Re: [Pki-users] Add info to a new OID

Wednesday, 22 January 2014

Hi,

If I understand it correctly, you just want the OID to appear in the 
cert?  if so, Generic Extension might be what you are looking for:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_Sy...

Here is an example of it:
policyset.set1.p06.constraint.class_id=extensionConstraintImpl
policyset.set1.p06.constraint.name=Extension Constraint
policyset.set1.p06.constraint.params.extCritical=-
policyset.set1.p06.constraint.params.extOID=2.16.76.1.3.3
policyset.set1.p06.default.class_id=userExtensionDefaultImpl
policyset.set1.p06.default.name=Generic Extension Default
policyset.set1.p06.default.params.genericExtData=bz
policyset.set1.p06.default.params.genericExtOID=2.16.76.1.3.3
policyset.set1.p06.default.params.enericExtCritical=false

In the above example, I just put your country OID in the profile, but I 
imagine you could change it to take it from the input.  If you do so, 
you might want to lighten up on the constraint.  I suggest you try the 
above hard-coded profile first just to see if the cert comes out what 
you are looking for before adding input in the profile.

There is actually a bug in the GenericExtension area in regards to 
setting critical to true.  I have yet to check the fix into Dogtag. Let 
me know if you do need that.

BTW, regarding userExtensionDefault, it can only be used if your CSR has 
the wanted extension in the request already, so it's not going to help you.

Hope this helps.
Christina

On 01/22/2014 02:41 AM, Sergio Pereira wrote:
...
 hi guys,

 I'm trying to create a certificate profile in a way to have at the end 
 a certificate with a special attributes (supplied by the user through 
 web enrollment form). I'm running dogtag 10.1 on Fedora 20...fresh 
 install. I added a certificate profile using pkiconsole but I'm 
 struggling in how to find the right Policies, Inputs and Outputs for 
 the new profile. The OID I intent to write to it is the 2.16.76.1.3.3 
 (country specific OID). Here is my profile's config file:

