Certificate Profiles

Administrator's Guide
Red Hat Certificate System

Index

Chapter 11

Certificate Profiles

This chapter describes how to configure certificate profiles. This chapter contains the following sections:

About Certificate Profiles
Setting Up Certificate Profiles
Certificate Profile Reference
Input Reference
Output Reference
Defaults Reference
Constraints Reference

About Certificate Profiles

A certificate profile defines everything associated with the issuance of a particular type of certificate including the authentication method, the certificate content (defaults), constraints for values associated with that content that can be contained in this type of certificate, and the contents of the input and output forms associated with the certificate profile. Enrollments requests are submitted to a particular certificate profile and are then subject to the defaults and constraints set up in that certificate profile whether the request is submitted via the input form associated with the certificate profile or via some other means. The certificate that is issued from a certificate profile request contains the content defined by the defaults with values derived from the values contained in the parameters associated with those defaults. The constraints provide rules for which content is allowable in the certificate, and defines allowable values for that content.

For example, you could set up a certificate profile for user certificates that defines all aspects of that certificate including the validity period of the issued certificate. You can set a default that defines the default validity period as two years. You would also set up a constraint that the validity period for certificates issued from requests submitted to this certificate profile cannot exceed two years. When a user sends a request using the input form associated with this certificate profile, the certificate issued will contain the information specified in the defaults set up and will be valid for two years. If a user submits a pre formatted request that requests a certificate with a validity period of four years, the request will be rejected since the constraints allow a maximum of two years validity period for this type of certificate.

A set of certificate profiles have been pre built for the most common types of certificates issued. The pre built certificate profiles define defaults and constraints commonly associated with this type of certificate, associate the authentication method common for this type of enrollment, and define the needed inputs and outputs for the certificate profile.

You can use these pre built certificate profiles, you can modify any or all of these by changing the authentication method, the defaults, the constraints used in each policy, the values assigned to any of the parameters in a policy, or the input and output. You can also create other certificate profiles either for other types of certificates, or for creating more than one certificate profile for a type of certificate. You might create more than one certificate profile for a particular type of certificate when you want to issue the same type of certificate with either a different authentication method or different definitions for the defaults and constraints. For example, you might create two certificate profiles used for enrollment for SSL Server certificates where one certificate profile issues certificates with a validity period of six months and another certificate profile issues certificates with a validity period of two years.

A set of defaults and constraints have been pre built for the most commonly used certificate content and constraints. You can set up additional defaults and constraints using the CS SDK.

An input specifies how the enrollment page should be presented, and what inputs should be gathered from the end-entities. You can use inputs to add text fields to the enrollment page so that additional information can be gathered and used for the enrollment. The input values are used as values in the certificate. A set of inputs have been created allowing you to create an enrollment form containing the fields needed for most certificate profiles you will create. The pre built inputs are not configurable in CS; you can change them using the CS SDK. For some options, or for some content you may want to collect, you may need to create additional inputs using the CS SDK. The inputs provide a certificate request field that can be added to any of the forms so that certificate requests can be pasted into this field, allowing a request to be created outside the input form with any of the request information you need.

An output specifies how the response page to a successful enrollment is presented. It usually displays the certificate in a user-readable format. A single output has been created that shows the pretty print version of the resultant certificate. You can create other outputs using the CS SDK.

How Certificate Profiles Work

An administrator sets up a certificate profile by associating an existing authentication plug-in, or method, with the certificate profile, enabling and configuring defaults and constraints, and defining inputs and outputs. The administrator can use the existing certificate profiles, modify the existing certificate profiles, create new certificate profiles, and delete any certificate profile that will not be used in this PKI.

Once a certificate profile is set up, it appears on the Manage Certificate Profiles page of the agent services interface where an agent can approve, and thus enable a certificate profile. Once the certificate profile is enabled, it will appear on the Certificate Profile tab of the end-entity interface where end-entity can enroll for a certificate using the certificate profile.

The Certificate Profile enrollment page contains links to each type of certificate profile enrollment that has been enabled by the agents. When an end entity selects one of those links, an enrollment page appears containing an enrollment form specific to that certificate profile. The enrollment page for this certificate profile in the end-entity interface is dynamically generated from the inputs defined for this certificate profile. If an authentication plug-in is configured, additional fields may be added that are needed to authenticate the user with that authentication method.

When the end entity submits a certificate profile request that is associated with an agent-approved (manual) enrollment, an enrollment where no authentication plug-in is configured, the certificate request is queued in the agent services interface under a certificate profile enrollment, showing that it is different from the old enrollment method. The agent can change some aspects of the enrollment, request, validate it, cancel it, reject it, update it, or approve it. The agent can able update the request without submitting it or validate that the request adheres to the profile's defaults and constraints. This validation procedure is only for verification and does not result in the request being submitted. The agent is bound by the constraints set up; they cannot change the request in such a way that a constraint is violated. The signed approval is immediately processed and a certificate is issued.

When a certificate profile is associated with an authentication method, the request is approved immediately and generates a certificate automatically if the user successfully authenticates, all the information required is provided, and the request does not violate any of the constraints set up for the certificate profile.

The issued certificate contains the content defined in the defaults for this certificate profile, such as the extensions and validity period for the certificate, and the content of the certificate is constrained by the constraints set up for each default. You can set up more than one set of policies (defaults and constraints) within one profile, distinguishing each set by using the same value in the Policy Set ID for each set. This is particulary useful for dealing with dual keys enrollment where encryption key and signing key are submitted into the same profile. The server evaluates each set with each request it receives. In the case where a single certificate is issued, one set is evaluated, any other sets are ignored. In the case where dual-key pairs are issued, the first set is evaluated with the first certificate request, and the second set is evaluated with the second certificate request. There is no need for more than one set if you are issuing a single certificate, or more than two sets if you are issuing dual-key pairs.

