NOTE
The old policy framework for managing certificates was deprecated in Certificate System 7.1 and was removed entirely for Certificate System 7.2 and subsequent releases. Any certificate enrollments or other operations must be performed using the new profile framework.
An administrator cannot edit any certificate profile that has been approved by an agent. The agent must disapprove or disable the certificate profile before the administrator can edit that certificate profile.
Add a certificate profile and modify an existing certificate profile by doing the following:
- Log in to the Certificate System CA subsystem console.
pkiconsole https://server.example.com:9445/ca
- In the Configuration tab, select Certificate Manager, and then select Certificate Profiles. The Certificate Profile Instances Management tab, which lists configured certificate profiles, opens.

- To create a new certificate profile, click . In the Select Certificate Profile Plugin Implementation window, select the type of certificate for which the profile is being created.

- Fill in the profile information in the Certificate Profile Instance Editor.

- Certificate Profile Instance ID. This is the ID used by the system to identify the profile.
- Certificate Profile Name. This is the user-friendly name for the profile.
- Certificate Profile Description.
- End User Certificate Profile. This sets whether the request must be made through the input form for the profile. This is usually set to true. Setting this to false allows a signed request to be processed through the Certificate Manager's certificate profile framework, rather than through the input page for the certificate profile.
- Certificate Profile Authentication. This sets the authentication method. An automated authentication is set by providing the instance ID for the authentication instance. If this field is blank, the authentication method is agent-approved enrollment; the request is submitted to the request queue of the agent services interface.
- Click . The plug-in editor closes, and the new profile is listed in the profiles tab.
- Configure the policies, inputs, and outputs for the new profile. Select the new profile from the list, and click .
- Set up policies in the Policies tab of the Certificate Profile Rule Editor window. The Policies tab lists policies that are already set by default for the profile type.
- To add a policy, click .

- Choose the default from the Default field, choose the constraints associated with that policy in the Constraints field, and click .

- Fill in the policy set ID. When issuing dual key pairs, separate policy sets define the policies associated with each certificate. Then fill in the certificate profile policy ID, a name or identifier for the certificate profile policy.
- Configure any parameters in the Defaults and Constraints tabs.
Defaults defines attributes that populate the certificate request, which in turn determines the content of the certificate. These can be extensions, validity periods, or other fields contained in the certificates. Constraints defines valid values for the defaults. See Section B.1, “Defaults Reference” and Section B.2, “Constraints Reference” for complete details for each default or constraint.
To modify an existing policy, select a policy, and click . Then edit the default and constraints for that policy. To delete a policy, select the policy, and click .
- Set inputs in the Inputs tab of the Certificate Profile Rule Editor window. There can be more than one input type for a profile.
- To add an input, click .

- Choose the input from the list, and click . See Section A.1, “Input Reference” for complete details of the default inputs.
- The New Certificate Profile Editor window opens. Set the input ID, and click .

Inputs can be added and deleted. It is possible to select edit for an input, but since inputs have no parameters or other settings, there is nothing to configure. To delete an input, select the input, and click .
- Set up outputs in the Outputs tab of the Certificate Profile Rule Editor window. Outputs must be set for any certificate profile that uses an automated authentication method; no output needs to be set for any certificate profile that uses agent-approved authentication. The Certificate Output type is set by default for all profiles and is added automatically to custom profiles.
Outputs can be added and deleted. It is possible to select edit for an output, but since outputs have no parameters or other settings, there is nothing to configure.
- To add an output, click .
- Choose the output from the list, and click .
- Give a name or identifier for the output, and click . This output will be listed in the output tab. You can edit it to provide values to the parameters in this output.
To delete an output, select the output from the list, and click .
- Restart the CA to apply the new profile.
service pki-ca start
- After creating the profile as an administrator, a CA agent has to approve the profile in the agent services pages to enable the profile.
- Open the CA's services page.
https://server.example.com:9445/ca/services
- Click the Manage Certificate Profiles link. This page lists all of the certificate profiles that have been set up by an administrator, both active and inactive.
- Click the name of the certificate profile to approve.
- At the bottom of the page, click the button.

NOTE
If this profile will be used with an RA, then the RA must be configured, as well, so that users can access the profile. This is in Section 2.3, “Configuring Custom Enrollment Profiles to Use with an RA”.
If this profile will be used with a TPS, then the TPS must be configured to recognize the profile type. This is in Section 2.5, “Managing Smart Card CA Profiles”.
Authorization methods for the profiles can only be added to the profile using the command line, as described in Section 2.2.3, “Creating and Editing Certificate Profiles through the Command Line”.
To modify an existing certificate profile:
- Log into the agent services pages and disable the profile. Once a certificate profile is enabled by an agent, that certificate profile is marked enabled in the Certificate Profile Instance Management tab, and the certificate profile cannot be edited in any way through the console.
- Log in to the Certificate System CA subsystem console.
pkiconsole https://server.example.com:9445/ca
- In the Configuration tab, select Certificate Manager, and then select Certificate Profiles.
- Select the certificate profile, and click .
- The Certificate Profile Rule Editor window appears. Make any changes to the defaults, constraints, inputs, or outputs.
NOTE
The profile instance ID cannot be modified. If necessary, enlarge the window by pulling out one of the corners of the window.
- Restart the CA to apply the changes.
- In the agent services page, re-enable the profile.
TIP
Delete any certificate profiles that will not be approved by an agent. Any certificate profile that appears in the Certificate Profile Instance Management tab also appears in the agent services interface. If a profile has already been enabled, it must be disabled by the agent before it can be deleted from the profile list.
The certificate profiles can be modified directly through the command line by modifying the profiles' configuration files. Default files exist for the default profiles at installation; when new profiles are created, new configuration files are also created. The configuration files are stored in the CA profile directory, instance_directory/profiles/ca/, such as /var/lib/pki-ca/profiles/ca/. The file is named profile_name.cfg. All of the parameters for profile rules set or modified through the Console, such as defaults, inputs, outputs, and constraints, are written to the profile configuration file.
The enrollment profiles for subsystem certificates are located in the /var/lib/instance_name/conf directory with the name *.profile.
NOTE
Restart the server after editing the profile configuration file for the changes to take effect.
The configuration files are stored in the CA profile directory, such as /var/lib/pki-ca/profiles/ca/. The file is named profile_name.cfg. All of the parameters for a profile rule - defaults, inputs, outputs, and constraints - are configured within a single policy set. A policy set for a profile has the name policyset.policyName.policyNumber. For example:
policyset.cmcUserCertSet.6.constraint.class_id=noConstraintImpl
policyset.cmcUserCertSet.6.constraint.name=No Constraint
policyset.cmcUserCertSet.6.default.class_id=userExtensionDefaultImpl
policyset.cmcUserCertSet.6.default.name=User Supplied Key Default
policyset.cmcUserCertSet.6.default.params.userExtOID=2.5.29.15
The common profile configuration parameters are described in Table 2.1, “Profile Configuration File Parameters”.
There is only one policy set processed for the profile, except for dual key pairs when two policy sets are processed. The server evaluates each policy set for each request it receives. When a single certificate is issued, one set is evaluated, and any other sets in the profile are ignored. When dual key pairs are issued, the first policy set is evaluated with the first certificate request, and the second set is evaluated with the second certificate request. There is no need for more than one policy set when issuing single certificates or more than two sets when issuing dual key pairs.
Table 2.1. Profile Configuration File Parameters
| Parameter | Description |
|---|---|
| desc | Gives a free text description of the certificate profile, which is shown on the end-entities page. For example, desc=This certificate profile is for enrolling server certificates with agent authentication. |
| enable | Sets whether the profile is enabled, and therefore accessible through the end-entities page. For example, enable=true. |
| auth.instance_id | Sets which authentication manager plug-in to use to authenticate the certificate request submitted through the profile. For automatic enrollment, the CA issues a certificate immediately if the authentication is successful. If authentication fails or there is no authentication plug-in specified, the request is queued to be manually approved by an agent. For example, auth.instance_id=AgentCertAuth. |
| authz.acl | Specifies the authorization constraint. Most commonly, this is used to set the group evaluation ACL. For example, this caCMCUserCert parameter requires that the signer of the CMC request belong to the Certificate Manager Agents group: authz.acl=group="Certificate Manager Agents". In directory-based user certificate renewal, this option is used to ensure that the original requester and the currently-authenticated user are the same. An entity must authenticate (bind or, essentially, log into the system) before authorization can be evaluated. |
| name | Gives the name of the profile. For example, name=Agent-Authenticated Server Certificate Enrollment. This name is displayed in the end user's enrollment or renewal page. |
| input.list | Lists the allowed inputs for the profile by name. For example, input.list=i1,i2. |
| input.input_id.class_id | Gives the Java class name for the input by input ID (the name of the input listed in input.list). For example, input.i1.class_id=certReqInputImpl. |
| output.list | Lists the possible output formats for the profile by name. For example, output.list=o1. |
| output.output_id.class_id | Gives the Java class name for the output format named in output.list. For example, output.o1.class_id=certOutputImpl. |
| policyset.list | Lists the configured profile rules. For dual certificates, one set of rules applies to the signing key and the other to the encryption key. Single certificates use only one set of profile rules. For example, policyset.list=serverCertSet. |
| policyset.policyset_id.list | Lists the policies within the policy set configured for the profile by policy ID number in the order in which they should be evaluated. For example, policyset.serverCertSet.list=1,2,3,4,5,6,7,8. |
| policyset.policyset_id.policy_number.constraint.class_id | Gives the Java class name of the constraint plug-in set for the default configured in the profile rule. For example, policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl. |
| policyset.policyset_id.policy_number.constraint.name | Gives the user-defined name of the constraint. For example, policyset.serverCertSet.1.constraint.name=Subject Name Constraint. |
| policyset.policyset_id.policy_number.constraint.params.attribute | Specifies a value for an allowed attribute for the constraint. The possible attributes vary depending on the type of constraint. For example, policyset.serverCertSet.1.constraint.params.pattern=CN=.*. |
| policyset.policyset_id.policy_number.default.class_id | Gives the Java class name for the default set in the profile rule. For example, policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl. |
| policyset.policyset_id.policy_number.default.name | Gives the user-defined name of the default. For example, policyset.serverCertSet.1.default.name=Subject Name Default. |
| policyset.policyset_id.policy_number.default.params.attribute | Specifies a value for an allowed attribute for the default. The possible attributes vary depending on the type of default. For example, policyset.serverCertSet.1.default.params.name=CN=(Name)$request.requestor_name$. |
Changing constraints changes the restrictions on the type of information which can be supplied. Changing the defaults and constraints can also add, delete, or modify the extensions which are accepted or required from a certificate request.
For example, the default caFullCMCUserCert profile is set to create a Key Usage extension from information in the request.
policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false
policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true
policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.cmcUserCertSet.6.default.name=Key Usage Default
policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true
policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
This extension can be removed so that the server accepts the key usage set in the request. In this example, the key extension constraint is removed and replaced by no constraint, and the default is updated to allow user-supplied key extensions:
policyset.cmcUserCertSet.6.constraint.class_id=noConstraintImpl
policyset.cmcUserCertSet.6.constraint.name=No Constraint
policyset.cmcUserCertSet.6.default.class_id=userExtensionDefaultImpl
policyset.cmcUserCertSet.6.default.name=User Supplied Key Default
policyset.cmcUserCertSet.6.default.params.userExtOID=2.5.29.15
This sets the server to accept the extension OID 2.5.29.15 in the certificate request.
NOTE
If the User Supplied Extension Default is used, the CA expects the request to carry any extension whose OID is listed in the userExtOID parameter.
Other constraints and defaults can be changed similarly. Make sure that any required constraints are included with the appropriate default, that defaults are changed when a different constraint is required, and that only allowed constraints are used with the default. For more information, see Section B.1, “Defaults Reference” and Section B.2, “Constraints Reference”.
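The following is an added example, not code from the Certificate System documentation or project. It models the difference between the two policy configurations above: the Key Usage Extension Constraint, which only accepts a request whose key usage bits match the profile, and the No Constraint plug-in with the User Supplied Extension Default, which takes the extension from the request unchanged. The plug-in class names and parameter keys are the ones on this page; the evaluation logic is a simplified model written for illustration, not the CA's own implementation, and the audit check at the end goes beyond the page by flagging the relaxed combination in any policy it is given.

```python
# Added example (not from the Certificate System documentation or project): a model of
# how the Key Usage constraint decides whether a request is acceptable, plus an audit
# check for the relaxed configuration. The evaluation rules are a simplification.

KEY_USAGE_OID = "2.5.29.15"

# Key Usage bit names exactly as the keyUsage<Bit> profile parameters spell them.
KEY_USAGE_BITS = (
    "DigitalSignature", "NonRepudiation", "KeyEncipherment", "DataEncipherment",
    "KeyAgreement", "KeyCertSign", "CrlSign", "EncipherOnly", "DecipherOnly",
)

# Constructed samples: the constrained policy from the page (trimmed to the parameters
# this model reads) and the relaxed replacement that hands the extension to the requester.
CONSTRAINED_POLICY = """
policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true
policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.cmcUserCertSet.6.default.name=Key Usage Default
"""

RELAXED_POLICY = """
policyset.cmcUserCertSet.6.constraint.class_id=noConstraintImpl
policyset.cmcUserCertSet.6.constraint.name=No Constraint
policyset.cmcUserCertSet.6.default.class_id=userExtensionDefaultImpl
policyset.cmcUserCertSet.6.default.name=User Supplied Key Default
policyset.cmcUserCertSet.6.default.params.userExtOID=2.5.29.15
"""


def parse_policy(text):
    """Split 'policyset.<set>.<n>.<constraint|default>.<rest>=<value>' lines into
    {'constraint': {rest: value}, 'default': {rest: value}}."""
    policy = {"constraint": {}, "default": {}}
    for line in text.strip().splitlines():
        key, value = line.split("=", 1)
        parts = key.split(".")          # policyset, set, number, kind, rest...
        policy[parts[3]][".".join(parts[4:])] = value
    return policy


def key_usage_constraint_allows(constraint, request):
    """Model of keyUsageExtConstraintImpl: the critical flag and every named bit in
    the request must equal the constraint's parameters (an unset parameter counts as
    false). noConstraintImpl accepts the request's extension unchanged."""
    class_id = constraint["class_id"]
    if class_id == "noConstraintImpl":
        return True, "no constraint: request value accepted as-is"
    if class_id != "keyUsageExtConstraintImpl":
        raise ValueError(f"unsupported constraint plug-in: {class_id}")
    want_critical = constraint.get("params.keyUsageCritical", "false") == "true"
    if request["critical"] != want_critical:
        return False, f"keyUsageCritical must be {want_critical}"
    for bit in KEY_USAGE_BITS:
        want = constraint.get(f"params.keyUsage{bit}", "false") == "true"
        if request["bits"].get(bit, False) != want:
            return False, f"keyUsage{bit} must be {want}"
    return True, "request matches constraint"


def requester_controls_key_usage(policy):
    """Audit check: True when the policy takes the Key Usage extension straight from
    the request (userExtensionDefaultImpl for OID 2.5.29.15) under noConstraintImpl,
    so bits such as keyCertSign are whatever the requester asked for."""
    default, constraint = policy["default"], policy["constraint"]
    return (default.get("class_id") == "userExtensionDefaultImpl"
            and default.get("params.userExtOID") == KEY_USAGE_OID
            and constraint.get("class_id") == "noConstraintImpl")


# Constructed sample requests: an ordinary user certificate request and one that
# additionally asks for keyCertSign.
USER_REQUEST = {"critical": True,
                "bits": {"DigitalSignature": True, "NonRepudiation": True, "KeyEncipherment": True}}
CA_LIKE_REQUEST = {"critical": True,
                   "bits": {**USER_REQUEST["bits"], "KeyCertSign": True}}

if __name__ == "__main__":
    for name, text in (("constrained", CONSTRAINED_POLICY), ("relaxed", RELAXED_POLICY)):
        policy = parse_policy(text)
        for req_name, req in (("user request", USER_REQUEST), ("keyCertSign request", CA_LIKE_REQUEST)):
            ok, why = key_usage_constraint_allows(policy["constraint"], req)
            print(f"{name:11} {req_name:20} -> {ok}: {why}")
        print(f"{name:11} requester controls key usage: {requester_controls_key_usage(policy)}")
```

Run stand-alone, the constrained policy rejects the request that asks for keyCertSign while the relaxed policy accepts it, which is the trade-off the text describes: removing the constraint means the key usage in the issued certificate is whatever the request carried, so a profile that does this should be paired with an authentication and authorization setting (auth.instance_id, authz.acl) that limits who can submit to it.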
The certificate profile configuration file in the CA's profiles/ca directory contains the input information for that particular certificate profile form. Inputs are the fields in the end-entities page enrollment forms. There is a parameter, input.list, which lists the inputs included in that profile. Other parameters define the inputs; these are identified by the format input.ID. For example, this adds a generic input to a profile:
input.list=i1,i2,i3,i4
...
input.i4.class_id=genericInputImpl
input.i4.params.gi_display_name0=Name0
input.i4.params.gi_display_name1=Name1
input.i4.params.gi_display_name2=Name2
input.i4.params.gi_display_name3=Name3
input.i4.params.gi_param_enable0=true
input.i4.params.gi_param_enable1=true
input.i4.params.gi_param_enable2=true
input.i4.params.gi_param_enable3=true
input.i4.params.gi_param_name0=gname0
input.i4.params.gi_param_name1=gname1
input.i4.params.gi_param_name2=gname2
input.i4.params.gi_param_name3=gname3
input.i4.params.gi_num=4
For more information on what inputs, or form fields, are available, see Section A.1, “Input Reference”.
There is one important thing to do when creating profiles: the Key Default must be added before the Subject Key Identifier Default. Certificate System processes the key constraints in the Key Default before creating or applying the Subject Key Identifier Default, so if the key has not been processed yet, setting the key in the subject name fails.
For example, an object-signing profile may define both defaults:
policyset.set1.p3.constraint.class_id=noConstraintImpl
policyset.set1.p3.constraint.name=No Constraint
policyset.set1.p3.default.class_id=subjectKeyIdentifierExtDefaultImpl
policyset.set1.p3.default.name=Subject Key Identifier Default
...
policyset.set1.p11.constraint.class_id=keyConstraintImpl
policyset.set1.p11.constraint.name=Key Constraint
policyset.set1.p11.constraint.params.keyType=RSA
policyset.set1.p11.constraint.params.keyParameters=1024,2048,3072,4096
policyset.set1.p11.default.class_id=userKeyDefaultImpl
policyset.set1.p11.default.name=Key Default
In the policyset list, then, the Key Default (p11) must be listed before the Subject Key Identifier Default (p3).
policyset.set1.list=p1,p2,p11,p3,p4,p5,p6,p7,p8,p9,p10
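As an added example that is not the Certificate System project's own code, the checker below reads a profile .cfg file the way the policy-set layout on this page describes it (policyset.list, policyset.policyset_id.list, and the per-policy constraint and default class_id parameters) and verifies the ordering rule just stated: the Key Default must come before the Subject Key Identifier Default. It goes a little beyond the page by also reporting policies that are listed but never defined, policies that are defined but missing from the list (and so are never evaluated), and profiles with more than the two policy sets the server processes. The parameter names and plug-in class names are from the page; the checker, its sample profile text and the finding messages are constructed here.

```python
# Added example (not from the Certificate System project): a checker for the
# policy-set layout of a profile configuration file. Parameter and class names
# match the page; the checker logic and sample text are constructed for illustration.
import re

KEY_DEFAULT = "userKeyDefaultImpl"
SKID_DEFAULT = "subjectKeyIdentifierExtDefaultImpl"

# Constructed sample profile: the object-signing policies from the page, reduced to
# the two policies under discussion and listed in the correct order.
GOOD_PROFILE = """\
desc=Constructed object-signing profile for the checker example
enable=true
name=Example Object Signing Certificate Enrollment
policyset.list=set1
policyset.set1.list=p11,p3
policyset.set1.p3.constraint.class_id=noConstraintImpl
policyset.set1.p3.constraint.name=No Constraint
policyset.set1.p3.default.class_id=subjectKeyIdentifierExtDefaultImpl
policyset.set1.p3.default.name=Subject Key Identifier Default
policyset.set1.p11.constraint.class_id=keyConstraintImpl
policyset.set1.p11.constraint.name=Key Constraint
policyset.set1.p11.constraint.params.keyType=RSA
policyset.set1.p11.constraint.params.keyParameters=2048,3072,4096
policyset.set1.p11.default.class_id=userKeyDefaultImpl
policyset.set1.p11.default.name=Key Default
"""

# Same policies listed in the wrong order, plus a stray policy p12 that is defined
# but never listed.
BAD_PROFILE = (GOOD_PROFILE.replace("policyset.set1.list=p11,p3", "policyset.set1.list=p3,p11")
               + "policyset.set1.p12.constraint.class_id=noConstraintImpl\n")


def parse_profile(text):
    """Parse key=value lines into a flat dict; blank and '#' lines are ignored."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def policy_sets(params):
    """Return {set_id: [policy_id, ...]} in evaluation order (policyset.<set>.list)
    for every set named in policyset.list."""
    sets = {}
    for set_id in params.get("policyset.list", "").split(","):
        set_id = set_id.strip()
        if set_id:
            listed = params.get(f"policyset.{set_id}.list", "")
            sets[set_id] = [p.strip() for p in listed.split(",") if p.strip()]
    return sets


def defined_policies(params, set_id):
    """Policy ids that have at least one policyset.<set>.<id>.constraint/default.* key."""
    pat = re.compile(r"^policyset\." + re.escape(set_id) + r"\.([^.]+)\.(constraint|default)\.")
    found = set()
    for key in params:
        m = pat.match(key)
        if m:
            found.add(m.group(1))
    return found


def check_profile(params):
    """Return a list of findings; an empty list means the profile passes."""
    findings = []
    sets = policy_sets(params)
    if not sets:
        findings.append("policyset.list names no policy set")
    if len(sets) > 2:
        findings.append("more than two policy sets; only one (two for dual key pairs) is evaluated")
    for set_id, order in sets.items():
        defined = defined_policies(params, set_id)
        for pid in order:
            if pid not in defined:
                findings.append(f"{set_id}: policy {pid} is listed but not defined")
                continue
            for kind in ("constraint", "default"):
                if f"policyset.{set_id}.{pid}.{kind}.class_id" not in params:
                    findings.append(f"{set_id}: policy {pid} has no {kind}.class_id")
        for pid in sorted(defined - set(order)):
            findings.append(f"{set_id}: policy {pid} is defined but not in the list, so it is never evaluated")
        # Ordering rule: the Key Default must be evaluated before the Subject Key Identifier Default.
        positions = {params.get(f"policyset.{set_id}.{pid}.default.class_id"): i
                     for i, pid in enumerate(order)}
        key_pos, skid_pos = positions.get(KEY_DEFAULT), positions.get(SKID_DEFAULT)
        if key_pos is not None and skid_pos is not None and key_pos > skid_pos:
            findings.append(f"{set_id}: {KEY_DEFAULT} ({order[key_pos]}) is listed after "
                            f"{SKID_DEFAULT} ({order[skid_pos]})")
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        print(label, check_profile(parse_profile(text)) or "OK")
```

To run it against a real instance, read the file from the profile directory named above (for example /var/lib/pki-ca/profiles/ca/profile_name.cfg) and pass its contents to parse_profile; the ordering finding reproduces the failure the text describes before the CA is restarted with the broken profile.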
Bridge or cross-pair certificates are CA signing certificates that are framed as dual certificate pairs, similar to encryption and signing certificate pairs for users, except that each certificate in the pair is issued by a different CA. Each partner CA stores the other CA's signing certificate in its database, so all of the certificates issued within the other PKI are trusted and recognized.
Issuing cross-pair certificates requires the Certificate Policies Extension, explained in Section B.3.4, “certificatePoliciesExt”.
- Stop the CA server, so that you can edit the configuration files.
service pki-ca stop
- Open the CA's CS.cfg file.
vim /var/lib/pki-ca/conf/CS.cfg
- The Certificate Policies Extension default must be edited to specify cross-pair certificates.
ca.Policy.rule.CertificatePoliciesExt.critical=false
ca.Policy.rule.CertificatePoliciesExt.enable=false
ca.Policy.rule.CertificatePoliciesExt.implName=CertificatePoliciesExt
ca.Policy.rule.CertificatePoliciesExt.numCertPolicies=1
ca.Policy.rule.CertificatePoliciesExt.predicate=HTTP_PARAMS.certType==fbca
ca.Policy.rule.CertificatePoliciesExt.certPolicy0.cpsURI=
ca.Policy.rule.CertificatePoliciesExt.certPolicy0.noticeRefNumbers=
ca.Policy.rule.CertificatePoliciesExt.certPolicy0.noticeRefOrganization=
ca.Policy.rule.CertificatePoliciesExt.certPolicy0.policyId=
ca.Policy.rule.CertificatePoliciesExt.certPolicy0.userNoticeExplicitText=
This will set the extension to add the hidden value certType==fbca to the certificate profile enrollment form, tagging the certificate as a cross-pair certificate.
- Restart the CA server.
service pki-ca start
- Create a new profile with the Certificate Policies Extension Default (certificatePoliciesExtDefaultImpl).
- As a CA agent, enable the certificate profile.
The following pre-defined certificate profiles are ready to use when the Certificate System CA is installed. These certificate profiles have been designed for the most common types of certificates, and they provide common defaults and constraints, authentication methods, and inputs and outputs.
By default, the profile configuration files are in the /var/lib/instance_name/profiles/ca directory.
Table 2.2. Certificate Profiles
| Profile ID | Profile Name | Description |
|---|---|---|
| caAdminCert | Security Domain Administrator Certificate Enrollment | Enrolls Security Domain Administrator's certificates with LDAP authentication against the internal LDAP database. |
| caAgentFileSigning | Agent-Authenticated File Signing | This certificate profile is for file signing with agent authentication. |
| caAgentServerCert | Agent-Authenticated Server Certificate Enrollment | Enrolls server certificates with agent authentication. |
| caCACert | Manual Certificate Manager Signing Certificate Enrollment | Enrolls Certificate Authority certificates. |
| caCMCUserCert | Signed CMC-Authenticated User Certificate Enrollment | Enrolls user certificates by using the CMC certificate request with CMC Signature authentication. |
| caDirUserCert | Directory-Authenticated User Dual-Use Certificate Enrollment | Enrolls user certificates with directory-based authentication. |
| caDirUserRenewal | Directory-Authenticated User Certificate Self-Renew profile | Renews user certificates through directory-based authentication. The user certificate is issued as soon as the requester successfully authenticates to the LDAP directory. NOTE: Renewal profiles can only be used in conjunction with the profile that issued the original certificate. There are two settings that are beneficial: |
| caDualCert | Manual User Signing & Encryption Certificates Enrollment | Enrolls dual user certificates. It works only with Netscape 7.0 or later. |
| caDualRAuserCert | RA Agent-Authenticated User Certificate Enrollment | Enrolls user certificates with RA agent authentication. |
| caFullCMCUserCert | Signed CMC-Authenticated User Certificate Enrollment | Enrolls user certificates by using the CMC certificate request with CMC Signature authentication. |
| caInstallCACert | Manual Security Domain Certificate Authority Signing Certificate Enrollment | Enrolls Security Domain Certificate Authority certificates. |
| caInternalAuthAuditSigningCert | Audit Signing Certificate Enrollment | Enrolls a signing certificate to use for signing audit logs; used automatically during any subsystem configuration, with the exception of the RA. |
| caInternalAuthDRMstorageCert | Security Domain DRM Storage Certificate Enrollment | Enrolls DRM storage certificates for DRMs within a security domain; used automatically during a DRM configuration. |
| caInternalAuthOCSPCert | Security Domain OCSP Manager Signing Certificate Enrollment | Enrolls Security Domain OCSP Manager certificates. |
| caInternalAuthServerCert | Security Domain Server Certificate Enrollment | Enrolls Security Domain server certificates. |
| caInternalAuthSubsystemCert | Security Domain Subsystem Certificate Enrollment | Enrolls Security Domain subsystem certificates. |
| caInternalAuthTransportCert | Security Domain Data Recovery Manager Transport Certificate Enrollment | Enrolls Security Domain Data Recovery Manager transport certificates. |
| caManualRenewal | Renew certificate to be manually approved by agents | Renews a certificate that must be manually approved by agents. NOTE: Renewal profiles can only be used in conjunction with the profile that issued the original certificate. There are two settings that are beneficial: |
| caOCSPCert | Manual OCSP Manager Signing Certificate Enrollment | Enrolls OCSP Manager certificates. |
| caOtherCert | Other Certificate Enrollment | Enrolls other certificates. |
| caRAagentCert | RA Agent-Authenticated Agent User Certificate Enrollment | Enrolls RA agent user certificates with RA agent authentication. |
| caRACert | Manual Registration Manager Signing Certificate Enrollment | Enrolls Registration Manager certificates. |
| caRARouterCert | RA Agent-Authenticated Router Certificate Enrollment | Enrolls router certificates after agent approval (as opposed to automatic enrollment). |
| caRAserverCert | RA Agent-Authenticated Server Certificate Enrollment | Enrolls server certificates with RA agent authentication. |
| caRouterCert | One Time Pin Router Certificate Enrollment | Enrolls router certificates using an automatically-generated, one-time PIN that the router can use to retrieve its certificate. |
| caServerCert | Manual Server Certificate Enrollment | Enrolls server certificates. |
| caSignedLogCert | Manual Log Signing Certificate Enrollment | Enrolls audit log signing certificates. |
| caSimpleCMCUserCert | Simple CMC Enrollment | Enrolls user certificates by using the CMC certificate request with CMC Signature authentication. |
| caSSLClientSelfRenewal | Self-renew user SSL client certificates | Renews SSL client certificates using certificate-based authentication. The certificate is issued as soon as the request is authenticated and authorized by presenting the original certificate. NOTE: Renewal profiles can only be used in conjunction with the profile that issued the original certificate. There are two settings that are beneficial: |
| caTempTokenDeviceKeyEnrollment | Temporary Device Certificate Enrollment | Enrolls temporary keys to be used by servers or other network devices on a token; used by the TPS for smart card enrollment operations. These are temporary keys, valid for about a week, and intended to replace a temporarily lost token. |
| caTempTokenUserEncryptionKeyEnrollment | Temporary Token User Encryption Certificate Enrollment | Enrolls an encryption key on a token; used by the TPS for smart card enrollment operations. These are temporary keys, valid for about a week, and intended to replace a temporarily lost token. |
| caTempTokenUserSigningKeyEnrollment | Temporary Token User Signing Certificate Enrollment | Enrolls a signing key on a token; used by the TPS for smart card enrollment operations. These are temporary keys, valid for about a week, and intended to replace a temporarily lost token. |
| caTokenDeviceKeyEnrollment | Token Device Key Enrollment | Enrolls keys to be used by servers or other network devices on a token; used by the TPS for smart card enrollment operations. |
| caTokenMSLoginEnrollment | Token User MS Login Certificate Enrollment | Enrolls key to be used by a person for logging into a Windows domain or PC; used by the TPS for smart card enrollment operations. |
| caTokenUserEncryptionKeyEnrollment | Token User Encryption Certificate Enrollment | Enrolls an encryption key on a token; used by the TPS for smart card enrollment operations. |
| caTokenUserEncryptionKeyRenewal | smart card token encryption cert renewal profile | Renews an encryption key that was enrolled on a token using the caTokenUserEncryptionKeyEnrollment profile; used by a TPS subsystem. |
| caTokenUserSigningKeyEnrollment | Token User Signing Certificate Enrollment | Enrolls a signing key on a token; used by the TPS for smart card enrollment operations. |
| caTokenUserSigningKeyRenewal | smart card token signing cert renewal profile | Renews a signing key that was enrolled on a token using the caTokenUserSigningKeyEnrollment profile; used by a TPS subsystem. |
| caTPSCert | Manual TPS Server Certificate Enrollment | Enrolls TPS server certificates. |
| caTransportCert | Manual Data Recovery Manager Transport Certificate Enrollment | Enrolls Data Recovery Manager transport certificates. |
| caUserCert | Manual User Dual-Use Certificate Enrollment | Enrolls user certificates. |
| caUUIDdevicecert | Manual device Dual-Use Certificate Enrollment to contain UUID in SAN | Enrolls certificates for devices which must contain a unique user ID number (UUID) as a component in the certificate's subject alternate name extension. |
| DomainController | Domain Controller | Enrolls certificates to be used by a Windows domain controller. |