2.3. List of Certificate Profiles

The certificate profiles described here are pre-defined and ready to use when the Certificate System is installed. This set of profiles covers the most common certificate types and supplies the standard defaults and constraints, the authentication method, and the inputs and outputs common to each type. More profiles can be added and the shipped ones can be edited. An administrator can define additional defaults and constraints using the CS SDK.

Profile ID | Profile Name | Description
caUserCert | Manual User Dual-Use Certificate Enrollment | Enrolls user certificates.
caDualCert | Manual User Signing and Encryption Certificates Enrollment | Enrolls dual user certificates (separate signing and encryption certificates).
caLogCert | Manual Log Signing Certificate Enrollment | Enrolls audit log signing certificates.
caTPSCert | Manual TPS Server Certificate Enrollment | Enrolls TPS server certificates.
caServerCert | Manual Server Certificate Enrollment | Enrolls server certificates.
caCAcert | Manual Certificate Manager Signing Certificate Enrollment | Enrolls Certificate Manager certificates (CA signing certificates).
caOCSPCert | Manual OCSP Manager Signing Certificate Enrollment | Enrolls OCSP Manager certificates (OCSP signing certificates).
caTransportCert | Manual Data Recovery Manager Transport Certificate Enrollment | Enrolls DRM transport certificates.
caDirAuthCert | Directory-Authenticated User Dual-Use Certificate Enrollment | Enrolls user certificates with directory-based (LDAP) authentication.
caAgentServerCert | Agent-Authenticated Server Certificate Enrollment | Enrolls server certificates with agent authentication.
caAgentFileSigning | Agent-Authenticated File Signing | File signing with agent authentication.
caFullCMCCert | Signed CMC-Authenticated User Certificate Enrollment | Enrolls user certificates from a CMC certificate request with CMC signature authentication; a full CMC request conforming to the RFC is expected.
caSimpleCMCCert | Simple CMC Enrollment Request for User Certificate | Enrolls user certificates from a CMC certificate request with CMC signature authentication; a simple CMC request conforming to the RFC is expected.
caTokenUserEncryptionKeyEnrollment | Token User Encryption Certificate Enrollment | Smart card-based enrollment of encryption certificates, initiated through the TPS server.
caTokenUserSigningKeyEnrollment | Token User Signing Certificate Enrollment | Smart card-based enrollment of signing certificates, initiated through the TPS server.

Table 2.1. List of Certificate Profiles

2.3.1. Example Profile

The caUserCert profile, as shipped with the server, is described here as an example. A profile usually contains inputs, policy sets, and outputs. The default caUserCert certificate profile contains the following:

  • Profile description.

    This profile is for issuing user, or client, certificates.

  • Profile inputs.

    • Key generation. This sets key pair generation during request submission to be CRMF-based and 1024-bit. This is a read-only field. Note that 1024-bit RSA is below current minimum key sizes; a production deployment should require 2048 bits or more here and in the set3 key constraint below.

    • Subject name. The subject name input is used when distinguished name (DN) parameters need to be collected from the user; the user DN can be used to create the subject name in the certificate. This input uses the following form fields:

      • UID. The user ID of the user in the LDAP directory.

      • Email. The email address of the user.

      • Common name. The name of the user.

      • Organizational unit. The organizational unit to which the user belongs.

      • Organization. The organization name.

      • Country. The country where the user is located.

    • Requester. This input uses the following form fields:

      • Requester name. The name of the certificate requester.

      • Requester email. The email address of the certificate requester.

      • Requester phone. The phone number of the certificate requester.

  • Profile policy sets.

    The different policy sets that are set by default on caUserCert are listed in Table 2.2, “caUserCert - Profile Policy Sets”.

    Each policy set is listed with its defaults (values the profile populates into the request) and its constraints (checks the request must pass before issuance).

    set1 - SubjectName
      Defaults: none
      Constraints: the subject name must match the regular expression uid=.* (every certificate issued through this profile carries a uid= component).

    set2 - Validity
      Defaults: range = 180 days
      Constraints: the range must be less than 365 days. The notBefore and notAfter date checks are turned off.

    set3 - Key
      Defaults: none
      Constraints: keytype = RSA (the key type must be RSA); keyminLength = 512 and keymaxLength = 4096 (the key length must be between 512 and 4096 bits). As shipped, keyminLength admits 512-bit keys, which can be factored with modest resources; raise the minimum to at least 2048 in any production copy of the profile.

    set4 - Authority Key Identifier
      Defaults: none
      Constraints: none

    set5 - AIA extension
      Defaults: authinfoaccesscritical = false; authinfoaccessADMethod_0 = OID; authinfoaccessADLocationType_0 = URIName; authinfoaccessADEnable_0 = true; authinfoaccessADLocation_0 = (empty). The access location is empty as shipped, so fill in the URL before relying on this extension.
      Constraints: none

    set6 - Key Usage
      Defaults: populates a Key Usage extension (2.5.29.15) in the request with Criticality=true, Digital Signature=true, Non-Repudiation=true, Key Encipherment=true, Data Encipherment=false, Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false.
      Constraints: accepts the Key Usage extension, if present, only when it carries exactly these default values.

    set7 - Extended Key Usage
      Defaults: populates an Extended Key Usage extension in the request with Criticality=false and OIDs=1.3.6.1.5.5.7.3.2 (id-kp-clientAuth), 1.3.6.1.5.5.7.3.4 (id-kp-emailProtection).
      Constraints: none

    set8 - Subject Alt Name Constraint
      Defaults: populates a Subject Alternative Name extension (2.5.29.17) in the request with Criticality=false and Record #0 {Pattern: $request.requester_email$, Pattern Type: RFC822Name, Enable: true}. The pattern is taken from the Requester email input field, which the requester fills in, so the agent approving the request should verify that address against the directory entry.
      Constraints: none

    set9 - SigningAlg
      Defaults: Algorithm = SHA1withRSA
      Constraints: accepts only SHA1withRSA, SHA256withRSA, SHA512withRSA, MD5withRSA, MD2withRSA. MD2, MD5 and SHA-1 are no longer acceptable signature hashes; remove them from the allowed list and change the default to SHA256withRSA or SHA512withRSA.

    Table 2.2. caUserCert - Profile Policy Sets

  • Profile outputs.

    The Certificate Output displays the certificate in pretty-print format and cannot be configured or changed. This output must be specified for any automated enrollment: once a user successfully authenticates using the automated enrollment method, the certificate is generated automatically and this output page is returned to the user. In an agent-approved enrollment there is no output page; the user retrieves the certificate, once it is issued, by providing the request ID on the CA end-entities page.
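The defaults-then-constraints flow of the caUserCert policy sets in Table 2.2 can be modelled in a few lines. The following is an added example written for this page, not Certificate System code: it mirrors the parameters the table lists (the uid=.* subject pattern, the 180/365-day validity values, the RSA key-size bounds, the fixed Key Usage bits, the EKU OIDs, the rfc822Name SAN built from the requester e-mail, and the signing-algorithm list) so you can see which requests the shipped profile would accept and what tightening the signing-algorithm list changes. The request dictionary layout, the function names, the sample requests and the SIGNING_ALGS_HARDENED set are assumptions made for the example.

```python
"""Model of the caUserCert policy sets (Table 2.2): defaults, then constraints.

Added example; not Certificate System code. The request dict format, the
function names and the hardened allowlist are assumptions for illustration.
"""
import copy
import re

# set1 - SubjectName constraint
SUBJECT_PATTERN = re.compile(r"uid=.*", re.IGNORECASE)
# set2 - Validity: default 180 days, constraint "less than 365 days"
VALIDITY_DEFAULT_DAYS = 180
VALIDITY_MAX_DAYS = 365
# set3 - Key constraint
KEY_TYPE = "RSA"
KEY_MIN_LENGTH = 512
KEY_MAX_LENGTH = 4096
# set6 - Key Usage defaults; the constraint accepts the extension only with these bits
KEY_USAGE_DEFAULTS = {
    "critical": True, "digitalSignature": True, "nonRepudiation": True,
    "keyEncipherment": True, "dataEncipherment": False, "keyAgreement": False,
    "keyCertSign": False, "cRLSign": False, "encipherOnly": False,
    "decipherOnly": False,
}
# set7 - Extended Key Usage defaults (clientAuth, emailProtection)
EKU_DEFAULT_OIDS = ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"]
# set9 - SigningAlg: shipped default and shipped allowlist
SIGNING_ALG_DEFAULT = "SHA1withRSA"
SIGNING_ALGS_SHIPPED = frozenset({"SHA1withRSA", "SHA256withRSA", "SHA512withRSA",
                                  "MD5withRSA", "MD2withRSA"})
# Assumed local tightening: drop the MD2/MD5/SHA-1 entries.
SIGNING_ALGS_HARDENED = frozenset({"SHA256withRSA", "SHA512withRSA"})


def apply_defaults(req):
    """Populate the fields the profile defaults would fill in (sets 2, 6, 7, 8, 9)."""
    out = copy.deepcopy(req)
    out.setdefault("validity_days", VALIDITY_DEFAULT_DAYS)
    out.setdefault("key_usage", dict(KEY_USAGE_DEFAULTS))
    out.setdefault("extended_key_usage", list(EKU_DEFAULT_OIDS))
    if "requester_email" in req:  # set8: rfc822Name SAN from $request.requester_email$
        out.setdefault("subject_alt_names", [("RFC822Name", req["requester_email"])])
    out.setdefault("signing_alg", SIGNING_ALG_DEFAULT)
    return out


def check_request(req, signing_allowlist=SIGNING_ALGS_SHIPPED):
    """Run the constraints; return a list of violations (empty means accepted)."""
    errors = []
    if not SUBJECT_PATTERN.match(req.get("subject", "")):
        errors.append("set1: subject name must match uid=.*")
    days = req.get("validity_days", VALIDITY_DEFAULT_DAYS)
    if not 0 < days < VALIDITY_MAX_DAYS:
        errors.append(f"set2: validity of {days} days is not below {VALIDITY_MAX_DAYS}")
    if req.get("key_type") != KEY_TYPE:
        errors.append(f"set3: key type must be {KEY_TYPE}")
    bits = req.get("key_bits", 0)
    if not KEY_MIN_LENGTH <= bits <= KEY_MAX_LENGTH:
        errors.append(f"set3: key length {bits} outside {KEY_MIN_LENGTH}-{KEY_MAX_LENGTH}")
    ku = req.get("key_usage")
    if ku is not None and ku != KEY_USAGE_DEFAULTS:
        errors.append("set6: Key Usage extension present with non-default bits")
    alg = req.get("signing_alg", SIGNING_ALG_DEFAULT)
    if alg not in signing_allowlist:
        errors.append(f"set9: signing algorithm {alg} not in allowlist")
    return errors


# Constructed sample requests (not real enrollment data).
GOOD_REQUEST = {
    "subject": "uid=jdoe,ou=People,o=Example Corp,c=US",
    "key_type": "RSA",
    "key_bits": 2048,
    "requester_email": "jdoe@example.test",
}
BAD_REQUEST = {
    "subject": "cn=Jane Doe,o=Example Corp,c=US",            # no uid= component
    "key_type": "RSA",
    "key_bits": 384,                                          # below keyminLength
    "requester_email": "jdoe@example.test",
    "validity_days": 730,                                     # above the 365-day range
    "key_usage": dict(KEY_USAGE_DEFAULTS, keyCertSign=True),  # tampered Key Usage bits
}

if __name__ == "__main__":
    for name, req in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        print(name, check_request(apply_defaults(req)) or "accepted")
    # The shipped default (SHA1withRSA) fails a hardened allowlist, so the
    # set9 default must be changed together with the constraint.
    print("good, hardened allowlist:",
          check_request(apply_defaults(GOOD_REQUEST), SIGNING_ALGS_HARDENED))
```

The last print illustrates the practical trap: if an administrator only removes the weak algorithms from the set9 constraint but leaves the default at SHA1withRSA, every request that relies on the default is rejected, so the default and the constraint have to be changed together.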