3.4. How Certificate Profiles Work

An administrator sets up a certificate profile by associating an existing authentication plug-in, or method, with the certificate profile; enabling and configuring defaults and constraints; and defining inputs and outputs. The administrator can use the existing certificate profiles, modify the existing certificate profiles, create new certificate profiles, and delete any certificate profile that will not be used in the PKI.

Once a certificate profile is set, it appears on the Manage Certificate Profiles page, where an agent can approve, and thus enable, a certificate profile. Once the certificate profile is enabled, it appears on the Certificate Profile tab of the end entities page, so end entities can enroll for a certificate using the certificate profile.

The certificate profile enrollment page contains links to each type of certificate profile enrollment that has been enabled. When an end entity selects one of those links, an enrollment page appears, containing the enrollment form specific to that certificate profile. The enrollment page for the certificate profile in the end entities page is dynamically generated from the inputs defined for the certificate profile. If an authentication plug-in is configured, additional fields may be added that are needed to authenticate the user with that authentication method.

A manual enrollment is a request submitted through a certificate profile that has no authentication plug-in configured. Such a request is queued in the agent services page as a certificate profile enrollment request. The agent can modify the request, reject it, change its status, or approve it; the agent can also update the request without submitting it, or validate that it adheres to the profile's defaults and constraints. Agents are bound by the constraints set in the profile: they cannot change a request in a way that violates a constraint. Once the agent signs the approval, the request is processed immediately and a certificate is issued.

When a certificate profile is associated with an authentication method, the certificate is issued automatically, without agent approval, if the user authenticates successfully, all required information is provided, and the request does not violate any of the constraints set for the certificate profile.

The issued certificate contains the default content for the certificate profile (such as the extensions and validity period) and satisfies the constraint set for each default. There can be more than one policy set (a set of default and constraint pairs); within a set, a default and its constraint are paired by giving both the same policy ID. The server evaluates one policy set per certificate request it receives. When a single certificate is issued, only the first set is evaluated and any other sets are ignored. When dual key pairs are issued, the first policy set is evaluated against the first certificate request and the second set against the second. There is therefore no need for more than one policy set when issuing single certificates, or for more than two sets when issuing dual key pairs.
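The following example models the processing described in the two passages above: defaults fill in values the request left unset, constraints bound the resulting content, an agent's edit to a queued request is refused if it would violate a constraint, and each policy set is evaluated against the certificate request in the same position (one set for a single certificate, two for a dual key pair). It is an added illustration and not Certificate System code; the rule names, the profile contents, the request fields and the sample requests are all constructed for the example and do not correspond to real plug-in class IDs or profile parameters.

```python
"""Model of certificate-profile policy sets: one default/constraint pair
per policy ID, one policy set per certificate request.

Added illustration only; not Certificate System code. Rule names,
request fields and sample data are hypothetical.
"""
import copy
import re
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class PolicyRule:
    """A default and its constraint, paired by sharing a policy ID."""
    policy_id: int
    default: Callable[[dict], None]              # fills a value if the request left it unset
    constraint: Callable[[dict], Optional[str]]  # returns a violation message, or None

# --- defaults: only set a value when the request did not supply one ---
def validity_default(days):
    return lambda req: req.setdefault("validity_days", days)

def key_usage_default(usages):
    return lambda req: req.setdefault("key_usage", set(usages))

def no_default(req):
    return None

# --- constraints: bound the final content, whoever supplied it ---
def validity_constraint(max_days):
    def check(req):
        if req.get("validity_days", 0) > max_days:
            return f"validity {req['validity_days']}d exceeds {max_days}d"
        return None
    return check

def key_usage_constraint(allowed):
    def check(req):
        extra = set(req.get("key_usage", ())) - set(allowed)
        return f"key usage not permitted: {sorted(extra)}" if extra else None
    return check

def subject_constraint(pattern):
    rx = re.compile(pattern)
    def check(req):
        subj = req.get("subject", "")
        return None if rx.fullmatch(subj) else f"subject {subj!r} does not match {pattern}"
    return check

SUBJECT = r"UID=[^,]+,OU=People,O=Example"   # hypothetical naming rule

# Hypothetical dual-key-pair profile: set 1 for the signing cert, set 2 for encryption.
PROFILE = [
    ("signingSet", [
        PolicyRule(1, no_default, subject_constraint(SUBJECT)),
        PolicyRule(2, validity_default(180), validity_constraint(365)),
        PolicyRule(3, key_usage_default({"digitalSignature", "nonRepudiation"}),
                   key_usage_constraint({"digitalSignature", "nonRepudiation"})),
    ]),
    ("encryptionSet", [
        PolicyRule(1, no_default, subject_constraint(SUBJECT)),
        PolicyRule(2, validity_default(180), validity_constraint(365)),
        PolicyRule(3, key_usage_default({"keyEncipherment"}),
                   key_usage_constraint({"keyEncipherment"})),
    ]),
]

def evaluate(policy_set, request):
    """Apply every default of the set, then check every constraint.
    Returns (certificate content, list of violations); empty list means issuable."""
    content = copy.deepcopy(request)
    for rule in policy_set:
        rule.default(content)
    violations = [msg for rule in policy_set if (msg := rule.constraint(content))]
    return content, violations

def agent_update(policy_set, request, changes):
    """An agent edits a queued request; the edit is refused if it would violate a constraint."""
    candidate = {**request, **changes}
    _, violations = evaluate(policy_set, candidate)
    if violations:
        raise ValueError("change violates profile constraints: " + "; ".join(violations))
    return candidate

def process_enrollment(profile, requests):
    """Pair the i-th certificate request with the i-th policy set.
    A single request uses only the first set; extra sets are ignored."""
    return [(name, *evaluate(rules, req)) for (name, rules), req in zip(profile, requests)]

if __name__ == "__main__":
    signing = {"subject": "UID=jdoe,OU=People,O=Example", "key_usage": {"digitalSignature"}}
    encryption = {"subject": "UID=jdoe,OU=People,O=Example", "key_usage": {"digitalSignature"}}
    for name, content, violations in process_enrollment(PROFILE, [signing, encryption]):
        print(name, "issued" if not violations else "rejected", content, violations)
```

In the dual-key-pair run the signing request passes and is given the 180-day default validity, while the encryption request is rejected by the second set because its key usage is not one the encryption constraint permits. An agent who tries to raise the validity to 730 days on the queued signing request is stopped by `agent_update`, which re-evaluates the edited request against the same constraints the end entity was bound by.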