2.2. Setting up Certificate Profiles

2.2.1. Creating Certificate Profiles through the CA Console

For security reasons, Certificate System enforces separation of roles: an administrator creates and edits certificate profiles, but only an agent can enable a profile for use, and an enabled profile must be disabled by an agent before an administrator can edit it again. To add a new certificate profile or modify an existing certificate profile, perform the following steps as the administrator:
  1. Log in to the Certificate System CA subsystem console.
    pkiconsole https://server.example.com:8443/ca
  2. In the Configuration tab, select Certificate Manager, and then select Certificate Profiles.
    The Certificate Profile Instances Management tab, which lists configured certificate profiles, opens.
  3. To create a new certificate profile, click Add.
    In the Select Certificate Profile Plugin Implementation window, select the type of certificate for which the profile is being created.
  4. Fill in the profile information in the Certificate Profile Instance Editor.
    • Certificate Profile Instance ID. This is the ID used by the system to identify the profile.
    • Certificate Profile Name. This is the user-friendly name for the profile.
    • Certificate Profile Description.
    • End User Certificate Profile. This sets whether the request must be made through the input form for the profile. This is usually set to true. Setting this to false allows a signed request to be processed through the Certificate Manager's certificate profile framework, rather than through the input page for the certificate profile.
    • Certificate Profile Authentication. This sets the authentication method. An automated authentication is set by providing the instance ID for the authentication instance. If this field is blank, the authentication method is agent-approved enrollment; the request is submitted to the request queue of the agent services interface.
  5. Click OK. The plug-in editor closes, and the new profile is listed in the profiles tab.
  6. Configure the policies, inputs, and outputs for the new profile. Select the new profile from the list, and click Edit/View.
  7. Set up policies in the Policies tab of the Certificate Profile Rule Editor window. The Policies tab lists policies that are already set by default for the profile type.
    1. To add a policy, click Add.
    2. Choose the default from the Default field, choose the constraints associated with that policy in the Constraints field, and click OK.
    3. Fill in the policy set ID. When issuing dual key pairs, separate policy sets define the policies associated with each certificate. Then fill in the certificate profile policy ID, a name or identifier for the certificate profile policy.
    4. Configure any parameters in the Defaults and Constraints tabs.
      Defaults defines attributes that populate the certificate request, which in turn determines the content of the certificate. These can be extensions, validity periods, or other fields contained in the certificates. Constraints defines valid values for the defaults.
      See Section B.1, “Defaults Reference” and Section B.2, “Constraints Reference” for complete details for each default or constraint.
    To modify an existing policy, select a policy, and click Edit. Then edit the default and constraints for that policy.
    To delete a policy, select the policy, and click Delete.
  8. Set inputs in the Inputs tab of the Certificate Profile Rule Editor window. There can be more than one input type for a profile.
    1. To add an input, click Add.
    2. Choose the input from the list, and click OK. See Section A.1, “Input Reference” for complete details of the default inputs.
    3. The New Certificate Profile Editor window opens. Set the input ID, and click OK.
    Inputs can be added and deleted. It is possible to select edit for an input, but since inputs have no parameters or other settings, there is nothing to configure.
    To delete an input, select the input, and click Delete.
  9. Set up outputs in the Outputs tab of the Certificate Profile Rule Editor window.
    Outputs must be set for any certificate profile that uses an automated authentication method; no output needs to be set for any certificate profile that uses agent-approved authentication. The Certificate Output type is set by default for all profiles and is added automatically to custom profiles.
    Outputs can be added and deleted. It is possible to select edit for an output, but since outputs have no parameters or other settings, there is nothing to configure.
    1. To add an output, click Add.
    2. Choose the output from the list, and click OK.
    3. Give a name or identifier for the output, and click OK.
      This output is then listed in the Outputs tab.
    To delete an output, select the output from list, and click Delete.
  10. Restart the CA to apply the new profile.
    systemctl restart pki-tomcatd@instance-name.service
  11. After creating the profile as an administrator, a CA agent has to approve the profile in the agent services pages to enable the profile.
    1. Open the CA's services page.
      https://server.example.com:8443/ca/services
    2. Click the Manage Certificate Profiles link. This page lists all of the certificate profiles that have been set up by an administrator, both active and inactive.
    3. Click the name of the certificate profile to approve.
    4. At the bottom of the page, click the Enable button.

Note

If this profile will be used with a TPS, then the TPS must be configured to recognize the profile type. This is described in Section 2.4, “Managing Smart Card CA Profiles”.
Authorization methods for the profiles can only be added to the profile using the command line, as described in Section 2.2.3, “Creating and Editing Certificate Profiles through the Command Line”.

2.2.2. Editing Certificate Profiles in the Console

To modify an existing certificate profile:
  1. Log into the agent services pages and disable the profile.
    Once a certificate profile is enabled by an agent, that certificate profile is marked enabled in the Certificate Profile Instance Management tab, and the certificate profile cannot be edited in any way through the console.
  2. Log in to the Certificate System CA subsystem console.
    pkiconsole https://server.example.com:8443/ca
  3. In the Configuration tab, select Certificate Manager, and then select Certificate Profiles.
  4. Select the certificate profile, and click Edit/View.
  5. The Certificate Profile Rule Editor window appears. Make any changes to the defaults, constraints, inputs, or outputs.

    Note

    The profile instance ID cannot be modified.
    If necessary, enlarge the window by pulling out one of the corners of the window.
  6. Restart the CA to apply the changes.
  7. In the agent services page, re-enable the profile.

Note

Delete any certificate profiles that will not be approved by an agent. Any certificate profile that appears in the Certificate Profile Instance Management tab also appears in the agent services interface. If a profile has already been enabled, it must be disabled by the agent before it can be deleted from the profile list.

2.2.3. Creating and Editing Certificate Profiles through the Command Line

The certificate profiles can be modified directly through the command line by modifying the profiles' configuration files. Default files exist for the default profiles at installation; when new profiles are created, new configuration files are also created. The configuration files are stored in the CA profile directory, instance_directory/ca/profiles/ca/, such as /var/lib/pki/pki-ca/ca/profiles/ca/. The file is named profile_name.cfg. All of the parameters for profile rules set or modified through the Console, such as defaults, inputs, outputs, and constraints, are written to the profile configuration file.
The enrollment profiles for subsystem certificates are located in the /var/lib/pki/instance_name/ca/conf directory with the name *.profile.

Note

Restart the server after editing the profile configuration file for the changes to take effect.

2.2.3.1. Profile Configuration Parameters

The configuration files are stored in the CA profile directory, such as /var/lib/pki/pki-ca/ca/profiles/ca/. The file is named profile_name.cfg. All of the parameters for a profile rule - defaults, inputs, outputs, and constraints - are configured within a single policy set. A policy set for a profile has the name policyset.policyName.policyNumber. For example:
policyset.cmcUserCertSet.6.constraint.class_id=noConstraintImpl
policyset.cmcUserCertSet.6.constraint.name=No Constraint
policyset.cmcUserCertSet.6.default.class_id=userExtensionDefaultImpl
policyset.cmcUserCertSet.6.default.name=User Supplied Key Default
policyset.cmcUserCertSet.6.default.params.userExtOID=2.5.29.15
The common profile configuration parameters are described in Table 2.1, “Profile Configuration File Parameters”.
There is only one policy set processed for the profile, except for dual key pairs when two policy sets are processed. The server evaluates each policy set for each request it receives. When a single certificate is issued, one set is evaluated, and any other sets in the profile are ignored. When dual key pairs are issued, the first policy set is evaluated with the first certificate request, and the second set is evaluated with the second certificate request. There is no need for more than one policy set when issuing single certificates or more than two sets when issuing dual key pairs.

Table 2.1. Profile Configuration File Parameters

Parameter Description
desc Gives a free text description of the certificate profile, which is shown on the end-entities page. For example, desc=This certificate profile is for enrolling server certificates with agent authentication.
enable Sets whether the profile is enabled, and therefore accessible through the end-entities page. For example, enable=true.
auth.instance_id Sets which authentication manager plug-in to use to authenticate the certificate request submitted through the profile. For automatic enrollment, the CA issues a certificate immediately if the authentication is successful. If authentication fails or there is no authentication plug-in specified, the request is queued to be manually approved by an agent. For example, auth.instance_id=AgentCertAuth.
authz.acl
Specifies the authorization constraint. Most commonly, this is used to set the group evaluation ACL. For example, this caCMCUserCert parameter requires that the signer of the CMC request belong to the Certificate Manager Agents group:
authz.acl=group="Certificate Manager Agents"
In directory-based user certificate renewal, this option is used to ensure that the original requester and the currently-authenticated user are the same.
An entity must authenticate (bind or, essentially, log into the system) before authorization can be evaluated.
name Gives the name of the profile. For example, name=Agent-Authenticated Server Certificate Enrollment. This name is displayed in the end users enrollment or renewal page.
input.list Lists the allowed inputs for the profile by name. For example, input.list=i1,i2.
input.input_id.class_id Gives the java class name for the input by input ID (the name of the input listed in input.list). For example, input.i1.class_id=certReqInputImpl.
output.list Lists the possible output formats for the profile by name. For example, output.list=o1.
output.output_id.class_id Gives the java class name for the output format named in output.list. For example, output.o1.class_id=certOutputImpl.
policyset.list Lists the configured profile rules. For dual certificates, one set of rules applies to the signing key and the other to the encryption key. Single certificates use only one set of profile rules. For example, policyset.list=serverCertSet.
policyset.policyset_id.list Lists the policies within the policy set configured for the profile by policy ID number in the order in which they should be evaluated. For example, policyset.serverCertSet.list=1,2,3,4,5,6,7,8.
policyset.policyset_id.policy_number.constraint.class_id Gives the java class name of the constraint plug-in set for the default configured in the profile rule. For example, policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl.
policyset.policyset_id.policy_number.constraint.name Gives the user-defined name of the constraint. For example, policyset.serverCertSet.1.constraint.name=Subject Name Constraint.
policyset.policyset_id.policy_number.constraint.params.attribute Specifies a value for an allowed attribute for the constraint. The possible attributes vary depending on the type of constraint. For example, policyset.serverCertSet.1.constraint.params.pattern=CN=.*.
policyset.policyset_id.policy_number.default.class_id Gives the java class name for the default set in the profile rule. For example, policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.policyset_id.policy_number.default.name Gives the user-defined name of the default. For example, policyset.serverCertSet.1.default.name=Subject Name Default
policyset.policyset_id.policy_number.default.params.attribute Specifies a value for an allowed attribute for the default. The possible attributes vary depending on the type of default. For example, policyset.serverCertSet.1.default.params.name=CN=(Name)$request.requestor_name$.

2.2.3.2. Modifying Certificate Extensions through the Command Line

Changing constraints changes the restrictions on the type of information which can be supplied. Changing the defaults and constraints can also add, delete, or modify the extensions which are accepted or required from a certificate request.
For example, the default caFullCMCUserCert profile is set to create a Key Usage extension from information in the request.
 policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl  
 policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint  
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true  
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false  
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false  
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false  
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true  
 policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false  
 policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false  
 policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false  
 policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true  
 policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true  
 policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
 policyset.cmcUserCertSet.6.default.name=Key Usage Default
 policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
 policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
 policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false
 policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true
 policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
This constraint can be removed so that the server accepts the key usage set in the request. In this example, the key extension constraint is removed and replaced by no constraint, and the default is updated to allow user-supplied key extensions:
 policyset.cmcUserCertSet.6.constraint.class_id=noConstraintImpl   
 policyset.cmcUserCertSet.6.constraint.name=No Constraint to keep it simple  
 policyset.cmcUserCertSet.6.default.class_id=userExtensionDefaultImpl
 policyset.cmcUserCertSet.6.default.name=User Supplied Key Default
 policyset.cmcUserCertSet.6.default.params.userExtOID=2.5.29.15
This sets the server to accept the extension OID 2.5.29.15 (Key Usage) from the certificate request. Because the constraint is now noConstraintImpl, whatever Key Usage bits the requester places in the request are copied into the issued certificate without any server-side check, so use this pattern only with an authentication method or agent review that justifies that level of trust.
Other constraints and defaults can be changed similarly. Make sure that any required constraints are included with the appropriate default, that defaults are changed when a different constraint is required, and that only allowed constraints are used with the default. For more information, see Section B.1, “Defaults Reference” and Section B.2, “Constraints Reference”.

2.2.3.3. Adding Inputs through the Command Line

The certificate profile configuration file in the CA's profiles/ca directory contains the input information for that particular certificate profile form. Inputs are the fields in the end-entities page enrollment forms. The input.list parameter lists the inputs included in that profile. Other parameters define the inputs; these are identified by the format input.ID. For example, this adds a generic input to a profile:
input.list=i1,i2,i3,i4
...
input.i4.class_id=genericInputImpl
input.i4.params.gi_display_name0=Name0
input.i4.params.gi_display_name1=Name1
input.i4.params.gi_display_name2=Name2
input.i4.params.gi_display_name3=Name3
input.i4.params.gi_param_enable0=true
input.i4.params.gi_param_enable1=true
input.i4.params.gi_param_enable2=true
input.i4.params.gi_param_enable3=true
input.i4.params.gi_param_name0=gname0
input.i4.params.gi_param_name1=gname1
input.i4.params.gi_param_name2=gname2
input.i4.params.gi_param_name3=gname3
input.i4.params.gi_num=4
For more information on what inputs, or form fields, are available, see Section A.1, “Input Reference”.

2.2.4. Defining Key Defaults in Profiles

When creating certificate profiles, the Key Default must be added before the Subject Key Identifier Default. Certificate System processes the key constraints in the Key Default before creating or applying the Subject Key Identifier Default, so if the key has not been processed yet, the Subject Key Identifier Default has no key from which to derive the identifier and fails.
For example, an object-signing profile may define both defaults:
policyset.set1.p3.constraint.class_id=noConstraintImpl
policyset.set1.p3.constraint.name=No Constraint
policyset.set1.p3.default.class_id=subjectKeyIdentifierExtDefaultImpl
policyset.set1.p3.default.name=Subject Key Identifier Default
...
policyset.set1.p11.constraint.class_id=keyConstraintImpl
policyset.set1.p11.constraint.name=Key Constraint
policyset.set1.p11.constraint.params.keyType=RSA
policyset.set1.p11.constraint.params.keyParameters=1024,2048,3072,4096
policyset.set1.p11.default.class_id=userKeyDefaultImpl
policyset.set1.p11.default.name=Key Default
In the policyset list, then, the Key Default (p11) must be listed before the Subject Key Identifier Default (p3).
policyset.set1.list=p1,p2,p11,p3,p4,p5,p6,p7,p8,p9,p10
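The profile configuration rules in Section 2.2.3.1, the unconstrained user-supplied extension in Section 2.2.3.2, the input definitions in Section 2.2.3.3, and the evaluation-order rule above are all mechanical checks that can be run against a profile_name.cfg before the CA is restarted. The following lint script is an added example and is not part of Certificate System; it assumes only the key=value format shown on this page, and the SAMPLE_PROFILE it ships with is constructed for illustration rather than copied from a shipped profile. It reports inputs and outputs listed without a class_id, a blank auth.instance_id (requests will queue for agent approval), any policy that pairs userExtensionDefaultImpl with noConstraintImpl, and a Key Default listed after the Subject Key Identifier Default.

```python
"""Lint a Certificate System profile .cfg before restarting the CA.

Added example, not Certificate System code. It encodes rules from the text:
listed policies need both class_ids, the Key Default must be evaluated
before the Subject Key Identifier Default, listed inputs/outputs need a
class_id, and userExtensionDefaultImpl + noConstraintImpl means a
requester-supplied extension is issued without a server-side check.
"""
from __future__ import annotations

import sys

KEY_DEFAULT = "userKeyDefaultImpl"
SKI_DEFAULT = "subjectKeyIdentifierExtDefaultImpl"


def parse_profile(text: str) -> dict[str, str]:
    """Parse the key=value lines of profiles/ca/*.cfg; values may contain '='."""
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def split_list(value: str) -> list[str]:
    return [item.strip() for item in value.split(",") if item.strip()]


def lint_profile(params: dict[str, str]) -> list[str]:
    """Return findings as strings; an empty list means the profile passed."""
    findings: list[str] = []
    for kind in ("input", "output"):
        for item in split_list(params.get(f"{kind}.list", "")):
            if f"{kind}.{item}.class_id" not in params:
                findings.append(f"{kind} {item} is listed but has no class_id")
    if not params.get("auth.instance_id"):
        findings.append("auth.instance_id is blank: requests queue for agent approval")
    for pset in split_list(params.get("policyset.list", "")):
        order = split_list(params.get(f"policyset.{pset}.list", ""))
        by_class: dict[str, str] = {}  # default class_id -> policy ID
        for pid in order:
            base = f"policyset.{pset}.{pid}"
            default = params.get(f"{base}.default.class_id")
            constraint = params.get(f"{base}.constraint.class_id")
            if default is None or constraint is None:
                findings.append(f"{pset}.{pid} is listed but lacks a default or constraint class_id")
                continue
            by_class[default] = pid
            if default == "userExtensionDefaultImpl" and constraint == "noConstraintImpl":
                oid = params.get(f"{base}.default.params.userExtOID", "?")
                findings.append(f"{pset}.{pid} issues requester-supplied extension {oid} unchecked")
        # Evaluation order follows policyset.<set>.list, so compare positions there.
        if KEY_DEFAULT in by_class and SKI_DEFAULT in by_class:
            key_pid, ski_pid = by_class[KEY_DEFAULT], by_class[SKI_DEFAULT]
            if order.index(key_pid) > order.index(ski_pid):
                findings.append(f"{pset}: {key_pid} (Key Default) must be listed before "
                                f"{ski_pid} (Subject Key Identifier Default)")
    return findings


# Constructed sample for this example; it is not a shipped profile.
SAMPLE_PROFILE = """\
desc=Constructed sample for the lint, not a shipped profile
enable=true
auth.instance_id=
input.list=i1,i2
input.i1.class_id=certReqInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=set1
policyset.set1.list=p1,p3,p6,p11
policyset.set1.p1.constraint.class_id=subjectNameConstraintImpl
policyset.set1.p1.constraint.params.pattern=CN=.*
policyset.set1.p1.default.class_id=userSubjectNameDefaultImpl
policyset.set1.p3.constraint.class_id=noConstraintImpl
policyset.set1.p3.default.class_id=subjectKeyIdentifierExtDefaultImpl
policyset.set1.p6.constraint.class_id=noConstraintImpl
policyset.set1.p6.default.class_id=userExtensionDefaultImpl
policyset.set1.p6.default.params.userExtOID=2.5.29.15
policyset.set1.p11.constraint.class_id=keyConstraintImpl
policyset.set1.p11.constraint.params.keyType=RSA
policyset.set1.p11.default.class_id=userKeyDefaultImpl
"""


def lint_text(text: str = SAMPLE_PROFILE) -> list[str]:
    return lint_profile(parse_profile(text))


if __name__ == "__main__":
    # Usage: python profile_lint.py /var/lib/pki/instance_name/ca/profiles/ca/profile_name.cfg
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    for finding in lint_text(text) or ["no findings"]:
        print(finding)
```

Run against the sample, the script reports four findings: input i2 has no class_id, auth.instance_id is blank, set1.p6 issues the requester's Key Usage extension unchecked, and p11 (Key Default) is listed after p3 (Subject Key Identifier Default). Moving p11 ahead of p3 in policyset.set1.list, as the text above does, clears the ordering finding; the userExtensionDefaultImpl finding is a deliberate design decision that the script only surfaces for review.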

2.2.5. Configuring Cross-Pair Profiles

Cross-pair certificates are distinct CA signing certificates that establish a trust partner relationship whereby entities from two distinct PKIs trust each other. Each partner CA stores the other CA's signing certificate in its database, so all of the certificates issued within the other PKI are trusted and recognized.
Two extensions supported by the Certificate System can be used to establish such a trust partner relationship (cross-certification):
  • The Certificate Policies Extension (CertificatePoliciesExtension) specifies the terms that the certificate falls under, which are often unique to each PKI.
  • The Policy Mapping Extension (PolicyMappingExtension) seals the trust between two PKIs by mapping the certificate policies of the two environments to each other.
Issuing cross-pair certificates requires the Certificate Policies Extension, explained in Section B.3.4, “certificatePoliciesExt”.
To ensure that the issued certificate contains the CertificatePoliciesExtension, the enrollment profile needs to include an appropriate policy rule, for example:
policyset.userCertSet.p7.constraint.class_id=noConstraintImpl
policyset.userCertSet.p7.constraint.name=No Constraint
policyset.userCertSet.p7.default.class_id=certificatePoliciesExtDefaultImpl
policyset.userCertSet.p7.default.name=Certificate Policies Extension Default
policyset.userCertSet.p7.default.params.Critical=false
policyset.userCertSet.p7.default.params.PoliciesExt.num=1
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.enable=true
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.policyId=1.1.1.1
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=false
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=
Certificates issued with the enrollment profile in this example would contain the following information:
Identifier: Certificate Policies: - 2.5.29.32
Critical: no
Certificate Policies:
Policy Identifier: 1.1.1.1
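To check that the rule above yields exactly that extension, it helps to know the DER the CA will emit. The following script is an added example, not Certificate System code: it reads the certificatePoliciesExtDefaultImpl parameters from a constructed copy of the fragment above and encodes the certificatePolicies extension (OID 2.5.29.32) byte for byte, so the result can be compared with a DER dump of an issued certificate. It assumes, as in the fragment, that the CPSURI and usernotice qualifiers are disabled; only policy identifiers are encoded.

```python
"""Encode the certificatePolicies extension a profile rule produces.

Added example, not Certificate System code. Reads PoliciesExt.* parameters
from a profile fragment and emits DER for
  Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
                           extnValue OCTET STRING }
where extnValue wraps CertificatePolicies ::= SEQUENCE OF PolicyInformation.
Policy qualifiers are assumed disabled and are not encoded.
"""
from __future__ import annotations

CERTIFICATE_POLICIES_OID = "2.5.29.32"


def der_length(n: int) -> bytes:
    """Definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs merged, remaining arcs in base 128."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted}")
    values = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    out = bytearray()
    for v in values:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))  # continuation bit on all but the last byte
            v >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def encode_certificate_policies(policy_ids: list[str], critical: bool) -> bytes:
    policy_infos = b"".join(der_tlv(0x30, encode_oid(oid)) for oid in policy_ids)
    ext_value = der_tlv(0x30, policy_infos)
    body = encode_oid(CERTIFICATE_POLICIES_OID)
    if critical:  # DER forbids encoding a DEFAULT FALSE value, so omit it when false
        body += der_tlv(0x01, b"\xff")
    body += der_tlv(0x04, ext_value)
    return der_tlv(0x30, body)


def policies_from_profile(text: str, prefix: str) -> tuple[list[str], bool]:
    """Collect enabled certPolicyN.policyId values and the Critical flag under prefix."""
    params: dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    critical = params.get(f"{prefix}.Critical", "false").lower() == "true"
    count = int(params.get(f"{prefix}.PoliciesExt.num", "0"))
    ids = []
    for i in range(count):
        policy = f"{prefix}.PoliciesExt.certPolicy{i}"
        if params.get(f"{policy}.enable", "false").lower() == "true":
            ids.append(params[f"{policy}.policyId"])
    return ids, critical


# Constructed copy of the relevant lines of the fragment above.
PROFILE_FRAGMENT = """\
policyset.userCertSet.p7.default.class_id=certificatePoliciesExtDefaultImpl
policyset.userCertSet.p7.default.params.Critical=false
policyset.userCertSet.p7.default.params.PoliciesExt.num=1
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.enable=true
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.policyId=1.1.1.1
"""


def extension_for_fragment(text: str = PROFILE_FRAGMENT) -> bytes:
    ids, critical = policies_from_profile(text, "policyset.userCertSet.p7.default.params")
    return encode_certificate_policies(ids, critical)


if __name__ == "__main__":
    print(extension_for_fragment().hex(" "))
```

For the fragment above the output is 30 10 06 03 55 1d 20 04 09 30 07 30 05 06 03 29 01 01: the extension SEQUENCE, the OID 2.5.29.32, no critical flag, and an OCTET STRING holding one PolicyInformation for 1.1.1.1. Setting Critical=true inserts 01 01 ff after the OID, which is what a relying party sees as "Critical: yes".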

2.2.6. List of Certificate Profiles

The following pre-defined certificate profiles are ready to use and set up in this environment when the Certificate System CA is installed. These certificate profiles have been designed for the most common types of certificates, and they provide common defaults, constraints, authentication methods, inputs, and outputs.
By default, the profile configuration files are in the /var/lib/pki/instance_name/ca/profiles/ca directory. Note that the table below is not complete; the default token enrollment profiles are listed in Table 2.4, “Default Token Certificate Profiles”.

Table 2.2. Certificate Profiles

Profile ID Profile Name Description
caAdminCert Security Domain Administrator Certificate Enrollment Enrolls Security Domain Administrator's certificates with LDAP authentication against the internal LDAP database.
caAgentFileSigning Agent-Authenticated File Signing This certificate profile is for file signing with agent authentication.
caAgentServerCert Agent-Authenticated Server Certificate Enrollment Enrolls server certificates with agent authentication.
caCACert Manual Certificate Manager Signing Certificate Enrollment Enrolls Certificate Authority certificates.
caCMCUserCert Signed CMC-Authenticated User Certificate Enrollment Enrolls user certificates by using the CMC certificate request with CMC Signature authentication.
caDirUserCert Directory-Authenticated User Dual-Use Certificate Enrollment Enrolls user certificates with directory-based authentication.
caDirUserRenewal Directory-Authenticated User Certificate Self-Renew profile Renews user certificates through directory-based authentication. The user certificate is issued as soon as the requester successfully authenticates to the LDAP directory.

Note

Renewal profiles (caDirUserRenewal, caManualRenewal, caSSLClientSelfRenewal, and the token renewal profiles listed further down) can only be used in conjunction with the profile that issued the original certificate. Two settings are beneficial:
  • It is important that the original enrollment profile name does not change.
  • The Renew Grace Period Constraint should be set in the original enrollment profile. This defines the amount of time before and after the certificate's expiration date during which the user is allowed to renew the certificate. There are only a few examples of these in the default profiles, and they are mostly not enabled by default.
caDualCert Manual User Signing & Encryption Certificates Enrollment Enrolls dual user certificates. It works only with Netscape 7.0 or later.
caFullCMCUserCert Signed CMC-Authenticated User Certificate Enrollment Enrolls user certificates by using the CMC certificate request with CMC Signature authentication.
caInstallCACert Manual Security Domain Certificate Authority Signing Certificate Enrollment Enrolls Security Domain Certificate Authority certificates.
caInternalAuthAuditSigningCert Audit Signing Certificate Enrollment Enrolls a signing certificate to use for signing audit logs; used automatically during any supported subsystem configuration.
caInternalAuthKRAstorageCert Security Domain KRA Storage Certificate Enrollment Enrolls KRA storage certificates for KRAs within a security domain; used automatically during a KRA configuration.
caInternalAuthOCSPCert Security Domain OCSP Manager Signing Certificate Enrollment Enrolls Security Domain OCSP Manager certificates.
caInternalAuthServerCert Security Domain Server Certificate Enrollment Enrolls Security Domain server certificates.
caInternalAuthSubsystemCert Security Domain Subsystem Certificate Enrollment Enrolls Security Domain subsystem certificates.
caInternalAuthTransportCert Security Domain Key Recovery Authority Transport Certificate Enrollment Enrolls Security Domain Key Recovery Authority transport certificates.
caManualRenewal Renew certificate to be manually approved by agents Renews a certificate that must be manually approved by agents.

caOCSPCert Manual OCSP Manager Signing Certificate Enrollment Enrolls OCSP Manager certificates.
caOtherCert Other Certificate Enrollment Enrolls other certificates.
caRouterCert One Time Pin Router Certificate Enrollment Enrolls router certificates using an automatically-generated, one-time PIN that the router can use to retrieve its certificate.
caServerCert Manual Server Certificate Enrollment Enrolls server certificates.
caSignedLogCert Manual Log Signing Certificate Enrollment Enrolls audit log signing certificates.
caSimpleCMCUserCert Simple CMC Enrollment Enrolls user certificates by using the CMC certificate request with CMC Signature authentication.
caSSLClientSelfRenewal Self-renew user SSL client certificates Renews SSL client certificates using certificate-based authentication. The certificate is issued as soon as the request is authenticated and authorized by presenting the original certificate.

caTempTokenDeviceKeyEnrollment Temporary Device Certificate Enrollment Enrolls temporary keys to be used by servers or other network devices on a token; used by the TPS for smart card enrollment operations. These are temporary keys, valid for about a week, and intended to replace a temporarily lost token.
caTempTokenUserEncryptionKeyEnrollment Temporary Token User Encryption Certificate Enrollment Enrolls an encryption key on a token; used by the TPS for smart card enrollment operations. These are temporary keys, valid for about a week, and intended to replace a temporarily lost token.
caTempTokenUserSigningKeyEnrollment Temporary Token User Signing Certificate Enrollment Enrolls a signing key on a token; used by the TPS for smart card enrollment operations. These are temporary keys, valid for about a week, and intended to replace a temporarily lost token.
caTokenDeviceKeyEnrollment Token Device Key Enrollment Enrolls keys to be used by servers or other network devices on a token; used by the TPS for smart card enrollment operations.
caTokenMSLoginEnrollment Token User MS Login Certificate Enrollment Enrolls key to be used by a person for logging into a Windows domain or PC; used by the TPS for smart card enrollment operations.
caTokenUserEncryptionKeyEnrollment Token User Encryption Certificate Enrollment Enrolls an encryption key on a token; used by the TPS for smart card enrollment operations.
caTokenUserEncryptionKeyRenewal smart card token encryption cert renewal profile Renews an encryption key that was enrolled on a token using the caTokenUserEncryptionKeyEnrollment profile; used by a TPS subsystem.
caTokenUserSigningKeyEnrollment Token User Signing Certificate Enrollment Enrolls a signing key on a token; used by the TPS for smart card enrollment operations.
caTokenUserSigningKeyRenewal smart card token signing cert renewal profile Renews a signing key that was enrolled on a token using the caTokenUserSigningKeyEnrollment profile; used by a TPS subsystem.
caTPSCert Manual TPS Server Certificate Enrollment Enrolls TPS server certificates.
caTransportCert Manual Key Recovery Authority Transport Certificate Enrollment Enrolls Key Recovery Authority transport certificates.
caUserCert Manual User Dual-Use Certificate Enrollment Enrolls user certificates.
caUUIDdevicecert Manual device Dual-Use Certificate Enrollment to contain UUID in SAN Enrolls certificates for devices which must contain a universally unique identifier (UUID) as a component in the certificate's Subject Alternative Name extension.
DomainController Domain Controller Enrolls certificates to be used by a Windows domain controller.