ADSS Admin Guide

Items

Description

Template ID

An Operator-defined unique Template ID for easier human recognition within the ADSS Operator Console. Once a Template ID is created, it cannot be changed. 

Template Name

An Operator-defined unique name for easier human recognition within the ADSS Operator Console.

Template Description

This can be used to describe the Template in more detail. This is for information purposes only.

Certificate Purpose

It contains a list of standard certificate purposes. Select a purpose for which the certificate will be generated using this template.

Certificate Type

This drop-down menu is accessible only when the CA/B Forum and WebTrust settings are enabled, and the template is created for certificate purposes such as Email Signing (S/MIME), TLS Server or EV TLS Server. It allows the user to select the appropriate certificate type to be generated for the required key, ensuring compliance with CA/B Forum and WebTrust guidelines.

S/MIME:

When a certificate is generated for Email Signing (S/MIME) purposes, the user can choose from the following certificate types:

• Individual Validated: This certificate type will be selected by default. It is a type of certificate that is focused solely on verifying the identity of an individual (Natural Person). It includes only personal attributes in the Subject field, without any organizational associations.
• Mailbox Validated: This type of certificate is primarily associated with the email address of the user. The Subject field may include optional attributes like emailAddress, commonName, and/or serialNumber.
• Organization Validated: This certificate type is used for verifying the legal entity of an organization. It includes only the Organizational attributes in the Subject field, confirming the identity of the organization.
• Sponsor Validated: This certificate type combines attributes of an individual (Natural Person) with the organization they are associated with, identified by the organizationName attribute. Registration for Sponsor-validated Certificates can be performed by an Enterprise RA (Registration Authority).

TLS Server:

When a certificate is generated for TLS Server purpose, the user can choose from the following certificate types:

• Domain Validated: This certificate type is selected by default. It is associated with a reserved Certificate Policy ID. For a Subscriber Certificate to be considered Domain Validated, it must adhere to the following profile: the subject attributes, such as countryName and commonName, must be included. Additionally, the certificatePolicies extension must be present, with the policyIdentifier set to the reserved OID 2.23.140.1.2.1. The certificate must also meet all other required certificate extension criteria.
• Individual Validated: An Individual Validated TLS Server Certificate includes a policy OID of 2.23.140.1.2.3 in its certificatePolicies extension. To qualify as an Individual Validated certificate, the Subscriber Certificate must follow a specific profile that includes subject attributes like countryName, stateOrProvinceName, localityName, postalCode, streetAddress, organizationName, surname, givenName, or commonName. The certificatePolicies extension must be present and all the required certificate extension criteria must also be met.
• Organization Validated: An Organization Validated TLS Server Certificate carries a policy OID of 2.23.140.1.2.2 in its certificatePolicies extension. For a Subscriber Certificate to be considered Organization Validated, it must adhere to a specific profile, including subject attributes like domainComponent, countryName, stateOrProvinceName, localityName, postalCode, streetAddress, or organizationName. The certificatePolicies extension must be present and all the required certificate extension criteria must also be met.

EV TLS Server:

When a certificate is generated for EV TLS Server purpose, the user can only select the following certificate type:

• Extended Validated: The Extended Validation (EV) requirement applies to the creation of an EV TLS Server Certificate, following the CA/B Forum Guidelines. For a Subscriber Certificate to qualify as Extended Validation, it must strictly adhere to the Certificate Profile outlined in the most current version of the Guidelines for the Issuance and Management of Extended Validation Certificates. The EV TLS Server Certificate must include a policy OID of 2.23.140.1.1 within the certificatePolicies extension. Additionally, it must meet all the necessary subject attribute criteria and comply with all certificate extension requirements.

Certificate Generation

This drop-down menu is accessible only when the CA/B Forum and WebTrust settings are enabled, and the template is created for Email Signing (S/MIME) certificate purpose. It allows the user to select the appropriate certificate generation type, ensuring compliance with CA/B Forum and WebTrust guidelines. The list of supported Certificate Generation items are:

• Legacy
• Multipurpose
• Strict

Validity Period (Months)

It contains the time period that for how long a certificate will be valid from its creation date.

