From f10ba33f3d6f9cbd31831d0fb571e15b818e9990 Mon Sep 17 00:00:00 2001

From: Christina Fu <cfu@redhat.com>

Date: Mon, 26 Jun 2017 18:09:55 -0700

Subject: [PATCH] Ticket #2757 CMC enrollment profiles for system certificates

This patch supports CMC-based system certificate requests.

This patch contains the following:

* The code in CMCAuth (agent-based) to check ssl client auth cert against the CMC signing cert

* The cmc-based system enrollment profiles:

caCMCauditSigningCert.cfg

caCMCcaCert.cfg

caCMCkraStorageCert.cfg

caCMCkraTransportCert.cfg

caCMCocspCert.cfg

caCMCserverCert.cfg

caCMCsubsystemCert.cfg

* new URI's in web.xml as new access points

Usage example can be found here:

http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Examples_.28System_Certificates.29

(cherry picked from commit 65b1242cd139e6306fb3e039193a3a6b223ea9b1)

---

 base/ca/shared/conf/CS.cfg                         |  20 ++-

 .../shared/profiles/ca/caCMCauditSigningCert.cfg   |  80 +++++++++

 base/ca/shared/profiles/ca/caCMCcaCert.cfg         |  96 ++++++++++

 base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg |  86 +++++++++

 .../shared/profiles/ca/caCMCkraTransportCert.cfg   |  86 +++++++++

 base/ca/shared/profiles/ca/caCMCocspCert.cfg       |  71 ++++++++

 base/ca/shared/profiles/ca/caCMCserverCert.cfg     |  90 ++++++++++

 base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg  |  86 +++++++++

 base/ca/shared/profiles/ca/caFullCMCUserCert.cfg   |   4 +-

 .../shared/profiles/ca/caFullCMCUserSignedCert.cfg |   2 +-

 base/ca/shared/webapps/ca/WEB-INF/web.xml          | 196 +++++++++++++++++++++

 .../src/com/netscape/cmstools/CMCRequest.java      |   2 +-

 .../com/netscape/cms/authentication/CMCAuth.java   |  48 ++++-

 .../cms/authentication/CMCUserSignedAuth.java      |   2 +

 .../netscape/cms/profile/common/EnrollProfile.java |  12 ++

 .../servlet/profile/ProfileSubmitCMCServlet.java   |   2 +-

 16 files changed, 872 insertions(+), 11 deletions(-)

 create mode 100644 base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg

 create mode 100644 base/ca/shared/profiles/ca/caCMCcaCert.cfg

 create mode 100644 base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg

 create mode 100644 base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg

 create mode 100644 base/ca/shared/profiles/ca/caCMCocspCert.cfg

 create mode 100644 base/ca/shared/profiles/ca/caCMCserverCert.cfg

 create mode 100644 base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg

diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg

index 5a244d7..8976575 100644

--- a/base/ca/shared/conf/CS.cfg

+++ b/base/ca/shared/conf/CS.cfg

@@ -969,7 +969,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18

 oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension

 oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11

 os.userid=nobody

-profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caFullCMCUserSignedCert,caFullCMCSelfSignedCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment

+profile.list=caCMCserverCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caFullCMCUserSignedCert,caFullCMCSelfSignedCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment

 profile.caUUIDdeviceCert.class_id=caEnrollImpl

 profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg

 profile.caManualRenewal.class_id=caEnrollImpl

@@ -988,12 +988,26 @@ profile.caAgentServerCert.class_id=caEnrollImpl

 profile.caAgentServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caAgentServerCert.cfg

 profile.caRAserverCert.class_id=caEnrollImpl

 profile.caRAserverCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caRAserverCert.cfg

+profile.caCMCUserCert.class_id=caEnrollImpl

+profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCUserCert.cfg

+profile.caCMCauditSigningCert.class_id=caEnrollImpl

+profile.caCMCauditSigningCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCauditSigningCert.cfg

+profile.caCMCcaCert.class_id=caEnrollImpl

+profile.caCMCcaCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCcaCert.cfg

+profile.caCMCkraStorageCert.class_id=caEnrollImpl

+profile.caCMCkraStorageCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCkraStorageCert.cfg

+profile.caCMCkraTransportCert.class_id=caEnrollImpl

+profile.caCMCkraTransportCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCkraTransportCert.cfg

+profile.caCMCocspCert.class_id=caEnrollImpl

+profile.caCMCocspCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCocspCert.cfg

+profile.caCMCserverCert.class_id=caEnrollImpl

+profile.caCMCserverCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCserverCert.cfg

+profile.caCMCsubsystemCert.class_id=caEnrollImpl

+profile.caCMCsubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCsubsystemCert.cfg

 profile.caCACert.class_id=caEnrollImpl

 profile.caCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCACert.cfg

 profile.caInstallCACert.class_id=caEnrollImpl

 profile.caInstallCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInstallCACert.cfg

-profile.caCMCUserCert.class_id=caEnrollImpl

-profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCUserCert.cfg

 profile.caCrossSignedCACert.class_id=caEnrollImpl

 profile.caCrossSignedCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCrossSignedCACert.cfg

 profile.caDirBasedDualCert.class_id=caEnrollImpl

diff --git a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg

new file mode 100644

index 0000000..ed5a1b2

--- /dev/null

+++ b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg

@@ -0,0 +1,80 @@

+desc=This certificate profile is for enrolling audit signing certificates using CMC.

