30.5 Certificates page (Operation Settings)
Setting:
Default value: Ask
Description: Whether the issue process should be canceled if the certificate is taking so long to process that the timeout period is reached.
Further information:

Setting:
Default value: No
Description: When importing a certificate using the MyID Core API, set this option to Yes if you want MyID to create a user from the information stored in the certificate when the person does not already exist.
Further information: See the Importing certificates section in the MyID Core API guide.

Setting:
Default value: Yes
Description: Whether a device holder can collect a certificate later if the certificate is taking a long time to issue. This option is available only in the Issue Card workflow; other card issuance workflows do not allow you to collect certificates later.
Further information: See the Issuing certificates section in the Operator's Guide.

Setting:
Default value: 45
Description: The time to wait for a certificate to be issued when using an automated issuing process.
Further information:

Setting:
Default value: Decimal
Description: Determines the format of the serial number within the DN of a certificate written to a Card Auth container on a PIV-compatible card. By default, the numeric components are decimal values separated by - symbols, but some legacy systems require the serial number in hexadecimal format. Select one of the following options:
Further information: This setting affects only certificates written to the Card Auth container on a device. Note, however, that it does not affect certificates written to the Card Auth container on a mobile device, because the device must have a FASC-N, which mobile devices do not generate. You may experience problems if you attempt to switch between upper-case and lower-case hexadecimal serial numbers: cardholders with existing issued certificates may not obtain updated serial numbers when their device is reprovisioned. If this occurs, cancel the device and issue it again as a new PIV credential, which ensures that the certificates are issued with serial numbers in the latest configured format.
Note: This feature is intended for use with Entrust certificate authorities only. Also, this configuration flag is respected only when carrying out the following operations:
If you use any other operation that writes certificates to a device, the Card Auth certificate is issued with a decimal serial number, whatever the configured value for the Card Authentication Certificate ID Format configuration option.

Setting:
Default value:
Description: A regular expression matching the ASCII value of the FASC-N for cards, used to determine whether you can use them to create derived credentials.
Further information: See the Derived Credentials Self-Service Request Portal for details.

Setting:
Default value: 5
Description: The number of seconds between subsequent attempts to collect certificates.
Further information:

Setting:
Default value: 04-08N
Description: Controls the complexity of the password automatically generated for PFX files. It takes the format mm-nnULSN, where:
  mm = minimum length
  nn = maximum length
  U/u = must/may contain upper case (optional)
  L/l = must/may contain lower case (optional)
  S/s = must/may contain symbols (optional)
  N/n = must/may contain numbers (optional)
Further information: This option is also used to determine the complexity of the authentication codes used for mobile device issuance. In this case, you must set the complexity to use numeric characters only; for example, 04-08N, which means a code of 4 to 8 numbers. See the Setting the authentication code complexity section in the Mobile Identity Management guide for details.
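The mm-nnULSN format above is compact enough to be misread (an upper-case flag is a requirement, a lower-case flag only a permission, and an absent class is forbidden outright). The following is an added example, not MyID's own code, that parses such a setting, validates a candidate password or authentication code against it, generates a conforming value with the secrets module, and checks the numeric-only constraint required for mobile authentication codes. The symbol set used for the S class is an assumption; the page does not say which characters MyID treats as symbols.

```python
import re
import secrets
import string

# Character classes behind the U/L/S/N flags. The symbol set is an assumption:
# the page does not list which characters MyID counts as "symbols".
CLASSES = {
    "U": string.ascii_uppercase,
    "L": string.ascii_lowercase,
    "S": "!#$%&*+-=?@^_",
    "N": string.digits,
}

# mm-nn followed by any combination of U/u, L/l, S/s, N/n flags.
SPEC_RE = re.compile(r"^(\d{2})-(\d{2})([ULSNulsn]*)$")


def parse_spec(spec):
    """Parse an mm-nnULSN string into (min_len, max_len, required, allowed).

    Upper-case flags are classes the value MUST contain; lower-case flags are
    classes it MAY contain. A class not named at all is not allowed.
    """
    m = SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"malformed complexity spec: {spec!r}")
    min_len, max_len, flags = int(m.group(1)), int(m.group(2)), m.group(3)
    if min_len < 1 or max_len < min_len:
        raise ValueError(f"bad length range in {spec!r}")
    if not flags:
        raise ValueError(f"no character classes named in {spec!r}")
    required = {f for f in flags if f.isupper()}
    allowed = {f.upper() for f in flags}
    if len(required) > max_len:
        raise ValueError(f"more required classes than maximum length in {spec!r}")
    return min_len, max_len, required, allowed


def classify(ch):
    """Return the class letter for a character, or None if it is in no class."""
    for name, chars in CLASSES.items():
        if ch in chars:
            return name
    return None


def check_password(spec, password):
    """True if password meets spec: length range, only allowed classes, every required class."""
    min_len, max_len, required, allowed = parse_spec(spec)
    if not min_len <= len(password) <= max_len:
        return False
    present = set()
    for ch in password:
        cls = classify(ch)
        if cls is None or cls not in allowed:
            return False
        present.add(cls)
    return required <= present


def generate_password(spec):
    """Generate a value satisfying spec from a CSPRNG (secrets module)."""
    min_len, max_len, required, allowed = parse_spec(spec)
    low = max(min_len, len(required))
    length = low + secrets.randbelow(max_len - low + 1)
    pool = "".join(CLASSES[c] for c in sorted(allowed))
    # One character from each required class first, then fill from the allowed pool.
    chars = [secrets.choice(CLASSES[c]) for c in sorted(required)]
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def is_numeric_only(spec):
    """True if spec permits digits only, as mobile authentication codes require."""
    _, _, _, allowed = parse_spec(spec)
    return allowed == {"N"}


if __name__ == "__main__":
    for s in ("04-08N", "08-12ULsn"):
        pw = generate_password(s)
        print(s, "->", pw, check_password(s, pw), "numeric-only:", is_numeric_only(s))
```

Running the block prints one generated value per spec. A configuration such as 04-08Nu would pass the regular expression but fail is_numeric_only, which is the check to run before reusing a PFX password setting for mobile authentication codes.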
Setting:
Default value: 15
Description: The number of seconds to wait for a certificate to be issued before deferring issue or canceling the process. If you experience problems when collecting or updating cards, try increasing this option to a higher value; for example, 45. This problem may manifest with an error similar to: One of the certificates that have been requested for you has failed to issue.
Further information:

Setting:
Default value: 4320
Description: The number of minutes that a certificate remains valid while waiting for collection. When this limit is reached, the certificate is revoked.
Further information:

Setting:
Default value: 20
Description: The number of minutes that a certificate remains valid while waiting to be issued. When this limit is reached, the certificate is revoked.
Further information:

Setting:
Default value: No
Description: PIV Card Authentication certificates are usually issued to a different subject DN than other certificates. As a result, the Entrust PKI creates an additional user account for this subject. When this option is set to Yes, the MyID Entrust PKI connector deactivates this additional account when card authentication certificates are revoked. Set this option to No to disable this behavior.
Further information: See the Deactivation of card authentication users section in the Entrust JASTK CA Integration Guide.

Setting:
Default value: 2.16.840.1.101.3.2.1.3.13
Description: The OID to be checked on the PIV Authentication certificate for derived credentials.
Further information: See the Derived Credentials Self-Service Request Portal for details.

Setting:
Default value: 0
Description: The number of hours between repeated revocation checks of the original credentials.
Further information: Note: If you set this option to a value greater than 0, it overrides the Derived credential revocation check offset setting. See the Derived Credentials Self-Service Request Portal for details.

Setting:
Default value: 7
Description: The number of days after which MyID checks the original credentials that the cardholder used to request the derived credentials. If the original credentials have been revoked in this period, the derived credentials are also revoked.
Further information: See the Derived Credentials Self-Service Request Portal for details.

Setting:
Default value: 2.16.840.1.101.3.2.1.3.6; 2.16.840.1.101.3.2.1.3.7; 2.16.840.1.101.3.2.1.3.16
Description: A semicolon-delimited list of OIDs to be checked on the Digital Signature certificate for derived credentials.
Further information: See the Derived Credentials Self-Service Request Portal for details.
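Both derived-credential OID settings above (the single PIV Authentication OID and the semicolon-delimited Digital Signature list) are matched against OIDs carried in the certificate. The following is an added example, not Intercede's code, showing the two pieces a checker needs: parsing the configured list exactly as it is written (whitespace around semicolons, trailing delimiter) and decoding the DER content octets of an OBJECT IDENTIFIER as they appear inside a certificate extension. It assumes the OIDs are certificate policy OIDs and that the caller has already extracted their DER content octets, neither of which the page states; the certificate inputs are constructed.

```python
def encode_oid(dotted):
    """DER-encode the content octets of an OBJECT IDENTIFIER (no tag or length)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    out = bytearray()
    # First two arcs are folded into one subidentifier; each subidentifier is
    # base-128, big-endian, with the high bit set on all but the last octet.
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(data):
    """Decode DER OID content octets back to dotted form; rejects truncated input."""
    arcs, value, pending = [], 0, False
    for b in data:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending or not arcs:
        raise ValueError("truncated or empty OID")
    first = arcs[0]
    if first < 80:
        a0, a1 = divmod(first, 40)
    else:
        a0, a1 = 2, first - 80
    return ".".join(str(a) for a in [a0, a1] + arcs[1:])


def parse_oid_list(setting):
    """Split the semicolon-delimited configuration value into a set of OIDs."""
    return {item.strip() for item in setting.split(";") if item.strip()}


def certificate_qualifies(setting, policy_oid_ders):
    """True if any of the certificate's DER-encoded policy OIDs is in the configured list."""
    configured = parse_oid_list(setting)
    return any(decode_oid(der) in configured for der in policy_oid_ders)


if __name__ == "__main__":
    # Constructed inputs: the page's default settings and two sample certificates.
    SIG_SETTING = "2.16.840.1.101.3.2.1.3.6; 2.16.840.1.101.3.2.1.3.7; 2.16.840.1.101.3.2.1.3.16"
    AUTH_SETTING = "2.16.840.1.101.3.2.1.3.13"
    sig_cert_policies = [encode_oid("2.16.840.1.101.3.2.1.3.7")]
    auth_cert_policies = [encode_oid("2.16.840.1.101.3.2.1.3.13")]
    print("signature cert accepted:", certificate_qualifies(SIG_SETTING, sig_cert_policies))
    print("auth cert accepted as signature cert:", certificate_qualifies(SIG_SETTING, auth_cert_policies))
    print("auth cert accepted:", certificate_qualifies(AUTH_SETTING, auth_cert_policies))
```

The decoder deliberately raises on a dangling continuation octet rather than returning a partial OID, so a malformed extension can never be mistaken for a configured value.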
Setting:
Default value: No
Description: When this option is set to Yes, if Entrust returns an existing escrow certificate in response to a request for a new certificate, MyID revokes that certificate and requests the new certificate again. Setting this option returns MyID to its previous behavior; you are recommended to keep this option at the default No for most systems, and set it to Yes only if directed to by Intercede.
Further information: See the Forcing the issuance of new escrow certificates section in the Entrust CA Integration Guide. Note: This option is not relevant for the Entrust CA Gateway.

Setting:
Default value:
Description: Set this option to the name of the Device Identity credential profile.
Further information: See the Setting up iOS OTA provisioning section in the Mobile Identity Management document for details.

Setting:
Default value:
Description: Set this option to a description for the OTA update. This appears in the OTA provisioning message on the mobile device.
Further information: See the Setting up iOS OTA provisioning section in the Mobile Identity Management document for details.

Setting:
Default value:
Description: Set this option to a name for the OTA update. This appears in the OTA provisioning message on the mobile device.
Further information: See the Setting up iOS OTA provisioning section in the Mobile Identity Management document for details.

Setting:
Default value:
Description: Set this option to the name of your organization. This appears in the OTA provisioning message on the mobile device.
Further information: See the Setting up iOS OTA provisioning section in the Mobile Identity Management document for details.

Setting:
Default value: No
Description: When set to Yes, any derived credentials issued have their expiry date limited to the expiry date of the certificate used for derivation. Note: Some CAs do not allow control over the time portion of the certificate expiry. When MyID sets the lifetime of the derived credential, the date is aligned with the lifetime of the deriving certificate, but the time may not match exactly, depending on the certificate authority being used.
Further information: See the MyID configuration options section in the Derived Credentials Self-Service Request Portal for details.

Setting:
Default value: No
Description: Whether certificate revocation reasons are sent to the CA. (Yes means they are not sent.)
Further information: Cannot be edited.

Setting:
Default value: -1
Description: The number of times a certificate can be suspended before it is revoked. (-1 means unlimited.)
Further information:

Setting:
Default value: 0
Description: Specifies the number of certificates to recover per card when creating key recovery jobs.
Further information: Not currently used.

Setting:
Default value:
Description: Specify the URL of the host that a mobile device must use to collect a mobile ID.
Further information:

Setting:
Default value: No
Description: Store a temporary copy of recovered archived certificates to improve the performance of provisioning to mobile devices.
Further information:

Setting:
Default value: No
Description: Allow the renewal of expired certificates through calls to the Credential Web Service API.
Further information: See the Credential Web Service document for details.

Setting:
Default value: Yes
Description: Whether the lifetimes of the certificates are restricted to the lifetime of the card. This may not be supported by all certificate authorities.
Further information:

Setting:
Default value: No
Description: Whether, if the certificate timeout period has been reached, the request must be resubmitted to the CA before the certificate can be collected.
Further information:

Setting:
Default value: Both
Description: Allows you to restrict which software certificates are recovered, depending on the recovery method configured by the certificate profile. Can be one of the following:
  Local Store
  Save to PFX
  Both
Further information: See the Options for recovering soft certificates section in the Operator's Guide.

Setting:
Default value: 0
Description: The time between suspension and revocation.
Further information: See section 6.4, Scheduled certificate revocation operations, for more information on setting MyID to revoke suspended certificates after a given time period.

Setting:
Default value: No
Description: Whether MyID updates the user record with the email address obtained from the certificate used for derived credentials.
Further information: See the Derived Credentials Self-Service Request Portal for details.

Setting:
Default value: No
Description: Whether MyID uses the Entrust CA default certificate lifetimes.
Further information: See the Controlling certificate lifetimes section in the Entrust CA Integration Guide. Note: This option is not relevant for the Entrust CA Gateway.