[Pki-devel] Configuration of Friendly Name and Country

Dinesh Prasanth Moluguwan Krishnamoorthy dmoluguw at redhat.com
Tue Jun 2 01:19:50 UTC 2020


Hi Nadeera,

Please find my reply inline

On Fri, May 29, 2020 at 5:28 AM Nadeera Galagedara <
nadeeragalagedara at yahoo.com> wrote:

> Dear Dinesh,
>
> I tried the method and still have the problem. I will tell you what I did;
> can you tell me where I went wrong?
>
> My root CA has "Maximum number of intermediate CAs: unlimited" and now
> I am installing the issuing CA (what I use to issue certificates for
> clients). For the issuing CA I want "Maximum number of intermediate CAs"
> to be zero.
>

> I basically followed the
> https://www.dogtagpki.org/wiki/PKI_10.5_Installing_CA_with_External_CA_Signing_Certificate steps
> (sent the CSR to the root CA and got back the signed certificate) and added
>
> policyset.caCertSet.5.default.name=Basic Constraints Extension Default
> policyset.caCertSet.5.default.params.basicConstraintsCritical=true
> policyset.caCertSet.5.default.params.basicConstraintsIsCA=true
> policyset.caCertSet.5.default.params.basicConstraintsPathLen=0
>
> lines to both step 1 and step 2 config files and installed the Issuing CA.
>
The above lines need to be added to profiles, not to .cfg for pkispawn. My
colleague, Fraser, wrote an awesome blog post [1] explaining how Dogtag
profiles work. Though the post was written in 2014 this should give you a
good understanding of how to configure profiles.

But, in your case, I believe you need to craft the CSR with this
constraint. So, you need to use the `openssl` or `certutil` tools to
specify the Basic Constraints extension.

For example, using openssl:

openssl req \
    -addext basicConstraints=critical,CA:TRUE,pathlen:1 \
    ...


You can also refer to our wiki [2] for how to create the CSR.

[1]
https://frasertweedale.github.io/blog-redhat/posts/2014-05-14-dogtag-profile-definitions.html
[2] https://www.dogtagpki.org/wiki/Generating_CA_Signing_CSR_with_OpenSSL

HTH. Good luck!

Regards,
--Dinesh
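
As an added example, not part of this thread or of Dogtag's own tooling, here is the flow Dinesh describes carried through end to end with OpenSSL: the CSR requests pathlen:0, a throwaway root (an assumption, standing in for the real root CA) signs it, and the returned certificate rather than the CSR is checked, since the signing CA's profile decides which requested extensions survive. It assumes an `openssl` binary on PATH; the subject DN is taken from the configs quoted below.

```shell
#!/bin/sh
# Added example (not from the thread or Dogtag). Build an issuing-CA CSR that
# requests basicConstraints critical,CA:TRUE,pathlen:0 via a config section
# (works on OpenSSL 1.0.2, which lacks `req -addext`), sign it with a throwaway
# root standing in for the real root CA, and check that pathlen:0 is in the cert.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# pathlen:0 = no further intermediate CAs; with pathlen absent, Windows shows
# "Maximum number of intermediate CAs: unlimited". DN values follow the thread.
cat > "$WORK/issuing.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
req_extensions = v3_issuing
[ dn ]
CN = mycompany_cn
OU = mycompany_ou
O = mycompany_o
C = LK
[ v3_issuing ]
basicConstraints = critical,CA:TRUE,pathlen:0
EOF

# Print the pathlen from a PEM file's Basic Constraints ($1 = file,
# $2 = req|x509); prints nothing when pathlen is absent (= unlimited).
pathlen_of() {
  openssl "$2" -in "$1" -noout -text | awk '/Basic Constraints/ { getline
    if (match($0, /pathlen:[0-9]+/)) print substr($0, RSTART + 8, RLENGTH - 8) }'
}
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/issuing.cnf" \
    -keyout "$WORK/issuing.key" -out "$WORK/ca_signing.csr" 2>/dev/null
}
# The real root CA keeps or drops requested extensions per its profile, so the
# returned ca_signing.crt, not the CSR, is what must be checked.
sign_with_test_root() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root" \
    -config "$WORK/issuing.cnf" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/ca_signing.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 1 -extfile "$WORK/issuing.cnf" \
    -extensions v3_issuing -out "$WORK/ca_signing.crt" 2>/dev/null
}

check_pathlen() {
  make_csr && sign_with_test_root
  echo "cert pathlen=$(pathlen_of "$WORK/ca_signing.crt" x509)"   # prints 0
  [ "$(pathlen_of "$WORK/ca_signing.crt" x509)" = "0" ]
}
check_pathlen
```

Against a real root CA, replace the test-root step with the signed certificate the root returns and run the same check on it.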


> Then I went to the Issuing CA's "SSL End Users Services" -> "Manual
> User Dual-Use Certificate Enrollment" and created a certificate. Then
> I went to Agent Services and approved that request.
>
> I imported that certificate into the browser. But it still shows my issuing CA
> "Maximum number of intermediate CAs: unlimited".
>
> Can you tell me what I did wrong?
>
>
> On Friday, May 22, 2020, 11:27:29 PM GMT+5:30, Dinesh Prasanth Moluguwan
> Krishnamoorthy <dmoluguw at redhat.com> wrote:
>
>
> Nadeera,
>
> (CC'ing pki-devel)
>
> Setting the number of intermediate CAs can be achieved by using "Basic
> Constraints Extension" [1] and setting the PathLen= to the required value.
>
> You need to set this extension on a CA profile and then issue a CA signing
> cert. You can't modify this value on an already issued CA cert. Read more
> on how to add this constraint to a profile here [2].
>
> [1]
> https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html-single/administration_guide_common_criteria_edition/index#Basic_Constraints_Extension_Default
> [2]
> https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html-single/administration_guide_common_criteria_edition/index#about-extensions
>
> Regards,
> --Dinesh
>
> On Fri, May 22, 2020 at 8:57 AM Nadeera Galagedara <
> nadeeragalagedara at yahoo.com> wrote:
>
> Dear Dinesh,
>
> I want another help from you. How can I change the "Maximum number of
> intermediate CAs: unlimited" value?
> On Friday, May 22, 2020, 10:57:45 AM GMT+5:30, Nadeera Galagedara <
> nadeeragalagedara at yahoo.com> wrote:
>
>
> Dear Dinesh,
>
> That is a great explanation. That problem is also solved.
> Again, thank you.
>
> On Wednesday, May 20, 2020, 08:27:56 PM GMT+5:30, Dinesh Prasanth
> Moluguwan Krishnamoorthy <dmoluguw at redhat.com> wrote:
>
>
> Hi Nadeera,
>
> I'm glad I could resolve your issues.
>
> As for the friendly/nickname, these names are customizable based on the
> system you use and are not specified during the certificate issuance.
>
> For instance, when you specified
> "pki_ca_signing_nickname=mycompany_nickname", this nickname was used to
> import the CA system certificate in your PKI server's NSSDB. You can view
> this by doing `certutil -L -d /etc/pki/pki-tomcat/alias` and you should see
> the mycompany_nickname listed.
>
> I have very limited knowledge of handling certificates in Windows. From
> Googling around: you can try to right-click on the certificate ->
> Properties -> "General" tab -> Set "Friendly Name".
>
> HTH
>
> Regards,
> --Dinesh
>
> On Wed, May 20, 2020 at 3:28 AM Nadeera Galagedara <
> nadeeragalagedara at yahoo.com> wrote:
>
> Dear Dinesh,
>
> Thank you for your support; it has been very helpful. I am using CentOS
> 7 and the version that came with it is 10.5. I am using that version. I think I
> have corrected the country (with c=LK). But I still have a problem with the
> nickname.
>
> I used the pki_ca_signing_nickname=mycompany_nickname line but still
> the friendly name shown on the Windows PC (I have imported the issued
> certificate to a Windows PC) has the format <Common Name>'s <Organisation> ID.
> My requirement is to show the Friendly Name (as shown on the Windows PC) as
> "mycompany_nickname". I have attached a screenshot also. Please tell me
> what I did wrong.
>
>
> The full config is mentioned below
>
>
> Step 1
>
> [CA]
> pki_admin_email=mycompany at abc.lk
> pki_admin_name=caadmin
> pki_admin_nickname=caadmin
> pki_admin_password=Secret.123
> pki_admin_uid=caadmin
>
> pki_client_database_password=Secret.123
> pki_client_database_purge=False
> pki_client_pkcs12_password=Secret.123
>
> pki_ds_base_dn=dc=issueca,dc=mycompany,dc=lk
> pki_ds_database=ca2
> pki_ds_password=Secret.123
>
> pki_security_domain_name=mycompany_domain
> pki_token_password=Secret.123
>
> pki_external=True
> pki_external_step_two=False
>
> pki_ca_signing_subject_dn=cn=mycompany_cn,ou=mycompany_ou,o=mycompany_o,c=LK
> pki_ca_signing_csr_path=ca_signing.csr
>
> pki_ca_signing_nickname=mycompany_nickname
>
> pki_default_ocsp_uri=http://ocsp.mycompany.lk
>
>
> Step 2
>
> [CA]
> pki_admin_email=mycompany at abc.lk
> pki_admin_name=caadmin
> pki_admin_nickname=caadmin
> pki_admin_password=Secret.123
> pki_admin_uid=caadmin
>
> pki_client_database_password=Secret.123
> pki_client_database_purge=False
> pki_client_pkcs12_password=Secret.123
>
> pki_ds_base_dn=dc=issueca,dc=mycompany,dc=lk
> pki_ds_database=ca2
> pki_ds_password=Secret.123
>
> pki_security_domain_name=mycompany_domain
> pki_token_password=Secret.123
>
> pki_external=True
> pki_external_step_two=True
>
> pki_ca_signing_csr_path=ca_signing.csr
> pki_ca_signing_cert_path=ca_signing.crt
>
> pki_ca_signing_nickname=mycompany_nickname
>
> pki_default_ocsp_uri=http://ocsp.mycompany.lk
>
>
>
>
> Thank you and best regards,
> Nadeera.
>
>
>
>
>
> On Wednesday, May 20, 2020, 03:29:15 AM GMT+5:30, Dinesh Prasanth
> Moluguwan Krishnamoorthy <dmoluguw at redhat.com> wrote:
>
>
> Hi Nadeera,
>
> What version of Dogtag PKI are you trying to install? You are referring to
> PKI 10.5 docs. The latest release is 10.8.3.
>
> If you are using the latest packages, our docs are available in our
> upstream repo: https://github.com/dogtagpki/pki/tree/v10.8/docs
>
> (see inline reply)
>
> On Tue, May 19, 2020 at 9:22 AM Nadeera Galagedara <
> nadeeragalagedara at yahoo.com> wrote:
>
> Dear all,
>
> I am new to Dogtag and I am installing a sub CA using the method
> described in
> https://www.dogtagpki.org/wiki/PKI_10.5_Installing_CA_with_External_CA_Signing_Certificate
> I want to know:
>
> 1) What is the parameter to change the Friendly Name?
>
> We do not use "Friendly Name". Instead, we use "nickname"
> To configure the nickname for CA signing certificate use:
> pki_ca_signing_nickname=
>
> 2) What is the parameter to change the Country/Locality?
>
> This is set using subject dn. So, in your case specify the Country using
> this attribute: pki_ca_signing_subject_dn=
>
>
> 3) Where (a page link) can I find details about each of these
> configuration parameters?
>
> I don't have a page that explains all the config parameters. But, I do
> have a page that can give you a list of parameters that you can use (since
> you mentioned 10.5, I'm listing the contents of 10.5 branch. Refer to the
> appropriate branch for an updated list)
>
> https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_BRANCH/base/server/etc/default.cfg
>
> HTH
>
> Regards,
> --Dinesh
>
>
>
>
> Thank you.
>