Downloading MTnet KSN and MTnet KSN+ certificates

The Value of Trust
Activation of MTnet KSN and MTnet KSN+ certificates
Before activating MTnet KSN and MTnet KSN+ certificates, the user must have both the
Reference number and the Authorization code, which the user can get from MT CA. The user
must also have installed the client application Entrust Entelligence and Microsoft Internet
Explorer 5.0 or newer (cipher strength: 128-bit), and must have set the correct date and time.
The activation of MTnet KSN and MTnet KSN+ certificates is performed by creating an Entrust
profile for the user. Creating the Entrust profile starts with the Create Entrust Profile Wizard,
which can be started in two ways:
1. from the Start menu (figure 1.) or
2. from the System tray, by right-clicking on the icon (Golden key) (figure 2)
Figure 1. Starting the Wizard for creating an Entrust profile from the Start menu
AD Makedonski Telekomunikacii
ul. Orce Nikolov bb. – 1000 Skopje, Macedonia
http://ca.mt.net.mk; cainfo@mt.com.mk
tel: 0800 12345
Figure 2. Starting the Wizard for creating an Entrust profile from the System tray
When the Wizard starts, the form in figure 3 appears and the Wizard leads the user through the
creation of the profile. To continue, click Next.
Figure 3. Wizard for creating the Entrust profile of the user
The user should then enter the reference number and the authorization code. An example of how
you should insert the two codes is given in figure 4. After inserting the codes, click Next to
continue.
Figure 4. Entering the reference number and authorization code
If the Entrust profile of the user is stored on hard disk, then the user must choose the directory
where the profile should be saved. By default, the Wizard saves the profile in “C:\Entrust Profile”,
as shown in figure 5. Once you have chosen the directory where the profile should be saved,
click Next to continue creating the user profile.
Remark: The check box Store profile on hardware token (card) in the form in figure 5
appears only if, after Entrust Entelligence has been installed on the PC, an application for
reading USB tokens (i.e. Datakey CIP) is also installed. If the profile of the user is not stored on the
hard disk of the local computer, then the check box Store profile on hardware token (card)
should be unchecked. The check box Store profile on hardware token (card) allows the
profile of the user to be saved on a USB token (i.e. Rainbow iKey 2032). Before saving the
Entrust profile of the user on the token, one line in the client Entrust configuration file,
<RootDirectory>\Winnt\entrust.ini, must be changed: the line FipsMode=1 should be FipsMode=0.
Figure 5. Selecting a folder for storing Entrust profile of the user
Then the user should choose the name of the profile, as shown in figure 6. The profile name cannot
contain the following characters: \ / : * " < > | '.
Figure 6. Creating the name for the Entrust profile
After this step, there is a message that the profile of the user will be saved in the folder that they
named. To continue the wizard, click Next.
The form in figure 7 appears, requiring the user to select a password. The password must satisfy
the following rules:
1. must be at least 8 characters long
2. must contain at least one uppercase character
3. must contain at least one lowercase character
4. must not contain a portion of profile name longer than half its length
5. must not repeat a character more than half the length of the password
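The profile-name restriction and the five password rules above can be checked before the Wizard is run, for example when preparing user instructions or a help-desk checklist. The following is an added example, not Entrust code; the function names are hypothetical, and the readings of rule 4 (case-insensitive, any contiguous part of the name) and rule 5 (total occurrences of one character) are assumptions.

```python
from collections import Counter

# Characters the manual says a profile name cannot contain.
FORBIDDEN_NAME_CHARS = set('\\/:*"<>|\'')


def profile_name_errors(name):
    """Return one message per forbidden character found in the profile name."""
    bad = sorted(set(name) & FORBIDDEN_NAME_CHARS)
    return [f"profile name contains forbidden character {c!r}" for c in bad]


def password_errors(password, profile_name):
    """Return the list of violated rules; an empty list means acceptable."""
    errors = []
    if len(password) < 8:                                   # rule 1
        errors.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):              # rule 2
        errors.append("no uppercase character")
    if not any(c.islower() for c in password):              # rule 3
        errors.append("no lowercase character")

    # Rule 4 (assumed reading): no contiguous part of the profile name that
    # is longer than half the name may occur in the password, ignoring case.
    # Checking the shortest forbidden length k is enough, because every
    # longer part of the name contains a part of length k.
    name, pw = profile_name.lower(), password.lower()
    k = len(name) // 2 + 1
    if name and any(name[i:i + k] in pw for i in range(len(name) - k + 1)):
        errors.append("contains a large portion of the profile name")

    # Rule 5 (assumed reading): no single character may account for more
    # than half of the password's characters.
    if password and max(Counter(password).values()) * 2 > len(password):
        errors.append("one character makes up more than half of the password")
    return errors


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("Skopje2024ok", "Jsmith2024", "aaaaaB"):
        print(pw, "->", password_errors(pw, "jsmith") or "OK")
    print(profile_name_errors("my:profile"))
```
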
Figure 7. Form for choosing a password
Enter a valid password in the New Password field and the same password in the Confirm
Password field, then click Next to continue creating the profile.
After pressing the Next button, a new window appears, shown on figure 8, which shows that the
profile has been successfully created.
There is an option for exporting the Entrust Enterprise certificate in files with different types
(Public Encryption Certificate for Entrust Users – extension .key, Public Encryption Certificate for
S/MIME Users – extension .p7c, Certificates and Keys using PKCS#12 – extension .p12) if the
check box I want to export my Entrust credentials (figure 8) is checked.
Creating the profile of the user ends by clicking Finish (figure 8.).
Figure 8. Confirmation of successful creation of the user profile
Once created, the Entrust profile of the user is stored on the user's hard disk and can be seen with
Windows Explorer. Several types of Entrust files make up the Entrust profile of the user, but the
most important one, which represents the profile with the private cryptographic keys for
decrypting and signing and the certificates for encryption and verification of the signature, is the
file with the extension .epf.
Once the profile has been created, the user can log in to Entrust.
Logging in to Entrust can be done in two ways:
1. from the Start menu (figure 9) or
2. from the System tray, by right-clicking the icon and choosing the option Log In to Entrust
(figure 10).
Figure 9. Logging in to Entrust from the Start menu
Figure 10. Logging in to Entrust from the System tray
The Entrust Login form then appears, as shown in figure 11, in which the user should choose the
Entrust profile and must enter the password.
Figure 11. Form for user login to Entrust
By entering the user profile and the password, the user logs in to Entrust.
After the first log-in of the user, the root certificate of MT CA should be automatically imported into
the Microsoft CryptoAPI store and the notice of successful importing should appear, as shown in
figure 12.
Notice: If the certificate is MTnet KSN+, i.e. a certificate on a token, the next two pictures should
not appear.
Figure 12. Successful importing of the root CA certificate
After the notification of successful importing is given, the form shown in figure 13 should appear.
The user can choose the security level by clicking the Set Security Level button. The
level of protection can be set to High or Medium.
The desirable level of protection is High so the user should choose that level of protection for the
private key. Continue with the activation of the certificate by clicking Set Security Level and
choose High.
Figure 13. Setting a security level
After choosing a High level of protection, as shown on figure 14, the user should click Next.
Figure 14. Setting a High level of protection for the private key
The form for entering the password now appears (figure 15.). In the Password and Confirm fields
the user enters their password, as shown on figure 15. To continue, the user should click Finish.
Figure 15. Creating a password for the private key
A new window now appears and the user needs to click OK. There then appears a notification of
importing the private key for signing certificates and verification of signatures to Microsoft Internet
Explorer. To continue, click OK as shown in figure 16.
Figure 16. Form with a notification of importing of the private key
This concludes the importing of the certificates into Microsoft Internet Explorer. The imported
certificates (certificate for encryption and the certificate for verification of signatures) can be seen
from the form Certificates and the Personal tab. This form can be viewed with Microsoft Internet
Explorer by clicking Internet Options from the Tools menu. From the Internet Options menu,
choose the Content tab and then the button Certificates.
When the Entrust certificates and private cryptographic keys have been imported into the
certificate store of Microsoft Internet Explorer and once the root CA certificate of MT CA has also
been imported, it is possible to use the MTnet KSN/MTnet KSN+ certificates in Microsoft
applications (Microsoft Internet Explorer, Microsoft Outlook, Microsoft Outlook Express, Microsoft
Word 2002/2003, Microsoft Excel 2002/2003, Microsoft PowerPoint 2002/2003, etc.) and the
applications of other manufacturers if they access the certificates through Microsoft CryptoAPI
interface.