.classpath

@@ -19,9 +19,9 @@
 	<classpathentry excluding="**/CMakeLists.txt" kind="src" path="base/ocsp/src"/>
 	<classpathentry excluding="**/CMakeLists.txt" kind="src" path="base/tks/src"/>
 	<classpathentry excluding="**/CMakeLists.txt" kind="src" path="base/tps/src"/>
-	<classpathentry excluding="**/CMakeLists.txt" kind="src" path="base/server/tomcat-8.5/src"/>
 	<classpathentry excluding="**/CMakeLists.txt" kind="src" path="base/common/examples/java"/>
 	<classpathentry excluding="**/CMakeLists.txt" kind="src" path="base/console/src"/>
+	<classpathentry kind="src" path="base/server/tomcat-8.5/src"/>
 	<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER"/>
 	<classpathentry kind="lib" path="/usr/share/java/apache-commons-cli.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/apache-commons-logging.jar"/>

.travis.yml

@@ -10,74 +10,91 @@ jobs:
 
     # F27 Image
     - env:
-        - TASK_TO_RUN="pki-test"
-        - BASE_IMAGE=${IMAGE_REPO:-dogtagpki/pki-ci}:f27_106_46
+        - TASK="PKI Test on F27"
+        - IMAGE=f27_106_46
       before_install:
-        - set -a && source .travis/global_variables
+        - set -a && source travis/global_variables
         - echo -e $gerrit_ssh_key >> ~/.ssh/id_rsa && chmod 600 ~/.ssh/id_rsa
-        # Post the Travis Build URL
-        - TRAVIS_BUILD_URL="https://travis-ci.org/$TRAVIS_REPO_SLUG/builds/$TRAVIS_BUILD_ID"
-        - MESSAGE="$(printf "Build Started.\nTravis Build:"${TRAVIS_BUILD_URL})"
-        - .travis/set_gerrit_message.sh -m "${MESSAGE}"
-      install: .travis/init_task.sh | tee /dev/tty | grep -Eo '(http|https)://transfer.sh/[a-zA-Z0-9./?=_-]*.txt' | uniq >> ${TRANSFER_SH_URLS}
+        - touch ${LOGS}
+        - travis/post-test-started.sh
+      install:
+        - travis/builder-init.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/pki-build.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/pki-install.sh
       script:
-        - set -o pipefail
-        - travis_wait 20 .travis/pki-test.sh | tee /dev/tty | grep -Eo '(http|https)://transfer.sh/[a-zA-Z0-9./?=_-]*.txt' | uniq >> ${TRANSFER_SH_URLS}
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/ds-create.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/ca-create.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/kra-create.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/ocsp-create.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/tks-create.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/tps-create.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/tps-remove.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/tks-remove.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/ocsp-remove.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/kra-remove.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/ca-remove.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/ds-remove.sh
       after_failure:
-        # Post the URL of Travis Job that failed
-        - TRAVIS_JOB_URL="https://travis-ci.org/$TRAVIS_REPO_SLUG/jobs/$TRAVIS_JOB_ID"
-        - MESSAGE="$(printf "Job 1 Failed\nTravis Job:"${TRAVIS_JOB_URL}"\n\nLogs:\n" )"$'\n'"$(cat ${TRANSFER_SH_URLS})"
-        - .travis/set_gerrit_message.sh -v -1 -m "${MESSAGE}"
+        - travis/post-test-failed.sh
       after_script:
-        - cat ${TRANSFER_SH_URLS}
+        - cat ${LOGS}
         - docker kill ${CONTAINER}
         - docker rm ${CONTAINER}
 
