Chapter 2. CA: Working with Certificate Profiles
A manual enrollment is a request submitted through a profile that has no authentication plug-in configured. When the end entity
submits a certificate request with a manual enrollment profile, the request is queued in the
agent services page as a certificate enrollment request. The agent can change the request, reject
it, change its status, or approve it. The agent can also update the request without submitting it, or
validate that the request adheres to the profile's defaults and constraints. Agents are bound by the
constraints set in the profile: they cannot change the request in a way that violates a constraint. The
signed approval is processed immediately, and a certificate is issued.
When a certificate profile is associated with an authentication method, the request generates a
certificate automatically if the user authenticates successfully, all required information is provided,
and the request does not violate any of the constraints set in the certificate profile. If an authorization
method is also set in the profile, a further check is done to authorize the requester.
NOTE
Several different kinds of authentication can be used for enrollment or
renewal profiles. However, some authentication methods require outside configuration to
work. For example, before a renewal profile that uses directory-based authentication can be
used, directory-based authentication must be enabled and the CA must be configured to connect to
an LDAP directory.
The issued certificate contains the default content for the certificate profile (such as the extensions and
validity period) and follows the constraints set for each default. A profile can contain more than one
policy set. Each policy set consists of a number of policies, and each policy pairs a default with a
constraint to define one policy setting. Each policy set has a unique policy set ID, and every default and
constraint within the set is identified as a member of that set by carrying the same policy set ID.
The server evaluates each policy set for each request it receives. When a single certificate is
requested, the profile should contain a single policy set to evaluate. When dual key pairs are
requested, the profile must contain two policy sets: the first policy set is evaluated against the
first certificate request, and the second set is evaluated against the second certificate request. Policies
within each policy set are evaluated in the order given in the policy set's order list.
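The following is an added illustration, not code from the Agents Guide or from Certificate System itself. It parses a constructed profile written in the key=value layout of Certificate System profile files into policy sets, then evaluates requests the way the text describes: each policy's default fills in what the request left unspecified, its constraint is then checked, policies run in the order of the set's list, and a dual key-pair enrollment supplies one request per policy set. It also shows the earlier point about agent edits: an edit that pushes a value past a constraint is reported as a violation. The class_id names are real Certificate System plug-in names, but the parameter values are made up and the constraint semantics (a per-bit "true"/"false" that the certificate must match, "-" meaning unchecked) are a simplified model.

```python
"""Parse a Certificate System style profile and evaluate requests against its
policy sets. Added example only; not code from the Agents Guide or from
Certificate System itself."""

# Constructed profile fragment (not a shipped CS profile). Two policy sets model
# a dual key-pair profile: signingSet for the signing certificate request,
# encryptionSet for the encryption certificate request. encryptionSet lists its
# policies as "2,1" to show that the list order, not the numeric ID, decides
# evaluation order. class_id values are real CS plug-in names; params are invented.
PROFILE_CFG = """
desc=Constructed dual key-pair user profile (example only)
enable=true
policyset.list=signingSet,encryptionSet
policyset.signingSet.list=1,2
policyset.signingSet.1.default.class_id=validityDefaultImpl
policyset.signingSet.1.default.params.range=180
policyset.signingSet.1.constraint.class_id=validityConstraintImpl
policyset.signingSet.1.constraint.params.range=365
policyset.signingSet.2.default.class_id=keyUsageExtDefaultImpl
policyset.signingSet.2.default.params.keyUsageDigitalSignature=true
policyset.signingSet.2.default.params.keyUsageKeyEncipherment=false
policyset.signingSet.2.constraint.class_id=keyUsageExtConstraintImpl
policyset.signingSet.2.constraint.params.keyUsageDigitalSignature=true
policyset.signingSet.2.constraint.params.keyUsageKeyEncipherment=false
policyset.encryptionSet.list=2,1
policyset.encryptionSet.1.default.class_id=validityDefaultImpl
policyset.encryptionSet.1.default.params.range=180
policyset.encryptionSet.1.constraint.class_id=validityConstraintImpl
policyset.encryptionSet.1.constraint.params.range=365
policyset.encryptionSet.2.default.class_id=keyUsageExtDefaultImpl
policyset.encryptionSet.2.default.params.keyUsageDigitalSignature=false
policyset.encryptionSet.2.default.params.keyUsageKeyEncipherment=true
policyset.encryptionSet.2.constraint.class_id=keyUsageExtConstraintImpl
policyset.encryptionSet.2.constraint.params.keyUsageDigitalSignature=false
policyset.encryptionSet.2.constraint.params.keyUsageKeyEncipherment=true
"""

KEY_USAGE_BITS = ("keyUsageDigitalSignature", "keyUsageKeyEncipherment")


def parse_profile(text):
    """Return {set_id: [(policy_id, {"default": {...}, "constraint": {...}}), ...]}
    with the sets in policyset.list order and the policies in each set's list order."""
    kv = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            kv[key.strip()] = value.strip()
    sets = {}
    for set_id in kv["policyset.list"].split(","):
        policies = []
        for pid in kv[f"policyset.{set_id}.list"].split(","):
            prefix = f"policyset.{set_id}.{pid}."
            policy = {"default": {}, "constraint": {}}
            for key, value in kv.items():
                if key.startswith(prefix):
                    kind, rest = key[len(prefix):].split(".", 1)
                    policy[kind][rest] = value  # rest is "class_id" or "params.<name>"
            policies.append((pid, policy))
        sets[set_id] = policies
    return sets


def evaluate(policies, request):
    """Apply each policy's default, then check its constraint, in list order.
    Returns (certificate fields, violations). Defaults only fill in fields the
    request left unspecified, and constraints are checked against the resulting
    values, so a request (or agent edit) that breaks a constraint is reported."""
    cert = dict(request)
    violations = []
    for pid, policy in policies:
        default, constraint = policy["default"], policy["constraint"]
        if default["class_id"] == "validityDefaultImpl":
            cert.setdefault("validity_days", int(default["params.range"]))
            limit = int(constraint["params.range"])
            if cert["validity_days"] > limit:
                violations.append(f"{pid}: validity {cert['validity_days']}d exceeds {limit}d")
        elif default["class_id"] == "keyUsageExtDefaultImpl":
            for bit in KEY_USAGE_BITS:
                cert.setdefault(bit, default[f"params.{bit}"] == "true")
                wanted = constraint.get(f"params.{bit}", "-")  # simplified: "-" means unchecked
                if wanted != "-" and cert[bit] != (wanted == "true"):
                    violations.append(f"{pid}: {bit} must be {wanted}")
        else:
            raise ValueError(f"unsupported default class {default['class_id']}")
    return cert, violations


def process_request(sets, requests):
    """One certificate request per policy set: a dual key-pair enrollment
    supplies two requests, and policy set N is evaluated against request N."""
    if len(requests) != len(sets):
        raise ValueError(f"profile has {len(sets)} policy sets but {len(requests)} requests were given")
    return {set_id: evaluate(policies, req)
            for (set_id, policies), req in zip(sets.items(), requests)}


if __name__ == "__main__":
    sets = parse_profile(PROFILE_CFG)
    for set_id, (cert, bad) in process_request(sets, [{}, {}]).items():
        print(set_id, cert, bad)  # untouched requests take the defaults and pass
    print(evaluate(sets["signingSet"], {"validity_days": 400})[1])  # agent edit past the constraint
```

Two points to note when reading the output. A request that leaves a field unspecified simply inherits the default and passes, which is what makes the defaults safe to rely on; a request whose validity is pushed to 400 days is rejected by policy 1 of signingSet even though the default is 180, because constraints apply to the final value, not to the default. In encryptionSet the violations come back with policy 2 first, reflecting the "2,1" list order.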
A profile usually contains inputs, policy sets, and outputs, as illustrated in the caUserCert profile in
Section 2.2, "Example caUserCert Profile".
2.2. Example caUserCert Profile
The first part of a certificate profile is the description. This shows the name, the long description, whether the
profile is visible to end entities, whether it is enabled, and who enabled it.
desc=This certificate profile is for enrolling user certificates.
visible=true
enable=true
enableBy=admin
name=Manual User Dual-Use Certificate Enrollment
In the Managing Certificate Profiles page of the CA's agent services, this looks like:
Certificate System 8 - Agents Guide