[Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA

John Magne jmagne at redhat.com
Tue Oct 13 18:21:41 UTC 2015


Marcin:

What Dave said, but we also have another profile that is RSA for this:

caEncUserCert.cfg

Also, you can use the pki CLI to issue a request against such a profile:

The following is an approximate set of commands to experiment with:


RSA cert request

    CRMFPopClient -d ~/.dogtag/nssdb/ -p password -o csr -a rsa -l 2048 -n "UID=username" -f caEncUserCert -b transport.pem

    transport.pem is the KRA's transport cert, which can be found in the CA's CS.cfg


Download the profile

RSA:

    pki cert-request-profile-show caUserCert --output testuser.xml


Edit testuser.xml to add the csr you just created.

cert_request = your csr
cert_request_type = crmf

Submit Request

pki cert-request-submit testuser.xml


Use the agent interface to approve the request.

More info:

http://pki.fedoraproject.org/wiki/PKI_Certificate_CLI


----- Original Message -----
> From: "Dave Sirrine" <dsirrine at redhat.com>
> To: "Marcin Mierzejewski" <marcinmierzejewski1024 at gmail.com>
> Cc: pki-users at redhat.com
> Sent: Tuesday, October 13, 2015 10:27:10 AM
> Subject: Re: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA
> 
> Marcin,
> 
> Not sure what exactly you're looking for here, but the beauty of profiles is
> you can create your own. If the ECC profile works as you would expect, you
> can always create a copy with a new name and change the appropriate lines. A
> quick diff of the two profiles you mention shows that there's not a lot
> that's different between the two:
> 
> diff caEncECUserCert.cfg caEncUserCert.cfg
> 1c1
> < desc=This certificate profile is for enrolling user ECC encryption
> certificates. It works only with latest Firefox.
> ---
> > desc=This certificate profile is for enrolling user encryption certificates
> > with option to archive keys.
> 5c5
> < name=Manual User Encryption ECC Certificates Enrollment
> ---
> > name=Manual User Encryption Certificates Enrollment
> 7,8c7,10
> < input.list=i1
> < input.i1.class_id=encKeyGenInputImpl
> ---
> > input.list=i1,i2,i3
> > input.i1.class_id=certReqInputImpl
> > input.i2.class_id=subjectNameInputImpl
> > input.i3.class_id=submitterInfoInputImpl
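Review bot: the input hunk is the part that matters for the CLI/REST path, not the key constraints. The ECC profile's single `encKeyGenInputImpl` input is the browser keygen path the `desc` line says works only with latest Firefox, whereas caEncUserCert's `certReqInputImpl` is the one that accepts a pasted PKCS#10 or CRMF request (with `subjectNameInputImpl` and `submitterInfoInputImpl` alongside). A copy of caEncECUserCert that only swaps keyType/keyParameters keeps the Firefox-only input; copy the `input.list` and `input.iN.class_id` lines from caEncUserCert as well, and update the `desc`/`name` lines so the new profile is not mislabelled.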
> 31,32c33,34
> < policyset.encryptionCertSet.3.constraint.params.keyType=EC
> <
> policyset.encryptionCertSet.3.constraint.params.keyParameters=nistp256,nistp521
> ---
> > policyset.encryptionCertSet.3.constraint.params.keyType=RSA
> > policyset.encryptionCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
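Review bot: the RSA `keyParameters` constraint `1024,2048,3072,4096` still admits 1024-bit keys. For an encryption key that is going to be archived in the KRA, drop `1024` in the copied profile so the constraint rejects anything below 2048, which also matches the `-l 2048` used with CRMFPopClient earlier in the thread; the ECC side's `nistp256,nistp521` has no comparably weak entry.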
> 93a96
> > 
> 
> In theory (I have not tested this) you should be able to change the lines for
> 'policyset.encryptionCertSet.3.constraint.params.keyType' and
> 'policyset.encryptionCertSet.3.constraint.params.keyParameters' to match the
> caEncUserCert.cfg profile and keep everything else the same. If you have the
> KRA installed and configured to work with your CA, the encryption keys
> should automatically be archived in the KRA.
> 
> -- Dave
> 
> On Tue, Oct 13, 2015 at 10:36 AM, Marcin Mierzejewski <
> marcinmierzejewski1024 at gmail.com > wrote:
> 
> 
> 
> There is a caEncECUserCert that works as I expect but generates an Elliptic Curve
> certificate. Is there any equivalent for RSA? And the next question is: could I
> use this profile to generate an end-user certificate remotely by calling a REST
> service?
> 
> 2015-10-13 15:51 GMT+02:00 Marcin Mierzejewski <
> marcinmierzejewski1024 at gmail.com > :
> 
> 
> 
> Hi All,
> 
> What I want is a simple profile for requesting an encryption (not signing) personal
> certificate whose private key will be stored in the KRA/DRM. I checked the existing
> profiles and found a profile whose name and description meet the goals I want
> to achieve.
> 
> caEncUserCert.cfg
> 
> This profile was not visible; I changed that. I opened this profile in the end-user
> CA application:
> 
> 
> Certificate Profile - Manual User Encryption Certificates Enrollment
> 
> This certificate profile is for enrolling user encryption certificates with
> option to archive keys.
> 
> Certificate Request Input
> 	* Certificate Request Type list (pkcs10 or crmf)
> 	* Certificate Request (text area for request)
> Subject Name
> 	- fields with info about the user (probably should be the same values that were in
> 	  the certificate request)
> Requestor Information
> 	- info about the requestor
> 
> How is it possible to store the private key without even sending it to the CA? Can
> the private key be enclosed in the "Certificate Request"? If the answer is no, as I
> think, why is there an "option to archive keys"?
> 
> Marcin
> 
> 
> 
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
> 
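The preparatory steps in John's recipe (find the transport cert in the CA's CS.cfg, download the profile XML, paste the CRMF into it, submit) are easy to get subtly wrong: a transport.pem made from the wrong CS.cfg value, or a ProfileID in the XML that is not the profile the CRMF was built for, only shows up when the KRA fails to unwrap the archived key or the request is approved against a profile without archival. The `-b transport.pem` option is what makes CRMFPopClient wrap the freshly generated private key to the KRA transport certificate inside the CRMF request, which is how the key reaches the KRA without the CA ever seeing it in the clear, and why the right transport cert matters. The Python helper below is an added example, not Dogtag's own code and not from anyone on the thread. It assumes the CA keeps the transport certificate in CS.cfg as a single-line base64 DER value under `ca.connector.KRA.transportCert`, and that `pki cert-request-profile-show --output` yields a CertEnrollmentRequest document with `<Input>/<Attribute name="...">/<Value>` elements; the CS.cfg excerpt and profile XML in the block are constructed to that shape, not captured from a real installation.

```python
"""Helpers for the manual CRMF + key-archival enrollment recipe from the
pki-users thread: (1) turn the KRA transport cert in the CA's CS.cfg into
transport.pem for CRMFPopClient -b, (2) fill the profile XML downloaded with
`pki cert-request-profile-show` with the CRMF and subject values.

Added example, not Dogtag's own code. Assumptions are marked below."""
import base64
import xml.etree.ElementTree as ET

# Assumption: the CA stores the KRA transport certificate in CS.cfg as a
# single-line base64 DER value under this key (no PEM armour).
TRANSPORT_CERT_KEY = "ca.connector.KRA.transportCert"


def transport_cert_to_pem(cs_cfg_text: str) -> str:
    """Return the KRA transport certificate as PEM for `CRMFPopClient -b`.

    Fails loudly if the key is absent or the value is not a DER certificate
    (every X.509 cert is an ASN.1 SEQUENCE, so the first byte must be 0x30).
    Wrapping the private key to the wrong certificate is only noticed when
    the KRA fails to unwrap it at archival time, so check here instead."""
    for line in cs_cfg_text.splitlines():
        if line.startswith(TRANSPORT_CERT_KEY + "="):
            value = line.split("=", 1)[1].strip()
            break
    else:
        raise ValueError(f"{TRANSPORT_CERT_KEY} not found in CS.cfg")
    der = base64.b64decode(value, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("value is not a DER-encoded X.509 certificate")
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def profile_id(xml_text: str) -> str:
    """ProfileID of a CertEnrollmentRequest document ('' if absent)."""
    return ET.fromstring(xml_text).findtext("ProfileID") or ""


def fill_enrollment_request(xml_text: str, expected_profile: str,
                            values: dict) -> str:
    """Set the <Value> of each named input attribute and return the XML.

    Assumption: the downloaded file is a CertEnrollmentRequest whose inputs
    are <Input><Attribute name="..."><Value/></Attribute></Input> (the shape
    of SAMPLE_PROFILE_XML below; the real file carries extra descriptors).
    The ProfileID is checked so a CRMF built for one profile is not submitted
    against another, and an attribute the profile does not have (e.g. when
    its input is encKeyGenInputImpl rather than certReqInputImpl) is an
    error instead of a silently dropped field."""
    root = ET.fromstring(xml_text)
    actual = root.findtext("ProfileID")
    if actual != expected_profile:
        raise ValueError(f"XML is for {actual!r}, expected {expected_profile!r}")
    for name, value in values.items():
        node = root.find(f".//Attribute[@name='{name}']/Value")
        if node is None:
            raise ValueError(f"profile {actual} has no input attribute {name!r}")
        node.text = value
    return ET.tostring(root, encoding="unicode")


def build_request(xml_text: str, profile: str, crmf_b64: str,
                  subject: dict) -> str:
    """The thread's recipe: cert_request_type = crmf, cert_request = the
    CRMFPopClient output, plus whatever subject-name fields the profile wants."""
    values = {"cert_request_type": "crmf", "cert_request": crmf_b64.strip()}
    values.update(subject)
    return fill_enrollment_request(xml_text, profile, values)


# ---- constructed sample inputs (not real Dogtag output) -------------------
SAMPLE_DER = bytes([0x30, 0x82, 0x00, 0x14]) + bytes(20)  # SEQUENCE header + filler
SAMPLE_DER_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_CS_CFG = f"# constructed CS.cfg excerpt\n{TRANSPORT_CERT_KEY}={SAMPLE_DER_B64}\n"
# Attribute names follow the caEncUserCert inputs listed in the thread
# (certReqInputImpl, subjectNameInputImpl); verify them against your own XML.
SAMPLE_PROFILE_XML = """<CertEnrollmentRequest>
  <ProfileID>caEncUserCert</ProfileID>
  <Renewal>false</Renewal>
  <Input id="i1">
    <ClassID>certReqInputImpl</ClassID>
    <Attribute name="cert_request_type"><Value/></Attribute>
    <Attribute name="cert_request"><Value/></Attribute>
  </Input>
  <Input id="i2">
    <ClassID>subjectNameInputImpl</ClassID>
    <Attribute name="sn_uid"><Value/></Attribute>
  </Input>
</CertEnrollmentRequest>
"""

if __name__ == "__main__":
    # Step 1: what goes into transport.pem for `CRMFPopClient ... -b transport.pem`
    print(transport_cert_to_pem(SAMPLE_CS_CFG))
    # Step 2 is CRMFPopClient itself; a constructed placeholder stands in for `csr`
    print(build_request(SAMPLE_PROFILE_XML, "caEncUserCert",
                        "Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=", {"sn_uid": "username"}))
```

Usage against a real installation: feed `transport_cert_to_pem` the CA's CS.cfg and write the result to transport.pem, run `CRMFPopClient ... -b transport.pem -o csr`, download the profile with `pki cert-request-profile-show caEncUserCert --output testuser.xml`, pass that file and the contents of `csr` to `build_request`, write the result back to testuser.xml and `pki cert-request-submit testuser.xml`, then approve in the agent interface as before. The ProfileID check is deliberate: keep the profile given to CRMFPopClient's `-f` and the one downloaded with `cert-request-profile-show` the same, so the archival option in the CRMF lands on a profile that actually archives.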



