Chapter 2. CA: Working with Certificate Profiles

2.1. About Certificate Profiles
2.2. Basic Profile Operations for an Agent
2.3. List of Certificate Profiles
2.4. How Certificate Profiles Work
2.5. Enabling and Disabling Certificate Profiles

A Certificate Manager agent is responsible for approving certificate profiles that have been configured by a Certificate System administrator. Certificate Manager agents also manage and approve certificate requests that come from profile-based enrollments.

2.1. About Certificate Profiles

2.1.1. Profile Definition

A certificate profile defines everything associated with issuing a certificate, including the authentication method, the certificate content (defaults), constraints for content values in the requested certificate type, and the contents of the input and output forms associated with the certificate profile.

2.1.2. Categories of Certificate Profiles

There are three categories of information that constitute a certificate profile:

  • Profile inputs. Profile inputs are parameters and values that are submitted to the CA when a certificate is requested. Profile inputs include public keys for the certificate request and the certificate subject name requested by the end entity for the certificate.

  • Profile policy sets. A certificate profile can have one or more policy sets, each of which is defined by a set of defaults and constraints.

    • Profile defaults. Profile defaults are parameters and values defined by the CA administrator. Profile defaults include the authentication mechanism for the end entity, how long the certificate is valid, and what certificate extensions appear for each type of certificate issued.

    • Profile constraints. Profile constraints are parameters and values that form the rules or policies for issuing certificates. Profile constraints include rules like requiring the certificate subject name to have at least one CN component, setting the validity of a certificate to a maximum of 360 days, or requiring that the subjectAltName extension always be set to true.

  • Profile outputs. Profile outputs are parameters and values that specify the format in which to issue the certificate to the end entity. Profile outputs include base-64 encoded files, CMMF responses, and PKCS #7 output, which also includes the CA chain.
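
The following Python sketch is an added example, not code from Certificate System. It models one policy set by applying CA-defined defaults to the submitted inputs and then checking the three constraints mentioned above. The class, the function names and the dictionary layout are hypothetical, and the 180-day default is a constructed sample value.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

MAX_VALIDITY_DAYS = 360  # maximum validity from the constraint example in the text

@dataclass
class CertRequest:
    """Profile inputs: values submitted by the end entity (hypothetical model)."""
    subject: str
    public_key: str
    validity_days: Optional[int] = None
    extensions: set = field(default_factory=set)

def apply_defaults(req, defaults):
    """Profile defaults: CA-defined values fill in what the request left unset."""
    if req.validity_days is None:
        req.validity_days = defaults["validity_days"]
    req.extensions |= set(defaults.get("extensions", ()))
    return req

def subject_has_cn(subject):
    """True if at least one RDN is a non-empty CN (simplified, not a full RFC 4514 parser)."""
    rdns = re.split(r"(?<!\\),", subject)  # split on unescaped commas only
    return any(re.match(r"\s*CN\s*=\s*\S", rdn, re.IGNORECASE) for rdn in rdns)

def check_constraints(req):
    """Profile constraints: return the violated rules; an empty list means acceptable."""
    violations = []
    if not subject_has_cn(req.subject):
        violations.append("subject name has no CN component")
    if not 0 < req.validity_days <= MAX_VALIDITY_DAYS:
        violations.append(f"validity outside 1..{MAX_VALIDITY_DAYS} days")
    if "subjectAltName" not in req.extensions:
        violations.append("subjectAltName extension missing")
    return violations

def evaluate(req, defaults):
    """One policy set: apply the defaults, then enforce the constraints."""
    return check_constraints(apply_defaults(req, defaults))

if __name__ == "__main__":
    # Constructed sample defaults and requests, for illustration only.
    defaults = {"validity_days": 180, "extensions": ["subjectAltName"]}
    for subject in ("CN=alice,O=Example", "O=Acme\\,CN=fake"):
        print(subject, "->", evaluate(CertRequest(subject, "constructed-key"), defaults))
```

The second sample subject shows why the CN check splits on unescaped commas: the text `CN=fake` sits inside the O value, so a plain substring search would wrongly accept it.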