1:43 p.m.
Sorry, hit the send by mistake....
I've succesfully installed Dogtag. The documentation was clear and I didn't
have any issues.
My question is in regards to customizing certificate profiles. In the
current CA environment I manager, I deal with customizing profiles. Is there
a way to create customized certificate profiles?
The fields which apply are:
CertificatePolicies
- Policy Identifier
- User Notice with custom text
ExtendedKeyUsage
- New Key Usage OID
Also, in one profile, we've created a new field that programically ties to
the EKU
On our current CA software, a config file is modified to customize profiles.
Also there is some DER encoding required to convert the appropriate text.
Is this feature available?
2:10 p.m.
Profiles can be configured in <Dogtag install root>/profiles/ca. If you
add your own new profiles, you need to modify <Dogtag install
root>//conf/CS.cfg "profile.list" to contain the new profile name, and
add the corresponding "class_id" and "config" (see the existing
entries
in CS.cfg as example), and restart the CA.
In addition, Dogtag provides flexible plugin infrastructure that allows
people to customize various areas. Profile is one of them.
The standard profile related polugins code is in
pki/base/common/src/com/netscape/cms/profile/. That's for advanced
users who know what they are doing. Make sure the certs produced still
comply.
hope this helps.
Christina
Chris wrote:
Sorry, hit the send by mistake....
I've succesfully installed Dogtag. The documentation was clear and I
didn't have any issues.
My question is in regards to customizing certificate profiles. In the
current CA environment I manager, I deal with customizing profiles. Is
there a way to create customized certificate profiles?
The fields which apply are:
CertificatePolicies
- Policy Identifier
- User Notice with custom text
ExtendedKeyUsage
- New Key Usage OID
Also, in one profile, we've created a new field that programically
ties to the EKU
On our current CA software, a config file is modified to customize
profiles. Also there is some DER encoding required to convert the
appropriate text.
Is this feature available?
------------------------------------------------------------------------
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
12:09 a.m.
Thanks. That worked.
On Wed, Apr 9, 2008 at 12:10 PM, Christina Fu <cfu(a)redhat.com> wrote:
Profiles can be configured in <Dogtag install
root>/profiles/ca. If you
add your own new profiles, you need to modify <Dogtag install
root>//conf/CS.cfg "profile.list" to contain the new profile name, and add
the corresponding "class_id" and "config" (see the existing entries
in
CS.cfg as example), and restart the CA.
In addition, Dogtag provides flexible plugin infrastructure that allows
people to customize various areas. Profile is one of them.
The standard profile related polugins code is in
pki/base/common/src/com/netscape/cms/profile/. That's for advanced users
who know what they are doing. Make sure the certs produced still comply.
hope this helps.
Christina
Chris wrote:
>
> Sorry, hit the send by mistake....
>
> I've succesfully installed Dogtag. The documentation was clear and I
> didn't have any issues.
> My question is in regards to customizing certificate profiles. In the
> current CA environment I manager, I deal with customizing profiles. Is there
> a way to create customized certificate profiles?
> The fields which apply are:
> CertificatePolicies
> - Policy Identifier
> - User Notice with custom text
> ExtendedKeyUsage
> - New Key Usage OID
> Also, in one profile, we've created a new field that programically
> ties to the EKU
>
> On our current CA software, a config file is modified to customize
> profiles. Also there is some DER encoding required to convert the
> appropriate text.
>
> Is this feature available?
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
3:16 p.m.
Chris wrote:
Thanks. That worked.
On Wed, Apr 9, 2008 at 12:10 PM, Christina Fu <cfu(a)redhat.com
<mailto:cfu@redhat.com>> wrote:
Profiles can be configured in <Dogtag install root>/profiles/ca.
If you add your own new profiles, you need to modify <Dogtag
install root>//conf/CS.cfg "profile.list" to contain the new
profile name, and add the corresponding "class_id" and "config"
(see the existing entries in CS.cfg as example), and restart the CA.
In addition, Dogtag provides flexible plugin infrastructure that
allows people to customize various areas. Profile is one of them.
The standard profile related polugins code is in
pki/base/common/src/com/netscape/cms/profile/. That's for
advanced users who know what they are doing. Make sure the certs
produced still comply.
Chris,
Now that you understand this better, is there a place in the wiki you
think we (or you!) might want to improve?
Thanks,
-Bob
11:57 a.m.
New subject: Modify Certificate Profies - include SubjectAltName
Looking at the 'CAUserCert.cfg' profile (first profile on the WEB Agent
profile-list) it appears it should trigger the inclusion of the
"SubjectAltName" extension. I have not been successful generating any
certicites where the SubjectAltName extension is included!
In the Agents display the SubjectAltName is listed as 'Null' - even after
editing the 'Null' to the desired RFC822 value, the issued certificate
always comes without any SubjectAtltName extension?
What can I do to get the CA to include the SubjectAltName extension? I am
always specifying an email value in the request field!
Ebbe
"This message and any attached documents contain SPYRUS confidential and/or
proprietary information and may be subject to privilege or exempt from
disclosure under applicable law. These materials are intended only for the
use of the intended recipient. If you are not the intended recipient of this
electronic message, you are hereby notified that any use of this message is
strictly prohibited. Delivery of this message to any person other than the
intended recipient shall not constitute any waiver of any privilege. If you
have received this message in error, please delete this message from your
system and notify the sender immediately. Thank you."
_____
From: pki-users-bounces(a)redhat.com [mailto:pki-users-bounces@redhat.com] On
Behalf Of Chris
Sent: Wednesday, April 09, 2008 10:10 PM
To: pki-users(a)redhat.com
Subject: Re: [Pki-users] Modify Certificate Profies
Thanks. That worked.
On Wed, Apr 9, 2008 at 12:10 PM, Christina Fu <cfu(a)redhat.com> wrote:
Profiles can be configured in <Dogtag install root>/profiles/ca. If you add
your own new profiles, you need to modify <Dogtag install root>//conf/CS.cfg
"profile.list" to contain the new profile name, and add the corresponding
"class_id" and "config" (see the existing entries in CS.cfg as
example), and
restart the CA.
In addition, Dogtag provides flexible plugin infrastructure that allows
people to customize various areas. Profile is one of them.
