[Pki-devel] [Pki-users] How to generate the certificate in pkcs #12 format using Dogtag PKI

Alex Scheel ascheel at redhat.com
Thu Nov 7 20:21:13 UTC 2019


Hi Sarath,


I think an X.509 certificate with "digital signature" key usage would
suffice based on what I can tell:

 - https://helpx.adobe.com/acrobat/using/certificate-based-signatures.html
 - https://tools.ietf.org/html/rfc5280#section-4.2.1.3
 - https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/standard_x.509_v3_certificate_extensions

Per a DigiCert article on the subject, you might want timestamping as
an extended key usage as well:

 - https://www.digicert.com/document-signing/how-to-sign-a-pdf.htm
 - https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/Standard_X.509_v3_Certificate_Extensions#Discussion-PKIX_Extended_Key_Usage_Extension_Uses

Details are kinda sparse about what else you'd need, or if those
are sufficient. You might try reading Section 12.7.4.5 "Signature
Fields", Section 12.8 "Digital Signatures", and in particular,
Section 12.8.3.3 "PKCS#7 Signatures as used in ISO 32000" of the
PDF 1.7 specification for more information:

 - https://www.adobe.com/content/dam/acom/en/devnet/pdf/pdfs/PDF32000_2008.pdf


You'd probably want to create a certificate profile with this
information at any rate:

 - https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/certificate_profiles


Hope that helps,

- Alex

----- Original Message -----
> From: "Sharath" <sharathkumar.gundu at tecra.com>
> To: "Fraser Tweedale" <ftweedal at redhat.com>
> Cc: pki-users at redhat.com, pki-devel at redhat.com
> Sent: Monday, November 4, 2019 2:09:54 AM
> Subject: Re: [Pki-users] [Pki-devel] How to generate the certificate in pkcs #12 format using Dogtag PKI
> 
> Hi Fraser,
> 
> I have a use case where I need to certify the PDF document with a
> "handwritten user signature with associated certificate and it should
> be validated with the password".
> 
> How can we achieve this using Dogtag PKI?
> 
> Thanks,
> 
> Sharath
> 
> On 04/11/19 9:59 AM, Fraser Tweedale wrote:
> > On Fri, Nov 01, 2019 at 05:29:40PM +0530, Sharath wrote:
> >> Hi Team,
> >>
> >> 1. Can you please help with how to generate the certificate using PKCS #12
> >> format?
> >>
> > Hi Sharath,
> >
> > PKCS #12 is a key and certificate archival format.  The main use of
> > PKCS #12 in Dogtag is retrieving archived keys from the KRA (key
> > recovery authority).
> >
> > If you have a certificate and the corresponding private key you can
> > create a PKCS #12 file using 'openssl pkcs12', or for keys in NSS
> > databases 'pk12util'.
> >
> > If you provide more context about your use case, we may be able to
> > provide more assistance :)
> >
> >> 2. Is there any way to validate the certificate with a password using
> >> Dogtag PKI?
> >>
> > Again, it's not clear what you're trying to do.  But with PKI you
> > never need a passphrase or private key to validate certificate
> > signatures.
> >
> > Cheers,
> > Fraser
> >
> >> Thanks,
> >>
> >> Sharath
> 
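The points made in this thread (a "digital signature" key usage, packaging with 'openssl pkcs12', and validation needing no passphrase) can be tried end to end with the sketch below. It is an added example, not part of the original messages and not Dogtag code: the self-signed certificate stands in for one issued from a Dogtag profile, the subject, file names and password are constructed, and it signs a plain file digest rather than producing a PDF signature.

```shell
#!/bin/sh
# Added example. Subject name, file names and password are constructed;
# the self-signed certificate stands in for one a Dogtag profile would issue.
umask 077   # key material written below is readable by the owner only

# make_signing_p12 DIR PASSWORD: key + certificate -> DIR/signer.p12
make_signing_p12() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = Example PDF Signer
[ext]
keyUsage = critical, digitalSignature
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/req.cnf" \
        -keyout "$1/signer.key" -out "$1/signer.crt" 2>/dev/null || return 1
    openssl pkcs12 -export -name pdf-signer -passout "pass:$2" \
        -inkey "$1/signer.key" -in "$1/signer.crt" -out "$1/signer.p12"
}

# key_usage DIR: print the key usage value carried by the certificate
key_usage() {
    openssl x509 -in "$1/signer.crt" -noout -text |
        grep -A1 'X509v3 Key Usage' | tail -n 1 | sed 's/^ *//'
}

# sign_file DIR PASSWORD FILE: the password only unlocks the archived private key
sign_file() {
    openssl pkcs12 -in "$1/signer.p12" -passin "pass:$2" -nocerts -nodes \
        -out "$1/unlocked.key" 2>/dev/null ||
        { rm -f "$1/unlocked.key"; return 1; }
    rc=0
    openssl dgst -sha256 -sign "$1/unlocked.key" -out "$3.sig" "$3" || rc=$?
    rm -f "$1/unlocked.key"
    return $rc
}

# verify_file DIR FILE: needs the certificate's public key, never the password
verify_file() {
    openssl x509 -in "$1/signer.crt" -noout -pubkey > "$1/signer.pub" &&
        openssl dgst -sha256 -verify "$1/signer.pub" -signature "$2.sig" "$2" \
            >/dev/null 2>&1
}
```

Source the file, then call `make_signing_p12`, `sign_file` and `verify_file` in that order against a scratch directory; only the first two take the password.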



