[Pki-users] Add info to a new OID

Sergio Pereira shopereira at gmail.com
Thu Jan 23 12:12:28 UTC 2014 

Hi Christina,

I really appreciate for your response and time. I did try your suggestion
but with no luck, when enrolling through web form I get the message: "Sorry,
your request has been rejected. The reason is "Request Rejected - {0}".
Attached is a picture of a real certificate, signed by a Brazilian CA and
that is what I'm trying to accomplish using DogTag certificate system. The
OID I'm trying to write to is marked in red and its value has some sort of
Hex form (that would be the second step to be accomplished). One thing I
realized is that the OID in question is in Subject Alternative Name and not
as Generic Extension.

thx,
sp


2014/1/23 Christina Fu <cfu at redhat.com>

>  Hi,
>
> If I understand it correctly, you just want the OID to appear in the
> cert?  if so, Generic Extension might be what you are looking for:
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Admin_Guide/index.html#Generic_Extension_Default
>
> Here is an example of it:
> policyset.set1.p06.constraint.class_id=extensionConstraintImpl
> policyset.set1.p06.constraint.name=Extension Constraint
> policyset.set1.p06.constraint.params.extCritical=-
> policyset.set1.p06.constraint.params.extOID=2.16.76.1.3.3
> policyset.set1.p06.default.class_id=userExtensionDefaultImpl
> policyset.set1.p06.default.name=Generic Extension Default
> policyset.set1.p06.default.params.genericExtData=bz
> policyset.set1.p06.default.params.genericExtOID=2.16.76.1.3.3
> policyset.set1.p06.default.params.enericExtCritical=false
>
> In the above example, I just put your country OID in the profile, but I
> imagine you could change it to take it from the input.  If you do so, you
> might want to lighten up on the constraint.  I suggest you try the above
> hard-coded profile first just to see if the cert comes out what you are
> looking for before adding input in the profile.
>
> There is actually a bug in the GenericExtension area in regards to setting
> critical to true.  I have yet to check the fix into Dogtag.  Let me know if
> you do need that.
>
> BTW, regarding userExtensionDefault, it can only be used if your CSR has
> the wanted extension in the request already, so it's not going to help you.
>
> Hope this helps.
> Christina
>
>
> On 01/22/2014 02:41 AM, Sergio Pereira wrote:
>
> hi guys,
>
>  I'm trying to create a certificate profile in a way to have at the end a
> certificate with a special attributes (supplied by the user through web
> enrollment form). I'm running dogtag 10.1 on Fedora 20...fresh install. I
> added a certificate profile using pkiconsole but I'm struggling in how to
> find the right Policies, Inputs and Outputs for the new profile. The OID I
> intent to write to it is the 2.16.76.1.3.3 (country specific OID). Here is
> my profile's config file:
>
>  auth.instance_id=
> desc=UserCNPJ
> enable=false
> enableBy=admin
> input.CNPJ.class_id=genericInputImpl
> input.CNPJ.name=Generic Input
> input.CNPJ.params.gi_display_name0=Cadastro Nacional Pessoa Juridica
> input.CNPJ.params.gi_display_name1=
> input.CNPJ.params.gi_display_name2=
> input.CNPJ.params.gi_display_name3=
>  input.CNPJ.params.gi_display_name4=
> input.CNPJ.params.gi_param_enable0=true
> input.CNPJ.params.gi_param_enable1=false
> input.CNPJ.params.gi_param_enable2=false
> input.CNPJ.params.gi_param_enable3=false
> input.CNPJ.params.gi_param_enable4=false
> input.CNPJ.params.gi_param_name0=cnpj
> input.CNPJ.params.gi_param_name1=
> input.CNPJ.params.gi_param_name2=
> input.CNPJ.params.gi_param_name3=
> input.CNPJ.params.gi_param_name4=
> input.i1.class_id=keyGenInputImpl
> input.i1.name=Key Generation Input
> input.i2.class_id=subjectNameInputImpl
>  input.i2.name=Subject Name Input
> input.i3.class_id=submitterInfoInputImpl
> input.i3.name=Submitter Information Input
> input.list=i1,i2,i3,CNPJ
> input.params.gi_display_name0=Cadastro Nacional Pessoa Juridica
> input.params.gi_display_name1=
> input.params.gi_display_name2=
> input.params.gi_display_name3=
> input.params.gi_display_name4=
> input.params.gi_param_enable0=true
> input.params.gi_param_enable1=false
> input.params.gi_param_enable2=false
> input.params.gi_param_enable3=false
> input.params.gi_param_enable4=false
> input.params.gi_param_name0=cnpj
> input.params.gi_param_name1=
> input.params.gi_param_name2=
> input.params.gi_param_name3=
> input.params.gi_param_name4=
> lastModified=1390319210315
> name=UserCNPJ
> output.list=o1
> output.o1.class_id=certOutputImpl
> output.o1.name=Certificate Output
> policyset.list=set1
> policyset.set1.list=p1,p2,p3,p4,p5,p06
> policyset.set1.p06.constraint.class_id=noConstraintImpl
> policyset.set1.p06.constraint.name=No Constraint
> policyset.set1.p06.default.class_id=userExtensionDefaultImpl
> policyset.set1.p06.default.name=User Supplied Extension Default
> policyset.set1.p06.default.params.userExtOID=Comment Here...
> policyset.set1.p1.constraint.class_id=noConstraintImpl
> policyset.set1.p1.constraint.name=No Constraint
> policyset.set1.p1.default.class_id=userSubjectNameDefaultImpl
> policyset.set1.p1.default.name=User Supplied Subject Name Default
> policyset.set1.p2.constraint.class_id=noConstraintImpl
> policyset.set1.p2.constraint.name=No Constraint
> policyset.set1.p2.default.class_id=validityDefaultImpl
> policyset.set1.p2.default.name=Validity Default
> policyset.set1.p2.default.params.range=180
> policyset.set1.p2.default.params.startTime=0
>  policyset.set1.p3.constraint.class_id=noConstraintImpl
> policyset.set1.p3.constraint.name=No Constraint
> policyset.set1.p3.default.class_id=userKeyDefaultImpl
> policyset.set1.p3.default.name=User Supplied Key Default
> policyset.set1.p3.default.params.keyMaxLength=4096
> policyset.set1.p3.default.params.keyMinLength=512
> policyset.set1.p3.default.params.keyType=RSA
> policyset.set1.p4.constraint.class_id=noConstraintImpl
> policyset.set1.p4.constraint.name=No Constraint
> policyset.set1.p4.default.class_id=signingAlgDefaultImpl
> policyset.set1.p4.default.name=Signing Algorithm Default
> policyset.set1.p4.default.params.signingAlg=-
>
> policyset.set1.p4.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,,SHA512withEC
> policyset.set1.p5.constraint.class_id=noConstraintImpl
> policyset.set1.p5.constraint.name=No Constraint
> policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
> policyset.set1.p5.default.name=Key Usage Extension Default
> policyset.set1.p5.default.params.keyUsageCritical=true
> policyset.set1.p5.default.params.keyUsageCrlSign=true
> policyset.set1.p5.default.params.keyUsageDataEncipherment=true
> policyset.set1.p5.default.params.keyUsageDecipherOnly=true
> policyset.set1.p5.default.params.keyUsageDigitalSignature=true
> policyset.set1.p5.default.params.keyUsageEncipherOnly=true
> policyset.set1.p5.default.params.keyUsageKeyAgreement=true
> policyset.set1.p5.default.params.keyUsageKeyCertSign=true
> policyset.set1.p5.default.params.keyUsageKeyEncipherment=true
> policyset.set1.p5.default.params.keyUsageNonRepudiation=true
> visible=true
>
> thx in advance,
> sergio
>
>
> _______________________________________________
> Pki-users mailing listPki-users at redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20140123/1856eed8/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ScreenshotCert.png
Type: image/png
Size: 78799 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-users/attachments/20140123/1856eed8/attachment.png>

More information about the Pki-users mailing list