The standard profile related polugins code is in
pki/base/common/src/com/netscape/cms/profile/. That's for advanced users
who know what they are doing. Make sure the certs produced still comply.
hope this helps.
Christina
Chris wrote:
Sorry, hit the send by mistake....
I've succesfully installed Dogtag. The documentation was clear and I didn't
have any issues.
My question is in regards to customizing certificate profiles. In the
current CA environment I manager, I deal with customizing profiles. Is there
a way to create customized certificate profiles?
The fields which apply are:
CertificatePolicies
- Policy Identifier
- User Notice with custom text
ExtendedKeyUsage
- New Key Usage OID
Also, in one profile, we've created a new field that programically ties to
the EKU
On our current CA software, a config file is modified to customize profiles.
Also there is some DER encoding required to convert the appropriate text.
Is this feature available?
------------------------------------------------------------------------
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
12:16 p.m.
New subject: Modify Certificate Profies - include SubjectAltName
If in /var/lib/pki-ca/profiles/ca/caUserCert.cfg
has
policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
and the enrollment request has an e-mail, the subject alt name extension
field should be correctly initialized upon certificate issuance.
You may want to turn on some debug in CS.cfg
debug.enabled=true
debug.level=0
and see your debug log for more details.
M.
It depends how the request hadEbbe Hansen wrote:
Looking at the ‘CAUserCert.cfg’ profile (first profile on the WEB
Agent profile-list) it appears it should trigger the inclusion of the
“SubjectAltName” extension. I have not been successful generating any
certicites where the SubjectAltName extension is included!
In the Agents display the SubjectAltName is listed as ‘Null’ – even
after editing the ‘Null’ to the desired RFC822 value, the issued
certificate always comes without any SubjectAtltName extension?
What can I do to get the CA to include the SubjectAltName extension? I
am always specifying an email value in the request field!
Ebbe
"This message and any attached documents contain SPYRUS confidential
and/or proprietary information and may be subject to privilege or
exempt from disclosure under applicable law. These materials are
intended only for the use of the intended recipient. If you are not
the intended recipient of this electronic message, you are hereby
notified that any use of this message is strictly prohibited. Delivery
of this message to any person other than the intended recipient shall
not constitute any waiver of any privilege. If you have received this
message in error, please delete this message from your system and
notify the sender immediately. Thank you."
------------------------------------------------------------------------
*From:* pki-users-bounces(a)redhat.com
[mailto:pki-users-bounces@redhat.com] *On Behalf Of *Chris
*Sent:* Wednesday, April 09, 2008 10:10 PM
*To:* pki-users(a)redhat.com
*Subject:* Re: [Pki-users] Modify Certificate Profies
Thanks. That worked.
On Wed, Apr 9, 2008 at 12:10 PM, Christina Fu <cfu(a)redhat.com
<mailto:cfu@redhat.com>> wrote:
Profiles can be configured in <Dogtag install root>/profiles/ca. If
you add your own new profiles, you need to modify <Dogtag install
root>//conf/CS.cfg "profile.list" to contain the new profile name, and
add the corresponding "class_id" and "config" (see the existing
entries in CS.cfg as example), and restart the CA.
In addition, Dogtag provides flexible plugin infrastructure that
allows people to customize various areas. Profile is one of them.
The standard profile related polugins code is in
pki/base/common/src/com/netscape/cms/profile/. That's for advanced
users who know what they are doing. Make sure the certs produced still
comply.
hope this helps.
Christina
Chris wrote:
Sorry, hit the send by mistake....
I've succesfully installed Dogtag. The documentation was clear and I
didn't have any issues.
My question is in regards to customizing certificate profiles. In the
current CA environment I manager, I deal with customizing profiles. Is
there a way to create customized certificate profiles?
The fields which apply are:
CertificatePolicies
- Policy Identifier
- User Notice with custom text
ExtendedKeyUsage
- New Key Usage OID
Also, in one profile, we've created a new field that programically
ties to the EKU
On our current CA software, a config file is modified to customize
profiles. Also there is some DER encoding required to convert the
appropriate text.
Is this feature available?
------------------------------------------------------------------------
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com <mailto:Pki-users@redhat.com>
https://www.redhat.com/mailman/listinfo/pki-users
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com <mailto:Pki-users@redhat.com>
https://www.redhat.com/mailman/listinfo/pki-users
------------------------------------------------------------------------
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
3:50 p.m.
New subject: Modify Certificate Profies - include SubjectAltName
I have succeeded adding the SubjectAltName extension - it turns out the
Policy settings in the DogTac CA is set to capture the "Requestor Email"
field while the Subject's Email field is the value that go into the 'E='
part of the DN!
Is this by "intend" or can/should the Profile file(s) be modified to
guarantee the email values in the DN and the SubjectAltName cannot be
different (i.e. abounding a typical user-introduced error).
Ebbe @ SPYRUS
"This message and any attached documents contain SPYRUS confidential
and/or proprietary information and may be subject to privilege or exempt
from disclosure under applicable law. These materials are intended only
for the use of the intended recipient. If you are not the intended
recipient of this electronic message, you are hereby notified that any
use of this message is strictly prohibited. Delivery of this message to
any person other than the intended recipient shall not constitute any
waiver of any privilege. If you have received this message in error,
please delete this message from your system and notify the sender
immediately. Thank you."
-----Original Message-----
From: Marc Sauton [mailto:msauton@redhat.com]
Sent: Wednesday, April 30, 2008 10:17 AM
To: Ebbe Hansen
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] Modify Certificate Profies - include
SubjectAltName
If in /var/lib/pki-ca/profiles/ca/caUserCert.cfg
has
policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requ
estor_email$
policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
and the enrollment request has an e-mail, the subject alt name extension
field should be correctly initialized upon certificate issuance.
You may want to turn on some debug in CS.cfg
debug.enabled=true
debug.level=0
and see your debug log for more details.
M.
It depends how the request hadEbbe Hansen wrote:
Looking at the 'CAUserCert.cfg' profile (first profile on the WEB
Agent profile-list) it appears it should trigger the inclusion of the
"SubjectAltName" extension. I have not been successful generating any
certicites where the SubjectAltName extension is included!
In the Agents display the SubjectAltName is listed as 'Null' - even
after editing the 'Null' to the desired RFC822 value, the issued
certificate always comes without any SubjectAtltName extension?
What can I do to get the CA to include the SubjectAltName extension? I
am always specifying an email value in the request field!
Ebbe
"This message and any attached documents contain SPYRUS confidential
and/or proprietary information and may be subject to privilege or
exempt from disclosure under applicable law. These materials are
intended only for the use of the intended recipient. If you are not
the intended recipient of this electronic message, you are hereby
notified that any use of this message is strictly prohibited. Delivery
of this message to any person other than the intended recipient shall
not constitute any waiver of any privilege. If you have received this
message in error, please delete this message from your system and
notify the sender immediately. Thank you."
------------------------------------------------------------------------
*From:* pki-users-bounces(a)redhat.com
[mailto:pki-users-bounces@redhat.com] *On Behalf Of *Chris
*Sent:* Wednesday, April 09, 2008 10:10 PM
*To:* pki-users(a)redhat.com
*Subject:* Re: [Pki-users] Modify Certificate Profies
Thanks. That worked.
On Wed, Apr 9, 2008 at 12:10 PM, Christina Fu <cfu(a)redhat.com
<mailto:cfu@redhat.com>> wrote:
Profiles can be configured in <Dogtag install root>/profiles/ca. If
you add your own new profiles, you need to modify <Dogtag install
root>//conf/CS.cfg "profile.list" to contain the new profile name, and
add the corresponding "class_id" and "config"
(see the existing
entries in CS.cfg as example), and restart the CA.
In addition, Dogtag provides flexible plugin infrastructure that
allows people to customize various areas. Profile is one of them.
The standard profile related polugins code is in
pki/base/common/src/com/netscape/cms/profile/. That's for advanced
users who know what they are doing. Make sure the certs produced still
comply.
hope this helps.
Christina
Chris wrote:
Sorry, hit the send by mistake....
I've succesfully installed Dogtag. The documentation was clear and I
didn't have any issues.
My question is in regards to customizing certificate profiles. In the
current CA environment I manager, I deal with customizing profiles. Is
there a way to create customized certificate profiles?
The fields which apply are:
CertificatePolicies
- Policy Identifier
- User Notice with custom text
ExtendedKeyUsage
- New Key Usage OID
Also, in one profile, we've created a new field that programically
ties to the EKU
On our current CA software, a config file is modified to customize
profiles. Also there is some DER encoding required to convert the
appropriate text.
Is this feature available?
------------------------------------------------------------------------
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com <mailto:Pki-users@redhat.com>
https://www.redhat.com/mailman/listinfo/pki-users
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com <mailto:Pki-users@redhat.com>
https://www.redhat.com/mailman/listinfo/pki-users
------------------------------------------------------------------------
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
8:25 p.m.
New subject: Modify Certificate Profies - include SubjectAltName
Ebbe Hansen wrote:
I have succeeded adding the SubjectAltName extension - it turns out
the
Policy settings in the DogTac CA is set to capture the "Requestor Email"
field while the Subject's Email field is the value that go into the 'E='
part of the DN!
Is this by "intend" or can/should the Profile file(s) be modified to
guarantee the email values in the DN and the SubjectAltName cannot be
different (i.e. abounding a typical user-introduced error).
The dn can be customized in a profile, e.g.:
policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.userCertSet.1.constraint.name=Subject Name Constraint
policyset.userCertSet.1.constraint.params.pattern=UID=.*
The SubjectAltName extension configuration in a profile has just a
default value for an example which you can tune to your needs in a
profile, e.g.:
policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
Profiles and the web ui can be customized.
Some doc links:
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Gu...
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Gu...
M.
Ebbe @ SPYRUS
"This message and any attached documents contain SPYRUS confidential
and/or proprietary information and may be subject to privilege or exempt
from disclosure under applicable law. These materials are intended only
for the use of the intended recipient. If you are not the intended
recipient of this electronic message, you are hereby notified that any
use of this message is strictly prohibited. Delivery of this message to
any person other than the intended recipient shall not constitute any
waiver of any privilege. If you have received this message in error,
please delete this message from your system and notify the sender
immediately. Thank you."
-----Original Message-----
From: Marc Sauton [mailto:msauton@redhat.com]
Sent: Wednesday, April 30, 2008 10:17 AM
To: Ebbe Hansen
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] Modify Certificate Profies - include
SubjectAltName
If in /var/lib/pki-ca/profiles/ca/caUserCert.cfg
has
policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requ
estor_email$
policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
and the enrollment request has an e-mail, the subject alt name extension
field should be correctly initialized upon certificate issuance.
You may want to turn on some debug in CS.cfg
debug.enabled=true
debug.level=0
and see your debug log for more details.
M.
It depends how the request hadEbbe Hansen wrote:
> Looking at the 'CAUserCert.cfg' profile (first profile on the WEB
> Agent profile-list) it appears it should trigger the inclusion of the
> "SubjectAltName" extension. I have not been successful generating any
> certicites where the SubjectAltName extension is included!
>
> In the Agents display the SubjectAltName is listed as 'Null' - even
> after editing the 'Null' to the desired RFC822 value, the issued
> certificate always comes without any SubjectAtltName extension?
>
> What can I do to get the CA to include the SubjectAltName extension? I
>
> am always specifying an email value in the request field!
>
> Ebbe
>
> "This message and any attached documents contain SPYRUS confidential
> and/or proprietary information and may be subject to privilege or
> exempt from disclosure under applicable law. These materials are
> intended only for the use of the intended recipient. If you are not
> the intended recipient of this electronic message, you are hereby
> notified that any use of this message is strictly prohibited. Delivery
>
> of this message to any person other than the intended recipient shall
> not constitute any waiver of any privilege. If you have received this
> message in error, please delete this message from your system and
> notify the sender immediately. Thank you."
>
>
>
------------------------------------------------------------------------
> *From:* pki-users-bounces(a)redhat.com
> [mailto:pki-users-bounces@redhat.com] *On Behalf Of *Chris
> *Sent:* Wednesday, April 09, 2008 10:10 PM
> *To:* pki-users(a)redhat.com
> *Subject:* Re: [Pki-users] Modify Certificate Profies
>
> Thanks. That worked.
