CARA Bootstrapping: XML Templates
| The final name of each XML file is derived from your instance name. For example, if you are creating an instance for MTG AG, the final name of this template will be MTG AG ERS Server Certificate. |
| The %s variables are placeholders whose values are filled in dynamically from the variables you have already chosen. |
ERS Server Certificate
Server Certificate (TLS)
<?xml version="1.0" encoding="UTF-8"?>
<!-- ERS Server Certificate: end-entity template for a TLS server.
     Every %s token below is substituted by the CARA bootstrap from values chosen earlier. -->
<certificateTemplate xmlns="http://cara2.project.mtg/certificate/template" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<x509CertificateTemplate>
<!-- 126 random bits of serial: far more than the 64 bits of CSPRNG output the CA/Browser Forum
     Baseline Requirements demand, and short enough (16 octets) that the DER INTEGER stays positive
     within the 20-octet limit of RFC 5280. -->
<randomSerialNumber bitLength="126"/>
<!-- Subject DN attributes, addressed by OID. Only CN (2.5.4.3) is mandatory in this template. -->
<dnDefinition>
<dnAttribute><oid>2.5.4.6</oid><identName>C</identName></dnAttribute>
<dnAttribute><oid>2.5.4.10</oid><identName>O</identName></dnAttribute>
<dnAttribute><oid>2.5.4.11</oid><identName>OU</identName></dnAttribute>
<dnAttribute mandatory="true"><oid>2.5.4.3</oid><identName>CN</identName></dnAttribute>
</dnDefinition>
<extensions>
<!-- Key identifiers for chain building (issuer key id, subject key id). -->
<extension><authorityKeyIdentifier><keyIdentifier/></authorityKeyIdentifier></extension>
<extension><subjectKeyIdentifier/></extension>
<!-- keyUsage is the only critical extension. digitalSignature alone is sufficient for TLS 1.3 and for
     ECDHE cipher suites. NOTE(review): an RSA key used with legacy RSA key-exchange suites would also
     need keyEncipherment; confirm that is not required before relying on this template. -->
<extension critical="true"><keyUsage digitalSignature="true"/></extension>
<!-- End entity: this certificate cannot issue other certificates. -->
<extension><basicConstraints ca="false"/></extension>
<!-- Server-only EKU. clientAuth is explicitly disabled; the Machine Certificate template enables both. -->
<extension><extendedKeyUsage clientAuth="false" serverAuth="true"/></extension>
<extension>
<!-- Up to ten DNS names and ten IP addresses, taken from the id.dnsName1..10 and id.ipAddress1..10
     variables. Presumably slots that are left empty are dropped from the SAN; confirm with the template
     processor, since an empty dnsName entry would yield an unusable certificate. -->
<subjectAltName>
<generalName><dnsNameType><identName>id.dnsName1</identName></dnsNameType></generalName>
<generalName><dnsNameType><identName>id.dnsName2</identName></dnsNameType></generalName>
<generalName><dnsNameType><identName>id.dnsName3</identName></dnsNameType></generalName>
<generalName><dnsNameType><identName>id.dnsName4</identName></dnsNameType></generalName>
<generalName><dnsNameType><identName>id.dnsName5</identName></dnsNameType></generalName>
<generalName><dnsNameType><identName>id.dnsName6</identName></dnsNameType></generalName>
<generalName><dnsNameType><identName>id.dnsName7</identName></dnsNameType></generalName>
<generalName><dnsNameType><identName>id.dnsName8</identName></dnsNameType></generalName>
<generalName><dnsNameType><identName>id.dnsName9</identName></dnsNameType></generalName>
<generalName><dnsNameType><identName>id.dnsName10</identName></dnsNameType></generalName>
<generalName><ipAddressType><identName>id.ipAddress1</identName></ipAddressType></generalName>
<generalName><ipAddressType><identName>id.ipAddress2</identName></ipAddressType></generalName>
<generalName><ipAddressType><identName>id.ipAddress3</identName></ipAddressType></generalName>
<generalName><ipAddressType><identName>id.ipAddress4</identName></ipAddressType></generalName>
<generalName><ipAddressType><identName>id.ipAddress5</identName></ipAddressType></generalName>
<generalName><ipAddressType><identName>id.ipAddress6</identName></ipAddressType></generalName>
<generalName><ipAddressType><identName>id.ipAddress7</identName></ipAddressType></generalName>
<generalName><ipAddressType><identName>id.ipAddress8</identName></ipAddressType></generalName>
<generalName><ipAddressType><identName>id.ipAddress9</identName></ipAddressType></generalName>
<generalName><ipAddressType><identName>id.ipAddress10</identName></ipAddressType></generalName>
</subjectAltName>
</extension>
