2 Prerequisites

The MyID application server must be able to communicate using secure HTTP/TLS with the web service that is hosting the CA.

You must obtain an appropriate RA certificate for a configured PrimeKey jurisdiction.

PrimeKey EJBCA Enterprise PKI is a public-key PKI certification platform for registration agents and remote users.

• Create and configure the following entities:

  • CA functions:

    • Certification Authority (CA).
    • Crypto tokens (for storing CA keys).

    • Publishers (if required).

      EJBCA provides support for publishing certificates to LDAP and Active Directory. Custom publishers require customized plug-ins.

      See section 3.4, Configuring certification authorities when configuring a CA for use within MyID.

  • System functions:

    • Administration Roles.

      These roles are used to control access to CAs and administrator functions.

    • Services.

      Various timed services are available to carry out periodic system functions and checks. Services for publishing CRLs and publishing certificates must be enabled. The HSM service is required if using HSM for storing cryptographic tokens.

      The supported services you may need to configure are:

      • CRLUpdater to periodically update the CRL from the required CAs.
      • PublisherQueueChecker to periodically check the publication queue.

    • Configure the following Custom Certificate Extensions:

      • NACI (PIV-only)

      • UserSid (PIV and Enterprise)

      See section 3.9.2, Certificate extension OIDs.

• Configure the certificate profiles.

  These determine the non-user specific content and behavior of certificates. The largest part of the settings controls the information that is included in a certificate that is issued using the certificate profile, and the source of the information. See section 3.5, Configuring certificate profiles for constraints when configuring a certificate profile for use within MyID.

• Configure end entity profiles.

  These are used to control the information that is present when configuring an end entity. An end entity profile specifies one or more certificate profiles that is used when generating certificates. The combination of an end entity profile and a certificate profile is used to control the information that is present in an issued certificate.

  Although an end entity profile may reference multiple certificate profiles, MyID treats the combination of an end entity profile and a certificate profile as a certificate policy, and therefore end entity profiles used within MyID must reference only a single certificate profile.

  See section 3.6, Configuring end entity profiles for constraints when configuring end entity profiles for use within MyID.

See the PrimeKey EJBCA documentation for details on how to configure the above entities.