This extension can be removed so that the server accepts the key usage set in the request. In this
example, the key extension constraint is removed and replaced by no constraint, and the default is
updated to allow user-supplied key extensions:
policyset.cmcUserCertSet.6.constraint.class_id=noConstraintImpl
policyset.cmcUserCertSet.6.constraint.name=No Constraint to keep it simple
policyset.cmcUserCertSet.6.default.class_id=userExtensionDefaultImpl
policyset.cmcUserCertSet.6.default.name=User Supplied Key Default
policyset.cmcUserCertSet.6.default.params.userExtOID=2.5.29.15
This sets the server to accept the extension OID 2.5.29.15 in the certificate request.
Other constraints and defaults can be changed similarly. Make sure that any required constraints are
included with the appropriate default, that defaults are changed when a different constraint is required,
and that only allowed constraints are used with the default. For more information, see Section 13.7,
"Defaults Reference" and Section 13.8, "Constraints Reference".
13.3.2.3. Adding Inputs through the Command Line
The certificate profile configuration file in the CA's profiles/ca directory contains the input
information for that particular certificate profile form. Inputs are the fields in the end-entities page
enrollment forms. There is a parameter, input.list, which lists the inputs included in that profile.
Other parameters define the inputs; these are identified by the format input.ID. For example, this
adds a generic input to a profile:
input.list=i1,i2,i3,i4
...
input.i4.class_id=genericInputImpl
input.i4.params.gi_display_name0=Name0
input.i4.params.gi_display_name1=Name1
input.i4.params.gi_display_name2=Name2
input.i4.params.gi_display_name3=Name3
input.i4.params.gi_param_enable0=true
input.i4.params.gi_param_enable1=true
input.i4.params.gi_param_enable2=true
input.i4.params.gi_param_enable3=true
input.i4.params.gi_param_name0=gname0
input.i4.params.gi_param_name1=gname1
input.i4.params.gi_param_name2=gname2
input.i4.params.gi_param_name3=gname3
input.i4.params.gi_num=4
For more information on what inputs, or form fields, are available, see Section 13.5, "Input Reference".
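The following check is an added example, not part of the Certificate System documentation or tooling. It reads a profile in the key=value format shown above and reports inputs named in input.list that have no input.ID.class_id, policies missing a constraint or default, and policies where userExtensionDefaultImpl is paired with noConstraintImpl so the requested extension is accepted as supplied. The function names, finding wording and sample text are assumptions made for the illustration.

```python
import re

# Constructed sample combining the two fragments shown above; i1-i3 are
# deliberately left undefined to show the missing-input finding.
SAMPLE = """\
policyset.cmcUserCertSet.6.constraint.class_id=noConstraintImpl
policyset.cmcUserCertSet.6.default.class_id=userExtensionDefaultImpl
policyset.cmcUserCertSet.6.default.params.userExtOID=2.5.29.15
input.list=i1,i2,i3,i4
input.i4.class_id=genericInputImpl
input.i4.params.gi_num=4
"""

def parse(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return a sorted list of findings for a parsed profile."""
    findings = []
    # Every ID named in input.list needs an input.<ID>.class_id definition.
    for iid in filter(None, (s.strip() for s in props.get("input.list", "").split(","))):
        if f"input.{iid}.class_id" not in props:
            findings.append(f"input {iid}: listed in input.list but has no class_id")
    # Collect the constraint and default class of each policy in each set.
    policies = {}
    for key, value in props.items():
        m = re.fullmatch(r"policyset\.([^.]+)\.([^.]+)\.(constraint|default)\.class_id", key)
        if m:
            policies.setdefault((m[1], m[2]), {})[m[3]] = value
    for (pset, pid), parts in policies.items():
        name = f"policyset {pset}.{pid}"
        for part in ("constraint", "default"):
            if part not in parts:
                findings.append(f"{name}: missing {part}.class_id")
        # A user-supplied extension with no constraint is issued as requested.
        if parts.get("default") == "userExtensionDefaultImpl" and parts.get("constraint") == "noConstraintImpl":
            oid = props.get(f"policyset.{pset}.{pid}.default.params.userExtOID", "?")
            findings.append(f"{name}: user-supplied extension {oid} accepted with no constraint")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(parse(SAMPLE))))
```

Run it against a copy of the profile file before restarting the CA; an empty result means none of these three conditions were found, not that the profile is otherwise correct.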
13.3.3. Populating Certificates with Directory Attributes
It is possible to populate certificates with data retrieved from LDAP entries. This is done by setting
the certificate profile to use an LDAP attribute variable set in the authentication plug-in whenever a
particular extension is used. To populate certificates with LDAP attribute values, do the following:
1. Enable the user directory authentication plug-in, UidPwdDirAuth.
a. Open the CA Console.
pkiconsole https://server.example.com:9443/ca