summaryrefslogtreecommitdiffstats
path: root/pki/base/ca/shared/profiles/ca
diff options
context:
space:
mode:
Diffstat (limited to 'pki/base/ca/shared/profiles/ca')
-rw-r--r--pki/base/ca/shared/profiles/ca/DomainController.cfg130
-rw-r--r--pki/base/ca/shared/profiles/ca/caAdminCert.cfg88
-rw-r--r--pki/base/ca/shared/profiles/ca/caAgentFileSigning.cfg87
-rw-r--r--pki/base/ca/shared/profiles/ca/caAgentServerCert.cfg86
-rw-r--r--pki/base/ca/shared/profiles/ca/caCACert.cfg96
-rw-r--r--pki/base/ca/shared/profiles/ca/caCMCUserCert.cfg86
-rw-r--r--pki/base/ca/shared/profiles/ca/caDirUserCert.cfg94
-rw-r--r--pki/base/ca/shared/profiles/ca/caDualCert.cfg170
-rw-r--r--pki/base/ca/shared/profiles/ca/caDualRAuserCert.cfg95
-rw-r--r--pki/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg86
-rw-r--r--pki/base/ca/shared/profiles/ca/caInstallCACert.cfg97
-rw-r--r--pki/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg72
-rw-r--r--pki/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg72
-rw-r--r--pki/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg87
-rw-r--r--pki/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg89
-rw-r--r--pki/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg81
-rw-r--r--pki/base/ca/shared/profiles/ca/caOCSPCert.cfg71
-rw-r--r--pki/base/ca/shared/profiles/ca/caOtherCert.cfg86
-rw-r--r--pki/base/ca/shared/profiles/ca/caRACert.cfg86
-rw-r--r--pki/base/ca/shared/profiles/ca/caRARouterCert.cfg86
-rw-r--r--pki/base/ca/shared/profiles/ca/caRAagentCert.cfg96
-rw-r--r--pki/base/ca/shared/profiles/ca/caRAserverCert.cfg86
-rw-r--r--pki/base/ca/shared/profiles/ca/caRouterCert.cfg86
-rw-r--r--pki/base/ca/shared/profiles/ca/caServerCert.cfg86
-rw-r--r--pki/base/ca/shared/profiles/ca/caSignedLogCert.cfg75
-rw-r--r--pki/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg85
-rw-r--r--pki/base/ca/shared/profiles/ca/caTPSCert.cfg86
-rw-r--r--pki/base/ca/shared/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg144
-rw-r--r--pki/base/ca/shared/profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg166
-rw-r--r--pki/base/ca/shared/profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg166
-rw-r--r--pki/base/ca/shared/profiles/ca/caTokenDeviceKeyEnrollment.cfg143
-rw-r--r--pki/base/ca/shared/profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg164
-rw-r--r--pki/base/ca/shared/profiles/ca/caTokenUserSigningKeyEnrollment.cfg164
-rw-r--r--pki/base/ca/shared/profiles/ca/caTransportCert.cfg80
-rw-r--r--pki/base/ca/shared/profiles/ca/caUserCert.cfg96
35 files changed, 3568 insertions, 0 deletions
diff --git a/pki/base/ca/shared/profiles/ca/DomainController.cfg b/pki/base/ca/shared/profiles/ca/DomainController.cfg
new file mode 100644
index 000000000..3a7663046
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/DomainController.cfg
@@ -0,0 +1,130 @@
+desc=This profile is for enrolling Domain Controller Certificate
+enable=true
+enableBy=admin
+name=Domain Controller
+visible=true
+auth.instance_id=AgentCertAuth
+input.list=i1,i2,i3
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+input.i3.class_id=genericInputImpl
+input.i3.params.gi_display_name0=ccm
+input.i3.params.gi_param_enable0=true
+input.i3.params.gi_param_name0=ccm
+input.i3.params.gi_display_name1=GUID
+input.i3.params.gi_param_enable1=true
+input.i3.params.gi_param_name1=GUID
+input.i3.params.gi_num=2
+output.list=o1,o2
+output.o1.class_id=certOutputImpl
+output.o2.class_id=pkcs7OutputImpl
+policyset.list=set1
+policyset.set1.list=p2,p4,p5,subj,p6,p8,p9,p12,eku,gen,crldp
+policyset.set1.subj.constraint.class_id=noConstraintImpl
+policyset.set1.subj.constraint.name=No Constraint
+policyset.set1.subj.default.class_id=nsTokenUserKeySubjectNameDefaultImpl
+policyset.set1.subj.default.name=nsTokenUserKeySubjectNameDefault
+#policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, E=$request.mail$, O=Token Key User
+#policyset.set1.subj.default.params.dnpattern=CN=GEMSTAR,OU=Domain Controllers,DC=test,dc=local
+policyset.set1.subj.default.params.dnpattern=CN=$request.ccm$
+policyset.set1.subj.default.params.ldap.enable=false
+policyset.set1.subj.default.params.ldap.searchName=uid
+policyset.set1.subj.default.params.ldapStringAttributes=uid,mail
+policyset.set1.subj.default.params.ldap.basedn=
+policyset.set1.subj.default.params.ldap.maxConns=4
+policyset.set1.subj.default.params.ldap.minConns=1
+policyset.set1.subj.default.params.ldap.ldapconn.Version=2
+policyset.set1.subj.default.params.ldap.ldapconn.host=
+policyset.set1.subj.default.params.ldap.ldapconn.port=
+policyset.set1.subj.default.params.ldap.ldapconn.secureConn=false
+policyset.set1.p2.constraint.class_id=noConstraintImpl
+policyset.set1.p2.constraint.name=No Constraint
+policyset.set1.p2.default.class_id=validityDefaultImpl
+policyset.set1.p2.default.name=Validity Default
+policyset.set1.p2.default.params.range=1825
+policyset.set1.p2.default.params.startTime=0
+policyset.set1.p4.constraint.class_id=noConstraintImpl
+policyset.set1.p4.constraint.name=No Constraint
+policyset.set1.p4.default.class_id=signingAlgDefaultImpl
+policyset.set1.p4.default.name=Signing Algorithm Default
+policyset.set1.p4.default.params.signingAlg=-
+policyset.set1.p5.constraint.class_id=noConstraintImpl
+policyset.set1.p5.constraint.name=No Constraint
+policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
+policyset.set1.p5.default.name=Key Usage Extension Default
+policyset.set1.p5.default.params.keyUsageCritical=true
+policyset.set1.p5.default.params.keyUsageCrlSign=false
+policyset.set1.p5.default.params.keyUsageDataEncipherment=false
+policyset.set1.p5.default.params.keyUsageDecipherOnly=false
+policyset.set1.p5.default.params.keyUsageDigitalSignature=true
+policyset.set1.p5.default.params.keyUsageEncipherOnly=false
+policyset.set1.p5.default.params.keyUsageKeyAgreement=false
+policyset.set1.p5.default.params.keyUsageKeyCertSign=false
+policyset.set1.p5.default.params.keyUsageKeyEncipherment=true
+policyset.set1.p5.default.params.keyUsageNonRepudiation=false
+policyset.set1.p6.constraint.class_id=noConstraintImpl
+policyset.set1.p6.constraint.name=No Constraint
+policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl
+policyset.set1.p6.default.name=Subject Alternative Name Extension Default
+policyset.set1.p6.default.params.subjAltExtGNEnable_0=true
+policyset.set1.p6.default.params.subjAltExtGNEnable_1=true
+policyset.set1.p6.default.params.subjAltExtPattern_0=$request.ccm$
+policyset.set1.p6.default.params.subjAltExtType_0=DNSName
+policyset.set1.p6.default.params.subjAltExtPattern_1=(Any)1.3.6.1.4.1.311.25.1,0410$request.GUID$
+policyset.set1.p6.default.params.subjAltExtType_1=OtherName
+policyset.set1.p6.default.params.subjAltNameExtCritical=false
+policyset.set1.p6.default.params.subjAltNameNumGNs=2
+policyset.set1.5.constraint.class_id=noConstraintImpl
+policyset.set1.5.constraint.name=No Constraint
+policyset.set1.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.set1.5.default.name=AIA Extension Default
+policyset.set1.5.default.params.authInfoAccessADEnable_0=true
+policyset.set1.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.set1.5.default.params.authInfoAccessADLocation_0=http://air.sfbay.redhat.com:9080/ca/ee/ca/getCRL?crlIssuingPoint=MasterCRL&op=getCRL&crlDisplayType=cachedCRL&submit=Submit
+policyset.set1.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.2
+policyset.set1.5.default.params.authInfoAccessCritical=false
+policyset.set1.5.default.params.authInfoAccessNumADs=1
+policyset.set1.eku.constraint.class_id=noConstraintImpl
+policyset.set1.eku.constraint.name=No Constraint
+policyset.set1.eku.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.set1.eku.default.name=Extended Key Usage Extension Default
+policyset.set1.eku.default.params.exKeyUsageCritical=false
+policyset.set1.eku.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+policyset.set1.p8.constraint.class_id=noConstraintImpl
+policyset.set1.p8.constraint.name=No Constraint
+policyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.set1.p8.default.name=Subject Key Identifier Default
+policyset.set1.p9.constraint.class_id=noConstraintImpl
+policyset.set1.p9.constraint.name=No Constraint
+policyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.set1.p9.default.name=Authority Key Identifier Extension Default
+policyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.set1.p12.constraint.name=Basic Constraints Extension Constraint
+policyset.set1.p12.constraint.params.basicConstraintsCritical=-
+policyset.set1.p12.constraint.params.basicConstraintsIsCA=-
+policyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1
+policyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl
+policyset.set1.p12.default.name=Basic Constraints Extension Default
+policyset.set1.p12.default.params.basicConstraintsCritical=false
+policyset.set1.p12.default.params.basicConstraintsIsCA=false
+policyset.set1.p12.default.params.basicConstraintsPathLen=-1
+policyset.set1.crldp.constraint.class_id=noConstraintImpl
+policyset.set1.crldp.constraint.name=No Constraint
+policyset.set1.crldp.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.set1.crldp.default.name=crlDistributionPointsExtDefaultImpl
+policyset.set1.crldp.default.params.crlDistPointsCritical=false
+policyset.set1.crldp.default.params.crlDistPointsNum=1
+policyset.set1.crldp.default.params.crlDistPointsEnable_0=true
+policyset.set1.crldp.default.params.crlDistPointsIssuerName_0=
+policyset.set1.crldp.default.params.crlDistPointsIssuerType_0=
+policyset.set1.crldp.default.params.crlDistPointsPointName_0=http://air.sfbay.redhat.com:9080/ca/ee/ca/getCRL?crlIssuingPoint=MasterCRL&op=getCRL&crlDisplayType=cachedCRL&submit=Submit
+policyset.set1.crldp.default.params.crlDistPointsPointType_0=URIName
+policyset.set1.crldp.default.params.crlDistPointsReasons_0=
+policyset.set1.gen.constraint.class_id=noConstraintImpl
+policyset.set1.gen.constraint.name=No Constraint
+policyset.set1.gen.default.class_id=genericExtDefaultImpl
+policyset.set1.gen.default.name=Generic Extension
+#This is the Microsoft 'Certificate Template Name' Extensions. The Value is 'DomainController'
+policyset.set1.gen.default.params.genericExtOID=1.3.6.1.4.1.311.20.2
+policyset.set1.gen.default.params.genericExtData=1e200044006f006d00610069006e0043006f006e00740072006f006c006c00650072
diff --git a/pki/base/ca/shared/profiles/ca/caAdminCert.cfg b/pki/base/ca/shared/profiles/ca/caAdminCert.cfg
new file mode 100644
index 000000000..db15fe83f
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caAdminCert.cfg
@@ -0,0 +1,88 @@
+desc=This certificate profile is for enrolling Security Domain administrator's certificates with LDAP authentication against the internal LDAP database.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Security Domain Administrator Certificate Enrollment
+input.list=i1,i2,i3
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+input.i3.class_id=subjectDNInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=adminCertSet
+policyset.adminCertSet.list=1,2,3,4,5,6,7,8
+policyset.adminCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.adminCertSet.1.constraint.name=Subject Name Constraint
+policyset.adminCertSet.1.constraint.params.pattern=.*
+policyset.adminCertSet.1.constraint.params.accept=true
+policyset.adminCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.adminCertSet.1.default.name=Subject Name Default
+policyset.adminCertSet.1.default.params.name=
+policyset.adminCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.adminCertSet.2.constraint.name=Validity Constraint
+policyset.adminCertSet.2.constraint.params.range=365
+policyset.adminCertSet.2.constraint.params.notBeforeCheck=false
+policyset.adminCertSet.2.constraint.params.notAfterCheck=false
+policyset.adminCertSet.2.default.class_id=validityDefaultImpl
+policyset.adminCertSet.2.default.name=Validity Default
+policyset.adminCertSet.2.default.params.range=365
+policyset.adminCertSet.2.default.params.startTime=0
+policyset.adminCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.adminCertSet.3.constraint.name=Key Constraint
+policyset.adminCertSet.3.constraint.params.keyType=-
+policyset.adminCertSet.3.constraint.params.keyMinLength=256
+policyset.adminCertSet.3.constraint.params.keyMaxLength=4096
+policyset.adminCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.adminCertSet.3.default.name=Key Default
+policyset.adminCertSet.4.constraint.class_id=noConstraintImpl
+policyset.adminCertSet.4.constraint.name=No Constraint
+policyset.adminCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.adminCertSet.4.default.name=Authority Key Identifier Default
+policyset.adminCertSet.5.constraint.class_id=noConstraintImpl
+policyset.adminCertSet.5.constraint.name=No Constraint
+policyset.adminCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.adminCertSet.5.default.name=AIA Extension Default
+policyset.adminCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.adminCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.adminCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.adminCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.adminCertSet.5.default.params.authInfoAccessCritical=false
+policyset.adminCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.adminCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.adminCertSet.6.constraint.params.keyUsageCritical=true
+policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.adminCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.adminCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.adminCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.adminCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.adminCertSet.6.default.name=Key Usage Default
+policyset.adminCertSet.6.default.params.keyUsageCritical=true
+policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.adminCertSet.6.default.params.keyUsageCrlSign=false
+policyset.adminCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.adminCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.adminCertSet.7.constraint.class_id=noConstraintImpl
+policyset.adminCertSet.7.constraint.name=No Constraint
