Using caServerCert Profile

Endi S. Dewata edited this page Oct 12, 2021 · 4 revisions

Overview

The CA provides a profile for issuing a server certificate. The profile is located at /usr/share/pki/ca/profiles/ca/caServerCert.cfg.

desc=This certificate profile is for enrolling server certificates.
visible=true
enable=true
enableBy=admin
auth.class_id=
name=Manual Server Certificate Enrollment
input.list=i1,i2
input.i1.class_id=certReqInputImpl
input.i2.class_id=submitterInfoInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=serverCertSet
policyset.serverCertSet.list=...

Certificate Subject Name

<prefix>.constraint.class_id=subjectNameConstraintImpl
<prefix>.constraint.name=Subject Name Constraint
<prefix>.constraint.params.pattern=.*CN=.*
<prefix>.constraint.params.accept=true
<prefix>.default.class_id=userSubjectNameDefaultImpl
<prefix>.default.name=Subject Name Default
<prefix>.default.params.name=

Certificate Validity

<prefix>.constraint.class_id=validityConstraintImpl
<prefix>.constraint.name=Validity Constraint
<prefix>.constraint.params.range=720
<prefix>.constraint.params.notBeforeCheck=false
<prefix>.constraint.params.notAfterCheck=false
<prefix>.default.class_id=validityDefaultImpl
<prefix>.default.name=Validity Default
<prefix>.default.params.range=720
<prefix>.default.params.startTime=0

Certificate Key

<prefix>.constraint.class_id=keyConstraintImpl
<prefix>.constraint.name=Key Constraint
<prefix>.constraint.params.keyType=RSA
<prefix>.constraint.params.keyParameters=1024,2048,3072,4096
<prefix>.default.class_id=userKeyDefaultImpl
<prefix>.default.name=Key Default

Authority Key Identifier Extension

<prefix>.constraint.class_id=noConstraintImpl
<prefix>.constraint.name=No Constraint
<prefix>.default.class_id=authorityKeyIdentifierExtDefaultImpl
<prefix>.default.name=Authority Key Identifier Default

Authority Information Access Extension

<prefix>.constraint.class_id=noConstraintImpl
<prefix>.constraint.name=No Constraint
<prefix>.default.class_id=authInfoAccessExtDefaultImpl
<prefix>.default.name=AIA Extension Default
<prefix>.default.params.authInfoAccessADEnable_0=true
<prefix>.default.params.authInfoAccessADLocationType_0=URIName
<prefix>.default.params.authInfoAccessADLocation_0=
<prefix>.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
<prefix>.default.params.authInfoAccessCritical=false
<prefix>.default.params.authInfoAccessNumADs=1

Key Usage Extension

<prefix>.constraint.class_id=keyUsageExtConstraintImpl
<prefix>.constraint.name=Key Usage Extension Constraint
<prefix>.constraint.params.keyUsageCritical=true
<prefix>.constraint.params.keyUsageDigitalSignature=true
<prefix>.constraint.params.keyUsageNonRepudiation=false
<prefix>.constraint.params.keyUsageDataEncipherment=true
<prefix>.constraint.params.keyUsageKeyEncipherment=true
<prefix>.constraint.params.keyUsageKeyAgreement=false
<prefix>.constraint.params.keyUsageKeyCertSign=false
<prefix>.constraint.params.keyUsageCrlSign=false
<prefix>.constraint.params.keyUsageEncipherOnly=false
<prefix>.constraint.params.keyUsageDecipherOnly=false
<prefix>.default.class_id=keyUsageExtDefaultImpl
<prefix>.default.name=Key Usage Default
<prefix>.default.params.keyUsageCritical=true
<prefix>.default.params.keyUsageDigitalSignature=true
<prefix>.default.params.keyUsageNonRepudiation=false
<prefix>.default.params.keyUsageDataEncipherment=true
<prefix>.default.params.keyUsageKeyEncipherment=true
<prefix>.default.params.keyUsageKeyAgreement=false
<prefix>.default.params.keyUsageKeyCertSign=false
<prefix>.default.params.keyUsageCrlSign=false
<prefix>.default.params.keyUsageEncipherOnly=false
<prefix>.default.params.keyUsageDecipherOnly=false

Extended Key Usage Extension

<prefix>.constraint.class_id=noConstraintImpl
<prefix>.constraint.name=No Constraint
<prefix>.default.class_id=extendedKeyUsageExtDefaultImpl
<prefix>.default.name=Extended Key Usage Extension Default
<prefix>.default.params.exKeyUsageCritical=false
<prefix>.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2

Certificate Signing Algorithm

<prefix>.constraint.class_id=signingAlgConstraintImpl
<prefix>.constraint.name=No Constraint
<prefix>.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
<prefix>.default.class_id=signingAlgDefaultImpl
<prefix>.default.name=Signing Alg
<prefix>.default.params.signingAlg=-

Subject Alternative Name Extension

<prefix>.constraint.class_id=noConstraintImpl
<prefix>.constraint.name=No Constraint
<prefix>.default.class_id=commonNameToSANDefaultImpl
<prefix>.default.name=Copy Common Name to Subject Alternative Name Extension
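The constraint entries above are what the CA evaluates to accept or reject an enrollment request. The following is an added example (not Dogtag's own code) that models that evaluation in a simplified form: it parses a constructed excerpt of the profile in the same key=value layout, with `<prefix>` expanded to `policyset.serverCertSet.<n>`, walks `policyset.list` and `policyset.serverCertSet.list`, and checks a request against each `*ConstraintImpl`. The `Request` type, the `check_request` function and the way each constraint class is interpreted (whole-string regex match for the subject pattern, `range` in days, `-` as don't-care for a key usage bit) are assumptions made for this example, not Dogtag's actual implementation.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the constraint half of a caServerCert-style profile,
# with <prefix> expanded to policyset.serverCertSet.<n>. The values mirror
# the settings on this page, but the text is assembled here, not copied
# from a running CA.
PROFILE_CFG = """
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2,3,4,5
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.params.pattern=.*CN=.*
policyset.serverCertSet.1.constraint.params.accept=true
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.params.range=720
policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.3.constraint.params.keyType=RSA
policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.serverCertSet.4.constraint.class_id=keyUsageExtConstraintImpl
policyset.serverCertSet.4.constraint.params.keyUsageCritical=true
policyset.serverCertSet.4.constraint.params.keyUsageDigitalSignature=true
policyset.serverCertSet.4.constraint.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.4.constraint.params.keyUsageKeyCertSign=false
policyset.serverCertSet.5.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.5.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA
"""


def parse_profile(text: str) -> Dict[str, str]:
    """Parse key=value lines into a dict; blank and comment lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def constraints(cfg: Dict[str, str]) -> List[Tuple[str, Dict[str, str]]]:
    """Walk policyset.list -> policyset.<set>.list -> each constraint entry."""
    found = []
    for pset in cfg["policyset.list"].split(","):
        for n in cfg[f"policyset.{pset}.list"].split(","):
            base = f"policyset.{pset}.{n}.constraint."
            pbase = base + "params."
            params = {k[len(pbase):]: v for k, v in cfg.items() if k.startswith(pbase)}
            found.append((cfg[base + "class_id"], params))
    return found


@dataclass
class Request:
    """Hypothetical flattened view of an enrollment request (assumption)."""
    subject: str                 # e.g. "CN=server.example.com,O=Example"
    key_type: str                # "RSA" or "EC"
    key_bits: int
    validity_days: int
    key_usage: Dict[str, bool]   # key usage bit -> asserted, plus "critical"
    signing_alg: str


def check_request(cfg: Dict[str, str], req: Request) -> List[str]:
    """Return the reasons the profile would reject req; an empty list means accepted."""
    problems = []
    for class_id, p in constraints(cfg):
        if class_id == "subjectNameConstraintImpl":
            # accept=true: subject must match the pattern; accept=false: must not.
            hit = re.fullmatch(p["pattern"], req.subject) is not None
            if hit != (p.get("accept", "true") == "true"):
                problems.append(f"subject {req.subject!r} fails pattern {p['pattern']!r}")
        elif class_id == "validityConstraintImpl":
            if req.validity_days > int(p["range"]):   # range is in days
                problems.append(f"validity {req.validity_days}d exceeds range {p['range']}d")
        elif class_id == "keyConstraintImpl":
            allowed = {int(b) for b in p["keyParameters"].split(",")}
            if req.key_type != p["keyType"] or req.key_bits not in allowed:
                problems.append(f"key {req.key_type}-{req.key_bits} not in {p['keyType']} {sorted(allowed)}")
        elif class_id == "keyUsageExtConstraintImpl":
            for name, want in p.items():
                if not name.startswith("keyUsage") or want == "-":
                    continue                      # "-" treated as don't-care (assumption)
                bit = name[len("keyUsage"):]
                bit = bit[0].lower() + bit[1:]    # keyUsageKeyCertSign -> keyCertSign
                if req.key_usage.get(bit, False) != (want == "true"):
                    problems.append(f"keyUsage {bit} must be {want}")
        elif class_id == "signingAlgConstraintImpl":
            if req.signing_alg not in p["signingAlgsAllowed"].split(","):
                problems.append(f"signing algorithm {req.signing_alg} not allowed")
        elif class_id != "noConstraintImpl":
            problems.append(f"unknown constraint {class_id}")
    return problems


def evaluate(text: str, req: Request) -> List[str]:
    return check_request(parse_profile(text), req)


# Constructed requests: one the profile accepts, one it rejects on every constraint.
GOOD = Request("CN=server.example.com,O=Example", "RSA", 2048, 365,
               {"critical": True, "digitalSignature": True, "keyEncipherment": True}, "SHA256withRSA")
BAD = Request("O=Example", "RSA", 1536, 1000,
              {"critical": True, "digitalSignature": True, "keyEncipherment": True, "keyCertSign": True},
              "SHA1withRSA")

if __name__ == "__main__":
    for label, r in (("good", GOOD), ("bad", BAD)):
        print(label, evaluate(PROFILE_CFG, r) or "accepted")
```

Running the script reports the accepted request and lists the five rejection reasons for the second one. Note that, as configured on this page, `keyParameters=1024,2048,3072,4096` means a 1024-bit RSA request passes the key constraint; a deployment that wants a stricter floor tightens `keyParameters` in the profile rather than relying on the request side.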

Usage

This certificate profile is for enrolling server certificates.

$ pki client-cert-request "cn=server.example.com" --profile caServerCert