deploying the Master List Signer services 737
  deploying the NPKD services 463
  deploying the PKD Reader Web Service 385
  deploying the SPOC services 1161
  deployment overview 306, 386, 465, 739, 908, 1163, 1306, 1380, 1412
  DV Web Service 56, 80
  DVCKM 80
  HTML entities referenced by names 729, 887, 1130, 1289, 1653
  in a BAC system 55
  in an EAC system 79
  installing CVCA Administration 926
  installing DV Administration 1320
  installing for a Master List Signer 751
  installing the DV Web Service 1422
  installing the DVCKM 1388

1707
- A B C D E F G H I J K L M N O P Q R S T U V W X Y Z -
  installing the NPKD services 482
  installing the PKD Reader Web Service 404
  installing the PKD Writer Web Service 324
  installing the SPOC services 1178
  list of credentials 1687
  MLS Administration 55
  MLS Web Service 55
  NPKD Administration 56
  NPKD Web Service 56
  PKD Reader Web Service 55
  PKD Writer Web Service 55
  queued operations 1105, 1629
  required Microsoft IIS features 468
  SPOC Administration 79
  SPOC Domestic Web Service 80
  SPOC Web Service 79
  synchronizing time settings with Security Manager 307, 387, 470, 740, 913, 1164, 1310, 1381, 1413
  translating JSP services 1129, 1652
Apache HTTP Server
  adding CA certificates for CVCA Administration 967
  adding CA certificates for DV Administration 1361
  adding CA certificates for the NPKD services 532
  assigning SSL certificates to the CVCA Administration VirtualHost 964
  assigning SSL certificates to the DV Administration VirtualHost 1358
  assigning SSL certificates to the NPKD services VirtualHosts 529
  completing configuration for CVCA Administration 964
  completing configuration for DV Administration 1358
  completing configuration for the NPKD services 529
  configuring SSL 201
  configuring the VirtualHost directive 469, 912, 1309
Apache Tomcat
  component of Verification Server 62
  configuring SSL 199
  security 197
architecture
  BAC 50
  EAC 74
archived domestic master lists
  exporting 824
  making the active domestic master list 826
  viewing 821
AS-install 42
ASN.1
  definition 1701
  profile for Logical Data Structure Security Object 227
  structure of Document Security Object 229
assigning
  SSL certificates to a CVCA Administration Web site in Microsoft IIS 957
  SSL certificates to a DV Administration Web site in Microsoft IIS 1351
  SSL certificates to the CVCA Administration VirtualHost in Apache HTTP Server 964
  SSL certificates to the DV Administration VirtualHost in Apache HTTP Server 1358
  SSL certificates to the NPKD services VirtualHosts in Apache HTTP Server 529
  SSL certificates to the npkd Web site in Microsoft IIS 519, 522
assigning CSCA certificates in a master list as trust anchors 651
audit logs 1677
audits 1677
authentication 1701
authority reference 83
  for CVCA certificates 85
  for DV certificates 85
  for Inspection System certificates 85
authorization code 1701
automatic CRL discovery from Document Signer certificates
  disabling 561
  enabling 561

B
BAC
  Administration Services 55
  architecture 50
  CSCA 51
  definition 1701
  Document Signer 51
  Document Signer Service 56, 59
  Entrust products 53
  ICAO Public Key Directory 51
  Inspection Systems 52
  Master List Signer 51
  master lists 51
  overview 49
  Security Manager 54

1708 Entrust® ePassport 3.00 Solutions Guide Document issue: 5.0

  system components 53
Basic Access Control. See BAC
broken JavaScript code 729, 887, 1130, 1289, 1653
browser. See Web browser

C
CA
  configuring CRLs for a CSCA 123
  configuring policy settings for a CSCA 131
  configuring the CSCA root certificate 117
  definition 1701, 1702
  reconfiguring as a CSCA 111
  recovering all users 134
  revoking the previous CA certificate 134
  updating the CA certificate 133
  updating the CA keys 133
ca cert list 134
ca cert query 132
ca cert revoke 135
ca key config 131
ca key update 133, 153
ca keyrecover-all 135
canceling DV certificate requests 1573
Card Verifiable certificates. See CV certificates
Cascading Style Sheets
  customizing for CVCA Administration 1118
  customizing for DV Administration 1643
  customizing for MLS Administration 880
  customizing for NPKD Administration 720
  customizing for SPOC Administration 1282
certificate lifetimes 82
certificate requests
  definition 1702
  see DV certificate requests
  see Inspection System certificate requests
certificate signing request. See certificate request
certificate status 82
certificate streams 85, 1702
certificates
  definition 1702
  revoking 152
  revoking a service certificate 274
  see CV certificates
  see CVCA certificates
  see DV certificates
  see Inspection System certificates
Certification Authority. See CA
changing
  DN of the CSCA 155
  email format for CVCA Administration 994
  email format for DV Administration 1457
  profile password using Verification Server 274
checking entrust.ini for Administration Services 317, 394, 479, 747, 924, 1175, 1318, 1385, 1418
client application 1702
CMS. See Cryptographic Message Syntax
commands 1133, 1655
completing
  Apache HTTP Server configuration for CVCA Administration 964
  Apache HTTP Server configuration for DV Administration 1358
  Apache HTTP Server configuration for the NPKD services 529
  Microsoft IIS configuration for CVCA Administrations 957, 1351
  Microsoft IIS configuration for the NPKD services 519
completing configuration for CVCA Administration 957
completing configuration for DV Administration 1351
completing configuration for the NPKD services 519
configuring 186
  assurance policy settings for a country in the National PKD 603
  automatic assurance level calculations of CSCA materials 562
  automatic imports from PKD Reader into the National PKD 567
  automatic signature updates of CSCA materials 565
  CA policy settings for a CSCA 131
  communications between DVCKM and SPOC Domestic Web Service 1492
  CRL cache timeout for NPKD services 559
  CRL checking of CSCA materials 1511
  CRLs for a CSCA 123
  CSCA materials distribution 1507
  CSCA materials storage folder 1509
  CSCA root certificate 117
  CVCA Administration 985
  CVCA Administration to connect to the CVCA 970
  CVCA key updates 1027
  CVCA license information 903
  CVCA policy 1529
  data format for CVCA Administration 991
  data format for DV Administration 1454
  domestic master lists 788

  draft domestic master lists 791
  DV Administration 1447
  DV Administration to connect to the DVCA 1364
  DV license information 1302
  DV policy 1056, 1559
  DV Web Service 1493
  DV Web Service authentication to a directory without anonymous access 1444
  DVCKM 1475
  DVCKM authentication to a directory without anonymous access 1407
  email notification for CVCA Administration 992
  email notification for DV Administration 1455
  email notification for DV Web Service 1495
  email notification for DVCKM 1478
  email notification for PKD Reader 426
  email notification for PKD Writer 348
  email notification for the NPKD services 550
  entrust.ini file for Verification Server 186
  foreign master lists 790
  global assurance policy settings 704
  how often DV Web Service checks for CSCA materials 1510
  incoming CSCA materials folder 1508
  Inspection System policy 1590
  jurisdiction policy 1471
  LDAP page size for Document Signer certificate list operations 560
  list operations in CVCA Administration 989
  list operations in DV Administration 1451
  logs for CVCA Administration 986
  logs for DV Administration 1448
  logs for DV Web Service 1494
  logs for DVCKM 1476
  logs for Master List Signer services 786
  logs for NPKD services 546
  logs for PKD Reader services 435
  logs for PKD Writer Web Service 367
  logs for SPOC services 1214
  logs for the NPKD Validation Engine 548
  Master List Server authentication to a directory without anonymous access 774
  Master List Signer authentication to a directory without anonymous access 772
  Master List Signer services 785
  NPKD Server authentication to a directory without anonymous access 515
  NPKD services 545, 710
  Offline Token Creation Utility logging 244
  PKD Reader Client authentication to a directory without anonymous access 517
  PKD Reader Server authentication to a directory without anonymous access 422
  PKD Reader settings using NPKD Administration 700
  PKD Reader Web Service 425
  PKD Writer Server authentication to a directory without anonymous access 344
  PKD Writer Web Service 347
  secure audit log for NPKD services 569
  Security Manager as a Master List Signer Services CA 734
  Security Manager as a PKD Reader Services CA 382
  Security Manager as a PKD Writer Services CA 302, 460
  Security Manager as a SPOC CA 1154
  Security Manager as CSCA 99
  Security Manager as CVCA 894
  Security Manager as DV 1296
  Signature Delivery Service 212
  SMTP server settings for CVCA Administration 992
  SMTP server settings for DV Administration 1455
  SMTP server settings for DV Web Service 1495
  SMTP server settings for DVCKM 1478
  SMTP server settings for PKD Reader 426
  SMTP server settings for PKD Writer 348
  SMTP server settings for the NPKD services 550
  SPOC CA 1157
  SPOC CA certificate 1157
  SPOC Client authentication to a directory without anonymous access 1201
  SPOC Domestic Web Service authentication to a directory without anonymous access 1205
  SPOC DVCKM Client authentication to a directory without anonymous access 1409
  SPOC message threads 1218
  SPOC Server authentication to a directory without anonymous access 1203
  SPOC services 1213
  SSL on Apache HTTP Server 201
  SSL on Apache Tomcat 199
  Verification Server for auditing 266
  VirtualHost directive on Apache HTTP Server 469, 912, 1309
  whether MLS Administration can create domestic master lists 794