Hash Algorithm

This list contains a list of supported Hash Algorithms; select one of the Hash algorithm for this certificate template. The available options are SHA1, SHA224, SHA256, SHA384, SHA512, SHA3-224, SHA3-256, SHA3-384 and SHA3-512.

Key Usages

Key usage extensions define the purpose of the public key contained in a certificate. it can be used to restrict the public key to as few or as many operations as needed.

Extended Key Usages

Extended Key Usage (EKU) further refines key usage extensions. An extended key usage extension is either critical or non-critical. Critical implies that a certificate using system MUST understand and be able to process the particular attribute.

Note: The relevant EKU bit must be ON otherwise the certificate will be rejected. e.g If you are using the certificate for Timestamping then the Timestamping bit must be ON otherwise timestamps created with a certificate that have no Timestamping EKU in it, will be rejected.

NoCheck

This extension is specific to OCSP response signing certificates. IF set to TRUE then OCSP certificate revocation will not be checked by the OCSP client applications.

Certificate Extensions

Certificate extension field permits any number of additional fields to be added to the certificate. Certificate extensions provide a way of adding information such as alternative subject names and usage restrictions to certificates.

Basic Constraints Type

It contains three attributes i.e. CA, End Entity & Empty. 

• If CA is selected then you have to specify a certificate Path Length i,e. the maximum number of intermediate CA certificates, that can be in the path from the CA to an End Entity certificate. A path length of -1 can be used to indicate that any number of CA certificates are allowable in the path.
• If End Entity is selected then the Path Length field will be disabled because there is no path length in the End Entity certificate.
• If Empty is selected, basic constraint extension will not be the part of issued certificate

Authority Key Identifier (AKI)

Authority Key Identifier (AKI) extension adds the hash of the issuer's public key in the target certificate.

Subject Key Identifier (SKI)

Subject Key Identifier (SKI) extension adds the hash of the issued public key in the target certificate.

CRL Distribution Point (CDP)

A CRL (Certificate Revocation List) Distribution Point identifies where CRLs for the certificate can be downloaded. CDP addresses can be configured in the module Manage CA(s).

Authority Information Access (AIA)

Authority Information Access (AIA) is a certificate extension that contains information useful for verifying the trust status of a certificate. This information potentially includes Uniform Resource Locators (URLs) where the issuing CA’s certificate can be retrieved, as well as a location of an Online Certificate Status Protocol (OCSP) responder configured to provide status for the certificate in question. The AIA extension can potentially contain HTTP, LDAP, or file URLs. The AIA address  can be configured in the module Manage CA(s).

Issuer Alternative Name

If the issuing CA has the Subject Alternative Name (SAN) extension, then those SAN will be added as Issuer Alternative Name in the CRL which are enabled in its certificate template.

For example, if iPAddress and directoryName are enabled in SAN extension, then it will be added as Issuer Alternative Name in the CRL. 

Subject Alternative Name

The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an internet electronic mail address, and DNS name. Other options exist, including completely local definitions. Multiple name forms, and multiple instances of each name form, may be included.

rfc822Name:
Check this option if you want to bind the email address(s) with the certificate as an alternative extension. Here are the business rules:

• If rfc822Name option is checked and a PKCS#10 is received in the request and it contains the subject alternative name extension with rfc822Name then all electronic mail addresses found in PKCS#10 will be bound to this certificate. Email addresses found in the distinguished name will be skipped.
• If rfc822Name option is checked and a PKCS#10 is received in the request and it does not contain the rfc822Name extension but distinguished name contains the email addresses then all email addresses found from the DN will be bound to the certificate.
• If rfc822Name option is checked and only DN is provided in the certificate request then then all email addresses found in the DN will be bound to the certificate.

dNSName:
Check this option if you want to bind the domain name address(s) with the certificate as an alternative extension. Here are the business rules:

