A-SIT Secure Information Technology Center – Austria

Configuration

Various aspects of the certificate Validation Process can be configured. For example, LDAP directories and revocation services are customisable. The main configuration dialogue can be launched using the menu Configuration → Edit.

As shown in the above figure, the configuration menu consists of the following entries:

• Edit: Launches the main configuration dialogue.
• Online Update: Automatically downloads the most recent default configuration from the Internet (including trust anchors).
• Preferences: Used to enable and adapt automatic certificate validation settings.

Configuration Files

The configuration consists of local settings (the file localconfig.properties) and default settings (defaultconfig.properties). Configuration changes are stored as part of the local settings. By design, the default configuration is never altered. This enables resetting custom configuration values to their defaults. By manually editing the value of the RemoteConfigurationURL entry in the default settings configuration file, the distribution point for the default configuration can be customised.

Changing the Configuration

The main configuration dialogue enables the configuration of LDAP services and their corresponding OCSP responders and CRL distribution points as depicted in the figure below. Additionally, OIDs identifying qualified certificates can be specified.

Service Configuration

Selecting a service from the drop-down menu of all configured services populates all input fields with the values configured for this service and displays The trust anchors associated with the service. The following properties can be configured:

• Issuer certificates: Represents the trust anchors associated with a service. By pressing Open new certificate a certificate can be imported as a trust anchor for the currently selected service. An import copies the configured certificate into the directory .asitCertStatus/certificates in the user's home directory. In order to enable OCSP requests and a verification of certificates issued by a service provider, this provider has to be configured as a service, and its issuer certificate has to be imported.

  Hint: Multiple issuer certificates can be provided in order to support back-up certificates. In case the configured primary certificate gets revoked, the verification process can still commence based on additional certificates (if configured).

• LDAP Url: Specifies the URL of an LDAP directory to be queried. The URL must start with ldap://. In case no URL is specified, a service is not considered for queries.
• LDAP attribute for name search: The string of the LDAP pattern which specifies the field indicating subject names can be specified here. In most cases cn= is correct.
• Supplement of the filter expression for the LDAP name search: Contains the string which is appended to the subject name query string. If, for example, Meier is specified and the name search starts with Max Mustermann the resulting query string will be cn=MaxMustermannMeier. In most cases, this field should be left empty. The Austrian eCard, however, mandates :SER*, since an LDAP query must also contain a filter for serial numbers, which are specified by the SER field.
• LDAP attribute for serial number: Specifies the string of the LDAP pattern which denotes the field indicating a certificate serial number. In most cases serial=, or serialNumber= is correct.
• Supplement of the filter expression for the LDAP serial number search: Contains the string which is appended to the serial number query string.
• CRL Url: Used to specify the URL to a CRL distribution point used for the configured service. Delta-CRLs cannot be used. The URL must start with ldap:// or http://. By default, any certificate is inspected for CRL distribution points during its verification. If no distribution points are specified in the certificate, the URL specified here is used.
• OCSP Url: Used to configure the URL to an OCSP responder. As with CRL distribution points, the configured responder is only used as a fallback. OCSP responder URLs must start with http://.

Any changes made can be saved by pressing the Save configuration button.

The configuration can be reset to its defaults at any time by pressing the Reset default values button.

The buttons Add new Service and Remove can be used to add/remove services. The Remove button next to a certificate is used to remove individual trust anchors.

Hint: If an LDAP service is configured attribute names for name and serial number must be provided as well.

OID Settings

The OID tab of the configuration editor allows for defining OIDs which are considered to indicate qualified certificates.

OIDs can either be declared as QC statements or as certificate polcies extensions.

Certificates may contain certain OIDs which mark them as qualified certificates. Any certificate having at least one of the specified OIDs (either as part of the qualified certificate statements extensionor in the certificate policies extensions) are considered qualified certificates. Note: In both cases these data are set by the certificate issuer and will thus not be checked. New OIDs can be added by simply filling out the corresponding input field and pressing the Add button. By selecting an already specified OID it can be edited in the same way.