<div dir="ltr">Hi Everyone,
<div><br></div>
<div>I am sorry for asking this question again, but the last time I asked it, I was confused by the answer. I am trying to create a "certificate profile" that will support 3 to 4 SANs (Subject Alternative Names), since the current profiles do not have support for this by default. I was trying to duplicate the "Manual Server Certificate Enrollment" profile and add SAN support. I tried using this as a guide:</div>
<div><br></div>
<div><a href="https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_and_CRL_Extensions.html#Subject_Alternative_Name_Extension_Default" rel="noreferrer" target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_and_CRL_Extensions.html#Subject_Alternative_Name_Extension_Default</a><br></div>
<div><br></div>
<div>and</div>
<div><br></div>
<div><a href="https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Managing_Subject_Names_and_Subject_Alternative_Names.html" rel="noreferrer" target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Managing_Subject_Names_and_Subject_Alternative_Names.html</a><br></div>
<div><br></div>
<div>This is what the profile looks like:</div>
<div><br></div>
<div>policyset.serverCertSet.9.constraint.class_id=noConstraintImpl<br>
policyset.serverCertSet.9.constraint.name=No Constraint<br>
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl<br>
policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default<br>
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true<br>
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=<br>
policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName<br>
policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false<br>
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1<br></div>
<div><br></div>
<div>The CSR looks like this:</div>
<div><br>
*Common Name:* node1.example.com<br>
*Subject Alternative Names:* test.example.com, test1.example.com, test2.example.com<br>
*Organization:* Test Corp<br>
*Organization Unit:* IT Department<br>
*Locality:* LA<br>
*State:* OR<br>
*Country:* US<br></div>
<div><br></div>
<div>I am going to do this instead of using wildcard certs.</div>
<div><br></div>
<div>Thanks,</div>
<div><br></div>
<div>Rafael</div>
</div>