Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 11. Configuring certificate profiles

As part of the installation process of a CA, the certificate enrollment profiles can be modified directly on the file system by modifying the profiles' configuration files. Default files exist for the default profiles at installation; when new profiles are needed, new profile configuration files are to be created. The configuration files are stored in the CA profile directory, instance_directory/ca/profiles/ca/, such as /var/lib/pki/pki-ca/ca/profiles/ca/. The file is named profile_name.cfg. All of the parameters for profile rules can be set or modified in those profile configuration files. Profile rules can be inputs, outputs, authentication, authorization, defaults, and constraints.

The enrollment profiles for the CA certificates are located in the /var/lib/pki/instance_name/ca/conf directory with the name *.profile.

Note

For audit reasons, use this method only during the CA installation prior to deployment.

Restart the server after editing the profile configuration file for the changes to take effect.

11.1. Configuring non-CA system certificate profiles
Copiar o link

11.1.1. Profile configuration parameters
Copiar o link

All of the parameters for a profile rule - defaults, inputs, outputs, and constraints - are configured within a single policy set. A policy set for a profile has the name policyset.policyName.policyNumber. For example: 

policyset.cmcUserCertSet.6.constraint.class_id=noConstraintImpl
policyset.cmcUserCertSet.6.constraint.name=No Constraint
policyset.cmcUserCertSet.6.default.class_id=userExtensionDefaultImpl
policyset.cmcUserCertSet.6.default.name=User Supplied Key Default
policyset.cmcUserCertSet.6.default.params.userExtOID=2.5.29.15
Copy to Clipboard Toggle word wrap

The common profile configuration parameters are described in Table 11.1, “Profile configuration file parameters”.

Expand
Table 11.1. Profile configuration file parameters
ParameterDescription

desc

Gives a free text description of the certificate profile, which is shown on the end-entities page. For example, desc=This certificate profile is for enrolling server certificates with agent authentication.

enable

Sets whether the profile is enabled, and therefore accessible through the end-entities page. For example, enable=true.

auth.instance_id

Sets which authentication manager plugin to use to authenticate the certificate request submitted through the profile. For automatic enrollment, the CA issues a certificate immediately if the authentication is successful. If authentication fails or there is no authentication plugin specified, the request is queued to be manually approved by an agent. For example, auth.instance_id=CMCAuth. The authentication method must be one of the registered authentication instances from CS.cfg.

authz.acl

Specifies the authorization constraint. Most commonly, this us used to set the group evaluation ACL. For example, this caCMCUserCert parameter requires that the signer of the CMC request belong to the Certificate Manager Agents group:

authz.acl=group="Certificate Manager Agents"

In directory-based user certificate renewal, this option is used to ensure that the original requester and the currently-authenticated user are the same.

An entity must authenticate (bind or, essentially, log into the system) before authorization can be evaluated. The authorization method specified must be one of the registered authorization instances from CS.cfg.

name

Gives the name of the profile. For example, name=Agent-Authenticated Server Certificate Enrollment. This name is displayed in the end users enrollment or renewal page.

input.list

Lists the allowed inputs for the profile by name. For example, input.list=i1,i2.

input.input_id.class_id

Gives the java class name for the input by input ID (the name of the input listed in input.list). For example, input.i1.class_id=cmcCertReqInputImpl.

output.list

Lists the possible output formats for the profile by name. For example, output.list=o1.

output.output_id.class_id

Gives the java class name for the output format named in output.list. For example, output.o1.class_id=certOutputImpl.

policyset.list

Lists the configured profile rules. For dual certificates, one set of rules applies to the signing key and the other to the encryption key. Single certificates use only one set of profile rules. For example, policyset.list=serverCertSet.

policyset.policyset_id.list

Lists the policies within the policy set configured for the profile by policy ID number in the order in which they should be evaluated. For example, policyset.serverCertSet.list=1,2,3,4,5,6,7,8.

policyset._policyset_id.policy_number._constraint.class_id

Gives the java class name of the constraint plugin set for the default configured in the profile rule. For example, policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl.

policyset._policyset_id.policy_number._constraint.name

Gives the user-defined name of the constraint. For example, policyset.serverCertSet.1.constraint.name=Subject Name Constraint.

policyset.policyset_id.policy_number._constraint.params._attribute

Specifies a value for an allowed attribute for the constraint. The possible attributes vary depending on the type of constraint. For example, policyset.serverCertSet.1.constraint.params.pattern=CN=.*.

policyset._policyset_id.policy_number._default.class_id

Gives the java class name for the default set in the profile rule. For example, policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl

policyset._policyset_id.policy_number._default.name

Gives the user-defined name of the default. For example, policyset.serverCertSet.1.default.name=Subject Name Default

policyset.policyset_id.policy_number._default.params._attribute

Specifies a value for an allowed attribute for the default. The possible attributes vary depending on the type of default. For example, policyset.serverCertSet.1.default.params.name=CN=(Name)$request.requestor_name$.

