PKI Policy defines the trusted issuer certificates (Certificate Authority certificates used as trust anchors) and the CRL/OCSP endpoints used when validating certificates or certificate chains, as well as the attributes generated from the subject and issuer certificates.
PKI Policy XML configuration file
<?xml version="1.0" encoding="iso-8859-1"?>
<Policy xmlns="http://ubisecure.com/schema/certagent.xsd">
  <PKI>
    <Trust crl="ldap://ldap.fineid.fi:389/cn%3dVRK%20Gov.%20CA%20for%20Citizen%20Qualified%20Certificates,ou%3dValtion%20kansalaisvarmenteet,o%3dVaestorekisterikeskus%20CA,dmdName%3dFINEID,c%3dFI?certificateRevocationList??objectClass=cRLDistributionPoint">...</Trust>
  </PKI>
  <Subject KeyInfoConfirmationData="true"/>
  <Attributes>
    <!-- Subject's SHA-1 fingerprint -->
    <Add name="subject.fingerprint">
      <Digest source="subject" algorithm="sha1" />
    </Add>
    <!-- Subject's distinguished name -->
    <Add name="subject.dn">
      <Field source="subject"/>
    </Add>
    <!-- Issuer's distinguished name -->
    <Add name="issuer.dn">
      <Field source="issuer"/>
    </Add>
    <!-- Subject's attributes 2.5.4.4 (surname) and
         2.5.4.42 (givenName) separated by a space -->
    <Add name="subject.name">
      <Concat>
        <Attribute source="subject" oid="2.5.4.4"/>
        <Text content=" " />
        <Attribute source="subject" oid="2.5.4.42"/>
      </Concat>
    </Add>
  </Attributes>
</Policy>
Trusted issuers

Trust anchors are defined in Trust elements enclosed in a PKI element. The corresponding CRL distribution point is given in the crl attribute. Further trusted issuers are added by defining one new Trust element per trusted issuer.
<xs:element name="Trust" type="TrustType" />
<xs:complexType name="TrustType">
  <xs:simpleContent>
    <xs:extension base="xs:base64Binary">
      <xs:attribute name="crl" type="xs:anyURI" use="optional" />
      <xs:attribute name="crlref" type="xs:IDREF" use="optional" />
      <xs:attribute name="ocsp" type="xs:anyURI" use="optional" />
      <xs:attribute name="ocspref" type="xs:IDREF" use="optional" />
    </xs:extension>
  </xs:simpleContent>
</xs:complexType>
The <Trust /> element represents a trusted certificate authority. Its content is the Base64-encoded CA certificate. The element may also carry a crl attribute defining a CRL URL or an ocsp attribute defining an OCSP URL.

Optionally, the CRL and OCSP URLs can be defined in separate <CRL /> and <OCSP /> elements, which the <Trust /> element then refers to by their id in its crlref and ocspref attributes.
The <CRL /> and <OCSP /> elements

<xs:element name="CRL" type="CRLType" />
<xs:element name="OCSP" type="OCSPType" />
<xs:complexType name="CRLType">
  <xs:complexContent>
    <xs:extension base="PropertiesType">
      <xs:attribute name="uri" type="xs:anyURI" use="required" />
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
<xs:complexType name="OCSPType">
  <xs:complexContent>
    <xs:extension base="PropertiesType">
      <xs:attribute name="uri" type="xs:anyURI" use="required" />
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
<xs:complexType name="PropertiesType" abstract="true">
  <xs:sequence minOccurs="0" maxOccurs="unbounded">
    <xs:element name="Property" type="PropertyType" />
  </xs:sequence>
  <xs:attribute name="id" type="xs:ID" use="optional" />
</xs:complexType>
<xs:complexType name="PropertyType">
  <xs:simpleContent>
    <xs:extension base="xs:string">
      <xs:attribute name="name" type="xs:string" use="required" />
    </xs:extension>
  </xs:simpleContent>
</xs:complexType>
The <CRL /> and <OCSP /> elements represent a CRL endpoint and an OCSP endpoint. The endpoint URL is defined in the uri attribute and an optional identifier in the id attribute. The identifier can be used in a <Trust /> element as the value of its crlref or ocspref attribute to refer to the <CRL /> or <OCSP /> element; the CRL or OCSP endpoint is then used only with that trust anchor. A <CRL /> or <OCSP /> element without an id attribute is used with every trust anchor.

PKI Policy supports only one OCSP endpoint per trust anchor.
For example:

<Trust ocspref="gspersonalsign2g2">MIIEVz...7H34U=</Trust>
<OCSP uri="http://ocsp2.globalsign.com/gspersonalsign2g2" id="gspersonalsign2g2"/>
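The reference rules above (crlref/ocspref must point at the id of a CRL/OCSP element, an endpoint without an id applies to every trust anchor, and only one OCSP endpoint is supported per trust anchor) are easy to get wrong by hand, and a broken reference silently changes which revocation source is consulted. The following Python script is an added example, not part of this page or of Ubisecure's tooling, that lints a PKI Policy document against exactly those rules. It assumes the policy namespace shown on the page; the sample policies, URIs and the certificate body inside them are constructed placeholders. Treating a trust anchor that ends up with more than one OCSP endpoint (ocsp plus ocspref, or its own endpoint plus a global one) as a warning is this example's interpretation of the one-endpoint rule.

```python
"""Lint a PKI Policy XML document against the rules stated above.

This is an added example, not Ubisecure's own tooling. It assumes the policy
namespace shown on the page and checks only what the page states: a Trust
element carries a Base64 certificate, crlref/ocspref must resolve to the id of
a CRL/OCSP element, CRL/OCSP elements need a uri, and at most one OCSP
endpoint should apply to any one trust anchor.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

NS = "http://ubisecure.com/schema/certagent.xsd"  # namespace from the page


def q(tag):
    """Qualified tag name in the policy namespace."""
    return "{%s}%s" % (NS, tag)


def lint_policy(xml_text):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    root = ET.fromstring(xml_text)

    # Collect CRL/OCSP endpoints wherever they appear. Elements with an id are
    # targets for crlref/ocspref; an OCSP element without an id applies to every
    # trust anchor, so it counts towards every anchor's endpoint total.
    crl_ids, ocsp_ids = {}, {}
    global_ocsp = 0
    for kind, ids in (("CRL", crl_ids), ("OCSP", ocsp_ids)):
        for el in root.iter(q(kind)):
            uri = el.get("uri")
            if not uri:
                findings.append(("error", "%s element without required uri attribute" % kind))
            eid = el.get("id")
            if eid is None:
                if kind == "OCSP":
                    global_ocsp += 1
                continue
            if eid in ids:
                findings.append(("error", "duplicate %s id %r" % (kind, eid)))
            ids[eid] = uri

    trusts = list(root.iter(q("Trust")))
    if not trusts:
        findings.append(("error", "no Trust element: no issuer is trusted"))

    for i, trust in enumerate(trusts):
        label = "Trust[%d]" % i
        body = "".join((trust.text or "").split())  # Base64 may be line-wrapped
        if not body:
            findings.append(("error", label + ": empty element, expected a Base64 certificate"))
        else:
            try:
                base64.b64decode(body, validate=True)
            except (binascii.Error, ValueError):
                findings.append(("error", label + ": content is not valid Base64"))
        for ref, ids, kind in (("crlref", crl_ids, "CRL"), ("ocspref", ocsp_ids, "OCSP")):
            target = trust.get(ref)
            if target is not None and target not in ids:
                findings.append(("error", "%s: %s=%r matches no %s id" % (label, ref, target, kind)))
        # Assumption: "one OCSP endpoint per trust anchor" means an anchor must not
        # end up with both ocsp and ocspref, nor with its own endpoint plus a global one.
        endpoints = sum(1 for a in ("ocsp", "ocspref") if trust.get(a)) + global_ocsp
        if endpoints > 1:
            findings.append(("warning", "%s: %d OCSP endpoints would apply, policy supports one" % (label, endpoints)))
    return findings


# Constructed sample policies (the certificate body is a placeholder, not a real certificate).
CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()

SAMPLE_OK = """<?xml version="1.0"?>
<Policy xmlns="%s">
  <PKI>
    <Trust ocspref="anchor1">%s</Trust>
    <OCSP uri="http://ocsp.example.test/anchor1" id="anchor1"/>
  </PKI>
</Policy>""" % (NS, CERT_B64)

SAMPLE_BAD = """<?xml version="1.0"?>
<Policy xmlns="%s">
  <PKI>
    <Trust ocsp="http://ocsp.example.test/direct" ocspref="missing">MIIEVz...7H34U=</Trust>
    <OCSP uri="http://ocsp.example.test/global"/>
  </PKI>
</Policy>""" % NS

if __name__ == "__main__":
    for name, doc in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(name)
        for severity, message in lint_policy(doc) or [("ok", "no findings")]:
            print("  %s: %s" % (severity, message))
```

Running the script prints no findings for the first sample and three for the second: the elided certificate body is not valid Base64, ocspref="missing" resolves to no OCSP id, and the anchor would have three OCSP endpoints applied to it. Endpoints are collected from anywhere in the document so the check does not depend on where the CRL/OCSP elements are placed.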
The <Subject /> element

<xs:element name="Subject" type="SubjectType" />
<xs:complexType name="SubjectType">
  <xs:attribute name="KeyInfoConfirmationData" type="xs:boolean" />
</xs:complexType>
...