     - env:
-        - TASK_TO_RUN="ipa-test"
-        - BASE_IMAGE=${IMAGE_REPO:-dogtagpki/pki-ci}:f27_106_46
+        - TASK="IPA Test on F27"
+        - IMAGE=f27_106_46
       before_install:
-        - set -a && source .travis/global_variables
+        - set -a && source travis/global_variables
         - echo -e $gerrit_ssh_key >> ~/.ssh/id_rsa && chmod 600 ~/.ssh/id_rsa
-      install: .travis/init_task.sh
-      script: travis_wait 20 .travis/ipa-test.sh
+        - touch ${LOGS}
+      install:
+        - travis/builder-init.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/pki-build.sh --with-pkgs=base,server,ca,kra
+        - travis/ipa-init.sh
+      script:
+        - travis_wait 20 travis/ipa-test.sh
       after_failure:
-        - docker exec ${CONTAINER} journalctl  -l > ${SYSTEMD_LOG}
-        - echo "Uploading CI Logs to transfer.sh ..."
-        - curl -w "\n" --upload-file ./${SYSTEMD_LOG} https://transfer.sh/systemd_logs.txt > ${TRANSFER_SH_URLS}
-        - curl -w "\n" --upload-file ./${CI_RESULTS_LOG} https://transfer.sh/freeipa-integration.txt >> ${TRANSFER_SH_URLS}
-        # Post the URL of Travis Job that failed
-        - TRAVIS_JOB_URL="https://travis-ci.org/$TRAVIS_REPO_SLUG/jobs/$TRAVIS_JOB_ID"
-        - MESSAGE="$(printf "Job 2 Failed\nTravis Job:"${TRAVIS_JOB_URL}"\n\nLogs:\n" )"$'\n'"$(cat ${TRANSFER_SH_URLS})"
-        - .travis/set_gerrit_message.sh -v -1 -m "${MESSAGE}"
+        - travis/post-test-failed.sh
       after_script:
-        - cat ${TRANSFER_SH_URLS}
+        - cat ${LOGS}
         - docker kill ${CONTAINER}
         - docker rm ${CONTAINER}
 
     # F28 image
     - env:
-        - TASK_TO_RUN="pki-test"
-        - BASE_IMAGE=${IMAGE_REPO:-dogtagpki/pki-ci}:f28_106_46
+        - TASK="PKI Test on F28"
+        - IMAGE=f28_106_46
       before_install:
-        - set -a && source .travis/global_variables
+        - set -a && source travis/global_variables
         - echo -e $gerrit_ssh_key >> ~/.ssh/id_rsa && chmod 600 ~/.ssh/id_rsa
-      install: .travis/init_task.sh | tee /dev/tty | grep -Eo '(http|https)://transfer.sh/[a-zA-Z0-9./?=_-]*.txt' | uniq >> ${TRANSFER_SH_URLS}
+        - touch ${LOGS}
+      install:
+        - travis/builder-init.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/pki-build.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/pki-install.sh
       script:
-        - set -o pipefail
-        - travis_wait 20 .travis/pki-test.sh | tee /dev/tty | grep -Eo '(http|https)://transfer.sh/[a-zA-Z0-9./?=_-]*.txt' | uniq >> ${TRANSFER_SH_URLS}
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/ds-create.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/ca-create.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/kra-create.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/ocsp-create.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/tks-create.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/tps-create.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/tps-remove.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/tks-remove.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/ocsp-remove.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/kra-remove.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/ca-remove.sh
+        - docker exec -i ${CONTAINER} ${SCRIPTDIR}/ds-remove.sh
       after_failure:
-        # Post the URL of Travis Job that failed
-        - TRAVIS_JOB_URL="https://travis-ci.org/$TRAVIS_REPO_SLUG/jobs/$TRAVIS_JOB_ID"
-        - MESSAGE="$(printf "Job 3 Failed\nTravis Job:"${TRAVIS_JOB_URL}"\n\nLogs:\n" )"$'\n'"$(cat ${TRANSFER_SH_URLS})"
-        - .travis/set_gerrit_message.sh -v -1 -m "${MESSAGE}"
+        - travis/post-test-failed.sh
       after_script:
-        - cat ${TRANSFER_SH_URLS}
+        - cat ${LOGS}
         - docker kill ${CONTAINER}
         - docker rm ${CONTAINER}
 
     - stage: Verification Label
-      before_install: echo -e $gerrit_ssh_key >> ~/.ssh/id_rsa && chmod 600 ~/.ssh/id_rsa
+      before_install:
+        - echo -e $gerrit_ssh_key >> ~/.ssh/id_rsa && chmod 600 ~/.ssh/id_rsa
       script:
-        - MESSAGE="$(printf "Travis Build Successful.")"
-        - .travis/set_gerrit_message.sh -v +1 -m "${MESSAGE}"
+        - travis/post-test-passed.sh

