An ADSS Service Profile is created in ADSS Web RA to configure ADSS Profiles (Certification and/or CSP) to issue different types of certificates for the ADSS Web RA users. In other words, an ADSS Server profile (Certification and/or CSP) is actually created at the ADSS Server end, and it is referred in the ADSS Web RA Admin for its implication.


Certification profiles entail all complex configurations and business requirements (i.e. CA details, Key Algorithm, Validity, etc.) to issue corresponding certificates for the ADSS Web RA users. 


ADSS Web RA supports the following certificate types:


  1. Signing the CSR only (the CSR is generated in another application e.g. IIS, a device etc.). The following configurations are required for this:
    1. A client must be registered in ADSS Server Client Manager
    2. The client must be configured in the ADSS Web RA connector of ADSS Server 
    3. A certification profile must be created in the ADSS Certification Server
    4. A certification profile must be created in the ADSS Web RA to map the ADSS Server Certification Profile
    5. The ADSS Web RA Certification Profile must be configured in the Service Plan


  1. Generating the key pair on client side and signing the CSR
    1. A Client must be registered in ADSS Server Client Manager
    2. The Client must be configured in the ADSS Web RA connector of ADSS Server 
    3. A Certification Profile must be created in the ADSS Certification Server
    4. A Go>Sign Profile must be created in the ADSS Go>Sign Server of type Certificate Generation 
    5. A Certification Profile must be created in the ADSS Web RA to map the ADSS Server Certification Profile
    6. The Go>Sign Profile must be configured in the ADSS Web RA Certification Profile
    7. The ADSS Web RA Certification Profile must be configured in the Service Plan


  1. Server side key generation for remote authorized signing
    1. Client must be registered in ADSS Server Client Manager
    2. The Client must be configured in the ADSS Web RA connector of ADSS Server 
    3. A SAM Profile must be created in the ADSS SAM Server 
    4. A RAS Profile must be created in the ADSS RAS Server
    5. A CSP Profile should be created in the ADSS CSP Server (only needed if you want to use the CSP service. Also, a CSP profile should be created in ADSS Web RA to map the ADSS CSP Profile.)
    6. A Certification Profile must be created in the ADSS Certification Server
    7. A Certification Profile must be created in the ADSS Web RA to map the ADSS Server Certification Profile
    8. The Go>Sign Profile must be configured in the ADSS Web RA Certification Profile
    9. The ADSS Web RA Certification Profile must be configured in the Service Plan


Create a Certification Profile in ADSS Web RA


  1. Click "External Services" from the left menu
  2. Then click "Certification Profiles" to see the certification profiles listing screen.



  1. Click  from the grid header. 
  2. A dialog will appear to add the profile details. The certification profile dialog consists of two screens, i.e. Basic Information, Profile Settings, Details. Authentications, Advance Settings. Specify the basic information and click "Next" to move to the next screen.


Basic Information

Field

Description

Name

Specify a unique name for this profile. 

Description

Specify any description related to this certification profile.

Active

Tick this check box to activate this profile.



Profile Settings

Field

Description

ADSS Service

This field will display the ADSS Services (i.e. Certification Service and CSP Service) that are available for ADSS Web RA. Select the one for which this service profile is being created, i.e. Certification Service. 

ADSS Certification Server

This field will display the list of active ADSS connectors in ADSS Web RA. Select the one to use for this certification service profile, e.g: 192.168.0.157

ADSS Certification/CSP Profile

Specify the ID or name of the profile that has been created in the ADSS Certification/CSP Service for ADSS Web RA, e.g: adss:certification:profile:001

Certificate Purpose

It contains a list of standard certificate purposes which actually comes from ADSS, based on selected certification profile. A certificate will be generated based on provided certification profile ID, and the purpose will be the one that is configured under that ADSS Service Profile. Possible certificate purposes could be Document Signing, TLS Server Authentication, Code Signing etc.

Device Enrolments

Tick this checkbox, it is mandatory to select Device Enrolment  or it will be a simple certification profile. A drop box will appear, allowing the user to choose and select between SCEP, CMP, ACME and EST according to requirement. 

Enable Device Enrolment Authentication with Enterprise Device CA

 By enabling this setting, user will not be required to upload an authentication certificate while creating an account.  





Details

Field

Description

Use this certificate profile to generate keys on smart cards/tokens

Enable this option if this profile will be used to generate the certificates in the smart card/ token.

Key Algorithm

Key Algorithm that will be used to generate the key pair in the smart card/token. This configuration is coming from the ADSS Server so it cannot be changed

Key Length

Key Length that will be used to generate the key pair in the smart card/token. This configuration is coming from the ADSS Server so it cannot be changed

Validity Period Type

Validity period type can be configured as a Fixed to restrict the enterprise user to change the certificate validity or it can be set as Custom if enterprise RAO allow an enterprise user to set validity period while creating a certificate request.

These Fixed and Custom values can only be used on ADSS Web RA admin, if the selected ADSS Certification profile has set overridable option in certification profile. It will be  shown as Fixed validity period type otherwise.

Validity Period

The certificate validity period. If the CA profile is configured to use its time instead taking the time from the request then this value will be dropped by the CA server. 

Validity Duration

The time unit of the validity period. It could be minutes, hours, days, months and years.


Authentications - Enable Secondary Authentication for:

Field

Description

New Requests

If enables then an OTP (One TIme Password) can be set as a second factor authentication, and an enterprise RAO has to provide an OTP to approve new certificate request. The OTP can be received either through SMS or via an email, depending upon the selected profile.

In Authentication Profiles list only those profiles are listed for which secondary authentication has configured while creating that authentication profile. See Authentication Profiles section for details.

Revocation Requests

If enables then an OTP (One TIme Password) can be set as a second factor authentication, and an enterprise RAO has to provide an OTP to approve a certificate revocation request. The OTP can be received either through SMS or via an email, depending upon the selected profile.

In Authentication Profiles list only those profiles are listed for which secondary authentication has configured while creating that authentication profile. See Authentication Profiles section for details.

Rekey Requests

Enable authentication for rekey requests will show in the 'Authentications' section to handle second factor authentications for rekey certificate. 

This section only shows when the operator has enabled the 'rekey' policy. Configurations > Policy 

Renew Requests 

Enable authentication for renew requests will show in the Authentications section to manage second factor authentication for renew certificate. This section will only appear when the operator has enabled the 'rekey' policy.Configurations > Policy


An administrator can use any of the available methods (OTP, SAML or Active Directory) for primary and secondary authentications, and he can enable authentication for various certificate requests in ADSS Web RA as displayed in the screenshot below:




Advance Settings 

Field

Description

Agreement

Select a subscriber agreement if an admin wants a user to agree on certain terms before submitting a certificate request 

Vetting Option

Select whether vetting is required for this certification service profile or not. Select the "Manual Vetting" option if you require the vetting provision and then select a vetting form from the next appearing field.

Vetting Form

This field will display the list of active vetting forms. Select the one to use for this certification service profile.

Enable Revocation Vetting

Tick this checkbox if you want enable vetting for revocation 

Special Permission 

Special permission configurations allow you to permit creation or revocation of certificates to a specific number of Admin RAO and Enterprise RAO

Vetting Permission 

Vetting permissions for new certificate request. 

  • None
  • Certificate Vetting Permission 
  • Revocation Vetting Permission (This list will appear only when you tick the checkbox Enable Revocation Vetting)
  • Certificate and Revocation Vetting Permission 

Admin RAO for Certificate Creation 

The number of Admin RAO that can vet a certificate request

Enterprise RAO for Certificate Creation 

The number of Enterprise RAO that can vet a certificate request


Special Permissions


ADSS Web RA allows an operator to configure/set number of Admin RAOs and Enterprise RAOs that will be required to approve requests for the following in the certification profiles:


  1. Creating a new certificate
  2. Renewal of certificate
  3. Certificate rekeying
  4. Certificate re issuance

It is important to note that this quorum will only be applicable when manual vetting is enabled. 



  • An operator can set a limit on the number of the Admin RAO and Enterprise RAO that can perform various actions with respect to certification profiles (as mentioned above).


  • An operator can permit either Admin RAO (s) or Enterprise RAO (s) or he can set permissions for both Admin RAO (s) and Enterprise RAO (s). 


Minimum number of Admin RAO/Enterprise RAO required


An operator needs to permit at least one Admin RAO or Enterprise RAO. If an operator enters less than 1 Admin RAO/Enterprise RAO, the following messages will appear on the screen:



Maximum Limit on Number of Enterprise RAOs


If an operator enters a number more than the maximum number of Admin RAOs/Enterprise RAOs available in the application, the following messages will appear on the screen:




When an operator selects Certificate and Revocation Vetting Permission, the following screen appears:




An operator can also view the number of approvers by clicking on the approver information link against a request.