Re: [Pki-devel] Configuration of Friendly Name and Country

[Nadeera Galagedara]

 Dear Dinesh,
I tried the method and still have the problem. I will tell you what i did and 
can you tell me where did I do wrong.
My root CA has "Maximum number of intermediate CAs: unlimited" and now I am 
installing the issuing ca (what I use for to issue certificates for clients). 
For the issuing CA Maximum number of intermediate CAs want to be Zero. 
I basically follow 
https://www.dogtagpki.org/wiki/PKI_10.5_Installing_CA_with_External_CA_Signing_Certificate
 steps (send the CSR to root CA and get back the signed certificate) and added 
policyset.caCertSet.5.default.name=Basic Constraints Extension Default
policyset.caCertSet.5.default.params.basicConstraintsCritical=true
policyset.caCertSet.5.default.params.basicConstraintsIsCA=true
policyset.caCertSet.5.default.params.basicConstraintsPathLen=0lines to both 
step 1 and step 2 config files and installed the Issuing CA.
Then I went to the Issuing CA's  "SSL End Users Services" -> "Manual User 
Dual-Use Certificate Enrollment" and created a certificate.  Then I wend to 
Agent Services and approve that request.
I imported that certificate to browser. But still it shows my issuing CA 
Maximum number of intermediate CAs: unlimited. 
Can you tell me what did I do wrong.

    On Friday, May 22, 2020, 11:27:29 PM GMT+5:30, Dinesh Prasanth Moluguwan 
Krishnamoorthy <dmolu...@redhat.com> wrote:  
 
 Nadeera,
(CC'ing pki-devel)
Setting the number of intermediate CAs can be achieved by using "Basic 
Constraints Extension" [1] and setting the PathLen= to the required value.
You need to set this extension on a CA profile and then issue a CA signing 
cert. You can't modify this value on an already issued CA cert. Read more on 
how to add this constraint to a profile here [2]

[1] 
https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html-single/administration_guide_common_criteria_edition/index#Basic_Constraints_Extension_Default[2]
 
https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html-single/administration_guide_common_criteria_edition/index#about-extensions
Regards,--Dinesh

On Fri, May 22, 2020 at 8:57 AM Nadeera Galagedara 
<nadeeragalaged...@yahoo.com> wrote:

  Dear Dinesh,
I want another help from you. How can I change the "Maximum number of 
intermediate CAs: unlimited" value.    On Friday, May 22, 2020, 10:57:45 AM 
GMT+5:30, Nadeera Galagedara <nadeeragalaged...@yahoo.com> wrote:  
 
  Dear Dinesh,
That is a great explanation. That problem that problem is also solved. Again 
thank you.
    On Wednesday, May 20, 2020, 08:27:56 PM GMT+5:30, Dinesh Prasanth Moluguwan 
Krishnamoorthy <dmolu...@redhat.com> wrote:  
 
 Hi Nadeera,
I'm glad I could resolve your issues.
As for the friendly/nickname, these names are customizable based on the system 
you use and are not specified during the certificate issuance.
For instance, when you specified "pki_ca_signing_nickname=mycompany_nickname" 
this nickname was used to import the CA system certificate in your PKI server's 
NSSDB. You can view this by doing `certutil -L -d /etc/pki/pki-tomcat/alias` 
and you should see the mycompany_nickname listed.
I have very limited knowledge of handling certificates in windows. From 
Googling around: you can try to right-click on the certificate -> Properties -> 
"general" tab -> Set "Friendly Name".  

HTH
Regards,--Dinesh

On Wed, May 20, 2020 at 3:28 AM Nadeera Galagedara 
<nadeeragalaged...@yahoo.com> wrote:

 Dear Dinesh,
Thank you for your support and it is been very helpful. I am using Centos 7 and 
the version came with it is 10.5. I am using that version. I think I have 
corrected the country (with c=LK). But I still have a problem with the 
nickname. 
I used the pki_ca_signing_nickname=mycompany_nickname line but still the 
friendly name show on windows PC (I have imported the issued certificate to a 
windows PC) format like <Common Name>'s <Organisation> ID. My requirement is to 
show the the Friendly Name (shows as in Windows PC) as "mycompany_nickname " I 
have attached a screenshot also. Please tell me what did I do wrong.




The full config is mentioned below

Step 1
[CA]pki_admin_email=mycompany@abc.lkpki_admin_name=caadminpki_admin_nickname=caadminpki_admin_password=Secret.123pki_admin_uid=caadmin
pki_client_database_password=Secret.123pki_client_database_purge=Falsepki_client_pkcs12_password=Secret.123
pki_ds_base_dn=dc=issueca,dc=mycompany,dc=lkpki_ds_database=ca2pki_ds_password=Secret.123
pki_security_domain_name=mycompany_domainpki_token_password=Secret.123
pki_external=Truepki_external_step_two=False
pki_ca_signing_subject_dn=cn=mycompany_cn,ou=mycompany_ou,o=mycompany_o,c=LKpki_ca_signing_csr_path=ca_signing.csr
pki_ca_signing_nickname=mycompany_nickname
pki_default_ocsp_uri=http://ocsp.mycompany.lk


Step 2
[CA]pki_admin_email=mycompany@abc.lkpki_admin_name=caadminpki_admin_nickname=caadminpki_admin_password=Secret.123pki_admin_uid=caadmin
pki_client_database_password=Secret.123pki_client_database_purge=Falsepki_client_pkcs12_password=Secret.123
pki_ds_base_dn=dc=issueca,dc=mycompany,dc=lkpki_ds_database=ca2pki_ds_password=Secret.123
pki_security_domain_name=mycompany_domainpki_token_password=Secret.123
pki_external=Truepki_external_step_two=True
pki_ca_signing_csr_path=ca_signing.csrpki_ca_signing_cert_path=ca_signing.crt
pki_ca_signing_nickname=mycompany_nickname
pki_default_ocsp_uri=http://ocsp.mycompany.lk



Thank you and best regards,Nadeera.




    On Wednesday, May 20, 2020, 03:29:15 AM GMT+5:30, Dinesh Prasanth Moluguwan 
Krishnamoorthy <dmolu...@redhat.com> wrote:  
 
 Hi Nadeera,
What version of dogtag PKI are you trying to install? You are referring to PKI 
10.5 docs. The latest release is 10.8.3

If you are using the latest packages, our docs are available in our upstream 
repo: https://github.com/dogtagpki/pki/tree/v10.8/docs
(see inline reply)

On Tue, May 19, 2020 at 9:22 AM Nadeera Galagedara 
<nadeeragalaged...@yahoo.com> wrote:

Dear all,
I am new to dogtag and I am installing a sub ca using the method described  in  
https://www.dogtagpki.org/wiki/PKI_10.5_Installing_CA_with_External_CA_Signing_Certificate
  . I want to know.
1) What is the parameter to change the Friendly Name
We do not use "Friendly Name". Instead, we use "nickname"To configure the 
nickname for CA signing certificate use:  pki_ca_signing_nickname=

2) What is the parameter to change the Country/Locality
This is set using subject dn. So, in your case specify the Country using this 
attribute: pki_ca_signing_subject_dn= 
3) Where (a page link ) I can find details about each of this configuration 
parameters.
I don't have a page that explains all the config parameters. But, I do have a 
page that can give you a list of parameters that you can use (since you 
mentioned 10.5, I'm listing the contents of 10.5 branch. Refer to the 
appropriate branch for an updated list)
https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_BRANCH/base/server/etc/default.cfg
HTH
Regards,--Dinesh
 

Thank you.
_______________________________________________
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
  
    
  
_______________________________________________
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel