The following describes how to create Certificate Profiles for server certificates.
For more conceptual information about Certificate Profiles, see Certificate Profiles Overview and for information on available Certificate Profiles Fields, see Certificate Profile Fields.
Certificate Profiles provide a template and constraints for the certificates produced for a certain purpose. The certificate profile chosen for a CA constrains the certificates for that CA's own keys, not the certificates that are in turn signed by those keys. These are instead defined in the End Entity Profile.
This example is provided for illustration only. It does not necessarily comply with any baseline requirements program or standard. Standards and requirements vary and evolve, and it is the responsibility of the end user to ensure that configurations are compliant.
Create Certificate Profile for Server Certificates
To create a certificate profile suitable for SSL/TLS servers, such as web servers, do the following:
- Go to CA Functions > Certificate Profiles to open the Manage Certificate Profiles page.
- Specify a name for the certificate profile, for example SSLServerCertificateProfile, and click Add.
- Find your new SSLServerCertificateProfile in the List of Certificate Profiles, and click Edit.
- Edit the settings according to the following:
  - In Type, select End Entity.
  - Select whatever algorithm and parameters you want to accept, for example:
    - For Available Key Algorithms, select RSA.
    - For Available Bit Lengths, select 2048 and 4096.
  - For Validity, enter 365d to set the validity of the certificate to 1 year.
  - Under Permissions, ensure that Allow Key Usage Override is cleared, as this would otherwise allow a CSR to override the key usages specified in the profile.
  - Enable Key Usage and select Critical, Digital Signature, and Key encipherment.
  - Enable Extended Key Usage and select Server Authentication.
  - If using Certificate Transparency, select Use in New Certificates and then select the Enabled CT Labels (log groups) you wish to submit to.
  - If your workflow requires several administrators to approve certificate requests, scroll down to Approval Settings and select your approvals scheme.
  - Under Other Data, for Available CAs, select the CAs that should be able to use this profile.
  - If you are to publish your certificates (for example, publishing revocations to a Verification Authority), select your Publishers.
- Click Save to store the settings and view the new certificate profile in the list.
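To confirm that an issued certificate actually carries the settings from the steps above (for instance, that no CSR overrode the key usages), a check like the following can be run against a PEM file. It is an added example, not part of the EJBCA documentation or code; the function names check_server_cert and make_sample are hypothetical, and it assumes the openssl CLI (1.1.1 or later) and GNU date.

```shell
#!/usr/bin/env bash
# Added example, not EJBCA code. Assumes openssl 1.1.1 or later and GNU date.

# Print one line per deviation from the profile above; print nothing if compliant.
check_server_cert() {
  local pem=$1 text start end days
  text=$(openssl x509 -in "$pem" -noout -text) || { echo "unreadable certificate"; return; }

  # Available Key Algorithms: RSA. Available Bit Lengths: 2048 and 4096.
  grep -q 'Public Key Algorithm: rsaEncryption' <<<"$text" || echo "key algorithm is not RSA"
  grep -Eq 'Public-Key: \((2048|4096) bit\)' <<<"$text" || echo "key length is not 2048 or 4096"

  # Validity: 365d.
  start=$(openssl x509 -in "$pem" -noout -startdate | cut -d= -f2)
  end=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)
  days=$(( ($(date -d "$end" +%s) - $(date -d "$start" +%s)) / 86400 ))
  [ "$days" -le 365 ] || echo "validity is $days days, profile sets 365"

  # Key Usage: critical, with exactly Digital Signature and Key encipherment.
  grep -A1 'X509v3 Key Usage: critical' <<<"$text" | tail -n1 |
    grep -Eq '^ *Digital Signature, Key Encipherment *$' || echo "key usage differs from profile"

  # Extended Key Usage: exactly Server Authentication.
  grep -A1 'X509v3 Extended Key Usage' <<<"$text" | tail -n1 |
    grep -Eq '^ *TLS Web Server Authentication *$' || echo "extended key usage differs from profile"
}

# Constructed sample input: self-signed test certificates, not issued by EJBCA.
# usage: make_sample <out.pem> <days> <keyUsage> <extendedKeyUsage>
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -out "$1" -days "$2" \
    -subj "/CN=sample.example" -addext "keyUsage=$3" -addext "extendedKeyUsage=$4" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir/good.pem" 365 "critical,digitalSignature,keyEncipherment" serverAuth
make_sample "$demo_dir/bad.pem" 730 "digitalSignature,keyCertSign" "serverAuth,clientAuth"
echo "good.pem deviations: $(check_server_cert "$demo_dir/good.pem" | wc -l)"
echo "bad.pem deviations:"
check_server_cert "$demo_dir/bad.pem"
```

The check matches the text output of openssl x509, so it treats any extra key usage or extended key usage value as a deviation.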
Create Certificate Profile for Server Certificates from Template
You can create a new Certificate Profile by cloning a default template or any other existing Certificate Profile. The Manage Certificate Profiles page (CA Functions > Certificate Profiles) displays all available profiles, with the default profiles at the top of the List of Certificate Profiles, followed by any other Certificate Profiles that have been created.
To create a new Certificate Profile using an existing profile as a template, do the following:
- Click Certificate Profiles under CA Functions to open the Manage Certificate Profiles page.
- Find the Certificate Profile to use as a template, for example the default SERVER template, and click Clone.
- In the Clone screen that appears, specify a name for your new Certificate Profile, for example SSLServerCertificateProfile, and click Create from template.
- Find your new SSLServerCertificateProfile in the List of Certificate Profiles, and click Edit to make any changes.