A certification profile is created in ADSS Web RA to map the ADSS Server profiles (Certification and/or CSP) that issue the different types of certificates for ADSS Web RA users. In other words, the certification profile (Certification and/or CSP) itself is created in ADSS Server, and the ADSS Web RA Admin references it.


Certification profiles entail all complex configurations and business requirements (i.e. CA details, Key Algorithm, Validity, etc.) to issue corresponding certificates for the ADSS Web RA users. 


ADSS Web RA supports the following certificate types:


  1. Signing the CSR only (the CSR is generated in another application e.g. IIS, a device etc.). The following configurations are required for this:
    1. A client must be registered in ADSS Server Client Manager.
    2. The client must be configured in the ADSS Web RA connector of ADSS Server.
    3. A certification profile must be created in the ADSS Certification Server.
    4. A certification profile must be created in the ADSS Web RA to map the ADSS Server Certification Profile.
    5. The ADSS Web RA Certification Profile must be configured in the Service Plan.


  2. Generating the key pair on client side and signing the CSR. The following configurations are required for this:
    1. A Client must be registered in ADSS Server Client Manager.
    2. The Client must be configured in the ADSS Web RA connector of ADSS Server.
    3. A Certification Profile must be created in the ADSS Certification Server.
    4. A Go>Sign Profile must be created in the ADSS Go>Sign Server of type Certificate Generation.
    5. A Certification Profile must be created in the ADSS Web RA to map the ADSS Server Certification Profile.
    6. The Go>Sign Profile must be configured in the ADSS Web RA Certification Profile.
    7. The ADSS Web RA Certification Profile must be configured in the Service Plan.


  3. Server side key generation for remote authorized signing. The following configurations are required for this:
    1. A Client must be registered in ADSS Server Client Manager.
    2. The Client must be configured in the ADSS Web RA connector of ADSS Server.
    3. A SAM Profile must be created in the ADSS SAM Server.
    4. A RAS Profile must be created in the ADSS RAS Server.
    5. A CSP Profile should be created in the ADSS CSP Server (only needed if you want to use the CSP service; in that case a CSP profile should also be created in ADSS Web RA to map the ADSS CSP Profile).
    6. A Certification Profile must be created in the ADSS Certification Server.
    7. A Certification Profile must be created in the ADSS Web RA to map the ADSS Server Certification Profile.
    8. The Go>Sign Profile must be configured in the ADSS Web RA Certification Profile.
    9. The ADSS Web RA Certification Profile must be configured in the Service Plan.


Create a Certification Profile in ADSS Web RA


  1. From the admin portal, expand External Services > Certification Profiles from the left menu to see the certification profiles listing screen.
  2. Click ‘+’ from the grid header.
  3. A dialog will appear to add the profile details. The certification profile dialog consists of five screens: Basic Information, Profile Settings, Details, Authentications and Advance Settings.


Basic Information 


Basic Information

Field

Description

Name

Specify a unique name for this profile. 

Description

Specify any description related to this certification profile.

Active

Tick this check box to activate this profile.


At the Basic Information screen, enter the fields, then click >.



Profile Settings


The profile settings vary for different types of certification profiles. Click on any of the following to view profile settings:


  1. Certification profile settings for a Certification Service profile.
  2. Certification profile settings for CSP Service profile.
  3. Certification profile settings for Windows Enrolment 
  4. Certification profile to generate keys on Smart Card/Token
  5. Certification profile for Device Enrolment - Microsoft Intune SCEP.
  6. Certification profile for Enrolment Protocol - ACME


Certification Profile Settings for a Certification Service profile:


Profile Settings

Field

Description

ADSS Service

This field will display the ADSS Services (i.e. Certification Service and CSP Service) that are available for ADSS Web RA. Select Certification Service. 

ADSS Certification Server

This field will display the list of active ADSS connectors in ADSS Web RA. Select the one to use for this certification service profile, e.g: 192.168.2.64.

ADSS Certification Service Profile

In this field, enter the certification profile that you created on the ADSS Server, e.g. adss:certification:profile:001.

Issuer Name

This field will display issuer CA name.

Certificate Purpose 

This field appears disabled. It lists the standard certificate purposes returned by ADSS Server for the selected certification profile; the certificate is generated according to that certification profile ID, and the purpose cannot be changed here because it is configured under the ADSS Certification Service Profile. Possible certificate purposes include Document Signing, TLS Server Authentication, Code Signing, etc.


ADSS Web RA supports the following types of TLS certificates:


  • EV TLS Server authentication
  • TLS Client authentication
  • TLS Server authentication


When an EV TLS Server authentication certificate is revoked, ADSS Web RA will support only the following six revocation reasons:


  1. Unspecified 
  2. Key Compromise
  3. Affiliation Change 
  4. Superseded
  5. Cease of Operation 
  6. Privilege Withdrawn 


In case of an external CA, this field will be enabled and the operator can select the certificate purpose.

Verification Type 

Select an option from the following:


  • DV SSL 
  • EV SSL 
  • OV SSL 
  • None.

Certificate Enrolment 

A drop down where you can select one from the following:


  • None - For a simple certification profile.
  • Device Enrolments - It allows you to create a device enrolment profile. If you select this, another drop down for device enrolments appears. 
  • Windows Enrolment - Once you select this from the drop down, another drop down with Active Directory Profile appears. 

Active Directory Profile

It allows a user to select an active directory profile which is required for Windows Enrolment. 

Device Enrolments

Select this checkbox. A drop box will appear, allowing the user to choose and select between SCEP, CMP, ACME and EST according to requirement. 

Certificate Template 

This drop down lists the certificate templates fetched from the Active Directory profile selected above.

Enable Device Enrolment 

By enabling this setting, users are not required to upload an authentication certificate when creating an account.

Enable Virtual ID Registration with Password

Enable this checkbox if you want the user to provide a password during the process of registering a Virtual ID. This password will be used for credential authorization within business applications.

Enable Client Keys

Enabling the client keys option requires a public key to generate the certificate. The Subject Distinguished Names (SDNs) in the certificate request will be populated based on what is configured in the ADSS certification profile and the data provided in the CSR (Certificate Signing Request).

Enable one-time PFX download

If enabled, users can download the PFX file only once. After that, the PFX download option will not be available. Additionally, when this option is enabled, the operator will not be able to download the PFX from the admin portal.
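The Certificate Purpose entry above restricts revocation of an EV TLS Server authentication certificate to six reasons. The following is an added example, not code from ADSS Web RA or its vendor, that maps the page's reason names to the RFC 5280 CRLReason codes a CA or OCSP responder actually carries, enforces the EV restriction, and DER-encodes the chosen code. The verification type strings are the page's own (DV SSL, EV SSL, OV SSL, None); the assumption that non-EV profiles accept the full RFC 5280 set is mine.

```python
# RFC 5280 section 5.3.1 CRLReason values. removeFromCRL (8) is omitted because it is
# only valid in delta CRLs and is never a revocation request reason.
CRL_REASON_CODES = {
    "Unspecified": 0,
    "Key Compromise": 1,
    "CA Compromise": 2,
    "Affiliation Change": 3,
    "Superseded": 4,
    "Cease of Operation": 5,
    "Certificate Hold": 6,
    "Privilege Withdrawn": 9,
    "AA Compromise": 10,
}

# The six reasons the page lists for revoking an EV TLS Server authentication certificate.
EV_TLS_ALLOWED_REASONS = frozenset({
    "Unspecified", "Key Compromise", "Affiliation Change",
    "Superseded", "Cease of Operation", "Privilege Withdrawn",
})


def allowed_reasons(verification_type: str) -> frozenset:
    """Reasons a revocation request may carry for a profile of this Verification Type."""
    if verification_type.strip().upper() == "EV SSL":
        return EV_TLS_ALLOWED_REASONS
    # Assumption (not stated on the page): DV/OV/None profiles accept every RFC 5280 reason.
    return frozenset(CRL_REASON_CODES)


def revocation_reason_code(verification_type: str, reason: str):
    """Return the CRLReason integer if the profile permits this reason, otherwise None."""
    if reason not in allowed_reasons(verification_type):
        return None
    return CRL_REASON_CODES[reason]


def der_crl_reason(code: int) -> bytes:
    """DER encoding of CRLReason ::= ENUMERATED, the value inside the reasonCode extension.
    All defined codes are < 128, so the single-byte content form always applies."""
    if code not in CRL_REASON_CODES.values():
        raise ValueError(f"not a CRLReason code: {code}")
    return bytes([0x0A, 0x01, code])


if __name__ == "__main__":
    # Constructed sample: an operator tries to put an EV certificate on hold.
    print(revocation_reason_code("EV SSL", "Certificate Hold"))   # None: not permitted for EV
    print(der_crl_reason(revocation_reason_code("EV SSL", "Key Compromise")).hex())
```

The check is worth doing at the RA, before the request reaches the CA: a reason the CA profile rejects produces a failed revocation rather than a revoked certificate, and a compromised EV key that sits unrevoked while the request is retried is the worse outcome.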



Click on the View icon to see the details of the ADSS Connector. 


The Basic Information screen will appear. Click next to move to the Details screen. 



On the Details screen, the ADSS connector details are displayed in a disabled form. 




Certification Profile Settings for CSP Service profile:


Profile Settings

Field

Description

ADSS Service

This field will display the ADSS Services (i.e. Certification Service and CSP Service) that are available for ADSS Web RA. Select CSP Service. 

ADSS Certification Server

This field will display the list of active ADSS connectors in ADSS Web RA. Select the one to use for this certification service profile, e.g: Default ADSS Server.

ADSS CSP Service Profile

In this field, enter the CSP service profile that you created on the ADSS Server, e.g. adss:certification:profile:001.


An operator will select CSP Service from the ADSS Service drop down, select the ADSS connector and then the ADSS CSP service profile. This will be used as the default profile.



If you select the Configure Default Certificate, two more drop downs will appear:

  1. ADSS Certification Server.
  2. ADSS Certification Service Profile. 

Once you select an ADSS Certification Service Profile, the Certificate Purpose, Verification Type and Enable Client Keys checkbox appears as displayed in the screenshot below:



Certification Profile Settings for Windows Enrolment:


These settings can either be used for device enrolments or Windows enrolment.



Certification profile to generate keys on Smart Card/Token


To create the certification profile, expand External Services > Certification Profiles, then click ‘+’ from the grid header. The system will open the ‘Basic Information’ screen.


Basic Information


On this screen, provide a unique name for the profile and specify any description. Then, select the ‘Active’ checkbox to activate this profile.



After entering the information, click > to navigate to the ‘Profile Settings’ section.


Profile Settings


On this screen, provide information as described in the table below:


Profile Settings

Field

Description

ADSS Service

This field will display the ADSS Services (i.e. Certification Service and CSP Service) that are available for ADSS Web RA. Select Certification Service. 

ADSS Certification Server

This field will display the list of active ADSS connectors in ADSS Web RA. Select the one to use for this certification service profile, e.g: ADSS.

ADSS Certification Service Profile

In this field, enter the certification profile that you created on the ADSS Server, e.g. adss:certification:profile:001.

Issuer Name

This field will display issuer CA name. This information is fetched from ADSS Server and is displayed in read-only format.

Certificate Purpose 

This field appears disabled. It lists the standard certificate purposes returned by ADSS Server for the selected certification profile; the certificate is generated according to that certification profile ID, and the purpose cannot be changed here because it is configured under the ADSS Certification Service Profile. Possible certificate purposes include Document Signing, TLS Server Authentication, Code Signing, etc.


ADSS Web RA supports the following types of TLS certificates:


  • EV TLS Server authentication
  • TLS Client authentication
  • TLS Server authentication


In case of an external CA, this field will be enabled and the operator can select the certificate purpose.

Certificate Enrolment 

A drop down where you can select one from the following:


  • None - For a simple certification profile.
  • Device Enrolments - It allows you to create a device enrolment profile. If you select this, another drop down for device enrolments appears. 
  • Windows Enrolment - Once you select this from the drop down, another drop down with Active Directory Profile appears. 


Note: If certificate enrolment is selected, the certification profile cannot be used as a token profile.

Enable Client Keys

Enabling the client keys option requires a public key to generate the certificate. The Subject Distinguished Names (SDNs) in the certificate request will be populated based on what is configured in the ADSS certification profile and the data provided in the CSR (Certificate Signing Request).


Note: If this option is enabled, the certification profile cannot be used to generate keys for smart cards/tokens.



Details


After providing the required information in the Profile Settings, click > to navigate to the ‘Details’ section.



Details

Field

Description

Use this certificate profile to generate keys on smart cards/tokens

Enable this option if this profile will be used to generate the certificates in the smart card/ token. After enabling this checkbox, the administrator must provide the ADSS Server details along with the ADSS Go>Sign Profile.


The system will also display the ‘Enable Reset PIN/PUK dropdown’, allowing the administrator to reset default PIN and PUK values for the token.


The following options are available in the dropdown:


  • None
  • PIN
  • PUK
  • Both (PIN and PUK)


The operator has the option to reset default value for either PIN or PUK by selecting the respective option from the dropdown.


If Both (PIN and PUK) option is selected, the system will display fields for both Default PIN and Default PUK, where the administrator will have to enter the same default values of PIN/PUK that were configured during the token’s initial setup.


Note: By default, ‘None’ option will be selected for the


From the “Mechanism” dropdown, the administrator can choose how the default PIN and PUK values will be shared. The available options are:


  • Email
  • SMS
  • Both (Email and SMS)


If Both (Email and SMS) is selected, the entered PIN and PUK values will be shared with the user via both email and SMS.

Enable Mandatory Certificate Fields

If enabled, this option allows the administrator to define which Subject Distinguished Name (SDN) and Subject Alternative Name (SAN) fields must be mandatory when generating a certificate.


Enabling this checkbox will display the SDN and SAN dropdowns, allowing the administrator to select the required mandatory fields while leaving the optional ones unchecked.

Key Algorithm

Key Algorithm that will be used to generate the key pair in the smart card/token. This is configured in the ADSS Server so it cannot be changed.

Key Length

Key Length that will be used to generate the key pair in the smart card/token. This is configured in the ADSS Server so it cannot be changed.

Validity Period Type

The validity period type can be set to Fixed, which prevents the enterprise user from changing the certificate validity, or to Custom, which lets the enterprise RAO allow an enterprise user to set the validity period while creating a certificate request.

The Fixed and Custom values can only be used in ADSS Web RA admin if the selected ADSS Certification profile has the overridable option set; otherwise the validity period type is shown as Fixed.

Validity Period

The certificate validity period. If the CA profile is configured to use its own time instead of taking the time from the request, the CA server will drop this value.

Validity Duration

The time unit of the validity period. It could be minutes, hours, days, months and years.




Certification Profile for Device Enrolment - Microsoft Intune SCEP


These configurations are used for Microsoft Intune SCEP. 



Certification profile for Device Enrolment – ACME


To create a certification profile for ACME enrolment protocol, expand External Services > Certification Profiles, then click ‘+’ from the grid header. The system will open the ‘Basic Information’ screen.


Basic Information


On this screen, provide a unique name for the profile and specify any description. Then, select the ‘Active’ checkbox to activate this profile.



After entering the information, click > to navigate to the ‘Profile Settings’ section.


Profile Settings


On this screen, provide information as described in the table below:


Profile Settings

Field

Description

ADSS Service

This field will display the ADSS Services (i.e. Certification Service and CSP Service) that are available for ADSS Web RA. Select Certification Service. 

ADSS Certification Server

This field will display the list of active ADSS connectors in ADSS Web RA. Select the one to use for this certification service profile, e.g: ADSS.

ADSS Certification Service Profile

In this field, enter the certification profile that you created on the ADSS Server, e.g. adss:certification:profile:001.

Issuer Name

This field will display issuer CA name. This information is fetched from ADSS Server and is displayed in read-only format.

Certificate Purpose 

This field appears disabled. It lists the standard certificate purposes returned by ADSS Server for the selected certification profile; the certificate is generated according to that certification profile ID, and the purpose cannot be changed here because it is configured under the ADSS Certification Service Profile. Possible certificate purposes include Document Signing, TLS Server Authentication, Code Signing, etc.


ADSS Web RA supports the following types of TLS certificates:


  • EV TLS Server authentication
  • TLS Client authentication
  • TLS Server authentication


In case of an external CA, this field will be enabled and the operator can select the certificate purpose.

Certificate Enrolment 

From this dropdown you can select the following options: 


  • None - For a simple certification profile.
  • Enrolment Protocols – It allows you to select a certificate enrolment protocol. If you select this, another drop-down for enrolment protocols appears.
  • Windows Enrolment - Once you select this from the drop down, another drop down with Active Directory Profile appears. 

Enable one-time PFX download

If enabled, users can download the PFX file only once. After that, the PFX download option will not be available. Additionally, when this option is enabled, the operator will not be able to download the PFX from the admin portal.

Enable Client Keys

Enabling the client keys option requires a public key to generate the certificate. The Subject Distinguished Names (SDNs) in the certificate request will be populated based on what is configured in the ADSS certification profile and the data provided in the CSR (Certificate Signing Request).


Note: If this option is enabled, the enrolment protocol section will not be visible, and the certification profile cannot be used for any protocol-based enrolments.


To create a certification profile for ACME, you need to select ‘Enrolment Protocols’ option from the ‘Certificate Enrolment’ dropdown. 


Then you have to select ‘ACME’ protocol from the ‘Select Enrolment Protocol(s)’ dropdown.



After selecting ‘ACME’ as the enrolment protocol, the system will display the ‘External Account Binding Type’ dropdown. This dropdown will display three options:


  • None
  • Fixed
  • Random


External account bindings are used to associate an ACME account with an external account such as a CA custom database. 


Choose an external account binding type from the drop down:


None: No binding is required. ADSS Web RA will process ACME requests using the default certificate profile settings defined here.


Fixed: A fixed HMAC key is generated and associated with the user’s existing ADSS Web RA account. This same key is used to authenticate each ACME request.


Random: A random HMAC key is generated for every ACME request. This key is linked to the user’s existing ADSS Web RA account and used to authenticate that specific request.



If you have selected the ‘Fixed’ binding option, the system will display the ‘HMAC Key’ field. 


You can generate the HMAC key by clicking the ‘Generate’ button, and copy the key by clicking the folder icon next to the Generate button.
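The Fixed and Random binding types above both rest on the ACME external account binding mechanism of RFC 8555 section 7.3.4: the client signs its account public key (its JWK) with the HMAC key issued by the RA, and the RA checks that signature when the newAccount request arrives. The following added example (not ADSS Web RA code) shows both halves with the Python standard library only. The key identifier webra-user-42, the newAccount URL, the JWK contents and the in-memory key store are constructed for the example; the single_use flag models the page's Random binding, where a key authenticates exactly one request.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_hmac_key() -> str:
    """RA side: a fresh 256-bit EAB key, base64url-encoded the way ACME clients expect it."""
    return b64url(secrets.token_bytes(32))


def build_eab(kid: str, hmac_key_b64: str, account_jwk: dict, new_account_url: str) -> dict:
    """Client side: the externalAccountBinding JWS carried inside the newAccount payload.
    The protected header names the key id and the newAccount URL; the payload is the
    account JWK; the MAC key is the decoded HMAC key the RA handed out."""
    header = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected = b64url(json.dumps(header, separators=(",", ":"), sort_keys=True).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(b64url_decode(hmac_key_b64),
                   f"{protected}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def verify_eab(eab: dict, key_store: dict, account_jwk: dict,
               new_account_url: str, single_use: bool = False) -> bool:
    """RA side: accept the binding only if the MAC verifies under the key stored for its kid,
    the URL matches this endpoint, and the bound JWK is the key that signed the outer request.
    With single_use=True (the page's Random binding) the key is consumed on success."""
    try:
        header = json.loads(b64url_decode(eab["protected"]))
        bound_jwk = json.loads(b64url_decode(eab["payload"]))
        signature = b64url_decode(eab["signature"])
    except (KeyError, ValueError, TypeError):
        return False
    if header.get("alg") != "HS256" or header.get("url") != new_account_url:
        return False
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in key_store:
        return False
    expected = hmac.new(b64url_decode(key_store[kid]),
                        f"{eab['protected']}.{eab['payload']}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time comparison
        return False
    if bound_jwk != account_jwk:                        # binding must cover this account key
        return False
    if single_use:
        del key_store[kid]
    return True


if __name__ == "__main__":
    # Constructed sample run: one Web RA user, one Fixed key, one newAccount request.
    key_store = {"webra-user-42": generate_hmac_key()}          # constructed key id
    jwk = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
    url = "https://webra.example.test/acme/new-account"          # constructed URL
    eab = build_eab("webra-user-42", key_store["webra-user-42"], jwk, url)
    print(verify_eab(eab, key_store, jwk, url))                  # True
```

Two of the checks are the ones that matter operationally: the URL in the protected header pins the binding to this RA's newAccount endpoint, so a binding captured for one deployment cannot be replayed against another, and the JWK comparison ties the HMAC key to the specific account key being registered rather than to whoever presents the JWS.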



After making the required configurations from Profile Settings, click the Next ‘>’ button till the ‘Settings’ screen appears, then click ‘Create’ to complete the certification profile creation process.


Details


Once you have configured the profile settings, click next to move to the Details screen. 


Details

Field

Description

Use this certificate profile to generate keys on smart cards/tokens

Enable this option if this profile will be used to generate the certificates in the smart card/ token. After enabling this checkbox, the administrator must provide the ADSS Server details along with the ADSS Go>Sign Profile.


The system will also display the ‘Enable Reset PIN/PUK dropdown’, allowing the administrator to reset default PIN and PUK values for the token.


The following options are available in the dropdown:


  • None
  • PIN
  • PUK
  • Both (PIN and PUK)


The operator has the option to reset default value for either PIN or PUK by selecting the respective option from the dropdown.


If Both (PIN and PUK) option is selected, the system will display both fields for Default PIN and Default PUK, where the administrator can reset the default values.


Note: By default, ‘None’ option will be selected for the


From the “Mechanism” dropdown, the administrator can choose how the default PIN and PUK values will be shared. The available options are:


  • Email
  • SMS
  • Both (Email and SMS)


If Both (Email and SMS) is selected, the entered PIN and PUK values will be shared with the user via both email and SMS.

Key Algorithm

Key Algorithm that will be used to generate the key pair in the smart card/token. This is configured in the ADSS Server so it cannot be changed.

Key Length

Key Length that will be used to generate the key pair in the smart card/token. This is configured in the ADSS Server so it cannot be changed.

Validity Period Type

The validity period type can be set to Fixed, which prevents the enterprise user from changing the certificate validity, or to Custom, which lets the enterprise RAO allow an enterprise user to set the validity period while creating a certificate request.

The Fixed and Custom values can only be used in ADSS Web RA admin if the selected ADSS Certification profile has the overridable option set; otherwise the validity period type is shown as Fixed.

Validity Period

The certificate validity period. If the CA profile is configured to use its own time instead of taking the time from the request, the CA server will drop this value.

Validity Duration

The time unit of the validity period. It could be minutes, hours, days, months and years.

Enable Mandatory Certificate Fields

If enabled, this option allows the administrator to define which Subject Distinguished Name (SDN) and Subject Alternative Name (SAN) fields must be mandatory when generating a certificate.


Enabling this checkbox will display the SDN and SAN dropdowns, allowing the administrator to select the required mandatory fields while leaving the optional ones unchecked.
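The Details table here, like the identical one in the smart card/token section earlier, describes three request-level policies: mandatory SDN and SAN fields, a Fixed or Custom validity period type, and a validity duration unit of minutes, hours, days, months or years. The following added example (not ADSS Web RA code) enforces those settings against a certificate request represented as a plain dictionary; the DetailsSettings class, the request layout and the sample values are constructed for the example. It handles the month/year case properly, which a naive "30 days per month" calculation does not.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta

VALIDITY_UNITS = ("minutes", "hours", "days", "months", "years")


@dataclass(frozen=True)
class DetailsSettings:
    """Constructed model of the Details screen settings."""
    validity_period_type: str   # "Fixed" or "Custom"
    validity_period: int        # profile default period
    validity_duration: str      # one of VALIDITY_UNITS
    mandatory_sdn: frozenset    # e.g. {"CN", "O"}
    mandatory_san: frozenset    # e.g. {"DNS"}


def add_months(dt: datetime, months: int) -> datetime:
    """Calendar-correct month arithmetic: clamps the day to the target month's length."""
    idx = dt.month - 1 + months
    year, month = dt.year + idx // 12, idx % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def not_after(not_before: datetime, period: int, unit: str) -> datetime:
    if unit == "minutes":
        return not_before + timedelta(minutes=period)
    if unit == "hours":
        return not_before + timedelta(hours=period)
    if unit == "days":
        return not_before + timedelta(days=period)
    if unit == "months":
        return add_months(not_before, period)
    if unit == "years":
        return add_months(not_before, 12 * period)
    raise ValueError(f"unknown validity unit {unit!r}")


def validate_request(settings: DetailsSettings, request: dict):
    """Return (errors, effective (period, unit)). An empty error list means the request
    satisfies the mandatory-field and validity policy of the profile."""
    errors = []
    subject = request.get("subject", {})
    for attr in sorted(settings.mandatory_sdn):
        if not subject.get(attr):
            errors.append(f"mandatory SDN attribute {attr} is missing")
    san = request.get("san", {})
    for san_type in sorted(settings.mandatory_san):
        if not san.get(san_type):
            errors.append(f"mandatory SAN type {san_type} is missing")

    requested = request.get("validity")
    profile_validity = (settings.validity_period, settings.validity_duration)
    if settings.validity_period_type == "Fixed":
        # Fixed: the user may not change the validity; a differing request is rejected.
        if requested is not None and tuple(requested) != profile_validity:
            errors.append("validity period is Fixed by the profile and cannot be changed")
        validity = profile_validity
    elif settings.validity_period_type == "Custom":
        validity = tuple(requested) if requested is not None else profile_validity
    else:
        errors.append(f"unknown validity period type {settings.validity_period_type!r}")
        validity = profile_validity
    if validity[1] not in VALIDITY_UNITS or not isinstance(validity[0], int) or validity[0] <= 0:
        errors.append("validity must be a positive number of minutes/hours/days/months/years")
    return errors, validity


def effective_not_after(settings: DetailsSettings, request: dict, not_before: datetime):
    """notAfter the RA would put in the request, or None if the request fails policy.
    The CA may still replace it if its profile uses the CA's own time (see Validity Period)."""
    errors, (period, unit) = validate_request(settings, request)
    if errors:
        return None
    return not_after(not_before, period, unit)


if __name__ == "__main__":
    fixed = DetailsSettings("Fixed", 1, "years", frozenset({"CN", "O"}), frozenset({"DNS"}))
    req = {"subject": {"CN": "www.example.test", "O": "Example Ltd"},
           "san": {"DNS": ["www.example.test"]}}          # constructed request
    print(effective_not_after(fixed, req, datetime(2024, 2, 29, 12, 0)))   # 2025-02-28 12:00
```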




Authentications


Authentications - Enable Secondary Authentication for:

Field

Description

New Requests

If enabled, an OTP (One-Time Password) can be set as a second factor authentication, and an enterprise RAO has to provide an OTP to approve a new certificate request. The OTP can be received either through SMS or via an email, depending upon the selected profile.

In the Authentication Profiles list, only those profiles are listed for which secondary authentication has been configured while creating that authentication profile. See the Authentication Profiles section for details.

Revocation Requests

If enabled, an OTP (One-Time Password) can be set as a second factor authentication, and an enterprise RAO has to provide an OTP to approve a certificate revocation request. The OTP can be received either through SMS or via an email, depending upon the selected profile.

In the Authentication Profiles list, only those profiles are listed for which secondary authentication has been configured while creating that authentication profile. See the Authentication Profiles section for details.

Rekey Requests

Enable authentication for rekey requests appears in the Authentications section to handle second factor authentication for rekey certificate requests.

This section appears only when the operator has enabled the Rekey policy (Configurations > Policy).

Renew Requests 

Enable authentication for renew requests appears in the Authentications section to manage second factor authentication for renew certificate requests. This section appears only when the operator has enabled the Rekey policy (Configurations > Policy).


An administrator can use any of the available methods (OTP, SAML, Active Directory, Azure Active Directory, or OIDC) for secondary authentications, and can enable authentication for new certificate requests, revocation requests and rekey requests as displayed in the screenshot below:



View icon


An administrator can click on the view icon to compare the values of the Windows server template and the certification service template. The Windows Enrolment Template Mapping screen will appear as indicated in the screenshot below:



An operator can set OIDC as secondary authentication by configuring connectors in the Authentications section of the certification profile as displayed below:



Advance Settings 


In case of Device Enrolment and Windows Enrolment, there will be no vetting in the Advance Settings tab, as displayed in the screenshot below:




Advance Settings 

Field

Description

Agreement

Select a subscriber agreement if an admin wants a user to agree to certain terms before submitting a certificate request.

Vetting Option

Select whether vetting is required for this certification service profile or not. Select the "Manual Vetting" option if you require the vetting provision and then select a vetting form from the next appearing field.

Vetting Form

This field will display the list of active vetting forms. Select the one to use for this certification profile.

Enable Revocation Vetting

Tick this checkbox to enable vetting for revocation.

Special Permission 

Special permission configurations allow you to restrict the creation or revocation of certificates to a specific number of Admin RAOs and Enterprise RAOs.

Vetting Permission 

Vetting permissions for new certificate request: 


  • None
  • Certificate Vetting Permission 
  • Revocation Vetting Permission (This list will appear only when you tick the checkbox Enable Revocation Vetting)
  • Certificate and Revocation Vetting Permission 


Admin RAO for Certificate Creation 

The number of Admin RAO(s) that can vet a certificate request.

Enterprise RAO for Certificate Creation 

The number of Enterprise RAO(s) that can vet a certificate request.


Click Create to complete the process of creating a certification profile. 


Special Permissions


ADSS Web RA allows an operator to configure/set number of Admin RAOs and Enterprise RAOs that will be required to approve requests for the following in the certification profiles:


  1. Creating a new certificate.
  2. Renewal of certificate.
  3. Certificate rekeying.
  4. Certificate re-issuance.


It is important to note that this quorum applies only when manual vetting is enabled (Configurations > General Settings > Vetting Method Settings).



  • An operator can set a limit on the number of Admin RAOs and Enterprise RAOs that can perform the actions listed above with respect to certification profiles.
  • An operator can permit either Admin RAO(s) or Enterprise RAO(s), or set permissions for both Admin RAO(s) and Enterprise RAO(s).


Minimum number of Admin RAO/Enterprise RAO required


An operator needs to permit at least one Admin RAO or Enterprise RAO. If an operator enters less than 1 Admin RAO/Enterprise RAO, the following messages will appear on the screen:



Maximum Limit on Number of Enterprise RAOs


If an operator enters a number more than the maximum number of Admin RAOs/Enterprise RAOs available in the application, the following messages will appear on the screen:



When an operator selects Certificate and Revocation Vetting Permission, the following screen appears:



Click Save to save your configurations. An operator can also view the number of approvers by clicking on the approver information link against a request.
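The Special Permissions section above states three rules: the quorum counts only when manual vetting is enabled, at least one Admin RAO or Enterprise RAO must be permitted, and neither count may exceed the number of RAOs that exist in the application. The following is an added example, not ADSS Web RA code, that implements those rules as a configuration check plus a request-time quorum check. The SpecialPermission class, role names and the approvals list are constructed for the example; the decision to count distinct approvers rather than raw approvals is my own design choice.

```python
from dataclasses import dataclass

ADMIN_RAO = "Admin RAO"
ENTERPRISE_RAO = "Enterprise RAO"


@dataclass(frozen=True)
class SpecialPermission:
    """Constructed model of one Special Permission row (e.g. for certificate creation)."""
    admin_raos_required: int
    enterprise_raos_required: int


def validate_special_permission(perm: SpecialPermission,
                                admin_raos_available: int,
                                enterprise_raos_available: int) -> list:
    """Configuration-time check. Returns the list of validation messages (empty = valid)."""
    errors = []
    if perm.admin_raos_required < 0 or perm.enterprise_raos_required < 0:
        errors.append("Approver counts cannot be negative")
    if perm.admin_raos_required < 1 and perm.enterprise_raos_required < 1:
        errors.append("At least one Admin RAO or Enterprise RAO must be permitted")
    if perm.admin_raos_required > admin_raos_available:
        errors.append(f"Only {admin_raos_available} Admin RAO(s) exist; "
                      f"{perm.admin_raos_required} requested")
    if perm.enterprise_raos_required > enterprise_raos_available:
        errors.append(f"Only {enterprise_raos_available} Enterprise RAO(s) exist; "
                      f"{perm.enterprise_raos_required} requested")
    return errors


def quorum_reached(perm: SpecialPermission, approvals: list, manual_vetting_enabled: bool) -> bool:
    """Request-time check. approvals is a list of (user_id, role) pairs recorded on the request.
    Distinct approvers are counted per role, so one RAO approving twice counts once.
    With manual vetting disabled the quorum does not apply and the request passes."""
    if not manual_vetting_enabled:
        return True
    admins = {user for user, role in approvals if role == ADMIN_RAO}
    enterprise = {user for user, role in approvals if role == ENTERPRISE_RAO}
    return (len(admins) >= perm.admin_raos_required
            and len(enterprise) >= perm.enterprise_raos_required)


if __name__ == "__main__":
    # Constructed scenario: two Admin RAOs and one Enterprise RAO must approve creation.
    perm = SpecialPermission(admin_raos_required=2, enterprise_raos_required=1)
    print(validate_special_permission(perm, admin_raos_available=3, enterprise_raos_available=5))
    approvals = [("alice", ADMIN_RAO), ("alice", ADMIN_RAO), ("carol", ENTERPRISE_RAO)]
    print(quorum_reached(perm, approvals, manual_vetting_enabled=True))   # False: alice counted once
```

Counting distinct approvers is the point a reviewer should look for in any quorum implementation: a count of approval records rather than of approvers lets a single RAO satisfy a two-person rule by approving twice.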