Simple Signing Profile (signingService-SimpleSigningProfile)

A signing service profile is where you define the alias and password of the CA certificate that will be used to sign all Certificate Signing Requests (CSRs) associated with that profile. It is also where you can define values for various certificate fields that are applied to the signed certificate, and validate those fields within the CSR supplied by the remote station.

Each profile also holds a Certificate Store where you can view the records of a CSR associated with that profile, including the signed certificate.

The Typical configuration folder contains signing profiles predefined for signing RSA certificates with a minimum key size and various other useful default parameters. There is also a plain unconfigured profile without any parameters in the Unconfigured components folder.

For a signing profile to fulfill requests, the following prerequisites must be met:

  • The CA certificate has been imported into the station or platform certificate manager.
  • The alias and password of the CA have been set in the Signing Profile’s Ca Alias And Password property. A password is mandatory.
     NOTE: Do not select the Use global certificate password checkbox as this option is not valid for the CA certificate.

You may set fixed certificate values such as the expiration period of the signed certificates and the key purpose. These values override those set in the incoming CSR from the requesting component.

You also have the option to drop one of many certificate parameter objects underneath the signing profile. These allow you to define default values for any fields that may be unspecified in the incoming CSR. A validation error will be thrown if the incoming CSR defines a different value, causing the signing request to be rejected. Parameters include key type and minimum key size, and certificate parameters such as the Distinguished Name fields.
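The following added example (not Niagara code and not part of the original guide) models the two behaviors described above: fixed values that override the CSR, and parameter objects that fill in unspecified fields but reject conflicting ones. The class, function and field names are hypothetical, and the 2048-bit minimum, the organization names and the dates are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

class CsrRejected(Exception):
    """A CSR field conflicts with a profile parameter."""

@dataclass
class SigningProfile:  # hypothetical model, not a Niagara class
    expiration: timedelta        # fixed value: overrides the CSR
    key_purpose: str             # fixed value: overrides the CSR
    key_type: str = "RSA"        # parameter object (constructed value)
    min_key_size: int = 2048     # parameter object (constructed value)
    dn_params: dict = field(default_factory=dict)  # Distinguished Name parameters

def apply_profile(profile, csr, processed_at):
    """Return the fields of the certificate to sign, or raise CsrRejected."""
    if csr["key_type"] != profile.key_type:
        raise CsrRejected(f"key type {csr['key_type']} not allowed")
    if csr["key_size"] < profile.min_key_size:
        raise CsrRejected(f"key size {csr['key_size']} is below the minimum")
    subject = dict(csr.get("subject", {}))
    for name, value in profile.dn_params.items():
        # An unspecified field takes the default; a different value is rejected.
        if subject.setdefault(name, value) != value:
            raise CsrRejected(f"{name}={subject[name]!r} conflicts with the profile")
    return {
        "subject": subject,
        "key_purpose": profile.key_purpose,  # whatever the CSR asked for is dropped
        "not_after": processed_at + profile.expiration,  # counted from processing time
    }

def is_accepted(profile, csr, processed_at):
    try:
        apply_profile(profile, csr, processed_at)
        return True
    except CsrRejected:
        return False

# Constructed sample data.
PROFILE = SigningProfile(timedelta(days=365), "Server", dn_params={"O": "ExampleCo"})
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
CSR_OK = {"key_type": "RSA", "key_size": 2048, "subject": {"CN": "station1"},
          "key_purpose": "Cert Authority", "validity_days": 3650}
CSR_WRONG_ORG = {**CSR_OK, "subject": {"CN": "station1", "O": "OtherCo"}}
CSR_SMALL_KEY = {**CSR_OK, "key_size": 1024}

if __name__ == "__main__":
    print(apply_profile(PROFILE, CSR_OK, NOW))
    print(is_accepted(PROFILE, CSR_WRONG_ORG, NOW), is_accepted(PROFILE, CSR_SMALL_KEY, NOW))
```

The accepted CSR asked for a Cert Authority purpose and a ten-year validity, yet the modeled result carries the profile's Server purpose and 365-day period, which is the reason to set these as fixed values on the profile.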

In the Typical configuration > SigningService folder, the available profiles (clientProfile and serverProfile) are already preconfigured when adding the Signing Service. They come with values that are typically needed for two types of certificates commonly signed, that is, the client certificate and the server certificate. The serverProfile, for example, is used by the Fox Service, Web Service, and the Platform. Server certificates are issued by servers whose clients access them to validate the server. The clientProfile may be useful in cases in which a client certificate is needed to allow a server to validate an accessing client.

| Property | Value | Description |
| --- | --- | --- |
| Ca Status | read-only | Displays the current status of the Ca Alias And Password property configuration. The following states can be indicated: • Ok: the configured Ca Alias And Password property is valid for an existing CA certificate in the key store. • Bad Key: default value once a new (unconfigured) signing profile is added to a running station. This state means that the Ca Alias And Password property is currently configured with the default alias specified, or the alias field is empty, or the alias is specified to an existing certificate, but the certificate is not a proper CA. • Missing Key: the Ca Alias And Password property is currently configured with an alias that does not exist in the key store. • Bad Password: the Ca Alias And Password property is currently configured with a valid alias, but the password is incorrect for the selected CA certificate. |
| Ca Alias And Password | additional mandatory properties | Specifies the alias and password of the CA certificate that will be used to sign incoming CSR for this profile. NOTE: Do not select the Use global certificate password checkbox as this option is not valid for a CA certificate. |
| Expiration Period | days, hours, minutes | Defines the expiration period that will be applied to the signed certificate, overriding any specified in the CSR. The period is applied to the time at which the CSR is processed by the service. |
| Key Purpose | drop-down menu | Specifies the purpose certificate extensions that will be applied to the signed certificate, overriding any specified in the CSR. Values are Client, Server, Cert Authority and Code Signing. |
| Certificate Store | additional properties | Holds the records of CSR associated with that profile, including the signed certificate. |
| commonNameTemplate | additional properties (by default added to clientProfile and serverProfile) | For more information, see “Common Name Template (platCrypto-CommonNameTemplate)” in the Niagara Station Security Guide. |
| subjectAlternateName | additional properties (by default added to serverProfile) | For more information, see “Certificate Extension Parameter (platCrypto-CertificateExtensionParameter)” in the Niagara Station Security Guide. |