base64 CMC Request format
by Elliott William C OSS sIT
Hi all,
Can Dogtag (in this case v. 9.0.3-30.el6 ) be coerced into accepting base64-encoded CMC requests? Is there a parameter somewhere? Or would it require reprogramming?
We have a (smart-)card management system (runs under Windows) which sends the requests and expects the responses to both be base64 encoded.
Thanks and best regards,
William Elliott
s IT Solutions
Open System Services
8 years, 3 months
Add info to a new OID
by Sergio Pereira
hi guys,
I'm trying to create a certificate profile in a way to have at the end a
certificate with a special attributes (supplied by the user through web
enrollment form). I'm running dogtag 10.1 on Fedora 20...fresh install. I
added a certificate profile using pkiconsole but I'm struggling in how to
find the right Policies, Inputs and Outputs for the new profile. The OID I
intent to write to it is the 2.16.76.1.3.3 (country specific OID). Here is
my profile's config file:
auth.instance_id=
desc=UserCNPJ
enable=false
enableBy=admin
input.CNPJ.class_id=genericInputImpl
input.CNPJ.name=Generic Input
input.CNPJ.params.gi_display_name0=Cadastro Nacional Pessoa Juridica
input.CNPJ.params.gi_display_name1=
input.CNPJ.params.gi_display_name2=
input.CNPJ.params.gi_display_name3=
input.CNPJ.params.gi_display_name4=
input.CNPJ.params.gi_param_enable0=true
input.CNPJ.params.gi_param_enable1=false
input.CNPJ.params.gi_param_enable2=false
input.CNPJ.params.gi_param_enable3=false
input.CNPJ.params.gi_param_enable4=false
input.CNPJ.params.gi_param_name0=cnpj
input.CNPJ.params.gi_param_name1=
input.CNPJ.params.gi_param_name2=
input.CNPJ.params.gi_param_name3=
input.CNPJ.params.gi_param_name4=
input.i1.class_id=keyGenInputImpl
input.i1.name=Key Generation Input
input.i2.class_id=subjectNameInputImpl
input.i2.name=Subject Name Input
input.i3.class_id=submitterInfoInputImpl
input.i3.name=Submitter Information Input
input.list=i1,i2,i3,CNPJ
input.params.gi_display_name0=Cadastro Nacional Pessoa Juridica
input.params.gi_display_name1=
input.params.gi_display_name2=
input.params.gi_display_name3=
input.params.gi_display_name4=
input.params.gi_param_enable0=true
input.params.gi_param_enable1=false
input.params.gi_param_enable2=false
input.params.gi_param_enable3=false
input.params.gi_param_enable4=false
input.params.gi_param_name0=cnpj
input.params.gi_param_name1=
input.params.gi_param_name2=
input.params.gi_param_name3=
input.params.gi_param_name4=
lastModified=1390319210315
name=UserCNPJ
output.list=o1
output.o1.class_id=certOutputImpl
output.o1.name=Certificate Output
policyset.list=set1
policyset.set1.list=p1,p2,p3,p4,p5,p06
policyset.set1.p06.constraint.class_id=noConstraintImpl
policyset.set1.p06.constraint.name=No Constraint
policyset.set1.p06.default.class_id=userExtensionDefaultImpl
policyset.set1.p06.default.name=User Supplied Extension Default
policyset.set1.p06.default.params.userExtOID=Comment Here...
