Symantec MPKI
To configure the Symantec MPKI (Managed Public Key Infrastructure) v7.5 CA as an external CA select the Symantec MPKI option from the CA Type drop down. The following page will be shown to configure the Symantec MPKI:
The items in the above screen are described below:
| Item | Description |
| CA Alias |
An operator-defined unique name for easy management of certificate authorities within ADSS Server. This is only for human identification purposes. |
| CA Type |
ADSS Server can be configured to get the certificates issued from the Symantec MPKI. The requests that are received at certification service are forwarded to Symantec MPKI for certificate issuance. The supported request types are:
|
| CA Certificate |
All the CA certificates configured in Trust Manager with the purpose CA (will be used to verify other certificates and CRLs) will be available here for configurations. Select the required Symantec MPKI issuing CA, which will be used to issue the target certificates. Note: It is required to register the complete certificate chain of the Symantec MPKI CA in Trust Manager. |
| CA Address |
Specify the URL from where this CA could listen the certificate request messages. |
| TLS Client Certificate |
It is required for communication with this CA over the TLS client authentication. Select a TLS Client Authentication Certificate which pre-exists in the Key Manager. Note: It is required to register the Issuer CA of the TLS Client Authentication and TLS Server Authentication certificate in Trust Manager with the purpose CA for verifying TLS client certificates. It is required to register the Issuer CA of the TLS Client Authentication and TLS Server Authentication certificates in Trust Manager with the purpose CA for verifying TLS Client/Server authentication certificates. |
| Policy ID |
Specify the Policy ID to be used in order to issue certificates from Symantec MPKI. |
Known Limitations of Symantec MPKI
Here are the known limitations of Symantec MPKI that you must consider while configure the Certification Profile, otherwise certificate generation will be failed:
- RSA Key Size 1024 is not supported so it must be 2048 or bigger
- rfc822Name (email address) in SAN extension must be passed to the Symantec CA otherwise certificate generation will be failed
- If your Symantec Policy allows only one rfc822Name and you pass the multiple rfc822Names in the request, Symantec CA will pick the last one
- Special characters are not supported in Subject DN e.g. ~ ! @ # $ % ^ & * ( ) - _ = + , < > ? / \ { } [ ] . ; : ' " -
- If your Symantec Policy allows the Validity Period to be overriable then you must configure the Validity Period in Days in Certification Profile because Symantec CA expects this value in days. If it is not overridable then this value will not be considered by Symantec CA
See also