Re: [Pki-users] how to use both CA ISSUER and OCSP URLs in AIA
Dear Marcin,
thank you for the reply.
I have tried the same with the UserCert profile. But didn't work for me.
Anyway I'll give another try.
Kamal
On Tue, Apr 5, 2016 at 4:07 PM, marcin kowalski <yoshi314(a)gmail.com> wrote:
I did something like this, a while ago, on DogTag. Seems to work for
me.
I did that on server certificate profile ; so you may need to adjust it a
bit.
/var/lib/pki/<instance>/ca/profiles/ca/caServerCert.cfg
================================================
policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
policyset.serverCertSet.5.constraint.name=No Constraint
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.5.default.name=AIA Extension Default
<!-- this is the default OCSP entry, configured elsewhere in your pki
instance, i just left it here -->
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
<!-- these are custom entries -->
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_1=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_1=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_1=
http://server1/root.crt
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_1=1.3.6.1.5.5.7.48.2
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_2=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_2=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_2=
http://server2/root.crt
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_2=1.3.6.1.5.5.7.48.2
<!-- adjust as necessary the amount of entries here -->
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=3
After that, restart your instance and review the certificate request in
agent. Hope it works fine.
2016-04-01 15:08 GMT+02:00 Kamal Perera <techpkiuser(a)gmail.com>:
> Dear All,
>
> Hope you guys are doing great.
>
> I just want to know how to configure the user certificate profile to have
> both OCSP URL and CA ISSUERs certificate URL to be present in the
> certificate.
>
> Thanks.
> Kaml
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
Attachments:
- attachment.html (text/html — 4.0 KB)