How to generate certificates through RCM-API with extensions enforced through a profile?
Originally Published: 2010-02-02
Article Number
Applies To
RSA Certificate Manager 6.8
Issue
How to generate certificates through RCM-API consistent with those generated through Enrollment Server, with extensions enforced through a profile
Error returned: XrcCONVERSIONFAILURE
Resolution
- Configure a single Extension Profile in the jurisdiction that contains all the required extensions
- Configure the Extension Profile so that no interactive data is required (i.e. nothing an administrator would have to enter when vetting certificates through the Certificate Operations workbench)
- Mark every extension that must be included in the certificate as Mandatory in the Extension Profile
- For every extension marked Mandatory in the Extension Profile, set the individual element type and value type to 'mandatory' as well (see Note below)
- Optionally set all editable/visible flags to false for the extensions in the Extension Profile, so that an administrator or vetter cannot change any extension values when vetting a request
- Enable 'Enforce Profile Definition' in the jurisdiction
- There is no need to set any extensions manually in the RCM-API application
- There is no need to call XudaEnforceProfile() in the RCM-API application
- In the RCM-API application, the XresCERTIFICATEPROFILE resource must be set to the ID of the enforced Extension Profile
Note: If any extension in the Extension Profile is not set correctly, the call to XudaCASignCertificate() that generates the certificate may return the error XrcCONVERSIONFAILURE.
Notes
There is one exception to the above rule: if the Certificate Attributes section in the Jurisdiction is configured to add an email address to the subject DN, AND the extension profile being enforced in the jurisdiction is configured to include a second email address in the Subject Alternative Name (SAN) extension, then the "type" attribute of the "otherName" component must be set to "optional" rather than "mandatory".
For example, a SAN extension configured in the profile as follows causes XudaCASignCertificate() to return the error XrcCONVERSIONFAILURE:
{
  name : 'Subject Alternative Names',
  type : 'mandatory',
  critical : {
    def : false,
    editable : false,
    visible : true,
    type : 'mandatory'
  },
  generalNames : {
    min : 1,
    max : 1,
    def : 1,
    editable : false,
    visible : false,
    elements : [
      {
        def : 'otherName',
        editable : false,
        visible : true,
        type : 'mandatory',
        value : {
          typeid : {
            def : '1.3.6.1.4.1.311.20.2.3',
            editable : false,
            visible : true,
            type : 'mandatory',
            validator : 'extCheckOID(this)'
          },
          value : {
            def : 'someuser@rsa.net',
            editable : true,
            visible : true,
            type : 'mandatory',
            validator : 'extCheckEmail(this)'
          }
        }
      }
    ]
  }
}
However, updating the SAN extension in the profile as follows (only the "type" of the "otherName" element changes, from 'mandatory' to 'optional') works fine:
{
  name : 'Subject Alternative Names',
  type : 'mandatory',
  critical : {
    def : false,
    editable : false,
    visible : true,
    type : 'mandatory'
  },
  generalNames : {
    min : 1,
    max : 1,
    def : 1,
    editable : false,
    visible : false,
    elements : [
      {
        def : 'otherName',
        editable : false,
        visible : true,
        type : 'optional',
        value : {
          typeid : {
            def : '1.3.6.1.4.1.311.20.2.3',
            editable : false,
            visible : true,
            type : 'mandatory',
            validator : 'extCheckOID(this)'
          },
          value : {
            def : 'someuser@rsa.net',
            editable : true,
            visible : true,
            type : 'mandatory',
            validator : 'extCheckEmail(this)'
          }
        }
      }
    ]
  }
}
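The profile rule in the Resolution section (every element and value type inside a Mandatory extension must itself be 'mandatory') and the single exception in the Notes (the SAN 'otherName' element must be 'optional' when the jurisdiction also adds an email address to the subject DN) can be checked before a profile is enforced, rather than discovered as XrcCONVERSIONFAILURE at signing time. The following is an added example, not RCM code or part of this article: a small lint that walks an extension definition written in the profile's own object-literal syntax. The emailInSubjectDn flag is an assumption standing in for the jurisdiction's Certificate Attributes setting, and lintMandatoryExtension and withOtherNameType are hypothetical helper names.

```javascript
// Constructed copy of the SAN extension from the article. The profile syntax is
// already a valid JavaScript object literal, so it can be used directly.
const sanExtension = {
  name: 'Subject Alternative Names',
  type: 'mandatory',
  critical: { def: false, editable: false, visible: true, type: 'mandatory' },
  generalNames: {
    min: 1, max: 1, def: 1, editable: false, visible: false,
    elements: [
      {
        def: 'otherName', editable: false, visible: true, type: 'mandatory',
        value: {
          typeid: { def: '1.3.6.1.4.1.311.20.2.3', editable: false, visible: true,
                    type: 'mandatory', validator: 'extCheckOID(this)' },
          value: { def: 'someuser@rsa.net', editable: true, visible: true,
                   type: 'mandatory', validator: 'extCheckEmail(this)' },
        },
      },
    ],
  },
};

const SAN_NAME = 'Subject Alternative Names';

// Hypothetical lint (not an RCM API): returns a list of {path, message} findings
// for one extension definition. `emailInSubjectDn` is an assumed flag that
// represents the jurisdiction's Certificate Attributes setting which adds an
// email address to the subject DN.
function lintMandatoryExtension(ext, emailInSubjectDn) {
  const findings = [];
  if (ext.type !== 'mandatory') return findings; // rule applies to Mandatory extensions only

  // Expected 'type' for a nested node: 'mandatory' everywhere, except the SAN
  // otherName element, which must be 'optional' when the DN also carries an email.
  const expectedType = (node, path) => {
    const isSanOtherName = ext.name === SAN_NAME &&
      node.def === 'otherName' && path.includes('elements');
    return isSanOtherName && emailInSubjectDn ? 'optional' : 'mandatory';
  };

  // Depth-first walk over nested objects and arrays, checking every node that
  // carries its own 'type' attribute (the extension's top-level type is skipped).
  const walk = (node, path) => {
    if (Array.isArray(node)) {
      node.forEach((child, i) => walk(child, `${path}[${i}]`));
    } else if (node && typeof node === 'object') {
      if (path && 'type' in node) {
        const want = expectedType(node, path);
        if (node.type !== want) {
          findings.push({ path, message: `type is '${node.type}', expected '${want}'` });
        }
      }
      for (const [key, child] of Object.entries(node)) {
        walk(child, path ? `${path}.${key}` : key);
      }
    }
  };

  walk(ext, '');
  return findings;
}

// Deep copy with the otherName element's type changed, so both profile variants
// shown in the article can be checked without mutating the original.
function withOtherNameType(ext, type) {
  const copy = JSON.parse(JSON.stringify(ext));
  copy.generalNames.elements[0].type = type;
  return copy;
}

// Usage: the first profile from the article is fine on its own, but fails the
// rule once the jurisdiction also adds an email address to the subject DN.
console.log(lintMandatoryExtension(sanExtension, false));                         // []
console.log(lintMandatoryExtension(sanExtension, true));                          // one finding at generalNames.elements[0]
console.log(lintMandatoryExtension(withOtherNameType(sanExtension, 'optional'), true)); // []
```

Running the lint with emailInSubjectDn set to match the jurisdiction reproduces the two outcomes the article describes: the first SAN definition is reported at generalNames.elements[0] only when the DN also carries an email address, and the corrected definition with type 'optional' on otherName passes in that configuration.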
CMAPI-171