[Pki-users] Certificate Policies

Fraser Tweedale ftweedal at redhat.com
Mon Apr 29 07:24:41 UTC 2019


On Mon, Apr 29, 2019 at 03:22:17PM +1000, Fraser Tweedale wrote:
> There's an error in the configuration, but as pointed out in another
> branch of the thread there is also a bug with argument order which
> is fatal to the UserNotice use case.  So that will have to be
> triaged and fixed.
> 
> I did work out how to include multiple policy qualifiers, though.
> UserNotice is broken but as an example, here's how to get two URIs
> (common prefix elided):
> 
>   PoliciesExt.num=1
>   PolicyQualifiers.num=2
>   PoliciesExt.certPolicy0.enable=true
>   PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
>   PoliciesExt.certPolicy0.PolicyQualifiers.num=2
>   PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
>   PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://foo.com/
>   PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
>   PoliciesExt.certPolicy0.PolicyQualifiers1.CPSURI.enable=true
>   PoliciesExt.certPolicy0.PolicyQualifiers1.CPSURI.value=http://bar.com/
>   PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.enable=false
> 
> It is necessary to include both CPSURL.enable=bool and
> usernotice.enable=bool, with CPSURL taking precedence.
> 
> The PolicyQualifiers.num=N applies to all policies, which is a bug
> (it prevents defining policies with different numbers of
> qualifiers).  But it is adequate for a single-policy,
> multiple-qualifier use case.
> 
> Cheers,
> Fraser
> 
Filed ticket: https://pagure.io/dogtagpki/issue/3100

> 
> 
> On Sun, Apr 28, 2019 at 10:52:22PM -0400, Jonathan Montero wrote:
> > Thanks for your answer, but no, it didn't work...
> > 
> > I got a Java error when I try to approve the certificate, meaning that
> > something is wrong with the configuration.
> > 
> > To be a good config I had to take all those 1 to 0 back again.
> > 
> > 
> > 
> > Jonathan Montero
> > 
> > IT Professional | IT Trainer
> > M: 809-609-3003
> > S: tuxmontero
> > E: jmrxto at gmail.com
> > A: Santo Domingo, DR
> > 
> > jonathanmontero.com
> > 
> > <https://www.linkedin.com/in/monterojonathan>
> > <https://twitter.com/tuxmontero> <https://www.facebook.com/jmrxto>
> > <https://github.com/tuxmontero>
> > 
> > 
> > 
> > On Sun, Apr 28, 2019 at 9:19 PM Fraser Tweedale <ftweedal at redhat.com> wrote:
> > 
> > > On Wed, Apr 24, 2019 at 12:21:23AM -0400, Jonathan Montero wrote:
> > > > Hi, I'm having an issue regarding the certificates policies.
> > > >
> > > > It is as follows...
> > > > policyset.caCertSet.p7.constraint.class_id=noConstraintImpl
> > > > policyset.caCertSet.p7.constraint.name=No Constraint
> > > > policyset.caCertSet.p7.default.class_id=certificatePoliciesExtDefaultImpl
> > > > policyset.caCertSet.p7.default.name=Certificate Policies Extension Default
> > > > policyset.caCertSet.p7.default.params.Critical=true
> > > > policyset.caCertSet.p7.default.params.PoliciesExt.num=1
> > > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.enable=true
> > > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
> > > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
> > > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://url.com/
> > > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=true
> > > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=Some Text Here
> > > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=1
> > > > policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=Company text Here
> > > >
> > > >
> > > > So, with this configuration I did not get all the results I want, don't know
> > > > why....
> > > >
> > > > I obtain
> > > > policyId=1.3.6.1.4.1.6.1.1.1.1
> > > >
> > > > Also
> > > > CPSURI.value=http://url.com/
> > > >
> > > > But can't get the explicitText.value and organization...
> > > >
> > > > For some reason, those 2 latter options don't appear in the certificate.
> > > >
> > > > What could this be?
> > > >
> > > Dogtag cert policies config is very unfriendly.  Without having
> > > confirmed, I'm pretty sure you need something like:
> > >
> > > PoliciesExt.certPolicy0.enable=true
> > > PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
> > > PoliciesExt.certPolicy0.PolicyQualifiers.num=2
> > > PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
> > > PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://url.com/
> > > PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.enable=true
> > > PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.explicitText.value=Some text Here
> > > PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.noticeReference.noticeNumbers=1
> > > PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.noticeReference.organization=Company text Here
> > >
> > > Each policy qualifier can be either a CPS URI or a user notice, so
> > > if you want both, you need two qualifiers.  This is not a
> > > restriction in Dogtag; rather it is part of the X.509 standard:
> > >
> > >
> > >    Qualifier ::= CHOICE {
> > >            cPSuri           CPSuri,
> > >            userNotice       UserNotice }
> > >
> > > Hope that helps!
> > >
> > > Cheers,
> > > Fraser
> > >
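A small lint for the certificatePoliciesExtDefaultImpl parameters discussed in this thread: it checks the X.509 rule Fraser quotes (each Qualifier is a CHOICE of cPSuri or userNotice, so one slot cannot enable both) and that the per-policy PolicyQualifiers.num covers every qualifier index used. This is an added example, not code from the thread or from Dogtag; the parser, the regexes and the two sample parameter sets are constructed for illustration, and only the per-policy num key is checked.

```python
import re
# Regexes for the per-qualifier enable switches and the per-policy qualifier count.
QUAL_RE = re.compile(
    r"^PoliciesExt\.certPolicy(\d+)\.PolicyQualifiers(\d+)\.(CPSURI|usernotice)\.enable$")
NUM_RE = re.compile(r"^PoliciesExt\.certPolicy(\d+)\.PolicyQualifiers\.num$")

def parse_params(text):
    """Turn 'key=value' lines (profile prefix already stripped) into a dict."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params

def lint_policies(params):
    """Return a list of problems; an empty list means the qualifiers are well-formed."""
    enabled = {}  # (policy, qualifier) -> set of qualifier types switched on in that slot
    nums = {}     # policy -> declared PolicyQualifiers.num
    for key, value in params.items():
        if m := QUAL_RE.match(key):
            slot = (int(m.group(1)), int(m.group(2)))
            enabled.setdefault(slot, set())
            if value.lower() == "true":
                enabled[slot].add(m.group(3))
        elif m := NUM_RE.match(key):
            nums[int(m.group(1))] = int(value)
    problems = []
    for (p, q), types in sorted(enabled.items()):
        if len(types) > 1:  # the X.509 Qualifier CHOICE allows exactly one type per qualifier
            problems.append(f"certPolicy{p}.PolicyQualifiers{q}: CPSURI and usernotice both "
                            "enabled, but Qualifier is a CHOICE; use one qualifier per type")
        if q >= nums.get(p, 0):  # slot index must be below the declared count
            problems.append(f"certPolicy{p}.PolicyQualifiers{q}: index not covered by "
                            f"PolicyQualifiers.num={nums.get(p, 'unset')}")
    return problems

# Constructed inputs: the original single-slot layout vs. the two-qualifier layout.
ORIGINAL = """
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=true
"""
CORRECTED = """
PoliciesExt.certPolicy0.PolicyQualifiers.num=2
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
PoliciesExt.certPolicy0.PolicyQualifiers1.usernotice.enable=true
"""
for _name, _cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
    print(_name, lint_policies(parse_params(_cfg)) or ["ok"])
```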