+visible=false

+enable=true

+enableBy=admin

+auth.instance_id=CMCAuth

+authz.acl=group="Certificate Manager Agents"

+name=Audit Signing Certificate Enrollment using CMC

+input.list=i1,i2

+input.i1.class_id=certReqInputImpl

+input.i2.class_id=submitterInfoInputImpl

+output.list=o1

+output.o1.class_id=certOutputImpl

+policyset.list=auditSigningCertSet

+policyset.auditSigningCertSet.list=1,2,3,4,5,6,9

+policyset.auditSigningCertSet.1.constraint.class_id=subjectNameConstraintImpl

+policyset.auditSigningCertSet.1.constraint.name=Subject Name Constraint

+policyset.auditSigningCertSet.1.constraint.params.pattern=CN=.*

+policyset.auditSigningCertSet.1.constraint.params.accept=true

+policyset.auditSigningCertSet.1.default.class_id=userSubjectNameDefaultImpl

+policyset.auditSigningCertSet.1.default.name=Subject Name Default

+policyset.auditSigningCertSet.1.default.params.name=

+policyset.auditSigningCertSet.2.constraint.class_id=validityConstraintImpl

+policyset.auditSigningCertSet.2.constraint.name=Validity Constraint

+policyset.auditSigningCertSet.2.constraint.params.range=720

+policyset.auditSigningCertSet.2.constraint.params.notBeforeCheck=false

+policyset.auditSigningCertSet.2.constraint.params.notAfterCheck=false

+policyset.auditSigningCertSet.2.default.class_id=validityDefaultImpl

+policyset.auditSigningCertSet.2.default.name=Validity Default

+policyset.auditSigningCertSet.2.default.params.range=720

+policyset.auditSigningCertSet.2.default.params.startTime=0

+policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl

+policyset.auditSigningCertSet.3.constraint.name=Key Constraint

+policyset.auditSigningCertSet.3.constraint.params.keyType=RSA

+policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096

+policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl

+policyset.auditSigningCertSet.3.default.name=Key Default

+policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl

+policyset.auditSigningCertSet.4.constraint.name=No Constraint

+policyset.auditSigningCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl

+policyset.auditSigningCertSet.4.default.name=Authority Key Identifier Default

+policyset.auditSigningCertSet.5.constraint.class_id=noConstraintImpl

+policyset.auditSigningCertSet.5.constraint.name=No Constraint

+policyset.auditSigningCertSet.5.default.class_id=authInfoAccessExtDefaultImpl

+policyset.auditSigningCertSet.5.default.name=AIA Extension Default

+policyset.auditSigningCertSet.5.default.params.authInfoAccessADEnable_0=true

+policyset.auditSigningCertSet.5.default.params.authInfoAccessADLocationType_0=URIName

+policyset.auditSigningCertSet.5.default.params.authInfoAccessADLocation_0=

+policyset.auditSigningCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1

+policyset.auditSigningCertSet.5.default.params.authInfoAccessCritical=false

+policyset.auditSigningCertSet.5.default.params.authInfoAccessNumADs=1

+policyset.auditSigningCertSet.6.constraint.class_id=keyUsageExtConstraintImpl

+policyset.auditSigningCertSet.6.constraint.name=Key Usage Extension Constraint

+policyset.auditSigningCertSet.6.constraint.params.keyUsageCritical=true

+policyset.auditSigningCertSet.6.constraint.params.keyUsageDigitalSignature=true

+policyset.auditSigningCertSet.6.constraint.params.keyUsageNonRepudiation=true

+policyset.auditSigningCertSet.6.constraint.params.keyUsageDataEncipherment=false

+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyEncipherment=false

+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyAgreement=false

+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyCertSign=false

+policyset.auditSigningCertSet.6.constraint.params.keyUsageCrlSign=false

+policyset.auditSigningCertSet.6.constraint.params.keyUsageEncipherOnly=false

+policyset.auditSigningCertSet.6.constraint.params.keyUsageDecipherOnly=false

+policyset.auditSigningCertSet.6.default.class_id=keyUsageExtDefaultImpl

+policyset.auditSigningCertSet.6.default.name=Key Usage Default

+policyset.auditSigningCertSet.6.default.params.keyUsageCritical=true

+policyset.auditSigningCertSet.6.default.params.keyUsageDigitalSignature=true

+policyset.auditSigningCertSet.6.default.params.keyUsageNonRepudiation=true

+policyset.auditSigningCertSet.6.default.params.keyUsageDataEncipherment=false

+policyset.auditSigningCertSet.6.default.params.keyUsageKeyEncipherment=false

+policyset.auditSigningCertSet.6.default.params.keyUsageKeyAgreement=false

+policyset.auditSigningCertSet.6.default.params.keyUsageKeyCertSign=false

+policyset.auditSigningCertSet.6.default.params.keyUsageCrlSign=false

+policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false

+policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false

+policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl

+policyset.auditSigningCertSet.9.constraint.name=No Constraint

+policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC

+policyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl

+policyset.auditSigningCertSet.9.default.name=Signing Alg

+policyset.auditSigningCertSet.9.default.params.signingAlg=-

diff --git a/base/ca/shared/profiles/ca/caCMCcaCert.cfg b/base/ca/shared/profiles/ca/caCMCcaCert.cfg

new file mode 100644

index 0000000..f6df36f

--- /dev/null

+++ b/base/ca/shared/profiles/ca/caCMCcaCert.cfg

@@ -0,0 +1,96 @@

+desc=This certificate profile is for enrolling Certificate Authority certificates using CMC.

+visible=false

+enable=true

+enableBy=admin

+auth.instance_id=CMCAuth

+authz.acl=group="Certificate Manager Agents"

+name=Certificate Manager Signing Certificate Enrollment using CMC

+input.list=i1,i2

+input.i1.class_id=certReqInputImpl

+input.i2.class_id=submitterInfoInputImpl

+output.list=o1

+output.o1.class_id=certOutputImpl

+policyset.list=caCertSet

+policyset.caCertSet.list=1,2,3,4,5,6,8,9,10

+policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl

+policyset.caCertSet.1.constraint.name=Subject Name Constraint

+policyset.caCertSet.1.constraint.params.pattern=CN=.*

+policyset.caCertSet.1.constraint.params.accept=true

+policyset.caCertSet.1.default.class_id=userSubjectNameDefaultImpl

+policyset.caCertSet.1.default.name=Subject Name Default

+policyset.caCertSet.1.default.params.name=

+policyset.caCertSet.2.constraint.class_id=validityConstraintImpl

+policyset.caCertSet.2.constraint.name=Validity Constraint

+policyset.caCertSet.2.constraint.params.range=7305

+policyset.caCertSet.2.constraint.params.notBeforeCheck=false

+policyset.caCertSet.2.constraint.params.notAfterCheck=false

+policyset.caCertSet.2.default.class_id=caValidityDefaultImpl

+policyset.caCertSet.2.default.name=CA Certificate Validity Default

+policyset.caCertSet.2.default.params.range=7305

+policyset.caCertSet.2.default.params.startTime=0

+policyset.caCertSet.3.constraint.class_id=keyConstraintImpl

+policyset.caCertSet.3.constraint.name=Key Constraint

+policyset.caCertSet.3.constraint.params.keyType=-

+policyset.caCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521

+policyset.caCertSet.3.default.class_id=userKeyDefaultImpl

+policyset.caCertSet.3.default.name=Key Default

+policyset.caCertSet.4.constraint.class_id=noConstraintImpl

+policyset.caCertSet.4.constraint.name=No Constraint

+policyset.caCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl

+policyset.caCertSet.4.default.name=Authority Key Identifier Default

+policyset.caCertSet.5.constraint.class_id=basicConstraintsExtConstraintImpl

+policyset.caCertSet.5.constraint.name=Basic Constraint Extension Constraint

+policyset.caCertSet.5.constraint.params.basicConstraintsCritical=true

+policyset.caCertSet.5.constraint.params.basicConstraintsIsCA=true

+policyset.caCertSet.5.constraint.params.basicConstraintsMinPathLen=-1

+policyset.caCertSet.5.constraint.params.basicConstraintsMaxPathLen=-1

+policyset.caCertSet.5.default.class_id=basicConstraintsExtDefaultImpl

+policyset.caCertSet.5.default.name=Basic Constraints Extension Default

+policyset.caCertSet.5.default.params.basicConstraintsCritical=true

+policyset.caCertSet.5.default.params.basicConstraintsIsCA=true

+policyset.caCertSet.5.default.params.basicConstraintsPathLen=-1

+policyset.caCertSet.6.constraint.class_id=keyUsageExtConstraintImpl

+policyset.caCertSet.6.constraint.name=Key Usage Extension Constraint

+policyset.caCertSet.6.constraint.params.keyUsageCritical=true

+policyset.caCertSet.6.constraint.params.keyUsageDigitalSignature=true

+policyset.caCertSet.6.constraint.params.keyUsageNonRepudiation=true

+policyset.caCertSet.6.constraint.params.keyUsageDataEncipherment=false

+policyset.caCertSet.6.constraint.params.keyUsageKeyEncipherment=false

+policyset.caCertSet.6.constraint.params.keyUsageKeyAgreement=false

+policyset.caCertSet.6.constraint.params.keyUsageKeyCertSign=true

+policyset.caCertSet.6.constraint.params.keyUsageCrlSign=true

+policyset.caCertSet.6.constraint.params.keyUsageEncipherOnly=false

+policyset.caCertSet.6.constraint.params.keyUsageDecipherOnly=false

+policyset.caCertSet.6.default.class_id=keyUsageExtDefaultImpl

+policyset.caCertSet.6.default.name=Key Usage Default

+policyset.caCertSet.6.default.params.keyUsageCritical=true

+policyset.caCertSet.6.default.params.keyUsageDigitalSignature=true

+policyset.caCertSet.6.default.params.keyUsageNonRepudiation=true

+policyset.caCertSet.6.default.params.keyUsageDataEncipherment=false

+policyset.caCertSet.6.default.params.keyUsageKeyEncipherment=false

+policyset.caCertSet.6.default.params.keyUsageKeyAgreement=false

+policyset.caCertSet.6.default.params.keyUsageKeyCertSign=true

