<div dir="ltr"><div>Hi Nadeera,</div><div><br></div><div>Please find my reply inline<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, May 29, 2020 at 5:28 AM Nadeera Galagedara <<a href="mailto:nadeeragalagedara@yahoo.com">nadeeragalagedara@yahoo.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><div style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"></div>
<div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px">Dear <span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif">Dinesh,</span></span></div><div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif"><br></span></span></div><div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif">I tried the method and still have the problem. I will tell you what i did and can you tell me where did I do wrong.</span></span></div><div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif"><br></span></span></div><div><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif">My root CA has "<span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><i>Maximum number of intermediate CAs: unlimited</i>" and now I am installing the issuing ca (what I use for to issue certificates for clients). For the issuing <i>CA </i><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><i>Maximum number of intermediate</i> CAs want to be <i>Zero</i>.</span></span></span></span></span></span> <br></div></div></div></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif"><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><br></span></span></span></span></span></span></div><div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif"><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px">I basically follow <span><a href="https://www.dogtagpki.org/wiki/PKI_10.5_Installing_CA_with_External_CA_Signing_Certificate" rel="nofollow" target="_blank">https://www.dogtagpki.org/wiki/PKI_10.5_Installing_CA_with_External_CA_Signing_Certificate</a> steps (send the CSR to root CA and get back the signed certificate) and added </span></span></span></span></span></span></span></div><div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif"><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><span><br></span></span></span></span></span></span></span></div><div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif"><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><div><pre style="font-family:Consolas,Monaco,Andale Mono,monospace;margin-top:0px;margin-bottom:1.8em;line-height:1.42857;color:rgb(240,240,240);background:rgb(37,37,37) none repeat scroll 0% 0%;border:1px solid rgb(26,26,26);border-radius:0px;white-space:pre-wrap"><a href="http://policyset.caCertSet.5.default.name" target="_blank">policyset.caCertSet.5.default.name</a>=Basic Constraints Extension Default
policyset.caCertSet.5.default.params.basicConstraintsCritical=true
policyset.caCertSet.5.default.params.basicConstraintsIsCA=true
policyset.caCertSet.5.default.params.basicConstraintsPathLen=0</pre></div></span></span></span></span></span></span></div><div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif">lines to both step 1 and step 2 config files and installed the Issuing CA.</span></span></div></div></div></blockquote><div>The above lines need to be added to profiles, not to .cfg for pkispawn. My colleague, Fraser, wrote an awesome blog post [1] explaining how Dogtag profiles work. Though the post was written in 2014 this should give you a good understanding of how to configure profiles.</div><div><br></div><div>But, in your case, I believe you need to craft the CSR with this constraint. So, you need to use the `openssl` or `certutil` tools to specify the <b>basic Constraint</b>.</div><div><br></div><div>For example, using openssl: <br><pre><code>openssl req \
-addext basicConstraints=critical,CA:TRUE,pathlen:1 \<br></code></pre><pre><code> ...<br></code></pre></div><div><br></div><div>You can also refer how to create CSR in our wiki [2] </div><div><br></div><div>[1] <a href="https://frasertweedale.github.io/blog-redhat/posts/2014-05-14-dogtag-profile-definitions.html">https://frasertweedale.github.io/blog-redhat/posts/2014-05-14-dogtag-profile-definitions.html</a></div><div>[2] <a href="https://www.dogtagpki.org/wiki/Generating_CA_Signing_CSR_with_OpenSSL">https://www.dogtagpki.org/wiki/Generating_CA_Signing_CSR_with_OpenSSL</a></div><div> </div><div>HTH. Good luck!