
Exporting Certificate Profile

Endi S. Dewata edited this page May 11, 2023 · 2 revisions

Overview

This page describes how to export a certificate profile from the CA.

Exporting Certificate Profile into XML Format

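To export the profile configuration into XML format, run the following command. The -n caadmin option selects the client certificate nickname used to authenticate to the CA: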

$ pki -n caadmin ca-profile-show caUserCert --output caUserCert.xml
--------------------
Profile "caUserCert"
--------------------
------------------------------------------
Saved profile caUserCert to caUserCert.xml
------------------------------------------

The output file will look like the following:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Profile xmlns:ns2="http://www.w3.org/2005/Atom" id="caUserCert">
    <!-- Abridged sample of the exported caUserCert profile; each "..." line marks content left out of this listing. -->
    <!-- Element names appear in mixed casing in this sample (ClassID/classId, Attribute/attributes,
         Descriptor/descriptor). XML names are case-sensitive, so keep the casing exactly as exported
         when editing the file. -->

    <classId>caEnrollImpl</classId>
    <name>Manual User Dual-Use Certificate Enrollment</name>
    <description>This certificate profile is for enrolling user certificates.</description>
    <enabled>true</enabled>
    <visible>true</visible>
    <enabledBy>caadmin</enabledBy>
    <!-- NOTE(review): authzAcl is empty in this sample; presumably no profile-level authorization
         rule is set. Confirm that is intended before reusing the profile. -->
    <authzAcl></authzAcl>
    <renewal>false</renewal>
    <xmlOutput>false</xmlOutput>

    <!-- Input i1 declares two request attributes: cert_request_type and cert_request. -->
    <Input id="i1">
        <ClassID>keyGenInputImpl</ClassID>
        <Name>Key Generation</Name>
        <Attribute name="cert_request_type">
            <Descriptor>
                <Syntax>keygen_request_type</Syntax>
                <Description>Key Generation Request Type</Description>
            </Descriptor>
        </Attribute>
        <Attribute name="cert_request">
            <Descriptor>
                <Syntax>keygen_request</Syntax>
                <Description>Key Generation Request</Description>
            </Descriptor>
        </Attribute>
    </Input>

    ...

    <!-- Output o1 lists two attributes, pretty_cert and b64_cert; both carry the pretty_print syntax in this sample. -->
    <Output id="o1">
        <name>Certificate Output</name>
        <classId>certOutputImpl</classId>
        <attributes name="pretty_cert">
            <Descriptor>
                <Syntax>pretty_print</Syntax>
                <Description>Certificate Pretty Print</Description>
            </Descriptor>
        </attributes>
        <attributes name="b64_cert">
            <Descriptor>
                <Syntax>pretty_print</Syntax>
                <Description>Certificate Base-64 Encoded</Description>
            </Descriptor>
        </attributes>
    </Output>

    <!-- Policy set userCertSet; only entry 1 (a subject name default paired with a constraint) is shown. -->
    <PolicySets>
        <PolicySet>
            <id>userCertSet</id>
            <value id="1">
                <def id="Subject Name Default" classId="userSubjectNameDefaultImpl">
                    <description>This default populates a User-Supplied Certificate Subject Name to the request.</description>
                    <policyAttribute name="name">
                        <Descriptor>
                            <Syntax>string</Syntax>
                            <Description>Subject Name</Description>
                        </Descriptor>
                    </policyAttribute>
                </def>
                <!-- The subject name is user-supplied (see the default above) and the pattern UID=.* places
                     no restriction on what follows "UID=". NOTE(review): check that the pattern is as
                     strict as the deployment needs before enabling or copying this profile. -->
                <constraint id="Subject Name Constraint">
                    <description>This constraint accepts the subject name that matches UID=.*</description>
                    <classId>subjectNameConstraintImpl</classId>
                    <constraint id="pattern">
                        <descriptor>
                            <Syntax>string</Syntax>
                            <Description>Subject Name Pattern</Description>
                        </descriptor>
                        <value>UID=.*</value>
                    </constraint>
                </constraint>
            </value>

            ...

        </PolicySet>
    </PolicySets>

    <!-- Self link to the profile's REST resource; pki.example.com is a placeholder host. -->
    <link href="https://pki.example.com:8443/ca/rest/profiles/caUserCert" rel="self"/>

</Profile>

Exporting Certificate Profile into Raw Format

To export the profile configuration into raw format (the key=value form shown below), add the --raw option:

$ pki -n caadmin ca-profile-show caUserCert --output caUserCert.cfg --raw
------------------------------------------
Saved profile caUserCert to caUserCert.cfg
------------------------------------------

The output file will look like the following:

#Tue Jul 10 00:58:57 CEST 2018
# Abridged sample; the "..." line at the end marks entries left out of this listing.
# Entries in this sample are not grouped or sorted: policyset.* keys are interleaved with
# input.* and output.* keys. Sort both files before diffing two exports.
policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.userCertSet.7.constraint.class_id=noConstraintImpl
policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.userCertSet.3.constraint.params.keyType=RSA
input.i2.class_id=subjectNameInputImpl
policyset.userCertSet.7.default.params.exKeyUsageCritical=false
policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
output.o1.class_id=certOutputImpl
policyset.userCertSet.3.default.name=Key Default
...