The request is not evaluated by the Policies set up in the Policy feature of CS. If the enrollment took place in a Registration Manager, both the Registration Manager and the Certificate Manager should have the same certificate profile implemented with the same policies. The profile in the Certificate Manager will have the final authority.

Setting Up Certificate Profiles

You set up certificate profiles by configuring the existing certificate profiles, deleting an existing certificate profile, or adding another certificate profile and configuring it.

Setting up certificate profiles includes the following process:

Decide which certificate profiles you will need for your PKI. You will have one certificate profile for each type of certificate you issue, and can have more than one certificate profile for each type of certificate you issue is you want to set up a particular type of certificate with different authentication methods, or different defaults and constraints. Note that any certificate profile available in the administrative interface can be approved by an agent and then used by an end entity to enroll.
Delete any certificate profiles that you will not use.
Create any certificate profiles you will need that are not among the pre built certificate profiles.
Modify the existing certificate profiles and any certificate profiles you have created by changing the following:

Changing the defaults set up in the certificate profile, the values of the parameters set in the defaults, or the constraints associated with the default to set the content of the issued certificate and the value of that content.
Changing the constraints set up by changing the value of the parameters in the constraints.
Changing the authentication method set up for this certificate profile.
Changing the inputs set up by adding or deleting inputs in the certificate profile thus defining the fields on the input page.
Add or delete the single output.

Optionally, you can modify existing defaults, constraints, inputs and outputs, or create new ones using the CS SDK.

Modifying a Certificate Profile

Note that you cannot edit any certificate profile that has been approved by an agent. The agent must disapprove or disable the certificate profile before the administrator can edit that certificate profile.

To add a certificate profile and modify an existing or new certificate profile:

Log in to the CS window. See "Logging Into the CS Console" on page 239.
Select the Configuration tab.
In the navigation tree, select the subsystem to which the certificate profile you want to modify belongs.
Select Certificate Profiles.

The Certificate Profile Instances Management tab appears. It lists configured certificate profiles.

To create a new certificate profile:

Click Add.

The Select Certificate Profile Plugin Implementation window appears.

Select Certificate Authority Enrollment Profile if this is a Certificate Manager or Registration Authority Enrollment Profile if this is a Registration Manager.
Click Next.

The Certificate Profile Instances window appears.

Fill in the following fields in this window:

Certificate Profile Instance ID. Specify the instance ID of the certificate profile. This name or number will be used by the system to identify the instance.

Certificate Profile Name. Specify a name for the certificate profile. This name is the user friendly name of the instance.

Certificate Profile Description. Provide a description to identify the use of this certificate profile.

End User Certificate Profile. Specifies whether or not the request must be made to the input form associated with this certificate profile. Generally, you will set this to true. If you have set up a Registration Manager, you will set this to false in the certificate profile you set up in the Certificate Manager that correlates to the certificate profile you set up in the Registration Manager. It is set to false allowing a signed request to be processed through the Certificate Manager's Certificate Profile framework, rather than through the input page for this certificate profile.

Certificate Profile Authentication. Specify the authentication method. Specify an automated authentication by providing the instance ID for the authentication instance that will be used. If this field is left blank, the request is authenticated as an agent-approved enrollment; the submitted request is queued in the request queue of the agent services interface.

Click Ok.

The new certificate profile appears in the Certificate Profile Instances Management tab.

To modify an existing certificate profile, select a certificate profile listed in the Certificate Profile Instances Management tab and click Edit/View.

The Certificate Profile Rule Editor window appears.

This window contains a lot of information, you may want to enlarge the window by pulling out on one of the corners of the window.

Change the information in the Certificate Profile Rule Editor for any of the following fields:

Certificate Profile Name. Specify a name for the certificate profile. This name is the user friendly name of the instance.

Certificate Profile Description. Provide a description to identify the use of this certificate profile.

End User Certificate Profile. Specifies whether or not the request must be made to the input form associated with this certificate profile. Generally, you will set this to true. If you have set up a Registration Manager, you will set this to false in the certificate profile you set up in the Certificate Manager that correlates to the certificate profile you set up in the Registration Manager. It is set to false allowing a signed request to be processed through the Certificate Manager's Certificate Profile framework, rather than through the input page for this certificate profile.

Certificate Profile Authentication. Specify the authentication method. Specify an automated authentication by providing the instance ID for the authentication instance that will be used. If this field is left blank, the request is authenticated as an agent-approved enrollment; The submitted request is queued in the request queue of the agent services interface.

Policies Tab. See Step 8.

Input Tab. See Step 9.

Output Tab. See Step 10.

Set up Policies in the Policies tab of the Certificate Profile Rule Editor window.

The policies tab lists policies that have been set up for this certificate profile.

To add a policy:

Click Add.

The Certificate Profile Policy Editor window appears.

Choose the default you want to add from the Default field, and choose the from the constraints associated with that policy in the Constraints field, then click OK.

The New Certificate Profile Editor window appears.

Fill in the following fields:

Policy Set Id. Type a name or identifier for this set of policies. When you are issuing dual key pairs, you can use separate sets to define the policies associated with each certificate.

Certificate Profile Policy ID. Type a name or identifier for this certificate profile policy.

Configure any parameters in the Default or Constraint tab. See "Defaults Reference," on page 428 and "Constraints Reference," on page 453 for complete details for each default or constraint.
Click Ok.

To modify an existing policy:

Select a policy and click Edit.

The Policy Rule Editor window appears.

The Policy Rule Editor window contains two tabs, Defaults and Constraints.

Defaults define attributes that populate the certificate request that will be used to create the issued certificate. These can be extensions, validity periods, or other fields contained in the certificates. Constraints define valid values for the defaults.

Change the values in the Defaults tab to change the value of a parameter. Change the values in the Constraints tab to change the value of the constraint applied to this policy. Some values can be edited by clicking into the value field and changing the entry; others have pull down menus associated with them where you can pick the values available from the pull down menu.

