mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
c0d55ce6de
The initial implementation of ACME in dogtag and IPA required that ACME be manually enabled on each CA. dogtag added a REST API that can be access directly or through the `pki acme` CLI tool to enable or disable the service. It also abstracted the database connection and introduced the concept of a realm which defines the DIT for ACME users and groups, the URL and the identity. This is configured in realm.conf. A new group was created, Enterprise ACME Administrators, that controls the users allowed to modify ACME configuration. The IPA RA is added to this group for the ipa-acme-manage tool to authenticate to the API to enable/disable ACME. Related dogtag installation documentation: https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring_ACME_Database.md https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring_ACME_Realm.md https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Installing_PKI_ACME_Responder.md ACME REST API: https://github.com/dogtagpki/pki/wiki/PKI-ACME-Enable-REST-API https://pagure.io/freeipa/issue/8524 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
108 lines
6.5 KiB
INI
108 lines
6.5 KiB
INI
profileId=acmeIPAServerCert
|
|
classId=caEnrollImpl
|
|
desc=ACME profile for use in IPA deployments
|
|
visible=true
|
|
enable=true
|
|
enableBy=admin
|
|
auth.instance_id=SessionAuthentication
|
|
authz.acl=group="$ACME_AGENT_GROUP"
|
|
name=IPA ACME Service Certificate Enrollment
|
|
input.list=i1,i2
|
|
input.i1.class_id=certReqInputImpl
|
|
input.i2.class_id=submitterInfoInputImpl
|
|
output.list=o1
|
|
output.o1.class_id=certOutputImpl
|
|
policyset.list=serverCertSet
|
|
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
|
|
policyset.serverCertSet.1.constraint.class_id=keyUsageExtConstraintImpl
|
|
policyset.serverCertSet.1.constraint.name=Key Usage Extension Constraint
|
|
policyset.serverCertSet.1.constraint.params.keyUsageCritical=true
|
|
policyset.serverCertSet.1.constraint.params.keyUsageDigitalSignature=true
|
|
policyset.serverCertSet.1.constraint.params.keyUsageNonRepudiation=false
|
|
policyset.serverCertSet.1.constraint.params.keyUsageDataEncipherment=false
|
|
policyset.serverCertSet.1.constraint.params.keyUsageKeyEncipherment=true
|
|
policyset.serverCertSet.1.constraint.params.keyUsageKeyAgreement=false
|
|
policyset.serverCertSet.1.constraint.params.keyUsageKeyCertSign=false
|
|
policyset.serverCertSet.1.constraint.params.keyUsageCrlSign=false
|
|
policyset.serverCertSet.1.constraint.params.keyUsageEncipherOnly=false
|
|
policyset.serverCertSet.1.constraint.params.keyUsageDecipherOnly=false
|
|
policyset.serverCertSet.1.default.class_id=keyUsageExtDefaultImpl
|
|
policyset.serverCertSet.1.default.name=Key Usage Default
|
|
policyset.serverCertSet.1.default.params.keyUsageCritical=true
|
|
policyset.serverCertSet.1.default.params.keyUsageDigitalSignature=true
|
|
policyset.serverCertSet.1.default.params.keyUsageNonRepudiation=false
|
|
policyset.serverCertSet.1.default.params.keyUsageDataEncipherment=false
|
|
policyset.serverCertSet.1.default.params.keyUsageKeyEncipherment=true
|
|
policyset.serverCertSet.1.default.params.keyUsageKeyAgreement=false
|
|
policyset.serverCertSet.1.default.params.keyUsageKeyCertSign=false
|
|
policyset.serverCertSet.1.default.params.keyUsageCrlSign=false
|
|
policyset.serverCertSet.1.default.params.keyUsageEncipherOnly=false
|
|
policyset.serverCertSet.1.default.params.keyUsageDecipherOnly=false
|
|
policyset.serverCertSet.2.constraint.class_id=noConstraintImpl
|
|
policyset.serverCertSet.2.constraint.name=No Constraint
|
|
policyset.serverCertSet.2.default.class_id=extendedKeyUsageExtDefaultImpl
|
|
policyset.serverCertSet.2.default.name=Extended Key Usage Extension Default
|
|
policyset.serverCertSet.2.default.params.exKeyUsageCritical=false
|
|
policyset.serverCertSet.2.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
|
|
policyset.serverCertSet.3.constraint.class_id=noConstraintImpl
