[Pki-users] No CDP by default?

Chris crc408 at gmail.com
Fri Apr 11 18:56:24 UTC 2008 

Unable to get the CDP in the issuing certificates. Taking the caUserCert
profile, it looks like CDP isn't in the profiles by default, which appears
to be the default for all certificates.

Using the PKI Console, I added the CRL Distribution Points Extension Default
with No Constraints

* The information below was entered based on examples in the Red Hat
documentation (
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Defaults_Reference-CRL_Distribution_Points_Extension_Default.html).

[Default] tab
crlDistPointsCritical = false
crlDistPointsPointType_0 = URIName
crlDistPointsPointName_0 = http://crl.company.com:80<http://crl.company.com/>
crlDistPointsReasons_0 = unused,superseded
crlDistPointsIssuerType_0 = http://pkica.corp.company.com
crlDistPointsIssueName_0 = URIName
crlDistPointsEnable_0 = true

When generating the certificate the CDP field is still not visible.I've
attached a summary of the profile below with the new CDP field added.

Any ideas?

Thanks.

Chris


-- 
------------------------------------


*Certificate Profile Information:*
  Certificate Profile Id: caUserCert  Certificate Profile Name: Manual User
Dual-Use Certificate Enrollment
<http://profileselect/?profileId=caUserCert> Description:
This certificate profile is for enrolling user certificates.  Approved: false
 Approved By:

*Policy Information:*

Policy Set: userCertSet

  *#* *Extensions / Fields* *Constraints*  1 This default populates a
User-Supplied Certificate Subject Name to the request.
This constraint accepts the subject name that matches CN=.*  2 This default
populates a Certificate Validity to the request. The default values are
Range=180 in days
This constraint rejects the validity that is not between 365 days  3 This
default populates a User-Supplied Certificate Key to the request.
This constraint accepts the key only if Key Type=-, Key Min Length=256, Key
Max Length=4096  4 This default populates an Authority Key Identifier
Extension (2.5.29.35) to the request.
No Constraint  5 This default populates a Authority Info Access Extension
(1.3.6.1.5.5.7.1.1) to the request. The default values are
Criticality=false, Record #0{Method:1.3.6.1.5.5.7.48.1,Location
Type:URIName,Location:,Enable:true}
No Constraint  6 This default populates a Key Usage Extension (2.5.29.15) to
the request. The default values are Criticality=true, Digital
Signature=true, Non-Repudiation=true, Key Encipherment=true, Data
Encipherment=false, Key Agreement=false, Key Certificate Sign=false, Key CRL
Sign=false, Encipher Only=false, Decipher Only=false
This constraint accepts the Key Usage extension, if present, only when
Criticality=true, Digital Signature=true, Non-Repudiation=true, Key
Encipherment=true, Data Encipherment=false, Key Agreement=false, Key
Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher
Only=false  7 This default populates an Extended Key Usage Extension () to
the request. The default values are Criticality=false,
OIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
No Constraint  9 This default populates the Certificate Signing Algorithm.
The default values are Algorithm=SHA1withRSA
This constraint accepts only the Signing Algorithms of
SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC  12
This default populates a CRL Distribution Points Extension (2.5.29.31) to
the request. The default values are Criticality=false, Record #0{Point Type:
http://crl.company.com:80 <http://crl.company.com/>,Point
Name:URIName,Reasons:unused,superseded,Issuer
Type:http://pkica.company.com,Issuer
Name:URIName,Enable:true}Record #1{Point Type:,Point Name:,Reasons:,Issuer
Type:,Issuer Name:,Enable:false}Record #2{Point Type:,Point
Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}Record #3{Point
Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}Record
#4{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}
No Constraint
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20080411/f3e49fdd/attachment.htm>

More information about the Pki-users mailing list