Re: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA

Thanks fo clue. RMFPopClientTool is a cli tool. I check implementation and I found this method wrapPrivateKey(...). Can it be used to wrap private key which could be added to CertEnrollRequest to request certificate from my rest client? And do You have ideas how to get symmetric key for that? I think better solution would be use CA public key to encrypt it but I don't have that much knowlege in PKI and Dogtag architecture. 2015-10-14 19:25 GMT+02:00 John Magne <jmagne(a)redhat.com&gt;: > If you see the email I sent the other day, > we make use of the CRMFPopClient tool that uses the transport key to wrap > the private key. > > > > ----- Original Message ----- > From: "Marcin Mierzejewski" <marcinmierzejewski1024(a)gmail.com&gt; > To: "Dave Sirrine" <dsirrine(a)redhat.com&gt; > Cc: pki-users(a)redhat.com > Sent: Wednesday, October 14, 2015 2:35:00 AM > Subject: Re: [Pki-users] Dogtag profile for encryption certificate with > storing private key in DRM/KRA > > But after this change it is not adding private key to DRM: / > > 2015-10-13 19:27 GMT+02:00 Dave Sirrine < dsirrine(a)redhat.com > : > > > > Marcin, > > Not sure what exactly you're looking for here, but the beauty of profiles > is you can create your own. If the ECC profile works as you would expect, > you can always create a copy with a new name and change the appropriate > lines. A quick diff of the two profiles you mention shows that there's not > a lot that's different between the two: > > diff caEncECUserCert.cfg caEncUserCert.cfg > 1c1 > < desc=This certificate profile is for enrolling user ECC encryption > certificates. It works only with latest Firefox. > --- > > desc=This certificate profile is for enrolling user encryption > certificates with option to archive keys. > 5c5 > < name=Manual User Encryption ECC Certificates Enrollment > --- > > name=Manual User Encryption Certificates Enrollment > 7,8c7,10 > < input.list=i1 > < input.i1.class_id=encKeyGenInputImpl > --- > > input.list=i1,i2,i3 > > input.i1.class_id=certReqInputImpl > > input.i2.class_id=subjectNameInputImpl > > input.i3.class_id=submitterInfoInputImpl > 31,32c33,34 > < policyset.encryptionCertSet.3.constraint.params.keyType=EC > < > policyset.encryptionCertSet.3.constraint.params.keyParameters=nistp256,nistp521 > --- > > policyset.encryptionCertSet.3.constraint.params.keyType=RSA > > > policyset.encryptionCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 > 93a96 > > > > In theory (I have not tested this) you should be able to change the lines > for 'policyset.encryptionCertSet.3.constraint.params.keyType' and > 'policyset.encryptionCertSet.3.constraint.params.keyParameters' to match > the caEncUserCert.cfg profile and keep everything else the same. If you > have the KRA installed and configured to work with your CA, the encryption > keys should automatically be archived in the KRA. > > -- Dave > > On Tue, Oct 13, 2015 at 10:36 AM, Marcin Mierzejewski < > marcinmierzejewski1024(a)gmail.com > wrote: > > > > there is a caEncECUserCert that works as I expect but generates Eliptic > curve certificate. Is there any eqiuvalent for RSA? And next question is: > could I use this profile to generate enduser certificate remote by calling > REST service? > > 2015-10-13 15:51 GMT+02:00 Marcin Mierzejewski < > marcinmierzejewski1024(a)gmail.com > : > > > > Hi All, > > What I want is simple profile for requesting encryption(not sign) > personal certificate that will private key be stored in KRA/DRM. I check > existing profiles and found profile that name and description meet the > goals I want to achieve. > > CaEncUserCert.cfg > > this profile was not visible I change that. I opened this profile in end > user CA application > > > Certificate Profile - Manual User Encryption Certificates Enrollment > > This certificate profile is for enrolling user encryption certificates > with option to archive keys. Certificate Request Input > * Certificate Request Type list ( pcks10 or crmf) > > * Certificate Request (text area for request) > Subject Name > -fields with info about user(propably should be same values that were in > certificate request) > Requestor Information > - info about requestor > > How it's possible to store private key without even sending it to CA? can > be private key enclosed into "Certificate Request"? If answer is no - as I > think why there is a "option to archieve keys"? > > > > > > > Marcin > > > > _______________________________________________ > Pki-users mailing list > Pki-users(a)redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > > > > _______________________________________________ > Pki-users mailing list > Pki-users(a)redhat.com > https://www.redhat.com/mailman/listinfo/pki-users >