See "Defaults Reference," on page 428 and "Constraints Reference," on page 453 for complete information about the available defaults and constraints.

Click Ok.

To delete a policy:

Select the policy.
Click delete.

Set up Inputs in the Inputs tab of the Certificate Profile Rule Editor window.

The inputs tab lists inputs that have been set up for this certificate profile. You can add an input or you can delete an input. You can select an input and then select edit; but since the input has no parameters or other settings, there is nothing to configure.

To add an input:

Click Add.

The Certificate Profile Input Editor window appears.

Choose the input you want to add from the list and then click OK. See "Input Reference," on page 426 for complete details of the default inputs.

The New Certificate Profile Editor window appears.

Fill in the following fields:

Id. Type a name or identifier for this input.

Click Ok.

This input will be listed in the input tab. You can edit it to provide values to the parameters in this input.

To delete an input:

Select the input.
Click delete.

Set up outputs in the Outputs tab of the Certificate Profile Rule Editor window.

You need to set up outputs for any certificate profile that uses an automated authentication method, you do not need to set up outputs for any certificate profile that uses an agent-approved authentication method. The outputs tab lists inputs that have been set up for this certificate profile. You can add an output or you can delete an output. You can select an output and then select edit; but since the output has no parameters or other settings, there is nothing to configure.

To add an output:

Click Add.

The Certificate Profile Output Editor window appears.

Choose the output you want to add from the list and then click OK.

The New Certificate Profile Editor window appears.

Fill in the following fields:

Id. Type a name or identifier for this output.

Click Ok.

This output will be listed in the output tab. You can edit it to provide values to the parameters in this output.

To delete an output:

Select the output.
Click delete.

Delete any certificate profiles you don't want approved by an agent. Any certificate profile that appears in the Certificate Profile Instance Management tab also appears on the Certificate Profiles page in the agent services interface. The certificate profile can be enabled by an agent. If you do not want a certificate profile enabled by an agent, delete that certificate profile from this list by selecting it and then clicking delete.

Note

Once a certificate profile is enabled by an agent, that certificate profile is marked enabled in the Certificate Profile Instance Management tab, and the certificate profile cannot be edited in any way. To edit that certificate profile, an agent must first disable the certificate profile.

Certificate Profile Reference

A set of certificate profiles have been prebuilt for the types of certificates that are usually issued by a RA and a CA. All certificate profiles are installed with a CA, only those certificate profiles beginning with ra are installed with and RA. The default certificate profiles include the following:

caUserCert

Configured for end user enrollments in a Certificate Manager.

caDualCert

Configured for enrollments for dual key pairs in a Certificate Manager. Two keys will be generated, a signing key and an encryption key, and two certificates will be issued, one for each of those keys. This certificate profile will only work with the Netscape 7 or later browser.

caServerCert

Configured for enrollments for an SSL server certificate in a Certificate Manager.

caCACert

Configured for enrollments for a CA signing certificate in a Certificate Manager.

caRACert

Configured for enrollments for an RA signing certificate in a Certificate Manager.

caOCSPCert

Configured for enrollments for an OCSP signing certificate in a Certificate Manager.

caTransportCert

Configured for enrollments for a transport signing certificate, used by the Data Recovery Manager, in a Certificate Manager.

caAuditCert

Configured for enrollments for a signed audit signing certificate, used by a subsystem to sign the signed audit logs.

caDirUserCert

Configured for enrollments for end user certificates using directory-based authentication in a Certificate Manager.

caAgentServerCert

Configured for enrollments for server certificates allowing for automatic issuance of the server certificate with the validation of an agent's certificate in a Certificate Manager.

raUserCert

Configured for end user enrollments. When installed in an RA, the value of the End User Certificate Profile field is set to true; when installed in a CA, the value of the End User Certificate Profile field is set to false. In a CA, you set this certificate profile up to match the certificate profile set up in the RA; the value of the End User Certificate Profile needs to be set to false in order for the CA to be able to accept the request from somewhere other than the certificate profile enrollment form.

raDualCert

Configured for enrollments for dual key pairs in a Registration Manager. Two keys will be generated, a signing key and an encryption key, and two certificates will be issued, one for each of those keys. This certificate profile will only work with the Netscape 7 or later browser.

When installed in an RA, the value of the End User Certificate Profile field is set to true; when installed in a CA, the value of the End User Certificate Profile field is set to false. In a CA, you set this certificate profile up to match the certificate profile set up in the RA; the value of the End User Certificate Profile needs to be set to false in order for the CA to be able to accept the request from somewhere other than the certificate profile enrollment form.

raServerCert

Configured for enrollments for an SSL server certificate. When installed in an RA, the value of the End User Certificate Profile field is set to true; when installed in a CA, the value of the End User Certificate Profile field is set to false. In a CA, you set this certificate profile up to match the certificate profile set up in the RA; the value of the End User Certificate Profile needs to be set to false in order for the CA to be able to accept the request from somewhere other than the certificate profile enrollment form.

raCACert

Configured for enrollments for a CA signing certificate. When installed in an RA, the value of the End User Certificate Profile field is set to true; when installed in a CA, the value of the End User Certificate Profile field is set to false. In a CA, you set this certificate profile up to match the certificate profile set up in the RA; the value of the End User Certificate Profile needs to be set to false in order for the CA to be able to accept the request from somewhere other than the certificate profile enrollment form.

raRACert

Configured for enrollments for an RA signing certificate. When installed in an RA, the value of the End User Certificate Profile field is set to true; when installed in a CA, the value of the End User Certificate Profile field is set to false. In a CA, you set this certificate profile up to match the certificate profile set up in the RA; the value of the End User Certificate Profile needs to be set to false in order for the CA to be able to accept the request from somewhere other than the certificate profile enrollment form.

raTransportCert

Configured for enrollments for a transport signing certificate, used by the Data Recovery Manager, in a Registration Manager. When installed in an RA, the value of the End User Certificate Profile field is set to true; when installed in a CA, the value of the End User Certificate Profile field is set to false. In a CA, you set this certificate profile up to match the certificate profile set up in the RA; the value of the End User Certificate Profile needs to be set to false in order for the CA to be able to accept the request from somewhere other than the certificate profile enrollment form.

raAuditCert

Configured for enrollments for a signed audit signing certificate, used by a subsystem to sign the signed audit logs.