>
> On Wed, Apr 9, 2008 at 12:10 PM, Christina Fu <cfu(a)redhat.com
> <mailto:cfu@redhat.com>> wrote:
>
> Profiles can be configured in <Dogtag install root>/profiles/ca. If
> you add your own new profiles, you need to modify <Dogtag install
> root>//conf/CS.cfg "profile.list" to contain the new profile name, and
>
> add the corresponding "class_id" and "config" (see the existing
> entries in CS.cfg as example), and restart the CA.
>
> In addition, Dogtag provides flexible plugin infrastructure that
> allows people to customize various areas. Profile is one of them.
> The standard profile related polugins code is in
> pki/base/common/src/com/netscape/cms/profile/. That's for advanced
> users who know what they are doing. Make sure the certs produced still
>
> comply.
>
> hope this helps.
> Christina
>
> Chris wrote:
>
>
> Sorry, hit the send by mistake....
>
> I've succesfully installed Dogtag. The documentation was clear and I
> didn't have any issues.
> My question is in regards to customizing certificate profiles. In the
> current CA environment I manager, I deal with customizing profiles. Is
>
> there a way to create customized certificate profiles?
> The fields which apply are:
> CertificatePolicies
> - Policy Identifier
> - User Notice with custom text
> ExtendedKeyUsage
> - New Key Usage OID
> Also, in one profile, we've created a new field that programically
> ties to the EKU
>
> On our current CA software, a config file is modified to customize
> profiles. Also there is some DER encoding required to convert the
> appropriate text.
>
> Is this feature available?
>
>
>
------------------------------------------------------------------------
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com <mailto:Pki-users@redhat.com>
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com <mailto:Pki-users@redhat.com>
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
>
------------------------------------------------------------------------
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
1:23 p.m.
New subject: Modify Certificate Profies - include SubjectAltName
Ebbe Hansen wrote:
I have succeeded adding the SubjectAltName extension - it turns out
the
Policy settings in the DogTac CA is set to capture the "Requestor Email"
field while the Subject's Email field is the value that go into the 'E='
part of the DN!
Is this by "intend" or can/should the Profile file(s) be modified to
guarantee the email values in the DN and the SubjectAltName cannot be
different (i.e. abounding a typical user-introduced error).
Ebbe @ SPYRUS
Hi Ebbe,
I noticed that you have posted a few questions in the profile area and I
intended to answer them one by one.
First of all, our enrollment profile feature is a very flexible system
that allows administrators to configure the enrollment pages and how
certificates are produced and validated to their will (to a certain
extend, of course ;-).
Here is something that's not in the document that'll help you do what
you want with SubjectAltName. There is an "Input" implementation called
"genericInputImpl" that allows the admin to place any number of input
boxes on the enrollment page, add their own parameter names, and take
whatever input from the user and these input will end up in the
"request." What this means is, you can then use $request.<the param
name>$ in things in the profile such as dnpattern, subjAltExtPattern, etc.
Without going into detail on how to configure this, how about take a
look of the DomainController.cfg, look specifically at input.i3 and
notice how it defines "ccm" and later it refers to "$request.ccm$ in
both the dnpattern and subjAltExtPattern. Go to the enrollment page and
look at "Domain Controller" enrollment page and you'll see the
correspondence between what's specified in the profile and what will
automatically show up on the enrollment page (yes, the enrollment page
is automatically configured to your specification in the profile!).
Please let me know if this works for you. If you have trouble figure it
out, feel free to give me a copy of your profile and I can edit it for you.
Christina
"This message and any attached documents contain SPYRUS
confidential
and/or proprietary information and may be subject to privilege or exempt
from disclosure under applicable law. These materials are intended only
for the use of the intended recipient. If you are not the intended
recipient of this electronic message, you are hereby notified that any
use of this message is strictly prohibited. Delivery of this message to
any person other than the intended recipient shall not constitute any
waiver of any privilege. If you have received this message in error,
please delete this message from your system and notify the sender
immediately. Thank you."
-----Original Message-----
From: Marc Sauton [mailto:msauton@redhat.com]
Sent: Wednesday, April 30, 2008 10:17 AM
To: Ebbe Hansen
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] Modify Certificate Profies - include
SubjectAltName
If in /var/lib/pki-ca/profiles/ca/caUserCert.cfg
has
policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requ
estor_email$
policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
and the enrollment request has an e-mail, the subject alt name extension
field should be correctly initialized upon certificate issuance.
You may want to turn on some debug in CS.cfg
debug.enabled=true
debug.level=0
and see your debug log for more details.
M.
It depends how the request hadEbbe Hansen wrote:
> Looking at the 'CAUserCert.cfg' profile (first profile on the WEB
> Agent profile-list) it appears it should trigger the inclusion of the
> "SubjectAltName" extension. I have not been successful generating any
> certicites where the SubjectAltName extension is included!
>
> In the Agents display the SubjectAltName is listed as 'Null' - even
> after editing the 'Null' to the desired RFC822 value, the issued
> certificate always comes without any SubjectAtltName extension?
>
> What can I do to get the CA to include the SubjectAltName extension? I
>
> am always specifying an email value in the request field!
>
> Ebbe
>
> "This message and any attached documents contain SPYRUS confidential
> and/or proprietary information and may be subject to privilege or
> exempt from disclosure under applicable law. These materials are
> intended only for the use of the intended recipient. If you are not
> the intended recipient of this electronic message, you are hereby
> notified that any use of this message is strictly prohibited. Delivery
>
> of this message to any person other than the intended recipient shall
> not constitute any waiver of any privilege. If you have received this
> message in error, please delete this message from your system and
> notify the sender immediately. Thank you."
>
>
>
------------------------------------------------------------------------
> *From:* pki-users-bounces(a)redhat.com
> [mailto:pki-users-bounces@redhat.com] *On Behalf Of *Chris
> *Sent:* Wednesday, April 09, 2008 10:10 PM
> *To:* pki-users(a)redhat.com
> *Subject:* Re: [Pki-users] Modify Certificate Profies
>
> Thanks. That worked.
>
> On Wed, Apr 9, 2008 at 12:10 PM, Christina Fu <cfu(a)redhat.com
> <mailto:cfu@redhat.com>> wrote:
>
> Profiles can be configured in <Dogtag install root>/profiles/ca. If
> you add your own new profiles, you need to modify <Dogtag install
> root>//conf/CS.cfg "profile.list" to contain the new profile name, and
>
> add the corresponding "class_id" and "config" (see the existing
> entries in CS.cfg as example), and restart the CA.
