Ives Steglich wrote:
DN_TYPE_IE_SUBJECTALTNAMES "email" "IP" "DNS" "DNS"
k u change this to: DN_TYPE_IE_SUBJECTALTNAMES
then you can comment out those lines or remove them:
DN_TYPE_IE_SUBJECTALTNAME_1 "alternative email"
DN_TYPE_IE_SUBJECTALTNAME_1_MINIMUM_LENGTH 3
DN_TYPE_IE_SUBJECTALTNAME_1_REQUIRED "NO"
DN_TYPE_IE_SUBJECTALTNAME_2 "IP address"
DN_TYPE_IE_SUBJECTALTNAME_2_MINIMUM_LENGTH 7
DN_TYPE_IE_SUBJECTALTNAME_2_REQUIRED "NO"
DN_TYPE_IE_SUBJECTALTNAME_3 "DNS name"
DN_TYPE_IE_SUBJECTALTNAME_3_MINIMUM_LENGTH 9
DN_TYPE_IE_SUBJECTALTNAME_3_REQUIRED "NO"
DN_TYPE_IE_SUBJECTALTNAME_4 "DNS name"
DN_TYPE_IE_SUBJECTALTNAME_4_MINIMUM_LENGTH 9
DN_TYPE_IE_SUBJECTALTNAME_4_REQUIRED "NO"
and look for:
ADDITIONAL_REQUEST_ATTRIBUTES "requestercn" "email" "department" "telephone"
ADDITIONAL_ATTRIBUTES_DISPLAY_VALUE "Name (first and Last name)" "Email" "Department" "Telephone"
ADDITIONAL_REQUEST_ATTRIBUTES_STRING_TYPE "LATIN1_LETTERS" "EMAIL" "LATIN1_LETTERS" "LATIN1_LETTERS"
those ones u leave in but without things behind so it becomes:
ADDITIONAL_REQUEST_ATTRIBUTES
ADDITIONAL_ATTRIBUTES_DISPLAY_VALUE
ADDITIONAL_REQUEST_ATTRIBUTES_STRING_TYPE
in the configfile
Thank you for the fast answer, but I want to disable all ADDITIONAL_REQUEST_ATTRIBUTES. If I delete the entries from etc/servers/pub.conf.template, I get an error about the missing entries.
i hope the above helps ;) it's now more clear i think what to do in the config-files
Is it possible to set LOA, role, RA and keylength as hidden fields in CSRs, because there is only 1 RA and 1 Policy, all CSRs who are filled at this public interface are for user-certificates and the keylength should always be 2048bit.
this part oliver answered i think - u must change the html generation
so it will become hidden fields... keylength may not work to set if you allow browsergenerated certificates - there is actually no way to force the browser just to show 2048bit for key-generation, if it's only serverbased - there is in those config files also an option to set allowed/Supported keysizes...
as for the loa - you can limit this to one, so the user may see it, but can't change it to something different:
## Basic CSR Forms
Basic_CSR_Keysizes "1024" "2048" "4096"
DN_TYPES "BASIC" "TOKEN" "SPKAC" "IE" "PKCS10"
here u can also limit, the available forms for the user - maybe to just BASIC - so everything is servergenerated - and so on...
if u put only "BASIC" and "PKCS10" in the page for users may look like this:
Beantragen eines Zertifikates mit automatischer Browsererkennung [Benutzen Sie diesen Link, wenn Sie nicht wissen, was Sie tun sollen]
Allgemeiner Zertifzierungsantrag [Serverseitige Schlüssel- und Antragserstellung]
Zertifzierungsantrag für Server [PEM-formatierter PKCS#10-Antrag]
so only those options are available, available roles you can limit with the files in: etc/rbac/rolex.xml
just remove or comment not needed roles out, you must restart the server process then... since the xml gets cached...
it's also a good idea to change the .template files and rerun the configure_sh script, so if you may run it by 'accident' it won't overwrite changes in the .conf files from .templatefiles then...
available loa values are set in the etc/loa.xml file (changes here also require a restart ./openca_rc restart of course ;)
so your users may then see all values but they can't change them anyway, if you setup the system accordingly...
greetings dalini
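
A small audit of the settings discussed in this thread, as an added example that is not part of the original messages and is not OpenCA code. It assumes one directive per line with `#` comments, treats only "BASIC" as a server-side key generation form (as the reply describes), and the function names are hypothetical.

```python
import shlex

# Constructed sample in the style of the directives quoted in this thread.
# Assumption: one directive per line, '#' starts a comment.
DEFAULT_CONF = '''\
## Basic CSR Forms
Basic_CSR_Keysizes "1024" "2048" "4096"
DN_TYPES "BASIC" "TOKEN" "SPKAC" "IE" "PKCS10"
ADDITIONAL_REQUEST_ATTRIBUTES "requestercn" "email" "department" "telephone"
ADDITIONAL_ATTRIBUTES_DISPLAY_VALUE "Name" "Email" "Department" "Telephone"
ADDITIONAL_REQUEST_ATTRIBUTES_STRING_TYPE "LATIN1_LETTERS" "EMAIL" "LATIN1_LETTERS" "LATIN1_LETTERS"
'''
RESTRICTED_CONF = '''\
Basic_CSR_Keysizes "2048"
DN_TYPES "BASIC"
ADDITIONAL_REQUEST_ATTRIBUTES
ADDITIONAL_ATTRIBUTES_DISPLAY_VALUE
ADDITIONAL_REQUEST_ATTRIBUTES_STRING_TYPE
'''
# Directives that must stay in the file but carry no values.
EMPTY_BUT_PRESENT = ("ADDITIONAL_REQUEST_ATTRIBUTES",
                     "ADDITIONAL_ATTRIBUTES_DISPLAY_VALUE",
                     "ADDITIONAL_REQUEST_ATTRIBUTES_STRING_TYPE")

def parse_directives(text):
    """Map each directive name to its list of values (hypothetical helper)."""
    conf = {}
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens:
            conf[tokens[0]] = tokens[1:]
    return conf

def audit(text, keysize="2048", server_side_forms=("BASIC",)):
    """Return findings where the config deviates from the restricted setup."""
    conf, findings = parse_directives(text), []
    if conf.get("Basic_CSR_Keysizes") != [keysize]:
        findings.append("Basic_CSR_Keysizes is not limited to " + keysize)
    # The form cannot dictate key size when the key is generated off the server.
    extra = [f for f in conf.get("DN_TYPES", []) if f not in server_side_forms]
    if extra:
        findings.append("DN_TYPES allows non-server-side forms: " + ", ".join(extra))
    for name in EMPTY_BUT_PRESENT:
        if name not in conf:
            findings.append(name + " is missing (the thread reports an error for this)")
        elif conf[name]:
            findings.append(name + " still lists values")
    return findings

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_CONF), ("restricted", RESTRICTED_CONF)):
        print(label, audit(text) or "ok")
```

Running the same audit over both the .conf file and its .template catches the case where a later configure run would restore the unrestricted values.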
_______________________________________________
Openca-Users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openca-users