Input Reference

An input puts certain fields on the enrollment page associated with a particular certificate profile. You define inputs for a certificate profile which are used to dynamically generate the enrollment page.

Certificate Request Input

The Certificate Request Input input is used for enrollments in which a certificate request will be pasted into the enrollment form. It allows the type of request to be specified from a drop down list, and provides an input field to paste the request.

This input puts the following fields into the enrollment form:

Certificate Request Type. This field allows the user to choose the certificate request type of the request they are submitting from the drop down menu. The choices include PKCS#10, CRMF, and CMC.

Certificate Request. This field allows the user to paste a request into the supplied input field.

Dual Key Generation Input

The Dual Key Geneneration Input input is used for enrollments in which dual key pairs will be generated, and thus two certificates issued, one for the signing certificate and one for the encryption certificate. The generation of dual key pairs using the certificate profile interface is only supported for the Netscape 7 and later browsers.

This input puts the following fields into the enrollment form:

Key Generation Request Type. This field is a read only field displaying crmf as the request type. (Note: This field will display Not Supported on browsers other than Netscape 7 and above.)

Key Generation Request. This field is a read only field displaying 1024 (Encryption), 1024 (Signing) as the key generation request. (Note: This field will display Not Supported on browsers other than Netscape 7 and above.)

Key Generation Input

The Key Generation Input input is used for enrollments in which a single key pair will be generated, generally used for user-based certificate enrollments.

This input puts the following fields into the enrollment form:

Key Generation Request Type. This field is a read only field displaying crmf as the request type.

Key Generation Request. This field is a read only field displaying 1024 (High Grade) as the key generation request.

Subject Name Input

The Subject Name Input input is used for enrollment when distinguished name parameters need to be collected from the user. The collected parameters could be used for formulating the subject name in the certificate.

This input puts the following fields into the enrollment form:

UID. This field is for the user ID of this user, as specified for this user in the LDAP directory.

Email. This field is for entering the email address of the user.

Common Name. This field is for entering the name of the user.

Organizational Unit. This field is for entering the organizational unit to which the user belongs.

Organization. This field is for entering the organization name.

Country. This field is for entering the country to which the user belongs.

Submitter Information Input

The Submitter Information Input input is used to collect the certificate requestor's information such as name, email and phone.

This input puts the following fields into the enrollment form:

Requestor Name. This field is used to enter the name of the requestor of this certificate.

Requestor Email. This field is used to enter the email address of the requestor of this certificate.

Requestor Phone. This field is used to enter the phone number of the requestor of this certificate.

Output Reference

An output represents the response to the end user of a successful enrollment.

certOutputImpl

This output displays the certificate in pretty print format. It is the only output defined at this time. You cannot configure or change this output. It does not display anything other than the certificate in pretty print format.

This output needs to be specified for any automated enrollment. Once a user successfully authenticates using the automated enrollment method, the certificate is automatically generated, and this output page is returned to the user. In an agent-approved enrollment, the user can get the certificate, once it is issued, by providing the request id in the end-entity interface; there is no output page associated with agent-approved enrollment.

Defaults Reference

Defaults are used to define the contents of a certificate and the values associated with that content. This section lists the pre built defaults with complete definitions of each.

Authority Info Access Extension Default

This default populates the Authority Info Access extension. This extension specifies how an application validating a certificate can access information, such as on-line validation services and CA policy statements, about the CA that has issued the certificate. Note that this extension should not be used to point directly to the CRL location maintained by a CA; the CRL Distribution Points extension explained in "CRL Distribution Points Extension Default" on page 432 allows you to provide references to CRL locations.

For general information about this extension, see "authorityInfoAccess" on page 731.

You can define the following constraints with this default:

Extension Constraint, see "Extension Constraint," on page 454
No Constraints, see "No Constraint," on page 456.

This default allows you to define 5 locations and specify parameters for each location. The parameters are marked with an <n> in the table to distinguish that the parameter is associated with one of the five possible locations.

Table 11-1 Authority Info Access Extension Default Configuration Parameters

Parameter

Description

Critical

Select true to mark this extension critical; select false to mark the extension noncritical.

Method_<n>

Specifies the access method for retrieving additional information about the CA that has issued the certificate in which the extension appears. Provide one of the following values:

ocsp (or 1.3.6.1.5.5.7.48.1).
caIssuers (or 1.3.6.1.5.5.7.48.2).
renewal (or 2.16.840.1.113730.16.1)

LocationType_<n>

Specifies the general-name type for the location that contains additional information about the CA that has issued the certificate in which this extension appears. Select one of the following types from the drop down menu: DirectoryName, DNSName, EDIPartyName, IPAddress, OID, RFC822Name, or URI.

Location_<n>

Specifies the address or location to get additional information about the CA that has issued the certificate in which this extension appears. Specifying the information based on the following:

If you selected directoryName, the value must be a string form of X.500 name, similar to the subject name in a certificate. For example, CN=SubCA, OU=Research Dept, O=Example Corporation, C=US.

If you selected dNSName, the value must be a valid domain name in the fully-qualified DNS format. For example, testCA.example.com.

If you selected EDIPartyName, the value must be an IA5String. For example, Example Corporation.

If you selected iPAddress, the value must be a valid IP address (IPv4 or IPv6).
IPv4 address must be in n.n.n.n format, with endmost must be in n.n.n.n,m.m.m.m format. For example: 128.21.39.40. or 128.21.39.40,255.255.255.00.
IPv 6 (IPv6) address with netmask is separated by a comma. FOr Example 0:0:0:0:0:0:13.1.68.3 and FF01::43; and 0:0:0:0:0:0:13.1.68.3,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:255.255.255.0 and FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000.

