<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi Rafael,</p>
<p> I think the following should work for you in theory (Note: I
have not tried it myself).<br>
</p>
<p> If you mean the web server cert, by default it uses the
caServerCert profile. So to add SAN you would want to add Subject
Alt Name Default and possibly constraint to that profile. You can
look up how other default profiles.</p>
<p>Here is an example policy you could add:</p>
<p>policyset.serverCertSet.9.constraint.class_id=noConstraintImpl<br>
policyset.serverCertSet.9.constraint.name=No Constraint<br>
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl<br>
policyset.serverCertSet.9.default.name=Subject Alternative Name
Extension Default<br>
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true<br>
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=yourServer.example.com<br>
policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName<br>
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1<br>
</p>
<p>Make sure you add the set id "9" (if unique..you can change it to
another unique id) to <br>
</p>
<p>policyset.serverCertSet.list=</p>
<p>It is important that you add that to the profile before you
proceed with the renewal instruction (under the assumption that
you wish to reuse keys), because the instruction I am about to
give you will use the same profile that the original cert was
issued through. Restart the CA after the above config change.<br>
</p>
<p>About renewal, if you want to reuse the same keys of the original
web server certificate, you could try going to the ee page
Enrollment/Renewal tab. Where you would find on the last link of
the page to be <br>
</p>
<p>Renewal: Renew certificate to be manually approved by agents.</p>
<p>Enter the current (to be replaced) server cert serial number and
submit. Have the CA agent approve the request. Download and
update your server cert, restart the intended web server.</p>
<p>If you don't want to reuse keys, then simply enroll through the
Manual Server Certificate Enrollment, which uses the profile that
you just modified, but will expect a whole new csr to be the input
(rekey). Incidentally, if you happen to have the original CSR
(hence preserving the same keys), you would end up having the same
keys with the new update profile (with SAN) as well, which would
effectively give you the same result.<br>
</p>
<p>Let us know if that works for you.</p>
<p>Christina<br>
</p>
<br>
<div class="moz-cite-prefix">On 05/30/2017 06:29 PM, Rafael
Leiva-Ochoa wrote:<br>
</div>
<blockquote
cite="mid:CACRrE5w9o5ZbqrhvczGbxfjF7VyDfTKAc_Nz2xKcZKvk+z707g@mail.gmail.com"
type="cite">
<div dir="ltr">Any takers?
<div><br>
</div>
<div>Rafael</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Sat, May 27, 2017 at 10:29 PM,
Rafael Leiva-Ochoa <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:spawn@rloteck.net"
target="_blank">spawn@rloteck.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hi Everyone,
<div><br>
</div>
<div> I am was looking through the Dogtag CA
documentation, and I was not able to find the process
for renewing the Dogtag Web page certificate. I wanted
to update the cert since all browser now required a SAN
on the cert. Any help would be great.</div>
<div><br>
</div>
<div>Thanks,</div>
<div><br>
</div>
<div>Rafael</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Pki-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-users">https://www.redhat.com/mailman/listinfo/pki-users</a></pre>
</blockquote>
<br>
</body>
</html>