
X.509 Profiles in SeaCat PKI

X.509 profiles are used to automatically generate certificates from CSRs.

A profile is applied in the PUT /{tenant}/x509/csr call.

Profiles are stored in a dedicated directory whose location is set in the configuration:

[seacatpki:x509:profile]
path=/var/lib/seacat-pki/profiles/

The structure of the profile directory:

/var/lib/seacat-pki/profiles/<tenant>/<profile>.yaml

The default profile is named default.

Important

If you operate the TeskaLabs SeaCat PKI in the cluster, make sure that profiles are identical on each cluster node.

Example profile

ca: default

renew:
  days: 30  # 30 days before expiration

subject:
  L:
    # Set `L` to `London`
    action: set
    value: London

  CN:
    # Copy `CN` from the CSR, validate by the regex
    action: csr
    regex: .{3,30}

not_before:
  # Set `not_before` to today (midnight)
  action: today

not_after:
  # Set `not_after` to 90 days from `not_before`
  action: duration
  days: 90

signature_algorithm: sha256

extensions:
  subject_key_identifier:
    enabled: false
    critical: false

  authority_key_identifier:
    enabled: true
    critical: false

  basic_constraints:
    critical: true
    ca: false

  key_usage:
    critical: false
    values:
    - digital_signature
    - key_encipherment

  extended_key_usage:
    critical: false
    values: []
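To make the subject rules concrete, here is an added example (my own code, not part of SeaCat PKI or its documentation) that evaluates a profile like the one above against the subject of an incoming CSR. The profile is embedded as a Python mapping that mirrors the YAML; `set` always wins over whatever the requester put in the CSR, `csr` copies the attribute and validates it. Two assumptions are mine, not the page's: the regex is applied as a full match (so an unanchored `.{3,30}` still bounds the whole value), and CSR attributes the profile does not mention are dropped rather than copied through.

```python
import datetime as dt
import re

# Constructed in-memory equivalent of the example profile above.
# Assumption: the YAML loads to this mapping; the real loader is SeaCat PKI's.
PROFILE = {
    "ca": "default",
    "renew": {"days": 30},
    "subject": {
        "L": {"action": "set", "value": "London"},
        "CN": {"action": "csr", "regex": ".{3,30}"},
    },
    "not_before": {"action": "today"},
    "not_after": {"action": "duration", "days": 90},
    "signature_algorithm": "sha256",
    "extensions": {
        "basic_constraints": {"critical": True, "ca": False},
        "key_usage": {"critical": False,
                      "values": ["digital_signature", "key_encipherment"]},
    },
}


class ProfileViolation(ValueError):
    """Raised when the CSR does not satisfy the profile, so no certificate is issued."""


def apply_subject(profile_subject, csr_subject):
    """Build the certificate subject from the profile rules and the CSR subject.

    action: set -> the profile value wins, whatever the CSR says
    action: csr -> the value is copied from the CSR and must match the regex
    Attributes in the CSR that the profile does not mention are dropped
    (assumption for this example). The regex is checked with re.fullmatch,
    which is this example's choice, not a statement about SeaCat PKI.
    """
    subject = {}
    for attr, rule in profile_subject.items():
        action = rule.get("action")
        if action == "set":
            subject[attr] = rule["value"]
        elif action == "csr":
            value = csr_subject.get(attr)
            if value is None:
                raise ProfileViolation(f"CSR lacks required subject attribute {attr}")
            pattern = rule.get("regex", ".*")
            if re.fullmatch(pattern, value) is None:
                raise ProfileViolation(f"{attr}={value!r} does not match {pattern!r}")
            subject[attr] = value
        else:
            raise ProfileViolation(f"unknown subject action {action!r} for {attr}")
    return subject


def compute_validity(profile, today=None):
    """Resolve not_before (today at midnight, UTC) and not_after (not_before + days)."""
    if today is None:
        today = dt.datetime.now(dt.timezone.utc).date()
    elif isinstance(today, str):
        today = dt.date.fromisoformat(today)
    if profile["not_before"]["action"] != "today":
        raise ProfileViolation("only the 'today' not_before action is handled here")
    if profile["not_after"]["action"] != "duration":
        raise ProfileViolation("only the 'duration' not_after action is handled here")
    not_before = dt.datetime.combine(today, dt.time.min, tzinfo=dt.timezone.utc)
    not_after = not_before + dt.timedelta(days=profile["not_after"]["days"])
    return not_before, not_after


def build_certificate_spec(profile, csr_subject, today=None):
    """Combine subject, validity window and extensions into what the CA would sign."""
    not_before, not_after = compute_validity(profile, today)
    return {
        "ca": profile["ca"],
        "subject": apply_subject(profile["subject"], csr_subject),
        "not_before": not_before,
        "not_after": not_after,
        "signature_algorithm": profile["signature_algorithm"],
        "extensions": profile.get("extensions", {}),
    }


if __name__ == "__main__":
    # Constructed CSR subject: the requester asks for L=Paris and an O the
    # profile never mentions; the profile forces L=London and drops O.
    csr = {"CN": "device-0001", "L": "Paris", "O": "Untrusted Org"}
    spec = build_certificate_spec(PROFILE, csr, today="2024-01-01")
    print(spec["subject"])           # {'L': 'London', 'CN': 'device-0001'}
    print(spec["not_after"].date())  # 2024-03-31
```

The point worth checking in a real deployment is the matching semantics of `regex`: if the evaluator uses a search rather than a full match, an unanchored pattern such as `.{3,30}` accepts a CN of any length, so anchoring patterns explicitly (`^...$`) is the safer way to write a profile.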

SCEP profile

ca: default

# /CN=TestCA/C=CZ/L=Prague/O=TeskaLabs Ltd/OU=SeaCat
subject:
  CN:
    # Copy `CN` from the CSR, validate by the regex
    action: csr
    regex: .{3,30}

  C:
    # Copy `C` from the CSR, validate by the regex
    action: csr
    regex: .{2}

  L:
    # Copy `L` from the CSR, validate by the regex
    action: csr
    regex: .{3,30}

  O:
    # Copy `O` from the CSR, validate by the regex
    action: csr
    regex: .{3,30}

  OU:
    # Copy `OU` from the CSR, validate by the regex
    action: csr
    regex: .{3,30}

not_before:
  # Set `not_before` to today (midnight)
  action: today

not_after:
  # Set `not_after` to 90 days from `not_before`
  action: duration
  days: 90

signature_algorithm: sha256

extensions:
  subject_key_identifier:
    enabled: false
    critical: false

  authority_key_identifier:
    enabled: true
    critical: false

  basic_constraints:
    critical: true
    ca: false

  key_usage:
    critical: false
    values:
    - digital_signature
    - key_encipherment

  extended_key_usage:
    critical: false
    values: []

DLMS/COSEM profile

ca: default

renew:
  days: 30  # 30 days before expiration

subject:
  CN:
    # Copy `CN` from the CSR, validate by the regex
    # It is a 16-character hexadecimal encoding of the DLMS/COSEM system title
    action: csr
    regex: ^[A-F0-9]{16}$

not_before:
  # Set `not_before` to today (midnight)
  action: today

not_after:
  # Set `not_after` to 365 days from `not_before`
  action: duration
  days: 365

signature_algorithm: sha384

extensions:
  authority_key_identifier:
    enabled: true
    critical: false

  basic_constraints:
    critical: true
    ca: false

  key_usage:
    critical: false
    values:
    - digital_signature
    - key_encipherment