Set up certificate template in Identity Manager
This article includes updates for Smart ID 23.10.7.
This article describes how to set up or edit a certificate template in Smart ID Identity Manager. It also describes how to determine the issuing certification authority (CA).
Prerequisites
Before setting up the template, make sure that the following things apply:
Available data pool to refer to
Available processes related to the identity
Available forms related to the identity
Step-by-step instruction
Log in to Identity Manager Admin
Log in to Identity Manager Admin as an admin user.
Add certificate template
In Identity Manager Admin, go to Home > Certificates.
To add a certificate template:
Click +New. Enter a Name and a Description.
Select a Data Pool.
Click Save+Edit.
The Certificate panel is shown.
To edit an existing certificate template, double-click on its name.
Add state graph
Select a State Graph from the selection box.
New tabs are displayed, one for each state in the connected state graph.
Select New-process
Select the process that leads to a new instance of the template. This process is started when a user selects the template in Identity Manager and clicks NEW:
In Process, select a process in the selection box.
Set quick search fields
Select the data pool fields that are to be used in the quick search in the Home tab of Identity Manager:
Click Field Selection.
Check the fields to be used in quick search.
If you want to change the view order, select a field, and move it up or down with the arrow buttons.
Click OK.
Add permissions
To specify which users and roles shall have read access to the template:
Go to the Permissions tab.
Click on the users in the Read area.
To add permissions for a specific user, click the Add user icon and select the user in the drop-down list.
To add permissions for a role, click the Add role icon and select the role in the drop-down list.
For each state: set form and processes
For each state of the object, select a form for how to display the object in this state. Also select processes to be started for commands like Save and Delete:
Go to the tab for the specific state, for example Active.
In Form, select the form to display the object contents of this type in the given state.
If you want to specify processes that shall be started for Default Commands, such as Save and Delete, select those processes in the drop-down lists.
In Identity Manager, the default commands are displayed as symbols above the panel. These commands can have different effects depending on the current state.
If you want to offer another command in Identity Manager for the given state, click + in Additional Commands. Select the Process to be displayed. Optionally, to copy data from a data pool to the start form of the process, choose a Mapping.
For example, for the Employee object in state active, Create Employee Card can be an additional command. By using a mapping between Employee and Employee Card, personal data such as first name and last name can be copied from the Employee object to the starting form of Create Employee Card.
In Identity Manager, the added commands will be shown in the What do you want to do? panel on the right.
Click Save.
Select certificate authority (CA)
In the Certification Authority selection box, select the CA that shall issue this type of certificate. The available CAs are connected to the server via CA connectors and displayed here.
In the Certificate Type selection box, select one of the templates supported by the CA.
This template determines the cryptographic properties (signature algorithm) and intended purpose of the configured certificate type. The templates are determined by the Identity Manager CA connector.
Define certificate attributes
The content of the certificates (or the certificate requests to the CA) is defined under Certificate Attributes.
The certificate contents can be taken individually from the certificate datapool (or any other datapool listed on the left) or filled with a fixed value. The fields of the certificate are listed on the right under 'Certificate Attribute'. You assign data fields to the certificate attributes as a 'Value' by drag-and-drop, or write a fixed, static value directly into the 'Value' field of a certificate attribute.
Select fields and assign values to them with drag-and-drop or enter a fixed value.
With the drop-down menu under Manage SAN-attributes you can add additional attributes, such as Email or IP Address. The same attribute can be added multiple times.
For Kerberos 5 Principal Name SAN attributes a specific JSON format is used, as shown in the examples below:
{"realm":"DEV","nameType":1,"nameComponents":["alice"]}
Each object consists of the realm name, the numeric name type (as defined in RFC 4120, section 7.5.8) and at least one name component.
Depending on the name type, there may be more than one name component, for example:
{"realm":"DATACENTER","nameType":4,"nameComponents":["myservice","myhost"]}
You may include JUEL expressions, which resolve to process-map variables. The following example defines a KRB_NT_SMTP_NAME (numeric name type: 7), based on the email address of a person and another datapool field containing the realm name.
{"realm":"${Person_Krb5realm}","nameType":7,"nameComponents":["${Person_Email}"]}
Support for the Kerberos 5 Principal Name SAN attribute requires Smart ID Certificate Manager 8.7.1 or newer.
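The JSON format above is easy to get subtly wrong (a name type that is not defined in RFC 4120, an empty component list, a process-map variable that is never set), and a malformed value is only discovered when the CA rejects the request. The following script is an added example, not Nexus code, that validates the three values shown in this article before they go into a template. It assumes the object has exactly the keys realm, nameType and nameComponents, and it stands in for the real JUEL evaluator with a flat dictionary that resolves simple ${name} references; the Person_Krb5realm and Person_Email values it uses are constructed sample data.

```python
"""Validate Kerberos 5 Principal Name SAN values in the JSON format shown in the
Identity Manager documentation, and resolve ${variable} expressions against a
process map.

Added example, not Nexus code. Assumptions: the object has exactly the keys
realm, nameType and nameComponents; expressions are simple ${name} references
resolved against a flat dict, a stand-in for the real JUEL evaluator."""
import json
import re
from typing import Optional

# Name types defined in RFC 4120, section 7.5.8.
KRB_NAME_TYPES = {
    0: "KRB_NT_UNKNOWN",
    1: "KRB_NT_PRINCIPAL",
    2: "KRB_NT_SRV_INST",
    3: "KRB_NT_SRV_HST",
    4: "KRB_NT_SRV_XHST",
    5: "KRB_NT_UID",
    6: "KRB_NT_X500_PRINCIPAL",
    7: "KRB_NT_SMTP_NAME",
    10: "KRB_NT_ENTERPRISE",
}

EXPRESSION = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def resolve_expressions(value: str, process_map: dict) -> str:
    """Replace every ${name} in a string with process_map[name]; unknown names are an error."""
    def lookup(match):
        name = match.group(1)
        if name not in process_map:
            raise KeyError(f"process-map variable not set: {name}")
        return str(process_map[name])
    return EXPRESSION.sub(lookup, value)


def parse_principal(text: str, process_map: Optional[dict] = None) -> dict:
    """Parse and validate one Kerberos 5 Principal Name SAN value.

    The JSON is parsed *before* expressions are substituted, so a variable value
    containing quotes or braces can only ever become string content and can never
    alter the structure of the object. With process_map=None the value is checked
    as written in the template, expressions left unresolved."""
    obj = json.loads(text)
    if not isinstance(obj, dict) or set(obj) != {"realm", "nameType", "nameComponents"}:
        raise ValueError("expected exactly the keys realm, nameType, nameComponents")
    realm, name_type, components = obj["realm"], obj["nameType"], obj["nameComponents"]
    if not isinstance(realm, str):
        raise ValueError("realm must be a string")
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(name_type, bool) or not isinstance(name_type, int) or name_type not in KRB_NAME_TYPES:
        raise ValueError(f"nameType {name_type!r} is not a name type from RFC 4120 section 7.5.8")
    if not isinstance(components, list) or not components or not all(isinstance(c, str) for c in components):
        raise ValueError("nameComponents must be a non-empty list of strings")
    if process_map is not None:
        realm = resolve_expressions(realm, process_map)
        components = [resolve_expressions(c, process_map) for c in components]
    if not realm or any(not c for c in components):
        raise ValueError("realm and every name component must be non-empty after resolution")
    return {"realm": realm, "nameType": name_type, "nameComponents": components}


def principal_string(principal: dict) -> str:
    """Render as the familiar component1/component2@REALM form for review or logging."""
    return "/".join(principal["nameComponents"]) + "@" + principal["realm"]


# The three values from the article, plus a constructed process map for the JUEL one.
EXAMPLES = [
    '{"realm":"DEV","nameType":1,"nameComponents":["alice"]}',
    '{"realm":"DATACENTER","nameType":4,"nameComponents":["myservice","myhost"]}',
    '{"realm":"${Person_Krb5realm}","nameType":7,"nameComponents":["${Person_Email}"]}',
]
SAMPLE_PROCESS_MAP = {"Person_Krb5realm": "EXAMPLE.COM", "Person_Email": "alice@example.com"}  # constructed

if __name__ == "__main__":
    for example in EXAMPLES:
        principal = parse_principal(example, SAMPLE_PROCESS_MAP)
        print(f"{KRB_NAME_TYPES[principal['nameType']]:22} {principal_string(principal)}")
```

Run it with no arguments to see the three article values rendered as principal strings. Parsing the JSON before substituting variables is the deliberate design choice: the template author controls the structure, and datapool values such as an e-mail address can only ever land inside a string.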
The SID extension (OID 1.3.6.1.4.1.311.25.2) can be added to authentication certificate templates if necessary (see Microsoft KB-5014754 for details).
To add the "SID" attribute to the attribute list of an existing certificate template:
Export the complete configuration file and go to <extracted_configuration_folder>/coretemplates\certificatetemplate.
Edit the certificate template to which you want to add the "SID" attribute, and add the attribute as shown in the following example.
Example: Certificate template
<certificateTemplateDetails caCertTemplateName="my_ca_template_name" caName="my_ca_name" coreTemplateName="my_core_template_name">
    ...
    <attribute type="empty" subtype="SID"/>
</certificateTemplateDetails>
Import the modified template, either with the complete configuration file or as delta changes.
Identity Manager supports the SID extension only with the following CAs:
Microsoft ADCS (PKCS#10 requests only, soft-token not supported)
Smart ID Certificate Manager (soft-tokens also supported)
SEIS (Secure Electronic Information in Society) Card Number (OID 1.2.752.34.2.1) can be added to the certificate template. The value appears in the requested certificate as an ASN.1 encoded value.
To add the "SEIS_CARD_NUMBER" attribute to the attribute list of an existing certificate template:
Export the complete configuration file and go to <extracted_configuration_folder>/coretemplates\certificatetemplate.
Edit the certificate template to which you want to add the "SEIS_CARD_NUMBER" attribute, and add the attribute as shown in the following example.
Example: Certificate template
<certificateTemplateDetails caCertTemplateName="my_ca_template_name" caName="my_ca_name" coreTemplateName="my_core_template_name">
    ...
    <attribute type="empty" subtype="SEIS_CARD_NUMBER"/>
</certificateTemplateDetails>
Import the modified template, either with the complete configuration file or as delta changes.
Identity Manager supports the SEIS_CARD_NUMBER extension with Nexus CA only.
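The SID and SEIS_CARD_NUMBER procedures above are the same hand edit of an exported template file. The script below is an added example, not Nexus code, that performs that edit for either attribute: it checks that the file really is a certificateTemplateDetails element, adds the <attribute type="empty" subtype="..."/> element only if it is not already present, and reports the CAs this article lists for the chosen subtype. It assumes the layout shown in the excerpts (a certificateTemplateDetails root with attribute child elements); the sample template it ships with is constructed from the article's own excerpt, with the "..." replaced by the SEIS_CARD_NUMBER attribute so that the idempotence check can be demonstrated.

```python
"""Add an 'empty' certificate attribute (SID or SEIS_CARD_NUMBER) to an exported
Identity Manager certificate template file.

Added example, not Nexus code. Assumptions: the file's root element is
certificateTemplateDetails with attribute child elements, as in the article's
excerpts. ElementTree re-serialises the whole file and drops XML comments and the
XML declaration, so review the diff before importing the result."""
import sys
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Extension attributes the article documents, with the CAs it states support them.
SUPPORTED_SUBTYPES = {
    "SID": ("Microsoft ADCS (PKCS#10 requests only, no soft-token)", "Smart ID Certificate Manager"),
    "SEIS_CARD_NUMBER": ("Nexus CA",),
}


def list_attribute_subtypes(template_xml: str) -> List[str]:
    """Return the subtype of every <attribute> element, in document order."""
    root = ET.fromstring(template_xml)
    return [attr.get("subtype") for attr in root.findall("attribute")]


def add_empty_attribute(template_xml: str, subtype: str) -> Tuple[str, bool]:
    """Return (xml, changed). Idempotent: an existing attribute of that subtype is left alone."""
    if subtype not in SUPPORTED_SUBTYPES:
        raise ValueError(f"unsupported subtype {subtype!r}; known: {sorted(SUPPORTED_SUBTYPES)}")
    root = ET.fromstring(template_xml)
    if root.tag != "certificateTemplateDetails":
        raise ValueError(f"not a certificate template: root element is <{root.tag}>")
    for attr in root.findall("attribute"):
        if attr.get("subtype") == subtype:
            return template_xml, False
    ET.SubElement(root, "attribute", {"type": "empty", "subtype": subtype})
    ET.indent(root, space="    ")
    return ET.tostring(root, encoding="unicode"), True


# Constructed sample based on the article's excerpt; the "..." is replaced by the
# SEIS_CARD_NUMBER attribute from the second example so idempotence can be shown.
SAMPLE_TEMPLATE = (
    '<certificateTemplateDetails caCertTemplateName="my_ca_template_name" '
    'caName="my_ca_name" coreTemplateName="my_core_template_name">'
    '<attribute type="empty" subtype="SEIS_CARD_NUMBER"/>'
    '</certificateTemplateDetails>'
)


def main(argv: List[str]) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} <template.xml> <SID|SEIS_CARD_NUMBER>", file=sys.stderr)
        return 2
    path, subtype = argv[1], argv[2]
    with open(path, encoding="utf-8") as handle:
        template_xml = handle.read()
    new_xml, changed = add_empty_attribute(template_xml, subtype)
    if changed:
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(new_xml)
        print(f"added <attribute type=\"empty\" subtype=\"{subtype}\"/> to {path}")
    else:
        print(f"{subtype} attribute already present in {path}, file left unchanged")
    print(f"CAs documented for {subtype}: " + ", ".join(SUPPORTED_SUBTYPES[subtype]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: python add_template_attribute.py path/to/template.xml SID, then import the file as described above. Because the whole file is re-serialised, diff it against the exported original before the import.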
Save the identity template
Click Save.
If any mandatory settings are missing, an error message will be shown. Otherwise, there will be a message saying Successful saving.