.travis/01-install-dependencies

-#!/bin/bash
-
-## prepare additional build dependencies
-dnf builddep -y --spec ${BUILDDIR}/pki/specs/$1.spec.in
\ No newline at end of file

.travis/10-compose-rpms

-#!/bin/bash
-set -e
-
-BUILDLOG=/tmp/compose_$1.log
-
-function compose {
-    pushd ${BUILDDIR}/pki
-    sudo -u ${BUILDUSER} -- ./scripts/$1 rpms
-    popd
-}
-
-function upload {
-    if test -f $BUILDLOG; then
-        echo "Uploading build log to transfer"
-        curl --upload-file $BUILDLOG https://transfer.sh/pkitravis_$1.txt
-        # Add new line for readability of logs
-        printf "\n\n=====================================\n\n"
-    fi
-}
-
-if test "${TRAVIS}" != "true"; then
-    compose
-else
-    trap "upload $1" EXIT
-    echo "Runing $1 rpms."
-    echo "Build log will be posted to transfer.sh"
-    echo $(date) > $BUILDLOG
-    echo "Travis job ${TRAVIS_JOB_NUMBER}" >> $BUILDLOG
-    compose $1>>$BUILDLOG 2>&1
-fi
\ No newline at end of file

.travis/40-spawn-ca

-#!/bin/bash
-set -e
-
-pkispawn -vv -f ${BUILDDIR}/pki/.travis/pki.cfg -s CA

.travis/50-spawn-kra

-#!/bin/bash
-set -e
-
-pkispawn -vv -f ${BUILDDIR}/pki/.travis/pki.cfg -s KRA

.travis/99-destroy

-#!/bin/bash
-set -e
-
-if [ -d /etc/pki/pkitest/kra ]; then
-    pkidestroy -v -i pkitest -s KRA
-fi
-
-pkidestroy -v -i pkitest -s CA
-
-remove-ds.pl -f -i slapd-pkitest
-

.travis/global_variables

-CONTAINER=pkitest
-SCRIPTDIR=/tmp/workdir/pki/.travis
-SYSTEMD_LOG=systemd_log.log
-CI_RESULTS_LOG="ci_results_${TRAVIS_BRANCH}.log"
-CI_RUNNER_LOG_ARCHIVE="dogtag-ci-job-${TRAVIS_JOB_NUMBER}.tar.gz"
-RPMS_LOCATION=/tmp/workdir/packages/RPMS
-DOGTAG_PKI_RPMS=${TRAVIS_BUILD_DIR}/dogtag_rpms
-TRANSFER_SH_URLS=message.txt
\ No newline at end of file

.travis/py3rewrite

-#!/usr/bin/python3
-import os
-import shutil
-
-from distutils.sysconfig import get_python_lib
-
-
-BUILDDIR = os.environ['BUILDDIR']
-PKIBASE = os.path.join(BUILDDIR, 'pki', 'base')
-PKICLIENT = os.path.join(PKIBASE, 'common', 'python', 'pki')
-PKISERVER = os.path.join(PKIBASE, 'server', 'python', 'pki', 'server')
-PKISBIN = os.path.join(PKIBASE, 'server', 'sbin')
-
-SITEPACKAGES = get_python_lib()
-
-
-def copyfiles():
-    shutil.rmtree(os.path.join(SITEPACKAGES, 'pki'))
-    shutil.copytree(
-        PKICLIENT,
-        os.path.join(SITEPACKAGES, 'pki')
-    )
-    shutil.copytree(
-        PKISERVER,
-        os.path.join(SITEPACKAGES, 'pki', 'server')
-    )
-
-
-if __name__ == '__main__':
-    copyfiles()

CMakeLists.txt

@@ -6,16 +6,23 @@ cmake_minimum_required(VERSION 2.6.0)
 # global needed variables
 set(APPLICATION_NAME ${PROJECT_NAME})
 
+# Suppress install messages
+set(CMAKE_INSTALL_MESSAGE NEVER)
+
 # Un-comment the following line to add 'javac' options (e. g. - "-g" debugging)
-#set(CMAKE_JAVA_COMPILE_FLAGS "-g")
+set(CMAKE_JAVA_COMPILE_FLAGS "-Xlint:deprecation")
 
 if (NOT DEFINED VERSION)
     set(VERSION "10.0.0")
 endif(NOT DEFINED VERSION)
 
