Table of Contents
Advertisement
How Certificate Profiles Work
An output specifies how the response page to a successful enrollment is presented.
It usually displays the certificate in a user-readable format. A single output has
been created that shows the pretty print version of the resultant certificate.
How Certificate Profiles Work
An administrator sets up a certificate profile by associating an existing
authentication plug-in, or method, with the certificate profile, enabling and
configuring defaults and constraints, and defining inputs and outputs. The
administrator can use the existing certificate profiles, modify the existing certificate
profiles, create new certificate profiles, and delete any certificate profile that will
not be used in this PKI.
Once a certificate profile is set up, it appears on the Manage Certificate Profiles
page of the agent services interface where an agent can approve, and thus enable a
certificate profile. Once the certificate profile is enabled, it will appear on the
Certificate Profile tab of the end-entity interface where end-entity can enroll for a
certificate using the certificate profile.
The Certificate Profile enrollment page contains links to each type of certificate
profile enrollment that has been enabled. When an end entity selects one of those
links, an enrollment page appears containing an enrollment form specific to that
certificate profile. The enrollment page for this certificate profile in the end-entity
interface is dynamically generated from the inputs defined for this certificate
profile. If an authentication plug-in is configured, additional fields may be added
that are needed to authenticate the user with that authentication method.
When the end entity submits a certificate profile request that is associated with a
manual enrollment, an enrollment where no authentication plug-in is configured,
the certificate profile is queued in the agent services interface as a certificate profile
enrollment request, showing that it is different from the old enrollment method.
The agent can change some aspects of the enrollment, reject it, change the status, or
approve it. The agent can also update the request without submitting it or validate
that the request adheres to the profile's defaults and constraints. The agent is
bound by the constraints set up; they cannot change the request in such a way that
a constraint is violated. The signed approval is immediately processed and a
certificate is issued.
When a certificate profile that is associated with an authentication method, the
request generates a certificate automatically if the user successfully authenticates,
all the information required is provided, and the request does not violate any of the
constraints set up for the certificate profile.
Chapter 2
Working with Certificate Profiles
31
Advertisement
Table of Contents