If you selected OID, the value must be a unique, valid OID specified in dot-separated numeric component notation. For example, 1.2.3.4.55.6.5.99.

If you selected RFC822Name, the value must be a valid Internet mail address in the fully qualified DNS format.

If you selected URI, the value must be a non-relative universal resource identifier (URI) following the URL syntax and encoding rules. That is, the name must include both a scheme (for example, http) and a fully qualified domain name or IP address of the host. For example, http://ocspResponder.example.com:8000

Enable_<n>

Specifies whether or not this location is enabled. Select true to enable, select false to disable.

Authority Key Identifier Extension Default

This default populates the Authority Key Identifier extension into the certificate request. The extension is used to identify the public key that corresponds to the private key used by a CA to sign certificates.

For general information about this extension, see "authorityKeyIdentifier" on page 731.

This default has not parameters. If used, this extension will be included in the certificate with the public key information.

Basic Constraints Extension Default

This default populates Basic Constraint extension in the certificate request. The extension identifies whether or not the Certificate Manager is a CA. The extension is also used during the certificate chain verification process to identify CA certificates and to apply certificate chain-path length constraints.

For general information about this extension, see "basicConstraints" on page 732.

You can define the following constraints with this default:

Basic Constraints Extension Constraint, see "Basics Constraints Extension Constraint," on page 453
Extension Constraint, see "Extension Constraint," on page 454
No Constraints, see "No Constraint," on page 456.

Table 11-2 Basic Constraints Extension Default Configuration Parameters

Parameter

Description

Critical

Select true to mark this extension critical; select false to mark the extension noncritical.

IsCA

Specifies whether the certificate subject is a CA. If you select true, the server checks the PathLen parameter and sets the specified path length in the certificate. If you select false, the server treats the certificate subject as a non-CA and ignores the value specified for the PathLen parameter.

PathLen

Specifies the path length, the maximum number of CA certificates that may be chained below (subordinate to) the subordinate CA certificate being issued. Note that the path length you specify affects the number of CA certificates to be used during certificate validation. The chain starts with the end-entity certificate being validated and moving up the chain.

The maxPathLen parameter has no effect if the extension is set in end-entity certificates.

Permissible values: 0 or n. Make sure that the value you choose is less than the path length specified in the Basic Constraints extension of the CA signing certificate (owned by the CA that will issue these certificates).

0 specifies that no subordinate CA certificates are allowed below the subordinate CA certificate being issued-that is, only an end-entity certificate may follow in the path.

n must be an integer greater than zero. It specifies at the most n subordinate CA certificates are allowed below the subordinate CA certificate being used.

If you leave the field blank, the path length defaults to a value that is determined by the path length set in the Basic Constraints extension in the issuer's certificate. If the issuer's path length is unlimited, the path length in the subordinate CA certificate will also be unlimited. If the issuer's path length is an integer greater than zero, the path length in the subordinate CA certificate will be set to a value that's one less than the issuer's path length; for example, if the issuer's path length is 4, the path length in the subordinate CA certificate will be set to 3.

CRL Distribution Points Extension Default

This default populates the CRL Distribution points extension in the certificate request. This extension, when present in a certificate, identifies one or more locations from which an application that is validating the certificate can obtain the CRL information (to verify the revocation status of the certificate).

For general information about this extension, see "CRLDistributionPoints" on page 733.

You can define the following constraints with this default:

Extension Constraint, see "Extension Constraint," on page 454
No Constraints, see "No Constraint," on page 456

This default allows you to define 5 locations and specify parameters for each location. The parameters are marked with an <n> in the table to distinguish that the parameter is associated with one of the five possible locations.

Table 11-3 CRL Distribution Points Extension Configuration Parameters

Parameter

Description

Critical

Select true to mark this extension critical; select false to mark the extension noncritical.

Type_<n>

Specifies the type of the CRL distribution point.

Permissible values: DirectoryName, URIName, or RelativeToIssuer. The type you select must correspond to the value in the Name field.

Name_<n>

Specifies the name of the CRL distribution point, the name can be in any of the following formats:

An X.500 directory name in the RFC 2253 syntax. For example, the name would look similar to the subject name in a certificate, like this: CN=CA Central, OU=Research Dept, O=Example Corporation, C=US
A URIName; for example, it would look similar to this:
http://testCA.example.com:80
An RDN which specifies a location relative to the CRL Issuer. In this case, the value of the Type attribute must be RelativeToIssuer.

Reasons_<n>

Specifies revocation reasons covered by the CRL maintained at the distribution point. Provide a comma-separated list of the following constants:

unused
keyCompromise
cACompromise
affiliationChanged
superseded
cessationOfOperation
certificateHold

IssuerName_<n>

Specifies the name of the issuer that has signed the CRL maintained at the distribution point, the name can be in any of the following formats:

An X.500 directory name in the RFC 2253 syntax. For example:
CN=CA Central, OU=Research Dept, O=Example Corporation, C=US
A URIName; for example, it would look similar to this:
http://testCA.example.com:80

IssuerType_<n>

Specifies the general-name type of the CRL issuer that has signed the CRL maintained at distribution point.

Permissible values: DirectoryName or URIName. The value you specify for this parameter must correspond to the value in the issuerName field.

Select DirectoryName if the value in the issuerName field is an X.500 directory name.
Select URIName if the value in the issuerName field is a uniform resource indicator.

Extended Key Usage Extension Default

This default populates the Extended Key Usage extension in the certificate request.

For general information about this extension, see "extKeyUsage" on page 734.

