[Pki-users] Certificate Policies

Marc Sauton msauton at redhat.com
Wed Apr 24 19:31:07 UTC 2019


I see nothing that seems incorrect in your configurations. I will try a
test; meanwhile, could you indicate the exact RHEL or Fedora versions and
the output of rpm -q pki-ca?
And are there any other related debug log entries (like about
PolicyQualifiers0.usernotice.enable)?
Thanks,
M.

On Wed, Apr 24, 2019 at 10:19 AM Jonathan Montero <jmrxto at gmail.com> wrote:

> Hi, thanks for your answer
>
> - in the profile, that policyset.caCertSet.list has p7
> *DONE*
> - the CA was restarted after the custom profile changes       *DONE*
> - debug log   *DONE?*
> [24/Apr/2019:12:45:33][http-bio-8443-exec-1]: RequestProcessor:
> profileId=caClase1
> [24/Apr/2019:12:46:29][localhost-startStop-1]: Start Profile Creation -
> caClase1 caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
> [24/Apr/2019:12:46:29][localhost-startStop-1]: Done Profile Creation -
> caClase1
> [24/Apr/2019:12:46:29][localhost-startStop-1]: Registered Confirmation -
> caClase1
>
> Also looked for more logs...
> I see an XML section; for some reason I see this in the XML:
> <description>This default populates a Certificate Policies Extension to
> the request. The default values are Criticality=true,
> {PoliciesExt.num:1,{Enable:true,Policy
> Id:1.3.6.1.4.1.6.1.1.1.1,PolicyQualifiers.num:,{CPSuri
> Enable:true,UserNotice Enable:true,UserNoticeReference Organization:Company
> text Here,UserNoticeReference Numbers:1,UserNoticeReference Explicit
> Text:Some Text Here,CPS uri:http://url.com/}}}</description>
>
> *BUT, if I go down in the file I see*
> PoliciesExt.certPolicy0.enable:true&#xD;
> PoliciesExt.certPolicy0.policyId:1.3.6.1.4.1.6.1.1.1.1&#xD;
> PoliciesExt.certPolicy0.PolicyQualifiers.num:1&#xD;
> PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable:true&#xD;
> PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value:http://url.com/&#xD;
> PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable:*false*&#xD;
> PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization:&#xD;
> PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers:&#xD;
> PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value:&#xD;
>
> *The last 3 lines are EMPTY.*
>
>
> Jonathan Montero
>
> IT Professional | IT Trainer
> M: 809-609-3003
> S: tuxmontero
> E: jmrxto at gmail.com
> A: Santo Domingo, DR
>
> jonathanmontero.com
>
> <https://www.linkedin.com/in/monterojonathan>
> <https://twitter.com/tuxmontero> <https://www.facebook.com/jmrxto>
> <https://github.com/tuxmontero>
>
>
>
> On Wed, Apr 24, 2019 at 12:26 PM Marc Sauton <msauton at redhat.com> wrote:
>
>> make sure:
>> - in the profile, that policyset.caCertSet.list has p7
>> - the CA was restarted after the custom profile changes
>> - a review of the CA debug log, the profile you modified should be listed
>> after a restart as, for example:
>> [14/Feb/2019:00:30:49][localhost-startStop-1]: added plugin profile
>> caServerCertEnrollImpl Server Certificate Enrollment Profile Certificate
>> Authority Server Certificate Enrollment Profile
>> com.netscape.cms.profile.common.ServerCertCAEnrollProfile
>> [14/Feb/2019:00:31:43][localhost-startStop-1]: added plugin profile
>> caServerCertEnrollImpl Server Certificate Enrollment Profile Certificate
>> Authority Server Certificate Enrollment Profile
>> com.netscape.cms.profile.common.ServerCertCAEnrollProfile
>> [14/Feb/2019:00:31:45][localhost-startStop-1]: Start Profile Creation -
>> caServerCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
>> [14/Feb/2019:00:31:45][localhost-startStop-1]: Done Profile Creation -
>> caServerCert
>> [14/Feb/2019:00:31:45][localhost-startStop-1]: Registered Confirmation -
>> caServerCert
>> and between the "Start" and "Done", there should be the details of the
>> profile, with string "BasicProfile: createProfilePolicy" and more info
>> - review the same debug log after enrollment, for more details.
>> Thanks,
>> Marc S.
>>
>> On Tue, Apr 23, 2019 at 9:23 PM Jonathan Montero <jmrxto at gmail.com>
>> wrote:
>>
>>> Hi, I'm having an issue regarding the certificate policies.
>>>
>>> It is as follows...
>>> policyset.caCertSet.p7.constraint.class_id=noConstraintImpl
>>> policyset.caCertSet.p7.constraint.name=No Constraint
>>> policyset.caCertSet.p7.default.class_id=certificatePoliciesExtDefaultImpl
>>> policyset.caCertSet.p7.default.name=Certificate Policies Extension Default
>>> policyset.caCertSet.p7.default.params.Critical=true
>>> policyset.caCertSet.p7.default.params.PoliciesExt.num=1
>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.enable=true
>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://url.com/
>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=true
>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=Some Text Here
>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=1
>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=Company text Here
>>>
>>>
>>> So, with this configuration I do not get all the results I want, don't know
>>> why....
>>>
>>> I obtain
>>> policyId=1.3.6.1.4.1.6.1.1.1.1
>>>
>>> Also
>>> CPSURI.value=http://url.com/
>>>
>>> But can't get the explicitText.value and organization...
>>>
>>> For some reason, those 2 latter options don't appear in the certificate.
>>>
>>> What could this be?
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>>
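The thread never shows what the issued certificate's Certificate Policies extension actually contains beyond the policy OID and CPS URI, and that is the thing to verify before touching the profile again. The following is an added example, not code from the thread and not part of Dogtag/pki-ca: a small DER encoder and decoder for the certificatePolicies extension (RFC 5280, section 4.2.1.4) plus a check that reports which of the profile's intended qualifiers (CPSURI, usernotice noticeReference organization, explicitText) are absent from a given extension value. The policy OID and strings are the ones from the posted profile; the "observed" extension is constructed here by encoding only the parts the reporter says appear, it is not bytes copied from a real certificate.

```python
"""Encode/decode an X.509 certificatePolicies extension and diff it against
the profile's intended qualifiers. Added example for the pki-users thread;
not Dogtag code. Sample values are the ones from the posted profile."""

ID_QT_CPS = "1.3.6.1.5.5.7.2.1"      # PolicyQualifierId for CPS URI
ID_QT_UNOTICE = "1.3.6.1.5.5.7.2.2"  # PolicyQualifierId for UserNotice

# ---- minimal DER primitives (enough for this extension) -------------------
def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def _seq(*parts):
    return _tlv(0x30, b"".join(parts))

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for v in [arcs[0] * 40 + arcs[1]] + arcs[2:]:   # base-128, first two arcs merged
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _integer(n):  # non-negative only; extra byte keeps the sign bit clear
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _read_tlv(data, i):
    tag, ln, i = data[i], data[i + 1], i + 2
    if ln & 0x80:                      # long-form length
        n = ln & 0x7F
        ln, i = int.from_bytes(data[i:i + n], "big"), i + n
    return tag, data[i:i + ln], i + ln

def _children(body):
    items, i = [], 0
    while i < len(body):
        tag, val, i = _read_tlv(body, i)
        items.append((tag, val))
    return items

def _decode_oid(b):
    values, v = [], 0
    for c in b:
        v = (v << 7) | (c & 0x7F)
        if not c & 0x80:
            values.append(v)
            v = 0
    head = [values[0] // 40, values[0] % 40] if values[0] < 80 else [2, values[0] - 80]
    return ".".join(str(a) for a in head + values[1:])

# DisplayText is a CHOICE of IA5String, VisibleString, UTF8String, BMPString
_TEXT = {0x16: "ascii", 0x1A: "ascii", 0x0C: "utf-8", 0x1E: "utf-16-be"}

# ---- encoder: one dict per policy, shaped like the profile parameters -----
def encode_certificate_policies(policies):
    infos = []
    for p in policies:
        quals = []
        if p.get("cps"):   # CPSURI.enable / CPSURI.value
            quals.append(_seq(_oid(ID_QT_CPS), _tlv(0x16, p["cps"].encode("ascii"))))
        un = p.get("usernotice")   # usernotice.enable + its sub-values
        if un:
            body = b""
            if un.get("organization") is not None:   # NoticeReference
                body += _seq(_tlv(0x0C, un["organization"].encode("utf-8")),
                             _seq(*[_integer(n) for n in un.get("noticeNumbers", [])]))
            if un.get("explicitText") is not None:
                body += _tlv(0x0C, un["explicitText"].encode("utf-8"))
            quals.append(_seq(_oid(ID_QT_UNOTICE), _seq(body)))
        info = _oid(p["policyId"]) + (_seq(*quals) if quals else b"")
        infos.append(_seq(info))
    return _seq(*infos)

# ---- decoder: returns the same dict shape, lists for repeated qualifiers --
def decode_certificate_policies(der):
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    policies = []
    for _, info in _children(body):
        parts = _children(info)
        pol = {"policyId": _decode_oid(parts[0][1]), "cps": [], "usernotice": []}
        for _, qual in (_children(parts[1][1]) if len(parts) > 1 else []):
            (_, qid), (qtag, qval) = _children(qual)
            qid = _decode_oid(qid)
            if qid == ID_QT_CPS:
                pol["cps"].append(qval.decode(_TEXT[qtag]))
            elif qid == ID_QT_UNOTICE:
                un = {"organization": None, "noticeNumbers": [], "explicitText": None}
                for t, v in _children(qval):
                    if t == 0x30:   # noticeRef SEQUENCE { organization, noticeNumbers }
                        (otag, oval), (_, nums) = _children(v)
                        un["organization"] = oval.decode(_TEXT[otag])
                        un["noticeNumbers"] = [int.from_bytes(n, "big") for _, n in _children(nums)]
                    else:           # explicitText DisplayText
                        un["explicitText"] = v.decode(_TEXT[t])
                pol["usernotice"].append(un)
        policies.append(pol)
    return policies

def missing_qualifiers(der, expected):
    """Names (profile-parameter style) of expected fields absent from der."""
    got = {p["policyId"]: p for p in decode_certificate_policies(der)}
    missing = []
    for exp in expected:
        p = got.get(exp["policyId"])
        if p is None:
            missing.append("policyId " + exp["policyId"])
            continue
        if exp.get("cps") and exp["cps"] not in p["cps"]:
            missing.append("CPSURI")
        un = exp.get("usernotice") or {}
        notices = p["usernotice"]
        if un.get("organization") is not None and not any(n["organization"] == un["organization"] for n in notices):
            missing.append("usernotice.noticeReference.organization")
        if un.get("explicitText") is not None and not any(n["explicitText"] == un["explicitText"] for n in notices):
            missing.append("usernotice.explicitText")
    return missing

# Intended content of the p7 default from the posted profile.
PROFILE_POLICY = {"policyId": "1.3.6.1.4.1.6.1.1.1.1", "cps": "http://url.com/",
                  "usernotice": {"organization": "Company text Here",
                                 "noticeNumbers": [1], "explicitText": "Some Text Here"}}
EXPECTED_DER = encode_certificate_policies([PROFILE_POLICY])
# Constructed stand-in for what the reporter sees issued: OID and CPS URI only.
OBSERVED_DER = encode_certificate_policies([{"policyId": PROFILE_POLICY["policyId"],
                                             "cps": PROFILE_POLICY["cps"]}])

if __name__ == "__main__":
    print(decode_certificate_policies(EXPECTED_DER))
    print("missing:", missing_qualifiers(OBSERVED_DER, [PROFILE_POLICY]))
```

To run this against a real certificate, take the extension value (the OCTET STRING that follows OID 2.5.29.32, certificatePolicies, in `openssl asn1parse -in cert.pem -i` output) and pass those bytes to decode_certificate_policies; `openssl x509 -in cert.pem -noout -text` prints the same qualifiers in readable form and is the quicker first check. A result of only CPSURI with an empty usernotice list matches the symptom described in the thread and points at the usernotice parameters, not at the policy OID or CPS handling.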