This step defines how to create a Certification profile for Identity Certificates. A certification profile is a set of parameters configured within the ADSS Certification Service which define characteristics of the keys (e.g. which public key algorithm and key length to be used) and the attributes of the digital certificates (e.g. subject DName details and the validity periods for the certificate) generated by the service using this profile. The advantage of configuring a certificate profile on ADSS Server is that client applications do not need to pass all these parameters within each service request message, but can simply refer to a particular configured certification profile. Certification Profiles can also be used to tightly control what can be defined within a certificate and thus enforce CA Certificate Policies. ADSS Server allows the flexibility to override the profile attributes if specifically allowed within the profile settings. 


To manage Certification Profiles navigate to the following location in ADSS Server Console:



This table shows the list of existing certification profiles. These can be edited or deleted.


To create a new profile, click the '+' button, this will present the following form:


Profile Identification


The first step is to define the identification details of Certification Profile. The user need to fill the below fields with the appropriate information: 



The configuration items are as follows:


Items

Description

Status

A certification profile may be marked Active or Inactive. Note an inactive certification profile will not be used to process certification requests.

Profile ID

A system-defined unique identifier for this profile. This must be referenced in certification service requests if this certification profile is to be used by the client application.

Profile Name

An user-defined unique name for easier human recognition within the ADSS user Console. This could be referenced instead of Profile ID in certification service requests if this certification profile is to be used by the client application

Profile Description

This can be used to describe the certification profile in more detail (e.g. in which circumstances this certification profile will be used and/or what sort of setting the certification profile holds etc). This is for information purposes only.


Key Pair Settings


The second step is to enable the required key pair settings in Certification Profile. See the below image:



The configuration items are as follows:


Items

Description

Enable key pair generation through RAS Service

If this radio button is enabled, the key pair will be generated via ADSS RAS Service.

Enable key pair generation through Certification Service/Client

If this radio button is enabled, the key pair will be generated via ADSS Certification Service and below fields will be displayed.

Crypto Profile

Select whether to generate and store the key/certificate within the ADSS Server database (software mode), Azure Key Vault or to store the key/certificate on a hardware security module (HSM) preconfigured within ADSS Server Key Manager as described in the section Crypto Processor Settings.

Note:

  1. When a configured hardware crypto profile is Not Available in the ADSS Server Key Manager (i.e. record is shown with orange highlighting) then the relevant crypto profile will not be available here for configurations.
  2. Crypto profile won't be available for configurations if RAS Setting is enabled.

Algorithm

Select the Key Algorithm that should be use to generate the end entity key under this certification profile, Currently following key algorithm are supported:

  • RSA
  • ECDSA
  • Dilithium
  • Kyber


Note:

  • The keys generated using PQC algorithms, such as Dilithium and Kyber, are created solely through software and not via HSMs.
  • The Dilithium key algorithm will be only be used for document signing purposes. 
  • The below mentioned signature types are supported for Dilithium:
    • PKCS1
    • CMS
    • CAdES Baseline (Only if CA key is RSA/EC)
    • CAdES Extended (Only if CA key is RSA/EC)
  • The Kyber key algorithm will be visible only when the user selects one of the certificate purposes listed below in the 'Purpose' field:
    • Key Encapsulation Mechanism
    • TLS Server Authentication
    • EV TLS Server Authentication
    • TLS Client Authentication

Currently the PQC algorithms (Dilithium and Kyber) are only for proof of concept (POC).

Key Length

Select the Key Length that ADSS Server should generate under this certification profile.
Currently following Key Lengths are supported:

  • RSA keys are: 1024, 2048, 3072, 4096 and 8192
  • ECDSA keys in terms of their respective curve types are:
    • For NIST P: 160, 192, 224, 256, 384 and 521
    • For SEC2 K: 256
    • For Brainpool R and Brainpool T: 160, 192, 224, 256, 320, 384 and 512

Note:

  • In case of Azure Key Vault only following Key Lengths are supported:
    • 2048, 3072, 4096 supported for RSA keys
    • 256, 384, 521 supported for ECDSA Keys (only NIST P curve)
  • In case of AWS CloudHSM following key lengths are supported:
    • 2048, 3072, 4096 supported for RSA keys
    • 256 and 384 supported for ECDSA Keys (only NIST P curve).

Security Level

The Security Level drop-down will be available when either Dilithium or Kyber is selected in the 'Algorithm' field. This drop-down allows the user to choose the security level for the selected key algorithm. The security levels for both Dilithium and Kyber are defined below:

  • Dilithium: 2,3 and 5.
  • Kyber: 2,3 and 5.



