3.5 Configuring certificate profiles

The following restrictions are imposed on configuring certificate profiles that are used for issuing certificates to users to ensure that MyID can manage certificates using the CA.

Each configuration field is listed below with its purpose and the recommended setting.

Type
  Purpose: Type of entity using the certificate profile.
  Recommended setting: End Entity

Available key algorithm
  Purpose: List of allowed key algorithms that the public key used in the certificate request must comply with.
  Recommended setting: Select RSA if the profile is to be used for issuing RSA certificates. Select ECDSA if the profile is to be used for issuing ECC certificates. You can use a profile for both RSA and ECDSA keys.

Available bit lengths
  Purpose: List of allowed key sizes that the public key used in the certificate requests must comply with.
  Recommended setting: Ensure that the required bit lengths are selected. Bit lengths supported by MyID are:
    RSA: 1024, 1536, 2048, 3072, and 4096
    ECDSA: 256, 384 and 521

Validity Offset
  Purpose: A validity offset can be configured to handle clock skew. The offset adjusts the certificate validity start/end times when the corresponding validity time is specified as a relative time. The default validity offset is used if an offset is not specified.
  Recommended setting: To prevent a certificate lifetime exceeding the required certificate lifetime, MyID specifies the certificate start time only in terms of relative time. The certificate end time is specified as a fixed time. Hence the validity offset is applied only to the certificate start time.

Allow validity override
  Purpose: Enables the default certificate validity period, specified in the certificate profile, to be overridden by the validity period in the certificate request.
  Recommended setting: Enable. MyID allows the required validity period to be overridden by the setting in the credential profile used to issue the certificate. The policy validity period should not be modified through the Certificate Authorities workflow, as the change would be overwritten on the next policy synchronization.

Allow extension override
  Purpose: When enabled, allows X.509 certificate extensions featured in a certificate request to be honored. Externally supplied extensions are added "as-is"; matching extensions already supplied in the certificate profile are overridden. Further override control can be provided by a comma-separated list of OIDs specifying the extensions that may (or may not) be overridden. When this option is disabled, the default certificate profile extensions are used and the end entity subject DN is taken from the registered entity LDAP setting.
  Recommended setting: Enable. MyID provides dynamic extension data that is written to the certificate.

Allow subject DN override by CSR
  Purpose: Allows the X.509 subject DN in a certificate to come directly from the PKCS#10 included in the certificate request rather than from the registered end entity LDAP DN entry.
  Recommended setting: You must disable this option for certificate profiles that are used for key escrow policies, as a PKCS#10 is not provided in the certificate request for these policies. Normally this option is enabled for non-key escrow policies, although you can disable the option if the subject DN is being generated using the policy attributes or a custom DN order is required using the certificate profile's Custom DN Order setting. See section 3.8.3, Configuring attributes, for information on configuring policy attributes.

Allow subject DN override by End Entity Information
  Purpose: Allows the X.509 subject DN in a certificate to come from the end entity information rather than the subject DN supplied in the certificate request.
  Recommended setting: Disabled. MyID configures the end entity being used for the certificate request with the same subject DN as that provided in the request, although this may not be the same as that provided in the CSR for a non-key certificate request. Disabling this option ensures that the required subject DN is taken from the certificate request, rather than using information stored against the End Entity within EJBCA. You are recommended to disable this option, as its main use is when EJBCA is being used as a Certificate Management System. You must disable both this option and the Allow subject DN override by CSR option if you are using the Custom Subject DN Order setting in the certificate profile.

Allow Key Usage Override
  Purpose: When enabled, allows the key usage to be overridden by the certificate request.
  Recommended setting: Disabled (default). The option is not currently used by MyID.

Use certificate storage
  Purpose: Issued certificates are stored in the database to provide certificate management and CRLs.
  Recommended setting: Enabled. Note: This may affect certificate issuance performance.

CRL Distribution point
  Purpose: The CRL Distribution point information enables a client to verify a certificate using the provided URI.
  Recommended setting: Enable

Certificate Policies
  Purpose: Policy OIDs may be set to indicate that certificates issued using this profile are for a specific purpose.
  Recommended setting: Enable the Use option and specify the required policy OIDs to ensure that certificates issued using the profile assert the required policy OID as specified by the appropriate common policy requirement; for example, PIV model policies may be required to assert policy OIDs to satisfy the X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework.

X.509v3 extensions
  Purpose: This group of configuration options controls which X.509v3 validation-data extension URIs are asserted by certificates issued with this profile.
  Recommended setting: Enable the Use option for the extensions according to the common policy requirements; for example, PIV model policies may be required to assert the CRL Distribution Points and the OCSP Service Locator URIs. It is recommended that the URI values are inherited from the CA configuration rather than being specified within the profile.

Used Custom Certificate Extensions
  Purpose: Selects custom extensions, configured through the custom data in System Configuration, as described in section 3.9, Configuring custom certificate extensions. Selected custom extensions are, by default, treated as mandatory, and the extension default value is used if an override value is not provided in the certificate request.
  Recommended setting: Select the required configured custom extensions. Custom extensions, as described in section 3.9.1, Setting up the custom extensions in MyID, are added to a policy only if at least one custom extension has been selected in the corresponding certificate profile.

Approval settings
  Purpose: Provides default approval settings for the relevant options.
  Recommended setting: None (default). Enabling these prevents operations being completed until the operation has been approved.

Available CAs
  Purpose: Determines which CAs can use this certificate profile for certificate issuance.
  Recommended setting: You must at least select the CA that was specified in the CA Path field when configuring the CA through the Certificate Authorities workflow.

Publishers
  Purpose: Controls where the certificate is published.
  Recommended setting: Select if certificates issued using the certificate profile are required to be published.

Single Active Certificate Constraint
  Purpose: Controls if multiple active certificates can be issued to an end entity.
  Recommended setting: Disable (default). Enabling this option prevents MyID from issuing multiple certificates using the same certificate policy.
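As an added example that is not part of the MyID or EJBCA documentation, the following Python linter checks a simplified, constructed dict view of a certificate profile against the recommended settings above, including the cross-field rules for key escrow and Custom DN Order. The dict key names are assumptions rather than EJBCA's export format, and the key_escrow and ca_path fields describe the MyID side of the setup.

```python
# Added example, not MyID or EJBCA code: lint a constructed dict view of a
# certificate profile against the section 3.5 recommendations. The key names are
# assumptions; "key_escrow" and "ca_path" describe the MyID side of the setup.
RSA_BITS = {1024, 1536, 2048, 3072, 4096}   # bit lengths MyID supports for RSA
ECDSA_BITS = {256, 384, 521}                # bit lengths MyID supports for ECDSA


def lint_profile(profile: dict) -> list:
    """Return findings as 'field: advice' strings; an empty list means compliant."""
    f = []
    if profile.get("type") != "End Entity":
        f.append("type: must be End Entity")
    algs = set(profile.get("key_algorithms", []))
    if not algs or not algs <= {"RSA", "ECDSA"}:
        f.append("key_algorithms: select RSA and/or ECDSA only")
    # Every selected bit length must be one MyID supports for a selected algorithm.
    allowed = (RSA_BITS if "RSA" in algs else set()) | (ECDSA_BITS if "ECDSA" in algs else set())
    bad_bits = set(profile.get("bit_lengths", [])) - allowed
    if bad_bits:
        f.append(f"bit_lengths: {sorted(bad_bits)} not supported by MyID")
    if not profile.get("allow_validity_override"):
        f.append("allow_validity_override: enable (the credential profile sets the lifetime)")
    if not profile.get("allow_extension_override"):
        f.append("allow_extension_override: enable (MyID supplies dynamic extensions)")
    csr_dn = profile.get("allow_subject_dn_override_by_csr", False)
    ee_dn = profile.get("allow_subject_dn_override_by_ee", False)
    if ee_dn:
        f.append("allow_subject_dn_override_by_ee: disable (EJBCA is not the CMS here)")
    if profile.get("key_escrow") and csr_dn:
        f.append("allow_subject_dn_override_by_csr: disable for key escrow (no PKCS#10 in request)")
    if profile.get("custom_dn_order") and (csr_dn or ee_dn):
        f.append("custom_dn_order: disable both subject DN override options")
    if profile.get("allow_key_usage_override"):
        f.append("allow_key_usage_override: disable (not used by MyID)")
    if not profile.get("use_certificate_storage", True):
        f.append("use_certificate_storage: enable (needed for management and CRLs)")
    if not profile.get("crl_distribution_point"):
        f.append("crl_distribution_point: enable")
    if profile.get("ca_path") not in profile.get("available_cas", []):
        f.append("available_cas: must include the CA named in the CA Path field")
    return f


# Constructed sample: an RSA profile that breaks several of the recommendations.
SAMPLE_PROFILE = {
    "type": "End Entity", "key_algorithms": ["RSA"], "bit_lengths": [2048, 512],
    "allow_validity_override": False, "allow_extension_override": True,
    "allow_subject_dn_override_by_csr": True, "allow_subject_dn_override_by_ee": True,
    "custom_dn_order": True, "crl_distribution_point": True,
    "ca_path": "CN=Issuing CA", "available_cas": ["CN=Issuing CA"],
}
```

Running lint_profile(SAMPLE_PROFILE) reports the unsupported 512-bit length, the disabled validity override, the enabled end-entity DN override, and the Custom DN Order conflict.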