Configuring a Certificate Profile
Context
- A certificate profile is a set of rules and settings used for certificate application and management. These rules and settings can be simple or complex to meet your varying requirements.
- Predefined profiles are default profiles provided by the system and cannot be deleted or modified. For detailed parameter descriptions, see Table 1. The table describes some parameters of the predefined profiles; the actual configuration is the one shown on the page.
Table 1 Predefined profile parameters

Root CA
- Labels: ROOT_CA_PREDEFINED_RSA4096 (key algorithm RSA, key length 4096, ECDSA key type N/A) and ROOT_CA_PREDEFINED_ECDSA384 (key algorithm ECDSA, key length 384, ECDSA key type ECsecp384r1)
- Description: The root CA is the most secure and trusted CA. To create a root CA certificate, use this profile.
- Validity: 40 years
- Basic constraints: Critical; Type: CA; Path length constraint: None
- Key usage: Digital signature, CRL signature, Certificate signature
- Certificate policy OID: 2.5.29.32.0
- Subject: Common name (CN), Country name (C), Organization (O), Organizational unit (OU)

Subordinate CA
- Labels: SUB_CA_PREDEFINED_RSA4096 (key algorithm RSA, key length 4096, ECDSA key type N/A) and SUB_CA_PREDEFINED_ECDSA384 (key algorithm ECDSA, key length 384, ECDSA key type ECsecp384r1)
- Description: This profile is used to apply for a subordinate CA certificate from the root CA or another subordinate CA. To construct a multi-level CA certificate chain, use this profile.
- Validity: 25 years
- Basic constraints: Critical; Type: CA; Path length constraint: 0
- Key usage: Digital signature, CRL signature, Certificate signature
- Certificate policy OID: 2.5.29.32.0
- Subject: Common name (CN), Country name (C), Organization (O), Organizational unit (OU)

End entity
- Labels: END_ENTITY_PREDEFINED_RSA2048 (key algorithm RSA, key length 2048, ECDSA key type N/A), END_ENTITY_PREDEFINED_RSA3072 (key algorithm RSA, key length 3072, ECDSA key type N/A) and END_ENTITY_PREDEFINED_ECDSA256 (key algorithm ECDSA, key length 256, ECDSA key type ECprime256v1)
- Description: This profile is used to apply for an end entity certificate from the root CA or a subordinate CA. To apply for an end entity certificate, use this profile.
- Validity: 2 years
- Basic constraints: Type: End entity; Path length constraint: None
- Key usage: Digital signature, Content commitment (non-repudiation), Key encipherment, Data encipherment, Key agreement
- Certificate policy OID: 2.5.29.32.0
- Subject: Common name (CN), Country name (C), Organization (O), Organizational unit (OU)
Procedure
- Choose from the main menu.
- Choose from the navigation tree on the left.
- Click New and set required parameters.
For detailed parameter descriptions, see Table 2.
Table 2 Certificate profile parameters

Label
- Description: Name of a certificate profile.
- Value: A string of 1 to 45 characters containing letters, digits, underscores (_), and hyphens (-). The name cannot be empty or "all" (case insensitive).

Certificate level
- Description: Certificate level, which can be Root CA, Subordinate CA, or End entity.
- Value: N/A

Description
- Description: Description of a certificate profile.
- Value: A string of 0 to 128 characters containing digits, uppercase letters, lowercase letters, spaces, and the special characters: ( , . ! : ; ? ).

Subject
- Description: Identifiable alias of the certificate user, including Common name (CN), Country name (C), Email address (E), Organization (O), Organizational unit (OU), State (ST), Locality (L), Domain component (DC), and User identifier (UID).
- Value: By default, Common name is mandatory and cannot be deselected. When subject information is filled in for the profile, the common name is a string of 1 to 127 characters containing uppercase letters, lowercase letters, digits, spaces, hyphens (-), colons (:), and dots (.). If Domain component is selected, a maximum of 4 domain components can be configured at a time.

Validity period
- Description: Validity period of a certificate profile.
- Value: Set in units of day, month, or year. The maximum validity period is 18250 days.

Key algorithm
- Description: Key algorithm, which can be RSA or ECDSA.
- Value: N/A

Key length
- Description: If RSA is selected, the available options are 2048, 3072, 4096, and 8192. If ECDSA is selected, the available options are 256, 384, and 521.
- Value: N/A

ECDSA key type
- Description: Available options: ECprime256v1, ECsecp256r1, ECsecp384r1, ECsecp521r1. NOTE: Set this parameter when you select the ECDSA algorithm.
- Value: N/A
Subject key identifier
- Description: Unique identifier of the subject's public key.
- Value: N/A

Authority key identifier: Include issuer and SN
- Description: Unique identifier of the key that signed the certificate. It distinguishes between multiple key pairs of the same issuer.
- Value: N/A

Basic constraints
- Description: Indicates whether the subject is a CA and restricts the certificate to its intended uses.
- Value: N/A

Basic constraints: Path length constraint
- Description: When the path length constraint extension is 0, the CA certificate can issue only end entity certificates in a valid certificate path. When it is greater than 0, it is the maximum number of intermediate subordinate CA certificates that may appear in the path from this CA certificate to the end entity certificates. If a CA system has n layers, the path length constraint of the top-layer CA certificate is n - 2, and those of the lower-layer CA certificates are n - 3, n - 4, and so on; the result is always greater than or equal to 0. For example, if n is 4, the four-layer structure is root CA > subordinate CA1 > subordinate CA2 > end entity certificate: the root CA issues subordinate CA1, subordinate CA1 issues subordinate CA2, and subordinate CA2 issues the end entity certificate. In this case, the path length of the root CA is 2, that of subordinate CA1 is 1, and that of subordinate CA2 is 0. NOTE: The path length constraint can be set only when Certificate level is set to Root CA or Subordinate CA.
- Value: The path length constraint must range from 0 to 9.
Subject alternative name: Domain name
- Description: Domain name included in the alternative name of the entity the certificate is issued to.
- Value: If Subject alternative name is selected, a maximum of 16 domain names and IP addresses in total can be configured at a time.

Subject alternative name: IP address
- Description: IP address included in the alternative name of the entity the certificate is issued to.
- Value: Counted towards the same limit of 16 domain names and IP addresses in total.

Certificate policy
- Description: A certificate policy defines the policy for issuing certificates and the application scenarios of the certificates. A certificate policy ID is an object identifier (OID); 2.5.29.32.0 indicates any policy. If you need to customize your own certificate policy, you must create a certificate policy ID, which must be constructed under the enterprise ID allocated by the IANA. You can obtain an enterprise ID from the IANA free of charge. A certificate policy consists of a certificate policy ID and a qualifier. The certificate policy ID must be unique within the certificate policy extension of a certificate. The qualifier expresses the detailed information that depends on the policy. The qualifier includes the following three types:
- Value: A maximum of four certificate policies can be created for each certificate profile. The certificate policy ID must be a string of 3 to 256 characters prefixed with 0., 1., or 2. If a period (.) is followed by 0, that 0 cannot be followed by other digits. For example, 2.5.29.32.0 is in the correct format, but 2.02 is not. The CPS URI must contain 1 to 256 characters. The user notice text must contain 1 to 200 characters, including digits, uppercase letters, lowercase letters, spaces, and the special characters: ( , . ! : ; ? ).
Key usage: Digital signature
- Description: Allows the key to generate digital signatures. It is used for entity authentication and data origin authentication with integrity protection.
- Value: If the certificate level of the profile is End entity, Digital signature is selected by default for Key usage and can be deselected.

Key usage: Content commitment (non-repudiation)
- Description: Allows the key to generate digital signatures that provide a non-repudiation service, preventing the signing entity from falsely denying an action. In a later dispute, a trusted third party can determine the authenticity of the signed data.
- Value: N/A

Key usage: Key encipherment
- Description: Allows the key to encrypt private or secret keys during key transport.
- Value: N/A

Key usage: CRL signature
- Description: Required when the subject public key is used to verify the signature on revocation information (such as a CRL).
- Value: If the certificate level of the profile is Root CA or Subordinate CA, CRL signature is selected by default for Key usage and can be deselected.

Key usage: Data encipherment
- Description: Allows the key to encrypt user data directly, rather than keys.
- Value: N/A

Key usage: Certificate signature
- Description: Required when the subject public key is used to verify the signature on public key certificates.
- Value: If the certificate level of the profile is Root CA or Subordinate CA, Certificate signature is selected by default for Key usage and can be deselected.

Key usage: Key agreement
- Description: Allows the key to be used in a key agreement protocol. For example, select this option when a Diffie-Hellman key is used for key management.
- Value: If the certificate level of the profile is End entity, Key agreement is selected by default for Key usage and can be deselected.

Key usage: Encipher only
- Description: When Key agreement is also selected, the key can be used only to encrypt data while performing key agreement.
- Value: N/A

Key usage: Decipher only
- Description: When Key agreement is also selected, the key can be used only to decrypt data while performing key agreement.
- Value: N/A
Extended key usage: TLS web server identity authentication
- Description: Authenticates a TLS web server. The key usages Digital signature, Key encipherment, or Key agreement may also be set for this purpose.
- Value: N/A

Extended key usage: TLS web client identity authentication
- Description: Authenticates a TLS web client. The key usages Digital signature and/or Key agreement may also be set for this purpose.
- Value: N/A

Extended key usage: Sign executable code
- Description: Signs downloadable executable code. The key usage Digital signature may also be set for this purpose.
- Value: N/A

Extended key usage: Timestamping
- Description: Binds the hash of an object to a time. The key usages Digital signature and/or Content commitment may also be set for this purpose.
- Value: N/A

Extended key usage: Email protection
- Description: Protects emails. The key usages Digital signature, Content commitment, and/or Key encipherment or Key agreement may also be set for this purpose.
- Value: N/A

Extended key usage: IPSec end system
- Description: IP security end system.
- Value: N/A

Extended key usage: IPSec user
- Description: IP security user.
- Value: N/A

Extended key usage: IPSec tunnel
- Description: IP security tunnel.
- Value: N/A

CRL distribution point
- Description: The location where CRLs are published. The CRL corresponding to the certificate can be obtained from this location.
- Value: This parameter cannot be set when Certificate level is set to Root CA.
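The constraints in Table 2 can be checked before a profile is submitted. The following is an added example, not code from the page or the Certificate Authority Service; the profile dictionary layout, the field names, and expressing the validity in days are assumptions of the example.

```python
import re

# Added example, not from the page: checks a proposed profile against the Table 2 rules.
# The profile dict layout and giving the validity in days are assumptions of this example.
LABEL_RE = re.compile(r"[A-Za-z0-9_-]{1,45}")
# Policy OID: first arc 0, 1 or 2; every later arc is 0 or a number without a leading zero.
OID_RE = re.compile(r"[012](?:\.(?:0|[1-9][0-9]*))+")
KEY_LENGTHS = {"RSA": {2048, 3072, 4096, 8192}, "ECDSA": {256, 384, 521}}
ECDSA_TYPES = {"ECprime256v1", "ECsecp256r1", "ECsecp384r1", "ECsecp521r1"}
CA_LEVELS = {"Root CA", "Subordinate CA"}

def is_valid_policy_oid(oid):
    """3 to 256 characters, prefixed 0./1./2., no leading-zero arc (2.5.29.32.0 passes, 2.02 fails)."""
    return 3 <= len(oid) <= 256 and OID_RE.fullmatch(oid) is not None

def validate_profile(p):
    """Return the Table 2 rules the profile violates; an empty list means it passes."""
    errors = []
    label = p.get("label", "")
    if not LABEL_RE.fullmatch(label) or label.lower() == "all":
        errors.append("label: 1-45 letters, digits, _ or -, and not 'all'")
    if not 1 <= p.get("validity_days", 0) <= 18250:
        errors.append("validity: at most 18250 days")
    alg = p.get("key_algorithm")
    if p.get("key_length") not in KEY_LENGTHS.get(alg, set()):
        errors.append(f"key length: not an option for {alg}")
    if alg == "ECDSA" and p.get("ecdsa_key_type") not in ECDSA_TYPES:
        errors.append("ECDSA key type: must be set when ECDSA is selected")
    level, plc = p.get("certificate_level"), p.get("path_length_constraint")
    if plc is not None and (level not in CA_LEVELS or not 0 <= plc <= 9):
        errors.append("path length constraint: 0-9, and only for Root CA or Subordinate CA")
    if len(p.get("domain_components", [])) > 4:
        errors.append("subject: at most 4 domain components")
    if len(p.get("san_domain_names", [])) + len(p.get("san_ip_addresses", [])) > 16:
        errors.append("SAN: at most 16 domain names and IP addresses in total")
    policies = p.get("certificate_policies", [])
    if len(policies) > 4 or len(set(policies)) != len(policies):
        errors.append("certificate policy: at most 4 policies, each OID unique")
    errors += [f"certificate policy: bad OID {o}" for o in policies if not is_valid_policy_oid(o)]
    if level == "Root CA" and p.get("crl_distribution_point"):
        errors.append("CRL distribution point: cannot be set for a Root CA profile")
    return errors

# Constructed sample mirroring SUB_CA_PREDEFINED_RSA4096 from Table 1 (25 years as 25 * 365 days).
SAMPLE_SUB_CA = {
    "label": "SUB_CA_PREDEFINED_RSA4096", "certificate_level": "Subordinate CA",
    "validity_days": 25 * 365, "key_algorithm": "RSA", "key_length": 4096,
    "path_length_constraint": 0, "certificate_policies": ["2.5.29.32.0"],
}
```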
- Click Submit.
You can click Reset to clear parameter settings.
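The path length rule described under Basic constraints in Table 2 (top-layer CA n - 2, then n - 3, and so on down to 0) can be derived and checked programmatically. The following is an added example, not code from the page; the chain labels are constructed, and a path length of None stands for a CA certificate whose constraint is not set.

```python
# Added example, not from the page: derive the per-layer path length constraints and check a
# proposed chain. Chain entries are (label, is_ca, path_len), root first; path_len None means
# the path length constraint is not set (no limit). Labels are constructed for the example.

def path_length_constraints(n):
    """Constraint for each CA layer, top to bottom, of an n-layer CA system: n-2, n-3, ..., 0."""
    if n < 2:
        raise ValueError("a CA system needs at least one CA layer and the end entity layer")
    return [n - 2 - i for i in range(n - 1)]


def check_chain(chain):
    """Return the constraint violations in a chain; an empty list means the chain is valid."""
    violations = []
    issuers = chain[:-1]                      # every certificate except the end entity
    for i, (label, is_ca, path_len) in enumerate(issuers):
        if not is_ca:
            violations.append(f"{label}: not a CA certificate but issues {chain[i + 1][0]}")
            continue
        # Intermediate CA certificates that sit between this CA and the end entity certificate.
        below = sum(1 for _, ca, _ in issuers[i + 1:] if ca)
        if path_len is not None and below > path_len:
            violations.append(f"{label}: path length {path_len} but {below} subordinate CA(s) below it")
    return violations


# The page's four-layer example: root CA (2) > subordinate CA1 (1) > subordinate CA2 (0) > end entity.
FOUR_LAYER = [("ROOT_CA", True, 2), ("SUB_CA1", True, 1), ("SUB_CA2", True, 0), ("SERVER", False, None)]

# Both subordinate CAs cut from SUB_CA_PREDEFINED_* (path length 0): SUB_CA1 may not issue SUB_CA2.
TOO_DEEP = [("ROOT_CA", True, None), ("SUB_CA1", True, 0), ("SUB_CA2", True, 0), ("SERVER", False, None)]

if __name__ == "__main__":
    print(path_length_constraints(4))   # [2, 1, 0]
    print(check_chain(FOUR_LAYER))      # []
    print(check_chain(TOO_DEEP))        # one violation, for SUB_CA1
```

The second chain shows why the predefined subordinate CA profiles, with their path length of 0, cannot be used for both levels of a three-level CA hierarchy; a custom profile with a path length of 1 is needed for the upper subordinate CA.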
Related Tasks
- Viewing a certificate profile
On the Certificate Profile page, click the name of a certificate profile. Then you can view the detailed information about this certificate profile.
- Modifying a certificate profile
On the Certificate Profile page, click Modify in the Operation column of a certificate profile. Then you can modify the configuration of this certificate profile.
- The certificate profile name cannot be changed when you modify the certificate profile configuration.
- The predefined certificate profile cannot be modified.
- If the certificate level of a profile is Subordinate CA or End-entity and the profile has been associated with a CA, the certificate level of the profile cannot be changed to Root CA.
- Copying a certificate profile
On the Certificate Profile page, click Copy in the Operation column of a certificate profile. Then you can copy this certificate profile and rename it.
- Deleting a certificate profile
On the Certificate Profile page, click Delete in the Operation column of a certificate profile.
The predefined certificate profile cannot be deleted.
- Searching for a certificate profile
On the Certificate Profile page, enter a certificate profile name in the search box and click . The Certificate Authority Service supports fuzzy search by certificate profile name.