[Pki-users] DogTAG PKI - crlDistributionPoints cert profile: Type_0 : URIName error

Elliott William C OSS sIT WilliamC.Elliott at s-itsolutions.at
Mon Feb 28 14:06:06 UTC 2011


Hello,

I have exactly the same problem described in October in the Pki-users mailing list.
In the list, there is no resolution. Was someone able to work around the problem?

We are running Dogtag on RHEL5 64-bit.  
The beautiful thing is, the profile works in RH CS 8.0,  but throws the java error with Dogtag.

The java is slightly newer on the Dogtag system: 1.6.0_24 (where the error occurs) vs. 1.6.0_21 on the CS 8.0.
Dogtag version is pki-common-1.3.8-1.el5.

Any Ideas?

Thanks in advance,
Bill

-----Original Message-----
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of sean.veale at gdc4s.com
Sent: Friday, 29 October 2010 15:21
To: fdh at x-zone.org
Cc: pki-users at redhat.com
Subject: Re: [Pki-users] DogTAG PKI - crlDistributionPoints cert profile: Type_0 : URIName error [bayes][heur]

Hi 

I'm using RH Enterprise Linux 5.3

Java -version gives 

Java Version "1.6.0.0"
OpenJDK Runtime Environment (IcedTea6 1.6) (rhel-1.11.b16.el5-x86_64)
OpenJDK 64 Bit Server VM (build 14.0-b16, mixed mode)

Looks like I'm running a slightly older version of the OpenJDK vm,  and
I'm on a 64 bit platform instead of the 32 bit one you are on.

A red-hat rep would have to weigh in if either would be significant in
this case. 

Sean 



On 10/22/2010 03:14 PM, sean.veale at gdc4s.com wrote:
> Hi, Usually there is a reference to an Impl classID so the CA knows what
> function/class to call when generating this part of the cert.
>
> For my system (built on Redhat CS 8.0 instead of dogtag but those
> codebases are very similar) I have this in my cert profiles and it
> generates the Crl dp entry in the cert without errors. 
>
> policyset.userCertSet.13.constraint.class_id=noConstraintImpl
> policyset.userCertSet.13.constraint.name=No Constraint
> policyset.userCertSet.13.default.class_id=crlDistributionPointsExtDefaultImpl
> policyset.userCertSet.13.default.name=CRL Distribution Points Extension Default
> policyset.userCertSet.13.default.params.crlDistPointsCritical=false
> policyset.userCertSet.13.default.params.crlDistPointsNum=1
> policyset.userCertSet.13.default.params.crlDistPointsEnable_0=true
> policyset.userCertSet.13.default.params.crlDistPointsPointName_0=http://xxx.xxx.xxx/crl/xxx.crl
>
>
> I don't believe you need to specify the No Constraint fields, as I just
> have them in there if later I wanted to enforce a specific CRL
> distribution point, it would require less updates to the profile.
>
> This line here is the one I think you need. 
>
> policyset.userCertSet.13.default.class_id=crlDistributionPointsExtDefaultImpl
>
> As it tells the CA what class to call into when generating this part of
> the cert.
>
> I don't think this is needed either, but it was in the example certs
> from the CS 8.0 install so I left it.
> policyset.userCertSet.13.default.params.crlDistPointsNum=1 
>
> I presume it is just letting the CA know after you added one CRL to the
> cert you can move on but I have dug into the code to find out.
>
> Sean 
>
>
> -----Original Message-----
> From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com]
> On Behalf Of Frederic d'Huart
> Sent: Friday, October 22, 2010 5:56 AM
> To: pki-users at redhat.com
> Subject: [Pki-users] DogTAG PKI - crlDistributionPoints cert profile: Type_0 : URIName error
>
> Hello Pki users,
>
>
> Section B.1.4. of the RH admin guide refers to the following acceptable
> values for crlDistributionPoint Type:
>
> DirectoryName
> URIName
> RelativeToIssuer
>
>
>
> Using PKIConsole, I have added to the caUserCert profile a policy to
> include a CDP as follows:
>
> policyset.userCertSet.13.default.name=CRL Distribution Points Extension Default
> policyset.userCertSet.13.default.params.crlDistPointsCritical=false
> policyset.userCertSet.13.default.params.crlDistPointsEnable_0=true
> policyset.userCertSet.13.default.params.crlDistPointsPointType_0=URIName
> policyset.userCertSet.13.default.params.crlDistPointsPointName_0=http://xxx.xxx.xxx/crl/xxx.crl
> policyset.userCertSet.13.default.params.crlDistPointsReasons_0=
>
> After the profile was re-activated and a new request generated, I get the
> following error on the agent interface:
>
> The Certificate System has encountered an unrecoverable error.
>
> Error Message:
> /java.lang.ClassCastException: netscape.security.x509.Extension cannot
> be cast to netscape.security.x509.CRLDistributionPointsExtension/
>
> Please contact your local administrator for assistance.
>
>
> Any Ideas what could be wrong ?
>
>
> Thank you.
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>   
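
A way to check a profile for what the 22 October reply points at, as an added example that is not part of the thread or of Dogtag: it parses `policyset.*` lines and reports entries that set `default.*` or `constraint.*` keys without the matching `class_id`, plus keys that do not fit the `policyset.<set>.<n>.<default|constraint>.…` shape. The function name and the sample text (constructed from the lines quoted in this thread) are assumptions; the thread does not confirm that a missing `class_id` is the cause of the ClassCastException.

```python
import re
from collections import defaultdict

# Expected key shape: policyset.<set>.<n>.<default|constraint>.<rest>
KEY_RE = re.compile(r"^policyset\.(\w+)\.(\d+)\.(default|constraint)\.([\w.]+)$")

def lint_profile(text):
    """Return a sorted list of (policy id or key, problem) for a profile."""
    seen = defaultdict(set)   # "set.n" -> {"default.class_id", "default.name", ...}
    problems = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key = line.partition("=")[0]
        # Skip non-policy keys and the policyset.list / policyset.<set>.list indexes.
        if not key.startswith("policyset.") or key.endswith(".list"):
            continue
        m = KEY_RE.match(key)
        if m is None:
            problems.append((key, "malformed key"))
            continue
        pset, num, kind, rest = m.groups()
        seen[f"{pset}.{num}"].add(f"{kind}.{rest}")
    for pid, keys in seen.items():
        for kind in ("default", "constraint"):
            used = any(k.startswith(kind + ".") for k in keys)
            if used and f"{kind}.class_id" not in keys:
                problems.append((pid, f"{kind}.* set without {kind}.class_id"))
    return sorted(problems)

# Constructed sample: policy 13 as first posted in the thread (no class_id lines).
AS_POSTED = """\
policyset.userCertSet.13.default.name=CRL Distribution Points Extension Default
policyset.userCertSet.13.default.params.crlDistPointsCritical=false
policyset.userCertSet.13.default.params.crlDistPointsEnable_0=true
policyset.userCertSet.13.default.params.crlDistPointsPointType_0=URIName
policyset.userCertSet.13.default.params.crlDistPointsPointName_0=http://xxx.xxx.xxx/crl/xxx.crl
policyset.userCertSet.13.default.params.crlDistPointsReasons_0=
"""
# Constructed sample: the same entry with the class_id lines from the reply added.
WITH_CLASS_ID = AS_POSTED + """\
policyset.userCertSet.13.constraint.class_id=noConstraintImpl
policyset.userCertSet.13.constraint.name=No Constraint
policyset.userCertSet.13.default.class_id=crlDistributionPointsExtDefaultImpl
"""

if __name__ == "__main__":
    for name, text in (("as posted", AS_POSTED), ("with class_id", WITH_CLASS_ID)):
        print(name, lint_profile(text))
```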

