Issuing user certificates with user participation
- In the Certificate Manager dialog box, select File > Issue User Certificates. This opens the Manage User Certificate Requests dialog box.
- In the Add User field, specify the new user’s name.
- Click Add. To batch-process new users, repeat steps 2 and 3 to add as many new users as required before continuing.
- Select the user name in Select User.
- Click Next. This reconfigures the dialog box for specifying user information. User Name shows the name of the user selected in Step 4 and is not editable. To change the user name, click Prev to return to the previous dialog box.
- Fill in the necessary information to create a user information file. The only required information items are the user name and email address. Everything else is optional.
  - Country is the two-letter code. For example, US for United States.
  - State, or province, or other governmental unit, is not abbreviated.
  - Locality is usually the city name.
  - Organization is the legal name of your organization.
  - Unit is any unit within the organization, and is user-defined.
  - Email is the user’s email address.
- Click Save User Information. The dialog box displays the location of the information file.
- Email the user information file to the user. If your email does not support attachments, then send the request in PEM format. To send the form in PEM format, click PEM Format and paste it into an email message.
  After receiving the user information file, the end-user selects an algorithm, creates a private key, a public key, and a Certificate Request. At this point the end-user emails you the certificate request.
- Click Next. This reconfigures the dialog box for copying the user’s Certificate Request to the specified location.
  - If it is an email attachment, then copy it to the location that was specified in Option 1.
  - If it is the text of an email message, then copy the entire message into the text box in Option 2. Copy the message from -----BEGIN CERTIFICATE REQUEST----- through -----END CERTIFICATE REQUEST-----.
- Click Next.
- If the end-user did not modify the original user information, then this would be stated in the first item. If the first item states that the end-user modified information, then review the new information.
  If the end-user made unacceptable changes, or if the second item specifies that the end-user did not create a public key, then click Quit. Then, notify the end-user to change it and resend the Certificate Request. When you receive the new information, repeat the steps.
- When you are satisfied that the end-user’s information is valid, and that the end-user has created a public key, click Next.
- Use the Start Date or Days field to specify a start date for the user certificate other than the default. The date can be expressed in mm/dd/yyyy format or as a specific number of days from the current date, such as 1000.
- In the Expire Date or Days field, specify the expiration date in mm/dd/yyyy format, or the number of days from the current date, such as 1000. You can also accept the valid date range that is shown in the dialog box and not specify any dates or days.
  Note: An expiration date, or number of days, is required. A user certificate can never outlive a CA certificate. If the expiration date is after the CA certificate's expiration date, then the user certificate is automatically set to expire one day before the CA certificate's expiration date.
- Click Create Certificate. A message is displayed confirming the password that was created for the user.
- Specify the password and click OK. The Certificate Manager creates the user certificate and notifies you that the certificate has been created.
- Click Finished to add another user or Quit to exit the GUI.
- Click Quit to close the Manage User Certificate Request dialog box.
- Verify that the user certificate has been issued by clicking File > Refresh in the Certificate Manager dialog box.
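
The validity rules from the Start Date and Expire Date steps and their note can be checked before you click Create Certificate. The following is an added example, not Certificate Manager code: it models the rule as the page states it, and the function names, the sample dates, and the choice of "today" as the default start date are assumptions.

```python
from datetime import date, datetime, timedelta

# Constructed sample values for illustration only.
TODAY = date(2024, 1, 15)
CA_EXPIRES = date(2026, 6, 30)


def parse_field(value: str, today: date) -> date:
    """Accept mm/dd/yyyy or a whole number of days from the current date."""
    value = value.strip()
    if value.isdigit():
        return today + timedelta(days=int(value))
    return datetime.strptime(value, "%m/%d/%Y").date()


def resolve_validity(start_field, expire_field, ca_expires, today):
    """Return (start, expire, clamped) for a user certificate.

    clamped is True when the requested expiry was after the CA
    certificate's expiry and was moved to one day before it.
    """
    if not expire_field or not expire_field.strip():
        raise ValueError("an expiration date or number of days is required")
    # Assumption: an empty Start Date field means "starts today".
    if start_field and start_field.strip():
        start = parse_field(start_field, today)
    else:
        start = today
    expire = parse_field(expire_field, today)
    clamped = False
    if expire > ca_expires:
        # A user certificate can never outlive the CA certificate.
        expire = ca_expires - timedelta(days=1)
        clamped = True
    if expire <= start:
        raise ValueError("certificate would expire on or before its start date")
    return start, expire, clamped


if __name__ == "__main__":
    # 1000 days from the sample "today" runs past the sample CA expiry.
    print(resolve_validity("", "1000", CA_EXPIRES, TODAY))
    print(resolve_validity("02/01/2024", "12/31/2025", CA_EXPIRES, TODAY))
```

A `clamped` result of True tells you the certificate will expire earlier than requested, which is worth communicating to the end-user before issuing.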