Page tree
Skip to end of metadata
Go to start of metadata

This article provides an overview of the officers, roles, and officer profiles in Nexus Certificate Manager (CM). 

Certificate Manager users are known as officers. CM enables configuration of officer roles on a fine-grained level for restricting officers to perform specific tasks only, for example as prescribed by the CA operational policies.

To simplify the administration of officers, officer profiles are configured to predefine a number of permitted roles and other constraints. A unique officer is then created by associating an officer profile either to a certificate issued by CM, to a system unique subject, or to a token serial number.

The following general officer types are available, to separate administrative from operational duties and for establishing a secure connection from client to server:

  • Administration officers
  • Registration officers

The available roles for each officer type are listed below.

Administration Officers are responsible for administrating security policies, setting up CA Policies, auditing, and so on, whereas Registration Officers are responsible for registering users, issuing certificates, and so on.

Administration officer roles

Administration officers are responsible for administering the security policies of CM, for example setting up CA Policies and auditing. The following administration roles are available in the Administrator's Workbench (AWB) client:

  • Use AWB
  • CA and Key tasks
  • Policy tasks
  • Officer tasks
  • Domain tasks
  • Profile tasks
  • Audit tasks
  • Configuration tasks

Registration officer roles

Registration officers are responsible for tasks such as registering users and issuing, activating, and revoking certificates. Registration officers work in the CM client software Registration Authority (RA), Certificate Controller (CC), Order Explorer (OE), Batch Explorer (BE), and Secure Printer (SP).

The following roles are available: 

  • Use clients
  • Issue certificate
  • Revoke certificate
  • Revoke certificate with password
  • Issue attribute certificate
  • Revoke attribute certificate
  • Revoke attribute certificate with password
  • Publish certificate
  • Republish failed distribution
  • Create batch
  • Claim batch
  • Manage PIN letters
  • Manage revocation password
  • Manage OCSP Activation
  • Recover key
  • Export search results

Additional constraints

In addition to the roles, there are several other constraints that can be used to limit officer permissions, for example that an officer is only allowed to handle specific CAs, CA policies, and certificate content, for example only certificates for a certain organization.