End Entity Profiles define how certificates will look: which fields the certificates should contain, and which Certificate Profiles and CAs may be used with them.

The following sections describe how to create End Entity Profiles for users and workstations.

Create User End Entity Profile

To create a Corporate User End Entity Profile, do the following:

  1. Under RA Functions, select End Entity Profiles.
  2. In the Add Profile field, enter Corporate User EE Profile and click Add.
  3. Edit the newly created Corporate User EE Profile according to the following:
    1. Subject DN Attributes: Select desired fields for subject DN and click Add. Recommended values:
      • (CN) Common name (default)
      • (C) Country
      • (O) Organization

        NOTE Any field specified in the Subject DN Attributes and marked as required must be populated or the certificate request will be denied. If you specify a value and clear Modifiable, the certificate request will be rejected unless it contains that exact value in that field.
    2. Default Certificate Profile: Specify Corporate User Certificate Profile.
    3. Available Certificate Profiles: Specify Corporate User Certificate Profile.
    4. Default CA: Specify Corporate Issuing CA – G1.
    5. Available CAs: Corporate Issuing CA – G1.
    6. Default Token: Specify User Generated.
    7. Available Tokens: Clear the JKS option.
      • User Generated: User will provide a CSR for a certificate request.
      • P12: The certificate and key will be generated by EJBCA.
      • JKS: Generally used for Tomcat Application servers and thus cleared in this case as you are creating a user profile.
      • PEM: Certificate only in PEM format.
  4. Click Save to save the Corporate User End Entity Profile.

Create Workstation End Entity Profile

To create a Corporate Workstation End Entity Profile, do the following:

  1. Under RA Functions, select End Entity Profiles.
  2. In the Add Profile field, enter Corporate Workstation EE Profile and click Add.
  3. Edit the newly created Corporate Workstation EE Profile according to the following:
    1. Subject DN Attributes: Select desired fields for subject DN and click Add. Recommended values:
      • (CN) Common name (default)
      • (C) Country
      • (O) Organization
        NOTE Any field specified in the Subject DN Attributes and marked as required must be populated or the certificate request will be denied. If you specify a value and clear Modifiable, the certificate request will be rejected unless it contains that exact value in that field.
    2. Other subject attributes show options for Subject Alternative Name (SAN). Some browsers (for example, Google Chrome) require this field and it should be implemented for server and workstation certificates. Add DNS name values from the Subject Alternative Name list as needed and also add at least one IP Address value.

      NOTE If you specify a number of DNS Name attributes for the SAN and the certificate request contains more DNS names than you have allowed, certificate generation will fail. For example, if you allow 3 DNS Name fields in a certificate and a System Admin requests a certificate with 4 DNS Name fields in it, the request will fail.
    3. Default Certificate Profile: Specify Corporate Workstation Certificate Profile.
    4. Available Certificate Profiles: Specify Corporate Workstation Certificate Profile.
    5. Default CA: Specify Corporate Issuing CA – G1.
    6. Available CAs: Corporate Issuing CA – G1.
    7. Default Token: Specify User Generated.
    8. Available Tokens: Select all options for convenience during evaluation (CTRL-click to select multiple options).
      • User Generated: User will provide a CSR for a certificate request.
      • P12: The certificate and key will be generated by EJBCA.
      • JKS: Generally used for Tomcat Application servers and thus allowed in this case as you are creating a workstation/server profile.
      • PEM: Certificate only in PEM format.
        NOTE If no Server Certificates should be allowed without a CSR being provided, clear the P12 option since a P12 file contains a key generated by EJBCA.
  4. Click Save to save the Corporate Workstation End Entity Profile.
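
The three rejection rules from the NOTEs above (empty required field, changed non-modifiable value, too many DNS names) can be checked before a request is submitted. The following is an added example, not EJBCA code: a simplified model of those rules in which the Profile and DnField classes, the fixed values "SE" and "Corporate", and the sample requests are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class DnField:
    required: bool = True
    modifiable: bool = True
    value: str = ""  # enforced verbatim when modifiable is False

@dataclass
class Profile:
    subject_dn: dict      # attribute -> DnField
    max_dns_names: int    # DNS Name fields added under Subject Alternative Name

def check_request(profile, subject, sans):
    """Return the reasons a request would be denied; an empty list means it passes."""
    problems = []
    for attr, rule in profile.subject_dn.items():
        got = subject.get(attr, "").strip()
        if rule.required and not got:
            problems.append(f"{attr}: required field is empty")
        elif not rule.modifiable and got != rule.value:
            problems.append(f"{attr}: must be exactly {rule.value!r}, got {got!r}")
    dns_names = [value for kind, value in sans if kind == "DNS"]
    if len(dns_names) > profile.max_dns_names:
        problems.append(
            f"SAN: {len(dns_names)} DNS names requested, profile allows {profile.max_dns_names}")
    return problems

# Constructed profile: CN free-form, C and O pinned, three DNS Name fields allowed.
WORKSTATION = Profile(
    subject_dn={
        "CN": DnField(),
        "C": DnField(modifiable=False, value="SE"),
        "O": DnField(modifiable=False, value="Corporate"),
    },
    max_dns_names=3,
)

# Constructed requests (subject attributes and SAN entries as already parsed from a CSR).
GOOD = ({"CN": "ws01.corp.example", "C": "SE", "O": "Corporate"},
        [("DNS", "ws01.corp.example"), ("IP", "192.0.2.10")])
TOO_MANY_DNS = (GOOD[0], [("DNS", f"ws0{i}.corp.example") for i in range(1, 5)])
BAD_SUBJECT = ({"CN": "ws02.corp.example", "C": "", "O": "Other Org"}, [])

if __name__ == "__main__":
    for name, (subject, sans) in [("good", GOOD), ("too many DNS", TOO_MANY_DNS),
                                  ("bad subject", BAD_SUBJECT)]:
        print(name, "->", check_request(WORKSTATION, subject, sans) or "ok")
```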