Chapter 2.
Making Rules for Issuing Certificates
The Certificate System provides a customizable framework to apply policies for incoming certificate
requests and to control the input request types and output certificate types; these are called certificate
profiles. Certificate profiles set the required information for certificate enrollment forms in the
Certificate Manager end-entities page. This chapter describes how to configure certificate profiles.
2.1. About Certificate Profiles
A certificate profile defines everything associated with issuing a particular type of certificate, including
the authentication method, the authorization method, the certificate content (defaults), constraints for
the values of the content, and the contents of the input and output for the certificate profile. Enrollment
and renewal requests are submitted to a certificate profile and are then subject to the defaults
and constraints set in that certificate profile. These constraints are in place whether the request is
submitted through the input form associated with the certificate profile or through other means. The
certificate that is issued from a certificate profile request contains the content required by the defaults,
populated with the information specified by the default parameters. The constraints provide rules for what
content is allowed in the certificate.
All of the information about a certificate profile is defined in a profile policy set entry in the profile's
configuration file, and then the profile is listed in the CA's CS.cfg file. A profile is made up of the following parts:
• Profile inputs. Profile inputs are parameters and values that are submitted to the CA when a
certificate is requested. Profile inputs include public keys for the certificate request and the
certificate subject name requested by the end entity for the certificate.
• Certificate extensions. Each issued certificate defines certain information, like the name of the entity
to which it is assigned (the subject name), its key fingerprint, and its validity period. What is included
in a certificate is defined in the X.509 standard. A certificate extension is a way to add additional,
optional, customizable information to a certificate that is not included in the certificate by the X.509
standard or a way to set rules on how the certificate can be used.
Sometimes, including the certificate extension itself is enough to configure the certificate content,
but a certificate extension can include two additional parts:
• Profile defaults. These are predefined parameters and allowed values for information contained
within the certificate. Profile defaults include how long the certificate is valid and which
certificate extensions appear for each type of certificate issued.
• Profile constraints. Constraints set rules or policies for issuing certificates. Profile constraints
include rules like requiring the certificate subject name to have at least one CN component,
setting the validity of a certificate to a maximum of 360 days, defining the allowed grace period for
renewal, or requiring that the subjectaltname extension always be set to true.
• Profile outputs. Profile outputs are parameters and values that specify the format in which to issue
the certificate to the end entity. Profile outputs include base-64 encoded files, CMMF responses,
and PKCS #7 output, which also includes the CA chain.
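To make the defaults-then-constraints model above concrete, the following is an added Python evaluator that is not part of the product or this guide. The validityDefaultImpl, validityConstraintImpl and subjectNameConstraintImpl class names and the policyset.<set>.<n>.default / .constraint key layout follow the Certificate System profile file format; the parameter names, the request fields and the 180-day default are assumptions constructed for this example (the 360-day maximum is the one quoted above).

```python
import re

# Constructed profile fragment for this example; it approximates the layout of a
# Certificate System profile file but is not copied from any shipped profile.
SAMPLE_PROFILE = """\
policyset.userCertSet.list=1,2
policyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.userCertSet.1.constraint.params.pattern=CN=.*
policyset.userCertSet.2.default.class_id=validityDefaultImpl
policyset.userCertSet.2.default.params.range=180
policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
policyset.userCertSet.2.constraint.params.range=360
"""


def parse_profile(text):
    """Flat key=value lines -> dict; blank lines and '#' comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def apply_profile(cfg, policyset, request):
    """Fill in defaults for a request, then check constraints.

    Returns (certificate_content, violations). An empty violations list means the
    request would be allowed through this policy set."""
    cert = dict(request)  # the request fields are an assumed, simplified model
    violations = []
    prefix = f"policyset.{policyset}."
    for n in cfg[prefix + "list"].split(","):
        p = f"{prefix}{n}."
        default = cfg.get(p + "default.class_id")
        constraint = cfg.get(p + "constraint.class_id")
        # Defaults supply content the request did not provide. The subject-name
        # default simply keeps the subject taken from the request.
        if default == "validityDefaultImpl" and "validity_days" not in cert:
            cert["validity_days"] = int(cfg[p + "default.params.range"])
        # Constraints are rules the final certificate content must satisfy.
        if constraint == "validityConstraintImpl":
            limit = int(cfg[p + "constraint.params.range"])
            if cert["validity_days"] > limit:
                violations.append(f"validity {cert['validity_days']}d exceeds {limit}d")
        if constraint == "subjectNameConstraintImpl":
            pattern = cfg[p + "constraint.params.pattern"]
            if not re.search(pattern, cert.get("subject", "")):
                violations.append(f"subject {cert.get('subject')!r} does not match {pattern!r}")
    return cert, violations
```

A request that omits the validity gets the 180-day default, while a request asking for 400 days or a subject with no CN component is reported as a constraint violation rather than issued.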
2.1.1. The Profile
A profile configures the entire set of rules around issuing a certificate: the kind of content that is
required to submit the request, the way the request is processed and approved (authenticated and