Attribute certificates are signed objects that assert additional properties with respect to some identity certificate (also called the base certificate). An attribute certificate has no associated key pair and consequently cannot be used to establish identity.
Attribute certificates can be thought of as extensions to identity certificates, even though an attribute certificate may be signed by a different CA than the base certificate. When the associated attributes are mainly used for authorization, an attribute certificate is called an authorization certificate.
An attribute certificate (AC) can be issued either together with the linked public key certificate (PKC) or after the PKC has been issued. The first alternative requires that the token procedure being used specifies that both a PKC and an AC are issued simultaneously. This is described in Issue smart card certificate in Certificate Manager and Issue software token in Certificate Manager, respectively.
This article describes how to issue an AC, linked to an existing PKC, in Smart ID Certificate Manager (CM). This task is done in the Registration Authority (RA) in Certificate Manager.
This task requires that:
- The Registration Authority is running.
- The issuing procedure to be used is known.
- The officer has the following roles:
  - Issue attribute certificate
- A smart card reader is available.
- In the RA user interface in Certificate Manager, select the Attribute Certificate tab.
Click Search to open the Select Certificate window to select the base certificate to which the new attribute certificate will be linked.
Check Serial Number and Subject as required. Enter the search criteria in the relevant fields and click Search.
The search results are displayed in the right-hand pane of the Select Certificate window.
Details of a highlighted certificate can be displayed in the lower Details section of the right-hand pane.
The Certificate ID is a decimal string that uniquely represents a certificate in a CM installation.
The Certificate Serial Number must be entered as a hexadecimal string and is shown as a hexadecimal string.
Select the appropriate base certificate and click OK.
Click the button next to File for Media and specify the path and file name where the certificate is to be stored. You need write access to the location where the attribute certificate is to be stored.
Select the procedure to be used when issuing the attribute certificate.
Only token procedures with storage profile Attribute Certificate are listed in the procedure list.
If necessary, click Fields Chooser and select the attributes to be stored in the AC. For more information, see Select fields in Registration Authority in Certificate Manager.
Enter data in the input fields. While the PIN field is disabled, the reason is displayed in the status bar at the bottom of the window.
More information on how to enter Qualified Certificates (QC) statements is available in Qualified certificates in Certificate Manager.
- Enter your PIN code in Signature PIN.
- Click Submit to send the request to the CM host.
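The Select Certificate search described above takes the Certificate Serial Number as a hexadecimal string, while tools that display the base certificate print the serial in different forms (an integer, colon-separated octets, a `serial=` line). The helper below is an added example, not part of Certificate Manager or its documentation; the name `serial_to_hex` and the output form (uppercase, even number of digits, no separators) are assumptions, so confirm the form your CM installation accepts.

```python
import re

def serial_to_hex(value, base=None):
    """Return a certificate serial number as uppercase hex digits.

    value: int (as certificate-parsing libraries return it) or a string
           as printed by a tool.
    base:  10 or 16 for strings. Required when the string is digits only,
           because "1234" denotes a different serial in each base.
    """
    if isinstance(value, int):
        n = value
    else:
        s = value.strip()
        if s.lower().startswith("serial="):    # `openssl x509 -noout -serial`
            s, base = s[len("serial="):], 16
        if s.lower().startswith("0x"):
            s, base = s[2:], 16
        if re.search(r"[:\s]", s):             # octets separated by ':' or spaces
            s, base = re.sub(r"[:\s]", "", s), 16
        if base is None:
            if re.fullmatch(r"[0-9]+", s):
                raise ValueError("digits only: pass base=10 or base=16")
            base = 16
        if base not in (10, 16):
            raise ValueError("base must be 10 or 16")
        pattern = r"[0-9A-Fa-f]+" if base == 16 else r"[0-9]+"
        if not re.fullmatch(pattern, s):
            raise ValueError(f"not a base-{base} serial: {value!r}")
        n = int(s, base)
    if n < 0:
        raise ValueError("serial numbers are non-negative")
    digits = format(n, "X")
    # Assumed output form: whole octets, so pad to an even number of digits.
    return digits if len(digits) % 2 == 0 else "0" + digits
```

A leading `00` octet, which some viewers show when the high bit of the serial is set, is only a DER sign byte and is dropped, so `00:a1:b2` and `A1B2` resolve to the same search value.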