Thank you very much, Sean, for your answer, and sorry for my late answer.
In fact:
policyset.userCertSet.13.default.class_id=crlDistributionPointsExtDefaultImpl
was already enabled ...
In fact, the Java error occurs when I enable
policyset.userCertSet.13.default.params.crlDistPointsPointType_0=URIName
If I remove the URIName or if I replace it with any of the other possible values,
I don't get this error any more.
May I ask which Java and OS versions you are using on your system?
I'm using
FC12 and OpenJDK Runtime Environment (IcedTea6 1.8.1) (fedora-40.b18.fc12-i386)
OpenJDK Client VM (build 14.0-b16, mixed mode)
Thank you.
Kind Regards.
On 10/22/2010 03:14 PM, sean.veale(a)gdc4s.com wrote:
Hi, Usually there is a reference to an Impl classID so the CA knows
what function/class to call when generating this part of the cert.
For my system (built on Red Hat CS 8.0 instead of Dogtag, but those
codebases are very similar) I have this in my cert profiles and it
generates the CRL DP entry in the cert without errors.
policyset.userCertSet.13.constraint.class_id=noConstraintImpl
policyset.userCertSet.13.constraint.name=No Constraint
policyset.userCertSet.13.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.userCertSet.13.default.name=CRL Distribution Points Extension Default
policyset.userCertSet.13.default.params.crlDistPointsCritical=false
policyset.userCertSet.13.default.params.crlDistPointsNum=1
policyset.userCertSet.13.default.params.crlDistPointsEnable_0=true
policyset.userCertSet.13.default.params.crlDistPointsPointName_0=http://xxx.xxx.xxx/crl/xxx.crl
I don't believe you need to specify the No Constraint fields; I just
have them in there so that if I later wanted to enforce a specific CRL
distribution point, it would require fewer updates to the profile.
This line here is the one I think you need.
policyset.userCertSet.13.default.class_id=crlDistributionPointsExtDefaultImpl
As it tells the CA what class to call into when generating this part of
the cert.
I don't think this is needed either, but it was in the example certs
from the CS 8.0 install so I left it.
policyset.userCertSet.13.default.params.crlDistPointsNum=1
I presume it is just letting the CA know after you added one CRL to the
cert you can move on but I have dug into the code to find out.
Sean
-----Original Message-----
From: pki-users-bounces(a)redhat.com [mailto:pki-users-bounces@redhat.com]
On Behalf Of Frederic d'Huart
Sent: Friday, October 22, 2010 5:56 AM
To: pki-users(a)redhat.com
Subject: [Pki-users] DogTAG PKI - crlDistributionPoints cert profile:
Type_0 : URIName error
Hello Pki users,
Section B.1.4. of the RH admin guide refers to the following acceptable
values
for crlDistributionPoint Type:
DirectoryName
URIName
RelativeToIssuer
Using PKIConsole, I have added to the caUserCert profile a policy to
include a CDP as follows:
policyset.userCertSet.13.default.name=CRL Distribution Points Extension Default
policyset.userCertSet.13.default.params.crlDistPointsCritical=false
policyset.userCertSet.13.default.params.crlDistPointsEnable_0=true
policyset.userCertSet.13.default.params.crlDistPointsPointType_0=URIName
policyset.userCertSet.13.default.params.crlDistPointsPointName_0=http://xxx.xxx.xxx/crl/xxx.crl
policyset.userCertSet.13.default.params.crlDistPointsReasons_0=
After the profile was re-activated and a new request generated, I get the
following error on the agent interface:
The Certificate System has encountered an unrecoverable error.
Error Message:
/java.lang.ClassCastException: netscape.security.x509.Extension cannot
be cast to netscape.security.x509.CRLDistributionPointsExtension/
Please contact your local administrator for assistance.
Any ideas what could be wrong?
Thank you.
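Added example, not part of the thread and not Dogtag or Red Hat CS code: a small linter that checks the CRL distribution point parameters of a profile policy for internal consistency before the profile is re-activated. The parameter names, the class ID and the three point types are the ones quoted in the thread; the checks themselves, the meaning given to crlDistPointsNum, the function names and the sample host name are assumptions.

```python
import re
from urllib.parse import urlparse

# Point types listed in the thread (quoted there from the admin guide, B.1.4).
POINT_TYPES = {"DirectoryName", "URIName", "RelativeToIssuer"}
IMPL = "crlDistributionPointsExtDefaultImpl"

def parse_profile(text):
    """Read the key=value lines of a profile into a dict (comments skipped)."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def lint_cdp(props, prefix):
    """Return findings for the policy at prefix, e.g. 'policyset.userCertSet.13'."""
    findings = []
    if props.get(prefix + ".default.class_id") != IMPL:
        findings.append("default.class_id is not " + IMPL)
    params = prefix + ".default.params."
    pat = re.compile(re.escape(params) + r"crlDistPoints(\w+?)_(\d+)$")
    points = {}  # index -> {"Enable": ..., "PointType": ..., "PointName": ...}
    for key, value in props.items():
        if m := pat.match(key):
            points.setdefault(int(m.group(2)), {})[m.group(1)] = value
    # Assumption: crlDistPointsNum is the number of indexed points (0..Num-1).
    num = props.get(params + "crlDistPointsNum")
    if num is not None and (not num.isdigit() or int(num) <= max(points, default=-1)):
        findings.append(f"crlDistPointsNum={num} does not cover every indexed point")
    for i, p in sorted(points.items()):
        if p.get("Enable") != "true":
            continue  # disabled points are not checked
        ptype, name = p.get("PointType"), p.get("PointName", "")
        if ptype is not None and ptype not in POINT_TYPES:
            findings.append(f"point {i}: PointType {ptype!r} is not a listed value")
        if not name:
            findings.append(f"point {i}: PointName is empty")
        elif ptype == "URIName" and not all(urlparse(name)[:2]):
            findings.append(f"point {i}: PointName {name!r} is not an absolute URI")
    return findings

P = "policyset.userCertSet.13.default."
# Constructed sample: relative URI on point 0, point 1 enabled but unnamed.
SAMPLE = "\n".join([
    P + "class_id=" + IMPL,
    P + "params.crlDistPointsNum=1",
    P + "params.crlDistPointsEnable_0=true",
    P + "params.crlDistPointsPointType_0=URIName",
    P + "params.crlDistPointsPointName_0=crl/master.crl",
    P + "params.crlDistPointsEnable_1=true",
])
```

Calling `lint_cdp(parse_profile(SAMPLE), "policyset.userCertSet.13")` returns three findings for the constructed sample; a profile without crlDistPointsPointType_N, like the one quoted in the reply above, is not flagged for that.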