ADSS Service Profiles
Introduction
An ADSS Service Profile is created in Web RA to reference the ADSS Server profiles (Certification and/or CSP) that issue the different types of certificates for Web RA users. In other words, the profile itself (Certification and/or CSP) is created on the ADSS Server side, and Web RA Admin only references it so that it can be applied to requests.
The ADSS Certification Profile holds all the detailed configuration and business rules (CA details, key algorithm, validity, etc.) needed to issue the corresponding certificates to Web RA users; Web RA only references these profiles, which keeps its own configuration simple.
How it Works
Web RA and ADSS Server support the following ways of issuing certificates:
- Signing the CSR only (the CSR is generated in another application, e.g. IIS or a device, so the private key never leaves that application). The following configuration is required for this:
  - A Client must be registered in the ADSS Server Client Manager
  - The Client must be configured in the Web RA connector of ADSS Server
  - A Certification Profile must be created in the ADSS Certification Server
  - A Certification Profile must be created in Web RA to map the ADSS Server Certification Profile
  - The Web RA Certification Profile must be configured in the Service Plan
- Generating the key pair on the client side (via Go>Sign) and signing the resulting CSR
  - A Client must be registered in the ADSS Server Client Manager
  - The Client must be configured in the Web RA connector of ADSS Server
  - A Certification Profile must be created in the ADSS Certification Server
  - A Go>Sign Profile of type Certificate Generation must be created in the ADSS Go>Sign Server
  - A Certification Profile must be created in Web RA to map the ADSS Server Certification Profile
  - The Go>Sign Profile must be configured in the Web RA Certification Profile
  - The Web RA Certification Profile must be configured in the Service Plan
- Server-side key generation for remote authorised signing (the key pair is generated and held on the server side in the ADSS SAM Server)
  - A Client must be registered in the ADSS Server Client Manager
  - The Client must be configured in the Web RA connector of ADSS Server
  - A SAM Profile must be created in the ADSS SAM Server
  - A RAS Profile must be created in the ADSS RAS Server
  - A CSP Profile must be created in the ADSS CSP Server, and a CSP Profile must be created in Web RA to map it (only needed if the CSP service is to be used)
  - A Certification Profile must be created in the ADSS Certification Server
  - A Certification Profile must be created in Web RA to map the ADSS Server Certification Profile
  - The Go>Sign Profile must be configured in the Web RA Certification Profile
  - The Web RA Certification Profile must be configured in the Service Plan
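The first of these flows on the client side, as an added example that is not part of the Web RA or ADSS Server documentation: a POSIX shell script using the OpenSSL command line to generate the key pair and CSR locally, check the CSR before it is uploaded to Web RA, and verify the certificate that comes back. The subject values, file paths, the 2048-bit minimum and the mock_issue stand-in for the CA are assumptions made for this example; in practice the certificate is returned by ADSS Server through Web RA.

```shell
#!/bin/sh
# Added example, not part of the Web RA documentation. Prepares and checks a
# CSR on the client side for the "Signing the CSR only" flow: the key pair is
# generated locally and only the CSR is uploaded to Web RA. Subject values,
# paths and the 2048-bit minimum are assumptions for illustration.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/server.key"
CSR="$WORKDIR/server.csr"

# Generate the key pair and CSR locally. The private key stays in $KEY and is
# never sent to Web RA or ADSS Server.
gen_csr() {
    cn="$1"; san="$2"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$KEY" -out "$CSR" \
        -subj "/CN=$cn/O=Example Corp/C=GB" \
        -addext "subjectAltName=DNS:$san" >/dev/null 2>&1
}

# Checks worth making before uploading the CSR:
#   1. its self-signature verifies, so it was not altered after generation
#   2. the key length meets the minimum the certification profile expects
#   3. it carries a DNS SAN, which TLS server certificates are validated on
# Returns 0 on success, or 1/2/3 to indicate which check failed.
check_csr() {
    csr="$1"; min_bits="$2"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    bits=$(openssl req -in "$csr" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge "$min_bits" ] || return 2
    openssl req -in "$csr" -noout -text | grep -q 'DNS:' || return 3
}

# Stand-in for the CA (assumption): Web RA/ADSS Server would normally return
# the certificate. Here the CSR is self-signed with the requested EKU so the
# post-issuance check below can run offline.
mock_issue() {
    cert="$1"; eku="$2"
    printf 'extendedKeyUsage=%s\n' "$eku" > "$WORKDIR/ext.cnf"
    openssl x509 -req -in "$CSR" -signkey "$KEY" -days 1 \
        -extfile "$WORKDIR/ext.cnf" -out "$cert" >/dev/null 2>&1
}

# After issuance: confirm the certificate matches the local key (compare the
# public keys) and carries the purpose selected in the service profile.
check_issued() {
    cert="$1"; eku_text="$2"
    cert_key=$(openssl x509 -in "$cert" -noout -pubkey)
    csr_key=$(openssl req -in "$CSR" -noout -pubkey)
    [ "$cert_key" = "$csr_key" ] || return 1
    openssl x509 -in "$cert" -noout -text | grep -q "$eku_text" || return 2
}
```

Run gen_csr, upload the CSR through the Web RA request form, then run check_issued on the certificate Web RA returns. The key-match check catches a certificate issued against a different request, and the EKU check confirms that the Purpose configured in the service profile was actually applied by the CA.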
Create a Certification Profile in Web RA
- Click Configurations from the left menu.
- Click ADSS Service Profiles.
- Click the add button in the grid header.
- A dialog will appear to add the profile details. The ADSS Service Profile dialog comprises two screens, Basic Information and Details. Specify the basic information and click Next to provide the details.
- Click Finish. The new service profile is saved and displayed in the list. See the tables below for a description of each field.
Basic Information

| Field | Description |
|---|---|
| Name | Specify a unique name for this service profile. This name identifies the profile when it is selected in a Service Plan. |
| Description | Specify any description related to this service profile. |
| Active | Tick this check box to make the service profile active. Inactive service profiles cannot be selected in a Service Plan. |
Profile Settings

| Field | Description |
|---|---|
| ADSS Server | Lists the active ADSS connectors configured in Web RA. Select the one to use for this service profile. |
| ADSS Service | Lists the ADSS services available to Web RA, i.e. Certification Service and CSP Service. Select the service for which this profile is being created, e.g. Certification Service. |
| ADSS Certification/CSP Profile | Specify the ID or name of the profile created for Web RA in the ADSS Certification or CSP Service, e.g. adss:certification:profile:001 |
| Purpose | Lists the standard certificate purposes returned by ADSS Server for the selected certification profile. Certificates are generated using the configured certification profile ID, and their purpose is the one selected here. Possible purposes include Document Signing, TLS Server Authentication and Code Signing. |
| Verification Type | If the ADSS Certification Profile is of type TLS Server Authentication, this drop-down appears while creating the profile, with the following options: |
| Domain Validation Method | When issuing a TLS Server Authentication certificate, the domain can be validated in one of two ways: |
| Enable Device Enrolment | Tick this check box to use the profile for device enrolment; left unticked, the profile is a plain certification profile. A drop-down then appears to select the enrolment protocol, SCEP or CMP, as required. |
| Enable Client Keys | This check box appears only if the selected ADSS Certification Profile uses fixed RDNs. |
Advanced Settings

| Field | Description |
|---|---|
| Use this certificate profile to generate keys on smart cards/tokens | Enable this option if the profile will be used to generate keys and certificates on a smart card or token. |
| Key Algorithm | Key algorithm used to generate the key pair on the smart card/token. This value comes from the ADSS Certification Profile and cannot be changed here. |
| Key Length | Key length used to generate the key pair on the smart card/token. This value comes from the ADSS Certification Profile and cannot be changed here. |
| Validity Period Type | Set to Fixed to prevent enterprise users from changing the certificate validity, or to Custom if the enterprise RAO allows enterprise users to set the validity period when creating a certificate request. Custom is available in Web RA Admin only if the validity in the selected ADSS Certification Profile is marked as overridable; otherwise the type is shown as Fixed. |
| Validity Period | The certificate validity period. If the ADSS Certification Profile is configured to use its own validity rather than the value in the request, the CA ignores this value. |
| Validity Duration | The time unit of the validity period: minutes, hours, days, months or years. |
Authentications - Enable Secondary Authentication for

| Field | Description |
|---|---|
| New Requests | If enabled, an OTP (One Time Password) is required as a second authentication factor: an enterprise RAO has to provide an OTP to approve a new certificate request. The OTP is delivered by SMS or email, depending on the selected authentication profile. The Authentication Profiles list shows only those profiles for which secondary authentication was configured when the profile was created. See the Authentication Profiles section for details. |
| Revocation Requests | As for New Requests, but the OTP is required to approve a certificate revocation request. The same authentication profile rules apply. |
Details

| Field | Description |
|---|---|
| Vetting Options | Select whether vetting is required for this service profile. Select "Manual Vetting" if vetting is required, then choose a vetting form in the field that appears. |
| Vetting Form | Lists the active vetting forms. Select the one to use for this service profile. |