+policyset.adminCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.adminCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.adminCertSet.7.default.params.exKeyUsageCritical=false
+policyset.adminCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.adminCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.adminCertSet.8.constraint.name=No Constraint
+policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.adminCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.adminCertSet.8.default.name=Signing Alg
+policyset.adminCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caAgentFileSigning.cfg b/pki/base/ca/shared/profiles/ca/caAgentFileSigning.cfg
new file mode 100644
index 000000000..192756222
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caAgentFileSigning.cfg
@@ -0,0 +1,87 @@
+desc=This certificate profile is for file signing with agent authentication.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=AgentCertAuth
+name=Agent-Authenticated File Signing
+input.list=i1,i2,i3
+input.i1.class_id=keyGenInputImpl
+input.i2.class_id=fileSigningInputImpl
+input.i3.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=pkcs7OutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=(Name)$request.requestor_name$(Text)$request.file_signing_text$(Size)$request.file_signing_size$(DigestType)$request.file_signing_digest_type$(Digest)$request.file_signing_digest$
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=365
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=180
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyMinLength=256
+policyset.serverCertSet.3.constraint.params.keyMaxLength=4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caAgentServerCert.cfg b/pki/base/ca/shared/profiles/ca/caAgentServerCert.cfg
new file mode 100644
index 000000000..534becd63
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caAgentServerCert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling server certificates with agent authentication.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=AgentCertAuth
+name=Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=365
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=180
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyMinLength=256
+policyset.serverCertSet.3.constraint.params.keyMaxLength=4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caCACert.cfg b/pki/base/ca/shared/profiles/ca/caCACert.cfg
new file mode 100644
index 000000000..0af20356b
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caCACert.cfg
@@ -0,0 +1,96 @@
+desc=This certificate profile is for enrolling Certificate Authority certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=Manual Certificate Manager Signing Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=caCertSet
+policyset.caCertSet.list=1,2,3,4,5,6,8,9,10
+policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.caCertSet.1.constraint.name=Subject Name Constraint
+policyset.caCertSet.1.constraint.params.pattern=CN=.*
+policyset.caCertSet.1.constraint.params.accept=true
+policyset.caCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.caCertSet.1.default.name=Subject Name Default
+policyset.caCertSet.1.default.params.name=
+policyset.caCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.caCertSet.2.constraint.name=Validity Constraint
+policyset.caCertSet.2.constraint.params.range=720
+policyset.caCertSet.2.constraint.params.notBeforeCheck=false
+policyset.caCertSet.2.constraint.params.notAfterCheck=false
+policyset.caCertSet.2.default.class_id=validityDefaultImpl
+policyset.caCertSet.2.default.name=Validity Default
+policyset.caCertSet.2.default.params.range=720
+policyset.caCertSet.2.default.params.startTime=0
+policyset.caCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.caCertSet.3.constraint.name=Key Constraint
+policyset.caCertSet.3.constraint.params.keyType=-
+policyset.caCertSet.3.constraint.params.keyMinLength=256
+policyset.caCertSet.3.constraint.params.keyMaxLength=4096
+policyset.caCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.caCertSet.3.default.name=Key Default
+policyset.caCertSet.4.constraint.class_id=noConstraintImpl
+policyset.caCertSet.4.constraint.name=No Constraint
+policyset.caCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.caCertSet.4.default.name=Authority Key Identifier Default
+policyset.caCertSet.5.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.caCertSet.5.constraint.name=Basic Constraint Extension Constraint
+policyset.caCertSet.5.constraint.params.basicConstraintsCritical=true
+policyset.caCertSet.5.constraint.params.basicConstraintsIsCA=true
+policyset.caCertSet.5.constraint.params.basicConstraintsMinPathLen=-1
+policyset.caCertSet.5.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.caCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
+policyset.caCertSet.5.default.name=Basic Constraints Extension Default
+policyset.caCertSet.5.default.params.basicConstraintsCritical=true
+policyset.caCertSet.5.default.params.basicConstraintsIsCA=true
+policyset.caCertSet.5.default.params.basicConstraintsPathLen=-1
+policyset.caCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.caCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.caCertSet.6.constraint.params.keyUsageCritical=true
+policyset.caCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.caCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.caCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.caCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.caCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.caCertSet.6.constraint.params.keyUsageKeyCertSign=true
+policyset.caCertSet.6.constraint.params.keyUsageCrlSign=true
+policyset.caCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.caCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.caCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.caCertSet.6.default.name=Key Usage Default
+policyset.caCertSet.6.default.params.keyUsageCritical=true
+policyset.caCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.caCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.caCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.caCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.caCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.caCertSet.6.default.params.keyUsageKeyCertSign=true
+policyset.caCertSet.6.default.params.keyUsageCrlSign=true
+policyset.caCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.caCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.caCertSet.8.constraint.class_id=noConstraintImpl
+policyset.caCertSet.8.constraint.name=No Constraint
+policyset.caCertSet.8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default
+policyset.caCertSet.8.default.params.critical=false
+policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.caCertSet.9.constraint.name=No Constraint
+policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.caCertSet.9.default.name=Signing Alg
+policyset.caCertSet.9.default.params.signingAlg=-
+policyset.caCertSet.10.constraint.class_id=noConstraintImpl
+policyset.caCertSet.10.constraint.name=No Constraint
+policyset.caCertSet.10.default.class_id=authInfoAccessExtDefaultImpl
+policyset.caCertSet.10.default.name=AIA Extension Default
+policyset.caCertSet.10.default.params.authInfoAccessADEnable_0=true
+policyset.caCertSet.10.default.params.authInfoAccessADLocationType_0=URIName
+policyset.caCertSet.10.default.params.authInfoAccessADLocation_0=
+policyset.caCertSet.10.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.caCertSet.10.default.params.authInfoAccessCritical=false
+policyset.caCertSet.10.default.params.authInfoAccessNumADs=1
diff --git a/pki/base/ca/shared/profiles/ca/caCMCUserCert.cfg b/pki/base/ca/shared/profiles/ca/caCMCUserCert.cfg
new file mode 100644
index 000000000..8b6936e06
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caCMCUserCert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=CMCAuth
+name=Signed CMC-Authenticated User Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=cmcCertReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=cmcUserCertSet
+policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
+policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
+policyset.cmcUserCertSet.1.constraint.params.pattern=.*
+policyset.cmcUserCertSet.1.constraint.params.accept=true
+policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.cmcUserCertSet.1.default.name=Subject Name Default
+policyset.cmcUserCertSet.1.default.params.name=
+policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
+policyset.cmcUserCertSet.2.constraint.params.range=365
+policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
+policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
+policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
+policyset.cmcUserCertSet.2.default.name=Validity Default
+policyset.cmcUserCertSet.2.default.params.range=180
+policyset.cmcUserCertSet.2.default.params.startTime=0
+policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.cmcUserCertSet.3.constraint.name=Key Constraint
+policyset.cmcUserCertSet.3.constraint.params.keyType=-
+policyset.cmcUserCertSet.3.constraint.params.keyMinLength=256
+policyset.cmcUserCertSet.3.constraint.params.keyMaxLength=4096
+policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.cmcUserCertSet.3.default.name=Key Default
+policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.4.constraint.name=No Constraint
+policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
+policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.5.constraint.name=No Constraint
+policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.cmcUserCertSet.5.default.name=AIA Extension Default
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
+policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.cmcUserCertSet.6.default.name=Key Usage Default
+policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.7.constraint.name=No Constraint
+policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
+policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.cmcUserCertSet.8.constraint.name=No Constraint
+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.cmcUserCertSet.8.default.name=Signing Alg
+policyset.cmcUserCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caDirUserCert.cfg b/pki/base/ca/shared/profiles/ca/caDirUserCert.cfg
new file mode 100644
index 000000000..3806d0b21
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caDirUserCert.cfg
@@ -0,0 +1,94 @@
+desc=This certificate profile is for enrolling user certificates with directory-based authentication.
+visible=true
+enable=true
+enableBy=admin
+name=Directory-Authenticated User Dual-Use Certificate Enrollment
+auth.instance_id=UserDirEnrollment
+input.list=i1
+input.i1.class_id=keyGenInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=userCertSet
+policyset.userCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.userCertSet.1.constraint.name=Subject Name Constraint
+policyset.userCertSet.1.constraint.params.pattern=UID=.*
+policyset.userCertSet.1.constraint.params.accept=true
+policyset.userCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
+policyset.userCertSet.1.default.name=Subject Name Default
+policyset.userCertSet.1.default.params.name=
+policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.userCertSet.2.constraint.name=Validity Constraint
+policyset.userCertSet.2.constraint.params.range=365
+policyset.userCertSet.2.constraint.params.notBeforeCheck=false
+policyset.userCertSet.2.constraint.params.notAfterCheck=false
+policyset.userCertSet.2.default.class_id=validityDefaultImpl
+policyset.userCertSet.2.default.name=Validity Default
+policyset.userCertSet.2.default.params.range=180
+policyset.userCertSet.2.default.params.startTime=0
+policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.userCertSet.3.constraint.name=Key Constraint
+policyset.userCertSet.3.constraint.params.keyType=-
+policyset.userCertSet.3.constraint.params.keyMinLength=256
+policyset.userCertSet.3.constraint.params.keyMaxLength=4096
+policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.userCertSet.3.default.name=Key Default
+policyset.userCertSet.4.constraint.class_id=noConstraintImpl
+policyset.userCertSet.4.constraint.name=No Constraint
+policyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.userCertSet.4.default.name=Authority Key Identifier Default
+policyset.userCertSet.5.constraint.class_id=noConstraintImpl
+policyset.userCertSet.5.constraint.name=No Constraint
+policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.userCertSet.5.default.name=AIA Extension Default
+policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.userCertSet.5.default.params.authInfoAccessCritical=false
+policyset.userCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.userCertSet.6.constraint.params.keyUsageCritical=true
+policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.userCertSet.6.default.name=Key Usage Default
+policyset.userCertSet.6.default.params.keyUsageCritical=true
+policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.default.params.keyUsageCrlSign=false
+policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.userCertSet.7.constraint.class_id=noConstraintImpl
+policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.userCertSet.7.default.params.exKeyUsageCritical=false
+policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.userCertSet.8.constraint.class_id=noConstraintImpl
+policyset.userCertSet.8.constraint.name=No Constraint
+policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.userCertSet.8.default.name=Subject Alt Name Constraint
+policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.userCertSet.9.constraint.name=No Constraint
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.userCertSet.9.default.name=Signing Alg
+policyset.userCertSet.9.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caDualCert.cfg b/pki/base/ca/shared/profiles/ca/caDualCert.cfg
new file mode 100644
index 000000000..bd99199fa
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caDualCert.cfg
@@ -0,0 +1,170 @@
+desc=This certificate profile is for enrolling dual user certificates. It works only with Netscape 7.0 or later.
