Ca: Working With Certificate Profiles; About Certificate Profiles; Categories Of Certificate Profiles; Profile Operations Performed By Ca Agents - Red Hat CERTIFICATE SYSTEM 7.3 - AGENT GUIDE Manual

Chapter 3.

CA: Working with Certificate Profiles

A Certificate Manager (CM) agent is responsible for approving certificate profiles that have been con-
figured by a Certificate System administrator. CM agents also manage and approve certificate re-
quests that come from profile-based enrollments.

3.1. About Certificate Profiles

Profile Definition
A certificate profile defines everything associated with issuing a certificate, including the authentication
method, the certificate content (defaults), constraints for content values in the requested certificate
type, and the contents of the input and output forms associated with the certificate profile.

3.1.1. Categories of Certificate Profiles

There are three categories of information that constitute a certificate profile:
• Profile inputs. Profile inputs are parameters and values that are submitted to the CA when a certific-
ate is requested. Profile inputs include public keys for the certificate request and the certificate sub-
ject name requested by the end entity for the certificate.
• Profile policy sets. A certificate profile can have one or more policy sets, each of which is defined by
a set of defaults and constraints.
• Profile defaults. Profile defaults are parameters and values defined by the CA administrator. Pro-
file defaults include the authentication mechanism for the end entity, how long the certificate is
valid, and what certificate extensions appear for each type of certificate issued.
• Profile constraints. Profile constraints are parameters and values that form the rules or policies for
issuing certificates. Profile constraints include rules like requiring the certificate subject name to
have at least one CN component, setting the validity of a certificate to a maximum of 360 days, or
requiring that the subjectaltname extension always be set to true.
• Profile outputs. Profile outputs are parameters and values that specify the format in which to issue
the certificate to the end entity. Profile outputs include base-64 encoded files, CMMF responses,
and PKCS #7 output, which also includes the CA chain.

3.2. Profile Operations Performed by CA Agents

Certificate Authority agents review profile requests and may consequently take any of the following ac-
tions:
Approve the request.
The certificate is issued, and the end entity then retrieves and uses it.
23