User Certificate Tasks


Creating User Certificates

This task is described in Chapter 2. See Create a User Certificate.


Creating User Certificates in Bulk

This feature allows you to create user certificates for multiple users at the same time using one sequence of operations.

NOTE:  In order for the user certificates to be created, each User object must have an e-mail address listed in the User object properties.

  1. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Creating user certificates.

  2. In ConsoleOne, select multiple User objects or select the container that the User objects reside in.

  3. Click File > Properties of Multiple Objects.

    If you selected a container that contains eDirectory objects other than User objects, you are prompted to select an Object class. Select the User object class, then click OK.

    You can change the list by using the Add or Remove buttons on this page. You can add users from other containers by using the Add button.

  4. Click the Security tab > Certificates.

  5. Click Create.

    This launches the certificate creation wizard, which will guide you through the creation process. For specific information on the wizard pages, click Help.


Importing a Public Key Certificate into a User Object

You can import any public key certificate into a user object (for example, a certificate signed by a third-party Certificate Authority). Once imported, the certificate is stored in the User object and appears on the list of certificates available.

  1. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Importing a public key certificate into a User object.

  2. Start ConsoleOne.

  3. Double-click the User object that you want to host the imported certificate.

  4. Click the Security tab > Certificates.

  5. Click Import.

  6. Enter a nickname for the user certificate.

    The nickname should be unique and should help you identify the certificate. You can enter up to 64 characters in the Certificate Nickname field.

  7. Select the certificate to import.

  8. Click Finish.

    This stores the certificate in the User object, and the certificate appears on the list of certificates available to this user.

NOTE:  Private keys cannot be imported to the User object.


Viewing a User Certificate's Properties

In addition to the eDirectory rights and properties that are viewable with any eDirectory object, you can also view properties specific to the user certificate, including the issuer, the certificate status, the private key status, and the validation period.

These properties provide you with the information you need to perform any task related to this object.

  1. Log in to the eDirectory tree as the user who owns the user certificate or as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Viewing a user certificate's properties.

  2. Start ConsoleOne.

  3. Double-click the User object that hosts the user certificate.

    This brings up the property pages for the User object.

  4. Click the Security tab > Certificates.

  5. Click a certificate to view its properties.

  6. Click Close, then click Cancel.


Exporting a User Certificate Using ConsoleOne

In order to exchange secure e-mail with another person, you must first have the other person's public key certificate. One way of obtaining that certificate is to export it using ConsoleOne. The other person's certificate can also be obtained using LDAP or e-mail.

To export your own or any other user's public key certificate:

  1. Log in to the eDirectory tree as a user with the appropriate rights.

    To view the appropriate rights for this task, see Exporting a user certificate using ConsoleOne.

  2. Start ConsoleOne.

  3. Double-click the User object that hosts the user certificate.

  4. Click Security > Certificates tab.

  5. Click the user certificate that you want to export.

  6. Click Export.

    This opens a wizard that helps you export the user certificate to a file. If you are not logged in as the user that owns the certificate, you will not be able to export the private key. If you are logged in as that user, you will be asked whether to export the private key as well; select No. See Exporting a User Certificate and Private Key Using ConsoleOne.


Exporting a User Certificate and Private Key Using ConsoleOne

In order to use a certificate for secure e-mail, authentication, or encryption, you must export both the private key and the certificate. Knowing the private key proves that you are the person indicated in the certificate.

The private keys in a user's object belong to that user. Only that user can export the private key. No other user, not even the network administrator, has rights to export another user's private key.

To export your own private key and certificate:

  1. Log in to the eDirectory tree as the user who owns the certificate.

    To view the appropriate rights for this task, see Exporting a user's private key and certificate using ConsoleOne.

  2. Start ConsoleOne.

  3. Double-click the User object that hosts the user certificate.

  4. Click the Security tab > Certificates.

  5. Click the user certificate that you want to export.

  6. Click Export.

    This opens a wizard that helps you export the user certificate to a file. If you are not logged in as the user who owns the certificate, you will not be able to export the private key. If you are logged in as that user, you will be asked whether to export the private key as well. Select Yes.

  7. Select the filename and the location for the backup file.

  8. Specify a password with 6 or more alphanumeric characters to use in encrypting the PFX file.

  9. Click Next.

  10. Click Finish.

    The encrypted file is written to the location specified. It is now ready to be imported into a cryptography-enabled application.

IMPORTANT:  The exported file can be kept to provide a backup. If so, it should be stored in a secure place. The password used to encrypt the file should be committed to memory or stored in a safe place to ensure that it is available when needed, but inaccessible to others.


Deleting a User Certificate and Private Key

If a user certificate has become invalid or you suspect the private key has been compromised in some way, you might need to delete the user certificate and private key.

  1. Log in to the eDirectory tree as the user who owns the user certificate or as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Deleting a user certificate and private key.

  2. Start ConsoleOne.

  3. Double-click the User object that hosts the user certificate. This brings up the property pages for the User object.

  4. Click the Security tab > Certificates.

  5. Click the certificate you want to delete.

  6. Click Delete.

  7. Click Yes to verify that you want to delete the user certificate and private key.

  8. Click Cancel.


Validating a User Certificate

If you suspect a problem with a certificate or think that it might no longer be valid, you can easily validate the certificate using ConsoleOne. Any certificate in the eDirectory tree can be validated, including certificates issued by external CAs.

The certificate validation process includes several checks of the data in the certificate as well as the data in the certificate chain. A certificate chain is composed of a root CA certificate and, optionally, the certificates of one or more intermediate CAs. The certificate chain for a certificate signed by your Organizational CA is composed of one certificate, which is the Organizational CA's self-signed certificate. Externally signed user and server certificates might have longer chains.

A result of Valid means that all certificates in the certificate chain were found to be valid. Certificates are considered valid if they pass a predefined set of criteria including whether the current time is within the validity period of the certificate, whether it has not been revoked, and whether it has been signed by a CA that is trusted. Only those certificates with a CRL distribution point extension are checked for revocation.

A result of Invalid means that one or more certificates in the certificate chain were found to be invalid or their validity could not be determined. Additional information is provided in these cases about which certificate is considered invalid and why. Click Help for more information about the reason.

To validate a certificate:

  1. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Validating User Certificates.

  2. Start ConsoleOne.

  3. Double-click the User object that hosts the certificate you want to validate.

  4. Click Security > Certificates tab.

  5. Select the User certificate you want to validate.

  6. Click Validate.

    The Certificate Validation screen appears, providing the status of the certificate.

  7. Click OK to exit.

NOTE:  If the user certificate was signed by a third-party CA, the certificate chain must be in the Trusted Roots container in the Security container for the validation to succeed. Typically, the certificate chain consists of a single, root-level CA or it consists of an Intermediate CA and a root-level CA. The name of the Trusted Roots container must be Trusted Roots and each certificate in the chain must be stored in its own Trusted Root object. For instructions on how to create a Trusted Roots container and Trusted Root objects, see Creating a Trusted Root Container and Creating a Trusted Root Object.

When validating user certificates or intermediate CA certificates signed by external CAs, the external CA's certificate must be stored in a Trusted Root object in order for the certificate validation to be successful. The Trusted Root object must be in a Trusted Root Container named Trusted Roots and it must be located in the Security container.
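Added example, not part of this documentation: the openssl command-line equivalents of what the export wizard writes (the password-encrypted PFX file of Exporting a User Certificate and Private Key Using ConsoleOne, above) and of what the Validate action checks (validity period, signature, trusted root, and whether a CRL distribution point is present for revocation checking). It assumes the openssl binary is installed; the Organizational CA is stood in for by a self-signed certificate built here, and every subject name, file path and password is constructed.

```shell
# Added example: openssl equivalents of the ConsoleOne Export and Validate
# actions on a throwaway PKI. All names, paths and passwords are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Stand-in for the Organizational CA: one self-signed certificate, so the
# chain of the user certificate it signs has exactly one element.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=Example/CN=Organizational CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example/CN=jdoe" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/user.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/user.pem" 2>/dev/null
}

# Export step 8: certificate plus private key in a password-encrypted PFX
# (PKCS#12) file, the format the wizard writes.
export_pfx() {  # $1 = password
  openssl pkcs12 -export -in "$WORK/user.pem" -inkey "$WORK/user.key" \
    -out "$WORK/user.pfx" -passout "pass:$1" 2>/dev/null
}

# Succeeds only if the password opens the PFX and a private key is inside;
# run this on the backup copy before you rely on it.
pfx_has_private_key() {  # $1 = password
  openssl pkcs12 -in "$WORK/user.pfx" -passin "pass:$1" -nocerts -nodes \
    2>/dev/null | grep -q 'PRIVATE KEY'
}

# The Validate action: validity period, signature and a trusted root.
# $1 = file holding the trusted root(s), $2 = certificate under test.
validate_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Revocation is only checked when a CRL distribution point is present.
has_crl_dp() {  # $1 = certificate file
  openssl x509 -in "$1" -noout -text | grep -q 'CRL Distribution Points'
}

if [ "${1:-}" = "demo" ]; then
  make_test_pki; export_pfx 'Tr0ub4dor-2024'
  pfx_has_private_key 'Tr0ub4dor-2024' && echo "PFX opens with its password"
  validate_chain "$WORK/ca.pem" "$WORK/user.pem" && echo "user.pem: Valid"
  validate_chain /dev/null "$WORK/user.pem" || echo "no trusted root: Invalid"
fi
```

Run it as `sh script.sh demo`; the last line shows the failure mode of the NOTE above, a certificate whose root is not among the trusted roots.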


