Bug 442836 - Need sample profile with EKU for Microsoft smartcard login
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: Profile
unspecified
All Linux
high Severity low
Assigned To: Christina Fu
Chandrasekar Kannan
Depends On:
Blocks: 443788
Reported: 2008-04-17 01:43 EDT by Bob Lord
Modified: 2015-01-04 18:31 EST (History)

Doc Type: Bug Fix
Last Closed: 2009-07-22 19:28:32 EDT
Attachments
The profile example for MS login (11.10 KB, text/plain)
2009-02-26 20:33 EST, Christina Fu
The corresponding changes needed to register the new profile in CS.cfg (54.11 KB, text/plain)
2009-02-26 20:36 EST, Christina Fu

Description Bob Lord 2008-04-17 01:43:29 EDT
Description of problem:
I don't see a sample profile that contains the EKU OID for Microsoft smartcard
login.  The OID is 1.3.6.1.4.311.20.2.2

We should have a sample profile that people can use as a starting point for
their custom profiles.
Comment 2 Andrew Bartlett 2008-06-25 21:02:52 EDT
I need this for Samba4 testing with smart cards.  I have a developer who wants
to work on this feature (for Samba), but for me to test his work, I need to
set up a Dogtag CA for my test network.
Comment 4 Christina Fu 2009-02-26 20:33:20 EST
Created attachment 333419
The profile example for MS login
Comment 5 Christina Fu 2009-02-26 20:36:10 EST
Created attachment 333420
The corresponding changes needed to register the new profile in CS.cfg
Comment 6 Christina Fu 2009-02-26 20:39:58 EST
You will need patches from 
https://bugzilla.redhat.com/show_bug.cgi?id=481790
and
https://bugzilla.redhat.com/show_bug.cgi?id=487592
to work.

To activate,
* put this profile in <install dir>/profiles/ca
* modify the profile to match your env.  e.g. the basedn for ldap search, hostname and port, crl distribution point.
* update your CS.cfg to have the profile defs (if you are putting this in an existing installation). If you install new from the newest build, you will not need to do any mod here.
* update TPS's CS.cfg to have a profile pointing to this CA enroll profile,
e.g.
   op.enroll.userKey.keyGen.signing.ca.profileId=caTokenMSLoginEnrollment

NOTE:
It is assumed that you have populated the "upn" in user ldap entries.
Comment 7 Christina Fu 2009-02-26 22:15:22 EST
already reviewed by awnuk.

$ svn commit conf/CS.cfg profiles/ca/caTokenMSLoginEnrollment.cfg
Sending        conf/CS.cfg
Adding         profiles/ca/caTokenMSLoginEnrollment.cfg
Transmitting file data ..
Committed revision 258.
Comment 8 Jenny Galipeau 2009-06-18 13:40:46 EDT
Verified:

The following profile exists with Extended Key Usage

Certificate Profile Id: 	caTokenMSLoginEnrollment
Certificate Profile Name: 	Token User MS Login Certificate Enrollment
Description: 	This profile is for enrolling MS Login Certificate 

p15 	

This default populates an Extended Key Usage Extension () to the request. The default values are Criticality=false, OIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.4.1.311.20.2.2
	

No Constraint
