Certificate - policy parameters
This page lists the policy parameters specific to certificates.
In addition to the policy parameters defined here, the parameters defined in the table in the chapter All credential types are also valid for certificate credentials.
allowCertificateUpload
- Data type: boolean
- Default: true
- Description: Enables or disables certificate upload by users.
autoUpdate
- Data type: boolean
- Default: true
- Description: If true, a new certificate automatically replaces an existing certificate credential that has the same issuer and subject, taking into account the values in
issuerDNUpdateList.
certificateUploadAllowedIssuerCNList
- Data type: String
- Default: null
- Description: List of issuer CNs that are checked before uploading a certificate. If the user's certificate has been signed by one of the listed CNs, the certificate is set to ACTIVE; otherwise, it remains DISABLED. In both cases, the certificate is uploaded. The listed CNs can be separated by a pipe (|), a semicolon (;) or a comma (,). Example: A|B|C, A;B;C or A,B,C. If the parameter is not set, the issuer CN check is skipped and not taken into account when determining the state of the credential.
certificateUploadCheck
- Data type: enum
- Values: none, tolerant, strict
- Default: none
- Description: Defines how certificates are checked during upload:
- none: no check will be performed.
- tolerant: checks will be performed, but upon a policy violation, the certificate will still be uploaded. However, its state will be set to "deactivated", and the state change reason code will be set to "policy-check-failed".
- strict: upon a policy violation, the upload is aborted. This is the recommended setting if validation has to be performed, because by doing so, only valid certificates are stored in nevisIDM, which increases data quality.
certificateUploadCheckSubjectDNElements
- Data type: String
- Default: null
- Description: Comma-separated list of elements which must be present in the subject DN. The elements are given as configuration variables. Example: certificateUploadCheckSubjectDNElements=_USER_NAME,CRED_PROP_PROPERTYNAME_. If the subject DN does not contain all listed elements, the check fails and the result depends on the value of certificateUploadCheck:
  - If certificateUploadCheck=strict, the certificate upload is aborted.
  - If certificateUploadCheck=tolerant, the certificate is uploaded with state DISABLED.
  - If certificateUploadCheck is not set, the certificate is uploaded with state ACTIVE.
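The three upload parameters above (certificateUploadAllowedIssuerCNList, certificateUploadCheck and certificateUploadCheckSubjectDNElements) combine into one upload decision. The following is an added example written for this page, not nevisIDM's own implementation: the function names, the plain-string certificate model, the naive DN splitting and the assumption that the issuer CN check and the subject DN check are applied independently are all assumptions of the example. The required subject DN values are passed in already resolved (for example the user's name in place of _USER_NAME); resolving configuration variables is not shown.

```python
"""Upload decision for a certificate credential (added example, not nevisIDM code)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The page allows '|', ';' or ',' between the listed issuer CNs.
_CN_SEPARATORS = re.compile(r"[|;,]")


def parse_issuer_cn_list(value: Optional[str]) -> Optional[List[str]]:
    """Parse certificateUploadAllowedIssuerCNList; None means 'parameter not set'."""
    if value is None or not value.strip():
        return None
    return [cn.strip() for cn in _CN_SEPARATORS.split(value) if cn.strip()]


def subject_dn_values(subject_dn: str) -> List[str]:
    """Values of the RDNs in a DN string.

    Assumption of the example: naive split on ',' and '=', so RFC 4514
    escapes such as '\\,' inside a value are not handled.
    """
    values = []
    for rdn in subject_dn.split(","):
        _, _, value = rdn.partition("=")
        values.append(value.strip())
    return values


@dataclass
class UploadResult:
    uploaded: bool
    state: Optional[str] = None   # 'ACTIVE' or 'DISABLED' when uploaded
    reason: Optional[str] = None  # state change reason, e.g. 'policy-check-failed'


def evaluate_upload(issuer_cn: str, subject_dn: str, *,
                    allowed_issuer_cns: Optional[List[str]] = None,
                    upload_check: str = "none",
                    required_subject_values: Iterable[str] = ()) -> UploadResult:
    """Apply the three upload policy parameters to one certificate.

    required_subject_values are the resolved values of the variables listed
    in certificateUploadCheckSubjectDNElements (hypothetical representation).
    """
    if upload_check not in ("none", "tolerant", "strict"):
        raise ValueError(f"unknown certificateUploadCheck value: {upload_check!r}")

    state, reason = "ACTIVE", None

    # certificateUploadCheckSubjectDNElements, gated by certificateUploadCheck:
    # 'none' performs no check, 'strict' aborts, 'tolerant' uploads as DISABLED
    # (the page also calls this state "deactivated") with the reason code set.
    present = subject_dn_values(subject_dn)
    missing = [v for v in required_subject_values if v not in present]
    if missing and upload_check == "strict":
        return UploadResult(uploaded=False, reason="policy-check-failed")
    if missing and upload_check == "tolerant":
        state, reason = "DISABLED", "policy-check-failed"

    # certificateUploadAllowedIssuerCNList only influences the state; the
    # certificate is uploaded either way, and the check is skipped when unset.
    if allowed_issuer_cns is not None and issuer_cn not in allowed_issuer_cns:
        state = "DISABLED"

    return UploadResult(uploaded=True, state=state, reason=reason)


if __name__ == "__main__":
    allowed = parse_issuer_cn_list("CorpCA|LegacyCA")
    print(evaluate_upload("RogueCA", "CN=alice, O=Example", allowed_issuer_cns=allowed))
    print(evaluate_upload("CorpCA", "CN=alice, O=Example", upload_check="tolerant",
                          required_subject_values=["bob"]))
```

The ordering matters for the strict case: a subject DN violation aborts before the issuer CN list is consulted, so a certificate from an unknown issuer with a bad subject is rejected rather than stored as DISABLED. Note that with certificateUploadCheck=none the subject DN list is ignored entirely, which is why the page recommends strict when validation is actually wanted.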
closeToExpirationThreshold
- Data type: int (days)
- Default: 10
- Description: Defines the number of days preceding the real expiry date at which the UpdateCredentialStateJob will trigger communication events. Example: If set to 2, all certificates that expire the day after tomorrow (between 00:00 and 23:59) will be affected.
issuerDNUpdateList
- Data type: String
- Default: empty
- Description: Defines which issuerDNs should be considered equivalent when performing a certificate auto update. Can be used to migrate from an obsolete CA to a new one. The list contains pairs of issuerDNs separated by a pipe (|). A pair is defined as <new issuerDN>--><old issuerDN>. This means that the new issuerDN is equivalent to the old issuerDN during a certificate auto update. Example:
  CN=NewCA, O=Nevis Security AG, C=ch-->CN=OldCA, O=Nevis Security AG, C=ch
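To show how autoUpdate and issuerDNUpdateList interact, here is an added example written for this page rather than nevisIDM code. It parses the pair list, then looks for the existing credential that a newly uploaded certificate replaces: same subject, and an issuer that is either identical or listed as the old side of the new issuer. The DN normalisation is a naive split on ',' and '=' with no RFC 4514 escape handling, the credential records are plain dicts, and the one-directional reading of new-->old are assumptions of the example.

```python
"""Issuer-DN equivalence for certificate auto update (added example, not nevisIDM code)."""
from typing import Dict, List, Optional


def normalize_dn(dn: str) -> str:
    """Canonical form so that 'CN=X, O=Y' and 'cn=X,o=Y' compare equal.

    Attribute types are upper-cased and whitespace around ',' and '=' is
    dropped; values are kept as-is. Assumption: no escaped ',' in values.
    """
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().upper()}={value.strip()}")
    return ",".join(rdns)


def parse_issuer_dn_update_list(value: Optional[str]) -> Dict[str, str]:
    """Parse '<new issuerDN>--><old issuerDN>' pairs separated by '|'.

    Returns a mapping new issuerDN -> old issuerDN (both normalised).
    """
    mapping: Dict[str, str] = {}
    if not value:
        return mapping  # default: empty, no equivalences
    for pair in value.split("|"):
        if not pair.strip():
            continue
        if "-->" not in pair:
            raise ValueError(f"issuerDNUpdateList entry without '-->': {pair!r}")
        new_dn, old_dn = pair.split("-->", 1)
        mapping[normalize_dn(new_dn)] = normalize_dn(old_dn)
    return mapping


def find_credential_to_replace(new_issuer_dn: str, new_subject_dn: str,
                               existing: List[dict], mapping: Dict[str, str],
                               auto_update: bool = True) -> Optional[str]:
    """Return the id of the existing credential the new certificate replaces,
    or None when autoUpdate is false or nothing matches.

    The mapping is directional: a certificate from the new CA replaces a
    credential from the old CA, not the other way round.
    """
    if not auto_update:
        return None
    new_issuer = normalize_dn(new_issuer_dn)
    subject = normalize_dn(new_subject_dn)
    equivalent_issuers = {new_issuer}
    if new_issuer in mapping:
        equivalent_issuers.add(mapping[new_issuer])
    for cred in existing:
        if (normalize_dn(cred["issuer"]) in equivalent_issuers
                and normalize_dn(cred["subject"]) == subject):
            return cred["id"]
    return None


if __name__ == "__main__":
    # Constructed sample: the page's own example pair and two stored credentials.
    pairs = "CN=NewCA, O=Nevis Security AG, C=ch-->CN=OldCA, O=Nevis Security AG, C=ch"
    mapping = parse_issuer_dn_update_list(pairs)
    stored = [
        {"id": "cred-1", "issuer": "cn=OldCA, o=Nevis Security AG, c=ch", "subject": "CN=alice, O=Example"},
        {"id": "cred-2", "issuer": "CN=OldCA, O=Nevis Security AG, C=ch", "subject": "CN=bob, O=Example"},
    ]
    print(find_credential_to_replace("CN=NewCA, O=Nevis Security AG, C=ch",
                                     "CN=alice,O=Example", stored, mapping))
```

A practitioner's caveat: because the match is on issuer and subject only, the auto update replaces the stored credential as soon as a certificate with those names passes the upload checks, so the list should name only the CA you really trust as the successor of the old one.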
sendWarningWhenCloseToExpiration
- Data type: boolean
- Default: false
- Description: Defines whether the UpdateCredentialStateJob should trigger a CertificateExpirationWarning communication event when closeToExpirationThreshold is reached.
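The following added example (written for this page, not nevisIDM code) shows the selection that closeToExpirationThreshold and sendWarningWhenCloseToExpiration describe: the job picks certificates whose expiry date falls on exactly the one calendar day that lies threshold days ahead, the whole day from 00:00 to 23:59, and only emits events when the warning flag is true. The credential records and function names are constructed for the example.

```python
"""Expiration warning selection for UpdateCredentialStateJob (added example, not nevisIDM code)."""
from datetime import date, datetime, timedelta
from typing import List


def warning_due(not_after: datetime, today: date, threshold_days: int) -> bool:
    """True when the certificate expires on the calendar day exactly
    threshold_days after today. The whole day counts (00:00 to 23:59);
    certificates expiring earlier or later are not selected on this run."""
    return not_after.date() == today + timedelta(days=threshold_days)


def certificates_to_warn(credentials: List[dict], today: date, *,
                         close_to_expiration_threshold: int = 10,
                         send_warning_when_close_to_expiration: bool = False) -> List[str]:
    """Ids of the credentials for which a CertificateExpirationWarning
    communication event would be triggered on the given day.

    Defaults mirror the policy defaults on the page (10 days, warning off)."""
    if not send_warning_when_close_to_expiration:
        return []  # flag is false by default: the job raises no warning events
    return [c["id"] for c in credentials
            if warning_due(c["not_after"], today, close_to_expiration_threshold)]


# Constructed sample data: today is 2024-03-01 and the threshold is 2 days,
# so only certificates expiring on 2024-03-03 are affected (the page's example).
SAMPLE_TODAY = date(2024, 3, 1)
SAMPLE_CREDENTIALS = [
    {"id": "cred-a", "not_after": datetime(2024, 3, 3, 0, 0)},    # start of target day
    {"id": "cred-b", "not_after": datetime(2024, 3, 3, 23, 59)},  # end of target day
    {"id": "cred-c", "not_after": datetime(2024, 3, 2, 12, 0)},   # tomorrow: too early
    {"id": "cred-d", "not_after": datetime(2024, 3, 4, 0, 0)},    # too late
]

if __name__ == "__main__":
    print(certificates_to_warn(SAMPLE_CREDENTIALS, SAMPLE_TODAY,
                               close_to_expiration_threshold=2,
                               send_warning_when_close_to_expiration=True))
```

Two points worth checking in a deployment: a certificate is matched on a single day rather than on every day within the threshold, so a job that does not run on that day misses the warning; and the page does not state which time zone defines the 00:00 to 23:59 window, while the notAfter in the certificate is in UTC, so the example compares dates as given and treats the zone as an assumption.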
ticketTriggering
- Data type: boolean
- Default: false
- Description: If true, the creation of an empty certificate automatically triggers the creation of a new ticket (including sending of a ticket e-mail). This policy parameter applies only to certificates created via web services.