<!-- Revocation information. Plain http is the usual choice for CRL and OCSP URLs: fetching them over
     https would require validating yet another certificate first. Host and path placeholders are
     filled at bootstrap; the trailing %s inside URL is an additional element supplied by the bootstrap. -->
<extension><crlDistributionPoint><URL><part><default>http://%s/rev-info/crl/%s</default></part>%s</URL></crlDistributionPoint></extension>
<extension><authorityInfoAccess><accessMethod><OCSP>http://%s/rev-info/ocsp</OCSP></accessMethod></authorityInfoAccess></extension>
</extensions>
<!-- Default signature algorithm is chosen at bootstrap. -->
<signature><algorithm><default>%s</default></algorithm></signature>
<!-- Three years is both the hard maximum and the default lifetime. NOTE(review): the shell verify
     model with cutToParentValidity="true" appears to clip notAfter to the issuing CA's own notAfter;
     confirm against the CARA documentation. -->
<validity>
<max>
<year>3</year>
<month>0</month>
<day>0</day></max>
<default>
<year>3</year>
<month>0</month>
<day>0</day>
</default>
<verifyModel><shell cutToParentValidity="true"/></verifyModel>
</validity>
</x509CertificateTemplate>
</certificateTemplate>
ERS Machine Certificate
Machine Certificate (TLS)
<?xml version="1.0" encoding="UTF-8"?>
<!-- ERS Machine Certificate: end-entity TLS template usable for both server and client authentication.
     Every %s token below is substituted by the CARA bootstrap from values chosen earlier. -->
<certificateTemplate xmlns="http://cara2.project.mtg/certificate/template" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<x509CertificateTemplate>
<!-- 126 random serial bits: comfortably above the 64 bits of CSPRNG output the CA/Browser Forum
     Baseline Requirements demand, and within the 20-octet positive INTEGER limit of RFC 5280. -->
<randomSerialNumber bitLength="126"/>
<!-- Subject DN attributes by OID; only CN (2.5.4.3) is mandatory. -->
<dnDefinition>
<dnAttribute><oid>2.5.4.6</oid><identName>C</identName></dnAttribute>
<dnAttribute><oid>2.5.4.10</oid><identName>O</identName></dnAttribute>
<dnAttribute><oid>2.5.4.11</oid><identName>OU</identName></dnAttribute>
<dnAttribute mandatory="true"><oid>2.5.4.3</oid><identName>CN</identName></dnAttribute>
</dnDefinition>
<extensions>
<!-- Key identifiers for chain building. -->
<extension><authorityKeyIdentifier><keyIdentifier/></authorityKeyIdentifier></extension>
<extension><subjectKeyIdentifier/></extension>
<!-- Critical keyUsage restricted to digitalSignature. NOTE(review): RSA keys used with legacy RSA
     key-exchange cipher suites would additionally need keyEncipherment; confirm this is not needed. -->
<extension critical="true"><keyUsage digitalSignature="true"/></extension>
<!-- End entity, cannot issue certificates. -->
<extension><basicConstraints ca="false"/></extension>
<!-- Both serverAuth and clientAuth, unlike the Server Certificate template which disables clientAuth. -->
<extension><extendedKeyUsage clientAuth="true" serverAuth="true"/></extension>
<!-- NOTE(review): this template defines no subjectAltName. Modern TLS clients match host names only
     against the SAN, not the CN, so a certificate from this template is not usable for server
     authentication by host name; confirm whether that is intended for machine identities. -->
<!-- Revocation information over plain http (the usual choice, since https would need another
     certificate to be validated first). Placeholders are filled at bootstrap. -->
<extension><crlDistributionPoint><URL><part><default>http://%s/rev-info/crl/%s</default></part>%s</URL></crlDistributionPoint></extension>
<extension><authorityInfoAccess><accessMethod><OCSP>http://%s/rev-info/ocsp</OCSP></accessMethod></authorityInfoAccess></extension>
</extensions>
<!-- Default signature algorithm is chosen at bootstrap. -->
<signature><algorithm><default>%s</default></algorithm></signature>
<!-- Three years as maximum and default; the shell verify model with cutToParentValidity="true"
     appears to clip the lifetime to the issuing CA's validity (confirm in the CARA documentation). -->
<validity>
<max>
<year>3</year>
<month>0</month>
<day>0</day></max>
<default>
<year>3</year>
<month>0</month>
<day>0</day>
</default>
<verifyModel><shell cutToParentValidity="true"/></verifyModel>
</validity>
</x509CertificateTemplate>
</certificateTemplate>
ERS Person Certificate
For use with E-Mail and TLS client authentication (standard certificate for a person)
<?xml version="1.0" encoding="UTF-8"?>
<!-- ERS Person Certificate: end-entity template for e-mail protection and TLS client authentication.
