11.5 Setting up a credential profile for soft certificates

Note: You can select certificate policies for soft certificates only if they have a Certificate Storage option of Software or Both set in the Certificate Authorities workflow. To issue a soft certificate through the MyID Operator Client, the certificate policy must also have the Private Key Exportable option set.

Once you have created your credential profile, you can request, issue, and manage soft certificate packages in the following ways:

To set up a credential profile for issuing soft certificates:

  1. From the Configuration category, select Credential Profiles.
  2. Choose one of the following options:

    • Select a profile to modify and click Modify.
    • Select a profile to use as the basis for a new profile and click Copy.
    • Click New to create a new profile.
  3. Type a Name and optional Description for the credential profile.
  4. In Card Encoding, select Software Certificates (Only).
  5. Click Issuance Settings.

    Set the following options:

    • Validate Issuance

      If you set this option, certificates issued using this profile will require a validation of the request.

    • Validate Cancellation

      If you set this option, certificates issued using this profile will require secondary authorization when you cancel them.

  6. Click PIN Settings and PIN Characters to specify the format of the passwords used to protect PFX files containing the certificates.

    If you want to send PIN mailing documents, you must set the Issue With option to Server Generated PIN, then set the PIN Algorithm to either EdeficePinGenerator or EdeficePolicyPinGenerator. You cannot use user-specified PINs or the RandomPinGenerator; the PIN will be blank in the mailing document, as MyID must be able to regenerate the PIN when creating the mailing document, and this is not possible with the RandomPinGenerator or if the user typed their own PIN.

    See section 9, PIN generation for details of configuring your system to use the EdeficePinGenerator or EdeficePolicyPinGenerator algorithms.

    If you want to email the PIN to the user, select the Email PIN option and configure MyID to send email notifications; these notifications use the Card PIN Notification email template. See section 13, Email notification for more information.

    Important: If you use a server generated PIN, you must either configure an email notification, or configure a PIN mailing document that you can print and provide to the user. The PFX password is not displayed on screen.

  7. Click Mail Documents to specify the document sent to the user when the certificate is issued, if required.

    You can print mailing documents for soft certificate packages only through the MyID Operator Client. You cannot use the Print Mailing Document workflow. See the Printing mailing documents for a soft certificate package section in the MyID Operator Client guide for details.

    Set the following options:

    • Select PIN Mailing Document – select the name of the HTML template stored in the MyID database to be used to generate a PIN mailing document for the soft certificate package.

    • Select Transport Document – select the name of the HTML template stored in the MyID database to be used when collecting the soft certificate package. For example, you can create a document that provides the person's name and address to provide a cover letter if you are sending a soft certificate package to the user on a USB stick.

    For details of creating HTML templates, contact customer support, quoting reference SUP-255.

  8. Click Next.
  9. From the list of available soft certificates, select the certificates you want to issue.

    Note: If you select a certificate policy that is marked for archival, you can recover the certificates after they have been issued. See the Recovering certificates section in the Operator's Guide for details.

  10. From the Storage Method list, select where you want the certificate to be stored:

    • FileStore – the certificate is exported to a password-protected PFX file, which you can then install into a user's certificate store.

      You can use the following characters in PFX passwords:

      a-zA-Z 0-9 ! \ " # $ % ' ( ) * + - . / : ; = ? @

      Note: You cannot use spaces.

      If you set the Issue With option to Server Generated PIN, and set the PIN Algorithm to either EdeficePinGenerator or EdeficePolicyPinGenerator, the PFX file is created with an automatically-generated password.

    • SystemStore – the certificate is stored automatically in the Personal certificate store of the logged-on Windows user.
    • AutoSave – when collecting the request through the MyID Operator Client, the certificate package is automatically saved to the first empty USB device found attached to the PC. If you use the Collect My Certificates workflow in MyID Desktop to collect the request, however, the certificates are saved to the Personal certificate store of the logged-on Windows user, as for the SystemStore option.

    When saving PFX files from the MyID Operator Client, the file names are automatically generated; you can customize the format if necessary. See the Customizing certificate file names section in the MyID Operator Client guide for details.

    Note: You can select multiple certificate profiles, and choose a different Storage Method for each one. MyID allows you to collect the certificates at the same time.

  11. Click Next.
  12. Select the roles that can request this credential profile, the roles to which you want to be able to issue it, and the roles you want to be able to validate it.
  13. Click Next.
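If you script around the FileStore option (for example, pre-checking passwords before they are used to protect PFX files, or producing a server-side value that respects the same rules), the following Python is an added example that encodes the permitted PFX password character set described in step 10. It is not MyID code and the generator is not the EdeficePinGenerator; the length of 16 is an assumption for the example.

```python
import secrets
import string

# Permitted PFX password characters as listed in the credential profile guidance:
# letters, digits and the punctuation  ! \ " # $ % ' ( ) * + - . / : ; = ? @
# Spaces are not permitted.
PFX_PUNCTUATION = "!\\\"#$%'()*+-./:;=?@"
PFX_ALLOWED = set(string.ascii_letters + string.digits + PFX_PUNCTUATION)


def pfx_password_problems(password: str) -> list[str]:
    """Return the reasons a candidate PFX password would be rejected.

    An empty list means every character is in the permitted set.
    Length and complexity are governed by the PIN Settings in MyID and are
    deliberately not checked here.
    """
    problems = []
    if not password:
        problems.append("password is empty")
    if " " in password:
        problems.append("spaces are not allowed")
    bad = sorted({c for c in password if c not in PFX_ALLOWED and c != " "})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    return problems


def generate_pfx_password(length: int = 16) -> str:
    """Generate a password drawn only from the permitted PFX character set.

    Uses the secrets module (CSPRNG). This stands in for a server-generated
    value in the example only; it is not MyID's EdeficePinGenerator.
    """
    alphabet = sorted(PFX_ALLOWED)
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample candidates, not values from a real deployment.
    for candidate in ["Tr0ub4dor&3", "has a space", "Ok!Pass(2024)"]:
        print(candidate, "->", pfx_password_problems(candidate) or "ok")
    generated = generate_pfx_password()
    assert not pfx_password_problems(generated)
    print("generated:", generated)
```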

11.5.1 Upgraded credential profiles

Previous versions of MyID had the following options for Storage Method for certificate policies for soft certificates: