From alee at redhat.com Thu Jan 2 14:34:41 2014
From: alee at redhat.com (Ade Lee)
Date: Thu, 02 Jan 2014 09:34:41 -0500
Subject: [Pki-users] spinning forever trying to create the admin certificate
Message-ID: <1388673281.2177.4.camel@localhost.localdomain>

Just FYI - in case you want to play with the latest versions, I am in the process of getting Dogtag 10 packaged for Debian. I currently have everything building and packaged, and am in the process of creating patches to make everything actually work. I should have some positive results, and packages to point to, within the next week or so.

Ade Lee

On Sun, 2013-12-29 at 10:19 -0600, James White wrote:
> Brand new install, Virtualbox (via vagrant) running Ubuntu Precise, Safari as the client. I'm just labbing it up to see if it's viable in my infrastructure.
>
> On Sun, Dec 29, 2013 at 8:34 AM, Maurice James wrote:
> Forgot to include the list address
>
> Is this a brand new install? On what platform? I had similar issues on CentOS
>
> From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of James White
> Sent: Saturday, December 28, 2013 9:49 PM
> To: pki-users at redhat.com
> Subject: Re: [Pki-users] spinning forever trying to create the admin certificate
>
> And of course I attached the wrong screen shot...
>
> Is it having trouble gathering entropy?
>
> On Sat, Dec 28, 2013 at 8:34 PM, James White wrote:
> I'm using dogtag 9.0 and when I try to perform the CA process it just hangs forever trying to create the administration cert. Is there something I can do to fix this?
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From alee at redhat.com Thu Jan 2 14:36:44 2014
From: alee at redhat.com (Ade Lee)
Date: Thu, 02 Jan 2014 09:36:44 -0500
Subject: [Pki-users] spinning forever trying to create the admin certificate
Message-ID: <1388673404.2177.6.camel@localhost.localdomain>

Yes, we only test and support installation using Firefox for dogtag 9 and rhcs 8.x. Dogtag 10, of course, requires no browser to install.

Ade

On Sun, 2013-12-29 at 10:28 -0600, James White wrote:
> Yep. It "Just Worked(tm)" with firefox. Thanks Brian.
>
> On Sat, Dec 28, 2013 at 10:36 PM, Brian Henson wrote:
> I had an issue using anything but firefox. Switching to Firefox worked for me

From jindrich.dolezal at adaptivemobile.com Thu Jan 16 14:06:18 2014
From: jindrich.dolezal at adaptivemobile.com (Jindrich Dolezal)
Date: Thu, 16 Jan 2014 15:06:18 +0100
Subject: [Pki-users] Adding subject alternative name into certificate
Message-ID: <52D7E75A.6090508@adaptivemobile.com>

hi all,

I'm struggling in adding the subject alternative name (SAN) into the generated certificate. I'm doing a SCEP request.
When I print the cert req into a file and dump it, it seems that the SAN is correctly added:

$ openssl req -in certreq.csr -text -noout
Certificate Request:
    ...
        Requested Extensions:
            X509v3 Subject Alternative Name:
                email:example at example.org
    Signature Algorithm: sha1WithRSAEncryption
         1a:7e:d8:b7:80:a3:1f:ff:52:b5:28:be:9e:f2:53:03:22:f8:
         ....

The profile that is then used on the CA contains:

policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.name=Subject Alt Name Constraint
policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.9.default.params.subjAltExtType_0=RFC822Name
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1

And in the log file:

[16/Jan/2014:13:49:42][http-9180-1]: Found PKCS10 extension
[16/Jan/2014:13:49:42][http-9180-1]: Set extensions [ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[RFC822Name: example at example.org]]
]
[16/Jan/2014:13:49:42][http-9180-1]: Finish parsePKCS10 - CN=testsubject
.....
[16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: populate start
[16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: createExtension i=0
[16/Jan/2014:13:49:42][http-9180-1]: gname is empty, not added
[16/Jan/2014:13:49:42][http-9180-1]: count is 0
[16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: populate sees no extension. get out
[16/Jan/2014:13:49:42][http-9180-1]: SubjectAltNameExtDefault: populate end

And the SAN is not included in the certificate.
I also tried other values for subjAltExtPattern_0 like $request.email$, $request.SAN1$, etc., but this only ended in a state where the SAN was included in the certificate but had the parameter itself as its value, i.e. '$request.email$', which is apparently not what I wanted.

Would anyone know what I'm doing wrong, where is the catch?

Thanks a lot,
jd

From cfu at redhat.com Thu Jan 16 18:05:21 2014
From: cfu at redhat.com (Christina Fu)
Date: Thu, 16 Jan 2014 10:05:21 -0800
Subject: [Pki-users] Adding subject alternative name into certificate
In-Reply-To: <52D7E75A.6090508@adaptivemobile.com>
References: <52D7E75A.6090508@adaptivemobile.com>
Message-ID: <52D81F61.509@redhat.com>

In general, these are the two easiest ways to add a SAN into the cert. The following documentation should help.

1. The subjectAlternativeName profile configuration (use this if your CSR does not contain a SAN, but you have the relevant info in the accompanying request or LDAP):
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Admin_Guide/index.html#Subject_Alternative_Name_Extension_Default

2. The User Supplied Extension Default (use this if you generate your own SAN in the CSR):
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Admin_Guide/index.html#User_Supplied_Extension_Default

Christina
From msauton at redhat.com Thu Jan 16 21:54:50 2014
From: msauton at redhat.com (Marc Sauton)
Date: Thu, 16 Jan 2014 13:54:50 -0800
Subject: [Pki-users] Adding subject alternative name into certificate
In-Reply-To: <52D81F61.509@redhat.com>
References: <52D7E75A.6090508@adaptivemobile.com> <52D81F61.509@redhat.com>
Message-ID: <52D8552A.4070200@redhat.com>

Some more comments:

In the case of a user-provided extension in the CSR, I would not use the subjectAltNameExtDefaultImpl in the profile:

policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl

The "gname is empty, not added" happens because there is no variable $request.requestor_email$ populated in the enrollment form.

The problem is the profile does not know how to populate the "User-Supplied Extension" 2.5.29.17 to the request.

I would modify the profile to remove the blob for policyset.serverCertSet.9

And for example change the test profile:

policyset.serverCertSet.list=...,addUserSANcsr

to add a "User Supplied Key Usage Extension" definition, for the OID of subjectAltNameExt, 2.5.29.17, like for example:

policyset.serverCertSet.addUserSANcsr.constraint.class_id=noConstraintImpl
policyset.serverCertSet.addUserSANcsr.constraint.name=No Constraint

To keep it simple:

policyset.serverCertSet.addUserSANcsr.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.addUserSANcsr.default.name=User Supplied Key Usage Extension
policyset.serverCertSet.addUserSANcsr.default.params.userExtOID=2.5.29.17

And try to enroll again.
The debug log should list some entries about the user-provided extensions, like for example:

[16/Jan/2014:06:10:23][http-9444-Processor24]: UserExtensionDefault: populate start
[16/Jan/2014:06:10:23][http-9444-Processor24]: UserExtensionDefault: using user supplied ext for 2.5.29.17
[16/Jan/2014:06:10:23][http-9444-Processor24]: UserExtensionDefault: populate end

The one problem in this example is I did not add any constraints for this user-provided data in the CSR.

Thanks,
Marc Sauton.
From jindrich.dolezal at adaptivemobile.com Fri Jan 17 09:44:15 2014
From: jindrich.dolezal at adaptivemobile.com (Jindrich Dolezal)
Date: Fri, 17 Jan 2014 10:44:15 +0100
Subject: [Pki-users] Adding subject alternative name into certificate
In-Reply-To: <52D8552A.4070200@redhat.com>
References: <52D7E75A.6090508@adaptivemobile.com> <52D81F61.509@redhat.com> <52D8552A.4070200@redhat.com>
Message-ID: <52D8FB6F.8060400@adaptivemobile.com>

Great, that worked!

Big thanks,
jd
From david.w.wen at gmail.com Mon Jan 20 22:19:22 2014
From: david.w.wen at gmail.com (David Wen)
Date: Mon, 20 Jan 2014 14:19:22 -0800
Subject: [Pki-users] Dogtag on BeagleBone black

Hi,

Has anyone tried this? We are working on an offline CA on a PC, and thought the BeagleBone Black would be the perfect platform to replace it. Fedora works fine on it (it's ARM architecture) but not Dogtag.

Any hint will be appreciated.

David W
From shopereira at gmail.com Wed Jan 22 10:41:53 2014
From: shopereira at gmail.com (Sergio Pereira)
Date: Wed, 22 Jan 2014 08:41:53 -0200
Subject: [Pki-users] Add info to a new OID

hi guys,

I'm trying to create a certificate profile in a way to have at the end a certificate with special attributes (supplied by the user through the web enrollment form). I'm running dogtag 10.1 on Fedora 20... fresh install. I added a certificate profile using pkiconsole but I'm struggling in how to find the right Policies, Inputs and Outputs for the new profile. The OID I intend to write to it is 2.16.76.1.3.3 (country specific OID). Here is my profile's config file:

auth.instance_id=
desc=UserCNPJ
enable=false
enableBy=admin
input.CNPJ.class_id=genericInputImpl
input.CNPJ.name=Generic Input
input.CNPJ.params.gi_display_name0=Cadastro Nacional Pessoa Juridica
input.CNPJ.params.gi_display_name1=
input.CNPJ.params.gi_display_name2=
input.CNPJ.params.gi_display_name3=
input.CNPJ.params.gi_display_name4=
input.CNPJ.params.gi_param_enable0=true
input.CNPJ.params.gi_param_enable1=false
input.CNPJ.params.gi_param_enable2=false
input.CNPJ.params.gi_param_enable3=false
input.CNPJ.params.gi_param_enable4=false
input.CNPJ.params.gi_param_name0=cnpj
input.CNPJ.params.gi_param_name1=
input.CNPJ.params.gi_param_name2=
input.CNPJ.params.gi_param_name3=
input.CNPJ.params.gi_param_name4=
input.i1.class_id=keyGenInputImpl
input.i1.name=Key Generation Input
input.i2.class_id=subjectNameInputImpl
input.i2.name=Subject Name Input
input.i3.class_id=submitterInfoInputImpl
input.i3.name=Submitter Information Input
input.list=i1,i2,i3,CNPJ
input.params.gi_display_name0=Cadastro Nacional Pessoa Juridica
input.params.gi_display_name1=
input.params.gi_display_name2=
input.params.gi_display_name3=
input.params.gi_display_name4=
input.params.gi_param_enable0=true
input.params.gi_param_enable1=false
input.params.gi_param_enable2=false
input.params.gi_param_enable3=false
input.params.gi_param_enable4=false
input.params.gi_param_name0=cnpj
input.params.gi_param_name1=
input.params.gi_param_name2=
input.params.gi_param_name3=
input.params.gi_param_name4=
lastModified=1390319210315
name=UserCNPJ
output.list=o1
output.o1.class_id=certOutputImpl
output.o1.name=Certificate Output
policyset.list=set1
policyset.set1.list=p1,p2,p3,p4,p5,p06
policyset.set1.p06.constraint.class_id=noConstraintImpl
policyset.set1.p06.constraint.name=No Constraint
policyset.set1.p06.default.class_id=userExtensionDefaultImpl
policyset.set1.p06.default.name=User Supplied Extension Default
policyset.set1.p06.default.params.userExtOID=Comment Here...
policyset.set1.p1.constraint.class_id=noConstraintImpl
policyset.set1.p1.constraint.name=No Constraint
policyset.set1.p1.default.class_id=userSubjectNameDefaultImpl
policyset.set1.p1.default.name=User Supplied Subject Name Default
policyset.set1.p2.constraint.class_id=noConstraintImpl
policyset.set1.p2.constraint.name=No Constraint
policyset.set1.p2.default.class_id=validityDefaultImpl
policyset.set1.p2.default.name=Validity Default
policyset.set1.p2.default.params.range=180
policyset.set1.p2.default.params.startTime=0
policyset.set1.p3.constraint.class_id=noConstraintImpl
policyset.set1.p3.constraint.name=No Constraint
policyset.set1.p3.default.class_id=userKeyDefaultImpl
policyset.set1.p3.default.name=User Supplied Key Default
policyset.set1.p3.default.params.keyMaxLength=4096
policyset.set1.p3.default.params.keyMinLength=512
policyset.set1.p3.default.params.keyType=RSA
policyset.set1.p4.constraint.class_id=noConstraintImpl
policyset.set1.p4.constraint.name=No Constraint
policyset.set1.p4.default.class_id=signingAlgDefaultImpl
policyset.set1.p4.default.name=Signing Algorithm Default
policyset.set1.p4.default.params.signingAlg=-
policyset.set1.p4.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,,SHA512withEC
policyset.set1.p5.constraint.class_id=noConstraintImpl
policyset.set1.p5.constraint.name=No Constraint
policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
policyset.set1.p5.default.name=Key Usage Extension Default
policyset.set1.p5.default.params.keyUsageCritical=true
policyset.set1.p5.default.params.keyUsageCrlSign=true
policyset.set1.p5.default.params.keyUsageDataEncipherment=true
policyset.set1.p5.default.params.keyUsageDecipherOnly=true
policyset.set1.p5.default.params.keyUsageDigitalSignature=true
policyset.set1.p5.default.params.keyUsageEncipherOnly=true
policyset.set1.p5.default.params.keyUsageKeyAgreement=true
policyset.set1.p5.default.params.keyUsageKeyCertSign=true
policyset.set1.p5.default.params.keyUsageKeyEncipherment=true
policyset.set1.p5.default.params.keyUsageNonRepudiation=true
visible=true

thx in advance,
sergio

From jindrich.dolezal at adaptivemobile.com Wed Jan 22 11:09:56 2014
From: jindrich.dolezal at adaptivemobile.com (Jindrich Dolezal)
Date: Wed, 22 Jan 2014 12:09:56 +0100
Subject: [Pki-users] Add info to a new OID
Message-ID: <52DFA704.4000202@adaptivemobile.com>

hi,

have you tried something like this:

policyset.set1.p6.constraint.class_id=noConstraintImpl
policyset.set1.p6.constraint.name=No Constraint
policyset.set1.p6.default.class_id=userExtensionDefaultImpl
policyset.set1.p6.default.name=User Supplied Key Usage Extension
policyset.set1.p6.default.params.userExtOID=2.16.76.1.3.3

jd
****************************************************************************************
This email and any files transmitted with are confidential and intended solely for the
use of the individual or entity to whom they are addressed. If you have received this
email in error then please delete it and notify the sender. Do not make a copy or forward
it to anyone. This footnote also confirms that this email message has been swept for the
presence of computer viruses.

Adaptive Mobile Security Ltd, Ferry House, 48 Lower Mount Street, Dublin 2, Ireland
Directors: B. Collins, G. Maclachlan (UK), N. Grierson (UK), J. Ennis (UK), D. Summers (UK).
Registered in Ireland, Company No. 370343, VAT Reg.No.IE6390343O
****************************************************************************************

From shopereira at gmail.com Wed Jan 22 12:07:02 2014
From: shopereira at gmail.com (Sergio Pereira)
Date: Wed, 22 Jan 2014 10:07:02 -0200
Subject: [Pki-users] Add info to a new OID
In-Reply-To: <52DFA704.4000202@adaptivemobile.com>
References: <52DFA704.4000202@adaptivemobile.com>
Message-ID:

Hi JD,

Just did it and I could sign the certificate. Any idea how to verify (list) the new OID info from a base64 cert?

thx,
sp

2014/1/22 Jindrich Dolezal
> hi,
> have you tried something like this:
> policyset.set1.p6.constraint.class_id=noConstraintImpl
> policyset.set1.p6.constraint.name=No Constraint
> policyset.set1.p6.default.class_id=userExtensionDefaultImpl
> policyset.set1.p6.default.name=User Supplied Key Usage Extension
> policyset.set1.p6.default.params.userExtOID=2.16.76.1.3.3
>
> jd
>
>
> On 01/22/2014 11:41 AM, Sergio Pereira wrote:
>> hi guys,
>>
>> I'm trying to create a certificate profile in a way to have at the end a certificate with special attributes (supplied by the user through the web enrollment form). I'm running dogtag 10.1 on Fedora 20... fresh install. I added a certificate profile using pkiconsole but I'm struggling with how to find the right Policies, Inputs and Outputs for the new profile. The OID I intend to write to it is 2.16.76.1.3.3 (country specific OID). Here is my profile's config file:
>>
>> auth.instance_id=
>> desc=UserCNPJ
>> enable=false
>> enableBy=admin
>> input.CNPJ.class_id=genericInputImpl
>> input.CNPJ.name=Generic Input
>> input.CNPJ.params.gi_display_name0=Cadastro Nacional Pessoa Juridica
>> input.CNPJ.params.gi_display_name1=
>> input.CNPJ.params.gi_display_name2=
>> input.CNPJ.params.gi_display_name3=
>> input.CNPJ.params.gi_display_name4=
>> input.CNPJ.params.gi_param_enable0=true
>> input.CNPJ.params.gi_param_enable1=false
>> input.CNPJ.params.gi_param_enable2=false
>> input.CNPJ.params.gi_param_enable3=false
>> input.CNPJ.params.gi_param_enable4=false
>> input.CNPJ.params.gi_param_name0=cnpj
>> input.CNPJ.params.gi_param_name1=
>> input.CNPJ.params.gi_param_name2=
>> input.CNPJ.params.gi_param_name3=
>> input.CNPJ.params.gi_param_name4=
>> input.i1.class_id=keyGenInputImpl
>> input.i1.name=Key Generation Input
>> input.i2.class_id=subjectNameInputImpl
>> input.i2.name=Subject Name Input
>> input.i3.class_id=submitterInfoInputImpl
>> input.i3.name=Submitter Information Input
>> input.list=i1,i2,i3,CNPJ
>> input.params.gi_display_name0=Cadastro Nacional Pessoa Juridica
>> input.params.gi_display_name1=
>> input.params.gi_display_name2=
>> input.params.gi_display_name3=
>> input.params.gi_display_name4=
>> input.params.gi_param_enable0=true
>> input.params.gi_param_enable1=false
>> input.params.gi_param_enable2=false
>> input.params.gi_param_enable3=false
>> input.params.gi_param_enable4=false
>> input.params.gi_param_name0=cnpj
>> input.params.gi_param_name1=
>> input.params.gi_param_name2=
>> input.params.gi_param_name3=
>> input.params.gi_param_name4=
>> lastModified=1390319210315
>> name=UserCNPJ
>> output.list=o1
>> output.o1.class_id=certOutputImpl
>> output.o1.name=Certificate Output
>> policyset.list=set1
>> policyset.set1.list=p1,p2,p3,p4,p5,p06
>> policyset.set1.p06.constraint.class_id=noConstraintImpl
>> policyset.set1.p06.constraint.name=No Constraint
>> policyset.set1.p06.default.class_id=userExtensionDefaultImpl
>> policyset.set1.p06.default.name=User Supplied Extension Default
>> policyset.set1.p06.default.params.userExtOID=Comment Here...
>> policyset.set1.p1.constraint.class_id=noConstraintImpl
>> policyset.set1.p1.constraint.name=No Constraint
>> policyset.set1.p1.default.class_id=userSubjectNameDefaultImpl
>> policyset.set1.p1.default.name=User Supplied Subject Name Default
>> policyset.set1.p2.constraint.class_id=noConstraintImpl
>> policyset.set1.p2.constraint.name=No Constraint
>> policyset.set1.p2.default.class_id=validityDefaultImpl
>> policyset.set1.p2.default.name=Validity Default
>> policyset.set1.p2.default.params.range=180
>> policyset.set1.p2.default.params.startTime=0
>> policyset.set1.p3.constraint.class_id=noConstraintImpl
>> policyset.set1.p3.constraint.name=No Constraint
>> policyset.set1.p3.default.class_id=userKeyDefaultImpl
>> policyset.set1.p3.default.name=User Supplied Key Default
>> policyset.set1.p3.default.params.keyMaxLength=4096
>> policyset.set1.p3.default.params.keyMinLength=512
>> policyset.set1.p3.default.params.keyType=RSA
>> policyset.set1.p4.constraint.class_id=noConstraintImpl
>> policyset.set1.p4.constraint.name=No Constraint
>> policyset.set1.p4.default.class_id=signingAlgDefaultImpl
>> policyset.set1.p4.default.name=Signing Algorithm Default
>> policyset.set1.p4.default.params.signingAlg=-
>> policyset.set1.p4.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,,SHA512withEC
>> policyset.set1.p5.constraint.class_id=noConstraintImpl
>> policyset.set1.p5.constraint.name=No Constraint
>> policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
>> policyset.set1.p5.default.name=Key Usage Extension Default
>> policyset.set1.p5.default.params.keyUsageCritical=true
>> policyset.set1.p5.default.params.keyUsageCrlSign=true
>> policyset.set1.p5.default.params.keyUsageDataEncipherment=true
>> policyset.set1.p5.default.params.keyUsageDecipherOnly=true
>> policyset.set1.p5.default.params.keyUsageDigitalSignature=true
>> policyset.set1.p5.default.params.keyUsageEncipherOnly=true
>> policyset.set1.p5.default.params.keyUsageKeyAgreement=true
>> policyset.set1.p5.default.params.keyUsageKeyCertSign=true
>> policyset.set1.p5.default.params.keyUsageKeyEncipherment=true
>> policyset.set1.p5.default.params.keyUsageNonRepudiation=true
>> visible=true
>>
>> thx in advance,
>> sergio
From jindrich.dolezal at adaptivemobile.com Wed Jan 22 12:09:57 2014
From: jindrich.dolezal at adaptivemobile.com (Jindrich Dolezal)
Date: Wed, 22 Jan 2014 13:09:57 +0100
Subject: [Pki-users] Add info to a new OID
In-Reply-To:
References: <52DFA704.4000202@adaptivemobile.com>
Message-ID: <52DFB515.60109@adaptivemobile.com>

what about openssl x509 -in certificate.crt -text

On 01/22/2014 01:07 PM, Sergio Pereira wrote:
> Hi JD,
>
> Just did it and I could sign the certificate. Any idea how to verify
> (list) the new OID info from a base64 cert?
> thx,
> sp
From shopereira at gmail.com Wed Jan 22 13:37:50 2014
From: shopereira at gmail.com (Sergio Pereira)
Date: Wed, 22 Jan 2014 11:37:50 -0200
Subject: [Pki-users] Add info to a new OID
In-Reply-To: <52DFB515.60109@adaptivemobile.com>
References: <52DFA704.4000202@adaptivemobile.com> <52DFB515.60109@adaptivemobile.com>
Message-ID:

nope ... I see the x509 format certificate but can't see the new OID info. What I also did was to import the cert into a browser and check the cert's details, and there is no new OID in it either.
sp

2014/1/22 Jindrich Dolezal
>
> what about openssl x509 -in certificate.crt -text
From Luca.Moretti at selex-es.com Wed Jan 22 14:38:39 2014
From: Luca.Moretti at selex-es.com (Moretti Luca)
Date: Wed, 22 Jan 2014 15:38:39 +0100
Subject: [Pki-users] using Dogtag as a time-stamping CA
Message-ID:

Hi all,

I've installed Dogtag 10.0.6 on Fedora 18. It's running fine.
I would like to create a sub-CA with the time-stamping extended key usage and then sign documents and their corresponding time-stamps with this certificate. I've seen a tool named "signtool".
Is it possible to use Dogtag for time-stamping purposes? Any suggestion for implementing this?

Thanks,
Luca

This email and any attachments are confidential to the intended recipient and may also be privileged. If you are not the intended recipient please delete it from your system and notify the sender. You should not copy it or use it for any purpose nor disclose or distribute its contents to any other person.

Please consider the environment before printing this email

From cfu at redhat.com Thu Jan 23 02:31:14 2014
From: cfu at redhat.com (Christina Fu)
Date: Wed, 22 Jan 2014 18:31:14 -0800
Subject: [Pki-users] Add info to a new OID
In-Reply-To:
References:
Message-ID: <52E07EF2.1080806@redhat.com>

Hi,

If I understand it correctly, you just want the OID to appear in the cert? If so, Generic Extension might be what you are looking for:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Admin_Guide/index.html#Generic_Extension_Default

Here is an example of it:
policyset.set1.p06.constraint.class_id=extensionConstraintImpl
policyset.set1.p06.constraint.name=Extension Constraint
policyset.set1.p06.constraint.params.extCritical=-
policyset.set1.p06.constraint.params.extOID=2.16.76.1.3.3
policyset.set1.p06.default.class_id=genericExtDefaultImpl
policyset.set1.p06.default.name=Generic Extension Default
policyset.set1.p06.default.params.genericExtData=bz
policyset.set1.p06.default.params.genericExtOID=2.16.76.1.3.3
policyset.set1.p06.default.params.genericExtCritical=false

In the above example, I just put your country OID in the profile, but I imagine you could change it to take it from the input. If you do so, you might want to lighten up on the constraint. I suggest you try the above hard-coded profile first, just to see if the cert comes out the way you are looking for, before adding input to the profile.

There is actually a bug in the GenericExtension area in regards to setting critical to true. I have yet to check the fix into Dogtag. Let me know if you do need that.

BTW, regarding userExtensionDefault, it can only be used if your CSR has the wanted extension in the request already, so it's not going to help you.

Hope this helps.
Christina

On 01/22/2014 02:41 AM, Sergio Pereira wrote:
> hi guys,
>
> I'm trying to create a certificate profile in a way to have at the end a certificate with special attributes (supplied by the user through the web enrollment form). I'm running dogtag 10.1 on Fedora 20... fresh install. I added a certificate profile using pkiconsole but I'm struggling with how to find the right Policies, Inputs and Outputs for the new profile. The OID I intend to write to it is 2.16.76.1.3.3 (country specific OID).
Here is my profile's config file: > > auth.instance_id= > desc=UserCNPJ > enable=false > enableBy=admin > input.CNPJ.class_id=genericInputImpl > input.CNPJ.name =Generic Input > input.CNPJ.params.gi_display_name0=Cadastro Nacional Pessoa Juridica > input.CNPJ.params.gi_display_name1= > input.CNPJ.params.gi_display_name2= > input.CNPJ.params.gi_display_name3= > input.CNPJ.params.gi_display_name4= > input.CNPJ.params.gi_param_enable0=true > input.CNPJ.params.gi_param_enable1=false > input.CNPJ.params.gi_param_enable2=false > input.CNPJ.params.gi_param_enable3=false > input.CNPJ.params.gi_param_enable4=false > input.CNPJ.params.gi_param_name0=cnpj > input.CNPJ.params.gi_param_name1= > input.CNPJ.params.gi_param_name2= > input.CNPJ.params.gi_param_name3= > input.CNPJ.params.gi_param_name4= > input.i1.class_id=keyGenInputImpl > input.i1.name =Key Generation Input > input.i2.class_id=subjectNameInputImpl > input.i2.name =Subject Name Input > input.i3.class_id=submitterInfoInputImpl > input.i3.name =Submitter Information Input > input.list=i1,i2,i3,CNPJ > input.params.gi_display_name0=Cadastro Nacional Pessoa Juridica > input.params.gi_display_name1= > input.params.gi_display_name2= > input.params.gi_display_name3= > input.params.gi_display_name4= > input.params.gi_param_enable0=true > input.params.gi_param_enable1=false > input.params.gi_param_enable2=false > input.params.gi_param_enable3=false > input.params.gi_param_enable4=false > input.params.gi_param_name0=cnpj > input.params.gi_param_name1= > input.params.gi_param_name2= > input.params.gi_param_name3= > input.params.gi_param_name4= > lastModified=1390319210315 > name=UserCNPJ > output.list=o1 > output.o1.class_id=certOutputImpl > output.o1.name =Certificate Output > policyset.list=set1 > policyset.set1.list=p1,p2,p3,p4,p5,p06 > policyset.set1.p06.constraint.class_id=noConstraintImpl > policyset.set1.p06.constraint.name > =No Constraint > policyset.set1.p06.default.class_id=userExtensionDefaultImpl > 
policyset.set1.p06.default.name > =User Supplied Extension Default > policyset.set1.p06.default.params.userExtOID=Comment Here... > policyset.set1.p1.constraint.class_id=noConstraintImpl > policyset.set1.p1.constraint.name > =No Constraint > policyset.set1.p1.default.class_id=userSubjectNameDefaultImpl > policyset.set1.p1.default.name > =User Supplied Subject Name Default > policyset.set1.p2.constraint.class_id=noConstraintImpl > policyset.set1.p2.constraint.name > =No Constraint > policyset.set1.p2.default.class_id=validityDefaultImpl > policyset.set1.p2.default.name > =Validity Default > policyset.set1.p2.default.params.range=180 > policyset.set1.p2.default.params.startTime=0 > policyset.set1.p3.constraint.class_id=noConstraintImpl > policyset.set1.p3.constraint.name > =No Constraint > policyset.set1.p3.default.class_id=userKeyDefaultImpl > policyset.set1.p3.default.name > =User Supplied Key Default > policyset.set1.p3.default.params.keyMaxLength=4096 > policyset.set1.p3.default.params.keyMinLength=512 > policyset.set1.p3.default.params.keyType=RSA > policyset.set1.p4.constraint.class_id=noConstraintImpl > policyset.set1.p4.constraint.name > =No Constraint > policyset.set1.p4.default.class_id=signingAlgDefaultImpl > policyset.set1.p4.default.name > =Signing Algorithm Default > policyset.set1.p4.default.params.signingAlg=- > policyset.set1.p4.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,,SHA512withEC > policyset.set1.p5.constraint.class_id=noConstraintImpl > policyset.set1.p5.constraint.name > =No Constraint > policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl > policyset.set1.p5.default.name > =Key Usage Extension Default > policyset.set1.p5.default.params.keyUsageCritical=true > policyset.set1.p5.default.params.keyUsageCrlSign=true > policyset.set1.p5.default.params.keyUsageDataEncipherment=true > policyset.set1.p5.default.params.keyUsageDecipherOnly=true > 
policyset.set1.p5.default.params.keyUsageDigitalSignature=true > policyset.set1.p5.default.params.keyUsageEncipherOnly=true > policyset.set1.p5.default.params.keyUsageKeyAgreement=true > policyset.set1.p5.default.params.keyUsageKeyCertSign=true > policyset.set1.p5.default.params.keyUsageKeyEncipherment=true > policyset.set1.p5.default.params.keyUsageNonRepudiation=true > visible=true > thx in advance, > sergio > > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From shopereira at gmail.com Thu Jan 23 12:12:28 2014 From: shopereira at gmail.com (Sergio Pereira) Date: Thu, 23 Jan 2014 10:12:28 -0200 Subject: [Pki-users] Add info to a new OID In-Reply-To: <52E07EF2.1080806@redhat.com> References: <52E07EF2.1080806@redhat.com> Message-ID: Hi Christina, I really appreciate for your response and time. I did try your suggestion but with no luck, when enrolling through web form I get the message: "Sorry, your request has been rejected. The reason is "Request Rejected - {0}". Attached is a picture of a real certificate, signed by a Brazilian CA and that is what I'm trying to accomplish using DogTag certificate system. The OID I'm trying to write to is marked in red and its value has some sort of Hex form (that would be the second step to be accomplished). One thing I realized is that the OID in question is in Subject Alternative Name and not as Generic Extension. thx, sp 2014/1/23 Christina Fu > Hi, > > If I understand it correctly, you just want the OID to appear in the > cert? 
> If so, Generic Extension might be what you are looking for:
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Admin_Guide/index.html#Generic_Extension_Default
>
> Here is an example of it:
> policyset.set1.p06.constraint.class_id=extensionConstraintImpl
> policyset.set1.p06.constraint.name=Extension Constraint
> policyset.set1.p06.constraint.params.extCritical=-
> policyset.set1.p06.constraint.params.extOID=2.16.76.1.3.3
> policyset.set1.p06.default.class_id=userExtensionDefaultImpl
> policyset.set1.p06.default.name=Generic Extension Default
> policyset.set1.p06.default.params.genericExtData=bz
> policyset.set1.p06.default.params.genericExtOID=2.16.76.1.3.3
> policyset.set1.p06.default.params.genericExtCritical=false
>
> In the above example, I just put your country OID in the profile, but I imagine you could change it to take it from the input. If you do so, you might want to lighten up on the constraint. I suggest you try the above hard-coded profile first, just to see if the cert comes out as what you are looking for, before adding input to the profile.
>
> There is actually a bug in the GenericExtension area in regards to setting critical to true. I have yet to check the fix into Dogtag. Let me know if you do need that.
>
> BTW, regarding userExtensionDefault, it can only be used if your CSR already has the wanted extension in the request, so it's not going to help you.
>
> Hope this helps.
> Christina
>
>
> On 01/22/2014 02:41 AM, Sergio Pereira wrote:
>> hi guys,
>>
>> I'm trying to create a certificate profile in a way to have at the end a certificate with special attributes (supplied by the user through the web enrollment form). I'm running dogtag 10.1 on Fedora 20...fresh install. I added a certificate profile using pkiconsole but I'm struggling with how to find the right Policies, Inputs and Outputs for the new profile. The OID I intend to write to it is 2.16.76.1.3.3 (country specific OID).
>> Here is my profile's config file:
>>
>> auth.instance_id=
>> desc=UserCNPJ
>> enable=false
>> enableBy=admin
>> input.CNPJ.class_id=genericInputImpl
>> input.CNPJ.name=Generic Input
>> input.CNPJ.params.gi_display_name0=Cadastro Nacional Pessoa Juridica
>> input.CNPJ.params.gi_display_name1=
>> input.CNPJ.params.gi_display_name2=
>> input.CNPJ.params.gi_display_name3=
>> input.CNPJ.params.gi_display_name4=
>> input.CNPJ.params.gi_param_enable0=true
>> input.CNPJ.params.gi_param_enable1=false
>> input.CNPJ.params.gi_param_enable2=false
>> input.CNPJ.params.gi_param_enable3=false
>> input.CNPJ.params.gi_param_enable4=false
>> input.CNPJ.params.gi_param_name0=cnpj
>> input.CNPJ.params.gi_param_name1=
>> input.CNPJ.params.gi_param_name2=
>> input.CNPJ.params.gi_param_name3=
>> input.CNPJ.params.gi_param_name4=
>> input.i1.class_id=keyGenInputImpl
>> input.i1.name=Key Generation Input
>> input.i2.class_id=subjectNameInputImpl
>> input.i2.name=Subject Name Input
>> input.i3.class_id=submitterInfoInputImpl
>> input.i3.name=Submitter Information Input
>> input.list=i1,i2,i3,CNPJ
>> input.params.gi_display_name0=Cadastro Nacional Pessoa Juridica
>> input.params.gi_display_name1=
>> input.params.gi_display_name2=
>> input.params.gi_display_name3=
>> input.params.gi_display_name4=
>> input.params.gi_param_enable0=true
>> input.params.gi_param_enable1=false
>> input.params.gi_param_enable2=false
>> input.params.gi_param_enable3=false
>> input.params.gi_param_enable4=false
>> input.params.gi_param_name0=cnpj
>> input.params.gi_param_name1=
>> input.params.gi_param_name2=
>> input.params.gi_param_name3=
>> input.params.gi_param_name4=
>> lastModified=1390319210315
>> name=UserCNPJ
>> output.list=o1
>> output.o1.class_id=certOutputImpl
>> output.o1.name=Certificate Output
>> policyset.list=set1
>> policyset.set1.list=p1,p2,p3,p4,p5,p06
>> policyset.set1.p06.constraint.class_id=noConstraintImpl
>> policyset.set1.p06.constraint.name=No Constraint
>> policyset.set1.p06.default.class_id=userExtensionDefaultImpl
>> policyset.set1.p06.default.name=User Supplied Extension Default
>> policyset.set1.p06.default.params.userExtOID=Comment Here...
>> policyset.set1.p1.constraint.class_id=noConstraintImpl
>> policyset.set1.p1.constraint.name=No Constraint
>> policyset.set1.p1.default.class_id=userSubjectNameDefaultImpl
>> policyset.set1.p1.default.name=User Supplied Subject Name Default
>> policyset.set1.p2.constraint.class_id=noConstraintImpl
>> policyset.set1.p2.constraint.name=No Constraint
>> policyset.set1.p2.default.class_id=validityDefaultImpl
>> policyset.set1.p2.default.name=Validity Default
>> policyset.set1.p2.default.params.range=180
>> policyset.set1.p2.default.params.startTime=0
>> policyset.set1.p3.constraint.class_id=noConstraintImpl
>> policyset.set1.p3.constraint.name=No Constraint
>> policyset.set1.p3.default.class_id=userKeyDefaultImpl
>> policyset.set1.p3.default.name=User Supplied Key Default
>> policyset.set1.p3.default.params.keyMaxLength=4096
>> policyset.set1.p3.default.params.keyMinLength=512
>> policyset.set1.p3.default.params.keyType=RSA
>> policyset.set1.p4.constraint.class_id=noConstraintImpl
>> policyset.set1.p4.constraint.name=No Constraint
>> policyset.set1.p4.default.class_id=signingAlgDefaultImpl
>> policyset.set1.p4.default.name=Signing Algorithm Default
>> policyset.set1.p4.default.params.signingAlg=-
>> policyset.set1.p4.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,,SHA512withEC
>> policyset.set1.p5.constraint.class_id=noConstraintImpl
>> policyset.set1.p5.constraint.name=No Constraint
>> policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
>> policyset.set1.p5.default.name=Key Usage Extension Default
>> policyset.set1.p5.default.params.keyUsageCritical=true
>> policyset.set1.p5.default.params.keyUsageCrlSign=true
>> policyset.set1.p5.default.params.keyUsageDataEncipherment=true
>> policyset.set1.p5.default.params.keyUsageDecipherOnly=true
>> policyset.set1.p5.default.params.keyUsageDigitalSignature=true
>> policyset.set1.p5.default.params.keyUsageEncipherOnly=true
>> policyset.set1.p5.default.params.keyUsageKeyAgreement=true
>> policyset.set1.p5.default.params.keyUsageKeyCertSign=true
>> policyset.set1.p5.default.params.keyUsageKeyEncipherment=true
>> policyset.set1.p5.default.params.keyUsageNonRepudiation=true
>> visible=true
>>
>> thx in advance,
>> sergio

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ScreenshotCert.png
Type: image/png
Size: 78799 bytes

From cfu at redhat.com Thu Jan 23 16:47:33 2014
From: cfu at redhat.com (Christina Fu)
Date: Thu, 23 Jan 2014 08:47:33 -0800
Subject: [Pki-users] Add info to a new OID
In-Reply-To:
References: <52E07EF2.1080806@redhat.com>
Message-ID: <52E147A5.9000106@redhat.com>

Hi Sergio,

I did wonder if what you needed was the Subject Alternative Name extension, but since you said it's a "special attribute" I thought you wanted something different ;-). The SubjectAlternativeName extension is easy to apply in Dogtag. First, here is info regarding SubjectAlternativeName:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Admin_Guide/index.html#Subject_Alternative_Name_Extension_Default

Scroll down a page or two and you will find Table B.21, Subject Alternative Name Extension Default Configuration Parameters. This is pretty much what you need. I think what you want for "Type" is "OIDName".
So for example, you would have:

policyset.set1.p06.constraint.class_id=noConstraintImpl
policyset.set1.p06.constraint.name=No Constraint
policyset.set1.p06.default.class_id=subjectAltNameExtDefaultImpl
policyset.set1.p06.default.name=Subject Alternative Name Extension Default
policyset.set1.p06.default.params.subjectAltNameExtCritical=false
policyset.set1.p06.default.params.subjAltNameNumGNs=1
policyset.set1.p06.default.params.subjAltExtType_0=OIDName
policyset.set1.p06.default.params.subjAltExtPattern_0=2.16.76.1.3.3
policyset.set1.p06.default.params.subjAltExtGNEnable_0=true

Again, you can change the pattern part to take it from the input once it's working. However, unless you are in a controlled environment, it's better to have a constraint (you can write a plugin to suit your needs). And unless you have multiple OIDs to insert, there is really no need to take it from the input.

Regarding Generic Extension, I know it should work. Maybe your value did not match the constraint. But it's a moot point now since you are looking for SAN.

hope this helps,
Christina
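As an added check (example code, not Dogtag's own and not posted by anyone in the thread): a small Python linter that reads a profile in the key=value form shown above and flags the points raised in the thread, namely an OIDName pattern that is not a literal OID, a userExtOID left at its placeholder, a SAN value substituted from the request with noConstraintImpl, and weak or empty entries in signingAlgsAllowed. It assumes Dogtag's $request...$ substitution syntax for patterns taken from the enrollment input; the sample profile is constructed from the snippets in the thread.

```python
"""Lint a Dogtag profile (key=value text) for the policy settings in this thread.
Added example, not Dogtag's own code; the '$' test assumes Dogtag's $request...$
substitution syntax for values taken from the enrollment input."""
import re

OID_RE = re.compile(r"^\d+(\.\d+)+$")
WEAK_ALGS = {"MD2withRSA", "MD5withRSA", "SHA1withRSA", "SHA1withEC"}


def parse_profile(text):
    """Parse 'key=value' lines into a dict, skipping blanks and comments."""
    pairs = (ln.split("=", 1) for ln in text.splitlines() if "=" in ln and not ln.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}


def lint_profile(cfg):
    """Return findings for every policy in every policy set (empty list = clean)."""
    out = []
    for pset in filter(None, cfg.get("policyset.list", "").split(",")):
        for pid in filter(None, cfg.get(f"policyset.{pset}.list", "").split(",")):
            base = f"policyset.{pset}.{pid}"
            default = cfg.get(f"{base}.default.class_id")
            constraint = cfg.get(f"{base}.constraint.class_id")
            p = f"{base}.default.params."
            if default == "subjectAltNameExtDefaultImpl":
                for i in range(int(cfg.get(p + "subjAltNameNumGNs", "0"))):
                    kind = cfg.get(p + f"subjAltExtType_{i}")
                    pat = cfg.get(p + f"subjAltExtPattern_{i}", "")
                    if cfg.get(p + f"subjAltExtGNEnable_{i}") != "true":
                        out.append(f"{pid}: general name {i} is not enabled")
                    # A request-substituted value needs a constraint, or any enrollee can put any OID in the SAN.
                    if "$" in pat and constraint == "noConstraintImpl":
                        out.append(f"{pid}: request-supplied SAN value without a constraint")
                    elif kind == "OIDName" and not OID_RE.match(pat):
                        out.append(f"{pid}: OIDName pattern {pat!r} is not a dotted OID")
            elif default == "userExtensionDefaultImpl":
                oid = cfg.get(p + "userExtOID", "")
                if not OID_RE.match(oid):
                    out.append(f"{pid}: userExtOID {oid!r} is not a dotted OID")
            elif default == "signingAlgDefaultImpl":
                algs = cfg.get(p + "signingAlgsAllowed", "").split(",")
                if "" in algs:
                    out.append(f"{pid}: empty entry in signingAlgsAllowed")
                out += [f"{pid}: weak signing algorithm {a} allowed" for a in sorted(WEAK_ALGS & set(algs))]
    return out


# Constructed sample: the SAN policy from the thread, plus the placeholder
# userExtOID and the signing-algorithm list from the original profile.
SAMPLE = """policyset.list=set1
policyset.set1.list=p4,p06,p07
policyset.set1.p06.constraint.class_id=noConstraintImpl
policyset.set1.p06.default.class_id=subjectAltNameExtDefaultImpl
policyset.set1.p06.default.params.subjAltNameNumGNs=1
policyset.set1.p06.default.params.subjAltExtType_0=OIDName
policyset.set1.p06.default.params.subjAltExtPattern_0=2.16.76.1.3.3
policyset.set1.p06.default.params.subjAltExtGNEnable_0=true
policyset.set1.p07.default.class_id=userExtensionDefaultImpl
policyset.set1.p07.default.params.userExtOID=Comment Here...
policyset.set1.p4.default.class_id=signingAlgDefaultImpl
policyset.set1.p4.default.params.signingAlgsAllowed=SHA256withRSA,MD5withRSA,,SHA512withEC
"""
```

Running lint_profile(parse_profile(SAMPLE)) reports nothing for the literal-OID SAN policy but flags the placeholder userExtOID and the MD5 and empty entries in the allowed signing algorithms.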