The content of the certificates (or the certificate requests to the CA) is defined under Certificate Attributes.
The certificate contents can be taken individually from the certificate datapool (or any other datapool listed on the left) or filled with a fixed value. The fields of the certificate are listed on the right under 'Certificate Attribute'. You can assign data fields to the certificate attributes as a 'Value' by drag-and-drop, or enter a fixed, static value directly in the 'Value' field of a certificate attribute.
- Select fields and assign values to them with drag-and-drop or enter a fixed value.
- With the drop-down menu under Manage SAN-attributes you can add additional attributes, like Email or IP Address; the same attribute type can also be added multiple times.
For Kerberos 5 Principal Name SAN attributes a specific JSON format is used, as shown in the examples below:

```json
{"realm":"DEV","nameType":1,"nameComponents":["alice"]}
```
Each object consists of the realm name, the numeric name type (as defined in RFC 4120, section 7.5.8) and at least one name component.
Depending on the name type, there may be more than one name component, for example:

```json
{"realm":"DATACENTER","nameType":4,"nameComponents":["myservice","myhost"]}
```
You may include JUEL expressions, which resolve to process-map variables. The following example defines a KRB_NT_SMTP_NAME (numeric name type: 7), based on the e-mail address of a person and another datapool field containing the realm name.
```json
{"realm":"${Person_Krb5realm}","nameType":7,"nameComponents":["${Person_Email}"]}
```
Support for the Kerberos 5 Principal Name SAN attribute requires Smart ID Certificate Manager 8.7.1 or newer.
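The following is an added example, not code from the product or this documentation. It validates a Kerberos 5 Principal Name SAN value in the JSON shape shown above (realm, numeric nameType, at least one nameComponent) and then DER-encodes it as the KRB5PrincipalName structure that the PKINIT SAN otherName carries (RFC 4556 section 3.2.2, id-pkinit-san 1.3.6.1.5.2.2). The name-type table and the DER layout come from RFC 4120 and RFC 4556; the assumption that the validator sees the value after JUEL resolution (so a leftover `${...}` is an error) and all function names are mine. It is useful for checking what a template will actually produce before issuing certificates, for instance when reviewing whether a nameType is in the RFC's list.

```python
import json
import re

# Kerberos name types from RFC 4120 section 6.2 (the values section 7.5.8 refers to).
KRB_NAME_TYPES = {
    0: "KRB_NT_UNKNOWN",
    1: "KRB_NT_PRINCIPAL",
    2: "KRB_NT_SRV_INST",
    3: "KRB_NT_SRV_HST",
    4: "KRB_NT_SRV_XHST",
    5: "KRB_NT_UID",
    6: "KRB_NT_X500_PRINCIPAL",
    7: "KRB_NT_SMTP_NAME",
    10: "KRB_NT_ENTERPRISE",
}

# Assumption: this check runs on the *resolved* value, so a leftover JUEL
# placeholder means a process-map variable was never filled in.
UNRESOLVED_JUEL = re.compile(r"\$\{[^}]*\}")


def parse_krb5_san(text):
    """Parse and validate one Kerberos 5 Principal Name SAN value (JSON shape from the page)."""
    obj = json.loads(text)
    if not isinstance(obj, dict) or set(obj) != {"realm", "nameType", "nameComponents"}:
        raise ValueError("expected exactly the keys realm, nameType, nameComponents")
    realm, name_type, comps = obj["realm"], obj["nameType"], obj["nameComponents"]
    if not isinstance(realm, str) or not realm:
        raise ValueError("realm must be a non-empty string")
    if isinstance(name_type, bool) or not isinstance(name_type, int) or name_type not in KRB_NAME_TYPES:
        raise ValueError(f"unknown nameType {name_type!r}")
    if not isinstance(comps, list) or not comps or not all(isinstance(c, str) and c for c in comps):
        raise ValueError("nameComponents must be a non-empty list of non-empty strings")
    for s in [realm, *comps]:
        if UNRESOLVED_JUEL.search(s):
            raise ValueError(f"unresolved JUEL expression in {s!r}")
        s.encode("ascii")  # KerberosString is a GeneralString; reject non-ASCII early
    return {"realm": realm, "nameType": name_type, "nameComponents": comps}


# Minimal DER helpers (only what KRB5PrincipalName needs).
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(n):
    # Minimal two's-complement INTEGER, sufficient for an Int32 name type.
    length = max(1, (n.bit_length() + 8) // 8)
    return _tlv(0x02, n.to_bytes(length, "big", signed=True))


def _kerberos_string(s):
    return _tlv(0x1B, s.encode("ascii"))  # GeneralString


def krb5_principal_name_der(parsed):
    """DER-encode KRB5PrincipalName (RFC 4556 3.2.2); Kerberos modules use EXPLICIT tags.

    KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
    PrincipalName    ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
    """
    name_string = _tlv(0x30, b"".join(_kerberos_string(c) for c in parsed["nameComponents"]))
    principal_name = _tlv(0x30, _tlv(0xA0, _der_int(parsed["nameType"])) + _tlv(0xA1, name_string))
    return _tlv(0x30, _tlv(0xA0, _kerberos_string(parsed["realm"])) + _tlv(0xA1, principal_name))


def principal_string(parsed):
    """Human-readable form, e.g. alice@DEV or myservice/myhost@DATACENTER."""
    return "/".join(parsed["nameComponents"]) + "@" + parsed["realm"]


if __name__ == "__main__":
    for sample in (
        '{"realm":"DEV","nameType":1,"nameComponents":["alice"]}',
        '{"realm":"DATACENTER","nameType":4,"nameComponents":["myservice","myhost"]}',
    ):
        p = parse_krb5_san(sample)
        print(principal_string(p), KRB_NAME_TYPES[p["nameType"]], krb5_principal_name_der(p).hex())
```

The encoder output is the otherName value only; the certificate's SAN extension wraps it in a GeneralName with type-id 1.3.6.1.5.2.2, which the CA adds when it builds the extension.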
The SID extension (OID 1.3.6.1.4.1.311.25.2) can be added to the authentication certificate templates if necessary (see Microsoft KB5014754 for details).
To add the "SID" attribute to the attribute list of an existing certificate template:
Export the complete configuration file and go to the <extracted_configuration_folder>/coretemplates\certificatetemplate
Edit the certificate template to which you want to add the "SID" attribute and add the element as shown in the following example:
Example: Certificate template

```xml
<certificateTemplateDetails caCertTemplateName="my_ca_template_name" caName="my_ca_name" coreTemplateName="my_core_template_name">
...
<attribute type="empty" subtype="SID"/>
</certificateTemplateDetails>
```
Import the modified CA template, either with the complete configuration file or as a delta change.
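As an added example (not part of the product or this documentation), the script below performs the template edit from the steps above idempotently: it adds `<attribute type="empty" subtype="SID"/>` to a `certificateTemplateDetails` element only when it is not already present, so running it over many exported template files does not create duplicates. The sample template XML is constructed here; only the element and attribute names follow the page's snippet, and the function names are mine.

```python
import xml.etree.ElementTree as ET

SID_SUBTYPE = "SID"

# Constructed sample template (not from a real installation); the element and
# attribute names mirror the certificateTemplateDetails snippet in the documentation.
SAMPLE_TEMPLATE = """<certificateTemplateDetails caCertTemplateName="my_ca_template_name" caName="my_ca_name" coreTemplateName="my_core_template_name">
  <attribute type="empty" subtype="CN"/>
  <attribute type="empty" subtype="UPN"/>
</certificateTemplateDetails>"""


def count_sid_attributes(template_xml):
    """How many SID attribute elements the template already carries."""
    root = ET.fromstring(template_xml)
    return len(root.findall(f"attribute[@subtype='{SID_SUBTYPE}']"))


def add_sid_attribute(template_xml):
    """Return (xml, changed). Appends the SID attribute exactly once."""
    root = ET.fromstring(template_xml)
    if root.tag != "certificateTemplateDetails":
        raise ValueError(f"not a certificate template: root element is <{root.tag}>")
    if root.find(f"attribute[@subtype='{SID_SUBTYPE}']") is not None:
        return template_xml, False  # already present: leave the file untouched
    ET.SubElement(root, "attribute", {"type": "empty", "subtype": SID_SUBTYPE})
    return ET.tostring(root, encoding="unicode"), True


if __name__ == "__main__":
    updated, changed = add_sid_attribute(SAMPLE_TEMPLATE)
    print("changed:", changed)
    print(updated)
```

Run it from the extracted configuration folder over each file under `coretemplates/certificatetemplate` that should carry the SID attribute, then import the result as described above.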
Info
Identity Manager supports the SID extension only with the following CAs:
- Microsoft ADCS (PKCS#10 requests only, soft-token not supported)
- Smart ID Certificate Manager (soft-tokens also supported)