Nadeera,

(CC'ing pki-devel)

Setting the number of intermediate CAs can be achieved by using "Basic Constraints Extension" [1] and setting the PathLen= to the required value.

You need to set this extension on a CA profile and then issue a CA signing cert. You can't modify this value on an already issued CA cert. Read more on how to add this constraint to a profile here [2].

[1] https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html-single/administration_guide_common_criteria_edition/index#Basic_Constraints_Extension_Default
[2] https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html-single/administration_guide_common_criteria_edition/index#about-extensions

Regards,
--Dinesh
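
The profile change described in the reply above, as an added example that is not part of the original message or of Dogtag's documentation: the Basic Constraints policy of a CA signing certificate profile, with the unlimited path length setting next to a limited one. The profile file name caCACert.cfg and the policy set id 5 are assumptions based on a stock Dogtag install; the edit belongs on the CA that issues the signing certificate.

```properties
# Assumed file: caCACert.cfg (CA signing certificate profile) on the ISSUING CA.
# The policy id "5" is an assumption; use whichever id carries
# basicConstraintsExtDefaultImpl in your copy of the profile.
policyset.caCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
policyset.caCertSet.5.default.name=Basic Constraints Extension Default
policyset.caCertSet.5.default.params.basicConstraintsCritical=true
policyset.caCertSet.5.default.params.basicConstraintsIsCA=true

# Before: -1 leaves the path length out of the extension, which is what a
# certificate viewer reports as "Maximum number of intermediate CAs: unlimited".
# policyset.caCertSet.5.default.params.basicConstraintsPathLen=-1

# After: 0 lets the new CA issue end-entity certificates only; a value of n
# allows at most n further intermediate CAs below it.
policyset.caCertSet.5.default.params.basicConstraintsPathLen=0

# Constraint on the same policy: bounds the value that may end up in the
# issued certificate, so an approval-time edit cannot raise it again.
policyset.caCertSet.5.constraint.class_id=basicConstraintsExtConstraintImpl
policyset.caCertSet.5.constraint.name=Basic Constraint Extension Constraint
policyset.caCertSet.5.constraint.params.basicConstraintsCritical=true
policyset.caCertSet.5.constraint.params.basicConstraintsIsCA=true
policyset.caCertSet.5.constraint.params.basicConstraintsMinPathLen=-1
policyset.caCertSet.5.constraint.params.basicConstraintsMaxPathLen=0
```

After the certificate is issued, `openssl x509 -in ca_signing.crt -noout -text` should list `CA:TRUE, pathlen:0` under X509v3 Basic Constraints.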

On Fri, May 22, 2020 at 8:57 AM Nadeera Galagedara <nadeeragalagedara@yahoo.com> wrote:
Dear Dinesh,

I want some more help from you. How can I change the "Maximum number of intermediate CAs: unlimited" value?
On Friday, May 22, 2020, 10:57:45 AM GMT+5:30, Nadeera Galagedara <nadeeragalagedara@yahoo.com> wrote:


Dear Dinesh,

That is a great explanation. That problem is also solved. Again, thank you.

On Wednesday, May 20, 2020, 08:27:56 PM GMT+5:30, Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw@redhat.com> wrote:


Hi Nadeera,

I'm glad I could resolve your issues.

As for the friendly/nickname, these names are customizable based on the system you use and are not specified during the certificate issuance.

For instance, when you specified "pki_ca_signing_nickname=mycompany_nickname" this nickname was used to import the CA system certificate in your PKI server's NSSDB. You can view this by doing `certutil -L -d /etc/pki/pki-tomcat/alias` and you should see the mycompany_nickname listed.

I have very limited knowledge of handling certificates in Windows. From Googling around: you can try to right-click on the certificate -> Properties -> "General" tab -> Set "Friendly Name".

HTH

Regards,
--Dinesh

On Wed, May 20, 2020 at 3:28 AM Nadeera Galagedara <nadeeragalagedara@yahoo.com> wrote:
Dear Dinesh,

Thank you for your support; it has been very helpful. I am using CentOS 7 and the version that came with it is 10.5. I am using that version. I think I have corrected the country (with c=LK). But I still have a problem with the nickname.

I used the pki_ca_signing_nickname=mycompany_nickname line, but the friendly name shown on a Windows PC (I have imported the issued certificate to a Windows PC) is still in a format like <Common Name>'s <Organisation> ID. My requirement is to show the Friendly Name (as shown on the Windows PC) as "mycompany_nickname". I have attached a screenshot also. Please tell me what I did wrong.




The full config is mentioned below


Step 1

[CA]
pki_admin_email=mycompany@abc.lk
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret.123
pki_admin_uid=caadmin

pki_client_database_password=Secret.123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123

pki_ds_base_dn=dc=issueca,dc=mycompany,dc=lk
pki_ds_database=ca2
pki_ds_password=Secret.123

pki_security_domain_name=mycompany_domain
pki_token_password=Secret.123

pki_external=True
pki_external_step_two=False

pki_ca_signing_subject_dn=cn=mycompany_cn,ou=mycompany_ou,o=mycompany_o,c=LK
pki_ca_signing_csr_path=ca_signing.csr

pki_ca_signing_nickname=mycompany_nickname

pki_default_ocsp_uri=http://ocsp.mycompany.lk



Step 2

[CA]
pki_admin_email=mycompany@abc.lk
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret.123
pki_admin_uid=caadmin

pki_client_database_password=Secret.123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123

pki_ds_base_dn=dc=issueca,dc=mycompany,dc=lk
pki_ds_database=ca2
pki_ds_password=Secret.123

pki_security_domain_name=mycompany_domain
pki_token_password=Secret.123

pki_external=True
pki_external_step_two=True

pki_ca_signing_csr_path=ca_signing.csr
pki_ca_signing_cert_path=ca_signing.crt

pki_ca_signing_nickname=mycompany_nickname

pki_default_ocsp_uri=http://ocsp.mycompany.lk




Thank you and best regards,
Nadeera.





On Wednesday, May 20, 2020, 03:29:15 AM GMT+5:30, Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw@redhat.com> wrote:


Hi Nadeera,

What version of Dogtag PKI are you trying to install? You are referring to PKI 10.5 docs. The latest release is 10.8.3.

If you are using the latest packages, our docs are available in our upstream repo: https://github.com/dogtagpki/pki/tree/v10.8/docs

(see inline reply)

On Tue, May 19, 2020 at 9:22 AM Nadeera Galagedara <nadeeragalagedara@yahoo.com> wrote:
Dear all,

I am new to Dogtag and I am installing a sub CA using the method described in https://www.dogtagpki.org/wiki/PKI_10.5_Installing_CA_with_External_CA_Signing_Certificate . I want to know:

1) What is the parameter to change the Friendly Name
We do not use "Friendly Name". Instead, we use "nickname"
To configure the nickname for CA signing certificate use:  pki_ca_signing_nickname=

2) What is the parameter to change the Country/Locality
This is set using subject dn. So, in your case specify the Country using this attribute: pki_ca_signing_subject_dn=
 
3) Where (a page link) can I find details about each of these configuration parameters?
I don't have a page that explains all the config parameters. But, I do have a page that can give you a list of parameters that you can use (since you mentioned 10.5, I'm listing the contents of 10.5 branch. Refer to the appropriate branch for an updated list)

HTH

Regards,
--Dinesh

 

Thank you.

_______________________________________________
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel