Create attribute certificate procedure in Certificate Manager

This article includes updates for CM 8.10.

This article describes how to create an attribute certificate procedure in Smart ID Certificate Manager (CM). An attribute certificate procedure defines the parameters to be used when issuing an attribute certificate within the Certificate Authority (CA). This task is done in the Administrator's workbench (AWB) in Certificate Manager.

Prerequisites

The following prerequisites apply:

  • Two administration officers must sign the request.

  • Both officers must have the following roles:

    • Use AWB

    • Policy tasks

  • A connection to the CM host must have been established (see Connect to a Certificate Manager host).

  • The following information is required by the administration officer during the task:

    • The procedure name that will appear in the explorer bar

    • The key usage of the base certificate

    • The name of the issuing CA and, if applicable, its CA chain

    • The AC format, that is, the format to be used for the attribute certificate

    • The distribution rules to be used

    • The certificate validity period and the signature algorithm required

    • If the optional extensions certificate policy or authority information access will be used, all the necessary object identifier (OID), qualifier and access location information must be available

It is recommended that any formats that are not yet available be generated before performing this task.

Create attribute certificate procedure

Clicking Save at any time during the creation of the attribute certificate procedure, before clicking OK, will save the data and place the incomplete procedure request in the Attribute Certificate procedures sub-group.

To complete the creation of the attribute certificate procedure at a later stage:

  • Highlight the procedure in the explorer bar.

  • Select Modify from the Edit menu, the toolbar, or the right-click shortcut menu.

To create an attribute certificate procedure:

  1. In AWB, select New > Attribute Certificate procedure.

  2. In the Create Attribute Certificate Procedure Request dialog, enter the Procedure name that should appear in the Attribute Certificate procedures sub-group in the explorer bar. This field is mandatory.

  3. Set the procedure State to Active or Closed as required.

  4. Select the Base certificate key usage by checking the appropriate check boxes. The base certificate is the public key certificate to which this attribute certificate is linked.

  5. Click the Issuing CA browse button to open the Select Authority window.

  6. Click on the required CA to highlight it and click OK. The selected CA appears in the Issuing CA field. This field is mandatory.

  7. Click on the AC format browse button to open the Select certificate format window. This field is mandatory.

Note: Depending on the parameter settings in the AC format file, if the attribute certificate procedure's validity date extends beyond the CA certificate's expiration date, the corresponding token procedure will not be visible in the RA client and the RA client can truncate the expiration date of the end-user certificate to that of the CA certificate. For more information regarding certificate formats, refer to the "Certificate Format" chapter in the Technical Description.

  8. Click on the required format to highlight it and click OK. The selected attribute certificate format appears in the AC format field.

  9. Once a format has been selected, you can customize the set of format definition fields and modules.

    1. At Format, click Advanced.

      1. A pop-up window will appear containing all fields and modules from the selected format file.

        • The modules are shown in the top section with their indexes in the right column (the indexes determine the execution order of the modules).

        • The format definition fields are shown in the bottom section with the values of the parameters in the right column. You can edit the values for the definition fields parameters and store them for this particular procedure.

          Here is an example with the certificate format rfc5280.

    2. To add new format definition fields or modules, click Add Parameter or Add Module. For added fields and modules (that are not present in the format file), you can edit values in the left column and also remove the row with Remove Parameter or Remove Module.

    The new values will take precedence over the values in the format file, but the format file will not be affected by these changes.

  10. In Distribution rules, click + to add a distribution rule. Add all relevant distribution rules.

  11. In Distribution rules, edit the processing order if needed. To change the order, select a rule and use the arrow buttons to move it.
    The distribution rules will be processed in the order selected and then stored to CMDB.

  12. In Certificate validity, select in turn the years, months, days, hours, and minutes, and adjust the numbers with the arrows. The date and time units may also be entered manually.

  13. Select the required Signature algorithm from the drop-down list.

Note: The Signature algorithm drop-down list contains only those algorithms that match the key algorithm of the key for the selected issuing CA.

  14. If any of the optional extensions certificate Policy or Authority information access are required, see Create certificate procedure in Certificate Manager.

  15. If QC Statements are required, see Create certificate procedure in Certificate Manager.

  16. If the certificates issued with this attribute certificate procedure should be covered by a special CRL distribution point, select the CRL procedure in the CRL Procedure field. Also check Explicit distribution points if issued attribute certificates should only add the distribution points from the selected CRL procedure. For more information, see Create CRL procedure in Certificate Manager, section “Partition CRL on distribution point”.

  17. Click OK and sign the request. See Sign tasks in Certificate Manager for more information.
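The note about the CA certificate's expiration date can be checked before the request is signed. The following is an added example, not Certificate Manager code: it takes the years/months/days/hours/minutes entered in Certificate validity and reports whether an attribute certificate issued at a given time would outlive the issuing CA certificate. The function names, the calendar-aware month arithmetic and the sample dates are assumptions made for illustration; CM's own date calculation is not described on this page.

```python
import calendar
from datetime import datetime, timedelta, timezone

def add_validity(start, years=0, months=0, days=0, hours=0, minutes=0):
    """Add a validity period to start. Assumption: calendar-aware months,
    with the day clamped to the month's length (31 Jan + 1 month -> 28/29 Feb)."""
    total = start.month - 1 + months + 12 * years
    year, month = start.year + total // 12, total % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    shifted = start.replace(year=year, month=month, day=day)
    return shifted + timedelta(days=days, hours=hours, minutes=minutes)

def check_validity(issue_time, ca_not_after, **validity):
    """Return (requested_end, effective_end, exceeds_ca) for one issuance time."""
    requested = add_validity(issue_time, **validity)
    exceeds = requested > ca_not_after
    # Models the truncation case from the note: the end date is capped
    # at the CA certificate's expiration date.
    return requested, min(requested, ca_not_after), exceeds

def review_plan(issue_times, ca_not_after, **validity):
    """Return the issuance times whose requested end outlives the CA certificate."""
    return [t for t in issue_times
            if check_validity(t, ca_not_after, **validity)[2]]

if __name__ == "__main__":
    # Constructed sample values, not taken from any real CA.
    ca_not_after = datetime(2030, 6, 30, 12, 0, tzinfo=timezone.utc)
    planned = [datetime(2025, 1, 31, 9, 0, tzinfo=timezone.utc),
               datetime(2026, 1, 31, 9, 0, tzinfo=timezone.utc)]
    for t in planned:
        req, eff, over = check_validity(t, ca_not_after, years=5, months=1)
        print(f"issued {t:%Y-%m-%d}: requested end {req:%Y-%m-%d %H:%M}, "
              f"effective end {eff:%Y-%m-%d %H:%M}, exceeds CA: {over}")
```

An issuance time returned by `review_plan` means the procedure's validity should be shortened, or the CA certificate renewed, before that date.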

Additional information
