pki-tps-profile man page

Name
       pki-tps-profile - PKI TPS Profile Configuration

Location
       /var/lib/pki/instance/conf/tps/CS.cfg

Description
       Token profiles are defined using properties in the TPS configuration file.

   Enrollment Operation For CoolKey
       The following property sets the size of the key the token should generate:

           op.enroll.<tokenType>.keyGen.<keyType>.keySize=1024

       The maximum value is 1024.

       The following properties specify the PKCS11 attributes to set on the token:

           op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.encrypt=false
           op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.sign=true
           op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.signRecover=true
           op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.decrypt=false
           op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.derive=false
           op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.unwrap=false
           op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.wrap=false
           op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.verifyRecover=true
           op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.verify=true
           op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.sensitive=true
           op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.private=true
           op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.token=true

       The following property specifies the CUID shown in the certificate:

           op.enroll.<tokenType>.keyGen.<keyType>.cuid_label

       The following property specifies the token name:

           op.enroll.<tokenType>.keyGen.<keyType>.label

       The following variables can be used in the token name:

       All resulting labels for co-existing keys on the same token must be unique.

       The following property determines whether TPS will overwrite the key and certificate if they already exist:

           op.enroll.<tokenType>.keyGen.<keyType>.overwrite=true|false

       The following properties specify the PKCS11 object IDs:

           op.enroll.<tokenType>.keyGen.<keyType>.certId=C1
           op.enroll.<tokenType>.keyGen.<keyType>.certAttrId=c1
           op.enroll.<tokenType>.keyGen.<keyType>.privateKeyAttrId=k2
           op.enroll.<tokenType>.keyGen.<keyType>.publicKeyAttrId=k3

       Lower case letters signify objects containing PKCS11 object attributes in the format described below:

       Upper case letters signify objects containing raw data corresponding to the lower case letters described above. For example, object C0 contains raw data corresponding to object c0.

       The following properties specify the algorithm, the key size, the key usage, and which PIN user should be granted use privilege:

           op.enroll.<tokenType>.keyGen.<keyType>.privateKeyNumber=2
           op.enroll.<tokenType>.keyGen.<keyType>.publicKeyNumber=3
           op.enroll.<tokenType>.keyGen.<keyType>.alg=2
           op.enroll.<tokenType>.keyGen.<keyType>.keySize=1024
           op.enroll.<tokenType>.keyGen.<keyType>.keyUsage=0
           op.enroll.<tokenType>.keyGen.<keyType>.keyUser=0

       The valid algorithms are:

       For ECC, the valid key sizes are 256 and 384.

       The keyUser value identifies the user granted use privilege of the generated private key, or 15 if all users have use privilege for the private key.

       Valid usages (only specifies the usage for the private key):

       The following property determines whether to enable writing of the PKCS11 cache object to the token:

           op.enroll.<tokenType>.pkcs11obj.enable=true|false

       The following property determines whether to enable compression when writing the PKCS11 cache object to the token:

           op.enroll.<tokenType>.pkcs11obj.compress.enable=true|false

       The following property determines the maximum number of retries before blocking the token:

           op.enroll.<tokenType>.pinReset.pin.maxRetries=127

       The maximum value is 127.

       There is a special case of tokenType userKeyTemporary. Make sure the profile specified by profileId has a short validity period (e.g. 7 days) for the certificate.

           op.enroll.userKey.keyGen.<keyType>.publisherId=fileBasedPublisher
           op.enroll.userKeyTemporary.keyGen.<keyType>.publisherId=fileBasedPublisher

       The following property describes the scheme used for recovery:

           op.enroll.<tokenType>.keyGen.<keyType>.recovery.<tokenState>.scheme=GenerateNewKey

       The three recovery schemes supported are:

   Token Renewal
       The following properties are used to define token renewal:

           op.enroll.<tokenType>.renewal.*

       For each token in the TPS UI, set the following to trigger renewal operations:

           RENEW=YES

       Optional grace period enforcement must coincide exactly with what the CA enforces.

       In case of renewal, encryption certId values are for completeness only; the server code calculates the actual values used.

   Format Operation For tokenKey
       The following property determines whether to update the applet if the token is empty:

           op.format.<tokenType>.update.applet.emptyToken.enable=false

       The property is applicable to:

   Certificate Chain Imports
           op.enroll.certificates.num=1
           op.enroll.certificates.value.0=caCert
           op.enroll.certificates.caCert.nickName=caCert0 pki-tps
           op.enroll.certificates.caCert.certId=C5
           op.enroll.certificates.caCert.certAttrId=c5
           op.enroll.certificates.caCert.label=caCert Label

   Pin Reset Operation For CoolKey
       The following property determines whether to update the applet if the token is empty:

           op.pinReset.<tokenType>.update.applet.emptyToken.enable=false

       The property is not applicable to:

Authors
       Dogtag PKI Team <pki-devel@redhat.com>.

Copyright
       Copyright (c) 2014 Red Hat, Inc. This is licensed under the GNU General Public License, version 2 (GPLv2). A copy of this license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
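The limits stated in the Enrollment Operation section (keySize at most 1024, maxRetries at most 127, raw object C<n> paired with attribute object c<n>, and unique labels for co-existing keys on one token) can be checked before a profile is deployed. The validator below is an added example, not part of Dogtag PKI or this man page; the CS.cfg fragment it parses is constructed and the property names follow the patterns documented above.

```python
import re

# Constructed CS.cfg fragment with deliberate problems: an oversized key, a certId
# that does not pair with its certAttrId, a duplicate label, and maxRetries > 127.
SAMPLE_CFG = """
op.enroll.userKey.keyGen.signing.keySize=1024
op.enroll.userKey.keyGen.signing.label=$userid$ key
op.enroll.userKey.keyGen.signing.certId=C1
op.enroll.userKey.keyGen.signing.certAttrId=c1
op.enroll.userKey.keyGen.encryption.keySize=2048
op.enroll.userKey.keyGen.encryption.label=$userid$ key
op.enroll.userKey.keyGen.encryption.certId=C2
op.enroll.userKey.keyGen.encryption.certAttrId=c3
op.enroll.userKey.pinReset.pin.maxRetries=200
"""
KEYGEN = re.compile(r"^op\.enroll\.([^.]+)\.keyGen\.([^.]+)\.(.+)$")
RETRIES = re.compile(r"^op\.enroll\.[^.]+\.pinReset\.pin\.maxRetries$")

def parse_cfg(text):
    """Return {property: value} for key=value lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, val = line.split("=", 1)
            props[key.strip()] = val.strip()
    return props

def check_profile(props):
    """Return a list of findings; an empty list means the profile passes."""
    findings, per_key, labels = [], {}, {}
    for key, val in props.items():
        if RETRIES.match(key) and not (val.isdigit() and int(val) <= 127):
            findings.append(f"{key}: maxRetries must be at most 127, got {val!r}")
        m = KEYGEN.match(key)
        if m:  # group properties by (tokenType, keyType)
            per_key.setdefault((m[1], m[2]), {})[m[3]] = val
    for (tok, kt), p in per_key.items():
        where = f"op.enroll.{tok}.keyGen.{kt}"
        size = p.get("keySize", "0")
        if not (size.isdigit() and int(size) <= 1024):
            findings.append(f"{where}.keySize: maximum is 1024, got {size!r}")
        # Raw object C<n> must pair with attribute object c<n> (same index).
        if "certId" in p and p["certId"].lower() != p.get("certAttrId"):
            findings.append(f"{where}: certId {p['certId']} does not pair with certAttrId {p.get('certAttrId')!r}")
        if "label" in p:  # labels of co-existing keys on one token must be unique
            if (tok, p["label"]) in labels:
                findings.append(f"{where}.label: duplicate of {labels[tok, p['label']]}")
            labels.setdefault((tok, p["label"]), where)
    return findings
```

Running `check_profile(parse_cfg(SAMPLE_CFG))` on the constructed fragment reports four findings, one per deliberate problem; a clean profile yields an empty list.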