Skip to main content
Skip table of contents

Constraints and roles for officers in Certificate Manager

This article describes the constraints that can be set for an officer in Smart ID Certificate Manager (CM). An officer is assigned roles, which allow them to perform various tasks, and constraints can also be set.

The following can be set for the officer:

  • Issuer constraints

  • Name constraints

  • Officer role(s)

Issuer constraints

An officer can have constraints so that the officer may only issue and revoke end user certificates with a certain subject name space. This means, for example, that an officer can be restricted to issuing certificates only for a specific issuer (that is, for a specific Certificate Authority, CA).

The issuing constraints for an officer may consist of one or more rules and each rule, in turn, consists of one or more attribute values. To grant the officer issuing rights, (that is, access to a token procedure), at least one of the rules must be fulfilled. For a rule to be fulfilled, all attribute values of that rule must match the corresponding attributes of the issuer subject name.

Example of issuer constraints

Rule 1: C=DE O=Org1 OU=QC Root CA
Rule 2: C=DE O=Org2 L<>Location A L<>Location B
Rule 3: C=SE O=Nexus

Rules and permissions:

  • Rule number 1 gives permission to use all issuers that have a subject name containing C=DEO=Org1 and OU=QC Root CA.

  • Rule number 2 gives permission to use all issuers that have a subject name containing C=DE and O=Org2 and does not have L=Location A nor L=Location B.

  • Rule number 3 gives permission to use all issuers that have a subject name that contains C=SE and O=Nexus.

Examples of issuers:

  • An issuer with subject OU=CA4O=Org2, and C=DE will work due to rule number 2.

  • An issuer with subject OU=QC Root CAO=Org1, and C=SE will not work because none of the rules gives permission

You can add, delete, and modify rules for each officer profile in the Administrator's workbench (AWB) (AWB) and you can add, delete, and modify attribute values for each rule. For more information, see Officer profile tasks in Certificate Manager.

Name constraints

Name constraints can be set for an officer. All end-user certificates will automatically contain the organization, organization unit and directory management domain specified in the officer profile name constraints.


The role performed by an officer can be limited to specific functions, such as issuing, publishing or revoking certificates, working with batches, managing PIN letters, or recovering keys from the key archiving function. The role privileges given to any particular officer are determined by the officer profile that is assigned to the officer in the Create officer profile in Certificate Manager request dialog.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.