     Every %s token below is substituted by the CARA bootstrap from values chosen earlier. -->
<certificateTemplate xmlns="http://cara2.project.mtg/certificate/template" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<x509CertificateTemplate>
<!-- 126 random serial bits: well above the 64 bits of CSPRNG output required by the CA/Browser Forum
     Baseline Requirements, within the 20-octet positive INTEGER limit of RFC 5280. -->
<randomSerialNumber bitLength="126"/>
<!-- Subject DN attributes by OID. NOTE(review): unlike the Server and Machine templates, CN carries
     no mandatory="true" here, so a request could produce an empty subject. RFC 5280 permits an empty
     subject only when subjectAltName is present and marked critical, which this template does not do;
     confirm whether CN should be mandatory. -->
<dnDefinition>
<dnAttribute><oid>2.5.4.6</oid><identName>C</identName></dnAttribute>
<dnAttribute><oid>2.5.4.10</oid><identName>O</identName></dnAttribute>
<dnAttribute><oid>2.5.4.11</oid><identName>OU</identName></dnAttribute>
<dnAttribute><oid>2.5.4.3</oid><identName>CN</identName></dnAttribute>
</dnDefinition>
<extensions>
<!-- Key identifiers for chain building. -->
<extension><authorityKeyIdentifier><keyIdentifier/></authorityKeyIdentifier></extension>
<extension><subjectKeyIdentifier/></extension>
<!-- Critical keyUsage limited to digitalSignature. NOTE(review): S/MIME encryption (receiving
     encrypted mail) with an RSA key needs keyEncipherment, and ECDH keys need keyAgreement; with this
     key usage the certificate is suitable for signing and client authentication only. Confirm that
     matches the intended use, since the description mentions e-mail. -->
<extension critical="true"><keyUsage digitalSignature="true"/></extension>
<!-- End entity, cannot issue certificates. -->
<extension><basicConstraints ca="false"/></extension>
<extension><extendedKeyUsage clientAuth="true" emailProtection="true"/></extension>
<!-- The e-mail address comes from the id.email variable. -->
<extension><subjectAltName><generalName><rfc822NameType><identName>id.email</identName></rfc822NameType></generalName></subjectAltName></extension>
<!-- Revocation information over plain http (the usual choice: https would require validating another
     certificate first). Placeholders are filled at bootstrap. -->
<extension><crlDistributionPoint><URL><part><default>http://%s/rev-info/crl/%s</default></part>%s</URL></crlDistributionPoint></extension>
<extension><authorityInfoAccess><accessMethod><OCSP>http://%s/rev-info/ocsp</OCSP></accessMethod></authorityInfoAccess></extension>
</extensions>
<!-- Default signature algorithm is chosen at bootstrap. -->
<signature><algorithm><default>%s</default></algorithm></signature>
<!-- Three years as maximum and default; the shell verify model with cutToParentValidity="true"
     appears to clip the lifetime to the issuing CA's validity (confirm in the CARA documentation). -->
<validity>
<max>
<year>3</year>
<month>0</month>
<day>0</day></max>
<default>
<year>3</year>
<month>0</month>
<day>0</day>
</default>
<verifyModel><shell cutToParentValidity="true"/></verifyModel>
</validity>
</x509CertificateTemplate>
</certificateTemplate>
ERS User Active Directory (AD) Certificate
For use with E-Mail and TLS client authentication (standard certificate for a user)
<?xml version="1.0" encoding="UTF-8"?>
<!-- ERS User Active Directory (AD) Certificate: end-entity template for a domain user, covering
     e-mail protection, TLS client authentication and smart card logon.
