Unable to get the CDP in the issuing certificates. Taking the caUserCert profile, it looks like CDP isn't in the profiles by default, which appears to be the default for all certificates.
Using the PKI Console, I added the CRL Distribution Points Extension Default with No Constraints
* The information below was entered based on examples in the Red Hat documentation ( http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Defaults_Reference-CRL_Distribution_Points_Extension_Default.html ).
[Default] tab
crlDistPointsCritical = false
crlDistPointsPointType_0 = URIName
crlDistPointsPointName_0 = http://crl.company.com:80
crlDistPointsReasons_0 = unused,superseded
crlDistPointsIssuerType_0 = http://pkica.corp.company.com
crlDistPointsIssueName_0 = URIName
crlDistPointsEnable_0 = true
When generating the certificate the CDP field is still not visible.I've attached a summary of the profile below with the new CDP field added.Any ideas?
Thanks.Chris
--
------------------------------------
Certificate Profile Information:
Certificate Profile Id: caUserCert Certificate Profile Name: Manual User Dual-Use Certificate Enrollment Description: This certificate profile is for enrolling user certificates. Approved: false Approved By: Policy Information:
Policy Set: userCertSet
# Extensions / Fields Constraints 1 This default populates a User-Supplied Certificate Subject Name to the request. This constraint accepts the subject name that matches CN=.* 2 This default populates a Certificate Validity to the request. The default values are Range=180 in days This constraint rejects the validity that is not between 365 days 3 This default populates a User-Supplied Certificate Key to the request. This constraint accepts the key only if Key Type=-, Key Min Length=256, Key Max Length=4096 4 This default populates an Authority Key Identifier Extension (2.5.29.35) to the request.
No Constraint 5 This default populates a Authority Info Access Extension (1.3.6.1.5.5.7.1.1) to the request. The default values are Criticality=false, Record #0{Method:1.3.6.1.5.5.7.48.1,Location Type:URIName,Location:,Enable:true}
No Constraint 6 This default populates a Key Usage Extension (2.5.29.15) to the request. The default values are Criticality=true, Digital Signature=true, Non-Repudiation=true, Key Encipherment=true, Data Encipherment=false, Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false
This constraint accepts the Key Usage extension, if present, only when Criticality=true, Digital Signature=true, Non-Repudiation=true, Key Encipherment=true, Data Encipherment=false, Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false 7 This default populates an Extended Key Usage Extension () to the request. The default values are Criticality=false, OIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
No Constraint 9 This default populates the Certificate Signing Algorithm. The default values are Algorithm=SHA1withRSA This constraint accepts only the Signing Algorithms of SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC 12 This default populates a CRL Distribution Points Extension (2.5.29.31) to the request. The default values are Criticality=false, Record #0{Point Type:http://crl.company.com:80,Point Name:URIName,Reasons:unused,superseded,Issuer Type:http://pkica.company.com,Issuer Name:URIName,Enable:true}Record #1{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}Record #2{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}Record #3{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}Record #4{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}
No Constraint