[Pki-users] Modify Certificate Profiles - removing 'Critical' key-usage indication

Christina Fu cfu at redhat.com
Thu May 1 18:59:23 UTC 2008


Hi Ebbe,
Two major lists of items in an enrollment profile are the "default" and 
"constraint." They correspond to each other and are tied in by the same 
set name and id.
e.g.
policyset.userCertSet.6.default.params.keyUsageCritical=true
for default, would have a corresponding constraint:
policyset.userCertSet.6.constraint.params.keyUsageCritical=true

What the above example shows is, by default, the keyUsageCritical is 
true, and when it is run through the constraint for validation, it 
expects it to be true.
If you want it to be "false," then you'll need to change the constraint 
value to be "false."

Here is the doc that describes the default fields for Key Usage Extension:
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Defaults_Reference-Key_Usage_Extension_Default.html
Here is the doc that describes the constraint fields for Key Usage 
Extension:

If you don't care about the values (no validation), then you need to 
specifically set no constraint:
e.g.
policyset.userCertSet.7.constraint.class_id=noConstraintImpl
policyset.userCertSet.7.constraint.name=No Constraint
...

Hope this helps.
Christina

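To make the default/constraint pairing concrete, here is an added example (not part of this thread and not Dogtag's own code) that parses a profile's `policyset.*` keys, pairs each item's default with its constraint by set name and id, and flags the mismatch on `keyUsageCritical` that produces "Criticality Not Matched"; it then rewrites the constraint to agree with the default, which is the fix described above. The profile fragment is constructed for the example, and the `class_id` values other than `noConstraintImpl` are assumed plugin names rather than values taken from the thread.

```python
"""Lint a Dogtag / Certificate System enrollment profile for a
default/constraint mismatch on keyUsageCritical, the condition behind
"Request Rejected - Criticality Not Matched". Added example, not Dogtag code."""
import re
from collections import defaultdict

# Constructed sample profile fragment. Item 6 has had only its default
# flipped to false while the constraint still expects true; item 7 uses
# noConstraintImpl, so nothing about it is validated. The class_id values
# other than noConstraintImpl are assumed plugin names, not taken from the thread.
SAMPLE_PROFILE = """\
policyset.list=userCertSet
policyset.userCertSet.list=6,7
policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.userCertSet.6.default.params.keyUsageCritical=false
policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.userCertSet.6.constraint.params.keyUsageCritical=true
policyset.userCertSet.7.default.class_id=subjectAltNameExtDefaultImpl
policyset.userCertSet.7.default.params.subjAltExtGNEnable_0=true
policyset.userCertSet.7.constraint.class_id=noConstraintImpl
policyset.userCertSet.7.constraint.name=No Constraint
"""

# policyset.<set>.<id>.<default|constraint>.<rest>
KEY_RE = re.compile(
    r"^policyset\.(?P<set>[^.]+)\.(?P<id>\d+)\.(?P<side>default|constraint)\.(?P<rest>.+)$"
)


def parse_profile(text):
    """Group policy keys by (set name, id) into their default and constraint
    halves: {("userCertSet", 6): {"default": {...}, "constraint": {...}}}."""
    items = defaultdict(lambda: {"default": {}, "constraint": {}})
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        m = KEY_RE.match(key.strip())
        if m:  # keys such as policyset.list carry no id and are skipped
            items[(m["set"], int(m["id"]))][m["side"]][m["rest"]] = value.strip()
    return dict(items)


def check_criticality(profile):
    """Return [(set, id, default_value, constraint_value)] for every item whose
    keyUsageCritical default disagrees with the value its constraint expects.
    Items whose constraint is noConstraintImpl are not validated and are skipped."""
    findings = []
    for (pset, pid), sides in sorted(profile.items()):
        constraint = sides["constraint"]
        if constraint.get("class_id") == "noConstraintImpl":
            continue
        d = sides["default"].get("params.keyUsageCritical")
        c = constraint.get("params.keyUsageCritical")
        if d is not None and c is not None and d.lower() != c.lower():
            findings.append((pset, pid, d, c))
    return findings


def align_constraints(text):
    """Rewrite each mismatching constraint's keyUsageCritical so it matches the
    default, which is the change the reply above describes; all other lines
    are returned untouched."""
    wanted = {(s, i): d for s, i, d, _ in check_criticality(parse_profile(text))}
    out = []
    for raw in text.splitlines():
        key, sep, _ = raw.partition("=")
        m = KEY_RE.match(key.strip()) if sep else None
        if (m and m["side"] == "constraint"
                and m["rest"] == "params.keyUsageCritical"
                and (m["set"], int(m["id"])) in wanted):
            raw = f"{key}={wanted[(m['set'], int(m['id']))]}"
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for pset, pid, d, c in check_criticality(parse_profile(SAMPLE_PROFILE)):
        print(f"policyset.{pset}.{pid}: default keyUsageCritical={d}, "
              f"constraint expects {c} -> request would be rejected")
    print(align_constraints(SAMPLE_PROFILE))
```

Run it against a real profile by reading the file into `SAMPLE_PROFILE`'s place; the linter only reports items that carry both a default and a constraint value, so an item switched to `noConstraintImpl` as in the reply above is left alone.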
Ebbe Hansen wrote:
> While attempting to test various Email clients in a windows environment
> (including Outlook Express and Outlook), I am having trouble getting the
> Email client (Outlook Express) to accept the certificates generated by
> the RedHat/DogTag CA. I am using the 'CAUserCert.cfg' profile and I am
> adding a SubjectAltName extension as described in my earlier message.
> However, I am still not successful getting the Email client to use the
> DogTag user certificates for signature purposes.
>
> Is there a documented procedure that describes how to generate user
> certificates accepted by the windows-based Outlook Express client?
>
> Comparing the RedHat user certificate with a Microsoft user certificate
> reveals that the RedHat CA sets the 'KeyUsage' extension to 'Critical'
> -- while the Microsoft CA does not! After modifying the DogTag CA
> Profile ('CAUserCert.cfg') to specify a "non critical" 'KeyUsage'
> extension, any new request using the modified profile fails -  error
> message is:
>
> "Sorry, your request has been rejected. The reason is "Request Rejected
> - Criticality Not Matched".
>
> Are there multiple places I need to adjust the Profile -- so far I have
> only modified the 'CAUserCert.cfg' file in the
> '<CA-instance>/profiles/ca' directory. 
>
> Ebbe @ SPYRUS
>
>
> "This message and any attached documents contain SPYRUS confidential
> and/or proprietary information and may be subject to privilege or exempt
> from disclosure under applicable law. These materials are intended only
> for the use of the intended recipient. If you are not the intended
> recipient of this electronic message, you are hereby notified that any
> use of this message is strictly prohibited. Delivery of this message to
> any person other than the intended recipient shall not constitute any
> waiver of any privilege. If you have received this message in error,
> please delete this message from your system and notify the sender
> immediately. Thank you."
>
>
> -----Original Message-----
> From: Marc Sauton [mailto:msauton at redhat.com] 
> Sent: Wednesday, April 30, 2008 10:17 AM
> To: Ebbe Hansen
> Cc: pki-users at redhat.com
> Subject: Re: [Pki-users] Modify Certificate Profiles - include
> SubjectAltName
>
> If in /var/lib/pki-ca/profiles/ca/caUserCert.cfg
> has
> policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
> policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
> and the enrollment request has an e-mail, the subject alt name extension
> field should be correctly initialized upon certificate issuance.
> You may want to turn on some debug in CS.cfg
> debug.enabled=true
> debug.level=0
> and see your debug log for more details.
> M.
>
> It depends how the request had
> Ebbe Hansen wrote:
>> Looking at the 'CAUserCert.cfg' profile (first profile on the WEB 
>> Agent profile-list) it appears it should trigger the inclusion of the 
>> "SubjectAltName" extension. I have not been successful generating any 
>> certificates where the SubjectAltName extension is included!
>>
>> In the Agents display the SubjectAltName is listed as 'Null' - even 
>> after editing the 'Null' to the desired RFC822 value, the issued 
>> certificate always comes without any SubjectAltName extension?
>>
>> What can I do to get the CA to include the SubjectAltName extension? I 
>> am always specifying an email value in the request field!
>>
>> Ebbe
>>
>>
>> ------------------------------------------------------------------------
>> *From:* pki-users-bounces at redhat.com 
>> [mailto:pki-users-bounces at redhat.com] *On Behalf Of *Chris
>> *Sent:* Wednesday, April 09, 2008 10:10 PM
>> *To:* pki-users at redhat.com
>> *Subject:* Re: [Pki-users] Modify Certificate Profiles
>>
>> Thanks. That worked.
>>
>> On Wed, Apr 9, 2008 at 12:10 PM, Christina Fu <cfu at redhat.com 
>> <mailto:cfu at redhat.com>> wrote:
>>
>> Profiles can be configured in <Dogtag install root>/profiles/ca. If 
>> you add your own new profiles, you need to modify <Dogtag install 
>> root>/conf/CS.cfg "profile.list" to contain the new profile name, and 
>> add the corresponding "class_id" and "config" (see the existing 
>> entries in CS.cfg as example), and restart the CA.
>>
>> In addition, Dogtag provides flexible plugin infrastructure that 
>> allows people to customize various areas. Profile is one of them.
>> The standard profile related plugin code is in 
>> pki/base/common/src/com/netscape/cms/profile/. That's for advanced 
>> users who know what they are doing. Make sure the certs produced still 
>> comply.
>>
>> hope this helps.
>> Christina
>>
>> Chris wrote:
>>
>>
>> Sorry, hit the send by mistake....
>>
>> I've successfully installed Dogtag. The documentation was clear and I 
>> didn't have any issues.
>> My question is in regards to customizing certificate profiles. In the 
>> current CA environment I manage, I deal with customizing profiles. Is 
>> there a way to create customized certificate profiles?
>> The fields which apply are:
>> CertificatePolicies
>> - Policy Identifier
>> - User Notice with custom text
>> ExtendedKeyUsage
>> - New Key Usage OID
>> Also, in one profile, we've created a new field that programmatically 
>> ties to the EKU
>>
>> On our current CA software, a config file is modified to customize 
>> profiles. Also there is some DER encoding required to convert the 
>> appropriate text.
>>
>> Is this feature available?
>>
>>
>> ------------------------------------------------------------------------
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com <mailto:Pki-users at redhat.com>
>> https://www.redhat.com/mailman/listinfo/pki-users