{ "end-entity-profiles": { "DeviceEEProfile": { "Object Type": "End Entity Profile", "Version": 1, "Name": "DeviceEEProfile", "Description": "", "Default CA": "IssuerCA", "Available CAs": ["IssuerCA"], "Default Certificate Profile": "DeviceCertProfile", "Available Certificate Profiles": [ "DeviceCertProfile", "ENDUSER", "SUBCA" ], "Default Token Type": "User Generated", "Available Token Types": [ "User Generated", "PKCS12 File", "BCFKS File", "JKS File", "PEM File" ], "Subject DN": { "CN": [{ "Required": true }] } } }, "extended-key-usage": { "extended-key-usages": { "Object Type": "Extended Key Usage", "Version": 1, "All extended key usages": { "2.5.29.37.0": "EKU_PKIX_ANYEXTENDEDKEYUSAGE", "1.3.6.1.5.5.7.3.1": "EKU_PKIX_SERVERAUTH", "1.3.6.1.5.5.7.3.2": "EKU_PKIX_CLIENTAUTH", "1.3.6.1.5.5.7.3.3": "EKU_PKIX_CODESIGNING", "1.3.6.1.5.5.7.3.4": "EKU_PKIX_EMAILPROTECTION", "1.3.6.1.5.5.7.3.8": "EKU_PKIX_TIMESTAMPING", "1.3.6.1.5.5.7.3.9": "EKU_PKIX_OCSPSIGNING", "1.3.6.1.5.5.7.3.13": "EKU_PKIX_EAPOVERPPP", "1.3.6.1.5.5.7.3.14": "EKU_PKIX_EAPOVERLAN", "1.3.6.1.5.5.7.3.15": "EKU_PKIX_SCVPSERVER", "1.3.6.1.5.5.7.3.16": "EKU_PKIX_SCVPCLIENT", "1.3.6.1.5.5.7.3.17": "EKU_PKIX_IPSECIKE", "1.3.6.1.5.5.7.3.20": "EKU_PKIX_SIPDOMAIN", "1.3.6.1.5.5.7.3.21": "EKU_PKIX_SSHCLIENT", "1.3.6.1.5.5.7.3.22": "EKU_PKIX_SSHSERVER", "1.3.6.1.4.1.311.20.2.2": "EKU_MS_SMARTCARDLOGON", "1.3.6.1.4.1.311.10.3.12": "EKU_MS_DOCUMENTSIGNING", "1.3.6.1.4.1.311.2.1.21": "EKU_MS_CODESIGNING_IND", "1.3.6.1.4.1.311.2.1.22": "EKU_MS_CODESIGNING_COM", "1.3.6.1.4.1.311.10.3.4": "EKU_MS_EFSCRYPTO", "1.3.6.1.4.1.311.10.3.4.1": "EKU_MS_EFSRECOVERY", "1.3.6.1.4.1.311.21.5": "EKU_MS_CA_EXCHANGE", "2.16.840.1.113741.1.2.3": "EKU_INTEL_AMT", "0.4.0.2231.3.0": "EKU_ETSI_TSLSIGNING", "1.2.840.113583.1.1.5": "EKU_ADOBE_PDFSIGNING", "1.2.203.7064.1.1.369791.1": "EKU_CSN_TLSCLIENT", "1.2.203.7064.1.1.369791.2": "EKU_CSN_TLSSERVER", "1.3.6.1.5.2.3.4": "EKU_KRB_PKINIT_CLIENT", "1.3.6.1.5.2.3.5": "EKU_KRB_PKINIT_KDC", "2.23.136.1.1.3": "EKU_ICAO_MASTERLISTSIGNING", "2.23.136.1.1.8": "EKU_ICAO_DEVIATIONLISTSIGNING", "2.16.840.1.101.3.6.8": "EKU_NIST_PIVCARDAUTH", "1.3.6.1.5.5.7.3.36": "EKU_PKIX_DOCUMENTSIGNING" } } }, "certificate-profiles": { "DeviceCertProfile": { "Object Type": "Certificate Profile", "Version": 1, "Name": "DeviceCertProfile", "Type": "End Entity", "Available Key Algorithms": [ "ECDSA", "RSA", "Ed25519", "Ed448", "FALCON-512", "FALCON-1024", "ML-KEM-512", "ML-KEM-768", "ML-KEM-1024", "ML-DSA-44", "ML-DSA-65", "ML-DSA-87" ], "Available Elliptic Curves": ["ANY_EC_CURVE"], "Available Bit Lengths": [ 0, 110, 112, 113, 126, 128, 131, 160, 161, 162, 163, 189, 190, 191, 192, 193, 224, 225, 232, 233, 236, 237, 238, 239, 256, 257, 281, 282, 289, 320, 353, 384, 407, 409, 418, 512, 521, 570, 1024, 1536, 2048, 3072, 4096, 6144, 8192 ], "Signature Algorithm": "Inherit from Issuing CA", "Validity": "2y", "Description": "", "Overridable Extension OIDs": [], "Non-overridable Extension OIDs": [], "Key Usage": ["Digital Signature", "Non-Repudiation", "Key Encipherment"], "Extended Key Usage Used": true, "Extended Key Usage": ["Client Authentication", "E-mail Protection"], "CVC Access Rights (Inspection System)": ["DG3", "DG4"], "Available CAs": ["IssuerCA"], "SSH Extensions": { "no-touch-required": "", "permit-X11-forwarding": "", "permit-agent-forwarding": "", "permit-port-forwarding": "", "permit-pty": "", "permit-user-rc": "" }, "Account