pki-tps-connector(5)        PKI TPS Profile Configuration        pki-tps-connector(5)

NAME
       pki-tps-profile - PKI TPS Profile Configuration

LOCATION
       /var/lib/pki/instance/conf/tps/CS.cfg

DESCRIPTION
       Token profiles are defined using properties in the TPS configuration
       file.

   Enrollment Operation For CoolKey
       The following property sets the size of the key the token should
       generate:

           op.enroll.<tokenType>.keyGen.<keyType>.keySize=1024

       The maximum value is 1024.

       The following properties specify the PKCS11 attributes to set on the
       token:

           op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.encrypt=false
           op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.sign=true
           op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.signRecover=true
           op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.decrypt=false
           op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.derive=false
           op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.unwrap=false
           op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.wrap=false
           op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.verifyRecover=true
           op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.verify=true
           op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.sensitive=true
           op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.private=true
           op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.token=true

       The following property specifies the CUID shown in the certificate:

           op.enroll.<tokenType>.keyGen.<keyType>.cuid_label

       The following property specifies the token name:

           op.enroll.<tokenType>.keyGen.<keyType>.label

       The following variables can be used in the token name:

           · $pretty_cuid$ - Pretty Print CUID (e.g.
             4090-0062-FF02-0000-0B9C)

           · $cuid$ - CUID (e.g. 40900062FF0200000B9C)

           · $msn$ - MSN

           · $userid$ - User ID

           · $profileId$ - Profile ID

       All resulting labels for co-existing keys on the same token must be
       unique.
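
       The label expansion and the uniqueness rule above, as an added Python
       example that is not part of this man page or of Dogtag's TPS code. It
       assumes that TPS substitutes each $variable$ literally and that the
       pretty-print CUID is the CUID split into dash-separated groups of four
       hex digits, as in the example values above; the token values and the
       keyType names are constructed for the example.

```python
import re

# Variables the man page allows in op.enroll.<tokenType>.keyGen.<keyType>.label.
LABEL_VARIABLES = ("pretty_cuid", "cuid", "msn", "userid", "profileId")
VARIABLE_RE = re.compile(r"\$([A-Za-z_]+)\$")


def pretty_cuid(cuid):
    """Render a 20-hex-digit CUID as dash-separated groups of four
    (40900062FF0200000B9C -> 4090-0062-FF02-0000-0B9C).
    The grouping mirrors the man page's example; it is my reading of the
    format, not a rule the page states."""
    if not re.fullmatch(r"[0-9A-Fa-f]{20}", cuid):
        raise ValueError(f"unexpected CUID: {cuid!r}")
    cuid = cuid.upper()
    return "-".join(cuid[i:i + 4] for i in range(0, 20, 4))


def expand_label(template, token):
    """Substitute the documented $variables$ in a label template.
    token is a dict with keys cuid, msn, userid and profileId; pretty_cuid
    is derived from cuid. Unknown variables are rejected rather than left in."""
    values = {name: token[name] for name in ("cuid", "msn", "userid", "profileId")}
    values["pretty_cuid"] = pretty_cuid(token["cuid"])

    def replace(match):
        name = match.group(1)
        if name not in LABEL_VARIABLES:
            raise ValueError(f"unsupported variable ${name}$ in label {template!r}")
        return values[name]

    return VARIABLE_RE.sub(replace, template)


def expand_token_labels(label_templates, token):
    """Expand the label of every keyType on one token and enforce the rule
    that co-existing keys must end up with unique labels.
    label_templates maps keyType -> the value of ...keyGen.<keyType>.label."""
    labels, seen = {}, {}
    for key_type, template in label_templates.items():
        label = expand_label(template, token)
        if label in seen:
            raise ValueError(f"label {label!r} for {key_type} collides with {seen[label]}")
        seen[label] = key_type
        labels[key_type] = label
    return labels


# Constructed sample token values (not taken from a real token).
SAMPLE_TOKEN = {"cuid": "40900062FF0200000B9C", "msn": "000000FF",
                "userid": "jdoe", "profileId": "userKey"}

# Templates in the style of a CoolKey profile; the keyType names are illustrative.
SAMPLE_TEMPLATES = {
    "signing": "$userid$ signing key ($pretty_cuid$)",
    "encryption": "$userid$ encryption key ($pretty_cuid$)",
}

if __name__ == "__main__":
    for key_type, label in expand_token_labels(SAMPLE_TEMPLATES, SAMPLE_TOKEN).items():
        print(f"{key_type}: {label}")
```

       A template such as "$cuid$" used for two keyTypes on the same token
       expands to identical labels and is rejected by expand_token_labels;
       including $userid$ or a keyType-specific word in each template keeps
       the labels distinct.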

       The following property determines whether TPS will overwrite the key
       and certificate if they already exist:

           op.enroll.<tokenType>.keyGen.<keyType>.overwrite=true|false

       The following properties specify the PKCS11 object IDs:

           op.enroll.<tokenType>.keyGen.<keyType>.certId=C1
           op.enroll.<tokenType>.keyGen.<keyType>.certAttrId=c1
           op.enroll.<tokenType>.keyGen.<keyType>.privateKeyAttrId=k2
           op.enroll.<tokenType>.keyGen.<keyType>.publicKeyAttrId=k3
           op.enroll.<tokenType>.keyGen.<keyType>.privateKeyNumber=2
           op.enroll.<tokenType>.keyGen.<keyType>.publicKeyNumber=3

       Lower case letters signify objects containing PKCS11 object attributes
       in the format described below:

           · c - An object containing PKCS11 attributes for a certificate.

           · k - An object containing PKCS11 attributes for a public or
             private key.

           · r - An object containing PKCS11 attributes for a "reader".

       Upper case letters signify objects containing raw data corresponding
       to the lower case letters described above. For example, object C0
       contains raw data corresponding to object c0.

           · C - This object contains an entire DER cert, and nothing else.

           · K - This object contains a MUSCLE "key blob". TPS does not use
             this.

       The following properties specify the algorithm, the key size, the key
       usage, and which PIN user should be granted use privilege:

           op.enroll.<tokenType>.keyGen.<keyType>.alg=2
           op.enroll.<tokenType>.keyGen.<keyType>.keySize=1024
           op.enroll.<tokenType>.keyGen.<keyType>.keyUsage=0
           op.enroll.<tokenType>.keyGen.<keyType>.keyUser=0

       The valid algorithms are:

           · 2 - RSA

           · 5 - ECC

       For ECC, the valid key sizes are 256 and 384.

       The keyUser property specifies which PIN user is granted use privilege
       for the generated private key; the value 15 means that all users have
       use privilege for the private key.

       The keyUsage property specifies the usage of the private key only. The
       valid usages are:

           · 0 - default usage (Signing only for this APDU)

           · 1 - signing only

           · 2 - decryption only

           · 3 - signing and decryption

       The following property determines whether to enable writing of the
       PKCS11 cache object to the token:

           op.enroll.<tokenType>.pkcs11obj.enable=true|false

       The following property determines whether to enable compression for
       writing of the PKCS11 cache object to the token:

           op.enroll.<tokenType>.pkcs11obj.compress.enable=true|false

       The following property determines the maximum number of retries before
       blocking the token:

           op.enroll.<tokenType>.pinReset.pin.maxRetries=127

       The maximum value is 127.

       The tokenType userKeyTemporary is a special case. Make sure the profile
       specified by the profileId has a short validity period (e.g. 7 days)
       for the certificate.

           op.enroll.userKey.keyGen.<keyType>.publisherId=fileBasedPublisher
           op.enroll.userKeyTemporary.keyGen.<keyType>.publisherId=fileBasedPublisher

       The following property describes the scheme used for recovery:

           op.enroll.<tokenType>.keyGen.<keyType>.recovery.<tokenState>.scheme=GenerateNewKey

       The three recovery schemes supported are:

           · GenerateNewKey - Generate a new cert for the encryption cert.

           · RecoverLast - Recover the most recent cert for the encryption
             cert.

           · GenerateNewKeyandRecoverLast - Generate a new cert AND recover
             the last one for the encryption cert.

   Token Renewal
       The following properties are used to define token renewal:

           op.enroll.<tokenType>.renewal.*

       For each token in the TPS UI, set the following to trigger renewal
       operations:

           RENEW=YES

       Optional grace period enforcement must coincide exactly with what the
       CA enforces.

       In the case of renewal, the encryption certId values are for
       completeness only; the server code calculates the actual values used.

   Format Operation For tokenKey
       The following property determines whether to update the applet if the
       token is empty:

           op.format.<tokenType>.update.applet.emptyToken.enable=false

       The property is applicable to:

           · CoolKey

           · HouseKey

           · HouseKey with Legacy Applet

   Certificate Chain Imports
       The following properties define the certificate chain imports:

           op.enroll.certificates.num=1
           op.enroll.certificates.value.0=caCert
           op.enroll.certificates.caCert.nickName=caCert0 pki-tps
           op.enroll.certificates.caCert.certId=C5
           op.enroll.certificates.caCert.certAttrId=c5
           op.enroll.certificates.caCert.label=caCert Label
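
       An added Python checker for the constraints stated in the enrollment,
       pin reset, recovery and certificate chain sections above: algorithms 2
       and 5, RSA key size at most 1024, ECC key sizes 256 and 384, keyUsage
       0 to 3, true|false switches, maxRetries at most 127, the three
       recovery schemes, and the C5/c5 correspondence between an upper-case
       object ID and its lower-case attribute object. This is example code,
       not Dogtag's own validation. It treats CS.cfg as plain key=value
       lines, treats a keyGen entry with no alg as RSA, assumes that
       op.enroll.certificates.num must equal the number of value.N entries,
       and runs against a constructed sample fragment with deliberate
       mistakes; the tokenState names in that sample are illustrative.

```python
import re

# Value sets stated on the man page; defaults and structural assumptions are mine.
VALID_ALGS = {"2": "RSA", "5": "ECC"}
ECC_KEY_SIZES = {256, 384}
RSA_MAX_KEY_SIZE = 1024
VALID_KEY_USAGE = {"0", "1", "2", "3"}
RECOVERY_SCHEMES = {"GenerateNewKey", "RecoverLast", "GenerateNewKeyandRecoverLast"}
MAX_PIN_RETRIES = 127
BOOLEANS = {"true", "false"}
KEYGEN_RE = re.compile(r"^op\.enroll\.([^.]+)\.keyGen\.([^.]+)\.(.+)$")
RETRIES_RE = re.compile(r"^op\.enroll\.[^.]+\.pinReset\.pin\.maxRetries$")


def parse_properties(text):
    """Read CS.cfg-style key=value lines; blank lines and '#' comment lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props


def ids_correspond(cert_id, attr_id):
    # An upper-case object ID (C5) must pair with the same lower-case attribute ID (c5).
    return bool(re.fullmatch(r"[A-Z]\d+", cert_id)) and attr_id == cert_id.lower()


def validate_profile(props):
    """Return findings for the keyGen, pin reset and recovery settings of every token type."""
    findings, keygen = [], {}
    for key, value in props.items():
        m = KEYGEN_RE.match(key)
        if m:
            keygen.setdefault((m[1], m[2]), {})[m[3]] = value
        elif RETRIES_RE.match(key) and not (value.isdigit() and int(value) <= MAX_PIN_RETRIES):
            findings.append(f"{key}: must be an integer no greater than {MAX_PIN_RETRIES}, got {value!r}")
    for (token_type, key_type), s in sorted(keygen.items()):
        prefix = f"op.enroll.{token_type}.keyGen.{key_type}"
        if s.get("alg", "2") not in VALID_ALGS:
            findings.append(f"{prefix}.alg: unknown algorithm {s['alg']!r} (2=RSA, 5=ECC)")
        alg = VALID_ALGS.get(s.get("alg", "2"))  # treating a missing alg as RSA is my assumption
        size = int(s["keySize"]) if s.get("keySize", "").isdigit() else None  # non-numeric: ignored
        if size is not None and alg == "ECC" and size not in ECC_KEY_SIZES:
            findings.append(f"{prefix}.keySize: ECC key size must be 256 or 384, got {size}")
        elif size is not None and alg == "RSA" and size > RSA_MAX_KEY_SIZE:
            findings.append(f"{prefix}.keySize: maximum is {RSA_MAX_KEY_SIZE}, got {size}")
        if "keyUsage" in s and s["keyUsage"] not in VALID_KEY_USAGE:
            findings.append(f"{prefix}.keyUsage: must be 0, 1, 2 or 3, got {s['keyUsage']!r}")
        if "overwrite" in s and s["overwrite"] not in BOOLEANS:
            findings.append(f"{prefix}.overwrite: expected true|false, got {s['overwrite']!r}")
        if "certId" in s and "certAttrId" in s and not ids_correspond(s["certId"], s["certAttrId"]):
            findings.append(f"{prefix}: certId {s['certId']!r} does not match certAttrId {s['certAttrId']!r}")
        for rest, value in s.items():
            if rest.startswith("recovery.") and rest.endswith(".scheme") and value not in RECOVERY_SCHEMES:
                findings.append(f"{prefix}.{rest}: unknown recovery scheme {value!r}")
    return findings


def validate_cert_chain(props):
    """Check op.enroll.certificates.*: num must cover value.0..value.N-1 (my assumption)."""
    findings = []
    num = props.get("op.enroll.certificates.num")
    if num is None or not num.isdigit():
        return findings
    for i in range(int(num)):
        name = props.get(f"op.enroll.certificates.value.{i}")
        if name is None:
            findings.append(f"op.enroll.certificates.value.{i}: missing although num={num}")
            continue
        base = f"op.enroll.certificates.{name}"
        for attr in ("nickName", "certId", "certAttrId", "label"):
            if f"{base}.{attr}" not in props:
                findings.append(f"{base}.{attr}: missing")
        cert_id, attr_id = props.get(f"{base}.certId"), props.get(f"{base}.certAttrId")
        if cert_id and attr_id and not ids_correspond(cert_id, attr_id):
            findings.append(f"{base}: certId {cert_id!r} does not match certAttrId {attr_id!r}")
    return findings


# Constructed sample fragment with deliberate mistakes (not from a real deployment).
SAMPLE_CFG = """\
op.enroll.userKey.keyGen.signing.alg=2
op.enroll.userKey.keyGen.signing.keySize=2048
op.enroll.userKey.keyGen.encryption.alg=5
op.enroll.userKey.keyGen.encryption.keySize=384
op.enroll.userKey.keyGen.encryption.overwrite=yes
op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=RecoverAll
op.enroll.userKey.pinReset.pin.maxRetries=200
op.enroll.certificates.num=2
op.enroll.certificates.value.0=caCert
op.enroll.certificates.caCert.nickName=caCert0 pki-tps
op.enroll.certificates.caCert.certId=C5
op.enroll.certificates.caCert.certAttrId=c4
op.enroll.certificates.caCert.label=caCert Label
"""

if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_CFG)
    print("\n".join(validate_profile(cfg) + validate_cert_chain(cfg)))
```

       Run against the sample, the checker reports the RSA key size above
       1024, the non-boolean overwrite value, the unknown recovery scheme,
       the retry count above 127, the certId/certAttrId mismatch and the
       missing value.1 entry; a real CS.cfg can be fed to parse_properties
       the same way.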

   Pin Reset Operation For CoolKey
       The following property determines whether to update the applet if the
       token is empty:

           op.pinReset.<tokenType>.update.applet.emptyToken.enable=false

       The property is not applicable to:

           · HouseKey

           · HouseKey with Legacy Applet

SEE ALSO
       pki-tps-profile(1)

AUTHORS
       Dogtag PKI Team <pki-devel@redhat.com>.

COPYRIGHT
       Copyright (c) 2014 Red Hat, Inc. This is licensed under the GNU General
       Public License, version 2 (GPLv2). A copy of this license is available
       at ⟨http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt⟩.

PKI                              May 6, 2014               pki-tps-connector(5)