Ca: Working With Certificate Profiles; About Certificate Profiles - Red Hat CERTIFICATE SYSTEM 8 - AGENTS GUIDE Agents Manual

Chapter 2.

CA: Working with Certificate Profiles

A Certificate Manager agent is responsible for approving certificate profiles that have been configured
by a Certificate System administrator. Certificate Manager agents also manage and approve certificate
requests that come from profile-based enrollments.

2.1. About Certificate Profiles

A certificate profile defines everything associated with issuing a certificate, including the authentication
method, the authorization method, the certificate content (defaults), constraints for content values
in the requested certificate type, and the contents of the input and output forms associated with the
certificate profile.

There are three categories of information that constitute a certificate profile:

• Profile inputs. Profile inputs are parameters and values that are submitted to the CA when a
  certificate is requested. Profile inputs include public keys for the certificate request and the
  certificate subject name requested by the end entity for the certificate.
• Profile policy sets. A certificate profile can have one or more policy sets, each of which is defined by
  a set of defaults and constraints.
    • Profile defaults. Profile defaults are parameters and values defined by the CA administrator.
      Profile defaults include how long the certificate is valid and what certificate extensions appear for
      each type of certificate issued.
    • Profile constraints. Profile constraints are parameters and values that form the rules or policies for
      issuing certificates. Profile constraints include rules like requiring the certificate subject name to
      have at least one CN component, setting the validity of a certificate to a maximum of 360 days,
      grace periods to allow certificate renewal as the certificate nears its expiration date, or requiring
      that the subjectaltname extension always be set to true.
• Profile outputs. Profile outputs are parameters and values that specify the format in which to issue
  the certificate to the end entity. Profile outputs include base-64 encoded files, CMMF responses,
  and PKCS #7 output, which also includes the CA chain.
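
How the defaults and constraints of a policy set interact when a request is evaluated, shown as an added example that is not Certificate System code: a simplified Python model in which each default fills in a value and its constraint then accepts or rejects the result. The field names, the 180-day default, and the assumption that a request may carry its own validity period are hypothetical; the CN and 360-day rules are the ones quoted in the list above.

```python
# Simplified, hypothetical model of one profile policy set; not Certificate
# System code. Each policy pairs a default with a constraint.
import re

MAX_VALIDITY_DAYS = 360      # constraint limit quoted in the text
DEFAULT_VALIDITY_DAYS = 180  # assumed value chosen by the CA administrator


def cn_count(subject_dn):
    """Count CN components in a simple comma-separated DN (no escaping)."""
    return len(re.findall(r"(?:^|,)\s*CN\s*=", subject_dn, flags=re.I))


def default_validity(cert):
    # Default: fill in the validity period when the request did not set one.
    cert.setdefault("validity_days", DEFAULT_VALIDITY_DAYS)


def constrain_validity(cert):
    days = cert["validity_days"]
    if not 0 < days <= MAX_VALIDITY_DAYS:
        return f"validity of {days} days is outside 1..{MAX_VALIDITY_DAYS}"


def constrain_subject(cert):
    if cn_count(cert.get("subject", "")) < 1:
        return "subject name has no CN component"


# (default, constraint) pairs; None means the value comes from a profile input.
POLICY_SET = [(None, constrain_subject), (default_validity, constrain_validity)]


def evaluate(profile_inputs):
    """Apply each default, then its constraint; return (cert, errors)."""
    cert, errors = dict(profile_inputs), []
    for apply_default, check in POLICY_SET:
        if apply_default:
            apply_default(cert)
        error = check(cert)
        if error:
            errors.append(error)
    return cert, errors


if __name__ == "__main__":
    # Constructed sample requests.
    for req in ({"subject": "CN=Alice Example, O=Example Corp"},
                {"subject": "UID=alice, O=Example Corp", "validity_days": 720}):
        print(evaluate(req))
```

The first constructed request passes with the default validity applied; the second is rejected by both constraints, which is the outcome an agent would see as a failed profile-based enrollment.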

An administrator sets up a certificate profile by associating an existing authentication plug-in, or
method, with the certificate profile; enabling and configuring defaults and constraints; and defining
inputs and outputs. The administrator can use the existing certificate profiles, modify the existing
certificate profiles, create new certificate profiles, and disable or delete any certificate profile that will
not be used in the PKI.

Once a certificate profile is set, it appears on the Manage Certificate Profiles page of the agent
services interface, where an agent can approve, and thus enable, a certificate profile. Once the
certificate profile is enabled, it appears on the List Certificate Profile tab of the end-entities page, so
end entities can enroll for certificates using the certificate profile.

The certificate profile enrollment or renewal page contains links to each type of certificate profile
enrollment that has been enabled. When an end entity selects one of those links, an enrollment page
appears, containing the enrollment form specific to that certificate profile. The enrollment page for
the certificate profile in the end entities page is dynamically generated from the inputs defined for the
certificate profile. If an authentication plug-in is configured, additional fields may be added that are
needed to authenticate the user with that authentication method.