Im fixed that :D
I'm only add this line 1.3.6.1.4.1.311.20.2.2 in
,policyset.userCertSet.7.default.params.exKeyUsageOIDs=
in only 3 profile im used and its work
policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4,
*1.3.6.1.4.1.311.20.2.2*
* What version of Dogtag PKI are you using?
dogtag-pki.noarch 10.5.1-2.el7pki
* What platform are you using? Fedora, CentOS, Debian, RHEL?
Red Hat Enterprise Linux Server release 7.6 (Maipo)
* Can you attach debug logs?
* Can you share the profiles that you edited and its contents?
desc=Personal Clase 1
visible=true
enable=true
enableBy=admin
name=Personal Clase 1
auth.class_id=
input.list=i1,i2
input.i1.class_id=certReqInputImpl
input.i2.class_id=submitterInfoInputImpl
input.i3.params.gi_display_name0=ccm
input.i3.params.gi_param_enable0=true
input.i3.params.gi_param_name0=ccm
input.i3.class_id=subjectAltNameExtInputImpl
input.i3.name=subjectAltNameExtInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=userCertSet
policyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9,11,12,p7
policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.userCertSet.1.constraint.name
<
http://policyset.usercertset.1.constraint.name/>=Subject Name Constraint
policyset.userCertSet.1.constraint.params.pattern=.*CN=.*
policyset.userCertSet.1.constraint.params.accept=true
policyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.userCertSet.1.default.name
<
http://policyset.usercertset.1.default.name/>=Subject Name Default
policyset.userCertSet.1.default.params.name
<
http://policyset.usercertset.1.default.params.name/>=
policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
policyset.userCertSet.10.constraint.name
<
http://policyset.usercertset.10.constraint.name/>=Renewal Grace Period
Constraint
policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
policyset.userCertSet.10.constraint.params.renewal.graceAfter=30
policyset.userCertSet.10.default.class_id=noDefaultImpl
policyset.userCertSet.10.default.name
<
http://policyset.usercertset.10.default.name/>=No Default
policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
policyset.userCertSet.2.constraint.name
<
http://policyset.usercertset.2.constraint.name/>=Validity Constraint
policyset.userCertSet.2.constraint.params.range=1825
policyset.userCertSet.2.constraint.params.notBeforeCheck=false
policyset.userCertSet.2.constraint.params.notAfterCheck=false
policyset.userCertSet.2.default.class_id=validityDefaultImpl
policyset.userCertSet.2.default.name
<
http://policyset.usercertset.2.default.name/>=Validity Default
policyset.userCertSet.2.default.params.range=730
policyset.userCertSet.2.default.params.startTime=0
policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
policyset.userCertSet.3.constraint.name
<
http://policyset.usercertset.3.constraint.name/>=Key Constraint
policyset.userCertSet.3.constraint.params.keyType=RSA
policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
policyset.userCertSet.3.default.name
<
http://policyset.usercertset.3.default.name/>=Key Default
policyset.userCertSet.4.constraint.class_id=noConstraintImpl
policyset.userCertSet.4.constraint.name
<
http://policyset.usercertset.4.constraint.name/>=No Constraint
policyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
policyset.userCertSet.4.default.name
<
http://policyset.usercertset.4.default.name/>=Authority Key Identifier
Default
policyset.userCertSet.5.constraint.class_id=noConstraintImpl
policyset.userCertSet.5.constraint.name
<
http://policyset.usercertset.5.constraint.name/>=No Constraint
policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.userCertSet.5.default.name
<
http://policyset.usercertset.5.default.name/>=AIA Extension Default
policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.userCertSet.5.default.params.authInfoAccessCritical=false
policyset.userCertSet.5.default.params.authInfoAccessNumADs=1
policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.userCertSet.6.constraint.name
<
http://policyset.usercertset.6.constraint.name/>=Key Usage Extension
Constraint
policyset.userCertSet.6.constraint.params.keyUsageCritical=true
policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true
policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false
policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false
policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.userCertSet.6.default.name
<
http://policyset.usercertset.6.default.name/>=Key Usage Default
policyset.userCertSet.6.default.params.keyUsageCritical=true
policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true
policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
policyset.userCertSet.6.default.params.keyUsageCrlSign=false
policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
policyset.userCertSet.7.constraint.class_id=noConstraintImpl
policyset.userCertSet.7.constraint.name
<
http://policyset.usercertset.7.constraint.name/>=No Constraint
policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.userCertSet.7.default.name
<
http://policyset.usercertset.7.default.name/>=Extended Key Usage Extension
Default
policyset.userCertSet.7.default.params.exKeyUsageCritical=false
policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4,1.3.6.1.4.1.311.20.2.2
policyset.userCertSet.8.constraint.class_id=noConstraintImpl
policyset.userCertSet.8.constraint.name
<
http://policyset.usercertset.8.constraint.name/>=No Constraint
policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
policyset.userCertSet.8.default.name
<
http://policyset.usercertset.8.default.name/>=Subject Alt Name Constraint
policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
policyset.userCertSet.8.default.params.subjAltExtType_1=DNSName
policyset.userCertSet.8.default.params.subjAltExtType_2=DNSName
policyset.userCertSet.8.default.params.subjAltExtType_3=DNSName
policyset.userCertSet.8.default.params.subjAltExtType_4=DNSName
policyset.userCertSet.8.default.params.subjAltExtType_5=DNSName
policyset.userCertSet.8.default.params.subjAltExtType_6=DNSName
policyset.userCertSet.8.default.params.subjAltExtType_7=DNSName
policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.userCertSet.8.default.params.subjAltExtPattern_1=$request.dnsname$
policyset.userCertSet.8.default.params.subjAltExtPattern_2=$request.dnsname$
policyset.userCertSet.8.default.params.subjAltExtPattern_3=Politica de
Certificados Clase 1 (Personal)
policyset.userCertSet.8.default.params.subjAltExtPattern_4=Name
policyset.userCertSet.8.default.params.subjAltExtPattern_5=Direction
policyset.userCertSet.8.default.params.subjAltExtPattern_6=Instituto
policyset.userCertSet.8.default.params.subjAltExtPattern_7=Directivo
policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
policyset.userCertSet.8.default.params.subjAltExtGNEnable_1=true
policyset.userCertSet.8.default.params.subjAltExtGNEnable_2=true
policyset.userCertSet.8.default.params.subjAltExtGNEnable_3=true
policyset.userCertSet.8.default.params.subjAltExtGNEnable_4=true
policyset.userCertSet.8.default.params.subjAltExtGNEnable_5=true
policyset.userCertSet.8.default.params.subjAltExtGNEnable_6=true
policyset.userCertSet.8.default.params.subjAltExtGNEnable_7=true
policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
policyset.userCertSet.8.default.params.subjAltNameNumGNs=8
policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
policyset.userCertSet.9.constraint.name
<
http://policyset.usercertset.9.constraint.name/>=No Constraint
policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
policyset.userCertSet.9.default.name
<
http://policyset.usercertset.9.default.name/>=Signing Alg
policyset.userCertSet.9.default.params.signingAlg=-
policyset.userCertSet.11.constraint.class_id=basicConstraintsExtConstraintImpl
policyset.userCertSet.11.constraint.name
<
http://policyset.usercertset.11.constraint.name/>=Basic Constraint
Extension Constraint
policyset.userCertSet.11.constraint.params.basicConstraintsIsCA=false
policyset.userCertSet.11.default.class_id=basicConstraintsExtDefaultImpl
policyset.userCertSet.11.default.name
<
http://policyset.usercertset.11.default.name/>=Basic Constraints Extension
Default
policyset.userCertSet.11.default.params.basicConstraintsCritical=false
policyset.userCertSet.11.default.params.basicConstraintsIsCA=false
policyset.userCertSet.11.default.params.basicConstraintsPathLen=-1
policyset.userCertSet.12.constraint.class_id=noConstraintImpl
policyset.userCertSet.12.constraint.name
<
http://policyset.usercertset.12.constraint.name/>=No Constraint
policyset.userCertSet.12.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.userCertSet.12.default.name
<
http://policyset.usercertset.12.default.name/>=CRL Distribution Points
Extension Default
policyset.userCertSet.12.default.params.crlDistPointsCritical=false
policyset.userCertSet.12.default.params.crlDistPointsNum=1
policyset.userCertSet.12.default.params.crlDistPointsEnable_0=true
policyset.userCertSet.12.default.params.crlDistPointsIssuerName_0=O=Camara
policyset.userCertSet.12.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.userCertSet.12.default.params.crlDistPointsPointName_0=
http://list.mydomain.com:8080/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoi...