11.1.2. Modifying certificate extensions directly on the file system
Copiar o link

Changing constraints changes the restrictions on the type of information which can be supplied. Changing the defaults and constraints can also add, delete, or modify the extensions which are accepted or required from a certificate request.

For example, the default caFullCMCUserCert profile is set to create a Key Usage extension from information in the request. 

policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false
policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true
policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.cmcUserCertSet.6.default.name=Key Usage Default
policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true
policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
Copy to Clipboard Toggle word wrap

The default is updated to allow user-supplied key extensions: 

policyset.cmcUserCertSet.6.default.class_id=userExtensionDefaultImpl
policyset.cmcUserCertSet.6.default.name=User Supplied Key Default
policyset.cmcUserCertSet.6.default.params.userExtOID=2.5.29.15
Copy to Clipboard Toggle word wrap

This sets the server to accept the extension OID 2.5.29.15 in the certificate request.

Other constraints and defaults can be changed similarly. Make sure that any required constraints are included with appropriate defaults, that defaults are changed when a different constraint is required, and that only allowed constraints are used with the default. For more information, see the B.1 Defaults Reference and B.2 Constraints Reference reference sections in the Administration Guide (Common Criteria Edition).

11.1.2.1. key usage and extended key usage consistency
Copiar o link

Red Hat Certificate System provides a flexible infrastructure for administrators to create customized enrollment profiles to meet the requirements of their environment. However, it is important that profiles do not allow issuing certificates that violate the requirements defined in RFC 5280. When creating an enrollment profile where both Key Usage (KU) and Extended Key Usage (EKU) extensions are present, it is important to make sure that the consistency between the two extensions is maintained as per section 4.2.1.12. Extended Key Usage of RFC 5280.

For details about the KU extension, see:

The following table provides the guidelines that maps consistent Key Usage bits to the Extended Key Usage Extension for each purpose:

Expand
Purpose / Extended Key UsagesKey Usages

TLS Server Authentication command

id-kp-serverAuth

digitalSignature, keyEncipherment, or KeyAgreement

TLS Client (Mutual) Authentication

id-kp-clientAuth

digitalSignature, keyEncipherment, and/or KeyAgreement

Code Signing

id-kp-codeSigning

digitalSignature

Email Protection

id-kp-emailProtection

digitalSignature, nonRepudiation, and/or (keyEncipherment or keyAgreement)

OCSP Response Signing

id-kp-OCSPSigning

KeyAgreement and/or nonRepudiation

The following shows two examples of inconsistent EKU/KU:

  • An enrollment profile that is intended for purpose of OCSP response signing contains Extended key usage id-kp-OCSPSigning but with keyEncipherment key usage bit: 

    policyset.ocspCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.ocspCertSet..6.default.name=Key Usage Default
policyset.ocspCertSet..6.default.params.keyUsageCritical=true
policyset.ocspCertSet..6.default.params.keyUsageCrlSign=false
policyset.ocspCertSet..6.default.params.keyUsageDataEncipherment=false
policyset.ocspCertSet..6.default.params.keyUsageDecipherOnly=false
policyset.ocspCertSet..6.default.params.keyUsageDigitalSignature=true
policyset.ocspCertSet..6.default.params.keyUsageEncipherOnly=false
policyset.ocspCertSet..6.default.params.keyUsageKeyAgreement=false
policyset.ocspCertSet..6.default.params.keyUsageKeyCertSign=false
policyset.ocspCertSet..6.default.params.keyUsageKeyEncipherment=true
policyset.ocspCertSet..6.default.params.keyUsageNonRepudiation=true
policyset.ocspCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9
policyset.ocspCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.ocspCertSet.7.default.name=Extended Key Usage Default
policyset.ocspCertSet.7.default.params.exKeyUsageCritical=false
policyset.ocspCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9
    Copy to Clipboard Toggle word wrap