• If dNSName option is checked and a PKCS#10 is received in the request and it contains the subject alternative name extension with dNSName then all domain names found in PKCS#10 will be bound to this certificate. dNSName names found in the distinguished name will be skipped.
• If dNSName option is checked and a PKCS#10 is received in the request and it does not contain the dNSName extension but distinguished name contains the CN then all common names like (.com, .org, .net etc) will be bound to the certificate. Plain common names (John Doe, Joseph Smith etc) will not be bound as dnsName.
• If dNSName option is checked and only DN is provided in the certificate request and distinguished name contains the CN then all common names like (.com, .org, .net etc) will be bound to the certificate. Plain common names (John Doe, Joseph Smith etc) will not be bound as dnsName.

iPAddress:
Check this option if you want to bind the IP address(s) with the certificate as an alternative extension. Here is the business rule:

• If iPAddress option is checked and a PKCS#10 is received in the request and it contains the subject alternative name extension with iPAddress then all IP address(s)found in PKCS#10 will be bound to this certificate. iPAddress names found in the distinguished name will be skipped.

otherName:
Check this option if you want to bind any custom value as an alternative extension. The otherName OID entries provided by the RA in the certificate request message are used in the generated certificate. Here is the business rule:

• PKCS#10 MUST contain the otherName as a key pair value to bind any custom value with the certificate.

directoryName:
Check this option if you want to bind directory name(es) with the certificate as an alternative extension. Here is the business rule:

• If directoryName option is checked and a PKCS#10 is received in the request and it contains the subject alternative name extension with directoryName then all Directory Name(s) found in PKCS#10 will be bound to this certificate.

uniformResourceIdentifier:
Check this option if you want to add uniform resource identifier (URI) in subject alternative name extension.

registeredID:
Check this option if you want to add the registered ID with the certificate as an alternative extension.

ediPartyName:
Check this option if you want to add an electronic data interchange entity as an alternative extension with the certificate.

Name Constraints

The Name constraint option will only be visible if 'CA' attribute is selected in 'Basic Constraint' drop down. The Name Constraint extension is used in CA certificates which specifies those constraints which will apply on Subject DN and Subject Alternative Names of subsequent certificates in CA path. These Constraints can be applied in the form of Permitted and Excluded name list ,where at least one list i.e. permitted or excluded must be present in the extension. 

Permitted Names:
If a constraint is stated in permitted names list, the subsequent certificates should comply with this list and must contain only those names in their Subject DN and Subject Alternative Name (SAN) which are permitted. Following options are available in Permitted Name List.

• rfc822Name
• dNSName
• iPAddress
• Directory Name

Excluded Names:
If a constraint is stated in excluded names list, then the subsequent certificates must not have those names in their Subject DN and Subject Alternative Name (SAN). Following options are available in Excluded Name List.

• rfc822Name
• dNSName
• iPAddress
• Directory Name

Private Key Usage Period

This field indicates the period of the use of private key corresponding to the certified public key. The operator can select the time period (i.e. days, months, years) from the drop-down and enter the required number in the field. 

Name Change

This extension is used in a CSCA and its link certificates used in an E-Passport infrastructure. It is only visible if you have the E-Passport license and if CSCA Certificate is selected in Certificate Purpose drop-down field. By enabling this extension, the operator can change Distinguished Name (DN) while rekey of a CSCA certificate.

Document Type

This extension is added to Document Signer (DS) certificates in an E-Passport infrastructure. It is visible only if you have the E-Passport license and if DS Certificate is selected in Certificate Purpose drop-down field. It is a mandatory field for a DS Certificate and operator can enter the document type in this field e.g. "P" for passport. 

Multiple document types can be added as comma-separated list in the Document Type field where each document type can contain a maximum of one or two letters.

Custom Extensions

Custom Extensions can be added in the certificates generated by the ADSS Server. In Certificate Template one or more custom extensions can be configured. At the time of certificate generation, if the CSR contains any custom extensions, then it must match with the OID's configured in certification template. If they match the extensions will be added in the certificate, otherwise custom extensions received in CSR will be ignored. 

Extension OID: 
The OID of extension will be provided in 'Extension OID' field and can be added in List of Extensions by clicking the Add button. The extension can be marked as critical or non-critical by checking Critical checkbox. 

