X.509 Certificate Properties

Property / Value

ca.providers

<list of provider names>

List of CA (Certificate Authority) providers. Each provider has a number of properties of its own.

Example:
nemidprod

ca.certificates

<list of public certificate files>

A public certificate is stored in a public certificate bundle in the format of a p7b file. This property defines all the public certificates of the CAs that are supported by the PortalProtect system.

Example:
tdc_prod.p7b, tdc_preprod.p7b

ca.provider.xxxx.class

<java class>

Classname of the provider – the class must extend the class dk.itp.security.authentication.x509.CA. It contains the name of the root CA, as well as code for mapping between certificates and CPR/ID codes, if supported by the CA.
A special generic CA implementation can be used to define basic CA functionality. The generic CA is defined using the following class:

dk.itp.security.authentication.x509.GenericCA

Using the generic CA, the ca.provider.xxxx.issuerdn property must be defined.

For NemID, this should be set to

ca.provider.xxxx.issuerdn

Issuer's DN

This property is only required if the GenericCA provider implementation is used, see property "ca.provider.xxxx.class" for more information on the GenericCA implementation.

Example:
CN=TDC OCES CA, O=TDC,C=DK

ca.provider.xxxx.crl

<url>

URL to the place where the Certificate Revocation List can be retrieved.

ca.provider.xxxx.crl.prefercertificateurl

<true | false> - Defaults to true

If true, the URL for the CRL lists embedded in the certificate will be used. If no URL is embedded in the certificate extensions, then the configured URL will be used.
Note that this value MUST be true for OCES II certificates since they are issued by different intermediate CA certificates and thus have different CRLs.

ca.provider.xxxx.crl.interval

<interval in minutes> (default 15)

Number of minutes between attempts to refresh the CRL by re-retrieving it from the server.

ca.provider.xxxx.check.signingcapability

<true | false>

If true, checks the X.509 extended key usage within the certificate, to make sure the certificate can be used to sign data with.

ca.provider.xxxx.check.crl

<true | false>

If true, the certificate will be checked against the CRL list to make sure it is not revoked.

ca.provider.xxxx.check.chain

<true | false>

If true, the X.509 certificate chain will be checked, to verify that each certificate is properly signed by the parent certificate.

ca.provider.xxxx.allow.obsolete.crl

<true | false>

If true, logins are allowed even if the CRL is obsolete; if false, logins are refused while the CRL is too old. Default is false.

ca.provider.xxxx.crl.verifysignature

<true | false> (default true)

Specifies whether the signature on the CRL is verified against the issuer certificate. This should only be disabled to work around a bug in the CRL provider where the CRL is not signed with the correct certificate, which should be the same certificate that issued the user certificates being checked against the CRL.

ca.provider.xxxx.check.ocsp

<true | false>

If true, OCSP (Online Certificate Status Protocol) will be used to check a certificate's validity – this is a good alternative to a CRL, since the online check detects a revoked certificate immediately, without the delay of waiting for the next CRL. Remember to set the URL too.

Default is false.

ca.provider.xxxx.ocsp.url

<URL>

The URL to use when checking if certificates are revoked using the OCSP protocol.

Example: http://ocsp.certifikat.dk/ocsp/status

ca.provider.xxxx.ocsp.prefercertificateurl

<true | false> - Defaults to true

If true, do not use the ca.provider.xxxx.ocsp.url configured, but prefer the URL embedded in the certificate – if no URL is embedded in the certificate the configured one will be used.
This value MUST be true for OCES II certificates.

ca.provider.xxxx.ocsp.ignoretimechecks

<true | false>

If true, the timestamp on the response from the OCSP server will be ignored – otherwise it has to be between now – 2 minutes and now + 2 minutes. If your server's clock differs from the OCSP server's clock this can cause problems, so in that case set this flag to disable the time checks.

Default is false.

ca.provider.xxxx.ocsp.cachetimeout

<timeout in minutes>

Caches the certificates that have been checked via OCSP for the configured number of minutes. If the same certificate logs in again within that number of minutes, it will not be rechecked, which speeds up login.

Set it to 0 to disable the cache.

Default is 5 minutes.

ca.provider.xxxx.ocsp.timedifference

<Time difference in minutes> (Default 2)

Specifies the maximum time difference allowed between the current time and the time in the OCSP response.

ca.provider.xxxx.nemid.appletparam.ZZ.keystore.file

<filename>

ZZ is replaced with the NemID provider ID.

Name of the file the keystore is stored in (unless the key is stored in hardware)

ca.provider.xxxx.nemid.appletparam.ZZ.keystore.type

<keystore type> - Default "PKCS12"

ZZ is replaced with the NemID provider ID.

Type of keystore, e.g. PKCS12, JKS or LUNA

ca.provider.xxxx.nemid.appletparam.ZZ.keystore.password

<password>

ZZ is replaced with the NemID provider ID.

Password to keystore used for NemID applet parameter signing - can optionally be encoded or encrypted using "java dk.itp.utils.PasswordUtils".

ca.provider.xxxx.nemid.appletparam.ZZ.keystore.provider

Name of JCE provider to use when loading the keystore – default is BC

ZZ is replaced with the NemID provider ID.

ca.provider.xxxx.nemid.appletparam.ZZ.keystore.privkeyalias

<private key alias name>

ZZ is replaced with the NemID provider ID.

Alias name of the private key within the keystore to use when signing.

If not specified, the first available private key in the keystore will be used.

ca.provider.xxxx.nemid.appletparam.ZZ.keystore.certalias

<certificate alias name>

ZZ is replaced with the NemID provider ID.

Alias name of the certificate to use when signing the applet parameters – the certificate will be included in the signed parameters, and must be known to NemID / DanID in advance. Usually this will have to be a FOCES or VOCES certificate.

If not specified, the first available certificate in the keystore will be used.

ca.provider.xxxx.nemid.appletparam.ZZ.jceprovider

<provider name> - Default BC

ZZ is replaced with the NemID provider ID.

Name of JCE provider to use, e.g. BC for BouncyCastle, SUN for Sun JKS keystores, LunaJCAProvider for Luna SA HSM.

The JCE provider specified will be used for signing the applet parameters, and can in some cases be different from the keystore JCE provider, but will usually be the same.

ca.provider.xxxx.nemid.providerid

<List of integers, separated by , or ;> - Must be present when using NemID – you get the ID from DanID.

Each provider ID is used in the name of the appletparam* parameters to allow multiple applet signing certificates, each with its own company name which will be shown in the NemID applet.

List of DanID / NemID's service provider IDs.

ca.provider.xxxx.clientcert.keystore.file

<Filename>

Specify the name of the keystore containing an SSL client certificate for use with the DanID PIDCPR lookup service.

ca.provider.xxxx.clientcert.keystore.type

<Keystore type> - Default PKCS12

Specify the keystore type.

ca.provider.xxxx.clientcert.keystore.provider

<JCE provider name> - Default BC

Set the name of the JCE keystore provider used to load the keystore.

ca.provider.xxxx.clientcert.keystore.password

<Password for keystore>

Specify the password to open the keystore – note that the password can be obfuscated or encrypted with PasswordUtils.

ca.provider.xxxx.clientcert.keystore.privatekeyalias

<Alias name>

If specified, this is the alias in the keystore where the private key is stored – if not specified, the SSL JCE Provider will select a private key to use from the keystore.

ca.provider.xxxx.clientcert.keystore.certificatealias

<Alias name>

If provided, the alias of the public certificate within the keystore – if not specified, the SSL JCE Provider will select a certificate to use from the keystore.

ca.provider.xxxx.http.verifyhostname

<true | false> - Default true

If set to false, SSL hostname verification will be turned off. PortalProtect will then not verify that the SSL certificate contains the correct hostname for PID lookups, DanID Attribute service lookups, CRL lookups and OCSP lookups.

You should only set this to false if required for testing, never in production.
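An added example (not PortalProtect code) that audits a properties file for the settings this table calls mandatory or unsafe: GenericCA without issuerdn, revocation checking disabled, allow.obsolete.crl, crl.verifysignature, ocsp.ignoretimechecks, the OCES II prefercertificateurl requirement, and http.verifyhostname=false. The property names and documented defaults come from this page; the parser and the sample configuration are constructed for the example.

```python
def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, no escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint_provider(props: dict, name: str, oces2: bool = False) -> list:
    """Findings for one provider; 'name' is the xxxx in ca.provider.xxxx.*"""
    p = f"ca.provider.{name}."
    def on(key: str, default: str) -> bool:  # booleans default as documented on the page
        return props.get(p + key, default).lower() == "true"
    findings = []
    if props.get(p + "class", "").endswith(".GenericCA") and not props.get(p + "issuerdn"):
        findings.append("GenericCA is used but issuerdn is not defined")
    if not on("check.chain", "false"):
        findings.append("check.chain is off: chain signatures are not verified")
    if not on("check.crl", "false") and not on("check.ocsp", "false"):
        findings.append("no revocation checking: check.crl and check.ocsp are both off")
    if on("allow.obsolete.crl", "false"):
        findings.append("allow.obsolete.crl=true: logins accepted with a stale CRL")
    if not on("crl.verifysignature", "true"):
        findings.append("crl.verifysignature=false: CRL signature is not checked")
    if on("check.ocsp", "false") and not props.get(p + "ocsp.url"):
        findings.append("check.ocsp=true but ocsp.url is not set")
    if on("ocsp.ignoretimechecks", "false"):
        findings.append("ocsp.ignoretimechecks=true: OCSP response time is not checked")
    if oces2 and not (on("crl.prefercertificateurl", "true") and on("ocsp.prefercertificateurl", "true")):
        findings.append("OCES II requires crl/ocsp prefercertificateurl=true")
    if not on("http.verifyhostname", "true"):
        findings.append("http.verifyhostname=false: test-only setting in use")
    return findings

def lint_config(text: str, oces2_providers: tuple = ()) -> dict:
    """Lint every provider named in ca.providers; returns {provider: findings}."""
    props = parse_properties(text)
    names = [n.strip() for n in props.get("ca.providers", "").replace(";", ",").split(",")]
    return {n: lint_provider(props, n, n in oces2_providers) for n in names if n}

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
ca.providers=nemidprod
ca.provider.nemidprod.class=dk.itp.security.authentication.x509.GenericCA
ca.provider.nemidprod.check.ocsp=true
ca.provider.nemidprod.allow.obsolete.crl=true
ca.provider.nemidprod.http.verifyhostname=false
"""
```

Running `lint_config(SAMPLE)` reports five findings for the sample provider; pass the names of OCES II providers in `oces2_providers` to also enforce the prefercertificateurl requirement.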

ca.provider.xxxx.attr.url

<URL>

URL To TDC/DanID's attribute lookup service – e.g. https://test.lra.certifikat.tdc.dk/attributews/AttributeService or https://ws-erhverv.pp.certifikat.dk/attributeservice_serviceprovider_server/

This attribute service is used for looking up user attributes for MOCES certificates.

ca.provider.xxxx.attr.verifysslcert

<true or false - default is true>

Set to false to disable verification of the SSL server certificate.

ca.provider.xxxx.attr.acceptedsslcerts

<List of filenames, separated by comma or semicolon>

List of trusted CA certificates for the SSL server certificates, if JRE's cacerts is not enough.

ca.provider.xxxx.attr.keystore.provider
<JCE provider name> - Default "BC"

ca.provider.xxxx.attr.keystore.type
<Keystore type> - Default "PKCS12"

ca.provider.xxxx.attr.keystore.file
<Keystore filename>

ca.provider.xxxx.attr.keystore.password
<Password>

These settings provide the keystore used as client certificate when contacting the attribute service.

ca.provider.xxxx.attr.issuername

<Issuer name> - Default "TDC OCES CA"

Name of issuer to put in the attribute service request – some services/environments might require different issuer names. The "Digital signatur" attribute does not care what the issuer name is set to. Others, like "NemID Erhverv" might require specific issuer names.

ca.provider.xxxx.pidcpr.url

<URL>

URL to the PIDCPR lookup service at DanID/Nets.

ca.provider.xxxx.pidcpr.verifysslcert

<true or false - default is true>

Set to false to disable verification of the SSL server certificate.

ca.provider.xxxx.pidcpr.acceptedsslcerts

<List of filenames, separated by comma or semicolon>

List of trusted CA certificates for the SSL server certificates, if JRE's cacerts is not enough.

ca.provider.xxxx.ssl.providername

<SSL Context provider name> - Default is blank (use JDK default)

Name of SSL provider to use when doing PIDCPR lookups.

ca.provider.xxxx.ssl.protocol

<SSL protocol – default TLS>

Specify the SSL protocol to use for PIDCPR lookups – e.g. "TLSv1.2"

proxy.enable

<true | false>

If true, the properties http.proxyHost, http.proxyPort, http.proxyUser and http.proxyPassword will be used when retrieving CRLs.

http.proxyHost

<ip address or hostname>

Address of the proxy server to use for HTTP and HTTPS URLs.

http.proxyPort

<port number>

TCP Port of the proxy server to use for HTTP and HTTPS URLs.

http.proxyUser

<userid> - default blank.

If not empty, the userid and the corresponding password from http.proxyPassword will be used to add a Proxy-Authorization header to the HTTP request, authenticating the request with the proxy server.

http.proxyPassword

<password>

Password to add to the Proxy-Authorization header to authenticate to the proxy.

tdc.oces.ldap.servers

<Comma separated list of LDAP servers>

The list of LDAP servers that contain listings of OCES public certificates – they are used by TDCOCESCertLookup, which can look up public OCES certificates in the LDAP servers by serial number, email address or name.

Default is: "dir.certifikat.dk:389" which is the LDAP server for TDC OCES certificates.

tdc.oces.ldap.basedn

<Base DN>

Base DN of the LDAP tree to search for public OCES certificates in – should not be changed from the default value for TDC OCES certificates.

Default is: "c=DK"

jce.customproviders

<Comma or semicolon separated list of classes>

This property is used to load support for custom JCE providers that require specific non-JCE initialization. It must contain the names of classes which implement the dk.itp.security.jce.ICustomJCESupport interface.

Currently only one JCE provider which requires this custom initialization is supported, and that is the Luna Hardware Security Module (HSM).

dk.itp.security.jce.luna.LunaSupport

It requires the following configuration property: luna.password, which must be set to the password used to log into the HSM.

Also, luna.provideroffset can be used to specify the index in the JCE provider chain to install the provider at – if nothing else is specified, 2 is assumed. Set it to -1 to add the provider at the end of the chain.

Example:
dk.itp.security.jce.luna.LunaSupport