Configuring the TSS

Time Stamping Authority (TSA) keys

A Time Stamping Authority (TSA) key is used for signing time-stamps. You can either create a single TSA and use the same signature key for all time-stamps, or create multiple TSAs depending on your requirements. TSA keys are created by your organization’s Security Officer.

About multiple TSAs

TSS supports the creation of multiple TSAs. You can create multiple TSAs for:

Departments

Each department in your organization might need a different TSA.

Customers

If you are a service provider, you might want to operate a TSS for several customers. In such cases, you can create a separate TSA for each customer so that the TSA certificate name is related to the customer.

Policies

You might require different TSAs for different policies within your organization. For example, you might have policies that require different signature algorithms.

The number of TSAs that you can create depends on the NVRAM available in your nShield PCIe module.

How multiple TSAs work

RFC3161 time-stamps

The TSS uses Policy Object Identifiers (OIDs) and hash algorithms (SHA-1, SHA-256, SHA-384, and SHA-512) to determine which TSA should be used to issue the time-stamp. However, the policy OIDs need not be unique for each TSA. When you create multiple TSAs, you can assign one of them as the default TSA. You can configure each TSA to support a specific policy OID and a list of hash algorithms. When a client requests a time-stamp, the TSS checks the policy OID and the hash algorithm on the request and one of the following occurs:

  • If the request does not include an OID, it is sent to the default TSA or the first TSA that supports the hash algorithm.

  • If the request includes an OID, it is sent to the first TSA that supports the OID and the hash algorithm.

  • If the request includes an OID and none of the TSAs support the OID and the hash algorithm, the TSS returns an error.

A TSA on TSS must receive a DS/NTP audit before it can issue time-stamps. When there are multiple TSAs, each TSA is assigned to a unique port. Each TSA listens to and receives the DS/NTP audit on the specified port.

Authenticode time-stamps

Authenticode time-stamp requests do not include policy OIDs. If you intend to support Authenticode time-stamp requests, you must create a TSA that uses an Authenticode time-stamp mode key. When the client requests an Authenticode time-stamp, the TSS sends the request to this TSA.

Adding the CA certificates of an upper clock

The Upper Clock CA Cert Store holds the root CA certificate and intermediate CA certificates of upper clocks that are authorized to audit the TSS. To add the certificate you have received from your auditing service provider:

  1. Log in with the Security Officer role.

  2. Navigate to Certificate Management > Upper Clock Cert Store.
    The UC Certificate Store dialog opens.

  3. Click Add.

    Browse to locate the certificate, and click Add.

    To enable an upper clock to audit a TSA you must:

    • Add the root and intermediate CA certificates to the Upper Clock CA Cert Store

    • Add the clock to the TSA. See Configuring a TSA for more information.

  4. Log out of the TSS.

At this stage, your organization’s Network Manager can log in and configure settings so that your service provider can audit your time settings.

Adding an upper clock

This section explains how to add an upper clock and configure its settings so that it can be audited by your service provider. If you have multiple TSAs, you can configure the audit settings of each TSA. Each TSA can have a different upper clock.

  1. Log in with the Network Manager role.

  2. Navigate to TSA Management > Configuration.

    The TSA Configuration dialog opens, listing all the TSAs that exist in the TSS.

  3. Select the TSA to which you would like to add the upper clock, then click Configure.

    The TSA Configuration dialog opens.

  4. Click Add.

  5. Enter the following clock information:

    Field Enter / Select

    Upper Clock IP

    The IP address to your upper clock. The default port number is 318.

    Your audit service provider must be able to access this IP address.

    Upper Clock Port

    The default port for your upper clock.

    Audit Request Retry Delay

    How long in seconds before your service provider should wait before trying to audit your clock.

    Audit Request Max Retry

    The maximum number of audit attempts in the case of communication failure.

  6. Click Add.

    The new upper clock is added to your list.

  7. Back in the Audit Configuration dialog, click Update to save the information you have entered.

    For information on how to remove upper clocks, see Removing an upper clock.

Creating a new TSA

A TSA key is used for signing time-stamps. You can either create a single TSA to issue a single type of signature across all departments in your organization, or create multiple TSAs based on your requirements.

  1. Log in with the Security Officer role.

  2. Navigate to TSA Management > Configuration.

    The TSA Configuration dialog opens.

