3.4 Configuring certification authorities
Before you add a PrimeKey EJBCA CA into MyID, you must configure the CA on the PrimeKey EJBCA.
See your PrimeKey EJBCA documentation for details.
The following restrictions are imposed on configuring a CA to ensure that MyID can manage certificates using the CA, and to prevent performance degradation due to unnecessary database queries.
| Configuration Field | Purpose | Recommended Setting |
|---|---|---|
| Type of CA | Controls the type of certificates that can be issued by the CA, X509 or CVC. | X.509 |
| Crypto Token | Token where the CA's key mappings are expected to exist. | PKCS#11 HSM slot mapping, or a Soft PKCS#12 keystore in the database. A PKCS#11 crypto token requires additional common fields to be set to identify the location of the crypto token. See the PrimeKey EJBCA documentation for details. |
| Enforce unique public keys | When enabled, checks are performed that the same public key is not used to issue certificates using different certificate policies (users are associated with a certificate policy when used by MyID). | Disable. When enabled, this may affect performance if the database is not configured with a (subjectKeyId, issuerDN) database index. |
| Enforce unique DN | Enforces that the same DN cannot be used when issuing certificates using different certificate policies. | Disable. Enabling this option would prevent a user from being issued certificates using different policies but the same DN. |
| Enforce unique Subject DN Serial Number | Ensures that only one end entity with a specific Subject DN Serial Number can be issued from this CA. | Disable (default). Enabling this option can affect certificate issuance performance and prevent the same user from being issued certificates using different certificate policies if the Subject DN serial number is used. |
| Use Certificate Request History | Maintains a history of certificate requests. | Disable (default). Enabling this option will lead to reduced certificate issuance performance. |
| Use User Storage | Allows users (end entities) to be searched. When enabled, a certificate can only be requested for stored users (end entities). | Enable. You can disable the option to improve performance when the CA is not being used for escrow. You must enable this option when using the PrimeKey PKI CA for key escrow. |
| Use Certificate Storage | Stores issued certificates so that they can be retrieved and so that revocation information can be provided. | Enable (default). Required to provide CRLs, although it does have the effect of reducing performance. You must enable this option when using the PrimeKey PKI CA for key escrow. |
| Default CA defined validation data | Configure a CRL distribution point and an OCSP default service URI. A CRL publishing service is required to periodically publish the CRL. | If you need to validate certificates against a CRL, the CRL publishing service must be enabled to publish the updated CRL periodically; the MyID application server must be able to access the Certificate Revocation List (CRL) location and, if configured, the OCSP default service URI. Certificate profiles used to issue certificates that are published with the CA must have Authority Information Access, as well as the Use CA defined CA issuer and/or the Use CA defined OCSP locator options, enabled; see section 3.5, Configuring certificate profiles. |
| Approval Settings | Provides default approval settings for the relevant options. | None. Enabling these prevents operations from being completed until the operation has been approved. |
| Finish User | Checks whether an end entity should transition from New to Generated after a certificate is issued. | Enable. Disabling this setting prevents the end entity from being created in a specific table within the PrimeKey database. Keeping it enabled prevents the EJBCA "republish all" CLI command from failing when attempting to publish an issued certificate to an external database. |
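The Default CA defined validation data row requires that the MyID application server can reach the CRL location and that the publishing service keeps the CRL current. The following script is an added example, not Intercede or PrimeKey code: it fetches a CRL from a distribution point URL (assumed; supply your own) and reports whether the current time falls inside its thisUpdate/nextUpdate window. The DER walker only reads the update times and does not verify the CRL signature, and the sample CRL bytes at the bottom are constructed so the check runs offline.

```python
import datetime as dt
import urllib.request

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware UTC datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def crl_update_times(der_crl):
    """Return (thisUpdate, nextUpdate) from a DER CertificateList; nextUpdate may be None."""
    _, cert_list, _ = _tlv(der_crl, 0)        # CertificateList ::= SEQUENCE
    _, tbs, _ = _tlv(cert_list, 0)            # tbsCertList ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)                # optional version INTEGER, else signature AlgId
    if tag == 0x02:
        _, _, pos = _tlv(tbs, pos)            # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                # issuer Name
    tag, val, pos = _tlv(tbs, pos)            # thisUpdate
    this_update, next_update = _time(tag, val), None
    if pos < len(tbs):
        tag, val, _ = _tlv(tbs, pos)          # nextUpdate OPTIONAL (else revokedCertificates)
        if tag in (0x17, 0x18):
            next_update = _time(tag, val)
    return this_update, next_update

def utc(year, month, day):
    return dt.datetime(year, month, day, tzinfo=dt.timezone.utc)

def crl_is_current(der_crl, now=None):
    """True when now lies within [thisUpdate, nextUpdate]; a CRL without nextUpdate never expires."""
    now = now or dt.datetime.now(dt.timezone.utc)
    this_update, next_update = crl_update_times(der_crl)
    return this_update <= now and (next_update is None or now <= next_update)

def fetch_crl(url):
    """Fetch the DER CRL as the MyID application server would (url is an assumption)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()

def _der(tag, body):
    """Tiny DER encoder used only to build the constructed sample CRL below."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body

# Constructed sample CRL (not from a real EJBCA instance): CN=Test CA, valid 2024-01-01 to 2024-01-08, dummy signature.
_SHA256_RSA = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
_ISSUER = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x13, b"Test CA"))))
_TBS = _der(0x30, _der(0x02, b"\x01") + _SHA256_RSA + _ISSUER + _der(0x17, b"240101000000Z") + _der(0x17, b"240108000000Z"))
SAMPLE_CRL = _der(0x30, _TBS + _SHA256_RSA + _der(0x03, b"\x00" * 9))

if __name__ == "__main__":
    print(crl_update_times(SAMPLE_CRL), crl_is_current(SAMPLE_CRL, utc(2024, 1, 3)))
```

Replace `SAMPLE_CRL` with `fetch_crl("http://<your-ejbca-host>/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=...")` (placeholder URL) to test the real distribution point from the MyID server; a stale CRL here means the publishing service is not running often enough.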