+policyset.caCertSet.6.default.params.keyUsageCrlSign=true

+policyset.caCertSet.6.default.params.keyUsageEncipherOnly=false

+policyset.caCertSet.6.default.params.keyUsageDecipherOnly=false

+policyset.caCertSet.8.constraint.class_id=noConstraintImpl

+policyset.caCertSet.8.constraint.name=No Constraint

+policyset.caCertSet.8.default.class_id=subjectKeyIdentifierExtDefaultImpl

+policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default

+policyset.caCertSet.8.default.params.critical=false

+policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl

+policyset.caCertSet.9.constraint.name=No Constraint

+policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC

+policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl

+policyset.caCertSet.9.default.name=Signing Alg

+policyset.caCertSet.9.default.params.signingAlg=-

+policyset.caCertSet.10.constraint.class_id=noConstraintImpl

+policyset.caCertSet.10.constraint.name=No Constraint

+policyset.caCertSet.10.default.class_id=authInfoAccessExtDefaultImpl

+policyset.caCertSet.10.default.name=AIA Extension Default

+policyset.caCertSet.10.default.params.authInfoAccessADEnable_0=true

+policyset.caCertSet.10.default.params.authInfoAccessADLocationType_0=URIName

+policyset.caCertSet.10.default.params.authInfoAccessADLocation_0=

+policyset.caCertSet.10.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1

+policyset.caCertSet.10.default.params.authInfoAccessCritical=false

+policyset.caCertSet.10.default.params.authInfoAccessNumADs=1

diff --git a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg

new file mode 100644

index 0000000..259430b

--- /dev/null

+++ b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg

@@ -0,0 +1,86 @@

+desc=This certificate profile is for enrolling KRA storage certificates using CMC

+visible=false

+enable=true

+enableBy=admin

+auth.instance_id=CMCAuth

+authz.acl=group="Certificate Manager Agents"

+name=KRA storage Certificate Enrollment using CMC

+input.list=i1,i2

+input.i1.class_id=certReqInputImpl

+input.i2.class_id=submitterInfoInputImpl

+output.list=o1

+output.o1.class_id=certOutputImpl

+policyset.list=drmStorageCertSet

+policyset.drmStorageCertSet.list=1,2,3,4,5,6,7,9

+policyset.drmStorageCertSet.1.constraint.class_id=subjectNameConstraintImpl

+policyset.drmStorageCertSet.1.constraint.name=Subject Name Constraint

+policyset.drmStorageCertSet.1.constraint.params.pattern=CN=.*

+policyset.drmStorageCertSet.1.constraint.params.accept=true

+policyset.drmStorageCertSet.1.default.class_id=userSubjectNameDefaultImpl

+policyset.drmStorageCertSet.1.default.name=Subject Name Default

+policyset.drmStorageCertSet.1.default.params.name=

+policyset.drmStorageCertSet.2.constraint.class_id=validityConstraintImpl

+policyset.drmStorageCertSet.2.constraint.name=Validity Constraint

+policyset.drmStorageCertSet.2.constraint.params.range=720

+policyset.drmStorageCertSet.2.constraint.params.notBeforeCheck=false

+policyset.drmStorageCertSet.2.constraint.params.notAfterCheck=false

+policyset.drmStorageCertSet.2.default.class_id=validityDefaultImpl

+policyset.drmStorageCertSet.2.default.name=Validity Default

+policyset.drmStorageCertSet.2.default.params.range=720

+policyset.drmStorageCertSet.2.default.params.startTime=0

+policyset.drmStorageCertSet.3.constraint.class_id=keyConstraintImpl

+policyset.drmStorageCertSet.3.constraint.name=Key Constraint

+policyset.drmStorageCertSet.3.constraint.params.keyType=RSA

+policyset.drmStorageCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096

+policyset.drmStorageCertSet.3.default.class_id=userKeyDefaultImpl

+policyset.drmStorageCertSet.3.default.name=Key Default

+policyset.drmStorageCertSet.4.constraint.class_id=noConstraintImpl

+policyset.drmStorageCertSet.4.constraint.name=No Constraint

+policyset.drmStorageCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl

+policyset.drmStorageCertSet.4.default.name=Authority Key Identifier Default

+policyset.drmStorageCertSet.5.constraint.class_id=noConstraintImpl

+policyset.drmStorageCertSet.5.constraint.name=No Constraint

+policyset.drmStorageCertSet.5.default.class_id=authInfoAccessExtDefaultImpl

+policyset.drmStorageCertSet.5.default.name=AIA Extension Default

+policyset.drmStorageCertSet.5.default.params.authInfoAccessADEnable_0=true

+policyset.drmStorageCertSet.5.default.params.authInfoAccessADLocationType_0=URIName

