End Entity Profiles

Username

These settings should not be changed for most configurations.

Password

Should generally be required. If auto-generated is selected, a new password is generated automatically whenever the status is set to 'New' or 'Keyrecoverable'. The password is never shown in the interface, but it can be sent to the end user by email by configuring notifications.

Batch Generation

If batch generation is chosen, the password is stored in clear text in the database. This is required for generating P12, PEM and JKS tokens, because the server needs the password to build the keystore on the user's behalf. Since the password then sits unencrypted in the database, enable this only for profiles that actually need server-side key generation, and treat read access to the database as equivalent to possession of those enrollment passwords.

'Use' indicates that this field will appear for the RA using the profile.
'Default' sets the preset value.
'Required' means that this field must be selected.

The SubjectDN and SubjectAltName fields

Defines which fields should be used in the certificate.

The text field holds the predefined value for the field. If 'Required' is selected, the field must have a value and cannot be left empty. Uncheck 'Modifiable' if the RA should not be able to edit the field; a selection box then replaces the text field. In this case it is possible to enter multiple values in the field using ';' as a delimiter. For example, Dep1;Dep2;Dep3 generates a selection box from which the RA can choose Dep1, Dep2 or Dep3.

If both 'Required' and 'Modifiable' are selected, the field must contain one of the values entered in the text field, i.e. it must be one of Dep1, Dep2 or Dep3.
See the appendix 'DN Field Usages' for more information.

SubjectAltName is a certificate extension, so the SubjectAltName extension must be enabled in the certificate profile for these values to appear in the issued certificate.

The email/rfc822Name field as a subjectAltName has some special handling.
If "use entity email field" is checked, it uses the same value as registered in the end entity's email field.
It is also possible to lock it down in different ways:

  1. uncheck "use entity email field"
  2. uncheck "modifiable"

Now, if you enter only a domain name as "RFC822 Name (email address)", e.g. "fakedomain.com", only the domain is locked down, and the RA operator can still enter the local part of the address, e.g. "tomas".
If you enter a full email address as "RFC822 Name (email address)", e.g. tomas@fakedomain.com, the complete email address is locked down and is the only value the RA operator can select.
If "modifiable" is checked, two fields are shown, one for the name and one for the domain.
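The following is an added illustration, not EJBCA code, of the field rules described above for SubjectDN/SubjectAltName fields and for the rfc822Name special case. It models only what this page states (Required, Modifiable, ';'-separated preset values, domain-only versus full-address locking, and the "use entity email field" option); the names ProfileField, validate_field and validate_rfc822name are assumptions chosen for the example, as is the sample department list.

```python
"""Model of how an End Entity Profile field constrains what an RA may enter.

Added example, not EJBCA code.  It encodes the rules as this page states them:
  - 'Required'   : the field may not be left empty
  - 'Modifiable' : unchecked means a selection box built from the ';'-separated
                   preset values; checked plus Required means the value must
                   still be one of the presets when presets are given
  - rfc822Name   : a domain-only preset locks the domain only, a full address
                   locks the whole value, Modifiable exposes name and domain
Class/function names are assumptions for this illustration.
"""
from dataclasses import dataclass


@dataclass
class ProfileField:
    """One SubjectDN/SubjectAltName field as configured in the profile."""
    name: str
    value: str = ""           # the text field: preset value(s), ';'-delimited
    required: bool = False
    modifiable: bool = True

    def presets(self):
        return [v for v in self.value.split(";") if v]


def validate_field(field, submitted):
    """Return (ok, reason) for a value the RA submits for `field`."""
    presets = field.presets()
    if submitted == "":
        if field.required:
            return False, f"{field.name} is required"
        return True, "empty optional field"
    if not field.modifiable:
        # selection box: only the preset values are selectable
        if submitted in presets:
            return True, "selected from preset list"
        return False, f"{field.name} is not modifiable; choose one of {presets}"
    if field.required and presets:
        # Required + Modifiable with presets: must still be one of them
        if submitted in presets:
            return True, "matches a preset value"
        return False, f"{field.name} must be one of {presets}"
    return True, "free-form value accepted"


def validate_rfc822name(preset, modifiable, submitted, entity_email=None):
    """rfc822Name handling as described on this page.

    entity_email is not None when 'use entity email field' is checked: the
    value then comes from the end entity, and RA input is ignored.
    """
    if entity_email is not None:
        return submitted == entity_email, "taken from entity email field"
    local, sep, domain = submitted.rpartition("@")
    if modifiable:
        # two fields shown: name and domain, both editable
        ok = bool(sep and local and domain)
        return ok, "name and domain both editable"
    if "@" in preset:
        return submitted == preset, "complete address locked down"
    # domain-only preset: the RA may choose the local part, not the domain
    ok = bool(sep and local) and domain == preset
    return ok, "domain locked down"


if __name__ == "__main__":
    # constructed sample inputs, not from any real profile
    dept = ProfileField("OU", "Dep1;Dep2;Dep3", required=True, modifiable=False)
    for candidate in ("Dep2", "Dep4", ""):
        print("OU", repr(candidate), validate_field(dept, candidate))
    for candidate in ("tomas@fakedomain.com", "tomas@evil.example"):
        print("rfc822Name", candidate, validate_rfc822name("fakedomain.com", False, candidate))
```

The check an RA form performs is therefore the same as the one a validating server must repeat: a selection box in the browser is convenience, not enforcement, so the profile rules have to be applied again on the CA side before issuance.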

Subject Directory Attributes

Subject Directory Attributes work the same way as the SubjectDN and SubjectAltName fields. This is a certificate extension, so the Subject Directory Attributes extension must be enabled in the certificate profile for these values to appear in the certificate.

Email Domain

Same as for the SubjectDN fields, except that the text field only restricts the domain name.

Certificate Profile and CA

Here you choose which certificate profiles and CAs should be available to the RA. 'Default' selects the preset value.

Available Tokens

Which tokens it should be possible to generate using this profile. Authorized hard token profiles are also listed here. If hard tokens are used, consider enabling the hard token issuers.

Hard Token Issuers

Same as for Certificate Profiles.

Number of allowed requests

By checking 'Use' for number of allowed requests you enable the possibility to request several certificates in a row without the user's status being set to 'generated'.
Normally, after a username/password pair has been used to generate a certificate, the user's status is set from 'new' to 'generated'. This invalidates the password, thus implementing a one-time password scheme.
By selecting a number higher than one for 'number of allowed requests', the user can request several certificates before the status is set to 'generated'. This makes it possible to enroll for several certificates directly, for example one authentication and one signature certificate. Note that each unused request extends the life of the password: until the count is exhausted, anyone holding the username/password pair can obtain a certificate.

The 'number of allowed requests' in the End Entity Profile sets the default, and the maximum, value available when adding or editing an end entity.
When an existing end entity is edited and its status is set to 'new' from a non-new status, its 'number of allowed requests' is automatically reset to the default value for the profile. If the end entity profile no longer uses 'number of allowed requests', the request counter for the end entity is removed when the end entity is edited.
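The status and counter behaviour described in this section, as an added example that is not EJBCA code: a small model of an end entity whose username/password pair is consumed by enrollments, with the counter reset and removal rules above. The class names ProfileCounter and EndEntity, the method names and the sample credentials are assumptions for the illustration.

```python
"""Model of the 'number of allowed requests' counter on an end entity.

Added example, not EJBCA code.  Behaviour follows this page:
  - each successful enrollment with the username/password consumes one request
  - when no requests remain, status flips NEW -> GENERATED and the password
    stops working (one-time password semantics)
  - the profile value is both default and maximum when adding/editing
  - editing an entity back to NEW from a non-new status resets the counter to
    the profile default; a profile that no longer uses the counter removes it
Names are assumptions chosen for this illustration.
"""

NEW, GENERATED = "new", "generated"


class ProfileCounter:
    """Profile-level setting: 'Use' plus the default/maximum count."""

    def __init__(self, use, allowed_requests=1):
        self.use = use
        self.allowed_requests = allowed_requests

    def default_counter(self):
        return self.allowed_requests if self.use else None


class EndEntity:
    def __init__(self, username, password, profile, allowed_requests=None):
        self.username = username
        self.password = password
        self.status = NEW
        self.counter = None
        self.edit(profile, status=NEW, allowed_requests=allowed_requests)

    def edit(self, profile, status=None, allowed_requests=None):
        """Add/edit as an RA would: optional status change and explicit count."""
        if status == NEW and self.status != NEW:
            # back to NEW from a non-new status: counter reset to profile default
            self.counter = profile.default_counter()
        if not profile.use:
            self.counter = None          # profile no longer uses it: counter removed
        elif allowed_requests is not None:
            if not 1 <= allowed_requests <= profile.allowed_requests:
                raise ValueError("profile maximum is %d" % profile.allowed_requests)
            self.counter = allowed_requests
        elif self.counter is None:
            self.counter = profile.default_counter()
        if status is not None:
            self.status = status

    def enroll(self, password):
        """One certificate request with the username/password pair."""
        if self.status != NEW or password != self.password:
            return False                 # password already consumed or wrong
        if self.counter is not None:
            self.counter -= 1
            if self.counter > 0:
                return True              # more requests allowed before status flips
        self.status = GENERATED          # password now invalid
        return True


def walkthrough():
    """Run the scenario from the text and return a trace of (step, status, counter)."""
    trace = []
    profile = ProfileCounter(use=True, allowed_requests=2)
    ee = EndEntity("alice", "s3cret", profile)           # constructed sample credentials
    trace.append(("added", ee.status, ee.counter))
    ee.enroll("s3cret")                                  # authentication certificate
    trace.append(("first enroll", ee.status, ee.counter))
    ee.enroll("s3cret")                                  # signature certificate
    trace.append(("second enroll", ee.status, ee.counter))
    trace.append(("third enroll ok?", ee.enroll("s3cret"), ee.counter))
    ee.edit(profile, status=NEW)                         # reset from GENERATED to NEW
    trace.append(("set to new", ee.status, ee.counter))
    ee.edit(ProfileCounter(use=False))                   # profile stops using the counter
    trace.append(("profile without counter", ee.status, ee.counter))
    return trace


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```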

Types

Administrator is a flag indicating that this user is an administrator of EJBCA/PrimeCA.

When adding an administrator you also have to grant the administrator rights under the administrator privileges; this flag grants no privileges by itself and is used only as an extra safeguard against misconfiguration.

Send Notifications enables the notification functionality; see the separate appendix on notifications.

'Use' indicates that this field will appear for the RA using the profile.
'Default' sets the preset value.
'Required' means that this field must be selected.

page_revision: 1, last_edited: 1206852559
Unless stated otherwise Content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License