freeipa/ipatests/test_xmlrpc/data/smime-mod.cfg.tmpl

auth.instance_id=raCertAuth
classId=caEnrollImpl
desc=Certificate for S-MIME extension
enable=true
enableBy=ipara
input.i1.class_id=certReqInputImpl
input.i2.class_id=submitterInfoInputImpl
input.list=i1,i2
name=SMIME certificate profile
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=serverCertSet
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
policyset.serverCertSet.1.constraint.params.accept=true
policyset.serverCertSet.1.constraint.params.pattern=CN=refuse sign
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.1.default.name=Subject Name Default
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O={iparealm}
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=731
policyset.serverCertSet.2.default.params.startTime=0
policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.3.constraint.name=Key Constraint
policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.serverCertSet.3.constraint.params.keyType=RSA
policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
policyset.serverCertSet.3.default.name=Key Default
policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
policyset.serverCertSet.4.constraint.name=No Constraint
policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
policyset.serverCertSet.4.default.name=Authority Key Identifier Default
policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
policyset.serverCertSet.5.constraint.name=No Constraint
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.5.default.name=AIA Extension Default
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.{ipadomain}/ca/ocsp
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.serverCertSet.6.default.name=Key Usage Default
policyset.serverCertSet.6.default.params.keyUsageCritical=true
policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
policyset.serverCertSet.7.constraint.name=No Constraint
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.8.constraint.name=No Constraint
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.name=Signing Alg
policyset.serverCertSet.8.default.params.signingAlg=-
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.serverCertSet.9.default.params.crlDistPointsNum=1
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.{ipadomain}/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
policyset.serverCertSet.10.constraint.name=No Constraint
policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
policyset.serverCertSet.10.default.params.critical=false
policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
policyset.serverCertSet.11.constraint.name=No Constraint
policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.11.default.name=User Supplied Extension Default
policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
visible=false
ipatests: CA ACL and cert profile functional test https://fedorahosted.org/freeipa/ticket/57 Reviewed-By: Martin Basti <mbasti@redhat.com> 2015-09-22 08:22:25 -05:00			`auth.instance_id=raCertAuth`
			`classId=caEnrollImpl`
			`desc=Certificate for S-MIME extension`
			`enable=true`
			`enableBy=ipara`
			`input.i1.class_id=certReqInputImpl`
			`input.i2.class_id=submitterInfoInputImpl`
			`input.list=i1,i2`
			`name=SMIME certificate profile`
			`output.list=o1`
			`output.o1.class_id=certOutputImpl`
			`policyset.list=serverCertSet`
			`policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl`
			`policyset.serverCertSet.1.constraint.name=Subject Name Constraint`
			`policyset.serverCertSet.1.constraint.params.accept=true`
			`policyset.serverCertSet.1.constraint.params.pattern=CN=refuse sign`
			`policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl`
			`policyset.serverCertSet.1.default.name=Subject Name Default`
			`policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O={iparealm}`
			`policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl`
			`policyset.serverCertSet.2.constraint.name=Validity Constraint`
			`policyset.serverCertSet.2.constraint.params.notAfterCheck=false`
			`policyset.serverCertSet.2.constraint.params.notBeforeCheck=false`
			`policyset.serverCertSet.2.constraint.params.range=740`
			`policyset.serverCertSet.2.default.class_id=validityDefaultImpl`
			`policyset.serverCertSet.2.default.name=Validity Default`
			`policyset.serverCertSet.2.default.params.range=731`
			`policyset.serverCertSet.2.default.params.startTime=0`
			`policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl`
			`policyset.serverCertSet.3.constraint.name=Key Constraint`
			`policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096`
			`policyset.serverCertSet.3.constraint.params.keyType=RSA`
			`policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl`
			`policyset.serverCertSet.3.default.name=Key Default`
			`policyset.serverCertSet.4.constraint.class_id=noConstraintImpl`
			`policyset.serverCertSet.4.constraint.name=No Constraint`
			`policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl`
			`policyset.serverCertSet.4.default.name=Authority Key Identifier Default`
			`policyset.serverCertSet.5.constraint.class_id=noConstraintImpl`
			`policyset.serverCertSet.5.constraint.name=No Constraint`
			`policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl`
			`policyset.serverCertSet.5.default.name=AIA Extension Default`
			`policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true`
			`policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName`
			`policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.{ipadomain}/ca/ocsp`
			`policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1`
			`policyset.serverCertSet.5.default.params.authInfoAccessCritical=false`
			`policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1`
			`policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl`
			`policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint`
			`policyset.serverCertSet.6.constraint.params.keyUsageCritical=true`
			`policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false`
			`policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true`
			`policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false`
			`policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true`
			`policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false`
			`policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false`
			`policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false`
			`policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true`
			`policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true`
			`policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl`
			`policyset.serverCertSet.6.default.name=Key Usage Default`
			`policyset.serverCertSet.6.default.params.keyUsageCritical=true`
			`policyset.serverCertSet.6.default.params.keyUsageCrlSign=false`
			`policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true`
			`policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false`
			`policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true`
			`policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false`
			`policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false`
			`policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false`
			`policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true`
			`policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true`
			`policyset.serverCertSet.7.constraint.class_id=noConstraintImpl`
			`policyset.serverCertSet.7.constraint.name=No Constraint`
			`policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl`
			`policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default`
			`policyset.serverCertSet.7.default.params.exKeyUsageCritical=false`
			`policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4`
			`policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl`
			`policyset.serverCertSet.8.constraint.name=No Constraint`
Add SHA384withRSA as a certificate signing algorithm It required support in dogtag which was added in 10.5.0. This is only easily configurable during installation because it will set ca.signing.defaultSigningAlgorithm to the selected algorithm in CS.cfg The certificate profiles will generally by default set default.params.signingAlg=- which means use the CA default. So while an existing installation will technically allow SHA384withRSA it will require profile changes and/or changing the defaultSigningAlgorithm in CS.cfg and restarting (completely untested). And that won't affect already issued-certificates. https://pagure.io/freeipa/issue/8906 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 2021-06-30 12:15:45 -05:00			`policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC`
ipatests: CA ACL and cert profile functional test https://fedorahosted.org/freeipa/ticket/57 Reviewed-By: Martin Basti <mbasti@redhat.com> 2015-09-22 08:22:25 -05:00			`policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl`
			`policyset.serverCertSet.8.default.name=Signing Alg`
			`policyset.serverCertSet.8.default.params.signingAlg=-`
			`policyset.serverCertSet.9.constraint.class_id=noConstraintImpl`
			`policyset.serverCertSet.9.constraint.name=No Constraint`
			`policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl`
			`policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default`
			`policyset.serverCertSet.9.default.params.crlDistPointsCritical=false`
			`policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true`
			`policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca`
			`policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName`
			`policyset.serverCertSet.9.default.params.crlDistPointsNum=1`
			`policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.{ipadomain}/ipa/crl/MasterCRL.bin`
			`policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName`
			`policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=`
			`policyset.serverCertSet.10.constraint.class_id=noConstraintImpl`
			`policyset.serverCertSet.10.constraint.name=No Constraint`
			`policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl`
			`policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default`
			`policyset.serverCertSet.10.default.params.critical=false`
			`policyset.serverCertSet.11.constraint.class_id=noConstraintImpl`
			`policyset.serverCertSet.11.constraint.name=No Constraint`
			`policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl`
			`policyset.serverCertSet.11.default.name=User Supplied Extension Default`
			`policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17`
			`policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11`
			`visible=false`