Hi Sergio,
I did wonder if what you needed was Subject Alternative Name extension but since you said it's a "special attribute" I thought you want something different ;-).
SubjectAlternativeName Extension is easy to apply in Dogtag.
First, here is info regarding SubjectAlternativeName:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Admin_Guide/index.html#Subject_Alternative_Name_Extension_Default
Scroll down a page or two then you will find Table B.21 Subject Alternative Name extension Default Configuration Parameters.
This is pretty much what you need. I think what you want for "Type" is "OIDName".
So for example, you would have:
policyset.set1.p06.constraint.class_id=noConstraintImplpolicyset.set1.p06.constraint.name=No Constraint
policyset.set1.p06.default.class_id=subjectAltNameExtDefaultImplpolicyset.set1.p06.default.name=Subject Alternative Name Extension Defaultpolicyset.set1.p06.default.params.subjAltExtGNEnable_0=true
policyset.set1.p06.default.params.subjectAltNameExtCritical=false
policyset.set1.p06.default.params.subjAltNameNumGNs=1
policyset.set1.p06.default.params.subjAltExtType_0=OIDName
policyset.set1.p06.default.params.subjAltExtPattern_0=2.16.76.1.3.3
again, the pattern part you can change it to take it from the input once it's working. However, unless you are in a controlled environment, it's better to have a constraint (You can write a plugin to suit your needs). And unless you have multiple OID's to insert, there is really no need to take from input.
Regarding Generic Extension, I know it should work. Maybe your value did not match the constraint. But it's a moot point now since you are looking for SAN.
hope this helps,
Christina
On 01/23/2014 04:12 AM, Sergio Pereira wrote:
Hi Christina,
I really appreciate for your response and time. I did try your suggestion but with no luck, when enrolling through web form I get the message: "Sorry, your request has been rejected. The reason is "Request Rejected - {0}".Attached is a picture of a real certificate, signed by a Brazilian CA and that is what I'm trying to accomplish using DogTag certificate system. The OID I'm trying to write to is marked in red and its value has some sort of Hex form (that would be the second step to be accomplished). One thing I realized is that the OID in question is in Subject Alternative Name and not as Generic Extension.
thx,sp
2014/1/23 Christina Fu <cfu@redhat.com>
Hi,
If I understand it correctly, you just want the OID to appear in the cert? if so, Generic Extension might be what you are looking for:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Admin_Guide/index.html#Generic_Extension_Default
Here is an example of it:
policyset.set1.p06.constraint.class_id=extensionConstraintImplpolicyset.set1.p06.constraint.name=Extension Constraint
policyset.set1.p06.constraint.params.extCritical=-
policyset.set1.p06.constraint.params.extOID=2.16.76.1.3.3
policyset.set1.p06.default.class_id=userExtensionDefaultImplpolicyset.set1.p06.default.name=Generic Extension Defaultpolicyset.set1.p06.default.params.enericExtCritical=false
policyset.set1.p06.default.params.genericExtData=bz
policyset.set1.p06.default.params.genericExtOID=2.16.76.1.3.3
In the above example, I just put your country OID in the profile, but I imagine you could change it to take it from the input. If you do so, you might want to lighten up on the constraint. I suggest you try the above hard-coded profile first just to see if the cert comes out what you are looking for before adding input in the profile.
There is actually a bug in the GenericExtension area in regards to setting critical to true. I have yet to check the fix into Dogtag. Let me know if you do need that.
BTW, regarding userExtensionDefault, it can only be used if your CSR has the wanted extension in the request already, so it's not going to help you.
Hope this helps.