+policyset.drmStorageCertSet.5.default.params.authInfoAccessADLocation_0=

+policyset.drmStorageCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1

+policyset.drmStorageCertSet.5.default.params.authInfoAccessCritical=false

+policyset.drmStorageCertSet.5.default.params.authInfoAccessNumADs=1

+policyset.drmStorageCertSet.6.constraint.class_id=keyUsageExtConstraintImpl

+policyset.drmStorageCertSet.6.constraint.name=Key Usage Extension Constraint

+policyset.drmStorageCertSet.6.constraint.params.keyUsageCritical=true

+policyset.drmStorageCertSet.6.constraint.params.keyUsageDigitalSignature=true

+policyset.drmStorageCertSet.6.constraint.params.keyUsageNonRepudiation=true

+policyset.drmStorageCertSet.6.constraint.params.keyUsageDataEncipherment=true

+policyset.drmStorageCertSet.6.constraint.params.keyUsageKeyEncipherment=true

+policyset.drmStorageCertSet.6.constraint.params.keyUsageKeyAgreement=false

+policyset.drmStorageCertSet.6.constraint.params.keyUsageKeyCertSign=false

+policyset.drmStorageCertSet.6.constraint.params.keyUsageCrlSign=false

+policyset.drmStorageCertSet.6.constraint.params.keyUsageEncipherOnly=false

+policyset.drmStorageCertSet.6.constraint.params.keyUsageDecipherOnly=false

+policyset.drmStorageCertSet.6.default.class_id=keyUsageExtDefaultImpl

+policyset.drmStorageCertSet.6.default.name=Key Usage Default

+policyset.drmStorageCertSet.6.default.params.keyUsageCritical=true

+policyset.drmStorageCertSet.6.default.params.keyUsageDigitalSignature=true

+policyset.drmStorageCertSet.6.default.params.keyUsageNonRepudiation=true

+policyset.drmStorageCertSet.6.default.params.keyUsageDataEncipherment=true

+policyset.drmStorageCertSet.6.default.params.keyUsageKeyEncipherment=true

+policyset.drmStorageCertSet.6.default.params.keyUsageKeyAgreement=false

+policyset.drmStorageCertSet.6.default.params.keyUsageKeyCertSign=false

+policyset.drmStorageCertSet.6.default.params.keyUsageCrlSign=false

+policyset.drmStorageCertSet.6.default.params.keyUsageEncipherOnly=false

+policyset.drmStorageCertSet.6.default.params.keyUsageDecipherOnly=false

+policyset.drmStorageCertSet.7.constraint.class_id=noConstraintImpl

+policyset.drmStorageCertSet.7.constraint.name=No Constraint

+policyset.drmStorageCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl

+policyset.drmStorageCertSet.7.default.name=Extended Key Usage Extension Default

+policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false

+policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2

+policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl

+policyset.drmStorageCertSet.9.constraint.name=No Constraint

+policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC

+policyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl

+policyset.drmStorageCertSet.9.default.name=Signing Alg

+policyset.drmStorageCertSet.9.default.params.signingAlg=-

diff --git a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg

new file mode 100644

index 0000000..ec54f9c

--- /dev/null

+++ b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg

@@ -0,0 +1,86 @@

+desc=This certificate profile is for enrolling Key Archival Authority transport certificates using CMC.

+visible=false

+enable=true

+enableBy=admin

+auth.instance_id=CMCAuth

+authz.acl=group="Certificate Manager Agents"