<br></div><div><br></div><div>Regards,</div><div>--Dinesh</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif"><br></span></span></div><div dir="ltr"><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif">Then I went to the<i> </i>Issuing CA's <i> "SSL End Users Services" </i>-> "<i>Manual User Dual-Use Certificate </i></span></span><i>Enrollment"</i> and created a certificate. Then I wend to <i>Agent Services</i> and approve that request.</div><div dir="ltr"><br></div><div dir="ltr">I imported that certificate to browser. But still it shows my issuing CA <span><i style="color:rgb(0,0,0);font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px">Maximum number of intermediate CAs: unlimited. </i></span></div><div dir="ltr"><span><i style="color:rgb(0,0,0);font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><br></i></span></div><div dir="ltr">Can you tell me what did I do wrong.</div><div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif"><br></span></span></div><div style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><br></div>
</div><div id="gmail-m_-1365923146698595095yahoo_quoted_1670586124">
<div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:13px;color:rgb(38,40,42)">
<div>
On Friday, May 22, 2020, 11:27:29 PM GMT+5:30, Dinesh Prasanth Moluguwan Krishnamoorthy <<a href="mailto:dmoluguw@redhat.com" target="_blank">dmoluguw@redhat.com</a>> wrote:
</div>
<div><br></div>
<div><br></div>
<div><div id="gmail-m_-1365923146698595095yiv7742330955"><div><div dir="ltr"><div dir="ltr"><div>Nadeera,</div><div><br clear="none"></div><div>(CC'ing pki-devel)</div><div><br clear="none"></div><div>Setting the number of intermediate CAs can be achieved by using "Basic Constraints Extension" [1] and setting the PathLen= to the required value.</div><div><br clear="none"></div><div>You need to set this extension on a CA profile and then issue a CA signing cert. You can't modify this value on an already issued CA cert. Read more on how to add this constraint to a profile here [2]<br clear="none"></div><div><br clear="none"></div><div>[1] <a rel="nofollow" shape="rect" href="https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html-single/administration_guide_common_criteria_edition/index#Basic_Constraints_Extension_Default" target="_blank">https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html-single/administration_guide_common_criteria_edition/index#Basic_Constraints_Extension_Default</a></div><div>[2] <a rel="nofollow" shape="rect" href="https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html-single/administration_guide_common_criteria_edition/index#about-extensions" target="_blank">https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html-single/administration_guide_common_criteria_edition/index#about-extensions</a></div><div><br clear="none"></div><div>Regards,</div><div>--Dinesh<br clear="none"></div></div><br clear="none"><div id="gmail-m_-1365923146698595095yiv7742330955yqt54981"><div><div dir="ltr">On Fri, May 22, 2020 at 8:57 AM Nadeera Galagedara <<a rel="nofollow" shape="rect" href="mailto:nadeeragalagedara@yahoo.com" target="_blank">nadeeragalagedara@yahoo.com</a>> wrote:<br clear="none"></div><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><div></div>
<div dir="ltr"> <div><div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px">Dear Dinesh,</div><div><br clear="none"></div></div>I want another help from you. How can I change the "<span>Maximum number of intermediate CAs: unlimited" value.</span></div>
</div><div id="gmail-m_-1365923146698595095yiv7742330955gmail-m_-8245546841587472426yahoo_quoted_0244021294">
<div style="font-family:Helvetica,Arial,sans-serif;font-size:13px;color:rgb(38,40,42)">
<div>
On Friday, May 22, 2020, 10:57:45 AM GMT+5:30, Nadeera Galagedara <<a rel="nofollow" shape="rect" href="mailto:nadeeragalagedara@yahoo.com" target="_blank">nadeeragalagedara@yahoo.com</a>> wrote:
</div>
<div><br clear="none"></div>
<div><br clear="none"></div>
<div><div id="gmail-m_-1365923146698595095yiv7742330955gmail-m_-8245546841587472426yiv2687879412"><div><div style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><div style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"></div>
<div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px">Dear <span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif">Dinesh,</span></span></div><div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif"><br clear="none"></span></span></div><div dir="ltr">That is a great explanation. That problem that problem is also solved. Again thank you.</div><div style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><br clear="none"></div>
