Yes...

pki-ca-10.5.9-13.el7_6.noarch
CentOS

*Regarding the PolicyQualifiers0 in the debug log*

[24/Apr/2019:13:10:50][http-bio-8443-exec-1]: CAProcessor: - policyQualifiers: PoliciesExt.num:1^M
PoliciesExt.certPolicy0.enable:true^M
PoliciesExt.certPolicy0.policyId:1.3.6.1.4.1.6.1.1.1.1^M
PoliciesExt.certPolicy0.PolicyQualifiers.num:1^M
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable:true^M
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value:http://url.com/^M
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable:false^M
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization:^M
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers:^M
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value:^M

As I told you, in this case, it looks like DISABLED, but in the configuration file it is ENABLED. That's what confuses me there...

*On the other hand, in the CS.cfg file, regarding that policy, look at this.*

ca.Policy.rule.CertificatePoliciesExt.certPolicy0.cpsURI=
ca.Policy.rule.CertificatePoliciesExt.certPolicy0.noticeRefNumbers=
ca.Policy.rule.CertificatePoliciesExt.certPolicy0.noticeRefOrganization=
ca.Policy.rule.CertificatePoliciesExt.certPolicy0.policyId=
ca.Policy.rule.CertificatePoliciesExt.certPolicy0.userNoticeExplicitText=
ca.Policy.rule.CertificatePoliciesExt.critical=true
ca.Policy.rule.CertificatePoliciesExt.enable=true
ca.Policy.rule.CertificatePoliciesExt.implName=CertificatePoliciesExt
ca.Policy.rule.CertificatePoliciesExt.numCertPolicies=1
ca.Policy.rule.CertificatePoliciesExt.predicate=

The Critical and the Enable were disabled by default, but I enabled them, restarted the service, and I even rebooted the whole server, but nothing yet.

Jonathan Montero
IT Professional | IT Trainer
M: 809-609-3003
S: tuxmontero
E: jmr...@gmail.com
A: Santo Domingo, DR
jonathanmontero.com
<https://www.linkedin.com/in/monterojonathan>
<https://twitter.com/tuxmontero>
<https://www.facebook.com/jmrxto>
<https://github.com/tuxmontero>

On Wed, Apr 24, 2019 at 3:31 PM Marc Sauton <msau...@redhat.com> wrote:

> I see nothing that seems incorrect in your configurations, I will try a
> test, meanwhile, could you indicate the exact RHEL or Fedora versions and
> rpm -q pki-ca ?
> and are there any other related debug log entries? (like about
> PolicyQualifiers0.usernotice.enable )
> Thanks,
> M.
>
> On Wed, Apr 24, 2019 at 10:19 AM Jonathan Montero <jmr...@gmail.com> wrote:
>
>> Hi, thanks for your answer
>>
>> - in the profile, that policyset.caCertSet.list has p7 *DONE*
>> - the CA was restarted after the custom profile changes *DONE*
>> - debug log *DONE?*
>> [24/Apr/2019:12:45:33][http-bio-8443-exec-1]: RequestProcessor: profileId=caClase1
>> [24/Apr/2019:12:46:29][localhost-startStop-1]: Start Profile Creation - caClase1 caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
>> [24/Apr/2019:12:46:29][localhost-startStop-1]: Done Profile Creation - caClase1
>> [24/Apr/2019:12:46:29][localhost-startStop-1]: Registered Confirmation - caClase1
>>
>> Also looked for more logs...
>> I see an XML section; for some reason I see this in the XML
>> <description>This default populates a Certificate Policies Extension to the request. The default values are Criticality=true, {PoliciesExt.num:1,{Enable:true,Policy Id:1.3.6.1.4.1.6.1.1.1.1,PolicyQualifiers.num:,{CPSuri Enable:true,UserNotice Enable:true,UserNoticeReference Organization:Company text Here,UserNoticeReference Numbers:1,UserNoticeReference Explicit Text:Some Text Here,CPS uri:http://url.com/}}}</description>
>>
>> *BUTTTTT, if I go down in the file I see*
>> PoliciesExt.certPolicy0.enable:true
>> PoliciesExt.certPolicy0.policyId:1.3.6.1.4.1.6.1.1.1.1
>> PoliciesExt.certPolicy0.PolicyQualifiers.num:1
>> PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable:true
>> PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value:http://url.com/
>> PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable:*false*
>> PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization:
>> PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers:
>> PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value:
>>
>> *The last 3 lines are EMPTY.*
>>
>> Jonathan Montero
>> IT Professional | IT Trainer
>> M: 809-609-3003
>> S: tuxmontero
>> E: jmr...@gmail.com
>> A: Santo Domingo, DR
>> jonathanmontero.com
>> <https://www.linkedin.com/in/monterojonathan>
>> <https://twitter.com/tuxmontero>
>> <https://www.facebook.com/jmrxto>
>> <https://github.com/tuxmontero>
>>
>> On Wed, Apr 24, 2019 at 12:26 PM Marc Sauton <msau...@redhat.com> wrote:
>>
>>> make sure:
>>> - in the profile, that policyset.caCertSet.list has p7
>>> - the CA was restarted after the custom profile changes
>>> - a review of the CA debug log, the profile you modified should be
>>> listed after a restart as, for example:
>>> [14/Feb/2019:00:30:49][localhost-startStop-1]: added plugin profile caServerCertEnrollImpl Server Certificate Enrollment Profile Certificate Authority Server Certificate Enrollment Profile com.netscape.cms.profile.common.ServerCertCAEnrollProfile
>>> [14/Feb/2019:00:31:43][localhost-startStop-1]: added plugin profile caServerCertEnrollImpl Server Certificate Enrollment Profile Certificate Authority Server Certificate Enrollment Profile com.netscape.cms.profile.common.ServerCertCAEnrollProfile
>>> [14/Feb/2019:00:31:45][localhost-startStop-1]: Start Profile Creation - caServerCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
>>> [14/Feb/2019:00:31:45][localhost-startStop-1]: Done Profile Creation - caServerCert
>>> [14/Feb/2019:00:31:45][localhost-startStop-1]: Registered Confirmation - caServerCert
>>> and between the "Start" and "Done", there should be the details of the
>>> profile, with string "BasicProfile: createProfilePolicy" and more info
>>> - review the same debug log after enrollment, for more details.
>>> Thanks,
>>> Marc S.
>>>
>>> On Tue, Apr 23, 2019 at 9:23 PM Jonathan Montero <jmr...@gmail.com> wrote:
>>>
>>>> Hi, I'm having an issue regarding the certificate policies.
>>>>
>>>> It is as follows...
>>>>
>>>> policyset.caCertSet.p7.constraint.class_id=noConstraintImpl
>>>> policyset.caCertSet.p7.constraint.name=No Constraint
>>>> policyset.caCertSet.p7.default.class_id=certificatePoliciesExtDefaultImpl
>>>> policyset.caCertSet.p7.default.name=Certificate Policies Extension Default
>>>> policyset.caCertSet.p7.default.params.Critical=true
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.num=1
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.enable=true
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://url.com/
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=true
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=Some Text Here
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=1
>>>> policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=Company text Here
>>>>
>>>> So, with this configuration I don't get all the results I want, don't know
>>>> why....
>>>>
>>>> I obtain
>>>> policyId=1.3.6.1.4.1.6.1.1.1.1
>>>>
>>>> Also
>>>> CPSURI.value=http://url.com/
>>>>
>>>> But can't get the explicitText.value and organization...
>>>>
>>>> For some reason, those 2 latter options don't appear in the certificate.
>>>>
>>>> What could this be?

_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
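
The comparison made by hand in this thread (profile parameters versus the values the CA debug log shows), as an added example that is not part of the original messages or of Dogtag PKI: it parses both views and lists every PoliciesExt parameter whose value differs. The sample inputs are constructed from the lines quoted above, and the function names are hypothetical.

```python
import re

PREFIX = "policyset.caCertSet.p7.default.params."  # p7 policy from the thread
# Constructed sample: profile parameters as posted in the thread (wraps rejoined).
PROFILE_CFG = """\
policyset.caCertSet.p7.default.params.PoliciesExt.num=1
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.enable=true
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.policyId=1.3.6.1.4.1.6.1.1.1.1
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=http://url.com/
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=true
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=Some Text Here
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=1
policyset.caCertSet.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=Company text Here
"""
# Constructed sample: the debug-log dump quoted in the thread, "^M" markers kept.
DEBUG_LOG = """\
PoliciesExt.num:1^M
PoliciesExt.certPolicy0.enable:true^M
PoliciesExt.certPolicy0.policyId:1.3.6.1.4.1.6.1.1.1.1^M
PoliciesExt.certPolicy0.PolicyQualifiers.num:1^M
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable:true^M
PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value:http://url.com/^M
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable:false^M
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization:^M
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers:^M
PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value:^M
"""

def parse_profile(text, prefix=PREFIX):
    """Return {param: value} for key=value lines under the profile prefix."""
    pairs = (line.strip().partition("=") for line in text.splitlines())
    return {k[len(prefix):]: v.strip() for k, sep, v in pairs
            if sep and k.startswith(prefix)}

def parse_debug(text):
    """Return {param: value} from 'PoliciesExt...:value' debug-log lines."""
    pat = re.compile(r"(PoliciesExt\.[\w.]+):(.*?)(?:\^M)?$")
    hits = (pat.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in hits if m}

def diff(profile, loaded):
    """List (param, configured, logged) for every parameter that disagrees."""
    keys = sorted(set(profile) | set(loaded))
    return [(k, profile.get(k), loaded.get(k)) for k in keys
            if profile.get(k) != loaded.get(k)]

if __name__ == "__main__":
    for row in diff(parse_profile(PROFILE_CFG), parse_debug(DEBUG_LOG)): print(row)
```

On the sample data this reports the three usernotice values that are set in the profile but empty in the log, the usernotice.enable flag that differs, and PolicyQualifiers.num, which the log shows but the posted profile does not set.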