<profiles id="default_profiles">
  <!-- Default CRL and end-entity certificate profiles for an OpenXPKI
       deployment. An element carrying super="..." inherits everything from
       the referenced profile or subject style and overrides only what it
       declares itself. The [% ... %] directives are Template Toolkit and are
       expanded when this configuration is generated; the [- ... -] tags inside
       <dn> and <san> look like a second template tag set expanded per request
       (confirm against the DN renderer). -->
  <crl>
    <profile id="default">
      <validity>
        <!-- notbefore is not applicable here -->
        <!-- relativedate appears to be +YYMMDD[hhmmss] with trailing fields
             omitted, so +000014 reads as 14 days; confirm with the date parser -->
        <notafter  format="relativedate">+000014</notafter>
      </validity>
      <!-- NOTE(review): SHA-1 is deprecated for signatures; sha256 is the
           usual minimum for newly issued CRLs -->
      <digest>sha1</digest>
      <extensions>
      </extensions>
    </profile>
<!-- one CRL profile per issuing CA of every realm, all inheriting the
     default above; generation aborts if a CA entry has no id -->
[% FOREACH realmsection = global.pkirealm %]
    [% FOREACH ca = $realmsection.issuingca %]
    [% THROW config "No 'id' defined for issuing CA $ca" IF ! $ca.id.defined %]
    <profile id="[% $ca.id %]"
             super="../profile{default}"/>
    [% END %]
[% END %]
  </crl>
  <!-- endentity profiles -->
  <endentity>
    <!-- default certificate profile -->
    <!-- Base end-entity profile: every other profile in this section sets
         super="../profile{default}" and only overrides individual settings. -->
    <profile id="default">
      <validity>
        <!-- notbefore defaults to 'now' -->
        <!-- +01 reads as one year in the relativedate format (see the CRL
             profile above) -->
        <notafter  format="relativedate">+01</notafter>
      </validity>
      <!-- NOTE(review): SHA-1 certificate signatures are rejected by current
           browsers and TLS stacks; use sha256 or stronger -->
      <digest>sha1</digest>
      <increasing_serials>1</increasing_serials>
      <!-- 8 random bytes in every serial number; unpredictable serials are the
           standard mitigation against chosen-prefix collisions on the
           signature hash, which matters all the more while sha1 is in use -->
      <randomized_serial_bytes>8</randomized_serial_bytes>
      <extensions>
        <!-- end-entity certificate: ca=false, and critical so that relying
             parties cannot ignore the constraint -->
        <basic_constraints critical="true">
          <ca>false</ca>
        </basic_constraints>
        <!-- every bit is off in the base profile; derived profiles switch on
             what they need. RFC 5280 4.2.1.3 says keyUsage SHOULD be marked
             critical when present; it is non-critical here and in every
             derived profile below. -->
        <key_usage critical="false">
          <digital_signature>0</digital_signature>
          <non_repudiation>  0</non_repudiation>
          <key_encipherment> 0</key_encipherment>
          <data_encipherment>0</data_encipherment>
          <key_agreement>    0</key_agreement>
          <key_cert_sign>    0</key_cert_sign>
          <crl_sign>         0</crl_sign>
          <encipher_only>    0</encipher_only>
          <decipher_only>    0</decipher_only>
        </key_usage>
        <extended_key_usage critical="false">
          <!-- these are OIDs                     -->
          <!-- some OIDs are known and have names -->
          <client_auth>     0</client_auth>
          <email_protection>0</email_protection>
        </extended_key_usage>
        <subject_key_identifier   critical="false" hash="true"/>
        <authority_key_identifier critical="false" keyid="true" issuer="true"/>
        <!-- If the issuer has no subject alternative name, copying returns
             an empty extension, which is problematic with both RSA SecurId
             tokens and Cisco devices! 
