...
Two administration officers must sign the request.
Both officers must have the following roles:
Use AWB
Policy tasks
A connection to the CM host must have been established. See Connect to a Certificate Manager host.
The following information is required by the administration officer during the task:
The procedure name that will appear in the explorer bar
The key usage attributes required for the certificate
The name of the issuing CA, its CA chain if applicable, and the certificate format to be used
The distribution rules to be used
The certificate validity period and the signature algorithm required
If the optional extensions certificate policy, authority information access or extended key usage will be used, all the necessary object identifier (OID), qualifier and access location information must be available.
It is recommended that any certificate formats that are not yet available be generated before performing this task.
...
In AWB, select New > Certificate procedure.
In the Create Certificate Procedure Request dialog, in Procedure name, enter the name to appear in the Certificate procedures sub-group in the explorer bar. This field is mandatory.
Set the procedure State to Active or Closed as required.
Select Domain and check Visible in subdomain if applicable.
Select the Key usage parameters, if required, by checking the appropriate check boxes. It is normally not necessary to define key usage parameters. However, there are two cases when key usage restrictions for certificate procedures may be necessary:
when the certificate procedure is used in a token procedure that contains several certificate procedures.
to define the key usage required in a certificate if none are specified in the certificate request at the RA (for example, PKCS#12 tokens).
Warning:
Key usage must not be set if the certificate procedure is to be used for issuing P12 certificates for officers. If key usage is set, the P12 certificates may not appear in the Security dialog when trying to connect to CM.
In Issuing CA, browse for the required CA. This field is mandatory.
In CA chain, browse for the required CA chain.
In Certificate format, browse for the required end-user certificate format. This field is mandatory.
Note:
Depending on the parameter settings in the certificate format file, if the certificate procedure's validity period extends beyond the CA certificate's expiration date, either the certificate procedure will not be visible in the RA client or the CF server can truncate the expiration date of the end-user certificate to that of the CA certificate. For more information regarding certificate formats, refer to the "Certificate Format" chapter in the Technical Description.
In Distribution rules, click + to add a distribution rule. Add all relevant distribution rules.
In Distribution rules, edit the processing order if needed. To change the order, select a rule and use the arrow buttons to move it.
The distribution rules will be processed in the selected order and then stored in CMDB.
In Certificate validity, select in turn the years, months, days, hours, and minutes, and adjust the numbers with the arrows. The date and time units may also be entered manually.
In Signature algorithm, select the required signature algorithm.
Note:
The Signature algorithm drop-down list contains only those algorithms that match the key algorithm of the selected issuing CA's key.
Warning:
If the hashInCis property is set to true and a signAlgorithm or signMechanism is specified for the device that holds the selected CA key (see the device configuration in cis.conf), the selected signature algorithm must be the same as the algorithm specified for the device in cis.conf. No warning message is displayed if a different signature algorithm is selected.
If the warning text Signature algorithm signing key / CA key not consistent appears, do the following to troubleshoot:
Right-click on the issuing CA and select Open to see the detailed information about the CA.
Right-click on the key and select Open to see the detailed information about the key.
Check which algorithm was used for the CA key and select a compatible signature algorithm, that is, an algorithm with the same key type: RSA, DSA, or ECC.
Several optional steps can be performed at this point; see the sections below:
Optional: Define Policy ID
Optional: Define authority information access
Optional: Define extended key usage
If QC Statements are required, go to the section "Optional: Qualified certificate statements".
If the certificates issued with this certificate procedure should be covered by a special CRL distribution point, do the following:
Select the CRL procedure in the CRL procedure field.
Check Explicit distribution points if the issued certificates should only add the distribution points from the selected CRL procedure. For more information, see section “Partition CRL on Distribution Point” in Create CRL procedure in Certificate Manager.
In the Return existing until field, specify for how long an existing certificate may be returned in response to identical certificate requests. The value is a percentage (nn%) of the certificate validity period; the default is 10%. Set this parameter to zero (00%) to always issue a new certificate.
If the certificate renewal policy is required to be restricted, see section “Optional: Configure certificate renewal policy” below.
Click OK. The Signature dialog box appears. See Sign tasks in Certificate Manager for more information.
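The consistency rules the steps above depend on (signature algorithm versus CA key type, truncation of end-user validity to the CA expiry, and the Return existing until window), as an added example that is not part of the Certificate Manager product or its documentation. The algorithm names, key-type table and sample dates are assumptions; the cis.conf check is modelled, not read from a real file.

```python
from datetime import datetime, timedelta, timezone

# Assumed, illustrative table: signature algorithm -> key type it requires.
# AWB only lists algorithms whose key type matches the issuing CA's key.
SIGNATURE_KEY_TYPE = {
    "SHA256withRSA": "RSA", "SHA384withRSA": "RSA", "SHA512withRSA": "RSA",
    "SHA256withDSA": "DSA",
    "SHA256withECDSA": "ECC", "SHA384withECDSA": "ECC",
}
INCONSISTENT = "Signature algorithm signing key / CA key not consistent"

def compatible_algorithms(ca_key_type):
    """Algorithms selectable for a CA whose key type is RSA, DSA or ECC."""
    return sorted(a for a, t in SIGNATURE_KEY_TYPE.items() if t == ca_key_type)

def check_signature_algorithm(ca_key_type, chosen, cis_device_algorithm=None):
    """Return None if the choice is consistent, otherwise the problem to raise.
    cis_device_algorithm models signAlgorithm in cis.conf for a device with
    hashInCis=true; AWB itself shows no warning for that mismatch."""
    if SIGNATURE_KEY_TYPE.get(chosen) != ca_key_type:
        return INCONSISTENT
    if cis_device_algorithm and chosen != cis_device_algorithm:
        return f"{chosen} differs from cis.conf device algorithm {cis_device_algorithm}"
    return None

def end_user_not_after(issued_at, validity, ca_not_after):
    """Expiry of an issued certificate: CF truncates it to the CA's expiry."""
    return min(issued_at + validity, ca_not_after)

def return_existing_deadline(issued_at, validity, percent):
    """Latest time at which an identical request is answered with the existing
    certificate (Return existing until, a percentage of the validity period)."""
    if not 0 <= percent <= 100:
        raise ValueError("Return existing until must be 0..100 percent")
    return issued_at + validity * (percent / 100)

def sample_report():
    """Constructed sample values, not real CA data."""
    issued = datetime(2025, 1, 1, tzinfo=timezone.utc)
    ca_not_after = datetime(2026, 1, 1, tzinfo=timezone.utc)
    two_years, ten_percent = timedelta(days=730), 10
    return {
        "warning": check_signature_algorithm("ECC", "SHA256withRSA"),
        "cis_warning": check_signature_algorithm("RSA", "SHA512withRSA", "SHA256withRSA"),
        "not_after": end_user_not_after(issued, two_years, ca_not_after).isoformat(),
        "return_until": return_existing_deadline(issued, two_years, ten_percent).isoformat(),
    }
```

The two-year validity in the sample is cut back to the CA's expiry, which is the truncation the note on certificate formats warns about.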
Optional: Define policy ID
...
...