+name=Key Archival Authority Transport Certificate Enrollment using CMC

+input.list=i1,i2

+input.i1.class_id=certReqInputImpl

+input.i2.class_id=submitterInfoInputImpl

+output.list=o1

+output.o1.class_id=certOutputImpl

+policyset.list=transportCertSet

+policyset.transportCertSet.list=1,2,3,4,5,6,7,8

+policyset.transportCertSet.1.constraint.class_id=subjectNameConstraintImpl

+policyset.transportCertSet.1.constraint.name=Subject Name Constraint

+policyset.transportCertSet.1.constraint.params.pattern=CN=.*

+policyset.transportCertSet.1.constraint.params.accept=true

+policyset.transportCertSet.1.default.class_id=userSubjectNameDefaultImpl

+policyset.transportCertSet.1.default.name=Subject Name Default

+policyset.transportCertSet.1.default.params.name=

+policyset.transportCertSet.2.constraint.class_id=validityConstraintImpl

+policyset.transportCertSet.2.constraint.name=Validity Constraint

+policyset.transportCertSet.2.constraint.params.range=720

+policyset.transportCertSet.2.constraint.params.notBeforeCheck=false

+policyset.transportCertSet.2.constraint.params.notAfterCheck=false

+policyset.transportCertSet.2.default.class_id=validityDefaultImpl

+policyset.transportCertSet.2.default.name=Validity Default

+policyset.transportCertSet.2.default.params.range=720

+policyset.transportCertSet.2.default.params.startTime=0

+policyset.transportCertSet.3.constraint.class_id=keyConstraintImpl

+policyset.transportCertSet.3.constraint.name=Key Constraint

+policyset.transportCertSet.3.constraint.params.keyType=RSA

+policyset.transportCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096

+policyset.transportCertSet.3.default.class_id=userKeyDefaultImpl

+policyset.transportCertSet.3.default.name=Key Default

+policyset.transportCertSet.4.constraint.class_id=noConstraintImpl

+policyset.transportCertSet.4.constraint.name=No Constraint

+policyset.transportCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl

+policyset.transportCertSet.4.default.name=Authority Key Identifier Default

+policyset.transportCertSet.5.constraint.class_id=noConstraintImpl

+policyset.transportCertSet.5.constraint.name=No Constraint

+policyset.transportCertSet.5.default.class_id=authInfoAccessExtDefaultImpl

+policyset.transportCertSet.5.default.name=AIA Extension Default

+policyset.transportCertSet.5.default.params.authInfoAccessADEnable_0=true

+policyset.transportCertSet.5.default.params.authInfoAccessADLocationType_0=URIName

+policyset.transportCertSet.5.default.params.authInfoAccessADLocation_0=

+policyset.transportCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1

+policyset.transportCertSet.5.default.params.authInfoAccessCritical=false

+policyset.transportCertSet.5.default.params.authInfoAccessNumADs=1

+policyset.transportCertSet.6.constraint.class_id=keyUsageExtConstraintImpl

+policyset.transportCertSet.6.constraint.name=Key Usage Extension Constraint

+policyset.transportCertSet.6.constraint.params.keyUsageCritical=true

+policyset.transportCertSet.6.constraint.params.keyUsageDigitalSignature=true

+policyset.transportCertSet.6.constraint.params.keyUsageNonRepudiation=true

+policyset.transportCertSet.6.constraint.params.keyUsageDataEncipherment=true

+policyset.transportCertSet.6.constraint.params.keyUsageKeyEncipherment=true

+policyset.transportCertSet.6.constraint.params.keyUsageKeyAgreement=false

+policyset.transportCertSet.6.constraint.params.keyUsageKeyCertSign=false

+policyset.transportCertSet.6.constraint.params.keyUsageCrlSign=false

+policyset.transportCertSet.6.constraint.params.keyUsageEncipherOnly=false

+policyset.transportCertSet.6.constraint.params.keyUsageDecipherOnly=false

+policyset.transportCertSet.6.default.class_id=keyUsageExtDefaultImpl

+policyset.transportCertSet.6.default.name=Key Usage Default

+policyset.transportCertSet.6.default.params.keyUsageCritical=true

+policyset.transportCertSet.6.default.params.keyUsageDigitalSignature=true

+policyset.transportCertSet.6.default.params.keyUsageNonRepudiation=true

+policyset.transportCertSet.6.default.params.keyUsageDataEncipherment=true

+policyset.transportCertSet.6.default.params.keyUsageKeyEncipherment=true

+policyset.transportCertSet.6.default.params.keyUsageKeyAgreement=false

+policyset.transportCertSet.6.default.params.keyUsageKeyCertSign=false

+policyset.transportCertSet.6.default.params.keyUsageCrlSign=false

+policyset.transportCertSet.6.default.params.keyUsageEncipherOnly=false

+policyset.transportCertSet.6.default.params.keyUsageDecipherOnly=false

+policyset.transportCertSet.7.constraint.class_id=noConstraintImpl

+policyset.transportCertSet.7.constraint.name=No Constraint

+policyset.transportCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl

+policyset.transportCertSet.7.default.name=Extended Key Usage Extension Default

+policyset.transportCertSet.7.default.params.exKeyUsageCritical=false

+policyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2

+policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl

+policyset.transportCertSet.8.constraint.name=No Constraint

+policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC

+policyset.transportCertSet.8.default.class_id=signingAlgDefaultImpl

+policyset.transportCertSet.8.default.name=Signing Alg

+policyset.transportCertSet.8.default.params.signingAlg=-

diff --git a/base/ca/shared/profiles/ca/caCMCocspCert.cfg b/base/ca/shared/profiles/ca/caCMCocspCert.cfg

new file mode 100644

index 0000000..8afbd46

--- /dev/null

+++ b/base/ca/shared/profiles/ca/caCMCocspCert.cfg

@@ -0,0 +1,71 @@

+desc=This certificate profile is for enrolling OCSP Responder signing certificates using CMC.

