3.6 Configuring end entity profiles

The following restrictions are imposed on configuring end entity profiles that are used for issuing certificates to users to ensure that MyID can manage certificates using the CA.

Each entry below gives the configuration field, its purpose, and the recommended setting.

Username
  Purpose: Controls whether the username for the end entity is automatically generated.
  Recommended setting: Disable auto-generated. MyID provides the username based on the end entity profile name.

Password (Enrolment Code)
  Purpose: The password is used for key and certificate recovery.
  Recommended setting: Disable auto-generated. Enable the Required option for profiles used for key escrow certificates, as a password is required to recover the server-generated key pair. Passwords are not required for non-key escrow certificates, as certificates issued using the profile do not need to be recovered.

Maximum number of failed login attempts
  Purpose: Used when EJBCA is also validating login attempts using the configured password.
  Recommended setting: Disable.

Batch generation (clear text pwd storage)
  Purpose: The password is used to authenticate PKI requests.
  Recommended setting: Disable.

End Entity E-mail
  Purpose: The e-mail address is used for notifications.
  Recommended setting: Disable. EJBCA is not used for sending notifications.

Subject DN Attributes
  Purpose: Controls which DN attributes can be configured in the Subject DN. This configuration is used to populate the certificate policy extensions in MyID. See section 3.9.3, Additional attribute settings.
  Recommended setting: For each attribute:
    • Enable the Required option if the attribute is mandatory. A certificate request will fail if a mandatory attribute is not supplied in the request, even if the subject DN attributes are being taken from the supplied PKCS#10 data. See section 3.8.1, Enabling certificates policies on a CA, for details of mapping policy attributes in MyID.
    • Enable the Modifiable option if the value can be modified. This option is normally enabled unless there is a specific reason for wanting a static attribute value in the issued certificates. You must specify a static value for any non-modifiable attribute; in this case the attribute must also be configured with the same value in MyID.
  When configuring an End Entity profile for key escrow certificates, or when using a certificate profile that uses the Subject DN supplied in the certificate request, the Subject DN components must cater for every DN component that the certificate requires. Any DN component that is not specified in this section will not be supplied in the certificate request.
  Where the supplied subject DN may contain repeated DN components, the number of such components configured in the profile must be greater than or equal to the maximum number that can appear in the supplied DN. For example, if the supplied DN could have three OU components, the profile must also have at least three OU components.

Other Subject Attributes
  Purpose: Controls which SAN and Subject Directory attributes are required to be configured in this certificate policy. This configuration is used to populate the certificate policy extensions in MyID.
  Recommended setting: As for Subject DN Attributes.
  When adding the RFC 822 Name attribute, the Use entity e-mail field option is automatically enabled and the Modifiable option is disabled. An e-mail address is not set for an end entity, so you must disable the Use entity e-mail field option. The Modifiable option must also be enabled, but initially it may remain disabled; in this case, save the profile and then re-edit it to set the Modifiable option.

Default Certificate Profile
  Purpose: The certificate profile used if a certificate profile is not specified in the certificate request.
  Recommended setting: MyID does not specify a certificate profile in the certificate requests it submits, so the default certificate profile is always used.

Available Certificate Profiles
  Purpose: Controls which certificate profiles can be used in a certificate request made using this profile.
  Recommended setting: You can leave this list unselected, as the default certificate profile is added even if it has not been selected.

Available CAs
  Purpose: Determines which CAs can use this profile for certificate issuance.
  Recommended setting: Select at least the CA selected in the certificate profile referenced by this profile. Ensure that this profile does not reference a CA, including the default CA, that is not referenced by the referenced certificate profile.

Default Token
  Purpose: Controls the types of certificates that may be issued using this profile.
  Recommended setting: Must select User Generated. Must also select P12 token for key escrow certificate policies.

Key recoverable
  Purpose: Identifies that the profile can be used to recover the server-generated encryption keys.
  Recommended setting: Check Use if the profile is to be used for issuing key escrow certificates; otherwise, leave this option unchecked. When Use is checked, you must also check Default and Reuse old certificate, to prevent additional certificates being created unnecessarily.

Send Notifications
  Purpose: A notification is sent when a certificate is available for collection.
  Recommended setting: Leave unset. PrimeKey EJBCA must not be used for sending notifications.

Note: For the Key Management End Entity, you must make sure that the minimum password strength is set to a value higher than 0. If the minimum password strength is set to 0, the key management certificate is not issued.

3.6.1 Certificate Request Subject DN generation

MyID automatically generates the subject DN for the certificate request from any configured certificate policy attributes and the supplied user DN. Where the same DN component is present in both the certificate policy attributes and the user DN, the certificate policy attribute takes priority. Only those subject DN components that have been configured as allowed in the corresponding End Entity Profile are included in the generated subject DN.
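The following example, added here and not MyID or EJBCA code, models the subject DN rules stated above and in the Subject DN Attributes entry of section 3.6: policy attributes override the same component in the user DN, components not configured in the End Entity Profile are dropped, a missing Required attribute fails the request, and (an assumption, since the text only states the configuration constraint) exceeding the profile's configured count for a repeated component is also treated as a failure. The PROFILE structure, the sample DNs and the function names are constructed for illustration.

```python
import re

# Constructed End Entity Profile: DN attribute type -> (max count allowed, Required)
# (assumed structure; a real EJBCA profile is edited in the Admin GUI)
PROFILE = {"CN": (1, True), "OU": (3, False), "O": (1, True), "C": (1, True)}

def parse_dn(dn):
    """Split 'CN=Alice,OU=Sales' into [(type, value), ...] in order,
    leaving escaped commas (\\,) inside a value untouched."""
    pairs = []
    for part in re.split(r'(?<!\\),', dn):
        if part.strip():
            attr_type, _, value = part.strip().partition("=")
            pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs

def generate_subject_dn(policy_attrs, user_dn, profile):
    """Build the request subject DN following the rules in 3.6 and 3.6.1:
    a policy attribute replaces the same component type from the user DN,
    component types not configured in the profile are not supplied, and
    missing Required attributes fail the request. Exceeding the profile's
    configured count for a type is also treated as a failure (assumption)."""
    policy = {}
    for attr_type, value in parse_dn(policy_attrs):
        policy.setdefault(attr_type, []).append(value)
    merged, replaced = [], set()
    for attr_type, value in parse_dn(user_dn):
        if attr_type not in policy:
            merged.append((attr_type, value))
        elif attr_type not in replaced:          # policy value takes priority
            merged.extend((attr_type, v) for v in policy[attr_type])
            replaced.add(attr_type)
    for attr_type, values in policy.items():     # policy-only components
        if attr_type not in replaced:
            merged.extend((attr_type, v) for v in values)
    result, counts = [], {}
    for attr_type, value in merged:
        if attr_type not in profile:             # not allowed by the EEP: dropped
            continue
        counts[attr_type] = counts.get(attr_type, 0) + 1
        if counts[attr_type] > profile[attr_type][0]:
            raise ValueError(f"profile allows at most {profile[attr_type][0]} {attr_type} component(s)")
        result.append((attr_type, value))
    missing = [t for t, (_, required) in profile.items() if required and t not in counts]
    if missing:
        raise ValueError("required attribute(s) not supplied: " + ", ".join(missing))
    return ",".join(f"{t}={v}" for t, v in result)
```

With the constructed PROFILE, a user DN containing an L component loses it in the generated request, and a fourth OU or a missing O is rejected before the request is sent.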