<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 20/03/12 12 15:27, Riccardo Brunetti wrote:
<blockquote
cite="mid:6097BEF1-A97A-4FA0-AA39-31EB8B6A4A2F@to.infn.it"
type="cite">
<div><br>
</div>
<div>Thanks Joshua for the prompt reply and answer.</div>
<div>I used the User Supplied Extension Default and it works.</div>
<div><br>
</div>
<div>Thank you very much again</div>
<div><br>
</div>
<div>Best Regards</div>
<div>Riccardo</div>
<br>
<div apple-content-edited="true">
<div>Riccardo Brunetti</div>
<div>INFN-Torino</div>
<div>Tel: +390116707295</div>
<div><a moz-do-not-send="true"
href="mailto:riccardo.brunetti@to.infn.it">riccardo.brunetti@to.infn.it</a></div>
</div>
<br>
<div>
<div>On 20/mar/2012 12, at 12:29, Joshua Roys wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div>On 03/20/2012 06:54 AM, Riccardo Brunetti wrote:<br>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite">Dear pki-users.<br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite">I'm trying to setup a pki-ca
instance to produce X509 certificates which include a
Subject Alternative Name Extension with the following
attributes:<br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite">Criticality = not critical<br>
</blockquote>
<blockquote type="cite">Type = RFC822Name<br>
</blockquote>
<blockquote type="cite">Value = the email of the requestor.<br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite">I'm using the Signed
CMC-Authenticated User Certificate Enrollment profile and
this is the relevant section of my
/var/lib/pki-ca/profiles/ca/caFullCMCUserCert.cfg file:<br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite">policyset.cmcUserCertSet.8.constraint.class_id=extensionConstraintImpl<br>
</blockquote>
<blockquote type="cite">policyset.cmcUserCertSet.8.constraint.name=Extension
Constraint<br>
</blockquote>
<blockquote type="cite">policyset.cmcUserCertSet.8.constraint.params.extCritical=false<br>
</blockquote>
<blockquote type="cite">policyset.cmcUserCertSet.8.constraint.params.extOID=2.5.29.17<br>
</blockquote>
<blockquote type="cite">policyset.cmcUserCertSet.8.default.class_id=subjectAltNameExtDefaultImpl<br>
</blockquote>
<blockquote type="cite">policyset.cmcUserCertSet.8.default.name=Subject
Alternative Name Extension Default<br>
</blockquote>
<blockquote type="cite">policyset.cmcUserCertSet.8.default.params.subjAltExtGNEnable_0=true<br>
</blockquote>
<blockquote type="cite">policyset.cmcUserCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$<br>
</blockquote>
<blockquote type="cite">policyset.cmcUserCertSet.8.default.params.subjAltExtType_0=RFC822Name<br>
</blockquote>
<blockquote type="cite">policyset.cmcUserCertSet.8.default.params.subjAltNameExtCritical=false<br>
</blockquote>
<blockquote type="cite">policyset.cmcUserCertSet.8.default.params.subjAltNameNumGNs=1<br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite">The input certificate request is
generated using certutil and CMCEnroll and the command
used is the following:<br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite">certutil -R -g 2048 -s
"<the-subject>" -7 "<the-requestor-email>"
-d <a-local-dir> ……<br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite">The certificate is generated, but
the extension is not populated with the email address and
I always get:<br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite">Identifier: Subject Alternative Name
- 2.5.29.17<br>
</blockquote>
<blockquote type="cite"> Critical: no<br>
</blockquote>
<blockquote type="cite"> Value:<br>
</blockquote>
<blockquote type="cite"> RFC822Name:
$request.requestor_email$<br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<br>
Hello,<br>
<br>
In short, the email is not being looked at because
$request.requestor_email$ is created through the WebUI
through an input box (Requestor Email). See [1] for some
more variables. You may want to configure the
caFullCMCUserCert to copy all subjAltNames in the input to
the output certificate using the User Supplied Extension
Default (with 2.5.29.17 as the argument):<br>
"This default populates a User-Supplied Extension
(2.5.29.17) to the request."<br>
<br>
Josh<br>
<br>
[1] <a moz-do-not-send="true"
href="http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Managing_Subject_Names_and_Subject_Alternative_Names.html#tab.Variables_Used_to_Populate_Certificates">http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Managing_Subject_Names_and_Subject_Alternative_Names.html#tab.Variables_Used_to_Populate_Certificates</a><br>
<br>
_______________________________________________<br>
Pki-users mailing list<br>
<a moz-do-not-send="true" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a><br>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-users">https://www.redhat.com/mailman/listinfo/pki-users</a><br>
</div>
</blockquote>
</div>
<br>
</blockquote>
Dear Pki-users.<br>
I'm having the same problem when trying to generate user
certificates using the web user interface provided by the RA
subsystem.<br>
In short, when I request a user certificate using the "User
Enrollment" link in the RA web interface, I'm presented with a form in
which I enter the UID, Full Name, Site ID and email.<br>
The certificate which is produced after the RA agent approves the
request contains again an extension like:<br>
<br>
Identifier: Subject Alternative Name - 2.5.29.17<br>
Critical: no<br>
Value:<br>
RFC822Name: $request.requestor_email$<br>
<br>
The email is contained in the DN of the certificate, which is not
what I want.<br>
I tried to modify the profile caDualRAuserCert, changing the policy
8 as Josh suggested above, but the answer is that the extension is
not found.<br>
<br>
Do you have some suggestions?<br>
<br>
Thanks a lot<br>
Riccardo<br>
<pre class="moz-signature" cols="72">--
-------------------
Riccardo Brunetti
INFN - Torino
Tel: +390116707295
Skype: rbrunetti
-------------------</pre>
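<br>
Added example (not code from this thread, from Dogtag or from Red Hat Certificate System): a small Python checker for the symptom discussed above, an issued certificate whose Subject Alternative Name still carries the literal, unsubstituted profile variable <tt>$request.requestor_email$</tt> instead of an e-mail address. It parses the pretty-printed "Identifier / Critical / Value" layout shown in the thread; the two sample certificates, the <tt>user@example.org</tt> address and the function names are constructed for the example. It goes a little beyond the thread by also rejecting any other unsubstituted <tt>$...$</tt> pattern and by comparing the RFC822Name against the address the requester actually entered, so the same check can run over every certificate an RA approves.<br>

```python
"""Flag issued certificates whose SAN RFC822Name was never populated.

Symptom from the thread: the profile's subjAltExtPattern_0 value
($request.requestor_email$) is copied verbatim into the certificate
instead of being substituted.  This script detects that from the
pretty-printed certificate text.  All sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Layout assumed from the thread's pretty-print output (an assumption).
SAN_HEADER = re.compile(r"Identifier:\s*Subject Alternative Name\s*-\s*2\.5\.29\.17")
NEXT_EXTENSION = re.compile(r"^\s*Identifier:")
VALUE_LINE = re.compile(r"^\s*Value:\s*$")
GENERAL_NAME = re.compile(
    r"^\s*(?P<type>RFC822Name|DNSName|URIName|IPAddress|DirectoryName|"
    r"OtherName|RegisteredID|EDIPartyName|X400Address):\s*(?P<value>.*?)\s*$"
)
# Any profile variable left in the certificate, e.g. $request.requestor_email$
UNSUBSTITUTED = re.compile(r"\$[A-Za-z_][A-Za-z0-9_.]*\$")
# Deliberately loose: one '@', no whitespace, a dot in the domain part.
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class SanFinding:
    gn_type: str
    value: str
    problem: Optional[str]  # None means the general name looks fine


def parse_san_block(pretty_text: str) -> List[Tuple[str, str]]:
    """Return the (type, value) general names listed under the SAN extension."""
    names: List[Tuple[str, str]] = []
    in_san = in_value = False
    for line in pretty_text.splitlines():
        if SAN_HEADER.search(line):
            in_san, in_value = True, False
            continue
        if not in_san:
            continue
        if NEXT_EXTENSION.match(line):
            break  # a different extension starts; SAN block is over
        if VALUE_LINE.match(line):
            in_value = True
            continue
        if in_value:
            m = GENERAL_NAME.match(line)
            if m:
                names.append((m.group("type"), m.group("value")))
    return names


def check_san(pretty_text: str, expected_email: Optional[str] = None) -> List[SanFinding]:
    """Audit every SAN general name; optionally require a specific e-mail."""
    names = parse_san_block(pretty_text)
    if not names:
        return [SanFinding("", "", "no SAN general names found")]
    findings = []
    for gn_type, value in names:
        if UNSUBSTITUTED.search(value):
            problem = f"unsubstituted profile variable {value!r}"
        elif gn_type == "RFC822Name" and not EMAIL.match(value):
            problem = "RFC822Name is not a syntactically valid e-mail address"
        elif gn_type == "RFC822Name" and expected_email and value.lower() != expected_email.lower():
            problem = f"RFC822Name {value!r} does not match requester {expected_email!r}"
        else:
            problem = None
        findings.append(SanFinding(gn_type, value, problem))
    return findings


def is_clean(findings: List[SanFinding]) -> bool:
    return all(f.problem is None for f in findings)


# Constructed samples mirroring the thread's pretty-print layout.
BROKEN_CERT = """\
    Identifier: Subject Alternative Name - 2.5.29.17
        Critical: no
        Value:
            RFC822Name: $request.requestor_email$
    Identifier: Key Usage - 2.5.29.15
        Critical: yes
"""
GOOD_CERT = """\
    Identifier: Subject Alternative Name - 2.5.29.17
        Critical: no
        Value:
            RFC822Name: user@example.org
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CERT), ("good", GOOD_CERT)):
        for f in check_san(text, expected_email="user@example.org"):
            print(f"{label}: {f.gn_type} {f.value!r} -> {f.problem or 'ok'}")
```

Run it over the output of the CA's pretty-print for each issued certificate and treat any non-empty <tt>problem</tt> as a failed enrollment to be revoked and re-issued; in the thread's case the first finding is the unsubstituted variable, which is exactly what the misconfigured profile produced.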
</body>
</html>