     Every %s token below is substituted by the CARA bootstrap from values chosen earlier. -->
<certificateTemplate xmlns="http://cara2.project.mtg/certificate/template" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<x509CertificateTemplate>
<!-- 126 random serial bits: well above the 64 bits of CSPRNG output required by the CA/Browser Forum
     Baseline Requirements, within the 20-octet positive INTEGER limit of RFC 5280. -->
<randomSerialNumber bitLength="126"/>
<!-- Subject DN attributes by OID. NOTE(review): no attribute is marked mandatory here, so an empty
     subject is possible; RFC 5280 then requires a critical subjectAltName, which this template does
     not set. Confirm whether CN should be mandatory as in the Server and Machine templates. -->
<dnDefinition>
<dnAttribute><oid>2.5.4.6</oid><identName>C</identName></dnAttribute>
<dnAttribute><oid>2.5.4.10</oid><identName>O</identName></dnAttribute>
<dnAttribute><oid>2.5.4.11</oid><identName>OU</identName></dnAttribute>
<dnAttribute><oid>2.5.4.3</oid><identName>CN</identName></dnAttribute>
</dnDefinition>
<extensions>
<!-- Key identifiers for chain building. -->
<extension><authorityKeyIdentifier><keyIdentifier/></authorityKeyIdentifier></extension>
<extension><subjectKeyIdentifier/></extension>
<!-- Critical keyUsage limited to digitalSignature: suitable for signing and authentication; RSA
     S/MIME encryption would additionally need keyEncipherment (confirm this is intended). -->
<extension critical="true"><keyUsage digitalSignature="true"/></extension>
<!-- End entity, cannot issue certificates. -->
<extension><basicConstraints ca="false"/></extension>
<!-- smartcardLogon adds the Microsoft Smart Card Logon EKU on top of the Person template's EKUs. -->
<extension><extendedKeyUsage clientAuth="true" emailProtection="true" smartcardLogon="true"/></extension>
<!-- The e-mail address comes from the id.email variable. NOTE(review): for smart card logon the
     domain maps the certificate to an account; with no UPN or SID in the certificate that mapping
     relies on other fields, so verify the mapping method the domain is configured to accept. -->
<extension><subjectAltName>
<generalName><rfc822NameType><identName>id.email</identName></rfc822NameType></generalName>
</subjectAltName></extension>
<!-- Revocation information over plain http (the usual choice: https would require validating another
     certificate first). Placeholders are filled at bootstrap. -->
<extension><crlDistributionPoint><URL><part><default>http://%s/rev-info/crl/%s</default></part>%s</URL></crlDistributionPoint></extension>
<extension><authorityInfoAccess><accessMethod><OCSP>http://%s/rev-info/ocsp</OCSP></accessMethod></authorityInfoAccess></extension>
<!-- Microsoft Certificate Template Information extension (1.3.6.1.4.1.311.21.7), value taken from the
     id.certTemplateInfo variable. The skip element defaults to true, which presumably omits the
     extension unless the variable is supplied; confirm with the template processor. -->
<extension critical="false">
<skip><identName>id.certTemplateInfo.skip</identName><default>true</default></skip>
<genericExtension><oid>1.3.6.1.4.1.311.21.7</oid><value><identName>id.certTemplateInfo</identName></value></genericExtension>
</extension>
<!-- Microsoft NTDS CA Security extension (1.3.6.1.4.1.311.25.2), which carries the account SID used
     for strong certificate-to-account mapping. Skipped by default like the extension above. With it
     omitted, a domain enforcing strong mapping will reject the certificate for logon, so confirm
     whether the default should be false for this template. -->
<extension critical="false">
<skip><identName>id.ntdsCaSecurityExt.skip</identName><default>true</default></skip>
<genericExtension><oid>1.3.6.1.4.1.311.25.2</oid><value><identName>id.ntdsCaSecurityExt</identName></value></genericExtension>
</extension>
</extensions>
<!-- Default signature algorithm is chosen at bootstrap. -->
<signature><algorithm><default>%s</default></algorithm></signature>
<!-- Three years as maximum and default; the shell verify model with cutToParentValidity="true"
     appears to clip the lifetime to the issuing CA's validity (confirm in the CARA documentation). -->
<validity>
<max>
<year>3</year>
<month>0</month>
<day>0</day></max>
<default>
<year>3</year>
<month>0</month>
<day>0</day>
</default>
<verifyModel><shell cutToParentValidity="true"/></verifyModel>
</validity>
</x509CertificateTemplate>
</certificateTemplate>
ERS Computer Active Directory (AD) Certificate
For use with TLS server authentication
