Certificate Filter Criteria
This page is used to define certificate filters that could retrieve specific signing certificates for the end users. This is useful when client side (local) signing is configured, and multiple certificates from a selected keystore are expected to appear at the time of signing. Hence, to make the certificate selection easy for the end users, Go>Sign signing drop down list will only show the specific certificate(s) by processing these filters.
The configuration items are as follows:
Item | Description |
Filtering based on Key Usage extension | Select the Key Usage extension(s) that you want to allow for the signing certificate filtration. In case of multiple selections, the filtration will be done through OR operation. This implies that if any of the selected criteria is found in a signing certificate, then that signing certificate will be shown in the Go>Sign signing drop down list. |
Filtering based on Extended Key Usage extension | Select the Extended Key Usage extension(s) that you want to allow for the signing certificate filtration. In case of multiple selections, the filtration will be done through OR operation. This implies that if any of the selected criteria is found in a signing certificate, then that signing certificate will be shown in the Go>Sign signing drop down list. |
Filtering based on Signature Algorithm | Select the Signature Algorithm(s) that you want to allow for the signing certificate filtration. In case of multiple selections, the filtration will be done through OR operation. This implies that if any of the selected algorithm is found in a signing certificate, then that signing certificate will be shown in the Go>Sign signing drop down list. |
Filtering based on Certificate Policy extension |
Specify the Certificate Policy extension(s) that you want to allow for the signing certificate filtration:
In case of multiple policies, the filtration will be done through OR operation. This implies that if any of the configured policy is found in a signing certificate, then that signing certificate will be shown in the Go>Sign signing drop down list.
|
Filtering based on Distinguished Name (DN) |
Specify the Distinguished Name (DN) that you want to allow for the signing certificate filtration. Distinguished Name (DN) filtration for a signing certificate can be set in two ways by using:
Note: Currently we support only four RDNs for filtration criteria which are:
Support for rest of the RDNs in our roadmap and we it will be provided soon in a future releases.
|
Filtering based on Subject Alternative Name (SAN) |
Specify the Subject Alternative Name (SAN) that you want to allow for the signing certificate filtration. Subject Alternative Name (SAN) based filtration can be set for rfc822Name, otherName or for both the SAN extensions:
|
Use only Qualified certificates | When enabled, it will filter only those signing certificates that are EU eIDAS Qualified and holds their private keys inside a Qualified/ Secure Signature Creation Device (SSCD) which is also called QSCD. |
Allow expired certificates to be used | When enabled, it will allow showing the expired signing certificates in the Go>Sign signing drop down list. |
Alias Display Pattern |
Specify the format in which the signing certificates should be shown in the Go>Sign signing drop down list. SUBJECT_CN, ISSUER_O means subject CN and issuer organization will be shown in the certificate selection dropdown separated with comma. Following are the possible supported values which are applicable to the certificate selection dialog:
|
Alias Display Value Missing | Specify a string to be shown in the Go>Sign certification selection dialog, when none of the above configured criteria matches the available signing certificate(s), e.g. N/A |
See also