Nadeera, (CC'ing pki-devel)
Setting the number of intermediate CAs can be achieved by using "Basic Constraints Extension" [1] and setting the PathLen= to the required value. You need to set this extension on a CA profile and then issue a CA signing cert. You can't modify this value on an already issued CA cert.

Read more on how to add this constraint to a profile here [2].

[1] https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html-single/administration_guide_common_criteria_edition/index#Basic_Constraints_Extension_Default
[2] https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html-single/administration_guide_common_criteria_edition/index#about-extensions

Regards,
--Dinesh

On Fri, May 22, 2020 at 8:57 AM Nadeera Galagedara <nadeeragalaged...@yahoo.com> wrote:

> Dear Dinesh,
>
> I want another help from you. How can I change the "Maximum number of
> intermediate CAs: unlimited" value?
>
> On Friday, May 22, 2020, 10:57:45 AM GMT+5:30, Nadeera Galagedara
> <nadeeragalaged...@yahoo.com> wrote:
>
> Dear Dinesh,
>
> That is a great explanation. That problem is also solved.
> Again, thank you.
>
> On Wednesday, May 20, 2020, 08:27:56 PM GMT+5:30, Dinesh Prasanth
> Moluguwan Krishnamoorthy <dmolu...@redhat.com> wrote:
>
> Hi Nadeera,
>
> I'm glad I could resolve your issues.
>
> As for the friendly/nickname, these names are customizable based on the
> system you use and are not specified during the certificate issuance.
>
> For instance, when you specified
> "pki_ca_signing_nickname=mycompany_nickname" this nickname was used to
> import the CA system certificate in your PKI server's NSSDB. You can view
> this by doing `certutil -L -d /etc/pki/pki-tomcat/alias` and you should see
> the *mycompany_nickname* listed.
>
> I have very limited knowledge of handling certificates in Windows. From
> Googling around: you can try to *right-click on the certificate ->
> Properties -> "general" tab -> Set "Friendly Name"*.
>
> HTH
>
> Regards,
> --Dinesh
>
> On Wed, May 20, 2020 at 3:28 AM Nadeera Galagedara
> <nadeeragalaged...@yahoo.com> wrote:
>
> Dear Dinesh,
>
> Thank you for your support; it has been very helpful. I am using CentOS
> 7 and the version that came with it is 10.5. I am using that version. I
> think I have corrected the country (with c=LK). But I still have a problem
> with the nickname.
>
> I used the pki_ca_signing_nickname=mycompany_nickname line but still
> the friendly name shown on the Windows PC (I have imported the issued
> certificate to a Windows PC) has a format like <Common Name>'s
> <Organisation> ID. My requirement is to show the Friendly Name (as shown
> on the Windows PC) as "mycompany_nickname". I have attached a screenshot
> also. Please tell me what I did wrong.
>
> [image: Inline image]
>
> The full config is mentioned below.
>
> Step 1
>
> [CA]
> pki_admin_email=mycomp...@abc.lk
> pki_admin_name=caadmin
> pki_admin_nickname=caadmin
> pki_admin_password=Secret.123
> pki_admin_uid=caadmin
>
> pki_client_database_password=Secret.123
> pki_client_database_purge=False
> pki_client_pkcs12_password=Secret.123
>
> pki_ds_base_dn=dc=issueca,dc=mycompany,dc=lk
> pki_ds_database=ca2
> pki_ds_password=Secret.123
>
> pki_security_domain_name=mycompany_domain
> pki_token_password=Secret.123
>
> pki_external=True
> pki_external_step_two=False
>
> pki_ca_signing_subject_dn=cn=mycompany_cn,ou=mycompany_ou,o=mycompany_o,c=LK
> pki_ca_signing_csr_path=ca_signing.csr
>
> pki_ca_signing_nickname=mycompany_nickname
>
> pki_default_ocsp_uri=http://ocsp.mycompany.lk
>
> Step 2
>
> [CA]
> pki_admin_email=mycomp...@abc.lk
> pki_admin_name=caadmin
> pki_admin_nickname=caadmin
> pki_admin_password=Secret.123
> pki_admin_uid=caadmin
>
> pki_client_database_password=Secret.123
> pki_client_database_purge=False
> pki_client_pkcs12_password=Secret.123
>
> pki_ds_base_dn=dc=issueca,dc=mycompany,dc=lk
> pki_ds_database=ca2
> pki_ds_password=Secret.123
>
> pki_security_domain_name=mycompany_domain
> pki_token_password=Secret.123
>
> pki_external=True
> pki_external_step_two=True
>
> pki_ca_signing_csr_path=ca_signing.csr
> pki_ca_signing_cert_path=ca_signing.crt
>
> pki_ca_signing_nickname=mycompany_nickname
>
> pki_default_ocsp_uri=http://ocsp.mycompany.lk
>
> Thank you and best regards,
> Nadeera.
>
> On Wednesday, May 20, 2020, 03:29:15 AM GMT+5:30, Dinesh Prasanth
> Moluguwan Krishnamoorthy <dmolu...@redhat.com> wrote:
>
> Hi Nadeera,
>
> What version of Dogtag PKI are you trying to install? You are referring to
> PKI 10.5 docs. The latest release is 10.8.3.
>
> If you are using the latest packages, our docs are available in our
> upstream repo: https://github.com/dogtagpki/pki/tree/v10.8/docs
>
> (see inline reply)
>
> On Tue, May 19, 2020 at 9:22 AM Nadeera Galagedara
> <nadeeragalaged...@yahoo.com> wrote:
>
> Dear all,
>
> I am new to Dogtag and I am installing a sub CA using the method
> described in
> https://www.dogtagpki.org/wiki/PKI_10.5_Installing_CA_with_External_CA_Signing_Certificate
> . I want to know:
>
> 1) What is the parameter to change the *Friendly Name*
>
> We do not use "Friendly Name". Instead, we use "nickname".
> To configure the nickname for the CA signing certificate use:
> pki_ca_signing_nickname=
>
> 2) What is the parameter to change the *Country/Locality*
>
> This is set using subject dn. So, in your case specify the Country using
> this attribute: pki_ca_signing_subject_dn=
>
> 3) Where (a page link) I can find details about each of these
> configuration parameters.
>
> I don't have a page that explains all the config parameters. But, I do
> have a page that can give you a list of parameters that you can use (since
> you mentioned 10.5, I'm listing the contents of 10.5 branch. Refer to the
> appropriate branch for an updated list)
>
> https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_BRANCH/base/server/etc/default.cfg
>
> HTH
>
> Regards,
> --Dinesh
>
> Thank you.
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
_______________________________________________
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
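
What the PathLen value in the reply above does to chain validation, shown with plain openssl rather than Dogtag (an added example, not part of the original thread): a constructed chain in which the sub CA carries `pathlen:N`, verified once for a leaf it issues directly and once for a leaf issued by a further CA below it. All file and subject names are made up for the demo.

```shell
#!/usr/bin/env bash
# Added example: throwaway chain  root -> sub (pathlen:N) -> subsub -> leaf.
# Every name and file here is constructed for the demo.
set -eu

# pathlen_demo <N>: prints "direct=<ok|rejected> deep=<ok|rejected>"
pathlen_demo() (
  plen="$1"; dir="$(mktemp -d)"; trap 'rm -rf "$dir"' EXIT; cd "$dir"
  cat > x.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[subca]
basicConstraints = critical,CA:TRUE,pathlen:$plen
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
EOF
  issue() {   # issue <name> <issuer> <extension section in x.cnf>
    openssl req -new -config x.cnf -newkey rsa:2048 -nodes \
      -keyout "$1.key" -out "$1.csr" -subj "/CN=Demo $1" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
      -CAcreateserial -extfile x.cnf -extensions "$3" -days 1 \
      -out "$1.crt" 2>/dev/null
  }
  openssl req -x509 -config x.cnf -extensions ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.crt -subj "/CN=Demo root" -days 1 2>/dev/null
  issue sub    root   subca   # the CA whose pathLen is under test
  issue subsub sub    ca      # a further intermediate CA below it
  issue leaf1  sub    leaf    # end-entity cert issued directly by sub
  issue leaf2  subsub leaf    # end-entity cert issued one CA deeper
  cat sub.crt subsub.crt > chain.pem
  check() {
    if openssl verify -CAfile root.crt -untrusted chain.pem "$1" >/dev/null 2>&1
    then echo ok; else echo rejected; fi
  }
  echo "direct=$(check leaf1.crt) deep=$(check leaf2.crt)"
)

pathlen_demo 0   # sub may issue end-entity certs only
pathlen_demo 1   # sub may have one more CA beneath it
```

To see the value an already issued CA certificate carries, such as the thread's `ca_signing.crt`, `openssl x509 -in ca_signing.crt -noout -text` prints it under "X509v3 Basic Constraints".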