</div><div id="gmail-m_-1365923146698595095yiv7742330955gmail-m_-8245546841587472426yiv2687879412yqt49147"><div id="gmail-m_-1365923146698595095yiv7742330955gmail-m_-8245546841587472426yiv2687879412yahoo_quoted_1087637813">
<div style="font-family:Helvetica,Arial,sans-serif;font-size:13px;color:rgb(38,40,42)">
<div>
On Wednesday, May 20, 2020, 08:27:56 PM GMT+5:30, Dinesh Prasanth Moluguwan Krishnamoorthy <<a rel="nofollow" shape="rect" href="mailto:dmoluguw@redhat.com" target="_blank">dmoluguw@redhat.com</a>> wrote:
</div>
<div><br clear="none"></div>
<div><br clear="none"></div>
<div><div id="gmail-m_-1365923146698595095yiv7742330955gmail-m_-8245546841587472426yiv2687879412"><div><div dir="ltr"><div>Hi Nadeera,</div><div><br clear="none"></div><div>I'm glad I could resolve your issues.</div><div><br clear="none"></div><div>As for the friendly/nickname, these names are customizable based on the system you use and are not specified during the certificate issuance.</div><div><br clear="none"></div><div>For instance, when you specified "<span><i>pki_ca_signing_nickname=<span><i>mycompany_nickname"</i></span></i><span> this nickname was used to import the CA system certificate in your PKI server's </span>NSSDB. You can view this by doing `certutil -L -d /etc/pki/pki-tomcat/alias` and you should see the <i>mycompany_nickname</i> listed.</span></div><div><br clear="none"></div><div>I have very limited knowledge of handling certificates in windows. From Googling around: you can try to <i>right-click on the certificate -> Properties -> "general" tab -> Set "Friendly Name"</i>. <br clear="none"></div><div><br clear="none"></div><div>HTH</div><div><br clear="none"></div><div>Regards,</div><div>--Dinesh<br clear="none"></div><div><span><i></i></span></div></div><br clear="none"><div id="gmail-m_-1365923146698595095yiv7742330955gmail-m_-8245546841587472426yiv2687879412yqt59416"><div><div dir="ltr">On Wed, May 20, 2020 at 3:28 AM Nadeera Galagedara <<a rel="nofollow" shape="rect" href="mailto:nadeeragalagedara@yahoo.com" target="_blank">nadeeragalagedara@yahoo.com</a>> wrote:<br clear="none"></div><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><div style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"></div>
<div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px">Dear <span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif">Dinesh,</span></span></div><div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif"><br clear="none"></span></span></div><div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif">Thank you for your support and it is been very helpful. I am using Centos 7 and the version came with it is 10.5. I am using that version. I think I have corrected the country (with c=LK). But I still have a problem with the nickname. </span></span></div><div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif"><br clear="none"></span></span></div><div dir="ltr">I used the <i style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px">pki_ca_signing_nickname=mycompany_nickname</i> line but still the friendly name show on windows PC (I have imported the issued certificate to a windows PC) format like <Common Name>'s <Organisation> ID. My requirement is to show the the Friendly Name (shows as in Windows PC) as "<span><i style="color:rgb(0,0,0);font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px">mycompany_nickname</i><span style="color:rgb(0,0,0);font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"> " </span></span>I have attached a screenshot also. Please tell me what did I do wrong.</div><div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif"><span><br clear="none"></span></span></span></div><div dir="ltr"><br clear="none"></div><div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><div><div><div><div><img src="cid:ii_kax8ha5y4" alt="image.jpeg" width="565" height="44"><br><br></div><br><br></div><br><br></div><br><br></div><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif"><span><br clear="none"><br clear="none"></span></span></span></div><div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><span></span><div><div dir="ltr" style="color:rgb(0,0,0);font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><br clear="none"></div><div dir="ltr" style="color:rgb(0,0,0);font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px">The