  XAP message signing algorithm for DV Web Service 1506
  XAP message signing algorithm for DVCKM 1489
connecting
  CVCA Administration to the CVCA 970
  DV Administration to the DVCA 1364
countersigning
  definition 1702
  DV certificate requests 1085
  overview 90
Country Signing Certification Authority. See CSCA
Country Verifying Certification Authority. See CVCA
creating
  CVCA Administration Server credentials 914
  CVCA Administration XAP credentials 918
  CVCA administrators 979
  domestic master lists 799
  DV Administration Server credentials 1311
  DV Administration XAP credentials 1315
  DV administrators 1373
  DV certificate requests 1565
  DV Web Service credentials 1414
  DVCKM credentials 1382
  Master List Client credentials 744
  Master List Server credentials 741
  Master List Signer administrators 779
  Master List Signer credentials 148
  NPKD administrators 538
  NPKD Client credentials 476
  NPKD Server credentials 473
  PKD Reader Client credentials 391
  PKD Reader Server credentials 388
  PKD Writer Client credentials 312
  PKD Writer Server credentials 308
  profile 191
  profile for secure logging 265
  profiles using Offline Token Creation Utility 258
  roles for CVCA administrators 977
  roles for DV administrators 1371
  Server Login credentials 191
  Server Login credentials for secure logging 265
  SPOC administrators 1208
  SPOC Client credentials 1172
  SPOC Domestic Web Service profiles 921
  SPOC DVCKM Client credentials 1224
  SPOC Server credentials 1169
  user for Verification Server audit logging 264
  user policy for CVCA administrators 974
  user policy for DV administrators 1368
  user policy for NPKD administrators 535
CRL cache timeout
  CVCA Administration 988
  DV Administration 1450
CRL cache timeout for NPKD services 559
CRLs
  configuring for a CSCA 123
  definition 1702, 1703
  exporting from the National PKD 634
  importing into the National PKD 687
  listing in the National PKD 625
  managing in the National PKD 625
  removing from the National PKD 637
  viewing assurance level details in the National PKD 631
  viewing detailed information in the National PKD 627
cross-stream signing 1703
Cryptographic Message Syntax 1703
CSCA
  changing the DN 155
  configuring Security Manager 99
  customizing Document Signer certificates 138
  customizing Master List Signer certificates 143
  definition 1702, 1703
  files for the DV Web Service 1420
  files for the Master List Signer services 749
  installing 95
  installing Security Manager 99
  managing 137
  overview 51
  post-configuration steps 109
  reconfiguring a CA 111
  revoking certificates 152
  updating the CSCA certificate 153
  updating the CSCA keys 153
CSCA certificates
  adding as trust anchors from foreign master lists 844
  exporting from the National PKD 663
  importing into the National PKD 684
  listing in the National PKD 655
  managing in the National PKD 655
  removing from the National PKD 666
  viewing assurance level details in the National PKD 660
  viewing detailed information in the National PKD 657
CSCA materials distribution
  configuring 1507
  configuring CRL checking 1511

  configuring how often DV Web Service checks for new CSCA materials 1510
  configuring the CSCA materials storage folder 1509
  configuring the incoming CSCA materials folder 1508
  disabling 1507
  enabling 1507
  providing latest domestic CSCA root certificate to DV Web Service 1513
  providing materials to DV Web Service 1514
CSR. See certificate request
customer support 45
customizing
  browser title 717, 877, 1111, 1279, 1635
  CVCA Administration application title 1112
  CVCA Administration interface 1110
  CVCA Administration online help 1114
  CVCA Administration styles 1118
  Document Signer certificates 138
  DV Administration application title 1636
  DV Administration interface 1634
  DV Administration online help 1638
  DV Administration styles 1643
  Master List Signer certificates 143
  MLS Administration application title 877
  MLS Administration interface 876
  MLS Administration styles 880
  NPKD Administration application title 718
  NPKD Administration interface 716
  NPKD Administration styles 720
  SPOC Administration application title 1279
  SPOC Administration interface 1278
  SPOC Administration styles 1282
  Verification Server log files 278
CV certificates
  authority reference 83
  certificate lifetimes 82
  certificate streams 85
  holder reference 83
  overview 82
  sequence number algorithm 84
  status 82
  validation strings 86
CVCA
  activating CVCAs 1079
  activating foreign CVCAs 1037
  adding 1530
  adding DVs 1060
  adding foreign CVCAs 1032
  administering 1005
  configuring key updates 1027
  configuring license information 903
  configuring Security Manager 894
  configuring the DV policy 1056
  countersigning DV certificate requests 1085
  definition 1703
  deleting 1545
  deleting DVs 1081
  deleting foreign CVCAs 1039
  deploying CVCA Administration 907
  disabling 1541
  disabling DVs 1076
  disabling foreign CVCAs 1035
  DV certificates 75
  enabling 1542
  enabling CVCAs 1079
  enabling foreign CVCAs 1037
  establishing trust with a DV 88
  exporting domestic CVCA certificates 1020
  exporting DV certificates 1099
  exporting foreign CVCA certificates 1050
  files for the SPOC services 1177
  finding 1536
  finding DVs 1069
  importing foreign CVCA certificates 1042
  initializing 904
  installing 893
  installing Security Manager 894
  link CVCA certificates 75
  listing 1534
  listing domestic CVCA certificates 1017
  listing DV certificates 1096
  listing DVs 1066
  listing foreign CVCA certificates 1047
  listing foreign CVCAs 1033
  modifying 1537
  modifying DVs 1071
  overview 75
  previewing DV certificate requests for countersigning 1084
  previewing DV certificate requests for processing 1090
  previewing EAC certificate requests 1103, 1627
  previewing EAC certificates 1103, 1627
  processing DV certificate requests 1091
  root CVCA certificates 75
  suspending 1541
  suspending DVs 1076

  suspending foreign CVCAs 1035
  updating the CVCA key pair 1030
  viewing 1534
  viewing domestic CVCA certificates 1017
  viewing DV certificates 1096
  viewing DVs 1066
  viewing foreign CVCA certificates 1047
  viewing foreign CVCAs 1033
  viewing the current signing key 1026
  viewing the CVCA holder identity 1015
CVCA Administration 1011
  add a custom notification service 1119
  adding a company logo 1110
  adding CA certificates to Apache HTTP Server 967
  affected by roles 1012
  assigning SSL certificates to a CVCA Administration Web site in Microsoft IIS 957
  assigning SSL certificates to the CVCA Administration VirtualHost in Apache HTTP Server 964
  changing the email format 994
  completing the Apache HTTP Server front-end configuration 964
  completing the Microsoft IIS front-end configuration 957
  configuring 985
  configuring email notification 992
  configuring list operations 989
  configuring logs 986
  configuring SMTP server settings 992
  configuring the date format 991
  connecting to the CVCA 970
  creating CVCA administrators 979
  creating roles for CVCA administrators 977
  creating user policy for CVCA administrators 974
  CRL cache timeout 988
  customizing styles 1118
  customizing the application title 1112
  customizing the browser title 1111
  customizing the interface 1110
  customizing the online help 1114
  CVCA Administration Server credentials 914
  CVCA Administration XAP credentials 918
  deploying 907
  disabling email notification 998
  editing the online help 1115
  email notification files 994
  enabling email notification 998
  help files 1114
  installing 926
  installing CA certificates in Microsoft IIS 960
  list operations 989
  local folders 1123
  localizing 1121
  logging in 1011
  modifying email notification message text 1001
  modifying email notification subject text 1001
  modifying user policy for CVCA administrators 974
  overview 79
  testing 984
  translating 1126
  troubleshooting localization 1129
  updating CVCA Administration Server profile keys 917
  updating CVCA Administration XAP profile keys 920
  using 1013
CVCA Administration Server credentials 914
  creating a profile 916
  creating a user entry 914
  updating profile keys 917
CVCA Administration XAP credentials 918
  creating a profile 919
  creating a user entry 918
  creating Server Login credentials 920
  updating profile keys 920
CVCA administrators
  creating 979
  creating a user policy for CVCA administrators 974
  creating roles for CVCA administrators 977
  modifying a user policy for CVCA administrators 974
cvca cert export 1021, 1136
cvca cert export-chain 1022, 1137
cvca cert list 1017, 1021, 1022, 1137
cvca cert show-keys 1026, 1137
cvca cert view 1017, 1137
CVCA certificates
  authority reference 85
  exporting 1553
  exporting domestic CVCA certificates 1020
  exporting foreign CVCA certificates 1050
  holder reference 85
  importing 1546
  importing foreign CVCA certificates 1042
  link certificates 75
  listing 1550
  listing domestic CVCA certificates 1017
  listing foreign CVCA certificates 1047
  providing to SPOC 1227

  requesting from foreign CVCAs 1236
  root certificates 75
  sending to a foreign CVCA 1243
  viewing 1550
  viewing domestic CVCA certificates 1017
  viewing foreign CVCA certificates 1047
cvca config set 1027, 1137
cvca config view 1027, 1140
cvca dv add 1060, 1140
cvca dv cert export 1100, 1143
cvca dv cert list 1096, 1144
cvca dv cert view 1096, 1144
cvca dv certreq countersign 1086, 1145
cvca dv certreq presign 1085, 1145
cvca dv certreq preview 1090, 1144
cvca dv certreq process 1091, 1144
cvca dv config set 1056, 1146
cvca dv config view 1056, 1146
cvca dv delete 1082, 1141
cvca dv disable 1077, 1141
cvca dv enable 1080, 1141
cvca dv list 1066, 1141
cvca dv modify 1071, 1141
cvca dv search 1070, 1142
cvca dv view 1066, 1143
cvca fcvca add 1032, 1147
cvca fcvca cert export 1051, 1147
cvca fcvca cert export-chain 1052, 1147
cvca fcvca cert import 1043, 1148
cvca fcvca cert list 1047, 1051, 1052, 1148
cvca fcvca cert view 1047, 1148
cvca fcvca delete 1039, 1147
cvca fcvca disable 1036, 1147
cvca fcvca enable 1037, 1147
cvca fcvca list 1034, 1147
cvca fcvca view 1034, 1147
cvca identity 1015, 1136
cvca init 904, 1134
cvca key update 1030, 1149
CVCA policy 1529
cvca util cert preview 1043, 1103, 1149
cvca util certreq preview 1104, 1149