-if (NOT DEFINED PKI_NSS_DB_TYPE)
-    set(PKI_NSS_DB_TYPE "dbm")
-endif(NOT DEFINED PKI_NSS_DB_TYPE)
+if (NOT DEFINED NSS_DEFAULT_DB_TYPE)
+    set(NSS_DEFAULT_DB_TYPE "dbm")
+endif(NOT DEFINED NSS_DEFAULT_DB_TYPE)
+
+if (NOT DEFINED THEME)
+    set(VERSION "dogtag")
+endif(NOT DEFINED THEME)
 
 string(REGEX REPLACE "^([0-9]+).*" "\\1" APPLICATION_VERSION_MAJOR ${VERSION})
 string(REGEX REPLACE "^[0-9]+\\.([0-9]+).*" "\\1" APPLICATION_VERSION_MINOR ${VERSION})
@@ -80,12 +87,12 @@ set(CMAKE_THREAD_PREFER_PTHREADS ON)
 find_package(Threads)
 
 # NSS default database type
-if (PKI_NSS_DB_TYPE STREQUAL "dbm")
+if (NSS_DEFAULT_DB_TYPE STREQUAL "dbm")
     message(STATUS "Using old 'dbm' format for NSS_DEFAULT_DB_TYPE")
-elseif (PKI_NSS_DB_TYPE STREQUAL "sql")
+elseif (NSS_DEFAULT_DB_TYPE STREQUAL "sql")
     message(STATUS "Using new 'sql' format for NSS_DEFAULT_DB_TYPE")
 else()
-    message(FATAL_ERROR "Unsupported PKI_NSS_DB_TYPE=${PKI_NSS_DB_TYPE}")
+    message(FATAL_ERROR "Unsupported NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE}")
 endif()
 
 # Detect default Python interpreter
@@ -138,9 +145,6 @@ if (BUILD_PKI_CORE OR BUILD_PKI_CONSOLE)
     add_subdirectory(base)
 endif ()
 
-# 'Themes' MUST be "mutually-exclusive"!
-if (BUILD_DOGTAG_PKI_THEME)
-    add_subdirectory(dogtag)
-elseif (BUILD_REDHAT_PKI_THEME)
-    add_subdirectory(redhat)
+if (NOT "${THEME}" STREQUAL "")
+    add_subdirectory(themes)
 endif ()

README

-# BEGIN COPYRIGHT BLOCK
-# (C) 2008 Red Hat, Inc.
-# All rights reserved.
-# END COPYRIGHT BLOCK
-
-This Certificate System is open-source software.
-
-Please comply with the LICENSE contained in each of
-the individual components, and the EXPORT CONTROL
-regulations defined at:
-
-    http://www.dogtagpki.org/wiki/PKI_Download
-
-
-These directories contain the following:
-
-   CMakeLists.txt
-   COPYING
-   cmake/    - These files and this directory contain
-               the top-level files necessary to integrate
-               the CMake build system in pki.
-
-    README   - This file.
-
-    base/    - Contains most of the base source code
-               needed to build this project.  Note that
-               this directory does NOT contain
-               implementation specific user-interface
-               components required to build a working
-               Certificate System.
-
-    dogtag/  - Contains the scripts and user-interface
-               components necessary to build a sample
-               working "Dogtag Certificate System".
-               The scripts in this directory leverage
-               the base source code located in the
-               "base/" directory, and are known to
-               work on both 32-bit and 64-bit
-               "Fedora" operating systems.  Users
-               who wish to experiment with this project
-               should focus on this directory first.
-
-    scripts/ - Contains "scripts" used by this
-               certificate system.  This directory
-               contains numerous "compose" scripts
-               useful for building RPMS/SRPMS of the
-               various certificate system components.
-
-    specs/   - Contains RPM spec files used for
-               building RPMS/SRPMS of the various
-               certificate system components.
-
-    tools/   - Contains utilities useful to
-               certificate system components.
-
-Detailed instructions for building, installing, and
-running this project are located at:
-
-    http://www.dogtagpki.org/wiki/PKI_Main_Page
-