full config is mentioned below</div><div><br clear="none"></div></div><div><br clear="none"></div></div><div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><span></span><div><div dir="ltr"><b>Step 1</b></div><div><br clear="none"></div><div><i>[CA]</i></div><div><i>pki_admin_email=<a rel="nofollow" shape="rect" href="mailto:mycompany@abc.lk" target="_blank">mycompany@abc.lk</a></i></div><div><i>pki_admin_name=caadmin</i></div><div><i>pki_admin_nickname=caadmin</i></div><div><i>pki_admin_password=Secret.123</i></div><div><i>pki_admin_uid=caadmin</i></div><div><i><br clear="none"></i></div><div><i>pki_client_database_password=Secret.123</i></div><div><i>pki_client_database_purge=False</i></div><div><i>pki_client_pkcs12_password=Secret.123</i></div><div><i><br clear="none"></i></div><div><i>pki_ds_base_dn=dc=issueca,dc=mycompany,dc=lk</i></div><div><i>pki_ds_database=ca2</i></div><div><i>pki_ds_password=Secret.123</i></div><div><i><br clear="none"></i></div><div><i>pki_security_domain_name=mycompany_domain</i></div><div><i>pki_token_password=Secret.123</i></div><div><i><br clear="none"></i></div><div><i>pki_external=True</i></div><div><i>pki_external_step_two=False</i></div><div><i><br clear="none"></i></div><div><i>pki_ca_signing_subject_dn=cn=mycompany_cn,ou=mycompany_ou,o=mycompany_o,c=LK</i></div><div><i>pki_ca_signing_csr_path=ca_signing.csr</i></div><div><i><br clear="none"></i></div><div><i>pki_ca_signing_nickname=mycompany_nickname</i></div><div><br clear="none"></div><div><i>pki_default_ocsp_uri=<a rel="nofollow" shape="rect" href="http://ocsp.mycompany.lk" target="_blank">http://ocsp.mycompany.lk</a></i></div><div><br clear="none"></div><div><br clear="none"></div><div><br clear="none"></div><div dir="ltr"><b>Step 2</b></div><div><br clear="none"></div><div><i>[CA]</i></div><div><i>pki_admin_email=<a rel="nofollow" shape="rect" href="mailto:mycompany@abc.lk" target="_blank">mycompany@abc.lk</a></i></div><div><i>pki_admin_name=caadmin</i></div><div><i>pki_admin_nickname=caadmin</i></div><div><i>pki_admin_password=Secret.123</i></div><div><i>pki_admin_uid=caadmin</i></div><div><i><br clear="none"></i></div><div><i>pki_client_database_password=Secret.123</i></div><div><i>pki_client_database_purge=False</i></div><div><i>pki_client_pkcs12_password=Secret.123</i></div><div><i><br clear="none"></i></div><div><i>pki_ds_base_dn=dc=issueca,dc=mycompany,dc=lk</i></div><div><i>pki_ds_database=ca2</i></div><div><i>pki_ds_password=Secret.123</i></div><div><i><br clear="none"></i></div><div><i>pki_security_domain_name=mycompany_domain</i></div><div><i>pki_token_password=Secret.123</i></div><div><i><br clear="none"></i></div><div><i>pki_external=True</i></div><div><i>pki_external_step_two=True</i></div><div><i><br clear="none"></i></div><div><i>pki_ca_signing_csr_path=ca_signing.csr</i></div><div><i>pki_ca_signing_cert_path=ca_signing.crt</i></div><div><i><br clear="none"></i></div><div><i>pki_ca_signing_nickname=mycompany_nickname</i></div><div><i><br clear="none"></i></div><div><i>pki_default_ocsp_uri=<a rel="nofollow" shape="rect" href="http://ocsp.mycompany.lk" target="_blank">http://ocsp.mycompany.lk</a></i></div><div><br clear="none"></div></div><div><br clear="none"></div><div><br clear="none"></div><div><br clear="none"></div><div dir="ltr">Thank you and best regards,</div><div dir="ltr">Nadeera.</div><div dir="ltr"><br clear="none"></div></div><div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif"><br clear="none"></span></span></div><div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif"><br clear="none"></span></span></div><div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><span><span style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif"><br clear="none"></span></span></div><div style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><br clear="none"></div>
</div><div id="gmail-m_-1365923146698595095yiv7742330955gmail-m_-8245546841587472426yiv2687879412gmail-m_6485029878252713423ydp2cd1c1c2yahoo_quoted_0399287569">
<div style="font-family:Helvetica,Arial,sans-serif;font-size:13px;color:rgb(38,40,42)">
<div>
On Wednesday, May 20, 2020, 03:29:15 AM GMT+5:30, Dinesh Prasanth Moluguwan Krishnamoorthy <<a rel="nofollow" shape="rect" href="mailto:dmoluguw@redhat.com" target="_blank">dmoluguw@redhat.com</a>> wrote:
</div>
<div><br clear="none"></div>
<div><br clear="none"></div>
