Mathias Schäfer wrote:
Ives Steglich wrote:
DN_TYPE_IE_SUBJECTALTNAMES "email" "IP" "DNS" "DNS"
k u change this to:
DN_TYPE_IE_SUBJECTALTNAMES
then you can comment out those lines or remove them:
DN_TYPE_IE_SUBJECTALTNAME_1 "alternative email"
DN_TYPE_IE_SUBJECTALTNAME_1_MINIMUM_LENGTH 3
DN_TYPE_IE_SUBJECTALTNAME_1_REQUIRED "NO"
DN_TYPE_IE_SUBJECTALTNAME_2 "IP address"
DN_TYPE_IE_SUBJECTALTNAME_2_MINIMUM_LENGTH 7
DN_TYPE_IE_SUBJECTALTNAME_2_REQUIRED "NO"
DN_TYPE_IE_SUBJECTALTNAME_3 "DNS name"
DN_TYPE_IE_SUBJECTALTNAME_3_MINIMUM_LENGTH 9
DN_TYPE_IE_SUBJECTALTNAME_3_REQUIRED "NO"
DN_TYPE_IE_SUBJECTALTNAME_4 "DNS name"
DN_TYPE_IE_SUBJECTALTNAME_4_MINIMUM_LENGTH 9
DN_TYPE_IE_SUBJECTALTNAME_4_REQUIRED "NO"
and look for:
ADDITIONAL_REQUEST_ATTRIBUTES "requestercn" "email" "department" "telephone"
ADDITIONAL_ATTRIBUTES_DISPLAY_VALUE "Name (first and Last name)" "Email" "Department" "Telephone"
ADDITIONAL_REQUEST_ATTRIBUTES_STRING_TYPE "LATIN1_LETTERS" "EMAIL" "LATIN1_LETTERS" "LATIN1_LETTERS"
those ones u leave in but without things behind so it becomes:
ADDITIONAL_REQUEST_ATTRIBUTES
ADDITIONAL_ATTRIBUTES_DISPLAY_VALUE
ADDITIONAL_REQUEST_ATTRIBUTES_STRING_TYPE
in the configfile
Thank you for the fast answer, but I want to disable all ADDITIONAL_REQUEST_ATTRIBUTES. If I delete the entries from etc/servers/pub.conf.template, I get an error about the missing entries.
i hope the above helps ;) it's now more clear i think what to do in the config-files
Is it possible to set LOA, role, RA and keylength as hidden fields in CSRs, because there is only 1 RA and 1 Policy? All CSRs which are filled in at this public interface are for user-certificates and the keylength should always be 2048bit.
this part Oliver answered i think - u must change the html generation
so it will become hidden fields... keylength may not work to set if you allow browsergenerated certificates - there is actually no way to force the browser just to show 2048bit for key-generation, if it's only serverbased - there is in those config files also an option to set allowed/Supported keysizes...
as for the loa - you can limit this to one, so the user may see it, but can't change it to something different:
## Basic CSR Forms
Basic_CSR_Keysizes "1024" "2048" "4096"
DN_TYPES "BASIC" "TOKEN" "SPKAC" "IE" "PKCS10"
here u can also limit, the available forms for the user - maybe to just BASIC - so everything is servergenerated - and so on...
if u put only "BASIC" and "PKCS10" in, the page for users may look like this:
Request a certificate with automatic browser detection [Use this link if you do not know what to do]
General certification request [Server-side key and request generation]
Certification request for servers [PEM-formatted PKCS#10 request]
so only those options are available, available roles you can limit with the files in: etc/rbac/rolex.xml
i forgot something here: if you change names here or add new roles
you have to adapt or create new files in etc/openssl/openssl with the same name and so on ;) there you may also change the certificate parameters which openssl puts into the certs then...
you have to set those things at the ca and public interface of course the same, except you may give the ra-operator more fields than the user and so on... if you set this different in ra.conf from pub.conf and so on...
greetings dalini
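
A way to check a pub.conf against the settings discussed in this thread, as an added example that is not part of the original mails and not OpenCA code. It assumes one directive per line in the keyword-plus-quoted-values style quoted above; the function names and the sample text are constructed for illustration, and the policy (2048 only, BASIC and PKCS10 forms) is the one asked for in the thread.

```python
import shlex

# Constructed sample in the directive style quoted in the thread
# (keyword followed by zero or more quoted values, '#' starts a comment).
SAMPLE_PUB_CONF = '''\
## Basic CSR Forms
Basic_CSR_Keysizes "1024" "2048" "4096"
DN_TYPES "BASIC" "TOKEN" "SPKAC" "IE" "PKCS10"
DN_TYPE_IE_SUBJECTALTNAMES
ADDITIONAL_REQUEST_ATTRIBUTES
ADDITIONAL_ATTRIBUTES_DISPLAY_VALUE "Email"
'''

# Keywords that must stay in the file but carry no values; removing the
# keyword itself is what produced the "missing entries" error in the thread.
EMPTY_BUT_PRESENT = (
    "ADDITIONAL_REQUEST_ATTRIBUTES",
    "ADDITIONAL_ATTRIBUTES_DISPLAY_VALUE",
    "ADDITIONAL_REQUEST_ATTRIBUTES_STRING_TYPE",
)

def parse_directives(text):
    """Return {keyword: [values]}; assumes one directive per line."""
    conf = {}
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens:
            conf[tokens[0]] = tokens[1:]
    return conf

def audit(conf, keysizes=("2048",), forms=("BASIC", "PKCS10")):
    """List deviations from the policy discussed in the thread."""
    findings = []
    for key in EMPTY_BUT_PRESENT:
        if key not in conf:
            findings.append(f"{key}: missing (keep the keyword, drop the values)")
        elif conf[key]:
            findings.append(f"{key}: still lists {conf[key]}")
    extra = [k for k in conf.get("Basic_CSR_Keysizes", []) if k not in keysizes]
    if extra:
        findings.append(f"Basic_CSR_Keysizes: unexpected sizes {extra}")
    extra = [f for f in conf.get("DN_TYPES", []) if f not in forms]
    if extra:
        findings.append(f"DN_TYPES: unexpected forms {extra}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_directives(SAMPLE_PUB_CONF)):
        print(finding)
```

Running the same audit over ra.conf with a wider `forms` tuple shows where the RA interface intentionally differs from the public one.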