The extension identifies one or more purposes-in addition to or in place of the basic purposes indicated in the key usage extension-for which the certified public key may be used. For example, if the key usage extension identifies a key to be used for signing, the extended key usage extension can further narrow down the usage of the key for signing OCSP responses only or for signing Java applets only.

Table 11-4 PKIX usage definitions for the extended key usage extension

Usage

OID

Server authentication

1.3.6.1.5.5.7.3.1

Client authentication

1.3.6.1.5.5.7.3.2

Code signing

1.3.6.1.5.5.7.3.3

Email

1.3.6.1.5.5.7.3.4

IPSec end system

1.3.6.1.5.5.7.3.5

IPSec tunnel

1.3.6.1.5.5.7.3.6

IPSec user

1.3.6.1.5.5.7.3.7

Timestamping

1.3.6.1.5.5.7.3.8

Note that Windows 2000TM allows you to encrypt files on the hard disk, a feature known as encrypted file system (EFS), using certificates that contain the Extended Key Usage extension with the following two OIDs:

1.3.6.1.4.1.311.10.3.4 (this OID is for the EFS certificate)

1.3.6.1.4.1.311.10.3.4.1 (this OID is for the EFS recovery certificate)

The EFS recovery certificate is used by a recovery agent when a user loses the private key and the data encrypted with that key needs to be used. CS supports the above two OIDs and allows you to issue certificates containing extended key usage extension with these OIDs.

Normal user certificates should be created with only the EFS OID, not the recovery OID.

You can define the following constraints with this default:

Extended Key Usage Constraint, see "Extended Key Usage Extension Constraint," on page 454
Extension Constraint, see "Extension Constraint," on page 454
No Constraints, see "No Constraint," on page 456.

Table 11-5 Extended Key Usage Extension Default Configuration Parameters

Parameter

Description

Critical

Select true to mark this extension critical; select false to mark the extension noncritical.

OIDs

Specifies the OID that identifies a key-usage purpose.

Permissible values: A unique, valid OID specified in the dot-separated numeric component notation. Depending on the key-usage purposes, you may choose to use the OIDs designated by PKIX (listed in Table 11-4 on page 434) or define your own OIDs. If you're defining your own OID, it should be in the registered subtree of IDs reserved for your company's use. Although you can invent your own OIDs for the purposes of evaluating and testing this server, in a production environment, you should comply with the ISO rules for defining OIDs and for registering subtrees of IDs. See Appendix H, "Object Identifiers" for information on allocating private OIDs.

Example: 2.16.840.1.113730.1.99

Freshest CRL Extension Default

This default populates the Freshest CRL extension in the certificate request. The Freshest CRL Extension Default enables you to configure a Certificate Manager to set the FreshestCRL Extension in certificate.

You can define the following constraints with this default:

Extension Constraint, see "Extension Constraint," on page 454.
No Constraints, see "No Constraint," on page 456.

This default allows you to define 5 locations and specify parameters for each location. The parameters are marked with an <n> in the table to distinguish that the parameter is associated with one of the five possible locations.

Table 11-6 Freshest CRL Extension Default Configuration Parameters

Parameter

Description

Critical

Select true to mark this extension critical; select false to mark the extension noncritical.

PointEnable_<n>

Select true to enable this point; select false to disable this point.

PointType_<n>

Specifies the type of issuing point. Select from DirectoryName and URIName.

PointName_<n>

If pointType is set to directoryName, the value must be a string form of X.500 name, similar to the subject name in a certificate. For example, CN=CACentral,OU=Research Dept,O=Example Corporation,C=US.
If pointType is set to URI, the name must be a URIName; the URIName must be an absolute pathname and must specify the host. For example:

http://testCA.example.com/get/your/crls/here/

PointIssuer Name_<n>

Specifies the name of the issuer that has signed the CRL maintained at this distribution point, the name can be in any of the following formats:

An X.500 directory name in the RFC 2253 syntax. For example:
CN=CA Central, OU=Research Dept, O=Example Corporation, C=US
A URIName; for example:
http://testCA.example.com:80

PointType_<n>

Specifies the general-name type of the CRL issuer that signed the CRL maintained at distribution point.

Permissible values: DirectoryName or URIName. The value you specify for this parameter must correspond to the value in the issuerName field.

Key Usage Extension Default

This default populates the Key Usage extension in the certificate request. The extension specifies the purposes for which the key contained in a certificate should be used-for example, it specifies whether the key should be used for data signing, key encipherment, or data encipherment-and thus enables you to restrict the usage of a key pair to predetermined purposes.

For general information about this extension, see "keyUsage" on page 736.

You can define the following constraints with this default:

Key Usage Constraint, see "Key Usage Extension Constraint," on page 455.
Extension Constraint, see "Extension Constraint," on page 454.
No Constraints, see "No Constraint," on page 456.

Table 11-7 Key Usage Extension Default Configuration Parameters

Parameter

Description

critical

Select true to mark this extension critical; select false to mark the extension noncritical.

digitalSignature

Specifies whether to allow for signing of SSL client certificates, S/MIME signing certificates, and object-signing certificates. Select true to set, select false to not set.

nonRepudiation

Specifies whether to some S/MIME signing certificates and object-signing certificates. Note, however, that the use of this bit is controversial. You should carefully consider the legal consequences of its use before setting it for any certificate. Select true to set, select false to not set.

keyEncipherment

Specifies whether to set the extension for SSL server certificates and S/MIME encryption certificates. Select true to set, select false to not set.

dataEncipherment

Specifies whether to set the extension when the subjects's public key is used to encipher user data (as opposed to key material). Select true to set, select false to not set.

keyAgreement

Specifies whether to set the extension whenever the subject's public key is used for key agreement. Select true to set, select false to not set.

keyCertsign

Specifies whether extension for all CA signing certificates. Select true to set, select false to not set.

cRLSign

Specifies whether to set the extension for CA signing certificates that are used to sign CRLs. Select true to set, select false to not set.

encipherOnly

Specifies whether to set the extension if the public key is to be used only for enciphering data. If this bit is set, keyAgreement should also be set. Select true to set, select false to not set.

decipherOnly

Specifies whether to set the extension if the public key is to be used only for deciphering data. If this bit is set, keyAgreement should also be set. Select true to set, select false to not set.

