Server Certificate Profile - dogtagpki/pki GitHub Wiki
The CA provides a profile for issuing a server certificate. The profile is located at /usr/share/pki/ca/profiles/ca/caServerCert.cfg.
```
desc=This certificate profile is for enrolling server certificates.
visible=true
enable=true
enableBy=admin
auth.class_id=
name=Manual Server Certificate Enrollment
input.list=i1,i2
input.i1.class_id=certReqInputImpl
input.i2.class_id=submitterInfoInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=serverCertSet
policyset.serverCertSet.list=...
```

```
<prefix>.constraint.class_id=subjectNameConstraintImpl
<prefix>.constraint.name=Subject Name Constraint
<prefix>.constraint.params.pattern=.*CN=.*
<prefix>.constraint.params.accept=true
<prefix>.default.class_id=userSubjectNameDefaultImpl
<prefix>.default.name=Subject Name Default
<prefix>.default.params.name=
```

```
<prefix>.constraint.class_id=validityConstraintImpl
<prefix>.constraint.name=Validity Constraint
<prefix>.constraint.params.range=720
<prefix>.constraint.params.notBeforeCheck=false
<prefix>.constraint.params.notAfterCheck=false
<prefix>.default.class_id=validityDefaultImpl
<prefix>.default.name=Validity Default
<prefix>.default.params.range=720
<prefix>.default.params.startTime=0
```

```
<prefix>.constraint.class_id=keyConstraintImpl
<prefix>.constraint.name=Key Constraint
<prefix>.constraint.params.keyType=RSA
<prefix>.constraint.params.keyParameters=1024,2048,3072,4096
<prefix>.default.class_id=userKeyDefaultImpl
<prefix>.default.name=Key Default
```

```
<prefix>.constraint.class_id=noConstraintImpl
<prefix>.constraint.name=No Constraint
<prefix>.default.class_id=authorityKeyIdentifierExtDefaultImpl
<prefix>.default.name=Authority Key Identifier Default
```

```
<prefix>.constraint.class_id=noConstraintImpl
<prefix>.constraint.name=No Constraint
<prefix>.default.class_id=authInfoAccessExtDefaultImpl
<prefix>.default.name=AIA Extension Default
<prefix>.default.params.authInfoAccessADEnable_0=true
<prefix>.default.params.authInfoAccessADLocationType_0=URIName
<prefix>.default.params.authInfoAccessADLocation_0=
<prefix>.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
<prefix>.default.params.authInfoAccessCritical=false
<prefix>.default.params.authInfoAccessNumADs=1
```

```
<prefix>.constraint.class_id=keyUsageExtConstraintImpl
<prefix>.constraint.name=Key Usage Extension Constraint
<prefix>.constraint.params.keyUsageCritical=true
<prefix>.constraint.params.keyUsageDigitalSignature=true
<prefix>.constraint.params.keyUsageNonRepudiation=false
<prefix>.constraint.params.keyUsageDataEncipherment=true
<prefix>.constraint.params.keyUsageKeyEncipherment=true
<prefix>.constraint.params.keyUsageKeyAgreement=false
<prefix>.constraint.params.keyUsageKeyCertSign=false
<prefix>.constraint.params.keyUsageCrlSign=false
<prefix>.constraint.params.keyUsageEncipherOnly=false
<prefix>.constraint.params.keyUsageDecipherOnly=false
<prefix>.default.class_id=keyUsageExtDefaultImpl
<prefix>.default.name=Key Usage Default
<prefix>.default.params.keyUsageCritical=true
<prefix>.default.params.keyUsageDigitalSignature=true
<prefix>.default.params.keyUsageNonRepudiation=false
<prefix>.default.params.keyUsageDataEncipherment=true
<prefix>.default.params.keyUsageKeyEncipherment=true
<prefix>.default.params.keyUsageKeyAgreement=false
<prefix>.default.params.keyUsageKeyCertSign=false
<prefix>.default.params.keyUsageCrlSign=false
<prefix>.default.params.keyUsageEncipherOnly=false
<prefix>.default.params.keyUsageDecipherOnly=false
```

```
<prefix>.constraint.class_id=noConstraintImpl
<prefix>.constraint.name=No Constraint
<prefix>.default.class_id=extendedKeyUsageExtDefaultImpl
<prefix>.default.name=Extended Key Usage Extension Default
<prefix>.default.params.exKeyUsageCritical=false
<prefix>.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
```

```
<prefix>.constraint.class_id=signingAlgConstraintImpl
<prefix>.constraint.name=No Constraint
<prefix>.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
<prefix>.default.class_id=signingAlgDefaultImpl
<prefix>.default.name=Signing Alg
<prefix>.default.params.signingAlg=-
```

```
<prefix>.constraint.class_id=noConstraintImpl
<prefix>.constraint.name=No Constraint
<prefix>.default.class_id=commonNameToSANDefaultImpl
<prefix>.default.name=Copy Common Name to Subject Alternative Name Extension
```

This certificate profile is for enrolling server certificates.

```
$ pki client-cert-request "cn=pki.example.com" --profile caServerCert
```
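
An added example, not part of the Dogtag wiki or code base: a small audit of the profile's policy entries that flags settings a reviewer would question before enabling the profile, such as the 1024-bit RSA size accepted by the key constraint. The numeric policy ids in the sample, the thresholds `min_rsa_bits` and `max_days`, and the reading of `range` as days are assumptions.

```python
import re

# Constructed sample: values are those in the profile above; the numeric policy
# ids (2, 3, 7) standing in for <prefix> are assumptions for illustration.
SAMPLE_CFG = """\
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.params.range=720
policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.3.constraint.params.keyType=RSA
policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
"""

EKU_NAMES = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth"}

def parse_policies(text):
    """Group key=value lines by policy prefix into constraint/default dicts."""
    policies = {}
    for line in text.splitlines():
        m = re.match(r"\s*(?!#)(.+?)\.(constraint|default)\.([^=]+)=(.*)$", line)
        if m:
            prefix, kind, key, value = m.groups()
            entry = policies.setdefault(prefix, {"constraint": {}, "default": {}})
            entry[kind][key] = value.strip()
    return policies

def audit(text, min_rsa_bits=2048, max_days=398):
    """Return (prefix, finding) pairs; both thresholds are assumed local policy."""
    findings = []
    for prefix, pol in sorted(parse_policies(text).items()):
        con, dflt = pol["constraint"], pol["default"]
        if con.get("class_id") == "keyConstraintImpl" and con.get("params.keyType") == "RSA":
            sizes = con.get("params.keyParameters", "").split(",")
            weak = [s for s in sizes if s.isdigit() and int(s) < min_rsa_bits]
            if weak:
                findings.append((prefix, "accepts RSA keys below %d bits: %s" % (min_rsa_bits, ",".join(weak))))
        if con.get("class_id") == "validityConstraintImpl":
            days = int(con.get("params.range", "0"))  # assumed to be in days
            if days > max_days:
                findings.append((prefix, "validity range %d exceeds %d days" % (days, max_days)))
        if dflt.get("class_id") == "extendedKeyUsageExtDefaultImpl":
            ekus = [EKU_NAMES.get(o, o) for o in dflt.get("params.exKeyUsageOIDs", "").split(",")]
            if "clientAuth" in ekus:
                findings.append((prefix, "EKU also permits clientAuth: " + ",".join(ekus)))
    return findings
```

Calling `audit()` on the text of a profile file returns one entry per questionable policy, keyed by the policy prefix so the matching lines can be found and tightened.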