Re: [Pki-devel] Configuration of Friendly Name and Country

Dear Dinesh, I tried the method and still have the problem. I will tell you what i did and can you tell me where did I do wrong. My root CA has "*Maximum number of intermediate CAs: unlimited*" and now I am installing the issuing ca (what I use for to issue certificates for clients). For the issuing *CA **Maximum number of intermediate* CAs want to be *Zero*.

I basically follow https://www.dogtagpki.org/wiki/PKI_10.5_Installing_CA_with_External_CA_Si... steps (send the CSR to root CA and get back the signed certificate) and added policyset.caCertSet.5.default.name=Basic Constraints Extension Default policyset.caCertSet.5.default.params.basicConstraintsCritical=true policyset.caCertSet.5.default.params.basicConstraintsIsCA=true policyset.caCertSet.5.default.params.basicConstraintsPathLen=0 lines to both step 1 and step 2 config files and installed the Issuing CA.

Then I went to the Issuing CA's * "SSL End Users Services" *-> "*Manual User Dual-Use Certificate **Enrollment"* and created a certificate. Then I wend to *Agent Services* and approve that request. I imported that certificate to browser. But still it shows my issuing CA *Maximum number of intermediate CAs: unlimited. * Can you tell me what did I do wrong. On Friday, May 22, 2020, 11:27:29 PM GMT+5:30, Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw(a)redhat.com&gt; wrote: Nadeera, (CC'ing pki-devel) Setting the number of intermediate CAs can be achieved by using "Basic Constraints Extension" [1] and setting the PathLen= to the required value. You need to set this extension on a CA profile and then issue a CA signing cert. You can't modify this value on an already issued CA cert. Read more on how to add this constraint to a profile here [2] [1] https://access.redhat.com/documentation/en-us/red_hat_certificate_system/... [2] https://access.redhat.com/documentation/en-us/red_hat_certificate_system/... Regards, --Dinesh On Fri, May 22, 2020 at 8:57 AM Nadeera Galagedara < nadeeragalagedara(a)yahoo.com&gt; wrote: Dear Dinesh, I want another help from you. How can I change the "Maximum number of intermediate CAs: unlimited" value. On Friday, May 22, 2020, 10:57:45 AM GMT+5:30, Nadeera Galagedara < nadeeragalagedara(a)yahoo.com&gt; wrote: Dear Dinesh, That is a great explanation. That problem that problem is also solved. Again thank you. On Wednesday, May 20, 2020, 08:27:56 PM GMT+5:30, Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw(a)redhat.com&gt; wrote: Hi Nadeera, I'm glad I could resolve your issues. As for the friendly/nickname, these names are customizable based on the system you use and are not specified during the certificate issuance. For instance, when you specified " *pki_ca_signing_nickname=mycompany_nickname"* this nickname was used to import the CA system certificate in your PKI server's NSSDB. You can view this by doing `certutil -L -d /etc/pki/pki-tomcat/alias` and you should see the *mycompany_nickname* listed. I have very limited knowledge of handling certificates in windows. From Googling around: you can try to *right-click on the certificate -> Properties -> "general" tab -> Set "Friendly Name"*. HTH Regards, --Dinesh On Wed, May 20, 2020 at 3:28 AM Nadeera Galagedara < nadeeragalagedara(a)yahoo.com&gt; wrote: Dear Dinesh, Thank you for your support and it is been very helpful. I am using Centos 7 and the version came with it is 10.5. I am using that version. I think I have corrected the country (with c=LK). But I still have a problem with the nickname. I used the *pki_ca_signing_nickname=mycompany_nickname* line but still the friendly name show on windows PC (I have imported the issued certificate to a windows PC) format like <Common Name>'s <Organisation> ID. My requirement is to show the the Friendly Name (shows as in Windows PC) as "*mycompany_nickname* " I have attached a screenshot also. Please tell me what did I do wrong. [image: image.jpeg] The full config is mentioned below *Step 1* *[CA]* *pki_admin_email=mycompany(a)abc.lk <mycompany(a)abc.lk&gt;* *pki_admin_name=caadmin* *pki_admin_nickname=caadmin* *pki_admin_password=Secret.123* *pki_admin_uid=caadmin* *pki_client_database_password=Secret.123* *pki_client_database_purge=False* *pki_client_pkcs12_password=Secret.123* *pki_ds_base_dn=dc=issueca,dc=mycompany,dc=lk* *pki_ds_database=ca2* *pki_ds_password=Secret.123* *pki_security_domain_name=mycompany_domain* *pki_token_password=Secret.123* *pki_external=True* *pki_external_step_two=False* *pki_ca_signing_subject_dn=cn=mycompany_cn,ou=mycompany_ou,o=mycompany_o,c=LK* *pki_ca_signing_csr_path=ca_signing.csr* *pki_ca_signing_nickname=mycompany_nickname* *pki_default_ocsp_uri=http://ocsp.mycompany.lk <http://ocsp.mycompany.lk>* *Step 2* *[CA]* *pki_admin_email=mycompany(a)abc.lk <mycompany(a)abc.lk&gt;* *pki_admin_name=caadmin* *pki_admin_nickname=caadmin* *pki_admin_password=Secret.123* *pki_admin_uid=caadmin* *pki_client_database_password=Secret.123* *pki_client_database_purge=False* *pki_client_pkcs12_password=Secret.123* *pki_ds_base_dn=dc=issueca,dc=mycompany,dc=lk* *pki_ds_database=ca2* *pki_ds_password=Secret.123* *pki_security_domain_name=mycompany_domain* *pki_token_password=Secret.123* *pki_external=True* *pki_external_step_two=True* *pki_ca_signing_csr_path=ca_signing.csr* *pki_ca_signing_cert_path=ca_signing.crt* *pki_ca_signing_nickname=mycompany_nickname* *pki_default_ocsp_uri=http://ocsp.mycompany.lk <http://ocsp.mycompany.lk>* Thank you and best regards, Nadeera. On Wednesday, May 20, 2020, 03:29:15 AM GMT+5:30, Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw(a)redhat.com&gt; wrote: Hi Nadeera, What version of dogtag PKI are you trying to install? You are referring to PKI 10.5 docs. The latest release is 10.8.3 If you are using the latest packages, our docs are available in our upstream repo: https://github.com/dogtagpki/pki/tree/v10.8/docs (see inline reply) On Tue, May 19, 2020 at 9:22 AM Nadeera Galagedara < nadeeragalagedara(a)yahoo.com&gt; wrote: Dear all, I am new to dogtag and I am installing a sub ca using the method described in https://www.dogtagpki.org/wiki/PKI_10.5_Installing_CA_with_External_CA_Si... . I want to know. 1) What is the parameter to change the *Friendly Name* We do not use "Friendly Name". Instead, we use "nickname" To configure the nickname for CA signing certificate use: pki_ca_signing_nickname= 2) What is the parameter to change the *Country/Locality* This is set using subject dn. So, in your case specify the Country using this attribute: pki_ca_signing_subject_dn= 3) Where (a page link ) I can find details about each of this configuration parameters. I don't have a page that explains all the config parameters. But, I do have a page that can give you a list of parameters that you can use (since you mentioned 10.5, I'm listing the contents of 10.5 branch. Refer to the appropriate branch for an updated list) https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_BRANCH/base/server/etc/... HTH Regards, --Dinesh Thank you. _______________________________________________ Pki-devel mailing list Pki-devel(a)redhat.com https://www.redhat.com/mailman/listinfo/pki-devel