[Pki-users] Re: No CDP by default?
Christina Fu
cfu at redhat.com
Mon Apr 14 14:30:02 UTC 2008
Hi, your values for crlDistPointsIssuerType_0 and
crlDistPointsIssueName_0 need to be switched. Let me know if this helps.
Christina
Chris Cayetano wrote:
> Additional Info:
>
> Some entries from the debug log:
>
> [12/Apr/2008:23:54:42][http-9443-Processor20]:
> CRLDistribtionPointsExtDefault: createExtension Invalid Property
> http://pkica.company.com
> [12/Apr/2008:23:54:42][http-9443-Processor20]:
> CRLDistribtionPointsExtDefault: createExtension Invalid Property
> http://pkica.company.com
>
> From the Red Hat documentation, when using the IssuerName_0=URIName,
> the IssuerType_n= should be:
>
> For URIName, the value must be a non-relative URI following the URL
> syntax and encoding rules. The name must include both a scheme, such
> as http, and a fully qualified domain name or IP address of the host.
> For example, http://testCA.example.com.
>
> So based on the Red Hat documentation, I'm not sure what the value should be.
>
> Thanks,
> Chris Cayetano
>
>
> On 4/11/08, Chris <crc408 at gmail.com> wrote:
>
>
> Unable to get the CDP in the issuing certificates. Taking the
> caUserCert profile, it looks like CDP isn't in the profiles by
> default, which appears to be the default for all certificates.
>
> Using the PKI Console, I added the CRL Distribution Points
> Extension Default with No Constraints.
>
> * The information below was entered based on examples in the Red
> Hat documentation (
> http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Defaults_Reference-CRL_Distribution_Points_Extension_Default.html
> ).
>
> [Default] tab
> crlDistPointsCritical = false
> crlDistPointsPointType_0 = URIName
> crlDistPointsPointName_0 = http://crl.company.com:80
> crlDistPointsReasons_0 = unused,superseded
> crlDistPointsIssuerType_0 = http://pkica.corp.company.com
> crlDistPointsIssueName_0 = URIName
> crlDistPointsEnable_0 = true
>
> When generating the certificate the CDP field is still not
> visible. I've attached a summary of the profile below with the new
> CDP field added.
>
> Any ideas?
>
> Thanks.
>
> Chris
>
>
> --
> ------------------------------------
>
>
> Certificate Profile Information:
> Certificate Profile Id: caUserCert
> Certificate Profile Name: Manual User Dual-Use Certificate
> Enrollment
> Description: This certificate profile is for enrolling user
> certificates.
> Approved: false
> Approved By:
>
> Policy Information:
>
> Policy Set: userCertSet
>
> #  Extensions / Fields  Constraints
> 1 This default populates a User-Supplied Certificate Subject Name
> to the request.
> This constraint accepts the subject name that matches CN=.*
> 2 This default populates a Certificate Validity to the request.
> The default values are Range=180 in days
> This constraint rejects the validity that is not between 365 days
> 3 This default populates a User-Supplied Certificate Key to the
> request.
> This constraint accepts the key only if Key Type=-, Key Min
> Length=256, Key Max Length=4096
> 4 This default populates an Authority Key Identifier Extension
> (2.5.29.35) to the request.
> No Constraint
> 5 This default populates a Authority Info Access Extension
> (1.3.6.1.5.5.7.1.1) to the request. The default values are
> Criticality=false, Record #0{Method:1.3.6.1.5.5.7.48.1,Location
> Type:URIName,Location:,Enable:true}
> No Constraint
> 6 This default populates a Key Usage Extension (2.5.29.15) to the
> request. The default values are
> Criticality=true, Digital Signature=true, Non-Repudiation=true,
> Key Encipherment=true, Data Encipherment=false, Key
> Agreement=false, Key Certificate Sign=false, Key CRL Sign=false,
> Encipher Only=false, Decipher Only=false
> This constraint accepts the Key Usage extension, if present, only
> when Criticality=true, Digital Signature=true,
> Non-Repudiation=true, Key Encipherment=true, Data
> Encipherment=false, Key Agreement=false, Key Certificate
> Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher
> Only=false
> 7 This default populates an Extended Key Usage Extension () to
> the request. The default values are Criticality=false,
> OIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
> No Constraint
> 9 This default populates the Certificate Signing Algorithm. The
> default values are Algorithm=SHA1withRSA
> This constraint accepts only the Signing Algorithms of
> SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC
>
> 12 This default populates a CRL Distribution Points Extension
> (2.5.29.31) to the request. The default values
> are Criticality=false, Record #0{Point
> Type:http://crl.company.com:80,Point
> Name:URIName,Reasons:unused,superseded,Issuer
> Type:http://pkica.company.com,Issuer
> Name:URIName,Enable:true}Record #1{Point Type:,Point
> Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}Record
> #2{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer
> Name:,Enable:false}Record #3{Point Type:,Point
> Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}Record
> #4{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer
> Name:,Enable:false}
> No Constraint
>
>
>
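The mistake in the thread is a swapped Type/Name pair: the posted profile puts the URI in crlDistPointsIssuerType_0 and the name type URIName in crlDistPointsIssueName_0, which is what makes the extension default log "createExtension Invalid Property http://pkica.company.com" and silently drop the CDP from issued certificates. The checker below is an added example, not Red Hat Certificate System code: it reads crlDistPoints*_N = value lines of the form shown in the post, applies the documented URIName rule (a non-relative URI with a scheme and a fully qualified host or IP address), reports a pair whose values look swapped, and can put such a pair back in order. It assumes only the URIName type (the one on the page), accepts both the "IssuerName" and the posted "IssueName" spelling of the issuer name key, and treats a dotted hostname as fully qualified; the sample configuration is the one from the original post.

```python
"""Sanity checker for CRL Distribution Points extension default settings.

Added example, not RHCS code. Assumptions: only URIName is a known name
type, issuer name keys may be spelled IssuerName or IssueName, and a
hostname containing a dot counts as fully qualified.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# The only name type shown on the page; RHCS knows others (assumption).
KNOWN_NAME_TYPES = {"URIName"}

# Constructed sample: the [Default] values from the original post, with the
# Issuer Type / Issue Name pair swapped exactly as posted.
POSTED_CONFIG = """\
crlDistPointsCritical = false
crlDistPointsPointType_0 = URIName
crlDistPointsPointName_0 = http://crl.company.com:80
crlDistPointsReasons_0 = unused,superseded
crlDistPointsIssuerType_0 = http://pkica.corp.company.com
crlDistPointsIssueName_0 = URIName
crlDistPointsEnable_0 = true
"""

# (role, Type key pattern, accepted Name key patterns) for one record N.
PAIRS = (
    ("Point", "crlDistPointsPointType_{n}", ("crlDistPointsPointName_{n}",)),
    ("Issuer", "crlDistPointsIssuerType_{n}",
     ("crlDistPointsIssuerName_{n}", "crlDistPointsIssueName_{n}")),
)


def parse_config(text):
    """Parse 'key = value' lines into a dict; blank and '#' lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def is_valid_uriname(value):
    """Documented URIName rule: a non-relative URI with a scheme and an FQDN or IP host."""
    parts = urlsplit(value)
    host = parts.hostname
    if not parts.scheme or not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return "." in host  # assumption: a dotted name is fully qualified


def check_pair(role, type_value, name_value):
    """Findings for one Type/Name pair; an empty list means it is acceptable."""
    if not type_value and not name_value:
        return []  # optional pair (e.g. no issuer) left blank
    if type_value not in KNOWN_NAME_TYPES and name_value in KNOWN_NAME_TYPES:
        return [f"{role}: Type and Name values appear swapped "
                f"(Type={type_value!r}, Name={name_value!r})"]
    if type_value not in KNOWN_NAME_TYPES:
        return [f"{role}: unknown name type {type_value!r}"]
    if not is_valid_uriname(name_value):
        return [f"{role}: {name_value!r} is not a non-relative URI with scheme and host"]
    return []


def record_indices(cfg):
    """Record numbers N present in the crlDistPoints*_N keys."""
    found = set()
    for key in cfg:
        m = re.fullmatch(r"crlDistPoints[A-Za-z]+_(\d+)", key)
        if m:
            found.add(int(m.group(1)))
    return sorted(found)


def _name_key(cfg, nkeys, n):
    return next((k.format(n=n) for k in nkeys if k.format(n=n) in cfg), None)


def check_config(cfg):
    """Map record index -> findings, for enabled records that have any."""
    report = {}
    for n in record_indices(cfg):
        if cfg.get(f"crlDistPointsEnable_{n}", "false").lower() != "true":
            continue  # disabled records are never emitted into a certificate
        findings = []
        for role, tkey, nkeys in PAIRS:
            nk = _name_key(cfg, nkeys, n)
            findings += check_pair(role, cfg.get(tkey.format(n=n), ""),
                                   cfg.get(nk, "") if nk else "")
        if findings:
            report[n] = findings
    return report


def swap_flagged_pairs(cfg):
    """Return a copy of cfg with swapped Type/Name pairs put back in order."""
    fixed = dict(cfg)
    for n in record_indices(cfg):
        for _, tkey, nkeys in PAIRS:
            tk, nk = tkey.format(n=n), _name_key(cfg, nkeys, n)
            if nk and cfg.get(tk) not in KNOWN_NAME_TYPES \
                    and cfg.get(nk) in KNOWN_NAME_TYPES:
                fixed[tk], fixed[nk] = cfg[nk], cfg[tk]
    return fixed


if __name__ == "__main__":
    posted = parse_config(POSTED_CONFIG)
    for n, findings in check_config(posted).items():
        for finding in findings:
            print(f"record {n}: {finding}")
    print("after swap:", check_config(swap_flagged_pairs(posted)) or "no findings")
```

Run against the posted values, the checker reports record 0 with the Issuer pair swapped and nothing else (the Point pair is already well-formed); after the swap, the same values pass, which is the state Christina's reply describes.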