[Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA

Marcin Mierzejewski marcinmierzejewski1024 at gmail.com
Wed Oct 14 09:29:05 UTC 2015


Thanks for the solution, Dave, but changing these 2 lines exits Firefox while
the browser tries to generate/send keys to Dogtag. I am using Firefox 17.0 (in
newer versions I get an error that crypto objects are not supported in these
versions). I don't get any stacktrace or anything to paste :/
I thought this class:
*encKeyGenInputImpl*
does not support generating an RSA pair,
so I replaced it with
*keyGenInputImpl*

And then it is working!

2015-10-13 19:27 GMT+02:00 Dave Sirrine <dsirrine at redhat.com>:

> Marcin,
>
> Not sure what exactly you're looking for here, but the beauty of profiles
> is you can create your own. If the ECC profile works as you would expect,
> you can always create a copy with a new name and change the appropriate
> lines. A quick diff of the two profiles you mention shows that there's not
> a lot that's different between the two:
>
> diff caEncECUserCert.cfg caEncUserCert.cfg
> 1c1
> < desc=This certificate profile is for enrolling user ECC encryption
> certificates. It works only with latest Firefox.
> ---
> > desc=This certificate profile is for enrolling user encryption
> certificates with option to archive keys.
> 5c5
> < name=Manual User Encryption ECC Certificates Enrollment
> ---
> > name=Manual User Encryption Certificates Enrollment
> 7,8c7,10
> < input.list=i1
> < input.i1.class_id=encKeyGenInputImpl
> ---
> > input.list=i1,i2,i3
> > input.i1.class_id=certReqInputImpl
> > input.i2.class_id=subjectNameInputImpl
> > input.i3.class_id=submitterInfoInputImpl
> 31,32c33,34
> < policyset.encryptionCertSet.3.constraint.params.keyType=EC
> <
> policyset.encryptionCertSet.3.constraint.params.keyParameters=nistp256,nistp521
> ---
> > policyset.encryptionCertSet.3.constraint.params.keyType=RSA
> >
> policyset.encryptionCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
> 93a96
> >
>
> In theory (I have not tested this) you should be able to change the lines
> for 'policyset.encryptionCertSet.3.constraint.params.keyType' and
> 'policyset.encryptionCertSet.3.constraint.params.keyParameters' to match
> the caEncUserCert.cfg profile and keep everything else the same. If you
> have the KRA installed and configured to work with your CA, the encryption
> keys should automatically be archived in the KRA.
>
> -- Dave
>
> On Tue, Oct 13, 2015 at 10:36 AM, Marcin Mierzejewski <
> marcinmierzejewski1024 at gmail.com> wrote:
>
>> There is a caEncECUserCert that works as I expect but generates an Elliptic
>> Curve certificate. Is there any equivalent for RSA? And the next question is:
>> could I use this profile to generate an end-user certificate remotely by calling
>> a REST service?
>>
>> 2015-10-13 15:51 GMT+02:00 Marcin Mierzejewski <
>> marcinmierzejewski1024 at gmail.com>:
>>
>>> Hi All,
>>>
>>> What I want is a simple profile for requesting an encryption (not signing)
>>> personal certificate whose private key will be stored in KRA/DRM. I checked
>>> existing profiles and found a profile whose name and description meet the
>>> goals I want to achieve.
>>>
>>> *CaEncUserCert.cfg*
>>>
>>> This profile was not visible; I changed that. I opened this profile in the end
>>> user CA application:
>>>
>>>
>>> *Certificate Profile - Manual User Encryption Certificates Enrollment *
>>>
>>> This certificate profile is for enrolling user encryption certificates
>>> with option to archive keys.
>>> *Certificate Request Input*
>>> - Certificate Request Type list (pkcs10 or crmf)
>>> - Certificate Request (text area for the request)
>>> *Subject Name* - fields with info about the user (probably should be the same
>>> values that were in the certificate request)
>>>
>>> *Requestor Information* - info about the requestor
>>>
>>> How is it possible to store the private key without even sending it to the CA?
>>> Can the private key be enclosed in the "Certificate Request"? If the answer is no,
>>> as I think, why is there an "option to archive keys"?
>>>
>>>
>>>
>>> Marcin
>>>
>>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>
>
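A small check for the kind of profile edit discussed in this thread, as an added example (not code from the thread, from Dogtag, or from either poster). It parses a Dogtag-style profile .cfg and reports whether the input class and key constraints match what the thread arrived at for browser-side RSA key generation with KRA archival. The sample profile text is constructed from the lines quoted above, and the 2048-bit minimum is this example's own assumption, not something the thread states.

```python
"""Sanity-check a Dogtag profile .cfg for RSA key generation with KRA archival."""

# Constructed sample: the RSA variant of caEncECUserCert.cfg as derived in the
# thread (keyType/keyParameters switched to RSA, encKeyGenInputImpl replaced
# by keyGenInputImpl). Not an actual file shipped with Dogtag.
SAMPLE_PROFILE = """\
desc=This certificate profile is for enrolling user RSA encryption certificates with key archival.
name=Manual User Encryption RSA Certificates Enrollment
input.list=i1
input.i1.class_id=keyGenInputImpl
policyset.encryptionCertSet.3.constraint.params.keyType=RSA
policyset.encryptionCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
"""

KEY_TYPE = "policyset.encryptionCertSet.3.constraint.params.keyType"
KEY_PARAMS = "policyset.encryptionCertSet.3.constraint.params.keyParameters"


def parse_profile(text):
    """Parse key=value lines into a dict, skipping blanks and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def check_archival_profile(cfg, min_rsa_bits=2048):
    """Return a list of findings; an empty list means the profile looks right.

    min_rsa_bits is an assumption of this example (2048 is the usual floor)."""
    findings = []
    ids = [i for i in cfg.get("input.list", "").split(",") if i]
    inputs = [cfg.get(f"input.{i}.class_id") for i in ids]
    if "keyGenInputImpl" not in inputs:
        findings.append("no keyGenInputImpl input: browser will not generate the RSA key pair")
    if "encKeyGenInputImpl" in inputs:
        findings.append("encKeyGenInputImpl present: per the thread it did not yield an RSA pair")
    key_type = cfg.get(KEY_TYPE)
    if key_type != "RSA":
        findings.append(f"keyType is {key_type!r}, expected RSA")
    params = cfg.get(KEY_PARAMS, "")
    weak = [p for p in params.split(",") if p.isdigit() and int(p) < min_rsa_bits]
    if weak:
        findings.append("weak RSA sizes allowed: " + ",".join(weak))
    return findings
```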