[Pki-users] Add info to a new OID

Christina Fu cfu at redhat.com
Thu Jan 23 16:47:33 UTC 2014


Hi Sergio,

  I did wonder if what you needed was the Subject Alternative Name extension, 
but since you said it's a "special attribute" I thought you wanted 
something different ;-).

SubjectAlternativeName Extension is easy to apply in Dogtag.

First, here is info regarding SubjectAlternativeName:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Admin_Guide/index.html#Subject_Alternative_Name_Extension_Default

Scroll down a page or two and you will find Table B.21, Subject 
Alternative Name Extension Default Configuration Parameters.
This is pretty much what you need.  I think what you want for "Type" is 
"OIDName".

So for example, you would have:
policyset.set1.p06.constraint.class_id=noConstraintImpl
policyset.set1.p06.constraint.name=No Constraint
policyset.set1.p06.default.class_id=subjectAltNameExtDefaultImpl
policyset.set1.p06.default.name=Subject Alternative Name Extension Default
policyset.set1.p06.default.params.subjectAltNameExtCritical=false
policyset.set1.p06.default.params.subjAltNameNumGNs=1
policyset.set1.p06.default.params.subjAltExtType_0=OIDName
policyset.set1.p06.default.params.subjAltExtPattern_0=2.16.76.1.3.3
policyset.set1.p06.default.params.subjAltExtGNEnable_0=true

Again, you can change the pattern part to take the value from the input once 
it's working.  However, unless you are in a controlled environment, it's 
better to have a constraint (you can write a plugin to suit your 
needs).  And unless you have multiple OIDs to insert, there is really 
no need to take it from the input.

Regarding Generic Extension, I know it should work.  Maybe your value 
did not match the constraint.  But it's a moot point now since you are 
looking for SAN.

Hope this helps,
Christina

On 01/23/2014 04:12 AM, Sergio Pereira wrote:
> Hi Christina,
>
> I really appreciate your response and time. I did try your 
> suggestion but with no luck; when enrolling through the web form I get the 
> message: "Sorry, your request has been rejected. The reason is 
> "Request Rejected - {0}".
> Attached is a picture of a real certificate, signed by a Brazilian CA 
> and that is what I'm trying to accomplish using DogTag certificate 
> system. The OID I'm trying to write to is marked in red and its value 
> has some sort of Hex form (that would be the second step to 
> be accomplished). One thing I realized is that the OID in question is 
> in Subject Alternative Name and not as Generic Extension.
>
> thx,
> sp
>
>
> 2014/1/23 Christina Fu <cfu at redhat.com>
>
>     Hi,
>
>     If I understand it correctly, you just want the OID to appear in
>     the cert?  If so, Generic Extension might be what you are looking for:
>     https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Admin_Guide/index.html#Generic_Extension_Default
>
>     Here is an example of it:
>     policyset.set1.p06.constraint.class_id=extensionConstraintImpl
>     policyset.set1.p06.constraint.name=Extension Constraint
>     policyset.set1.p06.constraint.params.extCritical=-
>     policyset.set1.p06.constraint.params.extOID=2.16.76.1.3.3
>     policyset.set1.p06.default.class_id=genericExtDefaultImpl
>     policyset.set1.p06.default.name=Generic Extension Default
>     policyset.set1.p06.default.params.genericExtData=bz
>     policyset.set1.p06.default.params.genericExtOID=2.16.76.1.3.3
>     policyset.set1.p06.default.params.genericExtCritical=false
>
>     In the above example, I just put your country OID in the profile,
>     but I imagine you could change it to take it from the input.  If
>     you do so, you might want to lighten up on the constraint.  I
>     suggest you try the above hard-coded profile first just to see if
>     the cert comes out what you are looking for before adding input in
>     the profile.
>
>     There is actually a bug in the GenericExtension area in regards to
>     setting critical to true.  I have yet to check the fix into
>     Dogtag.  Let me know if you do need that.
>
>     BTW, regarding userExtensionDefault, it can only be used if your
>     CSR has the wanted extension in the request already, so it's not
>     going to help you.
>
>     Hope this helps.
>     Christina
>
>
>     On 01/22/2014 02:41 AM, Sergio Pereira wrote:
>>     hi guys,
>>
>>     I'm trying to create a certificate profile so that I end up
>>     with a certificate carrying a special attribute (supplied by the
>>     user through the web enrollment form). I'm running dogtag 10.1 on
>>     Fedora 20...fresh install. I added a certificate profile using
>>     pkiconsole but I'm struggling with how to find the right Policies,
>>     Inputs and Outputs for the new profile. The OID I intend to write
>>     to it is 2.16.76.1.3.3 (a country-specific OID). Here is my
>>     profile's config file:
>>
>>     auth.instance_id=
>>     desc=UserCNPJ
>>     enable=false
>>     enableBy=admin
>>     input.CNPJ.class_id=genericInputImpl
>>     input.CNPJ.name=Generic Input
>>     input.CNPJ.params.gi_display_name0=Cadastro Nacional Pessoa Juridica
>>     input.CNPJ.params.gi_display_name1=
>>     input.CNPJ.params.gi_display_name2=
>>     input.CNPJ.params.gi_display_name3=
>>     input.CNPJ.params.gi_display_name4=
>>     input.CNPJ.params.gi_param_enable0=true
>>     input.CNPJ.params.gi_param_enable1=false
>>     input.CNPJ.params.gi_param_enable2=false
>>     input.CNPJ.params.gi_param_enable3=false
>>     input.CNPJ.params.gi_param_enable4=false
>>     input.CNPJ.params.gi_param_name0=cnpj
>>     input.CNPJ.params.gi_param_name1=
>>     input.CNPJ.params.gi_param_name2=
>>     input.CNPJ.params.gi_param_name3=
>>     input.CNPJ.params.gi_param_name4=
>>     input.i1.class_id=keyGenInputImpl
>>     input.i1.name=Key Generation Input
>>     input.i2.class_id=subjectNameInputImpl
>>     input.i2.name=Subject Name Input
>>     input.i3.class_id=submitterInfoInputImpl
>>     input.i3.name=Submitter Information Input
>>     input.list=i1,i2,i3,CNPJ
>>     input.params.gi_display_name0=Cadastro Nacional Pessoa Juridica
>>     input.params.gi_display_name1=
>>     input.params.gi_display_name2=
>>     input.params.gi_display_name3=
>>     input.params.gi_display_name4=
>>     input.params.gi_param_enable0=true
>>     input.params.gi_param_enable1=false
>>     input.params.gi_param_enable2=false
>>     input.params.gi_param_enable3=false
>>     input.params.gi_param_enable4=false
>>     input.params.gi_param_name0=cnpj
>>     input.params.gi_param_name1=
>>     input.params.gi_param_name2=
>>     input.params.gi_param_name3=
>>     input.params.gi_param_name4=
>>     lastModified=1390319210315
>>     name=UserCNPJ
>>     output.list=o1
>>     output.o1.class_id=certOutputImpl
>>     output.o1.name=Certificate Output
>>     policyset.list=set1
>>     policyset.set1.list=p1,p2,p3,p4,p5,p06
>>     policyset.set1.p06.constraint.class_id=noConstraintImpl
>>     policyset.set1.p06.constraint.name=No Constraint
>>     policyset.set1.p06.default.class_id=userExtensionDefaultImpl
>>     policyset.set1.p06.default.name=User Supplied Extension Default
>>     policyset.set1.p06.default.params.userExtOID=Comment Here...
>>     policyset.set1.p1.constraint.class_id=noConstraintImpl
>>     policyset.set1.p1.constraint.name=No Constraint
>>     policyset.set1.p1.default.class_id=userSubjectNameDefaultImpl
>>     policyset.set1.p1.default.name=User Supplied Subject Name Default
>>     policyset.set1.p2.constraint.class_id=noConstraintImpl
>>     policyset.set1.p2.constraint.name=No Constraint
>>     policyset.set1.p2.default.class_id=validityDefaultImpl
>>     policyset.set1.p2.default.name=Validity Default
>>     policyset.set1.p2.default.params.range=180
>>     policyset.set1.p2.default.params.startTime=0
>>     policyset.set1.p3.constraint.class_id=noConstraintImpl
>>     policyset.set1.p3.constraint.name=No Constraint
>>     policyset.set1.p3.default.class_id=userKeyDefaultImpl
>>     policyset.set1.p3.default.name=User Supplied Key Default
>>     policyset.set1.p3.default.params.keyMaxLength=4096
>>     policyset.set1.p3.default.params.keyMinLength=512
>>     policyset.set1.p3.default.params.keyType=RSA
>>     policyset.set1.p4.constraint.class_id=noConstraintImpl
>>     policyset.set1.p4.constraint.name=No Constraint
>>     policyset.set1.p4.default.class_id=signingAlgDefaultImpl
>>     policyset.set1.p4.default.name=Signing Algorithm Default
>>     policyset.set1.p4.default.params.signingAlg=-
>>     policyset.set1.p4.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,,SHA512withEC
>>     policyset.set1.p5.constraint.class_id=noConstraintImpl
>>     policyset.set1.p5.constraint.name=No Constraint
>>     policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
>>     policyset.set1.p5.default.name=Key Usage Extension Default
>>     policyset.set1.p5.default.params.keyUsageCritical=true
>>     policyset.set1.p5.default.params.keyUsageCrlSign=true
>>     policyset.set1.p5.default.params.keyUsageDataEncipherment=true
>>     policyset.set1.p5.default.params.keyUsageDecipherOnly=true
>>     policyset.set1.p5.default.params.keyUsageDigitalSignature=true
>>     policyset.set1.p5.default.params.keyUsageEncipherOnly=true
>>     policyset.set1.p5.default.params.keyUsageKeyAgreement=true
>>     policyset.set1.p5.default.params.keyUsageKeyCertSign=true
>>     policyset.set1.p5.default.params.keyUsageKeyEncipherment=true
>>     policyset.set1.p5.default.params.keyUsageNonRepudiation=true
>>     visible=true
>>
>>     thx in advance,
>>     sergio
>>
>>
>>     _______________________________________________
>>     Pki-users mailing list
>>     Pki-users at redhat.com  <mailto:Pki-users at redhat.com>
>>     https://www.redhat.com/mailman/listinfo/pki-users
>
>
>
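To compare what a certificate issued by the profile actually carries against the reference certificate Sergio describes, here is a small SubjectAltName decoder (an added example, not Dogtag or Red Hat code). It tells apart the two GeneralName choices that carry an OID: registeredID, which is the bare OID, and otherName, which is the OID plus a tagged value (the form in which a value in hex would appear). The SAN bytes are constructed for the example; the OCTET STRING value type and the helper names are assumptions.

```python
# Decoder for the SubjectAltName GeneralName choices that carry an OID.
# Added example, not Dogtag or Red Hat code; pure Python, no ASN.1 library.
def _read(buf, i):
    # One DER TLV at offset i (short- or long-form length) -> (tag, content, next offset).
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:                              # long form: n & 0x7F length octets follow
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + n], i + n

def decode_oid(content):
    # First octet packs arcs 1 and 2 (40*a1 + a2); later arcs are base-128, MSB first.
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for octet in content[1:]:
        acc = (acc << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_san(der):
    # (choice, oid, value-hex) per GeneralName; dNSName is listed for context.
    tag, body, _ = _read(der, 0)
    assert tag == 0x30, "SubjectAltName is a SEQUENCE OF GeneralName"
    names, i = [], 0
    while i < len(body):
        tag, gn, i = _read(body, i)
        if tag == 0x88:                       # registeredID [8] IMPLICIT OID: OID only
            names.append(("registeredID", decode_oid(gn), None))
        elif tag == 0xA0:                     # otherName [0] IMPLICIT SEQUENCE
            _, oid, j = _read(gn, 0)          #   type-id OBJECT IDENTIFIER
            _, wrapped, _ = _read(gn, j)      #   value [0] EXPLICIT ANY
            _, inner, _ = _read(wrapped, 0)   #   the ANY itself (assumed OCTET STRING)
            names.append(("otherName", decode_oid(oid), inner.hex()))
        elif tag == 0x82:                     # dNSName [2] IMPLICIT IA5String
            names.append(("dNSName", gn.decode("ascii"), None))
    return names

def choices_for(der, oid):
    # Which GeneralName choice(s) carry this OID: compare an issued cert's SAN
    # against the reference certificate's before adjusting the profile.
    return [choice for choice, o, _ in parse_san(der) if o == oid]

# Constructed sample SAN: the thread's country OID 2.16.76.1.3.3 as an otherName
# with a three-byte OCTET STRING value, as a bare registeredID, and a dNSName.
SAMPLE_SAN = bytes.fromhex(
    "3024" "a00e0605604c010303a0050403010203"  # SEQUENCE; otherName(OID, OCTET STRING 010203)
    "8805604c010303"                           # registeredID(OID)
    "820b6578616d706c652e636f6d")              # dNSName("example.com")
```

Feed it the DER content of a real certificate's SubjectAltName extension (the bytes inside the extension's OCTET STRING) to list which choice carries the OID.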
