mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
7995518921
The latest version of caIPAserviceCert profile includes a feature that is not available before Dogtag 10.4, and this version of the profile is intended for new installs only (otherwise, problems will arise in topologies containing CA replicas at an earlier version). But IPA versions before v4.2 did not use LDAP-based profiles, so the new version of the profile gets imported when upgrading from pre-v4.2 to v4.5 or later. We do not yet have a proper version- and topology-aware profile update mechanism, so to resolve this issue, ship the older version of the profile alongside the newer version, and make sure we use the older version when importing the profile in an upgrade context. https://pagure.io/freeipa/issue/7097 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
110 lines
6.8 KiB
INI
110 lines
6.8 KiB
INI
profileId=caIPAserviceCert
|
|
classId=caEnrollImpl
|
|
desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
|
|
visible=false
|
|
enable=true
|
|
enableBy=admin
|
|
auth.instance_id=raCertAuth
|
|
name=IPA-RA Agent-Authenticated Server Certificate Enrollment
|
|
input.list=i1,i2
|
|
input.i1.class_id=certReqInputImpl
|
|
input.i2.class_id=submitterInfoInputImpl
|
|
output.list=o1
|
|
output.o1.class_id=certOutputImpl
|
|
policyset.list=serverCertSet
|
|
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
|
|
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
|
|
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
|
|
policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
|
|
policyset.serverCertSet.1.constraint.params.accept=true
|
|
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
|
|
policyset.serverCertSet.1.default.name=Subject Name Default
|
|
policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
|
|
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
|
|
policyset.serverCertSet.2.constraint.name=Validity Constraint
|
|
policyset.serverCertSet.2.constraint.params.range=740
|
|
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
|
|
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
|
|
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
|
|
policyset.serverCertSet.2.default.name=Validity Default
|
|
policyset.serverCertSet.2.default.params.range=731
|
|
policyset.serverCertSet.2.default.params.startTime=0
|
|
policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
|
|
policyset.serverCertSet.3.constraint.name=Key Constraint
|
|
policyset.serverCertSet.3.constraint.params.keyType=RSA
|
|
policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,8192
|
|
policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
|
|
policyset.serverCertSet.3.default.name=Key Default
|
|
policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
|
|
policyset.serverCertSet.4.constraint.name=No Constraint
|
|
policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
|
|
policyset.serverCertSet.4.default.name=Authority Key Identifier Default
|
|
policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
|
|
policyset.serverCertSet.5.constraint.name=No Constraint
|
|
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
|
|
policyset.serverCertSet.5.default.name=AIA Extension Default
|
|
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
|
|
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
|
|
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
|
|
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
|
|
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
|
|
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
|
|
policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
|
|
policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
|
|
policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
|
|
policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
|
|
policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
|
|
policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
|
|
policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
|
|
policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
|
|
policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
|
|
policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
|
|
policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
|
|
policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
|
|
policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
|
|
policyset.serverCertSet.6.default.name=Key Usage Default
|
|
policyset.serverCertSet.6.default.params.keyUsageCritical=true
|
|
policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
|
|
policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
|
|
policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
|
|
policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
|
|
policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
|
|
policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
|
|
policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
|
|
policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
|
|
policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
|
|
policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
|
|
policyset.serverCertSet.7.constraint.name=No Constraint
|
|
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
|
|
policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
|
|
policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
|
|
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
|
|
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
|
|
policyset.serverCertSet.8.constraint.name=No Constraint
|
|
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
|
|
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
|
|
policyset.serverCertSet.8.default.name=Signing Alg
|
|
policyset.serverCertSet.8.default.params.signingAlg=-
|
|
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
|
|
policyset.serverCertSet.9.constraint.name=No Constraint
|
|
policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
|
|
policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
|
|
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
|
|
policyset.serverCertSet.9.default.params.crlDistPointsNum=1
|
|
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
|
|
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER
|
|
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
|
|
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
|
|
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
|
|
policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
|
|
policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
|
|
policyset.serverCertSet.10.constraint.name=No Constraint
|
|
policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
|
|
policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
|
|
policyset.serverCertSet.10.default.params.critical=false
|
|
policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
|
|
policyset.serverCertSet.11.constraint.name=No Constraint
|
|
policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
|
|
policyset.serverCertSet.11.default.name=User Supplied Extension Default
|
|
policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
|