Certificate Settings


The third step is to configure the Certificate Settings for Certification Profile. See the below image:



The configuration items are as follows:


Items

Description

Subject Distinguished Name

This item describes the default attributes and values to be used for Subject Distinguished Name(DName) during certificate generation. ADSS Certification service provides a flexible format for specifying the DName. Possible values are:

  • Comma separated Relative DNs
  • $REQUEST
  • $PKCS10 

The full Subject Distinguished Name can be provided to the certification service: (a) In the certificate request message (b) OR in the PKCS#10 / CSR data (c) OR via both certificate request messages and PKCS#10 / CSR data. To configure the DN structure correctly follow these rules:

  1. Comma separated Relative DNs
    ADSS Certification Service tries to find the value of Relative DNs (attributes) which are set as variables e.g. CN=$CN firstly from the request message and then within any supplied PKCS#10/CSR.  Any missing attribute values are dropped from the final Subject Dname. If the option "Match the pattern with the subject DN in request" is enabled and the request data does not contain the value for a required Relative DNs (attribute) then the request will be rejected.

  2. $REQUEST
    ADSS Certification Service tries to find the DName value only from the request message and will ignore any supplied PKCS#10/CSR. If the request data does not contain the DName value then the request will be rejected.

  3. $PKCS10
    ADSS Certification Service tries to find the DName value only from the PKCS#10/CSR and will ignore any supplied RDNs in request message. If the request data does not contain the PKCS#10/CSR then the request will be rejected.


Note: The supported Relative DNs values are: 

  • CN - Common Name
  • G - Given Name
  • SN - Surname
  • T - Title
  • OU - Organization Unit
  • O - Organization
  • OI - Organization Identifier
  • E - Email
  • L - Locality
  • ST - Street Address
  • S - State
  • P - Postal Code
  • C - Country
  • SERIALNUMBER - Subject Serial Number
  • UID - Unique Identifier
  • B - Business Category
  • houseIdentifier - House Identifier
  • DC - Domain Component
  • EVL - Extended Validation Locality 
  • EVS - Extended Validation State
  • EVC - Extended Validation Country
  • unstructuredName - Unstructured Name
  • unstructuredAddress - Unstructured Address
  • pseudonym - Pseudonym

​If the Crypto Source is Azure Key Vault HSM, then, the certificate request can only use these characters for either Client ID or Certificate Alias:

  • A-Z
  • a-z
  • 0-9
  • hyphen "-"


If the profile is having Entrust CA ( as External CA in CA Details), then Common Name and Surname are mandatory parameters to be configured as Subject Distinguished Names.


The value for CA/Browser Forum Organization Identifier extension is taken from Organization Identifier when ENABLE_CA_VALIDATION_CHECK is set to TRUE in Global Settings > Advanced Settings. Its support is not provided in Certificate Templates.


Multilingual characters are supported in Subject Distinguished Name.​

All special characters except '$' sign can be used in Subject Distinguished Name.


Match the pattern with subject DN in request

Select this option if you want to generate certificates using the exact RDN pattern defined in the certification profile. If this option is enabled and the RDN pattern is not matched in the certificate request data or PKCS#10/CSR then the request will be rejected.

Note: If the Subject Distinguished Name filed is configured as $REQUEST or $PKCS10 then no validation or pattern matching will be performed.  The Subject DName will be set as configured in the request or in the PKCS#10/CSR.

Validity Period

Set the validity period and select the time unit from the drop-down (minute(s), hour(s), day(s), month(s) and year(s)) to set the certificate validity period.

Note: If '0' value is configured in the validity period or '0' value is passed from the request then the validity period configured in the selected certificate template will be used and default time unit will be Month(s). Moreover if validity period is checked as overrideable and any value is passed through the request then the certificate time unit will be in Month(s) by default.

Current Time

Select this option if you want to issue the certificates whose "Valid From" is from the date of issuance.

Future Time

Select this option if you want to issue the certificates whose "Valid From" is in future e.g. you issue a certificate whose "Valid From" is two days onward from the date of issuance then you can set the value 2 in "After Days" field. You also need to set the "Valid From" time in the "Valid From" field. Use the time control to set the time. Time format is HH:MM AM/PM.

Renew certificate using existing key pair

Select this option when certificate renewal is required using existing key pair.

Renew certificate using new key pair (Rekey)

Select this option when certificate renewal is required using new key pair 

Note: PKCS10 in request means Key Pair was generated at client side and also service would reject REKEY and RENEW(with new Key) request containing PKCS10 if existing key was generated on server.



CA Details


The last step is to define the CA Details for Certification Profile. See the below image:



The configuration items are as follows:


Items

Description

Automatically process requests

Unselect this option if you want to generate certificates in asynchronous mode i.e. CSR is generated and shown in Pending. ADSS Server admin can certify this CSR:

  • Either from the local or external configured CA using “Generate Certificate” button
  • Export the CSR and get it certified manually using local, external or offline CA and import the certificate back to certification service

Reject already certified public key

If this checkbox is enabled, the ADSS Server will check the public key in the database. If the public key is already certified, the ADSS Server will not allow to certify the public key again, whether it is present in the CSR or individually sent in a certification request in the case of a create or rekey request.

