base64 CMC Request format
by Elliott William C OSS sIT
Hi all,
Can Dogtag (in this case v. 9.0.3-30.el6 ) be coerced into accepting base64-encoded CMC requests? Is there a parameter somewhere? Or would it require reprogramming?
We have a (smart-)card management system (runs under Windows) which sends the requests and expects the responses to both be base64 encoded.
Thanks and best regards,
William Elliott
s IT Solutions
Open System Services
8 years, 5 months
Add info to a new OID
by Sergio Pereira
hi guys,
I'm trying to create a certificate profile so that I end up with a
certificate carrying special attributes (supplied by the user through the web
enrollment form). I'm running dogtag 10.1 on Fedora 20...fresh install. I
added a certificate profile using pkiconsole but I'm struggling with how to
find the right Policies, Inputs and Outputs for the new profile. The OID I
intend to write to it is 2.16.76.1.3.3 (a country-specific OID). Here is
my profile's config file:
auth.instance_id=
desc=UserCNPJ
enable=false
enableBy=admin
input.CNPJ.class_id=genericInputImpl
input.CNPJ.name=Generic Input
input.CNPJ.params.gi_display_name0=Cadastro Nacional Pessoa Juridica
input.CNPJ.params.gi_display_name1=
input.CNPJ.params.gi_display_name2=
input.CNPJ.params.gi_display_name3=
input.CNPJ.params.gi_display_name4=
input.CNPJ.params.gi_param_enable0=true
input.CNPJ.params.gi_param_enable1=false
input.CNPJ.params.gi_param_enable2=false
input.CNPJ.params.gi_param_enable3=false
input.CNPJ.params.gi_param_enable4=false
input.CNPJ.params.gi_param_name0=cnpj
input.CNPJ.params.gi_param_name1=
input.CNPJ.params.gi_param_name2=
input.CNPJ.params.gi_param_name3=
input.CNPJ.params.gi_param_name4=
input.i1.class_id=keyGenInputImpl
input.i1.name=Key Generation Input
input.i2.class_id=subjectNameInputImpl
input.i2.name=Subject Name Input
input.i3.class_id=submitterInfoInputImpl
input.i3.name=Submitter Information Input
input.list=i1,i2,i3,CNPJ
input.params.gi_display_name0=Cadastro Nacional Pessoa Juridica
input.params.gi_display_name1=
input.params.gi_display_name2=
input.params.gi_display_name3=
input.params.gi_display_name4=
input.params.gi_param_enable0=true
input.params.gi_param_enable1=false
input.params.gi_param_enable2=false
input.params.gi_param_enable3=false
input.params.gi_param_enable4=false
input.params.gi_param_name0=cnpj
input.params.gi_param_name1=
input.params.gi_param_name2=
input.params.gi_param_name3=
input.params.gi_param_name4=
lastModified=1390319210315
name=UserCNPJ
output.list=o1
output.o1.class_id=certOutputImpl
output.o1.name=Certificate Output
policyset.list=set1
policyset.set1.list=p1,p2,p3,p4,p5,p06
policyset.set1.p06.constraint.class_id=noConstraintImpl
policyset.set1.p06.constraint.name=No Constraint
policyset.set1.p06.default.class_id=userExtensionDefaultImpl
policyset.set1.p06.default.name=User Supplied Extension Default
policyset.set1.p06.default.params.userExtOID=Comment Here...
policyset.set1.p1.constraint.class_id=noConstraintImpl
policyset.set1.p1.constraint.name=No Constraint
policyset.set1.p1.default.class_id=userSubjectNameDefaultImpl
policyset.set1.p1.default.name=User Supplied Subject Name Default
policyset.set1.p2.constraint.class_id=noConstraintImpl
policyset.set1.p2.constraint.name=No Constraint
policyset.set1.p2.default.class_id=validityDefaultImpl
policyset.set1.p2.default.name=Validity Default
policyset.set1.p2.default.params.range=180
policyset.set1.p2.default.params.startTime=0
policyset.set1.p3.constraint.class_id=noConstraintImpl
policyset.set1.p3.constraint.name=No Constraint
policyset.set1.p3.default.class_id=userKeyDefaultImpl
policyset.set1.p3.default.name=User Supplied Key Default
policyset.set1.p3.default.params.keyMaxLength=4096
policyset.set1.p3.default.params.keyMinLength=512
policyset.set1.p3.default.params.keyType=RSA
policyset.set1.p4.constraint.class_id=noConstraintImpl
policyset.set1.p4.constraint.name=No Constraint
policyset.set1.p4.default.class_id=signingAlgDefaultImpl
policyset.set1.p4.default.name=Signing Algorithm Default
policyset.set1.p4.default.params.signingAlg=-
policyset.set1.p4.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
policyset.set1.p5.constraint.class_id=noConstraintImpl
policyset.set1.p5.constraint.name=No Constraint
policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
policyset.set1.p5.default.name=Key Usage Extension Default
policyset.set1.p5.default.params.keyUsageCritical=true
policyset.set1.p5.default.params.keyUsageCrlSign=true
policyset.set1.p5.default.params.keyUsageDataEncipherment=true
policyset.set1.p5.default.params.keyUsageDecipherOnly=true
policyset.set1.p5.default.params.keyUsageDigitalSignature=true
policyset.set1.p5.default.params.keyUsageEncipherOnly=true
policyset.set1.p5.default.params.keyUsageKeyAgreement=true
policyset.set1.p5.default.params.keyUsageKeyCertSign=true
policyset.set1.p5.default.params.keyUsageKeyEncipherment=true
policyset.set1.p5.default.params.keyUsageNonRepudiation=true
visible=true
Thanks in advance,
sergio
10 years, 10 months
using Dogtag as a time-stamping CA
by Moretti Luca
Hi all,
I've installed Dogtag 10.0.6 on Fedora 18. It's running fine.
I would like to create a sub-CA with time-stamping extended key usage and then I would like to sign documents and their relative time-stamp with this certificate.
I've seen a tool named "signtool".
Is it possible to use Dogtag for time-stamping purposes? Any suggestion for implementing this?
Thanks,
Luca
10 years, 11 months
Dogtag on BeagleBone black
by David Wen
Hi,
Has anyone tried this? We are working on an offline CA on a PC, and thought
the BeagleBone Black would be the perfect platform to replace it. Fedora works fine
on it (it's ARM architecture) but not Dogtag.
Any hint will be appreciated.
David W
10 years, 11 months
Adding subject alternative name into certificate
by Jindrich Dolezal
Hi all,
I'm struggling with adding the subject alternative name (SAN) into the
generated certificate. I'm doing a SCEP request. When I print the cert request
into a file and dump it, it seems that the SAN is correctly added:
$ openssl req -in certreq.csr -text -noout
Certificate Request:
...
Requested Extensions:
X509v3 Subject Alternative Name:
email:example@example.org
Signature Algorithm: sha1WithRSAEncryption
1a:7e:d8:b7:80:a3:1f:ff:52:b5:28:be:9e:f2:53:03:22:f8:
....
the profile that is then used on ca contains:
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.name=Subject Alt Name Constraint
policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.9.default.params.subjAltExtType_0=RFC822Name
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
and in the log file:
[16/Jan/2014:13:49:42][http-9180-1]: Found PKCS10 extension
[16/Jan/2014:13:49:42][http-9180-1]: Set extensions [ObjectId: 2.5.29.17
Criticality=false
SubjectAlternativeName [
[RFC822Name: example(a)example.org]]
]
[16/Jan/2014:13:49:42][http-9180-1]: Finish parsePKCS10 - CN=testsubject
.....
[16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: populate start
[16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: createExtension i=0
[16/Jan/2014:13:49:42][http-9180-1]: gname is empty, not added
[16/Jan/2014:13:49:42][http-9180-1]: count is 0
[16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: populate sees no extension. get out
[16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: populate end
and the SAN is not included in the certificate.
I also tried other values for subjAltExtPattern_0 like $request.email$,
$request.SAN1$, etc., but this only ended in a state where the SAN was
included in the certificate but had the parameter itself as its value, i.e.
'$request.email$', which is apparently not what I wanted.
Would anyone know what I'm doing wrong, where is the catch?
Thanks a lot,
jd
10 years, 11 months
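The two posts above ("Add info to a new OID" and this SAN question) both come down to what a CA's PKCS#10 parser actually finds in the request's extensionRequest attribute: the log line "Found PKCS10 extension ... ObjectId: 2.5.29.17" is that parser reporting the DER it saw. The script below is an added example, not code from the pki-users thread or from the Dogtag project. It encodes the two extensions discussed (a SubjectAltName with one rfc822Name, and an extension under 2.16.76.1.3.3) exactly as they would sit inside a CSR, then walks the DER back out the way a CA would, reporting OID, criticality and value. Only the Python standard library is used. Assumptions: the inner encoding of the 2.16.76.1.3.3 value is a UTF8String placeholder (its real format is defined by the OID's owner), the sample values are constructed, and nothing here claims how Dogtag's userExtensionDefaultImpl or subjectAltNameExtDefaultImpl resolve their parameters.

```python
import binascii

# --- minimal DER encoder (added example; standard library only) ---

def der_len(n):
    """Encode a DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    """Wrap body in a tag-length-value triple."""
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))

def extension(oid, value, critical=False):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    body = der_oid(oid)
    if critical:                      # DER omits the BOOLEAN when it equals the default
        body += der(0x01, b"\xff")
    body += der(0x04, value)
    return der(0x30, body)

def san_rfc822(email):
    """SubjectAltName value: GeneralNames holding one rfc822Name ([1] IMPLICIT IA5String)."""
    return der(0x30, der(0x81, email.encode("ascii")))

def extensions(*exts):
    """Extensions ::= SEQUENCE OF Extension, as carried in a CSR's extensionRequest attribute."""
    return der(0x30, b"".join(exts))

# --- minimal DER walker, mirroring what a CA's PKCS#10 parser does ---

def _read_tlv(buf, pos):
    """Return (tag, content, position after this element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(body):
    """Decode OID content bytes to dotted form (first byte = 40*arc1 + arc2 for arc1 in 0..2)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_extensions(blob):
    """Return a list of (oid, critical, extnValue bytes) from a DER Extensions SEQUENCE."""
    tag, seq, _ = _read_tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF Extension")
    result, pos = [], 0
    while pos < len(seq):
        _, ext, pos = _read_tlv(seq, pos)
        _, oid_body, p = _read_tlv(ext, 0)
        tag, body, p = _read_tlv(ext, p)
        critical = False
        if tag == 0x01:               # optional critical BOOLEAN present
            critical = body == b"\xff"
            _, body, p = _read_tlv(ext, p)
        result.append((decode_oid(oid_body), critical, body))
    return result

def san_emails(value):
    """Collect the rfc822Name entries from a SubjectAltName extnValue."""
    _, seq, _ = _read_tlv(value, 0)
    out, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag == 0x81:
            out.append(body.decode("ascii"))
    return out

# Constructed sample: the two extensions from the thread. The UTF8String inside
# 2.16.76.1.3.3 is a placeholder assumption, not the OID's defined format.
SAMPLE_EXTENSIONS = extensions(
    extension("2.5.29.17", san_rfc822("example@example.org")),
    extension("2.16.76.1.3.3", der(0x0C, b"00.000.000/0000-00")),
)

def report(blob=SAMPLE_EXTENSIONS):
    """Return (oid, critical, summary) per extension, as the CA-side parser would see them."""
    rows = []
    for oid, critical, value in parse_extensions(blob):
        if oid == "2.5.29.17":
            summary = "rfc822Name=" + ",".join(san_emails(value))
        else:
            summary = "value=" + binascii.hexlify(value).decode()
        rows.append((oid, critical, summary))
    return rows

if __name__ == "__main__":
    for oid, critical, summary in report():
        print(f"ObjectId: {oid} Criticality={critical} {summary}")
```

Running it prints one line per extension, in the same shape as the "Set extensions [ObjectId: 2.5.29.17 ...]" log entry. The practical check for either thread is to feed the extensionRequest bytes of a real CSR (the OCTET STRING under attribute 1.2.840.113549.1.9.14) into parse_extensions: if the OID you want the CA to copy is not listed there, no profile-side "user supplied" default can find it, and a SAN that is listed but still missing from the issued certificate points at the profile's pattern resolution rather than at the request.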