3.3 Enable certificate templates for issuance within MyID

Although all certificate templates are detected during the installation of MyID, they are all initially disabled. To enable them:

  1. From the Configuration category, select Certificate Authorities.

  2. From the CA Name drop-down list, select the certificate authority you want to work with.

  3. Click Edit.

  4. Make sure Enable CA is selected.
  5. Select a certificate template you want to enable for issuance within MyID in the Available Certificates list.
  6. Click the Enabled (Allow Issuance) checkbox.
  7. Set the options for the policy:

    • Display Name – the name used to refer to the policy.

    • Description – a description of the policy.

    • Allow Identity Mapping – used for additional identities. See the Additional identities section in the Administration Guide for details.

    • Reverse DN – select this option if the certificate requires the Distinguished Name to be reversed.

      Microsoft CAs sort DN components at the OID group level rather than at the individual OID level, so a DN that contains two components with the same OID (for example, two ou components) may come out in an unexpected order in the issued certificate. If you see this, set the Reverse DN option on the certificate policy and MyID performs the OID ordering itself.

      Note: MyID does not recognize this option when using the Issue Card workflow to issue a card.

    • Archive Keys – select whether the keys should be archived.
    • Certificate Lifetime – the life in days of the certificate. You can request a certificate from one day up to the maximum imposed by the CA. For example, type 365 to request one-year certificates.

      Note: You must make a change on the Microsoft CA to use this option; see section 3.9, Setting certificate lifetime for details.

    • Automatic Renewal – select this option to have the certificate renewed automatically when it expires.
    • Certificate Storage – select one of the following:

      • Hardware – the certificate can be issued to cards.
      • Software – the certificate can be issued as a soft certificate.
      • Both – the certificate can be issued either to a card or as a soft certificate.
    • Requires Validation – select this option if the certificate requires validation.

      Note: This option is available only if you select Software or Both for the Certificate Storage option.

    • Recovery Storage – select one of the following:

      • Hardware – the certificate can be recovered to cards.
      • Software – the certificate can be recovered as a soft certificate.
      • Both – the certificate can be recovered either to cards or to a soft certificate.
      • None – allows you to prevent a certificate from being issued as a historic certificate, even if the Archive Keys option is set. If the Certificate Storage option is set to Both, the certificate can be issued to multiple credentials as a shared live certificate, but cannot be recovered as a historic certificate.
    • Additional options for storage:

      If you select Software or Both for the Certificate Storage, or Software, Both, or None for the Recovery Storage, set the following options:

      • CSP Name – select the name of the cryptographic service provider for the certificate. This option affects software certificates issued or recovered to local store for Windows PCs.

        The CSP you select determines what type of certificate templates you can use. For example, if you want to use a 2048-bit key algorithm, you cannot select the Microsoft Base Cryptographic Provider; you must select the Microsoft Enhanced Cryptographic Provider. See your Microsoft documentation for details.

      • Private Key Exportable – when a software certificate is issued to local store, create the private key as exportable. This allows the user to export the private key as a PFX at any time after issuance.

        For maximum security, leave this option clear so that private keys are created as non-exportable. Bear in mind that the non-exportable flag is enforced by the CSP on the client PC; it limits what a user can do through the normal CSP interfaces and is not equivalent to holding the key on a smart card.

        Note: This setting affects only private keys for software certificates – private keys for smart cards are never exportable.

      • User Protected – allows a user to set a password to protect the certificate when they issue or recover it to their local store.

        This means that whenever they want to make use of the soft certificate, they will be prompted for a password before they are allowed to use it. This is a CSP feature that is enabled when you set this option, and affects only software certificates that are issued or recovered to local store for Windows PCs.

      • Key Algorithm – select the type and length of the key-pairs used for certificate generation. A longer key length is more secure but certain manufacturers' CSPs do not support longer lengths. Select the appropriate key length from the list. This must match the key type and length set up in your CA.

        You can select RSA or ECC types.

        Note: Issuance of ECC certificates is available only for a subset of smart cards – see the Smart Card Integration Guide for details. You cannot currently issue ECC certificates as software certificates or to mobile devices.

      • Key Purpose – select one of the following:

        • Signature – the key can be used for signing only.
        • Signature and Encryption – the key can be used for either signing or encryption.

        Note: The Key Purpose option has an effect only where the device being issued supports the feature. PIV cards do not support this feature, while smart cards issued with minidrivers and software certificates issued to local store for Windows PCs do support this feature.

  8. If you need to edit the policy attributes, click Edit Attributes.

    For details of adding the User Security Identifier or NACI extension to your certificates, see section 3.10, Adding extensions to certificate templates.

    1. For each attribute, select one of the following options from the Type list:

      • Not Required – the attribute is not needed.
      • Dynamic – select a mapping from the Value list to match to this attribute.
      • Static – type a value in the Value box.
    2. Click Hide Attributes.
  9. Click Save.

Note: Changes made to certificate profiles do not take effect immediately, as the normal interval for MyID to poll for updates is 50 minutes. To force MyID to poll for changes immediately, you must manually restart the eKeyServer service, and then restart the eCertificate service.
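Once a policy has been enabled and used to issue a soft certificate to a Windows PC, it is worth confirming on that PC that the Certificate Lifetime, Key Algorithm, CSP Name, Private Key Exportable, User Protected and Key Purpose settings actually arrived as configured. The following PowerShell function is an added example written for this page; it is not part of MyID or its documentation. It reads the issued certificate and its CAPI key container from the current user's local store and compares them with the expected policy values. The issuer name and the expected values in the usage call are assumptions, as is the mapping of Key Purpose to the CAPI key spec (AT_SIGNATURE for Signature, AT_KEYEXCHANGE for Signature and Encryption).

```powershell
# Added example (not MyID's own tooling): audit soft certificates in the current
# user's local store against the settings chosen for a MyID certificate policy.
function Test-SoftCertPolicy {
    [CmdletBinding()]
    param(
        # Substring of the issuer DN, used to pick out certificates from this CA.
        [Parameter(Mandatory)] [string] $IssuerMatch,
        # Values entered for the policy under Configuration > Certificate Authorities.
        [int]    $ExpectedLifetimeDays = 365,
        [string] $ExpectedKeyAlgorithm = 'RSA',
        [int]    $ExpectedKeyBits      = 2048,
        [string] $ExpectedCspName      = 'Microsoft Enhanced Cryptographic Provider v1.0',
        [bool]   $ExpectExportable     = $false,
        [bool]   $ExpectUserProtected  = $false
    )

    $certs = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and $_.Issuer -like "*$IssuerMatch*" }

    foreach ($cert in $certs) {
        $findings = New-Object System.Collections.Generic.List[string]

        # Certificate Lifetime: the policy value is in days. Allow one day of
        # tolerance for the CA back-dating NotBefore.
        $lifetime = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays)
        if ([math]::Abs($lifetime - $ExpectedLifetimeDays) -gt 1) {
            $findings.Add("lifetime $lifetime d, expected $ExpectedLifetimeDays d")
        }

        # Key Algorithm: type (RSA/ECC) and, for RSA, the modulus length.
        $alg  = $cert.PublicKey.Oid.FriendlyName
        $bits = 0
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        if ($rsa) { $bits = $rsa.KeySize }
        if ($alg -ne $ExpectedKeyAlgorithm -or ($rsa -and $bits -ne $ExpectedKeyBits)) {
            $findings.Add("key $alg/$bits, expected $ExpectedKeyAlgorithm/$ExpectedKeyBits")
        }

        # CSP Name, Private Key Exportable and User Protected are properties of the
        # CAPI key container, so they can only be read for CSP keys, not CNG keys.
        try {
            $info = $cert.PrivateKey.CspKeyContainerInfo
            if (-not $info) { throw 'no CAPI key container' }
            if ($info.ProviderName -ne $ExpectedCspName) {
                $findings.Add("CSP '$($info.ProviderName)', expected '$ExpectedCspName'")
            }
            if ($info.Exportable -ne $ExpectExportable) {
                $findings.Add("exportable=$($info.Exportable), expected $ExpectExportable")
            }
            if ($info.Protected -ne $ExpectUserProtected) {
                $findings.Add("user-protected=$($info.Protected), expected $ExpectUserProtected")
            }
            # Key Purpose (assumed mapping): Signature -> KeyNumber Signature
            # (AT_SIGNATURE); Signature and Encryption -> KeyNumber Exchange
            # (AT_KEYEXCHANGE). Reported rather than judged, since the expected
            # value depends on the policy.
            $keyPurpose = [string]$info.KeyNumber
        } catch {
            $keyPurpose = 'n/a (CNG or inaccessible key)'
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            KeyPurpose = $keyPurpose
            Compliant  = ($findings.Count -eq 0)
            Findings   = ($findings -join '; ')
        }
    }
}

# Usage (issuer name and policy values are assumptions for this example):
Test-SoftCertPolicy -IssuerMatch 'Example Issuing CA' -ExpectedLifetimeDays 365 |
    Format-Table Subject, KeyPurpose, Compliant, Findings -AutoSize
```

Run it in the context of the user who received the soft certificate, since local store certificates live in that user's profile. The Exportable and Protected values confirm what the CSP was asked to enforce when the key was created; they do not make a software key as strong as one held on a smart card, which is the point of the recommendation to leave Private Key Exportable clear.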