Abort On Timeout

Ask

Whether the issue process should be canceled if the certificate is taking so long to process that the timeout period is reached.

Allow Certificate User Creation

No

When importing a certificate using the MyID Core API, if you want MyID to create a user based on the information stored in the certificate if the person does not already exist, set this option to Yes.

See the Importing certificates section in the MyID Core API guide.

Allow Collect Later

Yes

Whether a device holder can collect a certificate later if the certificate is taking a long time to issue.

This option is available only in the Issue Card workflow. Other card issuance workflows do not allow you to collect certificates later.

See the Issuing certificates section in the Operator's Guide.

Automated Issuance Time Limit

45

The time to wait for a certificate to be issued when using an automated issuing process.

Card Authentication Certificate ID Format

Decimal

Determines the format of the serial number within the DN of a certificate written to a Card Auth container on a PIV-compatible card. The default is for the numeric components to be decimal values separated by - symbols, but some legacy systems require the serial number in hexadecimal format.

Select one of the following options:

• Decimal – this is the default.

• Hex (lowercase) – the serial number is provided in lower-case hexadecimal characters.

• Hex (uppercase) – the serial number is provided in upper-case hexadecimal characters.

This setting affects only certificates written to the Card Auth container on a device. Note, however, that it does not affect certificates written to the Card Auth container on a mobile device, as the device must have a FASC-N, which mobile devices do not generate.

You may experience problems if you attempt to switch between upper-case and lower-case hexadecimal serial numbers; cardholders with existing issued certificates may not obtain updated serial numbers when their device is reprovisioned. If this occurs, cancel the device, and issue it again as a new PIV credential, which ensures that the certificates are issued with serial numbers in the latest configured format.

Note: This feature is intended for use with Entrust certificate authorities only. Also, this configuration flag is respected only when carrying out the following operations:

• Any Self-Service App operations.

• Any Self-Service Kiosk operations.

• MyID Desktop:

  • Activate Card

  • Assisted Activation

  • Batch Collect Card

  • Collect Card

  • Collect Updates

If you use any other operation that writes certificates to a device, the Card Auth certificate is issued with a decimal serial number, whatever the configured value for the Card Authentication Certificate ID Format configuration option.

Cards Allowed For Derivation

A regular expression matching the ASCII value of the FASC-N for cards to determine whether you can use them to create derived credentials.

See the Derived Credentials Self-Service Request Portal for details.

Certificate Polling Refresh Time

5

The number of seconds between subsequent attempts to collect certificates.

Certificate Recovery Password Complexity

04-08N

Controls the complexity of the password automatically generated for PFX files. It takes the format mm-nnULSN.

Mm = min length

nn = max length

U/u = must/may contain upper case (optional)

L/l = must/may contain lower case (optional)

S/s = must/may contain symbols (optional)

N/n = must/may contain numbers (optional)

This option is also used to determine the complexity of the authentication codes used for mobile device issuance. In this case, you must set the complexity to use numeric characters only; for example 04-08N which means a code of 4 to 8 numbers.

See the Setting the authentication code complexity section in the Mobile Identity Management guide for details.

Certificate Refresh Threshold

15

The number of seconds to wait for a certificate to be issued before deferring issue or canceling process.

If you experience problems when collecting or updating cards, try increasing this option to a higher value; for example, 45.

This problem may manifest with an error similar to:

One of the certificates that have been requested for you has failed to issue.

Certificate Timeout For Deferred Collection

4320

The number of minutes that a certificate will remain valid while waiting for collection. When this limit is reached, the certificate is revoked.

Certificate Timeout For Issuance

20

The number of minutes that a certificate will remain valid while waiting to be issued. When this limit is reached, the certificate is revoked.

Deactivate Card Auth user in Entrust

No

PIV Card Authentication certificates are usually issued to a different subject DN than other certificates. As a result, the Entrust PKI creates an additional user account for this subject.

When this option is set to Yes, the MyID Entrust PKI connector deactivates this additional account when card authentication certificates are revoked.

Set this option to No to disable this behavior.

See the Deactivation of card authentication users section in the Entrust JASTK CA Integration Guide.

Derived credential certificate OID

2.16.840.1.101.3.2.1.3.13

The OID to be checked on the PIV Authentication certificate for derived credentials.

See the Derived Credentials Self-Service Request Portal for details.