<?xml version="1.0" encoding="UTF-8"?>
<!-- ERS Computer Active Directory (AD) Certificate: end-entity TLS template for a domain-joined
     computer. Every %s token below is substituted by the CARA bootstrap from values chosen earlier. -->
<certificateTemplate xmlns="http://cara2.project.mtg/certificate/template" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<x509CertificateTemplate>
<!-- 126 random serial bits: well above the 64 bits of CSPRNG output required by the CA/Browser Forum
     Baseline Requirements, within the 20-octet positive INTEGER limit of RFC 5280. -->
<randomSerialNumber bitLength="126"/>
<!-- Subject DN attributes by OID. NOTE(review): no attribute is marked mandatory, unlike the Server
     and Machine templates; confirm whether CN should be mandatory="true" here as well. -->
<dnDefinition>
<dnAttribute><oid>2.5.4.6</oid><identName>C</identName></dnAttribute>
<dnAttribute><oid>2.5.4.10</oid><identName>O</identName></dnAttribute>
<dnAttribute><oid>2.5.4.11</oid><identName>OU</identName></dnAttribute>
<dnAttribute><oid>2.5.4.3</oid><identName>CN</identName></dnAttribute>
</dnDefinition>
<extensions>
<!-- Key identifiers for chain building. -->
<extension><authorityKeyIdentifier><keyIdentifier/></authorityKeyIdentifier></extension>
<extension><subjectKeyIdentifier/></extension>
<!-- Critical keyUsage limited to digitalSignature. NOTE(review): RSA keys used with legacy RSA
     key-exchange cipher suites would also need keyEncipherment; confirm this is not required. -->
<extension critical="true"><keyUsage digitalSignature="true"/></extension>
<!-- End entity, cannot issue certificates. -->
<extension><basicConstraints ca="false"/></extension>
<!-- Both serverAuth and clientAuth, although the page description mentions only server authentication. -->
<extension><extendedKeyUsage serverAuth="true" clientAuth="true"/></extension>
<!-- A single DNS name from id.dnsName1 (the Server Certificate template allows up to ten plus IP addresses). -->
<extension><subjectAltName>
<generalName><dnsNameType><identName>id.dnsName1</identName></dnsNameType></generalName>
</subjectAltName></extension>
<!-- Revocation information over plain http (the usual choice: https would require validating another
     certificate first). Placeholders are filled at bootstrap. -->
<extension><crlDistributionPoint><URL><part><default>http://%s/rev-info/crl/%s</default></part>%s</URL></crlDistributionPoint></extension>
<extension><authorityInfoAccess><accessMethod><OCSP>http://%s/rev-info/ocsp</OCSP></accessMethod></authorityInfoAccess></extension>
<!-- Microsoft Certificate Template Information extension (1.3.6.1.4.1.311.21.7), value from the
     id.certTemplateInfo variable. The skip element defaults to true, which presumably omits the
     extension unless the variable is supplied; confirm with the template processor. -->
<extension critical="false">
<skip><identName>id.certTemplateInfo.skip</identName><default>true</default></skip>
<genericExtension><oid>1.3.6.1.4.1.311.21.7</oid><value><identName>id.certTemplateInfo</identName></value></genericExtension>
</extension>
<!-- Microsoft NTDS CA Security extension (1.3.6.1.4.1.311.25.2), carrying the account SID used for
     strong certificate-to-account mapping. Skipped by default; a domain enforcing strong mapping will
     not accept a computer certificate without it, so confirm the intended default. -->
<extension critical="false">
<skip><identName>id.ntdsCaSecurityExt.skip</identName><default>true</default></skip>
<genericExtension><oid>1.3.6.1.4.1.311.25.2</oid><value><identName>id.ntdsCaSecurityExt</identName></value></genericExtension>
</extension>
</extensions>
<!-- Default signature algorithm is chosen at bootstrap. -->
<signature><algorithm><default>%s</default></algorithm></signature>
<!-- Three years as maximum and default; the shell verify model with cutToParentValidity="true"
     appears to clip the lifetime to the issuing CA's validity (confirm in the CARA documentation). -->
<validity>
<max>
<year>3</year>
<month>0</month>
<day>0</day></max>
<default>
<year>3</year>
<month>0</month>
<day>0</day>
</default>
<verifyModel><shell cutToParentValidity="true"/></verifyModel>
</validity>
</x509CertificateTemplate>
</certificateTemplate>
ERS Domain Controller Active Directory (AD) Certificate
For use at domain controllers
<?xml version="1.0" encoding="UTF-8"?>
<!-- ERS Domain Controller Active Directory (AD) Certificate: end-entity template for a domain
     controller (TLS, client authentication, smart card logon and Kerberos KDC authentication).