+visible=false

+enable=true

+enableBy=admin

+auth.instance_id=CMCAuth

+authz.acl=group="Certificate Manager Agents"

+name=OCSP Responder Signing Certificate Enrollment using CMC

+input.list=i1,i2

+input.i1.class_id=certReqInputImpl

+input.i2.class_id=submitterInfoInputImpl

+output.list=o1

+output.o1.class_id=certOutputImpl

+policyset.list=ocspCertSet

+policyset.ocspCertSet.list=1,2,3,4,5,6,8,9

+policyset.ocspCertSet.1.constraint.class_id=subjectNameConstraintImpl

+policyset.ocspCertSet.1.constraint.name=Subject Name Constraint

+policyset.ocspCertSet.1.constraint.params.pattern=CN=.*

+policyset.ocspCertSet.1.constraint.params.accept=true

+policyset.ocspCertSet.1.default.class_id=userSubjectNameDefaultImpl

+policyset.ocspCertSet.1.default.name=Subject Name Default

+policyset.ocspCertSet.1.default.params.name=

+policyset.ocspCertSet.2.constraint.class_id=validityConstraintImpl

+policyset.ocspCertSet.2.constraint.name=Validity Constraint

+policyset.ocspCertSet.2.constraint.params.range=720

+policyset.ocspCertSet.2.constraint.params.notBeforeCheck=false

+policyset.ocspCertSet.2.constraint.params.notAfterCheck=false

+policyset.ocspCertSet.2.default.class_id=validityDefaultImpl

+policyset.ocspCertSet.2.default.name=Validity Default

+policyset.ocspCertSet.2.default.params.range=720

+policyset.ocspCertSet.2.default.params.startTime=0

+policyset.ocspCertSet.3.constraint.class_id=keyConstraintImpl

+policyset.ocspCertSet.3.constraint.name=Key Constraint

+policyset.ocspCertSet.3.constraint.params.keyType=-

+policyset.ocspCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521

+policyset.ocspCertSet.3.default.class_id=userKeyDefaultImpl

+policyset.ocspCertSet.3.default.name=Key Default

+policyset.ocspCertSet.4.constraint.class_id=noConstraintImpl

+policyset.ocspCertSet.4.constraint.name=No Constraint

+policyset.ocspCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl

+policyset.ocspCertSet.4.default.name=Authority Key Identifier Default

+policyset.ocspCertSet.5.constraint.class_id=noConstraintImpl

+policyset.ocspCertSet.5.constraint.name=No Constraint

+policyset.ocspCertSet.5.default.class_id=authInfoAccessExtDefaultImpl

+policyset.ocspCertSet.5.default.name=AIA Extension Default

+policyset.ocspCertSet.5.default.params.authInfoAccessADEnable_0=true

+policyset.ocspCertSet.5.default.params.authInfoAccessADLocationType_0=URIName

+policyset.ocspCertSet.5.default.params.authInfoAccessADLocation_0=

+policyset.ocspCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1

+policyset.ocspCertSet.5.default.params.authInfoAccessCritical=false

+policyset.ocspCertSet.5.default.params.authInfoAccessNumADs=1

+policyset.ocspCertSet.6.constraint.class_id=extendedKeyUsageExtConstraintImpl

+policyset.ocspCertSet.6.constraint.name=Extended Key Usage Extension

+policyset.ocspCertSet.6.constraint.params.exKeyUsageCritical=false

+policyset.ocspCertSet.6.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9

+policyset.ocspCertSet.6.default.class_id=extendedKeyUsageExtDefaultImpl

+policyset.ocspCertSet.6.default.name=Extended Key Usage Default

+policyset.ocspCertSet.6.default.params.exKeyUsageCritical=false

+policyset.ocspCertSet.6.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9

+policyset.ocspCertSet.8.constraint.class_id=extensionConstraintImpl

+policyset.ocspCertSet.8.constraint.name=No Constraint

+policyset.ocspCertSet.8.constraint.params.extCritical=false

+policyset.ocspCertSet.8.constraint.params.extOID=1.3.6.1.5.5.7.48.1.5

+policyset.ocspCertSet.8.default.class_id=ocspNoCheckExtDefaultImpl

+policyset.ocspCertSet.8.default.name=OCSP No Check Extension

+policyset.ocspCertSet.8.default.params.ocspNoCheckCritical=false

+policyset.ocspCertSet.9.constraint.class_id=signingAlgConstraintImpl

+policyset.ocspCertSet.9.constraint.name=No Constraint

+policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC

+policyset.ocspCertSet.9.default.class_id=signingAlgDefaultImpl

+policyset.ocspCertSet.9.default.name=Signing Alg

+policyset.ocspCertSet.9.default.params.signingAlg=-

diff --git a/base/ca/shared/profiles/ca/caCMCserverCert.cfg b/base/ca/shared/profiles/ca/caCMCserverCert.cfg

new file mode 100644

index 0000000..8215d65

--- /dev/null

+++ b/base/ca/shared/profiles/ca/caCMCserverCert.cfg

@@ -0,0 +1,90 @@

+desc=This certificate profile is for enrolling server certificates using CMC.