  • An enrollment profile that is intended for the purpose of TLS server authentication contains Extended key usage id-kp-serverAuth but with CRL signing key usage bit: 

    policyset.serverCertSet.6.default.name=Key Usage Default
policyset.serverCertSet.6.default.params.keyUsageCritical=true
policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=false
policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=true
policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
policyset.serverCertSet.6.default.params.keyUsageCrlSign=true
policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
    Copy to Clipboard Toggle word wrap

For details about the KU extension, see:

For details about the EKU extension, see:

11.1.2.2. Configuring cross-pair profiles
Copiar o link

Cross-pair certificates are distinct CA signing certificates that establish a trust partner relationship whereby entities from these two distinct PKIs will trust each other. Both partner CAs store the other CA signing certificate in its database, so all of the certificates issued within the other PKI are trusted and recognized.

Two extensions supported by the Certificate System can be used to establish such a trust partner relationship (cross-certification):

  • The Certificate Policies Extension (CertificatePoliciesExtension) specifies the terms that the certificate fall under, which is often unique for each PKI.
  • The Policy Mapping Extension (PolicyMappingExtension) seals the trust between two PKI’s by mapping the certificate profiles of the two environments.

Issuing cross-pair certificates requires the Certificate Policies Extension, explained in the B.3.4 certificatePoliciesExt annex in the Administration Guide (Common Criteria Edition).

To ensure that the issued certificate contains the CertificatePoliciesExtension, the enrollment profile needs to include an appropriate policy rule, for example: 

policyset.userCertSet.p7.constraint.class_id=noConstraintImpl
policyset.userCertSet.p7.constraint.name=No Constraint
policyset.userCertSet.p7.default.class_id=certificatePoliciesExtDefaultImpl
policyset.userCertSet.p7.default.name=Certificate Policies Extension Default
policyset.userCertSet.p7.default.params.Critical=false
policyset.userCertSet.p7.default.params.PoliciesExt.num=1
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.enable=true
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.policyId=1.1.1.1
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=false
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=
Copy to Clipboard Toggle word wrap

Certificates issued with the enrollment profile in this example would contain the following information: 

Identifier: Certificate Policies: - 2.5.29.32
Critical: no
Certificate Policies:
Policy Identifier: 1.1.1.1
Copy to Clipboard Toggle word wrap

For more information on using cross-pair certificates, see 13.4 Using Cross-Pair Certificates in the Administration Guide (Common Criteria Edition).

For more information on publishing cross-pair certificates, see 7.8 Publishing Cross-Pair Certificates in the Administration Guide (Common Criteria Edition).

11.1.3. Adding profile inputs directly on the file system
Copiar o link

The certificate profile configuration file in the CA’s profiles/ca directory contains the input information for that particular certificate profile form. Inputs are the fields in the end-entities page enrollment forms. There is a parameter, input.list, which lists the inputs included in that profile. Other parameters define the inputs; these are identified by the format input.ID. For example, this adds a generic input to a profile: 

input.list=i1,i2,i3,i4
...
input.i4.class_id=genericInputImpl
input.i4.params.gi_display_name0=Name0
input.i4.params.gi_display_name1=Name1
input.i4.params.gi_display_name2=Name2
input.i4.params.gi_display_name3=Name3
input.i4.params.gi_param_enable0=true
input.i4.params.gi_param_enable1=true
input.i4.params.gi_param_enable2=true
input.i4.params.gi_param_enable3=true
input.i4.params.gi_param_name0=gname0
input.i4.params.gi_param_name1=gname1
input.i4.params.gi_param_name2=gname2
input.i4.params.gi_param_name3=gname3
input.i4.params.gi_num=4
Copy to Clipboard Toggle word wrap

For more information on what inputs, or form fields, are available, see the A.1 Input Reference annex in the Administration Guide (Common Criteria Edition).

11.2. Changing the default validity time of certificates
Copiar o link

In each profile on a Certificate Authority (CA), you can set how long certificates issued using a profile are valid. You can change this value for security reasons.

For example, to set the validity of the generated Certificate Authority (CA) signing certificate to 825 days (approximately 27 months), open the /var/lib/pki/instance_name/ca/profiles/ca/caCACert.cfg file in an editor and set: 

policyset.caCertSet.2.default.params.range=825
Copy to Clipboard Toggle word wrap

11.3. Setting the signing algorithm default in a profile
Copiar o link

Each profile has a Signing Algorithm Default extension defined. The default has two settings: a default algorithm and a list of allowed algorithms, if the certificate request specifies a different algorithm. If no signing algorithms are specified, then the profile uses whatever is set as the default for the CA.

