<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> Hi,<br> <br> If I understand it correctly, you just want the OID to appear in the cert? if so, Generic Extension might be what you are looking for:<br> <a class="moz-txt-link-freetext" href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Admin_Guide/index.html#Generic_Extension_Default">https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Admin_Guide/index.html#Generic_Extension_Default</a><br> <br> Here is an example of it:<br> <div>policyset.set1.p06.constraint.class_id=extensionConstraintImpl</div> <div>policyset.set1.p06.constraint.name=Extension Constraint<br> policyset.set1.p06.constraint.params.extCritical=-<br> policyset.set1.p06.constraint.params.extOID=2.16.76.1.3.3<br> policyset.set1.p06.default.class_id=userExtensionDefaultImpl</div> <div>policyset.set1.p06.default.name=Generic Extension Default<br> policyset.set1.p06.default.params.genericExtData=bz<br> policyset.set1.p06.default.params.genericExtOID=2.16.76.1.3.3</div> policyset.set1.p06.default.params.enericExtCritical=false<br> <br> In the above example, I just put your country OID in the profile, but I imagine you could change it to take it from the input. If you do so, you might want to lighten up on the constraint. I suggest you try the above hard-coded profile first just to see if the cert comes out what you are looking for before adding input in the profile.<br> <br> There is actually a bug in the GenericExtension area in regards to setting critical to true. I have yet to check the fix into Dogtag. Let me know if you do need that.<br> <br> BTW, regarding userExtensionDefault, it can only be used if your CSR has the wanted extension in the request already, so it's not going to help you.<br> <br> Hope this helps.<br> Christina<br> <br> <div class="moz-cite-prefix">On 01/22/2014 02:41 AM, Sergio Pereira wrote:<br> </div> <blockquote cite="mid:CAHwx8Ye=O3URKdh_xADuquf2+BwJpg9SaZmJb8gTWsvLs6xiRQ@mail.gmail.com" type="cite"> <div dir="ltr">hi guys, <div><br> </div> <div>I'm trying to create a certificate profile in a way to have at the end a certificate with a special attributes (supplied by the user through web enrollment form). I'm running dogtag 10.1 on Fedora 20...fresh install. I added a certificate profile using pkiconsole but I'm struggling in how to find the right Policies, Inputs and Outputs for the new profile. The OID I intent to write to it is the 2.16.76.1.3.3 (country specific OID). Here is my profile's config file:</div> <div><br> </div> <div>auth.instance_id=</div> <div>desc=UserCNPJ</div> <div>enable=false</div> <div>enableBy=admin</div> <div>input.CNPJ.class_id=genericInputImpl</div> <div><a moz-do-not-send="true" href="http://input.CNPJ.name">input.CNPJ.name</a>=Generic Input</div> <div>input.CNPJ.params.gi_display_name0=Cadastro Nacional Pessoa Juridica</div> <div>input.CNPJ.params.gi_display_name1=</div> <div>input.CNPJ.params.gi_display_name2=</div> <div>input.CNPJ.params.gi_display_name3=</div> <div> input.CNPJ.params.gi_display_name4=</div> <div>input.CNPJ.params.gi_param_enable0=true</div> <div>input.CNPJ.params.gi_param_enable1=false</div> <div>input.CNPJ.params.gi_param_enable2=false</div> <div>input.CNPJ.params.gi_param_enable3=false</div> <div>input.CNPJ.params.gi_param_enable4=false</div> <div>input.CNPJ.params.gi_param_name0=cnpj</div> <div>input.CNPJ.params.gi_param_name1=</div> <div>input.CNPJ.params.gi_param_name2=</div> <div>input.CNPJ.params.gi_param_name3=</div> <div>input.CNPJ.params.gi_param_name4=</div> <div>input.i1.class_id=keyGenInputImpl</div> <div><a moz-do-not-send="true" href="http://input.i1.name">input.i1.name</a>=Key Generation Input</div> <div>input.i2.class_id=subjectNameInputImpl</div> <div> <a moz-do-not-send="true" href="http://input.i2.name">input.i2.name</a>=Subject Name Input</div> <div>input.i3.class_id=submitterInfoInputImpl</div> <div><a moz-do-not-send="true" href="http://input.i3.name">input.i3.name</a>=Submitter Information Input</div> <div>input.list=i1,i2,i3,CNPJ</div> <div>input.params.gi_display_name0=Cadastro Nacional Pessoa Juridica</div> <div>input.params.gi_display_name1=</div> <div>input.params.gi_display_name2=</div> <div>input.params.gi_display_name3=</div> <div>input.params.gi_display_name4=</div> <div>input.params.gi_param_enable0=true</div> <div>input.params.gi_param_enable1=false</div> <div>input.params.gi_param_enable2=false</div> <div>input.params.gi_param_enable3=false</div> <div>input.params.gi_param_enable4=false</div> <div>input.params.gi_param_name0=cnpj</div> <div>input.params.gi_param_name1=</div> <div>input.params.gi_param_name2=</div> <div>input.params.gi_param_name3=</div> <div>input.params.gi_param_name4=</div> <div>lastModified=1390319210315</div> <div>name=UserCNPJ</div> <div>output.list=o1</div> <div>output.o1.class_id=certOutputImpl</div> <div><a moz-do-not-send="true" href="http://output.o1.name">output.o1.name</a>=Certificate Output</div> <div>policyset.list=set1</div> <div>policyset.set1.list=p1,p2,p3,p4,p5,p06</div> <div>policyset.set1.p06.constraint.class_id=noConstraintImpl</div> <div><a moz-do-not-send="true" href="http://policyset.set1.p06.constraint.name">policyset.set1.p06.constraint.name</a>=No Constraint</div> <div>policyset.set1.p06.default.class_id=userExtensionDefaultImpl</div> <div><a moz-do-not-send="true" href="http://policyset.set1.p06.default.name">policyset.set1.p06.default.name</a>=User Supplied Extension Default</div> <div>policyset.set1.p06.default.params.userExtOID=Comment Here...</div> <div>policyset.set1.p1.constraint.class_id=noConstraintImpl</div> <div><a moz-do-not-send="true" href="http://policyset.set1.p1.constraint.name">policyset.set1.p1.constraint.name</a>=No Constraint</div> <div>policyset.set1.p1.default.class_id=userSubjectNameDefaultImpl</div> <div><a moz-do-not-send="true" href="http://policyset.set1.p1.default.name">policyset.set1.p1.default.name</a>=User Supplied Subject Name Default</div> <div>policyset.set1.p2.constraint.class_id=noConstraintImpl</div> <div><a moz-do-not-send="true" href="http://policyset.set1.p2.constraint.name">policyset.set1.p2.constraint.name</a>=No Constraint</div> <div>policyset.set1.p2.default.class_id=validityDefaultImpl</div> <div><a moz-do-not-send="true" href="http://policyset.set1.p2.default.name">policyset.set1.p2.default.name</a>=Validity Default</div> <div>policyset.set1.p2.default.params.range=180</div> <div>policyset.set1.p2.default.params.startTime=0</div> <div> policyset.set1.p3.constraint.class_id=noConstraintImpl</div> <div><a moz-do-not-send="true" href="http://policyset.set1.p3.constraint.name">policyset.set1.p3.constraint.name</a>=No Constraint</div> <div>policyset.set1.p3.default.class_id=userKeyDefaultImpl</div> <div><a moz-do-not-send="true" href="http://policyset.set1.p3.default.name">policyset.set1.p3.default.name</a>=User Supplied Key Default</div> <div>policyset.set1.p3.default.params.keyMaxLength=4096</div> <div>policyset.set1.p3.default.params.keyMinLength=512</div> <div>policyset.set1.p3.default.params.keyType=RSA</div> <div>policyset.set1.p4.constraint.class_id=noConstraintImpl</div> <div><a moz-do-not-send="true" href="http://policyset.set1.p4.constraint.name">policyset.set1.p4.constraint.name</a>=No Constraint</div> <div>policyset.set1.p4.default.class_id=signingAlgDefaultImpl</div> <div><a moz-do-not-send="true" href="http://policyset.set1.p4.default.name">policyset.set1.p4.default.name</a>=Signing Algorithm Default</div> <div>policyset.set1.p4.default.params.signingAlg=-</div> <div>policyset.set1.p4.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,,SHA512withEC</div> <div>policyset.set1.p5.constraint.class_id=noConstraintImpl</div> <div><a moz-do-not-send="true" href="http://policyset.set1.p5.constraint.name">policyset.set1.p5.constraint.name</a>=No Constraint</div> <div>policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl</div> <div><a moz-do-not-send="true" href="http://policyset.set1.p5.default.name">policyset.set1.p5.default.name</a>=Key Usage Extension Default</div> <div>policyset.set1.p5.default.params.keyUsageCritical=true</div> <div>policyset.set1.p5.default.params.keyUsageCrlSign=true</div> <div>policyset.set1.p5.default.params.keyUsageDataEncipherment=true</div> <div>policyset.set1.p5.default.params.keyUsageDecipherOnly=true</div> <div>policyset.set1.p5.default.params.keyUsageDigitalSignature=true</div> <div>policyset.set1.p5.default.params.keyUsageEncipherOnly=true</div> <div>policyset.set1.p5.default.params.keyUsageKeyAgreement=true</div> <div>policyset.set1.p5.default.params.keyUsageKeyCertSign=true</div> <div>policyset.set1.p5.default.params.keyUsageKeyEncipherment=true</div> <div>policyset.set1.p5.default.params.keyUsageNonRepudiation=true</div> <div>visible=true</div> <div> </div> <div>thx in advance,</div> <div>sergio</div> </div> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> <pre wrap="">_______________________________________________ Pki-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-users">https://www.redhat.com/mailman/listinfo/pki-users</a></pre> </blockquote> <br> </body> </html>