Binding Namespace": [] } }, "peer-connectors": { "global-peer-configuration": { "Object Type": "Peer Global Configuration", "Version": 1, "Allow incoming connections": false, "Allow outgoing connections": true, "Max wait by caller (ms)": 19000, "Max wait by peer (ms)": 15000, "Max age for requests (ms)": 16000 }, "ejbca-ra1": { "Object Type": "Peer Connector", "Version": 1, "Name": "ejbca-ra1", "Peer Enabled": true, "URL": "https://ejbca-ra-nginx.radeployment/ejbca/peer/v1", "Long Hanging Connections Enabled": true, "Min Long Hanging Connections": 10, "Max Long Hanging Connections": 20, "Authentication Key Binding": "peer-key" } }, "internal-key-bindings": { "peer-key": { "Object Type": "Internal Key Binding", "Version": 1, "Name": "peer-key", "Type": "AuthenticationKeyBinding", "Status": "ACTIVE", "Crypto Token": "PeerToken", "Bound Certificate SHA-1": "584854551919c7bb1d546f61f09b7b58715adf31", "Key Pair Alias": "peerkey", "Next Key Pair Alias": null, "Signature Algorithm": "SHA256WithRSA", "Enrollment info: Key Binding SubjectDN": "CN=peer-key", "Enrollment info: Signing CA SubjectDN": "CN=ManagementCA,O=EJBCA Sample,C=SE", "Enrollment info: Certificate profile": "ENDUSER", "Enrollment info: End entity profile": "EMPTY", "Enrollment info: Key spec or curve": "RSA2048", "Trusted certificates": {}, "Signed on behalf of CAs": {}, "Properties": { "Protocol and Cipher Suite": "TLSv1.2;TLS_RSA_WITH_AES_256_CBC_SHA256" } } }, "acme-config": { "global-acme-configuration": { "Object Type": "ACME Global Configuration", "Version": 2, "Default Acme Configuration": null, "Replay-Nonce Validity In Milliseconds": 600000 } }, "admin-roles": { "Super Administrator Role": { "Object Type": "Role", "Version": 1, "Name": "Super Administrator Role", "Role Members": [ { "Token Type": "CertificateAuthenticationToken", "Issuer": "ManagementCA", "Match With": "WITH_COMMONNAME", "Match Value": "SuperAdmin" }, { "Token Type": "CliAuthenticationToken", "Issuer": null, "Match With": "USERNAME", "Match Value": "ejbca" }, { "Token Type": "PublicAccessAuthenticationToken", "Issuer": null, "Match With": "TRANSPORT_ANY", "Match Value": "" } ], "Namespace": "", "RA Style Id": 0, "Access Rules": { "/": "Allow" } }, "RA-Peer-Connection": { "Object Type": "Role", "Version": 1, "Name": "RA-Peer-Connection", "Role Members": [ { "Token Type": "CertificateAuthenticationToken", "Issuer": "ManagementCA", "Match With": "WITH_COMMONNAME", "Match Value": "ejbcara.testdomain.se" } ], "Namespace": "", "RA Style Id": 0, "Access Rules": { "/administrator/": "Allow", "/ca/": "Allow", "/ca_functionality/create_certificate/": "Allow", "/ca_functionality/use_approval_request_id/": "Allow", "/ca_functionality/use_username/": "Allow", "/ca_functionality/view_ca/": "Allow", "/ca_functionality/view_certificate/": "Allow", "/endentityprofilesrules/": "Allow", "/protocol/acme/": "Allow", "/protocol/cmp/": "Allow", "/protocol/est/": "Allow", "/protocol/rest/": "Allow", "/protocol/scep/": "Allow", "/protocol/web_services/": "Allow", "/ra_functionality/approve_end_entity/": "Allow", "/ra_functionality/create_end_entity/": "Allow", "/ra_functionality/delete_end_entity/": "Allow", "/ra_functionality/edit_end_entity/": "Allow", "/ra_functionality/revoke_end_entity/": "Allow", "/ra_functionality/view_approvals/": "Allow", "/ra_functionality/view_end_entity/": "Allow", "/ra_functionality/view_end_entity_history/": "Allow", "/ra_functionality/view_end_entity_profiles/": "Allow", "/ra_master/invoke_api/": "Allow" } } }, "crypto-tokens": { "IssuerCaToken": { "Object