Create SA in Certificate Manager
This article is added for CM 8.10.
This article describes how to create a new Signing Authority (SA) in Smart ID Certificate Manager (CM). This task is done in the Administrator's workbench (AWB).
Prerequisites
The SA tasks require a specific license option.
The following task requires MSO signatures to be completed. Both officers must have the following roles:
Use AWB
Signing Authority and SA Key tasks
A connection to the CM host must have been established. See Connect to a Certificate Manager host.
The following information is required by the CMO during the task:
The SA name that will appear in the Authority Hierarchy in the explorer bar
The name of the issuing CA
SA key to be used for the certificate, see SA key tasks in Certificate Manager
The signature algorithm
The distribution rules applicable
The applicable certificate format
Step-by-step instruction
Request SA
Clicking Save at any time during the creation of the Authority, before clicking OK, will save the data and place the incomplete Authority request in the Authority Hierarchy.
To complete the creation of the Authority at a later stage:
Highlight the unsigned Authority in the explorer bar.
Select Modify from the Edit menu, the toolbar, or the right-click shortcut menu.
To create a SA request:
In AWB, select New > Authority.
In the Create Authority Request dialog, enter the SA name that should appear in the Authority Hierarchy in the explorer bar. This field is mandatory.
Set the SA State to Active or Closed as required.
Select Domain and check Visible in subdomain if applicable.
Select the Authority type SA.
Modify Valid from and Expiration date by selecting the days, hours, and minutes, and adjust the values with the up and down arrows. The date and time units may also be entered manually.
The expiration date will be truncated to the expiration date of the issuing CA.
The SA is subordinate to a CA. This field is mandatory. Click the browse button to open the Select Authority window.
Click on the required CA to highlight it and click OK. The selected CA appears in the Issuing CA field.
In Key, click the browse button, select the required key and click OK.
The selected key appears in the Key field. This field is mandatory.If an RSA key was selected, select a Key algorithm.
The key algorithm is used to restrict an RSA key to be used only for RSASSA-PSS signatures or only with the selected RSASSA-PSS parameters. The drop-down list contains only those algorithms that matches the specified algorithmOID for the CIS device that holds the selected key, see the device configuration in cis.conf. The selected algorithm will be set in the subjectPublicKeyInfo field in the issued SA certificate.
Select a Signature algorithm. The drop-down list contains only those algorithms that matches the key algorithm for the key for the selected issuing SA.
If immediate publishing is wanted, do the following steps in Distribution rules, for each relevant distribution rule:
Click on + to open the Select Distribution Rules window.
Select the required distribution rule for the CA certificate from the list in the window and click OK.
When all the relevant distribution rules have been entered, edit the processing order of distribution rules if needed. To change the order, select a procedure and use the arrow buttons to move it up or down. The distribution rules will be processed in the order selected and then stored in CMDB.
In Format, click the browse button, select the required format and click OK.
The selected certificate format appears in the Format field. This field is mandatory.Once a format has been selected, you can customize the set of format definition fields and modules.
At Format, click Advanced.
A pop-up window will appear containing all fields and modules from the selected format file.
The modules are shown in the top section with their indexes in the right column (the indexes determine the execution order of the modules).
The format definition fields are shown in the bottom section with the values of the parameters in the right column. You can edit the values for the definition fields parameters and store them for this particular procedure.
Here is an example with the certificate format rfc5280.
To add new format definition fields or modules click Add Parameter or Add Module. For added fields and modules (that are not present in the format file) you can edit values in the left column and also remove the row with Remove Parameter or Remove Module.
The new values will take precedence over the values in the format file, but the format file will not be affected by these changes.
Continue to set the certificate attributes.
Set certificate attributes
To set certificate attributes:
Select the required Country attribute.
Enter the Organization and Organizational Unit names.
In Common Name, enter a new SA name. The SA name will appear in the SA certificate.
For customizing the attribute display, see step 4. Also, if Subject Information Access attribute is chosen, see step 5.
If you want to change what certificate attributes to be displayed, do the following:
Click Browse, to the right of the certificate attributes.
Select which attributes to present and click OK.
The attributes will be shown in the same order as they are listed in this dialog box.The Auto add data fields option is used to present all available fields of an existing certificate. It is not applicable in the Create SA Request dialog.
If Subject Information Access is displayed, do the following:
For information concerning the subject information access extension, refer to RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and CRL Profile.
Click the + button associated with the Subject Information Access field to open the fields below.
Enter the Access method OID to be used.
Select either the URI or E-mail option button in the Access Location section and enter the required information.
Click Finish.
Click OK to close the dialog.
In Create Authority Request, click OK. The Signature dialog box appears. See Sign tasks in Certificate Manager for more information.