Field Name Type Description
Self Enrollment Checkbox Default state - not checked
Checking this box will allow the end-users that belong to the Organization to apply for a personal certificate using the enrollment form hosted (by default) at: https://CCM/customer/customer_uri/smime. The Administrator can communicate the self-enrollment URL and the Access Code specified for the Organization to an end-user, enabling the end-user for self enrollment.
• Users that apply for a client certificate using the enrollment form will also be automatically created as a new 'End-User' in this Organization/Department if they do not already exist. (The list of end-users is viewable in the 'Client Certificates' area of the 'Certificates Management' section.)
• It is possible for Certificate Manager Account holders to use their own custom form templates rather than the default form supplied by Comodo. See your account manager for more details on enabling this functionality.
Access Code (Appears only if the 'Self Enrollment' checkbox is selected)
Textbox (required) An Access Code identifies a particular Organization or Department and is used to authenticate certificate requests that are made using the Self-Enrollment form.
Organizations and Departments are uniquely identified by the combination of the Organization's 'Access Code' and the 'Common Name' (domain) specified in 'General' properties. Multiple Organizations or Departments can have the same Access Code OR the same Common Name, but no two entities can share both.
Comodo Certificate Manager - Administrator Guide
Administrators should choose a complex Access Code containing a mixture of alpha and numeric characters that cannot easily be guessed. This code should be conveyed to the applicant(s) along with the URL of the sign up form.
Applicants that request a certificate using the Self Enrollment Form will need to enter this code.
Web API Checkbox
Default state - not checked
• Checking this box allows applicants to enroll for certificates through the Web Service API. This requires special agreement with Comodo CA. For detailed instructions please refer to the Web API documentation.
Secret Key (Appears only if the 'Web API' checkbox is selected)
String Secret key is a phrase that is unique for all Organizations. This phrase restricts access for enrolling certificates for that Organization.
• Used in pair with 'Organization ID' (visible only for already created Organizations).
Allow Key Recovery by Master Administrators Checkbox
Default state - checked
If selected, the MRAO will have the ability to recover the private keys of client certificates issued by this Organization. At the point of creation, each client certificate will be encrypted with the MRAO's master public key before being placed into escrow. If this box is selected then the Organization will not be able to issue client certificates UNTIL the MRAO has initialized their master key pair in the Encryption tab.
See 'Encryption and Key Escrow' for a more complete explanation of key recovery processes.
Allow Key Recovery by Organization Administrators Checkbox
Default state - checked
If selected, the RAO will have the ability to recover the private keys of client certificates issued by this Organization. At the point of creation, each client certificate will be encrypted with the RAO's master public key before being placed into escrow. If this box is selected then the Organization will not be able to issue client certificates UNTIL the RAO has initialized their master key pair in the Encryption tab.
See 'Encryption and Key Escrow' for a more complete explanation of key recovery processes.
Allow Principal Name
Checkbox Default state - not checked
Checking this box enables Principal Name support for the Organization. If enabled, the client certificates issued to the end-users of the Organization will include an additional name, the Principal Name, alongside the RFC822 name in the Subject Alternative Name (SAN) field. If included, the Principal Name will be the primary email address of the end-user to whom the certificate is issued. This can be customized at a later time by editing the end-user if Principal Name Customization is enabled for the Organization/Department.
Allow Principal Name Customization
Checkbox Activated only on selecting 'Allow Principal Name' checkbox
Checking this box enables customization of the Principal Names by the Administrator.
Client Cert Types Button 'customize'
The Client Cert types customization options allow the administrator to specify the Client Certificate types and term lengths that will be available for this Organization through the Self Enrollment Forms. Refer to the section Customize an Organization's Client Certificate Types for more details.
• Clicking the 'customize' button will open the 'Bind Client Cert Types' interface.
• All choices made in the 'Bind Client Cert Types' interface will apply only to this specific Organization.
• The more powerful 'Client Cert Types' area contains a very similar interface that allows MRAO Administrators to determine universal certificate type and term lengths that apply to ALL Organizations.
• If a particular certificate type or term is not visible in the 'Bind Client Cert Types' area then it may need enabling in the 'Client Cert Types' area.
Key Usage Template Button 'KUT'
The Key Usage Template (KUT) options allow administrators to specify the scope of key usage in client certificates at an Organization and/or Departmental level. It is possible for a key to be capable of (1) Digitally signing (2) Encrypting (3) Both signing and encrypting. Please refer to the section 'Defining Key Usage Template for an Organization's Client Certificates' for more details.
• Clicking the 'KUT' button will open the 'Key Usage Template' interface. From here you will be able to specify the usage scope of the keys of a particular organization.
• The KUT defined through the 'Key Usage Template' interface will apply only to this specific Organization.
Important Note: The Key Usage Template (KUT) feature will not be available by default. If required, the MRAO Administrator can contact Comodo and request it. The KUT button will be visible to the MRAO Administrators only if it is enabled by Comodo.
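The Access Code field above states two rules an administrator can audit: no two Organizations or Departments may share both Access Code and Common Name, and codes should mix alpha and numeric characters. The following is an added example, not part of the guide or of CCM; the record layout, the sample records and the 12-character minimum are assumptions.

```python
import secrets
import string
from collections import defaultdict

MIN_LEN = 12  # assumption: the guide gives no minimum length

def weak_reason(code):
    """Return why a code fails the guide's advice, or None if it passes."""
    if len(code) < MIN_LEN:
        return "too short"
    if not (any(c.isalpha() for c in code) and any(c.isdigit() for c in code)):
        return "not a mix of alpha and numeric characters"
    return None

def audit(entities):
    """entities: (name, access_code, common_name) tuples from a hypothetical export."""
    by_pair, weak = defaultdict(list), {}
    for name, code, common_name in entities:
        # DNS names are case-insensitive, so compare the Common Name lowercased.
        by_pair[(code, common_name.strip().lower())].append(name)
        reason = weak_reason(code)
        if reason:
            weak[name] = reason
    collisions = sorted(tuple(n) for n in by_pair.values() if len(n) > 1)
    return collisions, weak

def new_access_code(length=20):
    """Generate a random code that satisfies weak_reason()."""
    if length < MIN_LEN:
        raise ValueError("length is below MIN_LEN")
    alphabet = string.ascii_letters + string.digits
    while True:
        code = "".join(secrets.choice(alphabet) for _ in range(length))
        if weak_reason(code) is None:
            return code

# Constructed sample records, not taken from any real CCM account.
SAMPLE = [
    ("Sales", "Qx7mP2vL9sTa4", "example.com"),
    ("Sales-EU", "Qx7mP2vL9sTa4", "Example.COM"),
    ("Research", "Qx7mP2vL9sTa4", "research.example.com"),
    ("Legal", "welcome", "legal.example.com"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(new_access_code())
```

In the sample, 'Sales' and 'Sales-EU' collide because their Common Names differ only in letter case, while 'Research' legitimately reuses the same code under a different Common Name.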
5.2.2.4.6.1 Customize an Organization's Client Certificate Types
Security Roles:
• MRAO - can customize client certificate type availability for all Organizations and Departments
• RAO SMIME - can customize client certificate type availability only for the Organizations and Departments belonging to the Organizations that are delegated to them.
• DRAO SMIME - cannot customize client certificate type availability.
The types and term lengths of client certificates that are available to any particular Organization can be customized using the 'Bind Client Cert Types' interface. Creating a targeted 'certificate roster' simplifies the certificate selection procedure at the application forms and helps avoid applications for certificates which are inappropriate for that Organization.
To access the 'Customize Client Cert Types' interface, click the 'Customize' button under the 'Client Cert' tab of the Add New/Edit Organization interface:
This will open the 'Customize Client Cert Types' interface for that Organization, which lets you restrict the Client Cert types that will be available to applicants using the Self Enrollment Form for that Organization.
By default, the 'Customized' option is left unchecked so that all the certificate types are available through the self enrollment forms (both Access Code and Secret ID based application forms).
Prior to customization, MRAO Administrators can also view the Client Cert Type customization as imposed by the RAO Administrator of an Organization and can modify the same. Refer to Viewing Pre-imposed Client Certificate Type Customization for an Organization for more details.
To restrict the Client Cert types and their term lengths:
1. Select the 'Customized' checkbox.
2. Check the names of the certificates you wish to be available for the Organization and leave the others unchecked.
3. Click the 'Select' button next to the certificate name to choose which terms will be available. If you want to set the selected term as the default term for the selected certificate type, select the Default radio button.
4. Select the Validation type from the drop-down.
The two options available are 'Standard' and 'High' validation types.
'Standard' certificates can be issued quickly and take advantage of the user authentication mechanisms that are built into CCM. A user applying for a 'Standard Personal Validation' certificate is authenticated using the following criteria:
• User must apply for a certificate from an email address @ a domain that has been delegated to the issuing Organization
• The Organization has been independently validated by a web-trust accredited Certificate Authority as the owner of that domain
• User must know either a unique Access Code or Secret ID that should be entered at the certificate enrollment form. These will have been communicated by the administrator to the user via out-of-band communication.
• User must be able to receive an automated confirmation email sent to the email address of the certificate that they are applying for. The email will contain a validation code that the user will need to enter at the certificate collection web page.
'High Personal Validation' certificates require that the user undergo the validation steps listed above AND
• Face-to-Face meeting with the issuing Organization
Note: The additional validation steps must be completed PRIOR to the administrator selecting 'High Personal Validation' type.
5. Click 'OK'.
The administrator needs to log out then back in again for the customization options to take effect.
Only the types and terms of client certificates that are selected in the 'Bind Client Cert Types' interface will now be available in the 'Type' drop-down field of the Self Enrollment form.
Viewing Pre-imposed Client Certificate Type Customization for an Organization
While editing an existing Organization, MRAO Administrators can view the Client Cert Type customization imposed by the RAO Administrator of the Organization, before imposing his/her own customization, by clicking the 'View' button at the bottom right of the 'Bind Client Cert Types' interface.
Note: The 'View' button will be active only when the 'Customized' checkbox is not selected in the 'Customize Client Cert Types' interface.
Clicking the 'View' button will display the 'Bind Client Cert Types' dialog as displayed to the RAO Administrator of the respective Organization.
This interface also allows the MRAO Administrator to modify the customization of client certificate type availability for the Organization by the RAO Administrator.
Notes:
• All choices made in the 'Bind Client Cert Types' interface will apply only to this specific Organization.
• The more powerful 'Client Cert Types' area contains a very similar interface that allows MRAO to determine universal certificate type and term lengths that apply to ALL Organizations.
5.2.2.4.6.2 Defining Key Usage Template for an Organization's Client Certificates
Important Note: The Key Usage Template (KUT) feature will not be available by default. If required, the MRAO Administrator can contact Comodo and request it. The KUT button will be visible to the MRAO Administrators only if it is enabled by Comodo.
Security Roles:
• MRAO - Can define Key Usage Template (KUT) for all Organizations.
• RAO SMIME - Can define KUT for Organization(s) delegated to them and the Departments belonging to those Organizations. The KUT options available for an Organization depend on the templates defined for the Organization by the MRAO.
• DRAO SMIME - cannot view or change the KUTs.
The KUT for the Client Certificates of the end-users belonging to any particular Organization can be defined through the 'Key Usage Template' interface. Defining the templates restricts the usage of the client certificates to the purposes of digital signing, encryption or both, depending on the nature of the Organization, and limits inappropriate usage by the end-users.
To access the 'Key Usage Templates' interface, click the 'KUT' button under the 'Client Cert' tab of the Add New/Edit Organization interface:
This will open the 'Key Usage Templates' interface for that Organization, which lets you restrict the capabilities of the Client Certificates of the end-users within that Organization.
The KUTs available are displayed as a list in the left hand side pane and the KUTs assigned to the Client Certificates of the Organization are displayed in the right hand side pane. By default, no templates are assigned to the Organization.
To define the KUTs:
• Select the template from the LHS pane and move it to RHS pane by clicking the right arrow button. Repeat the process for defining more than one template. To assign all the templates, just click the right double arrow button.
• To remove the assigned templates, select the template from the RHS pane and click left arrow button to move to LHS pane. To remove all the templates, just click left double arrow button.
• Click OK.
The end-users belonging to the Organization can use their Client Certificates only for the purposes dictated by the assigned templates.
Notes:
• The KUTs defined in the 'Key Usage Template' interface will apply only to this specific Organization.
• The Key Usage Template interface is accessible only by MRAO administrators. RAO administrators will see only a drop-down with the template options assigned by the MRAO for the Organization while editing the Organization or the Departments of the Organization.
• If the MRAO administrator has not assigned any templates, the option will not be available.
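To confirm that an issued client certificate matches the template assigned above, an administrator can decode its keyUsage extension and classify it as signing, encryption or both. The following is an added example, not part of the guide or of CCM; the bit names and positions come from RFC 5280, while the grouping of bits into the guide's three classes and the sample byte strings are assumptions.

```python
# Bit positions of the X.509 KeyUsage BIT STRING (RFC 5280, section 4.2.1.3).
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
           "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
           "encipherOnly", "decipherOnly"]
# Assumption: how the bits map onto the guide's signing/encrypting classes.
SIGNING = {"digitalSignature", "nonRepudiation"}
ENCRYPTION = {"keyEncipherment", "dataEncipherment", "keyAgreement"}

def decode_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING held in a keyUsage extension value."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    if der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused, payload = der[2], der[3:]
    if unused > 7 or (not payload and unused):
        raise ValueError("invalid unused-bit count")
    if payload and payload[-1] & ((1 << unused) - 1):
        raise ValueError("padding bits must be zero in DER")
    usages = set()
    for i, name in enumerate(KU_BITS):
        byte, bit = divmod(i, 8)  # bit 0 is the MSB of the first byte
        if byte < len(payload) and payload[byte] & (0x80 >> bit):
            usages.add(name)
    return usages

def classify(usages: set) -> str:
    """Reduce a usage set to signing, encryption, both or none."""
    sign, enc = bool(usages & SIGNING), bool(usages & ENCRYPTION)
    if sign and enc:
        return "signing+encryption"
    return "signing" if sign else "encryption" if enc else "none"

def conforms(der: bytes, allowed: set) -> bool:
    """True if the certificate's class is among the assigned templates."""
    return classify(decode_key_usage(der)) in allowed

# Constructed sample extension values (hex of the BIT STRING).
SAMPLES = {"sign": "03020780", "both": "030205a0", "encrypt": "03020520"}

if __name__ == "__main__":
    for label, hexval in SAMPLES.items():
        der = bytes.fromhex(hexval)
        print(label, sorted(decode_key_usage(der)), classify(der and decode_key_usage(der)))
```

The input is the BIT STRING found inside the extension's OCTET STRING wrapper; a certificate with a non-zero padding bit or an inconsistent length is rejected rather than classified.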