[Pki-users] Certificate Policies

Fraser Tweedale ftweedal at redhat.com
Mon Apr 29 05:22:44 UTC 2019


There's an error in the configuration, but as pointed out in another
branch of the thread there is also a bug with argument order which
is fatal to the UserNotice use case.  So that will have to be
triaged and fixed.

I did work out how to include multiple policy qualifiers, though.
UserNotice is broken but as an example, here's how to get two URIs
(common prefix elided):

  PoliciesExt.num=1
  PolicyQualifiers.num=2
  PoliciesExt.certPolicy0.enable=true
  PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
  PoliciesExt.certPolicy0.PolicyQualifiers.num=2
  PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
  PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://foo.com/
  PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
  PoliciesExt.certPolicy0.PolicyQualifiers1.CPSURI.enable=true
  PoliciesExt.certPolicy0.PolicyQualifiers1.CPSURI.value=http://bar.com/
  PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.enable=false

It is necessary to include both CPSURI.enable=bool and
usernotice.enable=bool, with CPSURI taking precedence.

The PolicyQualifiers.num=N applies to all policies, which is a bug
(it prevents defining policies with different numbers of
qualifiers).  But it is adequate for a single-policy,
multiple-qualifier use case.

Cheers,
Fraser
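
Added example (not code from this thread, and not Dogtag's own code): a small
Python checker for the flat PoliciesExt.* configuration described above.  It
takes the two-URI configuration from this message plus a constructed
one-URI-plus-one-notice variant (the two-qualifier layout suggested in the
reply quoted below), resolves the numbered certPolicy<i>/PolicyQualifiers<j>
keys into a structure shaped like an RFC 5280 CertificatePolicies extension,
and enforces the rules the thread spells out: each qualifier is a CHOICE of
exactly one of cPSuri or userNotice, CPSURI.enable wins over
usernotice.enable on the same qualifier (flagged with a warning, since that is
exactly how a notice silently disappears), and PolicyQualifiers.num is one
global count that applies to every policy, so a per-policy count that differs
is rejected rather than silently ignored.  The function names, the
http://cps.example/ placeholder and the mismatch check are my assumptions,
not Dogtag behaviour.

```python
# Added example, not code from the thread or from Dogtag; see the lead-in.
import warnings

# Constructed input: the two-CPS-URI configuration from the message above.
TWO_URI_CONFIG = """\
PoliciesExt.num=1
PolicyQualifiers.num=2
PoliciesExt.certPolicy0.enable=true
PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
PoliciesExt.certPolicy0.PolicyQualifiers.num=2
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://foo.com/
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
PoliciesExt.certPolicy0.PolicyQualifiers1.CPSURI.enable=true
PoliciesExt.certPolicy0.PolicyQualifiers1.CPSURI.value=http://bar.com/
PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.enable=false
"""

# Constructed input: one CPS URI plus one user notice in two separate qualifiers.
MIXED_CONFIG = """\
PoliciesExt.num=1
PolicyQualifiers.num=2
PoliciesExt.certPolicy0.enable=true
PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://url.com/
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
PoliciesExt.certPolicy0.PolicyQualifiers1.CPSURI.enable=false
PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.enable=true
PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.explicitText.value=Some text Here
PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.noticeReference.noticeNumbers=1
PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.noticeReference.organization=Company text Here
"""


def parse_flat_config(text: str) -> dict:
    """Read key=value lines into a dict; blank lines and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        cfg[key.strip()] = value.strip()
    return cfg


def _enabled(cfg: dict, key: str) -> bool:
    return cfg.get(key, "false").lower() == "true"


def _qualifier(cfg: dict, prefix: str) -> dict:
    """Resolve PolicyQualifiers<j>.* into one CHOICE alternative: {"cPSuri": uri} or {"userNotice": {...}}."""
    cps = _enabled(cfg, f"{prefix}.CPSURI.enable")
    notice = _enabled(cfg, f"{prefix}.usernotice.enable")
    if cps and notice:  # both set: CPSURI takes precedence and the notice is lost
        warnings.warn(f"{prefix}: both CPSURI and usernotice enabled; notice dropped")
    if cps:
        uri = cfg.get(f"{prefix}.CPSURI.value")
        if not uri:
            raise ValueError(f"{prefix}: CPSURI enabled but CPSURI.value missing")
        return {"cPSuri": uri}
    if notice:
        un = f"{prefix}.usernotice"
        nums = cfg.get(f"{un}.noticeReference.noticeNumbers", "")
        user_notice = {
            "explicitText": cfg.get(f"{un}.explicitText.value"),
            "organization": cfg.get(f"{un}.noticeReference.organization"),
            "noticeNumbers": [int(n) for n in nums.split(",") if n.strip()],
        }
        if user_notice["explicitText"] is None and user_notice["organization"] is None:
            raise ValueError(f"{prefix}: usernotice enabled but carries no text")
        return {"userNotice": user_notice}
    raise ValueError(f"{prefix}: neither CPSURI nor usernotice enabled")


def build_certificate_policies(cfg: dict) -> list:
    """Return [(policyId, [qualifier, ...]), ...]; PolicyQualifiers.num is one global count."""
    num_q = int(cfg.get("PolicyQualifiers.num", "0"))
    policies = []
    for i in range(int(cfg.get("PoliciesExt.num", "0"))):
        p = f"PoliciesExt.certPolicy{i}"
        if not _enabled(cfg, f"{p}.enable"):
            continue
        oid = cfg.get(f"{p}.policyId", "")
        if not oid or not all(part.isdigit() for part in oid.split(".")):
            raise ValueError(f"{p}: missing or malformed policyId")
        local = cfg.get(f"{p}.PolicyQualifiers.num")
        if local is not None and int(local) != num_q:  # hypothetical check, see lead-in
            raise ValueError(f"{p}: PolicyQualifiers.num={local} differs from global {num_q}")
        quals = [_qualifier(cfg, f"{p}.PolicyQualifiers{j}") for j in range(num_q)]
        policies.append((oid, quals))
    return policies


if __name__ == "__main__":
    print(build_certificate_policies(parse_flat_config(MIXED_CONFIG)))
```

Run against a profile fragment before loading it into the CA: the original
question's layout (CPS URI and user notice both enabled under
PolicyQualifiers0) surfaces as a warning here instead of as a certificate
that is simply missing the notice.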



On Sun, Apr 28, 2019 at 10:52:22PM -0400, Jonathan Montero wrote:
> Thanks for your answer, but no, it didn't work...
> 
> I got a Java error when I try to approve the certificate, meaning that
> something is wrong with the configuration.
> 
> To be a good config I had to take all those 1 to 0 back again.
> 
> 
> 
> Jonathan Montero
> 
> IT Professional | IT Trainer
> M: 809-609-3003
> S: tuxmontero
> E: jmrxto at gmail.com
> A: Santo Domingo, DR
> 
> jonathanmontero.com
> 
> <https://www.linkedin.com/in/monterojonathan>
> <https://twitter.com/tuxmontero> <https://www.facebook.com/jmrxto>
> <https://github.com/tuxmontero>
> 
> 
> 
> On Sun, Apr 28, 2019 at 9:19 PM Fraser Tweedale <ftweedal at redhat.com> wrote:
> 
> > On Wed, Apr 24, 2019 at 12:21:23AM -0400, Jonathan Montero wrote:
> > > Hi, I'm having an issue regarding the certificates policies.
> > >
> > > It is as follows...
> > > policyset.caCertSet.p7.constraint.class_id=noConstraintImpl
> > > policyset.caCertSet.p7.constraint.name=No Constraint
> > > policyset.caCertSet.p7.default.class_id=certificatePoliciesExtDefaultImpl
> > > policyset.caCertSet.p7.default.name=Certificate Policies Extension Default
> > > policyset.caCertSet.p7.default.params.Critical=true
> > > policyset.caCertSet.p7.default.params.PoliciesExt.num=1
> > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.enable=true
> > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
> > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
> > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://url.com/
> > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=true
> > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=Some Text Here
> > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=1
> > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=Company text Here
> > >
> > >
> > > So, with this configuration I did not get all the results I want, don't know
> > > why....
> > >
> > > I obtain
> > > policyId=1.3.6.1.4.1.6.1.1.1.1
> > >
> > > Also
> > > CPSURI.value=http://url.com/
> > >
> > > But can't get the explicitText.value and organization...
> > >
> > > For some reason, those 2 latter options don't appear in the certificate.
> > >
> > > What could this be?
> > >
> > Dogtag cert policies config is very unfriendly.  Without having
> > confirmed, I'm pretty sure you need something like:
> >
> > PoliciesExt.certPolicy0.enable=true
> > PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
> > PoliciesExt.certPolicy0.PolicyQualifiers.num=2
> > PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
> > PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://url.com/
> > PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.enable=true
> > PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.explicitText.value=Some text Here
> > PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.noticeReference.noticeNumbers=1
> > PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.noticeReference.organization=Company text Here
> >
> > Each policy qualifier can be either a CPS URI or a user notice, so
> > if you want both, you need two qualifiers.  This is not a
> > restriction in Dogtag, rather it is part of the X.509 standard:
> >
> >
> >    Qualifier ::= CHOICE {
> >            cPSuri           CPSuri,
> >            userNotice       UserNotice }
> >
> > Hope that helps!
> >
> > Cheers,
> > Fraser
> >
