X509 certificate profile

Certificate profiles define the technical parameters that can be part of a given certificate such as X.509 Certificate extensions, Subject DN, Key usages, Extended key usages, etc. Certificate profiles are extendable and upgradeable.

CA Certificate Profile

The user must select the X.509 certificate type to generate a CA certificate profile. The default certificate type is "X509".

There are three types of X.509 certificate profiles, each explained in the following sections:

  • CA Certificate Profiles.

  • User Certificate Profiles.

  • OCSP Certificate Profiles.

In order to create a root CA or sub CA certificate profile, the admin must select the CA Certificate Profile and fill in all mandatory fields in the Certificate Profile Edit Dialog, which contains three sections:

  • Basic Information.

  • Subject DN Details.

  • X.509 Extensions.

Basic Information

The following image displays the Basic Information section of the Certificate Profile Edit Dialog.

Profile Type Selection: Choose "CA" as the profile type.

Profile Name Entry: Enter a unique "Profile Name" in the corresponding field, using any printable characters.

Validity Fields: The validity entered must be shorter than the remaining validity of the issuing CA, so that the new certificate does not outlive its issuer (for a self-signed root there is no issuer to check against). Remember that a period typed in days does not map exactly onto calendar years: every 29 February inside the period adds a day, so "10 years" starting in March 2024 is 3652 days, not 3650.

Issuing CA Selection: Select "Self Signed" as the issuing CA to create a root CA profile, or select an existing CA to create a sub CA profile.

Choose Algorithm: Choose a key algorithm from the list supported by emCA, then select a matching signature algorithm.

The signature algorithms offered depend on the algorithm chosen:

DSA Algorithm: If you choose "DSA," the corresponding signature algorithm is "SHA1WithDSA."

RSA Algorithm: Opting for "RSA" gives you the signature algorithms "SHA1WithRSA," "SHA256WithRSA," "SHA384WithRSA," and "SHA512WithRSA."

ECDSA Algorithm: Going with "ECDSA" offers "SHA1WithECDSA," "SHA256WithECDSA," "SHA384WithECDSA," and "SHA512WithECDSA."

EDDSA Algorithm: If you choose "EDDSA," the associated signature algorithm is "Ed25519."

PQC Algorithm: Choosing "PQC" opens up the signature algorithms "DILITHIUM2," "DILITHIUM3," "DILITHIUM5," "FALCON-512," "FALCON-1024," and "SPHINCSPlus."

The SHA-1 variants are listed for compatibility only: SHA-1 is no longer acceptable for certificate signatures, so choose a SHA-256 or stronger variant for any new CA.
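As an added illustration (not part of the emCA documentation or product), the following Python checks a CA profile's Basic Information the way the notes above describe: the validity must end before the issuing CA expires, the chosen signature algorithm must be one the signing key can produce, and SHA-1 variants are flagged. The dictionary layout, the sample issuing CA and the rule that a sub CA is signed with the issuing CA's key algorithm are assumptions of this example; the leap-day helper shows why ten calendar years starting 1 March 2024 are 3652 days rather than 3650.

```python
from datetime import datetime, timedelta, timezone

# Signature algorithm names per key algorithm, as listed in the profile dialog.
SIGNATURE_ALGORITHMS = {
    "DSA": {"SHA1WithDSA"},
    "RSA": {"SHA1WithRSA", "SHA256WithRSA", "SHA384WithRSA", "SHA512WithRSA"},
    "ECDSA": {"SHA1WithECDSA", "SHA256WithECDSA", "SHA384WithECDSA", "SHA512WithECDSA"},
    "EDDSA": {"Ed25519"},
    "PQC": {"DILITHIUM2", "DILITHIUM3", "DILITHIUM5",
            "FALCON-512", "FALCON-1024", "SPHINCSPlus"},
}


def calendar_years_in_days(start, years):
    """Exact number of days in `years` calendar years starting at `start`.

    "10 years" typed as 3650 days is short by one day for every 29 February
    inside the period; this gives the true count.
    """
    try:
        end = start.replace(year=start.year + years)
    except ValueError:  # start is 29 February and the target year is not a leap year
        end = start.replace(year=start.year + years, day=28)
    return (end - start).days


def check_ca_profile_basics(profile, issuing_ca, not_before):
    """Lint the Basic Information of a CA profile and return a list of problems.

    profile:    {"profile_type", "profile_name", "validity": timedelta,
                 "key_algorithm", "signature_algorithm"}   (layout assumed here)
    issuing_ca: None for a self-signed root, otherwise
                {"name", "not_after": aware datetime, "key_algorithm"}
    not_before: aware datetime at which the new certificate would become valid
    """
    problems = []
    if profile["profile_type"] != "CA":
        problems.append("profile type must be CA for a root or sub CA profile")
    name = profile["profile_name"]
    if not name or not name.isprintable():
        problems.append("profile name must be non-empty printable text")

    not_after = not_before + profile["validity"]
    if issuing_ca is not None and not_after >= issuing_ca["not_after"]:
        problems.append(
            f"validity ends {not_after:%Y-%m-%d}, which is not before issuing CA "
            f"{issuing_ca['name']} expires on {issuing_ca['not_after']:%Y-%m-%d}")

    # The signature is made with the signer's key: the profile's own key for a
    # self-signed root, the issuing CA's key for a sub CA (assumption of this example).
    signer_alg = profile["key_algorithm"] if issuing_ca is None else issuing_ca["key_algorithm"]
    sig = profile["signature_algorithm"]
    if sig not in SIGNATURE_ALGORITHMS.get(signer_alg, set()):
        problems.append(f"{sig} cannot be produced with a {signer_alg} signing key")
    if sig.startswith("SHA1"):
        problems.append(f"{sig} uses SHA-1, which is no longer acceptable for certificate signatures")
    return problems


# Constructed sample data: an ECDSA issuing CA that expires on 1 March 2034.
ISSUING_CA = {"name": "Example Root CA", "key_algorithm": "ECDSA",
              "not_after": datetime(2034, 3, 1, tzinfo=timezone.utc)}
NOT_BEFORE = datetime(2024, 3, 1, tzinfo=timezone.utc)


def run_example():
    """Return (days in 10 calendar years from NOT_BEFORE, problems for a root
    profile, problems for a good sub CA profile, problems for a bad one)."""
    exact_days = calendar_years_in_days(NOT_BEFORE, 10)
    root = {"profile_type": "CA", "profile_name": "Example Root CA",
            "validity": timedelta(days=7305),
            "key_algorithm": "RSA", "signature_algorithm": "SHA256WithRSA"}
    good = {"profile_type": "CA", "profile_name": "Sub CA 2024",
            "validity": timedelta(days=3650),            # ends 27 Feb 2034: fits
            "key_algorithm": "RSA", "signature_algorithm": "SHA256WithECDSA"}
    bad = dict(good, validity=timedelta(days=exact_days),  # ends 1 Mar 2034: does not fit
               signature_algorithm="SHA1WithECDSA")
    return (exact_days,
            check_ca_profile_basics(root, None, NOT_BEFORE),
            check_ca_profile_basics(good, ISSUING_CA, NOT_BEFORE),
            check_ca_profile_basics(bad, ISSUING_CA, NOT_BEFORE))


if __name__ == "__main__":
    for item in run_example():
        print(item)
```

The validity comparison is strict, matching the "less than" wording above; relax it to `>` if your policy only requires that the sub CA not outlive its issuer.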

Edit Subject DN Details

The following image displays the Subject DN Details section of the Certificate Profile Edit Dialog.

The Subject Distinguished Name (Subject DN) is the unique name that is attributed to the certificate owner.

In order to create a Subject DN, you need to choose from a list of Subject DN attributes. The image above shows a pre-defined subset of the available attributes. To choose the attributes that you want to include in your certificate, simply select the corresponding checkbox. Any unselected attributes will be ignored.

Users can rearrange the order of certificate elements by dragging and dropping the Subject DN attribute.

The first element in the Subject DN is the top element in the UI.

By clicking + Subject OID, you may add additional Subject DN attributes to your list.

Object Identifiers (OIDs) identify Subject DN attributes. For instance, the "Locality" attribute is identified by 2.5.4.7. Customize your OID in the field above.

To choose an attribute encoding, simply use the dropdown list located in the middle of each row.

In most cases, PrintableString or UTF8String are used. Some attributes have a fixed encoding in RFC 5280: countryName is a two-character PrintableString and emailAddress is an IA5String. For the full rules, refer to RFC 5280.

Please choose either "Mandatory" or "Optional" from the last dropdown menu.

Mandatory fields are required for certificate generation; if a mandatory attribute has no value, generation fails.

During certificate generation, optional attributes may be provided. Empty fields are not added to the certificate.
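The Subject DN rules above (attribute order, encoding choice, mandatory versus optional, custom OIDs) are easier to see in the DER they produce. The following Python, added here and not part of emCA, builds the X.509 Name structure from a list of profile rows using only the standard library. The row dictionaries, the sample values and the countryName check are this example's own assumptions; the OIDs are the standard ones (2.5.4.7 for Locality, as noted above).

```python
# DER tags for the attribute encodings offered in the Subject DN dialog.
STRING_TAGS = {"PrintableString": 0x13, "UTF8String": 0x0C, "IA5String": 0x16,
               "BMPString": 0x1E, "BitString": 0x03}
PRINTABLE_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")


def der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER from dotted text, e.g. "2.5.4.7" (localityName)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    body = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:  # first two arcs share one value
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                   # base-128, high bit = continuation
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))


def encode_value(encoding, text):
    """Encode one attribute value; rejects text the chosen encoding cannot carry."""
    if encoding == "PrintableString":
        if not set(text) <= PRINTABLE_CHARS:
            raise ValueError(f"{text!r} is not PrintableString; use UTF8String")
        data = text.encode("ascii")
    elif encoding == "IA5String":
        if not text.isascii():
            raise ValueError(f"{text!r} is not IA5String (ASCII only)")
        data = text.encode("ascii")
    elif encoding == "UTF8String":
        data = text.encode("utf-8")
    elif encoding == "BMPString":
        if any(ord(c) > 0xFFFF for c in text):
            raise ValueError(f"{text!r} has characters outside the BMP")
        data = text.encode("utf-16-be")
    elif encoding == "BitString":
        data = b"\x00" + text.encode("utf-8")   # 0 unused bits; rarely right for a DN
    else:
        raise ValueError(f"unknown encoding {encoding!r}")
    return der(STRING_TAGS[encoding], data)


def missing_mandatory(rows, values):
    """Names of mandatory attributes that have no value."""
    return [r["name"] for r in rows if r["mandatory"] and not values.get(r["name"])]


def build_subject_dn(rows, values):
    """DER Name from profile rows (UI order, top first) and the supplied values.

    Mandatory attributes must be present; optional ones left empty are omitted.
    """
    missing = missing_mandatory(rows, values)
    if missing:
        raise ValueError(f"mandatory Subject DN attributes missing: {missing}")
    rdns = b""
    for row in rows:
        text = values.get(row["name"], "")
        if not text:
            continue
        if row["oid"] == "2.5.4.6" and (row["encoding"] != "PrintableString" or len(text) != 2):
            raise ValueError("countryName must be a 2-character PrintableString (RFC 5280)")
        atv = der(0x30, encode_oid(row["oid"]) + encode_value(row["encoding"], text))
        rdns += der(0x31, atv)                  # one single-valued RDN per attribute
    return der(0x30, rdns)


# Constructed sample rows and values, as they might be arranged in the dialog.
PROFILE_ROWS = [
    {"name": "Country", "oid": "2.5.4.6", "encoding": "PrintableString", "mandatory": True},
    {"name": "Organization", "oid": "2.5.4.10", "encoding": "UTF8String", "mandatory": True},
    {"name": "Locality", "oid": "2.5.4.7", "encoding": "UTF8String", "mandatory": False},
    {"name": "Email", "oid": "1.2.840.113549.1.9.1", "encoding": "IA5String", "mandatory": False},
    {"name": "Common Name", "oid": "2.5.4.3", "encoding": "UTF8String", "mandatory": True},
]
SAMPLE_VALUES = {"Country": "US", "Organization": "Example Corp",
                 "Locality": "Zürich", "Email": "", "Common Name": "Example Sub CA"}


def run_example():
    """Return (DER of the sample DN, missing names for an incomplete input,
    the error raised when 'Zürich' is forced into PrintableString)."""
    dn = build_subject_dn(PROFILE_ROWS, SAMPLE_VALUES)
    missing = missing_mandatory(PROFILE_ROWS, {"Common Name": "Example Sub CA"})
    try:
        encode_value("PrintableString", "Zürich")
        encoding_error = None
    except ValueError as exc:
        encoding_error = str(exc)
    return dn, missing, encoding_error


if __name__ == "__main__":
    print(*run_example(), sep="\n")
```

The empty Email value is dropped from the output, the mandatory check fires before any encoding happens, and the ü in Zürich is only accepted once the row's encoding is UTF8String, which is the practical reason the dialog lets you choose the encoding per attribute.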

X.509 Certificate Extensions

The following is the list of extensions available for selection as part of the ‘X.509 Certificate Extensions’ section. To select a specific extension, select the ‘Use’ checkbox attached to the respective extension. In addition, for selected extensions, an option to mark a specific extension as ‘Critical’ is also provided.

  • Select the checkbox 'Use' in order to include specific extensions in the certificate. Note that some extensions must be filled with content if selected in accordance with RFC 5280.

  • Select the checkbox 'Critical' in order to set the critical flag in the certificate for this extension. A relying party must reject the certificate if it does not recognise or cannot process a critical extension (RFC 5280), so mark an extension critical only where RFC 5280 requires or recommends it.

  • Users can reorder X.509 Extensions via drag and drop.

  • Basic Constraints (mandatory) - By default, "None" is selected, meaning no path length constraint. The administrator can instead set a path length constraint of up to 6, which limits how many subordinate CA certificates may follow this CA in a certificate chain (the end-entity certificate is not counted). This option is only available for CAs; RFC 5280 requires the extension in every CA certificate and requires it to be marked critical.

  • Key Usage (mandatory) - Select the usages from the 'Usage' dropdown menu; at least one must be selected. A CA that issues certificates needs keyCertSign, and one that issues CRLs needs cRLSign. RFC 5280 recommends marking this extension critical.

  • The Authority Key Identifier extension (optional) identifies the issuer's public key used to sign the certificate, normally by repeating the issuer's Subject Key Identifier. It is required in every certificate except a self-signed root and must not be marked critical.

  • The Issuer Alternative Name extension (optional) allows additional identities, such as an email address, DNS name or URI, to be associated with the issuer of the certificate.

  • The Subject Key Identifier extension is mandatory. It carries an identifier, typically a hash, of the public key in the certificate, so that certificates issued by this CA can refer to the key through their Authority Key Identifier. It must not be marked critical.

  • Authority Information Access extension (optional) indicates how to access CA information and services, such as the OCSP responder or the issuer's certificate, for the issuer of the certificate in which the extension appears. It must not be marked critical.

  • The subject alternative names extension (optional) allows additional identities to be bound to the subject of the certificate. It may include an email address, a DNS name, an IP address, and a uniform resource identifier (URI).

  • The CRL distribution points extension (optional) identifies how CRL information is obtained.

  • The Certificate Policies extension is mandatory in this dialog. It lists the policy OIDs under which the certificate is issued, optionally with qualifiers such as a CPS URI. Click the (+) button to add each policy.

  • The Policy Mapping extension (optional) contains pairs of OIDs: each pair includes an ‘issuerDomainPolicy’ and a ‘subjectDomainPolicy’. The pairing indicates that the issuing CA considers its ‘issuerDomainPolicy’ equivalent to the subject CA’s ‘subjectDomainPolicy’. RFC 5280 requires it to be marked critical.

  • The Policy Constraints extension, which is optional, can be used to prohibit policy mapping or require that each certificate in a path contains an acceptable policy identifier. RFC 5280 requires it to be marked critical.

  • The Inhibit any policy extension (optional) indicates that, after the number of further certificates given by its value, the special ‘anyPolicy’ OID is no longer considered an explicit match for other certificate policies. RFC 5280 requires it to be marked critical.

  • The Freshest CRL extension (optional) identifies the delta CRL from which a certificate user can obtain the freshest revocation information. It must not be marked critical.

  • The Subject information access extension (optional) indicates how to access information and services for the subject of the certificate in which the extension appears.

  • The Subject Directory Attributes extension (optional) is used to convey identification attributes of the subject.
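To make the criticality and content rules above checkable, here is an added Python linter for the extensions of a CA profile (example code, not emCA's). The profile dictionary layout, the sample sub CA profiles and the placeholder policy OID 1.2.3.4.5.6 are assumptions of the example; the rules encoded are those of RFC 5280, and chain_path_lengths_ok shows what a path length constraint means for a chain of CAs.

```python
# Criticality rules from RFC 5280 for the extensions offered in the dialog.
MUST_BE_CRITICAL = {"Policy Mapping", "Policy Constraints", "Inhibit Any Policy"}
MUST_NOT_BE_CRITICAL = {"Authority Key Identifier", "Subject Key Identifier",
                        "Authority Information Access", "Subject Information Access",
                        "Freshest CRL", "Subject Directory Attributes"}
SHOULD_NOT_BE_CRITICAL = {"CRL Distribution Points", "Issuer Alternative Name"}


def lint_ca_extensions(profile):
    """Return problems in the X.509 extensions of a CA profile.

    profile = {"self_signed": bool, "extensions": {name: {"use", "critical", ...}}}
    (layout assumed by this example). Basic Constraints may carry "path_length"
    (None = no limit), Key Usage a "usages" set, Certificate Policies a
    "policies" list of OIDs.
    """
    ext = profile["extensions"]
    problems = []

    def used(name):
        return ext.get(name, {}).get("use", False)

    bc = ext.get("Basic Constraints", {})
    if not bc.get("use"):
        problems.append("Basic Constraints must be used in a CA certificate")
    elif not bc.get("critical"):
        problems.append("Basic Constraints must be marked critical in a CA certificate")

    ku = ext.get("Key Usage", {})
    usages = set(ku.get("usages", ()))
    if not ku.get("use") or not usages:
        problems.append("Key Usage must be used with at least one usage")
    else:
        if "keyCertSign" not in usages:
            problems.append("a CA that issues certificates needs keyCertSign")
        if not ku.get("critical"):
            problems.append("Key Usage should be marked critical")
    if bc.get("path_length") is not None and "keyCertSign" not in usages:
        problems.append("a path length constraint only has meaning when keyCertSign is set")

    if not used("Subject Key Identifier"):
        problems.append("Subject Key Identifier must be used in a CA certificate")
    if not profile["self_signed"] and not used("Authority Key Identifier"):
        problems.append("Authority Key Identifier must be used unless the certificate is self-signed")
    cp = ext.get("Certificate Policies", {})
    if cp.get("use") and not cp.get("policies"):
        problems.append("Certificate Policies is selected but carries no policy OID")

    for name, e in ext.items():                 # generic criticality rules
        if not e.get("use"):
            continue
        if name in MUST_BE_CRITICAL and not e.get("critical"):
            problems.append(f"{name} must be marked critical")
        if name in MUST_NOT_BE_CRITICAL and e.get("critical"):
            problems.append(f"{name} must not be marked critical")
        if name in SHOULD_NOT_BE_CRITICAL and e.get("critical"):
            problems.append(f"{name} should not be marked critical")
    return problems


def chain_path_lengths_ok(path_lengths):
    """path_lengths: pathLenConstraint of each CA in a chain, root first
    (None = no limit). Each value bounds how many CA certificates may follow
    that CA; the end-entity certificate is not counted."""
    for i, limit in enumerate(path_lengths):
        below = len(path_lengths) - i - 1
        if limit is not None and below > limit:
            return False
    return True


# Constructed sample profiles. The policy OID is a placeholder, not a real policy.
GOOD_SUB_CA = {"self_signed": False, "extensions": {
    "Basic Constraints": {"use": True, "critical": True, "path_length": 0},
    "Key Usage": {"use": True, "critical": True, "usages": {"keyCertSign", "cRLSign"}},
    "Subject Key Identifier": {"use": True, "critical": False},
    "Authority Key Identifier": {"use": True, "critical": False},
    "Authority Information Access": {"use": True, "critical": False},
    "CRL Distribution Points": {"use": True, "critical": False},
    "Certificate Policies": {"use": True, "critical": False, "policies": ["1.2.3.4.5.6"]},
}}
BAD_SUB_CA = {"self_signed": False, "extensions": {
    "Basic Constraints": {"use": True, "critical": False, "path_length": 2},
    "Key Usage": {"use": True, "critical": False, "usages": {"digitalSignature"}},
    "Subject Key Identifier": {"use": True, "critical": False},
    "Authority Key Identifier": {"use": True, "critical": True},
    "Authority Information Access": {"use": True, "critical": True},
}}

if __name__ == "__main__":
    print(lint_ca_extensions(GOOD_SUB_CA))
    for p in lint_ca_extensions(BAD_SUB_CA):
        print("-", p)
    print(chain_path_lengths_ok([None, 1, 0]), chain_path_lengths_ok([None, 0, None]))
```

GOOD_SUB_CA has a path length of 0, so it may issue end-entity certificates but no further CAs; BAD_SUB_CA collects six findings, including a path length that is meaningless without keyCertSign.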

Save Certificate profile

Click "Proceed" to save the profile. You are redirected to the next page and prompted to authenticate the action with your Administrator Username and Token PIN; click the ‘Authenticate’ button and the admin credentials are validated.

Click "Confirm" to finalize the certificate profile and view the success message as shown below.

You can create new profiles by clicking on "+New" or return to the Certificate Profile overview by clicking "View All".

This way, you can easily set up an X509 CA profile with the necessary details for your specific use.

User Certificate Profile

emCA allows users to generate various X509 user certificate subtypes within the certificate framework, including New, DS, MLS, and DLS certificates.

Click on + New Profile to create a new certificate profile. This will open the Certificate Profile Edit Dialog.

Basic Information

The Basic Information section of the Certificate Profile Edit Dialog is displayed in the following image:

The administrator provides the basic information:

Profile Type Selection: Choose "User" as the profile type.

Profile Name Entry: Enter a unique "Profile Name" in the corresponding field, using any printable characters.

Validity Fields: The validity entered must be shorter than the remaining validity of the issuing CA, so that the user certificate does not outlive its issuer. Remember that a period typed in days does not map exactly onto calendar years: every 29 February inside the period adds a day.

Issuing CA Selection: Select the issuing CA under "Issuing CA"; the Signature Algorithm list is then filtered to the algorithms supported by that CA.

Signature Algorithm: Choose one of the signature algorithms offered for the selected issuing CA.

Certificate Recovery Option: Select "Is KRS Enabled" to allow user certificates issued under this profile to be recovered later.

Certificate Transparency Logs: Select "Is CT Logs Enabled" to submit user certificates to Certificate Transparency (CT) logs. You can then choose a Manual or Automatic process type for SCT (Signed Certificate Timestamp) requests.

Manual Authorization: Select "Is Manual Authorization Enabled" to require an officer to authorize each certificate during creation.

Customize Validity Support: Select "Support Customize Validity" to accept a validity supplied with the CSR instead of the profile's fixed validity.

Link Check: To include link checks for user certificates, check 'Is Link Check Enabled'.

Subject DN Details:

The following image displays the Subject DN Details section of the Certificate Profile Edit Dialog.

Subject DN (Common name, Country, Email, organization etc.) attributes can be added by selecting the checkbox of the respective attribute. Once the attribute is selected, use the dropdown menu to define the relevant string from the options: Printable String, BitString, IA5String, BMPString, and UTF8String.

The option to make an attribute Mandatory (or) Optional is also provided.

In addition to these options, the order of attributes can also be rearranged using the option next to Mandatory/optional.

Optional: The option to customize OID is also offered. To add a custom Subject DN, click on ‘+ Subject OID’ option.

Enter a valid OID and select the corresponding values to include this OID to the Certificate creation process.

X.509 Certificate Extensions:

The following is the list of extensions available for selection as part of the ‘X.509 Certificate Extensions’ section. To select a specific extension, select the ‘Use’ checkbox attached to the respective extension. In addition, for selected extensions, an option to mark a specific extension as ‘Critical’ is also provided.

Basic Constraints: To use the Basic Constraints extension, select the Use Basic Constraints checkbox.

Key Usage: From the Key Usage dropdown menu, select the appropriate key usage options.

Enhanced Key Usage (optional): From the Enhanced Key Usage dropdown menu, select the appropriate key usage options.

Authority Key Identifier (optional): To use the Authority Key Identifier extension, select the Use Authority Key Identifier checkbox.

Issuer Alternate Name (optional): To use the Issuer Alternate Name extension, select the Use Issuer Alternate Name checkbox.

Subject Key Identifier (mandatory): The Subject Key Identifier extension is mandatory.

Authority Information Access (optional): To use the Authority Information Access extension, select the Use Authority Information Access checkbox.

Subject Alternative Names (optional): To use the Subject Alternative Names extension, select the Use Subject Alternative Names checkbox.

CRL Distribution Points (optional): To use the CRL Distribution Points extension, select the Use CRL Distribution Points checkbox.

Certificate Policy (mandatory): The Certificate Policy extension is mandatory. To enter the Certificate Policy, click the (+) button.

Freshest CRL URL (optional): To use the Freshest CRL URL extension, select the Use Freshest CRL URL checkbox.

Subject Information Access (optional):To use the Subject Information Access extension, select the Use Subject Information Access checkbox.

Subject Directory Attributes (optional):To use the Subject Directory Attributes extension, select the Use Subject Directory Attributes checkbox.

Private Key Usage Period: Configure the private key lifetime by providing its validity period. This lets the private key's validity differ from the certificate's, typically shorter, so that a signing key is retired while the certificate remains valid for verifying signatures made earlier.

Save Certificate profile

Click "Proceed" to save the profile. You are redirected to the next page and prompted to authenticate the action with your Administrator Username and Token PIN; click the ‘Authenticate’ button and the admin credentials are validated.

Click "Confirm" to finalize the certificate profile and view the success message as shown below.

You can create new profiles by clicking on "+New" or return to the Certificate Profile overview by clicking "View All".

This way, you can easily set up an X509 User profile with the necessary details for your specific use.

Create OCSP Certificate Profile

Click on the "+ New Profile" button to create a new certificate profile. This will open the Certificate Profile Edit Dialog.

Basic Information:

The image below displays the "Basic Information" section of the Certificate Profile Edit Dialog:

OCSP Selection: Choose OCSP by selecting the OCSP radio button.

Profile Name Entry: Give your profile a unique name.

Validity Duration: Choose how long the certificate should be valid in terms of days, hours, minutes, and seconds.

Issuing CA Selection: Pick the issuing CA from the dropdown.

Signature Algorithm Selection: Choose the signature algorithm that suits your needs.

Subject DN Details:

The following image displays the Subject DN Details section of the Certificate Profile Edit Dialog.

Subject DN Attributes

Subject DN attributes can be added to a certificate by selecting the checkbox for the desired attribute. Once an attribute is selected, use the dropdown menu to specify the data type. The data types available are Printable String, BitString, IA5String, BMPString, and UTF8String.

Attributes can be marked as Mandatory or Optional. The order of attributes can also be changed using the arrows next to the Mandatory/Optional checkbox.

Optional: Custom Subject DN OIDs

To add a custom Subject DN OID, click the "+ Subject OID" button. Enter a valid OID and select the corresponding values to include this OID in the certificate creation process.

X.509 Certificate Extensions:

The following is the list of extensions available for selection as part of the ‘X.509 Certificate Extensions’ section. To select a specific extension, select the ‘Use’ checkbox attached to the respective extension. In addition, for selected extensions, an option to mark a specific extension as ‘Critical’ is also provided.

  • Key Usage: Defines what the certificate's key may be used for. Select one or more usages from the dropdown list. The default selection is Key Agreement, Key Certificate Sign, CRL Sign. Note that an OCSP responder signs OCSP responses, which requires Digital Signature; Key Certificate Sign and CRL Sign describe a CA, not a responder.

  • Enhanced Key Usage: Adds purposes beyond the basic key usages. Select from the dropdown list. This feature is optional in the dialog, but RFC 6960 requires a delegated OCSP responder certificate to carry the id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) extended key usage.

  • Authority Key Identifier: Identifies the issuer key that signed the certificate. Optional; must not be marked critical.

  • Issuer Alternative Name: Adds further names for the issuer of the certificate. Optional.

  • Subject Key Identifier: Identifies the public key in the certificate, typically by a hash of the key. Mandatory; must not be marked critical.

  • Authority Information Access: Indicates how to reach information and services of the issuer, such as its OCSP responder or its certificate. Optional.

  • Subject Alternative Names: Adds further identities for the subject, such as an email address, DNS name, IP address or URI. Optional.

  • CRL Distribution Points: Indicates where the issuer's CRL (the list of revoked certificates) can be obtained. Optional.

  • Certificate Policies: Lists the policy OIDs under which the certificate is issued. Click the (+) button to enter each policy. Mandatory in this dialog.

  • Freshest CRL: Indicates where the delta CRL with the latest revocation information can be obtained. Optional.

  • Subject Information Access: Indicates how to reach information and services of the subject. Optional.

  • Subject Directory Attributes: Conveys additional identification attributes of the subject. Optional.

  • OCSP No Revocation Checking: Adds the id-pkix-ocsp-nocheck extension (RFC 6960), which tells clients not to check the revocation status of the responder certificate itself. Because a compromised responder key then cannot be revoked effectively, keep the validity of such a certificate short. Optional; the extension should be non-critical and its value is NULL.
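The OCSP-specific requirements above can be checked mechanically. The following Python, added as an example and not part of emCA, lints an OCSP responder profile against RFC 6960 (digitalSignature key usage, the id-kp-OCSPSigning extended key usage, a non-critical id-pkix-ocsp-nocheck extension and a short validity when nocheck is used) and shows the DER of the nocheck extension. The profile dictionary layout, the 90-day limit and the sample profiles are assumptions of this example; the second sample keeps the Key Usage default quoted above unchanged to show what the linter reports.

```python
from datetime import timedelta

OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9"       # id-kp-OCSPSigning, RFC 6960 4.2.2.2
OCSP_NOCHECK_OID = "1.3.6.1.5.5.7.48.1.5"    # id-pkix-ocsp-nocheck, RFC 6960 4.2.2.2.1
# DER of OCSP_NOCHECK_OID, pre-encoded so this example needs no OID encoder.
OCSP_NOCHECK_OID_DER = bytes.fromhex("06092b0601050507300105")
# Local policy choice of this example (not an RFC value): how long a responder
# certificate that is never revocation-checked may live.
MAX_NOCHECK_VALIDITY = timedelta(days=90)


def der_short(tag, body):
    """Tag-length-value with short-form length (all values here are < 128 bytes)."""
    if len(body) >= 0x80:
        raise ValueError("short-form DER length only")
    return bytes([tag, len(body)]) + body


def ocsp_nocheck_extension():
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }.

    `critical` is omitted because its DEFAULT is FALSE and the extension should
    be non-critical; extnValue wraps a DER NULL (05 00), the only legal content.
    """
    return der_short(0x30, OCSP_NOCHECK_OID_DER + der_short(0x04, der_short(0x05, b"")))


def check_ocsp_profile(profile):
    """Return problems in an OCSP responder profile.

    profile = {"validity": timedelta, "extensions": {name: {"use", "critical", "usages"}}}
    (the dict layout is an assumption of this example, not the product's format).
    """
    problems = []
    ext = profile["extensions"]
    usages = set(ext.get("Key Usage", {}).get("usages", ()))
    if "digitalSignature" not in usages:
        problems.append("Key Usage must include digitalSignature: the responder signs OCSP responses")
    for ca_only in ("keyCertSign", "cRLSign"):
        if ca_only in usages:
            problems.append(f"Key Usage {ca_only} describes a CA, not an OCSP responder")
    ekus = set(ext.get("Enhanced Key Usage", {}).get("usages", ()))
    if OCSP_SIGNING_EKU not in ekus:
        problems.append(f"Enhanced Key Usage must include id-kp-OCSPSigning ({OCSP_SIGNING_EKU})")
    nocheck = ext.get("OCSP No Revocation Checking", {})
    if nocheck.get("use"):
        if nocheck.get("critical"):
            problems.append("id-pkix-ocsp-nocheck should be non-critical (RFC 6960)")
        if profile["validity"] > MAX_NOCHECK_VALIDITY:
            problems.append(
                f"with nocheck the responder certificate is trusted without revocation checks "
                f"for its whole lifetime; {profile['validity'].days} days exceeds the "
                f"{MAX_NOCHECK_VALIDITY.days}-day limit used here")
    return problems


# Constructed sample profiles. The second one uses the Key Usage default quoted
# on this page (Key Agreement, Key Certificate Sign, CRL Sign) unchanged.
GOOD_RESPONDER = {"validity": timedelta(days=30), "extensions": {
    "Key Usage": {"use": True, "critical": True, "usages": {"digitalSignature"}},
    "Enhanced Key Usage": {"use": True, "critical": False, "usages": {OCSP_SIGNING_EKU}},
    "OCSP No Revocation Checking": {"use": True, "critical": False},
}}
DEFAULT_KEY_USAGE_RESPONDER = {"validity": timedelta(days=365), "extensions": {
    "Key Usage": {"use": True, "critical": True,
                  "usages": {"keyAgreement", "keyCertSign", "cRLSign"}},
    "OCSP No Revocation Checking": {"use": True, "critical": True},
}}

if __name__ == "__main__":
    print(ocsp_nocheck_extension().hex())    # 300f06092b060105050730010504020500
    print(check_ocsp_profile(GOOD_RESPONDER))
    for p in check_ocsp_profile(DEFAULT_KEY_USAGE_RESPONDER):
        print("-", p)
```

The nocheck DER is 17 bytes: the SEQUENCE header, the 11-byte OID, and an OCTET STRING holding the two-byte NULL. A responder certificate carrying it should be renewed on a short cycle, since clients will accept it until notAfter regardless of what the CA's CRL says.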

Save Certificate profile

Click "Proceed" to save the profile. You are redirected to the next page and prompted to authenticate the action with your Administrator Username and Token PIN; click the ‘Authenticate’ button and the admin credentials are validated.

Click "Confirm" to finalize the certificate profile and view the success message as shown below.

You can create new profiles by clicking on "+New" or return to the Certificate Profile overview by clicking "View All".

This way, you can easily create an OCSP profile with specific details for your use case.