In the profile’s .cfg file, the algorithm is set with two parameters: 

policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.cmcUserCertSet.8.constraint.name=No Constraint
policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.cmcUserCertSet.8.default.name=Signing Alg
policyset.cmcUserCertSet.8.default.params.signingAlg=-
Copy to Clipboard Toggle word wrap
Note

The - value for the policyset.cmcUserCertSet.8.default.params.signingAlg parameter means that the default signing algorithm will be used.

11.4. Configuring CA system certificate profiles
Copiar o link

Unlike the non-CA subsystems, the enrollment profiles for CA’s own system certificates are kept in the /var/lib/pki/[instance name]/ca/conf file. Those profiles are:

  • caAuditSigningCert.profile
  • eccAdminCert.profile
  • rsaAdminCert.profile
  • caCert.profile
  • eccServerCert.profile
  • saServerCert.profile
  • caOCSPCert.profile
  • eccSubsystemCert.profile
  • rsaSubsystemCert.profile

11.4.1. Changing the default values of certificate profiles
Copiar o link

If you wish to change the default values in the profiles above, make changes to the profiles before you perform the second step of a two-step installation (as described in Between step customization). The following is an example that demonstrates:

  • How to change validity to CA signing certificate.

  • How to add extensions (e.g. Certificate policies extension).

    1. Back up the original CA certificate profile used by pkispawn. 

      # cp -p /usr/share/pki/ca/conf/caCert.profile /usr/share/pki/ca/conf/caCert.profile.orig
      Copy to Clipboard Toggle word wrap

    2. Open the CA certificate profile used by the configuration wizard. 

      # vim /usr/share/pki/ca/conf/caCert.profile
      Copy to Clipboard Toggle word wrap

    3. Reset the validity period in the Validity Default to your desired value. For example, to change the period to two years: 

      2.default.class=com.netscape.cms.profile.def.ValidityDefault
2.default.name=Validity Default
2.default.params.range=720
      Copy to Clipboard Toggle word wrap

    4. Add any extensions by creating a new default entry in the profile and adding it to the list. For example, to add the Certificate Policies Extension, add the default (which, in this example, is default #9): 

      9.default.class_id=certificatePoliciesExtDefaultImpl
9.default.name=Certificate Policies Extension Default
9.default.params.Critical=false
9.default.params.PoliciesExt.certPolicy0.enable=false
9.default.params.PoliciesExt.certPolicy0.policyId=
9.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
9.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=CertificatePolicies.example.com
9.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
9.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=
9.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
9.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=
      Copy to Clipboard Toggle word wrap

      Then, add the default number to the list of defaults to use the new default: 

      list=2,4,5,6,7,8,9
      Copy to Clipboard Toggle word wrap

11.4.2. Allowing a CA certificate to be renewed past the validity period
Copiar o link

Normally, a certificate cannot be issued with a validity period that ends after the issuing CA certificate’s expiration date. If a CA certificate has an expiration date of December 31, 2023, then all of the certificates it issues must expire by or before December 31, 2023.

This rule applies to other CA signing certificates issued by a CA - and this makes renewing a root CA certificate almost impossible. Renewing a CA signing certificate means it would necessarily have to have a validity period past its own expiration date.

This behavior can be altered using the CA Validity Default. This default allows a setting (bypassCAnotafter) which allows a CA certificate to be issued with a validity period that extends past the issuing CA’s expiration (notAfter) date.

Figure 11.1. CA validity default configuration

cavalidity console
View larger image
cavalidity console

In real deployments, what this means is that a CA certificate for a root CA can be renewed, when it might otherwise be prevented.

To enable CA certificate renewals past the original CA’s validity date:

  1. Stop the CA: 

    # systemctl stop pki-tomcatd@instance_name.service
    Copy to Clipboard Toggle word wrap

    OR if using the Nuxwdog watchdog: 

    # systemctl stop pki-tomcatd-nuxwdog@instance_name.service
    Copy to Clipboard Toggle word wrap

  2. Open the caCACert.cfg file. 

    # var/lib/pki/instance_name/ca/profiles/ca/caCACert.cfg
    Copy to Clipboard Toggle word wrap

  3. The CA Validity Default should be present by default. Set the value to true to allow a CA certificate to be renewed past the issuing CA’s validity period. 

