The following is a description of an example caUserCert profile, as shipped with the server. A profile usually contains inputs, policy sets, and outputs. The default caUserCert certificate profile contains the following:
Profile description
This profile is for issuing user, or client, certificates.
Profile inputs
Key generation Specifies that the key pair generation during the request submission be CRMF-based and 1024-bit. This is a read-only field.
Subject name The subject name input is used when distinguished name (DN) parameters need to be collected from the user; the user DN can be used to create the subject name in the certificate. This input uses the following form fields:
UID The user ID of the user in the LDAP directory.
Email The email address of the user.
Common name The name of the user.
Organizational unit The organizational unit to which the user belongs.
Organization The organization name.
Country The country where the user is located.
Requester The requester input collects contact details for the person submitting the request (not necessarily the certificate subject); the requester email is also used, by default, to populate the Subject Alternative Name extension. This input uses the following form fields:
Requester name The name of the certificate requester.
Requester email The email address of the certificate requester.
Requester phone The phone number of the certificate requester.
Profile policy sets
The different policy sets that are set by default on caUserCert are listed in Table 3.2, “caUserCert Profile Policy Sets”.
| Profile Policy Set | Defaults | Constraints |
|---|---|---|
| set1 - SubjectName | No defaults | |
| set2 - Validity | range = 180 days | The range must be less than 365 days. The notBefore and notAfter date checks are turned off. |
| set3 - Key | No defaults | keytype = RSA (the key type must be RSA); keyminLength = 512, keymaxLength = 4096 (the key length must be between 512 and 4096 bits). |
| set4 - Authority Key Identifier | No defaults | No constraints |
| set5 - AIA extension | authinfoaccesscritical = false; authinfoaccessADMethod_0 = OID; authinfoaccessADLocationType_0 = URIName; authinfoaccessADEnable_0 = true; authinfoaccessADLocation_0 = (empty) | No constraints |
| set6 - Key Usage | Populates a Key Usage extension (2.5.29.15) in the request. The default values are: Criticality=true, Digital Signature=true, Non-Repudiation=true, Key Encipherment=true, Data Encipherment=false, Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false | Accepts the Key Usage extension, if present, only when its values match the defaults. |
| set7 - Extended Key Usage | Populates an Extended Key Usage extension in the request. The default values are Criticality=false and OIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 (client authentication and email protection). | No constraints |
| set8 - Subject Alt Name Constraint | Populates a Subject Alternative Name extension (2.5.29.17) in the request. The default values are Criticality=false and Record #0{Pattern:$request.requester_email$, Pattern Type:RFC822Name, Enable:true}. | No constraints |
| set9 - SigningAlg | Populates the certificate signing algorithm. The default value is Algorithm=SHA1withRSA. | Accepts only the following signing algorithms: SHA1withRSA, SHA256withRSA, SHA512withRSA, MD5withRSA, MD2withRSA |

Table 3.2. caUserCert Profile Policy Sets

Note that these are the shipped values, not a recommendation: MD2withRSA, MD5withRSA and SHA1withRSA are no longer acceptable signature algorithms, and the 512-bit keyminLength (and the read-only 1024-bit key generation input) permit RSA keys that are too short for current use. A deployment that issues user certificates from this profile should tighten the set3 key constraint and the set9 signing algorithm constraint, and change the set9 default, rather than keep the defaults shown here.
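The following Python is an added illustration, not Certificate System's own code, of how the policy sets above act on an enrollment request: each set contributes a default (filling in a value the request did not supply) and a constraint (rejecting the request when the resulting value is out of bounds). The dictionary keys, function names and the sample request are hypothetical and constructed for the example; the profile's on-disk configuration format is not reproduced. The `lint_profile` function also shows the two shipped settings a reviewer would tighten before using the profile in production.

```python
# Added example (not Certificate System code): a model of the caUserCert policy
# sets in Table 3.2. Each policy set is a default plus a constraint. The
# request/certificate dictionaries and all function names are hypothetical.
import copy

# set6 default values (Key Usage, 2.5.29.15), as documented.
KEY_USAGE_DEFAULTS = {
    "critical": True,
    "digitalSignature": True,
    "nonRepudiation": True,
    "keyEncipherment": True,
    "dataEncipherment": False,
    "keyAgreement": False,
    "keyCertSign": False,
    "cRLSign": False,
    "encipherOnly": False,
    "decipherOnly": False,
}
# set7 default: id-kp-clientAuth and id-kp-emailProtection.
EKU_DEFAULT_OIDS = ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"]
# set9 constraint: the shipped allow-list, which still includes broken algorithms.
ALLOWED_SIGNING_ALGS = {"SHA1withRSA", "SHA256withRSA", "SHA512withRSA",
                        "MD5withRSA", "MD2withRSA"}
WEAK_SIGNING_ALGS = {"MD2withRSA", "MD5withRSA", "SHA1withRSA"}


def apply_defaults(request):
    """Return a copy of the request with the caUserCert defaults filled in where missing."""
    cert = copy.deepcopy(request)
    cert.setdefault("validity_days", 180)                    # set2: range = 180 days
    cert.setdefault("key_usage", dict(KEY_USAGE_DEFAULTS))   # set6
    cert.setdefault("eku_critical", False)                   # set7
    cert.setdefault("eku_oids", list(EKU_DEFAULT_OIDS))
    cert.setdefault("signing_alg", "SHA1withRSA")            # set9
    if "san" not in cert and cert.get("requester_email"):    # set8: $request.requester_email$
        cert["san"] = [("RFC822Name", cert["requester_email"])]
    return cert


def check_constraints(cert):
    """Return (policy set, reason) pairs for each documented constraint the certificate violates."""
    problems = []
    if not cert["validity_days"] < 365:                      # set2: less than 365 days
        problems.append(("set2", f"validity {cert['validity_days']} days is not under 365"))
    if cert.get("key_type") != "RSA":                        # set3: keytype = RSA
        problems.append(("set3", f"key type {cert.get('key_type')!r} is not RSA"))
    elif not 512 <= cert.get("key_bits", 0) <= 4096:         # set3: 512 <= length <= 4096
        problems.append(("set3", f"key length {cert.get('key_bits')} outside 512..4096"))
    if cert["key_usage"] != KEY_USAGE_DEFAULTS:              # set6: only the default values pass
        problems.append(("set6", "Key Usage extension differs from the profile defaults"))
    if cert["signing_alg"] not in ALLOWED_SIGNING_ALGS:      # set9: allow-list
        problems.append(("set9", f"signing algorithm {cert['signing_alg']} not allowed"))
    return problems


def evaluate(request):
    """Apply defaults, then constraints, as the profile does; returns (certificate, problems)."""
    cert = apply_defaults(request)
    return cert, check_constraints(cert)


def lint_profile(allowed_algs=ALLOWED_SIGNING_ALGS, key_min_length=512):
    """Flag shipped settings that should be tightened before issuing production certificates."""
    findings = []
    weak = sorted(set(allowed_algs) & WEAK_SIGNING_ALGS)
    if weak:
        findings.append("signing algorithm constraint still permits " + ", ".join(weak))
    if key_min_length < 2048:
        findings.append(f"keyminLength {key_min_length} allows RSA keys shorter than 2048 bits")
    return findings


if __name__ == "__main__":
    # Constructed sample request: the values the Subject name and Requester inputs collect.
    request = {"uid": "jdoe", "key_type": "RSA", "key_bits": 2048,
               "requester_email": "jdoe@example.com"}
    cert, problems = evaluate(request)
    print(cert["validity_days"], cert["san"], problems)
    bad = dict(request, validity_days=400,
               key_usage=dict(KEY_USAGE_DEFAULTS, keyCertSign=True))
    print(evaluate(bad)[1])
    print(lint_profile())
    print(lint_profile(allowed_algs={"SHA256withRSA", "SHA512withRSA"}, key_min_length=2048))
```

Running the block shows a request that relies entirely on defaults passing cleanly (180-day validity, SAN taken from the requester email), a request that asks for a 400-day validity and a Key Usage with keyCertSign set being rejected by set2 and set6, and the linter reporting the weak signing algorithms and short key length until the constraints are tightened.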
Profile outputs
The Certificate Output displays the issued certificate in pretty-print format and cannot be configured or changed. This output must be specified for any automated enrollment: once a user successfully authenticates using the automated enrollment method, the certificate is generated immediately and this output page is returned to the user. In an agent-approved enrollment there is no output page, because the certificate is not issued at submission time; the user retrieves it, once an agent has approved the request, by providing the request ID in the CA end entities page.