From jmrxto at gmail.com Wed Apr 24 04:21:23 2019
From: jmrxto at gmail.com (Jonathan Montero)
Date: Wed, 24 Apr 2019 00:21:23 -0400
Subject: [Pki-users] Certificate Policies
Message-ID:

Hi, I'm having an issue regarding the certificates policies.

It is as follows...
policyset.caCertSet.p7.constraint.class_id=noConstraintImpl
policyset.caCertSet.p7.constraint.name=No Constraint
policyset.caCertSet.p7.default.class_id=certificatePoliciesExtDefaultImpl
policyset.caCertSet.p7.default.name=Certificate Policies Extension Default
policyset.caCertSet.p7.default.params.Critical=true
policyset.caCertSet.p7.default.params.PoliciesExt.num=1
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.enable=true
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://url.com/
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=true
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=Some Text Here
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=1
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=Company text Here

So, with this configuration i got not all the result i want, don't know why....

i obtain
policyId=1.3.6.1.4.1.6.1.1.1.1

Also
CPSURI.value=http://url.com/

But can't get the explicitText.value and organization...

For some reason, those 2 latter options don't appear in the certificate.

What could this be?

Jonathan Montero
IT Professional | IT Trainer
M: 809-609-3003
S: tuxmontero
E: jmrxto at gmail.com
A: Santo Domingo, DR
jonathanmontero.com

From msauton at redhat.com Wed Apr 24 16:26:05 2019
From: msauton at redhat.com (Marc Sauton)
Date: Wed, 24 Apr 2019 09:26:05 -0700
Subject: [Pki-users] Certificate Policies
In-Reply-To:
References:
Message-ID:

make sure:
- in the profile, that policyset.caCertSet.list has p7
- the CA was restarted after the custom profile changes
- a review of the CA debug log, the profile you modified should be listed after a restart as, for example:
[14/Feb/2019:00:30:49][localhost-startStop-1]: added plugin profile caServerCertEnrollImpl Server Certificate Enrollment Profile Certificate Authority Server Certificate Enrollment Profile com.netscape.cms.profile.common.ServerCertCAEnrollProfile
[14/Feb/2019:00:31:43][localhost-startStop-1]: added plugin profile caServerCertEnrollImpl Server Certificate Enrollment Profile Certificate Authority Server Certificate Enrollment Profile com.netscape.cms.profile.common.ServerCertCAEnrollProfile
[14/Feb/2019:00:31:45][localhost-startStop-1]: Start Profile Creation - caServerCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[14/Feb/2019:00:31:45][localhost-startStop-1]: Done Profile Creation - caServerCert
[14/Feb/2019:00:31:45][localhost-startStop-1]: Registered Confirmation - caServerCert
and between the "Start" and "Done", there should be the details of the profile, with string "BasicProfile: createProfilePolicy" and more info
- review the same debug log after enrollment, for more details.
Thanks,
Marc S.

On Tue, Apr 23, 2019 at 9:23 PM Jonathan Montero wrote:
> Hi, I'm having an issue regarding the certificates policies.
>
> It is as follows...
> policyset.caCertSet.p7.constraint.class_id=noConstraintImpl
> policyset.caCertSet.p7.constraint.name=No Constraint
> policyset.caCertSet.p7.default.class_id=certificatePoliciesExtDefaultImpl
> policyset.caCertSet.p7.default.name=Certificate Policies Extension Default
> policyset.caCertSet.p7.default.params.Critical=true
> policyset.caCertSet.p7.default.params.PoliciesExt.num=1
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.enable=true
>
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
>
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
>
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
> http://url.com/
>
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=true
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=Some
> Text Here
>
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=1
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=Company
> text Here
>
> So, with this configuration i got not all the result i want, don't know
> why....
>
> i obtain
> policyId=1.3.6.1.4.1.6.1.1.1.1
>
> Also
> CPSURI.value=http://url.com/
>
> But can't get the explicitText.value and organization...
>
> For some reason, those 2 latter options don't appear in the certificate.
>
> What could this be?

From jmrxto at gmail.com Wed Apr 24 17:19:02 2019
From: jmrxto at gmail.com (Jonathan Montero)
Date: Wed, 24 Apr 2019 13:19:02 -0400
Subject: [Pki-users] Certificate Policies
In-Reply-To:
References:
Message-ID:

Hi, thanks for your answer

- in the profile, that policyset.caCertSet.list has p7 *DONE*
- the CA was restarted after the custom profile changes *DONE*
- debug log *DONE?*
[24/Apr/2019:12:45:33][http-bio-8443-exec-1]: RequestProcessor: profileId=caClase1
[24/Apr/2019:12:46:29][localhost-startStop-1]: Start Profile Creation - caClase1 caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[24/Apr/2019:12:46:29][localhost-startStop-1]: Done Profile Creation - caClase1
[24/Apr/2019:12:46:29][localhost-startStop-1]: Registered Confirmation - caClase1

Also looked for more logs...
I see an XML section for some reason i see this in the XML
This default populates a Certificate Policies Extension to the request.
The default values are Criticality=true, {PoliciesExt.num:1,{Enable:true,Policy Id:1.3.6.1.4.1.6.1.1.1.1,PolicyQualifiers.num:,{CPSuri Enable:true,UserNotice Enable:true,UserNoticeReference Organization:Company text Here,UserNoticeReference Numbers:1,UserNoticeReference Explicit Text:Some Text Here,CPS uri:http://url.com/}}}

*BUTTTTT, if i go down in the file i see*
PoliciesExt.certPolicy0.enable:true
PoliciesExt.certPolicy0.policyId:1.3.6.1.4.1.6.1.1.1.1
PoliciesExt.certPolicy0.PolicyQualifiers.num:1
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable:true
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value:http://url.com/
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable:*false*
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization:
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers:
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value:

*The last 3 lines are EMPTY.*

Jonathan Montero
IT Professional | IT Trainer
M: 809-609-3003
S: tuxmontero
E: jmrxto at gmail.com
A: Santo Domingo, DR
jonathanmontero.com

On Wed, Apr 24, 2019 at 12:26 PM Marc Sauton wrote:
> make sure:
> - in the profile, that policyset.caCertSet.list has p7
> - the CA was restarted after the custom profile changes
> - a review of the CA debug log, the profile you modified should be listed
> after a restart as, for example:
> [14/Feb/2019:00:30:49][localhost-startStop-1]: added plugin profile
> caServerCertEnrollImpl Server Certificate Enrollment Profile Certificate
> Authority Server Certificate Enrollment Profile
> com.netscape.cms.profile.common.ServerCertCAEnrollProfile
> [14/Feb/2019:00:31:43][localhost-startStop-1]: added plugin profile
> caServerCertEnrollImpl Server Certificate Enrollment Profile Certificate
> Authority Server Certificate Enrollment Profile
> com.netscape.cms.profile.common.ServerCertCAEnrollProfile
> [14/Feb/2019:00:31:45][localhost-startStop-1]: Start Profile Creation -
> caServerCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
> [14/Feb/2019:00:31:45][localhost-startStop-1]: Done Profile Creation -
> caServerCert
> [14/Feb/2019:00:31:45][localhost-startStop-1]: Registered Confirmation -
> caServerCert
> and between the "Start" and "Done", there should be the details of the
> profile, with string "BasicProfile: createProfilePolicy" and more info
> - review the same debug log after enrollment, for more details.
> Thanks,
> Marc S.
>
> On Tue, Apr 23, 2019 at 9:23 PM Jonathan Montero wrote:
>
>> Hi, I'm having an issue regarding the certificates policies.
>>
>> It is as follows...
>> policyset.caCertSet.p7.constraint.class_id=noConstraintImpl
>> policyset.caCertSet.p7.constraint.name=No Constraint
>> policyset.caCertSet.p7.default.class_id=certificatePoliciesExtDefaultImpl
>> policyset.caCertSet.p7.default.name=Certificate Policies Extension
>> Default
>> policyset.caCertSet.p7.default.params.Critical=true
>> policyset.caCertSet.p7.default.params.PoliciesExt.num=1
>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.enable=true
>>
>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
>>
>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
>>
>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
>> http://url.com/
>>
>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=true
>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=Some
>> Text Here
>>
>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=1
>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=Company
>> text Here
>>
>> So, with this configuration i got not all the
>> result i want, don't know
>> why....
>>
>> i obtain
>> policyId=1.3.6.1.4.1.6.1.1.1.1
>>
>> Also
>> CPSURI.value=http://url.com/
>>
>> But can't get the explicitText.value and organization...
>>
>> For some reason, those 2 latter options don't appear in the certificate.
>>
>> What could this be?

From msauton at redhat.com Wed Apr 24 19:31:07 2019
From: msauton at redhat.com (Marc Sauton)
Date: Wed, 24 Apr 2019 12:31:07 -0700
Subject: [Pki-users] Certificate Policies
In-Reply-To:
References:
Message-ID:

I see nothing that seems incorrect in your configurations, I will try a test, meanwhile, could you indicate the exact RHEL or Fedora versions and rpm -q pki-ca ?
and are there any other related debug log entries? (like about PolicyQualifiers0.usernotice.enable )
Thanks,
M.

On Wed, Apr 24, 2019 at 10:19 AM Jonathan Montero wrote:
> Hi, thanks for your answer
>
> - in the profile, that policyset.caCertSet.list has p7
> *DONE*
> - the CA was restarted after the custom profile changes *DONE*
> - debug log *DONE?*
> [24/Apr/2019:12:45:33][http-bio-8443-exec-1]: RequestProcessor:
> profileId=caClase1
> [24/Apr/2019:12:46:29][localhost-startStop-1]: Start Profile Creation -
> caClase1 caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
> [24/Apr/2019:12:46:29][localhost-startStop-1]: Done Profile Creation -
> caClase1
> [24/Apr/2019:12:46:29][localhost-startStop-1]: Registered Confirmation -
> caClase1
>
> Also looked for more logs...
> I see and XML section for some reason i see this in the XML
> This default populates a Certificate Policies Extension to
> the request. The default values are Criticality=true,
> {PoliciesExt.num:1,{Enable:true,Policy
> Id:1.3.6.1.4.1.6.1.1.1.1,PolicyQualifiers.num:,{CPSuri
> Enable:true,UserNotice Enable:true,UserNoticeReference Organization:Company
> text Here,UserNoticeReference Numbers:1,UserNoticeReference Explicit
> Text:Some Text Here,CPS uri:http://url.com/}}}
>
> *BUTTTTT, if i go down in the file i see*
> PoliciesExt.certPolicy0.enable:true
> PoliciesExt.certPolicy0.policyId:1.3.6.1.4.1.6.1.1.1.1
> PoliciesExt.certPolicy0.PolicyQualifiers.num:1
> PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable:true
> PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value:http://url.com/
> PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable:*false*
>
> PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization:
>
> PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers:
>
> PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value:
>
> *The last 3 lines are EMPTY.*
>
> On Wed, Apr 24, 2019 at 12:26 PM Marc Sauton wrote:
>
>> make sure:
>> - in the profile, that policyset.caCertSet.list has p7
>> - the CA was restarted after the custom profile changes
>> - a review of the CA debug log, the profile you modified should be listed
>> after a restart as, for example:
>> [14/Feb/2019:00:30:49][localhost-startStop-1]: added plugin profile
>> caServerCertEnrollImpl Server Certificate Enrollment Profile Certificate
>> Authority Server Certificate Enrollment Profile
>> com.netscape.cms.profile.common.ServerCertCAEnrollProfile
>> [14/Feb/2019:00:31:43][localhost-startStop-1]: added plugin profile
>> caServerCertEnrollImpl Server
>> Certificate Enrollment Profile Certificate
>> Authority Server Certificate Enrollment Profile
>> com.netscape.cms.profile.common.ServerCertCAEnrollProfile
>> [14/Feb/2019:00:31:45][localhost-startStop-1]: Start Profile Creation -
>> caServerCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
>> [14/Feb/2019:00:31:45][localhost-startStop-1]: Done Profile Creation -
>> caServerCert
>> [14/Feb/2019:00:31:45][localhost-startStop-1]: Registered Confirmation -
>> caServerCert
>> and between the "Start" and "Done", there should be the details of the
>> profile, with string "BasicProfile: createProfilePolicy" and more info
>> - review the same debug log after enrollment, for more details.
>> Thanks,
>> Marc S.
>>
>> On Tue, Apr 23, 2019 at 9:23 PM Jonathan Montero
>> wrote:
>>
>>> Hi, I'm having an issue regarding the certificates policies.
>>>
>>> It is as follows...
>>> policyset.caCertSet.p7.constraint.class_id=noConstraintImpl
>>> policyset.caCertSet.p7.constraint.name=No Constraint
>>> policyset.caCertSet.p7.default.class_id=certificatePoliciesExtDefaultImpl
>>> policyset.caCertSet.p7.default.name=Certificate Policies Extension
>>> Default
>>> policyset.caCertSet.p7.default.params.Critical=true
>>> policyset.caCertSet.p7.default.params.PoliciesExt.num=1
>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.enable=true
>>>
>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
>>>
>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
>>>
>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
>>> http://url.com/
>>>
>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=true
>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=Some
>>> Text Here
>>>
>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=1
>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=Company
>>> text Here
>>>
>>> So, with this configuration i got not all the result i want, don't know
>>> why....
>>>
>>> i obtain
>>> policyId=1.3.6.1.4.1.6.1.1.1.1
>>>
>>> Also
>>> CPSURI.value=http://url.com/
>>>
>>> But can't get the explicitText.value and organization...
>>>
>>> For some reason, those 2 latter options don't appear in the certificate.
>>>
>>> What could this be?

From jmrxto at gmail.com Wed Apr 24 19:52:10 2019
From: jmrxto at gmail.com (Jonathan Montero)
Date: Wed, 24 Apr 2019 15:52:10 -0400
Subject: [Pki-users] Certificate Policies
In-Reply-To:
References:
Message-ID:

Yes...

pki-ca-10.5.9-13.el7_6.noarch
CentOS

*Regarding the PolicyQualifiers0 in the debug log*

[24/Apr/2019:13:10:50][http-bio-8443-exec-1]: CAProcessor: - policyQualifiers: PoliciesExt.num:1^M
PoliciesExt.certPolicy0.enable:true^M
PoliciesExt.certPolicy0.policyId:1.3.6.1.4.1.6.1.1.1.1^M
PoliciesExt.certPolicy0.PolicyQualifiers.num:1^M
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable:true^M
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value:http://url.com/^M
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable:false^M
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization:^M
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers:^M
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value:^M

As i told you, in this case, it looks like DISABLED, but in the configuration file is ENABLED. That's what confuses me there...

*On the other hand, in the CS.cfg file, regarding that policy, look at this.*

ca.Policy.rule.CertificatePoliciesExt.certPolicy0.cpsURI=
ca.Policy.rule.CertificatePoliciesExt.certPolicy0.noticeRefNumbers=
ca.Policy.rule.CertificatePoliciesExt.certPolicy0.noticeRefOrganization=
ca.Policy.rule.CertificatePoliciesExt.certPolicy0.policyId=
ca.Policy.rule.CertificatePoliciesExt.certPolicy0.userNoticeExplicitText=
ca.Policy.rule.CertificatePoliciesExt.critical=true
ca.Policy.rule.CertificatePoliciesExt.enable=true
ca.Policy.rule.CertificatePoliciesExt.implName=CertificatePoliciesExt
ca.Policy.rule.CertificatePoliciesExt.numCertPolicies=1
ca.Policy.rule.CertificatePoliciesExt.predicate=

The Critical and the Enable, by default were disabled, but i enabled them, restarted the service, i even rebooted the server at all, but nothing yet.

Jonathan Montero
IT Professional | IT Trainer
M: 809-609-3003
S: tuxmontero
E: jmrxto at gmail.com
A: Santo Domingo, DR
jonathanmontero.com

On Wed, Apr 24, 2019 at 3:31 PM Marc Sauton wrote:
> I see nothing that seem incorrect in your configurations, I will try a
> test, meanwhile, could you indicate the exact RHEL or Fedora versions and
> rpm -q pki-ca ?
> and are there any other related debug log entries? (like about
> PolicyQualifiers0.usernotice.enable )
> Thanks,
> M.
>
> On Wed, Apr 24, 2019 at 10:19 AM Jonathan Montero
> wrote:
>
>> Hi, thanks for your answer
>>
>> - in the profile, that policyset.caCertSet.list has p7
>> *DONE*
>> - the CA was restarted after the custom profile changes *DONE*
>> - debug log *DONE?*
>> [24/Apr/2019:12:45:33][http-bio-8443-exec-1]: RequestProcessor:
>> profileId=caClase1
>> [24/Apr/2019:12:46:29][localhost-startStop-1]: Start Profile Creation -
>> caClase1 caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
>> [24/Apr/2019:12:46:29][localhost-startStop-1]: Done Profile Creation -
>> caClase1
>> [24/Apr/2019:12:46:29][localhost-startStop-1]: Registered Confirmation -
>> caClase1
>>
>> Also looked for more logs...
>> I see and XML section for some reason i see this in the XML
>> This default populates a Certificate Policies Extension to
>> the request.
>> The default values are Criticality=true,
>> {PoliciesExt.num:1,{Enable:true,Policy
>> Id:1.3.6.1.4.1.6.1.1.1.1,PolicyQualifiers.num:,{CPSuri
>> Enable:true,UserNotice Enable:true,UserNoticeReference Organization:Company
>> text Here,UserNoticeReference Numbers:1,UserNoticeReference Explicit
>> Text:Some Text Here,CPS uri:http://url.com/}}}
>>
>> *BUTTTTT, if i go down in the file i see*
>> PoliciesExt.certPolicy0.enable:true
>> PoliciesExt.certPolicy0.policyId:1.3.6.1.4.1.6.1.1.1.1
>> PoliciesExt.certPolicy0.PolicyQualifiers.num:1
>> PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable:true
>> PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value:
>> http://url.com/
>> PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable:*false*
>>
>> PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization:
>>
>> PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers:
>>
>> PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value:
>>
>> *The last 3 lines are EMPTY.*
>>
>> On Wed, Apr 24, 2019 at 12:26 PM Marc Sauton wrote:
>>
>>> make sure:
>>> - in the profile, that policyset.caCertSet.list has p7
>>> - the CA was restarted after the custom profile changes
>>> - a review of the CA debug log, the profile you modified should be
>>> listed after a restart as, for example:
>>> [14/Feb/2019:00:30:49][localhost-startStop-1]: added plugin profile
>>> caServerCertEnrollImpl Server Certificate Enrollment Profile Certificate
>>> Authority Server Certificate Enrollment Profile
>>> com.netscape.cms.profile.common.ServerCertCAEnrollProfile
>>> [14/Feb/2019:00:31:43][localhost-startStop-1]: added plugin profile
>>> caServerCertEnrollImpl Server Certificate Enrollment Profile Certificate
>>> Authority Server Certificate
>>> Enrollment Profile
>>> com.netscape.cms.profile.common.ServerCertCAEnrollProfile
>>> [14/Feb/2019:00:31:45][localhost-startStop-1]: Start Profile Creation -
>>> caServerCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
>>> [14/Feb/2019:00:31:45][localhost-startStop-1]: Done Profile Creation -
>>> caServerCert
>>> [14/Feb/2019:00:31:45][localhost-startStop-1]: Registered Confirmation -
>>> caServerCert
>>> and between the "Start" and "Done", there should be the details of the
>>> profile, with string "BasicProfile: createProfilePolicy" and more info
>>> - review the same debug log after enrollment, for more details.
>>> Thanks,
>>> Marc S.
>>>
>>> On Tue, Apr 23, 2019 at 9:23 PM Jonathan Montero
>>> wrote:
>>>
>>>> Hi, I'm having an issue regarding the certificates policies.
>>>>
>>>> It is as follows...
>>>> policyset.caCertSet.p7.constraint.class_id=noConstraintImpl
>>>> policyset.caCertSet.p7.constraint.name=No Constraint
>>>>
>>>> policyset.caCertSet.p7.default.class_id=certificatePoliciesExtDefaultImpl
>>>> policyset.caCertSet.p7.default.name=Certificate Policies Extension
>>>> Default
>>>> policyset.caCertSet.p7.default.params.Critical=true
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.num=1
>>>>
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.enable=true
>>>>
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
>>>>
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
>>>>
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
>>>> http://url.com/
>>>>
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=true
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=Some
>>>> Text Here
>>>>
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=1
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=Company
>>>> text Here
>>>>
>>>> So, with this configuration i got not all the result i want, don't know
>>>> why....
>>>>
>>>> i obtain
>>>> policyId=1.3.6.1.4.1.6.1.1.1.1
>>>>
>>>> Also
>>>> CPSURI.value=http://url.com/
>>>>
>>>> But can't get the explicitText.value and organization...
>>>>
>>>> For some reason, those 2 latter options don't appear in the certificate.
>>>>
>>>> What could this be?

From ftweedal at redhat.com Mon Apr 29 01:18:54 2019
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 29 Apr 2019 11:18:54 +1000
Subject: [Pki-users] Certificate Policies
In-Reply-To:
References:
Message-ID: <20190429011854.GG17746@T470s>

On Wed, Apr 24, 2019 at 12:21:23AM -0400, Jonathan Montero wrote:
> Hi, I'm having an issue regarding the certificates policies.
>
> It is as follows...
> policyset.caCertSet.p7.constraint.class_id=noConstraintImpl
> policyset.caCertSet.p7.constraint.name=No Constraint
> policyset.caCertSet.p7.default.class_id=certificatePoliciesExtDefaultImpl
> policyset.caCertSet.p7.default.name=Certificate Policies Extension Default
> policyset.caCertSet.p7.default.params.Critical=true
> policyset.caCertSet.p7.default.params.PoliciesExt.num=1
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.enable=true
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
> http://url.com/
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=true
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=Some
> Text Here
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=1
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=Company
> text Here
>
> So, with this configuration i got not all the result i want, don't know
> why....
>
> i obtain
> policyId=1.3.6.1.4.1.6.1.1.1.1
>
> Also
> CPSURI.value=http://url.com/
>
> But can't get the explicitText.value and organization...
>
> For some reason, those 2 latter options don't appear in the certificate.
>
> What could this be?
>

Dogtag cert policies config is very unfriendly.
Without having confirmed, I'm pretty sure you need something like:

PoliciesExt.certPolicy0.enable=true
PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
PoliciesExt.certPolicy0.PolicyQualifiers.num=2
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://url.com/
PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.enable=true
PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.explicitText.value=Some text Here
PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.noticeReference.noticeNumbers=1
PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.noticeReference.organization=Company text Here

Each policy qualifier can be either a CPS URI or a user notice, so if you want both, you need two qualifiers. This is not a restriction in Dogtag, rather it is part of X.509 standard:

   Qualifier ::= CHOICE {
        cPSuri           CPSuri,
        userNotice       UserNotice }

Hope that helps!

Cheers,
Fraser

From jmrxto at gmail.com Mon Apr 29 02:52:22 2019
From: jmrxto at gmail.com (Jonathan Montero)
Date: Sun, 28 Apr 2019 22:52:22 -0400
Subject: [Pki-users] Certificate Policies
In-Reply-To: <20190429011854.GG17746@T470s>
References: <20190429011854.GG17746@T470s>
Message-ID:

Thanks for your answer, but no, it didn't work...

i got a java error when i try to approve the certificate, meaning that something is wrong with the configuration.

To be a good config i had to take all those 1 to 0 back again.

Jonathan Montero
IT Professional | IT Trainer
M: 809-609-3003
S: tuxmontero
E: jmrxto at gmail.com
A: Santo Domingo, DR
jonathanmontero.com

On Sun, Apr 28, 2019 at 9:19 PM Fraser Tweedale wrote:
> On Wed, Apr 24, 2019 at 12:21:23AM -0400, Jonathan Montero wrote:
> > Hi, I'm having an issue regarding the certificates policies.
> >
> > It is as follows...
> > policyset.caCertSet.p7.constraint.class_id=noConstraintImpl
> > policyset.caCertSet.p7.constraint.name=No Constraint
> > policyset.caCertSet.p7.default.class_id=certificatePoliciesExtDefaultImpl
> > policyset.caCertSet.p7.default.name=Certificate Policies Extension
> Default
> > policyset.caCertSet.p7.default.params.Critical=true
> > policyset.caCertSet.p7.default.params.PoliciesExt.num=1
> > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.enable=true
> >
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
> >
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
> >
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
> > http://url.com/
> >
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=true
> >
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=Some
> > Text Here
> >
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=1
> >
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=Company
> > text Here
> >
> > So, with this configuration i got not all the result i want, don't know
> > why....
> >
> > i obtain
> > policyId=1.3.6.1.4.1.6.1.1.1.1
> >
> > Also
> > CPSURI.value=http://url.com/
> >
> > But can't get the explicitText.value and organization...
> >
> > For some reason, those 2 latter options don't appear in the certificate.
> >
> > What could this be?
> >
> Dogtag cert policies config is very unfriendly.
> Without having
> confirmed, I'm pretty sure you need something like:
>
> PoliciesExt.certPolicy0.enable=true
> PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
> PoliciesExt.certPolicy0.PolicyQualifiers.num=2
> PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
> PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://url.com/
> PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.enable=true
> PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.explicitText.value=Some
> text Here
>
> PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.noticeReference.noticeNumbers=1
> PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.noticeReference.organization=Company
> text Here
>
> Each policy qualified can be either a CPS URI or a user notice, so
> if you want both, you need two qualifiers. This is not a
> restriction in Dogtag, rather it is part of X.509 standard:
>
> Qualifier ::= CHOICE {
> cPSuri CPSuri,
> userNotice UserNotice }
>
> Hope that helps!
>
> Cheers,
> Fraser

From ftweedal at redhat.com Mon Apr 29 05:22:44 2019
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 29 Apr 2019 15:22:44 +1000
Subject: [Pki-users] Certificate Policies
In-Reply-To:
References: <20190429011854.GG17746@T470s>
Message-ID: <20190429052147.GL17746@T470s>

There's an error in the configuration, but as pointed out in another branch of the thread there is also a bug with argument order which is fatal to the UserNotice use case. So that will have to be triaged and fixed.

I did work out how to include multiple policy qualifiers, though.
UserNotice is broken but as an example, here's how to get two URIs (common prefix elided):

PoliciesExt.num=1
PolicyQualifiers.num=2
PoliciesExt.certPolicy0.enable=true
PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
PoliciesExt.certPolicy0.PolicyQualifiers.num=2
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://foo.com/
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
PoliciesExt.certPolicy0.PolicyQualifiers1.CPSURI.enable=true
PoliciesExt.certPolicy0.PolicyQualifiers1.CPSURI.value=http://bar.com/
PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.enable=false

It is necessary to include both CPSURL.enable=bool and usernotice.enable=bool, with CPSURL taking precedence.

The PolicyQualifiers.num=N applies to all policies, which is a bug (it prevents defining policies with different numbers of qualifiers). But it is adequate for a single-policy, multiple-qualifier use case.

Cheers,
Fraser

On Sun, Apr 28, 2019 at 10:52:22PM -0400, Jonathan Montero wrote:
> Thanks for your answer, but no, it didn't work...
>
> I got a java error when I try to approve the certificate, meaning that
> something is wrong with the configuration.
>
> To be a good config I had to take all those 1 to 0 back again.
>
> Jonathan Montero
>
> IT Professional | IT Trainer
> M: 809-609-3003
> S: tuxmontero
> E: jmrxto at gmail.com
> A: Santo Domingo, DR
>
> jonathanmontero.com
>
> On Sun, Apr 28, 2019 at 9:19 PM Fraser Tweedale wrote:
>
> > On Wed, Apr 24, 2019 at 12:21:23AM -0400, Jonathan Montero wrote:
> > > Hi, I'm having an issue regarding the certificates policies.
> > >
> > > It is as follows...
> > > policyset.caCertSet.p7.constraint.class_id=noConstraintImpl
> > > policyset.caCertSet.p7.constraint.name=No Constraint
> > > policyset.caCertSet.p7.default.class_id=certificatePoliciesExtDefaultImpl
> > > policyset.caCertSet.p7.default.name=Certificate Policies Extension Default
> > > policyset.caCertSet.p7.default.params.Critical=true
> > > policyset.caCertSet.p7.default.params.PoliciesExt.num=1
> > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.enable=true
> > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
> > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
> > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://url.com/
> > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=true
> > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=Some Text Here
> > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=1
> > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=Company text Here
> > >
> > > So, with this configuration I got not all the result I want, don't know why....
> > >
> > > I obtain
> > > policyId=1.3.6.1.4.1.6.1.1.1.1
> > >
> > > Also
> > > CPSURI.value=http://url.com/
> > >
> > > But can't get the explicitText.value and organization...
> > >
> > > For some reason, those 2 latter options don't appear in the certificate.
> > >
> > > What could this be?
> > >
> > Dogtag cert policies config is very unfriendly.
> > Without having confirmed, I'm pretty sure you need something like:
> >
> > PoliciesExt.certPolicy0.enable=true
> > PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
> > PoliciesExt.certPolicy0.PolicyQualifiers.num=2
> > PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
> > PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://url.com/
> > PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.enable=true
> > PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.explicitText.value=Some text Here
> > PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.noticeReference.noticeNumbers=1
> > PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.noticeReference.organization=Company text Here
> >
> > Each policy qualifier can be either a CPS URI or a user notice, so
> > if you want both, you need two qualifiers. This is not a
> > restriction in Dogtag, rather it is part of X.509 standard:
> >
> >   Qualifier ::= CHOICE {
> >       cPSuri      CPSuri,
> >       userNotice  UserNotice }
> >
> > Hope that helps!
> >
> > Cheers,
> > Fraser
> >

From ftweedal at redhat.com Mon Apr 29 07:24:41 2019
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 29 Apr 2019 17:24:41 +1000
Subject: [Pki-users] Certificate Policies
In-Reply-To: <20190429052147.GL17746@T470s>
References: <20190429011854.GG17746@T470s> <20190429052147.GL17746@T470s>
Message-ID: <20190429072441.GA17446@T470s>

On Mon, Apr 29, 2019 at 03:22:17PM +1000, Fraser Tweedale wrote:
> There's an error in the configuration, but as pointed out in another
> branch of the thread there is also a bug with argument order which
> is fatal to the UserNotice use case. So that will have to be
> triaged and fixed.
>
> I did work out how to include multiple policy qualifiers, though.
> UserNotice is broken but as an example, here's how to get two URIs
> (common prefix elided):
>
> PoliciesExt.num=1
> PolicyQualifiers.num=2
> PoliciesExt.certPolicy0.enable=true
> PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
> PoliciesExt.certPolicy0.PolicyQualifiers.num=2
> PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
> PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://foo.com/
> PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
> PoliciesExt.certPolicy0.PolicyQualifiers1.CPSURI.enable=true
> PoliciesExt.certPolicy0.PolicyQualifiers1.CPSURI.value=http://bar.com/
> PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.enable=false
>
> It is necessary to include both CPSURL.enable=bool and
> usernotice.enable=bool, with CPSURL taking precedence.
>
> The PolicyQualifiers.num=N applies to all policies, which is a bug
> (it prevents defining policies with different numbers of
> qualifiers). But it is adequate for a single-policy,
> multiple-qualifier use case.
>
> Cheers,
> Fraser
>

Filed ticket: https://pagure.io/dogtagpki/issue/3100

> On Sun, Apr 28, 2019 at 10:52:22PM -0400, Jonathan Montero wrote:
> > Thanks for your answer, but no, it didn't work...
> >
> > I got a java error when I try to approve the certificate, meaning that
> > something is wrong with the configuration.
> >
> > To be a good config I had to take all those 1 to 0 back again.
> >
> > Jonathan Montero
> >
> > IT Professional | IT Trainer
> > M: 809-609-3003
> > S: tuxmontero
> > E: jmrxto at gmail.com
> > A: Santo Domingo, DR
> >
> > jonathanmontero.com
> >
> > On Sun, Apr 28, 2019 at 9:19 PM Fraser Tweedale wrote:
> >
> > > On Wed, Apr 24, 2019 at 12:21:23AM -0400, Jonathan Montero wrote:
> > > > Hi, I'm having an issue regarding the certificates policies.
> > > >
> > > > It is as follows...
> > > > policyset.caCertSet.p7.constraint.class_id=noConstraintImpl
> > > > policyset.caCertSet.p7.constraint.name=No Constraint
> > > > policyset.caCertSet.p7.default.class_id=certificatePoliciesExtDefaultImpl
> > > > policyset.caCertSet.p7.default.name=Certificate Policies Extension Default
> > > > policyset.caCertSet.p7.default.params.Critical=true
> > > > policyset.caCertSet.p7.default.params.PoliciesExt.num=1
> > > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.enable=true
> > > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
> > > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
> > > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://url.com/
> > > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=true
> > > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=Some Text Here
> > > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=1
> > > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=Company text Here
> > > >
> > > > So, with this configuration I got not all the result I want, don't know why....
> > > >
> > > > I obtain
> > > > policyId=1.3.6.1.4.1.6.1.1.1.1
> > > >
> > > > Also
> > > > CPSURI.value=http://url.com/
> > > >
> > > > But can't get the explicitText.value and organization...
> > > >
> > > > For some reason, those 2 latter options don't appear in the certificate.
> > > >
> > > > What could this be?
> > > >
> > > Dogtag cert policies config is very unfriendly.
> > > Without having confirmed, I'm pretty sure you need something like:
> > >
> > > PoliciesExt.certPolicy0.enable=true
> > > PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
> > > PoliciesExt.certPolicy0.PolicyQualifiers.num=2
> > > PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
> > > PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://url.com/
> > > PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.enable=true
> > > PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.explicitText.value=Some text Here
> > > PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.noticeReference.noticeNumbers=1
> > > PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.noticeReference.organization=Company text Here
> > >
> > > Each policy qualifier can be either a CPS URI or a user notice, so
> > > if you want both, you need two qualifiers. This is not a
> > > restriction in Dogtag, rather it is part of X.509 standard:
> > >
> > >   Qualifier ::= CHOICE {
> > >       cPSuri      CPSuri,
> > >       userNotice  UserNotice }
> > >
> > > Hope that helps!
> > >
> > > Cheers,
> > > Fraser
> > >
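
The qualifier rules worked out in this thread, written as a lint over the profile parameters. This is an added example, not part of any message above and not Dogtag code: the function names are hypothetical, the common `policyset...params.` prefix is elided as in the thread, and the count of 1 used when `PolicyQualifiers.num` is absent is an assumption.

```python
def parse_params(text):
    """Parse key=value lines; the common profile prefix is elided."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def lint_policies(params):
    """Return findings for the qualifier rules stated in the thread."""
    findings = []
    n_pol = int(params.get("PoliciesExt.num", "0"))
    # Assumption: without PolicyQualifiers.num only qualifier 0 is read.
    n_qual = int(params.get("PolicyQualifiers.num", "1"))
    for p in range(n_pol):
        base = f"PoliciesExt.certPolicy{p}"
        if params.get(f"{base}.enable") != "true":
            continue
        for q in range(n_qual):
            qbase = f"{base}.PolicyQualifiers{q}"
            cps = params.get(f"{qbase}.CPSURI.enable")
            notice = params.get(f"{qbase}.usernotice.enable")
            for name, val in (("CPSURI", cps), ("usernotice", notice)):
                if val is None:
                    findings.append(f"{qbase}: {name}.enable is missing")
            # A qualifier is a CHOICE: one CPS URI or one user notice.
            if cps == "true" and notice == "true":
                findings.append(f"{qbase}: both types enabled, CPSURI "
                                "takes precedence and usernotice is dropped")
            elif cps != "true" and notice != "true":
                findings.append(f"{qbase}: no qualifier type enabled")
    return findings

# Constructed sample: the original poster's settings, prefix elided.
ORIGINAL = """\
PoliciesExt.num=1
PoliciesExt.certPolicy0.enable=true
PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://url.com/
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=true
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=Some Text Here
"""

if __name__ == "__main__":
    for finding in lint_policies(parse_params(ORIGINAL)):
        print(finding)
```

Run against the original settings, it reports the single qualifier that enables both types, which matches the missing explicitText and organization in the issued certificate; the two-URI configuration from the later message passes clean.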