[Pki-users] Add info to a new OID
Christina Fu
cfu at redhat.com
Thu Jan 23 02:31:14 UTC 2014
Hi,
If I understand it correctly, you just want the OID to appear in the
cert? if so, Generic Extension might be what you are looking for:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Admin_Guide/index.html#Generic_Extension_Default
Here is an example of it:
policyset.set1.p06.constraint.class_id=extensionConstraintImpl
policyset.set1.p06.constraint.name=Extension Constraint
policyset.set1.p06.constraint.params.extCritical=-
policyset.set1.p06.constraint.params.extOID=2.16.76.1.3.3
policyset.set1.p06.default.class_id=userExtensionDefaultImpl
policyset.set1.p06.default.name=Generic Extension Default
policyset.set1.p06.default.params.genericExtData=bz
policyset.set1.p06.default.params.genericExtOID=2.16.76.1.3.3
policyset.set1.p06.default.params.enericExtCritical=false
In the above example, I just put your country OID in the profile, but I
imagine you could change it to take it from the input. If you do so,
you might want to lighten up on the constraint. I suggest you try the
above hard-coded profile first just to see if the cert comes out what
you are looking for before adding input in the profile.
There is actually a bug in the GenericExtension area in regards to
setting critical to true. I have yet to check the fix into Dogtag. Let
me know if you do need that.
BTW, regarding userExtensionDefault, it can only be used if your CSR has
the wanted extension in the request already, so it's not going to help you.
Hope this helps.
Christina
On 01/22/2014 02:41 AM, Sergio Pereira wrote:
> hi guys,
>
> I'm trying to create a certificate profile in a way to have at the end
> a certificate with a special attributes (supplied by the user through
> web enrollment form). I'm running dogtag 10.1 on Fedora 20...fresh
> install. I added a certificate profile using pkiconsole but I'm
> struggling in how to find the right Policies, Inputs and Outputs for
> the new profile. The OID I intent to write to it is the 2.16.76.1.3.3
> (country specific OID). Here is my profile's config file:
>
> auth.instance_id=
> desc=UserCNPJ
> enable=false
> enableBy=admin
> input.CNPJ.class_id=genericInputImpl
> input.CNPJ.name <http://input.CNPJ.name>=Generic Input
> input.CNPJ.params.gi_display_name0=Cadastro Nacional Pessoa Juridica
> input.CNPJ.params.gi_display_name1=
> input.CNPJ.params.gi_display_name2=
> input.CNPJ.params.gi_display_name3=
> input.CNPJ.params.gi_display_name4=
> input.CNPJ.params.gi_param_enable0=true
> input.CNPJ.params.gi_param_enable1=false
> input.CNPJ.params.gi_param_enable2=false
> input.CNPJ.params.gi_param_enable3=false
> input.CNPJ.params.gi_param_enable4=false
> input.CNPJ.params.gi_param_name0=cnpj
> input.CNPJ.params.gi_param_name1=
> input.CNPJ.params.gi_param_name2=
> input.CNPJ.params.gi_param_name3=
> input.CNPJ.params.gi_param_name4=
> input.i1.class_id=keyGenInputImpl
> input.i1.name <http://input.i1.name>=Key Generation Input
> input.i2.class_id=subjectNameInputImpl
> input.i2.name <http://input.i2.name>=Subject Name Input
> input.i3.class_id=submitterInfoInputImpl
> input.i3.name <http://input.i3.name>=Submitter Information Input
> input.list=i1,i2,i3,CNPJ
> input.params.gi_display_name0=Cadastro Nacional Pessoa Juridica
> input.params.gi_display_name1=
> input.params.gi_display_name2=
> input.params.gi_display_name3=
> input.params.gi_display_name4=
> input.params.gi_param_enable0=true
> input.params.gi_param_enable1=false
> input.params.gi_param_enable2=false
> input.params.gi_param_enable3=false
> input.params.gi_param_enable4=false
> input.params.gi_param_name0=cnpj
> input.params.gi_param_name1=
> input.params.gi_param_name2=
> input.params.gi_param_name3=
> input.params.gi_param_name4=
> lastModified=1390319210315
> name=UserCNPJ
> output.list=o1
> output.o1.class_id=certOutputImpl
> output.o1.name <http://output.o1.name>=Certificate Output
> policyset.list=set1
> policyset.set1.list=p1,p2,p3,p4,p5,p06
> policyset.set1.p06.constraint.class_id=noConstraintImpl
> policyset.set1.p06.constraint.name
> <http://policyset.set1.p06.constraint.name>=No Constraint
> policyset.set1.p06.default.class_id=userExtensionDefaultImpl
> policyset.set1.p06.default.name
> <http://policyset.set1.p06.default.name>=User Supplied Extension Default
> policyset.set1.p06.default.params.userExtOID=Comment Here...