Christina
On 01/22/2014 02:41 AM, Sergio Pereira wrote:
hi guys,
I'm trying to create a certificate profile in a way to have at the end a certificate with a special attributes (supplied by the user through web enrollment form). I'm running dogtag 10.1 on Fedora 20...fresh install. I added a certificate profile using pkiconsole but I'm struggling in how to find the right Policies, Inputs and Outputs for the new profile. The OID I intent to write to it is the 2.16.76.1.3.3 (country specific OID). Here is my profile's config file:
auth.instance_id=desc=UserCNPJenable=falseenableBy=admininput.CNPJ.class_id=genericInputImplinput.CNPJ.name=Generic Inputinput.CNPJ.params.gi_display_name0=Cadastro Nacional Pessoa Juridicainput.CNPJ.params.gi_display_name1=input.CNPJ.params.gi_display_name2=input.CNPJ.params.gi_display_name3=input.CNPJ.params.gi_display_name4=input.CNPJ.params.gi_param_enable0=trueinput.CNPJ.params.gi_param_enable1=falseinput.CNPJ.params.gi_param_enable2=falseinput.CNPJ.params.gi_param_enable3=falseinput.CNPJ.params.gi_param_enable4=falseinput.CNPJ.params.gi_param_name0=cnpjinput.CNPJ.params.gi_param_name1=input.CNPJ.params.gi_param_name2=input.CNPJ.params.gi_param_name3=input.CNPJ.params.gi_param_name4=input.i1.class_id=keyGenInputImplinput.i1.name=Key Generation Inputinput.i2.class_id=subjectNameInputImplinput.i2.name=Subject Name Inputinput.i3.class_id=submitterInfoInputImplinput.i3.name=Submitter Information Inputinput.list=i1,i2,i3,CNPJinput.params.gi_display_name0=Cadastro Nacional Pessoa Juridicainput.params.gi_display_name1=input.params.gi_display_name2=input.params.gi_display_name3=input.params.gi_display_name4=input.params.gi_param_enable0=trueinput.params.gi_param_enable1=falseinput.params.gi_param_enable2=falseinput.params.gi_param_enable3=falseinput.params.gi_param_enable4=falseinput.params.gi_param_name0=cnpjinput.params.gi_param_name1=input.params.gi_param_name2=input.params.gi_param_name3=input.params.gi_param_name4=lastModified=1390319210315name=UserCNPJoutput.list=o1output.o1.class_id=certOutputImploutput.o1.name=Certificate Outputpolicyset.list=set1policyset.set1.list=p1,p2,p3,p4,p5,p06policyset.set1.p06.constraint.class_id=noConstraintImplpolicyset.set1.p06.constraint.name=No Constraintpolicyset.set1.p06.default.class_id=userExtensionDefaultImplpolicyset.set1.p06.default.name=User Supplied Extension Defaultpolicyset.set1.p06.default.params.userExtOID=Comment Here...policyset.set1.p1.constraint.class_id=noConstraintImplpolicyset.set1.p1.constraint.name=No Constraintpolicyset.set1.p1.default.class_id=userSubjectNameDefaultImplpolicyset.set1.p1.default.name=User Supplied Subject Name Defaultpolicyset.set1.p2.constraint.class_id=noConstraintImplpolicyset.set1.p2.constraint.name=No Constraintpolicyset.set1.p2.default.class_id=validityDefaultImplpolicyset.set1.p2.default.name=Validity Defaultpolicyset.set1.p2.default.params.range=180policyset.set1.p2.default.params.startTime=0policyset.set1.p3.constraint.class_id=noConstraintImplpolicyset.set1.p3.constraint.name=No Constraintpolicyset.set1.p3.default.class_id=userKeyDefaultImplpolicyset.set1.p3.default.name=User Supplied Key Defaultpolicyset.set1.p3.default.params.keyMaxLength=4096policyset.set1.p3.default.params.keyMinLength=512policyset.set1.p3.default.params.keyType=RSApolicyset.set1.p4.constraint.class_id=noConstraintImplpolicyset.set1.p4.constraint.name=No Constraintpolicyset.set1.p4.default.class_id=signingAlgDefaultImplpolicyset.set1.p4.default.name=Signing Algorithm Defaultpolicyset.set1.p4.default.params.signingAlg=-policyset.set1.p4.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,,SHA512withECpolicyset.set1.p5.constraint.class_id=noConstraintImplpolicyset.set1.p5.constraint.name=No Constraintpolicyset.set1.p5.default.class_id=keyUsageExtDefaultImplpolicyset.set1.p5.default.name=Key Usage Extension Defaultpolicyset.set1.p5.default.params.keyUsageCritical=truepolicyset.set1.p5.default.params.keyUsageCrlSign=truepolicyset.set1.p5.default.params.keyUsageDataEncipherment=truepolicyset.set1.p5.default.params.keyUsageDecipherOnly=truepolicyset.set1.p5.default.params.keyUsageDigitalSignature=truepolicyset.set1.p5.default.params.keyUsageEncipherOnly=truepolicyset.set1.p5.default.params.keyUsageKeyAgreement=truepolicyset.set1.p5.default.params.keyUsageKeyCertSign=truepolicyset.set1.p5.default.params.keyUsageKeyEncipherment=truepolicyset.set1.p5.default.params.keyUsageNonRepudiation=truevisible=truethx in advance,sergio
_______________________________________________ Pki-users mailing list Pki-users@redhat.com https://www.redhat.com/mailman/listinfo/pki-users
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users