30.5 Certificates page (Operation Settings)

Setting

Abort On Timeout

Default value

Ask

Description

Whether the issue process should be canceled if the certificate is taking so long to process that the timeout period is reached.

Further information

 

 

Setting

Allow Certificate User Creation

Default value

No

Description

When importing a certificate using the MyID Core API, if you want MyID to create a user based on the information stored in the certificate if the person does not already exist, set this option to Yes.

Further information

See the Importing certificates section in the MyID Core API guide.

 

Setting

Allow Collect Later

Default value

Yes

Description

Whether a device holder can collect a certificate later if the certificate is taking a long time to issue.

This option is available only in the Issue Card workflow. Other card issuance workflows do not allow you to collect certificates later.

Further information

See the Issuing certificates section in the Operator's Guide.

 

Setting

Automated Issuance Time Limit

Default value

45

Description

The time to wait for a certificate to be issued when using an automated issuing process.

Further information

 

 

Setting

Card Authentication Certificate ID Format

Default value

Decimal

Description

Determines the format of the serial number within the DN of a certificate written to the Card Auth container on a PIV-compatible card. By default the numeric components are decimal values separated by hyphens (-), but some legacy systems require the serial number in hexadecimal format.

Select one of the following options:

  • Decimal – this is the default.

  • Hex (lowercase) – the serial number is provided in lower-case hexadecimal characters.

  • Hex (uppercase) – the serial number is provided in upper-case hexadecimal characters.

Further information

This setting affects only certificates written to the Card Auth container on a device. Note, however, that it does not affect certificates written to the Card Auth container on a mobile device, as the device must have a FASC-N, which mobile devices do not generate.

You may experience problems if you attempt to switch between upper-case and lower-case hexadecimal serial numbers; cardholders with existing issued certificates may not obtain updated serial numbers when their device is reprovisioned. If this occurs, cancel the device, and issue it again as a new PIV credential, which ensures that the certificates are issued with serial numbers in the latest configured format.

Note: This feature is intended for use with Entrust certificate authorities only. Also, this configuration flag is respected only when carrying out the following operations:

  • Any Self-Service App operations.

  • Any Self-Service Kiosk operations.

  • MyID Desktop:

    • Activate Card

    • Assisted Activation

    • Batch Collect Card

    • Collect Card

    • Collect Updates

If you use any other operation that writes certificates to a device, the Card Auth certificate is issued with a decimal serial number, whatever the configured value for the Card Authentication Certificate ID Format configuration option.

 

Setting

Cards Allowed For Derivation

Default value

 

Description

A regular expression that is matched against the ASCII form of a card's FASC-N. Only cards whose FASC-N matches this expression can be used to create derived credentials.

Further information

See the Derived Credentials Self-Service Request Portal for details.
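The following is an added example, not MyID's own code, showing how a Cards Allowed For Derivation expression behaves against constructed FASC-N values. It assumes the ASCII form MyID matches against is the 32-digit FASC-N string (agency code, system code, credential number, and so on); the sample FASC-N values are made up for the example. The point it illustrates is that an unanchored pattern such as 3200 also matches cards from other agencies whose credential number happens to contain those digits, whereas an explicitly anchored pattern gives the intended result whether the product applies substring or whole-string matching.

```python
import re

# Field layout of the 32-digit FASC-N as (name, width). Assumption for this
# example: the configured regex is matched against this digit string.
FASCN_FIELDS = (
    ("agency_code", 4),
    ("system_code", 4),
    ("credential_number", 6),
    ("credential_series", 1),
    ("individual_credential_issue", 1),
    ("person_identifier", 10),
    ("organizational_category", 1),
    ("organizational_identifier", 4),
    ("person_organization_association", 1),
)


def split_fascn(fascn):
    """Split a 32-digit FASC-N string into its named fields."""
    if not re.fullmatch(r"\d{32}", fascn):
        raise ValueError("FASC-N must be exactly 32 decimal digits")
    fields, pos = {}, 0
    for name, width in FASCN_FIELDS:
        fields[name] = fascn[pos:pos + width]
        pos += width
    return fields


def unanchored_allowed(pattern, fascn):
    """Substring semantics: the pattern may match anywhere in the FASC-N."""
    return re.search(pattern, fascn) is not None


def anchored_allowed(pattern, fascn):
    """Whole-string semantics: the pattern must cover the entire FASC-N."""
    return re.fullmatch(pattern, fascn) is not None


# Constructed sample cards (not real FASC-N values).
CARD_AGENCY_3200 = "32000001000123110000012345132001"
CARD_AGENCY_3201 = "32010007004455110000011111232011"
# Agency 9999, but its credential number (320099) contains "3200".
CARD_OTHER_AGENCY = "99990002320099110000067890199991"

LOOSE_PATTERN = "3200"                # matches any card containing 3200
STRICT_PATTERN = r"^320[01]\d{28}$"   # agency code 3200 or 3201 only


def derivation_decisions(pattern, cards):
    """Map each FASC-N to whether it may be used for derivation."""
    return {card: anchored_allowed(pattern, card) for card in cards}


if __name__ == "__main__":
    for card in (CARD_AGENCY_3200, CARD_AGENCY_3201, CARD_OTHER_AGENCY):
        agency = split_fascn(card)["agency_code"]
        print(agency, "loose:", unanchored_allowed(LOOSE_PATTERN, card),
              "strict:", anchored_allowed(STRICT_PATTERN, card))
```

Write the pattern with explicit anchors and the full remaining digit count, as STRICT_PATTERN does, so that the result does not depend on whether the matcher applies search or full-match semantics.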

 

Setting

Certificate Polling Refresh Time

Default value

5

Description

The number of seconds between subsequent attempts to collect certificates.

Further information

 

 

Setting

Certificate Recovery Password Complexity

Default value

04-08N

Description

Controls the complexity of the password automatically generated for PFX files. The value takes the format mm-nnULSN, where:

mm = minimum length

nn = maximum length

U/u = must/may contain upper-case letters (optional)

L/l = must/may contain lower-case letters (optional)

S/s = must/may contain symbols (optional)

N/n = must/may contain numbers (optional)

An upper-case flag letter means that character class is required; a lower-case flag letter means it is permitted but not required.

Further information

This option is also used to determine the complexity of the authentication codes used for mobile device issuance. In this case, you must set the complexity to use numeric characters only; for example, 04-08N, which means a code of 4 to 8 digits.

See the Setting the authentication code complexity section in the Mobile Identity Management guide for details.
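The following is an added example, not MyID's own code, that parses the mm-nnULSN format described above, validates a candidate value against it, and generates a compliant value from a CSPRNG. It assumes that a class listed in upper case is required, a class listed in lower case is permitted, and a class that is not listed is not allowed (consistent with 04-08N meaning digits only); the symbol set used for S/s is an assumption, since the page does not list MyID's symbol characters. The min_entropy_bits helper makes the cost of a short numeric spec visible: 04-08N permits a 4-digit code, which is only about 13 bits.

```python
import math
import re
import secrets
import string

# Character classes per flag letter. The symbol set is an assumption for this
# example; the page does not document which symbols MyID uses.
CLASSES = {
    "U": string.ascii_uppercase,
    "L": string.ascii_lowercase,
    "S": "!@#$%^&*()-_=+",
    "N": string.digits,
}

SPEC_RE = re.compile(r"^(\d{2})-(\d{2})([ULSNulsn]*)$")


def parse_spec(spec):
    """Parse 'mm-nnULSN' into (min_len, max_len, required, allowed).

    Upper-case flag = class required, lower-case = permitted, absent = not
    allowed (assumption, consistent with 04-08N meaning digits only).
    """
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"malformed complexity spec: {spec!r}")
    min_len, max_len, flags = int(m.group(1)), int(m.group(2)), m.group(3)
    required = {c for c in flags if c.isupper()}
    allowed = {c.upper() for c in flags}
    if min_len < 1 or max_len < min_len:
        raise ValueError("length range must satisfy 1 <= mm <= nn")
    if not allowed:
        raise ValueError("at least one character class must be listed")
    if len(required) > max_len:
        raise ValueError("more required classes than the maximum length allows")
    return min_len, max_len, required, allowed


def validate(password, spec):
    """Return True if password satisfies every constraint of spec."""
    min_len, max_len, required, allowed = parse_spec(spec)
    pool = set().union(*(CLASSES[c] for c in allowed))
    if not min_len <= len(password) <= max_len:
        return False
    if any(ch not in pool for ch in password):
        return False
    return all(any(ch in CLASSES[c] for ch in password) for c in required)


def generate(spec):
    """Generate a value satisfying spec using the secrets CSPRNG."""
    min_len, max_len, required, allowed = parse_spec(spec)
    low = max(min_len, len(required))
    length = low + secrets.randbelow(max_len - low + 1)
    pool = "".join(CLASSES[c] for c in sorted(allowed))
    # One character from each required class, then fill from the whole pool.
    chars = [secrets.choice(CLASSES[c]) for c in sorted(required)]
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def min_entropy_bits(spec):
    """Lower bound: the shortest permitted value drawn from the allowed pool."""
    min_len, _, _, allowed = parse_spec(spec)
    pool_size = len(set().union(*(CLASSES[c] for c in allowed)))
    return min_len * math.log2(pool_size)


if __name__ == "__main__":
    for spec in ("04-08N", "08-12ULsN"):
        value = generate(spec)
        print(spec, value, validate(value, spec), round(min_entropy_bits(spec), 1))
```

Because a short numeric authentication code carries so little entropy, its security rests on the issuance process limiting how many guesses are accepted and for how long the code stays valid, not on the code itself.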

 

Setting

Certificate Refresh Threshold

Default value

15

Description

The number of seconds to wait for a certificate to be issued before deferring issuance or canceling the process.

If you experience problems when collecting or updating cards, try increasing this option to a higher value; for example, 45.

This problem may manifest with an error similar to:

One of the certificates that have been requested for you has failed to issue.

Further information

 

 

Setting

Certificate Timeout For Deferred Collection

Default value

4320

Description

The number of minutes that a certificate will remain valid while waiting for collection. When this limit is reached, the certificate is revoked.

Further information

 

 

Setting

Certificate Timeout For Issuance

Default value

20

Description

The number of minutes that a certificate will remain valid while waiting to be issued. When this limit is reached, the certificate is revoked.

Further information

 

 

Setting

Deactivate Card Auth user in Entrust

Default value

No

Description

PIV Card Authentication certificates are usually issued to a different subject DN than other certificates. As a result, the Entrust PKI creates an additional user account for this subject.

When this option is set to Yes, the MyID Entrust PKI connector deactivates this additional account when card authentication certificates are revoked.

Set this option to No to disable this behavior.

Further information

See the Deactivation of card authentication users section in the Entrust JASTK CA Integration Guide.

 

Setting

Derived credential certificate OID

Default value

2.16.840.1.101.3.2.1.3.13

Description

The OID to be checked on the PIV Authentication certificate for derived credentials.

Further information

See the Derived Credentials Self-Service Request Portal for details.

 

Setting

Derived Credential Revocation Check Interval

Default value

0

Description

The number of hours between repeated revocation checks of the original credentials.

Further information

Note: If you set this option to a value greater than 0, it overrides the Derived credential revocation check offset setting.

See the Derived Credentials Self-Service Request Portal for details.

 

Setting

Derived credential revocation check offset

Default value

7

Description

The number of days after which MyID checks the original credentials that the cardholder used to request the derived credentials. If the original credentials have been revoked in this period, the derived credentials are also revoked.

Further information

See the Derived Credentials Self-Service Request Portal for details.

 

Setting

Derived credential signing certificate OID

Default value

2.16.840.1.101.3.2.1.3.6;2.16.840.1.101.3.2.1.3.7;2.16.840.1.101.3.2.1.3.16

Description

A semicolon-delimited list of OIDs to be checked on the Digital Signature certificate for derived credentials.

Further information

See the Derived Credentials Self-Service Request Portal for details.

 

Setting

Entrust force new escrow

Default value

No

Description

When this option is set to Yes, if Entrust returns an existing escrow certificate in response to a request for a new certificate, MyID revokes the certificate and requests the new certificate again.

Setting this option returns MyID to its previous behavior; you are recommended to keep this option at the default No for most systems, and set this option to Yes only if directed to by Intercede.

Further information

See the Forcing the issuance of new escrow certificates section in the Entrust CA Integration Guide.

Note: This option is not relevant for the Entrust CA Gateway.

 

Setting

iOS OTA Credential Profile

Default value

 

Description

Set this option to the name of the Device Identity credential profile.

Further information

See the Setting up iOS OTA provisioning section in the Mobile Identity Management document for details.

 

Setting

iOS OTA Description

Default value

 

Description

Set this option to a description for the OTA update. This appears on the OTA provisioning message on the mobile device.

Further information

See the Setting up iOS OTA provisioning section in the Mobile Identity Management document for details.

 

Setting

iOS OTA Display Name

Default value

 

Description

Set this option to a name for the OTA update. This appears on the OTA provisioning message on the mobile device.

Further information

See the Setting up iOS OTA provisioning section in the Mobile Identity Management document for details.

 

Setting

iOS OTA Organization

Default value

 

Description

Set this option to the name of your organization. This appears on the OTA provisioning message on the mobile device.

Further information

See the Setting up iOS OTA provisioning section in the Mobile Identity Management document for details.

 

Setting

Limit derived credential lifetime to deriving credential

Default value

No

Description

When set to Yes, any derived credentials issued have their expiry date limited to the expiry date of the certificate used for derivation.

Note: Some CAs do not allow control over the time portion of the certificate expiry. When MyID sets the lifetime of the derived credential, the date is aligned with the lifetime of the deriving certificate, but the time may not match exactly, depending on the certificate authority being used.

Further information

See the MyID configuration options section in the Derived Credentials Self-Service Request Portal for details.

 

Setting

Mask Certificate Revocation Code

Default value

No

Description

Whether certificate revocation reason codes are withheld from the CA. When set to Yes, MyID does not send the revocation reason to the CA; when set to No, the reason is sent.

Further information

Cannot be edited.

 

Setting

Maximum certificate suspensions

Default value

-1

Description

The number of times a certificate can be suspended before it is revoked. (-1 means unlimited)

Further information

 

 

Setting

Maximum keys per card to recover

Default value

0

Description

Specifies the number of certificates to recover per card when creating key recovery jobs.

Further information

Not currently used.

 

Setting

Mobile Certificate Recovery Service URL

Default value

 

Description

Specify the URL of the host that a mobile device must use to collect a mobile ID.

Further information

 

 

Setting

Pre-recover archived certificates for the rest.provison API

Default value

No

Description

Store a temporary copy of recovered archived certificates to improve the performance of provisioning to mobile devices.

Further information

 

 

Setting

Renew Expired Certs Via API

Default value

No

Description

Allow the renewing of expired certificates through calls to the Credential Web Service API.

Further information

See the Credential Web Service document for details.

 

Setting

Restrict certificate lifetimes to the card

Default value

Yes

Description

Whether the lifetimes of the certificates are restricted to the lifetime of the card. This may not be supported by all certificate authorities.

Further information

 

 

Setting

Retry On Collection

Default value

No

Description

Whether, once the certificate timeout period has been reached, the request must be resubmitted to the CA before the certificate can be collected.

Further information

 

 

Setting

Storage method allowed for certificate recovery

Default value

Both

Description

Allows you to restrict the software certificates recovered depending on the recovery method configured by the certificate profile. Can be one of the following:

  • Local Store

  • Save to PFX

  • Both

Further information

See the Options for recovering soft certificates section in the Operator's Guide.

 

Setting

Suspend to revoke period

Default value

0

Description

The time between suspension and revocation.

Further information

See section 6.4, Scheduled certificate revocation operations for more information on setting MyID to revoke suspended certificates after a given time period.

 

Setting

Update email address from derivation

Default value

No

Description

Whether MyID updates the user record with the email address obtained from the certificate used for derived credentials.

Further information

See the Derived Credentials Self-Service Request Portal for details.

 

Setting

Use Entrust default key update policy

Default value

No

Description

Whether MyID uses the Entrust CA default certificate lifetimes.

Further information

See the Controlling certificate lifetimes section in the Entrust CA Integration Guide.

Note: This option is not relevant for the Entrust CA Gateway.