2.5 Enabling certificate policies
Although all certificate policies are detected when you add the CA to MyID, they are all initially disabled. To enable them:
- From the Configuration category, select Certificate Authorities.
- From the CA Name drop-down list, select the certificate authority you want to work with.
- Click Edit.
- Make sure Enable CA is selected.
- Select a certificate template you want to enable for issuance within MyID in the Available Certificates list.
- Click the Enabled (Allow Issuance) checkbox.
- Set the options for the policy:
  - Display Name – the name used to refer to the policy.
  - Description – a description of the policy.
  - Allow Identity Mapping – used for additional identities. See the Additional identities section in the Administration Guide for details.
  - Reverse DN – select this option if the certificate requires the Distinguished Name to be reversed. This setting within MyID needs to take into account any reversal of the Distinguished Name that may occur within the Entrust CA itself.
    Note: MyID does not recognize this option when using the Issue Card workflow to issue a card.
  - Archive Keys – select whether the keys should be archived. See section 2.1, Key archival and recovery for details.
  - Certificate Lifetime – this value is set to the default policy lifetime value configured in the CA. It is updated each time the policy is synchronized, so any change made in MyID is overwritten on the next policy synchronization. To change the default certificate lifetime, you must therefore change it against the policy in the CA and not in MyID. Where the default certificate lifetime has been changed, a certificate may be given a different lifetime when it is renewed.
    It is recommended that the combination of constraining the certificate lifetime to the card's lifetime configuration (see section 2.5.2, Controlling certificate lifetimes) and the lifetime in the credential profile is used when a certificate lifetime different from the configured default is required.
  - Automatic Renewal – select this option if the certificate is automatically renewed when it expires.
  - Certificate Storage – select one of the following:
    - Hardware – the certificate can be issued to cards.
    - Software – the certificate can be issued as a soft certificate.
    - Both – the certificate can be issued either to a card or as a soft certificate.
  - Recovery Storage – select one of the following:
    - Hardware – the certificate can be recovered to cards.
    - Software – the certificate can be recovered as a soft certificate.
    - Both – the certificate can be recovered either to cards or as a soft certificate.
    - None – allows you to prevent a certificate from being issued as a historic certificate, even if the Archive Keys option is set. If the Certificate Storage option is set to Both, the certificate can be issued to multiple credentials as a shared live certificate, but cannot be recovered as a historic certificate.
  - Additional options for storage: if you select Software or Both for the Certificate Storage, or Software, Both, or None for the Recovery Storage, set the following options:
    - CSP Name – select the name of the cryptographic service provider for the certificate. This option affects software certificates issued or recovered to local store for Windows PCs.
      The CSP you select determines what type of certificate templates you can use. For example, if you want to use a 2048-bit key algorithm, you cannot select the Microsoft Base Cryptographic Provider; you must select the Microsoft Enhanced Cryptographic Provider. See your Microsoft documentation for details.
    - Requires Validation – select this option if the certificate requires validation.
    - Private Key Exportable – when a software certificate is issued to local store, create the private key as exportable. This allows the user to export the private key as a PFX at any point after issuance.
      It is recommended that private keys are set as non-exportable for maximum security.
      Note: This setting affects only private keys for software certificates – private keys for smart cards are never exportable.
    - User Protected – allows a user to set a password to protect the certificate when they issue or recover it to their local store.
      This means that whenever they want to make use of the soft certificate, they will be prompted for a password before they are allowed to use it. This is a CSP feature that is enabled when you set this option, and affects only software certificates that are issued or recovered to local store for Windows PCs.
  - Key Algorithm – Read-only. Displays the key algorithm for the policy from the CA.
  - Key Purpose – Read-only. Displays the key purpose for the policy from the CA.
- If you need to edit the policy attributes, click Edit Attributes.
  Note: You are recommended not to pass subject DN components through policy attributes, as the generated combined subject DN may not contain subject DN components in the desired order.
- For each attribute, select one of the following options from the Type list:
  - Not Required – the attribute is not needed.
  - Dynamic – select a mapping from the Value list to match to this attribute.
  - Static – type a value in the Value box.
- Click Hide Attributes.
  For information on mapping attributes for PIV systems, see section 2.7, Attribute mapping for PIV systems.
  Note: MyID cannot override the settings of the CA. You need to obtain the correct settings from the administrator of your CA.
- Click Save.
  Note: Changes made to certificate profiles do not take effect immediately, as the normal interval for MyID to poll for updates is 50 minutes. To force MyID to poll for changes immediately, you must manually restart the eKeyServer service, then restart the eCertificate service.
2.5.1 Configuring certificate DN attributes
Important: When issuing non-key archive certificates, the Entrust CA may take the certificate DN from either of the following:
- DN attributes provided in the certificate request.
- DN from the CSR provided in the certificate request.
The Entrust CA gives priority to the DN in the certificate request; the DN from the CSR is used only if no DN is provided in the request. As such, where the requirement is that the DN provided in the CSR is used for a given policy, the DN attributes must not be configured for that certificate policy.
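The following is an added example, not code from MyID or Entrust, that works through the two subject DN behaviours described in this section and in the Reverse DN option of section 2.5: a DN reversal can be applied by MyID, by the Entrust CA, or by both (in which case the two reversals cancel), and for non-key archive certificates the DN attributes in the request take precedence over the DN in the CSR. The DN parser is a simplified RFC 4514 reader written for this example; it understands backslash-escaped commas but not quoted values or multi-valued RDNs, and the sample DNs are constructed.

```python
# Added example (not part of the MyID or Entrust documentation): models how
# the subject DN of an issued certificate is affected by the Reverse DN option
# and by the Entrust CA's precedence between request DN attributes and the CSR.
# The DN parsing is a simplified RFC 4514 reader: it handles backslash-escaped
# commas but not quoted values or multi-valued RDNs.

from typing import List, Optional, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'CN=Alice,OU=Users,O=Example' into [('CN', 'Alice'), ...].

    A backslash escapes the following character, so a value such as
    'Smith\\, Alice' stays inside one RDN instead of starting a new one.
    """
    rdns: List[str] = []
    buf = ""
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf += dn[i:i + 2]  # keep the escape sequence verbatim
            i += 2
            continue
        if ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    rdns.append(buf)

    pairs: List[Tuple[str, str]] = []
    for rdn in rdns:
        rdn = rdn.strip()
        if not rdn:
            continue
        attr_type, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {rdn!r}")
        pairs.append((attr_type.strip(), value.strip()))
    return pairs


def format_dn(pairs: List[Tuple[str, str]]) -> str:
    """Inverse of parse_dn: join (type, value) pairs back into a DN string."""
    return ",".join(f"{t}={v}" for t, v in pairs)


def reverse_dn(dn: str) -> str:
    """Reverse the RDN order, which is what the Reverse DN option asks MyID to do."""
    return format_dn(list(reversed(parse_dn(dn))))


def certificate_subject_dn(dn: str, myid_reverse_dn: bool, ca_reverses_dn: bool) -> str:
    """DN that ends up in the certificate when MyID and/or the CA reverse it.

    Two reversals cancel out, which is why the Reverse DN setting in MyID has
    to take into account any reversal the Entrust CA performs itself.
    """
    reversals = int(myid_reverse_dn) + int(ca_reverses_dn)
    if reversals % 2 == 1:
        return reverse_dn(dn)
    return format_dn(parse_dn(dn))


def select_subject_dn(request_dn: Optional[str], csr_dn: str) -> str:
    """Precedence for non-key archive certificates (section 2.5.1): DN attributes
    supplied in the certificate request win; the CSR's DN is used only when the
    request carries no DN at all."""
    if request_dn and parse_dn(request_dn):
        return request_dn
    return csr_dn


if __name__ == "__main__":
    # Constructed sample DN, not taken from any real deployment.
    sample = "CN=Alice Example,OU=Users,O=Example Corp,C=GB"
    print("MyID reverses, CA does not:   ", certificate_subject_dn(sample, True, False))
    print("MyID reverses, CA also reverses:", certificate_subject_dn(sample, True, True))
    print("No request DN, CSR DN used:    ", select_subject_dn(None, "CN=From CSR,O=Example Corp"))
    print("Request DN present, CSR ignored:", select_subject_dn("CN=From Request", "CN=From CSR,O=Example Corp"))
```

A practical check is to run `certificate_subject_dn` with the reversal behaviour you believe your Entrust CA applies and compare the result against the subject of a test certificate issued through MyID; if the two disagree, the CA is reversing (or not reversing) where you expected the opposite, and the MyID setting needs to be flipped rather than the CA reconfigured.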
2.5.2 Controlling certificate lifetimes
For PIV compliance, and to enable finer control over the issuance of certificates, MyID provides the Restrict certificate lifetimes to the card configuration option (on the Certificates page of the Operation Settings workflow) to constrain certificate lifetimes to the lifetime of the credential. With that setting, certificate requests are by default restricted to the lifetime of their associated credential.
Note: By default, the Entrust CA increases the certificate lifetime to a minimum of seven days when a certificate is issued through the Entrust CA Gateway. This may result in the certificate validity period exceeding the lifetime of the card when requesting a certificate with a lifetime of less than seven days. If you want to issue short lifetime certificates, you must configure the EnableShortCertValidity option within Entrust; see your Entrust documentation for details.
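The following is an added example, not code from MyID or Entrust, that works through the lifetime rules described here and in the Certificate Lifetime option of section 2.5: the policy default synchronized from the CA, the credential profile lifetime, the cap imposed by Restrict certificate lifetimes to the card, and the Entrust CA Gateway's seven-day minimum that applies unless EnableShortCertValidity is configured. How MyID combines the credential profile lifetime with the policy default is not spelled out on this page, so the example assumes that a profile lifetime, when set, replaces the policy default; the `evaluate` and `days` helpers and all sample values are constructed for this example.

```python
# Added example (not part of the MyID or Entrust documentation): derives the
# certificate lifetime MyID would request under "Restrict certificate lifetimes
# to the card" and flags the case the note warns about, where the Entrust CA
# Gateway's default seven-day minimum validity pushes a short certificate past
# the card's expiry. Assumption: a credential profile lifetime, when set,
# replaces the policy default synchronized from the CA.

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Default minimum validity applied by the Entrust CA Gateway unless
# EnableShortCertValidity is configured in Entrust (stated in the documentation).
ENTRUST_MIN_VALIDITY = timedelta(days=7)


def days(n: float) -> timedelta:
    """Small helper so callers can write days(5) instead of timedelta(days=5)."""
    return timedelta(days=n)


@dataclass
class LifetimeOutcome:
    requested: timedelta       # lifetime MyID asks the CA for
    issued: timedelta          # lifetime the CA would actually issue
    card_remaining: timedelta  # time left on the credential at issuance
    exceeds_card: bool         # True if the certificate would outlive the card


def requested_lifetime(policy_default: timedelta,
                       profile_lifetime: Optional[timedelta],
                       card_remaining: timedelta,
                       restrict_to_card: bool) -> timedelta:
    """Lifetime MyID requests from the CA.

    Assumption (not stated on the page): a credential profile lifetime, if set,
    overrides the policy default. With restrict_to_card the request is capped
    at the remaining life of the credential.
    """
    lifetime = profile_lifetime if profile_lifetime is not None else policy_default
    if restrict_to_card:
        lifetime = min(lifetime, card_remaining)
    return lifetime


def issued_lifetime(requested: timedelta, short_cert_validity_enabled: bool) -> timedelta:
    """Apply the CA Gateway's seven-day floor unless EnableShortCertValidity is set."""
    if short_cert_validity_enabled:
        return requested
    return max(requested, ENTRUST_MIN_VALIDITY)


def evaluate(policy_default: timedelta,
             profile_lifetime: Optional[timedelta],
             card_remaining: timedelta,
             restrict_to_card: bool,
             short_cert_validity_enabled: bool) -> LifetimeOutcome:
    """Combine the request-side and CA-side rules and report whether the
    issued certificate would remain valid beyond the card's own lifetime."""
    requested = requested_lifetime(policy_default, profile_lifetime, card_remaining, restrict_to_card)
    issued = issued_lifetime(requested, short_cert_validity_enabled)
    return LifetimeOutcome(requested, issued, card_remaining, issued > card_remaining)


if __name__ == "__main__":
    # Constructed scenario: a card with five days left, a one-year policy default.
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    card_expiry = datetime(2024, 1, 6, tzinfo=timezone.utc)
    remaining = card_expiry - now
    for short_validity in (False, True):
        outcome = evaluate(days(365), None, remaining, True, short_validity)
        print(f"EnableShortCertValidity={short_validity}: requested {outcome.requested.days}d, "
              f"issued {outcome.issued.days}d, exceeds card: {outcome.exceeds_card}")
```

The scenario to watch for is the first line of output: with restriction on but EnableShortCertValidity off, a five-day request comes back as a seven-day certificate that outlives the card, which is exactly the gap between card lifetime and certificate validity that the restriction was meant to close.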