[Pki-devel] Configuration of Friendly Name and Country

Dinesh Prasanth Moluguwan Krishnamoorthy dmoluguw at redhat.com
Fri May 22 17:57:06 UTC 2020


Nadeera,

(CC'ing pki-devel)

Setting the number of intermediate CAs can be achieved by using "Basic
Constraints Extension" [1] and setting the PathLen= to the required value.

You need to set this extension on a CA profile and then issue a CA signing
cert. You can't modify this value on an already issued CA cert. Read more
on how to add this constraint to a profile here [2].

[1]
https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html-single/administration_guide_common_criteria_edition/index#Basic_Constraints_Extension_Default
[2]
https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html-single/administration_guide_common_criteria_edition/index#about-extensions

Regards,
--Dinesh
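What the PathLen value in the Basic Constraints extension actually limits, as an added example (this is not code from this thread or from Dogtag/RHCS): the snippet decodes the DER value of the extension, renders it the way a certificate viewer does ("unlimited" when pathLenConstraint is absent), and checks a chain against RFC 5280's rule that a CA's path length caps how many further CA certificates may sit between it and the end entity. The DER values and the two chains are constructed by hand; in a stock Dogtag CA profile the extension is written by the basicConstraintsExtDefaultImpl default and its basicConstraintsPathLen parameter (-1 for no limit), which is the knob the message refers to (parameter names taken from the profile format, not quoted from the thread).

```python
"""Decode an X.509 BasicConstraints value and check a chain against its
pathLenConstraint.  Added example; not code from this thread or from
Dogtag/RHCS.  Every DER value and chain below is constructed by hand."""


def decode_basic_constraints(der: bytes):
    """Parse the DER value of the BasicConstraints extension (RFC 5280 4.2.1.9):

        BasicConstraints ::= SEQUENCE {
            cA                 BOOLEAN DEFAULT FALSE,
            pathLenConstraint  INTEGER (0..MAX) OPTIONAL }

    Returns (is_ca, path_len); path_len is None when absent, which is the
    "unlimited" shown by certificate viewers.  Only short-form lengths are
    handled, which is all this extension ever needs.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("BasicConstraints must be a SEQUENCE")
    seq_len = der[1]
    if seq_len >= 0x80 or len(der) != 2 + seq_len:
        raise ValueError("bad SEQUENCE length")
    body = der[2:]
    pos = 0
    is_ca, path_len = False, None

    if pos < len(body) and body[pos] == 0x01:              # BOOLEAN cA
        if pos + 3 > len(body) or body[pos + 1] != 1:
            raise ValueError("bad BOOLEAN encoding")
        if body[pos + 2] not in (0x00, 0xFF):              # DER: only 00 or FF
            raise ValueError("non-DER BOOLEAN value")
        is_ca = body[pos + 2] == 0xFF
        pos += 3

    if pos < len(body) and body[pos] == 0x02:              # INTEGER pathLenConstraint
        n = body[pos + 1] if pos + 1 < len(body) else 0
        if n == 0 or n >= 0x80 or pos + 2 + n > len(body):
            raise ValueError("bad INTEGER encoding")
        path_len = int.from_bytes(body[pos + 2:pos + 2 + n], "big", signed=True)
        if path_len < 0:
            raise ValueError("pathLenConstraint must be non-negative")
        pos += 2 + n

    if pos != len(body):
        raise ValueError("unexpected trailing data in BasicConstraints")
    if path_len is not None and not is_ca:
        # RFC 5280: pathLenConstraint is only meaningful when cA is TRUE.
        raise ValueError("pathLenConstraint present on a non-CA certificate")
    return is_ca, path_len


def max_intermediates(der: bytes) -> str:
    """Render the value the way a certificate viewer's detail pane does."""
    is_ca, path_len = decode_basic_constraints(der)
    if not is_ca:
        return "not a CA"
    return "unlimited" if path_len is None else str(path_len)


def check_path_len(chain):
    """chain is a list of (name, basic_constraints_der), end entity first,
    root last.  Returns (True, "ok") or (False, reason).

    RFC 5280 6.1.4 (l): a CA's pathLenConstraint caps how many further CA
    certificates may sit between it and the end-entity certificate.  The
    self-issued exception is not modelled here.
    """
    if len(chain) < 2:
        return False, "need at least an end entity and one CA"
    for depth, (name, der) in enumerate(chain):
        is_ca, path_len = decode_basic_constraints(der)
        if depth == 0:
            continue                    # the end entity constrains nothing
        if not is_ca:
            return False, f"{name} signed a certificate but is not cA=TRUE"
        below = depth - 1               # CA certs between this one and the leaf
        if path_len is not None and below > path_len:
            return False, (f"{name} permits at most {path_len} intermediate "
                           f"CA(s) below it, but {below} present")
    return True, "ok"


# Constructed sample values (hex is the raw extension value, not a full cert).
BC_CA_UNLIMITED = bytes.fromhex("30030101ff")        # cA=TRUE, no pathLen
BC_CA_PATHLEN_0 = bytes.fromhex("30060101ff020100")  # cA=TRUE, pathLen=0
BC_END_ENTITY = bytes.fromhex("3000")                # empty SEQUENCE: cA=FALSE

# A sub-CA issued with pathLen 0 may sign end entities only.
GOOD_CHAIN = [("server", BC_END_ENTITY),
              ("sub-ca", BC_CA_PATHLEN_0),
              ("root", BC_CA_UNLIMITED)]

# Inserting another CA under that sub-CA violates its constraint.
BAD_CHAIN = [("server", BC_END_ENTITY),
             ("sub-sub-ca", BC_CA_UNLIMITED),
             ("sub-ca", BC_CA_PATHLEN_0),
             ("root", BC_CA_UNLIMITED)]

if __name__ == "__main__":
    for name, der in GOOD_CHAIN:
        print(f"{name:10s} max intermediate CAs: {max_intermediates(der)}")
    print("good chain:", check_path_len(GOOD_CHAIN))
    print("bad chain: ", check_path_len(BAD_CHAIN))
```

The point the decoder makes explicit is that "unlimited" is not a value stored in the certificate but the absence of the INTEGER; once a CA certificate has been issued without it, the only way to get a limit is to reissue the CA certificate from a profile that writes the INTEGER, which is why the value cannot be edited afterwards.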

On Fri, May 22, 2020 at 8:57 AM Nadeera Galagedara <
nadeeragalagedara at yahoo.com> wrote:

> Dear Dinesh,
>
> I need some more help from you. How can I change the "Maximum number of
> intermediate CAs: unlimited" value?
> On Friday, May 22, 2020, 10:57:45 AM GMT+5:30, Nadeera Galagedara <
> nadeeragalagedara at yahoo.com> wrote:
>
>
> Dear Dinesh,
>
> That is a great explanation. That problem is also solved.
> Again, thank you.
>
> On Wednesday, May 20, 2020, 08:27:56 PM GMT+5:30, Dinesh Prasanth
> Moluguwan Krishnamoorthy <dmoluguw at redhat.com> wrote:
>
>
> Hi Nadeera,
>
> I'm glad I could resolve your issues.
>
> As for the friendly/nickname, these names are customizable based on the
> system you use and are not specified during the certificate issuance.
>
> For instance, when you specified "pki_ca_signing_nickname=mycompany_nickname",
> this nickname was used to import the CA system certificate in your PKI
> server's NSSDB. You can view this by doing `certutil -L -d
> /etc/pki/pki-tomcat/alias` and you should see the mycompany_nickname listed.
>
> I have very limited knowledge of handling certificates in Windows. From
> Googling around: you can try to right-click on the certificate ->
> Properties -> "General" tab -> Set "Friendly Name".
>
> HTH
>
> Regards,
> --Dinesh
>
> On Wed, May 20, 2020 at 3:28 AM Nadeera Galagedara <
> nadeeragalagedara at yahoo.com> wrote:
>
> Dear Dinesh,
>
> Thank you for your support; it has been very helpful. I am using CentOS
> 7 and the version that came with it is 10.5. I am using that version. I think
> I have corrected the country (with c=LK). But I still have a problem with the
> nickname.
>
> I used the pki_ca_signing_nickname=mycompany_nickname line, but the friendly
> name shown on the Windows PC (I have imported the issued certificate to a
> Windows PC) still has the format <Common Name>'s <Organisation> ID. My
> requirement is to show the Friendly Name (as shown on the Windows PC) as
> "mycompany_nickname". I have attached a screenshot also. Please tell me
> what I did wrong.
>
>
> [image: Inline image]
>
>
> The full config is mentioned below
>
>
> Step 1
>
> [CA]
> pki_admin_email=mycompany at abc.lk
> pki_admin_name=caadmin
> pki_admin_nickname=caadmin
> pki_admin_password=Secret.123
> pki_admin_uid=caadmin
>
> pki_client_database_password=Secret.123
> pki_client_database_purge=False
> pki_client_pkcs12_password=Secret.123
>
> pki_ds_base_dn=dc=issueca,dc=mycompany,dc=lk
> pki_ds_database=ca2
> pki_ds_password=Secret.123
>
> pki_security_domain_name=mycompany_domain
> pki_token_password=Secret.123
>
> pki_external=True
> pki_external_step_two=False
>
> pki_ca_signing_subject_dn=cn=mycompany_cn,ou=mycompany_ou,o=mycompany_o,c=LK
> pki_ca_signing_csr_path=ca_signing.csr
>
> pki_ca_signing_nickname=mycompany_nickname
>
> pki_default_ocsp_uri=http://ocsp.mycompany.lk
>
>
> Step 2
>
> [CA]
> pki_admin_email=mycompany at abc.lk
> pki_admin_name=caadmin
> pki_admin_nickname=caadmin
> pki_admin_password=Secret.123
> pki_admin_uid=caadmin
>
> pki_client_database_password=Secret.123
> pki_client_database_purge=False
> pki_client_pkcs12_password=Secret.123
>
> pki_ds_base_dn=dc=issueca,dc=mycompany,dc=lk
> pki_ds_database=ca2
> pki_ds_password=Secret.123
>
> pki_security_domain_name=mycompany_domain
> pki_token_password=Secret.123
>
> pki_external=True
> pki_external_step_two=True
>
> pki_ca_signing_csr_path=ca_signing.csr
> pki_ca_signing_cert_path=ca_signing.crt
>
> pki_ca_signing_nickname=mycompany_nickname
>
> pki_default_ocsp_uri=http://ocsp.mycompany.lk
>
>
>
>
> Thank you and best regards,
> Nadeera.
>
>
>
>
>
> On Wednesday, May 20, 2020, 03:29:15 AM GMT+5:30, Dinesh Prasanth
> Moluguwan Krishnamoorthy <dmoluguw at redhat.com> wrote:
>
>
> Hi Nadeera,
>
> What version of Dogtag PKI are you trying to install? You are referring to
> the PKI 10.5 docs. The latest release is 10.8.3.
>
> If you are using the latest packages, our docs are available in our
> upstream repo: https://github.com/dogtagpki/pki/tree/v10.8/docs
>
> (see inline reply)
>
> On Tue, May 19, 2020 at 9:22 AM Nadeera Galagedara <
> nadeeragalagedara at yahoo.com> wrote:
>
> Dear all,
>
> I am new to Dogtag and I am installing a sub-CA using the method
> described in
> https://www.dogtagpki.org/wiki/PKI_10.5_Installing_CA_with_External_CA_Signing_Certificate
> I want to know:
>
> 1) What is the parameter to change the Friendly Name?
>
> We do not use "Friendly Name". Instead, we use "nickname"
> To configure the nickname for CA signing certificate use:
> pki_ca_signing_nickname=
>
> 2) What is the parameter to change the Country/Locality?
>
> This is set using subject dn. So, in your case specify the Country using
> this attribute: pki_ca_signing_subject_dn=
>
>
> 3) Where (a page link) can I find details about each of these
> configuration parameters?
>
> I don't have a page that explains all the config parameters. But, I do
> have a page that can give you a list of parameters that you can use (since
> you mentioned 10.5, I'm listing the contents of 10.5 branch. Refer to the
> appropriate branch for an updated list)
>
> https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_BRANCH/base/server/etc/default.cfg
>
> HTH
>
> Regards,
> --Dinesh
>
>
>
>
> Thank you.
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Capture.JPG
Type: image/jpeg
Size: 19706 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20200522/44b6c79e/attachment.jpe>