Type": "Crypto Token", "Version": 2, "Name": "IssuerCaToken", "Used": true, "PKCS11 Library": "/opt/keyfactor/p11proxy-client/p11proxy-client.so", "PKCS11 Reference Type": "SLOT_LABEL", "PKCS11 Reference": "Token-1", "PKCS11 Attribute File": "", "Key Pair Info": [ ], "Authentication Code": "${CONFIGDUMP_TOKENPASS}", "Type": "Pkcs11NgCryptoToken", "Active": true, "Auto Activation": true }, "ManagmentCAToken": { "Object Type": "Crypto Token", "Version": 2, "Name": "ManagmentCAToken", "Used": true, "PKCS11 Library": "/opt/keyfactor/p11proxy-client/p11proxy-client.so", "PKCS11 Reference Type": "SLOT_LABEL", "PKCS11 Reference": "Token-1", "PKCS11 Attribute File": "", "Key Pair Info": [ ], "Authentication Code": "${CONFIGDUMP_TOKENPASS}", "Type": "Pkcs11NgCryptoToken", "Active": true, "Auto Activation": true }, "PeerToken": { "Object Type": "Crypto Token", "Version": 2, "Name": "PeerToken", "Used": true, "Key Pair Info": [ ], "Authentication Code": "${CONFIGDUMP_TOKENPASS}", "Type": "SoftCryptoToken", "Active": true, "Auto Activation": true } }, "available-protocols": { "available-protocol-configuration": { "Object Type": "Available Protocols", "Version": 1, "Name": "available-protocol-configuration", "ACME": false, "Certstore": true, "CMP": true, "CRLstore": true, "EST": false, "MSAE": false, "OCSP": true, "SCEP": true, "RA Web": true, "REST CA Management": false, "REST Certificate Management": true, "REST Coap Management": false, "REST Crypto Token Management": false, "REST End Entity Management": false, "REST End Entity Management V2": false, "REST Configdump": false, "REST Certificate Management V2": false, "REST SSH V1": false, "REST System V1": false, "Webdist": true, "Web Service": true, "ITS Certificate Management": false, "Custom header name for REST calls from browser": "X-Keyfactor-Requested-With" } }, "services": { "CrlService001": { "Object Type": "Service", "Version": 1, "Name": "CrlService001", "Worker Type": "CRL Updater", "Worker Properties": { "CAs to Check": ["Any CA"] }, "Interval Type": "Periodical Interval", "Interval Properties": { "Periodical Value": 1, "Periodical Unit": "DAYS" }, "Action Type": "No Action", "Action Properties": {}, "Description": "", "Active": true, "Hidden": false, "Pin to Specific Nodes": [], "Run on All Nodes": false } }, "ocsp-configuration": { "ocsp-configuration": { "Object Type": "OCSP Configuration", "Version": 1, "Name": "OCSP", "Default Responder": null, "Responder ID Type for CAs": "KeyHash", "Nonce extension in OCSP replies from CAs enabled": true, "OCSP signing cache update enabled": false, "OCSP explicit no cache unauthorized responses enabled": false, "Audit Logging Enabled": false, "Audit Log Pattern": "\\$\\{(.+?)\\}", "Audit Log Values": "SESSION_ID:${SESSION_ID};LOG ID:${LOG_ID};\"${LOG_TIME}\";TIME TO PROCESS:${REPLY_TIME};\\nOCSP REQUEST:\\n\"${OCSPREQUEST}\";\\nOCSP RESPONSE:\\n\"${OCSPRESPONSE}\";\\nSTATUS:${STATUS}", "Transaction Logging Enabled": false, "Transaction Log Pattern": "\\$\\{(.+?)