D
DDVKey 903
DDVSerialNumber 903
DDVUserLimit 903
defining locales 722, 882, 1122, 1284, 1646
deleting
  CVCAs 1545
  DVs 1081
  foreign CVCAs 1039
  foreign master lists 847
  foreign SPOCs 1234
  inbound requests 1270
  Inspection Systems 1611
  outbound requests 1253
deploying
  CVCA Administration 907
  Document Signer Service 163
  DV Administration 1305
  DV Web Service 1411
  DVCKM 1379
  Master List Signer services 737
  NPKD services 463
  PKD Reader Web Service 385
  PKD Writer Web Service 305
  SPOC services 1161
digital signature 1703
Digital Signature Service 61
  client samples 277
  problems with Verification Server 283
  securing access 197
  security 197
Digital Signature service
  accessing 277
  enabling 189
  logging user names 198
  protecting 198
directory 1703
disabling
  automatic CRL discovery from Document Signer certificates 561
  CSCA materials distribution 1507
  CVCAs 1541
  DVs 1076
  email notification for CVCA Administration 998
  email notification for DV Administration 1461
  email notification for DV Web Service 1497
  email notification for DVCKM 1481
  email notification for PKD Reader 428
  email notification for PKD Writer 350
  email notification for the NPKD services 552
  foreign CVCAs 1035
  Inspection Systems 1607

  Master List Signer Web Service 793
  signature validation when retrieving CSCA materials 564
distinguished name 1703
DN. See distinguished name
Document Security Object
  ASN.1 structure 229
  definition 1703
Document Signer
  certificates 138
  definition 1703
  overview 51
  see also Document Signer Service
Document Signer certificates
  exporting from the National PKD 620
  importing into the National PKD 681
  listing in the National PKD 611
  managing in the National PKD 611
  removing from the National PKD 623
  viewing assurance level details in the National PKD 617
  viewing detailed information in the National PKD 613
Document Signer Policy 141
Document Signer Service
  adding a user for Verification Server 189
  configuring Verification Server 186
  creating a profile 191
  deploying 163
  in a BAC system 56
  Offline Token Creation Utility 57
  overview 59
  Profile Creation Utility 57
  securing access to the Digital Signature Service 197
  Signature Delivery Service 57
  Verification Server 56
Document Verifier certificates. See DV certificates
Document Verifier. See DV
documentation
  conventions 41
  feedback 44
  obtaining 44
  related documentation 43
  revision information 38
domestic master lists
  creating 799
  draft location 791
  editing 799
  location 788
  number of archived domestic master lists 788
  number of draft domestic master lists 791
downloading CSCA materials from ICAO PKD into PKD Reader 702
DSS-install 42
DV
  activating 1079
  activating Inspection Systems 1609
  adding 1060
  adding CVCAs 1530
  adding Inspection Systems 1594
  administering 1517
  canceling DV certificate requests 1573
  configuring license information 1302
  configuring Security Manager 1296
  configuring the CVCA policy 1529
  configuring the DV policy 1559
  creating DV certificate requests 1565
  definition 1703
  deleting 1081
  deleting CVCAs 1545
  deleting Inspection Systems 1611
  deploying DV Administration 1305
  deploying the DV Web Service 1411
  deploying the DVCKM 1379
  disabling 1076
  disabling CVCAs 1541
  disabling Inspection Systems 1607
  enabling 1079
  enabling CVCAs 1542
  enabling Inspection Systems 1609
  establishing trust with a CVCA 88
  establishing trust with an Inspection System 91
  exporting CVCA certificates 1553
  exporting DV certificate requests 1575
  exporting DV certificates 1585
  exporting Inspection System certificates 1622
  finding 1069
  finding CVCAs 1536
  finding Inspection Systems 1601
  importing CVCA certificates 1546
  importing DV certificates 1578
  initializing 1303
  installing 1295
  installing CVCA Administration 926
  installing DV Administration 1320
  installing Security Manager 1296
  installing the DV Web Service 1422
  installing the DVCKM 1388

  listing 1066
  listing CVCA certificates 1550
  listing CVCAs 1534
  listing DV certificate requests 1571
  listing DV certificates 1581
  listing Inspection System certificates 1619
  listing Inspection Systems 1598
  modifying 1071
  modifying CVCAs 1537
  modifying Inspection Systems 1602
  overview 76
  previewing DV certificate requests 1613
  processing DV certificate requests 1614
  suspending 1076
  suspending CVCAs 1541
  suspending Inspection Systems 1607
  viewing 1066
  viewing CVCA certificates 1550
  viewing CVCAs 1534
  viewing DV certificate requests 1571
  viewing DV certificates 1581
  viewing Inspection System certificates 1619
  viewing Inspection Systems 1598
  viewing the current signing keys 1589
  viewing the domestic CVCA holder identity 1528
  viewing the DV holder identity 1527
DV Administration 1523
  add a custom notification service 1644
  adding a company logo 1634
  adding CA certificates to Apache HTTP Server 1361
  affected by roles 1524
  assigning SSL certificates to a DV Administration Web site in Microsoft IIS 1351
  assigning SSL certificates to the DV Administration VirtualHost in Apache HTTP Server 1358
  changing the email format 1457
  completing the Apache HTTP Server front-end configuration 1358
  completing the Microsoft IIS front-end configuration 1351
  configuring 1447
  configuring a jurisdiction policy 1471
  configuring email notification 1455
  configuring list operations 1451
  configuring logs 1448
  configuring SMTP server settings 1455
  configuring the date format 1454
  connecting to the DVCA 1364
  creating DV administrators 1373
  creating roles for DV administrators 1371
  creating user policy for DV administrators 1368
  CRL cache timeout 1450
  customizing styles 1643
  customizing the application title 1636
  customizing the browser title 1635
  customizing the interface 1634
  customizing the online help 1638
  deploying 1305
  disabling email notification 1461
  DV Administration Server credentials 1311
  DV Administration XAP credentials 1315
  editing the online help 1639
  email notification files 1457
  enabling email notification 1461
  enabling email notification for the initial DV certificate request for a foreign CVCA 1464
  help files 1638
  installing 1320
  installing CA certificates in Microsoft IIS 1354
  list operations 1451
  local folders 1647
  localizing 1645
  logging in 1523
  modifying email notification message text 1468
  modifying email notification subject text 1468
  modifying user policy for DV administrators 1368
  overview 80
  testing 1377
  translating 1649
  troubleshooting localization 1652
  updating DV Administration Server profile keys 1314
  updating DV Administration XAP profile keys 1317
  using 1525
DV Administration Server credentials 1311
  creating a profile 1313
  creating a user entry 1311
  updating profile keys 1314
DV Administration XAP credentials 1315
  creating a profile 1316
  creating a user entry 1315
  creating Server Login credentials 1317
  updating profile keys 1317
DV administrators
  creating 1373
  creating a user policy for DV administrators 1368
  creating roles for DV administrators 1371