List of Extension:
Extensions added in the template will be displayed in this field. Any extension can be removed from the list by clicking on the Remove button. 

Certificate Policies

The Certificate Policies extension defines one or more policies, each of which consists of an OID and optional qualifiers. The extension can include a URI to the issuer's Certificate Practice Statement or can embed issuer information, such as a user notice in text form. The Certificate Policy provides the information that can be used by a certificate user to decide whether or not to trust a certificate. Certificate policies are also used to establish trust relationships between CAs (i.e. cross certification). When CAs issue cross certificates, one CA assesses and recognizes one or more certificate polices of the other CA.

Qualified Certificate Statements

Defines unambiguous identification of the EU Qualified Certificate type of the end user for QES (Qualified Electronic Signatures) creation by means of OID in QCStatements in accordance with IETF RFC 3739 and especially with ETSI EN 319 412-1. This allows the configuration of various aspects of the ETSI Qualified Certificate profile statements, i.e. this is a qualified certificate, Semantics Information, PKI Disclosure Statements, transaction value limit, CA retention period and whether the private key held on a Secure Signature Creation Device (SSCD), typically an evaluated smart card that has achieved a particular security assurance level.

Semantics Information:
Defines an identifier about the semantics of data stored in the certificate i.e. whether the certificate is issued to a natural person or legal person: 

• Natural person semantics Identifier (0.4.0.194121.1.1)
• Legal person semantics Identifier (0.4.0.194121.1.2)

When enabled, ADSS CA Server automatically adds the semantic identifier based on the selected configuration i.e. Natural or Legal Person.

Private key resides in Secure Signature Creation Service (SSCD):
Defines an Identifier (represented by an OID), made by the CA, stating that the private key associated with the public key in the certificate is stored in a Secure Signature Creation Device according to Annex III of the EU Directive 1999/93/EC [1], as implemented in the law of the country where the CA is established. The private key cannot be exported from the secure device and is under a sole control of a person to whom the qualified certificate was issued.

Transaction Limit:
This impose a limitation on the value of transaction for which this certificate can be used to the specified amount (Monetary Value). Alphabetic or numeric currency code can be used as defined in ISO 4217.

CA Retention Period:
Defines a retention period in years for material information relevant to the use of and reliance on the certificate, that will be archived and can be made available upon request beyond the end of the validity period of the certificate.

PKI Disclosure Statements (PDS):
Defines the URL for the PDS document (a supplemental instrument of disclosure and notice by CA) and language code for this PDF document as defined in ISO 639-1. PDS document is intended to provide PKI participants (subscribers and relying parties) with a short extract of Qualified Certificates for Electronic Seals PKI policy documentation which focuses on key information of interest to users. It assists CA to respond to regulatory requirements and concerns, particularly those related to consumer deployment. Multiple PDS URLs and language codes can be added by using the + button. 

Qualified Certificate of a particular type:
Defines the type of qualified certificate i.e. 

• Certificate for electronic signatures
• Certificate for electronic seals
• Certificate for website authentication

This type is used in combination with the Semantic Identifier selected above i.e. Certificate for Electronic Signature used by Natural Person.

Qualified Certificate Legislation Countries (QcCClegislation):
If the Qualified Certificate Legislation Countries (QcCClegislation) checkbox is enabled, it will identify the country or set of countries under the legislation of which the certificate is issued as a qualified certificate. The operator will select the required country/countries from the available list of countries.

Note: If the checkbox is enabled, then the operator needs to select at least one country.

NetScape Certificate Type

Netscape has defined certain certificate extensions for its products. Some of the extensions are now obsolete, and others have been superseded by the extensions defined in the X.509 standard.

Copy of a Certificate Template is created without the Name and Description and ID of a selected Certificate Template.

​Refer to RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, for a further discussion on the above certificate attributes and recommendations for whether these should be marked as 'critical' or 'non-critical'. Critical implies that a certificate using system MUST understand and be able to process the particular attribute.

While creating a certificate template, if the ENABLE_CA_VALIDATION_CHECK property is TRUE in Global Settings > Advanced Settings, the relevant error message will be displayed (as per CA/B forum guidelines).