 auth.instance_id=
 desc=UserCNPJ
 enable=false
 enableBy=admin
 input.CNPJ.class_id=genericInputImpl
 input.CNPJ.name <http://input.CNPJ.name>=Generic Input
 input.CNPJ.params.gi_display_name0=Cadastro Nacional Pessoa Juridica
 input.CNPJ.params.gi_display_name1=
 input.CNPJ.params.gi_display_name2=
 input.CNPJ.params.gi_display_name3=
 input.CNPJ.params.gi_display_name4=
 input.CNPJ.params.gi_param_enable0=true
 input.CNPJ.params.gi_param_enable1=false
 input.CNPJ.params.gi_param_enable2=false
 input.CNPJ.params.gi_param_enable3=false
 input.CNPJ.params.gi_param_enable4=false
 input.CNPJ.params.gi_param_name0=cnpj
 input.CNPJ.params.gi_param_name1=
 input.CNPJ.params.gi_param_name2=
 input.CNPJ.params.gi_param_name3=
 input.CNPJ.params.gi_param_name4=
 input.i1.class_id=keyGenInputImpl
 input.i1.name <http://input.i1.name>=Key Generation Input
 input.i2.class_id=subjectNameInputImpl
 input.i2.name <http://input.i2.name>=Subject Name Input
 input.i3.class_id=submitterInfoInputImpl
 input.i3.name <http://input.i3.name>=Submitter Information Input
 input.list=i1,i2,i3,CNPJ
 input.params.gi_display_name0=Cadastro Nacional Pessoa Juridica
 input.params.gi_display_name1=
 input.params.gi_display_name2=
 input.params.gi_display_name3=
 input.params.gi_display_name4=
 input.params.gi_param_enable0=true
 input.params.gi_param_enable1=false
 input.params.gi_param_enable2=false
 input.params.gi_param_enable3=false
 input.params.gi_param_enable4=false
 input.params.gi_param_name0=cnpj
 input.params.gi_param_name1=
 input.params.gi_param_name2=
 input.params.gi_param_name3=
 input.params.gi_param_name4=
 lastModified=1390319210315
 name=UserCNPJ
 output.list=o1
 output.o1.class_id=certOutputImpl
 output.o1.name <http://output.o1.name>=Certificate Output
 policyset.list=set1
 policyset.set1.list=p1,p2,p3,p4,p5,p06
 policyset.set1.p06.constraint.class_id=noConstraintImpl
 policyset.set1.p06.constraint.name 
 <http://policyset.set1.p06.constraint.name>=No Constraint
 policyset.set1.p06.default.class_id=userExtensionDefaultImpl
 policyset.set1.p06.default.name 
 <http://policyset.set1.p06.default.name>=User Supplied Extension Default
 policyset.set1.p06.default.params.userExtOID=Comment Here...
 policyset.set1.p1.constraint.class_id=noConstraintImpl
 policyset.set1.p1.constraint.name 
 <http://policyset.set1.p1.constraint.name>=No Constraint
 policyset.set1.p1.default.class_id=userSubjectNameDefaultImpl
 policyset.set1.p1.default.name 
 <http://policyset.set1.p1.default.name>=User Supplied Subject Name Default
 policyset.set1.p2.constraint.class_id=noConstraintImpl
 policyset.set1.p2.constraint.name 
 <http://policyset.set1.p2.constraint.name>=No Constraint
 policyset.set1.p2.default.class_id=validityDefaultImpl
 policyset.set1.p2.default.name 
 <http://policyset.set1.p2.default.name>=Validity Default
 policyset.set1.p2.default.params.range=180
 policyset.set1.p2.default.params.startTime=0
 policyset.set1.p3.constraint.class_id=noConstraintImpl
 policyset.set1.p3.constraint.name 
 <http://policyset.set1.p3.constraint.name>=No Constraint
 policyset.set1.p3.default.class_id=userKeyDefaultImpl
 policyset.set1.p3.default.name 
 <http://policyset.set1.p3.default.name>=User Supplied Key Default
 policyset.set1.p3.default.params.keyMaxLength=4096
 policyset.set1.p3.default.params.keyMinLength=512
 policyset.set1.p3.default.params.keyType=RSA
 policyset.set1.p4.constraint.class_id=noConstraintImpl
 policyset.set1.p4.constraint.name 
 <http://policyset.set1.p4.constraint.name>=No Constraint
 policyset.set1.p4.default.class_id=signingAlgDefaultImpl
 policyset.set1.p4.default.name 
 <http://policyset.set1.p4.default.name>=Signing Algorithm Default
 policyset.set1.p4.default.params.signingAlg=-

policyset.set1.p4.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,,SHA512withEC
 policyset.set1.p5.constraint.class_id=noConstraintImpl
 policyset.set1.p5.constraint.name 
 <http://policyset.set1.p5.constraint.name>=No Constraint
 policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
 policyset.set1.p5.default.name 
 <http://policyset.set1.p5.default.name>=Key Usage Extension Default
 policyset.set1.p5.default.params.keyUsageCritical=true
 policyset.set1.p5.default.params.keyUsageCrlSign=true
 policyset.set1.p5.default.params.keyUsageDataEncipherment=true
 policyset.set1.p5.default.params.keyUsageDecipherOnly=true
 policyset.set1.p5.default.params.keyUsageDigitalSignature=true
 policyset.set1.p5.default.params.keyUsageEncipherOnly=true
 policyset.set1.p5.default.params.keyUsageKeyAgreement=true
 policyset.set1.p5.default.params.keyUsageKeyCertSign=true
 policyset.set1.p5.default.params.keyUsageKeyEncipherment=true
 policyset.set1.p5.default.params.keyUsageNonRepudiation=true
 visible=true
 thx in advance,
 sergio

 _______________________________________________
 Pki-users mailing list
 Pki-users(a)redhat.com
 https://www.redhat.com/mailman/listinfo/pki-users 

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

Re: [Pki-users] Add info to a new OID