  modifying a user policy for DV administrators 1368
dv cert export 1586, 1656
dv cert export-chain 1587, 1656
dv cert list 1581, 1657
dv cert show-keys 1589, 1657
dv cert view 1582, 1657
DV Certificate Key Management Service. See DVCKM
DV certificate requests
  canceling 1573
  countersigning 1085
  creating 1565
  exporting 1575
  listing 1571
  previewing for countersigning 1084
  previewing for processing 1090
  processing 1091
  viewing 1571
DV certificates 75
  authority reference 85
  exporting 1099, 1585
  holder reference 85
  importing 1578
  listing 1096, 1581
  requesting from a foreign CVCA 1240
  viewing 1096, 1581
dv certreq cancel 1574, 1658
dv certreq create 1566, 1657
dv certreq export 1575, 1658
dv certreq finish 1578, 1658
dv certreq list 1571, 1658
dv certreq view 1572, 1658
dv config set 1560, 1658
dv config view 1559, 1659
dv cvca add 1530, 1538, 1659
dv cvca cert export 1554, 1660
dv cvca cert export-chain 1555, 1661
dv cvca cert import 1547, 1661
dv cvca cert list 1550, 1554, 1555, 1662
dv cvca cert view 1551, 1662
dv cvca config set 1529, 1662
dv cvca config view 1529, 1662
dv cvca delete 1545, 1659
dv cvca disable 1541, 1659
dv cvca enable 1543, 1659
dv cvca list 1534, 1659
dv cvca modify 1660
dv cvca search 1537, 1660
dv cvca view 1534, 1660
dv domestic-cvca 1528, 1656
dv identity 1527, 1656
dv init 1303, 1656
dv is add 1594, 1662
dv is cert export 1623, 1664
dv is cert export-chain 1623, 1664
dv is cert list 1619, 1665
dv is cert view 1619, 1665
dv is certreq preview 1613, 1665
dv is certreq process 1614, 1666
dv is config set 1590, 1667
dv is config view 1590, 1668
dv is delete 1611, 1663
dv is disable 1608, 1663
dv is enable 1609, 1663
dv is list 1599, 1663
dv is modify 1603, 1663
dv is search 1601, 1663
dv is view 1599, 1664
DV policy
  configuring at the CVCA 1056
  configuring at the DV 1559
dv util cert preview 1546, 1627, 1668
dv util certreq preview 1628, 1668
DV Web Service 56
  configuring 1493
  configuring authentication to a directory without anonymous access 1444
  configuring CRL checking of CSCA materials 1511
  configuring CSCA materials distribution 1507
  configuring email notification 1495
  configuring how often DV Web Service checks for CSCA materials 1510
  configuring incoming CSCA materials folder 1508
  configuring logs 1494
  configuring SMTP server settings 1495
  configuring the CSCA materials storage folder 1509
  configuring the XAP message signing algorithm 1506
  deploying 1411
  disabling CSCA materials distribution 1507
  disabling email notification 1497
  DV Web Service credentials 1414
  email notification files 1496
  enabling CSCA materials distribution 1507
  enabling email notification 1497
  files from the domestic CSCA 1420
  files from the National PKD 1421
  installing 1422

  modifying email notification message text 1500
  modifying email notification subject text 1500
  overview 80
  providing CSCA materials 1514
  providing the latest domestic CSCA certificate 1513
  updating DV Web Service profile keys 1417
  URL 1443
DV Web Service credentials 1414
  creating a profile 1417
  creating a user entry 1415
  modifying the role 1414
  updating profile keys 1417
DVCKM
  configuring 1475
  configuring authentication to a directory without anonymous access 1407
  configuring communications with SPOC Domestic Web Service 1492
  configuring email notification 1478
  configuring logs 1476
  configuring SMTP server settings 1478
  configuring the XAP message signing algorithm 1489
  deploying 1379
  disabling email notification 1481
  DVCKM credentials 1382
  email notification files 1479
  enabling email notification 1481
  files from the domestic SPOC 1387
  installing 1388
  modifying email notification message text 1484
  modifying email notification subject text 1484
  overview 80
  updating DVCKM profile keys 1384
DVCKM credentials 1382
  creating a profile 1383
  creating a user entry 1382
  updating profile keys 1384

E
EAC
  Administration Services 79
  architecture 74
  audit logs 1677
  authority reference 83
  certificate lifetimes 82
  certificate status 82
  certificate streams 85
  certificates. See also CV certificates 82
  CVCA 75
  definition 1703, 1704
  DV 76
  Entrust products 78
  holder identity 77
  holder reference 83
  Inspection Systems 76
  overview 73
  Security Manager 79
  sequence number algorithm 84
  SPOC 76
  system components 78
  validation strings 86
EAC certificate requests
  previewing at the CVCA 1103
  previewing at the DV 1627
  see also CV certificates
EAC certificate requests. See also CV certificates
EAC certificates
  previewing at the CVCA 1103
  previewing at the DV 1627
  see also CV certificates
EAC certificates. See also CV certificates
editing
  domestic master lists 799
  foreign SPOCs 1232
EF.SOD. See Elementary File Document Security Object
Elementary File Document Security Object 1704
email notification
  adding a custom notification service 1119, 1644
  changing the email format for CVCA Administration 994
  changing the email format for DV Administration 1457
  configuring for CVCA Administration 992
  configuring for DV Administration 1455
  configuring for DV Web Service 1495
  configuring for DVCKM 1478
  configuring for PKD Reader 426
  configuring for PKD Writer 348
  configuring for the NPKD services 550
  configuring SMTP server settings for CVCA Administration 992
  configuring SMTP server settings for DV Administration 1455
  configuring SMTP server settings for DV Web Service 1495
  configuring SMTP server settings for DVCKM 1478

1718 Entrust® ePassport 3.00 Solutions Guide Document issue: 5.0


- A B C D E F G H I J K L M N O P Q R S T U V W X Y Z -
    configuring SMTP server settings for PKD Reader 426
    configuring SMTP server settings for PKD Writer 348
    configuring SMTP server settings for the NPKD services 550
    disabling for CVCA Administration 998
    disabling for DV Administration 1461
    disabling for DV Web Service 1497
    disabling for DVCKM 1481
    disabling for PKD Reader 428
    disabling for PKD Writer 350
    disabling for the NPKD services 552
    email notification files for CVCA Administration 994
    email notification files for DV Administration 1457
    email notification files for DV Web Service 1496
    email notification files for DVCKM 1479
    email notification files for PKD Reader 427
    email notification files for PKD Writer 349
    email notification files for the NPKD services 551
    enabling for CVCA Administration 998
    enabling for DV Administration 1461
    enabling for DV Web Service 1497
    enabling for DVCKM 1481
    enabling for PKD Reader 428
    enabling for PKD Writer 350
    enabling for the initial DV certificate request for a foreign CVCA 1464
    enabling for the NPKD services 552
    modifying email notification message text for CVCA Administration 1001
    modifying email notification message text for DV Administration 1468
    modifying email notification message text for DV Web Service 1500
    modifying email notification message text for DVCKM 1484
    modifying email notification message text for PKD Reader 431
    modifying email notification message text for PKD Writer 353
    modifying email notification message text for the NPKD services 555
    modifying email notification subject text for CVCA Administration 1001
    modifying email notification subject text for DV Administration 1468
    modifying email notification subject text for DV Web Service 1500
    modifying email notification subject text for DVCKM 1484
    modifying email notification subject text for PKD Reader 431
    modifying email notification subject text for PKD Writer 353
    modifying email notification subject text for the NPKD services 555
    translating templates 729, 1129, 1652
    using HTML content templates for CVCA Administration 1003
    using HTML content templates for DV Administration 1470
    using HTML content templates for DV Web Service 1502
    using HTML content templates for DVCKM 1486
    using HTML content templates for PKD Reader 433
    using HTML content templates for PKD Writer 355
    using HTML content templates for the NPKD services 557
enabling
    automatic CRL discovery from Document Signer certificates 561
    CSCA materials distribution 1507
    CVCAs 1542
    Digital Signature service 189
    DVs 1079
    email notification for CVCA Administration 998
    email notification for DV Administration 1461
    email notification for DV Web Service 1497
    email notification for DVCKM 1481
    email notification for PKD Reader 428
    email notification for PKD Writer 350
    email notification for the initial DV certificate request for a foreign CVCA 1464
    email notification for the NPKD services 552
    foreign CVCAs 1037
    Inspection Systems 1609
    Master List Signer Web Service 793
    signature validation when retrieving CSCA materials 564
    SSL 910, 1307
    SSL on the Web server 467
encrypt 1704
Entrust Authority Administration Services. See Administration Services
Entrust Authority Document Signer Service. See Document Signer Service

Index 1719
Entrust Authority IS Client. See IS Client
Entrust Authority IS Concentrator. See IS Concentrator
Entrust Authority Security Manager. See Security Manager
Entrust Datacard
    Customer Support 45
    Professional Services 45
    Training 46
Entrust PKI administrator 1704
Entrust products
    BAC 53
    EAC 78
Entrust profiles 64, 1704
    expiry 273
    see also profiles
    updating 273
entrust.ini
    checking for Administration Services 317, 394, 479, 747, 924, 1175, 1318, 1385, 1418
    configuring for Verification Server 186
entrust-configuration.xml
    Digital Signature service settings 293
    global settings 288
    location 287
    values 287
entsh. See Security Manager Control Command Shell
ePassport - Document Signer 138, 141, 190
ePassport - Master List Signer 143, 146
error format in Signature Delivery Service 223
error logging 278
establishing
    trust between a CVCA and a DV 88
    trust between a DV and an Inspection System 91
exit 1010, 1522
exporting
    active domestic master list 815
    all CSCA materials from a country in the National PKD 601
    archived domestic master lists 824
    assurance policies 708
    CRLs from the National PKD 634
    CSCA certificates from foreign master lists 841
    CSCA certificates from the active domestic master list 817
    CSCA certificates from the National PKD 663
    CVCA certificates 1553
    Document Signer certificates from the National PKD 620
    domestic CVCA certificates 1020
    DV certificate requests 1575
    DV certificates 1099, 1585
    foreign CVCA certificates 1050
    foreign master lists 839
    Inspection System certificates 1622
    master lists from the National PKD 647
    trust anchors from the National PKD 663
Extended Access Control. See EAC

