- Methods of Certificate Issuance
- Certificate Delivery
- Certificate Revocation
- Certificate Renewal
- To create a credential provider using discretionary CA entities
- To create a credential provider using external PKI entities
Configuring a Credential Provider varies mostly according to which issuing entity and which issuing method are selected for it. You can distinguish between Credential Providers using an internal entity, such as discretionary, and those using an external entity, such as Microsoft CA or GPKI.
This task shows you how to create a discretionary entity. The issuing method for a discretionary entity is always sign, meaning that with each issuing operation, Device Manager will sign a new key pair with the CA certificate selected for the entity. Whether the key pair is generated on the device or on the server depends on the selected distribution method.
The second element on this tab is the configuration of certificate delivery. If you have defined RA certificates at the entity level, they will be filled in by default here, but you can change them if you wish (note that the constraints on RA certificates still apply).
You can then select the delivery mode for certificates obtained from this entity. If you select the Prefer centralized delivery mode, RA certificates are optional; otherwise, they’re mandatory.
To have notifications sent for either case, simply specify a Notification Template for the appropriate event type. The event type for the former is Certificate is renewed; for the latter, Certificate will expire. Device Manager will create default Notification Templates for both these event types, but you can modify them or create new ones.
Note that renewal takes precedence over notification before renewal. That is, if at a given moment Device Manager determines that a certificate must be renewed, it will not also send a notification before renewal (instead, the notification on renewal, if one is configured, will be used). If you absolutely need both to be sent, configure a greater period for the notification before renewal than for the renewal itself. A notification before renewal will be sent at most once for a given certificate.
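The precedence rule above, modelled as an added example (not Device Manager code) so you can check whether a given pair of periods will ever produce both notifications. It assumes both periods are expressed in days before expiry and that certificates are evaluated at a fixed interval; all class, function and parameter names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    renew_before_days: int          # assumed: renewal period, days before expiry
    notify_before_days: int         # assumed: notification-before-renewal period
    renewed_template: bool = True   # a template is set for "Certificate is renewed"
    expiring_template: bool = True  # a template is set for "Certificate will expire"


def evaluate(policy, days_left, already_notified):
    """One evaluation pass for one certificate: returns (action, notification)."""
    if days_left <= policy.renew_before_days:
        # Renewal takes precedence: no "will expire" notification in this pass.
        note = "Certificate is renewed" if policy.renewed_template else None
        return "renew", note
    if (days_left <= policy.notify_before_days
            and policy.expiring_template
            and not already_notified):
        return "none", "Certificate will expire"
    return "none", None


def simulate(policy, lifetime_days, check_every_days=1):
    """Walk one certificate towards expiry; return [(days_left, event), ...]."""
    sent, notified = [], False
    for days_left in range(lifetime_days, -1, -check_every_days):
        action, note = evaluate(policy, days_left, notified)
        if note:
            sent.append((days_left, note))
            # The notification before renewal is sent at most once per certificate.
            notified = notified or note == "Certificate will expire"
        if action == "renew":
            break
    return sent


if __name__ == "__main__":
    # Constructed sample policies: equal periods versus a greater notification period.
    for policy in (Policy(30, 30), Policy(30, 45)):
        print(policy.renew_before_days, policy.notify_before_days,
              simulate(policy, lifetime_days=90))
```

With equal periods only the renewal notification is sent; the notification before renewal appears only when its period is greater than the renewal period and an evaluation actually falls inside the gap between the two.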