Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT Deployment Manual page 81

Using and Customizing Certificate Profiles
A set of certificate profiles have been predefined for the most common certificates issued. These
certificate profiles define defaults and constraints, associate the authentication method, and define the
needed inputs and outputs for the certificate profile.
The parameters of the default certificate profiles (the authentication method, the defaults, the
constraints used in each profile, the values assigned to any of the parameters in a profile, the input,
and the output) can be modified. It is also possible to create new certificate profiles for other types of
certificates or for creating more than one certificate profile for a certificate type. There can be multiple
certificate profiles for a particular type of certificate to issue the same type of certificate with a different
authentication method or different definitions for the defaults and constraints. For example, there can
be two certificate profiles for enrollment of SSL server certificates where one certificate profile issues
certificates with a validity period of six months and another certificate profile issues certificates with a
validity period of two years.
An input sets a text field in the enrollment form and what kind of information needs to be gathered from
the end entity; this includes setting the text area for a certificate request to be pasted, which allows
a request to be created outside the input form with any of the request information desired. The input
values are set as values in the certificate. The default inputs are not configurable in the Certificate
System.
An output specifies how the response page to a successful enrollment is presented. It usually displays
the certificate in a user-readable format. The default output shows a printable version of the resultant
certificate; other outputs set the type of information generated at the end of the enrollment, such as
PKCS #7.
Policy sets are sets of constraints and default extensions attached to every certificate processed
through the profile. The extensions define certificate content such as validity periods and subject name
requirements. A profile handles one certificate request, but a single request can contain information
for multiple certificates. A PKCS#10 request contains a single public key. One CRMF request can
contain multiple public keys, meaning multiple certificate requests. A profile may contain multiple sets
of policies, with each set specifying how to handle one certificate request within a CRMF request.
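As an added illustration (not code from the manual or from Certificate System itself), the following Python toy models how a profile's policy sets apply defaults and constraints to a single PKCS #10 request or to several keys in one CRMF request; the profile names, field names and sample requests are constructed.

```python
"""Toy model of how a Certificate System profile applies its policy sets.
Illustrative only, not Red Hat Certificate System code: defaults fill in values the
request omits, constraints reject values the profile does not allow."""
from dataclasses import dataclass, field


@dataclass
class PolicySet:
    """One policy set: defaults plus constraints for one certificate request."""
    name: str
    defaults: dict                # applied when the request omits the field
    max_validity_days: int        # constraint checked on the defaulted value
    required_subject_rdns: tuple = ("CN",)

    def apply(self, request: dict) -> dict:
        """Return the defaulted request, or raise if a constraint fails."""
        cert = {**self.defaults, **request}
        if cert["validity_days"] > self.max_validity_days:
            raise ValueError(f"{self.name}: {cert['validity_days']}d exceeds {self.max_validity_days}d")
        rdns = {part.split("=", 1)[0].strip() for part in cert["subject"].split(",")}
        missing = set(self.required_subject_rdns) - rdns
        if missing:
            raise ValueError(f"{self.name}: subject lacks {sorted(missing)}")
        return cert


@dataclass
class Profile:
    """A profile handles one enrollment; a CRMF request may carry several keys."""
    name: str
    policy_sets: list = field(default_factory=list)

    def process(self, requests: list) -> list:
        # PKCS #10: a single request. CRMF: one request per policy set, in order.
        if len(requests) > len(self.policy_sets):
            raise ValueError(f"{self.name}: {len(requests)} keys but {len(self.policy_sets)} policy sets")
        return [ps.apply(req) for ps, req in zip(self.policy_sets, requests)]


# Two constructed profiles for the same certificate type, differing only in validity.
SSL_SERVER_6M = Profile("sslServer6Month", [PolicySet("serverCert", {"validity_days": 180}, 180)])
SSL_SERVER_2Y = Profile("sslServer2Year", [PolicySet("serverCert", {"validity_days": 730}, 730)])

def enroll(profile: Profile, requests: list) -> tuple:
    """Return ('issued', certs) or ('rejected', reason) for constructed requests."""
    try:
        return "issued", profile.process(requests)
    except ValueError as exc:
        return "rejected", str(exc)
```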
An administrator sets up a certificate profile by associating an existing authentication plug-in, or
method, with the certificate profile; enabling and configuring defaults and constraints; and defining
inputs and outputs. The administrator can use the existing certificate profiles, modify the existing
certificate profiles, create new certificate profiles, and delete any certificate profile that will not be used
in this PKI.
Once a certificate profile is set up, it appears on the Manage Certificate Profiles page of the agent
services page where an agent can approve, and thus enable, a certificate profile. Once the certificate
profile is enabled, it appears on the Certificate Profile tab of the end-entities page where end entities
can enroll for a certificate using the certificate profile.
The certificate profile enrollment page in the end-entities interface contains links to each certificate
profile that has been enabled by the agents. When an end entity selects one of those links, an
enrollment page appears containing an enrollment form specific to that certificate profile. The
enrollment page is dynamically generated from the inputs defined for the profile. If an authentication
plug-in is configured, additional fields may be added to authenticate the user.
When an end entity submits a certificate profile request that is associated with an agent-approved
(manual) enrollment, an enrollment where no authentication plug-in is configured, the certificate
request is queued in the agent services interface. The agent can change some aspects of the enrollment
enrollment, request, validate it, cancel it, reject it, update it, or approve it. The agent is able to update
the request without submitting it or validate that the request adheres to the profile's defaults and
71