        <issuer_alt_name          critical="false" copy="true"/>
         -->
        <!-- NOTE(review): the localhost URIs below (CRL, CA issuers, CPS and
             the Netscape CDP) are placeholders; they must be replaced with the
             real endpoints before deployment, otherwise relying parties cannot
             fetch revocation information and will either fail or silently skip
             the revocation check -->
        <crl_distribution_points critical="false">
          <uri>http://localhost/cacrl.crt</uri>
          <uri>ldap://localhost/cn=My%20CA,dc=OpenXPKI,dc=org</uri>
        </crl_distribution_points>
        <authority_info_access critical="false">
          <ca_issuers>http://localhost/cacert.crt</ca_issuers>
          <!-- presumably an upstream example responder as well; confirm -->
          <ocsp>http://ocsp.openxpki.org/</ocsp>
        </authority_info_access>
        <policy_identifier critical="false">
          <!--                     WARNING                     -->
          <!-- if use_loa is set to yes                        -->
          <!-- then policy_identifier and cps will be extended -->
          <!-- by the values in the appropriate loa tag        -->
          <!-- 1.2.3.4 is a placeholder; use an OID arc you control -->
          <oid>1.2.3.4</oid>
        </policy_identifier>
        <cps critical="false">
          <!--                     WARNING                     -->
          <!-- if use_loa is set to yes                        -->
          <!-- then policy_identifier and cps will be extended -->
          <!-- by the values in the appropriate loa tag        -->
          <uri>http://localhost/cps.html</uri>
        </cps>
        <!-- Netscape extensions are legacy and ignored by current clients;
             kept for old software only -->
        <netscape>
          <comment critical="false">This is a generic certificate.
            Generated with OpenXPKI trustcenter software.</comment>
          <certificate_type critical="false">
            <ssl_client>       false</ssl_client>
            <smime_client>     false</smime_client>
            <object_signing>   false</object_signing>
            <ssl_ca>           false</ssl_ca>
            <smime_ca>         false</smime_ca>
            <object_signing_ca>false</object_signing_ca>
          </certificate_type>
          <cdp critical="false">
            <url>http://localhost/cacrl.crt</url>
            <ca_url>http://localhost/cacrl.crt</ca_url>
          </cdp>
        </netscape>
      </extensions>
    </profile>
    <!-- User profile -->
    <!-- Inherits the default profile; adds a basic subject style, roles,
         a shorter validity and user key usages. -->
    <profile id="I18N_OPENXPKI_PROFILE_USER"
             super="../profile{default}">
      <subject id="00_user_basic_style">
        <label>I18N_OPENXPKI_PROFILE_USER_BASIC_STYLE</label>
        <description>I18N_OPENXPKI_PROFILE_USER_BASIC_DESC</description>
        <template>
             <!-- default: min=1, max=1 -->
             <!-- note that the regex is pretty restrictive, one might
                  want to change that to something more liberal -->
             <!-- the blanks inside match= suggest the pattern is compiled
                  with Perl's /x flag (whitespace ignored); confirm before
                  editing the patterns -->
             <input id="username"
                    label="I18N_OPENXPKI_USERNAME"
                    description="I18N_OPENXPKI_USERNAME_DESC"
                    type="freetext"
                    match="\A [A-Za-z]+ \z"
                    width="20"
                    default="testuser"/>
             <!-- realname is only checked for being non-empty and email only
                  for containing an '@'. Both values are copied into the DN
                  and SAN below, so the renderer must escape RFC 4514 special