Name Constraints Extension Default

This default populates a name constraint extension in the certificate request. The extension is used in CA certificates to indicate a name space within which subject names or subject alternative names in subsequent certificates in a certification path or chain should be located.

For general information about this extension, see "nameConstraints" on page 737.

You can define the following constraints with this default:

Extension Constraint, see "Extension Constraint," on page 454.
No Constraints, see "No Constraint," on page 456.

This default allows you to define 5 locations for both the permitted subtree and the excluded subtree and specify parameters for each of these location. The parameters are marked with an <n> in the table to distinguish that the parameter is associated with one of the five possible locations.

Table 11-8 Name Constraints Extension Default Configuration Parameters

Parameter

Description

critical

Select true to mark this extension critical; select false to mark the extension noncritical.

permittedSubtrees<n>.
min

Specifies the minimum number of permitted subtrees.

-1 specifies that the field should not be set in the extension.
0 specifies that the minimum number of subtrees is zero.
n must be an integer that is greater than zero. It specifies at the most n subtrees are allowed.

permittedSubtreesmax_<n>

Specifies the maximum number of permitted subtrees.

-1 specifies that the field should not be set in the extension.
0 specifies that the maximum number of subtrees is zero.
n must be an integer that is greater than zero. It specifies at the most n subtrees are allowed.

PermittedSubtree
NameChoice_<n>

Specifies the general-name type for the permitted subtree you want to include in the extension.

Permissible values: RFC822Name, DirectoryName, DNSName, EDIPartyName,

Parameter	Description
Critical	Select true to mark this extension critical; select false to mark the extension noncritical.
Method_<n>	Specifies the access method for retrieving additional information about the CA that has issued the certificate in which the extension appears. Provide one of the following values:
	ocsp (or 1.3.6.1.5.5.7.48.1). caIssuers (or 1.3.6.1.5.5.7.48.2). renewal (or 2.16.840.1.113730.16.1)
LocationType_<n>	Specifies the general-name type for the location that contains additional information about the CA that has issued the certificate in which this extension appears. Select one of the following types from the drop down menu: DirectoryName, DNSName, EDIPartyName, IPAddress, OID, RFC822Name, or URI.
Location_<n>	Specifies the address or location to get additional information about the CA that has issued the certificate in which this extension appears. Specifying the information based on the following:
	If you selected directoryName, the value must be a string form of X.500 name, similar to the subject name in a certificate. For example, CN=SubCA, OU=Research Dept, O=Example Corporation, C=US.
	If you selected dNSName, the value must be a valid domain name in the fully-qualified DNS format. For example, testCA.example.com.
	If you selected EDIPartyName, the value must be an IA5String. For example, Example Corporation.
	If you selected iPAddress, the value must be a valid IP address (IPv4 or IPv6). IPv4 address must be in n.n.n.n format, with endmost must be in n.n.n.n,m.m.m.m format. For example: 128.21.39.40. or 128.21.39.40,255.255.255.00. IPv 6 (IPv6) address with netmask is separated by a comma. FOr Example 0:0:0:0:0:0:13.1.68.3 and FF01::43; and 0:0:0:0:0:0:13.1.68.3,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:255.255.255.0 and FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000.
	If you selected OID, the value must be a unique, valid OID specified in dot-separated numeric component notation. For example, 1.2.3.4.55.6.5.99.
	If you selected RFC822Name, the value must be a valid Internet mail address in the fully qualified DNS format.
	If you selected URI, the value must be a non-relative universal resource identifier (URI) following the URL syntax and encoding rules. That is, the name must include both a scheme (for example, http) and a fully qualified domain name or IP address of the host. For example, http://ocspResponder.example.com:8000
Enable_<n>	Specifies whether or not this location is enabled. Select true to enable, select false to disable.

Parameter	Description
Critical	Select true to mark this extension critical; select false to mark the extension noncritical.
IsCA	Specifies whether the certificate subject is a CA. If you select true, the server checks the PathLen parameter and sets the specified path length in the certificate. If you select false, the server treats the certificate subject as a non-CA and ignores the value specified for the PathLen parameter.
PathLen	Specifies the path length, the maximum number of CA certificates that may be chained below (subordinate to) the subordinate CA certificate being issued. Note that the path length you specify affects the number of CA certificates to be used during certificate validation. The chain starts with the end-entity certificate being validated and moving up the chain.
	The maxPathLen parameter has no effect if the extension is set in end-entity certificates.
	Permissible values: 0 or n. Make sure that the value you choose is less than the path length specified in the Basic Constraints extension of the CA signing certificate (owned by the CA that will issue these certificates).
	0 specifies that no subordinate CA certificates are allowed below the subordinate CA certificate being issued-that is, only an end-entity certificate may follow in the path.
	n must be an integer greater than zero. It specifies at the most n subordinate CA certificates are allowed below the subordinate CA certificate being used.
	If you leave the field blank, the path length defaults to a value that is determined by the path length set in the Basic Constraints extension in the issuer's certificate. If the issuer's path length is unlimited, the path length in the subordinate CA certificate will also be unlimited. If the issuer's path length is an integer greater than zero, the path length in the subordinate CA certificate will be set to a value that's one less than the issuer's path length; for example, if the issuer's path length is 4, the path length in the subordinate CA certificate will be set to 3.

