[Pki-users] CErtificate profile validation

Arshad Noor arshad.noor at strongauth.com
Mon Mar 22 19:33:46 UTC 2010


Hmmm... unless something has changed in a new version of the PKI software
(it has been a few months since I last looked at DogTag), I've never had 
to modify a .vm or .cgi file to change a profile.  

The certificate profiles were always accessible through the PKI Console,
regardless of whether it was an RA or CA instance. 

Arshad Noor
StrongAuth, Inc.

----- Original Message -----
From: "Thomas Shanthi-LST016" <Shanthi.Thomas at motorola.com>
To: "Arshad Noor" <arshad.noor at strongauth.com>
Cc: pki-users at redhat.com
Sent: Monday, March 22, 2010 12:22:35 PM (GMT-0800) America/Los_Angeles
Subject: RE: [Pki-users] CErtificate profile validation

Thanks again for the prompt reply, Arshad.

I had created the profile at the CA but had not configured it on the RA
(just to check if the CA was validating it). But I will try it out
completely and get back again.

Also, to confirm - when you say profile configuration at the RA and CA,
I'm assuming you mean the modification of the .vm and .cgi files at the
RA, and at the CA the profile configuration is specified via the
PKI-console. 

Thanks,
Shanthi 

>>-----Original Message-----
>>From: Arshad Noor [mailto:arshad.noor at strongauth.com] 
>>Sent: Monday, March 22, 2010 12:36 PM
>>To: Thomas Shanthi-LST016
>>Cc: pki-users at redhat.com
>>Subject: Re: [Pki-users] CErtificate profile validation
>>
>>In order to accomplish what you're doing, Shanthi, what you 
>>need to do is have two profiles - one at the RA that performs 
>>verification tasks, and one at the CA that performs 
>>modifications.  So, for example, if you were creating a custom 
>>profile for a "Basic Assurance Signing Profile"
>>(the name is just an example), you would use the same profile 
>>at the RA and the CA instances, but configure the profile at 
>>the RA to only verify the information you were expecting from 
>>the end-entity (such as name-form, key-size, key-type, etc.) 
>>and then send it to the CA where the profile adds the 
>>required extensions and constraints.  
>>
>>What is confusing for many RHCS/DogTag users is that while 
>>the same profile can exist on the RA and the CA, they do not 
>>see each other's profile configurations - they only see their own 
>>configurations.  You likely configured the profile at the RA 
>>instance, which the CA is logically ignoring.  Modify/create 
>>your profile at the CA instance and you will get the 
>>certificates you want.
>>
>>Arshad Noor
>>StrongAuth, Inc.
>>
>>----- Original Message -----
>>From: "Thomas Shanthi-LST016" <Shanthi.Thomas at motorola.com>
>>To: "Arshad Noor" <arshad.noor at strongauth.com>
>>Cc: pki-users at redhat.com
>>Sent: Monday, March 22, 2010 9:48:28 AM (GMT-0800) America/Los_Angeles
>>Subject: RE: [Pki-users] CErtificate profile validation
>>
>>Thanks, Arshad. Is there some way to enforce the CA to 
>>cross-check the CSR against the profile when the RA is also 
>>present? Or is this automatically enabled?
>>
>>I must have missed something when I set the cert profile... 
>>When I tried this, it seemed as if the CA was not verifying 
>>correctness of the issued certificate against the cert 
>>profile. It seemed to be just adding its signature. Also it 
>>added the Authority Key Identifier but not the Subject Key 
>>Identifier (as per RFC 5280 it looks like the CA adds this field)
>>- though both were mentioned in the profile. 
>>
>>>>-----Original Message-----
>>>>From: Arshad Noor [mailto:arshad.noor at strongauth.com]
>>>>Sent: Monday, March 22, 2010 11:43 AM
>>>>To: Thomas Shanthi-LST016
>>>>Cc: pki-users at redhat.com
>>>>Subject: Re: [Pki-users] CErtificate profile validation
>>>>
>>>>Technically, it can occur at either or both locations.
>>>>However, from a business and operational point-of-view,
>>>>most PKIs do the verification at the RA.  This is because it
>>>>allows different RAs to use different policies, procedures and
>>>>tools to do the key-generation, verification, etc., before
>>>>sending the verified CSR to the CA for signing.
>>>>
>>>>From an operational point of view, having RAs do the
>>>>verification allows you to scale a CA to sign more certificates
>>>>in a given unit of time if it only had to sign certificates and
>>>>CRLs instead of verifying and signing.
>>>>
>>>>Yes, the CA can indeed add all the required
>>>>constraints/extensions as needed to the certificate based on
>>>>the profile, before it signs the CSR.
>>>>
>>>>Arshad Noor
>>>>StrongAuth, Inc.
>>>>
>>>>----- Original Message -----
>>>>From: "Thomas Shanthi-LST016" <Shanthi.Thomas at motorola.com>
>>>>To: pki-users at redhat.com
>>>>Sent: Monday, March 22, 2010 9:00:59 AM (GMT-0800) America/Los_Angeles
>>>>Subject: [Pki-users] CErtificate profile validation
>>>>
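The RA/CA split Arshad describes (the RA checks name-form, key-size and key-type on what the end-entity sent; the CA then adds the extensions and constraints, including the Subject Key Identifier and Authority Key Identifier that Shanthi's reply mentions) can be seen end to end in a small program. The following Go code is an added illustration and is not part of the thread and not Dogtag/RHCS code; it uses Go's standard crypto/x509 package instead of a Dogtag profile, and `Profile`, `VerifyCSR`, `IssueCertificate`, `RunDemo`, the "Example Corp" name form and the throwaway CA are all constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Profile is a hypothetical stand-in for one named profile that exists at both
// instances: the RA enforces the first two fields, the CA applies the third.
type Profile struct {
	MinRSABits  int                // RA: key-type RSA, key-size at least this
	RequiredO   string             // RA: name-form (CN present, exactly one O with this value)
	ExtKeyUsage []x509.ExtKeyUsage // CA: extension added before signing
}

// VerifyCSR is the RA half: proof of possession plus the profile's checks on
// what the end-entity supplied. It adds nothing and signs nothing.
func VerifyCSR(der []byte, p Profile) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	if k, ok := csr.PublicKey.(*rsa.PublicKey); !ok || k.N.BitLen() < p.MinRSABits {
		return nil, fmt.Errorf("key is not RSA of at least %d bits (%v)", p.MinRSABits, csr.PublicKeyAlgorithm)
	}
	if s := csr.Subject; s.CommonName == "" || len(s.Organization) != 1 || s.Organization[0] != p.RequiredO {
		return nil, fmt.Errorf("subject %q does not match the profile's name form", s.String())
	}
	return csr, nil
}

// subjectKeyID follows RFC 5280 section 4.2.1.2 method (1): SHA-1 over the
// subjectPublicKey BIT STRING contents, which for RSA is the PKCS#1 RSAPublicKey DER.
func subjectKeyID(pub *rsa.PublicKey) []byte {
	sum := sha1.Sum(x509.MarshalPKCS1PublicKey(pub))
	return sum[:]
}

// IssueCertificate is the CA half: it takes the RA-verified request and adds the
// profile's extensions and constraints. SKI is set by hand because Go only generates
// it for CA templates; AKI is copied from ca.SubjectKeyId by CreateCertificate.
func IssueCertificate(csr *x509.CertificateRequest, p Profile, ca *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, error) {
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("CA profile expects an RSA key")
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject, SubjectKeyId: subjectKeyID(pub),
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: p.ExtKeyUsage,
		BasicConstraintsValid: true, // end-entity: cA=FALSE is written out explicitly
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RunDemo runs both halves on constructed input (a throwaway self-signed CA, a compliant
// RSA-2048 request, a non-compliant RSA-1024 one) and returns the issued cert's SKI
// length, whether its AKI equals the CA's SKI, and whether the weak request stopped at the RA.
func RunDemo() (skiLen int, akiChained, weakRejected bool) {
	p := Profile{MinRSABits: 2048, RequiredO: "Example Corp", ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, SubjectKeyId: subjectKeyID(&caKey.PublicKey)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	subj := pkix.Name{CommonName: "alice", Organization: []string{"Example Corp"}}
	newCSR := func(bits int) []byte { // end-entity side: key pair plus self-signed request
		key, _ := rsa.GenerateKey(rand.Reader, bits)
		der, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subj}, key)
		return der
	}
	csr, err := VerifyCSR(newCSR(2048), p)
	if err != nil {
		panic(err)
	}
	cert, err := IssueCertificate(csr, p, ca, caKey)
	if err != nil {
		panic(err)
	}
	_, weakErr := VerifyCSR(newCSR(1024), p)
	return len(cert.SubjectKeyId), string(cert.AuthorityKeyId) == string(ca.SubjectKeyId), weakErr != nil
}

func main() {
	skiLen, akiChained, weakRejected := RunDemo()
	fmt.Printf("SKI length=%d, AKI chained to CA=%v, weak key rejected at RA=%v\n", skiLen, akiChained, weakRejected)
}
```

Two points carry over to a real deployment. First, the CA in this split trusts the RA's verification, so the CA's own profile check (here only the RSA type assertion) is the last line of defence, and the two copies of the profile have to be kept in step; a CA running with an unconfigured or default profile while the RA holds the intended one is exactly the mismatch the thread describes. Second, the end-entity SKI does not appear unless the CA-side profile puts it there: the library used here silently omits it for non-CA templates, which matches Shanthi's observation that AKI was present but SKI was not.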