3.9 Configuring custom certificate extensions

PrimeKey EJBCA Enterprise PKI provides support for custom extensions to be added to a certificate.

The required extensions are first configured in PrimeKey EJBCA through the Custom Certificate Extensions settings in the System Configuration.

The OID identifies the extension that is added to the certificate.

Inclusion of a custom extension in a certificate requires that:

Further information about managing these custom extensions is described in the PrimeKey EJBCA administration guide.

3.9.1 Setting up the custom extensions in MyID

MyID is unable to interrogate the PrimeKey EJBCA system configuration through the web service interface and, although it can identify that a certificate profile is referencing custom extensions, it cannot extract the extension details. Therefore, custom extensions cannot be automatically added to certificate policies within MyID.

Instead, custom extensions are declared in a configuration file, EjbcaPKIConnector.xml. All custom extensions are defined in this file within an XML <Extensions> node, and each custom extension is defined in its own <Extension> node.

For example, a configuration with two custom extensions would look like:

<Extensions>
    <Extension displayType="optional">
        <Name>MyExtension</Name>
        <DisplayName>My Extension</DisplayName>
        <OID>0.1.0.01</OID>
    </Extension>
    <Extension displayType="mandatory">
        <Name>MyExtension2</Name>
        <DisplayName>My Extension 2</DisplayName>
        <OID>0.1.0.02</OID>
    </Extension>
</Extensions>

The EJBCA connector attempts to load the custom extensions file from the MyID Components folder on the MyID application server; by default, this is:

C:\Program Files\Intercede\MyID\Components\

A default EjbcaPKIConnector.xml file, containing only the PIV NACI extension, is installed in the EJBCA installation folder on the MyID application server; by default, this is:

C:\Program Files\Intercede\MyID\Components\PKI\EJBCA\

You must add any additional custom extension to this file, then copy the file to the MyID Components folder.

As MyID cannot determine which custom extensions are being referenced by the individual policies, all custom extensions identified in the configuration file are added as policy attributes to any policy that references a custom extension on the PrimeKey EJBCA. It is up to the administrator to configure the required attributes through the Certificate Authorities workflow, as described in section 3.8.1, Enabling certificates policies on a CA.

Although an extension can be set to mandatory or optional within MyID, EJBCA treats any referenced custom extension as mandatory; if no value is supplied, the default value configured in the EJBCA System Configuration is used.

Note: The OID value of these custom extensions must match the extensions configured in the System Configuration in the PrimeKey EJBCA.
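Because MyID cannot read the EJBCA System Configuration, the OID match required by the note above has to be checked by hand. The following script (an added example, not Intercede or PrimeKey code) validates the structure of an EjbcaPKIConnector.xml file and cross-checks each <OID> against a set of OIDs the administrator has copied from the EJBCA System Configuration; the sample file and OID set are constructed for the example.

```python
"""Consistency check for a MyID EjbcaPKIConnector.xml file.
Added example, not Intercede or PrimeKey code: MyID cannot read the EJBCA
System Configuration, so the administrator supplies the EJBCA OID list."""
import re
import xml.etree.ElementTree as ET

DISPLAY_TYPES = {"optional", "mandatory"}
OID_RE = re.compile(r"^[0-2](\.\d+)+$")  # syntactic check only

def validate_extensions(xml_text, ejbca_oids):
    """Return problem strings; an empty list means the file is consistent."""
    problems, seen = [], {}
    root = ET.fromstring(xml_text)
    if root.tag != "Extensions":
        return ["root element is <%s>, expected <Extensions>" % root.tag]
    for n, ext in enumerate(root.findall("Extension"), start=1):
        if ext.get("displayType") not in DISPLAY_TYPES:
            problems.append("extension %d: displayType must be optional or mandatory" % n)
        # Every extension needs Name, DisplayName and OID child elements.
        fields = {t: (ext.findtext(t) or "").strip() for t in ("Name", "DisplayName", "OID")}
        problems += ["extension %d: missing <%s>" % (n, t) for t, v in fields.items() if not v]
        oid = fields["OID"]
        if not oid:
            continue
        if not OID_RE.match(oid):
            problems.append("extension %d: OID %r is not dotted decimal" % (n, oid))
        elif oid in seen:
            problems.append("extension %d: OID %s already used by %s" % (n, oid, seen[oid]))
        elif oid not in ejbca_oids:  # the cross-check MyID cannot do itself
            problems.append("extension %d: OID %s is not in the EJBCA System Configuration" % (n, oid))
        seen.setdefault(oid, fields["Name"])
    return problems

# Constructed sample: the two OIDs from the guide are configured in EJBCA,
# but the UserSid OID in the file has been mistyped (last arc 3, not 2).
EJBCA_OIDS = {"2.16.840.1.101.3.6.9.1", "1.3.6.1.4.1.311.25.2"}
SAMPLE_XML = """<Extensions>
  <Extension displayType="optional">
    <Name>NACI</Name><DisplayName>PIV NACI</DisplayName><OID>2.16.840.1.101.3.6.9.1</OID>
  </Extension>
  <Extension displayType="mandatory">
    <Name>UserSid</Name><DisplayName>User SID</DisplayName><OID>1.3.6.1.4.1.311.25.3</OID>
  </Extension>
</Extensions>"""

if __name__ == "__main__":
    for line in validate_extensions(SAMPLE_XML, EJBCA_OIDS) or ["OK"]:
        print(line)
```

Run it against the live file (and the real OID list) before restarting the eCertificate service, since a mismatch is otherwise only discovered when a certificate request is rejected.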

Note: After you have made any changes to this file, you must restart the eCertificate service to update the certificate policies within MyID.

  1. From the Windows Administrative Tools, double-click Services.
  2. Right-click the eCertificate Services Server service, then from the pop-up menu click Restart.

3.9.2 Certificate extension OIDs

You must configure the following certificate extensions:

Object Identifier (OID)     Label     Encoding     Comment
2.16.840.1.101.3.6.9.1      NACI      DERBOOLEAN   PIV only
1.3.6.1.4.1.311.25.2        UserSid   RAW          PIV and Enterprise

3.9.3 Additional attribute settings

The following table shows the configuration required to support the additional attributes and custom extensions:

Certificate Profile: Allow subject DN override by CSR: Enabled. The LDAP DN Order and Custom Subject DN Order settings are ignored.
End Entity Profile: Subject DN Attributes are used only as the subject DN of the End Entity and are not used in the issued certificate.
MyID certificate policy attributes: There is no need to configure subject DN attributes in MyID. The subject DN is written to the certificate as supplied in the PKCS#10.

Certificate Profile: Allow subject DN override by CSR: Disabled. Custom Subject DN Order: Disabled. LDAP DN Order is used to control the order of the subject DN components.
End Entity Profile: Subject DN Attributes are used both as the subject DN of the End Entity and in the issued certificate.
MyID certificate policy attributes: Configure certificate policy attributes as described in section 3.8.1, Enabling certificates policies on a CA. The policy attribute Reverse DN has no effect; the subject DN order is controlled through the EJBCA certificate profile settings.

Certificate Profile: Allow subject DN override by CSR: Disabled. Custom Subject DN Order: Enabled. The Apply LDAP DN order sub-option is used to control the subject DN order; the LDAP DN Order setting is ignored.
End Entity Profile: Subject DN Attributes are used both as the subject DN of the End Entity and in the issued certificate.
MyID certificate policy attributes: Configure certificate policy attributes as described in section 3.8.1, Enabling certificates policies on a CA. The policy attribute Reverse DN has no effect; the subject DN order is controlled through the EJBCA certificate profile settings.

Certificate Profile: Allow Extension override: Enabled, and Subject Alternative Name: Enabled.
End Entity Profile: The required attributes must be configured in Subject Alternative Name.
MyID certificate policy attributes: Configure certificate policy attributes as described in section 3.8.1, Enabling certificates policies on a CA.

Certificate Profile: Allow Extension override: Enabled, and Subject Directory Attributes: Enabled.
End Entity Profile: The required attributes must be configured in Subject Directory Attributes.
MyID certificate policy attributes: Configure certificate policy attributes as described in section 3.8.1, Enabling certificates policies on a CA.

Certificate Profile: Allow Extension override: Enabled, and the required custom extensions are selected in Used Custom Certificate Extensions.
End Entity Profile: Enable Custom certificate extension data. Note: MyID cannot validate that this setting has been enabled.
MyID certificate policy attributes: The required custom extensions must be configured in System Configuration as described in section 3.9, Configuring custom certificate extensions. Configure the required extensions in EjbcaPKIConnector.xml as described in section 3.9.1, Setting up the custom extensions in MyID. Configure certificate policy attributes as described in section 3.8.1, Enabling certificates policies on a CA.

The custom extensions defined in the external file are added to all PrimeKey PKI certificate policies. Only those extensions required by the policy should be configured within MyID. Configuring more custom attributes than required may result in a certificate request being rejected due to configuration mismatch.