>
> In addition, Dogtag provides flexible plugin infrastructure that
> allows people to customize various areas. Profile is one of them.
> The standard profile related polugins code is in
> pki/base/common/src/com/netscape/cms/profile/. That's for advanced
> users who know what they are doing. Make sure the certs produced still
>
> comply.
>
> hope this helps.
> Christina
>
> Chris wrote:
>
>
> Sorry, hit the send by mistake....
>
> I've succesfully installed Dogtag. The documentation was clear and I
> didn't have any issues.
> My question is in regards to customizing certificate profiles. In the
> current CA environment I manager, I deal with customizing profiles. Is
>
> there a way to create customized certificate profiles?
> The fields which apply are:
> CertificatePolicies
> - Policy Identifier
> - User Notice with custom text
> ExtendedKeyUsage
> - New Key Usage OID
> Also, in one profile, we've created a new field that programically
> ties to the EKU
>
> On our current CA software, a config file is modified to customize
> profiles. Also there is some DER encoding required to convert the
> appropriate text.
>
> Is this feature available?
>
>
>
------------------------------------------------------------------------
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com <mailto:Pki-users@redhat.com>
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com <mailto:Pki-users@redhat.com>
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
>
------------------------------------------------------------------------
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
4:14 p.m.
New subject: Modify Certificate Profies - removing 'Critical' key-usage indication
While attempting to test various Email clients in a windows environment
(including Outlook Express and Outlook), I am having trouble getting the
Email client (Outlook Express) to accept the certificates generated by
the RedHat/DogTag CA. I am using the 'CAUserCert.cfg' profile and I am
adding a SubjectAltName extension as described in my earlier message.
However, I am still not successful getting the Email client to use the
DogTag user certificates for signature purposes.
Is there a documented procedure that describes how to generate user
certificates accepted by the windows-based Outlook Express client?
Comparing the RadHat user certificate with a Microsoft user certificate
reveals that the RedHat CA sets the 'KeyUsage' extension to 'Critical'
-- while the Microsoft CA does not! After modifying the DogTag CA
Profile ('CAUserCert.cfg') to specify a "non critical"
'KeyUsage'
extension, any new request using the modified profile fails - error
message is:
"Sorry, your request has been rejected. The reason is "Request Rejected
- Criticality Not Matched".
Are there multiple places I need to adjust the Profile -- so far I have
only modified the 'CAUserCert.cfg' file in the
'<CA-instance>/profiles/ca' directory.
Ebbe @ SPYRUS
"This message and any attached documents contain SPYRUS confidential
and/or proprietary information and may be subject to privilege or exempt
from disclosure under applicable law. These materials are intended only
for the use of the intended recipient. If you are not the intended
recipient of this electronic message, you are hereby notified that any
use of this message is strictly prohibited. Delivery of this message to
any person other than the intended recipient shall not constitute any
waiver of any privilege. If you have received this message in error,
please delete this message from your system and notify the sender
immediately. Thank you."
-----Original Message-----
From: Marc Sauton [mailto:msauton@redhat.com]
Sent: Wednesday, April 30, 2008 10:17 AM
To: Ebbe Hansen
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] Modify Certificate Profies - include
SubjectAltName
If in /var/lib/pki-ca/profiles/ca/caUserCert.cfg
has
policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requ
estor_email$
policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
and the enrollment request has an e-mail, the subject alt name extension
field should be correctly initialized upon certificate issuance.
You may want to turn on some debug in CS.cfg
debug.enabled=true
debug.level=0
and see your debug log for more details.
M.
It depends how the request hadEbbe Hansen wrote:
Looking at the 'CAUserCert.cfg' profile (first profile on the WEB
Agent profile-list) it appears it should trigger the inclusion of the
"SubjectAltName" extension. I have not been successful generating any
certicites where the SubjectAltName extension is included!
In the Agents display the SubjectAltName is listed as 'Null' - even
after editing the 'Null' to the desired RFC822 value, the issued
certificate always comes without any SubjectAtltName extension?
What can I do to get the CA to include the SubjectAltName extension? I
am always specifying an email value in the request field!
Ebbe
"This message and any attached documents contain SPYRUS confidential
and/or proprietary information and may be subject to privilege or
exempt from disclosure under applicable law. These materials are
intended only for the use of the intended recipient. If you are not
the intended recipient of this electronic message, you are hereby
notified that any use of this message is strictly prohibited. Delivery
of this message to any person other than the intended recipient shall
not constitute any waiver of any privilege. If you have received this
message in error, please delete this message from your system and
notify the sender immediately. Thank you."
------------------------------------------------------------------------
*From:* pki-users-bounces(a)redhat.com
[mailto:pki-users-bounces@redhat.com] *On Behalf Of *Chris
*Sent:* Wednesday, April 09, 2008 10:10 PM
*To:* pki-users(a)redhat.com
*Subject:* Re: [Pki-users] Modify Certificate Profies
Thanks. That worked.
On Wed, Apr 9, 2008 at 12:10 PM, Christina Fu <cfu(a)redhat.com
<mailto:cfu@redhat.com>> wrote:
Profiles can be configured in <Dogtag install root>/profiles/ca. If
you add your own new profiles, you need to modify <Dogtag install
root>//conf/CS.cfg "profile.list" to contain the new profile name, and
add the corresponding "class_id" and "config"
(see the existing
entries in CS.cfg as example), and restart the CA.
In addition, Dogtag provides flexible plugin infrastructure that
allows people to customize various areas. Profile is one of them.
The standard profile related polugins code is in
pki/base/common/src/com/netscape/cms/profile/. That's for advanced
users who know what they are doing. Make sure the certs produced still
comply.
hope this helps.
Christina
Chris wrote:
Sorry, hit the send by mistake....
I've succesfully installed Dogtag. The documentation was clear and I
didn't have any issues.
My question is in regards to customizing certificate profiles. In the
current CA environment I manager, I deal with customizing profiles. Is
there a way to create customized certificate profiles?
The fields which apply are:
CertificatePolicies
- Policy Identifier
- User Notice with custom text
ExtendedKeyUsage
- New Key Usage OID
Also, in one profile, we've created a new field that programically
ties to the EKU
On our current CA software, a config file is modified to customize
profiles. Also there is some DER encoding required to convert the
appropriate text.
