<div dir="ltr"><font face="arial, helvetica, sans-serif">Hi Christina,</font><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">I really appreciate your response and time. I did try your suggestion, but with no luck; when enrolling through the web form I get the message: "<span style="color:rgb(0,0,0)">Sorry, your request has been rejected. The reason is "Request Rejected - {0}".</span></font></div>

<div><font color="#000000" face="arial, helvetica, sans-serif">Attached is a picture of a real certificate, signed by a Brazilian CA, and that is what I'm trying to accomplish using the DogTag certificate system. The OID I'm trying to write to is marked in red and its value has some sort of Hex form (that would be the second step to be accomplished). One thing I realized is that the OID in question is in the Subject Alternative Name and not a Generic Extension.</font></div>

<div><br></div><div><font color="#000000" face="PrimaSans BT, Verdana, Arial, Helvetica, sans-serif">thx,</font></div><div><font color="#000000" face="PrimaSans BT, Verdana, Arial, Helvetica, sans-serif">sp</font></div></div>

<div class="gmail_extra"><br><br><div class="gmail_quote">2014/1/23 Christina Fu <span dir="ltr">&lt;<a href="mailto:cfu@redhat.com" target="_blank">cfu@redhat.com</a>&gt;</span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">


  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    Hi,<br>
    <br>
    If I understand it correctly, you just want the OID to appear in the
    cert?  If so, Generic Extension might be what you are looking for:<br>
<a href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Admin_Guide/index.html#Generic_Extension_Default" target="_blank">https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Admin_Guide/index.html#Generic_Extension_Default</a><br>


    <br>
    Here is an example of it:<br>
    <div>policyset.set1.p06.constraint.class_id=extensionConstraintImpl</div>
    <div>policyset.set1.p06.constraint.name=Extension Constraint<br>
      policyset.set1.p06.constraint.params.extCritical=-<br>
      policyset.set1.p06.constraint.params.extOID=2.16.76.1.3.3<br>
      policyset.set1.p06.default.class_id=userExtensionDefaultImpl</div>
    <div>policyset.set1.p06.default.name=Generic Extension Default<br>
      policyset.set1.p06.default.params.genericExtData=bz<br>
      policyset.set1.p06.default.params.genericExtOID=2.16.76.1.3.3</div>
    policyset.set1.p06.default.params.genericExtCritical=false<br>
    <br>
    In the above example, I just put your country OID in the profile,
    but I imagine you could change it to take it from the input.  If you
    do so, you might want to lighten up on the constraint.  I suggest
    you try the above hard-coded profile first just to see if the cert
    comes out as what you are looking for before adding input in the
    profile.<br>
    <br>
    There is actually a bug in the GenericExtension area in regards to
    setting critical to true.  I have yet to check the fix into Dogtag. 
    Let me know if you do need that.<br>
    <br>
    BTW, regarding userExtensionDefault, it can only be used if your CSR
    has the wanted extension in the request already, so it's not going
    to help you.<br>
    <br>
    Hope this helps.<span class="HOEnZb"><font color="#888888"><br>
    Christina</font></span><div><div class="h5"><br>
    <br>
    <div>On 01/22/2014 02:41 AM, Sergio Pereira
      wrote:<br>
    </div>
    </div></div><blockquote type="cite"><div><div class="h5">
      <div dir="ltr">hi guys,
        <div><br>
        </div>
        <div>I'm trying to create a certificate profile in a way to have
          at the end a certificate with special attributes (supplied
          by the user through the web enrollment form). I'm running dogtag
          10.1 on Fedora 20...fresh install. I added a certificate
          profile using pkiconsole but I'm struggling to find the
          right Policies, Inputs and Outputs for the new profile. The
          OID I intend to write to it is 2.16.76.1.3.3 (country
          specific OID). Here is my profile's config file:</div>
        <div><br>
        </div>
        <div>auth.instance_id=</div>
        <div>desc=UserCNPJ</div>
        <div>enable=false</div>
        <div>enableBy=admin</div>
        <div>input.CNPJ.class_id=genericInputImpl</div>
        <div>input.CNPJ.name=Generic Input</div>
        <div>input.CNPJ.params.gi_display_name0=Cadastro Nacional Pessoa
          Juridica</div>
        <div>input.CNPJ.params.gi_display_name1=</div>
        <div>input.CNPJ.params.gi_display_name2=</div>
        <div>input.CNPJ.params.gi_display_name3=</div>
        <div>
          input.CNPJ.params.gi_display_name4=</div>
        <div>input.CNPJ.params.gi_param_enable0=true</div>
        <div>input.CNPJ.params.gi_param_enable1=false</div>
        <div>input.CNPJ.params.gi_param_enable2=false</div>
        <div>input.CNPJ.params.gi_param_enable3=false</div>
        <div>input.CNPJ.params.gi_param_enable4=false</div>
        <div>input.CNPJ.params.gi_param_name0=cnpj</div>
        <div>input.CNPJ.params.gi_param_name1=</div>
        <div>input.CNPJ.params.gi_param_name2=</div>
        <div>input.CNPJ.params.gi_param_name3=</div>
        <div>input.CNPJ.params.gi_param_name4=</div>
        <div>input.i1.class_id=keyGenInputImpl</div>
        <div>input.i1.name=Key Generation Input</div>
        <div>input.i2.class_id=subjectNameInputImpl</div>
        <div>input.i2.name=Subject Name Input</div>
        <div>input.i3.class_id=submitterInfoInputImpl</div>
        <div>input.i3.name=Submitter Information Input</div>
        <div>input.list=i1,i2,i3,CNPJ</div>
        <div>input.params.gi_display_name0=Cadastro Nacional Pessoa
          Juridica</div>
        <div>input.params.gi_display_name1=</div>
        <div>input.params.gi_display_name2=</div>
        <div>input.params.gi_display_name3=</div>
        <div>input.params.gi_display_name4=</div>
        <div>input.params.gi_param_enable0=true</div>
        <div>input.params.gi_param_enable1=false</div>
        <div>input.params.gi_param_enable2=false</div>
        <div>input.params.gi_param_enable3=false</div>
        <div>input.params.gi_param_enable4=false</div>
        <div>input.params.gi_param_name0=cnpj</div>
        <div>input.params.gi_param_name1=</div>
        <div>input.params.gi_param_name2=</div>
        <div>input.params.gi_param_name3=</div>
        <div>input.params.gi_param_name4=</div>
        <div>lastModified=1390319210315</div>
        <div>name=UserCNPJ</div>
        <div>output.list=o1</div>
        <div>output.o1.class_id=certOutputImpl</div>
        <div>output.o1.name=Certificate Output</div>
        <div>policyset.list=set1</div>
        <div>policyset.set1.list=p1,p2,p3,p4,p5,p06</div>
        <div>policyset.set1.p06.constraint.class_id=noConstraintImpl</div>
        <div>policyset.set1.p06.constraint.name=No Constraint</div>
        <div>policyset.set1.p06.default.class_id=userExtensionDefaultImpl</div>
        <div>policyset.set1.p06.default.name=User Supplied Extension Default</div>
        <div>policyset.set1.p06.default.params.userExtOID=Comment Here...</div>
        <div>policyset.set1.p1.constraint.class_id=noConstraintImpl</div>
        <div>policyset.set1.p1.constraint.name=No Constraint</div>
        <div>policyset.set1.p1.default.class_id=userSubjectNameDefaultImpl</div>
        <div>policyset.set1.p1.default.name=User Supplied Subject Name Default</div>
        <div>policyset.set1.p2.constraint.class_id=noConstraintImpl</div>
        <div>policyset.set1.p2.constraint.name=No Constraint</div>
        <div>policyset.set1.p2.default.class_id=validityDefaultImpl</div>
        <div>policyset.set1.p2.default.name=Validity Default</div>
        <div>policyset.set1.p2.default.params.range=180</div>
        <div>policyset.set1.p2.default.params.startTime=0</div>
        <div>policyset.set1.p3.constraint.class_id=noConstraintImpl</div>
        <div>policyset.set1.p3.constraint.name=No Constraint</div>
        <div>policyset.set1.p3.default.class_id=userKeyDefaultImpl</div>
        <div>policyset.set1.p3.default.name=User Supplied Key Default</div>
        <div>policyset.set1.p3.default.params.keyMaxLength=4096</div>
        <div>policyset.set1.p3.default.params.keyMinLength=512</div>
        <div>policyset.set1.p3.default.params.keyType=RSA</div>
        <div>policyset.set1.p4.constraint.class_id=noConstraintImpl</div>
        <div>policyset.set1.p4.constraint.name=No Constraint</div>
        <div>policyset.set1.p4.default.class_id=signingAlgDefaultImpl</div>
        <div>policyset.set1.p4.default.name=Signing Algorithm Default</div>
        <div>policyset.set1.p4.default.params.signingAlg=-</div>
        <div>policyset.set1.p4.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,,SHA512withEC</div>
        <div>policyset.set1.p5.constraint.class_id=noConstraintImpl</div>
        <div>policyset.set1.p5.constraint.name=No Constraint</div>
        <div>policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl</div>
        <div>policyset.set1.p5.default.name=Key Usage Extension Default</div>
        <div>policyset.set1.p5.default.params.keyUsageCritical=true</div>
        <div>policyset.set1.p5.default.params.keyUsageCrlSign=true</div>
        <div>policyset.set1.p5.default.params.keyUsageDataEncipherment=true</div>
        <div>policyset.set1.p5.default.params.keyUsageDecipherOnly=true</div>
        <div>policyset.set1.p5.default.params.keyUsageDigitalSignature=true</div>
        <div>policyset.set1.p5.default.params.keyUsageEncipherOnly=true</div>
        <div>policyset.set1.p5.default.params.keyUsageKeyAgreement=true</div>
        <div>policyset.set1.p5.default.params.keyUsageKeyCertSign=true</div>
        <div>policyset.set1.p5.default.params.keyUsageKeyEncipherment=true</div>
        <div>policyset.set1.p5.default.params.keyUsageNonRepudiation=true</div>
        <div>visible=true</div>
        <div> </div>
        <div>thx in advance,</div>
        <div>sergio</div>
      </div>
      <br>
      <br>
      </div></div><div class="im"><pre>_______________________________________________
Pki-users mailing list
<a href="mailto:Pki-users@redhat.com" target="_blank">Pki-users@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/pki-users" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a></pre>
    </div></blockquote>
    <br>
  </div>

</blockquote></div><br></div>
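<div>Added example (not part of the thread and not Dogtag code): the observation above that the OID sits inside Subject Alternative Name rather than in an extension of its own matches the otherName form of GeneralName defined in RFC 5280. The Python below builds the DER value of a SubjectAltName extension carrying one otherName with type-id 2.16.76.1.3.3 and reads it back, so an issued certificate's SAN bytes can be checked for that entry. Assumptions: the value is typed as an OCTET STRING, the 14-digit value is constructed, and all function names are illustrative.</div>

```python
# Added example: DER layout of a SubjectAltName otherName (RFC 5280, 4.2.1.6).
OID_FROM_THREAD = "2.16.76.1.3.3"
SAMPLE_VALUE = b"12345678000195"  # constructed 14-digit value, not a real CNPJ

def tlv(tag, content):
    n = len(content)
    size = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content

def base128(n):
    out = [n & 0x7F]
    while n > 0x7F:
        n >>= 7
        out.append(0x80 | (n & 0x7F))
    return bytes(reversed(out))

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    subs = [40 * arcs[0] + arcs[1]] + arcs[2:]  # first two arcs share one subidentifier
    return tlv(0x06, b"".join(base128(s) for s in subs))

def san_othername(oid, value):
    """GeneralNames with one otherName; value typed as OCTET STRING (assumption)."""
    other = encode_oid(oid) + tlv(0xA0, tlv(0x04, value))  # value is [0] EXPLICIT
    return tlv(0x30, tlv(0xA0, other))                      # otherName is [0] IMPLICIT

def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def othername_values(san_der, oid):
    """Raw value bytes of every otherName in a SAN value whose type-id equals oid."""
    tag, names, _ = read_tlv(san_der)
    if tag != 0x30:
        raise ValueError("SubjectAltName value must be a SEQUENCE")
    want, found, pos = encode_oid(oid), [], 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag == 0xA0 and body.startswith(want):  # [0] constructed = otherName
            _, wrapped, _ = read_tlv(body, len(want))
            found.append(read_tlv(wrapped)[1])
    return found
```
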