+visible=true
+enable=true
+enableBy=admin
+name=Manual User Signing & Encryption Certificates Enrollment
+auth.class_id=
+input.list=i1,i2,i3
+input.i1.class_id=dualKeyGenInputImpl
+input.i2.class_id=subjectNameInputImpl
+input.i3.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=encryptionCertSet,signingCertSet
+policyset.encryptionCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.encryptionCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.encryptionCertSet.1.constraint.name=Subject Name Constraint
+policyset.encryptionCertSet.1.constraint.params.pattern=UID=.*
+policyset.encryptionCertSet.1.constraint.params.accept=true
+policyset.encryptionCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.encryptionCertSet.1.default.name=Subject Name Default
+policyset.encryptionCertSet.1.default.params.name=
+policyset.encryptionCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.encryptionCertSet.2.constraint.name=Validity Constraint
+policyset.encryptionCertSet.2.constraint.params.range=365
+policyset.encryptionCertSet.2.constraint.params.notBeforeCheck=false
+policyset.encryptionCertSet.2.constraint.params.notAfterCheck=false
+policyset.encryptionCertSet.2.default.class_id=validityDefaultImpl
+policyset.encryptionCertSet.2.default.name=Validity Default
+policyset.encryptionCertSet.2.default.params.range=180
+policyset.encryptionCertSet.2.default.params.startTime=0
+policyset.encryptionCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.encryptionCertSet.3.constraint.name=Key Constraint
+policyset.encryptionCertSet.3.constraint.params.keyType=-
+policyset.encryptionCertSet.3.constraint.params.keyMinLength=256
+policyset.encryptionCertSet.3.constraint.params.keyMaxLength=4096
+policyset.encryptionCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.encryptionCertSet.3.default.name=Key Default
+policyset.encryptionCertSet.4.constraint.class_id=noConstraintImpl
+policyset.encryptionCertSet.4.constraint.name=No Constraint
+policyset.encryptionCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.encryptionCertSet.4.default.name=Authority Key Identifier Default
+policyset.encryptionCertSet.5.constraint.class_id=noConstraintImpl
+policyset.encryptionCertSet.5.constraint.name=No Constraint
+policyset.encryptionCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.encryptionCertSet.5.default.name=AIA Extension Default
+policyset.encryptionCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.encryptionCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.encryptionCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.encryptionCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.encryptionCertSet.5.default.params.authInfoAccessCritical=false
+policyset.encryptionCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.encryptionCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.encryptionCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.encryptionCertSet.6.constraint.params.keyUsageCritical=true
+policyset.encryptionCertSet.6.constraint.params.keyUsageDigitalSignature=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageNonRepudiation=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.encryptionCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.encryptionCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.encryptionCertSet.6.default.name=Key Usage Default
+policyset.encryptionCertSet.6.default.params.keyUsageCritical=true
+policyset.encryptionCertSet.6.default.params.keyUsageDigitalSignature=false
+policyset.encryptionCertSet.6.default.params.keyUsageNonRepudiation=false
+policyset.encryptionCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.encryptionCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.encryptionCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.encryptionCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.encryptionCertSet.6.default.params.keyUsageCrlSign=false
+policyset.encryptionCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.encryptionCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.encryptionCertSet.7.constraint.class_id=noConstraintImpl
+policyset.encryptionCertSet.7.constraint.name=No Constraint
+policyset.encryptionCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.encryptionCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.encryptionCertSet.7.default.params.exKeyUsageCritical=false
+policyset.encryptionCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.encryptionCertSet.8.constraint.class_id=noConstraintImpl
+policyset.encryptionCertSet.8.constraint.name=No Constraint
+policyset.encryptionCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.encryptionCertSet.8.default.name=Subject Alt Name Constraint
+policyset.encryptionCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.encryptionCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.encryptionCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.encryptionCertSet.9.constraint.name=No Constraint
+policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.encryptionCertSet.9.default.name=Signing Alg
+policyset.encryptionCertSet.9.default.params.signingAlg=-
+policyset.signingCertSet.list=1,2,3,4,6,7,8,9
+policyset.signingCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.signingCertSet.1.constraint.name=Subject Name Constraint
+policyset.signingCertSet.1.constraint.params.pattern=UID=.*
+policyset.signingCertSet.1.constraint.params.accept=true
+policyset.signingCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.signingCertSet.1.default.name=Subject Name Default
+policyset.signingCertSet.1.default.params.name=
+policyset.signingCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.signingCertSet.2.constraint.name=Validity Constraint
+policyset.signingCertSet.2.constraint.params.range=365
+policyset.signingCertSet.2.constraint.params.notBeforeCheck=false
+policyset.signingCertSet.2.constraint.params.notAfterCheck=false
+policyset.signingCertSet.2.default.class_id=validityDefaultImpl
+policyset.signingCertSet.2.default.name=Validity Default
+policyset.signingCertSet.2.default.params.range=180
+policyset.signingCertSet.2.default.params.startTime=60
+policyset.signingCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.signingCertSet.3.constraint.name=Key Constraint
+policyset.signingCertSet.3.constraint.params.keyType=RSA
+policyset.signingCertSet.3.constraint.params.keyMinLength=512
+policyset.signingCertSet.3.constraint.params.keyMaxLength=4096
+policyset.signingCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.signingCertSet.3.default.name=Key Default
+policyset.signingCertSet.4.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.4.constraint.name=No Constraint
+policyset.signingCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.signingCertSet.4.default.name=Authority Key Identifier Default
+policyset.signingCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.signingCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.signingCertSet.6.constraint.params.keyUsageCritical=true
+policyset.signingCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.signingCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.signingCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.signingCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.signingCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.signingCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.signingCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.signingCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.signingCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.signingCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.signingCertSet.6.default.name=Key Usage Default
+policyset.signingCertSet.6.default.params.keyUsageCritical=true
+policyset.signingCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.signingCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.signingCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.signingCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.signingCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.signingCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.signingCertSet.6.default.params.keyUsageCrlSign=false
+policyset.signingCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.signingCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.signingCertSet.7.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.7.constraint.name=No Constraint
+policyset.signingCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.signingCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.signingCertSet.7.default.params.exKeyUsageCritical=false
+policyset.signingCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.signingCertSet.8.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.8.constraint.name=No Constraint
+policyset.signingCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.signingCertSet.8.default.name=Subject Alt Name Constraint
+policyset.signingCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.signingCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.signingCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.signingCertSet.9.constraint.name=No Constraint
+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA
+policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.signingCertSet.9.default.name=Signing Alg
+policyset.signingCertSet.9.default.params.signingAlg=SHA1withRSA
+policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA
diff --git a/pki/base/ca/shared/profiles/ca/caDualRAuserCert.cfg b/pki/base/ca/shared/profiles/ca/caDualRAuserCert.cfg
new file mode 100644
index 000000000..0f6036cf2
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caDualRAuserCert.cfg
@@ -0,0 +1,95 @@
+desc=This certificate profile is for enrolling user certificates with RA agent authentication.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=RA Agent-Authenticated User Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=userCertSet
+policyset.userCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.userCertSet.1.constraint.name=Subject Name Constraint
+policyset.userCertSet.1.constraint.params.pattern=.*UID=.*
+policyset.userCertSet.1.constraint.params.accept=true
+policyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.userCertSet.1.default.name=Subject Name Default
+policyset.userCertSet.1.default.params.name=
+policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.userCertSet.2.constraint.name=Validity Constraint
+policyset.userCertSet.2.constraint.params.range=365
+policyset.userCertSet.2.constraint.params.notBeforeCheck=false
+policyset.userCertSet.2.constraint.params.notAfterCheck=false
+policyset.userCertSet.2.default.class_id=validityDefaultImpl
+policyset.userCertSet.2.default.name=Validity Default
+policyset.userCertSet.2.default.params.range=180
+policyset.userCertSet.2.default.params.startTime=0
+policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.userCertSet.3.constraint.name=Key Constraint
+policyset.userCertSet.3.constraint.params.keyType=-
+policyset.userCertSet.3.constraint.params.keyMinLength=256
+policyset.userCertSet.3.constraint.params.keyMaxLength=4096
+policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.userCertSet.3.default.name=Key Default
+policyset.userCertSet.4.constraint.class_id=noConstraintImpl
+policyset.userCertSet.4.constraint.name=No Constraint
+policyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.userCertSet.4.default.name=Authority Key Identifier Default
+policyset.userCertSet.5.constraint.class_id=noConstraintImpl
+policyset.userCertSet.5.constraint.name=No Constraint
+policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.userCertSet.5.default.name=AIA Extension Default
+policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.userCertSet.5.default.params.authInfoAccessCritical=false
+policyset.userCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.userCertSet.6.constraint.params.keyUsageCritical=true
+policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.userCertSet.6.default.name=Key Usage Default
+policyset.userCertSet.6.default.params.keyUsageCritical=true
+policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.default.params.keyUsageCrlSign=false
+policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.userCertSet.7.constraint.class_id=noConstraintImpl
+policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.userCertSet.7.default.params.exKeyUsageCritical=false
+policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.userCertSet.8.constraint.class_id=noConstraintImpl
+policyset.userCertSet.8.constraint.name=No Constraint
+policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.userCertSet.8.default.name=Subject Alt Name Constraint
+policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.userCertSet.9.constraint.name=No Constraint
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC
+policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.userCertSet.9.default.name=Signing Alg
+policyset.userCertSet.9.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg b/pki/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
new file mode 100644
index 000000000..11a5475ec
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication.
+enable=true
+enableBy=admin
+name=Signed CMC-Authenticated User Certificate Enrollment
+visible=false
+auth.instance_id=CMCAuth
+input.list=i1,i2
+input.i1.class_id=cmcCertReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=cmcUserCertSet
+policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
+policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
+policyset.cmcUserCertSet.1.constraint.params.accept=true
+policyset.cmcUserCertSet.1.constraint.params.pattern=.*
+policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.cmcUserCertSet.1.default.name=Subject Name Default
+policyset.cmcUserCertSet.1.default.params.name=
+policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
+policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
+policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
+policyset.cmcUserCertSet.2.constraint.params.range=365
+policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
+policyset.cmcUserCertSet.2.default.name=Validity Default
+policyset.cmcUserCertSet.2.default.params.range=180
+policyset.cmcUserCertSet.2.default.params.startTime=0
+policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.cmcUserCertSet.3.constraint.name=Key Constraint
+policyset.cmcUserCertSet.3.constraint.params.keyMaxLength=4096
+policyset.cmcUserCertSet.3.constraint.params.keyMinLength=256
+policyset.cmcUserCertSet.3.constraint.params.keyType=-
+policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.cmcUserCertSet.3.default.name=Key Default
+policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.4.constraint.name=No Constraint
+policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
+policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.5.constraint.name=No Constraint
+policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.cmcUserCertSet.5.default.name=AIA Extension Default
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
+policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.cmcUserCertSet.6.default.name=Key Usage Default
+policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.7.constraint.name=No Constraint
+policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
+policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.cmcUserCertSet.8.constraint.name=No Constraint
+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.cmcUserCertSet.8.default.name=Signing Alg
+policyset.cmcUserCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caInstallCACert.cfg b/pki/base/ca/shared/profiles/ca/caInstallCACert.cfg
new file mode 100644
index 000000000..2f01ee306
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caInstallCACert.cfg
@@ -0,0 +1,97 @@
+desc=This certificate profile is for enrolling Security Domain Certificate Authority certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Manual Security Domain Certificate Authority Signing Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=caCertSet
+policyset.caCertSet.list=1,2,3,4,5,6,8,9,10
+policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.caCertSet.1.constraint.name=Subject Name Constraint
+policyset.caCertSet.1.constraint.params.pattern=CN=.*
+policyset.caCertSet.1.constraint.params.accept=true
+policyset.caCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.caCertSet.1.default.name=Subject Name Default
+policyset.caCertSet.1.default.params.name=
+policyset.caCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.caCertSet.2.constraint.name=Validity Constraint
+policyset.caCertSet.2.constraint.params.range=720
+policyset.caCertSet.2.constraint.params.notBeforeCheck=false
+policyset.caCertSet.2.constraint.params.notAfterCheck=false
+policyset.caCertSet.2.default.class_id=validityDefaultImpl
+policyset.caCertSet.2.default.name=Validity Default
+policyset.caCertSet.2.default.params.range=720
+policyset.caCertSet.2.default.params.startTime=0
+policyset.caCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.caCertSet.3.constraint.name=Key Constraint
+policyset.caCertSet.3.constraint.params.keyType=-
+policyset.caCertSet.3.constraint.params.keyMinLength=256
+policyset.caCertSet.3.constraint.params.keyMaxLength=4096
+policyset.caCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.caCertSet.3.default.name=Key Default
+policyset.caCertSet.4.constraint.class_id=noConstraintImpl
+policyset.caCertSet.4.constraint.name=No Constraint
+policyset.caCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.caCertSet.4.default.name=Authority Key Identifier Default
+policyset.caCertSet.5.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.caCertSet.5.constraint.name=Basic Constraint Extension Constraint
+policyset.caCertSet.5.constraint.params.basicConstraintsCritical=true
+policyset.caCertSet.5.constraint.params.basicConstraintsIsCA=true
+policyset.caCertSet.5.constraint.params.basicConstraintsMinPathLen=-1
+policyset.caCertSet.5.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.caCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
+policyset.caCertSet.5.default.name=Basic Constraints Extension Default
+policyset.caCertSet.5.default.params.basicConstraintsCritical=true
+policyset.caCertSet.5.default.params.basicConstraintsIsCA=true
+policyset.caCertSet.5.default.params.basicConstraintsPathLen=-1
