Creating a Certification Profile
This step defines how to create a Certification profile for Identity Certificates. A certification profile is a set of parameters configured within the ADSS Certification Service which define characteristics of the keys (e.g. which public key algorithm and key length to be used) and the attributes of the digital certificates (e.g. subject DName details and the validity periods for the certificate) generated by the service using this profile. The advantage of configuring a certificate profile on ADSS Server is that client applications do not need to pass all these parameters within each service request message, but can simply refer to a particular configured certification profile. Certification Profiles can also be used to tightly control what can be defined within a certificate and thus enforce CA Certificate Policies. ADSS Server allows the flexibility to override the profile attributes if specifically allowed within the profile settings.
To manage Certification Profiles navigate to the following location in ADSS Server Console:
This table shows the list of existing certification profiles. These can be edited or deleted.
To create a new profile, click the New button, or create a replica of an existing profile by clicking Make a copy button, this will present the following form:
Other than a generic Certification Profile, operator can also configure a Certification Profile that will be used for key pair generation through RAS Service of the ADSS Server. In such configuration, this profile will be accessed by RA Service for certificate enrolment of a registered user. Certification Service interacts with the RAS Service by making two calls, key pair and CSR generation. The details about its configurations are given below.
The configuration items are as follows:
Items |
Description |
||||||
Status |
A certification profile may be marked Active or Inactive. Note an inactive certification profile will not be used to process certification requests. |
||||||
Profile ID |
A system-defined unique identifier for this profile. This must be referenced in certification service requests if this certification profile is to be used by the client application. |
||||||
Profile Name |
An Operator-defined unique name for easier human recognition within the ADSS Operator Console. This could be referenced instead of Profile ID in certification service requests if this certification profile is to be used by the client application |
||||||
Profile Description |
This can be used to describe the certification profile in more detail (e.g. in which circumstances this certification profile will be used and/or what sort of setting the certification profile holds etc). This is for information purposes only. |
||||||
Automatically process requests |
Unselect this option if you want to generate certificates in asynchronous mode i.e. CSR is generated and shown in Pending. ADSS Server admin can certify this CSR:
|
||||||
RAS Settings |
Defines following: |
||||||
Enable key pair generation through RAS Service |
This checkbox is used to enable the Remote Authorisation Signing feature in the selected certification profile. see below section for more details. |
||||||
CA Details |
Defines following: |
||||||
Use Local CA |
This checkbox is selected by default. Select this radio button, if the internal ADSS Manage CAs module to be used, will enable the following configuration: |
||||||
External CA |
Select this radio button to use an External online CA that is configured to service the certification requests from the ADSS Certification Service. The ADSS Certification Service will send PKCS#10 certificate request messages as well as public keys to this External CA.
|
||||||
Certificate Details |
Define following: |
||||||
Crypto Profile |
Select whether to generate and store the key/certificate within the ADSS Server database (software mode), Azure Key Vault or to store the key/certificate on a hardware security module (HSM) preconfigured within ADSS Server Key Manager as described in the section Crypto Processor Settings.
|
||||||
Key Algorithm |
Select the Key Algorithm that should be use to generate the end entity key under this certification profile, Currently following key algorithm are supported:
|
||||||
Curve Type |
Select the Curve Type that should be applied while generating the end entity key under current certification profile. ADSS Server supports the following curve types:
Note: The Curve Type drop-down will be available only when ECDSA algorithm is selected in key algorithm field. |
||||||
Key Length |
Select the Key Length that ADSS Server should generate under this certification profile.
Note:
|
||||||
Subject Distinguished Name |
This item describes the default attributes and values to be used for Subject Distinguished Name(DName) during certificate generation. ADSS Certification service provides a flexible format for specifying the DName. Possible values are:
The full Subject Distinguished Name can be provided to the certification service: (a) In the certificate request message (b) OR in the PKCS#10 / CSR data (c) OR via both certificate request messages and PKCS#10 / CSR data. To configure the DN structure correctly follow these rules:
|
||||||
Match the pattern with subject DN in request |
Select this option if you want to generate certificates using the exact RDN pattern defined in the certification profile. If this option is enabled and the RDN pattern is not matched in the certificate request data or PKCS#10/CSR then the request will be rejected. |
||||||
Validity Period |
Set the validity period and select the time unit from the drop-down (minute(s), hour(s), day(s), month(s) and year(s)) to set the certificate validity period. |
||||||
Valid From |
A Mandatory field. |
||||||
Overrideable |
These flags indicate whether the details configured in the certification profile can be amended by the client application by passing parameters in the certification request message. Select the check boxes for those values that you want the client application to be able to override. |
||||||
Certificate Renewal Settings |
Define following: |
||||||
Renew certificate using existing key pair |
Select this option when certificate renewal is required using existing key pair |
||||||
Renew certificate using new key pair (Rekey) |
Select this option when certificate renewal is required using new key pair |
If operator enabled the checkbox Enable key pair generation through RAS Service then following screen will be shown:
The configuration items are as follows:
Items |
Description |
Enable Key Pair Generation Through RAS Service |
Enable this check box to forward request to RAS service in order to generate the keys inside the ADSS SAM. |
RAS Service Address |
Use this field to add RAS service address(es). User can enter the address in the field and then press ADD button to include the address in list of RAS Service addresses. |
List of RAS Service Addresses |
This field shows the available RAS service address(es) use for key generation in ADSS SAM. Multiple service addresses can be added to handle the Primary and Secondary service addresses as a fallback mechanism. The Test button checks that the ADSS RAS Server is available. The Remove button deletes a configured RAS Service address |
RAS Profile |
Specify the RAS profile Name/ID to be used with this certification profile. |
Client ID |
Define the client ID for this ADSS Certification profile to be included in the request message when communicating with the ADSS RAS Service for keypair generation inside ADSS SAM. This client ID needs to be registered within the ADSS Client Manager module. |
Use TLS Client Authentication |
After enabling this option, ADSS Certification Service will communicate with the ADSS RAS Service over TLS Client Authentication, select the TLS Client Certificate which pre-exists in the Key Manager. User can select the certificate from the list of available certificates by clicking on drop-down appears when it is enabled. |
The list of existing certification profiles can be sorted in either ascending or descending order by selecting a table column from the drop down list.
Clicking on the Search button on the Certification Profile main page will display following screen:
This helps to locate a particular type of certification profile generated in the Certification Service. The profile can be searched based on Status, Profile ID, Profile Name, CA Type, Key Algorithm, Key Length and validity period. If a search is based on multiple values, then these will be combined together using the “AND” operand, and thus only records that meet all the criteria will be presented.
If "_" character is used in the search then it will act as wildcard. |
The Copied profile will be created without the "Name" and "Description" of the selected Profile. The Unique ID generates automatically or the next available ID will be assigned to the Profile. |
See also
Creating an Attribute Certificate Profile
Creating a CV Certificate Profile