000016008 - When issuing a cert via AEP, the validity period is always set to 1 year, no matter the validity specified in the extension profile/Jurisdiction.

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000016008
Applies To: RSA Certificate Manager 6.8
Auto Enrollment Proxy (AEP)
Issue

When issuing a cert via AEP, the validity period is always set to 1 year, no matter the validity specified in the extension profile/Jurisdiction.


When issued through the AEP, certificates are assigned their validity from the Minimum certificate validity of the expiry policy.


If the certificate expiry policy is set as profile based, certificates are issued with the validity of the profile that is configured on the aep.xuda page. (The validity of the profile configured under "Profile Choices" is not used.)

Cause

If the validAfter and validUntil values are not set from the GUI, Apache retrieves the values from the TTL. If the TTL is not set in the xuda page, Apache sets the validity period to 30 days. This validity period is compared against the Jurisdiction or Profile minimum or maximum expiry policy. If it is less than the minimum of the configured jurisdiction policy, certificates are issued with the configured minimum value.

The AEP xuda page is configured with a TTL value of 1 year.
Since the same signer code is used for AEP certificate issuance and there are no validAfter or validUntil values for certificates from AEP, Apache takes this TTL value as the validity. As a result, it works with the minimum validity period of the expiry policy (if the minimum validity is greater than 1 year).
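
The selection logic described under Cause, modelled as an added example (this is not RSA Certificate Manager code; the function and parameter names are hypothetical, and clamping to the policy maximum is assumed to mirror the minimum case the article describes). It shows why a profile validity that lies inside the policy bounds never reaches the issued certificate.

```python
from datetime import timedelta

DEFAULT_TTL = timedelta(days=30)  # fallback the article gives when no TTL is set


def aep_validity_prefix(ttl, policy_min, policy_max,
                        valid_after=None, valid_until=None):
    """Model of the pre-fix validity selection (hypothetical names).

    Returns (validity, source) where source records which input won.
    """
    if valid_after is not None and valid_until is not None:
        requested, source = valid_until - valid_after, "gui"
    elif ttl is not None:
        requested, source = ttl, "ttl"          # AEP requests land here
    else:
        requested, source = DEFAULT_TTL, "default"

    # The requested period is only compared against the policy bounds.
    if requested < policy_min:
        return policy_min, source + "->policy-min"
    if requested > policy_max:                  # assumption: mirrors the min case
        return policy_max, source + "->policy-max"
    return requested, source


def profile_ignored(profile_validity, ttl, policy_min, policy_max):
    """True when an AEP-issued cert would not carry the profile's validity."""
    issued, _ = aep_validity_prefix(ttl, policy_min, policy_max)
    return issued != profile_validity


if __name__ == "__main__":
    d = lambda n: timedelta(days=n)
    # Constructed sample settings: (label, TTL, policy min, policy max)
    cases = [
        ("TTL 1y, policy 30d..3y", d(365), d(30), d(1095)),
        ("TTL 1y, policy min 2y", d(365), d(730), d(1095)),
        ("TTL unset, policy min 90d", None, d(90), d(1095)),
    ]
    for label, ttl, pmin, pmax in cases:
        validity, source = aep_validity_prefix(ttl, pmin, pmax)
        print(f"{label}: {validity.days} days ({source})")
```
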

Resolution

The AEP Xuda page is configured with the time-to-live (TTL) value as one year, which is set as the validity for the certificate. As all certificates are set with this one-year validity period, users cannot have certificates with a greater or lesser validity period.

This problem is fixed in RSA Certificate Manager 6.8 build519. The validity period is now taken from the Certificate Expiry Policy configuration.

Notes

CERTMGR-3774

Legacy Article ID: a53874