F
FDVKey 903
FDVSerialNumber 903
FDVUserLimit 903
feedback 44
finding
    CVCAs 1536
    DVs 1069
    Inspection Systems 1601
foreign CVCAs
    activating 1037
    adding 1032
    deleting 1039
    disabling 1035
    enabling 1037
    listing 1033
    suspending 1035
    viewing 1033
foreign master lists
    adding 829
    adding CSCA certificates as trust anchors 844
    deleting 847
    exporting 839
    exporting CSCA certificates 841
    location 790
    viewing 832
front-end Web server
    adding CA certificates to Apache HTTP Server for CVCA Administration 967
    adding CA certificates to Apache HTTP Server for DV Administration 1361
    adding CA certificates to Apache HTTP Server for the NPKD services 532
    assigning SSL certificates to a CVCA Administration Web site in Microsoft IIS 957
    assigning SSL certificates to a DV Administration Web site in Microsoft IIS 1351

    assigning SSL certificates to the CVCA Administration VirtualHost in Apache HTTP Server 964
    assigning SSL certificates to the DV Administration VirtualHost in Apache HTTP Server 1358
    assigning SSL certificates to the NPKD services VirtualHosts in Apache HTTP Server 529
    assigning SSL certificates to the NPKD Web site in Microsoft IIS 519, 522
    completing Apache HTTP Server configuration for CVCA Administration 964
    completing Apache HTTP Server configuration for DV Administration 1358
    completing Apache HTTP Server configuration for the NPKD services 529
    completing Microsoft IIS configuration for CVCA Administration 957
    completing Microsoft IIS configuration for DV Administration 1351
    completing Microsoft IIS configuration for the NPKD services 519
    installing CA certificates for Microsoft IIS for CVCA Administration 960
    installing CA certificates for Microsoft IIS for DV Administration 1354
    installing CA certificates for Microsoft IIS for the NPKD services 524

G
general messages 1247
generating key pairs using Offline Token Creation Utility 248
generating outbound requests 1236

H
hardware security module. See HSM
hash value 1704
health query 225
hierarchy. See architecture
holder identities 1704
holder identity 77
holder reference 83
    for CVCA certificates 85
    for DV certificates 85
    for Inspection System certificates 85
HSM 65
    definition 1704
    problems with Verification Server 282
    writing profiles to an HSM using Offline Token Creation Utility 260

I
ICAO Public Key Directory 51
IETF 1704
implementing the Signature Delivery Service sample client code 226
importing
    a single CSCA material into the National PKD 668
    CSCA materials from PKD Reader into the National PKD 696
    CSCA materials into the National PKD 668
    CSCA materials into the National PKD from an LDIF file 676
    CVCA certificates 1546
    DV certificates 1578
    foreign CVCA certificates 1042
    multiple CRLs from files 687
    multiple CSCA certificates from files 684
    multiple Document Signer certificates from files 681
    multiple master lists from files 690
    multiple trust anchors from files 684
inbound requests
    deleting 1270
    viewing 1258
initializing
    CVCA 904
    DV 1303
Inspection System
    definition 1704
    establishing trust with a DV 91
    overview 52, 76
Inspection System certificate requests
    previewing 1613
    processing 1614
Inspection System certificates
    authority reference 85
    exporting 1622
    holder reference 85
    listing 1619
    viewing 1619
Inspection System policy
    configuring 1590
Inspection Systems
    activating 1609

    adding 1594
    deleting 1611
    disabling 1607
    enabling 1609
    finding 1601
    listing 1598
    modifying 1602
    suspending 1607
    viewing 1598
installing
    Administration Services for a Master List Signer 751
    CA certificates in Microsoft IIS for the CVCA Administration 960
    CA certificates in Microsoft IIS for the DV Administration 1354
    CA certificates in Microsoft IIS for the NPKD services 524
    CSCA 95
    CVCA 893
    CVCA Administration 926
    DV 1295
    DV Administration 1320
    DV Web Service 1422
    DVCKM 1388
    LDAP directory as the National PKD 450
    Master List Signer Services CA 733
    National PKD manually 450
    NPKD services 482
    NPKD Services CA 459
    PKD Reader Services CA 381
    PKD Reader Web Service 404
    PKD Writer Services CA 301
    PKD Writer Web Service 324
    Security Manager as a CSCA 99
    Security Manager as a CVCA 894
    Security Manager as a DV 1296
    Security Manager as a Master List Signer Services CA 734
    Security Manager as a PKD Reader Services CA 382
    Security Manager as a PKD Writer Services CA 302, 460
    Security Manager as a SPOC CA 1154
    SPOC CA 1153
    SPOC services 1178
    Web server for Administration Services 467, 910, 1307
Internet Engineering Task Force 1704
IS Client 58, 81
IS Concentrator 58, 81
ISKey 1302
ISSerialNumber 1302
ISUserLimit 1302

J
JavaScript code 729, 887, 1130, 1289, 1653
jurisdiction policy 1471

L
LDAP page size for Document Signer certificate list operations 560
LDS. See Logical Data Structure
license information
    CVCA 903
    DV 1302
listing
    countries in the National PKD 592
    CRLs in the National PKD 625
    CSCA certificates in the National PKD 655
    CVCA certificates 1550
    CVCAs 1534
    Document Signer certificates in the National PKD 611
    domestic CVCA certificates 1017
    DV certificate requests 1571
    DV certificates 1096, 1581
    DVs 1066
    foreign CVCA certificates 1047
    foreign CVCAs 1033
    Inspection System certificates 1619
    Inspection Systems 1598
    master lists in the National PKD 639
    trust anchors in the National PKD 655
locale
    adding to CVCA Administration 1124
    adding to DV Administration 1648
    adding to MLS Administration 884
    adding to NPKD Administration 724
    adding to SPOC Administration 1286
    cannot display in some Web browsers 887, 1130, 1289, 1653
    CVCA Administration locale folders 1123
    defining 722, 882, 1122, 1284, 1646
    DV Administration locale folders 1647
    MLS Administration locale folders 883
    NPKD Administration locale folders 723
    overview 722, 882, 1122, 1284, 1646

    SPOC Administration locale folders 1285
localization
    definition 722, 882, 1122, 1284, 1646
    troubleshooting in CVCA Administration 1129
    troubleshooting in DV Administration 1652
    troubleshooting in MLS Administration 887
    troubleshooting in NPKD Administration 729
    troubleshooting in SPOC Administration 1289
localizing
    broken JavaScript code 729, 887, 1130, 1289, 1653
    CVCA Administration 1121
    DV Administration 1645
    HTML entities referenced by name 729, 887, 1130, 1289, 1653
    locale 722, 882, 1122, 1284, 1646
    MLS Administration 881
    NPKD Administration 721
    overview 722, 882, 1122, 1284, 1646
    SPOC Administration 1283
    translating JSP pages 1129, 1652
    troubleshooting CVCA Administration 1129
    troubleshooting DV Administration 1652
    troubleshooting in MLS Administration 887
    troubleshooting in NPKD Administration 729
    troubleshooting SPOC Administration 1289
    Web browsers cannot display some locale names 887, 1130, 1289, 1653
log files
    entries 280
    headers 280
logging
    Digital Signature requests 281
    levels for Verification Server 279
    Offline Token Creation Utility 244
    user names for digital signature requests 198
    Verification Server error logging 278
logging in
    CVCA Administration 1011
    DV Administration 1523
    MLS Administration 798
    NPKD Administration 572
    Security Manager Control Command Shell 1006, 1518
    SPOC Administration 1228
logging out of Security Manager Control Command Shell 1010, 1522
Logical Data Structure 1704
Logical Data Structure Security Object
    ASN.1 profile 227
    definition 1705
login 1007, 1009, 1519, 1521
    problems with Verification Server 281
logout 1010, 1522
logs
    configuring for CVCA Administration 986
    configuring for DV Administration 1448
    configuring for DV Web Service 1494
    configuring for DVCKM 1476
    configuring for Master List Signer services 786
    configuring for NPKD services 546
    configuring for PKD Reader services 435
    configuring for SPOC services 1214
    configuring for the NPKD Validation Engine 548
    configuring for the PKD Writer Web Service 367
    configuring the NPKD secure audit log 569

M
managing
    countries in the National PKD 592
    CRLs in the National PKD 625
    CSCA 137
    CSCA certificates in the National PKD 655
    Document Signer certificates in the National PKD 611
    master lists in the National PKD 639
    trust anchors in the National PKD 655
master lists
    assigning CSCA certificates as trust anchors 651
Master List Client
    profile 744
    updating profile keys 746
Master List Client credentials 744
    creating a profile 745
    creating a user entry 744
Master List Server
    configuring authentication to a directory without anonymous access 774
    profile 741
    updating profile keys 743
Master List Server credentials 741
    creating a profile 742
    creating a user entry 741
Master List Signer 1705
    configuring authentication to a directory without anonymous access 772
    configuring Security Manager for the Master List Signer services 734

