Configuring Key Generation For Temporary Tokens - Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual


Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client
The policy describing which keys should be regenerated and which keys should be recovered is defined in the following TPS CS.cfg parameters. For example:
op.enroll.userKey.keyGen.recovery.destroyed.keyType.num=2
op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.0=signing
op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.1=encryption
op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert=true
op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert.reason=0
op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert=false
op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast
Set revokeCert=true to revoke certificates if a token's certificates are replaced after being lost.
... for the signing key ...
op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert=true
op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert.reason=0
op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeCert=true
op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeCert.reason=1
op.enroll.userKey.keyGen.signing.recovery.onHold.revokeCert=true
op.enroll.userKey.keyGen.signing.recovery.onHold.revokeCert.reason=6
op.enroll.userKey.keyGen.signing.revokeCert=true
... for the encryption key ...
op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert=false
op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert=true
op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert.reason=1
op.enroll.userKey.keyGen.encryption.recovery.onHold.revokeCert=true
op.enroll.userKey.keyGen.encryption.recovery.onHold.revokeCert.reason=6
op.enroll.userKey.keyGen.encryption.revokeCert=true
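A small audit script, added here as an illustration and not part of the Red Hat Certificate System manual or product, that parses CS.cfg-style lines and checks a profile's recovery policy for the consistency problems a reviewer would look for: keyType.num not matching the keyType.value.N entries, a scheme other than the two named on this page, GenerateNewKey without revoking the superseded certificate, and a keyCompromise or onHold scenario whose revokeCert / revokeCert.reason settings do not match (reason 1 = keyCompromise, 6 = certificateHold per RFC 5280). The sample fragment is constructed, and the set of known schemes and the reason expectations are this script's assumptions.

```python
import re
KNOWN_SCHEMES = {"GenerateNewKey", "RecoverLast"}  # schemes named in the manual; RHCS may define others
EXPECTED_REASON = {"keyCompromise": 1, "onHold": 6}  # RFC 5280 CRLReason: keyCompromise, certificateHold

# Constructed CS.cfg fragment with two deliberate defects: the keyCompromise
# entry for the signing key has no scheme and revokes with reason 0, not 1.
SAMPLE_CFG = """\
op.enroll.userKey.keyGen.recovery.destroyed.keyType.num=2
op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.0=signing
op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.1=encryption
op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert=true
op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert.reason=0
op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert=false
op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast
op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.num=1
op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.value.0=signing
op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeCert=true
op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeCert.reason=0
"""

def parse_cfg(text):
    """Parse CS.cfg-style key=value lines into a dict (blank and # lines skipped)."""
    pairs = (ln.split("=", 1) for ln in text.splitlines() if "=" in ln and not ln.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit_recovery_policy(cfg, profile="userKey"):
    """Check one enrollment profile's recovery policy and return a list of findings."""
    base = f"op.enroll.{profile}.keyGen"
    num_re = re.compile(re.escape(base) + r"\.recovery\.(\w+)\.keyType\.num$")
    findings = []
    for scenario in sorted(m.group(1) for m in map(num_re.match, cfg) if m):
        num = int(cfg[f"{base}.recovery.{scenario}.keyType.num"])
        types = [cfg.get(f"{base}.recovery.{scenario}.keyType.value.{i}") for i in range(num)]
        if None in types:  # keyType.num promises more entries than are defined
            findings.append(f"{scenario}: keyType.num={num} but keyType.value.N entries are missing")
        for kt in filter(None, types):
            p = f"{base}.{kt}.recovery.{scenario}"
            scheme = cfg.get(f"{p}.scheme")
            revoke = cfg.get(f"{p}.revokeCert", "false").lower() == "true"
            reason = int(cfg.get(f"{p}.revokeCert.reason", "0"))
            want = EXPECTED_REASON.get(scenario)
            if scheme not in KNOWN_SCHEMES:
                findings.append(f"{scenario}/{kt}: missing or unrecognized scheme {scheme!r}")
            if scheme == "GenerateNewKey" and not revoke:  # old cert would outlive its key
                findings.append(f"{scenario}/{kt}: GenerateNewKey but old certificate not revoked")
            if want is not None and not revoke:
                findings.append(f"{scenario}/{kt}: revokeCert=false in a {scenario} scenario")
            elif want is not None and reason != want:
                findings.append(f"{scenario}/{kt}: revokeCert.reason={reason}, expected {want}")
    return findings
```

Run it against a real CS.cfg by passing the file contents to parse_cfg and the profile name (userKey or userKeyTemporary) to audit_recovery_policy.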

5.5.2. Configuring Key Generation for Temporary Tokens

If the smart card loss is temporary, the user can be enrolled for a temporary replacement. The profile for the replacement smart card is defined in the userKeyTemporary parameter in the TPS CS.cfg file. The certificate used through this profile is valid for seven days by default.
... snip ...
op.enroll.userKeyTemporary.keyGen.encryption.ca.conn=ca1
op.enroll.userKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment
op.enroll.userKeyTemporary.keyGen.encryption.certAttrId=c2
op.enroll.userKeyTemporary.keyGen.encryption.certId=C2
op.enroll.userKeyTemporary.keyGen.encryption.cuid_label=$cuid$
op.enroll.userKeyTemporary.keyGen.encryption.keySize=1024
op.enroll.userKeyTemporary.keyGen.encryption.keyUsage=0
op.enroll.userKeyTemporary.keyGen.encryption.keyUser=0
op.enroll.userKeyTemporary.keyGen.encryption.label=encryption key for $userid$
op.enroll.userKeyTemporary.keyGen.encryption.overwrite=true