author | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2008-11-18 23:39:12 +0000 |
committer | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2008-11-18 23:39:12 +0000 |
commit | ab68b8dc0a485e2b4bf505cbdea8da786a13ce41 (patch) | |
tree | b665054fd8b4749578137f3e72998f701bef0a7a /pki/base/ca | |
parent | 0e913677fe84263495a20c1fe4f47508f762a1ad (diff) | |
download | pki-ab68b8dc0a485e2b4bf505cbdea8da786a13ce41.tar.gz pki-ab68b8dc0a485e2b4bf505cbdea8da786a13ce41.tar.xz pki-ab68b8dc0a485e2b4bf505cbdea8da786a13ce41.zip |
Bugzilla Bug #471622 - Need Renewal feature via enrollment profile Framework (Phase 1)
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@141 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/ca')
-rw-r--r-- | pki/base/ca/shared/conf/CS.cfg | 11 | ||||
-rw-r--r-- | pki/base/ca/shared/conf/registry.cfg | 10 | ||||
-rw-r--r-- | pki/base/ca/shared/profiles/ca/caDirUserCert.cfg | 8 | ||||
-rwxr-xr-x | pki/base/ca/shared/profiles/ca/caDirUserRenewal.cfg | 12 | ||||
-rwxr-xr-x | pki/base/ca/shared/profiles/ca/caManualRenewal.cfg | 11 | ||||
-rwxr-xr-x | pki/base/ca/shared/profiles/ca/caSSLClientSelfRenewal.cfg | 9 | ||||
-rw-r--r-- | pki/base/ca/shared/profiles/ca/caUserCert.cfg | 8 |
7 files changed, 64 insertions, 5 deletions
diff --git a/pki/base/ca/shared/conf/CS.cfg b/pki/base/ca/shared/conf/CS.cfg
index b552a6b29..7d8fd4140 100644
--- a/pki/base/ca/shared/conf/CS.cfg
+++ b/pki/base/ca/shared/conf/CS.cfg
@@ -106,6 +106,7 @@ CrossCertPair.ldap=internaldb
 accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator
 accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator
 accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator
+accessEvaluator.impl.user_origreq.class=com.netscape.cms.evaluators.UserOrigReqAccessEvaluator
 auths._000=##
 auths._001=## new authentication
 auths._002=##
@@ -116,6 +117,7 @@ auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthenti
 auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth
 auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth
 auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
+auths.impl.SSLclientCertAuth.class=com.netscape.cms.authentication.SSLclientCertAuthentication
 auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication
 auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication
 auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication
@@ -129,6 +131,7 @@ auths.instance.raCertAuth.agentGroup=Registration Manager Agents
 auths.instance.raCertAuth.pluginName=AgentCertAuth
 auths.instance.flatFileAuth.pluginName=FlatFileAuth
 auths.instance.flatFileAuth.fileName=[PKI_INSTANCE_PATH]/conf/flatfile.txt
+auths.instance.SSLclientCertAuth.pluginName=SSLclientCertAuth
 auths.revocationChecking.bufferSize=50
 auths.revocationChecking.ca=ca
 auths.revocationChecking.enabled=true
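Review bot: The new `auths.instance.SSLclientCertAuth` instance in hunk `@@ -129,6 +131,7 @@` carries only `pluginName`, so it has no instance-level restriction of its own, unlike the adjacent `raCertAuth` instance which pins `agentGroup`. Since this instance is the sole authentication step for the new caSSLClientSelfRenewal profile, it is worth confirming that the plugin honors the `auths.revocationChecking.*` settings visible in the same hunk, so that a revoked client certificate cannot be used to obtain its own renewal. If the plugin does not consult revocation status itself, the profile should state that it depends on the TLS layer rejecting revoked client certificates.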
@@ -796,9 +799,15 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
 oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
 oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
 os.userid=nobody
-profile.list=caUserCert,caDualCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caOtherCert,caCACert,caInstallCACert,caRACert,caOCSPCert,caTransportCert,caDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert
+profile.list=caUserCert,caDualCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caOtherCert,caCACert,caInstallCACert,caRACert,caOCSPCert,caTransportCert,caDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal
 profile.caUUIDdeviceCert.class_id=caEnrollImpl
 profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUUIDdeviceCert.cfg
+profile.caManualRenewal.class_id=caEnrollImpl
+profile.caManualRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caManualRenewal.cfg
+profile.caDirUserRenewal.class_id=caEnrollImpl
+profile.caDirUserRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caDirUserRenewal.cfg
+profile.caSSLClientSelfRenewal.class_id=caEnrollImpl
+profile.caSSLClientSelfRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caSSLClientSelfRenewal.cfg
 profile.DomainController.class_id=caEnrollImpl
 profile.DomainController.config=[PKI_INSTANCE_PATH]/profiles/ca/DomainController.cfg
 profile.caAgentFileSigning.class_id=caEnrollImpl
diff --git a/pki/base/ca/shared/conf/registry.cfg b/pki/base/ca/shared/conf/registry.cfg
index 807ebdd4d..5cb40faba 100644
--- a/pki/base/ca/shared/conf/registry.cfg
+++ b/pki/base/ca/shared/conf/registry.cfg
@@ -1,5 +1,5 @@
 types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater
-constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl
+constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl
 constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint
 constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint
 constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint
@@ -33,6 +33,9 @@ constraintPolicy.uniqueSubjectNameConstraintImpl.name=Unique Subject Name Constr
 constraintPolicy.validityConstraintImpl.class=com.netscape.cms.profile.constraint.ValidityConstraint
 constraintPolicy.validityConstraintImpl.desc=Validity Constraint
 constraintPolicy.validityConstraintImpl.name=Validity Constraint
+constraintPolicy.renewGracePeriodConstraintImpl.class=com.netscape.cms.profile.constraint.RenewGracePeriodConstraint
+constraintPolicy.renewGracePeriodConstraintImpl.desc=Renewal Grace Period Constraint
+constraintPolicy.renewGracePeriodConstraintImpl.name=Renewal Grace Period Constraint
 constraintPolicy.uniqueKeyConstraintImpl.class=com.netscape.cms.profile.constraint.UniqueKeyConstraint
 constraintPolicy.uniqueKeyConstraintImpl.desc=Unique Public Key Constraint
 constraintPolicy.uniqueKeyConstraintImpl.name=Unique Public Key Constraint
@@ -161,7 +164,7 @@ profile.caServerCertEnrollImpl.name=Server Certificate Enrollment Profile
 profile.caUserCertEnrollImpl.class=com.netscape.cms.profile.common.UserCertCAEnrollProfile
 profile.caUserCertEnrollImpl.desc=Certificate Authority User Certificate Enrollment Profile
 profile.caUserCertEnrollImpl.name=User Certificate Enrollment Profile
-profileInput.ids=cmcCertReqInputImpl,certReqInputImpl,keyGenInputImpl,dualKeyGenInputImpl,subjectNameInputImpl,submitterInfoInputImpl,genericInputImpl,fileSigningInputImpl,imageInputImpl,subjectDNInputImpl,nsNKeyCertReqInputImpl,nsHKeyCertReqInputImpl
+profileInput.ids=cmcCertReqInputImpl,certReqInputImpl,keyGenInputImpl,dualKeyGenInputImpl,subjectNameInputImpl,submitterInfoInputImpl,genericInputImpl,fileSigningInputImpl,imageInputImpl,subjectDNInputImpl,nsNKeyCertReqInputImpl,nsHKeyCertReqInputImpl,serialNumRenewInputImpl
 profileInput.fileSigningInputImpl.class=com.netscape.cms.profile.input.FileSigningInput
 profileInput.fileSigningInputImpl.desc=File Signing Input
 profileInput.fileSigningInputImpl.name=File Signing Input
@@ -192,6 +195,9 @@ profileInput.nsNKeyCertReqInputImpl.name=nsNKeyCertReqInputImpl
 profileInput.nsHKeyCertReqInputImpl.class=com.netscape.cms.profile.input.nsHKeyCertReqInput
 profileInput.nsHKeyCertReqInputImpl.desc=nsHKeyCertReqInputImpl
 profileInput.nsHKeyCertReqInputImpl.name=nsHKeyCertReqInputImpl
+profileInput.serialNumRenewInputImpl.class=com.netscape.cms.profile.input.SerialNumRenewInput
+profileInput.serialNumRenewInputImpl.desc=Certificate Renewal Request Serial Number Input
+profileInput.serialNumRenewInputImpl.name=Certificate Renewal Request Serial Number Input
 profileInput.subjectDNInputImpl.class=com.netscape.cms.profile.input.SubjectDNInput
 profileInput.subjectDNInputImpl.desc=Subject DN Input
 profileInput.subjectDNInputImpl.name=Subject DN Input
diff --git a/pki/base/ca/shared/profiles/ca/caDirUserCert.cfg b/pki/base/ca/shared/profiles/ca/caDirUserCert.cfg
index 3806d0b21..693f3dc9e 100644
--- a/pki/base/ca/shared/profiles/ca/caDirUserCert.cfg
+++ b/pki/base/ca/shared/profiles/ca/caDirUserCert.cfg
@@ -9,7 +9,7 @@ input.i1.class_id=keyGenInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=userCertSet
-policyset.userCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9
 policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.userCertSet.1.constraint.name=Subject Name Constraint
 policyset.userCertSet.1.constraint.params.pattern=UID=.*
@@ -17,6 +17,12 @@ policyset.userCertSet.1.constraint.params.accept=true
 policyset.userCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
 policyset.userCertSet.1.default.name=Subject Name Default
 policyset.userCertSet.1.default.params.name=
+policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
+policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint
+policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
+policyset.userCertSet.10.constraint.params.renewal.graceAfter=30
+policyset.userCertSet.10.default.class_id=noDefaultImpl
+policyset.userCertSet.10.default.name=No Default
 policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
 policyset.userCertSet.2.constraint.name=Validity Constraint
 policyset.userCertSet.2.constraint.params.range=365
diff --git a/pki/base/ca/shared/profiles/ca/caDirUserRenewal.cfg b/pki/base/ca/shared/profiles/ca/caDirUserRenewal.cfg
new file mode 100755
index 000000000..f0ec21388
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caDirUserRenewal.cfg
@@ -0,0 +1,12 @@
+desc=This certificate profile is for renewing a certificate by serial number by using directory based authentication.
+visible=true
+enable=true
+enableBy=admin
+renewal=true
+auth.instance_id=UserDirEnrollment
+authz.acl=user_origreq="auth_token.uid"
+name=Directory-Authenticated User Certificate Self-Renew profile
+input.list=i1
+input.i1.class_id=serialNumRenewInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
diff --git a/pki/base/ca/shared/profiles/ca/caManualRenewal.cfg b/pki/base/ca/shared/profiles/ca/caManualRenewal.cfg
new file mode 100755
index 000000000..b691b4d10
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caManualRenewal.cfg
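Review bot: The new policy `10` in caDirUserCert.cfg hard-codes `renewal.graceBefore=30` and `renewal.graceAfter=30` with no record of why a 30-day window was chosen; the identical block is added to caUserCert.cfg in its `@@ -19,6 +19,12 @@` hunk, so the same point applies there. `graceAfter=30` is the security-relevant half, because it lets a certificate that has already expired by up to 30 days be renewed through these profiles, which should be a deliberate, documented policy decision rather than an unexplained constant. If post-expiry renewal is not yet an agreed policy, `policyset.userCertSet.10.constraint.params.renewal.graceAfter=0` is the conservative setting until it is. Inserting `10` between `1` and `2` in `policyset.userCertSet.list` also changes the evaluation order relative to a numerically ordered list; that is presumably harmless since `10` pairs with `noDefaultImpl`, but it is worth confirming the list order is not significant.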
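Review bot: `authz.acl=user_origreq="auth_token.uid"` is the only binding between the directory-authenticated user and the serial number supplied through `serialNumRenewInputImpl`, so the safety of caDirUserRenewal rests on the new `UserOrigReqAccessEvaluator` comparing the authenticated uid against the uid recorded in the original request. That is the right shape, but the `desc` line does not say so; suggest `desc=This certificate profile is for renewing a certificate by serial number using directory based authentication; the requester must be the uid recorded in the original enrollment request.` Note also that `auth.instance_id=UserDirEnrollment` names an instance not declared anywhere in this diff; it presumably already exists in CS.cfg for the existing caDirUserCert profile, but that should be confirmed before the profile is enabled.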
@@ -0,0 +1,11 @@
+desc=This certificate profile is for renewing certificates to be approved manually by agents.
+visible=true
+enable=true
+enableBy=admin
+renewal=true
+auth.instance_id=
+name=Renew certificate to be manually approved by agents
+input.list=i1
+input.i1.class_id=serialNumRenewInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
diff --git a/pki/base/ca/shared/profiles/ca/caSSLClientSelfRenewal.cfg b/pki/base/ca/shared/profiles/ca/caSSLClientSelfRenewal.cfg
new file mode 100755
index 000000000..f89c1b143
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caSSLClientSelfRenewal.cfg
@@ -0,0 +1,9 @@
+desc=This certificate profile is for renewing SSL client certificates.
+visible=true
+enable=true
+enableBy=admin
+renewal=true
+auth.instance_id=SSLclientCertAuth
+name=Self-renew user SSL client certificates
+output.list=o1
+output.o1.class_id=certOutputImpl
diff --git a/pki/base/ca/shared/profiles/ca/caUserCert.cfg b/pki/base/ca/shared/profiles/ca/caUserCert.cfg
index bd5932a76..56780ac62 100644
--- a/pki/base/ca/shared/profiles/ca/caUserCert.cfg
+++ b/pki/base/ca/shared/profiles/ca/caUserCert.cfg
@@ -11,7 +11,7 @@ input.i3.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=userCertSet
-policyset.userCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9
 policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.userCertSet.1.constraint.name=Subject Name Constraint
 policyset.userCertSet.1.constraint.params.pattern=UID=.*
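Review bot: `auth.instance_id=` is empty and there is no `authz.acl`, so caManualRenewal accepts renewal requests from unauthenticated submitters, and the only control is the agent approval mentioned in `desc`. That is a defensible design for a manual profile, but it shifts the entitlement check entirely onto the agent, who must verify that the submitter may renew the certificate identified by the serial number, and it means the pending-request queue is reachable without authentication. Suggest making the contract explicit: `desc=This certificate profile is for renewing certificates by serial number; requests are not authenticated and must be approved manually by agents after verifying the requester.`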
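Review bot: caSSLClientSelfRenewal declares no `input.list` and no `authz.acl`, so, unlike caDirUserRenewal, nothing in the profile itself ties the certificate being renewed to the authenticated identity; that binding must come entirely from the `SSLclientCertAuth` plugin deriving the certificate to renew from the presented TLS client certificate. If that is the intended contract it should be stated, e.g. `desc=This certificate profile is for renewing the SSL client certificate presented during TLS client authentication; no serial number input is accepted.` It would also be worth confirming that an expired client certificate, which the `graceAfter=30` window added to caUserCert.cfg nominally allows to be renewed, can actually complete TLS client authentication on this path; if it cannot, the grace-after window has no effect here and that should be noted so operators do not rely on it.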
@@ -19,6 +19,12 @@ policyset.userCertSet.1.constraint.params.accept=true
 policyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl
 policyset.userCertSet.1.default.name=Subject Name Default
 policyset.userCertSet.1.default.params.name=
+policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
+policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint
+policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
+policyset.userCertSet.10.constraint.params.renewal.graceAfter=30
+policyset.userCertSet.10.default.class_id=noDefaultImpl
+policyset.userCertSet.10.default.name=No Default
 policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
 policyset.userCertSet.2.constraint.name=Validity Constraint
 policyset.userCertSet.2.constraint.params.range=365 |