|Applies To||Keon Certificate Authority OneStep 6.0|
Keon CA using OneStep sample
|Issue||How to configure Certificate Extension Profile for KCA OneStep|
|Resolution||Here's some detailed information on Extension Profiles and the OneStep CGI:|
When you create a CA, a new Jurisdiction is automatically created for that CA. You can configure that Jurisdiction, or create another Jurisdiction associated with that CA. Using the Jurisdiction automatically created for the CA is easiest. Profiles are a set of rules for certificate extension enforcement. You can set up Profile policy and specify which Profile(s) can be used for each Jurisdiction.
A bit of word-problem logic - a profile will be enforced on a certificate issued through the OneStep CGI if and only if the "Enforce Profile Definition" checkbox is checked for the Jurisdiction and a Profile has been specified to the OneStep CGI.
For the OneStep CGI flatfile demo, the Jurisdiction name must be specified in the OneStep/conf/flatdemo.conf file.
To enforce a profile on all certificates issued through the flatfile demo, perform the following steps:
1. Create a new CA
2. From the CA Operations Workbench "View CA" page (of your CA) under "Jurisdiction Configuration", select the Jurisdiction you will be using and click "Configure"
3. Optionally, in the "General Information" section, rename the Jurisdiction
4. Install the OneStep CGI as specified in the RSA Keon OneStep Developers Guide:
- Unpack the contents of the zip file or tar file
- Request an SSL LDAP certificate using the setupSSL utility
- Issue the SSL LDAP certificate from Administrator Operations Workbench > Installation > Request Active
- Retrieve the SSL LDAP certificate
5. In the Jurisdiction configuration (see step 2) "Extension Profiles" section, check the "Enforce Profile Definition" checkbox
- The "Requestor Can Select" and "Vettor Can Override" checkboxes have no meaning for the OneStep CGI, only for manual enrollment & vetting
6. In the "Profile Choices" selection box, select the Profile(s) you want to be able to use for this Jurisdiction
7. In OneStep/conf/flatdemo.conf, add a "profile" parameter line. Here's an example:
profile "S/MIMEv3 User"
In this example, every certificate issued under the OneStep Jurisdiction by the OneStep CGI will use the "S/MIMEv3 User" profile.
1. If you specify a Profile to the OneStep CGI, but that Profile is not selected in the "Profile Choices" select box, the CGI will return KCSOSE_PROFILE
2. If the "Enforce Profile Definition" checkbox is checked, but no Profile is specified to the CGI, it will return KCSOSE_PROFILE
3. If the "Enforce Profile Definition" checkbox is NOT checked, and a Profile is specified to the CGI, behavior is undefined. In fact, the Profile will NOT be enforced on the certificates.
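The three rules above, together with the Jurisdiction checkbox and the flatdemo.conf "profile" line, form a small decision table that is worth checking before a OneStep deployment goes live. The following is an added example (not RSA's own code and not part of the Keon OneStep package) that parses a flatdemo.conf-style text and predicts which of the three outcomes the CGI will produce for a given Jurisdiction configuration. The only conf line the article shows is profile "S/MIMEv3 User", so the one-pair-per-line, optionally double-quoted grammar assumed here is a simplification; the Jurisdiction class, the function names and the sample conf text are likewise constructed for the example. The KCSOSE_PROFILE return value is the one named in the article.

```python
"""Pre-flight check for the OneStep CGI profile-enforcement rules.

Added example, not part of RSA's Keon OneStep code. It models the outcomes
described in the article:
  - profile given but not in the Jurisdiction's "Profile Choices" -> KCSOSE_PROFILE
  - "Enforce Profile Definition" checked but no profile given       -> KCSOSE_PROFILE
  - checkbox checked and an offered profile given                   -> enforced
  - checkbox NOT checked                                            -> not enforced
"""
import re
from dataclasses import dataclass, field

# Assumed grammar for flatdemo.conf: one 'key value' pair per line, the
# value optionally double-quoted, lines beginning with '#' ignored. The
# article only shows the single line   profile "S/MIMEv3 User"
_LINE = re.compile(r'^\s*(\w+)\s+(?:"([^"]*)"|(\S+))\s*$')


def parse_flatdemo_conf(text: str) -> dict:
    """Return the key/value pairs found in a flatdemo.conf-style text."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable flatdemo.conf line: {raw!r}")
        key, quoted, bare = m.groups()
        conf[key] = quoted if quoted is not None else bare
    return conf


@dataclass
class Jurisdiction:
    """Constructed model of the Jurisdiction settings the article refers to."""
    name: str
    enforce_profile_definition: bool          # the "Enforce Profile Definition" checkbox
    profile_choices: set = field(default_factory=set)  # the "Profile Choices" box


ENFORCED = "profile enforced"
NOT_ENFORCED = "profile not enforced"
ERROR = "KCSOSE_PROFILE"


def predict_outcome(jur: Jurisdiction, conf: dict) -> str:
    """Apply the article's three rules to a Jurisdiction plus a parsed conf."""
    profile = conf.get("profile")
    # Rule 1: a profile the Jurisdiction does not offer is an error. The
    # article words this independently of the checkbox, so it is checked first.
    if profile is not None and profile not in jur.profile_choices:
        return ERROR
    if jur.enforce_profile_definition:
        if profile is None:
            return ERROR          # rule 2: enforcement on, nothing to enforce
        return ENFORCED           # checkbox on and an offered profile given
    # Rule 3: checkbox off -> the article says the profile is not enforced
    return NOT_ENFORCED


def check_deployment(conf_text: str, jur: Jurisdiction) -> dict:
    """Convenience wrapper: parse the conf text and report the prediction."""
    conf = parse_flatdemo_conf(conf_text)
    return {"profile": conf.get("profile"), "outcome": predict_outcome(jur, conf)}


# Constructed sample conf text mirroring the article's example line.
SAMPLE_CONF = """
# flatfile demo configuration (constructed sample)
profile "S/MIMEv3 User"
"""

if __name__ == "__main__":
    jur = Jurisdiction("OneStep", enforce_profile_definition=True,
                       profile_choices={"S/MIMEv3 User"})
    print(check_deployment(SAMPLE_CONF, jur))
```

Run the script as-is to see the enforced case; flip enforce_profile_definition to False, remove the profile line, or name a profile that is not in profile_choices to reproduce the other two outcomes before touching the live configuration.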
Profiles are referenced on page 26, 41, 47, and 64 of the RSA Keon OneStep Developers Guide. The flatfile demo specifics are on page 64.
If a Profile is selected and needs to be enforced, make sure the default values for the selected extensions have been set. For example, if SKI and AKI are selected, all is fine as these extension values are automatically generated when issuing certificates. However, for KeyUsage, the required values may need to be set before a certificate can be automatically issued with those values.
|Legacy Article ID||a7880|