+visible=false

+enable=true

+enableBy=admin

+auth.instance_id=CMCAuth

+authz.acl=group="Certificate Manager Agents"

+name=Server Certificate Enrollment using CMC

+input.list=i1,i2

+input.i1.class_id=certReqInputImpl

+input.i2.class_id=submitterInfoInputImpl

+output.list=o1

+output.o1.class_id=certOutputImpl

+policyset.list=serverCertSet

+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9

+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl

+policyset.serverCertSet.1.constraint.name=Subject Name Constraint

+policyset.serverCertSet.1.constraint.params.pattern=.*CN=.*

+policyset.serverCertSet.1.constraint.params.accept=true

+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl

+policyset.serverCertSet.1.default.name=Subject Name Default

+policyset.serverCertSet.1.default.params.name=

+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl

+policyset.serverCertSet.2.constraint.name=Validity Constraint

+policyset.serverCertSet.2.constraint.params.range=720

+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false

+policyset.serverCertSet.2.constraint.params.notAfterCheck=false

+policyset.serverCertSet.2.default.class_id=validityDefaultImpl

+policyset.serverCertSet.2.default.name=Validity Default

+policyset.serverCertSet.2.default.params.range=720

+policyset.serverCertSet.2.default.params.startTime=0

+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl

+policyset.serverCertSet.3.constraint.name=Key Constraint

+policyset.serverCertSet.3.constraint.params.keyType=-

+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521

+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl

+policyset.serverCertSet.3.default.name=Key Default

+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl

+policyset.serverCertSet.4.constraint.name=No Constraint

+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl

+policyset.serverCertSet.4.default.name=Authority Key Identifier Default

+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl

+policyset.serverCertSet.5.constraint.name=No Constraint

+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl

+policyset.serverCertSet.5.default.name=AIA Extension Default

+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true

+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName

+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=

+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1

+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false

+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1

+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl

+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint

+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true

+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true

+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true

+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true

+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true

+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false

+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false

+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false

+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false

+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false

+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl

+policyset.serverCertSet.6.default.name=Key Usage Default

+policyset.serverCertSet.6.default.params.keyUsageCritical=true

+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true

+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true

+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true

+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true

+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false

+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false

+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false

+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false

+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false

+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl

+policyset.serverCertSet.7.constraint.name=No Constraint

+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl

+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default

+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false

+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2

+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl

+policyset.serverCertSet.8.constraint.name=No Constraint

+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC

+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl

+policyset.serverCertSet.8.default.name=Signing Alg

+policyset.serverCertSet.8.default.params.signingAlg=-

+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl

+policyset.serverCertSet.9.constraint.name=No Constraint

+policyset.serverCertSet.9.default.class_id=commonNameToSANDefaultImpl

+policyset.serverCertSet.9.default.name=copy CN to SAN Default

diff --git a/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg b/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg

new file mode 100644

index 0000000..f473f98

--- /dev/null

+++ b/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg

@@ -0,0 +1,86 @@

+desc=This certificate profile is for enrolling subsystem certificates using CMC.

+visible=false

+enable=true

+enableBy=admin

+auth.instance_id=CMCAuth

+authz.acl=group="Certificate Manager Agents"

+name=Subsystem Certificate Enrollment using CMC

+input.list=i1,i2

+input.i1.class_id=certReqInputImpl

+input.i2.class_id=submitterInfoInputImpl

+output.list=o1

+output.o1.class_id=certOutputImpl

+policyset.list=serverCertSet

+policyset.serverCertSet.list=1,2,3,4,5,6,7,8

+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl

+policyset.serverCertSet.1.constraint.name=Subject Name Constraint

+policyset.serverCertSet.1.constraint.params.pattern=CN=.*

+policyset.serverCertSet.1.constraint.params.accept=true

+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl

+policyset.serverCertSet.1.default.name=Subject Name Default

+policyset.serverCertSet.1.default.params.name=

+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl

+policyset.serverCertSet.2.constraint.name=Validity Constraint

+policyset.serverCertSet.2.constraint.params.range=720

+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false

+policyset.serverCertSet.2.constraint.params.notAfterCheck=false

+policyset.serverCertSet.2.default.class_id=validityDefaultImpl

+policyset.serverCertSet.2.default.name=Validity Default

+policyset.serverCertSet.2.default.params.range=720

+policyset.serverCertSet.2.default.params.startTime=0

+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl

+policyset.serverCertSet.3.constraint.name=Key Constraint

+policyset.serverCertSet.3.constraint.params.keyType=-

+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521

+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl

+policyset.serverCertSet.3.default.name=Key Default

+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl

+policyset.serverCertSet.4.constraint.name=No Constraint

+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl

+policyset.serverCertSet.4.default.name=Authority Key Identifier Default

+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl

+policyset.serverCertSet.5.constraint.name=No Constraint

+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl

+policyset.serverCertSet.5.default.name=AIA Extension Default

+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true

+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName

+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=

+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1

+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false

+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1

+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl

+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint

+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true

+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true

+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true

+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true

+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true

+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false

+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false

+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false

+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false

+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false

+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl

+policyset.serverCertSet.6.default.name=Key Usage Default

+policyset.serverCertSet.6.default.params.keyUsageCritical=true

+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true

+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true

+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true

+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true

+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false

+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false

+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false

+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false

+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false

+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl

+policyset.serverCertSet.7.constraint.name=No Constraint

+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl