This AppNote discusses how auto-enrollment for users and workstations can be achieved in a Novell eDirectory and cv act PKIntegrated environment.
Providing users and machines with digital certificates (enrollment) is the most important process in a PKI. This can be realized by establishing a registration authority, where the user needs to show up and register personally.
However, many PKI operators want a simpler process that is transparent to the user. In addition, it should be possible to generate digital certificates for machines (workstations) in a simple way, without physical access to the machines.
The easiest way known today is certificate auto-enrollment. Auto-enrollment means that the subject (user or machine) gets its certificate and key in a transparent way, without user interaction and without personal contact between the subject and the PKI registrator. This can be achieved by combining the enrollment process with the system login - immediately after login, a process is started that provides the user or machine with a key and a certificate. The security of this process (the wrong subject must not be allowed to get a certificate) is based on the security of the login password.
Auto-enrollment is a highly valuable method for many PKI operators. Compared to other enrollment procedures it saves a lot of time and effort, and it enhances user acceptance. These are the reasons why auto-enrollment has become very popular in recent years. Many organizations even choose to enroll all of their digital certificates this way. One field where auto-enrollment is especially valuable is IEEE 802.1x. This technology is used in LANs and WLANs for authenticating workstations. As PKI operators usually don't want to enroll each workstation separately by physical access, they prefer auto-enrollment.
Figure 1: Auto-enrollment is especially valuable for 802.1x authentication
Auto-enrollment is only possible in an environment where the PKI operator has access to the software configuration of the subject, and when a software key store is used. If the user stores his key on a Smart Card, enrollment always requires user interaction (inserting the card, typing the PIN), which can certainly not be called "auto-enrollment".
Auto-enrollment was first introduced by Microsoft with Windows 2000. The Windows 2000 CA automatically creates digital certificates for a machine, if the system is configured in an appropriate way. The security is provided by the system login (usually with a password). With Windows 2003, Microsoft also introduced auto-enrollment for users, which resulted in a complete auto-enrollment support for all kinds of certificates. With a component named CLM (Certificate Lifecycle Manager) Microsoft also supports the automated replacement of a certificate when it expires (key roll-over).
Auto-enrollment is not a standard functionality of cv act PKIntegrated, but there are two tools provided by Cryptovision that can be used to enable it:
Of course it would be nice if both kinds of certificates could be handled by a single tool, but unfortunately the current version of cv act workstation/cic doesn't handle user certificates. Still, there is some hope that Cryptovision will make some extensions in that direction. Until then, the pki/roamer is a perfect workaround and will do its job with some minor limitations discussed later.
The purpose of cv act workstation/cic is to enable auto-enrollment for machine certificates issued by cv act PKIntegrated ("cic" stands for certificate installation client). cv act workstation/cic consists of only one component, a lean client executable for Windows. This client is started via Novell ZENworks after a user has logged in to his PC. It verifies whether a digital certificate minted on the respective workstation is available in Novell eDirectory, and whether the same certificate is stored in the local key store. If neither case is true, it triggers the generation of a new key pair and certificate.
One of the nice aspects about cv act workstation/cic is that it also provides for a key roll-over. It automatically checks the validity of the workstation's certificate and initiates the generation of a new one, if the expiration date is within a configurable time range.
Currently, cv act workstation/cic doesn't support user certificates.
Figure 2: cv act workstation/cic enables an auto-enrollment for machine certificates
cv act pki/roamer is also provided by Cryptovision as an add-on to the PKI solution cv act PKIntegrated. cv act pki/roamer is not primarily a tool for auto-enrollment, yet it can be used for this purpose. The actual goal of cv act pki/roamer is to enable roaming keys. A roaming key is a private key that is stored on a server and that can be downloaded to the local key store (Microsoft or Mozilla) whenever the user needs it. Roaming keys are an alternative to storing a private key in a Smart Card or on the user's hard disk. While roaming keys are certainly not suitable for high-security requirements, they offer a cost-effective way to have keys available outside the user's home PC.
cv act pki/roamer is a simple client software for Windows operating systems. It enables roaming keys by using the Novell SecretStore and requires that the CA store a newly generated key in the user's SecretStore. From there, the key is downloaded to the user's PC each time the user logs in. cv act pki/roamer can be configured so that after logout the keys are deleted from the key store.
Figure 3: cv act pki/roamer can be used for enabling auto-enrollment for user certificates
In order to use cv act pki/roamer for auto-enrollment, an IDM loop-back driver can be used. This triggers the generation of a digital certificate with cv act PKIntegrated, when a user object is marked in a defined way. The user's private key needs to be stored in the SecretStore, which is easily configurable with cv act PKIntegrated. When a user logs in to the operating system with the Novell Client, cv act pki/roamer automatically copies the key from the SecretStore to the local key store. If cv act pki/roamer is configured in an appropriate way, the key is not deleted from there after logout. This means that the user always has his keys available, even offline.
Unlike cv act workstation/cic, cv act pki/roamer doesn't support a key roll-over. For this reason, a loop-back driver is necessary. The loop-back driver needs to take care of the certificate lifetime. Once the validity expires, the loop-back driver replaces the digital certificate and stores the new key in the user's SecretStore. From there, cv act pki/roamer copies the key to the local key store when the user logs in the next time.
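Both cv act workstation/cic (for machine certificates) and the loop-back driver used with cv act pki/roamer (for user certificates) have to make the same decision: is a certificate present where it should be, and is its expiration date inside the renewal window? The following script is an added example and is not code from the AppNote, from Cryptovision or from Novell. It reads the notAfter field directly out of a DER-encoded X.509 certificate with a minimal ASN.1 walker (no third-party library) and returns one of three actions. The function names, the fixed reference clock and the 30-day default window are assumptions made for the example; the sample certificate is constructed inline and is structurally valid but unsigned.

```python
"""Added example: enrollment / roll-over decision for a workstation or user
certificate, with a stdlib-only reader for the X.509 validity period.
Not part of the AppNote or of the cv act tools it describes."""
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is deterministic (assumption for the example).
REFERENCE_NOW = datetime(2025, 6, 1, 12, 0, 0, tzinfo=timezone.utc)


def _tlv(data, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, child, pos = _tlv(value, pos)
        yield tag, child


def cert_validity(der):
    """Return (notBefore, notAfter) as UTC datetimes from a DER X.509 certificate."""
    _, cert, _ = _tlv(der, 0)                      # Certificate ::= SEQUENCE
    tbs = next(_children(cert))[1]                 # tbsCertificate is its first element
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    validity = fields[3][1]
    times = []
    for tag, value in _children(validity):
        text = value.decode("ascii")
        if tag == 0x17:                            # UTCTime YYMMDDHHMMSSZ (RFC 5280 pivot at 2050)
            t = datetime.strptime(text, "%y%m%d%H%M%SZ")
        elif tag == 0x18:                          # GeneralizedTime YYYYMMDDHHMMSSZ
            t = datetime.strptime(text, "%Y%m%d%H%M%SZ")
        else:
            raise ValueError("unexpected Time tag %#x" % tag)
        times.append(t.replace(tzinfo=timezone.utc))
    return times[0], times[1]


def enrollment_action(in_edirectory, local_der, renewal_window_days=30, now=None):
    """Mirror the checks the AppNote describes for cic and the loop-back driver.

    in_edirectory: whether a certificate for this subject is published in eDirectory
    local_der:     the certificate found in the local key store, or None
    Returns "enroll" (nothing usable present), "renew" (inside the configurable
    window or already expired) or "ok".
    """
    now = now or datetime.now(timezone.utc)
    if not in_edirectory or local_der is None:
        return "enroll"
    _not_before, not_after = cert_validity(local_der)
    if not_after - now <= timedelta(days=renewal_window_days):
        return "renew"
    return "ok"


def _der(tag, content):
    """Encode one DER TLV (lengths up to 65535 bytes, enough for the example)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def _time(t):
    """Encode a Time as UTCTime before 2050 and GeneralizedTime from 2050 on."""
    if t.year >= 2050:
        return _der(0x18, t.strftime("%Y%m%d%H%M%SZ").encode())
    return _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())


def sample_cert(days_until_expiry, now=REFERENCE_NOW):
    """Constructed sample: a structurally valid, unsigned X.509 skeleton whose
    notAfter lies days_until_expiry days after now (one-year lifetime)."""
    not_after = now + timedelta(days=days_until_expiry)
    not_before = not_after - timedelta(days=365)
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                # [0] version v3
        _der(0x02, b"\x01"),                            # serialNumber 1
        _der(0x30, b""),                                # signature AlgorithmIdentifier (empty placeholder)
        _der(0x30, b""),                                # issuer Name (empty placeholder)
        _der(0x30, _time(not_before) + _time(not_after)),   # validity
        _der(0x30, b""),                                # subject Name (empty placeholder)
        _der(0x30, b""),                                # subjectPublicKeyInfo (empty placeholder)
    ]))
    # Certificate = tbs + signatureAlgorithm + signatureValue (BIT STRING, 0 unused bits)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    for days in (200, 10, -5):
        print(days, enrollment_action(True, sample_cert(days), now=REFERENCE_NOW))
    print("missing", enrollment_action(True, None, now=REFERENCE_NOW))
```

In a real deployment the `in_edirectory` flag would come from an LDAP lookup of the subject's certificate attribute and `local_der` from the Windows machine or user store; the decision logic and the validity parser stay the same. The script deliberately treats an already expired certificate as "renew" rather than "enroll", since the existing key material still identifies the subject and only the certificate must be replaced.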
Auto-enrollment for a PKI is not available out of the box in an eDirectory environment. Yet, there are appropriate tools to enable auto-enrollment, if cv act PKIntegrated is used. Unfortunately, user enrollment and machine enrollment are not supported by the same tool. Another disadvantage is that both tools are only available for Windows environments, while Linux is not supported. Still, cv act workstation/cic and cv act pki/roamer jointly provide for functionality in a Novell environment which is usually only available in Microsoft systems.
The author would like to thank cv Cryptovision for its support.