3.3 Server Configuration
3.3.5 Certificate Template
This section describes the Certificate Template page of the administration console. Use the functionality on this page to perform any certificate template-related task.
Choose the Certificate Template node in the left-hand pane of the administration console.
The following page appears:
Figure: Administration Console – Certificate Template Management
The default template cannot be deleted, changed, or exported. The Mapping option is only available if an additional certificate template is available.
Option: Details
Template Name: Templates created by the user and available for use are listed here. By default, the default template is available.
Add: Adds a new certificate template. This takes you to the template creation page.
Copy: Duplicates the selected template. This takes you to the template creation page.
Edit: Edits a selected template. This takes you to the template creation page.
Delete: Deletes a template selected in the list.
Mapping: Maps any template to another.
Export: Exports a template as an XML file. If you select more than one template for export, all of the templates are incorporated into a single XML file.
Import: Imports templates found on the local machine/network to the list.
Add a New Certificate Template
This section describes how you create a new certificate template.
Click the Add button and the following information appears:
Figure: Administration Console – New Certificate Template
Entries marked with * are mandatory.
Option: Details
Template Name*: The unique template identifier.
SubjectKeyIdentifier: Use this option to identify the specific public key used in an application.
AuthorityKeyIdentifier: Use this option to identify the public key corresponding to the private key that is used to sign a certificate.
3 Administration
CertificatePolicies: This option indicates the policy under which the certificate has been issued and the purposes for which the certificate may be used.
Checking this option will open a mandatory field for the CertificatePolicies.OID (enter the ID and choose Add).
KeyUsage: The key usage extension defines the purpose of the key contained in the certificate.
DigitalSignature
Use when the public key is used with a digital signature mechanism to support security services other than non-repudiation, certificate signing, or CRL signing. Digital signatures are often used for entity authentication and data origin authentication with integrity.
NonRepudiation
Use when the public key is used to verify digital signatures used to provide a non-repudiation service. Non-repudiation protects against the signing entity falsely denying some action (excluding certificate or CRL signing).
KeyEncipherment
Use when a certificate is used with a protocol that encrypts keys. An example is S/MIME enveloping, where a fast (symmetric) key is encrypted with the public key from the certificate. The SSL protocol also performs key encipherment.
DataEncipherment
Use when the public key is used for encrypting user data, other than cryptographic keys.
KeyAgreement
Use when the sender and receiver of the public key need to derive the key without using encryption. This key can be used to encrypt messages between the sender and receiver.
Key agreement is typically used with Diffie-Hellman ciphers.
KeyCertSign
Use when the subject's public key is used for verifying a signature on public key certificates. If the keyCertSign is asserted, the CA bit in the basic constraints extension must also be asserted.
CrlSign
Use when the subject public key is used for verifying a signature on a certificate revocation list. CrlSign must be asserted in certificates that are used to verify signatures on CRLs.
EncipherOnly
Use only when key agreement is also enabled. This enables the public key to be used only for enciphering data while performing key agreement.
DecipherOnly
Use only when key agreement is also enabled. This enables the public key to be used only for deciphering data while performing key agreement.
For more information about standard certificate extensions, see http://www.ietf.org/rfc/rfc3280.txt
ExtendedKeyUsage: This option defines the extended purpose of the key contained in the certificate.
Example SNC/SSF Client Certificate:
KeyUsage
Example SNC Server Certificate:
KeyUsage
DigitalSignature NonRepudiation KeyEncipherment DataEncipherment
For more information about standard certificate extensions, see http://www.ietf.org/rfc/rfc3280.txt
BasicConstraints: This option defines whether the subject of the certificate is a Certification Authority and how deep a certification path may exist through that Certification Authority.
Checking this option will open the following sub-options:
Is critical?
If you select this option, the basic constraints parameter is required in the certificate for communication to be successful.
Is CA?
This option defines whether the subject of the certificate is a Certification Authority. When you select this option, the Path Length field opens. Enter the number of levels for which the constraints are valid.
Private Extensions: Add a user-specific extension to the template.
Choose Add and open the Create Private Extension input page:
Extension Name*
The unique name for this extension
Base64/DER Encoded Data*
The content of the private extension in Base64 or DER format
Add
Adds the information from the fields above to the certificate template (this will also take you back to the Create Certificate Template page).
Cancel
Cancels the Create Private Extension configuration step.
Reset: Clears the fields of any entries.
Cancel: Cancels the Create Certificate Template configuration step.
For more information about standard certificate extensions, see http://www.ietf.org/rfc/rfc3280.txt
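The KeyUsage and BasicConstraints rules in the table above can be checked mechanically before a template is put into use. The following Python code is an added example, not part of the product or its documentation: the dictionary layout, function names and sample templates are assumptions (the XML export format is not shown here), and the bit positions are those defined in RFC 3280.

```python
# Added example. Option names follow the labels in the table above; the dict
# layout is an assumption and is NOT the product's XML export format.
KEY_USAGE_BITS = ["DigitalSignature", "NonRepudiation", "KeyEncipherment",
                  "DataEncipherment", "KeyAgreement", "KeyCertSign",
                  "CrlSign", "EncipherOnly", "DecipherOnly"]  # RFC 3280 bits 0..8


def lint_template(tpl):
    """Return findings for the consistency rules stated in the option table."""
    ku = set(tpl.get("KeyUsage", []))
    bc = tpl.get("BasicConstraints")  # None when the option is unchecked
    findings = [f"unknown KeyUsage value: {n}"
                for n in sorted(ku - set(KEY_USAGE_BITS))]
    if "KeyCertSign" in ku and not (bc and bc.get("IsCA")):
        findings.append("KeyCertSign requires BasicConstraints with Is CA set")
    for bit in ("EncipherOnly", "DecipherOnly"):
        if bit in ku and "KeyAgreement" not in ku:
            findings.append(f"{bit} is only valid together with KeyAgreement")
    if bc and bc.get("PathLength") is not None and not bc.get("IsCA"):
        findings.append("PathLength is set but Is CA is not")
    return findings


def key_usage_der(names):
    """DER-encode the KeyUsage BIT STRING (extension value, without wrapper)."""
    idx = [KEY_USAGE_BITS.index(n) for n in names]
    if not idx:
        raise ValueError("KeyUsage must assert at least one bit")
    nbits = max(idx) + 1                  # DER drops trailing zero bits
    body = bytearray((nbits + 7) // 8)
    for i in idx:
        body[i // 8] |= 0x80 >> (i % 8)   # bit 0 is the most significant bit
    unused = len(body) * 8 - nbits
    return bytes([0x03, len(body) + 1, unused]) + bytes(body)


# Constructed sample templates (not exported from a real system).
SNC_SERVER = {"KeyUsage": ["DigitalSignature", "NonRepudiation",
                           "KeyEncipherment", "DataEncipherment"]}
BAD_CA = {"KeyUsage": ["KeyCertSign", "CrlSign", "DecipherOnly"],
          "BasicConstraints": {"IsCA": False, "PathLength": 1}}

if __name__ == "__main__":
    for name, tpl in (("SNC_SERVER", SNC_SERVER), ("BAD_CA", BAD_CA)):
        print(name, key_usage_der(tpl["KeyUsage"]).hex(), lint_template(tpl))
```
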
Mapping Certificate Template
This section describes how you can map certificate templates to server instances (user certificates) or SAP server certificates.
Choose the desired template name and choose the Mapping button.
Figure: Administration Console – Certificate Template
The default template cannot be deleted, changed, or exported. The Mapping option is only available for the default template if another certificate template is available.
Figure: Administration Console – Certificate Template Mapping
Option: Details
SAP Server Certificate: Assigns the certificate template that is used to create SAP server certificates.
User Certificate: Assigns the certificate template to an instance used for creating user certificates.
To confirm any changes, choose Save.
Export Certificate Template
This section describes how to export certificate templates as an XML file.
Choose the desired template and choose the Export button.
Figure: Administration Console – Export Certificate Template
Option: Details
[List Box]
Selected Template
Exports the selected certificate template.
All Templates
Exports all certificate templates.
Export: Executes the export procedure.
Cancel: Cancels the export procedure.
Import Certificate Template
This section describes how to import certificate templates into the Certificate Template Management page.
Choose the Import button.
Figure: Administration Console – Import Certificate Template
Option: Details
Browse: Opens a file browser to locate a certificate template XML file.
Import: Executes the import procedure.
Cancel: Cancels the import procedure.