[Pki-users] DogTAG PKI - crlDistributionPoints cert profile: Type_0 : URIName error
Elliott William C OSS sIT
WilliamC.Elliott at s-itsolutions.at
Mon Feb 28 14:06:06 UTC 2011
Hello,
I have exactly the same problem described in October in the Pki-users mailing list.
In the list, there is no resolution. Was someone able to work around the problem?
We are running Dogtag on RHEL5 64-bit.
The beautiful thing is, the profile works in RH CS 8.0, but throws the java error with Dogtag.
The java is slightly newer on the Dogtag system: 1.6.0_24 (where the error occurs) vs. 1.6.0_21 on the CS 8.0.
Dogtag version is pki-common-1.3.8-1.el5.
Any Ideas?
Thanks in advance,
Bill
-----Original Message-----
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of sean.veale at gdc4s.com
Sent: Friday, 29 October 2010 15:21
To: fdh at x-zone.org
Cc: pki-users at redhat.com
Subject: Re: [Pki-users] DogTAG PKI - crlDistributionPoints cert profile: Type_0 : URIName error [bayes][heur]
Hi
I'm using RH Enterprise Linux 5.3
Java -version gives
Java Version "1.6.0.0"
OpenJDK Runtime Environment (IcedTea6 1.6) (rhel-1.11.b16.el5-x86_64)
OpenJDK 64 Bit Server VM (build 14.0-b16, mixed mode)
Looks like I'm running a slightly older version of the OpenJDK vm, and
I'm on a 64 bit platform instead of the 32 bit one you are on.
A red-hat rep would have to weigh in if either would be significant in
this case.
Sean
On 10/22/2010 03:14 PM, sean.veale at gdc4s.com wrote:
> Hi, Usually there is a reference to an Impl classID so the CA knows what
> function/class to call when generating this part of the cert.
>
> For my system (built on Redhat CS 8.0 instead of dogtag but those
> codebases are very similar) I have this in my cert profiles and it
> generates the Crl dp entry in the cert without errors.
>
> policyset.userCertSet.13.constraint.class_id=noConstraintImpl
> policyset.userCertSet.13.constraint.name=No Constraint
> policyset.userCertSet.13.default.class_id=crlDistributionPointsExtDefaultImpl
> policyset.userCertSet.13.default.name=CRL Distribution Points Extension Default
> policyset.userCertSet.13.default.params.crlDistPointsCritical=false
> policyset.userCertSet.13.default.params.crlDistPointsNum=1
> policyset.userCertSet.13.default.params.crlDistPointsEnable_0=true
> policyset.userCertSet.13.default.params.crlDistPointsPointName_0=http://xxx.xxx.xxx/crl/xxx.crl
>
>
> I don't believe you need to specify the No Constraint fields, as I just
> have them in there if later I wanted to enforce a specific CRL
> distribution point, it would require less updates to the profile.
>
> This line here is the one I think you need.
>
> policyset.userCertSet.13.default.class_id=crlDistributionPointsExtDefaultImpl
>
> As it tells the CA what class to call into when generating this part of
> the cert.
>
> I don't think this is needed either, but it was in the example certs
> from the CS 8.0 install so I left it.
> policyset.userCertSet.13.default.params.crlDistPointsNum=1
>
> I presume it is just letting the CA know after you added one CRL to the
> cert you can move on but I have dug into the code to find out.
>
> Sean
>
> -----Original Message-----
> From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com]
> On Behalf Of Frederic d'Huart
> Sent: Friday, October 22, 2010 5:56 AM
> To: pki-users at redhat.com
> Subject: [Pki-users] DogTAG PKI - crlDistributionPoints cert profile: Type_0 : URIName error
>
> Hello Pki users,
>
>
> Section B.1.4. of the RH admin guide refers to the following acceptable
> values for crlDistributionPoint Type:
>
> DirectoryName
> URIName
> RelativeToIssuer
>
>
>
> Using PKIConsole, I have added to the caUserCert profile a policy to
> include a CDP as follows:
>
> policyset.userCertSet.13.default.name=CRL Distribution Points Extension Default
> policyset.userCertSet.13.default.params.crlDistPointsCritical=false
> policyset.userCertSet.13.default.params.crlDistPointsEnable_0=true
> policyset.userCertSet.13.default.params.crlDistPointsPointType_0=URIName
> policyset.userCertSet.13.default.params.crlDistPointsPointName_0=http://xxx.xxx.xxx/crl/xxx.crl
> policyset.userCertSet.13.default.params.crlDistPointsReasons_0=
>
> After the profile was re-activated and a new request generated, I get the
> following error on the agent interface:
>
> The Certificate System has encountered an unrecoverable error.
>
> Error Message:
> /java.lang.ClassCastException: netscape.security.x509.Extension cannot
> be cast to netscape.security.x509.CRLDistributionPointsExtension/
>
> Please contact your local administrator for assistance.
>
>
> Any ideas what could be wrong?
>
>
> Thank you.
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
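A checker for the profile properties discussed in this thread, added here as an example; it is not code from the posters or from Dogtag. It flags a policy that carries `crlDistPoints` parameters but no `default.class_id` (the line Sean points to), a point type outside the three values quoted from the admin guide, and keys damaged in copying. The sample profile and its host name are constructed, and the thread does not confirm that a missing `class_id` causes the `ClassCastException`.

```python
import re
from collections import defaultdict

# Point types the thread quotes from section B.1.4 of the admin guide.
ALLOWED_TYPES = {"DirectoryName", "URIName", "RelativeToIssuer"}
PREFIX_RE = re.compile(r"^policyset\.(\w+)\.(\d+)(.*)$")
REST_RE = re.compile(r"^\.((?:constraint|default)\..+)$")
PARAM_RE = re.compile(r"^default\.params\.crlDistPoints(\w+?)_(\d+)$")

# Constructed sample modelled on the postings; the host name is a placeholder.
SAMPLE = """\
policyset.userCertSet.13.default.name=CRL Distribution Points Extension Default
policyset.userCertSet.13.default.params.crlDistPointsCritical=false
policyset.userCertSet.13.default.params.crlDistPointsEnable_0=true
policyset.userCertSet.13.default.params.crlDistPointsPointType_0=URIName
policyset.userCertSet.13.default.params.crlDistPointsPointName_0=http://crl.example.test/ca.crl
policyset.userCertSet.14constraint.name=No Constraint
policyset.userCertSet.14.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.userCertSet.14.default.params.crlDistPointsEnable_0=true
policyset.userCertSet.14.default.params.crlDistPointsPointType_0=URL
"""

def check_profile(text):
    """Return findings for policies that carry crlDistPoints parameters."""
    findings, policies = [], defaultdict(dict)
    for lineno, line in enumerate(text.splitlines(), 1):
        key, sep, value = line.strip().partition("=")
        m = PREFIX_RE.match(key)
        if not m:
            continue  # not a numbered policy entry
        rest = REST_RE.match(m.group(3))
        if not sep or not rest:
            findings.append(f"line {lineno}: malformed key {key!r}")
            continue
        policies[(m.group(1), m.group(2))][rest.group(1)] = value.strip()
    for (pset, num), kv in sorted(policies.items()):
        if not any(k.startswith("default.params.crlDistPoints") for k in kv):
            continue
        tag = f"policyset.{pset}.{num}"
        if not kv.get("default.class_id"):
            findings.append(f"{tag}: no default.class_id")
        for k, v in kv.items():
            m = PARAM_RE.match(k)
            if not m:
                continue  # un-indexed parameter such as crlDistPointsCritical
            field, idx = m.groups()
            if field == "PointType" and v not in ALLOWED_TYPES:
                findings.append(f"{tag}: point {idx} has unknown type {v!r}")
            name_key = f"default.params.crlDistPointsPointName_{idx}"
            if field == "Enable" and v == "true" and not kv.get(name_key):
                findings.append(f"{tag}: point {idx} enabled without a name")
    return findings
```

Calling `check_profile(SAMPLE)` returns four findings: the damaged key on line 6, the missing `default.class_id` on policy 13, and the unnamed point and unknown type on policy 14.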