[Pki-users] Certificate Policies

Jonathan Montero jmrxto at gmail.com
Mon Apr 29 02:52:22 UTC 2019


Thanks for your answer, but no, it didn't work...

I got a Java error when I try to approve the certificate, meaning that
something is wrong with the configuration.

To be a good config I had to take all those 1 to 0 back again.



Jonathan Montero

IT Professional | IT Trainer
M: 809-609-3003
S: tuxmontero
E: jmrxto at gmail.com
A: Santo Domingo, DR

jonathanmontero.com

<https://www.linkedin.com/in/monterojonathan>
<https://twitter.com/tuxmontero> <https://www.facebook.com/jmrxto>
<https://github.com/tuxmontero>



On Sun, Apr 28, 2019 at 9:19 PM Fraser Tweedale <ftweedal at redhat.com> wrote:

> On Wed, Apr 24, 2019 at 12:21:23AM -0400, Jonathan Montero wrote:
> > Hi, I'm having an issue regarding the certificate policies.
> >
> > It is as follows...
> > policyset.caCertSet.p7.constraint.class_id=noConstraintImpl
> > policyset.caCertSet.p7.constraint.name=No Constraint
> > policyset.caCertSet.p7.default.class_id=certificatePoliciesExtDefaultImpl
> > policyset.caCertSet.p7.default.name=Certificate Policies Extension Default
> > policyset.caCertSet.p7.default.params.Critical=true
> > policyset.caCertSet.p7.default.params.PoliciesExt.num=1
> > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.enable=true
> > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
> > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
> > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://url.com/
> > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=true
> > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=Some Text Here
> > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=1
> > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=Company text Here
> >
> >
> > So, with this configuration I got not all the result I want, don't know
> > why....
> >
> > I obtain
> > policyId=1.3.6.1.4.1.6.1.1.1.1
> >
> > Also
> > CPSURI.value=http://url.com/
> >
> > But can't get the explicitText.value and organization...
> >
> > For some reason, those 2 latter options don't appear in the certificate.
> >
> > What could this be?
> >
> Dogtag cert policies config is very unfriendly.  Without having
> confirmed, I'm pretty sure you need something like:
>
> PoliciesExt.certPolicy0.enable=true
> PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
> PoliciesExt.certPolicy0.PolicyQualifiers.num=2
> PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
> PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://url.com/
> PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.enable=true
> PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.explicitText.value=Some text Here
> PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.noticeReference.noticeNumbers=1
> PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.noticeReference.organization=Company text Here
>
> Each policy qualifier can be either a CPS URI or a user notice, so
> if you want both, you need two qualifiers.  This is not a
> restriction in Dogtag, rather it is part of the X.509 standard:
>
>
>    Qualifier ::= CHOICE {
>            cPSuri           CPSuri,
>            userNotice       UserNotice }
>
> Hope that helps!
>
> Cheers,
> Fraser
>
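A check for the X.509 rule quoted in the thread (each policy qualifier is either a CPS URI or a user notice), applied to the profile parameters. This is an added example, not part of the original messages or Dogtag's own code, and it tests only that rule, not whether Dogtag accepts the profile. It assumes the key names shown in the thread, including `PolicyQualifiers.num`, and zero-based slot numbering.

```python
import re

# Constructed sample: the original poster's parameters, with the
# "policyset.caCertSet.p7.default.params." prefix stripped.
SAMPLE = """\
PoliciesExt.num=1
PoliciesExt.certPolicy0.enable=true
PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://url.com/
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=true
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=Some Text Here
"""

# Key names as they appear in the thread; PolicyQualifiers.num comes from the reply.
SLOT = re.compile(r"PoliciesExt\.certPolicy(\d+)\.PolicyQualifiers(\d+)\.(CPSURI|usernotice)\.enable$")
COUNT = re.compile(r"PoliciesExt\.certPolicy(\d+)\.PolicyQualifiers\.num$")


def parse(text):
    """Parse key=value lines; skip blanks and # comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def lint_qualifiers(params):
    """Return findings for qualifier slots that break the CHOICE rule."""
    slots, counts, findings = {}, {}, []
    for key, value in params.items():
        m = SLOT.search(key)
        if m and value.lower() == "true":
            slots.setdefault((int(m[1]), int(m[2])), set()).add(m[3])
        m = COUNT.search(key)
        if m:
            counts[int(m[1])] = int(value)
    for (policy, slot), kinds in sorted(slots.items()):
        if len(kinds) > 1:
            findings.append(f"certPolicy{policy}.PolicyQualifiers{slot}: both CPSURI and usernotice enabled")
        # Assumption: slots are numbered from 0 and .num is the slot count.
        if policy in counts and slot >= counts[policy]:
            findings.append(f"certPolicy{policy}.PolicyQualifiers{slot}: index outside PolicyQualifiers.num={counts[policy]}")
    return findings
```

Running `lint_qualifiers(parse(SAMPLE))` reports slot 0 of `certPolicy0` as carrying both qualifier kinds.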