I have been struggling with the yaml profile mapping of certificate extensions
to openxpki profiles. I need some examples or a profile node key legend to
assist me in understanding how this works.

I am under the impression that the contents of
config.d/realm/realmname/profile/default.yaml are inherited by specific
profiles wherever those profiles do not themselves define identical 'keys'.  Is
this correct?

If so then what is the expected mapping of these constraints into openxpki
profile yaml files:

       X509v3 extensions:
            Netscape CA Revocation Url:
                http://ca.harte-lyne.ca/CA_HLL_ISSUER_2016/crl-v1.crl
            Authority Information Access:
                CA Issuers - URI:http://ca.harte-lyne.ca/CA_HLL_ISSUER_2016/ca.crt

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://ca.harte-lyne.ca/CA_HLL_ISSUER_2016/crl-v2.crl

            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:
                keyid:FD:C6:20:77:C5:AA:E8:34:43:99:C4:3D:5B:65:9A:3C:2D:14:8E:AF
                DirName:/CN=CA_HLL_ROOT_2016/ST=Ontario/O=Harte & Lyne Limited/OU=Networked Data Services/C=CA/domainComponent=harte-lyne/domainComponent=ca/L=Hamilton
                serial:02

            X509v3 Issuer Alternative Name:
                email:[email protected], URI:http://ca.harte-lyne.ca
            X509v3 Subject Alternative Name:
            Netscape Cert Type:
                SSL Client, SSL Server, S/MIME
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, E-mail Protection
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.44880.100.10.10.3.1
                  CPS: http://ca.harte-lyne.ca/CPS
                  User Notice:
                    Explicit Text: Limited Liability, see http://ca.harte-lyne.ca/CPS


I have inferred that X509v3 Certificate Policies maps to:

    policy_identifier:
        critical: 0
        # you can combine both notations but do not use the same OID twice
        # short notation, if you just need OIDs
        # this is the globally defined "any policy"
        # oid: 2.5.29.32.0
        # for OIDs with CPS/Notice, put the OID as key.
        1.3.6.1.4.1.44880.100.10.10.3.1:
          # CPS/Notice can be scalar or list
          cps:
            - http://ca.harte-lyne.ca/CPS
            - http://ca.harte-lyne.ca/cps.html
          user_notice: Limited Liability, see http://ca.harte-lyne.ca/CPS

And X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment maps
to:

extensions:
    key_usage:
        critical: 1
        digital_signature: 1
        non_repudiation:   1
        key_encipherment:  1

And X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client
Authentication, E-mail Protection maps to:

    extended_key_usage:
        critical: 0
        server_auth:      1
        client_auth:      1
        email_protection: 1

And this:

X509v3 Issuer Alternative Name: email:[email protected], URI:http://ca.harte-lyne.ca

    issuer_alt_name:
        critical: 0
        copy:     0
        name:     email:[email protected], URI:http://ca.harte-lyne.ca

But I am unsure of what the proper key name is here (name:, alt_name:, something
else?). The profile examples do not seem to answer this question.

If I could get these mappings checked and corrected that would be a great help
to me.

Thanks,

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:[email protected]
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3



_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users

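As an added illustration (not code from the post or from OpenXPKI), the following script turns the key-usage part of an `openssl x509 -text` dump, as quoted in the post including the mail-client line wrapping, into the `extensions:` block proposed above. It uses only the profile key names the post itself proposes, takes the `critical` values from the post's mapping, and reports any usage name it cannot map instead of silently dropping it; the sample dump is constructed inline.

```python
import re

# Constructed sample: the usage sections of the post's dump, including the
# mail-client wrap that pushed "E-mail Protection" onto its own line.
SAMPLE_DUMP = """\
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication,
E-mail Protection
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.44880.100.10.10.3.1
"""

# OpenSSL display name -> profile key, restricted to names given in the post.
KEY_USAGE = {"Digital Signature": "digital_signature",
             "Non Repudiation": "non_repudiation",
             "Key Encipherment": "key_encipherment"}
EXT_KEY_USAGE = {"TLS Web Server Authentication": "server_auth",
                 "TLS Web Client Authentication": "client_auth",
                 "E-mail Protection": "email_protection"}
# header -> (profile key, name table, critical flag as the post maps it)
SECTIONS = {"X509v3 Key Usage": ("key_usage", KEY_USAGE, 1),
            "X509v3 Extended Key Usage": ("extended_key_usage", EXT_KEY_USAGE, 0)}

def parse_usage_sections(dump):
    """Collect the comma-separated values under each usage header; wrapped
    continuation lines are appended to the current section."""
    found, current = {}, None
    for line in dump.splitlines():
        header = line.strip().rstrip(":")
        if header.startswith("X509v3"):          # any extension header
            current = header if header in SECTIONS else None
            if current:
                found[current] = []
            continue
        if current and line.strip():
            found[current].extend(v.strip() for v in line.split(",") if v.strip())
    return found

def to_profile(found):
    """Build the extensions mapping; unknown names are returned separately."""
    profile, unmapped = {}, {}
    for header, values in found.items():
        key, table, critical = SECTIONS[header]
        profile[key] = {"critical": critical}
        for v in values:
            if v in table:
                profile[key][table[v]] = 1
            else:
                unmapped.setdefault(key, []).append(v)
    return profile, unmapped

def render_yaml(profile):
    """Render the mapping in the indentation style used in the post."""
    lines = ["extensions:"]
    for key, flags in profile.items():
        lines.append(f"    {key}:")
        lines.extend(f"        {k}: {v}" for k, v in flags.items())
    return "\n".join(lines)
```

Run `print(render_yaml(to_profile(parse_usage_sections(SAMPLE_DUMP))[0]))` to see the block; anything listed in the second return value needs a mapping entry before it is trusted in a profile.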