Превземање на MTnet KSN и MTnet KSN+ сертификати
Transcription
Превземање на MTnet KSN и MTnet KSN+ сертификати
The Value of Trust Activation of MTnet KSN and MTnet KSN+ certificates Before activating MTnet KSN and MTnet KSN+ certificates, the user must have both the Reference number and Authorization code which the user can get from MT CA, and he/she must have installed the client application Entrust Entelligence, Microsoft Internet Explorer 5.0 or newer (cipher Strength: 128-bit) and to have set the correct date and time. The activation of MTnet KSN and MTnet KSN+ certificates is performed by creating an Entrust profile for the user. Creating the Entrust profile starts with the Create Entrust Profile Wizard, this can be done in two ways: 1. from the Start menu (figure 1.) or 2. from the System tray, by right-clicking on the icon (Golden key) (figure 2) Figure 1. Starting the Wizard for creating an Entrust profile from the Start menu AD Makedonski Telekomunikacii ul. Orce Nikolov bb. – 1000 Skopje, Macedonia http://ca.mt.net.mk; cainfo@mt.com.mk tel: 0800 12345 1 The Value of Trust Figure 2. Starting the Wizard for creating an Entrust profile from the System tray When starting the Wizard, figure 3. appears and the Wizard leads the user through the creation of the profile. To continue, click Next. Figure 3. Wizard for creating the Entrust profile of the user The user should then enter the reference number and the authorization code. An example of how you should insert the two codes is given in figure 4. After inserting the codes, click Next to continue. AD Makedonski Telekomunikacii ul. Orce Nikolov bb. – 1000 Skopje, Macedonia http://ca.mt.net.mk; cainfo@mt.com.mk tel: 0800 12345 2 The Value of Trust Figure 4. Entering the reference number and authorization code If the Entrust profile of the user is stored on hard disk, then the user must chose the directory where the profile should be saved. By default, the Wizard saves the profile in “C:\Entrust Profile”, as shown on figure 5. Once you have chosen the directory where the profile should be saved, click Next to continue creating the user profile. Remark: The Check-box option Store profile on hardware token (card) from the form on figure 5. appears only if, after installing Entrust Entelligence on the PC, there is also installed an application for reading USB tokens (i.e. Datakey CIP). If the profile of the user is not stored on the hard disk of the local computer, then the Check-box option Store profile on hardware token (card) should be unchecked. The Check-box option Store profile on hardware token (card) allows the profile of the user to be saved on a USB token (i.e. Rainbow iKey 2032). Before saving the Entrust profile of the user on the token, we must change the following line in the client Entrust configuration file, <RootDirectory>\Winnt\entrust.ini, the line FipsMode=1 should be FipsMode=0. AD Makedonski Telekomunikacii ul. Orce Nikolov bb. – 1000 Skopje, Macedonia http://ca.mt.net.mk; cainfo@mt.com.mk tel: 0800 12345 3 The Value of Trust Figure 5. Selecting a folder for storing Entrust profile of the user Then the user should choose the name of the profile, shown on figure 6. The profile name cannot contain the following characters: \ / : * “ < > | ‘. AD Makedonski Telekomunikacii ul. Orce Nikolov bb. – 1000 Skopje, Macedonia http://ca.mt.net.mk; cainfo@mt.com.mk tel: 0800 12345 4 The Value of Trust Figure 6. Creating the name for the Entrust profile After this step, there is a message that the profile of the user will be saved in the folder that they named. To continue the wizard, click Next. The form in figure 7 appears, requiring the user to select a password. The password must satisfy the following rules: 1. 2. 3. 4. 5. must be at least 8 characters long must contain at least one uppercase character must contain at least one lowercase character must not contain a portion of profile name longer than half its length must not repeat a character more than half the length of the password AD Makedonski Telekomunikacii ul. Orce Nikolov bb. – 1000 Skopje, Macedonia http://ca.mt.net.mk; cainfo@mt.com.mk tel: 0800 12345 5 The Value of Trust Figure 7. Form for choosing a password When in the field New Password: a correct password is inserted and the same password is then inserted in the field Confirm Password. Click Next to continue creating the profile. After pressing the Next button, a new window appears, shown on figure 8, which shows that the profile has been successfully created. There is an option for exporting the Entrust Enterprise certificate in files with different types (Public Encryption Certificate for Entrust Users – extension .key, Public Encryption Certificate for S/MIME Users – extension .p7c, Certificates and Keys using PKCS#12 – extension .p12) if the check box I want to export my Entrust