policyset.set1.p1.constraint.class_id=noConstraintImpl
policyset.set1.p1.constraint.name=No Constraint
policyset.set1.p1.default.class_id=userSubjectNameDefaultImpl
policyset.set1.p1.default.name=User Supplied Subject Name Default
policyset.set1.p2.constraint.class_id=noConstraintImpl
policyset.set1.p2.constraint.name=No Constraint
policyset.set1.p2.default.class_id=validityDefaultImpl
policyset.set1.p2.default.name=Validity Default
policyset.set1.p2.default.params.range=180
policyset.set1.p2.default.params.startTime=0
policyset.set1.p3.constraint.class_id=noConstraintImpl
policyset.set1.p3.constraint.name=No Constraint
policyset.set1.p3.default.class_id=userKeyDefaultImpl
policyset.set1.p3.default.name=User Supplied Key Default
policyset.set1.p3.default.params.keyMaxLength=4096
policyset.set1.p3.default.params.keyMinLength=512
policyset.set1.p3.default.params.keyType=RSA
policyset.set1.p4.constraint.class_id=noConstraintImpl
policyset.set1.p4.constraint.name=No Constraint
policyset.set1.p4.default.class_id=signingAlgDefaultImpl
policyset.set1.p4.default.name=Signing Algorithm Default
policyset.set1.p4.default.params.signingAlg=-
policyset.set1.p4.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,,SHA512withEC
policyset.set1.p5.constraint.class_id=noConstraintImpl
policyset.set1.p5.constraint.name=No Constraint
policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
policyset.set1.p5.default.name=Key Usage Extension Default
policyset.set1.p5.default.params.keyUsageCritical=true
policyset.set1.p5.default.params.keyUsageCrlSign=true
policyset.set1.p5.default.params.keyUsageDataEncipherment=true
policyset.set1.p5.default.params.keyUsageDecipherOnly=true
policyset.set1.p5.default.params.keyUsageDigitalSignature=true
policyset.set1.p5.default.params.keyUsageEncipherOnly=true
policyset.set1.p5.default.params.keyUsageKeyAgreement=true
policyset.set1.p5.default.params.keyUsageKeyCertSign=true
policyset.set1.p5.default.params.keyUsageKeyEncipherment=true
policyset.set1.p5.default.params.keyUsageNonRepudiation=true
visible=true
thx in advance,
sergio
10 years, 8 months
using Dogtag as a time-stamping CA
by Moretti Luca
Hi all,
I've installed Dogtag 10.0.6 on Fedora 18. It's running fine.
I would like to create a sub-CA with time-stamping extended key usage and then I would like to sign documents and their relative time-stamp with this certificate.
I've seen a tool named "signtool".
Is it possible to use Dogtag for time-stamping purposes? Any suggestion for implementing this?
Thanks,
Luca
This email and any attachments are confidential to the intended recipient and may also be privileged. If you are not the intended recipient please delete it from your system and notify the sender. You should not copy it or use it for any purpose nor disclose or distribute its contents to any other person.
Questa e-mail e tutti i suoi allegati sono da intendersi inviati in via riservata all'effettivo destinatario e possono essere soggetti a restrizioni legali. Se non siete l'effettivo destinatario o avete ricevuto il messaggio per errore siete pregati di cancellarlo dal vostro sistema e di avvisare il mittente. E' vietata la duplicazione, l'uso a qualsiasi titolo, la divulgazione o la distribuzione dei contenuti di questa e-mail a qualunque altro soggetto.
Prima di stampare questa comunicazione consideratene, per favore, l'impatto ambientale
Please consider the environment before printing this email
10 years, 8 months
Dogtag on BeagleBone black
by David Wen
Hi,
Has anyone tried this? We are working on an offline CA on a PC, and thought
BeagleBone black will be perfect platform to replace it. Fedora works fine
on it (it's ARM architecture) but not Dogtag.
Any hint will be appreciated.
David W
10 years, 8 months
Adding subject alternative name into certificate
by Jindrich Dolezal
hi all,
im struggling in adding the subject alternative name (san) into the
generated certificate. im doing scep request. when i print the cert req
into a file and dump it, it seems that san is correctly added:
$ openssl req -in certreq.csr -text -noout
Certificate Request:
...
Requested Extensions:
X509v3 Subject Alternative Name:
email:example@example.org
Signature Algorithm: sha1WithRSAEncryption
1a:7e:d8:b7:80:a3:1f:ff:52:b5:28:be:9e:f2:53:03:22:f8:
....
the profile that is then used on ca contains:
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.name=Subject Alt Name Constraint
policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.9.default.params.subjAltExtType_0=RFC822Name
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
and in the log file:
[16/Jan/2014:13:49:42][http-9180-1]: Found PKCS10 extension
[16/Jan/2014:13:49:42][http-9180-1]: Set extensions [ObjectId: 2.5.29.17
Criticality=false
SubjectAlternativeName [
[RFC822Name: example(a)example.org]]
]
[16/Jan/2014:13:49:42][http-9180-1]: Finish parsePKCS10 - CN=testsubject
.....
[16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: populate
start
[16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault:
createExtension i=0
[16/Jan/2014:13:49:42][http-9180-1]: gname is empty, not added
[16/Jan/2014:13:49:42][http-9180-1]: count is 0
[16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: populate
sees no extension. get out
[16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: populate end
and the san is not included in the certificate.
i also tried other values for subjAltExtPattern_0 like $request.email$,
$request.SAN1$, etc but this only ended with state where san was
included into the certificate but has value as the parameter, i.e.
'$request.email$' which is apparently not what i wanted.
would anyone know what im doing wrong, where is the catch?
thank a lot
jd
10 years, 8 months