Export Certificate Data

Ellen Thoren - Versasec

Introduction

vSEC:CMS can be configured to export certificate data when life cycle operations are performed. This is useful when external systems must be updated with certificate-related information as life cycle tasks are carried out.

Configure Certificate Data Export

From Templates – Credential Templates, select the already configured credential template that you wish to use for this functionality and click the Edit button.

In the Issue credential section click the Edit button.

Select the certificate you want to extract data for in the Enroll Certificate Options section and click the Export button. Click the Manage button and click Add.

Note
Data can be exported either to a file or to an MS SQL table.

If the data is to be exported to a file, select File (Export to file) from the Target drop-down list and follow the instructions in this paragraph. Select the Write automatically to file option if the file should be written whenever a life cycle operation that is configured to export data is performed. Click the Format button to configure the file format and select the data to be exported. Delimited text, XML and JSON formats are currently supported, with either UTF-8 or UTF-16 encoding. The order in which the selected data entries are written to the export file can also be configured; use the Up and Down buttons to set the sequence of data variables. Click the Browse button to select the file that the application will write the data to. From the Permissions section it is possible to configure which operator roles are allowed to export the data. Click Save when complete.

Note
It is not possible to cache the data that is to be exported, so this option is disabled here.
Note
If the data export is configured to write to an XML file, special characters are handled differently: XML syntax reserves some characters for tags and attributes, so they cannot appear literally inside element content or attribute values. For these characters vSEC:CMS writes the numeric character reference defined in the XML standard instead of the character itself.
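The note above matters to whoever writes the consumer of the XML export: the file will contain numeric references such as &#38; and &#60; rather than the raw characters, and a conforming XML parser resolves them automatically. The following Python example is added here to illustrate that behaviour; it is not vSEC:CMS code. The variable names are the ones listed in this article, while the element layout (a <CertificateData> root holding <Field name="..."> elements) and the sample record are assumptions constructed for the example.

```python
"""Added example (not vSEC:CMS code): shows how an XML export that replaces
XML-reserved characters with numeric character references round-trips through
a standard parser. The variable names are from the article; the element layout
(<CertificateData> holding <Field name="..."> elements) is an assumption."""
import xml.etree.ElementTree as ET

# Characters XML reserves for markup; each is written as its numeric character
# reference from the XML standard instead of literally.
_NUMERIC_REFS = {"&": "&#38;", "<": "&#60;", ">": "&#62;", '"': "&#34;", "'": "&#39;"}

# Constructed record: issuer and subject names containing reserved characters.
SAMPLE_RECORD = {
    "UserEmail": "jane.doe@example.com",
    "DbCredentialsCertificatesIssuer": "CN=Issuing CA 01, O=Example & Sons, C=SE",
    "DbCredentialsCertificatesIssuedTo": 'CN="Doe, Jane", OU=R&D',
    "RevocationComment": "Key compromise <suspected>",
}


def numeric_escape(text: str) -> str:
    """Replace every XML-reserved character with its numeric character reference."""
    return "".join(_NUMERIC_REFS.get(ch, ch) for ch in text)


def write_export(record: dict, encoding: str = "UTF-8") -> bytes:
    """Serialise one record as an XML document in UTF-8 or UTF-16, escaping
    every name and value the way the article describes."""
    fields = "".join(
        f'  <Field name="{numeric_escape(name)}">{numeric_escape(value)}</Field>\n'
        for name, value in record.items()
    )
    doc = (f'<?xml version="1.0" encoding="{encoding}"?>\n'
           f"<CertificateData>\n{fields}</CertificateData>\n")
    return doc.encode(encoding)


def read_export(data: bytes) -> dict:
    """Parse an export file. A conforming parser resolves the numeric references
    back to the original characters, so a consumer must not un-escape again."""
    root = ET.fromstring(data)
    return {f.attrib["name"]: (f.text or "") for f in root.findall("Field")}
```

Running read_export over write_export(SAMPLE_RECORD) returns the original dictionary unchanged, for both UTF-8 and UTF-16 output. The point for an integration is that the escaping is part of the XML format only; a consumer that parses the file with an XML library gets the real issuer name back and must not apply a second round of un-escaping, while a consumer of the delimited text format should expect the raw characters.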

If the data is to be exported to an SQL table, select SQL (Export to SQL database) from the Target drop-down list and follow the instructions in this paragraph. Select the Write to database automatically option if the table should be written whenever a life cycle operation that is configured to export data is performed. Select the SQL database from the Database drop-down list. A connection to the SQL database that the data should be written to must already have been added from Options – Connections – SQL Database (see the article Using MS SQL with vSEC:CMS and follow the instructions in the section MS SQL Support for Export of vSEC:CMS Data). Click the Test button to verify that the connection to the database is functional. Click the Configure fields button to configure the mapping of vSEC:CMS variables to SQL database columns. Click the Get button to retrieve the available tables and, if more than one is available, select the table that the data should be exported to from the drop-down list. From the Variables table select an entry and click the Edit value button. Select All from the drop-down list and choose the variable that the column should be mapped to. If a static value is to be written to the table during export instead, enter the value in the Static field. From the Permissions section it is possible to configure which operator roles are allowed to export the data. Click Save when complete.

Note
It is not possible to cache the data that is to be exported, so this option is disabled here.

Once the data export has been configured, it must be enabled for each of the life cycle tasks where this is possible. From the credential template enable the Export certificate data option. Currently it is possible to enable this for the following life cycle tasks:

  • Issue
  • Initiate
  • Inactivate
  • Activate
  • Lock
  • Revoke
Note
For other CMS-related operations the data export is performed automatically and cannot be configured. These are certificate-related actions performed from the self-service application and from Actions – Certificate(s)/Keys.

The vSEC:CMS variables that can be exported are described in the table below.

CMS Variable Name: Description

UserEmail: The user's email address. This is retrieved from the AD mail attribute if an email address exists.
RevocationReasonStr: The revocation reason in string format, specific to MS CA as defined in the MS API. Exported when the managed credential token is revoked. See OCSP_BASIC_REVOKED_INFO as defined in the MS API header wincrypt.h.
RevocationReason: The revocation reason value (0 to 8), specific to MS CA as defined in the MS API. Exported when the managed credential token is revoked. See OCSP_BASIC_REVOKED_INFO as defined in the MS API header wincrypt.h.
RevocationComment: The revocation reason comment, if one was given. Exported when the managed credential token is revoked.
PivUuid: The UUID. Exported if the issued credential token is a PIV credential.
PivOrgAffiliation: The organization affiliation data. Exported if the issued credential token is a PIV credential.
PivNameLast: The last name of the user. Exported if the issued credential token is a PIV credential.
PivNameFirst: The first name of the user. Exported if the issued credential token is a PIV credential.
PivFascn: The FASCN data. Exported if the issued credential token is a PIV credential.
PivEmployeeAffiliation: The employee affiliation data. Exported if the issued credential token is a PIV credential.
OperatorName: The name of the operator who performed the operation.
OperatorDn: The DN of the operator who performed the operation.
DbCredentialsTemplateName: The name of the credential template that was used.
DbCredentialsTemplate: The internal vSEC:CMS ID of the credential template that was used.
DbCredentialsStatusStr: The current status of the managed credential in string format.
DbCredentialsStatus: The internal vSEC:CMS ID of the credential status.
DbCredentialsRfidWiegandCode: The Wiegand code used if RFID encoding is configured as part of the credential template life cycle management.
DbCredentialsRfidWiegandCredentialId: The Wiegand code ID if RFID encoding is configured as part of the credential template life cycle management.
DbCredentialsRfidCsnHexRev: The RFID CSN HEX-encoded value, reversed, as set on the managed token.
DbCredentialsRfidCsnHex: The RFID CSN HEX-encoded value as set on the managed token.
DbCredentialsRfidCsnDecRev: The RFID CSN DEC-encoded value, reversed, as set on the managed token.
DbCredentialsRfidCsnDec: The RFID CSN DEC-encoded value as set on the managed token.
DbCredentialsRfidCsn: The RFID CSN encoding value as set on the managed token.
DbCredentialsOtpTokenId: The internal vSEC:CMS ID of the operator token that performed the operation.
DbCredentialsIdGuid: The GUID of the user to whom the managed credential token is issued.
DbCredentialsIdDn: The DN of the user to whom the managed credential token is issued.
DbCredentialsExpireStr: The date when the certificate will expire, in string format.
DbCredentialsExpiresInDays: The number of days that the certificate is valid for.
DbCredentialsExpire: The number of days that the certificate is valid for, in decimal format.
DbCredentialsDeviceId: The device ID of the device that the credential token was issued on.
DbCredentialsCsn: The CSN of the token that the life cycle operation was performed on.
DbCredentialsCertificatesValidToStr: The date when the certificate will expire, in string format.
DbCredentialsCertificatesValidTo: The date when the certificate will expire, in decimal format.
DbCredentialsCertificatesValidFromStr: The date that the certificate is valid from, in string format.
DbCredentialsCertificatesValidFrom: The date that the certificate is valid from, in decimal format.
DbCredentialsCertificatesTemplateName: The CA connection template name used when performing the life cycle operation.
DbCredentialsCertificatesTemplate: The internal vSEC:CMS ID of the CA connection template used when performing the life cycle operation.
DbCredentialsCertificatesSerialRev: The certificate serial number in reverse order.
DbCredentialsCertificatesSerial: The certificate serial number.
DbCredentialsCertificatesIssuerRev: The issuer name in reverse order.
DbCredentialsCertificatesIssuer: The issuer name.
DbCredentialsCertificatesIssuedToRev: The name of the user the certificate was issued to, in reverse order.
DbCredentialsCertificatesIssuedTo: The name of the user the certificate was issued to.
DbCredentialsCertificatesHashRev: The hash of the issued certificate in reverse order.
DbCredentialsCertificatesHash: The hash of the issued certificate.
DbCredentialsCertificatesData: The base16 (HEX) encoded X.509 certificate data. The size of the encoded data depends on the size of the X.509 certificate. Note: the certificate data is not stored in the vSEC:CMS repository, so this data is only available when it is received from the CA at issuance time.
DbCredentialsCertificatesDataB64: The base64 encoded X.509 certificate data. The size of the encoded data depends on the size of the X.509 certificate. Note: the certificate data is not stored in the vSEC:CMS repository, so this data is only available when it is received from the CA at issuance time.
DbCredentialsAssignedStr: The date that the certificate was assigned to the user, in string format.
DbCredentialsAssigned: The date that the certificate was assigned to the user, in decimal format.
CurrentTimeStr: The time that the operation was performed, in string format.
CurrentTimeLong: The time that the operation was performed, in decimal format.
CredentialProcessId: The internal vSEC:CMS ID of the life cycle operation performed. See the Credential Process ID table below for a description of the IDs.
CredentialProcess: The name of the life cycle process performed.

Credential Process ID Table

ID: Description

1: A managed token is registered with the vSEC:CMS.
2: A managed token is unregistered with the vSEC:CMS.
3: A managed token had a credential update operation performed.
4: Internal system ID; not an exported value.
5: Internal system ID; not an exported value.
6: Internal system ID; not an exported value.
7: Internal system ID; not an exported value.
8: A managed token is issued with the vSEC:CMS.
9: A managed token is initiated with the vSEC:CMS.
10: A managed token is activated with the vSEC:CMS.
11: A managed token is inactivated with the vSEC:CMS.
12: A managed token is locked with the vSEC:CMS.
13: A managed token is unlocked with the vSEC:CMS.
14: A managed token is revoked with the vSEC:CMS.
15: A managed token is retired with the vSEC:CMS.
16: A managed token is deleted with the vSEC:CMS.
17: Internal system ID; not an exported value.
18: Internal system ID; not an exported value.
19: Internal system ID; not an exported value.
20: Internal system ID; not an exported value.
21: Internal system ID; not an exported value.
22: Internal system ID; not an exported value.
23: Internal system ID; not an exported value.
24: Internal system ID; not an exported value.
25: A managed token is reissued with the vSEC:CMS.
26: Internal system ID; not an exported value.
27: A managed token has its certificate deleted from Actions – Certificate/Keys with the vSEC:CMS.
28: A managed token has a new certificate issued from Actions – Certificate/Keys with the vSEC:CMS.
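An external system that acts on these exports (for example, a physical access control or identity system that disables access when a credential is revoked) should sanity-check each record against the two tables above before trusting it. The Python example below is added here for that purpose and is not vSEC:CMS code. The variable names and the Credential Process ID meanings are taken from this article; the record layout (one flat JSON object per life cycle event), the assumption that numbers may arrive as JSON numbers or as strings, and all sample values, including the DER-shaped byte string standing in for certificate data, are constructed for the example.

```python
"""Added example (not vSEC:CMS code): checks an external system can run on an
exported JSON record before acting on it. The variable names and the Credential
Process ID meanings come from the article; the record layout (one flat JSON
object per event) and all sample values are constructed assumptions."""
import base64
import json

# Process IDs the article lists as exported life cycle events. Every other ID
# (4-7, 17-24, 26) is an internal system ID that should never reach an export.
EXPORTED_PROCESS_IDS = {
    1: "registered", 2: "unregistered", 3: "credential update", 8: "issued",
    9: "initiated", 10: "activated", 11: "inactivated", 12: "locked",
    13: "unlocked", 14: "revoked", 15: "retired", 16: "deleted",
    25: "reissued", 27: "certificate deleted (Actions - Certificate/Keys)",
    28: "certificate issued (Actions - Certificate/Keys)",
}

# Constructed stand-in for DER certificate bytes: a SEQUENCE of two INTEGERs,
# enough to exercise the base16/base64 consistency check; not a real X.509 cert.
_SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x07])

# Constructed sample records in the shape an Issue and a Revoke export might take.
SAMPLE_ISSUE_JSON = json.dumps({
    "CredentialProcessId": 8, "CredentialProcess": "Issue",
    "OperatorName": "cms-operator", "UserEmail": "jane.doe@example.com",
    "DbCredentialsCertificatesSerial": "1A2B3C",
    "DbCredentialsCertificatesData": _SAMPLE_DER.hex().upper(),
    "DbCredentialsCertificatesDataB64": base64.b64encode(_SAMPLE_DER).decode(),
})
SAMPLE_REVOKE_JSON = json.dumps({
    "CredentialProcessId": "14", "CredentialProcess": "Revoke",
    "RevocationReason": "1", "RevocationComment": "reported lost",
    # Certificate data is only available at issuance time, so it is absent here.
})
SAMPLE_BAD_JSON = json.dumps({
    "CredentialProcessId": 4,            # internal ID, never exported
    "RevocationReason": 9,               # outside the MS CA range 0..8
    "DbCredentialsCertificatesData": _SAMPLE_DER.hex().upper(),
    "DbCredentialsCertificatesDataB64": base64.b64encode(b"\x30\x00").decode(),
})


def _as_int(value):
    """Exports may carry numbers as JSON numbers or as strings; accept both."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def validate_record(rec: dict) -> list:
    """Return the list of problems found; an empty list means the record is usable."""
    problems = []
    pid = _as_int(rec.get("CredentialProcessId"))
    if pid not in EXPORTED_PROCESS_IDS:
        problems.append(f"CredentialProcessId {rec.get('CredentialProcessId')!r} is internal or unknown")
    if rec.get("RevocationReason") not in (None, ""):
        reason = _as_int(rec["RevocationReason"])
        if reason is None or not 0 <= reason <= 8:
            problems.append(f"RevocationReason {rec['RevocationReason']!r} is outside 0..8")
    hex_data = rec.get("DbCredentialsCertificatesData")
    b64_data = rec.get("DbCredentialsCertificatesDataB64")
    if hex_data and b64_data:
        try:
            der_hex = bytes.fromhex(hex_data)
            der_b64 = base64.b64decode(b64_data, validate=True)
        except ValueError as exc:          # binascii.Error is a ValueError
            problems.append(f"certificate data not decodable: {exc}")
        else:
            if der_hex != der_b64:
                problems.append("base16 and base64 certificate data differ")
            elif not der_hex.startswith(b"\x30"):
                problems.append("certificate data does not start with a DER SEQUENCE tag")
    return problems


def validate_json(text: str) -> list:
    """Parse one JSON export record and validate it."""
    return validate_record(json.loads(text))


def describe(text: str) -> str:
    """Human-readable summary of a record, e.g. for a ticket or audit log line."""
    rec = json.loads(text)
    pid = _as_int(rec.get("CredentialProcessId"))
    who = rec.get("OperatorName", "unknown operator")
    return f"{EXPORTED_PROCESS_IDS.get(pid, 'unknown')} by {who}"
```

validate_json returns an empty list for the constructed Issue and Revoke records and three findings for the bad one: an internal process ID, a revocation reason outside 0 to 8, and base16 and base64 certificate data that do not decode to the same bytes. Rejecting such records, rather than acting on them, keeps a malformed or partially written export from silently changing the state of the downstream system.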