Skip to content

ACME Server Certificate Profile

Endi S. Dewata edited this page Oct 12, 2021 · 9 revisions

Overview

The CA provides a profile for issuing a server certificate using the ACME responder. The profile is located at /usr/share/pki/ca/profiles/ca/acmeServerCert.cfg.

profileId=acmeServerCert
classId=caEnrollImpl
desc=This certificate profile is for enrolling server certificates via ACME protocol.
visible=true
enable=true
enableBy=admin
auth.instance_id=SessionAuthentication
authz.acl=group=Certificate Manager Agents
name=ACME Server Certificate Enrollment
input.list=i1,i2
input.i1.class_id=certReqInputImpl
input.i2.class_id=submitterInfoInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=serverCertSet
policyset.serverCertSet.list=...

Key Usage Extension

This policy creates a critical key usage extension with the following values:

  • Digital Signature

  • Key Encipherment

<prefix>.constraint.class_id=keyUsageExtConstraintImpl
<prefix>.constraint.name=Key Usage Extension Constraint
<prefix>.constraint.params.keyUsageCritical=true
<prefix>.constraint.params.keyUsageDigitalSignature=true
<prefix>.constraint.params.keyUsageNonRepudiation=false
<prefix>.constraint.params.keyUsageDataEncipherment=false
<prefix>.constraint.params.keyUsageKeyEncipherment=true
<prefix>.constraint.params.keyUsageKeyAgreement=false
<prefix>.constraint.params.keyUsageKeyCertSign=false
<prefix>.constraint.params.keyUsageCrlSign=false
<prefix>.constraint.params.keyUsageEncipherOnly=false
<prefix>.constraint.params.keyUsageDecipherOnly=false
<prefix>.default.class_id=keyUsageExtDefaultImpl
<prefix>.default.name=Key Usage Default
<prefix>.default.params.keyUsageCritical=true
<prefix>.default.params.keyUsageDigitalSignature=true
<prefix>.default.params.keyUsageNonRepudiation=false
<prefix>.default.params.keyUsageDataEncipherment=false
<prefix>.default.params.keyUsageKeyEncipherment=true
<prefix>.default.params.keyUsageKeyAgreement=false
<prefix>.default.params.keyUsageKeyCertSign=false
<prefix>.default.params.keyUsageCrlSign=false
<prefix>.default.params.keyUsageEncipherOnly=false
<prefix>.default.params.keyUsageDecipherOnly=false

Extended Key Usage Extension

This policy creates an extended key usage extension with the following values:

  • TLS Web Server Authentication

  • TLS Web Client Authentication

<prefix>.constraint.class_id=noConstraintImpl
<prefix>.constraint.name=No Constraint
<prefix>.default.class_id=extendedKeyUsageExtDefaultImpl
<prefix>.default.name=Extended Key Usage Extension Default
<prefix>.default.params.exKeyUsageCritical=false
<prefix>.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2

Basic Constraints Extension

This policy adds a critical basic constraints extension with the following parameters:

  • CA: false

<prefix>.constraint.class_id=basicConstraintsExtConstraintImpl
<prefix>.constraint.name=Basic Constraint Extension Constraint
<prefix>.constraint.params.basicConstraintsCritical=true
<prefix>.constraint.params.basicConstraintsIsCA=false
<prefix>.constraint.params.basicConstraintsMinPathLen=-1
<prefix>.constraint.params.basicConstraintsMaxPathLen=-1
<prefix>.default.class_id=basicConstraintsExtDefaultImpl
<prefix>.default.name=Basic Constraints Extension Default
<prefix>.default.params.basicConstraintsCritical=true
<prefix>.default.params.basicConstraintsIsCA=false
<prefix>.default.params.basicConstraintsPathLen=-1

Authority Key Identifier Extension

<prefix>.constraint.class_id=noConstraintImpl
<prefix>.constraint.name=No Constraint
<prefix>.default.class_id=authorityKeyIdentifierExtDefaultImpl
<prefix>.default.name=Authority Key Identifier Default

Authority Information Access Extension

This policy generates an Authority Information Access extension with the following values:

  • OCSP - URI:http://ocsp.example.com

  • CA Issuers - URI:http://cert.example.com

<prefix>.constraint.class_id=noConstraintImpl
<prefix>.constraint.name=No Constraint
<prefix>.default.class_id=authInfoAccessExtDefaultImpl
<prefix>.default.name=AIA Extension Default
<prefix>.default.params.authInfoAccessADEnable_0=true
<prefix>.default.params.authInfoAccessADLocationType_0=URIName
<prefix>.default.params.authInfoAccessADLocation_0=http://ocsp.example.com
<prefix>.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
<prefix>.default.params.authInfoAccessADEnable_1=true
<prefix>.default.params.authInfoAccessADLocationType_1=URIName
<prefix>.default.params.authInfoAccessADLocation_1=http://cert.example.com
<prefix>.default.params.authInfoAccessADMethod_1=1.3.6.1.5.5.7.48.2
<prefix>.default.params.authInfoAccessCritical=false
<prefix>.default.params.authInfoAccessNumADs=2

User Supplied Extension in CSR

<prefix>.constraint.class_id=noConstraintImpl
<prefix>.constraint.name=No Constraint
<prefix>.default.class_id=userExtensionDefaultImpl
<prefix>.default.name=User supplied extension in CSR
<prefix>.default.params.userExtOID=2.5.29.17

Certificate Validity

This policy generates a certificate with a 90-day validity.

<prefix>.constraint.class_id=validityConstraintImpl
<prefix>.constraint.name=Validity Constraint
<prefix>.constraint.params.range=90
<prefix>.constraint.params.notBeforeCheck=false
<prefix>.constraint.params.notAfterCheck=false
<prefix>.default.class_id=validityDefaultImpl
<prefix>.default.name=Validity Default
<prefix>.default.params.range=90
<prefix>.default.params.startTime=0

Certificate Key

<prefix>.constraint.class_id=keyConstraintImpl
<prefix>.constraint.name=Key Constraint
<prefix>.constraint.params.keyType=RSA
<prefix>.constraint.params.keyParameters=1024,2048,3072,4096
<prefix>.default.class_id=userKeyDefaultImpl
<prefix>.default.name=Key Default

Certificate Signing Algorithm

<prefix>.constraint.class_id=signingAlgConstraintImpl
<prefix>.constraint.name=No Constraint
<prefix>.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
<prefix>.default.class_id=signingAlgDefaultImpl
<prefix>.default.name=Signing Alg
<prefix>.default.params.signingAlg=-

SAN Extension to CN

This policy sets the certificate subject DN to CN=<hostname> with the first DNS name in the SAN extension.

<prefix>.constraint.class_id=noConstraintImpl
<prefix>.constraint.name=No Constraint
<prefix>.default.class_id=sanToCNDefaultImpl
<prefix>.default.name=SAN to CN Default
<prefix>.default.params.name=

Certificate Policies Extension

This policy generates a Certificate Policies extension with the following values:

<prefix>.constraint.class_id=noConstraintImpl
<prefix>.constraint.name=No Constraint
<prefix>.default.class_id=certificatePoliciesExtDefaultImpl
<prefix>.default.name=Certificate Policies Extension Default
<prefix>.default.params.PoliciesExt.num=2
<prefix>.default.params.PoliciesExt.certPolicy0.enable=true
<prefix>.default.params.PoliciesExt.certPolicy0.policyId=2.23.140.1.2.1
<prefix>.default.params.PoliciesExt.certPolicy1.enable=true
<prefix>.default.params.PoliciesExt.certPolicy1.policyId=1.3.6.1.4.1.44947.1.1.1
<prefix>.default.params.PoliciesExt.certPolicy1.PolicyQualifiers.num=1
<prefix>.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=true
<prefix>.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=http://cps.example.com

Subject Key Identifier Extension

<prefix>.constraint.class_id=noConstraintImpl
<prefix>.constraint.name=No Constraint
<prefix>.default.class_id=subjectKeyIdentifierExtDefaultImpl
<prefix>.default.name=Subject Key Identifier Extension Default
<prefix>.default.params.critical=false

See Also

Clone this wiki locally