author | Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com> | 2016-07-13 17:15:14 -0700 |
---|---|---|
committer | Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com> | 2016-07-14 18:20:57 -0700 |
commit | 96ebbeadc61e5a4c9df5d5adbd062a58ac3dee3c (patch) | |
tree | 88771cd78713dd21bc5911f9eb1dff7dc37f7366 /base/ca/shared | |
parent | 20e7cb7d95e0aa4e21cd54e86735d77521e332f6 (diff) | |
download | pki-96ebbeadc61e5a4c9df5d5adbd062a58ac3dee3c.tar.gz pki-96ebbeadc61e5a4c9df5d5adbd062a58ac3dee3c.tar.xz pki-96ebbeadc61e5a4c9df5d5adbd062a58ac3dee3c.zip |
[MAN] Apply 'generateCRMFRequest() removed from Firefox' workarounds to appropriate 'pki' man page
This fix will involve the following changes to the source tree.
1. Fixes to the CS.cfg to add two new cert profiles.
2. Make the caDualCert.cfg profile invisible since it has little chance of
working any more in Firefox.
3. Create caSigningUserCert.cfg and caSigningECUserCert.cfg to allow the CLI
to have convenient profiles from which to enroll signing ONLY certificates.
Diffstat (limited to 'base/ca/shared')
-rw-r--r-- | base/ca/shared/conf/CS.cfg | 6 | ||||
-rw-r--r-- | base/ca/shared/profiles/ca/caDualCert.cfg | 2 | ||||
-rw-r--r-- | base/ca/shared/profiles/ca/caSigningECUserCert.cfg | 86 | ||||
-rw-r--r-- | base/ca/shared/profiles/ca/caSigningUserCert.cfg | 86 |
4 files changed, 178 insertions, 2 deletions
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
index 288f0d519..68e79a48f 100644
--- a/base/ca/shared/conf/CS.cfg
+++ b/base/ca/shared/conf/CS.cfg
@@ -966,7 +966,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
 oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
 oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
 os.userid=nobody
-profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
+profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
 profile.caUUIDdeviceCert.class_id=caEnrollImpl
 profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg
 profile.caManualRenewal.class_id=caEnrollImpl
@@ -1037,6 +1037,10 @@ profile.caServerCert.class_id=caEnrollImpl
 profile.caServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caServerCert.cfg
 profile.caSignedLogCert.class_id=caEnrollImpl
 profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSignedLogCert.cfg
+profile.caSigningECUserCert.class_id=caEnrollImpl
+profile.caSigningECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSigningECUserCert.cfg
+profile.caSigningUserCert.class_id=caEnrollImpl
+profile.caSigningUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSigningUserCert.cfg
 profile.caSimpleCMCUserCert.class_id=caEnrollImpl
 profile.caSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSimpleCMCUserCert.cfg
 profile.caSubsystemCert.class_id=caEnrollImpl
diff --git a/base/ca/shared/profiles/ca/caDualCert.cfg b/base/ca/shared/profiles/ca/caDualCert.cfg
index f90f78f6c..87036d194 100644
--- a/base/ca/shared/profiles/ca/caDualCert.cfg
+++ b/base/ca/shared/profiles/ca/caDualCert.cfg
@@ -1,5 +1,5 @@
 desc=This certificate profile is for enrolling dual user certificates. It works only with Netscape 7.0 or later.
-visible=true
+visible=false
 enable=true
 enableBy=admin
 name=Manual User Signing & Encryption Certificates Enrollment
diff --git a/base/ca/shared/profiles/ca/caSigningECUserCert.cfg b/base/ca/shared/profiles/ca/caSigningECUserCert.cfg
new file mode 100644
index 000000000..b410504a3
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caSigningECUserCert.cfg
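Review bot: In caDualCert.cfg the profile is only hidden: the hunk flips `visible=true` to `visible=false` but leaves `enable=true`, so a client that names the profile id directly can presumably still submit requests against it. If the profile is being retired because the browser API it depends on is gone, `enable=false` would say so explicitly; if it must stay enrollable for existing clients, that is worth stating in the commit message. The unchanged `desc=` line still tells operators the profile works with Netscape 7.0 or later and could be updated in the same change.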
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling user ECC signing certificates. It works only with the latest Firefox.
+visible=false
+enable=true
+enableBy=admin
+name=Manual User Signing ECC Certificate Enrollment
+auth.class_id=
+input.list=i1,i2,i3
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=subjectNameInputImpl
+input.i3.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=signingCertSet
+policyset.signingCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.signingCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.signingCertSet.1.constraint.name=Subject Name Constraint
+policyset.signingCertSet.1.constraint.params.pattern=CN=.*
+policyset.signingCertSet.1.constraint.params.accept=true
+policyset.signingCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.signingCertSet.1.default.name=Subject Name Default
+policyset.signingCertSet.1.default.params.name=
+policyset.signingCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.signingCertSet.2.constraint.name=Validity Constraint
+policyset.signingCertSet.2.constraint.params.range=365
+policyset.signingCertSet.2.constraint.params.notBeforeCheck=false
+policyset.signingCertSet.2.constraint.params.notAfterCheck=false
+policyset.signingCertSet.2.default.class_id=validityDefaultImpl
+policyset.signingCertSet.2.default.name=Validity Default
+policyset.signingCertSet.2.default.params.range=180
+policyset.signingCertSet.2.default.params.startTime=0
+policyset.signingCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.signingCertSet.3.constraint.name=Key Constraint
+policyset.signingCertSet.3.constraint.params.keyType=EC
+policyset.signingCertSet.3.constraint.params.keyParameters=nistp256,nistp521
+policyset.signingCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.signingCertSet.3.default.name=Key Default
+policyset.signingCertSet.4.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.4.constraint.name=No Constraint
+policyset.signingCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.signingCertSet.4.default.name=Authority Key Identifier Default
+policyset.signingCertSet.5.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.5.constraint.name=No Constraint
+policyset.signingCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.signingCertSet.5.default.name=AIA Extension Default
+policyset.signingCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.signingCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.signingCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.signingCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.signingCertSet.5.default.params.authInfoAccessCritical=false
+policyset.signingCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.signingCertSet.6.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.6.constraint.name=No Constraint
+policyset.signingCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.signingCertSet.6.default.name=Key Usage Default
+policyset.signingCertSet.6.default.params.keyUsageCritical=true
+policyset.signingCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.signingCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.signingCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.signingCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.signingCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.signingCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.signingCertSet.6.default.params.keyUsageCrlSign=false
+policyset.signingCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.signingCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.signingCertSet.7.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.7.constraint.name=No Constraint
+policyset.signingCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.signingCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.signingCertSet.7.default.params.exKeyUsageCritical=false
+policyset.signingCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.signingCertSet.8.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.8.constraint.name=No Constraint
+policyset.signingCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.signingCertSet.8.default.name=Subject Alt Name Constraint
+policyset.signingCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.signingCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.signingCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.signingCertSet.9.constraint.name=No Constraint
+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.signingCertSet.9.default.name=Signing Alg
+policyset.signingCertSet.9.default.params.signingAlg=-
+
diff --git a/base/ca/shared/profiles/ca/caSigningUserCert.cfg b/base/ca/shared/profiles/ca/caSigningUserCert.cfg
new file mode 100644
index 000000000..f197ffaa9
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caSigningUserCert.cfg
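Review bot: `policyset.signingCertSet.9.constraint.params.signingAlgsAllowed` in the new caSigningECUserCert.cfg, and identically in caSigningUserCert.cfg in the next hunk, still admits `MD2withRSA`, `MD5withRSA` and the SHA-1 variants, so a certificate with `keyUsageNonRepudiation=true` could be issued under a collision-prone digest whenever the signing algorithm is overridden from the default. The list looks inherited from older profiles; a new profile could start from `signingAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC`. That same entry is labelled `constraint.name=No Constraint` although its class is `signingAlgConstraintImpl`, which hides an active constraint from whoever reviews the profile; `constraint.name=Signing Algorithm Constraint` would match what it does. The `desc=` line also says the profile works only with the latest Firefox, while the commit message presents it as a profile for CLI enrollment.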
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling user signing certificates.
+visible=false
+enable=true
+enableBy=admin
+name=Manual User Signing Certificate Enrollment
+auth.class_id=
+input.list=i1,i2,i3
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=subjectNameInputImpl
+input.i3.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=signingCertSet
+policyset.signingCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.signingCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.signingCertSet.1.constraint.name=Subject Name Constraint
+policyset.signingCertSet.1.constraint.params.pattern=CN=.*
+policyset.signingCertSet.1.constraint.params.accept=true
+policyset.signingCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.signingCertSet.1.default.name=Subject Name Default
+policyset.signingCertSet.1.default.params.name=
+policyset.signingCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.signingCertSet.2.constraint.name=Validity Constraint
+policyset.signingCertSet.2.constraint.params.range=365
+policyset.signingCertSet.2.constraint.params.notBeforeCheck=false
+policyset.signingCertSet.2.constraint.params.notAfterCheck=false
+policyset.signingCertSet.2.default.class_id=validityDefaultImpl
+policyset.signingCertSet.2.default.name=Validity Default
+policyset.signingCertSet.2.default.params.range=180
+policyset.signingCertSet.2.default.params.startTime=0
+policyset.signingCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.signingCertSet.3.constraint.name=Key Constraint
+policyset.signingCertSet.3.constraint.params.keyType=RSA
+policyset.signingCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.signingCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.signingCertSet.3.default.name=Key Default
+policyset.signingCertSet.4.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.4.constraint.name=No Constraint
+policyset.signingCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.signingCertSet.4.default.name=Authority Key Identifier Default
+policyset.signingCertSet.5.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.5.constraint.name=No Constraint
+policyset.signingCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.signingCertSet.5.default.name=AIA Extension Default
+policyset.signingCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.signingCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.signingCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.signingCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.signingCertSet.5.default.params.authInfoAccessCritical=false
+policyset.signingCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.signingCertSet.6.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.6.constraint.name=No Constraint
+policyset.signingCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.signingCertSet.6.default.name=Key Usage Default
+policyset.signingCertSet.6.default.params.keyUsageCritical=true
+policyset.signingCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.signingCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.signingCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.signingCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.signingCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.signingCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.signingCertSet.6.default.params.keyUsageCrlSign=false
+policyset.signingCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.signingCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.signingCertSet.7.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.7.constraint.name=No Constraint
+policyset.signingCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.signingCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.signingCertSet.7.default.params.exKeyUsageCritical=false
+policyset.signingCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.signingCertSet.8.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.8.constraint.name=No Constraint
+policyset.signingCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.signingCertSet.8.default.name=Subject Alt Name Constraint
+policyset.signingCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.signingCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.signingCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.signingCertSet.9.constraint.name=No Constraint
+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.signingCertSet.9.default.name=Signing Alg
+policyset.signingCertSet.9.default.params.signingAlg=-
+
|
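Review bot: `policyset.signingCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096` in caSigningUserCert.cfg lets a request carrying a 1024-bit RSA key pass the key constraint, which is below the 2048-bit floor that current guidance such as NIST SP 800-131A sets for signature keys. Because the profile issues certificates with `keyUsageDigitalSignature=true` and `keyUsageNonRepudiation=true`, a new profile would be better started with `keyParameters=2048,3072,4096`. Separately, `auth.class_id=` is empty, which I read as enrollment that waits for agent approval; if that is the intent, saying so in `desc=` would help operators who enable the profile for CLI use.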