> policyset.set1.p1.constraint.class_id=noConstraintImpl
> policyset.set1.p1.constraint.name
> <http://policyset.set1.p1.constraint.name>=No Constraint
> policyset.set1.p1.default.class_id=userSubjectNameDefaultImpl
> policyset.set1.p1.default.name
> <http://policyset.set1.p1.default.name>=User Supplied Subject Name Default
> policyset.set1.p2.constraint.class_id=noConstraintImpl
> policyset.set1.p2.constraint.name
> <http://policyset.set1.p2.constraint.name>=No Constraint
> policyset.set1.p2.default.class_id=validityDefaultImpl
> policyset.set1.p2.default.name
> <http://policyset.set1.p2.default.name>=Validity Default
> policyset.set1.p2.default.params.range=180
> policyset.set1.p2.default.params.startTime=0
> policyset.set1.p3.constraint.class_id=noConstraintImpl
> policyset.set1.p3.constraint.name
> <http://policyset.set1.p3.constraint.name>=No Constraint
> policyset.set1.p3.default.class_id=userKeyDefaultImpl
> policyset.set1.p3.default.name
> <http://policyset.set1.p3.default.name>=User Supplied Key Default
> policyset.set1.p3.default.params.keyMaxLength=4096
> policyset.set1.p3.default.params.keyMinLength=512
> policyset.set1.p3.default.params.keyType=RSA
> policyset.set1.p4.constraint.class_id=noConstraintImpl
> policyset.set1.p4.constraint.name
> <http://policyset.set1.p4.constraint.name>=No Constraint
> policyset.set1.p4.default.class_id=signingAlgDefaultImpl
> policyset.set1.p4.default.name
> <http://policyset.set1.p4.default.name>=Signing Algorithm Default
> policyset.set1.p4.default.params.signingAlg=-
> policyset.set1.p4.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,,SHA512withEC
> policyset.set1.p5.constraint.class_id=noConstraintImpl
> policyset.set1.p5.constraint.name
> <http://policyset.set1.p5.constraint.name>=No Constraint
> policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
> policyset.set1.p5.default.name
> <http://policyset.set1.p5.default.name>=Key Usage Extension Default
> policyset.set1.p5.default.params.keyUsageCritical=true
> policyset.set1.p5.default.params.keyUsageCrlSign=true
> policyset.set1.p5.default.params.keyUsageDataEncipherment=true
> policyset.set1.p5.default.params.keyUsageDecipherOnly=true
> policyset.set1.p5.default.params.keyUsageDigitalSignature=true
> policyset.set1.p5.default.params.keyUsageEncipherOnly=true
> policyset.set1.p5.default.params.keyUsageKeyAgreement=true
> policyset.set1.p5.default.params.keyUsageKeyCertSign=true
> policyset.set1.p5.default.params.keyUsageKeyEncipherment=true
> policyset.set1.p5.default.params.keyUsageNonRepudiation=true
> visible=true
> thx in advance,
> sergio
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20140122/5b990ec2/attachment.htm>
More information about the Pki-users
mailing list