+policyset.caCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.caCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.caCertSet.6.constraint.params.keyUsageCritical=true
+policyset.caCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.caCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.caCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.caCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.caCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.caCertSet.6.constraint.params.keyUsageKeyCertSign=true
+policyset.caCertSet.6.constraint.params.keyUsageCrlSign=true
+policyset.caCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.caCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.caCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.caCertSet.6.default.name=Key Usage Default
+policyset.caCertSet.6.default.params.keyUsageCritical=true
+policyset.caCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.caCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.caCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.caCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.caCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.caCertSet.6.default.params.keyUsageKeyCertSign=true
+policyset.caCertSet.6.default.params.keyUsageCrlSign=true
+policyset.caCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.caCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.caCertSet.8.constraint.class_id=noConstraintImpl
+policyset.caCertSet.8.constraint.name=No Constraint
+policyset.caCertSet.8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default
+policyset.caCertSet.8.default.params.critical=false
+policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.caCertSet.9.constraint.name=No Constraint
+policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.caCertSet.9.default.name=Signing Alg
+policyset.caCertSet.9.default.params.signingAlg=-
+policyset.caCertSet.10.constraint.class_id=noConstraintImpl
+policyset.caCertSet.10.constraint.name=No Constraint
+policyset.caCertSet.10.default.class_id=authInfoAccessExtDefaultImpl
+policyset.caCertSet.10.default.name=AIA Extension Default
+policyset.caCertSet.10.default.params.authInfoAccessADEnable_0=true
+policyset.caCertSet.10.default.params.authInfoAccessADLocationType_0=URIName
+policyset.caCertSet.10.default.params.authInfoAccessADLocation_0=
+policyset.caCertSet.10.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.caCertSet.10.default.params.authInfoAccessCritical=false
+policyset.caCertSet.10.default.params.authInfoAccessNumADs=1
diff --git a/pki/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg b/pki/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
new file mode 100644
index 000000000..5702c7662
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
@@ -0,0 +1,72 @@
+desc=This certificate profile is for enrolling Security Domain DRM storage certificates
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Security Domain DRM storage Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=ocspCertSet
+policyset.ocspCertSet.list=1,2,3,4,5,6,8,9
+policyset.ocspCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.ocspCertSet.1.constraint.name=Subject Name Constraint
+policyset.ocspCertSet.1.constraint.params.pattern=CN=.*
+policyset.ocspCertSet.1.constraint.params.accept=true
+policyset.ocspCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.ocspCertSet.1.default.name=Subject Name Default
+policyset.ocspCertSet.1.default.params.name=
+policyset.ocspCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.ocspCertSet.2.constraint.name=Validity Constraint
+policyset.ocspCertSet.2.constraint.params.range=720
+policyset.ocspCertSet.2.constraint.params.notBeforeCheck=false
+policyset.ocspCertSet.2.constraint.params.notAfterCheck=false
+policyset.ocspCertSet.2.default.class_id=validityDefaultImpl
+policyset.ocspCertSet.2.default.name=Validity Default
+policyset.ocspCertSet.2.default.params.range=720
+policyset.ocspCertSet.2.default.params.startTime=0
+policyset.ocspCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.ocspCertSet.3.constraint.name=Key Constraint
+policyset.ocspCertSet.3.constraint.params.keyType=-
+policyset.ocspCertSet.3.constraint.params.keyMinLength=256
+policyset.ocspCertSet.3.constraint.params.keyMaxLength=4096
+policyset.ocspCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.ocspCertSet.3.default.name=Key Default
+policyset.ocspCertSet.4.constraint.class_id=noConstraintImpl
+policyset.ocspCertSet.4.constraint.name=No Constraint
+policyset.ocspCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.ocspCertSet.4.default.name=Authority Key Identifier Default
+policyset.ocspCertSet.5.constraint.class_id=noConstraintImpl
+policyset.ocspCertSet.5.constraint.name=No Constraint
+policyset.ocspCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.ocspCertSet.5.default.name=AIA Extension Default
+policyset.ocspCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.ocspCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.ocspCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.ocspCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.ocspCertSet.5.default.params.authInfoAccessCritical=false
+policyset.ocspCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.ocspCertSet.6.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.ocspCertSet.6.constraint.name=Extended Key Usage Extension
+policyset.ocspCertSet.6.constraint.params.exKeyUsageCritical=false
+policyset.ocspCertSet.6.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9
+policyset.ocspCertSet.6.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.ocspCertSet.6.default.name=Extended Key Usage Default
+policyset.ocspCertSet.6.default.params.exKeyUsageCritical=false
+policyset.ocspCertSet.6.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9
+policyset.ocspCertSet.8.constraint.class_id=extensionConstraintImpl
+policyset.ocspCertSet.8.constraint.name=No Constraint
+policyset.ocspCertSet.8.constraint.params.extCritical=false
+policyset.ocspCertSet.8.constraint.params.extOID=1.3.6.1.5.5.7.48.1.5
+policyset.ocspCertSet.8.default.class_id=ocspNoCheckExtDefaultImpl
+policyset.ocspCertSet.8.default.name=OCSP No Check Extension
+policyset.ocspCertSet.8.default.params.ocspNoCheckCritical=false
+policyset.ocspCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.ocspCertSet.9.constraint.name=No Constraint
+policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.ocspCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.ocspCertSet.9.default.name=Signing Alg
+policyset.ocspCertSet.9.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg b/pki/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg
new file mode 100644
index 000000000..453d31e06
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg
@@ -0,0 +1,72 @@
+desc=This certificate profile is for enrolling Security Domain OCSP Manager certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Security Domain OCSP Manager Signing Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=ocspCertSet
+policyset.ocspCertSet.list=1,2,3,4,5,6,8,9
+policyset.ocspCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.ocspCertSet.1.constraint.name=Subject Name Constraint
+policyset.ocspCertSet.1.constraint.params.pattern=CN=.*
+policyset.ocspCertSet.1.constraint.params.accept=true
+policyset.ocspCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.ocspCertSet.1.default.name=Subject Name Default
+policyset.ocspCertSet.1.default.params.name=
+policyset.ocspCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.ocspCertSet.2.constraint.name=Validity Constraint
+policyset.ocspCertSet.2.constraint.params.range=720
+policyset.ocspCertSet.2.constraint.params.notBeforeCheck=false
+policyset.ocspCertSet.2.constraint.params.notAfterCheck=false
+policyset.ocspCertSet.2.default.class_id=validityDefaultImpl
+policyset.ocspCertSet.2.default.name=Validity Default
+policyset.ocspCertSet.2.default.params.range=720
+policyset.ocspCertSet.2.default.params.startTime=0
+policyset.ocspCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.ocspCertSet.3.constraint.name=Key Constraint
+policyset.ocspCertSet.3.constraint.params.keyType=-
+policyset.ocspCertSet.3.constraint.params.keyMinLength=256
+policyset.ocspCertSet.3.constraint.params.keyMaxLength=4096
+policyset.ocspCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.ocspCertSet.3.default.name=Key Default
+policyset.ocspCertSet.4.constraint.class_id=noConstraintImpl
+policyset.ocspCertSet.4.constraint.name=No Constraint
+policyset.ocspCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.ocspCertSet.4.default.name=Authority Key Identifier Default
+policyset.ocspCertSet.5.constraint.class_id=noConstraintImpl
+policyset.ocspCertSet.5.constraint.name=No Constraint
+policyset.ocspCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.ocspCertSet.5.default.name=AIA Extension Default
+policyset.ocspCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.ocspCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.ocspCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.ocspCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.ocspCertSet.5.default.params.authInfoAccessCritical=false
+policyset.ocspCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.ocspCertSet.6.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.ocspCertSet.6.constraint.name=Extended Key Usage Extension
+policyset.ocspCertSet.6.constraint.params.exKeyUsageCritical=false
+policyset.ocspCertSet.6.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9
+policyset.ocspCertSet.6.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.ocspCertSet.6.default.name=Extended Key Usage Default
+policyset.ocspCertSet.6.default.params.exKeyUsageCritical=false
+policyset.ocspCertSet.6.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9
+policyset.ocspCertSet.8.constraint.class_id=extensionConstraintImpl
+policyset.ocspCertSet.8.constraint.name=No Constraint
+policyset.ocspCertSet.8.constraint.params.extCritical=false
+policyset.ocspCertSet.8.constraint.params.extOID=1.3.6.1.5.5.7.48.1.5
+policyset.ocspCertSet.8.default.class_id=ocspNoCheckExtDefaultImpl
+policyset.ocspCertSet.8.default.name=OCSP No Check Extension
+policyset.ocspCertSet.8.default.params.ocspNoCheckCritical=false
+policyset.ocspCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.ocspCertSet.9.constraint.name=No Constraint
+policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.ocspCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.ocspCertSet.9.default.name=Signing Alg
+policyset.ocspCertSet.9.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg b/pki/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
new file mode 100644
index 000000000..85aff8b4f
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
@@ -0,0 +1,87 @@
+desc=This certificate profile is for enrolling Security Domain server certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Security Domain Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyMinLength=256
+policyset.serverCertSet.3.constraint.params.keyMaxLength=4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg b/pki/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg
new file mode 100644
index 000000000..95534a15a
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg
@@ -0,0 +1,89 @@
+desc=This certificate profile is for enrolling Security Domain subsystem certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Security Domain Subsysem Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+updater.list=u1
+updater.u1.class_id=subsystemGroupUpdaterImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyMinLength=256
+policyset.serverCertSet.3.constraint.params.keyMaxLength=4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg b/pki/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
new file mode 100644
index 000000000..55896adb6
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
@@ -0,0 +1,81 @@
+desc=This certificate profile is for enrolling Security Domain Data Recovery Manager transport certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Security Domain Data Recovery Manager Transport Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=transportCertSet
+policyset.transportCertSet.list=1,2,3,4,5,6,8
+policyset.transportCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.transportCertSet.1.constraint.name=Subject Name Constraint
+policyset.transportCertSet.1.constraint.params.pattern=CN=.*
+policyset.transportCertSet.1.constraint.params.accept=true
+policyset.transportCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.transportCertSet.1.default.name=Subject Name Default
+policyset.transportCertSet.1.default.params.name=
+policyset.transportCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.transportCertSet.2.constraint.name=Validity Constraint
+policyset.transportCertSet.2.constraint.params.range=720
+policyset.transportCertSet.2.constraint.params.notBeforeCheck=false
+policyset.transportCertSet.2.constraint.params.notAfterCheck=false
+policyset.transportCertSet.2.default.class_id=validityDefaultImpl
+policyset.transportCertSet.2.default.name=Validity Default
+policyset.transportCertSet.2.default.params.range=720
+policyset.transportCertSet.2.default.params.startTime=0
+policyset.transportCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.transportCertSet.3.constraint.name=Key Constraint
+policyset.transportCertSet.3.constraint.params.keyType=-
+policyset.transportCertSet.3.constraint.params.keyMinLength=256
+policyset.transportCertSet.3.constraint.params.keyMaxLength=4096
+policyset.transportCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.transportCertSet.3.default.name=Key Default
+policyset.transportCertSet.4.constraint.class_id=noConstraintImpl
+policyset.transportCertSet.4.constraint.name=No Constraint
+policyset.transportCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.transportCertSet.4.default.name=Authority Key Identifier Default
+policyset.transportCertSet.5.constraint.class_id=noConstraintImpl
+policyset.transportCertSet.5.constraint.name=No Constraint
+policyset.transportCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.transportCertSet.5.default.name=AIA Extension Default
+policyset.transportCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.transportCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.transportCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.transportCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.transportCertSet.5.default.params.authInfoAccessCritical=false
+policyset.transportCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.transportCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.transportCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.transportCertSet.6.constraint.params.keyUsageCritical=true
+policyset.transportCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.transportCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.transportCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.transportCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.transportCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.transportCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.transportCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.transportCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.transportCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.transportCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.transportCertSet.6.default.name=Key Usage Default
+policyset.transportCertSet.6.default.params.keyUsageCritical=true
+policyset.transportCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.transportCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.transportCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.transportCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.transportCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.transportCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.transportCertSet.6.default.params.keyUsageCrlSign=false
+policyset.transportCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.transportCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.transportCertSet.8.constraint.name=No Constraint
+policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.transportCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.transportCertSet.8.default.name=Signing Alg
+policyset.transportCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caOCSPCert.cfg b/pki/base/ca/shared/profiles/ca/caOCSPCert.cfg
new file mode 100644
index 000000000..4f5204f1e
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caOCSPCert.cfg
@@ -0,0 +1,71 @@
+desc=This certificate profile is for enrolling OCSP Manager certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=Manual OCSP Manager Signing Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=ocspCertSet
+policyset.ocspCertSet.list=1,2,3,4,5,6,8,9
+policyset.ocspCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.ocspCertSet.1.constraint.name=Subject Name Constraint
+policyset.ocspCertSet.1.constraint.params.pattern=CN=.*
+policyset.ocspCertSet.1.constraint.params.accept=true
+policyset.ocspCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.ocspCertSet.1.default.name=Subject Name Default
+policyset.ocspCertSet.1.default.params.name=
+policyset.ocspCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.ocspCertSet.2.constraint.name=Validity Constraint
+policyset.ocspCertSet.2.constraint.params.range=720
+policyset.ocspCertSet.2.constraint.params.notBeforeCheck=false
+policyset.ocspCertSet.2.constraint.params.notAfterCheck=false
+policyset.ocspCertSet.2.default.class_id=validityDefaultImpl
+policyset.ocspCertSet.2.default.name=Validity Default
+policyset.ocspCertSet.2.default.params.range=720
+policyset.ocspCertSet.2.default.params.startTime=0
+policyset.ocspCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.ocspCertSet.3.constraint.name=Key Constraint
+policyset.ocspCertSet.3.constraint.params.keyType=-
+policyset.ocspCertSet.3.constraint.params.keyMinLength=256
+policyset.ocspCertSet.3.constraint.params.keyMaxLength=4096
+policyset.ocspCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.ocspCertSet.3.default.name=Key Default
+policyset.ocspCertSet.4.constraint.class_id=noConstraintImpl
+policyset.ocspCertSet.4.constraint.name=No Constraint
+policyset.ocspCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.ocspCertSet.4.default.name=Authority Key Identifier Default
