[Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA

Marcin Mierzejewski marcinmierzejewski1024 at gmail.com
Thu Oct 15 09:26:33 UTC 2015 

Ok, after futher reading this symmetric key is encypted with CA public key
in wrapSessionKey(...) method.
Question I still have is how to user in rest client?

2015-10-15 10:59 GMT+02:00 Marcin Mierzejewski <
marcinmierzejewski1024 at gmail.com>:

> Thanks fo clue. RMFPopClientTool is a cli tool. I check implementation and
> I found this method wrapPrivateKey(...).
> Can it be used to wrap private key which could be added to
> CertEnrollRequest to request certificate from my rest client?
> And do You have ideas how to get symmetric key for that? I think better
> solution would be use CA public key to encrypt it but I don't have that
> much knowlege in PKI and Dogtag architecture.
>
> 2015-10-14 19:25 GMT+02:00 John Magne <jmagne at redhat.com>:
>
>> If you see the email I sent the other day,
>> we make use of the CRMFPopClient tool that uses the transport key to wrap
>> the private key.
>>
>>
>>
>> ----- Original Message -----
>> From: "Marcin Mierzejewski" <marcinmierzejewski1024 at gmail.com>
>> To: "Dave Sirrine" <dsirrine at redhat.com>
>> Cc: pki-users at redhat.com
>> Sent: Wednesday, October 14, 2015 2:35:00 AM
>> Subject: Re: [Pki-users] Dogtag profile for encryption certificate with
>> storing private key in DRM/KRA
>>
>> But after this change it is not adding private key to DRM: /
>>
>> 2015-10-13 19:27 GMT+02:00 Dave Sirrine < dsirrine at redhat.com > :
>>
>>
>>
>> Marcin,
>>
>> Not sure what exactly you're looking for here, but the beauty of profiles
>> is you can create your own. If the ECC profile works as you would expect,
>> you can always create a copy with a new name and change the appropriate
>> lines. A quick diff of the two profiles you mention shows that there's not
>> a lot that's different between the two:
>>
>> diff caEncECUserCert.cfg caEncUserCert.cfg
>> 1c1
>> < desc=This certificate profile is for enrolling user ECC encryption
>> certificates. It works only with latest Firefox.
>> ---
>> > desc=This certificate profile is for enrolling user encryption
>> certificates with option to archive keys.
>> 5c5
>> < name=Manual User Encryption ECC Certificates Enrollment
>> ---
>> > name=Manual User Encryption Certificates Enrollment
>> 7,8c7,10
>> < input.list=i1
>> < input.i1.class_id=encKeyGenInputImpl
>> ---
>> > input.list=i1,i2,i3
>> > input.i1.class_id=certReqInputImpl
>> > input.i2.class_id=subjectNameInputImpl
>> > input.i3.class_id=submitterInfoInputImpl
>> 31,32c33,34
>> < policyset.encryptionCertSet.3.constraint.params.keyType=EC
>> <
>> policyset.encryptionCertSet.3.constraint.params.keyParameters=nistp256,nistp521
>> ---
>> > policyset.encryptionCertSet.3.constraint.params.keyType=RSA
>> >
>> policyset.encryptionCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
>> 93a96
>> >
>>
>> In theory (I have not tested this) you should be able to change the lines
>> for 'policyset.encryptionCertSet.3.constraint.params.keyType' and
>> 'policyset.encryptionCertSet.3.constraint.params.keyParameters' to match
>> the caEncUserCert.cfg profile and keep everything else the same. If you
>> have the KRA installed and configured to work with your CA, the encryption
>> keys should automatically be archived in the KRA.
>>
>> -- Dave
>>
>> On Tue, Oct 13, 2015 at 10:36 AM, Marcin Mierzejewski <
>> marcinmierzejewski1024 at gmail.com > wrote:
>>
>>
>>
>> there is a caEncECUserCert that works as I expect but generates Eliptic
>> curve certificate. Is there any eqiuvalent for RSA? And next question is:
>> could I use this profile to generate enduser certificate remote by calling
>> REST service?
>>
>> 2015-10-13 15:51 GMT+02:00 Marcin Mierzejewski <
>> marcinmierzejewski1024 at gmail.com > :
>>
>>
>>
>> Hi All,
>>
>> What I want is simple profile for requesting encryption(not sign)
>> personal certificate that will private key be stored in KRA/DRM. I check
>> existing profiles and found profile that name and description meet the
>> goals I want to achieve.
>>
>> CaEncUserCert.cfg
>>
>> this profile was not visible I change that. I opened this profile in end
>> user CA application
>>
>>
>> Certificate Profile - Manual User Encryption Certificates Enrollment
>>
>> This certificate profile is for enrolling user encryption certificates
>> with option to archive keys. Certificate Request Input
>>         * Certificate Request Type list ( pcks10 or crmf)
>>
>>         * Certificate Request (text area for request)
>> Subject Name
>> -fields with info about user(propably should be same values that were in
>> certificate request)
>> Requestor Information
>> - info about requestor
>>
>> How it's possible to store private key without even sending it to CA? can
>> be private key enclosed into "Certificate Request"? If answer is no - as I
>> think why there is a "option to archieve keys"?
>>
>>
>>
>>
>>
>>
>> Marcin
>>
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20151015/a7db5a13/attachment.htm>

More information about the Pki-users mailing list