Certificate - policy parameters
This table lists the policy parameters specific to certificates.
In addition to the policy parameters defined in this table, the policy parameters defined in the table in the chapter All credential types also apply to certificate credentials.
Name | Data Type, Values | Default | Description |
---|---|---|---|
allowCertificateUpload | Data type: boolean | true | |
autoUpdate | Data type: boolean | true | If true, IdmX509State replaces existing credentials matching the same issuer and subject, considering the values in issuerDNUpdateList. |
certificateUploadAllowedIssuerCNList | Data type: string | null | List of issuer CNs that are checked before a certificate is uploaded. If the user's certificate was signed by one of the listed CNs, the certificate is set to ACTIVE; otherwise it remains DISABLED. In both cases the certificate is uploaded. Listed CNs can be separated by "\|", ";" or ",". Example: A\|B\|C, A;B;C or A,B,C. If the parameter is not set, the issuer CN check is skipped and does not influence the state of the credential. |
certificateUploadCheck | Values: "none", "tolerant", "strict" | "none" | Defines how certificates are checked during upload. none: no policy checks are performed and the certificate is uploaded with state ACTIVE. tolerant: the checks are performed, but on a policy violation the certificate is still uploaded; its state is set to DISABLED and the state change reason code is set to "policy-check-failed". strict: on a policy violation the upload is aborted. strict is the recommended setting whenever validation is required, because only valid certificates are then stored in nevisIDM, which increases data quality. |
certificateUploadCheckSubjectDNElements | Data type: String | null | Comma-separated list of elements that must be present in the subject DN. The elements are given as configuration variables. Example: certificateUploadCheckSubjectDNElements=USER_NAME,CRED_PROP_PROPERTYNAME. If the subject DN does not contain all listed elements, the check fails and the outcome of the upload depends on the value of "certificateUploadCheck": with "strict", the upload is aborted; with "tolerant", the certificate is uploaded with state DISABLED; if "certificateUploadCheck" is not set in the policy (or set to "none"), the check is skipped and the certificate is uploaded with state ACTIVE. |
closeToExpirationThreshold | Data type: int (days) | 10 | Number of days before the actual expiry date at which the UpdateCredentialStateJob triggers communication events. Example: if set to 2, all certificates that expire the day after tomorrow (between 00:00 and 23:59) are affected. |
issuerDNUpdateList | Data type: String | empty | Defines which issuer DNs are considered equivalent when performing a certificate auto update; can be used to migrate from an obsolete CA to a new one. The list contains pairs of issuer DNs separated by "\|". A pair has the form `<new issuerDN>--><old issuerDN>`, meaning that the new issuer DN is treated as equivalent to the old issuer DN during a certificate auto update. Example: `CN=NewCA, O=Nevis Security AG, C=ch-->CN=OldCA, O=Nevis Security AG, C=ch` |
sendWarningWhenCloseToExpiration | Data type: boolean | false | Defines whether the UpdateCredentialStateJob triggers a CertificateExpirationWarning communication event when closeToExpirationThreshold is reached. |
ticketTriggering | Data type: boolean | false | If true, the creation of an empty certificate automatically triggers the creation of a new ticket (incl. sending of a ticket e-mail). This policy variable applies only for certificates created via web services. |
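As an added worked example (not nevisIDM's own code), the following Python script models the decision logic the parameters above describe: the issuer CN allow-list, the three certificateUploadCheck modes combined with certificateUploadCheckSubjectDNElements, the issuerDNUpdateList equivalence used by autoUpdate, and the closeToExpirationThreshold day window gated by sendWarningWhenCloseToExpiration. The function names, the `resolved` dict that maps configuration variables such as USER_NAME to their values, and the reason code `issuer-cn-not-allowed` are assumptions of this example (the page does not say how the variables resolve or which reason code the issuer check uses); the sample policy and DNs are constructed.

```python
"""Added example (not nevisIDM code): models the certificate policy semantics
described in the table above using constructed sample data. How the
configuration variables in certificateUploadCheckSubjectDNElements resolve to
concrete values is not shown on the page; here the caller passes a dict
(an assumption of this example), and the issuer-CN reason code is assumed."""
import re
from datetime import date, timedelta

# certificateUploadAllowedIssuerCNList accepts "|", ";" or "," as separator.
SEPARATORS = re.compile(r"[|;,]")


def parse_cn_list(value):
    """'A|B;C,D' -> ['A', 'B', 'C', 'D']; None or '' -> []."""
    if not value:
        return []
    return [s.strip() for s in SEPARATORS.split(value) if s.strip()]


def dn_attr(dn, attr):
    """Value of the first RDN named `attr` in a DN like 'CN=x, O=y', else None."""
    for rdn in dn.split(","):
        key, _, val = rdn.strip().partition("=")
        if key.strip().upper() == attr.upper():
            return val.strip()
    return None


def dn_values(dn):
    """Set of all attribute values in the DN (used for the element check)."""
    values = set()
    for rdn in dn.split(","):
        _, sep, val = rdn.strip().partition("=")
        if sep:
            values.add(val.strip())
    return values


def upload_decision(policy, issuer_dn, subject_dn, resolved):
    """Return (uploaded, state, reason) for an uploaded certificate.

    `resolved` maps configuration-variable names (USER_NAME, ...) to the
    values expected in the subject DN for this user (assumption, see above).
    """
    state, reason = "ACTIVE", None

    # Issuer CN allow-list: applied whenever set, never blocks the upload.
    allowed = parse_cn_list(policy.get("certificateUploadAllowedIssuerCNList"))
    if allowed and dn_attr(issuer_dn, "CN") not in allowed:
        state, reason = "DISABLED", "issuer-cn-not-allowed"  # reason code assumed

    # Subject DN element check: only runs when certificateUploadCheck != none.
    mode = policy.get("certificateUploadCheck", "none")
    required = parse_cn_list(policy.get("certificateUploadCheckSubjectDNElements"))
    if mode != "none" and required:
        present = dn_values(subject_dn)
        missing = [e for e in required if resolved.get(e) not in present]
        if missing and mode == "strict":
            return False, None, "policy-check-failed"   # upload aborted
        if missing:                                     # tolerant
            state, reason = "DISABLED", "policy-check-failed"
    return True, state, reason


def parse_issuer_update_list(value):
    """'NEW-->OLD|NEW2-->OLD2' -> {NEW: {OLD}, NEW2: {OLD2}}."""
    mapping = {}
    for pair in (value or "").split("|"):
        if "-->" in pair:
            new, old = (s.strip() for s in pair.split("-->", 1))
            mapping.setdefault(new, set()).add(old)
    return mapping


def auto_update_replaces(policy, new_issuer, new_subject, old_issuer, old_subject):
    """True if autoUpdate would replace the existing credential with the new one."""
    if not policy.get("autoUpdate", True) or new_subject != old_subject:
        return False
    if new_issuer == old_issuer:
        return True
    equivalents = parse_issuer_update_list(policy.get("issuerDNUpdateList"))
    return old_issuer in equivalents.get(new_issuer, set())


def expiration_warning_due(policy, not_after, today):
    """True on the one day the job would raise CertificateExpirationWarning."""
    if not policy.get("sendWarningWhenCloseToExpiration", False):
        return False
    threshold = int(policy.get("closeToExpirationThreshold", 10))
    return not_after == today + timedelta(days=threshold)


if __name__ == "__main__":
    # Constructed sample policy and certificate data.
    policy = {
        "certificateUploadAllowedIssuerCNList": "NewCA|OldCA",
        "certificateUploadCheck": "strict",
        "certificateUploadCheckSubjectDNElements": "USER_NAME,CRED_PROP_PROPERTYNAME",
        "issuerDNUpdateList": "CN=NewCA, O=Nevis Security AG, C=ch-->CN=OldCA, O=Nevis Security AG, C=ch",
        "sendWarningWhenCloseToExpiration": True,
        "closeToExpirationThreshold": 2,
    }
    resolved = {"USER_NAME": "jdoe", "CRED_PROP_PROPERTYNAME": "emp-4711"}
    issuer = "CN=NewCA, O=Nevis Security AG, C=ch"
    print(upload_decision(policy, issuer, "CN=jdoe, OU=emp-4711, O=Example", resolved))
    print(upload_decision(policy, issuer, "CN=jdoe, O=Example", resolved))
    print(expiration_warning_due(policy, date(2024, 3, 3), date(2024, 3, 1)))
```

Running the script shows the strict mode difference directly: the first upload is accepted as ACTIVE, the second (subject DN lacking the resolved CRED_PROP_PROPERTYNAME value) is rejected, while switching the policy to "tolerant" would store it as DISABLED with reason "policy-check-failed". The issuer CN list is evaluated independently of certificateUploadCheck, which is why a certificate from an unlisted CA is still uploaded, only in state DISABLED.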