Parameter	Description
Critical	Select true to mark this extension critical; select false to mark the extension noncritical.
Type_<n>	Specifies the type of the CRL distribution point. Permissible values: DirectoryName, URIName, or RelativeToIssuer. The type you select must correspond to the value in the Name field.
Name_<n>	Specifies the name of the CRL distribution point, the name can be in any of the following formats: An X.500 directory name in the RFC 2253 syntax. For example, the name would look similar to the subject name in a certificate, like this: CN=CA Central, OU=Research Dept, O=Example Corporation, C=US A URIName; for example, it would look similar to this: http://testCA.example.com:80 An RDN which specifies a location relative to the CRL Issuer. In this case, the value of the Type attribute must be RelativeToIssuer.
Reasons_<n>	Specifies revocation reasons covered by the CRL maintained at the distribution point. Provide a comma-separated list of the following constants: unused keyCompromise cACompromise affiliationChanged superseded cessationOfOperation certificateHold
IssuerName_<n>	Specifies the name of the issuer that has signed the CRL maintained at the distribution point, the name can be in any of the following formats: An X.500 directory name in the RFC 2253 syntax. For example: CN=CA Central, OU=Research Dept, O=Example Corporation, C=US A URIName; for example, it would look similar to this: http://testCA.example.com:80
IssuerType_<n>	Specifies the general-name type of the CRL issuer that has signed the CRL maintained at distribution point. Permissible values: DirectoryName or URIName. The value you specify for this parameter must correspond to the value in the issuerName field. Select DirectoryName if the value in the issuerName field is an X.500 directory name. Select URIName if the value in the issuerName field is a uniform resource indicator.

Usage	OID
Server authentication	1.3.6.1.5.5.7.3.1
Client authentication	1.3.6.1.5.5.7.3.2
Code signing	1.3.6.1.5.5.7.3.3
Email	1.3.6.1.5.5.7.3.4
IPSec end system	1.3.6.1.5.5.7.3.5
IPSec tunnel	1.3.6.1.5.5.7.3.6
IPSec user	1.3.6.1.5.5.7.3.7
Timestamping	1.3.6.1.5.5.7.3.8

Parameter	Description
Critical	Select true to mark this extension critical; select false to mark the extension noncritical.
OIDs	Specifies the OID that identifies a key-usage purpose. Permissible values: A unique, valid OID specified in the dot-separated numeric component notation. Depending on the key-usage purposes, you may choose to use the OIDs designated by PKIX (listed in Table 11-4 on page 434) or define your own OIDs. If you're defining your own OID, it should be in the registered subtree of IDs reserved for your company's use. Although you can invent your own OIDs for the purposes of evaluating and testing this server, in a production environment, you should comply with the ISO rules for defining OIDs and for registering subtrees of IDs. See Appendix H, "Object Identifiers" for information on allocating private OIDs. Example: 2.16.840.1.113730.1.99

Parameter	Description
Critical	Select true to mark this extension critical; select false to mark the extension noncritical.
PointEnable_<n>	Select true to enable this point; select false to disable this point.
PointType_<n>	Specifies the type of issuing point. Select from DirectoryName and URIName.
PointName_<n>	If pointType is set to directoryName, the value must be a string form of X.500 name, similar to the subject name in a certificate. For example, CN=CACentral,OU=Research Dept,O=Example Corporation,C=US. If pointType is set to URI, the name must be a URIName; the URIName must be an absolute pathname and must specify the host. For example: http://testCA.example.com/get/your/crls/here/
PointIssuer Name_<n>	Specifies the name of the issuer that has signed the CRL maintained at this distribution point, the name can be in any of the following formats: An X.500 directory name in the RFC 2253 syntax. For example: CN=CA Central, OU=Research Dept, O=Example Corporation, C=US A URIName; for example: http://testCA.example.com:80
PointType_<n>	Specifies the general-name type of the CRL issuer that signed the CRL maintained at distribution point. Permissible values: DirectoryName or URIName. The value you specify for this parameter must correspond to the value in the issuerName field.

Parameter	Description
critical	Select true to mark this extension critical; select false to mark the extension noncritical.
digitalSignature	Specifies whether to allow for signing of SSL client certificates, S/MIME signing certificates, and object-signing certificates. Select true to set, select false to not set.
nonRepudiation	Specifies whether to some S/MIME signing certificates and object-signing certificates. Note, however, that the use of this bit is controversial. You should carefully consider the legal consequences of its use before setting it for any certificate. Select true to set, select false to not set.
keyEncipherment	Specifies whether to set the extension for SSL server certificates and S/MIME encryption certificates. Select true to set, select false to not set.
dataEncipherment	Specifies whether to set the extension when the subjects's public key is used to encipher user data (as opposed to key material). Select true to set, select false to not set.
keyAgreement	Specifies whether to set the extension whenever the subject's public key is used for key agreement. Select true to set, select false to not set.
keyCertsign	Specifies whether extension for all CA signing certificates. Select true to set, select false to not set.
cRLSign	Specifies whether to set the extension for CA signing certificates that are used to sign CRLs. Select true to set, select false to not set.
encipherOnly	Specifies whether to set the extension if the public key is to be used only for enciphering data. If this bit is set, keyAgreement should also be set. Select true to set, select false to not set.
decipherOnly	Specifies whether to set the extension if the public key is to be used only for deciphering data. If this bit is set, keyAgreement should also be set. Select true to set, select false to not set.

Parameter	Description
critical	Select true to mark this extension critical; select false to mark the extension noncritical.
permittedSubtrees<n>. min	Specifies the minimum number of permitted subtrees. -1 specifies that the field should not be set in the extension. 0 specifies that the minimum number of subtrees is zero. n must be an integer that is greater than zero. It specifies at the most n subtrees are allowed.
permittedSubtreesmax_<n>	Specifies the maximum number of permitted subtrees. -1 specifies that the field should not be set in the extension. 0 specifies that the maximum number of subtrees is zero. n must be an integer that is greater than zero. It specifies at the most n subtrees are allowed.
PermittedSubtree NameChoice_<n>	Specifies the general-name type for the permitted subtree you want to include in the extension. Permissible values: RFC822Name, DirectoryName, DNSName, EDIPartyName,