    policyset.caCertSet.2.default.name=CA Certificate Validity Default
policyset.caCertSet.2.default.params.range=2922
policyset.caCertSet.2.default.params.startTime=0
policyset.caCertSet.2.default.params.bypassCAnotafter=true
    Copy to Clipboard Toggle word wrap

  4. Start the CA to apply the changes. 

    # systemctl start pki-tomcatd@instance_name.service
    Copy to Clipboard Toggle word wrap

    OR if using the Nuxwdog watchdog: 

    # systemctl start pki-tomcatd-nuxwdog@instance_name.service
    Copy to Clipboard Toggle word wrap

When an agent reviews a renewal request, there is an option in the Extensions/Fields area that allows the agent to choose to bypass the normal validity period constraint. If the agent selects false, the constraint is enforced, even if bypassCAnotafter=true is set in the profile. If the agent selects true when the bypassCAnotafter value is not enabled, then the renewal request is rejected by the CA.

Figure 11.2. Bypass CA constraints option in the agent services page

cavalidity after
View larger image
cavalidity after
NOTE

The CA Validity Default only applies to CA signing certificate renewals. Other certificates must still be issued and renewed within the CA’s validity period.

A separate configuration setting for the CA, ca.enablePastCATime, can be used to allow certificates to be renewed past the CA’s validity period. However, this applies to every certificate issued by that CA. Because of the potential security issues, this setting is not recommended for production environments.

11.5. Managing smart card CA profiles
Copiar o link

Note

Features in this section on TMS are not tested in the evaluation. This section is for reference only.

The TPS does not generate or approve certificate requests; it sends any requests approved through the Enterprise Security Client to the configured CA to issue the certificate. This means that the CA actually contains the profiles to use for tokens and smart cards. The profiles to use can be automatically assigned, based on the card type.

The profile configuration files are in the /var/lib/instance_name/ca/profiles/ca/ directory with the other CA profiles. The default profiles are listed in Table 11.2, “Default token certificate profiles”.

Expand
Table 11.2. Default token certificate profiles
Profile NameConfiguration FileDescription

Regular Enrollment Profiles

Token Device Key Enrollment

caTokenDeviceKeyEnrollment.cfg

For enrolling tokens used for devices or servers.

Token User Encryption Certificate Enrollment

caTokenUserEncryptionKeyEnrollment.cfg

For enrolling encryption certificates on the token for a user.

Token User Signing Certificate Enrollment

caTokenUserSigningKeyEnrollment.cfg

For enrolling signing certificates on the token for a user.

Token User MS Login Certificate Enrollment

caTokenMSLoginEnrollment.cfg

For enrolling user certificates to use for single sign-on to a Windows domain or PC.

Temporary Token Profiles

Temporary Device Certificate Enrollment

caTempTokenDeviceKeyEnrollment.cfg

For enrolling certificates for a device on a temporary token.

Temporary Token User Encryption Certificate Enrollment

caTempTokenUserEncryptionKeyEnrollment.cfg

For enrolling an encryption certificate on a temporary token for a user.

Temporary Token User Signing Certificate Enrollment

caTempTokenUserSigningKeyEnrollment.cfg

For enrolling a signing certificates on a temporary token for a user.

Renewal Profiles

Token User Encryption Certificate Enrollment (Renewal)

caTokenUserEncryptionKeyRenewal.cfg

For renewing encryption certificates on the token for a user, if renewal is allowed.

Token User Signing Certificate Enrollment (Renewal)

caTokenUserSigningKeyRenewal.cfg

For renewing signing certificates on the token for a user, if renewal is allowed.

Note

Renewal profiles can only be used in conjunction with the profile that issued the original certificate. There are two settings that are beneficial:

  • It is important the original enrollment profile name does not change.
  • The Renew Grace Period Constraint should be set in the original enrollment profile. This defines the amount of time before and after the certificate’s expiration date when the user is allowed to renew the certificate. There are only a few examples of these in the default profiles, and they are mostly not enabled by default.

11.5.1. Editing enrollment profiles for the tps
Copiar o link

Administrators have the ability to customize the default smart card enrollment profiles, used with the TPS. For instance, a profile could be edited to include the user’s email address in the Subject Alternative Name extension. The email address for the user is retrieved from the authentication directory. To configure the CA for LDAP access, change the following parameters in the profile files, with the appropriate directory information: 

policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, O=Token Key User
policyset.set1.p1.default.params.ldap.enable=true
policyset.set1.p1.default.params.ldap.basedn=ou=people,dc=host,dc=example,dc=com
policyset.set1.p1.default.params.ldapStringAttributes=uid,mail
policyset.set1.p1.default.params.ldap.ldapconn.host=localhost.example.com
policyset.set1.p1.default.params.ldap.ldapconn.port=389
Copy to Clipboard Toggle word wrap

These CA profiles come with LDAP lookup disabled by default. The ldapStringAttributes parameter tells the CA which LDAP attributes to retrieve from the company directory. For example, if the directory contains uid as an LDAP attribute name, and this will be used in the subject name of the certificate, then uid must be listed in the ldapStringAttributes parameter, and request.uid listed as one of the components in the dnpattern.

