Updated on 2022-04-02 GMT+08:00

Configuring a Certificate Profile

Context

  • A certificate profile is a set of rules and settings used for certificate application and management. These rules and settings can be as simple or as complex as your requirements demand.
  • Predefined profiles are default profiles provided by the system; they cannot be deleted or modified. Table 1 describes the main parameters of the predefined profiles. The values shown on the Certificate Profile page prevail if they differ from the table.
    Table 1 Predefined profile parameters

    Certificate policy OID and Subject are shared by every predefined profile:
      • Certificate policy OID: 2.5.29.32.0
      • Subject: Common name (CN), Country name (C), Organization (O), Organizational unit (OU)

    Root CA
      • Labels:
        ROOT_CA_PREDEFINED_RSA4096: key algorithm RSA, key length 4096, ECDSA key type N/A
        ROOT_CA_PREDEFINED_ECDSA384: key algorithm ECDSA, key length 384, ECDSA key type ECsecp384r1
      • Description: The root CA is the most secure and trusted level. To create a root CA certificate, use this profile.
      • Validity: 40 years
      • Basic constraints: Critical; Type: CA; Path length constraint: None
      • Key usage: Digital signature, CRL signature, Certificate signature

    Subordinate CA
      • Labels:
        SUB_CA_PREDEFINED_RSA4096: key algorithm RSA, key length 4096, ECDSA key type N/A
        SUB_CA_PREDEFINED_ECDSA384: key algorithm ECDSA, key length 384, ECDSA key type ECsecp384r1
      • Description: This profile is used to apply for a subordinate CA certificate from the root CA or another subordinate CA. To build a multi-level CA certificate chain, use this profile.
      • Validity: 25 years
      • Basic constraints: Critical; Type: CA; Path length constraint: 0
      • Key usage: Digital signature, CRL signature, Certificate signature

    End entity
      • Labels:
        END_ENTITY_PREDEFINED_RSA2048: key algorithm RSA, key length 2048, ECDSA key type N/A
        END_ENTITY_PREDEFINED_RSA3072: key algorithm RSA, key length 3072, ECDSA key type N/A
        END_ENTITY_PREDEFINED_ECDSA256: key algorithm ECDSA, key length 256, ECDSA key type ECprime256v1
      • Description: This profile is used to apply for an end entity certificate from the root CA or a subordinate CA.
      • Validity: 2 years
      • Basic constraints: Type: End entity; Path length constraint: None
      • Key usage: Digital signature, Content commitment (non-repudiation), Key encipherment, Data encipherment, Key agreement
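Table 1 shows why the predefined chain works: the root CA has no path length constraint and the subordinate CA has path length 0, so the subordinate can issue only end entity certificates. The Python below is an added example, not code from the product or its documentation. It models the Basic constraints of the three predefined levels, plans the path lengths of an n-layer hierarchy with the n - 2, n - 3, ... rule described under Table 2, and checks a chain against the path length processing of RFC 5280 section 6.1.4. The CertShape class, the ROOT, SUB_CA and END_ENTITY models, and the sample chains are constructed assumptions.

```python
"""Plan and check path length constraints for a CA hierarchy.

Added example, not part of the product documentation: CertShape and the
profile models below are assumptions that mirror Table 1's Basic constraints."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CertShape:
    """Basic-constraints view of one certificate in a chain."""
    label: str
    is_ca: bool
    path_len: Optional[int] = None  # None: no path length constraint


# Constructed models of the three predefined levels (Table 1).
ROOT = CertShape("ROOT_CA_PREDEFINED_RSA4096", is_ca=True, path_len=None)
SUB_CA = CertShape("SUB_CA_PREDEFINED_RSA4096", is_ca=True, path_len=0)
END_ENTITY = CertShape("END_ENTITY_PREDEFINED_RSA2048", is_ca=False)


def plan_path_lengths(layers: int) -> List[int]:
    """Path length for each CA of an n-layer hierarchy, root first:
    n-2 for the root, n-3 for the next CA, ... down to 0.  A two-layer
    hierarchy (root -> end entity) gives the root a path length of 0."""
    if layers < 2:
        raise ValueError("need at least one CA and one end entity")
    return [layers - 2 - i for i in range(layers - 1)]


def check_chain(chain: List[CertShape]) -> List[str]:
    """Walk a chain ordered root -> ... -> end entity and list every
    basic-constraints violation (RFC 5280 section 6.1.4): each issuer must
    be a CA, and a CA with path length k permits at most k further CA
    certificates between itself and the end entity."""
    problems: List[str] = []
    budget: Optional[int] = None   # remaining intermediate CAs allowed
    limiter = ""                   # label of the CA whose constraint binds
    for index, cert in enumerate(chain[:-1]):   # the last cert issues nothing
        if not cert.is_ca:
            problems.append(f"{cert.label}: non-CA certificate used as an issuer")
            continue
        if index > 0 and budget is not None:    # an intermediate CA uses one slot
            if budget == 0:
                problems.append(f"{cert.label}: exceeds the path length "
                                f"constraint set by {limiter}")
            else:
                budget -= 1
        # a tighter constraint on this CA lowers the budget for everything below it
        if cert.path_len is not None and (budget is None or cert.path_len < budget):
            budget, limiter = cert.path_len, cert.label
    return problems


def main() -> None:
    print("four-layer plan:", plan_path_lengths(4))            # [2, 1, 0]
    print("predefined chain:", check_chain([ROOT, SUB_CA, END_ENTITY]) or "ok")
    too_deep = [ROOT, SUB_CA, CertShape("SUB_CA_2", True, 0), END_ENTITY]
    print("extra subordinate CA:", check_chain(too_deep))


if __name__ == "__main__":
    main()
```

The four-layer example from the page (root 2, subordinate CA1 1, subordinate CA2 0) passes check_chain unchanged, while inserting a second subordinate CA under SUB_CA_PREDEFINED_RSA4096 is reported because its path length of 0 leaves no room for another CA.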

Procedure

  1. Choose System > About > Certificate Authority Service from the main menu.
  2. Choose PKI Management > Certificate Profile from the navigation tree on the left.
  3. Click New and set required parameters.

    For detailed parameter descriptions, see Table 2.

    Table 2 Certificate profile parameters

    Label
      Description: Name of a certificate profile.
      Value: A string of 1 to 45 characters containing letters, digits, underscores (_), and hyphens (-). The name cannot be empty or all (case-insensitive).

    Certificate level
      Description: Certificate level, which can be Root CA, Subordinate CA, or End entity.
      Value: N/A

    Description
      Description: Description of a certificate profile.
      Value: A string of 0 to 128 characters containing digits, uppercase letters, lowercase letters, spaces, and the special characters ( , . ! : ; ? ).

    Subject
      Description: Identifiable alias of the certificate user, made up of Common name (CN), Country name (C), Email address (E), Organization (O), Organizational unit (OU), State (ST), Locality (L), Domain component (DC), and User identifier (UID).
      Value: Common name is mandatory by default and cannot be deselected. When subject information is filled in for the profile, the common name is a string of 1 to 127 characters containing uppercase letters, lowercase letters, digits, spaces, hyphens (-), colons (:), and dots (.). If Domain component is selected, a maximum of 4 domain components can be configured when domain component information is set in the profile.

    Validity period
      Description: Validity period of a certificate profile.
      Value: The validity period can be set in units of days, months, or years. The maximum validity period is 18250 days.

    Key algorithm
      Description: Key algorithm, which can be RSA or ECDSA.
      Value: N/A

    Key length
      Description: If RSA is selected, the available options are 2048, 3072, 4096, and 8192. If ECDSA is selected, the available options are 256, 384, and 521.
      Value: N/A

    ECDSA key type
      Description: Available options: ECprime256v1, ECsecp256r1, ECsecp384r1, ECsecp521r1.
      NOTE: Set this parameter only when ECDSA is selected as the key algorithm.
      Value: N/A

    Subject key identifier
      Description: Unique identifier of the subject public key.
      Value: N/A

    Authority key identifier
      Include issuer and SN
        Description: Unique identifier of the key used to sign the certificate. It distinguishes between multiple key pairs belonging to the same issuer.
        Value: N/A

    Basic constraints
      Description: Used to ensure that certificates are used only for certain purposes.
      Value: N/A

    Path length constraint
      Description: A path length constraint of 0 means that the CA certificate can issue only end entity certificates in a valid certification path. A value greater than 0 is the maximum number of intermediate subordinate CA certificates that may appear in the path from this CA certificate down to the end entity certificates. If a CA hierarchy has n layers, the path length constraint of the top-layer CA certificate is n - 2, and those of the lower-layer CA certificates are n - 3, n - 4, and so on; the result is always greater than or equal to 0.
      For example, if n is 4, the four-layer hierarchy is root CA > subordinate CA1 > subordinate CA2 > end entity certificate: the root CA issues subordinate CA1, subordinate CA1 issues subordinate CA2, and subordinate CA2 issues the end entity certificate. In this case, the path length of the root CA is 2, that of subordinate CA1 is 1, and that of subordinate CA2 is 0.
      NOTE: The path length constraint can be set only when Certificate level is Root CA or Subordinate CA.
      Value: The path length constraint must range from 0 to 9.

    Subject alternative name
      Domain name
        Description: Domain name contained in the alternative name of the entity the certificate is issued to.
      IP address
        Description: IP address contained in the alternative name of the entity the certificate is issued to.
      Value: If Subject alternative name is selected, a maximum of 16 domain names and IP addresses in total can be configured when subject alternative name information is set in the profile.

    Certificate policy
      Description: A certificate policy defines the rules under which certificates are issued and the scenarios in which they may be used. A certificate policy ID is an object identifier (OID); 2.5.29.32.0 means any policy. To define your own certificate policy, you must create a certificate policy ID built under the enterprise ID allocated by the IANA. You can obtain an enterprise ID from the IANA free of charge.
      A certificate policy consists of a certificate policy ID and a qualifier. The certificate policy ID must be unique within the certificate policy extension of a certificate. The qualifier carries detailed, policy-dependent information and is one of three types:
        • No policy qualifier: the certificate policy carries no additional information.
        • CPS URI: the URI of the certification practice statement (CPS) published by the CA.
        • User notice text: a notice displayed to certificate users.
      Value: A maximum of four certificate policies can be created for each certificate profile. The certificate policy ID must be a string of 3 to 256 characters prefixed with 0., 1., or 2. A component that starts with 0 cannot be followed by other digits: for example, 2.5.29.32.0 is in the correct format, but 2.02 is not. The CPS URI must contain 1 to 256 characters. The user notice text must contain 1 to 200 characters, including digits, uppercase letters, lowercase letters, spaces, and the special characters ( , . ! : ; ? ).

    Key usage
      Digital signature
        Description: A signature generated using the private key of the issuer. It is used for entity authentication and data origin authentication with integrity.
        Value: If the certificate level of the profile is End entity, Digital signature is selected by default and can be deselected.
      Content commitment (non-repudiation)
        Description: Used to verify digital signatures that provide a non-repudiation service, preventing the signing entity from falsely denying certain operations. In a later dispute, a trusted third party can determine the authenticity of the signed data.
        Value: N/A
      Key encipherment
        Description: Used to encrypt private or secret keys during key transport.
        Value: N/A
      CRL signature
        Description: Required when the subject public key is used to verify signatures on revocation information (such as a CRL).
        Value: If the certificate level of the profile is Root CA or Subordinate CA, CRL signature is selected by default and can be deselected.
      Data encipherment
        Description: Used to encrypt important user data directly, rather than keys.
        Value: N/A
      Certificate signature
        Description: Used to verify signatures on public key certificates.
        Value: If the certificate level of the profile is Root CA or Subordinate CA, Certificate signature is selected by default and can be deselected.
      Key agreement
        Description: Used in key agreement protocols. For example, select this option when Diffie-Hellman keys are used for key management.
        Value: If the certificate level of the profile is End entity, Key agreement is selected by default and can be deselected.
      Encipher only
        Description: The key may be used to encipher data only while a key agreement protocol is running.
        Value: N/A
      Decipher only
        Description: The key may be used to decipher data only while a key agreement protocol is running.
        Value: N/A

    Extended key usage
      TLS web server identity authentication
        Description: Authenticates a TLS web server. Digital signature, Key encipherment, or Key agreement may also be used for this purpose.
        Value: N/A
      TLS web client identity authentication
        Description: Authenticates a TLS web client. Digital signature and/or Key agreement may also be used for this purpose.
        Value: N/A
      Sign executable code
        Description: Signs downloadable executable code. Digital signature may also be used for this purpose.
        Value: N/A
      Timestamping
        Description: Binds the hash of an object to a time. Digital signature and/or Content commitment may also be used for this purpose.
        Value: N/A
      Email protection
        Description: Protects email. Digital signature, Content commitment, and/or Key encipherment or Key agreement may also be used for this purpose.
        Value: N/A
      IPSec end system
        Description: IP security end system.
        Value: N/A
      IPSec user
        Description: IP security user.
        Value: N/A
      IPSec tunnel
        Description: IP security tunnel.
        Value: N/A

    CRL distribution point
      Description: A location where CRLs are published. Use this parameter to obtain the CRL corresponding to the certificate. This parameter cannot be set when Certificate level is Root CA.
      Value:
        • Critical: Certificate users perform strict verification on extensions marked as critical.
        • Required: A certificate request must contain this extension.
        • Permitted in request: When the certificate is issued, the value of this extension in the request is used.

  4. Click Submit.

    You can click Reset to clear parameter settings.
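Most of the Value column of Table 2 is a validation rule: label format, validity range, key length per algorithm, ECDSA key type, path length range and level, policy OID format and count, SAN and domain component limits, and no CRL distribution point on a root CA. The Python below is an added example, not the product's own code, that applies those rules to a profile definition before it is submitted. The dict layout and key names (label, level, validity_days, key_usage, and so on) are assumptions, the bad profile is constructed, and the two checks marked RFC 5280 go beyond the page's own rules.

```python
"""Lint a certificate-profile definition against the value rules of Table 2.

Added example, not the product's own code: the dict layout and key names are
assumptions for this demonstration.  Two checks marked RFC 5280 go beyond
the page's own rules."""
import re
from typing import Any, Dict, List

LABEL_RE = re.compile(r"^[A-Za-z0-9_-]{1,45}$")
# Prefix 0./1./2.; an arc may be 0 but cannot start with 0 (2.5.29.32.0 ok, 2.02 not)
OID_RE = re.compile(r"^[0-2](\.(0|[1-9][0-9]*))+$")
RSA_LENGTHS = {2048, 3072, 4096, 8192}
ECDSA_LENGTHS = {256, 384, 521}
ECDSA_TYPES = {"ECprime256v1", "ECsecp256r1", "ECsecp384r1", "ECsecp521r1"}
CA_LEVELS = {"Root CA", "Subordinate CA"}
LEVELS = CA_LEVELS | {"End entity"}
MAX_VALIDITY_DAYS = 18250


def valid_policy_oid(oid: str) -> bool:
    """Policy ID rule: 3 to 256 characters, 0./1./2. prefix, no leading zeros."""
    return 3 <= len(oid) <= 256 and OID_RE.match(oid) is not None


def lint_profile(p: Dict[str, Any]) -> List[str]:
    """Return the rule violations found; an empty list means the profile passes."""
    f: List[str] = []
    label = p.get("label", "")
    if not LABEL_RE.match(label) or label.lower() == "all":
        f.append("label: 1-45 letters, digits, _ or -, and not 'all'")
    level = p.get("level")
    if level not in LEVELS:
        f.append(f"level: unknown certificate level {level!r}")
    if "CN" not in p.get("subject", []):
        f.append("subject: Common name (CN) is mandatory")
    if len(p.get("subject_dc", [])) > 4:
        f.append("subject: at most 4 domain components")
    if not 1 <= p.get("validity_days", 0) <= MAX_VALIDITY_DAYS:
        f.append(f"validity: must be 1 to {MAX_VALIDITY_DAYS} days")
    alg, length = p.get("key_algorithm"), p.get("key_length")
    if alg == "RSA" and length not in RSA_LENGTHS:
        f.append(f"key length: RSA allows {sorted(RSA_LENGTHS)}")
    elif alg == "ECDSA":
        if length not in ECDSA_LENGTHS:
            f.append(f"key length: ECDSA allows {sorted(ECDSA_LENGTHS)}")
        if p.get("ecdsa_key_type") not in ECDSA_TYPES:
            f.append("ECDSA key type: must be set when ECDSA is selected")
    elif alg != "RSA":
        f.append(f"key algorithm: unknown {alg!r}")
    path_len = p.get("path_length")
    if path_len is not None:
        if level not in CA_LEVELS:
            f.append("path length: only for Root CA or Subordinate CA profiles")
        elif not 0 <= path_len <= 9:
            f.append("path length: must range from 0 to 9")
    policies = p.get("certificate_policies", [])
    if len(policies) > 4:
        f.append("certificate policy: at most 4 per profile")
    for pol in policies:
        if not valid_policy_oid(pol.get("oid", "")):
            f.append(f"certificate policy: bad OID {pol.get('oid')!r}")
        if "cps_uri" in pol and not 1 <= len(pol["cps_uri"]) <= 256:
            f.append("certificate policy: CPS URI must be 1 to 256 characters")
        if "user_notice" in pol and not 1 <= len(pol["user_notice"]) <= 200:
            f.append("certificate policy: user notice must be 1 to 200 characters")
    if len(p.get("san_dns", [])) + len(p.get("san_ip", [])) > 16:
        f.append("subject alternative name: at most 16 names and addresses in total")
    if level == "Root CA" and p.get("crl_distribution_point"):
        f.append("CRL distribution point: cannot be set for a Root CA profile")
    usage = set(p.get("key_usage", []))
    # RFC 5280 consistency checks (assumptions beyond the page's own rules)
    if usage & {"Encipher only", "Decipher only"} and "Key agreement" not in usage:
        f.append("key usage: Encipher/Decipher only require Key agreement (RFC 5280)")
    if level in CA_LEVELS and "Certificate signature" not in usage:
        f.append("key usage: a CA profile needs Certificate signature to issue (RFC 5280)")
    return f


# Constructed model of ROOT_CA_PREDEFINED_RSA4096 (Table 1); 40 years as 365-day years.
ROOT_RSA4096 = {
    "label": "ROOT_CA_PREDEFINED_RSA4096", "level": "Root CA",
    "subject": ["CN", "C", "O", "OU"], "validity_days": 40 * 365,
    "key_algorithm": "RSA", "key_length": 4096, "path_length": None,
    "key_usage": ["Digital signature", "CRL signature", "Certificate signature"],
    "certificate_policies": [{"oid": "2.5.29.32.0"}],
}

# Constructed profile that breaks several rules at once (placeholder CRL URL).
BAD_PROFILE = {
    "label": "all", "level": "End entity", "subject": ["O"],
    "validity_days": 20000, "key_algorithm": "ECDSA", "key_length": 512,
    "path_length": 3, "certificate_policies": [{"oid": "2.02"}],
    "key_usage": ["Encipher only"], "crl_distribution_point": "http://crl.example/placeholder.crl",
}

if __name__ == "__main__":
    print("root:", lint_profile(ROOT_RSA4096) or "ok")
    for finding in lint_profile(BAD_PROFILE):
        print("bad:", finding)
```

Run as a script, the predefined root profile passes cleanly and the constructed bad profile produces one finding per broken rule (label, subject, validity, key length, ECDSA key type, path length, policy OID, and the encipher-only check), which is the list you would want to see before clicking Submit rather than after a certificate has been issued against a faulty profile.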

Related Tasks

  • Viewing a certificate profile

    On the Certificate Profile page, click the name of a certificate profile. Then you can view the detailed information about this certificate profile.

  • Modifying a certificate profile

    On the Certificate Profile page, click Modify in the Operation column of a certificate profile. Then you can modify the configuration of this certificate profile.

    • The certificate profile name cannot be changed when you modify the certificate profile configuration.
    • The predefined certificate profile cannot be modified.
    • If the certificate level of a profile is Subordinate CA or End-entity and the profile has been associated with a CA, the certificate level of the profile cannot be changed to Root CA.
  • Copying a certificate profile

    On the Certificate Profile page, click Copy in the Operation column of a certificate profile. Then you can copy this certificate profile and rename it.

  • Deleting a certificate profile

    On the Certificate Profile page, click Delete in the Operation column of a certificate profile.

    The predefined certificate profile cannot be deleted.

  • Searching for a certificate profile

    On the Certificate Profile page, enter a certificate profile name in the search box and click the search button. The Certificate Authority Service supports fuzzy search by certificate profile name.