policyset.userCertSet.12.default.params.crlDistPointsPointType_0=URIName
policyset.userCertSet.12.default.params.crlDistPointsReasons_0=
policyset.userCertSet.p7.constraint.class_id=noConstraintImpl
policyset.userCertSet.p7.constraint.name
<
http://policyset.usercertset.p7.constraint.name/>=No Constraint
policyset.userCertSet.p7.default.class_id=certificatePoliciesExtDefaultImpl
policyset.userCertSet.p7.default.name
<
http://policyset.usercertset.p7.default.name/>=Certificate Policies
Extension Default
policyset.userCertSet.p7.default.params.Critical=true
policyset.userCertSet.p7.default.params.PoliciesExt.num=1
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.enable=true
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.26236.1.1.1.1
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
http://cps.mydomain.com/
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=true
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=Politica
de Certificados Clase 1 (Personal)
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=1
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=Camara
On Fri, Sep 11, 2020 at 4:05 PM Marc Sauton <msauton(a)redhat.com> wrote:
is it possible there is a user provided extended key usage extension
in
the request?
or there may be a profile configuration issue related to
userExtensionDefaultImpl and keyUsageExtConstraintImpl, we may need to see
the whole enrollment profile (eventually send it to me privately if you
prefer).
Thanks,
M.
On Fri, Sep 11, 2020 at 7:02 AM Jose Antonio Mendoza Roa <
roa(a)unixmexico.org> wrote:
> Hello
>
>
> Hi everyone, I am new to this list and new to using dogtag.
> I have 3 profiles (types of certificates) which asked me to append this
> configuration Smart Card Logon (1.3.6.1.4.1.311.20.2.2) and add this
> configuration to the certificate profile
>
>
>
>
>
>
>
>
>
*policyset.userCertSet.p15.constraint.class_id=noConstraintImplpolicyset.userCertSet.p15.constraint.name
> <
http://policyset.userCertSet.p15.constraint.name>=No
>
Constraintpolicyset.userCertSet.p15.default.class_id=extendedKeyUsageExtDefaultImplpolicyset.userCertSet.p15.default.name
> <
http://policyset.userCertSet.p15.default.name>=Extended Key Usage
> Extension
>
Defaultpolicyset.userCertSet.p15.default.params.exKeyUsageCritical=falsepolicyset.userCertSet.p15.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.4.1.311.20.2.2*
>
> But when I did the tests I get this error in the dogtag logs.
>
>
> "duplicate extension attempted! Name: oid=2.5.29.37 val=48 0"
>
> --
> Ce courrier électronique et les fichiers qui y sont annexés peuvent
> renfermer des
> renseignements privilégiés et confidentiels à l'intention exclusive du
> destinataire. Si
> vous n'êtes pas le destinataire, vous n'êtes pas autorisé(e) à utiliser,
> à copier ou à
> divulguer à un tiers le contenu de ce courrier électronique ni des
> fichiers joints. Si
> vous avez reçu ce courrier électronique par erreur, veuillez en aviser
> l'expéditeur
> immédiatement par courrier électronique et détruire ce message ainsi que
> les fichiers
> en annexe.
>
> This electronic mail message -- and any attachments -- may contain
> privileged/confidential information, intended only for the use of the
> addressee. If you
> are not the addressee, you may not use, copy or disclose to a third party
> the content
> of this message or its attachments. If you have received this message by
> mistake,
> please notify us immediately by e-mail and destroy this message, along
> with all
> attachments
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
>
https://www.redhat.com/mailman/listinfo/pki-users
--
Ce courrier électronique et les fichiers qui y sont annexés peuvent
renfermer des
renseignements privilégiés et confidentiels à l'intention exclusive du
destinataire. Si
vous n'êtes pas le destinataire, vous n'êtes pas autorisé(e) à utiliser, à
copier ou à
divulguer à un tiers le contenu de ce courrier électronique ni des fichiers
joints. Si
vous avez reçu ce courrier électronique par erreur, veuillez en aviser
l'expéditeur
immédiatement par courrier électronique et détruire ce message ainsi que
les fichiers
en annexe.
This electronic mail message -- and any attachments -- may contain
privileged/confidential information, intended only for the use of the
addressee. If you
are not the addressee, you may not use, copy or disclose to a third party
the content
of this message or its attachments. If you have received this message by
mistake,
please notify us immediately by e-mail and destroy this message, along with
all
attachments