#358 Add CRL and OCSP CNAME to ipa certificate profile
Closed: Fixed. Opened 11 years ago by vakwetu.

This is the ipa ticket:

https://fedorahosted.org/freeipa/ticket/3074
Add CRL and OCSP CNAME to certificate profile


Possible changes - need to confirm with rcrit and awnuk:

Old:

policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=

policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
policyset.serverCertSet.9.default.params.crlDistPointsNum=1
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=https://ipa.example.com/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=

New?:

policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=ocsp-ipa.example.com

policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
policyset.serverCertSet.9.default.params.crlDistPointsNum=2
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=https://ipa-ocsp.example.com/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
policyset.serverCertSet.9.default.params.crlDistPointsEnable_1=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_1=
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_1=
policyset.serverCertSet.9.default.params.crlDistPointsPointName_1=https://ipa.example.com/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_1=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_1=

OK --

So here are the new diffs:

For AIA (ocsp):

Old:
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1

New:
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ocsp-ipa.example.com/ca/ocsp
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_1=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_1=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_1=
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_1=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=2

For CRLDP:

Old:
policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
policyset.serverCertSet.9.default.params.crlDistPointsNum=1
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=https://vm-107.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=

New:
policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
policyset.serverCertSet.9.default.params.crlDistPointsNum=2
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=https://ipa-ocsp.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
policyset.serverCertSet.9.default.params.crlDistPointsEnable_1=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_1=CN=Certificate Authority,o=ipaca
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_1=DirectoryName
policyset.serverCertSet.9.default.params.crlDistPointsPointName_1=https://vm-107.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_1=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_1=

Also, the CRLDP does not show up currently in the IPA certs because the list of extensions to be included:

policyset.serverCertSet.list=1,2,3,4,5,6,7,8,10

does not include policy 9. We will need to change this in the policy, but this will also require changes in the ipa install code because this list is parsed there.

The above changes create a cert that looks like:

Certificate: 
    Data: 
        Version:  v3
        Serial Number: 0xFFE0008
        Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
        Issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
        Validity: 
            Not Before: Monday, October 29, 2012 3:52:47 PM EDT America/New_York
            Not  After: Thursday, October 30, 2014 3:52:47 PM EDT America/New_York
        Subject: CN=vm-065.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
        Subject Public Key Info: 
            Algorithm: RSA - 1.2.840.113549.1.1.1
            Public Key: 
                Exponent: 65537
                Public Key Modulus: (2048 bits) :
                    C7:5E:46:51:68:E2:5A:74:B7:74:4C:18:84:5A:AB:DF:
                    60:61:42:7F:1D:A7:10:62:09:D9:CC:59:36:47:51:BD:
                    17:F2:F0:06:27:11:69:64:27:52:E1:3B:3E:DB:CB:8D:
                    0B:54:C8:0E:D8:D5:FD:E8:BA:0D:4C:17:91:2C:9D:21:
                    3E:93:54:DE:A2:57:8C:E7:88:89:AE:85:4C:BA:8F:0C:
                    6F:21:F3:AF:F7:B8:FD:9A:C8:C2:EF:8D:07:50:16:57:
                    E8:E9:71:23:60:1C:14:FA:45:4D:FD:9E:C2:9C:73:FF:
                    B8:C9:E3:5B:21:E6:69:07:15:50:26:FA:2C:9B:C6:AA:
                    7A:D6:A8:25:B1:9D:26:57:BE:B6:1E:59:CD:6B:D5:B5:
                    1B:1E:60:16:C7:45:04:64:85:AE:C3:44:F8:4F:9B:D1:
                    64:13:1F:3A:B4:44:6D:6F:DD:71:9D:30:35:26:76:3C:
                    7E:17:C5:9D:74:D0:26:2A:E5:6C:C0:F7:4C:4F:14:C8:
                    F4:EB:4C:01:51:C7:31:C9:BC:09:F3:04:37:6A:5D:B5:
                    E5:90:16:D9:F9:91:F6:C4:A5:3F:F3:21:AF:18:B5:2B:
                    BD:32:90:E9:17:79:D5:BB:F6:7E:9F:1F:4F:96:6F:21:
                    56:3A:CA:FD:11:02:EB:B9:37:FA:81:77:21:03:99:C5
        Extensions: 
            Identifier: Authority Key Identifier - 2.5.29.35
                Critical: no 
                Key Identifier: 
                    A4:C5:A9:81:66:47:D5:FA:0B:45:11:41:A7:16:F0:E4:
                    11:62:34:06
            Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
                Critical: no 
                Access Description: 
                    Method #0: ocsp
                    Location #0: URIName: http://ocsp-ipa.example.com/ca/ocsp
                    Method #1: ocsp
                    Location #1: URIName: http://vm-107.idm.lab.bos.redhat.com:80/ca/ocsp
            Identifier: Key Usage: - 2.5.29.15
                Critical: yes 
                Key Usage: 
                    Digital Signature 
                    Non Repudiation 
                    Key Encipherment 
                    Data Encipherment 
            Identifier: Extended Key Usage: - 2.5.29.37
                Critical: no 
                Extended Key Usage: 
                    1.3.6.1.5.5.7.3.1
                    1.3.6.1.5.5.7.3.2
            Identifier: Subject Key Identifier - 2.5.29.14
                Critical: no 
                Key Identifier: 
                    5C:20:4C:EA:E5:FE:9C:E5:F9:1D:11:38:3E:9F:3F:3D:
                    64:F7:76:DB
            Identifier: CRL Distribution Points - 2.5.29.31
                Critical: no 
                Number of Points: 2
                Point 0
                    Distribution Point: [URIName: https://ipa-ocsp.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin]
                    CRL Issuer: [CN=Certificate Authority,O=ipaca]
                Point 1
                    Distribution Point: [URIName: https://vm-107.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin]
                    CRL Issuer: [CN=Certificate Authority,O=ipaca]
    Signature: 
        Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
        Signature: 
            48:5B:3E:0F:BD:05:23:36:61:71:1A:7D:53:B7:A1:F2:
            E0:03:69:7A:61:96:5F:D7:25:6E:83:E9:6C:4A:E9:C5:
            57:E0:9E:0E:B8:49:BC:54:B6:D2:67:9F:14:0B:34:0F:
            58:BE:A7:67:4C:69:FF:9F:38:62:B6:81:BD:59:FA:D8:
            EA:D6:E5:6A:36:32:C8:70:CC:32:D9:3D:DE:68:E1:53:
            F2:E5:51:41:56:96:35:D7:51:2D:E9:11:69:EF:46:D4:
            DA:B0:6E:1B:91:1B:FC:7E:35:E9:A8:EE:7D:9A:80:79:
            C9:DD:DE:2C:B7:35:89:89:71:4D:6C:8E:29:41:DC:54:
            2A:F6:CE:21:F1:20:19:03:AC:EC:D6:5F:83:19:83:E9:
            B1:9D:90:58:D6:CD:05:67:53:F0:FA:1A:26:CA:CA:15:
            AF:78:DA:4B:19:79:7B:6C:F2:A4:F2:80:D5:F8:00:7C:
            1D:4B:D8:DC:3A:7B:26:EC:C6:A5:69:36:DB:9D:65:57:
            D1:89:8A:0A:EB:B9:70:59:65:D5:EB:2B:A6:BB:BE:3F:
            CD:9C:7D:02:DB:AE:36:29:58:07:77:98:7A:F8:61:5F:
            2F:D4:E5:A3:A1:E8:C8:17:CF:7F:DB:28:8D:EE:EA:92:
            97:F8:29:1B:54:7D:74:4D:D5:8D:87:C6:70:48:3D:D3
    FingerPrint
        MD2:
            18:9B:3D:1F:20:C5:49:D1:75:65:1C:06:EF:23:EC:38
        MD5:
            79:2F:38:9B:78:52:21:37:85:CD:87:84:15:3C:B5:8C
        SHA1:
            71:17:0A:9B:F4:EF:7C:77:EF:59:41:E3:17:65:DD:8D:
            33:21:9E:D2
        SHA256:
            99:DC:09:FA:A6:2D:20:8C:61:2F:1D:C6:41:57:64:12:
            44:2F:5E:46:74:AF:4A:E3:BD:66:DB:CC:76:6F:02:54
        SHA512:
            33:BE:16:8C:B4:65:51:6D:01:E7:EA:98:DB:59:6C:ED:
            8A:73:BA:6A:CB:74:EE:ED:55:DC:3A:BB:01:27:5B:05:
            E6:C7:FA:B0:51:B0:31:9C:F6:3F:2F:57:87:0D:24:A7:
            F3:E6:F2:D2:A1:8E:BC:7B:D0:59:1B:05:66:6A:CE:C2
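
As an added example (not code from this ticket, from Dogtag or from the FreeIPA install scripts the comment refers to), the script below performs the edit the comment describes on a profile fragment: it prepends a CNAME-based location to the AIA series of policy 5 and the CRLDP series of policy 9, shifts the existing per-host entries to index 1 exactly as in the "New" listings above, bumps the `NumADs`/`crlDistPointsNum` counters, and adds 9 to `policyset.serverCertSet.list`. The sample profile, the function names and the CNAME host names are constructed for the example; the only facts taken from the ticket are the parameter names, the class ids and the observation that an extension is only emitted when its policy id is in the list.

```python
"""Added example: rewrite a Dogtag profile fragment so AIA (policy 5) and
CRLDP (policy 9) carry a CNAME location ahead of the per-host one, and put
policy 9 into the policyset list.  Standard library only."""
import re

PREFIX = "policyset.serverCertSet"

# Constructed sample modelled on the fragments in this ticket, not a real
# caIPAserviceCert profile; the vm-107 host name is a placeholder.
SAMPLE_PROFILE = """\
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,10
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://vm-107.idm.lab.bos.redhat.com:80/ca/ocsp
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
policyset.serverCertSet.9.default.params.crlDistPointsNum=1
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=https://vm-107.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
"""


def parse_profile(text):
    """'key=value' lines -> insertion-ordered dict.  A value may itself contain
    '=' (an LDAP DN, for instance), so split only on the first one."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key] = value
    return props


def render_profile(props):
    return "".join(f"{key}={value}\n" for key, value in props.items())


def prepend_indexed(props, params, count_key, new_entry):
    """Make new_entry index 0 of the '<params>.<field>_<n>' series, shift the
    existing entries up by one and bump count_key.  The entry must supply
    exactly the fields the profile uses: a missing '...Enable_0=true' would
    otherwise silently drop the new location from issued certificates."""
    pat = re.compile(rf"^{re.escape(params)}\.([A-Za-z]+)_(\d+)$")
    fields = {m.group(1) for m in map(pat.match, props) if m and m.group(2) == "0"}
    if fields != set(new_entry):
        raise ValueError(f"entry fields {sorted(new_entry)} != profile fields {sorted(fields)}")
    if count_key not in props:
        raise ValueError(f"missing counter {count_key}")
    out, inserted = {}, False
    for key, value in props.items():
        m = pat.match(key)
        if m is None:
            out[key] = value
            continue
        if not inserted:  # the new entry takes the place of the old _0 lines
            for field, val in new_entry.items():
                out[f"{params}.{field}_0"] = val
            inserted = True
        out[f"{params}.{m.group(1)}_{int(m.group(2)) + 1}"] = value
    out[count_key] = str(int(props[count_key]) + 1)
    return out


def enable_policy(props, policy):
    """Put a policy id into the policyset list, which is what decides whether
    its extension is emitted at all; keep numeric order, refuse undefined ids."""
    if f"{PREFIX}.{policy}.default.class_id" not in props:
        raise ValueError(f"policy {policy} is not defined in the profile")
    key = f"{PREFIX}.list"
    ids = sorted({int(i) for i in props[key].split(",") if i} | {policy})
    props[key] = ",".join(map(str, ids))


def apply_cname_locations(text, ocsp_uri, crl_uri, crl_issuer):
    """The change discussed in the ticket: CNAME locations first, per-host
    locations second, CRLDP policy enabled."""
    props = parse_profile(text)
    aia = f"{PREFIX}.5.default.params"
    props = prepend_indexed(props, aia, f"{aia}.authInfoAccessNumADs", {
        "authInfoAccessADEnable": "true",
        "authInfoAccessADLocationType": "URIName",
        "authInfoAccessADLocation": ocsp_uri,
        "authInfoAccessADMethod": "1.3.6.1.5.5.7.48.1",  # id-ad-ocsp
    })
    crldp = f"{PREFIX}.9.default.params"
    props = prepend_indexed(props, crldp, f"{crldp}.crlDistPointsNum", {
        "crlDistPointsEnable": "true",
        "crlDistPointsIssuerName": crl_issuer,
        "crlDistPointsIssuerType": "DirectoryName",
        "crlDistPointsPointName": crl_uri,
        "crlDistPointsPointType": "URIName",
        "crlDistPointsReasons": "",
    })
    enable_policy(props, 9)
    return props


if __name__ == "__main__":
    print(render_profile(apply_cname_locations(
        SAMPLE_PROFILE, "http://ocsp-ipa.example.com:80/ca/ocsp",
        "https://ipa-ocsp.example.com/ipa/crl/MasterCRL.bin",
        "CN=Certificate Authority,o=ipaca")), end="")
```

Two checks in the script are the ones that matter in practice: `prepend_indexed` refuses an entry that does not cover every `_0` field of the series, because Dogtag treats each indexed group as a unit and a group without `Enable_n=true` is simply skipped, and `enable_policy` refuses an id without a `default.class_id`, since listing an undefined policy is what an upgrade script is most likely to get wrong when it rewrites `policyset.serverCertSet.list`.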

Moving to rc1. Changes required are provided to IPA. However, these need to be co-ordinated with changes in IPA.

For symmetry, use:

policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ocsp-ipa.example.com:80/ca/ocsp

It has been decided that any changes to the profile will be handled by the IPA install/upgrade scripts -- as the code needs to be written for upgrade in any case.

Therefore closing this ticket as nothing is required for dogtag to change here. IPA to reopen if needed.

Metadata Update from @vakwetu:
- Issue assigned to vakwetu
- Issue set to the milestone: 10.0.0-0.X.rc1

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/929

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