     Every %s token below is substituted by the CARA bootstrap from values chosen earlier. -->
<certificateTemplate xmlns="http://cara2.project.mtg/certificate/template" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<x509CertificateTemplate>
<!-- 126 random serial bits: well above the 64 bits of CSPRNG output required by the CA/Browser Forum
     Baseline Requirements, within the 20-octet positive INTEGER limit of RFC 5280. -->
<randomSerialNumber bitLength="126"/>
<!-- Subject DN attributes by OID. NOTE(review): no attribute is marked mandatory, unlike the Server
     and Machine templates; confirm whether CN should be mandatory="true" here as well. -->
<dnDefinition>
<dnAttribute><oid>2.5.4.6</oid><identName>C</identName></dnAttribute>
<dnAttribute><oid>2.5.4.10</oid><identName>O</identName></dnAttribute>
<dnAttribute><oid>2.5.4.11</oid><identName>OU</identName></dnAttribute>
<dnAttribute><oid>2.5.4.3</oid><identName>CN</identName></dnAttribute>
</dnDefinition>
<extensions>
<!-- Key identifiers for chain building. -->
<extension><authorityKeyIdentifier><keyIdentifier/></authorityKeyIdentifier></extension>
<extension><subjectKeyIdentifier/></extension>
<!-- Critical keyUsage limited to digitalSignature. NOTE(review): RSA keys used with legacy RSA
     key-exchange cipher suites would also need keyEncipherment; confirm this is not required. -->
<extension critical="true"><keyUsage digitalSignature="true"/></extension>
<!-- End entity, cannot issue certificates. -->
<extension><basicConstraints ca="false"/></extension>
<!-- EKUs for a domain controller. The explicit keyPurposeId 1.3.6.1.5.2.3.5 is id-pkinit-KPKdc
     (RFC 4556 KDC Authentication), which PKINIT clients require when validating the KDC's certificate. -->
<extension>
<extendedKeyUsage serverAuth="true" clientAuth="true" smartcardLogon="true">
<keyPurposeId><default>1.3.6.1.5.2.3.5</default></keyPurposeId>
</extendedKeyUsage>
</extension>
<!-- A single DNS name from id.dnsName1. NOTE(review): domain controller certificates are commonly
     expected to carry both the host FQDN and the domain name in the SAN; with one slot only one of
     them can be present, so confirm which name the bootstrap supplies. -->
<extension><subjectAltName>
<generalName><dnsNameType><identName>id.dnsName1</identName></dnsNameType></generalName>
</subjectAltName></extension>
<!-- Revocation information over plain http (the usual choice: https would require validating another
     certificate first). Placeholders are filled at bootstrap. -->
<extension><crlDistributionPoint><URL><part><default>http://%s/rev-info/crl/%s</default></part>%s</URL></crlDistributionPoint></extension>
<extension><authorityInfoAccess><accessMethod><OCSP>http://%s/rev-info/ocsp</OCSP></accessMethod></authorityInfoAccess></extension>
<!-- Microsoft Certificate Template Information extension (1.3.6.1.4.1.311.21.7), value from the
     id.certTemplateInfo variable. The skip element defaults to true, which presumably omits the
     extension unless the variable is supplied; confirm with the template processor. -->
<extension critical="false">
<skip><identName>id.certTemplateInfo.skip</identName><default>true</default></skip>
<genericExtension><oid>1.3.6.1.4.1.311.21.7</oid><value><identName>id.certTemplateInfo</identName></value></genericExtension>
</extension>
<!-- Microsoft NTDS CA Security extension (1.3.6.1.4.1.311.25.2), carrying the account SID used for
     strong certificate-to-account mapping. Skipped by default; confirm the intended default for
     domain controllers in a domain that enforces strong mapping. -->
<extension critical="false">
<skip><identName>id.ntdsCaSecurityExt.skip</identName><default>true</default></skip>
<genericExtension><oid>1.3.6.1.4.1.311.25.2</oid><value><identName>id.ntdsCaSecurityExt</identName></value></genericExtension>
</extension>
</extensions>
<!-- Default signature algorithm is chosen at bootstrap. -->
<signature><algorithm><default>%s</default></algorithm></signature>
<!-- Three years as maximum and default; the shell verify model with cutToParentValidity="true"
     appears to clip the lifetime to the issuing CA's validity (confirm in the CARA documentation). -->
<validity>
<max>
<year>3</year>
<month>0</month>
<day>0</day></max>
<default>
<year>3</year>
<month>0</month>
<day>0</day>
</default>
<verifyModel><shell cutToParentValidity="true"/></verifyModel>
</validity>
</x509CertificateTemplate>
</certificateTemplate>
ERS Code Signing Certificate
Template for creating certificates to sign software packages and deliverables
<?xml version="1.0" encoding="UTF-8"?>
<!-- ERS Code Signing Certificate: end-entity template for signing software packages and deliverables.
