Version: 8.2411.x.x RR

Certificate - policy parameters

This table lists the policy parameters specific to certificates.

In addition to the policy parameters defined in this table, the policy parameter defined in the table in the chapter All credential types is also valid for certificate credentials.

| Name | Data type, values | Default | Description |
|---|---|---|---|
| allowCertificateUpload | Data type: boolean | true | |
| autoUpdate | Data type: boolean | true | If true, IdmX509State replaces existing credentials matching the same issuer and subject, considering the values in issuerDNUpdateList. |
| certificateUploadAllowedIssuerCNList | Data type: string | null | List of issuer CNs that are checked before uploading a certificate. If the user's certificate has been signed by one of the listed CNs, the certificate is set to ACTIVE; otherwise, it remains DISABLED. In both cases, the certificate will be uploaded. Listed CN names can be separated by one of the following characters: "\|", ";", ",". Example: `A\|B\|C`, `A;B;C` or `A,B,C`.<br>If the parameter is not set, the issuer CN check will be skipped and not taken into account when determining the state of the credential. |
| certificateUploadCheck | Values: "none", "tolerant", "strict" | "none" | Defines how certificates are checked during upload:<br>- none: no check will be performed.<br>- tolerant: checks will be performed, but upon a policy violation, the certificate will still be uploaded. However, its state will be set to "deactivated", and the state change reason code will be set to "policy-check-failed".<br>- strict: upon a policy violation, the upload is aborted. This is the recommended setting if validation has to be performed, because only valid certificates are then stored in nevisIDM, which increases data quality. |
| certificateUploadCheckSubjectDNElements | Data type: string | null | Comma-separated list of elements which have to be present in the subject DN. The definition is done by means of configuration variables. Example: `certificateUploadCheckSubjectDNElements=USER_NAME,CRED_PROP_PROPERTYNAME`<br>If the subject DN does not contain all listed elements, the check fails and the result of the certificate upload will depend on the value of the "certificateUploadCheck" parameter:<br>- if "certificateUploadCheck=strict", the certificate upload is aborted<br>- if "certificateUploadCheck=tolerant", the certificate is uploaded with state DISABLED<br>- if "certificateUploadCheck" is not set in the policy, the certificate is uploaded with state ACTIVE. |
| closeToExpirationThreshold | Data type: int (days) | 10 | Defines the number of days preceding the real expiry date at which the UpdateCredentialStateJob will trigger communication events. Example: If set to 2, all certificates that expire the day after tomorrow (between 00:00 and 23:59) will be affected. |
| issuerDNUpdateList | Data type: string | empty | Defines which issuerDNs should be considered equivalent when performing a certificate auto update. Can be used to migrate from an obsolete CA to a new one. The list contains pairs of issuerDNs separated by "\|". A pair is defined as follows: `<new issuerDN>--><old issuerDN>`. This means that the new issuerDN is equivalent to the old issuerDN when performing a certificate auto update. Example: `CN=NewCA, O=Nevis Security AG, C=ch-->CN=OldCA, O=Nevis Security AG, C=ch` |
| sendWarningWhenCloseToExpiration | Data type: boolean | false | Defines whether UpdateCredentialStateJob should trigger a CertificateExpirationWarning communication event when closeToExpirationThreshold is reached. |
| ticketTriggering | Data type: boolean | false | If true, the creation of an empty certificate automatically triggers the creation of a new ticket (incl. sending of a ticket e-mail). This policy variable applies only for certificates created via web services. |
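The following added example (not nevisIDM code) models how the upload-time parameters above combine: the issuer CN list decides ACTIVE versus DISABLED without ever aborting, the subject DN element check is governed by certificateUploadCheck, and issuerDNUpdateList is parsed into the new-to-old issuer mapping used by autoUpdate. The function names, the dictionary result format, the assumed "issuer-cn-not-allowed" reason code, the independence of the two checks and the way configuration variables are passed in already resolved are all assumptions, not documented behaviour.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
@dataclass
class CertPolicy:
    certificateUploadCheck: str = "none"                        # "none" | "tolerant" | "strict"
    certificateUploadAllowedIssuerCNList: str | None = None     # e.g. "A|B", "A;B" or "A,B"
    certificateUploadCheckSubjectDNElements: str | None = None  # e.g. "USER_NAME,CRED_PROP_X"

def split_list(value: str) -> list[str]:
    # The page allows "|", ";" or "," as separators for the CN list.
    return [v.strip() for v in re.split(r"[|;,]", value) if v.strip()]

def dn_attr(dn: str, attr: str) -> str | None:
    # Minimal DN parsing ("CN=Foo, O=Bar" -> "Foo"); assumes no escaped commas.
    m = re.search(rf"(?:^|,)\s*{re.escape(attr)}\s*=\s*([^,]*)", dn, re.IGNORECASE)
    return m.group(1).strip() if m else None

def evaluate_upload(policy: CertPolicy, issuer_dn: str, subject_dn: str,
                    resolved: dict[str, str]) -> dict:
    # `resolved` maps configuration-variable names (USER_NAME, ...) to the values
    # expected in the subject DN; resolving them is assumed to happen elsewhere.
    state, reason = "ACTIVE", None
    # Issuer CN check: skipped when the list is not set; never aborts the upload.
    if policy.certificateUploadAllowedIssuerCNList:
        if dn_attr(issuer_dn, "CN") not in split_list(policy.certificateUploadAllowedIssuerCNList):
            state, reason = "DISABLED", "issuer-cn-not-allowed"  # reason code assumed
    # Subject DN element check, governed by certificateUploadCheck ("none" skips it).
    if policy.certificateUploadCheck != "none" and policy.certificateUploadCheckSubjectDNElements:
        missing = [e for e in split_list(policy.certificateUploadCheckSubjectDNElements)
                   if e not in resolved or resolved[e] not in subject_dn]
        if missing and policy.certificateUploadCheck == "strict":
            return {"uploaded": False, "state": None, "reason": "policy-check-failed"}
        if missing:  # tolerant: stored, but deactivated with the page's reason code
            state, reason = "DISABLED", "policy-check-failed"
    return {"uploaded": True, "state": state, "reason": reason}

def parse_issuer_dn_update_list(value: str) -> dict[str, str]:
    # "<new issuerDN>--><old issuerDN>|..." -> {new: old}; the DNs themselves contain commas.
    pairs = {}
    for pair in value.split("|"):
        new, sep, old = pair.partition("-->")
        if sep:
            pairs[new.strip()] = old.strip()
    return pairs

def issuers_equivalent(update_list: str, new_issuer: str, existing_issuer: str) -> bool:
    # autoUpdate: the existing issuer equals the new one or is its old DN in issuerDNUpdateList.
    mapping = parse_issuer_dn_update_list(update_list)
    return new_issuer == existing_issuer or mapping.get(new_issuer) == existing_issuer
```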