The question about dnQualifier


The question about dnQualifier

by 王木旺

Dear sir:
   I'm writing to ask you some questions about how to operate EJBCA.
   I want to create a certificate for an end entity using EJBCA. The certificate's subject must be like this: dnQualifier = XXX, C = CN, O = CE, CN = drm-test, and dnQualifier should be the public key thumbprint of the end entity.
   How do I operate EJBCA to create a certificate like this? Could you give me some help and suggestions?
   Thank you!

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
Ejbca-develop mailing list
Ejbca-develop@...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop

Re: The question about dnQualifier

by Johan Eklund

Hi,

EJBCA is not able to produce this without modifying the source code, but
I guess that is why you sent a mail to the developer list. =)

A good place to start looking might be X509CA→generateCertificate(...),
but I have a hard time thinking up a general solution for this...

Does it have to be dnQualifier? Isn't there already a standard extension
called KeyIdentifier for this?

Best Regards,
Johan Eklund


--
PrimeKey Solutions offers a commercial EJBCA support subscription and training for EJBCA. Please see www.primekey.se or contact info@... for more information. http://download.primekey.se/documents/ejbca_subscription.pdf http://download.primekey.se/documents/ejbca_training.pdf

Re: The question about dnQualifier

by Tomas Gustavsson


I agree about using KeyIdentifier.

Using a custom RA interface I think it would be possible to make what
you want, since you need to have the certificate request before the user
is added/edited in EJBCA. You could make a custom web for enrollment,
where the user is added or changed (possibly with approvals) when the
request is received. The user's DN could then be changed for every
request to set a new value for dnQualifier.

We (Johan) have made such custom web pages before, and it's rather easy
to use the EJB interface by modeling after the already existing web
interface.

What do you think about that, Johan? It should be possible, right?

Cheers,
Tomas



Re: The question about dnQualifier

by Johan Eklund

Since the CN was drm-test I would assume that this isn't a regular
web browser request... But absolutely, if there already exists a private
key, a simple Servlet would be enough to parse incoming certificate
requests and return a new certificate, much like I did for the MS
"autoenroll" feature.

I think we need some more info from 王木旺 to be able to give a definite
answer here...
1. Does the key already exist, or is it a generated keystore (P12/JKS) with
a certificate that you need?
2. Is it an automated request over a trusted channel to the CA?

/Johan


Re: The question about dnQualifier

by 张鑫-2

On behalf of 王木旺:

> 1. Does the key already exist or is a generated keystore (P12/JKS) with
> a certificate you need?

Some users provide a key that already exists (maybe they generate a keystore), and the others get their keys and certificates with EJBCA.

> 2. Is it an automated request over a trusted channel to the CA?

Yes, the channel is trusted.


Re: The question about dnQualifier

by Johan Eklund

Ok. Then we can scrap the simple Servlet solution.

Is the use of dnQualifier instead of KeyIdentifier an absolute requirement
for you?

/Johan


Re: The question about dnQualifier

by 张鑫-2

According to our industry standards, the certificate's structure shall be like the following:
   0 1185: SEQUENCE {
   4  905:   SEQUENCE {
   8    3:     [0] {
  10    1:       INTEGER 2
         :       }
  13    9:     INTEGER 00 FA 82 11 7E E1 03 3B 55
  24   13:     SEQUENCE {
  26    9:       OBJECT IDENTIFIER
         :         sha256WithRSAEncryption (1 2 840 113549 1 1 11)
  37    0:       NULL
         :       }
  39  138:     SEQUENCE {
  42   22:       SET {
  44   20:         SEQUENCE {
  46    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
  51   13:           PrintableString 'CA.TEST.COM'
         :           }
         :         }
  66   22:       SET {
  68   20:         SEQUENCE {
  70    3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
  75   13:           PrintableString 'CA.TEST.COM'
         :           }
         :         }
  90   49:       SET {
  92   47:         SEQUENCE {
  94    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
  99   40:           PrintableString 'DEVICE.TEST.COM'
         :           }
         :         }
 141   37:       SET {
 143   35:         SEQUENCE {
 145    3:           OBJECT IDENTIFIER dnQualifier (2 5 4 46)
 150   28:           PrintableString 'xTgTEEyCjOPfyGbt/RMVTTStz1M='
         :           }
         :         }
         :       }
 180   30:     SEQUENCE {
 182   13:       UTCTime 05/06/2008 13:04:55 GMT
 197   13:       UTCTime 31/05/2028 13:04:55 GMT
         :       }
 212  138:     SEQUENCE {
 215   22:       SET {
 217   20:         SEQUENCE {
 219    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
 224   13:           PrintableString 'CA.TEST.COM'
         :           }
         :         }
 239   22:       SET {
 241   20:         SEQUENCE {
 243    3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
 248   13:           PrintableString 'CA.TEST.COM'
         :           }
         :         }
 263   49:       SET {
 265   47:         SEQUENCE {
 267    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 272   40:           PrintableString 'DEVICE.TEST.COM'
         :           }
         :         }
 314   37:       SET {
 316   35:         SEQUENCE {
 318    3:           OBJECT IDENTIFIER dnQualifier (2 5 4 46)
 323   28:           PrintableString 'xTgTEEyCjOPfyGbt/RMVTTStz1M='
         :           }
         :         }
         :       }
 353  290:     SEQUENCE {
 357   13:       SEQUENCE {
 359    9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
 370    0:         NULL
         :         }
 372  271:       BIT STRING, encapsulates {
 377  266:         SEQUENCE {
 381  257:           INTEGER
         :             00 BE 0D 2A F0 85 94 84 81 D1 51 6B D9 7E 72 99
         :             41 F9 53 92 F9 3C 08 84 84 17 0A B7 C6 07 85 D5
         :             7B 4C F6 8D 8F 37 12 0B CC 3C 9E 41 12 E1 08 69
         :             BD FD 8C DE B1 9F 28 8C 77 E1 22 5A EB 11 3E 9C
         :             0A 74 2F E6 58 B8 06 7F 3B 23 4A F5 08 85 AF C4
         :             A0 C9 3C AC 85 FA A7 FB 28 44 03 BD 39 1F 00 56
         :             1C 30 C2 C4 3D 59 7B EA 38 EF 3E AA F0 AA A6 AA
         :             AD 95 D4 45 AF 19 91 71 00 B9 57 27 9C 88 EA 44
         :                     [ Another 129 bytes skipped ]
 642    3:           INTEGER 65537
         :           }
         :         }
         :       }
 647  262:     [3] {
 651  258:       SEQUENCE {
 655   29:         SEQUENCE {
 657    3:           OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
 662   22:           OCTET STRING, encapsulates {
 664   20:             OCTET STRING
         :               C5 38 13 10 4C 82 8C E3 DF C8 66 ED FD 13 15 4D
         :               34 AD CF 53
         :             }
         :           }
 686  191:         SEQUENCE {
 689    3:           OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
 694  183:           OCTET STRING, encapsulates {
 697  180:             SEQUENCE {
 700   20:               [0]
         :                 C5 38 13 10 4C 82 8C E3 DF C8 66 ED FD 13 15 4D
         :                 34 AD CF 53
 722  144:               [1] {
 725  141:                 [4] {
 728  138:                   SEQUENCE {
 731   22:                     SET {
 733   20:                       SEQUENCE {
 735    3:                         OBJECT IDENTIFIER
         :                           organizationName (2 5 4 10)
 740   13:                         PrintableString 'CA.TEST.COM'
         :                         }
         :                       }
 755   22:                     SET {
 757   20:                       SEQUENCE {
 759    3:                         OBJECT IDENTIFIER
         :                           organizationalUnitName (2 5 4 11)
 764   13:                         PrintableString 'CA.TEST.COM'
         :                         }
         :                       }
 779   49:                     SET {
 781   47:                       SEQUENCE {
 783    3:                         OBJECT IDENTIFIER commonName (2 5 4 3)
 788   40:                         PrintableString 'DEVICE.TEST.COM'
         :                         }
         :                       }
 830   37:                     SET {
 832   35:                       SEQUENCE {
 834    3:                         OBJECT IDENTIFIER dnQualifier (2 5 4 46)
 839   28:                         PrintableString 'xTgTEEyCjOPfyGbt/RMVTTStz1M='
         :                         }
         :                       }
         :                     }
         :                   }
         :                 }
 869    9:               [2] 00 FA 82 11 7E E1 03 3B 55
         :               }
         :             }
         :           }
 880   18:         SEQUENCE {
 882    3:           OBJECT IDENTIFIER basicConstraints (2 5 29 19)
 887    1:           BOOLEAN TRUE
 890    8:           OCTET STRING, encapsulates {
 892    6:             SEQUENCE {
 894    1:               BOOLEAN TRUE
 897    1:               INTEGER 5
         :               }
         :             }
         :           }
 900   11:         SEQUENCE {
 902    3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
 907    4:           OCTET STRING, encapsulates {
 909    2:             BIT STRING 2 unused bits
         :               '100000'B (bit 5)
         :             }
         :           }
         :         }
         :       }
         :     }
 913   13:   SEQUENCE {
 915    9:     OBJECT IDENTIFIER
         :       sha256WithRSAEncryption (1 2 840 113549 1 1 11)
 926    0:     NULL
         :     }
 928  257:   BIT STRING
         :     76 B0 89 E6 F8 8C 0E FF FD 35 58 8C 45 70 58 15
         :     15 DA 96 87 2F BC 2D 59 9F 0E 49 15 DA FA 6E 5F
         :     77 7A 82 CE 22 1F D6 7D 66 8D 9F B4 48 5C E3 33
         :     E2 17 70 82 CE E6 2E 73 B5 4A 96 86 1B 7D 6A 5C
         :     56 8C F4 E0 FF 22 8B 44 D4 A5 7F C9 42 64 98 82
         :     43 ED 93 6E 85 14 27 22 15 A3 36 A8 6A 49 1A 6F
         :     71 DF 92 0D 67 93 BA 82 A7 57 5F 04 48 1E 4C 10
         :     79 65 B2 B5 3C 82 48 F7 E0 F0 76 B7 60 0E 01 7C
         :             [ Another 128 bytes skipped ]
         :   }
 
 "Public Key Thumbprint (DnQualifier) --
Exactly one instance of the DnQualifier attribute shall be present in the Subject name and the Issuer name. It is a Base64 PrintableString encoding of a Public Key Thumbprint."
 

 


-----Original Message-----
From: Johan Eklund <ejbca-support@...>
To: 张鑫 <zhangxin@...>
Cc: ejbca-develop@...
Date: Thu, 05 Jun 2008 16:08:36 +0200
Subject: Re: [Ejbca-develop] The question about dnQualifier

Ok. Then we can scrap the simple Servlet solution.

Is the use dnQualifier instead of KeyIdentifier an absolute requirement
for you?

/Johan

张鑫 skrev:
> On behalf of 王木旺:
> 1. Does the key already exist or is a generated keystore (P12/JKS) with
> a certificate you need?
> *Some users provide the key, and the key already exists, maybe generating
> a keystore; and the others get their keys and certificates with EJBCA.*
>
> 2. Is it an automated request over a trusted channel to the CA?
> *Yes, the channel is trusted.*
>
>     -----Original Message-----
>     From: Johan Eklund <ejbca-support@...>
>     To: ejbca-develop@...
>     Cc: zhangxin@...
>     Date: Thu, 05 Jun 2008 12:51:34 +0200
>     Subject: Re: [Ejbca-develop] The question about dnQualifier
>
>     Since the CN was drm-test I would assume that this isn't a regular
>     web browser request.. But absolutely, if there already exists a private
>     key a simple Servlet would be enough to parse incoming certificate
>     requests and return a new certificate, much like I did for the MS
>     "autoenroll" feature.
>
>     I think we need some more info from 王木旺 to be able to give a
>     definite answer here..
>     1. Does the key already exist or is a generated keystore (P12/JKS)
>     with a certificate you need?
>     2. Is it an automated request over a trusted channel to the CA?
>
>     /Johan
>
>     Tomas Gustavsson skrev:
>     > I agree about using KeyIdentifier.
>     >
>     > Using a custom RA interface I think it would be possible to make
>     > what you want, since you need to have the certificate request before
>     > the user is added/edited in EJBCA. You could make a custom web for
>     > enrollment, where the user is added or changed (possibly with
>     > approvals) when the request is received. The user's DN could then be
>     > changed for every request to set a new value for dnQualifier.
>     >
>     > We (Johan) have made such custom web pages before, and it's rather
>     > easy to use the EJB interface by modeling after the already existing
>     > web interface.
>     >
>     > What do you think about that Johan? It should be possible right?
>     >
>     > Cheers,
>     > Tomas

--
PrimeKey Solutions offers a commercial EJBCA support subscription and training for EJBCA. Please see www.primekey.se or contact info@... for more information. http://download.primekey.se/documents/ejbca_subscription.pdf http://download.primekey.se/documents/ejbca_training.pdf




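
The standard quoted above says the dnQualifier is "a Base64 PrintableString encoding of a Public Key Thumbprint", and the certificate dump quoted in this thread shows what that means in practice: the dnQualifier value 'xTgTEEyCjOPfyGbt/RMVTTStz1M=' is the Base64 of the 20 bytes carried in the subjectKeyIdentifier extension (C5 38 13 10 ...). The following Python is an added example, not code from the thread, from EJBCA or from the standard. It assumes the thumbprint is the RFC 5280 section 4.2.1.2 method (1) key identifier (SHA-1 over the subjectPublicKey BIT STRING value), which the dump is consistent with but which the thread does not state; the toy modulus, the helper names and the RFC 4514 escaping are the example's own.

```python
"""Added example: derive the dnQualifier value the quoted standard describes and
check a certificate's dnQualifier against its subjectKeyIdentifier.
Not code from the thread, from EJBCA or from the standard."""
import base64
import hashlib
import hmac

# Values copied from the certificate dump quoted in this thread.
SKI_FROM_THREAD = bytes.fromhex("C53813104C828CE3DFC866EDFD13154D34ADCF53")
DNQ_FROM_THREAD = "xTgTEEyCjOPfyGbt/RMVTTStz1M="

# Constructed toy modulus for the stand-alone demo; far too small to be a real key.
TOY_MODULUS = 0xC5D3E9F1A7B20D4C8E3F5A7B9C1D2E3F4A5B6C7D8E9FA0B1C2D3E4F5A6B7C8D9


# --- minimal DER encoder, just enough for RSAPublicKey ---------------------

def _der_length(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + _der_length(len(content)) + content


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value. A leading 0x00 keeps the sign bit
    clear; that is why the dump shows the modulus as 257 bytes starting 00 BE."""
    if value < 0:
        raise ValueError("only non-negative integers are needed here")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def rsa_public_key_der(n: int, e: int) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }.
    This is the value of the subjectPublicKey BIT STRING in SubjectPublicKeyInfo."""
    return der_tlv(0x30, der_integer(n) + der_integer(e))


# --- key identifier and dnQualifier -----------------------------------------

def key_identifier(subject_public_key: bytes) -> bytes:
    """Thumbprint as RFC 5280 4.2.1.2 method (1): SHA-1 over the subjectPublicKey
    BIT STRING value (tag, length and the unused-bits octet excluded). Assumption."""
    return hashlib.sha1(subject_public_key).digest()


def dn_qualifier_from_ski(ski: bytes) -> str:
    """Base64 of the thumbprint; the Base64 alphabet is a subset of PrintableString."""
    return base64.b64encode(ski).decode("ascii")


def dn_qualifier_for(subject_public_key: bytes) -> str:
    return dn_qualifier_from_ski(key_identifier(subject_public_key))


def dn_qualifier_matches(dn_qualifier: str, ski: bytes) -> bool:
    """Validation check: the dnQualifier must decode to exactly the 20-byte key
    identifier. Malformed Base64 is reported as a mismatch, not raised."""
    try:
        raw = base64.b64decode(dn_qualifier, validate=True)
    except ValueError:
        return False
    return len(raw) == 20 and hmac.compare_digest(raw, ski)


_PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")


def is_printable_string(s: str) -> bool:
    """X.680 PrintableString character set; Base64 output always passes."""
    return all(c in _PRINTABLE for c in s)


# --- subject DN string in the form the original question asks for ----------

_RFC4514_SPECIAL = '"+,;<>\\'


def rfc4514_escape(value: str) -> str:
    """Escape an attribute value for an RFC 4514 DN string. Relevant here because
    Base64 can contain '+', which otherwise separates multi-valued RDNs."""
    out = "".join("\\" + ch if ch in _RFC4514_SPECIAL else ch for ch in value)
    if out.startswith((" ", "#")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def subject_dn(dn_qualifier: str, c: str, o: str, cn: str) -> str:
    """dnQualifier=...,C=...,O=...,CN=... as in the original question."""
    parts = [("dnQualifier", dn_qualifier), ("C", c), ("O", o), ("CN", cn)]
    return ",".join(f"{k}={rfc4514_escape(v)}" for k, v in parts)


if __name__ == "__main__":
    spk = rsa_public_key_der(TOY_MODULUS, 65537)
    dnq = dn_qualifier_for(spk)
    print("thumbprint :", key_identifier(spk).hex())
    print("dnQualifier:", dnq, "PrintableString" if is_printable_string(dnq) else "")
    print("subject    :", subject_dn(dnq, "CN", "CE", "drm-test"))
    print("thread values consistent:", dn_qualifier_matches(DNQ_FROM_THREAD, SKI_FROM_THREAD))
```

Two points for whoever implements this in a CA or an RA front end: the subject DN has to be computed from the public key, so the key (or the request carrying it) must exist before the DN is fixed, which is the ordering problem the thread is circling around; and because the value can contain '+', it must be escaped when the DN is handed around as an RFC 4514 string, otherwise it is parsed as a multi-valued RDN. A relying party can verify such a certificate by decoding the dnQualifier and comparing it with the subjectKeyIdentifier, as `dn_qualifier_matches` does.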

Re: The question about dnQualifier

by Johan Eklund

Ok. Just by curiosity, who is behind this standard and what is the name
of the standard?

So we have to add this extension, and we can't guarantee that the keys
exist before EJBCA's internal processing.

X509CA.generateCertificate(..) might be the right place after all. I
imagine a solution where you have a checkbox "Replace dnQualifier with b64
encoded key identifier. Required to comply with the XXX standard." when
you edit a certificate profile. Since an empty dnQualifier will be removed
during validation and early processing a dummy might be necessary.. When
generating the certificate any present dnQualifier extension with the
correct dummy value is replaced with the correct key identifier.

However this isn't very nice, since it is a highly specialized solution
for this special case, but it's the best idea I have so far..

Best Regards,
Johan Eklund

张鑫 skrev:

> According to our industry standards, the certificate's structure shall
> be like the following:
>    0 1185: SEQUENCE {
>    4  905:   SEQUENCE {
>    8    3:     [0] {
>   10    1:       INTEGER 2
>           :       }
>   13    9:     INTEGER 00 FA 82 11 7E E1 03 3B 55
>   24   13:     SEQUENCE {
>   26    9:       OBJECT IDENTIFIER
>           :         sha256WithRSAEncryption (1 2 840 113549 1 1 11)
>   37    0:       NULL
>           :       }
>   39  138:     SEQUENCE {
>   42   22:       SET {
>   44   20:         SEQUENCE {
>   46    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
>   51   13:           PrintableString 'CA.TEST.COM'
>           :           }
>           :         }
>   66   22:       SET {
>   68   20:         SEQUENCE {
>   70    3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
>   75   13:           PrintableString 'CA.TEST.COM'
>           :           }
>           :         }
>   90   49:       SET {
>   92   47:         SEQUENCE {
>   94    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
>   99   40:           PrintableString 'DEVICE.TEST.COM'
>           :           }
>           :         }
>  141   37:       SET {
>  143   35:         SEQUENCE {
>  145    3:           OBJECT IDENTIFIER dnQualifier (2 5 4 46)
>  150   28:           PrintableString 'xTgTEEyCjOPfyGbt/RMVTTStz1M='
>           :           }
>           :         }
>           :       }
>  180   30:     SEQUENCE {
>  182   13:       UTCTime 05/06/2008 13:04:55 GMT
>  197   13:       UTCTime 31/05/2028 13:04:55 GMT
>           :       }
>  212  138:     SEQUENCE {
>  215   22:       SET {
>  217   20:         SEQUENCE {
>  219    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
>  224   13:           PrintableString 'CA.TEST.COM'
>           :           }
>           :         }
>  239   22:       SET {
>  241   20:         SEQUENCE {
>  243    3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
>  248   13:           PrintableString 'CA.TEST.COM'
>           :           }
>           :         }
>  263   49:       SET {
>  265   47:         SEQUENCE {
>  267    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
>  272   40:           PrintableString 'DEVICE.TEST.COM'
>           :           }
>           :         }
>  314   37:       SET {
>  316   35:         SEQUENCE {
>  318    3:           OBJECT IDENTIFIER dnQualifier (2 5 4 46)
>  323   28:           PrintableString 'xTgTEEyCjOPfyGbt/RMVTTStz1M='
>           :           }
>           :         }
>           :       }
>  353  290:     SEQUENCE {
>  357   13:       SEQUENCE {
>  359    9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
>  370    0:         NULL
>           :         }
>  372  271:       BIT STRING, encapsulates {
>  377  266:         SEQUENCE {
>  381  257:           INTEGER
>           :             00 BE 0D 2A F0 85 94 84 81 D1 51 6B D9 7E 72 99
>           :             41 F9 53 92 F9 3C 08 84 84 17 0A B7 C6 07 85 D5
>           :             7B 4C F6 8D 8F 37 12 0B CC 3C 9E 41 12 E1 08 69
>           :             BD FD 8C DE B1 9F 28 8C 77 E1 22 5A EB 11 3E 9C
>           :             0A 74 2F E6 58 B8 06 7F 3B 23 4A F5 08 85 AF C4
>           :             A0 C9 3C AC 85 FA A7 FB 28 44 03 BD 39 1F 00 56
>           :             1C 30 C2 C4 3D 59 7B EA 38 EF 3E AA F0 AA A6 AA
>           :             AD 95 D4 45 AF 19 91 71 00 B9 57 27 9C 88 EA 44
>           :                     [ Another 129 bytes skipped ]
>  642    3:           INTEGER 65537
>           :           }
>           :         }
>           :       }
>  647  262:     [3] {
>  651  258:       SEQUENCE {
>  655   29:         SEQUENCE {
>  657    3:           OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
>  662   22:           OCTET STRING, encapsulates {
>  664   20:             OCTET STRING
>           :               C5 38 13 10 4C 82 8C E3 DF C8 66 ED FD 13 15 4D
>           :               34 AD CF 53
>           :             }
>           :           }
>  686  191:         SEQUENCE {
>  689    3:           OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
>  694  183:           OCTET STRING, encapsulates {
>  697  180:             SEQUENCE {
>  700   20:               [0]
>           :                 C5 38 13 10 4C 82 8C E3 DF C8 66 ED FD 13 15 4D
>           :                 34 AD CF 53
>  722  144:               [1] {
>  725  141:                 [4] {
>  728  138:                   SEQUENCE {
>  731   22:                     SET {
>  733   20:                       SEQUENCE {
>  735    3:                         OBJECT IDENTIFIER
>           :                           organizationName (2 5 4 10)
>  740   13:                         PrintableString 'CA.TEST.COM'
>           :                         }
>           :                       }
>  755   22:                     SET {
>  757   20:                       SEQUENCE {
>  759    3:                         OBJECT IDENTIFIER
>           :                           organizationalUnitName (2 5 4 11)
>  764   13:                         PrintableString 'CA.TEST.COM'
>           :                         }
>           :                       }
>  779   49:                     SET {
>  781   47:                       SEQUENCE {
>  783    3:                         OBJECT IDENTIFIER commonName (2 5 4 3)
>  788   40:                         PrintableString 'DEVICE.TEST.COM'
>           :                         }
>           :                       }
>  830   37:                     SET {
>  832   35:                       SEQUENCE {
>  834    3:                         OBJECT IDENTIFIER dnQualifier (2 5 4 46)
>  839   28:                         PrintableString 'xTgTEEyCjOPfyGbt/RMVTTStz1M='
>           :                         }
>           :                       }
>           :                     }
>           :                   }
>           :                 }
>  869    9:               [2] 00 FA 82 11 7E E1 03 3B 55
>           :               }
>           :             }
>           :           }
>  880   18:         SEQUENCE {
>  882    3:           OBJECT IDENTIFIER basicConstraints (2 5 29 19)
>  887    1:           BOOLEAN TRUE
>  890    8:           OCTET STRING, encapsulates {
>  892    6:             SEQUENCE {
>  894    1:               BOOLEAN TRUE
>  897    1:               INTEGER 5
>           :               }
>           :             }
>           :           }
>  900   11:         SEQUENCE {
>  902    3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
>  907    4:           OCTET STRING, encapsulates {
>  909    2:             BIT STRING 2 unused bits
>           :               '100000'B (bit 5)
>           :             }
>           :           }
>           :         }
>           :       }
>           :     }
>  913   13:   SEQUENCE {
>  915    9:     OBJECT IDENTIFIER
>           :       sha256WithRSAEncryption (1 2 840 113549 1 1 11)
>  926    0:     NULL
>           :     }
>  928  257:   BIT STRING
>           :     76 B0 89 E6 F8 8C 0E FF FD 35 58 8C 45 70 58 15
>           :     15 DA 96 87 2F BC 2D 59 9F 0E 49 15 DA FA 6E