diff options
-rw-r--r-- | base/ca/shared/conf/CS.cfg | 6 | ||||
-rw-r--r-- | base/ca/shared/profiles/ca/caDualCert.cfg | 2 | ||||
-rw-r--r-- | base/ca/shared/profiles/ca/caSigningECUserCert.cfg | 86 | ||||
-rw-r--r-- | base/ca/shared/profiles/ca/caSigningUserCert.cfg | 86 |
4 files changed, 178 insertions, 2 deletions
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg index 288f0d519..68e79a48f 100644 --- a/base/ca/shared/conf/CS.cfg +++ b/base/ca/shared/conf/CS.cfg @@ -966,7 +966,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18 oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11 os.userid=nobody -profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment +profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment profile.caUUIDdeviceCert.class_id=caEnrollImpl profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg profile.caManualRenewal.class_id=caEnrollImpl @@ -1037,6 +1037,10 @@ profile.caServerCert.class_id=caEnrollImpl profile.caServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caServerCert.cfg profile.caSignedLogCert.class_id=caEnrollImpl profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSignedLogCert.cfg +profile.caSigningECUserCert.class_id=caEnrollImpl +profile.caSigningECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSigningECUserCert.cfg +profile.caSigningUserCert.class_id=caEnrollImpl +profile.caSigningUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSigningUserCert.cfg profile.caSimpleCMCUserCert.class_id=caEnrollImpl profile.caSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSimpleCMCUserCert.cfg profile.caSubsystemCert.class_id=caEnrollImpl diff --git a/base/ca/shared/profiles/ca/caDualCert.cfg b/base/ca/shared/profiles/ca/caDualCert.cfg index f90f78f6c..87036d194 100644 --- a/base/ca/shared/profiles/ca/caDualCert.cfg +++ b/base/ca/shared/profiles/ca/caDualCert.cfg @@ -1,5 +1,5 @@ desc=This certificate profile is for enrolling dual user certificates. It works only with Netscape 7.0 or later. -visible=true +visible=false enable=true enableBy=admin name=Manual User Signing & Encryption Certificates Enrollment diff --git a/base/ca/shared/profiles/ca/caSigningECUserCert.cfg b/base/ca/shared/profiles/ca/caSigningECUserCert.cfg new file mode 100644 index 000000000..b410504a3 --- /dev/null +++ b/base/ca/shared/profiles/ca/caSigningECUserCert.cfg @@ -0,0 +1,86 @@ +desc=This certificate profile is for enrolling user ECC signing certificates. It works only with the latest Firefox. +visible=false +enable=true +enableBy=admin +name=Manual User Signing ECC Certificate Enrollment +auth.class_id= +input.list=i1,i2,i3 +input.i1.class_id=certReqInputImpl +input.i2.class_id=subjectNameInputImpl +input.i3.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=signingCertSet +policyset.signingCertSet.list=1,2,3,4,5,6,7,8,9 +policyset.signingCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.signingCertSet.1.constraint.name=Subject Name Constraint +policyset.signingCertSet.1.constraint.params.pattern=CN=.* +policyset.signingCertSet.1.constraint.params.accept=true +policyset.signingCertSet.1.default.class_id=userSubjectNameDefaultImpl +policyset.signingCertSet.1.default.name=Subject Name Default +policyset.signingCertSet.1.default.params.name= +policyset.signingCertSet.2.constraint.class_id=validityConstraintImpl +policyset.signingCertSet.2.constraint.name=Validity Constraint +policyset.signingCertSet.2.constraint.params.range=365 +policyset.signingCertSet.2.constraint.params.notBeforeCheck=false +policyset.signingCertSet.2.constraint.params.notAfterCheck=false +policyset.signingCertSet.2.default.class_id=validityDefaultImpl +policyset.signingCertSet.2.default.name=Validity Default +policyset.signingCertSet.2.default.params.range=180 +policyset.signingCertSet.2.default.params.startTime=0 +policyset.signingCertSet.3.constraint.class_id=keyConstraintImpl +policyset.signingCertSet.3.constraint.name=Key Constraint +policyset.signingCertSet.3.constraint.params.keyType=EC +policyset.signingCertSet.3.constraint.params.keyParameters=nistp256,nistp521 +policyset.signingCertSet.3.default.class_id=userKeyDefaultImpl +policyset.signingCertSet.3.default.name=Key Default +policyset.signingCertSet.4.constraint.class_id=noConstraintImpl +policyset.signingCertSet.4.constraint.name=No Constraint +policyset.signingCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.signingCertSet.4.default.name=Authority Key Identifier Default +policyset.signingCertSet.5.constraint.class_id=noConstraintImpl +policyset.signingCertSet.5.constraint.name=No Constraint +policyset.signingCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.signingCertSet.5.default.name=AIA Extension Default +policyset.signingCertSet.5.default.params.authInfoAccessADEnable_0=true +policyset.signingCertSet.5.default.params.authInfoAccessADLocationType_0=URIName +policyset.signingCertSet.5.default.params.authInfoAccessADLocation_0= +policyset.signingCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 +policyset.signingCertSet.5.default.params.authInfoAccessCritical=false +policyset.signingCertSet.5.default.params.authInfoAccessNumADs=1 +policyset.signingCertSet.6.constraint.class_id=noConstraintImpl +policyset.signingCertSet.6.constraint.name=No Constraint +policyset.signingCertSet.6.default.class_id=keyUsageExtDefaultImpl +policyset.signingCertSet.6.default.name=Key Usage Default +policyset.signingCertSet.6.default.params.keyUsageCritical=true +policyset.signingCertSet.6.default.params.keyUsageDigitalSignature=true +policyset.signingCertSet.6.default.params.keyUsageNonRepudiation=true +policyset.signingCertSet.6.default.params.keyUsageDataEncipherment=false +policyset.signingCertSet.6.default.params.keyUsageKeyEncipherment=false +policyset.signingCertSet.6.default.params.keyUsageKeyAgreement=false +policyset.signingCertSet.6.default.params.keyUsageKeyCertSign=false +policyset.signingCertSet.6.default.params.keyUsageCrlSign=false +policyset.signingCertSet.6.default.params.keyUsageEncipherOnly=false +policyset.signingCertSet.6.default.params.keyUsageDecipherOnly=false +policyset.signingCertSet.7.constraint.class_id=noConstraintImpl +policyset.signingCertSet.7.constraint.name=No Constraint +policyset.signingCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl +policyset.signingCertSet.7.default.name=Extended Key Usage Extension Default +policyset.signingCertSet.7.default.params.exKeyUsageCritical=false +policyset.signingCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 +policyset.signingCertSet.8.constraint.class_id=noConstraintImpl +policyset.signingCertSet.8.constraint.name=No Constraint +policyset.signingCertSet.8.default.class_id=subjectAltNameExtDefaultImpl +policyset.signingCertSet.8.default.name=Subject Alt Name Constraint +policyset.signingCertSet.8.default.params.subjAltNameExtCritical=false +policyset.signingCertSet.8.default.params.subjAltExtType_0=RFC822Name +policyset.signingCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$ +policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true +policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1 +policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl +policyset.signingCertSet.9.constraint.name=No Constraint +policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC +policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl +policyset.signingCertSet.9.default.name=Signing Alg +policyset.signingCertSet.9.default.params.signingAlg=- + diff --git a/base/ca/shared/profiles/ca/caSigningUserCert.cfg b/base/ca/shared/profiles/ca/caSigningUserCert.cfg new file mode 100644 index 000000000..f197ffaa9 --- /dev/null +++ b/base/ca/shared/profiles/ca/caSigningUserCert.cfg @@ -0,0 +1,86 @@ +desc=This certificate profile is for enrolling user signing certificates. +visible=false +enable=true +enableBy=admin +name=Manual User Signing Certificate Enrollment +auth.class_id= +input.list=i1,i2,i3 +input.i1.class_id=certReqInputImpl +input.i2.class_id=subjectNameInputImpl +input.i3.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=signingCertSet +policyset.signingCertSet.list=1,2,3,4,5,6,7,8,9 +policyset.signingCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.signingCertSet.1.constraint.name=Subject Name Constraint +policyset.signingCertSet.1.constraint.params.pattern=CN=.