Update/Configure Signing Certificates inside ACS for Ranges

Document ID : KB000041321
Last Modified Date : 23/05/2018
Introduction:

This document provides the steps to procure and configure signing certificates inside the Authentication Control Server (ACS), for both software keys and keys held in a Hardware Security Module (HSM).

Background:
Signing certificates are used to sign the PARes for a specific range/BIN. The certificate and key combination needs to be loaded inside ACS so that ACS can sign the PARes, which is then sent to the MPI.
Environment:
CA Transaction Manager 7.x and above
Instructions:

Software Key Setup

Please follow the steps below to obtain the key and the signing certificate:

1. Generate Key: Use the following openssl command to generate the certificate key.

 Command: openssl genrsa -out AcsSignkey.key <1024|2048>

2. Generate CSR: Generate the certificate request using the following command.

 Command: openssl req -new -key AcsSignkey.key -out AcsSignreq.csr

3. Convert the key file from PEM format to DER format: ACS expects both the signing key and the certificate in DER format, so convert the key with the following command.

 Command: openssl rsa -in AcsSignkey.key -inform PEM -out AcsSignkey.der -outform DER

4. Send the certificate request to Certificate Signing Authority to get the Signing certificate.

5. Verify the certificate received to ensure that the certificate chain is correct and that the certificate is in DER format.

6. Upload AcsSignkey.der and the certificate to the applicable range using the steps provided below.

Steps to configure signing certificate:

1. Login to admin console, click on 'Upload Signing Certificate'

2. Select the issuer, range and choose the Signing Cert in p7b format and submit the screen.

3. This will configure the signing certificate against the selected Issuer and Range.

4. To upload the signing key, open SQL Developer, go to the table 'ARSIGNINGCERT' and load the signing key into the column 'CERTKEY' of the row for the appropriate certificate.

5. Restart ACS.
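The software-key procedure above, worked end to end as an added example that is not part of this KB or of CA Transaction Manager: it generates the key and CSR, converts the key to DER, stands in for the Certificate Signing Authority with a constructed self-signed root so that it runs offline, performs the step 5 checks (DER format, chain correctness, key matching the certificate), and assembles the PKCS#7 (.p7b) chain that the 'Upload Signing Certificate' screen expects (the same chain as step 5 of the HSM path below). The subject names and the 2048-bit key size are assumptions.

```shell
#!/bin/sh
# Added example, not from the KB. Works in a scratch directory; the CA is
# simulated with a constructed self-signed root so the script runs offline.
set -eu
WORK=$(mktemp -d); cd "$WORK"
SUBJ="/C=US/O=ExampleBank/OU=ACS/CN=acs-signing-range1"     # constructed DN

gen_key_and_csr() {                 # KB steps 1-3 (2048-bit key assumed)
  openssl genrsa -out AcsSignkey.key 2048 2>/dev/null
  openssl req -new -key AcsSignkey.key -subj "$SUBJ" -out AcsSignreq.csr 2>/dev/null
  openssl rsa -in AcsSignkey.key -inform PEM -out AcsSignkey.der -outform DER 2>/dev/null
}

simulate_ca() {                     # stand-in for KB step 4; returns a DER certificate
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -days 365 \
    -subj "/C=US/O=Example CA/CN=Example Root" 2>/dev/null
  openssl x509 -req -in AcsSignreq.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 365 -outform DER -out AcsSignCert.der 2>/dev/null
}

# KB step 5 checks. Each function succeeds (exit 0) only when its check passes.
is_der_cert() {                     # parses as a DER certificate (a PEM file fails)
  openssl x509 -inform DER -in "$1" -noout 2>/dev/null
}
chain_ok() {                        # certificate verifies against the trusted root
  openssl x509 -inform DER -in "$1" -out chk.pem 2>/dev/null &&
    openssl verify -CAfile ca.pem chk.pem >/dev/null 2>&1
}
key_matches_cert() {                # DER key and certificate carry the same public key
  [ "$(openssl pkey -inform DER -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -inform DER -in "$2" -pubkey -noout 2>/dev/null)" ]
}

build_p7b() {                       # PKCS#7 chain for the console upload: signing cert + root
  openssl x509 -inform DER -in AcsSignCert.der -out signing.pem 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile signing.pem -certfile ca.pem -out ACSCert.p7b 2>/dev/null
}
p7b_cert_count() {                  # number of certificates carried by the .p7b
  openssl pkcs7 -in ACSCert.p7b -print_certs -noout 2>/dev/null | grep -c '^subject'
}

gen_key_and_csr; simulate_ca; build_p7b
```

In production the CSR goes to the real Certificate Signing Authority instead of simulate_ca, and chain_ok is run with that CA's root in place of ca.pem.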

--------------------------------------------------------------------------------
HSM setup
 
The key needs to be created inside the HSM. Please follow the steps below to create the private key and the CSR.
 
To create and load the certificate chain:

1. Navigate to the directory /opt/arcot/bin

      This directory contains the PK11Util command line utility.

2. Run the pk11util utility to generate the private key and the certificate request with the following command.

Command: pk11util -module nfast -slot 1 -label <acssignkey> -genrsa -genreq <X500 file> -out certrequest.pem

Example: pk11util -module /opt/nfast/toolkits/pkcs11/libcknfast.so -slot 1 -label testlabel -genrsa -genreq x500name.txt -out certreq.pem

 

3. The X500 file contains the distinguished name for the certificate request. A few examples of X500 fields:

 C=US, S=New York, L=Syracuse, O=Dart, OU=Development, CN=My Machine

 C=US, S=Georgia, L=Atlanta, O=MyOrg, OU=Toy Department, CN=John Doe

4. Upload/Send the generated certificate request file to the CA. The CA returns a signing certificate.

 

5. Combine the signing certificate, the CA root certificate, and any intermediate certificates into a PKCS#7 certificate chain (for example, ACSCert.p7b).

 

6. Copy the certificate file to a location accessible to the Administration Console so that the certificate file can be loaded from there.
 
 
Steps to configure signing certificate:
 
1. Login to admin console, click on 'Upload Signing Certificate'

2. Select the issuer, range and choose the SigningCert in p7b format and submit the screen.

3. This will configure the signing certificate against the selected Issuer and Range.

4. The key is already present inside the HSM (created in step 2 above), so no key upload is needed.

5. Restart ACS.
 

Additional Information:

To test the changes:

1. Perform a transaction from the range for which the certificate has been changed.

2. View the PARes inside the admin console for the transaction from step 1.

3. Confirm that the certificates shown there are the new ones.