-
Notifications
You must be signed in to change notification settings - Fork 137
Certificate Usages
-
CheckAllUsages -
SSLServer -
SSLServerWithStepUp -
SSLClient -
SSLCA -
AnyCA -
StatusResponder -
ObjectSigner -
UserCertImport -
ProtectedObjectSigner -
VerifyCA -
EmailSigner -
EmailRecipient
The system certificate usages are defined in the CS.cfg in the following parameter:
-
<subsystem>.cert.<cert>.certusage
For example:
ca.cert.signing.certusage=SSLCA ca.cert.ocsp_signing.certusage=StatusResponder ca.cert.sslserver.certusage=SSLServer ca.cert.subsystem.certusage=SSLClient ca.cert.audit_signing.certusage=ObjectSigner
The default values are defined below.
| Subsystem | Certificate | Usages |
|---|---|---|
ca |
signing |
SSLCA |
ca |
ocsp_signing |
StatusResponder |
ca |
sslserver |
SSLServer |
ca |
subsystem |
SSLClient |
ca |
audit_signing |
ObjectSigner |
| Subsystem | Certificate | Usages |
|---|---|---|
kra |
transport |
SSLClient |
kra |
storage |
SSLClient |
kra |
sslserver |
SSLServer |
kra |
subsystem |
SSLClient |
kra |
audit_signing |
ObjectSigner |
| Subsystem | Certificate | Usages |
|---|---|---|
ocsp |
signing |
StatusResponder |
ocsp |
sslserver |
SSLServer |
ocsp |
subsystem |
SSLClient |
ocsp |
audit_signing |
ObjectSigner |
| Subsystem | Certificate | Usages |
|---|---|---|
tks |
sslserver |
SSLServer |
tks |
subsystem |
SSLClient |
tks |
audit_signing |
ObjectSigner |
| Subsystem | Certificate | Usages |
|---|---|---|
tps |
sslserver |
SSLServer |
tps |
subsystem |
SSLClient |
tps |
audit_signing |
ObjectSigner |
To validate a system certificate on the server, specify the subsystem name and the certificate ID:
$ pki-server cert-validate ca_signing
The system certificate will be validated against the corresponding usage above.
To validate a certificate in the client NSS database, specify the nickname and the usage in the following command:
$ pki client-cert-validate caadmin --certusage SSLClient
|
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |