Security Policy
SecurityPolicy defines attributes of security applied to the profileName or KeyStore.
This policy is applied during the initialization of the profile, but sometimes it's also used during the installation of the certificate, so it must be informed on several methods of the certificate provider.
There are specific policies for each kind of Keystore, like:
Microsoft CryptoAPI security policy
{
"exportable": true,
"protectionLevel": 1,
"description": "John Doe - Digicert",
"friendlyName": "Sign and Authenticate services",
"title": "Digital Certificate"
}
| Field | Description | Default |
|---|---|---|
| exportable | Indicates if the certificate can be exported from this repository. | true |
| protectionLevel | Value [ 0 .. 2 ] used to indicate the level of protection to access the private key. Value==1 requires that users approve access to the key. Value==2, user must protect the key with a password. | 0 |
| description | Name of the keystore where the certificate will be stored. | |
| friendlyName | Friendly name to identify the certificate in an easier mode. | |
| title | Title of the certificate to protect. |
Password security policy
Used by PFX keystores
{
"passComplexity" : 2,
"passMinLength" : 5
}
| Field | Description | Default |
|---|---|---|
| passComplexity | integer value [1..4]. It indicates how many different kinds of letters must be used to generate a password that protects the certificate. Possible groups are uppercase, lowercase, number, symbol. | 2 |
| passMinLength | minimum length of characters. | 6 |
Device security policy
Used by some kind of devices
{
"installDummy" : false,
"generateOnBoard" : true
}
| Field | Description | Default |
|---|---|---|
| generateOnBoard | Used to indicate if the generation of keypair must be done inside of the device. | true |
| installDummy | After the keypair generation, a dummy certificate is created and installed into the device to register the key. This certificate is overwritten when the final certificate is issued and installed. | false |
PKCS11 security policy
Used by PKCS11 keystores
{
"passComplexity" : 2,
"passMinLength" : 5,
"installDummy" : false,
"generateOnBoard" : true
}
It combines the features of Password and Device security policies. This policy is used when the device can be initialized during the generation of keypair, and a new password must be entered to protect the key.
CSK security policy
Used on Alison KeyStore profiles.
{
"id": "polIdv-A",
"passComplexity": 3,
"passMinLength": 8,
"passExpiration": 365,
"passLockCount": 10,
"lockTimeout": 15,
"idleTimeout": 10,
"certExport": 15
}
| Field | Description | Default |
|---|---|---|
| id | Unique ID used to identify the security password applied. | |
| passComplexity | integer value [1..4]. It indicates how many different kinds of letters must be used to generate a password that protects the certificate. Possible groups are uppercase, lowercase, number, symbol. | 2 |
| passMinLength | Minimum length of characters. | 6 |
| passExpiration | Days of password validity. 30 days before, profile returns a warning code (CLOSE_TO_EXPIRE). Use 0 to disable this feature. | 0 |
| passLockCount | Invalid login tries before of lock the profile. | 10 |
| lockTimeout | Minutes to wait when the profile is locked. After unlocking the profile, the user can try 1 more time. 0 value indicates that the profile must be locked permanently if the user fails passLockCount times. | 20 |
| idleTimeout | Minutes during the profile are maintained open without requires a new password. | 10 |
| certExport | Mask used to indicate if the certificate can be exportable. 0 indicates that certificates installed on the profile can't be exported. 15 for enabled exportable to PKCS12 files and other kinds of devices. | 15 |