Certification profile for S/MIME certificate type


Expand External Services > Certification Profiles from the left menu. The system will display the certification profiles listing screen. 



To add a new certification profile, click the ‘+’ button on the left side of the table header. The system will display the ‘Basic Information’ screen.



Basic Information


The basic information screen will display the following fields:


Field

Description

Name

Specify a unique name for this profile. 

Description

Specify any description related to this certification profile. (Optional)

Active

Select this checkbox to make the profile active.



After entering the required details, click the next ‘>’ icon to proceed to the ‘Profile Settings’ screen.


Profile Settings


On this screen, provide the information as described in the table below:


Field

Description

ADSS Service

This field will display the ADSS Services (i.e. Certification Service and CSP Service) that are available for ADSS Web RA. Select the ‘Certification Service’ option. 

ADSS Certification Server

This field will display the list of active ADSS connectors in ADSS Web RA. Select the one to use for this certification service profile. For example: 192.168.2.64.

ADSS Certification Service Profile

In this field, enter the certification profile that you created on the ADSS Server. For example: adss:certification:profile:001.

Issuer Name

This field will display the issuer CA name.

Certificate Purpose 

This field will display ‘Email Signing’ as the certificate purpose. (This field appears disabled and cannot be changed.)

Validation Type

The Validation Type dropdown appears only when the certificate purpose is Email Signing.


The following validation types are available in the dropdown list:


  • None
  • Mailbox 
  • Organisation
  • Sponsor


None: If this option is selected, no validation is required during certificate request creation.


Mailbox: If this option is selected, the system will verify the email address(es) mentioned in the RFC822Name field.


Organisation: If this option is selected, the domain ownership of the organisation will be verified.


Sponsor: If this option is selected, both the domain ownership and email address(es) will be verified. 

Domain Verification Method

This dropdown appears when the Organisation or Sponsor validation type is selected in the Validation Type field. 


The following options are available in the dropdown:


  • Select All
  • Upload a File 
  • TXT Record


You can select both options for domain verification or choose only one, depending on your requirements.

Enable Open MPIC Validation

If this checkbox is enabled, Open MPIC will perform domain validation and CAA verification.


Note: This option will only appear if the “Open MPIC Connector” is selected in the Configurations > Policies > Requests section. To learn more about this, navigate to the “Requests” section. Furthermore, the Open MPIC Validation option is only available when the certificate purpose is ‘TLS Server Authentication’ or ‘Email Signing’.
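The Validation Type and Domain Verification Method settings above describe what the RA checks before a request may proceed. The following Python script is an added example (not ADSS Web RA code) that mirrors that policy: Mailbox validation requires every rfc822Name to have proven control, Organisation validation requires every mailbox domain to publish a verification token as a DNS TXT record, and Sponsor requires both. The request model, the DNS TXT answers, the set of already-verified mailboxes and the TXT label `webra-domain-verify=` are all constructed here so the script runs offline; the "Upload a File" method is not modelled.

```python
"""Added example (not ADSS Web RA code): mirrors the S/MIME validation types
and the TXT Record domain verification method. All data below is constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed stand-in for DNS TXT lookups: domain -> TXT strings published there.
# Only example.com publishes the verification token.
FAKE_DNS_TXT: Dict[str, List[str]] = {
    "example.com": ["v=spf1 -all", "webra-domain-verify=TOKEN-abc123"],
    "example.org": ["v=spf1 -all"],
}

# Constructed set of mailboxes whose control has already been proven
# (for instance by a one-time link delivered to that address).
VERIFIED_MAILBOXES: Set[str] = {"alice@example.com"}


@dataclass
class CertRequest:
    """The part of a certificate request the validation types look at."""
    rfc822_names: List[str]  # SAN rfc822Name entries from the CSR


def domain_of(mailbox: str) -> str:
    """Return the lowercase domain part of an rfc822Name mailbox."""
    local, sep, domain = mailbox.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError(f"not an rfc822Name mailbox: {mailbox!r}")
    return domain.lower()


def txt_record_verified(domain: str, token: str, dns: Dict[str, List[str]]) -> bool:
    """TXT Record method: the domain must publish the expected token (assumed label)."""
    expected = f"webra-domain-verify={token}"
    return any(txt.strip() == expected for txt in dns.get(domain.lower(), []))


def mailboxes_verified(req: CertRequest, verified: Iterable[str]) -> bool:
    """Mailbox validation: every rfc822Name must have proven control."""
    if not req.rfc822_names:
        return False  # nothing to validate is a failure, not a pass
    known = {m.lower() for m in verified}
    return all(m.lower() in known for m in req.rfc822_names)


def domains_verified(req: CertRequest, token: str, dns: Dict[str, List[str]]) -> bool:
    """Organisation validation: every domain used in the rfc822Names must be proven."""
    if not req.rfc822_names:
        return False
    domains = {domain_of(m) for m in req.rfc822_names}
    return all(txt_record_verified(d, token, dns) for d in domains)


def validate(req: CertRequest, validation_type: str, token: str = "TOKEN-abc123",
             dns: Dict[str, List[str]] = FAKE_DNS_TXT,
             verified: Iterable[str] = VERIFIED_MAILBOXES) -> bool:
    """Apply the profile's Validation Type (None, Mailbox, Organisation, Sponsor)."""
    vt = validation_type.strip().lower()
    if vt == "none":
        return True
    if vt == "mailbox":
        return mailboxes_verified(req, verified)
    if vt == "organisation":
        return domains_verified(req, token, dns)
    if vt == "sponsor":
        return mailboxes_verified(req, verified) and domains_verified(req, token, dns)
    raise ValueError(f"unknown validation type: {validation_type!r}")


if __name__ == "__main__":
    # bob@example.com: domain is proven, mailbox is not, so Sponsor fails.
    for vt in ("None", "Mailbox", "Organisation", "Sponsor"):
        print(vt, validate(CertRequest(["bob@example.com"]), vt))
```

Note that an empty rfc822Name list fails Mailbox and Organisation validation rather than passing vacuously; a profile that wants no check at all selects None explicitly.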



Details


Once you have configured the profile settings, click next to move to the Details screen. 


Field

Description

Use this certificate profile to generate keys on smart cards/tokens

Enable this option if this profile will be used to generate certificates on a smart card/token. After enabling this checkbox, the administrator must provide the ADSS Server details along with the ADSS Go>Sign Profile.


The system will also display the ‘Enable Reset PIN/PUK’ dropdown, allowing the administrator to reset the default PIN and PUK values for the token.


The following options are available in the dropdown:


  • None
  • PIN
  • PUK
  • Both (PIN and PUK)


The operator can reset the default value of either the PIN or the PUK by selecting the respective option from the dropdown.


If the Both (PIN and PUK) option is selected, the system will display both the Default PIN and Default PUK fields, where the administrator can reset the default values.


Note: By default, ‘None’ option will be selected for the


From the “Mechanism” dropdown, the administrator can choose how the default PIN and PUK values will be shared. The available options are:


  • Email
  • SMS
  • Both (Email and SMS)


If Both (Email and SMS) is selected, the entered PIN and PUK values will be shared with the user via both email and SMS.

Key Algorithm

The key algorithm that will be used to generate the key pair on the smart card/token. This is configured in the ADSS Server, so it cannot be changed here.

Key Length

The key length that will be used to generate the key pair on the smart card/token. This is configured in the ADSS Server, so it cannot be changed here.

Validity Period Type

The validity period type can be set to Fixed, which prevents the enterprise user from changing the certificate validity, or to Custom, which lets the enterprise RAO allow an enterprise user to set the validity period while creating a certificate request.

The Fixed and Custom options are available in ADSS Web RA Admin only if the selected ADSS Certification profile has its validity marked as overridable in the certification profile; otherwise the validity period type is shown as Fixed.

Validity Period

The certificate validity period. If the CA profile is configured to use its own validity settings instead of taking them from the request, the CA server will ignore this value.

Validity Duration

The time unit of the validity period. It can be minutes, hours, days, months or years.

Enable Mandatory Certificate Fields

If enabled, this option allows the administrator to define which Subject Distinguished Name (SDN) and Subject Alternative Name (SAN) fields must be mandatory when generating a certificate.


Enabling this checkbox will display the SDN and SAN dropdowns, allowing the administrator to select the required mandatory fields while leaving the optional ones unchecked.
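The Validity Period Type, Validity Period, Validity Duration and Enable Mandatory Certificate Fields settings above together decide whether a request is complete and how long the resulting certificate lives. The Python script below is an added example (not ADSS Web RA code) that applies those settings to a request: a Fixed profile rejects any differing validity supplied by the user, a Custom profile accepts it, months and years are added with calendar arithmetic (day-of-month clamping), and a request missing a mandatory SDN or SAN field is refused before notAfter is computed. The `Profile` and `Request` models, the sample values and the choice of mandatory fields (CN, O, C, rfc822Name) are constructed for illustration.

```python
"""Added example (not ADSS Web RA code): validity period handling and the
mandatory SDN/SAN field check for a certification profile. Sample data is constructed."""
import calendar
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Profile:
    validity_type: str          # "Fixed" or "Custom"
    validity_period: int        # e.g. 1
    validity_duration: str      # minutes | hours | days | months | years
    mandatory_sdn: Set[str] = field(default_factory=set)  # e.g. {"CN", "O", "C"}
    mandatory_san: Set[str] = field(default_factory=set)  # e.g. {"rfc822Name"}


@dataclass
class Request:
    subject: Dict[str, str]                                # SDN attributes from the CSR
    san: Dict[str, List[str]]                              # SAN type -> values
    requested_validity: Optional[Tuple[int, str]] = None   # (period, unit) chosen by the user


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Small helper so sample timestamps are always timezone-aware UTC."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def add_months(start: datetime, months: int) -> datetime:
    """Calendar-month arithmetic with day clamping (Jan 31 + 1 month = Feb 29 or 28)."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return start.replace(year=year, month=month, day=day)


def add_period(start: datetime, period: int, unit: str) -> datetime:
    """Compute notAfter from notBefore using the profile's Validity Duration unit."""
    if period <= 0:
        raise ValueError("validity period must be positive")
    u = unit.strip().lower()
    if u == "minutes":
        return start + timedelta(minutes=period)
    if u == "hours":
        return start + timedelta(hours=period)
    if u == "days":
        return start + timedelta(days=period)
    if u == "months":
        return add_months(start, period)
    if u == "years":
        return add_months(start, 12 * period)
    raise ValueError(f"unknown validity duration unit: {unit!r}")


def effective_validity(profile: Profile, req: Request) -> Tuple[int, str]:
    """Fixed: the profile value wins and a differing override is rejected.
    Custom: the user's value is used when supplied, otherwise the profile default."""
    profile_value = (profile.validity_period, profile.validity_duration)
    vt = profile.validity_type.strip().lower()
    if vt == "fixed":
        if req.requested_validity is not None and req.requested_validity != profile_value:
            raise PermissionError("validity period type is Fixed; the request may not override it")
        return profile_value
    if vt == "custom":
        return req.requested_validity or profile_value
    raise ValueError(f"unknown validity period type: {profile.validity_type!r}")


def missing_mandatory_fields(profile: Profile, req: Request) -> List[str]:
    """List the mandatory SDN/SAN fields the request left empty (empty list means OK)."""
    missing = [f"SDN:{a}" for a in sorted(profile.mandatory_sdn) if not req.subject.get(a)]
    missing += [f"SAN:{t}" for t in sorted(profile.mandatory_san) if not req.san.get(t)]
    return missing


def not_after(profile: Profile, req: Request, not_before: datetime) -> datetime:
    """Refuse incomplete requests, then compute the certificate's notAfter."""
    missing = missing_mandatory_fields(profile, req)
    if missing:
        raise ValueError("mandatory fields missing: " + ", ".join(missing))
    period, unit = effective_validity(profile, req)
    return add_period(not_before, period, unit)


# Constructed sample profile and request.
SMIME_PROFILE = Profile("Fixed", 1, "years", {"CN", "O", "C"}, {"rfc822Name"})
SAMPLE_REQUEST = Request(
    subject={"CN": "Alice Example", "O": "Example Ltd", "C": "GB"},
    san={"rfc822Name": ["alice@example.com"]},
)

if __name__ == "__main__":
    # A leap-day notBefore shows the clamping: 2024-02-29 + 1 year -> 2025-02-28.
    print(not_after(SMIME_PROFILE, SAMPLE_REQUEST, utc(2024, 2, 29, 12, 0)).isoformat())
```

The mandatory-field check runs before the validity computation so that an incomplete request is rejected with a list of every missing field at once, which is what an enterprise RAO needs to see when a request is bounced back.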




Authentications


Authentications - Enable Secondary Authentication for:

Field

Description

New Requests

If enabled, an OTP (One-Time Password) can be set as a second-factor authentication, and an enterprise RAO has to provide an OTP to approve a new certificate request. The OTP can be received either through SMS or via email, depending upon the selected profile.

The Authentication Profiles list shows only those profiles for which secondary authentication was configured when the authentication profile was created. See the Authentication Profiles section for details.

Revocation Requests

If enabled, an OTP (One-Time Password) can be set as a second-factor authentication, and an enterprise RAO has to provide an OTP to approve a certificate revocation request. The OTP can be received either through SMS or via email, depending upon the selected profile.

The Authentication Profiles list shows only those profiles for which secondary authentication was configured when the authentication profile was created. See the Authentication Profiles section for details.

Rekey Requests

The option to enable authentication for rekey requests appears in the Authentications section to handle second-factor authentication for rekey certificate requests.

This section appears only when the operator has enabled the Rekey policy under Configurations > Policy.

Renew Requests 

The option to enable authentication for renew requests appears in the Authentications section to manage second-factor authentication for renew certificate requests. This section appears only when the operator has enabled the Rekey policy under Configurations > Policy.


An administrator can use any of the available methods (OTP, SAML, Active Directory, Azure Active Directory, or OIDC) for secondary authentication, and can enable authentication for new certificate requests, revocation requests and rekey requests as displayed in the screenshot below:



View icon


An administrator can click the view icon to compare the values of the Windows server template and the certification service template. The Windows Enrolment Template Mapping screen will appear as indicated in the screenshot below:



An operator can set OIDC as secondary authentication by configuring connectors in the Authentications section of the certification profile as displayed below:



Advance Settings


In case of Device Enrolment and Windows Enrolment, there will be no vetting in the Advance Settings tab, as displayed in the screenshot below:




Advance Settings 

Field

Description

Agreement

Select a subscriber agreement if an admin wants a user to agree to certain terms before submitting a certificate request.

Vetting Option

Select whether vetting is required for this certification service profile. Select the "Manual Vetting" option if you require vetting, and then select a vetting form in the field that appears next.

Vetting Form

This field will display the list of active vetting forms. Select the one to use for this certification profile.

Enable Revocation Vetting

Tick this checkbox to enable vetting for revocation.

Special Permission 

Special permission configurations allow you to permit the creation or revocation of certificates to a specific number of Admin RAOs and Enterprise RAOs.

Vetting Permission 

Vetting permissions for new certificate requests:


  • None
  • Certificate Vetting Permission 
  • Revocation Vetting Permission (This list will appear only when you tick the checkbox Enable Revocation Vetting)
  • Certificate and Revocation Vetting Permission 


Admin RAO for Certificate Creation 

The number of Admin RAO(s) that can vet a certificate request.

Enterprise RAO for Certificate Creation 

The number of Enterprise RAO(s) that can vet a certificate request.


Click Create to complete the process of creating a certification profile.