
Configuring Certificate Profiles

Endi S. Dewata edited this page May 11, 2023 · 7 revisions

Overview

Certificate profile templates are stored in /usr/share/pki/ca/profiles/ca. During CA installation, the certificate profiles will be copied into /var/lib/pki/<instance>/ca/profiles/ca. The profiles can be configured during installation (see Two-Step Installation) or after installation.

For IPA, the profiles will be imported into the database as well.

To manage CA certificate profiles, use PKI CA Profile CLI to ensure the profiles are updated properly regardless of storage location.

See also Bootstrap Profiles.

Configuration

To configure the certificate profile, edit the profile configuration file in /var/lib/pki/<instance>/ca/profiles/ca (not in /usr/share/pki/ca/profiles/ca):

desc=...
visible=...
enable=...
enableBy=...
auth.class_id=...
name=...
input.list=<list of inputs>
input.<input>.class_id=...
output.list=<list of outputs>
output.<output>.class_id=...
policyset.list=<list of policies>
policyset.<policy>.list=<list of numbers>
policyset.<policy>.<number>.constraint.class_id=...
policyset.<policy>.<number>.constraint.name=...
policyset.<policy>.<number>.constraint.params.<name>=...
policyset.<policy>.<number>.default.class_id=...
policyset.<policy>.<number>.default.name=...
policyset.<policy>.<number>.default.params.<name>=...

Enabling/Disabling Profile

To enable or disable a profile, set the enable parameter to true or false:

enable=<true|false>

Configuring Profile Visibility

To show or hide a profile, set the visible parameter to true or false:

visible=<true|false>

Configuring Profile Authentication

Profile authentication is configured using the auth.instance_id parameter. The supported values are:

  • No authentication (blank)

  • AgentCertAuth

  • CMCAuth

  • flatFileAuth

  • PinDirEnrollment

  • raCertAuth

  • SSLclientCertAuth

  • TokenAuth

  • UserDirEnrollment

Configuring SAN Extension

To add a SAN extension, add the following parameters:

policyset.<policy>.<number>.constraint.class_id=noConstraintImpl
policyset.<policy>.<number>.constraint.name=No Constraint
policyset.<policy>.<number>.constraint.subjAltNameExtCritical=false
policyset.<policy>.<number>.default.class_id=userExtensionDefaultImpl
policyset.<policy>.<number>.default.name=User Supplied Extension Default
policyset.<policy>.<number>.default.params.userExtOID=2.5.29.17
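As an added example (not code from the wiki or from Dogtag itself), the following Python checker reads a profile configuration in the key layout described above and reports policies that are listed in policyset.list but never defined, policy entries missing a constraint or default class_id, and enable/visible values that are not true or false. The sample profile is constructed for the example; the policy set name sanSet is an assumption.

```python
# Added example, not from the Dogtag wiki: validates the policyset layout
# described on this page. Sample input below is constructed.

def parse_profile(text):
    """Parse key=value lines into a dict; blank and '#' lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]  # lists are comma separated

def check_profile(cfg):
    """Return problems found; an empty list means the layout is consistent."""
    problems = []
    for flag in ("enable", "visible"):
        if cfg.get(flag) not in ("true", "false"):
            problems.append(f"{flag} must be true or false, got {cfg.get(flag)!r}")
    for policy in split_list(cfg.get("policyset.list", "")):
        numbers = split_list(cfg.get(f"policyset.{policy}.list", ""))
        if not numbers:
            problems.append(f"policyset.{policy}.list is missing or empty")
        for n in numbers:
            for part in ("constraint", "default"):
                if f"policyset.{policy}.{n}.{part}.class_id" not in cfg:
                    problems.append(f"policyset.{policy}.{n}.{part}.class_id is missing")
    return problems

# Constructed sample with two deliberate errors: enable=yes and a policy
# ("extraSet") that is listed but never defined. The SAN entry follows this page.
SAMPLE = """\
visible=true
enable=yes
auth.instance_id=AgentCertAuth
policyset.list=sanSet,extraSet
policyset.sanSet.list=1
policyset.sanSet.1.constraint.class_id=noConstraintImpl
policyset.sanSet.1.default.class_id=userExtensionDefaultImpl
policyset.sanSet.1.default.params.userExtOID=2.5.29.17
"""
```

Running check_profile(parse_profile(SAMPLE)) returns the two problems; fixing enable and dropping extraSet from policyset.list yields an empty list.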