3.3 Configuring additional attributes
You can set up MyID to provide additional attributes to Symantec MPKI in the certificate request.
You can then use these fields in Symantec Managed PKI Control Center – you can use some fields to search for certificates, and the values for the other fields are displayed in the search results.
The Symantec documentation provides a list of which attributes you can use in the enrollment request. Some fields are searchable, while other fields are non-searchable but will be returned in the search results.
Currently, you can use the following fields as searchable fields:
Name | Type | Description |
---|---|---|
common_name | VT_PRINTABLE_STRING | Common name |
mail_email | VT_IA5_STRING | |
You can also use the following non-searchable fields:
Name | Type | Description |
---|---|---|
additional_field4 | VT_T61_STRING | Additional Field 4 |
additional_field5 | VT_T61_STRING | Additional Field 5 |
employeeID | VT_T61_STRING | Employee ID |
mailStop | VT_T61_STRING | Address |
country | VT_PRINTABLE_STRING | Two letter country code. For example, US, UK. |
additional_field6 | VT_T61_STRING | Additional Field 6 |
jobTitle | VT_T61_STRING | Job title |
locality | VT_T61_STRING | Locality |
state | VT_T61_STRING | State |
3.3.1 Setting up the additional attributes
The availability of additional searchable and non-searchable attributes in the MyID Certificate Authorities workflow is determined by the SymantecMPKIConnector.xml configuration file in the MyID Components folder on the MyID application server; by default, this is:
C:\Program Files\Intercede\MyID\Components\
By default, the configuration file contains all of the available additional attributes. However, you can configure this file if necessary.
For example, for the Common Name searchable attribute, use an <Extension> block like:
<Extension displayType="recommended">
  <Name>common_name</Name>
  <DisplayName>Common Name (Searchable)</DisplayName>
</Extension>
with a displayType of "recommended".
For the Employee ID non-searchable attribute, use an <Extension> block like:
<Extension displayType="optional">
  <Name>employeeID</Name>
  <DisplayName>Employee ID (Non-searchable)</DisplayName>
</Extension>
with a displayType of "optional".
Note: After you have made any changes to this file, you must restart the service:
- From the Windows Administrative Tools, double-click Services.
- Right-click the eCertificate Services Server service, then from the popup menu click Restart.
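Before restarting the service, it is worth checking an edited file for malformed XML, mistyped attribute names and missing displayType values. The following PowerShell check is an added example, not code from Intercede or Symantec; the function name Test-MpkiExtension and the sample's root element are hypothetical, and it assumes the file uses no XML namespace.

```powershell
# Added example (not Intercede or Symantec code): lint <Extension> blocks before
# restarting the service. Assumes no XML namespace; blocks may sit at any depth.

# Attribute names listed in section 3.3 (searchable first, then non-searchable).
$Documented = @('common_name', 'mail_email',
    'additional_field4', 'additional_field5', 'additional_field6',
    'employeeID', 'mailStop', 'country', 'jobTitle', 'locality', 'state')
# The only displayType values this section shows.
$ShownTypes = @('recommended', 'optional')

function Test-MpkiExtension {
    param([Parameter(Mandatory = $true)][xml]$Config)  # cast throws if not well-formed
    $seen = @{}
    foreach ($ext in $Config.SelectNodes('//Extension')) {
        $nameNode = $ext.SelectSingleNode('Name')
        $name = if ($null -ne $nameNode) { $nameNode.InnerText.Trim() } else { '' }
        $type = $ext.GetAttribute('displayType')  # '' when the attribute is absent
        $issues = @()
        # Names are compared case-sensitively (a conservative assumption).
        if (-not $name) { $issues += 'missing <Name>' }
        elseif ($Documented -cnotcontains $name) { $issues += 'name is not in the documented list' }
        elseif ($seen.ContainsKey($name)) { $issues += 'duplicate <Name>' }
        if ($ShownTypes -cnotcontains $type) { $issues += "displayType '$type' is not a value shown in this section" }
        if ($name) { $seen[$name] = $true }
        foreach ($issue in $issues) {
            [pscustomobject]@{ Name = $name; DisplayType = $type; Issue = $issue }
        }
    }
}

# Constructed sample; the root element name is hypothetical. The second block
# misspells employeeID and the third omits displayType.
$sample = @'
<Extensions>
  <Extension displayType="recommended">
    <Name>common_name</Name><DisplayName>Common Name (Searchable)</DisplayName>
  </Extension>
  <Extension displayType="optional">
    <Name>employeeId</Name><DisplayName>Employee ID (Non-searchable)</DisplayName>
  </Extension>
  <Extension>
    <Name>jobTitle</Name><DisplayName>Job Title (Non-searchable)</DisplayName>
  </Extension>
</Extensions>
'@
Test-MpkiExtension -Config $sample | Format-Table -AutoSize
```

To check the real file, pass its contents instead of the sample, for example with Get-Content -Raw on SymantecMPKIConnector.xml in the Components folder.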
3.3.2 Mapping the additional attributes
You must use the Edit Attributes option for each certificate policy in the Certificate Authorities workflow to set up a mapping or a static value for each of the additional attributes that you want to pass in the certificate request. See section 3.2.1, Enabling certificates on a CA for details.