From ed6e62100249bf099ec8b90a8ad147532b40372b Mon Sep 17 00:00:00 2001 From: Remigiusz Janeczek Date: Tue, 8 Sep 2020 13:00:50 +0200 Subject: [CONTRIB] Adjust EJBCA to issue certificates usable by servers. Add configuration to EJBCA that allows to create keystores with extendedKeyUsage containing serverAuth. Issue-ID: AAF-1121 Signed-off-by: Remigiusz Janeczek Change-Id: I6fc1d228acb4edc089be11d66186cfb5006e9ad1 --- .../certprofile_CUSTOM_ENDUSER-1834889499.xml | 595 +++++++++++++++++++++ 1 file changed, 595 insertions(+) create mode 100644 kubernetes/contrib/components/ejbca/resources/certprofile_CUSTOM_ENDUSER-1834889499.xml (limited to 'kubernetes/contrib/components/ejbca/resources/certprofile_CUSTOM_ENDUSER-1834889499.xml') diff --git a/kubernetes/contrib/components/ejbca/resources/certprofile_CUSTOM_ENDUSER-1834889499.xml b/kubernetes/contrib/components/ejbca/resources/certprofile_CUSTOM_ENDUSER-1834889499.xml new file mode 100644 index 0000000000..e163aed82a --- /dev/null +++ b/kubernetes/contrib/components/ejbca/resources/certprofile_CUSTOM_ENDUSER-1834889499.xml @@ -0,0 +1,595 @@ + + + + + version + 46.0 + + + type + 1 + + + certversion + X509v3 + + + encodedvalidity + 2y + + + usecertificatevalidityoffset + false + + + certificatevalidityoffset + -10m + + + useexpirationrestrictionforweekdays + false + + + expirationrestrictionforweekdaysbefore + true + + + expirationrestrictionweekdays + + + true + + + true + + + false + + + false + + + false + + + true + + + true + + + + + allowvalidityoverride + false + + + allowextensionoverride + false + + + allowdnoverride + false + + + allowdnoverridebyeei + false + + + allowbackdatedrevokation + false + + + usecertificatestorage + true + + + storecertificatedata + true + + + storesubjectaltname + true + + + usebasicconstrants + true + + + basicconstraintscritical + true + + + usesubjectkeyidentifier + true + + + subjectkeyidentifiercritical + false + + + useauthoritykeyidentifier + true + + + authoritykeyidentifiercritical + false + + + usesubjectalternativename + true + + + subjectalternativenamecritical + false + + + useissueralternativename + true + + + issueralternativenamecritical + false + + + usecrldistributionpoint + false + + + usedefaultcrldistributionpoint + false + + + crldistributionpointcritical + false + + + crldistributionpointuri + + + + usefreshestcrl + false + + + usecadefinedfreshestcrl + false + + + freshestcrluri + + + + crlissuer + + + + usecertificatepolicies + false + + + certificatepoliciescritical + false + + + certificatepolicies + + + + availablekeyalgorithms + + + DSA + + + ECDSA + + + RSA + + + + + availableeccurves + + + ANY_EC_CURVE + + + + + availablebitlengths + + + 0 + + + 192 + + + 224 + + + 239 + + + 256 + + + 384 + + + 512 + + + 521 + + + 1024 + + + 1536 + + + 2048 + + + 3072 + + + 4096 + + + 6144 + + + 8192 + + + + + minimumavailablebitlength + 0 + + + maximumavailablebitlength + 8192 + + + signaturealgorithm + + + + usekeyusage + true + + + keyusage + + + true + + + true + + + true + + + false + + + false + + + false + + + false + + + false + + + false + + + + + allowkeyusageoverride + false + + + keyusagecritical + true + + + useextendedkeyusage + true + + + extendedkeyusage + + + 1.3.6.1.5.5.7.3.2 + + + 1.3.6.1.5.5.7.3.4 + + + 1.3.6.1.5.5.7.3.1 + + + + + extendedkeyusagecritical + false + + + usedocumenttypelist + false + + + documenttypelistcritical + false + + + documenttypelist + + + + availablecas + + + -1 + + + + + usedpublishers + + + + useocspnocheck + false + + + useldapdnorder + true + + + usecustomdnorder + false + + + usemicrosofttemplate + false + + + microsofttemplate + + + + usecardnumber + false + + + usecnpostfix + false + + + cnpostfix + + + + usesubjectdnsubset + false + + + subjectdnsubset + + + + usesubjectaltnamesubset + false + + + subjectaltnamesubset + + + + usepathlengthconstraint + false + + + pathlengthconstraint + 0 + + + useqcstatement + false + + + usepkixqcsyntaxv2 + false + + + useqcstatementcritical + false + + + useqcstatementraname + + + + useqcsematicsid + + + + useqcetsiqccompliance + false + + + useqcetsisignaturedevice + false + + + useqcetsivaluelimit + false + + + qcetsivaluelimit + 0 + + + qcetsivaluelimitexp + 0 + + + qcetsivaluelimitcurrency + + + + useqcetsiretentionperiod + false + + + qcetsiretentionperiod + 0 + + + useqccustomstring + false + + + qccustomstringoid + + + + qccustomstringtext + + + + qcetsipds + + + + qcetsitype + + + + usecertificatetransparencyincerts + false + + + usecertificatetransparencyinocsp + false + + + usecertificatetransparencyinpublisher + false + + + usesubjectdirattributes + false + + + usenameconstraints + false + + + useauthorityinformationaccess + false + + + caissuers + + + + usedefaultcaissuer + false + + + usedefaultocspservicelocator + false + + + ocspservicelocatoruri + + + + cvcaccessrights + 3 + + + usedcertificateextensions + + + + approvals + + + + org.cesecore.certificates.ca.ApprovalRequestType + REVOCATION + + -1 + + + + org.cesecore.certificates.ca.ApprovalRequestType + KEYRECOVER + + -1 + + + + org.cesecore.certificates.ca.ApprovalRequestType + ADDEDITENDENTITY + + -1 + + + + + useprivkeyusageperiodnotbefore + false + + + useprivkeyusageperiod + false + + + useprivkeyusageperiodnotafter + false + + + privkeyusageperiodstartoffset + 0 + + + privkeyusageperiodlength + 63072000 + + + usesingleactivecertificateconstraint + false + + + overridableextensionoids + + + + nonoverridableextensionoids + + + + allowcertsnoverride + false + + + usecustomdnorderldap + false + + + -- cgit 1.2.3-korg