  3. Click Add.

    The Create a New TSA dialog opens.

  4. Enter a name for the TSA.

  5. Enter a TSA policy identifier.

    The policy OID is used to determine which TSA should sign the time-stamp request. When a time-stamp request is received, the TSS checks the policy OID and sends it to the TSA that supports the OID. It is possible to change the policy OID later. See Configuring a TSA for more information.

  6. Click Add.

  7. Click OK to confirm the details of the TSA.

    The TSA is created and the status appears as Uncertified. You can now configure the settings of the TSA. The TSA is not functional until you initiate and fulfill the certificate request.

Configuring a TSA

After you create a TSA, you can configure its settings.

The Configuration option enables you to:

  • Change time-stamp policy OIDs

  • Select the acceptable time-stamp hashes

  • Configure the port on which the TSA listens on for DS/NTP audits

  • Select the DS/NTP audit source

  • Add the root CA certificate of the upper clock that must audit the TSA.

To configure the settings:

  1. Log in with the Security Officer role.

  2. Navigate to TSA Management > Configuration.

    The TSA Configuration dialog opens, listing all the TSAs that exist in the TSS.

  3. Select the TSA that you would like to configure, then click Configure.

    The TSA Configuration dialog opens.

  4. Enter the name of the TSA in the TSA Name field.

  5. Optionally, to change the policy OID in the TSA, enter a new OID in the Acceptable Policy field.

  6. Select the time-stamp hashes that the TSA must support.

  7. Select a TST TAC encoding and binding option.

    These options determine in which part of the time-stamp token the TAC is stored. The ETSI option adds two additional signed attributes that are required by RFC3126. For more information about these options, see Time Stamp Tokens (TST) TAC encoding and binding.

  8. Select a TST option.

    For more information about TST options, see TST options.

  9. Enter a DS/NTP port number on which the TSA will receive the audit.

    This port number has to be unique for each TSA.

  10. Select an DS/NTP audit source:

    Local Audit

    If you choose this option, a Windows Administrator must log into the System console and restart the NTP Service. Also, a reference to an NTP server (on the local network) should be added to the NTP configuration file. The Local Audit setting provides time that can be traced only to the TSS host PC clock. If you select this option, we recommend that you use a good security policy with regard to the physical security of the TSS and the network connection to the NTP server. See Local Audit / NTP service.

    Upper Clock

    If you choose this option, select the upper clocks that will audit the TSA. Optionally, select the Auto-trust New Upper Clock Certificates check box — when new upper clocks are added to the Upper Clock CA Cert Store, the TSA automatically starts trusting them.

    All TSAs share a single Upper Clock CA Cert Store, which holds all the root and intermediate CA certificates of the upper clocks that are authorized to audit the TSS. When you add an upper clock to a TSA, you are essentially choosing (from the upper clock CA cert store) the ones that will audit the TSA.
  11. Click Update. The changes take effect immediately.

Initiating and fulfilling TSA certificate requests

The following sections describe the steps involved in initiating and fulfilling certificate requests.

Create an OCS before you create a TSA Key, otherwise you cannot use the TSA backup/restore feature and you will not have a backup of the key.

Creating Operator Card Sets

This section explains how to create an OCS for authorizing access to TSA keys. Creating an OCS is optional.

Card sets belong to the Security World in which they are created. When you create an OCS, the smart cards in that set can only be read by the nShield PCIe modules belonging to the same Security World. The cards cannot be read, erased, or reformatted by a module from a different Security World.

If the OCS you create is to be used to protect TSA keys that have the Disable Unattended Start-up feature enabled (see Initiating a TSA certificate request), it is important that you understand the effect of the persistence and time-out options.

By default, the TSS creates non-persistent card sets, which means that keys protected by this card set become unavailable when the last card is removed. Thus, a TSA key can be fulfilled by the TSA only while a card remains in the slot. When the card is removed, the TSS essentially becomes non-operational. Moreover, if you define a time-out when creating the OCS, the TSA key is subject to this time-out.

However, if the TSA Key does not have the Disable Unattended Start-up feature enabled, time-stamp requests can be fulfilled even after the card has been removed from the card reader, and the availability of the TSA key is not subject to a time-out.