    creating Master List Signer administrators 779
    deploying the Master List Signer services 737
    files from the CSCA 749
    installing a CA for Master List Signer services 733
    installing Administration Services 751
    installing Security Manager for the Master List Signer services 734
    Master List Client credentials 744
    Master List Server credentials 741
    Master List Signer credentials 148
    modifying user policy for Master List Signer administrators 776
    overview 51
    profile 148
    updating Master List Signer profile keys 151
Master List Signer administrators
    creating 779
    modifying a user policy for Master List Signer administrators 776
Master List Signer certificates 143
Master List Signer credentials 148
    creating a profile 150
    creating a user entry 148
    updating profile keys 151
Master List Signer Policy 146
Master List Signer service
    configuring whether MLS Administration can create domestic master lists 794
Master List Signer services
    configuring 785
    configuring domestic master lists 788
    configuring draft domestic master lists 791
    configuring foreign master lists 790
    configuring logs 786
    configuring the location of domestic master lists 788
    configuring the location of draft domestic master lists 791
    configuring the location of foreign master lists 790
    configuring the number of archived domestic master lists 788
    configuring the number of draft domestic master lists 791
    deploying 737
    disabling Master List Signer Web Service 793
    enabling Master List Signer Web Service 793
    Master List Client credentials 744
    Master List Server credentials 741
Master List Signer Web Service
    disabling 793
    enabling 793
master lists
    adding a CSCA certificate from a foreign master list as a trust anchor 844
    adding foreign master lists 829
    administering 797
    creating domestic master lists 799
    deleting foreign master lists 847
    editing domestic master lists 799
    exporting archived domestic master lists 824
    exporting CSCA certificates from foreign master lists 841
    exporting CSCA certificates from the active domestic master list 817
    exporting foreign master lists 839
    exporting from the National PKD 647
    exporting the active domestic master list 815
    importing into the National PKD 690
    listing in the National PKD 639
    making an archived domestic master list the active domestic master list 826
    managing in the National PKD 639
    overview 51
    removing from the National PKD 649
    uploading the active domestic master list to the ICAO PKD 819
    viewing archived domestic master lists 821
    viewing assurance level details in the National PKD 644
    viewing detailed information in the National PKD 641
    viewing foreign master lists 832
    viewing the active domestic master list 812
Master Users 1006, 1518
message formats in Signature Delivery Service 220
message processing in Signature Delivery Service 219
Microsoft IIS 519, 957, 1351
    assigning SSL certificates to a CVCA Administration Web site 957
    assigning SSL certificates to a DV Administration Web site 1351
    assigning SSL certificates to the NPKD Web site 519, 522
    installing CA certificates for CVCA Administration 960
    installing CA certificates for DV Administration 1354
    installing CA certificates for the NPKD services 524
    required features for Administration Services 468
MLS Administration
    adding a company logo 716, 876

    configuring whether MLS Administration can create domestic master lists 794
    customizing styles 880
    customizing the application title 877
    customizing the browser title 877
    customizing the interface 876
    locale folders 883
    localizing 881
    logging in 798
    overview 55
    translating 885
    troubleshooting localization 887
MLS Web Service 55
modifying
    CVCA Administration email notification to use HTML content templates 1003
    CVCAs 1537
    DV Administration email notification to use HTML content templates 1470
    DV Web Service email notification to use HTML content templates 1502
    DVCKM email notification to use HTML content templates 1486
    DVs 1071
    email notification message text for CVCA Administration 1001
    email notification message text for DV Administration 1468
    email notification message text for DV Web Service 1500
    email notification message text for DVCKM 1484
    email notification message text for PKD Reader 431
    email notification message text for PKD Writer 353
    email notification message text for the NPKD services 555
    email notification subject text for CVCA Administration 1001
    email notification subject text for DV Administration 1468
    email notification subject text for DV Web Service 1500
    email notification subject text for DVCKM 1484
    email notification subject text for PKD Reader 431
    email notification subject text for PKD Writer 353
    email notification subject text for the NPKD services 555
    Inspection Systems 1602
    NPKD services email notification to use HTML content templates 557
    PKD Reader email notification to use HTML content templates 433
    PKD Writer email notification to use HTML content templates 355
modifying a user policy for CVCA administrators 974
modifying a user policy for DV administrators 1368
modifying a user policy for Master List Signer administrators 776
modifying a user policy for NPKD administrators 535
modifying a user policy for SPOC administrators 1207
MRTD 1705

N
National PKD
    assigning CSCA certificates in a master list as trust anchors 651
    attributes 451
    configuring assurance policy settings for a country 603
    configuring automatic imports from PKD Reader 567
    deploying the NPKD services 463
    exporting all CSCA materials from a country 601
    exporting CRLs 634
    exporting CSCA certificates 663
    exporting Document Signer certificates 620
    exporting master lists 647
    exporting trust anchors 663
    files for the DV Web Service 1421
    importing a single CSCA material 668
    importing CSCA materials 668
    importing CSCA materials from LDIF files 676
    importing CSCA materials from PKD Reader 696
    importing multiple CRLs from files 687
    importing multiple CSCA certificates from files 684
    importing multiple Document Signer certificates from files 681
    importing multiple master lists from files 690
    importing multiple trust anchors from files 684
    installing manually 450
    listing countries 592
    listing CRLs 625
    listing CSCA certificates 655
    listing Document Signer certificates 611
    listing master lists 639
    listing trust anchors 655
    managing countries 592
    managing CRLs 625
    managing CSCA certificates 655

    managing Document Signer certificates 611
    managing master lists 639
    managing trust anchors 655
    manually deploying 449
    monitoring 588
    object classes 455
    removing CRLs 637
    removing CSCA certificates 666
    removing Document Signer certificates 623
    removing master lists 649
    removing trust anchors 666
    required entries 457
    schema 451
    viewing assurance level details about a CRL 631
    viewing assurance level details about a CSCA certificate 660
    viewing assurance level details about a Document Signer certificate 617
    viewing assurance level details about a master list 644
    viewing assurance level details about a trust anchor 660
    viewing detailed information about a country 596
    viewing detailed information about a CRL 627
    viewing detailed information about a CSCA certificate 657
    viewing detailed information about a Document Signer certificate 613
    viewing detailed information about a master list 641
    viewing detailed information about a trust anchor 657
nonrepudiation 1705
NPKD Administration
    assigning CSCA certificates in a master list as trust anchors 651
    configuring assurance policy settings for a country in the National PKD 603
    configuring global assurance policy settings 704
    configuring NPKD services 710
    creating user policy for NPKD administrators 535
    customizing styles 720
    customizing the application title 718
    customizing the browser title 717
    customizing the interface 716
    dashboard 588
    downloading CSCA materials from ICAO PKD into PKD Reader 702
    editing PKD Reader settings 700
    exporting all CSCA materials from a country in the National PKD 601
    exporting assurance policies 708
    exporting CRLs from the National PKD 634
    exporting CSCA certificates from the National PKD 663
    exporting Document Signer certificates from the National PKD 620
    exporting master lists from the National PKD 647
    exporting trust anchors from the National PKD 663
    importing CSCA materials from PKD Reader into the National PKD 696
    listing countries in the National PKD 592
    listing CRLs in the National PKD 625
    listing CSCA certificates in the National PKD 655
    listing Document Signer certificates in the National PKD 611
    listing master lists in the National PKD 639
    listing trust anchors in the National PKD 655
    locale folders 723
    localizing 721
    logging in 572
    managing countries in the National PKD 592
    managing CRLs in the National PKD 625
    managing CSCA certificates in the National PKD 655
    managing Document Signer certificates in the National PKD 611
    managing master lists in the National PKD 639
    managing PKD Reader 693
    managing trust anchors in the National PKD 655
    modifying user policy for NPKD administrators 535
    monitoring the National PKD 588
    overview 56
    removing CRLs from the National PKD 637
    removing CSCA certificates from the National PKD 666
    removing Document Signer certificates from the National PKD 623
    removing master lists from the National PKD 649
    removing trust anchors from the National PKD 666
    testing 543
    translating 726
    troubleshooting localization 729
    using grids 573
    viewing assurance level details about a CRL in the National PKD 631
    viewing assurance level details about a CSCA certificate in the National PKD 660
    viewing assurance level details about a Document Signer certificate in the National PKD 617
    viewing assurance level details about a master list in the National PKD 644

    viewing assurance level details about a trust anchor in the National PKD 660
    viewing detailed information about a country in the National PKD 596
    viewing detailed information about a CRL in the National PKD 627
    viewing detailed information about a CSCA certificate in the National PKD 657
    viewing detailed information about a Document Signer certificate in the National PKD 613
    viewing detailed information about a master list in the National PKD 641
    viewing detailed information about a trust anchor in the National PKD 657
    viewing the status of PKD Reader 693
NPKD administrators
    creating 538
    creating a user policy for NPKD administrators 535
    modifying a user policy for NPKD administrators 535
NPKD Client
    profile 476
NPKD Client credentials 476
    creating a profile 477
    creating a user entry 476
NPKD Server
    configuring authentication to a directory without anonymous access 515
    profile 473
NPKD Server credentials 473
    creating a profile 474
    creating a user entry 473
    updating profile keys 475
NPKD Services
    installing an NPKD Services CA 459
NPKD services
    adding CA certificates to Apache HTTP Server 532
    administering 571
    assigning SSL certificates to the NPKD services VirtualHosts in Apache HTTP Server 529
    assigning SSL certificates to the NPKD Web site in Microsoft IIS 519, 522
    completing the Apache HTTP Server front-end configuration 529
    completing the Microsoft IIS front-end configuration 519
    configuring 545, 710
    configuring automatic assurance level calculations of CSCA materials 562
    configuring automatic imports from PKD Reader 567
    configuring automatic signature updates of CSCA materials 565
    configuring email notification 550
    configuring logs 546
    configuring NPKD Validation Engine logs 548
    configuring SMTP server settings 550
    configuring the CRL cache timeout 559
    configuring the LDAP page size for Document Signer certificate list operations 560
    configuring the NPKD secure audit log 569
    creating NPKD administrators 538
    deploying 463
    disabling automatic CRL discovery from Document Signer certificates 561
    disabling email notification 552
    disabling signature validation when retrieving CSCA materials 564
    email notification files 551
    enabling automatic CRL discovery from Document Signer certificates 561
    enabling email notification 552
    enabling signature validation when retrieving CSCA materials 564
    installing 482
    installing CA certificates in Microsoft IIS 524
    modifying email notification message text 555
    modifying email notification subject text 555
    NPKD Client credentials 476
    NPKD Server credentials 473
    testing NPKD Administration 543
    updating NPKD Server profile keys 475
NPKD Services CA
    installing 459
NPKD Web Service 56

