Step 2 - RA Profiles

RA Profiles are used to define certificate request details such as distinguished name (DName) rules, key type, key size, the CA Service address and the certification service profile to be used. This screen allows suitably privileged RA Operators to manage ( view, add, edit, delete ) the RA Profiles. The following page is shown when the RA Profiles button is clicked:

This screen shows all the existing RA Profiles. Existing RA Profiles can be edited or deleted by using the relevant buttons. A new RA profile can be created by clicking the New button. The following configuration screen is shown:

The configuration items are as follows:

Items

Description

Status

A profile can be marked Active or Inactive. Inactive profiles are not available to process. Only Active profiles can be used by the RA service to manage certificate requests/responses.

Profile ID

A System-defined unique identifier for this profile.

Profile Name

An Operator-defined unique name for easier human recognition within the ADSS Server Operator Console.

Profile Description

Use this field to describe how this Profile is to be used. This is just for operator information purposes.

Certification Service Address

This defines the Certification Service URI address to send the CA request to. To see a list of possible certification service interfaces click here.

List of Certification Service Addresses

This field shows the Certification Service addresses that can be generate user certificate. Multiple service addresses can be added. The Test button checks that the ADSS Certification Service is available. The Remove button deletes a configured Certification Service address.

Certification Profile

A profile configured in ADSS Certification Service that identifies how to process the certificate signing requests from the ADSS RA Service.

Client ID

Shows the Client ID of Certification Service. RA Service will send this Client ID while communicating with Certification service. Certification service verifies that this is a registered Client ID within the Client Manager module before granting access to this service.

Use TLS client Authentication

After enabling this option, ADSS RA Service will communicate with the ADSS Certification Service over TLS Client Authentication, select the TLS Client Certificate which pre-exists in the Key Manager. User can select the certificate from the list of available certificates by clicking on dropdown appears when it is enabled.

Note: It is required to register the Issuer CA of the TLS Client Authentication Certificate in Trust Manager with the purpose CA for verifying TLS client certificates.

Sign Certification Request

This option is used to enable each certification request to be signed by the ADSS RA Service when sent to the ADSS CA Server. Select the request signing certificate which pre-exists in the Key Manager.

Note: Only those certificates will be shown by enabling this option in the respective drop down that are issued with purpose "RA Certificate" from Key Manager

Profile Category

Defines the Profile Category to which certificates issued by this RA profile belongs, e.g. Datacenter-Network, Production-Network, Testing-Network, Production-Auditing etc. RA Operator can only select those categories that are assigned to them. Each RA Profile can only be linked to one Profile Category.

A Profile Category can have more than one RA Profiles associated with it.

RA Operator can be assigned more than one Profile Categories, hence an RA Operator can access multiple RA Profiles and multiple Profile Categories if they are so authorised.

Key Algorithm

The type of the key pair to be generated when the certificate is created using a Face to Face Meeting or ADSS RA Service (server side key generation).

Note: This attribute is validated according to the required RA Profile if the key is generated on client side (SCEP, Go>Sign Applet (MSCAPI, PKCS#11) or PKCS#10 / CSR).

Key Length

The size of the key pair to be generated when the certificate is created using a Face to Face Meeting or ADSS RA Service (server side key generation).

Note: This attribute is validated according to the required RA Profile if the key is generated on client side (SCEP, Go>Sign Applet (MSCAPI, PKCS#11) or PKCS#10 / CSR).

Subject Distinguished Name

The default attributes and values to be used for the certificate generation. The $ symbol means that the value of this attribute can be provided by the requester or the ADSS RA Service Operator.

If the Crypto Source is Azure Key Vault HSM, then RA Service request can only use these characters for certificate alias:

A-Z, a-z, 0-9 and hyphen "-"

All special characters except '$' sign can be used in Subject Distinguished Name.

Validity Period

Set the validity period and select the time unit from the drop-down (minute(s), hour(s), day(s), month(s) and year(s)) to set the certificate validity period.

Note: The CA service may override this.

Send notification at certificate renewal time

If enabled, reminds the defined ADSS RA Operator(s), device administrator(s) or the end-user that a certificate requires renewal. These alert messages are configured in the Alerts section. ADSS RA Server supports email, SMS and SNMP based alerts.

This checkbox is disabled by default, to enable it, enable expiry alerts in the RA Server > Alerts page.

Allow auto-approval for web based requests

If enabled then any request to this profile will be processed automatically.
If left unchecked then any request to this profile will be logged as pending in the respective Device or End-User page. The RA Operator can review the request and decide whether to approve or to reject. An email alert will be sent to the respective user if alerts are configure in RA Service > Alerts.

Note: SCEP based requests are always auto approved irrespective of this setting.

Enable user registration through RAS Service

This checkbox is used to enable user registration via Remote Authorisation Service (RAS).

RAS Service Address

Use this field to add RAS service address(es).

List of RAS Service Addresses

This field shows the RAS Service addresses that can be used to register user. Multiple service addresses can be added. The Test button checks that the ADSS RAS Service is available. The Remove button deletes a configured RAS Service address.

RAS Profile

Specifies the RAS profile to be used for this RA profile

Client ID

Shows the Client ID of RAS Service. RA Service will send this Client ID while communicating with RAS service. RAS service verifies that this is a registered Client ID within the Client Manager module before granting access to this service.

Use TLS client Authentication

After enabling this option, ADSS RA Service will communicate with the ADSS RAS Service over TLS Client Authentication, select the TLS Client Certificate which pre-exists in the Key Manager. User can select the certificate from the list of available certificates by clicking on dropdown appears when it is enabled.

Note: It is required to register the Issuer CA of the TLS Client Authentication Certificate in Trust Manager with the purpose CA for verifying TLS client certificates.

The RA Operator must ensure that the Key Length, Key Algorithm and DName attributes and their occurrence defined in the RA Profile is exactly the same as defined in the ADSS CA Server > Certification Profile defined in this RA Profile. If there is any variation then the CA certification profile usually overrides the RA profile and thus the required result may not be delivered.

The configuration of the RA Profile is now complete. To have the changes take effect in the running system, ADSS Server will prompt for the RA Service to be restarted:

The RA Profiles can be sorted in various ways to make administration easier. Click the Search button and the Search RA Profiles page as shown:

Enter search criteria based on the profile Status, Profile ID and Profile Name. If more than one search criteria is provided, these are combined using the AND operator.

If "_" character is used in the search then it will act as wildcard.