Created attachment 450882 [details]
debug log

Same thing when using unmodified DomainController.cfg profile.
I'm attaching relevant debug log.

The fix for the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=623452, turns out to include the solution this bug. It was needed to test the feature implemented in that bug for the CRLDistribtionPoint extension. Marking modified..

Jack, I don't have access to that bug. How do I fix this one? Is there any patch already for it? Thanks.

Hello: The portion of the patch  to the other bug that fixes this is here:

Index: base/util/src/netscape/security/x509/CRLDistributionPointsExtension.java
===================================================================
--- base/util/src/netscape/security/x509/CRLDistributionPointsExtension.java    (revision 1496)
+++ base/util/src/netscape/security/x509/CRLDistributionPointsExtension.java    (working copy)
@@ -74,6 +74,7 @@
         //throws IOException
     {
       try {
+
         this.extensionId = PKIXExtensions.CRLDistributionPoints_Id;
         this.critical = critical.booleanValue();
         this.extensionValue = (byte[])((byte[])value).clone();
@@ -169,6 +170,13 @@
     /////////////////////////////////////////////////////////////
     public static final String NAME = "CRLDistributionPoints";

+     static {
+         try {
+            OIDMap.addAttribute(CRLDistributionPointsExtension.class.getName(),
+                                OID, NAME);
+        } catch (CertificateException e) {}
+    }
+
     public String toString() {
         return NAME;
     }

Verified.

RHEL Version:
Red Hat Enterprise Linux Server release 5.6 (Tikanga)

RHCS Version:
[root@cs81box ~]# rpm -qa|grep pki- |sort
pki-ca-8.1.0-4.el5pki
pki-common-8.1.0-9.el5pki
pki-console-8.1.0-2.el5pki
pki-java-tools-8.1.0-3.el5pki
pki-kra-8.1.0-4.el5pki
pki-native-tools-8.1.0-2.el5pki
pki-ocsp-8.1.0-4.el5pki
pki-ra-8.1.0-5.el5pki
pki-selinux-8.1.0-2.el5pki
pki-setup-8.1.0-3.el5pki
pki-tks-8.1.0-4.el5pki
pki-tps-8.1.0-9.el5pki
pki-util-8.1.0-3.el5pki
redhat-pki-ca-ui-8.1.0-3.el5pki
redhat-pki-common-ui-8.1.0-2.el5pki
redhat-pki-console-ui-8.1.0-2.el5pki
redhat-pki-kra-ui-8.1.0-3.el5pki
redhat-pki-ocsp-ui-8.1.0-2.el5pki
redhat-pki-ra-ui-8.1.0-2.el5pki
redhat-pki-tks-ui-8.1.0-2.el5pki
redhat-pki-tps-ui-8.1.0-3.el5pki
[root@cs81box ~]

Steps used to verify:
1.Open CA Agent page and disable caUserCert.profile through Manage Certificate Profiles.
2.Launch pkiconsole and click on Certificate Profiles under Certificate Manager and choose the disabled profile(caUserCert) for edit.
3.Now Click on add and choose "CRL Distribution Points Extension Default". click ok.
4.Now in Policy editor fill following fields.
      -policy ID
      -crlDistPointsPointType_0
      -crlDistPointsPointName_0
   and select true for crlDistPointsEnable_0. click ok
5.Go to CA Agent page and Approve the caUserCert.profile.
6.Go to End-entity page and issue a certificate request using profile 'Manual User Dual-Use Certificate Enrollment(caUserCert)'.
7.Go to CA Agent page and approve the request.
8.Go to End-entity page and retrieve the the certificate

Result: Certificate Request using a certificate profile where CRL Distribution point is defined is working fine now.

CRL Distribution point Extension extract from the Certificate.

