freeipa/install/share/profiles/acmeIPAServerCert.cfg
Rob Crittenden 02e19d0a39 Add SHA384withRSA as a certificate signing algorithm
It required support in dogtag which was added in 10.5.0.

This is only easily configurable during installation because
it will set ca.signing.defaultSigningAlgorithm to the
selected algorithm in CS.cfg

The certificate profiles will generally by default set
default.params.signingAlg=- which means use the CA default.

So while an existing installation will technically allow
SHA384withRSA, it will require profile changes and/or
changing the defaultSigningAlgorithm in CS.cfg and
restarting (completely untested). And that won't affect
already-issued certificates.

https://pagure.io/freeipa/issue/8906

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-07-09 13:21:00 -04:00


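# ACME enrollment profile for IPA deployments, in Dogtag profile format.
# Dollar-prefixed tokens (agent group, CA record, domain, CRL issuer) are
# template placeholders that are filled in before the profile is loaded.
profileId=acmeIPAServerCert
classId=caEnrollImpl
desc=ACME profile for use in IPA deployments
visible=true
enable=true
enableBy=admin
auth.instance_id=SessionAuthentication
# Enrollment through this profile is restricted to the ACME agent group.
authz.acl=group="$ACME_AGENT_GROUP"
name=IPA ACME Service Certificate Enrollment
input.list=i1,i2
input.i1.class_id=certReqInputImpl
input.i2.class_id=submitterInfoInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
# 1: Key Usage (critical) - digitalSignature and keyEncipherment only.
#    The constraint mirrors the default values, so a request asking for
#    other key usages does not match.
policyset.serverCertSet.1.constraint.class_id=keyUsageExtConstraintImpl
policyset.serverCertSet.1.constraint.name=Key Usage Extension Constraint
policyset.serverCertSet.1.constraint.params.keyUsageCritical=true
policyset.serverCertSet.1.constraint.params.keyUsageDigitalSignature=true
policyset.serverCertSet.1.constraint.params.keyUsageNonRepudiation=false
policyset.serverCertSet.1.constraint.params.keyUsageDataEncipherment=false
policyset.serverCertSet.1.constraint.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.1.constraint.params.keyUsageKeyAgreement=false
policyset.serverCertSet.1.constraint.params.keyUsageKeyCertSign=false
policyset.serverCertSet.1.constraint.params.keyUsageCrlSign=false
policyset.serverCertSet.1.constraint.params.keyUsageEncipherOnly=false
policyset.serverCertSet.1.constraint.params.keyUsageDecipherOnly=false
policyset.serverCertSet.1.default.class_id=keyUsageExtDefaultImpl
policyset.serverCertSet.1.default.name=Key Usage Default
policyset.serverCertSet.1.default.params.keyUsageCritical=true
policyset.serverCertSet.1.default.params.keyUsageDigitalSignature=true
policyset.serverCertSet.1.default.params.keyUsageNonRepudiation=false
policyset.serverCertSet.1.default.params.keyUsageDataEncipherment=false
policyset.serverCertSet.1.default.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.1.default.params.keyUsageKeyAgreement=false
policyset.serverCertSet.1.default.params.keyUsageKeyCertSign=false
policyset.serverCertSet.1.default.params.keyUsageCrlSign=false
policyset.serverCertSet.1.default.params.keyUsageEncipherOnly=false
policyset.serverCertSet.1.default.params.keyUsageDecipherOnly=false
# 2: Extended Key Usage (non-critical) - serverAuth (1.3.6.1.5.5.7.3.1)
#    and clientAuth (1.3.6.1.5.5.7.3.2).
policyset.serverCertSet.2.constraint.class_id=noConstraintImpl
policyset.serverCertSet.2.constraint.name=No Constraint
policyset.serverCertSet.2.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.serverCertSet.2.default.name=Extended Key Usage Extension Default
policyset.serverCertSet.2.default.params.exKeyUsageCritical=false
policyset.serverCertSet.2.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
# 3: Subject Key Identifier (non-critical).
policyset.serverCertSet.3.constraint.class_id=noConstraintImpl
policyset.serverCertSet.3.constraint.name=No Constraint
policyset.serverCertSet.3.default.class_id=subjectKeyIdentifierExtDefaultImpl
policyset.serverCertSet.3.default.name=Subject Key Identifier Extension Default
policyset.serverCertSet.3.default.params.critical=false
# 4: Authority Key Identifier.
policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
policyset.serverCertSet.4.constraint.name=No Constraint
policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
policyset.serverCertSet.4.default.name=Authority Key Identifier Default
# 5: Authority Information Access (non-critical) - a single OCSP
#    (1.3.6.1.5.5.7.48.1) access descriptor pointing at the IPA CA's
#    responder over plain HTTP, which is normal for OCSP URLs.
policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
policyset.serverCertSet.5.constraint.name=No Constraint
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.5.default.name=AIA Extension Default
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
# 6: Copy the Subject Alternative Name extension (2.5.29.17) from the CSR.
#    This is the only requester-controlled extension that is carried over.
policyset.serverCertSet.6.constraint.class_id=noConstraintImpl
policyset.serverCertSet.6.constraint.name=No Constraint
policyset.serverCertSet.6.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.6.default.name=User supplied extension in CSR
policyset.serverCertSet.6.default.params.userExtOID=2.5.29.17
# 7: Validity - a range of 90 (days, Dogtag's default unit), starting now;
#    the constraint caps requested validity at the same range.
policyset.serverCertSet.7.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.7.constraint.name=Validity Constraint
policyset.serverCertSet.7.constraint.params.range=90
policyset.serverCertSet.7.constraint.params.notBeforeCheck=false
policyset.serverCertSet.7.constraint.params.notAfterCheck=false
policyset.serverCertSet.7.default.class_id=validityDefaultImpl
policyset.serverCertSet.7.default.name=Validity Default
policyset.serverCertSet.7.default.params.range=90
policyset.serverCertSet.7.default.params.startTime=0
# 8: Signing algorithm. The default "-" defers to the CA's own
#    ca.signing.defaultSigningAlgorithm (CS.cfg); the allow-list limits what
#    may be chosen to SHA-2 RSA and EC algorithms. The constraint name now
#    reflects that a constraint is applied, and the list no longer repeats
#    SHA384withRSA.
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.8.constraint.name=Signing Algorithm Constraint
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.name=Signing Alg
policyset.serverCertSet.8.default.params.signingAlg=-
# 9: Populate the CN from the SAN when the CSR's subject has none.
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=sanToCNDefaultImpl
policyset.serverCertSet.9.default.name=SAN to CN Default
# 10: Subject key constraint - RSA only, with the listed modulus sizes
#     (2048 bits minimum) accepted from the requester's key.
policyset.serverCertSet.10.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.10.constraint.name=Key Constraint
policyset.serverCertSet.10.constraint.params.keyType=RSA
policyset.serverCertSet.10.constraint.params.keyParameters=2048,3072,4096,8192
policyset.serverCertSet.10.default.class_id=userKeyDefaultImpl
policyset.serverCertSet.10.default.name=Key Default
# 11: CRL Distribution Points (non-critical) - one point giving the IPA
#     master CRL URI and the CRL issuer's directory name.
policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
policyset.serverCertSet.11.constraint.name=No Constraint
policyset.serverCertSet.11.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.11.default.name=CRL Distribution Points Extension Default
policyset.serverCertSet.11.default.params.crlDistPointsCritical=false
policyset.serverCertSet.11.default.params.crlDistPointsNum=1
policyset.serverCertSet.11.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.11.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER
policyset.serverCertSet.11.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.serverCertSet.11.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
policyset.serverCertSet.11.default.params.crlDistPointsPointType_0=URIName
policyset.serverCertSet.11.default.params.crlDistPointsReasons_0=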