* +policyset.signingCertSet.1.constraint.params.accept=true +policyset.signingCertSet.1.default.class_id=userSubjectNameDefaultImpl +policyset.signingCertSet.1.default.name=Subject Name Default +policyset.signingCertSet.1.default.params.name= +policyset.signingCertSet.2.constraint.class_id=validityConstraintImpl +policyset.signingCertSet.2.constraint.name=Validity Constraint +policyset.signingCertSet.2.constraint.params.range=365 +policyset.signingCertSet.2.constraint.params.notBeforeCheck=false +policyset.signingCertSet.2.constraint.params.notAfterCheck=false +policyset.signingCertSet.2.default.class_id=validityDefaultImpl +policyset.signingCertSet.2.default.name=Validity Default +policyset.signingCertSet.2.default.params.range=180 +policyset.signingCertSet.2.default.params.startTime=0 +policyset.signingCertSet.3.constraint.class_id=keyConstraintImpl +policyset.signingCertSet.3.constraint.name=Key Constraint +policyset.signingCertSet.3.constraint.params.keyType=RSA +policyset.signingCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 +policyset.signingCertSet.3.default.class_id=userKeyDefaultImpl +policyset.signingCertSet.3.default.name=Key Default +policyset.signingCertSet.4.constraint.class_id=noConstraintImpl +policyset.signingCertSet.4.constraint.name=No Constraint +policyset.signingCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.signingCertSet.4.default.name=Authority Key Identifier Default +policyset.signingCertSet.5.constraint.class_id=noConstraintImpl +policyset.signingCertSet.5.constraint.name=No Constraint +policyset.signingCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.signingCertSet.5.default.name=AIA Extension Default +policyset.signingCertSet.5.default.params.authInfoAccessADEnable_0=true +policyset.signingCertSet.5.default.params.authInfoAccessADLocationType_0=URIName +policyset.signingCertSet.5.default.params.authInfoAccessADLocation_0= +policyset.signingCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 +policyset.signingCertSet.5.default.params.authInfoAccessCritical=false +policyset.signingCertSet.5.default.params.authInfoAccessNumADs=1 +policyset.signingCertSet.6.constraint.class_id=noConstraintImpl +policyset.signingCertSet.6.constraint.name=No Constraint +policyset.signingCertSet.6.default.class_id=keyUsageExtDefaultImpl +policyset.signingCertSet.6.default.name=Key Usage Default +policyset.signingCertSet.6.default.params.keyUsageCritical=true +policyset.signingCertSet.6.default.params.keyUsageDigitalSignature=true +policyset.signingCertSet.6.default.params.keyUsageNonRepudiation=true +policyset.signingCertSet.6.default.params.keyUsageDataEncipherment=false +policyset.signingCertSet.6.default.params.keyUsageKeyEncipherment=false +policyset.signingCertSet.6.default.params.keyUsageKeyAgreement=false +policyset.signingCertSet.6.default.params.keyUsageKeyCertSign=false +policyset.signingCertSet.6.default.params.keyUsageCrlSign=false +policyset.signingCertSet.6.default.params.keyUsageEncipherOnly=false +policyset.signingCertSet.6.default.params.keyUsageDecipherOnly=false +policyset.signingCertSet.7.constraint.class_id=noConstraintImpl +policyset.signingCertSet.7.constraint.name=No Constraint +policyset.signingCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl +policyset.signingCertSet.7.default.name=Extended Key Usage Extension Default +policyset.signingCertSet.7.default.params.exKeyUsageCritical=false +policyset.signingCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 +policyset.signingCertSet.8.constraint.class_id=noConstraintImpl +policyset.signingCertSet.8.constraint.name=No Constraint +policyset.signingCertSet.8.default.class_id=subjectAltNameExtDefaultImpl +policyset.signingCertSet.8.default.name=Subject Alt Name Constraint +policyset.signingCertSet.8.default.params.subjAltNameExtCritical=false +policyset.signingCertSet.8.default.params.subjAltExtType_0=RFC822Name +policyset.signingCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$ +policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true +policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1 +policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl +policyset.signingCertSet.9.constraint.name=No Constraint +policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC +policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl +policyset.signingCertSet.9.default.name=Signing Alg +policyset.signingCertSet.9.default.params.signingAlg=- + |