Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

PKI Policy defines the trusted issuer certificates Certificate Authority certificates (trust anchors) and CRL/OCSP endpoints used when validating certificates or certificate chains and attributes generated from subject and issuer certificates.

On this page described:

Table of Contents
maxLevel6
minLevel1
include
outlinefalse
indent
exclude
stylenone
typelist
printabletrue
class

PKI Policy XML configuration file

...

Code Block
languagexml
<?xml version="1.0" encoding="iso-8859-1"?>
<Policy 
    xmlns="http://ubisecure.com/schema/certagent.xsd">
  <PKI>
    <Trust crl="ldap://ldap.fineid.fi:389/cn%3dVRK%20Gov.%20CA%20for%20Citizen%20Qualified%20Certificates,ou%3dValtion%20kansalaisvarmenteet,o%3dVaestorekisterikeskus%20CA,dmdName%3dFINEID,c%3dFI?certificateRevocationList??objectClass=cRLDistributionPoint">
      MIIFjDCCBHSgAwIBAgIDAYiZMA0GCSqGSIb3DQEBBQUAMIGjMQswCQYDVQQGEwJG
      STEQMA4GA1UECBMHRmlubGFuZDEhMB8GA1UEChMYVmFlc3RvcmVraXN0ZXJpa2Vz
      a3VzIENBMSkwJwYDVQQLEyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBTZXJ2aWNl
      czEZMBcGA1UECxMQVmFybWVubmVwYWx2ZWx1dDEZMBcGA1UEAxMQVlJLIEdvdi4g
      Um9vdCBDQTAeFw0wMzAxMTAxMjU5MDVaFw0xOTAxMDkxMjU4MzBaMIGhMQswCQYD
      VQQGEwJGSTEQMA4GA1UECBMHRmlubGFuZDEhMB8GA1UEChMYVmFlc3RvcmVraXN0
      ZXJpa2Vza3VzIENBMSQwIgYDVQQLExtWYWx0aW9uIGthbnNhbGFpc3Zhcm1lbnRl
      ZXQxNzA1BgNVBAMTLlZSSyBHb3YuIENBIGZvciBDaXRpemVuIFF1YWxpZmllZCBD
      ZXJ0aWZpY2F0ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5Aj52
      7olxDHOtkQQU+BG1FUs0xOy8Qw2z3NmgV7yOkYRwi/C7aAbvaye712q8APGiDa+P
      f0N/XzQNynWWyzC2krv+fQq5YjGypRbnvciAtGbJQSXBoX58eV6sd5CWLKGMo1gH
      xsXNU6L9v9XlSWLUH4xbYvQt+oxfptgJbK5E+71OYC8DL0KU6xmlEfuPNQZ1Rf3p
      qqlEfmQjP24ubcgy3ZAHVTFBh7rT66pw+L5zAVPYBCyUG7rdXHS9hulRa4Y8w3BF
      RBxbChHsc7tuKk9kQmNGhQAJ7CdJx3V5kPsrxnuztOunimeBKoB5X3wgvk9f64n6
      0Jp0qumnY4l9V6oZAgMBAAGjggHHMIIBwzASBgNVHRMBAf8ECDAGAQH/AgEAMBEG
      CWCGSAGG+EIBAQQEAwIBBjCBywYDVR0gBIHDMIHAMIG9BgkqgXaEBQEKAQEwga8w
      gYQGCCsGAQUFBwICMHgadlZhcm1lbm5lcG9saXRpaWtrYSBvbiBzYWF0YXZpbGxh
      IC0gQ2VydGlmaWthdCBwb2xpY3kgZmlubnMgLSBDZXJ0aWZpY2F0ZSBwb2xpY3kg
      aXMgYXZhaWxhYmxlIGh0dHA6Ly93d3cuZmluZWlkLmZpL2NwczEwJgYIKwYBBQUH
      AgEWGmh0dHA6Ly93d3cuZmluZWlkLmZpL2NwczEvMEIGCCsGAQUFBwEBBDYwNDAy
      BggrBgEFBQcwAoYmaHR0cDovL3Byb3h5LmZpbmVpZC5maS9jYS92cmtyb290Yy5j
      cnQwDgYDVR0PAQH/BAQDAgHGMB8GA1UdIwQYMBaAFNvp4ZvS0SQL/KvjoGfqrpxL
      d/SwMDgGA1UdHwQxMC8wLaAroCmGJ2h0dHA6Ly9wcm94eS5maW5laWQuZmkvYXJs
      L3Zya3Jvb3RhLmNybDAdBgNVHQ4EFgQUiFpvHUJHgob91+kNslfPTVAoBBcwDQYJ
      KoZIhvcNAQEFBQADggEBAEXit6ypQO+0RbVTK57SKT1jsqE8dUiwL8oevvdBiFpR
      4HxEZZy8e/OGAvF3Hc/Hjc8cOjlsYToqztg16cOFI4vHZ+yC8rWh4TpuWgvkS80h
      //jcweAayp6E/Z0z928vTNILBD34YJQvpU4u7jyhSaY3tzybKjlSAo5lahiI32a9
      MNZXGoNv+j+MKq1NJkpgpy6/VEa5Z4RdRx43/EZhs45WvxTfER+nUC1loQngFKOS
      jdWG3GhOAh13nM9jYASBtC7ONddvoByfzwUOQ+BOf08R2bvZA+2CDFI8PuYqxCFv
      BMCpQSCdVL6tEYxeWIQb+uIQsfAEfjC3AQuTNh/UiW8=
    </Trust>
  </PKI> 

