Creating a Certification Profile

This step defines how to create a Certification profile for Identity Certificates. A certification profile is a set of parameters configured within the ADSS Certification Service which define characteristics of the keys (e.g. which public key algorithm and key length to be used) and the attributes of the digital certificates (e.g. subject DName details and the validity periods for the certificate) generated by the service using this profile. The advantage of configuring a certificate profile on ADSS Server is that client applications do not need to pass all these parameters within each service request message, but can simply refer to a particular configured certification profile. Certification Profiles can also be used to tightly control what can be defined within a certificate and thus enforce CA Certificate Policies. ADSS Server allows the flexibility to override the profile attributes if specifically allowed within the profile settings.

To manage Certification Profiles navigate to the following location in ADSS Server Console:

This table shows the list of existing certification profiles. These can be edited or deleted.

To create a new profile, click the New button, or create a replica of an existing profile by clicking Make a copy button, this will present the following form:

Other than a generic Certification Profile, operator can also configure a Certification Profile that will be used for key pair generation through RAS Service of the ADSS Server. In such configuration, this profile will be accessed by RA Service for certificate enrolment of a registered user. Certification Service interacts with the RAS Service by making two calls, key pair and CSR generation. The details about its configurations are given below.

The configuration items are as follows:

Items

Description

Status

A certification profile may be marked Active or Inactive. Note an inactive certification profile will not be used to process certification requests.

Profile ID

A system-defined unique identifier for this profile. This must be referenced in certification service requests if this certification profile is to be used by the client application.

Profile Name

An Operator-defined unique name for easier human recognition within the ADSS Operator Console. This could be referenced instead of Profile ID in certification service requests if this certification profile is to be used by the client application

Profile Description

This can be used to describe the certification profile in more detail (e.g. in which circumstances this certification profile will be used and/or what sort of setting the certification profile holds etc). This is for information purposes only.

Automatically process requests

Unselect this option if you want to generate certificates in asynchronous mode i.e. CSR is generated and shown in Pending. ADSS Server admin can certify this CSR:

Either from the local or external configured CA using “Generate Certificate” button
Export the CSR and get it certified manually using local, external or offline CA and import the certificate back to certification service

RAS Settings

Defines following:

Enable key pair generation through RAS Service

This checkbox is used to enable the Remote Authorisation Signing feature in the selected certification profile. see below section for more details.

CA Details

Defines following:

Use Local CA

This checkbox is selected by default. Select this radio button, if the internal ADSS Manage CAs module to be used, will enable the following configuration:

Certification Template
Select a template for the certificates issued using this certification profile e.g. the template created for Document Signing, Log Signing etc.

Note: The certificate template list is taken from those defined within Key Manager or Manage CAs.

CA Certificate
Select an internal CA that is configured to service the certification requests from the ADSS Certification Service. The ADSS Certification Service will send PKCS#10 certificate request messages to this internal CA.

Note: The drop-down menu will only show those internal CAs that have already been configured (see Local CAs for further details).

External CA

Select this radio button to use an External online CA that is configured to service the certification requests from the ADSS Certification Service. The ADSS Certification Service will send PKCS#10 certificate request messages as well as public keys to this External CA.

The drop-down menu will only show those External CAs that have already been configured. All the External CAs accept public keys to generate certificate except: Symantec MPKI, Microsoft CA, DigiCert PKI, QuoVadis CA, EJBCA and GlobalSign EPKI. This functionality works only in case of certificate creation. See External CAs for further details.

Certificate Details

Define following:

Crypto Profile

Select whether to generate and store the key/certificate within the ADSS Server database (software mode), Azure Key Vault or to store the key/certificate on a hardware security module (HSM) preconfigured within ADSS Server Key Manager as described in the section Crypto Processor Settings.

Note:

When a configured hardware Crypto Profile is marked not available in the Key Manager screen (i.e. record is shown with orange highlighting) then the relevant crypto profile will not be available here for configurations.
Crypto profile won't be available for configurations if RAS Setting is enabled.

Key Algorithm

Select the Key Algorithm that should be use to generate the end entity key under this certification profile, Currently following key algorithm are supported:

RSA
ECDSA

Curve Type

Select the Curve Type that should be applied while generating the end entity key under current certification profile. ADSS Server supports the following curve types:

NIST
SEC2 K
Brainpool R
Brainpool T

Note: The Curve Type drop-down will be available only when ECDSA algorithm is selected in key algorithm field.

Key Length

Select the Key Length that ADSS Server should generate under this certification profile.
Currently following Key Lengths are supported:

RSA keys are: 1024, 2048, 3072, 4096 and 8192
ECDSA keys in terms of their respective curve types are:

For NIST P: 160, 192, 224, 256, 384 and 521
For SEC2 K: 256
For Brainpool R and Brainpool T: 160, 192, 224, 256, 320, 384 and 512

Note:

In case of Azure Key Vault only following Key Lengths are supported:

2048, 3072, 4096 supported for RSA keys
256 supported for ECDSA Keys (only NIST P curve)

In case of AWS CloudHSM following key lengths are supported:

2048, 3072, 4096 supported for RSA keys
256 and 384 supported for ECDSA Keys (only NIST P curve)

Subject Distinguished Name

This item describes the default attributes and values to be used for Subject Distinguished Name(DName) during certificate generation. ADSS Certification service provides a flexible format for specifying the DName. Possible values are:

Comma separated Relative DNs
$REQUEST
$PKCS10

The full Subject Distinguished Name can be provided to the certification service: (a) In the certificate request message (b) OR in the PKCS#10 / CSR data (c) OR via both certificate request messages and PKCS#10 / CSR data. To configure the DN structure correctly follow these rules:

Comma separated Relative DNs
ADSS Certification Service tries to find the value of Relative DNs (attributes) which are set as variables e.g. CN=$CN firstly from the request message and then within any supplied PKCS#10/CSR. Any missing attribute values are dropped from the final Subject Dname. If the option "Match the pattern with the subject DN in request" is enabled and the request data does not contain the value for a required Relative DNs (attribute) then the request will be rejected.
$REQUEST
ADSS Certification Service tries to find the DName value only from the request message and will ignore any supplied PKCS#10/CSR. If the request data does not contain the DName value then the request will be rejected.
$PKCS10
ADSS Certification Service tries to find the DName value only from the PKCS#10/CSR and will ignore any supplied RDNs in request message. If the request data does not contain the PKCS#10/CSR then the request will be rejected.

