2.5 Enabling certificate policies
Although all certificate policies are detected when you add the CA to MyID, they are all initially disabled. To enable them:
- From the Configuration category, select Certificate Authorities.
- From the CA Name drop-down list, select the certificate authority you want to work with.
- Click Edit.
- Make sure Enable CA is selected.
- Select a certificate template you want to enable for issuance within MyID in the Available Certificates list.
- Click the Enabled (Allow Issuance) checkbox.
- Set the options for the policy:
  - Display Name – the name used to refer to the policy.
  - Description – a description of the policy.
  - Allow Identity Mapping – used for additional identities. See the Additional identities section in the Administration Guide for details.
  - Reverse DN – select this option if the certificate requires the Distinguished Name to be reversed.
  - Archive Keys – select whether the keys should be archived. See section 2.1, Key archival and recovery for details.
  - Certificate Lifetime – the life in days of the certificate. You can request a certificate from one day up to the maximum imposed by the CA. For example, type 365 to request one-year certificates.
    Note: The default certificate lifetime value in MyID is 365 days. The default in Entrust is 36 months; if you want to configure MyID to match the Entrust default, enter 1095 days.
  - Automatic Renewal – select this option if the certificate is automatically renewed when it expires.
  - Certificate Storage – select one of the following:
    - Hardware – the certificate can be issued to cards.
    - Software – the certificate can be issued as a soft certificate.
    - Both – the certificate can be issued either to a card or as a soft certificate.
  - Recovery Storage – select one of the following:
    - Hardware – the certificate can be recovered to cards.
    - Software – the certificate can be recovered as a soft certificate.
    - Both – the certificate can be recovered either to cards or as a soft certificate.
    - None – prevents the certificate from being issued as a historic certificate, even if the Archive Keys option is set. If the Certificate Storage option is set to Both, the certificate can be issued to multiple credentials as a shared live certificate, but cannot be recovered as a historic certificate.
  - Additional options for storage:
    If you select Software or Both for the Certificate Storage, or Software, Both, or None for the Recovery Storage, set the following options:
    - CSP Name – select the name of the cryptographic service provider for the certificate. This option affects software certificates issued or recovered to local store for Windows PCs.
      The CSP you select determines what type of certificate templates you can use. For example, if you want to use a 2048-bit key algorithm, you cannot select the Microsoft Base Cryptographic Provider; you must select the Microsoft Enhanced Cryptographic Provider. See your Microsoft documentation for details.
    - Requires Validation – select this option if the certificate requires validation.
    - Private Key Exportable – when a software certificate is issued to local store, create the private key as exportable. This allows the user to export the private key as a PFX at any point after issuance.
      It is recommended that private keys are set as non-exportable for maximum security.
      Note: This setting affects only private keys for software certificates – private keys for smart cards are never exportable.
    - User Protected – allows a user to set a password to protect the certificate when they issue or recover it to their local store.
      This means that whenever they want to make use of the soft certificate, they will be prompted for a password before they are allowed to use it. This is a CSP feature that is enabled when you set this option, and affects only software certificates that are issued or recovered to local store for Windows PCs.
  - Key Algorithm – select the type and length of the key pairs used for certificate generation. A longer key length is more secure, but certain manufacturers' CSPs do not support longer lengths. Select the appropriate key length from the list. This must match the key type and length set up in your CA.
    Select an RSA type. ECC types are not supported with Entrust CA in this version of MyID.
  - Key Purpose – select one of the following:
    - Signature – the key can be used for signing only.
    - Signature and Encryption – the key can be used for either signing or encryption.
    Note: The Key Purpose option has an effect only where the device being issued supports the feature. PIV cards do not support this feature, while smart cards issued with minidrivers and software certificates issued to local store for Windows PCs do support this feature.
- If you need to edit the policy attributes, click Edit Attributes.
  For each attribute, select one of the following options from the Type list:
  - Not Required – the attribute is not needed.
  - Dynamic – select a mapping from the Value list to match to this attribute.
  - Static – type a value in the Value box.
- Click Hide Attributes.
  For information on mapping attributes for PIV systems, see section 2.7, Attribute mapping for PIV systems.
  Note: MyID may not override the settings of the CA. You need to obtain the correct settings from the administrator of your CA.
- Click Save.
  Note: Changes made to certificate profiles do not take effect immediately, as the normal interval for MyID to poll for updates is 50 minutes. To force MyID to poll for changes immediately, you must manually restart the eKeyServer service, then restart the eCertificate service.
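As an added illustration of the Reverse DN option above (this is example code, not MyID or Entrust code), the following Python routine splits an RFC 4514 string DN into its RDNs, keeping escaped and quoted separators inside their RDN, and emits the DN in reversed order, so you can see exactly how the subject presented to the CA changes when the option is selected. The sample subjects are constructed.

```python
# Added example; not MyID or Entrust code. Splits an RFC 4514 string DN
# into RDNs and emits it in reversed order, which is what the "Reverse DN"
# policy option asks the CA integration to do. Escaped separators ("\,")
# and quoted values ('CN="Smith, Alice"') are kept inside their RDN.

def split_dn(dn: str) -> list[str]:
    """Split a string DN on unescaped, unquoted commas."""
    rdns: list[str] = []
    current: list[str] = []
    escaped = False   # previous character was a backslash
    quoted = False    # inside a double-quoted value
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == '"':
            current.append(ch)
            quoted = not quoted
        elif ch == "," and not quoted:
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    # Drop unescaped leading blanks after a separator ("CN=a, OU=b");
    # an escaped leading blank ("\ ") starts with a backslash and survives.
    return [r.lstrip(" ") for r in rdns if r.strip(" ")]


def reverse_dn(dn: str) -> str:
    """Return the DN with its RDN order reversed (CN-first becomes C-first)."""
    return ",".join(reversed(split_dn(dn)))


if __name__ == "__main__":
    # Constructed sample subjects, not values from any real CA.
    for sample in ("CN=Alice Smith,OU=Users,O=Example Corp,C=GB",
                   r"CN=Smith\, Alice,OU=Users,O=Example Corp,C=GB",
                   'CN="Smith, Alice",OU=Users,O=Example Corp,C=GB'):
        print(sample, "->", reverse_dn(sample))
```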
2.5.1 Configuring certificate DN attributes
Important: When issuing non-key archive certificates, the Entrust CA may take the DN for the certificate from either of the following:
- DN attributes provided in the certificate request.
- The DN from the CSR provided in the certificate request.
The Entrust CA gives priority to the DN in the certificate request; the DN from the CSR is used only if no DN is provided in the request. Therefore, where a given policy requires that the DN provided in the CSR is used, do not configure the DN attributes for that certificate policy.