[Pki-users] CErtificate profile validation

Arshad Noor arshad.noor at strongauth.com
Mon Mar 22 17:36:19 UTC 2010


In order to accomplish what you're doing, Shanthi, what you need to do
is have two profiles - one at the RA that performs verification tasks,
and one at the CA that performs modifications.  So, for example, if you
were creating a custom profile for a "Basic Assurance Signing Profile"
(the name is just an example), you would use the same profile at the
RA and the CA instances, but configure the profile at the RA to only
verify the information you were expecting from the end-entity (such
as name-form, key-size, key-type, etc.) and then send it to the CA
where the profile adds the required extensions and constraints.

What is confusing for many RHCS/DogTag users is that while the same
profile can exist on the RA and the CA, they do not see each other's
profile configurations - they only see their own configurations.  You
likely configured the profile at the RA instance, which the CA is
logically ignoring.  Modify/create your profile at the CA instance and
you will get the certificates you want.

Arshad Noor
StrongAuth, Inc.

----- Original Message -----
From: "Thomas Shanthi-LST016" <Shanthi.Thomas at motorola.com>
To: "Arshad Noor" <arshad.noor at strongauth.com>
Cc: pki-users at redhat.com
Sent: Monday, March 22, 2010 9:48:28 AM (GMT-0800) America/Los_Angeles
Subject: RE: [Pki-users] CErtificate profile validation

Thanks, Arshad. Is there some way to enforce the CA to cross-check the
CSR against the profile when the RA is also present? Or is this
automatically enabled?

I must have missed something when I set the cert profile... When I
tried this, it seemed as if the CA was not verifying correctness of the
issued certificate against the cert profile. It seemed to be just adding
its signature. Also it added the Authority Key Identifier but not the
subject key identifier (as per RFC 5280 it looks like the CA adds this field)
- though both were mentioned in the profile.

>>-----Original Message-----
>>From: Arshad Noor [mailto:arshad.noor at strongauth.com] 
>>Sent: Monday, March 22, 2010 11:43 AM
>>To: Thomas Shanthi-LST016
>>Cc: pki-users at redhat.com
>>Subject: Re: [Pki-users] CErtificate profile validation
>>
>>Technically, it can occur at either or both locations.
>>However, from a business and operational point-of-view, most
>>PKIs do the verification at the RA.  This is because it
>>allows different RAs to use different policies, procedures
>>and tools to do the key-generation, verification, etc.,
>>before sending the verified CSR to the CA for signing.
>>
>>From an operational point of view, having RAs do the 
>>verification allows you to scale a CA to sign more 
>>certificates in a given unit of time if it only had to sign 
>>certificates and CRLs instead of verifying and signing.
>>
>>Yes, the CA can indeed add all the required 
>>constraints/extensions as needed to the certificate based on 
>>the profile, before it signs the CSR.
>>
>>Arshad Noor
>>StrongAuth, Inc.
>>
>>----- Original Message -----
>>From: "Thomas Shanthi-LST016" <Shanthi.Thomas at motorola.com>
>>To: pki-users at redhat.com
>>Sent: Monday, March 22, 2010 9:00:59 AM (GMT-0800) America/Los_Angeles
>>Subject: [Pki-users] CErtificate profile validation
>>
>>_______________________________________________
>>Pki-users mailing list
>>Pki-users at redhat.com
>>https://www.redhat.com/mailman/listinfo/pki-users
>>
>>
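As an added example of the RA/CA split described in this thread (not code from the thread, from Dogtag or from RHCS), the script below models an RA-side profile that only verifies a CSR (name form, key type, key size, proof of possession) and a CA-side profile that ignores the CSR's wishes and adds its own SKI, AKI and basicConstraints before signing. It assumes the `cryptography` Python package; the profile values and names are constructed assumptions.

```python
# Added example (not from the thread, Dogtag or RHCS): the RA-only-verifies /
# CA-adds-extensions split Arshad describes. Needs `cryptography`; profile values are assumptions.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
PROFILE = {"key_type": rsa.RSAPublicKey, "min_key_bits": 2048,  # hypothetical RA-side profile
           "required_subject_oids": (NameOID.COMMON_NAME, NameOID.ORGANIZATION_NAME)}

def ra_verify_csr(csr, profile=PROFILE):
    """RA-side profile: only verify; return violations (empty = accept)."""
    problems = []
    if not csr.is_signature_valid:  # proof of possession of the private key
        problems.append("CSR signature invalid")
    pub = csr.public_key()
    if not isinstance(pub, profile["key_type"]):
        problems.append("unexpected key type " + type(pub).__name__)
    elif pub.key_size < profile["min_key_bits"]:
        problems.append("key size %d below %d" % (pub.key_size, profile["min_key_bits"]))
    for oid in profile["required_subject_oids"]:
        if not csr.subject.get_attributes_for_oid(oid):
            problems.append("subject missing " + oid.dotted_string)
    return problems

def ca_issue(csr, ca_key, ca_name, days=365):
    """CA-side profile: keep subject/key from the verified CSR, add SKI/AKI/basicConstraints, sign."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(csr.subject).issuer_name(ca_name)
               .public_key(csr.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
               .add_extension(x509.SubjectKeyIdentifier.from_public_key(csr.public_key()), critical=False)
               .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_key.public_key()), critical=False)
               .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True))
    return builder.sign(ca_key, hashes.SHA256())

def make_csr(key, cn, org=None):
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, cn)]
    if org:
        attrs.append(x509.NameAttribute(NameOID.ORGANIZATION_NAME, org))
    return x509.CertificateSigningRequestBuilder().subject_name(x509.Name(attrs)).sign(key, hashes.SHA256())

def demo():  # constructed CSRs: one compliant, one with a 1024-bit key, one without O=
    ca_key, ca_name = rsa.generate_private_key(65537, 2048), x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])
    csrs = {"good": make_csr(rsa.generate_private_key(65537, 2048), "alice", "Example Corp"),
            "weak": make_csr(rsa.generate_private_key(65537, 1024), "bob", "Example Corp"),
            "noorg": make_csr(rsa.generate_private_key(65537, 2048), "carol")}
    results = {k: ra_verify_csr(v) for k, v in csrs.items()}
    return results, ca_issue(csrs["good"], ca_key, ca_name)
```

The issued certificate carries SKI, AKI and basicConstraints from the CA-side profile regardless of what the CSR contained, which is the behaviour Shanthi expected to see from the CA instance.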