[Freeipa-users] Certificate Profile - Policy Set Not Found

Fraser Tweedale ftweedal at redhat.com
Mon Dec 14 06:45:54 UTC 2015


Thanks for these details Wouter.

Looking at your CS.cfg, there is something wrong - the line:

    subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem

should be:

    subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem

What is the history of this IPA server?  Was it a fresh
ipa-server-install on RHEL 7.2; an upgrade from an earlier version
of RHEL; or an ipa-replica-install from an IPA server of an earlier
release?  Could you check the following logfiles (whichever are
present) for errors?

    /var/log/ipareplica-install.log
    /var/log/ipaserver-install.log
    /var/log/ipaupgrade.log

Anyhow, I suggest switching to LDAPProfileSubsystem in CS.cfg,
restarting PKI and then seeing if the problem still occurs.

Cheers,
Fraser


On Fri, Dec 11, 2015 at 09:04:26AM +0000, wouter.hummelink at kpn.com wrote:
> ipa-admintools.x86_64                                                                4.2.0-15.el7                                                           @rhel-x86_64-server-7
> ipa-client.x86_64                                                                    4.2.0-15.el7                                                           @rhel-x86_64-server-7
> ipa-python.x86_64                                                                    4.2.0-15.el7                                                           @rhel-x86_64-server-7
> ipa-server.x86_64                                                                    4.2.0-15.el7                                                           @rhel-x86_64-server-7
> ipa-server-dns.x86_64                                                                4.2.0-15.el7                                                           @rhel-x86_64-server-7
> ipa-server-trust-ad.x86_64                                                           4.2.0-15.el7                                                           @rhel-x86_64-server-7
> 
> pki-base.noarch                                                                 10.2.5-6.el7                                                                @rhel-x86_64-server-7
> pki-ca.noarch                                                                   10.2.5-6.el7                                                                @rhel-x86_64-server-7
> pki-kra.noarch                                                                  10.2.5-6.el7                                                                @rhel-x86_64-server-7
> pki-server.noarch                                                               10.2.5-6.el7                                                                @rhel-x86_64-server-7
> pki-symkey.x86_64                                                               10.2.5-6.el7                                                                @rhel-x86_64-server-7
> pki-tools.x86_64                                                                10.2.5-6.el7                                                                @rhel-x86_64-server-7
> 
> CrossCertPair._000=##
> CrossCertPair._001=## CrossCertPair Import
> CrossCertPair._002=##
> CrossCertPair.ldap=internaldb
> _000=##
> _001=## Certificate Authority (CA) Configuration File
> _002=##
> accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator
> accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator
> accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator
> accessEvaluator.impl.user_origreq.class=com.netscape.cms.evaluators.UserOrigReqAccessEvaluator
> admin.interface.uri=ca/admin/console/config/wizard
> agent.interface.uri=ca/agent/ca
> authType=pwd
> auths._000=##
> auths._001=## new authentication
> auths._002=##
> auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication
> auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth
> auths.impl.FlatFileAuth.class=com.netscape.cms.authentication.FlatFileAuth
> auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth
> auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
> auths.impl.SSLclientCertAuth.class=com.netscape.cms.authentication.SSLclientCertAuthentication
> auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication
> auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication
> auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication
> auths.impl.UidPwdGroupDirAuth.class=com.netscape.cms.authentication.UidPwdGroupDirAuthentication
> auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication
> auths.impl._000=##
> auths.impl._001=## authentication manager implementations
> auths.impl._002=##
> auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents
> auths.instance.AgentCertAuth.pluginName=AgentCertAuth
> auths.instance.SSLclientCertAuth.pluginName=SSLclientCertAuth
> auths.instance.TokenAuth.pluginName=TokenAuth
> auths.instance.flatFileAuth.authAttributes=PWD
> auths.instance.flatFileAuth.deferOnFailure=true
> auths.instance.flatFileAuth.fileName=/var/lib/pki/pki-tomcat/conf/ca/flatfile.txt
> auths.instance.flatFileAuth.keyAttributes=UID
> auths.instance.flatFileAuth.pluginName=FlatFileAuth
> auths.instance.raCertAuth.agentGroup=Registration Manager Agents
> auths.instance.raCertAuth.pluginName=AgentCertAuth
> auths.revocationChecking.bufferSize=50
> auths.revocationChecking.ca=ca
> auths.revocationChecking.enabled=true
> auths.revocationChecking.unknownStateInterval=0
> auths.revocationChecking.validityInterval=120
> authz._000=##
> authz._001=## new authorizatioin
> authz._002=##
> authz.evaluateOrder=deny,allow
> authz.impl.BasicAclAuthz.class=com.netscape.cms.authorization.BasicAclAuthz
> authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
> authz.impl._000=##
> authz.impl._001=## authorization manager implementations
> authz.impl._002=##
> authz.instance.BasicAclAuthz.pluginName=BasicAclAuthz
> authz.instance.DirAclAuthz.ldap=internaldb
> authz.instance.DirAclAuthz.ldap._000=##
> authz.instance.DirAclAuthz.ldap._001=## Internal Database
> authz.instance.DirAclAuthz.ldap._002=##
> authz.instance.DirAclAuthz.ldap.ldapauth.authtype=SslClientAuth
> authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipa-ca
> authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
> authz.instance.DirAclAuthz.ldap.ldapconn.port=636
> authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=true
> authz.instance.DirAclAuthz.pluginName=DirAclAuthz
> authz.sourceType=ldap
> ca.Policy._000=##
> ca.Policy._001=## Certificate Policy Framework (deprecated)
> ca.Policy._002=##
> ca.Policy._003=## Set 'ca.Policy.enable=true' to allow the following:
> ca.Policy._004=##
> ca.Policy._005=##     SERVLET-NAME           URL-PATTERN
> ca.Policy._006=##     ====================================================
> ca.Policy._007=##     caadminEnroll          ca/admin/ca/adminEnroll.html
> ca.Policy._008=##     cabulkissuance         ca/agent/ca/bulkissuance.html
> ca.Policy._009=##     cacertbasedenrollment  ca/certbasedenrollment.html
> ca.Policy._010=##     caenrollment           ca/enrollment.html
> ca.Policy._011=##     capolicy               ca/capolicy
> ca.Policy._012=##
> ca.Policy.enable=false
> ca.Policy.impl.AttributePresentConstraints.class=com.netscape.cms.policy.constraints.AttributePresentConstraints
> ca.Policy.impl.AuthInfoAccessExt.class=com.netscape.cms.policy.extensions.AuthInfoAccessExt
> ca.Policy.impl.AuthorityKeyIdentifierExt.class=com.netscape.cms.policy.extensions.AuthorityKeyIdentifierExt
> ca.Policy.impl.BasicConstraintsExt.class=com.netscape.cms.policy.extensions.BasicConstraintsExt
> ca.Policy.impl.CRLDistributionPointsExt.class=com.netscape.cms.policy.extensions.CRLDistributionPointsExt
> ca.Policy.impl.CertificatePoliciesExt.class=com.netscape.cms.policy.extensions.CertificatePoliciesExt
> ca.Policy.impl.CertificateRenewalWindowExt.class=com.netscape.cms.policy.extensions.CertificateRenewalWindowExt
> ca.Policy.impl.CertificateScopeOfUseExt.class=com.netscape.cms.policy.extensions.CertificateScopeOfUseExt
> ca.Policy.impl.DSAKeyConstraints.class=com.netscape.cms.policy.constraints.DSAKeyConstraints
> ca.Policy.impl.ExtendedKeyUsageExt.class=com.netscape.cms.policy.extensions.ExtendedKeyUsageExt
> ca.Policy.impl.GenericASN1Ext.class=com.netscape.cms.policy.extensions.GenericASN1Ext
> ca.Policy.impl.IssuerAltNameExt.class=com.netscape.cms.policy.extensions.IssuerAltNameExt
> ca.Policy.impl.IssuerConstraints.class=com.netscape.cms.policy.constraints.IssuerConstraints
> ca.Policy.impl.KeyAlgorithmConstraints.class=com.netscape.cms.policy.constraints.KeyAlgorithmConstraints
> ca.Policy.impl.KeyUsageExt.class=com.netscape.cms.policy.extensions.KeyUsageExt
> ca.Policy.impl.NSCCommentExt.class=com.netscape.cms.policy.extensions.NSCCommentExt
> ca.Policy.impl.NSCertTypeExt.class=com.netscape.cms.policy.extensions.NSCertTypeExt
> ca.Policy.impl.NameConstraintsExt.class=com.netscape.cms.policy.extensions.NameConstraintsExt
> ca.Policy.impl.OCSPNoCheckExt.class=com.netscape.cms.policy.extensions.OCSPNoCheckExt
> ca.Policy.impl.PolicyConstraintsExt.class=com.netscape.cms.policy.extensions.PolicyConstraintsExt
> ca.Policy.impl.PolicyMappingsExt.class=com.netscape.cms.policy.extensions.PolicyMappingsExt
> ca.Policy.impl.PrivateKeyUsagePeriodExt.class=com.netscape.cms.policy.extensions.PrivateKeyUsagePeriodExt
> ca.Policy.impl.RSAKeyConstraints.class=com.netscape.cms.policy.constraints.RSAKeyConstraints
> ca.Policy.impl.RemoveBasicConstraintsExt.class=com.netscape.cms.policy.extensions.RemoveBasicConstraintsExt
> ca.Policy.impl.RenewalConstraints.class=com.netscape.cms.policy.constraints.RenewalConstraints
> ca.Policy.impl.RenewalValidityConstraints.class=com.netscape.cms.policy.constraints.RenewalValidityConstraints
> ca.Policy.impl.RevocationConstraints.class=com.netscape.cms.policy.constraints.RevocationConstraints
> ca.Policy.impl.SigningAlgorithmConstraints.class=com.netscape.cms.policy.constraints.SigningAlgorithmConstraints
> ca.Policy.impl.SubCANameConstraints.class=com.netscape.cms.policy.constraints.SubCANameConstraints
> ca.Policy.impl.SubjectAltNameExt.class=com.netscape.cms.policy.extensions.SubjectAltNameExt
> ca.Policy.impl.SubjectDirectoryAttributesExt.class=com.netscape.cms.policy.extensions.SubjectDirectoryAttributesExt
> ca.Policy.impl.SubjectKeyIdentifierExt.class=com.netscape.cms.policy.extensions.SubjectKeyIdentifierExt
> ca.Policy.impl.UniqueSubjectNameConstraints.class=com.netscape.cms.policy.constraints.UniqueSubjectNameConstraints
> ca.Policy.impl.ValidityConstraints.class=com.netscape.cms.policy.constraints.ValidityConstraints
> ca.Policy.impl._000=##
> ca.Policy.impl._001=## Policy Implementations
> ca.Policy.impl._002=##
> ca.Policy.order=KeyAlgRule, RSAKeyRule, DefaultValidityRule, RenewalConstraintsRule, DefaultRenewalValidityRule, RevocationConstraintsRule, NSCertTypeExt, CMCertKeyUsageExt, RMCertKeyUsageExt, ClientCertKeyUsageExt, ServerCertKeyUsageExt, ObjSignCertKeyUsageExt, CRLSignCertKeyUsageExt, SubjectKeyIdentifierExt, CertificatePoliciesExt, NSCCommentExt, OCSPNoCheckExt, OCSPSigningExt, CODESigningExt, GenericASN1Ext, CRLDistributionPointsExt, SubjectAltNameExt, SigningAlgRule, AuthorityKeyIdentifierExt, AuthInfoAccessExt, BasicConstraintsExt, UniqueSubjectNameConstraints, NameConstraintsExt, PolicyConstraintsExt, SubCANameConstraints, PolicyMappingsExt, IssuerRule
> ca.Policy.processor=classic
> ca.Policy.rule.AuthInfoAccessExt.ad0_location=http://pvlipa1001c.linux.infra.local:8080/ocsp
> ca.Policy.rule.AuthInfoAccessExt.ad0_location_type=URL
> ca.Policy.rule.AuthInfoAccessExt.ad0_method=ocsp
> ca.Policy.rule.AuthInfoAccessExt.enable=false
> ca.Policy.rule.AuthInfoAccessExt.implName=AuthInfoAccessExt
> ca.Policy.rule.AuthInfoAccessExt.numADs=1
> ca.Policy.rule.AuthInfoAccessExt.predicate=HTTP_PARAMS.certType==client
> ca.Policy.rule.AuthorityKeyIdentifierExt.enable=true
> ca.Policy.rule.AuthorityKeyIdentifierExt.implName=AuthorityKeyIdentifierExt
> ca.Policy.rule.AuthorityKeyIdentifierExt.predicate=
> ca.Policy.rule.BasicConstraintsExt.critical=true
> ca.Policy.rule.BasicConstraintsExt.enable=true
> ca.Policy.rule.BasicConstraintsExt.implName=BasicConstraintsExt
> ca.Policy.rule.BasicConstraintsExt.maxPathLen=
> ca.Policy.rule.BasicConstraintsExt.predicate=HTTP_PARAMS.certType == ca
> ca.Policy.rule.BasicConstraintsExt.removeBasicExt=true
> ca.Policy.rule.CMCertKeyUsageExt.crlSign=true
> ca.Policy.rule.CMCertKeyUsageExt.dataEncipherment=false
> ca.Policy.rule.CMCertKeyUsageExt.decipherOnly=false
> ca.Policy.rule.CMCertKeyUsageExt.digitalSignature=true
> ca.Policy.rule.CMCertKeyUsageExt.enable=true
> ca.Policy.rule.CMCertKeyUsageExt.encipherOnly=false
> ca.Policy.rule.CMCertKeyUsageExt.implName=KeyUsageExt
> ca.Policy.rule.CMCertKeyUsageExt.keyAgreement=false
> ca.Policy.rule.CMCertKeyUsageExt.keyCertsign=true
> ca.Policy.rule.CMCertKeyUsageExt.keyEncipherment=false
> ca.Policy.rule.CMCertKeyUsageExt.nonRepudiation=true
> ca.Policy.rule.CMCertKeyUsageExt.predicate=HTTP_PARAMS.certType==ca
> ca.Policy.rule.CODESigningExt.critical=false
> ca.Policy.rule.CODESigningExt.enable=true
> ca.Policy.rule.CODESigningExt.id0=1.3.6.1.5.5.7.3.3
> ca.Policy.rule.CODESigningExt.implName=ExtendedKeyUsageExt
> ca.Policy.rule.CODESigningExt.predicate=HTTP_PARAMS.certType==codeSignClient
> ca.Policy.rule.CRLDistributionPointsExt.enable=false
> ca.Policy.rule.CRLDistributionPointsExt.implName=CRLDistributionPointsExt
> ca.Policy.rule.CRLDistributionPointsExt.issuerName0=
> ca.Policy.rule.CRLDistributionPointsExt.issuerName1=
> ca.Policy.rule.CRLDistributionPointsExt.issuerName2=
> ca.Policy.rule.CRLDistributionPointsExt.issuerType0=
> ca.Policy.rule.CRLDistributionPointsExt.issuerType1=
> ca.Policy.rule.CRLDistributionPointsExt.issuerType2=
> ca.Policy.rule.CRLDistributionPointsExt.numPoints=0
> ca.Policy.rule.CRLDistributionPointsExt.pointName0=
> ca.Policy.rule.CRLDistributionPointsExt.pointName1=
> ca.Policy.rule.CRLDistributionPointsExt.pointName2=
> ca.Policy.rule.CRLDistributionPointsExt.pointType0=
> ca.Policy.rule.CRLDistributionPointsExt.pointType1=
> ca.Policy.rule.CRLDistributionPointsExt.pointType2=
> ca.Policy.rule.CRLDistributionPointsExt.predicate=
> ca.Policy.rule.CRLDistributionPointsExt.reasons0=
> ca.Policy.rule.CRLDistributionPointsExt.reasons1=
> ca.Policy.rule.CRLDistributionPointsExt.reasons2=
> ca.Policy.rule.CRLSignCertKeyUsageExt.crlSign=true
> ca.Policy.rule.CRLSignCertKeyUsageExt.dataEncipherment=false
> ca.Policy.rule.CRLSignCertKeyUsageExt.decipherOnly=false
> ca.Policy.rule.CRLSignCertKeyUsageExt.digitalSignature=false
> ca.Policy.rule.CRLSignCertKeyUsageExt.enable=true
> ca.Policy.rule.CRLSignCertKeyUsageExt.encipherOnly=false
> ca.Policy.rule.CRLSignCertKeyUsageExt.implName=KeyUsageExt
> ca.Policy.rule.CRLSignCertKeyUsageExt.keyAgreement=false
> ca.Policy.rule.CRLSignCertKeyUsageExt.keyCertsign=false
> ca.Policy.rule.CRLSignCertKeyUsageExt.keyEncipherment=false
> ca.Policy.rule.CRLSignCertKeyUsageExt.nonRepudiation=false
> ca.Policy.rule.CRLSignCertKeyUsageExt.predicate=HTTP_PARAMS.certType==caCrlSigning
> ca.Policy.rule.CertificatePoliciesExt.certPolicy0.cpsURI=
> ca.Policy.rule.CertificatePoliciesExt.certPolicy0.noticeRefNumbers=
> ca.Policy.rule.CertificatePoliciesExt.certPolicy0.noticeRefOrganization=
> ca.Policy.rule.CertificatePoliciesExt.certPolicy0.policyId=
> ca.Policy.rule.CertificatePoliciesExt.certPolicy0.userNoticeExplicitText=
> ca.Policy.rule.CertificatePoliciesExt.critical=false
> ca.Policy.rule.CertificatePoliciesExt.enable=false
> ca.Policy.rule.CertificatePoliciesExt.implName=CertificatePoliciesExt
> ca.Policy.rule.CertificatePoliciesExt.numCertPolicies=1
> ca.Policy.rule.CertificatePoliciesExt.predicate=
> ca.Policy.rule.ClientCertKeyUsageExt.crlSign=false
> ca.Policy.rule.ClientCertKeyUsageExt.dataEncipherment=false
> ca.Policy.rule.ClientCertKeyUsageExt.decipherOnly=false
> ca.Policy.rule.ClientCertKeyUsageExt.digitalSignature=true
> ca.Policy.rule.ClientCertKeyUsageExt.enable=true
> ca.Policy.rule.ClientCertKeyUsageExt.encipherOnly=false
> ca.Policy.rule.ClientCertKeyUsageExt.implName=KeyUsageExt
> ca.Policy.rule.ClientCertKeyUsageExt.keyAgreement=false
> ca.Policy.rule.ClientCertKeyUsageExt.keyCertsign=false
> ca.Policy.rule.ClientCertKeyUsageExt.keyEncipherment=true
> ca.Policy.rule.ClientCertKeyUsageExt.nonRepudiation=true
> ca.Policy.rule.ClientCertKeyUsageExt.predicate=HTTP_PARAMS.certType==client
> ca.Policy.rule.DSAKeyRule.enable=true
> ca.Policy.rule.DSAKeyRule.implName=DSAKeyConstraints
> ca.Policy.rule.DSAKeyRule.maxSize=1024
> ca.Policy.rule.DSAKeyRule.minSize=512
> ca.Policy.rule.DSAKeyRule.predicate=
> ca.Policy.rule.DefaultRenewalValidityRule.enable=true
> ca.Policy.rule.DefaultRenewalValidityRule.implName=RenewalValidityConstraints
> ca.Policy.rule.DefaultRenewalValidityRule.maxValidity=365
> ca.Policy.rule.DefaultRenewalValidityRule.minValidity=30
> ca.Policy.rule.DefaultRenewalValidityRule.predicate=
> ca.Policy.rule.DefaultRenewalValidityRule.renewalInterval=15
> ca.Policy.rule.DefaultValidityRule.enable=true
> ca.Policy.rule.DefaultValidityRule.implName=ValidityConstraints
> ca.Policy.rule.DefaultValidityRule.maxValidity=365
> ca.Policy.rule.DefaultValidityRule.minValidity=1
> ca.Policy.rule.DefaultValidityRule.predicate=
> ca.Policy.rule.GenericASN1Ext.attribute.0.source=
> ca.Policy.rule.GenericASN1Ext.attribute.0.type=
> ca.Policy.rule.GenericASN1Ext.attribute.0.value=
> ca.Policy.rule.GenericASN1Ext.attribute.1.source=
> ca.Policy.rule.GenericASN1Ext.attribute.1.type=
> ca.Policy.rule.GenericASN1Ext.attribute.1.value=
> ca.Policy.rule.GenericASN1Ext.attribute.2.source=
> ca.Policy.rule.GenericASN1Ext.attribute.2.type=
> ca.Policy.rule.GenericASN1Ext.attribute.2.value=
> ca.Policy.rule.GenericASN1Ext.attribute.3.source=
> ca.Policy.rule.GenericASN1Ext.attribute.3.type=
> ca.Policy.rule.GenericASN1Ext.attribute.3.value=
> ca.Policy.rule.GenericASN1Ext.attribute.4.source=
> ca.Policy.rule.GenericASN1Ext.attribute.4.type=
> ca.Policy.rule.GenericASN1Ext.attribute.4.value=
> ca.Policy.rule.GenericASN1Ext.attribute.5.source=
> ca.Policy.rule.GenericASN1Ext.attribute.5.type=
> ca.Policy.rule.GenericASN1Ext.attribute.5.value=
> ca.Policy.rule.GenericASN1Ext.attribute.6.source=
> ca.Policy.rule.GenericASN1Ext.attribute.6.type=
> ca.Policy.rule.GenericASN1Ext.attribute.6.value=
> ca.Policy.rule.GenericASN1Ext.attribute.7.source=
> ca.Policy.rule.GenericASN1Ext.attribute.7.type=
> ca.Policy.rule.GenericASN1Ext.attribute.7.value=
> ca.Policy.rule.GenericASN1Ext.attribute.8.source=
> ca.Policy.rule.GenericASN1Ext.attribute.8.type=
> ca.Policy.rule.GenericASN1Ext.attribute.8.value=
> ca.Policy.rule.GenericASN1Ext.attribute.9.source=
> ca.Policy.rule.GenericASN1Ext.attribute.9.type=
> ca.Policy.rule.GenericASN1Ext.attribute.9.value=
> ca.Policy.rule.GenericASN1Ext.critical=false
> ca.Policy.rule.GenericASN1Ext.enable=false
> ca.Policy.rule.GenericASN1Ext.implName=GenericASN1Ext
> ca.Policy.rule.GenericASN1Ext.name=
> ca.Policy.rule.GenericASN1Ext.oid=
> ca.Policy.rule.GenericASN1Ext.pattern=
> ca.Policy.rule.GenericASN1Ext.predicate=
> ca.Policy.rule.IssuerRule.enable=false
> ca.Policy.rule.IssuerRule.implName=IssuerConstraints
> ca.Policy.rule.IssuerRule.issuerDN=
> ca.Policy.rule.IssuerRule.predicate=HTTP_PARAMS.certType==client AND certauthEnroll==on
> ca.Policy.rule.KeyAlgRule.algorithms=RSA,DSA
> ca.Policy.rule.KeyAlgRule.enable=true
> ca.Policy.rule.KeyAlgRule.implName=KeyAlgorithmConstraints
> ca.Policy.rule.KeyAlgRule.predicate=
> ca.Policy.rule.NSCCommentExt.commentFile=
> ca.Policy.rule.NSCCommentExt.enable=false
> ca.Policy.rule.NSCCommentExt.implName=NSCCommentExt
> ca.Policy.rule.NSCCommentExt.inputType=Text
> ca.Policy.rule.NSCCommentExt.predicate=
> ca.Policy.rule.NSCertTypeExt.enable=true
> ca.Policy.rule.NSCertTypeExt.implName=NSCertTypeExt
> ca.Policy.rule.NSCertTypeExt.predicate=HTTP_PARAMS.certType!=CEP-Request
> ca.Policy.rule.NameConstraintsExt.critical=true
> ca.Policy.rule.NameConstraintsExt.enable=false
> ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.base.generalNameChoice=
> ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.base.generalNameValue=
> ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.max=-1
> ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.min=0
> ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.base.generalNameChoice=
> ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.base.generalNameValue=
> ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.max=-1
> ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.min=0
> ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.base.generalNameChoice=
> ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.base.generalNameValue=
> ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.max=-1
> ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.min=0
> ca.Policy.rule.NameConstraintsExt.implName=NameConstraintsExt
> ca.Policy.rule.NameConstraintsExt.numExcludedSubtrees=3
> ca.Policy.rule.NameConstraintsExt.numPermittedSubtrees=3
> ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.base.generalNameChoice=
> ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.base.generalNameValue=
> ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.max=-1
> ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.min=0
> ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.base.generalNameChoice=
> ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.base.generalNameValue=
> ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.max=-1
> ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.min=0
> ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.base.generalNameChoice=
> ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.base.generalNameValue=
> ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.max=-1
> ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.min=0
> ca.Policy.rule.NameConstraintsExt.predicate=HTTP_PARAMS.certType == ca
> ca.Policy.rule.OCSPNoCheckExt.critical=false
> ca.Policy.rule.OCSPNoCheckExt.enable=true
> ca.Policy.rule.OCSPNoCheckExt.implName=OCSPNoCheckExt
> ca.Policy.rule.OCSPNoCheckExt.predicate=HTTP_PARAMS.certType==ocspResponder
> ca.Policy.rule.OCSPSigningExt.critical=false
> ca.Policy.rule.OCSPSigningExt.enable=true
> ca.Policy.rule.OCSPSigningExt.id0=1.3.6.1.5.5.7.3.9
> ca.Policy.rule.OCSPSigningExt.implName=ExtendedKeyUsageExt
> ca.Policy.rule.OCSPSigningExt.predicate=HTTP_PARAMS.certType==ocspResponder
> ca.Policy.rule.ObjSignCertKeyUsageExt.crlSign=false
> ca.Policy.rule.ObjSignCertKeyUsageExt.dataEncipherment=false
> ca.Policy.rule.ObjSignCertKeyUsageExt.decipherOnly=false
> ca.Policy.rule.ObjSignCertKeyUsageExt.digitalSignature=true
> ca.Policy.rule.ObjSignCertKeyUsageExt.enable=true
> ca.Policy.rule.ObjSignCertKeyUsageExt.encipherOnly=false
> ca.Policy.rule.ObjSignCertKeyUsageExt.implName=KeyUsageExt
> ca.Policy.rule.ObjSignCertKeyUsageExt.keyAgreement=false
> ca.Policy.rule.ObjSignCertKeyUsageExt.keyCertsign=true
> ca.Policy.rule.ObjSignCertKeyUsageExt.keyEncipherment=false
> ca.Policy.rule.ObjSignCertKeyUsageExt.nonRepudiation=false
> ca.Policy.rule.ObjSignCertKeyUsageExt.predicate=HTTP_PARAMS.certType==objSignClient
> ca.Policy.rule.PolicyConstraintsExt.critical=false
> ca.Policy.rule.PolicyConstraintsExt.enable=false
> ca.Policy.rule.PolicyConstraintsExt.implName=PolicyConstraintsExt
> ca.Policy.rule.PolicyConstraintsExt.inhibitPolicyMapping=0
> ca.Policy.rule.PolicyConstraintsExt.predicate=HTTP_PARAMS.certType==ca
> ca.Policy.rule.PolicyConstraintsExt.reqExplicitPolicy=0
> ca.Policy.rule.PolicyMappingsExt.critical=false
> ca.Policy.rule.PolicyMappingsExt.enable=false
> ca.Policy.rule.PolicyMappingsExt.implName=PolicyMappingsExt
> ca.Policy.rule.PolicyMappingsExt.numPolicyMappings=1
> ca.Policy.rule.PolicyMappingsExt.policyMap0.issuerDomainPolicy=
> ca.Policy.rule.PolicyMappingsExt.policyMap0.subjectDomainPolicy=
> ca.Policy.rule.PolicyMappingsExt.predicate=HTTP_PARAMS.certType==ca
> ca.Policy.rule.RMCertKeyUsageExt.crlSign=false
> ca.Policy.rule.RMCertKeyUsageExt.dataEncipherment=false
> ca.Policy.rule.RMCertKeyUsageExt.decipherOnly=false
> ca.Policy.rule.RMCertKeyUsageExt.digitalSignature=true
> ca.Policy.rule.RMCertKeyUsageExt.enable=true
> ca.Policy.rule.RMCertKeyUsageExt.encipherOnly=false
> ca.Policy.rule.RMCertKeyUsageExt.implName=KeyUsageExt
> ca.Policy.rule.RMCertKeyUsageExt.keyAgreement=false
> ca.Policy.rule.RMCertKeyUsageExt.keyCertsign=false
> ca.Policy.rule.RMCertKeyUsageExt.keyEncipherment=false
> ca.Policy.rule.RMCertKeyUsageExt.nonRepudiation=true
> ca.Policy.rule.RMCertKeyUsageExt.predicate=HTTP_PARAMS.certType==ra
> ca.Policy.rule.RSAKeyRule.enable=false
> ca.Policy.rule.RSAKeyRule.exponents=3,7,17,65537
> ca.Policy.rule.RSAKeyRule.implName=RSAKeyConstraints
> ca.Policy.rule.RSAKeyRule.maxSize=2048
> ca.Policy.rule.RSAKeyRule.minSize=512
> ca.Policy.rule.RSAKeyRule.predicate=
> ca.Policy.rule.RenewalConstraintsRule.enable=true
> ca.Policy.rule.RenewalConstraintsRule.implName=RenewalConstraints
> ca.Policy.rule.RenewalConstraintsRule.predicate=
> ca.Policy.rule.RevocationConstraintsRule.enable=true
> ca.Policy.rule.RevocationConstraintsRule.implName=RevocationConstraints
> ca.Policy.rule.RevocationConstraintsRule.predicate=
> ca.Policy.rule.ServerCertKeyUsageExt.crlSign=false
> ca.Policy.rule.ServerCertKeyUsageExt.dataEncipherment=true
> ca.Policy.rule.ServerCertKeyUsageExt.decipherOnly=false
> ca.Policy.rule.ServerCertKeyUsageExt.digitalSignature=true
> ca.Policy.rule.ServerCertKeyUsageExt.enable=true
> ca.Policy.rule.ServerCertKeyUsageExt.encipherOnly=false
> ca.Policy.rule.ServerCertKeyUsageExt.implName=KeyUsageExt
> ca.Policy.rule.ServerCertKeyUsageExt.keyAgreement=false
> ca.Policy.rule.ServerCertKeyUsageExt.keyCertsign=false
> ca.Policy.rule.ServerCertKeyUsageExt.keyEncipherment=true
> ca.Policy.rule.ServerCertKeyUsageExt.nonRepudiation=true
> ca.Policy.rule.ServerCertKeyUsageExt.predicate=HTTP_PARAMS.certType==server
> ca.Policy.rule.SigningAlgRule.algorithms=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
> ca.Policy.rule.SigningAlgRule.enable=true
> ca.Policy.rule.SigningAlgRule.implName=SigningAlgorithmConstraints
> ca.Policy.rule.SigningAlgRule.predicate=
> ca.Policy.rule.SubCANameConstraints.enable=true
> ca.Policy.rule.SubCANameConstraints.implName=SubCANameConstraints
> ca.Policy.rule.SubCANameConstraints.predicate=HTTP_PARAMS.certType == ca
> ca.Policy.rule.SubjectAltNameExt.enable=true
> ca.Policy.rule.SubjectAltNameExt.generalName0.generalNameChoice=rfc822Name
> ca.Policy.rule.SubjectAltNameExt.generalName0.requestAttr=AUTH_TOKEN.mail
> ca.Policy.rule.SubjectAltNameExt.generalName1.generalNameChoice=rfc822Name
> ca.Policy.rule.SubjectAltNameExt.generalName1.requestAttr=AUTH_TOKEN.mailalternateaddress
> ca.Policy.rule.SubjectAltNameExt.generalName2.generalNameChoice=rfc822Name
> ca.Policy.rule.SubjectAltNameExt.generalName2.requestAttr=HTTP_PARAMS.csrRequestorEmail
> ca.Policy.rule.SubjectAltNameExt.implName=SubjectAltNameExt
> ca.Policy.rule.SubjectAltNameExt.numGeneralNames=3
> ca.Policy.rule.SubjectAltNameExt.predicate=HTTP_PARAMS.certType!=CEP-Request
> ca.Policy.rule.SubjectKeyIdentifierExt.enable=true
> ca.Policy.rule.SubjectKeyIdentifierExt.implName=SubjectKeyIdentifierExt
> ca.Policy.rule.SubjectKeyIdentifierExt.predicate=HTTP_PARAMS.certType==ca
> ca.Policy.rule.UniqueSubjectNameConstraints.enable=false
> ca.Policy.rule.UniqueSubjectNameConstraints.implName=UniqueSubjectNameConstraints
> ca.Policy.rule.UniqueSubjectNameConstraints.predicate=
> ca.audit_signing.cert=[base64 certificate elided]
> ca.audit_signing.certreq=[base64 certificate request elided]
> ca.audit_signing.nickname=auditSigningCert cert-pki-ca
> ca.audit_signing.tokenname=Internal Key Storage Token
> ca.cert.audit_signing.certusage=ObjectSigner
> ca.cert.audit_signing.nickname=auditSigningCert cert-pki-ca
> ca.cert.list=signing,ocsp_signing,sslserver,subsystem,audit_signing
> ca.cert.ocsp_signing.certusage=StatusResponder
> ca.cert.ocsp_signing.nickname=ocspSigningCert cert-pki-ca
> ca.cert.signing.certusage=SSLCA
> ca.cert.signing.nickname=caSigningCert cert-pki-ca
> ca.cert.sslserver.certusage=SSLServer
> ca.cert.sslserver.nickname=Server-Cert cert-pki-ca
> ca.cert.subsystem.certusage=SSLClient
> ca.cert.subsystem.nickname=subsystemCert cert-pki-ca
> ca.certdbInc=20
> ca.crl.MasterCRL.allowExtensions=true
> ca.crl.MasterCRL.alwaysUpdate=false
> ca.crl.MasterCRL.autoUpdateInterval=240
> ca.crl.MasterCRL.caCertsOnly=false
> ca.crl.MasterCRL.cacheUpdateInterval=15
> ca.crl.MasterCRL.class=com.netscape.ca.CRLIssuingPoint
> ca.crl.MasterCRL.dailyUpdates=1:00
> ca.crl.MasterCRL.description=CA's complete Certificate Revocation List
> ca.crl.MasterCRL.enable=true
> ca.crl.MasterCRL.enableCRLCache=false
> ca.crl.MasterCRL.enableCRLUpdates=false
> ca.crl.MasterCRL.enableCacheRecovery=true
> ca.crl.MasterCRL.enableCacheTesting=false
> ca.crl.MasterCRL.enableDailyUpdates=true
> ca.crl.MasterCRL.enableUpdateInterval=true
> ca.crl.MasterCRL.extendedNextUpdate=true
> ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessLocation0=
> ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessLocationType0=URI
> ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessMethod0=caIssuers
> ca.crl.MasterCRL.extension.AuthorityInformationAccess.class=com.netscape.cms.crl.CMSAuthInfoAccessExtension
> ca.crl.MasterCRL.extension.AuthorityInformationAccess.critical=false
> ca.crl.MasterCRL.extension.AuthorityInformationAccess.enable=false
> ca.crl.MasterCRL.extension.AuthorityInformationAccess.numberOfAccessDescriptions=1
> ca.crl.MasterCRL.extension.AuthorityInformationAccess.type=CRLExtension
> ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.class=com.netscape.cms.crl.CMSAuthorityKeyIdentifierExtension
> ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.critical=false
> ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.enable=false
> ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.type=CRLExtension
> ca.crl.MasterCRL.extension.CRLNumber.class=com.netscape.cms.crl.CMSCRLNumberExtension
> ca.crl.MasterCRL.extension.CRLNumber.critical=false
> ca.crl.MasterCRL.extension.CRLNumber.enable=true
> ca.crl.MasterCRL.extension.CRLNumber.type=CRLExtension
> ca.crl.MasterCRL.extension.CRLReason.class=com.netscape.cms.crl.CMSCRLReasonExtension
> ca.crl.MasterCRL.extension.CRLReason.critical=false
> ca.crl.MasterCRL.extension.CRLReason.enable=true
> ca.crl.MasterCRL.extension.CRLReason.type=CRLEntryExtension
> ca.crl.MasterCRL.extension.DeltaCRLIndicator.class=com.netscape.cms.crl.CMSDeltaCRLIndicatorExtension
> ca.crl.MasterCRL.extension.DeltaCRLIndicator.critical=true
> ca.crl.MasterCRL.extension.DeltaCRLIndicator.enable=false
> ca.crl.MasterCRL.extension.DeltaCRLIndicator.type=CRLExtension
> ca.crl.MasterCRL.extension.FreshestCRL.class=com.netscape.cms.crl.CMSFreshestCRLExtension
> ca.crl.MasterCRL.extension.FreshestCRL.critical=false
> ca.crl.MasterCRL.extension.FreshestCRL.enable=false
> ca.crl.MasterCRL.extension.FreshestCRL.numPoints=0
> ca.crl.MasterCRL.extension.FreshestCRL.pointName0=
> ca.crl.MasterCRL.extension.FreshestCRL.pointType0=
> ca.crl.MasterCRL.extension.FreshestCRL.type=CRLExtension
> ca.crl.MasterCRL.extension.InvalidityDate.class=com.netscape.cms.crl.CMSInvalidityDateExtension
> ca.crl.MasterCRL.extension.InvalidityDate.critical=false
> ca.crl.MasterCRL.extension.InvalidityDate.enable=true
> ca.crl.MasterCRL.extension.InvalidityDate.type=CRLEntryExtension
> ca.crl.MasterCRL.extension.IssuerAlternativeName.class=com.netscape.cms.crl.CMSIssuerAlternativeNameExtension
> ca.crl.MasterCRL.extension.IssuerAlternativeName.critical=false
> ca.crl.MasterCRL.extension.IssuerAlternativeName.enable=false
> ca.crl.MasterCRL.extension.IssuerAlternativeName.name0=
> ca.crl.MasterCRL.extension.IssuerAlternativeName.nameType0=
> ca.crl.MasterCRL.extension.IssuerAlternativeName.numNames=0
> ca.crl.MasterCRL.extension.IssuerAlternativeName.type=CRLExtension
> ca.crl.MasterCRL.extension.IssuingDistributionPoint.class=com.netscape.cms.crl.CMSIssuingDistributionPointExtension
> ca.crl.MasterCRL.extension.IssuingDistributionPoint.critical=true
> ca.crl.MasterCRL.extension.IssuingDistributionPoint.enable=false
> ca.crl.MasterCRL.extension.IssuingDistributionPoint.indirectCRL=false
> ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlyContainsCACerts=false
> ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlyContainsUserCerts=false
> ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlySomeReasons=
> ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointName=
> ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointType=
> ca.crl.MasterCRL.extension.IssuingDistributionPoint.type=CRLExtension
> ca.crl.MasterCRL.includeExpiredCerts=false
> ca.crl.MasterCRL.minUpdateInterval=0
> ca.crl.MasterCRL.nextUpdateGracePeriod=0
> ca.crl.MasterCRL.publishOnStart=false
> ca.crl.MasterCRL.saveMemory=false
> ca.crl.MasterCRL.signingAlgorithm=SHA256withRSA
> ca.crl.MasterCRL.updateSchema=1
> ca.crl._000=##
> ca.crl._001=## CA CRL
> ca.crl._002=##
> ca.crl.pageSize=100
> ca.crldbInc=20
> ca.enableNonces=false
> ca.id=ca
> ca.listenToCloneModifications=false
> ca.local=true
> ca.maxNumberOfNonces=100
> ca.maxSearchReturns=1000
> ca.maxSearchReturns._000=##
> ca.maxSearchReturns._001=## limits number of search results
> ca.maxSearchReturns._002=## returned by SearchReqs and SrchCerts
> ca.maxSearchReturns._003=##
> ca.notification.certIssued.emailSubject=Your Certificate Request
> ca.notification.certIssued.emailTemplate=/var/lib/pki/pki-tomcat/ca/emails/certIssued_CA.html
> ca.notification.certIssued.enabled=false
> ca.notification.certIssued.senderEmail=
> ca.notification.certRevoked.emailSubject=Your Certificate Revoked
> ca.notification.certRevoked.emailTemplate=/var/lib/pki/pki-tomcat/ca/emails/certRevoked_CA.html
> ca.notification.certRevoked.enabled=false
> ca.notification.certRevoked.senderEmail=
> ca.notification.requestInQ.emailSubject=Certificate Request in Queue
> ca.notification.requestInQ.emailTemplate=/var/lib/pki/pki-tomcat/ca/emails/reqInQueue_CA.html
> ca.notification.requestInQ.enabled=false
> ca.notification.requestInQ.recipientEmail=
> ca.notification.requestInQ.senderEmail=
> ca.ocsp=true
> ca.ocspUseCache=false
> ca.ocsp_signing.cacertnickname=ocspSigningCert cert-pki-ca
> ca.ocsp_signing.cert=MIIDgzCCAmugAwIBAgIBAjANBgkqhkiG9w0BAQsFADA8MRowGAYDVQQKDBFMSU5VWC5JTkZSQS5MT0NBTDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE1MDQxNDExNTM1M1oXDTE3MDQwMzExNTM1M1owNTEaMBgGA1UECgwRTElOVVguSU5GUkEuTE9DQUwxFzAVBgNVBAMMDk9DU1AgU3Vic3lzdGVtMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAze0A7XlQRdDVRIfbxoZWNji0OV7nYi8pw+Lm7cvBED2DLINmOTlNhcItXTJrek6GVQiJGdISU/467oLYkewIWOTnQxeEhI+xkU8Eh2QmJGxpMK3LH3ULsD13CP7r6KpnrenSiwJ9QjrYLgTUSits0swZT+1V6Qoty05uyVLMFPNh5nMjhMI2h9bJbYBnzGmWVZldgNfr5WfWnaMFf6g8+pHeSeozCJiYBtw7jpXBysJi4rbMMB4UtyglreXBEqBdEiio2nJ+1KmyImYGeyJjjgCozNuo7ykLJB3t6EqEroIy+l43DMmE4cxrre85hikgCNO9rWw91cu1XkC4ZF0hlwIDAQABo4GWMIGTMB8GA1UdIwQYMBaAFGXscpkFwpX1Bvje4SLTAAaFEi2LMA4GA1UdDwEB/wQEAwIBxjBLBggrBgEFBQcBAQQ/MD0wOwYIKwYBBQUHMAGGL2h0dHA6Ly9wdmxpcGExMDAxYy5saW51eC5pbmZyYS5sb2NhbDo4MC9jYS9vY3NwMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUAA4IBAQCTjcq7iSI8r3NZqhK/f+SRBh6t4RjHwXv0QHPQIpQcpQMu6VCsiaKIQ9t2h4s6o5rDQqg0KYpla7ie+4L+UuwSo7EYMhjD+afPIfLiUp67K41g5tQ3Wl3+ZBVp/w9732/oZDrmIS1/3zKdQ9JaQYB9Lth2A/qt9/CyYwG7bXV6PDf7ch/YqNtN/Dc2asjzmx9E5CTl82kMVX9Lij2XSN9Mzu8qFvse79SPvFIr8iAM34N1PF6wJSl8vWWYubQMm+j1mDlC9kS0r/JTmrHbTQXeKe/VIWhbnJe585szTqcCvtA0izFzHLt+RG7i6DVSdDwymeTRZERV3kyrmcPdU8sc
> ca.ocsp_signing.certnickname=ocspSigningCert cert-pki-ca
> ca.ocsp_signing.certreq=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
> ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
> ca.ocsp_signing.newNickname=ocspSigningCert cert-pki-ca
> ca.ocsp_signing.nickname=ocspSigningCert cert-pki-ca
> ca.ocsp_signing.tokenname=Internal Key Storage Token
> ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC
> ca.publish.createOwnDNEntry=false
> ca.publish.enable=true
> ca.publish.ldappublish.enable=false
> ca.publish.mapper.impl.LdapCaSimpleMap.class=com.netscape.cms.publish.mappers.LdapCaSimpleMap
> ca.publish.mapper.impl.LdapDNCompsMap.class=com.netscape.cms.publish.mappers.LdapCertCompsMap
> ca.publish.mapper.impl.LdapDNExactMap.class=com.netscape.cms.publish.mappers.LdapCertExactMap
> ca.publish.mapper.impl.LdapEnhancedMap.class=com.netscape.cms.publish.mappers.LdapEnhancedMap
> ca.publish.mapper.impl.LdapSimpleMap.class=com.netscape.cms.publish.mappers.LdapSimpleMap
> ca.publish.mapper.impl.LdapSubjAttrMap.class=com.netscape.cms.publish.mappers.LdapCertSubjMap
> ca.publish.mapper.impl.NoMap.class=com.netscape.cms.publish.mappers.NoMap
> ca.publish.mapper.instance.LdapCaCertMap.createCAEntry=true
> ca.publish.mapper.instance.LdapCaCertMap.dnPattern=UID=$subj.cn,OU=people,O=$subj.o
> ca.publish.mapper.instance.LdapCaCertMap.pluginName=LdapCaSimpleMap
> ca.publish.mapper.instance.LdapCrlMap.createCAEntry=true
> ca.publish.mapper.instance.LdapCrlMap.dnPattern=UID=$subj.cn,OU=people,O=$subj.o
> ca.publish.mapper.instance.LdapCrlMap.pluginName=LdapCaSimpleMap
> ca.publish.mapper.instance.LdapUserCertMap.dnPattern=UID=$subj.UID,OU=people,O=$subj.o
> ca.publish.mapper.instance.LdapUserCertMap.pluginName=LdapSimpleMap
> ca.publish.mapper.instance.NoMap.pluginName=NoMap
> ca.publish.publisher.impl.FileBasedPublisher.class=com.netscape.cms.publish.publishers.FileBasedPublisher
> ca.publish.publisher.impl.LdapCaCertPublisher.class=com.netscape.cms.publish.publishers.LdapCaCertPublisher
> ca.publish.publisher.impl.LdapCertificatePairPublisher.class=com.netscape.cms.publish.publishers.LdapCertificatePairPublisher
> ca.publish.publisher.impl.LdapCrlPublisher.class=com.netscape.cms.publish.publishers.LdapCrlPublisher
> ca.publish.publisher.impl.LdapDeltaCrlPublisher.class=com.netscape.cms.publish.publishers.LdapCrlPublisher
> ca.publish.publisher.impl.LdapUserCertPublisher.class=com.netscape.cms.publish.publishers.LdapUserCertPublisher
> ca.publish.publisher.impl.OCSPPublisher.class=com.netscape.cms.publish.publishers.OCSPPublisher
> ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.b64=false
> ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.der=true
> ca.publish.publisher.instance.FileBaseCRLPublisher.crlLinkExt=bin
> ca.publish.publisher.instance.FileBaseCRLPublisher.directory=/var/lib/ipa/pki-ca/publish
> ca.publish.publisher.instance.FileBaseCRLPublisher.latestCrlLink=true
> ca.publish.publisher.instance.FileBaseCRLPublisher.pluginName=FileBasedPublisher
> ca.publish.publisher.instance.FileBaseCRLPublisher.timeStamp=LocalTime
> ca.publish.publisher.instance.FileBaseCRLPublisher.zipCRLs=false
> ca.publish.publisher.instance.FileBaseCRLPublisher.zipLevel=9
> ca.publish.publisher.instance.LdapCaCertPublisher.caCertAttr=caCertificate;binary
> ca.publish.publisher.instance.LdapCaCertPublisher.caObjectClass=pkiCA
> ca.publish.publisher.instance.LdapCaCertPublisher.pluginName=LdapCaCertPublisher
> ca.publish.publisher.instance.LdapCrlPublisher.crlAttr=certificateRevocationList;binary
> ca.publish.publisher.instance.LdapCrlPublisher.crlObjectClass=pkiCA
> ca.publish.publisher.instance.LdapCrlPublisher.pluginName=LdapCrlPublisher
> ca.publish.publisher.instance.LdapCrossCertPairPublisher.caObjectClass=pkiCA
> ca.publish.publisher.instance.LdapCrossCertPairPublisher.crossCertPairAttr=crossCertificatePair;binary
> ca.publish.publisher.instance.LdapCrossCertPairPublisher.pluginName=LdapCertificatePairPublisher
> ca.publish.publisher.instance.LdapDeltaCrlPublisher.crlAttr=deltaRevocationList;binary
> ca.publish.publisher.instance.LdapDeltaCrlPublisher.crlObjectClass=pkiCA,deltaCRL
> ca.publish.publisher.instance.LdapDeltaCrlPublisher.pluginName=LdapDeltaCrlPublisher
> ca.publish.publisher.instance.LdapUserCertPublisher.certAttr=userCertificate;binary
> ca.publish.publisher.instance.LdapUserCertPublisher.pluginName=LdapUserCertPublisher
> ca.publish.queue.enable=true
> ca.publish.queue.maxNumberOfThreads=3
> ca.publish.queue.pageSize=40
> ca.publish.queue.priorityLevel=0
> ca.publish.queue.saveStatus=200
> ca.publish.rule.impl.Rule.class=com.netscape.cmscore.ldap.LdapRule
> ca.publish.rule.instance.FileCrlRule.enable=true
> ca.publish.rule.instance.FileCrlRule.mapper=NoMap
> ca.publish.rule.instance.FileCrlRule.pluginName=Rule
> ca.publish.rule.instance.FileCrlRule.predicate=
> ca.publish.rule.instance.FileCrlRule.publisher=FileBaseCRLPublisher
> ca.publish.rule.instance.FileCrlRule.type=crl
> ca.publish.rule.instance.LdapCaCertRule.enable=false
> ca.publish.rule.instance.LdapCaCertRule.mapper=LdapCaCertMap
> ca.publish.rule.instance.LdapCaCertRule.pluginName=Rule
> ca.publish.rule.instance.LdapCaCertRule.predicate=
> ca.publish.rule.instance.LdapCaCertRule.publisher=LdapCaCertPublisher
> ca.publish.rule.instance.LdapCaCertRule.type=cacert
> ca.publish.rule.instance.LdapCrlRule.enable=false
> ca.publish.rule.instance.LdapCrlRule.mapper=LdapCrlMap
> ca.publish.rule.instance.LdapCrlRule.pluginName=Rule
> ca.publish.rule.instance.LdapCrlRule.predicate=
> ca.publish.rule.instance.LdapCrlRule.publisher=LdapCrlPublisher
> ca.publish.rule.instance.LdapCrlRule.type=crl
> ca.publish.rule.instance.LdapUserCertRule.enable=false
> ca.publish.rule.instance.LdapUserCertRule.mapper=LdapUserCertMap
> ca.publish.rule.instance.LdapUserCertRule.pluginName=Rule
> ca.publish.rule.instance.LdapUserCertRule.predicate=
> ca.publish.rule.instance.LdapUserCertRule.publisher=LdapUserCertPublisher
> ca.publish.rule.instance.LdapUserCertRule.type=certs
> ca.publish.rule.instance.LdapXCertRule.enable=false
> ca.publish.rule.instance.LdapXCertRule.mapper=LdapCaCertMap
> ca.publish.rule.instance.LdapXCertRule.pluginName=Rule
> ca.publish.rule.instance.LdapXCertRule.predicate=
> ca.publish.rule.instance.LdapXCertRule.publisher=LdapCrossCertPairPublisher
> ca.publish.rule.instance.LdapXCertRule.type=xcert
> ca.reqdbInc=20
> ca.scep._000=##
> ca.scep._001=## Enable the following parameters to enable SCEP requests
> ca.scep._002=## to be signed by a separate key pair:
> ca.scep._003=##
> ca.scep._004=##     ca.scep.nickname=
> ca.scep._005=##     ca.scep.tokenname=
> ca.scep._006=##
> ca.scep.allowedEncryptionAlgorithms=DES3
> ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
> ca.scep.enable=false
> ca.scep.encryptionAlgorithm=DES3
> ca.scep.hashAlgorithm=SHA1
> ca.scep.nonceSizeLimit=16
> ca.signing.cacertnickname=caSigningCert cert-pki-ca
> ca.signing.cert=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
> ca.signing.certnickname=caSigningCert cert-pki-ca
> ca.signing.certreq=MIICszCCAZsCAQAwPDEaMBgGA1UECgwRTElOVVguSU5GUkEuTE9DQUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL+VeKVdtRqM1Nodjp7hrrLsoT1jSqEo1FEe7FrLXBv/nrnMXJwUR9SbivhIrQFHf11MD2hHzFVzKq4rtoslT5sb8IojAmdxscx2WeHANEl6ydWKyCsWsv6/1n1/YEZBrKXpMfZFkrp286vTk0y2L4SScebtRc8zfpHBS2rA/gHxuOuGtyRLRNxJSGwdicdDgBPJSkJuXpZGrIaNLOcjL22Q7wb/a8HcuV9DxxfEDGbkNUPLx/dTkRBmf5pZnAyu7MYMJ9QZaCvxGLk6HEP++PBiBMxMcFgULrS0UrS7OXvHXtwnA8LPnlwZqa/i54MVfpQ5KIzCoFGDA9YiSwsNBYcCAwEAAaAyMDAGCSqGSIb3DQEJDjEjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYwDQYJKoZIhvcNAQELBQADggEBAD0p97jh3nGT+fYWcUAOA547WJDm+cP5dvCCAUCm8L0/5T/9lu0bxmdbCR0P+pAgMkCQgOkV9wcEXuHmlxp7bFe8C+codYgVBGXFiHGelPsmPYjRpR1tFTpbd7SXkc1C3W2v6ND9+bE104H0C6Bqb9eK+HqyaPw1mplPL2zRSPYK8bq+6fpxWhQ4nTgrS5PZXvWzcd6NlTE90XaUd1E6EyjGlQhxjDkmAP5qbDWyA8lzWl2lFm2bWwO5pD/BRLJXd99ghRc7hyVrCiral800+KR5GE8hDBxoHUT7Qlr8jSRLm90teFd6sSJURI9dd+MG/Cn63iDoAMCcKGRVYwqBs7o=
> ca.signing.defaultSigningAlgorithm=SHA256withRSA
> ca.signing.newNickname=caSigningCert cert-pki-ca
> ca.signing.nickname=caSigningCert cert-pki-ca
> ca.signing.tokenname=Internal Key Storage Token
> ca.sslserver.cert=MIIDqTCCApGgAwIBAgIED/8ACDANBgkqhkiG9w0BAQsFADA8MRowGAYDVQQKDBFMSU5VWC5JTkZSQS5MT0NBTDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE1MDgxMjA4MjA1MVoXDTE3MDgwMTA4MjA1MVowRDEaMBgGA1UECgwRTElOVVguSU5GUkEuTE9DQUwxJjAkBgNVBAMMHXB2bGlwYTEwMDFjLmxpbnV4LmluZnJhLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA43686s6CsHibKz+JKpQFkLkgisSNTaFqEUE1t7+0mmCP9BPLAmeA74Hv1xXYXsjaSrZUypRQReYLgOnwkSD0zU0uBxMjlQCcvJcHe6XFyBo0UH3fA+K9aFmnpM2CDL2HTsaN7hhWKxQlwz85iLUXM1/kDR6+FNUTfXEJLtodko6BjuJdv/zKaNZOhdXgA1PjApDgMhiIdT/dqOL7tc5pxP2w411qFjGoIzmo4GHQnKNh6k3jkZgVXmpE0tPO3hqNGrn5rZglQNUB89Kargt8uiI9oRQPAGgq/sz+jh3AHJZiEt7vSOc53hG8sBOfT/jvaHjqL2FEDwvZ+a6ZOcYdxQIDAQABo4GqMIGnMB8GA1UdIwQYMBaAFGXscpkFwpX1Bvje4SLTAAaFEi2LMEsGCCsGAQUFBwEBBD8wPTA7BggrBgEFBQcwAYYvaHR0cDovL3B2bGlwYTEwMDFhLmxpbnV4LmluZnJhLmxvY2FsOjgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMCcGA1UdJQQgMB4GCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwQwDQYJKoZIhvcNAQELBQADggEBACm5WGj8sfjeD3UUD9nor+vuItcOF9HLevfV/68ryD0auMBfc8/+V4X0y5PPsiYW6vxE4bA35C1gTrh1eJg9QwpRuLqgVrOoTjJych+5gLS/wYFmTElmjLW3c3VpyB+UJC6Qh7SfFFz6q7felhqhX7OpJIsBycZAYjJ2D0cFzCm0JE0wFSXwKHeHSdij2aMbMCUrlP5tP1Chh18RMCXUPLaouj/8csyTeqZtI3IfCxOACG9yx3R8iLDC4APG64PiDuP8Jo6juh494xKwqIhZQwRhxI05C84cHkfDVB0InvYHkzrhmOpJz1KtJGbPPpTRD961ZOXGqGy06Pusmx+WWyg=
> ca.sslserver.certreq=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
> ca.sslserver.nickname=Server-Cert cert-pki-ca
> ca.sslserver.tokenname=Internal Key Storage Token
> ca.subsystem.cert=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
> ca.subsystem.certreq=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
> ca.subsystem.nickname=subsystemCert cert-pki-ca
> ca.subsystem.tokenname=Internal Key Storage Token
> ca.transitMaxRecords=1000000
> ca.transitRecordPageSize=200
> cloning.audit_signing.dn=cn=CA Audit,O=LINUX.INFRA.LOCAL
> cloning.audit_signing.keyalgorithm=SHA256withRSA
> cloning.audit_signing.keytype=rsa
> cloning.audit_signing.nickname=auditSigningCert cert-pki-ca
> cloning.audit_signing.privkey.id=7eb573e78696f55ee7238dfcaf4f61075ce62a95
> cloning.audit_signing.pubkey.encoded=
> cloning.audit_signing.pubkey.exponent=10001
> cloning.audit_signing.pubkey.modulus=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
> cloning.list=signing,ocsp_signing,sslserver,subsystem,audit_signing
> cloning.module.token=Internal Key Storage Token
> cloning.ocsp_signing.dn=cn=OCSP Subsystem,O=LINUX.INFRA.LOCAL
> cloning.ocsp_signing.keyalgorithm=SHA256withRSA
> cloning.ocsp_signing.keytype=rsa
> cloning.ocsp_signing.nickname=ocspSigningCert cert-pki-ca
> cloning.ocsp_signing.privkey.id=-18f290f3a3da4d8310f60b063df7732722a55d00
> cloning.ocsp_signing.pubkey.encoded=
> cloning.ocsp_signing.pubkey.exponent=10001
> cloning.ocsp_signing.pubkey.modulus=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
> cloning.signing.dn=cn=Certificate Authority,O=LINUX.INFRA.LOCAL
> cloning.signing.keyalgorithm=SHA256withRSA
> cloning.signing.keytype=rsa
> cloning.signing.nickname=caSigningCert cert-pki-ca
> cloning.signing.privkey.id=76205073d25285bf3c60068f0ad56cb8fae5343a
> cloning.signing.pubkey.encoded=
> cloning.signing.pubkey.exponent=10001
> cloning.signing.pubkey.modulus=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
> cloning.subsystem.dn=cn=CA Subsystem,O=LINUX.INFRA.LOCAL
> cloning.subsystem.keyalgorithm=SHA256withRSA
> cloning.subsystem.keytype=rsa
> cloning.subsystem.nickname=subsystemCert cert-pki-ca
> cloning.subsystem.privkey.id=2abd0a72de1599cc3c68f0191ba6dabb49b1ed3
> cloning.subsystem.pubkey.encoded=
> cloning.subsystem.pubkey.exponent=10001
> cloning.subsystem.pubkey.modulus=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
> cmc.cert.confirmRequired=false
> cmc.lraPopWitness.verify.allow=true
> cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
> cmc.revokeCert.verify=true
> cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
> cms.password.ignore.publishing.failure=true
> cms.passwordlist=internaldb,replicationdb
> cms.product.version=10.2.5
> cms.version=10.1
> cmsgateway._000=##
> cmsgateway._001=## In the event that all Admin Certificates have been lost
> cmsgateway._002=## for a given instance, perform the following steps to
> cmsgateway._003=## re-enroll for a new Admin Certificate:
> cmsgateway._004=##
> cmsgateway._005=##   (1) Become 'root'
> cmsgateway._006=##   (2) Type:  'service pki-tomcat stop'
> cmsgateway._007=##   (3) Edit '/etc/pki/pki-tomcat/ca/CS.cfg'
> cmsgateway._008=##       and set the following name-value pairs (if necessary):
> cmsgateway._009=##
> cmsgateway._010=##           ca.Policy.enable=true
> cmsgateway._011=##           cmsgateway.enableAdminEnroll=true
> cmsgateway._012=##
> cmsgateway._013=##   (4) Type:  'service pki-tomcat start'
> cmsgateway._014=##   (5) Launch a browser and re-enroll for
> cmsgateway._015=##       a new Admin Certificate by typing:
> cmsgateway._016=##
> cmsgateway._017=##           https://pvlipa1001c.linux.infra.local:8443/ca/admin/ca/adminEnroll.html
> cmsgateway._018=##
> cmsgateway._019=##   (6) Verify that the browser contains the new
> cmsgateway._020=##       Admin Certificate by successfully navigating to:
> cmsgateway._021=##
> cmsgateway._022=##           https://pvlipa1001c.linux.infra.local:8443/ca/agent/ca/
> cmsgateway._023=##
> cmsgateway._024=##   (7) Optionally, disable the Certificate Policies Framework
> cmsgateway._025=##       by following steps (1) - (4), but ONLY resetting
> cmsgateway._026=##       'ca.Policy.enable=false', as
> cmsgateway._027=##       'cmsgateway.enableAdminEnroll=false' should have
> cmsgateway._028=##       already been reset.
> cmsgateway._029=##
> cmsgateway.enableAdminEnroll=false
> configurationRoot=/ca/conf/
> cs.state=1
> cs.state._000=##
> cs.state._001=## cs.state=0 (pre-operational)
> cs.state._002=## cs.state=1 (running)
> cs.state._003=##
> cs.type=CA
> dbs.beginReplicaNumber=1096
> dbs.beginRequestNumber=19990001
> dbs.beginSerialNumber=1fff0001
> dbs.enableRandomSerialNumbers=false
> dbs.enableSerialManagement=true
> dbs.endReplicaNumber=1099
> dbs.endRequestNumber=20000000
> dbs.endSerialNumber=20000000
> dbs.ldap=internaldb
> dbs.newSchemaEntryAdded=true
> dbs.nextBeginRequestNumber=40000001
> dbs.nextBeginSerialNumber=40000001
> dbs.nextEndRequestNumber=50000000
> dbs.nextEndSerialNumber=50000000
> dbs.randomSerialNumberCounter=-1
> dbs.replicaCloneTransferNumber=5
> dbs.replicaDN=ou=replica
> dbs.replicaIncrement=100
> dbs.replicaLowWaterMark=20
> dbs.replicaRangeDN=ou=replica, ou=ranges
> dbs.requestCloneTransferNumber=10000
> dbs.requestDN=ou=ca, ou=requests
> dbs.requestIncrement=10000000
> dbs.requestLowWaterMark=2000000
> dbs.requestRangeDN=ou=requests, ou=ranges
> dbs.serialCloneTransferNumber=10000
> dbs.serialDN=ou=certificateRepository, ou=ca
> dbs.serialIncrement=10000000
> dbs.serialLowWaterMark=2000000
> dbs.serialRangeDN=ou=certificateRepository, ou=ranges
> debug.append=true
> debug.enabled=true
> debug.filename=/var/lib/pki/pki-tomcat/logs/ca/debug
> debug.hashkeytypes=
> debug.level=0
> debug.showcaller=false
> ee.interface.uri=ca/ee/ca
> http.port=8080
> https.port=8443
> installDate=Wed Aug 12 10:19:32 2015
> instanceId=pki-tomcat
> instanceRoot=/var/lib/pki/pki-tomcat
> internaldb._000=##
> internaldb._001=## Internal Database
> internaldb._002=##
> internaldb.basedn=o=ipaca
> internaldb.database=ipaca
> internaldb.ldapauth.authtype=SslClientAuth
> internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipa-ca
> internaldb.ldapauth.bindPWPrompt=internaldb
> internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
> internaldb.ldapconn.cloneReplicationPort=389
> internaldb.ldapconn.host=pvlipa1001c.linux.infra.local
> internaldb.ldapconn.masterReplicationPort=389
> internaldb.ldapconn.port=636
> internaldb.ldapconn.replicationSecurity=TLS
> internaldb.ldapconn.secureConn=true
> internaldb.maxConns=15
> internaldb.minConns=3
> internaldb.multipleSuffix.enable=false
> internaldb.replication.consumer=cloneAgreement1-pvlipa1001c.linux.infra.local-pki-tomcat
> internaldb.replication.master=masterAgreement1-pvlipa1001c.linux.infra.local-pki-tomcat
> jobsScheduler._000=##
> jobsScheduler._001=## jobScheduler
> jobsScheduler._002=##
> jobsScheduler.enabled=false
> jobsScheduler.impl.PublishCertsJob.class=com.netscape.cms.jobs.PublishCertsJob
> jobsScheduler.impl.RenewalNotificationJob.class=com.netscape.cms.jobs.RenewalNotificationJob
> jobsScheduler.impl.RequestInQueueJob.class=com.netscape.cms.jobs.RequestInQueueJob
> jobsScheduler.impl.UnpublishExpiredJob.class=com.netscape.cms.jobs.UnpublishExpiredJob
> jobsScheduler.interval=1
> jobsScheduler.job.certRenewalNotifier.cron=0 3 * * 1-5
> jobsScheduler.job.certRenewalNotifier.emailSubject=Certificate Renewal Notification
> jobsScheduler.job.certRenewalNotifier.emailTemplate=/var/lib/pki/pki-tomcat/ca/emails/rnJob1.txt
> jobsScheduler.job.certRenewalNotifier.enabled=false
> jobsScheduler.job.certRenewalNotifier.notifyEndOffset=30
> jobsScheduler.job.certRenewalNotifier.notifyTriggerOffset=30
> jobsScheduler.job.certRenewalNotifier.pluginName=RenewalNotificationJob
> jobsScheduler.job.certRenewalNotifier.senderEmail=
> jobsScheduler.job.certRenewalNotifier.summary.emailSubject=Certificate Renewal Notification Summary
> jobsScheduler.job.certRenewalNotifier.summary.emailTemplate=/var/lib/pki/pki-tomcat/ca/emails/rnJob1Summary.txt
> jobsScheduler.job.certRenewalNotifier.summary.enabled=true
> jobsScheduler.job.certRenewalNotifier.summary.itemTemplate=/var/lib/pki/pki-tomcat/ca/emails/rnJob1Item.txt
> jobsScheduler.job.certRenewalNotifier.summary.recipientEmail=
> jobsScheduler.job.certRenewalNotifier.summary.senderEmail=
> jobsScheduler.job.publishCerts.cron=0 0 * * 2
> jobsScheduler.job.publishCerts.enabled=false
> jobsScheduler.job.publishCerts.pluginName=PublishCertsJob
> jobsScheduler.job.publishCerts.summary.emailSubject=Certs Publishing Summary
> jobsScheduler.job.publishCerts.summary.emailTemplate=/var/lib/pki/pki-tomcat/ca/emails/publishCerts.html
> jobsScheduler.job.publishCerts.summary.enabled=true
> jobsScheduler.job.publishCerts.summary.itemTemplate=/var/lib/pki/pki-tomcat/ca/emails/publishCertsItem.html
> jobsScheduler.job.publishCerts.summary.recipientEmail=
> jobsScheduler.job.publishCerts.summary.senderEmail=
> jobsScheduler.job.requestInQueueNotifier.cron=0 0 * * 0
> jobsScheduler.job.requestInQueueNotifier.enabled=false
> jobsScheduler.job.requestInQueueNotifier.pluginName=RequestInQueueJob
> jobsScheduler.job.requestInQueueNotifier.subsystemId=ca
> jobsScheduler.job.requestInQueueNotifier.summary.emailSubject=Requests in Queue Summary Report
> jobsScheduler.job.requestInQueueNotifier.summary.emailTemplate=/var/lib/pki/pki-tomcat/ca/emails/riq1Summary.html
> jobsScheduler.job.requestInQueueNotifier.summary.enabled=true
> jobsScheduler.job.requestInQueueNotifier.summary.recipientEmail=
> jobsScheduler.job.requestInQueueNotifier.summary.senderEmail=
> jobsScheduler.job.unpublishExpiredCerts.cron=0 0 * * 6
> jobsScheduler.job.unpublishExpiredCerts.enabled=false
> jobsScheduler.job.unpublishExpiredCerts.pluginName=UnpublishExpiredJob
> jobsScheduler.job.unpublishExpiredCerts.summary.emailSubject=Expired Certs Unpublished Summary
> jobsScheduler.job.unpublishExpiredCerts.summary.emailTemplate=/var/lib/pki/pki-tomcat/ca/emails/euJob1.html
> jobsScheduler.job.unpublishExpiredCerts.summary.enabled=true
> jobsScheduler.job.unpublishExpiredCerts.summary.itemTemplate=/var/lib/pki/pki-tomcat/ca/emails/euJob1Item.html
> jobsScheduler.job.unpublishExpiredCerts.summary.recipientEmail=
> jobsScheduler.job.unpublishExpiredCerts.summary.senderEmail=
> jss._000=##
> jss._001=## JSS
> jss._002=##
> jss.configDir=/var/lib/pki/pki-tomcat/alias/
> jss.enable=true
> jss.ocspcheck.enable=false
> jss.secmodName=secmod.db
> jss.ssl.cipherfortezza=true
> jss.ssl.cipherpref=
> jss.ssl.cipherversion=cipherdomestic
> jss.ssl.sslserver.ectype=ECDHE
> keys.ecc.curve.default=nistp256
> keys.ecc.curve.display.list=nistp256 (secp256r1),nistp384 (secp384r1),nistp521 (secp521r1),nistk163 (sect163k1),sect163r1,nistb163 (sect163r2),sect193r1,sect193r2,nistk233 (sect233k1),nistb233 (sect233r1),sect239k1,nistk283 (sect283k1),nistb283 (sect283r1),nistk409 (sect409k1),nistb409 (sect409r1),nistk571 (sect571k1),nistb571 (sect571r1),secp160k1,secp160r1,secp160r2,secp192k1,nistp192 (secp192r1, prime192v1),secp224k1,nistp224 (secp224r1),secp256k1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
> keys.ecc.curve.list=nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
> keys.rsa.keysize.default=2048
> log._000=##
> log._001=## Logging
> log._002=##
> log.impl.file.class=com.netscape.cms.logging.RollingLogFile
> log.instance.SignedAudit._000=##
> log.instance.SignedAudit._001=## Signed Audit Logging
> log.instance.SignedAudit._002=##
> log.instance.SignedAudit._003=##
> log.instance.SignedAudit._004=## Available Audit events:
> log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER
> log.instance.SignedAudit._006=##
> log.instance.SignedAudit.bufferSize=512
> log.instance.SignedAudit.enable=true
> log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER
> log.instance.SignedAudit.expirationTime=0
> log.instance.SignedAudit.fileName=/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit
> log.instance.SignedAudit.flushInterval=5
> log.instance.SignedAudit.level=1
> log.instance.SignedAudit.logSigning=false
> log.instance.SignedAudit.maxFileSize=2000
> log.instance.SignedAudit.pluginName=file
> log.instance.SignedAudit.rolloverInterval=2592000
> log.instance.SignedAudit.signedAudit=_002=##
> log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-pki-ca
> log.instance.SignedAudit.type=signedAudit
> log.instance.System._000=##
> log.instance.System._001=## System Logging
> log.instance.System._002=##
> log.instance.System.bufferSize=512
> log.instance.System.enable=true
> log.instance.System.expirationTime=0
> log.instance.System.fileName=/var/lib/pki/pki-tomcat/logs/ca/system
> log.instance.System.flushInterval=5
> log.instance.System.level=3
> log.instance.System.maxFileSize=2000
> log.instance.System.pluginName=file
> log.instance.System.rolloverInterval=2592000
> log.instance.System.type=system
> log.instance.Transactions._000=##
> log.instance.Transactions._001=## Transaction Logging
> log.instance.Transactions._002=##
> log.instance.Transactions.bufferSize=512
> log.instance.Transactions.enable=true
> log.instance.Transactions.expirationTime=0
> log.instance.Transactions.fileName=/var/lib/pki/pki-tomcat/logs/ca/transactions
> log.instance.Transactions.flushInterval=5
> log.instance.Transactions.level=1
> log.instance.Transactions.maxFileSize=2000
> log.instance.Transactions.pluginName=file
> log.instance.Transactions.rolloverInterval=2592000
> log.instance.Transactions.type=transaction
> logAudit.fileName=/var/lib/pki/pki-tomcat/logs/ca/access
> logError.fileName=/var/lib/pki/pki-tomcat/logs/ca/error
> machineName=pvlipa1001c.linux.infra.local
> multiroles._000=##
> multiroles._001=## multiroles
> multiroles._002=##
> multiroles.enable=true
> multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Administrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group,ClonedSubsystems
> oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension
> oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
> oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword
> oidmap.challenge_password.oid=1.2.840.113549.1.9.7
> oidmap.extended_key_usage.class=netscape.security.extensions.ExtendedKeyUsageExtension
> oidmap.extended_key_usage.oid=2.5.29.37
> oidmap.extensions_requested_pkcs9.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested
> oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14
> oidmap.extensions_requested_vsgn.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested
> oidmap.extensions_requested_vsgn.oid=2.16.840.1.113733.1.9.8
> oidmap.netscape_comment.class=netscape.security.x509.NSCCommentExtension
> oidmap.netscape_comment.oid=2.16.840.1.113730.1.13
> oidmap.ocsp_no_check.class=netscape.security.extensions.OCSPNoCheckExtension
> oidmap.ocsp_no_check.oid=1.3.6.1.5.5.7.48.1.5
> oidmap.pse.class=netscape.security.extensions.PresenceServerExtension
> oidmap.pse.oid=2.16.840.1.113730.1.18
> oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
> oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
> os.userid=nobody
> passwordClass=com.netscape.cmsutil.password.PlainPasswordFile
> passwordFile=/var/lib/pki/pki-tomcat/conf/password.conf
> pidDir=/var/run/pki/tomcat
> pkicreate.admin_secure_port=8443
> pkicreate.agent_secure_port=8443
> pkicreate.arg11.group=pkiuser
> pkicreate.ee_secure_client_auth_port=8443
> pkicreate.ee_secure_port=8443
> pkicreate.pki_instance_name=pki-tomcat
> pkicreate.pki_instance_root=/var/lib/pki
> pkicreate.secure_port=8443
> pkicreate.subsystem_type=ca
> pkicreate.systemd.servicename=pki-tomcatd at pki-tomcat.service
> pkicreate.tomcat_server_port=8005
> pkicreate.unsecure_port=8080
> pkicreate.user=pkiuser
> pkiremove.cert.subsystem.nickname=subsystemCert cert-pki-tomcat
> processor.caDoRevoke-agent.authMgr=certUserDBAuthMgr
> processor.caDoRevoke-agent.authorityId=ca
> processor.caDoRevoke-agent.authzMgr=BasicAclAuthz
> processor.caDoRevoke-agent.authzResourceName=certServer.ca.certificates
> processor.caDoRevoke-agent.getClientCert=true
> processor.caDoRevoke.authorityId=ca
> processor.caDoRevoke.authzMgr=BasicAclAuthz
> processor.caDoRevoke.authzResourceName=certServer.ee.certificates
> processor.caDoRevoke.getClientCert=false
> processor.caDoUnrevoke.authMgr=certUserDBAuthMgr
> processor.caDoUnrevoke.authorityId=ca
> processor.caDoUnrevoke.authzMgr=BasicAclAuthz
> processor.caDoUnrevoke.authzResourceName=certServer.ca.certificate
> processor.caDoUnrevoke.getClientCert=true
> processor.caProfileProcess.authMgr=certUserDBAuthMgr
> processor.caProfileProcess.authorityId=ca
> processor.caProfileProcess.authzMgr=BasicAclAuthz
> processor.caProfileProcess.authzResourceName=certServer.ca.request.profile
> processor.caProfileProcess.getClientCert=true
> processor.caProfileSubmit.authorityId=ca
> processor.caProfileSubmit.authzMgr=BasicAclAuthz
> processor.caProfileSubmit.authzResourceName=certServer.ee.profile
> processor.caProfileSubmit.getClientCert=false
> profile.AdminCert.class_id=caEnrollImpl
> profile.AdminCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/AdminCert.cfg
> profile.DomainController.class_id=caEnrollImpl
> profile.DomainController.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/DomainController.cfg
> profile.KPNWebhostingAEM.class_id=caEnrollImpl
> profile.KPNWebhostingAEM.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/KPNWebhostingAEM.cfg
> profile.KPNWebhostingServiceCertAEM.class_id=caEnrollImpl
> profile.KPNWebhostingServiceCertAEM.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/KPNWebhostingServiceCertAEM.cfg
> profile.caAdminCert.class_id=caEnrollImpl
> profile.caAdminCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caAdminCert.cfg
> profile.caAgentFileSigning.class_id=caEnrollImpl
> profile.caAgentFileSigning.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caAgentFileSigning.cfg
> profile.caAgentServerCert.class_id=caEnrollImpl
> profile.caAgentServerCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caAgentServerCert.cfg
> profile.caCACert.class_id=caEnrollImpl
> profile.caCACert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caCACert.cfg
> profile.caCMCUserCert.class_id=caEnrollImpl
> profile.caCMCUserCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caCMCUserCert.cfg
> profile.caCrossSignedCACert.class_id=caEnrollImpl
> profile.caCrossSignedCACert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caCrossSignedCACert.cfg
> profile.caDirPinUserCert.class_id=caEnrollImpl
> profile.caDirPinUserCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caDirPinUserCert.cfg
> profile.caDirUserCert.class_id=caEnrollImpl
> profile.caDirUserCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caDirUserCert.cfg
> profile.caDirUserRenewal.class_id=caEnrollImpl
> profile.caDirUserRenewal.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caDirUserRenewal.cfg
> profile.caDualCert.class_id=caEnrollImpl
> profile.caDualCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caDualCert.cfg
> profile.caDualRAuserCert.class_id=caEnrollImpl
> profile.caDualRAuserCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caDualRAuserCert.cfg
> profile.caECDirUserCert.class_id=caEnrollImpl
> profile.caECDirUserCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caECDirUserCert.cfg
> profile.caECDualCert.class_id=caEnrollImpl
> profile.caECDualCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caECDualCert.cfg
> profile.caECUserCert.class_id=caEnrollImpl
> profile.caECUserCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caECUserCert.cfg
> profile.caEncECUserCert.class_id=caEnrollImpl
> profile.caEncECUserCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caEncECUserCert.cfg
> profile.caEncUserCert.class_id=caEnrollImpl
> profile.caEncUserCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caEncUserCert.cfg
> profile.caFullCMCUserCert.class_id=caEnrollImpl
> profile.caFullCMCUserCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caFullCMCUserCert.cfg
> profile.caIPAserviceCert.class_id=caEnrollImpl
> profile.caIPAserviceCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg
> profile.caInstallCACert.class_id=caEnrollImpl
> profile.caInstallCACert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caInstallCACert.cfg
> profile.caInternalAuthAuditSigningCert.class_id=caEnrollImpl
> profile.caInternalAuthAuditSigningCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caInternalAuthAuditSigningCert.cfg
> profile.caInternalAuthDRMstorageCert.class_id=caEnrollImpl
> profile.caInternalAuthDRMstorageCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caInternalAuthDRMstorageCert.cfg
> profile.caInternalAuthOCSPCert.class_id=caEnrollImpl
> profile.caInternalAuthOCSPCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caInternalAuthOCSPCert.cfg
> profile.caInternalAuthServerCert.class_id=caEnrollImpl
> profile.caInternalAuthServerCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caInternalAuthServerCert.cfg
> profile.caInternalAuthSubsystemCert.class_id=caEnrollImpl
> profile.caInternalAuthSubsystemCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caInternalAuthSubsystemCert.cfg
> profile.caInternalAuthTransportCert.class_id=caEnrollImpl
> profile.caInternalAuthTransportCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caInternalAuthTransportCert.cfg
> profile.caJarSigningCert.class_id=caEnrollImpl
> profile.caJarSigningCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caJarSigningCert.cfg
> profile.caManualRenewal.class_id=caEnrollImpl
> profile.caManualRenewal.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caManualRenewal.cfg
> profile.caOCSPCert.class_id=caEnrollImpl
> profile.caOCSPCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caOCSPCert.cfg
> profile.caOtherCert.class_id=caEnrollImpl
> profile.caOtherCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caOtherCert.cfg
> profile.caRACert.class_id=caEnrollImpl
> profile.caRACert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caRACert.cfg
> profile.caRARouterCert.class_id=caEnrollImpl
> profile.caRARouterCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caRARouterCert.cfg
> profile.caRAagentCert.class_id=caEnrollImpl
> profile.caRAagentCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caRAagentCert.cfg
> profile.caRAserverCert.class_id=caEnrollImpl
> profile.caRAserverCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caRAserverCert.cfg
> profile.caRouterCert.class_id=caEnrollImpl
> profile.caRouterCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caRouterCert.cfg
> profile.caSSLClientSelfRenewal.class_id=caEnrollImpl
> profile.caSSLClientSelfRenewal.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caSSLClientSelfRenewal.cfg
> profile.caServerCert.class_id=caEnrollImpl
> profile.caServerCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg
> profile.caSignedLogCert.class_id=caEnrollImpl
> profile.caSignedLogCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caSignedLogCert.cfg
> profile.caSimpleCMCUserCert.class_id=caEnrollImpl
> profile.caSimpleCMCUserCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caSimpleCMCUserCert.cfg
> profile.caStorageCert.class_id=caEnrollImpl
> profile.caStorageCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caStorageCert.cfg
> profile.caSubsystemCert.class_id=caEnrollImpl
> profile.caSubsystemCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caSubsystemCert.cfg
> profile.caTPSCert.class_id=caEnrollImpl
> profile.caTPSCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caTPSCert.cfg
> profile.caTempTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl
> profile.caTempTokenDeviceKeyEnrollment.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg
> profile.caTempTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl
> profile.caTempTokenUserEncryptionKeyEnrollment.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg
> profile.caTempTokenUserSigningKeyEnrollment.class_id=caUserCertEnrollImpl
> profile.caTempTokenUserSigningKeyEnrollment.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg
> profile.caTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl
> profile.caTokenDeviceKeyEnrollment.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caTokenDeviceKeyEnrollment.cfg
> profile.caTokenMSLoginEnrollment.class_id=caUserCertEnrollImpl
> profile.caTokenMSLoginEnrollment.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caTokenMSLoginEnrollment.cfg
> profile.caTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl
> profile.caTokenUserEncryptionKeyEnrollment.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg
> profile.caTokenUserEncryptionKeyRenewal.class_id=caUserCertEnrollImpl
> profile.caTokenUserEncryptionKeyRenewal.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caTokenUserEncryptionKeyRenewal.cfg
> profile.caTokenUserSigningKeyEnrollment.class_id=caUserCertEnrollImpl
> profile.caTokenUserSigningKeyEnrollment.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caTokenUserSigningKeyEnrollment.cfg
> profile.caTokenUserSigningKeyRenewal.class_id=caUserCertEnrollImpl
> profile.caTokenUserSigningKeyRenewal.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caTokenUserSigningKeyRenewal.cfg
> profile.caTransportCert.class_id=caEnrollImpl
> profile.caTransportCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caTransportCert.cfg
> profile.caUUIDdeviceCert.class_id=caEnrollImpl
> profile.caUUIDdeviceCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caUUIDdeviceCert.cfg
> profile.caUserCert.class_id=caEnrollImpl
> profile.caUserCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caUserCert.cfg
> profile.caUserSMIMEcapCert.class_id=caEnrollImpl
> profile.caUserSMIMEcapCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caUserSMIMEcapCert.cfg
> profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caEncECUserCert,KPNWebhostingServiceCertAEM,KPNWebhostingAEM
> proxy.securePort=443
> proxy.unsecurePort=80
> registry.file=/var/lib/pki/pki-tomcat/conf/ca/registry.cfg
> request.assignee.enable=true
> securitydomain.checkIP=false
> securitydomain.checkinterval=300000
> securitydomain.flushinterval=86400000
> securitydomain.host=pvlipa1001c.linux.infra.local
> securitydomain.httpport=80
> securitydomain.httpsadminport=443
> securitydomain.httpsagentport=443
> securitydomain.httpseeport=443
> securitydomain.name=IPA
> securitydomain.select=new
> securitydomain.source=ldap
> securitydomain.store=ldap
> selftests._000=##
> selftests._001=## Self Tests
> selftests._002=##
> selftests._003=## The Self-Test plugin SystemCertsVerification uses the
> selftests._004=## following parameters (where certusage is optional):
> selftests._005=## ca.cert.list = <list of cert tag names deliminated by ",">
> selftests._006=## ca.cert.<cert tag name>.nickname
> selftests._007=## ca.cert.<cert tag name>.certusage
> selftests._008=##
> selftests.container.instance.CAPresence=com.netscape.cms.selftests.ca.CAPresence
> selftests.container.instance.CAValidity=com.netscape.cms.selftests.ca.CAValidity
> selftests.container.instance.SystemCertsVerification=com.netscape.cms.selftests.common.SystemCertsVerification
> selftests.container.logger.bufferSize=512
> selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
> selftests.container.logger.enable=true
> selftests.container.logger.expirationTime=0
> selftests.container.logger.fileName=/var/lib/pki/pki-tomcat/logs/ca/selftests.log
> selftests.container.logger.flushInterval=5
> selftests.container.logger.level=1
> selftests.container.logger.maxFileSize=2000
> selftests.container.logger.register=false
> selftests.container.logger.rolloverInterval=2592000
> selftests.container.logger.type=transaction
> selftests.container.order.onDemand=CAPresence:critical, SystemCertsVerification:critical, CAValidity:critical
> selftests.container.order.startup=CAPresence:critical, SystemCertsVerification:critical
> selftests.plugin.CAPresence.CaSubId=ca
> selftests.plugin.CAValidity.CaSubId=ca
> selftests.plugin.SystemCertsVerification.SubId=ca
> service.clientauth_securePort=8443
> service.instanceDir=/var/lib/pki
> service.instanceID=pki-tomcat
> service.machineName=pvlipa1001c.linux.infra.local
> service.non_clientauth_securePort=8443
> service.securePort=8443
> service.securityDomainPort=443
> service.unsecurePort=8080
> smtp.host=localhost
> smtp.port=25
> subsystem.0.class=com.netscape.ca.CertificateAuthority
> subsystem.0.id=ca
> subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem
> subsystem.1.id=profile
> subsystem.2.class=com.netscape.cmscore.selftests.SelfTestSubsystem
> subsystem.2.id=selftests
> subsystem.3.class=com.netscape.cmscore.cert.CrossCertPairSubsystem
> subsystem.3.id=CrossCertPair
> subsystem.4.class=com.netscape.cmscore.util.StatsSubsystem
> subsystem.4.id=stats
> subsystem.count=0
> subsystem.select=Clone
> usrgrp._000=##
> usrgrp._001=## User/Group
> usrgrp._002=##
> usrgrp.ldap=internaldb
> 
> -----Original message-----
> From: Fraser Tweedale [mailto:ftweedal at redhat.com]
> Sent: Friday 11 December 2015 08:14
> To: Hummelink, Wouter
> Subject: Re: [Freeipa-users] Certificate Profile - Policy Set Not Found
> 
> Can you please check the version of your pki packages on the host on which the CA is running and also provide your /etc/pki/pki-tomcat/ca/CS.cfg ?
> 
> To confirm, the IPA server and PKI host are RHEL 7.2?
> 
> Cheers,
> Fraser
> 
> On Thu, Dec 10, 2015 at 07:32:13AM +0000, wouter.hummelink at kpn.com wrote:
> > Attached is yesterday's debug log from pki-tomcat.
> > 
> > I tried these actions several times, both scripted and manually.
> > Curiously, I did a resubmit just now and I got issued a correct certificate.
> > 
> > 
> > 
> > 
> > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On behalf of wouter.hummelink at kpn.com
> > Sent: Thursday 10 December 2015 08:05
> > To: ftweedal at redhat.com
> > CC: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] Certificate Profile - Policy Set Not Found
> > 
> > I'll send the log as soon as I get a chance. After the mail I also
> > tried fetching a cert on another server (cent7.1) that never had a cert
> > issued. This resulted in a cert conformant with caIpaServiceCert.
> > 
> > 
> > Sent from my Samsung device
> > 
> > 
> > -------- Original message --------
> > From: Fraser Tweedale <ftweedal at redhat.com>
> > Date: 2015-12-10 03:58 (GMT+01:00)
> > To: "Hummelink, Wouter" <wouter.hummelink at kpn.com>
> > Cc: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] Certificate Profile - Policy Set Not Found
> > 
> > On Thu, Dec 10, 2015 at 09:48:35AM +1000, Fraser Tweedale wrote:
> > > On Wed, Dec 09, 2015 at 10:46:06AM +0000, wouter.hummelink at kpn.com wrote:
> > > > Hello,
> > > >
> > > > I'm trying to import and use a certificate profile in IPAv4.2 on RHEL.
> > > >
> > > > I've exported the default caIPAServiceCert profile and did the following modification:
> > > > < profileId=caIPAserviceCert
> > > > ---
> > > > > profileId=KPNWebhostingAEM
> > > > 87c87
> > > > < 
> > > > policyset.serverCertSet.1.default.params.name=CN=$request.req_subj
> > > > ect_name.cn$, O=IPADOMAIN
> > > > ---
> > > > > policyset.serverCertSet.1.default.params.name=CN=$request.req_su
> > > > > bject_name.cn$, OU=TESTAEM, O=IPADOMAIN
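Review bot: in the 87c87 hunk both `policyset.serverCertSet.1.default.params.name` lines are broken mid-token across two lines (`req_subj` / `ect_name.cn$`); if that break exists in the profile file itself rather than being mail-client wrapping, the key/value pair is truncated and the subject-name default will not be applied as intended, so confirm the entry is a single unbroken line before importing the profile.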
> > > >
> > > > Profile
> > > >   Profile ID: KPNWebhostingAEM
> > > >   Profile description: KPN Webhosting AEM
> > > >   Store issued certificates: TRUE
> > > >
> > > > CAACL
> > > >   ACL name: ING Intermediairs AEM Application Servers
> > > >   Enabled: TRUE
> > > >   Profiles: KPNWebhostingServiceCertAEM, KPNWebhostingAEM
> > > >   Host Groups: xxx_accp_applications, xxx_prod_applications
> > > >
> > > > Trying to request a certificate for a server:
> > > > ipa-getcert request -r -I mongo2 -f /etc/pki/tls/certs/host.crt -k /etc/pki/tls/certs/host.key -TKPNWebhostingAEM
> > > >
> > > > Results in:
> > > > ipa-getcert list
> > > > Number of certificates and requests being tracked: 1.
> > > > Request ID 'mongo2':
> > > >         status: CA_UNREACHABLE
> > > >         ca-error: Server at https://pvlipa1001c.ipadomain/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: FAILURE (Policy Set Not Found)).
> > > >         stuck: no
> > > >         key pair storage: type=FILE,location='/etc/pki/tls/certs/host.key'
> > > >         certificate: type=FILE,location='/etc/pki/tls/certs/host.crt'
> > > >         CA: IPA
> > > >         issuer:
> > > >         subject:
> > > >         expires: unknown
> > > >         pre-save command:
> > > >         post-save command:
> > > >         track: yes
> > > >         auto-renew: yes
> > > >
> > > > Since the same setup was working to request certificates on my lab environment I'm at a loss what is causing the error.
> > > >
> > > > Kind regards,
> > > >
> > > Hi Wouter,
> > >
> > > I'm looking into this; stay tuned.
> > >
> > OK, I could not reproduce.  Is the issue reproducible for you?  Did 
> > you execute the commands by hand or as part of a script?  Can you 
> > provide your PKI debug log (/var/log/pki/pki-tomcat/ca/debug/)?
> > 
> > Cheers,
> > Fraser
> 
> 
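As an added example (not code from the thread or from FreeIPA/Dogtag), the following Python check reads the profile-related keys of a CS.cfg like the one quoted above and flags a profile subsystem that is not LDAPProfileSubsystem, plus any mismatch between profile.list and the per-profile profile.<id>.class_id/.config entries; the sample config it runs on is constructed.

```python
"""Added example for this thread: sanity checks over a Dogtag CA CS.cfg.
Not code from the thread or from FreeIPA/Dogtag. SAMPLE_CS_CFG is a
constructed fragment using keys of the kind quoted in the thread."""
import re

# Constructed sample: profile-related CS.cfg keys, with the file-based
# ProfileSubsystem that a FreeIPA 4.2 CA should not be using.
SAMPLE_CS_CFG = """\
subsystem.0.class=com.netscape.ca.CertificateAuthority
subsystem.0.id=ca
subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem
subsystem.1.id=profile
subsystem.2.class=com.netscape.cmscore.selftests.SelfTestSubsystem
subsystem.2.id=selftests
profile.caIPAserviceCert.class_id=caEnrollImpl
profile.caIPAserviceCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg
profile.KPNWebhostingAEM.class_id=caEnrollImpl
profile.list=caIPAserviceCert,KPNWebhostingAEM,caServerCert
"""
# On a FreeIPA 4.2 CA, profiles live in LDAP and are served by this class.
EXPECTED_PROFILE_CLASS = "com.netscape.cmscore.profile.LDAPProfileSubsystem"


def parse_cs_cfg(text):
    """Parse CS.cfg key=value lines; comments and blank lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def check_profile_subsystem(cfg):
    """Flag a subsystem.N.id=profile entry not backed by LDAPProfileSubsystem."""
    findings = []
    for key, value in cfg.items():
        m = re.fullmatch(r"subsystem\.(\d+)\.id", key)
        if m and value == "profile":
            cls = cfg.get(f"subsystem.{m.group(1)}.class", "")
            if cls != EXPECTED_PROFILE_CLASS:
                findings.append(f"subsystem.{m.group(1)}.class is {cls!r}; "
                                f"expected {EXPECTED_PROFILE_CLASS}")
    return findings


def check_profile_list(cfg):
    """Cross-check profile.list against profile.<id>.class_id/.config keys."""
    listed = {p for p in cfg.get("profile.list", "").split(",") if p}
    defined = {}
    for key in cfg:
        m = re.fullmatch(r"profile\.([^.]+)\.(class_id|config)", key)
        if m:
            defined.setdefault(m.group(1), set()).add(m.group(2))
    findings = []
    for pid in sorted(listed):
        missing = {"class_id", "config"} - defined.get(pid, set())
        if missing:
            findings.append(f"{pid}: listed but missing {sorted(missing)}")
    for pid in sorted(set(defined) - listed):
        findings.append(f"{pid}: defined but not in profile.list")
    return findings


if __name__ == "__main__":
    conf = parse_cs_cfg(SAMPLE_CS_CFG)
    for finding in check_profile_subsystem(conf) + check_profile_list(conf):
        print("FINDING:", finding)
```

Point parse_cs_cfg at the contents of /etc/pki/pki-tomcat/ca/CS.cfg to run the same checks against a live instance.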