Create CIL procedure in Certificate Manager
This article includes updates for CM 8.6.1.
This article describes how to create a Certificate Issuance List (CIL) procedure that defines the parameters to be used when issuing a CIL within Smart ID Certificate Manager (CM). This task is done in the Administrator's workbench (AWB).
There can be only one active CIL for a certain Certificate Authority (CA). An error will occur when trying to create and sign more than one CIL procedure for the same CA.
Prerequisites
The following prerequisites apply:
Two administration officers must sign the request.
Both officers must have the following roles:
Use AWB
Policy tasks
A connection to the CM host must have been established (see Connect to a Certificate Manager host).
The following information is required by the administration officer during the task:
The procedure name that will appear in the explorer bar
The name of the CIL issuer
The CIL format to be used
The distribution rules to be used
Step-by-step instruction
Create CIL procedure
Clicking Save at any time during the creation of the CIL procedure, before clicking OK, will save the data and place the incomplete procedure definition in the CIL procedures sub-group.
To complete the creation of the CIL procedures at a later stage:
Highlight the procedure in the explorer bar
Select Modify from the Edit menu, the toolbar, or the right-click shortcut menu.
To create a CIL procedure:
In AWB, select New > CIL procedure.
In the Create CIL Procedure Request dialog, enter the Procedure name that should appear in the CIL procedures sub-group in the explorer bar. This field is mandatory.
Set the procedure State to Active or Closed as required.
Select Domain and check Visible in subdomain, if applicable.
Click the CIL issuer browse button and select the required CA. This field is mandatory.
Click the CIL format browse button and select the required format. This field is mandatory.
Once a format has been selected, you can customize the set of format definition fields and modules.
At Format, click Advanced.
A pop-up window will appear containing all fields and modules from the selected format file.
The modules are shown in the top section with their indexes in the right column (the indexes determine the execution order of the modules).
The format definition fields are shown in the bottom section with the values of the parameters in the right column. You can edit the values for the definition fields parameters and store them for this particular procedure.
Here is an example with the certificate format rfc5280.
To add new format definition fields or modules click Add Parameter or Add Module. For added fields and modules (that are not present in the format file) you can edit values in the left column and also remove the row with Remove Parameter or Remove Module.
The new values will take precedence over the values in the format file, but the format file will not be affected by these changes.
In Distribution rules, click + to add a distribution rule. Add all relevant distribution rules. This field is mandatory.
Set the Immediate issue parameter using the Yes and No options. If Yes is selected, any certificate issuance will cause an extra CIL to be issued.
Modify the Update interval, which means the time between successive CIL issues.
Select in turn the years, months, days, hours and minutes and adjust the amounts using the up and down arrows. The date and time units may also be entered manually.Modify the Margin. The margin is added to the update interval to ensure that a CIL is always available (for example, during download of the current CIL).
Select in turn the years, months, days, hours and minutes and adjust the amounts using the up and down arrows. The date and time units may also be entered manually.If the CIL should be built at a specific time, add a minutes and hours specification in the Build at (hh:mm) field. Otherwise the CIL will be built at the time of day when the CIL procedure is created. To use a "Build at"-specification, the update interval must be a whole multiple of days, that is, the hours and minutes of the update interval must be set to zero.
In order to limit the file size, CIL supports segmentation. This means that a CIL can be split into several files. Enter the number of certificates included in one CIL file (size of a CIL segment) in the Certificates / file field. For more information about certificate issuance list and CIL segments, see "Appendix A. Certificate Issuance List (CIL)" in the Technical Description.
If no limit is specified for the certificates in a file, all certificates issued will be added to the same segment and the file size will grow indefinitely.
Option: Configure delta CIL
If delta CILs are to be issued, select Yes next to Issue Delta. No is the default.
Enter the following delta parameters:
Reference CIL - the value entered here represents the number of CILs you are required to backtrack to locate the reference CIL (for example, 1 represents the immediate previous CIL).
Frequency - the number of delta CILs that are issued between CIL issues.
Margin - the margin is added to the period between delta CIL issues to ensure a valid deltaCIL is always available.
Set the delta Immediate issue parameter using the Yes and No options. If Yes is selected, any certificate issuance will cause an extra delta CIL to be issued.
In Distribution rules, click + to add a distribution rule. Add all relevant distribution rules.
Click OK and sign the request. See Sign tasks in Certificate Manager for more information.
Note about activated certificates
It may be required to not mark a certificate as issued because it has not yet been published. The activated certificates CIL contains only certificates that have been published and activated. This list will therefore only contain a sub-list of all issued certificates and will further on allow a setup where issued but non activated certificates can be marked as ‘revoked’ when using CILs in conjunction with CRLs to support RFC 6960.