From dfe9db55484339a8a9f2ce3bd057bd9702bb9579 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Fri, 17 Apr 2009 17:17:31 -0400
Subject: Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
---
install/share/Makefile.am | 1 +
install/share/caJarSigningCert.cfg.template | 88 +++++++++++++++++++++++++++++
2 files changed, 89 insertions(+)
create mode 100644 install/share/caJarSigningCert.cfg.template
(limited to 'install/share')
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 6ef43ba24..3a2ef87d5 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -10,6 +10,7 @@ app_DATA = \
 60basev2.ldif \
 60policyv2.ldif \
 bootstrap-template.ldif \
+ caJarSigningCert.cfg.template \
 default-aci.ldif \
 default-keytypes.ldif \
 kerberos.ldif \
diff --git a/install/share/caJarSigningCert.cfg.template b/install/share/caJarSigningCert.cfg.template
new file mode 100644
index 000000000..9f018553a
--- /dev/null
+++ b/install/share/caJarSigningCert.cfg.template
@@ -0,0 +1,88 @@
+desc=Jar Signing certificate to auto-configure Firefox
+enable=true
+enableBy=admin
+lastModified=1239836280692
+name=Manual Jar Signing Certificate Enrollment
+visible=true
+auth.class_id=
+auth.instance_id=raCertAuth
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=caJarSigningSet
+policyset.caJarSigningSet.list=1,2,3,6,7,9
+policyset.caJarSigningSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.caJarSigningSet.1.constraint.name=Subject Name Constraint
+policyset.caJarSigningSet.1.constraint.params.accept=true
+policyset.caJarSigningSet.1.constraint.params.pattern=.*
+policyset.caJarSigningSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.caJarSigningSet.1.default.name=Subject Name Default
+policyset.caJarSigningSet.1.default.params.name=
+policyset.caJarSigningSet.2.constraint.class_id=validityConstraintImpl
+policyset.caJarSigningSet.2.constraint.name=Validity Constraint
+policyset.caJarSigningSet.2.constraint.params.notAfterCheck=false
+policyset.caJarSigningSet.2.constraint.params.notBeforeCheck=false
+policyset.caJarSigningSet.2.constraint.params.range=2922
+policyset.caJarSigningSet.2.default.class_id=validityDefaultImpl
+policyset.caJarSigningSet.2.default.name=Validity Default
+policyset.caJarSigningSet.2.default.params.range=1461
+policyset.caJarSigningSet.2.default.params.startTime=60
+policyset.caJarSigningSet.3.constraint.class_id=keyConstraintImpl
+policyset.caJarSigningSet.3.constraint.name=Key Constraint
+policyset.caJarSigningSet.3.constraint.params.keyMaxLength=4096
+policyset.caJarSigningSet.3.constraint.params.keyMinLength=1024
+policyset.caJarSigningSet.3.constraint.params.keyType=-
+policyset.caJarSigningSet.3.default.class_id=userKeyDefaultImpl
+policyset.caJarSigningSet.3.default.name=Key Default
+policyset.caJarSigningSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.caJarSigningSet.6.constraint.name=Key Usage Extension Constraint
+policyset.caJarSigningSet.6.constraint.params.keyUsageCritical=-
+policyset.caJarSigningSet.6.constraint.params.keyUsageCrlSign=-
+policyset.caJarSigningSet.6.constraint.params.keyUsageDataEncipherment=-
+policyset.caJarSigningSet.6.constraint.params.keyUsageDecipherOnly=-
+policyset.caJarSigningSet.6.constraint.params.keyUsageDigitalSignature=-
+policyset.caJarSigningSet.6.constraint.params.keyUsageEncipherOnly=-
+policyset.caJarSigningSet.6.constraint.params.keyUsageKeyAgreement=-
+policyset.caJarSigningSet.6.constraint.params.keyUsageKeyCertSign=-
+policyset.caJarSigningSet.6.constraint.params.keyUsageKeyEncipherment=-
+policyset.caJarSigningSet.6.constraint.params.keyUsageNonRepudiation=-
+policyset.caJarSigningSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.caJarSigningSet.6.default.name=Key Usage Default
+policyset.caJarSigningSet.6.default.params.keyUsageCritical=true
+policyset.caJarSigningSet.6.default.params.keyUsageCrlSign=false
+policyset.caJarSigningSet.6.default.params.keyUsageDataEncipherment=false
+policyset.caJarSigningSet.6.default.params.keyUsageDecipherOnly=false
+policyset.caJarSigningSet.6.default.params.keyUsageDigitalSignature=true
+policyset.caJarSigningSet.6.default.params.keyUsageEncipherOnly=false
+policyset.caJarSigningSet.6.default.params.keyUsageKeyAgreement=false
+policyset.caJarSigningSet.6.default.params.keyUsageKeyCertSign=true
+policyset.caJarSigningSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.caJarSigningSet.6.default.params.keyUsageNonRepudiation=false
+policyset.caJarSigningSet.7.constraint.class_id=nsCertTypeExtConstraintImpl
+policyset.caJarSigningSet.7.constraint.name=Netscape Certificate Type Extension Constraint
+policyset.caJarSigningSet.7.constraint.params.nsCertCritical=-
+policyset.caJarSigningSet.7.constraint.params.nsCertEmail=-
+policyset.caJarSigningSet.7.constraint.params.nsCertEmailCA=-
+policyset.caJarSigningSet.7.constraint.params.nsCertObjectSigning=-
+policyset.caJarSigningSet.7.constraint.params.nsCertObjectSigningCA=-
+policyset.caJarSigningSet.7.constraint.params.nsCertSSLCA=-
+policyset.caJarSigningSet.7.constraint.params.nsCertSSLClient=-
+policyset.caJarSigningSet.7.constraint.params.nsCertSSLServer=-
+policyset.caJarSigningSet.7.default.class_id=nsCertTypeExtDefaultImpl
+policyset.caJarSigningSet.7.default.name=Netscape Certificate Type Extension Default
+policyset.caJarSigningSet.7.default.params.nsCertCritical=false
+policyset.caJarSigningSet.7.default.params.nsCertEmail=false
+policyset.caJarSigningSet.7.default.params.nsCertEmailCA=false
+policyset.caJarSigningSet.7.default.params.nsCertObjectSigning=true
+policyset.caJarSigningSet.7.default.params.nsCertObjectSigningCA=false
+policyset.caJarSigningSet.7.default.params.nsCertSSLCA=false
+policyset.caJarSigningSet.7.default.params.nsCertSSLClient=false
+policyset.caJarSigningSet.7.default.params.nsCertSSLServer=false
+policyset.caJarSigningSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.caJarSigningSet.9.constraint.name=No Constraint
+policyset.caJarSigningSet.9.constraint.params.signingAlgsAllowed=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC
+policyset.caJarSigningSet.9.default.class_id=signingAlgDefaultImpl
+policyset.caJarSigningSet.9.default.name=Signing Alg
+policyset.caJarSigningSet.9.default.params.signingAlg=-
-- cgit
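Review bot: The key-usage default in policy 6 sets `policyset.caJarSigningSet.6.default.params.keyUsageKeyCertSign=true` on a profile described as a jar (object) signing certificate, and every matching `6.constraint.params.*` entry is `-`, so nothing in the profile restricts that bit. The policy list `1,2,3,6,7,9` contains no basic-constraints entry, so how a relying party treats a leaf that asserts keyCertSign is left to its validator; for an end-entity signing certificate I would expect `keyUsageKeyCertSign=false` with only `keyUsageDigitalSignature=true`. Separately, policy 9 still lists `MD5withRSA` and `MD2withRSA` in `signingAlgsAllowed`, and policy 3 accepts `keyMinLength=1024`. Dropping the MD2/MD5 entries and raising the minimum to 2048 would keep the code-signing chain off collision-prone digests and short RSA keys. The subject-name constraint `pattern=.*` with `accept=true` also accepts any requested subject, so it looks as though the only gate on who can obtain an object-signing certificate is the `raCertAuth` authenticator; that is worth confirming against the installer code that submits the request.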