O
obtaining
    documentation 44
    technical assistance 45
Offline Token Creation Utility 64
    advantages 67
    creating profiles 258
    generating key pairs 248
    logging 244
    offline profile creation 65
    overview 57

    recovering profiles 253
    writing profiles to an HSM 260
OID 1705
online help
    customizing for CVCA Administration 1114
    customizing for DV Administration 1638
    editing for CVCA Administration 1115
    editing for DV Administration 1639
    files for CVCA Administration 1114
    files for DV Administration 1638
    updating the CVCA Administration application title 1116
    updating the CVCA Administration browser title 1115
    updating the DV Administration application title 1640
    updating the DV Administration browser title 1640
outbound requests
    deleting 1253
    generating 1236
    viewing 1249

P
passwords
    changing a profile password using Verification Server 274
PKCS #11 library 1705
PKD Reader
    configuring email notification 426
    configuring Security Manager as a PKD Reader Services CA 382
    configuring SMTP server settings 426
    deploying the PKD Reader Web Service 385
    disabling email notification 428
    downloading CSCA materials from ICAO PKD 702
    editing settings using NPKD Administration 700
    email notification files 427
    enabling email notification 428
    importing CSCA materials into the National PKD 696
    installing a PKD Reader Services CA 381
    installing Security Manager as a PKD Reader Services CA 382
    installing the PKD Reader Web Service 404
    managing using NPKD Administration 693
    modifying email notification message text 431
    modifying email notification subject text 431
    PKD Reader Client credentials 391
    PKD Reader Server credentials 388
    updating PKD Reader Client profile keys 393
    updating PKD Reader Server profile keys 390
    viewing the status 693
PKD Reader Client
    configuring authentication to a directory without anonymous access 517
    profile 391
    updating profile keys 478
PKD Reader Client credentials 391
    creating a profile 392
    creating a user entry 391
    updating profile keys 393
PKD Reader Server
    configuring authentication to a directory without anonymous access 422
    profile 388
PKD Reader Server credentials 388
    creating a profile 389
    creating a user entry 388
    updating profile keys 390
PKD Reader services
    configuring logs 435
PKD Reader Services CA
    installing 381
PKD Reader Web Service 55
    configuring 425
    deploying 385
    installing 404
PKD Writer
    configuring email notification 348
    configuring Security Manager as a PKD Writer Services CA 302, 460
    configuring SMTP server settings 348
    deploying the PKD Writer Web Service 305
    disabling email notification 350
    email notification files 349
    enabling email notification 350
    installing a PKD Writer Services CA 301
    installing Security Manager as a PKD Writer Services CA 302, 460
    installing the PKD Writer Web Service 324
    modifying email notification message text 353
    modifying email notification subject text 353
    PKD Writer Client credentials 312
    PKD Writer Server credentials 308
    updating PKD Writer Client profile keys 314
    updating PKD Writer Server profile keys 310
PKD Writer Client
    profile 312

PKD Writer Client credentials 312
    creating a profile 313
    creating a user entry 312
    updating profile keys 314
PKD Writer Server
    configuring authentication to a directory without anonymous access 344
    profile 308
PKD Writer Server credentials 308
    creating a profile 309
    creating a user entry 308
    updating profile keys 310
PKD Writer services
    administering 373
PKD Writer Services CA
    installing 301
PKD Writer Web Service 55
    configuring 347
    configuring logs 367
    deploying 305
    installing 324
policy
    see CVCA policy
    see DV policy
previewing
    DV certificate requests for countersigning 1084
    DV certificate requests for processing 1090
    EAC certificate requests 1103, 1627
    EAC certificates 1103, 1627
    Inspection System certificate requests 1613
private key 1705
processing
    DV certificate requests 1091
    Inspection System certificate requests 1614
Professional Services 45
Profile Creation Utility 63
    overview 57
profiles 64
    ASN.1 profile for Logical Data Structure Security Object 227
    changing the password using Verification Server 274
    creating 191
    creating using Offline Token Creation Utility 258
    definition 1704
    offline profile creation 65
    recovering using Offline Token Creation Utility 253
    recovering using Verification Server 272
    writing to an HSM using Offline Token Creation Utility 260
protecting the Digital Signature service 198
providing
    CSCA materials to DV Web Service 1514
    latest domestic CSCA root certificate to DV Web Service 1513
    SPOC with domestic CVCA certificates 1227
providing feedback on documentation 44
public key 1705
Public Key Directory 51

Q
queued operations 1105, 1629

R
reconfiguring a CA as a CSCA 111
recovering
    all users 134
    profiles using Offline Token Creation Utility 253
    profiles using Verification Server 272
reference number 1705
related documentation 43
removing
    CRLs from the National PKD 637
    CSCA certificates from the National PKD 666
    Document Signer certificates from the National PKD 623
    master lists from the National PKD 649
    trust anchors from the National PKD 666
request format in Signature Delivery Service 220
requesting
    CVCA certificates from foreign CVCAs 1236
    DV certificates from a foreign CVCA 1240
response format in Signature Delivery Service 222
revision information 38
revoking
    certificates 152
    previous CA certificate 134
    service certificate 274
role
    creating for CVCA administrators 977
    creating for DV administrators 1371
roles
    effect on CVCA Administration 1012
    effect on DV Administration 1524

Index 1729
- A B C D E F G H I J K L M N O P Q R S T U V W X Y Z -
S
SDS.ini 212
searching. See finding
Secure Sockets Layer. See SSL
securing access to the Digital Signature Service 197
security classes 1133, 1655
Security Manager
    configuring as a CSCA 99
    configuring as a CVCA 894
    configuring as a DV 1296
    configuring as a Master List Signer Services CA 734
    configuring as a PKD Reader Services CA 382
    configuring as a PKD Writer Services CA 302, 460
    configuring as a SPOC CA 1154
    configuring CVCA license information 903
    configuring DV license information 1302
    in a BAC system 54
    in an EAC system 79
    initializing a CVCA 904
    initializing a DV 1303
    installing as a CSCA 99
    installing as a CVCA 894
    installing as a DV 1296
    installing as a Master List Signer Services CA 734
    installing as a PKD Reader Services CA 382
    installing as a PKD Writer Services CA 302, 460
    installing as a SPOC CA 1154
    Security Manager Control Command Shell
Security Manager Control Command Shell 1006, 1518
    CVCA command reference 1133
    dv command reference 1655
    logging in 1006, 1518
    logging out 1010, 1522
    Master Users 1006, 1518
    security classes 1133, 1655
sending
    CVCA certificates to a foreign CVCA 1243
    general messages to foreign SPOCs 1247
sequence number algorithm 84
Server Login 1705
Server Login credentials
    creating 191
    creating for a CVCA Administration XAP profile 920
    creating for a DV Administration XAP profile 1317
servlet 1706
Signature Delivery Service 69
    ASN.1 profile for Logical Data Structure Security Object 227
    ASN.1 structure of Document Security Object 229
    client programming tasks 226
    configuring 212
    error format 223
    health query 225
    how it works 69
    implementing the sample client code 226
    message formats 220
    message processing 219
    operational flow 69
    overview 57
    request format 220
    response format 222
    SDS.ini 212
    security concerns and safeguards for sample client code 227
    using 211
signature validation when retrieving CSCA materials
    disabling 564
    enabling 564
signing private key 1706
Single Point of Contact. See SPOC
SOAP 1706
SOD. See Document Security Object
SOLDS. See Logical Data Structure Security Object
SPOC
    adding foreign SPOCs 1229
    administering 1223
    creating SPOC administrators 1208
    deleting foreign SPOCs 1234
    deleting inbound requests 1270
    deleting outbound requests 1253
    deploying the SPOC services 1161
    editing foreign SPOCs 1232
    files for the DVCKM 1387
    files from the CVCA 1177
    generating outbound requests 1236
    installing SPOC services 1178
    message threads 1218
    modifying user policy for SPOC administrators 1207
    overview 76
    providing with domestic CVCA certificates 1227
    requesting CVCA certificates from foreign CVCAs 1236
    requesting DV certificates from a foreign CVCA 1240
    sending CVCA certificates to a foreign CVCA 1243
    sending general messages to foreign SPOCs 1247
    SPOC DVCKM Client credentials 1224
    updating SPOC DVCKM Client profile keys 1226

