Agent's Guide
Netscape Certificate Management System


Chapter 2   Working with Certificate Profiles


As a Certificate Manager or Registration Manager agent, you are responsible for approving certificate profiles that have been configured by a CMS administrator. You also manage and approve requests that come from certificate profile enrollments.

This chapter contains the following sections:

About Certificate Profiles


A certificate profile defines everything associated with the issuance of a particular type of certificate: the authentication method, the certificate content (defaults), the constraints on the values that content may take, and the input and output forms associated with the certificate profile. Enrollment requests are submitted to a particular certificate profile and are then subject to the defaults and constraints set up in that certificate profile, whether the request was created from the input form associated with the certificate profile or was created elsewhere and submitted as a preformatted request. The certificate that is issued from a certificate profile request contains the content defined by the defaults, with values derived from the parameters associated with those defaults. The constraints provide the rules for which content is allowable in the certificate and define the allowable values for that content. A default supplies content; a constraint decides whether the resulting content, including anything the requester supplied, is acceptable.

For example, a certificate profile could be set up for user certificates that defines all aspects of that certificate, including the validity period of the issued certificate. A default can be set up that defines the validity period as two years. A constraint can be set up so that the validity period for certificates issued from requests submitted to this certificate profile cannot exceed two years. When a user sends a request using the input page associated with this certificate profile, the issued certificate will contain the information specified in the defaults and will be valid for two years. If a user submits a preformatted request that asks for a certificate with a validity period of four years, the request will be rejected, since the constraint allows a maximum validity period of two years for this type of certificate.

A set of certificate profiles has been prebuilt for the most common types of certificates issued. Each prebuilt certificate profile defines the defaults and constraints commonly associated with that type of certificate, associates the authentication method common for that type of enrollment, and defines the inputs and outputs the certificate profile needs.

An administrator can use these prebuilt certificate profiles as they are, or modify any or all of them by changing the authentication method, the defaults or constraints used in each policy, the values assigned to any of the parameters in a policy, or the inputs and outputs. Administrators can also create other certificate profiles, either for other types of certificates or to have more than one certificate profile for a single type of certificate. They might create more than one certificate profile for a particular type of certificate when they want to issue the same type of certificate with either a different authentication method or different definitions for the defaults and constraints. For example, an administrator might create two certificate profiles for SSL Server certificate enrollment, where one certificate profile issues certificates with a validity period of six months and the other issues certificates with a validity period of two years.

A set of defaults and constraints has been prebuilt for the most commonly used certificate content. An administrator can set up additional defaults and constraints using the CMS SDK.

An input specifies how the enrollment page is presented. An administrator can use inputs to add text fields to the enrollment page so that additional information can be gathered and used for the enrollment. The input values are used as values in the certificate. A set of inputs has been created that allows administrators to build an enrollment form containing the fields needed for most certificate profiles they will create. The inputs include a certificate request field that can be added to any of the forms so that a certificate request can be pasted into it, allowing a request to be created outside the input form with any request information that is needed.

An output specifies how the response page to a successful enrollment is presented. It usually displays the certificate in a user-readable format. A single output has been created that shows the pretty-print version of the resulting certificate.

How Certificate Profiles Work


An administrator sets up a certificate profile by associating an existing authentication plug-in, or method, with the certificate profile, enabling and configuring defaults and constraints, and defining inputs and outputs. The administrator can use the existing certificate profiles, modify the existing certificate profiles, create new certificate profiles, and delete any certificate profile that will not be used in this PKI.

Once a certificate profile is set up, it appears on the Manage Certificate Profiles page of the agent services interface, where an agent can approve, and thus enable, the certificate profile. Once the certificate profile is enabled, it appears on the Certificate Profile tab of the end-entity interface, where an end entity can enroll for a certificate using that certificate profile.

The Certificate Profile enrollment page contains links to each type of certificate profile enrollment that has been enabled. When an end entity selects one of those links, an enrollment page appears containing an enrollment form specific to that certificate profile. The enrollment page for this certificate profile in the end-entity interface is dynamically generated from the inputs defined for this certificate profile. If an authentication plug-in is configured, additional fields may be added that are needed to authenticate the user with that authentication method.

When the end entity submits a certificate profile request that is associated with a manual enrollment, that is, an enrollment where no authentication plug-in is configured, the request is queued in the agent services interface as a certificate profile enrollment request, which distinguishes it from requests made through the old enrollment method. The agent can change some aspects of the enrollment, reject it, change its status, or approve it. The agent can also update the request without submitting it, or validate that the request adheres to the profile's defaults and constraints. The agent is bound by the constraints that have been set up; the agent cannot change the request in a way that violates a constraint. The signed approval is processed immediately and a certificate is issued.

When a request is submitted to a certificate profile that is associated with an authentication method, a certificate is issued automatically if the user authenticates successfully, all the required information is provided, and the request does not violate any of the constraints set up for the certificate profile.

The issued certificate contains the content defined in the defaults for this certificate profile, such as the extensions and validity period for the certificate, and that content is constrained by the constraints set up for each default. You can set up more than one set of policies (defaults and constraints); all the policies in one set share the same Policy Set ID, and a different Policy Set ID distinguishes one set from another. The server matches the policy sets to the certificate requests in each enrollment it receives. In the case where a single certificate is issued, only the first set is evaluated and any other sets are ignored. In the case where dual key pairs are issued, the first set is evaluated against the first certificate request and the second set against the second certificate request. There is no need for more than one set if you are issuing a single certificate, or for more than two sets if you are issuing dual key pairs.
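The following Python model is an added example, not code from Certificate Management System, illustrating the two passages above: the two-year validity default and constraint from About Certificate Profiles, and the matching of policy sets to the certificate requests in a single-key or dual-key enrollment. Every name in it (Policy, PolicySet, Profile, evaluate, agent_update, the key usage values and the sample requests) is constructed for the illustration and is not a CMS identifier.

```python
"""Toy model of certificate-profile evaluation (illustration only, not CMS code).

A profile carries one policy set per certificate in an enrollment. Each policy
pairs a default (fills in content the request did not supply) with a constraint
(rejects content the profile does not allow). Class names, the two-year validity
figures and the sample requests are constructed for this example.
"""
from dataclasses import dataclass
from datetime import timedelta
from typing import Callable, Optional

TWO_YEARS = timedelta(days=730)   # the guide's example default and maximum
ONE_DAY = timedelta(days=1)


@dataclass
class Policy:
    name: str
    default: Callable[[dict], None]              # mutates the candidate certificate
    constraint: Callable[[dict], Optional[str]]  # returns a reason, or None if OK


@dataclass
class PolicySet:
    set_id: str        # every policy in a set shares one Policy Set ID
    policies: list


@dataclass
class Profile:
    name: str
    policy_sets: list      # one set per certificate requested
    enabled: bool = False  # an agent must approve (enable) the profile first


def default_validity(cert: dict) -> None:
    cert.setdefault("validity", TWO_YEARS)


def max_validity(limit: timedelta) -> Callable[[dict], Optional[str]]:
    def check(cert: dict) -> Optional[str]:
        if cert["validity"] > limit:
            return f"validity {cert['validity'].days} days exceeds {limit.days}"
        if cert["validity"] < ONE_DAY:
            return "validity must be at least one day"
        return None
    return check


def default_key_usage(usage: list) -> Callable[[dict], None]:
    def fill(cert: dict) -> None:
        cert.setdefault("key_usage", list(usage))
    return fill


def key_usage_within(allowed: set) -> Callable[[dict], Optional[str]]:
    def check(cert: dict) -> Optional[str]:
        extra = set(cert["key_usage"]) - allowed
        return f"key usage {sorted(extra)} not allowed" if extra else None
    return check


def evaluate(profile: Profile, requests: list) -> tuple:
    """Apply policy set i to request i. Returns (issued, rejections).

    A single-certificate enrollment uses only the first set; a dual-key
    enrollment uses the first set for the signing request and the second for
    the encryption request. Further sets are ignored. Issuance is all or
    nothing, so a dual-key enrollment never yields half a pair.
    """
    if not profile.enabled:
        return [], [f"profile {profile.name} is not enabled"]
    if len(requests) > len(profile.policy_sets):
        return [], [f"no policy set for request #{len(requests)}"]
    issued, rejections = [], []
    for req, pset in zip(requests, profile.policy_sets):
        cert = dict(req)                 # never mutate the caller's request
        for pol in pset.policies:
            pol.default(cert)            # defaults supply missing content first
            reason = pol.constraint(cert)
            if reason:
                rejections.append(f"{pset.set_id}/{pol.name}: {reason}")
        issued.append(cert)
    return (issued, []) if not rejections else ([], rejections)


def agent_update(profile: Profile, requests: list, index: int, changes: dict) -> list:
    """An agent may edit a queued request, but only within the constraints;
    an edit that would violate them is discarded and the original kept."""
    edited = [dict(r) for r in requests]
    edited[index].update(changes)
    return edited if not evaluate(profile, edited)[1] else requests


# Constructed sample profiles: a single-key user profile and a dual-key profile.
SIGNING = PolicySet("signing", [
    Policy("validity", default_validity, max_validity(TWO_YEARS)),
    Policy("keyUsage", default_key_usage(["digitalSignature"]),
           key_usage_within({"digitalSignature", "nonRepudiation"})),
])
ENCRYPTION = PolicySet("encryption", [
    Policy("validity", default_validity, max_validity(TWO_YEARS)),
    Policy("keyUsage", default_key_usage(["keyEncipherment"]),
           key_usage_within({"keyEncipherment", "dataEncipherment"})),
])
USER_PROFILE = Profile("user-cert-example", [SIGNING], enabled=True)
DUAL_PROFILE = Profile("dual-cert-example", [SIGNING, ENCRYPTION], enabled=True)

# Constructed sample requests: one from the input form, one pasted preformatted.
FORM_REQUEST = {"subject": "CN=alice"}
PREFORMATTED = {"subject": "CN=bob", "validity": timedelta(days=1460)}  # asks 4 years

if __name__ == "__main__":
    print(evaluate(USER_PROFILE, [FORM_REQUEST]))   # issued with 730-day validity
    print(evaluate(USER_PROFILE, [PREFORMATTED]))   # rejected: exceeds 730 days
```

The ordering inside evaluate matters: a default runs before its constraint, so a request that omits the validity gets the two-year default and passes, while a request that states four years keeps its own value and is rejected by the same constraint. agent_update models the rule that an agent can edit a queued request but cannot push it past a constraint.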

A certificate profile request is not evaluated against the policies configured in the Policy feature of CMS. If the enrollment takes place in a Registration Manager, both the Registration Manager and the Certificate Manager should have the same certificate profile implemented with the same policies, because the Certificate Manager applies its own copy of the profile when it issues the certificate.

Enabling and Disabling Certificate Profiles


Any certificate profiles that have been configured by an administrator are listed on the Manage Certificate Profiles page of the agent services interface. The Manage Certificate Profiles page can be accessed by clicking the Manage Certificate Profiles link in the left-hand portion of the agent services interface.

The Manage Certificate Profiles page lists all of the certificate profiles that have been set up by an administrator. For each one it shows the name of the certificate profile, a short description, whether or not it is an end user certificate profile, whether or not it has been approved and is thus enabled, and, if it is approved, the ID of the agent who approved it.

Getting Certificate Profile Information

You can get information about any certificate profile by clicking its name, which is linked to the Approve Certificate Profile page. This page lists information about the certificate profile and allows you to approve it, or to disapprove a previously approved certificate profile. Note that an approved certificate profile can only be disapproved by the agent who originally approved it.

End User Certificate Profile

If the End User field of the certificate profile is marked true, the certificate profile appears as an enrollment in the end-entity interface. If the End User field is marked false, the certificate profile does not appear in the end-entity interface. This parameter determines whether or not a request for this certificate profile must be received from the end-entity interface in order to be processed. The value is false when the certificate profile is in a Certificate Manager and mirrors a certificate profile in a Registration Manager: the value of false allows the Certificate Manager to process a certificate profile request received from the Registration Manager rather than from the Certificate Manager's own end-entity interface.

Policy Information

Each certificate profile has a Policy Information section that shows a table for each policy set. Generally, a certificate profile has just one policy set. If the enrollment is for dual key pairs, there are two policy sets, one for the signing key and one for the encryption key. A policy set defines all of the defaults and constraints that have been set up for a particular certificate that is being requested. In the case of dual key pairs, two certificates are being requested, one for the signing key and one for the encryption key.

The Policy Set table has columns that list the following:

#. The number column lists the number for this set of defaults and constraints.

Extensions/Fields. This column lists the defaults that are set up. The defaults define certificate content including extensions.

Constraints. This column lists the constraints placed on the content of this certificate. The content placed in this certificate must comply with these constraints in order to be issued.

To Approve a Certificate Profile

To approve a certificate profile, go to the certificate profile's Approve Certificate Profile page and click Approve at the bottom of the page. You get to the page by clicking Manage Certificate Profiles and then clicking the certificate profile name.

Once a certificate profile is approved, it appears in the end-entity interface allowing an end-entity to use that certificate profile to enroll for a certificate.

Once a certificate profile is enabled, administrators cannot change any aspect of it. The certificate profile must first be disapproved before an administrator can change any aspect of it.

To Disapprove a Certificate Profile

A certificate profile can only be disapproved, and thus disabled, by the agent who approved it.

To disapprove a certificate profile, go to the certificate profile's Approve Certificate Profile page and click Disapprove at the bottom of the page. (You can only disapprove approved certificate profiles.) You get to the page by clicking Manage Certificate Profiles and then clicking the certificate profile name.

Once a certificate profile is disapproved, it is unavailable for enrollment from the end-entity interface.




© 2001 Sun Microsystems, Inc. Portions copyright 1999, 2002-2004 Netscape Communications Corporation. All rights reserved.


Last Updated November 19, 2004