pki-tps-profile(5)         PKI TPS Profile Configuration        pki-tps-profile(5)


NAME

       pki-tps-profile - PKI TPS Profile Configuration


LOCATION

       /var/lib/pki/instance/conf/tps/CS.cfg


DESCRIPTION

       Token profiles are defined using properties in the TPS configuration
       file.

   Enrollment Operation For CoolKey
       The following property sets the size of the key the token should
       generate:

              op.enroll.<tokenType>.keyGen.<keyType>.keySize=1024

       The maximum value is 1024 for RSA keys; the valid ECC key sizes are
       listed under the alg property below.

       The following properties specify the PKCS11 attributes to set on the
       token:

              op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.encrypt=false
              op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.sign=true
              op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.signRecover=true
              op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.decrypt=false
              op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.derive=false
              op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.unwrap=false
              op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.wrap=false
              op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.verifyRecover=true
              op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.verify=true
              op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.sensitive=true
              op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.private=true
              op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.token=true

       Keep sensitive, private and token set to true for private keys: in
       PKCS11 terms, sensitive prevents the key material from being read out
       of the token in the clear, private requires a PIN login before the
       object can be used, and token makes the object persistent rather than
       a session object.

       The following property specifies the CUID shown in the certificate:

              op.enroll.<tokenType>.keyGen.<keyType>.cuid_label

       The following property specifies the token name:

              op.enroll.<tokenType>.keyGen.<keyType>.label

       The following variables can be used in the token name:

              · $pretty_cuid$ - Pretty Print CUID (e.g. 4090-0062-FF02-0000-0B9C)

              · $cuid$ - CUID (e.g. 40900062FF0200000B9C)

              · $msn$ - MSN

              · $userid$ - User ID

              · $profileId$ - Profile ID

       All resulting labels for co-existing keys on the same token must be
       unique, so two key types of the same profile must not use identical
       label templates.

       The following property determines whether TPS will overwrite the key
       and certificate if they already exist:

              op.enroll.<tokenType>.keyGen.<keyType>.overwrite=true|false

       The following properties specify the PKCS11 object IDs:

              op.enroll.<tokenType>.keyGen.<keyType>.certId=C1
              op.enroll.<tokenType>.keyGen.<keyType>.certAttrId=c1
              op.enroll.<tokenType>.keyGen.<keyType>.privateKeyAttrId=k2
              op.enroll.<tokenType>.keyGen.<keyType>.publicKeyAttrId=k3
              op.enroll.<tokenType>.keyGen.<keyType>.privateKeyNumber=2
              op.enroll.<tokenType>.keyGen.<keyType>.publicKeyNumber=3

       Lower case letters signify objects containing PKCS11 object attributes
       in the format described below:

              · c - An object containing PKCS11 attributes for a certificate.

              · k - An object containing PKCS11 attributes for a public or
                private key.

              · r - An object containing PKCS11 attributes for a "reader".

       Upper case letters signify objects containing raw data corresponding to
       the lower case letters described above. For example, object C0 contains
       raw data corresponding to object c0, so certId and certAttrId for one
       key type refer to the same number (C1 with c1, as above), and each key
       type on the token needs its own object numbers.

              · C - This object contains an entire DER cert, and nothing else.

              · K - This object contains a MUSCLE "key blob". TPS does not use
                this.

       The following properties specify the algorithm, the key size, the key
       usage, and which PIN user is granted use privilege for the generated
       private key:

              op.enroll.<tokenType>.keyGen.<keyType>.alg=2
              op.enroll.<tokenType>.keyGen.<keyType>.keySize=1024
              op.enroll.<tokenType>.keyGen.<keyType>.keyUsage=0
              op.enroll.<tokenType>.keyGen.<keyType>.keyUser=0

       The valid algorithms are:

              · 2 - RSA

              · 5 - ECC

       For ECC, the valid key sizes are 256 and 384.

       keyUser is the PIN user that has use privilege for the generated
       private key; the value 15 means that all users have use privilege for
       the private key.

       keyUsage specifies the usage of the private key only. Valid usages:

              · 0 - default usage (signing only for this APDU)

              · 1 - signing only

              · 2 - decryption only

              · 3 - signing and decryption

       The following property determines whether to enable writing of the
       PKCS11 cache object to the token:

              op.enroll.<tokenType>.pkcs11obj.enable=true|false

       The following property determines whether to enable compression for
       writing of the PKCS11 cache object to the token:

              op.enroll.<tokenType>.pkcs11obj.compress.enable=true|false

       The following property determines the maximum number of wrong PIN
       attempts before the token is blocked:

              op.enroll.<tokenType>.pinReset.pin.maxRetries=127

       The maximum value is 127. This is the number of PIN guesses a holder
       (or a thief) gets before lockout, so treat 127 as the ceiling rather
       than a recommended setting.
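
       The following script is an added example for this page and is not code
       from Dogtag PKI. It reads the op.enroll.<tokenType>.keyGen.* and
       pinReset properties of one token type from a CS.cfg-style file and
       checks them against the rules stated above (alg must be 2 or 5, RSA
       keySize at most 1024, ECC keySize 256 or 384, keyUsage 0-3, certId and
       certAttrId pairing like C1/c1, no two key types sharing an object ID,
       recovery schemes from the list below, maxRetries at most 127), and it
       expands the $...$ label variables for a token to verify that the labels
       of co-existing keys are unique. The embedded profile, the token values
       (CUID, MSN, user ID) and the tokenState name onHold are constructed for
       the example; the profile deliberately contains four mistakes. Against a
       real instance run it as, for example,
       python tps_profile_lint.py /var/lib/pki/instance/conf/tps/CS.cfg userKey
       (the script name is arbitrary).

```python
"""Lint the keyGen/pinReset properties of a TPS token profile in CS.cfg and
expand its $...$ label variables.  Added example for the pki-tps-profile(5)
page, not Dogtag code.  SAMPLE_CFG and SAMPLE_TOKEN are constructed; the
tokenState "onHold" in the recovery property is an assumed placeholder."""
import re
import sys

LABEL_VARS = ("pretty_cuid", "cuid", "msn", "userid", "profileId")
SCHEMES = {"GenerateNewKey", "RecoverLast", "GenerateNewKeyandRecoverLast"}

# Constructed profile "userKey" with a signing and an encryption key.  It has
# four mistakes: RSA 2048 > 1024, C2 paired with c1, duplicate labels, 200 > 127.
SAMPLE_CFG = """
op.enroll.userKey.keyGen.signing.alg=2
op.enroll.userKey.keyGen.signing.keySize=1024
op.enroll.userKey.keyGen.signing.keyUsage=1
op.enroll.userKey.keyGen.signing.keyUser=0
op.enroll.userKey.keyGen.signing.certId=C1
op.enroll.userKey.keyGen.signing.certAttrId=c1
op.enroll.userKey.keyGen.signing.label=key for $userid$ ($pretty_cuid$)
op.enroll.userKey.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
op.enroll.userKey.keyGen.encryption.alg=2
op.enroll.userKey.keyGen.encryption.keySize=2048
op.enroll.userKey.keyGen.encryption.keyUsage=2
op.enroll.userKey.keyGen.encryption.keyUser=15
op.enroll.userKey.keyGen.encryption.certId=C2
op.enroll.userKey.keyGen.encryption.certAttrId=c1
op.enroll.userKey.keyGen.encryption.label=key for $userid$ ($pretty_cuid$)
op.enroll.userKey.keyGen.encryption.recovery.onHold.scheme=RecoverLast
op.enroll.userKey.pinReset.pin.maxRetries=200
"""

# Constructed token; the CUID is the one the page uses as its example.
SAMPLE_TOKEN = {"cuid": "40900062FF0200000B9C", "msn": "00A1B2C3",
                "userid": "jdoe", "profileId": "userKey"}


def parse_cfg(text):
    """Read key=value lines (CS.cfg style); blank and '#' lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def pretty_cuid(cuid):
    """40900062FF0200000B9C -> 4090-0062-FF02-0000-0B9C (groups of 4 hex digits)."""
    return "-".join(cuid[i:i + 4] for i in range(0, len(cuid), 4))


def expand_label(template, token):
    """Substitute the $var$ placeholders the page lists; unknown ones stay as-is."""
    values = dict(token, pretty_cuid=pretty_cuid(token["cuid"]))

    def sub(match):
        name = match.group(1)
        return values[name] if name in LABEL_VARS and name in values else match.group(0)

    return re.sub(r"\$(\w+)\$", sub, template)


def key_types(cfg, token_type):
    """Key types (e.g. signing, encryption) that have keyGen properties."""
    prefix = f"op.enroll.{token_type}.keyGen."
    return sorted({k[len(prefix):].split(".", 1)[0] for k in cfg if k.startswith(prefix)})


def lint_profile(cfg, token_type, token):
    """Return a list of findings; an empty list means the profile passed."""
    findings, labels, cert_ids = [], {}, {}
    for kt in key_types(cfg, token_type):
        p = f"op.enroll.{token_type}.keyGen.{kt}."
        alg, size = cfg.get(p + "alg", "2"), int(cfg.get(p + "keySize", "0"))
        if alg not in ("2", "5"):
            findings.append(f"{kt}: alg {alg} is neither 2 (RSA) nor 5 (ECC)")
        elif alg == "2" and size > 1024:
            findings.append(f"{kt}: RSA keySize {size} exceeds the maximum of 1024")
        elif alg == "5" and size not in (256, 384):
            findings.append(f"{kt}: ECC keySize {size} is not 256 or 384")
        if cfg.get(p + "keyUsage", "0") not in ("0", "1", "2", "3"):
            findings.append(f"{kt}: keyUsage must be 0, 1, 2 or 3")
        # C0 holds the raw data of c0, so certId/certAttrId must pair up and
        # two key types must not claim the same object number.
        cert_id, attr_id = cfg.get(p + "certId"), cfg.get(p + "certAttrId")
        if cert_id and attr_id and attr_id != cert_id.lower():
            findings.append(f"{kt}: certAttrId {attr_id} does not pair with certId {cert_id}")
        if cert_id:
            if cert_id in cert_ids:
                findings.append(f"{kt}: certId {cert_id} is already used by {cert_ids[cert_id]}")
            cert_ids[cert_id] = kt
        # Labels of co-existing keys on one token must be unique after expansion.
        if p + "label" in cfg:
            label = expand_label(cfg[p + "label"], token)
            if label in labels:
                findings.append(f"{kt}: label {label!r} collides with {labels[label]}")
            labels[label] = kt
        for k, v in cfg.items():
            if k.startswith(p + "recovery.") and k.endswith(".scheme") and v not in SCHEMES:
                findings.append(f"{kt}: unknown recovery scheme {v} in {k}")
    retries = cfg.get(f"op.enroll.{token_type}.pinReset.pin.maxRetries")
    if retries is not None and int(retries) > 127:
        findings.append(f"pinReset.pin.maxRetries {retries} exceeds the maximum of 127")
    return findings


if __name__ == "__main__":  # usage: script.py [CS.cfg] [tokenType]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CFG
    token_type = sys.argv[2] if len(sys.argv) > 2 else "userKey"
    for finding in lint_profile(parse_cfg(text), token_type, SAMPLE_TOKEN):
        print("FINDING:", finding)
```

       The label check uses one constructed token, which is enough to catch
       two key types that share a template; it does not prove uniqueness
       across different tokens, which the per-token variables ($cuid$,
       $msn$) provide.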

       There is a special case of tokenType userKeyTemporary. Make sure that
       the profile specified by profileId has a short validity period (e.g. 7
       days) for the certificate.

              op.enroll.userKey.keyGen.<keyType>.publisherId=fileBasedPublisher
              op.enroll.userKeyTemporary.keyGen.<keyType>.publisherId=fileBasedPublisher

       The following property describes the scheme used for recovery:

              op.enroll.<tokenType>.keyGen.<keyType>.recovery.<tokenState>.scheme=GenerateNewKey

       The three recovery schemes supported are:

              · GenerateNewKey - Generate a new key and cert for the
                encryption cert.

              · RecoverLast - Recover the most recent cert for the encryption
                cert.

              · GenerateNewKeyandRecoverLast - Generate a new key and cert AND
                recover the last one for the encryption cert.

   Token Renewal
       The following properties are used to define token renewal:

              op.enroll.<tokenType>.renewal.*

       For each token in the TPS UI, set the following to trigger renewal
       operations:

              RENEW=YES

       Optional grace period enforcement must coincide exactly with what the
       CA enforces.

       In the case of renewal, the encryption certId values are for
       completeness only; the server code calculates the actual values used.

   Format Operation For tokenKey
       The following property determines whether to update the applet if the
       token is empty:

              op.format.<tokenType>.update.applet.emptyToken.enable=false

       The property is applicable to:

              · CoolKey

              · HouseKey

              · HouseKey with Legacy Applet

   Certificate Chain Imports
       The following properties import CA certificates onto the token during
       enrollment. num is the number of certificates, value.<n> names each
       entry, and the remaining properties describe the named entry, using the
       same certId/certAttrId object-ID pairing as the key types above:

              op.enroll.certificates.num=1
              op.enroll.certificates.value.0=caCert
              op.enroll.certificates.caCert.nickName=caCert0 pki-tps
              op.enroll.certificates.caCert.certId=C5
              op.enroll.certificates.caCert.certAttrId=c5
              op.enroll.certificates.caCert.label=caCert Label

   Pin Reset Operation For CoolKey
       The following property determines whether to update the applet if the
       token is empty:

              op.pinReset.<tokenType>.update.applet.emptyToken.enable=false

       The property is not applicable to:

              · HouseKey

              · HouseKey with Legacy Applet


SEE ALSO

       pki-tps-profile(1)


AUTHORS

       Dogtag PKI Team <pki-devel@redhat.com>.

COPYRIGHT

       Copyright (c) 2014 Red Hat, Inc. This is licensed under the GNU General
       Public License, version 2 (GPLv2). A copy of this license is available
       at ⟨http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt⟩.

PKI                               May 6, 2014               pki-tps-profile(5)