Additional Info: Some entries from the debug log: [12/Apr/2008:23:54:42][http-9443-Processor20]: CRLDistribtionPointsExtDefault: createExtension Invalid Property http://pkica.company.com <http://pkica.company.com/> [12/Apr/2008:23:54:42][http-9443-Processor20]: CRLDistribtionPointsExtDefault: createExtension Invalid Property http://pkica.company.com <http://pkica.company.com/> From the Red Hat documentation, when using the IssuerName_0=URIName, the IssuerType_n= should be: / For URIName, the value must be a non-relative URI following the URL syntax and encoding rules. The name must include both a scheme, such as http, and a fully qualified domain name or IP address of the host. For example, http://testCA.example.com./ So based on the Red Hat documentation, not sure what the value to be. Thanks, Chris Cayetano On 4/11/08, *Chris* <crc408(a)gmail.com <mailto:crc408@gmail.com>> wrote: Unable to get the CDP in the issuing certificates. Taking the caUserCert profile, it looks like CDP isn't in the profiles by default, which appears to be the default for all certificates. Using the PKI Console, I added the CRL Distribution Points Extension Default with No Constraints * The information below was entered based on examples in the Red Hat documentation ( http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Gu... ). [Default] tab crlDistPointsCritical = false crlDistPointsPointType_0 = URIName crlDistPointsPointName_0 = http://crl.company.com:80 <http://crl.company.com/> crlDistPointsReasons_0 = unused,superseded crlDistPointsIssuerType_0 = http://pkica.corp.company.com <http://pkica.corp.company.com/> crlDistPointsIssueName_0 = URIName crlDistPointsEnable_0 = true When generating the certificate the CDP field is still not visible.I've attached a summary of the profile below with the new CDP field added. Any ideas? Thanks. Chris -- ------------------------------------ *Certificate Profile Information:* Certificate Profile Id: caUserCert Certificate Profile Name: Manual User Dual-Use Certificate Enrollment <http://profileselect/?profileId=caUserCert> Description: This certificate profile is for enrolling user certificates. Approved: false Approved By: *Policy Information:* Policy Set: userCertSet *#* *Extensions / Fields* *Constraints* 1 This default populates a User-Supplied Certificate Subject Name to the request. This constraint accepts the subject name that matches CN=.* 2 This default populates a Certificate Validity to the request. The default values are Range=180 in days This constraint rejects the validity that is not between 365 days 3 This default populates a User-Supplied Certificate Key to the request. This constraint accepts the key only if Key Type=-, Key Min Length=256, Key Max Length=4096 4 This default populates an Authority Key Identifier Extension (2.5.29.35 <http://2.5.29.35/>) to the request. No Constraint 5 This default populates a Authority Info Access Extension (1.3.6.1.5.5.7.1.1) to the request. The default values are Criticality=false, Record #0{Method:1.3.6.1.5.5.7.48.1,Location Type:URIName,Location:,Enable:true} No Constraint 6 This default populates a Key Usage Extension (2.5.29.15 <http://2.5.29.15/>) to the request. The default values are Criticality=true, Digital Signature=true, Non-Repudiation=true, Key Encipherment=true, Data Encipherment=false, Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false This constraint accepts the Key Usage extension, if present, only when Criticality=true, Digital Signature=true, Non-Repudiation=true, Key Encipherment=true, Data Encipherment=false, Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false 7 This default populates an Extended Key Usage Extension () to the request. The default values are Criticality=false, OIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 No Constraint 9 This default populates the Certificate Signing Algorithm. The default values are Algorithm=SHA1withRSA This constraint accepts only the Signing Algorithms of SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC 12 This default populates a CRL Distribution Points Extension (2.5.29.31 <http://2.5.29.31/>) to the request. The default values are Criticality=false, Record #0{Point Type:http://crl.company.com:80 <http://crl.company.com/>,Point Name:URIName,Reasons:unused,superseded,Issuer Type:http://pkica.company.com <http://pkica.company.com/>,Issuer Name:URIName,Enable:true}Record #1{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}Record #2{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}Record #3{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}Record #4{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false} No Constraint ------------------------------------------------------------------------ _______________________________________________ Pki-users mailing list Pki-users(a)redhat.com https://www.redhat.com/mailman/listinfo/pki-users

Hi Christina, That worked. Thanks for your help. Though minor, it appears the Red Hat documentation for IssuerType and IssuerName is also switched, correct? Thanks, Chris Cayetano http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Gu... *IssuerName_ /n/ * Specifies the name of the issuer that has signed the CRL maintained at the distribution point. The name can be in any of the following formats: * RFC822Name * DirectoryName * DNSName * EDIPartyName * *URIName* * IPAddress * OIDName * OtherName *IssuerType_ /n/ * Specifies the general name type of the CRL issuer that signed the CRL. The permissible values are as follows: * For RFC822Name, the value must be a valid Internet mail address. For example, testCA(a)example.com <mailto:testCA@example.com>. * For DirectoryName, the value must be a string form of X.500 name, similar to the subject name in a certificate. For example, cn=SubCA, ou=Research Dept, o=Example Corporation, c=US. * For DNSName, the value must be a valid fully-qualified domain name. For example, testCA.example.com <http://testCA.example.com>;. * For EDIPartyName, the value must be an IA5String. For example, Example Corporation. * * For URIName, the value must be a non-relative URI following the URL syntax and encoding rules. The name must include both a scheme, such as http, and a fully qualified domain name or IP address of the host. For example, http://testCA.example.com.* * For IPAddress, the value must be a valid IP address. An IPv4 address must be in the format n.n.n.n or n.n.n.n,m.m.m.m. For example, 128.21.39.40 <http://128.21.39.40> or 128.21.39.40 <http://128.21.39.40>,255.255.255.00 <http://255.255.255.00>;. An IPv 6 address with netmask is separated by a comma. For example, 0:0:0:0:0:0:13.1.68.3 <http://13.1.68.3>;, FF01::43, 0:0:0:0:0:0:13.1.68.3 <http://13.1.68.3>,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:255.255.255.0 <http://255.255.255.0>;, and FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000. * For OIDName, the value must be a unique, valid OID specified in dot-separated numeric component notation. For example, 1.2.3.4.55.6.5.99. * OtherName is used for names with any other format; this supports PrintableString, IA5String, UTF8String, BMPString, Any, and KerberosName. PrintableString, IA5String, UTF8String, BMPString, and Any set a string to a base-64 encoded file specifying the subtree, such as /var/lib/rhpki-ca/othername.txt. KerberosName has the format /Realm|NameType|NameStrings/, such as realm1|0|userID1,userID2. The value for this parameter must correspond to the value in the issuerName field. On Mon, Apr 14, 2008 at 7:30 AM, Christina Fu <cfu(a)redhat.com <mailto:cfu@redhat.com>> wrote: Hi, your values for crlDistPointsIssuerType_0 and crlDistPointsIssueName_0 need to be switched. Let me know if this helps. Christina ------------------------------------------------------------------------ _______________________________________________ Pki-users mailing list Pki-users(a)redhat.com https://www.redhat.com/mailman/listinfo/pki-users