[Pki-users] Certificate Policies
Fraser Tweedale
ftweedal at redhat.com
Mon Apr 29 01:18:54 UTC 2019
On Wed, Apr 24, 2019 at 12:21:23AM -0400, Jonathan Montero wrote:
> Hi, I'm having an issue regarding the certificates policies.
>
> It is as follows...
> policyset.caCertSet.p7.constraint.class_id=noConstraintImpl
> policyset.caCertSet.p7.constraint.name=No Constraint
> policyset.caCertSet.p7.default.class_id=certificatePoliciesExtDefaultImpl
> policyset.caCertSet.p7.default.name=Certificate Policies Extension Default
> policyset.caCertSet.p7.default.params.Critical=true
> policyset.caCertSet.p7.default.params.PoliciesExt.num=1
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.enable=true
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
> http://url.com/
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=true
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=Some
> Text Here
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=1
> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=Company
> text Here
>
>
> So, with this configuration i got not all the result i want, don't know
> why....
>
> i obtain
> policyId=1.3.6.1.4.1.6.1.1.1.1
>
> Also
> CPSURI.value=http://url.com/
>
> But can't get the explicitText.value and organization...
>
> For some reason, those 2 latter options don't appear in the certificate.
>
> What could this be?
>
Dogtag cert policies config is very unfriendly. Without having
confirmed, I'm pretty sure you need something like:
PoliciesExt.certPolicy0.enable=true
PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
PoliciesExt.certPolicy0.PolicyQualifiers.num=2
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://url.com/
PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.enable=true
PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.explicitText.value=Some text Here
PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.noticeReference.noticeNumbers=1
PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.noticeReference.organization=Company text Here
Each policy qualified can be either a CPS URI or a user notice, so
if you want both, you need two qualifiers. This is not a
restriction in Dogtag, rather it is part of X.509 standard:
Qualifier ::= CHOICE {
cPSuri CPSuri,
userNotice UserNotice }
Hope that helps!
Cheers,
Fraser
More information about the Pki-users
mailing list