| author | Christina Fu <cfu@redhat.com> | 2016-06-28 11:28:42 -0700 |
|---|---|---|
| committer | Christina Fu <cfu@redhat.com> | 2016-06-28 15:07:58 -0700 |
| commit | 66223629c5d8e74be9f5a59734ab091b081435bc (patch) | |
| tree | dcac367a622d021ab1ab63e937b1af525d1f57ee /base/tps/shared | |
| parent | 7e1ffced6b91b28a0fcbb65df5087220be0b6c68 (diff) | |
Ticket #1308 [RFE] Provide ability to perform off-card key generation for non-encryption token keys This is the patch to add missing serverKeygen params for non-encryption certs. By default it is disabled.
Diffstat (limited to 'base/tps/shared')
| -rw-r--r-- | base/tps/shared/conf/CS.cfg | 43 |
1 files changed, 35 insertions, 8 deletions
diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
index f552a547d..258d5a76c 100644
--- a/base/tps/shared/conf/CS.cfg
+++ b/base/tps/shared/conf/CS.cfg
@@ -332,6 +332,9 @@ op.enroll.delegateIEtoken.keyGen.authentication.recovery.keyCompromise.scheme=Ge
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.revokeCert=false
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.revokeCert.reason=6
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.scheme=GenerateNewKey
+op.enroll.delegateIEtoken.keyGen.authentication.serverKeygen.archive=false
+op.enroll.delegateIEtoken.keyGen.authentication.serverKeygen.drm.conn=kra1
+op.enroll.delegateIEtoken.keyGen.authentication.serverKeygen.enable=false
 op.enroll.delegateIEtoken.keyGen.encryption.ca.conn=ca1
 op.enroll.delegateIEtoken.keyGen.encryption.private.keyCapabilities.decrypt=true
 op.enroll.delegateIEtoken.keyGen.encryption.private.keyCapabilities.derive=false
@@ -359,7 +362,7 @@ op.enroll.delegateIEtoken.keyGen.encryption.public.keyCapabilities.verifyRecover
 op.enroll.delegateIEtoken.keyGen.encryption.public.keyCapabilities.wrap=true
 op.enroll.delegateIEtoken.keyGen.encryption.serverKeygen.archive=true
 op.enroll.delegateIEtoken.keyGen.encryption.serverKeygen.drm.conn=kra1
-op.enroll.delegateIEtoken.keyGen.encryption.serverKeygen.enable=true
+op.enroll.delegateIEtoken.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
 op.enroll.delegateIEtoken.keyGen.keyType.num=1
 op.enroll.delegateIEtoken.keyGen.keyType.value.0=authentication
 op.enroll.delegateIEtoken.keyGen.recovery.destroyed.keyType.num=1
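Review bot: The new `authentication.serverKeygen.*` entries added to the delegateIEtoken authentication block carry no in-file explanation, although setting `enable=true` would change where the private key is created: per the commit message it is generated off-card rather than on the token. The file already uses `_000`/`_001` pseudo-keys as comments (visible in the delegateISEtoken encryption block), so an entry such as `op.enroll.delegateIEtoken.keyGen.authentication._000=# serverKeygen: off-card generation for a non-encryption key; keep archive=false unless escrow of this key is intended` (or the next free `_NNN` index) would document the default. The shipped values `enable=false` and `archive=false` are the conservative ones, and saying so in the file helps operators keep them that way for signing and authentication keys. The same applies to the serverKeygen entries added in the delegateISEtoken, soKey, soKeyTemporary, userKey and userKeyTemporary hunks.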
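Review bot: `op.enroll.delegateIEtoken.keyGen.encryption.serverKeygen.enable` changes from the literal `true` to the template token `[SERVER_KEYGEN]`, which the commit message does not mention. The step that substitutes this token is not visible in this diff; if the file is ever read with the token left in place, the value is neither `true` nor `false`, and depending on how the setting is parsed, server-side generation of encryption keys could be silently turned off or enrollment could fail. It is worth confirming that every install and upgrade path fills the token in and what value it defaults to. The same replacement is made in the delegateISEtoken, externalRegAddToToken, soKeyTemporary and userKeyTemporary hunks.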
@@ -501,6 +504,9 @@ op.enroll.delegateISEtoken.keyGen.authentication.recovery.keyCompromise.scheme=G
 op.enroll.delegateISEtoken.keyGen.authentication.recovery.onHold.revokeCert=false
 op.enroll.delegateISEtoken.keyGen.authentication.recovery.onHold.revokeCert.reason=6
 op.enroll.delegateISEtoken.keyGen.authentication.recovery.onHold.scheme=GenerateNewKey
+op.enroll.delegateISEtoken.keyGen.authentication.serverKeygen.archive=false
+op.enroll.delegateISEtoken.keyGen.authentication.serverKeygen.drm.conn=kra1
+op.enroll.delegateISEtoken.keyGen.authentication.serverKeygen.enable=false
 op.enroll.delegateISEtoken.keyGen.encryption.SANpattern=$auth.mail$,$auth.exec-edipi$.$auth.exec-pcc$@EXAMPLE.com
 op.enroll.delegateISEtoken.keyGen.encryption._000=#########################################
 op.enroll.delegateISEtoken.keyGen.encryption._001=# encryption cert/keys are "recovered" for this profile
@@ -556,7 +562,7 @@ op.enroll.delegateISEtoken.keyGen.encryption.recovery.onHold.revokeCert.reason=6
 op.enroll.delegateISEtoken.keyGen.encryption.recovery.onHold.scheme=GenerateNewKey
 op.enroll.delegateISEtoken.keyGen.encryption.serverKeygen.archive=true
 op.enroll.delegateISEtoken.keyGen.encryption.serverKeygen.drm.conn=kra1
-op.enroll.delegateISEtoken.keyGen.encryption.serverKeygen.enable=true
+op.enroll.delegateISEtoken.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
 op.enroll.delegateISEtoken.keyGen.keyType.num=2
 op.enroll.delegateISEtoken.keyGen.keyType.value.0=signing
 op.enroll.delegateISEtoken.keyGen.keyType.value.1=authentication
@@ -618,6 +624,9 @@ op.enroll.delegateISEtoken.keyGen.signing.recovery.keyCompromise.scheme=Generate
 op.enroll.delegateISEtoken.keyGen.signing.recovery.onHold.revokeCert=false
 op.enroll.delegateISEtoken.keyGen.signing.recovery.onHold.revokeCert.reason=6
 op.enroll.delegateISEtoken.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
+op.enroll.delegateISEtoken.keyGen.signing.serverKeygen.archive=false
+op.enroll.delegateISEtoken.keyGen.signing.serverKeygen.drm.conn=kra1
+op.enroll.delegateISEtoken.keyGen.signing.serverKeygen.enable=false
 op.enroll.delegateISEtoken.keyGen.tokenName=$auth.cn$
 op.enroll.delegateISEtoken.loginRequest.enable=true
 op.enroll.delegateISEtoken.pinReset.enable=true
@@ -736,12 +745,12 @@ op.enroll.externalRegAddToToken.keyGen.encryption.public.keyCapabilities.wrap=tr
 op.enroll.externalRegAddToToken.keyGen.encryption.recovery.destroyed.revokeCert=false
 op.enroll.externalRegAddToToken.keyGen.encryption.recovery.keyCompromise.revokeCert=false
 op.enroll.externalRegAddToToken.keyGen.encryption.recovery.onHold.revokeCert=false
-op.enroll.externalRegAddToToken.keyGen.signing.recovery.destroyed.revokeCert=false
-op.enroll.externalRegAddToToken.keyGen.signing.recovery.keyCompromise.revokeCert=false
-op.enroll.externalRegAddToToken.keyGen.signing.recovery.onHold.revokeCert=false
+op.enroll.externalRegAddToToken.keyGen.encryption.recovery.destroyed.revokeCert=false
+op.enroll.externalRegAddToToken.keyGen.encryption.recovery.keyCompromise.revokeCert=false
+op.enroll.externalRegAddToToken.keyGen.encryption.recovery.onHold.revokeCert=false
 op.enroll.externalRegAddToToken.keyGen.encryption.serverKeygen.archive=true
 op.enroll.externalRegAddToToken.keyGen.encryption.serverKeygen.drm.conn=kra1
-op.enroll.externalRegAddToToken.keyGen.encryption.serverKeygen.enable=true
+op.enroll.externalRegAddToToken.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
 op.enroll.externalRegAddToToken.keyGen.tokenName=$auth.cn$
 op.enroll.externalRegAddToToken.loginRequest.enable=true
 op.enroll.externalRegAddToToken.pkcs11obj.compress.enable=true
@@ -894,6 +903,9 @@ op.enroll.soKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey
 op.enroll.soKey.keyGen.signing.recovery.onHold.revokeCert.reason=6
 op.enroll.soKey.keyGen.signing.recovery.onHold.revokeCert=true
 op.enroll.soKey.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
+op.enroll.soKey.keyGen.signing.serverKeygen.archive=false
+op.enroll.soKey.keyGen.signing.serverKeygen.drm.conn=kra1
+op.enroll.soKey.keyGen.signing.serverKeygen.enable=false
 op.enroll.soKey.keyGen.tokenName=$auth.cn$
 op.enroll.soKey.loginRequest.enable=true
 op.enroll.soKey.pinReset.enable=true
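Review bot: In the externalRegAddToToken hunk the three added `keyGen.encryption.recovery.destroyed.revokeCert`, `keyGen.encryption.recovery.keyCompromise.revokeCert` and `keyGen.encryption.recovery.onHold.revokeCert` lines are exact duplicates of the three context lines directly above them, while the `keyGen.signing.recovery.*.revokeCert=false` entries they replace disappear from the profile. If dropping the signing entries is intended, the cleaner change is to delete those three lines without adding anything, so that no key is defined twice. If it is a copy-paste slip, the signing lines should stay as they were. The commit message only describes adding serverKeygen parameters, so this edit and its effect on revocation settings for signing certificates in this profile deserves a sentence there.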
@@ -948,6 +960,9 @@ op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.unwrap=false
 op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.verifyRecover=true
 op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.verify=true
 op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.wrap=false
+op.enroll.soKeyTemporary.keyGen.auth.serverKeygen.archive=false
+op.enroll.soKeyTemporary.keyGen.auth.serverKeygen.drm.conn=kra1
+op.enroll.soKeyTemporary.keyGen.auth.serverKeygen.enable=false
 op.enroll.soKeyTemporary.keyGen.auth.publicKeyNumber=1
 op.enroll.soKeyTemporary.keyGen.encryption.ca.conn=ca1
 op.enroll.soKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment
@@ -992,7 +1007,7 @@ op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert=true
 op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.scheme=RecoverLast
 op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.archive=true
 op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.drm.conn=kra1
-op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.enable=true
+op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
 op.enroll.soKeyTemporary.keyGen.keyType.num=3
 op.enroll.soKeyTemporary.keyGen.keyType.value.0=auth
 op.enroll.soKeyTemporary.keyGen.keyType.value.1=signing
@@ -1041,6 +1056,9 @@ op.enroll.soKeyTemporary.keyGen.signing.publicKeyNumber=3
 op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.revokeCert.reason=0
 op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.revokeCert=true
 op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
+op.enroll.soKeyTemporary.keyGen.signing.serverKeygen.archive=false
+op.enroll.soKeyTemporary.keyGen.signing.serverKeygen.drm.conn=kra1
+op.enroll.soKeyTemporary.keyGen.signing.serverKeygen.enable=false
 op.enroll.soKeyTemporary.keyGen.tokenName=$auth.cn$ (Temporary)
 op.enroll.soKeyTemporary.loginRequest.enable=true
 op.enroll.soKeyTemporary.pinReset.enable=true
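Review bot: In the soKeyTemporary auth hunk the three `auth.serverKeygen.*` lines are inserted before `op.enroll.soKeyTemporary.keyGen.auth.publicKeyNumber=1`, whereas the userKeyTemporary hunk places the equivalent lines after `op.enroll.userKeyTemporary.keyGen.auth.publicKeyNumber=1`. Putting them after `publicKeyNumber` in both profiles keeps the two blocks parallel, which makes it easier to compare the profiles line by line when auditing which ones have server-side key generation enabled. This is an ordering point only; no value needs to change.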
@@ -1187,6 +1205,9 @@ op.enroll.userKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey
 op.enroll.userKey.keyGen.signing.recovery.onHold.revokeCert.reason=6
 op.enroll.userKey.keyGen.signing.recovery.onHold.revokeCert=true
 op.enroll.userKey.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
+op.enroll.userKey.keyGen.signing.serverKeygen.archive=false
+op.enroll.userKey.keyGen.signing.serverKeygen.drm.conn=kra1
+op.enroll.userKey.keyGen.signing.serverKeygen.enable=false
 op.enroll.userKey.keyGen.tokenName=$auth.cn$
 op.enroll.userKey.loginRequest.enable=true
 op.enroll.userKey.pinReset.enable=true
@@ -1255,6 +1276,9 @@ op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.verifyRecover=true
 op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.verify=true
 op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.wrap=false
 op.enroll.userKeyTemporary.keyGen.auth.publicKeyNumber=1
+op.enroll.userKeyTemporary.keyGen.auth.serverKeygen.archive=false
+op.enroll.userKeyTemporary.keyGen.auth.serverKeygen.drm.conn=kra1
+op.enroll.userKeyTemporary.keyGen.auth.serverKeygen.enable=false
 op.enroll.userKeyTemporary.keyGen.encryption.ca.conn=ca1
 op.enroll.userKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment
 op.enroll.userKeyTemporary.keyGen.encryption.certAttrId=c2
@@ -1298,7 +1322,7 @@ op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert=true
 op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.scheme=RecoverLast
 op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.archive=true
 op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.drm.conn=kra1
-op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable=true
+op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
 op.enroll.userKeyTemporary.keyGen.keyType.num=3
 op.enroll.userKeyTemporary.keyGen.keyType.value.0=auth
 op.enroll.userKeyTemporary.keyGen.keyType.value.1=signing
@@ -1347,6 +1371,9 @@ op.enroll.userKeyTemporary.keyGen.signing.publicKeyNumber=3
 op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.revokeCert.reason=0
 op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.revokeCert=true
 op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
+op.enroll.userKeyTemporary.keyGen.signing.serverKeygen.archive=false
+op.enroll.userKeyTemporary.keyGen.signing.serverKeygen.drm.conn=kra1
+op.enroll.userKeyTemporary.keyGen.signing.serverKeygen.enable=false
 op.enroll.userKeyTemporary.keyGen.tokenName=$auth.cn$ (Temporary)
 op.enroll.userKeyTemporary.loginRequest.enable=true
 op.enroll.userKeyTemporary.pinReset.enable=true
|