Is this feature available?
------------------------------------------------------------------------
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com <mailto:Pki-users@redhat.com>
https://www.redhat.com/mailman/listinfo/pki-users
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com <mailto:Pki-users@redhat.com>
https://www.redhat.com/mailman/listinfo/pki-users
------------------------------------------------------------------------
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
9:56 p.m.
New subject: Modify Certificate Profies - removing 'Critical' key-usage indication
Ebbe Hansen wrote:
While attempting to test various Email clients in a windows
environment
(including Outlook Express and Outlook), I am having trouble getting the
Email client (Outlook Express) to accept the certificates generated by
the RedHat/DogTag CA. I am using the 'CAUserCert.cfg' profile and I am
adding a SubjectAltName extension as described in my earlier message.
However, I am still not successful getting the Email client to use the
DogTag user certificates for signature purposes.
Is there a documented procedure that describes how to generate user
certificates accepted by the windows-based Outlook Express client?
Comparing the RadHat user certificate with a Microsoft user certificate
reveals that the RedHat CA sets the 'KeyUsage' extension to 'Critical'
-- while the Microsoft CA does not! After modifying the DogTag CA
Profile ('CAUserCert.cfg') to specify a "non critical"
'KeyUsage'
extension, any new request using the modified profile fails - error
message is:
"Sorry, your request has been rejected. The reason is "Request Rejected
- Criticality Not Matched".
I can see the error in the agent web ui
Are there multiple places I need to adjust the Profile -- so far I
have
only modified the 'CAUserCert.cfg' file in the
'<CA-instance>/profiles/ca' directory.
This should be the one place.
Ebbe @ SPYRUS
"This message and any attached documents contain SPYRUS confidential
and/or proprietary information and may be subject to privilege or exempt
from disclosure under applicable law. These materials are intended only
for the use of the intended recipient. If you are not the intended
recipient of this electronic message, you are hereby notified that any
use of this message is strictly prohibited. Delivery of this message to
any person other than the intended recipient shall not constitute any
waiver of any privilege. If you have received this message in error,
please delete this message from your system and notify the sender
immediately. Thank you."
-----Original Message-----
From: Marc Sauton [mailto:msauton@redhat.com]
Sent: Wednesday, April 30, 2008 10:17 AM
To: Ebbe Hansen
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] Modify Certificate Profies - include
SubjectAltName
If in /var/lib/pki-ca/profiles/ca/caUserCert.cfg
has
policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requ
estor_email$
policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
and the enrollment request has an e-mail, the subject alt name extension
field should be correctly initialized upon certificate issuance.
You may want to turn on some debug in CS.cfg
debug.enabled=true
debug.level=0
and see your debug log for more details.
M.
It depends how the request hadEbbe Hansen wrote:
> Looking at the 'CAUserCert.cfg' profile (first profile on the WEB
> Agent profile-list) it appears it should trigger the inclusion of the
> "SubjectAltName" extension. I have not been successful generating any
> certicites where the SubjectAltName extension is included!
>
> In the Agents display the SubjectAltName is listed as 'Null' - even
> after editing the 'Null' to the desired RFC822 value, the issued
> certificate always comes without any SubjectAtltName extension?
>
> What can I do to get the CA to include the SubjectAltName extension? I
>
> am always specifying an email value in the request field!
>
> Ebbe
>
> "This message and any attached documents contain SPYRUS confidential
> and/or proprietary information and may be subject to privilege or
> exempt from disclosure under applicable law. These materials are
> intended only for the use of the intended recipient. If you are not
> the intended recipient of this electronic message, you are hereby
> notified that any use of this message is strictly prohibited. Delivery
>
> of this message to any person other than the intended recipient shall
> not constitute any waiver of any privilege. If you have received this
> message in error, please delete this message from your system and
> notify the sender immediately. Thank you."
>
>
>
------------------------------------------------------------------------
> *From:* pki-users-bounces(a)redhat.com
> [mailto:pki-users-bounces@redhat.com] *On Behalf Of *Chris
> *Sent:* Wednesday, April 09, 2008 10:10 PM
> *To:* pki-users(a)redhat.com
> *Subject:* Re: [Pki-users] Modify Certificate Profies
>
> Thanks. That worked.
>
> On Wed, Apr 9, 2008 at 12:10 PM, Christina Fu <cfu(a)redhat.com
> <mailto:cfu@redhat.com>> wrote:
>
> Profiles can be configured in <Dogtag install root>/profiles/ca. If
> you add your own new profiles, you need to modify <Dogtag install
> root>//conf/CS.cfg "profile.list" to contain the new profile name, and
>
> add the corresponding "class_id" and "config" (see the existing
> entries in CS.cfg as example), and restart the CA.
>
> In addition, Dogtag provides flexible plugin infrastructure that
> allows people to customize various areas. Profile is one of them.
> The standard profile related polugins code is in
> pki/base/common/src/com/netscape/cms/profile/. That's for advanced
> users who know what they are doing. Make sure the certs produced still
>
> comply.
>
> hope this helps.
> Christina
>
> Chris wrote:
>
>
> Sorry, hit the send by mistake....
>
> I've succesfully installed Dogtag. The documentation was clear and I
> didn't have any issues.
> My question is in regards to customizing certificate profiles. In the
> current CA environment I manager, I deal with customizing profiles. Is
>
> there a way to create customized certificate profiles?
> The fields which apply are:
> CertificatePolicies
> - Policy Identifier
> - User Notice with custom text
> ExtendedKeyUsage
> - New Key Usage OID
> Also, in one profile, we've created a new field that programically
> ties to the EKU
>
> On our current CA software, a config file is modified to customize
> profiles. Also there is some DER encoding required to convert the
> appropriate text.
>
> Is this feature available?
>
>
>
------------------------------------------------------------------------
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com <mailto:Pki-users@redhat.com>
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com <mailto:Pki-users@redhat.com>
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
>
------------------------------------------------------------------------
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
11:26 a.m.
New subject: Modify Certificate Profies - removing 'Critical' key-usage indication
Pki-users support,
Does your message "I can see the error in the agent web ui" indicate you
were able to replicate the problem?
