[Pki-users] DogTAG PKI - crlDistributionPoints cert profile: Type_0 : URIName error

sean.veale at gdc4s.com sean.veale at gdc4s.com
Fri Oct 29 13:20:35 UTC 2010


Hi 

I'm using RH Enterprise Linux 5.3

Java -version gives 

Java Version "1.6.0.0"
OpenJDK Runtime Environment (IcedTea6 1.6) (rhel-1.11.b16.el5-x86_64)
OpenJDK 64 Bit Server VM (build 14.0-b16, mixed mode)

Looks like I'm running a slightly older version of the OpenJDK vm,  and
I'm on a 64 bit platform instead of the 32 bit one you are on.

A red-hat rep would have to weigh in if either would be significant in
this case. 

Sean 



On 10/22/2010 03:14 PM, sean.veale at gdc4s.com wrote:
> Hi, Usually there is a reference to an Impl classID so the CA knows
> what function/class to call when generating this part of the cert.
>
> For my system (built on Redhat CS 8.0 instead of dogtag but those
> codebases are very similar) I have this in my cert profiles and it
> generates the Crl dp entry in the cert without errors. 
>
> policyset.userCertSet.13.constraint.class_id=noConstraintImpl
> policyset.userCertSet.13.constraint.name=No Constraint
> policyset.userCertSet.13.default.class_id=crlDistributionPointsExtDefaultImpl
> policyset.userCertSet.13.default.name=CRL Distribution Points Extension Default
> policyset.userCertSet.13.default.params.crlDistPointsCritical=false
> policyset.userCertSet.13.default.params.crlDistPointsNum=1
> policyset.userCertSet.13.default.params.crlDistPointsEnable_0=true
> policyset.userCertSet.13.default.params.crlDistPointsPointName_0=http://xxx.xxx.xxx/crl/xxx.crl
>
>
> I don't believe you need to specify the No Constraint fields, as I
> just have them in there so that if later I wanted to enforce a specific CRL
> distribution point, it would require fewer updates to the profile.
>
> This line here is the one I think you need. 
>
> policyset.userCertSet.13.default.class_id=crlDistributionPointsExtDefaultImpl
>
> As it tells the CA what class to call into when generating this part of
> the cert.
>
> I don't think this is needed either, but it was in the example certs
> from the CS 8.0 install so I left it.
> policyset.userCertSet.13.default.params.crlDistPointsNum=1 
>
> I presume it is just letting the CA know that after you added one CRL to the
> cert you can move on, but I have dug into the code to find out.
>
> Sean 
>
>
>
>
> -----Original Message-----
> From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com]
> On Behalf Of Frederic d'Huart
> Sent: Friday, October 22, 2010 5:56 AM
> To: pki-users at redhat.com
> Subject: [Pki-users] DogTAG PKI - crlDistributionPoints cert profile:
> Type_0 : URIName error
>
> Hello Pki users,
>
>
> Section B.1.4. of the RH admin guide refers to the following acceptable
> values for crlDistributionPoint Type:
>
> DirectoryName
> URIName
> RelativeToIssuer
>
>
>
> Using PKIConsole, I have added to the caUserCert profile a policy to
> include a CDP as follows:
>
> policyset.userCertSet.13.default.name=CRL Distribution Points Extension Default
> policyset.userCertSet.13.default.params.crlDistPointsCritical=false
> policyset.userCertSet.13.default.params.crlDistPointsEnable_0=true
> policyset.userCertSet.13.default.params.crlDistPointsPointType_0=URIName
> policyset.userCertSet.13.default.params.crlDistPointsPointName_0=http://xxx.xxx.xxx/crl/xxx.crl
> policyset.userCertSet.13.default.params.crlDistPointsReasons_0=
>
> After the profile is re-activated and a new request is generated, I get the
> following error on the agent interface:
>
> The Certificate System has encountered an unrecoverable error.
>
> Error Message:
> java.lang.ClassCastException: netscape.security.x509.Extension cannot
> be cast to netscape.security.x509.CRLDistributionPointsExtension
>
> Please contact your local administrator for assistance.
>
>
> Any ideas what could be wrong?
>
>
> Thank you.
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
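Added example, not from the thread and not Dogtag/CS code: a small lint over the policyset lines of a profile that catches the omission discussed above (no default.class_id on the CRL Distribution Points item, so the CA cannot pick the extension implementation) and checks that the crlDistPoints parameters are consistent with each other. The key layout and accepted point types are taken from the thread; the checks themselves are my own.

```python
import re
from collections import defaultdict

# Point types section B.1.4 of the admin guide accepts (as quoted in the thread).
CDP_POINT_TYPES = {"DirectoryName", "URIName", "RelativeToIssuer"}
CDP_CLASS_ID = "crlDistributionPointsExtDefaultImpl"
KEY_RE = re.compile(r"^policyset\.(?P<set>[^.]+)\.(?P<idx>\d+)\.(?P<rest>.+)$")

def parse_profile(text):
    """Group policyset.<set>.<n>.<rest>=<value> lines as {(set, n): {rest: value}}."""
    items = defaultdict(dict)
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            m = KEY_RE.match(key.strip())
            if m:
                items[(m["set"], int(m["idx"]))][m["rest"]] = value.strip()
    return dict(items)

def lint_profile(text):
    """Return a list of findings for each policy item; an empty list means it passes."""
    findings = []
    for (pset, idx), params in sorted(parse_profile(text).items()):
        where = f"policyset.{pset}.{idx}"
        class_id = params.get("default.class_id")
        if not class_id:  # the omission behind the ClassCastException in the thread
            findings.append(f"{where}: missing default.class_id")
        p = {k[len("default.params."):]: v for k, v in params.items() if k.startswith("default.params.")}
        if not any(k.startswith("crlDistPoints") for k in p):
            continue  # not a CDP item, nothing more to check
        enabled = sorted(int(k.rsplit("_", 1)[1]) for k, v in p.items()
                         if k.startswith("crlDistPointsEnable_") and v == "true")
        if p.get("crlDistPointsNum") and int(p["crlDistPointsNum"]) < len(enabled):
            findings.append(f"{where}: crlDistPointsNum is smaller than the number of enabled points")
        for i in enabled:
            if p.get(f"crlDistPointsPointType_{i}") not in CDP_POINT_TYPES:
                findings.append(f"{where}: crlDistPointsPointType_{i} must be one of {sorted(CDP_POINT_TYPES)}")
            if not p.get(f"crlDistPointsPointName_{i}"):
                findings.append(f"{where}: crlDistPointsPointName_{i} is empty")
    return findings

# Constructed sample: the questioner's fragment, and the same fragment with the class_id line added.
BROKEN_PROFILE = """\
policyset.userCertSet.13.default.name=CRL Distribution Points Extension Default
policyset.userCertSet.13.default.params.crlDistPointsCritical=false
policyset.userCertSet.13.default.params.crlDistPointsEnable_0=true
policyset.userCertSet.13.default.params.crlDistPointsPointType_0=URIName
policyset.userCertSet.13.default.params.crlDistPointsPointName_0=http://xxx.xxx.xxx/crl/xxx.crl
"""
FIXED_PROFILE = "policyset.userCertSet.13.default.class_id=" + CDP_CLASS_ID + "\n" + BROKEN_PROFILE
```

Running lint_profile(BROKEN_PROFILE) reports the missing class_id; lint_profile(FIXED_PROFILE) returns an empty list.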