3.3. List of Certificate Profiles
The following pre-defined certificate profiles are ready to use when the Certificate System is installed. These certificate profiles have been designed for the most common types of certificates, and they provide common defaults and constraints, authentication methods, and inputs and outputs. You can edit these profiles or add more profiles as necessary. An administrator can set up additional defaults and constraints using the CS SDK.
| Profile ID | Profile Name | Description |
|---|---|---|
| caUserCert | Manual User Dual-Use Certificate Enrollment | Used to enrol user certificates. |
| caDualCert | Manual User Signing & Encryption Certificates Enrollment | Used to enrol dual user certificates. It works only with Netscape 7.0 or later. |
| caSignedLogCert | Manual Log Signing Certificate Enrollment | Used to enrol audit log signing certificates. |
| caTPSCert | Manual TPS Server Certificate Enrollment | Used to enrol TPS server certificates. |
| caRARouterCert | RA Agent-Authenticated Router Certificate Enrollment | Used to enrol router certificates. |
| caRouterCert | One Time Pin Router Certificate Enrollment | Used to enrol router certificates. |
| caServerCert | Manual Server Certificate Enrollment | Used to enrol server certificates. |
| caOtherCert | Other Certificate Enrollment | Used to enrol other certificates. |
| caCACert | Manual Certificate Manager Signing Certificate Enrollment | Used to enrol Certificate Authority certificates. |
| caInstallCACert | Manual Security Domain Certificate Authority Signing Certificate Enrollment | Used to enrol Security Domain Certificate Authority certificates. |
| caRACert | Manual Registration Manager Signing Certificate Enrollment | Used to enrol Registration Manager certificates. |
| caOCSPCert | Manual OCSP Manager Signing Certificate Enrollment | Used to enrol OCSP Manager certificates. |
| caTransportCert | Manual Data Recovery Manager Transport Certificate Enrollment | Used to enrol Data Recovery Manager transport certificates. |
| caDirUserCert | Directory-Authenticated User Dual-Use Certificate Enrollment | Used to enrol user certificates with directory-based authentication. |
| caAgentServerCert | Agent-Authenticated Server Certificate Enrollment | Used to enrol server certificates with agent authentication. |
| caAgentFileSigning | Agent-Authenticated File Signing | This certificate profile is for file signing with agent authentication. |
| caCMCUserCert | Signed CMC-Authenticated User Certificate Enrollment | Used to enrol user certificates by using the CMC certificate request with CMC Signature authentication. |
| caFullCMCUserCert | Signed CMC-Authenticated User Certificate Enrollment | Used to enrol user certificates by using the CMC certificate request with CMC Signature authentication. |
| caSimpleCMCUserCert | Simple CMC Enrollment Request for User Certificate | Used to enrol user certificates by using the CMC certificate request with CMC Signature authentication. |
| caTokenDeviceKeyEnrollment | Token Device Key Enrollment | Used to enrol token device keys. |
| caTokenUserEncryptionKeyEnrollment | Token User Encryption Certificate Enrollment | Used to enrol token user encryption keys. |
| caTokenUserSigningKeyEnrollment | Token User Signing Certificate Enrollment | Used to enrol token user signing keys. |
| caTempTokenDeviceKeyEnrollment | Temporary Device Certificate Enrollment | Used to enrol temporary token device keys. |
| caTempTokenUserEncryptionKeyEnrollment | Temporary Token User Encryption Certificate Enrollment | Used to enrol temporary token user encryption keys. |
| caTempTokenUserSigningKeyEnrollment | Temporary Token User Signing Certificate Enrollment | Used to enrol temporary token user signing keys. |
| caAdminCert | Security Domain Administrator Certificate Enrollment | Used to enrol Security Domain Administrator's certificates with LDAP authentication against the internal LDAP database. |
| caInternalAuthServerCert | Security Domain Server Certificate Enrollment | Used to enrol Security Domain server certificates. |
| caInternalAuthTransportCert | Security Domain Data Recovery Manager Transport Certificate Enrollment | Used to enrol Security Domain Data Recovery Manager transport certificates. |
| caInternalAuthDRMstorageCert | Security Domain DRM Storage Certificate Enrollment | Used to enrol Security Domain DRM storage certificates. |
| caInternalAuthSubsystemCert | Security Domain Subsystem Certificate Enrollment | Used to enrol Security Domain subsystem certificates. |
| caInternalAuthOCSPCert | Security Domain OCSP Manager Signing Certificate Enrollment | Used to enrol Security Domain OCSP Manager certificates. |
| DomainController | Domain Controller | Used to enrol Domain Controller certificates. |
| caDualRAuserCert | RA Agent-Authenticated User Certificate Enrollment | Used to enrol user certificates with RA agent authentication. |
| caRAagentCert | RA Agent-Authenticated Agent User Certificate Enrollment | Used to enrol RA agent user certificates with RA agent authentication. |
| caRAserverCert | RA Agent-Authenticated Server Certificate Enrollment | Used to enrol server certificates with RA agent authentication. |
The following is a description of an example caUserCert profile, as shipped with the server. A profile usually contains inputs, policy sets, and outputs. The default caUserCert certificate profile contains the following:
Profile description
This profile is for issuing user, or client, certificates.
Profile inputs
Key generation: Specifies that key pair generation during request submission is CRMF-based and produces a 1024-bit key. This is a read-only field.
Subject name: Used when distinguished name (DN) parameters need to be collected from the user; the user DN can be used to build the subject name in the certificate. This input uses the following form fields:
- UID: The user ID of the user in the LDAP directory.
- Email: The email address of the user.
- Common name: The name of the user.
- Organizational unit: The organizational unit to which the user belongs.
- Organization: The organization name.
- Country: The country where the user is located.
Requester: This input uses the following form fields:
- Requester name: The name of the certificate requester.
- Requester email: The email address of the certificate requester.
- Requester phone: The phone number of the certificate requester.
Profile policy sets
The different policy sets that are set by default on caUserCert are listed in Table 3.2, “caUserCert Profile Policy Sets”.
| Profile Policy Set | Defaults | Constraints |
|---|---|---|
| userCertSet.1 (SubjectName) | No defaults | |
| userCertSet.2 (Validity) | range = 180 days | The range is less than 365 days. The notbefore and notafter date checks are turned off. |
| userCertSet.3 (Key) | No defaults | The key type should be RSA. The key length should be between 512 and 4096 bits. |
| userCertSet.4 (Authority Key Identifier) | No defaults | No constraints |
| userCertSet.5 (AIA extension) | Populates an Authority Information Access (AIA) extension in the request. | No constraints |
| userCertSet.6 (Key Usage) | Populates a Key Usage extension (2.5.29.15) in the request with the profile's default values. | Accepts the Key Usage extension, if present, only when the default values are set. |
| userCertSet.7 (Extended Key Usage) | Populates an Extended Key Usage extension in the request. The default values are Criticality=false and OIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 (client authentication and email protection). | No constraints |
| userCertSet.8 (Subject Alt Name) | Populates a Subject Alternative Name extension (2.5.29.17) in the request. The default values are Criticality=false and Record #0{Pattern:$request.requester_email$,Pattern Type:RFC822Name,Enable:true}, so the Requester email form field becomes an rfc822Name entry. | No constraints |
| userCertSet.9 (SigningAlg) | Populates the certificate signing algorithm. The default value is Algorithm=SHA1withRSA. | Accepts only the signing algorithms in the profile's allowed list. |
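The defaults-then-constraints evaluation that Table 3.2 describes can be exercised offline. The following is an added example, not code from the original documentation or from the Certificate System product: it parses a constructed, trimmed caUserCert-like profile written in the flat key=value style of the CA's profile files, applies the Validity, Key and SigningAlg policies to a request, and then runs a reviewer's check for settings that pass the profile's own constraints but are weak today. The parameter names (range, notBeforeCheck, keyType, keyMinLength, keyMaxLength, signingAlg, signingAlgsAllowed), the allowed-algorithm list, and the Request fields are assumptions chosen for illustration, not a copy of the shipped profile.

```python
"""Check a certificate request against a Certificate System style profile.

Added example; not code from the original documentation or the product.
SAMPLE_PROFILE is a constructed, trimmed caUserCert-like profile; its
parameter names and allowed-algorithm list are assumptions, not a verbatim
copy of the shipped file.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample (assumption): policy-set numbering mirrors the page,
# 2 = Validity, 3 = Key, 9 = SigningAlg.
SAMPLE_PROFILE = """\
profileId=caUserCert
desc=This profile is for issuing user, or client, certificates.
policyset.list=userCertSet
policyset.userCertSet.list=2,3,9
policyset.userCertSet.2.default.params.range=180
policyset.userCertSet.2.constraint.params.range=365
policyset.userCertSet.2.constraint.params.notBeforeCheck=false
policyset.userCertSet.2.constraint.params.notAfterCheck=false
policyset.userCertSet.3.constraint.params.keyType=RSA
policyset.userCertSet.3.constraint.params.keyMinLength=512
policyset.userCertSet.3.constraint.params.keyMaxLength=4096
policyset.userCertSet.9.default.params.signingAlg=SHA1withRSA
policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA
"""


@dataclass
class Request:
    """The parts of an enrollment request that the three policies inspect."""
    key_type: str
    key_bits: int
    validity_days: Optional[int] = None   # None: the profile default fills it
    signing_alg: Optional[str] = None     # None: the profile default fills it


def parse_profile(text: str) -> Dict[str, str]:
    """Parse flat key=value lines into a dict; blanks and '#' lines are skipped."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def param(cfg: Dict[str, str], pset: str, idx: int, kind: str, name: str,
          default: Optional[str] = None) -> Optional[str]:
    """Look up policyset.<pset>.<idx>.<default|constraint>.params.<name>."""
    return cfg.get(f"policyset.{pset}.{idx}.{kind}.params.{name}", default)


def evaluate(cfg: Dict[str, str], req: Request,
             pset: str = "userCertSet") -> Tuple[Dict[str, object], List[str]]:
    """Apply each policy's default, then its constraint, as the CA does.

    Returns the effective values and the list of constraint violations;
    an empty list means the request passes these three policies.
    """
    violations: List[str] = []

    # userCertSet.2 Validity: the default supplies a range, the constraint caps it.
    validity = req.validity_days
    if validity is None:
        validity = int(param(cfg, pset, 2, "default", "range"))
    max_range = int(param(cfg, pset, 2, "constraint", "range"))
    if validity > max_range:
        violations.append(f"validity {validity} days exceeds range {max_range} days")

    # userCertSet.3 Key: key type and key-length window.
    want_type = param(cfg, pset, 3, "constraint", "keyType")
    kmin = int(param(cfg, pset, 3, "constraint", "keyMinLength"))
    kmax = int(param(cfg, pset, 3, "constraint", "keyMaxLength"))
    if req.key_type != want_type:
        violations.append(f"key type {req.key_type} is not {want_type}")
    if not kmin <= req.key_bits <= kmax:
        violations.append(f"key length {req.key_bits} outside {kmin}-{kmax}")

    # userCertSet.9 SigningAlg: the default picks one, the constraint allow-lists.
    alg = req.signing_alg or param(cfg, pset, 9, "default", "signingAlg")
    allowed = param(cfg, pset, 9, "constraint", "signingAlgsAllowed", "").split(",")
    if alg not in allowed:
        violations.append(f"signing algorithm {alg} not in {allowed}")

    return {"validity_days": validity, "signing_alg": alg}, violations


def audit_weak_settings(cfg: Dict[str, str], pset: str = "userCertSet",
                        min_rsa_bits: int = 2048) -> List[str]:
    """Reviewer's check (not a product feature): flag settings the profile's
    own constraints accept but that are weak by current standards."""
    findings: List[str] = []
    default_alg = param(cfg, pset, 9, "default", "signingAlg", "")
    if default_alg.startswith(("SHA1", "MD5", "MD2")):
        findings.append(f"default signing algorithm {default_alg} uses a broken hash")
    for alg in param(cfg, pset, 9, "constraint", "signingAlgsAllowed", "").split(","):
        if alg and alg.startswith(("SHA1", "MD5", "MD2")):
            findings.append(f"allowed list still permits {alg}")
    kmin = int(param(cfg, pset, 3, "constraint", "keyMinLength", "0"))
    if kmin < min_rsa_bits:
        findings.append(f"keyMinLength {kmin} is below {min_rsa_bits}")
    return findings


if __name__ == "__main__":
    profile = parse_profile(SAMPLE_PROFILE)
    print(evaluate(profile, Request("RSA", 2048)))
    print(evaluate(profile, Request("EC", 256, validity_days=400, signing_alg="MD5withRSA")))
    print(audit_weak_settings(profile))
```

Run as-is, the first request is accepted with the profile's 180-day default and SHA1withRSA filled in, the second collects one violation per policy, and the audit reports three findings. The audit is the point for a practitioner: the Validity and Key constraints on the page still admit a 512-bit RSA key and a SHA-1 signature, so a profile that passes its own constraints is not necessarily one you should deploy unchanged.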
Profile outputs
The Certificate Output displays the certificate in pretty-print format and cannot be configured or changed. This output must be specified for any automated enrollment: once a user successfully authenticates using the automated enrollment method, the certificate is generated immediately and this output page is returned to the user. In an agent-approved enrollment there is no output page; the user retrieves the certificate, once it is issued, by providing the request ID on the CA end-entities page.