[Pki-users] Modify Certificate Profies - removing 'Critical' key-usage indication

Ebbe Hansen ehansen at spyrus.com
Wed Apr 30 21:14:27 UTC 2008 

While attempting to test various Email clients in a windows environment
(including Outlook Express and Outlook), I am having trouble getting the
Email client (Outlook Express) to accept the certificates generated by
the RedHat/DogTag CA. I am using the 'CAUserCert.cfg' profile and I am
adding a SubjectAltName extension as described in my earlier message.
However, I am still not successful getting the Email client to use the
DogTag user certificates for signature purposes.

Is there a documented procedure that describes how to generate user
certificates accepted by the windows-based Outlook Express client?

Comparing the RadHat user certificate with a Microsoft user certificate
reveals that the RedHat CA sets the 'KeyUsage' extension to 'Critical'
-- while the Microsoft CA does not! After modifying the DogTag CA
Profile ('CAUserCert.cfg') to specify a "non critical" 'KeyUsage'
extension, any new request using the modified profile fails -  error
message is:

"Sorry, your request has been rejected. The reason is "Request Rejected
- Criticality Not Matched".

Are there multiple places I need to adjust the Profile -- so far I have
only modified the 'CAUserCert.cfg' file in the
'<CA-instance>/profiles/ca' directory. 

Ebbe @ SPYRUS


"This message and any attached documents contain SPYRUS confidential
and/or proprietary information and may be subject to privilege or exempt
from disclosure under applicable law. These materials are intended only
for the use of the intended recipient. If you are not the intended
recipient of this electronic message, you are hereby notified that any
use of this message is strictly prohibited. Delivery of this message to
any person other than the intended recipient shall not constitute any
waiver of any privilege. If you have received this message in error,
please delete this message from your system and notify the sender
immediately. Thank you."


-----Original Message-----
From: Marc Sauton [mailto:msauton at redhat.com] 
Sent: Wednesday, April 30, 2008 10:17 AM
To: Ebbe Hansen
Cc: pki-users at redhat.com
Subject: Re: [Pki-users] Modify Certificate Profies - include
SubjectAltName

If in /var/lib/pki-ca/profiles/ca/caUserCert.cfg
has
policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requ
estor_email$
policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
and the enrollment request has an e-mail, the subject alt name extension

field should be correctly initialized upon certificate issuance.
You may want to turn on some debug in CS.cfg
debug.enabled=true
debug.level=0
and see your debug log for more details.
M.

It depends how the request hadEbbe Hansen wrote:
>
> Looking at the 'CAUserCert.cfg' profile (first profile on the WEB 
> Agent profile-list) it appears it should trigger the inclusion of the 
> "SubjectAltName" extension. I have not been successful generating any 
> certicites where the SubjectAltName extension is included!
>
> In the Agents display the SubjectAltName is listed as 'Null' - even 
> after editing the 'Null' to the desired RFC822 value, the issued 
> certificate always comes without any SubjectAtltName extension?
>
> What can I do to get the CA to include the SubjectAltName extension? I

> am always specifying an email value in the request field!
>
> Ebbe
>
> "This message and any attached documents contain SPYRUS confidential 
> and/or proprietary information and may be subject to privilege or 
> exempt from disclosure under applicable law. These materials are 
> intended only for the use of the intended recipient. If you are not 
> the intended recipient of this electronic message, you are hereby 
> notified that any use of this message is strictly prohibited. Delivery

> of this message to any person other than the intended recipient shall 
> not constitute any waiver of any privilege. If you have received this 
> message in error, please delete this message from your system and 
> notify the sender immediately. Thank you."
>
>
------------------------------------------------------------------------
>
> *From:* pki-users-bounces at redhat.com 
> [mailto:pki-users-bounces at redhat.com] *On Behalf Of *Chris
> *Sent:* Wednesday, April 09, 2008 10:10 PM
> *To:* pki-users at redhat.com
> *Subject:* Re: [Pki-users] Modify Certificate Profies
>
> Thanks. That worked.
>
> On Wed, Apr 9, 2008 at 12:10 PM, Christina Fu <cfu at redhat.com 
> <mailto:cfu at redhat.com>> wrote:
>
> Profiles can be configured in <Dogtag install root>/profiles/ca. If 
> you add your own new profiles, you need to modify <Dogtag install 
> root>//conf/CS.cfg "profile.list" to contain the new profile name, and

> add the corresponding "class_id" and "config" (see the existing 
> entries in CS.cfg as example), and restart the CA.
>
> In addition, Dogtag provides flexible plugin infrastructure that 
> allows people to customize various areas. Profile is one of them.
> The standard profile related polugins code is in 
> pki/base/common/src/com/netscape/cms/profile/. That's for advanced 
> users who know what they are doing. Make sure the certs produced still

> comply.
>
> hope this helps.
> Christina
>
> Chris wrote:
>
>
> Sorry, hit the send by mistake....
>
> I've succesfully installed Dogtag. The documentation was clear and I 
> didn't have any issues.
> My question is in regards to customizing certificate profiles. In the 
> current CA environment I manager, I deal with customizing profiles. Is

> there a way to create customized certificate profiles?
> The fields which apply are:
> CertificatePolicies
> - Policy Identifier
> - User Notice with custom text
> ExtendedKeyUsage
> - New Key Usage OID
> Also, in one profile, we've created a new field that programically 
> ties to the EKU
>
> On our current CA software, a config file is modified to customize 
> profiles. Also there is some DER encoding required to convert the 
> appropriate text.
>
> Is this feature available?
>
>
------------------------------------------------------------------------
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com <mailto:Pki-users at redhat.com>
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com <mailto:Pki-users at redhat.com>
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
------------------------------------------------------------------------
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>

More information about the Pki-users mailing list