Thanks. The problem is that I have to specify multiple entries, and this is
when things go weird.
policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
policyset.serverCertSet.5.constraint.name=No Constraint
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.5.default.name=AIA Extension Default
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_1=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_1=URI
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_1=http://server1/cert1.crt
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_1=1.3.6.1.5.5.7.48.2
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_2=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_2=URI
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_2=http://server2/cert2.crt
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_2=1.3.6.1.5.5.7.48.2
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_3=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_3=URI
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_3=ldap:///CN=someconnectionstring
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_3=1.3.6.1.5.5.7.48.2
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=4
What happens in Dogtag is that the first field is filled out with values,
but there are empty records following, like so:
Record #0
Method:1.3.6.1.5.5.7.48.1
Location Type:URIName
Location:http://dogtaginstance:8080/ca/ocsp
Enable:true
Record #1
Method:
Location Type:
Location:
Enable:false
Record #2
Method:
Location Type:
Location:
Enable:false
Record #3
Method:
Location Type:
Location:
Enable:false
And I have to fill them out manually. Then the fields get passed to the
certificate. What could possibly be wrong here?
2016-01-14 19:36 GMT+01:00 John Magne <jmagne(a)redhat.com>:
Here is an example in the file we ship, DomainController.cfg.
There are others in the directory /var/lib/pki/pki-tomcat/ca/profiles/ca
if you need more:
policyset.set1.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.set1.5.default.name=AIA Extension Default
policyset.set1.5.default.params.authInfoAccessADEnable_0=true
policyset.set1.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.set1.5.default.params.authInfoAccessADLocation_0=http://localhost.localdomain:9180/ca/ee/ca/getCRL?crlIssuingPoint=MasterC...
policyset.set1.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.2
policyset.set1.5.default.params.authInfoAccessCritical=false
policyset.set1.5.default.params.authInfoAccessNumADs=1
----- Original Message -----
> From: "marcin kowalski" <yoshi314(a)gmail.com>
> To: pki-users(a)redhat.com
> Sent: Thursday, January 14, 2016 5:00:56 AM
> Subject: [Pki-users] [dogtag] CA Issuers fields in authinfoaccess extension - how?
>
> Hi all; I am running a subordinate CA Dogtag instance, and I would like to
> copy AuthInfoExtension fields from the master CA cert into final
> certificates signed in Dogtag.
>
> I am struggling to add a few caIssuers fields to authInfoExtension fields in
> issued certificates.
>
> The fields in question are to be like so (from openssl output of the master
> CA certificate):
>
> CA Issuers - URI:http://server/name.crt
> CA Issuers - URI:http://backupserver/name.crt
>
>
> Are there any examples out there so that I can figure this out?
>
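Added example, not written by anyone in this thread and not part of Dogtag: a small consistency check for the `authInfoAccess*` parameters of a profile like the ones quoted above. It reports values wrapped onto their own line, duplicate keys, records missing a field, and a `NumADs` that does not match the record indices. The function name `lint_aia`, the placeholder hosts in the sample, and the default `allowed_types` (URIName, the only location type the shipped profile quoted in the thread uses) are assumptions of this example, not a statement of what Dogtag accepts.

```python
import re

FIELDS = ("ADEnable", "ADLocationType", "ADLocation", "ADMethod")
PARAM_RE = re.compile(r"\.default\.params\.authInfoAccess([A-Za-z]+)(?:_(\d+))?$")
KEY_RE = re.compile(r"^[A-Za-z0-9_.]+$")
P = "policyset.serverCertSet.5.default.params.authInfoAccess"
# Constructed sample (hosts are placeholders), shaped like the profile in the thread.
SAMPLE = f"""\
{P}ADEnable_0=true
{P}ADLocationType_0=URIName
{P}ADLocation_0=http://ca.example.test/ca.crt
{P}ADMethod_0=1.3.6.1.5.5.7.48.2
{P}Critical=false
{P}ADEnable_1=true
{P}ADLocationType_1=URI
{P}ADLocation_1=
http://backup.example.test/ca.crt
{P}Critical=false
{P}NumADs=3
"""


def lint_aia(text, allowed_types=("URIName",)):
    """List problems in the AIA params; allowed_types is this example's assumption."""
    findings, seen, records, num_ads = [], set(), {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not KEY_RE.match(key):
            findings.append(f"line {lineno}: not key=value, likely a value wrapped onto its own line")
            continue
        if key in seen:
            findings.append(f"line {lineno}: duplicate key {key}")
        seen.add(key)
        m = PARAM_RE.search(key)
        if m and m.group(1) == "NumADs":
            num_ads = int(value)
        elif m and m.group(2) is not None:
            records.setdefault(int(m.group(2)), {})[m.group(1)] = value
    for idx, rec in sorted(records.items()):
        findings += [f"record {idx}: missing {f}" for f in FIELDS if f not in rec]
        loc_type = rec.get("ADLocationType")
        if loc_type is not None and loc_type not in allowed_types:
            findings.append(f"record {idx}: location type {loc_type!r} not in {allowed_types}")
    if num_ads is None or sorted(records) != list(range(num_ads)):
        findings.append(f"NumADs={num_ads} but record indices are {sorted(records)}")
    return findings
```

Calling `lint_aia(SAMPLE)` returns five findings for the constructed sample; pass a wider `allowed_types` tuple if your deployment uses other location types.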