credentials (figure 8) is checked. Creating the profile of the user ends by clicking Finish (figure 8.). AD Makedonski Telekomunikacii ul. Orce Nikolov bb. – 1000 Skopje, Macedonia http://ca.mt.net.mk; cainfo@mt.com.mk tel: 0800 12345 6 The Value of Trust Figure 8. Confirmation for successful creating of the user profile Once created, the Entrust profile of the user is stored on his hard disk and can be seen with Windows Explorer. There are several types of Entrust files that comprise the Entrust profile of the user, but the most important file that represents the profile with the private cryptographic keys for decrypting and signing and certificates for encryption and verification of the signature is with extension .epf. Once the profile has been created, the user can log in to Entrust. Logging in to Entrust can be done in two ways: 1. from the Start menu (figure 9) or 2. from the System tray, by right-clicking the icon and choosing the option Log In to Entrust (figure 10). AD Makedonski Telekomunikacii ul. Orce Nikolov bb. – 1000 Skopje, Macedonia http://ca.mt.net.mk; cainfo@mt.com.mk tel: 0800 12345 7 The Value of Trust Figure 9. Logging in to Entrust from the Start menu Figure 10. Logging to Entrust from System tray the Entrust Login form appears, as shown in figure 11., within which the user should choose the Entrust profile and must enter the password. AD Makedonski Telekomunikacii ul. Orce Nikolov bb. – 1000 Skopje, Macedonia http://ca.mt.net.mk; cainfo@mt.com.mk tel: 0800 12345 8 The Value of Trust Figure 11. Form for user login to Entrust By entering the user profile and the password, the user logs in to Entrust. After the first log-in of the user, the root certificate of MT CA should be automatically imported into the Microsoft CryptoAPI store and the notice of successful importing should appears, as shown in figure 12. Notice: If the certificate is МТnet KSN+, i.e. a certificate on a token, the next two pictures should not appear. Figure 12. Successful importing of the root CA certificate After successful notification of importing is given, the form shown on figure 13 should appear. It is possible for the user to choose the security level by clicking the Set Security Level button. The level of protection can be set to High or Medium. The desirable level of protection is High so the user should choose that level of protection for the private key. Continue with the activation of the certificate by clicking Set Security Level and choose High. AD Makedonski Telekomunikacii ul. Orce Nikolov bb. – 1000 Skopje, Macedonia http://ca.mt.net.mk; cainfo@mt.com.mk tel: 0800 12345 9 The Value of Trust Figure 13. Setting a security level After choosing a High level of protection, as shown on figure 14, the user should click Next. Figure 14. Setting a High level of protection for the private key The form for entering the password now appears (figure 15.). In the Password and Confirm fields the user enters their password, as shown on figure 15. To continue, the user should click Finish. AD Makedonski Telekomunikacii ul. Orce Nikolov bb. – 1000 Skopje, Macedonia http://ca.mt.net.mk; cainfo@mt.com.mk tel: 0800 12345 10 The Value of Trust Figure 15. Creating a password for the private key A new window now appears and the user needs to click ОK. There then appears a notification of importing the private key for signing certificates and verification of signatures to Microsoft Internet Explorer. To continue, click ОK as shown in figure 16. Figure 16. Form with a notification of importing of the private key This concludes the importing of the certificates into Microsoft Internet Explorer. The imported certificates (certificate for encryption and the certificate for verification of signatures) can be seen from the form Certificates and the Personal tab. This form can be viewed with Microsoft Internet Explorer by clicking Internet Options from the Tools menu. From the Internet Options menu, choose the Content tab and then the button Certificates. When the Entrust certificates and private cryptographic keys have been imported into the certificate store of Microsoft Internet Explorer and once the root CA certificate of МТ CA has also been imported, it is possible to use the MTnet KSN/MTnet KSN+ certificates in Microsoft applications (Microsoft Internet Explorer, Microsoft Outlook, Microsoft Outlook Express, Microsoft AD Makedonski Telekomunikacii ul. Orce Nikolov bb. – 1000 Skopje, Macedonia http://ca.mt.net.mk; cainfo@mt.com.mk tel: 0800 12345 11 The Value of Trust Word 2002/2003, Microsoft Excel 2002/2003, Microsoft PowerPoint 2002/2003, etc.) and the applications of other manufacturers if they access the certificates through Microsoft CryptoAPI interface. AD Makedonski Telekomunikacii ul. Orce Nikolov bb. – 1000 Skopje, Macedonia http://ca.mt.net.mk; cainfo@mt.com.mk tel: 0800 12345 12