Creating the Device Policy for Keyfactor EJBCA Certificates

This section illustrates how to create a device policy that issues Keyfactor EJBCA certificates onto the user’s device. For more information about creating a device policy, refer to Creating a Device Policy.

To create a device policy, perform the following tasks:

Log on to the ActivID CMS Operator Portal with an ActivID CMS Administrator certificate.
Click the Configuration tab, and then click Policies.
Depending upon the PKI applications to be used, add a new device policy.
Click Next, and then add the corresponding PKI applications.
Click the Configure button associated with the PKI application to display the Device Policy - Set Application Information page:
In the Friendly Name field, enter a valid, descriptive name for the certificate used for the device policy.
In the Provider drop-down menu, select Keyfactor EJBCA.
In the Certificate Authority drop-down menu, select a Certificate Authority host name.
Depending on the Provisioning Method selected, the fields vary. Perform the appropriate tasks based on your selection.
- Provisioning Method set to Create Credential
  
  Note: Selecting the Create Credential option is the equivalent of setting the former Recover Application option (available in previous ActivID CMS versions) to No.
  1. For Template, select the template corresponding to the PKI application (for example, one of the four available PIV templates).
    
    Note: The End-Entity profile / Certificate profile pair (separated by a colon) is used as a full template name (see End Entity and Certificate Profiles for details).
  2. Click Submit.
  3. Verify that the required fields contain appropriate information.
  4. Click Set.
- Provisioning Method set to Recover Credential
  Note:
  - Selecting the Recover Credential option is the equivalent of setting the former Recover Application option (available in previous ActivID CMS versions) to Yes.
  - If you select Recover Credential for the Provisioning Method, the Recovery Mode options become available.
  1. Select and configure either ActivID CMS Managed or CA Managed mode according to the location of the credential to recover:
    
    Note: To avoid any inconsistent behavior, do not mix “ActivID CMS Managed” and “CA Managed” applications from the same CA in the same device policy.
    - ActivID CMS Managed
      
      This is the usual ActivID CMS recovery mode (for standard replacement, applications update and re-issuance operations) where the credential to recover is present in the ActivID CMS system.
      - Application to Recover drop-down list—Select the application you want to recover from the original device (this means that credentials on this PKI slot contain a certificate template that escrows credentials).
      - Revoke for Replacement option—Select this option if you want to revoke credentials when a device replacement request is executed.
        
        Note: The ActivID CMS Managed option is not available for mobile app certificate device policies.
    - CA Managed
      
      This is the mode where the credential to recover is NOT present in the ActivID CMS system but is on an external CA selected as the Provider (in this case, Keyfactor EJBCA).
      
      The selected Certificate Authority (in this case, EJAB) must provide at least one credential profile template with the “usage” information set to “ExternalKeyRecovery”.
      
      The Template list contains the templates with the “usage” set to ExternalKeyRecovery.
  1. Optionally, in the Friendly Name Configuration section, enter the values in the User Name Prefix and User Name Suffix fields.
  2. Set the Revocation Settings — By default, the credentials are revoked for all the listed states of the device (terminated, damaged, expired, updated, re-issued). You can clear the check box(es) to indicate any state(s) for which you do not want to revoke the credentials. For example, if you clear the Damaged check box, the credentials in a device in the Damaged state will not be revoked.
  3. Click Submit.

Click Save.