Info: This article is valid for Certificate Manager 8.4 and later.
This article describes how to create a certificate procedure in Smart ID Certificate Manager (CM). A certificate procedure defines the parameters to be used when issuing an end-user certificate within the Certificate Authority (CA). This task is done in the Administrator's workbench (AWB) in Certificate Manager.
Prerequisites

The following prerequisites apply:

Create certificate procedure
To create a certificate procedure:

- In AWB, select New > Certificate procedure.
- In the Create Certificate Procedure Request dialog, in Procedure name, enter the name to appear in the Certificate procedures sub-group in the explorer bar. This field is mandatory.
- Set the procedure State to Active or Closed as required.
- Select Domain and check Visible in subdomain if applicable.
- Select the Key usage parameters, if required, by checking the appropriate check boxes. It is normally not necessary to define key usage parameters. However, there are two cases when key usage restrictions for certificate procedures may be necessary:
  - when the certificate procedure is used in a token procedure that contains several certificate procedures.
  - to define the key usage required in a certificate if none is specified in the certificate request at the RA (for example, PKCS#12 tokens).
Warning: Key usage must not be set if the certificate procedure is to be used for issuing P12 certificates for officers. If key usage is set, the P12 certificates may not appear in the Security dialog when connecting to CM.
- In Issuing CA, browse for the required CA. This field is mandatory.
- In CA chain, browse for the required CA chain.
- In Certificate format, browse for the required end-user certificate format. This field is mandatory.

Note: Depending on the parameter settings in the certificate format file, if the certificate procedure's validity extends beyond the expiration date of the CA certificate, either the certificate procedure will not be visible in the RA client or the CF server will truncate the expiration date of the end-user certificate to that of the CA certificate. For more information regarding certificate formats, refer to the "Certificate Format" chapter in the Technical Description.

See also: Customize format in AWB.
- In Distribution rules, click + to add a distribution rule. Add all relevant distribution rules.
- In Distribution rules, edit the processing order if needed. To change the order, select a rule and use the arrow buttons to move it. The distribution rules are processed in the selected order and then stored in CMDB.
- In Certificate validity, select in turn the years, months, days, hours, and minutes, and adjust the numbers with the arrows. The date and time units may also be entered manually.
- In Signature algorithm, select the required signature algorithm.

Note: The Signature algorithm drop-down list contains only those algorithms that match the key algorithm of the selected issuing CA's key.

Warning: If the hashInCis property is set to true and a signAlgorithm or signMechanism is specified for the device that holds the selected CA key (see the device configuration in cis.conf), the selected signature algorithm must be the same as the algorithm specified for the device in cis.conf. No warning message is displayed if a different signature algorithm is selected.

If the warning text "Signature algorithm signing key / CA key not consistent" appears, do the following to troubleshoot:
- Right-click the issuing CA and select Open to see the detailed information about the CA.
- Right-click the key and select Open to see the detailed information about the key.
- Check which algorithm was used for the CA key and select a compatible signature algorithm, that is, an algorithm with the same key type: RSA, DSA, or ECC.
- Several optional steps can be done now; see the sections below:
  - Optional: Define Policy ID
  - Optional: Define authority information access
  - Optional: Define extended key usage
  - If QC Statements are required, go to the section "Optional: Qualified certificate statements".
- If the certificates issued with this certificate procedure should be covered by a special CRL distribution point, do the following:
  - Select the CRL procedure in the CRL procedure field.
  - Check Explicit distribution points if the issued certificates should only add the distribution points from the selected CRL procedure. For more information, see the section "Partition CRL on Distribution Point" in Create CRL procedure in Certificate Manager.
- In the Return existing until field, specify for how long an existing certificate may be returned for identical certificate requests. The value is specified as a percentage (nn%) of the certificate validity; the default is 10%. Set this parameter to zero (00%) to always issue a new certificate. If the certificate renewal policy needs to be restricted, see the section "Optional: Configure certificate renewal policy" below.
- Click OK. The Signature dialog box appears. See Sign tasks in Certificate Manager for more information.
Optional: Define policy ID
For more information on the certificate policies extension (Policy ID), see RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and CRL Profile.

To add Policy ID object identifiers (OIDs), do the following for each Policy ID OID:
- In Policy Id, click +.
- In the Select Policy Id window, do the following:
  - Enter the OID for the certificate policy to be used in the procedure being created.
  - Optional: To use a certification practice statement, check CPS and enter the uniform resource identifier (URI) that points to the certification practice statement of the issuing CA.
  - Optional: To send a user notice, check User notice and enter the user notice text that will be displayed in the certificate. The explicitText field can contain at most 200 characters.

Note: RFC 5280 recommends that, to promote interoperability, policy information terms should consist only of the OID; qualifiers should be used only where that is insufficient.

- Click OK.
Optional: Define authority information access
For more information on the Authority information access extension, see RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and CRL Profile.

To add authority information access pointers, do the following for each pointer:
- In Authority information access, click +.
- In the Select Authority Information Access window, do the following:
  - Select the required Access method (OID).
  - In Access location, select either URI or E-mail and enter the location pointer.
  - Click OK.
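The two optional extensions described above, certificate policies (Policy ID with optional CPS and user notice qualifiers) and authority information access (access method OID plus a URI or e-mail location), end up in the issued certificate with the DER layout defined in RFC 5280 sections 4.2.1.4 and 4.2.2.1. The following Python is an added example, not code from this page or from Certificate Manager, that builds both extension values from the kinds of values entered in the dialogs and enforces two constraints a procedure author can otherwise only learn from a rejected certificate: the 200-character limit on explicitText and the ASCII-only (IA5String) rule for URIs and e-mail addresses. The policy OID, URIs and notice text in it are constructed placeholders; the qualifier and access-method OIDs are the RFC 5280 values.

```python
"""Encode the certificatePolicies and authorityInfoAccess extension values
in DER, as defined in RFC 5280 sections 4.2.1.4 and 4.2.2.1.

Added example with hand-rolled DER so it runs without third-party libraries.
"""
from __future__ import annotations

# Policy qualifier OIDs (RFC 5280 section 4.2.1.4)
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"      # CPS pointer qualifier
ID_QT_UNOTICE = "1.3.6.1.5.5.7.2.2"  # user notice qualifier
# Access method OIDs (RFC 5280 section 4.2.2.1)
ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"
MAX_EXPLICIT_TEXT = 200  # RFC 5280: explicitText SHOULD NOT exceed 200 characters

# Universal tags and the GeneralName context tags used below
TAG_SEQUENCE, TAG_OID, TAG_UTF8, TAG_IA5 = 0x30, 0x06, 0x0C, 0x16
GN_RFC822_NAME, GN_URI = 0x81, 0x86  # [1] and [6] IMPLICIT IA5String


def der_length(n: int) -> bytes:
    """Definite-length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID: {dotted}")
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))  # most significant 7-bit group first
    return der_tlv(TAG_OID, bytes(out))


def der_ia5(text: str) -> bytes:
    """IA5String: URIs and e-mail addresses must be pure ASCII (raises otherwise)."""
    return der_tlv(TAG_IA5, text.encode("ascii"))


def policy_information(oid: str, cps_uri: str | None = None,
                       user_notice: str | None = None) -> bytes:
    """One PolicyInformation: the policy OID plus optional CPS / user notice qualifiers."""
    qualifiers = []
    if cps_uri is not None:
        qualifiers.append(der_tlv(TAG_SEQUENCE, der_oid(ID_QT_CPS) + der_ia5(cps_uri)))
    if user_notice is not None:
        if len(user_notice) > MAX_EXPLICIT_TEXT:
            raise ValueError(f"explicitText exceeds {MAX_EXPLICIT_TEXT} characters")
        # UserNotice carrying explicitText only (noticeRef omitted), as UTF8String
        notice = der_tlv(TAG_SEQUENCE, der_tlv(TAG_UTF8, user_notice.encode("utf-8")))
        qualifiers.append(der_tlv(TAG_SEQUENCE, der_oid(ID_QT_UNOTICE) + notice))
    body = der_oid(oid)
    if qualifiers:  # policyQualifiers is OPTIONAL: omit it entirely when empty
        body += der_tlv(TAG_SEQUENCE, b"".join(qualifiers))
    return der_tlv(TAG_SEQUENCE, body)


def certificate_policies(policies) -> bytes:
    """certificatePolicies value: SEQUENCE OF PolicyInformation."""
    return der_tlv(TAG_SEQUENCE, b"".join(policy_information(*p) for p in policies))


def authority_info_access(pointers) -> bytes:
    """authorityInfoAccess value: SEQUENCE OF AccessDescription {accessMethod, accessLocation}."""
    descriptions = []
    for method_oid, kind, location in pointers:
        tag = {"uri": GN_URI, "email": GN_RFC822_NAME}[kind]  # GeneralName choice
        location_tlv = der_tlv(tag, location.encode("ascii"))
        descriptions.append(der_tlv(TAG_SEQUENCE, der_oid(method_oid) + location_tlv))
    return der_tlv(TAG_SEQUENCE, b"".join(descriptions))


if __name__ == "__main__":
    # Constructed sample values; the policy OID and hostnames are placeholders.
    print(certificate_policies([("1.3.6.1.4.1.99999.1.1", "http://pki.example.invalid/cps",
                                 "Issued under the example policy.")]).hex())
    print(authority_info_access([(ID_AD_OCSP, "uri", "http://ocsp.example.invalid"),
                                 (ID_AD_CA_ISSUERS, "uri", "http://pki.example.invalid/ca.cer")]).hex())
```

The policy OID is kept separate from its qualifiers so that the OID-only form recommended by RFC 5280 is the default: passing just the OID yields a PolicyInformation with no policyQualifiers sequence at all, which is what an interoperability-minded procedure should produce unless a CPS pointer or user notice is genuinely required.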