Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

This article describes the constraints that can be set for an officer in Nexus Certificate Manager (CM). An officer is assigned roles, which allow them to perform various tasks, and constraints can also be set.

The following can be set for the officer:

  • Issuer constraints
  • Name constraints
  • Officer role(s)

 Issuer constraints

An officer can have constraints so that the officer may only issue and revoke end user certificates with a certain subject name space. This means, for example, that an officer can be restricted to issuing certificates only for a specific issuer (that is, for a specific Certificate Authority, CA).

The issuing constraints for an officer may consist of one or more rules and each rule, in turn, consists of one or more attribute values. To grant the officer issuing rights, (that is, access to a token procedure), at least one of the rules must be fulfilled. For a rule to be fulfilled, all attribute values of that rule must match the corresponding attributes of the issuer subject name.

Example:

Example of issuer constraints

Rule 1: C=DE O=Org1 OU=QC Root CA
Rule 2: C=DE O=Org2 L<>Location A L<>Location B
Rule 3: C=SE O=Nexus

Rules and permissions:

  • Rule number 1 gives permission to use all issuers that have a subject name containing C=DEO=Org1 and OU=QC Root CA.
  • Rule number 2 gives permission to use all issuers that have a subject name containing C=DE and O=Org2 and does not have L=Location A nor L=Location B.
  • Rule number 3 gives permission to use all issuers that have a subject name that contains C=SE and O=Nexus.

Examples of issuers:

  • An issuer with subject OU=CA4O=Org2, and C=DE will work due to rule number 2.
  • An issuer with subject OU=QC Root CAO=Org1, and C=SE will not work because none of the rules gives permission

You can add, delete, and modify rules for each officer profile in the Administrator's workbench (AWB) and you can add, delete, and modify attribute values for each rule. For more information, see Officer profile tasks.

 Name constraints

Name constraints can be set for an officer. All end-user certificates will automatically contain the organization, organization unit and directory management domain specified in the officer profile name constraints.

 Roles

The role performed by an officer can be limited to specific functions, such as issuing, publishing or revoking certificates, working with batches, managing PIN letters, or recovering keys from the key archiving function. The role privileges given to any particular officer are determined by the officer profile that is assigned to the officer in the Create Officer request dialog.

  • No labels