I did something like this, a while ago, on DogTag. Seems to work for me.
I did that on server certificate profile; so you may need to adjust it a bit.

/var/lib/pki/<instance>/ca/profiles/ca/caServerCert.cfg
================================================
policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
policyset.serverCertSet.5.constraint.name=No Constraint
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.5.default.name=AIA Extension Default
<!-- this is the default OCSP entry, configured elsewhere in your pki instance, I just left it here -->
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
<!-- these are custom entries -->
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_1=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_1=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_1=http://server1/root.crt
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_1=1.3.6.1.5.5.7.48.2
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_2=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_2=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_2=http://server2/root.crt
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_2=1.3.6.1.5.5.7.48.2
<!-- adjust as necessary the amount of entries here -->
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=3

After that, restart your instance and review the certificate request in agent. Hope it works fine.

2016-04-01 15:08 GMT+02:00 Kamal Perera <[email protected]>:
> Dear All,
>
> Hope you guys are doing great.
>
> I just want to know how to configure the user certificate profile to have
> both OCSP URL and CA ISSUERs certificate URL to be present in the
> certificate.
>
> Thanks.
> Kaml
>
> _______________________________________________
> Pki-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/pki-users
>
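A consistency check for the AIA parameters in the message above, to run on the profile text before restarting the instance. This is an added example, not part of the original message and not Dogtag tooling. It assumes the policyset.serverCertSet.5 prefix from the post and, following the post's comment, accepts an empty location on the OCSP entry; the sample text is constructed from the post's values.

```python
import re

OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers
PREFIX = "policyset.serverCertSet.5.default.params."  # prefix used in the post

# Constructed sample: the AIA parameters from the post, comments left out.
SAMPLE = """\
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_1=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_1=http://server1/root.crt
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_1=1.3.6.1.5.5.7.48.2
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_2=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_2=http://server2/root.crt
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_2=1.3.6.1.5.5.7.48.2
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=3
"""

def parse_params(text, prefix=PREFIX):
    """Return {short_key: value} for every line that starts with prefix."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(prefix) and "=" in line:
            key, _, value = line[len(prefix):].partition("=")
            params[key.strip()] = value.strip()
    return params

def check_aia(params):
    """Return a list of problems; an empty list means the entries are consistent."""
    problems = []
    indices = sorted({int(m.group(1)) for k in params
                      if (m := re.fullmatch(r"authInfoAccessAD\w+?_(\d+)", k))})
    declared = int(params.get("authInfoAccessNumADs", "0"))
    if indices != list(range(declared)):  # entries must be numbered 0..NumADs-1
        problems.append(f"NumADs={declared} but entries found: {indices}")
    for i in indices:
        method = params.get(f"authInfoAccessADMethod_{i}", "")
        location = params.get(f"authInfoAccessADLocation_{i}", "")
        enabled = params.get(f"authInfoAccessADEnable_{i}") == "true"
        if method not in (OCSP, CA_ISSUERS):
            problems.append(f"entry {i}: unexpected method OID {method!r}")
        if enabled and method == CA_ISSUERS and not location:
            problems.append(f"entry {i}: caIssuers entry has no URL")
    return problems
```

Calling `check_aia(parse_params(open(path).read()))` on the edited profile file returns the same kind of list.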
