Trust Center

A Trust Center in the PKI-as-a-Service Portal is an organizational entity that enrolls users and systems, manages groups, and either interfaces with other certification services or provides its own certification capabilities.

Creating a Trust Center

You need the Subscriber role to create a Trust Center. This role is automatically granted to the first user enrolled in the system, or to any self-enrolled user if the grantSubscriberRole option is set in the configuration.

Select "Create TrustCenter" from the "Home" menu.

Create Trust Center

You can then choose a name for your Trust Center. The name must be unique within the same instance of the system. Select "Private" if you want to limit the visibility of your Trust Center to persons enrolled under this Trust Center, or "Public" if you want to provide services to any person active in the portal. You can change this setting later.

Define Trust Center

After submitting the request the Trust Center is created. Next you can add a Trust Center token.

A SmartCard-HSM added as a Trust Center token stores the cryptographic keys required for token/card management or certification services. Adding the token links the identity of the token to the Trust Center instance, so that when the token connects to the portal, the Trust Center can locate its keys.

You need to initialize the SmartCard-HSM token or card for use in the PKI-as-a-Service Portal.

Insert the designated token or card and press Add Token.

Define Trust Center

The token is identified and added to the list of Assigned Tokens. All tokens in the list are assumed to be tokens that can store keys for this Trust Center.

Token Added

You can select and remove a token from the list with Remove Token.

A click on My TrustCenter (or whatever name you chose) brings you to the TrustCenter view.

Token Overview

A click on the token path brings you back to the service request that registered this token.

Connecting the Token to the Portal

So far you have used SmartCard-HSM tokens or cards locally through the OCF web client. This type of interaction connects the token to the portal only temporarily, for a single transaction.

A Trust Center token is usually connected for longer than a single transaction, as key material may need to be online permanently.

There are two ways to connect the Trust Center token to the portal: permanently or on a case-by-case basis. To connect the token permanently, you need a designated host to which the token is attached and from which the connection to the portal is established. A typical setup is a Raspberry Pi located in your IT infrastructure that uses the RAMOverHTTP Client to connect the token to the portal.

A case-by-case connection can be established using the Smart Card Shell or the OCF Web-Client. In that approach you attach the token and use the Key Manager in the Smart Card Shell to connect to the portal. See Prepare Token for Trust Center for details.

Adding a token requires the token to be present at the workstation from which you configure the Trust Center. Once registered, you can move the token to its designated place in your infrastructure if it is to be connected to the portal permanently.

While the token is connected, the VERIFIED indicator should be visible. Reloading the page in the browser updates the status.

Token List

Troubleshooting Lost Authentications

The connection between the token and the portal is protected for integrity, authenticity and confidentiality. This ensures that only the portal has access to keys on the token. If an attacker intercepts the secure communication, the authentication state is reset to protect the keys.

Unfortunately, Windows SmartCard Plug & Play interferes with the secure connection by sending probing APDUs to the SmartCard-HSM. The SE treats these probing APDUs as attacks and resets the authentication state. Other SmartCard-aware programs (such as GnuPG or the CardOS middleware) can also interfere with the secure link and potentially reset the authentication state.

If you see a lost authentication state after a page reload, then SmartCard Plug & Play or other open programs or drivers are interfering. Disabling SmartCard Plug & Play or those programs can help. Alternatively, you can permanently connect the token from a different PC.
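As an added diagnostic, not taken from the portal documentation, the following PowerShell reports whether Smart Card Plug & Play is disabled by policy on the Windows workstation and whether GnuPG's card-handling processes are running. The registry location is the one behind the "Turn on Smart Card Plug and Play service" group policy; the process names (scdaemon, gpg-agent) are assumptions.

```powershell
# Added example: check the two interference sources named on this page.
# Assumption: policy lives under the standard ScPnP group-policy key.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScPnP'

function Get-ScPnPState {
    $item = Get-ItemProperty -Path $policyPath -Name 'EnableScPnP' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'no policy set (Windows default: enabled, will probe the SmartCard-HSM)'
    }
    if ($item.EnableScPnP -eq 0) { return 'disabled by policy' }
    return 'enabled by policy'
}

# Disables Smart Card Plug & Play via policy. Requires an elevated shell;
# a gpupdate /force or reboot applies it.
function Disable-ScPnP {
    if (-not (Test-Path $policyPath)) { New-Item -Path $policyPath -Force | Out-Null }
    Set-ItemProperty -Path $policyPath -Name 'EnableScPnP' -Value 0 -Type DWord
}

# GnuPG talks to the card through scdaemon (started by gpg-agent);
# process names are assumptions for this check.
function Get-CardAwareProcesses {
    $suspects = @('scdaemon', 'gpg-agent')
    foreach ($name in $suspects) {
        $p = Get-Process -Name $name -ErrorAction SilentlyContinue
        if ($p) { "$name (PID $($p.Id -join ', '))" }
    }
}

Write-Output "Smart Card Plug & Play: $(Get-ScPnPState)"
$running = @(Get-CardAwareProcesses)
if ($running.Count -gt 0) {
    Write-Output "Card-aware programs that may reset the token's authentication state:"
    $running | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output 'No GnuPG card-handling processes found.'
}
```

Run the check first; call Disable-ScPnP only from an elevated shell once you have confirmed the workstation has no other use for Smart Card Plug & Play.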

Permanent Token Connection

Permanently connecting the Trust Center to the portal has the advantage that Trust Center functions can be used at any time. For example, when using the EST-Server, certificates should be issued immediately. It is also useful when multiple persons interact with the portal from dispersed locations.

Even if the token is permanently connected, you can prevent misuse by logging out when the keys are not in use. See how to configure Public Key Authentication if you want to use that.