1730 Entrust® ePassport 3.00 Solutions Guide Document issue: 5.0


    viewing foreign SPOCs 1231
    viewing inbound requests 1258
    viewing outbound requests 1249
SPOC Administration
    adding a company logo 1278
    customizing styles 1282
    customizing the application title 1279
    customizing the browser title 1279
    customizing the interface 1278
    local folders 1285
    localizing 1283
    logging in 1228
    overview 79
    translating 1287
    troubleshooting localization 1289
SPOC administrators
    creating 1208
    modifying a user policy for SPOC administrators 1207
SPOC CA
    configuring 1157
    configuring Security Manager 1154
    configuring the SPOC CA certificate 1157
    installing 1153
    installing Security Manager 1154
    post-configuration steps 1160
    publishing CRLs to the Web server 1157
SPOC Client
    configuring authentication to a directory without anonymous access 1201
SPOC Client credentials 1172
    creating a profile 1173
    creating a user entry 1172
    updating profile keys 1174
SPOC Domestic Web Service
    configuring authentication to a directory without anonymous access 1205
    creating SPOC Domestic Web Service profiles 921
    overview 80
    updating SPOC Domestic Web Service profile keys 923
    URL 1200
SPOC Domestic Web Service credentials
    creating a profile 922
    creating a user entry 921
    updating profile keys 923
SPOC DVCKM Client
    configuring authentication to a directory without anonymous access 1409
    profile 1224
SPOC DVCKM Client credentials 1224
    creating a profile 1225
    creating a user entry 1224
    updating profile keys 1226
SPOC Server
    configuring authentication to a directory without anonymous access 1203
SPOC Server credentials 1169
    creating a profile 1171
    creating a user entry 1169
    updating profile keys 1171
SPOC services
    configuring 1213
    configuring logs 1214
    deploying 1161
    installing 1178
    SPOC Client credentials 1172
    SPOC Server credentials 1169
    updating SPOC Client profile keys 1174
    updating SPOC Server profile keys 1171
SPOC Web Service 79
SPOC WSDL URL 1199
SSL
    configuring on Apache HTTP Server 201
    configuring on Apache Tomcat 199
    enabling 910, 1307
    testing 911, 1308
support
    customer support 45
    technical support 45
suspending
    CVCAs 1541
    DVs 1076
    foreign CVCAs 1035
    Inspection Systems 1607
synchronizing time settings 307, 387, 470, 740, 913, 1164, 1310, 1381, 1413
system components
    BAC 53
    EAC 78

T
technical support 45
testing
    CVCA Administration 984
    DV Administration 1377

    NPKD Administration 543
    SSL-enabled Web server 911, 1308
    Web server 468
Tomcat. See Apache Tomcat
training 46
translating
    CVCA Administration 1126
    DV Administration 1649
    email notification templates 729, 1129, 1652
    JSP pages 1129, 1652
    MLS Administration 885
    NPKD Administration 726
    SPOC Administration 1287
troubleshooting
    broken JavaScript code 729, 887, 1130, 1289, 1653
    HTML entities referenced by name 729, 887, 1130, 1289, 1653
    localization in CVCA Administration 1129
    localization in DV Administration 1652
    localization in MLS Administration 887
    localization in NPKD Administration 729
    localization in SPOC Administration 1289
    tips 281
    translating email notification templates 729, 1129, 1652
    Verification Server 278
    Web browsers cannot display some locale names 887, 1130, 1289, 1653
trust anchor
    adding from foreign master lists 844
    see also CSCA certificates
trust anchors
    exporting from the National PKD 663
    importing into the National PKD 684
    listing in the National PKD 655
    managing in the National PKD 655
    removing from the National PKD 666
    viewing assurance level details in the National PKD 660
    viewing detailed information in the National PKD 657
typographic conventions 41

U
UAL file 1706
updating
    CA certificate 133
    CA keys 133
    CSCA certificate 153
    CSCA keys 153
    CVCA Administration online help application title 1116
    CVCA Administration online help browser title 1115
    CVCA Administration Server profile keys 917
    CVCA Administration XAP profile keys 920
    CVCA key pair 1030
    DV Administration online help application title 1640
    DV Administration online help browser title 1640
    DV Administration Server profile keys 1314
    DV Administration XAP profile keys 1317
    DV Web Service profile keys 1417
    DVCKM profile keys 1384
    Master List Client profile keys 746
    Master List Server profile keys 743
    Master List Signer profile keys 151
    NPKD Server profile keys 475
    PKD Reader Client profile keys 393, 478
    PKD Reader Server profile keys 390
    PKD Writer Client profile keys 314
    PKD Writer Server profile keys 310
    SPOC Client profile keys 1174
    SPOC Domestic Web Service profile keys 923
    SPOC DVCKM Client profile keys 1226
    SPOC Server profile keys 1171
uploading the active domestic master list to the ICAO PKD 819
URL
    DV Web Service 1443
    SPOC Domestic Web Service 1200
    SPOC WSDL 1199
user 1706
user policy
    creating for CVCA administrators 974
    creating for DV administrators 1368
    creating for NPKD administrators 535
    modifying for CVCA administrators 974
    modifying for DV administrators 1368
    modifying for Master List Signer administrators 776
    modifying for NPKD administrators 535
    modifying for SPOC administrators 1207
using
    Signature Delivery Service 211

V
validation strings 86, 1706
verification public key 1706
Verification Server 61

    accessing 275
    adding a user for Verification Server 189
    Apache Tomcat security 197
    application server 62
    changing digital ID passwords 274
    changing profile passwords 274
    configuring 186
    configuring for auditing 266
    configuring the entrust.ini file 186
    creating a profile for secure logging 265
    creating a user for audit logging 264
    creating Server Login credentials 191
    creating Server Login credentials for secure logging 265
    customizing the log files 278
    Digital Signature problems 283
    Digital Signature Service 61
    enabling the Digital Signature service 189
    entrust-configuration.xml 287
    error logging 278
    features and benefits 61
    HSM problems 282
    log file entries 280
    log file header 280
    logging Digital Signature requests 281
    logging levels 279
    login problems 281
    overview 56
    protecting the Digital Signature service 198
    recovering profiles 272
    revoking a service certificate 274
    secure logging 264
    securing access to the Digital Signature Service 197
    troubleshooting 278
    troubleshooting tips 281
    verifying secure audit log files 269
    viewing secure audit log files 269
    Web server 62
verifying
    secure audit log files 269
viewing
    active domestic master list 812
    archived domestic master lists 821
    assurance level details about a CRL in the National PKD 631
    assurance level details about a CSCA certificate in the National PKD 660
    assurance level details about a Document Signer certificate in the National PKD 617
    assurance level details about a master list in the National PKD 644
    assurance level details about a trust anchor in the National PKD 660
    current CVCA signing key 1026
    current DV signing keys 1589
    CVCA certificates 1550
    CVCA holder identity 1015
    CVCAs 1534
    detailed information about a country in the National PKD 596
    detailed information about a CRL in the National PKD 627
    detailed information about a CSCA certificate in the National PKD 657
    detailed information about a Document Signer certificate in the National PKD 613
    detailed information about a master list in the National PKD 641
    detailed information about a trust anchor in the National PKD 657
    domestic CVCA certificates 1017
    domestic CVCA holder identity 1528
    DV certificate requests 1571
    DV certificates 1096, 1581
    DV holder identity 1527
    DVs 1066
    foreign CVCA certificates 1047
    foreign CVCAs 1033
    foreign master lists 832
    foreign SPOCs 1231
    inbound requests 1258
    Inspection System certificates 1619
    Inspection Systems 1598
    outbound requests 1249
    secure audit log files 269
    status of PKD Reader 693

W
Web browser
    cannot display some locale names 887, 1130, 1289, 1653
    customizing the CVCA Administration browser title 1111
    customizing the DV Administration browser title 1635
    customizing the MLS Administration browser title 877

    customizing the NPKD Administration browser title 717
    customizing the SPOC Administration browser title 1279
Web server
    adding CA certificates to Apache HTTP Server for CVCA Administration 967
    adding CA certificates to Apache HTTP Server for DV Administration 1361
    adding CA certificates to Apache HTTP Server for the NPKD services 532
    assigning SSL certificates to a CVCA Administration Web site in Microsoft IIS 957
    assigning SSL certificates to a DV Administration Web site in Microsoft IIS 1351
    assigning SSL certificates to the CVCA Administration VirtualHost in Apache HTTP Server 964
    assigning SSL certificates to the DV Administration VirtualHost in Apache HTTP Server 1358
    assigning SSL certificates to the NPKD services VirtualHosts in Apache HTTP Server 529
    assigning SSL certificates to the NPKD Web site in Microsoft IIS 519, 522
    completing Apache HTTP Server configuration for CVCA Administration 964
    completing Apache HTTP Server configuration for DV Administration 1358
    completing Apache HTTP Server configuration for the NPKD services 529
    completing Microsoft IIS configuration for CVCA Administration 957
    completing Microsoft IIS configuration for DV Administration 1351
    completing Microsoft IIS configuration for the NPKD services 519
    component of Verification Server 62
    configuring the VirtualHost directive on Apache HTTP Server 469, 912, 1309
    enabling SSL 467, 910, 1307
    installing CA certificates in Microsoft IIS for CVCA Administration 960
    installing CA certificates in Microsoft IIS for DV Administration 1354
    installing CA certificates in Microsoft IIS for the NPKD services 524
    installing the Web server 467, 910, 1307
    Microsoft IIS features required for Administration Services 468
    testing 911, 1308
    testing the Web server 468
Web service 1706
writing profiles to an HSM using Offline Token Creation Utility 260
WSDL 1706

X
X.509 1706
XAP message signing algorithm
    configuring for DV Web Service 1506
    configuring for DVCKM 1489
XML 1706
