[Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA
John Magne
jmagne at redhat.com
Tue Oct 13 18:21:41 UTC 2015
Marcin:
What Dave said, but also we have another profile that is RSA for this:
caEncUserCert.cfg
Also, you can use the pki CLI to issue a request against such a profile:
The following is an approximate set of commands to experiment with:
RSA cert request
CRMFPopClient -d ~/.dogtag/nssdb/ -p password -o csr -a rsa -l 2048 -n "UID=username" -f caEncUserCert -b transport.pem
transport.pem is the KRA's transport cert, which can be found in the CA's CS.cfg
Download the profile
RSA:
pki cert-request-profile-show caUserCert --output testuser.xml
Edit testuser.xml to add the csr you just created.
cert_request= your csr
cert_request_type = crmf
Submit Request
pki cert-request-submit testuser.xml
Use the agent interface to approve the request.
More info:
http://pki.fedoraproject.org/wiki/PKI_Certificate_CLI
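The steps listed above, wrapped in a small POSIX shell script so they can be repeated without retyping them. This is an added example, not code from the thread or from the Dogtag project: the CRMFPopClient and pki invocations are the ones given in the message, but the template layout that fill_template edits (an <Attribute name="..."> element followed by a <Value> line), the default profile name caEncUserCert for the template download (the message shows caUserCert), and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Dogtag): drives the CRMF request,
# template download, template edit and submit steps. Approval still happens in
# the agent interface. Assumptions are marked in the comments.
set -eu

NSSDB="${NSSDB:-${HOME:-.}/.dogtag/nssdb}"   # client NSS database, as in the message
PROFILE="${PROFILE:-caEncUserCert}"         # assumption: the encryption profile from the subject line

# Step 1: build an RSA CRMF request whose private key is wrapped for the KRA.
# The transport cert is the KRA's transport certificate (found in the CA's CS.cfg).
make_crmf_request() {   # make_crmf_request <nssdb-password> <subject> <transport.pem> <out-file>
  CRMFPopClient -d "$NSSDB" -p "$1" -o "$4" -a rsa -l 2048 -n "$2" \
                -f "$PROFILE" -b "$3"
}

# Step 2: download the enrollment template for the profile.
fetch_template() {      # fetch_template <profile-id> <out.xml>
  pki cert-request-profile-show "$1" --output "$2"
}

# Step 3: fill cert_request_type and cert_request in the template.
# Assumption: each input attribute appears as
#   <Attribute name="cert_request_type"> ... <Value>...</Value> (or <Value/>)
# and only the first <Value> line after the matching attribute is rewritten.
# Base64 contains no XML-special characters, so the request is inlined verbatim.
fill_template() {       # fill_template <template.xml> <csr-file> <crmf|pkcs10>  -> stdout
  awk -v rtype="$3" -v csr="$(cat "$2")" '
    /name="cert_request_type"/ { want = rtype }
    /name="cert_request"/      { want = csr }
    want != "" && /<Value/ {
      sub(/<Value\/>|<Value>.*<\/Value>/, "<Value>" want "</Value>")
      want = ""
    }
    { print }
  ' "$1"
}

# Step 4: submit the filled-in request; an agent approves it afterwards.
submit_request() {      # submit_request <filled.xml>
  pki cert-request-submit "$1"
}

# End-to-end run only when invoked as: sh enroll.sh <nssdb-password> <transport.pem>
if [ "${1:-}" != "" ] && [ "${2:-}" != "" ]; then
  make_crmf_request "$1" "UID=username" "$2" csr
  fetch_template "$PROFILE" testuser.xml
  fill_template testuser.xml csr crmf > testuser-filled.xml
  submit_request testuser-filled.xml
fi
```

The private key never travels in the clear: CRMFPopClient encrypts it under the KRA transport certificate inside the CRMF request, which is why the transport cert is required at request-generation time and why the CA can archive a key it never sees unwrapped.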
----- Original Message -----
> From: "Dave Sirrine" <dsirrine at redhat.com>
> To: "Marcin Mierzejewski" <marcinmierzejewski1024 at gmail.com>
> Cc: pki-users at redhat.com
> Sent: Tuesday, October 13, 2015 10:27:10 AM
> Subject: Re: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA
>
> Marcin,
>
> Not sure what exactly you're looking for here, but the beauty of profiles is
> you can create your own. If the ECC profile works as you would expect, you
> can always create a copy with a new name and change the appropriate lines. A
> quick diff of the two profiles you mention shows that there's not a lot
> that's different between the two:
>
> diff caEncECUserCert.cfg caEncUserCert.cfg
> 1c1
> < desc=This certificate profile is for enrolling user ECC encryption
> certificates. It works only with latest Firefox.
> ---
> > desc=This certificate profile is for enrolling user encryption certificates
> > with option to archive keys.
> 5c5
> < name=Manual User Encryption ECC Certificates Enrollment
> ---
> > name=Manual User Encryption Certificates Enrollment
> 7,8c7,10
> < input.list=i1
> < input.i1.class_id=encKeyGenInputImpl
> ---
> > input.list=i1,i2,i3
> > input.i1.class_id=certReqInputImpl
> > input.i2.class_id=subjectNameInputImpl
> > input.i3.class_id=submitterInfoInputImpl
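Review bot: this hunk shows the two profiles differ in their inputs, not only in key type: the ECC profile takes its key through the `encKeyGenInputImpl` input (the description line ties that to recent Firefox), while the RSA profile takes a ready-made request via `certReqInputImpl` plus subject-name and submitter inputs. A copy of the ECC profile with only the keyType/keyParameters lines changed therefore keeps the browser-side input; if the goal is submitting a CRMF request from the CLI or REST, the `input.list` and `input.iN.class_id` lines of caEncUserCert.cfg are the ones to carry over as well.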
> 31,32c33,34
> < policyset.encryptionCertSet.3.constraint.params.keyType=EC
> <
> policyset.encryptionCertSet.3.constraint.params.keyParameters=nistp256,nistp521
> ---
> > policyset.encryptionCertSet.3.constraint.params.keyType=RSA
> > policyset.encryptionCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
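Review bot: the RSA constraint line `policyset.encryptionCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096` still admits 1024-bit keys, which is below the 2048-bit minimum generally recommended for RSA today; when this profile is copied as the basis for a new one, drop `1024` from the list so the constraint rejects such requests instead of archiving a weak key in the KRA. Note also that the ECC `keyParameters` line has been wrapped onto two lines in the mail, so anyone reconstructing the file from this quoted diff should rejoin it.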
> 93a96
> >
>
> In theory (I have not tested this) you should be able to change the lines for
> 'policyset.encryptionCertSet.3.constraint.params.keyType' and
> 'policyset.encryptionCertSet.3.constraint.params.keyParameters' to match the
> caEncUserCert.cfg profile and keep everything else the same. If you have the
> KRA installed and configured to work with your CA, the encryption keys
> should automatically be archived in the KRA.
>
> -- Dave
>
> On Tue, Oct 13, 2015 at 10:36 AM, Marcin Mierzejewski <marcinmierzejewski1024 at gmail.com> wrote:
>
> there is a caEncECUserCert that works as I expect but generates an Elliptic curve
> certificate. Is there any equivalent for RSA? And the next question is: could I
> use this profile to generate an end-user certificate remotely by calling a REST
> service?
>
> 2015-10-13 15:51 GMT+02:00 Marcin Mierzejewski <marcinmierzejewski1024 at gmail.com>:
>
> Hi All,
>
> What I want is a simple profile for requesting an encryption (not signing) personal
> certificate whose private key will be stored in the KRA/DRM. I checked the existing
> profiles and found a profile whose name and description meet the goals I want
> to achieve.
>
> CaEncUserCert.cfg
>
> this profile was not visible; I changed that. I opened this profile in the end user
> CA application
>
> Certificate Profile - Manual User Encryption Certificates Enrollment
>
> This certificate profile is for enrolling user encryption certificates with
> option to archive keys. Certificate Request Input
> * Certificate Request Type list (pkcs10 or crmf)
>
> * Certificate Request (text area for request)
> Subject Name
> - fields with info about the user (probably should be the same values that were in the
> certificate request)
> Requestor Information
> - info about requestor
>
> How is it possible to store the private key without even sending it to the CA? Can the
> private key be enclosed in the "Certificate Request"? If the answer is no, as I
> think, why is there an "option to archive keys"?
>
> Marcin
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
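Dave's suggestion of copying the ECC profile and changing only the key constraint lines, as an added example that is not code from the thread or from the Dogtag project. It goes one step beyond the quoted diff by letting the caller choose the allowed RSA sizes (the run below uses 2048,3072,4096 and leaves 1024 out). File paths, the display name, and the temporary-file handling are assumptions; registering the new profile with the CA is a separate step not shown here.

```shell
#!/bin/sh
# Added example (not from the thread or from Dogtag): derive an RSA encryption
# profile from the ECC one by copying it and rewriting only the name= line and
# the two key constraint lines that the quoted diff shows as differing.
set -eu

# Key-constraint prefix from the quoted diff, escaped for use in sed/grep BRE.
CONSTRAINT_RE='policyset\.encryptionCertSet\.3\.constraint\.params'

# derive_rsa_profile <src.cfg> <dst.cfg> <display-name> <comma-separated-sizes>
# Refuses to proceed if the source has no keyType constraint, so a wrong input
# file cannot silently yield a profile with no key-type limit at all.
derive_rsa_profile() {
  grep -q "^${CONSTRAINT_RE}\.keyType=" "$1" || {
    echo "no keyType constraint in $1" >&2
    return 1
  }
  sed \
    -e "s/^name=.*/name=$3/" \
    -e "s/^\(${CONSTRAINT_RE}\.keyType=\).*/\1RSA/" \
    -e "s/^\(${CONSTRAINT_RE}\.keyParameters=\).*/\1$4/" \
    "$1" > "$2"
}

# key_constraint <profile.cfg> -> prints "TYPE SIZES" for a quick look at the result
key_constraint() {
  t=$(sed -n "s/^${CONSTRAINT_RE}\.keyType=//p" "$1")
  s=$(sed -n "s/^${CONSTRAINT_RE}\.keyParameters=//p" "$1")
  echo "$t $s"
}

# min_key_size <profile.cfg> -> smallest size the profile would accept; a
# one-line policy check that a derived profile does not still admit 1024.
min_key_size() {
  sed -n "s/^${CONSTRAINT_RE}\.keyParameters=//p" "$1" | tr ',' '\n' | sort -n | head -n 1
}

# Run as: sh derive.sh caEncECUserCert.cfg caEncRSAUserCert.cfg   (names are assumptions)
if [ "${1:-}" != "" ] && [ "${2:-}" != "" ]; then
  derive_rsa_profile "$1" "$2" "Manual User Encryption RSA Certificates Enrollment" "2048,3072,4096"
  key_constraint "$2"
  min_key_size "$2"
fi
```

Everything outside the three rewritten lines, including the `input.list` and `input.i1.class_id` lines, is copied unchanged, so the derived profile still uses whatever request input the source profile had.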