There's an error in the configuration, but as pointed out in another
branch of the thread there is also a bug with argument order which
is fatal to the UserNotice use case. So that will have to be
triaged and fixed.
I did work out how to include multiple policy qualifiers, though.
UserNotice is broken but as an example, here's how to get two URIs
(common prefix elided):
PoliciesExt.num=1
PolicyQualifiers.num=2
PoliciesExt.certPolicy0.enable=true
PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
PoliciesExt.certPolicy0.PolicyQualifiers.num=2
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://foo.com/
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
PoliciesExt.certPolicy0.PolicyQualifiers1.CPSURI.enable=true
PoliciesExt.certPolicy0.PolicyQualifiers1.CPSURI.value=http://bar.com/
PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.enable=false
It is necessary to include both CPSURI.enable=bool and
usernotice.enable=bool, with CPSURI taking precedence.
The PolicyQualifiers.num=N applies to all policies, which is a bug
(it prevents defining policies with different numbers of
qualifiers). But it is adequate for a single-policy,
multiple-qualifier use case.
Cheers,
Fraser
On Sun, Apr 28, 2019 at 10:52:22PM -0400, Jonathan Montero wrote:
> Thanks for your answer, but no, it didn't work...
>
> I got a Java error when I try to approve the certificate, meaning that
> something is wrong with the configuration.
>
> To be a good config I had to take all those 1 to 0 back again.
>
> Jonathan Montero
> IT Professional | IT Trainer
> M: 809-609-3003
> S: tuxmontero
> E: jmrxto(a)gmail.com
> A: Santo Domingo, DR
> jonathanmontero.com
> <https://www.linkedin.com/in/monterojonathan>
> <https://twitter.com/tuxmontero> <https://www.facebook.com/jmrxto>
> <https://github.com/tuxmontero>
>
> On Sun, Apr 28, 2019 at 9:19 PM Fraser Tweedale <ftweedal(a)redhat.com> wrote:
>
> > On Wed, Apr 24, 2019 at 12:21:23AM -0400, Jonathan Montero wrote:
> > > Hi, I'm having an issue regarding the certificate policies.
> > >
> > > It is as follows...
> > > policyset.caCertSet.p7.constraint.class_id=noConstraintImpl
> > > policyset.caCertSet.p7.constraint.name=No Constraint
> > > policyset.caCertSet.p7.default.class_id=certificatePoliciesExtDefaultImpl
> > > policyset.caCertSet.p7.default.name=Certificate Policies Extension Default
> > > policyset.caCertSet.p7.default.params.Critical=true
> > > policyset.caCertSet.p7.default.params.PoliciesExt.num=1
> > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.enable=true
> > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
> > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
> > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://url.com/
> > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=true
> > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=Some Text Here
> > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=1
> > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=Company text Here
> > >
> > >
> > > So, with this configuration I did not get all the results I want, don't know
> > > why....
> > >
> > > I obtain
> > > policyId=1.3.6.1.4.1.6.1.1.1.1
> > >
> > > Also
> > > CPSURI.value=http://url.com/
> > >
> > > But can't get the explicitText.value and organization...
> > >
> > > For some reason, those 2 latter options don't appear in the
> > > certificate.
> > >
> > > What could this be?
> > >
> > Dogtag cert policies config is very unfriendly. Without having
> > confirmed, I'm pretty sure you need something like:
> >
> > PoliciesExt.certPolicy0.enable=true
> > PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
> > PoliciesExt.certPolicy0.PolicyQualifiers.num=2
> > PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
> > PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://url.com/
> > PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.enable=true
> > PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.explicitText.value=Some text Here
> > PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.noticeReference.noticeNumbers=1
> > PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.noticeReference.organization=Company text Here
> >
> > Each policy qualifier can be either a CPS URI or a user notice, so
> > if you want both, you need two qualifiers. This is not a
> > restriction in Dogtag, rather it is part of the X.509 standard:
> >
> >   Qualifier ::= CHOICE {
> >       cPSuri      CPSuri,
> >       userNotice  UserNotice }
> >
> > Hope that helps!
> >
> > Cheers,
> > Fraser
> >
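As an added example (not Dogtag's code), here is a small lint for the PoliciesExt.* parameter layout discussed in this thread: it expands the flat keys and flags the three things the thread calls out (a qualifier with both CPSURI and usernotice enabled, which the X.509 Qualifier CHOICE cannot express, so the UserNotice is dropped; a missing enable flag on either arm; and a PolicyQualifiers.num that disagrees with the qualifiers actually defined). The two sample configs are constructed from the thread, and the parsing rules are assumptions that have not been checked against Dogtag's source.

```python
import re
from collections import defaultdict

# Qualifier keys look like certPolicy<p>.PolicyQualifiers<q>.<CPSURI|usernotice>.<param>
QUAL_RE = re.compile(r"certPolicy(\d+)\.PolicyQualifiers(\d+)\.(CPSURI|usernotice)\.(\S+)")

def parse(cfg):
    """Return ({policy: {qualifier: {type: {param: value}}}}, declared PolicyQualifiers.num)."""
    policies = defaultdict(lambda: defaultdict(dict))
    declared = None
    for line in cfg.splitlines():
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        key = key.split("params.", 1)[-1]  # drop any policyset.<set>.pN.default.params. prefix
        m = QUAL_RE.search(key)
        if m:
            p, q, qtype, param = m.groups()
            policies[int(p)][int(q)].setdefault(qtype, {})[param] = value
        elif key.endswith("PolicyQualifiers.num"):
            declared = int(value)
    return policies, declared

def lint(cfg):
    """Return findings as strings; an empty list means none of the thread's pitfalls was hit."""
    policies, declared = parse(cfg)
    findings = []
    if declared is None:
        findings.append("PolicyQualifiers.num is not set")
    for p, quals in sorted(policies.items()):
        if declared is not None and len(quals) != declared:
            findings.append(f"certPolicy{p}: num={declared} but {len(quals)} qualifier(s) defined")
        for q, types in sorted(quals.items()):
            cps = types.get("CPSURI", {}).get("enable")
            notice = types.get("usernotice", {}).get("enable")
            if cps is None or notice is None:  # the thread: both flags must be present
                findings.append(f"certPolicy{p}.PolicyQualifiers{q}: set both CPSURI.enable and usernotice.enable")
            if cps == "true" and notice == "true":  # Qualifier is a CHOICE; CPSURI takes precedence
                findings.append(f"certPolicy{p}.PolicyQualifiers{q}: both arms enabled, UserNotice will be dropped")
    return findings

# Constructed inputs: the thread's original layout (one qualifier carrying both arms) ...
ORIGINAL = """policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=true"""
# ... and the corrected one: two qualifiers, one per CHOICE arm, both enable flags on each.
FIXED = """PoliciesExt.certPolicy0.PolicyQualifiers.num=2
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
PoliciesExt.certPolicy0.PolicyQualifiers1.CPSURI.enable=false
PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.enable=true"""
```

Running lint(ORIGINAL) reproduces the symptom from the question (the UserNotice arm is flagged as dropped), while lint(FIXED) returns no findings.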