This is the patch to add missing serverKeygen params for non-encryption certs. By default it is disabled.
thanks, Christina
>From 98c12f05c38c9d21389f03a99f849151d9b68c84 Mon Sep 17 00:00:00 2001
From: Christina Fu <c...@redhat.com>
Date: Tue, 28 Jun 2016 11:28:42 -0700
Subject: [PATCH] Ticket #1308 [RFE] Provide ability to perform off-card key generation for non-encryption token keys
This is the patch to add missing serverKeygen params for non-encryption certs. By default it is disabled.
---
 base/tps/shared/conf/CS.cfg | 43 +++++++++++++++++++++++++++++++++++--------
 1 file changed, 35 insertions(+), 8 deletions(-)
diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
index f552a547d91e361d2d736cc83bb957fb58ebe600..258d5a76c5ec8e392634f6075f32ae9baa68b290 100644
--- a/base/tps/shared/conf/CS.cfg
+++ b/base/tps/shared/conf/CS.cfg
@@ -332,6 +332,9 @@ op.enroll.delegateIEtoken.keyGen.authentication.recovery.keyCompromise.scheme=Ge
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.revokeCert=false
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.revokeCert.reason=6
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.scheme=GenerateNewKey
+op.enroll.delegateIEtoken.keyGen.authentication.serverKeygen.archive=false
+op.enroll.delegateIEtoken.keyGen.authentication.serverKeygen.drm.conn=kra1
+op.enroll.delegateIEtoken.keyGen.authentication.serverKeygen.enable=false
 op.enroll.delegateIEtoken.keyGen.encryption.ca.conn=ca1
 op.enroll.delegateIEtoken.keyGen.encryption.private.keyCapabilities.decrypt=true
 op.enroll.delegateIEtoken.keyGen.encryption.private.keyCapabilities.derive=false
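Review bot: The three added `authentication.serverKeygen.*` keys hard-code `enable=false` and `archive=false` while still pointing `drm.conn` at `kra1`, and nothing in the file says why `archive` must stay `false` for a non-encryption key; the same applies to every other added triple in this patch (hunks @@ -501, @@ -618, @@ -894, @@ -948, @@ -1041, @@ -1187, @@ -1255, @@ -1347). Escrowing an authentication or signing private key in the KRA defeats the non-repudiation property of that key, so an operator who later flips `enable=true` should not be tempted to flip `archive=true` alongside it. The file already documents intent with comment keys in the `_000=#` style used at @@ -501, so a line such as `op.enroll.delegateIEtoken.keyGen.authentication._000=# server-side keygen is off by default; keep serverKeygen.archive=false, non-encryption keys are never escrowed` next to each triple would make that explicit. Note also that, unlike the encryption keys in the following hunk, these are not templated with `[SERVER_KEYGEN]`, so the installer flag presumably leaves non-encryption keys on-card; worth stating in the comment if that is the intended contract.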
@@ -359,7 +362,7 @@ op.enroll.delegateIEtoken.keyGen.encryption.public.keyCapabilities.verifyRecover
 op.enroll.delegateIEtoken.keyGen.encryption.public.keyCapabilities.wrap=true
 op.enroll.delegateIEtoken.keyGen.encryption.serverKeygen.archive=true
 op.enroll.delegateIEtoken.keyGen.encryption.serverKeygen.drm.conn=kra1
-op.enroll.delegateIEtoken.keyGen.encryption.serverKeygen.enable=true
+op.enroll.delegateIEtoken.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
 op.enroll.delegateIEtoken.keyGen.keyType.num=1
 op.enroll.delegateIEtoken.keyGen.keyType.value.0=authentication
 op.enroll.delegateIEtoken.keyGen.recovery.destroyed.keyType.num=1
@@ -501,6 +504,9 @@ op.enroll.delegateISEtoken.keyGen.authentication.recovery.keyCompromise.scheme=G
 op.enroll.delegateISEtoken.keyGen.authentication.recovery.onHold.revokeCert=false
 op.enroll.delegateISEtoken.keyGen.authentication.recovery.onHold.revokeCert.reason=6
 op.enroll.delegateISEtoken.keyGen.authentication.recovery.onHold.scheme=GenerateNewKey
+op.enroll.delegateISEtoken.keyGen.authentication.serverKeygen.archive=false
+op.enroll.delegateISEtoken.keyGen.authentication.serverKeygen.drm.conn=kra1
+op.enroll.delegateISEtoken.keyGen.authentication.serverKeygen.enable=false
 op.enroll.delegateISEtoken.keyGen.encryption.SANpattern=$auth.mail$,$auth.exec-edipi$.$auth.exec-pcc$@EXAMPLE.com
 op.enroll.delegateISEtoken.keyGen.encryption._000=#########################################
 op.enroll.delegateISEtoken.keyGen.encryption._001=# encryption cert/keys are "recovered" for this profile
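Review bot: `encryption.serverKeygen.enable` is changed from a literal `true` to the substitution token `[SERVER_KEYGEN]`, but the diffstat shows CS.cfg as the only file touched, so unless the deployment tooling already defines `SERVER_KEYGEN` the literal `[SERVER_KEYGEN]` would be left in the installed config and, being neither `true` nor `false`, silently disable server-side keygen for the encryption key; the same substitution appears in hunks @@ -556, @@ -736, @@ -992 and @@ -1298. The commit message should name where that token is substituted, or the patch should include it. Separately, the context lines here show `delegateIEtoken.keyGen.keyType.num=1` with `value.0=authentication`, so for this profile the templated encryption setting appears to be inert and the newly added, hard-coded `authentication.serverKeygen.enable=false` is the one that takes effect; that is consistent with "disabled by default" but is worth a sentence in the commit message so nobody expects the installer flag to enable it.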
@@ -556,7 +562,7 @@ op.enroll.delegateISEtoken.keyGen.encryption.recovery.onHold.revokeCert.reason=6
 op.enroll.delegateISEtoken.keyGen.encryption.recovery.onHold.scheme=GenerateNewKey
 op.enroll.delegateISEtoken.keyGen.encryption.serverKeygen.archive=true
 op.enroll.delegateISEtoken.keyGen.encryption.serverKeygen.drm.conn=kra1
-op.enroll.delegateISEtoken.keyGen.encryption.serverKeygen.enable=true
+op.enroll.delegateISEtoken.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
 op.enroll.delegateISEtoken.keyGen.keyType.num=2
 op.enroll.delegateISEtoken.keyGen.keyType.value.0=signing
 op.enroll.delegateISEtoken.keyGen.keyType.value.1=authentication
@@ -618,6 +624,9 @@ op.enroll.delegateISEtoken.keyGen.signing.recovery.keyCompromise.scheme=Generate
 op.enroll.delegateISEtoken.keyGen.signing.recovery.onHold.revokeCert=false
 op.enroll.delegateISEtoken.keyGen.signing.recovery.onHold.revokeCert.reason=6
 op.enroll.delegateISEtoken.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
+op.enroll.delegateISEtoken.keyGen.signing.serverKeygen.archive=false
+op.enroll.delegateISEtoken.keyGen.signing.serverKeygen.drm.conn=kra1
+op.enroll.delegateISEtoken.keyGen.signing.serverKeygen.enable=false
 op.enroll.delegateISEtoken.keyGen.tokenName=$auth.cn$
 op.enroll.delegateISEtoken.loginRequest.enable=true
 op.enroll.delegateISEtoken.pinReset.enable=true
@@ -736,12 +745,12 @@ op.enroll.externalRegAddToToken.keyGen.encryption.public.keyCapabilities.wrap=tr
 op.enroll.externalRegAddToToken.keyGen.encryption.recovery.destroyed.revokeCert=false
 op.enroll.externalRegAddToToken.keyGen.encryption.recovery.keyCompromise.revokeCert=false
 op.enroll.externalRegAddToToken.keyGen.encryption.recovery.onHold.revokeCert=false
-op.enroll.externalRegAddToToken.keyGen.signing.recovery.destroyed.revokeCert=false
-op.enroll.externalRegAddToToken.keyGen.signing.recovery.keyCompromise.revokeCert=false
-op.enroll.externalRegAddToToken.keyGen.signing.recovery.onHold.revokeCert=false
+op.enroll.externalRegAddToToken.keyGen.encryption.recovery.destroyed.revokeCert=false
+op.enroll.externalRegAddToToken.keyGen.encryption.recovery.keyCompromise.revokeCert=false
+op.enroll.externalRegAddToToken.keyGen.encryption.recovery.onHold.revokeCert=false
 op.enroll.externalRegAddToToken.keyGen.encryption.serverKeygen.archive=true
 op.enroll.externalRegAddToToken.keyGen.encryption.serverKeygen.drm.conn=kra1
-op.enroll.externalRegAddToToken.keyGen.encryption.serverKeygen.enable=true
+op.enroll.externalRegAddToToken.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
 op.enroll.externalRegAddToToken.keyGen.tokenName=$auth.cn$
 op.enroll.externalRegAddToToken.loginRequest.enable=true
 op.enroll.externalRegAddToToken.pkcs11obj.compress.enable=true
@@ -894,6 +903,9 @@ op.enroll.soKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey
 op.enroll.soKey.keyGen.signing.recovery.onHold.revokeCert.reason=6
 op.enroll.soKey.keyGen.signing.recovery.onHold.revokeCert=true
 op.enroll.soKey.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
+op.enroll.soKey.keyGen.signing.serverKeygen.archive=false
+op.enroll.soKey.keyGen.signing.serverKeygen.drm.conn=kra1
+op.enroll.soKey.keyGen.signing.serverKeygen.enable=false
 op.enroll.soKey.keyGen.tokenName=$auth.cn$
 op.enroll.soKey.loginRequest.enable=true
 op.enroll.soKey.pinReset.enable=true
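Review bot: The three removed `externalRegAddToToken.keyGen.signing.recovery.*.revokeCert=false` lines are replaced by copies of the `encryption.recovery.*.revokeCert=false` lines that already appear as context three lines above, so on the new side those three encryption keys are defined twice and the profile has no `signing.recovery.*.revokeCert` settings at all. This edit is not mentioned in the commit message and looks unrelated to the serverKeygen change; unless externalRegAddToToken has no `signing` entry in its `keyType` list (not visible in this hunk), revocation-on-recovery for its signing key now falls back to whatever the code does when the key is absent. I would restore the removed lines, starting with `op.enroll.externalRegAddToToken.keyGen.signing.recovery.destroyed.revokeCert=false` and its `keyCompromise` and `onHold` siblings, and drop the duplicated encryption lines, or else explain the intent in the commit message.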
@@ -948,6 +960,9 @@ op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.unwrap=false
 op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.verifyRecover=true
 op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.verify=true
 op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.wrap=false
+op.enroll.soKeyTemporary.keyGen.auth.serverKeygen.archive=false
+op.enroll.soKeyTemporary.keyGen.auth.serverKeygen.drm.conn=kra1
+op.enroll.soKeyTemporary.keyGen.auth.serverKeygen.enable=false
 op.enroll.soKeyTemporary.keyGen.auth.publicKeyNumber=1
 op.enroll.soKeyTemporary.keyGen.encryption.ca.conn=ca1
 op.enroll.soKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment
@@ -992,7 +1007,7 @@ op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert=true
 op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.scheme=RecoverLast
 op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.archive=true
 op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.drm.conn=kra1
-op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.enable=true
+op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
 op.enroll.soKeyTemporary.keyGen.keyType.num=3
 op.enroll.soKeyTemporary.keyGen.keyType.value.0=auth
 op.enroll.soKeyTemporary.keyGen.keyType.value.1=signing
@@ -1041,6 +1056,9 @@ op.enroll.soKeyTemporary.keyGen.signing.publicKeyNumber=3
 op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.revokeCert.reason=0
 op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.revokeCert=true
 op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
+op.enroll.soKeyTemporary.keyGen.signing.serverKeygen.archive=false
+op.enroll.soKeyTemporary.keyGen.signing.serverKeygen.drm.conn=kra1
+op.enroll.soKeyTemporary.keyGen.signing.serverKeygen.enable=false
 op.enroll.soKeyTemporary.keyGen.tokenName=$auth.cn$ (Temporary)
 op.enroll.soKeyTemporary.loginRequest.enable=true
 op.enroll.soKeyTemporary.pinReset.enable=true
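Review bot: The `soKeyTemporary.keyGen.auth.serverKeygen.*` triple is inserted between `public.keyCapabilities.wrap` and `publicKeyNumber=1`, whereas the identical triple for userKeyTemporary in hunk @@ -1255 goes after `publicKeyNumber=1`, which is also where the surrounding keys' alphabetical order places it. Behaviour does not depend on ordering in this file, but the rest of CS.cfg keeps keys sorted within a profile and the two temporary profiles are otherwise mirror images, so moving the three lines below `op.enroll.soKeyTemporary.keyGen.auth.publicKeyNumber=1` would keep them diffable against each other.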
@@ -1187,6 +1205,9 @@ op.enroll.userKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey
 op.enroll.userKey.keyGen.signing.recovery.onHold.revokeCert.reason=6
 op.enroll.userKey.keyGen.signing.recovery.onHold.revokeCert=true
 op.enroll.userKey.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
+op.enroll.userKey.keyGen.signing.serverKeygen.archive=false
+op.enroll.userKey.keyGen.signing.serverKeygen.drm.conn=kra1
+op.enroll.userKey.keyGen.signing.serverKeygen.enable=false
 op.enroll.userKey.keyGen.tokenName=$auth.cn$
 op.enroll.userKey.loginRequest.enable=true
 op.enroll.userKey.pinReset.enable=true
@@ -1255,6 +1276,9 @@ op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.verifyRecover=true
 op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.verify=true
 op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.wrap=false
 op.enroll.userKeyTemporary.keyGen.auth.publicKeyNumber=1
+op.enroll.userKeyTemporary.keyGen.auth.serverKeygen.archive=false
+op.enroll.userKeyTemporary.keyGen.auth.serverKeygen.drm.conn=kra1
+op.enroll.userKeyTemporary.keyGen.auth.serverKeygen.enable=false
 op.enroll.userKeyTemporary.keyGen.encryption.ca.conn=ca1
 op.enroll.userKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment
 op.enroll.userKeyTemporary.keyGen.encryption.certAttrId=c2
@@ -1298,7 +1322,7 @@ op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert=true
 op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.scheme=RecoverLast
 op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.archive=true
 op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.drm.conn=kra1
-op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable=true
+op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
 op.enroll.userKeyTemporary.keyGen.keyType.num=3
 op.enroll.userKeyTemporary.keyGen.keyType.value.0=auth
 op.enroll.userKeyTemporary.keyGen.keyType.value.1=signing
@@ -1347,6 +1371,9 @@ op.enroll.userKeyTemporary.keyGen.signing.publicKeyNumber=3
 op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.revokeCert.reason=0
 op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.revokeCert=true
 op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
+op.enroll.userKeyTemporary.keyGen.signing.serverKeygen.archive=false
+op.enroll.userKeyTemporary.keyGen.signing.serverKeygen.drm.conn=kra1
+op.enroll.userKeyTemporary.keyGen.signing.serverKeygen.enable=false
 op.enroll.userKeyTemporary.keyGen.tokenName=$auth.cn$ (Temporary)
 op.enroll.userKeyTemporary.loginRequest.enable=true
 op.enroll.userKeyTemporary.pinReset.enable=true
-- 
2.4.3