Administrator's Guide
Red Hat Certificate System                                                            


Chapter 11

Certificate Profiles


This chapter describes how to configure certificate profiles. This chapter contains the following sections:

About Certificate Profiles

A certificate profile defines everything associated with the issuance of a particular type of certificate, including the authentication method, the certificate content (defaults), constraints on the values that content may contain in this type of certificate, and the contents of the input and output forms associated with the certificate profile. Enrollment requests are submitted to a particular certificate profile and are then subject to the defaults and constraints set up in that certificate profile, whether the request is submitted through the input form associated with the certificate profile or by some other means. The certificate issued from a certificate profile request contains the content defined by the defaults, with values derived from the parameters associated with those defaults. The constraints provide rules for which content is allowable in the certificate and define the allowable values for that content.

For example, you could set up a certificate profile for user certificates that defines all aspects of that certificate, including the validity period of the issued certificate. You could set a default that defines the default validity period as two years, and a constraint that the validity period of certificates issued from requests submitted to this certificate profile cannot exceed two years. When a user sends a request using the input form associated with this certificate profile, the issued certificate contains the information specified in the defaults and is valid for two years. If a user submits a preformatted request asking for a certificate with a validity period of four years, the request is rejected, since the constraints allow a maximum validity period of two years for this type of certificate.

A set of certificate profiles has been prebuilt for the most common types of certificates issued. The prebuilt certificate profiles define the defaults and constraints commonly associated with each type of certificate, associate the authentication method common for that type of enrollment, and define the inputs and outputs needed for the certificate profile.

You can use these prebuilt certificate profiles as they are, or you can modify any of them by changing the authentication method, the defaults and constraints used in each policy, the values assigned to any of the parameters in a policy, or the inputs and outputs. You can also create other certificate profiles, either for other types of certificates or to have more than one certificate profile for one type of certificate. You might create more than one certificate profile for a particular type of certificate when you want to issue the same type of certificate with a different authentication method or with different definitions for the defaults and constraints. For example, you might create two certificate profiles used for enrollment for SSL server certificates, where one certificate profile issues certificates with a validity period of six months and the other issues certificates with a validity period of two years.

A set of defaults and constraints has been prebuilt for the most commonly used certificate content and constraints. You can set up additional defaults and constraints using the CS SDK.

An input specifies how the enrollment page is presented and what information is gathered from the end entities. You can use inputs to add text fields to the enrollment page so that additional information can be gathered and used for the enrollment; the input values are used as values in the certificate. A set of inputs has been created that allows you to build an enrollment form containing the fields needed for most certificate profiles you will create. The prebuilt inputs are not configurable in CS; you can change them using the CS SDK. For some options, or for some content you want to collect, you may need to create additional inputs using the CS SDK. The inputs include a certificate request field that can be added to any of the forms so that a certificate request can be pasted into it, allowing a request to be created outside the input form with any request information you need.

An output specifies how the response page to a successful enrollment is presented. It usually displays the certificate in a user-readable format. A single output has been created that shows the pretty print version of the resultant certificate. You can create other outputs using the CS SDK.

How Certificate Profiles Work

An administrator sets up a certificate profile by associating an existing authentication plug-in, or method, with the certificate profile, enabling and configuring defaults and constraints, and defining inputs and outputs. The administrator can use the existing certificate profiles, modify the existing certificate profiles, create new certificate profiles, and delete any certificate profile that will not be used in this PKI.

Once a certificate profile is set up, it appears on the Manage Certificate Profiles page of the agent services interface, where an agent can approve, and thus enable, the certificate profile. Once the certificate profile is enabled, it appears on the Certificate Profile tab of the end-entity interface, where an end entity can enroll for a certificate using that certificate profile.

The Certificate Profile enrollment page contains links to each type of certificate profile enrollment that has been enabled by the agents. When an end entity selects one of those links, an enrollment page appears containing an enrollment form specific to that certificate profile. The enrollment page for this certificate profile in the end-entity interface is dynamically generated from the inputs defined for this certificate profile. If an authentication plug-in is configured, additional fields may be added that are needed to authenticate the user with that authentication method.

When the end entity submits a certificate profile request that is associated with an agent-approved (manual) enrollment, that is, an enrollment where no authentication plug-in is configured, the certificate request is queued in the agent services interface under a certificate profile enrollment, showing that it is different from the old enrollment method. The agent can change some aspects of the enrollment request, validate it, cancel it, reject it, update it, or approve it. The agent can also update the request without submitting it, or validate that the request adheres to the profile's defaults and constraints; this validation is only a check and does not result in the request being submitted. The agent is bound by the constraints set up; the agent cannot change the request in such a way that a constraint is violated. A signed approval is immediately processed and a certificate is issued.

When a certificate profile is associated with an authentication method, the request is approved immediately and generates a certificate automatically if the user successfully authenticates, all the information required is provided, and the request does not violate any of the constraints set up for the certificate profile.

The issued certificate contains the content defined in the defaults for this certificate profile, such as the extensions and validity period, and that content is constrained by the constraints set up for each default. You can set up more than one set of policies (defaults and constraints) within one profile; the policies that belong to one set share the same Policy Set ID, and each set has its own ID. This is particularly useful for dual-key enrollment, where an encryption key and a signing key are submitted to the same profile. The server evaluates each set against each request it receives. When a single certificate is issued, one set is evaluated and any other sets are ignored. When dual key pairs are issued, the first set is evaluated against the first certificate request and the second set against the second certificate request. There is no need for more than one set if you are issuing a single certificate, or for more than two sets if you are issuing dual key pairs.
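The following Python model, added here and not part of the guide or of Certificate System itself, shows the evaluation order the two passages above describe: a default populates a value the request does not carry, a constraint then rejects values outside the allowed range (the two-year user certificate profile rejecting a four-year request), and policy sets are matched one-to-one with the certificate requests in an enrollment, so a single-certificate request touches only the first set while a dual-key request uses the first two. All class, profile and Policy Set ID names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DAYS_PER_YEAR = 365


@dataclass
class ValidityDefault:
    """Default: supplies a validity period (in days) when the request does not carry one."""
    default_days: int

    def apply(self, request: Dict) -> None:
        request.setdefault("validity_days", self.default_days)


@dataclass
class ValidityConstraint:
    """Constraint: the validity period in the request may not exceed max_days."""
    max_days: int

    def check(self, request: Dict) -> Optional[str]:
        days = request["validity_days"]
        if days > self.max_days:
            return f"requested validity of {days} days exceeds the {self.max_days}-day maximum"
        return None


@dataclass
class Policy:
    """One policy pairs one default with one constraint (hypothetical names)."""
    policy_id: str
    default: ValidityDefault
    constraint: ValidityConstraint


@dataclass
class Profile:
    profile_id: str
    # Policy sets keyed by Policy Set ID, in the order they are evaluated.
    policy_sets: Dict[str, List[Policy]] = field(default_factory=dict)

    def evaluate(self, cert_requests: List[Dict]) -> List[Tuple[bool, str]]:
        """Evaluate the i-th certificate request against the i-th policy set.
        A single-certificate request uses only the first set; a dual-key request
        uses the first two. Each request dict is updated in place by the defaults.
        Returns one (accepted, message) pair per certificate request."""
        sets = list(self.policy_sets.values())
        if len(cert_requests) > len(sets):
            raise ValueError("more certificate requests than policy sets in this profile")
        results = []
        for request, policies in zip(cert_requests, sets):
            errors = []
            for policy in policies:
                policy.default.apply(request)               # defaults populate the request first
                problem = policy.constraint.check(request)  # then constraints validate it
                if problem:
                    errors.append(f"{policy.policy_id}: {problem}")
            results.append((not errors, "; ".join(errors) or "accepted"))
        return results


def user_cert_profile() -> Profile:
    """Hypothetical single-certificate profile: two-year default and two-year maximum."""
    two_years = 2 * DAYS_PER_YEAR
    return Profile("exampleUserCert", {
        "userCertSet": [Policy("validity", ValidityDefault(two_years), ValidityConstraint(two_years))],
    })


def dual_key_profile() -> Profile:
    """Hypothetical dual-key profile: one set for the encryption certificate, one for the signing certificate."""
    one_year, two_years = DAYS_PER_YEAR, 2 * DAYS_PER_YEAR
    return Profile("exampleDualCert", {
        "encryptionCertSet": [Policy("validity", ValidityDefault(one_year), ValidityConstraint(one_year))],
        "signingCertSet": [Policy("validity", ValidityDefault(two_years), ValidityConstraint(two_years))],
    })


if __name__ == "__main__":
    profile = user_cert_profile()
    print(profile.evaluate([{}]))                                    # default applied: accepted
    print(profile.evaluate([{"validity_days": 4 * DAYS_PER_YEAR}]))  # four years: rejected
    print(dual_key_profile().evaluate([{}, {"validity_days": 3 * DAYS_PER_YEAR}]))
```

The model deliberately keeps the default and the constraint as separate objects, because that is what makes the agent-side validation step meaningful: an agent can edit a request, but the constraint runs again on the edited request, so nothing an agent changes can escape the profile's limits.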

The request is not evaluated by the Policies set up in the Policy feature of CS. If the enrollment took place in a Registration Manager, both the Registration Manager and the Certificate Manager should have the same certificate profile implemented with the same policies. The profile in the Certificate Manager will have the final authority.

Setting Up Certificate Profiles

You set up certificate profiles by configuring the existing certificate profiles, deleting an existing certificate profile, or adding another certificate profile and configuring it.

Setting up certificate profiles includes the following process:

Modifying a Certificate Profile

Note that you cannot edit any certificate profile that has been approved by an agent. The agent must disapprove or disable the certificate profile before the administrator can edit that certificate profile.

To add a certificate profile and modify an existing or new certificate profile:

  1. Log in to the CS window. See "Logging Into the CS Console" on page 239.
  2. Select the Configuration tab.
  3. In the navigation tree, select the subsystem to which the certificate profile you want to modify belongs.
  4. Select Certificate Profiles.
The Certificate Profile Instances Management tab appears. It lists configured certificate profiles.



  5. To create a new certificate profile:
    1. Click Add.
The Select Certificate Profile Plugin Implementation window appears.
    2. Select Certificate Authority Enrollment Profile if this is a Certificate Manager, or Registration Authority Enrollment Profile if this is a Registration Manager.
    3. Click Next.
The Certificate Profile Instances window appears.
    4. Fill in the following fields in this window:
Certificate Profile Instance ID. Specify the instance ID of the certificate profile. This name or number is used by the system to identify the instance.
Certificate Profile Name. Specify a name for the certificate profile. This name is the user-friendly name of the instance.
Certificate Profile Description. Provide a description to identify the use of this certificate profile.
End User Certificate Profile. Specifies whether or not the request must be made through the input form associated with this certificate profile. Generally, you will set this to true. If you have set up a Registration Manager, set this to false in the certificate profile you set up in the Certificate Manager that corresponds to the certificate profile set up in the Registration Manager. Setting it to false allows a signed request to be processed through the Certificate Manager's Certificate Profile framework rather than through the input page for this certificate profile.
Certificate Profile Authentication. Specify the authentication method. Specify an automated authentication method by providing the instance ID of the authentication instance to be used. If this field is left blank, the request is handled as an agent-approved enrollment; the submitted request is queued in the request queue of the agent services interface.
    5. Click Ok.
The new certificate profile appears in the Certificate Profile Instances Management tab.
  6. To modify an existing certificate profile, select a certificate profile listed in the Certificate Profile Instances Management tab and click Edit/View.
The Certificate Profile Rule Editor window appears. This window contains a lot of information; you may want to enlarge it by dragging one of its corners.
  7. Change the information in the Certificate Profile Rule Editor for any of the following fields:
Certificate Profile Name. Specify a name for the certificate profile. This name is the user-friendly name of the instance.
Certificate Profile Description. Provide a description to identify the use of this certificate profile.
End User Certificate Profile. Specifies whether or not the request must be made through the input form associated with this certificate profile. Generally, you will set this to true. If you have set up a Registration Manager, set this to false in the certificate profile you set up in the Certificate Manager that corresponds to the certificate profile set up in the Registration Manager. Setting it to false allows a signed request to be processed through the Certificate Manager's Certificate Profile framework rather than through the input page for this certificate profile.
Certificate Profile Authentication. Specify the authentication method. Specify an automated authentication method by providing the instance ID of the authentication instance to be used. If this field is left blank, the request is handled as an agent-approved enrollment; the submitted request is queued in the request queue of the agent services interface.
Policies Tab. See Step 8.
Input Tab. See Step 9.
Output Tab. See Step 10.
  8. Set up policies in the Policies tab of the Certificate Profile Rule Editor window.
The Policies tab lists the policies that have been set up for this certificate profile.
To add a policy:
    1. Click Add.
The Certificate Profile Policy Editor window appears.
    2. Choose the default you want to add from the Default field, choose one of the constraints associated with that default from the Constraints field, and then click OK.
The New Certificate Profile Editor window appears.
    3. Fill in the following fields:
Policy Set Id. Type a name or identifier for this set of policies. When you are issuing dual key pairs, you can use separate sets to define the policies associated with each certificate.
Certificate Profile Policy ID. Type a name or identifier for this certificate profile policy.
    4. Configure any parameters in the Default or Constraint tab. See "Defaults Reference," on page 428 and "Constraints Reference," on page 453 for complete details on each default or constraint.
    5. Click Ok.
To modify an existing policy:
    1. Select a policy and click Edit.
The Policy Rule Editor window appears.
    2. The Policy Rule Editor window contains two tabs, Defaults and Constraints.
Defaults define attributes that populate the certificate request that will be used to create the issued certificate. These can be extensions, validity periods, or other fields contained in the certificate. Constraints define valid values for the defaults.
Change the values in the Defaults tab to change the value of a parameter. Change the values in the Constraints tab to change the value of the constraint applied to this policy. Some values can be edited by clicking in the value field and changing the entry; others have pull-down menus from which you pick one of the available values.
See "Defaults Reference," on page 428 and "Constraints Reference," on page 453 for complete information about the available defaults and constraints.
    3. Click Ok.
To delete a policy:
    1. Select the policy.
    2. Click Delete.
  9. Set up inputs in the Inputs tab of the Certificate Profile Rule Editor window.
The Inputs tab lists the inputs that have been set up for this certificate profile. You can add an input or delete an input. You can select an input and then select Edit, but since an input has no parameters or other settings, there is nothing to configure.
To add an input:
    1. Click Add.
The Certificate Profile Input Editor window appears.
    2. Choose the input you want to add from the list and then click OK. See "Input Reference," on page 426 for complete details on the default inputs.
The New Certificate Profile Editor window appears.
    3. Fill in the following field:
Id. Type a name or identifier for this input.
    4. Click Ok.
This input is listed in the Inputs tab. You can edit it to provide values for the parameters in this input.
To delete an input:
    1. Select the input.
    2. Click Delete.
  10. Set up outputs in the Outputs tab of the Certificate Profile Rule Editor window.
You need to set up outputs for any certificate profile that uses an automated authentication method; you do not need to set up outputs for a certificate profile that uses agent-approved enrollment. The Outputs tab lists the outputs that have been set up for this certificate profile. You can add an output or delete an output. You can select an output and then select Edit, but since an output has no parameters or other settings, there is nothing to configure.
To add an output:
    1. Click Add.
The Certificate Profile Output Editor window appears.
    2. Choose the output you want to add from the list and then click OK.
The New Certificate Profile Editor window appears.
    3. Fill in the following field:
Id. Type a name or identifier for this output.
    4. Click Ok.
This output is listed in the Outputs tab. You can edit it to provide values for the parameters in this output.
To delete an output:
    1. Select the output.
    2. Click Delete.
  11. Delete any certificate profiles you do not want an agent to be able to approve. Any certificate profile that appears in the Certificate Profile Instance Management tab also appears on the Certificate Profiles page in the agent services interface, where an agent can enable it. If you do not want a certificate profile to be enabled by an agent, delete it from this list by selecting it and then clicking Delete.
Note

Once a certificate profile is enabled by an agent, that certificate profile is marked enabled in the Certificate Profile Instance Management tab, and the certificate profile cannot be edited in any way. To edit that certificate profile, an agent must first disable the certificate profile.


Certificate Profile Reference

A set of certificate profiles has been prebuilt for the types of certificates that are usually issued by an RA and a CA. All certificate profiles are installed with a CA; only those certificate profiles whose names begin with ra are installed with an RA. The default certificate profiles include the following:

  • Configured for end user enrollments in a Certificate Manager.
  • Configured for enrollments for dual key pairs in a Certificate Manager. Two keys are generated, a signing key and an encryption key, and two certificates are issued, one for each of those keys. This certificate profile only works with the Netscape 7 or later browser.
  • Configured for enrollments for an SSL server certificate in a Certificate Manager.
  • Configured for enrollments for a CA signing certificate in a Certificate Manager.
  • Configured for enrollments for an RA signing certificate in a Certificate Manager.
  • Configured for enrollments for an OCSP signing certificate in a Certificate Manager.
  • Configured for enrollments for a transport signing certificate, used by the Data Recovery Manager, in a Certificate Manager.
  • Configured for enrollments for a signed audit signing certificate, used by a subsystem to sign the signed audit logs.
  • Configured for enrollments for end user certificates using directory-based authentication in a Certificate Manager.
  • Configured for enrollments for server certificates, allowing automatic issuance of the server certificate on validation of an agent's certificate, in a Certificate Manager.
  • Configured for end user enrollments. When installed in an RA, the value of the End User Certificate Profile field is set to true; when installed in a CA, the value of the End User Certificate Profile field is set to false. In a CA, you set this certificate profile up to match the certificate profile set up in the RA; the value of the End User Certificate Profile needs to be set to false for the CA to be able to accept the request from somewhere other than the certificate profile enrollment form.
  • Configured for enrollments for dual key pairs in a Registration Manager. Two keys are generated, a signing key and an encryption key, and two certificates are issued, one for each of those keys. This certificate profile only works with the Netscape 7 or later browser. When installed in an RA, the value of the End User Certificate Profile field is set to true; when installed in a CA, the value of the End User Certificate Profile field is set to false. In a CA, you set this certificate profile up to match the certificate profile set up in the RA; the value of the End User Certificate Profile needs to be set to false for the CA to be able to accept the request from somewhere other than the certificate profile enrollment form.
  • Configured for enrollments for an SSL server certificate. When installed in an RA, the value of the End User Certificate Profile field is set to true; when installed in a CA, the value of the End User Certificate Profile field is set to false. In a CA, you set this certificate profile up to match the certificate profile set up in the RA; the value of the End User Certificate Profile needs to be set to false for the CA to be able to accept the request from somewhere other than the certificate profile enrollment form.
  • Configured for enrollments for a CA signing certificate. When installed in an RA, the value of the End User Certificate Profile field is set to true; when installed in a CA, the value of the End User Certificate Profile field is set to false. In a CA, you set this certificate profile up to match the certificate profile set up in the RA; the value of the End User Certificate Profile needs to be set to false for the CA to be able to accept the request from somewhere other than the certificate profile enrollment form.
  • Configured for enrollments for an RA signing certificate. When installed in an RA, the value of the End User Certificate Profile field is set to true; when installed in a CA, the value of the End User Certificate Profile field is set to false. In a CA, you set this certificate profile up to match the certificate profile set up in the RA; the value of the End User Certificate Profile needs to be set to false for the CA to be able to accept the request from somewhere other than the certificate profile enrollment form.
  • Configured for enrollments for a transport signing certificate, used by the Data Recovery Manager, in a Registration Manager. When installed in an RA, the value of the End User Certificate Profile field is set to true; when installed in a CA, the value of the End User Certificate Profile field is set to false. In a CA, you set this certificate profile up to match the certificate profile set up in the RA; the value of the End User Certificate Profile needs to be set to false for the CA to be able to accept the request from somewhere other than the certificate profile enrollment form.
  • Configured for enrollments for a signed audit signing certificate, used by a subsystem to sign the signed audit logs.

Input Reference

An input puts certain fields on the enrollment page associated with a particular certificate profile. You define inputs for a certificate profile which are used to dynamically generate the enrollment page.

Certificate Request Input

The Certificate Request Input input is used for enrollments in which a certificate request will be pasted into the enrollment form. It allows the type of request to be specified from a drop down list, and provides an input field to paste the request.

This input puts the following fields into the enrollment form:

Certificate Request Type. This field allows the user to choose the certificate request type of the request they are submitting from the drop down menu. The choices include PKCS#10, CRMF, and CMC.

Certificate Request. This field allows the user to paste a request into the supplied input field.

Dual Key Generation Input

The Dual Key Generation Input input is used for enrollments in which dual key pairs will be generated, and thus two certificates issued, one for the signing certificate and one for the encryption certificate. The generation of dual key pairs using the certificate profile interface is only supported for the Netscape 7 and later browsers.

This input puts the following fields into the enrollment form:

Key Generation Request Type. This field is a read only field displaying crmf as the request type. (Note: This field will display Not Supported on browsers other than Netscape 7 and above.)

Key Generation Request. This field is a read only field displaying 1024 (Encryption), 1024 (Signing) as the key generation request. (Note: This field will display Not Supported on browsers other than Netscape 7 and above.)

Key Generation Input

The Key Generation Input input is used for enrollments in which a single key pair will be generated, generally used for user-based certificate enrollments.

This input puts the following fields into the enrollment form:

Key Generation Request Type. This field is a read only field displaying crmf as the request type.

Key Generation Request. This field is a read only field displaying 1024 (High Grade) as the key generation request.

Subject Name Input

The Subject Name Input input is used for enrollment when distinguished name parameters need to be collected from the user. The collected parameters could be used for formulating the subject name in the certificate.

This input puts the following fields into the enrollment form:

UID. This field is for the user ID of this user, as specified for this user in the LDAP directory.

Email. This field is for entering the email address of the user.

Common Name. This field is for entering the name of the user.

Organizational Unit. This field is for entering the organizational unit to which the user belongs.

Organization. This field is for entering the organization name.

Country. This field is for entering the country to which the user belongs.

Submitter Information Input

The Submitter Information Input input is used to collect the certificate requestor's information such as name, email and phone.

This input puts the following fields into the enrollment form:

Requestor Name. This field is used to enter the name of the requestor of this certificate.

Requestor Email. This field is used to enter the email address of the requestor of this certificate.

Requestor Phone. This field is used to enter the phone number of the requestor of this certificate.

Output Reference

An output represents the response to the end user of a successful enrollment.

certOutputImpl

This output displays the certificate in pretty print format. It is the only output defined at this time. You cannot configure or change this output. It does not display anything other than the certificate in pretty print format.

This output needs to be specified for any automated enrollment. Once a user successfully authenticates using the automated enrollment method, the certificate is automatically generated, and this output page is returned to the user. In an agent-approved enrollment, the user can get the certificate, once it is issued, by providing the request id in the end-entity interface; there is no output page associated with agent-approved enrollment.

Defaults Reference

Defaults are used to define the contents of a certificate and the values associated with that content. This section lists the pre built defaults with complete definitions of each.

Authority Info Access Extension Default

This default populates the Authority Info Access extension. This extension specifies how an application validating a certificate can access information, such as on-line validation services and CA policy statements, about the CA that has issued the certificate. Note that this extension should not be used to point directly to the CRL location maintained by a CA; the CRL Distribution Points extension explained in "CRL Distribution Points Extension Default" on page 432 allows you to provide references to CRL locations.

For general information about this extension, see "authorityInfoAccess" on page 731.

You can define the following constraints with this default:

This default allows you to define 5 locations and specify parameters for each location. The parameters are marked with an <n> in the table to distinguish that the parameter is associated with one of the five possible locations.

Table 11-1 Authority Info Access Extension Default Configuration Parameters

Parameter
    Description

Critical
    Select true to mark this extension critical; select false to mark the extension noncritical.

Method_<n>
    Specifies the access method for retrieving additional information about the CA that has issued the certificate in which the extension appears. Provide one of the following values:
      • ocsp (or 1.3.6.1.5.5.7.48.1)
      • caIssuers (or 1.3.6.1.5.5.7.48.2)
      • renewal (or 2.16.840.1.113730.16.1)

LocationType_<n>
    Specifies the general-name type of the location that contains additional information about the CA that has issued the certificate in which this extension appears. Select one of the following types from the drop-down menu: DirectoryName, DNSName, EDIPartyName, IPAddress, OID, RFC822Name, or URI.

Location_<n>
    Specifies the address or location from which to get additional information about the CA that has issued the certificate in which this extension appears. The form of the value depends on the location type:
      • If you selected directoryName, the value must be a string form of X.500 name, similar to the subject name in a certificate. For example, CN=SubCA, OU=Research Dept, O=Example Corporation, C=US.
      • If you selected dNSName, the value must be a valid domain name in the fully-qualified DNS format. For example, testCA.example.com.
      • If you selected EDIPartyName, the value must be an IA5String. For example, Example Corporation.
      • If you selected iPAddress, the value must be a valid IP address (IPv4 or IPv6). An IPv4 address must be in n.n.n.n format; an IPv4 address with a netmask must be in n.n.n.n,m.m.m.m format. For example, 128.21.39.40 or 128.21.39.40,255.255.255.00. An IPv6 address and its netmask are likewise separated by a comma. For example, 0:0:0:0:0:0:13.1.68.3 and FF01::43, or with netmasks, 0:0:0:0:0:0:13.1.68.3,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:255.255.255.0 and FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000.
      • If you selected OID, the value must be a unique, valid OID specified in dot-separated numeric component notation. For example, 1.2.3.4.55.6.5.99.
      • If you selected RFC822Name, the value must be a valid Internet mail address in the fully qualified DNS format.
      • If you selected URI, the value must be a non-relative universal resource identifier (URI) following the URL syntax and encoding rules. That is, the name must include both a scheme (for example, http) and a fully qualified domain name or IP address of the host. For example, http://ocspResponder.example.com:8000.

Enable_<n>
    Specifies whether or not this location is enabled. Select true to enable, select false to disable.
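The checks below, added here as an illustration and not part of the guide or of Certificate System, implement the value rules in Table 11-1 for each LocationType, map the Method_<n> names to the OIDs the table lists, and apply the caveat from the introduction to this default (an Authority Info Access location should not point at a CRL). They use only the Python standard library; `valid_location`, `check_aia_entry` and the dictionary keys are hypothetical names chosen for this example, not parameters of the product.

```python
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Access methods accepted for Method_<n>, with the OIDs Table 11-1 lists for them.
ACCESS_METHODS = {
    "ocsp": "1.3.6.1.5.5.7.48.1",
    "caIssuers": "1.3.6.1.5.5.7.48.2",
    "renewal": "2.16.840.1.113730.16.1",
}

_FQDN = re.compile(r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")
_OID = re.compile(r"^\d+(?:\.\d+)+$")
_RDN = re.compile(r"^\s*[A-Za-z][A-Za-z0-9]*\s*=\s*[^,=]+\s*$")   # one "type=value" component


def normalize_method(method: str) -> Optional[str]:
    """Accept a method name or its OID; return the OID, or None if the method is unknown."""
    if method in ACCESS_METHODS:
        return ACCESS_METHODS[method]
    return method if method in ACCESS_METHODS.values() else None


def _is_fqdn(host: str) -> bool:
    return bool(_FQDN.match(host))


def _valid_ip_with_optional_mask(value: str) -> bool:
    # Either "address" or "address,netmask"; both parts must parse and share one IP version.
    parts = value.split(",")
    if len(parts) > 2:
        return False
    try:
        addrs = [ipaddress.ip_address(part) for part in parts]
    except ValueError:
        return False
    return len({addr.version for addr in addrs}) == 1


def _valid_uri(value: str) -> bool:
    # Non-relative URI: needs a scheme and a host that is an FQDN or an IP address.
    parts = urlsplit(value)
    if not parts.scheme or not parts.hostname:
        return False
    if _is_fqdn(parts.hostname):
        return True
    try:
        ipaddress.ip_address(parts.hostname)
        return True
    except ValueError:
        return False


def valid_location(location_type: str, value: str) -> bool:
    """Check a Location_<n> value against the rule Table 11-1 gives for its LocationType_<n>."""
    kind = location_type.lower()
    if kind == "directoryname":
        return value.strip() != "" and all(_RDN.match(rdn) for rdn in value.split(","))
    if kind == "dnsname":
        return _is_fqdn(value)
    if kind == "edipartyname":
        return value != "" and value.isascii() and value.isprintable()   # IA5String
    if kind == "ipaddress":
        return _valid_ip_with_optional_mask(value)
    if kind == "oid":
        return bool(_OID.match(value))
    if kind == "rfc822name":
        local, at, domain = value.rpartition("@")
        return bool(at and local and _is_fqdn(domain))
    if kind == "uri":
        return _valid_uri(value)
    raise ValueError(f"unknown LocationType: {location_type}")


def check_aia_entry(entry: Dict[str, str]) -> List[str]:
    """Return the problems found in one Method/LocationType/Location/Enable group.
    Assumption: a location with Enable=false is not emitted, so it is not checked."""
    if entry.get("Enable", "true").lower() != "true":
        return []
    problems = []
    if normalize_method(entry.get("Method", "")) is None:
        problems.append(f"unknown access method {entry.get('Method')!r}")
    location_type = entry.get("LocationType", "")
    location = entry.get("Location", "")
    try:
        if not valid_location(location_type, location):
            problems.append(f"{location!r} is not a valid {location_type}")
    except ValueError as exc:
        problems.append(str(exc))
    # The chapter's caveat: AIA is not the place to publish a CRL location.
    if location_type.lower() == "uri" and urlsplit(location).path.lower().endswith(".crl"):
        problems.append("location points at a CRL; use the CRL Distribution Points extension instead")
    return problems
```

A location that fails these checks is worth catching before the profile is approved, because a certificate that ships a malformed or unreachable AIA location is already in the field when the first relying party notices; the agent's validation step is the last point at which it costs nothing to fix.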

Authority Key Identifier Extension Default

This default populates the Authority Key Identifier extension into the certificate request. The extension is used to identify the public key that corresponds to the private key used by a CA to sign certificates.

For general information about this extension, see "authorityKeyIdentifier" on page 731.

This default has no parameters. If used, this extension is included in the certificate with the public key information.

Basic Constraints Extension Default

This default populates Basic Constraint extension in the certificate request. The extension identifies whether or not the Certificate Manager is a CA. The extension is also used during the certificate chain verification process to identify CA certificates and to apply certificate chain-path length constraints.

For general information about this extension, see "basicConstraints" on page 732.

You can define the following constraints with this default:

Table 11-2 Basic Constraints Extension Default Configuration Parameters  
Parameter
Description
Critical
Select true to mark this extension critical; select false to mark the extension noncritical.
IsCA
Specifies whether the certificate subject is a CA. If you select true, the server checks the PathLen parameter and sets the specified path length in the certificate. If you select false, the server treats the certificate subject as a non-CA and ignores the value specified for the PathLen parameter.
PathLen
Specifies the path length, the maximum number of CA certificates that may be chained below (subordinate to) the subordinate CA certificate being issued. Note that the path length you specify affects the number of CA certificates that can be used during certificate validation. The chain starts with the end-entity certificate being validated and moves up the chain.
 
The PathLen (maxPathLen) parameter has no effect if the extension is set in end-entity certificates.
 
Permissible values: 0 or n. Make sure that the value you choose is less than the path length specified in the Basic Constraints extension of the CA signing certificate (owned by the CA that will issue these certificates).
 
  • 0 specifies that no subordinate CA certificates are allowed below the subordinate CA certificate being issued; that is, only an end-entity certificate may follow in the path.
 
  • n must be an integer greater than zero. It specifies that at most n subordinate CA certificates are allowed below the subordinate CA certificate being issued.
 
If you leave the field blank, the path length defaults to a value that is determined by the path length set in the Basic Constraints extension in the issuer's certificate. If the issuer's path length is unlimited, the path length in the subordinate CA certificate will also be unlimited. If the issuer's path length is an integer greater than zero, the path length in the subordinate CA certificate will be set to a value that's one less than the issuer's path length; for example, if the issuer's path length is 4, the path length in the subordinate CA certificate will be set to 3.
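
The following Python example is added here to make the path-length rules concrete; it is not code from the Red Hat Certificate System guide or product. It derives the PathLen a subordinate CA certificate receives when the field is left blank (one less than the issuer's, or unlimited) and then checks a chain of constructed certificate records against the limits. The chain is processed from the issuing CA downward, as a validator does, so the counts are the same as the upward walk described above. The names derive_path_len, validate_path_len, ca and end_entity, and the sample chains, are assumptions made for this example.

```python
# Added example: Basic Constraints pathLen derivation and checking.
# Certificate records are constructed dicts, not real X.509 certificates.
from typing import List, Optional

UNLIMITED = None  # an absent pathLenConstraint places no limit on the chain


def derive_path_len(issuer_path_len: Optional[int], configured: Optional[int]) -> Optional[int]:
    """Return the pathLenConstraint to place in a subordinate CA certificate.

    configured      -- the PathLen profile parameter, or None when the field is blank
    issuer_path_len -- the pathLenConstraint in the issuing CA's own certificate, or None
    An explicit value must be below the issuer's limit; a blank value becomes
    issuer_path_len - 1, or stays unlimited when the issuer is unlimited.
    """
    if configured is not None:
        if configured < 0:
            raise ValueError("PathLen must be 0 or a positive integer")
        if issuer_path_len is not UNLIMITED and configured >= issuer_path_len:
            raise ValueError(
                f"PathLen {configured} is not below the issuer's limit of {issuer_path_len}")
        return configured
    if issuer_path_len is UNLIMITED:
        return UNLIMITED
    if issuer_path_len == 0:
        # Assumption: an issuer whose own pathLen is 0 may not issue CA certificates,
        # so there is nothing sensible to derive.
        raise ValueError("the issuing CA's pathLen of 0 allows no subordinate CAs")
    return issuer_path_len - 1


def ca(name: str, path_len: Optional[int] = UNLIMITED) -> dict:
    """Constructed stand-in for a CA certificate carrying a Basic Constraints extension."""
    return {"name": name, "is_ca": True, "path_len": path_len}


def end_entity(name: str) -> dict:
    """Constructed stand-in for an end-entity certificate (cA is false)."""
    return {"name": name, "is_ca": False, "path_len": UNLIMITED}


def validate_path_len(chain: List[dict]) -> bool:
    """Check the pathLenConstraints of a chain ordered trust anchor first, end entity last.

    Every CA certificate below the anchor consumes one step of the current limit, and a
    CA certificate's own pathLenConstraint can only tighten the limit for the certificates
    below it (RFC 5280 section 6.1.4). The end-entity certificate's value is ignored.
    """
    limit = UNLIMITED
    for position, cert in enumerate(chain[:-1]):
        if not cert["is_ca"]:
            return False  # only CA certificates may issue further certificates
        if position > 0:  # the anchor is not counted against its own limit
            if limit is not UNLIMITED:
                if limit == 0:
                    return False  # one CA certificate too many in the path
                limit -= 1
        own = cert["path_len"]
        if own is not UNLIMITED and (limit is UNLIMITED or own < limit):
            limit = own
    return True


# Constructed chains: the root allows exactly one level of subordinate CA below it.
CHAIN_OK = [ca("Root CA", path_len=1), ca("Sub CA", derive_path_len(1, None)),
            end_entity("server01")]
CHAIN_TOO_DEEP = [ca("Root CA", path_len=1), ca("Sub CA"), ca("Sub-Sub CA"),
                  end_entity("server01")]

if __name__ == "__main__":
    print("blank PathLen under an issuer with pathLen 4 becomes", derive_path_len(4, None))
    print("CHAIN_OK valid:", validate_path_len(CHAIN_OK))
    print("CHAIN_TOO_DEEP valid:", validate_path_len(CHAIN_TOO_DEEP))
```

The derived value for `CHAIN_OK` is 0, which is why a second subordinate CA in `CHAIN_TOO_DEEP` fails: the root's limit of 1 is used up by the first subordinate, exactly the case the 0 bullet above describes.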

CRL Distribution Points Extension Default

This default populates the CRL Distribution Points extension in the certificate request. This extension, when present in a certificate, identifies one or more locations from which an application that is validating the certificate can obtain the CRL (to verify the revocation status of the certificate).

For general information about this extension, see "CRLDistributionPoints" on page 733.

You can define the following constraints with this default:

This default allows you to define 5 locations and specify parameters for each location. The parameters are marked with an <n> in the table to distinguish that the parameter is associated with one of the five possible locations.

Table 11-3 CRL Distribution Points Extension Configuration Parameters  
Parameter
Description
Critical
Select true to mark this extension critical; select false to mark the extension noncritical.
Type_<n>
Specifies the type of the CRL distribution point.
Permissible values: DirectoryName, URIName, or RelativeToIssuer. The type you select must correspond to the value in the Name field.
Name_<n>
Specifies the name of the CRL distribution point. The name can be in any of the following formats:
  • An X.500 directory name in the RFC 2253 syntax. For example, the name would look similar to the subject name in a certificate, like this: CN=CA Central, OU=Research Dept, O=Example Corporation, C=US
  • A URIName; for example, it would look similar to this:
    http://testCA.example.com:80
  • An RDN which specifies a location relative to the CRL Issuer. In this case, the value of the Type attribute must be RelativeToIssuer.
Reasons_<n>
Specifies revocation reasons covered by the CRL maintained at the distribution point. Provide a comma-separated list of the following constants:
  • unused
  • keyCompromise
  • cACompromise
  • affiliationChanged
  • superseded
  • cessationOfOperation
  • certificateHold
IssuerName_<n>
Specifies the name of the issuer that has signed the CRL maintained at the distribution point. The name can be in any of the following formats:
  • An X.500 directory name in the RFC 2253 syntax. For example:
    CN=CA Central, OU=Research Dept, O=Example Corporation, C=US
  • A URIName; for example, it would look similar to this:
    http://testCA.example.com:80
IssuerType_<n>
Specifies the general-name type of the CRL issuer that has signed the CRL maintained at the distribution point.
Permissible values: DirectoryName or URIName. The value you specify for this parameter must correspond to the value in the IssuerName field.
  • Select DirectoryName if the value in the IssuerName field is an X.500 directory name.
  • Select URIName if the value in the IssuerName field is a uniform resource identifier.

Extended Key Usage Extension Default

This default populates the Extended Key Usage extension in the certificate request.

For general information about this extension, see "extKeyUsage" on page 734.

The extension identifies one or more purposes, in addition to or in place of the basic purposes indicated in the Key Usage extension, for which the certified public key may be used. For example, if the Key Usage extension identifies a key to be used for signing, the Extended Key Usage extension can further narrow the use of the key to signing OCSP responses only or to signing Java applets only.

Table 11-4 PKIX usage definitions for the extended key usage extension  
Usage
OID
Server authentication
1.3.6.1.5.5.7.3.1
Client authentication
1.3.6.1.5.5.7.3.2
Code signing
1.3.6.1.5.5.7.3.3
Email
1.3.6.1.5.5.7.3.4
IPSec end system
1.3.6.1.5.5.7.3.5
IPSec tunnel
1.3.6.1.5.5.7.3.6
IPSec user
1.3.6.1.5.5.7.3.7
Timestamping
1.3.6.1.5.5.7.3.8

Note that Windows 2000 allows you to encrypt files on the hard disk, a feature known as encrypted file system (EFS), using certificates that contain the Extended Key Usage extension with the following two OIDs:

1.3.6.1.4.1.311.10.3.4 (this OID is for the EFS certificate)

1.3.6.1.4.1.311.10.3.4.1 (this OID is for the EFS recovery certificate)

The EFS recovery certificate is used by a recovery agent when a user loses the private key and the data encrypted with that key needs to be used. CS supports the above two OIDs and allows you to issue certificates containing extended key usage extension with these OIDs.

Normal user certificates should be created with only the EFS OID, not the recovery OID.

You can define the following constraints with this default:

Table 11-5 Extended Key Usage Extension Default Configuration Parameters  
Parameter
Description
Critical
Select true to mark this extension critical; select false to mark the extension noncritical.
OIDs
Specifies the OID that identifies a key-usage purpose.
Permissible values: A unique, valid OID specified in the dot-separated numeric component notation. Depending on the key-usage purposes, you may choose to use the OIDs designated by PKIX (listed in Table 11-4 on page 434) or define your own OIDs. If you're defining your own OID, it should be in the registered subtree of IDs reserved for your company's use. Although you can invent your own OIDs for the purposes of evaluating and testing this server, in a production environment, you should comply with the ISO rules for defining OIDs and for registering subtrees of IDs. See Appendix H, "Object Identifiers" for information on allocating private OIDs.
Example: 2.16.840.1.113730.1.99

Freshest CRL Extension Default

This default populates the Freshest CRL extension in the certificate request. It enables you to configure a Certificate Manager to set the Freshest CRL extension in certificates.

You can define the following constraints with this default:

This default allows you to define 5 locations and specify parameters for each location. The parameters are marked with an <n> in the table to distinguish that the parameter is associated with one of the five possible locations.

Table 11-6 Freshest CRL Extension Default Configuration Parameters  
Parameter
Description
Critical
Select true to mark this extension critical; select false to mark the extension noncritical.
PointEnable_<n>
Select true to enable this point; select false to disable this point.
PointType_<n>
Specifies the type of issuing point. Select from DirectoryName and URIName.
PointName_<n>
  • If PointType is set to DirectoryName, the value must be a string form of an X.500 name, similar to the subject name in a certificate. For example, CN=CACentral,OU=Research Dept,O=Example Corporation,C=US.
  • If PointType is set to URIName, the name must be a URIName; the URIName must be an absolute pathname and must specify the host. For example:
http://testCA.example.com/get/your/crls/here/
PointIssuerName_<n>
Specifies the name of the issuer that has signed the CRL maintained at this distribution point. The name can be in any of the following formats:
  • An X.500 directory name in the RFC 2253 syntax. For example:
    CN=CA Central, OU=Research Dept, O=Example Corporation, C=US
  • A URIName; for example:
    http://testCA.example.com:80
PointIssuerType_<n>
Specifies the general-name type of the CRL issuer that signed the CRL maintained at the distribution point.
Permissible values: DirectoryName or URIName. The value you specify for this parameter must correspond to the value in the PointIssuerName field.

Key Usage Extension Default

This default populates the Key Usage extension in the certificate request. The extension specifies the purposes for which the key contained in a certificate should be used (for example, whether the key should be used for data signing, key encipherment, or data encipherment) and thus enables you to restrict the use of a key pair to predetermined purposes.

For general information about this extension, see "keyUsage" on page 736.

You can define the following constraints with this default:

Table 11-7 Key Usage Extension Default Configuration Parameters  
Parameter
Description
critical
Select true to mark this extension critical; select false to mark the extension noncritical.
digitalSignature
Specifies whether to set the digitalSignature bit, which is used in SSL client certificates, S/MIME signing certificates, and object-signing certificates. Select true to set, select false to not set.
nonRepudiation
Specifies whether to set the nonRepudiation bit, which is used in some S/MIME signing certificates and object-signing certificates. Note, however, that the use of this bit is controversial. You should carefully consider the legal consequences of its use before setting it for any certificate. Select true to set, select false to not set.
keyEncipherment
Specifies whether to set the extension for SSL server certificates and S/MIME encryption certificates. Select true to set, select false to not set.
dataEncipherment
Specifies whether to set the extension when the subject's public key is used to encipher user data (as opposed to key material). Select true to set, select false to not set.
keyAgreement
Specifies whether to set the extension whenever the subject's public key is used for key agreement. Select true to set, select false to not set.
keyCertSign
Specifies whether to set the extension for all CA signing certificates. Select true to set, select false to not set.
cRLSign
Specifies whether to set the extension for CA signing certificates that are used to sign CRLs. Select true to set, select false to not set.
encipherOnly
Specifies whether to set the extension if the public key is to be used only for enciphering data. If this bit is set, keyAgreement should also be set. Select true to set, select false to not set.
decipherOnly
Specifies whether to set the extension if the public key is to be used only for deciphering data. If this bit is set, keyAgreement should also be set. Select true to set, select false to not set.
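
The following Python example is added to show what the parameters in this table become in an issued certificate; it is not code from the Red Hat Certificate System guide or product. It checks a parameter set for the consistency rules stated above (encipherOnly and decipherOnly require keyAgreement) plus two RFC 5280 requirements (at least one bit set; keyCertSign only where Basic Constraints says IsCA), and it DER-encodes the resulting KeyUsage BIT STRING so the bytes can be compared against an issued certificate. The helper names and the three sample profiles are assumptions made for this example.

```python
# Added example: validate a Key Usage Extension Default's parameters and show the
# bit string that ends up in the issued certificate. The parameter names are the
# ones the table above uses; the profile values are constructed samples.
from typing import Dict, List, Set, Union

# Bit positions from RFC 5280 section 4.2.1.3, bit 0 first.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]


def _is_true(value: Union[str, bool, None]) -> bool:
    """Profile parameters arrive as the strings 'true'/'false'; accept bools too."""
    return value is True or str(value).strip().lower() == "true"


def check_key_usage(params: Dict[str, Union[str, bool]], is_ca: bool = False) -> List[str]:
    """Return a list of configuration problems (empty when the parameters are consistent)."""
    problems = []
    for name in params:
        if name not in KEY_USAGE_BITS and name != "critical":
            problems.append(f"unknown parameter {name!r}")
    enabled = {name for name in KEY_USAGE_BITS if _is_true(params.get(name))}
    if not enabled:
        problems.append("no key usage bit is set; RFC 5280 requires at least one")
    for bit in ("encipherOnly", "decipherOnly"):
        if bit in enabled and "keyAgreement" not in enabled:
            problems.append(f"{bit} is set but keyAgreement is not")
    if "keyCertSign" in enabled and not is_ca:
        problems.append("keyCertSign is set on a profile whose Basic Constraints IsCA is false")
    return problems


def key_usage_der(params: Dict[str, Union[str, bool]]) -> bytes:
    """DER-encode the KeyUsage BIT STRING (tag 0x03) for the parameters set to true.

    DER drops trailing zero bits of a named bit list, so the result is the shortest
    encoding; the first content byte counts the unused bits in the last byte.
    """
    set_bits = [i for i, name in enumerate(KEY_USAGE_BITS) if _is_true(params.get(name))]
    if not set_bits:
        return b"\x03\x01\x00"  # empty bit string
    highest = max(set_bits)
    nbytes = highest // 8 + 1
    value = bytearray(nbytes)
    for bit in set_bits:
        value[bit // 8] |= 0x80 >> (bit % 8)  # bit 0 is the most significant bit
    unused = nbytes * 8 - (highest + 1)
    body = bytes([unused]) + bytes(value)
    return bytes([0x03, len(body)]) + body


def key_usage_from_der(der: bytes) -> Set[str]:
    """Decode a DER KeyUsage BIT STRING back into parameter names (to audit an issued cert)."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused = der[2]
    bits_present = (len(der) - 3) * 8 - unused
    names = set()
    for bit in range(min(bits_present, len(KEY_USAGE_BITS))):
        if der[3 + bit // 8] & (0x80 >> (bit % 8)):
            names.add(KEY_USAGE_BITS[bit])
    return names


# Constructed profile parameter sets, in the form the table above describes.
SERVER_PROFILE = {"critical": "true", "digitalSignature": "true", "keyEncipherment": "true"}
CA_PROFILE = {"critical": "true", "keyCertSign": "true", "cRLSign": "true"}
BROKEN_PROFILE = {"critical": "true", "encipherOnly": "true"}  # keyAgreement missing

if __name__ == "__main__":
    for label, profile in [("server", SERVER_PROFILE), ("ca", CA_PROFILE), ("broken", BROKEN_PROFILE)]:
        print(label, key_usage_der(profile).hex(), check_key_usage(profile, is_ca=(label == "ca")))
```

The two encodings this produces for the server and CA profiles, `030205a0` and `03020106`, are the byte strings you see when dumping the Key Usage extension of typical TLS server and CA certificates, which makes the decoder a quick way to confirm that an issued certificate matches its profile.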

Name Constraints Extension Default

This default populates a name constraint extension in the certificate request. The extension is used in CA certificates to indicate a name space within which subject names or subject alternative names in subsequent certificates in a certification path or chain should be located.

For general information about this extension, see "nameConstraints" on page 737.

You can define the following constraints with this default:

This default allows you to define 5 locations for both the permitted subtree and the excluded subtree and specify parameters for each of these locations. The parameters are marked with an <n> in the table to distinguish that the parameter is associated with one of the five possible locations.

Table 11-8 Name Constraints Extension Default Configuration Parameters  
Parameter
Description
critical
Select true to mark this extension critical; select false to mark the extension noncritical.
PermittedSubtreeMin_<n>
Specifies the minimum number of permitted subtrees.
  • -1 specifies that the field should not be set in the extension.
  • 0 specifies that the minimum number of subtrees is zero.
  • n must be an integer that is greater than zero. It specifies that at most n subtrees are allowed.
PermittedSubtreeMax_<n>
Specifies the maximum number of permitted subtrees.
  • -1 specifies that the field should not be set in the extension.
  • 0 specifies that the maximum number of subtrees is zero.
  • n must be an integer that is greater than zero. It specifies that at most n subtrees are allowed.
PermittedSubtreeNameChoice_<n>
Specifies the general-name type for the permitted subtree you want to include in the extension.
Permissible values: RFC822Name, DirectoryName, DNSName, EDIPartyName, URIName, IPAddress, OIDName, or OtherName.
PermittedSubtreeNameValue_<n>
Specifies the general-name value for the permitted subtree you want to include in the extension.
  • If you selected RFC822Name, the value must be a valid Internet mail address in fully-qualified DNS format. For example, testCA@example.com.
 
  • If you selected DirectoryName, the value must be a string form of X.500 name, similar to the subject name in a certificate. For example, CN=SubCA, OU=Research Dept, O=Example Corporation, C=US.
 
  • If you selected DNSName, the value must be a valid domain name in the fully-qualified DNS format. For example, testCA.example.com.
 
  • If you selected EDIPartyName, the value must be an IA5String. For example, Example Corporation.
 
  • If you selected URIName, the value must be a non-relative universal resource identifier (URI) following the URL syntax and encoding rules. The name must include both a scheme (for example, http) and a fully qualified domain name or IP address of the host. For example, http://testCA.example.com.
 
  • If you selected IPAddress, the value must be a valid IP address (IPv4 or IPv6).
    An IPv4 address must be in n.n.n.n format; an IPv4 address with a netmask must be in n.n.n.n,m.m.m.m format. For example: 128.21.39.40 or 128.21.39.40,255.255.255.00.
    An IPv6 address and its netmask are likewise separated by a comma. For example: 0:0:0:0:0:0:13.1.68.3 and FF01::43; with netmasks, 0:0:0:0:0:0:13.1.68.3,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:255.255.255.0 and FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000.
 
  • If you selected OIDName, the value must be a unique, valid OID specified in dot-separated numeric component notation. For example, 1.2.3.4.55.6.5.99.
 
  • If you selected OtherName, the value must be the absolute path to the file that contains the base-64 encoded string of the subtree. For example, /usr/netscape/servers/ext/nc/othername.txt.
PermittedSubtreeEnable_<n>
Select true to enable this permitted subtree entry; select false to disable this permitted subtree entry.
ExcludedSubtreeMin_<n>
Specifies the minimum number of excluded subtrees.
  • -1 specifies that the field should not be set in the extension.
  • 0 specifies that the minimum number of subtrees is zero.
  • n must be an integer that is greater than zero. It specifies that at most n subtrees are allowed.
ExcludedSubtreeMax_<n>
Specifies the maximum number of excluded subtrees.
  • -1 specifies that the field should not be set in the extension.
  • 0 specifies that the maximum number of subtrees is zero.
  • n must be an integer that is greater than zero. It specifies that at most n subtrees are allowed.
ExcludedSubtreeNameChoice_<n>
Specifies the general-name type for the excluded subtree you want to include in the extension.
Permissible values: RFC822Name, DirectoryName, DNSName, EDIPartyName, URIName, IPAddress, OIDName, or OtherName.
ExcludedSubtreeNameValue_<n>
Specifies the general-name value for the excluded subtree you want to include in the extension.
  • If you selected RFC822Name, the value must be a valid Internet mail address in fully-qualified DNS format. For example, testCA@example.com.
 
  • If you selected DirectoryName, the value must be a string form of X.500 name, similar to the subject name in a certificate. For example, CN=SubCA, OU=Research Dept, O=Example Corporation, C=US.
 
  • If you selected DNSName, the value must be a valid domain name in the fully-qualified DNS format. For example, testCA.example.com.
 
  • If you selected EDIPartyName, the value must be an IA5String. For example, Example Corporation.
 
  • If you selected URIName, the value must be a non-relative universal resource identifier (URI) following the URL syntax and encoding rules. The name must include both a scheme (for example, http) and a fully qualified domain name or IP address of the host. For example, http://testCA.example.com.
 
  • If you selected IPAddress, the value must be a valid IP address (IPv4 or IPv6).
    An IPv4 address must be in n.n.n.n format; an IPv4 address with a netmask must be in n.n.n.n,m.m.m.m format. For example: 128.21.39.40 or 128.21.39.40,255.255.255.00.
    An IPv6 address and its netmask are likewise separated by a comma. For example: 0:0:0:0:0:0:13.1.68.3 and FF01::43; with netmasks, 0:0:0:0:0:0:13.1.68.3,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:255.255.255.0 and FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000.
 
  • If you selected OIDName, the value must be a unique, valid OID specified in dot-separated numeric component notation. For example, 1.2.3.4.55.6.5.99.
 
  • If you selected OtherName, the value must be the absolute path to the file that contains the base-64 encoded string of the subtree. For example, /usr/netscape/servers/ext/nc/othername.txt.
ExcludedSubtreeEnable_<n>
Select true to enable this excluded subtree entry; select false to disable this excluded subtree entry.
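
The following Python example is added to show how the general-name values listed in this table (and the same address and "address,netmask" syntax used for the general-name lists earlier in this chapter) are parsed and then applied; it is not code from the Red Hat Certificate System guide or product. It validates each value against the format its type requires, turns an "address,netmask" pair into a network after checking that the mask is a contiguous prefix, and evaluates a candidate name against permitted and excluded subtrees the way a path validator applies a Name Constraints extension (RFC 5280 section 4.2.1.10). The function names and the PERMITTED and EXCLUDED lists are constructed for this example; the IPv4 sample uses the netmask 255.255.255.0.

```python
# Added example: parse and check general-name values, including "address,netmask",
# and evaluate permitted/excluded name subtrees as a path validator would.
# Function names and the sample subtree lists are constructed for this example.
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import urlsplit

Subtree = Tuple[str, str]  # (general-name type, value) as configured in the profile

_OID_RE = re.compile(r"^[0-2](?:\.\d+)+$")  # dot-separated numeric components
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_fqdn(host: str) -> bool:
    """True for a fully qualified DNS name such as testCA.example.com."""
    labels = host.split(".")
    return len(labels) >= 2 and all(_LABEL_RE.match(label) for label in labels)


def parse_ip_subtree(value: str):
    """Turn 'address' or 'address,netmask' into an ip_network.

    A bare address is a single-host network. With a netmask, the mask must be a
    contiguous run of 1 bits (RFC 5280 requires this for name constraints) and host
    bits in the address are cleared, so 128.21.39.40,255.255.255.0 becomes 128.21.39.0/24.
    """
    addr_text, _, mask_text = value.partition(",")
    addr = ipaddress.ip_address(addr_text.strip())
    if not mask_text:
        return ipaddress.ip_network(str(addr))
    mask = ipaddress.ip_address(mask_text.strip())
    if mask.version != addr.version:
        raise ValueError("address and netmask must be the same IP version")
    width = addr.max_prefixlen
    prefix = bin(int(mask)).count("1")
    if int(mask) != (1 << width) - (1 << (width - prefix)):
        raise ValueError(f"{mask_text.strip()} is not a contiguous netmask")
    return ipaddress.ip_network((str(addr), prefix), strict=False)


def validate_general_name(name_type: str, value: str) -> str:
    """Check a value against the format the guide requires for its type; return it normalized."""
    if name_type == "RFC822Name":
        local, at, domain = value.rpartition("@")
        if not (at and local and is_fqdn(domain)):
            raise ValueError(f"{value!r} is not a mail address with a fully qualified domain")
        return f"{local}@{domain.lower()}"
    if name_type == "DNSName":
        if not is_fqdn(value):
            raise ValueError(f"{value!r} is not a fully qualified DNS name")
        return value.lower()
    if name_type == "URIName":
        parts = urlsplit(value)
        if not parts.scheme or not parts.hostname:
            raise ValueError(f"{value!r} must be an absolute URI that names a host")
        return value
    if name_type == "OIDName":
        if not _OID_RE.match(value):
            raise ValueError(f"{value!r} is not a dotted numeric OID")
        return value
    if name_type == "IPAddress":
        return str(parse_ip_subtree(value))
    if name_type in ("DirectoryName", "EDIPartyName") and value.strip():
        return value.strip()
    raise ValueError(f"unsupported general-name type {name_type!r}")


def in_subtree(name_type: str, name: str, subtree: str) -> bool:
    """Does a name of the given type fall within one configured subtree value?"""
    if name_type == "IPAddress":
        return ipaddress.ip_address(name) in parse_ip_subtree(subtree)
    if name_type == "DNSName":
        host, base = name.lower(), subtree.lower()
        return host == base or host.endswith("." + base)
    if name_type == "RFC822Name":
        domain, base = name.rpartition("@")[2].lower(), subtree.lower()
        if "@" in base:             # a full mailbox constrains one address
            return name.lower() == base
        if base.startswith("."):    # a leading dot constrains all subdomains
            return domain.endswith(base)
        return domain == base       # otherwise every mailbox on that host
    raise ValueError(f"matching is not implemented for {name_type!r}")


def name_allowed(name_type: str, name: str,
                 permitted: List[Subtree], excluded: List[Subtree]) -> bool:
    """A name must lie inside some permitted subtree of its type (when any exist for
    that type) and outside every excluded subtree of its type."""
    same_type = [value for kind, value in permitted if kind == name_type]
    if same_type and not any(in_subtree(name_type, name, s) for s in same_type):
        return False
    return not any(in_subtree(name_type, name, s) for kind, s in excluded if kind == name_type)


# Constructed subtree lists, using the value formats shown in the table above.
PERMITTED = [
    ("DNSName", "example.com"),
    ("IPAddress", "128.21.39.40,255.255.255.0"),
    ("IPAddress", "0:0:0:0:0:0:13.1.68.3,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:255.255.255.0"),
]
EXCLUDED = [("DNSName", "lab.example.com")]
```

Because a subordinate CA constrained this way can only issue names inside the permitted subtrees, validating the configured values before the CA certificate is issued (rather than discovering a malformed netmask when relying parties reject the chain) is the check worth running on every Name Constraints profile.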

Red Hat Comment Extension Default

This default populates a Red Hat comment extension in the certificate request. The extension can be used to include textual comments in certificates. Applications that are capable of interpreting the comment may display it to a relying party when the certificate is used or viewed.

For general information about this extension, see "netscape-comment" on page 749.

You can define the following constraints with this default:

Table 11-9 Red Hat Comment Extension Configuration Parameters  
Parameter
Description
critical
Select true to mark this extension critical; select false to mark the extension noncritical.
CommentContent
Specifies the content of the comment to appear in the certificate.

Netscape Certificate Type Extension Default

This default populates a Netscape Certificate Type extension in the certificate request. The extension identifies the certificate type (for example, whether the certificate is a CA certificate, server SSL certificate, client SSL certificate, object signing certificate, or S/MIME certificate) and thus enables you to restrict the use of a certificate to predetermined purposes.

You can define the following constraints with this default:

Table 11-10 Netscape Certificate Type Extension Default Configuration Parameters  
Parameter
Description
critical
Select true to mark this extension critical; select false to mark the extension noncritical.
SSLClient
Specifies that the certificate can be used by clients for authentication during SSL connections. Select true to include this capability; select false to not include this capability.
SSLServer
Specifies that the certificate can be used by servers for authentication during SSL connections. Select true to include this capability; select false to not include this capability.
CertEmail
Specifies that the certificate can be used to send secure email messages. Select true to include this capability; select false to not include this capability.
CertObjectSigning
Specifies that the certificate can be used for signing objects such as Java applets and plug-ins. Select true to include this capability; select false to not include this capability.
CertSSLCA
Specifies that the certificate can be used by a CA to issue certificates for SSL connections. Select true to include this capability; select false to not include this capability.
CertEmailCA
Specifies that the certificate can be used by a CA to issue certificates for secure email. Select true to include this capability; select false to not include this capability.
CertObjectSigningCA
Specifies that the certificate can be used by a CA to issue certificates for object signing. Select true to include this capability; select false to not include this capability.

No Default Extension

This default can be used to set constraints when no defaults are being used. This default has no settings and sets no defaults, but it does allow you to set all of the constraints available.

OCSP No Check Extension Default

This default populates an OCSP No Check extension in the certificate request. The extension, which should be used in OCSP responder certificates only, indicates how OCSP-compliant applications can verify the revocation status of the certificate an authorized OCSP responder uses to sign OCSP responses.

For general information about this extension, see "OCSPNocheck" on page 738.

You can define the following constraints with this default:

Table 11-11 OCSP No Check Extension Default Configuration Parameters  
Parameter
Description
critical
Select true to mark this extension critical; select false to mark the extension noncritical.

Policy Constraints Extension Default

This default populates a policy constraints extension in the certificate request. The extension, which can be used in CA certificates only, constrains path validation in two ways: it can prohibit policy mapping, or it can require that each certificate in a path contain an acceptable policy identifier. The default allows you to specify both fields, reqExplicitPolicy and inhibitPolicyMapping. The PKIX standard requires that, if present in a CA certificate, the extension never consist of a null sequence; at least one of the two fields must be present.

For general information about this extension, see "policyConstraints" on page 738.

You can define the following constraints with this default:

Table 11-12 Policy Constraints Extension Default Configuration Parameters  
Parameter
Description
critical
Select true to mark this extension critical; select false to mark the extension noncritical.
reqExplicitPolicy
Specifies the total number of certificates permitted in the path before an explicit policy is required; that is, the number of CA certificates that can be chained below (subordinate to) the subordinate CA certificate being issued before an acceptable policy is required.
 
  • -1 specifies that the field should not be set in the extension.
  • 0 specifies that no subordinate CA certificates are permitted in the path before an explicit policy is required.
  • n must be an integer that is greater than zero. It specifies that at most n subordinate CA certificates are allowed in the path before an explicit policy is required.
 
Note that the number you specify affects the number of CA certificates that can be used during certificate validation. The chain starts with the end-entity certificate being validated and moves up the chain. (The parameter has no effect if the extension is set in end-entity certificates.)
inhibitPolicyMapping
Specifies the total number of certificates permitted in the path before policy mapping is no longer permitted.
  • -1 specifies that the field should not be set in the extension.
  • 0 specifies that no subordinate CA certificates are permitted in the path before policy mapping is no longer permitted.
  • n must be an integer that is greater than zero. It specifies that at most n subordinate CA certificates are allowed in the path before policy mapping is no longer permitted. For example, a value of one indicates that policy mapping may be processed in certificates issued by the subject of this certificate, but not in additional certificates in the path.
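
The following Python example is added to show how a path validator consumes the reqExplicitPolicy and inhibitPolicyMapping values from this table; it is not code from the Red Hat Certificate System guide or product. It replays the explicit_policy and policy_mapping counters of RFC 5280 section 6.1 over a chain of constructed certificate records, using the table's convention that -1 means the field is not set, and reports for each certificate whether its own policy mappings may still be processed and whether an acceptable policy is already mandatory. The names walk_policy_constraints and sub_ca and the sample chain are assumptions made for this example.

```python
# Added example: how reqExplicitPolicy and inhibitPolicyMapping ("skip certs")
# values are consumed during path validation. Certificate records are constructed
# dicts; -1 means the field is not set, as in the parameter table.
from typing import Dict, List, Tuple


def walk_policy_constraints(chain: List[Dict]) -> Tuple[List[Dict], bool]:
    """Replay the explicit_policy / policy_mapping counters of RFC 5280 section 6.1.

    chain[0] is the first certificate below the trust anchor, chain[-1] the end-entity
    certificate. Each returned state says whether that certificate's own policy mappings
    may still be processed and whether an acceptable policy is already mandatory when it
    is processed. The boolean says whether the path as a whole requires an explicit policy.
    """
    n = len(chain)
    explicit_policy = n + 1  # larger than the path length: "no constraint" initial values
    policy_mapping = n + 1
    states = []
    for index, cert in enumerate(chain):
        states.append({
            "name": cert["name"],
            "mapping_allowed": policy_mapping != 0,
            "explicit_policy_required": explicit_policy == 0,
        })
        if index == n - 1:
            # Final certificate (section 6.1.5): one last decrement, and a
            # requireExplicitPolicy of 0 here makes the requirement immediate.
            if explicit_policy != 0:
                explicit_policy -= 1
            if cert.get("reqExplicitPolicy", -1) == 0:
                explicit_policy = 0
            break
        # Section 6.1.4 (h): every non-self-issued CA certificate uses up one step.
        if not cert.get("self_issued", False):
            if explicit_policy != 0:
                explicit_policy -= 1
            if policy_mapping != 0:
                policy_mapping -= 1
        # Section 6.1.4 (i): a smaller value in this certificate tightens the counter.
        req = cert.get("reqExplicitPolicy", -1)
        if 0 <= req < explicit_policy:
            explicit_policy = req
        inhibit = cert.get("inhibitPolicyMapping", -1)
        if 0 <= inhibit < policy_mapping:
            policy_mapping = inhibit
    return states, explicit_policy == 0


def sub_ca(name: str, req_explicit_policy: int = -1, inhibit_policy_mapping: int = -1) -> Dict:
    """Constructed stand-in for a CA certificate carrying a Policy Constraints extension."""
    return {"name": name, "reqExplicitPolicy": req_explicit_policy,
            "inhibitPolicyMapping": inhibit_policy_mapping}


# Constructed chain: Sub CA 1 sets inhibitPolicyMapping to 1, the case described above.
CHAIN = [sub_ca("Sub CA 1", inhibit_policy_mapping=1), sub_ca("Sub CA 2"),
         sub_ca("Sub CA 3"), {"name": "end entity"}]

if __name__ == "__main__":
    states, required = walk_policy_constraints(CHAIN)
    for state in states:
        print(state)
    print("path requires explicit policy:", required)
```

Run on `CHAIN`, the walk allows policy mappings in Sub CA 2 (issued by Sub CA 1) but not in Sub CA 3, which is exactly the "value of one" case in the bullet above.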

Policy Mappings Extension Default

This default populates a policy mappings extension in the certificate request. The extension lists one or more pairs of OIDs, each pair identifying two policy statements of two CAs. The pairing indicates that the corresponding policies of one CA are equivalent to policies of another CA. The extension may be useful in the context of cross-certification. If supported, the extension is to be included in CA certificates only. The default allows you to map policy statements of one CA to those of another by pairing the OIDs assigned to their policy statements.

Each pair is defined by two parameters, issuerDomainPolicy and subjectDomainPolicy. The pairing indicates that the issuing CA considers the issuerDomainPolicy equivalent to the subjectDomainPolicy of the subject CA. The issuing CA's users may accept an issuerDomainPolicy for certain applications. The policy mapping tells these users which policies associated with the subject CA are equivalent to the policy they accept.

For general information about this extension, see "policyMappings" on page 739.

You can define the following constraints with this default:

Table 11-13 Policy Mappings Extension Default Configuration Parameters  
Parameter
Description
critical
Select true to mark this extension critical; select false to mark the extension noncritical.
IssuerDomainPolicy_<n>
Specifies the OID assigned to the policy statement of the issuing CA that you want to map with the policy statement of another CA.
Example: 1.2.3.4.5
SubjectDomainPolicy_<n>
Specifies the OID assigned to the policy statement of the subject CA that corresponds to the policy statement of the issuing CA.
Example: 6.7.8.9.10

Signing Algorithm Default

This default populates a signing algorithm in the certificate request. This default presents an agent with the possible algorithms that can be used for signing the certificate in a list that the agent can select from.

You can define the following constraints with this default:

Table 11-14 Signing Algorithm Default Configuration Parameters  
Parameter
Description
signingAlgsAllowed
Specify the signing algorithms that can be used for signing this certificate. You can specify any or all of the following:
MD2withRSA,MD5withRSA,SHA1withRSA
signingAlg
Specify the default signing algorithm to be used to create this certificate. An agent can override this value by specifying one of the values contained in the signingAlgsAllowed parameter.

Subject Alternative Name Extension Default

This default populates a subject alternative name extension in the certificate request. The extension enables you to bind additional identities, such as an Internet electronic mail address, a DNS name, an IP address, and a uniform resource identifier (URI), to the subject of the certificate.

For general information about this extension, see "subjectAltName" on page 740.

The standard suggests that if the certificate subject field contains an empty sequence, then the subject alternative name extension must contain the subject's alternative name and that the extension be marked critical.

If you're using any of the directory-based authentication methods, you can configure CS to retrieve values for any string and byte attributes from the directory and set them in the certificate request during authentication. You specify these attributes by entering them in the ldapStringAttributes and ldapByteAttributes fields defined in the automated enrollment modules.

In general, you can configure which attributes should or shouldn't be stored in the request; for example, you can exclude sensitive attributes such as passwords from being stored in the request with the parameter named dontSaveHttpParams defined in the CS configuration file. For details on using this parameter, see the description for HTTP_PARAMS in the section "JavaScript Used By All Interfaces" of the CS Customization Guide. You can also distinguish the attributes based on their origin, that is, whether they originated from the enrollment form or were added to the request during the authentication process. Authenticated attributes have AUTH_TOKEN as a prefix (for example, AUTH_TOKEN.mail), and non-authenticated attributes, such as the ones that come from the HTTP input, have HTTP_PARAMS as a prefix (for example, HTTP_PARAMS.csrRequestorEmail).

If enabled, the subject alternative name extension policy checks the certificate request for the configured attributes. If the request contains an attribute, the policy reads its value and sets it in the extension. This way, the extension that gets added to certificates contains all the configured attributes.

You can define the following constraints with this default:

Table 11-15 Subject Alternative Name Extension Default Configuration Parameters  
Parameter
Description
Critical
Select true to mark this extension critical; select false to mark the extension noncritical.
Pattern
Specifies the request attribute whose value is to be included in the extension. The attribute value must conform to any of the supported general-name types. If the server finds the attribute in the request, it sets the attribute value in the extension and then adds the extension to certificates. If you specify multiple attributes and if none of the attributes are present in the request, the server does not add the subject alternative name extension to certificates.
Permissible values: A request attribute included in the certificate request.
Example: $request.requestor_email$
Type
Specifies the general-name type for the request attribute.
  • Select RFC822Name if the request-attribute value is an Internet mail address in the local-part@domain format. For example, jdoe@example.com.
  • Select DirectoryName if the request-attribute value is an X.500 directory name, similar to the subject name in a certificate. For example,
    CN=Jane Doe, OU=Sales Dept, O=Example Corporation, C=US.
 
  • Select DNSName if the request-attribute value is a DNS name. For example, corpDirectory.example.com.
  • Select EDIPartyName if the request-attribute value is an EDI party name. For example, Example Corporation.
 
  • Select URIName if the request-attribute value is a non-relative URI that includes both a scheme (for example, http) and a fully qualified domain name or IP address of the host. For example, http://hr.example.com.
  • Select IPAddress if the request-attribute value is a valid IP address specified in dot-separated numeric component notation. For example, 128.21.39.40.
 
  • Select OIDName if the request-attribute value is a unique, valid OID specified in the dot-separated numeric component notation. For example, 1.2.3.4.55.6.5.99.
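
The following Python example is added to show the Pattern and Type parameters at work; it is not code from the Red Hat Certificate System guide or product. It merges authenticated (AUTH_TOKEN.) and form-supplied (HTTP_PARAMS.) attributes into a request while dropping the attributes a dontSaveHttpParams-style list names, resolves each $request.<attribute>$ pattern, keeps only values that conform to the configured general-name type, and omits the extension entirely when none of the configured attributes are present, as the table above describes. The function names, the request attributes and the ENTRIES list are constructed for this example.

```python
# Added example: resolve the $request.<attribute>$ patterns of a Subject Alternative
# Name Extension Default against a request's attributes, keep only values that fit the
# configured general-name type, and leave the extension out when nothing resolves.
# The attribute names, values and entry list are constructed samples.
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

_PATTERN_RE = re.compile(r"\$request\.([A-Za-z0-9_.]+)\$")

# Minimal format checks for the general-name types the Type parameter accepts.
_TYPE_RE = {
    "RFC822Name": re.compile(r"^[^@\s]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$"),
    "DNSName": re.compile(r"^(?:[A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$"),
    "URIName": re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://\S+$"),
    "OIDName": re.compile(r"^[0-2](?:\.\d+)+$"),
}


def build_request_attributes(auth_token: Dict[str, str], http_params: Dict[str, str],
                             dont_save_http_params: Set[str]) -> Dict[str, str]:
    """Merge authenticated and form-supplied attributes into the request, prefixed by origin.

    Attributes named in dont_save_http_params (the role dontSaveHttpParams plays) are
    never stored, so a password typed into the form cannot be reached by a pattern.
    """
    attrs = {f"AUTH_TOKEN.{k}": v for k, v in auth_token.items()}
    attrs.update({f"HTTP_PARAMS.{k}": v for k, v in http_params.items()
                  if k not in dont_save_http_params})
    return attrs


def resolve_pattern(pattern: str, request: Dict[str, str]) -> Optional[str]:
    """Substitute every $request.<attr>$; None when a referenced attribute is missing or empty."""
    missing = False

    def replace(match) -> str:
        nonlocal missing
        value = request.get(match.group(1), "")
        if not value:
            missing = True
        return value

    resolved = _PATTERN_RE.sub(replace, pattern)
    return None if missing else resolved


def value_fits_type(name_type: str, value: str) -> bool:
    """Does the resolved value conform to the general-name type selected in the profile?"""
    if name_type == "IPAddress":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    regex = _TYPE_RE.get(name_type)
    return bool(regex.match(value)) if regex else bool(value.strip())


def build_san_entries(entries: List[Tuple[str, str]], request: Dict[str, str]
                      ) -> Tuple[Optional[List[Tuple[str, str]]], List[Tuple[str, str]]]:
    """Return (names for the extension, or None if it should be omitted; rejected values).

    entries -- (Type, Pattern) pairs as configured in the profile
    """
    names, rejected = [], []
    for name_type, pattern in entries:
        value = resolve_pattern(pattern, request)
        if value is None:
            continue  # attribute not in this request: the entry contributes nothing
        if value_fits_type(name_type, value):
            names.append((name_type, value))
        else:
            rejected.append((name_type, value))
    return (names or None), rejected


# Constructed request: one plain attribute, one authenticated, one from the form.
REQUEST = {
    "requestor_email": "jdoe@example.com",
    **build_request_attributes(
        auth_token={"mail": "jane.doe@example.com"},
        http_params={"csrRequestorEmail": "not-an-address", "password": "placeholder-secret"},
        dont_save_http_params={"password"}),
}
ENTRIES = [
    ("RFC822Name", "$request.requestor_email$"),
    ("RFC822Name", "$request.AUTH_TOKEN.mail$"),
    ("DNSName", "$request.AUTH_TOKEN.hostname$"),  # absent from this request
    ("RFC822Name", "$request.HTTP_PARAMS.csrRequestorEmail$"),
]
```

Binding a SAN to the AUTH_TOKEN. form of an attribute rather than its HTTP_PARAMS. form is the point of the origin prefix: the authenticated value came from the directory, while the form value is whatever the requester typed, as the rejected entry in this sample shows.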

Subject Key Identifier Extension Default

This default populates a subject key identifier extension in the certificate request. The extension is used to identify certificates that contain a particular public key; that is, it uniquely identifies a certificate from among several that have the same subject name.

For general information about this extension, see "subjectKeyIdentifier" on page 741.

If enabled, the policy adds a Subject Key Identifier Extension to an enrollment request if the extension does not already exist. If the extension exists in the request, for example from a CRMF request, the default replaces the extension. In case of agent-approved enrollments, after an agent approves the enrollment request, the policy accepts any Subject Key Identifier Extension that is already there.

This default has no parameters. If used, this extension is included in the certificate together with the public key information.

You can define the following constraints with this default:

Subject Name Default

This default populates a server-side configurable subject name into the certificate request. You provide a static subject name that is used as the subject name in the certificate.

You can define the following constraints with this default:

Table 11-16 Subject Name Default Configuration Parameters  
Parameter
Description
Name
Specify the subject name for this certificate.

Token Supplied Subject Name Default

This default populates the subject name based on the attribute values in the authentication token (AuthToken) object.

This default plugin works with the directory-based authentication manager. The Directory-Based User Dual-Use Certificate Enrollment certificate profile has the following input parameters: UID and Password. The directory-based authentication manager checks whether the given UID and password are correct.

In addition, the directory-based authentication manager formulates the subject name of the certificate to be issued (it forms the subject name using the dnPattern attribute) and places that subject name into an internal data structure called AuthToken.

This default is responsible for reading the subject name from the AuthToken and placing it into the certificate request, so that the final certificate contains that subject name.

You can define the following constraints with this default: No Constraint; see "No Constraint" on page 456.

User Supplied Extension Default

This class implements an enrollment default policy that populates a user-supplied extension into the certificate request. If it is included in the certificate profile, it allows a user to define extensions.

No inputs are provided to add user supplied extensions to the enrollment form. You can create an input for this purpose using the CS SDK. You can also submit a request that contains this information.

You can define the following constraints with this default:

User Supplied Key Default

This default populates a user-supplied key into the certificate request. This is a required default, because keys are part of every enrollment request.

You can define the following constraints with this default:

User Signing Algorithm Default

This default implements an enrollment default policy that populates a user-supplied signing algorithm into the certificate request. If it is included in the certificate profile, it allows a user to choose a signing algorithm for the certificate, subject to the constraints set.

No inputs are provided to add signing algorithm choices to the enrollment form. You can create an input for this purpose using the CS SDK. You can also submit a request that contains this information.

You can define the following constraints with this default:

User Supplied Subject Name Default

This default populates a user-supplied subject name into the certificate request. If it is included in the certificate profile, it allows a user to supply a subject name for the certificate, subject to the constraints set.

You can define the following constraints with this default:

User Supplied Validity Default

This default populates a user-supplied validity period into the certificate request. If it is included in the certificate profile, it allows a user to supply the validity period, subject to the constraints set.

No inputs are provided to add a user-supplied validity period to the enrollment form. You can create an input for this purpose using the CS SDK. You can also submit a request that contains this information.

You can define the following constraints with this default:

Validity Default

This default populates a server-side configurable validity into the certificate request.

You can define the following constraints with this default:

Table 11-17 Validity Default Configuration Parameters  
Parameter
Description
range
Specifies the validity period for this certificate.

Constraints Reference

Constraints are used to define the allowable contents of a certificate and the values associated with that content. This section lists the prebuilt constraints with complete definitions of each.

Basic Constraints Extension Constraint

The Basic Constraints extension constraint checks whether the Basic Constraints extension in the certificate request satisfies the criteria set in this constraint.

Table 11-18 Basic Constraints Extension Constraint Configuration Parameters  
Parameter
Description
Critical
Specifies whether the extension can be marked critical or noncritical. Select true to allow this extension to be marked critical; select false to prevent this extension from being marked critical; select "-" to indicate no constraints are placed for this parameter.
IsCA
Specifies whether the certificate subject is a CA. Select true to allow a value of true for this parameter, select false to disallow a value of true for this parameter, select "-" to indicate no constraints are placed for this parameter.
PathLen
Specifies the maximum allowable path length, that is, the maximum number of CA certificates that may be chained below (subordinate to) the subordinate CA certificate being issued. Note that the path length you specify affects the number of CA certificates that can be used during certificate validation. Validation starts with the end-entity certificate being validated and moves up the chain.

This parameter has no effect if the extension is set in end-entity certificates.

Permissible values: 0 or n. Make sure that the value you choose is less than the path length specified in the Basic Constraints extension of the CA signing certificate (owned by the CA that will issue these certificates).

  • 0 specifies that no subordinate CA certificates are allowed below the subordinate CA certificate being issued; that is, only an end-entity certificate may follow in the path.
  • n must be an integer greater than zero. It specifies that at most n subordinate CA certificates are allowed below the subordinate CA certificate being issued.

If you leave the field blank, the path length defaults to a value that is determined by the path length set on the Basic Constraints extension in the issuer's certificate. If the issuer's path length is unlimited, the path length in the subordinate CA certificate will also be unlimited. If the issuer's path length is an integer greater than zero, the path length in the subordinate CA certificate will be set to a value that is one less than the issuer's path length; for example, if the issuer's path length is 4, the path length in the subordinate CA certificate will be set to 3.

Extended Key Usage Extension Constraint

The extended key usage extension constraint checks if the extended key usage extension in the certificate request satisfies the criteria set in this constraint.

Table 11-19 Extended Key Usage Extension Constraint Configuration Parameters  
Parameter
Description
Critical
Specifies whether the extension can be marked critical or noncritical. Select true to allow the extension to be marked critical, select false to disallow the extension from being marked critical; select "-" to indicate no constraints are placed for this parameter.
exKeyUsageOIDs
Specifies the allowable OIDs that identify key-usage purposes. You can specify more than one, separating each with a comma.

Extension Constraint

This constraint implements the general extension constraint. It checks if the extension is present or not.

Key Constraint

This constraint checks the key type and key length.

Table 11-20 Key Constraint Configuration Parameters  
Parameter
Description
Type
Select which key type is allowed: DSA or RSA.
MinLength
Specifies the minimum allowable key length.
MaxLength
Specifies the maximum allowable key length.

Key Usage Extension Constraint

The key usage extension constraint checks whether the Key Usage extension in the certificate request satisfies the criteria set in this constraint.

Table 11-21 Key Usage Extension Constraint Configuration Parameters  
Parameter
Description
critical
Select true to allow this extension to be marked critical; select false to keep this extension from being marked critical; select "-" to indicate no constraints are placed for this parameter.
digitalSignature
Specifies whether to allow for signing of SSL client certificates, S/MIME signing certificates, and object-signing certificates. Select true to allow this to be set; select false to not allow this to be set; select "-" to indicate no constraints are placed for this parameter.
nonRepudiation
Specifies whether to set the extension for some S/MIME signing certificates and object-signing certificates. Note, however, that the use of this bit is controversial. You should carefully consider the legal consequences of its use before setting it for any certificate. Select true to allow this to be set; select false to not allow this to be set; select "-" to indicate no constraints are placed for this parameter.
keyEncipherment
Specifies whether to set the extension for SSL server certificates and S/MIME encryption certificates. Select true to allow this to be set; select false to not allow this to be set; select "-" to indicate no constraints are placed for this parameter.
dataEncipherment
Specifies whether to set the extension when the subject's public key is used to encipher user data (as opposed to key material). Select true to allow this to be set; select false to not allow this to be set; select "-" to indicate no constraints are placed for this parameter.
keyAgreement
Specifies whether to set the extension whenever the subject's public key is used for key agreement. Select true to allow this to be set; select false to not allow this to be set; select "-" to indicate no constraints are placed for this parameter.
keyCertsign
Specifies whether to set the extension for all CA signing certificates. Select true to allow this to be set; select false to not allow this to be set; select "-" to indicate no constraints are placed for this parameter.
cRLSign
Specifies whether to set the extension for CA signing certificates that are used to sign CRLs. Select true to allow this to be set; select false to not allow this to be set; select "-" to indicate no constraints are placed for this parameter.
encipherOnly
Specifies whether to set the extension if the public key is to be used only for enciphering data. If this bit is set, keyAgreement should also be set. Select true to allow this to be set; select false to not allow this to be set; select "-" to indicate no constraints are placed for this parameter.
decipherOnly
Specifies whether to set the extension if the public key is to be used only for deciphering data. If this bit is set, keyAgreement should also be set. Select true to allow this to be set; select false to not allow this to be set; select "-" to indicate no constraints are placed for this parameter.

No Constraint

This constraint implements no constraint. When it is chosen along with a default, no constraints are placed on that default.

Netscape Certificate Type Extension Constraint

The Netscape Certificate Type extension constraint checks if the Netscape Certificate Type extension in the certificate request satisfies the criteria set in this constraint.

Table 11-22 Netscape Certificate Type Extension Constraint Configuration Parameters  
Parameter
Description
critical
Select true to allow this extension to be marked critical; select false to keep this extension from being marked critical; select "-" to indicate no constraints are placed for this parameter.
SSLClient
Specifies that the certificate can be used by clients for authentication during SSL connections. Select true to allow this capability; select false to not allow this capability; select "-" to indicate no constraints are placed for this parameter.
SSLServer
Specifies that the certificate can be used by servers for authentication during SSL connections. Select true to allow this capability; select false to not allow this capability; select "-" to indicate no constraints are placed for this parameter.
CertEmail
Specifies that the certificate can be used to send secure email messages. Select true to allow this capability; select false to not allow this capability; select "-" to indicate no constraints are placed for this parameter.
CertObjectSigning
Specifies that the certificate can be used for signing objects such as Java applets and plug-ins. Select true to allow this capability; select false to not allow this capability; select "-" to indicate no constraints are placed for this parameter.
CertSSLCA
Specifies that the certificate can be used by a CA to issue certificates for SSL connections. Select true to allow this capability; select false to not allow this capability; select "-" to indicate no constraints are placed for this parameter.
CertEmailCA
Specifies that the certificate can be used by a CA to issue certificates for secure email. Select true to allow this capability; select false to not allow this capability; select "-" to indicate no constraints are placed for this parameter.
CertObjectSigningCA
Specifies that the certificate can be used by a CA to issue certificates for object signing. Select true to allow this capability; select false to not allow this capability; select "-" to indicate no constraints are placed for this parameter.

Signing Algorithm Constraint

The signing algorithm constraint checks if the signing algorithm in the certificate request satisfies the criteria set in this constraint.

Table 11-23 Signing Algorithms Constraint Configuration Parameters  
Parameter
Description
signingAlgsAllowed
List the signing algorithms that can be specified for use in signing this certificate. Specify any or all of the following:
MD2withRSA,MD5withRSA,SHA1withRSA

Subject Name Constraint

This constraint implements the subject name constraint. It checks if the subject name in the certificate request satisfies the criteria.

Table 11-24 Subject Name Constraint Configuration Parameters  
Parameter
Description
Pattern
Specifies a regular expression, given as a string; all regular-expression constructs listed in http://java.sun.com/j2se/1.4.1/docs/api/java/util/regex/Pattern.html are supported.
For example, if the pattern of the subject name constraint is set to UID=.*, the certificate profile framework checks whether the subject name in the certificate request matches the pattern. Assuming that the subject name is UID=user, O=Example, C=US, the value satisfies the pattern UID=.*. If the subject name is CN=user, O=example,C=US, the value does not satisfy the pattern.
UID=.* means that the subject name must have UID= followed by .*, where .* matches any character zero or more times.

Validity Constraint

This constraint implements the validity constraint. It checks if the validity in the certificate request satisfies the criteria.

Table 11-25 Validity Constraint Configuration Parameters  
Parameter
Description
range
The range parameter is an integer; its unit is days.
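The following is an added example, not Red Hat Certificate System code: a small model of how the Basic Constraints (IsCA and PathLen), Key, Subject Name and Validity constraints described in this section accept or reject the values in an enrollment request. It assumes that the subject name pattern is applied as a whole-string match, as Java's Pattern.matches() does, and that a request for an unlimited path length exceeds any numeric PathLen limit.

```python
# Added example, not Red Hat Certificate System code: a minimal model of how
# the constraints described above accept or reject an enrollment request.
import re
from typing import Optional

NO_CONSTRAINT = "-"  # the "-" choice: no constraint placed on the parameter


def subject_name_allowed(pattern: str, subject: str) -> bool:
    """Subject Name Constraint. Assumption: the framework applies the Java
    Pattern as a whole-string match, which re.fullmatch reproduces."""
    return re.fullmatch(pattern, subject) is not None


def key_allowed(key_type: str, key_bits: int,
                allowed_type: str, min_len: int, max_len: int) -> bool:
    """Key Constraint: Type must match (DSA or RSA) and the key length must
    lie within [MinLength, MaxLength]."""
    return key_type == allowed_type and min_len <= key_bits <= max_len


def validity_allowed(requested_days: int, range_days: int) -> bool:
    """Validity Constraint: the requested validity may not exceed range days."""
    return 0 < requested_days <= range_days


def tri_state_allowed(setting: str, requested: bool) -> bool:
    """true/false/"-" parameters such as IsCA or critical: true allows the
    value to be set, false forbids it, "-" leaves it unconstrained."""
    if setting == NO_CONSTRAINT or not requested:
        return True
    return setting == "true"


def basic_constraints_allowed(is_ca: bool, path_len: Optional[int],
                              is_ca_setting: str,
                              max_path_len: Optional[int]) -> bool:
    """Basic Constraints Extension Constraint. path_len None means the request
    asks for an unlimited path length; max_path_len None means the PathLen
    field was left blank. Assumption: an unlimited request exceeds any limit."""
    if not tri_state_allowed(is_ca_setting, is_ca):
        return False
    if max_path_len is None:
        return True
    return path_len is not None and 0 <= path_len <= max_path_len


def default_path_len(issuer_path_len: Optional[int]) -> Optional[int]:
    """Path length given to a subordinate CA certificate when PathLen is left
    blank: unlimited (None) stays unlimited, otherwise one less than the
    issuer's value. An issuer with path length 0 permits no subordinate CA."""
    if issuer_path_len is None:
        return None
    if issuer_path_len == 0:
        raise ValueError("issuer permits no subordinate CA certificates")
    return issuer_path_len - 1
```

For instance, subject_name_allowed("UID=.*", "UID=user, O=Example, C=US") returns True while the CN=user subject from the table returns False, and default_path_len(4) returns 3 as in the PathLen description.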



© 2001 Sun Microsystems, Inc. Used by permission. © 2005 Red Hat, Inc. All rights reserved.
Read the Full Copyright and Third-Party Acknowledgments.

last updated September 26, 2005