README.md

+Dogtag PKI
+==========
+
+[![Build Status](https://travis-ci.org/dogtagpki/pki-nightly-test.svg?branch=master)](https://travis-ci.org/dogtagpki/pki-nightly-test)
+
+(C) 2008 Red Hat, Inc.
+All rights reserved.
+
+This Certificate System is open-source software.
+
+Please comply with the LICENSE contained in each of
+the individual components, and the EXPORT CONTROL
+regulations defined at:
+
+http://www.dogtagpki.org/wiki/PKI_Download
+
+These directories contain the following:
+
+* CMakeLists.txt
+* LICENSE
+* cmake
+
+  These files and this directory contain
+  the top-level files necessary to integrate
+  the CMake build system in pki.
+
+* README.md
+
+  This file.
+
+* base
+
+  Contains most of the base source code
+  needed to build this project.  Note that
+  this directory does NOT contain
+  implementation specific user-interface
+  components required to build a working
+  Certificate System.
+
+* themes
+
+  Contains the scripts and user-interface
+  components to customize PKI web UI and
+  console.
+
+* scripts
+
+  Contains "scripts" used by this
+  certificate system.  This directory
+  contains numerous "compose" scripts
+  useful for building RPMS/SRPMS of the
+  various certificate system components.
+
+* tools
+
+  Contains utilities useful to
+  certificate system components.
+
+Detailed instructions for building, installing, and
+running this project are located at:
+
+http://www.dogtagpki.org/wiki/PKI_Main_Page
+

base/ca/shared/conf/CS.cfg

@@ -909,7 +909,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
 log.instance.SignedAudit._006=##
 log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CERT_PROFILE_APPROVAL,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_ACL,CONFIG_DRM,AUTHORITY_CONFIG
 log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
 log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
 log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure)

base/ca/shared/conf/eccAdminCert.profile

+#
+# Admin Certificate
+#
+id=adminCert.profile
+name=All Purpose admin cert with ECC keys Profile
+description=This profile creates an administrator's certificate with ECC keys
+profileIDMapping=caAdminCert
+profileSetIDMapping=adminCertSet
+list=2,4,5,6,7
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
+2.default.name=Validity Default
+2.default.params.range=720
+2.default.params.startTime=0
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+4.default.name=Authority Key Identifier Default
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+5.default.name=AIA Extension Default
+5.default.params.authInfoAccessADEnable_0=true
+5.default.params.authInfoAccessADLocationType_0=URIName
+5.default.params.authInfoAccessADLocation_0=
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+5.default.params.authInfoAccessCritical=false
+5.default.params.authInfoAccessNumADs=1
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+6.default.name=Key Usage Default
+6.default.params.keyUsageCritical=true
+6.default.params.keyUsageDigitalSignature=true
+6.default.params.keyUsageNonRepudiation=true
+6.default.params.keyUsageDataEncipherment=true
+6.default.params.keyUsageKeyEncipherment=false
+6.default.params.keyUsageKeyAgreement=true
+6.default.params.keyUsageKeyCertSign=false
+6.default.params.keyUsageCrlSign=false
+6.default.params.keyUsageEncipherOnly=false
+6.default.params.keyUsageDecipherOnly=false
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+7.default.name=Extended Key Usage Extension Default
+7.default.params.exKeyUsageCritical=false
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4

base/ca/shared/conf/eccServerCert.profile

+#
+# ECC Server Certificate
+#
+id=serverCert.profile
+name=All Purpose SSL server cert with ECC keys Profile
+description=This profile creates an SSL server certificate with ECC keys that is valid for SSL servers
+profileIDMapping=caECServerCert
+profileSetIDMapping=serverCertSet
+list=2,4,5,6,7
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
+2.default.name=Validity Default
+2.default.params.range=720
+2.default.params.startTime=0
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+4.default.name=Authority Key Identifier Default
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+5.default.name=AIA Extension Default
+5.default.params.authInfoAccessADEnable_0=true
+5.default.params.authInfoAccessADLocationType_0=URIName
+5.default.params.authInfoAccessADLocation_0=
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+5.default.params.authInfoAccessCritical=false
+5.default.params.authInfoAccessNumADs=1
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+6.default.name=Key Usage Default
+6.default.params.keyUsageCritical=true
+6.default.params.keyUsageDigitalSignature=true
+6.default.params.keyUsageNonRepudiation=false
+6.default.params.keyUsageDataEncipherment=true
+6.default.params.keyUsageKeyEncipherment=false
+6.default.params.keyUsageKeyAgreement=true
+6.default.params.keyUsageKeyCertSign=false
+6.default.params.keyUsageCrlSign=false
+6.default.params.keyUsageEncipherOnly=false
+6.default.params.keyUsageDecipherOnly=false
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+7.default.name=Extended Key Usage Extension Default
+7.default.params.exKeyUsageCritical=false
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1

