<div>I can send you the email that I got from the list? Will this be good?</div><div><br></div><div>Thanks,</div><div><br></div><div>R<br><div class="gmail_quote"><div>On Thu, Jan 12, 2017 at 3:05 PM John Magne &lt;<a href="mailto:jmagne@redhat.com">jmagne@redhat.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi:<br class="gmail_msg">
<br class="gmail_msg">
Is there any way you can reproduce the confusing answer you got, which may give us a head start?<br class="gmail_msg">
<br class="gmail_msg">
----- Original Message -----<br class="gmail_msg">
> From: "Rafael Leiva-Ochoa" &lt;<a href="mailto:spawn@rloteck.net" class="gmail_msg" target="_blank">spawn@rloteck.net</a>&gt;<br class="gmail_msg">
> To: <a href="mailto:pki-users@redhat.com" class="gmail_msg" target="_blank">pki-users@redhat.com</a><br class="gmail_msg">
> Sent: Thursday, January 12, 2017 2:36:36 PM<br class="gmail_msg">
> Subject: Re: [Pki-users] SAN on Certificate<br class="gmail_msg">
><br class="gmail_msg">
> Any takers?<br class="gmail_msg">
> On Tue, Jan 10, 2017 at 4:35 PM Rafael Leiva-Ochoa &lt;<a href="mailto:spawn@rloteck.net" class="gmail_msg" target="_blank">spawn@rloteck.net</a>&gt; wrote:<br class="gmail_msg">
><br class="gmail_msg">
> Hi Everyone,<br class="gmail_msg">
><br class="gmail_msg">
> I am sorry for asking this question again, but the last time I asked it, I<br class="gmail_msg">
> was confused with the answer. I am trying to create a "certificate profile"<br class="gmail_msg">
> that will support 3 to 4 SANs (Subject Alternative Names), since the current<br class="gmail_msg">
> profiles do not have support for this by default. I was trying to duplicate<br class="gmail_msg">
> the "Manual Server Certificate Enrollment" profile, and adding SAN support.<br class="gmail_msg">
> I tried using this as a guide:<br class="gmail_msg">
><br class="gmail_msg">
> <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_and_CRL_Extensions.html#Subject_Alternative_Name_Extension_Default" rel="noreferrer" class="gmail_msg" target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_and_CRL_Extensions.html#Subject_Alternative_Name_Extension_Default</a><br class="gmail_msg">
><br class="gmail_msg">
> and<br class="gmail_msg">
><br class="gmail_msg">
> <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Managing_Subject_Names_and_Subject_Alternative_Names.html" rel="noreferrer" class="gmail_msg" target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Managing_Subject_Names_and_Subject_Alternative_Names.html</a><br class="gmail_msg">
><br class="gmail_msg">
> This is what the profile looks like:<br class="gmail_msg">
><br class="gmail_msg">
> policyset.serverCertSet.9.constraint.class_id=noConstraintImpl<br class="gmail_msg">
> policyset.serverCertSet.9.constraint.name=No Constraint<br class="gmail_msg">
> policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl<br class="gmail_msg">
> policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default<br class="gmail_msg">
> policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true<br class="gmail_msg">
> policyset.serverCertSet.9.default.params.subjAltExtPattern_0=<br class="gmail_msg">
> policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName<br class="gmail_msg">
> policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false<br class="gmail_msg">
> policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1<br class="gmail_msg">
><br class="gmail_msg">
> The CSR looks like this:<br class="gmail_msg">
><br class="gmail_msg">
> *Common Name:* <a href="http://node1.example.com" rel="noreferrer" class="gmail_msg" target="_blank">node1.example.com</a><br class="gmail_msg">
> *Subject Alternative Names:* <a href="http://test.example.com" rel="noreferrer" class="gmail_msg" target="_blank">test.example.com</a>, <a href="http://test1.example.com" rel="noreferrer" class="gmail_msg" target="_blank">test1.example.com</a>, <a href="http://test2.example.com" rel="noreferrer" class="gmail_msg" target="_blank">test2.example.com</a><br class="gmail_msg">
> *Organization:* Test Corp<br class="gmail_msg">
> *Organization Unit:* IT Department<br class="gmail_msg">
> *Locality:* LA<br class="gmail_msg">
> *State:* OR<br class="gmail_msg">
> *Country:* US<br class="gmail_msg">
><br class="gmail_msg">
> I am going to do this instead of using wildcard certs.<br class="gmail_msg">
><br class="gmail_msg">
> Thanks,<br class="gmail_msg">
><br class="gmail_msg">
> Rafael<br class="gmail_msg">
><br class="gmail_msg">
> _______________________________________________<br class="gmail_msg">
> Pki-users mailing list<br class="gmail_msg">
> <a href="mailto:Pki-users@redhat.com" class="gmail_msg" target="_blank">Pki-users@redhat.com</a><br class="gmail_msg">
> <a href="https://www.redhat.com/mailman/listinfo/pki-users" rel="noreferrer" class="gmail_msg" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a><br class="gmail_msg">
</blockquote></div></div>