
Certificate Profile

A certification request can have an associated Profile in it. In general, profiles restrict the allowable fields in a request by removing all extensions that are not explicitly set by the profile. They can also change the names in a request and add extra extensions with default values if they are not present in the request.

Note: The profiles are processed only if the relevant CA policy contains an Apply Profile or Apply Request Profile policy module. See Section Policy Modules.

The following certificate profiles are sample profiles that might not work in all cases. Because PKI-enabled applications, such as routers and e-mail clients, have different requirements for the certificate extensions and fields, you need to be aware of what kind of certificates a specific installation requires. Also, sometimes it makes sense to have a certificate for multiple purposes. New certificate profiles can be easily created for environments where the following sample profiles are not enough. Contact SSH Tectia Certifier technical support at http://www.ssh.com/support/ if you need customized certificate profiles.

  • Email

    A profile for e-mail (S/MIME) certificates.

    • Copies the Email subject alternative name from the request to the certificate template.

      Fails if it is not present.

    • Sets the Digital Signature, Non Repudiation, Key Encipherment, and Data Encipherment key usage bits.
    • Sets the ekuEmailProtection extended key usage OID.

  • TLS

    A profile for TLS certificates.

    • Copies the Email subject alternative name from the request to the certificate template.

      Fails if it is not present.

    • Sets the Digital Signature and Key Encipherment key usage bits.
    • Sets the ekuServerAuth and ekuClientAuth extended key usage OIDs.

  • IPSEC

    A profile for IPSec certificates.

    • Copies the IP subject alternative name from the request to the certificate template.

      Fails if it is not present.

    • If present, copies the Email subject alternative name from the request to the certificate template.
    • Sets the Digital Signature, Key Encipherment, and Data Encipherment key usage bits.

  • Windows 2000 logon with smart cards

    A profile for Microsoft Windows smart card logon certificates. Note that this profile requires a pre-configured entity with the UPN attribute.

    • Copies the UPN attribute of the entity to the UPN subject alternative name of the certificate template.

      Fails if it is not present.

    • Sets the Digital Signature and Key Encipherment key usage bits.
    • Sets the ekuSmartCardLogon and ekuClientAuth extended key usage OIDs.
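The following is an added example, not Certifier's own code, that models how the Email, TLS, and IPSEC profiles above rewrite a request into a certificate template: extensions the profile does not set are dropped, required subject alternative names are copied or the profile fails, and key usage and extended key usage are set to the profile's values. The request/template dictionary layout, the extension and bit names, and the treatment of key usage as a replacement rather than a merge are assumptions; the smart card logon profile is omitted because it reads the UPN from the entity rather than the request.

```python
# Added example: a minimal model of certificate profile processing.
# Structure and names are assumptions, not Certifier's internal format.

class ProfileError(Exception):
    """Raised when a required request field is absent (the profile fails)."""

# copy_san maps a SAN kind to whether the profile requires it.
PROFILES = {
    "Email": {
        "copy_san": {"email": True},
        "key_usage": {"digitalSignature", "nonRepudiation",
                      "keyEncipherment", "dataEncipherment"},
        "eku": {"ekuEmailProtection"},
    },
    "TLS": {
        "copy_san": {"email": True},
        "key_usage": {"digitalSignature", "keyEncipherment"},
        "eku": {"ekuServerAuth", "ekuClientAuth"},
    },
    "IPSEC": {
        "copy_san": {"ip": True, "email": False},   # e-mail SAN is optional
        "key_usage": {"digitalSignature", "keyEncipherment",
                      "dataEncipherment"},
        "eku": set(),
    },
}

def apply_profile(request, profile_name):
    """Build a certificate template from a request under the named profile.

    Only what the profile explicitly sets survives: every other extension
    in the request is discarded (e.g. a requested basicConstraints CA flag),
    required SAN entries must be present, and key usage / EKU take the
    profile's values regardless of what the request asked for.
    """
    profile = PROFILES[profile_name]
    req_san = request.get("extensions", {}).get("subjectAltName", {})
    san = {}
    for kind, required in profile["copy_san"].items():
        if kind in req_san:
            san[kind] = req_san[kind]
        elif required:
            raise ProfileError(f"{profile_name}: request lacks {kind} SAN")
    extensions = {"subjectAltName": san, "keyUsage": set(profile["key_usage"])}
    if profile["eku"]:
        extensions["extendedKeyUsage"] = set(profile["eku"])
    return {"subject": request["subject"], "extensions": extensions}

# Constructed sample request that also asks for CA rights and extra usages.
SAMPLE_REQUEST = {
    "subject": "CN=alice, O=Example",
    "extensions": {"subjectAltName": {"email": "alice@example.test"},
                   "keyUsage": {"keyCertSign"},
                   "basicConstraints": {"ca": True}},
}
```

Running `apply_profile(SAMPLE_REQUEST, "TLS")` yields a template whose only extensions are the copied e-mail SAN, the profile's two key usage bits, and the two TLS EKU OIDs; the requested CA flag and keyCertSign bit do not survive.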
