caEnrollImpl IPA-RA Agent-Authenticated Server Certificate Enrollment
This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
true false ipara raCertAuth false false

certReqInputImpl Certificate Request Input cert_request_type Certificate Request Type cert_request Certificate Request
submitterInfoInputImpl Requestor Information string Requestor Name string Requestor Email string Requestor Phone
Certificate Output certOutputImpl pretty_print Certificate Pretty Print pretty_print Certificate Base-64 Encoded

serverCertSet

This default populates a Certificate Subject Name to the request. The default values are Subject Name=CN=$request.req_subject_name.cn$, O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM string Subject Name CN=$request.req_subject_name.cn$, {ipacertbase}
This constraint accepts the subject name that matches CN=[^,]+,.+ subjectNameConstraintImpl string Subject Name Pattern CN=[^,]+,.+

This default populates a Certificate Validity to the request. The default values are Range=731 in days string Not Before string Not After 731 0
This constraint rejects the validity that is not between 740 days. validityConstraintImpl integer Validity Range 365 740 string Validity Range Unit (default: day) day integer Grace period for Not Before being set in the future (in seconds). 0 boolean Check Not Before against current time false false boolean Check Not After against Not Before false false

This default populates a User-Supplied Certificate Key to the request. string readonly Key Type string readonly Key Length string readonly Key
This constraint accepts the key only if Key Type=RSA, Key Parameters =1024,2048,3072,4096 keyConstraintImpl choice -,RSA,EC Key Type RSA RSA string Key Lengths or Curves. For EC use comma separated list of curves, otherwise use list of key sizes. Ex: 1024,2048,4096,8192 or: nistp256,nistp384,nistp521,sect163k1,nistk163 for EC. 1024,2048,3072,4096

This default populates an Authority Key Identifier Extension (2.5.29.35) to the request. string readonly Criticality string readonly Key ID
No Constraint noConstraintImpl

This default populates a Authority Info Access Extension (1.3.6.1.5.5.7.1.1) to the request. The default values are Criticality=false, Record #0 ( Method:1.3.6.1.5.5.7.48.1,Location Type:URIName,Location:http://ipa-ca.{ipadomain}/ca/ocsp,Enable:true) boolean Criticality false string_list General Names false 1 1.3.6.1.5.5.7.48.1 URIName http://ipa-ca.{ipadomain}/ca/ocsp true
No Constraint noConstraintImpl

This default populates a Key Usage Extension (2.5.29.15) to the request. The default values are Criticality=true, Digital Signature=true, Non-Repudiation=true, Key Encipherment=true, Data Encipherment=true, Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false boolean Criticality false boolean Digital Signature false boolean Non-Repudiation false boolean Key Encipherment false boolean Data Encipherment false boolean Key Agreement false boolean Key CertSign false boolean CRL Sign false boolean Encipher Only false boolean Decipher Only false true true true true true false false false false false
This constraint accepts the Key Usage extension, if present, only when Criticality=true, Digital Signature=true, Non-Repudiation=true, Key Encipherment=true, Data Encipherment=true, Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false keyUsageExtConstraintImpl choice true,false,- Criticality - true choice true,false,- Digital Signature - true choice true,false,- Non-Repudiation - true choice true,false,- Key Encipherment - true choice true,false,- Data Encipherment - true choice true,false,- Key Agreement - false choice true,false,- Key CertSign - false choice true,false,- CRL Sign - false choice true,false,- Encipher Only - false choice true,false,- Decipher Only - false

This default populates an Extended Key Usage Extension () to the request. The default values are Criticality=false, OIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 boolean Criticality false string_list Comma-Separated list of Object Identifiers false 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
No Constraint noConstraintImpl

This default populates the Certificate Signing Algorithm. The default values are Algorithm=SHA256withRSA choice SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA Signing Algorithm -
This constraint accepts only the Signing Algorithms of SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC signingAlgConstraintImpl string Allowed Signing Algorithms SHA1withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC

This default populates a CRL Distribution Points Extension (2.5.29.31) to the request. The default values are Criticality=false, Record #0 Point Type:URIName,Point Name:http://ipa-ca.{ipadomain}/ipa/crl/MasterCRL.bin,Reasons:,Issuer Type:DirectoryName,Issuer Name:CN=Certificate Authority,o=ipaca,Enable:true) boolean Criticality false string_list CRL Distribution Points false 1 URIName http://ipa-ca.{ipadomain}/ipa/crl/MasterCRL.bin DirectoryName CN=Certificate Authority,o=ipaca true
No Constraint noConstraintImpl

This default populates a Subject Key Identifier Extension (2.5.29.14) to the request. string readonly Criticality string readonly Key ID
No Constraint noConstraintImpl

This default populates a User-Supplied Extension (2.5.29.17) to the request. string readonly Object Identifier 2.5.29.17
No Constraint noConstraintImpl