[Pki-users] Re: No CDP by default?

Chris Cayetano crc408 at gmail.com
Sun Apr 13 07:13:08 UTC 2008


Additional Info:

Some entries from the debug log:

[12/Apr/2008:23:54:42][http-9443-Processor20]:
CRLDistribtionPointsExtDefault: createExtension Invalid Property
http://pkica.company.com
[12/Apr/2008:23:54:42][http-9443-Processor20]:
CRLDistribtionPointsExtDefault: createExtension Invalid Property
http://pkica.company.com

From the Red Hat documentation, when using the IssuerName_0=URIName,
the IssuerType_n= should be:

* For URIName, the value must be a non-relative URI following the URL syntax
and encoding rules. The name must include both a scheme, such as http, and a
fully qualified domain name or IP address of the host. For example,
http://testCA.example.com.*

So based on the Red Hat documentation, I'm not sure what the value should be.

Thanks,
Chris Cayetano


On 4/11/08, Chris <crc408 at gmail.com> wrote:
>
>
> Unable to get the CDP in the issuing certificates. Taking the caUserCert
> profile, it looks like CDP isn't in the profiles by default, which appears
> to be the default for all certificates.
>
> Using the PKI Console, I added the CRL Distribution Points Extension
> Default with No Constraints
>
> * The information below was entered based on examples in the Red Hat
> documentation (
> http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Defaults_Reference-CRL_Distribution_Points_Extension_Default.html).
>
> [Default] tab
> crlDistPointsCritical = false
> crlDistPointsPointType_0 = URIName
> crlDistPointsPointName_0 = http://crl.company.com:80
> crlDistPointsReasons_0 = unused,superseded
> crlDistPointsIssuerType_0 = http://pkica.corp.company.com
> crlDistPointsIssueName_0 = URIName
> crlDistPointsEnable_0 = true
>
> When generating the certificate the CDP field is still not visible. I've
> attached a summary of the profile below with the new CDP field added.
>
> Any ideas?
>
> Thanks.
>
> Chris
>
>
> --
> ------------------------------------
>
>
> *Certificate Profile Information:*
>   Certificate Profile Id: caUserCert
>   Certificate Profile Name: Manual User Dual-Use Certificate Enrollment
>   Description: This certificate profile is for enrolling user certificates.
>   Approved: false
>   Approved By:
>
>
> *Policy Information:*
>
> Policy Set: userCertSet
>
>   *#*  *Extensions / Fields*  *Constraints*
>
>   1  This default populates a User-Supplied Certificate Subject Name to the request.
>      This constraint accepts the subject name that matches CN=.*
>   2  This default populates a Certificate Validity to the request. The default
>      values are Range=180 in days
>      This constraint rejects the validity that is not between 365 days
>   3  This default populates a User-Supplied Certificate Key to the request.
>      This constraint accepts the key only if Key Type=-, Key Min Length=256,
>      Key Max Length=4096
>   4  This default populates an Authority Key Identifier Extension (2.5.29.35)
>      to the request.
>      No Constraint
>   5  This default populates an Authority Info Access Extension
>      (1.3.6.1.5.5.7.1.1) to the request. The default values are
>      Criticality=false, Record #0{Method:1.3.6.1.5.5.7.48.1,Location
>      Type:URIName,Location:,Enable:true}
>      No Constraint
>   6  This default populates a Key Usage Extension (2.5.29.15) to the request.
>      The default values are Criticality=true, Digital Signature=true,
>      Non-Repudiation=true, Key Encipherment=true, Data Encipherment=false,
>      Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false,
>      Encipher Only=false, Decipher Only=false
>      This constraint accepts the Key Usage extension, if present, only when
>      Criticality=true, Digital Signature=true, Non-Repudiation=true, Key
>      Encipherment=true, Data Encipherment=false, Key Agreement=false, Key
>      Certificate Sign=false, Key CRL Sign=false, Encipher Only=false,
>      Decipher Only=false
>   7  This default populates an Extended Key Usage Extension () to the request.
>      The default values are Criticality=false,
>      OIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
>      No Constraint
>   9  This default populates the Certificate Signing Algorithm. The default
>      values are Algorithm=SHA1withRSA
>      This constraint accepts only the Signing Algorithms of
>      SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC
>  12  This default populates a CRL Distribution Points Extension (2.5.29.31)
>      to the request. The default values are Criticality=false,
>      Record #0{Point Type:http://crl.company.com:80,Point Name:URIName,
>      Reasons:unused,superseded,Issuer Type:http://pkica.company.com,
>      Issuer Name:URIName,Enable:true}
>      Record #1{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}
>      Record #2{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}
>      Record #3{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}
>      Record #4{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}
>      No Constraint
>
>
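The debug log rejects the URL that was entered as the IssuerType value, and the quoted Red Hat text describes the URL as the *Name* value for a URIName type. As an added example (not from this thread or from Red Hat Certificate System), here is a small Python checker for crlDistPoints* profile properties that flags exactly that kind of mix-up; the accepted type and reason lists follow the admin guide linked in the message and are an assumption for other versions, and the sample values are constructed from the posted summary.

```python
from urllib.parse import urlsplit

# Accepted values per the Red Hat Certificate System admin guide linked in the
# thread; treat the exact lists as an assumption for other versions.
POINT_TYPES = {"RelativeToIssuer", "DirectoryName", "URIName"}
ISSUER_TYPES = {"DirectoryName", "URIName"}
REASONS = {"unused", "keyCompromise", "cACompromise", "affiliationChanged",
           "superseded", "cessationOfOperation", "certificateHold"}

def is_absolute_uri_name(value):
    """A URIName needs a scheme plus a fully qualified host or IP address."""
    u = urlsplit(value)
    return bool(u.scheme) and bool(u.hostname) and "." in u.hostname

def check_record(props, n):
    """Validate one crlDistPoints*_n record; returns a list of problems."""
    get = lambda field: props.get(f"crlDistPoints{field}_{n}", "").strip()
    out = []
    for kind, types in (("Point", POINT_TYPES), ("Issuer", ISSUER_TYPES)):
        t, name = get(kind + "Type"), get(kind + "Name")
        if kind == "Issuer" and not t and not name:
            continue  # the issuer fields are optional
        if t not in types:
            out.append(f"record {n}: {kind}Type {t!r} must be one of {sorted(types)}")
            if name in types:  # the type keyword landed in the *Name property
                out.append(f"record {n}: {kind}Type and {kind}Name look swapped")
        elif t == "URIName" and not is_absolute_uri_name(name):
            out.append(f"record {n}: {kind}Name {name!r} is not an absolute URI")
    bad = [r for r in get("Reasons").split(",") if r.strip() not in REASONS | {""}]
    if bad:
        out.append(f"record {n}: unknown reasons {bad}")
    return out

def check_cdp_default(props):
    """Validate every enabled record (crlDistPointsEnable_n = true)."""
    out, n = [], 0
    while f"crlDistPointsEnable_{n}" in props:
        if props[f"crlDistPointsEnable_{n}"].strip().lower() == "true":
            out.extend(check_record(props, n))
        n += 1
    return out

def record(n, **fields):
    """Build crlDistPoints*_n properties (helper for constructed sample input)."""
    return {f"crlDistPoints{k}_{n}": v for k, v in fields.items()}

# Constructed from the posted profile summary: Type and Name values transposed.
POSTED = record(0, PointType="http://crl.company.com:80", PointName="URIName",
                Reasons="unused,superseded", IssuerType="http://pkica.company.com",
                IssuerName="URIName", Enable="true")
```

Running `check_cdp_default(POSTED)` reports the invalid PointType and IssuerType values and that each looks swapped with its Name field; with the keyword in the Type property and the URL in the Name property it reports nothing.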