[Pki-devel] [CRON] Errored: dogtagpki/pki-nightly-test#730 (master - 2a95153)

2020-05-29 Thread Travis CI
Build Update for dogtagpki/pki-nightly-test

Build: #730
Status: Errored

Duration: 14 mins and 3 secs
Commit: 2a95153 (master)
Author: Dinesh Prasanth M K
Message: Remove EOL F29 from matrix and add support for v10.8 branch

Signed-off-by: Dinesh Prasanth M K 

View the changeset: 
https://github.com/dogtagpki/pki-nightly-test/compare/1cec22733aad03cad1e589a08281f4a2db79ec90...2a95153102234446e6beb5d4074ae6eebd760fb3

View the full build log and details: 
https://travis-ci.org/github/dogtagpki/pki-nightly-test/builds/692557367?utm_medium=notification_source=email


___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] Configuration of Friendly Name and Country

2020-05-29 Thread Nadeera Galagedara
 Dear Dinesh,
I tried the method and still have the problem. I will tell you what I did; can 
you tell me where I went wrong?
My root CA has "Maximum number of intermediate CAs: unlimited" and now I am 
installing the issuing CA (which I use to issue certificates for clients). 
For the issuing CA, the maximum number of intermediate CAs should be zero. 
I basically followed the 
https://www.dogtagpki.org/wiki/PKI_10.5_Installing_CA_with_External_CA_Signing_Certificate
 steps (sent the CSR to the root CA and got back the signed certificate) and 
added the

policyset.caCertSet.5.default.name=Basic Constraints Extension Default
policyset.caCertSet.5.default.params.basicConstraintsCritical=true
policyset.caCertSet.5.default.params.basicConstraintsIsCA=true
policyset.caCertSet.5.default.params.basicConstraintsPathLen=0

lines to both the step 1 and step 2 config files and installed the issuing CA.
Then I went to the issuing CA's "SSL End Users Services" -> "Manual User 
Dual-Use Certificate Enrollment" and created a certificate. Then I went to 
Agent Services and approved that request.
I imported that certificate into the browser. But it still shows my issuing CA 
as "Maximum number of intermediate CAs: unlimited". 
Can you tell me what I did wrong?

On Friday, May 22, 2020, 11:27:29 PM GMT+5:30, Dinesh Prasanth Moluguwan 
Krishnamoorthy  wrote:  
 
 Nadeera,
(CC'ing pki-devel)
Setting the number of intermediate CAs can be achieved by using "Basic 
Constraints Extension" [1] and setting the PathLen= to the required value.
You need to set this extension on a CA profile and then issue a CA signing 
cert. You can't modify this value on an already issued CA cert. Read more on 
how to add this constraint to a profile here [2]

[1] https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html-single/administration_guide_common_criteria_edition/index#Basic_Constraints_Extension_Default
[2] https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html-single/administration_guide_common_criteria_edition/index#about-extensions

Regards,
--Dinesh

On Fri, May 22, 2020 at 8:57 AM Nadeera Galagedara 
 wrote:

  Dear Dinesh,
I want some more help from you. How can I change the "Maximum number of 
intermediate CAs: unlimited" value?

On Friday, May 22, 2020, 10:57:45 AM GMT+5:30, Nadeera Galagedara  wrote:  
 
  Dear Dinesh,
That is a great explanation. That problem is also solved. Again, 
thank you.

On Wednesday, May 20, 2020, 08:27:56 PM GMT+5:30, Dinesh Prasanth Moluguwan 
Krishnamoorthy  wrote:  
 
 Hi Nadeera,
I'm glad I could resolve your issues.
As for the friendly/nickname, these names are customizable based on the system 
you use and are not specified during the certificate issuance.
For instance, when you specified "pki_ca_signing_nickname=mycompany_nickname" 
this nickname was used to import the CA system certificate in your PKI server's 
NSSDB. You can view this by doing `certutil -L -d /etc/pki/pki-tomcat/alias` 
and you should see the mycompany_nickname listed.
I have very limited knowledge of handling certificates in Windows. From 
Googling around: you can try to right-click on the certificate -> Properties -> 
"General" tab -> Set "Friendly Name".  

HTH
Regards,
--Dinesh

On Wed, May 20, 2020 at 3:28 AM Nadeera Galagedara 
 wrote:

 Dear Dinesh,
Thank you for your support; it has been very helpful. I am using CentOS 7 and 
the version that came with it is 10.5. I am using that version. I think I have 
corrected the country (with c=LK). But I still have a problem with the 
nickname. 
I used the pki_ca_signing_nickname=mycompany_nickname line, but the 
friendly name shown on a Windows PC (I have imported the issued certificate to a 
Windows PC) is still in a format like 's  ID. My requirement is to 
show the Friendly Name (as shown on the Windows PC) as "mycompany_nickname". I 
have attached a screenshot also. Please tell me what I did wrong.




The full config is mentioned below

Step 1
[CA]
pki_admin_email=mycompany@abc.lk
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret.123
pki_admin_uid=caadmin
pki_client_database_password=Secret.123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123
pki_ds_base_dn=dc=issueca,dc=mycompany,dc=lk
pki_ds_database=ca2
pki_ds_password=Secret.123
pki_security_domain_name=mycompany_domain
pki_token_password=Secret.123
pki_external=True
pki_external_step_two=False
pki_ca_signing_subject_dn=cn=mycompany_cn,ou=mycompany_ou,o=mycompany_o,c=LK
pki_ca_signing_csr_path=ca_signing.csr
pki_ca_signing_nickname=mycompany_nickname
pki_default_ocsp_uri=http://ocsp.mycompany.lk


Step 2
[CA]
pki_admin_email=mycompany@abc.lk
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret.123
pki_admin_uid=caadmin
pki_client_database_password=Secret.123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123
pki_ds_base_dn=dc=issueca,dc=mycompany,dc=lk
pki_ds_database=ca2
pki_ds_password=Secret.123