What Is a Certificate Profile?
Every Certificate Authority (CA) has a certificate profile that defines which information is stored in which fields of the certificate: which fields are required, which are optional, the allowed values of some fields, and so on. The information X-Road needs must be present in the certificates, but the fields it is stored in may vary between CAs. X-Road requires the following information to be present in the certificates:
instance identifier
member class
member code.
X-Road supports multiple certificate profiles, but adding support for a new profile requires code changes and a new software release. Profiles are usually country-specific and include a hard-coded country code.
X-Road ships with a basic certificate profile implementation that contains no hard-coded country code and is therefore not tied to any specific country. The basic profile (source code) is a good way to get started with X-Road. It is taken into use by entering the following class name as the CertificateProfileInfo value on the Central Server:
ee.ria.xroad.common.certificateprofile.impl.BasicCertificateProfileInfoProvider
Certificate Profile Info Provider
A certificate profile info provider is a Java class that knows how to write the information X-Road requires into a certificate signing request and how to read it back from a certificate. The class must implement the CertificateProfileInfoProvider interface, which has methods for:
Storing the required information (what both X-Road and the CA require) in a CSR when a new certificate request is generated.
Parsing instance identifier, member class and member code from a certificate.
Technically, X-Road requires the instance identifier, member class and member code to be present in the sign certificate only; X-Road does not read any values from the authentication certificate.
Example
The certificate profile used in Finland:
Sign cert:
C=<country code>
O=<organization name>
serialNumber=<instanceIdentifier>/<serverCode>/<memberClass>
CN=<organization business id>
Authentication cert:
C=<country code>
O=<organization name>
serialNumber=<instanceIdentifier>/<serverCode>/<memberClass>
CN=<security server FQDN>
X-Road requires the instance identifier, member class and member code to be present in the sign cert.
Which fields are used, and how the information is laid out in them, follows from the CA's requirements.
The C, O and CN fields are the CA's standard requirements for all certificates.
For the sign certificate, the serialNumber field stores the mandatory information that has no standard field of its own: the instance identifier and member class, while the member code is the business id in CN. The server code is included to make each sign certificate unique (a CA requirement) and to identify the server that uses the certificate.
For the auth certificate, serialNumber is there to make it easy to see which server the certificate is associated with. However, X-Road does not use any of the information stored in the auth certificate.
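The following is an added example, not X-Road project code, that models in Python the two jobs a certificate profile info provider does for the Finnish layout shown above: building the subject DN that goes into the sign and auth CSRs, and parsing the instance identifier, member class and member code back out of a sign certificate subject. A real provider is a Java class implementing CertificateProfileInfoProvider and works on X509Certificate objects; here the subject is handled as an RFC 4514 string so the example runs stand-alone. The class, function and helper names (SecurityServerId, ClientId, parse_dn, sign_cert_subject, auth_cert_subject, client_id_from_sign_cert, rejects) and the sample identifiers are this example's own assumptions.

```python
# Added example, not X-Road project code: a model of the two jobs of a certificate
# profile info provider, using the Finnish subject layout above. Subjects are RFC 4514
# strings here (a real provider is a Java class working on X509Certificate objects);
# the sample identifiers and helper names are this example's own.
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityServerId:
    instance: str      # X-Road instance identifier, e.g. "FI"
    member_class: str  # e.g. "GOV"
    member_code: str   # the member's business id in the Finnish profile
    server_code: str   # e.g. "SS1"


@dataclass(frozen=True)
class ClientId:
    instance: str
    member_class: str
    member_code: str


def _escape(value: str) -> str:
    """Escape RFC 4514 specials so an O name with a comma cannot smuggle in an extra RDN."""
    return "".join("\\" + ch if ch in ',+"\\<>;=' else ch for ch in value)


def parse_dn(dn: str) -> dict:
    """RFC 4514 DN -> {attribute: value}, honouring backslash escapes. Duplicate
    attributes are an error: two CN values would make the member identity ambiguous."""
    attrs, key, buf, escaped = {}, None, [], False
    for ch in dn + ",":
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and key is None:
            key, buf = "".join(buf).strip(), []
        elif ch == ",":
            if key is None or key in attrs:
                raise ValueError("missing '=' or duplicate attribute in %r" % dn)
            attrs[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(ch)
    if escaped or key is not None:
        raise ValueError("unterminated DN: %r" % dn)
    return attrs


def _serial_number(server: SecurityServerId) -> str:
    """<instance>/<serverCode>/<memberClass>; refuse parts that would not split back."""
    parts = (server.instance, server.server_code, server.member_class)
    if not all(parts) or any("/" in p for p in parts):
        raise ValueError("bad serialNumber parts: %r" % (parts,))
    return "/".join(parts)


def _subject(server: SecurityServerId, org_name: str, country: str, cn: str) -> str:
    if not cn:
        raise ValueError("CN must not be empty")
    return "C=%s,O=%s,serialNumber=%s,CN=%s" % tuple(
        _escape(v) for v in (country, org_name, _serial_number(server), cn))


def sign_cert_subject(server: SecurityServerId, org_name: str, country: str) -> str:
    """Sign cert CSR subject: CN carries the member code X-Road needs."""
    return _subject(server, org_name, country, server.member_code)


def auth_cert_subject(server: SecurityServerId, org_name: str, country: str, fqdn: str) -> str:
    """Auth cert CSR subject: CN is the server FQDN. X-Road reads no identity from
    this cert, which is why there is no auth-cert counterpart of the parser below."""
    return _subject(server, org_name, country, fqdn)


def client_id_from_sign_cert(subject_dn: str) -> ClientId:
    """Recover the ClientId from a sign cert subject. Strict on purpose: this value
    decides which member the certificate speaks for, so malformed input is an error."""
    attrs = parse_dn(subject_dn)
    if any(f not in attrs for f in ("C", "O", "serialNumber", "CN")):
        raise ValueError("sign cert subject lacks C, O, serialNumber or CN: %r" % subject_dn)
    parts = attrs["serialNumber"].split("/")
    if len(parts) != 3 or not all(parts) or not attrs["CN"]:
        raise ValueError("expected serialNumber=<instance>/<serverCode>/<memberClass> "
                         "and a non-empty CN, got %r" % subject_dn)
    return ClientId(instance=parts[0], member_class=parts[2], member_code=attrs["CN"])


def rejects(subject_dn: str) -> bool:
    """True if client_id_from_sign_cert refuses the subject."""
    try:
        client_id_from_sign_cert(subject_dn)
    except ValueError:
        return True
    return False
```

For a constructed server SecurityServerId("FI", "GOV", "1234567-8", "SS1") and organization "Acme, Inc.", sign_cert_subject produces C=FI,O=Acme\, Inc.,serialNumber=FI/SS1/GOV,CN=1234567-8, and client_id_from_sign_cert turns that back into ClientId("FI", "GOV", "1234567-8"). The parser deliberately refuses a subject with a missing field, a serialNumber with the wrong number of parts, an empty CN, or a duplicated attribute, because the parsed value is what binds a certificate to a member; the same strictness is why no auth-cert parser exists in the model, matching the page's note that X-Road reads nothing from the authentication certificate.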
Java classes that implement the profile:
New certificate profile implementations can be submitted to the X-Road source code repository as pull requests by following the contributing guidelines.