\\}", "Transaction Log Values": "${SESSION_ID};${LOG_ID};${STATUS};${REQ_NAME}\"${CLIENT_IP}\";\"${SIGN_ISSUER_NAME_DN}\";\"${SIGN_SUBJECT_NAME}\";${SIGN_SERIAL_NO};\"${LOG_TIME}\";${REPLY_TIME};${NUM_CERT_ID};0;0;0;0;0;0;0;\"${ISSUER_NAME_DN}\";${ISSUER_NAME_HASH};${ISSUER_KEY};\"${OCSP_CERT_ISSUER_NAME_DN}\";${DIGEST_ALGOR};${SERIAL_NOHEX};${CERT_STATUS};${CERT_PROFILE_ID};${FORWARDED_FOR}", "OCSP Logging Date Format": "yyyy-MM-dd HH:mm:ss.SSSZ", "Default Response Validity Time": 0, "Default Response Max Age": 30, "Use Max AGE for expired responses": false } }, "certification-authorities": { "IssuerCA": { "Object Type": "Certification Authority", "Version": 2, "Name": "IssuerCA", "Type of CA": "X.509", "Serial Number Octet Size": 20, "Pre-produce OCSP Responses": false, "Microsoft CA Compatible Mode Used": false, "Store responses on-demand": false, "Pre-produce OCSP Responses Upon certificate issuance/revocation": false, "Certificate Profile": "Not used", "Default Certificate Profile": "Not used", "Use Append-Only Table": false, "CA Token": { "Signature Algorithm": "SHA256WithRSA", "Encryption Algorithm": "SHA256WithRSA", "Crypto Token": "IssuerCaToken", "Default Key": "defaultkey002", "Certificate Signing Key": "signkey002", "CRL Signing Key": "signkey002", "Key Encryption Key": "defaultkey002", "Test Key": "testkey", "Key Sequence Format": "Numeric", "Key Sequence": "00000" }, "Enforce Unique Public Keys": true, "Enforce key renewal": false, "Enforce Unique DN": true, "User Storage": true, "Certificate Storage": true, "Accept Revocations for Non-Existing Entries": false, "Subject DN": "CN=IssuerCA", "Signed By": "Signed by External CA", "Validity": "0d", "Use UTF-8 in Policy Notice Text": true, "LDAP DN Order": true, "Authority Key Id Used": true, "CRL Number Used": true, "Partitioned CRL Used": false, "CRL Expiration Period": "1d", "CRL Issue Interval": "0m", "CRL Overlap Time": "10m", "Delta CRL Period": "0m", "Generate CRL Upon Revocation": false, "Allow Changing Revocation Reason": false, "Finish User": true, "CA Healthcheck Enabled": false, "Request Processor": null }, "ManagementCA": { "Object Type": "Certification Authority", "Version": 2, "Name": "ManagementCA", "Type of CA": "X.509", "Serial Number Octet Size": 20, "Pre-produce OCSP Responses": false, "Microsoft CA Compatible Mode Used": false, "Store responses on-demand": false, "Pre-produce OCSP Responses Upon certificate issuance/revocation": false, "Certificate Profile": "ROOTCA", "Default Certificate Profile": "Not used", "Use Append-Only Table": false, "CA Token": { "Signature Algorithm": "SHA256WithRSA", "Encryption Algorithm": "SHA1WithRSA", "Crypto Token": "ManagmentCAToken", "Default Key": "defaultkey001", "Certificate Signing Key": "signkey001", "CRL Signing Key": "signkey001", "Key Encryption Key": "defaultkey001", "Test Key": "testkey", "Key Sequence Format": "Numeric", "Key Sequence": "00000" }, "Enforce Unique Public Keys": true, "Enforce key renewal": false, "Enforce Unique DN": true, "User Storage": true, "Certificate Storage": true, "Accept Revocations for Non-Existing Entries": false, "Subject DN": "CN=ManagementCA,O=EJBCA Sample,C=SE", "Signed By": "Self Signed", "Validity": "10y", "Subject Alternative Name": null, "Use UTF-8 in Policy Notice Text": true, "LDAP DN Order": true, "Authority Key Id Used": true, "CRL Number Used": true, "Partitioned CRL Used": false, "CRL Expiration Period": "1d", "CRL Issue Interval": "0m", "CRL Overlap Time": "10m", "Delta CRL Period": "0m", "Generate CRL Upon Revocation": false, "Allow Changing Revocation Reason": false, "Finish User": true, "Request Processor": null } } }