I fixed that :D

I only added 1.3.6.1.4.1.311.20.2.2 to policyset.userCertSet.7.default.params.exKeyUsageOIDs=
in only the 3 profiles I use, and it works.

policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4,1.3.6.1.4.1.311.20.2.2

* What version of Dogtag PKI are you using?
dogtag-pki.noarch                         10.5.1-2.el7pki 

* What platform are you using? Fedora, CentOS, Debian, RHEL?
Red Hat Enterprise Linux Server release 7.6 (Maipo)
* Can you attach debug logs?

* Can you share the profiles that you edited and its contents?

desc=Personal Clase 1
visible=true
enable=true
enableBy=admin
name=Personal Clase 1
auth.class_id=
input.list=i1,i2
input.i1.class_id=certReqInputImpl
input.i2.class_id=submitterInfoInputImpl
input.i3.params.gi_display_name0=ccm
input.i3.params.gi_param_enable0=true
input.i3.params.gi_param_name0=ccm
input.i3.class_id=subjectAltNameExtInputImpl
input.i3.name=subjectAltNameExtInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=userCertSet
policyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9,11,12,p7
policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.userCertSet.1.constraint.name=Subject Name Constraint
policyset.userCertSet.1.constraint.params.pattern=.*CN=.*
policyset.userCertSet.1.constraint.params.accept=true
policyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.userCertSet.1.default.name=Subject Name Default
policyset.userCertSet.1.default.params.name=
policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint
policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
policyset.userCertSet.10.constraint.params.renewal.graceAfter=30
policyset.userCertSet.10.default.class_id=noDefaultImpl
policyset.userCertSet.10.default.name=No Default
policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
policyset.userCertSet.2.constraint.name=Validity Constraint
policyset.userCertSet.2.constraint.params.range=1825
policyset.userCertSet.2.constraint.params.notBeforeCheck=false
policyset.userCertSet.2.constraint.params.notAfterCheck=false
policyset.userCertSet.2.default.class_id=validityDefaultImpl
policyset.userCertSet.2.default.name=Validity Default
policyset.userCertSet.2.default.params.range=730
policyset.userCertSet.2.default.params.startTime=0
policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
policyset.userCertSet.3.constraint.name=Key Constraint
policyset.userCertSet.3.constraint.params.keyType=RSA
policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
policyset.userCertSet.3.default.name=Key Default
policyset.userCertSet.4.constraint.class_id=noConstraintImpl
policyset.userCertSet.4.constraint.name=No Constraint
policyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
policyset.userCertSet.4.default.name=Authority Key Identifier Default
policyset.userCertSet.5.constraint.class_id=noConstraintImpl
policyset.userCertSet.5.constraint.name=No Constraint
policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.userCertSet.5.default.name=AIA Extension Default
policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.userCertSet.5.default.params.authInfoAccessCritical=false
policyset.userCertSet.5.default.params.authInfoAccessNumADs=1
policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
policyset.userCertSet.6.constraint.params.keyUsageCritical=true
policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true
policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false
policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false
policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.userCertSet.6.default.name=Key Usage Default
policyset.userCertSet.6.default.params.keyUsageCritical=true
policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true
policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
policyset.userCertSet.6.default.params.keyUsageCrlSign=false
policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
policyset.userCertSet.7.constraint.class_id=noConstraintImpl
policyset.userCertSet.7.constraint.name=No Constraint
policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
policyset.userCertSet.7.default.params.exKeyUsageCritical=false
policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4,1.3.6.1.4.1.311.20.2.2
policyset.userCertSet.8.constraint.class_id=noConstraintImpl
policyset.userCertSet.8.constraint.name=No Constraint
policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
policyset.userCertSet.8.default.name=Subject Alt Name Constraint
policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
policyset.userCertSet.8.default.params.subjAltExtType_1=DNSName
policyset.userCertSet.8.default.params.subjAltExtType_2=DNSName
policyset.userCertSet.8.default.params.subjAltExtType_3=DNSName
policyset.userCertSet.8.default.params.subjAltExtType_4=DNSName
policyset.userCertSet.8.default.params.subjAltExtType_5=DNSName
policyset.userCertSet.8.default.params.subjAltExtType_6=DNSName
policyset.userCertSet.8.default.params.subjAltExtType_7=DNSName
policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.userCertSet.8.default.params.subjAltExtPattern_1=$request.dnsname$
policyset.userCertSet.8.default.params.subjAltExtPattern_2=$request.dnsname$
policyset.userCertSet.8.default.params.subjAltExtPattern_3=Politica de Certificados Clase 1 (Personal)
policyset.userCertSet.8.default.params.subjAltExtPattern_4=Name
policyset.userCertSet.8.default.params.subjAltExtPattern_5=Direction
policyset.userCertSet.8.default.params.subjAltExtPattern_6=Instituto
policyset.userCertSet.8.default.params.subjAltExtPattern_7=Directivo
policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
policyset.userCertSet.8.default.params.subjAltExtGNEnable_1=true
policyset.userCertSet.8.default.params.subjAltExtGNEnable_2=true
policyset.userCertSet.8.default.params.subjAltExtGNEnable_3=true
policyset.userCertSet.8.default.params.subjAltExtGNEnable_4=true
policyset.userCertSet.8.default.params.subjAltExtGNEnable_5=true
policyset.userCertSet.8.default.params.subjAltExtGNEnable_6=true
policyset.userCertSet.8.default.params.subjAltExtGNEnable_7=true
policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
policyset.userCertSet.8.default.params.subjAltNameNumGNs=8
policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
policyset.userCertSet.9.constraint.name=No Constraint
policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
policyset.userCertSet.9.default.name=Signing Alg
policyset.userCertSet.9.default.params.signingAlg=-
policyset.userCertSet.11.constraint.class_id=basicConstraintsExtConstraintImpl
policyset.userCertSet.11.constraint.name=Basic Constraint Extension Constraint
policyset.userCertSet.11.constraint.params.basicConstraintsIsCA=false
policyset.userCertSet.11.default.class_id=basicConstraintsExtDefaultImpl
policyset.userCertSet.11.default.name=Basic Constraints Extension Default
policyset.userCertSet.11.default.params.basicConstraintsCritical=false
policyset.userCertSet.11.default.params.basicConstraintsIsCA=false
policyset.userCertSet.11.default.params.basicConstraintsPathLen=-1
policyset.userCertSet.12.constraint.class_id=noConstraintImpl
policyset.userCertSet.12.constraint.name=No Constraint
policyset.userCertSet.12.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.userCertSet.12.default.name=CRL Distribution Points Extension Default
policyset.userCertSet.12.default.params.crlDistPointsCritical=false
policyset.userCertSet.12.default.params.crlDistPointsNum=1
policyset.userCertSet.12.default.params.crlDistPointsEnable_0=true
policyset.userCertSet.12.default.params.crlDistPointsIssuerName_0=O=Camara
policyset.userCertSet.12.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.userCertSet.12.default.params.crlDistPointsPointName_0=http://list.mydomain.com:8080/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
policyset.userCertSet.12.default.params.crlDistPointsPointType_0=URIName
policyset.userCertSet.12.default.params.crlDistPointsReasons_0=
policyset.userCertSet.p7.constraint.class_id=noConstraintImpl
policyset.userCertSet.p7.constraint.name=No Constraint
policyset.userCertSet.p7.default.class_id=certificatePoliciesExtDefaultImpl
policyset.userCertSet.p7.default.name=Certificate Policies Extension Default
policyset.userCertSet.p7.default.params.Critical=true
policyset.userCertSet.p7.default.params.PoliciesExt.num=1
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.enable=true
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.26236.1.1.1.1
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://cps.mydomain.com/
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=true
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=Politica de Certificados Clase 1 (Personal)
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=1
policyset.userCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=Camara


On Fri, Sep 11, 2020 at 4:05 PM Marc Sauton <msauton@redhat.com> wrote:
Is it possible there is a user-provided extended key usage extension in the request?
Or there may be a profile configuration issue related to userExtensionDefaultImpl and keyUsageExtConstraintImpl; we may need to see the whole enrollment profile (eventually send it to me privately if you prefer).
Thanks,
M.

On Fri, Sep 11, 2020 at 7:02 AM Jose Antonio Mendoza Roa <roa@unixmexico.org> wrote:
Hello 


Hi everyone, I am new to this list and new to using dogtag.
I have 3 profiles (types of certificates) to which I was asked to append the Smart Card Logon configuration (1.3.6.1.4.1.311.20.2.2), and I added this configuration to the certificate profile:


policyset.userCertSet.p15.constraint.class_id=noConstraintImpl
policyset.userCertSet.p15.constraint.name=No Constraint
policyset.userCertSet.p15.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.userCertSet.p15.default.name=Extended Key Usage Extension Default
policyset.userCertSet.p15.default.params.exKeyUsageCritical=false
policyset.userCertSet.p15.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.4.1.311.20.2.2

But when I did the tests I get this error in the dogtag logs.


"duplicate extension attempted! Name: oid=2.5.29.37 val=48 0"

--
This electronic mail message -- and any attachments -- may contain 
privileged/confidential information, intended only for the use of the addressee. If you 
are not the addressee, you may not use, copy or disclose to a third party the content 
of this message or its attachments. If you have received this message by mistake, 
please notify us immediately by e-mail and destroy this message, along with all 
attachments
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
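
The failure discussed in this thread, as an added example that is not part of the original messages or of the Dogtag project: a profile check that flags two policy entries writing the same extension OID (here 2.5.29.37 from entries 7 and p15) and computes the single merged exKeyUsageOIDs value. The function names are hypothetical, and the check assumes that only the ids named in policyset.<set>.list are applied.

```python
import re
from collections import defaultdict

# Standard X.509 extension OID written by each default class named in the profile.
EXT_OID = {
    "keyUsageExtDefaultImpl": "2.5.29.15",
    "subjectAltNameExtDefaultImpl": "2.5.29.17",
    "certificatePoliciesExtDefaultImpl": "2.5.29.32",
    "extendedKeyUsageExtDefaultImpl": "2.5.29.37",
}
KEY = re.compile(r"^policyset\.([^.]+)\.([^.]+)\.default\.class_id$")

def parse(text):
    # key=value lines into a dict; blank lines and '#' comments are skipped
    lines = (l for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in lines)}

def duplicate_extensions(text):
    """{(policyset, oid): [ids]} for OIDs set by more than one listed entry.
    Assumption: only ids named in policyset.<set>.list are applied."""
    props, seen = parse(text), defaultdict(list)
    for key, cls in props.items():
        m = KEY.match(key)
        if m and cls in EXT_OID:
            pset, pid = m.groups()
            if pid in props.get(f"policyset.{pset}.list", "").split(","):
                seen[(pset, EXT_OID[cls])].append(pid)
    return {k: ids for k, ids in seen.items() if len(ids) > 1}

def merged_eku(text, pset, ids):
    """Union of exKeyUsageOIDs over the given entries, in first-seen order."""
    props, out = parse(text), []
    for pid in ids:
        val = props.get(f"policyset.{pset}.{pid}.default.params.exKeyUsageOIDs", "")
        out += [o for o in val.split(",") if o and o not in out]
    return ",".join(out)

# Constructed sample modelled on the thread: an existing EKU entry 7 plus the added p15.
SAMPLE = """\
policyset.userCertSet.list=6,7,p15
policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
policyset.userCertSet.p15.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.userCertSet.p15.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.4.1.311.20.2.2
"""

if __name__ == "__main__":
    dups = duplicate_extensions(SAMPLE)
    print(dups, merged_eku(SAMPLE, "userCertSet", dups[("userCertSet", "2.5.29.37")]))
```

The merged value is what goes into the one remaining extendedKeyUsageExtDefaultImpl entry once the second entry is dropped from the profile.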

