Step 2 - RA Profiles
RA Profiles are used to define certificate request details such as distinguished name (DName) rules, key type, key size, the CA Service address and the certification service profile to be used. This screen allows suitably privileged RA Operators to manage (view, add, edit, delete) the RA Profiles. The following page is shown when the RA Profiles button is clicked:
This screen shows all the existing RA Profiles. Existing RA Profiles can be edited or deleted by using the relevant buttons. A new RA profile can be created by clicking the New button. The following configuration screen is shown:
The configuration items are as follows:
| Item | Description |
|---|---|
| Status | A profile can be marked Active or Inactive. Inactive profiles are not available for processing. Only Active profiles can be used by the RA Service to manage certificate requests/responses. |
| Profile ID | A system-defined unique identifier for this profile. |
| Profile Name | An operator-defined unique name for easier human recognition within the ADSS Server Operator Console. |
| Profile Description | Use this field to describe how this profile is to be used. It is for operator information purposes only. |
| Certification Service Address | Defines the Certification Service URI to which the CA request is sent. To see a list of possible certification service interfaces, click here. |
| List of Certification Service Addresses | Shows the Certification Service addresses that can generate user certificates. Multiple service addresses can be added. The Test button checks that the ADSS Certification Service is available. The Remove button deletes a configured Certification Service address. |
| Certification Profile | A profile configured in the ADSS Certification Service that identifies how to process the certificate signing requests sent by the ADSS RA Service. |
| Client ID | Shows the Client ID of the Certification Service. The RA Service sends this Client ID when communicating with the Certification Service. The Certification Service verifies that it is a registered Client ID within the Client Manager module before granting access to the service. |
| Use TLS Client Authentication | When enabled, the ADSS RA Service communicates with the ADSS Certification Service using TLS client authentication. Select the TLS client certificate, which must already exist in the Key Manager, from the drop-down list that appears once the option is enabled. |
| Sign Certification Request | Enables each certification request to be signed by the ADSS RA Service when it is sent to the ADSS CA Server. Select the request signing certificate, which must already exist in the Key Manager. |
| Profile Category | Defines the Profile Category to which certificates issued by this RA profile belong, e.g. Datacenter-Network, Production-Network, Testing-Network, Production-Auditing. An RA Operator can only select categories that are assigned to them. Each RA Profile can be linked to only one Profile Category. |
| Key Algorithm | The type of key pair to be generated when the certificate is created using a Face to Face Meeting or the ADSS RA Service (server-side key generation). |
| Key Length | The size of the key pair to be generated when the certificate is created using a Face to Face Meeting or the ADSS RA Service (server-side key generation). NOTE: This attribute is ignored if the key is generated on the client side (SCEP, Go>Sign Applet (MSCAPI, PKCS#11) or PKCS#10 / CSR). |
| Subject Distinguished Name | The default attributes and values to be used for certificate generation. The $ symbol means that the value of this attribute can be provided by the requester or the ADSS RA Service Operator. |
| Validity Period | Set the validity period value and select the time unit from the drop-down (minute(s), hour(s), day(s), month(s) or year(s)) to define the certificate validity period. |
| Send notification at certificate renewal time | If enabled, reminds the defined ADSS RA Operator(s), device administrator(s) or the end user that a certificate requires renewal. The alert messages are configured in the Alerts section. ADSS RA Server supports email, SMS and SNMP based alerts. |
| Allow auto-approval for web based requests | If enabled, any request made to this profile is processed automatically, without a manual approval step. |
| Enable user registration through RAS Service | This checkbox enables user registration via the Remote Authorisation Service (RAS). |
| RAS Service Address | Use this field to add RAS Service address(es). |
| List of RAS Service Addresses | Shows the RAS Service addresses that can be used to register users. Multiple service addresses can be added. The Test button checks that the ADSS RAS Service is available. The Remove button deletes a configured RAS Service address. |
| RAS Profile | Specifies the RAS profile to be used for this RA profile. |
| Client ID | Shows the Client ID of the RAS Service. The RA Service sends this Client ID when communicating with the RAS Service. The RAS Service verifies that it is a registered Client ID within the Client Manager module before granting access to the service. |
| Use TLS Client Authentication | When enabled, the ADSS RA Service communicates with the ADSS RAS Service using TLS client authentication. Select the TLS client certificate, which must already exist in the Key Manager, from the drop-down list that appears once the option is enabled. |

Note: The RA Operator must ensure that the Key Length, Key Algorithm and DName attributes, including how many times each attribute occurs, defined in the RA Profile are exactly the same as those defined in the ADSS CA Server > Certification Profile selected in this RA Profile. If there is any variation, the CA certification profile usually overrides the RA profile and the required result may not be delivered.
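The two rules above (the $ placeholder in the Subject Distinguished Name, and the requirement that the RA profile's key and DName settings match the CA certification profile) can be checked mechanically before a profile is activated. The following is an added example written for this page, not code from ADSS Server: the profile field names, the `CertProfileSettings` structure and all sample values are assumptions chosen for illustration. It resolves a DName template, refuses requester-supplied attributes the template does not allow, and reports every mismatch between an RA profile and the CA profile it points at.

```python
"""Constructed example: resolve an RA Profile DName template and compare an
RA profile with the CA certification profile it references.

The dataclass layout, field names and sample values are assumptions made
for this illustration; they are not the ADSS Server data model.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class CertProfileSettings:
    key_algorithm: str
    key_length: int
    # Ordered DName attribute types, e.g. ["CN", "OU", "O", "C"]. An attribute
    # may appear more than once, so occurrence counts are part of the check.
    dname_attributes: list


def parse_dname_template(template):
    """Split 'CN=$, OU=$, O=Example Corp, C=GB' into [(type, value), ...].
    A value of '$' marks an attribute the requester or RA Operator fills in."""
    parts = []
    for rdn in template.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def resolve_dname(template, supplied):
    """Fill every '$' placeholder from requester-supplied values.

    Fixed values in the template always win: a requester cannot override
    O= or C= when the profile pins them, and attributes the template does
    not mention are rejected rather than appended to the subject.
    `supplied` maps attribute type to a list of values in template order."""
    remaining = {k.upper(): list(v) for k, v in supplied.items()}
    rdns = []
    for attr, value in parse_dname_template(template):
        if value == "$":
            if not remaining.get(attr):
                raise ValueError(f"no value supplied for {attr}")
            value = remaining[attr].pop(0)
        if not value:
            raise ValueError(f"empty value for {attr}")
        rdns.append(f"{attr}={value}")
    extra = sorted(k for k, v in remaining.items() if v)
    if extra:
        raise ValueError(f"attributes not permitted by profile: {extra}")
    return ",".join(rdns)


def check_profile_consistency(ra, ca):
    """Return a list of mismatches between the RA profile and the CA
    certification profile. An empty list means the two agree, which is
    the condition the documentation note above asks the operator to verify."""
    problems = []
    if ra.key_algorithm != ca.key_algorithm:
        problems.append(
            f"Key Algorithm differs: RA={ra.key_algorithm}, CA={ca.key_algorithm}")
    if ra.key_length != ca.key_length:
        problems.append(f"Key Length differs: RA={ra.key_length}, CA={ca.key_length}")
    # Compare attribute types and how often each occurs, not just the set.
    if Counter(ra.dname_attributes) != Counter(ca.dname_attributes):
        problems.append(
            f"DName attributes differ: RA={ra.dname_attributes}, CA={ca.dname_attributes}")
    return problems


if __name__ == "__main__":
    # Constructed sample profiles: the RA profile carries an OU the CA
    # profile does not, and a smaller key length.
    ra_profile = CertProfileSettings("RSA", 2048, ["CN", "OU", "O", "C"])
    ca_profile = CertProfileSettings("RSA", 4096, ["CN", "O", "C"])
    for problem in check_profile_consistency(ra_profile, ca_profile):
        print("MISMATCH:", problem)
    template = "CN=$, OU=$, O=Example Corp, C=GB"
    print(resolve_dname(template, {"CN": ["alice"], "OU": ["Sales"]}))
```

The consistency check uses a `Counter` so that a template such as `CN=$, CN=$` is only accepted when the CA profile also expects two CN values; a plain set comparison would miss that difference.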
The configuration of the RA Profile is now complete. To have the changes take effect in the running system, ADSS Server will prompt for the RA Service to be restarted:
The RA Profiles can be sorted in various ways to make administration easier. Click the Search button and the Search RA Profiles page is shown:
Enter search criteria based on the profile Status, Profile ID and Profile Name. If more than one search criterion is provided, they are combined using the AND operator.
If the "_" character is used in the search, it acts as a wildcard.
See also
Step 2 - RA Profiles
Step 3 - Registering Business Application
Step 4 - Using the Service Manager