[Pki-users] Certificate Policies

Jonathan Montero jmrxto at gmail.com
Wed Apr 24 19:52:10 UTC 2019


Yes...
pki-ca-10.5.9-13.el7_6.noarch
CentOS

*Regarding the PolicyQualifiers0 in the debug log*
[24/Apr/2019:13:10:50][http-bio-8443-exec-1]: CAProcessor: -
policyQualifiers: PoliciesExt.num:1
PoliciesExt.certPolicy0.enable:true
PoliciesExt.certPolicy0.policyId:1.3.6.1.4.1.6.1.1.1.1
PoliciesExt.certPolicy0.PolicyQualifiers.num:1
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable:true
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value:http://url.com/
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable:false
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization:
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers:
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value:

As I told you, in this case it looks DISABLED, but in the
configuration file it is ENABLED.

That's what confuses me there...

*On the other hand, in the CS.cfg file, regarding that policy, look at
this.*
ca.Policy.rule.CertificatePoliciesExt.certPolicy0.cpsURI=
ca.Policy.rule.CertificatePoliciesExt.certPolicy0.noticeRefNumbers=
ca.Policy.rule.CertificatePoliciesExt.certPolicy0.noticeRefOrganization=
ca.Policy.rule.CertificatePoliciesExt.certPolicy0.policyId=
ca.Policy.rule.CertificatePoliciesExt.certPolicy0.userNoticeExplicitText=
ca.Policy.rule.CertificatePoliciesExt.critical=true
ca.Policy.rule.CertificatePoliciesExt.enable=true
ca.Policy.rule.CertificatePoliciesExt.implName=CertificatePoliciesExt
ca.Policy.rule.CertificatePoliciesExt.numCertPolicies=1
ca.Policy.rule.CertificatePoliciesExt.predicate=

The Critical and the Enable were disabled by default, but I enabled them,
restarted the service, and even rebooted the whole server, but nothing yet.


Jonathan Montero

IT Professional | IT Trainer
M: 809-609-3003
S: tuxmontero
E: jmrxto at gmail.com
A: Santo Domingo, DR

jonathanmontero.com

<https://www.linkedin.com/in/monterojonathan>
<https://twitter.com/tuxmontero> <https://www.facebook.com/jmrxto>
<https://github.com/tuxmontero>



On Wed, Apr 24, 2019 at 3:31 PM Marc Sauton <msauton at redhat.com> wrote:

> I see nothing that seems incorrect in your configurations. I will try a
> test; meanwhile, could you indicate the exact RHEL or Fedora versions and
> rpm -q pki-ca ?
> And are there any other related debug log entries? (like about
> PolicyQualifiers0.usernotice.enable )
> Thanks,
> M.
>
> On Wed, Apr 24, 2019 at 10:19 AM Jonathan Montero <jmrxto at gmail.com>
> wrote:
>
>> Hi, thanks for your answer
>>
>> - in the profile, that policyset.caCertSet.list has p7
>> *DONE*
>> - the CA was restarted after the custom profile changes       *DONE*
>> - debug log   *DONE?*
>> [24/Apr/2019:12:45:33][http-bio-8443-exec-1]: RequestProcessor:
>> profileId=caClase1
>> [24/Apr/2019:12:46:29][localhost-startStop-1]: Start Profile Creation -
>> caClase1 caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
>> [24/Apr/2019:12:46:29][localhost-startStop-1]: Done Profile Creation -
>> caClase1
>> [24/Apr/2019:12:46:29][localhost-startStop-1]: Registered Confirmation -
>> caClase1
>>
>> Also looked for more logs...
>> I see an XML section; for some reason I see this in the XML:
>> <description>This default populates a Certificate Policies Extension to
>> the request. The default values are Criticality=true,
>> {PoliciesExt.num:1,{Enable:true,Policy
>> Id:1.3.6.1.4.1.6.1.1.1.1,PolicyQualifiers.num:,{CPSuri
>> Enable:true,UserNotice Enable:true,UserNoticeReference Organization:Company
>> text Here,UserNoticeReference Numbers:1,UserNoticeReference Explicit
>> Text:Some Text Here,CPS uri:http://url.com/}}}</description>
>>
>> *BUTTTTT, if I go down in the file I see*
>> PoliciesExt.certPolicy0.enable:true
>> PoliciesExt.certPolicy0.policyId:1.3.6.1.4.1.6.1.1.1.1
>> PoliciesExt.certPolicy0.PolicyQualifiers.num:1
>> PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable:true
>> PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value:http://url.com/
>> PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable:*false*
>> PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization:
>> PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers:
>> PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value:
>>
>> *The last 3 lines are EMPTY.*
>>
>>
>>
>>
>>
>> On Wed, Apr 24, 2019 at 12:26 PM Marc Sauton <msauton at redhat.com> wrote:
>>
>>> make sure:
>>> - in the profile, that policyset.caCertSet.list has p7
>>> - the CA was restarted after the custom profile changes
>>> - a review of the CA debug log, the profile you modified should be
>>> listed after a restart as, for example:
>>> [14/Feb/2019:00:30:49][localhost-startStop-1]: added plugin profile
>>> caServerCertEnrollImpl Server Certificate Enrollment Profile Certificate
>>> Authority Server Certificate Enrollment Profile
>>> com.netscape.cms.profile.common.ServerCertCAEnrollProfile
>>> [14/Feb/2019:00:31:43][localhost-startStop-1]: added plugin profile
>>> caServerCertEnrollImpl Server Certificate Enrollment Profile Certificate
>>> Authority Server Certificate Enrollment Profile
>>> com.netscape.cms.profile.common.ServerCertCAEnrollProfile
>>> [14/Feb/2019:00:31:45][localhost-startStop-1]: Start Profile Creation -
>>> caServerCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
>>> [14/Feb/2019:00:31:45][localhost-startStop-1]: Done Profile Creation -
>>> caServerCert
>>> [14/Feb/2019:00:31:45][localhost-startStop-1]: Registered Confirmation -
>>> caServerCert
>>> and between the "Start" and "Done", there should be the details of the
>>> profile, with string "BasicProfile: createProfilePolicy" and more info
>>> - review the same debug log after enrollment, for more details.
>>> Thanks,
>>> Marc S.
>>>
>>> On Tue, Apr 23, 2019 at 9:23 PM Jonathan Montero <jmrxto at gmail.com>
>>> wrote:
>>>
>>>> Hi, I'm having an issue regarding the certificate policies.
>>>>
>>>> It is as follows...
>>>> policyset.caCertSet.p7.constraint.class_id=noConstraintImpl
>>>> policyset.caCertSet.p7.constraint.name=No Constraint
>>>> policyset.caCertSet.p7.default.class_id=certificatePoliciesExtDefaultImpl
>>>> policyset.caCertSet.p7.default.name=Certificate Policies Extension Default
>>>> policyset.caCertSet.p7.default.params.Critical=true
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.num=1
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.enable=true
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://url.com/
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=true
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=Some Text Here
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=1
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=Company text Here
>>>>
>>>>
>>>> So, with this configuration I don't get all the results I want, don't know
>>>> why....
>>>>
>>>> I obtain
>>>> policyId=1.3.6.1.4.1.6.1.1.1.1
>>>>
>>>> Also
>>>> CPSURI.value=http://url.com/
>>>>
>>>> But can't get the explicitText.value and organization...
>>>>
>>>> For some reason, those 2 latter options don't appear in the certificate.
>>>>
>>>> What could this be?
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Pki-users mailing list
>>>> Pki-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>
>>>
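Added example, not from the thread or from Dogtag itself: a stdlib-only Python decoder for the certificatePolicies extension value, so the issued certificate can be checked for what it actually carries rather than what the profile or the debug log claims. `sample_extension()` is a constructed DER encoding of the values quoted in the profile above (policy OID 1.3.6.1.4.1.6.1.1.1.1, the CPS URI and the user notice); `with_notice=False` is a hypothetical that models a CA which dropped the user notice, which is how the missing organization and explicitText would show up when decoding.

```python
# Stdlib-only decoder for the X.509 certificatePolicies extension value (RFC 5280, 4.2.1.4).
CPS_OID, UNOTICE_OID = "1.3.6.1.5.5.7.2.1", "1.3.6.1.5.5.7.2.2"      # id-qt-cps, id-qt-unotice
DER_CPS, DER_UNOTICE = bytes.fromhex("06082b06010505070201"), bytes.fromhex("06082b06010505070202")

def tlv(tag, content):                      # DER tag-length-value; short-form length is enough here
    assert len(content) < 128
    return bytes([tag, len(content)]) + content
def parse(data):                            # top-level (tag, content) pairs of a DER blob
    out, pos = [], 0
    while pos < len(data):
        tag, n, pos = data[pos], data[pos + 1], pos + 2
        if n & 0x80:                        # long-form length: n & 0x7F length bytes follow
            n, pos = int.from_bytes(data[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        out.append((tag, data[pos:pos + n])); pos += n
    return out
def decode_oid(body):                       # dotted form of OBJECT IDENTIFIER content bytes
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, cur = arcs + [cur], 0
    return ".".join(map(str, arcs))

def decode_certificate_policies(der):       # one dict per PolicyInformation; omitted parts stay None
    result = []
    for _, pol in parse(parse(der)[0][1]):
        fields = parse(pol)                 # policyIdentifier, then optional policyQualifiers
        entry = {"policyId": decode_oid(fields[0][1]), "cpsUri": None, "userNotice": None}
        for _, qual in (parse(fields[1][1]) if len(fields) > 1 else []):
            (_, qid), (_, body) = parse(qual)
            if decode_oid(qid) == CPS_OID:
                entry["cpsUri"] = body.decode("ascii")                  # IA5String
            elif decode_oid(qid) == UNOTICE_OID:
                notice = entry["userNotice"] = {"organization": None, "noticeNumbers": [], "explicitText": None}
                for tag, val in parse(body):
                    if tag == 0x30:                                     # noticeRef SEQUENCE
                        (_, org), (_, nums) = parse(val)
                        notice["organization"] = org.decode()
                        notice["noticeNumbers"] = [int.from_bytes(v, "big") for _, v in parse(nums)]
                    else:                                               # explicitText DisplayText
                        notice["explicitText"] = val.decode()
        result.append(entry)
    return result

def sample_extension(with_notice=True):     # constructed sample built from the profile values in the thread
    quals = tlv(0x30, DER_CPS + tlv(0x16, b"http://url.com/"))
    if with_notice:                         # False models a CA that silently dropped the user notice
        ref = tlv(0x30, tlv(0x0C, b"Company text Here") + tlv(0x30, tlv(0x02, b"\x01")))
        quals += tlv(0x30, DER_UNOTICE + tlv(0x30, ref + tlv(0x0C, b"Some Text Here")))
    return tlv(0x30, tlv(0x30, bytes.fromhex("060a2b060104010601010101") + tlv(0x30, quals)))
```

On a real certificate, `openssl x509 -in cert.pem -noout -text` prints the same fields under "X509v3 Certificate Policies", and `openssl asn1parse` can extract the raw extension value to feed to decode_certificate_policies().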