<div dir="ltr">Hi Christina,<div>Your help was just the key to finding the right answer to my question. ;-)</div><div><br></div><div>Here is what I did to accomplish what I want:</div><div><br></div><div><div>policyset.set1.p6.constraint.class_id=noConstraintImpl</div>
<div>policyset.set1.p6.constraint.name=No Constraint</div><div>policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl</div><div>policyset.set1.p6.default.name=Subject Alternative Name Extension Default</div>
<div>policyset.set1.p6.default.params.subjAltExtGNEnable_0=true</div><div>policyset.set1.p6.default.params.subjAltExtPattern_0=(PrintableString)2.16.76.1.3.3,$request.cnpj$</div><div>policyset.set1.p6.default.params.subjAltExtType_0=OtherName</div>
<div>policyset.set1.p6.default.params.subjAltNameExtCritical=true</div><div>policyset.set1.p6.default.params.subjAltNameNumGNs=1</div></div><div><br></div><div><br></div><div>Worked like a charm ;-)</div><div><br></div><div>
Thank you again.</div><div>sp</div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2014-01-23 Christina Fu <span dir="ltr"><<a href="mailto:cfu@redhat.com" target="_blank">cfu@redhat.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Hi Sergio,<br>
<br>
I did wonder if what you needed was the Subject Alternative Name
extension, but since you said it's a "special attribute" I thought
you wanted something different ;-).<br>
<br>
SubjectAlternativeName Extension is easy to apply in Dogtag.<br>
<br>
First, here is info regarding SubjectAlternativeName:<br>
<a href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Admin_Guide/index.html#Subject_Alternative_Name_Extension_Default" target="_blank">https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Admin_Guide/index.html#Subject_Alternative_Name_Extension_Default</a><br>
<br>
Scroll down a page or two and you will find Table B.21, Subject
Alternative Name Extension Default Configuration Parameters.<br>
This is pretty much what you need. I think what you want for "Type"
is "OIDName". <br>
<br>
So for example, you would have:<br>
<div>policyset.set1.p06.constraint.class_id=noConstraintImpl</div>
<div>policyset.set1.p06.constraint.name=No Constraint<br>
policyset.set1.p06.default.class_id=subjectAltNameExtDefaultImpl</div>
<div>policyset.set1.p06.default.name=Subject Alternative Name Extension Default<br>
policyset.set1.p06.default.params.subjAltNameExtCritical=false<br>
policyset.set1.p06.default.params.subjAltNameNumGNs=1<br>
policyset.set1.p06.default.params.subjAltExtType_0=OIDName<br>
policyset.set1.p06.default.params.subjAltExtPattern_0=2.16.76.1.3.3</div>
policyset.set1.p06.default.params.subjAltExtGNEnable_0=true<br>
<br>
Again, you can change the pattern part to take it from the input
once it's working. However, unless you are in a controlled
environment, it's better to have a constraint (you can write a
plugin to suit your needs). And unless you have multiple OIDs to
insert, there is really no need to take it from input.<br>
<br>
Regarding Generic Extension, I know it should work. Maybe your
value did not match the constraint. But it's a moot point now since
you are looking for SAN.<br>
<br>
Hope this helps,<br>
Christina<div><div class="h5"><br>
<br>
<div>On 01/23/2014 04:12 AM, Sergio Pereira
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><font face="arial, helvetica, sans-serif">Hi
Christina,</font>
<div><font face="arial, helvetica, sans-serif"><br>
</font></div>
<div><font face="arial, helvetica, sans-serif">I really
appreciate your response and time. I did try your
suggestion but with no luck; when enrolling through the web form
I get the message: "<span>Sorry,
your request has been rejected. The reason is "Request
Rejected - {0}".</span></font></div>
<div><font color="#000000" face="arial, helvetica, sans-serif">Attached
is a picture of a real certificate, signed by a Brazilian CA
and that is what I'm trying to accomplish using
DogTag certificate system. The OID I'm trying to write to is
marked in red and its value has some sort of Hex form (that
would be the second step to be accomplished). One thing I
realized is that the OID in question is in Subject
Alternative Name and not as Generic Extension.</font></div>
<div><br>
</div>
<div><font color="#000000" face="PrimaSans BT, Verdana, Arial,
Helvetica, sans-serif">thx,</font></div>
<div><font color="#000000" face="PrimaSans BT, Verdana, Arial,
Helvetica, sans-serif">sp</font></div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">2014/1/23 Christina Fu <span dir="ltr"><<a href="mailto:cfu@redhat.com" target="_blank">cfu@redhat.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi,<br>
<br>
If I understand it correctly, you just want the OID to
appear in the cert? If so, Generic Extension might be
what you are looking for:<br>
<a href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Admin_Guide/index.html#Generic_Extension_Default" target="_blank">https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Admin_Guide/index.html#Generic_Extension_Default</a><br>
<br>
Here is an example of it:<br>
<div>policyset.set1.p06.constraint.class_id=extensionConstraintImpl</div>
<div>policyset.set1.p06.constraint.name=Extension Constraint<br>
policyset.set1.p06.constraint.params.extCritical=-<br>
policyset.set1.p06.constraint.params.extOID=2.16.76.1.3.3<br>
policyset.set1.p06.default.class_id=genericExtDefaultImpl</div>
<div>policyset.set1.p06.default.name=Generic Extension Default<br>
policyset.set1.p06.default.params.genericExtData=bz<br>
policyset.set1.p06.default.params.genericExtOID=2.16.76.1.3.3</div>
policyset.set1.p06.default.params.genericExtCritical=false<br>
<br>
In the above example, I just put your country OID in the
profile, but I imagine you could change it to take it from
the input. If you do so, you might want to lighten up on
the constraint. I suggest you try the above hard-coded
profile first just to see if the cert comes out as what you
are looking for before adding input to the profile.<br>
<br>
There is actually a bug in the GenericExtension area in
regards to setting critical to true. I have yet to check
the fix into Dogtag. Let me know if you do need that.<br>
<br>
BTW, regarding userExtensionDefault, it can only be used
if your CSR has the wanted extension in the request
already, so it's not going to help you.<br>
<br>
Hope this helps.<span><font color="#888888"><br>
Christina</font></span>
<div>
<div><br>
<br>
<div>On 01/22/2014 02:41 AM, Sergio Pereira wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">Hi guys,
<div><br>
</div>
<div>I'm trying to create a certificate profile in
a way to have at the end a certificate with a
special attribute (supplied by the user through the
web enrollment form). I'm running Dogtag 10.1 on
Fedora 20, fresh install. I added a certificate
profile using pkiconsole but I'm struggling with
how to find the right Policies, Inputs and
Outputs for the new profile. The OID I intend to
write to it is 2.16.76.1.3.3 (country
specific OID). Here is my profile's config file:</div>
<div><br>
</div>
<div>auth.instance_id=</div>
<div>desc=UserCNPJ</div>
<div>enable=false</div>
<div>enableBy=admin</div>
<div>input.CNPJ.class_id=genericInputImpl</div>
<div>input.CNPJ.name=Generic Input</div>
<div>input.CNPJ.params.gi_display_name0=Cadastro Nacional Pessoa Juridica</div>
<div>input.CNPJ.params.gi_display_name1=</div>
<div>input.CNPJ.params.gi_display_name2=</div>
<div>input.CNPJ.params.gi_display_name3=</div>
<div>input.CNPJ.params.gi_display_name4=</div>
<div>input.CNPJ.params.gi_param_enable0=true</div>
<div>input.CNPJ.params.gi_param_enable1=false</div>
<div>input.CNPJ.params.gi_param_enable2=false</div>
<div>input.CNPJ.params.gi_param_enable3=false</div>
<div>input.CNPJ.params.gi_param_enable4=false</div>
<div>input.CNPJ.params.gi_param_name0=cnpj</div>
<div>input.CNPJ.params.gi_param_name1=</div>
<div>input.CNPJ.params.gi_param_name2=</div>
<div>input.CNPJ.params.gi_param_name3=</div>
<div>input.CNPJ.params.gi_param_name4=</div>
<div>input.i1.class_id=keyGenInputImpl</div>
<div>input.i1.name=Key Generation Input</div>
<div>input.i2.class_id=subjectNameInputImpl</div>
<div>input.i2.name=Subject Name Input</div>
<div>input.i3.class_id=submitterInfoInputImpl</div>
<div>input.i3.name=Submitter Information Input</div>
<div>input.list=i1,i2,i3,CNPJ</div>
<div>input.params.gi_display_name0=Cadastro Nacional Pessoa Juridica</div>
<div>input.params.gi_display_name1=</div>
<div>input.params.gi_display_name2=</div>
<div>input.params.gi_display_name3=</div>
<div>input.params.gi_display_name4=</div>
<div>input.params.gi_param_enable0=true</div>
<div>input.params.gi_param_enable1=false</div>
<div>input.params.gi_param_enable2=false</div>
<div>input.params.gi_param_enable3=false</div>
<div>input.params.gi_param_enable4=false</div>
<div>input.params.gi_param_name0=cnpj</div>
<div>input.params.gi_param_name1=</div>
<div>input.params.gi_param_name2=</div>
<div>input.params.gi_param_name3=</div>
<div>input.params.gi_param_name4=</div>
<div>lastModified=1390319210315</div>
<div>name=UserCNPJ</div>
<div>output.list=o1</div>
<div>output.o1.class_id=certOutputImpl</div>
<div>output.o1.name=Certificate Output</div>
<div>policyset.list=set1</div>
<div>policyset.set1.list=p1,p2,p3,p4,p5,p06</div>
<div>policyset.set1.p06.constraint.class_id=noConstraintImpl</div>
<div>policyset.set1.p06.constraint.name=No Constraint</div>
<div>policyset.set1.p06.default.class_id=userExtensionDefaultImpl</div>
<div>policyset.set1.p06.default.name=User Supplied Extension Default</div>
<div>policyset.set1.p06.default.params.userExtOID=Comment Here...</div>
<div>policyset.set1.p1.constraint.class_id=noConstraintImpl</div>
<div>policyset.set1.p1.constraint.name=No Constraint</div>
<div>policyset.set1.p1.default.class_id=userSubjectNameDefaultImpl</div>
<div>policyset.set1.p1.default.name=User Supplied Subject Name Default</div>
<div>policyset.set1.p2.constraint.class_id=noConstraintImpl</div>
<div>policyset.set1.p2.constraint.name=No Constraint</div>
<div>policyset.set1.p2.default.class_id=validityDefaultImpl</div>
<div>policyset.set1.p2.default.name=Validity Default</div>
<div>policyset.set1.p2.default.params.range=180</div>
<div>policyset.set1.p2.default.params.startTime=0</div>
<div>policyset.set1.p3.constraint.class_id=noConstraintImpl</div>
<div>policyset.set1.p3.constraint.name=No Constraint</div>
<div>policyset.set1.p3.default.class_id=userKeyDefaultImpl</div>
<div>policyset.set1.p3.default.name=User Supplied Key Default</div>
<div>policyset.set1.p3.default.params.keyMaxLength=4096</div>
<div>policyset.set1.p3.default.params.keyMinLength=512</div>
<div>policyset.set1.p3.default.params.keyType=RSA</div>
<div>policyset.set1.p4.constraint.class_id=noConstraintImpl</div>
<div>policyset.set1.p4.constraint.name=No Constraint</div>
<div>policyset.set1.p4.default.class_id=signingAlgDefaultImpl</div>
<div>policyset.set1.p4.default.name=Signing Algorithm Default</div>
<div>policyset.set1.p4.default.params.signingAlg=-</div>
<div>policyset.set1.p4.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,,SHA512withEC</div>
<div>policyset.set1.p5.constraint.class_id=noConstraintImpl</div>
<div>policyset.set1.p5.constraint.name=No Constraint</div>
<div>policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl</div>
<div>policyset.set1.p5.default.name=Key Usage Extension Default</div>
<div>policyset.set1.p5.default.params.keyUsageCritical=true</div>
<div>policyset.set1.p5.default.params.keyUsageCrlSign=true</div>
<div>policyset.set1.p5.default.params.keyUsageDataEncipherment=true</div>
<div>policyset.set1.p5.default.params.keyUsageDecipherOnly=true</div>
<div>policyset.set1.p5.default.params.keyUsageDigitalSignature=true</div>
<div>policyset.set1.p5.default.params.keyUsageEncipherOnly=true</div>
<div>policyset.set1.p5.default.params.keyUsageKeyAgreement=true</div>
<div>policyset.set1.p5.default.params.keyUsageKeyCertSign=true</div>
<div>policyset.set1.p5.default.params.keyUsageKeyEncipherment=true</div>
<div>policyset.set1.p5.default.params.keyUsageNonRepudiation=true</div>
<div>visible=true</div>
<div> </div>
<div>thx in advance,</div>
<div>sergio</div>
</div>
<br>
<br>
</div>
</div>
<div>
<pre>_______________________________________________
Pki-users mailing list
<a href="mailto:Pki-users@redhat.com" target="_blank">Pki-users@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/pki-users" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a></pre>
</div>
</blockquote>
<br>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
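<p>The DER behind the two SAN types discussed in this thread, as an added example that is not code from the thread or from Dogtag: an "OIDName" entry is a registeredID GeneralName, which carries an OID and nothing else, while an "OtherName" entry with a "(PrintableString)oid,value" pattern is an otherName whose value field holds the CNPJ, which is why only the latter fits. The OID 2.16.76.1.3.3 is the one from the thread; the CNPJ digits are constructed sample data, and find_other_name is a hypothetical helper for checking the SAN of an issued certificate.</p>

```python
# Added example (not from the thread): DER for the two SAN GeneralName forms above and a
# check that reads the otherName value back. OID from the thread; CNPJ digits constructed.

def der_len(n: int) -> bytes:
    if n < 0x80:                          # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body   # long form: count byte, then the length

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])         # base-128, high bit marks continuation
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return bytes(out)

def registered_id(oid: str) -> bytes:     # GeneralName [8] registeredID ("OIDName"): OID only
    return tlv(0x88, encode_oid(oid))

def other_name_printable(oid: str, value: str) -> bytes:
    # GeneralName [0] otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY };
    # the "(PrintableString)oid,value" pattern makes the value a PrintableString (tag 0x13)
    value_der = tlv(0xA0, tlv(0x13, value.encode("ascii")))
    return tlv(0xA0, tlv(0x06, encode_oid(oid)) + value_der)

def subject_alt_name(*names: bytes) -> bytes:
    return tlv(0x30, b"".join(names))     # GeneralNames ::= SEQUENCE OF GeneralName

def read_tlv(buf: bytes, pos: int):       # -> (tag, content, next_pos) of the element at pos
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                         # long form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def find_other_name(san: bytes, oid: str):   # PrintableString of the otherName with this type-id
    names, pos = read_tlv(san, 0)[1], 0
    while pos < len(names):
        tag, content, pos = read_tlv(names, pos)
        if tag == 0xA0:                   # otherName; other GeneralName choices are skipped
            _, oid_body, after_oid = read_tlv(content, 0)
            if oid_body == encode_oid(oid):
                _, explicit, _ = read_tlv(content, after_oid)
                return read_tlv(explicit, 0)[1].decode("ascii")
    return None
```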