000022407 - How to configure Certificate Extension Profile for KCA OneStep

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000022407
Applies ToKeon Certificate Authority OneStep 6.0
Keon CA using OneStep sample
IssueHow to configure Certificate Extension Profile for KCA OneStep
ResolutionHere's some detailed information on Extension Profiles and the OneStep CGI:

When you create a CA, a new Jurisdiction is automatically created for that CA. You can configure that Jurisdiction, or create another Jurisdiction associated with that CA. Using the Jurisdiction automatically created for the CA is easiest. Profiles are a set of rules for certificate extension enforcement. You can set up Profile policy and specify which Profile(s) can be used for each Jurisdiction.

A bit of word-problem logic - a profile will be enforced on a certificate issued through the OneStep CGI if and only if the "Enforce Profile Definition" checkbox is checked for the Jurisdiction and a Profile has been specified to the OneStep CGI.

For the OneStep CGI flatfile demo, the Jurisdiction name must be specified in the OneStep/conf/flatdemo.conf file.

To enforce a profile on all certificates issued through the flatfile demo, perform the following steps:
1. Create a new CA
2. From the CA Operations Workbench "View CA" page (of your CA) under "Jurisdiction Configuration", select the Jurisdiction you will be using and click "Configure"
3. Optionally, in the "General Information" section, rename the Jurisdiction
4. Install the OneStep CGI as specified in the RSA Keon OneStep Developers Guide:
 - Unpack the contents of the zip file or tar file
 - Request an SSL LDAP certificate using the setupSSL utility
 - Issue the SSL LDAP certificate from Administrator Operations Workbench > Installation > Request Active
 - Retrieve the SSL LDAP certificate
5. In the Jurisdiction configuration (see step 2) "Extension Profiles" section, check the "Enforce Profile Definition" checkbox
 - The "Requestor Can Select" and "Vettor Can Override" checkboxes have no meaning for the OneStep CGI, only for manual enrollment & vetting
6. In the "Profile Choices" selection box, select the Profile(s) you want to be able to use for this Jurisdiction
7. In OneStep/conf/flatdemo.conf, add a "profile" parameter line. Here's an example:

  jurisdiction OneStep
  profile "S/MIMEv3 User"

This example shows certificate issued under the OneStep Jurisdiction by the OneStep CGI, will use S/MIME profile.


1. If you specify a Profile to the OneStep CGI, but that Profile is not selected in the "Profile Choices" select box, the CGI will return KCSOSE_PROFILE
2. If the "Enforce Profile Definition" checkbox is checked, but no Profile is specified to the CGI, it will return KCSOSE_PROFILE
3. If the "Enforce Profile Definition" checkbox is NOT checked, and a Profile is specified to the CGI, behavior is undefined. In face, the Profile will NOT be enforced on the certificates.
Profiles are referenced on page 26, 41, 47, and 64 of the RSA Keon OneStep Developers Guide. The flatfile demo specifics are on page 64.

Additional Note:

If a Profile is selected and needs to be enforced, make sure the default values for the selected extensions have been set. For example, if SKI and AKI are selected, all is fine as these extension values are automatically generated when issuing certificates. However, for KeyUsage, the required values may need to be set before a certificate can be automatically issued with those values.
Legacy Article IDa7880