Re: [Pki-users] Re: No CDP by default?

Additional Info: Some entries from the debug log: [12/Apr/2008:23:54:42][http-9443-Processor20]: CRLDistribtionPointsExtDefault: createExtension Invalid Property http://pkica.company.com <http://pkica.company.com/> [12/Apr/2008:23:54:42][http-9443-Processor20]: CRLDistribtionPointsExtDefault: createExtension Invalid Property http://pkica.company.com <http://pkica.company.com/> From the Red Hat documentation, when using the IssuerName_0=URIName, the IssuerType_n= should be: / For URIName, the value must be a non-relative URI following the URL syntax and encoding rules. The name must include both a scheme, such as http, and a fully qualified domain name or IP address of the host. For example, http://testCA.example.com./ So based on the Red Hat documentation, not sure what the value to be. Thanks, Chris Cayetano On 4/11/08, *Chris* <crc408(a)gmail.com <mailto:crc408@gmail.com>> wrote: Unable to get the CDP in the issuing certificates. Taking the caUserCert profile, it looks like CDP isn't in the profiles by default, which appears to be the default for all certificates. Using the PKI Console, I added the CRL Distribution Points Extension Default with No Constraints * The information below was entered based on examples in the Red Hat documentation ( http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Gu... ). [Default] tab crlDistPointsCritical = false crlDistPointsPointType_0 = URIName crlDistPointsPointName_0 = http://crl.company.com:80 <http://crl.company.com/> crlDistPointsReasons_0 = unused,superseded crlDistPointsIssuerType_0 = http://pkica.corp.company.com <http://pkica.corp.company.com/> crlDistPointsIssueName_0 = URIName crlDistPointsEnable_0 = true When generating the certificate the CDP field is still not visible.I've attached a summary of the profile below with the new CDP field added. Any ideas? Thanks. Chris -- ------------------------------------ *Certificate Profile Information:* Certificate Profile Id: caUserCert Certificate Profile Name: Manual User Dual-Use Certificate Enrollment <http://profileselect/?profileId=caUserCert> Description: This certificate profile is for enrolling user certificates. Approved: false Approved By: *Policy Information:* Policy Set: userCertSet *#* *Extensions / Fields* *Constraints* 1 This default populates a User-Supplied Certificate Subject Name to the request. This constraint accepts the subject name that matches CN=.* 2 This default populates a Certificate Validity to the request. The default values are Range=180 in days This constraint rejects the validity that is not between 365 days 3 This default populates a User-Supplied Certificate Key to the request. This constraint accepts the key only if Key Type=-, Key Min Length=256, Key Max Length=4096 4 This default populates an Authority Key Identifier Extension (2.5.29.35 <http://2.5.29.35/>) to the request. No Constraint 5 This default populates a Authority Info Access Extension (1.3.6.1.5.5.7.1.1) to the request. The default values are Criticality=false, Record #0{Method:1.3.6.1.5.5.7.48.1,Location Type:URIName,Location:,Enable:true} No Constraint 6 This default populates a Key Usage Extension (2.5.29.15 <http://2.5.29.15/>) to the request. The default values are Criticality=true, Digital Signature=true, Non-Repudiation=true, Key Encipherment=true, Data Encipherment=false, Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false This constraint accepts the Key Usage extension, if present, only when Criticality=true, Digital Signature=true, Non-Repudiation=true, Key Encipherment=true, Data Encipherment=false, Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false 7 This default populates an Extended Key Usage Extension () to the request. The default values are Criticality=false, OIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 No Constraint 9 This default populates the Certificate Signing Algorithm. The default values are Algorithm=SHA1withRSA This constraint accepts only the Signing Algorithms of SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC 12 This default populates a CRL Distribution Points Extension (2.5.29.31 <http://2.5.29.31/>) to the request. The default values are Criticality=false, Record #0{Point Type:http://crl.company.com:80 <http://crl.company.com/>,Point Name:URIName,Reasons:unused,superseded,Issuer Type:http://pkica.company.com <http://pkica.company.com/>,Issuer Name:URIName,Enable:true}Record #1{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}Record #2{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}Record #3{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}Record #4{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false} No Constraint ------------------------------------------------------------------------ _______________________________________________ Pki-users mailing list Pki-users(a)redhat.com https://www.redhat.com/mailman/listinfo/pki-users