When issuing a cert via AEP the validity period is always set to 1 year no matter the validity specified in the extension profile/Jurisdiction.
3 years ago
Originally Published: 2011-02-08
Article Number
000048381
Applies To
RSA Certificate Manager 6.8
Auto Enrollment Proxy (AEP)
Issue

When issuing a cert via AEP, the validity period is always set to 1 year, no matter the validity specified in the extension profile/Jurisdiction.


Certificates are assigned validity from the Minimum certificate validity expiry policy when issued through the AEP.


 If certificate expiry policy set as profile based, then certificates are issued with the validity of profile which is configured under aep.xuda page. (It will not take the validity of profile configured under "Profile Choices").
Cause
If validAfter and validUntil values are not set from GUI, Apache retrieves the values from TTL. If TTL is not set in xuda page, apache sets the validity period as 30 days. This validity period compare against the Jurisdiction or Profile min or max expiry policy. If it is minimum than the configured jurisdiction policy, then certificates are issued with configured minimum value.

AEP xuda page configured with TTL value as 1 year.
Since we are using same signer code for AEP certificate issuance and there are no validAfter or validUntil values for certificate from AEP, apache takes this TTL value for validity. So that, it is working with minimum validity period (if min. validity > 1year) of expiry policy.


Resolution

The AEP Xuda page is configured with the time-to-live (TTL) value as one year, which is set as the validity for the certificate. As all certificates are set with this one-year validity period, users cannot have certificates with greater or lesser validity period.

This problem is fixed in RSA Certificate Manager 6.8 build519. The validity period is now taken from the Certificate Expiry Policy configuration.


Notes

CERTMGR-3774


Related Articles

Trending Articles

Don't see what you're looking for?