System information
agent can approve, and thus enable, a certificate profile. Once the certificate profile is enabled,
it appears on the Certificate Profile tab of the end entities page, so end entities can enroll for a
certificate using the certificate profile.
The certificate profile enrollment page contains links to each type of certificate profile enrollment
that has been enabled. When an end entity selects one of those links, an enrollment page
appears, containing the enrollment form specific to that certificate profile. The enrollment page
for the certificate profile in the end entities page is dynamically generated from the inputs
defined for the certificate profile. If an authentication plug-in is configured, additional fields may
be added that are needed to authenticate the user with that authentication method.
A manual enrollment is a request submitted through a certificate profile that has no
authentication plug-in configured. When the end entity submits such a request, the request is
queued in the agent services page as a certificate profile enrollment request. The agent can
change the request, reject it, change its status, or approve it. The agent can also update the
request without submitting it, or validate that the request adheres to the profile's defaults and
constraints. Agents are bound by the constraints set in the profile; they cannot change a
request in a way that violates a constraint. Once the agent's signed approval is processed, the
certificate is issued immediately.
When a certificate profile is associated with an authentication method, the request generates a
certificate automatically if the user successfully authenticates, all required information is
provided, and the request does not violate any of the constraints set for the certificate profile.
The issued certificate contains the default content for the certificate profile (such as the
extensions and validity period), and each default is bounded by the constraint set for it. A profile
can contain more than one policy set (a group of default and constraint pairs); within a set, a
default and its constraint are paired by giving both the same policy ID. The server evaluates one
policy set per certificate request. When a single certificate is issued, only the first policy set is
evaluated, and any other sets are ignored. When dual key pairs are issued, the first policy set is
evaluated with the first certificate request, and the second set is evaluated with the second
certificate request. There is therefore no need for more than one policy set when issuing single
certificates, or more than two sets when issuing dual key pairs.
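The pairing of defaults and constraints by policy ID, the rule that an agent's edits cannot push a request past a constraint, and the selection of one policy set per certificate request can be modelled directly. The following Python is an added example, not code from the Certificate System or from this guide. Its profile keys are a simplified model of a profile configuration file rather than the server's own format, and the class names (subjectName, validity, keyUsage), their parameters and the $request.uid$ placeholder are illustrative assumptions.

```python
"""Toy model of certificate-profile policy sets: every policy pairs a default
(fills in certificate content) with a constraint (a bound that neither the
enrollee nor an agent may cross), matched by the same policy ID in a set."""
import re
from dataclasses import dataclass

# Constructed sample profile. The key layout is a simplified model of a profile
# configuration file (an assumption made for this example), not the server's
# own format; the class names and parameters are illustrative.
SAMPLE_PROFILE = """
policyset.list=signingSet,encryptionSet
policyset.signingSet.list=1,2,3
policyset.signingSet.1.default.class=subjectName
policyset.signingSet.1.default.params.pattern=CN=$request.uid$,OU=People,O=Example
policyset.signingSet.1.constraint.class=subjectName
policyset.signingSet.1.constraint.params.pattern=CN=[^,]+,OU=People,O=Example
policyset.signingSet.2.default.class=validity
policyset.signingSet.2.default.params.range=180
policyset.signingSet.2.constraint.class=validity
policyset.signingSet.2.constraint.params.range=365
policyset.signingSet.3.default.class=keyUsage
policyset.signingSet.3.default.params.usage=digitalSignature
policyset.signingSet.3.constraint.class=keyUsage
policyset.signingSet.3.constraint.params.allowed=digitalSignature
policyset.encryptionSet.list=1,2
policyset.encryptionSet.1.default.class=subjectName
policyset.encryptionSet.1.default.params.pattern=CN=$request.uid$,OU=People,O=Example
policyset.encryptionSet.1.constraint.class=subjectName
policyset.encryptionSet.1.constraint.params.pattern=CN=[^,]+,OU=People,O=Example
policyset.encryptionSet.2.default.class=keyUsage
policyset.encryptionSet.2.default.params.usage=keyEncipherment
policyset.encryptionSet.2.constraint.class=keyUsage
policyset.encryptionSet.2.constraint.params.allowed=keyEncipherment
"""

@dataclass
class Policy:
    policy_id: str
    default: dict      # e.g. {"class": "validity", "range": "180"}
    constraint: dict   # e.g. {"class": "validity", "range": "365"}

def parse_profile(text):
    """Return {policy set name: [Policy, ...]} in the order the profile lists them."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            props[key] = value
    sets = {}
    for set_name in props["policyset.list"].split(","):
        policies = []
        for pid in props[f"policyset.{set_name}.list"].split(","):
            prefix = f"policyset.{set_name}.{pid}."
            # The default and the constraint carrying the same ID form one policy.
            policies.append(Policy(pid, _params(props, prefix + "default."),
                                   _params(props, prefix + "constraint.")))
        sets[set_name] = policies
    return sets

def _params(props, prefix):
    return {k[len(prefix):].replace("params.", ""): v
            for k, v in props.items() if k.startswith(prefix)}

# A default only fills a field the request left unset (setdefault), so a value
# supplied by the enrollee or edited by an agent reaches the constraint check.
DEFAULTS = {
    "subjectName": lambda p, req, cert: cert.setdefault(
        "subject", p["pattern"].replace("$request.uid$", req["uid"])),
    "validity": lambda p, req, cert: cert.setdefault("validity_days", int(p["range"])),
    "keyUsage": lambda p, req, cert: cert.setdefault("key_usage", p["usage"]),
}
CONSTRAINTS = {
    "subjectName": lambda p, cert: re.fullmatch(p["pattern"], cert["subject"]) is not None,
    "validity": lambda p, cert: cert["validity_days"] <= int(p["range"]),
    "keyUsage": lambda p, cert: cert["key_usage"] == p["allowed"],
}

def evaluate(policy_set, request, overrides=None):
    """Evaluate one request against one policy set. `overrides` models fields an
    agent edited before approval. Returns (certificate content, []) on success or
    (None, violations) if any constraint fails: an agent edit cannot get a
    violating request issued."""
    cert = dict(overrides or {})
    for p in policy_set:
        DEFAULTS[p.default["class"]](p.default, request, cert)
    violations = [f"policy {p.policy_id} ({p.constraint['class']}) violated"
                  for p in policy_set
                  if not CONSTRAINTS[p.constraint["class"]](p.constraint, cert)]
    return (None, violations) if violations else (cert, [])

def issue(profile, requests, overrides=None):
    """A single request uses only the first policy set; dual key pairs evaluate
    request i against policy set i. Any further sets are ignored."""
    sets = list(profile.values())
    if len(requests) > len(sets):
        raise ValueError("profile has fewer policy sets than certificate requests")
    overrides = overrides or [None] * len(requests)
    return [evaluate(sets[i], req, overrides[i]) for i, req in enumerate(requests)]
```

Running evaluate(parse_profile(SAMPLE_PROFILE)["signingSet"], {"uid": "jdoe"}) fills the subject, a 180-day validity and digitalSignature from the defaults; the same call with overrides={"validity_days": 400} is rejected by policy 2 because the agent's edit exceeds the 365-day constraint, while a shorter validity of 90 days is accepted. Calling issue with two requests evaluates the first against signingSet and the second against encryptionSet, which is the dual key pair case.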
5. Enabling and Disabling Certificate Profiles
Any certificate profiles that have been configured by an administrator are listed in the Manage
Certificate Profiles page of the agent services page, which is accessed through the Manage
Certificate Profiles link in the left menu of the CA agent services page.
The Manage Certificate Profiles page lists all of the certificate profiles that have been set up
by an administrator. For each profile it shows the name of the certificate profile, a short
description, whether it is an end user certificate profile, whether the certificate profile has
been approved and enabled, and, if approved, the ID of the agent who approved it.
5.1. Getting Certificate Profile Information
Information about any certificate profile is available by clicking the name of the certificate profile,
Chapter 3. CA: Working with Certificate Profiles
28