Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Reverted from v. 5

This article describes how to set up or edit a certificate template in Smart ID Identity Manager. It also describes how to determine the issuing certification authority (CA).




Before setting up the template, make sure that the following things apply:

Step-by-step instruction

titleLog in to Identity Manager Admin
  1. Log in to Identity Manager Admin as an admin user.

titleAdd certificate template
  1. In Identity Manager Admin, go to Home > Certificates.

  2. To add a certificate template:

    1. Click +New. Enter a Name and a Description.

    2. Select a Data Pool.

    3. Click Save+Edit.
      The Certificate panel is shown.

  3. To edit an existing certificate template, double-click on its name.

titleAdd state graph
  1. Select a State Graph from the selection box.
    New tabs are displayed, one for each state in the connected state graph.

titleSelect New-process

Select which process that leads to a new instance of the template. This process is started when you select a user selects the template in Identity Manager and click clicks NEW:

  1. In Process, select a process in the selection box.

titleSet quick search fields

Select the data pool fields that are to be used in the quick search in the Home tab of Identity Manager:

  1. Click Field Selection.
  2. Check the fields to be used in quick search.
  3. If you want to change the view order, select a field, and move it up or down with the arrow buttons.
  4. Click OK.

titleAdd permissions

To specify which users and roles shall have read access to the template:

  1. Go to the Permissions tab.
  2. Click on the users in the Read area.
  3. To add permissions for a specific user, click the Add user icon and select the user in the drop-down list.
  4. To add permissions for a role, click the Add role icon and select the role in the drop-down list.

titleFor each state: set form and processes

For each state of the object, select a form for how to display the object in this state. Also select processes to be started for commands like Save and Delete:

  1. Go to the tab for the specific state, for example Active.
  2. In Form, select the form to display the object contents of this type in the given state.
  3. If you want to specify processes that shall be started for Default Commands, such as Save and Delete, select those processes in the drop-down lists.

    In Identity Manager, the default commands are displayed as symbols above the panel. These commands can have different effects depending on the current state.

  4. If you want to offer another command in Identity Manager for the given state, click + in Additional Commands. Select the Process to be displayed. Optionally, to copy data from a data pool to the start form of the process, choose a Mapping.

    For example, for the Employee object in state active, Create Employee Card can be an additional command. By using a mapping between Employee and Employee Card, personal data such as first name and last name can be copied from the Employee object to the starting form of Create Employee Card.

    In Identity Manager, the added commands will be shown in the What do you want to do? panel on the right.

  5. Click Save.

titleSelect certificate authority (CA)
  1. In the Certification Authority selection box, select the CA that shall issue this type of certificate. The available CAs are connected to the server via CA connectors and displayed here.
  2. In the Certificate Type selection box, select one of the templates supported by the CA.
    This template determines the cryptographic properties (signature algorithm) and intended purpose of the configured certificate type. The templates are determined by the Identity Manager CA connector.

titleDefine certificate attributes

The content of the certificates (or the certificate requests to the CA) is defined under Certificate Attributes.

The certificate contents can be taken individually from the certificate datapool (or any other datapool listed on the left) or filled with a fixed value. Conversely, the fields of the certificate are listed on the right under 'Certificate Attribute'. You can now assign data fields to the certificate attributes as a 'Value' by drag-and-drop. You can also write a fixed, static value of a certificate attribute to the 'Value' field. 

  1. Select fields and assign values to them with drag-and-drop or enter a fixed value.
  2. With the drop-down menu under Manage SAN-attributes you can add additional attributes, like Email or IP Address, you can add them also multiple times.
  3. The SID extension (OID - can be added to the authentication certificate templates, if necessary .
    For more information, (see Microsoft KB-5014754for details).

    <util:list id="customExtensionAttributeOids">     <value></value> <!--

    The SID extension can only be used in PKCS#10 requests. Identity Manager cannot issue softtokens containing this extension.


    You must add a bean override to custom-beans.xml to enable proper support for the SID extension when used with Smart ID Certificate Manager:

    Code Block
    titleEnable proper support for Smart ID Certificate Manager


    is the OID of the SID




    .. </util:list>

    To add the "SID" attribute to the attribute list of an existing certificate template:

    1. Export the complete configuration file and go to the <extracted_configuration_folder>/coretemplates\certificatetemplate

    2. Edit the certificate template where you would like to add the "SID" attribute and add it as shown below. This "SID" attribute is only applicable for p10 request. See this example:

      Code Block
      titleExample: Certificate template
      <certificateTemplateDetails caCertTemplateName="my_ca_template_name" caName="my_ca_name" coreTemplateName="my_core_template_name">
          <attribute type="empty" subtype="SID"/>

    3. Import the modified CA template along with complete configuration file or with delta changes.


      Identity Manager supports the SID extension with Microsoft ADCS and Smart ID Certificate Manager only.

titleSave the identity template
  1. Click Save.
    If any mandatory settings are missing, an error message will be shown. Otherwise, there will be a message saying Successful saving.