Certificate Extensions: Defaults And Constraints - Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual

Certificate Extensions: Defaults and Constraints

output.list=o1
output.o1.class_id=certOutputImpl

For caUserCert, the output displays the certificate in pretty print format. This output needs to be
specified for any automated enrollment. Once a user successfully authenticates and is authorized
using the automated enrollment method, the certificate is automatically generated, and this output
page is returned to the user. In an agent-approved enrollment, the user can get the certificate, once it
is issued, by providing the request ID in the CA end entities page.

The last — largest — block of configuration is the policy set for the profile. Policy sets list all of the
settings that are applied to the final certificate, like its validity period, its renewal settings, and the
actions the certificate can be used for. The policyset.list parameter identifies the block name
of the policies that apply to one certificate; the policyset.userCertSet.list lists the individual
policies to apply.

For example, the sixth policy populates the Key Usage Extension automatically in the certificate,
according to the configuration in the policy. It sets the defaults and requires the certificate to use those
defaults by setting the constraints:

policyset.list=userCertSet
policyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9
...
policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
policyset.userCertSet.6.constraint.params.keyUsageCritical=true
policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true
policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false
policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false
policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.userCertSet.6.default.name=Key Usage Default
policyset.userCertSet.6.default.params.keyUsageCritical=true
policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true
policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
policyset.userCertSet.6.default.params.keyUsageCrlSign=false
policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
...
Example 2.1. Example caUserCert Profile
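
The default/constraint pairing shown in policy 6 can be checked mechanically before a profile is deployed. The following Python script is an added example, not part of the Red Hat manual or the Certificate System code: it parses profile lines in the format above and reports every parameter whose default value conflicts with its constraint. The sample input is constructed (policy 99 is hypothetical), and treating "-" as "no constraint" is an assumption about the constraint syntax that this page does not state.

```python
import re

# Constructed sample: policy 6 abbreviated from the listing above, plus a
# hypothetical policy 99 whose defaults conflict with its own constraint.
SAMPLE = """\
policyset.list=userCertSet
policyset.userCertSet.list=6,99
policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.userCertSet.6.constraint.params.keyUsageCritical=true
policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.userCertSet.6.default.params.keyUsageCritical=true
policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
policyset.userCertSet.99.constraint.class_id=keyUsageExtConstraintImpl
policyset.userCertSet.99.constraint.params.keyUsageKeyCertSign=false
policyset.userCertSet.99.constraint.params.keyUsageCrlSign=-
policyset.userCertSet.99.default.class_id=keyUsageExtDefaultImpl
policyset.userCertSet.99.default.params.keyUsageKeyCertSign=true
policyset.userCertSet.99.default.params.keyUsageCrlSign=true
"""

# policyset.<set>.<policy id>.<default|constraint>.params.<parameter>
KEY = re.compile(r"policyset\.(\w+)\.(\w+)\.(default|constraint)\.params\.(\w+)$")

def parse(text):
    """Return {(set, policy_id): {"default": {...}, "constraint": {...}}}."""
    policies = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        m = KEY.match(name)
        if sep and m:
            pset, pid, side, param = m.groups()
            entry = policies.setdefault((pset, pid), {"default": {}, "constraint": {}})
            entry[side][param] = value.strip()
    return policies

def audit(text):
    """List (set, id, param, detail) where a default conflicts with its constraint."""
    findings = []
    for (pset, pid), p in sorted(parse(text).items()):
        for param, want in sorted(p["constraint"].items()):
            got = p["default"].get(param)
            if want == "-" or got is None:  # "-" assumed to mean "no constraint"
                continue
            if got != want:
                findings.append((pset, pid, param, f"default={got} constraint={want}"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A conflict on keyUsageKeyCertSign or keyUsageCrlSign deserves particular attention in an end-user profile, since those bits belong on CA certificates.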

2.1.2. Certificate Extensions: Defaults and Constraints

An extension configures additional information to include in a certificate or rules about how the
certificate can be used. These extensions can either be specified in the certificate request or taken
from the profile default definition and then enforced by the constraints.
A certificate extension is added or identified in a profile by adding the default which corresponds to the
extension and sets default values, if the certificate extension is not set in the request. For example, the