  <Subject KeyInfoConfirmationData="true"/> 

  <Attributes>
    <!-- Subject's SHA-1 fingerprint -->
    <Add name="subject.fingerprint">
      <Digest source="subject" algorithm="sha1" />
    </Add>
    <!-- Subject's distinguished name -->
    <Add name="subject.dn">
      <Field source="subject"/>
    </Add>
    <!-- Issuer's distinguished name -->
    <Add name="issuer.dn">
      <Field source="issuer"/>
    </Add>
    <!-- Subject's attributes 2.5.4.4 (surname) and 
         2.5.4.42 (givenName) separated by space -->
    <Add name="subject.name">
      <Concat>
        <Attribute source="subject" oid="2.5.4.4"/>
        <Text content="&#32;" />
        <Attribute source="subject" oid="2.5.4.42"/>
      </Concat>
    </Add>
  </Attributes>
</Policy>

Trusted issuers Trust anchors are defined in the Trust elements enclosed in a PKI element. The corresponding CRL distribution point is defined in the crl attribute. Other trusted issuers may be added by defining a new Trust element for each trusted issuer.

...

Code Block
languagexml
<xs:element name="Trust" type="TrustType" /> 
<xs:complexType name="TrustType">
  	<xs:simpleContent>
		    <xs:extension base="xs:base64Binary">
			      <xs:attribute name="crl" type="xs:anyURI" use="optional" />
		</xs:extension>
	</xs:simpleContent>
</xs:complexType>

...


      <xs:attribute name="crlref" type="xs:IDREF" use="optional" />
      <xs:attribute name="ocsp" type="xs:anyURI" use="optional" />
      <xs:attribute name="ocspref" type="xs:IDREF" use="optional" />
    </xs:extension>
  </xs:simpleContent>
</xs:complexType>

The <Trust /> element represents a trusted certificate authority. The element contains a Base64-encoded certificate. The element may also contain crl attribute defining a CRL URL or ocsp attribute defining an OCSP URL.

Optionally CRL and OCSP URLs can be defined in a separate element <CRL /> and <OCSP /> as child element for <Trust /> element, and refer to them by their id in crlref and ocspref attribute in <Trust /> element.

The <CRL /> and <OCSP /> elements

Code Block
languagexml
<xs:element name="CRL" type="CRLType" />
<xs:element name="OCSP" type="OCSPType" />
<xs:complexType name="CRLType">
  <xs:complexContent>
    <xs:extension base="PropertiesType">
      <xs:attribute name="uri" type="xs:anyURI" use="required" />
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
<xs:complexType name="OCSPType">
  <xs:complexContent>
    <xs:extension base="PropertiesType">
      <xs:attribute name="uri" type="xs:anyURI" use="required" />
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
<xs:complexType name="PropertiesType" abstract="true">
  <xs:sequence minOccurs="0" maxOccurs="unbounded">
    <xs:element name="Property" type="PropertyType" />
  </xs:sequence>
  <xs:attribute name="id" type="xs:ID" use="optional" />
</xs:complexType>
<xs:complexType name="PropertyType">
  <xs:simpleContent>
    <xs:extension base="xs:string">
      <xs:attribute name="name" type="xs:string" use="required" />
    </xs:extension>
  </xs:simpleContent>
</xs:complexType>

The <CRL /> and the <OCSP /> element represent a CRL and OCSP endpoint. The endpoint URL is defined in uri attribute and an optional identifier in id attribute. The identifier can be used in a <Trust /> element as value for crlref or ocspref attribute to refer to <CRL /> or <OCSP /> element, in which case the CRL or OCSP endpoint is used only with that trust anchor. A <CRL /> or <OCSP /> element without id attribute is used with any trust anchor.

PKI Policy supports only one OCSP endpoint per trust anchor.

For example:

Code Block
languagexml
<Trust ocspref="gspersonalsign2g2">MIIEVz...7H34U=</Trust>
<OCSP uri="http://ocsp2.globalsign.com/gspersonalsign2g2" id="gspersonalsign2g2"/>

The <Subject /> element

Code Block
languagexml
<xs:element name="Subject" type="SubjectType" />
<xs:complexType name="SubjectType">
	<xs:attribute name="KeyInfoConfirmationData" type="xs:boolean" />
</xs:complexType>

...