Note: The supported Relative DNs values are:

CN - Common Name
G - Given Name
SN - Surname
T - Title
OU - Organization Unit
O - Organization
OI - Organization Identifier
E - Email
L - Locality
ST - Street Address
S - State
P - Postal Code
C - Country
SERIALNUMBER - Subject Serial Number
UID - Unique Identifier
B - Business Category
EVL - Extended Validation Locality
EVS - Extended Validation State
EVC - Extended Validation Country

If the Crypto Source is Azure Key Vault HSM, then certificate request can only use these characters for certificate alias:

A-Z, a-z, 0-9 and hyphen "-".

If the profile is having Entrust CA ( as External CA in CA Details), then Common Name and Surname are mandatory parameters to be configured as Subject Distinguished Names.

Multilingual characters are supported in Subject Distinguished Name.

All special characters except '$' sign can be used in Subject Distinguished Name.

Match the pattern with subject DN in request

Select this option if you want to generate certificates using the exact RDN pattern defined in the certification profile. If this option is enabled and the RDN pattern is not matched in the certificate request data or PKCS#10/CSR then the request will be rejected.

Note: If the Subject Distinguished Name filed is configured as $REQUEST or $PKCS10 then no validation or pattern matching will be performed. The Subject DName will be set as configured in the request or in the PKCS#10/CSR.

Validity Period

Set the validity period and select the time unit from the drop-down (minute(s), hour(s), day(s), month(s) and year(s)) to set the certificate validity period.

Note: If '0' value is configured in the validity period or '0' value is passed from the request then the validity period configured in the selected certificate template will be used and default time unit will be Month(s). Moreover if validity period is checked as overrideable and any value is passed through the request then the certificate time unit will be in Month(s) by default.

Valid From

A Mandatory field.
Set the Valid From period in the form of current or future time from which the certificate will be valid.

Current Time
Select this option if you want to issue the certificates whose "Valid From" is from the date of issuance

Future Time
Select this option if you want to issue the certificates whose "Valid From" is in future e.g. you issue a certificate whose "Valid From" is two days onward from the date of issuance then you can set the value 2 in "After Days" field. You also need to set the "Valid From" time in the "Valid From" field. Use the time control to set the time. Time format is HH:MM AM/PM.

Overrideable

These flags indicate whether the details configured in the certification profile can be amended by the client application by passing parameters in the certification request message. Select the check boxes for those values that you want the client application to be able to override.

Note: In case of Azure Key Vault Key Algorithm and Key Length are also overrideable from ADSS Server v6.0 onwards.

Certificate Renewal Settings

Define following:

Renew certificate using existing key pair

Select this option when certificate renewal is required using existing key pair

Renew certificate using new key pair (Rekey)

Select this option when certificate renewal is required using new key pair

Note: PKCS10 in request means Key Pair was generated at client side and also service would reject REKEY and RENEW(with new Key) request containing PKCS10 if existing key was generated on server.

If operator enabled the checkbox Enable key pair generation through RAS Service then following screen will be shown:

The configuration items are as follows:

Items	Description
Enable Key Pair Generation Through RAS Service	Enable this check box to forward request to RAS service in order to generate the keys inside the ADSS SAM.
RAS Service Address	Use this field to add RAS service address(es). User can enter the address in the field and then press ADD button to include the address in list of RAS Service addresses.
List of RAS Service Addresses	This field shows the available RAS service address(es) use for key generation in ADSS SAM. Multiple service addresses can be added to handle the Primary and Secondary service addresses as a fallback mechanism. The Test button checks that the ADSS RAS Server is available. The Remove button deletes a configured RAS Service address
RAS Profile	Specify the RAS profile Name/ID to be used with this certification profile.
Client ID	Define the client ID for this ADSS Certification profile to be included in the request message when communicating with the ADSS RAS Service for keypair generation inside ADSS SAM. This client ID needs to be registered within the ADSS Client Manager module.
Use TLS Client Authentication	After enabling this option, ADSS Certification Service will communicate with the ADSS RAS Service over TLS Client Authentication, select the TLS Client Certificate which pre-exists in the Key Manager. User can select the certificate from the list of available certificates by clicking on drop-down appears when it is enabled. Note: It is required to register the Issuer CA of the TLS Client Authentication Certificate in Trust Manager with the purpose CA for verifying TLS client certificates.

The list of existing certification profiles can be sorted in either ascending or descending order by selecting a table column from the drop down list.

Clicking on the Search button on the Certification Profile main page will display following screen:

This helps to locate a particular type of certification profile generated in the Certification Service. The profile can be searched based on Status, Profile ID, Profile Name, CA Type, Key Algorithm, Key Length and validity period. If a search is based on multiple values, then these will be combined together using the “AND” operand, and thus only records that meet all the criteria will be presented.

If "_" character is used in the search then it will act as wildcard..

The Copied profile will be created without the "Name" and "Description" of the selected Profile. The Unique ID generates automatically or the next available ID will be assigned to the Profile