How Certificate Profiles Work - Netscape MANAGEMENT SYSTEM 6.1 - ADMINISTRATOR Administrator's Manual

About Certificate Profiles
inputs using the CMS SDK. The inputs provide a certificate request field that can
be added to any of the forms so that certificate requests can be pasted into this
field, allowing a request to be created outside the input form with any of the
request information you need.
An output specifies how the response page to a successful enrollment is presented.
It usually displays the certificate in a user-readable format. A single output has
been created that shows the pretty print version of the resultant certificate. You can
create other outputs using the CMS SDK.

How Certificate Profiles Work

An administrator sets up a certificate profile by associating an existing
authentication plug-in, or method, with the certificate profile, enabling and
configuring defaults and constraints, and defining inputs and outputs. The
administrator can use the existing certificate profiles, modify the existing certificate
profiles, create new certificate profiles, and delete any certificate profile that will
not be used in this PKI.
Once a certificate profile is set up, it appears on the Manage Certificate Profiles
page of the agent services interface where an agent can approve, and thus enable a
certificate profile. Once the certificate profile is enabled, it will appear on the
Certificate Profile tab of the end-entity interface where end-entity can enroll for a
certificate using the certificate profile.
The Certificate Profile enrollment page contains links to each type of certificate
profile enrollment that has been enabled by the agents. When an end entity selects
one of those links, an enrollment page appears containing an enrollment form
specific to that certificate profile. The enrollment page for this certificate profile in
the end-entity interface is dynamically generated from the inputs defined for this
certificate profile. If an authentication plug-in is configured, additional fields may
be added that are needed to authenticate the user with that authentication method.
When the end entity submits a certificate profile request that is associated with an
agent-approved (manual) enrollment, an enrollment where no authentication
plug-in is configured, the certificate request is queued in the agent services
interface under a certificate profile enrollment, showing that it is different from the
old enrollment method. The agent can change some aspects of the enrollment,
request, validate it, cancel it, reject it, update it, or approve it. The agent can able
update the request without submitting it or validate that the request adheres to the
profile's defaults and constraints. This validation procedure is only for verification
and does not result in the request being submitted. The agent is bound by the
constraints set up; they cannot change the request in such a way that a constraint is
violated. The signed approval is immediately processed and a certificate is issued.
Chapter 10 Certificate Profiles 433