[Pki-users] Anybody got dual kay certs and key archiving working with Dogtag?

Aleksander Adamowski aleksander.adamowski.dogtag at altkom.pl
Thu May 22 13:54:04 UTC 2008


Marc Sauton wrote:
>> The remaining question I have is - can I customise the LDAP-based 
>> enrollment profile (caDirUserCert) to generate dual keys just like 
>> caDualCert does?
>>
> Yes, all the pages are customizable, with templates, see for example:
> /var/lib/pki-<ca-instance-name>/webapps/ca/ee/ca/
> and
> DirUserEnroll.html
> Also:
> http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Setting_up_Certificate_Profiles-Customizing_the_Enrollment_Form.html 
>
> M.
Thanks for the hint!

However, it wasn't what I was looking for. Note that I wanted to 
customise the enrollment *profile*, not the *page*.

I had a look at DirUserEnroll.html and decided that customising it 
probably won't allow me to implement directory-populated dual certs, since 
they require a new profile on the CA server and the page is static, so it's 
executed purely on the client. Even if my browser did submit a dual 
certificate request, it wouldn't have a corresponding profile on the server.

Also, analysing the spaghetti of VBScript and old Netscape-specific JS 
didn't seem inspiring.

Instead, I've figured out that it's sufficient to modify certificate 
profiles (placed in /var/lib/pki-<ca-instance-name>/profiles/ca/) and 
register the changes in /etc/pki-<ca-instance-name>/CS.cfg.

So I've made a copy of caDualCert.cfg named caDualDirUserCert.cfg and made 
some changes inspired by caDirUserCert.cfg. In other words, I did a 
semantic merge of caDualCert.cfg and caDirUserCert.cfg.

Here's the unified diff describing the changes (may get messed up by my 
automatic line wrap, so I'm also sending it as an attachment):

--- caDualCert.cfg      2008-05-09 14:40:09.000000000 +0200
+++ caDualDirUserCert.cfg       2008-05-22 14:12:47.000000000 +0200
@@ -1,13 +1,11 @@
-desc=This certificate profile is for enrolling dual user certificates. 
It works only with Netscape 7.0 or later.
+desc=This certificate profile is for enrolling dual user certificates 
(encryption/signing certificate pairs) with directory-based authentication.
 visible=true
 enable=true
 enableBy=admin
-name=Manual User Signing & Encryption Certificates Enrollment
-auth.class_id=
-input.list=i1,i2,i3
+name=Directory-Authenticated User Dual-key Certificate Enrollment
+auth.instance_id=UserDirEnrollment
+input.list=i1
 input.i1.class_id=dualKeyGenInputImpl
-input.i2.class_id=subjectNameInputImpl
-input.i3.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=encryptionCertSet,signingCertSet
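Review bot: the `-desc=`/`+desc=` lines at the top of this hunk are wrapped, so their continuations ("It works only with Netscape 7.0 or later." and "(encryption/signing certificate pairs) with directory-based authentication.") carry no diff prefix and `patch` will reject the hunk as pasted; apply the attached caDualCert-caDualDirUserCert.cfg.patch instead. Dropping `input.i2` (subjectNameInputImpl) and `input.i3` (submitterInfoInputImpl) is the right call once `auth.instance_id=UserDirEnrollment` supplies subject and e-mail from the directory, since the requester can then no longer type either, but the profile now depends on an authentication instance of exactly that name being configured on the CA, which the `desc` text should state.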
@@ -16,7 +14,7 @@
 policyset.encryptionCertSet.1.constraint.name=Subject Name Constraint
 policyset.encryptionCertSet.1.constraint.params.pattern=UID=.*
 policyset.encryptionCertSet.1.constraint.params.accept=true
-policyset.encryptionCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.encryptionCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
 policyset.encryptionCertSet.1.default.name=Subject Name Default
 policyset.encryptionCertSet.1.default.params.name=
 policyset.encryptionCertSet.2.constraint.class_id=validityConstraintImpl
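Review bot: with `authTokenSubjectNameDefaultImpl` the subject DN comes from the authenticated LDAP entry rather than from anything the requester submitted, so the unchanged Subject Name Constraint (`pattern=UID=.*`, `accept=true`) now has to match whatever DN the auth token yields; if the directory-built DN does not start with `UID=`, the constraint will reject every request through this profile, so test one real account against it. `params.name=` staying empty is fine for this default, since the name is taken from the token.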
@@ -85,7 +83,7 @@
 policyset.encryptionCertSet.8.default.name=Subject Alt Name Constraint
 policyset.encryptionCertSet.8.default.params.subjAltNameExtCritical=false
 policyset.encryptionCertSet.8.default.params.subjAltExtType_0=RFC822Name
-policyset.encryptionCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.encryptionCertSet.8.default.params.subjAltExtPattern_0=$request.auth_token.mail[0]$
 policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl
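Review bot: `$request.auth_token.mail[0]$` ties the RFC822Name SAN to the first `mail` value of the authenticated entry instead of a requester-supplied address, which removes the possibility of enrolling a certificate for somebody else's e-mail address. The remaining edge case is an entry with no `mail` attribute: the substitution then has nothing to expand while `subjAltExtGNEnable_0=true` and `subjAltNameNumGNs=1` still request the GeneralName, so decide whether such users should be refused or issued a certificate without the SAN, and try one such account before going live.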
@@ -99,7 +97,7 @@
 policyset.signingCertSet.1.constraint.name=Subject Name Constraint
 policyset.signingCertSet.1.constraint.params.pattern=UID=.*
 policyset.signingCertSet.1.constraint.params.accept=true
-policyset.signingCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.signingCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
 policyset.signingCertSet.1.default.name=Subject Name Default
 policyset.signingCertSet.1.default.params.name=
 policyset.signingCertSet.2.constraint.class_id=validityConstraintImpl
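Review bot: same change as in encryptionCertSet, so the same check applies: the signing certificate's subject is now token-derived and must still satisfy the unchanged `UID=.*` constraint. Since both policy sets describe one user, keep the two Subject Name Default entries identical whenever either is edited in future.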
@@ -158,7 +156,7 @@
 policyset.signingCertSet.8.default.name=Subject Alt Name Constraint
 policyset.signingCertSet.8.default.params.subjAltNameExtCritical=false
 policyset.signingCertSet.8.default.params.subjAltExtType_0=RFC822Name
-policyset.signingCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.signingCertSet.8.default.params.subjAltExtPattern_0=$request.auth_token.mail[0]$
 policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
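Review bot: mirrors the encryptionCertSet SAN change, so the note about entries lacking a `mail` attribute applies to the signing certificate as well; both certificates of the pair will carry the same RFC822Name, which is what a dual-key user expects.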

Registering a new profile requires corresponding changes in CS.cfg:

Index: CS.cfg
===================================================================
--- CS.cfg      (revision 983)
+++ CS.cfg      (revision 985)
@@ -781,7 +781,7 @@
 oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
 oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
 os.userid=nobody
-profile.list=caUserCert,caDualCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caOtherCert,caCACert,caInstallCACert,caRACert,caOCSPCert,caTransportCert,caDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert
+profile.list=caDualDirUserCert
 profile.DomainController.class_id=caEnrollImpl
 profile.DomainController.config=/var/lib/pki-ca/profiles/ca/DomainController.cfg
 profile.caAdminCert.class_id=caEnrollImpl
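Review bot: replacing the whole `profile.list` value with `caDualDirUserCert` disables every other profile, including those the CA uses for its own and its agents' certificates (caAdminCert, caServerCert, caAgentServerCert, caOCSPCert, caTransportCert and the caInternalAuth* and caToken* entries), so on a CA that still needs to issue or renew any of them, append `,caDualDirUserCert` to the existing list rather than replacing it. The `profile.<id>.class_id`/`.config` lines of the removed profiles (the DomainController and caAdminCert ones directly below, for instance) are also left in place; harmless, but CS.cfg is then inconsistent with its own list.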
@@ -852,6 +852,8 @@
 profile.caTransportCert.config=/var/lib/pki-ca/profiles/ca/caTransportCert.cfg
 profile.caUserCert.class_id=caEnrollImpl
 profile.caUserCert.config=/var/lib/pki-ca/profiles/ca/caUserCert.cfg
+profile.caDualDirUserCert.class_id=caEnrollImpl
+profile.caDualDirUserCert.config=/var/lib/pki-ca/profiles/ca/caDualDirUserCert.cfg
 registry.file=/var/lib/pki-ca/conf/registry.cfg
 request.assignee.enable=true
 securitydomain.flushinterval=86400000
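Review bot: the two new keys follow the pattern of the surrounding caTransportCert and caUserCert entries and point at /var/lib/pki-ca/profiles/ca/caDualDirUserCert.cfg, consistent with the `pki-ca` instance name used throughout this file; the one thing to verify before restarting is that the copied profile file really exists at that path and is readable by `os.userid=nobody` (set earlier in this hunk's context), otherwise the profile named in `profile.list` will not be usable after the restart.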

Note that additionally I've removed all the other profiles from the list 
and left only my profile as active (profile.list=caDualDirUserCert). You 
may not want to do this in your case.

After restarting the pki-ca instance, I can visit 
https://CA_SERVER:9443/ca/ee/ca/profileList and I can see only my new 
profile.
Then I can visit 
https://CA_SERVER:9443/ca/ee/ca/profileSelect?profileId=caDualDirUserCert 
and, as expected, I have an LDAP directory-based authentication form and 
the generated certificate will be dual:

===============
Authentication - LDAP UID & Password Authentication
This plugin authenticates the username and password provided by the user 
against an LDAP directory. It works with the Dir-Based Enrollment HTML form.

# LDAP User ID [          ]
   
# LDAP User Password [          ]
   

Inputs

Dual Key Generation
# Key Generation Request Type
    crmf
# Key Generation Request
    1024 (Encryption), 1024 (Signing)
===============

This is exactly what I was trying to accomplish.

BTW, this procedure deserves detailed documentation on 
http://www.redhat.com/docs/manuals/cert-system/.

I've also found a problem with generating subject names from LDAP, but 
this is a different, unrelated story, so I'll post it as a new thread.

Thanks for your suggestions!

-- 
Best Regards,
    Aleksander Adamowski
        GG#: 274614
        ICQ UIN: 19780575 
	http://olo.org.pl

-------------- next part --------------
A non-text attachment was scrubbed...
Name: caDualCert-caDualDirUserCert.cfg.patch
Type: text/x-diff
Size: 3232 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-users/attachments/20080522/d3020b5a/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: adding_caDualDirUserCert_profile_to_CS.cfg.patch
Type: text/x-diff
Size: 1668 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-users/attachments/20080522/d3020b5a/attachment-0001.bin>
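The CS.cfg patch above replaces profile.list wholesale; as an added example (my code, not the poster's or Dogtag's), here is a POSIX shell helper that registers a profile the way the post's second CS.cfg hunk does but appends the id to profile.list idempotently, exercised on a constructed CS.cfg fragment. It assumes the /var/lib/pki-ca instance layout used in the patch.

```shell
#!/bin/sh
# Added example, not from the original post or from Dogtag: register a profile
# in CS.cfg by appending to profile.list (not replacing it), so the CA's own
# profiles stay enabled. Assumes the post's /var/lib/pki-ca instance layout.
set -eu

# register_profile CS.cfg PROFILE_ID [INSTANCE_DIR]  (a second run changes nothing)
register_profile() {
    cfg=$1; id=$2; dir=${3:-/var/lib/pki-ca}
    # make sure a profile.list line exists, then append the id if it is missing
    grep -q '^profile\.list=' "$cfg" || printf 'profile.list=\n' >> "$cfg"
    awk -v id="$id" '
        /^profile\.list=/ && !seen {
            seen = 1
            sub(/^profile\.list=/, "")
            if ($0 == "") $0 = id
            else if (index("," $0 ",", "," id ",") == 0) $0 = $0 "," id
            $0 = "profile.list=" $0
        }
        { print }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    # the two per-profile keys the CS.cfg patch in the post adds
    grep -q "^profile\.$id\.class_id=" "$cfg" ||
        printf 'profile.%s.class_id=caEnrollImpl\n' "$id" >> "$cfg"
    grep -q "^profile\.$id\.config=" "$cfg" ||
        printf 'profile.%s.config=%s/profiles/ca/%s.cfg\n' "$id" "$dir" "$id" >> "$cfg"
}
# profile_listed CS.cfg PROFILE_ID: succeeds if the id appears in profile.list
profile_listed() {
    list=$(sed -n 's/^profile\.list=//p' "$1" | head -n 1)
    case ",$list," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}
# make_sample_cfg PATH: writes a constructed, shortened CS.cfg fragment
make_sample_cfg() {
    cat > "$1" <<'EOF'
os.userid=nobody
profile.list=caUserCert,caDualCert,caDirUserCert
profile.caUserCert.class_id=caEnrollImpl
profile.caUserCert.config=/var/lib/pki-ca/profiles/ca/caUserCert.cfg
EOF
}
# demo on the constructed fragment (run twice to show idempotence)
demo_cfg=$(mktemp); make_sample_cfg "$demo_cfg"
register_profile "$demo_cfg" caDualDirUserCert; register_profile "$demo_cfg" caDualDirUserCert
cat "$demo_cfg"; rm -f "$demo_cfg"
```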