Editing certificate profiles is covered in 3.2 Setting up Certificate Profiles in the Administration Guide (Common Criteria Edition).

The format for the dnpattern parameter is covered in the B.2.11 Subject Name Constraint annex and B.1.27 Subject Name Default references in the Administration Guide (Common Criteria Edition).

11.5.2. Creating custom TPS profiles
Copiar o link

Certificate profiles are created as normal in the CA, but they also have to be configured in the TPS for it to be available for token enrollments.

TIP

New profiles are added with new releases of Red Hat Certificate System. If you migrate an instance to Red Hat Certificate System 10, then you need to add the new profiles to the migrated instance as if they are custom profiles.

  1. Create a new token profile for the issuing CA. Setting up profiles is covered in 3.2 Setting up Certificate Profiles in the Administration Guide (Common Criteria Edition).
  2. Copy the profile into the CA’s profiles directory, /var/lib/instance_name/ca/profiles/ca/.

  3. Edit the CA’s CS.cfg file, and add the new profile references and the profile name to the CA’s list of profiles. For example: 

    # vim etc/pki/instance_name/ca/CS.cfg

				profile.list=caUserCert,...,caManualRenewal,tpsExampleEnrollProfile
				...
				profile.caTokenMSLoginEnrollment.class_id=caUserCertEnrollImpl
				profile.caTokenMSLoginEnrollment.config=/var/lib/pki/instance_name/profiles/ca/tpsExampleEnrollProfile.cfg
    Copy to Clipboard Toggle word wrap

  4. Edit the TPS CS.cfg file, and add a line to point to the new CA enrollment profile. For example: 

    # vim /etc/pki/instance_name/tps/CS.cfg

				op.enroll.userKey.keyGen.signing.ca.profileId=tpsExampleEnrollProfile
    Copy to Clipboard Toggle word wrap

  5. Restart the instance after editing the smart card profiles: 

    # systemctl restart pki-tomcatd-nuxwdog@instance_name.service
    Copy to Clipboard Toggle word wrap

    If the CA and TPS are in separate instances, restart both instances.

Note

Enrollment profiles for the External Registration (externalReg) setting are configured in the user LDAP entry.

11.5.3. Using the Windows smart card logon profile
Copiar o link

The TPS uses a profile to generate certificates to use for single sign-on to a Windows domain or PC; this is the Token User MS Login Certificate Enrollment profile (caTokenMSLoginEnrollment.cfg).

However, there are some special considerations that administrators must account for when configuring Windows smart card login.

  • Issue a certificate to the domain controller, if it is not already configured for TLS.
  • Configure the smart card login per user, rather than as a global policy, to prevent locking out the domain administrator.
  • Enable CRL publishing to the Active Directory server because the domain controller checks the CRL at every login.

11.6. Disabling certificate enrollment profiles
Copiar o link

This section provides instructions on how to disable selected profiles.

To disable a certificate profile, edit the corresponding *.cfg file in the /var/lib/pki/instance_name/ca/profiles/ca/ directory and set the visible and enable parameters to false.

For example, to disable all non-CMC profiles:

  1. List all non-CMC profiles: 

    # ls -l /var/lib/pki/instance_name/ca/profiles/ca/ | grep -v "CMC"
    Copy to Clipboard Toggle word wrap

  2. In each of the displayed files, set the following parameters to false: 

    visible=false
enable=false
    Copy to Clipboard Toggle word wrap

Additionally, set visible=false in all CMC profiles to make them invisible on the end entity page:

  1. List all CMC profiles: 

    # ls -l /var/lib/pki/instance_name/ca/profiles/ca/*CMC*
    Copy to Clipboard Toggle word wrap

  2. In each of the displayed files, set: 

    visible=false
    Copy to Clipboard Toggle word wrap

For an alternative way to disable non-CMC profiles, also see Section 7.6.5, “Disable non-CMC and non-installation profiles”.

Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat