author | Rob Crittenden <rcritten@redhat.com> | 2009-04-17 17:17:31 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2009-05-04 16:54:42 -0400 |
commit | dfe9db55484339a8a9f2ce3bd057bd9702bb9579 (patch) | |
tree | fb99b81da54e189d6ea08c47348b4e044990ecbc /install | |
parent | 36c239cda44c3e816a3ffd95957f2d49f434f62b (diff) | |
Add signing profile to CA installation so we can sign the firefox jar file.
Use the requestId we get back from the CA when requesting the RA agent cert
and use that to issue the certificate rather than hardcoding 7.
This also adds some clean-up of file permissions and leaking fds
Diffstat (limited to 'install')
-rw-r--r-- | install/share/Makefile.am | 1 | ||||
-rw-r--r-- | install/share/caJarSigningCert.cfg.template | 88 |
2 files changed, 89 insertions, 0 deletions
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 6ef43ba24..3a2ef87d5 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -10,6 +10,7 @@ app_DATA = \
 60basev2.ldif \
 60policyv2.ldif \
 bootstrap-template.ldif \
+ caJarSigningCert.cfg.template \
 default-aci.ldif \
 default-keytypes.ldif \
 kerberos.ldif \
diff --git a/install/share/caJarSigningCert.cfg.template b/install/share/caJarSigningCert.cfg.template
new file mode 100644
index 000000000..9f018553a
--- /dev/null
+++ b/install/share/caJarSigningCert.cfg.template
@@ -0,0 +1,88 @@
+desc=Jar Signing certificate to auto-configure Firefox
+enable=true
+enableBy=admin
+lastModified=1239836280692
+name=Manual Jar Signing Certificate Enrollment
+visible=true
+auth.class_id=
+auth.instance_id=raCertAuth
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=caJarSigningSet
+policyset.caJarSigningSet.list=1,2,3,6,7,9
+policyset.caJarSigningSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.caJarSigningSet.1.constraint.name=Subject Name Constraint
+policyset.caJarSigningSet.1.constraint.params.accept=true
+policyset.caJarSigningSet.1.constraint.params.pattern=.*
+policyset.caJarSigningSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.caJarSigningSet.1.default.name=Subject Name Default
+policyset.caJarSigningSet.1.default.params.name=
+policyset.caJarSigningSet.2.constraint.class_id=validityConstraintImpl
+policyset.caJarSigningSet.2.constraint.name=Validity Constraint
+policyset.caJarSigningSet.2.constraint.params.notAfterCheck=false
+policyset.caJarSigningSet.2.constraint.params.notBeforeCheck=false
+policyset.caJarSigningSet.2.constraint.params.range=2922
+policyset.caJarSigningSet.2.default.class_id=validityDefaultImpl
+policyset.caJarSigningSet.2.default.name=Validity Default
+policyset.caJarSigningSet.2.default.params.range=1461
+policyset.caJarSigningSet.2.default.params.startTime=60
+policyset.caJarSigningSet.3.constraint.class_id=keyConstraintImpl
+policyset.caJarSigningSet.3.constraint.name=Key Constraint
+policyset.caJarSigningSet.3.constraint.params.keyMaxLength=4096
+policyset.caJarSigningSet.3.constraint.params.keyMinLength=1024
+policyset.caJarSigningSet.3.constraint.params.keyType=-
+policyset.caJarSigningSet.3.default.class_id=userKeyDefaultImpl
+policyset.caJarSigningSet.3.default.name=Key Default
+policyset.caJarSigningSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.caJarSigningSet.6.constraint.name=Key Usage Extension Constraint
+policyset.caJarSigningSet.6.constraint.params.keyUsageCritical=-
+policyset.caJarSigningSet.6.constraint.params.keyUsageCrlSign=-
+policyset.caJarSigningSet.6.constraint.params.keyUsageDataEncipherment=-
+policyset.caJarSigningSet.6.constraint.params.keyUsageDecipherOnly=-
+policyset.caJarSigningSet.6.constraint.params.keyUsageDigitalSignature=-
+policyset.caJarSigningSet.6.constraint.params.keyUsageEncipherOnly=-
+policyset.caJarSigningSet.6.constraint.params.keyUsageKeyAgreement=-
+policyset.caJarSigningSet.6.constraint.params.keyUsageKeyCertSign=-
+policyset.caJarSigningSet.6.constraint.params.keyUsageKeyEncipherment=-
+policyset.caJarSigningSet.6.constraint.params.keyUsageNonRepudiation=-
+policyset.caJarSigningSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.caJarSigningSet.6.default.name=Key Usage Default
+policyset.caJarSigningSet.6.default.params.keyUsageCritical=true
+policyset.caJarSigningSet.6.default.params.keyUsageCrlSign=false
+policyset.caJarSigningSet.6.default.params.keyUsageDataEncipherment=false
+policyset.caJarSigningSet.6.default.params.keyUsageDecipherOnly=false
+policyset.caJarSigningSet.6.default.params.keyUsageDigitalSignature=true
+policyset.caJarSigningSet.6.default.params.keyUsageEncipherOnly=false
+policyset.caJarSigningSet.6.default.params.keyUsageKeyAgreement=false
+policyset.caJarSigningSet.6.default.params.keyUsageKeyCertSign=true
+policyset.caJarSigningSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.caJarSigningSet.6.default.params.keyUsageNonRepudiation=false
+policyset.caJarSigningSet.7.constraint.class_id=nsCertTypeExtConstraintImpl
+policyset.caJarSigningSet.7.constraint.name=Netscape Certificate Type Extension Constraint
+policyset.caJarSigningSet.7.constraint.params.nsCertCritical=-
+policyset.caJarSigningSet.7.constraint.params.nsCertEmail=-
+policyset.caJarSigningSet.7.constraint.params.nsCertEmailCA=-
+policyset.caJarSigningSet.7.constraint.params.nsCertObjectSigning=-
+policyset.caJarSigningSet.7.constraint.params.nsCertObjectSigningCA=-
+policyset.caJarSigningSet.7.constraint.params.nsCertSSLCA=-
+policyset.caJarSigningSet.7.constraint.params.nsCertSSLClient=-
+policyset.caJarSigningSet.7.constraint.params.nsCertSSLServer=-
+policyset.caJarSigningSet.7.default.class_id=nsCertTypeExtDefaultImpl
+policyset.caJarSigningSet.7.default.name=Netscape Certificate Type Extension Default
+policyset.caJarSigningSet.7.default.params.nsCertCritical=false
+policyset.caJarSigningSet.7.default.params.nsCertEmail=false
+policyset.caJarSigningSet.7.default.params.nsCertEmailCA=false
+policyset.caJarSigningSet.7.default.params.nsCertObjectSigning=true
+policyset.caJarSigningSet.7.default.params.nsCertObjectSigningCA=false
+policyset.caJarSigningSet.7.default.params.nsCertSSLCA=false
+policyset.caJarSigningSet.7.default.params.nsCertSSLClient=false
+policyset.caJarSigningSet.7.default.params.nsCertSSLServer=false
+policyset.caJarSigningSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.caJarSigningSet.9.constraint.name=No Constraint
+policyset.caJarSigningSet.9.constraint.params.signingAlgsAllowed=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC
+policyset.caJarSigningSet.9.default.class_id=signingAlgDefaultImpl
+policyset.caJarSigningSet.9.default.name=Signing Alg
+policyset.caJarSigningSet.9.default.params.signingAlg=- |
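Review bot: Policy 6's key-usage default sets `keyUsageKeyCertSign=true` on what is an end-entity object-signing profile, and the matching constraint leaves every bit as `-` (which appears to mean unconstrained), so nothing in the profile narrows it. A jar-signing certificate needs only `keyUsageDigitalSignature=true`, so I would change the line to `policyset.caJarSigningSet.6.default.params.keyUsageKeyCertSign=false`. The policy list `1,2,3,6,7,9` has no basic-constraints entry, so whether the issued certificate is treated as a non-CA is left to the relying party's path validation rather than stated by the profile. Separately, policy 9 still allows `MD5withRSA` and `MD2withRSA`, and policy 3 accepts 1024-bit keys; for a certificate that clients trust to apply browser configuration I would narrow to `signingAlgsAllowed=SHA256withRSA,SHA512withRSA` and raise `keyMinLength` to 2048.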