<div><div id="gmail-m_-1365923146698595095yiv7742330955gmail-m_-8245546841587472426yiv2687879412gmail-m_6485029878252713423ydp2cd1c1c2yiv8853450738"><div><div dir="ltr"><div dir="ltr"><div>Hi Nadeera,</div><div><br clear="none"></div><div>What version of dogtag PKI are you trying to install? You are referring to PKI 10.5 docs. The latest release is 10.8.3<br clear="none"></div><div><br clear="none"></div><div>If you are using the latest packages, our docs are available in our upstream repo: <a rel="nofollow" shape="rect" href="https://github.com/dogtagpki/pki/tree/v10.8/docs" target="_blank">https://github.com/dogtagpki/pki/tree/v10.8/docs</a></div><div><br clear="none"></div><div>(see inline reply)<br clear="none"></div></div><br clear="none"><div><div dir="ltr">On Tue, May 19, 2020 at 9:22 AM Nadeera Galagedara <<a rel="nofollow" shape="rect" href="mailto:nadeeragalagedara@yahoo.com" target="_blank">nadeeragalagedara@yahoo.com</a>> wrote:<br clear="none"></div><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><div dir="ltr">Dear all,</div><div dir="ltr"><br clear="none"></div><div dir="ltr">I am new to dogtag and I am installing a sub ca using the method described in <span><a rel="nofollow" shape="rect" href="https://www.dogtagpki.org/wiki/PKI_10.5_Installing_CA_with_External_CA_Signing_Certificate" target="_blank">https://www.dogtagpki.org/wiki/PKI_10.5_Installing_CA_with_External_CA_Signing_Certificate</a> . I want to know.</span></div><div dir="ltr"><span><br clear="none"></span></div><div dir="ltr">1) What is the parameter to change the <b>Friendly Name</b></div></div></div></blockquote><div>We do not use "Friendly Name". Instead, we use "nickname"</div><div>To configure the nickname for CA signing certificate use: <code>pki_ca_signing_nickname=</code></div><div><code></code><br clear="none"></div><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><div dir="ltr"><span>2) <span><span style="color:rgb(0,0,0);font-family:Helvetica,Arial,sans-serif;font-size:16px">What is the parameter to change the <b>Country/Locality</b></span></span></span></div></div></div></blockquote><div>This is set using subject dn. So, in your case specify the Country using this attribute: <span>pki_ca_signing_subject_dn=</span></div><div> </div><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><div dir="ltr"><span><span>3) Where (a page link ) I can find details about each of this configuration parameters.</span></span></div></div></div></blockquote><div>I don't have a page that explains all the config parameters. But, I do have a page that can give you a list of parameters that you can use (since you mentioned 10.5, I'm listing the contents of 10.5 branch. Refer to the appropriate branch for an updated list)<br clear="none"></div><div><a rel="nofollow" shape="rect" href="https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_BRANCH/base/server/etc/default.cfg" target="_blank">https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_BRANCH/base/server/etc/default.cfg</a></div><div><br clear="none"></div><div>HTH</div><div><br clear="none"></div><div>Regards,</div><div>--Dinesh<div id="gmail-m_-1365923146698595095yiv7742330955gmail-m_-8245546841587472426yiv2687879412gmail-m_6485029878252713423ydp2cd1c1c2yiv8853450738yqtfd57998"><br clear="none"></div></div><div id="gmail-m_-1365923146698595095yiv7742330955gmail-m_-8245546841587472426yiv2687879412gmail-m_6485029878252713423ydp2cd1c1c2yiv8853450738yqtfd43981"><div> </div></div><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><div id="gmail-m_-1365923146698595095yiv7742330955gmail-m_-8245546841587472426yiv2687879412gmail-m_6485029878252713423ydp2cd1c1c2yiv8853450738yqtfd91423"><div dir="ltr"><span><span><br clear="none"></span></span></div><div dir="ltr"><span><span>Thank you.</span></span></div></div><div dir="ltr"><span><br clear="none"></span></div></div></div>_______________________________________________<br clear="none">
Pki-devel mailing list<br clear="none">
<a rel="nofollow" shape="rect" href="mailto:Pki-devel@redhat.com" target="_blank">Pki-devel@redhat.com</a><br clear="none">
<a rel="nofollow" shape="rect" href="https://www.redhat.com/mailman/listinfo/pki-devel" target="_blank">https://www.redhat.com/mailman/listinfo/pki-devel</a></blockquote></div></div></div></div></div>
</div>
</div></div></blockquote></div></div></div></div></div>
</div>
</div></div></div></div></div>
</div>
</div></div></blockquote></div></div></div></div></div></div>
</div>
</div></div></blockquote></div></div>