[Pki-users] enabling key usage extension in caRouterCert

Christina Fu cfu at redhat.com
Wed Jan 22 17:30:38 UTC 2020


Hi Akshath,
It's very common for Dogtag users to create customized profiles
themselves.  So creating two profiles with each tailored to what's needed
is what you need.
The RHCS documentation should cover it. e.g.:
https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html-single/administration_guide/index#Modifying_Certificate_Profiles_through_the_Command_Line

Hope this helps,
Christina

On Fri, Jan 17, 2020 at 8:21 PM Marc Sauton <msauton at redhat.com> wrote:

> I believe that would be an RFE, because by default, there is only 1 profile
> out of the box, called caRouterCert.cfg, for 1 set of the "Key Usage
> Extension Constraint", and we would need 2 profiles.
>
> The workaround is to use a third party tool from EPEL, called sscep, it
> does exist for Fedora and RHEL-7.
> See:
>
> https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/enrolling_a_certificate_in_a_cisco_router#issuing-ecc-certificates-with-scep
> https://github.com/certnanny/sscep
>
> Thanks,
> M.
>
>
> On Fri, Jan 17, 2020 at 6:51 AM Akshath Hegde <arhsagar at gmail.com> wrote:
>
>> Hi,
>> I'm trying to enroll my router with dogtag CA through scep. On router I
>> have 2 different rsa keypairs, one of which is to be used only for signing
>> and the other for key encipherment. The router sends scep requests for each
>> of these keys and 2 certificates are expected at the end. I need the key
>> usage extension from the server for this. I need some help in editing the
>> profile for this. I tried editing caRouterCert.cfg file with different
>> values for defaults and constraints, but I couldn't see how to get the final
>> cert to have just what was in the request. If I put default as true for
>> both, then both of them would be in the cert request in both requests sent
>> by router, and when it's false none would be there. Any help regarding how
>> to achieve this would be greatly appreciated.
>>
>> Thanks
>> Akshath
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
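
The two-profile approach suggested in this thread can be checked before a profile is deployed. The following is an added example, not code from the thread or from the Dogtag project: it builds constructed Key Usage policy fragments for a signing-only and an encipherment-only profile and lints them. The policy prefix policyset.set1.6 and the helper names fragment, key_usage and lint are assumptions made for illustration.

```python
import re

def fragment(sign, encipher, prefix="policyset.set1.6"):
    """Build a constructed Key Usage policy fragment (prefix is an assumption)."""
    bits = {"keyUsageCritical": True,
            "keyUsageDigitalSignature": sign,
            "keyUsageKeyEncipherment": encipher}
    lines = [f"{prefix}.default.class_id=keyUsageExtDefaultImpl",
             f"{prefix}.constraint.class_id=keyUsageExtConstraintImpl"]
    for side in ("default", "constraint"):
        for name, on in bits.items():
            lines.append(f"{prefix}.{side}.params.{name}={str(on).lower()}")
    return "\n".join(lines)

def key_usage(cfg_text):
    """Collect keyUsage* params of Key Usage default/constraint policies."""
    props = dict(l.split("=", 1) for l in cfg_text.splitlines()
                 if "=" in l and not l.startswith("#"))
    out = {"default": {}, "constraint": {}}
    pat = re.compile(r"(policyset\.\w+\.\d+)\.(default|constraint)\.params\.keyUsage(\w+)$")
    for key, val in props.items():
        m = pat.match(key)
        if m and props.get(f"{m[1]}.{m[2]}.class_id", "").startswith("keyUsageExt"):
            out[m[2]][m[3]] = val.strip()
    return out

def lint(cfg_text, expected):
    """Return problems; expected is the exact set of usage bits the profile may assert."""
    ku, problems = key_usage(cfg_text), []
    asserted = {b for b, v in ku["default"].items() if v == "true" and b != "Critical"}
    if asserted != expected:
        problems.append(f"default asserts {sorted(asserted)}, expected {sorted(expected)}")
    for bit, want in ku["constraint"].items():
        # "-" in a constraint means no preference; a missing default is treated as false here.
        if want != "-" and ku["default"].get(bit, "false") != want:
            problems.append(f"constraint {bit}={want} conflicts with default")
    return problems

if __name__ == "__main__":
    print(fragment(True, False))
    print("signing-only:", lint(fragment(True, False), {"DigitalSignature"}))
    print("encipherment-only:", lint(fragment(False, True), {"KeyEncipherment"}))
    print("both bits in one profile:", lint(fragment(True, True), {"DigitalSignature"}))
```

The last call reproduces the single-profile situation from the original question, where both usage bits end up in every certificate, and reports it as a problem.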