PKI Certificate Profiles¶
Certificate profiles define the properties and constraints for certificates issued by the PKI system. Profiles are provided as templates and can be modified per use case.
Overview¶
Profiles control:
- Profile Type — whether the certificate is a Root CA, Sub CA, or End-Entity
- Distinguished Name (DN) — fields written to the certificate
- Key and Signature algorithms — cryptographic algorithms used
- Validity period — how long the certificate is valid
- Basic Constraints — CA flag and path length
- Key Usage and Extended Key Usage — permitted operations
- CRL Distribution Points and Policy Identifiers — revocation and policy information
- Uniqueness Constraints — how duplicate certificates are handled
Profile Types¶
Choose the profile type based on where the certificate sits in the PKI hierarchy:
| Type | Value | Description |
|---|---|---|
| End-Entity | 1 | Leaf certificates issued to devices, users, or services. Cannot sign other certificates. |
| Sub CA | 2 | Intermediate Certificate Authority. Can issue certificates under a Root CA. |
| Root CA | 3 | Trust anchor at the top of the PKI hierarchy. Self-signed. |
Tip
Most use cases only require modifying End-Entity profiles. Sub CA and Root CA profiles are typically set up once during initial PKI configuration.
Distinguished Name¶
The Distinguished Name (DN) identifies the certificate subject. Fields defined in the profile override values from the Certificate Signing Request (CSR).
Common fields:
| Field | Description | Example |
|---|---|---|
| Organization | Company or organization name | Laavat |
| Country | Two-letter country code | FI, DE, US |
| Organizational Unit | Department or unit | R&D |
| Common Name | Entity name | See note below |
| Province | State or province | |
| Locality | City or locality |
Note
For (A)HAB use cases:
- CA names must contain SRK{0...3} for correct SRK selection (SRK0 is the first CA by default)
- End-Entity Common Names must contain IMG{0...3}, CSF{0...3}, or SGK{0...3}
- Leave Common Name empty as it is populated from product information
Key & Signature Algorithm¶
Key Algorithm¶
The key algorithm determines the type of cryptographic key pair generated. It must match the key algorithm configured in the product.
| Algorithm | Value | Description |
|---|---|---|
| RSA | 1 | Widely supported, larger key sizes (2048, 4096 bits) |
| ECDSA | 2 | Smaller keys with equivalent security (P-224, P-256, P-384, P-521) |
Signature Algorithm¶
The signature algorithm must be compatible with the selected key algorithm:
RSA Signature Algorithms:
| Algorithm | Value |
|---|---|
| SHA256WithRSA | 4 |
| SHA384WithRSA | 5 |
| SHA512WithRSA | 6 |
| SHA256WithRSAPSS | 13 |
| SHA384WithRSAPSS | 14 |
| SHA512WithRSAPSS | 15 |
ECDSA Signature Algorithms:
| Algorithm | Value |
|---|---|
| ECDSAWithSHA256 | 10 |
| ECDSAWithSHA384 | 11 |
| ECDSAWithSHA512 | 12 |
Warning
The signature algorithm must match the key type. For example, use SHA256WithRSA (4) with RSA keys and ECDSAWithSHA256 (10) with ECDSA keys.
Validity Period¶
Certificate validity can be specified as a duration (max 290 years) or an absolute date in RFC3339 format.
- Duration example:
1h10m10s(onlyh,m,saccepted) - Absolute date example:
9999-12-31T23:59:59Z
Basic Constraints¶
Basic Constraints control whether a certificate can act as a Certificate Authority and how deep the chain can go.
| Field | Description |
|---|---|
| BasicConstraintsValid | Set to true to include the Basic Constraints extension |
| IsCA | Set to true for CA certificates (Root CA, Sub CA), false for End-Entity |
Tip
- Root CA and Sub CA profiles should have
IsCA: true - End-Entity profiles should have
IsCA: false - Always set
BasicConstraintsValid: trueto include this critical extension
Key Usage¶
Key Usage defines what operations the certificate's public key can be used for. Select one or more values:
| Usage | Value | Typical Use |
|---|---|---|
| Digital Signature | 1 | Signing data, authentication |
| Content Commitment | 2 | Non-repudiation |
| Key Encipherment | 4 | Encrypting keys (e.g., TLS) |
| Data Encipherment | 8 | Encrypting data directly |
| Key Agreement | 16 | Diffie-Hellman key exchange |
| Cert Sign | 32 | Signing other certificates (CA only) |
| CRL Sign | 64 | Signing Certificate Revocation Lists (CA only) |
| Encipher Only | 128 | With Key Agreement only |
| Decipher Only | 256 | With Key Agreement only |
Common combinations
- End-Entity (TLS server): Digital Signature (1) + Key Encipherment (4)
- End-Entity (signing): Digital Signature (1)
- CA certificate: Cert Sign (32) + CRL Sign (64)
Extended Key Usage¶
Extended Key Usage further restricts what the certificate can be used for. This provides more granular control beyond the basic Key Usage.
| Usage | Value | Description |
|---|---|---|
| Any | 0 | No restriction on purpose |
| Server Auth | 1 | TLS server authentication |
| Client Auth | 2 | TLS client authentication |
| Code Signing | 3 | Signing executable code |
| Email Protection | 4 | S/MIME email |
| IPSEC End System | 5 | IPsec communication |
| IPSEC Tunnel | 6 | IPsec tunnel endpoint |
| IPSEC User | 7 | IPsec user |
| Time Stamping | 8 | Trusted timestamps |
| OCSP Signing | 9 | OCSP response signing |
CRL Distribution Points & Policy Identifiers¶
CRL Distribution Points¶
CRL Distribution Points (CDPs) are URIs where the Certificate Revocation List can be downloaded. Relying parties use these to check if a certificate has been revoked.
CRLDistributionPoints:
- http://crl.company.com/e37f045c.crl
Note
CA-specific CDPs defined in the product configuration will override the CDPs defined in the profile.
Policy Identifiers¶
Policy Identifiers are ASN.1 OIDs that indicate the certificate policy under which the certificate was issued.
PolicyIdentifiers:
- 1.10.123.432.4.5
- 2.10.123.432.4.65
Note
CA-specific Policy Identifiers defined in the product configuration will override the Policy Identifiers in the profile.
Uniqueness Constraints¶
Uniqueness constraints control how the system handles duplicate certificate requests. This determines whether a new certificate is issued or an existing one is returned.
Version 1 Profiles¶
| EnforceUniqueDN | Behavior |
|---|---|
false |
New certificate is issued every time |
true |
If a certificate with the same DN exists from the CA, it is returned. If the public key was used with a different DN, an error is returned. |
Version 2 Profiles¶
| EnforceUniqueDN | EnforceUniquePublicKey | Behavior |
|---|---|---|
false |
false |
New certificate is issued every time |
true |
false |
Same DN from the CA returns existing certificate |
false |
true |
Same public key from the CA returns an error |
true |
true |
Same DN + same key returns existing certificate. New DN + new key issues new certificate. Otherwise an error is returned. |
Deleting a Profile¶
Permanent deletion of a profile is a two-step process:
- Mark for deletion: Create a Change Request with type "Set Profile To Be Deleted". This moves the profile to the To Be Deleted state after approval. Only profiles in Ready state that are not used by any product can be selected.
- Delete permanently: From the profiles list, use the actions menu on a profile in To Be Deleted state and select "Delete Profile". Confirm the deletion in the dialog.
Warning
Deletion is irreversible. Ensure the profile is no longer needed by any product before proceeding. Profiles that are currently in use by a product cannot be marked for deletion.
Tip
To cancel a pending deletion, create a change request with type "Set Profile To Ready" to restore the profile to Ready state.
Important Notes¶
- Profiles may be shared across multiple products. Modifying a profile could affect other products.
- Profile modifications are done through Change Requests and require approval.
- For the full PKI technical documentation including YAML examples, see the PKI General Guide.