PHPki HELP FILE
TABLE OF CONTENTS
Requesting a New Certificate
Managing Your Certificate With The Control Panel
Revoking a Certificate
Displaying Certificate Details
Renewing a Certificate
Downloading a Certificate
End User Help Documents
The PHPki Glossary of Terms
Getting Additional Help
PHPki is an open source, web-based application for managing a "Public Key Infrastructure" within a small organization. PHPki may be used to create and manage digital certificates for use with S/MIME enabled e-mail clients, SSL servers, and VPN applications.
Most commercial certificate authorities (CAs) require that certificates be issued to individual workstations, one at a time. The transaction required to obtain a commercial certificate must usually take place at the workstation on which the certificate is to be installed, and can be complicated, confusing, and time consuming. Such a process does not allow for easy centralized administration of groups of certificates, where a single person within an organization or department must request, create, and install certificates on a number of workstations.
PHPki creates standard X.509 digital certificates which should work with most e-mail clients. It packages private certificates either in the PKCS#12 format accepted by Microsoft e-mail clients or in the PEM format used by certain web servers. PKCS #12 files usually have a .P12 filename extension. Because a PKCS #12 bundle (and likewise the PEM bundle) contains the certificate's private key, these files must never be distributed to the general public. PHPki's publicly distributable certificates contain the certificate alone, with no private key, and are packaged in standard DER format.
The process of creating and using digital certificates with PHPki is fairly easy.
- First you must download and install our root certificate on your computer. Everyone else you intend to exchange encrypted e-mail with must also install our root certificate. Everyone who installs our root certificate becomes a member of our "circle of trust". The PHPki main menu contains an option for downloading our root certificate. Root certificates are not private and should be widely distributed and published on the Internet in a conspicuous location. The more widely a root certificate is published, the easier it is for anyone to compare copies and notice a substituted or tampered root. Keep in mind that installing a root certificate means trusting every certificate issued under it, so check the root's fingerprint against a copy obtained through a second channel before installing it.
- You must request and download a digital certificate for each person who will RECEIVE encrypted e-mail at your agency. Remember, having a digital certificate of your own does not enable you to send encrypted e-mail, only to receive it (and to sign what you send). Each of the certificates you download must be installed on the respective user's workstation. To send encrypted e-mail to someone, you must install that person's public certificate on your computer. You can obtain another person's public certificate simply by having them send you a digitally signed e-mail message; when you receive it, your e-mail program should offer to add the sender's public key to your address book or key ring. Once your users' certificates are installed, have each user send a digitally signed message to everyone who will need to send encrypted e-mail to them.
- Users come and go, passwords are compromised, and files are lost; such is life. PHPki includes a certificate management system for handling these situations. The certificate management control panel gives you the ability to display certificates in excruciating detail, revoke a certificate when its e-mail address is no longer valid or its private key has been lost or compromised, renew certificates which have expired or are about to, and re-download a previously issued certificate if you've lost the original.
- There must be a method for letting outside entities know which of your certificates have been revoked. The mechanism for doing this is the Certificate Revocation List, or CRL. A CRL is a digitally signed list of certificates which have been revoked by a Certificate Authority. Our CRL is updated periodically, and can be downloaded from the PHPki Main Menu. Many e-mail clients can fetch CRLs automatically using the CRL distribution point information embedded in certificates, but support for revocation checking, and whether it is switched on by default, varies widely between clients, so it is not unusual to have to install and update CRLs manually. Until a client has the current CRL, it will go on accepting a certificate you have already revoked.
- PHPki provides a public interface for Internet users to download our root certificate and certificate revocation list. A certificate search feature is also provided to allow easy distribution of public certificates over the Internet.
All of the PHPki primary functions can be accessed from the Main Menu. It is possible to navigate back to the Main Menu from any screen by clicking the "Menu" link in the upper right corner of each page. Clicking the Public link will open a new browser window to the public content menu where the general public may search for certificates and download the Root Certificate and Certificate Revocation List.
Requesting a New Certificate
When you select "Request a New Certificate" from the Main Menu, you will be presented with the Certificate Request Form.
This form collects the minimum information required to issue a new digital certificate. All fields must be completed.
- E-mail User's Full Name: Enter the full name of the user for whom the certificate will be issued.
- E-mail Address: Enter the e-mail address of the user for whom the certificate is to be issued. This field is checked for proper e-mail address format, but the e-mail address is not verified otherwise.
- Organization: Enter the full name of your organization (e.g. ACME Shoe Repair).
- Department/Unit: Enter the name of the department or unit in which the user works (e.g. Accounting Department).
- Locality: Enter the name of the City or County in which the organization is located.
- State/Province: Enter the name of the State or Province in which the organization is located.
- Country: Enter the name of the Country in which the organization is located.
- Certificate Password: Enter a password to protect the certificate. If you enter a password, it must be entered twice for verification. This password is used to encrypt the private key which is packaged with the completed certificate, and it may also be required when installing a PKCS#12 certificate. Handle it with the utmost care and never lose it: it cannot be recovered under any circumstances, and without it the private key is unusable. If this password is lost, you must immediately revoke the certificate and request/create a new certificate for the user.
- Certificate Life: Select the number of years you want the certificate to be valid. Although it is common practice to issue certificates which are valid for only one year, the option to issue certificates for a longer period is available should you wish to be a rebel. Bear in mind that a longer life also lengthens the time a lost or compromised key remains usable if the loss goes unnoticed. The certificate may be revoked or renewed at any point during its life.
- Key Size: Select the size of your private key in bits. Larger keys are considered more secure. However, certain VPN applications may have difficulty with keys larger than 1024 bits. Note that 1024-bit RSA keys are no longer considered adequate; choose at least 2048 bits unless a specific application forces you to do otherwise, and treat such an exception as a known weakness.
- Certificate Use: Select the purpose for which the certificate will be used. E-mail certificates carry different attributes (the key usage and extended key usage extensions) from SSL server certificates and may not be interchangeable. Some IPSEC/VPN applications are sensitive to large certificates, so those certificates contain less embedded information to keep them small.
When you have completed the form, click the "Submit Request" button. The information you submitted will be checked for errors, and a confirmation screen will be displayed.
Clicking the "Yes! Create and Download" button will cause a file download window to open in your browser, allowing you to save the certificate on your computer under whatever name you choose. The default name for each certificate is derived from the e-mail address provided in the certificate request form. You may download the certificate as many times as you wish as long as your browser remains on this page. If you navigate away from this page, you will have to use the Certificate Management Control Panel to download the certificate again. Be sure to save all of your certificates in a safe and secure place. Doing so will make it easier for you to re-install a certificate on a user's workstation should the need arise.
After the download window closes, you may click the "Back" button to return to the form and request another certificate. All of the data you previously entered will be retained. This allows you to issue a large number of certificates without having to re-enter most of the form. Your form input will also be saved as your default values for future sessions.
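The request form maps almost one to one onto OpenSSL commands. The script below is an added example and not PHPki's own code: it takes constructed sample values for each form field, builds a root certificate and a user certificate with the extension profile that "Certificate Use" selects, and packages the result the way PHPki does (a PKCS#12 bundle and a PEM bundle encrypted under the form password, plus a DER file holding the public certificate alone). It then runs the checks a practitioner would want on the downloaded files: the bundle opens only with the form password, the DER file carries no private key, and the certificate verifies for S/MIME signing but not as an SSL server certificate. It assumes the openssl command-line tool is installed; the organization, user, server name and password are made up, and show_details prints roughly what the Control Panel's detail view shows.

```shell
#!/bin/sh
# Added example, not PHPki code: the Certificate Request Form done with the openssl
# command-line tool, producing the same files PHPki hands back. All values are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- Form fields (constructed sample input) ---
FULL_NAME='Jane Doe'
EMAIL='jane.doe@example.org'
ORG='ACME Shoe Repair'
UNIT='Accounting Department'
LOCALITY='Springfield'
STATE='Illinois'
COUNTRY='US'                    # X.509 countryName is a two-letter code
CERT_PASSWORD='correct horse battery staple'
LIFE_YEARS=1
KEY_BITS=2048
CERT_USE=email                  # email | server: picks the extension profile below
SERVER_NAME='mail.example.org'  # used only when CERT_USE=server
DAYS=$((LIFE_YEARS * 365))

# Extension profiles. E-mail and SSL server certificates differ in extendedKeyUsage
# and subjectAltName; that is why the two kinds are not interchangeable.
cat > ext.cnf <<EOF
[req]
distinguished_name = dn
[dn]

[root_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[email_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$EMAIL
authorityKeyIdentifier = keyid

[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_NAME
authorityKeyIdentifier = keyid
EOF

# 1. Root certificate (what the main menu's "download root certificate" serves).
openssl req -x509 -config ext.cnf -extensions root_ext -newkey rsa:2048 -nodes -sha256 \
  -days 3650 -subj "/C=$COUNTRY/O=$ORG/CN=$ORG Root CA" -keyout root.key -out root.pem 2>/dev/null

# 2. User key pair and request, built from the form's DN fields and key size.
openssl req -new -config ext.cnf -newkey "rsa:$KEY_BITS" -nodes -sha256 \
  -subj "/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORG/OU=$UNIT/CN=$FULL_NAME/emailAddress=$EMAIL" \
  -keyout user.key -out user.csr 2>/dev/null

# 3. Sign with the profile selected by "Certificate Use", valid for "Certificate Life".
openssl x509 -req -in user.csr -CA root.pem -CAkey root.key -CAcreateserial -days "$DAYS" \
  -sha256 -extfile ext.cnf -extensions "${CERT_USE}_ext" -out user.pem 2>/dev/null

# 4. Package the way PHPki does.
#    PRIVATE .p12: key + certificate + root, encrypted under the form password.
openssl pkcs12 -export -in user.pem -inkey user.key -certfile root.pem -name "$EMAIL" \
  -passout "pass:$CERT_PASSWORD" -out user.p12
#    PRIVATE PEM bundle: key encrypted under the same password, plus the certificates.
openssl pkey -in user.key -aes256 -passout "pass:$CERT_PASSWORD" -out user_key_enc.pem
cat user_key_enc.pem user.pem root.pem > user_bundle.pem
#    PUBLIC DER: the certificate alone, safe to publish.
openssl x509 -in user.pem -outform DER -out user.der

# --- Checks on the downloaded files ---
# 0 when the PKCS#12 bundle opens with the given password.
p12_opens_with() {
  openssl pkcs12 -in user.p12 -passin "pass:$1" -noout >/dev/null 2>&1
}
# 0 when FILE is a DER certificate that carries no private key.
der_is_public_only() {
  openssl x509 -in "$1" -inform DER -noout >/dev/null 2>&1 &&
    ! openssl pkey -in "$1" -inform DER -noout >/dev/null 2>&1
}
# 0 when the certificate chains to root.pem and is acceptable for PURPOSE
# (smimesign, smimeencrypt, sslserver, ...).
cert_fit_for() {
  openssl verify -CAfile root.pem -purpose "$1" user.pem >/dev/null 2>&1
}
# Roughly what "Display certificate details" shows.
show_details() {
  openssl x509 -in user.pem -noout -subject -issuer -serial -dates
  openssl x509 -in user.pem -noout -text | grep -A1 'Extended Key Usage'
}

show_details
```

Switching CERT_USE to server produces a certificate that passes cert_fit_for sslserver and fails cert_fit_for smimesign, which is the concrete meaning of "not interchangeable" in the form's Certificate Use field.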
Managing Your Certificate With The Control Panel
PHPki provides one convenient place to manage your certificates. It is called the Certificate Management Control Panel.
With the Control Panel you can display, download, revoke, and renew your certificates by simply clicking on the appropriate button to the right of each certificate entry. Your certificates are listed in columnar format, with the left-most color coded "Status" column showing whether a certificate is "Valid" or "Revoked". The listing can be sorted in any order by clicking on the column headings. An arrow graphic beside a column heading indicates which column is being used to sort the listing. Clicking on the arrow graphic will cause the listing to alternate between ascending and descending sort order. You may find these sort features particularly useful if you are careful to plan and utilize the Department/Unit and Locality fields to categorize your certificates according to your particular organizational needs.
Revoking a Certificate
At times it may become necessary to revoke or invalidate a certificate. This usually happens when an e-mail address is no longer valid, or the certificate's private key has been lost or compromised.
To revoke a certificate, click on the revoke icon next to the certificate entry in the Control Panel.
You will then be asked to confirm or cancel the revocation. Be absolutely sure of what you wish to do before clicking the "Yes" button. Once a certificate is revoked, it cannot be un-revoked. Well, this isn't completely true, as a revoked certificate can be renewed. Renewing a revoked certificate results in a new certificate being issued. Certificate renewal is covered later.
If you click the "Yes" button, the certificate is revoked with no further interaction. The certificate's status in the Control Panel will change to Revoked.
Displaying Certificate Details
Certificates may be displayed in full detail by clicking the display icon next to a certificate's entry in the Control Panel. Although some users may find this feature useful, many will not find anything of interest in it.
Renewing a Certificate
Certificates expire periodically. The usual length of time for which a certificate is valid is one year. With PHPki, you have the option to issue certificates with a more extended life span. Regardless, sooner or later your certificates will begin to expire.
To renew a certificate which has expired or is near expiration, simply click the renew icon next to the certificate's Control Panel entry. You will then be presented with a certificate renewal form.
The certificate renewal form takes the values for Common Name, E-mail Address, Organization, etc. from the original certificate. Those fields are disabled in the form, and cannot be changed. You are required to enter the original certificate's password and select a life span for the new certificate. If you do not enter the correct password that was assigned to the original certificate when it was created, you will not be able to renew the certificate. You may cancel this operation by clicking the "Back" button, which will take you back to the Control Panel.
If you click the "Submit Request" button to renew the certificate, it is renewed with no further interaction, and you will be returned to the Control Panel. You will notice a new Valid certificate in the Control Panel, and the old expired certificate is marked Revoked.
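The revoke / CRL / renew cycle that the Control Panel buttons trigger, as an added example using OpenSSL's own certificate database rather than PHPki's code or its internal data: issue a certificate, publish a CRL, revoke the certificate for key compromise, republish, and confirm that a relying party holding the new CRL rejects it while a renewed certificate for the same person is accepted. This is the same cycle the CRL paragraph earlier describes from the relying party's side. It assumes the openssl command-line tool; the subject names, the 30-day CRL lifetime and the file names are constructed, and the renewal here generates a fresh key pair.

```shell
#!/bin/sh
# Added example, not PHPki code: the revoke / CRL / renew cycle using the openssl
# command-line tool's own CA database. Subject names and lifetimes are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

EMAIL='jane.doe@example.org'
SUBJECT="/O=ACME Shoe Repair/OU=Accounting Department/CN=Jane Doe/emailAddress=$EMAIL"

# Database files openssl ca expects: issued-certificate index, next serial, next CRL number.
mkdir newcerts
: > index.txt
echo 01 > serial
echo 01 > crlnumber
# unique_subject = no keeps openssl from refusing a second certificate for the same
# person while an earlier one is still listed as valid (e.g. renewing an expired one).
cat > ca.cnf <<EOF
[req]
distinguished_name = dn
[dn]

[ca]
default_ca = phpki_ca

[phpki_ca]
database = $WORK/index.txt
new_certs_dir = $WORK/newcerts
serial = $WORK/serial
crlnumber = $WORK/crlnumber
certificate = $WORK/root.pem
private_key = $WORK/root.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_dn
unique_subject = no
x509_extensions = email_ext

[any_dn]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

[root_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[email_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$EMAIL
authorityKeyIdentifier = keyid
EOF

openssl req -x509 -config ca.cnf -extensions root_ext -newkey rsa:2048 -nodes -sha256 \
  -days 3650 -subj '/O=ACME Shoe Repair/CN=ACME Shoe Repair Root CA' \
  -keyout root.key -out root.pem 2>/dev/null

# Issue a certificate for SUBJECT: NAME.key / NAME.csr / NAME.pem.
issue() {
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 -subj "$SUBJECT" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl ca -config ca.cnf -batch -notext -in "$1.csr" -out "$1.pem" 2>/dev/null
}
# Sign and publish the CRL (the file PHPki offers on its public menu).
publish_crl() {
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}
# 0 when CERT chains to root.pem and is not listed in crl.pem: the check a relying
# party holding the current CRL performs.
valid_with_crl() {
  openssl verify -crl_check -CAfile root.pem -CRLfile crl.pem "$1" >/dev/null 2>&1
}
# Number of serials the published CRL lists as revoked.
revoked_count() {
  openssl crl -in crl.pem -noout -text | grep -c 'Serial Number:' || true
}

issue user1                      # "Request a New Certificate"
publish_crl
valid_with_crl user1.pem         # accepted: not on the CRL

# "Revoke": record the compromise, then republish. Anyone still holding the old
# CRL keeps accepting user1.pem until they fetch this one.
openssl ca -config ca.cnf -revoke user1.pem -crl_reason keyCompromise 2>/dev/null
publish_crl
! valid_with_crl user1.pem       # rejected: "certificate revoked"

# "Renew": a new certificate (new key pair here) for the same subject; the old one
# stays on the CRL.
issue user2
valid_with_crl user2.pem

echo "revoked serials: $(revoked_count)"
openssl crl -in crl.pem -noout -text | grep -A2 'Serial Number:'
```

The point to take from the middle step is that revocation is only a database entry until a new CRL is signed and actually reaches relying parties; the Control Panel marking a certificate "Revoked" does not by itself stop anyone from trusting it.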
Downloading a Certificate
If you lose the original file you downloaded when you first created a certificate, you may download another copy at any time by clicking the download icon next to the certificate's entry in the Control Panel. When downloading, you will be reminded that this is a PRIVATE certificate, which SHOULD NEVER BE DISTRIBUTED TO THE PUBLIC: both the PKCS #12 and the PEM bundle contain the user's private key. You may choose either format.
The PHPki Glossary of Terms
Click here to view the complete PHPki glossary of terms.
Getting Additional Help
Address Line #1
Address Line #2
City, State, ZipCode
Phone: (000) 000-0000
E-mail: firstname.lastname@example.org E-mail is preferred.