2.4 Adding policy extended attributes
Entrust CA policies only specify mandatory extended attributes. The following XML configuration file:
C:\Program Files\Intercede\MyID\Components\EntrustRestConnector.xml
is used to add attributes to each of the Entrust CA policies. All custom extensions are defined in this file within an XML <Extensions> node. Each policy attribute is defined in an <Extension> node. Each attribute in the file specifies the following:
- Name – the type of extension. This may be:
  - san – A Subject Alternative Name.
  - dn – A subject DN component.
  - Any other text – a custom attribute.
- DisplayName – text that is displayed when editing the attribute in MyID.
- OID – The attribute OID or name.
- Encoding – identifies how the attribute is encoded in the certificate:
  - One of the following ASN1 coding types (written in braces in the file, for example {bool}):
    - bool
    - octet
    - int
  - Any other text – a prefix that is added to the attribute value.
  - Not specified – defaults to using the passed-in attribute text value.
Note: Use of this configuration file is mandatory when setting up certificate policies on PIV systems – PIV requires the use of attribute mapping – but you can also use attribute mapping on non‑PIV systems.
2.4.1 Example configuration file
For example:
<Extensions>
  <Extension>
    <Name>NACI</Name>
    <DisplayName>NACI</DisplayName>
    <OID>2.16.840.1.101.3.6.9.1</OID>
    <Encoding>{bool}</Encoding>
  </Extension>
  <Extension>
    <Name>san</Name>
    <DisplayName>RFC 822 Name(E-mail address)</DisplayName>
    <OID>Email</OID>
  </Extension>
  <Extension>
    <Name>san</Name>
    <DisplayName>Uniform Resource ID</DisplayName>
    <OID>UUID</OID>
    <Encoding>urn:uuid:</Encoding>
  </Extension>
  <Extension>
    <Name>san</Name>
    <DisplayName>User Principal Name</DisplayName>
    <OID>1.3.6.1.4.1.311.20.2.3</OID>
  </Extension>
  <Extension>
    <Name>san</Name>
    <DisplayName>FASC-N (Hex)</DisplayName>
    <OID>2.16.840.1.101.3.6.6</OID>
    <Encoding>{octet}</Encoding>
  </Extension>
</Extensions>
The following policy attributes are defined in the above example:
- A PIV NACI attribute that is encoded as an ASN1 bool.
- A san email attribute encoded as a text string (no Encoding is specified).
- A san Uniform Resource ID that is prefixed by urn:uuid:
- A san User Principal Name encoded as a text string.
- A san FASC-N (Hex) that is encoded as an ASN1 octet.
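The following added example (not part of the MyID product or its connector code) parses an <Extensions> file like the one above and shows how each Encoding rule resolves a passed-in attribute value: {bool}, {octet} and {int} are mapped to minimal DER ASN.1 values, any other text is prepended as a prefix, and a missing Encoding leaves the text unchanged. The sample XML and the values are constructed; the exact DER mapping and the accepted "true" spellings for {bool} are assumptions, since the page does not show the connector's internal encoding.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the page's example file (not the product's own file).
SAMPLE_XML = """<Extensions>
  <Extension><Name>NACI</Name><DisplayName>NACI</DisplayName>
    <OID>2.16.840.1.101.3.6.9.1</OID><Encoding>{bool}</Encoding></Extension>
  <Extension><Name>san</Name><DisplayName>RFC 822 Name</DisplayName><OID>Email</OID></Extension>
  <Extension><Name>san</Name><DisplayName>Uniform Resource ID</DisplayName>
    <OID>UUID</OID><Encoding>urn:uuid:</Encoding></Extension>
  <Extension><Name>san</Name><DisplayName>FASC-N (Hex)</DisplayName>
    <OID>2.16.840.1.101.3.6.6</OID><Encoding>{octet}</Encoding></Extension>
</Extensions>"""


def _der(tag, content):
    """Minimal DER TLV for short contents (< 128 bytes), enough for these attributes."""
    if len(content) >= 128:
        raise ValueError("long-form DER length not implemented in this example")
    return bytes([tag, len(content)]) + content


def load_extensions(xml_text):
    """Parse the <Extensions> node into dicts; 'encoding' is None when the node is absent."""
    exts = []
    for node in ET.fromstring(xml_text).findall("Extension"):
        text = lambda tag: (node.findtext(tag) or "").strip()
        exts.append({"name": text("Name"), "display": text("DisplayName"),
                     "oid": text("OID"), "encoding": text("Encoding") or None})
    return exts


def encode_value(ext, value):
    """Apply the extension's Encoding rule to the attribute text value from MyID."""
    enc = ext["encoding"]
    if enc == "{bool}":
        flag = value.strip().lower() in ("true", "1", "yes")  # assumed accepted spellings
        return _der(0x01, b"\xff" if flag else b"\x00")      # DER BOOLEAN
    if enc == "{octet}":
        # FASC-N style: the attribute text is hex, so decode it before wrapping it.
        return _der(0x04, bytes.fromhex(value))               # DER OCTET STRING
    if enc == "{int}":
        n = int(value)
        return _der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))
    if enc:
        return enc + value  # any other text: a prefix added to the value
    return value            # no Encoding node: the passed-in text is used unchanged
```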