base/ca/shared/conf/eccSubsystemCert.profile

+#
+# ECC Subsystem Certificate
+#
+id=subsystemCert.profile
+name=Subsystem cert with ECC keys Profile
+description=This profile creates a subsystem certificate with ECC keys that is valid for SSL clients
+profileIDMapping=caECSubsystemCert
+profileSetIDMapping=serverCertSet
+list=2,4,5,6,7
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
+2.default.name=Validity Default
+2.default.params.range=720
+2.default.params.startTime=0
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+4.default.name=Authority Key Identifier Default
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+5.default.name=AIA Extension Default
+5.default.params.authInfoAccessADEnable_0=true
+5.default.params.authInfoAccessADLocationType_0=URIName
+5.default.params.authInfoAccessADLocation_0=
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+5.default.params.authInfoAccessCritical=false
+5.default.params.authInfoAccessNumADs=1
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+6.default.name=Key Usage Default
+6.default.params.keyUsageCritical=true
+6.default.params.keyUsageDigitalSignature=true
+6.default.params.keyUsageNonRepudiation=false
+6.default.params.keyUsageDataEncipherment=true
+6.default.params.keyUsageKeyEncipherment=false
+6.default.params.keyUsageKeyAgreement=true
+6.default.params.keyUsageKeyCertSign=false
+6.default.params.keyUsageCrlSign=false
+6.default.params.keyUsageEncipherOnly=false
+6.default.params.keyUsageDecipherOnly=false
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+7.default.name=Extended Key Usage Extension Default
+7.default.params.exKeyUsageCritical=false
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2

base/ca/shared/conf/registry.cfg

 types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater
-constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl
+constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcSelfSignedSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl
 constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint
 constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint
 constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint
@@ -36,9 +36,12 @@ constraintPolicy.uniqueSubjectNameConstraintImpl.name=Unique Subject Name Constr
 constraintPolicy.userSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.UserSubjectNameConstraint
 constraintPolicy.userSubjectNameConstraintImpl.desc=User Subject Name Constraint
 constraintPolicy.userSubjectNameConstraintImpl.name=User Subject Name Constraint
+constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCSelfSignedSubjectNameConstraint
+constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.desc=CMC Self-Signed request User Subject Name Constraint
+constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.name=CMC Self-Signed request User Subject Name Constraint
 constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCUserSignedSubjectNameConstraint
-constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User Subject Name Constraint
-constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User Subject Name Constraint
+constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User-Signed request User Subject Name Constraint
+constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User-Signed request User Subject Name Constraint
 constraintPolicy.validityConstraintImpl.class=com.netscape.cms.profile.constraint.ValidityConstraint
 constraintPolicy.validityConstraintImpl.desc=Validity Constraint
 constraintPolicy.validityConstraintImpl.name=Validity Constraint

base/ca/shared/conf/serverCert.profile → base/ca/shared/conf/rsaServerCert.profile

@@ -6,7 +6,7 @@ name=All Purpose SSL server cert Profile
 description=This profile creates an SSL server certificate that is valid for SSL servers
 profileIDMapping=caServerCert
 profileSetIDMapping=serverCertSet
-list=2,4,5,6,7
+list=2,4,5,6,7,8
 2.default.class=com.netscape.cms.profile.def.ValidityDefault
 2.default.name=Validity Default
 2.default.params.range=720
@@ -37,3 +37,5 @@ list=2,4,5,6,7
 7.default.name=Extended Key Usage Extension Default
 7.default.params.exKeyUsageCritical=false
 7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+8.default.class=com.netscape.cms.profile.def.CommonNameToSANDefault
+8.default.name=Copy Common Name to Subjec Alternative Name Extension