Derived Credential Revocation Check Interval

0

The number of hours between repeated revocation checks of the original credentials.

Note: If you set this option to a value greater than 0, it overrides the Derived credential revocation check offset setting.

See the Derived Credentials Self-Service Request Portal for details.

Derived credential revocation check offset

7

The number of days after which MyID checks the original credentials that the cardholder used to request the derived credentials. If the original credentials have been revoked in this period, the derived credentials are also revoked.

See the Derived Credentials Self-Service Request Portal for details.

Derived credential signing certificate OID

2.16.840.1.101.3.2.1.3.6;

2.16.840.1.101.3.2.1.3.7;

2.16.840.1.101.3.2.1.3.16

A semicolon-delimited list of OIDs to be checked on the Digital Signature certificate for derived credentials.

See the Derived Credentials Self-Service Request Portal for details.

Entrust force new escrow

No

When this option is set to Yes, if Entrust returns an existing escrow certificate in response to a request for a new certificate, MyID revokes the certificate and requests the new certificate again.

Setting this option returns MyID to its previous behavior; you are recommended to keep this option at the default No for most systems, and set this option to Yes only if directed to by Intercede.

See the Forcing the issuance of new escrow certificates section in the Entrust CA Integration Guide.

Note: This option is not relevant for the Entrust CA Gateway.

iOS OTA Credential Profile

Set this option to the name of the Device Identity credential profile.

See the Setting up iOS OTA provisioning section in the Mobile Identity Management document for details.

iOS OTA Description

Set this option to the a description for the OTA update. This appears on the OTA provisioning message on the mobile device.

See the Setting up iOS OTA provisioning section in the Mobile Identity Management document for details.

iOS OTA Display Name

Set this option to a name for the OTA update. This appears on the OTA provisioning message on the mobile device.

See the Setting up iOS OTA provisioning section in the Mobile Identity Management document for details.

iOS OTA Organization

Set this option to the name of your organization. This appears on the OTA provisioning message on the mobile device.

See the Setting up iOS OTA provisioning section in the Mobile Identity Management document for details.

Limit derived credential lifetime to deriving credential

No

When set to Yes, any derived credentials issued have their expiry date limited to the expiry date of the certificate used for derivation.

Note: Some CAs do not allow control over the time portion of the certificate expiry. When MyID sets the lifetime of the derived credential, the date is aligned with the lifetime of the deriving certificate, but the time may not match exactly, depending on the certificate authority being used.

See the MyID configuration options section in the Derived Credentials Self-Service Request Portal for details.

Mask Certificate Revocation Code

No

Whether certificate revocation reasons are sent to the CA. (Yes means they are not sent.)

Cannot be edited.

Maximum certificate suspensions

-1

The number of times a certificate can be suspended before it is revoked. (-1 means unlimited)

Maximum keys per card to recover

0

Specifies the number of certificates to recover per card when creating key recovery jobs.

Not currently used.

Mobile Certificate Recovery Service URL

Specify the URL of the host that a mobile device must use to collect a mobile ID.

Pre-recover archived certificates for the rest.provison API

No

Store a temporary copy of recovered archived certificates to improve the performance of provisioning to mobile devices.

Renew Expired Certs Via API

No

Allow the renewing of expired certificates through calls to the Credential Web Service API.

See the Credential Web Service document for details.

Restrict certificate lifetimes to the card

Yes

Whether the lifetimes of the certificates are restricted to the lifetime of the card. This may not be supported by all certificate authorities.

Retry On Collection

No

If a certificate timeout period has been reached, must the request be resubmitted to the CA before the certificate can be collected.

Storage method allowed for certificate recovery

Both

Allows you to restrict the software certificates recovered depending on the recovery method configured by the certificate profile. Can be one of the following:

Local Store

Save to PFX

Both

See the Options for recovering soft certificates section in the Operator's Guide.

Suspend to revoke period

0

The time between suspension and revocation.

See section 6.4, Scheduled certificate revocation operations for more information on setting MyID to revoke suspended certificates after a given time period.

Update email address from derivation

No

Whether MyID updates the user record with the email address obtained from the certificate used for derived credentials.

See the Derived Credentials Self-Service Request Portal for details.

Use Entrust default key update policy

No

Whether MyID uses the Entrust CA default certificate lifetimes.

See the Controlling certificate lifetimes section in the Entrust CA Integration Guide.

Note: This option is not relevant for the Entrust CA Gateway.