[Pki-users] enabling key usage extension in caRouterCert

Marc Sauton msauton at redhat.com
Sat Jan 18 04:20:34 UTC 2020


I believe that would be an RFE, because by default, there is only 1 profile
out of the box, called caRouterCert.cfg, for 1 set of the "Key Usage
Extension Constraint", and we would need 2 profiles.

The workaround is to use a third-party tool from EPEL, called sscep; it
does exist for Fedora and RHEL-7.
See:
https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/enrolling_a_certificate_in_a_cisco_router#issuing-ecc-certificates-with-scep
https://github.com/certnanny/sscep

Thanks,
M.


On Fri, Jan 17, 2020 at 6:51 AM Akshath Hegde <arhsagar at gmail.com> wrote:

> Hi,
> I'm trying to enroll my router with Dogtag CA through SCEP. On the router I
> have 2 different RSA keypairs, one of which is to be used only for signing
> and the other for key encipherment. The router sends SCEP requests for each
> of these keys and 2 certificates are expected at the end. I need the key
> usage extension from the server for this. I need some help in editing the
> profile for this. I tried editing the caRouterCert.cfg file with different
> values for defaults and constraints, but I couldn't see how to get the final
> cert to have just what was in the request. If I put default as true for
> both, then both of them would be in the cert request in both requests sent
> by router, and when it's false none would be there. Any help regarding how
> to achieve this would be greatly appreciated.
>
> Thanks
> Akshath
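Whichever profile or enrollment route is used, the result can be verified by decoding the keyUsage extension of each issued certificate. The following is an added example, not part of the thread and not Dogtag or sscep code: it decodes the DER BIT STRING of a keyUsage extension value and checks that the signing certificate carries only digitalSignature and the encryption certificate only keyEncipherment. The function names, the strict "exactly one bit" policy and the sample byte strings are assumptions made for the illustration.

```python
# KeyUsage named bits from RFC 5280, section 4.2.1.3 (bit 0 is the most significant bit).
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
)

def decode_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING carried in a keyUsage extension value."""
    if len(der) < 4 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING with content")
    length = der[1]
    # KeyUsage has 9 named bits: one unused-bits octet plus at most 2 content octets.
    if length & 0x80 or length != len(der) - 2 or length > 3:
        raise ValueError("unexpected length for a KeyUsage BIT STRING")
    unused, content = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bits count")
    total_bits = len(content) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if content[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names

def check_split(signing_der: bytes, encryption_der: bytes) -> list:
    """Return a list of problems; an empty list means the usages are split.

    Assumed policy (hypothetical, taken from the question's wording): the
    signing cert has exactly digitalSignature, the other exactly keyEncipherment.
    """
    problems = []
    sign_ku = decode_key_usage(signing_der)
    enc_ku = decode_key_usage(encryption_der)
    if sign_ku != {"digitalSignature"}:
        problems.append("signing cert keyUsage is %s" % sorted(sign_ku))
    if enc_ku != {"keyEncipherment"}:
        problems.append("encryption cert keyUsage is %s" % sorted(enc_ku))
    return problems

# Constructed sample extension values (not taken from any real certificate).
SIGN_ONLY = bytes.fromhex("03020780")  # digitalSignature
ENC_ONLY = bytes.fromhex("03020520")   # keyEncipherment
BOTH = bytes.fromhex("030205a0")       # both bits set in one certificate

if __name__ == "__main__":
    print(check_split(SIGN_ONLY, ENC_ONLY))  # the split the router expects
    print(check_split(BOTH, BOTH))           # both usages in both certificates
```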