+policyset.ocspCertSet.5.constraint.class_id=noConstraintImpl
+policyset.ocspCertSet.5.constraint.name=No Constraint
+policyset.ocspCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.ocspCertSet.5.default.name=AIA Extension Default
+policyset.ocspCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.ocspCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.ocspCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.ocspCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.ocspCertSet.5.default.params.authInfoAccessCritical=false
+policyset.ocspCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.ocspCertSet.6.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.ocspCertSet.6.constraint.name=Extended Key Usage Extension
+policyset.ocspCertSet.6.constraint.params.exKeyUsageCritical=false
+policyset.ocspCertSet.6.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9
+policyset.ocspCertSet.6.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.ocspCertSet.6.default.name=Extended Key Usage Default
+policyset.ocspCertSet.6.default.params.exKeyUsageCritical=false
+policyset.ocspCertSet.6.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9
+policyset.ocspCertSet.8.constraint.class_id=extensionConstraintImpl
+policyset.ocspCertSet.8.constraint.name=No Constraint
+policyset.ocspCertSet.8.constraint.params.extCritical=false
+policyset.ocspCertSet.8.constraint.params.extOID=1.3.6.1.5.5.7.48.1.5
+policyset.ocspCertSet.8.default.class_id=ocspNoCheckExtDefaultImpl
+policyset.ocspCertSet.8.default.name=OCSP No Check Extension
+policyset.ocspCertSet.8.default.params.ocspNoCheckCritical=false
+policyset.ocspCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.ocspCertSet.9.constraint.name=No Constraint
+policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.ocspCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.ocspCertSet.9.default.name=Signing Alg
+policyset.ocspCertSet.9.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caOtherCert.cfg b/pki/base/ca/shared/profiles/ca/caOtherCert.cfg
new file mode 100644
index 000000000..2abdc36f8
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caOtherCert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling other certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=Other Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=otherCertSet
+policyset.otherCertSet.list=1,2,3,4,5,6,7,8
+policyset.otherCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.otherCertSet.1.constraint.name=Subject Name Constraint
+policyset.otherCertSet.1.constraint.params.pattern=CN=.*
+policyset.otherCertSet.1.constraint.params.accept=true
+policyset.otherCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.otherCertSet.1.default.name=Subject Name Default
+policyset.otherCertSet.1.default.params.name=
+policyset.otherCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.otherCertSet.2.constraint.name=Validity Constraint
+policyset.otherCertSet.2.constraint.params.range=720
+policyset.otherCertSet.2.constraint.params.notBeforeCheck=false
+policyset.otherCertSet.2.constraint.params.notAfterCheck=false
+policyset.otherCertSet.2.default.class_id=validityDefaultImpl
+policyset.otherCertSet.2.default.name=Validity Default
+policyset.otherCertSet.2.default.params.range=720
+policyset.otherCertSet.2.default.params.startTime=0
+policyset.otherCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.otherCertSet.3.constraint.name=Key Constraint
+policyset.otherCertSet.3.constraint.params.keyType=-
+policyset.otherCertSet.3.constraint.params.keyMinLength=256
+policyset.otherCertSet.3.constraint.params.keyMaxLength=4096
+policyset.otherCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.otherCertSet.3.default.name=Key Default
+policyset.otherCertSet.4.constraint.class_id=noConstraintImpl
+policyset.otherCertSet.4.constraint.name=No Constraint
+policyset.otherCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.otherCertSet.4.default.name=Authority Key Identifier Default
+policyset.otherCertSet.5.constraint.class_id=noConstraintImpl
+policyset.otherCertSet.5.constraint.name=No Constraint
+policyset.otherCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.otherCertSet.5.default.name=AIA Extension Default
+policyset.otherCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.otherCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.otherCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.otherCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.otherCertSet.5.default.params.authInfoAccessCritical=false
+policyset.otherCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.otherCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.otherCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.otherCertSet.6.constraint.params.keyUsageCritical=true
+policyset.otherCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.otherCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.otherCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.otherCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.otherCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.otherCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.otherCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.otherCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.otherCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.otherCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.otherCertSet.6.default.name=Key Usage Default
+policyset.otherCertSet.6.default.params.keyUsageCritical=true
+policyset.otherCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.otherCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.otherCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.otherCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.otherCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.otherCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.otherCertSet.6.default.params.keyUsageCrlSign=false
+policyset.otherCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.otherCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.otherCertSet.7.constraint.class_id=noConstraintImpl
+policyset.otherCertSet.7.constraint.name=No Constraint
+policyset.otherCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.otherCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.otherCertSet.7.default.params.exKeyUsageCritical=false
+policyset.otherCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+policyset.otherCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.otherCertSet.8.constraint.name=No Constraint
+policyset.otherCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.otherCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.otherCertSet.8.default.name=Signing Alg
+policyset.otherCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caRACert.cfg b/pki/base/ca/shared/profiles/ca/caRACert.cfg
new file mode 100644
index 000000000..4910bd4b7
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caRACert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling Registration Manager certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=Manual Registration Manager Signing Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=raCertSet
+policyset.raCertSet.list=1,2,3,4,5,6,7,8
+policyset.raCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.raCertSet.1.constraint.name=Subject Name Constraint
+policyset.raCertSet.1.constraint.params.pattern=CN=.*
+policyset.raCertSet.1.constraint.params.accept=true
+policyset.raCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.raCertSet.1.default.name=Subject Name Default
+policyset.raCertSet.1.default.params.name=
+policyset.raCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.raCertSet.2.constraint.name=Validity Constraint
+policyset.raCertSet.2.constraint.params.range=720
+policyset.raCertSet.2.constraint.params.notBeforeCheck=false
+policyset.raCertSet.2.constraint.params.notAfterCheck=false
+policyset.raCertSet.2.default.class_id=validityDefaultImpl
+policyset.raCertSet.2.default.name=Validity Default
+policyset.raCertSet.2.default.params.range=720
+policyset.raCertSet.2.default.params.startTime=0
+policyset.raCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.raCertSet.3.constraint.name=Key Constraint
+policyset.raCertSet.3.constraint.params.keyType=-
+policyset.raCertSet.3.constraint.params.keyMinLength=256
+policyset.raCertSet.3.constraint.params.keyMaxLength=4096
+policyset.raCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.raCertSet.3.default.name=Key Default
+policyset.raCertSet.4.constraint.class_id=noConstraintImpl
+policyset.raCertSet.4.constraint.name=No Constraint
+policyset.raCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.raCertSet.4.default.name=Authority Key Identifier Default
+policyset.raCertSet.5.constraint.class_id=noConstraintImpl
+policyset.raCertSet.5.constraint.name=No Constraint
+policyset.raCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.raCertSet.5.default.name=AIA Extension Default
+policyset.raCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.raCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.raCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.raCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.raCertSet.5.default.params.authInfoAccessCritical=false
+policyset.raCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.raCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.raCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.raCertSet.6.constraint.params.keyUsageCritical=true
+policyset.raCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.raCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.raCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.raCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.raCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.raCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.raCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.raCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.raCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.raCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.raCertSet.6.default.name=Key Usage Default
+policyset.raCertSet.6.default.params.keyUsageCritical=true
+policyset.raCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.raCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.raCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.raCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.raCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.raCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.raCertSet.6.default.params.keyUsageCrlSign=false
+policyset.raCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.raCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.raCertSet.7.constraint.class_id=noConstraintImpl
+policyset.raCertSet.7.constraint.name=No Constraint
+policyset.raCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.raCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.raCertSet.7.default.params.exKeyUsageCritical=false
+policyset.raCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+policyset.raCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.raCertSet.8.constraint.name=No Constraint
+policyset.raCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.raCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.raCertSet.8.default.name=Signing Alg
+policyset.raCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caRARouterCert.cfg b/pki/base/ca/shared/profiles/ca/caRARouterCert.cfg
new file mode 100644
index 000000000..a6df27a6e
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caRARouterCert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling router certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=RA Agent-Authenticated Router Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyMinLength=256
+policyset.serverCertSet.3.constraint.params.keyMaxLength=4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caRAagentCert.cfg b/pki/base/ca/shared/profiles/ca/caRAagentCert.cfg
new file mode 100644
index 000000000..97d4c9821
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caRAagentCert.cfg
@@ -0,0 +1,96 @@
+desc=This certificate profile is for enrolling RA agent user certificates with RA agent authentication.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=RA Agent-Authenticated Agent User Certificate Enrollment
+input.list=i1,i2,i3
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+input.i3.class_id=subjectDNInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=userCertSet
+policyset.userCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.userCertSet.1.constraint.name=Subject Name Constraint
+policyset.userCertSet.1.constraint.params.pattern=UID=.*
+policyset.userCertSet.1.constraint.params.accept=true
+policyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.userCertSet.1.default.name=Subject Name Default
+policyset.userCertSet.1.default.params.name=
+policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.userCertSet.2.constraint.name=Validity Constraint
+policyset.userCertSet.2.constraint.params.range=365
+policyset.userCertSet.2.constraint.params.notBeforeCheck=false
+policyset.userCertSet.2.constraint.params.notAfterCheck=false
+policyset.userCertSet.2.default.class_id=validityDefaultImpl
+policyset.userCertSet.2.default.name=Validity Default
+policyset.userCertSet.2.default.params.range=180
+policyset.userCertSet.2.default.params.startTime=0
+policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.userCertSet.3.constraint.name=Key Constraint
+policyset.userCertSet.3.constraint.params.keyType=-
+policyset.userCertSet.3.constraint.params.keyMinLength=256
+policyset.userCertSet.3.constraint.params.keyMaxLength=4096
+policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.userCertSet.3.default.name=Key Default
+policyset.userCertSet.4.constraint.class_id=noConstraintImpl
+policyset.userCertSet.4.constraint.name=No Constraint
+policyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.userCertSet.4.default.name=Authority Key Identifier Default
+policyset.userCertSet.5.constraint.class_id=noConstraintImpl
+policyset.userCertSet.5.constraint.name=No Constraint
+policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.userCertSet.5.default.name=AIA Extension Default
+policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.userCertSet.5.default.params.authInfoAccessCritical=false
+policyset.userCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.userCertSet.6.constraint.params.keyUsageCritical=true
+policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.userCertSet.6.default.name=Key Usage Default
+policyset.userCertSet.6.default.params.keyUsageCritical=true
+policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.default.params.keyUsageCrlSign=false
+policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.userCertSet.7.constraint.class_id=noConstraintImpl
+policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.userCertSet.7.default.params.exKeyUsageCritical=false
+policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.userCertSet.8.constraint.class_id=noConstraintImpl
+policyset.userCertSet.8.constraint.name=No Constraint
+policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.userCertSet.8.default.name=Subject Alt Name Constraint
+policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.userCertSet.9.constraint.name=No Constraint
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC
+policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.userCertSet.9.default.name=Signing Alg
+policyset.userCertSet.9.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caRAserverCert.cfg b/pki/base/ca/shared/profiles/ca/caRAserverCert.cfg
new file mode 100644
index 000000000..e139a193f
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caRAserverCert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling server certificates with RA agent authentication.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=365
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=180
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyMinLength=256
+policyset.serverCertSet.3.constraint.params.keyMaxLength=4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caRouterCert.cfg b/pki/base/ca/shared/profiles/ca/caRouterCert.cfg
new file mode 100644
index 000000000..d4f22ac16
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caRouterCert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling router certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=flatFileAuth
+name=One Time Pin Router Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyMinLength=256
+policyset.serverCertSet.3.constraint.params.keyMaxLength=4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caServerCert.cfg b/pki/base/ca/shared/profiles/ca/caServerCert.cfg
new file mode 100644
index 000000000..7f971429b
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caServerCert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling server certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=Manual Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=.*CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyMinLength=256
+policyset.serverCertSet.3.constraint.params.keyMaxLength=4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caSignedLogCert.cfg b/pki/base/ca/shared/profiles/ca/caSignedLogCert.cfg
new file mode 100644
index 000000000..00a35d386
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caSignedLogCert.cfg
@@ -0,0 +1,75 @@
+desc=This profile is for enrolling audit log signing certificates
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=Manual Log Signing Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=caLogSigningSet
+policyset.caLogSigningSet.list=1,2,3,4,6,8,9
+policyset.caLogSigningSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.caLogSigningSet.1.constraint.name=Subject Name Constraint
+policyset.caLogSigningSet.1.constraint.params.pattern=CN=.*
+policyset.caLogSigningSet.1.constraint.params.accept=true
+policyset.caLogSigningSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.caLogSigningSet.1.default.name=Subject Name Default
+policyset.caLogSigningSet.1.default.params.name=
+policyset.caLogSigningSet.2.constraint.class_id=validityConstraintImpl
+policyset.caLogSigningSet.2.constraint.name=Validity Constraint
+policyset.caLogSigningSet.2.constraint.params.range=365
+policyset.caLogSigningSet.2.constraint.params.notBeforeCheck=false
+policyset.caLogSigningSet.2.constraint.params.notAfterCheck=false