|
|
policyset.serverCertSet.3.constraint.name=No Constraint
|
|
policyset.serverCertSet.3.default.class_id=subjectKeyIdentifierExtDefaultImpl
|
|
policyset.serverCertSet.3.default.name=Subject Key Identifier Extension Default
|
|
policyset.serverCertSet.3.default.params.critical=false
|
|
policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
|
|
policyset.serverCertSet.4.constraint.name=No Constraint
|
|
policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
|
|
policyset.serverCertSet.4.default.name=Authority Key Identifier Default
|
|
policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
|
|
policyset.serverCertSet.5.constraint.name=No Constraint
|
|
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
|
|
policyset.serverCertSet.5.default.name=AIA Extension Default
|
|
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
|
|
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
|
|
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
|
|
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
|
|
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
|
|
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
|
|
policyset.serverCertSet.6.constraint.class_id=noConstraintImpl
|
|
policyset.serverCertSet.6.constraint.name=No Constraint
|
|
policyset.serverCertSet.6.default.class_id=userExtensionDefaultImpl
|
|
policyset.serverCertSet.6.default.name=User supplied extension in CSR
|
|
policyset.serverCertSet.6.default.params.userExtOID=2.5.29.17
|
|
policyset.serverCertSet.7.constraint.class_id=validityConstraintImpl
|
|
policyset.serverCertSet.7.constraint.name=Validity Constraint
|
|
policyset.serverCertSet.7.constraint.params.range=90
|
|
policyset.serverCertSet.7.constraint.params.notBeforeCheck=false
|
|
policyset.serverCertSet.7.constraint.params.notAfterCheck=false
|
|
policyset.serverCertSet.7.default.class_id=validityDefaultImpl
|
|
policyset.serverCertSet.7.default.name=Validity Default
|
|
policyset.serverCertSet.7.default.params.range=90
|
|
policyset.serverCertSet.7.default.params.startTime=0
|
|
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
|
|
policyset.serverCertSet.8.constraint.name=No Constraint
|
|
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
|
|
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
|
|
policyset.serverCertSet.8.default.name=Signing Alg
|
|
policyset.serverCertSet.8.default.params.signingAlg=-
|
|
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
|
|
policyset.serverCertSet.9.constraint.name=No Constraint
|
|
policyset.serverCertSet.9.default.class_id=sanToCNDefaultImpl
|
|
policyset.serverCertSet.9.default.name=SAN to CN Default
|
|
policyset.serverCertSet.10.constraint.class_id=keyConstraintImpl
|
|
policyset.serverCertSet.10.constraint.name=Key Constraint
|
|
policyset.serverCertSet.10.constraint.params.keyType=RSA
|
|
policyset.serverCertSet.10.constraint.params.keyParameters=2048,3072,4096,8192
|
|
policyset.serverCertSet.10.default.class_id=userKeyDefaultImpl
|
|
policyset.serverCertSet.10.default.name=Key Default
|
|
policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
|
|
policyset.serverCertSet.11.constraint.name=No Constraint
|
|
policyset.serverCertSet.11.default.class_id=crlDistributionPointsExtDefaultImpl
|
|
policyset.serverCertSet.11.default.name=CRL Distribution Points Extension Default
|
|
policyset.serverCertSet.11.default.params.crlDistPointsCritical=false
|
|
policyset.serverCertSet.11.default.params.crlDistPointsNum=1
|
|
policyset.serverCertSet.11.default.params.crlDistPointsEnable_0=true
|
|
policyset.serverCertSet.11.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER
|
|
policyset.serverCertSet.11.default.params.crlDistPointsIssuerType_0=DirectoryName
|
|
policyset.serverCertSet.11.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
|
|
policyset.serverCertSet.11.default.params.crlDistPointsPointType_0=URIName
|
|
policyset.serverCertSet.11.default.params.crlDistPointsReasons_0=
|