certificate profile, the issued certificate contains the information specified in the defaults and will be
valid for two years. If the user submits a pre-formatted request for a certificate with a validity period of
four years, the request is rejected, since the constraints allow a maximum validity period of two years
for this type of certificate.
A set of certificate profiles has been predefined for the most common certificates issued. These
certificate profiles define defaults and constraints, associate the authentication method, and define the
inputs and outputs needed for the certificate profile.
Modifying the Certificate Profile Parameters
The parameters of the default certificate profiles can be modified; this includes the authentication
method, the defaults, the constraints used in each profile, the values assigned to any of the parameters
in a profile, the input, and the output. It is also possible to create new certificate profiles for other types
of certificates or for creating more than one certificate profile for a certificate type. There can be
multiple certificate profiles for a particular type of certificate to issue the same type of certificate with a
different authentication method or different definitions for the defaults and constraints. For example,
there can be two certificate profiles for enrollment of TLS server certificates where one certificate
profile issues certificates with a validity period of six months and another certificate profile issues
certificates with a validity period of two years.
An input defines a text field in the enrollment form and the kind of information that must be gathered from
the end entity; this includes setting the text area into which a certificate request is pasted, which allows a
request to be created outside the input form with any of the required request information. The input
values are set as values in the certificate. The default inputs are not configurable in the
Certificate System. Only CMC requests are accepted.
An output specifies how the response page to a successful enrollment is presented. It usually displays
the certificate in a user-readable format. Some default outputs show a printable version of the resultant
certificate; other outputs set the type of information generated at the end of the enrollment, such as
PKCS #7. Only the CMC response output is returned for a CMC full response, and PKCS #7 for a CMC simple
response.
Policy sets are sets of constraints and default extensions attached to every certificate processed
through the profile. The extensions define certificate content such as validity periods and subject name
requirements.
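As an added illustration (not Certificate System's own code), the following Python model shows how a policy set applies each default and then enforces the matching constraint on an enrollment request, using the two-year validity case described above. The profile, its field names, the day-based validity values and the subject-name pattern are all constructed for this example.

```python
import re

# Constraint factories: each returns a check function that yields None when the
# value is acceptable, or a rejection reason otherwise (constructed model).
def validity_range_constraint(max_days):
    def check(value):
        if value > max_days:
            return f"validity of {value} days exceeds profile maximum of {max_days} days"
        return None
    return check

def subject_name_constraint(pattern):
    compiled = re.compile(pattern)
    def check(value):
        if not compiled.fullmatch(value):
            return f"subject name {value!r} does not match pattern {pattern!r}"
        return None
    return check

# A constructed TLS server profile: each policy is (field, default, constraint).
# Validity is expressed in days; 730 days stands in for the two-year maximum.
TLS_SERVER_PROFILE = {
    "name": "example TLS server profile (constructed)",
    "policies": [
        ("validity", 730, validity_range_constraint(730)),
        ("subject", None, subject_name_constraint(r"CN=[^,]+,O=Example Corp")),
    ],
}

def process_request(profile, request):
    """Fill in defaults for fields the request omits, then run every constraint.

    Returns (True, certificate_fields) on acceptance or (False, reason) on rejection.
    Defaults are checked too, so a mis-set default cannot bypass a constraint.
    """
    cert = {}
    for field, default, check in profile["policies"]:
        value = request.get(field, default)
        if value is None:
            return False, f"required field {field!r} was not supplied"
        reason = check(value)
        if reason is not None:
            return False, reason
        cert[field] = value
    return True, cert
```

A request that omits the validity field receives the two-year default; a pre-formatted request asking for four years (1460 days) is rejected by the constraint.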
Certificate Profile Administration
An administrator sets up a certificate profile by associating an existing authentication plug-in, or
method, with the certificate profile; enabling and configuring defaults and constraints; and defining
inputs and outputs. The administrator can use the existing certificate profiles, modify the existing
certificate profiles, create new certificate profiles, and delete any certificate profile that will not be used
in this PKI.
Once a certificate profile is set up, it appears on the Manage Certificate Profiles page of the agent
services page where an agent can approve, and thus enable, a certificate profile. Once the certificate
profile is enabled, it appears on the Certificate Profile tab of the end-entities page where end entities
can enroll for a certificate using the certificate profile.
The certificate profile enrollment page in the end-entities interface contains links to each certificate
profile that has been enabled by the agents. When an end entity selects one of those links, an enrollment
page appears containing an enrollment form specific to that certificate profile. The enrollment page is
dynamically generated from the inputs defined for the profile. If an authentication plug-in is configured,
additional fields may be added to authenticate the user.
When an end entity submits a certificate profile request that is associated with an agent-approved
(manual) enrollment, that is, an enrollment where no authentication plug-in is configured, the certificate
request is queued in the agent services interface. The agent can change some aspects of the