                  characters (',' '+' '=' etc.); confirm, or tighten match= -->
             <input id="realname"
                    label="I18N_OPENXPKI_REALNAME"
                    description="I18N_OPENXPKI_REALNAME_DESC"
                    type="freetext"
                    match=".+"
                    width="40"
                    default=""/>
             <input id="email"
                    label="I18N_OPENXPKI_EMAILADDRESS"
                    description="I18N_OPENXPKI_EMAILADDRESS_DESC"
                    type="freetext"
                    match=".+@.+"
                    width="30"
                    default=""/>
        </template>
        <!-- the '+' joins CN and UID into one multi-valued RDN -->
        <dn>CN=[- realname -]+UID=[- username -],DC=Test Deployment,DC=OpenXPKI,DC=org</dn> 
        <!-- phone/comment inputs are shared with the advanced style below -->
        <additional_information super="../../../subject{05_advanced_style}/additional_information"/>
        <subject_alternative_names>
            <!-- the id says "dns" but the entry is an email (rfc822Name) SAN;
                 presumably the id is only a handle, confirm nothing keys on it -->
            <san id="dns">
                <key type="fixed">email</key>
                <value type="fixed">[- email -]</value>
            </san>
        </subject_alternative_names>
      </subject>
      <subject super="../../subject{05_advanced_style}"/>
      <!-- presumably the roles that may request this profile; confirm with
           the workflow configuration -->
      <role>User</role>
      <role>RA Operator</role>
      <role>CA Operator</role>
      <validity>
        <!-- +0006 reads as six months -->
        <notafter format="relativedate">+0006</notafter>
      </validity>
      
      <extensions>
        <!-- signing and encryption bits for a person certificate; CA bits
             stay off -->
        <key_usage critical="false">
          <digital_signature>1</digital_signature>
          <non_repudiation>  1</non_repudiation>
          <key_encipherment> 1</key_encipherment>
          <data_encipherment>1</data_encipherment>
          <key_agreement>    1</key_agreement>
          <key_cert_sign>    0</key_cert_sign>
          <crl_sign>         0</crl_sign>
          <encipher_only>    0</encipher_only>
          <decipher_only>    0</decipher_only>
        </key_usage>
        <extended_key_usage critical="false">
          <!-- these are OIDs                     -->
          <!-- some OIDs are known and have names -->
          <client_auth>     1</client_auth>
          <email_protection>1</email_protection>
          <!-- 1.3.6.1.4.1.311.20.2.2 = Microsoft Smart Card Logon -->
          <oid>1.3.6.1.4.1.311.20.2.2</oid>
        </extended_key_usage>
        <!-- Microsoft Certificate Template "SmartcardUser" (bmp string) -->
        <!-- DER: 0x1e = BMPString, 0x1a = 26 bytes, then "SmartcardUser" as
             UTF-16BE (13 characters, two bytes each) -->
        <oid critical="false" numeric="1.3.6.1.4.1.311.20.2" format="DER" encoding="HEX">
          1e:1a:00:53:00:6d:00:61:00:72:00:74:00:63:00:61:00:72:00:64:00:55:00:73:00:65:00:72
        </oid>
        <netscape>
          <comment critical="false">This is a user certificate.
            Generated with OpenXPKI trustcenter software.</comment>
          <certificate_type critical="false">
            <ssl_client>       true </ssl_client>
            <smime_client>     true </smime_client>
            <object_signing>   false</object_signing>
            <ssl_ca>           false</ssl_ca>
            <smime_ca>         false</smime_ca>
            <object_signing_ca>false</object_signing_ca>
          </certificate_type>
        </netscape>
      </extensions>
    </profile>
    <!-- TLS Server profile -->
