This is the ipa ticket:
https://fedorahosted.org/freeipa/ticket/3074 Add CRL and OCSP CNAME to certificate profile
Possible changes - need to confirm with rcrit and awnuk:
Old:

policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=

policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
policyset.serverCertSet.9.default.params.crlDistPointsNum=1
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=https://ipa.example.com/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
New ?:

policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=ocsp-ipa.example.com

policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
policyset.serverCertSet.9.default.params.crlDistPointsNum=2
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=https://ipa-ocsp.example.com/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
policyset.serverCertSet.9.default.params.crlDistPointsEnable_1=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_1=
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_1=
policyset.serverCertSet.9.default.params.crlDistPointsPointName_1=https://ipa.example.com/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_1=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_1=
OK --
So here are the new diffs:
For AIA (ocsp):
Old:

policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1

New:

policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ocsp-ipa.example.com/ca/ocsp
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_1=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_1=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_1=
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_1=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=2
For CRLDP:
Old:

policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
policyset.serverCertSet.9.default.params.crlDistPointsNum=1
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=https://vm-107.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=

New:

policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
policyset.serverCertSet.9.default.params.crlDistPointsNum=2
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=https://ipa-ocsp.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
policyset.serverCertSet.9.default.params.crlDistPointsEnable_1=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_1=CN=Certificate Authority,o=ipaca
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_1=DirectoryName
policyset.serverCertSet.9.default.params.crlDistPointsPointName_1=https://vm-107.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_1=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_1=
Also, the CRLDP does not show up currently in the IPA certs because the list of extensions to be included:
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,10
does not include policy 9. We will need to change this in the policy, but this will also require changes in the ipa install code because this list is parsed there.
The above changes create a cert that looks like:
Certificate:
    Data:
        Version: v3
        Serial Number: 0xFFE0008
        Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
        Issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
        Validity:
            Not Before: Monday, October 29, 2012 3:52:47 PM EDT America/New_York
            Not After: Thursday, October 30, 2014 3:52:47 PM EDT America/New_York
        Subject: CN=vm-065.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
        Subject Public Key Info:
            Algorithm: RSA - 1.2.840.113549.1.1.1
            Public Key:
                Exponent: 65537
                Public Key Modulus: (2048 bits [...]
        Extensions:
            Identifier: Authority Key Identifier - 2.5.29.35
                Critical: no
                Key Identifier:
                    A4:C5:A9:81:66:47:D5:FA:0B:45:11:41:A7:16:F0:E4:
                    11:62:34:06
            Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
                Critical: no
                Access Description:
                    Method #0: ocsp
                    Location #0: URIName: http://ocsp-ipa.example.com/ca/ocsp
                    Method #1: ocsp
                    Location #1: URIName: http://vm-107.idm.lab.bos.redhat.com:80/ca/ocsp
            Identifier: Key Usage: - 2.5.29.15
                Critical: yes
                Key Usage:
                    Digital Signature
                    Non Repudiation
                    Key Encipherment
                    Data Encipherment
            Identifier: Extended Key Usage: - 2.5.29.37
                Critical: no
                Extended Key Usage:
                    1.3.6.1.5.5.7.3.1
                    1.3.6.1.5.5.7.3.2
            Identifier: Subject Key Identifier - 2.5.29.14
                Critical: no
                Key Identifier:
                    5C:20:4C:EA:E5:FE:9C:E5:F9:1D:11:38:3E:9F:3F:3D:
                    64:F7:76:DB
            Identifier: CRL Distribution Points - 2.5.29.31
                Critical: no
                Number of Points: 2
                Point 0
                    Distribution Point: [URIName: https://ipa-ocsp.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin]
                    CRL Issuer: [CN=Certificate Authority,O=ipaca]
                Point 1
                    Distribution Point: [URIName: https://vm-107.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin]
                    CRL Issuer: [CN=Certificate Authority,O=ipaca]
    Signature:
        Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
        Signature: [...]
    FingerPrint
        MD2:
            18:9B:3D:1F:20:C5:49:D1:75:65:1C:06:EF:23:EC:38
        MD5:
            79:2F:38:9B:78:52:21:37:85:CD:87:84:15:3C:B5:8C
        SHA1:
            71:17:0A:9B:F4:EF:7C:77:EF:59:41:E3:17:65:DD:8D:
            33:21:9E:D2
        SHA256:
            99:DC:09:FA:A6:2D:20:8C:61:2F:1D:C6:41:57:64:12:
            44:2F:5E:46:74:AF:4A:E3:BD:66:DB:CC:76:6F:02:54
        SHA512:
            33:BE:16:8C:B4:65:51:6D:01:E7:EA:98:DB:59:6C:ED:
            8A:73:BA:6A:CB:74:EE:ED:55:DC:3A:BB:01:27:5B:05:
            E6:C7:FA:B0:51:B0:31:9C:F6:3F:2F:57:87:0D:24:A7:
            F3:E6:F2:D2:A1:8E:BC:7B:D0:59:1B:05:66:6A:CE:C2
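The comment above points at two ways a profile edit like this can silently produce certificates without the intended revocation pointers: policy 9 is not in `policyset.serverCertSet.list`, so the CRLDP default is never evaluated, and an access-description or distribution-point slot can be enabled while its location is still blank (as `authInfoAccessADLocation_1` is in the "New" AIA fragment until the installer fills it in). The following checker is an added example written for this ticket, not code from Dogtag or FreeIPA. It parses a properties-style profile fragment and reports both conditions. The sample profile is constructed from the "New" fragments above; the `class_id` `authInfoAccessExtDefaultImpl` for policy 5 is assumed (the ticket only quotes the CRLDP class), and nothing here is Dogtag's own parsing code.

```python
"""Consistency check for AIA / CRLDP params in a Dogtag certificate profile."""
import re

# Constructed sample: the "New" AIA and CRLDP fragments from the ticket, with the
# unchanged policyset list. The policy 5 class_id is an assumption for this example.
SAMPLE_PROFILE = """
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,10
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=2
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ocsp-ipa.example.com:80/ca/ocsp
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_1=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_1=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_1=
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_1=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.9.default.params.crlDistPointsNum=2
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=https://ipa-ocsp.example.com/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsEnable_1=true
policyset.serverCertSet.9.default.params.crlDistPointsPointType_1=URIName
policyset.serverCertSet.9.default.params.crlDistPointsPointName_1=https://ipa.example.com/ipa/crl/MasterCRL.bin
"""

# Extension defaults whose params follow the "<count key>, <enable>_<i>, <location>_<i>"
# layout. The AIA class_id is assumed; the CRLDP one is quoted in the ticket.
COUNTED_EXTENSIONS = {
    "authInfoAccessExtDefaultImpl":
        ("authInfoAccessNumADs", "authInfoAccessADEnable_", "authInfoAccessADLocation_"),
    "crlDistributionPointsExtDefaultImpl":
        ("crlDistPointsNum", "crlDistPointsEnable_", "crlDistPointsPointName_"),
}


def parse_profile(text):
    """Parse key=value profile lines into a dict, skipping blanks and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_policyset(props, policyset="serverCertSet"):
    """Return a list of findings (empty list means the policyset is consistent)."""
    findings = []
    prefix = f"policyset.{policyset}."
    listed = {p for p in props.get(prefix + "list", "").split(",") if p}
    class_re = re.compile(re.escape(prefix) + r"(\d+)\.default\.class_id$")
    defined = {}
    for key, value in props.items():
        m = class_re.match(key)
        if m:
            defined[m.group(1)] = value

    for pid in sorted(defined, key=int):
        # A policy that is defined but not listed is never evaluated by the CA.
        if pid not in listed:
            findings.append(f"policy {pid} ({defined[pid]}) is defined but absent "
                            f"from {prefix}list; it will not be applied")
        spec = COUNTED_EXTENSIONS.get(defined[pid])
        if spec is None:
            continue
        num_key, enable_key, loc_key = spec
        params = f"{prefix}{pid}.default.params."
        declared = int(props.get(params + num_key) or 0)
        # Each slot below the declared count must carry a location if enabled.
        for i in range(declared):
            enabled = props.get(f"{params}{enable_key}{i}", "false").lower() == "true"
            if enabled and not props.get(f"{params}{loc_key}{i}", ""):
                findings.append(f"policy {pid}: entry {i} is enabled but {loc_key}{i} is empty")
        # Slots numbered at or beyond the declared count are ignored entirely.
        for key, value in props.items():
            if key.startswith(params + enable_key):
                idx = int(key[len(params + enable_key):])
                if idx >= declared and value.lower() == "true":
                    findings.append(f"policy {pid}: entry {idx} is enabled but "
                                    f"{num_key}={declared} excludes it")
    return findings


if __name__ == "__main__":
    for finding in check_policyset(parse_profile(SAMPLE_PROFILE)):
        print(finding)
```

Run against the sample, the checker reports exactly the two problems the comment describes: policy 9 is missing from the list, and AIA entry 1 is enabled with an empty location. Re-running it after adding 9 to the list and filling in the second OCSP URL returns no findings, which is the state to confirm before the installer or upgrade script hands the profile to the CA.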
Moving to rc1. Changes required are provided to IPA. However, these need to be co-ordinated with changes in IPA.
For symmetry, use:

policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ocsp-ipa.example.com:80/ca/ocsp
It has been decided that any changes to the profile will be handled by the IPA install/upgrade scripts, as the code needs to be written for upgrade in any case.
Therefore closing this ticket as nothing is required for dogtag to change here. IPA to reopen if needed.
Metadata Update from @vakwetu: - Issue assigned to vakwetu - Issue set to the milestone: 10.0.0-0.X.rc1
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/929
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.