Use Local CA

This checkbox is selected by default. Select this radio button, if the internal ADSS Manage CAs module to be used, will enable the following configuration:

Certification Template
Select a template for the certificates issued using this certification profile e.g. the template created for Document Signing, Log Signing etc.

Note: 

  • The certificate template list is taken from those defined within Key Manager or CA Manager
  • If Kyber is selected as a key algorithm in key pair settings, then only below list of certificate templates will be available to the user:
    • Default Key Encapsulation Mechanism Template
    • Default TLS Server Authentication Template
    • Default EV TLS Server Authentication Template
    • Default TLS Client Authentication Template


CA Certificate
Select an internal CA that is configured to service the certification requests from the ADSS Certification Service. The ADSS Certification Service will send PKCS#10 certificate request messages to this internal CA.

Note: The drop-down menu will only show those internal CAs that have already been configured (see Local CAs for further details).

External CA

Select this radio button to use an External online CA that is configured to service the certification requests from the ADSS Certification Service. The ADSS Certification Service will send PKCS#10 certificate request messages as well as public keys to this External CA.

The drop-down menu will only show those External CAs that have already been configured. All the External CAs accept public keys to generate certificate except: Symantec MPKI, Microsoft CA, DigiCert PKI, QuoVadis CA, EJBCA and GlobalSign EPKI. This functionality works only in case of certificate creation. See External CAs for further details.



Other than a generic Certification Profile, user can also configure a Certification Profile that will be used for key pair generation through RAS Service of the ADSS Server. In such configuration, this profile will be accessed by RA Service for certificate enrolment of a registered user. Certification Service interacts with the RAS Service by making two calls, key pair and CSR generation. The details about its configurations are given below.

If user enabled the checkbox Enable key pair generation through RAS Service then following screen will be shown:



The configuration items are as follows:


Items

Description

RAS Service Address 

Use this field to add RAS service address(es). User can enter the address in the field and then press ADD button to include the address in list of RAS Service addresses.

List of RAS Service Addresses

This field shows the available RAS service address(es) use for key generation in ADSS SAM. Multiple service addresses can be added to handle the Primary and Secondary service addresses as a fallback mechanism. The Test button checks that the ADSS RAS Server is available. The Remove button deletes a configured RAS Service address

RAS Profile

Specify the RAS profile Name/ID to be used with this certification profile.

Client ID

Define the client ID for this ADSS Certification profile to be included in the request message when communicating with the ADSS RAS Service for keypair generation inside ADSS SAM. This client ID needs to be registered within the ADSS Client Manager module.

Use TLS Client Authentication

After enabling this option, ADSS Certification Service will communicate with the ADSS RAS Service over TLS Client Authentication, select the TLS Client Certificate which pre-exists in the Key Manager. User can select the certificate from the list of available certificates by clicking on drop-down appears when it is enabled.

Note: It is required to register the Issuer CA of the TLS Client Authentication Certificate in Trust Manager with the purpose CA for verifying TLS client certificates.

OAuth2 Client Authentication

Enabling this checkbox ensures that the RAS APIs are authenticated by the Certification Service through OAuth2 Authentication. In this setup, the RAS Service provides an access token, which the Certification Service can use for subsequent communications.

Client Secret

This field becomes available only when OAuth2 Client Authentication is enabled. It allows the user to enter the Client Secret that was generated for the configured Client during registration.

Don’t share the Client Secret with anyone. Once the client secret is configured then operator cannot see it because once operator leave this page the client secret will be masked with asterisks for security reason and cannot be seen again.



The list of existing certification profiles can be sorted in either ascending or descending order by selecting a table column from the drop down list. 

Clicking on the Search button on the Certification Profile main page will display following screen:



This helps to locate a particular type of certification profile generated in the Certification Service. The profile can be searched based on Status, Certificate Profile ID, Certificate Profile Name, CA Type, Key Algorithm, Key Length, Security Level and Validity Period. The Security Level field will only be available if Dilithium or Kyber is selected in the Algorithm field.

If "_" character is used in the search then it will act as wildcard..


The Copied profile will be created without the "Name" and "Description" of the selected Profile. The Unique ID generates automatically or the next available ID will be assigned to the Profile

See also

Service Manager

Certification Profiles

CV Certificate Profiles

Attribute Profiles

Directory Integration

Identity Certificates

Attribute Certificates

Transaction Logs

Log Archiving

Alerts

Advanced Settings