ACME Server Certificate Profile - dogtagpki/pki GitHub Wiki
The CA provides a profile for issuing server certificates through the ACME responder. The profile is located at /usr/share/pki/ca/profiles/ca/acmeServerCert.cfg.

```
profileId=acmeServerCert
classId=caEnrollImpl
desc=This certificate profile is for enrolling server certificates via ACME protocol.
visible=true
enable=true
enableBy=admin
auth.instance_id=SessionAuthentication
authz.acl=group=Certificate Manager Agents
name=ACME Server Certificate Enrollment
input.list=i1,i2
input.i1.class_id=certReqInputImpl
input.i2.class_id=submitterInfoInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=serverCertSet
policyset.serverCertSet.list=...
```

Enrollment through this profile requires an authenticated CA session (SessionAuthentication), and the authz.acl limits it to members of the Certificate Manager Agents group, so the ACME responder must authenticate to the CA as an agent. ACME clients do not reach this profile directly; they talk to the ACME responder, which submits the enrollment request on their behalf.
This policy creates a critical key usage extension with the following values:

- Digital Signature
- Key Encipherment

```
<prefix>.constraint.class_id=keyUsageExtConstraintImpl
<prefix>.constraint.name=Key Usage Extension Constraint
<prefix>.constraint.params.keyUsageCritical=true
<prefix>.constraint.params.keyUsageDigitalSignature=true
<prefix>.constraint.params.keyUsageNonRepudiation=false
<prefix>.constraint.params.keyUsageDataEncipherment=false
<prefix>.constraint.params.keyUsageKeyEncipherment=true
<prefix>.constraint.params.keyUsageKeyAgreement=false
<prefix>.constraint.params.keyUsageKeyCertSign=false
<prefix>.constraint.params.keyUsageCrlSign=false
<prefix>.constraint.params.keyUsageEncipherOnly=false
<prefix>.constraint.params.keyUsageDecipherOnly=false
<prefix>.default.class_id=keyUsageExtDefaultImpl
<prefix>.default.name=Key Usage Default
<prefix>.default.params.keyUsageCritical=true
<prefix>.default.params.keyUsageDigitalSignature=true
<prefix>.default.params.keyUsageNonRepudiation=false
<prefix>.default.params.keyUsageDataEncipherment=false
<prefix>.default.params.keyUsageKeyEncipherment=true
<prefix>.default.params.keyUsageKeyAgreement=false
<prefix>.default.params.keyUsageKeyCertSign=false
<prefix>.default.params.keyUsageCrlSign=false
<prefix>.default.params.keyUsageEncipherOnly=false
<prefix>.default.params.keyUsageDecipherOnly=false
```
This policy creates a non-critical extended key usage extension with the following values:

- TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)
- TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)

```
<prefix>.constraint.class_id=noConstraintImpl
<prefix>.constraint.name=No Constraint
<prefix>.default.class_id=extendedKeyUsageExtDefaultImpl
<prefix>.default.name=Extended Key Usage Extension Default
<prefix>.default.params.exKeyUsageCritical=false
<prefix>.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
```
This policy adds a critical basic constraints extension with the following parameters:

- CA: false

```
<prefix>.constraint.class_id=basicConstraintsExtConstraintImpl
<prefix>.constraint.name=Basic Constraint Extension Constraint
<prefix>.constraint.params.basicConstraintsCritical=true
<prefix>.constraint.params.basicConstraintsIsCA=false
<prefix>.constraint.params.basicConstraintsMinPathLen=-1
<prefix>.constraint.params.basicConstraintsMaxPathLen=-1
<prefix>.default.class_id=basicConstraintsExtDefaultImpl
<prefix>.default.name=Basic Constraints Extension Default
<prefix>.default.params.basicConstraintsCritical=true
<prefix>.default.params.basicConstraintsIsCA=false
<prefix>.default.params.basicConstraintsPathLen=-1
```
This policy adds an Authority Key Identifier extension, which the CA fills in from the issuing certificate's key identifier; no constraint is applied:

```
<prefix>.constraint.class_id=noConstraintImpl
<prefix>.constraint.name=No Constraint
<prefix>.default.class_id=authorityKeyIdentifierExtDefaultImpl
<prefix>.default.name=Authority Key Identifier Default
```
This policy generates a non-critical Authority Information Access extension with the following values:

- OCSP - URI:http://ocsp.example.com
- CA Issuers - URI:http://cert.example.com

```
<prefix>.constraint.class_id=noConstraintImpl
<prefix>.constraint.name=No Constraint
<prefix>.default.class_id=authInfoAccessExtDefaultImpl
<prefix>.default.name=AIA Extension Default
<prefix>.default.params.authInfoAccessADEnable_0=true
<prefix>.default.params.authInfoAccessADLocationType_0=URIName
<prefix>.default.params.authInfoAccessADLocation_0=http://ocsp.example.com
<prefix>.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
<prefix>.default.params.authInfoAccessADEnable_1=true
<prefix>.default.params.authInfoAccessADLocationType_1=URIName
<prefix>.default.params.authInfoAccessADLocation_1=http://cert.example.com
<prefix>.default.params.authInfoAccessADMethod_1=1.3.6.1.5.5.7.48.2
<prefix>.default.params.authInfoAccessCritical=false
<prefix>.default.params.authInfoAccessNumADs=2
```

The example.com URIs are placeholders: replace them with the OCSP responder and CA issuer locations that clients of this CA can actually reach, otherwise revocation checking and chain building from the issued certificates will fail.
This policy copies the Subject Alternative Name extension (OID 2.5.29.17) from the CSR into the issued certificate without applying any constraint:

```
<prefix>.constraint.class_id=noConstraintImpl
<prefix>.constraint.name=No Constraint
<prefix>.default.class_id=userExtensionDefaultImpl
<prefix>.default.name=User supplied extension in CSR
<prefix>.default.params.userExtOID=2.5.29.17
```

The profile itself does not validate the requested names; it relies on the ACME responder having completed the ACME challenges for every identifier before it submits the request. Access to the profile must therefore stay limited to the ACME responder (see the authz.acl above): any other principal that can enroll through it can obtain a certificate for whatever DNS names it puts in a CSR.
This policy gives the certificate a 90-day validity period starting at issuance time (startTime=0). The constraint caps the requested range at 90 days but does not perform the additional notBefore/notAfter checks (both are false).

```
<prefix>.constraint.class_id=validityConstraintImpl
<prefix>.constraint.name=Validity Constraint
<prefix>.constraint.params.range=90
<prefix>.constraint.params.notBeforeCheck=false
<prefix>.constraint.params.notAfterCheck=false
<prefix>.default.class_id=validityDefaultImpl
<prefix>.default.name=Validity Default
<prefix>.default.params.range=90
<prefix>.default.params.startTime=0
```
This policy takes the subject public key from the CSR (userKeyDefaultImpl) and constrains it to RSA keys of 1024, 2048, 3072 or 4096 bits:

```
<prefix>.constraint.class_id=keyConstraintImpl
<prefix>.constraint.name=Key Constraint
<prefix>.constraint.params.keyType=RSA
<prefix>.constraint.params.keyParameters=1024,2048,3072,4096
<prefix>.default.class_id=userKeyDefaultImpl
<prefix>.default.name=Key Default
```

Note that 1024-bit RSA is still accepted by this constraint. The CA/Browser Forum Baseline Requirements, whose domain-validated policy OID this profile asserts in the Certificate Policies extension below, require at least 2048-bit RSA subscriber keys, so consider removing 1024 from keyParameters.
This policy signs the certificate with the CA's default signing algorithm (signingAlg=-) and restricts the algorithms that may be used to the SHA-2 family:

```
<prefix>.constraint.class_id=signingAlgConstraintImpl
<prefix>.constraint.name=No Constraint
<prefix>.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
<prefix>.default.class_id=signingAlgDefaultImpl
<prefix>.default.name=Signing Alg
<prefix>.default.params.signingAlg=-
```
This policy sets the certificate subject DN to CN=<hostname>, where <hostname> is the first DNS name in the SAN extension of the request:

```
<prefix>.constraint.class_id=noConstraintImpl
<prefix>.constraint.name=No Constraint
<prefix>.default.class_id=sanToCNDefaultImpl
<prefix>.default.name=SAN to CN Default
<prefix>.default.params.name=
```
This policy generates a Certificate Policies extension with the following values:

- Policy: 2.23.140.1.2.1
- Policy: 1.3.6.1.4.1.44947.1.1.1, with CPS URI http://cps.example.com

```
<prefix>.constraint.class_id=noConstraintImpl
<prefix>.constraint.name=No Constraint
<prefix>.default.class_id=certificatePoliciesExtDefaultImpl
<prefix>.default.name=Certificate Policies Extension Default
<prefix>.default.params.PoliciesExt.num=2
<prefix>.default.params.PoliciesExt.certPolicy0.enable=true
<prefix>.default.params.PoliciesExt.certPolicy0.policyId=2.23.140.1.2.1
<prefix>.default.params.PoliciesExt.certPolicy1.enable=true
<prefix>.default.params.PoliciesExt.certPolicy1.policyId=1.3.6.1.4.1.44947.1.1.1
<prefix>.default.params.PoliciesExt.certPolicy1.PolicyQualifiers.num=1
<prefix>.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=true
<prefix>.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=http://cps.example.com
```

2.23.140.1.2.1 is the CA/Browser Forum domain-validated policy identifier. The second policy OID sits under the ISRG (Let's Encrypt) enterprise arc and the CPS URI is a placeholder; an operator deploying this profile should replace both with the policy OID and CPS location of their own CA rather than assert another CA's policy.
This policy adds a non-critical Subject Key Identifier extension derived from the subject public key; no constraint is applied:

```
<prefix>.constraint.class_id=noConstraintImpl
<prefix>.constraint.name=No Constraint
<prefix>.default.class_id=subjectKeyIdentifierExtDefaultImpl
<prefix>.default.name=Subject Key Identifier Extension Default
<prefix>.default.params.critical=false
```
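The policies above are easy to review by eye once, but profiles drift as they are edited. The following script is an added example, not code from the dogtagpki/pki project: it parses the key=value format of a profile file with the standard library only, groups the entries by policy, and flags the settings a reviewer of the key usage, basic constraints, EKU, validity and key constraint policies would question (a CA:true basic constraint, a signing key usage bit, a validity over 90 days, or the 1024-bit RSA size this profile still allows), then shows the corrected key constraint beside the weak one. SAMPLE_PROFILE is constructed from the fragments on this page with the `<prefix>` placeholders filled in as policyset.serverCertSet.N, the numbering Dogtag profiles use; the real file contains more policies, and the MIN_RSA_BITS and MAX_VALIDITY_DAYS thresholds are this example's own choices.

```python
"""Lint a Dogtag CA profile (key=value .cfg) for the settings discussed above.
Added example, not part of dogtagpki/pki. Thresholds are the example's own."""
from __future__ import annotations

import re
from collections import defaultdict

MIN_RSA_BITS = 2048         # CA/Browser Forum minimum for RSA subscriber keys
MAX_VALIDITY_DAYS = 90      # what the ACME profile intends
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"

# Constructed sample: a subset of acmeServerCert.cfg as shown on this page,
# with <prefix> replaced by policyset.serverCertSet.N (an assumed numbering).
SAMPLE_PROFILE = """\
profileId=acmeServerCert
authz.acl=group=Certificate Manager Agents
policyset.serverCertSet.list=1,2,3,4,5
policyset.serverCertSet.1.default.class_id=keyUsageExtDefaultImpl
policyset.serverCertSet.1.default.params.keyUsageCritical=true
policyset.serverCertSet.1.default.params.keyUsageKeyCertSign=false
policyset.serverCertSet.1.default.params.keyUsageCrlSign=false
policyset.serverCertSet.2.default.class_id=basicConstraintsExtDefaultImpl
policyset.serverCertSet.2.default.params.basicConstraintsIsCA=false
policyset.serverCertSet.3.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.3.constraint.params.range=90
policyset.serverCertSet.3.default.class_id=validityDefaultImpl
policyset.serverCertSet.3.default.params.range=90
policyset.serverCertSet.4.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.4.constraint.params.keyType=RSA
policyset.serverCertSet.4.constraint.params.keyParameters=1024,2048,3072,4096
policyset.serverCertSet.4.default.class_id=userKeyDefaultImpl
policyset.serverCertSet.5.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.serverCertSet.5.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
"""


def parse_profile(text: str) -> dict[str, str]:
    """Parse key=value lines. A value may itself contain '=' (authz.acl=group=...),
    so split on the first '=' only; blank lines and '#' comments are skipped."""
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def policies(cfg: dict[str, str], policyset: str = "serverCertSet") -> dict[str, dict[str, str]]:
    """Group keys under policyset.<set>.<n>. into one dict per policy number."""
    pat = re.compile(rf"^policyset\.{re.escape(policyset)}\.(\d+)\.(.+)$")
    grouped: dict[str, dict[str, str]] = defaultdict(dict)
    for key, value in cfg.items():
        m = pat.match(key)
        if m:
            grouped[m.group(1)][m.group(2)] = value
    return dict(grouped)


def _csv(value: str) -> list[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


def lint_profile(cfg: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: list[str] = []
    for n, p in sorted(policies(cfg).items(), key=lambda kv: int(kv[0])):
        default, constraint = p.get("default.class_id"), p.get("constraint.class_id")
        if default == "keyUsageExtDefaultImpl":
            if p.get("default.params.keyUsageCritical") != "true":
                findings.append(f"policy {n}: key usage extension should be critical")
            for bit in ("keyUsageKeyCertSign", "keyUsageCrlSign"):
                if p.get(f"default.params.{bit}") == "true":
                    findings.append(f"policy {n}: end-entity profile must not set {bit}")
        elif default == "basicConstraintsExtDefaultImpl":
            if p.get("default.params.basicConstraintsIsCA") != "false":
                findings.append(f"policy {n}: basic constraints must be CA:false")
        elif default == "extendedKeyUsageExtDefaultImpl":
            if SERVER_AUTH_OID not in _csv(p.get("default.params.exKeyUsageOIDs", "")):
                findings.append(f"policy {n}: EKU lacks TLS server authentication")
        elif constraint == "validityConstraintImpl":
            for side in ("constraint", "default"):   # both carry a range= value
                days = int(p.get(f"{side}.params.range", "0"))
                if days > MAX_VALIDITY_DAYS:
                    findings.append(f"policy {n}: {side} validity {days}d exceeds {MAX_VALIDITY_DAYS}d")
        elif constraint == "keyConstraintImpl" and p.get("constraint.params.keyType") == "RSA":
            weak = [int(s) for s in _csv(p.get("constraint.params.keyParameters", "")) if int(s) < MIN_RSA_BITS]
            if weak:
                findings.append(f"policy {n}: RSA sizes below {MIN_RSA_BITS} bits allowed: {weak}")
    return findings


def harden_key_sizes(cfg: dict[str, str], min_bits: int = MIN_RSA_BITS) -> dict[str, str]:
    """Return a copy of cfg with RSA sizes below min_bits dropped from every
    keyConstraintImpl policy: the corrected keyParameters beside the weak one."""
    out = dict(cfg)
    for key, value in cfg.items():
        if key.endswith(".constraint.class_id") and value == "keyConstraintImpl":
            prefix = key[: -len(".constraint.class_id")]
            if out.get(f"{prefix}.constraint.params.keyType") == "RSA":
                pkey = f"{prefix}.constraint.params.keyParameters"
                out[pkey] = ",".join(s for s in _csv(out.get(pkey, "")) if int(s) >= min_bits)
    return out


if __name__ == "__main__":
    profile = parse_profile(SAMPLE_PROFILE)
    print("\n".join(lint_profile(profile) or ["no findings"]))
    print("after hardening:", lint_profile(harden_key_sizes(profile)) or "no findings")
```

Run it against the real file with `parse_profile(open("/usr/share/pki/ca/profiles/ca/acmeServerCert.cfg").read())`; on the sample above the only finding is the 1024-bit RSA size, and it disappears once harden_key_sizes has rewritten keyParameters to 2048,3072,4096.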