Version: Next

Policies

Overview

Policies are sets of rules that define how certificates can be used. In Redtrust, a policy defines rules and restrictions on how an individual certificate or a group of certificates may be used. In general, if a certificate has no assigned policies, no user can use it. The only exception is the certificate's owner, who has complete access to the certificate regardless of any configured policies. For more information, see Certificates.

You can configure policies from the Policies navigation tab of the web admin console. To do so, choose a certificate group and define who can use its certificates, where they can be used (that is, in which applications and sites) and when (that is, at what times). From the sidebar, you can also define the applications and sites that are allowed to use certificates.


Policy settings

General

Setting | Description
Name | Descriptive name for the policy.
Priority | Determines the order in which policies are applied when a user wants to use a certificate assigned to multiple policies, where 0 is the highest priority. Avoid assigning policies with the same priority to the same user or group, as this can lead to policies being applied inconsistently.
Status | Determines whether the policy is enabled or not. An enabled policy is active and enforced; a disabled policy is inactive and not enforced.
Action | Defines whether the policy allows or denies use of the certificate when the parameters defined in the policy match.
User PIN policy | Do nothing: the system requires a user PIN only if the certificate is configured to enforce it. Ask for user PIN: the PIN is required whenever the certificate is used. Don't ask for user PIN: the PIN is not required unless the certificate configuration is set to Force ask for user PIN.
Description | Optional information about the policy.

Certificates

The Certificates section of the policy creation wizard defines which certificates or groups of certificates a policy applies to.

Setting | Description
Select Certificate(s) | Start typing to populate a list of certificates and certificate groups to choose from for the policy. The certificates available in this list depend on which certificate groups the currently authenticated user has access to through their role. For more information, see the Roles section.

Who

The Who section of the wizard defines the users or user groups that the policy applies to. You can search for a user by typing the first two letters of their name in the User field.

Setting | Description
Select User(s) | Start typing to populate a list of users and user groups to select from. Multiple users and user groups can be selected.

Where

The Where section of the wizard defines the applications or regular expressions that the policy applies to. Select Add Applications to bring up a list of the applications that have already been created.

If no relevant applications have been defined, you can define new ones using the Add application group button. For more information, see the Applications section.

When

The When section of the wizard defines when the policy is applied.

It can be configured to always apply or to follow a custom schedule based on specific dates, times of day or days of the week. When selecting a date range, a calendar appears for you to choose start and end dates. For a specific time range, you can specify the hours during which the policy is active. Additionally, you can define the days of the week on which use is allowed.

Info: Redtrust uses Coordinated Universal Time (UTC) for policy dates and times.
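The sections above describe the evaluation model in pieces: 0 is the highest priority, a disabled policy is ignored, a certificate with no matching policy cannot be used, owners bypass policies entirely, and schedules are evaluated in UTC. The following Python model puts those rules together so you can reason about the outcome of a given policy set before configuring it. It is an added example written for this page, not Redtrust code: the Policy structure, the representation of users and certificates as sets of principals (own id plus group names), the hour window and weekday sets, and all names (finance-signing, weekend-lockdown, alice, bob, carol, cert-0042) are constructed for the illustration.

```python
"""Constructed model of how Redtrust-style policies decide whether a certificate may be used.
This is an illustration written for this page, not Redtrust code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int                 # 0 is the highest priority
    action: str                   # "allow" or "deny"
    certificates: frozenset       # certificate ids or certificate-group names
    users: frozenset              # user names or user-group names ("Who")
    applications: frozenset       # application-group names ("Where")
    enabled: bool = True          # Status: a disabled policy is not enforced
    days: frozenset = frozenset(range(7))   # "When": weekday numbers, Monday=0 .. Sunday=6
    hours: tuple = (0, 24)        # "When": active window [start, end) in UTC hours


def policy_applies(policy, cert_principals, user_principals, app, when):
    """True if an enabled policy covers this certificate, user, application and moment."""
    if not policy.enabled:
        return False
    if not (policy.certificates & cert_principals):
        return False
    if not (policy.users & user_principals):
        return False
    if app not in policy.applications:
        return False
    when_utc = when.astimezone(timezone.utc)     # schedules are evaluated in UTC
    start, end = policy.hours
    return when_utc.weekday() in policy.days and start <= when_utc.hour < end


def decide(policies, cert_principals, user_principals, app, when, owners=frozenset()):
    """Return (decision, reason). Owners bypass policies; otherwise the matching policy
    with the lowest priority number wins; no matching policy means the use is denied."""
    if user_principals & owners:
        return "allow", "certificate owner"
    matching = [p for p in policies
                if policy_applies(p, cert_principals, user_principals, app, when)]
    if not matching:
        return "deny", "no matching policy"
    best = min(matching, key=lambda p: p.priority)
    return best.action, best.name


# Constructed sample data. A certificate or user is represented by the set of
# principals it belongs to: its own id plus its group names.
POLICIES = (
    Policy("finance-signing", priority=10, action="allow",
           certificates=frozenset({"finance-certs"}),
           users=frozenset({"finance-team"}),
           applications=frozenset({"signing-tools"})),
    Policy("weekend-lockdown", priority=0, action="deny",
           certificates=frozenset({"finance-certs"}),
           users=frozenset({"finance-team"}),
           applications=frozenset({"signing-tools"}),
           days=frozenset({5, 6})),          # applies on Saturday and Sunday only
    Policy("legacy-allow-all", priority=0, action="allow",
           certificates=frozenset({"finance-certs"}),
           users=frozenset({"finance-team"}),
           applications=frozenset({"signing-tools"}),
           enabled=False),                   # disabled, so never considered; if enabled it
                                             # would tie with weekend-lockdown at priority 0
)
CERT = frozenset({"cert-0042", "finance-certs"})
OWNERS = frozenset({"carol"})               # carol owns cert-0042
ALICE = frozenset({"alice", "finance-team"})
BOB = frozenset({"bob", "marketing"})
CAROL = frozenset({"carol"})


def demo():
    tue = datetime(2024, 6, 4, 10, 0, tzinfo=timezone.utc)      # a Tuesday
    sat = datetime(2024, 6, 8, 10, 0, tzinfo=timezone.utc)      # a Saturday
    # Saturday 01:00 in UTC+2 is still Friday 23:00 in UTC, so the weekend rule does not fire yet.
    sat_local = datetime(2024, 6, 8, 1, 0, tzinfo=timezone(timedelta(hours=2)))
    return {
        "alice_weekday": decide(POLICIES, CERT, ALICE, "signing-tools", tue, OWNERS),
        "alice_weekend": decide(POLICIES, CERT, ALICE, "signing-tools", sat, OWNERS),
        "alice_local_saturday": decide(POLICIES, CERT, ALICE, "signing-tools", sat_local, OWNERS),
        "bob_weekday": decide(POLICIES, CERT, BOB, "signing-tools", tue, OWNERS),
        "carol_weekend": decide(POLICIES, CERT, CAROL, "signing-tools", sat, OWNERS),
    }


if __name__ == "__main__":
    for case, (decision, reason) in demo().items():
        print(f"{case:22} {decision:5} ({reason})")
```

The "alice_local_saturday" case is the one worth keeping in mind when writing schedules: a client in UTC+2 that signs at 01:00 on Saturday is still on Friday as far as the policy is concerned, so a weekend lockdown written in local terms starts two hours later than intended.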


Policy operations

To see the policy operations, click the ⋯ in the certificate's row.

Operation | Description
Assign a policy to a role | By default, a policy is assigned to the role that created it. This ensures that only users within that role, who have the necessary permissions, can view and modify the policy. However, the policy can still be applied to users outside the assigned role. The Redtrust administrator account can reassign the policy to a different role if needed.
Enable and Disable | Enables or disables the policy.
Delete | Permanently deletes the policy.

Applications

In the Applications tab of the Policies section of the administration console you can define applications by creating process names or regular expressions (RegEx) that are matched against the command line. These application groups can be applied to policies, allowing granular control over which applications on the client machine are allowed or prohibited from using the certificate associated with the policy.

When adding a process or command line expression to an application group (see image below), you can use the Search Coincidences field to test it: enter some text and click Test to check whether the text matches any of the entries that have been added to the application group. If nothing matches, Redtrust displays a warning; otherwise it shows the number of entries that match the text.

Application settings

Setting | Description
Application Group Name | The name for the application group.
Process | Name of the application you want to define, without the extension. It identifies specific applications, such as “mmc” for Microsoft Management Center or “signtool” for Microsoft SignTool. To match any application, enter a period followed by an asterisk (.*), which acts as a wildcard. Multiple processes can be added if desired.
Command line | Lets you define a RegEx that is matched against the command being run, to check whether it fits a specific pattern. This is useful when you want to enforce specific properties, such as only allowing PDFs from a specific path, when the certificate is used in Acrobat Reader. The following example uses a RegEx to define that scenario.
.*Acrobat.exe D:Document D:*.pdf.*.
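As an added illustration of how the Process and Command line entries behave (this is example code written for this page, not Redtrust's implementation), the following Python class models an application group whose process entries are matched against the executable name without extension and whose command line entries are RegEx patterns matched against the whole command line. The assumptions are: process entries are compiled as regular expressions (which is what makes the page's .* entry act as "any application"), matching is case-insensitive as on Windows, and a group matches when either kind of entry matches. The group names, the Acrobat RegEx for D:\Documents and the command lines are constructed for the example.

```python
"""Constructed model of Redtrust-style application groups: a process-name entry
or a command-line RegEx decides whether a client application may use the certificate.
Written for this page, not Redtrust code."""
import re


class ApplicationGroup:
    def __init__(self, name, processes=(), command_lines=()):
        self.name = name
        # Process entries are compared with the executable name without extension.
        # They are compiled as regular expressions (assumption), which is why the
        # page's ".*" entry works as an "any application" wildcard.
        self.processes = [re.compile(p, re.IGNORECASE) for p in processes]
        # Command-line entries are regular expressions matched against the whole command line.
        self.command_lines = [re.compile(c, re.IGNORECASE) for c in command_lines]

    def matches(self, process_name, command_line=""):
        """True if the process name matches an entry or the command line matches a RegEx
        (either condition is enough; this is an assumption about how the two kinds combine)."""
        if any(p.fullmatch(process_name) for p in self.processes):
            return True
        return any(c.fullmatch(command_line) for c in self.command_lines)

    def test(self, text):
        """Mimic the Search Coincidences check: how many entries of the group match the text."""
        return (sum(1 for p in self.processes if p.fullmatch(text))
                + sum(1 for c in self.command_lines if c.fullmatch(text)))


# Constructed groups. The command-line RegEx below is this example's own pattern:
# Acrobat opening a .pdf located under D:\Documents. Backslashes in Windows paths must be
# doubled in the RegEx, and the leading/trailing .* let the pattern match a full command line.
SIGNING_TOOLS = ApplicationGroup("signing-tools", processes=["signtool", "mmc"])
ACROBAT_DOCUMENTS = ApplicationGroup(
    "acrobat-documents",
    command_lines=[r".*Acrobat\.exe\s+D:\\Documents\\\S+\.pdf.*"],
)
ANY_APPLICATION = ApplicationGroup("any-application", processes=[".*"])


def demo():
    acrobat_ok = r"C:\Adobe\Acrobat.exe D:\Documents\contract.pdf"      # constructed
    acrobat_bad = r"C:\Adobe\Acrobat.exe D:\Downloads\contract.pdf"     # constructed
    return {
        "signtool_by_name": SIGNING_TOOLS.matches("SignTool"),           # case-insensitive name
        "word_not_in_group": SIGNING_TOOLS.matches("WINWORD"),
        "acrobat_documents_path": ACROBAT_DOCUMENTS.matches("Acrobat", acrobat_ok),
        "acrobat_other_path": ACROBAT_DOCUMENTS.matches("Acrobat", acrobat_bad),
        "wildcard_any_process": ANY_APPLICATION.matches("whatever"),
        "coincidences_found": ACROBAT_DOCUMENTS.test(acrobat_ok),
        "coincidences_none": ACROBAT_DOCUMENTS.test("notepad"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24} {result}")
```

Note that the path-restricting group contains no process entry on purpose: a bare "Acrobat" process entry would match regardless of which file is opened, so the restriction has to live in the command line RegEx alone.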

Sites

The Sites tab in the Policies section of the admin console is where site groups are defined. These site groups can be applied to policies, allowing granular control over which sites the client machine is allowed or prohibited from using the certificate on. In addition, once a user is authenticated to a site, it's possible to control which sections of the site are accessible and which aren't.

The following example illustrates the Site setting field. If you add www*.aeat.es, it resolves to www.aeat.es, www1.aeat.es or www.gob.aeat.es. That is, the * character matches any number of characters or none. The ? character matches zero or one character, and the + character matches one or more characters.

Sites can be defined at the host level or at the full URL level. The difference is marked with a / after the domain. For example, *.agenciatributaria.gob.es/path resolves to www.agenciatributaria.gob.es/path but not to www.agenciatributaria.gob.es/another_path. By contrast, aplcr.dgt.es resolves to any URL within aplcr.dgt.es.

You can also define filters at the URL level. For example, *.agenciatributaria.gob.es/*/aeat resolves to www.agenciatributaria.gob.es/es13/aeat or www.agenciatributaria.gob.es/es13/ct/aeat.

By combining these two mechanisms you can, for example, create a policy that gives access to an entire domain and a higher-priority policy that denies access to a specific part of the site.

Info: If you use the ?, * or + character literally, without intending it as a wildcard (for example, because it's part of the URL), you must escape it with \. That is, use \?, \* or \+.

Example: https://sedeapl.dgt.gob.es:\?9443/WEB_COPACI3/certificado/irAntecedentes.faces

Site settings

Setting | Description
Sites group name | Name of the sites group.
Site | Defines the site. The characters * and ? can be used as wildcards. * resolves to any alphanumeric string not including a period (.), that is, it defines a wildcard string within a subdomain.
Regular expression | Use a regular expression instead of the wildcard syntax. For more information on the use of regular expressions, check this article on the topic.
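The Sites section describes the wildcard syntax, the host-level versus URL-level distinction, escaping, and the allow-whole-domain plus higher-priority-deny combination, but gives no way to check a pattern before it goes into a policy. The following Python matcher, written for this page and not Redtrust code, reproduces those rules so you can test candidate patterns against URLs. It assumes the semantics stated above: * matches any run of characters (or none), ? zero or one character, + one or more, a backslash escapes a literal ?, * or +, a pattern without / is compared with the host only, and a pattern with / is compared with host plus path. Because the explanatory text says www*.aeat.es matches www.gob.aeat.es while the Site setting row says * does not cross a period, the translator takes a star_crosses_dots flag so both readings can be tried. The sede.example.es host, the query-string patterns, and the RULES list are constructed for the example.

```python
"""Constructed matcher for Redtrust-style site patterns (written for this page, not Redtrust code).
Assumed semantics, taken from the Sites section: * is any run of characters (or none),
? is zero or one character, + is one or more characters, \\ escapes a literal ?, * or +,
a pattern without / is matched against the host only, and a pattern with / is matched
against host plus path (query string included)."""
import re

_SCHEME = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://")


def site_to_regex(pattern, star_crosses_dots=True):
    """Translate a site pattern into a case-insensitive regular expression.
    star_crosses_dots=False gives the stricter reading from the Site setting row,
    where * stays inside one DNS label."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "?*+":
            out.append(re.escape(pattern[i + 1]))   # escaped wildcard: literal character
            i += 2
            continue
        if c == "*":
            out.append(".*" if star_crosses_dots else "[^.]*")
        elif c == "?":
            out.append(".?")
        elif c == "+":
            out.append(".+")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out), re.IGNORECASE)


def split_url(url):
    """Return (host, rest) for a URL; the scheme is dropped, the query string stays in rest."""
    bare = _SCHEME.sub("", url)
    host, sep, rest = bare.partition("/")
    return host.lower(), sep + rest


def site_matches(pattern, url, star_crosses_dots=True):
    """Apply a site pattern to a URL, choosing host-level or URL-level comparison."""
    pattern = _SCHEME.sub("", pattern)
    host, rest = split_url(url)
    target = host + rest if "/" in pattern else host   # URL-level vs host-level rule
    return site_to_regex(pattern, star_crosses_dots).fullmatch(target) is not None


def evaluate(rules, url):
    """rules are (priority, action, pattern); the matching rule with the lowest priority
    number wins, as when a domain-wide allow is combined with a higher-priority deny."""
    matching = [r for r in rules if site_matches(r[2], url)]
    return min(matching, key=lambda r: r[0])[1] if matching else "deny"


# Constructed rule set: allow the whole domain, deny one part of it with higher priority.
RULES = [
    (10, "allow", "*.agenciatributaria.gob.es"),
    (0, "deny", "*.agenciatributaria.gob.es/admin/*"),
]


def demo():
    aeat = "*.agenciatributaria.gob.es"
    return {
        "star_any_label": site_matches("www*.aeat.es", "https://www.gob.aeat.es/"),
        "star_single_label": site_matches("www*.aeat.es", "https://www.gob.aeat.es/", star_crosses_dots=False),
        "url_level_path": site_matches(aeat + "/path", "https://www.agenciatributaria.gob.es/path"),
        "url_level_other_path": site_matches(aeat + "/path", "https://www.agenciatributaria.gob.es/another_path"),
        "host_level_any_path": site_matches("aplcr.dgt.es", "https://aplcr.dgt.es/any/path?x=1"),
        "path_filter": site_matches(aeat + "/*/aeat", "https://www.agenciatributaria.gob.es/es13/ct/aeat"),
        "escaped_question_mark": site_matches(r"sede.example.es/app/page\?id=*", "https://sede.example.es/app/page?id=7"),
        "unescaped_question_mark": site_matches("sede.example.es/app/page?id=*", "https://sede.example.es/app/pageid=7"),
        "combined_allow": evaluate(RULES, "https://www.agenciatributaria.gob.es/es13/aeat"),
        "combined_deny": evaluate(RULES, "https://www.agenciatributaria.gob.es/admin/users"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26} {result}")
```

The unescaped_question_mark case shows why the escaping note matters: without the backslash, the ? in page?id= is read as "zero or one character", so the pattern also matches pageid=7, a URL the author never intended to cover.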