       Data: 
            Version:  v3
            Serial Number: 0x2A
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain
            Validity: 
                Not Before: Monday, May 9, 2011 12:27:13 PM IST Asia/Calcutta
                Not  After: Saturday, November 5, 2011 12:27:13 PM IST Asia/Calcutta
            Subject: UID=ksiddiqu,E=ksiddiqu,CN=ksiddiqu,OU=Engineering Services,O=Redhat,C=IN
            Subject Public Key Info: 
            Extensions: 
                Identifier: Authority Key Identifier - 2.5.29.35
                    Critical: no 
                    Key Identifier: 
                        BB:CF:FD:D8:74:48:AD:75:2B:74:9A:84:30:BB:40:73:
                        2C:16:F0:37
                Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
                    Critical: no 
                    Access Description: 
                        Method #0: ocsp
                        Location #0: URIName: http://cs81box.pnq.redhat.com:9180/ca/ocsp
                Identifier: Key Usage: - 2.5.29.15
                    Critical: yes 
                    Key Usage: 
                        Digital Signature 
                        Non Repudiation 
                        Key Encipherment 
                Identifier: Extended Key Usage: - 2.5.29.37
                    Critical: no 
                    Extended Key Usage: 
                        1.3.6.1.5.5.7.3.2
                        1.3.6.1.5.5.7.3.4
                Identifier: CRL Distribution Points - 2.5.29.31
                    Critical: no 
                    Number of Points: 1
                    Point 0
                        Distribution Point: [URIName: http://cs81box.pnq.redhat.com:9444/ca/ee/ca/crl/MasterCRL.crl]


Here CRL Distribution Point value is enclosed between braces.

Well, what can I tell you guys. I stumbled upon same problem with recent PKI packages. This time, however, I'm running java 1.7 as 1.6 is unsupported. 

1.7 will be gone soon, too, but I'm trying to be as close to 1.6 as possible. 

======================================
jdk-1.7.0_55-fcs
pki-ca-8.1.6-1
pki-common-8.1.12-4
pki-console-8.1.0-5
pki-java-tools-8.1.0-6
pki-migrate-8.1.0-10
pki-native-tools-8.1.0-7
pki-ocsp-8.1.1-1
pki-selinux-8.1.0-2
pki-setup-8.1.0-4
pki-util-8.1.1-2
redhat-pki-ca-ui-8.1.0-8
redhat-pki-common-ui-8.1.0-2
redhat-pki-console-ui-8.1.0-2
redhat-pki-ocsp-ui-8.1.0-5
======================================

Some packages contain my tiny mods (additional exts), but that's irrelevant to the problem.


It's essentially exactly the same problem. I'm getting that exception when tyring to view Certificates with CRLDistribution extension in them.

In "agent services", I'm getting:

====================================================================
INFO: caProfileReview: java.lang.ClassCastException: netscape.security.x509.Extension cannot be cast to netscape.security.x509.CRLDistributionPointsExtension
        at com.netscape.cms.profile.def.CRLDistributionPointsExtDefault.getValue(CRLDistributionPointsExtDefault.java:398)
        at com.netscape.cms.profile.def.EnrollDefault.getValue(EnrollDefault.java:238)
        at com.netscape.cms.servlet.profile.ProfileReviewServlet.handlePolicy(ProfileReviewServlet.java:410)
        at com.netscape.cms.servlet.profile.ProfileReviewServlet.process(ProfileReviewServlet.java:231)
        at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:502)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at com.netscape.cms.servlet.filter.AgentRequestFilter.doFilter(AgentRequestFilter.java:106)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:542)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
        at java.lang.Thread.run(Thread.java:745)
====================================================================

When using "end services" endpoint, the extension is shown in "binary" mode:

====================================================================
                Identifier: 2.5.29.31
                    Critical: no 
                    Value: 
                        30:3C:30:3A:A0:38:A0:36:86:34:68:74:74:70:3A:2F:
                        2F:63:61:32:2E:66:75:73:65:64:2E:6E:65:74:3A:39:
                        31:38:30:2F:63:61:2F:65:65:2F:63:61:2F:63:72:6C:
                        2F:4D:61:73:74:65:72:43:52:4C:2E:63:72:6C
====================================================================

Yes, it is registered, it's present, I'm using latest packages. 
I even tried substituting Extension to netscape.security.x509.Extension. I tried using old CRLDistributionPointsExtDefault and old CRLDistributionPointsExtension.java. Nothing helped!

Thanks!

So, for those that encounter this bug, you need to do the following:

- Enable a profile with CRLDistributionPointsExtDefault extension in it
- Go to end-services page and submit a cert request using that profile (any dumb req will do)

And voila, you've got CRLDistributionPointsExtension working. You can now go to agent page and reject/delete dump request. This will last till next CA reboot.

Works on RH CA 8.1.