[Pki-users] Modify Certificate Profies - removing 'Critical' key-usage indication

Marc Sauton msauton at redhat.com
Thu May 1 02:56:09 UTC 2008


Ebbe Hansen wrote:
> While attempting to test various Email clients in a windows environment
> (including Outlook Express and Outlook), I am having trouble getting the
> Email client (Outlook Express) to accept the certificates generated by
> the RedHat/DogTag CA. I am using the 'CAUserCert.cfg' profile and I am
> adding a SubjectAltName extension as described in my earlier message.
> However, I am still not successful getting the Email client to use the
> DogTag user certificates for signature purposes.
>
> Is there a documented procedure that describes how to generate user
> certificates accepted by the windows-based Outlook Express client?
>
> Comparing the RedHat user certificate with a Microsoft user certificate
> reveals that the RedHat CA sets the 'KeyUsage' extension to 'Critical'
> -- while the Microsoft CA does not! After modifying the DogTag CA
> Profile ('CAUserCert.cfg') to specify a "non critical" 'KeyUsage'
> extension, any new request using the modified profile fails - error
> message is:
>
> "Sorry, your request has been rejected. The reason is "Request Rejected
> - Criticality Not Matched".
>
I can see the error in the agent web UI.
> Are there multiple places I need to adjust the Profile -- so far I have
> only modified the 'CAUserCert.cfg' file in the
> '<CA-instance>/profiles/ca' directory. 
>   
This should be the one place.
> Ebbe @ SPYRUS
>
>
> "This message and any attached documents contain SPYRUS confidential
> and/or proprietary information and may be subject to privilege or exempt
> from disclosure under applicable law. These materials are intended only
> for the use of the intended recipient. If you are not the intended
> recipient of this electronic message, you are hereby notified that any
> use of this message is strictly prohibited. Delivery of this message to
> any person other than the intended recipient shall not constitute any
> waiver of any privilege. If you have received this message in error,
> please delete this message from your system and notify the sender
> immediately. Thank you."
>
>
> -----Original Message-----
> From: Marc Sauton [mailto:msauton at redhat.com] 
> Sent: Wednesday, April 30, 2008 10:17 AM
> To: Ebbe Hansen
> Cc: pki-users at redhat.com
> Subject: Re: [Pki-users] Modify Certificate Profies - include
> SubjectAltName
>
> If in /var/lib/pki-ca/profiles/ca/caUserCert.cfg
> has
> policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
> policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
> and the enrollment request has an e-mail, the subject alt name extension
> field should be correctly initialized upon certificate issuance.
> You may want to turn on some debug in CS.cfg
> debug.enabled=true
> debug.level=0
> and see your debug log for more details.
> M.
>
> It depends how the request had
>
> Ebbe Hansen wrote:
>> Looking at the 'CAUserCert.cfg' profile (first profile on the WEB 
>> Agent profile-list) it appears it should trigger the inclusion of the 
>> "SubjectAltName" extension. I have not been successful generating any 
>> certificates where the SubjectAltName extension is included!
>>
>> In the Agents display the SubjectAltName is listed as 'Null' - even 
>> after editing the 'Null' to the desired RFC822 value, the issued 
>> certificate always comes without any SubjectAltName extension?
>>
>> What can I do to get the CA to include the SubjectAltName extension? I
>> am always specifying an email value in the request field!
>>
>> Ebbe
>>
> ------------------------------------------------------------------------
>   
>> *From:* pki-users-bounces at redhat.com 
>> [mailto:pki-users-bounces at redhat.com] *On Behalf Of *Chris
>> *Sent:* Wednesday, April 09, 2008 10:10 PM
>> *To:* pki-users at redhat.com
>> *Subject:* Re: [Pki-users] Modify Certificate Profies
>>
>> Thanks. That worked.
>>
>> On Wed, Apr 9, 2008 at 12:10 PM, Christina Fu <cfu at redhat.com 
>> <mailto:cfu at redhat.com>> wrote:
>>
>> Profiles can be configured in <Dogtag install root>/profiles/ca. If
>> you add your own new profiles, you need to modify <Dogtag install
>> root>/conf/CS.cfg "profile.list" to contain the new profile name, and
>> add the corresponding "class_id" and "config" (see the existing
>> entries in CS.cfg as example), and restart the CA.
>>
>> In addition, Dogtag provides flexible plugin infrastructure that 
>> allows people to customize various areas. Profile is one of them.
>> The standard profile related plugins code is in
>> pki/base/common/src/com/netscape/cms/profile/. That's for advanced
>> users who know what they are doing. Make sure the certs produced still
>> comply.
>>
>> hope this helps.
>> Christina
>>
>> Chris wrote:
>>
>>
>> Sorry, hit the send by mistake....
>>
>> I've successfully installed Dogtag. The documentation was clear and I
>> didn't have any issues.
>> My question is in regards to customizing certificate profiles. In the
>> current CA environment I manage, I deal with customizing profiles. Is
>> there a way to create customized certificate profiles?
>> The fields which apply are:
>> CertificatePolicies
>> - Policy Identifier
>> - User Notice with custom text
>> ExtendedKeyUsage
>> - New Key Usage OID
>> Also, in one profile, we've created a new field that programmatically
>> ties to the EKU
>>
>> On our current CA software, a config file is modified to customize 
>> profiles. Also there is some DER encoding required to convert the 
>> appropriate text.
>>
>> Is this feature available?
>>
>>
>>     
> ------------------------------------------------------------------------
>   
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com <mailto:Pki-users at redhat.com>
>> https://www.redhat.com/mailman/listinfo/pki-users
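As an added example that is not part of this thread or of the Dogtag code base: a small Python checker that reads a Dogtag-style profile .cfg and reports any numbered rule whose default and constraint disagree on keyUsageCritical. It assumes the caUserCert.cfg layout, where each rule under policyset.<set>.<n> pairs a .default.params block with a .constraint.params block and both carry a keyUsageCritical parameter; the profile text embedded below is constructed for the example. A mismatch of this kind is one thing to check when a request is rejected with "Criticality Not Matched" after only one side of the rule has been edited.

```python
# Added example (not from the thread or from Dogtag): flag KeyUsage rules in a
# Dogtag-style profile whose default and constraint disagree on criticality.
# Key names follow the assumed caUserCert.cfg layout; the sample is constructed.
import re

SAMPLE_PROFILE = """\
policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.userCertSet.6.constraint.params.keyUsageCritical=true
policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.userCertSet.6.default.params.keyUsageCritical=false
policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
"""

# Matches only the .params. keys of a rule: policyset.<set>.<n>.<side>.params.<name>
KEY_RE = re.compile(r"^policyset\.(\w+)\.(\d+)\.(default|constraint)\.params\.(\w+)$")


def parse_profile(text):
    """Return {(policyset, index): {"default": {...}, "constraint": {...}}}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        m = KEY_RE.match(key.strip())
        if m:
            pset, idx, side, param = m.groups()
            rule = rules.setdefault((pset, int(idx)), {"default": {}, "constraint": {}})
            rule[side][param] = value.strip()
    return rules


def criticality_mismatches(text, param="keyUsageCritical"):
    """List (rule, default_value, constraint_value) where the two sides disagree."""
    bad = []
    for (pset, idx), sides in sorted(parse_profile(text).items()):
        d = sides["default"].get(param)
        c = sides["constraint"].get(param)
        if d is not None and c is not None and d.lower() != c.lower():
            bad.append((f"policyset.{pset}.{idx}", d, c))
    return bad


if __name__ == "__main__":
    for rule, d, c in criticality_mismatches(SAMPLE_PROFILE):
        print(f"{rule}: default keyUsageCritical={d} but constraint keyUsageCritical={c}")
```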