I still do not know how to generate user certicites without the
"criticality" bit set in the 'KeyUsage' extension?
Ebbe
-----Original Message-----
From: Marc Sauton [mailto:msauton@redhat.com]
Sent: Wednesday, April 30, 2008 7:56 PM
To: Ebbe Hansen
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] Modify Certificate Profies - removing
'Critical' key-usage indication
Ebbe Hansen wrote:
While attempting to test various Email clients in a windows
environment
(including Outlook Express and Outlook), I am having trouble getting
the
Email client (Outlook Express) to accept the certificates generated
by
the RedHat/DogTag CA. I am using the 'CAUserCert.cfg' profile and I am
adding a SubjectAltName extension as described in my earlier message.
However, I am still not successful getting the Email client to use the
DogTag user certificates for signature purposes.
Is there a documented procedure that describes how to generate user
certificates accepted by the windows-based Outlook Express client?
Comparing the RadHat user certificate with a Microsoft user
certificate
reveals that the RedHat CA sets the 'KeyUsage' extension to
'Critical'
-- while the Microsoft CA does not! After modifying the DogTag CA
Profile ('CAUserCert.cfg') to specify a "non critical"
'KeyUsage'
extension, any new request using the modified profile fails - error
message is:
"Sorry, your request has been rejected. The reason is "Request
Rejected
- Criticality Not Matched".
I can see the error in the agent web ui
Are there multiple places I need to adjust the Profile -- so far I
have
only modified the 'CAUserCert.cfg' file in the
'<CA-instance>/profiles/ca' directory.
This should be the one place.
Ebbe @ SPYRUS
"This message and any attached documents contain SPYRUS confidential
and/or proprietary information and may be subject to privilege or
exempt
from disclosure under applicable law. These materials are intended
only
for the use of the intended recipient. If you are not the intended
recipient of this electronic message, you are hereby notified that any
use of this message is strictly prohibited. Delivery of this message
to
any person other than the intended recipient shall not constitute
any
waiver of any privilege. If you have received this message in error,
please delete this message from your system and notify the sender
immediately. Thank you."
-----Original Message-----
From: Marc Sauton [mailto:msauton@redhat.com]
Sent: Wednesday, April 30, 2008 10:17 AM
To: Ebbe Hansen
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] Modify Certificate Profies - include
SubjectAltName
If in /var/lib/pki-ca/profiles/ca/caUserCert.cfg
has
policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requ
estor_email$
policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
and the enrollment request has an e-mail, the subject alt name
extension
field should be correctly initialized upon certificate issuance.
You may want to turn on some debug in CS.cfg
debug.enabled=true
debug.level=0
and see your debug log for more details.
M.
It depends how the request hadEbbe Hansen wrote:
> Looking at the 'CAUserCert.cfg' profile (first profile on the WEB
> Agent profile-list) it appears it should trigger the inclusion of the
> "SubjectAltName" extension. I have not been successful
generating any
> certicites where the SubjectAltName extension is included!
>
> In the Agents display the SubjectAltName is listed as 'Null' - even
> after editing the 'Null' to the desired RFC822 value, the issued
> certificate always comes without any SubjectAtltName extension?
>
> What can I do to get the CA to include the SubjectAltName extension?
I
>
> am always specifying an email value in the request field!
>
> Ebbe
>
> "This message and any attached documents contain SPYRUS confidential
> and/or proprietary information and may be subject to privilege or
> exempt from disclosure under applicable law. These materials are
> intended only for the use of the intended recipient. If you are not
> the intended recipient of this electronic message, you are hereby
> notified that any use of this message is strictly prohibited.
Delivery
>
> of this message to any person other than the intended recipient shall
> not constitute any waiver of any privilege. If you have received
this
> message in error, please delete this message from your system and
> notify the sender immediately. Thank you."
>
>
>
------------------------------------------------------------------------
> *From:* pki-users-bounces(a)redhat.com
> [mailto:pki-users-bounces@redhat.com] *On Behalf Of *Chris
> *Sent:* Wednesday, April 09, 2008 10:10 PM
> *To:* pki-users(a)redhat.com
> *Subject:* Re: [Pki-users] Modify Certificate Profies
>
> Thanks. That worked.
>
> On Wed, Apr 9, 2008 at 12:10 PM, Christina Fu <cfu(a)redhat.com
> <mailto:cfu@redhat.com>> wrote:
>
> Profiles can be configured in <Dogtag install root>/profiles/ca. If
> you add your own new profiles, you need to modify <Dogtag install
> root>//conf/CS.cfg "profile.list" to contain the new profile name,
and
>
> add the corresponding "class_id" and "config" (see the existing
> entries in CS.cfg as example), and restart the CA.
>
> In addition, Dogtag provides flexible plugin infrastructure that
> allows people to customize various areas. Profile is one of them.
> The standard profile related polugins code is in
> pki/base/common/src/com/netscape/cms/profile/. That's for advanced
> users who know what they are doing. Make sure the certs produced
still
>
> comply.
>
> hope this helps.
> Christina
>
> Chris wrote:
>
>
> Sorry, hit the send by mistake....
>
> I've succesfully installed Dogtag. The documentation was clear and I
> didn't have any issues.
> My question is in regards to customizing certificate profiles. In the
> current CA environment I manager, I deal with customizing
profiles.
Is
>
> there a way to create customized certificate profiles?
> The fields which apply are:
> CertificatePolicies
> - Policy Identifier
> - User Notice with custom text
> ExtendedKeyUsage
> - New Key Usage OID
> Also, in one profile, we've created a new field that programically
> ties to the EKU
>
> On our current CA software, a config file is modified to customize
> profiles. Also there is some DER encoding required to convert the
> appropriate text.
>
> Is this feature available?
>
>
>
------------------------------------------------------------------------
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com <mailto:Pki-users@redhat.com>
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com <mailto:Pki-users@redhat.com>
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
>
------------------------------------------------------------------------
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
1:59 p.m.
New subject: Modify Certificate Profies - removing 'Critical' key-usage indication
Hi Ebbe,
Two major lists of items in an enrollment profile are the "default" and
"constraint." They correspond to each other and are tied in by the same
set name and id.
e.g.
policyset.userCertSet.6.default.params.keyUsageCritical=true
for default, would have a corresponding constraint:
policyset.userCertSet.6.constraint.params.keyUsageCritical=true
What the above example shows is, by default, the keyUsageCritical is
true, and when it is run through the constraint for validation, it
expects it to be true.