    <profile id="I18N_OPENXPKI_PROFILE_TLS_SERVER"
             super="../profile{default}">
      <role>Web Server</role>
      <subject id="00_tls_basic_style">
        <label>I18N_OPENXPKI_PROFILE_TLS_BASIC_STYLE</label>
        <description>I18N_OPENXPKI_PROFILE_TLS_BASIC_DESC</description>
        <template>
             <!-- note that the regex is not exact, this might still not
                  be a valid hostname -->
             <!-- default: min=1, max=1 -->
             <!-- NOTE(review): "\d-\." inside the character class is a
                  malformed range (Perl warns and treats the '-' literally);
                  "[A-Za-z\d.-]" states the intent unambiguously. The
                  source= patterns pre-fill the fields from a CSR subject
                  of the form CN=host:port. -->
             <input id="hostname"
                    label="I18N_OPENXPKI_HOSTNAME"
                    description="I18N_OPENXPKI_HOSTNAME_DESC"
                    type="freetext"
                    source="CN:([^:]+)"
                    match="\A [A-Za-z\d-\.]+ \z"
                    width="60"
                    default="fully.qualified.example.com"/>
             <!-- min="0" makes the port optional; the pattern only checks for
                  digits and does not bound the value to 0..65535 -->
             <input id="port"
                    label="I18N_OPENXPKI_PORT"
                    description="I18N_OPENXPKI_PORT_DESC"
                    type="freetext"
                    source="CN:.+:(.+)"
                    match="\A \d+ \z"
                    width="5"
                    min="0"
                    default=""/>
        </template>
        <!-- the port is appended to the CN unless it is empty or 443 -->
        <dn>CN=[- hostname -][- IF port AND port != 443 -]:[- port -][- END -],DC=Test Deployment,DC=OpenXPKI,DC=org</dn> 
        <additional_information super="../../../subject{05_advanced_style}/additional_information"/>
        <subject_alternative_names>
            <!-- dNSName SAN mirroring the hostname in the CN -->
            <san id="dns">
                <key type="fixed">DNS</key>
                <value type="fixed">[- hostname -]</value>
            </san>
        </subject_alternative_names>
      </subject>
      <subject super="../../subject{05_advanced_style}"/>
      <validity>
        <!-- +0003 reads as three months -->
        <notafter format="relativedate">+0003</notafter>
      </validity>
      
      <extensions>
        <!-- NOTE(review): only keyEncipherment is set. That covers static
             RSA key exchange only; (EC)DHE cipher suites, the ones that give
             forward secrecy, need the server key to sign the handshake, i.e.
             digitalSignature. Consider setting digital_signature to 1. -->
        <key_usage critical="false">
          <digital_signature>0</digital_signature>
          <non_repudiation>  0</non_repudiation>
          <key_encipherment> 1</key_encipherment>
          <data_encipherment>0</data_encipherment>
          <key_agreement>    0</key_agreement>
          <key_cert_sign>    0</key_cert_sign>
          <crl_sign>         0</crl_sign>
          <encipher_only>    0</encipher_only>
          <decipher_only>    0</decipher_only>
        </key_usage>
        <extended_key_usage critical="false">
          <!-- these are OIDs                     -->
          <!-- some OIDs are known and have names -->
          <!-- at least for server_auth this is not true: a server_auth
               element is not handled anywhere in the source tree, so the
               numeric OID below is used instead of
          <server_auth>     1</server_auth>
          -->
          <oid>1.3.6.1.5.5.7.3.1</oid> <!-- = serverAuth -->
        </extended_key_usage>
        <netscape>
          <comment critical="false">This is a TLS Server certificate.
            Generated with OpenXPKI trustcenter software.</comment>
          <certificate_type critical="false">
            <ssl_client>       false</ssl_client>
            <smime_client>     false</smime_client>
            <object_signing>   false</object_signing>
            <ssl_ca>           false</ssl_ca>
            <smime_ca>         false</smime_ca>
            <object_signing_ca>false</object_signing_ca>
          </certificate_type>
        </netscape>
      </extensions>
    </profile>
      
    <!-- Advanced subject style shared by all profiles above via super=:
         the requester supplies the DN components directly. -->
    <subject id="05_advanced_style">
      <label>I18N_OPENXPKI_PROFILE_ADVANCED_STYLE</label>
      <description>I18N_OPENXPKI_PROFILE_ADVANCED_DESC</description>
      <bulk>1</bulk> <!-- this is the subject style for bulk requests -->
      <template>
           <!-- none of these inputs carries a match= pattern, so any text
                is accepted and ends up verbatim in the DN; the renderer
                must escape RFC 4514 special characters (confirm) -->
           <!-- default: min=1, max=1 -->
           <input id="CN"
                  label="CN"
                  description="I18N_OPENXPKI_CN_DESC"
                  type="freetext"
                  source="CN:(.+)"
                  width="60"
                  default=""/>
           <!-- min=0/max=1: optional, at most one -->
           <input id="O"
                  label="O"
                  description="I18N_OPENXPKI_O_DESC"
                  type="freetext"
                  source="O:(.+)"
                  min="0"
                  max="1"
                  width="40"/>
           <input id="OU"
                  label="OU"
                  description="I18N_OPENXPKI_OU_DESC"
                  type="freetext"
                  source="OU:(.+)"
                  width="40"
                  min="0"
                  max="1000"/> <!-- if min or max is present, result is an arrayref -->
           <input id="DC"
                  label="DC"
                  description="I18N_OPENXPKI_DC_DESC"
                  type="freetext"
                  width="40"
                  min="0"
                  max="1000"/>
          <!-- width=2 is only a display hint; nothing restricts C to a
               two-letter country code -->
          <input id="C"
                 label="C"
                  description="I18N_OPENXPKI_C_DESC"
                  type="freetext"
                  width="2"
                  source="C:(.+)"
                  min="0"
                  max="1"/>
      </template>
      <!-- optional components are emitted only when present; OU and DC are
           arrays and produce one RDN per entry -->
      <dn>CN=[- CN -][- IF OU -][- FOREACH entry = OU -],OU=[- entry -][- END -][- END -][- IF O -],O=[- O -][- END -][- FOREACH entry = DC -],DC=[- entry -][- END -][- IF C -],C=[- C -][- END -]</dn> 
      <!-- request metadata, not part of the certificate subject -->
      <additional_information>
        <input id="phone"
               label="I18N_OPENXPKI_PHONE"
               description="I18N_OPENXPKI_PHONE_DESC"
               type="freetext"
               width="20"
               default=""/>
        <input id="comment"
               label="I18N_OPENXPKI_COMMENT"
               description="I18N_OPENXPKI_COMMENT_DESC"
               type="textarea"
               width="40"
               height="10"/>
      </additional_information>
      <subject_alternative_names>
          <!-- up to 1000 SANs of a type chosen from the list; the value is
               free text without a match= pattern, so IP/URI/GUID/UPN syntax
               is not checked here (confirm downstream validation) -->
          <san id="choice">
              <key type="select" max="1000">
                  <option label="I18N_OPENXPKI_SAN_EMAIL"
                          description="I18N_OPENXPKI_SAN_EMAIL_DESCRIPTION">email</option>
                  <option label="I18N_OPENXPKI_SAN_DNS"
                          description="I18N_OPENXPKI_SAN_DNS_DESCRIPTION">DNS</option>
                  <option label="I18N_OPENXPKI_SAN_IP"
                          description="I18N_OPENXPKI_SAN_IP_DESCRIPTION">IP</option>
                  <option label="I18N_OPENXPKI_SAN_URI"
                          description="I18N_OPENXPKI_SAN_URI_DESCRIPTION">URI</option>
                  <option label="I18N_OPENXPKI_SAN_GUID"
                          description="I18N_OPENXPKI_SAN_GUID_DESCRIPTION">GUID</option>
                  <option label="I18N_OPENXPKI_SAN_UPN"
                          description="I18N_OPENXPKI_SAN_UPN_DESCRIPTION">UPN</option>
                  <option label="I18N_OPENXPKI_SAN_RID"
                          description="I18N_OPENXPKI_SAN_RID_DESCRIPTION">RID</option>
              </key>
              <value type="freetext" width="40"/>
          </san>
          <!-- otherName SANs keyed by an arbitrary OID -->
          <san id="oid">
              <key type="oid" max="1000" width="20"/>
              <value type="freetext" width="40"/>
          </san>
      </subject_alternative_names>
    </subject>
  </endentity>
</profiles>