To create an OCS:

  1. Log in with the Security Officer role.

  2. Navigate to Card Set Management > Create Card Set.

    The Create Operator Card Set dialog opens.

  3. Enter the following information to create an OCS you can use when creating a TSA key you want to be able to backup and restore:

    Field Description

    Operator Card Set name

    Enter a name for the OCS.

    Total number of cards in set (N)

    Enter the total number of cards (N) that you want to have in the OCS. This number (N) must be less than or equal to 64.

    Number of cards required for access

    Enter the number of cards (K) needed to restore the key. This number (K) must be less than or equal to the total number of cards (N).

    Card set is persistent?

    The default value for this option is 'No'.

    This means that any key protected by the OCS becomes unavailable when the last card is removed from the card reader. If you select 'Yes', the key will still be valid even after the last card has been removed.

    Card set has a timeout?

    Optionally select to enable a time-out value in seconds for the OCS. The time-out is the length of time that a card from the set can remain effective when inserted in the card reader. After the time-out is reached, the card must be re-inserted before it can be used.

    Timeout in seconds

    Enter the number of seconds to elapse before the timeout is enforced. The maximum value is 31622400 seconds.

  4. Click Next.

    The TSS prompts you to insert the cards that will form the OCS.

  5. For each card, follow the onscreen instructions to either set a pass phrase for the card or to create a card without a pass phrase. Each card can have a different pass phrase, and any card’s pass phrase can be changed later. See Using pass phrases for more information on pass phrases.

    When creating a card set, the TSS recognizes a card that belongs to the set before the card set is complete. If you accidentally insert a card to be rewritten, the system returns a warning.

    On completion the TSS displays a message indicating that the OCS has been successfully created.

Initiating a TSA certificate request

A TSA is not functional until you initiate and fulfill the certificate request.

  1. Log in with the Security Officer role.

  2. Navigate to TSA Management > Certification Status.

    The TSA Certification Status dialog opens, listing all the TSAs that have been created.

  3. Select the TSA that you would like to work with, then click Initiate to initiate a new TSA certificate request.

    The Select Cardset for TSA Key Backup dialog opens. If there are no Operator Card Sets installed on the TSS, the TSA Key Backup dialog does not open. Instead the TSA Certificate Request dialog opens, see step 6 below. The TSA keys you generate without an OCS will not have TSA Key Backup enabled.

  4. TSA keys cannot be restored if the OCS is lost. However, to restore keys from a disk crash or data corruption, make regular backups of the TSA key backup files and other Security World data. See Restoring a TSA key for the instructions to restore a TSA key.

  5. To enable TSA Key Backup for the TSA Key you are about to generate, select the OCS you want to use.

    If you choose the Do not enable TSA Key backup for this key option, you cannot enable key backup for this key later.

  6. Click Next.

    The Loading OCS:OCSName dialog opens. This dialog displays general information about the OCS followed by loading state information and a Next button. Each time you click Next, you are redirected to an updated display of this dialog.

    The Loading OCS:OCSName dialog requests cards and pass phrases until you have presented the number of cards required to load the OCS. When the OCS is loaded, the Loading OCS:OCSName dialog displays the message Operator Card Set OCS Name loaded.

  7. Click Next.

    The TSA Certificate Request dialog opens.

  8. Enter the following information:

    Field Enter

    Common Name

    A name for the TSA certificate

    Organization

    The name of your organization

    Organizational Unit

    The name of your organizational unit (optional)

    Serial Number

    A number that uniquely identifies the certificate (optional)

    Organizational Unit

    Any additional information you want to include in the certificate name (optional)

    Organization Identifier

    A string to identify the organization (optional)

    Locality

    The name of your locality (optional)

    State

    The name of your state (optional)

    Country

    The name of your country

    A message appears, asking you to confirm the details that you have entered.

  9. Click OK to confirm the information that you have entered.

  10. Click Next.

    The TSA Certificate Request Parameters dialog opens.

  11. Enter the following information:

    Field / Option Description

    Key Type

    Select one of the following key types:

    • DSA

    • ECDSA

    • RSA

    Signature Algorithm

    Select an algorithm that is acceptable to your CA.

    Key Length/Curve

    Select a key length/curve.

    Time-stamp Mode

    Select the time-stamp mode. The available values are:

    • RFC 3161

      RFC 3161 is the Internet X.509 Public Key Infrastructure Time-Stamp Protocol.

    • Authenticode

      Authenticode, from Microsoft, allows developers to include information about themselves and their code with their programs through the use of digital signatures.

    Distinguished Name

    Review the information used for the certificate’s name.

    Disable unattended startup for this key!

    Select this option to disable the ability for your TSS to startup unattended. By default, a TSS can start up and become completely operational without user intervention. However, in some environments, this is not appropriate. Disabling this option allows the TSS to operate under such policies. The ability to disable unattended start-up of the TSS can be granted to a TSA Key only when it is created. This feature depends on the OCS protection that is part of the new TSA Key Backup and Restore feature. Therefore this option is only available on a TSA Key that is being created with the Backup feature enabled.

    This option is only available if you selected to enable TSA key backup for the TSA key.
    If you select this option, you must load the TSA key for the unit to operate.

    Generate a self-signed certificate for this key

    Select this option to generate a self-signed certificate. This is useful for testing purposes.

  12. Click Submit Request.

    The TSA PKCS10 Certificate Request dialog opens.

  13. Click Download.

    A browser window opens:
    On Google Chrome and Mozilla Firefox, the certificate request is directly displayed in the TSS Web interface after the Download button is clicked.
    On Microsoft Internet Explorer and Microsoft Edge, the certificate request is downloaded at TSAcertreq_tsaid_n.pem where n is the TSA number.

  14. Send the TSA certificate request file to your CA. If the CA approves your request, then the CA returns a TSA certificate to you.

  15. Save the TSA certificate in a secure location. You use this certificate in Fulfilling a TSA certificate request.

    The TSA certificates remain in the pending state until they are fulfilled. To view the list of all TSA certificates that are not fulfilled, navigate to TSA Management > Certification Status. The Key Status of any certificate that has not been fulfilled appears as UncertifiedPending.

Importing the TSA certificate chain

After the CA approves your certificate request, you must import the CA’s certificate chain into your TSA certificate store. The TSA Certificate Store contains one or more CA certificate chains that can be used to validate your TSA certificate during fulfillment. A CA certificate chain typically includes a root certificate and an intermediate issuing CA certificate. A simple CA certificate chain might include a single root certificate, which is used as an issuing CA certificate. A more complex CA certificate chain might include a root certificate, intermediate CA certificate, and an issuing CA certificate. You must add the certificates to the TSA certificate store in the following order:

  • Root CA certificate

  • Certificates signed by the root CA certificate in the order in which they are signed

  • Issuing CA certificate.

To import the CA certificate chain into the TSA certificate store:

  1. Navigate to Certificate Management > TSA Cert Store.

    The TSA Certificate Store dialog opens.

  2. Click Add.

    The Add TSA Certificate dialog opens.

  3. Do one of the following:

    • Browse and locate the certificate, then click Load File.

    • Copy and paste the contents of the certificate in the text box.

  4. Click Add.

  5. Repeat the steps until you have finished adding all the certificates in the CA certificate chain, including the issuing CA certificate.

Fulfilling a TSA certificate request

After you receive your TSA certificate from your CA, you can fulfill it. Before proceeding with this step, ensure that you have imported the complete CA certificate chain including the root, intermediate, and issuing CA certificates.

  1. Navigate to TSA Management > Certification Status.

    The TSA Certification Status dialog opens, listing all the TSAs that have been created.

    The Key Status of a pending certificate appears as UncertifiedPending.
  2. Select the TSA certificate request that you would like to fulfill, then click Fulfill.

    The Fulfill TSA Certificate dialog opens.

  3. Browse to the TSA certificate file you received from your CA, or copy it in base-64 format into the box.

    If your CA has sent the certificate in Binary DER, ask for one in .pem or base-64 format.
  4. Click Accept.

    If you have chosen to enable key backup for this key, the TSS creates a unique backup file for the TSS on the system hard drive when the certificate request is fulfilled.

    Backup files are stored under %NFAST_KMDATA%\local\key_dsetsa_tsakey(n), where ’n’ is the number allotted to the TSA based on the order in which it is created. For example, the TSS assigns the filename key_dsetsa_tsakey(1) for the first TSA that you create. Back up the contents of the %NFAST_KMDATA% directory to an appropriate storage device.

Loading a TSA

Whenever the TSS software is restarted with a TSA Certificate with the Disable Unattended Startup feature enabled, the Key Status is Certified_NotLoaded (or CertifiedPending_NotLoaded). Before the TSS can be audited to start issuing time-stamps, you must load the TSA Key.

  1. Log in with the Security Officer role.

  2. Navigate to TSA Management > Operational Status.

    The Operational Status dialog opens, listing all the TSAs that exist in the TSS.

  3. Select the TSA that you would like to load, then click Details.

    The Operational Status dialog opens. The last line of this dialog is the Key Status. If the Key Status includes the _NotLoaded label, the dialog also includes a Load button next to the indicated Key Status.

  4. Click Load.

    The Loading OCS:OCSName dialog is displayed. This dialog displays general information about the OCS followed by loading state information and a Next button. Each time you click Next, you are redirected to an updated display of this dialog.

    The Loading OCS:OCSName dialog requests cards and pass phrases until you have presented a quorum and the OCS is loaded. When the OCS is loaded, the Loading OCS:OCSName dialog displays the message Operator Card Set OCSName loaded.

  5. Click Next.

    The TSA Key is loaded, and you are directed back to the Operational Status dialog. The key state is now Certified or CertifiedPending.

    The TSA Key remains loaded as long as the application continues to run and the protecting OCS allows the key to be loaded. If the protecting OCS is not persistent and the last card is removed from the card reader, the TSA key is unloaded. If the OCS has a time-out enabled, the TSA Key is unloaded when the time-out period expires. In such cases, you must reload the TSA Key by following the instructions in this section.

Registering a TSA

The TSA Registration section of the Certificate Management menu focuses on a key part of the security used to register a TSA certificate with an auditing service provider.

  1. Log in with the Security Officer role.

  2. Navigate to Certificate Management > TSA Registration.

    The TSA Registration dialog opens, displaying the list of TSA certificates that exist in the TSS.

  3. Select the TSA that you would like to register, then click Details.

    The TSA Registration dialog opens, displaying the TSA certificate and the TSS certificate. This information guarantees that the TSA certificate is in the TSS. Also, the audit service provider can know for certain that the TSA certificate is controlled by the TSS.

  4. Click E-mail to send the TSARegistration.pem file (a binary file containing no useful plain-text information) to the audit services provider.

  5. Add the appropriate information, then click Send Registration.

Checking the operational status

If you log in as a Security Officer, you will only be able to view the details.

The final phase of getting started with your TSS is for the Network Manager to check operational status.

  1. Log in with the Network Manager role.

  2. Navigate to TSA Management > Operational Status.

    The Operational Status dialog opens, listing all the TSAs that exist in the TSS.

  3. Select the TSA that you would like to review, then click Details.

    The operational status for the selected TSA is displayed:

    Parameter Description

    Clock Status

    A green light indicates that the clock is running.

    Audit Status

    A green light indicates that the auditing software is running, and that the clock can be audited.

    Time-stamping Status

    A green light indicates that the TSS is ready to time-stamp documents. An amber light indicates that the TSS needs a new TAC before it can continue. A red light indicates that time-stamping has been disabled.

    Time Attribute Certificate

    The status of the current TAC:

    Received

    a valid, operational TAC has been received and can be used for time-stamping.

    AntiTAC_Rcvd

    a non-operational TAC has been received, which has halted time-stamping until the next audit (which is likely to provide an operational TAC).

    Expired

    the current time is later than the “Valid To:” time specified in the current TAC.

    Invalid

    the current TAC has been invalidated, for instance, by rebooting the TSS or by disabling the clock.

    Key

    The status of the TSA Key.

    Certified

    the TSA is operational.

    CertifiedPending

    the TSA has an operational certificate and also has an outstanding certificate request.

    Uncertified

    the TSA does not have any certificate and does not have an outstanding certificate request.

    UncertifiedPending

    the TSA does not have any certificate but has an outstanding certificate request.

    Expired

    either the TSA is past its validity period, or the current time in the TSS board clock is set to a time outside the range defined by the TSA certificate.

  4. All objects should be green. If one or more are not, click the object’s Enable button.