     Every %s token below is substituted by the CARA bootstrap from values chosen earlier. -->
<certificateTemplate xmlns="http://cara2.project.mtg/certificate/template" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<x509CertificateTemplate>
<!-- 126 random serial bits: well above the 64 bits of CSPRNG output required by the CA/Browser Forum
     Baseline Requirements, within the 20-octet positive INTEGER limit of RFC 5280. -->
<randomSerialNumber bitLength="126"/>
<!-- Subject DN attributes by OID. NOTE(review): no attribute is marked mandatory and this template has
     no subjectAltName, so an entirely empty subject could be requested, which RFC 5280 forbids without
     a critical SAN. Signers are identified by their subject, so CN should probably be mandatory="true"
     as in the Server and Machine templates; confirm. -->
<dnDefinition>
<dnAttribute><oid>2.5.4.6</oid><identName>C</identName></dnAttribute>
<dnAttribute><oid>2.5.4.10</oid><identName>O</identName></dnAttribute>
<dnAttribute><oid>2.5.4.11</oid><identName>OU</identName></dnAttribute>
<dnAttribute><oid>2.5.4.3</oid><identName>CN</identName></dnAttribute>
</dnDefinition>
<extensions>
<!-- Key identifiers for chain building. -->
<extension><authorityKeyIdentifier><keyIdentifier/></authorityKeyIdentifier></extension>
<extension><subjectKeyIdentifier/></extension>
<!-- Critical keyUsage limited to digitalSignature, which is all code signing needs. -->
<extension critical="true"><keyUsage digitalSignature="true"/></extension>
<!-- End entity, cannot issue certificates. -->
<extension><basicConstraints ca="false"/></extension>
<!-- codeSigning only; no TLS or e-mail EKU, so the key cannot be repurposed for authentication. -->
<extension><extendedKeyUsage codeSigning="true"/></extension>
<!-- Revocation information over plain http (the usual choice: https would require validating another
     certificate first). Placeholders are filled at bootstrap. Verifiers of signed packages typically
     check revocation long after signing, so these endpoints need to stay reachable for the whole
     lifetime of the signed artifacts, not just of the certificate. -->
<extension><crlDistributionPoint><URL><part><default>http://%s/rev-info/crl/%s</default></part>%s</URL></crlDistributionPoint></extension>
<extension><authorityInfoAccess><accessMethod><OCSP>http://%s/rev-info/ocsp</OCSP></accessMethod></authorityInfoAccess></extension>
</extensions>
<!-- Default signature algorithm is chosen at bootstrap. -->
<signature><algorithm><default>%s</default></algorithm></signature>
<!-- Three years as maximum and default; the shell verify model with cutToParentValidity="true"
     appears to clip the lifetime to the issuing CA's validity (confirm in the CARA documentation). -->
<validity>
<max>
<year>3</year>
<month>0</month>
<day>0</day></max>
<default>
<year>3</year>
<month>0</month>
<day>0</day>
</default>
<verifyModel><shell cutToParentValidity="true"/></verifyModel>
</validity>
</x509CertificateTemplate>
</certificateTemplate>