[Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (synchronize)
simo5's pull request #62: "Configure Anonymous PKINIT on server install" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/62 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From 973fe140d2c3a5fb13738fa3381d3cec1c02688d Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce --- client/ipa-client-install| 2 +- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaplatform/base/paths.py| 3 +- ipapython/certmonger.py | 32 +--- ipapython/dogtag.py | 4 + ipaserver/install/certs.py | 10 ++- ipaserver/install/krbinstance.py | 49 ipaserver/install/server/common.py | 5 +- ipaserver/install/server/install.py | 26 --- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/plugins/cert.py| 65 +--- ipaserver/plugins/dogtag.py | 2 + 14 files changed, 261 insertions(+), 53 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/client/ipa-client-install b/client/ipa-client-install index 6330f1d..30b78ed 100755 --- a/client/ipa-client-install +++ b/client/ipa-client-install @@ -1175,7 +1175,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options, subject = str(DN(('CN', hostname), subject_base)) passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt') try: -certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR, +certmonger.request_cert(certpath=paths.IPA_NSSDB_DIR, nickname='Local IPA host', subject=subject, dns=[hostname], principal=principal, 
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
 dict_file = $DICT_WORDS
 default_principal_flags = +preauth
 ; admin_keytab = $KRB5KDC_KADM5_KEYTAB
- pkinit_identity = FILE:$KDC_PEM
+ pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
 pkinit_anchors = FILE:$CACERT_PEM
 }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
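Review bot: The KDC's PKINIT private key now lives in a file of its own, `pkinit_identity = FILE:$KDC_CERT,$KDC_KEY`, and nothing in this hunk shows how the file substituted for $KDC_KEY is created or protected; a KDC cannot prompt for a passphrase, so in practice that key sits on disk in the clear and is only as safe as its owner and mode. The code that writes it is presumably in ipaserver/install/krbinstance.py, which appears in the diffstat but not in this message; it should create the key owner-readable only before the KDC is restarted and fail the install step rather than continue if it cannot. A one-line comment in the template would also spare the next reader a search, e.g. `; PKINIT identity: KDC certificate and private key are separate PEM files; keep the key readable by the KDC only`. The same hunk is repeated in each later copy of this message.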
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCe
[Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (synchronize)
simo5's pull request #62: "Configure Anonymous PKINIT on server install" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/62 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From 0fdf1369c9402e9df76cd74ca32238eb480a1e4c Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce --- client/ipa-client-install| 2 +- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaplatform/base/paths.py| 3 +- ipapython/certmonger.py | 32 +--- ipapython/dogtag.py | 4 + ipaserver/install/certs.py | 10 ++- ipaserver/install/krbinstance.py | 49 ipaserver/install/server/common.py | 5 +- ipaserver/install/server/install.py | 26 --- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/plugins/cert.py| 65 +--- ipaserver/plugins/dogtag.py | 1 + 14 files changed, 260 insertions(+), 53 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/client/ipa-client-install b/client/ipa-client-install index 4a263b3..590f598 100755 --- a/client/ipa-client-install +++ b/client/ipa-client-install @@ -1175,7 +1175,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options, subject = str(DN(('CN', hostname), subject_base)) passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt') try: -certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR, +certmonger.request_cert(certpath=paths.IPA_NSSDB_DIR, nickname='Local IPA host', subject=subject, dns=[hostname], principal=principal, 
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
 dict_file = $DICT_WORDS
 default_principal_flags = +preauth
 ; admin_keytab = $KRB5KDC_KADM5_KEYTAB
- pkinit_identity = FILE:$KDC_PEM
+ pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
 pkinit_anchors = FILE:$CACERT_PEM
 }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCe
[Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (synchronize)
simo5's pull request #62: "Configure Anonymous PKINIT on server install" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/62 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From 255f171fcaa443bac586e38a2f7f30aff676739d Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce --- client/ipa-client-install| 2 +- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaplatform/base/paths.py| 3 +- ipapython/certmonger.py | 32 +--- ipapython/dogtag.py | 4 + ipaserver/install/certs.py | 10 ++- ipaserver/install/krbinstance.py | 49 ipaserver/install/server/common.py | 5 +- ipaserver/install/server/install.py | 26 --- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/plugins/cert.py| 65 +--- ipaserver/plugins/dogtag.py | 1 + 14 files changed, 260 insertions(+), 53 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/client/ipa-client-install b/client/ipa-client-install index 4a263b3..590f598 100755 --- a/client/ipa-client-install +++ b/client/ipa-client-install @@ -1175,7 +1175,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options, subject = str(DN(('CN', hostname), subject_base)) passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt') try: -certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR, +certmonger.request_cert(certpath=paths.IPA_NSSDB_DIR, nickname='Local IPA host', subject=subject, dns=[hostname], principal=principal, 
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
 dict_file = $DICT_WORDS
 default_principal_flags = +preauth
 ; admin_keytab = $KRB5KDC_KADM5_KEYTAB
- pkinit_identity = FILE:$KDC_PEM
+ pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
 pkinit_anchors = FILE:$CACERT_PEM
 }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCe
[Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (synchronize)
simo5's pull request #62: "Configure Anonymous PKINIT on server install" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/62 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From b8525fc326bfc6ef57bdfc308fe37bfbe175ca7c Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. Signed-off-by: Simo Sorce --- client/ipa-client-install| 2 +- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaplatform/base/paths.py| 3 +- ipapython/certmonger.py | 32 +--- ipapython/dogtag.py | 4 + ipaserver/install/certs.py | 10 ++- ipaserver/install/krbinstance.py | 49 ipaserver/install/server/common.py | 5 +- ipaserver/install/server/install.py | 26 --- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/plugins/cert.py| 65 +--- ipaserver/plugins/dogtag.py | 1 + 14 files changed, 260 insertions(+), 53 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/client/ipa-client-install b/client/ipa-client-install index 4a263b3..590f598 100755 --- a/client/ipa-client-install +++ b/client/ipa-client-install @@ -1175,7 +1175,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options, subject = str(DN(('CN', hostname), subject_base)) passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt') try: -certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR, +certmonger.request_cert(certpath=paths.IPA_NSSDB_DIR, nickname='Local IPA host', subject=subject, dns=[hostname], principal=principal, 
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
 dict_file = $DICT_WORDS
 default_principal_flags = +preauth
 ; admin_keytab = $KRB5KDC_KADM5_KEYTAB
- pkinit_identity = FILE:$KDC_PEM
+ pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
 pkinit_anchors = FILE:$CACERT_PEM
 }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+
[Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (synchronize)
simo5's pull request #62: "Configure Anonymous PKINIT on server install" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/62 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From 32ab40ceae858310c4780504ed1696f30270ade4 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. Signed-off-by: Simo Sorce --- client/ipa-client-install| 2 +- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaplatform/base/paths.py| 3 +- ipapython/certmonger.py | 32 +--- ipapython/dogtag.py | 4 + ipaserver/install/certs.py | 10 ++- ipaserver/install/krbinstance.py | 49 ipaserver/install/server/common.py | 5 +- ipaserver/install/server/install.py | 26 --- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/plugins/cert.py| 64 +--- ipaserver/plugins/dogtag.py | 1 + 14 files changed, 259 insertions(+), 53 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/client/ipa-client-install b/client/ipa-client-install index 4a263b3..590f598 100755 --- a/client/ipa-client-install +++ b/client/ipa-client-install @@ -1175,7 +1175,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options, subject = str(DN(('CN', hostname), subject_base)) passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt') try: -certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR, +certmonger.request_cert(certpath=paths.IPA_NSSDB_DIR, nickname='Local IPA host', subject=subject, dns=[hostname], principal=principal, 
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
 dict_file = $DICT_WORDS
 default_principal_flags = +preauth
 ; admin_keytab = $KRB5KDC_KADM5_KEYTAB
- pkinit_identity = FILE:$KDC_PEM
+ pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
 pkinit_anchors = FILE:$CACERT_PEM
 }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+