[Pki-users] DogTAG PKI - crlDistributionPoints cert profile: Type_0 : URIName error

Frederic d'Huart fdh at x-zone.org
Wed Oct 27 21:19:44 UTC 2010


Thank you very much, Sean, for your answer, and sorry for my late answer.

In fact :

policyset.userCertSet.13.default.class_id=crlDistributionPointsExtDefaultImpl

was already enabled ...

In fact, the Java error occurs when I enable

policyset.userCertSet.13.default.params.crlDistPointsPointType_0=URIName

If I remove the URIName or if I replace it with any other possible value,
I don't get this error any more.

May I ask which Java and OS versions you are using on your system?

I'm using

FC12 and OpenJDK Runtime Environment (IcedTea6 1.8.1) (fedora-40.b18.fc12-i386)
OpenJDK Client VM (build 14.0-b16, mixed mode)


Thank you.
Kind Regards.


On 10/22/2010 03:14 PM, sean.veale at gdc4s.com wrote:
> Hi, usually there is a reference to an Impl classID so the CA knows what
> function/class to call when generating this part of the cert.
>
> For my system (built on Redhat CS 8.0 instead of dogtag but those
> codebases are very similar) I have this in my cert profiles and it
> generates the Crl dp entry in the cert without errors. 
>
> policyset.userCertSet.13.constraint.class_id=noConstraintImpl
> policyset.userCertSet.13.constraint.name=No Constraint
> policyset.userCertSet.13.default.class_id=crlDistributionPointsExtDefaultImpl
> policyset.userCertSet.13.default.name=CRL Distribution Points Extension Default
> policyset.userCertSet.13.default.params.crlDistPointsCritical=false
> policyset.userCertSet.13.default.params.crlDistPointsNum=1
> policyset.userCertSet.13.default.params.crlDistPointsEnable_0=true
> policyset.userCertSet.13.default.params.crlDistPointsPointName_0=http://xxx.xxx.xxx/crl/xxx.crl
>
>
> I don't believe you need to specify the No Constraint fields, as I just
> have them in there so that if later I wanted to enforce a specific CRL
> distribution point, it would require fewer updates to the profile.
>
> This line here is the one I think you need.
> policyset.userCertSet.13.default.class_id=crlDistributionPointsExtDefaultImpl
>
> As it tells the CA what class to call into when generating this part of
> the cert. 
>
> I don't think this is needed either, but it was in the example certs
> from the CS 8.0 install so I left it.
> policyset.userCertSet.13.default.params.crlDistPointsNum=1 
>
> I presume it is just letting the CA know after you added one CRL to the
> cert you can move on but I have dug into the code to find out.
>
> Sean 
>
>
>
>
> -----Original Message-----
> From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com]
> On Behalf Of Frederic d'Huart
> Sent: Friday, October 22, 2010 5:56 AM
> To: pki-users at redhat.com
> Subject: [Pki-users] DogTAG PKI - crlDistributionPoints cert profile:
> Type_0 : URIName error
>
> Hello Pki users,
>
>
> Section B.1.4. of the RH admin guide refers to the following acceptable
> values for crlDistributionPoint Type:
>
> DirectoryName
> URIName
> RelativeToIssuer
>
>
>
> Using PKIConsole, I have added to the caUserCert profile a policy to
> include a CDP as follows:
>
> policyset.userCertSet.13.default.name=CRL Distribution Points Extension Default
> policyset.userCertSet.13.default.params.crlDistPointsCritical=false
> policyset.userCertSet.13.default.params.crlDistPointsEnable_0=true
> policyset.userCertSet.13.default.params.crlDistPointsPointType_0=URIName
> policyset.userCertSet.13.default.params.crlDistPointsPointName_0=http://xxx.xxx.xxx/crl/xxx.crl
> policyset.userCertSet.13.default.params.crlDistPointsReasons_0=
>
> After the profile was re-activated and a new request generated, I get the
> following error on the agent interface:
>
> The Certificate System has encountered an unrecoverable error.
>
> Error Message:
> java.lang.ClassCastException: netscape.security.x509.Extension cannot be cast to netscape.security.x509.CRLDistributionPointsExtension
>
> Please contact your local administrator for assistance.
>
>
> Any ideas what could be wrong?
>
>
> Thank you.
>
>
>   
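A pre-activation check for the profile lines discussed in this thread, as an added example that is not part of the original messages or of Dogtag itself. It assumes the `policyset.<set>.<n>.(constraint|default).<field>` key shape seen above and exact-case matching of the three point types quoted from the admin guide; `lint_profile` and the sample profile are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Point types the thread quotes from section B.1.4 of the admin guide.
ALLOWED_POINT_TYPES = {"DirectoryName", "URIName", "RelativeToIssuer"}
KEY_RE = re.compile(r"^policyset\.(\w+)\.(\d+)\.(constraint|default)\.(.+)$")
NUMBERED = re.compile(r"^policyset\.\w+\.\d")  # looks like a numbered policy key
CDP = "default.params.crlDistPoints"

def lint_profile(text):
    """Return findings for numbered policy entries in a profile (assumed layout)."""
    findings, policies = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.partition("=")
        m = KEY_RE.match(key)
        if m:
            policies.setdefault((m[1], m[2]), {})[f"{m[3]}.{m[4]}"] = value
        elif line and (not sep or NUMBERED.match(key)):
            # No '=' at all (mail-wrapped continuation) or a mistyped policy key.
            findings.append(f"malformed or wrapped line: {line}")
    for (pset, num), kv in sorted(policies.items()):
        where = f"policyset.{pset}.{num}"
        if any(k.startswith("default.params.") for k in kv) and not kv.get("default.class_id"):
            findings.append(f"{where}: default.params set but default.class_id missing")
        for k, v in sorted(kv.items()):
            if not k.startswith(CDP + "PointType_"):
                continue
            idx = k.rsplit("_", 1)[1]
            name = kv.get(f"{CDP}PointName_{idx}", "")
            if v not in ALLOWED_POINT_TYPES:
                findings.append(f"{where}: PointType_{idx}={v!r} not in the listed point types")
            elif v == "URIName" and not all(urlsplit(name)[:2]):
                findings.append(f"{where}: PointName_{idx}={name!r} is not an absolute URI")
    return findings

# Constructed sample: a profile pasted from a line-wrapped e-mail, with a typo.
SAMPLE = """\
policyset.userCertSet.13.constraint.class_id=noConstraintImpl
policyset.userCertSet.13constraint.name=No Constraint
policyset.userCertSet.13.default.params.crlDistPointsEnable_0=true
policyset.userCertSet.13.default.params.crlDistPointsPointType_0=URIName
policyset.userCertSet.13.default.params.crlDistPointsPointName_0=http://
crl.example.test/crl/ca.crl
policyset.userCertSet.13.default.params.crlDistPointsPointType_1=UriName
"""

if __name__ == "__main__":
    print("\n".join(lint_profile(SAMPLE)))
```

A clean result only means the profile text is well-formed; it does not rule out the server-side `ClassCastException` reported in this thread.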



