Yes...
pki-ca-10.5.9-13.el7_6.noarch
CentOS 

Regarding the PolicyQualifiers0 in the debug log
[24/Apr/2019:13:10:50][http-bio-8443-exec-1]: CAProcessor: - policyQualifiers: PoliciesExt.num:1^M
PoliciesExt.certPolicy0.enable:true^M
PoliciesExt.certPolicy0.policyId:1.3.6.1.4.1.6.1.1.1.1^M
PoliciesExt.certPolicy0.PolicyQualifiers.num:1^M
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable:true^M
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value:http://url.com/^M
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable:false^M
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization:^M
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers:^M
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value:^M

As I told you, in this case, it looks like DISABLED, but in the configuration file it is ENABLED.

That's what confuses me there...

On the other hand, in the CS.cfg file, regarding that policy, look at this.
ca.Policy.rule.CertificatePoliciesExt.certPolicy0.cpsURI=
ca.Policy.rule.CertificatePoliciesExt.certPolicy0.noticeRefNumbers=
ca.Policy.rule.CertificatePoliciesExt.certPolicy0.noticeRefOrganization=
ca.Policy.rule.CertificatePoliciesExt.certPolicy0.policyId=
ca.Policy.rule.CertificatePoliciesExt.certPolicy0.userNoticeExplicitText=
ca.Policy.rule.CertificatePoliciesExt.critical=true
ca.Policy.rule.CertificatePoliciesExt.enable=true
ca.Policy.rule.CertificatePoliciesExt.implName=CertificatePoliciesExt
ca.Policy.rule.CertificatePoliciesExt.numCertPolicies=1
ca.Policy.rule.CertificatePoliciesExt.predicate=

The Critical and the Enable, by default were disabled, but I enabled them, restarted the service, I even rebooted the server entirely, but nothing yet.


Jonathan Montero
 
IT Professional | IT Trainer
A: Santo Domingo, DR
 
 



On Wed, Apr 24, 2019 at 3:31 PM Marc Sauton <msauton@redhat.com> wrote:
I see nothing that seems incorrect in your configurations. I will try a test; meanwhile, could you indicate the exact RHEL or Fedora versions and rpm -q pki-ca?
And are there any other related debug log entries (like about PolicyQualifiers0.usernotice.enable)?
Thanks,
M.

On Wed, Apr 24, 2019 at 10:19 AM Jonathan Montero <jmrxto@gmail.com> wrote:
Hi, thanks for your answer

- in the profile, that policyset.caCertSet.list has p7: DONE
- the CA was restarted after the custom profile changes: DONE
- debug log: DONE?
[24/Apr/2019:12:45:33][http-bio-8443-exec-1]: RequestProcessor: profileId=caClase1
[24/Apr/2019:12:46:29][localhost-startStop-1]: Start Profile Creation - caClase1 caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[24/Apr/2019:12:46:29][localhost-startStop-1]: Done Profile Creation - caClase1
[24/Apr/2019:12:46:29][localhost-startStop-1]: Registered Confirmation - caClase1

Also looked for more logs...
I see an XML section, and for some reason I see this in the XML:
<description>This default populates a Certificate Policies Extension to the request. The default values are Criticality=true, {PoliciesExt.num:1,{Enable:true,Policy Id:1.3.6.1.4.1.6.1.1.1.1,PolicyQualifiers.num:,{CPSuri Enable:true,UserNotice Enable:true,UserNoticeReference Organization:Company text Here,UserNoticeReference Numbers:1,UserNoticeReference Explicit Text:Some Text Here,CPS uri:http://url.com/}}}</description>

BUTTTTT, if I go down in the file I see
PoliciesExt.certPolicy0.enable:true&#xD;
PoliciesExt.certPolicy0.policyId:1.3.6.1.4.1.6.1.1.1.1&#xD;
PoliciesExt.certPolicy0.PolicyQualifiers.num:1&#xD;
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable:true&#xD;
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value:http://url.com/&#xD;
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable:false&#xD;
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization:&#xD;
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers:&#xD;
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value:&#xD;

The last 3 lines are EMPTY.


Jonathan Montero
 
IT Professional | IT Trainer
A: Santo Domingo, DR
 
 



On Wed, Apr 24, 2019 at 12:26 PM Marc Sauton <msauton@redhat.com> wrote:
make sure:
- in the profile, that policyset.caCertSet.list has p7
- the CA was restarted after the custom profile changes
- a review of the CA debug log, the profile you modified should be listed after a restart as, for example:
[14/Feb/2019:00:30:49][localhost-startStop-1]: added plugin profile caServerCertEnrollImpl Server Certificate Enrollment Profile Certificate Authority Server Certificate Enrollment Profile com.netscape.cms.profile.common.ServerCertCAEnrollProfile
[14/Feb/2019:00:31:43][localhost-startStop-1]: added plugin profile caServerCertEnrollImpl Server Certificate Enrollment Profile Certificate Authority Server Certificate Enrollment Profile com.netscape.cms.profile.common.ServerCertCAEnrollProfile
[14/Feb/2019:00:31:45][localhost-startStop-1]: Start Profile Creation - caServerCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[14/Feb/2019:00:31:45][localhost-startStop-1]: Done Profile Creation - caServerCert
[14/Feb/2019:00:31:45][localhost-startStop-1]: Registered Confirmation - caServerCert
and between the "Start" and "Done", there should be the details of the profile, with string "BasicProfile: createProfilePolicy" and more info
- review the same debug log after enrollment, for more details.
Thanks,
Marc S.

On Tue, Apr 23, 2019 at 9:23 PM Jonathan Montero <jmrxto@gmail.com> wrote:
Hi, I'm having an issue regarding the certificates policies.

It is as follows...
policyset.caCertSet.p7.constraint.class_id=noConstraintImpl
policyset.caCertSet.p7.default.class_id=certificatePoliciesExtDefaultImpl
policyset.caCertSet.p7.default.name=Certificate Policies Extension Default
policyset.caCertSet.p7.default.params.Critical=true
policyset.caCertSet.p7.default.params.PoliciesExt.num=1
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.enable=true
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://url.com/
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=true
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=Some Text Here
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=1
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=Company text Here


So, with this configuration I did not get all the results I want, don't know why....

I obtain
policyId=1.3.6.1.4.1.6.1.1.1.1

Also
CPSURI.value=http://url.com/

But can't get the explicitText.value and organization...

For some reason, those 2 latter options don't appear in the certificate.

What could this be?




Jonathan Montero
 
IT Professional | IT Trainer
A: Santo Domingo, DR
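
Added example, not part of the original thread: a short Python check that compares the profile parameters from the first message with the values the CA dumped in the debug log, and lists every PoliciesExt setting that differs. The sample strings are copied from the values quoted in the thread; the function names are hypothetical.

```python
import re

PREFIX = "policyset.caCertSet.p7.default.params."
# Sample inputs built from the values quoted in this thread (profile file, CA debug log).
PROFILE = """\
policyset.caCertSet.p7.default.params.PoliciesExt.num=1
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.enable=true
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://url.com/
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=true
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=Some Text Here
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=1
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=Company text Here
"""
DEBUG_LOG = """\
[24/Apr/2019:13:10:50][http-bio-8443-exec-1]: CAProcessor: - policyQualifiers: PoliciesExt.num:1^M
PoliciesExt.certPolicy0.enable:true^M
PoliciesExt.certPolicy0.policyId:1.3.6.1.4.1.6.1.1.1.1^M
PoliciesExt.certPolicy0.PolicyQualifiers.num:1^M
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable:true^M
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value:http://url.com/^M
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable:false^M
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization:^M
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers:^M
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value:^M
"""

def parse_profile(text):
    """PoliciesExt.* parameters from the profile's key=value lines."""
    return dict(re.findall(r"^" + re.escape(PREFIX) + r"(PoliciesExt\.[\w.]+)=(.*)$", text, re.M))

def parse_effective(text):
    """PoliciesExt.* values from a debug-log or request-XML dump (CR shown as ^M or &#xD;)."""
    hits = re.findall(r"(PoliciesExt\.[\w.]+):(.*?)(?:\^M|&#xD;)?$", text, re.M)
    return {k: v.strip() for k, v in hits}

def compare(configured, effective):
    """(key, status, configured, effective) for each parameter that differs."""
    diffs = []
    for key in sorted(set(configured) | set(effective)):
        c, e = configured.get(key), effective.get(key)
        if c != e:
            status = "only-effective" if c is None else "only-configured" if e is None else "mismatch"
            diffs.append((key, status, c, e))
    return diffs

if __name__ == "__main__":
    print(*compare(parse_profile(PROFILE), parse_effective(DEBUG_LOG)), sep="\n")
```

On the thread's data this reports `usernotice.enable` (true in the profile, false in the dump), the three user-notice fields that are empty in the dump, and `PolicyQualifiers.num`, which appears only in the dump.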
 
 