+policyset.caLogSigningSet.2.default.class_id=validityDefaultImpl
+policyset.caLogSigningSet.2.default.name=Validity Default
+policyset.caLogSigningSet.2.default.params.range=180
+policyset.caLogSigningSet.2.default.params.startTime=60
+policyset.caLogSigningSet.3.constraint.class_id=keyConstraintImpl
+policyset.caLogSigningSet.3.constraint.name=Key Constraint
+policyset.caLogSigningSet.3.constraint.params.keyType=-
+policyset.caLogSigningSet.3.constraint.params.keyMinLength=256
+policyset.caLogSigningSet.3.constraint.params.keyMaxLength=4096
+policyset.caLogSigningSet.3.default.class_id=userKeyDefaultImpl
+policyset.caLogSigningSet.3.default.name=Key Default
+policyset.caLogSigningSet.4.constraint.class_id=noConstraintImpl
+policyset.caLogSigningSet.4.constraint.name=No Constraint
+policyset.caLogSigningSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.caLogSigningSet.4.default.name=Authority Key Identifier Default
+policyset.caLogSigningSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.caLogSigningSet.6.constraint.name=Key Usage Extension Constraint
+policyset.caLogSigningSet.6.constraint.params.keyUsageCritical=true
+policyset.caLogSigningSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.caLogSigningSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.caLogSigningSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.caLogSigningSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.caLogSigningSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.caLogSigningSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.caLogSigningSet.6.constraint.params.keyUsageCrlSign=false
+policyset.caLogSigningSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.caLogSigningSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.caLogSigningSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.caLogSigningSet.6.default.name=Key Usage Default
+policyset.caLogSigningSet.6.default.params.keyUsageCritical=true
+policyset.caLogSigningSet.6.default.params.keyUsageDigitalSignature=true
+policyset.caLogSigningSet.6.default.params.keyUsageNonRepudiation=true
+policyset.caLogSigningSet.6.default.params.keyUsageDataEncipherment=false
+policyset.caLogSigningSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.caLogSigningSet.6.default.params.keyUsageKeyAgreement=false
+policyset.caLogSigningSet.6.default.params.keyUsageKeyCertSign=false
+policyset.caLogSigningSet.6.default.params.keyUsageCrlSign=false
+policyset.caLogSigningSet.6.default.params.keyUsageEncipherOnly=false
+policyset.caLogSigningSet.6.default.params.keyUsageDecipherOnly=false
+policyset.caLogSigningSet.8.constraint.class_id=noConstraintImpl
+policyset.caLogSigningSet.8.constraint.name=No Constraint
+policyset.caLogSigningSet.8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.caLogSigningSet.8.default.name=Subject Key Identifier Extension Default
+policyset.caLogSigningSet.8.default.params.critical=false
+policyset.caLogSigningSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.caLogSigningSet.9.constraint.name=No Constraint
+policyset.caLogSigningSet.9.constraint.params.signingAlgsAllowed=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC
+policyset.caLogSigningSet.9.default.class_id=signingAlgDefaultImpl
+policyset.caLogSigningSet.9.default.name=Signing Alg
+policyset.caLogSigningSet.9.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg b/pki/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
new file mode 100644
index 000000000..91e34b8ab
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
@@ -0,0 +1,85 @@
+desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication.
+enable=true
+enableBy=admin
+name=Simple CMC Enrollment Request for User Certificate
+visible=false
+auth.instance_id=
+input.list=i1
+input.i1.class_id=certReqInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=cmcUserCertSet
+policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
+policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
+policyset.cmcUserCertSet.1.constraint.params.accept=true
+policyset.cmcUserCertSet.1.constraint.params.pattern=.*
+policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.cmcUserCertSet.1.default.name=Subject Name Default
+policyset.cmcUserCertSet.1.default.params.name=
+policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
+policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
+policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
+policyset.cmcUserCertSet.2.constraint.params.range=365
+policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
+policyset.cmcUserCertSet.2.default.name=Validity Default
+policyset.cmcUserCertSet.2.default.params.range=180
+policyset.cmcUserCertSet.2.default.params.startTime=0
+policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.cmcUserCertSet.3.constraint.name=Key Constraint
+policyset.cmcUserCertSet.3.constraint.params.keyMaxLength=4096
+policyset.cmcUserCertSet.3.constraint.params.keyMinLength=256
+policyset.cmcUserCertSet.3.constraint.params.keyType=-
+policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.cmcUserCertSet.3.default.name=Key Default
+policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.4.constraint.name=No Constraint
+policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
+policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.5.constraint.name=No Constraint
+policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.cmcUserCertSet.5.default.name=AIA Extension Default
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
+policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.cmcUserCertSet.6.default.name=Key Usage Default
+policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.7.constraint.name=No Constraint
+policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
+policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.cmcUserCertSet.8.constraint.name=No Constraint
+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.cmcUserCertSet.8.default.name=Signing Alg
+policyset.cmcUserCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caTPSCert.cfg b/pki/base/ca/shared/profiles/ca/caTPSCert.cfg
new file mode 100644
index 000000000..b2233a4e7
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caTPSCert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling TPS server certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=Manual TPS Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyMinLength=256
+policyset.serverCertSet.3.constraint.params.keyMaxLength=4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg b/pki/base/ca/shared/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg
new file mode 100644
index 000000000..5d0c569fe
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg
@@ -0,0 +1,144 @@
+desc=This profile is for enrolling token device keys
+enable=true
+enableBy=admin
+lastModified=1068835451090
+name=Temporary Device Certificate Enrollment
+visible=true
+auth.instance_id=AgentCertAuth
+input.list=i1
+input.i1.class_id=nsHKeyCertReqInputImpl
+input.i1.name=nsHKeyCertReqInputImpl
+output.list=o1
+output.o1.class_id=nsNKeyOutputImpl
+output.o2.name=nsNKeyOutputImpl
+policyset.list=set1
+#policyset.set1.list=p2,p3,p4,p5,p1,p7,p8,p9,p12,p6
+policyset.set1.list=p2,p4,p5,p1,p8,p9,p12
+policyset.set1.p1.constraint.class_id=noConstraintImpl
+policyset.set1.p1.constraint.name=No Constraint
+policyset.set1.p1.default.class_id=nsTokenDeviceKeySubjectNameDefaultImpl
+policyset.set1.p1.default.name=nsTokenDeviceKeySubjectNameDefault
+policyset.set1.p1.default.params.dnpattern=UID=Token Key Device - $request.tokencuid$
+policyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.set1.p12.constraint.name=Basic Constraints Extension Constraint
+policyset.set1.p12.constraint.params.basicConstraintsCritical=-
+policyset.set1.p12.constraint.params.basicConstraintsIsCA=-
+policyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1
+policyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl
+policyset.set1.p12.default.name=Basic Constraints Extension Default
+policyset.set1.p12.default.params.basicConstraintsCritical=false
+policyset.set1.p12.default.params.basicConstraintsIsCA=false
+policyset.set1.p12.default.params.basicConstraintsPathLen=-1
+policyset.set1.p2.constraint.class_id=noConstraintImpl
+policyset.set1.p2.constraint.name=No Constraint
+policyset.set1.p2.default.class_id=validityDefaultImpl
+policyset.set1.p2.default.name=Validity Default
+policyset.set1.p2.default.params.range=7
+policyset.set1.p2.default.params.startTime=0
+policyset.set1.p3.constraint.class_id=noConstraintImpl
+policyset.set1.p3.constraint.name=No Constraint
+policyset.set1.p3.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.set1.p3.default.name=crlDistributionPointsExtDefaultImpl
+policyset.set1.p3.default.params.crlDistPointsCritical=false
+policyset.set1.p3.default.params.crlDistPointsNum=0
+policyset.set1.p3.default.params.crlDistPointsEnable_0=false
+policyset.set1.p3.default.params.crlDistPointsIssuerName_0=
+policyset.set1.p3.default.params.crlDistPointsIssuerType_0=
+policyset.set1.p3.default.params.crlDistPointsPointName_0=
+policyset.set1.p3.default.params.crlDistPointsPointType_0=URIName
+policyset.set1.p3.default.params.crlDistPointsReasons_0=
+policyset.set1.p4.constraint.class_id=noConstraintImpl
+policyset.set1.p4.constraint.name=No Constraint
+policyset.set1.p4.default.class_id=signingAlgDefaultImpl
+policyset.set1.p4.default.name=Signing Algorithm Default
+policyset.set1.p4.default.params.signingAlg=-
+policyset.set1.p5.constraint.class_id=noConstraintImpl
+policyset.set1.p5.constraint.name=No Constraint
+policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
+policyset.set1.p5.default.name=Key Usage Extension Default
+policyset.set1.p5.default.params.keyUsageCritical=true
+policyset.set1.p5.default.params.keyUsageCrlSign=false
+policyset.set1.p5.default.params.keyUsageDataEncipherment=false
+policyset.set1.p5.default.params.keyUsageDecipherOnly=false
+policyset.set1.p5.default.params.keyUsageDigitalSignature=true
+policyset.set1.p5.default.params.keyUsageEncipherOnly=false
+policyset.set1.p5.default.params.keyUsageKeyAgreement=false
+policyset.set1.p5.default.params.keyUsageKeyCertSign=false
+policyset.set1.p5.default.params.keyUsageKeyEncipherment=false
+policyset.set1.p5.default.params.keyUsageNonRepudiation=false
+policyset.set1.p7.constraint.class_id=noConstraintImpl
+policyset.set1.p7.constraint.name=No Constraint
+policyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl
+policyset.set1.p7.default.name=Certificate Policies Extension Default
+policyset.set1.p7.default.params.Critical=false
+policyset.set1.p7.default.params.PoliciesExt.num=5
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p8.constraint.class_id=noConstraintImpl
+policyset.set1.p8.constraint.name=No Constraint
+policyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.set1.p8.default.name=Subject Key Identifier Default
+policyset.set1.p9.constraint.class_id=noConstraintImpl
+policyset.set1.p9.constraint.name=No Constraint
+policyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.set1.p9.default.name=Authority Key Identifier Extension Default
+policyset.set1.p6.constraint.class_id=noConstraintImpl
+policyset.set1.p6.constraint.name=No Constraint
+policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl
+policyset.set1.p6.default.name=Subject Alternative Name Extension Default
+policyset.set1.p6.default.params.subjAltExtGNEnable_0=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_1=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_2=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_3=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_4=false
+policyset.set1.p6.default.params.subjAltExtPattern_0=
+policyset.set1.p6.default.params.subjAltExtPattern_1=
+policyset.set1.p6.default.params.subjAltExtPattern_2=
+policyset.set1.p6.default.params.subjAltExtPattern_3=
+policyset.set1.p6.default.params.subjAltExtPattern_4=
+policyset.set1.p6.default.params.subjAltExtType_0=OtherName
+policyset.set1.p6.default.params.subjAltExtType_1=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_2=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_3=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_4=RFC822Name
+policyset.set1.p6.default.params.subjAltNameExtCritical=false
+policyset.set1.p6.default.params.subjAltNameNumGNs=0
diff --git a/pki/base/ca/shared/profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg b/pki/base/ca/shared/profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg
new file mode 100644
index 000000000..3d35c984a
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg
@@ -0,0 +1,166 @@
+desc=This profile is for enrolling Token Encryption key
+enable=true
+enableBy=admin
+name=Temporary Token User Encryption Certificate Enrollment
+visible=true
+auth.instance_id=AgentCertAuth
+input.list=i1
+input.i1.class_id=nsNKeyCertReqInputImpl
+input.i1.name=nsNKeyCertReqInputImpl
+output.list=o1
+output.o1.class_id=nsNKeyOutputImpl
+output.o2.name=nsNKeyOutputImpl
+policyset.list=set1
+#policyset.set1.list=p2,p4,p5,p1,p6,p7,p8,p9,p12,p13,p14
+policyset.set1.list=p2,p4,p5,p1,p6,p8,p9,p12
+policyset.set1.p1.constraint.class_id=noConstraintImpl
+policyset.set1.p1.constraint.name=No Constraint
+policyset.set1.p1.default.class_id=nsTokenUserKeySubjectNameDefaultImpl
+policyset.set1.p1.default.name=nsTokenUserKeySubjectNameDefault
+#uncomment below to support SMIME
+#policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, E=$request.mail$, O=Token Key User
+policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, O=Token Key User
+#changed ldap.enable to true to support SMIME
+policyset.set1.p1.default.params.ldap.enable=false
+policyset.set1.p1.default.params.ldap.searchName=uid
+policyset.set1.p1.default.params.ldapStringAttributes=uid,mail
+policyset.set1.p1.default.params.ldap.basedn=
+policyset.set1.p1.default.params.ldap.maxConns=4
+policyset.set1.p1.default.params.ldap.minConns=1
+policyset.set1.p1.default.params.ldap.ldapconn.Version=2
+policyset.set1.p1.default.params.ldap.ldapconn.host=
+policyset.set1.p1.default.params.ldap.ldapconn.port=
+policyset.set1.p1.default.params.ldap.ldapconn.secureConn=false
+policyset.set1.p2.constraint.class_id=noConstraintImpl
+policyset.set1.p2.constraint.name=No Constraint
+policyset.set1.p2.default.class_id=validityDefaultImpl
+policyset.set1.p2.default.name=Validity Default
+policyset.set1.p2.default.params.range=7
+policyset.set1.p2.default.params.startTime=0
+policyset.set1.p4.constraint.class_id=noConstraintImpl
+policyset.set1.p4.constraint.name=No Constraint
+policyset.set1.p4.default.class_id=signingAlgDefaultImpl
+policyset.set1.p4.default.name=Signing Algorithm Default
+policyset.set1.p4.default.params.signingAlg=-
+policyset.set1.p5.constraint.class_id=noConstraintImpl
+policyset.set1.p5.constraint.name=No Constraint
+policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
+policyset.set1.p5.default.name=Key Usage Extension Default
+policyset.set1.p5.default.params.keyUsageCritical=true
+policyset.set1.p5.default.params.keyUsageCrlSign=false
+policyset.set1.p5.default.params.keyUsageDataEncipherment=false
+policyset.set1.p5.default.params.keyUsageDecipherOnly=false
+policyset.set1.p5.default.params.keyUsageDigitalSignature=false
+policyset.set1.p5.default.params.keyUsageEncipherOnly=false
+policyset.set1.p5.default.params.keyUsageKeyAgreement=false
+policyset.set1.p5.default.params.keyUsageKeyCertSign=false
+policyset.set1.p5.default.params.keyUsageKeyEncipherment=true
+policyset.set1.p5.default.params.keyUsageNonRepudiation=false
+policyset.set1.p6.constraint.class_id=noConstraintImpl
+policyset.set1.p6.constraint.name=No Constraint
+policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl
+policyset.set1.p6.default.name=Subject Alternative Name Extension Default
+policyset.set1.p6.default.params.subjAltExtGNEnable_0=true
+policyset.set1.p6.default.params.subjAltExtGNEnable_1=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_2=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_3=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_4=false
+policyset.set1.p6.default.params.subjAltExtPattern_0=$request.mail$
+policyset.set1.p6.default.params.subjAltExtPattern_1=
+policyset.set1.p6.default.params.subjAltExtPattern_2=
+policyset.set1.p6.default.params.subjAltExtPattern_3=
+policyset.set1.p6.default.params.subjAltExtPattern_4=
+policyset.set1.p6.default.params.subjAltExtType_0=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_1=OtherName
+policyset.set1.p6.default.params.subjAltExtType_2=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_3=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_4=RFC822Name
+policyset.set1.p6.default.params.subjAltNameExtCritical=false
+policyset.set1.p6.default.params.subjAltNameNumGNs=1
+policyset.set1.p7.constraint.class_id=noConstraintImpl
+policyset.set1.p7.constraint.name=No Constraint
+policyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl
+policyset.set1.p7.default.name=Certificate Policies Extension Default
+policyset.set1.p7.default.params.Critical=false
+policyset.set1.p7.default.params.PoliciesExt.num=5
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p8.constraint.class_id=noConstraintImpl
+policyset.set1.p8.constraint.name=No Constraint
+policyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.set1.p8.default.name=Subject Key Identifier Default
+policyset.set1.p9.constraint.class_id=noConstraintImpl
+policyset.set1.p9.constraint.name=No Constraint
+policyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.set1.p9.default.name=Authority Key Identifier Extension Default
+policyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.set1.p12.constraint.name=Basic Constraints Extension Constraint
+policyset.set1.p12.constraint.params.basicConstraintsCritical=-
+policyset.set1.p12.constraint.params.basicConstraintsIsCA=-
+policyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1
+policyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl
+policyset.set1.p12.default.name=Basic Constraints Extension Default
+policyset.set1.p12.default.params.basicConstraintsCritical=false
+policyset.set1.p12.default.params.basicConstraintsIsCA=false
+policyset.set1.p12.default.params.basicConstraintsPathLen=-1
+policyset.set1.p13.constraint.class_id=noConstraintImpl
+policyset.set1.p13.constraint.name=No Constraint
