3.10 Setting up a custom PKCS #10 request

For requests made using the REST API for mobile credentials (rest.provision), you can customize the PKCS #10 certificate signing request where the subject name is provided in the request: you can build the DN from the information stored in the vPeopleUserAccounts view in the MyID database for the person for whom the request was made.

To configure the web service, you must edit the appsettings.Production.json file of the rest.provision web service:

  1. As an administrator, open the appsettings.Production.json file in a text editor.

    By default, this is:

    C:\Program Files\Intercede\MyID\rest.provision\appsettings.Production.json

    This file is the override configuration file for the appsettings.json file for the web service. If this file does not already exist, you must create it in the same folder as the appsettings.json file.

  2. In the MyID section, edit the dnProcessor section.

    If this section does not exist, you must add it.

    The format is:

    {
       "MyID":{
          "dnProcessor":{
             "default":"default DN",
             "policy":[
                {
                   "name":"Policy 1",
                   "dn":"DN for policy 1"
                },
                {
                   "name":"Policy 2",
                   "dn":"DN for policy 2"
                },
                {
                   "name":"Policy 3",
                   "dn":"DN for policy 3"
                }
             ]
          }
       }
    }

    Provide the following:

    • default – provide the default DN to be used if the policy name does not match one of the specific policies in the configuration file.

    • policy – provide a block of JSON that includes:

      • name – the friendly name of the certificate policy as listed in the FriendlyName column of the CertPolicies table in the MyID database.

        See section 3.10.1, Policy names.

      • dn – the DN to be used for this policy.

      You can include as many policy blocks as required, one for each policy.

    The DN you specify for the default or for a policy may include:

    • Simple text.

      For example:

      cn=Static DN

    • Substitutions from the vPeopleUserAccounts view in the database.

      See section 3.10.2, Available fields for substitution for details of which fields you can use.

      Enclose the codes for these fields in double square brackets; for example:

      cn=[[People.UserPrincipalName]], o=Users, c=uk

      The People element indicates that the field comes from the vPeopleUserAccounts view. This example takes the UserPrincipalName field for the user and inserts it into the cn component of the DN.

      If there are any special characters in the specified field, these are escaped with a backslash (\) character.

    • Raw substitutions from the vPeopleUserAccounts view in the database, without escaping.

      If the field in the database contains a full DN, you do not want to escape the special characters. To include the content of the field without escaping, specify the field using triple square brackets; for example:

      [[[People.Xu55]]]

  3. Save the appsettings.Production.json file.
  4. Recycle the web service app pool:

    1. On the MyID web server, in Internet Information Services (IIS) Manager, select Application Pools.
    2. Right-click the myid.rest.provision.pool application pool, then from the pop-up menu click Recycle.

    This ensures that the web service has picked up the changes to the configuration file.

For example:

{
   "MyID":{
      "dnProcessor":{
         "default":"cn=Static DN",
         "policy":[
            {
               "name":"Smartcard Logon",
               "dn":"cn=[[People.UserPrincipalName]], o=Users, c=uk"
            },
            {
               "name":"Encryption",
               "dn":"[[[People.Xu55]]]"
            }
         ]
      }
   }
}
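To make the difference between the two bracket forms concrete, the following is an added example (not Intercede's code) that models how the dnProcessor block above is applied: it picks the dn for a policy name (falling back to default), substitutes [[People.Field]] placeholders with escaping and [[[People.Field]]] placeholders verbatim. The page does not list which characters count as special, so the RFC 4514 set used here, and the sample record, are assumptions of this example.

```python
import re

# The page only says special characters are escaped with "\"; the set used
# here is the RFC 4514 special set and is an assumption of this example.
_SPECIAL = set(',+"\\<>;=')

def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it is safe inside a DN component."""
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == '#' and i == 0
        edge_space = ch == ' ' and i in (0, len(value) - 1)
        out.append('\\' + ch if ch in _SPECIAL or leading_hash or edge_space else ch)
    return ''.join(out)

# [[[Entity.Field]]] inserts the raw value; [[Entity.Field]] inserts it escaped.
# The triple-bracket alternative is tried first, so a raw placeholder is never
# read as an escaped one with stray brackets around it.
_PLACEHOLDER = re.compile(r'\[\[\[(?P<raw>\w+)\.(?P<rawf>\w+)\]\]\]'
                          r'|\[\[(?P<esc>\w+)\.(?P<escf>\w+)\]\]')

def expand_dn(template: str, record: dict) -> str:
    """Replace People.* placeholders in a DN template with values from a record."""
    def substitute(m):
        raw = m.group('raw') is not None
        entity = m.group('raw') if raw else m.group('esc')
        field = m.group('rawf') if raw else m.group('escf')
        if entity != 'People':  # only the People entity (vPeopleUserAccounts) exists
            raise ValueError(f'unsupported entity: {entity}')
        if field not in record:
            raise KeyError(f'{field} is not a column of vPeopleUserAccounts')
        return record[field] if raw else escape_dn_value(record[field])
    return _PLACEHOLDER.sub(substitute, template)

def select_dn(config: dict, policy_name: str, record: dict) -> str:
    """Pick the dn for the policy's FriendlyName (or 'default'), then expand it."""
    proc = config['MyID']['dnProcessor']
    template = next((p['dn'] for p in proc.get('policy', [])
                     if p['name'] == policy_name), proc['default'])
    return expand_dn(template, record)

# Constructed sample data: the config mirrors the page's example; the record
# stands in for one row of the vPeopleUserAccounts view.
SAMPLE_CONFIG = {'MyID': {'dnProcessor': {
    'default': 'cn=Static DN',
    'policy': [
        {'name': 'Smartcard Logon', 'dn': 'cn=[[People.UserPrincipalName]], o=Users, c=uk'},
        {'name': 'Encryption', 'dn': '[[[People.Xu55]]]'},
    ]}}}
SAMPLE_RECORD = {'UserPrincipalName': 'doe, jane+admin@example.com', 'Xu55': 'cn=Jane Doe,ou=Crypto,o=Example'}
```

Note that a value such as "doe, jane+admin@example.com" would otherwise be parsed as extra DN components; the double-bracket form escapes the comma and plus, while the triple-bracket form is only safe when the column already holds a complete, correctly formed DN.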

3.10.1 Policy names

The policy names you provide must match the FriendlyName column in the CertPolicies table in the database.

To obtain a list of these names, you can run the following SQL against the MyID database:

select FriendlyName from CertPolicies;

3.10.2 Available fields for substitution

The format to use when specifying the fields is:

[[<Entity>.<Field>]]

where:

  • <Entity> is currently People.

  • <Field> is the name of a field in the vPeopleUserAccounts view.

For example:

[[People.FullName]]

To obtain a list of the fields you can use, you can run the following SQL against the MyID database:

select COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME = 'vPeopleUserAccounts';