17.3.3.1. Procedure – Certificates and Audit Player

Purpose: 

To validate audit trails and to replay encrypted audit trails, the required certificates must be available in the appropriate certificate store of the Windows host that runs Audit Player.

Note

Certificates are used as a container and delivery mechanism. For encryption and decryption, only the keys are used.

To import certificates to the Windows host, complete the following steps.

Prerequisites: 

Audit Player (AP) may need the following certificates.

  • To validate timestamped audit trails, the CA certificate of PSM must be available under Local Computer > Trusted Root Certification Authorities.

  • To validate digitally-signed audit trails, the respective CA certificates that issued the certificates used to sign the audit trail must be available under Local Computer > Trusted Root Certification Authorities. (These are the CAs of the certificates set at Policies > Audit policies > Enable signing on the PSM interface.)

  • To replay encrypted audit trails, the private keys of the certificates used to encrypt the audit trails must be available under Current User > Personal.

The certificate and private key to import must be in PKCS12 format. The key specification (KeySpec) of the private key in the PKCS12 file must be AT_KEYEXCHANGE; a private key stored as AT_SIGNATURE cannot be used for decryption and will not work. (This is a CryptoAPI attribute of the key, not the X.509 Key Usage extension of the certificate.) To convert a certificate and key from a different format (for example, PEM) to PKCS12, you can use the OpenSSL software package or a web browser like Internet Explorer or Mozilla Firefox. For details, see Procedure 17.3.3.2, Converting certificates using OpenSSL and Procedure 17.3.3.3, Converting certificates using Firefox, respectively.

Steps: 

  1. Start Microsoft Management Console by executing mmc.exe (for example, from Start > Run).

    Note

    Running mmc.exe requires administrator privileges.

  2. Navigate to File > Add/Remove snap-in....

  3. Select the Certificates module, and click Add.

  4. Downloading and validating audit trails: To import the CA certificates used to validate the audit trails, complete the following steps.

    1. Select Computer account and click Add > Next > Finish > OK.

    2. Select Certificates > Local Computer > Trusted Root Certification Authorities.

    3. Right-click on the Certificates folder and from the appearing menu select All tasks > Import. The Certificate Import Wizard will be displayed. Click Next.

    4. Import the CA certificates needed to validate the audit trails: the CA certificate of PSM (for timestamped audit trails) and the CA certificates that issued the signing certificates (for digitally-signed audit trails).

    5. Optional step: These CA certificates are public certificates and do not need a private key. If the file you import nevertheless contains a private key (PKCS12), provide the password for the private key when requested.

    6. Click Finish on the summary window and Yes on the window that marks the successful importing of the certificate.

  5. Replaying encrypted audit trails: To import the certificates and private keys needed to replay encrypted audit trails, complete the following steps. This store belongs to the user who runs AP, so make sure you are logged in as that user.

    1. Navigate to File > Add/Remove snap-in....

    2. Select the Certificates module, and click Add.

    3. Select My user account and click Finish > OK.

    4. Select Current User > Personal.

    5. Right-click on the Certificates folder and from the appearing menu select All tasks > Import. The Certificate Import Wizard will be displayed. Click Next.

    6. Import the PKCS12 files that contain the certificates and private keys needed to decrypt the encrypted audit trails.

    7. Provide the password for the private key when requested. A PKCS12 file that contains a private key is normally password-protected, so this step is only optional if the file has no password.

    8. Click Finish on the summary window and Yes on the window that marks the successful importing of the certificate.
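The same two imports, done from PowerShell instead of the MMC wizard, with the AT_KEYEXCHANGE prerequisite checked before the PKCS12 file touches the user store. This is an added example and is not part of the original procedure or of the PSM/AP product. It assumes Windows PowerShell 5.1 with the PKI module (Import-Certificate and Import-PfxCertificate, available on Windows 8 / Server 2012 and later), an elevated shell for the Local Computer store, and the hypothetical file paths shown in the script. The key spec is read from the CryptoAPI key container: KeyNumber.Exchange corresponds to AT_KEYEXCHANGE and KeyNumber.Signature to AT_SIGNATURE.

```powershell
# Added example, not from the original procedure or the PSM/AP product.
# Requires the PKI module (Import-Certificate / Import-PfxCertificate).
# All file paths below are hypothetical placeholders; adjust them to your environment.

$PsmCaFile      = 'C:\certs\psm-ca.crt'            # CA certificate of PSM (timestamp validation)
$SigningCaFiles = @('C:\certs\signing-ca.crt')     # CAs that issued the signing certificates
$DecryptPfx     = 'C:\certs\audit-decrypt.p12'     # PKCS12: encryption certificate + private key

# Step 4 equivalent: CA certificates go to Local Computer > Trusted Root Certification Authorities.
# They are public certificates, so no private key is imported here. Needs an elevated shell.
function Import-AuditPlayerCaCerts {
    param([string[]] $Files)
    foreach ($file in $Files) {
        $ca = Import-Certificate -FilePath $file -CertStoreLocation 'Cert:\LocalMachine\Root'
        Write-Host ("Trusted Root: {0} ({1})" -f $ca.Subject, $ca.Thumbprint)
    }
}

# Prerequisite check: the private key in the PKCS12 file must be AT_KEYEXCHANGE.
# The file is loaded in memory only; the CryptoAPI key spec is read from the key container.
function Test-DecryptKeySpec {
    param([string] $PfxPath, [securestring] $Password)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $plain)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    try {
        # PrivateKey yields an RSACryptoServiceProvider for CSP-backed (CryptoAPI) keys;
        # for CNG-backed keys it fails, and the key spec cannot be read this way.
        try { $key = $cert.PrivateKey } catch { $key = $null }
        if ($key -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
            Write-Warning 'Private key is not a CryptoAPI (CSP) key; KeySpec cannot be read this way.'
            return $false
        }
        $spec = $key.CspKeyContainerInfo.KeyNumber   # Exchange = AT_KEYEXCHANGE, Signature = AT_SIGNATURE
        Write-Host ("{0}: KeySpec = {1}" -f $cert.Subject, $spec)
        return ($spec -eq [System.Security.Cryptography.KeyNumber]::Exchange)
    } finally {
        $cert.Dispose()   # releases the temporary key container created by the constructor
    }
}

# Step 5 equivalent: certificate + private key go to Current User > Personal of the AP user.
function Import-AuditPlayerDecryptKey {
    param([string] $PfxPath, [securestring] $Password)
    $imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\CurrentUser\My' -Password $Password
    if (-not $imported.HasPrivateKey) { throw "Import of $PfxPath did not bring a private key." }
    Write-Host ("Personal: {0} ({1}), private key present" -f $imported.Subject, $imported.Thumbprint)
}

$pw = Read-Host -AsSecureString -Prompt 'Password of the PKCS12 file'
Import-AuditPlayerCaCerts -Files (@($PsmCaFile) + $SigningCaFiles)
if (Test-DecryptKeySpec -PfxPath $DecryptPfx -Password $pw) {
    Import-AuditPlayerDecryptKey -PfxPath $DecryptPfx -Password $pw
} else {
    Write-Error 'Key spec is not AT_KEYEXCHANGE; re-export the PKCS12 file (OpenSSL: pkcs12 -export -keyex).'
}
```

Run the script as the user who will start AP, from an elevated prompt, since the Trusted Root import needs administrator rights while the Personal store must belong to that same user. If the key spec check fails, the PKCS12 file has to be regenerated rather than re-imported: OpenSSL's pkcs12 -export writes the AT_KEYEXCHANGE attribute when given -keyex, and AT_SIGNATURE when given -keysig.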