If you want it to be "false," then you'll need to change the constraint
value to be "false."
Here is the doc that describes the default fields for Key Usage Extension:
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Gu...
Here is the doc that describes the constraint fields for Key Usage
Extension:
If you don't care about the values (no validation), then you need to
specifically set no constraint:
e.g.
policyset.userCertSet.7.constraint.class_id=noConstraintImpl
policyset.userCertSet.7.constraint.name=No Constraint
...
Hope this helps.
Christina
Ebbe Hansen wrote:
While attempting to test various Email clients in a windows
environment
(including Outlook Express and Outlook), I am having trouble getting the
Email client (Outlook Express) to accept the certificates generated by
the RedHat/DogTag CA. I am using the 'CAUserCert.cfg' profile and I am
adding a SubjectAltName extension as described in my earlier message.
However, I am still not successful getting the Email client to use the
DogTag user certificates for signature purposes.
Is there a documented procedure that describes how to generate user
certificates accepted by the windows-based Outlook Express client?
Comparing the RadHat user certificate with a Microsoft user certificate
reveals that the RedHat CA sets the 'KeyUsage' extension to 'Critical'
-- while the Microsoft CA does not! After modifying the DogTag CA
Profile ('CAUserCert.cfg') to specify a "non critical"
'KeyUsage'
extension, any new request using the modified profile fails - error
message is:
"Sorry, your request has been rejected. The reason is "Request Rejected
- Criticality Not Matched".
Are there multiple places I need to adjust the Profile -- so far I have
only modified the 'CAUserCert.cfg' file in the
'<CA-instance>/profiles/ca' directory.
Ebbe @ SPYRUS
"This message and any attached documents contain SPYRUS confidential
and/or proprietary information and may be subject to privilege or exempt
from disclosure under applicable law. These materials are intended only
for the use of the intended recipient. If you are not the intended
recipient of this electronic message, you are hereby notified that any
use of this message is strictly prohibited. Delivery of this message to
any person other than the intended recipient shall not constitute any
waiver of any privilege. If you have received this message in error,
please delete this message from your system and notify the sender
immediately. Thank you."
-----Original Message-----
From: Marc Sauton [mailto:msauton@redhat.com]
Sent: Wednesday, April 30, 2008 10:17 AM
To: Ebbe Hansen
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] Modify Certificate Profies - include
SubjectAltName
If in /var/lib/pki-ca/profiles/ca/caUserCert.cfg
has
policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requ
estor_email$
policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
and the enrollment request has an e-mail, the subject alt name extension
field should be correctly initialized upon certificate issuance.
You may want to turn on some debug in CS.cfg
debug.enabled=true
debug.level=0
and see your debug log for more details.
M.
It depends how the request hadEbbe Hansen wrote:
> Looking at the 'CAUserCert.cfg' profile (first profile on the WEB
> Agent profile-list) it appears it should trigger the inclusion of the
> "SubjectAltName" extension. I have not been successful generating any
> certicites where the SubjectAltName extension is included!
>
> In the Agents display the SubjectAltName is listed as 'Null' - even
> after editing the 'Null' to the desired RFC822 value, the issued
> certificate always comes without any SubjectAtltName extension?
>
> What can I do to get the CA to include the SubjectAltName extension? I
>
> am always specifying an email value in the request field!
>
> Ebbe
>
> "This message and any attached documents contain SPYRUS confidential
> and/or proprietary information and may be subject to privilege or
> exempt from disclosure under applicable law. These materials are
> intended only for the use of the intended recipient. If you are not
> the intended recipient of this electronic message, you are hereby
> notified that any use of this message is strictly prohibited. Delivery
>
> of this message to any person other than the intended recipient shall
> not constitute any waiver of any privilege. If you have received this
> message in error, please delete this message from your system and
> notify the sender immediately. Thank you."
>
>
>
------------------------------------------------------------------------
> *From:* pki-users-bounces(a)redhat.com
> [mailto:pki-users-bounces@redhat.com] *On Behalf Of *Chris
> *Sent:* Wednesday, April 09, 2008 10:10 PM
> *To:* pki-users(a)redhat.com
> *Subject:* Re: [Pki-users] Modify Certificate Profies
>
> Thanks. That worked.
>
> On Wed, Apr 9, 2008 at 12:10 PM, Christina Fu <cfu(a)redhat.com
> <mailto:cfu@redhat.com>> wrote:
>
> Profiles can be configured in <Dogtag install root>/profiles/ca. If
> you add your own new profiles, you need to modify <Dogtag install
> root>//conf/CS.cfg "profile.list" to contain the new profile name, and
>
> add the corresponding "class_id" and "config" (see the existing
> entries in CS.cfg as example), and restart the CA.
>
> In addition, Dogtag provides flexible plugin infrastructure that
> allows people to customize various areas. Profile is one of them.
> The standard profile related polugins code is in
> pki/base/common/src/com/netscape/cms/profile/. That's for advanced
> users who know what they are doing. Make sure the certs produced still
>
> comply.
>
> hope this helps.
> Christina
>
> Chris wrote:
>
>
> Sorry, hit the send by mistake....
>
> I've succesfully installed Dogtag. The documentation was clear and I
> didn't have any issues.
> My question is in regards to customizing certificate profiles. In the
> current CA environment I manager, I deal with customizing profiles. Is
>
> there a way to create customized certificate profiles?
> The fields which apply are:
> CertificatePolicies
> - Policy Identifier
> - User Notice with custom text
> ExtendedKeyUsage
> - New Key Usage OID
> Also, in one profile, we've created a new field that programically
> ties to the EKU
>
> On our current CA software, a config file is modified to customize
> profiles. Also there is some DER encoding required to convert the
> appropriate text.
>
> Is this feature available?
>
>
>
------------------------------------------------------------------------
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com <mailto:Pki-users@redhat.com>
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com <mailto:Pki-users@redhat.com>
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
>
------------------------------------------------------------------------
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
6087
days inactive
6109
days old
12 comments
5 participants
participants (5)
-
Bob Lord -
Chris -
Christina Fu -
Ebbe Hansen -
Marc Sauton