Configure the Entrust Certificate Authority

Establish a preload session

You can use an OCS or Softcard to establish connection with the HSM. Before installing Certificate Authority, you must preload the OCS or Softcard that is used to protect the Entrust keys. If you are using a K-of-N OCS, this section assumes the OCS has been created. Refer to your Security World User Guide on how to create an OCS or Softcard. You must decide which method you will use for the connection before proceeding.

To initialize Certificate Authority, the OCS or Softcard has to be preloaded.

  1. Edit the cknfastrc environment variables. The cknfastrc file can be found in %NFAST_HOME%\cknfastrc. Edit the file to include:

    # Softcard
    CKNFAST_LOADSHARING=1
    
    # Enable Module Protection
    CKNFAST_FAKE_ACCELERATOR_LOGIN=1
    
    # Other variables
    CKNFAST_NO_UNWRAP=1
    CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none
    
    # Preload file location
    NFAST_NFKM_TOKENSFILE=C:\preload\<filename>
    
    # PKCS #11 log level and file location
    CKNFAST_DEBUG=10
    CKNFAST_DEBUGFILE=C:\preload\pkcs11.log

    Useful information about environment variables:

    • The filename in this line: 'NFAST_NFKM_TOKENSFILE=C:\preload\<filename>' is user defined and will be referenced in the preload command. For example, %NFAST_HOME%\Bin>preload -c <OCS Name> -f <pathname to preload file and filename> pause.

    • When using a K-of-N Card Set where K>1, set CKNFAST_LOADSHARING=0. When using a K-of-N Card Set where K=1, set CKNFAST_LOADSHARING=1. This also applies to when using Softcards.

    • For Enhanced Database Protection (EDP) use CKNFAST_LOADSHARING=0 after enabling the database hardware protection. Restart the system for load sharing to work.

    • When you are using nShield with ePassport CVCA, use CKNFAST_ASSUME_SINGLE_PROCESS=0. If ePassport Document Verifier Certificate requests are canceled, this setting ensures that the associated physical key is deleted in the HSM. For information on environment variables, see the User Guide for the HSM.

    For more information about the environment variables used in cknfastrc, see the nShield PKCS11 library environment variables section in the User Guide for the HSM.

  2. Create an empty folder called Preload on drive C:.

  3. Right-click Command Prompt, select Run as administrator, and navigate to %NFAST_HOME%\bin.

  4. Run the following command to list the OCS:

    • For K-of-N OCS:

      % nfkminfo.exe -c
    • For Softcard:

      % nfkminfo.exe -s
  5. Open a command window to run preload exclusively.

    Do not close this window throughout the Entrust Certificate Authority configuration. Otherwise the configuration will fail.
  6. Preload the Card Set by running the preload -c command for OCS, or preload -s command for Softcard.

    # preload -<c/s> <OCS/Softcard> -f <location of user defined file in cknfastrc> pause

    Present the OCS cards and passphrase when prompted.

    For example:

    % preload -c testOCS -f C:\preload\entrustsmtoken pause
    2024-10-09 19:10:02: [6352]: INFO: Preload running with: -c testOCS -f C:\preload\entrustsmtoken pause
    2024-10-09 19:10:02: [6352]: INFO: Created a (new) connection to Hardserver
    2024-10-09 19:10:02: [6352]: INFO: Modules newly usable: [1].
    2024-10-09 19:10:02: [6352]: INFO: Found a change in the system: an update pass is needed.
    2024-10-09 19:10:02: [6352]: INFO: Loading cardset: testOCS in modules: [1]
    
    Loading `testOCS':
     Module 1 slot 3: `testOCS' #2
     Module 1 slot 0: empty
     Module 1 slot 2: empty
     Module 1 slot 4: empty
     Module 1 slot 5: empty
     Module 1 slot 3:- passphrase supplied - reading card
    Card reading complete.
    
    2024-10-09 19:10:15: [6352]: INFO: Stored Admin key: kfips (003e...) in module #1
    2024-10-09 19:10:15: [6352]: INFO: Loading cardset: Cardset: testOCS (edb3...) in module: 1
    2024-10-09 19:10:15: [6352]: INFO: Stored Cardset: testOCS (edb3...) in module #1
    2024-10-09 19:10:15: [6352]: INFO: Maintaining the cardset testOCS protected key(s)=['pkcs11:ucedb3d45a28e5a6b22b033684ce589d9e198272c2-f40e2f7b44bdcbf04d449e254de978d017a81b2c'].
    2024-10-09 19:10:15: [6352]: INFO: The private/symmetric key pkcs11/ucedb3d45a28e5a6b22b033684ce589d9e198272c2-f40e2f7b44bdcbf04d449e254de978d017a81b2c is loaded in module(s): [1].
    2024-10-09 19:10:15: [6352]: INFO: Loading complete. Now pausing...
    If non-persistent cards are used, then the last card in the quorum must remain inserted in the card reader. If persistent cards are used, then the last card in the quorum can be removed from the card reader.
    The filename is user defined but must be consistent between the variable set in cknfastrc and the path passed to preload. For example:

    A variable set in cknfastrc: NFAST_NFKM_TOKENSFILE=C:\Preload\filename

    A variable invoked with preload: >preload.exe -c ocsname -f "C:\Preload\filename" pause

    Both should use the path to the same user defined file, initially defined in cknfastrc.
  7. Confirm the OCS or Softcard has been preloaded by opening a separate command window and running the following command. You must keep the preload command window active. You can minimize it, but do not close it, otherwise you will shut down the session. The loaded objects will be reported.

    • For K-of-N OCS:

      % preload.exe -c <cardsetname> -f <pathname>\<filename> nfkminfo
    • For Softcard:

      % preload -s <softcardname> -f <pathname>\<filename> nfkminfo

    For example:

    % preload.exe -c testOCS -f C:\preload\entrustsmtoken nfkminfo
    
    ...
    
    Pre-Loaded Objects (  3):  objecthash   module objectid  generation
     003e04e3c07fb5791f651c992da5527779159f87   1 0x5b2a083c 1
     edb3d45a28e5a6b22b033684ce589d9e198272c2   1 0x5b2a0839 1
     744bff70468d7ec74162d859447a4b15c3554ed6   1 0x5b2a083a 1

Useful information concerning Operator Card Sets (OCS):

  • You must present sufficient different OCS cards to fulfill the quorum. The passphrase (if any) can be different for each OCS card.

  • If non-persistent cards are used, then the last card in the quorum must remain inserted in the card reader.

  • If persistent cards are used, then the last card in the quorum can be removed from the card reader.

  • The tokens file is generated by the preload utility and is valid for one continuous session only. If the session is lost, then the token authorization is lost. You cannot reuse the same token file once the session is lost, even if you will use the exact same OCS cards again. To restart, you must delete the expired tokens file, and will have to go through the entire preload sequence again.

  • A session, and its token authorization, may be lost if:

    • There is a temporary power failure

    • You remove the last card in the quorum if they are non-persistent OCS cards

    • You clear the module.

The tokens file represents a security risk if permissions to access it are not restricted to authorized persons only.
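The consistency rules above (CKNFAST_LOADSHARING depends on K, and the -f path given to preload must name the same file as NFAST_NFKM_TOKENSFILE in cknfastrc) can be checked before the preload window is opened. The following Python script is an added example, not part of this guide or of the nShield tools; the sample cknfastrc and the command lines it checks are constructed.

```python
import re

# Fixed settings the guide puts in cknfastrc; CKNFAST_LOADSHARING is checked
# separately because the right value depends on the OCS quorum.
EXPECTED_FIXED = {
    "CKNFAST_FAKE_ACCELERATOR_LOGIN": "1",
    "CKNFAST_NO_UNWRAP": "1",
    "CKNFAST_OVERRIDE_SECURITY_ASSURANCES": "none",
}

# Constructed sample cknfastrc, modelled on the one in the guide.
SAMPLE_CKNFASTRC = r"""
# Softcard
CKNFAST_LOADSHARING=1
CKNFAST_FAKE_ACCELERATOR_LOGIN=1
CKNFAST_NO_UNWRAP=1
CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none
# Preload file location
NFAST_NFKM_TOKENSFILE=C:\preload\entrustsmtoken
"""

def parse_cknfastrc(text):
    # KEY=VALUE lines; blank lines and '#' comments are ignored.
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def preload_tokens_path(cmdline):
    # The -f argument of a preload command line, with surrounding quotes removed.
    m = re.search(r'-f\s+(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else ""

def check_preload_setup(rc_text, preload_cmd, quorum_k):
    # Returns a list of problems; empty means cknfastrc and the preload
    # command agree. quorum_k is K of the K-of-N OCS (use 1 for a Softcard).
    env = parse_cknfastrc(rc_text)
    problems = []
    # Guide rule: K>1 needs CKNFAST_LOADSHARING=0; K=1 and Softcards need 1.
    want = "0" if quorum_k > 1 else "1"
    if env.get("CKNFAST_LOADSHARING") != want:
        problems.append(f"CKNFAST_LOADSHARING must be {want} for K={quorum_k}")
    for key, value in EXPECTED_FIXED.items():
        if env.get(key) != value:
            problems.append(f"{key} should be {value}")
    tokens = env.get("NFAST_NFKM_TOKENSFILE", "")
    if not tokens or "<" in tokens:
        problems.append("NFAST_NFKM_TOKENSFILE is unset or still a placeholder")
    # Windows paths are case-insensitive (C:\Preload vs C:\preload both fine).
    elif tokens.lower() != preload_tokens_path(preload_cmd).lower():
        problems.append("preload -f path differs from NFAST_NFKM_TOKENSFILE")
    return problems
```

Run check_preload_setup with the real cknfastrc contents, the exact preload command you intend to type, and your K; an empty list means the two agree.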

nShield Edge pre-configuration

If you are using an nShield Edge device, adjust the Certificate Authority .ini settings so that the timeouts are long enough for the system to initialize properly. The nShield Edge has slower service startup times, which is expected, so set the timeout values in the .ini file accordingly.

Navigate to the ini directory:

  • By default: C:\Program Files\Entrust\Certificate Authority\etc\ini\entMgr.ini

  • Edit the entMgr.ini file in the [login] section and add these settings:

    serviceStartStopWaitSeconds=3600
    clusterStartWaitSeconds=1800
    clusterStopWaitSeconds=300
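An added example (not part of this guide or of the Entrust product) that applies these [login] values to an entMgr.ini without duplicating keys that are already present, so it can be run again safely; the sample ini content is constructed.

```python
# The three [login] values the guide adds to entMgr.ini for an nShield Edge.
EDGE_TIMEOUTS = {
    "serviceStartStopWaitSeconds": "3600",
    "clusterStartWaitSeconds": "1800",
    "clusterStopWaitSeconds": "300",
}

# Constructed sample; a real entMgr.ini has many more sections and keys.
SAMPLE_ENTMGR_INI = (
    "[general]\nlogLevel=1\n\n"
    "[login]\nuser=entrust\nclusterStopWaitSeconds=60\n\n"
    "[other]\nx=2\n"
)

def _append_missing(out, settings, seen):
    # Add the settings not yet seen, keeping blank separator lines after them.
    tail = []
    while out and out[-1].strip() == "":
        tail.append(out.pop())
    out.extend(f"{k}={v}" for k, v in settings.items() if k not in seen)
    out.extend(tail)

def set_ini_keys(text, section, settings):
    # Set key=value pairs in one [section] of an INI file: existing keys are
    # updated in place, missing ones are appended to the section, and the
    # section is created at the end if absent. Running it twice changes nothing.
    out, seen, in_section, found = [], set(), False, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            if in_section:
                _append_missing(out, settings, seen)
            in_section = s[1:-1].strip().lower() == section.lower()
            found = found or in_section
        elif in_section and "=" in s and not s.startswith((";", "#")):
            key = s.split("=", 1)[0].strip()
            if key in settings:
                seen.add(key)
                line = f"{key}={settings[key]}"
        out.append(line)
    if in_section:
        _append_missing(out, settings, seen)
    elif not found:
        if out and out[-1].strip():
            out.append("")
        out.append(f"[{section}]")
        _append_missing(out, settings, seen)
    return "\n".join(out) + "\n"
```

Read the real file, pass its text to set_ini_keys(text, "login", EDGE_TIMEOUTS), and write the result back after reviewing the diff.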

Configure the Entrust Certificate Authority

This section describes how to configure Entrust Certificate Authority. You can configure Certificate Authority immediately after you install it. You must configure Certificate Authority before you can initialize it. (Initializing Certificate Authority allows you to use Certificate Authority).

When you configure Certificate Authority:

  • You provide data that allows Certificate Authority to connect to your directory and the Certificate Authority database.

  • You then choose certificate algorithms, lifetimes, and other options for your Certification Authority.

You can only configure Certificate Authority once. If you make a mistake configuring Certificate Authority, you can change some of the settings by editing the entmgr.ini file, or you can uninstall Certificate Authority, then reinstall and configure it.

To configure Certificate Authority:

  1. Navigate to the Certificate Authority \bin directory.

    By default, this is: C:\Program Files\Entrust\Certificate Authority\bin.

  2. Double-click entConfig.exe.

    The Database Deployment Model dialog appears.

  3. Select Yes.

  4. In the Entrust Certificate Authority Configuration dialog, select Next.

    The Certificate Authority License Information dialog appears.

  5. Enter the Enterprise licensing information that appears on your Entrust licensing card:

    • Serial Number

    • Enterprise user limit

    • Enterprise licensing code

  6. Select Next.

    The Certificate Authority Data and Backup Locations dialog appears.

  7. Accept the defaults:

    • For the data files, the default is c:\authdata.

    • For the backup files, the default is c:\entbackup.

  8. Select Next.

    The Directory Node and Port dialog appears.

  9. Enter the required details:

    • Select the type of directory that the Certificate Authority will use, for example: LDAP Directory.

    • Enter the Directory node name (server name or IP address) of your directory services server.

    • Set the Directory listen port to 389.

  10. Select Next.

    The CA Distinguished Name and Password dialog appears.

  11. Enter the CA DN and CA Directory access password, which you provided when you were configuring the Directory Services for use with Certificate Authority, see Install the Entrust Certificate Authority.

  12. Select Test Bind Information.

    • If the bind is successful, select OK.

    • If the bind is unsuccessful, ensure that the server name or IP address is correct and that Directory Services is running, then retest using the following information:

      • Set CA DN to o=CA<name>.

      • Enter the CA Directory access password.

  13. Select Next.

    The Directory Administrator Distinguished Name and Password dialog appears.

  14. Enter the distinguished name and password details:

    • Enter the Directory administrator DN as cn=diradmin,ou=CA,o=Entrust.

    • Enter the Directory access password.

  15. Select Test Bind Information.

    • If the bind is successful, select OK.

    • If the bind is unsuccessful, ensure that the server name or IP address is correct and that Directory Services is running, then retest using the following information:

      • Set Directory administrator DN to cn=<manager>.

      • Enter the Directory access password.

  16. Select Next.

    The Advanced Directory Attributes dialog appears. This displays the distinguished name for the First Officer.

  17. Verify the information for the First Officer is correct. This should follow the cn=First Officer, o=CA<name> general format.

  18. Select Next.

    The Verify Directory Information dialog appears.

  19. Select Verify Directory information now, then select Next.

    The ENTDVT Logfile page appears.

    The Entrust Directory Verification Tool (EntDVT) verifies the settings. The Summary section at the bottom of the dialog should report no errors.

    If there are errors in the results, address them in your directory services setup before proceeding.
  20. Select Next.

    The Current User’s Windows Login Password dialog appears.

  21. Log in with your Windows credentials.

  22. Clear the Enable autologin for automatic service startup checkbox.

  23. Select Next.

    The Database User and Password dialog appears.

  24. Enter the password that was assigned to easm_entrust when you installed the PostgreSQL Server, see Install the Entrust Certificate Authority, then select Next.

    The Database User and Password dialog appears.

  25. Enter the password that was assigned to the backup user when you installed the PostgreSQL Server, see Install the Entrust Certificate Authority, then select Next.

    The Certificate Authority Port Configuration dialog appears.

  26. Accept the defaults, then select Next.

    The CA Type dialog appears.

  27. Choose the default Root CA option, ensure that the Root CA used as Single Point of Contact CA (SPOC) box remains unchecked, and then select Next.

    The Cryptographic Information dialog appears.

  28. Select the Certification Authority Key Generation tab, select Use hardware, then select Next.

  29. On the CA Key Type tab, which defines the CA key pair type and parameters, accept the defaults, then select Next.

  30. On the Database tab, which defines the database encryption algorithm, accept the default, then select Next.

  31. On the User Signing Key Type tab, which defines the key pair type and parameters for user signing keys, accept the defaults, then select Next.

  32. On the User Encryption Key Type tab, which defines the key pair type and parameters for user encryption keys, accept the defaults, then select Next.

  33. On the CA Signing Algorithm Type tab, accept the default, then select Next.

  34. On the Policy Certificate tab, which defines the lifetime of the Entrust policy certificate, accept the default, then select Next.

    For this integration to work with EC-P and RSAPSS, the ECC activation feature must be enabled for the nShield HSM. In the %NFAST_HOME%\bin directory, run FET.exe.

    The No Hardware Device Found dialog appears.

  35. Select Ok.

    A file explorer opens.

  36. To select the nShield PKCS11 library, navigate to and select %NFAST_HOME%\toolkits\pkcs11\cknfast.dll.

    You can confirm this location by opening the entmgr.ini file located in the Entrust directory and looking for the CryptokiV2LibraryNT = C:\Program Files\nCipher\nfast\toolkits\pkcs11\cknfast.dll entry.
  37. In the Use This Hardware dialog, select the HSM slot, then select Next.

  38. In the CRL Configuration dialog, select No, do not work with Microsoft Windows applications, then select Next.

  39. In the CRL Distribution Point dialog, accept the defaults, then select Next.

  40. In the CA Certificate Properties dialog, accept the default of 120 months for the CA certificate lifetime and 100% for the private key usage period, then select Next.

    Consult your organization's security policy for recommendations on the CA lifetime.

    The CRL Share Warning dialog appears.

  41. Select OK.

    The Configuration Complete dialog appears.

  42. To initialize the CA, select Run Certificate Authority Command Shell now, and then select OK.

    The Certificate Authority Control Command Shell (entsh) launches, and starts the CA initialization process.

    You will have the option to initialize the CA later by running the init command from the entsh command window.
  43. Provide the password for the HSM PKCS11 user that you created when you installed and initialized the HSM using the tools provided by the HSM.

  44. Enter and confirm passwords for all Master users and the First Officer. These are required later during testing. For example:

    Starting First-Time Initialization...
    
    A Hardware Security Module (HSM) will be used for the CA key:
        nCipher Corp. Ltd  SN : edb3d45a28e5a6b2
        The HSM requires a password.
    
    Enter password for CA hardware security module (HSM):
    Enter new password for Master1:
    Confirm new password for Master1:
    Enter new password for Master2:
    Confirm new password for Master2:
    Enter new password for Master3:
    Confirm new password for Master3:
    Enter new password for First Officer:
    Confirm new password for First Officer:
    
    Initialization starting; creating ca keys...
    Initialization complete.
    Starting the services...
    Creating CA profile...
    Creating First Officer profile...
    You are logged in to Entrust Certificate Authority Control Command Shell.
    Performing database backup...
    SUCCESS: Full backup completed successfully.
    Press return to exit
  45. Close any open windows or dialogs.