Certificate Usages - dogtagpki/pki GitHub Wiki
- CheckAllUsages
- SSLServer
- SSLServerWithStepUp
- SSLClient
- SSLCA
- AnyCA
- StatusResponder
- ObjectSigner
- UserCertImport
- ProtectedObjectSigner
- VerifyCA
- EmailSigner
- EmailRecipient
The system certificate usages are defined in the CS.cfg in the following parameter:
- <subsystem>.cert.<cert>.certusage
For example:
ca.cert.signing.certusage=SSLCA
ca.cert.ocsp_signing.certusage=StatusResponder
ca.cert.sslserver.certusage=SSLServer
ca.cert.subsystem.certusage=SSLClient
ca.cert.audit_signing.certusage=ObjectSigner
The default values are defined below.
| Subsystem | Certificate | Usages |
|---|---|---|
| ca | signing | SSLCA |
| ca | ocsp_signing | StatusResponder |
| ca | sslserver | SSLServer |
| ca | subsystem | SSLClient |
| ca | audit_signing | ObjectSigner |

| Subsystem | Certificate | Usages |
|---|---|---|
| kra | transport | SSLClient |
| kra | storage | SSLClient |
| kra | sslserver | SSLServer |
| kra | subsystem | SSLClient |
| kra | audit_signing | ObjectSigner |

| Subsystem | Certificate | Usages |
|---|---|---|
| ocsp | signing | StatusResponder |
| ocsp | sslserver | SSLServer |
| ocsp | subsystem | SSLClient |
| ocsp | audit_signing | ObjectSigner |

| Subsystem | Certificate | Usages |
|---|---|---|
| tks | sslserver | SSLServer |
| tks | subsystem | SSLClient |
| tks | audit_signing | ObjectSigner |

| Subsystem | Certificate | Usages |
|---|---|---|
| tps | sslserver | SSLServer |
| tps | subsystem | SSLClient |
| tps | audit_signing | ObjectSigner |
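
A drift check for the certusage parameters against the default tables above, as an added example that is not part of the wiki or the Dogtag project's code. The function name audit_certusage, the verdict labels and the sample input are assumptions made for illustration, and the script assumes one usage value per parameter, as in the examples on this page.

```shell
#!/bin/sh
# Default usages from the tables on this page, as <subsystem>.<cert>=<usage>.
DEFAULTS="ca.signing=SSLCA ca.ocsp_signing=StatusResponder ca.sslserver=SSLServer \
ca.subsystem=SSLClient ca.audit_signing=ObjectSigner kra.transport=SSLClient \
kra.storage=SSLClient kra.sslserver=SSLServer kra.subsystem=SSLClient \
kra.audit_signing=ObjectSigner ocsp.signing=StatusResponder \
ocsp.sslserver=SSLServer ocsp.subsystem=SSLClient ocsp.audit_signing=ObjectSigner \
tks.sslserver=SSLServer tks.subsystem=SSLClient tks.audit_signing=ObjectSigner \
tps.sslserver=SSLServer tps.subsystem=SSLClient tps.audit_signing=ObjectSigner"
# Usage names listed at the top of this page.
KNOWN="CheckAllUsages SSLServer SSLServerWithStepUp SSLClient SSLCA AnyCA \
StatusResponder ObjectSigner UserCertImport ProtectedObjectSigner VerifyCA \
EmailSigner EmailRecipient"

# audit_certusage (hypothetical helper): read CS.cfg text on stdin, print one
# verdict per certusage line, and return 1 if any line is not OK.
audit_certusage() {
  awk -F= -v defaults="$DEFAULTS" -v known="$KNOWN" '
    BEGIN {
      n = split(defaults, d, " ")
      for (i = 1; i <= n; i++) { split(d[i], kv, "="); def[kv[1]] = kv[2] }
      n = split(known, k, " ")
      for (i = 1; i <= n; i++) ok[k[i]] = 1
    }
    $1 ~ /^[a-z]+\.cert\.[A-Za-z0-9_]+\.certusage$/ {
      split($1, p, /\./); id = p[1] "." p[3]      # e.g. ca.sslserver
      val = $2; gsub(/[ \t\r]/, "", val)          # drop stray whitespace and CR
      if (!(val in ok))        { print "UNKNOWN " id " " val; bad = 1 }
      else if (!(id in def))   { print "NODEFAULT " id " " val; bad = 1 }
      else if (val != def[id]) { print "DRIFT " id " " val " expected=" def[id]; bad = 1 }
      else                     { print "OK " id " " val }
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample, not a real CS.cfg: one default value, one changed, one typo.
SAMPLE_CFG='ca.cert.signing.certusage=SSLCA
ca.cert.sslserver.certusage=SSLClient
ca.cert.audit_signing.certusage=ObjectSignr
ca.cert.signing.nickname=ca_signing'

printf '%s\n' "$SAMPLE_CFG" | audit_certusage || echo "deviations found"
```

A DRIFT line is not necessarily an error, since the parameter is configurable, but it marks a certificate that will be validated against a usage other than the documented default.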
To validate a system certificate on the server, specify the subsystem name and the certificate ID:
$ pki-server cert-validate ca_signing
The system certificate will be validated against the corresponding usage above.
To validate a certificate in the client NSS database, specify the nickname and the usage in the following command:
$ pki client-cert-validate caadmin --certusage SSLClient