+policyset.set1.p13.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.name=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.params.crlDistPointsCritical=false
+policyset.set1.p13.default.params.crlDistPointsNum=0
+policyset.set1.p13.default.params.crlDistPointsEnable_0=false
+policyset.set1.p13.default.params.crlDistPointsIssuerName_0=
+policyset.set1.p13.default.params.crlDistPointsIssuerType_0=
+policyset.set1.p13.default.params.crlDistPointsPointName_0=
+policyset.set1.p13.default.params.crlDistPointsPointType_0=URIName
+policyset.set1.p13.default.params.crlDistPointsReasons_0=
+policyset.set1.p14.constraint.class_id=noConstraintImpl
+policyset.set1.p14.constraint.name=No Constraint
+policyset.set1.p14.default.class_id=authInfoAccessExtDefaultImpl
+policyset.set1.p14.default.name=AIA Extension Default
+policyset.set1.p14.default.params.authInfoAccessADEnable_0=false
+policyset.set1.p14.default.params.authInfoAccessADLocationType_0=URIName
+policyset.set1.p14.default.params.authInfoAccessADLocation_0=
+policyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.set1.p14.default.params.authInfoAccessCritical=false
+policyset.set1.p14.default.params.authInfoAccessNumADs=0
diff --git a/pki/base/ca/shared/profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg b/pki/base/ca/shared/profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg
new file mode 100644
index 000000000..538a17db3
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg
@@ -0,0 +1,166 @@
+desc=This profile is for enrolling Token Signing key
+enable=true
+enableBy=admin
+name=Temporary Token User Signing Certificate Enrollment
+visible=true
+auth.instance_id=AgentCertAuth
+input.list=i1
+input.i1.class_id=nsNKeyCertReqInputImpl
+input.i1.name=nsNKeyCertReqInputImpl
+output.list=o1
+output.o1.class_id=nsNKeyOutputImpl
+output.o2.name=nsNKeyOutputImpl
+policyset.list=set1
+#policyset.set1.list=p2,p4,p5,p1,p6,p7,p8,p9,p12,p13,p14
+policyset.set1.list=p2,p4,p5,p1,p6,p8,p9,p12
+policyset.set1.p1.constraint.class_id=noConstraintImpl
+policyset.set1.p1.constraint.name=No Constraint
+policyset.set1.p1.default.class_id=nsTokenUserKeySubjectNameDefaultImpl
+policyset.set1.p1.default.name=nsTokenUserKeySubjectNameDefault
+#uncomment below to support SMIME
+#policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, E=$request.mail$, O=Token Key User
+policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, O=Token Key User
+#changed ldap.enable to true to support SMIME
+policyset.set1.p1.default.params.ldap.enable=false
+policyset.set1.p1.default.params.ldap.searchName=uid
+policyset.set1.p1.default.params.ldapStringAttributes=uid,mail
+policyset.set1.p1.default.params.ldap.basedn=
+policyset.set1.p1.default.params.ldap.maxConns=4
+policyset.set1.p1.default.params.ldap.minConns=1
+policyset.set1.p1.default.params.ldap.ldapconn.Version=2
+policyset.set1.p1.default.params.ldap.ldapconn.host=
+policyset.set1.p1.default.params.ldap.ldapconn.port=
+policyset.set1.p1.default.params.ldap.ldapconn.secureConn=false
+policyset.set1.p2.constraint.class_id=noConstraintImpl
+policyset.set1.p2.constraint.name=No Constraint
+policyset.set1.p2.default.class_id=validityDefaultImpl
+policyset.set1.p2.default.name=Validity Default
+policyset.set1.p2.default.params.range=7
+policyset.set1.p2.default.params.startTime=0
+policyset.set1.p4.constraint.class_id=noConstraintImpl
+policyset.set1.p4.constraint.name=No Constraint
+policyset.set1.p4.default.class_id=signingAlgDefaultImpl
+policyset.set1.p4.default.name=Signing Algorithm Default
+policyset.set1.p4.default.params.signingAlg=-
+policyset.set1.p5.constraint.class_id=noConstraintImpl
+policyset.set1.p5.constraint.name=No Constraint
+policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
+policyset.set1.p5.default.name=Key Usage Extension Default
+policyset.set1.p5.default.params.keyUsageCritical=true
+policyset.set1.p5.default.params.keyUsageCrlSign=false
+policyset.set1.p5.default.params.keyUsageDataEncipherment=false
+policyset.set1.p5.default.params.keyUsageDecipherOnly=false
+policyset.set1.p5.default.params.keyUsageDigitalSignature=true
+policyset.set1.p5.default.params.keyUsageEncipherOnly=false
+policyset.set1.p5.default.params.keyUsageKeyAgreement=false
+policyset.set1.p5.default.params.keyUsageKeyCertSign=false
+policyset.set1.p5.default.params.keyUsageKeyEncipherment=false
+policyset.set1.p5.default.params.keyUsageNonRepudiation=true
+policyset.set1.p6.constraint.class_id=noConstraintImpl
+policyset.set1.p6.constraint.name=No Constraint
+policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl
+policyset.set1.p6.default.name=Subject Alternative Name Extension Default
+policyset.set1.p6.default.params.subjAltExtGNEnable_0=true
+policyset.set1.p6.default.params.subjAltExtGNEnable_1=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_2=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_3=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_4=false
+policyset.set1.p6.default.params.subjAltExtPattern_0=$request.mail$
+policyset.set1.p6.default.params.subjAltExtPattern_1=
+policyset.set1.p6.default.params.subjAltExtPattern_2=
+policyset.set1.p6.default.params.subjAltExtPattern_3=
+policyset.set1.p6.default.params.subjAltExtPattern_4=
+policyset.set1.p6.default.params.subjAltExtType_0=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_1=OtherName
+policyset.set1.p6.default.params.subjAltExtType_2=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_3=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_4=RFC822Name
+policyset.set1.p6.default.params.subjAltNameExtCritical=false
+policyset.set1.p6.default.params.subjAltNameNumGNs=1
+policyset.set1.p7.constraint.class_id=noConstraintImpl
+policyset.set1.p7.constraint.name=No Constraint
+policyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl
+policyset.set1.p7.default.name=Certificate Policies Extension Default
+policyset.set1.p7.default.params.Critical=false
+policyset.set1.p7.default.params.PoliciesExt.num=5
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p8.constraint.class_id=noConstraintImpl
+policyset.set1.p8.constraint.name=No Constraint
+policyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.set1.p8.default.name=Subject Key Identifier Default
+policyset.set1.p9.constraint.class_id=noConstraintImpl
+policyset.set1.p9.constraint.name=No Constraint
+policyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.set1.p9.default.name=Authority Key Identifier Extension Default
+policyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.set1.p12.constraint.name=Basic Constraints Extension Constraint
+policyset.set1.p12.constraint.params.basicConstraintsCritical=-
+policyset.set1.p12.constraint.params.basicConstraintsIsCA=-
+policyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1
+policyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl
+policyset.set1.p12.default.name=Basic Constraints Extension Default
+policyset.set1.p12.default.params.basicConstraintsCritical=false
+policyset.set1.p12.default.params.basicConstraintsIsCA=false
+policyset.set1.p12.default.params.basicConstraintsPathLen=-1
+policyset.set1.p13.constraint.class_id=noConstraintImpl
+policyset.set1.p13.constraint.name=No Constraint
+policyset.set1.p13.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.name=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.params.crlDistPointsCritical=false
+policyset.set1.p13.default.params.crlDistPointsNum=0
+policyset.set1.p13.default.params.crlDistPointsEnable_0=false
+policyset.set1.p13.default.params.crlDistPointsIssuerName_0=
+policyset.set1.p13.default.params.crlDistPointsIssuerType_0=
+policyset.set1.p13.default.params.crlDistPointsPointName_0=
+policyset.set1.p13.default.params.crlDistPointsPointType_0=URIName
+policyset.set1.p13.default.params.crlDistPointsReasons_0=
+policyset.set1.p14.constraint.class_id=noConstraintImpl
+policyset.set1.p14.constraint.name=No Constraint
+policyset.set1.p14.default.class_id=authInfoAccessExtDefaultImpl
+policyset.set1.p14.default.name=AIA Extension Default
+policyset.set1.p14.default.params.authInfoAccessADEnable_0=false
+policyset.set1.p14.default.params.authInfoAccessADLocationType_0=URIName
+policyset.set1.p14.default.params.authInfoAccessADLocation_0=
+policyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.set1.p14.default.params.authInfoAccessCritical=false
+policyset.set1.p14.default.params.authInfoAccessNumADs=0
diff --git a/pki/base/ca/shared/profiles/ca/caTokenDeviceKeyEnrollment.cfg b/pki/base/ca/shared/profiles/ca/caTokenDeviceKeyEnrollment.cfg
new file mode 100644
index 000000000..7eaf6f96f
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caTokenDeviceKeyEnrollment.cfg
@@ -0,0 +1,143 @@
+desc=This profile is for enrolling token device keys
+enable=true
+enableBy=admin
+lastModified=1068835451090
+name=Token Device Key Enrollment
+visible=true
+auth.instance_id=AgentCertAuth
+input.list=i1
+input.i1.class_id=nsHKeyCertReqInputImpl
+input.i1.name=nsHKeyCertReqInputImpl
+output.list=o1
+output.o1.class_id=nsNKeyOutputImpl
+output.o2.name=nsNKeyOutputImpl
+policyset.list=set1
+#policyset.set1.list=p2,p3,p4,p5,p1,p7,p8,p9,p12,p6
+policyset.set1.list=p2,p4,p5,p1,p8,p9,p12
+policyset.set1.p1.constraint.class_id=noConstraintImpl
+policyset.set1.p1.constraint.name=No Constraint
+policyset.set1.p1.default.class_id=nsTokenDeviceKeySubjectNameDefaultImpl
+policyset.set1.p1.default.name=nsTokenDeviceKeySubjectNameDefault
+policyset.set1.p1.default.params.dnpattern=UID=Token Key Device - $request.tokencuid$
+policyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.set1.p12.constraint.name=Basic Constraints Extension Constraint
+policyset.set1.p12.constraint.params.basicConstraintsCritical=-
+policyset.set1.p12.constraint.params.basicConstraintsIsCA=-
+policyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1
+policyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl
+policyset.set1.p12.default.name=Basic Constraints Extension Default
+policyset.set1.p12.default.params.basicConstraintsCritical=false
+policyset.set1.p12.default.params.basicConstraintsIsCA=false
+policyset.set1.p12.default.params.basicConstraintsPathLen=-1
+policyset.set1.p2.constraint.class_id=noConstraintImpl
+policyset.set1.p2.constraint.name=No Constraint
+policyset.set1.p2.default.class_id=validityDefaultImpl
+policyset.set1.p2.default.name=Validity Default
+policyset.set1.p2.default.params.range=1825
+policyset.set1.p2.default.params.startTime=0
+policyset.set1.p3.constraint.class_id=noConstraintImpl
+policyset.set1.p3.constraint.name=No Constraint
+policyset.set1.p3.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.set1.p3.default.name=crlDistributionPointsExtDefaultImpl
+policyset.set1.p3.default.params.crlDistPointsCritical=false
+policyset.set1.p3.default.params.crlDistPointsNum=0
+policyset.set1.p3.default.params.crlDistPointsEnable_0=false
+policyset.set1.p3.default.params.crlDistPointsIssuerName_0=
+policyset.set1.p3.default.params.crlDistPointsIssuerType_0=
+policyset.set1.p3.default.params.crlDistPointsPointName_0=
+policyset.set1.p3.default.params.crlDistPointsPointType_0=URIName
+policyset.set1.p3.default.params.crlDistPointsReasons_0=
+policyset.set1.p4.constraint.class_id=noConstraintImpl
+policyset.set1.p4.constraint.name=No Constraint
+policyset.set1.p4.default.class_id=signingAlgDefaultImpl
+policyset.set1.p4.default.name=Signing Algorithm Default
+policyset.set1.p4.default.params.signingAlg=-
+policyset.set1.p5.constraint.class_id=noConstraintImpl
+policyset.set1.p5.constraint.name=No Constraint
+policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
+policyset.set1.p5.default.name=Key Usage Extension Default
+policyset.set1.p5.default.params.keyUsageCritical=true
+policyset.set1.p5.default.params.keyUsageCrlSign=false
+policyset.set1.p5.default.params.keyUsageDataEncipherment=false
+policyset.set1.p5.default.params.keyUsageDecipherOnly=false
+policyset.set1.p5.default.params.keyUsageDigitalSignature=true
+policyset.set1.p5.default.params.keyUsageEncipherOnly=false
+policyset.set1.p5.default.params.keyUsageKeyAgreement=false
+policyset.set1.p5.default.params.keyUsageKeyCertSign=false
+policyset.set1.p5.default.params.keyUsageKeyEncipherment=false
+policyset.set1.p5.default.params.keyUsageNonRepudiation=false
+policyset.set1.p7.constraint.class_id=noConstraintImpl
+policyset.set1.p7.constraint.name=No Constraint
+policyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl
+policyset.set1.p7.default.name=Certificate Policies Extension Default
+policyset.set1.p7.default.params.Critical=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p8.constraint.class_id=noConstraintImpl
+policyset.set1.p8.constraint.name=No Constraint
+policyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.set1.p8.default.name=Subject Key Identifier Default
+policyset.set1.p9.constraint.class_id=noConstraintImpl
+policyset.set1.p9.constraint.name=No Constraint
+policyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.set1.p9.default.name=Authority Key Identifier Extension Default
+policyset.set1.p6.constraint.class_id=noConstraintImpl
+policyset.set1.p6.constraint.name=No Constraint
+policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl
+policyset.set1.p6.default.name=Subject Alternative Name Extension Default
+policyset.set1.p6.default.params.subjAltExtGNEnable_0=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_1=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_2=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_3=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_4=false
+policyset.set1.p6.default.params.subjAltExtPattern_0=
+policyset.set1.p6.default.params.subjAltExtPattern_1=
+policyset.set1.p6.default.params.subjAltExtPattern_2=
+policyset.set1.p6.default.params.subjAltExtPattern_3=
+policyset.set1.p6.default.params.subjAltExtPattern_4=
+policyset.set1.p6.default.params.subjAltExtType_0=OtherName
+policyset.set1.p6.default.params.subjAltExtType_1=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_2=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_3=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_4=RFC822Name
+policyset.set1.p6.default.params.subjAltNameExtCritical=false
+policyset.set1.p6.default.params.subjAltNameNumGNs=0
diff --git a/pki/base/ca/shared/profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg b/pki/base/ca/shared/profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg
new file mode 100644
index 000000000..724f3dc18
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg
@@ -0,0 +1,164 @@
+desc=This profile is for enrolling Token Encryption key
+enable=true
+enableBy=admin
+name=Token User Encryption Certificate Enrollment
+visible=true
+auth.instance_id=AgentCertAuth
+input.list=i1
+input.i1.class_id=nsNKeyCertReqInputImpl
+input.i1.name=nsNKeyCertReqInputImpl
+output.list=o1
+output.o1.class_id=nsNKeyOutputImpl
+output.o2.name=nsNKeyOutputImpl
+policyset.list=set1
+#policyset.set1.list=p2,p4,p5,p1,p6,p7,p8,p9,p12,p13,p14
+policyset.set1.list=p2,p4,p5,p1,p6,p8,p9,p12
+policyset.set1.p1.constraint.class_id=noConstraintImpl
+policyset.set1.p1.constraint.name=No Constraint
+policyset.set1.p1.default.class_id=nsTokenUserKeySubjectNameDefaultImpl
+policyset.set1.p1.default.name=nsTokenUserKeySubjectNameDefault
+policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, O=Token Key User
+#changed ldap.enable to true to support SMIME
+policyset.set1.p1.default.params.ldap.enable=false
+policyset.set1.p1.default.params.ldap.searchName=uid
+policyset.set1.p1.default.params.ldapStringAttributes=uid,mail
+policyset.set1.p1.default.params.ldap.basedn=
+policyset.set1.p1.default.params.ldap.maxConns=4
+policyset.set1.p1.default.params.ldap.minConns=1
+policyset.set1.p1.default.params.ldap.ldapconn.Version=2
+policyset.set1.p1.default.params.ldap.ldapconn.host=
+policyset.set1.p1.default.params.ldap.ldapconn.port=
+policyset.set1.p1.default.params.ldap.ldapconn.secureConn=false
+policyset.set1.p2.constraint.class_id=noConstraintImpl
+policyset.set1.p2.constraint.name=No Constraint
+policyset.set1.p2.default.class_id=validityDefaultImpl
+policyset.set1.p2.default.name=Validity Default
+policyset.set1.p2.default.params.range=1825
+policyset.set1.p2.default.params.startTime=0
+policyset.set1.p4.constraint.class_id=noConstraintImpl
+policyset.set1.p4.constraint.name=No Constraint
+policyset.set1.p4.default.class_id=signingAlgDefaultImpl
+policyset.set1.p4.default.name=Signing Algorithm Default
+policyset.set1.p4.default.params.signingAlg=-
+policyset.set1.p5.constraint.class_id=noConstraintImpl
+policyset.set1.p5.constraint.name=No Constraint
+policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
+policyset.set1.p5.default.name=Key Usage Extension Default
+policyset.set1.p5.default.params.keyUsageCritical=true
+policyset.set1.p5.default.params.keyUsageCrlSign=false
+policyset.set1.p5.default.params.keyUsageDataEncipherment=false
+policyset.set1.p5.default.params.keyUsageDecipherOnly=false
+policyset.set1.p5.default.params.keyUsageDigitalSignature=false
+policyset.set1.p5.default.params.keyUsageEncipherOnly=false
+policyset.set1.p5.default.params.keyUsageKeyAgreement=false
+policyset.set1.p5.default.params.keyUsageKeyCertSign=false
+policyset.set1.p5.default.params.keyUsageKeyEncipherment=true
+policyset.set1.p5.default.params.keyUsageNonRepudiation=false
+policyset.set1.p6.constraint.class_id=noConstraintImpl
+policyset.set1.p6.constraint.name=No Constraint
+policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl
+policyset.set1.p6.default.name=Subject Alternative Name Extension Default
+policyset.set1.p6.default.params.subjAltExtGNEnable_0=true
+policyset.set1.p6.default.params.subjAltExtGNEnable_1=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_2=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_3=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_4=false
+policyset.set1.p6.default.params.subjAltExtPattern_0=$request.mail$
+policyset.set1.p6.default.params.subjAltExtPattern_1=
+policyset.set1.p6.default.params.subjAltExtPattern_2=
+policyset.set1.p6.default.params.subjAltExtPattern_3=
+policyset.set1.p6.default.params.subjAltExtPattern_4=
+policyset.set1.p6.default.params.subjAltExtType_0=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_1=OtherName
+policyset.set1.p6.default.params.subjAltExtType_2=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_3=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_4=RFC822Name
