Using And Customizing Certificate Profiles - Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT Deployment Manual

Chapter 5. Planning the Certificate System
• If the extension is critical and the certificate is sent to an application that does not recognize
the extension's ID, the application must reject the certificate.
• If the extension is not critical and the certificate is sent to an application that does not recognize
the extension's ID, the application may ignore the extension and accept the certificate.
• An octet string containing the DER encoding of the extension's value.
An application receiving the certificate first checks whether it recognizes the extension ID. If it does,
the ID also tells the application how the extension's value is structured, and therefore how to decode
the octet string.
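As an added example, not taken from the Red Hat manual or from Certificate System itself, the following Python parses the DER-encoded X.509 v3 Extensions structure described above (extension ID, optional critical flag, octet-string value) and applies the critical/non-critical rule to a list of extensions the relying application knows about. The byte strings are hand-constructed for this example; the OID 1.3.6.1.4.1.99999.1 is a made-up identifier under the private-enterprise arc and does not belong to any real product.

```python
# Added example (not from the Red Hat manual): a minimal DER parser for the
# X.509 v3 Extensions structure, applying the critical/non-critical rule.
#
#   Extension  ::= SEQUENCE {
#       extnID     OBJECT IDENTIFIER,
#       critical   BOOLEAN DEFAULT FALSE,
#       extnValue  OCTET STRING }
#   Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension

# Extensions that this hypothetical relying application understands.
KNOWN_EXTENSIONS = {
    "2.5.29.14": "subjectKeyIdentifier",
    "2.5.29.15": "keyUsage",
    "2.5.29.35": "authorityKeyIdentifier",
}


def read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_extensions(der):
    """Return a list of (oid, critical, value_bytes) from a DER Extensions blob."""
    tag, seq, _ = read_tlv(der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    result, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = read_tlv(seq, pos)
        assert tag == 0x30, "Extension must be a SEQUENCE"
        tag, oid_body, p = read_tlv(ext, 0)
        assert tag == 0x06, "extnID must be an OBJECT IDENTIFIER"
        critical = False
        tag, body, p = read_tlv(ext, p)
        if tag == 0x01:  # BOOLEAN present (DER omits it when FALSE; BER may not)
            critical = body == b"\xff"
            tag, body, p = read_tlv(ext, p)
        assert tag == 0x04, "extnValue must be an OCTET STRING"
        result.append((decode_oid(oid_body), critical, body))
    return result


def evaluate(der):
    """Unknown + critical -> reject the certificate; unknown + non-critical -> ignore."""
    ignored = []
    for oid, critical, _ in parse_extensions(der):
        if oid in KNOWN_EXTENSIONS:
            continue
        if critical:
            return ("reject", oid)
        ignored.append(oid)
    return ("accept", ignored)


# Constructed sample encodings (hand-encoded for this example).
# subjectKeyIdentifier (2.5.29.14), non-critical, KeyIdentifier de:ad:be:ef
SKI = bytes.fromhex("300d" "0603551d0e" "0406" "0404deadbeef")
# keyUsage (2.5.29.15), critical, BIT STRING digitalSignature|keyEncipherment
KU = bytes.fromhex("300e" "0603551d0f" "0101ff" "0404" "030205a0")
# made-up private OID 1.3.6.1.4.1.99999.1 with a NULL value, non-critical
UNKNOWN_NONCRITICAL = bytes.fromhex("300f" "06092b060104018 68d1f01".replace(" ", "") + "0402" "0500")
# same made-up OID, marked critical
UNKNOWN_CRITICAL = bytes.fromhex("3012" "06092b06010401868d1f01" "0101ff" "0402" "0500")


def extensions_seq(*exts):
    """Wrap Extension encodings in the outer SEQUENCE (short-form length only)."""
    body = b"".join(exts)
    assert len(body) < 128, "example supports short-form lengths only"
    return bytes([0x30, len(body)]) + body


if __name__ == "__main__":
    print(evaluate(extensions_seq(SKI, KU, UNKNOWN_NONCRITICAL)))
    print(evaluate(extensions_seq(SKI, KU, UNKNOWN_CRITICAL)))
```

The same certificate bytes lead to opposite decisions depending only on the critical flag of the one extension the application does not recognize, which is exactly the behaviour the two bullets above require.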
Some of the standard extensions defined in the X.509 v3 standard include the following:
• Authority Key Identifier extension, which identifies the CA's public key, the key used to sign the
certificate.
• Subject Key Identifier extension, which identifies the subject's public key, the key being certified.
NOTE
Not all applications support certificates with version 3 extensions. Applications that
do support these extensions may not be able to interpret some or all of these specific
extensions.

5.4.6. Using and Customizing Certificate Profiles

Certificates have different types and different applications. They can be used to establish a single
sign-on environment for a corporate network, to set up VPNs, to encrypt email, or to authenticate to
a website. The requirements for all of these certificates can be different, just as there may also be
different requirements for the same type of certificate for different kinds of users. These certificate
characteristics are set in certificate profiles. The Certificate Manager defines a set of certificate profiles
that it uses as enrollment forms when users or machines request certificates.
A certificate profile defines everything associated with issuing a particular type of certificate: the
authentication method, the certificate content (the defaults), constraints on the values of that content,
and the inputs and outputs of the profile. Enrollment requests are submitted to a certificate profile and
are then subject to the defaults and constraints set in that profile. The constraints apply whether the
request is submitted through the input form associated with the profile or by other means, such as a
pre-formatted request. The issued certificate contains the content that the defaults require, filled in
with the values the default parameters specify; the constraints define what content is allowed in the
certificate.
For example, a certificate profile for user certificates defines all aspects of that certificate, including its
validity period. The default validity period can be set to two years, and a constraint can be set on the
profile so that the validity period of certificates requested through it cannot exceed two years. When a
user requests a certificate using the input form associated with this profile, the issued certificate
contains the information specified in the defaults and is valid for two years. If the user instead submits
a pre-formatted request asking for a validity period of four years, the request is rejected, because the
constraint allows a maximum validity period of two years for this type of certificate.
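The default-then-constraint behaviour described above, as an added example in Python that is not Certificate System's own code: a constructed profile fragment sets a two-year validity default and a two-year validity constraint, and the evaluator applies the default only when the request carries no validity of its own, then enforces the constraint on the resulting value regardless of how the request arrived. The key names imitate the CS 8 profile-configuration style (`policyset.<set>.<n>.default.params.*` and `.constraint.params.*`); the exact parameter names, the `validity_days` request field and the function names are assumptions made for this example.

```python
# Added example (not Certificate System's own code): how a profile's validity
# default and validity constraint act on an enrollment request.
# Key names follow the CS 8 profile-configuration style; the exact parameter
# names are an assumption for this example, not the product's schema.
from datetime import datetime, timedelta, timezone

# Constructed profile fragment: default validity 2 years, maximum 2 years.
PROFILE_CFG = """
# validity default and constraint for the user certificate profile
policyset.userCertSet.2.default.class_id=validityDefaultImpl
policyset.userCertSet.2.default.params.range=730
policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
policyset.userCertSet.2.constraint.params.range=730
"""


def load_profile(text):
    """Parse key=value lines into a dict, skipping blank lines and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def apply_validity_policy(cfg, request, policy="policyset.userCertSet.2", now=None):
    """Fill in the default, then enforce the constraint on the final validity.

    request: dict that may carry 'validity_days' (a pre-formatted request) or
    omit it (the profile's own input form, which has no validity field).
    Returns ('issued', not_before, not_after) or ('rejected', reason).
    """
    now = now or datetime.now(timezone.utc)
    default_days = int(cfg[f"{policy}.default.params.range"])
    max_days = int(cfg[f"{policy}.constraint.params.range"])
    # Default: supplies the value only when the request does not carry one.
    days = int(request.get("validity_days", default_days))
    not_before = now
    not_after = now + timedelta(days=days)
    # Constraint: checked on the resulting value whatever the submission path.
    if (not_after - not_before).days > max_days:
        return ("rejected",
                f"requested validity of {days} days exceeds the profile maximum of {max_days} days")
    return ("issued", not_before, not_after)


if __name__ == "__main__":
    cfg = load_profile(PROFILE_CFG)
    print(apply_validity_policy(cfg, {"subject": "uid=alice"}))          # default applied
    print(apply_validity_policy(cfg, {"validity_days": 4 * 365}))        # rejected
```

Note that the constraint is evaluated after the default has been applied, so a profile whose default exceeded its own constraint would reject every form-based request; keeping the default within the constraint is part of writing a usable profile.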