About Certificate ProfilesChapter 10 Certificate Profiles 433inputs using the CMS SDK. The inputs provide a certificate request field that canbe added to any of the forms so that certificate requests can be pasted into thisfield, allowing a request to be created outside the input form with any of therequest information you need.An output specifies how the response page to a successful enrollment is presented.It usually displays the certificate in a user-readable format. A single output hasbeen created that shows the pretty print version of the resultant certificate. You cancreate other outputs using the CMS SDK.How Certificate Profiles WorkAn administrator sets up a certificate profile by associating an existingauthentication plug-in, or method, with the certificate profile, enabling andconfiguring defaults and constraints, and defining inputs and outputs. Theadministrator can use the existing certificate profiles, modify the existing certificateprofiles, create new certificate profiles, and delete any certificate profile that willnot be used in this PKI.Once a certificate profile is set up, it appears on the Manage Certificate Profilespage of the agent services interface where an agent can approve, and thus enable acertificate profile. Once the certificate profile is enabled, it will appear on theCertificate Profile tab of the end-entity interface where end-entity can enroll for acertificate using the certificate profile.The Certificate Profile enrollment page contains links to each type of certificateprofile enrollment that has been enabled by the agents. When an end entity selectsone of those links, an enrollment page appears containing an enrollment formspecific to that certificate profile. The enrollment page for this certificate profile inthe end-entity interface is dynamically generated from the inputs defined for thiscertificate profile. If an authentication plug-in is configured, additional fields maybe added that are needed to authenticate the user with that authentication method.When the end entity submits a certificate profile request that is associated with anagent-approved (manual) enrollment, an enrollment where no authenticationplug-in is configured, the certificate request is queued in the agent servicesinterface under a certificate profile enrollment, showing that it is different from theold enrollment method. The agent can change some aspects of the enrollment,request, validate it, cancel it, reject it, update it, or approve it. The agent can ableupdate the request without submitting it or validate that the request adheres to theprofile’s defaults and constraints. This validation procedure is only for verificationand does not result in the request being submitted. The agent is bound by theconstraints set up; they cannot change the request in such a way that a constraint isviolated. The signed approval is immediately processed and a certificate is issued.
