Certificates can be created with longer validity than CAs.
Originally Published: 2001-07-12
Article Number
Applies To
Keon Certificate Authority
TechNote 0143
Issue
Resolution
A better way to deal with this is to change the templates to check this and to disallow it. There are three methods that can be used:
1. Fix the validity period of the certificates to two days less than the CA's, so that the certificate creator cannot modify this field at all. This template is useful when the administrators want every certificate they issue to have the longest possible validity period.
2. Provide a drop-down list of the valid options for the certificate's validity period; only periods that are not longer than the CA expiry are listed. The user can only pick a validity period from the list.
3. Display a warning message when a validity period longer than the issuing CA's is entered. The certificate will not be issued, and the user must go back and re-enter the period. This is the most flexible method, since the administrators can enter any validity period they want and do not have to worry about exceeding the expiry date of the issuing CA (the system does the checking).
We have made available sample replacement templates for each of the above options. The steps to do the above are as follows:
----
For method 1:
1. Make a backup of your original "view-request.xuda" file (under <sentry-installation-directory>/SentryCA/WebServer/admin-server/ca/admin).
2. Pick up a sample copy of the xuda templates from: https://knowledge.rsasecurity.com/docs/utilities/TTL_Fixed_Period.zip
3. Unzip the TTL_Fixed_Period.zip file.
Copy "view-request.xuda" to ...SentryCA/WebServer/admin-server/ca/admin/
(note you may need to change file permissions on the original file to be able to overwrite it)
4. Issue the certificate using the usual process.
----
For method 2:
1. Make a backup of your original "view-request.xuda" file (under <sentry-installation-directory>/SentryCA/WebServer/admin-server/ca/admin).
2. Pick up a sample copy of the xuda templates from: https://knowledge.rsasecurity.com/docs/utilities/TTL_Dropdown_List.zip
3. Unzip the TTL_Dropdown_List.zip file.
Copy "view-request.xuda" to .../SentryCA/WebServer/admin-server/ca/admin/
Copy "x-ttl-option.xuda" to .../SentryCA/WebServer/x-templates/
(note you may need to change file permissions on the original files to be able to overwrite them)
4. Issue the certificate using the usual process.
Note: You can edit "x-ttl-option.xuda" to customize the drop-down list to fit your own requirements.
----
For method 3:
1. Make a backup of the following files:
.../SentryCA/WebServer/admin-server/ca/admin/view-request.xuda
.../SentryCA/WebServer/admin-server/ca/admin/authorize-request.xuda
.../SentryCA/WebServer/x-templates/x-forward-request.xuda
2. Pick up a sample copy of the xuda templates from: https://knowledge.rsasecurity.com/docs/utilities/TTL_Warning_Message.zip
3. Unzip the TTL_Warning_Message.zip file.
Copy "view-request.xuda" and "authorize-request.xuda" to .../SentryCA/WebServer/admin-server/ca/admin/
Copy "x-forward-request.xuda" to .../SentryCA/WebServer/x-templates/
(note you may need to change file permissions on the original files to be able to overwrite them)
4. Issue the certificate using the usual process.
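----
The validity check behind the three methods above, sketched in Python as an added example; it is not the xuda template code from the sample zips. All function names, the candidate periods and the sample dates are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical names throughout; the real enforcement lives in the xuda templates.
FIXED_MARGIN_DAYS = 2  # method 1: "two days less than CAs"


def days_until_ca_expiry(ca_not_after, now):
    """Whole days of CA lifetime left, rounded down (0 if already expired)."""
    return max((ca_not_after - now) // timedelta(days=1), 0)


def fixed_validity_days(ca_not_after, now):
    """Method 1: the only validity offered is CA lifetime minus two days."""
    return max(days_until_ca_expiry(ca_not_after, now) - FIXED_MARGIN_DAYS, 0)


def dropdown_options(candidates, ca_not_after, now):
    """Method 2: list only the periods that end on or before CA expiry."""
    limit = days_until_ca_expiry(ca_not_after, now)
    return [d for d in sorted(candidates) if 0 < d <= limit]


def check_requested(days, ca_not_after, now):
    """Method 3: accept any period, but refuse one that outlives the CA.

    Returns (ok, message); when ok is False the certificate is not issued.
    """
    if days <= 0:
        return False, "validity period must be at least one day"
    not_after = now + timedelta(days=days)
    if not_after > ca_not_after:
        return False, (f"requested expiry {not_after:%Y-%m-%d} is later than "
                       f"CA expiry {ca_not_after:%Y-%m-%d}; re-enter the period")
    return True, f"certificate would expire {not_after:%Y-%m-%d}"


if __name__ == "__main__":
    # Constructed sample dates, not taken from any real CA.
    now = datetime(2001, 7, 12, tzinfo=timezone.utc)
    ca_not_after = datetime(2003, 7, 12, tzinfo=timezone.utc)
    print(fixed_validity_days(ca_not_after, now))
    print(dropdown_options([30, 90, 365, 730, 1095], ca_not_after, now))
    print(check_requested(1095, ca_not_after, now))
```

The same comparison can be run over certificates that were already issued, to find any whose expiry date is later than that of the issuing CA.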