+policyset.set1.p6.default.params.subjAltNameExtCritical=false
+policyset.set1.p6.default.params.subjAltNameNumGNs=1
+policyset.set1.p7.constraint.class_id=noConstraintImpl
+policyset.set1.p7.constraint.name=No Constraint
+policyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl
+policyset.set1.p7.default.name=Certificate Policies Extension Default
+policyset.set1.p7.default.params.Critical=false
+policyset.set1.p7.default.params.PoliciesExt.num=5
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p8.constraint.class_id=noConstraintImpl
+policyset.set1.p8.constraint.name=No Constraint
+policyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.set1.p8.default.name=Subject Key Identifier Default
+policyset.set1.p9.constraint.class_id=noConstraintImpl
+policyset.set1.p9.constraint.name=No Constraint
+policyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.set1.p9.default.name=Authority Key Identifier Extension Default
+policyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.set1.p12.constraint.name=Basic Constraints Extension Constraint
+policyset.set1.p12.constraint.params.basicConstraintsCritical=-
+policyset.set1.p12.constraint.params.basicConstraintsIsCA=-
+policyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1
+policyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl
+policyset.set1.p12.default.name=Basic Constraints Extension Default
+policyset.set1.p12.default.params.basicConstraintsCritical=false
+policyset.set1.p12.default.params.basicConstraintsIsCA=false
+policyset.set1.p12.default.params.basicConstraintsPathLen=-1
+policyset.set1.p13.constraint.class_id=noConstraintImpl
+policyset.set1.p13.constraint.name=No Constraint
+policyset.set1.p13.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.name=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.params.crlDistPointsCritical=false
+policyset.set1.p13.default.params.crlDistPointsNum=0
+policyset.set1.p13.default.params.crlDistPointsEnable_0=false
+policyset.set1.p13.default.params.crlDistPointsIssuerName_0=
+policyset.set1.p13.default.params.crlDistPointsIssuerType_0=
+policyset.set1.p13.default.params.crlDistPointsPointName_0=
+policyset.set1.p13.default.params.crlDistPointsPointType_0=URIName
+policyset.set1.p13.default.params.crlDistPointsReasons_0=
+policyset.set1.p14.constraint.class_id=noConstraintImpl
+policyset.set1.p14.constraint.name=No Constraint
+policyset.set1.p14.default.class_id=authInfoAccessExtDefaultImpl
+policyset.set1.p14.default.name=AIA Extension Default
+policyset.set1.p14.default.params.authInfoAccessADEnable_0=false
+policyset.set1.p14.default.params.authInfoAccessADLocationType_0=URIName
+policyset.set1.p14.default.params.authInfoAccessADLocation_0=
+policyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.set1.p14.default.params.authInfoAccessCritical=false
+policyset.set1.p14.default.params.authInfoAccessNumADs=0
diff --git a/pki/base/ca/shared/profiles/ca/caTokenUserSigningKeyEnrollment.cfg b/pki/base/ca/shared/profiles/ca/caTokenUserSigningKeyEnrollment.cfg
new file mode 100644
index 000000000..9f9bf20c3
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caTokenUserSigningKeyEnrollment.cfg
@@ -0,0 +1,164 @@
+desc=This profile is for enrolling Token Signing key
+enable=true
+enableBy=admin
+name=Token User Signing Certificate Enrollment
+visible=true
+auth.instance_id=AgentCertAuth
+input.list=i1
+input.i1.class_id=nsNKeyCertReqInputImpl
+input.i1.name=nsNKeyCertReqInputImpl
+output.list=o1
+output.o1.class_id=nsNKeyOutputImpl
+output.o2.name=nsNKeyOutputImpl
+policyset.list=set1
+#policyset.set1.list=p2,p4,p5,p1,p6,p7,p8,p9,p12,p13,p14
+policyset.set1.list=p2,p4,p5,p1,p6,p8,p9,p12
+policyset.set1.p1.constraint.class_id=noConstraintImpl
+policyset.set1.p1.constraint.name=No Constraint
+policyset.set1.p1.default.class_id=nsTokenUserKeySubjectNameDefaultImpl
+policyset.set1.p1.default.name=nsTokenUserKeySubjectNameDefault
+policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, O=Token Key User
+#changed ldap.enable to true to support SMIME
+policyset.set1.p1.default.params.ldap.enable=false
+policyset.set1.p1.default.params.ldap.searchName=uid
+policyset.set1.p1.default.params.ldapStringAttributes=uid,mail
+policyset.set1.p1.default.params.ldap.basedn=
+policyset.set1.p1.default.params.ldap.maxConns=4
+policyset.set1.p1.default.params.ldap.minConns=1
+policyset.set1.p1.default.params.ldap.ldapconn.Version=2
+policyset.set1.p1.default.params.ldap.ldapconn.host=
+policyset.set1.p1.default.params.ldap.ldapconn.port=
+policyset.set1.p1.default.params.ldap.ldapconn.secureConn=false
+policyset.set1.p2.constraint.class_id=noConstraintImpl
+policyset.set1.p2.constraint.name=No Constraint
+policyset.set1.p2.default.class_id=validityDefaultImpl
+policyset.set1.p2.default.name=Validity Default
+policyset.set1.p2.default.params.range=1825
+policyset.set1.p2.default.params.startTime=0
+policyset.set1.p4.constraint.class_id=noConstraintImpl
+policyset.set1.p4.constraint.name=No Constraint
+policyset.set1.p4.default.class_id=signingAlgDefaultImpl
+policyset.set1.p4.default.name=Signing Algorithm Default
+policyset.set1.p4.default.params.signingAlg=-
+policyset.set1.p5.constraint.class_id=noConstraintImpl
+policyset.set1.p5.constraint.name=No Constraint
+policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
+policyset.set1.p5.default.name=Key Usage Extension Default
+policyset.set1.p5.default.params.keyUsageCritical=true
+policyset.set1.p5.default.params.keyUsageCrlSign=false
+policyset.set1.p5.default.params.keyUsageDataEncipherment=false
+policyset.set1.p5.default.params.keyUsageDecipherOnly=false
+policyset.set1.p5.default.params.keyUsageDigitalSignature=true
+policyset.set1.p5.default.params.keyUsageEncipherOnly=false
+policyset.set1.p5.default.params.keyUsageKeyAgreement=false
+policyset.set1.p5.default.params.keyUsageKeyCertSign=false
+policyset.set1.p5.default.params.keyUsageKeyEncipherment=false
+policyset.set1.p5.default.params.keyUsageNonRepudiation=true
+policyset.set1.p6.constraint.class_id=noConstraintImpl
+policyset.set1.p6.constraint.name=No Constraint
+policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl
+policyset.set1.p6.default.name=Subject Alternative Name Extension Default
+policyset.set1.p6.default.params.subjAltExtGNEnable_0=true
+policyset.set1.p6.default.params.subjAltExtGNEnable_1=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_2=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_3=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_4=false
+policyset.set1.p6.default.params.subjAltExtPattern_0=$request.mail$
+policyset.set1.p6.default.params.subjAltExtPattern_1=
+policyset.set1.p6.default.params.subjAltExtPattern_2=
+policyset.set1.p6.default.params.subjAltExtPattern_3=
+policyset.set1.p6.default.params.subjAltExtPattern_4=
+policyset.set1.p6.default.params.subjAltExtType_0=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_1=OtherName
+policyset.set1.p6.default.params.subjAltExtType_2=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_3=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_4=RFC822Name
+policyset.set1.p6.default.params.subjAltNameExtCritical=false
+policyset.set1.p6.default.params.subjAltNameNumGNs=1
+policyset.set1.p7.constraint.class_id=noConstraintImpl
+policyset.set1.p7.constraint.name=No Constraint
+policyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl
+policyset.set1.p7.default.name=Certificate Policies Extension Default
+policyset.set1.p7.default.params.Critical=false
+policyset.set1.p7.default.params.PoliciesExt.num=5
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p8.constraint.class_id=noConstraintImpl
+policyset.set1.p8.constraint.name=No Constraint
+policyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.set1.p8.default.name=Subject Key Identifier Default
+policyset.set1.p9.constraint.class_id=noConstraintImpl
+policyset.set1.p9.constraint.name=No Constraint
+policyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.set1.p9.default.name=Authority Key Identifier Extension Default
+policyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.set1.p12.constraint.name=Basic Constraints Extension Constraint
+policyset.set1.p12.constraint.params.basicConstraintsCritical=-
+policyset.set1.p12.constraint.params.basicConstraintsIsCA=-
+policyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1
+policyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl
+policyset.set1.p12.default.name=Basic Constraints Extension Default
+policyset.set1.p12.default.params.basicConstraintsCritical=false
+policyset.set1.p12.default.params.basicConstraintsIsCA=false
+policyset.set1.p12.default.params.basicConstraintsPathLen=-1
+policyset.set1.p13.constraint.class_id=noConstraintImpl
+policyset.set1.p13.constraint.name=No Constraint
+policyset.set1.p13.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.name=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.params.crlDistPointsCritical=false
+policyset.set1.p13.default.params.crlDistPointsNum=0
+policyset.set1.p13.default.params.crlDistPointsEnable_0=false
+policyset.set1.p13.default.params.crlDistPointsIssuerName_0=
+policyset.set1.p13.default.params.crlDistPointsIssuerType_0=
+policyset.set1.p13.default.params.crlDistPointsPointName_0=
+policyset.set1.p13.default.params.crlDistPointsPointType_0=URIName
+policyset.set1.p13.default.params.crlDistPointsReasons_0=
+policyset.set1.p14.constraint.class_id=noConstraintImpl
+policyset.set1.p14.constraint.name=No Constraint
+policyset.set1.p14.default.class_id=authInfoAccessExtDefaultImpl
+policyset.set1.p14.default.name=AIA Extension Default
+policyset.set1.p14.default.params.authInfoAccessADEnable_0=false
+policyset.set1.p14.default.params.authInfoAccessADLocationType_0=URIName
+policyset.set1.p14.default.params.authInfoAccessADLocation_0=
+policyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.set1.p14.default.params.authInfoAccessCritical=false
+policyset.set1.p14.default.params.authInfoAccessNumADs=0
diff --git a/pki/base/ca/shared/profiles/ca/caTransportCert.cfg b/pki/base/ca/shared/profiles/ca/caTransportCert.cfg
new file mode 100644
index 000000000..a63e254c1
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caTransportCert.cfg
@@ -0,0 +1,80 @@
+desc=This certificate profile is for enrolling Data Recovery Manager transport certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=Manual Data Recovery Manager Transport Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=transportCertSet
+policyset.transportCertSet.list=1,2,3,4,5,6,8
+policyset.transportCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.transportCertSet.1.constraint.name=Subject Name Constraint
+policyset.transportCertSet.1.constraint.params.pattern=CN=.*
+policyset.transportCertSet.1.constraint.params.accept=true
+policyset.transportCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.transportCertSet.1.default.name=Subject Name Default
+policyset.transportCertSet.1.default.params.name=
+policyset.transportCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.transportCertSet.2.constraint.name=Validity Constraint
+policyset.transportCertSet.2.constraint.params.range=720
+policyset.transportCertSet.2.constraint.params.notBeforeCheck=false
+policyset.transportCertSet.2.constraint.params.notAfterCheck=false
+policyset.transportCertSet.2.default.class_id=validityDefaultImpl
+policyset.transportCertSet.2.default.name=Validity Default
+policyset.transportCertSet.2.default.params.range=720
+policyset.transportCertSet.2.default.params.startTime=0
+policyset.transportCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.transportCertSet.3.constraint.name=Key Constraint
+policyset.transportCertSet.3.constraint.params.keyType=-
+policyset.transportCertSet.3.constraint.params.keyMinLength=256
+policyset.transportCertSet.3.constraint.params.keyMaxLength=4096
+policyset.transportCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.transportCertSet.3.default.name=Key Default
+policyset.transportCertSet.4.constraint.class_id=noConstraintImpl
+policyset.transportCertSet.4.constraint.name=No Constraint
+policyset.transportCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.transportCertSet.4.default.name=Authority Key Identifier Default
+policyset.transportCertSet.5.constraint.class_id=noConstraintImpl
+policyset.transportCertSet.5.constraint.name=No Constraint
+policyset.transportCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.transportCertSet.5.default.name=AIA Extension Default
+policyset.transportCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.transportCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.transportCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.transportCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.transportCertSet.5.default.params.authInfoAccessCritical=false
+policyset.transportCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.transportCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.transportCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.transportCertSet.6.constraint.params.keyUsageCritical=true
+policyset.transportCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.transportCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.transportCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.transportCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.transportCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.transportCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.transportCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.transportCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.transportCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.transportCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.transportCertSet.6.default.name=Key Usage Default
+policyset.transportCertSet.6.default.params.keyUsageCritical=true
+policyset.transportCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.transportCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.transportCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.transportCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.transportCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.transportCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.transportCertSet.6.default.params.keyUsageCrlSign=false
+policyset.transportCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.transportCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.transportCertSet.8.constraint.name=No Constraint
+policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.transportCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.transportCertSet.8.default.name=Signing Alg
+policyset.transportCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caUserCert.cfg b/pki/base/ca/shared/profiles/ca/caUserCert.cfg
new file mode 100644
index 000000000..bd5932a76
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caUserCert.cfg
@@ -0,0 +1,96 @@
+desc=This certificate profile is for enrolling user certificates.
+visible=true
+enable=true
+enableBy=admin
+name=Manual User Dual-Use Certificate Enrollment
+auth.class_id=
+input.list=i1,i2,i3
+input.i1.class_id=keyGenInputImpl
+input.i2.class_id=subjectNameInputImpl
+input.i3.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=userCertSet
+policyset.userCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.userCertSet.1.constraint.name=Subject Name Constraint
+policyset.userCertSet.1.constraint.params.pattern=UID=.*
+policyset.userCertSet.1.constraint.params.accept=true
+policyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.userCertSet.1.default.name=Subject Name Default
+policyset.userCertSet.1.default.params.name=
+policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.userCertSet.2.constraint.name=Validity Constraint
+policyset.userCertSet.2.constraint.params.range=365
+policyset.userCertSet.2.constraint.params.notBeforeCheck=false
+policyset.userCertSet.2.constraint.params.notAfterCheck=false
+policyset.userCertSet.2.default.class_id=validityDefaultImpl
+policyset.userCertSet.2.default.name=Validity Default
+policyset.userCertSet.2.default.params.range=180
+policyset.userCertSet.2.default.params.startTime=0
+policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.userCertSet.3.constraint.name=Key Constraint
+policyset.userCertSet.3.constraint.params.keyType=-
+policyset.userCertSet.3.constraint.params.keyMinLength=256
+policyset.userCertSet.3.constraint.params.keyMaxLength=4096
+policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.userCertSet.3.default.name=Key Default
+policyset.userCertSet.4.constraint.class_id=noConstraintImpl
+policyset.userCertSet.4.constraint.name=No Constraint
+policyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.userCertSet.4.default.name=Authority Key Identifier Default
+policyset.userCertSet.5.constraint.class_id=noConstraintImpl
+policyset.userCertSet.5.constraint.name=No Constraint
+policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.userCertSet.5.default.name=AIA Extension Default
+policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.userCertSet.5.default.params.authInfoAccessCritical=false
+policyset.userCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.userCertSet.6.constraint.params.keyUsageCritical=true
+policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.userCertSet.6.default.name=Key Usage Default
+policyset.userCertSet.6.default.params.keyUsageCritical=true
+policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.default.params.keyUsageCrlSign=false
+policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.userCertSet.7.constraint.class_id=noConstraintImpl
+policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.userCertSet.7.default.params.exKeyUsageCritical=false
+policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.userCertSet.8.constraint.class_id=noConstraintImpl
+policyset.userCertSet.8.constraint.name=No Constraint
+policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.userCertSet.8.default.name=Subject Alt Name Constraint
+policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.userCertSet.9.constraint.name=No Constraint
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC
+policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.userCertSet.9.default.name=Signing Alg
+policyset.userCertSet.9.default.params.signingAlg=-
generated by cgit (git 2.34.1) at 2024-07-05 00:15:45 +0000